40-4
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 40 Managing IPS Anomaly Detection
Understanding Anomaly Detection
You can configure the illegal zone with IP address ranges that should never be seen in normal traffic, for
example, unallocated IP addresses or part of your internal IP address range that is unoccupied. An illegal
zone can be very helpful for accurate detection, because we do not expect any legal traffic to reach this
zone. This allows very low thresholds, which in turn can lead to very quick worm virus detection.
Knowing When to Turn Off Anomaly Detection
Anomaly detection assumes that it gets traffic from both directions. If the sensor is configured to see
only one direction of traffic, you should turn off anomaly detection. Otherwise, when anomaly detection
is running in an asymmetric environment, it identifies all traffic as having incomplete connections, that
is, as scanners, and sends alerts for all traffic flows.
You turn off anomaly detection in the Virtual Sensors policy. Edit the virtual sensor for which you are
disabling anomaly detection, and change the Anomaly Detection Mode to Inactive. For information on
editing virtual sensors, see Editing Policies for a Virtual Sensor, page 37-9.
Configuring Anomaly Detection Signatures
The Traffic Anomaly engine contains nine anomaly detection signatures covering three protocols (TCP,
UDP, and other). Each signature has two subsignatures, one for the scanner and the other for the
worm-infected host (or a scanner under worm attack). When anomaly detection discovers an anomaly, it
triggers an alert for these signatures. All anomaly detection signatures are enabled by default and the
alert severity for each one is set to high.
When a scanner is detected but no histogram anomaly occurred, the scanner signature fires for that
attacker (scanner) IP address. If the histogram signature is triggered, the attacker addresses that are doing
the scanning each trigger the worm signature (instead of the scanner signature). The alert details state
which threshold is being used for the worm detection now that the histogram has been triggered. From
that point on, all scanners are detected as worm-infected hosts.
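The following Python model is an added illustration of the two behaviours described above (the scanner-versus-worm subsignature choice, and why a sensor that sees only one direction of traffic treats every flow as an incomplete connection); it is not Cisco's implementation and is not taken from the guide. The flow records, the illegal-zone range, the per-zone scanner thresholds and the histogram threshold are all constructed assumptions chosen so the behaviour is visible in a few lines.

```python
"""Toy model of the Traffic Anomaly scanner / worm subsignature logic.

Added illustration, not Cisco's implementation. The flow records, zone
boundaries and thresholds below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed zone layout: one unoccupied internal range is declared "illegal";
# everything else counts as the regular internal zone.
ILLEGAL_ZONE = ip_network("10.9.0.0/24")

# Assumed per-zone thresholds. The illegal zone carries no legitimate traffic,
# so it can use a much lower scanner threshold.
SCANNER_THRESHOLD = {"internal": 5, "illegal": 2}   # unanswered peers per source
HISTOGRAM_THRESHOLD = 3                              # scanners before a zone is "under worm attack"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "other"
    request_seen: bool  # client -> server packet observed by the sensor
    reply_seen: bool    # server -> client packet observed by the sensor


def zone_of(dst):
    return "illegal" if ip_address(dst) in ILLEGAL_ZONE else "internal"


def incomplete_peers(flows):
    """{(proto, zone): {src: set(dst)}} for connections that never got a reply."""
    peers = defaultdict(lambda: defaultdict(set))
    for f in flows:
        if f.request_seen and not f.reply_seen:
            peers[(f.proto, zone_of(f.dst))][f.src].add(f.dst)
    return peers


def classify(flows):
    """Return (alerts, worm_zones).

    alerts is a sorted list of (proto, zone, src, subsignature); worm_zones is
    the set of (proto, zone) pairs whose histogram threshold was crossed, after
    which every scanner in that pair fires the worm subsignature instead.
    """
    alerts, worm_zones = [], set()
    for (proto, zone), by_src in incomplete_peers(flows).items():
        scanners = [s for s, d in by_src.items() if len(d) >= SCANNER_THRESHOLD[zone]]
        if len(scanners) >= HISTOGRAM_THRESHOLD:
            worm_zones.add((proto, zone))
        label = "worm" if (proto, zone) in worm_zones else "scanner"
        alerts.extend((proto, zone, s, label) for s in scanners)
    return sorted(alerts), worm_zones


def strip_return_direction(flows):
    """Simulate an asymmetric deployment where only client -> server traffic is seen."""
    return [Flow(f.src, f.dst, f.proto, f.request_seen, False) for f in flows]


# --- constructed sample traffic ------------------------------------------------

def normal_traffic():
    """Ten clients each complete connections to six internal servers."""
    servers = [f"10.1.0.{i}" for i in range(1, 7)]
    return [Flow(f"10.0.0.{c}", s, "tcp", True, True)
            for c in range(1, 11) for s in servers]


def scan_traffic():
    """One host probes eight unanswered addresses in the illegal zone."""
    return [Flow("192.0.2.10", f"10.9.0.{i}", "tcp", True, False) for i in range(1, 9)]


def worm_traffic():
    """Three infected hosts each probe six unanswered illegal-zone addresses."""
    return [Flow(f"10.0.1.{h}", f"10.9.0.{i}", "tcp", True, False)
            for h in range(1, 4) for i in range(1, 7)]


if __name__ == "__main__":
    scenarios = [("single scanner", normal_traffic() + scan_traffic()),
                 ("worm outbreak", normal_traffic() + worm_traffic()),
                 ("asymmetric, normal traffic only", strip_return_direction(normal_traffic()))]
    for name, flows in scenarios:
        alerts, worm_zones = classify(flows)
        print(f"{name}: {len(alerts)} alert(s); worm histogram hit in {sorted(worm_zones)}")
        for a in alerts:
            print("   ", a)
```

The third scenario is the case the guide warns about: the same ten legitimate clients that produce no alerts when both directions are visible all cross the scanner threshold once the reply direction is missing, and because ten scanners exceed the histogram threshold they are reported as worm-infected hosts, which is why anomaly detection should be set to Inactive on a virtual sensor that sees asymmetric traffic.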
The following anomaly detection event actions are possible:
Produce alert—Writes the event to the Event Store.
Deny attacker inline—(Inline only) Does not transmit this packet and future packets originating
from the attacker address for a specified period of time.
Log attacker packets—Starts IP logging for packets that contain the attacker address.
Deny attacker service pair inline—Blocks the source IP address and the destination port.
Request SNMP trap—Sends a trap notification to an SNMP trap destination. To use this action, you
must configure SNMP trap hosts as described in Configuring SNMP, page 35-8.
Request block host—Sends a request to ARC to block this host (the attacker). To use this action, you
must configure blocking devices as described in Configuring IPS Blocking and Rate Limiting,
page 42-7.
You can add actions to the signatures either directly, in the Signatures policy, or to events generated by
the signatures based on risk rating in the Event Actions Overrides policy.
The following table lists the anomaly detection worm signatures.