Cisco Traffic Anomaly Detector Module Web-Based Manager Configuration Guide (Software Version 5.1 and 6.0)
Index
Symbols
# (number sign) 10-25

A
AAA services 3-2
activation extent
  entire zone 4-16
  IP address only 4-16
activation interface, by packet or IP address 4-16
active dynamic filters 10-11
analyzing traffic flow 10-14
anomaly detection
  activating 9-3
  verifying 9-4
anomaly flow, common characteristics 10-24
attack report
  deleting 10-28
  exporting 10-27
  statistics 10-22
  understanding report details 10-21
attacks summary report 10-16
  attack summary 10-18
  attack type 10-19
auth packet types 8-4, 10-30
automatic detect mode 9-2
automatic learning, configuring 7-12
automatic operation mode 4-7, 4-13, 9-2

B
banner, configuring login 2-4
base zone 7-26
base zone services
  adding 7-29
  copying policy parameters to the base zone 7-30
  deleting 7-29
basic filter actions 5-16
Berkeley Packet Filter 5-8
burst 4-14
bypass filter
  adding 5-3
  configuring 5-3
  deleting 5-4

C
changing password 3-6, 3-7
compared zone 7-26
connections, concurrent or source IP addresses 10-29
constructing policies 7-2
copy wbm-logo command 2-5
counters
  clearing Detector 10-5
  clearing zone 10-14
  received packets 10-5
  viewing 10-4
  zone 10-12

D
DDoS
  nonspoofed attacks 1-5
  overview 1-5
  spoofed attacks 1-5
  zombies 1-5
Detect and Learn feature
  activating 7-15
  deactivating 7-16
detected anomalies
  types 10-23, 10-24
  viewing 10-23
  viewing details 10-25
detected attack types 10-19
Detect feature
  activating 9-3
  deactivating 9-4
detect mode
  activating 9-3
  automatic 9-2
  deactivating 9-4
  interactive 9-3
Detector
  counters, clearing 10-5
  overview 1-4
  recommendations, acting on 9-17
  zone templates 4-8
diagnostics, viewing 10-4
DNS
  policy templates 6-2
  tcp protocol flow 10-19
drop filter action 5-17
dst-ip-by-ip activation method 4-14
dst-ip-by-name activation method 4-14
dst traffic characteristics 8-6
dynamic filter
  actions 9-10
  active 10-11
  adding 9-9
  deleting 9-11
  fields 9-10
  overview 9-6
  pending 9-15, 10-11
  preventing production of 9-11
  recommendations 9-15
  viewing 9-6

E
entire-zone activation method 4-14
event log
  global 10-7
  zone 10-15
exporting an attack report 10-27
extent of zone protection 4-5

F
filter
  dynamic 9-6
  flex-content 5-5
  user 5-2
  zone filter overview 5-2
filter-rate termination threshold 4-15
flex-content filter
  adding 5-10
  configuring 5-5
  deleting 5-13
  expression 5-6
  pattern 5-9
fragments 10-20, 10-24

G
general attack information 10-22
global counters, viewing in real time 10-6
Guard zones 4-3
Guard zone templates 4-9

H
http 10-23
HTTP policy template 6-2
hybrid 10-20

I
icons 1-9
information area 1-9
in packet types 10-30
interactive detect mode 9-3
interactive operation mode 4-7, 4-13, 9-3
IP scan 6-3, 10-20, 10-24
IP threshold configuration 8-12

J
Java 2 Runtime Environment (JRE), installing 1-2

L
learning process
  overview 7-2
  performing 7-5
  phases 7-2
  policy construction phase
    accepting results 7-7
    starting 7-6
    stopping 7-7
  threshold tuning phase 7-3
    accepting results 7-9
    starting 7-8
    stopping 7-10
login banner, configuring 2-4
logo, adding WBM 2-4

M
main menu bar 1-8
malicious-rate
  detection threshold 4-15
  termination threshold 4-15
marking zone policies tuned or untuned 7-19
max. rate 4-14

N
navigation area 1-8
nonspoofed attacks 1-5

O
operation modes
  automatic 4-7, 4-13
  interactive 4-7, 4-13
other protocols, policy template 6-3
out_pkts packet types 10-30

P
packet-dump capture
  automatic capture
    disabling 11-3
    enabling 11-3
  file
    deleting 11-20
    exporting 11-17
    importing 11-19
    renaming 11-15
  manual capture
    starting 11-4
    stopping 11-6
  overview 11-2
  parameters 4-17
packet type
  auth 8-4
  out_pkts 10-30
  pkts 8-5, 10-30
  reqs 8-5
  syns 8-5
  unauth_pkts 8-5, 10-30
password, changing 3-6, 3-7
pending dynamic filters
  accepting 9-21
  exceeding 1000 9-13
  fields 9-20
  overview 9-15
  viewing 9-19
  viewing number of 10-11
permit filter action 5-16
pkts packet type 8-5, 10-30
policy
  adding services 8-15
  constructing 7-2
  deleting services 8-17
  key 8-6
  service 8-3
  statistics 10-28
policy construction phase
  starting 7-5
  stopping 7-7
policy statistics table, viewing 10-28
policy template
  Guard policy templates for synchronization 6-4
  other_protocols 6-3
  overview 6-2
  template types 6-2
policy-type activation method 4-14
port scan 6-3, 10-20, 10-24
privilege levels, moving between 3-8
protection activation methods 4-4
protection-end time 4-15
protect-IP state
  entire zone 4-10
  only dst IP 4-10
  only DstIP by address 4-11
  policy type 4-10

R
ratio, SYN to FIN/RST packets 10-29
recommendations
  activating 9-17
  fields 9-16
  viewing new 9-15
remote Guard, activating 9-9
reqs packet type 8-5, 10-30

S
scanners traffic characteristics 8-6
service
  adding 8-15
  deleting 8-17
SIP, user filter action 5-16
snapshot
  backing up zone policies 7-21
  comparing two snapshots 7-26
  taking a snapshot 7-20
spoofed attacks 1-5
src traffic characteristics 8-6, 10-31
status icons 1-9
status summary, zone 10-11
strong filter action 5-17
subzone 4-5
syn_by_fin packet type 10-30
syns packet types 8-5, 10-30
system requirements 1-2

T
TACACS+
  AAA services 3-2
  WBM commands 3-9
TCP
  detected anomalies 10-19, 10-23
  policy templates 6-3
template, zone 4-7
threshold
  configuring IP threshold 8-12
  filter-rate termination 4-15
  malicious-rate termination 4-15
  tuning 7-3
threshold tuning phase
  accepting results 7-9
  overview 7-3
  starting 7-8
  stopping 7-10
troubleshooting WBM connection 2-3
tuning thresholds 7-3, 7-8

U
UDP policy template 6-3
unauth_pkts packet type 8-5, 10-30
user filter 5-2
  action 5-16
  adding 5-14
  configuring 5-14
  deleting 5-17
user privilege level, moving between 3-8
user profile
  changing another user password 3-7
  changing your password 3-6
  configuring on a TACACS+ server 3-9
  creating 3-4
  deleting 3-6
  preconfigured user profiles 3-2
users
  authentication methods 3-2
  list of 3-3

V
viewing
  attack reports 10-16, 10-21
  counters 10-12, 10-15
  diagnostics 10-4
  pending dynamic filters 9-19
  policy configuration differences 7-26
  policy statistics 10-28
  recommendations 9-15
  zone status 9-4
VoIP, user filter action 5-16

W
WBM
  enabling service 2-2
  launching 2-3
  navigation maps 1-10
  overview 1-6
  requirements
    client 1-2
    Detector 1-3
  setting up 2-2
  troubleshooting connection 2-3
WBM logo, adding 2-4
worm
  policy 8-6
  policy templates 6-4

Z
zombies 1-5
zone
  configuring attributes 4-12
  counters
    clearing 10-14
    viewing 10-12
    viewing in real time 10-15
  create
    methods 4-2
    using another zone 4-12
    using a zone template 4-6
  delete 4-20
  diagnostic tools 10-12
  event log 10-15
  extent of protection 4-5
  Guard zone 4-3
  IP address
    add 4-18
    delete 4-19
  learning 7-2
  operation mode 4-7, 4-13
  overview 4-2
  policies
    adding an IP address and threshold 8-12
    service, adding 8-15
    service, deleting 8-17
    tuned 7-18
    untuned 7-18
    viewing 8-2
  protection activation methods 4-4
  protection characteristics 4-4
  recent events table 10-12
  status 10-8
  status bar 10-10
  status icons 1-9
  status table 10-11
  summary 10-11
  templates 4-7
  traffic rate graph 10-11
zone templates
  Detector 4-8
  Guard 4-9