Cisco Traffic Anomaly Detector Module Web-Based Manager Configuration Guide (Software Version 6.1 and 6.1-XG)
Index

Symbols
# (number sign) 10-17

A
AAA services 3-2
activation extent
    entire zone 4-10
    IP address only 4-10
activation interface
    by IP address 4-10
    by packet 4-9
active dynamic filters 10-9
analyzing traffic flow 10-11
anomaly detection
    activating 9-3
    verifying 9-3
anomaly detection engine memory usage 10-7
anomaly flow, common characteristics 10-17
attack report
    deleting 10-19
    exporting 10-19
    statistics 10-16
    understanding report details 10-15
attacks summary report 10-13
attack summary 10-14
attack type 10-14
auth packet types 8-4, 10-21
automatic detect mode 9-2
automatic learning, configuring 7-9
automatic operation mode 9-2
automatic protect operation mode 4-6, 4-7

B
banner, configuring login 2-3
base zone 7-19
base zone services
    adding 7-21
    copying policy parameters to the base zone 7-21
    deleting 7-21
basic filter actions 5-11
Berkeley Packet Filter 5-6
burst 4-8
bypass filter
    adding 5-2
    configuring 5-2
    deleting 5-3

C
changing password 3-5
compared zone 7-19
connections, concurrent or source IP addresses 10-20
constructing policies 7-2
copy wbm-logo command 2-3
counters
    clearing Detector 10-4
    clearing zone 10-11
    received packets 10-4
    viewing 10-3
    zone 10-10

D
DDoS
    nonspoofed attacks 1-4
    overview 1-3
    spoofed attacks 1-4
    zombies 1-4
Detect and Learn feature
    activating 7-11
    deactivating 7-12
detected anomalies
    types 10-17
    viewing 10-16
    viewing details 10-18
detected attack types 10-14
Detect feature
    activating 9-3
    deactivating 9-3
detect mode
    activating 9-3
    automatic 9-2
    deactivating 9-3
    interactive 9-2
Detector
    counters, clearing 10-4
    overview 1-3
    recommendations, acting on 9-12
    zone templates 4-5
device resources, monitoring 10-6
diagnostics, viewing 10-3
DNS
    policy templates 6-2
    TCP protocol flow 10-14
drop filter action 5-11
dst traffic characteristics 8-5
dynamic filter
    actions 9-8
    active 10-9
    adding 9-7
    deleting 9-8
    fields 9-7
    overview 9-5
    pending 9-11, 10-9
    preventing production of 9-8
    recommendations 9-11
    viewing 9-5

E
event log
    global 10-5
    zone 10-12
exporting an attack report 10-19
extent of zone protection 4-4

F
filter
    dynamic 9-5
    flex-content 5-4
    user 5-2
    zone filter overview 5-1
filter-rate termination threshold 4-9
flex-content filter
    adding 5-7
    configuring 5-4
    deleting 5-9
    expression 5-4
    pattern 5-7
fragments 10-14, 10-17

G
general attack information 10-16
global counters, viewing in real time 10-4
GUARD_VOIP zone template 4-6
Guard zones 4-2
Guard zone templates 4-6

H
http 10-17
HTTP policy template 6-2
hybrid 10-14

I
icons 1-7
information area 1-6
in packet types 10-21
interactive detect mode 9-2
interactive operation mode 9-2
interactive protect operation mode 4-6, 4-7
IP scan 6-2, 10-14, 10-17
IP summarization 11-2, 11-4
IP threshold configuration 8-8

J
Java 2 Runtime Environment (JRE), installing 1-2

L
learning process
    overview 7-2
    performing 7-3
    phases 7-2
    policy construction phase
        accepting results 7-5
        starting 7-4
        stopping 7-5
    threshold tuning phase 7-2
        accepting results 7-6
        starting 7-5
        stopping 7-7
login banner, configuring 2-3
logo, adding WBM 2-3

M
main menu bar 1-6
malicious-rate
    detection threshold 4-9
    termination threshold 4-9
marking zone policies tuned or untuned 7-14
memory usage, anomaly detection engine 10-7

N
navigation area 1-6
nonspoofed attacks 1-4

O
operation modes
    automatic protect 4-6, 4-7
    interactive protect 4-6, 4-7
other protocols, policy template 6-2
out_pkts packet types 10-21

P
packet-dump
    automatic
        activating 11-2
packet-dump capture
    automatic capture
        disabling 11-3
        enabling 11-2
    file
        deleting 11-14
        exporting 11-12
        importing 11-13
        renaming 11-11
    manual capture
        starting 11-4
        stopping 11-5
    overview 11-1
packet type
    auth 8-4
    out_pkts 10-21
    pkts 8-4, 10-21
    reqs 8-4
    syns 8-4
    unauth_pkts 8-4, 10-21
password, changing 3-5
pending dynamic filters
    accepting 9-15
    exceeding 1000 9-10
    fields 9-14
    overview 9-11
    viewing 9-13
    viewing number of 10-9
permit filter action 5-11
pkts packet type 8-4, 10-21
policy
    adding services 8-10
    constructing 7-2
    deleting services 8-11
    key 8-5
    service 8-3
    statistics 10-20
policy construction phase
    starting 7-4
    stopping 7-5
policy statistics table, viewing 10-20
policy template
    Guard policy templates for synchronization 6-3
    other_protocols 6-2
    overview 6-1
    template types 6-1
port scan 6-2, 10-14, 10-17
privilege levels, moving between 3-6
protection activation methods 4-3
protection-end time 4-9
protect-IP state
    entire zone 4-7
    only dst IP 4-7
    only dstIP by address 4-8
    policy type 4-8

R
rate 4-8
ratio, SYN to FIN/RST packets 10-20
recommendations
    activating 9-12
    fields 9-12
    viewing new 9-11
remote Guard, activating 9-7
replied IP summarization 11-2, 11-4
reqs packet type 8-4, 10-21
RTP/RTCP 4-6

S
scanners traffic characteristics 8-5
service
    adding 8-10
    deleting 8-11
SIP
    zone template 4-6
SIP, user filter action 5-11
snapshot
    backing up zone policies 7-16
    comparing two snapshots 7-19
    taking a snapshot 7-15
spoofed attacks 1-4
src traffic characteristics 8-5, 10-22
status icons 1-7
status summary, zone 10-9
strong filter action 5-11
subzone 4-4
syn_by_fin packet type 10-21
syns packet types 8-4, 10-21
system requirements 1-2

T
TACACS+
    AAA services 3-2
TCP
    detected anomalies 10-14, 10-17
    policy templates 6-2
template, zone 4-5
threshold
    configuring IP threshold 8-8
    filter-rate termination 4-9
    malicious-rate termination 4-9
    tuning 7-2
threshold tuning phase
    accepting results 7-6
    overview 7-2
    starting 7-5
    stopping 7-7
troubleshooting WBM connection 2-2
tuning thresholds 7-2, 7-6

U
UDP policy template 6-2
unauth_pkts packet type 8-4, 10-21
user filter 5-2
    action 5-11
    adding 5-10
    configuring 5-9
    deleting 5-12
user privilege level, moving between 3-6
user profile
    changing another user password 3-5
    changing your password 3-5
    configuring on a TACACS+ server 3-6
    creating 3-3
    deleting 3-4
    preconfigured user profiles 3-2
users
    authentication methods 3-2
    list of 3-3

V
viewing
    attack reports 10-13, 10-15
    counters 10-10, 10-12
    diagnostics 10-3
    pending dynamic filters 9-13
    policy configuration differences 7-19
    policy statistics 10-20
    recommendations 9-11
    zone status 9-3
Voice over IP
    See VoIP
VoIP
    zone template 4-6
VoIP, user filter action 5-11

W
WBM
    enabling service 2-1
    launching 2-2
    navigation maps 1-7
    overview 1-5
    requirements
        client 1-2
        Detector 1-2
    setting up 2-1
    troubleshooting connection 2-2
WBM logo, adding 2-3
worm
    policy 8-5
    policy templates 6-3

Z
zombies 1-4
zone
    counters
        clearing 10-11
        viewing 10-10
        viewing in real time 10-12
    create
        methods 4-2
        using another zone 4-11
        using a zone template 4-4
    delete 4-14
    diagnostic tools 10-10
    event log 10-12
    extent of protection 4-4
    Guard zone 4-2
    IP address
        add 4-11
        delete 4-12
    learning 7-2
    overview 4-1
    policies
        adding an IP address and threshold 8-9
        service, adding 8-10
        service, deleting 8-11
        tuned 7-14
        untuned 7-14
        viewing 8-2
    protection activation methods 4-3
    protection characteristics 4-3
    recent events table 10-10
    status 10-7
    status bar 10-9
    status icons 1-7
    status table 10-9
    summary 10-9
    templates 4-5
    traffic rate graph 10-9
zone templates
    Detector 4-5
    Guard 4-6