Filter
Top Products
9-24
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 9 Configuring Anomaly Detection
Configuring the Illegal Zone
enabled: true <defaulted>
-----------------------------------------------
-----------------------------------------------
default-thresholds
-----------------------------------------------
scanner-threshold: 120 default: 200
threshold-histogram (min: 0, max: 3, current: 3)
-----------------------------------------------
<protected entry>
dest-ip-bin: low <defaulted>
num-source-ips: 10 <defaulted>
<protected entry>
dest-ip-bin: medium
num-source-ips: 120 default: 1
<protected entry>
dest-ip-bin: high <defaulted>
num-source-ips: 1 <defaulted>
-----------------------------------------------
-----------------------------------------------
enabled: true <defaulted>
-----------------------------------------------
sensor(config-ano-ill-tcp)#
Configuring UDP Protocol for the Illegal Zone
Use the udp {enabled | dst-port number | default-thresholds} command in service anomaly detection
illegal zone submode to enable and configure the UDP service. The following options apply:
• enabled {false | true}—Enables/disables UDP protocol.
• default-thresholds—Defines thresholds to be used for all ports not specified in the destination port
map:
–
threshold-histogram {low | medium | high} num-source-ips number—Sets values in the
threshold histogram.
–
scanner-threshold—Sets the scanner threshold. The default is 200.
• dst-port number—Defines thresholds for specific destination ports. The valid values are 0 to 65535.
• enabled {true | false}—Enables/disables the service.
• override-scanner-settings {yes | no}—Lets you override the scanner values:
–
threshold-histogram {low | medium | high} num-source-ips number—Sets values in the
threshold histogram.
–
scanner-threshold—Sets the scanner threshold. The default is 200.
Configuring the Illegal Zone UDP Protocol
To configure UDP protocol for a zone, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter anomaly detection illegal zone submode.
sensor# configure terminal
sensor(config)# service anomaly-detection ad0
sensor(config-ano)# illegal-zone
sensor(config-ano-ill)#