Cisco Systems IPS 7.1 Home Security System User Manual


Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 9 Configuring Anomaly Detection
Illegal Zone
TCP Protocol
UDP Protocol
Other Protocol
sensor#
Disabling Anomaly Detection
If anomaly detection is enabled and your sensor is configured to see only one direction of
traffic, you should disable anomaly detection. Otherwise, you will receive many alerts, because
anomaly detection treats asymmetric traffic as incomplete connections, which is how worm scanners
appear, and fires alerts.
To disable anomaly detection, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter analysis engine submode.
sensor# configure terminal
sensor(config)# service analysis-engine
sensor(config-ana)#
Step 3 Enter the virtual sensor name that contains the anomaly detection policy you want to disable.
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)#
Step 4 Disable anomaly detection operational mode.
sensor(config-ana-vir)# anomaly-detection
sensor(config-ana-vir-ano)# operational-mode inactive
sensor(config-ana-vir-ano)#
Step 5 Exit analysis engine submode.
sensor(config-ana-vir-ano)# exit
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes:?[yes]:
Step 6 Press Enter to apply your changes or enter no to discard them.
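An added example, not part of the Cisco guide: a Python check that reads a saved command listing and reports which virtual sensors do not state operational-mode inactive, so the procedure above can be verified across every virtual sensor. It assumes the listing uses the same command lines and exit nesting as the session above; the sample text, the names vs1 and vs2, and the function names are constructed for illustration.

```python
# Constructed sample: same command lines and exit nesting as the session above.
SAMPLE_CONFIG = """\
service analysis-engine
virtual-sensor vs0
anomaly-detection
operational-mode inactive
exit
exit
virtual-sensor vs1
anomaly-detection
operational-mode detect
exit
exit
virtual-sensor vs2
exit
exit
"""


def anomaly_detection_modes(config_text):
    """Map each virtual sensor to its stated operational-mode (None if not stated)."""
    modes = {}
    stack = []  # open submodes, outermost first
    for raw in config_text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue  # skip blank lines and "!" separator lines, if present
        if words[0] == "exit":
            if stack:
                stack.pop()  # leave the innermost open submode
        elif words[0] == "service":
            stack = [" ".join(words)]  # a new service block resets the nesting
        elif (words[0] == "virtual-sensor" and len(words) == 2
              and stack == ["service analysis-engine"]):
            stack.append(words[1])
            modes.setdefault(words[1], None)
        elif words == ["anomaly-detection"] and len(stack) == 2:
            stack.append("anomaly-detection")
        elif (words[0] == "operational-mode" and len(words) == 2
              and stack[-1:] == ["anomaly-detection"]):
            modes[stack[1]] = words[1]  # stack[1] is the virtual sensor name
    return modes


def sensors_needing_change(config_text):
    """Virtual sensors whose listing does not state operational-mode inactive."""
    modes = anomaly_detection_modes(config_text)
    return sorted(vs for vs, mode in modes.items() if mode != "inactive")
```

A virtual sensor reported with no stated mode (vs2 in the sample) is flagged for a manual check on the sensor, because the listing alone does not show its effective setting.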
For More Information
For more information about how worms operate, see Understanding Worms, page 9-2.