-
Cisco Traffic Anomaly Detector Module Configuration Guide (Software Version 5.1)
-
Index
-
Preface
-
Product Overview
-
Configuring the Detector Module on the Supervisor Engine
-
Initializing the Detector Module
-
Configuring the Detector Module
-
Configuring Zones
-
Configuring Zone Filters
-
Configuring Policy Templates and Policies
-
Learning the Zone Traffic Characteristics
-
Detecting Zone Traffic Anomalies
-
Using Interactive Detect Mode
-
Understanding Attack Reports
-
Using Detector Module Diagnostics Tools
-
Performing Maintenance Tasks
-
Table Of Contents
Learning the Zone Traffic Characteristics
Understanding the Learning Process
Understanding the Phases of the Learning Process
Verifying the Results of the Learning Process
Understanding the Detect and Learn Function
Synchronizing the Zone Learning Process Results with a Cisco Anomaly Guard Module
Configuring Learning Parameters
Configuring the Threshold Selection Method
Tuning Zone Policy Thresholds and Enabling Zone Anomaly Detection Simultaneously
Using Snapshots to Verify the Results of the Learning Process
Copying Policies to the Zone Configuration
Learning the Zone Traffic Characteristics
This chapter describes how to use the Detector module learning process to analyze zone traffic characteristics to create and fine-tune the policies that the Detector module uses for zone anomaly detection.
This chapter contains the following topics:
•
Understanding the Learning Process
•
•
•
•
•
Understanding the Learning Process
The learning process creates a baseline of normal traffic patterns, when no current attack is occurring on the network. The Detector module uses this baseline as a reference point to help detect the existence of anomalies in the zone traffic. These reference points are called policies.
After an initial learning process of constructing policies, you can activate the learning process and zone anomaly detection simultaneously. At the same time, the Detector module tunes the policy thresholds and monitors the policy thresholds for traffic anomalies. This process enables the Detector module to detect anomalies in the zone traffic, while constantly updating the policy thresholds according to the zone traffic characteristics, and prevents the Detector module from learning malicious traffic thresholds.
For the learning process to take place, you must configure the switch to capture the traffic sent to the zone and pass a copy of it to the Detector module. See the "Configuring Traffic Sources for Capturing Traffic" section on page 2-4 for more information.
You can enter learning-related commands for several zones at the same time. Enter the command in global mode and use an asterisk (*) as a wildcard. For example, to initiate the policy construction phase for all zones, enter the learning policy-construction * command in global mode. To accept the results of the policy construction phase for all Detector module zones with names that begin with scan (such as scannet and scanserver), enter the no learning scan* accept command in global mode.
This section contains the following topics:
•
•
Understanding the Phases of the Learning Process
The learning process consists of these two phases:
•
The policy templates are the Detector module tools for constructing the policies. These templates define the types of zone policies that the Detector module creates. The policy templates also define the maximum number of services that the Detector module monitors closely and the minimum threshold that triggers the Detector module to create new policies. To change the rules for constructing zone policies, you must change the policy template parameters before you initiate the policy construction phase. See Chapter 7, "Configuring Policy Templates and Policies," for more information.
You cannot perform the policy construction phase for zones that you created using the GUARD_LINK or the DETECTOR_LINK zone templates.
•
You can activate the threshold tuning phase and activate zone anomaly detection simultaneously (the detect and learn function) to prevent the Detector module from learning malicious traffic thresholds. You can set the Detector module to constantly tune the zone policies and define the intervals in which the Detector module updates the policy thresholds.
The Detector module learns the zone traffic characteristics to create a baseline of zone traffic and trace any anomalies that might become malicious. The Detector module does not modify the current zone policies during the learning process and updates the policies when you decide to accept the results of one of the learning phases only. After the policies are created, you can add and delete policies or change policy parameters such as thresholds, services, timeouts, and actions.
The Detector module learns new services for worm policies during the threshold tuning phase, rather than during the policy construction phase. Therefore, you may see new services (ports) added to worm policies during the threshold tuning phase.
Verifying the Results of the Learning Process
You can save the current results of either learning phase at any stage during the learning process and review it later by using the snapshot command. Taking a snapshot of the learning process allows you to view the policy information that the Detector module has created up to the point of the snapshot and decide whether to not to accept the results of the learning process. Saving the results of the learning phase in a snapshot does not affect the zone configuration. You can update the zone configuration with the policy information in a snapshot.
Understanding the Detect and Learn Function
After an initial learning process of constructing policies, you can activate the learning process and enable zone anomaly detection simultaneously using the detect and learn function. The Detector module tunes the policy thresholds and monitors the policy thresholds for traffic anomalies. The detect and learn function enables the Detector module to detect anomalies in the zone traffic, constantly update the policy thresholds based on the zone traffic characteristics, and prevents the Detector module from learning malicious traffic thresholds.
Before you activate the protect and learn function, you can configure when and how the Detector module accepts the results of the learning process by configuring the learning parameters.
See the "Tuning Zone Policy Thresholds and Enabling Zone Anomaly Detection Simultaneously" section for more information.
Synchronizing the Zone Learning Process Results with a Cisco Anomaly Guard Module
When the Detector module detects an attack on the zone, it stops the learning process, activates a Cisco Anomaly Guard Module (Guard module) to protect the zone, and then resumes learning the zone traffic when the attack ends. This process enables you to continuously adjust the zone policy thresholds to the traffic, but avoid having to constantly divert the zone traffic to the Guard module. You can configure the Detector module to constantly learn the zone traffic and update a Guard module with the zone policies.
To synchronize the learning process results with a Guard module, you must perform the following tasks:
1.
2.
3.
4.
You can synchronize the zone configuration with the Guard module manually or configure the Detector module to synchronize the zone configuration with the Guard module automatically. See the "Synchronizing a Detector with Cisco Guard Zone Configuration" section on page 5-13 for more information.
Constructing Policies
Use the policy construction phase after creating a new zone or anytime that the zone configuration needs updating with new service policies. After performing the policy construction phase, execute the threshold tuning phase to fine-tune the thresholds of each policy.
In the policy construction phase, the Detector module creates the zone policies using the policy templates. The traffic flows through the Detector module enabling it to discover the main services (ports and protocols) that the zone uses. You can configure the policy construction rules. For example, you can prevent the Detector module from creating policies of a certain type by disabling the relevant policy template. To change the rules for constructing zone policies, you must change the policy template parameters before you initiate the policy construction phase. See the "Understanding Policy Templates" section on page 7-4 for more information.
The Detector module sets default values for the policy parameters (timeout, action, and threshold). See Chapter 7, "Configuring Policy Templates and Policies," for information on how to configure the default values for the operational parameters.
The new policies that the Detector module creates in this phase replace the existing policies.
Note
Before you activate the policy construction phase make sure that no attack on the zone is in progress so that the Detector does not construct the policies based on the traffic characteristics of a DDoS attack. Allowing the Detector to learn the traffic characteristics of a DDoS attack and saving the results of the attack as a baseline may prevent the Detector from detecting future attacks because it may view them as normal traffic conditions.
To construct the zone policies, perform the following steps:
Step 1
learning policy-constructionStep 2
Wait at least 10 seconds after initiating policy construction or threshold tuning and enter the show rates command. Verify that the value of the Received traffic rate is greater than zero. A value of zero indicates that the Detector module is not receiving a copy of the zone traffic. Check the configuration of traffic sources for capturing traffic. See the "Configuring Traffic Sources for Capturing Traffic" section on page 2-4 for more information.
Step 3
You can save a snapshot of the learning parameters (services, thresholds, and other policy related data) by using the snapshot command at any stage during the policy construction phase, and review it later. You can save a single snapshot or save a periodic snapshot at specified intervals.
For more information, see the "Backing Up Policy Configuration" section on page 7-39.
Step 4
To accept the policies that the Detector module suggested and continue the policy construction phase, use the following command:
learning acceptTo automatically accept the policies that the Detector module suggests at specified intervals, use the following command:
learning-params periodic-action auto-accept learn_params_days learn_params_hours learn_params_minutesSee the "Configuring Learning Parameters" section for more information.
Use the no learning-params periodic-action command to terminate the periodic action.
Step 5
We recommend letting the policy construction phase continue for at least 2 hours before terminating it to allow the Detector module enough time to discover the main services (ports and protocols) that the zone uses.
You can perform one of the following actions:
•
no learning acceptThe Detector module erases previously learned policies and thresholds.
After accepting the newly constructed policies, you can manually add or remove policies. See Chapter 7, "Configuring Policy Templates and Policies," for more information.
•
no learning rejectThe Detector module stops the process and does not save the new policies that it has just learned. The policies of the zone are the policies that the Detector module had prior to initiating the learning process or prior to the last time that you accepted the results of the policy construction phase.
The following example shows how to initiate the policy construction phase and accept the suggested policies at 12-hour intervals. The example also shows how to stop the policy construction phase and accept the suggested policies.
user@DETECTOR-conf-zone-scannet# learning policy-constructionuser@DETECTOR-conf-zone-scannet# learning-params periodic-action auto-accept 0 12 0user@DETECTOR-conf-zone-scannet# no learning acceptTuning Policy Thresholds
In the threshold tuning phase, the Detector module analyzes the zone traffic and defines thresholds for the policies that were constructed during the policy construction phase.
You can set the Detector module to learn the zone traffic while monitoring the last accepted policy thresholds for traffic anomalies. After the Detector module detects an attack on the zone, it stops the threshold tuning phase but continues zone anomaly detection to prevent the Detector module from learning malicious traffic thresholds.
The Detector module resumes the learning process after the attack ends.
To tune the policy thresholds, perform the following steps:
Step 1
detect learningWe recommend that you enable the detect and learn function, that is, activate the threshold tuning phase and set the Detector module to perform zone anomaly detection at the same time.
If you have already activated zone anomaly detection or the threshold tuning phase of the learning process, you can enter both the learning threshold-tuning command and the detect command (the order is not important) to activate the detect and learn function.
If the Detector module detects an attack on the zone, it stops the threshold tuning phase but continues zone detection.
Note
•
•
To deactivate zone anomaly detection and the threshold tuning phase simultaneously, use the deactivate command in zone configuration mode.
To activate the threshold tuning phase only, use the learning threshold-tuning command.
Step 2
Wait at least 10 seconds after initiating policy construction or threshold tuning and enter the show rates command. Verify that the value of the Received traffic rate is greater than zero. A value of zero indicates that the Detector module is not receiving a copy of the zone traffic. Check the configuration of traffic sources for capturing traffic. See the "Configuring Traffic Sources for Capturing Traffic" section on page 2-4 for more information.
Step 3
You can save a snapshot of the learning parameters (services, thresholds, and other policy-related data) by using the snapshot command at any time during the threshold tuning phase. You can review the snapshot later or compare the learning parameters with another snapshot. You can save a single snapshot or save a periodic snapshot at specified intervals.
For more information, see the "Backing Up Policy Configuration" section on page 7-39.
Step 4
You can accept the zone policies that the Detector module suggested and continue the threshold tuning phase once, or define that the Detector module automatically accept the suggested policies at specified intervals to ensure that the zone has the most updated policies and continues to learn the zone traffic.
To accept the policies that the Detector module suggested and continue the threshold tuning phase, use the following command:
learning accept [threshold-selection {new-thresholds | max-thresholds | weighted weight}]See Table 8-2 for a description of the threshold-selection arguments and keywords.
To automatically accept the policies that the Detector module suggests at specified intervals, use the following command:
learning-params periodic-action auto-accept learn_params_days learn_params_hours learn_params_minutesSee the "Configuring Learning Parameters" section for more information.
Use the no learning-params periodic-action command to terminate the periodic action.
Step 5
Note
We recommend that you enable the detect and learn function and do not terminate the threshold tuning phase.
You can perform one of the following actions:
•
no learning accept [threshold-selection {new-thresholds | max-thresholds | weighted weight}]See Table 8-2 for a description of the threshold-selection arguments and keywords.
The Detector module erases previously learned thresholds.
After accepting the newly tuned policies, you can manually change the policy parameters. See Chapter 7, "Configuring Policy Templates and Policies," for more information.
•
no learning rejectThe Detector module stops tuning the thresholds and reverts to prior thresholds. This process may result in a situation in which new zone policies have thresholds that were obtained according to past traffic characteristics. We recommend that you enable the threshold tuning phase at a later time or that you configure the thresholds manually.
The following example shows how to initiate the threshold tuning phase and accept the suggested policies at 1-hour intervals. The Detector module then stops the threshold tuning phase and accepts the suggested policies if the threshold values are higher than the current values (the max-thresholds method).
user@DETECTOR-conf-zone-scannet# learning threshold-tuninguser@DETECTOR-conf-zone-scannet# learning-params periodic-action auto-accept 0 1 0user@DETECTOR-conf-zone-scannet# no learning accept threshold-selection max-thresholdsTo display the learning results, use the show policies statistics command. See the "Displaying Policies" section on page 7-34 for more information.
After reviewing the learned thresholds, you may choose to modify some of the results. To avoid overriding these changes by future threshold tuning phases, perform one of the following tasks:
•
•
Configuring Learning Parameters
The learning parameters allow you to configure the learning-related actions that the Detector module can perform and to define how the Detector module handles specific policies. You can define the following parameters:
•
See the "Configuring Periodic Actions" section for more information.
•
See the "Marking the Policies as Tuned" section for more information.
•
See the "Configuring the Threshold Selection Method" section for more information.
•
See the "Setting the Threshold as Fixed" section on page 7-22 for more information.
•
See the "Configuring a Threshold Multiplier" section on page 7-23 for more information.
To display the configuration of the learning parameters, use the show learning-params command in zone configuration mode.
Configuring Periodic Actions
You can set the Detector module to perform one of the following actions at specified intervals:
•
•
See the "Monitoring Policies" section on page 7-34 for more information on snapshots.
To set the periodic action that the Detector module performs, use the following command in zone configuration mode:
learning-params periodic-action {auto-accept | snapshot-only} learn_params_days learn_params_hours learn_params_minutes
Table 8-1 provides the arguments and keywords for the learning-params command.
The value of the interval is the sum of the learn_params_days value, the learn_params_hours value, and the learn_params_minutes value.
The following example shows how set the Detector module to accept the policies at 1-hour intervals:
user@DETECTOR-conf-zone-scannet# learning-params periodic-action auto-accept 0 1 0Configuring the Threshold Selection Method
You can set the default method that the Detector module uses to generate new thresholds to accept during the threshold tuning phase. You can accept the results of the threshold tuning phase manually, or configure the Detector module to automatically accept the results of the threshold tuning phase at specified intervals.
To configure the threshold selection method, use the following command in zone configuration mode:
learning-params threshold-selection {new-thresholds | max-thresholds | weighted weight}
Table 8-2 provides the arguments and keywords for the learning-params threshold-selection command.
This example shows how to configure the Detector module to accept the suggested policies if the learned threshold values are higher than the current policy threshold values:
user@DETECTOR-conf-zone-scannet# learning-params threshold-selection max-thresholdsMarking the Policies as Tuned
The Detector module marks the policy threshold status that defines if the policy thresholds are tuned or not, and relates to this status when you enable the protect and learn function. The policy threshold status specifies if the Detector module identifies an attack on the zone when the policy threshold is exceeded.
When a new zone is created, or after you accept the policy construction phase results for a zone, the Detector module marks the zone policy thresholds as untuned. The default thresholds of the zone templates are tuned so that the Detector module activates the antispoofing functions quickly if it identifies traffic anomalies in the zone traffic. When you enable the protect and learn function, the learning process might stop if the current zone traffic is higher than the current policy threshold values. To avoid such situations, if the zone policies are not tuned the Detector module does not detect attacks in the zone traffic when you enable the detect and learn function until the zone policy thresholds are accepted once.
If the zone policies are untuned, the Detector module activates only a threshold selection method of accept-new and ignores previous threshold values when accepting the new policies. If the Detector module accepts the threshold tuning phase results of the learning process for a zone with a threshold selection method other than accept-new, bad policy threshold values may result. See the "Configuring the Threshold Selection Method" section for more information on the threshold selection method.
The Detector module marks the zone policies as untuned in the following situations:
•
•
•
The Detector module marks the zone policies as tuned after accepting the threshold tuning phase results.
You can modify the settings of the zone policies. To mark the zone policies as tuned, use the following command in zone configuration mode:
learning-params threshold-tuned
To mark the zone policies as untuned, use the no form of this command.
You may want to change the status of the zone policies to tuned when one of the following applies:
•
•
You may want to change the status of the zone policies to untuned when one of the following applies:
•
•
•
When the zone policies are marked as untuned, the Detector module does not monitor the current policy thresholds and does not detect attacks on the zone if the policy thresholds are exceeded.
Caution
The following example shows how to mark the status of the zone policies as tuned:
user@DETECTOR-conf-zone-scannet# learning-params threshold-tunedTuning Zone Policy Thresholds and Enabling Zone Anomaly Detection Simultaneously
You can activate the learning process and enable zone anomaly detection simultaneously by using the detect and learn function. The Detector module tunes the policy thresholds and at the same time monitors the policy thresholds for traffic anomalies. The detect and learn function enables the Detector module todetect anomalies in the zone traffic and continuously update the policy thresholds based on the zone traffic characteristics. The detect and learn function also prevents the Detector module from learning malicious traffic thresholds.
Note
When you create a new zone, add or remove a service from the zone policies, or accept the policy construction phase results, the Detector module marks the zone policies as untuned. The Detector module marks the zone policies as tuned only after you accept the results of the threshold tuning phase of the learning process. You can accept the results of the threshold tuning phase manually or configure the Detector module to accept the results automatically by using the learning-params command.
If you enable the learning process and zone detection simultaneously and the status of the zone policies is untuned, the Detector module functions in the following ways until the zone policy thresholds are accepted once:
•
•
When the Detector module identifies an attack on the zone, it stops the learning process. If the Detector module has activated a Cisco Anomaly Guard Module (Guard module) to protect the zone, it polls the Guard module constantly. Once it identifies that the Guard module has deactivated zone protection, it verifies that additional traffic anomalies do not exist and then reactivates the detect and learn function. This option is available if you have configured an SSL communication channel only.
Before you activate the protect and learn function, you can configure when and how the Detector module accepts the results of the learning process. See the "Configuring Learning Parameters" section for more information.
To activate the learning process and zone anomaly detection simultaneously, use the detect learning command or enter both the learning threshold-tuning command and the detect command (the order is not important).
See the "Tuning Policy Thresholds" section and Chapter 9, "Detecting Zone Traffic Anomalies," for more information.
Using Snapshots to Verify the Results of the Learning Process
You can save a snapshot of the learning parameters (services, thresholds, and other policy-related data) at any stage during the learning process and review it later. You can compare the learning parameters of two zones or compare two of the zone snapshots to verify the outcome of the learning process and trace the differences in policies, services, and thresholds.
We recommend that you save a snapshot every few hours during the learning process. If an attack occurs during the learning process, you can use the snapshot policies for the zone. You can take the snapshot manually or configure the Detector module to automatically take a snapshot at specified intervals. The Detector module saves up to 100 snapshots for each zone. New snapshots replace the previous ones.
You can copy zone policies from the snapshot to configure the zone according to previous learning results if necessary.
This section provides information on the following topics:
•
Creating Snapshots
You can save a single snapshot of the zone learning parameters or configure the Detector module to automatically take a snapshot at specified intervals. The Detector module continues the learning process while the snapshot is taken.
To set the Detector module to automatically take a snapshot at specified intervals, see the "Configuring Periodic Actions" section for more information.
To save a single snapshot of the zone learning parameters, use the following command in zone configuration mode:
snapshot [threshold-selection {new-thresholds | max-thresholds | cur-thresholds | weighted calc-weight}]
Table 8-3 provides the arguments and keywords for the snapshot command.
Use the snapshot command to save the results of the zone learning process. The results include the zone policies, services, and thresholds. After you verify the snapshot parameters and compare two snapshots or copy the snapshot parameters to a new zone, you can delete the snapshot.
You can back up the current zone policies using the snapshot threshold-selection cur-thresholds command.
The following example shows how to create a snapshot in which the thresholds are the highest value between the current policy threshold and the new threshold of the learning process:
user@DETECTOR-conf-zone-scannet# snapshot threshold-selection max-thresholdsTo save a single snapshot in global mode, use the snapshot zone-name [threshold-selection {new-thresholds | max-thresholds | cur-thresholds | weighted weight}] command.
Comparing Learning Results
You can compare the learning results of two snapshots or two zones to trace the differences in policies, services, and thresholds.
This section includes the following topics:
Comparing Snapshots
To compare two snapshots, use the following command in zone configuration mode:
diff snapshots snapshot-id snapshot-id [percent]
Table 8-4 provides the arguments for the diff command.
The following example shows how to display the zone snapshots and compare the two most recent snapshots:
user@DETECTOR-conf-zone-scannet# show snapshotsID Time1 Feb 10 10:32:042 Feb 10 10:49:123 Feb 10 11:01:50user@DETECTOR-conf-zone-scannet# diff 2 3To compare snapshots in global mode, use the diff zone-name snapshots snapshot-id snapshot-id [percent] command.
Comparing Zones
To compare the learning parameters of two zones, use the following command in global mode or in configuration mode:
diff zone-name zone-name [percent]
Table 8-5 provides the arguments for the diff command.
The following example shows how to compare the learning parameters of two zones:
user@DETECTOR# diff scannet scannet-mailserverDisplaying Snapshots
Display a list of the zone snapshots or the snapshot parameters to get a comprehensive view of the zone learning results by entering the following command:
show snapshots [snapshot-id [policies policy-path]]
Table 8-6 provides the arguments and keywords for the show snapshots command.
Table 8-6 Arguments and Keywords for the show snapshots
Commandsnapshots
Displays the zone snapshots. If you do not specify the snapshot ID, the Detector module displays a list of all the zone snapshots.
ID of the snapshot to display. If you do not specify policies, the default is to display a list of all the zone snapshots. To view the snapshot ID, use this command with no arguments.
Group of policies to display. See the "Using Policy Paths" section on page 7-2 for more information.
To compare snapshots in global mode, use the show zone zone-name snapshots [snapshot-id [policies policy-path]] command.
The following example shows how to display a list of the zone snapshots and the policies that are related to dns_tcp in snapshot 2:
user@DETECTOR-conf-zone-scannet# show snapshotsID Time1 Feb 10 10:32:042 Feb 10 10:49:12user@DETECTOR-conf-zone-scannet# show snapshots 2 policies dns_tcpThe fields of the show zone zone-name snapshots snapshot-id policies policy-path command output are identical to the fields in the output of the show policies command. See the "Displaying Policies" section on page 7-34 for more information.
Table 8-7 describes the fields in the show snapshots command output.
Table 8-7 Field Descriptions for show snapshots
Command OutputSnapshot ID.
Date and time that the snapshot was taken.
Deleting Snapshots
You can delete old snapshots to free up disk space.
To delete a snapshot, use the following command in zone configuration mode:
no snapshot snapshot-id
The snapshot-id argument specifies the ID of an existing snapshot. Enter an asterisk (*) to delete all the zone snapshots. To view the details of a snapshot, use the show snapshots command.
The following example shows how to delete all the zone snapshots:
user@DETECTOR-conf-zone-scannet# no snapshot *Copying Policies to the Zone Configuration
You can copy a complete policy configuration or a partial configuration to the current zone.
You can copy the following information:
•
•
To copy the zone policies, use the following command in zone configuration mode:
copy-policies {snapshot-id | src-zone-name [service-path]}
Table 8-8 provides the arguments and keywords for the copy-policies command.
The following example shows how to copy all services that relate to the policy template tcp_connections from the zone webnet to the current zone, scannet:
user@DETECTOR-conf-zone-scannet# copy-policies webnet tcp_connections/The following example shows how to display a list of the zone snapshots and then copy the policies from the snapshot with ID 2:
user@DETECTOR-conf-zone-scannet# show snapshotsID Time1 Feb 10 10:32:042 Feb 10 10:49:12user@DETECTOR-conf-zone-scannet# copy-policies 2Backing Up the Zone Policies
You can back up the current zone policies at all times by using the snapshot threshold-selection cur-thresholds command.
The following example shows how to back up the current zone policies:
user@DETECTOR-conf-zone-scannet# snapshot threshold-selection cur-thresholds
