Profiled Anomaly Detection
Lab Description
Review the key elements in a profiled alert to differentiate a real attack from a false positive
Understand the Router Profiled Automatic threshold configuration
Duration: 30 minutes
Platform: https://slvis1.ne.netscout.com/
Username: NE186
Password: Vafaseyu2!
⚠ Please ensure you read each step carefully before performing the required task in the order described.
1. Examining Profiled DoS Alerts
1 Log in to the platform with the lab credentials above (Username: NE186, Password: Vafaseyu2!).
2 In the menu, browse to Alerts > DoS. Using the search box or the wizard as needed, search for alerts with the following characteristics:
Severity: High
Alert Type: DoS Profiled Router
Start Time: in the last 5 days (use the "start is after" filter)
Note: the Alert Search Wizard has no "DoS Profiled Router *" option. Typing at:"DoS Profiled Router" manually matches all of the subtypes (DoS Profiled Router Bandwidth, DoS Profiled Router ICMP, etc.).
3 Select the alert with the highest impact listed on the first page (keeping the default sort by start time) and answer the following questions:
ID:
https://cx.netscout.com/lab/465/EN
25/01/2023 12:14 Netscout University - Lab "Profiled Anomaly Detection"
Duration:
Importance:
Profiled alert type: (Bandwidth, TCP, UDP, ICMP, etc.)
Managed object name:
Threshold value:
4 Click on the Alert ID or Mini Graph of the alert you studied to open the alert details.
5 Review the Top Traffic Patterns (last 5 minutes of the selected timeframe) listed for this alert.
What is the first pattern listed?
Could the first pattern listed correspond to a legitimate traffic flow? (Skip this step and proceed if your platform does not show these statistics.)
Need Help: look at the source and destination port ranges of the pattern. Normal client/server traffic has a well-known service port (1-1023) on one side and an ephemeral port (1024-65535) on the other; a pattern that does not fit this shape is harder to explain as legitimate traffic.
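The port-range cue from the hint above, turned into code as an added example (this is not part of the Netscout lab and not Sightline's own logic). It assumes each Top Traffic Pattern can be written as a (protocol, source port spec, destination port spec) triple, where a spec is a single port ("443"), a range ("1024-65535") or empty for ICMP; the sample patterns are constructed for illustration.

```python
"""Port-range cue for reading a Top Traffic Pattern (added example).

Each pattern is a (protocol, source port spec, destination port spec) triple,
where a spec is a single port ("443"), a range ("1024-65535") or "" when the
protocol has no ports (ICMP). This input shape is a constructed stand-in for
the lab's table, not Sightline's own output format.
"""
from __future__ import annotations

WELL_KNOWN_MAX = 1023  # 1-1023 = well-known service ports; 1024-65535 = ephemeral


def parse_port_spec(spec: str) -> tuple[int, int] | None:
    """Turn "443" or "1024-65535" into an inclusive (low, high) pair; "" -> None."""
    spec = spec.strip()
    if not spec:
        return None
    low, _, high = spec.partition("-")
    lo, hi = int(low), int(high or low)
    if not (1 <= lo <= hi <= 65535):
        raise ValueError(f"bad port spec: {spec!r}")
    return lo, hi


def port_class(spec: str) -> str:
    """Classify a port spec as 'well-known', 'ephemeral', 'mixed' or 'none'."""
    rng = parse_port_spec(spec)
    if rng is None:
        return "none"
    lo, hi = rng
    if hi <= WELL_KNOWN_MAX:
        return "well-known"
    if lo > WELL_KNOWN_MAX:
        return "ephemeral"
    return "mixed"  # the range spans both sides of 1023


def pattern_shape(proto: str, src_spec: str, dst_spec: str) -> str:
    """Name the client/server shape of a pattern from its two port classes."""
    src, dst = port_class(src_spec), port_class(dst_spec)
    if proto.upper() == "ICMP" or src == "none" or dst == "none":
        return "no-ports"
    if src == "well-known" and dst == "ephemeral":
        return "server-to-client"  # e.g. replies from a web server to its clients
    if src == "ephemeral" and dst == "well-known":
        return "client-to-server"  # e.g. requests from clients to a service
    return f"{src}-to-{dst}"       # e.g. ephemeral-to-ephemeral, well-known-to-well-known


def legitimacy_cue(proto: str, src_spec: str, dst_spec: str) -> str:
    """First-pass reading only: one service port facing one ephemeral port is the
    shape of normal client/server traffic. A verdict still needs the source IPs,
    the direction and the interfaces reviewed in the later steps."""
    shape = pattern_shape(proto, src_spec, dst_spec)
    if shape in ("server-to-client", "client-to-server"):
        return "fits client/server shape: could be legitimate"
    if shape == "no-ports":
        return "no port information: use volume, sources and direction instead"
    return f"does not fit client/server shape ({shape}): investigate"


# Constructed sample patterns, in the order a Top Traffic Patterns table might list them.
SAMPLE_PATTERNS = [
    ("TCP", "443", "1024-65535"),
    ("UDP", "1024-65535", "53"),
    ("UDP", "1024-65535", "1024-65535"),
    ("TCP", "80", "80"),
    ("ICMP", "", ""),
]

if __name__ == "__main__":
    for proto, src, dst in SAMPLE_PATTERNS:
        print(f"{proto:5} {src:>12} -> {dst:<12} {legitimacy_cue(proto, src, dst)}")
```

Run it as a script to see each constructed pattern with its cue; the same functions can be fed the port columns copied from a real alert.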
6 In the Alert Characterization section, use the built-in lookup tool (Whois) to find more information about the first source IP address.
To access the lookup, click the down arrow in front of the Source IP Addresses.
7 What is the Direction of this alert?
Need Help: the Direction is shown on the Summary tab and can only be Incoming or Outgoing.
8 Looking at the Top Interfaces at the bottom of the Summary tab, find the interface that received the most traffic in the IN direction.
Is this interface part of the boundary called Network?
If the interface is part of the Network boundary, this confirms that the traffic comes from OUTSIDE and is RECEIVED through this interface into your network.
9 In your opinion, was this alert a real attack or a false positive? Write down in a few words the key elements that led you to that conclusion.
In a virtual training, send this and the chosen alert ID to your instructor via the WebEx chat.
10 In the Annotations tab, perform the following actions:
Add your findings as a new annotation (Add Annotation)
Update the Alert Classification accordingly (False Positive, Flash Crowd, ...)
Click on Save
2. Router Profiled Automatic Threshold Configuration
Check Solution (Profiled Router detection settings of the managed object): Incoming Profiled Router detection is enabled; Outgoing detection is set to Global, and the global setting was Enabled.
2 Look at the configuration shown after clicking Edit Profiled Router Configuration:
Check Solution: the option Enable Automatic Rate Calculation (Automatic Rates will override configured Severity and Ignore Rates) is enabled...
5 Looking at the Automatic Rate Calculation Results graph, you can review how the rates you noted previously were calculated.
Look at the value defined above the graph: Severity Percentile * Severity Multiplier.
Need Help: the default percentile value is 40. A 40th percentile means that 60% of the data points over the last 30 days are greater than the calculated trigger rate. We recommend a value between 40 and 50.
The calculated Severity Rates were obtained as the 95th percentile * 1.3.
Example: if the 95th percentile value for incoming traffic is 100 Mbps and the multiplier is 1.3, then the high severity threshold for that managed object becomes 130 Mbps.
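The percentile-times-multiplier rule from the hint and example above, worked through on constructed data as an added example (not Netscout's code and not how Sightline is implemented). It reproduces the 95th percentile * 1.3 = 130 Mbps figure and the reading that a percentile of 40 leaves 60% of the data points above the calculated rate. Assumptions: a nearest-rank percentile (the lab does not say how Sightline interpolates), 5-minute data points, and a 100-point history in place of a full 30 days.

```python
"""Automatic rate calculation rule from the lab, worked on constructed data.

Added example, not Netscout's code. It applies the rule stated in the lab:
calculated severity rate = (severity percentile of the history of data points)
* severity multiplier, using the lab's 95th percentile and 1.3, and checks the
reading that a percentile of 40 leaves 60% of the data points above the rate.
Assumptions: nearest-rank percentile (the lab does not say how Sightline
interpolates), 5-minute bins, and a 100-point history standing in for 30 days.
"""
from __future__ import annotations

import math


def nearest_rank_percentile(samples: list[float], pct: float) -> float:
    """pct-th percentile by nearest rank: the sorted value at ceil(pct*n/100), 1-based."""
    if not samples:
        raise ValueError("no data points")
    if not 0 < pct <= 100:
        raise ValueError("percentile must be in (0, 100]")
    ordered = sorted(samples)
    rank = math.ceil(pct * len(ordered) / 100)  # multiply first to avoid 0.95*100 rounding
    return ordered[rank - 1]


def calculated_rate(samples: list[float], pct: float, multiplier: float = 1.0) -> float:
    """Severity (or ignore) rate = percentile of the history * multiplier."""
    return nearest_rank_percentile(samples, pct) * multiplier


def fraction_above(samples: list[float], rate: float) -> float:
    """Share of data points strictly above a rate (the '60% are greater' reading)."""
    return sum(1 for s in samples if s > rate) / len(samples)


def triggering_points(observed: list[float], severity_rate: float) -> list[int]:
    """Indices of observed 5-minute rates that exceed the calculated severity rate."""
    return [i for i, rate in enumerate(observed) if rate > severity_rate]


# Constructed history in Mbps (100 points for readability): a baseline rising
# evenly from 10 to 100 plus five spikes, so the 95th percentile is exactly 100.
HISTORY_MBPS = [10 + 90 * i / 94 for i in range(95)] + [150, 180, 220, 300, 400]

SEVERITY_PERCENTILE = 95   # the lab's Severity Percentile
SEVERITY_MULTIPLIER = 1.3  # the lab's Severity Multiplier
IGNORE_PERCENTILE = 40     # the default percentile quoted in the lab hint


def lab_example() -> dict[str, float]:
    """Recompute the lab's numbers: 95th percentile 100 Mbps * 1.3 -> 130 Mbps."""
    severity = calculated_rate(HISTORY_MBPS, SEVERITY_PERCENTILE, SEVERITY_MULTIPLIER)
    ignore = calculated_rate(HISTORY_MBPS, IGNORE_PERCENTILE)
    return {
        "p95_mbps": nearest_rank_percentile(HISTORY_MBPS, SEVERITY_PERCENTILE),
        "severity_rate_mbps": severity,
        "ignore_rate_mbps": ignore,
        "share_above_ignore": fraction_above(HISTORY_MBPS, ignore),  # 0.60
    }


if __name__ == "__main__":
    result = lab_example()
    for name, value in result.items():
        print(f"{name:20} {value:.2f}")
    # Constructed observed 5-minute rates: only the 160 and 135 Mbps bins exceed 130 Mbps.
    observed = [90.0, 160.0, 120.0, 135.0, 130.0]
    print("triggering bins:", triggering_points(observed, result["severity_rate_mbps"]))
```

Feeding the same functions a real 30-day export of 5-minute data points for a managed object lets you check a displayed automatic rate against the percentile and multiplier shown above the graph.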
Well Done