Anomaly Definition Pre-configuration
For Network Sensors and Agents to detect risks, the detection entities must be configured first.
Anomaly Definition Entities
The entity that detects a risk differs by Anomaly Definition item, as listed below. Each detection entity requires its own pre-configuration before it can detect risks.
If the Anomaly Definition entity is an Agent, the anomaly can be detected only when the node action is assigned to the Node Policy.
| Anomaly Definition ID | Anomaly Definition Entity | Configuration Item |
|---|---|---|
| Ad Hoc Network Connection | Agent | Network Information Collection Plugin |
| ARP Bomb | Network Sensor | Virtual IP Configuration for Inducing Risky Traffic |
| ARP Spoofing | Network Sensor | Virtual IP Configuration for Inducing Risky Traffic |
| MAC / IP Clone | Network Sensor / Agent (ARP Spoofing) | Network Sensor MAC / IP Clone Detection Function |
| Malware Detection | Agent | Malware Detection Plugin |
| Port Scan | Network Sensor | Virtual IP Configuration for Inducing Risky Traffic |
| SNMP Blocking Request | Policy Server | SNMP Trap Reception Function |
| Detecting Abnormal DHCP Server | Network Sensor | Network Sensor DHCP Server Scan Function |
| Sensor MAC Clone | Network Sensor | Network Sensor MAC / IP Clone Detection Function, Sensor MAC Conflict Avoidance Function |
| Unknown Service Request | Network Sensor | Virtual IP Configuration for Inducing Risky Traffic |
| Using Invalid Gateway | Agent | Network Information Collection Plugin |
Configuring Environment
Configuring Virtual IP for Inducing Risky Traffic
Please refer to Configuring Virtual IP for virtual IP settings.
Configuring Network Sensor DHCP Server Scan Function
- Select System in the top panel.
- In the left system menu, click Sensor.
- Select the checkbox of the target Network Sensor for configuration.
- In the Select Tasks menu, select the Edit Network Sensor Settings item.
- In the Sensor Settings menu, under the network scan item, change the DHCP Server Scan value to ON.
- Click the Save button.
Configuring Policy Server SNMP Trap Reception Function
- Select Preferences in the top panel.
- In the left Preferences menu, select Audit Log.
- In the SNMP Trap Reception item, set usage to ON and enter the Community value.
- Click the Update button.
Configuring Network Sensor MAC / IP Clone Detection Function
- Select System in the top panel.
- In the left system menu, click Sensor.
- Select the checkbox of the target Network Sensor for configuration.
- In the Select Tasks menu, select the Edit Network Sensor Settings item.
- In the Sensor Settings menu, under the node status check item, change the MAC+IP Clone Detection value to ON.
- Click the Save button.