40-12
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 40 Managing IPS Anomaly Detection
Configuring Anomaly Detection
The content of this table is fixed; you cannot add or delete items. However, you can select a row and
click Edit Row (pencil) to change the number of source addresses configured for a threshold setting.
See Histogram Dialog Box, page 40-13.
Step 4 Repeat the process for each combination of zone and protocol for which you are defining non-default
settings.
Dest Port or Protocol Map Dialog Box
Use the Add or Modify Dest Port Map dialog box to add or modify destination port scanner settings for
TCP or UDP, and the Add or Modify Protocol Map dialog box to add or modify scanner settings for other
protocols.
Before you configure these settings, read the following topics:
Understanding Anomaly Detection Thresholds and Histograms, page 40-9
Configuring Anomaly Detection Thresholds and Histograms, page 40-11
Tip: You do not need to add a port or protocol to have anomaly detection look for worm attacks against it. By
default, all ports and protocols are processed. You need to configure specific settings only if you want
to turn off detection on a specific port or protocol, or if you want non-default thresholds or histograms.
Navigation Path
In the Anomaly Detection policy, on the TCP Protocol, UDP Protocol, or Other Protocol sub tabs on
the Internal Zone, Illegal Zone, or External Zone tabs, click the Add Row button beneath the Destination
Port Map or Protocol Number Map tables, or select a row and click the Edit Row button. For more
information on the steps required to get here, see Configuring Anomaly Detection Thresholds and
Histograms, page 40-11.
Field Reference
Table 40-2 Destination Port or Protocol Map Dialog Box

| Element | Description |
|---|---|
| Destination Port Number (Dest Port Map dialog box only.) | The destination port number for which you are defining non-default values. The range is 0 to 65535. Enter a single port number, or the name of a port list object that contains a single port number. Click Select to select an object from a list or to create a new one. |
| Protocol Number (Protocol Map dialog box only.) | The protocol number for non-TCP/UDP protocols. For a list of protocol numbers, see RFC 1700 at http://www.ietf.org/rfc/rfc1700.txt and search for “Protocol Numbers.” Look for a heading (at the time of this writing, the second search hit). The range is 0 to 255. For example, ICMP is protocol 1. |
| Enabled | Whether to enable this service. If you do not enable the service, the associated port or protocol is not processed by anomaly detection. |