The IPS 5.1 CLI lets you access the sensor through Telnet, SSH, and serial interface connections.
The CLI for IPS 5.1 permits multiple users to log in at a time. You can create and remove users from the local sensor. You can only modify one user account at a time. Each user is associated with a role that controls what that user can and cannot modify.
The CLI supports four user roles: Administrator, Operator, Viewer, and Service. The privilege levels for each role are different; therefore, the menus and available commands vary for each role.
•Administrators—This user role has the highest level of privileges. Administrators have unrestricted view access and can perform the following functions:
–Add users and assign passwords
–Enable and disable control of physical interfaces and virtual sensors
–Assign physical sensing interfaces to a virtual sensor
–Modify the list of hosts allowed to connect to the sensor as a configuring or viewing agent
–Modify sensor address configuration
–Tune signatures
–Assign configuration to a virtual sensor
–Manage routers
•Operators—This user role has the second highest level of privileges. Operators have unrestricted view access and can perform the following functions:
–Modify their passwords
–Tune signatures
–Manage routers
–Assign configuration to a virtual sensor
•Viewers—This user role has the lowest level of privileges. Viewers can view configuration and event data and can modify their passwords.
Tip: Monitoring applications only require viewer access to the sensor. You can use the CLI to set up a user account with viewer privileges and then configure the event viewer to use this account to connect to the sensor.
•Service—This user role does not have direct access to the CLI. Service account users are logged directly into a bash shell. Use this account for support and troubleshooting purposes only. Unauthorized modifications are not supported and will require the device to be reimaged to guarantee proper operation. You can create only one user with the service role.
When you log in to the service account, you receive the following warning:
******************************* WARNING *****************************************
UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
This account is intended to be used for support and troubleshooting purposes only. Unauthorized modifications are not supported and will require this device to be re-imaged to guarantee proper operation.
*********************************************************************************
Note: The service role is a special role that allows you to bypass the CLI if needed. Only a user with Administrator privileges can edit the service account.
Follow these tips when using the IPS CLI:
Prompts
•You cannot change the prompt displayed for the CLI commands.
•User interactive prompts occur when the system displays a question and waits for user input. The default input is displayed inside brackets [ ]. To accept the default input, press Enter.
Help
•To display the help for a command, type ? after the command.
The following example demonstrates the ? function:
sensor# configure ?
terminal Configure from the terminal
sensor# configure
Note: When the prompt returns from displaying help, the command previously entered is displayed without the ?.
•You can type ? after an incomplete token to view the valid tokens that complete the command. If there is a trailing space between the token and the ?, you receive an ambiguous command error:
sensor# show c ?
% Ambiguous command : "show c"
If you enter the token without the space, a selection of available tokens for the completion (with no help description) appears:
sensor# show c?
clock configuration
sensor# show c
•Only commands available in the current mode are displayed by help.
Tab Completion
•Only commands available in the current mode are displayed by tab complete and help.
•If you are unsure of the complete syntax for a command, you can type a portion of the command and press Tab to complete the command.
•If multiple commands match for tab completion, nothing is displayed.
Recall
•To recall the commands entered in a mode, use the Up Arrow or Down Arrow keys or press Ctrl-P or Ctrl-N.
Note: Help and tab complete requests are not reported in the recall list.
•A blank prompt indicates the end of the recall list.
Case Sensitivity
•The CLI is not case sensitive, but it does echo back the text in the same case you typed it. For example, if you type:
sensor# CONF
and press Tab, the sensor displays:
sensor# CONFigure
Display Options
•—More— is an interactive prompt that indicates that the terminal output exceeds the allotted display space. To display the remaining output, press the spacebar to display the next page of output or press Enter to display the output one line at a time.
•To clear the current line contents and return to a blank command line, press Ctrl-C.
Table 1-1 describes the command line editing capabilities provided by the CLI.
IPS CLI has the following command modes:
•privileged EXEC—Entered when you log in to the CLI interface.
•global configuration—Entered from privileged EXEC mode by typing configure terminal.
The command prompt is sensor(config)#.
•service mode configuration—Entered from global configuration mode by typing service service-name.
The command prompt is sensor(config-ser)#, where ser is the first three characters of the service name.
•multi-instance service mode—Entered from global configuration mode by typing service service-name log-instance-name.
The command prompt is sensor(config-log)#, where log is the first three characters of the log instance name. The only multi-instance services in the system are signature definition and event action rules.
Regular expressions are text patterns that are used for string matching. Regular expressions contain a mix of plain text and special characters to indicate what kind of matching to do. For example, if you are looking for a numeric digit, the regular expression to search for is "[0-9]". The brackets indicate that the character being compared should match any one of the characters enclosed within the bracket. The dash (-) between 0 and 9 indicates that it is a range from 0 to 9. Therefore, this regular expression will match any character from 0 to 9, that is, any digit.
To search for a specific special character, you must use a backslash before the special character. For example, the single character regular expression "\*" matches a single asterisk.
The regular expressions defined in this section are similar to a subset of the POSIX Extended Regular Expression definitions. In particular, "[..]", "[==]", and "[::]" expressions are not supported. Also, escaped expressions representing single characters are supported. A character can be represented as its hexadecimal value, for example, \x61 equals 'a', so \x61 is an escaped expression representing the character 'a'.
Table 1-2 lists the special characters.
The following examples demonstrate the special characters:
•a* matches any number of occurrences of the letter a, including none.
•a+ requires that at least one letter a be in the string to be matched.
•ba?b matches the string bb or bab.
•\** matches any number of asterisks (*).
To use multipliers with multiple-character patterns, you enclose the pattern in parentheses.
•(ab)* matches any number of the multiple-character string ab.
•([A-Za-z][0-9])+ matches one or more instances of alphanumeric pairs, but not none (that is, an empty string is not a match).
The order for matches using multipliers (*, +, or ?) is to put the longest construct first. Nested constructs are matched from outside to inside. Concatenated constructs are matched beginning at the left side of the construct. Thus, the regular expression ([A-Za-z][0-9])+ matches A9b3, but not 9Ab3, because the letters are specified before the numbers.
You can also use parentheses around a single- or multiple-character pattern to instruct the software to remember a pattern for use elsewhere in the regular expression.
To create a regular expression that recalls a previous pattern, you use parentheses to indicate memory of a specific pattern and a backslash (\) followed by a digit to reuse the remembered pattern. The digit specifies the occurrence of a parentheses in the regular expression pattern. If you have more than one remembered pattern in your regular expression, then \1 indicates the first remembered pattern, and \2 indicates the second remembered pattern, and so on.
The following regular expression uses parentheses for recall:
•a(.)bc(.)\1\2 matches an a followed by any character, followed by bc followed by any character, followed by the first any character again, followed by the second any character again.
For example, the regular expression can match aZbcTZT. The software remembers that the first character is Z and the second character is T and then uses Z and T again later in the regular expression.
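The following added example (not part of the Cisco documentation) checks a pattern for the POSIX bracket sub-expressions this section says are not supported, then runs the section's own patterns against sample strings. It assumes Python's re module as a stand-in for the sensor's regular expression engine and whole-string matching; the function names are hypothetical.

```python
import re

# Bracket sub-expressions the section lists as unsupported:
# collating symbols [. .], equivalence classes [= =], character classes [: :].
# Heuristic check: escaped brackets are not treated specially.
UNSUPPORTED = re.compile(r"\[(\.[^\]]*\.|=[^\]]*=|:[^\]]*:)\]")

def unsupported_constructs(pattern):
    """Return the unsupported POSIX bracket sub-expressions found in pattern."""
    return [m.group(0) for m in UNSUPPORTED.finditer(pattern)]

def matches(pattern, text):
    """Whole-string match, refusing patterns the sensor would not accept."""
    found = unsupported_constructs(pattern)
    if found:
        raise ValueError(f"not supported on the sensor: {found}")
    return re.fullmatch(pattern, text) is not None

# (pattern, candidate string, expected result). Patterns come from this
# section; the non-matching strings marked "constructed" are added here.
CASES = [
    (r"[0-9]", "7", True),
    (r"\*", "*", True),                    # escaped special character
    (r"\x61", "a", True),                  # hexadecimal escape for 'a'
    (r"a*", "", True),                     # zero occurrences allowed
    (r"a+", "", False),                    # at least one 'a' required
    (r"ba?b", "bb", True),
    (r"ba?b", "bab", True),
    (r"\**", "***", True),
    (r"(ab)*", "ababab", True),
    (r"([A-Za-z][0-9])+", "A9b3", True),
    (r"([A-Za-z][0-9])+", "9Ab3", False),  # digit before letter
    (r"([A-Za-z][0-9])+", "", False),      # empty string is not a match
    (r"a(.)bc(.)\1\2", "aZbcTZT", True),   # \1 = Z, \2 = T
    (r"a(.)bc(.)\1\2", "aZbcTTZ", False),  # constructed: recall order swapped
]

def mismatches():
    """Return the cases whose result differs from the expected value."""
    return [c for c in CASES if matches(c[0], c[1]) != c[2]]

if __name__ == "__main__":
    print("mismatches:", mismatches())
    print(unsupported_constructs("[[:digit:]]+"))
```
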
The following CLI commands are generic to IPS 5.1.
•configure terminal—Enters global configuration mode.
Global configuration commands apply to features that affect the system as a whole rather than just one protocol or interface.
sensor# configure terminal
sensor(config)#
•service—Takes you to the following configuration submodes: analysis-engine, authentication, event-action-rules, host, interface, logger, network-access, notification, signature-definition, ssh-known-hosts, trusted-certificates, and web-server.
Note: The event-action-rules and signature-definition submodes are multiple instance services. Only one predefined instance is allowed for each. For event-action-rules, the only supported instance name is rules0. For signature-definition, the only supported instance name is sig0.
sensor# configure terminal
sensor(config)# service event-action-rules rules0
sensor(config-rul)#
•end—Exits configuration mode or any configuration submodes. It takes you back to the top-level EXEC menu.
sensor# configure terminal
sensor(config)# end
sensor#
•exit—Exits any configuration mode or closes an active terminal session and terminates the EXEC mode. It takes you to the previous menu session.
sensor# configure terminal
sensor(config)# service event-action-rules rules0
sensor(config-rul)# exit
sensor(config)# exit
sensor#
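The following added example (not part of the Cisco documentation) models the command modes and the configure terminal, service, end, and exit commands described above, so that an automation script can compute the prompt it should see before it sends a configuration command. The function names are hypothetical, the instance name is assumed to be required for the two multi-instance services, and abbreviated commands are not modelled.

```python
# Service submodes listed on this page.
SERVICES = {"analysis-engine", "authentication", "event-action-rules", "host",
            "interface", "logger", "network-access", "notification",
            "signature-definition", "ssh-known-hosts", "trusted-certificates",
            "web-server"}
# Multi-instance services and the only instance name the page says is supported.
INSTANCES = {"event-action-rules": "rules0", "signature-definition": "sig0"}

def prompt(mode, hostname="sensor"):
    """mode is [] for privileged EXEC, ['config'], or ['config', tag]."""
    if not mode:
        return f"{hostname}#"
    return f"{hostname}({'-'.join(mode)})#"

def step(mode, command):
    """Return the mode after command; raise ValueError if it is not modelled."""
    words = command.split()
    if words == ["configure", "terminal"] and not mode:
        return ["config"]
    if words == ["end"] and mode:
        return []                      # back to the top-level EXEC menu
    if words == ["exit"] and mode:
        return mode[:-1]               # back to the previous menu
    if words[:1] == ["service"] and mode == ["config"] and len(words) in (2, 3):
        name = words[1]
        instance = words[2] if len(words) == 3 else None
        if name not in SERVICES or INSTANCES.get(name) != instance:
            raise ValueError(f"unsupported service or instance: {command!r}")
        # Prompt tag: first three characters of the instance name for a
        # multi-instance service, otherwise of the service name.
        return ["config", (instance or name)[:3]]
    # exit at privileged EXEC closes the session and is not modelled here.
    raise ValueError(f"{command!r} is not modelled at {prompt(mode)}")

def expected_prompts(commands):
    """Return the prompt expected after each command, starting at sensor#."""
    mode, prompts = [], []
    for command in commands:
        mode = step(mode, command)
        prompts.append(prompt(mode))
    return prompts

if __name__ == "__main__":
    session = ["configure terminal", "service event-action-rules rules0",
               "exit", "exit"]
    for command, shown in zip(session, expected_prompts(session)):
        print(f"{command!r:40} -> {shown}")
```
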
In general, use the no form of a command to disable a feature or function. Use the command without the keyword no to enable a disabled feature or function. For example, the command ssh host-key ipaddress adds an entry to the known hosts table; the command no ssh host-key ipaddress removes the entry from the known hosts table. Refer to the individual commands for a complete description of what the no form of that command does.
Service configuration commands can also have a default form. Use the default form of the command to return the command setting to its default. This keyword applies to the service submenu commands used for application configuration. Typing default with the command resets the parameter to the default value. You can only use the default keyword with commands that specify a default value in the configuration files.