31. Reports » Tools » Anomalies¶
Anomalies tab displays live and historical traffic anomaly data.
31.1. Active Anomalies¶
№ |
Unique index of the anomaly. |
Prefix |
The IP address/class subject of the traffic anomaly. When clicked, it opens a new tab or window with data specific to that prefix. In front of the prefix, the arrow indicates the direction of traffic: inbound when the arrow is pointing downwards, or outbound when the arrow is pointing upwards. A cloud icon located on the right of the prefix indicates that the IP is external (not included in the IP Zone). |
IP Group |
The IP group that includes the prefix. Click it to open a new tab with specific data. |
Anomaly |
A short description of the threshold that generated the anomaly. |
Speed (Latest) |
The peak value of the abnormal traffic. The latest value is displayed between parentheses. |
Sensor Interface |
Name of the detecting Sensor, and the interface if it is a Flow Sensor or SNMP Sensor. Click it to open a new tab with specific data. |
From |
The time and date when the anomaly started. |
Latest Alarm |
How much time has passed since the most recent detection of the anomaly. |
Pkts/s – Bits/s |
The latest packets/s and bits/s values from the IP decoder. |
Classification |
The anomaly can be classified by clicking a button from the Actions column. |
Severity |
It is a graphical representation of the ratio between the abnormal traffic and the threshold value. Every bar represents 100% of the threshold value. The color indicates the link severity (0-25% blue, 25%-50% yellow, 50%-75% orange, 75%-100% red), which is the ratio between the abnormal traffic and the overall traffic of the link (Sensor or interface) for pkt/s thresholds, or the ratio between the abnormal traffic and the link capacity for bits/s thresholds. The exact rule severity and link severity are displayed as a tooltip. |
Actions |
When hovering with the mouse over an action button, a brief description is shown:
Generate Anomaly Report generates a full anomaly report that can be viewed in a separate tab.
Enable Manual Action(s) executes all Response actions configured for manual execution.
Classify/Set Comment allows classifying the impact of anomalies as well as adding and modifying comments. It is used only for reporting purposes and does not impact IP profiling.
Open Packet Dump is available for Packet Sensors when the Response contains a traffic capturing action.
Open Flow List is available for Flow Sensors with the Flow Collector feature enabled. Shows bi-directional flows that started or ended during the selected time interval. Flow listings may have an up to 5-minute delay due to flow data file buffering. Time zone differences are not adjusted.
View Live Graph is available if IP Graphing is enabled for the prefix in the IP Zone.
Delete BGP Announcement is available if a BGP announcement with the prefix exists.
Expire Anomaly instructs the Sensor to clear the anomaly immediately. The detecting Sensor must be running for the action to take effect.
|
Sum Pkts |
Absolute number of packets counted since the anomaly started. |
Sum Bits |
Absolute number of bits counted since the anomaly started. |
Threshold Value |
The threshold value of the anomaly, as defined in the threshold rule. For profiled anomalies, this value is dynamically adjusted by the behavioral traffic graph available in Reports » IP Addresses » [Subnet] » Profile Graphs. |
Overall Traffic |
Percentage value of the decoder traffic within the total IP traffic made by the prefix. |
IP Zone (Inheritance) |
IP Zone used by the detecting Sensor. Click it to change the most specific prefix settings. |
Threshold Template |
Threshold Template containing the threshold rule, if any. |
Expiration |
Seconds that must pass for the anomaly to be considered inactive. |
Response (Actions) |
Name of the Response and a list of actions (with the Record Action parameter set) that were executed. |
Comments |
This row is hidden if no comment was set by the Classify/Set Comment action. |
Filter |
Name of the detecting Filter. Click it to open a new tab with Filter-specific data. |
Filtering Rule |
A description of the filtering rule matching the malicious traffic or which is applied by default. A white flag within the same cell indicates that the filtering rule conflicts with a whitelist rule. The filtering rules enabled for the decoder are listed in General Settings » Anomaly Mitigation. |
Started |
Date and time when the filtering rule was generated. |
Latest Alarm |
Latest time when the filtering rule matched traffic above the threshold value. |
Pkts/s (Peak) |
Packets/second value for the traffic matching the filtering rule. In parentheses, the maximum pkts/s value. |
Bits/s (Peak) |
Bits/second value for the traffic matching the filtering rule. In parentheses, the maximum bits/s value. |
Firewall |
Each icon indicates the firewall backend that applied the filtering rule: Netfilter Firewall, Dataplane Firewall, Hardware Offload, BGP Flowspec or S/RTBH, Third-party Firewall. |
Scrubbed |
Percentage of abnormal traffic mitigated. Some firewall backends may not report dropped traffic, so the value is not always accurate. |
Pkts |
Absolute value of the packets matched by the filtering rule. |
Bits |
Absolute value of the bits matched by the filtering rule. |
Actions |
Open Packet Dump is available for Packet Filters when the Response contains a traffic capturing action.
Open Flow List is available for Flow Sensors with the Flow Collector feature enabled. Shows bi-directional flows that started or ended during the selected time interval. Flow listings may have a 5-minute delay due to flow file buffering. Time zone differences are not adjusted.
Expire Filtering Rule instructs the Filter to clear the filtering rule and corresponding firewall rules immediately.
|
31.2. Anomaly Archive¶
It lists all traffic anomalies sorted by time in descending order. By clicking the down arrow on any column header, you can apply row filters, change sorting direction, or toggle columns’ visibility.
The [+] sign from the first column expands the anomaly for additional information, mitigation data, etc. The most important columns are explained in the previous section.
31.3. Anomaly Overview¶
It provides trends and summarizations of traffic anomalies detected by the selected Sensor Interfaces, using the chosen decoders, during the specified time frame.