Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 9 Configuring Anomaly Detection
Working With KB Files
Step 3 Compare the currently loaded file (the file with the *) with the initial KB for virtual sensor vs0.
sensor# show ad-knowledge-base vs0 diff initial file 2006-Jun-28-10_00_01
Initial Only Services/Protocols
   External Zone
      TCP Services
         Service = 30
         Service = 20
      UDP Services
         None
      Other Protocols
         Protocol = 1
   Illegal Zone
      None
   Internal Zone
      None
2006-Jun-28-10_00_01 Only Services/Protocols
   External Zone
      None
   Illegal Zone
      None
   Internal Zone
      None
Thresholds differ more than 10%
   External Zone
      None
   Illegal Zone
      TCP Services
         Service = 31
         Service = 22
      UDP Services
         None
      Other Protocols
         Protocol = 3
   Internal Zone
      None
sensor#
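The diff output has a fixed layout (section, then zone, then service category), so a saved copy can be parsed to track how a KB drifts from the initial baseline. The Python below is an added example, not part of the Cisco guide; the names parse_kb_diff and flatten are hypothetical, it assumes the CLI prompt ends in "#", and SAMPLE is the Step 3 output with line breaks written as semicolons.

```python
import re

ZONES = {"External Zone", "Illegal Zone", "Internal Zone"}
CATEGORIES = {"TCP Services", "UDP Services", "Other Protocols"}
ITEM = re.compile(r"^(Service|Protocol) = (\d+)$")
PROMPT = re.compile(r"^\S+#")  # assumption: prompt/echoed command look like "sensor# ..."

def parse_kb_diff(text):
    """Return {section: {zone: {category: [numbers]}}}; indentation is ignored."""
    result, section, zone, category = {}, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or PROMPT.match(line):
            continue
        if line.endswith("Only Services/Protocols") or line.startswith("Thresholds differ"):
            section, zone, category = line, None, None
            result[section] = {}
        elif section is None:
            raise ValueError(f"data before first section header: {line!r}")
        elif line in ZONES:
            zone, category = line, None
            result[section][zone] = {}
        elif zone is None:
            raise ValueError(f"data before first zone in {section!r}: {line!r}")
        elif line in CATEGORIES:
            category = line
            result[section][zone][category] = []
        elif line == "None":
            continue  # empty zone or empty category
        elif (m := ITEM.match(line)) and category is not None:
            result[section][zone][category].append(int(m.group(2)))
        else:
            raise ValueError(f"unexpected line: {line!r}")
    return result

def flatten(diff):
    """List every reported difference as (section, zone, category, number)."""
    return [(s, z, c, n) for s, zones in diff.items() for z, cats in zones.items()
            for c, nums in cats.items() for n in nums]

# Step 3 output from this page; ";" stands for a line break.
SAMPLE = ("sensor# show ad-knowledge-base vs0 diff initial file 2006-Jun-28-10_00_01;"
    "Initial Only Services/Protocols;External Zone;TCP Services;Service = 30;Service = 20;"
    "UDP Services;None;Other Protocols;Protocol = 1;Illegal Zone;None;Internal Zone;None;"
    "2006-Jun-28-10_00_01 Only Services/Protocols;External Zone;None;Illegal Zone;None;"
    "Internal Zone;None;Thresholds differ more than 10%;External Zone;None;Illegal Zone;"
    "TCP Services;Service = 31;Service = 22;UDP Services;None;Other Protocols;Protocol = 3;"
    "Internal Zone;None;sensor#").replace(";", "\n")

if __name__ == "__main__":
    for row in flatten(parse_kb_diff(SAMPLE)):
        print(row)
```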
Displaying the Thresholds for a KB
Use the show ad-knowledge-base virtual-sensor thresholds {current | initial | file name} [zone
{external | illegal | internal}] {[protocol {tcp | udp}] [dst-port port] | [protocol other] [number
protocol-number]} command in privileged EXEC mode to display the thresholds in a KB.
The following options apply:
• virtual-sensor—Specifies the name of the virtual sensor that contains the KB files you want to
compare.
• name—Specifies the name of the existing KB file.
• current—Specifies the currently loaded KB.
• initial—Specifies the initial KB.
• file—Specifies the name of an existing KB file.
• zone—(Optional) Displays the thresholds for the specified zone. The default displays information
for all zones.
• external—Displays the thresholds for the external zone.