Global Correlation and Anomaly detection drop messages?

Similar Messages

• Global Correlation and Network Participation - what's the value of it ???

  Hi security gurus!
  Can someone please shed me more light on the value of Global Correlation and Network Participation available at IPS 7.x
  We've enabled it on the clients IPS appliances and now the only information I see is some cryptic reports seen at IDM gadgets.
  It says that the reputation filtering is 100% under Percentage of malicious packets indentified. So what ?
  How would I know exactly what those packets are and where did they come from?
  Other metrics are Global Correlation inspection and Traditional IPS Detection techniques are 0%
  What does it mean? Doesn't something work ? Why are they 0% ?
  How is this normally sold to the customer if there's no credible information about it?
  Eugene

  Hi,
  I think this link will help you http://docs.oracle.com/cd/B14117_01/network.101/b10776/listener.htm

• ODM Apriori and Anomaly Detection Questions

  i have 2 questions the 1st concerning the Apriori algorithm does it
  support timestamps and dates ??
  if yes then how to use it :$ (is there any sample ?)
  the other questiong regarding the Anomaly Detection when ever i try
  building the model i get wiered errors and when i searched for the
  last error i found online "Reported as a bug" its error ORA:00600 but
  most of the times i get the error ORA-40109: inconsistent logical data
  record

  see Re: Some Questions regarding Apriori algorithm and anomaly detection for a reply

• Global Correlation and Application Failed

  Hi, People.
  I have IPS4270-20-K9 with version 7.0(3)E4 and signature version 572.
  In Sensor Health show me a problem critical, with:
  - Application Failed
  - Global Correlation
  sensor#sh statistics global-correlation
  Error: getGlobalCorrelationStatistics : ct-collaborationApp.459 not responding, please check system processes - The connect to the specified Io::ClientPipe failed.
  How do I resolve these problems?
  Tks.

  That error message indicates that one of the software processes required for the Global Correlation feature (CollaborationApp) is not responding (stopped/crashed, hung, etc.). You will need to reboot ("reset") the sensor to restore the process to a "Running" status.
  There are multiple defects present in the version of software you are running (7.0(3)E4) that are likely culprits/causes that were fixed in subsequent releases (7.0(4)E4 and 7.0(5a)E4). After you have rebooted the sensor and restored it to service, you can upgrade to a fixed release (7.0(5a)E4).

• ODM ANOMALY DETECTION PROBLEM !!!!

  i'm trying to create an anomaly detection model, but i encounter this error: ORA-40101: Data Mining System Error ORA-00600: internal error code, arguments:
  [KGHALO2], [0x0], [], [], [], [], [], []
  can any 1 help me with this please ?

  see Re: Some Questions regarding Apriori algorithm and anomaly detection for request for more information.
  --Marcos                                                                                                                                                                                                                                               

• Cisco IPS (global correlation) is downloading lots of updates from the iron-port website

  I have query on Global correlation.
  Following is the observed behavior
  Scenario 1:
  Global Correlation Inspection: ON (Standard)
  Reputation Filter: ON
  Result: Global correlation downloads in bytes or KBs (observed on proxy)
  Scenario 2:
  Global Correlation Inspection: OFF
  Reputation Filter: ON
  Result: Global correlation downloads 4-5 MB every 5 Minutes (observed on proxy)
  This behavior has been observed on both IPS devices one by one. What we wanted the clarity on is why is does global correlation download so much of data when it is OFF, and downloads only minimal data when ON. The equation does not seem to be right.
  Request you for your prompt response.
  Regards,
  Neal

  Both global correlation and reputation filtering retrieve updates from the SensorBase network, or IronPort. By default, they communicate with the network every five minutes. This value cannot be changed by the IPS administrator.

• Startup guide for oracle data mining for anomaly detection

  hi
  well i have setup oralce 10g for data mining. ihae also downlaoded and nstalled demo prog.
  now im wondering how to start to develop my own model.... basically my idea is to use anomaly detection tecnuique for network traffic.
  i want ot scann network packets and mine them for anomaly. do i have to create profiles for that and if yes how?????
  A BIG DILEMMA... ANY ONE CAN PLS GUIDE, ILL APPRECIATE
  CHEERS
  ninja

  Ninja,
  You may also want to take a look at this thread in the forum:
  Re: Some Questions regarding Apriori algorithm and anomaly detection
  It has some discussion that might help.
  -Marcos

• MFP Anomaly Detected Access Points are moving from one wlc to another and vice versa

  Hi together,
  a customer has lost some Access Points to another WLC with 7.2  and then they come back after 15 minutes to the origin WLC with 7.5
  Attached the messages
  MFP Protection is configured as optional
  152
  Wed Nov 27 05:33:26 2013
  MFP Anomaly Detected - 1 Not encrypted event(s) found as   violated by the radio 58:bf:ea:0f:67:4a and detected by the dot11 interface   at slot 1 of AP 58:bf:ea:0f:67:40 in 300 seconds when observing . Client's   last source mac 70:11:24:e4:43:0f
  153
  Wed Nov 27 05:31:40 2013
  AP Disassociated. Base Radio MAC:88:43:e1:56:91:d0
  154
  Wed Nov 27 05:31:40 2013
  AP's Interface:0(802.11b) Operation State Down: Base Radio   MAC:88:43:e1:56:91:d0 Cause=New Discovery Status:NA
  155
  Wed Nov 27 05:31:33 2013
  AP Disassociated. Base Radio MAC:58:bf:ea:0f:73:d0
  156
  Wed Nov 27 05:31:33 2013
  AP's Interface:1(802.11a) Operation State Down: Base Radio   MAC:58:bf:ea:0f:73:d0 Cause=New Discovery Status:NA
  157
  Wed Nov 27 05:31:33 2013
  AP's Interface:0(802.11b) Operation State Down: Base Radio   MAC:58:bf:ea:0f:73:d0 Cause=New Discovery Status:NA
  158
  Wed Nov 27 05:31:28 2013
  AP Disassociated. Base Radio MAC:58:bf:ea:0f:fc:20
  159
  Wed Nov 27 05:31:28 2013
  AP's Interface:1(802.11a) Operation State Down: Base Radio   MAC:58:bf:ea:0f:fc:20 Cause=New Discovery Status:NA
  160
  Wed Nov 27 05:31:28 2013
  AP's Interface:0(802.11b) Operation State Down: Base Radio   MAC:58:bf:ea:0f:fc:20 Cause=New Discovery Status:NA
  161
  Wed Nov 27 05:31:17 2013
  AP Disassociated. Base Radio MAC:b4:e9:b0:e4:02:20
  162
  Wed Nov 27 05:31:17 2013
  AP's Interface:1(802.11a) Operation State Down: Base Radio   MAC:b4:e9:b0:e4:02:20 Cause=New Discovery Status:NA
  163
  Wed Nov 27 05:31:17 2013
  AP's Interface:0(802.11b) Operation State Down: Base Radio   MAC:b4:e9:b0:e4:02:20 Cause=New Discovery Status:NA
  164
  Wed Nov 27 05:31:15 2013
  AP Disassociated. Base Radio MAC:a4:18:75:eb:da:b0
  165
  Wed Nov 27 05:31:15 2013
  AP's Interface:1(802.11a) Operation State Down: Base Radio   MAC:a4:18:75:eb:da:b0 Cause=New Discovery Status:NA
  166
  Wed Nov 27 05:31:15 2013
  AP's Interface:0(802.11b) Operation State Down: Base Radio   MAC:a4:18:75:eb:da:b0 Cause=New Discovery Status:NA
  167
  Wed Nov 27 05:28:26 2013
  MFP Anomaly Detected - 35 Not encrypted event(s) found as   violated by the radio d8:24:bd:2f:df:6f and detected by the dot11 interface   at slot 1 of AP d8:24:bd:2f:df:60 in 300 seconds when observing Deauth.   Client's last source mac 00:23:14:a7:e3:54
  168
  Wed Nov 27 05:23:26 2013
  MFP Anomaly Detected - 23 Not encrypted event(s) found as   violated by the radio f8:4f:57:a5:40:b2 and detected by the dot11 interface   at slot 0 of AP f8:4f:57:a5:40:b0 in 300 seconds when observing . Client's   last source mac 44:4c:0c:ba:27:77
  Don´t know at the moment how to handle it.
  Regards
  Alex

  Hi lAlex,
  Disable Client MFP under WLAN advanced tab & see if  this still occur
  Regards
  Rasika
  **** Pls rate all useful responses *****

• When I try to connect the Air with my iPhone to create an Hotspot, it drops the connection and gives an error message in the iPhone saying that the device (MacBook Air) is not supported. What can i do about it?

  When I try to connect the Air with my iPhone to create an Hotspot, it drops the connection and gives an error message in the iPhone saying that the device (MacBook Air) is not supported. What can i do about it?

  The problem has been fixed with the most recent OS X software update.

• Node failed to join the cluster because it ould not send and receive failure detection network messages

  One of my customers has a Windows Server 2008 R2 cluster for an Exchange 2010 Mailbox Database Availability Group.  Lately, they've been having problems with one of their nodes (the one node that is on a different subnet in a different datacenter) where
  their Exchange databases aren't replicating.  While looking into this issue it seems that the problem is the Network Manager isn't started because the cluster service is failing.  Since the issue seems to be with the cluster service, and not Exchange,
  I'm asking here. 
  When the cluster service starts, it appears to start working, but within a few minutes the following is logged in the system event log.
  FailoverClustering
  1572
  Critical
  Cluster Virtual Adapter
  Node 'nodename' failed to join the cluster because it could not send and receive failure detection network messages with other cluster nodes. ...
  It seems that the problem is with the 169.254 address on the cluster virtual adapter.  An entry in the cluster.log file says: Aborting connection because NetFT route to node nodename on virtual IP 169.254.1.44:~3343~ has failed to come up. 
  In my experience, you never have to mess with the cluster virtual adapter.  I'm not sure what happened here, but I doubt it has been modified.  I need the cluster to communicate with its other nodes on our routed 10. network.  I've never experienced
  this before and found little in my searches on the subject.  Any idea how I can fix this?
  Thanks,
  Joe
  Joseph M. Durnal MCM: Exchange 2010 MCITP: Enterprise Messaging Administrator, Exchange 2010 MCITP: Enterprise Messaging Administrator, MCITP: Enterprise Administrator

  Hi,
  I suspected an issue with communication on UDP port 3343. Please confirm the set rules for port 3343 on all the nodes in firewall and enabled all connections for all the profiles
  in firewall on all the nodes are opened, or confirm the connectivity of all the node.
  Use ipconfig /flushdns to update all the node DNS register, then confirm the DNS in your DNS server entry is correct.
  The similar issue article:
  Exchange 2010 DAG - NetworkManager has not yet been initialized
  https://blogs.technet.com/b/dblanch/archive/2012/03/05/exchange-2010-dag-networkmanager-has-not-yet-been-initialized.aspx?Redirected=true
  Hope this helps.
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• UNABLE TO DRAG AND DROP MESSAGES TO MAIL FOLDER

  UNABLE TO DRAG AND DROP MESSAGES TO MY MAIL FOLDER

  Hi,
  Typing in all capitals is regarded as shouting.
  As far as I can tell your post is filtered to the Messages app and not the Mail tagging.
  You would have to supply a lot more detail as to what you are calling "your Mail Folder"
  To help this is part of my Side bar list
  My "On My Mac" folder probably has 20 folders plus some of those have sub folders.
  Out of sight are two sets of IMAP Folders (held on the Servers)
  As it is the Mail App I also may not know the answer. (I was filtering for Messages (App))
  9:02 PM      Thursday; November 27, 2014
  ​  iMac 2.5Ghz i5 2011 (Mavericks 10.9)
   G4/1GhzDual MDD (Leopard 10.5.8)
   MacBookPro 2Gb (Snow Leopard 10.6.8)
   Mac OS X (10.6.8),
   Couple of iPhones and an iPad

• Hi, my Iphone 6 dropped in water, and couldn't save it back although I tried with rice bag. So,how much would be cost if I can exchange with new one? Please kindly drop message about how to deal with it. Thank you.

  Hi, My Iphone 6 " iOS 8.1"  is dropped in water, and couldn't save it back although I tried with dryer and also put it in rice bag for 3 days. The flash light was still on even though the screen shows up nothing at all when i try to switch on after 3 days I put in the rice bag. So,how much it would be cost if I can exchange with new one? Please kindly drop message about how to deal with it. Thank you.

  Out of Warranty replacement on iPhone 6 is $299 US, adjust for your location.
  It is highly suggested that you make a Genius Bar appointment to avoid delay
  if going to an Apple store.
  Make a Genius Bar Reservation
  http://www.apple.com/retail/geniusbar/

• IPS V7 Global Correlation

  Dear all,
  IPS Correlation update will be done through the Management interface right? So I should confirm the ability of the IPS Management IP address to be able to access internet right?
  I did so, but still not able to have global correlation update, what I am having each time I enable global correlation is a boost of traffic generated from the IPS and directed to the outside that is consuming the total internet link bandwidth.
  What could be the reason behind this boost, and how may I troubleshoot the reason why the correlation is not being updated.
  Regards,

  Hi,
  I had the exact same problem that I solved to day.
  Full connectivity but still the error:
  # sh statistics global-correlation
  Network Participation:
     Counters:
        Total Connection Attempts = 0
        Total Connection Failures = 0
        Connection Failures Since Last Success = 0
     Connection History:
  Updates:
     Status Of Last Update Attempt = Failed
     Time Since Last Successful Update = 3826 minutes
     Counters:
        Update Failures Since Last Success = 764
        Total Update Attempts = 22747
        Total Update Failures = 806
     Update Interval In Seconds = 300
     Update Server = update-manifests.ironport.com
     Update Server Address = 204.15.82.17
     Current Versions:
        config = 1236210407
        drop = 1312830724
        ip = 1312830846
        rule = 1312744926
  # sh events error error warning past 12:00
  evError: eventId=1304592381890230981 severity=error vendor=Cisco
    originator:
      hostId: xxxxxxxx
      appName: collaborationApp
      appInstanceId: 458
    time: 2011/08/11 00:38:28 2011/08/11 02:38:28 GMT+01:00
    errorMessage: name=errUnclassified A global correlation update failed: Failed download of ibrs/1.1/drop/default/1313021562 :
    URI does not contain a valid ip address
  Messages, like this one, in the category - Reputation update failure - were logged 49 times in the last 14699 seconds.
  I found a tip when searching that worked for me :
  Issue the: dns-secondary-server disable to flush DNS wait for GC to update again.
  Thanks to: http://doublef.org/archives/cisco-ips-global-correlation-update-failures 
  HTH
  Edit: I see a difference in our output, you don't have the ip address in update server field:
  Update Server Address = Unknown
  Might not bee the same problem.

• How can I stop iTunes from dropping my iPhone 5 when connected with USB cable?  It sees it and start a backup and then it drops and tells me cannot find phone.

  My HP notebook 64 bit Windows 8 after the last iTunes update will detect my iPhone 5, sync and when finished with thy sync I start a backup to my computer.  It runs fine for a bit and then gives me message I have changed settings on my iPhone 5 and asked me if I want to update.  I OK the question and runs a bit more and then drops the connection telling me cant find my iPhone 5.  I can restart iTunes and start over and does the same thing.
  ITunes update 11.1.1.62 had difficulties with the updates on 64 bit Windows 7 and 8.1 causing an error on boot other trouble.  I found solution on research that insturcted to Remove iTunes, Bonjour, Apple Support and Apple Update and reload iTunes old version.  I simply reloaded the new version becasue did not have the old version of iTunes.  I have been working fine with the old version.  I know problem is a simple setting somewhere but it is NOT SIMPLE to me since I dont know where the find the simple setting.
  Will someone tell what to do.  I appreciate all you smart guys.

  My apologies...the version is 11.1.4.62 not as stated aboive in my problem description.  I'm trying again and it just finished syncing fine and my iPhone 5 is still connected to iTuns physcially with USB lightening cable and is displaying the iPhone icon top right.  I clicked on it and iTunes is now "hung' or  locked up.  Shows to be an active running application but can't get back to it so willl have to kill with task manager.  There is some kind of problem going on with the latest version of iTunes and Wndows 7 and 8.1 or something.  My iPhone 5 now has a new feature that it is now asking me if I "Trust" this computer.  iTunes just came "unhung" after several minutes while I was typing this. Now I am going to start the backup to this computer HP Winsows 8.1 and iTune 11.1.4.62 and see what happens.  Says it is Backing up Jerrys iPhone but the Barber Pole progress bar is not turning an iTunes is hung again and I cant get back to it from this page I am typing on.  Maybe it will eventually release as it did a moment ago. 

• Global-correlation does not update.

  Hi all,
  I have a problem to update the global-correlation. I do get updates for the signatures in the IPS but see output below regarding the global-correlation;
  ==========================================
  show statistics global-correlation
  Network Participation:
     Counters:
        Total Connection Attempts = 0
        Total Connection Failures = 0
        Connection Failures Since Last Success = 0
     Connection History:
  Updates:
     Status Of Last Update Attempt = Failed
     Time Since Last Successful Update = never
     Counters:
        Update Failures Since Last Success = 8
        Total Update Attempts = 8
        Total Update Failures = 8
     Update Interval In Seconds = 300
     Update Server = update-manifests.ironport.com
     Update Server Address = 204.15.82.17
     Current Versions:
        config = 0
        drop = 0
        ip = 0
        rule = 0
  Warnings:
  ===========================================
  Hardware used:
  asa-ssm-10 (version 7.0(4)E4)
  ASA-5520(version 8.4(1))
  I see all traffic passing the firewall and ISP-routers.
  I hope someone can help me with this issue or some pointers.
  Thanks in advance,
  Erik Verkerk.

  Hi Jennifer,
  Good to hear we do not have to buy an additional license and that global-correlation is included in version 7.0.
  Thanks for your suggestion "access to internet", I did a re-re-recheck of my configuration and found out that I had a "little routing issue in one of my routers". I solved this and now it is working.
  ===========================================
  sh statistics global-correlation
  Network Participation:
     Counters:
        Total Connection Attempts = 0
        Total Connection Failures = 0
        Connection Failures Since Last Success = 0
     Connection History:
  Updates:
     Status Of Last Update Attempt = Ok
     Time Since Last Successful Update = 2 minutes
     Counters:
        Update Failures Since Last Success = 0
        Total Update Attempts = 269
        Total Update Failures = 268
     Update Interval In Seconds = 300
     Update Server = update-manifests.ironport.com
     Update Server Address = 204.15.82.17
     Current Versions:
        config = 1236210407
        drop = 1300274962
        ip = 1300276386
        rule = 1300221126
  Warnings:
  =================================
  Thanks for your time and help.
  Thanks,
  Erik Verkerk.