Cisco IPS 4240 establishes a baseline of normal traffic and uses it to check for deviations from the learned traffic patterns, which indicate an anomaly in the network. This detection technique mainly detects worm attacks originating from one or more hosts in the network. Worms that propagate by email, instant messaging or file sharing cannot be detected by anomaly detection.
Anomaly detection uses signature IDs 13000 to 13008.
Anomaly detection setting description
The anomaly detection configuration page consists of five tabs: Operation Settings, Learning Accept Mode, Internal Zone, Illegal Zone and External Zone. This section describes the settings on each tab; understanding these settings helps you decide how to customize anomaly detection for the Cisco IPS.
Worm timeout is the time anomaly detection waits after a worm outbreak before it resumes learning the baseline of the network. The default is 10 minutes, which means learning resumes 10 minutes after the worm outbreak.
“Configure IP address ranges to ignore during AD processing” lets you list one IP address or a set of IP address ranges that will be excluded from baseline learning.
Learning Accept Mode
There are two actions – Rotate and Save Only. Rotate saves the baseline every learning interval and loads the current latest baseline. Save Only saves the baseline every learning interval but does not load the baseline.
The learning interval is set to 24 hours, which means that every 24 hours a new baseline is saved and, with the Rotate action, loaded.
The internal zone contains your organization's network, that is, your internal private network. In this example 192.168.20.0-192.168.20.254 is my internal network. I can make the internal zone more specific by including 192.168.20.1-192.168.20.2 and 192.168.20.254 instead of the whole subnet, because these three hosts are the only hosts actually present in the internal network. To make the baseline more accurate, with the fewest false positives, you should consider making the internal zone settings more specific.
You can define the TCP ports that you want the IPS to watch when building the baseline.
The scanner threshold is the number of hosts that a single scanner may scan per minute. If the scanner threshold is exceeded, the IPS consults the threshold histogram to determine whether it is a worm attack.
The default values under the threshold histogram mean:
1. No more than 1 host may scan more than 100 hosts (HIGH); if this is violated, a worm attack is declared.
2. No more than 3 hosts may scan between 20 and 99 hosts (MEDIUM); if this is violated, a worm attack is declared.
3. No more than 10 hosts may scan between 5 and 19 hosts (LOW); if this is violated, a worm attack is declared.
The illegal zone contains networks that are not available, not expected or invalid. In my example I do not expect traffic to be sent to these addresses, as seen in the screenshot. I can also include the unallocated IP addresses from the 192.168.20.0/24 pool, since in my lab environment only three IP addresses are used and the others are unavailable.
Any IP address not defined in the Internal Zone or Illegal Zone belongs to the External Zone.
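The zone rules and the threshold histogram above are easier to reason about when written out as code. The following Python is an added example, not Cisco's implementation and not part of the original post: it classifies destination addresses into the internal, illegal and external zones using the lab ranges from this post, counts the distinct hosts each source touches on one TCP port within the zone, and then applies the scanner threshold followed by the default histogram exactly as the three rules describe. The scanner threshold value, the `Flow` record, the sample flows and the choice to fold a count of exactly 100 hosts into the HIGH bin are all assumptions made for the demonstration.

```python
from collections import defaultdict
from ipaddress import ip_address
from typing import NamedTuple

# Zone definitions modelled on the post's lab example: three real hosts form the
# internal zone and the remaining, unallocated addresses of 192.168.20.0/24 are
# treated as illegal. Everything else falls into the external zone.
INTERNAL_RANGES = [("192.168.20.1", "192.168.20.2"), ("192.168.20.254", "192.168.20.254")]
ILLEGAL_RANGES = [("192.168.20.3", "192.168.20.253")]

# Default histogram from the post as (lowest host count, highest host count or
# None for open-ended, maximum scanners allowed, label). ASSUMPTION: a source
# that scans exactly 100 hosts is placed in the HIGH bin.
HISTOGRAM = [(100, None, 1, "HIGH"), (20, 99, 3, "MEDIUM"), (5, 19, 10, "LOW")]

SCANNER_THRESHOLD = 5  # ASSUMPTION: demo value, not the appliance's default


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int


def in_ranges(addr, ranges):
    a = ip_address(addr)
    return any(ip_address(lo) <= a <= ip_address(hi) for lo, hi in ranges)


def zone_of(addr):
    """Internal and illegal zones are explicit; anything else is external."""
    if in_ranges(addr, INTERNAL_RANGES):
        return "internal"
    if in_ranges(addr, ILLEGAL_RANGES):
        return "illegal"
    return "external"


def scan_counts(flows, zone, port):
    """Distinct destination hosts contacted by each source on one TCP port
    inside the given zone. The flows are assumed to fall in one minute."""
    dests = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.dport == port and zone_of(f.dst) == zone:
            dests[f.src].add(f.dst)
    return {src: len(d) for src, d in dests.items()}


def histogram_bin(n_hosts, histogram=HISTOGRAM):
    for lo, hi, _, label in histogram:
        if n_hosts >= lo and (hi is None or n_hosts <= hi):
            return label
    return None


def evaluate(counts, scanner_threshold=SCANNER_THRESHOLD, histogram=HISTOGRAM):
    """Sources above the scanner threshold are scanners; the histogram then
    decides whether enough scanners exist in one bin to declare a worm."""
    scanners = {src: n for src, n in counts.items() if n > scanner_threshold}
    per_bin = {label: 0 for _, _, _, label in histogram}
    for n in scanners.values():
        label = histogram_bin(n, histogram)
        if label:
            per_bin[label] += 1
    violated = [label for _, _, max_sources, label in histogram
                if per_bin[label] > max_sources]
    return {"scanners": scanners, "histogram": per_bin,
            "violated": violated, "worm": bool(violated)}


def _sample_flows():
    """Constructed traffic: four sources each probe 25 unallocated addresses
    on tcp/445 (four MEDIUM scanners, more than the 3 allowed), plus one
    ordinary web connection between two real internal hosts."""
    flows = []
    for src in ["192.168.20.1", "192.168.20.2", "198.51.100.7", "198.51.100.8"]:
        for host in range(3, 28):
            flows.append(Flow(src, f"192.168.20.{host}", "tcp", 445))
    flows.append(Flow("192.168.20.1", "192.168.20.254", "tcp", 80))
    return flows


SAMPLE_FLOWS = _sample_flows()

if __name__ == "__main__":
    for zone, port in [("illegal", 445), ("internal", 80)]:
        print(zone, port, evaluate(scan_counts(SAMPLE_FLOWS, zone, port)))
```

Running the block shows the illegal-zone probes on tcp/445 tripping the MEDIUM rule while the single web flow in the internal zone never reaches the scanner threshold. Note that, read literally, the HIGH rule permits one source to scan more than 100 hosts without a worm being declared; that single scanner is still reported in `scanners`, which is the kind of event the scanner-threshold signatures cover on their own.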
Anomaly Detection Knowledge Base
If you chose “Save Only” as the Learning Accept Mode action, the knowledge base is saved but not loaded, and you have to choose which knowledge base to load for your anomaly detection policy. If you chose “Rotate”, the newly created knowledge base is loaded automatically.
Anomaly detection policy assignment
You assign an anomaly detection policy to a virtual sensor.
There are three AD operational modes: Detect, Inactive and Learn.
Detect suspends anomaly detection learning when there is a suspected worm attack, Inactive is self-explanatory, and Learn continues learning even when there is a suspected worm attack. If you do not wish to include attack traffic in your knowledge base, you should choose Detect.