03-15-2012 10:21 AM - edited 03-10-2019 05:38 AM
We've implemented an SSP-40 and were wondering if there were event messages for Global Correlation or Anomaly detection drops. We seem to only have signature event messages.
Dennis
03-26-2012 06:50 PM
Please have a look at the following link:
If the traffic was dropped because of Global Correlation (and not because of a signature), you should see an event.
For more details you can use the "show statistics global-correlation" CLI.
For Anomaly Detection, please ensure you have "Produce Alert" event action configured.
Regards,
Sawan Gupta
03-27-2012 06:27 AM
Can you provide an example message for either type? The output for "show statistics global-correlation" isn't very detailed. I will double check the setting for Anomaly Detection to make sure an alert is being produced.
We don't know what to look for when searching for the specific message types.
Thanks,
Dennis
03-27-2012 08:22 AM
Sure. Here is an example:
evIdsAlert: eventId=1332748411090083862 severity=informational vendor=Cisco alarmTraits=32768
  originator:
    hostId: sensorName
    appName: sensorApp
    appInstanceId: 19247
  time: 2012/03/27 15:12:41 2012/03/27 15:12:41 UTC
  signature: description=ICMP Echo Request id=2004 created=20001127 type=other version=S592
    subsigId: 0
  interfaceGroup: vs0
  vlan: 1104
  participants:
    attacker:
      addr: locality=OUT A.B.C.3
    target:
      addr: locality=OUT A.B.C.2
      os: idSource=unknown relevance=relevant type=unknown
  actions:
    deniedPacket: true
  riskRatingValue: attackRelevanceRating=relevant targetValueRating=medium 95
  threatRatingValue: 60
  interface: ge2_0
  protocol: icmp
  globalCorrelation:
    globalCorrelationScore: -9.2
    globalCorrelationRiskDelta: 60
    globalCorrelationModifiedRiskRating: true
    globalCorrelationDenyPacket: true
    globalCorrelationDenyAttacker: false
    globalCorrelationOtherOverrides: false
    globalCorrelationAuditMode: false
Alternatively, you can see the stats using:
sensor# show statistics analysis-engine | be Malicious
MaliciousSiteDenyHitCounts
   A.B.C.D/16 = 1
MaliciousSiteDenyHitCountsAUDIT
Regards,
Sawan Gupta
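As an added example, not code from this thread or from Cisco: a small Python parser for the evIdsAlert text shown above that tells a signature-driven drop apart from a Global Correlation drop (and treats audit mode as not dropping), which is what the original question was asking how to search for. The sample alert is constructed from the one quoted above; the parser assumes field names are unique within a single alert.

```python
import re

# Constructed sample, abridged from the evIdsAlert quoted above in this thread
# (the event id is a placeholder value, not real data).
SAMPLE_ALERT = """\
evIdsAlert: eventId=1332748411090083862 severity=informational vendor=Cisco
  signature: description=ICMP Echo Request id=2004 created=20001127 type=other
    subsigId: 0
  actions:
    deniedPacket: true
  riskRatingValue: attackRelevanceRating=relevant targetValueRating=medium 95
  globalCorrelation:
    globalCorrelationRiskDelta: 60
    globalCorrelationDenyPacket: true
    globalCorrelationAuditMode: false
"""

LINE_RE = re.compile(r"^\s*(\w+):\s*(.*)$")   # "key: remainder of line"
ATTR_RE = re.compile(r"(\w+)=(\S+)")          # "name=value" attributes

def parse_alert(text):
    """Flatten one evIdsAlert into {name: value}. Field names are unique within
    an alert, so indentation is dropped; the full remainder of each line is kept
    under the line's key (riskRatingValue keeps its trailing number that way)."""
    fields = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            key, rest = m.groups()
            fields[key] = rest
            fields.update(ATTR_RE.findall(rest))
    return fields

def classify_drop(fields):
    """Per the answer above: a denied packet with globalCorrelationDenyPacket
    true (outside audit mode) was dropped by Global Correlation, else by the signature."""
    if fields.get("deniedPacket") != "true":
        return "not-denied"
    gc_deny = fields.get("globalCorrelationDenyPacket") == "true"
    audit = fields.get("globalCorrelationAuditMode") == "true"
    return "global-correlation" if gc_deny and not audit else "signature"

def summarize(text):
    """The handful of fields worth keying on when hunting for these events."""
    f = parse_alert(text)
    return {"eventId": f.get("eventId"), "sigId": f.get("id"),
            "riskRating": int(f["riskRatingValue"].split()[-1]),
            "gcRiskDelta": int(f.get("globalCorrelationRiskDelta", "0")),
            "dropReason": classify_drop(f)}
```

Feed it the output of `show events` (one alert at a time) and filter on `dropReason == "global-correlation"` to isolate the drops the first post was looking for.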