Support User Manuals

Cisco Systems IPS 7.1 Home Security System User Manual

Open as PDF

of 1042

9-27

Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1

OL-19892-01

Chapter 9 Configuring Anomaly Detection

Configuring the Illegal Zone

Configuring Other Protocols for the Illegal Zone

Use the other {enabled | protocol number | default-thresholds} command in service anomaly detection

illegal zone submode to enable and configure the other services. The following options apply:

• enabled {false | true}—Enables/disables other protocols.

• default-thresholds—Defines thresholds to be used for all ports not specified in the destination port

map:

–

threshold-histogram {low | medium | high} num-source-ips number—Sets values in the

threshold histogram.

–

scanner-threshold—Sets the scanner threshold. The default is 200.

• protocol-number number—Defines thresholds for specific protocols. The valid values are 0 to 255.

• enabled {true | false}—Enables/disables the service.

• override-scanner-settings {yes | no}—Lets you override the scanner values:

–

threshold-histogram {low | medium | high} num-source-ips number—Sets values in the

threshold histogram.

–

scanner-threshold—Sets the scanner threshold. The default is 200.

Configuring the Illegal Zone Other Protocols

To configure other protocols for a zone, follow these steps:

Step 1 Log in to the CLI using an account with administrator privileges.

Step 2 Enter anomaly detection illegal zone submode.

sensor# configure terminal

sensor(config)# service anomaly-detection ad0

sensor(config-ano)# illegal-zone

sensor(config-ano-ill)#

Step 3 Enable the other protocols.

sensor(config-ano-ill)# other

sensor(config-ano-ill-oth)# enabled true

Step 4 Associate a specific number for the other protocols.

sensor(config-ano-ill-oth)# protocol-number 5

sensor(config-ano-ill-oth-pro)#

Step 5 Enable the service for that port.

sensor(config-ano-ill-oth-pro)# enabled true

Step 6 Override the scanner values for that protocol. You can use the default scanner values, or you can override

them and configure your own scanner values.

sensor(config-ano-ill-oth-pro)# override-scanner-settings yes

sensor(config-ano-ill-oth-pro-yes)#

Step 7 Add a histogram for the new scanner settings. Enter the number of destination IP addresses (low,

medium, or high) and the number of source IP addresses you want associated with this histogram.

sensor(config-ano-ill-oth-pro-yes)# threshold-histogram high num-source-ips 75

previous next