Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 9 Configuring Anomaly Detection
Working With KB Files
• illegal—Displays the thresholds for the illegal zone.
• internal—Displays the thresholds for the internal zone.
• protocol—(Optional) Displays the thresholds for the specified protocol. The default displays information about all protocols.
• tcp—Displays the thresholds for the TCP protocol.
• udp—Displays the thresholds for the UDP protocol.
• other—Displays the thresholds for the other protocols besides TCP or UDP.
• dst-port—(Optional) Displays thresholds for the specified port. The default displays information about all TCP and/or UDP ports.
• port—Specifies the port number. The valid values are 0 to 65535.
• number—(Optional) Displays thresholds for the specified other protocol number. The default displays information for all other protocols.
• protocol-number—Specifies the protocol number. The valid values are 0 to 255.
Displaying KB Thresholds
To display the KB thresholds, follow these steps:
Step 1 Log in to the CLI.
Step 2 Locate the file for which you want to display thresholds:
sensor# show ad-knowledge-base vs1 files
Virtual Sensor vs1
Filename Size Created
initial 84 10:24:58 CDT Tue Mar 14 2006
2006-Mar-16-10_00_00 84 10:00:00 CDT Thu Mar 16 2006
2006-Mar-17-10_00_00 84 10:00:00 CDT Fri Mar 17 2006
2006-Mar-18-10_00_00 84 10:00:00 CDT Sat Mar 18 2006
2006-Mar-19-10_00_00 84 10:00:00 CDT Sun Mar 19 2006
2006-Mar-27-10_00_00 84 10:00:00 CDT Mon Mar 27 2006
2006-Apr-24-05_00_00 88 05:00:00 CDT Mon Apr 24 2006
* 2006-Apr-25-05_00_00 88 05:00:00 CDT Tue Apr 25 2006
Step 3 Display thresholds contained in a specific file for the illegal zone:
sensor# show ad-knowledge-base vs0 thresholds file 2006-Nov-11-10_00_00 zone illegal
AD Thresholds
Creation Date = 2006-Nov-11-10_00_00
KB = 2006-Nov-11-10_00_00
Illegal Zone
TCP Services
Default
Scanner Threshold
User Configuration = 200
Threshold Histogram - User Configuration
Low = 10
Medium = 3
High = 1
UDP Services
Default
Scanner Threshold
User Configuration = 200
Threshold Histogram - User Configuration
Low = 10
Medium = 3