Pre-Requisites for Anomaly Detection

To detect anomalies, administrators must first configure the components that perform the detection, such as the Network Sensor or the Agent.

Anomaly Detection Mechanism

Anomalies are detected by either the Network Sensor or the Agent, depending on the anomaly type.

Both the Sensor and the Agent must be preconfigured before anomalies can be detected.

If an anomaly is detected by the Agent, administrators should also assign the appropriate Agent action under the Node Policy so that the detection is acted upon.

Anomaly                        Detection Mechanism                    Required Configuration
-----------------------------  -------------------------------------  -------------------------------------------------
Multi-Homed / Ad hoc Network   Agent                                  Collect Network Information Agent plugin
ARP Bomb                       Network Sensor                         Add Virtual IP to Sensor Interface
Spoofed ARP                    Network Sensor                         Add Virtual IP to Sensor Interface
MAC+IP Clone                   Network Sensor / Agent (ARP Spoofing)  Enable Network Sensor MAC + IP Clone Detection
Malware Detection              Agent                                  Collect Malware Information Agent plugin
Port Scanning                  Network Sensor                         Add Virtual IP to Sensor Interface
SNMP Disabled                  Policy Server                          SNMP Trap Options
Rogue DHCP Server Detection    Network Sensor                         Network Sensor DHCP Server Scan
Sensor MAC Clones              Network Sensor                         Network Sensor MAC + IP Clone Detection
Unauthorized Service Request   Network Sensor                         Add Virtual IP to Sensor Interface
Rogue Gateway                  Agent                                  Collect Network Information Agent plugin

Configuration Details

Add Virtual IP to Sensor Interface

Configuring Network Sensor DHCP Server Scan

  1. Go to System in the top panel
  2. Go to System > Sensor in the left Policy panel
  3. Find the Sensor and click its checkbox
  4. Click Tasks > Edit Network Sensor Settings
  5. Go to Sensor Settings > Network Scan > DHCP Server Scan and set it to On
  6. Click Save

Configuring Policy Server SNMP Trap Options

  1. Go to Preferences in the top panel
  2. Go to General > Log in the left Policy panel
  3. Go to Log > SNMP Trap Options > SNMP Trap and set it to On
  4. Enter the Community String
  5. Click Update

Configuring Network Sensor MAC + IP Clone Detection

  1. Go to System in the top panel
  2. Go to System > Sensor in the left Policy panel
  3. Find the Sensor and click its checkbox
  4. Click Tasks > Edit Network Sensor Settings
  5. Go to Sensor Settings > Node Status Scan > MAC+IP Clone Detection and set it to On
  6. Click Save