Filter
Top Products
CHAPTER
40-1
User Guide for Cisco Security Manager 4.4
OL-28826-01
40
Managing IPS Anomaly Detection
Anomaly detection is designed to recognize network congestion caused by worm traffic that exhibits
scanning behavior. Anomaly detection also will identify infected hosts on the network that are scanning
for other vulnerable hosts.
Anomaly detection is enabled by default, but there are some configuration settings you should adjust to
use it effectively.
Note The sensor must use IPS software version 6.x or higher to configure anomaly detection. In addition,
Cisco IOS IPS and the AIP-SSC-5 do not support anomaly detection.
This chapter contains the following topics:
• Understanding Anomaly Detection, page 40-1
• Configuring Anomaly Detection, page 40-6
Understanding Anomaly Detection
The anomaly detection component of the sensor detects worm-infected hosts. This enables the sensor to
be less dependent on signature updates for protection again worms and scanners, such as Code Red and
SQL Slammer and so forth. The anomaly detection component lets the sensor learn normal activity and
send alerts or take dynamic response actions for behavior that deviates from what it has learned as
normal behavior.
Note Anomaly detection does not detect email-based worms, such as Nimda.
Anomaly detection detects the following two situations:
• When the network starts on the path of becoming congested by worm traffic.
• When a single worm-infected source enters the network and starts scanning for other vulnerable
hosts.
The following topics explain anomaly detection in more detail:
• Worm Viruses, page 40-2
• Anomaly Detection Modes, page 40-2
• Anomaly Detection Zones, page 40-3