Global Correlation and Anomaly detection drop messages?

dschwind
Level 1

We've implemented an SSP-40 and were wondering if there were event messages for Global Correlation or Anomaly detection drops.  We seem to only have signature event messages.

Dennis

3 Replies

sawgupta
Level 1

Please have a look at the following link:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_collaboration.html#wp1065809

If the traffic dropped because of Global Correlation (and not because of a signature), you should see an event.

For more details you can use the "show statistics global-correlation" CLI.

For Anomaly Detection, please ensure you have "Produce Alert" event action configured.

Regards,

Sawan Gupta

Thanks & Regards, Sawan Gupta

Can you provide an example message for either type?  The output for "show statistics global-correlation" isn't very detailed.  I will double check the setting for Anomaly Detection to make sure an alert is being produced. 

We don't know what to look for when searching for the specific message types.

Thanks,

Dennis

Sure. Here is an example:

evIdsAlert: eventId=1332748411090083862 severity=informational vendor=Cisco alarmTraits=32768
originator:
   hostId: sensorName
   appName: sensorApp
   appInstanceId: 19247
time: 2012/03/27 15:12:41 2012/03/27 15:12:41 UTC
signature: description=ICMP Echo Request id=2004 created=20001127 type=other version=S592
   subsigId: 0
interfaceGroup: vs0
vlan: 1104
participants:
   attacker:
     addr: locality=OUT A.B.C.3
   target:
     addr: locality=OUT A.B.C.2
     os: idSource=unknown relevance=relevant type=unknown
actions:
   deniedPacket: true
riskRatingValue: attackRelevanceRating=relevant targetValueRating=medium 95
threatRatingValue: 60
interface: ge2_0
protocol: icmp
globalCorrelation:
   globalCorrelationScore: -9.2
   globalCorrelationRiskDelta: 60
   globalCorrelationModifiedRiskRating: true
   globalCorrelationDenyPacket: true
   globalCorrelationDenyAttacker: false
   globalCorrelationOtherOverrides: false
   globalCorrelationAuditMode: false

Alternatively, you can see the stats using:

sensor# show statistics analysis-engine | be Malicious
MaliciousSiteDenyHitCounts
A.B.C.D/16 = 1
MaliciousSiteDenyHitCountsAUDIT

Regards,

Sawan Gupta

Thanks & Regards, Sawan Gupta
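A small parser for the evIdsAlert layout shown in the reply above, added here as an illustration and not code from Cisco or from the thread. It flattens the indented key/value lines, pulls out the globalCorrelation block, and tells a signature-caused deny apart from a Global Correlation deny; the sample alert is constructed from the example (placeholder addresses and event id), and using globalCorrelationDenyPacket as the deciding flag is an assumption drawn from that example.

```python
import re

# Constructed sample modelled on the evIdsAlert quoted in the thread above;
# the addresses and event id are placeholders, not real indicators.
SAMPLE_ALERT = """\
evIdsAlert: eventId=1332748411090083862 severity=informational vendor=Cisco
signature: description=ICMP Echo Request id=2004 type=other version=S592
participants:
   attacker:
     addr: locality=OUT A.B.C.3
   target:
     addr: locality=OUT A.B.C.2
actions:
   deniedPacket: true
globalCorrelation:
   globalCorrelationScore: -9.2
   globalCorrelationRiskDelta: 60
   globalCorrelationDenyPacket: true
   globalCorrelationDenyAttacker: false
   globalCorrelationAuditMode: false
"""

def parse_alert(text):
    # Flatten 'key: value' lines into dotted paths (participants.target.addr, ...)
    fields, stack = {}, []            # stack of (indent, key) for open sections
    for line in text.splitlines():
        m = re.match(r"(\s*)([A-Za-z]+):\s*(.*)$", line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip()
        while stack and stack[-1][0] >= indent:   # close deeper/equal sections
            stack.pop()
        fields[".".join(k for _, k in stack) + ("." if stack else "") + key] = value
        stack.append((indent, key))
    return fields

def gc_summary(fields):
    # Typed view of the globalCorrelation block (score is negative for bad reputation)
    gc = {k.split(".")[-1]: v for k, v in fields.items() if k.startswith("globalCorrelation.")}
    return {
        "score": float(gc.get("globalCorrelationScore", "nan")),
        "risk_delta": int(gc.get("globalCorrelationRiskDelta", 0)),
        "deny_packet": gc.get("globalCorrelationDenyPacket") == "true",
    }

def drop_reason(fields):
    # Assumption: a deny set by reputation data shows globalCorrelationDenyPacket=true
    if fields.get("actions.deniedPacket") != "true":
        return "not-dropped"
    return "global-correlation" if gc_summary(fields)["deny_packet"] else "signature"
```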