9-37
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 9 Configuring Anomaly Detection
Configuring Learning Accept Mode
This section describes KBs and histograms and how to configure learning accept mode. It contains the
following topics:
The KB and Histograms, page 9-37
Configuring Learning Accept Mode, page 9-38
The KB and Histograms
The KB has a tree structure, and contains the following information:
KB name
Zone name
Protocol
Service
The KB holds a scanner threshold and a histogram for each service. If you have learning accept mode
set to auto and the action set to rotate, a new KB is created every 24 hours and used in the next 24 hours.
If you have learning accept mode set to auto and the action is set to save only, a new KB is created, but
the current KB is used. If you do not have learning accept mode set to auto, no KB is created.
Note: Learning accept mode uses the sensor local time.
The scanner threshold defines the maximum number of zone IP addresses that a single source IP address
can scan. The histogram threshold defines the maximum number of source IP addresses that can scan
more than the specified numbers of zone IP addresses.
Anomaly detection identifies a worm attack when there is a deviation from the histogram that it
learned while no attack was in progress (that is, when the number of source IP addresses that
concurrently scan more than the defined number of zone destination IP addresses exceeds the learned
value). For example, if the scanning threshold is 300 and the histogram for port 445 is the one shown in
Table 9-2, and anomaly detection identifies a scanner that scans 350 zone destination IP addresses, it
produces an action indicating that a mass scanner was detected. However, this event alone does not yet
verify that a worm attack is in progress. Table 9-2 describes this example.
When anomaly detection identifies six concurrent source IP addresses that scan more than 20 zone
destination IP addresses on port 445, it produces an action with an unspecified source IP address that
indicates anomaly detection has identified a worm attack on port 445. The dynamic filter threshold, 20,
specifies the new internal scanning threshold and causes anomaly detection to lower the threshold
definition of a scanner so that anomaly detection produces additional dynamic filters for each source IP
address that scans more than the new scanning threshold (20).
You can override what the KB learned per anomaly detection policy and per zone. If you understand your
network traffic, you may want to use overrides to limit false positives.
Table 9-2 Example Histogram

Number of source IP addresses          10     5     2
Number of destination IP addresses      5    20   100
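The scanner threshold, histogram comparison and dynamic filter behaviour described above, as an added Python illustration that is not Cisco's implementation; the histogram values come from Table 9-2 and the scanner threshold of 300 from the text, while the sample scan events, host names and the order in which histogram buckets are checked are constructed assumptions.

```python
from collections import defaultdict

# Learned histogram for port 445 from Table 9-2: at most N source IPs may
# scan more than D zone destination IPs, stored as {D: N}.
HISTOGRAM_445 = {5: 10, 20: 5, 100: 2}
SCANNER_THRESHOLD = 300  # max zone IPs a single source may scan (page example)

def count_destinations(scan_events):
    """scan_events: iterable of (src_ip, dst_ip) seen on the service.
    Returns {src_ip: number of distinct zone destinations it scanned}."""
    dests = defaultdict(set)
    for src, dst in scan_events:
        dests[src].add(dst)
    return {src: len(d) for src, d in dests.items()}

def find_scanners(dest_counts, scanner_threshold=SCANNER_THRESHOLD):
    """Sources above the scanner threshold: the 'mass scanner' action.
    On its own this does not verify that a worm is in progress."""
    return sorted(s for s, n in dest_counts.items() if n > scanner_threshold)

def detect_worm(dest_counts, histogram=HISTOGRAM_445):
    """Compare live source counts with the learned histogram. Returns the
    destination bucket whose learned source count is exceeded (this becomes
    the dynamic filter threshold), or None when traffic matches the baseline.
    Checking buckets from smallest to largest is an assumption of this example."""
    for dst_bucket in sorted(histogram):
        concurrent = sum(1 for n in dest_counts.values() if n > dst_bucket)
        if concurrent > histogram[dst_bucket]:
            return dst_bucket
    return None

def dynamic_filters(dest_counts, new_threshold):
    """After a worm verdict the scanner definition is lowered to new_threshold;
    every source above it gets its own dynamic filter."""
    return sorted(s for s, n in dest_counts.items() if n > new_threshold)

def sample_events():
    """Constructed sample: five sources each probing 25 zone hosts on port 445
    plus one source sweeping 350 hosts. Addresses and host names are placeholders."""
    events = [(f"10.0.0.{i}", f"host{j}") for i in range(1, 6) for j in range(25)]
    events += [("10.0.0.99", f"host{j}") for j in range(350)]
    return events

if __name__ == "__main__":
    counts = count_destinations(sample_events())
    bucket = detect_worm(counts)
    print(find_scanners(counts), bucket, dynamic_filters(counts, bucket))
```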