Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
791
Views
0
Helpful
2
Replies

Verifying singature matches and baselining

Kevin Melton
Level 2
Level 2

‎01-21-2014 05:02 PM - edited ‎03-10-2019 06:07 AM

Forum

I am supporting an IPS4345 at a Cisco client site.

I wanted to ask the following questions:

1) Is there a way to tell how many matches against each signature have been fired, similar to the hit count on an access list?  I am asking as I would like to disable any unneccessary signatures to improve performance.  The processor seems to stay at about 68%.

2) Is the Learning Period for the Knowledgebase within Anomoly Detection considered baselining?  If not, is the best method for baselining to ue a sniffer monitoring traffic in parralel to the IPS how to baseline the traffic?

Thank You in advance!                  

Labels:
0 Helpful
2 Replies 2

ruppala
Level 1
Level 1

‎01-26-2014 04:08 PM

Kevin, 

1) The cli command "show statistics virtual-sensor" will list all signatures with a count for each signature along with other details.

2) This following from the IPS Configuration guide should help you with AD

Learning accept mode

"Although anomaly detection is in detect mode by  default, it conducts an initial learning accept mode for the default  period of 24 hours. We assume that during this phase no attack is being  carried out. Anomaly detection creates an initial baseline, known as a  knowledge base (KB), of the network traffic. The default interval value  for periodic schedule is 24 hours and the default action is rotate,  meaning that a new KB is saved and loaded, and then replaces the initial  KB after 24 hours. "

Detect mode

For ongoing operation, the sensor should remain in detect mode. This is  for 24 hours a day, 7 days a week. Once a KB is created and replaces the  initial KB, anomaly detection detects attacks based on it. It looks at  the network traffic flows that violate thresholds in the KB and sends  alerts. As anomaly detection looks for anomalies, it also records  gradual changes to the KB that do not violate the thresholds and thus  creates a new KB. The new KB is periodically saved and takes the place  of the old one thus maintaining an up-to-date KB.

0 Helpful

blenka
Level 3
Level 3

‎02-09-2014 11:47 AM

The default policy and the default values for configured policies do not show up in the configuration when you issue a show running-config EXEC command. Instead, to see the default policy and any default values within configured policies, use the show crypto isakmp policy EXEC command.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card