Cisco Support Community

New Member

Global Correlation and Anomaly detection drop messages?

We've implemented an SSP-40 and were wondering if there were event messages for Global Correlation or Anomaly detection drops.  We seem to only have signature event messages.

Dennis

  • Intrusion Prevention Systems/IDS
3 REPLIES
Bronze

Global Correlation and Anomaly detection drop messages?

Please have a look at the following link:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_collaboration.html#wp1065809

If the traffic dropped because of Global Correlation (and not because of a signature) you should see an event.

For more details you can use the "show statistics global-correlation" CLI.

For Anomaly Detection, please ensure you have "Produce Alert" event action configured.

Regards,

Sawan Gupta

Thanks & Regards, Sawan Gupta
New Member

Global Correlation and Anomaly detection drop messages?

Can you provide an example message for either type?  The output for "show statistics global-correlation" isn't very detailed.  I will double check the setting for Anomaly Detection to make sure an alert is being produced. 

We don't know what to look for when searching for the specific message types.

Thanks,

Dennis

Bronze

Global Correlation and Anomaly detection drop messages?

Sure. Here is an example:

evIdsAlert: eventId=1332748411090083862 severity=informational vendor=Cisco alarmTraits=32768
originator:
   hostId: sensorName
   appName: sensorApp
   appInstanceId: 19247
time: 2012/03/27 15:12:41 2012/03/27 15:12:41 UTC
signature: description=ICMP Echo Request id=2004 created=20001127 type=other version=S592
   subsigId: 0
interfaceGroup: vs0
vlan: 1104
participants:
   attacker:
     addr: locality=OUT A.B.C.3
   target:
     addr: locality=OUT A.B.C.2
     os: idSource=unknown relevance=relevant type=unknown
actions:
   deniedPacket: true
riskRatingValue: attackRelevanceRating=relevant targetValueRating=medium 95
threatRatingValue: 60
interface: ge2_0
protocol: icmp
globalCorrelation:
   globalCorrelationScore: -9.2
   globalCorrelationRiskDelta: 60
   globalCorrelationModifiedRiskRating: true
   globalCorrelationDenyPacket: true
   globalCorrelationDenyAttacker: false
   globalCorrelationOtherOverrides: false
   globalCorrelationAuditMode: false

Alternatively, you can see the stats using:

sensor# show  statistics analysis-engine | be Malicious
MaliciousSiteDenyHitCounts
A.B.C.D/16 = 1
MaliciousSiteDenyHitCountsAUDIT

Regards,

Sawan Gupta

Thanks & Regards, Sawan Gupta
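As an added illustration (not from this thread and not Cisco code), the following Python parses an evIdsAlert in the indented "key: attr=value ... value" layout shown in the reply above and reports whether the deniedPacket action came from the signature or from Global Correlation, which is what the original question asks how to tell apart. It assumes that layout, works on a trimmed copy of the sample event, and treats globalCorrelationAuditMode=true as "record only" (an assumption, marked in the code).

```python
import re
# Trimmed copy of the evIdsAlert shown in the reply above (constructed sample input).
SAMPLE_EVENT = """\
evIdsAlert: eventId=1332748411090083862 severity=informational vendor=Cisco alarmTraits=32768
signature: description=ICMP Echo Request id=2004 created=20001127 type=other version=S592
   subsigId: 0
actions:
   deniedPacket: true
riskRatingValue: attackRelevanceRating=relevant targetValueRating=medium 95
globalCorrelation:
   globalCorrelationScore: -9.2
   globalCorrelationDenyPacket: true
   globalCorrelationAuditMode: false
"""
ATTR_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")  # attribute values may contain spaces

def parse_event(text):
    """Turn the indented 'key: attr=val ... value' lines into a nested dict tree."""
    root = {"value": "", "attrs": {}, "children": {}}
    stack = [(-1, root)]  # (indent, node): indentation defines nesting
    for raw in filter(str.strip, text.splitlines()):
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, rest = raw.strip().partition(":")
        tokens, trailing = rest.split(), []
        while tokens and "=" not in tokens[-1]:  # bare tokens at the end form the value
            trailing.insert(0, tokens.pop())
        node = {"value": " ".join(trailing),
                "attrs": dict(ATTR_RE.findall(" ".join(tokens))), "children": {}}
        while stack[-1][0] >= indent:  # climb back to the enclosing level
            stack.pop()
        stack[-1][1]["children"][key] = node
        stack.append((indent, node))
    return root

def field(event, *path):
    """Leaf value at a child path (None if absent), e.g. field(ev, 'actions', 'deniedPacket')."""
    for key in path:
        event = event["children"].get(key)
        if event is None:
            return None
    return event["value"]

def classify_drop(event):
    """'none', 'signature' or 'global-correlation': what produced the deniedPacket action."""
    if field(event, "actions", "deniedPacket") != "true":
        return "none"
    gc_deny = field(event, "globalCorrelation", "globalCorrelationDenyPacket") == "true"
    audit = field(event, "globalCorrelation", "globalCorrelationAuditMode") == "true"
    # Assumption: in audit mode GC only records its verdict, so a real drop is the signature's.
    return "global-correlation" if gc_deny and not audit else "signature"
```

Feeding the sample event through `classify_drop(parse_event(SAMPLE_EVENT))` yields "global-correlation"; an event with deniedPacket but no globalCorrelation block yields "signature".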