Does anybody have experience with AD in IPS6? I tried to test it today with 3 nmap sessions each scanning 100 different IPs. I saw the Sig 13003-0 (single scanner) fired:
signature: description=AD - External TCP Scanner id=13003 version=S262
alertDetails: . adExtraData: numDestIps=150; currentThreshold=150; destPort=80
The scanner threshold was indeed set to 150:
S1# sh ad-knowledge-base vs0 thresholds current
User Configuration = 150
Threshold Histogram - User Configuration
Low = 10
Medium = 3
High = 1
This is ok. The problem is that Sig 13003-1 (worm) didn't fire, even though the number of scanned IPs was very high:
S1# sh statistics anomaly-detection vs0
Statistics for Virtual Sensor vs0
Attack in progress
Detection - ON
Learning - OFF
Next KB rotation at 10:00:00 MSK Fri Dec 28 2007
Source IP: 10.0.1.1 Num Dest IP: 280
- What exactly do Low/Medium/High mean in the threshold histogram?
- How does the sensor detect worms? When does Sig 13003-1 fire? What sequence of events should happen?
- How can I test it?
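As an added illustration (not part of the post above and not Cisco code), the following Python does the bookkeeping behind the two thresholds the post shows: it parses the adExtraData fields of a 13003 alert, applies the single-scanner condition (the alert fired at numDestIps=150 with currentThreshold=150, so the comparison is "at least"), and builds a source-count histogram from per-source destination counts so it can be compared against the Low/Medium/High values from "show ad-knowledge-base ... thresholds current". The destination-count buckets used for the three histogram rows (5, 20 and 100 destinations) are an assumption made for this example, not something the post states, and the script does not decide when the worm sub-signature fires; it only reports which rows are at or above their configured source counts.

```python
"""Bookkeeping for Cisco IPS anomaly-detection (AD) scanner alerts.

Added example for illustration; not Cisco's code and not from the post.
The destination-count bins for the Low/Medium/High histogram rows below
are an ASSUMPTION for this example, not a value taken from the post.
"""
import re

# Assumed minimum number of distinct destinations a source must have scanned
# to be counted in each histogram row (assumption, not from the post).
HISTOGRAM_BINS = {"Low": 5, "Medium": 20, "High": 100}

# Configured histogram values from the post's "thresholds current" output:
# number of scanning sources allowed per row.
CONFIGURED_HISTOGRAM = {"Low": 10, "Medium": 3, "High": 1}


def parse_ad_extra_data(line):
    """Turn 'adExtraData: numDestIps=150; currentThreshold=150; destPort=80'
    into a dict of ints keyed by field name."""
    m = re.search(r"adExtraData:\s*(.*)", line)
    if not m:
        raise ValueError("no adExtraData field in line")
    fields = {}
    for item in m.group(1).split(";"):
        key, _, value = item.strip().partition("=")
        if key:
            fields[key] = int(value)
    return fields


def scanner_fired(extra):
    """Single-scanner condition (13003-0): the source has reached the
    configured number of distinct destinations. The post shows the alert
    at 150 == 150, so the comparison is 'at least'."""
    return extra["numDestIps"] >= extra["currentThreshold"]


def parse_stats(text):
    """Extract 'Source IP: x Num Dest IP: n' pairs from the output of
    'show statistics anomaly-detection' into {source_ip: dest_count}."""
    pairs = re.findall(r"Source IP:\s*(\S+)\s+Num Dest IP:\s*(\d+)", text)
    return {ip: int(n) for ip, n in pairs}


def build_histogram(dest_counts, bins=HISTOGRAM_BINS):
    """dest_counts: {source_ip: distinct destinations scanned}.
    Returns {row: number of sources at or above that row's (assumed) bin}."""
    return {row: sum(1 for n in dest_counts.values() if n >= minimum)
            for row, minimum in bins.items()}


def histogram_exceeded(observed, configured=CONFIGURED_HISTOGRAM):
    """Rows where the observed number of scanning sources is at or above
    the configured per-row source count. Whether this alone is what the
    sensor uses for the worm sub-signature is exactly the poster's open
    question; this function only reports the comparison."""
    return [row for row, limit in configured.items() if observed[row] >= limit]


if __name__ == "__main__":
    # Alert line and statistics line as quoted in the post.
    alert = "alertDetails: . adExtraData: numDestIps=150; currentThreshold=150; destPort=80"
    stats = "Source IP: 10.0.1.1 Num Dest IP: 280"

    extra = parse_ad_extra_data(alert)
    print("13003-0 scanner condition met:", scanner_fired(extra))

    # Constructed sample: the post's scanner plus two extra hosts (constructed).
    counts = parse_stats(stats)
    counts.update({"10.0.2.5": 7, "10.0.2.6": 25})
    hist = build_histogram(counts)
    print("observed histogram:", hist)
    print("rows at/above configured source count:", histogram_exceeded(hist))
```

Feed it the raw alert text and the statistics output from the sensor; if the scanner condition reports True but the histogram rows you care about are below their configured counts, that tells you the per-source threshold is the one being hit, which matches the behaviour described in the post.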