Cisco Cisco IPS 4255 Sensor

If you have anomaly detection enabled and you have your sensor configured to see only one direction of 
traffic, you should disable anomaly detection. Otherwise, you will receive many alerts, because anomaly 
detection sees asymmetric traffic as having incomplete connections, that is, like worm scanners, and fires 
alerts. 

To disable anomaly detection, follow these steps: 

Log in to the CLI using an account with administrator privileges.

Enter analysis engine submode.

sensor# configure terminal

sensor(config)# service analysis-engine

sensor(config-ana)#

Enter the virtual sensor name that contains the anomaly detection policy you want to disable.

sensor(config-ana)# virtual-sensor vs0

sensor(config-ana-vir)# 

Disable anomaly detection operational mode.

sensor(config-ana-vir)# anomaly-detection

sensor(config-ana-vir-ano)# operational-mode inactive

sensor(config-ana-vir-ano)# 

Exit analysis engine submode.

sensor(config-ana-vir-ano)# exit

sensor(config-ana-vir)# exit

sensor(config-ana-)# exit

Apply Changes:?[yes]:

Press Enter to apply your changes or enter 

 to discard them.

For more detailed information about anomaly detection, refer to 

The Cisco Security Intelligence Operations site on Cisco.com provides intelligence reports about current 
vulnerabilities and security threats. It also has reports on other security topics that help you protect your 
network and deploy your security systems to reduce organizational risk.

You should be aware of the most recent security threats so that you can most effectively secure and 
manage your network. Cisco Security Intelligence Operations contains the top ten intelligence reports 
listed by date, severity, urgency, and whether there is a new signature available to deal with the threat.

Cisco Security Intelligence Operations contains a Security News section that lists security articles of 
interest. There are related security tools and links.

You can access Cisco Security Intelligence Operations at this URL: