Cisco Intrusion Prevention System Command Reference for IPS 5.1
Introducing the CLI
Downloads: This chapterpdf (PDF - 145.0 KB) The complete bookPDF (PDF - 1.25 MB) | Feedback

Introducing the CLI

Table Of Contents

Introducing the CLI

User Roles

CLI Behavior

Command Line Editing

IPS Command Modes

Regular Expression Syntax

General CLI Commands

CLI Keywords

Introducing the CLI

The IPS 5.1 CLI lets you access the sensor through Telnet, SSH, and serial interface connections.

This chapter contains the following topics:

User Roles

CLI Behavior

Command Line Editing

IPS Command Modes

Regular Expression Syntax

General CLI Commands

CLI Keywords

User Roles

The CLI for IPS 5.1 permits multiple users to log in at a time. You can create and remove users from the local sensor. You can only modify one user account at a time. Each user is associated with a role that controls what that user can and cannot modify

The CLI supports four user roles: Administrator, Operator, Viewer, and Service. The privilege levels for each role are different; therefore, the menus and available commands vary for each role.

Administrators—This user role has the highest level of privileges. Administrators have unrestricted view access and can perform the following functions:

Add users and assign passwords

Enable and disable control of physical interfaces and virtual sensors

Assign physical sensing interfaces to a virtual sensor

Modify the list of hosts allowed to connect to the sensor as a configuring or viewing agent

Modify sensor address configuration

Tune signatures

Assign configuration to a virtual sensor

Manage routers

Operators—This user role has the second highest level of privileges. Operators have unrestricted view access and can perform the following functions:

Modify their passwords

Tune signatures

Manage routers

Assign configuration to a virtual sensor

Viewers—This user role has the lowest level of privileges. Viewers can view configuration and event data and can modify their passwords.

Tip Monitoring applications only require viewer access to the sensor. You can use the CLI to set up a user account with viewer privileges and then configure the event viewer to use this account to connect to the sensor.

Service—This user role does not have direct access to the CLI. Service account users are logged directly into a bash shell. Use this account for support and troubleshooting purposes only. Unauthorized modifications are not supported and will require the device to be reimaged to guarantee proper operation. You can create only one user with the service role.

When you log in to the service account, you receive the following warning:

******************************* WARNING *****************************************
This account is intended to be used for support and troubleshooting purposes only. 
Unauthorized modifications are not supported and will require this device to be 
re-imaged to guarantee proper operation.

Note The service role is a special role that allows you to bypass the CLI if needed. Only a user with Administrator privileges can edit the service account.

CLI Behavior

Follow these tips when using the IPS CLI:


You cannot change the prompt displayed for the CLI commands.

User interactive prompts occur when the system displays a question and waits for user input. The default input is displayed inside brackets [ ]. To accept the default input, press Enter.


To display the help for a command, type ? after the command.

The following example demonstrates the ? function:

sensor# configure ?
terminal     Configure from the terminal
sensor# configure

Note When the prompt returns from displaying help, the command previously entered is displayed without the ?.

You can type ? after an incomplete token to view the valid tokens that complete the command. If there is a trailing space between the token and the ?, you receive an ambiguous command error:

sensor# show c ?
% Ambiguous command : "show c"

If you enter the token without the space, a selection of available tokens for the completion (with no help description) appears:

sensor# show c?
clock configuration
sensor# show c

Only commands available in the current mode are displayed by help.

Tab Completion

Only commands available in the current mode are displayed by tab complete and help.

If you are unsure of the complete syntax for a command, you can type a portion of the command and press Tab to complete the command.

If multiple commands match for tab completion, nothing is displayed.


To recall the commands entered in a mode, use the Up Arrow or Down Arrow keys or press Ctrl-P or Ctrl-N.

Note Help and tab complete requests are not reported in the recall list.

A blank prompt indicates the end of the recall list.

Case Sensitivity

The CLI is not case sensitive, but it does echo back the text in the same case you typed it. For example, if you type:

sensor# CONF 

and press Tab, the sensor displays:

sensor# CONFigure

Display Options

—More— is an interactive prompt that indicates that the terminal output exceeds the allotted display space. To display the remaining output, press the spacebar to display the next page of output or press Enter to display the output one line at a time.

To clear the current line contents and return to a blank command line, press Ctrl-C.

Command Line Editing

Table 1-1 describes the command line editing capabilities provided by the CLI.

Table 1-1 Command Line Editing 



Completes a partial command name entry. When you type a unique set of characters and press Tab, the system completes the command name. If you type a set of characters that could indicate more than one command, the system beeps to indicate an error. Type a question mark (?) immediately following the partial command (no space). The system provides a list of commands that begin with that string.


Erases the character to the left of the cursor.


At the command line, pressing Enter processes a command. At the ---More--- prompt on a terminal screen, pressing Enter scrolls down a line.


Enables you to see more output on the terminal screen. Press the Spacebar when you see the line ---More--- on the screen to display the next screen.

Left arrow

Moves the cursor one character to the left. When you type a command that extends beyond a single line, you can press the Left Arrow key repeatedly to scroll back toward the system prompt and verify the beginning of the command entry.

Right arrow

Moves the cursor one character to the right.

Up Arrow or Ctrl-P

Recalls commands in the history buffer, beginning with the most recent command. Repeat the key sequence to recall successively older commands.

Down Arrow or Ctrl-N

Returns to more recent commands in the history buffer after recalling commands with the Up Arrow or Ctrl-P. Repeat the key sequence to recall successively more recent commands.


Moves the cursor to the beginning of the line.


Moves the cursor back one character.


Deletes the character at the cursor.


Moves the cursor to the end of the command line.


Moves the cursor forward one character.


Deletes all characters from the cursor to the end of the command line.


Clears the screen and redisplays the system prompt and command line


Transposes the character to the left of the cursor with the character located at the cursor.


Deletes all characters from the cursor to the beginning of the command line.


Inserts a code to indicate to the system that the keystroke immediately following should be treated as a command entry, not as an editing key.


Deletes the word to the left of the cursor.


Recalls the most recent entry in the delete buffer. The delete buffer contains the last ten items you deleted or cut.


Ends configuration mode and returns you to the EXEC prompt.


Moves the cursor back one word.


Capitalizes the word at the cursor.


Deletes from the cursor to the end of the word.


Moves the cursor forward one word.


Changes the word at the cursor to lowercase.


Capitalizes from the cursor to the end of the word.

IPS Command Modes

IPS CLI has the following command modes:

privileged EXEC—Entered when you log in to the CLI interface.

global configuration—Entered from privileged EXEC mode by typing configure terminal.

The command prompt is sensor(config)#.

service mode configuration—Entered from global configuration mode by typing service service-name.

The command prompt is sensor(config-ser)#, where ser is the first three characters of the service name.

multi-instance service mode—Entered from global configuration mode by typing service service-name log-instance-name.

The command prompt is sensor(config-log)# where log is the first three characters of the log instance name. The only multi-instance services in the system are signature definition and event action rules.

Regular Expression Syntax

Regular expressions are text patterns that are used for string matching. Regular expressions contain a mix of plain text and special characters to indicate what kind of matching to do. For example, if you are looking for a numeric digit, the regular expression to search for is "[0-9]". The brackets indicate that the character being compared should match any one of the characters enclosed within the bracket. The dash (-) between 0 and 9 indicates that it is a range from 0 to 9. Therefore, this regular expression will match any character from 0 to 9, that is, any digit.

To search for a specific special character, you must use a backslash before the special character. For example, the single character regular expression "\*" matches a single asterisk.

The regular expressions defined in this section are similar to a subset of the POSIX Extended Regular Expression definitions. In particular, "[..]", "[==]", and "[::]" expressions are not supported. Also, escaped expressions representing single characters are supported. A character can be represented as its hexadecimal value, for example, \x61 equals `a,' so \x61 is an escaped expression representing the character `a.'

Table 1-2 lists the special characters.

Table 1-2 Regular Expression Syntax 



Beginning of the string. The expression "^A" will match an "A" only at the beginning of the string.


Immediately following the left-bracket ([). Excludes the remaining characters within brackets from matching the target string. The expression "[^0-9]" indicates that the target character should not be a digit.


Matches the end of the string. The expression "abc$" matches the sub-string "abc" only if it is at the end of the string.


Allows the expression on either side to match the target string. The expression "a|b" matches "a" as well as "b."


Matches any character.


Indicates that the character to the left of the asterisk in the expression should match 0 or more times.


Similar to * but there should be at least one match of the character to the left of the + sign in the expression.


Matches the character to its left 0 or 1 times.


Affects the order of pattern evaluation and also serves as a tagged expression that can be used when replacing the matched sub-string with another expression.


Enclosing a set of characters indicates that any of the enclosed characters may match the target character.


Allows specifying a character that would otherwise be interpreted as special.

\xHH represents the character whose value is the same as the value represented by (HH) hexadecimal digits [0-9A-Fa-f]. The value must be non-zero.

BEL is the same as \x07, BS is \x08, FF is \x0C, LF is \x0A, CR is \x0D, TAB is \x09, and VT is \x0B.

For any other character `c', `\c' is the same as `c' except that it is never interpreted as special

The following examples demonstrate the special characters:

a* matches any number of occurrences of the letter a, including none.

a+ requires that at least one letter a be in the string to be matched.

ba?b matches the string bb or bab.

\** matches any number of asterisks (*).

To use multipliers with multiple-character patterns, you enclose the pattern in parentheses.

(ab)* matches any number of the multiple-character string ab.

([A-Za-z][0-9])+ matches one or more instances of alphanumeric pairs, but not none (that is, an empty string is not a match).

The order for matches using multipliers (*, +, or ?) is to put the longest construct first. Nested constructs are matched from outside to inside. Concatenated constructs are matched beginning at the left side of the construct. Thus, the regular expression matches A9b3, but not 9Ab3 because the letters are specified before the numbers.

You can also use parentheses around a single- or multiple-character pattern to instruct the software to remember a pattern for use elsewhere in the regular expression.

To create a regular expression that recalls a previous pattern, you use parentheses to indicate memory of a specific pattern and a backslash (\) followed by a digit to reuse the remembered pattern. The digit specifies the occurrence of a parentheses in the regular expression pattern. If you have more than one remembered pattern in your regular expression, then \1 indicates the first remembered pattern, and \2 indicates the second remembered pattern, and so on.

The following regular expression uses parentheses for recall:

a(.)bc(.)\1\2 matches an a followed by any character, followed by bc followed by any character, followed by the first any character again, followed by the second any character again.

For example, the regular expression can match aZbcTZT. The software remembers that the first character is Z and the second character is T and then uses Z and T again later in the regular expression.

General CLI Commands

The following CLI commands are generic to IPS 5.1.

configure terminal—Enters global configuration mode.

Global configuration commands apply to features that affect the system as a whole rather than just one protocol or interface.

sensor# configure terminal

service—Takes you to the following configuration submodes: analysis-engine, authentication, event-action-rules, host, interface, logger, network-access, notification, signature-definition, ssh-known-hosts, trusted-certificates, and web-server.

Note The event-action-rules and signature-definition submodes are multiple instance services. Only one predefined instance is allowed for each. For event-action-rules, the only supported instance name is rules0. For signature-definition, the only supported instance name is sig0.

sensor# configure terminal
sensor(config)# service event-action-rules rules0

end—Exits configuration mode or any configuration submodes. It takes you back to the top-level EXEC menu.

sensor# configure terminal
sensor(config)# end

exit—Exits any configuration mode or closes an active terminal session and terminates the EXEC mode. It takes you to the previous menu session.

sensor# configure terminal
sensor(config)# service event-action-rules rules0
sensor(config-rul)# exit
sensor(config)# exit

CLI Keywords

In general, use the no form of a command to disable a feature or function. Use the command without the keyword no to enable a disabled feature or function. For example, the command ssh host-key ipaddress adds an entry to the known hosts table, the command no ssh host-key ipaddress removes the entry from the known hosts table. Refer to the individual commands for a complete description of what the no form of that command does.

Service configuration commands can also have a default form. Use the default form of the command to return the command setting to its default. This keyword applies to the service submenu commands used for application configuration. Typing default with the command resets the parameter to the default value. You can only use the default keyword with commands that specify a default value in the configuration files.