9-4
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2
OL-29168-01
Chapter 9 Configuring Anomaly Detection
Detect mode—For ongoing operation, the sensor should remain in detect mode, 24 hours a day,
7 days a week. Once a learned KB has been created and has replaced the initial KB, anomaly detection
detects attacks based on it: it looks for network traffic flows that violate the thresholds in the KB and
sends alerts. While anomaly detection looks for anomalies, it also records gradual changes that do
not violate the thresholds and from them builds a new KB. The new KB is periodically saved and takes
the place of the old one, so the KB stays up to date.
Inactive mode—You can turn anomaly detection off by putting it in inactive mode. Under certain
circumstances anomaly detection should be in inactive mode, for example, if the sensor is running
in an asymmetric environment. Anomaly detection assumes it sees traffic in both directions; if the
sensor is configured to see only one direction, every connection appears incomplete, so anomaly
detection classifies every source as a scanner and sends alerts for all traffic flows. Running anomaly
detection also lowers sensor performance.
Example
The following example summarizes the default anomaly detection configuration. If you add a virtual
sensor at 11:00 pm and do not change the default anomaly detection configuration, anomaly detection
begins working with the initial KB and only performs learning. Although it is in detect mode, it cannot
detect attacks until it has gathered information for 24 hours and replaced the initial KB. At the first start
time (10:00 am by default), and the first interval (24 hours by default), the learning results are saved to
a new KB, and this KB is loaded and replaces the initial KB. Because anomaly detection is in detect
mode by default, it begins to detect attacks as soon as the new KB is in place.
For More Information
For the procedures for putting anomaly detection in different modes, see Adding, Editing, and
Deleting Virtual Sensors, page 5-4.
For more information about how worms operate, see Understanding Worms, page 9-2.
Anomaly Detection Zones
By subdividing the network into zones, you can achieve a lower false negative rate. A zone is a set of
destination IP addresses. There are three zones, internal, illegal, and external, and each has its own
thresholds.
The external zone is the default zone with the default Internet range of 0.0.0.0-255.255.255.255. By
default, the internal and illegal zones contain no IP addresses. Packets that do not match the set of IP
addresses in the internal or illegal zone are handled by the external zone.
We recommend that you configure the internal zone with the IP address range of your internal network.
If you configure it in this way, the internal zone covers all the traffic that comes to your IP address range,
and the external zone covers all the traffic that goes to the Internet.
You can configure the illegal zone with IP address ranges that should never be seen in normal traffic, for
example, unallocated IP addresses or an unoccupied part of your internal IP address range. An illegal
zone can be very helpful for accurate detection, because no legitimate traffic is expected to reach this
zone. This allows very low thresholds, which in turn can lead to very quick worm detection.
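The following Python model is an added example, not Cisco IPS code, that shows the two points made on this page: how destination addresses are classified into the internal, illegal and external zones (with the illegal zone carved out of the internal range so it can carry a much lower threshold), and why a sensor that sees only one direction of traffic reports legitimate sources as scanners. The zone ranges, per-zone thresholds and traffic sample are constructed for illustration; the ranges use the same `low-high` notation the guide uses.

```python
"""Anomaly detection zones and the asymmetric-traffic pitfall, modelled.

Added example, not Cisco IPS code.  Ranges, thresholds and flows below are
constructed for illustration only.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


def parse_range(text):
    """Turn a 'low-high' range (the guide's notation) into a list of networks."""
    lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-"))
    return list(ipaddress.summarize_address_range(lo, hi))


# Constructed zone ranges.  The illegal zone is an unoccupied slice of the
# internal range; anything that matches neither zone is external.
ZONES = {
    "internal": parse_range("10.0.0.0-10.255.255.255"),
    "illegal": parse_range("10.250.0.0-10.250.255.255"),
}
# Constructed per-zone thresholds: distinct unanswered destinations a source may
# touch before it is reported as a scanner.  No legitimate traffic should reach
# the illegal zone, so its threshold can be very low.
THRESHOLDS = {"internal": 20, "illegal": 2, "external": 200}


def zone_for(dst):
    """Zones are sets of destination addresses.  Illegal is checked before
    internal because it is a subset of it; unmatched addresses are external."""
    addr = ipaddress.ip_address(dst)
    for zone in ("illegal", "internal"):
        if any(addr in net for net in ZONES[zone]):
            return zone
    return "external"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    answered: bool  # True if the sensor saw the reply direction of the flow


def find_scanners(flows, asymmetric=False):
    """Return {(src, zone): unanswered_destinations} for sources over threshold.

    With asymmetric=True the sensor sees only the request direction, so no flow
    ever looks answered: this is the failure mode the guide warns about.
    """
    unanswered = defaultdict(set)
    for f in flows:
        if asymmetric or not f.answered:
            unanswered[(f.src, zone_for(f.dst))].add(f.dst)
    return {
        key: len(dsts)
        for key, dsts in unanswered.items()
        if len(dsts) > THRESHOLDS[key[1]]
    }


# Constructed traffic sample.
SAMPLE_FLOWS = (
    # A monitoring host completing handshakes with 25 internal servers.
    [Flow("10.0.0.9", f"10.1.1.{i}", True) for i in range(1, 26)]
    # An outside host probing three addresses in the unoccupied illegal range.
    + [Flow("198.51.100.7", f"10.250.0.{i}", False) for i in range(1, 4)]
    # The same host probing five live internal addresses: under that threshold.
    + [Flow("198.51.100.7", f"10.1.2.{i}", False) for i in range(1, 6)]
    # Normal outbound web traffic to the Internet.
    + [Flow("10.1.1.20", "192.0.2.80", True)]
)

if __name__ == "__main__":
    print("symmetric :", find_scanners(SAMPLE_FLOWS))
    print("asymmetric:", find_scanners(SAMPLE_FLOWS, asymmetric=True))
```

With both directions visible, only the host touching three illegal-zone addresses is reported, even though it also probed five internal hosts, because the internal threshold is higher. With only one direction visible, the monitoring host's 25 legitimate connections all look unanswered and it is reported as a scanner too, which is why the guide says to put anomaly detection in inactive mode on asymmetric deployments.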
For More Information
For the procedures for configuring zones, see Configuring the Internal Zone, page 9-11, Configuring the
Illegal Zone, page 9-20, and Configuring the External Zone, page 9-28.