Cisco Intrusion Prevention System Manager Express Configuration Guide for IPS 6.1
Index
Downloads: This chapterpdf (PDF - 1.22MB) The complete bookPDF (PDF - 8.53MB) | Feedback

Index

Table Of Contents

Numerics - A - B - C - D - E - F - G - H - I - K - L - M - N - O - P - Q - R - S - T - U - V - W - Z

Index

Numerics

4GE bypass interface card

configuration restrictions 7-10

described 7-10

802.1q encapsulation

VLAN groups 7-13

A

accessing IPS software 23-2

access list

misconfiguration C-26

necessary hosts 5-3

ACLs

adding 5-3

described 14-3

Post-Block 14-17, 14-18

Pre-Block 14-17, 14-18

Active Host Blocks pane

configuring 18-7

described 18-6

field descriptions 18-6

user roles 18-6

ad0 pane

default 12-9

described 12-9

tabs 12-9

Add ACL Entry dialog box field descriptions 5-4

Add Active Host Block dialog box field descriptions 18-7

Add Allowed Host dialog box

field descriptions 6-5

user roles 6-4

Add Authorized Key dialog box

field descriptions 13-3

user roles 13-2

Add Blocking Device dialog box

field descriptions 14-15

user roles 14-14

Add Cat 6K Blocking Device Interface dialog box

field descriptions 14-23

user roles 14-21

Add Configured OS Map dialog box field descriptions 8-21, 11-23

Add Destination Port dialog box field descriptions 12-16, 12-17, 12-23, 12-24, 12-30, 12-31

Add Device dialog box field descriptions 2-3

Add Device Login Profile dialog box

field descriptions 14-12

user roles 14-11

Add Event Action Filter dialog box

field descriptions 8-14, 11-16

user roles 8-13, 11-15

Add Event Action Override dialog box

field descriptions 8-10, 11-13

user roles 8-10, 11-13

Add Event Variable dialog box

field descriptions 8-24, 11-26

user roles 8-24, 11-25

Add External Product Interface dialog box

field descriptions 16-6

user roles 16-5

Add Filter dialog box field descriptions 3-15

Add Histogram dialog box field descriptions 12-16, 12-17, 12-23, 12-25, 12-31, 12-32

adding

ACLs 5-3

active host blocks 18-7

a host never to be blocked 14-10

anomaly detection policies 12-9

CSA MC interfaces 16-7

denied attackers 18-5

event action filters 8-15, 11-17

event action overrides 11-14

event action rules policies 11-12

event variables 8-25, 11-26

external product interfaces 16-7

network blocks 18-9

OS maps 8-22, 11-24

risk categories 8-27, 11-28

signature definition policies 9-3

signatures 9-13

signature variables 9-25

target value rating 8-17

virtual sensors 5-12, 8-11

Add Inline VLAN Pair dialog box field descriptions 5-10, 7-20

Add Interface Pair dialog box field descriptions 7-18

Add IP Logging dialog box field descriptions 18-14

Add Known Host Key dialog box

field descriptions 13-5

user roles 13-4

Add Master Blocking Sensor dialog box

field descriptions 14-26

user roles 14-24

Add Network Block dialog box field descriptions 18-9

Add Never Block Address dialog box

field descriptions 14-10

user roles 14-7

Add Policy dialog box field descriptions 9-2, 11-11, 12-8

Add Posture ACL dialog box field descriptions 16-7

Add Protocol Number dialog box field descriptions 12-18, 12-25, 12-32

Add Rate Limit dialog box

field descriptions 18-11

user role 18-10

Address Resolution Protocol. See ARP.

Add Risk Level dialog box field descriptions 8-27, 11-28

Add Router Blocking Device Interface dialog box

field descriptions 14-19

user roles 14-16

Add Signature dialog box field descriptions 9-8

Add Signature Variable dialog box

field descriptions 9-25

user roles 9-24

Add SNMP Trap Destination dialog box field descriptions 15-4

Add Target Value Rating dialog box

field descriptions 8-17, 11-19

user roles 8-17, 11-19

Add Trusted Host dialog box

field descriptions 13-10

user roles 13-9

Add User dialog box

field descriptions 6-17

user roles 6-16

Add Virtual Sensor dialog box

described 5-12, 8-9

field descriptions 5-12, 8-9

Add VLAN Group dialog box field descriptions 7-22

Advanced Alert Behavior Wizard

Alert Dynamic Response Fire All window field descriptions 10-26

Alert Dynamic Response Fire Once window field descriptions 10-27

Alert Dynamic Response Summary window field descriptions 10-27

Alert Summarization window field descriptions 10-26

Event Count and Interval window field descriptions 10-25

Global Summarization window field descriptions 10-28

AIC

policy configuration 9-35

signatures (example) 9-36

AIC engine

AIC FTP B-11

AIC HTTP B-11

described B-11

features B-11

signature categories 9-28

AIC FTP engine parameters (table) B-12

AIC HTTP engine parameters (table) B-11

AIC policy enforcement

default configuration 9-29, B-11

described 9-29, B-10

sensor oversubscription 9-29, B-11

AIM-IPS

initializing 21-12

installing system image 24-21

logging in 22-4

session command 22-4

sessioning 22-3, 22-4

setup command 21-12

time sources 6-7, C-16

AIP SSM

password recovery 17-6, C-10

resetting the password 17-7, C-11

AIP-SSM

bypass mode 7-25

Deny Connection Inline 11-10, C-70

Deny Packet Inline 11-10, C-70

initializing 21-15

installing system image 24-25

logging in 22-6

Normalizer engine B-23, C-69

recovering C-66

reimaging 24-24

Reset TCP Connection 11-10, C-70

resetting C-66

session command 22-6

setup command 21-15

TCP reset packets 11-10, C-70

time sources 6-7, C-17

Alarm Channel described 11-6, A-26

alert and log actions (list) 11-8

alert behavior normal 10-25

alert frequency

aggregation 9-19

configuring 9-19

controlling 9-19

modes B-6

Allowed Hosts/Networks pane

configuring 6-5

described 6-4

field descriptions 6-5

alternate TCP reset interface configuration restrictions 7-8

Analysis Engine

described 8-2

error messages C-23

IDM exits C-55

virtual sensors 8-2

anomaly detection

asymmetric environment 12-2

caution 12-2

configuration sequence 12-4

default configuration (example) 12-4

described 12-2

detect mode 12-3

disabling 12-36, C-20

event actions 12-6, B-50

inactive mode 12-3

learning accept mode 12-3

learning process 12-3

limiting false positives 12-12, 18-16

protocols 12-2

signatures 12-6

signatures (table) 12-6, B-50

worm attacks 12-12, 18-16

worms 12-2

zones 12-4

Anomaly Detection pane

button functions 18-16

field descriptions 18-16

overview 18-15

user roles 18-15

anomaly detection policies

ad0 12-8

adding 12-9

cloning 12-9

default policy 12-8

deleting 12-9

user roles 12-8

Anomaly Detections pane

described 12-8

field descriptions 12-8

user roles 12-8

appliances

application partition image 24-11

GRUB menu 17-4, C-8

initializing 21-7

logging in 22-1

password recovery 17-4, C-8

terminal servers

described 22-2, 24-13

setting up 22-2, 24-13

time sources 6-6, C-16

upgrading recovery partition 24-5

Application Inspection and Control. See AIC.

application partition

described A-3

image recovery 24-11

application policy enforcement

described 9-29, B-10

disabled (default) 9-29

application XML format A-2

applying software updates C-52

ARC

ACLs 14-18, A-13

authentication A-14

blocking

application 14-2

connection-based A-16

not occurring for signature C-42

unconditional blocking A-16

block response A-13

Catalyst 6000 series switch

VACL commands A-18

VACLs described A-18

Catalyst switches

VACLs described A-15

VLANs described A-15

checking status 14-3, 14-4

described A-3

design 14-2

device access issues C-39

enabling SSH C-41

features A-13

firewalls

AAA A-17

connection blocking A-17

NAT A-18

network blocking A-17

postblock ACL A-15

preblock ACL A-15

shun command A-17

TACACS+ A-18

formerly Network Access Controller 14-1, 14-3

functions 14-2

illustration A-12

inactive state C-37

interfaces A-13

maintaining states A-16

managed devices 14-7

master blocking sensors A-13

maximum blocks 14-2

misconfigured master blocking sensor C-43

nac.shun.txt file A-16

NAT addressing A-14

number of blocks A-14

postblock ACL A-15

preblock ACL A-15

prerequisites 14-5

rate limiting 14-4

responsibilities A-12

single point of control A-14

SSH A-13

supported devices 14-5, A-15

Telnet A-13

troubleshooting C-36

VACLs A-13

verifying device interfaces C-41

verifying status C-37

ARP

Layer 2 signatures B-13

protocol B-13

ARP spoof tools

dsniff B-13

ettercap B-13

ASDM

resetting passwords C-12

ASDM resetting passwords 17-8

Assign Actions dialog box

button functions 9-9

field descriptions 9-9

assigning actions to signatures 9-17

asymmetric

environment and anomaly detection 12-2

traffic and disabling anomaly detection 12-36, C-20

Atomic ARP engine

described B-13

parameters (table) B-13

Atomic IP engine

described 10-14, B-13

parameters (table) B-13

Atomic IPv6 engine

described B-14

Neighborhood Discovery protocol B-14

signatures B-14

signatures (table) B-15

attack relevance rating

calculating risk rating 8-5, 11-3

described 8-5, 11-3

Attack Response Controller

described A-3

formerly known as Network Access Controller A-3

Attack Response Controller. See ARC.

attack severity rating

calculating risk rating 8-5, 11-3

described 8-5, 11-3

Attacks Over Time gadgets

configuring 3-11

described 3-11

authenticated NTP 6-6, 6-13, C-16

AuthenticationApp

authenticating users A-20

described A-3

login attempt limit A-20

method A-20

responsibilities A-20

secure communications A-21

sensor configuration A-20

Authorized Keys pane

configuring 13-3

described 13-2

field descriptions 13-3

RSA authentication 13-2

RSA key generation tool 13-4

Auto/Cisco.com Update pane

button functions 17-18

configuring 17-19

described 17-16

field descriptions 17-18

UNIX-style directory listings 17-17

user roles 17-16

automatic setup 21-1

automatic updates

Cisco.com 17-16

servers

FTP 17-16

SCP 17-16

troubleshooting C-53

automatic upgrade

information required 24-6

autonegotiation and hardware bypass 7-11

auto-upgrade-option command 24-6

B

backing up

configuration C-3

current configuration C-4, C-5

BackOrifice. See BO.

BackOrifice 2000. See BO2K.

BackOrifice see BO

basic setup 21-3

blocking

described 14-2

disabling 14-7

master blocking sensor 14-24

necessary information 14-3

not occurring for signature C-42

prerequisites 14-5

supported devices 14-5

types 14-2

Blocking Devices pane

configuring 14-15

described 14-14

field descriptions 14-14

ssh host-key command 14-15

Blocking Properties pane

adding a host never to be blocked 14-10

configuring 14-9

described 14-7

field descriptions 14-8

BO

described B-52

Trojans B-52

BO2K

described B-52

Trojans B-52

Bug Toolkit

described C-1

URL C-1

bypass mode

AIP-SSM 7-25

described 7-24

Bypass pane

field descriptions 7-24

user roles 7-24

C

calculating risk rating

attack relevance rating 8-5, 11-3

attack severity rating 8-5, 11-3

promiscuous delta 8-5, 11-3

signature fidelity rating 8-5, 11-3

target value rating 8-5, 11-3

watch list rating 8-5, 11-3

cannot access sensor C-24

Cat 6K Blocking Device Interfaces pane

configuring 14-23

described 14-21

field descriptions 14-22

CDP described 7-27

CDP Mode pane

configuring 7-27

field descriptions 7-27

certificates

displaying 13-11

generating 13-11

IDM 13-8

changing Microsoft IIS to UNIX-style directory listings 17-17

cidDump and obtaining information C-93

CIDEE

defined A-33

example A-34

IPS extensions A-33

protocol A-33

supported IPS events A-34

cisco

default password 22-1

default username 22-1

Cisco.com

accessing software 23-2

downloading software 23-1

IPS software 23-1, 23-3

software downloads 23-1

Cisco IOS and rate limiting 14-4

Cisco IPS software

6.1 files 24-3

new features A-3

Cisco Security Intelligence Operations

described 23-9

URL 23-9

Cisco Services for IPS

service contract 17-12

supported products 17-12

clear events command 6-11, 6-16, 18-4, C-18, C-93

Clear Flow State pane described 18-26

clearing

events 6-16, 18-4, C-93

flow states 18-27

statistics C-79

clear password command 17-6, 17-9, C-10, C-13

CLI described A-3, A-27

clock set command 6-15

Clone Event Action Rules dialog box field descriptions 11-11

Clone Policy dialog box field descriptions 9-2, 12-8

Clone Signature dialog box field descriptions 9-8

cloning

anomaly detection policies 12-9

event action rules policies 11-12

signature definition policies 9-3

signatures 9-14

color rules described 19-2

command and control interface

described 7-2

list 7-2

commands

auto-upgrade-option 24-6

clear events 6-11, 6-16, 18-4, C-18, C-93

clear password 17-6, 17-9, C-10, C-13

clock set 6-15

copy backup-config C-3

copy current-config C-3

debug module-boot C-66

downgrade 24-10

hw-module module 1 reset C-66

hw-module module slot_number password-reset 17-6, C-11

session 22-4, 22-9

setup 21-1, 21-3, 21-7, 21-12, 21-15, 21-20, 21-24

show events C-90

show health C-71

show module 1 details C-65

show settings 17-11, C-15

show statistics C-78

show statistics virtual-sensor C-23, C-78

show tech-support C-72

show version C-76

upgrade 24-3, 24-5

Compare Knowledge Bases dialog box field descriptions 18-19

comparing KBs 18-19, 18-20

configuration files

backing up C-3

merging C-3

configuration restrictions

alternate TCP reset interface 7-8

inline interface pairs 7-8

inline VLAN pairs 7-8

interfaces 7-8

physical interfaces 7-8

VLAN groups 7-9

Configured OS Map dialog box user roles 8-20, 11-20

Configure Summertime dialog box field descriptions 5-4, 6-9

configuring

active host blocks 18-7

AIC policy parameters 9-35

allowed hosts 6-5

allowed networks 6-5

application policy 9-36

Attacks Over Time gadgets 3-11

authorized keys 13-3

automatic upgrades 24-8

blocking devices 14-15

blocking properties 14-9

Cat 6K blocking device interfaces 14-23

CDP Mode 7-27

CPU, Memory, & Load gadgets 3-9

CSA MC IPS interfaces 16-4

device login profiles 14-13

event action filters 8-15, 11-17

events 18-3

event variables 8-25, 11-26

external zone 12-33

general settings 8-29, 11-31

illegal zone 12-26

inline VLAN pairs 5-10

interface pairs 7-18

interfaces 7-16

Interface Status gadgets 3-6

internal zone 12-18

IP fragment reassembly signatures 9-39

IP logging 18-14

known host keys 13-6

learning accept mode 12-13

Licensing gadgets 3-6

maintenance partition

IDSM-2 (Catalyst software) 24-29

IDSM-2 (Cisco IOS software) 24-33

master blocking sensor 14-26

network blocks 18-9

Network Security gadgets 3-7

network settings 6-3

NTP servers 6-12

operation settings 12-10

OS maps 8-22, 11-24

rate limiting 18-11

rate limiting devices 14-15

risk categories 8-27, 11-28

router blocking device interfaces 14-20

RSS Feed gadgets 3-9

Sensor Health gadgets 3-5

Sensor Information gadgets 3-4

Sensor Setup window 5-4

sensor to use NTP 6-14

SNMP 15-3

SNMP traps 15-5

target value rating 8-17

TCP fragment reassembly parameters 9-46

time 6-10

Top Applications gadgets 3-8

Top Attackers gadgets 3-10

Top Signatures gadgets 3-11

Top Victims gadgets 3-10

traffic flow notifications 7-26

trusted hosts 13-10

upgrades 24-4

users 6-18

VLAN groups 7-23

VLAN pairs 7-20

configuring traffic flow notifications user roles 7-27

control transactions

characteristics A-8

request types A-8

copy backup-config command C-3

copy current-config command C-3

correcting time on the sensor 6-11, C-18

CPU, Memory, & Load gadgets

configuring 3-9

described 3-8

creating

custom signatures

not using signature engines 10-3

Service HTTP 10-16

String TCP 10-21

using signature engines 10-1

Meta signatures 9-21

Post-Block VACLs 14-21

Pre-Block VACLs 14-21

service account C-6

cryptographic account

Encryption Software Export Distribution Authorization from 23-2

obtaining 23-2

cryptographic features for IME 1-1

CSA MC

adding interfaces 16-7

configuring IPS interfaces 16-4

host posture events 16-1, 16-3

quarantined IP address events 16-1

supporting IPS interfaces 16-3

CtlTransSource

described A-2, A-11

illustration A-11

current

configuration backup C-3

KB setting 18-21

custom signatures

described 9-5

Meta signature 9-21

Custom Signature Wizard

Alert Response window field descriptions 10-25

Atomic IP Engine Parameters window field descriptions 10-14

described 10-1

ICMP Traffic Type window field descriptions 10-12

Inspect Data window field descriptions 10-12

MSRPC Engine Parameters window field descriptions 10-12

no signature engine sequence 10-3

protocols 10-11

Protocol Type window field descriptions 10-11

Service HTTP Engine Parameters window field descriptions 10-15

Service RPC Engine Parameters window field descriptions 10-18

Service Type window field descriptions 10-13

signature engine sequence 10-1

signature identification 10-11

Signature Identification window field descriptions 10-11

State Engine Parameters window field descriptions 10-19

String ICMP Engine Parameters window field descriptions 10-20

String TCP Engine Parameters window field descriptions 10-20

String UDP Engine Parameters window field descriptions 10-23

Sweep Engine Parameters window field descriptions 10-24

TCP Sweep Type window field descriptions 10-13

TCP Traffic Type window field descriptions 10-13

UDP Sweep Type window field descriptions 10-13

UDP Traffic Type window field descriptions 10-13

Welcome window field descriptions 10-10

D

Dashboard pane gadgets 3-1

data structures (examples) A-7

DDoS

protocols B-52

Stacheldraht B-52

TFN B-52

debug logging

described C-44

enabling C-45

zone names C-48

debug-module-boot command C-66

default

KB filename 12-11

password 22-1

username 22-1

virtual sensor vs0 8-2

default policies

ad0 12-8

rules0 11-11

sig0 9-2

defaults restoring 17-23

deleting

anomaly detection policies 12-9

event action filters 8-15, 11-17

event action overrides 11-14

event action rules policies 11-12

event variables 8-25, 11-26

imported OS values 18-26

KBs 18-22

learned OS values 18-25

OS maps 8-22, 11-24

risk categories 8-27, 11-28

signature definition policies 9-3

signature variables 9-25

target value rating 8-17

virtual sensors 8-11

Demo mode IME 1-5

Denial of Service. See DoS.

denied attackers

adding 18-5

clearing list 18-5

hit count 18-4

resetting hit counts 18-5

Denied Attackers pane

described 18-4

field descriptions 18-4

user roles 18-4

using 18-5

deny actions (list) 11-8

Deny Packet Inline described 8-10, 11-10, B-8

detect mode (anomaly detection) 12-3

device access issues C-39

Device Details pane described 2-1

Device List pane

described 2-1

field descriptions 2-2

Device Login Profiles pane

configuring 14-13

described 14-11

field descriptions 14-12

devices

adding 2-3

deleting 2-3

editing 2-3

devices tools

DNS lookup 2-5

ping 2-5

traceroute 2-5

whois 2-5

Diagnostics Report pane

button functions 18-29

described 18-29

user roles 18-28

using 18-29

diagnostics reports 18-29

Differences between knowledge bases KB_Name and KB_Name window field descriptions 18-19

disabling

anomaly detection 12-36, C-20

blocking 14-7

interfaces 7-16

password recovery 17-10, C-14

disaster recovery C-6

displaying

events C-91

health status C-71

password recovery setting 17-11, C-15

statistics C-79

tech support information C-73

version C-76

Distributed Denial of Service. See DDoS.

DoS tools (stick) B-6

downgrade command 24-10

downgrading sensors 24-10

downloading

KBs 18-23

software 23-1

Download Knowledge Base From Sensor dialog box

described 18-23

field descriptions 18-23

duplicate IP addresses C-27

E

Edit Actions dialog box field descriptions 9-9

Edit Allowed Host dialog box

field descriptions 6-5

user roles 6-4

Edit Authorized Key dialog box

field descriptions 13-3

user roles 13-2

Edit Blocking Device dialog box

field descriptions 14-15

user roles 14-14

Edit Cat 6K Blocking Device Interface dialog box

field descriptions 14-23

user roles 14-21

Edit Configured OS Map dialog box field descriptions 8-21, 11-23

Edit Destination Port dialog box field descriptions 12-16, 12-17, 12-23, 12-24, 12-30, 12-31

Edit Device dialog box field descriptions 2-3

Edit Device Login Profile dialog box

field descriptions 14-12

user roles 14-11

Edit Event Action Filter dialog box

field descriptions 8-14, 11-16

user roles 8-13, 11-15

Edit Event Action Override dialog box

field descriptions 8-10, 11-13

user roles 8-10, 11-13

Edit Event Variable dialog box

field descriptions 8-24, 11-26

user roles 8-24, 11-25

Edit External Product Interface dialog box

field descriptions 16-6

user roles 16-5

Edit Filter dialog box field descriptions 3-15

Edit Histogram dialog box field descriptions 12-16, 12-17, 12-23, 12-25, 12-31, 12-32

editing

event action filters 8-15, 11-17

event action overrides 11-14

event variables 8-25, 11-26

interfaces 7-16

OS maps 8-22, 11-24

risk categories 8-27, 11-28

signatures 9-16

signature variables 9-25

target value rating 8-17

virtual sensors 8-11

Edit Inline VLAN Pair dialog box field descriptions 5-10, 7-20

Edit Interface dialog box field descriptions 7-15

Edit Interface Pair dialog box field descriptions 7-18

Edit IP Logging dialog box field descriptions 18-14

Edit Known Host Key dialog box

field descriptions 13-5

user roles 13-4

Edit Master Blocking Sensor dialog box

field descriptions 14-26

user roles 14-24

Edit Never Block Address dialog box

field descriptions 14-10

user roles 14-7

Edit Posture ACL dialog box field descriptions 16-7

Edit Protocol Number dialog box field descriptions 12-18, 12-25, 12-32

Edit Risk Level dialog box field descriptions 8-27, 11-28

Edit Router Blocking Device Interface dialog box

field descriptions 14-19

user roles 14-16

Edit Signature dialog box field descriptions 9-8

Edit Signature Variable dialog box

field descriptions 9-25

user roles 9-24

Edit SNMP Trap Destination dialog box field descriptions 15-4

Edit Target Value Rating dialog box

field descriptions 8-17, 11-19

user roles 8-17, 11-19

Edit User dialog box

field descriptions 6-17

user roles 6-16

Edit Virtual Sensor dialog box

field descriptions 8-9

user roles 8-9

Edit VLAN Group dialog box field descriptions 7-22

enabling

debug logging C-45

event action filters 8-15, 11-17

event action overrides 11-14

interfaces 7-16

Encryption Software Export Distribution Authorization form

cryptographic account 23-2

described 23-2

EPS in Home pane 1-2

evAlert A-8

event action filters

adding 8-15, 11-17

configuring 8-15, 11-17

deleting 8-15, 11-17

described 8-13, 11-4

editing 8-15, 11-17

enabling 8-15, 11-17

Event Action Filters tab

button functions 11-15

configuring 8-15, 11-17

described 8-13, 11-15

field descriptions 8-13, 11-15

event action overrides

adding 11-14

deleting 11-14

described 8-4, 11-4

editing 11-14

enabling 11-14

Event Action Overrides tab

described 11-13

field descriptions 11-13

event action rules

described 11-2

functions 11-2

Event Action Rules pane

described 11-11

field descriptions 11-11

user roles 11-11

event action rules policies

adding 11-12

cloning 11-12

deleting 11-12

events

configuring display 18-3

displaying C-91

host posture 16-1

quarantined IP address 16-2

types C-89

Events pane

configuring 18-3

described 18-2

field descriptions 18-2

event status

displaying 2-4

starting 2-4

stopping 2-4

Event Store

clearing events 6-11, C-18

data structures A-7

described A-2

examples A-7

responsibilities A-7

timestamp A-7

event variables

adding 8-25, 11-26

configuring 8-25, 11-26

deleting 8-25, 11-26

editing 8-25, 11-26

example 8-24, 11-25

Event Variables tab

configuring 8-25, 11-26

described 8-24, 11-25

field descriptions 8-24, 11-26

Event Viewer

described 19-1

field descriptions 18-3

event views

working with 19-4

evError A-8

evLogTransaction A-8

evShunRqst A-8

evStatus A-8

examples

ASA failover configuration C-68

external product interfaces

adding 16-7

described 16-1

issues 16-3, C-21

troubleshooting 16-10, C-22

trusted hosts 16-5

External Product Interfaces pane

described 16-5

field descriptions 16-5

external zone

configuring 12-33

protocols 12-29

user roles 12-29

External Zone tab

described 12-29

tabs 12-29

user roles 12-29

F

fail-over testing 7-10

false positives described 9-4

files

Cisco IPS 6.1 24-3

IDSM2 password recovery 17-9, C-13

Filter pane field descriptions 19-3

filters

configuring 3-16, 19-6

described 19-2

Fixed engine described B-15

Fixed ICMP engine parameters (table) B-16

Fixed TCP engine parameters (table) B-17

Fixed UDP engine parameters (table) B-18

Flood engine described B-18

Flood Host engine parameters (table) B-19

Flood Net engine parameters (table) B-19

flow states clearing 18-27

FTP servers supported 17-17, 24-2

G

gadgets

Attacks Over Time 3-11

CPU, Memory, & Load 3-8

Interface Status 3-6

Licensing 3-5

Network Security 3-7

RSS Feed 3-9

Sensor Health 3-4

Sensor Information 3-3

Top Applications 3-8

Top Attackers 3-9

Top Signatures 3-11

Top Victims 3-10

general settings

configuring 8-29, 11-31

described 8-28, 11-29

General tab

configuring 8-29, 11-31

described 8-28, 11-29, 12-15, 12-22

enabling zones 12-15, 12-22

field descriptions 8-29, 11-30

user roles 8-28, 11-29

generating diagnostics reports 18-29

Global Variables pane field description 17-16

Grouping events described 19-2

GRUB menu password recovery 17-4, C-8

H

H.225.0 protocol B-28

H.323 protocol B-28

hardware bypass

autonegotiation 7-11

configuration restrictions 7-10

fail-over 7-10

IPS 4270-20 7-10

supported configurations 7-10

with software bypass 7-10

health status

displaying 2-4, C-71

starting 2-4

stopping 2-4

Home pane and EPS 1-2

host posture events

CSA MC 16-3

described 16-1

HTTP/HTTPS servers supported 17-17, 24-2

HTTP deobfuscation

ASCII normalization 10-15, B-31

described 10-15, B-31

hw-module module 1 reset command C-66

hw-module module slot_number password-reset command 17-6, C-11

I

IDAPI

communications A-3, A-30

described A-3

functions A-30

illustration A-30

responsibilities A-30

IDCONF

described A-32

example A-32

RDEP2 A-32

XML A-32

IDIOM

defined A-32

messages A-32

IDM

Analysis Engine is busy C-55

certificates 13-8

Signature Wizard unsupported signature engines 10-2

TLS 13-8

will not load C-55

IDSM-2

command and control port C-63

configuring

maintenance partition (Catalyst software) 24-29

maintenance partition (Cisco IOS software) 24-33

initializing 21-20

installing

system image (Catalyst software) 24-27

system image (Cisco IOS software) 24-28, 24-29

logging in 22-7

reimaging 24-27

setup command 21-20

supported configurations C-59

time sources 6-7, C-16

upgrading

maintenance partition (Catalyst software) 24-37

maintenance partition (Cisco IOS software) 24-37

IDSM2

password recovery 17-8, C-13

password recovery image file 17-9, C-13

TCP reset port C-64

illegal zone

configuring 12-26

user roles 12-22

Illegal Zone tab

described 12-22

user roles 12-22

IME

color rules 19-2

configuring

filters 3-16, 19-6

RSS feeds 4-2

views 3-16, 19-6

cryptographic features 1-1

Demo mode 1-5

described 1-1

devices

adding 2-3

deleting 2-3

editing 2-3

EPS 1-2

event status

starting 2-4

stopping 2-4

Event Viewer 19-1

filtering 19-2

gadgets 3-1

grouping events 19-2

health status

displaying 2-4

starting 2-4

stopping 2-4

Home pane described 1-2

installing 1-5

IPS versions 1-3

menu features 1-2

MySQL database 1-4

replacing IEV 1-1

reports

configuring 20-2

described 20-1

generating 20-2

report types 20-1

supported platforms 1-3

system requirements 1-3

time synchronization problems C-57

using event views 19-4

video help 1-2

working with

top attacker IP addresses 3-12

top signatures 3-13

top victim IP addresses 3-12

Imported OS pane

clearing 18-26

described 18-25

field descriptions 18-26

imported OS values

clearing 18-26

deleting 18-26

inactive mode (anomaly detection) 12-3

initializing

AIM-IPS 21-12

AIP-SSM 21-15

appliances 21-7

IDSM-2 21-20

NME-IPS 21-24

sensors 21-1, 21-3

user roles 21-1

verifying 21-27

inline interface pairs

configuration restrictions 7-8

described 7-12

Inline Interface Pair window

described 5-8

Startup Wizard 5-8

inline VLAN pair mode

described 7-12

supported sensors 7-12

inline VLAN pairs

configuration restrictions 7-8

configuring 5-10

Inline VLAN Pairs pane

user roles 7-19

Inline VLAN Pairs window

described 5-9

field descriptions 5-9

Startup Wizard 5-9

installer major version 23-5

installer minor version 23-5

installing

IME 1-5

sensor license 17-14

system image

AIP-SSM 24-25

IDSM-2 (Catalyst software) 24-27

IDSM-2 (Cisco IOS software) 24-28, 24-29

IPS-4240 24-14

IPS-4255 24-14

IPS-4260 24-17

IPS 4270-20 24-19

NME-IPS 24-38

InterfaceApp

described A-19

interactions A-19

NIC drivers A-19

InterfaceApp described A-2

interface pairs

configuring 7-18

described 7-17

Interface Pairs pane

configuring 7-18

described 7-17

field descriptions 7-17

user roles 7-17

interfaces

alternate TCP reset 7-2

command and control 7-2

configuration restrictions 7-8

configuring 7-16

described 5-7, 7-1

disabling 7-16

editing 7-16

enabling 7-16

logical 5-7

physical 5-7

port numbers 7-1

sensing 7-2, 7-3

slot numbers 7-1

support (table) 7-4

TCP reset 7-6

VLAN groups 7-2

Interface Selection window

described 5-8

Startup Wizard 5-8

Interfaces pane

configuring 7-16

described 7-14

field descriptions 7-14

user roles 7-14

Interface Status gadgets

configuring 3-6

described 3-6

Interface Summary window described 5-7

internal zone

configuring 12-18

user roles 12-15

Internal Zone tab

described 12-15

user roles 12-15

IP fragmentation described B-22

IP fragment reassembly

configuring 9-38

described 9-37, B-22

mode 9-38

parameters (table) 9-37

signature (example) 9-39

signatures 9-39

signatures (table) 9-37

IP logging

described 9-47, 18-12

event actions 18-13

system performance 18-13

IP Logging pane

configuring 18-14

described 18-13

field descriptions 18-13

user roles 18-13

IP Logging Variables pane described 17-16

IP logs

circular buffer 18-12

Ethereal 18-13

states 18-12

TCP Dump 18-13

viewing 18-14

IPS

external communications A-30

internal communications A-30

IPS-4240

installing system image 24-14

password recovery 17-5, C-9

reimaging 24-14

IPS-4255

installing system image 24-14

password recovery 17-5, C-9

reimaging 24-14

IPS-4260

installing system image 24-17

reimaging 24-17

IPS 4270-20

hardware bypass 7-10

installing system image 24-19

reimaging 24-19

IPS appliances

Deny Connection Inline 11-10, C-70

Deny Packet Inline 11-10, C-70

Reset TCP Connection 11-10, C-70

TCP reset packets 11-10, C-70

IPS applications

summary A-35

table A-35

XML format A-2

IPS data

types A-8

XML document A-8

IPS events

evAlert A-8

evError A-8

evLogTransaction A-8

evShunRqst A-8

evStatus A-8

listed A-8

types A-8

IPS Manager Express described 1-1

IPS modules

time synchronization 6-8, C-17

unsupported features 5-7

IPS Policies pane

described 8-7

field descriptions 8-8

IPS software

application list A-2

available files 23-1, 23-3

configuring device parameters A-4

directory structure A-34

Linux OS A-1

obtaining 23-1, 23-3

platform-dependent release examples 23-6

retrieving data A-4

security features A-5

tuning signatures A-4

updating A-4

user interaction A-4

versioning scheme 23-3

IPS software file names

major updates (illustration) 23-4

minor updates (illustration) 23-4

patch releases (illustration) 23-4

service packs (illustration) 23-4

IPS versions for IME 1-3

IPv6 described B-14

K

KBs

comparing 18-20

default filename 12-11

deleting 18-22

described 12-3

downloading 18-23

histogram 12-12, 18-15

initial baseline 12-3

learning accept mode 12-11

loading 18-21

monitoring 18-18

renaming 18-22

saving 18-21

scanner threshold 12-12, 18-15

tree structure 12-12, 18-15

uploading 18-24

Knowledge Base. See KB.

Known Host Keys pane

configuring 13-6

describing 13-5

field descriptions 13-5

L

Learned OS pane

clearing 18-25

described 18-25

field descriptions 18-25

learned OS values

clearing 18-25

deleting 18-25

learning accept mode

anomaly detection 12-3

configuring 12-13

user roles 12-11

Learning Accept Mode tab

described 12-11

field descriptions 12-13

user roles 12-11

license files

BSD license D-3

expat license D-12

GNU Lesser license D-22

GNU license D-17

license key

status 17-12

trial 17-12

licensing

described 17-12

IPS device serial number 17-12

Licensing gadgets

configuring 3-6

described 3-5

Licensing pane

configuring 17-14

described 17-12

field descriptions 17-13

user roles 17-11

limitations for concurrent CLI sessions 22-1

listings UNIX-style 17-17

loading KBs 18-21

Logger

described A-2, A-19

functions A-19

syslog messages A-19

logging in

AIM-IPS 22-4

AIP-SSM 22-6

appliances 22-1

IDSM-2 22-7

NME-IPS 22-9

sensors

SSH 22-10

Telnet 22-10

terminal servers 22-2, 24-13

LOKI

described B-52

protocol B-52

loose connections on sensors C-22

M

MainApp

components A-5

described A-2, A-5

host statistics A-6

responsibilities A-6

show version command A-6

maintenance partition

configuring

IDSM-2 (Catalyst software) 24-29

IDSM-2 (Cisco IOS software) 24-33

described A-3

major updates described 23-3

Manage Filter Rules dialog box field descriptions 3-14

managing rate limiting 18-11

manual block to bogus host C-41

master blocking sensor

described 14-24

not set up properly C-43

Master Blocking Sensor pane

configuring 14-26

described 14-24

field descriptions 14-25

Master engine

alert frequency B-6

alert frequency parameters (table) B-6

described B-3

event actions B-7

general parameters (table) B-3

universal parameters B-3

master engine parameters

obsoletes B-5

promiscous delta B-5

vulnerable OSes B-6

merging configuration files C-3

Meta engine

described 9-21, B-19

parameters (table) B-20

Signature Event Action Processor 9-21, B-19

Meta Event Generator described 8-28, 11-29

MIBs supported 15-6, C-19

minor updates described 23-3

Miscellaneous tab

button functions 9-27

configuring

application policy 9-35

IP fragment reassembly mode 9-38

IP logging 9-47

TCP stream reassembly mode 9-45

described 9-26

field descriptions 9-27

user roles 9-26

modes

anomaly detection detect 12-3

anomaly detection inactive 12-3

anomaly detection learning accept 12-3

bypass 7-24

inline interface pair 7-12

inline VLAN pair 7-12

promiscuous 7-11

VLAN Groups 7-12

modify packets inline modes 8-3

monitoring

events 18-3

KBs 18-18

moving OS maps 8-22, 11-24

Multi String engine

described B-20

parameters (table) B-21

Regex B-20

MySDN described 9-5

MySQL database and IME 1-4

N

Neighborhood Discovery

options B-14

types B-14

Network Blocks pane

configuring 18-9

described 18-8

field descriptions 18-9

user roles 18-8

Network pane

configuring 6-3

described 6-1

field descriptions 6-2

TLS/SSL 6-3

user roles 6-1

Network Security gadgets

configuring 3-7

described 3-7

network security health data resetting 18-28

Network Timing Protocol. See NTP.

never block

hosts 14-7

networks 14-7

NME-IPS

initializing 21-24

installing system image 24-38

logging in 22-9

reimaging 24-38

session command 22-9

sessioning 22-8, 22-9

setup command 21-24

time sources 6-7, C-16

Normalizer engine

described B-22

IP fragment reassembly B-22

parameters (table) B-24

TCP stream reassembly B-22

Normalizer mode described 8-4

NotificationApp

alert information A-9

described A-3

functions A-9

SNMP gets A-9

SNMP traps A-9

statistics A-10

system health information A-10

NTP

authenticated 6-6, 6-13, C-16

configuring servers 6-12

described 6-6, C-16

incorrect configuration 6-8, C-17

sensor time source 6-12, 6-13

time synchronization 6-6, C-16

unauthenticated 6-6, 6-13, C-16

O

obsoletes field described B-5

obtaining

cryptographic account 23-2

IPS software 23-1

one-way TCP reset described 8-28, 11-30

operation settings

configuring 12-10

user roles 12-10

Operation Settings tab

described 12-10

field descriptions 12-10

user roles 12-10

OS Identifications tab

described 8-20, 11-20

field descriptions 8-21, 11-23

OS maps

adding 8-22, 11-24

configuring 8-22, 11-24

deleting 8-22, 11-24

editing 8-22, 11-24

moving 8-22, 11-24

other actions (list) 11-9

Other Protocols tab

described 12-25, 12-32

describing 12-17

enabling other protocols 12-17

external zone 12-32

field descriptions 12-17, 12-32

illegal zone 12-25

P

P2P networks described B-35

partitions

application A-3

maintenance A-3

recovery A-3

passive OS fingerprinting

components 8-19, 11-21

configuring 8-20, 11-22

described 8-19, 11-21

password policy caution 17-2, 17-3

password recovery

AIP SSM 17-6, C-10

appliances 17-4, C-8

CLI 17-10, C-14

described 17-3, C-8

disabling 17-10, C-14

GRUB menu 17-4, C-8

IDSM2 17-8, C-13

IPS-4240 17-5, C-9

IPS-4255 17-5, C-9

platforms 17-3, C-8

ROMMON 17-5, C-9

troubleshooting 17-11, C-15

verifying 17-11, C-15

password requirement configuration 17-2

Passwords pane

described 17-1

field descriptions 17-2

patch releases described 23-3

peacetime learning (anomaly detection) 12-3

Peer-to-Peer. See P2P.

physical connectivity issues C-30

physical interfaces configuration restrictions 7-8

platforms and concurrent CLI sessions 22-1

policies and platform limitations 9-2, 12-8

Post-Block ACLs 14-17, 14-18

Pre-Block ACLs 14-17, 14-18

prerequisites for blocking 14-5

promiscuous delta

calculating risk rating 8-5, 11-3

described 8-5, 11-3

promiscuous delta described B-5

promiscuous mode

described 7-11

packet flow 7-11

protocols

ARP B-13

CIDEE A-33

Custom Signature Wizard 10-11

DCE 10-12, B-33

DDoS B-52

H.323 B-28

H225.0 B-28

IDAPI A-30

IDCONF A-32

IDIOM A-32

IPv6 B-14

LOKI B-52

MSSQL B-35

Neighborhood Discovery B-14

Q.931 B-29

RDEP2 A-30

RPC 10-12, B-33

SDEE A-33

Q

Q.931 protocol

described B-29

SETUP messages B-29

quarantined IP address events described 16-2

R

rate limiting

ACLs 14-4

configuring 18-11

described 14-4

managing 18-11

percentages 18-10

routers 14-4

service policies 14-4

supported signatures 14-4

Rate Limits pane

described 18-10

field descriptions 18-10

RDEP2

functions A-30

messages A-30

responsibilities A-31

RDEP event server deprecated A-22

rebooting the sensor 17-23

Reboot Sensor pane

configuring 17-23

described 17-23

user roles 17-23

recover command 24-11

recovering

AIP-SSM C-66

application partition image 24-11

recovery partition

described A-3

upgrading 24-5

Regular Expression. See Regex.

regular expression syntax signatures B-8

reimaging

AIP-SSM 24-24

appliances 24-11

described 24-1

IDSM-2 24-27

IPS-4240 24-14

IPS-4255 24-14

IPS-4260 24-17

IPS 4270-20 24-19

NME-IPS 24-38

sensors 24-1

removing

last applied

service pack 24-10

signature update 24-10

renaming KBs 18-22

reports

configuring 20-2

described 20-1

generating 20-2

report types

Attacks Over Time 20-1

Top Attackers 20-1

Top Signatures 20-1

Top Victim 20-1

Reset Network Security Health pane

described 18-28

field descriptions 18-28

reset not occurring for a signature C-50

resetting

AIP-SSM C-66

network security health data 18-28

passwords

ASDM 17-8, C-12

hw-module command 17-6, C-11

resetting the password

AIP SSM 17-7, C-11

Restore Default Interface dialog box field descriptions 5-8

Restore Defaults pane

configuring 17-23

described 17-23

user roles 17-23

restoring

defaults 17-23

restoring the current configuration C-4, C-5

retiring signatures 9-12

retrieving events through RDEP2 (illustration) A-31

risk categories

adding 8-27, 11-28

configuring 8-27, 11-28

deleting 8-27, 11-28

editing 8-27, 11-28

Risk Category tab

configuring 8-27, 11-28

described 8-26, 11-27

field descriptions 8-26, 11-28

risk rating

calculating 8-4, 11-2

described 8-19, 11-21

ROMMON

described 24-12

IPS-4240 24-14

IPS-4255 24-14

IPS-4260 24-17

IPS-4270 24-17

IPS 4270-20 24-19

password recovery 17-5, C-9

remote sensors 24-12

serial console port 24-12

TFTP 24-13

round-trip time. See RTT.

Router Blocking Device Interfaces pane

configuring 14-20

described 14-17

field descriptions 14-19

RPC portmapper 10-18, B-36

RSS Feed gadgets

configuring 3-9

described 3-9

RSS feeds

channels 4-1

configuring 4-2

described 4-1

formats 4-1

RTT

described 24-13

TFTP limitation 24-13

rules0 pane described 11-12

S

Save Knowledge Base dialog box

described 18-21

field descriptions 18-21

saving KBs 18-21

scheduling automatic upgrades 24-8

SDEE

described A-33

HTTP A-33

protocol A-33

Server requests A-33

security

information on Cisco Security Intelligence Operations 23-9

security and SSH 13-1

security information

MySDN 9-5

security policies described 8-1, 9-1, 11-1, 12-1

sending commands through RDEP2 (illustration) A-31

sensing interfaces

described 7-3

interface cards 7-3

modes 7-3

sensor

blocking itself 14-7

not seeing packets C-33

process not running C-28

SensorApp

6.1 new features A-25

Alarm Channel A-24

Analysis Engine A-24

described A-3

event action filtering A-25

inline packet processing A-24

IP normalization A-24

packet flow A-25

processors A-22

responsibilities A-22

risk rating A-25

Signature Event Action Processor A-23

TCP normalization A-24

Sensor Health gadgets

configuring 3-5

described 3-4

Sensor Health pane

described 17-15

field descriptions 17-15

Sensor Information gadgets

configuring 3-4

described 3-3

Sensor Key pane

button functions 13-7

described 13-7

field descriptions 13-7

sensor SSH key

displaying 13-7

generating 13-7

user roles 13-7

sensors

access problems C-24

asymmetric traffic and disabling Anomaly Detection 12-36

asymmetric traffic and disabling anomaly detection C-20

configuring to use NTP 6-14

corrupted SensorApp configuration C-35

diagnostics reports 18-29

disaster recovery C-6

downgrading 24-10

incorrect NTP configuration 6-8, C-17

initializing 6-1, 21-1, 21-3

interface support 7-4

IP address conflicts C-27

license 17-14

logging in

SSH 22-10

Telnet 22-10

loose connections C-22

misconfigured access lists C-26

no alerts C-32, C-57

not seeing packets C-33

NTP time source 6-13

NTP time synchronization 6-6, C-16

partitions A-3

physical connectivity C-30

preventive maintenance C-2

rebooting 17-23

reimaging 24-1

restoring defaults 17-23

sensing process not running C-28

setting up 6-1

setup command 21-1, 21-3, 21-7

shutting down 17-24

statistics 18-30

system information 18-31

time sources 6-6, C-16

troubleshooting software upgrades C-54

updating 17-19, 17-21

using NTP time source 6-12

Sensor Setup window

described 5-2

Startup Wizard 5-2

Server Certificate pane

button functions 13-11

certificate

displaying 13-11

generating 13-11

described 13-11

field descriptions 13-11

user roles 13-11

service account

creating C-6

described 6-17, A-29, C-5

TAC A-29

troubleshooting A-29

Service DNS engine

described B-25

parameters (table) B-25

Service engine

described B-24

Layer 5 traffic B-24

Service FTP engine

described B-26

parameters (table) B-27

PASV port spoof B-26

Service Generic engine

described B-27

parameters (table) B-28

Service H225 engine

ASN.1PER validation B-29

described B-28

features B-29

parameters (table) B-30

TPKT validation B-29

Service HTTP engine

custom signature 10-16

described 10-15, B-31

example signature 10-16

parameters (table) B-31

Service IDENT engine

described B-33

parameters (table) B-33

service-module ids-sensor slot/port session command 22-3, 22-8

Service MSRPC engine

DCS/RPC protocol 10-12, B-33

described 10-12, B-33

parameters (table) B-34

Service MSSQL engine

described B-35

MSSQL protocol B-35

parameters (table) B-35

Service NTP engine

described B-35

parameters (table) B-35

Service P2P engine described B-36

service packs described 23-3

service role A-28

Service RPC engine

described 10-18, B-36

parameters (table) 10-18, B-36

RPC portmapper 10-18, B-36

Service SMB Advanced engine

described B-37

parameters (table) B-38

Service SNMP engine

described B-39

parameters (table) B-40

Service SSH engine

described B-40

parameters (table) B-40

Service TNS engine

described B-41

parameters (table) B-41

session command

AIM-IPS 22-4

AIP-SSM 22-6

IDSM-2 22-7

NME-IPS 22-9

sessioning

AIM-IPS 22-4

AIP-SSM 22-6

IDSM-2 22-7

NME-IPS 22-9

setting

current KB 18-21

system clock 6-15

setting up

sensors 6-1

terminal servers 22-2, 24-13

setup

automatic 21-1

simplified mode 21-1

setup command 21-1, 21-3, 21-7, 21-12, 21-15, 21-20, 21-24

show events command C-90

show health command C-71

show interfaces command C-88

show module 1 details command C-65

show settings command 17-11, C-15

show statistics command C-78

show statistics virtual-sensor command C-23, C-78

show tech-support command

described C-72

output C-73

show version command C-75, C-76

Shut Down Sensor pane

configuring 17-24

described 17-24

user roles 17-24

shutting down the sensor 17-24

sig0 pane

default 9-3

described 9-3

retiring signatures 9-12

signatures

assigning actions 9-17

cloning 9-14

disabling 9-12

enabling 9-12

tuning 9-15

tabs 9-3

Sig0 pane field descriptions 9-6

signature/virus update files described 23-4

signature definition policies

adding 9-3

cloning 9-3

default policy 9-2

deleting 9-3

sig0 9-2

Signature Definitions pane

described 9-2

field descriptions 9-2

signature engines

AIC B-10

Atomic B-12

Atomic ARP B-13

Atomic IP 10-14, B-13

Atomic IPv6 B-14

creating custom signatures 10-1

described B-1

event actions B-7

Fixed B-15

Flood B-18

Flood Host B-19

Flood Net B-19

list B-2

Master B-3

Meta 9-21, B-19

Multi String B-20

Normalizer B-22

Regex

patterns B-9

syntax B-8

Service B-24

Service DNS B-25

Service FTP B-26

Service Generic B-27

Service H225 B-28

Service HTTP 10-15, B-31

Service IDENT B-33

Service MSRPC 10-12, B-33

Service MSSQL B-35

Service NTP engine B-35

Service P2P B-35, B-36

Service RPC 10-18, B-36

Service SMB Advanced B-37

Service SNMP B-39

Service SSH engine B-40

Service TNS B-41

State 10-19, B-42

String 10-20, 10-23, B-44

supported by IDM 10-2

Sweep 10-24, B-47

Sweep Other TCP B-49

Traffic Anomaly B-50

Traffic ICMP B-52

Trojan B-52

signature engine update files described 23-5

Signature Event Action Filter

described 11-6, A-26

parameters 11-6, A-26

Signature Event Action Handler described 11-6, A-26

Signature Event Action Override described 11-6, A-26

Signature Event Action Processor

alarm channel 11-6, A-26

components 11-6, A-26

described 11-6, A-23, A-26

illustration 11-7, A-26

logical flow of events 11-7, A-26

signature fidelity rating

calculating risk rating 8-5, 11-3

described 8-5, 11-3

signatures

adding 9-13

alert frequency 9-19

assigning actions 9-17

cloning 9-14

custom 9-5

default 9-5

described 9-4

disabling 9-12

editing 9-16

enabling 9-12

false positives 9-4

no TCP reset C-50

rate limits 14-4

retiring 9-12

subsignatures 9-5

tuned 9-5

tuning 9-16

signature update installation time 17-18

signature variables

adding 9-25

deleting 9-25

described 9-24

editing 9-25

Signature Variables tab

configuring 9-25

field descriptions 9-25

Signature Wizard

alert behavior 10-25

supported signature engines 10-2

SNMP

configuring 15-3

described 15-1

Get 15-1

GetNext 15-1

Set 15-1

supported MIBs 15-6, C-19

Trap 15-1

SNMP General Configuration pane

configuring 15-3

described 15-2

field descriptions 15-2

user roles 15-2

SNMP traps

configuring 15-5

described 15-1

SNMP Traps Configuration pane

button functions 15-4

configuring 15-5

described 15-4

field descriptions 15-4

user roles 15-4

software architecture

ARC (illustration) A-12

IDAPI (illustration) A-30

RDEP2 (illustration) A-31

software bypass

supported configurations 7-10

with hardware bypass 7-10

software downloads Cisco.com 23-1

software file names

recovery (illustration) 23-5

signature/virus updates (illustration) 23-4

signature engine updates (illustration) 23-5

system image (illustration) 23-5

software release examples

platform-dependent 23-6

platform identifiers 23-7

platform-independent 23-6

software updates

supported FTP servers 17-17, 24-2

supported HTTP/HTTPS servers 17-17, 24-2

SPAN port issues C-30

SSH

security 13-1

understanding 13-1

SSH Server

private keys A-21

public keys A-21

standards

CIDEE A-33

IDCONF A-32

SDEE A-33

Startup Wizard

access list 5-3

adding virtual sensors 5-12

Add Virtual Sensor dialog box 5-12

described 5-1

Inline Interface Pair window 5-8, 5-9

Inline VLAN Pairs window 5-9, 5-10

Interface Selection window 5-8

Interface Summary window 5-7

Sensor Setup window

configuring 5-4

field descriptions 5-2

Traffic Inspection Mode window 5-8

Virtual Sensors window 5-11

State engine

Cisco Login 10-19, B-42

described 10-19, B-42

LPR Format String 10-19, B-42

parameters (table) B-43

SMTP 10-19, B-42

statistics display 18-30

Statistics pane

button functions 18-30, 18-31

categories 18-29

described 18-29

using 18-30

status of license key 17-12

stick (DoS tools) B-6

String engine described 10-20, 10-23, B-44

String ICMP engine parameters (table) B-45

String TCP engine

custom signature 10-21

example signature 10-21

parameters (table) B-45

String UDP engine parameters (table) B-46

subinterface 0 described 7-13

subsignatures described 9-5

summarization

described 8-6, 11-5

Fire All 8-7, 11-5

Fire Once 8-7, 11-6

Global Summarization 8-7, 11-6

Meta engine 8-6, 11-5

Summary 8-7, 11-5

Summarizer described 8-28, 11-29

Summary pane

button functions 7-14

described 7-13

field descriptions 5-7, 7-14

supported

configurations (IDSM-2) C-59

FTP servers 17-17, 24-2

HTTP/HTTPS servers 17-17, 24-2

IPS interfaces (CSA MC) 16-3

platforms (IME) 1-3

Sweep engine

described 10-24, B-47

parameters (table) B-48, B-49

Sweep Other TCP engine described B-49

switch commands for troubleshooting C-60

system architecture

directory structure A-34

supported platforms A-1

system clock setting 6-15

System Configuration Dialog

described 21-2

example 21-2

system design (illustration) A-2

system image

installing

AIM-IPS 24-21

AIP-SSM 24-25

IDSM-2 (Catalyst software) 24-27

IDSM-2 (Cisco IOS software) 24-28

IPS-4240 24-14

IPS-4255 24-14

IPS-4260 24-17

IPS 4270-20 24-19

NME-IPS 24-38

system information display 18-31

System Information pane

described 18-30

using 18-31

system requirements (IME) 1-3

T

TAC

service account 6-17, A-29, C-5

show tech-support command C-72

target value rating

adding 8-17

calculating risk rating 8-5, 11-3

configuring 8-17

deleting 8-17

described 8-5, 8-17, 11-3, 11-19

editing 8-17

Target Value Rating tab

configuring 8-17

field descriptions 8-17, 11-19

TCP fragmentation described B-22

TCP Protocol tab

described 12-15, 12-22, 12-30

enabling TCP 12-15

external zone 12-30

field descriptions 12-15

illegal zone 12-22

TCP reset interfaces

conditions 7-7

described 7-6

list 7-7

TCP resets

IDSM2 port C-64

not occurring C-50

TCP stream reassembly

explaining 9-40

mode 9-45

parameters (table) 9-40

signatures (table) 9-40

terminal server setup 22-2, 24-13

testing fail-over 7-10

TFN2K

described B-52

Trojans B-52

TFTP servers

maximum file size limitation 24-13

RTT 24-13

threat rating described 8-6, 11-4

Thresholds for KB Name window

described 18-17

field descriptions 18-18

filtering information 18-17

time correction on the sensor 6-11, C-18

Time pane

configuring 6-10

described 6-6

field descriptions 6-9

user roles 6-6

time sources

AIM-IPS 6-7, C-16

AIP-SSM 6-7, C-17

appliances 6-6, C-16

IDSM-2 6-7, C-16

NME-IPS 6-7, C-16

time synchronization and IPS modules 6-8, C-17

TLS

handshaking 13-8

IDM 13-8

understanding 6-3

Top Applications gadgets

configuring 3-8

described 3-8

Top Attackers gadgets

configuring 3-10

described 3-9

Top Signatures gadgets

configuring 3-11

described 3-11

Top Victims gadgets

configuring 3-10

described 3-10

Traffic Anomaly engine

described B-50

protocols B-50

signatures B-50

traffic flow notifications

configuring 7-26

described 7-26

Traffic Flow Notifications pane

configuring 7-26

field descriptions 7-26

user roles 7-26

Traffic ICMP engine

DDoS B-52

described B-52

LOKI B-52

parameters (table) B-52

TFN2K B-52

Traffic Inspection Mode window described 5-8

trial license key 17-12

Tribe Flood Network. See TFN.

Tribe Flood Network 2000. See TFN2K.

Trojan engine

BO2K B-52

described B-52

TFN2K B-52

Trojans

BO B-52

BO2K B-52

LOKI B-52

TFN2K B-52

troubleshooting

AIP-SSM

commands C-65

debugging C-66

failover scenarios C-67

recovering C-66

reset C-66

Analysis Engine busy C-55

applying software updates C-52

ARC

blocking not occurring for signature C-42

device access issues C-39

enabling SSH C-41

inactive state C-37

misconfigured master blocking sensor C-43

verifying device interfaces C-41

automatic updates C-53

cannot access sensor C-24

cidDump C-93

cidLog messages to syslog C-49

communication C-24

corrupted SensorApp configuration C-35

debug logger zone names (table) C-48

debug logging C-44

disaster recovery C-6

duplicate sensor IP addresses C-27

enabling debug logging C-45

external product interfaces 16-10, C-22

gathering information C-71

IDM cannot access sensor C-56

IDM will not load C-55

IDSM-2

command and control port C-63

diagnosing problems C-58

not online C-62, C-63

serial cable C-65

status indicator C-60

switch commands C-60

IME time synchronization problems C-57

IPS modules time drift 6-8, C-17

manual block to bogus host C-41

misconfigured access list C-26

no alerts C-32, C-57

NTP C-50

password recovery 17-11, C-15

physical connectivity issues C-30

preventive maintenance C-2

reset not occurring for a signature C-50

sensing process not running C-28

sensor events C-89

sensor loose connections C-22

sensor not seeing packets C-33

sensor software upgrade C-54

service account 6-17, C-5

show events command C-89

show interfaces command C-88

show statistics command C-78

show tech-support command C-72, C-73

show version command C-75

software upgrades C-51

SPAN port issue C-30

upgrading 5.x to 6.x C-52

verifying ARC status C-37

Trusted Hosts pane

configuring 13-10

described 13-9

field descriptions 13-10

tuned signatures described 9-5

tuning

AIC signatures 9-36

IP fragment reassembly signatures 9-39

signatures 9-16

U

UDP Protocol tab

described 12-16, 12-24, 12-31

enabling UDP 12-16

external zone 12-31

field descriptions 12-31

illegal zone 12-24

unassigned VLAN groups described 7-13

unauthenticated NTP 6-6, 6-13, C-16

understanding

SSH 13-1

time on the sensor 6-6, C-16

UNIX-style directory listings 17-17

Update Sensor pane

configuring 17-21

described 17-20

field descriptions 17-21

user roles 17-20

updating

Cisco.com 17-20

FTP server 17-20

sensors 17-21

upgrade command 24-3, 24-5

upgrading

5.x to 6.x 23-7, C-52

maintenance partition

IDSM-2 (Catalyst software) 24-37

IDSM-2 (Cisco IOS software) 24-37

minimum required version 23-7

recovery partition 24-5, 24-11

uploading KBs

FTP 18-23

SCP 18-23

Upload Knowledge Base to Sensor dialog box

described 18-23

field descriptions 18-23

URLs for Cisco Security Intelligence Operations 23-9

Users pane

button functions 6-17

configuring 6-18

field descriptions 6-17

user roles A-28

using

debug logging C-44

TCP reset interface 7-7

V

VACLs

described 14-3

Post-Block 14-21

Pre-Block 14-21

verifying

password recovery 17-11, C-15

sensor initialization 21-27

sensor setup 21-27

video help described 1-2

viewing

IP logs 18-14

statistics 18-30

system information 18-31

virtual sensors

adding 5-12, 8-11

default virtual sensor 8-2, 8-7

deleting 8-11

described 8-2, 8-7

editing 8-11

stream segregation 8-3

Virtual Sensors window described 5-11

VLAN groups

802.1q encapsulation 7-13

configuration restrictions 7-9

configuring 7-23

deploying 7-22

described 7-12

switches 7-22

VLAN Groups pane

configuring 7-23

described 7-21

field descriptions 7-22

user roles 7-21

VLAN IDs 7-21

VLAN Pairs pane

configuring 7-20

describing 7-19

field descriptions 7-19

vulnerable OSes field

described B-6

W

watch list rating

calculating risk rating 8-5, 11-3

described 8-5, 11-3

Web Server

described A-3, A-22

HTTP 1.0 and 1.1 support A-22

private keys A-21

public keys A-21

RDEP2 support A-22

worm attacks and histograms 12-12, 18-16

worms

Blaster 12-2

Code Red 12-2

described 12-2

Nimbda 12-2

protocols 12-2

Sasser 12-2

scanners 12-2

Slammer 12-2

SQL Slammer 12-2

Z

zones

external 12-4

illegal 12-4

internal 12-4