Cisco Anomaly Guard Module Web-Based Manager Configuration Guide (Software Version 5.1 and 6.0)
Index


Symbols

# (number sign) 10-31, 10-35

* (wildcard) 10-31, 10-35

A

AAA services 3-2

activation extent

entire zone 4-17

IP address only 4-17

activation interface

by IP address 4-16

by packet 4-15

active dynamic filters 10-13

analyzing traffic flow 10-17

analyzing zone traffic problems 10-18

anomaly flow, common characteristics 10-31

anti-spoofing internal errors 10-47

attack

statistics 10-27

summary 10-23

types 10-24, 10-34

attack report

deleting 10-38

dropped/bounced packets 10-28

exporting 10-37

report details 10-26

viewing current attack details 10-26

viewing past attack details 10-25

zone 10-25

attacks summary report 10-21

auth packet type 8-5, 10-42

automatic learning, configuring 7-12

automatic protect operation mode 4-7, 4-12, 9-4

B

bad packets to proxy addresses 10-46

bandwidth limited link templates 4-8

banner, configuring login 2-4

base zone 7-26

base zone services

adding 7-29

copying policy parameters to the base zone 7-30

deleting 7-29

Berkeley Packet Filter 5-13

burst 4-10, 4-13

bypass filter

adding 5-8

definition 5-3

deleting 5-9

C

changing another user password 3-7

changing your password 3-6

client attack 10-24, 10-34

compared zone 7-26

concurrent connections 10-41

constructing policies 7-2

copy wbm-logo command 2-4

counters

clearing Guard 10-6

clearing zone 10-16

dropped 10-5, 10-8, 10-15, 10-20, 10-27

forwarded 10-27

legitimate 10-5, 10-8, 10-15, 10-19

malicious 10-5, 10-8, 10-15, 10-19

received 10-5, 10-8, 10-15, 10-20, 10-27

replied 10-5, 10-8, 10-15, 10-20, 10-27

spoofed 10-5, 10-8, 10-15, 10-20

zone 10-15

create a zone

using an existing zone as a template 4-11

using a predefined zone template 4-7

D

DDoS

nonspoofed attacks 1-5

overview 1-4

spoofed attacks 1-5

zombies 1-5

detected anomalies

types 10-24, 10-30

viewing 10-29

viewing details 10-31

diagnostics, viewing 10-4

DNS

drop statistics 10-46

policy templates 6-2

dropped/bounced packets 10-28

drop statistics 10-43

dst traffic characteristics 8-6

dynamic filter

actions 9-16

active 10-13

adding 9-15

deactivating 9-11

definition 5-2

deleting 9-18

fields 9-15

pending 9-21, 10-13

preventing production of 9-18

recommendations 9-21

table 9-12

viewing 9-12

dynamic filters

overview 9-11

E

event log

Guard 10-9

zone 10-20

extent of zone protection 4-4

F

filter actions

dynamic filters 9-13, 9-16

user filters 5-6

filter overview

bypass 5-3

dynamic 5-2

flex-content 5-3

user 5-2

filter-rate termination threshold 4-10, 4-13

flex-content filter

adding 5-15

configuring 5-10

definition 5-3

deleting 5-18

expression 5-11

pattern 5-14

fragments 10-30

G

general attack information 10-27

GUARD_LINK zone templates 4-8

GUARD_VOIP zone template 4-9

Guard counters, clearing 10-6

H

HTTP

policy template 6-2

type of detected anomaly 10-30

zombies 10-37, 10-39

zombies list 10-39

hybrid, type of mitigated attack 10-24

I

icons 1-9

information area 1-9

in packet types 10-42

interactive protect operation mode 4-7, 4-12, 9-4

IP address, configuring zone 4-18, 4-19

IP scan 6-3, 10-30

IP threshold configuration 8-14

J

Java 2 Runtime Environment (JRE), installing 1-2

L

land attack 10-47

learning process

overview 7-2

performing 7-4

phases 7-2

policy construction phase

accepting the results 7-6

overview 7-2

starting 7-5

stopping 7-6

threshold tuning phase

accepting the results 7-8

overview 7-3

starting 7-7

stopping 7-10

login banner, configuring 2-4

logo, adding WBM 2-4

M

main menu bar 1-8

malformed packets 10-24, 10-28, 10-34, 10-47

malicious-rate

detection threshold 4-10, 4-13

termination threshold 4-10, 4-14

marking zone policies tuned or untuned 7-19

max. rate 4-9, 4-13

mitigated attack

action flow 10-34

anomaly flow 10-34

attack types 10-34

viewing 10-33

viewing details 10-35

N

navigation area 1-8

new recommendations 9-22

non DNS drop statistics 10-46

nonspoofed attacks 1-5

O

on-demand protection

activating 9-6

overview 9-2

operation modes

automatic protect 4-7, 4-12

interactive protect 4-7, 4-12

other protocols

drop statistics 10-45

policy template 6-3

out_pkts packet types 10-42

P

packet-dump capture

automatic capture

disabling 11-3

enabling 11-3

file

deleting 11-21

exporting 11-18

importing 11-20

renaming 11-16

manual capture

starting 11-4

stopping 11-6

overview 11-2

parameters 4-17

packets

dropped/bounced 10-28

malformed 10-28

packet type

auth 8-5

out_pkts 10-42

pkts 8-6, 10-42

reqs 8-5

syns 8-5

unauth_pkts 8-6, 10-42

password

changing another user password 3-7

changing your password 3-6

pending dynamic filters

accepting 9-27

fields 9-25

in zone status table 10-13

number exceeds 1000 9-20

overview 9-21

pkts packet type 8-6, 10-42

policy

constructing 7-2

key 8-6

service 8-3

services

adding 8-17

deleting 8-19

statistics 10-40

types 8-5

policy construction phase

starting 7-5

stopping 7-6

policy statistics table, viewing 10-40

policy template

no proxy zones 6-4

other_protocols 6-3

overview 6-2

template types 6-2

types of templates 6-2

port scan 6-3, 10-30

privilege levels, moving between 3-8

protect

automatic operation mode 9-4

interactive operation mode 9-4

on-demand 9-2

Protect and Learn feature

activating 7-15

deactivating 7-16

overview 9-3

Protect feature

activating 9-5

deactivating 9-9

overview 9-3

protection activation methods 4-3

protection-end time 4-10, 4-13

protection verification 9-8

R

ratio, SYN to FIN/RST packets 10-41

recommendations, viewing new 9-22

redirect/zombie 9-17

reqs packet type 8-5, 10-42

RTP/RTCP 4-9

S

service

adding 8-17

deleting 8-19

SIP

detected anomalies 10-31

drop statistics 10-47

policy template 6-4

spoofed statistics 10-49

zone template 4-9

snapshot

comparing two snapshots 7-26

learning process results 7-20

overview 7-20

zone configuration policies 7-21

spoofed attack 1-5, 10-24, 10-34

spoofed packets 10-28

src traffic characteristics 8-6, 10-43

status icons 1-9

status summary, zone 10-13

subzone

overview 4-5

reports 10-24

syn_by_fin packet type 10-42

syns packet type 8-5, 10-42

system requirements 1-2

T

TACACS+

AAA services 3-2

WBM commands 3-9

TCP

detected anomalies 10-30

drop statistics 10-44

policy templates 6-3

template, zone 4-8

threshold

configuring IP threshold 8-14

filter-rate termination 4-10, 4-13

malicious-rate termination 4-10, 4-14

tuning 7-3

threshold tuning phase

accepting results 7-8

overview 7-3

starting 7-7

stopping 7-10

traffic rate 10-41

troubleshooting WBM connection 2-3

tuning thresholds 7-3, 7-7

U

UDP

drop statistics 10-45

policy template 6-4

unauth_pkts packet type 8-6, 10-42

user authentication methods 3-2

user filter

actions 5-6

adding 5-4

configuring 5-4

deleting 5-7

overview 5-2

user interface 1-6

user privilege levels, moving between 3-8

user profile

changing another user password 3-7

changing your password 3-6

configuring on a TACACS+ server 3-9

creating 3-4

deleting 3-6

displaying the list of users 3-3

preconfigured user profiles 3-2

V

viewing

attack reports 10-22, 10-25

diagnostics 10-4

drop statistics 10-44

dynamic filters 9-12

pending dynamic filters 9-25

policy configuration differences 7-26

policy statistics 10-40

recommendations 9-22

zone status 9-8

Voice over IP

See VoIP

VoIP

detected anomalies 10-31

drop statistics 10-47

policy template 6-4

spoofed statistics 10-49

zone template 4-9

W

WBM

enabling service 2-2

launching 2-3

setting up 2-2

troubleshooting connection 2-3

WBM logo, adding 2-4

Z

zombie

detected 10-37

list 10-39

mitigated attack type 10-24, 10-34

overview 1-5

zone

configure attributes 4-12

counters

clearing 10-16

viewing 10-15

viewing in real time 10-19

create

methods 4-2

using another zone 4-11

using a predefined zone template 4-7

delete 4-20

diagnostic tools 10-14

event log 10-9, 10-20

extent of protection 4-4

icons 1-9

IP address

adding 4-18

deleting 4-19

learning 7-2

operation mode

changing to automatic 9-19

changing to interactive 9-20

defining 4-12

overview 9-19

taking action when pending filters exceed 1000 9-20

overview 4-2

policies

adding an IP address and threshold 8-14

adding a service 8-17

deleting a service 8-19

tuned 7-18

untuned 7-18

viewing 8-2

protection

activating 9-5

deactivating 9-9

extent 4-4

on-demand, activating 9-6

on-demand overview 9-2

options 9-2

Protect and Learn feature 9-3

Protect feature 9-3

verifying 9-8

protection activation methods 4-3

recent events table 10-14

status

status bar 10-12

status table 10-13

viewing 10-10

status summary 10-13

subzone 4-5

template

predefined 4-2

types 4-8

traffic rate graph 10-13