9-10
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 9 Configuring Anomaly Detection
Configuring Anomaly Detection Operational Settings
Step 5 Display a list of anomaly detection policies on the sensor.
sensor# list anomaly-detection-configurations
Anomaly Detection
Instance              Size    Virtual Sensor
ad0                   255     vs0
temp                  707     N/A
MyAnomaly Detection   255     N/A
ad1                   141     vs1
sensor#
Step 6 Delete an anomaly detection policy.
sensor# configure terminal
sensor(config)# no service anomaly-detection MyAnomaly Detection
sensor(config)# exit
sensor#
Note You cannot delete the default anomaly detection policy, ad0.
Step 7 Verify that the anomaly detection instance has been deleted.
sensor# list anomaly-detection-configurations
Anomaly Detection
Instance              Size    Virtual Sensor
ad0                   204     vs0
ad1                   141     N/A
sensor#
Step 8 Reset an anomaly detection policy to factory settings.
sensor# configure terminal
sensor(config)# default service anomaly-detection ad1
sensor(config)#
For More Information
For the procedure for configuring operational settings, see Configuring Anomaly Detection Operational Settings, page 9-10.
For the procedures for configuring anomaly detection zones, see Configuring the Internal Zone, page 9-12, Configuring the Illegal Zone, page 9-20, and Configuring the External Zone, page 9-29.
For the procedure for configuring learning accept mode, see Configuring Learning Accept Mode, page 9-38.
For the procedure for working with KBs, see Working With KB Files, page 9-40.
Configuring Anomaly Detection Operational Settings
Use the worm-timeout command in service anomaly detection submode to set the worm detection timeout. After this timeout, the scanner threshold returns to the configured value. Use the ignore command in service anomaly detection submode to configure source and destination IP addresses that you want the sensor to ignore when anomaly detection is gathering information for a KB. Anomaly detection does not track these source and destination IP addresses, and the KB thresholds are not affected by these IP addresses.
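The following is an added model of the two operational settings just described; it is not Cisco IPS code and does not reproduce the sensor's internals. It assumes the ignore setting accepts a comma-separated list of single IPv4 addresses and low-high ranges, and it shows why ignored addresses never move the learned KB counts and how the worm timeout hands the scanner threshold back to its configured value. All addresses and flows are constructed sample data.

```python
import ipaddress


def parse_ignore_ranges(spec):
    """Parse 'A,B,C-D' (assumed ignore syntax: single IPv4 addresses and
    low-high ranges) into a list of inclusive (low, high) integer ranges."""
    ranges = []
    for item in filter(None, (s.strip() for s in spec.split(","))):
        lo, _, hi = item.partition("-")
        lo_n = int(ipaddress.IPv4Address(lo))
        hi_n = int(ipaddress.IPv4Address(hi)) if hi else lo_n
        if hi_n < lo_n:
            raise ValueError(f"reversed range: {item}")
        ranges.append((lo_n, hi_n))
    return ranges


def is_ignored(addr, ranges):
    n = int(ipaddress.IPv4Address(addr))
    return any(lo <= n <= hi for lo, hi in ranges)


def learn_scanner_counts(flows, ignore_src, ignore_dst):
    """Distinct-destination count per source, the raw material a KB threshold is
    learned from. Flows with an ignored source or destination are dropped before
    counting, so they never influence the thresholds."""
    dests = {}
    for src, dst in flows:
        if is_ignored(src, ignore_src) or is_ignored(dst, ignore_dst):
            continue
        dests.setdefault(src, set()).add(dst)
    return {src: len(d) for src, d in dests.items()}


class ScannerThreshold:
    """Configured scanner threshold plus a temporary override that expires
    after worm_timeout seconds, restoring the configured value."""
    def __init__(self, configured, worm_timeout):
        self.configured, self.worm_timeout = configured, worm_timeout
        self.override, self.expires_at = None, None

    def worm_detected(self, now, override):
        self.override, self.expires_at = override, now + self.worm_timeout

    def value(self, now):
        if self.expires_at is not None and now >= self.expires_at:
            self.override = self.expires_at = None   # timeout: back to configured
        return self.configured if self.override is None else self.override


# Constructed sample: an internal vulnerability scanner (10.10.5.5) fans out to
# 39 hosts but is ignored; 10.10.7.1 is not ignored and is counted normally.
SAMPLE_FLOWS = [("10.10.5.5", f"10.20.0.{i}") for i in range(1, 40)] + [
    ("10.10.7.1", "10.20.0.1"), ("10.10.7.1", "10.20.0.2"),
    ("10.10.2.7", "10.20.0.1"), ("10.10.9.9", "10.10.2.20")]
IGNORE_SRC = parse_ignore_ranges("10.10.5.5,10.10.2.1-10.10.2.30")
IGNORE_DST = parse_ignore_ranges("10.10.2.1-10.10.2.30")
```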