Index
Numerics
4GE bypass interface card
configuration restrictions 3-8
described 3-7
illustration 3-7
A
accessing IPS software 12-2
access list misconfiguration C-7
ACLs
described 8-3
Post-Block 8-22, 8-24
Pre-Block 8-22, 8-24
Active Host Blocks pane
button functions 8-36, 11-3
configuring 8-37, 11-5
described 8-36, 11-3
field descriptions 8-36, 11-3
user roles 8-36, 11-3
Add Active Host Block dialog box
button functions 8-37, 11-4
field descriptions 8-37, 11-4
Add Allowed Host dialog box
button functions 2-5
field descriptions 2-5
user roles 2-5
Add Authorized Key dialog box
button functions 2-9
field descriptions 2-9
user roles 2-8
Add Blocking Device dialog box user roles 8-19
Add Cat 6K Blocking Device Interface dialog box
button functions 8-29
field descriptions 8-29
user roles 8-28
Add Device Login Profile dialog box user roles 8-15
Add Event Action Filters dialog box
button functions 7-22
field descriptions 7-22
user roles 7-20
Add Event Action Overrides dialog box
button functions 7-16
field descriptions 7-16
user roles 7-15
Add Event Variable dialog box user roles 7-10
Add Interface Pair dialog box
button functions 3-16
field descriptions 3-16
user roles 3-15
Add IP Logging dialog box
button functions 11-13
field descriptions 11-13
Add Known Host Key dialog box
button functions 2-12
field descriptions 2-12
user roles 2-11
Add Master Blocking Sensor dialog box user roles 8-32
Add Never Block Address dialog box user roles 8-7
Add Router Blocking Device Interface dialog box user roles 8-24
Add Signature dialog box user roles 5-6
Add Signature Variable dialog box user roles 5-2
Add SNMP Trap Destination dialog box user roles 9-4
Add Target Value Rating dialog box
button functions 7-13
field descriptions 7-13
user roles 7-13
Add Trusted Host dialog box
button functions 2-16
field descriptions 2-16
user roles 2-15
Add User dialog box
button functions 2-27
field descriptions 2-27
user roles 2-26
Administrator privileges A-27
Advanced Alert Behavior Wizard
Alert Dynamic Response Fire All window
button functions 6-20
field descriptions 6-20
Alert Dynamic Response Fire Once window
button functions 6-21
field descriptions 6-21
Alert Dynamic Response Summary window
button functions 6-19
field descriptions 6-19
Alert Summarization window
button functions 6-19
field descriptions 6-19
Event Count and Interval window
button functions 6-18
field descriptions 6-18
Global Summarization window
button functions 6-21
field descriptions 6-21
advisory for cryptographic products 1-1
AIC engine
AIC FTP B-8
AIC HTTP B-8
defined 5-28, B-8
features B-8
AIC FTP engine parameters (table) B-10
AIC HTTP engine parameters (table) B-9
AIP-SSM
recovering C-45
resetting C-44
time sources 2-20
alarm channel described 7-4, A-24
Allowed Hosts pane
button functions 2-5
configuring 2-6
described 2-4
field descriptions 2-5
analysis engine
global variables 4-4
virtual sensor 4-1
Analysis Engine busy IDM exits C-36
appliances
application partition image 13-10
recovering software image 13-22
setting up a terminal server 13-12
terminal server 13-12
time sources 2-19
upgrading recovery partition 13-5
application partition
described A-3
recovering the image 13-10
applications in XML format A-2
ARC
ACLs 8-22, A-13
authentication A-14
blocking
connection-based A-16
unconditional blocking A-16
blocking application 8-1
block response A-12
Catalyst 6000 series switch
VACL commands A-18
VACLs A-18
Catalyst switches
VACLs A-15
VLANs A-15
checking status 8-3
described A-2
design 8-2
features A-13
firewalls
AAA A-17
connection blocking A-17
NAT A-17
network blocking A-17
postblock ACL A-15
preblock ACL A-15
shun command A-17
TACACS+ A-17
formerly known as Network Access Controller 8-1, 8-3
functions 8-1
illustration A-12
interfaces A-13
maintaining states A-15
managed devices 8-6
master blocking sensors A-13
maximum blocks 8-2
nac.shun.txt file A-15
NAT addressing A-14
number of blocks A-14
postblock ACL A-15
preblock ACL A-15
prerequisites 8-4
rate limiting 8-3, 11-8
responsibilities A-12
single point of control A-14
SSH A-13
supported devices 8-5, A-14
Telnet A-13
VACLs A-13
ASR described 7-2
Assign Actions dialog box
button functions 5-16
field descriptions 5-16
assigning interfaces to the virtual sensor 4-3
Atomic ARP engine
described B-11
parameters (table) B-11
Atomic IP engine
described B-11
parameters (table) B-11
Attack Response Controller
described A-2
formerly known as Network Access Controller A-2
See ARC
attack severity rating. See ASR.
AuthenticationApp
authenticating users A-20
described A-3
login attempt limit A-19
method A-19
responsibilities A-19
secure communications A-20
sensor configuration A-19
Authorized Keys pane
button functions 2-8
configuring 2-9
described 2-7
field descriptions 2-8
RSA authentication 2-8
RSA key generation tool 2-9
automatic updates
Cisco.com 10-1
servers
FTP 10-1
SCP 10-1
troubleshooting C-32
Auto Update and UNIX-style directory listings 13-8
Auto Update pane
button functions 10-2
configuring 10-3
described 10-1
field descriptions 10-2
user roles 10-2
auto-upgrade-option command 13-6
B
back door Trojan BO2K B-38
BackOrifice protocol B-38
blocking
described 8-1
disabling 8-7
master blocking sensor 8-31
necessary information 8-3
prerequisites 8-4
supported devices 8-5
types 8-2
Blocking Devices pane
button functions 8-19
configuring 8-20
described 8-18
field descriptions 8-19
ssh host-key command 8-21
blocking not occurring for signature C-22
Blocking Properties pane
button functions 8-8
configuring 8-10
described 8-6
field descriptions 8-8
Bug Toolkit
described C-1
URL C-1
bypass mode 3-20
described 3-20
function 3-2
Bypass pane
button functions 3-21
field descriptions 3-21
user roles 3-21
C
cannot access sensor C-5
Cat 6K Blocking Device Interfaces pane
button functions 8-29
configuring 8-30
described 8-27
field descriptions 8-29
VACLs
Post-Block 8-27
Pre-Block 8-27
certificates
Internet Explorer 1-16
Mozilla 1-18
Netscape 1-17
changing Microsoft IIS to UNIX-style directory listings 13-9
changing the memory
Java Plug-in on Linux 1-4, C-35
Java Plug-in on Solaris 1-4, C-35
Java Plug-in on Windows 1-3, C-34, C-35
CIDEE
defined A-34
example A-34
IPS extensions A-34
protocol A-34
supported IPS events A-34
Cisco.com
accessing software 12-2
downloading software 12-1
IPS software 12-1
software downloads 12-1
Cisco IOS and rate limiting 8-3, 11-8
Cisco Security Intelligence Operations
described 12-14
URL 12-14
Cisco Services for IPS
service contract 1-20, 12-9
supported products 1-20, 12-9
clear events command 2-24, C-66
clearing
events C-66
statistics C-53
CLI behavior A-29
case sensitivity A-30
display options A-30
help A-29
prompts A-29
recall A-29
tab completion A-29
CLI described A-3, A-27
Clone Signature dialog box user roles 5-6
commands
auto-upgrade-option 13-6
clear events 2-24, C-66
copy license-key 12-12
debug module-boot C-45
downgrade 13-9
hw-module module 1 reset C-44
setup 1-4, 1-5, 2-1
show events C-63
show module 1 details C-44
show statistics C-52
show statistics virtual-sensor C-52
show tech-support C-47
show version C-50
upgrade 13-5
Configure Summertime dialog box
button functions 2-22
field descriptions 2-22
configuring
active host blocks 8-37, 11-5
application policy 5-36
automatic upgrades 13-7
blocking devices 8-20
blocking properties 8-10
Cat 6K blocking device interfaces 8-30
device login profiles 8-17
event action filters 7-25
event action overrides 7-18
event action rules general settings 7-28
events 7-31
event variables 7-11
interface pairs 3-16
interfaces 3-14
IP fragment reassembly parameters 5-37
IP logging 11-14
maintenance partition (Catalyst Software) 13-28
maintenance partition (Cisco IOS) 13-32
master blocking sensor 8-34
network blocks 8-40, 11-7
rate limiting devices 8-20
rate limits 8-13, 11-10
router blocking device interfaces 8-26
SNMP 9-3
SNMP traps 9-6
TCP fragment reassembly parameters 5-44
traffic flow notifications 3-22
TVR 7-14
upgrades 13-3
VLAN pairs 3-19
control transactions
characteristics A-8
request types A-7
copy license-key command 12-12
correcting time on the sensor 2-24
creating
custom signatures
not using signature engines 6-3
Service HTTP 6-34
String TCP 6-29
using signature engines 6-2
MEG signatures 5-46
cryptographic account
Encryption Software Export Distribution Authorization from 12-2
obtaining 12-2
cryptographic products IDM 1-1
CtlTransSource
described A-2, A-10
illustration A-11
Ctrl-N A-29
Ctrl-P A-29
custom MEG signatures 5-46
Custom Signature Wizard
Alert Behavior window button functions 6-18
Alert Response window
button functions 6-17
field descriptions 6-17
Atomic IP Engine Parameters window
button functions 6-6
field descriptions 6-6
described 6-1
ICMP Traffic Type window
button functions 6-14
field descriptions 6-14
Inspect Data window
button functions 6-17
field descriptions 6-17
MSRPC Engine Parameters window
button functions 6-9
field descriptions 6-9
no signature engine sequence 6-3
protocols 6-5
Protocol Type window
button functions 6-5
field descriptions 6-5
Service HTTP Engine Parameters window
button functions 6-8
field descriptions 6-8
Service RPC Engine Parameters window
button functions 6-9
field descriptions 6-9
Service Type window
button functions 6-16
field descriptions 6-16
signature engine sequence 6-2
Signature Identification window
button functions 6-6
field descriptions 6-6
State Engine Parameters window
button functions 6-10
field descriptions 6-10
String ICMP Engine Parameters window
button functions 6-11
field descriptions 6-11
String TCP Engine Parameters window
button functions 6-12
field descriptions 6-12
String UDP Engine Parameters window
button functions 6-13
field descriptions 6-13
Sweep Engine Parameters window
button functions 6-14
field descriptions 6-14
TCP Sweep Type window
button functions 6-16
field descriptions 6-16
TCP Traffic Type window
button functions 6-15
field descriptions 6-15
UDP Sweep Type window
button functions 6-16
field descriptions 6-16
UDP Traffic Type window
button functions 6-15
field descriptions 6-15
user roles 6-4
Welcome window
button functions 6-5
field descriptions 6-5
D
data structure examples A-7
DDOS protocol B-38
debug-module-boot command C-45
defaults restoring 10-4
denied attackers
clearing list 11-2
hit count 11-1
resetting hit counts 11-2
Denied Attackers pane
button functions 11-2
described 11-1
field descriptions 11-2
user roles 11-1
using 11-2
Deny Packet Inline described 5-11, 5-17, 7-8, 7-18, B-8
device access issues C-19
Device Login Profiles pane
button functions 8-15
configuring 8-17
described 8-15
field descriptions 8-15
devices 8-20
diagnostics report 10-11
Diagnostics Report pane
button functions 10-11
described 10-11
user roles 10-11
using 10-11
disabling blocking 8-7
disaster recovery C-2
displaying
events C-64
statistics C-53
tech support information C-47
version C-50
downgrade command 13-9
downgrading sensors 13-9
downloading software 12-1
duplicate IP addresses C-8
E
Edit Allowed Host dialog box
button functions 2-5
field descriptions 2-5
user roles 2-5
Edit Authorized Key dialog box
button functions 2-9
field descriptions 2-9
user roles 2-8
Edit Blocking Device dialog box user roles 8-19
Edit Cat 6K Blocking Device Interface dialog box
button functions 8-29
field descriptions 8-29
user roles 8-28
Edit Device Login Profile dialog box user roles 8-15
Edit Event Action Filters dialog box
button functions 7-22
field descriptions 7-22
user roles 7-20
Edit Event Action Overrides dialog box 7-15
button functions 7-16
field descriptions 7-16
Edit Event Variable dialog box user roles 7-10
Edit Interface dialog box user roles 3-11
Edit Interface Pair dialog box
button functions 3-16
field descriptions 3-16
user roles 3-15
Edit IP Logging dialog box
button functions 11-13
field descriptions 11-13
Edit Known Host Key dialog box
button functions 2-12
field descriptions 2-12
user roles 2-11
Edit Master Blocking Sensor dialog box user roles 8-32
Edit Never Block Address dialog box user roles 8-7
Edit Router Blocking Device Interface dialog box user roles 8-24
Edit Signature dialog box user roles 5-6
Edit Signature Variable dialog box user roles 5-2
Edit SNMP Trap Destination dialog box user roles 9-4
Edit Target Value Rating dialog box
button functions 7-13
field descriptions 7-13
user roles 7-13
Edit User dialog box
button functions 2-27
field descriptions 2-27
user roles 2-26
Edit Virtual Sensor dialog box user roles 4-2
enabling debug logging C-24
Encryption Software Export Distribution Authorization form
cryptographic account 12-2
described 12-2
event action filters
configuring 7-25
described 7-3
Event Action Filters pane
button functions 7-21
configuring 7-25
described 7-20
field descriptions 7-21
event action overrides
configuring 7-18
described 7-2
Event Action Overrides pane
button functions 7-15
configuring 7-18
described 7-15
field descriptions 7-15
event action rules
described 7-1
example 7-8
functions 7-1
event actions
described 7-6
table 7-6, B-6
Events pane
button functions 7-30
configuring 7-31
described 7-29
field descriptions 7-30
Event Store
clearing events 2-24
data structures A-7
described A-2
examples A-6
responsibilities A-6
timestamp A-6
event types C-62
event variables
configuring 7-11
example 7-10
Event Variables pane
button functions 7-10
configuring 7-11
described 7-9
field descriptions 7-10
Event Viewer page
button functions 7-30
field descriptions 7-30
F
fail-over testing 3-8
Flood engine described B-12
Flood Host engine parameters (table) B-12
Flood Net engine parameters (table) B-12
G
general settings described 7-27
General Settings pane
configuring 7-28
user roles 7-27
generating a diagnostics report 10-11
Global Variables pane
button functions 4-4
described 4-4
field descriptions 4-4
user roles 4-4
H
H.225.0 protocol B-20
H.323 protocol B-20
hardware bypass
configuration restrictions 3-8
IPS-4260 3-7
with software bypass 3-7
help
question mark A-29
using A-29
HTTP deobfuscation
ASCII normalization 6-33, B-23
described 6-33, B-23
hw-module module 1 reset command C-44
I
IDAPI
communications A-3, A-30
described A-3, A-30
functions A-30
illustration A-30
responsibilities A-30
IDCONF
described A-33
example A-33
RDEP2 A-33
XML A-33
IDIOM
defined A-33
messages A-33
IDM
advisory 1-1
certificates 1-15
clear Java cache C-36
cookies 1-15
cryptographic products 1-1
error message Analysis Engine is busy C-36
GUI 1-2
introducing 1-2
Java Plug-in 1-3, C-34
logging in 1-13, 1-14
memory 1-3, C-34
prerequisites 1-13
Signature Wizard unsupported signature engines 6-1, 6-22
system requirements 1-2
TLS and SSL 1-15
user interface 1-2
validating
Internet Explorer certificate fingerprints 1-16
Mozilla certificate fingerprints 1-18
Netscape certificate fingerprints 1-17
web browsers 1-2
IDM will not load clear Java cache C-36
IDS-4215
BIOS upgrade 13-16
reimaging 13-14
ROMMON upgrade 13-16
upgrading
BIOS 13-16
ROMMON 13-16
IDSM-2
configuring
maintenance partition (Catalyst Software) 13-28
maintenance partition (Cisco IOS) 13-32
installing
system image (Catalyst software) 13-26
system image (Cisco IOS software) 13-26
reimaging described 13-25
time sources 2-19
upgrading
maintenance partition (Catalyst software) 13-35
maintenance partition (Cisco IOS software) 13-36
IDSM-2 command and control port C-42
IDSM-2 not online C-42
initialization verification 1-10
initializing the sensor 1-4, 1-5, 2-1
inline VLAN pairs
described 3-3
supported sensors 3-3
installer major version described 12-6
installer minor version described 12-6
installing
license key 12-13
sensor license 1-22, 12-11
system image
IDSM-2 (Catalyst software) 13-26
IDSM-2 (Cisco IOS software) 13-26
IPS-4240 13-17
IPS-4260 13-20
InterfaceApp described A-2
interface pairs
configuring 3-16
described 3-15
Interface Pairs pane
button functions 3-15
configuring 3-16
described 3-15
field descriptions 3-15
interfaces
configuration restrictions 3-5
configuring 3-14
Interfaces pane
button functions 3-12
configuring 3-14
described 3-10
field descriptions 3-12
interface support (table) 3-4
Internet Explorer certificate fingerprints validation 1-16
IP fragment reassembly
described 5-36
parameters (table) 5-37
signatures (table) 5-37
IP logging
described 5-45, 11-11
event actions 11-12
system performance 11-12
IP Logging pane
button functions 11-13
configuring 11-14
described 11-12
field descriptions 11-13
user roles 11-12
IP logs
circular buffer 11-12
Ethereal 11-12
states 11-11
TCP Dump 11-12
viewing 11-14
IPS
external communications A-31
internal communications A-30
IPS-4240
installing system image 13-17
ROMMON 13-10
IPS-4255
installing system image 13-17
ROMMON 13-10
IPS-4260
hardware bypass 3-7
reimaging 13-20
IPS applications
summary A-36
table A-36
XML format A-2
IPS data
types A-7
XML document A-8
IPS events
listed A-8
types A-8
IPS software
application list A-2
available files 12-1
configuring device parameters A-4
directory structure A-35
Linux OS A-1
new features A-3
obtaining 12-1
platform-dependent release examples 12-7
retrieving data A-4
security features A-4
tuning signatures A-4
updating A-4
user interaction A-4
versioning scheme 12-3
IPS software file names
major updates (illustration) 12-3
minor updates (illustration) 12-3
patch releases (illustration) 12-3
service packs (illustration) 12-3
J
Java Plug-in
Linux 1-4, C-35
Solaris 1-4, C-35
Windows 1-3, C-34, C-35
K
Known Host Keys pane
button functions 2-11
configuring 2-12
described 2-11
field descriptions 2-11
L
license key
installing 12-13
status 1-19
licensing
described 1-19, 12-9
IPS device serial number 1-19, 12-9
Licensing pane
button functions 1-21
configuring 1-22, 12-11
described 1-19, 12-9
field descriptions 1-21
user roles 1-21
limitations for concurrent CLI sessions 1-13
listings UNIX-style 13-8
LogApp
described A-2, A-18
functions A-18
syslog messages A-19
logging in
IDM 1-14
terminal servers 13-12
LOKI protocol B-38
M
MainApp
applications A-5
described A-2
host statistics A-5
responsibilities A-5
show version command A-5
maintenance partition
configuring (Catalyst Software) 13-28
configuring (Cisco IOS) 13-32
described A-3
major updates described 12-3
manual block to bogus host C-21
master blocking sensor described 8-31
Master Blocking Sensor pane
button functions 8-32
configuring 8-34
described 8-31
field descriptions 8-32
Master engine
alert frequency B-5
alert frequency parameters (table) B-5
defined B-3
event actions B-6
general parameters (table) B-4
promiscuous delta B-5
universal parameters B-4
MBS not set up properly C-23
memory and IDM 1-3, C-34
Meta engine
described 5-46, B-13
parameters (table) B-13
Meta Event Generator described 7-27
MIBs supported 9-7
minor updates described 12-4
Miscellaneous pane
button functions 5-26
configuring
application policy 5-35
IP fragment reassembly 5-38
IP logging 5-46
TCP stream reassembly 5-45
described 5-26
field descriptions 5-26
user roles 5-26
modes
bypass 3-2, 3-20
inline 3-3
monitoring
events 7-31
Viewer privileges A-28
Mozilla certificate fingerprints validation 1-18
Multi String engine described B-14
N
Netscape certificate fingerprints validation 1-17
Network Access Controller functions A-11
Network Blocks pane
button functions 8-39, 11-6
configuring 8-40, 11-7
described 8-39, 11-6
field descriptions 8-39, 11-6
user roles 8-39, 11-6
Network pane
button functions 2-2
configuring 2-3
described 2-2
field descriptions 2-2
TLS/SSL 2-3
user roles 2-2
Network Time Protocol. See NTP.
never block
hosts 8-6
networks 8-6
NM-CIDS
bootloader 13-23
reimaging 13-24
system image file 13-23
time sources 2-20
Normalizer engine
described B-15
IP fragment reassembly B-15
parameters (table) B-16
TCP stream reassembly B-16
NotificationApp
alert information A-8
described A-2
functions A-8
SNMP gets A-8
SNMP traps A-8
statistics A-10
system health information A-9
NTP
described 2-19
time synchronization 2-19
O
obtaining
cryptographic account 12-2
IPS software 12-1
Operator privileges A-27
output
clearing current line A-30
displaying A-30
P
partitions
application A-3
maintenance A-3
recovery A-3
passwords and the service account 1-5
patch releases described 12-4
physical connectivity issues C-10
platforms and concurrent CLI sessions 1-13
Post-Block ACLs 8-22, 8-24
Pre-Block ACLs 8-22, 8-24
prerequisites for blocking 8-4
prompt default input A-29
protocols for the Custom Signature Wizard 6-5
Q
Q.931 protocol
described B-20
SETUP messages B-20
R
rate limiting
ACLs 8-23
described 8-3, 11-8
routers 8-3, 11-8
service policies 8-23
supported signatures 8-4, 11-8
Rate Limits pane
button functions 8-12, 11-9
configuring 8-13, 11-10
described 8-12
field descriptions 8-12, 11-9
user roles 8-12
RDEP2
described A-31
functions A-31
messages A-31
responsibilities A-31
rebooting the sensor 10-6
Reboot Sensor pane
button functions 10-6
configuring 10-6
described 10-6
user roles 10-6
recall
help and tab completion A-29
using A-29
recover command 13-10
recovering
AIP-SSM C-45
application partition image 13-10
recovery/upgrade CD 13-22
recovery partition
described A-3
upgrading 13-5
reimaging
appliance 13-10
described 13-1
IDS-4215 ROMMON 13-14
IPS-4260 13-20
IDSM-2 13-25
IPS-4260 ROMMON 13-20
NM-CIDS 13-24
sensors 13-1
removing the last applied upgrade 13-9
reset not occurring for a signature C-30
resetting AIP-SSM C-44
Restore Defaults pane
button functions 10-5
configuring 10-5
described 10-4
user roles 10-4
restoring defaults 10-5
retrieving events through RDEP2 (illustration) A-31
risk rating. See RR.
ROMMON
described 13-12
IDS-4215 13-14
remote sensors 13-12
serial console port 13-12
TFTP 13-12
round-trip time. See RTT.
Router Blocking Device Interfaces pane
button functions 8-25
configuring 8-26
described 8-23
field descriptions 8-25
RPC portmapper B-27
RR
calculating 7-2
example 7-9
RTT
described 13-12
TFTP limitation 13-12
S
scheduling automatic upgrades 13-7
SDEE
defined A-34
HTTP A-34
protocol A-34
SDEE Server requests A-34
SEAF
described 7-4, A-24
parameters 7-4, A-24
SEAO described 7-4, A-24
SEAP
alarm channel 7-4, A-24
components 7-4, A-24
described A-22
figure A-24
flow of signature events 7-5, A-24
function 7-4
illustration 7-5
security
information on Cisco Security Intelligence Operations 12-14
security and SSH 2-7
sending commands through RDEP2 (illustration) A-32
sensor
blocking itself 8-7
diagnostics report 10-11
license 12-11
rebooting 10-6
restoring defaults 10-5
shutting down 10-7
statistics 10-13
system information 10-14
updating 10-3, 10-9
SensorApp
Alarm Channel A-23
Analysis Engine A-23
described A-3
event action filtering A-27
hold down timer A-26
inline packet processing A-25
IP normalization A-26
new features A-25
packet flow A-23
processors A-22
responsibilities A-22
RR A-26
SEAP A-22
TCP normalization A-26
sensor interfaces described 3-1
Sensor Key pane
button functions 2-14
described 2-14
field descriptions 2-14
sensor SSH key
displaying 2-14
generating 2-14
user roles 2-14
sensor not seeing packets C-13
sensor process not running C-9
sensors
downgrading 13-9
initializing 1-4, 1-5, 2-1
interface support 3-4
license 1-22
NTP time synchronization 2-19
partitions A-3
recovering the system image 12-8
reimaging 12-8, 13-1
setup command 1-4, 1-5, 2-1
time sources 2-19
Server Certificate pane
button functions 2-18
certificate
displaying 2-18
generating 2-18
described 2-17
field descriptions 2-18
user roles 2-18
service account
described A-28
privileges A-28
TAC A-28
troubleshooting A-28
Service DNS engine
described B-17
parameters (table) B-18
Service FTP engine
described B-19
parameters (table) B-19
Service Generic engine
described B-19
parameters (table) B-20
Service H225 engine
ASN.1 PER validation B-21
described B-20
features B-21
parameters (table) B-22
TPKT validation B-21
Service HTTP engine
custom signature 6-34
described 6-33, B-23
example signature 6-34
parameters (table) B-23
Service IDENT engine
described B-24
parameters (table) B-25
Service MSRPC engine
DCE/RPC protocol B-25
described B-25
parameters (table) B-26
Service MSSQL engine
described B-26
MSSQL protocol B-26
parameters (table) B-26
Service NTP engine
described B-27
parameters (table) B-27
service packs described 12-4
Service privileges A-28
service role 2-26, A-28
Service RPC engine
described B-27
parameters (table) B-27
RPC portmapper B-27
Service SMB engine
described B-28
parameters (table) B-28
Service SNMP engine
described B-30
parameters (table) B-30
Service SSH engine
described B-31
parameters (table) B-31
setting up a terminal server 13-12
setup command 1-4, 1-5, 2-1
SFR
calculating 7-2
described 7-2
show events command C-62, C-63
show interfaces command C-61
show module 1 details command C-44
show statistics command C-52
show statistics virtual-sensor command C-52
show tech-support command
described C-47
options C-47
output C-48
show version command C-49, C-50
Shut Down Sensor pane
button functions 10-7
configuring 10-7
described 10-7
user roles 10-7
shutting down the sensor 10-7
signature/virus update files described 12-5
Signature Configuration pane
assigning actions 5-23
button functions 5-6
described 5-5
field descriptions 5-6
signatures
activating 5-22
adding 5-18
cloning 5-19
disabling 5-22
enabling 5-22
retiring 5-22
tuning 5-21
signature engines
AIC 5-28, B-9
Atomic B-10
Atomic ARP B-11
Atomic IP B-11
creating custom signatures 6-2
defined B-1
Flood B-12
Flood Host B-12
Flood Net B-12
list B-1
Meta 5-46, B-13
Multi String B-14
Normalizer B-15
not supported by IDM 6-1, 6-22
Service DNS B-17
Service FTP B-19
Service Generic B-19
Service H225 B-20
Service HTTP 6-33, B-23
Service IDENT B-24
Service MSRPC B-25
Service MSSQL B-26
Service NTP B-27
Service RPC B-27
Service SMB B-28
Service SNMP B-30
Service SSH B-31
State B-31
String 6-28, B-33
Sweep B-36
Traffic ICMP B-37
Trojan B-38
signature engine update files described 12-5
Signature Event Action Processor. See SEAP.
signature fidelity rating. See SFR.
signatures
custom 5-2
default 5-1
described 5-1
false positives 5-1
rate limits 8-4, 11-8
subsignatures 5-1
tuned 5-1
signature variables described 5-2
Signature Variables pane
button functions 5-3
configuring 5-4
field descriptions 5-3
Signature Wizard unsupported signature engines 6-1, 6-22
SNMP
configuring 9-3
described 9-1
Get 9-1
GetNext 9-1
Set 9-1
supported MIBs 9-7
Trap 9-1
SNMP General Configuration pane
button functions 9-2
configuring 9-3
described 9-2
field descriptions 9-2
user roles 9-2
SNMP traps
configuring 9-6
described 9-1
SNMP Traps Configuration pane
button functions 9-5
configuring 9-6
described 9-4
field descriptions 9-5
software architecture
ARC (illustration) A-12
IDAPI (illustration) A-30
RDEP2 (illustration) A-32
software bypass with hardware bypass 3-7
software downloads Cisco.com 12-1
software file names
recovery (illustration) 12-5
signature/virus updates (illustration) 12-4
signature engine updates (illustration) 12-5
system image (illustration) 12-5
software release examples
platform-dependent 12-7
platform identifiers 12-7
platform-independent 12-6
SPAN port issues C-10
SSH
security 2-7
understanding 2-7
SSH Server
private keys A-20
public keys A-20
State engine
Cisco Login B-32
described B-31
LPR Format String B-32
parameters (table) B-32
SMTP B-32
Statistics pane
button functions 10-13
described 10-12
user roles 10-13
using 10-13
statistics viewing 10-13
String engine described 6-28, B-33
String ICMP engine parameters (table) B-33
String TCP engine
custom signature 6-29
parameters (table) B-34
String TCP example signature 6-29
String UDP engine parameters (table) B-35
summarization
described 7-3
Fire All 7-4
Fire Once 7-4
Global Summarization 7-4
Meta engine 7-3
Summary 7-4
Summarizer described 7-27
Summary pane
button functions 3-9
described 3-9
field descriptions 3-9
Sweep engine
described B-36
parameters (table) B-36
switch commands for troubleshooting C-39
syntax and case sensitivity A-30
system architecture
directory structure A-35
supported platforms A-1
system components IDAPI A-31
system design (illustration) A-1
system image
installing for IDSM-2 (Cisco IOS software) 13-26
system information display 10-14
System Information pane
button functions 10-14
described 10-13
user roles 10-14
using 10-14
system requirements for IDM 1-2
T
tab completion use A-29
TAC
service account A-28
show tech-support command C-47
target value rating. See TVR.
Target Value Rating pane
button functions 7-13
configuring 7-14
field descriptions 7-13
TCP reset interface conditions 3-10, 3-11
TCP stream reassembly
described 5-39
parameters (table) 5-39, 5-44
signatures (table) 5-39, 5-44
terminal server setup 13-12
testing fail-over 3-8
TFN2K protocol B-37
TFTP servers
maximum file size limitation 13-12
RTT 13-12
time correction on the sensor 2-24
Time pane
button functions 2-21
configuring 2-23
described 2-19
field descriptions 2-21
user roles 2-21
time sources
AIP-SSM 2-20
appliances 2-19
IDSM-2 2-19
NM-CIDS 2-20
TLS
certificates 1-15
described 1-15, 2-3
handshaking 1-15
traffic flow notification configuration 3-22
Traffic Flow Notifications pane
button functions 3-22
configuring 3-22
described 3-22
field descriptions 3-22
user roles 3-22
Traffic ICMP engine
DDOS B-37
described B-37
LOKI B-37
parameters (table) B-38
TFN2K B-37
Transport Layer Security. See TLS.
Tribe Flood Net 2000 protocol B-37
Trojan engine
BO2K B-38
described B-38
TFN2K B-38
troubleshooting
accessing files on FTP site C-67
access list misconfiguration C-7
AIP-SSM
commands C-44
debugging C-45
recovering C-45
reset C-44
Analysis Engine busy C-36
automatic update C-32
blocking not occurring for signature C-22
cannot access sensor C-5
cidDump script C-67
cidLog messages to syslog C-29
communication C-5
corrupted SensorApp configuration C-15
debug logger zone names (table) C-28
device access issues C-19
disaster recovery C-2
duplicate IP address C-8
enabling debug logging C-24
false positive alerts C-16
faulty DIMMs C-16
gathering information C-46
IDM cannot access sensor C-37
IDM will not load C-36
IDSM-2
command and control port C-42
diagnosing problems C-38
not online C-42
serial cable C-44
switch commands C-39
TCP reset port C-43
IPS and PIX devices C-4
manual block to bogus host C-21
MBS not set up properly C-23
normalizer inline mode C-4
NTP C-30
physical connectivity issues C-10
preventive maintenance C-2
reset not occurring for a signature C-30
sensor events C-62
sensor not seeing packets C-13
sensor process not running C-9
show events command C-62
show interfaces command C-61
show statistics command C-52
show tech-support command C-46, C-47
show tech-support command output C-48
show version command C-49
software upgrades C-32
IDS-4235 C-32
IDS-4250 C-32
on sensor C-33
SPAN port issue C-10
unable to see alerts C-12
uploading files to FTP site C-67
using debug logging C-24
Trusted Hosts pane
button functions 2-16
configuring 2-16
described 2-15
field descriptions 2-16
TVR
configuring 7-14
described 7-2, 7-12
U
understanding
SSH 2-7
time on the sensor 2-19
UNIX-style directory listings 13-8
Update Sensor pane
button functions 10-8
configuring 10-9
described 10-8
field descriptions 10-8
user roles 10-8
updating
Cisco.com 10-8
FTP server 10-8
updating the sensor 10-9
upgrade command 13-5, 13-10
upgrading
4.1 to 5.0 12-8
maintenance partition
IDSM-2 (Catalyst software) 13-35
IDSM-2 (Cisco IOS software) 13-36
minimum required version 12-8
recovery partition 13-5, 13-10
URLs for Cisco Security Intelligence Operations 12-14
user roles
Administrator A-27
Operator A-27
Service A-27
Viewer A-27
Users pane
button functions 2-27
configuring 2-28
described 2-25
field descriptions 2-27
user roles 2-25
using
debug logging C-24
TCP reset interface 3-10, 3-11
V
VACLs
described 8-3
Post-Block 8-27
Pre-Block 8-27
verifying
sensor initialization 1-10
sensor setup 1-10
Viewer privileges A-28
viewing
IP logs 11-14
statistics 10-13
system information 10-14
virtual sensor interface assignment 4-3
Virtual Sensor pane
button functions 4-2
configuring 4-3
described 4-1
field descriptions 4-2
VLAN pairs configuration 3-19
VLAN Pairs pane
button functions 3-18
configuring 3-19
described 3-17
field descriptions 3-18
W
Web Server
described A-2, A-21
HTTP 1.0 and 1.1 support A-21
private keys A-20
public keys A-20
RDEP2 support A-21