40-7
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 40 Managing IPS Anomaly Detection
Configuring Anomaly Detection
• Learning Accept Mode—The configuration for learning mode, including how the knowledge base is handled.

• Internal Zone, Illegal Zone, External Zone—The zones of your network that you define. You can configure unique settings for each zone. For an explanation of the zones, see Anomaly Detection Zones, page 40-3.
Step 2 Click the Operation Settings tab, if necessary, and configure the following:

• Worm Timeout—The time in seconds for the worm termination timeout. The range is 120 to 10,000,000 seconds. The default is 600 seconds. For an explanation of how this timeout is used, see Understanding Anomaly Detection Thresholds and Histograms, page 40-9.

• Enable Ignored Addresses and Source/Destination Addresses to Ignore—Whether you are configuring a list of addresses that should be ignored while anomaly detection is processing. You can specify a list of source addresses (those that initiate a scan) or destination addresses (the hosts that are scanned).

  The addresses can be a single host (such as 10.100.10.1), a range of addresses (such as 10.100.10.0-10.100.10.255), or network/host objects that contain single hosts, address ranges, or a combination of hosts and ranges. Click Select to select objects from a list or to create new objects.
Step 3 Click the Learning Accept Mode tab and define how the knowledge base will be generated and used. For detailed information, see Configuring Anomaly Detection Learning Accept Mode, page 40-8.
Step 4 Configure the internal, illegal, and external zones:

• Define the internal and illegal zones—The internal zones are the IP addresses of your internal network, the network that you manage. The illegal zone should represent IP address ranges that should never be seen in normal traffic, for example, unallocated IP addresses or part of your internal IP address range that is unoccupied.

  Click the Internal Zone and Illegal Zone tabs in turn and configure the following on the General tab:

  – Enable this zone—Whether the zone will be processed by anomaly detection.

  – Service Subnets—The IP addresses that comprise the zone. The default (0.0.0.0) means that no address is included in the zone. Replace 0.0.0.0 to define addresses for the zone.

    The addresses can be a single host (such as 10.100.10.1), a range of addresses (such as 10.100.10.0-10.100.10.255), or network/host objects that contain single hosts, address ranges, or a combination of hosts and ranges. Click Select to select objects from a list or to create new objects.

• Decide whether to enable the external zone—The external zone comprises all IP addresses that are not configured for the internal or illegal zones. You do not explicitly assign addresses to this zone. On the External Zone tab, General sub-tab, you can enable or disable the zone using the Enable this zone checkbox. The external zone is enabled by default.

• Configure scanner thresholds and histograms—Each zone has sub-tabs for TCP Protocol, UDP Protocol, and Other Protocols. On these tabs, you can configure non-default settings for specific services that override the learned histograms. For detailed information about configuring these settings, see Configuring Anomaly Detection Thresholds and Histograms, page 40-11.

At this point, you have finished configuring the basic anomaly detection settings.
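The following is an added illustration, not code from the Cisco Security Manager guide or the IPS sensor: it resolves an address to the zone it would belong to under the rules above (ignore list first, the 0.0.0.0 default meaning "no addresses", and the external zone being everything not assigned to the internal or illegal zone). Network/host objects are represented here as CIDR strings, and the precedence between overlapping internal and illegal definitions is an assumption of this example.

```python
# Added example (not from the Cisco guide). Address specs follow the syntax the
# guide describes: single host, "first-last" range, or a network object (shown
# here as CIDR). The default service subnet 0.0.0.0 contributes no addresses.
import ipaddress

EMPTY_DEFAULT = "0.0.0.0"  # guide: default means no address is in the zone


def parse_spec(spec):
    """Return a list of (first, last) integer ranges for one address spec."""
    spec = spec.strip()
    if spec == EMPTY_DEFAULT:
        return []
    if "-" in spec:  # range of addresses, e.g. 10.100.10.0-10.100.10.255
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if int(lo) > int(hi):
            raise ValueError(f"range start after end: {spec}")
        return [(int(lo), int(hi))]
    if "/" in spec:  # network object, represented as CIDR (assumption)
        net = ipaddress.ip_network(spec, strict=False)
        return [(int(net[0]), int(net[-1]))]
    host = int(ipaddress.ip_address(spec))  # single host
    return [(host, host)]


def build_ranges(specs):
    ranges = []
    for s in specs:
        ranges.extend(parse_spec(s))
    return ranges


def contains(ranges, addr):
    a = int(ipaddress.ip_address(addr))
    return any(lo <= a <= hi for lo, hi in ranges)


def classify(addr, internal_specs, illegal_specs, ignore_specs=()):
    """Return 'ignored', 'internal', 'illegal' or 'external' for addr.
    Internal is checked before illegal; that ordering is an assumption."""
    if contains(build_ranges(ignore_specs), addr):
        return "ignored"
    if contains(build_ranges(internal_specs), addr):
        return "internal"
    if contains(build_ranges(illegal_specs), addr):
        return "illegal"
    return "external"  # everything not internal or illegal (per the guide)


# Constructed sample configuration using the guide's example address syntax.
INTERNAL = ["10.100.10.0-10.100.10.255", "10.100.20.0/24"]
ILLEGAL = ["10.100.30.0-10.100.30.255"]  # unoccupied slice of internal space
IGNORE = ["10.100.10.1"]                  # e.g. an authorised scanner host

if __name__ == "__main__":
    for ip in ("10.100.10.1", "10.100.10.7", "10.100.30.9", "192.0.2.5"):
        print(ip, "->", classify(ip, INTERNAL, ILLEGAL, IGNORE))
```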
Step 5 (Device view only.) Configure the anomaly detection mode. This setting is defined in the Virtual Sensors policy. Consider the following tips to select the correct policy:

• If you configured the anomaly detection policy on a virtual sensor (other than vs0, which is represented by the parent IPS device), you must select the parent IPS device, then select the Virtual Sensors policy.