Index
Numerics
4GE bypass interface card
configuration restrictions 7-10
described 7-10
802.1q encapsulation
VLAN groups 7-13
A
accessing IPS software 23-2
access list
misconfiguration C-26
necessary hosts 5-3
ACLs
adding 5-3
described 14-3
Post-Block 14-17, 14-18
Pre-Block 14-17, 14-18
Active Host Blocks pane
configuring 18-7
described 18-6
field descriptions 18-6
user roles 18-6
ad0 pane
default 12-9
described 12-9
tabs 12-9
Add ACL Entry dialog box field descriptions 5-4
Add Active Host Block dialog box field descriptions 18-7
Add Allowed Host dialog box
field descriptions 6-5
user roles 6-4
Add Authorized Key dialog box
field descriptions 13-3
user roles 13-2
Add Blocking Device dialog box
field descriptions 14-15
user roles 14-14
Add Cat 6K Blocking Device Interface dialog box
field descriptions 14-23
user roles 14-21
Add Configured OS Map dialog box field descriptions 8-21, 11-23
Add Destination Port dialog box field descriptions 12-16, 12-17, 12-23, 12-24, 12-30, 12-31
Add Device dialog box field descriptions 2-3
Add Device Login Profile dialog box
field descriptions 14-12
user roles 14-11
Add Event Action Filter dialog box
field descriptions 8-14, 11-16
user roles 8-13, 11-15
Add Event Action Override dialog box
field descriptions 8-10, 11-13
user roles 8-10, 11-13
Add Event Variable dialog box
field descriptions 8-24, 11-26
user roles 8-24, 11-25
Add External Product Interface dialog box
field descriptions 16-6
user roles 16-5
Add Filter dialog box field descriptions 3-15
Add Histogram dialog box field descriptions 12-16, 12-17, 12-23, 12-25, 12-31, 12-32
adding
ACLs 5-3
active host blocks 18-7
a host never to be blocked 14-10
anomaly detection policies 12-9
CSA MC interfaces 16-7
denied attackers 18-5
event action filters 8-15, 11-17
event action overrides 11-14
event action rules policies 11-12
event variables 8-25, 11-26
external product interfaces 16-7
network blocks 18-9
OS maps 8-22, 11-24
risk categories 8-27, 11-28
signature definition policies 9-3
signatures 9-13
signature variables 9-25
target value rating 8-17
virtual sensors 5-12, 8-11
Add Inline VLAN Pair dialog box field descriptions 5-10, 7-20
Add Interface Pair dialog box field descriptions 7-18
Add IP Logging dialog box field descriptions 18-14
Add Known Host Key dialog box
field descriptions 13-5
user roles 13-4
Add Master Blocking Sensor dialog box
field descriptions 14-26
user roles 14-24
Add Network Block dialog box field descriptions 18-9
Add Never Block Address dialog box
field descriptions 14-10
user roles 14-7
Add Policy dialog box field descriptions 9-2, 11-11, 12-8
Add Posture ACL dialog box field descriptions 16-7
Add Protocol Number dialog box field descriptions 12-18, 12-25, 12-32
Add Rate Limit dialog box
field descriptions 18-11
user role 18-10
Address Resolution Protocol. See ARP.
Add Risk Level dialog box field descriptions 8-27, 11-28
Add Router Blocking Device Interface dialog box
field descriptions 14-19
user roles 14-16
Add Signature dialog box field descriptions 9-8
Add Signature Variable dialog box
field descriptions 9-25
user roles 9-24
Add SNMP Trap Destination dialog box field descriptions 15-4
Add Target Value Rating dialog box
field descriptions 8-17, 11-19
user roles 8-17, 11-19
Add Trusted Host dialog box
field descriptions 13-10
user roles 13-9
Add User dialog box
field descriptions 6-17
user roles 6-16
Add Virtual Sensor dialog box
described 5-12, 8-9
field descriptions 5-12, 8-9
Add VLAN Group dialog box field descriptions 7-22
Advanced Alert Behavior Wizard
Alert Dynamic Response Fire All window field descriptions 10-26
Alert Dynamic Response Fire Once window field descriptions 10-27
Alert Dynamic Response Summary window field descriptions 10-27
Alert Summarization window field descriptions 10-26
Event Count and Interval window field descriptions 10-25
Global Summarization window field descriptions 10-28
AIC
policy configuration 9-35
signatures (example) 9-36
AIC engine
AIC FTP B-11
AIC HTTP B-11
described B-11
features B-11
signature categories 9-28
AIC FTP engine parameters (table) B-12
AIC HTTP engine parameters (table) B-11
AIC policy enforcement
default configuration 9-29, B-11
described 9-29, B-10
sensor oversubscription 9-29, B-11
AIM-IPS
initializing 21-12
installing system image 24-21
logging in 22-4
session command 22-4
sessioning 22-3, 22-4
setup command 21-12
time sources 6-7, C-16
AIP SSM
password recovery 17-6, C-10
resetting the password 17-7, C-11
AIP-SSM
bypass mode 7-25
Deny Connection Inline 11-10, C-70
Deny Packet Inline 11-10, C-70
initializing 21-15
installing system image 24-25
logging in 22-6
Normalizer engine B-23, C-69
recovering C-66
reimaging 24-24
Reset TCP Connection 11-10, C-70
resetting C-66
session command 22-6
setup command 21-15
TCP reset packets 11-10, C-70
time sources 6-7, C-17
Alarm Channel described 11-6, A-26
alert and log actions (list) 11-8
alert behavior normal 10-25
alert frequency
aggregation 9-19
configuring 9-19
controlling 9-19
modes B-6
Allowed Hosts/Networks pane
configuring 6-5
described 6-4
field descriptions 6-5
alternate TCP reset interface configuration restrictions 7-8
Analysis Engine
described 8-2
error messages C-23
IDM exits C-55
virtual sensors 8-2
anomaly detection
asymmetric environment 12-2
caution 12-2
configuration sequence 12-4
default configuration (example) 12-4
described 12-2
detect mode 12-3
disabling 12-36, C-20
event actions 12-6, B-50
inactive mode 12-3
learning accept mode 12-3
learning process 12-3
limiting false positives 12-12, 18-16
protocols 12-2
signatures 12-6
signatures (table) 12-6, B-50
worm attacks 12-12, 18-16
worms 12-2
zones 12-4
Anomaly Detection pane
button functions 18-16
field descriptions 18-16
overview 18-15
user roles 18-15
anomaly detection policies
ad0 12-8
adding 12-9
cloning 12-9
default policy 12-8
deleting 12-9
user roles 12-8
Anomaly Detections pane
described 12-8
field descriptions 12-8
user roles 12-8
appliances
application partition image 24-11
GRUB menu 17-4, C-8
initializing 21-7
logging in 22-1
password recovery 17-4, C-8
terminal servers
described 22-2, 24-13
setting up 22-2, 24-13
time sources 6-6, C-16
upgrading recovery partition 24-5
Application Inspection and Control. See AIC.
application partition
described A-3
image recovery 24-11
application policy enforcement
described 9-29, B-10
disabled (default) 9-29
application XML format A-2
applying software updates C-52
ARC
ACLs 14-18, A-13
authentication A-14
blocking
application 14-2
connection-based A-16
not occurring for signature C-42
unconditional blocking A-16
block response A-13
Catalyst 6000 series switch
VACL commands A-18
VACLs described A-18
Catalyst switches
VACLs described A-15
VLANs described A-15
checking status 14-3, 14-4
described A-3
design 14-2
device access issues C-39
enabling SSH C-41
features A-13
firewalls
AAA A-17
connection blocking A-17
NAT A-18
network blocking A-17
postblock ACL A-15
preblock ACL A-15
shun command A-17
TACACS+ A-18
formerly Network Access Controller 14-1, 14-3
functions 14-2
illustration A-12
inactive state C-37
interfaces A-13
maintaining states A-16
managed devices 14-7
master blocking sensors A-13
maximum blocks 14-2
misconfigured master blocking sensor C-43
nac.shun.txt file A-16
NAT addressing A-14
number of blocks A-14
postblock ACL A-15
preblock ACL A-15
prerequisites 14-5
rate limiting 14-4
responsibilities A-12
single point of control A-14
SSH A-13
supported devices 14-5, A-15
Telnet A-13
troubleshooting C-36
VACLs A-13
verifying device interfaces C-41
verifying status C-37
ARP
Layer 2 signatures B-13
protocol B-13
ARP spoof tools
dsniff B-13
ettercap B-13
ASDM
resetting passwords C-12
ASDM resetting passwords 17-8
Assign Actions dialog box
button functions 9-9
field descriptions 9-9
assigning actions to signatures 9-17
asymmetric
environment and anomaly detection 12-2
traffic and disabling anomaly detection 12-36, C-20
Atomic ARP engine
described B-13
parameters (table) B-13
Atomic IP engine
described 10-14, B-13
parameters (table) B-13
Atomic IPv6 engine
described B-14
Neighborhood Discovery protocol B-14
signatures B-14
signatures (table) B-15
attack relevance rating
calculating risk rating 8-5, 11-3
described 8-5, 11-3
Attack Response Controller
described A-3
formerly known as Network Access Controller A-3
Attack Response Controller. See ARC.
attack severity rating
calculating risk rating 8-5, 11-3
described 8-5, 11-3
Attacks Over Time gadgets
configuring 3-11
described 3-11
authenticated NTP 6-6, 6-13, C-16
AuthenticationApp
authenticating users A-20
described A-3
login attempt limit A-20
method A-20
responsibilities A-20
secure communications A-21
sensor configuration A-20
Authorized Keys pane
configuring 13-3
described 13-2
field descriptions 13-3
RSA authentication 13-2
RSA key generation tool 13-4
Auto/Cisco.com Update pane
button functions 17-18
configuring 17-19
described 17-16
field descriptions 17-18
UNIX-style directory listings 17-17
user roles 17-16
automatic setup 21-1
automatic updates
Cisco.com 17-16
servers
FTP 17-16
SCP 17-16
troubleshooting C-53
automatic upgrade
information required 24-6
autonegotiation and hardware bypass 7-11
auto-upgrade-option command 24-6
B
backing up
configuration C-3
current configuration C-4, C-5
BackOrifice. See BO.
BackOrifice 2000. See BO2K.
basic setup 21-3
blocking
described 14-2
disabling 14-7
master blocking sensor 14-24
necessary information 14-3
not occurring for signature C-42
prerequisites 14-5
supported devices 14-5
types 14-2
Blocking Devices pane
configuring 14-15
described 14-14
field descriptions 14-14
ssh host-key command 14-15
Blocking Properties pane
adding a host never to be blocked 14-10
configuring 14-9
described 14-7
field descriptions 14-8
BO
described B-52
Trojans B-52
BO2K
described B-52
Trojans B-52
Bug Toolkit
described C-1
URL C-1
bypass mode
AIP-SSM 7-25
described 7-24
Bypass pane
field descriptions 7-24
user roles 7-24
C
calculating risk rating
attack relevance rating 8-5, 11-3
attack severity rating 8-5, 11-3
promiscuous delta 8-5, 11-3
signature fidelity rating 8-5, 11-3
target value rating 8-5, 11-3
watch list rating 8-5, 11-3
cannot access sensor C-24
Cat 6K Blocking Device Interfaces pane
configuring 14-23
described 14-21
field descriptions 14-22
CDP described 7-27
CDP Mode pane
configuring 7-27
field descriptions 7-27
certificates
displaying 13-11
generating 13-11
IDM 13-8
changing Microsoft IIS to UNIX-style directory listings 17-17
cidDump and obtaining information C-93
CIDEE
defined A-33
example A-34
IPS extensions A-33
protocol A-33
supported IPS events A-34
cisco
default password 22-1
default username 22-1
Cisco.com
accessing software 23-2
downloading software 23-1
IPS software 23-1, 23-3
software downloads 23-1
Cisco IOS and rate limiting 14-4
Cisco IPS software
6.1 files 24-3
new features A-3
Cisco Security Intelligence Operations
described 23-9
URL 23-9
Cisco Services for IPS
service contract 17-12
supported products 17-12
clear events command 6-11, 6-16, 18-4, C-18, C-93
Clear Flow State pane described 18-26
clearing
events 6-16, 18-4, C-93
flow states 18-27
statistics C-79
clear password command 17-6, 17-9, C-10, C-13
CLI described A-3, A-27
clock set command 6-15
Clone Event Action Rules dialog box field descriptions 11-11
Clone Policy dialog box field descriptions 9-2, 12-8
Clone Signature dialog box field descriptions 9-8
cloning
anomaly detection policies 12-9
event action rules policies 11-12
signature definition policies 9-3
signatures 9-14
color rules described 19-2
command and control interface
described 7-2
list 7-2
commands
auto-upgrade-option 24-6
clear events 6-11, 6-16, 18-4, C-18, C-93
clear password 17-6, 17-9, C-10, C-13
clock set 6-15
copy backup-config C-3
copy current-config C-3
debug module-boot C-66
downgrade 24-10
hw-module module 1 reset C-66
hw-module module slot_number password-reset 17-6, C-11
session 22-4, 22-9
setup 21-1, 21-3, 21-7, 21-12, 21-15, 21-20, 21-24
show events C-90
show health C-71
show module 1 details C-65
show settings 17-11, C-15
show statistics C-78
show statistics virtual-sensor C-23, C-78
show tech-support C-72
show version C-76
upgrade 24-3, 24-5
Compare Knowledge Bases dialog box field descriptions 18-19
comparing KBs 18-19, 18-20
configuration files
backing up C-3
merging C-3
configuration restrictions
alternate TCP reset interface 7-8
inline interface pairs 7-8
inline VLAN pairs 7-8
interfaces 7-8
physical interfaces 7-8
VLAN groups 7-9
Configured OS Map dialog box user roles 8-20, 11-20
Configure Summertime dialog box field descriptions 5-4, 6-9
configuring
active host blocks 18-7
AIC policy parameters 9-35
allowed hosts 6-5
allowed networks 6-5
application policy 9-36
Attacks Over Time gadgets 3-11
authorized keys 13-3
automatic upgrades 24-8
blocking devices 14-15
blocking properties 14-9
Cat 6K blocking device interfaces 14-23
CDP Mode 7-27
CPU, Memory, & Load gadgets 3-9
CSA MC IPS interfaces 16-4
device login profiles 14-13
event action filters 8-15, 11-17
events 18-3
event variables 8-25, 11-26
external zone 12-33
general settings 8-29, 11-31
illegal zone 12-26
inline VLAN pairs 5-10
interface pairs 7-18
interfaces 7-16
Interface Status gadgets 3-6
internal zone 12-18
IP fragment reassembly signatures 9-39
IP logging 18-14
known host keys 13-6
learning accept mode 12-13
Licensing gadgets 3-6
maintenance partition
IDSM-2 (Catalyst software) 24-29
IDSM-2 (Cisco IOS software) 24-33
master blocking sensor 14-26
network blocks 18-9
Network Security gadgets 3-7
network settings 6-3
NTP servers 6-12
operation settings 12-10
OS maps 8-22, 11-24
rate limiting 18-11
rate limiting devices 14-15
risk categories 8-27, 11-28
router blocking device interfaces 14-20
RSS Feed gadgets 3-9
Sensor Health gadgets 3-5
Sensor Information gadgets 3-4
Sensor Setup window 5-4
sensor to use NTP 6-14
SNMP 15-3
SNMP traps 15-5
target value rating 8-17
TCP fragment reassembly parameters 9-46
time 6-10
Top Applications gadgets 3-8
Top Attackers gadgets 3-10
Top Signatures gadgets 3-11
Top Victims gadgets 3-10
traffic flow notifications 7-26
trusted hosts 13-10
upgrades 24-4
users 6-18
VLAN groups 7-23
VLAN pairs 7-20
configuring traffic flow notifications user roles 7-27
control transactions
characteristics A-8
request types A-8
copy backup-config command C-3
copy current-config command C-3
correcting time on the sensor 6-11, C-18
CPU, Memory, & Load gadgets
configuring 3-9
described 3-8
creating
custom signatures
not using signature engines 10-3
Service HTTP 10-16
String TCP 10-21
using signature engines 10-1
Meta signatures 9-21
Post-Block VACLs 14-21
Pre-Block VACLs 14-21
service account C-6
cryptographic account
Encryption Software Export Distribution Authorization from 23-2
obtaining 23-2
cryptographic features for IME 1-1
CSA MC
adding interfaces 16-7
configuring IPS interfaces 16-4
host posture events 16-1, 16-3
quarantined IP address events 16-1
supporting IPS interfaces 16-3
CtlTransSource
described A-2, A-11
illustration A-11
current
configuration backup C-3
KB setting 18-21
custom signatures
described 9-5
Meta signature 9-21
Custom Signature Wizard
Alert Response window field descriptions 10-25
Atomic IP Engine Parameters window field descriptions 10-14
described 10-1
ICMP Traffic Type window field descriptions 10-12
Inspect Data window field descriptions 10-12
MSRPC Engine Parameters window field descriptions 10-12
no signature engine sequence 10-3
protocols 10-11
Protocol Type window field descriptions 10-11
Service HTTP Engine Parameters window field descriptions 10-15
Service RPC Engine Parameters window field descriptions 10-18
Service Type window field descriptions 10-13
signature engine sequence 10-1
signature identification 10-11
Signature Identification window field descriptions 10-11
State Engine Parameters window field descriptions 10-19
String ICMP Engine Parameters window field descriptions 10-20
String TCP Engine Parameters window field descriptions 10-20
String UDP Engine Parameters window field descriptions 10-23
Sweep Engine Parameters window field descriptions 10-24
TCP Sweep Type window field descriptions 10-13
TCP Traffic Type window field descriptions 10-13
UDP Sweep Type window field descriptions 10-13
UDP Traffic Type window field descriptions 10-13
Welcome window field descriptions 10-10
D
Dashboard pane gadgets 3-1
data structures (examples) A-7
DDoS
protocols B-52
Stacheldraht B-52
TFN B-52
debug logging
described C-44
enabling C-45
zone names C-48
debug-module-boot command C-66
default
KB filename 12-11
password 22-1
username 22-1
virtual sensor vs0 8-2
default policies
ad0 12-8
rules0 11-11
sig0 9-2
defaults restoring 17-23
deleting
anomaly detection policies 12-9
event action filters 8-15, 11-17
event action overrides 11-14
event action rules policies 11-12
event variables 8-25, 11-26
imported OS values 18-26
KBs 18-22
learned OS values 18-25
OS maps 8-22, 11-24
risk categories 8-27, 11-28
signature definition policies 9-3
signature variables 9-25
target value rating 8-17
virtual sensors 8-11
Demo mode IME 1-5
Denial of Service. See DoS.
denied attackers
adding 18-5
clearing list 18-5
hit count 18-4
resetting hit counts 18-5
Denied Attackers pane
described 18-4
field descriptions 18-4
user roles 18-4
using 18-5
deny actions (list) 11-8
Deny Packet Inline described 8-10, 11-10, B-8
detect mode (anomaly detection) 12-3
device access issues C-39
Device Details pane described 2-1
Device List pane
described 2-1
field descriptions 2-2
Device Login Profiles pane
configuring 14-13
described 14-11
field descriptions 14-12
devices
adding 2-3
deleting 2-3
editing 2-3
devices tools
DNS lookup 2-5
ping 2-5
traceroute 2-5
whois 2-5
Diagnostics Report pane
button functions 18-29
described 18-29
user roles 18-28
using 18-29
diagnostics reports 18-29
Differences between knowledge bases KB_Name and KB_Name window field descriptions 18-19
disabling
anomaly detection 12-36, C-20
blocking 14-7
interfaces 7-16
password recovery 17-10, C-14
disaster recovery C-6
displaying
events C-91
health status C-71
password recovery setting 17-11, C-15
statistics C-79
tech support information C-73
version C-76
Distributed Denial of Service. See DDoS.
DoS tools (stick) B-6
downgrade command 24-10
downgrading sensors 24-10
downloading
KBs 18-23
software 23-1
Download Knowledge Base From Sensor dialog box
described 18-23
field descriptions 18-23
duplicate IP addresses C-27
E
Edit Actions dialog box field descriptions 9-9
Edit Allowed Host dialog box
field descriptions 6-5
user roles 6-4
Edit Authorized Key dialog box
field descriptions 13-3
user roles 13-2
Edit Blocking Device dialog box
field descriptions 14-15
user roles 14-14
Edit Cat 6K Blocking Device Interface dialog box
field descriptions 14-23
user roles 14-21
Edit Configured OS Map dialog box field descriptions 8-21, 11-23
Edit Destination Port dialog box field descriptions 12-16, 12-17, 12-23, 12-24, 12-30, 12-31
Edit Device dialog box field descriptions 2-3
Edit Device Login Profile dialog box
field descriptions 14-12
user roles 14-11
Edit Event Action Filter dialog box
field descriptions 8-14, 11-16
user roles 8-13, 11-15
Edit Event Action Override dialog box
field descriptions 8-10, 11-13
user roles 8-10, 11-13
Edit Event Variable dialog box
field descriptions 8-24, 11-26
user roles 8-24, 11-25
Edit External Product Interface dialog box
field descriptions 16-6
user roles 16-5
Edit Filter dialog box field descriptions 3-15
Edit Histogram dialog box field descriptions 12-16, 12-17, 12-23, 12-25, 12-31, 12-32
editing
event action filters 8-15, 11-17
event action overrides 11-14
event variables 8-25, 11-26
interfaces 7-16
OS maps 8-22, 11-24
risk categories 8-27, 11-28
signatures 9-16
signature variables 9-25
target value rating 8-17
virtual sensors 8-11
Edit Inline VLAN Pair dialog box field descriptions 5-10, 7-20
Edit Interface dialog box field descriptions 7-15
Edit Interface Pair dialog box field descriptions 7-18
Edit IP Logging dialog box field descriptions 18-14
Edit Known Host Key dialog box
field descriptions 13-5
user roles 13-4
Edit Master Blocking Sensor dialog box
field descriptions 14-26
user roles 14-24
Edit Never Block Address dialog box
field descriptions 14-10
user roles 14-7
Edit Posture ACL dialog box field descriptions 16-7
Edit Protocol Number dialog box field descriptions 12-18, 12-25, 12-32
Edit Risk Level dialog box field descriptions 8-27, 11-28
Edit Router Blocking Device Interface dialog box
field descriptions 14-19
user roles 14-16
Edit Signature dialog box field descriptions 9-8
Edit Signature Variable dialog box
field descriptions 9-25
user roles 9-24
Edit SNMP Trap Destination dialog box field descriptions 15-4
Edit Target Value Rating dialog box
field descriptions 8-17, 11-19
user roles 8-17, 11-19
Edit User dialog box
field descriptions 6-17
user roles 6-16
Edit Virtual Sensor dialog box
field descriptions 8-9
user roles 8-9
Edit VLAN Group dialog box field descriptions 7-22
enabling
debug logging C-45
event action filters 8-15, 11-17
event action overrides 11-14
interfaces 7-16
Encryption Software Export Distribution Authorization form
cryptographic account 23-2
described 23-2
EPS in Home pane 1-2
evAlert A-8
event action filters
adding 8-15, 11-17
configuring 8-15, 11-17
deleting 8-15, 11-17
described 8-13, 11-4
editing 8-15, 11-17
enabling 8-15, 11-17
Event Action Filters tab
button functions 11-15
configuring 8-15, 11-17
described 8-13, 11-15
field descriptions 8-13, 11-15
event action overrides
adding 11-14
deleting 11-14
described 8-4, 11-4
editing 11-14
enabling 11-14
Event Action Overrides tab
described 11-13
field descriptions 11-13
event action rules
described 11-2
functions 11-2
Event Action Rules pane
described 11-11
field descriptions 11-11
user roles 11-11
event action rules policies
adding 11-12
cloning 11-12
deleting 11-12
events
configuring display 18-3
displaying C-91
host posture 16-1
quarantined IP address 16-2
types C-89
Events pane
configuring 18-3
described 18-2
field descriptions 18-2
event status
displaying 2-4
starting 2-4
stopping 2-4
Event Store
clearing events 6-11, C-18
data structures A-7
described A-2
examples A-7
responsibilities A-7
timestamp A-7
event variables
adding 8-25, 11-26
configuring 8-25, 11-26
deleting 8-25, 11-26
editing 8-25, 11-26
example 8-24, 11-25
Event Variables tab
configuring 8-25, 11-26
described 8-24, 11-25
field descriptions 8-24, 11-26
Event Viewer
described 19-1
field descriptions 18-3
event views
working with 19-4
evError A-8
evLogTransaction A-8
evShunRqst A-8
evStatus A-8
examples
ASA failover configuration C-68
external product interfaces
adding 16-7
described 16-1
issues 16-3, C-21
troubleshooting 16-10, C-22
trusted hosts 16-5
External Product Interfaces pane
described 16-5
field descriptions 16-5
external zone
configuring 12-33
protocols 12-29
user roles 12-29
External Zone tab
described 12-29
tabs 12-29
user roles 12-29
F
fail-over testing 7-10
false positives described 9-4
files
Cisco IPS 6.1 24-3
IDSM2 password recovery 17-9, C-13
Filter pane field descriptions 19-3
filters
configuring 3-16, 19-6
described 19-2
Fixed engine described B-15
Fixed ICMP engine parameters (table) B-16
Fixed TCP engine parameters (table) B-17
Fixed UDP engine parameters (table) B-18
Flood engine described B-18
Flood Host engine parameters (table) B-19
Flood Net engine parameters (table) B-19
flow states clearing 18-27
FTP servers supported 17-17, 24-2
G
gadgets
Attacks Over Time 3-11
CPU, Memory, & Load 3-8
Interface Status 3-6
Licensing 3-5
Network Security 3-7
RSS Feed 3-9
Sensor Health 3-4
Sensor Information 3-3
Top Applications 3-8
Top Attackers 3-9
Top Signatures 3-11
Top Victims 3-10
general settings
configuring 8-29, 11-31
described 8-28, 11-29
General tab
configuring 8-29, 11-31
described 8-28, 11-29, 12-15, 12-22
enabling zones 12-15, 12-22
field descriptions 8-29, 11-30
user roles 8-28, 11-29
generating diagnostics reports 18-29
Global Variables pane field description 17-16
Grouping events described 19-2
GRUB menu password recovery 17-4, C-8
H
H.225.0 protocol B-28
H.323 protocol B-28
hardware bypass
autonegotiation 7-11
configuration restrictions 7-10
fail-over 7-10
IPS 4270-20 7-10
supported configurations 7-10
with software bypass 7-10
health status
displaying 2-4, C-71
starting 2-4
stopping 2-4
Home pane and EPS 1-2
host posture events
CSA MC 16-3
described 16-1
HTTP/HTTPS servers supported 17-17, 24-2
HTTP deobfuscation
ASCII normalization 10-15, B-31
described 10-15, B-31
hw-module module 1 reset command C-66
hw-module module slot_number password-reset command 17-6, C-11
I
IDAPI
communications A-3, A-30
described A-3
functions A-30
illustration A-30
responsibilities A-30
IDCONF
described A-32
example A-32
RDEP2 A-32
XML A-32
IDIOM
defined A-32
messages A-32
IDM
Analysis Engine is busy C-55
certificates 13-8
Signature Wizard unsupported signature engines 10-2
TLS 13-8
will not load C-55
IDSM-2
command and control port C-63
configuring
maintenance partition (Catalyst software) 24-29
maintenance partition (Cisco IOS software) 24-33
initializing 21-20
installing
system image (Catalyst software) 24-27
system image (Cisco IOS software) 24-28, 24-29
logging in 22-7
reimaging 24-27
setup command 21-20
supported configurations C-59
time sources 6-7, C-16
upgrading
maintenance partition (Catalyst software) 24-37
maintenance partition (Cisco IOS software) 24-37
IDSM2
password recovery 17-8, C-13
password recovery image file 17-9, C-13
TCP reset port C-64
illegal zone
configuring 12-26
user roles 12-22
Illegal Zone tab
described 12-22
user roles 12-22
IME
color rules 19-2
configuring
filters 3-16, 19-6
RSS feeds 4-2
views 3-16, 19-6
cryptographic features 1-1
Demo mode 1-5
described 1-1
devices
adding 2-3
deleting 2-3
editing 2-3
EPS 1-2
event status
starting 2-4
stopping 2-4
Event Viewer 19-1
filtering 19-2
gadgets 3-1
grouping events 19-2
health status
displaying 2-4
starting 2-4
stopping 2-4
Home pane described 1-2
installing 1-5
IPS versions 1-3
menu features 1-2
MySQL database 1-4
replacing IEV 1-1
reports
configuring 20-2
described 20-1
generating 20-2
report types 20-1
supported platforms 1-3
system requirements 1-3
time synchronization problems C-57
using event views 19-4
video help 1-2
working with
top attacker IP addresses 3-12
top signatures 3-13
top victim IP addresses 3-12
Imported OS pane
clearing 18-26
described 18-25
field descriptions 18-26
imported OS values
clearing 18-26
deleting 18-26
inactive mode (anomaly detection) 12-3
initializing
AIM-IPS 21-12
AIP-SSM 21-15
appliances 21-7
IDSM-2 21-20
NME-IPS 21-24
sensors 21-1, 21-3
user roles 21-1
verifying 21-27
inline interface pairs
configuration restrictions 7-8
described 7-12
Inline Interface Pair window
described 5-8
Startup Wizard 5-8
inline VLAN pair mode
described 7-12
supported sensors 7-12
inline VLAN pairs
configuration restrictions 7-8
configuring 5-10
Inline VLAN Pairs pane
user roles 7-19
Inline VLAN Pairs window
described 5-9
field descriptions 5-9
Startup Wizard 5-9
installer major version 23-5
installer minor version 23-5
installing
IME 1-5
sensor license 17-14
system image
AIP-SSM 24-25
IDSM-2 (Catalyst software) 24-27
IDSM-2 (Cisco IOS software) 24-28, 24-29
IPS-4240 24-14
IPS-4255 24-14
IPS-4260 24-17
IPS 4270-20 24-19
NME-IPS 24-38
InterfaceApp
described A-19
interactions A-19
NIC drivers A-19
InterfaceApp described A-2
interface pairs
configuring 7-18
described 7-17
Interface Pairs pane
configuring 7-18
described 7-17
field descriptions 7-17
user roles 7-17
interfaces
alternate TCP reset 7-2
command and control 7-2
configuration restrictions 7-8
configuring 7-16
described 5-7, 7-1
disabling 7-16
editing 7-16
enabling 7-16
logical 5-7
physical 5-7
port numbers 7-1
sensing 7-2, 7-3
slot numbers 7-1
support (table) 7-4
TCP reset 7-6
VLAN groups 7-2
Interface Selection window
described 5-8
Startup Wizard 5-8
Interfaces pane
configuring 7-16
described 7-14
field descriptions 7-14
user roles 7-14
Interface Status gadgets
configuring 3-6
described 3-6
Interface Summary window described 5-7
internal zone
configuring 12-18
user roles 12-15
Internal Zone tab
described 12-15
user roles 12-15
IP fragmentation described B-22
IP fragment reassembly
configuring 9-38
described 9-37, B-22
mode 9-38
parameters (table) 9-37
signature (example) 9-39
signatures 9-39
signatures (table) 9-37
IP logging
described 9-47, 18-12
event actions 18-13
system performance 18-13
IP Logging pane
configuring 18-14
described 18-13
field descriptions 18-13
user roles 18-13
IP Logging Variables pane described 17-16
IP logs
circular buffer 18-12
Ethereal 18-13
states 18-12
TCP Dump 18-13
viewing 18-14
IPS
external communications A-30
internal communications A-30
IPS-4240
installing system image 24-14
password recovery 17-5, C-9
reimaging 24-14
IPS-4255
installing system image 24-14
password recovery 17-5, C-9
reimaging 24-14
IPS-4260
installing system image 24-17
reimaging 24-17
IPS 4270-20
hardware bypass 7-10
installing system image 24-19
reimaging 24-19
IPS appliances
Deny Connection Inline 11-10, C-70
Deny Packet Inline 11-10, C-70
Reset TCP Connection 11-10, C-70
TCP reset packets 11-10, C-70
IPS applications
summary A-35
table A-35
XML format A-2
IPS data
types A-8
XML document A-8
IPS events
evAlert A-8
evError A-8
evLogTransaction A-8
evShunRqst A-8
evStatus A-8
listed A-8
types A-8
IPS Manager Express described 1-1
IPS modules
time synchronization 6-8, C-17
unsupported features 5-7
IPS Policies pane
described 8-7
field descriptions 8-8
IPS software
application list A-2
available files 23-1, 23-3
configuring device parameters A-4
directory structure A-34
Linux OS A-1
obtaining 23-1, 23-3
platform-dependent release examples 23-6
retrieving data A-4
security features A-5
tuning signatures A-4
updating A-4
user interaction A-4
versioning scheme 23-3
IPS software file names
major updates (illustration) 23-4
minor updates (illustration) 23-4
patch releases (illustration) 23-4
service packs (illustration) 23-4
IPS versions for IME 1-3
IPv6 described B-14
K
KBs
comparing 18-20
default filename 12-11
deleting 18-22
described 12-3
downloading 18-23
histogram 12-12, 18-15
initial baseline 12-3
learning accept mode 12-11
loading 18-21
monitoring 18-18
renaming 18-22
saving 18-21
scanner threshold 12-12, 18-15
tree structure 12-12, 18-15
uploading 18-24
Knowledge Base. See KB.
Known Host Keys pane
configuring 13-6
described 13-5
field descriptions 13-5
L
Learned OS pane
clearing 18-25
described 18-25
field descriptions 18-25
learned OS values
clearing 18-25
deleting 18-25
learning accept mode
anomaly detection 12-3
configuring 12-13
user roles 12-11
Learning Accept Mode tab
described 12-11
field descriptions 12-13
user roles 12-11
license files
BSD license D-3
expat license D-12
GNU Lesser license D-22
GNU license D-17
license key
status 17-12
trial 17-12
licensing
described 17-12
IPS device serial number 17-12
Licensing gadgets
configuring 3-6
described 3-5
Licensing pane
configuring 17-14
described 17-12
field descriptions 17-13
user roles 17-11
limitations for concurrent CLI sessions 22-1
listings UNIX-style 17-17
loading KBs 18-21
Logger
described A-2, A-19
functions A-19
syslog messages A-19
logging in
AIM-IPS 22-4
AIP-SSM 22-6
appliances 22-1
IDSM-2 22-7
NME-IPS 22-9
sensors
SSH 22-10
Telnet 22-10
terminal servers 22-2, 24-13
LOKI
described B-52
protocol B-52
loose connections on sensors C-22
M
MainApp
components A-5
described A-2, A-5
host statistics A-6
responsibilities A-6
show version command A-6
maintenance partition
configuring
IDSM-2 (Catalyst software) 24-29
IDSM-2 (Cisco IOS software) 24-33
described A-3
major updates described 23-3
Manage Filter Rules dialog box field descriptions 3-14
managing rate limiting 18-11
manual block to bogus host C-41
master blocking sensor
described 14-24
not set up properly C-43
Master Blocking Sensor pane
configuring 14-26
described 14-24
field descriptions 14-25
Master engine
alert frequency B-6
alert frequency parameters (table) B-6
described B-3
event actions B-7
general parameters (table) B-3
universal parameters B-3
master engine parameters
obsoletes B-5
promiscuous delta B-5
vulnerable OSes B-6
merging configuration files C-3
Meta engine
described 9-21, B-19
parameters (table) B-20
Signature Event Action Processor 9-21, B-19
Meta Event Generator described 8-28, 11-29
MIBs supported 15-6, C-19
minor updates described 23-3
Miscellaneous tab
button functions 9-27
configuring
application policy 9-35
IP fragment reassembly mode 9-38
IP logging 9-47
TCP stream reassembly mode 9-45
described 9-26
field descriptions 9-27
user roles 9-26
modes
anomaly detection detect 12-3
anomaly detection inactive 12-3
anomaly detection learning accept 12-3
bypass 7-24
inline interface pair 7-12
inline VLAN pair 7-12
promiscuous 7-11
VLAN Groups 7-12
modify packets inline modes 8-3
monitoring
events 18-3
KBs 18-18
moving OS maps 8-22, 11-24
Multi String engine
described B-20
parameters (table) B-21
Regex B-20
MySDN described 9-5
MySQL database and IME 1-4
N
Neighborhood Discovery
options B-14
types B-14
Network Blocks pane
configuring 18-9
described 18-8
field descriptions 18-9
user roles 18-8
Network pane
configuring 6-3
described 6-1
field descriptions 6-2
TLS/SSL 6-3
user roles 6-1
Network Security gadgets
configuring 3-7
described 3-7
network security health data resetting 18-28
Network Time Protocol. See NTP.
never block
hosts 14-7
networks 14-7
NME-IPS
initializing 21-24
installing system image 24-38
logging in 22-9
reimaging 24-38
session command 22-9
sessioning 22-8, 22-9
setup command 21-24
time sources 6-7, C-16
Normalizer engine
described B-22
IP fragment reassembly B-22
parameters (table) B-24
TCP stream reassembly B-22
Normalizer mode described 8-4
NotificationApp
alert information A-9
described A-3
functions A-9
SNMP gets A-9
SNMP traps A-9
statistics A-10
system health information A-10
NTP
authenticated 6-6, 6-13, C-16
configuring servers 6-12
described 6-6, C-16
incorrect configuration 6-8, C-17
sensor time source 6-12, 6-13
time synchronization 6-6, C-16
unauthenticated 6-6, 6-13, C-16
O
obsoletes field described B-5
obtaining
cryptographic account 23-2
IPS software 23-1
one-way TCP reset described 8-28, 11-30
operation settings
configuring 12-10
user roles 12-10
Operation Settings tab
described 12-10
field descriptions 12-10
user roles 12-10
OS Identifications tab
described 8-20, 11-20
field descriptions 8-21, 11-23
OS maps
adding 8-22, 11-24
configuring 8-22, 11-24
deleting 8-22, 11-24
editing 8-22, 11-24
moving 8-22, 11-24
other actions (list) 11-9
Other Protocols tab
described 12-17, 12-25, 12-32
enabling other protocols 12-17
external zone 12-32
field descriptions 12-17, 12-32
illegal zone 12-25
P
P2P networks described B-35
partitions
application A-3
maintenance A-3
recovery A-3
passive OS fingerprinting
components 8-19, 11-21
configuring 8-20, 11-22
described 8-19, 11-21
password policy caution 17-2, 17-3
password recovery
AIP-SSM 17-6, C-10
appliances 17-4, C-8
CLI 17-10, C-14
described 17-3, C-8
disabling 17-10, C-14
GRUB menu 17-4, C-8
IDSM-2 17-8, C-13
IPS-4240 17-5, C-9
IPS-4255 17-5, C-9
platforms 17-3, C-8
ROMMON 17-5, C-9
troubleshooting 17-11, C-15
verifying 17-11, C-15
password requirement configuration 17-2
Passwords pane
described 17-1
field descriptions 17-2
patch releases described 23-3
peacetime learning (anomaly detection) 12-3
Peer-to-Peer. See P2P.
physical connectivity issues C-30
physical interfaces configuration restrictions 7-8
platforms and concurrent CLI sessions 22-1
policies and platform limitations 9-2, 12-8
Post-Block ACLs 14-17, 14-18
Pre-Block ACLs 14-17, 14-18
prerequisites for blocking 14-5
promiscuous delta
calculating risk rating 8-5, 11-3
described 8-5, 11-3
promiscuous delta described B-5
promiscuous mode
described 7-11
packet flow 7-11
protocols
ARP B-13
CIDEE A-33
Custom Signature Wizard 10-11
DCE 10-12, B-33
DDoS B-52
H.323 B-28
H225.0 B-28
IDAPI A-30
IDCONF A-32
IDIOM A-32
IPv6 B-14
LOKI B-52
MSSQL B-35
Neighborhood Discovery B-14
Q.931 B-29
RDEP2 A-30
RPC 10-12, B-33
SDEE A-33
Q
Q.931 protocol
described B-29
SETUP messages B-29
quarantined IP address events described 16-2
R
rate limiting
ACLs 14-4
configuring 18-11
described 14-4
managing 18-11
percentages 18-10
routers 14-4
service policies 14-4
supported signatures 14-4
Rate Limits pane
described 18-10
field descriptions 18-10
RDEP2
functions A-30
messages A-30
responsibilities A-31
RDEP event server deprecated A-22
rebooting the sensor 17-23
Reboot Sensor pane
configuring 17-23
described 17-23
user roles 17-23
recover command 24-11
recovering
AIP-SSM C-66
application partition image 24-11
recovery partition
described A-3
upgrading 24-5
Regular Expression. See Regex.
regular expression syntax signatures B-8
reimaging
AIP-SSM 24-24
appliances 24-11
described 24-1
IDSM-2 24-27
IPS-4240 24-14
IPS-4255 24-14
IPS-4260 24-17
IPS 4270-20 24-19
NME-IPS 24-38
sensors 24-1
removing
last applied
service pack 24-10
signature update 24-10
renaming KBs 18-22
reports
configuring 20-2
described 20-1
generating 20-2
report types
Attacks Over Time 20-1
Top Attackers 20-1
Top Signatures 20-1
Top Victim 20-1
Reset Network Security Health pane
described 18-28
field descriptions 18-28
reset not occurring for a signature C-50
resetting
AIP-SSM C-66
network security health data 18-28
passwords
ASDM 17-8, C-12
hw-module command 17-6, C-11
resetting the password
AIP-SSM 17-7, C-11
Restore Default Interface dialog box field descriptions 5-8
Restore Defaults pane
configuring 17-23
described 17-23
user roles 17-23
restoring
defaults 17-23
restoring the current configuration C-4, C-5
retiring signatures 9-12
retrieving events through RDEP2 (illustration) A-31
risk categories
adding 8-27, 11-28
configuring 8-27, 11-28
deleting 8-27, 11-28
editing 8-27, 11-28
Risk Category tab
configuring 8-27, 11-28
described 8-26, 11-27
field descriptions 8-26, 11-28
risk rating
calculating 8-4, 11-2
described 8-19, 11-21
ROMMON
described 24-12
IPS-4240 24-14
IPS-4255 24-14
IPS-4260 24-17
IPS-4270 24-17
IPS 4270-20 24-19
password recovery 17-5, C-9
remote sensors 24-12
serial console port 24-12
TFTP 24-13
round-trip time. See RTT.
Router Blocking Device Interfaces pane
configuring 14-20
described 14-17
field descriptions 14-19
RPC portmapper 10-18, B-36
RSS Feed gadgets
configuring 3-9
described 3-9
RSS feeds
channels 4-1
configuring 4-2
described 4-1
formats 4-1
RTT
described 24-13
TFTP limitation 24-13
rules0 pane described 11-12
S
Save Knowledge Base dialog box
described 18-21
field descriptions 18-21
saving KBs 18-21
scheduling automatic upgrades 24-8
SDEE
described A-33
HTTP A-33
protocol A-33
Server requests A-33
security
information on Cisco Security Intelligence Operations 23-9
security and SSH 13-1
security information
MySDN 9-5
security policies described 8-1, 9-1, 11-1, 12-1
sending commands through RDEP2 (illustration) A-31
sensing interfaces
described 7-3
interface cards 7-3
modes 7-3
sensor
blocking itself 14-7
not seeing packets C-33
process not running C-28
SensorApp
6.1 new features A-25
Alarm Channel A-24
Analysis Engine A-24
described A-3
event action filtering A-25
inline packet processing A-24
IP normalization A-24
packet flow A-25
processors A-22
responsibilities A-22
risk rating A-25
Signature Event Action Processor A-23
TCP normalization A-24
Sensor Health gadgets
configuring 3-5
described 3-4
Sensor Health pane
described 17-15
field descriptions 17-15
Sensor Information gadgets
configuring 3-4
described 3-3
Sensor Key pane
button functions 13-7
described 13-7
field descriptions 13-7
sensor SSH key
displaying 13-7
generating 13-7
user roles 13-7
sensors
access problems C-24
asymmetric traffic and disabling anomaly detection 12-36, C-20
configuring to use NTP 6-14
corrupted SensorApp configuration C-35
diagnostics reports 18-29
disaster recovery C-6
downgrading 24-10
incorrect NTP configuration 6-8, C-17
initializing 6-1, 21-1, 21-3
interface support 7-4
IP address conflicts C-27
license 17-14
logging in
SSH 22-10
Telnet 22-10
loose connections C-22
misconfigured access lists C-26
no alerts C-32, C-57
not seeing packets C-33
NTP time source 6-13
NTP time synchronization 6-6, C-16
partitions A-3
physical connectivity C-30
preventive maintenance C-2
rebooting 17-23
reimaging 24-1
restoring defaults 17-23
sensing process not running C-28
setting up 6-1
setup command 21-1, 21-3, 21-7
shutting down 17-24
statistics 18-30
system information 18-31
time sources 6-6, C-16
troubleshooting software upgrades C-54
updating 17-19, 17-21
using NTP time source 6-12
Sensor Setup window
described 5-2
Startup Wizard 5-2
Server Certificate pane
button functions 13-11
certificate
displaying 13-11
generating 13-11
described 13-11
field descriptions 13-11
user roles 13-11
service account
creating C-6
described 6-17, A-29, C-5
TAC A-29
troubleshooting A-29
Service DNS engine
described B-25
parameters (table) B-25
Service engine
described B-24
Layer 5 traffic B-24
Service FTP engine
described B-26
parameters (table) B-27
PASV port spoof B-26
Service Generic engine
described B-27
parameters (table) B-28
Service H225 engine
ASN.1 PER validation B-29
described B-28
features B-29
parameters (table) B-30
TPKT validation B-29
Service HTTP engine
custom signature 10-16
described 10-15, B-31
example signature 10-16
parameters (table) B-31
Service IDENT engine
described B-33
parameters (table) B-33
service-module ids-sensor slot/port session command 22-3, 22-8
Service MSRPC engine
DCE/RPC protocol 10-12, B-33
described 10-12, B-33
parameters (table) B-34
Service MSSQL engine
described B-35
MSSQL protocol B-35
parameters (table) B-35
Service NTP engine
described B-35
parameters (table) B-35
Service P2P engine described B-36
service packs described 23-3
service role A-28
Service RPC engine
described 10-18, B-36
parameters (table) 10-18, B-36
RPC portmapper 10-18, B-36
Service SMB Advanced engine
described B-37
parameters (table) B-38
Service SNMP engine
described B-39
parameters (table) B-40
Service SSH engine
described B-40
parameters (table) B-40
Service TNS engine
described B-41
parameters (table) B-41
session command
AIM-IPS 22-4
AIP-SSM 22-6
IDSM-2 22-7
NME-IPS 22-9
sessioning
AIM-IPS 22-4
AIP-SSM 22-6
IDSM-2 22-7
NME-IPS 22-9
setting
current KB 18-21
system clock 6-15
setting up
sensors 6-1
terminal servers 22-2, 24-13
setup
automatic 21-1
simplified mode 21-1
setup command 21-1, 21-3, 21-7, 21-12, 21-15, 21-20, 21-24
show events command C-90
show health command C-71
show interfaces command C-88
show module 1 details command C-65
show settings command 17-11, C-15
show statistics command C-78
show statistics virtual-sensor command C-23, C-78
show tech-support command
described C-72
output C-73
show version command C-75, C-76
Shut Down Sensor pane
configuring 17-24
described 17-24
user roles 17-24
shutting down the sensor 17-24
sig0 pane
default 9-3
described 9-3
retiring signatures 9-12
signatures
assigning actions 9-17
cloning 9-14
disabling 9-12
enabling 9-12
tuning 9-15
tabs 9-3
Sig0 pane field descriptions 9-6
signature/virus update files described 23-4
signature definition policies
adding 9-3
cloning 9-3
default policy 9-2
deleting 9-3
sig0 9-2
Signature Definitions pane
described 9-2
field descriptions 9-2
signature engines
AIC B-10
Atomic B-12
Atomic ARP B-13
Atomic IP 10-14, B-13
Atomic IPv6 B-14
creating custom signatures 10-1
described B-1
event actions B-7
Fixed B-15
Flood B-18
Flood Host B-19
Flood Net B-19
list B-2
Master B-3
Meta 9-21, B-19
Multi String B-20
Normalizer B-22
Regex
patterns B-9
syntax B-8
Service B-24
Service DNS B-25
Service FTP B-26
Service Generic B-27
Service H225 B-28
Service HTTP 10-15, B-31
Service IDENT B-33
Service MSRPC 10-12, B-33
Service MSSQL B-35
Service NTP B-35
Service P2P B-35, B-36
Service RPC 10-18, B-36
Service SMB Advanced B-37
Service SNMP B-39
Service SSH B-40
Service TNS B-41
State 10-19, B-42
String 10-20, 10-23, B-44
supported by IDM 10-2
Sweep 10-24, B-47
Sweep Other TCP B-49
Traffic Anomaly B-50
Traffic ICMP B-52
Trojan B-52
signature engine update files described 23-5
Signature Event Action Filter
described 11-6, A-26
parameters 11-6, A-26
Signature Event Action Handler described 11-6, A-26
Signature Event Action Override described 11-6, A-26
Signature Event Action Processor
alarm channel 11-6, A-26
components 11-6, A-26
described 11-6, A-23, A-26
illustration 11-7, A-26
logical flow of events 11-7, A-26
signature fidelity rating
calculating risk rating 8-5, 11-3
described 8-5, 11-3
signatures
adding 9-13
alert frequency 9-19
assigning actions 9-17
cloning 9-14
custom 9-5
default 9-5
described 9-4
disabling 9-12
editing 9-16
enabling 9-12
false positives 9-4
no TCP reset C-50
rate limits 14-4
retiring 9-12
subsignatures 9-5
tuned 9-5
tuning 9-16
signature update installation time 17-18
signature variables
adding 9-25
deleting 9-25
described 9-24
editing 9-25
Signature Variables tab
configuring 9-25
field descriptions 9-25
Signature Wizard
alert behavior 10-25
supported signature engines 10-2
SNMP
configuring 15-3
described 15-1
Get 15-1
GetNext 15-1
Set 15-1
supported MIBs 15-6, C-19
Trap 15-1
SNMP General Configuration pane
configuring 15-3
described 15-2
field descriptions 15-2
user roles 15-2
SNMP traps
configuring 15-5
described 15-1
SNMP Traps Configuration pane
button functions 15-4
configuring 15-5
described 15-4
field descriptions 15-4
user roles 15-4
software architecture
ARC (illustration) A-12
IDAPI (illustration) A-30
RDEP2 (illustration) A-31
software bypass
supported configurations 7-10
with hardware bypass 7-10
software downloads Cisco.com 23-1
software file names
recovery (illustration) 23-5
signature/virus updates (illustration) 23-4
signature engine updates (illustration) 23-5
system image (illustration) 23-5
software release examples
platform-dependent 23-6
platform identifiers 23-7
platform-independent 23-6
software updates
supported FTP servers 17-17, 24-2
supported HTTP/HTTPS servers 17-17, 24-2
SPAN port issues C-30
SSH
security 13-1
understanding 13-1
SSH Server
private keys A-21
public keys A-21
standards
CIDEE A-33
IDCONF A-32
SDEE A-33
Startup Wizard
access list 5-3
adding virtual sensors 5-12
Add Virtual Sensor dialog box 5-12
described 5-1
Inline Interface Pair window 5-8, 5-9
Inline VLAN Pairs window 5-9, 5-10
Interface Selection window 5-8
Interface Summary window 5-7
Sensor Setup window
configuring 5-4
field descriptions 5-2
Traffic Inspection Mode window 5-8
Virtual Sensors window 5-11
State engine
Cisco Login 10-19, B-42
described 10-19, B-42
LPR Format String 10-19, B-42
parameters (table) B-43
SMTP 10-19, B-42
statistics display 18-30
Statistics pane
button functions 18-30, 18-31
categories 18-29
described 18-29
using 18-30
status of license key 17-12
stick (DoS tools) B-6
String engine described 10-20, 10-23, B-44
String ICMP engine parameters (table) B-45
String TCP engine
custom signature 10-21
example signature 10-21
parameters (table) B-45
String UDP engine parameters (table) B-46
subinterface 0 described 7-13
subsignatures described 9-5
summarization
described 8-6, 11-5
Fire All 8-7, 11-5
Fire Once 8-7, 11-6
Global Summarization 8-7, 11-6
Meta engine 8-6, 11-5
Summary 8-7, 11-5
Summarizer described 8-28, 11-29
Summary pane
button functions 7-14
described 7-13
field descriptions 5-7, 7-14
supported
configurations (IDSM-2) C-59
FTP servers 17-17, 24-2
HTTP/HTTPS servers 17-17, 24-2
IPS interfaces (CSA MC) 16-3
platforms (IME) 1-3
Sweep engine
described 10-24, B-47
parameters (table) B-48, B-49
Sweep Other TCP engine described B-49
switch commands for troubleshooting C-60
system architecture
directory structure A-34
supported platforms A-1
system clock setting 6-15
System Configuration Dialog
described 21-2
example 21-2
system design (illustration) A-2
system image
installing
AIM-IPS 24-21
AIP-SSM 24-25
IDSM-2 (Catalyst software) 24-27
IDSM-2 (Cisco IOS software) 24-28
IPS-4240 24-14
IPS-4255 24-14
IPS-4260 24-17
IPS 4270-20 24-19
NME-IPS 24-38
system information display 18-31
System Information pane
described 18-30
using 18-31
system requirements (IME) 1-3
T
TAC
service account 6-17, A-29, C-5
show tech-support command C-72
target value rating
adding 8-17
calculating risk rating 8-5, 11-3
configuring 8-17
deleting 8-17
described 8-5, 8-17, 11-3, 11-19
editing 8-17
Target Value Rating tab
configuring 8-17
field descriptions 8-17, 11-19
TCP fragmentation described B-22
TCP Protocol tab
described 12-15, 12-22, 12-30
enabling TCP 12-15
external zone 12-30
field descriptions 12-15
illegal zone 12-22
TCP reset interfaces
conditions 7-7
described 7-6
list 7-7
TCP resets
IDSM-2 port C-64
not occurring C-50
TCP stream reassembly
explaining 9-40
mode 9-45
parameters (table) 9-40
signatures (table) 9-40
terminal server setup 22-2, 24-13
testing fail-over 7-10
TFN2K
described B-52
Trojans B-52
TFTP servers
maximum file size limitation 24-13
RTT 24-13
threat rating described 8-6, 11-4
Thresholds for KB Name window
described 18-17
field descriptions 18-18
filtering information 18-17
time correction on the sensor 6-11, C-18
Time pane
configuring 6-10
described 6-6
field descriptions 6-9
user roles 6-6
time sources
AIM-IPS 6-7, C-16
AIP-SSM 6-7, C-17
appliances 6-6, C-16
IDSM-2 6-7, C-16
NME-IPS 6-7, C-16
time synchronization and IPS modules 6-8, C-17
TLS
handshaking 13-8
IDM 13-8
understanding 6-3
Top Applications gadgets
configuring 3-8
described 3-8
Top Attackers gadgets
configuring 3-10
described 3-9
Top Signatures gadgets
configuring 3-11
described 3-11
Top Victims gadgets
configuring 3-10
described 3-10
Traffic Anomaly engine
described B-50
protocols B-50
signatures B-50
traffic flow notifications
configuring 7-26
described 7-26
Traffic Flow Notifications pane
configuring 7-26
field descriptions 7-26
user roles 7-26
Traffic ICMP engine
DDoS B-52
described B-52
LOKI B-52
parameters (table) B-52
TFN2K B-52
Traffic Inspection Mode window described 5-8
trial license key 17-12
Tribe Flood Network. See TFN.
Tribe Flood Network 2000. See TFN2K.
Trojan engine
BO2K B-52
described B-52
TFN2K B-52
Trojans
BO B-52
BO2K B-52
LOKI B-52
TFN2K B-52
troubleshooting
AIP-SSM
commands C-65
debugging C-66
failover scenarios C-67
recovering C-66
reset C-66
Analysis Engine busy C-55
applying software updates C-52
ARC
blocking not occurring for signature C-42
device access issues C-39
enabling SSH C-41
inactive state C-37
misconfigured master blocking sensor C-43
verifying device interfaces C-41
automatic updates C-53
cannot access sensor C-24
cidDump C-93
cidLog messages to syslog C-49
communication C-24
corrupted SensorApp configuration C-35
debug logger zone names (table) C-48
debug logging C-44
disaster recovery C-6
duplicate sensor IP addresses C-27
enabling debug logging C-45
external product interfaces 16-10, C-22
gathering information C-71
IDM cannot access sensor C-56
IDM will not load C-55
IDSM-2
command and control port C-63
diagnosing problems C-58
not online C-62, C-63
serial cable C-65
status indicator C-60
switch commands C-60
IME time synchronization problems C-57
IPS modules time drift 6-8, C-17
manual block to bogus host C-41
misconfigured access list C-26
no alerts C-32, C-57
NTP C-50
password recovery 17-11, C-15
physical connectivity issues C-30
preventive maintenance C-2
reset not occurring for a signature C-50
sensing process not running C-28
sensor events C-89
sensor loose connections C-22
sensor not seeing packets C-33
sensor software upgrade C-54
service account 6-17, C-5
show events command C-89
show interfaces command C-88
show statistics command C-78
show tech-support command C-72, C-73
show version command C-75
software upgrades C-51
SPAN port issue C-30
upgrading 5.x to 6.x C-52
verifying ARC status C-37
Trusted Hosts pane
configuring 13-10
described 13-9
field descriptions 13-10
tuned signatures described 9-5
tuning
AIC signatures 9-36
IP fragment reassembly signatures 9-39
signatures 9-16
U
UDP Protocol tab
described 12-16, 12-24, 12-31
enabling UDP 12-16
external zone 12-31
field descriptions 12-31
illegal zone 12-24
unassigned VLAN groups described 7-13
unauthenticated NTP 6-6, 6-13, C-16
understanding
SSH 13-1
time on the sensor 6-6, C-16
UNIX-style directory listings 17-17
Update Sensor pane
configuring 17-21
described 17-20
field descriptions 17-21
user roles 17-20
updating
Cisco.com 17-20
FTP server 17-20
sensors 17-21
upgrade command 24-3, 24-5
upgrading
5.x to 6.x 23-7, C-52
maintenance partition
IDSM-2 (Catalyst software) 24-37
IDSM-2 (Cisco IOS software) 24-37
minimum required version 23-7
recovery partition 24-5, 24-11
uploading KBs
FTP 18-23
SCP 18-23
Upload Knowledge Base to Sensor dialog box
described 18-23
field descriptions 18-23
URLs for Cisco Security Intelligence Operations 23-9
Users pane
button functions 6-17
configuring 6-18
field descriptions 6-17
user roles A-28
using
debug logging C-44
TCP reset interface 7-7
V
VACLs
described 14-3
Post-Block 14-21
Pre-Block 14-21
verifying
password recovery 17-11, C-15
sensor initialization 21-27
sensor setup 21-27
video help described 1-2
viewing
IP logs 18-14
statistics 18-30
system information 18-31
virtual sensors
adding 5-12, 8-11
default virtual sensor 8-2, 8-7
deleting 8-11
described 8-2, 8-7
editing 8-11
stream segregation 8-3
Virtual Sensors window described 5-11
VLAN groups
802.1q encapsulation 7-13
configuration restrictions 7-9
configuring 7-23
deploying 7-22
described 7-12
switches 7-22
VLAN Groups pane
configuring 7-23
described 7-21
field descriptions 7-22
user roles 7-21
VLAN IDs 7-21
VLAN Pairs pane
configuring 7-20
described 7-19
field descriptions 7-19
vulnerable OSes field
described B-6
W
watch list rating
calculating risk rating 8-5, 11-3
described 8-5, 11-3
Web Server
described A-3, A-22
HTTP 1.0 and 1.1 support A-22
private keys A-21
public keys A-21
RDEP2 support A-22
worm attacks and histograms 12-12, 18-16
worms
Blaster 12-2
Code Red 12-2
described 12-2
Nimda 12-2
protocols 12-2
Sasser 12-2
scanners 12-2
Slammer 12-2
SQL Slammer 12-2
Z
zones
external 12-4
illegal 12-4
internal 12-4