Cisco Traffic Anomaly Detector Configuration Guide (Software Version 6.0)
Index

Symbols

# (number sign) 10-4

* (wildcard) 2-6, 4-5, 10-3

A

AAA

accounting 3-13

authentication 3-6

authorization 3-11

configuring 3-4

aaa accounting command 3-13

aaa authentication command 3-6

aaa authorization command 3-11

accounting, configuring 3-13

action command 6-18

action flow 10-6

activation

activation-extent command 8-11, 8-12

activation-interface command 8-12

activation sensitivity 8-12

add-service command 6-9

admin privilege level 2-2, 3-7

always-accept 6-19

always-ignore 6-19

anomaly

detected 10-2

flow 10-3

anomaly detection engine memory usage 11-24, 11-26

arp command 11-26

attack report

copying 10-7

detected anomalies 10-2

exporting 10-6, 10-7, 12-5

exporting automatically 10-6

history 11-23

layout 10-1

notify 10-4

statistics 10-2

timing 10-1

viewing 10-4

attack type

detected attack 10-5

authentication, configuring 3-6

authorization

disabling zone command completion 3-13, 4-6

authorization, configuring 3-9

auth packet type 6-11

automatic detect mode 1-5

automatic protection mode 8-3

automatic protect mode 8-3, 9-1

B

banner

configuring login 3-32

Berkeley Packet filter 5-7

BGP 8-8

burn flash 12-9

bypass filter

command 5-10

configuring 5-10

definition 1-4, 5-1

deleting 5-12

displaying 5-11

C

capture, packets 11-12

caution, symbol overview 1-xiii

CFE 12-9

clear counters command 2-10, 11-4

clear log command 11-9

CLI

changing prompt 3-28

command shortcuts 2-6

error messages 2-5

getting help 2-6

issuing commands 2-3

TAB completion 2-6

using 2-1

command completion 3-13

command line interface

See CLI 2-1

command shortcuts 2-6

config privilege level 2-2, 3-7

configuration

file

copying 12-2

exporting 12-3

importing 12-4

viewing 11-1

importing 12-4

saving router 8-10, 8-13

configuration, accessing command mode 3-12

configuration mode 2-2

configure command 2-7

constructing policies 7-4

copy command

packet-dump 11-15

copy commands

ftp running-config 12-4

log 11-6, 11-8

new-version 12-8

reports 10-7

running-config 4-15, 12-3

zone log 11-8

copy-from-this 4-5

copy guard-running-config command 4-14, 4-17

copy login-banner command 3-33

copy-policies command 7-16

copy wbm-logo command 3-34

counters

clearing 2-10, 11-4

history 11-3

counters, viewing 11-3

cpu utilization 11-24

D

date command 3-23, 3-24

DDoS

nonspoofed attacks 1-3

overview 1-2

spoofed attacks 1-2

zombies 1-3

deactivate command 8-5

deactivating commands 2-5

default-gateway command 2-10

description command 4-6

detect

automatic mode 1-5

interactive mode 1-5

detect command 8-4

detected

anomalies 10-2

flow 10-6

detected attack 10-5

DETECTOR_DEFAULT 4-2

DETECTOR_WORM 4-2

Detector configuration

resetting 12-12

diff command 7-13, 7-14

disable command 6-6

disabling

automatic export 12-6

disk usage 11-23

DNS

detected anomalies 10-2

TCP policy templates 6-2

tcp protocol flow 10-5

dst-ip-by-ip activation form 8-4

dst-ip-by-ip activation method 8-7

dst-ip-by-name activation method 8-4

dst traffic characteristics 6-11

Dynamic filter

command 8-14

displaying 8-11

timeout 8-8

dynamic filter

1000 and more 5-13

command 5-15

definition 1-4

deleting 5-15

displaying 5-13

displaying events 11-7

overview 5-2, 5-12

preventing production of 5-16

sorting 5-13

worm 6-21

dynamic filters 9-1

dynamic privilege level 2-2, 3-7

E

enable

command 3-10, 6-6

password command 3-10

enabling services 3-2

entire-zone activation method 8-3

event log

activating 11-6

deactivating 11-6

event monitor command 11-6

export

disabling automatic 12-6

export command 12-5

packet-dump 11-14

reports 10-7

exporting

configuration file 12-3

log file 11-8

reports automatically 10-6

exporting GUARD configuration 4-14, 4-17

export sync-config command 4-16

extracting signatures 11-18

F

facility 11-6

file server

configuring 12-1

file-server

command 4-16, 12-2

configuring 12-2

deleting 12-2

displaying 12-2, 12-6

displaying sync-config 4-16, 12-6

file server, displaying sync-config 12-6

filters

bypass 1-4, 5-10

dynamic 1-4, 5-2, 5-12

flex-content 1-4, 5-2

overview 5-1

fixed-threshold 6-15

flash-burn command 12-9

flex-content filter

configuring 5-3

definition 1-4, 5-1

displaying 5-8

filtering criteria 5-2

renumbering 5-3

fragments 10-5

detected anomalies 10-2

policy template 6-2

G

generating signatures 11-18

global mode 2-2

global traffic characteristics 6-11

Guard

configuration mode 2-3

exporting configuration 12-5

GUARD_DEFAULT 4-3

GUARD_LINK 4-3

GUARD_TCP_NO_PROXY 4-3

GUARD_ zone template

policy templates included with zone templates 6-3

guard-conf command 4-10

GUARD configuration, exporting 4-14, 4-17

GUARD configuration, importing 4-15

Guard-protection activation methods 8-3, 8-10

H

histogram command 6-20

history command 11-23

host, logging 11-7

host keys

deleting 3-20, 3-21

hostname

changing 3-28

command 3-28

HTTP

detected anomalies 10-2

policy template 6-2

hybrid 10-5

I

idle session, configuring timeout 3-35

idle session, displaying timeout 3-36

importing

configuration 12-4

importing GUARD configuration 4-15

in-band

configuring interface 2-8

in packet type 6-11

install new-version command 12-8

interactive

operation mode 9-3

policy status 6-19

interactive detect mode 1-5

interactive protection mode 8-3

interactive protect mode 8-3, 9-1

interactive-status command 6-19

interface

activating 2-8, 2-9

clearing counters 2-10

command 2-8

configuration mode 2-2

configuring 2-8

configuring IP address 2-9

out-of-band 2-8

ip address

modifying, zone 4-8

IP address command

excluding 4-7

ip address command

deleting 4-8

interface 2-9

zone 4-7

ip route command 2-10

IP scan 10-5

detected anomalies 10-2

policy template 6-2

IP threshold configuration 6-17

K

key command

add 3-21, 3-25

generate 3-22, 3-27

remove 3-26

key publish command 3-22

L

learning

command 7-5, 7-7

constructing policies 7-4

overview 7-1

policy-construction command 7-4

synchronizing results 7-3

terminating process 7-5, 7-7

threshold-tuning command 7-6

tuning thresholds 7-6

learning accept command 7-5, 7-6

learning parameters, displaying 7-8

learning-params

deactivating periodic action 7-7

deactivating periodic-action command 7-5

periodic-action command 4-12, 7-5, 7-7, 7-8

threshold-multiplier command 6-15

threshold-selection command 7-6, 7-9

threshold-tuned command 4-8, 7-10

learning-params command 4-11, 4-16

learning-params fixed-threshold command 6-15

LINK templates 7-4

log file

clearing 11-9

exporting 11-6, 11-8

history 11-23

viewing 11-8

logging, viewing configuration 11-7

logging command 11-6

login banner

configuring 3-32, 3-33

deleting 3-34

importing 3-33

login-banner command 3-33

logo, adding WBM 3-34

logo, deleting WBM 3-35

M

management

MDM 2-12

overview 2-11

SSH 2-13

WBM 2-11

max-services command 6-5

MDM

activating 2-12

memory consumption 11-23

memory usage, anomaly detection engine 11-24, 11-26

min-threshold command 6-6

monitoring

network traffic 11-14, 11-15

MP

upgrading 12-8

mtu command 2-9

N

netstat command 11-28

network server

configuring 12-1, 12-2

deleting 12-2

displaying 12-2, 12-6

displaying sync-config 4-16, 12-6

network server, displaying sync-config 12-6

new version

installing 12-8

upgrading 12-8

no learning command 7-5, 7-7

non_estb_conns packet type 6-11

nonspoofed attacks 1-3

no proxy policy templates 6-4

note, symbol overview 1-xiii

notify 10-4

notify policy action 6-18

ns policy templates 6-4

NTP 3-24

enable service 3-24

permit 3-25

server 3-25

O

other protocols

detected anomalies 10-2

policy template 6-3

out_pkts packet type 6-11

out-of-band

configuring interface 2-8

out-of-band interface 2-8

P

packet-dump

auto-capture command 11-11

automatic

activating 11-10

deactivating 11-11

displaying settings 11-12

exporting 11-14, 11-15, 12-5

signatures 11-19

packet-dump command 11-12

packets, capturing 11-12

password

changing 3-7

enabling 3-10

encrypted 3-7

resetting 12-10

pending 9-1

pending dynamic filters 9-1, 9-2

displaying 9-3, 9-5

periodic action

accepting policies automatically 7-5, 7-7

deactivating 7-5, 7-7

permit

command 2-12, 2-13, 3-3

permit ssh command 3-21

ping command 11-31

pkts packet type 6-11

policy

action 6-12, 6-18

activating 6-13

adding services 6-9

backing up current 6-25, 7-17

command 6-12

configuration mode 2-3

constructing 1-4, 7-2, 7-4

copying parameters 7-16

copy-policies 7-16

deleting services 6-9

disabling 6-13

displaying 8-11

inactivating 6-13

learning-params, fixed-threshold command 6-15

marking as tuned 4-8, 7-10

marking threshold as fixed 6-15

multiplying thresholds 6-16

navigating path 6-12

packet types 6-10

show statistics 6-23

state 6-13

threshold 6-12, 6-14

threshold-list command 6-17

timeout 6-12, 6-17

timeout, configuring 8-11

traffic characteristics 6-11

tuning thresholds 1-4, 7-2, 7-6

using wildcards 6-12, 6-22, 6-24

viewing statistics 7-8

policy set-timeout command 6-18, 8-11

policy template

command 6-4, 6-6

configuration command level 6-4

configuration mode 2-3

displaying list 6-4

Guard policy templates for synchronization 6-3

max-services 6-5

min-threshold 6-6

overview 6-2

parameters 6-4

state 6-6

worm_tcp 6-4

policy-template add-service command 6-9

policy-template remove service command 6-9

policy-type activation method 8-4

port scan 10-5

detected anomalies 10-2

policy template 6-3

poweroff command 12-7

privilege levels 2-2

assigning passwords 3-10

moving between 3-10

protect

activation methods 8-3, 8-10

automatic mode 8-3, 9-1

deactivating 8-5

interactive mode 8-3, 9-1

protect command 8-5

protection-end-timer 8-7, 8-14

protection-end-timer command 8-12

protect-ip-state command 8-3, 8-10

protect learning command 7-6

protect-packet command 8-12

protocol traffic characteristics 6-11

proxy

no proxy policy templates 6-4

public-key

displaying 3-27

R

rates

history 11-3

rates, viewing 11-3

reactivate-zones 12-7

reboot command 12-7

rebooting

parameters 12-7

recommendations 9-1

accepting 9-6

activating 9-3, 9-5

change decision 6-19

command 9-6

deactivating 9-3, 9-7

dynamic filters 9-1

ignoring 9-6

overview 9-1

viewing 9-4

viewing pending-filters 9-3, 9-5

redistribute detector command 8-10

reload command 12-6

remote-activate policy action 6-18

remote Guard

activating 5-14

commands

activation-extent 8-11, 8-12

activation-interface 8-12

protection-end-timer 8-12

protect-packet 8-12

terminating protection 8-7, 8-14

remote-guard command 8-7, 8-8

remote Guard list

displaying 8-8

remote Guards

activating 8-5

BGP, activating 8-8

default list 8-7

list 8-8

list activation order 8-8

remove service command 6-9

renumbering flex-content filters 5-3

report

See attack report 10-1

reports

details 10-4

exporting 12-5

reqs packet type 6-11

router

command 8-10, 8-13

configuration mode 8-10, 8-13

configuring adjacent 8-11

enabling service 8-10

router configuration mode 2-3

routes, redistributing 8-10

routing table

manipulation 2-10

viewing 2-11

running-config

copy 4-15, 12-3, 12-4

show 11-1

S

saving configuration, router 8-10, 8-13

scanners traffic characteristics 6-12

service

adding 6-9

command 2-11, 2-13, 3-2

copy 7-16

deleting 6-9

MDM 2-13

permissions 3-3

snmp-trap 3-28

wbm 2-11

services

enabling 3-2

session, configuring timeout 3-35

session, displaying idle timeout 3-36

session timeout, disabling 3-36

session-timeout command 3-35

set-action 6-18

show commands

counters 11-3

cpu 11-24

diagnostic-info 11-21

disk-usage 11-23

dynamic-filters 5-13, 5-15

file-servers 12-2, 12-6

flex-content-filter 5-8

host-keys 3-21, 3-23

learning parameters 7-8

learning-params 6-15

log 11-8

log export-ip 11-7

logging 11-7

login-banner 3-33

memory 11-24

packet-dump 11-12

packet-dump signatures 11-19

policies 6-22

policies statistics 6-23, 7-8

public-key 3-23, 3-27

rates 11-3

recommendations 9-4

recommendations pending-filters 9-3, 9-5

remote-guards 8-8

reports details 10-4

running-config 11-1

show 11-3

sorting dynamic-filters 5-13

sync-config 4-16

sync-config file-servers 4-16, 12-6

templates 4-5

zone policies 6-22

show privilege level 2-2, 3-7

show public-key command 3-27

shutdown command 2-9

signature

generating 11-18

snapshot

backing up policies 6-25, 7-17

command 7-12

comparing 7-13

deleting 7-15

displaying 7-15

saving 7-12, 7-13

snapshot command 7-12

snapshots

save periodically 7-8

SNMP

configuring trap generator 3-28

traps description 3-29

snmp commands

community 3-32

trap-dest 3-28

specific IP threshold 6-17

speed command 2-9

spoofed attacks 1-2

src traffic characteristics 6-12

SSH

configuring 2-13

deleting keys 3-26

generating key 3-22, 3-27

host key 3-23

service 2-13

viewing public key 3-23

ssh key, publishing 3-22

state command 6-13

static route

adding 2-10

syn_by_fin packet type 6-11

sync command 4-12, 4-13

synchronization

exporting configuration 12-5

syns packet type 6-11

syslog

configuring export parameters 11-6

configuring server 11-7

message format 11-6

system log

message format 11-6

T

TACACS+

authentication

key generate command 3-19

key publish command 3-22

clearing statistics 3-17

configuring search 3-16

configuring server 3-14

server connection timeout 3-16

server encryption key 3-15

server IP address 3-15

viewing statistics 3-17

tacacs-server commands

clear statistics 3-17

first-hit 3-14

host 3-14, 3-15

key 3-14, 3-15, 3-16

show statistics 3-17

timeout 3-14, 3-16

TCP

detected anomalies 10-2, 10-5

no proxy policy templates 6-4

policy templates 6-3

templates

LINK 7-4

viewing policies 4-5

zone 4-2

thresh-mult 6-16

threshold

command 6-14

configuring IP threshold 6-17

configuring list 6-17

configuring specific IP 6-17

marking as tuned 4-8, 7-10

multiplying before accepting 6-15

selection 7-12

setting as fixed 6-14

tuning 1-4, 7-2

worm 6-20

threshold-list command 6-17

threshold selection 7-6

threshold tuning

save results periodically 7-8

time, configuring 3-23

timeout command 6-17, 8-11

timeout session, configuring 3-35

timeout session, disabling 3-36

timesaver, symbol overview 1-xiii

timezone 3-24

tip, symbol overview 1-xiii

traceroute command 11-30

traffic

monitoring 11-14, 11-15

trap 11-6

trap-dest 3-28

tuning policy thresholds 7-6

U

UDP

detected anomalies 10-3

policy templates 6-3

unauth_pkts packet type 6-11

unauthenticated TCP detected anomalies 10-3

upgrading 12-8

MP 12-8

user

detected anomalies 10-3

user filter

command 5-3

username

encrypted password 3-7

username command 3-7

users

adding 3-7

adding new 3-7

assigning privilege levels 3-6

deleting 3-8

privilege levels 2-2, 3-9

system users

admin 2-7

riverhead 2-7

username command 3-7

W

WBM

activating 2-11

WBM logo

adding 3-34

deleting 3-35

worm

dynamic filter 6-21

identifying attack 6-21

overview 6-19

policy 6-11, 6-12

policy templates 6-3, 6-20

thresholds 6-20

worm_tcp policy template 6-4

X

XML schema 10-6 to 10-9, 11-14, 12-6

Z

zombies 1-3

zone

anomaly detection 8-1

clearing counters 11-4

command 4-4, 4-5, 9-3

command completion 3-13, 4-6

comparing 7-14

configuration mode 2-3, 4-6

copying 4-5

creating 4-4

defining IP address 4-7

deleting 4-5

deleting IP address 4-8

duplicating 4-5

excluding IP address 4-7

exporting configuration 4-16

IP address 4-7

learning 7-1

LINK templates 7-4

modifying IP address 4-8

operation mode 4-5

reconfiguring 4-6

synchronize configuration 4-8

synchronizing automatically 4-11

synchronizing offline 4-14

templates 4-2

viewing configuration 4-7

viewing policies 6-22

viewing status 11-2

zone policy

marking as tuned 4-8, 7-10

zone synchronization 7-3