Filter
Top Products
9-38
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 9 Configuring Anomaly Detection
Configuring Learning Accept Mode
Triggering the High Category Histogram Before the Single-Scanner Threshold
Based on the default histogram (nonlearned knowledge base [KB]) values, histogram-based detection
can occur before single-scanner detection.
Single scanner detection is based on the scanner threshold settings. The scanner threshold setting is a
single number for that port or protocol and zone. Any single IP address scanning more than that number
of hosts of that port or protocol in that zone is alerted as a scanner.
There is a histogram for that port or protocol and zone that tracks how many systems normally scan a
smaller number of hosts (10 hosts, 20 hosts, or 100 hosts). When more than that normal number of
scanners are seen, then a worm is declared and all IPs scanning more than the associated number of hosts
are alerted on as being a worm scanner.
Note An IP source address can be alerted on as being a worm scanner without ever reaching the scanner
threshold. The scanner threshold is used to detect single systems scanning a large number of hosts and
is tracked separately from the algorithms for detecting worms.
Configuring Learning Accept Mode
Use the learning-accept-mode command in service anomaly detection submode to configure whether
you want the sensor to create a new KB every so many hours. You can configure whether the KB is
created and loaded (rotate) or saved (save only). You can schedule how often and when the KB is loaded
or saved.
The new updated KB file name is the current date and time, YYYY-Mon-dd-hh_mm_ss, where Mon is the
three-letter abbreviation of the month.
Note Anomaly detection learning accept mode uses the sensor local time.
The following options apply:
• learning-accept-mode—Specifies if and when the KB is saved and loaded:
–
auto— Configures the sensor to automatically accept the KB.
–
manual—Does not save the KB.
Note You can save and load the KB using the anomaly-detection {load | save} commands.
• action—Specifies whether to rotate or save the KB:
–
save-only—Saves the new KB. You can examine it and decide whether to load it into anomaly
detection.
Note You can load the KB using the anomaly-detection load command.
–
rotate—Saves the new KB and loads it as the current KB according to the schedule you define.
• schedule— Configures a schedule to accept the KB:
–
calendar-schedule {days-of-week} {times-of-day}—Starts learning accept mode at specific
times on specific days.