31. Reports » Tools » Anomalies
The Anomalies tab displays live and historical traffic anomaly data.
31.1. Active Anomalies
| Column | Description |
|---|---|
| № | Unique index of the anomaly. |
| Prefix | The prefix (IP address/class) involved in the anomaly. Clicking opens a new tab with details. The arrow before the prefix shows direction: ↓ for inbound, ↑ for outbound. If a cloud icon appears on the right, the IP is external (not in the IP Zone). |
| IP Group | Name of the IP Group containing the prefix. Clicking opens a new tab with details. |
| Anomaly | Brief description of the threshold that triggered the anomaly. |
| Speed (Latest) | Peak value of the abnormal traffic. The most recent value is in parentheses. |
| Sensor Interface | Name of the detecting Sensor, plus the interface if it's a Flow Sensor or SNMP Sensor. Clicking opens a new tab with details. |
| From | Date/time when the anomaly began. |
| Latest Alarm | Time elapsed since the last detection of the anomaly. |
| Pkts/s – Bits/s | Latest pkts/s and bits/s from the IP decoder. |
| Classification | Allows classifying the anomaly by using a button in the Actions column. |
| Severity | A graphical bar showing the ratio of abnormal traffic to the threshold value. Each bar = 100% of threshold. The color denotes the link severity: 0–25% = blue, 25–50% = yellow, 50–75% = orange, 75–100% = red. For pkts/s, it's the ratio of abnormal traffic to overall link traffic (Sensor or interface). For bits/s, it's the ratio of abnormal traffic to link capacity. Exact rule severity and link severity appear as a tooltip. |
| Actions | Generate Anomaly Report → Opens a tab with a full anomaly report. Enable Manual Action(s) → Runs all Response actions set for manual execution. Classify/Set Comment → Lets you classify anomaly impact and add/edit comments (for reporting only, not IP profiling). Open Packet Dump → Available for Packet Sensors if a capturing action is in Response. Open Flow List → Available for Flow Sensors if Flow Collector is enabled. Shows bi-directional flows for the selected time (possible 5-minute delay due to flow data file buffering). Time zone differences are not adjusted. View Live Graph → If IP Graphing is on for this prefix in the IP Zone. Delete BGP Announcement → If a BGP prefix announcement exists. Expire Anomaly → Immediately clears the anomaly; the Sensor must be running. |
| Sum Pkts | Total packets counted since the anomaly began. |
| Sum Bits | Total bits counted since the anomaly began. |
| Threshold Value | The numeric threshold that triggered the anomaly, as defined in its rule. For profiled anomalies, this threshold changes dynamically based on the behavioral traffic graph (see Reports » IP Addresses » [Subnet] » Profile Graphs). |
| Overall Traffic | Percentage of decoder traffic relative to the prefix's total IP traffic. |
| IP Zone (Inheritance) | Indicates the IP Zone the Sensor used. Clicking opens the most specific prefix's settings. |
| Threshold Template | Specifies which Threshold Template contains the anomaly's threshold rule (if any). |
| Expiration | How many seconds must pass before the anomaly is deemed inactive. |
| Response (Actions) | Name of the Response and a list of any executed actions with Record Action enabled. |
| Comments | Hidden if no comment exists. Use Classify/Set Comment (in Actions) to add or edit. |

| Column | Description |
|---|---|
| Filter | Identifies the detecting Wanguard Filter. Clicking opens a new tab with details. |
| Filtering Rule | Describes the rule matching malicious traffic or a default-applied rule. If a white flag appears, the rule conflicts with a whitelist rule entry. The filtering rules enabled for the decoder are listed in General Settings » Anomaly Mitigation. |
| Started | Date/time when the rule was created. |
| Latest Alarm | Most recent time the rule detected above-threshold traffic. |
| Pkts/s (Peak) | Current packets/second matching the rule, with the maximum value in parentheses. |
| Bits/s (Peak) | Current bits/second matching the rule, with the maximum value in parentheses. |
| Firewall | Icons show which backend applied the rule: Netfilter, Dataplane, Hardware Offload, BGP Flowspec/S/RTBH, or Third-party. |
| Scrubbed | Approximate percentage of mitigated abnormal traffic. Not all backends accurately report drops. |
| Pkts | Total packets matched by the rule. |
| Bits | Total bits matched by the rule. |
| Actions | Open Packet Dump → For Packet Filters if the Response includes traffic capturing. Open Flow List → For Flow Sensors with the Flow Collector feature enabled. Displays bi-directional flows from the chosen time range (potential 5-minute delay, no time zone adjustment). Expire Filtering Rule → Immediately clears the rule and associated firewall entries. |
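The Severity column above combines two ratios: rule severity (abnormal traffic over the threshold, one full bar per 100%) and link severity (abnormal traffic over link traffic for pkts/s, or over link capacity for bits/s), with the bar colour taken from the link-severity bucket. The following is an added illustration of that computation, not Wanguard code; the `AnomalyTraffic` fields are assumed names, values exactly on a 25/50/75 boundary are assumed to fall into the higher bucket, and an unknown link traffic or capacity is reported as "unknown" rather than guessed.

```python
"""Severity bar and colour as described for the Active Anomalies column.

Added illustration, not part of Wanguard. Field names, the boundary handling
at exactly 25/50/75 %, and the treatment of a missing denominator are
assumptions; the ratios and colour buckets follow the column description.
"""
from dataclasses import dataclass
from math import floor
from typing import Optional, Tuple

# Link-severity buckets from the column description: below 25 % blue,
# below 50 % yellow, below 75 % orange, otherwise red.
COLOR_BUCKETS = ((25.0, "blue"), (50.0, "yellow"), (75.0, "orange"))


@dataclass
class AnomalyTraffic:
    unit: str                       # "pkts/s" or "bits/s" (the decoder's unit)
    abnormal_peak: float            # peak abnormal traffic (Speed column)
    threshold: float                # Threshold Value column
    link_traffic: Optional[float]   # overall link traffic in pkts/s (Sensor/interface)
    link_capacity: Optional[float]  # link capacity in bits/s


def rule_severity(a: AnomalyTraffic) -> float:
    """Abnormal traffic divided by the threshold; 1.0 means one full bar."""
    if a.threshold <= 0:
        raise ValueError("threshold must be positive")
    return a.abnormal_peak / a.threshold


def bars(a: AnomalyTraffic) -> Tuple[int, float]:
    """(number of full bars, fraction of the partially filled last bar)."""
    ratio = rule_severity(a)
    full = floor(ratio)
    return full, round(ratio - full, 3)


def link_severity(a: AnomalyTraffic) -> Optional[float]:
    """Percentage of the link used by abnormal traffic; None if unknown.

    pkts/s anomalies are compared against overall link traffic, bits/s
    anomalies against link capacity. Capped at 100 % for the colour scale.
    """
    denominator = a.link_traffic if a.unit == "pkts/s" else a.link_capacity
    if denominator is None or denominator <= 0:
        return None
    return min(100.0, 100.0 * a.abnormal_peak / denominator)


def bar_color(link_pct: Optional[float]) -> str:
    """Map a link-severity percentage onto the bar colour."""
    if link_pct is None:
        return "unknown"
    for upper, color in COLOR_BUCKETS:
        if link_pct < upper:
            return color
    return "red"


def tooltip(a: AnomalyTraffic) -> str:
    """Text in the spirit of the column's tooltip: both severities in one line."""
    rule_pct = 100.0 * rule_severity(a)
    link_pct = link_severity(a)
    link_text = "unknown" if link_pct is None else f"{link_pct:.0f}%"
    return f"rule severity {rule_pct:.0f}%, link severity {link_text}"


if __name__ == "__main__":
    # Constructed sample: a pkts/s anomaly at 3x its threshold on a 1 Mpps link.
    sample = AnomalyTraffic("pkts/s", 300_000, 100_000, 1_000_000, 10_000_000_000)
    print(bars(sample), bar_color(link_severity(sample)), tooltip(sample))
```

The distinction between the two ratios matters when triaging: a flood that is many times its threshold but a small fraction of the link (many bars, blue) is a different operational problem from one that is barely above threshold but saturating the link (one bar, red).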
Note: If there are hundreds of active anomalies, the Active Anomalies tab may load very slowly. In that case, click the Display options button and set Histogram to None to disable per-anomaly graph generation.
31.2. Anomaly Archive
Shows all recorded anomalies, sorted newest-first. Click the down arrow on any column header to filter rows, change sort direction, or hide columns. Use the [+] button in the first column to expand the anomaly and see mitigation data or other details. For definitions of columns, refer to the previous section.
31.3. Anomaly Overview
Offers trends and summaries of detected anomalies for specified Sensor Interfaces, decoders, and time ranges.