I am supporting an IPS4345 at a Cisco client site.
I wanted to ask the following questions:
1) Is there a way to tell how many matches against each signature have been fired, similar to the hit count on an access list? I am asking as I would like to disable any unnecessary signatures to improve performance. The processor seems to stay at about 68%.
2) Is the Learning Period for the Knowledge Base within Anomaly Detection considered baselining? If not, is the best method for baselining to use a sniffer monitoring traffic in parallel to the IPS? How should the traffic be baselined?
1) The CLI command "show statistics virtual-sensor" will list all signatures with a count for each signature, along with other details.
2) The following from the IPS Configuration Guide should help you with AD:
Learning accept mode
"Although anomaly detection is in detect mode by default, it conducts an initial learning accept mode for the default period of 24 hours. We assume that during this phase no attack is being carried out. Anomaly detection creates an initial baseline, known as a knowledge base (KB), of the network traffic. The default interval value for periodic schedule is 24 hours and the default action is rotate, meaning that a new KB is saved and loaded, and then replaces the initial KB after 24 hours."
For ongoing operation, the sensor should remain in detect mode. This is for 24 hours a day, 7 days a week. Once a KB is created and replaces the initial KB, anomaly detection detects attacks based on it. It looks at the network traffic flows that violate thresholds in the KB and sends alerts. As anomaly detection looks for anomalies, it also records gradual changes to the KB that do not violate the thresholds and thus creates a new KB. The new KB is periodically saved and takes the place of the old one thus maintaining an up-to-date KB.
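As an added example that is not part of the original thread, here is a small Python helper for the signature-tuning question above: it parses the per-signature counters from `show statistics virtual-sensor` output, ranks the busiest signatures, and lists the ones that have never fired so they can be reviewed. The sample output and the `Sig <id> = <count>` line layout are my assumptions about the sensor's format, not something taken from the thread; adjust `SIG_RE` if your release prints the section differently.

```python
import re

# Constructed sample shaped like the "Per-Signature SigEvent count since reset"
# section of `show statistics virtual-sensor` (assumed layout, not a real capture).
SAMPLE_OUTPUT = """\
Virtual Sensor Statistics
   Statistics for Virtual Sensor vs0
      Per-Signature SigEvent count since reset
         Sig 1204.0 = 0
         Sig 2004.0 = 1532
         Sig 3030.0 = 12
         Sig 5081.0 = 0
         Sig 5081.1 = 7
      Per-Signature ...
"""

# One counter line: "Sig <sigid>.<subsig> = <count>" (assumed format).
SIG_RE = re.compile(r"^\s*Sig\s+(\d+\.\d+)\s*=\s*(\d+)\s*$", re.MULTILINE)


def parse_sig_counts(text):
    """Return {signature_id: count} parsed from the sensor statistics output."""
    return {sig_id: int(count) for sig_id, count in SIG_RE.findall(text)}


def rank_signatures(counts):
    """Signatures sorted by firing count, busiest first (ties by id)."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def zero_hit_signatures(counts):
    """Signatures that never fired since the counters were last reset.

    These are candidates to *review*, not to disable blindly: the counters
    restart when the sensor does, so a short uptime under-represents rare
    but important signatures, and a low-hit signature may still cover a
    critical exploit that simply has not been attempted yet.
    """
    return sorted(sig_id for sig_id, count in counts.items() if count == 0)


if __name__ == "__main__":
    counts = parse_sig_counts(SAMPLE_OUTPUT)
    for sig_id, count in rank_signatures(counts):
        print(f"{sig_id:>10}  {count}")
    print("never fired:", ", ".join(zero_hit_signatures(counts)))
```

Run it against a saved copy of the real command output instead of `SAMPLE_OUTPUT` to get the per-signature picture the question asks for.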