9-6
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 9 Configuring Anomaly Detection
Anomaly Detection Signatures
Configure the 18 anomaly detection worm signatures to have more event actions than just the default produce-alert. For example, configure them to have deny-attacker event actions.
For More Information
For the procedures for putting anomaly detection in different modes, see Adding, Editing, and Deleting Virtual Sensors, page 6-5.
For the procedure for configuring a new anomaly detection policy, see Working With Anomaly Detection Policies, page 9-9.
For more information on configuring zones, see Configuring the Internal Zone, page 9-12, Configuring the Illegal Zone, page 9-20, and Configuring the External Zone, page 9-29.
For more information on anomaly detection modes, see Anomaly Detection Modes, page 9-3.
For more information about configuring learning accept mode, see Configuring Learning Accept Mode, page 9-37.
For more information on configuring anomaly detection signatures, see Anomaly Detection Signatures, page 9-6.
For more information on Deny Attacker event actions, see Event Actions, page 7-5.
Anomaly Detection Signatures
The Traffic Anomaly engine contains nine anomaly detection signatures covering three protocols (TCP, UDP, and other). Each signature has two subsignatures, one for the scanner and the other for the worm-infected host (or a scanner under worm attack). When anomaly detection discovers an anomaly, it triggers an alert for these signatures. All anomaly detection signatures are enabled by default and the alert severity for each one is set to high.
When a scanner is detected but no histogram anomaly occurred, the scanner signature fires for that attacker (scanner) IP address. If the histogram signature is triggered, the attacker addresses that are doing the scanning each trigger the worm signature (instead of the scanner signature). The alert details state which threshold is being used for the worm detection now that the histogram has been triggered. From that point on, all scanners are detected as worm-infected hosts.
The following anomaly detection event actions are possible:
produce-alert—Writes the event to the Event Store.
deny-attacker-inline (inline only)—Does not transmit this packet and future packets originating from the attacker address for a specified period of time.
log-attacker-packets—Starts IP logging for packets that contain the attacker address.
deny-attacker-service-pair-inline—Blocks the source IP address and the destination port.
request-snmp-trap—Sends a request to NotificationApp to perform SNMP notification.
request-block-host—Sends a request to ARC to block this host (the attacker).
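The scanner-versus-worm subsignature behaviour described above, and the recommendation to give the worm subsignatures stronger event actions than the default produce-alert, can be checked offline with a small model of the engine. The following Python is an added example written for this page; it is not Cisco code and does not reproduce the sensor's real thresholds or histogram math. The zone and protocol names, the subsignature numbers 0 and 1, the thresholds, the event-action mapping and the flow records are all constructed assumptions; only the structure (nine signatures as zone and protocol combinations, two subsignatures each, and the histogram latch that turns every later scanner into a worm-infected host) is taken from the guide text.

```python
"""Model of how the Traffic Anomaly engine's scanner and worm subsignatures fire.

Added example for this page, not Cisco code. Zone and protocol names, the
subsignature numbers, the thresholds and the flow records are constructed for
illustration; only the structure (nine signatures, three protocols, two
subsignatures, histogram latch) is taken from the guide text.
"""
from collections import defaultdict

SUBSIG_SCANNER = 0  # assumed numbering: subsignature for a plain scanner
SUBSIG_WORM = 1     # assumed numbering: subsignature for a worm-infected host

# Event actions per subsignature. produce-alert is the default the guide names;
# the extra actions on the worm subsignature illustrate the hardening it recommends.
EVENT_ACTIONS = {
    SUBSIG_SCANNER: ("produce-alert",),
    SUBSIG_WORM: ("produce-alert", "deny-attacker-inline", "request-block-host"),
}


class TrafficAnomalyModel:
    """One instance covers every (zone, protocol) signature, each with its own state."""

    def __init__(self, scanner_threshold, histogram_threshold):
        # Constructed thresholds: distinct destinations that make a source a scanner,
        # and the number of scanners that trips the histogram for that signature.
        self.scanner_threshold = scanner_threshold
        self.histogram_threshold = histogram_threshold
        self.dests = defaultdict(set)      # (zone, proto, src) -> destinations seen
        self.scanners = defaultdict(dict)  # (zone, proto) -> ordered set of scanner IPs
        self.histogram_tripped = set()     # (zone, proto) pairs already in worm mode
        self.alerts = []

    def _fire(self, zone, proto, src, subsig, threshold):
        alert = {"zone": zone, "proto": proto, "attacker": src, "subsig": subsig,
                 "threshold": threshold, "actions": EVENT_ACTIONS[subsig]}
        self.alerts.append(alert)
        return alert

    def observe(self, zone, proto, src, dst):
        """Feed one flow; return the alerts it caused (possibly none)."""
        sig = (zone, proto)
        self.dests[(zone, proto, src)].add(dst)
        if len(self.dests[(zone, proto, src)]) < self.scanner_threshold:
            return []
        if src in self.scanners[sig]:
            return []  # this source was already reported for this signature
        self.scanners[sig][src] = True
        if sig in self.histogram_tripped:
            # Histogram already tripped: every new scanner is a worm-infected host.
            return [self._fire(zone, proto, src, SUBSIG_WORM, "histogram")]
        if len(self.scanners[sig]) >= self.histogram_threshold:
            # Histogram trips now: the scanning hosts each fire the worm signature
            # instead of the scanner signature, and the mode latches from here on.
            self.histogram_tripped.add(sig)
            return [self._fire(zone, proto, s, SUBSIG_WORM, "histogram")
                    for s in self.scanners[sig]]
        # Scanner seen but no histogram anomaly: scanner subsignature for this source.
        return [self._fire(zone, proto, src, SUBSIG_SCANNER, "scanner")]


def run(flows, scanner_threshold=3, histogram_threshold=2):
    """Replay constructed flow records and return every alert in firing order."""
    model = TrafficAnomalyModel(scanner_threshold, histogram_threshold)
    for zone, proto, src, dst in flows:
        model.observe(zone, proto, src, dst)
    return model.alerts


# Constructed flow records: (zone, protocol, source, destination).
FLOWS = [
    ("internal", "tcp", "10.0.0.5", "10.0.1.1"),
    ("internal", "tcp", "10.0.0.5", "10.0.1.2"),
    ("internal", "tcp", "10.0.0.5", "10.0.1.3"),  # first scanner: scanner subsig
    ("internal", "tcp", "10.0.0.9", "10.0.2.1"),
    ("internal", "tcp", "10.0.0.9", "10.0.2.2"),
    ("internal", "tcp", "10.0.0.9", "10.0.2.3"),  # second scanner trips the histogram
    ("internal", "tcp", "10.0.0.7", "10.0.3.1"),
    ("internal", "tcp", "10.0.0.7", "10.0.3.2"),
    ("internal", "tcp", "10.0.0.7", "10.0.3.3"),  # later scanner: worm subsig directly
    ("internal", "udp", "10.0.0.5", "10.0.1.1"),  # separate UDP signature, below threshold
]

if __name__ == "__main__":
    for a in run(FLOWS):
        print(f"{a['zone']}/{a['proto']} subsig {a['subsig']} attacker {a['attacker']} "
              f"threshold={a['threshold']} actions={'|'.join(a['actions'])}")
```

Replaying the constructed flows with the defaults yields four alerts: one scanner alert for the first source, then, when the second scanner trips the histogram, a worm alert for each of the two scanning hosts, and finally a worm alert for the third source, which never fires the scanner subsignature at all. Because only the worm subsignature carries the deny and block actions in this model, the output makes visible which hosts would actually be contained under the recommended policy and which would only be logged.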