Hi, I need to get a better picture of AD (Anomaly Detection). I have an understanding but need to fill in some gaps.

Modes - Detect, Learning and Inactive > this is to form the baseline
Zones - Internal, External and Illegal > reduces false positives
Signatures - a total of 9 sigs for TCP, UDP and other, with three zones - hence 9

I am not getting a good doc that explains how it works. AD by default forms a KB within 24 hrs. For each zone there is a *threshold*. If the threshold is crossed, then the sensor anticipates that there is scanning happening but doesn't decide that it is a worm. If it hits the *histogram*, then it is confirmed a worm.

Can someone explain the working of AD along with the *threshold* and *histogram*?

With regards,
Kings
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
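The two-stage decision Kings describes (a per-source scanner threshold first, then a histogram of scanner counts checked against the learned KB before anything is called a worm) can be made concrete with a small model. The Python below is an added illustration, not Cisco IPS code and not part of the original post; the KB numbers, the 5/20/100 bucket boundaries, the use of unanswered connections as the scanner metric, and the flow records are all constructed assumptions for the example.

```python
"""Toy model of threshold-then-histogram anomaly detection for one zone/protocol.

Illustrative only (not Cisco IPS code). Assumptions: a "scanner" is a source that
contacts at least `scanner_threshold` distinct destinations with no reply; the
histogram counts how many scanners reached 5, 20 and 100 destinations; a worm is
declared only when some bucket exceeds the count the KB learned as normal.
"""
from collections import defaultdict

# Constructed KB for one zone/protocol pair (say internal zone, TCP).
KB = {
    "scanner_threshold": 5,                 # unanswered destinations per source
    "histogram": {5: 10, 20: 2, 100: 0},    # learned max number of scanners per bucket
}
BUCKETS = (5, 20, 100)  # "scanned at least N destinations" buckets (assumed values)


def find_scanners(flows, threshold):
    """Stage 1: flag sources that reached >= threshold distinct unanswered destinations.

    `flows` is an iterable of (src, dst, answered) tuples. Returns {src: count}.
    Crossing this threshold alone means "a host is scanning", not "worm".
    """
    unanswered = defaultdict(set)
    for src, dst, answered in flows:
        if not answered:
            unanswered[src].add(dst)
    return {src: len(dsts) for src, dsts in unanswered.items() if len(dsts) >= threshold}


def scanner_histogram(scanners):
    """Stage 2 input: number of scanners that reached each bucket (cumulative)."""
    return {b: sum(1 for n in scanners.values() if n >= b) for b in BUCKETS}


def evaluate(flows, kb=KB):
    """Return ("none" | "scanner" | "worm", details) for a batch of flows."""
    scanners = find_scanners(flows, kb["scanner_threshold"])
    if not scanners:
        return "none", {}
    hist = scanner_histogram(scanners)
    # Worm only when the observed scanner count in some bucket exceeds the
    # learned histogram; a single scanner below that stays a "scanner" event.
    if any(hist[b] > kb["histogram"][b] for b in BUCKETS):
        return "worm", hist
    return "scanner", hist


def make_flows(prefix, num_sources, dests_per_source, answered):
    """Build constructed flow records: each source hits dests_per_source hosts."""
    return [
        (f"{prefix}.{i + 1}", f"10.0.9.{d + 1}", answered)
        for i in range(num_sources)
        for d in range(dests_per_source)
    ]


# Constructed sample traffic.
NORMAL = make_flows("10.0.1", 20, 3, answered=True)              # ordinary, answered sessions
ONE_SCANNER = NORMAL + make_flows("10.0.2", 1, 8, answered=False)  # one host probing 8 dead IPs
OUTBREAK = NORMAL + make_flows("10.0.3", 12, 8, answered=False)    # 12 hosts doing the same

if __name__ == "__main__":
    for name, flows in (("normal", NORMAL), ("one scanner", ONE_SCANNER), ("outbreak", OUTBREAK)):
        verdict, details = evaluate(flows)
        print(f"{name:12s} -> {verdict:8s} {details}")
```

Running it shows the distinction in the question: the single probing host crosses the scanner threshold (bucket 5 holds one scanner, within the learned 10), while twelve such hosts push bucket 5 to 12, above the KB value, and only then is the verdict "worm".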
