40-8
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 40 Managing IPS Anomaly Detection
Configuring Anomaly Detection
If you configured the Anomaly Detection policy as a shared policy in Policy view, select the IPS
device to which the policy is assigned, or that hosts a virtual sensor to which the policy is assigned.
Then, complete the following steps in the Virtual Sensors policy:
a. Select the desired virtual sensor in the table and click the Edit Row button.
b. In the Modify Virtual Sensors dialog box, select the appropriate option for the Anomaly Detection
Mode setting: Detect, Inactive, Learn. The default and normal operational mode is Detect. However,
if you are using asymmetric normalizer mode, you might want to set the anomaly detection mode to
Inactive. For detailed information about these modes, see Anomaly Detection Modes, page 40-2. For
information about the other settings in this dialog box, see Virtual Sensor Dialog Box, page 37-7.
c. If you placed anomaly detection in Learning mode, remember to change the mode to Detect after
the desired learning period has completed.
Step 6 Add additional actions to the anomaly detection signatures, if desired. For example, you might want to
add a deny action so that attacks are dropped. You can alternatively configure event action overrides to
add actions based on risk rating. For more information, see Configuring Anomaly Detection Signatures,
page 40-4.
Step 7 Manage the knowledge base, if necessary.
If you configured the knowledge base to automatically rotate (on the Learning Accept Mode tab), then
the knowledge base is refreshed automatically and manual intervention is not necessary.
If you configured anomaly detection to only save new databases, and not use them, then you need to
manually load updated knowledge bases periodically. You cannot do this in Security Manager; use the
IPS Device Manager (IDM) instead.
Using IDM (or IME), you can load, delete, and rename knowledge bases, and upload them to or
download them from an external server. For more information about what you can do, see the online help
for IDM or IME.
Configuring Anomaly Detection Learning Accept Mode
Use the Learning Accept Mode tab of the Anomaly Detection policy to configure whether you want the
sensor to create a new knowledge base every so many hours. You can configure whether the knowledge
base is created and loaded (Rotate) or saved (Save Only). You can schedule how often and when the
knowledge base is loaded or saved.
The default generated filename is YYYY-Mon-dd-hh_mm_ss (that is,
year-month-day-hour_minute_second), where Mon is a three-letter abbreviation of the current month.
The knowledge base has a tree structure and contains the following information:
Knowledge base name
Zone name
Protocol
Service
The knowledge base holds a scanner threshold and a histogram for each service. If you have learning
accept mode set to automatic and the action set to rotate, a new knowledge base is created every 24 hours
and used in the next 24 hours. If you have learning accept mode set to automatic and the action is set to
save only, a new knowledge base is created but not loaded, and the current knowledge base is used. If
you do not have learning accept mode set to automatic, no knowledge base is created.
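The following Python check is an added example, not part of this guide or of Cisco's software. It parses knowledge base names in the YYYY-Mon-dd-hh_mm_ss format described above and, from the Learning Accept Mode settings, reports whether the knowledge base a virtual sensor is using is stale and whether an operator has to load a newer one through IDM or IME. The sample names, the 48-hour staleness limit, and the function names are assumptions made for the example.

```python
from datetime import datetime

# Sensor-generated knowledge base names use YYYY-Mon-dd-hh_mm_ss,
# e.g. "2013-Jan-15-03_00_00" (sample names in this example are constructed).
KB_NAME_FORMAT = "%Y-%b-%d-%H_%M_%S"


def parse_kb_name(name):
    """Recover the creation time encoded in a sensor-generated knowledge base name."""
    return datetime.strptime(name, KB_NAME_FORMAT)


def format_kb_name(when):
    """Build the name the sensor would give a knowledge base created at 'when'."""
    return when.strftime(KB_NAME_FORMAT)


def knowledge_base_status(automatic, action, loaded_kb, saved_kbs, now, max_age_hours=48):
    """Classify the loaded knowledge base and state what the operator must do.

    automatic     - Learning Accept Mode is set to automatic
    action        - "rotate" or "save_only" (only meaningful when automatic)
    loaded_kb     - name of the knowledge base the virtual sensor is currently using
    saved_kbs     - names of all knowledge bases stored on the sensor (as listed in IDM)
    now           - current time, as a datetime or a name-formatted string
    max_age_hours - assumed limit: two 24-hour learning periods before the loaded
                    knowledge base counts as stale
    """
    if isinstance(now, str):
        now = parse_kb_name(now)
    age_hours = (now - parse_kb_name(loaded_kb)).total_seconds() / 3600
    newest = max(saved_kbs, key=parse_kb_name)
    stale = age_hours > max_age_hours
    if not automatic:
        # No knowledge base is ever created, so the scanner thresholds never get refreshed.
        todo = "enable automatic learning accept mode; no new knowledge base is being created"
    elif action == "rotate":
        # A new knowledge base is created and loaded every 24 hours without intervention,
        # so a stale loaded knowledge base means rotation is not happening as configured.
        todo = "none, sensor rotates automatically" if not stale else "investigate: rotation did not occur"
    elif action == "save_only":
        # New knowledge bases are only saved; the loaded one stays in use until replaced by hand.
        todo = "none" if newest == loaded_kb else "load " + newest + " with IDM/IME"
    else:
        raise ValueError("unknown action: " + repr(action))
    return {"loaded_age_hours": age_hours, "newest_saved": newest, "stale": stale, "todo": todo}
```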