01-21-2014 05:02 PM - edited 03-10-2019 06:07 AM
I am supporting an IPS4345 at a Cisco client site.
I wanted to ask the following questions:
1) Is there a way to tell how many matches against each signature have been fired, similar to the hit count on an access list? I am asking as I would like to disable any unnecessary signatures to improve performance. The processor seems to stay at about 68%.
2) Is the Learning Period for the Knowledge Base within Anomaly Detection considered baselining? If not, is the best method for baselining to use a sniffer monitoring traffic in parallel to the IPS?
Thank You in advance!
01-26-2014 04:08 PM
Kevin,
1) The cli command "show statistics virtual-sensor" will list all signatures with a count for each signature along with other details.
2) The following from the IPS Configuration guide should help you with AD:
Learning accept mode
"Although anomaly detection is in detect mode by default, it conducts an initial learning accept mode for the default period of 24 hours. We assume that during this phase no attack is being carried out. Anomaly detection creates an initial baseline, known as a knowledge base (KB), of the network traffic. The default interval value for periodic schedule is 24 hours and the default action is rotate, meaning that a new KB is saved and loaded, and then replaces the initial KB after 24 hours."
Detect mode
For ongoing operation, the sensor should remain in detect mode. This is for 24 hours a day, 7 days a week. Once a KB is created and replaces the initial KB, anomaly detection detects attacks based on it. It looks at the network traffic flows that violate thresholds in the KB and sends alerts. As anomaly detection looks for anomalies, it also records gradual changes to the KB that do not violate the thresholds and thus creates a new KB. The new KB is periodically saved and takes the place of the old one thus maintaining an up-to-date KB.
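An added example, not from the original post or from Cisco's own tooling, showing how the per-signature counters from "show statistics virtual-sensor" could be turned into a tuning report: the "Sig X.Y = N" line format, the sample output, and the enabled-signature set are all assumptions constructed for the example.

```python
import re
from collections import Counter

# Constructed excerpt in the shape this example ASSUMES for the
# per-signature section of "show statistics virtual-sensor".
# The layout is an assumption, not copied from a real sensor.
SAMPLE_STATS = """\
Virtual Sensor Statistics
   Statistics for Virtual Sensor vs0
      Per-Signature SigEvent count since reset
         Sig 2004.0 = 1832
         Sig 3030.0 = 27
         Sig 5081.0 = 0
         Sig 1204.0 = 3
      Total events since reset = 1862
"""

# Constructed set of signatures enabled in the policy (hypothetical IDs).
ENABLED_SIGS = {"2004.0", "3030.0", "5081.0", "1204.0", "6005.0"}

SIG_LINE = re.compile(r"^\s*Sig\s+(\d+\.\d+)\s*=\s*(\d+)\s*$")


def parse_sig_counts(text):
    """Return {sig_id: event_count} for every 'Sig X.Y = N' line."""
    counts = Counter()
    for line in text.splitlines():
        m = SIG_LINE.match(line)
        if m:
            counts[m.group(1)] += int(m.group(2))
    return counts


def tuning_report(stats_text, enabled, top_n=3):
    """Split enabled signatures into silent ones and the noisiest firers."""
    counts = parse_sig_counts(stats_text)
    # Enabled signatures missing from the counters or at zero have not
    # fired in this window. They are candidates to REVIEW, not to disable
    # blindly: a short window says nothing about rare, high-severity events.
    silent = sorted(s for s in enabled if counts.get(s, 0) == 0)
    noisy = counts.most_common(top_n)
    return {"silent": silent, "noisy": noisy, "total": sum(counts.values())}


if __name__ == "__main__":
    print(tuning_report(SAMPLE_STATS, ENABLED_SIGS))
```

Run the report against consecutive "since reset" snapshots before deciding anything; the noisy list is usually the better performance lead, since tuning or filtering a high-volume signature saves more sensor CPU than removing dozens of silent ones.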
02-09-2014 11:47 AM
The default policy and the default values for configured policies do not show up in the configuration when you issue a show running-config EXEC command. Instead, to see the default policy and any default values within configured policies, use the show crypto isakmp policy EXEC command.