9-5
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 9 Configuring Anomaly Detection
The external zone is the default zone with the default Internet range of 0.0.0.0-255.255.255.255. By
default, the internal and illegal zones contain no IP addresses. Packets that do not match the set of IP
addresses in the internal or illegal zone are handled by the external zone.
We recommend that you configure the internal zone with the IP address range of your internal network.
If you configure it in this way, the internal zone is all the traffic that comes to your IP address range, and
the external zone is all the traffic that goes to the Internet.
You can configure the illegal zone with IP address ranges that should never be seen in normal traffic, for
example, unallocated IP addresses or an unoccupied part of your internal IP address range. An illegal
zone can be very helpful for accurate detection, because no legitimate traffic is expected to reach it.
This allows very low thresholds for the zone, which in turn can lead to very quick worm detection.
For More Information
For the procedures for configuring zones, see Configuring the Internal Zone, page 9-12, Configuring the
Illegal Zone, page 9-20, and Configuring the External Zone, page 9-29.
Anomaly Detection Configuration Sequence
You can configure the detection part of anomaly detection, including a set of thresholds that
override the thresholds learned in the KB. However, anomaly detection continues learning regardless of how
you configure the detection. You can also import, export, and load a KB, and you can view the data in a KB.
Follow this sequence when configuring anomaly detection:
1. Create an anomaly detection policy to add to the virtual sensors. Or you can use the default anomaly
detection policy, ad0.
2. Add the anomaly detection policy to your virtual sensors.
3. Enable anomaly detection.
4. Configure the anomaly detection zones and protocols.
5. For the first 24 hours anomaly detection performs learning to create a populated KB. The initial KB
is empty and during the default 24 hours, anomaly detection collects data to use to populate the KB.
If you want the learning period to be longer than the default period of 24 hours, you must manually
set the mode to learning accept.
6. Let the sensor run in learning accept mode for at least 24 hours (the default) so that it can gather
information on the normal state of the network for the initial KB. Adjust the length of the learning
accept period to the complexity of your network. After the period ends, the sensor saves the initial KB
as the baseline of normal activity on your network.
Note We recommend leaving the sensor in learning accept mode for at least 24 hours, but letting
the sensor run in learning accept mode for longer, even up to a week, is better.
7. If you manually set anomaly detection to learning accept mode, switch back to detect mode.
8. Configure the anomaly detection parameters:
Configure the worm timeout, after which the scanner threshold returns to its configured value, and
the source and destination IP addresses that anomaly detection should bypass.
Decide whether you want to enable automatic KB updates when anomaly detection is in detect
mode.
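The zone model described in the zones section above and the learn-then-detect sequence in this section, as an added worked example in Python. This is illustrative code written for this page, not Cisco's implementation or CLI; the assumptions it makes are that a packet's zone is chosen by its destination address, that illegal ranges are checked before internal ones (so an unoccupied carve-out of the internal range counts as illegal), that the scanner metric is the number of distinct destinations one source contacts per zone and protocol, and that a learned threshold is that metric's observed maximum plus a margin. The traffic is constructed sample data, not a capture.

```python
"""Simplified model of anomaly detection zones and the learn/detect workflow.
Illustrative code for this page, not Cisco's algorithm. Assumptions: zone by
destination address; illegal checked before internal; scanner metric is the
number of distinct destinations a source contacts; learned threshold is the
observed maximum plus a fixed margin."""
from collections import defaultdict
from ipaddress import IPv4Address

# Default external zone covers the whole Internet, as on the page.
EXTERNAL_DEFAULT = [(IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255"))]


def parse_range(text):
    """Parse 'a.b.c.d-e.f.g.h' into an inclusive (first, last) pair."""
    first, last = (IPv4Address(p.strip()) for p in text.split("-"))
    if first > last:
        raise ValueError(f"reversed range: {text!r}")
    return first, last


class Zones:
    def __init__(self, internal=(), illegal=(), external=None):
        self.internal = [parse_range(r) for r in internal]
        self.illegal = [parse_range(r) for r in illegal]
        self.external = [parse_range(r) for r in external] if external else EXTERNAL_DEFAULT

    @staticmethod
    def _contains(ranges, addr):
        return any(lo <= addr <= hi for lo, hi in ranges)

    def classify(self, dst):
        """Zone of a packet, by destination. Illegal and internal are checked
        first; anything else is handled by the external (default) zone."""
        addr = IPv4Address(dst)
        if self._contains(self.illegal, addr):   # assumption: illegal wins over internal
            return "illegal"
        if self._contains(self.internal, addr):
            return "internal"
        if self._contains(self.external, addr):
            return "external"
        return None  # only reachable if the external zone was narrowed


def distinct_destinations(zones, flows):
    """Map (zone, proto, src) -> set of destinations that src contacted."""
    seen = defaultdict(set)
    for src, dst, proto in flows:
        zone = zones.classify(dst)
        if zone is not None:
            seen[(zone, proto, src)].add(dst)
    return seen


def learn(zones, flows, margin=5):
    """Learning accept mode: build a KB of per-(zone, proto) thresholds from
    the busiest source observed. Zones with no traffic get no KB entry."""
    busiest = defaultdict(int)
    for (zone, proto, _src), dsts in distinct_destinations(zones, flows).items():
        busiest[(zone, proto)] = max(busiest[(zone, proto)], len(dsts))
    return {key: n + margin for key, n in busiest.items()}


def detect(zones, kb, flows, overrides=None, default_threshold=50):
    """Detect mode: a configured override beats the KB threshold, which beats
    the default. Returns sorted (zone, proto, src, count, threshold) alerts."""
    overrides = overrides or {}
    alerts = []
    for (zone, proto, src), dsts in distinct_destinations(zones, flows).items():
        limit = overrides.get((zone, proto), kb.get((zone, proto), default_threshold))
        if len(dsts) > limit:
            alerts.append((zone, proto, src, len(dsts), limit))
    return sorted(alerts)


def hosts(prefix, first, last):
    return [f"{prefix}.{i}" for i in range(first, last + 1)]


# Constructed sample traffic as (src, dst, proto) tuples; not captured data.
LEARNING_FLOWS = (
    [(c, d, "tcp") for c in hosts("192.0.2", 1, 5) for d in hosts("10.1.1", 1, 3)]
    + [("10.1.1.10", d, "tcp") for d in hosts("203.0.113", 1, 4)]
)
DETECT_FLOWS = (
    [("192.0.2.77", d, "tcp") for d in hosts("10.1.1", 1, 20)]     # sweeps 20 internal hosts
    + [("192.0.2.1", d, "tcp") for d in hosts("10.1.1", 1, 3)]     # normal client
    + [("192.0.2.88", d, "tcp") for d in hosts("10.1.200", 1, 3)]  # probes unoccupied space
    + [("10.1.1.10", d, "tcp") for d in hosts("203.0.113", 1, 5)]  # normal outbound
)


def run_example():
    zones = Zones(internal=["10.1.0.0-10.1.255.255"],
                  illegal=["10.1.200.0-10.1.200.255"])  # unoccupied carve-out
    kb = learn(zones, LEARNING_FLOWS)
    # The illegal zone saw nothing during learning, so without an override it
    # falls back to the default threshold and the probe goes unnoticed.
    without = detect(zones, kb, DETECT_FLOWS)
    # A very low configured threshold for the illegal zone catches the probe.
    with_override = detect(zones, kb, DETECT_FLOWS, overrides={("illegal", "tcp"): 2})
    return kb, without, with_override


if __name__ == "__main__":
    kb, without, with_override = run_example()
    print("KB:", kb)
    print("no override:", without)
    print("with override:", with_override)
```

The run shows the two points the text makes: the learned KB only carries thresholds for zones that actually saw traffic, so a zone that should never see traffic needs an explicit low override rather than a learned value, and the override, not the KB, decides the alert for that zone.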