Cisco Traffic Anomaly Detector Module Configuration Guide (Software Version 5.0)
Understanding Attack Reports
Download this chapter
Understanding Attack ReportsUnderstanding Attack Reports
Download the complete book
Cisco Traffic Anomaly Detector Module Configuration Guide (Software Version 5.0), Book-Length PDFCisco Traffic Anomaly Detector Module Configuration Guide (Software Version 5.0), Book-Length PDF (PDF - 3 MB)
give_us_feedback

Table Of Contents

Understanding Attack Reports

Understanding the Report Layout

General Details

Attack Statistics

Detected Anomalies

Understanding the Report Parameters

Displaying Attack Reports

Exporting Attack Reports

Exporting Attack Reports Automatically

Exporting Attack Reports of All Zones

Exporting Zone Reports


Understanding Attack Reports

This chapter describes the attack reports that the Cisco Traffic Anomaly Detector Module (Detector module) produces and contains the following sections:

Understanding the Report Layout

Understanding the Report Parameters

Displaying Attack Reports

Exporting Attack Reports

Understanding the Report Layout

The Detector module provides an attack report for each zone to help form a comprehensive view of the attack. An attack begins when the Detector module produces the first dynamic filter and ends when no dynamic filter is in use and no new dynamic filters are added. Reports include details of the attacks that are organized into sections. Each section describes different aspects of the traffic flow during an attack. You can display reports of past attacks and ongoing attacks, and you can export reports to an FTP or a Secure FTP (SFTP) server.

Reports include the following information and are described in these sections:

General Details

Attack Statistics

Detected Anomalies

General Details

The general details section of the attack report includes general information about an attack.

Table 9-1 describes the fields in this section of the report.

Table 9-1 Field Descriptions in General Details Section of Attack Report

Field
Description

Report ID

The identification number of the report.

Attack Start

Displays the date and time that the attack started.

Attack End

Displays the date and time that the attack ended. A value of "Attack in progress" indicates that there is an ongoing attack.

Attack Duration

Displays the duration of the attack.


Attack Statistics

The attack statistics section provides a general analysis of the received traffic flow.

Detected Anomalies

The detected anomalies section of the attack report provides details of the traffic anomalies that the Detector module detected in the zone traffic. A flow is classified as being an anomaly when it requires the production of a Dynamic filter. These anomalies can occur infrequently or can turn into systematic DDoS attacks. The Detector clusters anomalies with the same type and flow parameters (such as source IP address and destination port) under one anomaly type.

Table 9-2 describes the different types of detected anomalies.

Table 9-2 Types of Detected Anomalies 

Type
Description

dns (tcp)

An attacking DNS-TCP protocol flow.

dns (udp)

An attacking DNS-UDP protocol flow.

fragments

A detected flow with an unusual amount of fragmented traffic.

http

An unusual HTTP traffic flow.

ip_scan

A detected flow initiated from a source IP address that tried to access many zone destination IP addresses.

other_protocols

A non-TCP/UDP attacking protocol flow.

port_scan

A detected flow initiated from a source IP address that tried to access many zone ports.

tcp_connections

A detected flow with an unusual number of TCP concurrent connections, with or without data.

tcp_incoming

A detected flow attacking a TCP service.

tcp_outgoing

A detected flow consisting of SYN-ACK flood or other packet attacks on connections initiated by the zone when the zone is the client.

tcp_ratio

A detected flow with an unusual ratio between different types of TCP packets, for example, SYN packets as opposed to FIN/RST packets.

udp

An attacking UDP protocol flow.

unauthenticated_tcp

A detected flow that the Detector anti-spoofing functions have not succeeded in authenticating, for example, ACK flood, FIN flood, or any other flood of unauthenticated packets.

user

An anomaly flow that was detected by user definitions.

worm_tcp

A worm attack over the TCP/IP protocol.


Understanding the Report Parameters

Different sections of the report describe different aspects of the traffic flow.

Table 9-3 describes the fields for Attack Statistics.

Table 9-3 Field Descriptions for Attack Statistics 

Field
Description

Total Packets

Specifies the total number of attack packets.

Average pps

Specifies the average traffic rate in pps units.

Average bps

Specifies the average traffic rate in bps units.

Max. pps

Specifies the maximum traffic rate measured in pps units.

Max. bps

Specifies the maximum traffic rate measured in bps units.


Table 9-4 describes the flow statistics for Detected Anomalies.

Table 9-4 Field Descriptions for Flow Statistics 

Field
Description

ID

Specifies the identification number (ID) of the detected anomaly.

Start time

Specifies the date and time that the anomaly was detected.

Duration

Specifies the duration of the anomaly in hours, minutes, and seconds.

Type

Specifies the type of anomaly.

Triggering rate

Specifies the anomaly traffic rate that exceeded the policy
threshold.

% Threshold

Indicates the percentage by which the triggering rate is above the policy threshold.

Flow

Specifies the anomaly flow. The characteristics include the protocol number, source IP address, source port, destination IP address, and destination port. It indicates whether or not the traffic is fragmented. Any indicates that there is both fragmented and non-fragmented traffic.


A value of * for any of the parameters indicates one of the following:

The value is undetermined.

More than one value was measured for the anomaly parameter.

A value of #, followed by a number, for any of the parameters indicates the number of values measured for that parameter.

The Detector module may display a value of notify on the right side of the flow description. A value of notify for any of the report rows indicates that the Detector module produces a notification only for the type of traffic the row describes, and it does not take action.

Displaying Attack Reports

To display a list of attack reports for any specific zone or a more detailed report for a specific attack, enter the following command in zone configuration mode:

show reports [current | report-id] [details]

Table 9-5 provides the arguments and keywords for the show reports command.

Table 9-5 Arguments and Keywords for the show reports Command  

Parameter
Description

current

An attack that is in progress.

The number of bits and packets is not displayed for an ongoing attack. In reports of an attack in progress, the packets and bits fields have a value of zero (0).

report-id

The identification number of the report.

details

(Optional) Displays details of the flows.


The following example shows how to view a list of all attacks on the zone: 

user@DETECTOR-conf-zone-scannet# show reports

Table 9-7 describes the fields in the show reports command output.

Table 9-6 Field Descriptions for the show reports
Command Output 

Field
Description

Report ID

The report identification number.

Attack Start

The date and time the attack started.

Attack End

The date and time the attack ended. A value of "Attack in progress" indicates that there an ongoing attack.

Attack Duration

The duration of the attack.

Attack Type

Type of detected attack. Possible values are as follows:

tcp_connections—Detected flow with unusual number of TCP concurrent connections, with or without data.

http—Unusual HTTP traffic flow.

tcp_incoming—Detected flow attacking a TCP service.

tcp_outgoing—Detected attack flow in which the client seems to be the Zone, such as SYN-ACK attacks on connections initiated by the zone when the zone is the client.

unauthenticated_tcp—Detected flow that the Detector anti-spoofing functions have not succeeded in authenticating. For example, ACK flood, FIN flood or any other flood of unauthenticated packets.

dns (udp)—Attacking DNS-UDP protocol flow.

dns (tcp)—Attacking DNS-TCP protocol flow.

udp—Attacking UDP protocol flow.

other_protocols—Non TCP/UDP attacking protocol flow.

fragments—Detected flow with an unusual quantity of fragmented traffic.

hybrid—Attack composed of several attacks with different characteristics.

ip_scan—Detected flow initiated from source IP address that tried to access many zone destination IP addresses.

port_scan—Detected flow initiated from source IP address that tried to access many zone ports.

Attack Type (continued)

user_detected—Anomaly flow detected by user definitions.

worm_tcp—A worm attack over the TCP/IP protocol.

Malicious Traffic

This field is relevant to the Cisco Anomaly Guard Module only and is not applicable to the Detector module.


The following example shows how to display the report of the current attack on the zone: 

user@DETECTOR-conf-zone-scannet# show reports current

The attack report displays the following output. For more information about the different sections, see the "Understanding the Report Layout" section. 

Attack Start

:

Feb 26 2004 09:58:54

Attack End

:

Attack in progress

Attack Duration

:

00:08:34



Attack Statistics:


Total 
Packets

Average 
pps

Average 
bps

Max pps

Max bps


Received

95878

186.53

110977.74

1455.44

914428.24

N/A



Detected Anomalies:

ID

 Start Time

 Duration

 Type

Triggering 
Rate

%Threshold 

1

Feb 26 09:58:54

00:08:34

HTTP

997.44

897.44


Flow: 6 * 

*

92.168.100.34  80

no fragments


To display a more detailed report about the detected anomalies flow, use the details option.

Table 9-7 describes the flow fields in the detailed report.

Table 9-7 Field Descriptions of Flows in Detailed Report 

Field
Description

Detected Flow

Specifies the flow that caused the production of the Dynamic filter. The flow characteristics include the protocol number, source IP address, source port, destination IP address, and destination port, and an indication of whether the traffic is fragmented or not. Any indicates that there is both fragmented and non-fragmented traffic.

Action Flow

Specifies the flow that was addressed by the Dynamic filter. The action flow can have a wider range than the detected flow. For example, the detected flow could indicate a specific source port for a specific source IP address, whereas the action flow could indicate all source ports for the specified source IP address.

The flow characteristics include the protocol number, source IP address, source port, destination IP address, and destination port, and an indication of whether the traffic is fragmented or not. Any indicates that there is both fragmented and non-fragmented traffic.


Exporting Attack Reports

You can export attack reports to an FTP or an SFTP server for monitoring and diagnostics capabilities. You can export attack reports in text format or in Extensible Markup Language (XML) format.

This section includes the following topics:

Exporting Attack Reports Automatically

Exporting Attack Reports of All Zones

Exporting Zone Reports

Exporting Attack Reports Automatically

You can configure the Detector module to export attack reports automatically, in XML format, at the end of an attack. The Detector module exports the reports of any one of the zones when an attack on the zone ends. The XML schema is described in the ExportedReports.xsd file that accompanies the version. You can download the .xsd files that accompany the version from the Software Center at: http://www.cisco.com/public/sw-center/.

To configure the Detector module to export attack reports automatically, enter one of the following commands in configuration mode:

export reports ftp server remote-path [login] [password]

export reports sftp server remote-path login

Note You must configure the SSH key that the Detector module uses for SFTP communication before you enter the copy reports command. See the "Configuring the Key for SFTP Connections" section for more information.

Table 9-8 describes the arguments for the export reports command.

Table 9-8 Arguments for the export reports Command  

Parameter
Description

ftp

Exports the attack reports to an FTP server.

sftp

Exports the attack reports to an SFTP server.

server

The IP address of the server.

remote-path

The complete path of the directory where the files are saved.

login

The server login name.

The login argument is optional when you define an FTP server. When you do not insert a login name, the FTP server assumes an anonymous login and does not prompt you for a password.

password

(Optional) The password for the remote FTP server.


The following example shows how to automatically export reports (in XML format) at the end of an attack to an FTP server at IP address 10.0.0.191 by using login name user1 and password password1: 

user@DETECTOR-conf# export reports ftp 10.0.0.191 /root/reports user1 
password1

Exporting Attack Reports of All Zones

You can export the attack reports of all zones in text or XML format by entering the following command in global mode:

copy reports [details] [xml] ftp server full-file-name [login] [password]

Table 9-9 provides the arguments and keywords for the copy reports command.

Table 9-9 Arguments and Keywords for the copy reports Command 

Parameter
Description

xml

(Optional) Export the report in XML format. The XML schema is described in the ExportedReports.xsd file that accompanies the version. You can download the .xsd files that accompany the version from the Software Center at: http://www.cisco.com/public/sw-center/.

By default, reports are exported in text format.

Reports in XML format include all details. If you include the xml option, it is not necessary to include the details option.

details

(Optional) Export details of flow and attacking source IP addresses.

ftp

Exports the attack reports to an FTP server.

server

The IP address of the server.

full-file-name

The full name of the file. If you do not specify a path, the server saves the file in your home directory.

login

The server login name.

The login argument is optional when you define an FTP server. When you do not insert a login name, the FTP server assumes an anonymous login and does not prompt you for a password.

password

(Optional) The password for the remote FTP server.


The following example shows how to copy a list of all attacks handled by the Detector module (in text format) to an FTP server at IP address 10.0.0.191 by using login name user1 and password password1: 

user@DETECTOR# copy reports ftp 10.0.0.191 ADMreports.txt user1 
password1

Exporting Zone Reports

To copy the attack reports of a specific zone to an FTP server, enter the following command in global mode:

copy zone zone-name reports [current | report-id] [xml] [details] ftp server full-file-name [login] [password]

Table 9-10 describes the arguments and keywords for the copy zone reports command.

Table 9-10 Arguments and Keywords for the copy zone reports
Command  

Parameter
Description

zone-name

The name of an existing zone.

current

(Optional) Export an ongoing attack report (if applicable).

The default is to export all zone reports.

report-id

(Optional) The ID of an existing report. The Detector module exports the report with the specified ID number. To view the details of the zone attack reports, use the show zone reports command.

The default is to export all zone reports.

xml

(Optional) Export the report in XML format. The XML schema is described in the ExportedReports.xsd file that accompanies the version. You can download the .xsd files that accompany the version from the Software Center at: http://www.cisco.com/public/sw-center/.

The default is to export reports in text format.

Reports in XML format include all details. If you include the xml option, it is not necessary to include the details option.

details

(Optional) Export details of flow and attacking source IP addresses.

ftp

Exports the attack reports to an FTP server.

server

The IP address of the server.

remote-path

The complete path of the directory where the files are saved.

login

The server login name.

The login argument is optional when you define an FTP server. When you do not insert a login name, the FTP server assumes an anonymous login and does not prompt you for a password.

password

(Optional) The password for the remote FTP server.


The following example shows how to copy all attack reports on the zone to an FTP server at IP address 10.0.0.191 by using login name user1 and password password1: 

user@DETECTOR# copy zone scannet reports ftp 10.0.0.191 
ScannetCurrentReport.txt user1 password1