Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.0
Index

Numerics

4GE bypass interface card

configuration restrictions 6-9

described 6-8

802.1q encapsulation for VLAN groups 6-29

A

AAA RADIUS

functionality 4-23

limitations 4-23

accessing IPS software 22-2

access-list command 4-5

access lists

changing 4-6

configuring 4-6

misconfiguration C-29

account locking

configuring 4-28

security 4-28

account unlocking configuring 4-29

ACLs

described 14-2

Post-Block 14-22, 14-23

Pre-Block 14-22, 14-23

adaptive security appliance

sending IPS traffic (AIP SSM) 18-9

traffic inspection modes (AIP SSM) 18-8

adding

denied attackers 7-36

event action overrides 7-18

external product interfaces 11-5

global parameters 5-10

hosts to the SSH known hosts list 4-41, 4-42

login banners 4-8

signature variables 8-4

target value rating 7-15

trusted hosts 4-47

users 4-14, 4-24, 4-25

virtual sensors 5-5, 5-7, 18-4

Address Resolution Protocol. See ARP.

administrator role privileges 1-4

aggregation

alert frequency 7-33

operating modes 7-33

AIC engine

AIC FTP B-11

AIC FTP engine parameters (table) B-13

AIC HTTP B-11

AIC HTTP engine parameters (table) B-12

described B-11

features B-11

signature categories 8-17

AIC policy enforcement

default configuration 8-18, B-11

described 8-18, B-11

sensor oversubscription 8-18, B-11

AIM IPS

configuration sequence 19-1

configuring interfaces 19-5, 19-7, 19-9, 19-11, 19-13

displaying status 19-16

initializing 3-13

installing system image 23-23

interfaces described 19-3

interface sequence 19-4

logging in 2-6, 19-15

NAT 19-5

RBCP 19-18

rebooting 19-18

resetting 19-18

session command 2-5, 19-15

sessioning 2-4, 2-6, 19-14, 19-15

setup command 3-13

shutting down 19-18

verifying installation 19-2

AIP SSM

assigning virtual sensors 18-6

bypass mode 18-11

configuration tasks 18-1

creating virtual sensors 18-4

fail-open mode 18-8

fail-over mode 18-8

hw-module module 1 recover configure 18-13

hw-module module slot_number password-reset 18-13

hw-module module slot_number recover boot 18-13

hw-module module slot_number recover stop 18-13

hw-module module slot_number reload 18-12

hw-module module slot_number reset 18-13

hw-module module slot_number shutdown 18-12

initializing 3-16

inline mode 18-8

installing system image 23-26

interfaces 18-3

logging in 2-7

Normalizer engine 18-11, B-38, C-72

password recovery 17-5, C-11

promiscuous mode 18-8

receiving IPS traffic 18-9

recovering C-70

reimaging 23-26

resetting C-69

resetting the password 17-5, C-12

session command 2-7

setup command 3-16

show context 18-6

show ips command 18-6

show module command 18-2

task sequence 18-1

time sources 4-31, C-17

verifying initialization 18-2

virtual sensors

assigning policies 18-4

assigning the interface 18-4

assigning to security context 18-5

configuration sequence 18-3

Alarm Channel described 7-2, A-28

alert and log actions (list) 7-4

alert-frequency

command 8-7

modes B-6

alert-frequency command 8-7

alert-severity

command 8-9

configuring 8-9

allocate-ips command 18-3

allow-sensor-block command 14-8

alternate TCP reset interface 6-11

Analysis Engine

described 5-1

error messages C-25

IDM exits C-58

verify it is running C-22

virtual sensors 5-1

anomaly detection

asymmetric traffic 9-2

caution 9-2

configuration sequence 9-5

default configuration (example) 9-4

described 9-2

detect mode 9-4

disabling 9-49, C-21

event actions 9-6, B-64

inactive mode 9-4

learning accept mode 9-3

learning process 9-3

limiting false positives 9-37

protocols 9-3

signatures (table) 9-7, B-64

worms

attacks 9-37

described 9-3

zones 9-4

anomaly-detection load command 9-41

anomaly detection operational settings

configuring 9-10

described 9-10

anomaly detection policies

copying 9-8

creating 9-8

deleting 9-8

displaying 9-8

editing 9-8

lists 17-27

anomaly-detection save command 9-41

anomaly detection statistics

clearing 9-47

displaying 9-47

anomaly detection zones

external 9-28

illegal 9-20

internal 9-11

appliances

application partition image 23-12

GRUB menu 17-3, C-9

initializing 3-8

logging in 2-3

password recovery 17-3, C-9

resetting 17-42

terminal servers

described 2-3, 23-14

setting up 2-3, 23-14

time sources 4-30, C-17

UDLD protocol 6-28

upgrading recovery partition 23-6

Application Inspection and Control. See AIC.

application partition

described A-4

image recovery 23-12

application-policy

command 8-18

configuring 8-19

application policy enforcement

described 8-18, B-11

disabled (default) 8-18

applications in XML format A-3

applying software updates C-55

ARC

ACLs 14-22, A-14

authentication A-15

blocking

application 14-1

connection-based A-17

not occurring for signature C-45

unconditional blocking A-17

block response A-13

Catalyst 6000 series switch

VACL commands A-19

VACLs A-19

Catalyst switches

VACLs A-16

VLANs A-16

checking status 14-3, 14-4

described A-3

design 14-2

device access issues C-42

enabling SSH C-44

features A-14

firewalls

AAA A-18

connection blocking A-18

NAT A-18

network blocking A-18

postblock ACL A-16

preblock ACL A-16

shun command A-18

TACACS+ A-18

formerly Network Access Controller 14-1, 14-3

functions 14-1, A-12

illustration A-13

inactive state C-40

interfaces A-14

maintaining states A-16

master blocking sensors A-14

maximum blocks 14-2

misconfigured master blocking sensor C-46

nac.shun.txt file A-16

NAT addressing A-15

number of blocks A-15

postblock ACL A-16

preblock ACL A-16

prerequisites 14-5

rate limiting 14-4

responsibilities A-13

single point of control A-15

SSH A-14

supported devices 14-6, A-15

Telnet A-14

troubleshooting C-38

VACLs A-14

verifying device interfaces C-43

verifying status C-39

ARP

Layer 2 signatures B-13

protocol B-13

ARP spoof tools

dsniff B-13

ettercap B-13

ASA modules time sources 4-31, C-17

ASDM resetting passwords 17-7, C-13

assigning interfaces

virtual sensors 5-4

virtual sensors (AIP SSM) 18-4

assigning policies

virtual sensors 5-4

virtual sensors (AIP SSM) 18-4

asymmetric traffic

anomaly detection scanners 9-2

disabling anomaly detection 9-48, C-21

Atomic ARP engine

described B-13

parameters (table) B-13

Atomic IP Advanced engine

described B-14

restrictions B-15

Atomic IP engine

described B-24

parameters (table) B-24

Atomic IPv6 engine

described B-28

Neighborhood Discovery protocol B-28

signatures B-28

signatures (table) B-29

attack relevance rating

calculating risk rating 7-14

described 7-14, 7-26

Attack Response Controller

described A-3

formerly known as Network Access Controller A-3

Attack Response Controller. See ARC.

attack severity rating

calculating risk rating 7-13

described 7-13

attempt limit

RADIUS C-23

attemptLimit command 4-28

Audit mode described 10-9

authenticated NTP 4-30, 4-39, C-17

authentication

local 4-16

RADIUS 4-16

AuthenticationApp

authenticating users A-21

described A-3

login attempt limit A-21

method A-21

RADIUS A-21

responsibilities A-20

secure communications A-23

sensor configuration A-21

authorized keys

defining 4-43

RSA authentication 4-43

automatic setup 3-2

automatic upgrade

information required 23-7

troubleshooting C-55

autonegotiation for hardware bypass 6-10

auto-upgrade-option command 23-7

B

backing up

configuration 16-23, C-3

current configuration 16-22, C-5

BackOrifice. See BO.

BackOrifice 2000. See BO2K.

backup-config command 16-19

banner login command 17-18

basic setup 3-4

block connection command 14-34

block-enable command 14-9

block hosts command 14-32

blocking

addresses never to block 14-19

block time 14-13

connection 14-34

described 14-1

disabling 14-10

hosts 14-32

list of blocked hosts 14-34

managing firewalls 14-28

managing routers 14-24

managing switches 14-27

master blocking sensor 14-29

maximum entries 14-11

necessary information 14-3

not occurring for signature C-45

prerequisites 14-5

properties 14-7

sensor block itself 14-8

show statistics 14-34

supported devices 14-6

types 14-2

user profiles 14-20

block network command 14-33

BO

described B-66

Trojans B-66

BO2K

described B-66

Trojans B-66

Bug Toolkit

described C-2

URL C-2

bypass mode

AIP SSM 18-11

configuring 6-37

described 6-36

bypass-option command 6-37

C

calculating risk rating

attack relevance rating 7-14

attack severity rating 7-13

promiscuous delta 7-14

signature fidelity rating 7-13

target value rating 7-13

watch list rating 7-14

cannot access sensor C-26

capturing live traffic 13-5

Catalyst software

command and control access 20-5

IDSM2

command and control access 20-5

configuring VACLs 20-15

enabling full memory tests 20-40

enabling SPAN 20-11

mls ip ids command 20-18

resetting 20-41

set span command 20-11

supervisor engine commands

supported 20-43

unsupported 20-44

caution for clearing databases 17-10

certificates IDM 4-45

changing

access lists 4-6

FTP timeout 4-7

host IP address 4-3

hostname 4-2

passwords 4-24

privilege 4-25

Web Server settings 4-12

cidDump obtaining information C-97

CIDEE

defined A-36

example A-36

IPS extensions A-36

protocol A-36

supported IPS events A-36

cisco

default password 2-3

default username 2-3

Cisco.com

accessing software 22-2

downloading software 22-2

IPS software 22-2

software downloads 22-2

Cisco IOS software

command and control access 20-7

configuration commands 20-46

EXEC commands 20-45

IDSM2

command and control access 20-7

configuring VACLs 20-16

enabling full memory tests 20-40

enabling SPAN 20-13

mls ip ids command 20-19

resetting 20-42

rate limiting 14-4

SPAN options 20-12

cisco-security-agents-mc-settings command 11-4

Cisco Security Intelligence Operations

described 22-10

URL 22-10

Cisco Services for IPS

service contract 4-49, 22-11

supported products 4-49, 22-11

clear database command 17-10

clear denied-attackers command 7-37, 17-25

clear events command 4-31, 7-42, 17-23, C-19, C-97

clearing

anomaly detection statistics 9-47

denied attackers statistics 7-37, 17-26

events 7-42, 17-23, C-97

global correlation statistics 10-13

OS IDs 7-32

sensor database caution 17-10

sensor databases 17-11

statistics 17-28, C-82

clear line command 17-19

clear os-identification command 7-32

clear password command 17-4, 17-8, C-11, C-14

CLI

command line editing 1-7

command modes 1-8

default keywords 1-11

described A-3, A-32

error messages D-1

generic commands 1-10

guide introduction 1-1

regular expression syntax 1-8

CLI behavior 1-5

case sensitivity 1-6

display options 1-6

help 1-5

prompts 1-5

recall 1-6

tab completion 1-6

client manifest described A-31

clock set command 4-33, 17-25

CollaborationApp described A-3, A-30

command and control access

Catalyst software 20-5

Cisco IOS software 20-7

described 20-5

command and control interface

described 6-3

list 6-3

command line editing (table) 1-7

command modes

anomaly detection configuration 1-8

described 1-8

event action rules configuration 1-8

EXEC 1-8

global configuration 1-8

privileged EXEC 1-8

service mode configuration 1-8

signature definition configuration 1-8

commands

access-list 4-5

alert-frequency 8-7

alert-severity 8-9

allocate-ips 18-3

allow-sensor-block 14-8

anomaly-detection load 9-41

anomaly-detection save 9-41

application-policy 8-18

attemptLimit 4-28

auto-upgrade-option 23-7

backup-config 16-19

banner login 17-18

block connection 14-34

block-enable 14-9

block hosts 14-32

block network 14-33

bypass-option 6-37

cisco-security-agents-mc-settings 11-4

clear database 17-10

clear denied-attackers 7-37, 17-25

clear events 4-31, 7-42, 17-23, C-19, C-97

clear line 17-19

clear os-identification 7-32

clear password 17-4, 17-8, C-11, C-14

clock set 4-33, 17-25

copy ad-knowledge-base 9-42

copy anomaly-detection 9-8

copy backup-config 16-21, C-4

copy current-config 16-21, C-4

copy event-action-rules 7-8

copy iplog 12-7

copy license-key 4-50, 22-13

copy packet-file 13-6

copy signature-definition 8-1

current-config 16-19

debug module-boot C-70

default service anomaly-detection 9-8

default service event-action-rules 7-8

default service signature-definition 8-2

deny attacker 7-36

downgrade 23-11

enable-acl-logging 14-14

enable-detail-traps 15-4

enable-nvram-write 14-15

erase 16-24

erase ad-knowledge-base 9-42

erase license-key 4-52, 22-16

erase packet-file 13-7

event-action 8-15

event-action-rules-configurations 17-27

event-counter 8-10

external-zone 9-28

filters 7-21

fragment-reassembly 8-30

ftp-timeout 4-7

global-block-timeout 7-34, 14-13

global-deny-timeout 7-34

global-filters-status 7-34

global-metaevent-status 7-34

global-overrides-status 7-34

global-parameters 5-10

global-summarization 7-35

health-monitor 10-7, 17-13

host-ip 4-3

host-name 4-2

hw-module module 1 recover configure 18-13

hw-module module 1 reset C-69

hw-module module slot_number password-reset 17-5, 18-13, C-11

hw-module module slot_number recover boot 18-13

hw-module module slot_number recover stop 18-13

hw-module module slot_number reload 18-12

hw-module module slot_number reset 18-13

hw-module module slot_number shutdown 18-12

ignore 9-10

illegal-zone 9-20

inline-interfaces 6-18

interface GigabitEthernet 19-21, 21-15

interface IDS-Sensor 19-19, 21-13

interface-notifications 6-38

internal-zone 9-12

ip-access-list 20-16

ip-log 8-39

iplog 12-3

ip-log-bytes 12-2

ip-log-packets 12-2

iplog-status 12-5

ip-log-time 12-2

ipv6-target-value 7-15

learning-accept-mode 9-38

list anomaly-detection-configurations 9-8, 17-27

list event-action-rules-configurations 7-8

list signature-definition-configurations 8-1

log-all-block-events-and-errors 14-16

login-banner-text 4-8

max-block-entries 14-11

max-denied-attackers 7-35

max-interfaces 14-17

mls ip ids 20-18, 20-19

more 16-19

more current-config 16-1

never-block-hosts 14-19

never-block-networks 14-19

no iplog 12-6

no ipv6-target-value 7-15

no service anomaly-detection 9-8

no service event-action-rules 7-8

no service signature-definition 8-2

no target-value 7-15

no variables 7-11

os-identifications 7-28

other 9-18, 9-26, 9-34

overrides 7-17

packet capture 13-4

packet-display 13-2

password 4-14, 4-24

physical-interfaces 6-12, 6-23, 6-30

ping 17-41

privilege 4-14, 4-24

rename ad-knowledge-base 9-42

reset 17-42

service anomaly-detection 9-8

service event-action-rules 7-8

service-module IDS-Sensor 19-22, 21-16

service-module ids-sensor slot/port 19-18, 21-12

service-module ids-sensor slot/port heartbeat reset 19-17, 21-11

service-module ids-sensor slot/port status 19-16, 21-10

service signature-definition 8-1

session 2-5, 2-10, 19-15, 21-9

set security acl 20-14

set span 20-11

setup 3-2, 3-4, 3-8, 3-13, 3-16, 3-20, 3-24

show ad-knowledge-base diff 9-44, 9-45

show ad-knowledge-base files 9-40, 9-41

show clock 4-32, 17-24

show configuration 16-1

show context 18-6

show events 7-39, 17-20, C-94

show health 10-9, 17-17, C-74

show history 17-42

show inspection-load 17-11

show interfaces 6-39

show inventory 17-43, 19-2, 21-2

show ips 18-6

show module 18-2

show os-identification 7-32

show settings 16-3, 16-18, 17-9, 17-45, C-16

show statistics 14-34, 17-28, C-82

show statistics anomaly-detection 9-47

show statistics denied-attackers 7-37, 17-25

show statistics virtual-sensor 17-28, C-25, C-82

show tech-support 17-38, C-75

show users 4-25

show version 17-39, C-79

sig-fidelity-rating 8-11, 8-13

signature-definition-configurations 17-27

snmp-agent-port 15-2

snmp-agent-protocol 15-2

ssh authorized-key 4-43

ssh-generate-key 4-44

ssh host-key 4-41, 4-42

status 8-12

stream-reassembly 8-38

subinterface-type 6-24, 6-31

summertime-option non-recurring 4-35

summertime-option recurring 4-33

target-value 7-15

tcp 9-13, 9-21, 9-29

telnet-option 4-4

terminal 17-20

time-zone-settings 4-37

tls generate-key 4-48

tls trusted-host 4-46

trace 17-44

trap-community-name 15-4

trap-destinations 15-4

udp 9-15, 9-24, 9-32

unlock user username 4-29

upgrade 23-3, 23-6

username 4-14

user-profile 14-20

variables 7-11, 8-4

virtual-sensor name 5-4, 18-4

worm-timeout 9-10

comparing KBs 9-44

component signatures

Meta signatures B-33

risk rating B-33

configuration files

backing up 16-23, C-3

merging 16-23, C-3

configuration restrictions

alternate TCP reset interface 6-11

inline interface pairs 6-10

inline VLAN pairs 6-11

interfaces 6-10

physical interfaces 6-10

VLAN groups 6-11

configuration sequence

AIM IPS 19-1

AIP SSM 18-1

NME IPS 21-1

configured OS mapping (example) 7-28

configuring

access lists 4-6

account locking 4-28

account unlocking 4-29

ACL logging 14-14

alert frequency parameters 8-8

alert severity 8-9

anomaly detection operational settings 9-10

application policy 8-19, 8-27

automatic IP logging 12-2

automatic upgrades 23-9

blocking

firewalls 14-28

routers 14-24

switches 14-27

time 14-13

bypass mode 6-37

connection blocking 14-34

CSA MC IPS interfaces 11-4

DNS servers 4-10

event action filters 7-22

event actions 8-16

event counter 8-10

external zone 9-29

ftp-timeout 4-7

global correlation 10-10

health statistics 17-14

host blocks 14-32

host IP address 4-3

hostname 4-2

hosts never to block 14-19

HTTP proxy servers 4-10

illegal zone 9-20

inline interface pairs 6-19

inline VLAN groups 6-31

inline VLAN pairs 6-24

interfaces

AIM IPS 19-5, 19-7, 19-9, 19-11, 19-13

NME IPS 21-7

interface sequence 6-12

internal zone 9-12

IP fragment reassembly 8-31

IP fragment reassembly parameters 8-30, 8-37

IP logging 8-39

learning accept mode 9-38

logging all blocking events and errors 14-16

logical devices 14-20

login-banner-text 4-8

maintenance partition

IDSM2 (Catalyst software) 23-31

IDSM2 (Cisco IOS software) 23-35

manual IP logging 12-4

master blocking sensor 14-30

maximum

block entries 14-12

blocking interfaces 14-18

denied attackers 7-35

meta event generator 7-35

network blocks 14-33

network participation 10-11

networks never to block 14-19

NTP servers 4-38

NVRAM write 14-15

OS maps 7-29

other protocols

external zone 9-35

illegal zone 9-26

internal zone 9-18

password policy 4-26

passwords 4-24

privilege 4-25

promiscuous mode 6-14

RADIUS authentication 4-18

sensor sequence 1-2

sensor to block itself 14-8

sensor to use NTP 4-39

signature fidelity rating 8-11

status 8-12

summarizer 7-35

summertime

non-recurring 4-35

recurring 4-33

TCP

external zone 9-30

illegal zone 9-21

internal zone 9-13

stream reassembly 8-38

telnet-option 4-4

time zone settings 4-37

traffic flow notifications 6-38

UDLD protocol 6-28

UDP

external zone 9-32

illegal zone 9-24

internal zone 9-15

upgrades 23-5

user profiles 14-21

vulnerable OSes 8-14

Web Server settings 4-11

control transactions

characteristics A-9

request types A-9

copy ad-knowledge-base command 9-42

copy anomaly-detection command 9-8

copy backup-config command 16-21, C-4

copy command syntax 9-42

copy current-config command 16-21, C-4

copy event-action-rules command 7-8

copying

anomaly detection policies 9-8

event action rules policies 7-8

IP log files 12-7

KBs 9-42, 9-43

packet files 13-7

signature definition policies 8-2

copy iplog command 12-7

copy license-key command 4-50, 22-13

copy packet-file command 13-6

copy signature-definition command 8-1

correcting time on the sensor 4-31, C-19

creating

anomaly detection policies 9-8

Atomic IP Advanced signatures 8-51

banner logins 17-18

custom signatures 8-40

event action rules policies 7-8

event action variables 7-11

global parameters 5-10

Meta signatures 8-49

OS maps 7-29

Post-Block VACLs 14-26

Pre-Block VACLs 14-26

service account 4-22, C-6

service HTTP signatures 8-46

signature definition policies 8-2

string TCP signatures 8-42

user profiles 14-20

virtual sensors 5-5, 5-7

CSA MC

configuring IPS interfaces 11-4

host posture events 11-1, 11-4

quarantined IP address events 11-1

supported IPS interfaces 11-4

CtlTransSource

described A-3, A-11

illustration A-12

Ctrl-N 1-6

Ctrl-P 1-6

current-config command 16-19

current configuration back up 16-23, C-3

custom signatures

Atomic IP Advanced signature 8-51

configuration sequence 8-40

described 8-4

Meta signature 8-49

service HTTP example 8-46

String TCP 8-41

D

data ports restore defaults 20-28

data structures (examples) A-8

DDoS

protocols B-66

Stacheldraht B-66

TFN B-66

debug logging enable C-47

debug module-boot command C-70

default

blocking time 14-13

keywords 1-11

password 2-3

username 2-3

virtual sensor vs0 5-2

default service anomaly-detection command 9-8

default service event-action-rules command 7-8

default service signature-definition command 8-2

defining authorized keys 4-43

deleting

anomaly detection policies 9-8

denied attackers list 7-37, 17-26

event action rules policies 7-8

event action variables 7-11

inline interface pairs 6-21

inline VLAN pairs 6-27

OS maps 7-31

signature definition policies 8-2

signature variables 8-4

target value rating 7-15

VLAN groups 6-35

Denial of Service. See DoS.

denied attackers adding 7-36

deny actions (list) 7-5

deny attacker command 7-36

deny-packet-inline described 7-6, B-8

detect mode (anomaly detection) 9-4

device access issues C-42

diagnosing network connectivity 17-41

disabling

anomaly detection 9-49, C-21

blocking 14-10

ECLB (Cisco IOS software) 20-36

global correlation 10-12

password recovery 17-9, C-15

signatures 8-12

Telnet 4-4

disaster recovery C-7

displaying

AIM IPS status 19-16

anomaly detection policies 9-8

anomaly detection policy lists 17-27

anomaly detection statistics 9-47

contents of logical file 16-20

current configuration 16-1

current submode configuration 16-3

event action rules policies 7-8

event actions rules lists 17-27

events 7-40, 17-21, C-95

global correlation statistics 10-13

health status 17-17, C-75

inspection load 17-12

interface statistics 6-39

IP log contents 12-5

KB files 9-40

KB thresholds 9-46

live traffic 13-3

NME IPS status 21-10

OS IDs 7-32

password recovery setting 17-9, C-16

PEP information 17-43

policy lists 17-27

signature definition lists 17-27

statistics 17-28, C-82

submode settings 17-45

system clock 4-32, 17-24

tech support information 17-38, C-76

version 17-39, C-79

Distributed Denial of Service. See DDoS.

DNS server configuration 4-10

DoS tools B-6

downgrade command 23-11

downgrading sensors 23-11

downloading software 22-2

duplicate IP addresses C-29

E

ECLB

described 20-25

disabling (Cisco IOS software) 20-36

options 20-29

promiscuous mode 20-28

requirements 20-28

sensing modes 20-26

editing

anomaly detection policies 9-8

event action rules policies 7-8

event action variables 7-11

signature definition policies 8-2

signature variables 8-4

target value rating 7-15

efficacy

described 10-4

measurements 10-4

enable-acl-logging command 14-14

enable-detail-traps command 15-4

enable-nvram-write command 14-15

enabling

debug logging C-47

full memory tests

Catalyst software 20-40

Cisco IOS software 20-40

signatures 8-12

SPAN

Catalyst software 20-11

Cisco IOS software 20-13

Telnet 4-4

Encryption Software Export Distribution Authorization 22-3

engines

AIC 8-17, B-11

Fixed B-29

Flood B-32

Master B-4

Meta 8-47, B-33

Multi String B-35

Normalizer B-37

Service DNS B-40

Service FTP B-41

Service Generic B-42

Service H225 B-43

Service HTTP 8-44, B-46

Service IDENT B-48

Service MSRPC B-48

Service MSSQL B-49

Service NTP B-50

Service P2P B-50

Service RPC B-51

Service SMB B-54

Service SMB Advanced B-52

Service SSH B-55

Service TNS B-55

State B-57

String 8-41, B-59

Sweep B-61

Sweep Other TCP B-63

Traffic ICMP B-65

Trojan B-66

erase ad-knowledge-base command 9-42

erase command 16-24

erase license-key command 4-52, 22-16

erase packet-file command 13-7

erasing

current configuration 16-24

KBs 9-42, 9-43

packet files 13-7

error messages

described D-1

validation D-5

EtherChannel Load Balancing. See ECLB.

evAlert A-9

event-action command 8-15

event action filters

described 7-20

using variables 7-21

event action overrides

described 7-17

risk rating range 7-17

event action rules

described 7-2

functions 7-2

list display 17-27

task list 7-7

event action rules policies

copying 7-8

creating 7-8

deleting 7-8

displaying 7-8

editing 7-8

event actions

configuring 8-16

threat rating 7-14

event-counter

command 8-10

configuring 8-10

events

displaying 7-40, 17-21, C-95

host posture 11-2

quarantined IP address 11-2

Event Store

clearing events 4-31, C-19

data structures A-8

described A-3

examples A-8

responsibilities A-7

timestamp A-7

event types C-93

event variables

described 7-10

example 7-10

evError A-9

evLogTransaction A-9

evShunRqst A-9

evStatus A-9

examples

ASA failover configuration C-71

external product interfaces

adding 11-5

described 11-1

issues 11-3, C-23

troubleshooting 11-8, C-24

external zone

configuring 9-29

configuring other protocols 9-35

configuring TCP 9-30

configuring UDP 9-32

described 9-28

protocols 9-28

external-zone command 9-28

F

fail-over testing 6-9

false positives described 8-3

files

IDSM2 password recovery 17-7, C-14

filtering

more command 16-16

submode configuration 16-18

filters command 7-21

finding the serial number 19-2, 21-2

Fixed engine described B-29

Fixed ICMP engine parameters (table) B-30

Fixed TCP engine parameters (table) B-30

Fixed UDP engine parameters (table) B-31

Flood engine described B-32

Flood Host engine parameters (table) B-32

Flood Net engine parameters (table) B-32

fragment-reassembly command 8-30

FTP servers supported 23-3

FTP timeout

configuring 4-7

described 4-7

ftp-timeout command 4-7

G

general settings described 7-34

General tab described 7-34

generating

SSH Server host key 4-44

TLS certificate 4-48

generic commands 1-10

global-block-timeout command 7-34, 14-13

global correlation

described 10-1, 10-2, A-4

DNS server 4-10, 10-6

error messages A-31

features 10-5

goals 10-5

health metrics 10-7

HTTP proxy server 4-10, 10-6

IPv6 support 7-10, 7-11, 7-15, 7-20, 7-21, 10-6

license 3-5, 10-6, 10-8

options 10-9, 10-12

Produce Alert 7-5, 10-5, B-7

requirements 10-6

troubleshooting 10-15, C-20

update client (illustration) 10-8

global-deny-timeout command 7-34

global-filters-status command 7-34

global-metaevent-status command 7-34

global-overrides-status command 7-34

global parameters

adding 5-10

creating 5-10

maximum open IP logs 5-10

options 5-10

global-parameters command 5-10

global-summarization command 7-35

GRUB menu password recovery 17-3, C-9

H

H.225.0 protocol B-43

H.323 protocol B-43

hardware bypass

autonegotiation 6-10

configuration restrictions 6-9

fail-over 6-9

IPS 4270-20 6-8

supported configurations 6-9

with software bypass 6-9

health-monitor command 10-7, 17-13

health statistics configure 17-14

help

question mark 1-5

using 1-5

host blocks configure 14-32

host IP address

changing 4-3

configuring 4-3

host-ip command 4-3

hostname

changing 4-2

configuring 4-2

host-name command 4-2

host posture events

CSA MC 11-4

described 11-2

HTTP/HTTPS servers 23-3

HTTP deobfuscation

ASCII normalization 8-44, B-46

described 8-44, B-46

HTTP proxy server configuration 4-10

hw-module module 1 recover configure command 18-13

hw-module module 1 reset command C-69

hw-module module slot_number password-reset command 17-5, 18-13, C-11

hw-module module slot_number recover boot command 18-13

hw-module module slot_number recover stop command 18-13

hw-module module slot_number reload command 18-12

hw-module module slot_number reset command 18-13

hw-module module slot_number shutdown command 18-12

I

IDAPI

communications A-3, A-34

described A-3

functions A-34

illustration A-34

responsibilities A-34

IDCONF

described A-35

example A-35

XML A-35

IDIOM

defined A-34

messages A-34

IDM

Analysis Engine is busy C-58

certificates 4-45

TLS 4-45

will not load C-58

IDSM2

administrative tasks 20-39

capturing IPS traffic

mls ip ids command 20-18

SPAN 20-10

Catalyst software

command and control access 20-5

inline mode 20-20

inline VLAN pair mode 20-23

Cisco IOS software

command and control access 20-7

inline mode 20-21

inline VLAN pair mode 20-24

command and control access 20-7

command and control port 20-9, C-66

configuration tasks 20-1

configuring

command and control access 20-5

ECLB 20-29, 20-31, 20-33

ECLB inline mode 20-27

ECLB inline VLAN pair mode 20-26

ECLB promiscuous mode 20-26

inline mode 20-20, 20-21

inline VLAN pair mode (Catalyst software) 20-23

inline VLAN pair mode (Cisco IOS software) 20-24

load balancing 20-29, 20-31, 20-33

maintenance partition (Catalyst software) 23-31

maintenance partition (Cisco IOS software) 23-35

mls ip ids command 20-18

sequence 20-1

SPAN 20-10

tasks 20-1

configuring VACLs

Catalyst software 20-15

Cisco IOS software 20-16

disabling

ECLB (Catalyst software) 20-36

ECLB (Cisco IOS software) 20-36

ECLB

disabling (Catalyst software) 20-36

disabling (Cisco IOS software) 20-36

requirements 20-28

verifying (Catalyst software) 20-37

verifying (Cisco IOS software) 20-38

enabling full memory tests

Catalyst software 20-40

Cisco IOS software 20-40

initializing 3-20

inline mode

Catalyst software 20-20

Cisco IOS software 20-21

described 20-8, 20-20

requirements (Catalyst software) 20-20, 20-23

inline VLAN pair mode 20-8

Catalyst software 20-23

Cisco IOS software 20-24

described 20-22

installing

system image (Catalyst software) 23-29

system image (Cisco IOS software) 23-30

logging in 2-8

mixing sensing modes 20-9

mls ip ids command

Catalyst software 20-18

Cisco IOS software 20-19

described 20-9

monitoring ports 20-9

password recovery 17-7, C-13

password recovery image file 17-7, C-14

promiscuous mode 20-8, 20-9

reimaging 23-28

resetting

Catalyst software 20-41

Cisco IOS software 20-42

described 20-41

restoring data port defaults 20-28

sensing ports 20-14

sessioning 2-8

set span command 20-11

setup command 3-20

supported configurations 20-4, C-62

supported supervisor engine commands 20-43

TCP reset port 20-9, 20-10, 20-14, C-68

time sources 4-30, C-17

unsupported supervisor engine commands 20-44

upgrading

maintenance partition (Catalyst software) 23-39

maintenance partition (Cisco IOS software) 23-39

VACLs

configuring 20-14

described 20-14

verifying

ECLB (Catalyst software) 20-37

ECLB (Cisco IOS software) 20-38

installation 20-3

IDS-Sensor interface

ip unnumbered (AIM IPS) 19-6, 19-8

preferred method (AIM IPS) 19-4

ignore command 9-10

illegal zone

configuring 9-20

configuring other protocols 9-26

configuring TCP 9-21

configuring UDP 9-24

described 9-20

protocols 9-20

illegal-zone command 9-20

IME time synchronization problems C-60

inactive mode (anomaly detection) 9-4

initialization

verifying AIM IPS 19-2

verifying AIP SSM 18-2

verifying NME IPS 21-2

verifying sensor 3-27

initializing

AIM IPS 3-13

AIP SSM 3-16

appliances 3-8

IDSM2 3-20

NME IPS 3-24

sensors 3-2, 3-4

user roles 3-2

verifying 3-27

inline interface pairs

configuration restrictions 6-10

configuring 6-19

deleting 6-21

described 6-18

inline-interfaces command 6-18

inline mode IDSM2 20-8

inline VLAN groups configuration 6-31

inline VLAN pair mode

described 6-22

IDSM2 20-8

supported sensors 6-22

UDLD protocol 6-28

inline VLAN pairs

configuration restrictions 6-11

configuring 6-24

deleting 6-27

inspection load

description 17-11

displaying 17-12

installer major version 22-5

installer minor version 22-5

installing

license key 4-51, 22-14

sensor license 22-12

system image

AIM IPS 23-23

AIP SSM 23-26

IDSM2 (Catalyst software) 23-29

IDSM2 (Cisco IOS software) 23-30

IPS 4240 23-15

IPS 4255 23-15

IPS 4260 23-18

IPS 4270-20 23-20

NME IPS 23-40

InterfaceApp

described A-20

interactions A-20

NIC drivers A-20

InterfaceApp described A-3

interface configuration sequence 6-12

interface GigabitEthernet command 19-21, 21-15

interface IDS-Sensor command 19-19, 21-13

interface-notifications command 6-38

interfaces

alternate TCP reset 6-2

command and control 6-2, 6-3

configuration restrictions 6-10

described 6-2

displaying live traffic 13-3

port numbers 6-2

sensing 6-2, 6-3

slot numbers 6-2

statistics display 6-39

support (table) 6-6

TCP reset 6-4

VLAN groups 6-2

internal zone

configuring 9-12

configuring other protocols 9-18

configuring TCP 9-13

configuring UDP 9-15

described 9-11

protocols 9-11

internal-zone command 9-12

introducing the CLI guide 1-1

ip-access-list command 20-16

IP fragmentation described B-37

IP fragment reassembly

described 8-28

parameters (table) 8-28

signatures (table) 8-28

ip-log-bytes command 12-2

ip-log command 8-39

iplog command 12-3

IP log contents

displaying 12-5

viewing 12-5

IP log files

copying 12-7

TCPDUMP 12-1

Wireshark 12-1

IP logging

automatic 12-2

configuring 12-1

copying files 12-7

described 8-39, 12-1

manual 12-4

ip-log-packets command 12-2

iplog-status command 12-5

ip-log-time command 12-2

IPS 4240

installing system image 23-15

password recovery 17-3, C-10

reimaging 23-15

IPS 4255

installing system image 23-15

password recovery 17-3, C-10

reimaging 23-15

IPS 4260

installing system image 23-18

reimaging 23-18

IPS 4270-20

hardware bypass 6-8

installing system image 23-20

reimaging 23-20

IPS applications

summary A-37

table A-37

XML format A-3

IPS data

types A-8

XML document A-9

IPS events

evAlert A-9

evError A-9

evLogTransaction A-9

evShunRqst A-9

evStatus A-9

list A-9

types A-9

IPS internal communications A-34

IPS modules and time synchronization 4-31, C-18

IPS software

application list A-3

available files 22-2

configuring device parameters A-5

directory structure A-36

Linux OS A-2

obtaining 22-2

platform-dependent release examples 22-7

retrieving data A-5

security features A-5

tuning signatures A-5

updating A-5

user interaction A-5

versioning scheme 22-3

IPS software file names

major updates (illustration) 22-4

minor updates (illustration) 22-4

patch releases (illustration) 22-4

service packs (illustration) 22-4

ip unnumbered command 19-6, 19-8

IPv6

described B-28

SPAN ports 6-17

switches 6-17

ipv6-target-value command 7-15

K

KBs

comparing 9-44

copying 9-42, 9-43

described 9-3

displaying 9-40

erasing 9-42, 9-43

histogram 9-36

initial baseline 9-3

manually loading 9-41

manually saving 9-41

renaming 9-42, 9-43

scanner threshold 9-36

threshold display 9-46

tree structure 9-36

keywords

default 1-11

no 1-11

Knowledge Base. See KB.

L

learning accept mode

anomaly detection 9-3

configuring 9-38

learning-accept-mode command 9-38

license files

BSD license E-3

expat license E-12

GNU Lesser license E-33

GNU license E-28

license key

installation 4-51, 22-14

trial 4-49, 22-11

uninstalling 4-52, 22-16

licensing

described 4-49, 22-10

IPS device serial number 4-49, 22-10

Licensing pane

configuring 22-12

described 4-49, 22-10

limitations for concurrent CLI sessions 1-4

list anomaly-detection-configurations command 9-8, 17-27

list event-action-rules-configurations command 7-8, 17-27

list of blocked hosts 14-34

list signature-definition-configurations command 8-1, 17-27

load balancing options 20-29

loading KBs 9-41

log-all-block-events-and-errors command 14-16

Logger

described A-3, A-19

functions A-19

syslog messages A-20

logging in

AIM IPS 2-6, 19-15

AIP SSM 2-7

appliances 2-3

IDSM2 2-8

NME IPS 2-10, 21-9

sensors

SSH 2-11

Telnet 2-11

service role 2-2

terminal servers 2-3, 23-14

user role 2-2

login banners 4-8

login-banner-text

command 4-8

configuring 4-8

LOKI

described B-66

protocol B-65

loose connections on sensors C-25

M

MainApp

components A-6

described A-3, A-6

host statistics A-6

responsibilities A-6

show version command A-6

maintenance partition

configuring

IDSM2 (Catalyst software) 23-31

IDSM2 (Cisco IOS software) 23-35

described A-4

major updates described 22-3

managing

firewalls 14-28

routers 14-24

switches 14-27

manifests

client A-31

server A-31

manual

blocking 14-32, 14-34

block to bogus host C-44

manually

loading KBs 9-41

saving KBs 9-41

master blocking sensor

described 14-29

not set up properly C-46

Master engine

alert frequency B-6

alert frequency parameters (table) B-6

described B-3

event actions B-7

general parameters (table) B-4

universal parameters B-4

master engine parameters

obsoletes B-6

promiscuous delta B-5

vulnerable OSes B-6

max-block-entries command 14-11

max-denied-attackers command 7-35

maximum open IP logs 5-10

max-interfaces command 14-17

merging configuration files 16-23, C-3

Meta engine

component signatures B-33

described 8-47, B-33

parameters (table) B-34

Signature Event Action Processor 8-47, B-33

Meta Event Generator described 7-34

MIBs supported 15-6, C-20

minor updates described 22-3

mls ip ids command 20-18, 20-19

modes

AIP SSM 18-8

anomaly detection

detect 9-4

inactive 9-4

learning accept 9-3

bypass 6-36

inline interface pair 6-18

inline VLAN pair 6-22

promiscuous 6-16

VLAN groups 6-29

modifying terminal properties 17-20

modify packets inline modes 5-3

monitoring and viewer privileges 1-4

more command

described 16-19

filtering 16-16

more current-config command 16-1

Multi String engine

described B-35

parameters (table) B-35

Regex B-35

N

NAT

advantages 19-5, 21-5

AIM IPS 19-5

NME IPS 21-5

Neighborhood Discovery

options B-29

types B-29

network block configuration 14-33

network participation

data gathered 10-3

data use (table) 10-2

described 10-3

health metrics 10-7

modes 10-4

options 10-11

requirements 10-4

statistics 10-4

never-block-hosts command 14-19

never-block-networks command 14-19

NME IPS

configuration sequence 21-1

configuring interfaces 21-6, 21-7

displaying status 21-10

initializing 3-24

installing system image 23-40

interface sequence 21-5

logging in 2-10, 21-9

NAT 21-5

RBCP 21-12

rebooting 21-12

reimaging 23-40

resetting 21-12

resetting heartbeat 21-11

session command 2-10, 21-9

sessioning 2-9, 2-10, 21-8, 21-9

setup command 3-24

shutting down 21-12

verifying installation 21-2

no iplog command 12-6

no ipv6-target-value command 7-15

Normalizer engine

described B-37

IP fragment reassembly B-37

parameters (table) B-38

TCP stream reassembly B-37

no service anomaly-detection command 9-8

no service event-action-rules command 7-8

no service signature-definition command 8-2

no target-value command 7-15

NotificationApp

alert information A-9

described A-3

functions A-9

SNMP gets A-9

SNMP traps A-9

statistics A-11

system health information A-10

no variables command 7-11

NTP

authenticated 4-30, 4-39, C-17

configuring servers 4-38

described 4-30, C-17

incorrect configuration C-18

sensor time source 4-38, 4-39

time synchronization 4-30, C-17

unauthenticated 4-30, 4-39, C-17

O

obsoletes field described B-6

obtaining

command history 17-43

IPS software 22-2

list of blocked hosts and connections 14-34

used commands list 17-43

one-way TCP reset described 7-34

operator role privileges 1-4

os-identifications command 7-28

OS IDs

clearing 7-32

displaying 7-32

OS maps

creating 7-29

deleting 7-31

other actions (list) 7-6

other command 9-18, 9-26, 9-34

output

clearing current line 1-6

displaying 1-6

overrides command 7-17

P

P2P networks described B-50

packet capture command 13-4

packet display command 13-2

packet files

viewing

TCPDUMP 13-7

Wireshark 13-7

partitions

application A-4

maintenance A-4

recovery A-4

passive OS fingerprinting

components 7-26

configuring 7-27

described 7-26

password command 4-14, 4-24

password policy

caution 4-26

configuring 4-26

password recovery

AIP SSM 17-5, C-11

appliances 17-3, C-9

CLI 17-9, C-15

described 17-2, C-8

disabling 17-9, C-15

GRUB menu 17-3, C-9

IDSM2 17-7, C-13

IPS 4240 17-3, C-10

IPS 4255 17-3, C-10

platforms 17-2, C-8

ROMMON 17-3, C-10

troubleshooting 17-10, C-16

verifying 17-9, C-16

passwords

changing 4-24

configuring 4-24

patch releases described 22-4

peacetime learning (anomaly detection) 9-3

Peer-to-Peer. See P2P.

PEP information

PID 17-43

SN 17-43

VID 17-43

physical connectivity issues C-33

physical-interfaces command 6-12, 6-23, 6-30

physical interfaces configuration restrictions 6-10

ping command 17-41

platforms concurrent CLI sessions 1-4

policy list display 17-27

Post-Block ACLs 14-22, 14-23

Pre-Block ACLs 14-22, 14-23

prerequisites for blocking 14-5

privilege

changing 4-25

command 4-14, 4-24

configuring 4-25

privilege levels

administrator 1-4

operator 1-4

service 1-4

viewer 1-4

promiscuous delta

calculating risk rating 7-14

described 7-14, 8-6

promiscuous delta described B-5

promiscuous mode

configuring 6-14

configuring (IDSM2) 6-17

described 6-16

ECLB 20-28

IDSM2 20-8

packet flow 6-16

SPAN ports 6-17

VACL capture 6-17

prompts and default input 1-5

protocols

ARP B-13

CIDEE A-36

DCE B-48

DDoS B-66

H.323 B-43

H.225.0 B-43

HTTP 4-11

ICMPv6 B-14

IDAPI A-34

IDCONF A-35

IDIOM A-34

IPv6 B-28

LOKI B-65

MSSQL B-49

Neighborhood Discovery B-28

Q.931 B-44

RPC B-48

SDEE A-35

UDLD 6-28

Q

Q.931 protocol

described B-44

SETUP messages B-44

quarantined IP address events described 11-2

R

RADIUS

attempt limit C-23

multiple cisco av-pairs 4-17, 4-19

RADIUS authentication

configuring 4-18

described 4-16

service account 4-23

shared secret 4-20

rate limiting

ACLs 14-5

described 14-4

routers 14-4

service policies 14-5

supported signatures 14-4

RBCP

AIM IPS 19-18

NME IPS 21-12

rebooting

AIM IPS 19-18

NME IPS 21-12

recall

help and tab completion 1-6

using 1-6

recover command 23-12

recovering

AIP SSM C-70

application partition image 23-12

recovery partition

described A-4

upgrading 23-6

Regular Expression. See Regex.

regular expression syntax

described 1-8

signatures B-9

table 1-9

reimaging

AIP SSM 23-26

appliances 23-12

described 23-2

IDSM2 23-28

IPS 4240 23-15

IPS 4255 23-15

IPS 4260 23-18

IPS 4270-20 23-20

NME IPS 23-40

sensors 22-8, 23-2

removing

last applied

service pack 23-11

signature update 23-11

users 4-14

rename ad-knowledge-base command 9-42

renaming KBs 9-42, 9-43

reputation

described 10-2

illustration 10-3

servers 10-3

reset

command 17-42

not occurring for a signature C-53

resetting

AIM IPS 19-18

AIP SSM C-69

appliances 17-42

IDSM2 20-41

NME IPS 21-12

passwords

ASDM 17-7, C-13

hw-module command 17-5, C-11

resetting heartbeat

NME IPS 21-11

resetting the password

AIP SSM 17-5, C-12

restoring

data port defaults 20-28

restoring the current configuration 16-22, C-5

retiring signatures 8-12

risk rating

Alarm Channel 10-5

calculating 7-13

component signatures B-33

described 7-26

reputation score 10-4

ROMMON

described 23-14

IPS 4240 23-15

IPS 4255 23-15

IPS 4260 23-18

IPS 4270-20 23-18, 23-20

password recovery 17-3, C-10

remote sensors 23-14

serial console port 23-14

TFTP 23-14

round-trip time. See RTT.

RPC portmapper B-51

RSA authentication and authorized keys 4-43

RTT

described 23-14

TFTP limitation 23-14

S

saving KBs 9-41

scheduling automatic upgrades 23-9

SDEE

described A-35

HTTP A-35

protocol A-35

server requests A-36

searching the submode configuration 16-18

security

account locking 4-28

information on Cisco Security Intelligence Operations 22-10

policies described 7-1, 8-1, 9-2

SSH 4-41

sensing interfaces

described 6-3

interface cards 6-4

modes 6-3

SensorApp

Alarm Channel A-26

Analysis Engine A-26

described A-3

event action filtering A-27

inline packet processing A-26

IP normalization A-26

packet flow A-27

processors A-25

responsibilities A-25

risk rating A-27

Signature Event Action Processor A-25, A-28

TCP normalization A-27

SensorBase Network

described 10-1, A-4

known threats 10-2, A-4

sensors

access problems C-26

asymmetric traffic and disabling anomaly detection 9-48, C-21

clearing databases 17-11

configuration sequence 1-2

configuring to use NTP 4-39

corrupted SensorApp configuration C-37

disaster recovery C-7

downgrading 23-11

incorrect NTP configuration C-18

initializing 3-2, 3-4

interface support 6-6

IP address conflicts C-29

license 22-12

logging in

SSH 2-11

Telnet 2-11

loose connections C-25

managing

firewalls 14-28

routers 14-24

switches 14-27

misconfigured access lists C-29

no alerts C-34, C-60

not seeing packets C-36

NTP time source 4-39

NTP time synchronization 4-30, C-17

partitions A-4

physical connectivity C-33

preventive maintenance C-3

recovering the system image 22-8

reimaging 22-8, 23-2

sensing process C-31

sensing process not running C-31

SensorApp not running C-31

setup command 3-2, 3-4, 3-8

system images 22-8

time sources 4-30, C-17

troubleshooting software upgrades C-57

upgrading 23-5

using NTP time source 4-38

sequence

AIM IPS interfaces 19-4

NME IPS interfaces 21-5

serial number and the show inventory command 19-2, 21-2

server manifest described A-31

service account

creating 4-22, C-6

described 4-22, A-33, C-6

RADIUS authentication 4-23

TAC A-33

troubleshooting A-33

service anomaly-detection command 9-8

Service DNS engine

described B-40

parameters (table) B-40

Service engine

described B-40

Layer 5 traffic B-40

service event-action-rules command 7-8

Service FTP engine

described B-41

parameters (table) B-42

PASV port spoof B-41

Service Generic engine

described B-42

parameters (table) B-43

Service H225 engine

ASN.1 PER validation B-44

described B-43

features B-44

parameters (table) B-45

TPKT validation B-44

Service HTTP engine

described 8-44, B-46

parameters (table) B-46

signature 8-46

Service IDENT engine

described B-48

parameters (table) B-48

service-module IDS-Sensor command 19-22, 21-16

service-module ids-sensor slot/port command 19-18, 21-12

service-module ids-sensor slot/port heartbeat reset command 19-17, 21-11

service-module ids-sensor slot/port session command 2-4, 2-9, 19-14, 21-8

service-module ids-sensor slot/port status command 19-16, 21-10

Service MSRPC engine

DCE/RPC protocol B-48

described B-48

parameters (table) B-49

Service MSSQL engine

described B-49

MSSQL protocol B-49

parameters (table) B-50

Service NTP engine

described B-50

parameters (table) B-50

Service P2P engine described B-50

service packs described 22-4

Service role

bypass CLI 2-2

described 1-5

privileges 1-4

troubleshooting use A-32

Service RPC engine

described B-51

parameters (table) B-51

RPC portmapper B-51

service signature-definition command 8-1

Service SMB Advanced engine

described B-52

parameters (table) B-52

Service SNMP engine

described B-54

parameters (table) B-54

Service SSH engine

described B-55

parameters (table) B-55

Service TNS engine

described B-55

parameters (table) B-56

session command

AIM IPS 2-5, 19-15

AIP SSM 2-7

IDSM2 2-8

NME IPS 2-10, 21-9

sessioning

AIM IPS 2-6, 19-15

AIP SSM 2-7

IDSM2 2-8

NME IPS 2-10, 21-9

set security acl command 20-14

setting the system clock 4-33, 17-25

setting up terminal servers 2-3, 23-14

setup

automatic 3-2

simplified mode 3-2

setup command 3-2, 3-4, 3-8, 3-13, 3-16, 3-20, 3-24

shared secret

described 4-20

RADIUS authentication 4-20

show ad-knowledge-base diff command 9-44, 9-45

show ad-knowledge-base files command 9-40, 9-41

show clock command 4-32, 17-24

show configuration command 16-1

show context command 18-6

show events command 7-39, 17-20, C-93, C-94

show health command 10-9, 17-17, C-74

show history command 17-42

showing user information 4-26

show inspection-load command 17-11

show interfaces command 6-39, C-92

show inventory command 17-43, 19-2, 21-2

show ips command 18-6

show module command 18-2

show os-identification command 7-32

show settings command 16-3, 16-18, 17-9, 17-45, C-16

show statistics anomaly-detection command 9-47

show statistics command 14-34, 17-28, C-81, C-82

show statistics denied-attackers command 7-37, 17-25

show statistics virtual-sensor command 17-28, C-25, C-82

show tech-support command 17-38, C-75

show users command 4-25

show version command 17-39, C-78, C-79

shutting down

AIM IPS 19-18

NME IPS 21-12

sig-fidelity-rating command 8-11, 8-13

signature/virus update files described 22-4

signature definition list display 17-27

signature definition policies

copying 8-2

creating 8-2

deleting 8-2

editing 8-2

signature engines

AIC 8-17, B-11

Atomic B-13

Atomic ARP B-13

Atomic IP B-24

Atomic IP Advanced B-14

Atomic IPv6 B-28

described B-1

event actions B-7

Fixed B-29

Flood B-32

Flood Host B-32

Flood Net B-32

list B-2

Master B-4

Meta 8-47, B-33

Multi String B-35

Normalizer B-37

Regex

patterns B-10

syntax B-9

Service B-40

Service DNS B-40

Service FTP B-41

Service Generic B-42

Service H225 B-43

Service HTTP 8-44, B-46

Service IDENT B-48

Service MSRPC B-48

Service MSSQL B-49

Service NTP B-50

Service P2P B-50

Service RPC B-51

Service SMB Advanced B-52

Service SNMP B-54

Service SSH B-55

Service TNS B-55

State B-57

String 8-41, B-59

Sweep Other TCP B-63

Traffic Anomaly 9-6, B-63

Traffic ICMP B-65

Trojan B-66

signature engine update files described 22-5

Signature Event Action Filter

described 7-2, A-28

parameters 7-3, A-28

Signature Event Action Handler described 7-3, A-29

Signature Event Action Override described 7-2, A-28

Signature Event Action Processor

Alarm Channel 7-2, A-28

components 7-2, A-28

described 7-2, A-25, A-28

signature fidelity rating

calculating risk rating 7-13

configuring 8-11

described 7-13

signatures

custom 8-4

default 8-3

described 8-3

false positives 8-3

general parameters 8-6

rate limits 14-4

Service HTTP 8-46

string TCP 8-42

subsignatures 8-3

TCP reset C-53

tuned 8-3

signature variables

adding 8-4

deleting 8-4

described 8-4

editing 8-4

SNMP

configuring

agent parameters 15-2

traps 15-4

described 15-1

general parameters 15-2

Get 15-1

GetNext 15-1

Set 15-1

supported MIBs 15-6, C-20

Trap 15-1

traps described 15-1

snmp-agent-port command 15-2

snmp-agent-protocol command 15-2

software architecture

ARC (illustration) A-13

IDAPI (illustration) A-34

software bypass

supported configurations 6-9

with hardware bypass 6-9

software downloads Cisco.com 22-2

software file names

recovery (illustration) 22-6

signature/virus updates (illustration) 22-5

signature engine updates (illustration) 22-5

system image (illustration) 22-6

software release examples

platform-dependent 22-7

platform identifiers 22-7

platform-independent 22-6

software updates

supported FTP servers 23-3

supported HTTP/HTTPS servers 23-3

SPAN

configuring 20-10

options 20-12

port issues C-33

specifying worm timeout 9-10

SSH

adding hosts 4-42

known hosts list 4-41

security 4-41

understanding 4-41

ssh authorized-key command 4-43

ssh generate-key command 4-44

ssh host-key command 4-41, 4-42

SSH Server

host key generation 4-44

private keys A-23

public keys A-23

standards

CIDEE A-36

IDCONF A-35

SDEE A-35

State engine

Cisco Login B-57

described B-57

LPR Format String B-57

parameters (table) B-57

SMTP B-57

status command 8-12

stopping IP logging 12-6

stream-reassembly command 8-38

String engine described 8-41, B-59

String ICMP engine parameters (table) B-59

String TCP engine

example signature 8-41

options 8-41

parameters (table) B-59

String UDP engine parameters (table) B-60

subinterface 0 described 6-29

subinterface-type command 6-24, 6-31

submode configuration

filtering output 16-18

searching output 16-18

subsignatures described 8-3

summarization

described 7-33

fire-all 7-33

fire-once 7-34

global-summarization 7-34

Meta engine 7-33

summary 7-34

Summarizer described 7-34

summertime

configuring

non-recurring 4-35

recurring 4-33

summertime-option non-recurring command 4-35

summertime-option recurring command 4-33

supervisor engine commands

supported 20-43

unsupported 20-44

supported

FTP servers 23-3

HTTP/HTTPS servers 23-3

IDSM2 configurations 20-4, C-62

supporting IPS interfaces for CSA MC 11-4

Sweep engine

described B-61

parameters (table) B-62, B-63

Sweep Other TCP engine described B-63

switch commands for troubleshooting C-63

syntax and case sensitivity 1-6

system architecture

directory structure A-36

supported platforms A-1

system clock

displaying 4-32, 17-24

setting 4-33, 17-25

System Configuration Dialog

described 3-2

example 3-3

system design (illustration) A-2

system image

installing

IDSM2 (Cisco IOS software) 23-30

system images sensors 22-8

T

tab completion use 1-6

TAC

PEP information 17-43

service account 4-22, A-33, C-6

show tech-support command 17-38, C-75

target-value command 7-15

IPv4 7-15

IPv6 7-15

target value rating

calculating risk rating 7-13

described 7-13, 7-15

tasks

configuring IDSM2 20-1

configuring the sensor 1-2

tcp command 9-13, 9-21, 9-29

TCPDUMP

copy packet-file command 13-6

expression syntax 13-2

IP logs 12-1

packet capture command 13-5

packet display command 13-2

TCP fragmentation described B-37

TCP reset

not occurring C-53

TCP reset interfaces

conditions 6-5

described 6-4

list 6-5

TCP resets

IDSM2 port 20-10, C-68

TCP stream reassembly

described 8-32

parameters (table) 8-32, 8-37

signatures (table) 8-32, 8-37

Telnet

disabling 4-4

enabling 4-4

telnet-option

command 4-4

configuring 4-4

terminal

command 17-20

modifying length 17-20

server setup 2-3, 23-14

terminating CLI sessions 17-19

testing fail-over 6-9

TFN2K

described B-65

Trojans B-66

TFTP RTT 23-14

TFTP servers

recommended

UNIX 23-14

Windows 23-14

threat rating

described 7-14

risk rating 7-14

time

correction on the sensor 4-31, C-19

sensors 4-30, C-17

synchronization on IPS modules 4-31, C-18

time sources

AIP SSM 4-31, C-17

appliances 4-30, C-17

ASA modules 4-31, C-17

IDSM2 4-30, C-17

time-zone-settings

command 4-37

configuring 4-37

TLS

certificate generation 4-48

handshaking 4-46

IDM 4-45

tls generate-key command 4-48

tls trusted-host command 4-46

trace

command 17-44

IP packet route 17-44

Traffic Anomaly engine

described 9-6, B-63

protocols 9-6, B-63

signatures 9-6, B-63

traffic flow notifications

configuring 6-38

described 6-38

Traffic ICMP engine

DDoS B-65

described B-65

LOKI B-65

parameters (table) B-66

TFN2K B-65

trap-community-name command 15-4

trap-destinations command 15-4

trial license key 4-49, 22-11

Tribe Flood Network. See TFN.

Tribe Flood Network 2000. See TFN2K.

Trojan engine

BO2K B-66

described B-66

TFN2K B-66

Trojans

BO B-66

BO2K B-66

LOKI B-66

TFN2K B-66

troubleshooting

AIP SSM

debugging C-70

recovering C-70

reset C-69

Analysis Engine busy C-58

applying software updates C-55

ARC

blocking not occurring for signature C-45

device access issues C-42

enabling SSH C-44

inactive state C-40

misconfigured master blocking sensor C-46

verifying device interfaces C-43

ASA 5500 AIP SSM

failover scenarios C-71

automatic updates C-55

cannot access sensor C-26

cidDump C-97

cidLog messages to syslog C-52

communication C-26

corrupted SensorApp configuration C-37

debug logger zone names (table) C-51

debug logging C-47

disaster recovery C-7

duplicate sensor IP addresses C-29

enabling debug logging C-47

external product interfaces 11-8, C-24

gathering information C-74

global correlation 10-15, C-20

IDM

cannot access sensor C-59

will not load C-58

IDSM2

command and control port C-66

diagnosing problems C-61, C-62

not online C-65, C-66

serial cable C-68

status indicator C-63

switch commands C-63

IME time synchronization C-60

IPS modules time drift 4-31, C-18

manual block to bogus host C-44

misconfigured access list C-29

no alerts C-34, C-60

NTP C-53

password recovery 17-10, C-16

physical connectivity issues C-33

preventive maintenance C-3

RADIUS

attempt limit C-23

reset not occurring for a signature C-53

sensing process not running C-31

sensor events C-93

sensor loose connections C-25

sensor not seeing packets C-36

sensor software upgrade C-57

service account 4-22, C-6

show events command C-93

show interfaces command C-91, C-92

show statistics command C-81

show tech-support command C-75, C-77

show version command C-78

software upgrades C-54

SPAN port issue C-33

upgrading C-55

verifying Analysis Engine is running C-22

verifying ARC status C-39

trusted hosts add 4-47

tuned signatures described 8-3

U

UDLD described 6-28

udp command 9-15, 9-24, 9-32

unassigned VLAN groups described 6-29

unauthenticated NTP 4-30, 4-39, C-17

UniDirectional Link Detection. See UDLD.

uninstalling

license key 4-52, 22-16

unlocking accounts 4-29

unlock user username command 4-29

unsupported supervisor engine commands 20-44

Updater Client described A-30

upgrade command 23-3, 23-6

upgrading

IPS software 22-8

latest version C-55

maintenance partition

IDSM2 (Catalyst software) 23-39

IDSM2 (Cisco IOS software) 23-39

minimum required version 22-8

recovery partition 23-6, 23-12

sensors 23-5

URLs for Cisco Security Intelligence Operations 22-10

username command 4-14

user-profiles

command 14-20

described 14-20

user roles

administrator 1-4

operator 1-4

service 1-4

viewer 1-4

user roles authentication 4-16

users

adding 4-14

removing 4-14

using

debug logging C-47

TCP reset interfaces 6-5

V

VACLs

described 14-2

IDSM2 20-14

Post-Block 14-26

Pre-Block 14-26

validation error messages described D-5

variables command 7-11, 8-4

IPv4 7-11

IPv6 7-11

verifying

AIM IPS installation 19-2

ECLB (Catalyst software) 20-37

ECLB (Cisco IOS software) 20-38

IDSM2 installation 20-3

NME IPS installation 21-2

password recovery 17-9, C-16

sensor initialization 3-27

sensor setup 3-27

viewer role privileges 1-4

viewing

IP log contents 12-5

user information 4-26

virtual-sensor name command 5-4, 18-4

virtual sensors

adding 5-5, 5-7, 18-4

assigning interfaces 5-4

assigning policies 5-4

creating 5-5, 5-7, 18-4

default virtual sensor 5-2

described 5-2

displaying KB files 9-40

options 5-4, 18-4

stream segregation 5-3

VLAN groups

802.1q encapsulation 6-29

configuration restrictions 6-11

deleting 6-35

deploying 6-30

described 6-29

switches 6-30

vulnerable OSes configuring 8-14

vulnerable OSes field

described B-6

W

watch list rating

calculating risk rating 7-14

described 7-14

Web Server

changing settings 4-12

configuring settings 4-11

default port 4-11

described A-3, A-24

HTTP 1.0 and 1.1 support A-24

HTTP protocol 4-11

private keys A-23

public keys A-23

Wireshark

copy packet-file command 13-6

IP logs 12-1

worms

Blaster 9-3

Code Red 9-2, 9-3

histograms 9-37

Nimda 9-2

protocols 9-3

Sasser 9-3

scanners 9-3

Slammer 9-3

SQL Slammer 9-2

worm-timeout

command 9-10

specifying 9-10

Z

zones

external 9-4

illegal 9-4

internal 9-4