6.x Anomaly Detection

May 23rd, 2007

Everything is set to the default in my AD policy and the KB's that are generated everyday by the sensor are the same. When I view the KB, the Scanner Threshold (Learned) and Histogram (Learned) columns are empty. How do I configure the IPS to actually dynamically learn these values?

marcabal (Cisco Employee) Wed, 05/23/2007 - 11:05

This is normal on most networks.


The only time you have learned thresholds is if the learned threshold would be higher than the pre-defined configured threshold.


By default the system expects to see fewer than 10 Low rate scanners, fewer than 3 Medium rate scanners, and fewer than 1 High rate scanner for any particular port/service/protocol. And any one scanner can scan up to 200 hosts before the AD sends a special alert for it.


The only time that "learned" information gets filled in is either:


-----------------

1) It is in Detect mode and detects that your network normally has close to (but does not exceed) the threshold number of Low, Medium, or High scanners. Since the threshold is not exceeded a worm is NOT declared so it considers it normal traffic. To provide a buffer between the normal number of scanners and what would trigger a worm being declared the AD will then "learn" or increase the threshold for that specific port/service/protocol.

So as new machines are slowly added to the network, the AD can learn that a few more scanners are normal and automatically adjust by increasing its "learned" thresholds.


BUT if the number of scanners ever goes above the threshold then instead a worm is declared, and "learned" thresholds will NOT be adjusted.


So "learned" thresholds only change if you get close to the previous threshold without going over.

If the "learned" would be the same or lower than "configured" it does not get put into the KB file.

----------------


2) The other time "learned" information gets filled in is if you set AD to learned mode.


The difference in "learned" mode is that even if the "configured" thresholds are exceeded then it will update the "learned" data WITHOUT declaring a worm.


Specifically, forcing AD into Learn-only mode rather than Detect (which does both Detect and Learn) is for when your network normally has a lot of scanners that would exceed the "configured" thresholds and you want to force the AD to learn that it is normal for that many scanners to be in your network.


But just like in Detect mode, if the number of "learned" scanners is less than the number of "configured" scanners then the "learned" information does not get put into the KB.

-------------------


So it is very normal in networks with low numbers of scanners to not have anything in the "learned" columns of the KB files.


The preconfigured defaults are already adequate for determining the existence of a worm in your network.


The "learned" data only gets filled into the KB when the AD learns that you normally have a lot of scanners in your network and it has to raise its thresholds to account for it.


Most smaller networks or well secured networks will likely never have any higher "learned" thresholds, as there are few scanners in the network under normal conditions.
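A small model of the rules described in the answer above, added here as an illustrative example (not Cisco's code and not the sensor's actual algorithm). The "close to the threshold" margin (`near_fraction`) and the size of the learned headroom (`buffer`) are not stated in the post and are assumptions:

```python
from dataclasses import dataclass, field

# Default "configured" scanner thresholds quoted in the answer above, per
# port/service/protocol: fewer than 10 low-rate, 3 medium-rate, 1 high-rate.
CONFIGURED = {"low": 10, "medium": 3, "high": 1}


@dataclass
class KBEntry:
    worm_declared: bool
    # Only rates whose learned value is higher than the configured one appear here.
    learned: dict = field(default_factory=dict)


def update_kb(observed, mode, configured=CONFIGURED, near_fraction=0.8, buffer=2):
    """Model one KB generation for a single port/service/protocol.

    observed: scanner counts seen, e.g. {"low": 9, "medium": 0, "high": 0}
    mode:     "detect" (detect + learn) or "learn" (learn only)
    near_fraction / buffer: ASSUMED values; the post only says the AD learns
    when the count is "close to" the threshold and raises it by some headroom.
    """
    entry = KBEntry(worm_declared=False)
    for rate, limit in configured.items():
        n = observed.get(rate, 0)
        if n > limit:
            if mode == "detect":
                # Threshold exceeded in Detect mode: worm declared, nothing learned.
                return KBEntry(worm_declared=True)
            candidate = n + buffer          # Learn mode: raise without declaring a worm
        elif n >= near_fraction * limit:
            candidate = n + buffer          # close but not over: add headroom
        else:
            continue                        # well below threshold: nothing to learn
        # A learned value equal to or below the configured one is not written to the KB,
        # which is why the Learned columns stay empty on quiet networks.
        if candidate > limit:
            entry.learned[rate] = candidate
    return entry
```

Running `update_kb({"low": 2}, "detect")` reproduces the questioner's situation: no worm and an empty learned column.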

robertsmichael Wed, 05/23/2007 - 14:08

Thanks for the response. On another note...on the same IPS 4250-SX sensor, the event store is wrapping around every couple of days or so - and the quantity of alerts on this sensor is very very low.


The sensing interface counters are incrementing. Any ideas on what would cause the event store to wrap around so frequently with such little network traffic?

marcabal (Cisco Employee) Wed, 05/23/2007 - 14:30

Execute "show statistics event-store" and see the number of each type of messages. It may be a large number of status events or error events filling the eventstore.


The size of the eventstore in 5.x and 6.x is much smaller than previously in 4.x. This has been a surprise to some 4.x customers that recently upgraded to 5.x and 6.x. And the smaller eventstore size may be the simple reason.

