WANGUARD 5.2 User Manual & Administrator's Guide
Anomaly detection settings & Thresholds Templates
The Thresholds Anomalies panel in the IP Zone Configuration window can contain user-defined traffic thresholds. To ease adding thresholds with the same values to multiple Prefixes, use Thresholds Templates (Configuration » Network & Policy » Add Thresholds Template).
Thresholds have the following parameters:
● Domain. Sensors can detect anomalies to / from a single IP contained in the subnet ("Any IP"), or to / from the whole subnet ("Subnet").
● Direction. The direction of the analyzed traffic: "receives" for inbound traffic or "sends" for outbound traffic.
● Comparison. Select "over" for volumetric anomalies (e.g. DrDoS, DDoS) or "under" to detect the lack of traffic towards a monitored subnet or server.
● Value. Write the threshold value as an absolute number or as a percentage of the total traffic received by the Sensor. Absolute values can be written as multiples of 1,000 with K (kilo) appended, multiples of 1,000,000 with M (mega) appended, or multiples of 1,000,000,000 with G (giga) appended.
● Decoder. Select one of the Decoders enabled in the Anomalies Configuration window – see page 33.
● Unit. DDoS attacks reach an unusually high number of packets per second, so select "pkts/s" to detect them. For bandwidth-related anomalies select "bits/s".
● Response. Select a previously defined Response, or select "None" if you do not want to react to the anomaly.
● Parent. Select "Yes" if the threshold should be inherited by more specific subnets. An inherited threshold can be cancelled on a more specific subnet by selecting "Unlimited" in its Value field.
● Inheritance. Shows the parent Prefix the threshold is inherited from, if any.
Adding a threshold on 0.0.0.0/0 that reads "Any IP receives over 5% TCP+SYN pkts/s" will catch port scans and SYN floods whose SYN rate exceeds 5% of the Sensor's total packet rate. A threshold on 0.0.0.0/0 that reads "Subnet receives under 5M TOTAL bits/s" will trigger its Response when the monitored link is down. You can also configure "illegal" IP address ranges that should never be seen in normal traffic, for example unallocated IP addresses or an unoccupied part of your internal IP address range, and add small thresholds to them to catch malicious activities such as scans and worms.
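As an added illustration (not Wanguard's own code, and not a description of its internals), the following Python models how the parameters above combine: the "over" / "under" comparison, absolute values with K/M/G suffixes or a percentage of the Sensor's total, inheritance from a parent Prefix, and cancelling an inherited threshold with "Unlimited". The rule-string grammar, the shapes of the traffic and totals data, the tie-breaking rules (the most specific Prefix wins per domain/direction/decoder/unit; an "Any IP" rule is checked once per IP at its most specific Prefix; a percentage is relative to the Sensor's total in the same unit) and the sample counters are all assumptions made for this example.

```python
"""Toy evaluator for Wanguard-style thresholds (added illustration, not Wanguard code)."""
import ipaddress
import re
from dataclasses import dataclass

MULTIPLIER = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}
RULE = re.compile(r"^(Any IP|Subnet) (receives|sends) (over|under) (\S+) (\S+) (pkts/s|bits/s)$")

@dataclass(frozen=True)
class Threshold:
    prefix: ipaddress.IPv4Network
    domain: str       # "Any IP" or "Subnet"
    direction: str    # "receives" or "sends"
    comparison: str   # "over" or "under"
    value: str        # "5M", "5%", "Unlimited", ...
    decoder: str      # "TOTAL", "TCP+SYN", ...
    unit: str         # "pkts/s" or "bits/s"
    response: str     # Response name, or "None"
    parent: bool      # True = inherited by more specific Prefixes

    @property
    def key(self):    # assumption: rules at different levels override each other per this key
        return (self.domain, self.direction, self.decoder, self.unit)

def parse_threshold(prefix, text, response="None", parent=True):
    """Parse the manual's phrasing, e.g. 'Any IP receives over 5% TCP+SYN pkts/s'."""
    m = RULE.match(text)
    if not m:
        raise ValueError(f"cannot parse threshold {text!r}")
    return Threshold(ipaddress.ip_network(prefix), *m.groups(), response, parent)

def absolute_limit(value, sensor_total):
    """'5M' -> 5000000.0; '5%' -> 5% of the Sensor's total in that unit; 'Unlimited' -> None."""
    if value == "Unlimited":
        return None
    if value.endswith("%"):
        return sensor_total * float(value[:-1]) / 100
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMG]?)", value)
    if not m:
        raise ValueError(f"bad threshold value {value!r}")
    return float(m.group(1)) * MULTIPLIER[m.group(2)]

def effective_thresholds(prefix, thresholds):
    """Own rules plus those inherited with Parent=Yes. Assumption: the most specific
    Prefix wins per key, so an 'Unlimited' set there cancels the inherited rule."""
    chosen = {}
    for t in sorted(thresholds, key=lambda t: t.prefix.prefixlen, reverse=True):
        if t.prefix == prefix or (t.parent and prefix.subnet_of(t.prefix)):
            chosen.setdefault(t.key, t)
    return [t for t in chosen.values() if t.value != "Unlimited"]

def most_specific(ip, prefixes):
    hits = [p for p in prefixes if ip in p]
    return max(hits, key=lambda p: p.prefixlen) if hits else None

def evaluate(thresholds, traffic, sensor_totals):
    """traffic: {ip: {(direction, decoder, unit): rate}}; sensor_totals: {unit: rate}.
    Returns one (subject, rule, observed, limit, response) tuple per anomaly."""
    prefixes = {t.prefix for t in thresholds}
    ips = {ipaddress.ip_address(a): c for a, c in traffic.items()}
    anomalies = []
    for prefix in sorted(prefixes):
        for t in effective_thresholds(prefix, thresholds):
            limit = absolute_limit(t.value, sensor_totals[t.unit])
            counter = (t.direction, t.decoder, t.unit)
            if t.domain == "Subnet":  # whole-subnet rule: aggregate everything inside the Prefix
                observed = {str(prefix): sum(c.get(counter, 0) for ip, c in ips.items() if ip in prefix)}
            else:  # "Any IP": each IP is checked once, at its most specific Prefix (assumption)
                observed = {str(ip): c.get(counter, 0) for ip, c in ips.items()
                            if most_specific(ip, prefixes) == prefix}
            rule = f"{t.domain} {t.direction} {t.comparison} {t.value} {t.decoder} {t.unit}"
            for subject, rate in observed.items():
                if (t.comparison == "over" and rate > limit) or (t.comparison == "under" and rate < limit):
                    anomalies.append((subject, rule, rate, limit, t.response))
    return anomalies

# Constructed IP Zone: the manual's two 0.0.0.0/0 rules, a customer Prefix that cancels the
# inherited link-down rule, and an unoccupied range with a tiny scan-catching threshold.
ZONE = [
    parse_threshold("0.0.0.0/0", "Any IP receives over 5% TCP+SYN pkts/s", "Blackhole"),
    parse_threshold("0.0.0.0/0", "Subnet receives under 5M TOTAL bits/s", "Email NOC"),
    parse_threshold("10.0.0.0/24", "Subnet receives under Unlimited TOTAL bits/s"),
    parse_threshold("10.0.9.0/24", "Any IP receives over 10 TOTAL pkts/s", "Scan alert"),
]
SAMPLE = {  # constructed one-second counters, not real captures
    "10.0.0.5": {("receives", "TCP+SYN", "pkts/s"): 60_000, ("receives", "TOTAL", "bits/s"): 2_000_000},
    "10.0.1.7": {("receives", "TCP+SYN", "pkts/s"): 100, ("receives", "TOTAL", "bits/s"): 900_000_000},
    "10.0.9.44": {("receives", "TOTAL", "pkts/s"): 25, ("receives", "TOTAL", "bits/s"): 12_000},
}
SENSOR_TOTALS = {"pkts/s": 1_000_000, "bits/s": 902_012_000}

def run_example():
    return evaluate(ZONE, SAMPLE, SENSOR_TOTALS)

if __name__ == "__main__":
    for subject, rule, rate, limit, response in run_example():
        print(f"{subject}: {rule} (observed {rate:,}, limit {limit:,.0f}) -> {response}")
```

Run stand-alone, it reports 10.0.0.5 for the SYN rule (60,000 pkts/s against a 5% limit of 50,000), 10.0.9.44 for the scan rule on the unoccupied range, and, less obviously, the unoccupied range itself for the inherited "under 5M" rule: an "under" threshold with Parent set to "Yes" also fires on every quiet child Prefix, which is the situation the "Unlimited" override on 10.0.0.0/24 is there to handle.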
The Profile Anomalies panel contains the Profiling Data parameter, which can have the following values:
● Inherit – inherit the value from the parent Prefix
● No – don't generate profiling data for the selected Prefix
● For Subnet – generate profiling data for the whole traffic received by the Prefix
● For IPs – use carefully, as it generates profiling data for every IP contained in the Prefix. Don't use this on large Prefixes, and never on 0.0.0.0/0