Index
Numerics
4GE bypass interface card
configuration restrictions 3-11
described 3-11
802.1q encapsulation
VLAN groups 3-14
A
accessing IPS software 13-2
access list misconfiguration C-28
ACLs
described 9-2
Post-Block 9-20, 9-21
Pre-Block 9-20, 9-21
Active Host Blocks pane
configuring 9-33, 12-4
described 9-32, 12-2
field descriptions 9-32, 12-3
user roles 9-32, 12-2
ad0 pane
default 7-10
described 7-10
tabs 7-10
Add Active Host Block dialog box field descriptions 9-33, 12-3
Add Allowed Host dialog box
field descriptions 2-5
user roles 2-4
Add Authorized Key dialog box
field descriptions 2-7
user roles 2-7
Add Blocking Device dialog box
field descriptions 9-17
user roles 9-17
Add Cat 6K Blocking Device Interface dialog box
field descriptions 9-26
user roles 9-25
Add Configured OS Map dialog box
field descriptions 6-28
user roles 6-26
Add Destination Port dialog box field descriptions 7-16, 7-17, 7-24, 7-25, 7-31, 7-32
Add Device Login Profile dialog box
field descriptions 9-15
user roles 9-14
Add Event Action Filter dialog box
field descriptions 6-21
user roles 6-19
Add Event Action Override dialog box
field descriptions 6-14
user roles 6-14
Add Event Variable dialog box
field descriptions 6-31
user roles 6-30
Add External Product Interface dialog box
field descriptions 10-5
user roles 10-1
Add Histogram dialog box field descriptions 7-17, 7-18, 7-19, 7-24, 7-25, 7-26, 7-32, 7-33, 7-34
adding
active host blocks 9-33, 12-4
a host never to be blocked 9-11
anomaly detection policies 7-9
event action filters 6-23
event action overrides 6-16
event action rules policies 6-12
event variables 6-31
external product interfaces 10-8
network blocks 9-35, 12-6
OS maps 6-29
signature definition policies 5-2
signatures 5-14
signature variables 5-56
target value rating 6-18
virtual sensors 4-5
Add Inline VLAN Pair dialog box
field descriptions 3-21
user roles 3-20
Add Interface Pair dialog box
field descriptions 3-19
user roles 3-19
Add IP Logging dialog box
field descriptions 12-21
user roles 12-20
Add Known Host Key dialog box
field descriptions 2-9
user roles 2-9
Add Master Blocking Sensor dialog box
field descriptions 9-29
user roles 9-28
Add Network Block dialog box
field descriptions 9-35
user roles 9-35
Add Never Block Address dialog box
field descriptions 9-10
user roles 9-7
Add Policy dialog box
field descriptions 5-2, 6-12, 7-8
user roles 5-2, 6-12, 7-8
Add Posture ACL dialog box
field descriptions 10-7
user roles 10-1
Add Protocol Number dialog box field descriptions 7-18, 7-26, 7-34
Add Rate Limit dialog box
field descriptions 9-13
user roles 9-12
Address Resolution Protocol. See ARP.
Add Router Blocking Device Interface dialog box
field descriptions 9-23
user roles 9-20
Add Signature dialog box
field descriptions 5-7
user roles 5-4
Add Signature Variable dialog box
field descriptions 5-56
user roles 5-55
Add SNMP Trap Destination dialog box
field descriptions 8-4
user roles 8-3
Add Target Value Rating dialog box
field descriptions 6-18
user roles 6-18
Add Trusted Host dialog box
field descriptions 2-13
user roles 2-13
Add User dialog box
field descriptions 2-27
user roles 2-26
Add Virtual Sensor dialog box
described 4-5
field descriptions 4-5
Add VLAN Group dialog box
field descriptions 3-24
user roles 3-23
Administrator privileges A-27
Advanced Alert Behavior Wizard
Alert Dynamic Response Fire All window field descriptions 5-42
Alert Dynamic Response Fire Once window field descriptions 5-42
Alert Dynamic Response Summary window field descriptions 5-41
Alert Summarization window field descriptions 5-41
Event Count and Interval window field descriptions 5-40
Global Summarization window field descriptions 5-42
advisory for cryptographic products 1-1
AIC engine
AIC FTP B-10
AIC HTTP B-10
described 5-59, B-10
features B-10
signatures (example) 5-68
AIC FTP engine parameters (table) B-12
AIC HTTP engine parameters (table) B-11
AIC policy configuration 5-68
AIC policy enforcement
default configuration 5-61, B-11
described 5-61, B-11
sensor oversubscription 5-61, B-11
AIM-IPS
initializing 1-33
setup command 1-33
system image installation 14-46
time sources 2-17, C-17
verifying installation C-74
AIP SSM
bypass mode 3-27
Deny Connection Inline 6-10, C-73
Deny Packet Inline 6-10, C-73
Normalizer engine B-20, C-72
password recovery C-12
Reset TCP Connection 6-10, C-73
resetting the password C-12
TCP reset packets 6-10, C-73
AIP-SSM
initializing 1-21
recovering C-70
reimaging 14-49
resetting C-69
setup command 1-21
system image installation 14-49
time sources 2-17, C-18
Alarm Channel described 6-5, A-24
alert and log actions (list) 6-7
alert frequency
aggregation 5-21
configuring 5-21
controlling 5-21
modes B-6
alert profile in Home window 1-2
alert summary in Home window 1-2
Allowed Hosts pane
configuring 2-5
described 2-4
alternate TCP reset interface configuration restrictions 3-9
Analysis Engine
busy C-25
described 4-1
global variables 4-7
verify it is running C-22
virtual sensors 4-1
Analysis Engine busy
error messages C-25
IDM exits C-60
anomaly detection
asymmetric environment 7-2
caution 7-2
configuration sequence 7-4
default configuration (example) 7-4
described 7-2
detect mode 7-3
disabling C-21
event actions 7-6, B-47
inactive mode 7-3
learning accept mode 7-3
learning process 7-3
limiting false positives 7-12
protocols 7-2
signatures (table) 7-6, B-48
worm attacks 7-12
worms 7-2
zones 7-4
Anomaly Detection pane
described 7-8
field descriptions 7-8, 7-38, 12-12
user roles 7-8, 7-38, 12-12
anomaly detection policies
ad0 7-8
adding 7-9
cloning 7-9
default policy 7-8
deleting 7-9
user roles 7-8
appliances
application partition image 14-12
GRUB menu C-9
initializing 1-6
password recovery C-9
recovering the software image 14-27
terminal servers
described 14-14
setting up 14-14
time sources 2-16, C-17
upgrading the recovery partition 14-6
Application Inspection and Control. See AIC.
application partition
described A-3
image recovery 14-12
application policy enforcement
described 5-61, B-11
applications in XML format A-2
applying software updates C-55
ARC
ACLs 9-21, A-13
authentication A-13
blocking
application 9-1
connection-based A-16
not occurring for signature C-44
unconditional blocking A-16
block response A-12
Catalyst 6000 series switch
VACL commands A-18
VACLs A-18
Catalyst switches
VACLs A-15
VLANs A-15
checking status 9-3, 9-4, 12-7
described A-3
design 9-2
device access issues C-41
enabling SSH C-44
features A-12
firewalls
AAA A-17
connection blocking A-17
NAT A-17
network blocking A-17
postblock ACL A-15
preblock ACL A-15
shun command A-17
TACACS+ A-17
formerly Network Access Controller 9-3
functions 9-1, A-11
illustration A-11
inactive state C-40
interfaces A-13
maintaining states A-15
managed devices 9-7
master blocking sensors A-13
maximum blocks 9-2
misconfigured master blocking sensor C-45
nac.shun.txt file A-15
NAT addressing A-14
number of blocks A-14
postblock ACL A-15
preblock ACL A-15
prerequisites 9-5
rate limiting 9-4, 12-7
responsibilities A-11
single point of control A-14
SSH A-12
supported devices 9-6, A-14
Telnet A-12
troubleshooting C-38
VACLs A-13
verifying device interfaces C-43
verifying status C-39
ARP
Layer 2 signatures B-13
protocol B-13
ARP spoof tools
dsniff B-13
ettercap B-13
ASDM resetting passwords C-14
Assign Actions dialog box field descriptions 5-11
assigning actions to signatures 5-18
asymmetric environment and anomaly detection 7-2
asymmetric traffic and disabling anomaly detection C-21
Atomic ARP engine
described B-13
parameters (table) B-13
Atomic IP engine
described B-13
parameters (table) B-14
Atomic IPv6 engine
described B-14
Neighborhood Discovery protocol B-14
signatures B-14
signatures (table) B-15
attack relevance rating
calculating risk rating 6-3
described 6-3, 6-26
Attack Response Controller
described A-3
formerly known as Network Access Controller A-3
Attack Response Controller. See ARC.
attack severity rating
calculating risk rating 6-3
described 6-3
authenticated NTP 2-23
AuthenticationApp
authenticating users A-20
described A-3
login attempt limit A-20
method A-20
responsibilities A-20
secure communications A-21
sensor configuration A-20
Authorized Keys pane
configuring 2-8
described 2-7
field descriptions 2-7
RSA authentication 2-7
RSA key generation tool 2-8
automatic updates
Cisco.com 11-1
servers
FTP 11-1
SCP 11-1
troubleshooting C-56
automatic upgrade
required information 14-8
autonegotiation and hardware bypass 3-12
Auto Update pane
configuring 11-3
described 11-1
field descriptions 11-2
UNIX-style directory listings 11-2
user roles 11-1
auto-upgrade-option command 14-7
B
backing up
configuration C-3
current configuration C-4, C-5
BackOrifice. See BO.
BackOrifice 2000. See BO2K.
blocking
described 9-1
disabling 9-8
master blocking sensor 9-28
necessary information 9-3
not occurring for signature C-44
prerequisites 9-5
supported devices 9-6
types 9-2
Blocking Devices pane
configuring 9-18
described 9-17
field descriptions 9-17
ssh host-key command 9-18
Blocking Properties pane
adding a host never to be blocked 9-11
configuring 9-10
described 9-7
field descriptions 9-8
BO
described B-50
Trojans B-50
BO2K
described B-50
Trojans B-50
bootloader
explaining 14-31
upgrading 14-31
Bug Toolkit
described C-1
URL C-1
bypass mode
AIP SSM 3-27
described 3-26
Bypass pane
field descriptions 3-26
user roles 3-26
C
calculating risk rating
attack relevance rating 6-3
attack severity rating 6-3
promiscuous delta 6-3
signature fidelity rating 6-2
target value rating 6-3
watch list rating 6-3
cannot access sensor C-26
Cat 6K Blocking Device Interfaces pane
configuring 9-26
described 9-25
field descriptions 9-26
certificates
displaying 2-15
generating 2-15
Internet Explorer 1-48
changing Microsoft IIS to UNIX-style directory listings 11-2
changing the memory
Java Plug-in on Linux 1-43, C-59
Java Plug-in on Solaris 1-43, C-59
Java Plug-in on Windows 1-42, C-58
cidDump and obtaining information C-96
CIDEE
defined A-33
example A-33
IPS extensions A-33
protocol A-33
supported IPS events A-33
Cisco.com
accessing software 13-2
downloading software 13-1
IPS software 13-1
software downloads 13-1
Cisco IOS and rate limiting 9-4, 12-7
cisco-security-agents-mc-settings command 10-7
Cisco Security Intelligence Operations
described 13-14
URL 13-14
Cisco Services for IPS
service contract 1-50, 13-10
supported products 1-50, 13-10
clear events command 2-21, 2-25, C-19, C-96
clearing
events 2-25, C-96
statistics C-82
clear password command C-11, C-14
CLI described A-3, A-26
clock set command 2-24
Clone Policy dialog box
field descriptions 5-2, 6-12, 7-8
user roles 5-2, 6-12, 7-8
Clone Signature dialog box
field descriptions 5-7
user roles 5-4
cloning
anomaly detection policies 7-9
event action rules policies 6-12
signature definition policies 5-2
signatures 5-16
command and control interfaces
described 3-2
list 3-2
commands
auto-upgrade-option 14-7
cisco-security-agents-mc-settings 10-7
clear events 2-21, 2-25, C-19, C-96
clear password C-11, C-14
clock set 2-24
copy backup-config C-3
copy current-config C-3
copy license-key 13-12
debug module-boot C-70
downgrade 14-11
hw-module module 1 reset C-69
hw-module module slot_number password-reset C-12
setup 1-3, 1-6, 1-14, 1-21, 1-28, 1-33, 2-1
show events C-93
show inventory C-74
show module 1 details C-69
show settings C-16
show statistics C-81
show statistics virtual-sensor C-25, C-81
show tech-support C-75
show version C-78
upgrade 14-3, 14-6
Compare Knowledge Bases dialog box field descriptions 7-40, 12-14
comparing KBs 7-41, 12-15
configuration files
backing up C-3
merging C-3
configuration restrictions
alternate TCP reset interface 3-9
inline interface pairs 3-9
inline VLAN pairs 3-9
interfaces 3-9
physical interfaces 3-9
VLAN groups 3-10
Configure Summertime dialog box field descriptions 2-19
configuring
active host blocks 9-33, 12-4
AIC policy parameters 5-68
allowed hosts 2-5
application policy 5-68
authorized keys 2-8
automatic upgrades 14-9
blocking devices 9-18
blocking properties 9-10
Cat 6K blocking device interfaces 9-26
CSA MC support for IPS interfaces 10-4
device login profiles 9-15
event action filters 6-23
events 6-36
event variables 6-31
external zone 7-34
general settings 6-33
illegal zone 7-27
interface pairs 3-19
interfaces 3-17
interfaces (sequence) 3-8
internal zone 7-19
IP fragment reassembly signatures 5-72
IP logging 12-21
known host keys 2-9
learning accept mode 7-14
maintenance partition
IDSM-2 (Catalyst software) 14-37
IDSM-2 (Cisco IOS software) 14-41
master blocking sensor 9-29
network blocks 9-35, 12-6
NTP servers 2-22
operation settings 7-11
OS maps 6-29
rate limiting 9-13, 12-9
rate limiting devices 9-18
router blocking device interfaces 9-23
sensor to use NTP 2-23
SNMP 8-2
SNMP traps 8-4
target value rating 6-18
TCP fragment reassembly parameters 5-79
time 2-19
traffic flow notifications 3-28
trusted hosts 2-14
upgrades 14-5
users 2-28
VLAN groups 3-24
VLAN pairs 3-22
control transactions
characteristics A-7
request types A-7
cookies and IDM 1-47
copy backup-config command C-3
copy current-config command C-3
copy license-key command 13-12
correcting time on the sensor 2-21, C-19
creating
custom signatures
not using signature engines 5-29
Service HTTP 5-52
String TCP 5-50
using signature engines 5-28
Meta signatures 5-24
Post-Block VACLs 9-25
Pre-Block VACLs 9-25
service account C-6
cryptographic account
Encryption Software Export Distribution Authorization from 13-2
obtaining 13-2
cryptographic products and IDM 1-1
CSA MC
configuring IPS interfaces 10-4
host posture events 10-2, 10-4
quarantined IP address events 10-2
supporting IPS interfaces 10-4
CtlTransSource
described A-2, A-10
illustration A-10
current configuration backup C-3
current KB settings 7-42, 12-16
custom signatures
described 5-4
Meta signature 5-24
Custom Signature Wizard
Alert Response window field descriptions 5-39
Atomic IP Engine Parameters window field descriptions 5-32
described 5-27
ICMP Traffic Type window field descriptions 5-38
Inspect Data window field descriptions 5-39
MSRPC Engine Parameters window field descriptions 5-34
no signature engine sequence 5-29
Protocol Type window field descriptions 5-31
Service HTTP Engine Parameters window field descriptions 5-33
Service RPC Engine Parameters window field descriptions 5-34
Service Type window field descriptions 5-39
signature engine sequence 5-28
Signature Identification window field descriptions 5-31
State Engine Parameters window field descriptions 5-35
String ICMP Engine Parameters window field descriptions 5-35
String TCP Engine Parameters window field descriptions 5-36
String UDP Engine Parameters window field descriptions 5-37
Sweep Engine Parameters window field descriptions 5-37
TCP Sweep Type window field descriptions 5-39
TCP Traffic Type window field descriptions 5-38
UDP Sweep Type window field descriptions 5-38
UDP Traffic Type window field descriptions 5-38
user roles 5-27
Welcome window field descriptions 5-31
D
data structure examples A-7
DDoS
protocols B-49
Stacheldraht B-49
TFN B-49
debug logging enabling C-47
debug-module-boot command C-70
default KB filename 7-13
default policies
ad0 7-8
rules0 6-12
sig0 5-2
defaults restoring 11-4
default virtual sensor vs0 4-2
deleting
anomaly detection policies 7-9
event action filters 6-23
event action overrides 6-16
event action rules policies 6-12
event variables 6-31
imported OS values 6-38, 12-11
KBs 7-42, 12-16
learned OS values 6-37, 12-10
OS maps 6-29
signature definition policies 5-2
signature variables 5-56
target value rating 6-18
virtual sensors 4-5
Denial of Service. See DoS.
denied attackers
clearing list 12-2
hit count 12-1
resetting hit counts 12-2
Denied Attackers pane
described 12-1
field descriptions 12-1
user roles 12-1
using 12-2
deny actions (list) 6-8
Deny Packet Inline described 6-9, B-8
detect mode and anomaly detection 7-3
device access issues C-41
device information in the Home window 1-2
Device Login Profiles pane
configuring 9-15
described 9-14
field descriptions 9-15
Diagnostics Report pane
button functions 11-9
described 11-8
user roles 11-8
using 11-9
diagnostics reports 11-9
disabling
anomaly detection C-21
blocking 9-8
interfaces 3-17
password recovery C-15
disaster recovery C-6
displaying
events C-94
password recovery setting C-16
statistics C-82
tech support information C-76
version C-79
Distributed Denial of Service. See DDoS.
DoS tools (stick) B-6
downgrade command 14-11
downgrading sensors 14-11
downloading
KBs 7-43, 12-18
software 13-1
Download Knowledge Base From Sensor dialog box
described 7-43, 12-17
user roles 7-43, 12-17
duplicate IP addresses C-29
E
Edit Allowed Host dialog box
field definitions 2-5
user roles 2-4
Edit Authorized Key dialog box
field definitions 2-7
user roles 2-7
Edit Blocking Device dialog box
field descriptions 9-17
user roles 9-17
Edit Cat 6K Blocking Device Interface dialog box
field descriptions 9-26
user roles 9-25
Edit Configured OS Map dialog box
field descriptions 6-28
user roles 6-26
Edit Destination Port dialog box field descriptions 7-16, 7-17, 7-24, 7-31, 7-32
Edit Device Login Profile dialog box
field descriptions 9-15
user roles 9-14
Edit Event Action Filter dialog box
field descriptions 6-21
user roles 6-19
Edit Event Action Override dialog box
field descriptions 6-14
user roles 6-14
Edit Event Variable dialog box
field descriptions 6-31
user roles 6-30
Edit External Product Interface dialog box
field descriptions 10-5
user roles 10-1
Edit Histogram dialog box field descriptions 7-17, 7-18, 7-19, 7-24, 7-26, 7-32, 7-33, 7-34
editing
event action filters 6-23
event action overrides 6-16
event variables 6-31
interfaces 3-18
OS maps 6-29
signatures 5-17
signature variables 5-56
target value rating 6-18
virtual sensors 4-5
Edit Inline VLAN Pair dialog box
field descriptions 3-21
user roles 3-20
Edit Interface dialog box
field descriptions 3-16
user roles 3-15
Edit Interface Pair dialog box
field descriptions 3-19
user roles 3-19
Edit IP Logging dialog box
field descriptions 12-21
user roles 12-20
Edit Known Host Key dialog box
field descriptions 2-9
user roles 2-9
Edit Master Blocking Sensor dialog box
field descriptions 9-29
user roles 9-28
Edit Never Block Address dialog box
field descriptions 9-10
user roles 9-7
Edit Posture ACL dialog box field descriptions 10-7
Edit Protocol Number dialog box field descriptions 7-26
Edit Router Blocking Device Interface dialog box
field descriptions 9-23
user roles 9-20
Edit Signature dialog box
field descriptions 5-7
user roles 5-4
Edit Signature Variable dialog box
field descriptions 5-56
user roles 5-55
Edit SNMP Trap Destination dialog box
field descriptions 8-4
user roles 8-3
Edit Target Value Rating dialog box
field descriptions 6-18
user roles 6-18
Edit User dialog box
field descriptions 2-27
user roles 2-26
Edit Virtual Sensor dialog box
field descriptions 4-5
user roles 4-4
Edit VLAN Group dialog box
field descriptions 3-24
user roles 3-23
enabling
debug logging C-47
event action filters 6-23
event action overrides 6-16
interfaces 3-17
Encryption Software Export Distribution Authorization form
cryptographic account 13-2
described 13-2
engines
Master B-4
error message Analysis Engine is busy C-25
evAlert A-8
event action filters
adding 6-23
configuring 6-23
deleting 6-23
described 6-4
editing 6-23
enabling 6-23
Event Action Filters tab
configuring 6-23
described 6-19
field descriptions 6-20
event action overrides
adding 6-16
deleting 6-16
described 6-4
editing 6-16
enabling 6-16
Event Action Overrides tab
field descriptions 6-14
user roles 6-14
event action rules
default policy 6-12
example 6-10
functions 6-2
rules0 6-12
understanding 6-2
Event Action Rules pane
described 6-12
field descriptions 6-12
user roles 6-12
event action rules policies
adding 6-12
cloning 6-12
deleting 6-12
events
display configuration 6-36
displaying C-94
host posture 10-2
quarantined IP address 10-2
Events pane
configuring 6-36
described 6-34
field descriptions 6-34
Event Store
clearing events 2-21, C-19
data structures A-7
described A-2
examples A-6
responsibilities A-6
timestamp A-6
event types C-92
event variables
adding 6-31
configuring 6-31
deleting 6-31
editing 6-31
example 6-31
Event Variables tab
configuring 6-31
described 6-30
field descriptions 6-31
Event Viewer window field descriptions 6-35
evError A-8
evLogTransaction A-8
evShunRqst A-8
evStatus A-8
examples
ASA failover configuration C-72
external product interfaces
adding 10-8
described 10-1
issues 10-3, C-23
troubleshooting 10-11, C-24
External Product Interfaces pane
field descriptions 10-4
user roles 10-1
external zone
configuring 7-34
protocols 7-30
user roles 7-30
External Zone tab
described 7-30
tabs 7-30
user roles 7-30
F
fail-over testing 3-11
false positives described 5-3
files
IDSM-2 password recovery C-10
upgrade 14-3
finding the serial number C-74
Flood engine described B-15
Flood Host engine parameters (table) B-15
Flood Net engine parameters (table) B-16
FTP servers supported 14-2
G
general settings
configuring 6-33
described 6-32
General Settings tab
configuring 6-33
described 6-32
field descriptions 6-33
user roles 6-32
General tab
described 7-15, 7-23
enabling zones 7-15, 7-23
field descriptions 7-15, 7-23
generating diagnostics reports 11-9
global correlation
Produce Alert 5-11, 6-8
Global Variables pane
described 4-7
field definitions 4-7
user roles 4-7
GRUB menu for password recovery C-9
H
H.225.0 protocol B-27
H.323 protocol B-27
hardware bypass
autonegotiation 3-12
configuration restrictions 3-11
fail-over 3-11
IPS-4260 3-11
IPS 4270-20 3-11
supported configurations 3-11
with software bypass 3-11
Home window
auto refresh 1-2
described 1-2
host posture events
CSA MC 10-4
described 10-2
HTTP/HTTPS supported servers 14-2
HTTP deobfuscation
ASCII normalization 5-52, B-29
described 5-52, B-29
hw-module module 1 reset command C-69
hw-module module slot_number password-reset command C-12
I
icons
signature configuration 5-6, 5-14, 5-16, 5-17, 5-21, 5-24, 5-47, 5-51, 5-53, 5-67, 5-68, 5-71, 5-72, 5-78, 5-79, 5-80
IDAPI
communications A-3, A-29
described A-3
functions A-29
illustration A-29
responsibilities A-29
IDCONF
described A-32
example A-32
RDEP2 A-32
XML A-32
IDIOM
defined A-31
messages A-31
IDM
advisory 1-1
Analysis Engine is busy C-60
certificates 1-47, 2-11
cookies 1-47
cryptographic products 1-1
described 1-1, 1-44, 1-45
GUI 1-1
Java Plug-in 1-42, C-58
logging in 1-44, 1-45
memory 1-42, C-58
prerequisites 1-44
Signature Wizard unsupported signature engines 5-27, 5-43
TLS and SSL 1-47, 2-12
user interface 1-1
validating certificates 1-48
web browsers 1-1, 1-44, 1-45
will not load C-59
IDS-4215
BIOS upgrade 14-18
installing the system image 14-16
ROMMON upgrade 14-18
upgrading
BIOS 14-18
ROMMON 14-18
IDSM-2
command and control port C-67
configuring
maintenance partition (Catalyst software) 14-37
maintenance partition (Cisco IOS software) 14-41
initializing 1-14
installing
system image (Catalyst software) 14-34
system image (Cisco IOS software) 14-35, 14-36
password recovery C-10
password recovery image file C-10
reimaging 14-34
setup command 1-14
supported configurations C-63
TCP reset port C-68
time sources 2-16, C-17
upgrading
maintenance partition (Catalyst software) 14-44
maintenance partition (Cisco IOS software) 14-45
illegal zone
configuring 7-27
user roles 7-23
Illegal Zone tab
described 7-23
user roles 7-23
Imported OS pane
clearing 6-38, 12-11
described 6-38, 12-11
field descriptions 6-38, 12-11
imported OS values
clearing 6-38, 12-11
deleting 6-38, 12-11
user roles 6-38, 12-11
inactive mode and anomaly detection 7-3
initializing
AIM-IPS 1-33
AIP-SSM 1-21
appliances 1-6
IDSM-2 1-14
NM-CIDS 1-28
sensors 1-3, 2-1
verification 1-39
Inline Interface Pair mode
configuration restrictions 3-9
described 3-13
inline VLAN pair mode
configuration restrictions 3-9
described 3-13
supported sensors 3-13
installer major version 13-5
installer minor version 13-5
installing
AIM-IPS system image 14-46
license key 13-13
sensor license 1-52, 13-11
system image
AIP-SSM 14-49
IDS-4215 14-16
IDSM-2 (Catalyst software) 14-34
IDSM-2 (Cisco IOS software) 14-35, 14-36
IPS-4240 14-20
IPS-4255 14-20
IPS-4260 14-23
IPS 4270-20 14-25
InterfaceApp
described A-2, A-19
interactions A-19
NIC drivers A-19
interface configuration sequence 3-8
interface pairs
configuring 3-19
described 3-19
Interface Pairs pane
configuring 3-19
described 3-19
field descriptions 3-19
interfaces
alternate TCP reset 3-2
command and control 3-2
configuration restrictions 3-9
configuring 3-17
described 3-1
disabling 3-17
editing 3-18
enabling 3-17
port numbers 3-1
sensing 3-2, 3-3
slot numbers 3-1
support (table) 3-4
TCP reset 3-7
VLAN groups 3-2
Interfaces pane
configuring 3-17
described 3-15
field descriptions 3-16
interface status and the Home window 1-2
internal zone
configuring 7-19
user roles 7-15
Internal Zone tab
described 7-15
user roles 7-15
Internet Explorer certificate validation 1-48
IP fragmentation described B-19
IP fragment reassembly
configuring 5-71
described 5-69
mode 5-71
parameters (table) 5-70
signatures 5-72
signatures (example) 5-72
signatures (table) 5-70
IP logging
described 5-80, 12-19
event actions 12-20
system performance 12-20
IP Logging pane
configuring 12-21
described 12-20
field descriptions 12-20
user roles 12-20
IP logs
circular buffer 12-20
states 12-19
TCP Dump 12-20
viewing 12-21
Wireshark 12-20
IPS
external communications A-30
internal communications A-29
IPS-4240
installing the system image 14-20
password recovery C-9
reimaging 14-20
IPS-4255
installing the system image 14-20
password recovery C-9
reimaging 14-20
IPS-4260
hardware bypass 3-11
installing the system image 14-23
reimaging 14-23
IPS 4270-20
hardware bypass 3-11
installing the system image 14-25
reimaging 14-25
IPS appliances
Deny Connection Inline 6-10, C-73
Deny Packet Inline 6-10, C-73
Reset TCP Connection 6-10, C-73
TCP reset packets 6-10, C-73
IPS applications
summary A-34
table A-34
XML format A-2
IPS data
types A-7
XML document A-7
IPS events
evAlert A-8
evError A-8
evLogTransaction A-8
evShunRqst A-8
evStatus A-8
listed A-8
types A-8
IPS features
anomaly detection A-3
CSA collaboration A-3
enhanced password recovery A-3
passive OS fingerprinting A-3
signature policy virtualization A-3
threat rating A-4
IPS modules and time synchronization 2-18, C-18
IPS software
application list A-2
available files 13-1
configuring device parameters A-4
directory structure A-33
Linux OS A-1
new features A-3
obtaining 13-1
platform-dependent release examples 13-6
retrieving data A-4
security features A-4
tuning signatures A-4
updating A-4
user interaction A-4
versioning scheme 13-3
IPS software file names
major updates (illustration) 13-4
minor updates (illustration) 13-4
patch releases (illustration) 13-4
service packs (illustration) 13-4
IPv6 described B-14
J
Java Plug-in
Linux 1-43, C-59
Solaris 1-43, C-59
Windows 1-42, C-58
K
KBs
comparing 7-41, 12-15
default filename 7-13
deleting 7-42, 12-16
described 7-3
downloading 7-43, 12-18
histogram 7-12
initial baseline 7-3
learning accept mode 7-13
loading 7-42, 12-16
monitoring 7-39, 12-13
renaming 7-43, 12-17
saving 7-42, 12-16
scanner threshold 7-12
tree structure 7-12
uploading 7-44, 12-19
Knowledge Base. See KB.
Known Host Keys pane
configuring 2-9
described 2-9
field descriptions 2-9
L
Learned OS pane
clearing 6-37, 12-10
described 6-37, 12-10
field descriptions 6-37, 12-10
passive OS fingerprinting 6-37, 12-10
learned OS values
clearing 6-37, 12-10
deleting 6-37, 12-10
user roles 6-37, 12-10
learning accept mode
anomaly detection 7-3
configuring 7-14
user roles 7-13
Learning Accept Mode tab
described 7-13
field descriptions 7-13
user roles 7-13
license key
installing 13-13
status 1-50, 13-9
trial 1-50, 13-9
licensing
described 1-50, 13-9
IPS device serial number 1-50, 13-9
Licensing pane
configuring 1-52, 13-11
described 1-50, 13-9
field descriptions 1-52
user roles 1-50
limitations on concurrent CLI sessions 1-43
listings UNIX-style 11-2
loading KBs 7-42, 12-16
LogApp
described A-2, A-18
functions A-18
syslog messages A-19
logging in
IDM 1-44, 1-45
terminal servers 14-14
LOKI
described B-49
protocol B-49
loose connections on sensors C-25
M
MainApp
applications A-5
described A-2
host statistics A-5
responsibilities A-5
show version command A-5
maintenance partition
configuring
IDSM-2 (Catalyst software) 14-37
IDSM-2 (Cisco IOS software) 14-41
described A-3
major updates described 13-3
managing rate limiting 9-13, 12-9
manual block to bogus host C-44
master blocking sensor
described 9-28
not set up properly C-45
Master Blocking Sensor pane
configuring 9-29
described 9-28
field descriptions 9-28
Master engine
alert frequency B-6
alert frequency parameters (table) B-6
described B-3
event actions B-7
general parameters (table) B-4
universal parameters B-4
master engine parameters
obsoletes B-6
promiscuous delta B-5
vulnerable OSes B-6
memory for IDM 1-42, C-58
merging configuration files C-3
Meta engine
described 5-23, B-16
parameters (table) B-17
Signature Event Action Processor 5-23, B-16
Meta Event Generator described 6-32
MIBs supported 8-6, C-21
minor updates described 13-3
Miscellaneous tab
configuring
application policy 5-68
IP fragment reassembly mode 5-71
IP logging 5-80
TCP stream reassembly mode 5-78
described 5-57
field descriptions 5-58
user roles 5-57
modes
anomaly detection detect 7-3
anomaly detection inactive 7-3
anomaly detection learning accept 7-3
bypass 3-26
Inline Interface Pair 3-13
inline VLAN pair 3-13
promiscuous 3-12
VLAN groups 3-13
modify packets inline modes 4-3
monitoring
events 6-36
KBs 7-39, 12-13
Viewer privileges A-27
moving OS maps 6-29
Multi String engine
described B-17
parameters (table) B-18
Regex B-17
N
Neighborhood Discovery
options B-14
types B-14
Network Blocks pane
configuring 9-35, 12-6
described 9-35, 12-5
field descriptions 9-35, 12-5
user roles 9-35, 12-5
Network pane
configuring 2-3
described 2-2
field definitions 2-2
TLS/SSL 2-3
user roles 2-2
Network Time Protocol. See NTP.
never block
hosts 9-7
networks 9-7
NM-CIDS
bootloader
described 14-31
file 14-31
initializing 1-28
password recovery C-11
reimaging 14-28, 14-29
setup command 1-28
system image file 14-28
time sources 2-17, C-17
upgrading the bootloader 14-31
Normalizer engine
described B-19
IP fragment reassembly B-19
parameters (table) B-22
TCP stream reassembly B-19
NotificationApp
alert information A-8
described A-3
functions A-8
SNMP gets A-8
SNMP traps A-8
statistics A-10
system health information A-9
NTP
authenticated 2-23
configuring servers 2-22
described 2-16, C-17
incorrect configuration C-19
sensor time source 2-21, 2-23
time synchronization 2-16, C-17
unauthenticated 2-23
O
obsoletes field described B-6
obtaining
cryptographic account 13-2
IPS software 13-1
operation settings
configuring 7-11
user roles 7-10
Operation Settings tab
described 7-10
field descriptions 7-10
user roles 7-10
Operator privileges A-27
OS Identifications tab
described 6-27
field descriptions 6-28
OS maps
adding 6-29
configuring 6-29
deleting 6-29
editing 6-29
moving 6-29
other actions (list) 6-9
Other Protocols tab
described 7-18, 7-26, 7-33
enabling other protocols 7-18
external zone 7-33
field descriptions 7-18, 7-33
illegal zone 7-26
P
partitions
application A-3
maintenance A-3
recovery A-3
passive OS fingerprinting
components 6-26
configuring 6-27
described 6-26
password recovery
AIP SSM C-12
appliances C-9
described C-8
disabling C-15
GRUB menu C-9
IDSM-2 C-10
IPS-4240 C-9
IPS-4255 C-9
NM-CIDS C-11
platforms C-8
ROMMON C-9
troubleshooting C-16
verifying C-16
patch releases described 13-3
peacetime learning and anomaly detection 7-3
physical connectivity issues C-32
physical interfaces configuration restrictions 3-9
platforms and concurrent CLI sessions 1-43
policies and platform limitations 5-2, 6-12, 7-8
Post-Block ACLs 9-20, 9-21
Pre-Block ACLs 9-20, 9-21
prerequisites for blocking 9-5
promiscuous delta
calculating risk rating 6-3
described 6-3, B-5
promiscuous mode
described 3-12
packet flow 3-12
protocols
ARP B-13
CIDEE A-33
DCE B-32
DDoS B-49
H.323 B-27
H225.0 B-27
IDAPI A-29
IDCONF A-32
IDIOM A-31
IPv6 B-14
LOKI B-49
MSSQL B-33
Neighborhood Discovery B-14
Q.931 B-27
RDEP2 A-30
RPC B-32
SDEE A-32
Q
Q.931 protocol
described B-27
SETUP messages B-27
quarantined IP address events described 10-2
R
rate limiting
ACLs 9-5
configuring 9-13, 12-9
described 9-4, 12-7
managing 9-13, 12-9
percentages 9-12, 12-7
routers 9-4, 12-7
service policies 9-5
supported signatures 9-4, 12-7
Rate Limits pane
described 9-12, 12-7
field descriptions 9-12, 12-8
RDEP2
described A-30
functions A-30
messages A-30
responsibilities A-30
rebooting the sensor 11-5
Reboot Sensor pane
button functions 11-5
configuring 11-5
described 11-5
user roles 11-5
recover command 14-11
recovering
AIP-SSM C-70
application partition image 14-12
recovery/upgrade CD 14-27
recovery partition
described A-3
upgrading 14-6
Regular Expression. See Regex.
regular expression syntax signatures B-8
reimaging
AIP-SSM 14-49
appliances 14-11
described 14-1
IDS-4215 14-16
IDSM-2 14-34
IPS-4240 14-20
IPS-4255 14-20
IPS-4260 14-23
IPS 4270-20 14-25
NM-CIDS 14-29
sensors 13-8, 14-1
removing the last applied upgrade 14-11
Rename Knowledge Base dialog box
field descriptions 7-43, 12-17
user roles 7-43, 12-17
renaming KBs 7-43, 12-17
reset not occurring for a signature C-52
resetting
passwords
ASDM C-14
hw-module command C-12
resetting AIP-SSM C-69
resetting the password
AIP-SSM C-12
Restore Defaults pane
button functions 11-4
configuring 11-4
described 11-4
user roles 11-4
restoring
defaults 11-4
restoring the current configuration C-4, C-5
retrieving events through RDEP2 (illustration) A-30
risk rating
calculating 6-2
described 6-26
example 6-11
ROMMON
described 14-14
IDS-4215 14-16
IPS-4240 14-20
IPS-4255 14-20
IPS-4260 14-23
IPS-4270 14-23
IPS 4270-20 14-25
password recovery C-9
remote sensors 14-14
serial console port 14-14
TFTP 14-14
round-trip time. See RTT.
Router Blocking Device Interfaces pane
configuring 9-23
described 9-20
field descriptions 9-22
RPC portmapper B-34
RTT
described 14-14
TFTP limitation 14-14
rules0 event action rules default policy 6-12
rules0 pane
default 6-13
described 6-13
tabs 6-13
S
Save Knowledge Base dialog box
described 7-41, 12-15
field descriptions 7-41, 12-15
user roles 7-41, 12-15
saving KBs 7-42, 12-16
scheduling automatic upgrades 14-9
SDEE
defined A-32
HTTP A-32
protocol A-32
server requests A-32
security
information on Cisco Security Intelligence Operations 13-14
security and SSH 2-6
security policies described 5-1, 6-1, 7-1
sending commands through RDEP2 (illustration) A-31
sensing interfaces
described 3-3
modes 3-3
PCI cards 3-3
sensor
blocking itself 9-8
not seeing packets C-35
process not running C-31
SensorApp
Alarm Channel A-24
Analysis Engine A-24
described A-3
packet flow A-24
processors A-22
responsibilities A-22
Signature Event Action Handler A-24
Signature Event Action Processor A-22
Sensor Key pane
button functions 2-11
described 2-11
field descriptions 2-11
sensor SSH key
displaying 2-11
generating 2-11
user roles 2-10
sensors
access problems C-26
asymmetric traffic and disabling anomaly detection C-21
configuring to use NTP 2-23
corrupted SensorApp configuration C-37
diagnostics reports 11-9
disaster recovery C-6
downgrading 14-11
incorrect NTP configuration C-19
initializing 1-3, 2-1
interface support 3-4
IP address conflicts C-29
license 1-52, 13-11
loose connections C-25
misconfigured access lists C-28
no alerts C-34, C-61
not seeing packets C-35
NTP time source 2-23
NTP time synchronization 2-16, C-17
partitions A-3
physical connectivity C-32
preventive maintenance C-2
rebooting 11-5
recovering the system image 13-8
reimaging 13-8, 14-1
restoring defaults 11-4
sensing process not running C-31
setting up 2-1
setup command 1-3, 1-6, 2-1
shutting down 11-5
statistics 11-10
system images 13-8
system information 11-11
time sources 2-16, C-17
troubleshooting software upgrades C-57
updating 11-3, 11-7
using NTP time source 2-21
serial number and the show inventory command C-74
Server Certificate pane
button functions 2-15
certificate
displaying 2-15
generating 2-15
described 2-15
field descriptions 2-15
user roles 2-14
service account
creating C-6
described A-28, C-5
privileges A-27
TAC A-28
troubleshooting A-28
Service DNS engine
described B-23
parameters (table) B-23
Service engine
described B-22
Layer 5 traffic B-22
Service FTP engine
described B-24
parameters (table) B-25
PASV port spoof B-24
Service Generic Advanced engine described B-26
Service Generic engine
described B-25
parameters (table) B-26
Service H225 engine
ASN.1PER validation B-27
described B-27
features B-27
parameters (table) B-28
TPKT validation B-27
Service HTTP engine
custom signature 5-52
described 5-52, B-29
example signature 5-52
parameters (table) B-30
Service IDENT engine
described B-31
parameters (table) B-31
Service MSRPC engine
DCE/RPC protocol B-32
described B-32
parameters (table) B-32
Service MSSQL engine
described B-33
MSSQL protocol B-33
parameters (table) B-33
Service NTP engine
described B-33
parameters (table) B-33
service packs described 13-3
Service privileges A-27
service role 2-26, A-27
Service RPC engine
described B-34
parameters (table) B-34
RPC portmapper B-34
Service SMB Advanced engine
described B-36
parameters (table) B-37
Service SMB engine
described B-35
parameters (table) B-35
Service SNMP engine
described B-38
parameters (table) B-39
Service SSH engine
described B-39
parameters (table) B-39
Service TNS engine
described B-40
parameters (table) B-40
setting
current KBs 7-42, 12-16
system clock 2-25
setting up
sensors 2-1
terminal servers 14-14
setup command 1-3, 1-6, 1-14, 1-21, 1-28, 1-33, 2-1
show events command C-92, C-93
show interfaces command C-91
show inventory command C-74
show module 1 details command C-69
show settings command C-16
show statistics command C-81
show statistics virtual-sensor command C-25, C-81
show tech-support command
described C-75
output C-77
show version command C-78
Shut Down Sensor pane
button functions 11-5
configuring 11-5
described 11-5
user roles 11-5
shutting down the sensor 11-5
sig0 pane
default 5-3
described 5-3
tabs 5-3
signature/virus update files described 13-4
Signature Configuration tab
described 5-4
field descriptions 5-5
signature definition policies
adding 5-2
cloning 5-2
default policy 5-2
deleting 5-2
sig0 5-2
Signature Definitions pane
described 5-2
field descriptions 5-2
signature engines
AIC 5-59, B-11
Atomic B-13
Atomic ARP B-13
Atomic IP B-13
Atomic IPv6 B-14
creating custom signatures 5-28
described B-1
event actions B-7
Flood B-15
Flood Host B-15
Flood Net B-16
list B-2
Master B-4
Meta 5-23, B-16
Multi String B-17
Normalizer B-19
Regex
patterns B-9
syntax B-8
Service B-22
Service DNS B-23
Service FTP B-24
Service Generic B-25
Service Generic Advanced B-26
Service H225 B-27
Service HTTP 5-52, B-29
Service IDENT B-31
Service MSRPC B-32
Service MSSQL B-33
Service NTP B-33
Service RPC B-34
Service SMB B-35
Service SMB Advanced B-36
Service SNMP B-38
Service SSH B-39
Service TNS B-40
State B-41
String 5-50, B-42
supported by IDM 5-27, 5-43
Sweep B-45
Sweep Other TCP B-47
Traffic Anomaly 7-5, B-47
Traffic ICMP B-49
Trojan B-50
signature engine update files described 13-5
Signature Event Action Filter
described 6-6
parameters 6-6, A-25
Signature Event Action Handler
alarm channel 6-5, A-24
components 6-5, A-24
described 6-6, A-24
figure 6-6, A-25
Signature Event Action Override
described 6-6, A-24
Signature Event Action Processor
described 6-5, A-22
flow of signature events 6-6, A-25
signature fidelity rating
calculating risk rating 6-2
described 6-2
signatures
adding 5-14
alert frequency 5-21
assigning actions 5-18
cloning 5-16
custom 5-4
default 5-4
described 5-3
disabling 5-13
editing 5-17
enabling 5-13
false positives 5-3
no TCP reset C-52
rate limits 9-4, 12-7
subsignatures 5-4
tuned 5-4
tuning 5-17
signature variables
adding 5-56
deleting 5-56
described 5-55
editing 5-56
Signature Variables tab
configuring 5-56
field descriptions 5-55
Signature Wizard unsupported signature engines 5-27, 5-43
SNMP
configuring 8-2
described 8-1
Get 8-1
GetNext 8-1
Set 8-1
supported MIBs 8-6, C-21
Trap 8-1
SNMP General Configuration pane
configuring 8-2
described 8-2
field descriptions 8-2
user roles 8-2
SNMP traps
configuring 8-4
described 8-1
SNMP Traps Configuration pane
configuring 8-4
field descriptions 8-4
software architecture
ARC (illustration) A-12
IDAPI (illustration) A-29
RDEP2 (illustration) A-30
software bypass
supported configurations 3-11
with hardware bypass 3-11
software downloads Cisco.com 13-1
software file names
recovery (illustration) 13-5
signature/virus updates (illustration) 13-4
signature engine updates (illustration) 13-5
system image (illustration) 13-5
software release examples
platform-dependent 13-6
platform identifiers 13-7
platform-independent 13-6
software updates
supported FTP servers 14-2
supported HTTP/HTTPS servers 14-2
SPAN port issues C-32
SSH
described 2-6
security 2-6
SSH Server
private keys A-21
public keys A-21
standards
CIDEE A-33
SDEE A-32
State engine
Cisco Login B-41
described B-41
LPR Format String B-41
parameters (table) B-41
SMTP B-41
statistics display 11-10
Statistics pane
button functions 11-10
categories 11-9
described 11-9
user roles 11-9
using 11-10
String engine described 5-50, B-42
String ICMP engine parameters (table) B-42
String TCP engine
custom signature 5-50
example signature 5-50
parameters (table) B-43
String UDP engine parameters (table) B-44
subinterface 0 described 3-14
subsignatures described 5-4
summarization
described 6-5
Fire All 6-5
Fire Once 6-5
Global Summarization 6-5
Meta engine 6-5
Summary 6-5
Summarizer described 6-32
Summary pane
described 3-15
field descriptions 3-15
supported
FTP servers 14-2
HTTP/HTTPS servers 14-2
IDSM-2 configurations C-63
IPS interfaces for CSA MC 10-4
Sweep engine
described B-44, B-45
parameters (table) B-45, B-47
Sweep Other TCP engine described B-47
switch commands for troubleshooting C-64
system architecture
directory structure A-33
supported platforms A-1
system clock setting 2-25
system components (IDAPI) A-29
System Configuration Dialog
described 1-3
example 1-4
system design (illustration) A-1
system image
installing
IDSM-2 (Cisco IOS software) 14-35
system images
installing IPS-4240 14-20
installing IPS-4255 14-20
sensors 13-8
system information display 11-11
System Information pane
button functions 11-11
described 11-10
user roles 11-11
using 11-11
system resources status and the Home window 1-2
T
TAC
service account A-28, C-5
show tech-support command C-75
target value rating
adding 6-18
calculating risk rating 6-3
configuring 6-18
deleting 6-18
described 6-3, 6-18
editing 6-18
Target Value Rating tab
configuring 6-18
field descriptions 6-18
TCP fragmentation described B-19
TCP Protocol tab
described 7-16, 7-23, 7-31
enabling TCP 7-16
external zone 7-31
field descriptions 7-16, 7-23, 7-31
illegal zone 7-23
TCP reset interfaces
conditions 3-8
described 3-7
list 3-7
TCP resets
IDSM-2 port C-68
TCP resets not occurring C-52
TCP stream reassembly
described 5-73
mode 5-78
parameters (table) 5-73, 5-78
signatures (table) 5-73, 5-78
terminal servers setup 14-14
testing fail-over 3-11
TFN2K
described B-49
Trojans B-50
TFTP servers
maximum file size limitation 14-14
RTT 14-14
threat rating described 6-4
Thresholds for KB Name window
described 7-39, 12-13
field descriptions 7-39, 12-13
filtering information 7-39, 12-13
user roles 7-39, 12-13
time correction on the sensor 2-21, C-19
Time pane
configuring 2-19
described 2-16
field descriptions 2-18, 2-19
user roles 2-16
time sources
AIM-IPS 2-17, C-17
AIP-SSM 2-17, C-18
appliances 2-16, C-17
IDSM-2 2-16, C-17
NM-CIDS 2-17, C-17
time synchronization and IPS modules 2-18, C-18
TLS
certificates 1-47, 2-11
handshaking 1-47, 2-12
understanding 1-47, 2-3, 2-11
Traffic Anomaly engine
described 7-5, B-47
protocols 7-5, B-47
signatures 7-5, B-47
traffic flow notifications
configuring 3-28
overview 3-28
Traffic Flow Notifications pane
configuring 3-28
field descriptions 3-28
Traffic ICMP engine
DDoS B-49
described B-49
LOKI B-49
parameters (table) B-50
TFN2K B-49
Transport Layer Security. See TLS.
trial license key 1-50, 13-9
Tribe Flood Network. See TFN.
Tribe Flood Network 2000. See TFN2K.
Trojan engine
BO2K B-50
described B-50
TFN2K B-50
Trojans
BO B-50
BO2K B-50
LOKI B-49
TFN2K B-50
troubleshooting
AIP-SSM
commands C-69
debugging C-70
failover scenarios C-71
recovering C-70
reset C-69
Analysis Engine busy C-60
applying software updates C-55
ARC
blocking not occurring for signature C-44
device access issues C-41
enabling SSH C-44
inactive state C-40
misconfigured master blocking sensor C-45
verifying device interfaces C-43
automatic updates C-56
cannot access sensor C-26
cidDump C-96
cidLog messages to syslog C-51
communication C-26
corrupted SensorApp configuration C-37
debug logger zone names (table) C-51
debug logging C-46
disaster recovery C-6
duplicate sensor IP addresses C-29
enabling debug logging C-47
external product interfaces 10-11, C-24
faulty DIMMs C-38
gathering information C-75
IDM
cannot access sensor C-60
will not load C-59
IDSM-2
command and control port C-67
diagnosing problems C-62
not online C-66, C-67
serial cable C-68
status indicator C-64
switch commands C-64
IPS modules and time drift 2-18, C-18
manual block to bogus host C-44
misconfigured access list C-28
no alerts C-34, C-61
NTP C-52
password recovery C-16
physical connectivity issues C-32
preventive maintenance C-2
reset not occurring for a signature C-52
sensing process not running C-31
sensor events C-92
sensor loose connections C-25
sensor not seeing packets C-35
sensor software upgrade C-57
service account C-5
show events command C-92
show interfaces command C-91
show statistics command C-81
show tech-support command C-75, C-77
show version command C-78
software upgrade
IDS-4235 C-54
IDS-4250 C-54
software upgrades C-54
SPAN port issue C-32
upgrading from 5.x to 6.0 C-54
verifying Analysis Engine is running C-22
verifying ARC status C-39
Trusted Hosts pane
configuring 2-14
described 2-13
field definitions 2-13
tuned signatures described 5-4
tuning
AIC signatures 5-68
IP fragment reassembly signatures 5-72
signatures 5-17
U
UDP Protocol tab
described 7-17, 7-24, 7-25, 7-32
enabling UDP 7-17
external zone 7-32
field descriptions 7-17, 7-32
illegal zone 7-24, 7-25
unassigned VLAN groups described 3-14
unauthenticated NTP 2-23
understanding
SSH 2-6
time on the sensor 2-16, C-17
UNIX-style directory listings 11-2
Update Sensor pane
configuring 11-7
described 11-6
field descriptions 11-6
user roles 11-6
updating
Cisco.com 11-6
FTP server 11-6
sensors 11-7
upgrade
command 14-3
files 14-3
upgrade command 14-6
upgrading
5.x to 6.0 13-7
files 14-3
from 5.x to 6.0 C-54
maintenance partition
IDSM-2 (Catalyst software) 14-44
IDSM-2 (Cisco IOS software) 14-45
minimum required version 13-7
recovery partition 14-6, 14-11
uploading KBs
FTP 7-44, 12-18
SCP 7-44, 12-18
Upload Knowledge Base to Sensor dialog box
described 7-44, 12-18
field descriptions 7-44, 12-18
user roles 7-44, 12-18
URLs for Cisco Security Intelligence Operations 13-14
user roles
Administrator A-27
Operator A-27
Service A-27
Viewer A-27
Users pane
configuring 2-28
described 2-26
field definitions 2-27
user roles 2-26
using
debug logging C-46
TCP reset interface 3-8
V
VACLs
described 9-2
Post-Block 9-25
Pre-Block 9-25
verifying
installation
AIM-IPS C-74
NME-IPS C-74
password recovery C-16
sensor initialization 1-39
sensor setup 1-39
Viewer privileges A-27
viewing
IP logs 12-21
statistics 11-10
system information 11-11
virtual sensors
adding 4-5
default virtual sensor 4-2, 4-4
deleting 4-5
described 4-1, 4-4
editing 4-5
stream segregation 4-3
Virtual Sensors pane
described 4-4
field descriptions 4-4
VLAN groups
802.1q encapsulation 3-14
configuration restrictions 3-10
configuring 3-24
deploying 3-23
described 3-13
switches 3-23
VLAN Groups pane
configuring 3-24
described 3-23
field descriptions 3-24
VLAN IDs 3-23
VLAN pairs configuration 3-22
VLAN Pairs pane
configuring 3-22
field descriptions 3-21
overview 3-21
vulnerable OSes field described B-6
W
watch list rating
calculating risk rating 6-3
described 6-3
Web Server
described A-3, A-22
HTTP 1.0 and 1.1 support A-22
private keys A-21
public keys A-21
RDEP2 support A-22
worms
attacks and histograms 7-12
Blaster 7-2
Code Red 7-2
described 7-2
Nimda 7-2
protocols 7-2
Sasser 7-2
scanners 7-2
Slammer 7-2
SQL Slammer 7-2
Z
zones
external 7-4
illegal 7-4
internal 7-4