27. Reports » Tools » Anomalies

This report provides live and historical data related to DoS, DDoS, and other traffic anomalies. The number of active traffic anomalies is displayed inside the Reports » Tools panel. This number is refreshed every 10 seconds. The color of the number reflects the highest severity of the active anomalies.

The Anomalies tab contains 3 sub-tabs located at the lower left side of the window:

27.1. Active Anomalies

It shows a listing with active anomalies where each row represents an active anomaly. The columns are:

Unique index of the anomaly. Click it to open a detailed anomaly report

Prefix

The IP address or class that is the subject of the traffic anomaly, and its reverse DNS. In front of the prefix, the arrow indicates the direction of traffic: inbound when the arrow is pointing towards the prefix, or outbound when the arrow is pointing away from the prefix. Click it to open a new tab or window with data specific to that prefix. A cloud icon located on the right of the prefix indicates that the IP is external, thus not included in the IP Zone

IP Group

The IP group of the prefix. Click it to open a new tab with data specific to that IP group

Anomaly

A short description of the anomaly

Speed (Latest)

The peak value of the abnormal traffic. The latest value is displayed between parentheses

Sensor Interface

On which Packet Sensor or Flow Sensor Interface the anomaly was detected. Click it to open a new tab with data specific to that Sensor Interface

From

The time and date when the anomaly started

Latest Alarm

How much time has passed since the most recent detection of the anomaly

Pkts/s – Bits/s

The latest packets/second and bits/second throughput of the IP decoder

Severity

The exact rule severity and link severity are displayed as a tool-tip. The rule severity field graphically represents the ratio between the abnormal traffic and the threshold value; every bar represents 100% of the threshold value. The color of the severity indicates the link’s severity: 0-25% blue, 25%-50% yellow, 50%-75% orange, 75%-100% red. The link’s severity is the ratio between the abnormal traffic and the overall traffic of the link (Sensor or interface) for pkts/s thresholds, or the ratio between the abnormal traffic and the link capacity for bits/s thresholds
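To make the Severity column concrete, the following is an added Python example (not Wanguard code) that derives the rule severity bars and the link severity percentage and color from constructed anomaly rows. The page does not say how boundary values are banded or whether partial bars are shown, so this example assumes a value of exactly 25% falls in the blue band, that bars are whole multiples of the threshold rounded down, and that the overall traffic or capacity figure is expressed in the same unit as the threshold.

```python
"""Severity column semantics, as an illustration (not Wanguard's own code)."""
from dataclasses import dataclass
import math

# Link severity bands from the manual: upper bound (inclusive, assumed) -> color.
LINK_SEVERITY_COLORS = (
    (25.0, "blue"),
    (50.0, "yellow"),
    (75.0, "orange"),
    (100.0, "red"),
)


@dataclass
class Anomaly:
    """One row of the Active Anomalies listing (fields relevant to Severity)."""
    name: str
    abnormal_traffic: float     # peak abnormal traffic, in threshold units
    threshold: float            # threshold rule value
    unit: str                   # "pkts/s" or "bits/s"
    link_traffic: float = 0.0   # overall link traffic (pkts/s), for pkts/s thresholds
    link_capacity: float = 0.0  # link capacity (bits/s), for bits/s thresholds


def rule_severity_ratio(a: Anomaly) -> float:
    """Abnormal traffic divided by the threshold (1.0 == 100% of threshold)."""
    if a.threshold <= 0:
        raise ValueError("threshold must be positive")
    return a.abnormal_traffic / a.threshold


def rule_severity_bars(a: Anomaly) -> int:
    """Each bar represents 100% of the threshold value (rounded down: assumption)."""
    return int(math.floor(rule_severity_ratio(a)))


def link_severity_percent(a: Anomaly) -> float:
    """Abnormal traffic as a percentage of link traffic (pkts/s) or capacity (bits/s)."""
    if a.unit == "pkts/s":
        denominator = a.link_traffic
    elif a.unit == "bits/s":
        denominator = a.link_capacity
    else:
        raise ValueError(f"unknown threshold unit {a.unit!r}")
    if denominator <= 0:
        # Without a known link size the ratio is undefined; refuse rather than guess.
        raise ValueError("link traffic/capacity must be known and positive")
    return min(100.0, 100.0 * a.abnormal_traffic / denominator)


def link_severity_color(percent: float) -> str:
    """Map a link severity percentage to the manual's color bands."""
    for upper, color in LINK_SEVERITY_COLORS:
        if percent <= upper:
            return color
    return "red"


def severity_tooltip(a: Anomaly) -> str:
    """Text equivalent of the graphical field plus the tool-tip values."""
    bars = "|" * rule_severity_bars(a)
    link_pct = link_severity_percent(a)
    return (f"{bars} rule {rule_severity_ratio(a) * 100:.0f}% of threshold, "
            f"link {link_pct:.0f}% ({link_severity_color(link_pct)})")


# Constructed sample rows; values are invented for the illustration.
SAMPLE_ANOMALIES = {
    "syn_flood": Anomaly("TCP+SYN", 180_000, 50_000, "pkts/s", link_traffic=300_000),
    "udp_flood": Anomaly("UDP", 1.2e9, 500e6, "bits/s", link_capacity=10e9),
}

if __name__ == "__main__":
    for key, row in SAMPLE_ANOMALIES.items():
        print(f"{key:10s} {row.name:8s} {severity_tooltip(row)}")
```

Running the block prints one line per constructed row; the SYN flood is 3.6 times its threshold (three full bars) and consumes 60% of link traffic, so it is drawn in orange, while the UDP flood is 2.4 times its threshold but only 12% of link capacity, so it is drawn in blue.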

Actions

Actions available for administrators, operators, and guests with proper permissions:

  • Enable Manual Action(s) – execute all actions configured for manual execution

  • Classify/Set Comment – add or modify comments, or manually classify the impact of anomalies. It is used only for reporting purposes and does not impact IP profiling

  • View Live Graph – available if IP Graphing is enabled for the prefix

  • Open Packet Dump – available for Packet Sensors when the Response contains a traffic capturing action

  • Open Flow List – available for Flow Sensors with the Flow Collector feature enabled. Shows bi-directional flows that started or ended during the selected time interval. Flow listings may have an up to 5-minute delay due to flow data file buffering. Time zone differences are not adjusted

  • Delete BGP Prefix – available if a BGP announcement with the prefix exists

  • Generate Anomaly Report – generates a full anomaly report that can be viewed in a separate tab

  • Expire Anomaly – instructs the Sensor to clear the anomaly immediately, even if it’s still active. The detecting Sensor must be running for the action to take effect

ADDITIONAL PARAMETERS VISIBLE WHEN DISPLAY IS SET TO “FULL”:

Total Pkts

Absolute number of packets counted since the anomaly started

Total Bits

Absolute number of bits counted since the anomaly started

Overall Traffic

Percentage value between the decoder traffic and the IP traffic

Threshold

Threshold value and unit

IP Zone (Inheritance)

IP Zone used by the detecting Sensor. Click it to open the most specific prefix settings

Template

Threshold Template containing the threshold rule, if any

Expiration

Seconds that must pass for the anomaly to be considered inactive

Response Actions

Name of the Response and a list of actions (with the Record Action parameter set) that were executed

Comments

This field is hidden if the Classify/Set Comment action was not used

When a Filter detects a filtering rule, a new table is displayed within the same row as the traffic anomaly. In most themes, the rows of the Filter table have a red background for active filtering rules and a yellow background for inactive filtering rules.

Filter

Name of the Filter that detected the filtering rule. Click it to open a new tab with Filter-specific data

Filtering Rule

A summary of the filtering rule detected to isolate the malicious traffic. The filtering rules that are enabled for the decoder are listed in Configuration » General Settings » Anomaly Mitigation. A white flag within the same row indicates that the filtering rule conflicts with a whitelist rule, which also means that it was not applied to any Firewall

Started

Date and time when the filtering rule was generated

Latest Alarm

Latest time when the filtering rule matched traffic above the threshold value

Pkts/s (Peak)

Packets/second value for the traffic matching the filtering rule. In parentheses, peak pkts/s value

Bits/s (Peak)

Bits/second value for the traffic matching the filtering rule. In parentheses, peak bits/s value

Firewall

Indicates the firewall backend(s) that applied the filtering rule:

  • NetFilter Firewall

  • Dataplane Firewall

  • Hardware Offload

  • BGP Flowspec or S/RTBH

  • Third-party Firewall

Scrubbed

Percentage of abnormal traffic mitigated

Pkts

Absolute value with the packets matched by the filtering rule

Bits

Absolute value with the bits matched by the filtering rule

Actions

  • Open Packet Dump – available for Packet Filters when the Response contains a traffic capturing action

  • Open Flow List – available for Flow Sensors with the Flow Collector feature enabled. Shows bi-directional flows that started or ended during the selected time interval. Flow listings may have a 5-minute delay due to flow file buffering. Time zone differences are not adjusted

  • Expire Filtering Rule – instructs the Filter to clear the filtering rule and the corresponding firewall rules immediately

27.2. Anomaly Archive

It lists all traffic anomalies sorted by time, in descending order. By clicking the down arrow on any column header, you can apply row filters, change sorting direction, or toggle the visibility of columns.

The [+] sign from the first column expands the anomaly for additional information, mitigation data, etc. The columns are explained in the previous section.

27.3. Anomaly Overview

Provides trends and summarizations of traffic anomalies detected on the selected Sensor Interfaces, using the selected decoders, for the selected time-frame.

27.4. Anomaly Distribution

Provides pie charts with various anomaly statistics.