Cisco Systems IPS 7.1 Home Security System User Manual


Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 9 Configuring Anomaly Detection
Configuring the Illegal Zone
-----------------------------------------------
dest-ip-bin: high
num-source-ips: 75
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
enabled: true default: true
-----------------------------------------------
-----------------------------------------------
default-thresholds
-----------------------------------------------
scanner-threshold: 200 <defaulted>
threshold-histogram (min: 0, max: 3, current: 3)
-----------------------------------------------
<protected entry>
dest-ip-bin: low <defaulted>
num-source-ips: 10 <defaulted>
<protected entry>
dest-ip-bin: medium <defaulted>
num-source-ips: 1 <defaulted>
<protected entry>
dest-ip-bin: high <defaulted>
num-source-ips: 1 <defaulted>
-----------------------------------------------
-----------------------------------------------
enabled: true default: true
-----------------------------------------------
sensor(config-ano-int-oth)#
Configuring the Illegal Zone
This section describes how to configure the illegal zone, and contains the following topics:
Understanding the Illegal Zone, page 9-20
Configuring the Illegal Zone, page 9-21
Configuring TCP Protocol for the Illegal Zone, page 9-22
Configuring UDP Protocol for the Illegal Zone, page 9-24
Configuring Other Protocols for the Illegal Zone, page 9-27
Understanding the Illegal Zone
The illegal zone should represent IP address ranges that should never be seen in normal traffic, for
example, unallocated IP addresses or part of your internal IP address range that is unoccupied. You then
add the IP addresses that belong to this zone. If you do not configure IP addresses for all zones, all
packets are sent to the default zone, the external zone.
You can enable or disable TCP, UDP, and other protocols for the internal zone. You can configure a
destination port for the TCP and UDP protocols and a protocol number for the other protocols. You can
either use the default thresholds or override the scanner settings and add your own thresholds and
histograms.
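The following sketch is an added example, not part of the Cisco guide. It derives candidate illegal-zone ranges as the unoccupied part of an internal address block and shows the fallback to the external zone for addresses that match no configured zone. The address block, the subnets, the function names, the `first-last` range notation, and the assumption that zone membership is decided by destination address are all illustrative.

```python
import ipaddress

def unoccupied_ranges(internal_cidr, allocated_cidrs):
    """Return the parts of internal_cidr not covered by any allocated subnet,
    as (first, last) address pairs: candidates for the illegal zone."""
    net = ipaddress.ip_network(internal_cidr)
    lo, hi = int(net.network_address), int(net.broadcast_address)
    used = sorted(
        (int(n.network_address), int(n.broadcast_address))
        for n in map(ipaddress.ip_network, allocated_cidrs)
    )
    gaps, cursor = [], lo
    for start, end in used:
        if end < lo or start > hi:
            continue  # subnet lies outside the internal block
        if start > cursor:
            gaps.append((cursor, start - 1))  # hole before this subnet
        cursor = max(cursor, end + 1)
    if cursor <= hi:
        gaps.append((cursor, hi))  # tail of the block is unused
    return [(ipaddress.ip_address(a), ipaddress.ip_address(b)) for a, b in gaps]

def as_range_strings(ranges):
    """Format (first, last) pairs as 'first-last' strings (assumed notation)."""
    return [f"{first}-{last}" for first, last in ranges]

def classify(dest_ip, zones):
    """Return the zone whose ranges contain dest_ip. An address that matches
    no configured zone falls through to the default zone, 'external'."""
    addr = ipaddress.ip_address(dest_ip)
    for name, ranges in zones.items():
        if any(first <= addr <= last for first, last in ranges):
            return name
    return "external"

# Constructed sample data: one internal block with three occupied subnets.
INTERNAL_BLOCK = "10.20.0.0/16"
ALLOCATED = ["10.20.0.0/24", "10.20.1.0/24", "10.20.8.0/22"]

def build_zones():
    """Internal zone = occupied subnets; illegal zone = the unoccupied rest.
    The two sets are disjoint by construction."""
    nets = [ipaddress.ip_network(c) for c in ALLOCATED]
    internal = [(n.network_address, n.broadcast_address) for n in nets]
    return {"illegal": unoccupied_ranges(INTERNAL_BLOCK, ALLOCATED),
            "internal": internal}

if __name__ == "__main__":
    zones = build_zones()
    print("illegal zone candidates:", as_range_strings(zones["illegal"]))
    for ip in ("10.20.1.7", "10.20.5.9", "198.51.100.4"):
        print(ip, "->", classify(ip, zones))
```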