Cisco Traffic Anomaly Detector Module Web-Based Manager Configuration Guide (Software Version 5.1 and 6.0)
Monitoring Detector Module and Zone Operations

Table Of Contents

Monitoring Detector Module and Zone Operations

Viewing the Detector Summary Screen

Using the Detector Module Global Diagnostic Tools

Displaying the Global Counters

Clearing the Detector Module Counters

Viewing the Global Received Counter in Real Time

Viewing the Event Log

Viewing the Zone Status Screen

Zone Status Bar

Zone Traffic Rate Graph

Zone Status Table

Zone Recent Events Table

Using the Zone Diagnostic Tools

Viewing the Zone Counters

Using Zone Counters to Analyze Traffic Flow

Clearing the Zone Counters

Viewing the Zone Counters in Real Time

Viewing the Zone Event Log

Viewing the Attacks Summary Report

Viewing Details of an Attack Report

Understanding Attack Report Details

General Attack Information

Attack Statistics

Detected Anomalies

Viewing Details of Detected Anomalies

Exporting Attack Reports

Deleting Attack Reports

Viewing the Policy Statistics Table


Monitoring Detector Module and Zone Operations


This chapter describes how to monitor the status of the Cisco Traffic Anomaly Detector Module (Detector module) and its zones and diagnose the problems that are related to the zone traffic flow.

This chapter contains the following sections:

Viewing the Detector Summary Screen

Using the Detector Module Global Diagnostic Tools

Viewing the Zone Status Screen

Using the Zone Diagnostic Tools

Viewing the Detector Summary Screen

The Detector Summary screen (see Figure 10-1) provides a summary of the current Detector module activity and is the first screen to appear when you connect to the Detector module WBM. You can access this screen from the following locations within the interface:

Click Detector Summary from the navigation pane.

Click Home from the information area.

Figure 10-1 Detector Module Summary Screen

The Detector Summary screen includes the following two areas:

Detector Summary—Graphical summary of the received traffic rate that the Detector module handled over the last two hours in bits per second (bps).

Table 10-1 describes the information that appears below the graph.

Table 10-1 Field Descriptions for Detector Summary Graph 

Field
Description

Min.

Minimum traffic rate measured during the last 2 hours in bits per second.

Max.

Maximum traffic rate measured during the last 2 hours in bits per second.

Avg.

Average traffic rate measured during the last 2 hours in bits per second.

Cur.

Current traffic rate in bits per second.


Zones Under Detection—Status information of the zones that the Detector module is currently monitoring for traffic anomalies. The zone information can vary depending on which of the following anomaly detection modes you activate:

Detect—Displays the zone information when the zone is under attack and when normal traffic conditions exist.

Detect and Learn—Displays zone information only when the zone is under attack.

The Detector module lists the zones in the order in which they encountered attacks, with the most recently attacked zone appearing at the top of the list. Click the information that the Detector module displays in each row to view the associated zone summary screen.

Table 10-2 describes the fields for zones under detection.

Table 10-2 Field Descriptions for Zones Under Anomaly Detection 

Fields
Description

Zone

Zone name. The zone name also provides a link to the status screen of the specific zone.

Activation Time

Date and time that zone protection was activated.

Attack Start Time

Date and time that the most recent attack on the zone was detected.

#DF

Number of dynamic filters. Because the Detector module creates a dynamic filter only when it detects an anomaly, a #DF value greater than zero indicates an attack on the zone.

#PF

Number of pending dynamic filters. The display is N/A if the zone is operating in automatic protect mode (not interactive protect mode).

Receive Rate

Current rate of traffic (in bits per second) destined to the zone.

Thumbnail of the zone traffic summary

Graph that displays a summary of the traffic (in bits per second) to the zone in the last 30 minutes.


Using the Detector Module Global Diagnostic Tools

The Detector module provides diagnostic information that allows you to monitor and troubleshoot global events. This section contains the following topics:

Displaying the Global Counters

Clearing the Detector Module Counters

Viewing the Global Received Counter in Real Time

Viewing the Event Log

Displaying the Global Counters

The Counters screen provides an in-depth analysis of the counter information that the Detector module displays in the Detector module Summary screen. From the Counters screen, you can filter the information that the Detector module displays in the traffic rates graph.

To display the Detector module counters, perform the following steps:


Step 1 From the navigation pane, click Detector Summary. The Detector Summary menu appears.

Step 2 From the Detector Summary menu, choose Diagnostics > Counters > Detector Counters. The Counters screen appears.

By default, the traffic rate graph displays counter information recorded in the last 2 hours, measured in bits per second.

Step 3 (Optional) Modify the unit of measurement that the Detector module uses in the traffic rate graph. Choose a unit of measurement from the Graph Type drop-down list:

pps—Packets per second

bps—Bits per second

Step 4 Click Update Graph. The Detector module updates the graph.

Step 5 (Optional) Click Clear Counters to clear the Detector module counters. The Detector module clears the current counters and the traffic rates. You can clear the Detector module counters if you are going to perform testing and want to be sure that the counters include information from the testing session only.


The Received packets counter provides information on the total number of packets that the Detector module received and analyzed.

Table 10-3 describes the fields for the Received packets counter.

Table 10-3 Field Descriptions for Received Packets Counter 

Field
Description

Packets

Total amount of packets since the Detector module was reloaded.

Bits

Total amount of bits since the Detector module was reloaded.

pps

Current traffic rate measured in packets per second.

bps

Current traffic rate measured in bits per second.


Clearing the Detector Module Counters

You can clear the Detector module counters if you are going to perform testing and want to be sure that the counters include information from the testing session only.

To clear the Detector module counters, perform the following steps:


Step 1 From the navigation pane, click Detector Summary. The Detector Summary menu appears.

Step 2 From the Detector Summary menu, choose Diagnostics > Counters > Detector Counters. The Detector Counters screen appears.

Step 3 Click Clear Counters. The Detector module clears the current counters and the traffic rates.


Viewing the Global Received Counter in Real Time

The Detector module allows you to view the Received packets counter information in real time. The Received packets counter provides information on the total number of packets that the Detector module received and analyzed.


Note You must have Java Runtime Environment (JRE) installed on the client to view the counter information in real time (see the "Installing Java 2 Runtime Environment" section).


To view the counters in real time, perform the following steps:


Step 1 From the navigation pane, click Detector Summary. The Detector Summary menu appears.

Step 2 From the Detector Summary menu, choose Diagnostics > Counters > Real time counters. The Real Time Counters screen appears.

Step 3 (Optional) Change the unit of measurement that the Detector module uses in the traffic rate graph by choosing one of the following Graph Type options:

bps—Bits per second

pps—Packets per second

The Detector module updates the traffic rate graph.


Viewing the Event Log

The Detector module automatically logs system activity and events that relate to the zones under detection and to Detector module operation. You can display the Detector module logs to review and track the Detector module activity.

Table 10-4 describes the event severity levels.

Table 10-4 Event Log Severity Levels 

Event Level
Description

Emergencies

System is unusable

Alerts

Immediate action required

Critical

Critical condition

Errors

Error condition

Warnings

Warning condition

Notifications

Normal but significant condition

Informational

Informational messages

Debugging

Debugging messages



Note The event logs only display zone-related events with a severity level of Emergency, Alert, Critical, Error, Warning, and Notification. See the "Viewing the Zone Event Log" section for more information about zone event logs.


To view the contents of the event log, perform the following steps:


Step 1 From the navigation pane, click Detector Summary. The Detector Summary menu appears.

Step 2 From the Detector Summary menu, choose Diagnostics > Event log. The Events screen appears. Use the navigation tool provided above the Events table to scroll through the events.

Step 3 (Optional) Control which events display in the Events table by choosing one of the following options:

Show all Events—Displays the events of every severity level.

Show events with severity level—Displays only the events of the severity levels that you select (see Table 10-4).

Step 4 Click Filter Events. The Detector module updates the Events table.


Viewing the Zone Status Screen

The zone status screen (see Figure 10-2) provides a summary of the zone operating status. You can navigate to this screen as follows:

From the All Zones list in the navigation pane, click the zone name.

If zone anomaly detection is currently enabled, click the zone name from the Under Detection list in the navigation pane.

From the navigation path of any zone-specific screen, click Zone.

From the zone list (Detector Summary > Zones > Zone list), click the zone name.

Figure 10-2 Zone Status Screen

The zone status screen is divided into four areas (zone status bar, zone traffic rate graph, zone status table, and zone recent events table) and is described in the following topics:

Zone Status Bar

Zone Traffic Rate Graph

Zone Status Table

Zone Recent Events Table

The zone status screen contains function buttons. The WBM displays different function buttons depending on the current operating mode of the zone.

If the zone is in standby, the following function buttons appear:

Detect & Learn—Activates the detect and learn function. The detect and learn function enables the Detector module to detect zone traffic anomalies while performing the threshold tuning phase of the learning process. Using this button is equivalent to choosing Detection > Detect and then Learning > Tune Thresholds (the order is not important) from the zone main menu.

Detect—Activates zone anomaly detection. Using this button is equivalent to choosing Detection > Detect from the zone main menu.

If zone anomaly detection or the detect and learn function is currently enabled, the following function buttons appear:

Deactivate—Deactivates zone protection. Using this button is equivalent to choosing Detection > Deactivate from the zone main menu.

If the detect and learn function is enabled and you click Deactivate, you have the option of deactivating zone anomaly detection, the learning process, or both operations.

Report—Provides a link to the current attack report. Using this button is equivalent to choosing Diagnostics > Attack reports > Attack Summary from the zone main menu and clicking on the current attack (the attack with an identification number (#) of Curr). The Report button is available only if an attack is in progress. See the "Understanding Attack Report Details" section for more information.

Zone Status Bar

The zone status bar runs across the top of the zone status screen and provides a quick reference to the current operating status of the zone. The zone status bar provides the following information:

Name of the zone.

Mode in which the Detector module performs zone anomaly detection—Indicates whether the Detector module operates in automatic or interactive detect mode for the zone. See the "Automatic and Interactive Operation Modes" section and the "Activating Automatic or Interactive Detect Mode" section for information about zone operation mode settings.

Zone operating state—Indicates the current operating state of the zone. The operating state can be Under Detection, Under Detection/Tuning Thresholds, Inactive, Constructing Policy, or Tuning Thresholds.

New recommendations—Indicates that new dynamic filter recommendations are available for you to review and decide whether to accept, ignore, or direct the recommendations to automatic activation. This indication is available only when you have the zone operation mode set to interactive.

Zone Traffic Rate Graph

The zone traffic rate graph displays the received traffic rate over the last 2 hours measured in bits per second.

Table 10-5 describes the fields that appear below the zone traffic rate graph.

Table 10-5 Field Descriptions for Fields below Zone Traffic Rate Graph 

Field
Description

Min

Minimum traffic rate measured over the last 2 hours in bits per second.

Max

Maximum traffic rate measured over the last 2 hours in bits per second.

Avg

Average traffic rate measured over the last 2 hours in bits per second.

Cur

Current traffic rate in bits per second.


Zone Status Table

The zone status table provides information on the current operation of the zone and contains the following information:

Active Dynamic filters—Number of active dynamic filters. The number of active dynamic filters is greater than 1 when the Detector module identifies anomalies in the zone traffic.

Click Active Dynamic filters to view the Dynamic Filters screen. See the "Managing Dynamic Filters" section for information about dynamic filters.

Pending dynamic filters—Number of pending dynamic filters. The number of pending dynamic filters is greater than 1 when the zone is in interactive detect mode and there are new recommendations.

Click Pending Dynamic filters to view the Recommendations screen. See the "Managing Detector Module Recommendations for Dynamic Filters" section for information about the Detector module recommendations.

Last attack time—Date and time of the last attack on the zone.

Activation time—Date and time that zone anomaly detection was activated.

Zone Recent Events Table

The recent events table displays the reported zone events with a minimum severity level of notify. The Detector module also records the events in the zone event log and the Detector module event log.

Using the Zone Diagnostic Tools

The Detector module provides diagnostic information that allows you to monitor and troubleshoot zone events. This section contains the following topics:

Viewing the Zone Counters

Using Zone Counters to Analyze Traffic Flow

Clearing the Zone Counters

Viewing the Zone Counters in Real Time

Viewing the Zone Event Log

Viewing the Attacks Summary Report

Viewing Details of an Attack Report

Understanding Attack Report Details

Exporting Attack Reports

Deleting Attack Reports

Viewing the Policy Statistics Table

Viewing the Zone Counters

The zone counters enable you to analyze zone-specific traffic information to verify the zone status and determine if zone anomaly detection is functioning properly. You can adjust the period of time that is displayed in the zone counters graph view to see how zone protection is evolving.

To view the zone counter information, perform the following steps:


Step 1 From the navigation pane, choose a zone. The zone main menu appears.

Step 2 From the zone main menu, choose Diagnostics > Counters > Zone Counters. The zone Counters screen appears.

Step 3 (Optional) Modify the period of time that is displayed in the graph. Choose a period of time from the Graph Period drop-down list, and then click Update Graph. The Detector module updates the graph.

By default, the traffic rate graph displays counter information recorded in the last 2 hours.

Step 4 (Optional) Change the unit of measurement that the Detector module uses in the traffic rate graph by choosing a unit of measurement from the Graph Type drop-down list:

pps—Packets per second

bps—Bits per second

Step 5 Click Update Graph. The Detector module updates the graph.

Step 6 (Optional) Click Clear Counters to clear the zone counters. The Detector module clears the current zone counters and the traffic rates. You can clear the zone counters if you are going to perform testing and want to be sure that the counters include information from the testing session only.


The Zone Current Counters/Rates table displays the following information:

Packets—Total number of packets destined to the zone since the Detector module was last reloaded.

Bits—Total number of bits destined to the zone since the Detector module was last reloaded.

pps—Current traffic rate destined to the zone, measured in packets per second.

bps—Current traffic rate destined to the zone, measured in bits per second.

A legend that identifies the counters appears below the traffic rates graph. The minimum, maximum, and average rates for each counter display for the time period that you select.

Using Zone Counters to Analyze Traffic Flow

It is important that you analyze the traffic flow in order to determine if traffic is flowing properly to an active zone. The following information describes how to analyze traffic flow, recognize possible problems, and provide solutions:

A number of received packets that is greater than zero indicates proper traffic flow to the zone.

A number of received packets that equals zero could indicate one of the following situations:

If the current rate (pps or bps) of received packets for the Detector module or for other zones is also equal to zero, this could indicate either a problem with the traffic-capturing configuration or that traffic destined to the zone or zones is blocked before it reaches the switch or router in which the Detector module is installed.

If the received packets current rate (pps or bps) of the Detector module or other zones is greater than zero, verify that a bypass filter is not defined for the zone.
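The following Python example, which is added here and is not part of this guide or of the Detector module software, encodes the decision steps above as a triage function that you can run over counter values read off the Detector and zone Counters screens. The Counters record layout, the status codes, and the list of zones with a known bypass filter are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Counters:
    """Received-packet counters as read from a Detector or zone Counters screen."""
    packets: int  # total packets since the Detector module was last reloaded
    pps: float    # current rate in packets per second
    bps: float    # current rate in bits per second

    @property
    def has_current_traffic(self) -> bool:
        return self.pps > 0 or self.bps > 0


def zone_flow_status(zone: Counters, detector: Counters,
                     other_zones: Dict[str, Counters],
                     bypass_filter_defined: bool) -> Tuple[str, str]:
    """Diagnose one zone's traffic flow; returns (status code, explanation).

    Follows the guide's decision steps:
      * received packets > 0: traffic is flowing properly to the zone;
      * received packets == 0 while the Detector module and the other zones
        also show a zero current rate: suspect the traffic-capturing
        configuration, or traffic blocked before it reaches the switch or
        router in which the Detector module is installed;
      * received packets == 0 while the module or other zones do see traffic:
        a bypass filter for the zone is the thing to rule out.
    The bypass_filter_defined flag is an assumption of this example (the guide
    only tells you to verify it); it lets the function name the cause outright.
    """
    if zone.packets > 0:
        return "ok", "traffic is flowing properly to the zone"
    module_sees_traffic = detector.has_current_traffic or any(
        c.has_current_traffic for c in other_zones.values())
    if not module_sees_traffic:
        return ("capture_or_upstream",
                "no traffic reaches the Detector module at all: check the "
                "traffic-capturing configuration, or whether traffic is blocked "
                "before the switch or router that hosts the module")
    if bypass_filter_defined:
        return ("bypass_filter",
                "the module sees traffic but this zone receives none, and a "
                "bypass filter is defined for the zone: review that filter")
    return ("verify_bypass_filter",
            "the module sees traffic but this zone receives none: verify that "
            "no bypass filter is defined for the zone")


def triage_all(zones: Dict[str, Counters], detector: Counters,
               zones_with_bypass: Set[str]) -> Dict[str, Tuple[str, str]]:
    """Run zone_flow_status for every zone, comparing each against the others."""
    results = {}
    for name, counters in zones.items():
        others = {n: c for n, c in zones.items() if n != name}
        results[name] = zone_flow_status(counters, detector, others,
                                         name in zones_with_bypass)
    return results


# Constructed sample readings for three zones (not from a real Detector module).
DETECTOR = Counters(packets=1_250_000, pps=180.0, bps=1_440_000.0)
ZONES = {
    "web": Counters(packets=900_000, pps=150.0, bps=1_200_000.0),
    "dns": Counters(packets=0, pps=0.0, bps=0.0),   # silent, bypass filter known
    "mail": Counters(packets=0, pps=0.0, bps=0.0),  # silent, cause still unknown
}
ZONES_WITH_BYPASS = {"dns"}

if __name__ == "__main__":
    for zone_name, (code, why) in triage_all(ZONES, DETECTOR, ZONES_WITH_BYPASS).items():
        print(f"{zone_name:5s} {code:22s} {why}")
```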

Clearing the Zone Counters

You can clear the zone counters if you are going to perform testing and want to be sure that the counters include information from the testing session only.

To clear the zone counters, perform the following steps:


Step 1 From the navigation pane, choose a zone. The zone main menu appears.

Step 2 From the zone main menu, choose Diagnostics > Counters > Zone Counters. The zone Counters screen appears.

Step 3 Click Clear Counters. The Detector module clears the current zone counters and the traffic rates.


Viewing the Zone Counters in Real Time

The Detector module allows you to view the zone counter information in real time.


Note You must have JRE installed on the client to view the counter information in real time (see the "Installing Java 2 Runtime Environment" section).


To view the zone counter information in real time, perform the following steps:


Step 1 From the navigation pane, choose a zone. The zone main menu appears.

Step 2 From the zone main menu, choose Diagnostics > Counters > Real Time Counters. The zone Real Time Counters/Rates screen appears.

Step 3 (Optional) Change the unit of measurement that the Detector module uses in the traffic rate graph by choosing one of the following Graph Type options:

bps—Bits per second

pps—Packets per second

The Detector module updates the traffic rate graph.


For information about using the counter information to analyze zone traffic, see the "Using Zone Counters to Analyze Traffic Flow" section.

Viewing the Zone Event Log

The Detector module automatically logs system activity and events. You can display the Detector module logs to review and track the Detector module activity.

Table 10-6 describes the event severity levels.

Table 10-6 Event Log Severity Levels 

Event Level
Description

Emergencies

System is unusable

Alerts

Immediate action required

Critical

Critical condition

Errors

Error condition

Warnings

Warning condition

Notifications

Normal but significant condition

Informational

Informational messages

Debugging

Debugging messages


To view the contents of the zone event log, perform the following steps:


Step 1 From the navigation pane, choose a zone. The zone main menu appears.

Step 2 From the zone main menu, choose Diagnostics > Event log. The zone Events screen appears.

Step 3 (Optional) Control which events display in the events table by choosing one of the following options:

Show all Events—Displays the events of each severity level.

Show events with severity level—Displays only the events of the severity levels that you select (see Table 10-6).

Step 4 Click Filter Events. The Detector module updates the events table.


Viewing the Attacks Summary Report

The Detector module provides a high-level summary report for each zone to help you analyze the attacks on the zone that the Detector module detects. The report summarizes the DDoS attacks made on the zone during a user-defined period of time. The Detector module records information during an attack and organizes the data into different categories. The report provides details of the total number and intensity of the attacks with a short summary for each of the attacks. The Detector module also presents the attack data in a graph format.

To view the zone attacks summary report, perform the following steps:


Step 1 From the navigation pane, choose a zone. The zone main menu appears.

Step 2 From the zone main menu, choose Diagnostics > Attack Reports > Attack Summary. The Attacks Summary screen appears. By default, the report displays attack information for the last month.

Step 3 (Optional) Change the period of time of the attack report. Enter the period of time that you want to display in the Period from and to dates and then click Get Reports. You can enter the dates manually or click on the calendar icon at the right of each date field and then choose a date from the calendar popup window.


The Attack Summary Report screen consists of the following areas:

Detection graph—Provides a graphical summary of the attacks during the period of time that you defined.

Figure 10-3 Zone Detection Summary Report—Detection Graph

The X-axis displays the time over which the attack occurred. The Y-axis displays the average attack rate in packets per second (pps). Each attack is represented by a bar. If you hold your mouse over any of the attack bars for a few seconds, the average attack rate displays.

To view attack details, click on the attack bar in the graph to open the attack report (see the "Viewing Details of an Attack Report" section).

Total Attack Statistics table—Provides information about the number of attacks on the zone and the aggregated attack details during the period of time that you defined.

Table 10-7 describes the fields in the Total Attack Statistics table.

Table 10-7 Field Descriptions for Total Attack Statistics Table 

Field
Description

Attacks Detected

Number of attacks detected.

Attacks Duration

Aggregated duration of the detected attacks.

Max. Traffic Rate

Maximum rate of traffic destined to the zone.

Total Rx

Total amount of traffic destined to the zone.


Per Attack Summary table—Provides a table with a list of the DDoS attacks on the zone during the period of time that you defined. You can delete the information currently displayed in the Per Attack Summary table (see the "Deleting Attack Reports" section) or export the contents of an attack report (see the "Exporting Attack Reports" section).

Table 10-8 describes the fields in the columns of the Per Attack Summary table.

Table 10-8 Field Descriptions for Summary Report 

Field
Description

#

Identification number (ID) of the detected attack. The Detector module displays a value of Curr for an ongoing attack.

Start time

Date and time of the detected attack.

Duration

Duration of the detected attack in hours, minutes, and seconds.

Type

Type of detected attack. Possible values are as follows:

Tcp connections—Detected flow with an unusual number of concurrent TCP connections, with or without data.

HTTP—Unusual HTTP traffic flow.

Tcp incoming—Detected flow that attacks a TCP service when the zone is a server.

Tcp outgoing—Detected attack flow in which the client seems to be the zone, such as SYN-ACK attacks on connections initiated by the zone when the zone is the client.

Unauthenticated tcp—Detected flow that the Detector anti-spoofing functions have not succeeded in authenticating. For example, ACK flood, FIN flood, or any other flood of unauthenticated packets.

DNS (UDP)—Attacking DNS-UDP protocol flow.

DNS (TCP)—Attacking DNS-TCP protocol flow.

UDP—Attacking UDP protocol flow.

Non tcp/udp protocols—Non-TCP/UDP attacking protocol flow.

Fragments—Detected flow with an unusual quantity of fragmented traffic.

Hybrid—Attack composed of several attacks with different characteristics.

IP scan—Detected flow initiated from a source IP address that tried to access many zone destination IP addresses.

port scan—Detected flow initiated from a source IP address that tried to access many zone ports.

user detected—Anomaly flow detected by user definitions.

worm_tcp—Worm attack over the TCP/IP protocol.

Peak (pps)

Maximum attack rate measured in packets per second.

Received Pkts

Total number of packets destined to the zone that were handled by the Detector module during the attack.



Note To view attack details, click in any of the rows of the Per Attack Summary table (see the "Viewing Details of an Attack Report" section).


Viewing Details of an Attack Report

The Detector module allows you to display details of an attack report listed in the Attacks Summary screen. The attack report provides details of the attack, starting with the production of the first dynamic filter and ending either by a user decision or after a defined period of time that no new dynamic filters were added.

The Detector module records the information during an attack and organizes the data into categories. You can view the details of past and current attacks.

To view the details of an attack report, perform the following steps:


Step 1 From the navigation pane, choose a zone. The zone main menu appears.

Step 2 From the zone main menu, choose Diagnostics > Attack Reports > Attack Summary. The Attacks Summary screen appears.

Step 3 (Optional) To change the period of time of the attack report, enter the period of time that you want to display in the Period from and to dates and then click Get Reports. You can enter the dates manually or click on the calendar icon at the right of each date field and then choose a date from the calendar popup window.

Step 4 In the Detection Graph, click on the attack bar. The Attack Report screen appears.

You can also click on any of the fields for the attack in the Per Attack Summary table.

The Detector module displays a value of Curr for the identification number (#) of an ongoing attack.


When an attack on a zone is in progress, the Detector module displays a Report button on the status screen of the zone under attack. Click Report to display the information that the Detector module is gathering on the current attack.

Understanding Attack Report Details

The attack report contains data fields and tables that are grouped together in the following sections:

General Attack Information

Attack Statistics

Detected Anomalies

General Attack Information

The first section of the attack report provides information about the timing of the attack, which includes when the attack started, when it ended, and how long it lasted.

To view additional report details, click i or click Show details for all events.

All counters are integers except for the rate. You can choose the statistics unit of measurement from the general attack information area of the screen.

To change the statistic unit of measurement, perform the following steps:


Step 1 Choose the desired units to use from the Statistics units drop-down list.

Step 2 Click Set units. The Detector module updates the display.


Attack Statistics

The attack statistics section provides information on the received packets.

Table 10-9 describes the information that is provided on the attack statistics.

Table 10-9 Attack Statistics 

Field
Description

Total

Total number of packets in the category.

Max Rate

Maximum packet rate that was measured.

Average Rate

Average packet rate.


The traffic rate is displayed in the units that were selected from the drop-down list in the General Attack area (see the "General Attack Information" section).

Detected Anomalies

The Detected Anomalies table provides details about the anomalies that the Detector module detected in the zone traffic. The Detector module classifies the traffic as being an anomaly when it requires the production of a dynamic filter. Traffic anomalies can occur infrequently or can turn into systematic DDoS attacks. The Detector module clusters anomalies with the same type and flow parameters (such as source IP address or destination port) under one anomaly type.

Table 10-10 describes the information that is provided for each anomaly.

Table 10-10 Field Descriptions for Detected Anomalies 

Field
Description

#

Identification number (ID) of the detected anomaly.

Start time

Date and time that the anomaly was detected.

Duration

Duration of the anomaly in hours, minutes, and seconds.

Type

Type of the detected anomaly. Possible values are as follows:

Tcp_connections—Detected flow with an unusual number of TCP concurrent connections, with or without data.

HTTP—Unusual HTTP traffic flow.

Tcp incoming—Detected flow that attacks a TCP service when the zone is a server.

Tcp outgoing—Detected attack flow in which the client appears to be the zone, such as SYN-ACK attacks on connections initiated by the zone when the zone is the client.

Unauthenticated tcp—Detected flow that the Detector module anti-spoofing functions have not succeeded in authenticating. For example, ACK flood, FIN flood, or any other flood of unauthenticated packets.

DNS (UDP)—Attacking DNS-UDP protocol flow.

DNS (TCP)—Attacking DNS-TCP protocol flow.

UDP—Attacking UDP protocol flow.

Non tcp/udp protocols—Non-TCP/UDP attacking protocol flow.

Fragments—Detected flow with an unusual amount of fragmented traffic.

TCP ratio—Detected flow with an unusual ratio between different types of TCP packets (for example, SYN packets instead of FIN/RST packets).

IP scan—Detected flow initiated from a source IP address that tried to access many zone destination IP addresses.

port scan—Detected flow initiated from a source IP address that tried to access many zone ports.

user detected—Anomaly flow detected by user definitions.

Worm Tcp—Worm attack over the TCP/IP protocol.

Triggering rate

Anomaly traffic rate that exceeded a policy threshold.

% Threshold

Percentage by which the triggering rate is above the policy threshold.

Anomaly Flow

Anomaly traffic flow. The parameters of the common flow characteristics are displayed. The information includes parameters such as the anomaly protocol number, the destination IP address of the traffic flow, and the flow packet type.

If the anomaly flow is on a specific port, it is displayed as dst=ip address:port

Details

Indicates whether additional information can be viewed for this filter. Click i for additional information (see the "Viewing Details of Detected Anomalies" section).


An asterisk (*), which is used as a wildcard for one of the parameters, indicates one of the following:

The value is undetermined.

More than one value was measured for the anomaly parameter.

A number sign (#), followed by a number for any of the parameters, indicates the number of values measured for that parameter.

Viewing Details of Detected Anomalies

The Detected Anomalies Details table provides additional information about the dynamic filters that are related to the detected anomaly.

To display the Detected Anomalies Details table, click i in the details column for the filter in the Detected Anomalies table.

Table 10-11 describes the detailed anomaly information that the Detector module provides.

Table 10-11 Field Descriptions for Detected Anomalies Details 

Field
Description

Start time

Date and time that the anomaly was detected.

End time

Expiration date and time of the dynamic filter.

Rate (pps)

Rate measured in packets per second:

Thresh—Indicates the policy threshold that was violated by the detected anomaly.

Triggered—Indicates the anomaly traffic rate that violated a policy threshold.

Count

Number of packets that were handled by the dynamic filter.

Detected flow

Information about the detected attack flow that caused the production of the dynamic filter:

Prot.—Protocol number.

Src IP—Source IP address.

Src Port—Source port number.

Dst IP—Destination IP address.

Dst Port—Destination port number.

frag.—Fragmentation characteristics of the detected traffic flow.

Type—Detected anomaly type.

Action flow

Information about the action flow that was addressed by the dynamic filter. The action flow can have a wider range than the detected flow. For example, the detected flow could indicate a specific source port for a specific source IP. The action flow could indicate all source ports for the specific source IP. The columns represent the dynamic filter traffic data.

Prot.—Protocol number.

Src IP—Source IP address.

Src Port—Source port number.

Dst IP—Destination IP address.

Dst Port—Destination port number.

frag.—Fragmentation characteristics of the action flow.


Exporting Attack Reports

To export attack reports to a network server, perform the following steps:


Step 1 Choose a zone from the navigation pane. The zone main menu appears.

Step 2 Choose Diagnostics > Attack Reports > Attack Summary from the zone main menu. The Attacks Summary screen appears.

Step 3 (Optional) Change the time period of the attack report, enter the desired Period from and to dates, and then click Get Reports. You can enter the dates manually or click on the calendar icon located at the right of each field and select a date.

Step 4 From the Per Attack Summary table, click the check box next to the attack report to export. To choose all of the reports listed in the table, click the check box in the table header next to the number symbol (#).

Step 5 Click Export. The Export File Server Parameters window opens.

Step 6 From the Select File Server Parameters form, choose and define the network server to use:

Use automatic export file server definitions—Exports the attack reports to the network servers that you defined in the Detector module configuration by using the CLI export reports command.

Use the following server definition—Exports the attack reports to the network server that you define. Enter the following network server information:

Transfer method—The Detector module supports the File Transfer Protocol (FTP) method only for exporting attack reports.

Address—IP address of the network server.

Path—Full pathname. If you do not specify a path, the server saves the file or files in your home directory.

Username—Network server login name. The username argument is optional when you define an FTP server. When you do not enter a login name, the FTP server assumes an anonymous login and does not prompt you for a password.

Password—(Optional) Password for the remote FTP server. If you enter a username but do not enter a password, the Detector module prompts you for the password.

Step 7 Click OK to export the attack reports to the network server.


Deleting Attack Reports

To delete attack reports, perform the following steps:


Step 1 Choose a zone from the navigation pane. The zone main menu appears.

Step 2 Choose Diagnostics > Attack Reports > Attack Summary from the zone main menu. The Attacks Summary screen appears.

Step 3 (Optional) Change the time period of the attack report, enter the desired Period from and to dates, and then click Get Reports. You can enter the dates manually or click on the calendar icon (at the right of each field) and choose a date.

Step 4 From the Per Attack Summary table, click the check box next to the attack report to delete. To select all of the reports listed in the table, click the check box in the table header next to the number symbol (#).

Step 5 Click Delete. The Detector module deletes the attack report.


Viewing the Policy Statistics Table

The policy statistics table enables you to view the rate of the traffic that flows through each policy for a specific zone. You can use this table to determine whether only legitimate traffic is passed to the zone and to manually tune thresholds.

To view the policy statistics table, perform the following steps:


Step 1 Choose a zone from the navigation pane. The zone main menu appears.

Step 2 Choose Diagnostics > Statistics > Policy Statistics from the zone main menu. The Policies Statistics screen appears.

Step 3 (Optional) Filter the information displayed as follows:

a. Click Set Screen Filter. The Policy Filter window opens.

b. Choose the values of the parameters from the drop-down lists in the Policy Filter window.

c. Click OK. The Policy statistics screen is updated and displays only the selected parameters. Details of the selected path and the maximum keys per policy appear in the Screen Filter frame.


The policy statistics table displays the information in four sections. The information in each section is sorted by value with the highest values appearing at the top:

Rate—Rate of traffic that flows through the policy.

Ratio—Ratio between the number of SYN flagged packets and the number of FIN/RST flagged packets. This information is available only for syn_by_fin policies.

Connections—Number of concurrent connections or source IP addresses. This information is available only for tcp_connections and in_nodata_conns policies.

Dst IPs—Number of zone destination IP addresses that were scanned. This information is available for worm_tcp policies.

For easier management of the information displayed, you can set screen filters to display only a partial list of the statistics available.


Note When you change one of the display parameters, the Detector module automatically clears all the parameters listed below the one that you changed. You must enter new values for the cleared parameters.


Table 10-12 describes the policy statistics fields.

Table 10-12 Policy Statistics 

Field
Description

Policy template

Policy template that was used to construct the policy.

Service

Services to which the policy relates.

Level

Level used to process the traffic flow.

Type

Packet type. Possible values are as follows:

auth_pkts—Packets that underwent either a TCP handshake or UDP authentication.

in_nodata_conns—Zone incoming connections that have no data transfer on the connection (packets without a data payload).

in_pkts—Zone incoming DNS query packets.

in_unauth_pkts—Zone incoming unauthenticated DNS queries.

non_estb_conns—Nonestablished connections: zone incoming connection attempts that failed, that is, TCP connection requests (SYN packets) for which no reply was received.

out_pkts—Zone incoming DNS reply packets.

reqs—Request packets with data payload.

syns—Synchronization packets (TCP SYN flagged packets).

syn_by_fin—SYN and FIN flagged packets. Verifies the ratio between the number of SYN flagged packets and the number of FIN flagged packets.

unauth_pkts—Packets that did not undergo a TCP handshake.

pkts—All packet types that do not fall under any other category in the same protection level.

Policy

Policy identifier.

Key

Key (traffic characteristics) used to aggregate the policies.

In policies that relate to worms, the key is the source IP address that scans the zone network addresses, a colon, and the destination port that is being scanned (for example, 192.128.100.3:70).

Possible values are as follows:

dst_ip—Traffic destined to a zone IP address.

dst_ip_ratio—Ratio of SYN and FIN flagged packets destined to a specific IP address.

dst_port_ratio—Ratio of SYN and FIN flagged packets destined to a specific port.

global—Summation of all traffic flow as defined by the other policy sections.

src_ip—Traffic destined to the zone aggregated according to source IP address.

dst_port—Traffic destined to a specific zone port.

protocol—Traffic destined to the zone aggregated according to protocol.

src_ip_many_dst_ips—Key used for IP scanning. Traffic from a single IP address destined to many zone IP addresses.

src_ip_many_port—Key used for port scanning. Traffic from one IP address destined to many zone ports.

scanners—Histogram of the number of source IP addresses that scan zone destination IP addresses on a specific destination port.

Value

Rate, ratio, or number of connections depending on the section of the table. The information in each section is sorted by value with the highest value appearing first.
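The following Python is an added example, not code from Cisco or from the Detector module; it computes the kinds of values the policy statistics table reports (the Rate section per aggregation key, the syn_by_fin Ratio, and the Dst IPs count per worm key) from a constructed packet sample, plus the % Threshold figure shown in the attack report tables. The packet tuples, the two-second window, and the function names are assumptions made for the example.

```python
from collections import Counter, defaultdict

# Constructed sample packets: (protocol, src_ip, dst_ip, dst_port, tcp_flags).
PACKETS = [
    ("tcp", "10.0.0.5", "192.0.2.10", 80, "S"),
    ("tcp", "10.0.0.5", "192.0.2.10", 80, "S"),
    ("tcp", "10.0.0.7", "192.0.2.10", 80, "S"),
    ("tcp", "10.0.0.7", "192.0.2.10", 80, "FA"),
    ("tcp", "10.0.0.9", "192.0.2.11", 445, "S"),
    ("tcp", "10.0.0.9", "192.0.2.12", 445, "S"),
    ("tcp", "10.0.0.9", "192.0.2.13", 445, "S"),
    ("udp", "10.0.0.8", "192.0.2.10", 53, ""),
]
WINDOW_SECONDS = 2.0  # assumed measurement interval for the sample

def policy_key(pkt, key):
    """Map a packet to the aggregation key named in the table's Key column."""
    proto, src, dst, dport, _flags = pkt
    return {"global": "global", "dst_ip": dst, "src_ip": src,
            "dst_port": dport, "protocol": proto}[key]

def rates(packets, key, window=WINDOW_SECONDS):
    """Rate section: packets per second per key, highest value first."""
    counts = Counter(policy_key(p, key) for p in packets)
    return sorted(((k, n / window) for k, n in counts.items()), key=lambda kv: -kv[1])

def syn_by_fin(packets, key="dst_ip"):
    """Ratio section: SYNs divided by FIN/RST packets per key (syn_by_fin policies)."""
    syn, fin = Counter(), Counter()
    for pkt in packets:
        if pkt[0] != "tcp":
            continue
        k, flags = policy_key(pkt, key), pkt[4]
        if "S" in flags and "A" not in flags:  # pure SYN, not SYN-ACK
            syn[k] += 1
        if "F" in flags or "R" in flags:
            fin[k] += 1
    return {k: syn[k] / max(fin[k], 1) for k in syn}  # no FIN/RST -> raw SYN count

def scanned_dst_ips(packets):
    """Dst IPs section: distinct zone IPs reached per src_ip:dst_port (worm_tcp key)."""
    seen = defaultdict(set)
    for proto, src, dst, dport, flags in packets:
        if proto == "tcp" and "S" in flags:
            seen[f"{src}:{dport}"].add(dst)
    return {k: len(v) for k, v in seen.items()}

def pct_over_threshold(triggered, thresh):
    """% Threshold column: how far the triggering rate exceeds the policy threshold."""
    return (triggered - thresh) / thresh * 100.0
```

In the sample, the dst_ip rate for 192.0.2.10 sorts first and the worm key 10.0.0.9:445 reaches three zone hosts, which is the kind of value that would stand out at the top of the Dst IPs section.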