Anomaly Detection

cjthedj45

Does anybody use anomaly detection with the Cisco IPS? Did you accept the default policy or create your own policy? Does it have any impact on the network and do you get loads more alerts that you need to manage?

Any advice much appreciated


  dover
    I don't use Cisco IPS in production but I have labbed with it quite a bit.

    I think the default setting of 'learning' network behavior for 24 hours is way too short. If I were to implement it I would probably recommend learning over at least 72 hours - preferably longer - on Tuesday through Thursday to get a decent baseline of normal activity. Then set event action overrides to Produce Alert only (if inline) and observe the next couple of days to see what kind of sigs are firing and investigate.

    Another big consideration is you have to assume that there aren't any compromised machines already on the network spewing bad traffic that will be 'learned' to be legitimate network activity.
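To make the two points in the reply above concrete (a short learning window produces noisy alerts later, and a host that is already compromised during learning gets baked into the baseline), here is an added example that is not part of the original thread and not Cisco code. It is a deliberately simplified model of scanner-style anomaly detection: during a learning window it records the largest per-hour fan-out (distinct destinations contacted by one source on one service) and sets each service's threshold to that value times a margin; afterwards it alerts, in "produce alert only" fashion, whenever a source exceeds the learned threshold. The traffic, host names, the 2x margin and the default threshold for services never seen during learning are all constructed assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    hour: int   # hours since the start of the (constructed) capture
    src: str
    dst: str
    dport: int


def constructed_flows():
    """Constructed sample traffic covering 96 hours. Not a real capture."""
    flows = []
    for h in range(96):                              # five workstations talk to three file servers every hour
        for i in range(5):
            for j in range(3):
                flows.append(Flow(h, f"ws{i}", f"fs{j}", 445))
    for h in (50, 74):                               # legitimate nightly vuln scan, first run at hour 50
        for n in range(40):
            flows.append(Flow(h, "vscan", f"host{n}", 22))
    for n in range(60):                              # already-compromised host moving laterally at hour 10
        flows.append(Flow(10, "bot", f"host{n}", 445))
    for n in range(100):                             # fresh compromise scanning SMB at hour 80
        flows.append(Flow(80, "bot2", f"host{n}", 445))
    return flows


def learn_baseline(flows, learning_hours, margin=2.0, exclude=()):
    """Learn per-service thresholds from the first `learning_hours` of traffic.

    Threshold for a dport = (largest distinct-destination fan-out by any single
    source in any single hour) * margin. Sources listed in `exclude` (known-bad
    hosts) are left out of the baseline. Assumed model, not Cisco's algorithm.
    """
    fanout = defaultdict(set)                        # (hour, src, dport) -> distinct destinations
    for f in flows:
        if f.hour < learning_hours and f.src not in exclude:
            fanout[(f.hour, f.src, f.dport)].add(f.dst)
    thresholds = {}
    for (_, _, dport), dsts in fanout.items():
        thresholds[dport] = max(thresholds.get(dport, 0), int(len(dsts) * margin))
    return thresholds


def detect(flows, thresholds, start_hour, default_threshold=5):
    """'Produce alert only' pass: return (hour, src, dport, fan-out) for every
    source/hour whose fan-out exceeds the learned threshold for that service.
    Services never seen during learning fall back to `default_threshold`."""
    fanout = defaultdict(set)
    for f in flows:
        if f.hour >= start_hour:
            fanout[(f.hour, f.src, f.dport)].add(f.dst)
    alerts = []
    for (h, src, dport), dsts in sorted(fanout.items()):
        if len(dsts) > thresholds.get(dport, default_threshold):
            alerts.append((h, src, dport, len(dsts)))
    return alerts


if __name__ == "__main__":
    flows = constructed_flows()
    for hours in (24, 72):
        thr = learn_baseline(flows, hours)
        print(f"{hours}h learning -> thresholds {thr}; alerts {detect(flows, thr, hours)}")
    thr = learn_baseline(flows, 72, exclude=("bot",))
    print(f"72h learning, 'bot' excluded -> thresholds {thr}; alerts {detect(flows, thr, 72)}")
```

With the 24-hour window the nightly scanner was never seen, so every later run fires an alert on port 22; with the 72-hour window it is learned and goes quiet. In both cases the compromised host `bot` raises the port 445 threshold to 120 during learning, so the later 100-host scan by `bot2` is missed entirely; only when `bot` is excluded from the baseline does the second compromise produce an alert. That is the practical reason to clean up (or at least triage) the network before letting the sensor learn.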
