B-73
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Appendix B Signature Engines
Traffic Anomaly Engine
When a scanner is detected but no histogram anomaly has occurred, the scanner signature (subsignature 0) fires for that attacker (scanner) IP address. If the histogram signature is triggered, each attacker address that is doing the scanning triggers the worm signature (subsignature 1) instead of the scanner signature. The alert details state which threshold is being used for the worm detection now that the histogram has been triggered. From that point on, all scanners are reported as worm-infected hosts.
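The decision described above, as an added worked example (not Cisco code and not the sensor's own implementation): a small model of one detection window that counts distinct destinations per source to find scanners, counts scanners per zone and protocol to decide whether the histogram threshold has been crossed, and then assigns the signature and subsignature IDs from Table B-39. The zone definition (internal zone = 10.0.0.0/8 by destination address), the two thresholds, the flow records and the sample window are all assumptions constructed for the example; a real sensor's zones, thresholds and scanner criteria are configured in the anomaly-detection service and are not reproduced here.

```python
"""Model of the Traffic Anomaly Engine scanner/worm decision.

Added example, not Cisco code. Zone ranges, thresholds and the sample
traffic window are constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Signature IDs from Table B-39 (only the rows shown on this page).
SIG_IDS = {
    ("internal", "tcp"): 13000,
    ("internal", "udp"): 13001,
    ("internal", "other"): 13002,
    ("external", "tcp"): 13003,
    ("external", "udp"): 13004,
}
SCANNER = 0  # subsignature 0: a single scanner was identified
WORM = 1     # subsignature 1: histogram threshold crossed, scanner is a worm host

# Assumed zone definition: destinations in this range are the internal zone,
# everything else is the external zone.
INTERNAL_ZONE = ip_network("10.0.0.0/8")


def zone_of(dst):
    return "internal" if ip_address(dst) in INTERNAL_ZONE else "external"


def protocol_class(proto):
    # The engine distinguishes TCP, UDP and "Other" only.
    return proto if proto in ("tcp", "udp") else "other"


def detect(flows, scanner_threshold, histogram_threshold):
    """Evaluate one window of unanswered connection attempts.

    flows: iterable of (src, dst, proto).
    A source that reaches more than scanner_threshold distinct destinations
    within one zone/protocol is a scanner. If more than histogram_threshold
    scanners exist for that zone/protocol, the histogram anomaly fires and
    every scanner there gets subsignature 1 (worm) instead of 0 (scanner).
    Returns one alert dict per scanner, including the threshold that applied.
    """
    targets = defaultdict(set)          # (zone, proto_class, src) -> {dst, ...}
    for src, dst, proto in flows:
        targets[(zone_of(dst), protocol_class(proto), src)].add(dst)

    scanners = defaultdict(list)        # (zone, proto_class) -> [src, ...]
    for (zone, pc, src), dsts in targets.items():
        if len(dsts) > scanner_threshold:
            scanners[(zone, pc)].append(src)

    alerts = []
    for (zone, pc), srcs in sorted(scanners.items()):
        histogram_crossed = len(srcs) > histogram_threshold
        subsig = WORM if histogram_crossed else SCANNER
        for src in sorted(srcs):
            alerts.append({
                "sig": SIG_IDS[(zone, pc)],
                "subsig": subsig,
                "attacker": src,
                "zone": zone,
                "protocol": pc,
                # Alert detail: which threshold produced this verdict.
                "threshold": histogram_threshold if histogram_crossed else scanner_threshold,
            })
    return alerts


def sample_flows():
    """Constructed sample window (not captured traffic)."""
    flows = []
    # Internal zone, TCP: one host probing 30 internal addresses -> single scanner.
    flows += [("192.0.2.10", f"10.1.0.{i}", "tcp") for i in range(1, 31)]
    # Internal zone, TCP: a host touching 2 addresses -> below the scanner threshold.
    flows += [("192.0.2.99", f"10.1.0.{i}", "tcp") for i in (1, 2)]
    # Internal zone, UDP: four hosts each probing 10 addresses -> histogram crossed.
    for n in range(4):
        flows += [(f"10.2.0.{n + 1}", f"10.3.{n}.{i}", "udp") for i in range(1, 11)]
    # External zone, TCP: one host probing 20 external addresses -> single scanner.
    flows += [("203.0.113.5", f"198.51.100.{i}", "tcp") for i in range(1, 21)]
    return flows


if __name__ == "__main__":
    for alert in detect(sample_flows(), scanner_threshold=5, histogram_threshold=3):
        print(alert)
```

With the thresholds above, the lone TCP scanners in each zone produce 13000/0 and 13003/0, while the four UDP scanners in the internal zone push the scanner count past the histogram threshold and all four are reported as 13001/1, matching the rule that once the histogram fires every scanner is treated as a worm host.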
The following anomaly detection event actions are possible:
• produce-alert—Writes the event to the Event Store.
• deny-attacker-inline—Does not transmit this packet and future packets originating from the attacker address for a specified period of time.
• log-attacker-packets—Starts IP logging for packets that contain the attacker address.
• log-pair-packets—Starts IP logging for packets that contain the attacker and victim address pair.
• deny-attacker-service-pair-inline—Blocks the source IP address and the destination port.
• request-snmp-trap—Sends a request to NotificationApp to perform SNMP notification.
• request-block-host—Sends a request to ARC to block this host (the attacker).
Table B-39 lists the anomaly detection worm signatures.
Table B-39 Anomaly Detection Worm Signatures

Signature ID | Subsignature ID | Name | Description
13000 | 0 | Internal TCP Scanner | Identified a single scanner over a TCP protocol in the internal zone.
13000 | 1 | Internal TCP Scanner | Identified a worm attack over a TCP protocol in the internal zone; the TCP histogram threshold was crossed and a scanner over a TCP protocol was identified.
13001 | 0 | Internal UDP Scanner | Identified a single scanner over a UDP protocol in the internal zone.
13001 | 1 | Internal UDP Scanner | Identified a worm attack over a UDP protocol in the internal zone; the UDP histogram threshold was crossed and a scanner over a UDP protocol was identified.
13002 | 0 | Internal Other Scanner | Identified a single scanner over an Other protocol in the internal zone.
13002 | 1 | Internal Other Scanner | Identified a worm attack over an Other protocol in the internal zone; the Other histogram threshold was crossed and a scanner over an Other protocol was identified.
13003 | 0 | External TCP Scanner | Identified a single scanner over a TCP protocol in the external zone.
13003 | 1 | External TCP Scanner | Identified a worm attack over a TCP protocol in the external zone; the TCP histogram threshold was crossed and a scanner over a TCP protocol was identified.
13004 | 0 | External UDP Scanner | Identified a single scanner over a UDP protocol in the external zone.