Pre-Requisites for Anomaly Detection¶

To detect Anomalies, Administrators need to preconfigure components such as the Network sensor or Agent.

Anomaly Detection Mechanism¶

Anomalies are detected by Sensor or Agent.

To Detect Anomalies, both Sensor and Agent must be pre configured.

If Anomalies are detected by Agent, Administrators should assign the appropriate Agent action under the Node Policy.

Anomalies ID	Detection Mechanism	Required Configuration
Multi-Homed / Ad hoc Network	Agent	Collect Network Information Agent plugin
ARP Bomb	Network Sensor	Add Virtual IP to Sensor Interface
Spoofed ARP	Network Sensor	Add Virtual IP to Sensor Interface
MAC+IP Clone	Network Sensor / Agent(ARP Spoofing)	Enable Network Sensor MAC + IP Clone Detection
Malware Detection	Agent	Collect Malware Information Agent plugin
Port Scanning	Network Sensor	Add Virtual IP to Sensor Interface
SNMP Disabled	Policy Server	SNMP Trap Options
Rogue DHCP Server Detection	Network Sensor	Network Sensor DHCP Server Scan
Sensor MAC Clones	Network Sensor	Network Sensor MAC + IP Clone Detection
Unauthorized Service Request	Network Sensor	Add Virtual IP to Sensor Interface
Rogue Gateway	Agent	Collect Network Information Agent plugin

Go to System in the top panel
Go to System > Sensor in the left Policy panel
Find Sensor and Click Checkbox
Click Tasks > Edit Network Sensor Settings
Go to Sensor Settings > Network Scan > DHCP Server Scan and choose On to the configure features
Click save

Go to Preferences in the top panel
Go to General > Log in the left Policy panel
Go to Log > SNMP Trap Options > SNMP Trap and choose On to the configure features
Enter Community String
Click Update

Go to System in the top panel
Go to System > Sensor in the left Policy panel
Find Sensor and Click Checkbox
Click Tasks > Edit Network Sensor Settings
Go to Sensor Settings > Node Status Scan > MAC+IP Clone Detection and choose On to the configure features
Click save