Manually starting and stopping a Network Anomaly Detection rule

You can start and stop network anomaly detection rules manually. Stopping or starting a rule is available only for enabled rules.

You cannot start a rule with the New, Pending, Awaiting data, or Running status.

To manually start a network anomaly detection rule:

  1. In the application web interface, go to the Intrusion detection section, Network Anomaly Detection subsection.
  2. Select the rule that you want to start.

    The details area is displayed in the right part of the web interface window.

  3. Click Run at interval (the button is disabled if the rule cannot be triggered).

    The Configure rule run pane appears on the right. The upper part of the pane displays the range available for analyzing protocol attributes. This range is limited by the earliest and latest arrival of traffic data in the database used to store protocol attributes.

  4. Use the Search depth parameter to specify the duration of the time interval in which to search for network anomalies among the protocol attributes. For a manual run, this value can differ from the value that was defined for the rule when it was created or when its settings were changed.
  5. In the Interval end field, specify the date and time of the end of the time interval.
  6. Click Run.

The network anomaly detection rule is started.

You can stop rules if they have one of the following statuses: New, Pending, Awaiting data, or Running.

To stop the execution of a network anomaly detection rule:

  1. In the application web interface, go to the Intrusion detection section, Network Anomaly Detection subsection.
  2. Select the rule that you want to stop.

    The details area is displayed in the right part of the web interface window.

  3. Click Stop (this button is disabled if the rule cannot be stopped at this time).

The network anomaly detection rule is stopped.
