Anomaly Detection syntax/options

Colin Higgins
Level 2

I want to configure anomaly detection on my IPS, but was a little unclear on the syntax for the zones.

Looks like I can configure the internal/service zone as

172.25.13.1-172.25.13.254,172.25.20.1-172.25.13.254

What if I want to make a very general internal zone (because I have a lot of subnets). Would I do something like this?

172.25.1.1-172.25.255.255

I want to define pretty much everything in 172.25.0.0 /16 as internal, but not sure about the syntax here

1 Accepted Solution

Poonam Garg
Level 3

Hello,

You can use the syntax:

172.25.0.0-172.25.255.255

The defaults for most of the settings show starting with a network address and ending with the broadcast addresses for those networks.

"Please rate helpful posts"

2 Replies


Saurav Lodh
Level 7

Anomaly Detection Zones

By subdividing the network into zones, you can achieve a lower false negative rate. A zone is a set of destination IP addresses. There are three zones, each with its own thresholds: internal, illegal, and external.

The external zone is the default zone with the default Internet range of 0.0.0.0-255.255.255.255. By default, the internal and illegal zones contain no IP addresses. Packets that do not match the set of IP addresses in the internal or illegal zone are handled by the external zone.

We recommend that you configure the internal zone with the IP address range of your internal network. If you configure it in this way, the internal zone is all the traffic that comes to your IP address range, and the external zone is all the traffic that goes to the Internet.

You can configure the illegal zone with IP address ranges that should never be seen in normal traffic, for example, unallocated IP addresses or part of your internal IP address range that is unoccupied. An illegal zone can be very helpful for accurate detection, because we do not expect any legal traffic to reach this zone. This allows very low thresholds, which in turn can lead to very quick worm virus detection.
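As an added illustration of the zone syntax from the accepted answer and the zone semantics described above (this is example code written for this thread, not anything from the Cisco IPS itself): it converts a CIDR block such as 172.25.0.0/16 into the "network-broadcast" range form, parses comma-separated range lists, and sorts destination IPs into the internal, illegal or external zone, with external as the catch-all. Checking the illegal zone before the internal one is an assumption, chosen because an illegal range is typically carved out of unused internal space.

```python
# Added example (not from the original thread): parse IPS anomaly-detection
# zone range strings and classify destination IPs into internal / illegal /
# external. Zone syntax assumed from the thread: comma-separated inclusive
# "start-end" IPv4 ranges, e.g. "172.25.0.0-172.25.255.255".
import ipaddress
from typing import List, Tuple

IPv4Range = Tuple[int, int]  # inclusive (start, end) as integers


def parse_zone(spec: str) -> List[IPv4Range]:
    """Parse 'a.b.c.d-w.x.y.z,...' into inclusive integer ranges.
    An empty spec means the zone holds no addresses (the stated default
    for the internal and illegal zones)."""
    ranges: List[IPv4Range] = []
    for item in filter(None, (part.strip() for part in spec.split(","))):
        start_s, sep, end_s = item.partition("-")
        start = int(ipaddress.IPv4Address(start_s))
        # A lone address (no '-') is treated as a one-address range.
        end = int(ipaddress.IPv4Address(end_s)) if sep else start
        if end < start:
            raise ValueError(f"range end precedes start: {item}")
        ranges.append((start, end))
    return ranges


def cidr_as_range(cidr: str) -> str:
    """Express a CIDR block in the 'network-broadcast' form the zone
    settings use, e.g. 172.25.0.0/16 -> 172.25.0.0-172.25.255.255."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    return f"{net.network_address}-{net.broadcast_address}"


def classify(dst_ip: str, internal: str, illegal: str) -> str:
    """Return the zone a destination IP falls into. Assumption: the illegal
    zone is checked first; anything matching neither list goes to the
    external zone (default 0.0.0.0-255.255.255.255)."""
    ip = int(ipaddress.IPv4Address(dst_ip))
    for name, spec in (("illegal", illegal), ("internal", internal)):
        if any(start <= ip <= end for start, end in parse_zone(spec)):
            return name
    return "external"
```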
