Cisco Traffic Anomaly Detector Module Configuration Guide (Software Version 5.0)
Configuring Zone Filters

Table Of Contents

Configuring Zone Filters

Overview

Configuring Flex-Content Filters

Adding a Flex-Content Filter

Understanding the tcpdump-expression Syntax

Understanding the pattern-expression Syntax

Displaying Flex-Content Filters

Deleting Flex-Content Filters

Changing the State of a Flex-Content Filter

Configuring Bypass Filters

Adding a Bypass Filter

Displaying Bypass Filters

Deleting Bypass Filters

Configuring Dynamic Filters

Displaying Dynamic Filters

Deleting Dynamic Filters


Configuring Zone Filters


This chapter describes how to configure the Cisco Traffic Anomaly Detector Module (Detector module) filters.

This chapter contains the following sections:

Overview

Configuring Flex-Content Filters

Configuring Bypass Filters

Configuring Dynamic Filters

Overview

Zone filters define how the Detector handles a specific traffic flow. You can configure filters to customize the functions that the Detector module uses to detect traffic anomalies.

The Detector module has the following types of filters:

Bypass filters—Prevent the Detector module from handling specific traffic flows.

You can direct trusted traffic away from the Detector module anomaly detection features, and prevent the Detector module from analyzing it.

See the "Configuring Bypass Filters" section for more information.

Flex-Content filters—Count a specific traffic flow. Flex-content filters provide extremely flexible filtering capabilities, such as filtering according to fields in the IP and TCP headers, filtering based on payload content, and filtering based on complex Boolean expressions.

See the "Configuring Flex-Content Filters" section for more information.

Dynamic filters—Apply the required protection level to the specified traffic flow. The Detector creates dynamic filters according to its analysis of the traffic flow and continuously adapts this set of filters to the zone traffic and the type of DDoS attack. The dynamic filters have a limited life span and are erased when the attack ends.

See the "Configuring Dynamic Filters" section for more information.

Figure 6-1 displays the Detector module filter system.

Figure 6-1 Cisco Traffic Anomaly Detector Module Filter System

The Detector module applies the analysis detection level to the traffic flow to analyze the zone traffic. You can direct specific flows to bypass the Detector module detection features by configuring bypass filters.

To perform statistical analysis of traffic flow, the Detector module has definitions that handle specific types of traffic, which are called zone policies. The zone policies constantly measure traffic flows and take action against a particular traffic flow if they identify that flow as malicious or abnormal, which occurs when the flow exceeds the policy threshold. When the Detector module identifies anomalies in the zone traffic, it creates new filters (dynamic filters), which can activate a Cisco Anomaly Guard Module defined in the remote Guard lists to protect the zone, or record the event in its syslog.

Configuring Flex-Content Filters

Flex-Content filters filter zone traffic based on fields in the packet header or patterns in the packet payload. You can identify attacks that are based on patterns that appear in the incoming traffic. These patterns can identify known worms or flood attacks that have a constant pattern.


Note The flex-content filter consumes a lot of resources. We recommend that you limit the use of flex-content filters because they might affect the performance of the Detector module. If you are using a flex-content filter to detect a specific attack that can be identified by a dynamic filter, such as TCP traffic to a specified port, we recommend that you filter the traffic using a dynamic filter.


Use the flex-content filters to count a desired packet flow and to identify a specific malicious source of traffic.

The Flex-Content filter applies the filtering criteria in the following order:

1. Filters packets based on the protocol and the port parameter values.

2. Filters packets based on the tcpdump-expression value.

3. Performs pattern matching with the pattern-expression value on the remaining packets.

This section contains the following topics:

Adding a Flex-Content Filter

Displaying Flex-Content Filters

Deleting Flex-Content Filters

Changing the State of a Flex-Content Filter

Adding a Flex-Content Filter

Flex-Content filters are activated in ascending order of the row numbers. When you add a new flex-content filter be sure that you place it in the correct location in the list.

To configure a flex-content filter, perform the following steps:


Step 1 Display the list of flex-content filters and identify the location in the list in which you want to add the new filter.

See the "Displaying Flex-Content Filters" section for more information.

Step 2 If the current row numbers are consecutive, renumber the flex-content filters in increments that allow you to insert the new flex-content filter by entering the following command in zone configuration mode:

flex-content-filter renumber [start [step]]

Table 6-1 provides the arguments for the flex-content-filter renumber command.

Table 6-1 Arguments for the flex-content-filter renumber Command

Parameter
Description
start

(Optional) An integer from 1 to 9999 that denotes the new starting number of the Flex-Content filter list. The default is 10.

step

(Optional) An integer from 1 to 999 that defines the increment between the Flex-Content filter row numbers. The default is 10.


Step 3 (Optional) To filter a pattern expression of an ongoing attack or an attack that you have previously recorded, activate the Detector module to generate a signature of the attack by using the show packet-dump signatures command.

See the "Generating Attack Signatures from Packet-Dump Capture Files" section for more information.

Step 4 Add a new flex-content filter by entering the following command:

flex-content-filter row-num {disabled | enabled} {drop | count} 
protocol port [start start-offset [end end-offset]] [ignore-case] 
expression tcpdump-expression pattern pattern-expression

Table 6-2 provides the arguments and keywords for the flex-content-filter command.

Table 6-2 Arguments and Keywords for the flex-content-filter Command

Parameter
Description
row-num

A unique number from 1 to 9999. The row number identifies the filter and defines the priority among the flex-content filters. The Detector module operates the filters in ascending row-number order.

disabled

Sets the filter state to disabled. The filter does not relate to traffic.

enabled

Sets the filter state to enabled. The filter relates to traffic and performs the action (drop or count) when a match is found.

This is the default state.

drop

Drops the flow that matches the filter. You can configure the drop action in Guard configuration mode for zones created from the GUARD zone templates. The drop action is applicable to the Cisco Anomaly Guard Module only.

count

Counts the flow that matches the filter.

protocol

Processes traffic coming from a specific protocol. Use an asterisk (*) to indicate any protocol. Enter an integer from 0 to 255.

Review possible protocol numbers at the Internet Assigned Numbers Authority (IANA) website:

http://www.iana.org/assignments/protocol-numbers

port

Processes traffic destined to a specific destination port. Enter an integer from 0 to 65535. To define a specific port number, you must define a specific protocol number.

Use an asterisk (*) to indicate any destination port. You can use an asterisk only if you configure the protocol number to 6 (TCP) or 17 (UDP).

Review possible port numbers at the Internet Assigned Numbers Authority (IANA) website:

http://www.iana.org/assignments/port-numbers

start-offset

The offset, in bytes, from the beginning of the packet payload, where the pattern matching for the pattern-expression argument begins. The default is 0 (the start of the payload). Enter an integer from 0 to 1800.

If you copy the pattern from the show packet-dump signatures command output, copy this argument from the Start Offset field in the command output.

end-offset

The offset, in bytes, from the beginning of the packet payload, where the pattern matching for the pattern-expression argument ends. The default is the packet length (the end of the payload). Enter an integer from 0 to 1800.

If you copy the pattern from the show packet-dump signatures command output, copy this argument from the End Offset field in the command output.

ignore-case

Defines the pattern-expression argument as case-insensitive.

By default the pattern-expression argument is case-sensitive.

tcpdump-expression

Specifies the expression to be matched with the packet. The expression is in Berkeley Packet Filter (BPF) format. See the "Understanding the tcpdump-expression Syntax" section for more information and configuration examples.

If spaces are part of the expression, enclose the expression in quotation marks ("").

To enter an empty expression, use double quotation marks ("").

To use a quotation mark in the expression, use the backslash escape character before the quotation mark (\").

Help is not available for the tcpdump-expression syntax.

pattern-expression

Specifies the regular expression data pattern to be matched with the packet payload. See the "Understanding the pattern-expression Syntax" section for more information.

You can activate the Detector module to generate the signature by using the show packet-dump signatures command. See the "Generating Attack Signatures from Packet-Dump Capture Files" section.

If spaces are part of the expression, enclose the expression in quotation marks ("").

To enter an empty expression, use double quotation marks ("").

To use a quotation mark in the expression, use the backslash escape character before the quotation mark (\").

Help is not available for the pattern-expression syntax.


You can change the filter state at any time. See the "Changing the State of a Flex-Content Filter" section for more information.


The following example shows how to configure the flex-content filter:

user@DETECTOR-conf-zone-scannet# flex-content-filter enabled count * * 
expression "ip[6:2] & 0x1fff=0" pattern 
"/ HTTP/1\.1\x0D\x0AAccept: .*/.*\x0D\x0AAccept-Language: 
en*\x0D\x0AAccept-Encoding: gzip, deflate\x0D\x0AUser-Agent: 
Mozilla/4\.0" 
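The procedure above (display the list, renumber when the rows are consecutive, then add the filter at the chosen row) together with the argument constraints of Table 6-1 and Table 6-2, modelled in Python as an added example. This is not Cisco code and does not talk to a Detector module; the names FlexContentFilter, FlexContentFilterList, validate and insert_between_consecutive_rows are my own, and the check that end-offset is not smaller than start-offset is an assumption the page does not state.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

Wild = Union[int, str]  # an integer, or "*" for "any"


@dataclass
class FlexContentFilter:
    """One flex-content-filter row, with the arguments of Table 6-2."""
    enabled: bool
    action: str                    # "count" or "drop"
    protocol: Wild                 # 0..255 or "*"
    port: Wild                     # 0..65535 or "*" (destination port)
    tcpdump_expression: str = ""   # "" is the empty expression
    pattern: str = ""
    start_offset: int = 0          # default: start of payload
    end_offset: Optional[int] = None   # None: packet length (end of payload)
    ignore_case: bool = False


def validate(f: FlexContentFilter) -> None:
    """Raise ValueError when a filter breaks a rule stated in Table 6-2."""
    if f.action not in ("count", "drop"):
        raise ValueError("action must be count or drop")
    if f.protocol != "*" and not (isinstance(f.protocol, int) and 0 <= f.protocol <= 255):
        raise ValueError("protocol must be 0..255 or *")
    if f.port == "*":
        # "*" for the port is allowed only with protocol 6 (TCP) or 17 (UDP),
        # or when the protocol itself is "*" (as in the page's own example).
        if f.protocol not in ("*", 6, 17):
            raise ValueError("port * with a specific protocol requires protocol 6 or 17")
    else:
        if f.protocol == "*":
            raise ValueError("a specific port requires a specific protocol")
        if not (isinstance(f.port, int) and 0 <= f.port <= 65535):
            raise ValueError("port must be 0..65535 or *")
    for name, off in (("start-offset", f.start_offset), ("end-offset", f.end_offset)):
        if off is not None and not 0 <= off <= 1800:
            raise ValueError(f"{name} must be 0..1800")
    # Assumption (not stated on the page): the window must not be inverted.
    if f.end_offset is not None and f.end_offset < f.start_offset:
        raise ValueError("end-offset must not be smaller than start-offset")


def is_valid(f: FlexContentFilter) -> bool:
    try:
        validate(f)
        return True
    except ValueError:
        return False


class FlexContentFilterList:
    """The zone's flex-content filter list, keyed by row number."""

    def __init__(self) -> None:
        self.rows: Dict[int, FlexContentFilter] = {}

    def add(self, row: int, f: FlexContentFilter) -> None:
        """flex-content-filter row-num ...: row numbers are unique, 1..9999."""
        if not 1 <= row <= 9999:
            raise ValueError("row-num must be 1..9999")
        if row in self.rows:
            raise ValueError(f"row {row} already exists; renumber first")
        validate(f)
        self.rows[row] = f

    def renumber(self, start: int = 10, step: int = 10) -> List[int]:
        """flex-content-filter renumber [start [step]]: keep the ascending
        order of the filters but space the rows start, start+step, ..."""
        if not (1 <= start <= 9999 and 1 <= step <= 999):
            raise ValueError("start must be 1..9999 and step 1..999")
        ordered = [self.rows[r] for r in sorted(self.rows)]
        new_rows = [start + i * step for i in range(len(ordered))]
        if new_rows and new_rows[-1] > 9999:
            raise ValueError("renumbering would exceed row 9999")
        self.rows = dict(zip(new_rows, ordered))
        return new_rows

    def ordered(self) -> List[int]:
        """Row numbers in the order the Detector applies the filters."""
        return sorted(self.rows)


def insert_between_consecutive_rows() -> List[int]:
    """Steps 1, 2 and 4 of the procedure on a constructed list: rows 1, 2, 3
    leave no gap, so renumber to 10, 20, 30 and insert the new filter at 15."""
    filters = FlexContentFilterList()
    for row in (1, 2, 3):
        filters.add(row, FlexContentFilter(True, "count", "*", "*"))
    filters.renumber()                       # defaults: start 10, step 10
    filters.add(15, FlexContentFilter(True, "count", 6, 80, "tcp[13]&4!=0"))
    return filters.ordered()


if __name__ == "__main__":
    print(insert_between_consecutive_rows())   # [10, 15, 20, 30]
```

The validation mirrors the table's wording rather than the device's parser: it rejects a specific port with protocol *, and port * with a protocol other than 6 or 17, before the row is stored.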

This section contains the following topics:

Understanding the tcpdump-expression Syntax

Understanding the pattern-expression Syntax

Understanding the tcpdump-expression Syntax

The tcpdump-expression is in Berkeley Packet Filter (BPF) format and specifies the expression to be matched with the packet.


Note You can use the tcpdump-expression to filter traffic based on the destination port and protocol. However, due to performance considerations, we recommend that you filter traffic based on these criteria using the flex-content filter protocol and port arguments.


The expression contains one or more elements. Elements usually consist of an ID (name or number) preceded by one or more qualifiers. There are three types of qualifiers:

Type qualifiers—Define what the ID (name or number) refers to. Possible types are host, net and port. For example, host foo. Host type qualifier is the default.

Dir qualifiers—Define the transfer direction. Possible directions are src, dst, src or dst, and src and dst. For example, src foo. Src or dst dir qualifier is the default.

Proto qualifiers—Restrict the match to a particular protocol. Possible protos are: ether, ip, arp, rarp, tcp and udp. For example, ether src foo. If you do not specify a proto qualifier, all protocols that apply to the type are matched. For example, port 53 means (tcp or udp) port 53.

Table 6-3 describes the tcpdump-expression elements.

Table 6-3 tcpdump-expression Elements 

Element
Description

dst host host_ip_address

Traffic to a destination host IP address.

src host host_ip_address

Traffic from a source host IP address.

host host_ip_address

Traffic to and from both source and destination host IP addresses.

net net mask mask

Traffic to a specific network.

net net/len

Traffic to a specific subnet.

dst port destination_port_number

TCP or UDP traffic to a destination port number.

src port source_port_number

TCP or UDP traffic from a source port number.

port port_number

TCP or UDP traffic to and from both source and destination port numbers.

less packet_length

Packets with a length equal to or less than the specific length in bytes.

greater packet_length

Packets with a length equal to or greater than the specific length in bytes.

ip proto protocol

Packets with a protocol number of the following protocols: ICMP, UDP, and TCP.

ip broadcast

Broadcast IP packets.

ip multicast

Multicast packets.

ether proto protocol

Ether protocol packets of a specific protocol number or name such as IP, ARP, or RARP.

expr relop expr

Traffic that satisfies the specified relational expression.


Table 6-4 describes the tcpdump-expression rules.

Table 6-4 Flex-Content Filter Expression Rules 

Expression Rule
Description

relop

>, <, >=, <=, =, !=

expr

An arithmetic expression composed of integer constants (expressed in standard C syntax), the normal binary operators [+, -, *, /, &, |], a length operator, and special packet data accesses. To access data inside the packet, use the following syntax:

proto [expr: size]

proto

Specifies the protocol layer for the index operation. The possible values are ether, ip, tcp, udp, or icmp. The byte offset, relative to the indicated protocol layer, is given by the expr value.


The size argument is optional and indicates the number of bytes in the field of interest; it can be one, two, or four. The default is one.


You can combine expression elements using the following methods:

A group of elements and operators in parentheses—The operators are the normal binary operators [+, -, *, /, &, |] and a length operator.


Note To use a parenthesis in the expression, use the backslash escape character before the parenthesis ( \( ).


Negation—Use ! or not.

Concatenation—Use && or and.

Alternation—Use || or or.

Negation has the highest precedence. Alternation and concatenation have equal precedence and are associated from left to right. Explicit and tokens, not juxtaposition, are required for concatenation. If you specify an identifier without a keyword, the most recent keyword is used.

For a detailed explanation of the Berkeley Packet Filter configuration options, go to this location:

http://www.freesoft.org/CIE/Topics/56.htm.

The following example shows how to count unfragmented datagrams and fragment zero of fragmented datagrams only. This check is implicitly applied to the TCP and UDP index operations. For instance, tcp[0] always indicates the first byte of the TCP header, and never indicates the first byte of an intervening fragment, as shown in this example:

user@DETECTOR-conf-zone-scannet# flex-content-filter enabled count * * 
expression ip[6:2]&0x1fff=0 pattern ""

The following example shows how to count all TCP RST packets:

user@DETECTOR-conf-zone-scannet# flex-content-filter enabled count * * 
expression tcp[13]&4!=0 pattern ""

The following example shows how to count all ICMP packets that are not echo requests/echo replies (ping):

user@DETECTOR-conf-zone-scannet# flex-content-filter enabled count * * 
expression "icmp[0] != 8 and icmp[0] != 0" pattern ""

The following example shows how to count all TCP packets that are destined to port 80 and that did not originate from port 1000:

user@DETECTOR-conf-zone-scannet# flex-content-filter enabled count * * 
expression "tcp and dst port 80 and not src port 1000" pattern ""
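The four expressions above evaluated over constructed IPv4 packets, as an added example (not Cisco or tcpdump code). It implements the proto[expr:size] index operator of Table 6-4 for the ip, tcp, udp and icmp layers, including the implicit fragment-zero check the text describes, so that tcp[13] on a later fragment does not read payload bytes as flags. The helper names (ipv4_packet, index, tcp_header) and the sample packets are my own; the ether layer and the host/net/port qualifiers are not modelled.

```python
import struct
from typing import Optional

# Protocol numbers for the transport layers the index operator can name.
PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17}


def ipv4_packet(proto: int, payload: bytes, frag_offset: int = 0,
                more_frags: bool = False) -> bytes:
    """Return a minimal IPv4 packet (20-byte header, no options) carrying payload.
    frag_offset is in 8-byte units, as in the IP header; the addresses are
    documentation-range placeholders."""
    flags_frag = (0x2000 if more_frags else 0) | (frag_offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0x1234, flags_frag,
                         64, proto, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return header + payload


def index(packet: bytes, proto: str, offset: int, size: int = 1) -> Optional[int]:
    """proto[offset:size] from Table 6-4: read size bytes (1, 2 or 4) at a byte
    offset relative to the start of the named layer, as a big-endian integer.
    Returns None when the access cannot match: the packet does not carry that
    protocol, the field runs past the end of the packet, or (for tcp/udp/icmp)
    the packet is a non-first fragment, which is the implicit fragment-zero
    check the text describes."""
    if size not in (1, 2, 4):
        raise ValueError("size must be 1, 2 or 4")
    if proto == "ip":
        base = 0
    else:
        if packet[9] != PROTO_NUM[proto]:
            return None
        if struct.unpack("!H", packet[6:8])[0] & 0x1FFF != 0:
            return None
        base = (packet[0] & 0x0F) * 4      # IHL gives the IP header length
    field = packet[base + offset: base + offset + size]
    if len(field) != size:
        return None
    return int.from_bytes(field, "big")


# The four tcpdump-expressions from the examples above, as predicates.
def unfragmented_or_first_fragment(pkt: bytes) -> bool:
    """ip[6:2] & 0x1fff = 0"""
    v = index(pkt, "ip", 6, 2)
    return v is not None and v & 0x1FFF == 0


def tcp_rst(pkt: bytes) -> bool:
    """tcp[13] & 4 != 0  (RST is bit 2 of the TCP flags byte)"""
    v = index(pkt, "tcp", 13)
    return v is not None and v & 4 != 0


def icmp_not_ping(pkt: bytes) -> bool:
    """icmp[0] != 8 and icmp[0] != 0  (the ICMP type is the first byte)"""
    v = index(pkt, "icmp", 0)
    return v is not None and v != 8 and v != 0


def tcp_to_80_not_from_1000(pkt: bytes) -> bool:
    """tcp and dst port 80 and not src port 1000, via tcp[0:2] and tcp[2:2]"""
    src, dst = index(pkt, "tcp", 0, 2), index(pkt, "tcp", 2, 2)
    return src is not None and dst == 80 and src != 1000


def tcp_header(src_port: int, dst_port: int, flags: int) -> bytes:
    """20-byte TCP header with the given ports and flags byte (offset 13)."""
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 0x50, flags, 8192, 0, 0)


# Constructed sample packets (not captures).
RST_FROM_40000 = ipv4_packet(6, tcp_header(40000, 80, 0x04))
SYN_FROM_1000 = ipv4_packet(6, tcp_header(1000, 80, 0x02))
ICMP_ECHO_REQUEST = ipv4_packet(1, bytes([8, 0, 0, 0, 0, 1, 0, 1]))
ICMP_UNREACHABLE = ipv4_packet(1, bytes([3, 1, 0, 0, 0, 0, 0, 0]))
# A later fragment of a TCP datagram: its first bytes are payload, not a TCP
# header, so tcp[...] must not read them even though they look like one here.
LATER_FRAGMENT = ipv4_packet(6, tcp_header(40000, 80, 0x04), frag_offset=185)

if __name__ == "__main__":
    for name, pkt in (("rst", RST_FROM_40000), ("syn", SYN_FROM_1000),
                      ("fragment", LATER_FRAGMENT), ("unreachable", ICMP_UNREACHABLE)):
        print(name, unfragmented_or_first_fragment(pkt), tcp_rst(pkt),
              icmp_not_ping(pkt), tcp_to_80_not_from_1000(pkt))
```

The fragment case is the reason the page recommends the protocol and port arguments over the tcpdump-expression for simple matches: a transport-layer index access silently fails to match on every fragment but the first, which is correct, but it also means a tcp[13] count will understate a flood of fragmented segments.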

Understanding the pattern-expression Syntax

The pattern-expression is a regular expression that describes a string of characters. The pattern-expression describes a set of strings without actually listing its elements. This expression is made up of normal characters and special characters. Normal characters include all printable ASCII characters that are not considered to be special characters. Special characters are characters that have a special meaning and specify the type of matching that the Detector module performs on the pattern-expression. The flex-content filter matches the pattern-expression with the content of the packet (the packet payload). For example, the three strings version 3.1, version 4.0, and version 5.2 are described by the following pattern: version .*\..*

Table 6-5 describes the special characters you can use.

Table 6-5 Special Characters Used in the pattern-expression 

Special character
Description
.*

Matches a string that may be present and can contain zero or more characters. For example, the pattern goo.*s matches the patterns goos, goods, good for ddos, and so on.

\

Removes the special meaning of a special character. To use the special characters in this list as single-character patterns, remove the special meaning by preceding each character with a backslash (\). For example, two backslashes (\\) match one backslash (\), and one backslash and a period (\.) matches one period (.).

You must also precede an asterisk (*) with a backslash.

\xHH

Matches a byte given as a hexadecimal value, where each H is a hexadecimal digit (not case-sensitive). Hexadecimal values must be exactly two digits long. For example, the pattern \x41 matches the byte with hexadecimal value 41 (the ASCII character A).


By default, the pattern-expression is case sensitive. To define the pattern-expression as case-insensitive, use the flex-content-filter command with the ignore-case keyword. See the "Adding a Flex-Content Filter" section for more information.

The following example shows how to drop packets with a specific pattern in the packet payload. The pattern in the example was extracted from the Slammer worm. The protocol, port, and tcpdump-expression parameters are nonspecific.

user@DETECTOR-conf-zone-scannet# flex-content-filter enabled drop * * 
expression " " pattern 
\x89\xE5Qh\.dllhel32hkernQhounthickChGetTf\xB9ll 
Qh32\.dhws2_f\xB9etQhsockf\xB9toQhsend\xBE\x18\x10\xAEB
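A translator from the pattern-expression syntax of Table 6-5 (the .* wildcard, the backslash escape and \xHH bytes) into a Python regular expression, applied to a payload with the start-offset, end-offset and ignore-case semantics of Table 6-2. This is an added example, not Cisco code: the Detector's own matcher is not public, the function names are my own, the payloads are constructed, and two choices are assumptions the page does not state: a bare period is treated as a literal character because the table lists only .* as special, and a bare asterisk is rejected because the table says it must be escaped.

```python
import re
from typing import List, Optional


def pattern_to_regex(pattern: str) -> str:
    """Translate a pattern-expression into Python regex syntax.

    .*     -> .*   (zero or more of any character)
    \\c     -> the literal character c (so \\. is a period, \\\\ a backslash)
    \\xHH   -> the byte with hexadecimal value HH (digits are case-insensitive)
    other  -> literal (assumption: a bare '.' is literal; a bare '*' is an error)
    """
    out: List[str] = []
    i = 0
    while i < len(pattern):
        if pattern.startswith(".*", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "\\":
            if i + 1 >= len(pattern):
                raise ValueError("trailing backslash in pattern-expression")
            nxt = pattern[i + 1]
            hexdigits = pattern[i + 2:i + 4]
            if nxt == "x" and re.fullmatch(r"[0-9a-fA-F]{2}", hexdigits):
                out.append("\\x" + hexdigits.lower())
                i += 4
            else:
                out.append(re.escape(nxt))   # escaped special char is literal
                i += 2
        elif pattern[i] == "*":
            raise ValueError("a bare '*' must be written as \\* (Table 6-5)")
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return "".join(out)


def payload_matches(payload: bytes, pattern: str, start_offset: int = 0,
                    end_offset: Optional[int] = None,
                    ignore_case: bool = False) -> bool:
    """Apply a pattern-expression to a packet payload the way Table 6-2 describes:
    match only inside payload[start_offset:end_offset] (end defaults to the
    packet length), case-sensitively unless ignore-case is set."""
    for name, off in (("start-offset", start_offset), ("end-offset", end_offset)):
        if off is not None and not 0 <= off <= 1800:
            raise ValueError(f"{name} must be 0..1800")
    window = payload[start_offset:len(payload) if end_offset is None else end_offset]
    # DOTALL so that .* also spans the \x0D\x0A line breaks used in the
    # page's HTTP example; the regex is compiled over bytes so \xHH is a byte.
    flags = re.DOTALL | (re.IGNORECASE if ignore_case else 0)
    regex = re.compile(pattern_to_regex(pattern).encode("latin-1"), flags)
    return regex.search(window) is not None


# Constructed sample payload and a pattern in the style of the page's example.
HTTP_REQUEST = (b"GET / HTTP/1.1\r\nAccept: */*\r\nAccept-Language: en\r\n"
                b"User-Agent: Mozilla/4.0\r\n\r\n")
HTTP_PATTERN = r"HTTP/1\.1\x0D\x0AAccept: .*\x0D\x0AUser-Agent: Mozilla/4\.0"

if __name__ == "__main__":
    print(pattern_to_regex(r"version .*\..*"))
    print(payload_matches(HTTP_REQUEST, HTTP_PATTERN))                 # True
    print(payload_matches(HTTP_REQUEST, "user-agent"))                 # False
    print(payload_matches(HTTP_REQUEST, "user-agent", ignore_case=True))  # True
```

Because the translated expression is anchored only by the start-offset/end-offset window, a pattern that opens with .* still scans the whole window on every packet; the narrower the window and the more literal bytes at the front of the pattern, the cheaper the filter, which is the resource concern the note at the top of this section raises.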

Displaying Flex-Content Filters

To display the Flex-Content filters, enter the following command in zone configuration mode:

show flex-content-filters

Table 6-6 describes the fields in the show flex-content-filters command output.

Table 6-6 Field Descriptions for the show flex-content-filters Command

Field
Description
Row

Specifies the Flex-Content filter priority.

State

Specifies the filter state (enabled or disabled).

Action

Specifies the action that the filter performs on the specific traffic type.

Protocol

Specifies the protocol number of the traffic that the filter processes.

Port

Specifies the destination port of the traffic the filter processes.

Start

Specifies the offset, in bytes, from the beginning of the packet payload where the pattern matching begins. This offset applies to the pattern field.

End

Specifies the offset, in bytes, from the beginning of the packet payload where the pattern matching ends. This offset applies to the pattern field.

Match-case

Specifies whether the pattern-expression that the filter matches is case sensitive or not case sensitive.

yes=case-sensitive no=case-insensitive

TCPDump-expression

Specifies the tcpdump-expression to be matched with the packet in Berkley Packet filter format. See the "Understanding the tcpdump-expression Syntax" section for the information on the tcpdump-expression syntax.

Pattern-filter

Specifies the regular expression data pattern to be matched with the packet payload. See the "Understanding the pattern-expression Syntax" section for information on the pattern-expression syntax.

RxRate (pps)

Specifies in pps the current traffic rate that is measured for this filter.


Deleting Flex-Content Filters

You can delete a flex-content filter, or you can disable a flex-content filter to prevent the Detector module from filtering packets based on the filter expression. See the "Changing the State of a Flex-Content Filter" section for more information.

To delete a flex-content filter, perform the following steps:


Step 1 Display the list of flex-content filters and identify the row number of the flex-content filter that you want to delete.

See the "Displaying Flex-Content Filters" section for more information.

Step 2 Delete the flex-content filter by entering the following command:

no flex-content-filter row-num

Use the row-num argument to specify the flex-content filter row number to be deleted. To delete all flex-content filters, enter an asterisk (*).


This example shows how to delete a flex-content filter:

user@DETECTOR-conf-zone-scannet# no flex-content-filter 5

Changing the State of a Flex-Content Filter

You can disable a flex-content filter to prevent the Detector module from filtering packets based on the filter expression and to prevent it from filtering specific types of traffic. (The filter will remain in the flex-content filter list.)

You can then set the Detector module to filter the specified traffic again, without the need to reconfigure the filter, or you can delete a flex-content filter. See the "Deleting Flex-Content Filters" section for more information.

To change the state of a flex-content filter, perform the following steps:


Step 1 Display the list of flex-content filters and identify the row number of the flex-content filter for which you want to change the state.

See the "Displaying Flex-Content Filters" section for more information.

Step 2 Change the state of the flex-content filter by entering the following command:

flex-content-filter row-num {disabled | enabled}

The row-num argument specifies the flex-content filter row number.


This example shows how to disable a flex-content filter:

user@DETECTOR-conf-zone-scannet# flex-content-filter 5 disabled

Configuring Bypass Filters

The bypass filter prevents the Detector module from analyzing specific traffic flows. You can configure a bypass filter to direct trusted traffic away from the Detector module detection functions.

This section contains the following topics:

Adding a Bypass Filter

Displaying Bypass Filters

Deleting Bypass Filters

Adding a Bypass Filter

To add a bypass filter, enter the following command in zone configuration mode:

bypass-filter row-num src-ip [ip-mask] protocol dest-port [fragments-type]

Table 6-7 provides the arguments for the bypass-filter command.

Table 6-7 Arguments for the bypass-filter Command 

Parameter
Description
row-num

Assign a unique number from 1 to 9999. The row-number identifies the filter and defines priority among the bypass filters. The Detector module operates the filters according to ascending row-number order.

src-ip

Processes traffic coming from a specific IP address. Use an asterisk (*) to indicate any IP address.

ip-mask

(Optional) Processes traffic coming from a specific subnet. The subnet mask can contain only Class C values. The default subnet is 255.255.255.255.

protocol

Processes traffic coming from a specific protocol. Use an asterisk (*) to indicate any protocol.

Review possible protocol numbers at the Internet Assigned Numbers Authority (IANA) website:

http://www.iana.org/assignments/protocol-numbers

dest-port

Processes traffic destined to a specific destination port. Use an asterisk (*) to indicate any destination port.

Review possible port numbers at the Internet Assigned Numbers Authority (IANA) website:

http://www.iana.org/assignments/port-numbers

fragments-type

(Optional) Specifies whether or not the filter processes fragmented traffic. There are three fragmented types:

no-fragments—Non-fragmented traffic

fragments—Fragmented traffic

any-fragments—Fragmented and non-fragmented traffic

The default is no-fragments.



Note You cannot specify both a fragments type and a destination port. To set the fragments type, enter * for the destination port.


Displaying Bypass Filters

To display the bypass filters, enter the following command in zone configuration mode:

show bypass-filters

Table 6-8 describes the fields in the show bypass-filters command output.

Table 6-8 Field Descriptions for the show bypass-filters Command 

Field
Description
Row

Specifies the Bypass filter priority.

Source IP

Specifies the source IP address of the traffic that the filter processes.

Source Mask

Specifies the source address mask of the traffic that the filter processes.

Proto

Specifies the protocol number of the traffic that the filter processes.

DPort

Specifies the destination port of the traffic that the filter processes.

Frg

Specifies whether or not the filter processes fragmented traffic:

yes—The filter processes fragmented traffic

no—The filter processes non-fragmented traffic

any—The filter processes both fragmented and non-fragmented traffic

RxRate (pps)

Specifies in pps the current traffic rate that is measured for this filter.


The source IP address, source address mask, protocol number, and destination port may be non-specific. An asterisk (*) indicates that the filter acts on all field values or that more than one value was matched for the filter.

Deleting Bypass Filters

To delete a bypass filter, perform the following steps:


Step 1 Display the list of bypass filters, and identify the row number of the bypass filter that you want to delete.

See the previous section, "Displaying Bypass Filters", for more information.

Step 2 Delete the bypass filter by entering the following command in zone configuration mode:

no bypass-filter row-num

The row-num argument specifies the bypass filter row number to be deleted. To delete all Bypass filters, enter an asterisk (*).


The following example shows how to delete a bypass filter:

user@DETECTOR-conf-zone-scannet# no bypass-filter 10

Configuring Dynamic Filters

Dynamic filters apply the required protection level to traffic flow and define how to handle the attack. The Detector creates dynamic filters when it identifies an anomaly in the zone traffic, which occurs when the flow exceeds the zone policy thresholds, and continuously adapts this set of filters to zone traffic and the type of DDoS attack. The dynamic filters have a limited life span and are erased when the attack ends.

Dynamic filters produce a notification record in the Detector module syslog or activate remote Guards to protect the zone.

This section includes the following topics:

Displaying Dynamic Filters

Deleting Dynamic Filters

Displaying Dynamic Filters

You can display the dynamic filters that the Detector module created. This command provides the following options:

show dynamic-filters [details]—Displays a list of all dynamic filters.

show dynamic-filters dynamic-filter-id [details]—Displays a single dynamic filter.

show dynamic-filters sort {action | exp-time | id}—Displays a sorted list of all dynamic filters.

To display the pending dynamic filters, use the show recommendations command. See "Using Interactive Detect Mode" for more information on pending dynamic filters.

Table 6-9 provides the arguments for the show dynamic-filters command.

Table 6-9 Arguments for the show dynamic-filters Command 

Parameter
Description
dynamic-filter-id

The identification number (ID) of the specific Dynamic filter to display. This integer is assigned by the Detector module. To identify the filter ID, display the complete list of Dynamic filters.

details

Displays Dynamic filter in detail. The details consist of additional information on the attack flow, the triggering rate, and the policy that produced it.

action

Displays Dynamic filters by their action.

exp-time

Displays Dynamic filters by their expiration time in ascending order.

id

Displays Dynamic filters by ascending ID number.



Note The Detector module displays a maximum of 1,000 Dynamic filters. When more than 1,000 Dynamic filters are active, examine the log file or zone report for a complete list of Dynamic filters.


The following example shows how to display a dynamic filter in detail:

user@DETECTOR-conf-zone-scannet# show dynamic-filters 876 details

Table 6-10 describes the fields in the show dynamic-filters command output.

Table 6-10 Field Descriptions for show dynamic-filters Command Output

Field
Description
ID

Specifies the filter identification number.

Action

Specifies the action that the filter performs on the traffic flow.

Exp Time

Specifies the amount of time the filter is active. After the time expires, the filter is deleted.

Source IP

Specifies the source IP address of the traffic that the filter processes.

Source Mask

Specifies the source address mask of the traffic that the filter processes.

Proto

Specifies the protocol number of the traffic that the filter processes.

DPort

Specifies the destination port of the traffic that the filter processes.

Frg

Specifies whether or not the filter processes fragmented traffic:

yes—The filter processes fragmented traffic

no—The filter processes non-fragmented traffic

any—The filter processes both fragmented and non-fragmented traffic

RxRate (pps)

Specifies in pps the current traffic rate that is measured for this filter.


The source IP address, source address mask, protocol number, and destination port may be non-specific. An asterisk (*) indicates that the filter acts on all field values or that more than one value was matched for the filter.

Table 6-11 describes the additional fields in the show dynamic-filters details command output.

Table 6-11 Field Descriptions for show dynamic-filters details Command 

Field
Description
Attack flow

Specifies the attack flow characteristics. The attack flow contains the Source IP, Source Mask, Proto, DPort, and Frg fields that are described in Table 6-10.

Triggering Rate

Specifies the rate of the attack flow that exceeded a policy threshold.

Threshold

Specifies the policy threshold that was exceeded by the attack flow.

Policy

Specifies the policy that produced the Dynamic filter. See "Configuring Policy Templates and Policies" for more information.


Deleting Dynamic Filters

When you delete dynamic filters, the deletion is effective only for a limited period of time, because the Detector module continues to create new dynamic filters while zone anomaly detection is enabled.

To delete a Dynamic filter, perform the following steps:


Step 1 Display the list of dynamic filters and identify the ID of the dynamic filter that you want to delete.

See the previous section, "Displaying Dynamic Filters", for more information.

Step 2 Delete the relevant dynamic filter by entering the following command in zone configuration mode:

no dynamic-filter dynamic-filter-id

The dynamic-filter-id argument specifies the dynamic filter ID. To delete all zone dynamic filters, use an asterisk (*).


The following example shows how to delete a dynamic filter:

user@DETECTOR-conf-zone-scannet# no dynamic-filter 876

To prevent unwanted dynamic filters from being reproduced, perform one of the following actions:

Deactivate the policy that produces the dynamic filters (see the "Changing the Policy State" section for more information). To determine which policy produced the unwanted dynamic filters, see the "Displaying Dynamic Filters" section.

Configure a bypass filter for the desired traffic flow. See the "Configuring Bypass Filters" section for more information.

Increase the threshold of the policy that produced the undesired dynamic filter. See the "Configuring the Policy Threshold" section for more information.