Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 6.0
Index

Numerics

4GE bypass interface card

configuration restrictions 5-9

described 5-8

802.1q encapsulation

VLAN groups 5-27

A

accessing IPS software 22-2

access list

configuring 4-5

misconfiguring D-26

access-list

command 4-5

configuring 4-5

account locking

configuring 4-17

described 4-17

ACLs

described 13-2

Post-Block 13-21, 13-22

Pre-Block 13-21, 13-22

adding

event action overrides 8-15

external product interfaces 10-5

global parameters 7-9

hosts to the SSH known hosts list 4-31, 4-32

signature variables 6-4

target value ratings 8-13

trusted hosts 4-37

users 4-11, 4-15, 4-16

virtual sensors 7-4, 7-7, 18-4

Address Resolution Protocol. See ARP.

administrator privileges 1-4, A-27

aggregation

alert frequency 8-30

operating modes 8-30

AIC engine

AIC FTP B-11

AIC HTTP B-11

described 6-17, B-11

features B-11

AIC FTP engine parameters (table) B-13

AIC HTTP engine parameters (table) B-12

AIC policy enforcement

default configuration 6-18, B-12

described 6-18, B-12

sensor oversubscription 6-18, B-12

AIM IPS

configuration sequence 17-1

configuration tasks 17-1

configuring interfaces 17-5, 17-7, 17-9, 17-10, 17-11, 17-12

initializing 3-19

interface sequence 17-4

logging in 2-9, 17-15

NAT 17-5

RBCP 17-17

rebooting 17-17

resetting 17-17

resetting heartbeat 17-18

session command 2-9, 17-14

sessioning 2-9, 17-15

setting up interfaces 17-4

setup command 3-19

shutting down 17-17

status display 17-16

time sources 4-19

verifying installation 17-2, D-72

AIP SSM

assigning policies 18-4

assigning virtual sensors 18-7

configuration tasks 18-1

creating virtual sensors 18-4

Deny Connection Inline 8-6, D-71

Deny Packet Inline 8-6, D-71

hw-module module 1 recover 18-14

hw-module module 1 reset 18-14

hw-module module 1 shutdown 18-13

initializing 3-24

inline mode 18-9

inspecting IPS traffic 18-9

installing system image 21-49

interfaces 18-3

logging in 2-10

modes 18-9

Normalizer engine 18-12, B-21, D-70

password recovery 16-5, D-12

promiscuous mode 18-9

recovering D-67

reimaging 21-49

Reset TCP Connection 8-6, D-71

resetting D-67

resetting the password 16-6, D-12

sending traffic 18-9

session command 2-10

setup command 3-24

show context 18-6

show ips command 18-6

show module command 18-2

task sequence 18-1

TCP reset packets 8-6, D-71

time sources 4-19

verifying initialization 18-2

virtual sensors

assigning interfaces 18-4

assigning to security context 18-6

virtual sensor sequence 18-3

AIP SSM

bypass mode 18-12

Alarm Channel described 8-2, A-25

alert and log actions (list) 8-4

alert-frequency command 6-7

alert frequency modes B-6

alert-severity

command 6-8

configuring 6-9

allocate-ips command 18-3

allow-sensor-block command 13-7

alternate TCP reset interface configuration restrictions 5-11

alternate TCP reset interfaces

conditions 5-5

described 5-4

alternate TCP reset interfaces (table) 5-4

Analysis Engine

busy D-23

described 7-1

IDM exits D-57

is busy error messages D-23

verify it is running D-20

virtual sensors 7-1

anomaly detection

asymmetric environment 9-1, 9-2

caution 9-1, 9-2

clearing statistics 9-47

configuration sequence 9-5

default configuration (example) 9-4

described 9-2

detect mode 9-3

disabling 9-48, D-19

displaying policy lists 16-20

event actions 9-6, B-48

inactive mode 9-4

learning accept mode 9-3

learning process 9-3

limiting false positives 9-37

protocols 9-2

signatures (table) 9-7, B-49

statistics display 9-47

worm attacks 9-36

worms 9-2

zones 9-4

anomaly-detection

load command 9-41

save command 9-41

anomaly detection operational settings

configuring 9-10, 9-38

described 9-10

anomaly detection policies

copying 9-8

creating 9-8

deleting 9-8

displaying 9-8

editing 9-8

anomaly detection zones

illegal 9-19

internal 9-11

appliances

application partition image 21-12

GRUB menu 16-3, D-9

initializing 3-4

logging in 2-2

password recovery 16-3, D-9

recovering software image 21-27

resetting 16-35

terminal servers

described 2-3, 21-14

setting up 2-3, 21-14

time sources 4-19

upgrading recovery partition 21-6

Application Inspection and Control. See AIC.

application partition

described A-3

image recovery 21-12

application-policy

command 6-18

configuring 6-18

application policy enforcement

described 6-18, B-12

applications in XML format A-2

applying software updates D-53

ARC

ACLs 13-21, A-13

authentication A-14

blocking

application 13-1

connection-based A-17

unconditional blocking A-17

blocking not occurring for signature D-41

block response A-12

Catalyst 6000 series switch

VACL commands A-18

VACLs A-18

Catalyst switches

VACLs A-15

VLANs A-15

checking status 13-3

described A-2

design 13-2

device access issues D-38

enabling SSH D-40

features A-13

firewalls

AAA A-18

connection blocking A-17

NAT A-18

network blocking A-17

postblock ACL A-15

preblock ACL A-15

shun command A-17

TACACS+ A-18

formerly Network Access Controller 13-3

functions 13-1, A-11

illustration A-12

inactive state D-37

interfaces A-13

maintaining states A-16

master blocking sensors A-13

maximum blocks 13-2

misconfigured MBS D-42

nac.shun.txt file A-16

NAT addressing A-14

number of blocks A-14

postblock ACL A-15

preblock ACL A-15

prerequisites 13-4

rate limiting 13-3

responsibilities A-12

single point of control A-14

SSH A-13

supported devices 13-5, A-15

Telnet A-13

troubleshooting D-35

VACLs A-13

verifying device interfaces D-40

verifying status D-36

ARP

Layer 2 signatures B-14

protocol B-14

ARP spoof tools

dsniff B-14

ettercap B-14

ASDM resetting passwords 16-7, D-14

assigning interfaces

AIP SSM 18-4

virtual sensors 7-4

assigning policies

AIP SSM 18-4

virtual sensors 7-4

asymmetric environment and anomaly detection 9-1, 9-2

asymmetric traffic and disabling anomaly detection 9-48, D-19

Atomic ARP engine

described B-14

parameters (table) B-14

Atomic IP engine

described B-14

parameters (table) B-14

Atomic IPv6 engine

described B-15

Neighbor Discovery protocol B-15

signatures B-15

signatures (table) B-16

attack relevance rating

described 8-12

target host OS 8-23

Attack Response Controller

described A-2

formerly known as Network Access Controller A-2

Attack Response Controller. See ARC.

attack severity rating

calculating risk rating 8-11

described 8-11

attemptLimit command 4-17

authenticated NTP 4-19, 4-29

AuthenticationApp

authenticating users A-21

described A-3

login attempt limit A-20

method A-20

responsibilities A-20

secure communications A-21

sensor configuration A-20

authorized keys

defining 4-33

RSA authentication 4-33

automatic upgrades

information required 21-7

troubleshooting D-53

autonegotiation and hardware bypass 5-10

auto-upgrade-option command 21-7

B

backing up

configuration 15-22, D-3

current configuration 15-21, 15-22, D-4, D-5

BackOrifice. See BO.

BackOrifice 2000. See BO2K.

backup-config command 15-18

banner login command 16-10

block-enable command 13-8

block-hosts command 13-31

blocking

addresses never to block 13-18

block time 13-12

described 13-1

disabling 13-9

list of blocked hosts 13-32

managing

firewalls 13-27

routers 13-23

switches 13-26

manual 13-31

master blocking sensor 13-28

maximum entries 13-10

necessary information 13-3

not occurring for signature D-41

prerequisites 13-4

properties 13-6

sensor block itself 13-7

show statistics 13-32

supported devices 13-5

types 13-2

user profiles 13-19

block-networks command 13-31

BO

described B-51

Trojans B-51

BO2K

described B-51

Trojans B-51

bootloader

understanding 21-31

upgrading 21-31

Bug Toolkit

described D-2

URL D-2

bypass mode

AIP SSM 18-12

configuring 5-34

described 5-34

bypass-option command 5-34

C

calculating risk rating

attack severity rating 8-11

watch list rating 8-12

cannot access sensor D-24

capturing live traffic 12-5

Catalyst software

command and control access 19-5

IDSM2

command and control access 19-5

configuring VACLs 19-15

enabling full memory tests 19-40

enabling SPAN 19-11

mls ip ids command 19-18

resetting 19-41

set span command 19-10

supervisor engine commands

supported 19-43

unsupported 19-44

changing passwords 4-15

changing the memory

Java Plug-in on Linux D-56

Java Plug-in on Solaris D-56

Java Plug-in on Windows D-55

checking NM CIDS IPS software status 20-8

cidDump and obtaining information D-93

CIDEE

defined A-33

example A-33

IPS extensions A-33

protocol A-33

supported IPS events A-33

cisco

default password 2-2

default username 2-2

Cisco.com

accessing software 22-2

downloading software 22-1

IPS software 22-1

software downloads 22-1

Cisco IOS software

configuration commands 19-46

EXEC commands 19-45

IDSM2

command and control access 19-7

configuring VACLs 19-16

enabling full memory tests 19-40

enabling SPAN 19-13

mls ip ids command 19-19

resetting 19-42

rate limiting 13-3

SPAN options 19-12

cisco-security-agents-mc-settings command 10-4

Cisco Security Intelligence Operations

described 22-15

URL 22-15

Cisco Services for IPS

service contract 4-39, 22-10

supported products 4-39, 22-10

class-map command 18-9

clear denied-attackers command 8-33, 16-18

clear events command 4-20, 8-39, 16-16, D-17, D-93

clearing

anomaly detection statistics 9-47

denied attackers statistics 8-33, 16-18

events 8-39, 16-16, D-93

OS IDs 8-29

statistics 16-21, D-79

clear line command 16-11

clear os-identification command 8-28

clear password command 16-5, 16-8, D-11, D-14

CLI

command line editing 1-6

command modes 1-7

default keywords 1-10

described A-3, A-26

error messages C-1

generic commands 1-10

introducing 1-1

regular expression syntax 1-8

CLI behavior

case sensitivity 1-6

display options 1-6

help 1-5

prompts 1-5

recall 1-5

tab completion 1-5

clock set command 4-22, 16-17

command 17-17

command and control access

Catalyst software 19-5

Cisco IOS software 19-7

described 19-5

command and control interfaces

described 5-2

list 5-3

command line editing (table) 1-6

command modes

described 1-7

event action rules configuration 1-8

EXEC 1-7

global configuration 1-7

privileged EXEC 1-7

service mode configuration 1-7

signature definition configuration 1-8

commands

access-list 4-5

alert-frequency 6-7

alert-severity 6-8

allocate-ips 18-3

allow-sensor-block 13-7

anomaly-detection load 9-41

anomaly-detection save 9-41

application-policy 6-18

attemptLimit 4-17

auto-upgrade-option 21-7

backup-config 15-18

banner login 16-10

block-enable 13-8

block-hosts 13-31

block-networks 13-31

bypass-option 5-34

cisco-security-agents-mc-settings 10-4

class-map 18-9

clear denied-attackers 8-33, 16-18

clear events 4-20, 8-39, 16-16, D-17, D-93

clear line 16-11

clear os-identification 8-28

clear password 16-5, 16-8, D-11, D-14

clock set 4-22, 16-17

copy ad-knowledge-base 9-41

copy anomaly-detection 9-8

copy backup-config 15-20, 15-22, D-3

copy current-config 15-20, 15-22, D-3

copy event-action-rules 8-7

copy iplog 11-7

copy license-key 4-40, 22-12

copy packet-file 12-6

copy signature-definition 6-1

current-config 15-18

debug module-boot D-67

default service anomaly-detection 9-8

default service event-action-rules 8-7

default service signature-definition 6-1

display-serial 2-5, 16-33

downgrade 21-10

enable-acl-logging 13-13

enable-detail-traps 14-4

enable-nvram-write 13-14

erase 15-23

erase ad-knowledge-base 9-42

erase packet-file 12-7

event-action 6-14

event-action-rules-configurations 16-20

event-counter 6-10

external-zone 9-28

filters 8-18

fragment-reassembly 6-30

ftp-timeout 4-7

global-block-timeout 8-31, 13-12

global-deny-timeout 8-31

global-filters-status 8-31

global-metaevent-status 8-31

global-overrides-status 8-31

global-parameters 7-9

global-summarization 8-31

host-ip 4-3

host-name 4-1

hw-module module 1 recover 18-14

hw-module module 1 reset 18-14, D-67

hw-module module 1 shutdown 18-13

hw-module module slot_number password-reset 16-6, D-12

ignore 9-10

illegal-zone 9-20

inline-interfaces 5-17

interface GigabitEthernet 17-21

interface IDS-Sensor 17-19

interface-notifications 5-35

internal-zone 9-11

ip-access-list 19-16

ip-log 6-38

iplog 11-3

ip-log-bytes 11-2

ip-log-packets 11-2

iplog-status 11-4

ip-log-time 11-2

learning-accept-mode 9-37

list anomaly-detection-configurations 9-8, 16-20

list event-action-rules-configurations 8-7

list signature-definition-configurations 6-1

log-all-block-events-and-errors 13-15

login-banner-text 4-8

max-block-entries 13-10

max-denied-attackers 8-31

max-interfaces 13-16

mls ip ids 19-18, 19-19

more 15-18

more current-config 15-1

never-block-hosts 13-18

never-block-networks 13-18

no iplog 11-6

no service anomaly-detection 9-8

no service event-action-rules 8-7

no service signature-definition 6-1

no target-value 8-13

no variables 8-9

os-identifications 8-25

other 9-17, 9-26, 9-34

overrides 8-14

packet capture 12-4

packet-display 12-2

password 4-11

physical-interfaces 5-12, 5-22, 5-28

ping 16-34

policy-map 18-9

privilege 4-11, 4-15

rename ad-knowledge-base 9-42

reset 16-34

service anomaly-detection 9-8

service event-action-rules 8-7

service-module IDS-Sensor 17-22

service-module ids-sensor slot/port heartbeat reset 17-18

service-module ids-sensor slot/port status 17-16

service-policy 18-9

service signature-definition 6-1

session 2-9, 17-15

set security acl 19-14

set span 19-10

setup 3-1, 3-4, 3-12, 3-19, 3-24, 3-31

show ad-knowledge-base diff 9-44, 9-45

show ad-knowledge-base files 9-40, 9-41

show clock 4-21, 16-16

show configuration 15-1, 15-15

show context 18-6

show events 8-36, 16-13, D-90

show history 16-35

show interfaces 5-36

show inventory 16-36, 17-2, D-72

show ips 18-6

show module 1 details D-66

show os-identification 8-28

show settings 15-3, 15-17, 16-9, 16-37, D-16

show statistics 13-32, 16-20, D-79

show statistics anomaly-detection 9-47

show statistics denied-attackers 8-33, 16-18

show statistics virtual-sensor 16-20, D-23, D-79

show tech-support 16-29, D-73

show users 4-16

show version 16-30, D-76

sig-fidelity-rating 6-11, 6-13

signature-definition-configurations 16-20

snmp-agent-port 14-2

snmp-agent-protocol 14-2

ssh authorized-key 4-33

ssh-generate-key 4-34

ssh host-key 4-31

status 6-12

stream-reassembly 6-37

subinterface-type 5-22, 5-29

summertime-option non-recurring 4-25

summertime-option recurring 4-23

target-value 8-13

tcp 9-12, 9-21, 9-29

telnet-option 4-4

terminal 16-12

time-zone-settings 4-27

tls generate-key 4-38

tls trusted-host 4-36

trace 16-37

trap-community-name 14-4

trap-destinations 14-4

udp 9-15, 9-23, 9-31

upgrade 21-3, 21-6

username 4-11

user-profile 13-19

variables 6-4, 8-9

virtual-sensor name 7-4, 18-4

worm-timeout 9-10

comparing KBs 9-44

configuration files

backing up 15-22, D-3

merging 15-22, D-3

configuration restrictions

alternate TCP reset interface 5-11

inline interface pairs 5-10

inline VLAN pairs 5-11

interfaces 5-10

physical interfaces 5-10

VLAN groups 5-11

configuration sequence

AIM IPS 17-1

AIP SSM 18-1

configured OS mapping (example) 8-25

configuring

access-list 4-5

account locking 4-17

ACL logging 13-13

AIM IPS interfaces 17-5, 17-7, 17-9, 17-10, 17-11, 17-12

alert frequency parameters 6-7

alert severity 6-9

anomaly detection operational settings 9-10, 9-38

application policy 6-18, 6-26

automatic IP logging 11-2

automatic upgrades 21-9

blocking

firewalls 13-27

routers 13-23

switches 13-26

time 13-12

bypass mode 5-34

CSA MC IPS interfaces 10-4

event action filters 8-19

event actions 6-15

event counter 6-10

external zone 9-28

ftp-timeout 4-7

host-ip 4-3

host manual blocks 13-31

host name 4-2

hosts never to block 13-18

illegal zone 9-20

inline interface pairs 5-18

inline VLAN groups 5-29

inline VLAN pairs 5-23

interfaces (sequence) 5-12

internal zone 9-12

IP fragment reassembly 6-30

IP fragment reassembly parameters 6-29, 6-36

IP logging 6-39

logging all blocking events and errors 13-15

logical devices 13-19

login-banner-text 4-8

maintenance partition

IDSM2 (Catalyst software) 21-37

IDSM2 (Cisco IOS software) 21-41

manual IP logging 11-4

master blocking sensor 13-29

maximum block entries 13-11

maximum blocking interfaces 13-17

maximum denied attackers 8-31

meta event generator 8-31

network manual blocks 13-31

networks never to block 13-18

NM CIDS

interfaces 20-3

packet capture 20-5

NTP servers 4-28

NVRAM write 13-14

OS maps 8-26

other protocols

external zone 9-34

illegal zone 9-26

internal zone 9-18

passwords 4-15

privilege 4-15

promiscuous mode 5-14

sensors (task sequence) 1-1

sensor to block itself 13-7

sensor to use NTP 4-29

signature fidelity rating 6-11

status 6-12

summarizer 8-31

summertime

non-recurring 4-25

recurring 4-23

TCP

external zone 9-29

illegal zone 9-21

internal zone 9-13

stream reassembly 6-37

telnet-option 4-4

timezone settings 4-27

traffic flow notifications 5-35

UDP

external zone 9-32

illegal zone 9-23

internal zone 9-15

upgrades 21-4

user profiles 13-20

Web Server settings 4-9

control transactions

characteristics A-8

request types A-7

copy ad-knowledge-base command 9-41

copy anomaly-detection command 9-8

copy backup-config command 15-20, 15-22, D-3

copy command syntax 9-42

copy current-config command 15-20, 15-22, D-3

copy event-action-rules command 8-7

copying

anomaly detection policies 9-8

event action rules policies 8-7

IP log files 11-7

KBs 9-41, 9-43

packet files 12-7

signature definition policies 6-2

copy iplog command 11-7

copy license-key command 4-40, 22-12

copy packet-file command 12-6

copy signature-definition command 6-1

correcting time on the sensor 4-20, D-17

creating

anomaly detection policies 9-8

banner logins 16-10

custom signatures 6-40

event action rules policies 8-7

event action variables 8-10

global parameters 7-9

OS maps 8-26

service account 4-14, D-6

service HTTP signatures 6-45

signature definition policies 6-2

string TCP signatures 6-42

user profiles 13-19

VACLs

Post-Block 13-25

Pre-Block 13-25

virtual sensors 7-4, 7-7

cryptographic account

Encryption Software Export Distribution Authorization from 22-2

obtaining 22-2

CSA MC

configuring IPS interfaces 10-4

host posture events 10-1, 10-3

quarantined IP address events 10-1

supported IPS interfaces 10-3

CtlTransSource

described A-2, A-10

illustration A-11

Ctrl-N 1-5

Ctrl-P 1-5

current-config command 15-18

current configuration

backing up 15-22, D-3

filtering output 15-15

searching output 15-15

custom signatures

configuration sequence 6-40

described 6-3

service HTTP example 6-45

String TCP 6-40

D

data ports restoring defaults 19-28

data structures (examples) A-7

DDoS

protocols B-50

Stacheldraht B-50

TFN B-50

debug logging enabling D-43

debug-module-boot command D-67

default

blocking time 13-12

keywords 1-10

password 2-2

username 2-2

virtual sensor vs0 7-2

default service anomaly-detection command 9-8

default service event-action-rules command 8-7

default service signature-definition command 6-1

defining authorized keys 4-33

deleting

anomaly detection policies 9-8

denied attackers list 8-33, 16-18

event action rules policies 8-7

event action variables 8-10

inline interface pairs 5-20

inline VLAN pairs 5-26

OS maps 8-28

signature definition policies 6-2

signature variables 6-4

target value ratings 8-13

VLAN groups 5-33

Denial of Service. See DoS.

deny actions (list) 8-4

deny-packet-inline described 8-6, B-9

detect mode (anomaly detection) 9-3

device access issues D-38

diagnosing network connectivity 16-34

directing output to serial port 2-5, 16-33

disabling

anomaly detection 9-48, D-19

blocking 13-9

ECLB (Cisco IOS software) 19-36

password recovery 16-9, D-15

signatures 6-12

disaster recovery D-7

displaying

AIM IPS status 17-16

anomaly detection

policies 9-8

policy lists 16-20

statistics 9-47

contents of logical file 15-19

current configuration 15-1

current submode configuration 15-3

event action rules policies 8-7

event actions rules lists 16-20

events 8-37, 16-14, D-91

interface statistics 5-37

IP log contents 11-5

KB files 9-40

KB thresholds 9-45

live traffic 12-3

OS IDs 8-29

password recovery setting 16-9, D-16

PEP information 16-36

policy lists 16-20

signature definition lists 16-20

statistics 16-21, D-79

submode settings 16-37

system clock 4-21, 16-16

tech support information 16-30, D-74

version 16-31, D-76

display-serial

command 2-5, 16-33

supported platforms 2-5, 16-33

Distributed Denial of Service. See DDoS.

DoS tools (stick) B-6

downgrade command 21-10

downgrading sensors 21-11

downloading software 22-1

duplicate IP addresses D-27

E

ECLB

described 19-25

disabling (Cisco IOS software) 19-36

options 19-29

promiscuous mode 19-29

requirements 19-29

sensing modes 19-26

editing

anomaly detection policies 9-8

event action rules policies 8-7

event action variables 8-10

signature definition policies 6-2

signature variables 6-4

target value ratings 8-13

enable-acl-logging command 13-13

enable-detail-traps command 14-4

enable-nvram-write command 13-14

enabling

full memory tests

Catalyst software 19-40

Cisco IOS software 19-40

signatures 6-12

SPAN

Catalyst software 19-11

Cisco IOS software 19-13

enabling debug logging D-43

Encryption Software Export Distribution Authorization form

cryptographic account 22-2

described 22-2

engines

AIC 6-17

Master B-4

Sweep B-45

erase ad-knowledge-base command 9-42

erase command 15-23

erase packet-file command 12-7

erasing

current configuration 15-23

KBs 9-41, 9-43

packet files 12-7

error messages

Analysis Engine is busy D-23

described C-1

validation C-5

EtherChannel Load Balancing. See ECLB.

event-action command 6-14

event action filters described 8-17

event action overrides described 8-14

event action rules

example 8-35

functions 8-1

lists 16-20

task list 8-7

understanding 8-1

event action rules policies

copying 8-7

creating 8-7

deleting 8-7

displaying 8-7

editing 8-7

event actions

configuring 6-15

deny attackers inline 8-31

described B-7

table B-7

event-counter

command 6-10

configuring 6-10

events

displaying 8-37, 16-14, D-91

host posture 10-2

quarantined IP address 10-2

Event Store

clearing events 4-20, D-17

data structures A-7

described A-2

examples A-6

responsibilities A-6

timestamp A-6

event types D-90

event variables

described 8-9

example 8-9

examples

ASA failover configuration D-69

external product interfaces

adding 10-5

described 10-1

issues 10-3, D-21

troubleshooting 10-8, D-21

external zone

configuring 9-28

configuring other protocols 9-34

configuring TCP 9-29

configuring UDP 9-32

described 9-28

external-zone command 9-28

F

fail-over testing 5-9

false positives described 6-3

files

IDSM2 password recovery 16-4, D-11

upgrade 21-3

filtering

current configuration 15-15

submode configuration 15-17

filters command 8-18

finding serial number 17-2, D-72

Flood engine described B-16

Flood Host engine parameters (table) B-16

Flood Net engine parameters (table) B-17

fragment-reassembly command 6-30

FTP servers supported 21-2

ftp-timeout

command 4-7

configuring 4-7

G

generating

SSH server host key 4-34

TLS certificate 4-38

generic commands 1-10

global-block-timeout command 8-31, 13-12

global correlation

Produce Alert 8-4

global-deny-timeout command 8-31

global-filters-status command 8-31

global-metaevent-status command 8-31

global-overrides-status command 8-31

global parameters

adding 7-9

creating 7-9

maximum open IP logs 7-9

options 7-9

global-parameters command 7-9

global-summarization command 8-31

GRUB menu password recovery 16-3, D-9

H

H.225.0 protocol B-27

H.323 protocol B-27

hardware bypass

autonegotiation 5-10

configuration restrictions 5-9

fail-over 5-9

IPS 4260 5-8

IPS 4270-20 5-8

supported configurations 5-9

with software bypass 5-9

help

question mark 1-5

using 1-5

host-ip

command 4-3

configuring 4-3

host-name

command 4-1

configuring 4-2

host posture events

CSA MC 10-3

described 10-2

HTTP/HTTPS servers supported 21-2

HTTP deobfuscation

ASCII normalization 6-43, B-30

described 6-43, B-30

hw-module module 1 recover command 18-14

hw-module module 1 reset command 18-14, D-67

hw-module module 1 shutdown command 18-13

hw-module module slot_number password-reset command 16-6, D-12

I

IDAPI

communications A-3, A-29

described A-3

functions A-29

illustration A-29

responsibilities A-29

IDCONF

described A-32

example A-32

RDEP2 A-32

XML A-32

IDIOM

defined A-31

messages A-31

IDM

Analysis Engine is busy D-57

certificates 4-35

Java Plug-in D-55

memory D-55

TLS and SSL 4-35

will not load D-57

IDS 4215

BIOS upgrade 21-18

installing system image 21-16

ROMMON upgrade 21-18

upgrading

BIOS 21-18

ROMMON 21-18

IDSM2

administrative tasks 19-39

capturing IPS traffic

described 19-14

mls ip ids command 19-18

SPAN 19-10

Catalyst software

command and control access 19-5

inline mode 19-20

inline VLAN pair mode 19-23

Cisco IOS software

command and control access 19-7

inline mode 19-21

inline VLAN pair mode 19-24

command and control

access 19-5

port 19-9

command and control access 19-7

command and control port D-64

configuration tasks 19-1

configuring

command and control access 19-5

ECLB 19-29, 19-31, 19-34

ECLB inline mode 19-27

ECLB inline VLAN pair mode 19-26

ECLB promiscuous mode 19-26

inline mode 19-20, 19-21

inline VLAN pair mode 19-24

inline VLAN pair mode (Catalyst software) 19-23

load balancing 19-29, 19-31, 19-34

maintenance partition (Catalyst software) 21-37

maintenance partition (Cisco IOS software) 21-41

mls ip ids command 19-18

sequence 19-1

SPAN 19-10

tasks 19-1

configuring VACLs

Catalyst software 19-15

Cisco IOS software 19-16

disabling

ECLB (Catalyst software) 19-36

ECLB (Cisco IOS software) 19-36

ECLB

disabling (Catalyst software) 19-36

disabling (Cisco IOS software) 19-36

requirements 19-29

verifying (Catalyst software) 19-37

verifying (Cisco IOS software) 19-38

enabling full memory tests

Catalyst software 19-40

Cisco IOS software 19-40

initializing 3-12

inline mode

Catalyst software 19-20

Cisco IOS software 19-21

described 19-8, 19-20

requirements (Catalyst software) 19-20, 19-23

inline VLAN pair mode

Catalyst software 19-23

Cisco IOS software 19-24

described 19-8, 19-22

installing

system image (Catalyst software) 21-34

system image (Cisco IOS software) 21-35

logging in 2-5

mixing sensing modes 19-8

mls ip ids command

Catalyst software 19-18

Cisco IOS software 19-19

described 19-9

monitoring ports 19-9

not online D-64

password recovery 16-4, D-11

password recovery image file 16-4, D-11

promiscuous mode 19-8, 19-9

reimaging 21-34

resetting

Catalyst software 19-41

Cisco IOS software 19-42

described 19-41

restoring data port defaults 19-28

sensing ports 19-14

set span command 19-10

setup command 3-12

supported configurations 19-5, D-60

supported supervisor engine commands 19-43

TCP reset port 19-9, 19-10, 19-14, D-65

time sources 4-19

unsupported supervisor engine commands 19-44

upgrading

maintenance partition (Catalyst software) 21-44

maintenance partition (Cisco IOS software) 21-45

VACLs

configuring 19-14

described 19-14

verifying

ECLB (Catalyst software) 19-37

ECLB (Cisco IOS software) 19-38

verifying installation 19-3

IDS-Sensor interface ip unnumbered 17-5, 17-7

ignore command 9-10

illegal zone

configuring 9-20

configuring other protocols 9-26

configuring TCP 9-21

configuring UDP 9-23

described 9-19

protocols 9-19

illegal-zone command 9-20

inactive mode (anomaly detection) 9-4

initialization

verifying 3-37

verifying (AIP SSM) 18-2

initializing

AIM IPS 3-19

AIP SSM 3-24

appliances 3-4

IDSM2 3-12

NM CIDS 3-31

sensors 3-1

inline interface pair mode described 5-16

inline interface pairs

configuration restrictions 5-10

configuring 5-18

deleting 5-20

inline-interfaces command 5-17

inline mode (IDSM2) 19-8

inline VLAN groups configuration 5-29

inline VLAN pair mode

described 5-21

supported sensors 5-21

inline VLAN pair mode (IDSM2) 19-8

inline VLAN pairs

configuration restrictions 5-11

configuring 5-23

deleting 5-26

installer major version 22-5

installer minor version 22-5

installing

license key 4-41, 22-14

sensor license 22-11

system image

AIP SSM 21-49

IDS 4215 21-16

IDSM2 (Catalyst software) 21-34

IDSM2 (Cisco IOS software) 21-35

IPS 4240 21-20

IPS 4255 21-20

IPS 4260 21-23

IPS 4270-20 21-25

InterfaceApp

described A-19

interactions A-19

NIC drivers A-19

InterfaceApp described A-2

interface configuration sequence 5-12

interface GigabitEthernet command 17-21

interface IDS-Sensor command 17-19

interface-notifications command 5-35

interfaces

AIM IPS 17-4

alternate TCP reset 5-2, 5-4

command and control 5-2

configuration restrictions 5-10

described 5-2

displaying live traffic 12-3

port numbers 5-2

sensing 5-2, 5-3

slot numbers 5-2

VLAN groups 5-2

interface statistics display 5-37

interface support (table) 5-5

internal zone

configuring 9-12

configuring other protocols 9-18

configuring TCP 9-13

configuring UDP 9-15

described 9-11

protocols 9-11

internal-zone command 9-11

introducing the CLI 1-1

ip-access-list command 19-16

IP fragmentation described B-20

IP fragment reassembly

described 6-27

parameters (table) 6-28

signatures (table) 6-28

ip-log-bytes command 11-2

ip-log command 6-38

iplog command 11-3

IP log contents

displaying 11-5

viewing 11-5

IP log files copying 11-7

IP logging

automatic 11-2

configuring 11-1

copying files 11-7

described 6-38, 11-1

manual 11-4

ip-log-packets command 11-2

iplog-status command 11-4

ip-log-time command 11-2

IPS

external communications A-30

internal communications A-29

IPS 4240

installing system image 21-20

password recovery 16-3

reimaging 21-20

router speed D-23

IPS 4255

installing system image 21-20

password recovery 16-3

reimaging 21-20

IPS 4260

hardware bypass 5-8

installing system image 21-23

reimaging 21-23

IPS 4270-20

hardware bypass 5-8

installing system image 21-25

reimaging 21-25

IPS appliances

Deny Connection Inline 8-6, D-71

Deny Packet Inline 8-6, D-71

Reset TCP Connection 8-6, D-71

TCP reset packets 8-6, D-71

IPS applications

summary A-34

table A-34

XML format A-2

IPS data

types A-7

XML document A-8

IPS events

listed A-8

types A-8

IPS modules and time synchronization 4-20

IPS software

application list A-2

available files 22-1

configuring device parameters A-4

directory structure A-33

Linux OS A-1

new features A-3

obtaining 22-1

platform-dependent release examples 22-6

retrieving data A-4

security features A-5

tuning signatures A-4

updating A-4

user interaction A-4

versioning scheme 22-3

IPS software file names

major updates (illustration) 22-4

minor updates (illustration) 22-4

patch releases (illustration) 22-4

service packs (illustration) 22-4

ip unnumbered command 17-5, 17-7

IPv6 described B-15

J

Java Plug-in

Linux D-56

Solaris D-56

Windows D-55

K

KB

file display 9-40

threshold display 9-45

KBs

comparing 9-44

copying 9-41, 9-43

described 9-3

erasing 9-41, 9-43

histogram 9-36

initial baseline 9-3

loading 9-41

manually loading 9-41

manually saving 9-41

renaming 9-41, 9-43

saving 9-41

scanner threshold 9-36

tree structure 9-36

keywords

default 1-10

no 1-10

Knowledge Base. See KB.

L

learning accept mode (anomaly detection) 9-3

learning-accept-mode command 9-37

license key

installing 4-41, 22-14

status 4-39, 22-9

trial 4-39, 22-9

licensing

described 4-39, 22-9

IPS device serial number 4-39, 22-9

Licensing pane described 22-11

limitations on concurrent CLI sessions 1-3, 2-1, 17-1

list anomaly-detection-configurations command 9-8, 16-20

list event-action-rules-configurations command 8-7, 16-20

list of blocked hosts 13-32

list signature-definition-configurations command 6-1, 16-20

load balancing options 19-29

loading KBs 9-41

locked account reset 4-15

log-all-block-events-and-errors command 13-15

LogApp

described A-2, A-19

functions A-19

syslog messages A-19

logging in

AIM IPS 2-9, 17-15

AIP SSM 2-10

appliances 2-2

IDSM2 2-5

NM CIDS 2-6

sensors

SSH 2-12

Telnet 2-12

service role 2-2

terminal servers 2-3, 21-14

user role 2-1

login-banner-text

command 4-8

configuring 4-8

LOKI

described B-50

protocol B-50

M

MainApp

applications A-6

described A-2

host statistics A-5

responsibilities A-5

show version command A-5

maintenance partition

configuring

IDSM2 (Catalyst software) 21-37

IDSM2 (Cisco IOS software) 21-41

described A-3

major updates described 22-3

managing

firewalls 13-27

routers 13-23

switches 13-26

manual blocking 13-31

manual block to bogus host D-40

manually

loading KBs 9-41

saving KBs 9-41

master blocking sensor described 13-28

Master engine

alert frequency B-6

alert frequency parameters (table) B-6

described B-3

event actions B-7

general parameters (table) B-4

universal parameters B-4

master engine parameters

obsoletes B-6

promiscuous delta B-5

vulnerable OSes B-6

max-block-entries command 13-10

max-denied-attackers command 8-31

maximum open IP logs 7-9

max-interfaces command 13-16

MBS not set up properly D-42

memory (IDM) D-55

merging configuration files 15-22, D-3

Meta engine

described 6-46, B-17

parameters (table) B-18

Signature Event Action Processor 6-46, B-17

MIBs supported 14-6, D-18

minor updates described 22-3

mls ip ids command

described 19-18

IDSM2 19-18

modes

anomaly detection detect 9-3

anomaly detection inactive 9-4

anomaly detection learning accept 9-3

bypass 5-34

inline interface pair 5-16

inline VLAN pair 5-21

promiscuous 5-16

VLAN groups 5-27

modifying terminal properties 16-12

modify packets inline modes 7-3

monitoring and viewer privileges 1-4, A-27

more command 15-18

more current-config command 15-1

moving OS maps 8-27

Multi String engine

described B-18

parameters (table) B-19

Regex B-18

N

NAT and AIM IPS 17-5

Neighborhood Discovery

options B-15

types B-15

Network Access Controller. See NAC.

Network Timing Protocol. See NTP.

never-block-hosts command 13-18

never-block-networks command 13-18

NM CIDS

bootloader

file 21-31

overview 21-31

checking IPS software status 20-8

configuration tasks 20-1

configuring

ids-sensor interfaces 20-2

interfaces 20-3

packet capture 20-5

initializing 3-31

logging in 2-6

packet monitoring 20-5

password recovery 16-5, D-11

rebooting 20-7

reimaging 21-28, 21-29

reload command 20-7

reset command 20-7

session command 20-2

setup command 3-31

shutdown command 20-7

supported Cisco IOS software commands 20-8

system image file 21-28

telneting to the router 20-5

upgrading bootloader 21-31

no iplog command 11-6

Normalizer engine

described B-20

IP fragment reassembly B-20

parameters (table) B-22

TCP stream reassembly B-20

no service anomaly-detection command 9-8

no service event-action-rules command 8-7

no service signature-definition command 6-1

no target-value command 8-13

NotificationApp

alert information A-8

described A-3

functions A-8

SNMP gets A-8

SNMP traps A-8

statistics A-10

system health information A-9

no variables command 8-9

NTP

authenticated 4-19, 4-29

configuring servers 4-28

described 4-18

incorrect configuration D-49

sensor time source 4-28, 4-29

time synchronization 4-18

unauthenticated 4-19, 4-29

O

obsoletes field

described B-6

obtaining

command history 16-35

cryptographic account 22-2

IPS software 22-1

list of blocked hosts and connections 13-32

used commands list 16-35

operator privileges 1-4, A-27

os-identifications command 8-25

OS IDs

clearing 8-29

displaying 8-29

OS maps

creating 8-26

deleting 8-28

moving 8-27

other actions (list) 8-5

other command 9-17, 9-26, 9-34

output

clearing current line 1-6

displaying 1-6

overrides command 8-14

P

packet capture command 12-4

packet display command 12-2

partitions

application A-3

maintenance A-3

recovery A-3

passive OS fingerprinting

components 8-23

configuring 8-24

described 8-23

password command 4-11

password recovery

AIP SSM 16-5, D-12

appliances 16-3, D-9

described 16-2, D-8

disabling 16-9, D-15

GRUB menu 16-3, D-9

IDSM2 16-4, D-11

IPS 4240 16-3

IPS 4255 16-3

NM CIDS 16-5, D-11

platforms 16-2, D-8

ROMMON 16-3, D-10

troubleshooting 16-10, D-16

verifying 16-9, D-16

passwords

changing 4-15

configuring 4-15

patch releases described 22-3

peacetime learning (anomaly detection) 9-3

PEP information

PID 16-36

SN 16-36

VID 16-36

physical connectivity issues D-30

physical-interfaces command 5-12, 5-22, 5-28

physical interfaces configuration restrictions 5-10

ping command 16-34

platforms and concurrent CLI sessions 1-3, 2-1, 17-1

policy lists display 16-20

policy-map command 18-9

Post-Block ACLs 13-21, 13-22

Pre-Block ACLs 13-21, 13-22

prerequisites for blocking 13-4

privilege

command 4-11, 4-15

configuring 4-15

promiscuous delta

described B-5

promiscuous delta described 8-12

promiscuous mode

configuring 5-14, 5-16

described 5-16

ECLB 19-29

IDSM2 19-8

packet flow 5-16

prompts and default input 1-5

protocols

ARP B-14

CIDEE A-33

DCE B-32

DDoS B-50

H.323 B-27

H225.0 B-27

IPv6 B-15

LOKI B-50

MSSQL B-33

Neighborhood Discovery B-15

Q.931 B-27

RPC B-32

Q

Q.931 protocol

described B-27

SETUP messages B-27

quarantined IP address events described 10-2

R

rate limiting

described 13-3

routers 13-3

supported signatures 13-3

RBCP (AIM IPS) 17-17

RDEP2

described A-30

functions A-30

messages A-30

responsibilities A-30

rebooting

AIM IPS 17-17

NM CIDS 20-7

recall

help and tab completion 1-5

using 1-5

recover command 21-11

recovering

AIP SSM D-67

application partition image 21-12

recovery/upgrade CD 21-27

recovery partition

described A-3

upgrading 21-6

Regular Expression. See Regex.

regular expression syntax

described 1-8

signatures B-9

table 1-8

reimaging

AIP SSM 21-49

appliances 21-11

described 21-1

IDS 4215 21-16

IDSM2 21-34

IPS 4240 21-20

IPS 4255 21-20

IPS 4260 21-23

IPS 4270-20 21-25

NM CIDS 21-29

sensors 21-1, 22-8

service-module ids-sensor slot/port 17-17

removing last applied upgrade 21-11

rename ad-knowledge-base command 9-42

renaming KBs 9-41, 9-43

reset command 16-34

reset not occurring for a signature D-49

resetting

AIM IPS 17-17

AIP SSM D-67

appliances 16-35

heartbeat (AIM IPS) 17-18

IDSM2 19-41

passwords

ASDM 16-7, D-14

hw-module command 16-6, D-12

resetting the password

AIP SSM 16-6, D-12

restoring

data port defaults 19-28

restoring the current configuration 15-21, 15-22, D-4, D-5

retiring signatures 6-12

retrieving events through RDEP2 (illustration) A-30

risk rating

calculating 8-11

described 8-23

example 8-35

ROMMON

described 21-14

IDS 4215 21-16

IPS 4240 21-20

IPS 4255 21-20

IPS 4260 21-23

IPS 4270-20 21-25

password recovery 16-3, D-10

remote sensors 21-14

serial console port 21-14

TFTP 21-14

round-trip time. See RTT.

RPC portmapper B-34

RSA authentication and authorized keys 4-33

RTT

described 21-14

TFTP limitation 21-14

S

saving KBs 9-41

scheduling automatic upgrades 21-9

SDEE

defined A-32

HTTP A-32

protocol A-32

Server requests A-32

searching

current configuration 15-15

submode configuration 15-17

security

account locking 4-17

information on Cisco Security Intelligence Operations 22-15

SSH 4-31

security policies described 6-1, 8-1, 9-2

sending commands through RDEP2 (illustration) A-31

sensing interfaces

described 5-3

modes 5-3

PCI cards 5-3

SensorApp

Alarm Channel A-24

Analysis Engine A-24

described A-3

packet flow A-24

processors A-23

responsibilities A-23

Signature Event Action Processor A-23

sensors

access problems D-24

asymmetric traffic and disabling anomaly detection 9-48, D-19

configuration task sequence 1-1

configuring to use NTP 4-29

corrupted SensorApp configuration D-34

disaster recovery D-7

downgrading 21-11

incorrect NTP configuration D-49

initializing 3-1

interface support 5-5

IP address conflicts D-27

license 22-11

logging in

SSH 2-12

Telnet 2-12

managing

firewalls 13-27

routers 13-23

switches 13-26

misconfigured access lists D-26

no alerts D-31, D-59

not seeing packets D-33

NTP time source 4-29

NTP time synchronization 4-18

partitions A-3

physical connectivity D-30

preventive maintenance D-2

process not running D-28

recovering the system image 22-8

reimaging 21-1, 22-8

sensing process not running D-28

setup command 3-1, 3-4

system images 22-8

time sources 4-18

troubleshooting software upgrades D-54

using NTP time source 4-28

serial connection and supported platforms 2-5, 16-33

serial number and show inventory command 17-2, D-72

service account

creating 4-14, D-6

described 4-13, A-28, D-5

privileges 1-4, A-27

TAC A-28

troubleshooting A-28

service anomaly-detection command 9-8

Service DNS engine

described B-24

parameters (table) B-24

Service engine

described B-23

Layer 5 traffic B-23

service event-action-rules command 8-7

Service FTP engine

described B-25

parameters (table) B-25

PASV port spoof B-25

Service Generic Advanced engine described B-27

Service Generic engine

described B-26

parameters (table) B-26

Service H225 engine

ASN.1PER validation B-27

described B-27

features B-28

parameters (table) B-28

TPKT validation B-27

Service HTTP engine

described 6-43, B-29

parameters (table) B-30

Service IDENT engine

described B-31

parameters (table) B-32

service-module IDS-Sensor command 17-22

service-module ids-sensor slot/port heartbeat reset command 17-18

service-module ids-sensor slot/port status command 17-16

Service MSRPC engine

DCE/RPC protocol B-32

described B-32

parameters (table) B-33

Service MSSQL engine

described B-33

MSSQL protocol B-33

parameters (table) B-33

Service NTP engine

described B-34

parameters (table) B-34

service packs described 22-3

service-policy command 18-9

service privileges 1-4, A-27

service role 1-4, 2-2, A-27

Service RPC engine

described B-34

parameters (table) B-34

RPC portmapper B-34

service signature-definition command 6-1

Service SMB Advanced engine

described B-37

parameters (table) B-37

Service SMB engine

described B-35

parameters (table) B-35

Service SNMP engine

described B-39

parameters (table) B-39

Service SSH engine

described B-40

parameters (table) B-40

Service TNS engine

described B-40

parameters (table) B-41

session command

AIM IPS 2-9, 17-14

AIP SSM 2-10

described 2-9

IDSM2 2-5

NM CIDS 2-6

session command described 17-15

sessioning

AIM IPS 2-9, 17-15

AIP SSM 2-10

IDSM2 2-6

NM CIDS 2-7

set security acl command 19-14

setting system clock 4-22, 16-17

setting up a terminal server 2-3, 21-14

setup command 3-1, 3-4, 3-12, 3-19, 3-24, 3-31

show ad-knowledge-base diff command 9-44, 9-45

show ad-knowledge-base files command 9-40, 9-41

show clock command 4-21, 16-16

show configuration command 15-1, 15-15

show context command 18-6

show events command 8-36, 16-13, D-90

show history command 16-35

show interfaces command 5-36, D-88

show inventory command 16-36, 17-2, D-72

show ips command 18-6

show module 1 details command D-66

show module command 18-2

show os-identification command 8-28

show settings command 15-3, 15-17, 16-9, 16-37, D-16

show statistics anomaly-detection command 9-47

show statistics command 13-32, 16-20, D-78, D-79

show statistics denied-attackers command 8-33, 16-18

show statistics virtual-sensor command 16-20, D-23, D-79

show tech-support command 16-29, D-73

show tech-support command output D-74

show users command 4-16

show version command 16-30, D-76

shutting down AIM IPS 17-17

sig-fidelity-rating command 6-11, 6-13

signature/virus update files described 22-4

signature definition list display 16-20

signature definition policies

copying 6-2

creating 6-2

deleting 6-2

editing 6-2

signature engines

AIC B-12

Atomic B-13

Atomic ARP B-14

Atomic IP B-14

Atomic IPv6 B-15

described B-1

Flood B-16

Flood Host B-16

Flood Net B-17

list B-2

Master B-4

Meta 6-46, B-17

Multi String B-18

Normalizer B-20

Regex

patterns B-10

syntax B-9

Service B-23

Service DNS B-24

Service FTP B-25

Service Generic B-26

Service Generic Advanced B-27

Service H225 B-27

Service HTTP 6-43, B-29

Service IDENT B-31

Service MSRPC B-32

Service MSSQL B-33

Service NTP engine B-34

Service RPC B-34

Service SMB B-35

Service SMB Advanced B-37

Service SNMP B-39

Service SSH engine B-40

Service TNS B-40

State B-41

String 6-40, B-43

Sweep B-46

Sweep Other TCP B-48

Traffic Anomaly 9-6, B-48

Traffic ICMP B-50

Trojan B-51

signature engine update files described 22-5

Signature Event Action Filter

described 8-2, A-25

parameters 8-2, A-25

Signature Event Action Handler described 8-3, A-25

Signature Event Action Override described 8-2, A-25

Signature Event Action Processor

Alarm Channel 8-2

alarm channel A-25

components 8-2, A-25

described 8-2, A-23, A-25

figure A-25

flow of signature events 8-3, A-25

illustration 8-3

signature fidelity rating

configuring 6-11

described 8-11

signatures

custom 6-3

default 6-3

described 6-3

false positives 6-3

no TCP reset D-49

rate limits 13-3

string TCP 6-42

subsignatures 6-3

tuned 6-3

signature variables

adding 6-4

deleting 6-4

described 6-4

editing 6-4

SNMP

configuring

agent parameters 14-2

traps 14-4

described 14-1

general parameters 14-2

Get 14-1

GetNext 14-1

Set 14-1

supported MIBs 14-6, D-18

trap 14-1

snmp-agent-port command 14-2

snmp-agent-protocol command 14-2

SNMP traps described 14-1

software architecture

ARC (illustration) A-12

IDAPI (illustration) A-29

RDEP2 (illustration) A-30

software bypass

supported configurations 5-9

with hardware bypass 5-9

software downloads Cisco.com 22-1

software file names

recovery (illustration) 22-5

signature/virus updates (illustration) 22-4

signature engine updates (illustration) 22-5

system image (illustration) 22-5

software release examples

platform-dependent 22-6

platform identifiers 22-7

platform-independent 22-6

software updates

supported FTP servers 21-2

supported HTTP/HTTPS servers 21-2

SPAN

configuring 19-10

options 19-12

port issues D-30

specifying worm timeout 9-10, 9-38

SSH

adding hosts 4-32

security 4-31

understanding 4-31

ssh authorized-key command 4-33

ssh generate-key command 4-34

ssh host-key command 4-31

SSH known hosts list adding hosts 4-31

SSH Server

host key generation 4-34

private keys A-21

public keys A-21

standards

CIDEE A-33

IDCONF A-32

SDEE A-32

State engine

Cisco Login B-41

described B-41

LPR Format String B-41

parameters (table) B-42

SMTP B-41

status command 6-12

stopping IP logging 11-6

stream-reassembly command 6-37

String engine described 6-40, B-43

String ICMP engine parameters (table) B-43

String TCP engine

options 6-40

parameters (table) B-44

signature 6-40

String UDP engine parameters (table) B-45

subinterface 0 described 5-27

subinterface-type command 5-22, 5-29

submode configuration

filtering output 15-17

searching output 15-17

subsignatures described 6-3

summarization

described 8-30

fire-all 8-30

fire-once 8-31

global-summarization 8-31

Meta engine 8-30

summary 8-30

summertime

configuring

non-recurring 4-25

recurring 4-23

summertime-option non-recurring command 4-25

summertime-option recurring command 4-23

supervisor engine commands

supported 19-43

unsupported 19-44

supported Cisco IOS software commands (NM CIDS) 20-8

supported FTP servers 21-2

supported IPS interfaces (CSA MC) 10-3

Sweep engine

described B-45, B-46

parameters (table) B-46, B-48

Sweep Other TCP engine described B-48

switch commands for troubleshooting D-61

syntax and case sensitivity 1-6

system architecture

directory structure A-33

supported platforms A-1

system clock

displaying 4-21, 16-16

setting 4-22, 16-17

System Configuration Dialog

described 3-1

example 3-2

system design (illustration) A-1

system images

installing

IDSM2 (Cisco IOS software) 21-35

IPS 4240 21-20

IPS 4255 21-20

sensors 22-8

T

tab completion use 1-5

TAC

PEP information 16-36

service account 4-13, A-28, D-5

show tech-support command 16-29, D-73

target-value command 8-13

target value rating

described 8-12, 8-13

settings 8-13

tasks

configuring AIM IPS 17-1

configuring IDSM2 19-1

configuring NM CIDS 20-1

configuring the sensor 1-1

tcp command 9-12, 9-21, 9-29

TCP fragmentation described B-20

TCP reset

not occurring D-49

TCP resets

IDSM2 port 19-10, D-65

TCP stream reassembly

described 6-31

parameters (table) 6-32, 6-36

signatures (table) 6-32, 6-36

telnet (NM CIDS) 20-5

telnet-option

command 4-4

configuring 4-4

terminal

command 16-12

modifying length 16-12

server setup 2-3, 21-14

terminating CLI session 16-11

testing fail-over 5-9

TFN2K

described B-50

Trojans B-51

TFTP servers

maximum file size limitation 21-14

RTT 21-14

threat rating described 8-12

time

correcting on the sensor 4-20, D-17

sensor 4-18

synchronization on IPS modules 4-20

time sources

AIM IPS 4-19

AIP SSM 4-19

appliances 4-19

IDSM2 4-19

time-zone-settings

command 4-27

configuring 4-27

TLS

certificate generation 4-38

certificates 4-35

handshaking 4-36

understanding 4-35

tls generate-key command 4-38

tls trusted-host command 4-36

trace

command 16-37

IP packet route 16-37

Traffic Anomaly engine

described 9-6, B-48

protocols 9-6, B-48

signatures 9-6, B-48

traffic flow notifications

configuring 5-35

described 5-35

Traffic ICMP engine

DDoS B-50

described B-50

LOKI B-50

parameters (table) B-50

TFN2K B-50

Transport Layer Security. See TLS.

trap-community-name 14-4

trap-destinations command 14-4

trial license key 4-39, 22-9

Tribe Flood Network. See TFN.

Tribe Flood Network 2000. See TFN2K.

Trojan engine

BO2K B-51

described B-51

TFN2K B-51

Trojans

BO B-51

BO2K B-51

LOKI B-50

TFN2K B-51

troubleshooting

accessing files on FTP site D-94

AIP SSM

commands D-66

debugging D-67

failover scenarios D-68

recovering D-67

reset D-67

Analysis Engine busy D-57

applying software updates D-53

ARC

blocking not occurring for signature D-41

device access issues D-38

enabling SSH D-40

inactive state D-37

misconfigured MBS D-42

procedures D-35

verifying device interfaces D-40

automatic updates D-53

cannot access sensor D-24

cidDump D-93

cidLog messages to syslog D-48

communication D-24

corrupted SensorApp configuration D-34

debug logger zone names (table) D-47

debug logging D-43

disaster recovery D-7

duplicate sensor IP addresses D-27

enabling debug logging D-43

external product interfaces 10-8, D-21

faulty DIMMs D-35

gathering information D-72

IDM

cannot access sensor D-58

will not load D-57

IDSM2

command and control port D-64

diagnosing problems D-59

not online D-63, D-64

serial cable D-65

status indicator D-61

switch commands D-61

IPS 4240 router speed D-23

IPS and PIX devices D-22

manual block to bogus host D-40

misconfigured access list D-26

no alerts D-31, D-59

normalizer inline mode D-22

NTP D-49

password recovery 16-10, D-16

physical connectivity issues D-30

preventive maintenance D-2

procedures D-1

reset not occurring for a signature D-49

sensing process not running D-28

sensor events D-90

sensor not seeing packets D-33

sensor software upgrade D-54

service account 4-13, D-5

show events command D-89

show interfaces command D-88

show statistics command D-78

show tech-support command D-73, D-74

show version command D-76

software upgrade

IDS 4235 D-52

IDS 4250 D-52

SPAN port issue D-30

upgrading from 5.x to 6.0 D-51

uploading files to FTP site D-94

verifying Analysis Engine is running D-20

verifying ARC status D-36

trusted hosts adding 4-37

tuned signatures described 6-3

U

udp command 9-15, 9-23, 9-31

unassigned VLAN groups described 5-27

unauthenticated NTP 4-19, 4-29

unsupported supervisor engine commands 19-44

upgrade

command 21-3, 21-6

files 21-3

upgrading

5.x to 6.0 22-7

files 21-3

from 5.x to 6.0 D-51

maintenance partition

IDSM2 (Catalyst software) 21-44

IDSM2 (Cisco IOS software) 21-45

minimum required version 22-7

recovery partition 21-6, 21-11

URLs for Cisco Security Intelligence Operations 22-15

username command 4-11

user-profile command 13-19

user profiles 13-19

user roles

administrator 1-3, A-27

operator 1-3, A-27

service 1-3, A-27

viewer 1-3, A-27

users

adding 4-11

removing 4-11

using

alternate TCP reset interface 5-5

debug logging D-43

V

VACLs

described 13-2

IDSM2 19-14

Post-Block 13-25

Pre-Block 13-25

validation error messages described C-5

variables command 6-4, 8-9

verifying

ECLB (Catalyst software) 19-37

ECLB (Cisco IOS software) 19-38

IDSM2 installation 19-3

installation

AIM IPS 17-2, D-72

NME IPS D-72

password recovery 16-9, D-16

sensor initialization 3-37

sensor setup 3-37

viewer privileges 1-4, A-27

viewing

IP log contents 11-5

user information 4-17

virtual-sensor name command 7-4, 18-4

virtual sensors

adding 7-4, 7-7, 18-4

assigning interfaces 7-4

assigning policies 7-4

creating 7-4, 7-7, 18-4

default virtual sensor 7-2

described 7-1

displaying KB files 9-40

options 7-4, 18-4

stream segregation 7-3

VLAN groups

802.1q encapsulation 5-27

configuration restrictions 5-11

deleting 5-33

deploying 5-27

described 5-27

switches 5-27

vulnerable OS field described B-6

W

watch list rating

calculating risk rating 8-12

described 8-12

Web Server

configuring 4-9

described A-3, A-22

HTTP 1.0 and 1.1 support A-22

private keys A-21

public keys A-21

RDEP2 support A-22

worm attacks and histograms 9-36

worms

Blaster 9-2

Code Red 9-2

described 9-2

Nimda 9-2

protocols 9-2

Sasser 9-2

scanners 9-2

Slammer 9-2

SQL Slammer 9-2

worm-timeout

command 9-10

specifying 9-10, 9-38

Z

zones

external 9-4

illegal 9-4

internal 9-4