IPS - Anomaly detection - ASA AIP-SSM


Anomaly detection on all IPS sensors with firmware 7.1(2)E4 and higher is disabled by default, but we will focus on version 7.0 (enabled by default).

Anomaly detection should be disabled when the IPS sensor works in asymmetric mode, to avoid false positive detections.

Anomaly detection focuses on checking network traffic for anomalies, i.e. anything that is strange in comparison to normal network traffic. It is used mainly for worm detection and works independently of signature definitions; however, anomaly detection does not discover e-mail worms.

Anomaly detection has three modes:

  • Learning

This is the time for learning and by default it lasts 24 hours. During this period no detection takes place.

After 24 hours anomaly detection creates a baseline known as a KB (Knowledge Base), saves it and loads it.

From that time anomaly detection can detect anomalies.

Cisco recommends keeping the sensor in the learning state longer than 24h and I share their point of view. In my opinion anomaly detection should be in "learning mode" for at least one week.

  • Detection

Normal, operational mode. In this mode anomaly detection detects anomalies based on the KB, sends alerts and also takes actions. Changes in traffic, those which do not exceed a threshold, are saved and override the KB, so the KB is always up to date.

  • Inactive

Anomaly detection is disabled, e.g. when the sensor is working in asymmetric mode.

CONFIGURATION

(config)# service anomaly-detection danpol-ad
Editing new instance danpol-ad.

IGNORE

Ignore represents hosts which should not be checked by anomaly detection.

(config-ano)# ignore

Default settings are:

(config-ano-ign)# show settings
ignore
-----------------------------------------------
enabled: true <defaulted>
source-ip-address-range: 0.0.0.0 <defaulted>
dest-ip-address-range: 0.0.0.0 <defaulted>
-----------------------------------------------

(config-ano-ign)# source-ip-address-range 149.121.230.62

(config-ano-ign)# dest-ip-address-range 91.223.184.144-91.223.184.158

(config-ano-ign)# dest-ip-address-range 87.204.202.1-87.204.202.6

(config-ano-ign)# enabled true

(config-ano-ign)# exit


WORM-TIMEOUT

Keep the default settings (600 seconds).

INTERNAL ZONE

(config-ano)# internal-zone

Enabled by default. Add all networks which are your internal networks. Keep the rest at defaults. If you do not set up the internal zone, all traffic will be assigned to the external zone.

(config-ano-int)# ip-address-range 149.121.228.0-149.121.231.255

(config-ano-int)# exit

ILLEGAL ZONE

Enabled by default. The illegal zone represents IP addresses which should NEVER be seen on your network.

(config-ano)# illegal-zone

(config-ano-ill)# enabled true

(config-ano-ill)# ip-address-range 10.0.0.0-10.255.255.255,192.168.0.0-192.168.99.255,192.168.101.0-192.168.255.255

(config-ano-ill)# exit

EXTERNAL ZONE

By default the external zone is enabled and all traffic is assigned to it unless we configure the internal or illegal zone.

Keep the default settings for the external zone.
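The zone assignment described in the internal, illegal and external zone sections above can be modelled offline to sanity-check a configuration before it is applied to the sensor. The following Python script is an added example written for this post, not Cisco code and not the author's configuration. It reuses the address ranges typed in the sections above as constructed sample input and assumes (this is the example's own model, not documented sensor behaviour) that a flow matching the ignore filter on source or destination is skipped entirely, and that the destination address decides the zone, with everything outside the internal and illegal ranges falling into the external zone as the post states. It also refuses overlapping internal and illegal ranges and reports private address space the illegal zone does not cover, so the gap between 192.168.99.255 and 192.168.101.0 in the ranges above becomes visible, whether it was left deliberately or not.

```python
import ipaddress

# Constructed sample input, taken from the ranges typed in this post's ignore,
# internal-zone and illegal-zone sections; not a complete sensor configuration.
IGNORE_SRC = ["149.121.230.62"]
IGNORE_DST = ["91.223.184.144-91.223.184.158", "87.204.202.1-87.204.202.6"]
INTERNAL = ["149.121.228.0-149.121.231.255"]
ILLEGAL = ["10.0.0.0-10.255.255.255,192.168.0.0-192.168.99.255,192.168.101.0-192.168.255.255"]


def parse_ranges(specs):
    """Parse 'a.b.c.d' or 'a.b.c.d-e.f.g.h' items, comma-separated lists allowed
    as the sensor CLI accepts them, into (low, high) integer pairs."""
    ranges = []
    for spec in specs:
        for item in spec.split(","):
            item = item.strip()
            if not item:
                continue
            low, _, high = item.partition("-")
            high = high or low            # a single address is a one-element range
            lo_i = int(ipaddress.IPv4Address(low))
            hi_i = int(ipaddress.IPv4Address(high))
            if hi_i < lo_i:
                raise ValueError(f"range end precedes start: {item}")
            ranges.append((lo_i, hi_i))
    return ranges


def in_ranges(ip, ranges):
    """True when ip falls inside any (low, high) pair (both ends inclusive)."""
    n = int(ipaddress.IPv4Address(ip))
    return any(lo <= n <= hi for lo, hi in ranges)


def overlapping(ranges_a, ranges_b):
    """Return the first pair of ranges, one from each list, that intersect, or None."""
    for lo1, hi1 in ranges_a:
        for lo2, hi2 in ranges_b:
            if lo1 <= hi2 and lo2 <= hi1:
                return (lo1, hi1), (lo2, hi2)
    return None


class ZoneModel:
    """Assumed model (the example's own, not documented sensor behaviour): a flow
    whose source hits an ignore source range or whose destination hits an ignore
    destination range is skipped; otherwise the destination address picks the
    zone, and anything outside the internal and illegal ranges is external."""

    def __init__(self, ignore_src=(), ignore_dst=(), internal=(), illegal=()):
        self.ignore_src = parse_ranges(ignore_src)
        self.ignore_dst = parse_ranges(ignore_dst)
        self.internal = parse_ranges(internal)
        self.illegal = parse_ranges(illegal)
        clash = overlapping(self.internal, self.illegal)
        if clash:
            # An address cannot be both "ours" and "never seen here".
            raise ValueError(f"internal and illegal zones overlap: {clash}")

    def classify(self, src, dst):
        if in_ranges(src, self.ignore_src) or in_ranges(dst, self.ignore_dst):
            return "ignored"
        if in_ranges(dst, self.internal):
            return "internal"
        if in_ranges(dst, self.illegal):
            return "illegal"
        return "external"


def build_model():
    """The model built from this post's ranges."""
    return ZoneModel(IGNORE_SRC, IGNORE_DST, INTERNAL, ILLEGAL)


def audit_illegal_gaps(model, probes):
    """Return the probe addresses that the illegal zone does NOT cover, so a hole
    in the ranges shows up before the sensor quietly files that traffic as external."""
    return [ip for ip in probes if not in_ranges(ip, model.illegal)]


if __name__ == "__main__":
    model = build_model()
    for src, dst in [("203.0.113.9", "149.121.230.10"),   # constructed flows
                     ("203.0.113.9", "192.168.100.5"),
                     ("149.121.230.62", "198.51.100.1")]:
        print(f"{src} -> {dst}: {model.classify(src, dst)}")
    print("private addresses outside the illegal zone:",
          audit_illegal_gaps(model, ["10.1.1.1", "192.168.100.1", "172.16.0.1"]))
```

The probe addresses passed to audit_illegal_gaps are constructed; feed it the private ranges you expect never to appear on your wire, and an empty ZoneModel() reproduces the "everything is external" case the internal-zone section warns about.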

LEARNING ACCEPT MODE

By default learning-accept-mode is set to "auto" and rotates the KB every 24h; however, you can change this, e.g. you can set learning to manual, or the action to "save-only", so the IPS sensor will not load a new KB periodically.

I recommend keeping the default settings apart from the schedule.

I configure my sensor to rotate every Saturday at 7 o'clock in the morning (local time).

(config-ano)# learning-accept-mode auto

(config-ano-aut)# schedule calendar-schedule

(config-ano-aut-cal)# days-of-week saturday

(config-ano-aut-cal)# times-of-day time 07:00:00

(config-ano-aut-cal)# exit

(config-ano-aut)# exit

(config-ano)# exit
Apply Changes?[yes]: yes


ASSIGNING ANOMALY DETECTION TO VIRTUAL SENSOR


(config)# service analysis-engine

(config-ana)# virtual-sensor danpol

(config-ana-vir)# anomaly-detection

(config-ana-vir-ano)# anomaly-detection-name danpol-ad

(config-ana-vir-ano)# operational-mode learn

(config-ana-vir-ano)# exit

(config-ana-vir)# exit

(config-ana)# exit
Apply Changes?[yes]: yes

ANOMALY DETECTION STATS

# show statistics anomaly-detection danpol
Statistics for Virtual Sensor danpol
No attack
Detection - OFF
Learning - ON
Next KB rotation at 07:00:00 GMT00:00 Sat Mar 09 2013
Internal Zone
TCP Protocol
UDP Protocol
Other Protocol
External Zone
TCP Protocol
UDP Protocol
Service 53
Source IP: 119.121.230.13 Num Dest IP: 14
Other Protocol
Illegal Zone
TCP Protocol
UDP Protocol
Other Protocol

Based on the output we see that our anomaly detection is in learning mode; the next rotation will be on Saturday morning at 7 a.m.


KB Files


To display all Knowledge Base files simply type:

# show ad-knowledge-base files

Virtual Sensor danpol
Filename Size Created
initial 88 20:37:56 GMT00:00 Sat Mar 02 2013
2013-Mar-03-10_00_01 88 10:00:01 GMT00:00 Sun Mar 03 2013
* 2013-Mar-04-10_00_04 124 10:00:04 GMT00:00 Mon Mar 04 2013
Virtual Sensor vs0
Filename Size Created
initial 88 08:11:35 GMT00:00 Sat Jul 02 2011
2012-Nov-05-10_00_00 160 10:00:00 GMT00:00 Mon Nov 05 2012
2012-Nov-06-10_00_00 160 10:00:00 GMT00:00 Tue Nov 06 2012
2012-Nov-07-10_00_00 160 10:00:00 GMT00:00 Wed Nov 07 2012
2012-Nov-08-10_00_00 160 10:00:00 GMT00:00 Thu Nov 08 2012

To display KB files for a particular virtual sensor, type:

# show ad-knowledge-base danpol files
Virtual Sensor danpol
Filename Size Created
initial 88 20:37:56 GMT00:00 Sat Mar 02 2013
2013-Mar-03-10_00_01 88 10:00:01 GMT00:00 Sun Mar 03 2013
* 2013-Mar-04-10_00_04 124 10:00:04 GMT00:00 Mon Mar 04 2013

To display differences between KB files, type:

# show ad-knowledge-base vs0 diff file  2012-Nov-11-10_00_00 file 2012-Nov-18-10_00_00

Diff
2012-Nov-11-10_00_00 - Services in this Knowledge Base Only
Internal Zone
None
External Zone
TCP Services
None
UDP Services
Other Services
Illegal Zone
None
2012-Nov-18-10_00_00 - Services in this Knowledge Base Only
Internal Zone
None
External Zone
TCP Services
None
UDP Services
Other Services
Illegal Zone
None
Thresholds for services that appear in both knowledge bases and differ by more than 0 percents
Internal Zone
None
External Zone
TCP Services
None
UDP Services
Service = 53
Thresholds of 2012-Nov-11-10_00_00
Scanner Threshold = 238
Threshold Histogram
Low = 10
Medium = 3
High = 2
Thresholds of 2012-Nov-18-10_00_00
Scanner Threshold = 340
Threshold Histogram
Low = 10
Medium = 3
High = 2
Other Services
None
Illegal Zone
None
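Because detection mode keeps rotating and overriding the KB, the scanner thresholds drift with whatever the sensor saw during the learning window; a service whose threshold jumps sharply between two KB files deserves a look before the new KB is accepted. The Python script below is an added example written for this post (not a Cisco tool and not the author's code): it parses the "differ by more than N percents" section of the diff output shown above, embedded here as a constructed sample, and flags services whose scanner threshold moved by more than a chosen percentage or whose histogram changed. The section names and the "Service = N" / "Thresholds of <file>" line formats are taken from the output above; the 25 percent default cut-off is the example's own choice, not a sensor setting.

```python
import re

# Constructed sample: the shared-services part of the `show ad-knowledge-base
# vs0 diff` output shown in this post, embedded so the script runs offline.
SAMPLE_DIFF = """\
Thresholds for services that appear in both knowledge bases and differ by more than 0 percents
Internal Zone
None
External Zone
TCP Services
None
UDP Services
Service = 53
Thresholds of 2012-Nov-11-10_00_00
Scanner Threshold = 238
Threshold Histogram
Low = 10
Medium = 3
High = 2
Thresholds of 2012-Nov-18-10_00_00
Scanner Threshold = 340
Threshold Histogram
Low = 10
Medium = 3
High = 2
Other Services
None
Illegal Zone
None
"""

ZONES = ("Internal Zone", "External Zone", "Illegal Zone")
PROTOS = ("TCP Services", "UDP Services", "Other Services")
HIST_RE = re.compile(r"^(Low|Medium|High) = (\d+)$")


def parse_threshold_diff(text):
    """Build {(zone, proto, service): {kb_file: {"scanner": int, "histogram": {}}}}
    from the 'differ by more than N percents' section; earlier sections are skipped."""
    result = {}
    zone = proto = service = kb = None
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Thresholds for services that appear in both"):
            in_section = True
            continue
        if not in_section or not line or line == "None":
            continue
        if line in ZONES:
            zone, proto, service, kb = line, None, None, None
        elif line in PROTOS:
            proto, service, kb = line, None, None
        elif line.startswith("Service = "):
            service, kb = int(line.split("=", 1)[1]), None
        elif line.startswith("Thresholds of "):
            kb = line[len("Thresholds of "):]
            result.setdefault((zone, proto, service), {})[kb] = {"scanner": None, "histogram": {}}
        elif line.startswith("Scanner Threshold = ") and kb is not None:
            result[(zone, proto, service)][kb]["scanner"] = int(line.split("=", 1)[1])
        else:
            m = HIST_RE.match(line)
            if m and kb is not None:
                result[(zone, proto, service)][kb]["histogram"][m.group(1)] = int(m.group(2))
    return result


def threshold_drift(parsed, old_kb, new_kb, max_pct=25.0):
    """List services whose scanner threshold moved by more than max_pct between
    old_kb and new_kb, or whose histogram changed at all; max_pct is this
    example's own review cut-off, not a sensor setting."""
    flagged = []
    for (zone, proto, service), kbs in parsed.items():
        if old_kb not in kbs or new_kb not in kbs:
            continue
        old, new = kbs[old_kb]["scanner"], kbs[new_kb]["scanner"]
        if old is None or new is None:
            continue
        if old == 0:
            # A threshold growing from zero has no finite percentage; flag it outright.
            pct = 0.0 if new == 0 else float("inf")
        else:
            pct = (new - old) * 100.0 / old
        hist_changed = kbs[old_kb]["histogram"] != kbs[new_kb]["histogram"]
        if abs(pct) > max_pct or hist_changed:
            flagged.append({"zone": zone, "proto": proto, "service": service,
                            "old": old, "new": new, "pct": round(pct, 1),
                            "histogram_changed": hist_changed})
    return flagged


if __name__ == "__main__":
    parsed = parse_threshold_diff(SAMPLE_DIFF)
    for hit in threshold_drift(parsed, "2012-Nov-11-10_00_00", "2012-Nov-18-10_00_00"):
        print(f"{hit['zone']} / {hit['proto']} / service {hit['service']}: "
              f"scanner threshold {hit['old']} -> {hit['new']} ({hit['pct']:+.1f}%)"
              f"{', histogram changed' if hit['histogram_changed'] else ''}")
```

On the sample above the DNS scanner threshold in the external zone rises from 238 to 340, about 43 percent, which the default cut-off reports; run the diff with a non-zero percent on the sensor first to keep the output short, then paste it into the script.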

To erase one KB file, type:

# erase ad-knowledge-base vs0 2012-Nov-11-10_00_00

To erase all KB files for a virtual sensor, type:

# erase ad-knowledge-base vs0
Warning: Executing this command will delete all virtual sensor 'vs0' knowledge bases except the file loaded as current and the initial knowledge base.
Continue with erase? [yes]: yes

To rename a KB file, type:

# rename ad-knowledge-base vs0 file old_filename new_filename

To copy a KB file, e.g. via FTP, type:

# copy ad-knowledge-base danpol file 2013-Mar-03-10_00_01 ftp://user@ftp-server.com
Server's IP Address: 5.5.5.5
Port[21]:
File name: kb-file-test
Password: *********


  dzbanek 2013-03-04
