
Anomaly Detection syntax/options

I want to configure anomaly detection on my IPS, but was a little unclear on the syntax for the zones.

 

Looks like I can configure the internal/service zone as

 

172.25.13.1-172.25.13.254,172.25.20.1-172.25.13.254

 

What if I want to make a very general internal zone (because I have a lot of subnets). Would I do something like this?

 

172.25.1.1-172.25.255.255

 

I want to define pretty much everything in 172.25.0.0 /16 as internal, but not sure about the syntax here

Accepted Solutions

Hello,

You can use the syntax:

172.25.0.0-172.25.255.255

The defaults for most of the settings show starting with a network address and ending with the broadcast addresses for those networks.

 

"Please rate helpful posts"
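An added example, not part of the thread and not Cisco tooling: a Python check built on the standard `ipaddress` module that renders a CIDR block in the start-end form given in the accepted answer, rejects entries whose end address is below their start, and lists which addresses of a block a zone string leaves out. The function names are hypothetical; the zone strings are the ones quoted in the thread.

```python
import ipaddress


def cidr_to_zone_range(cidr):
    """Render a CIDR block as 'network-broadcast', the form shown in the answer."""
    net = ipaddress.ip_network(cidr, strict=True)
    return f"{net.network_address}-{net.broadcast_address}"


def parse_zone_ranges(text):
    """Parse 'a-b,c-d' into (start, end) pairs; raise on malformed or reversed entries."""
    ranges = []
    for item in text.split(","):
        start_s, sep, end_s = item.strip().partition("-")
        if not sep:
            raise ValueError(f"not a start-end range: {item!r}")
        start = ipaddress.IPv4Address(start_s.strip())
        end = ipaddress.IPv4Address(end_s.strip())
        if end < start:
            raise ValueError(f"end address below start address: {item.strip()}")
        ranges.append((start, end))
    return ranges


def gaps(ranges, cidr):
    """Return the parts of `cidr` that the zone ranges do not cover, as range strings."""
    net = ipaddress.ip_network(cidr, strict=True)
    cursor, last = int(net.network_address), int(net.broadcast_address)
    missing = []
    for start, end in sorted((int(s), int(e)) for s, e in ranges):
        if end < cursor or start > last:
            continue  # entirely before the cursor or outside the block
        if start > cursor:
            missing.append((cursor, start - 1))
        cursor = max(cursor, end + 1)
    if cursor <= last:
        missing.append((cursor, last))
    return [f"{ipaddress.IPv4Address(a)}-{ipaddress.IPv4Address(b)}" for a, b in missing]


if __name__ == "__main__":
    block = "172.25.0.0/16"
    print("zone string for", block, "->", cidr_to_zone_range(block))
    for zone in ("172.25.1.1-172.25.255.255", "172.25.0.0-172.25.255.255"):
        print(zone, "leaves out", gaps(parse_zone_ranges(zone), block) or "nothing")
    try:
        parse_zone_ranges("172.25.13.1-172.25.13.254,172.25.20.1-172.25.13.254")
    except ValueError as err:
        print("rejected:", err)
```
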

2 REPLIES

Anomaly Detection Zones

By subdividing the network into zones, you can achieve a lower false negative rate. A zone is a set of destination IP addresses. There are three zones, each with its own thresholds: internal, illegal, and external.

The external zone is the default zone with the default Internet range of 0.0.0.0-255.255.255.255. By default, the internal and illegal zones contain no IP addresses. Packets that do not match the set of IP addresses in the internal or illegal zone are handled by the external zone.

We recommend that you configure the internal zone with the IP address range of your internal network. If you configure it in this way, the internal zone is all the traffic that comes to your IP address range, and the external zone is all the traffic that goes to the Internet.

You can configure the illegal zone with IP address ranges that should never be seen in normal traffic, for example, unallocated IP addresses or part of your internal IP address range that is unoccupied. An illegal zone can be very helpful for accurate detection, because we do not expect any legal traffic to reach this zone. This allows very low thresholds, which in turn can lead to very quick worm virus detection.
