Index
Numerics
4GE bypass interface card
configuration restrictions 6-9
described 6-8
802.1q encapsulation for VLAN groups 6-29
A
AAA RADIUS
functionality 4-23
limitations 4-23
accessing IPS software 22-2
access-list command 4-5
access lists
changing 4-6
configuring 4-6
misconfiguration C-29
account locking
configuring 4-28
security 4-28
account unlocking configuring 4-29
ACLs
described 14-2
Post-Block 14-22, 14-23
Pre-Block 14-22, 14-23
adaptive security appliance
sending IPS traffic (AIP SSM) 18-9
traffic inspection modes (AIP SSM) 18-8
adding
denied attackers 7-36
event action overrides 7-18
external product interfaces 11-5
global parameters 5-10
hosts to the SSH known hosts list 4-41, 4-42
login banners 4-8
signature variables 8-4
target value rating 7-15
trusted hosts 4-47
users 4-14, 4-24, 4-25
virtual sensors 5-5, 5-7, 18-4
Address Resolution Protocol. See ARP.
administrator role privileges 1-4
aggregation
alert frequency 7-33
operating modes 7-33
AIC engine
AIC FTP B-11
AIC FTP engine parameters (table) B-13
AIC HTTP B-11
AIC HTTP engine parameters (table) B-12
described B-11
features B-11
signature categories 8-17
AIC policy enforcement
default configuration 8-18, B-11
described 8-18, B-11
sensor oversubscription 8-18, B-11
AIM IPS
configuration sequence 19-1
configuring interfaces 19-5, 19-7, 19-9, 19-11, 19-13
displaying status 19-16
initializing 3-13
installing system image 23-23
interfaces described 19-3
interface sequence 19-4
logging in 2-6, 19-15
NAT 19-5
RBCP 19-18
rebooting 19-18
resetting 19-18
session command 2-5, 19-15
sessioning 2-4, 2-6, 19-14, 19-15
setup command 3-13
shutting down 19-18
verifying installation 19-2
AIP SSM
assigning virtual sensors 18-6
bypass mode 18-11
configuration tasks 18-1
creating virtual sensors 18-4
fail-open mode 18-8
fail-over mode 18-8
hw-module module 1 recover configure 18-13
hw-module module slot_number password-reset 18-13
hw-module module slot_number recover boot 18-13
hw-module module slot_number recover stop 18-13
hw-module module slot_number reload 18-12
hw-module module slot_number reset 18-13
hw-module module slot_number shutdown 18-12
initializing 3-16
inline mode 18-8
installing system image 23-26
interfaces 18-3
logging in 2-7
Normalizer engine 18-11, B-38, C-72
password recovery 17-5, C-11
promiscuous mode 18-8
receiving IPS traffic 18-9
recovering C-70
reimaging 23-26
resetting C-69
resetting the password 17-5, C-12
session command 2-7
setup command 3-16
show context 18-6
show ips command 18-6
show module command 18-2
task sequence 18-1
time sources 4-31, C-17
verifying initialization 18-2
virtual sensors
assigning policies 18-4
assigning the interface 18-4
assigning to security context 18-5
configuration sequence 18-3
Alarm Channel described 7-2, A-28
alert and log actions (list) 7-4
alert-frequency
command 8-7
modes B-6
alert-frequency command 8-7
alert-severity
command 8-9
configuring 8-9
allocate-ips command 18-3
allow-sensor-block command 14-8
alternate TCP reset interface 6-11
Analysis Engine
described 5-1
error messages C-25
IDM exits C-58
verify it is running C-22
virtual sensors 5-1
anomaly detection
asymmetric traffic 9-2
caution 9-2
configuration sequence 9-5
default configuration (example) 9-4
described 9-2
detect mode 9-4
disabling 9-49, C-21
event actions 9-6, B-64
inactive mode 9-4
learning accept mode 9-3
learning process 9-3
limiting false positives 9-37
protocols 9-3
signatures (table) 9-7, B-64
worms
attacks 9-37
described 9-3
zones 9-4
anomaly-detection load command 9-41
anomaly detection operational settings
configuring 9-10
described 9-10
anomaly detection policies
copying 9-8
creating 9-8
deleting 9-8
displaying 9-8
editing 9-8
lists 17-27
anomaly-detection save command 9-41
anomaly detection statistics
clearing 9-47
displaying 9-47
anomaly detection zones
external 9-28
illegal 9-20
internal 9-11
appliances
application partition image 23-12
GRUB menu 17-3, C-9
initializing 3-8
logging in 2-3
password recovery 17-3, C-9
resetting 17-42
terminal servers
described 2-3, 23-14
setting up 2-3, 23-14
time sources 4-30, C-17
UDLD protocol 6-28
upgrading recovery partition 23-6
Application Inspection and Control. See AIC.
application partition
described A-4
image recovery 23-12
application-policy
command 8-18
configuring 8-19
application policy enforcement
described 8-18, B-11
disabled (default) 8-18
applications in XML format A-3
applying software updates C-55
ARC
ACLs 14-22, A-14
authentication A-15
blocking
application 14-1
connection-based A-17
not occurring for signature C-45
unconditional blocking A-17
block response A-13
Catalyst 6000 series switch
VACL commands A-19
VACLs A-19
Catalyst switches
VACLs A-16
VLANs A-16
checking status 14-3, 14-4
described A-3
design 14-2
device access issues C-42
enabling SSH C-44
features A-14
firewalls
AAA A-18
connection blocking A-18
NAT A-18
network blocking A-18
postblock ACL A-16
preblock ACL A-16
shun command A-18
TACACS+ A-18
formerly Network Access Controller 14-1, 14-3
functions 14-1, A-12
illustration A-13
inactive state C-40
interfaces A-14
maintaining states A-16
master blocking sensors A-14
maximum blocks 14-2
misconfigured master blocking sensor C-46
nac.shun.txt file A-16
NAT addressing A-15
number of blocks A-15
postblock ACL A-16
preblock ACL A-16
prerequisites 14-5
rate limiting 14-4
responsibilities A-13
single point of control A-15
SSH A-14
supported devices 14-6, A-15
Telnet A-14
troubleshooting C-38
VACLs A-14
verifying device interfaces C-43
verifying status C-39
ARP
Layer 2 signatures B-13
protocol B-13
ARP spoof tools
dsniff B-13
ettercap B-13
ASA modules time sources 4-31, C-17
ASDM resetting passwords 17-7, C-13
assigning interfaces
virtual sensors 5-4
virtual sensors (AIP SSM) 18-4
assigning policies
virtual sensors 5-4
virtual sensors (AIP SSM) 18-4
asymmetric traffic
anomaly detection scanners 9-2
disabling anomaly detection 9-48, C-21
Atomic ARP engine
described B-13
parameters (table) B-13
Atomic IP Advanced engine
described B-14
restrictions B-15
Atomic IP engine
described B-24
parameters (table) B-24
Atomic IPv6 engine
described B-28
Neighbor Discovery protocol B-28
signatures B-28
signatures (table) B-29
attack relevance rating
calculating risk rating 7-14
described 7-14, 7-26
Attack Response Controller
described A-3
formerly known as Network Access Controller A-3
Attack Response Controller. See ARC.
attack severity rating
calculating risk rating 7-13
described 7-13
attempt limit
RADIUS C-23
attemptLimit command 4-28
Audit mode described 10-9
authenticated NTP 4-30, 4-39, C-17
authentication
local 4-16
RADIUS 4-16
AuthenticationApp
authenticating users A-21
described A-3
login attempt limit A-21
method A-21
RADIUS A-21
responsibilities A-20
secure communications A-23
sensor configuration A-21
authorized keys
defining 4-43
RSA authentication 4-43
automatic setup 3-2
automatic upgrade
information required 23-7
troubleshooting C-55
autonegotiation for hardware bypass 6-10
auto-upgrade-option command 23-7
B
backing up
configuration 16-23, C-3
current configuration 16-22, C-5
BackOrifice. See BO.
BackOrifice 2000. See BO2K.
backup-config command 16-19
banner login command 17-18
basic setup 3-4
block connection command 14-34
block-enable command 14-9
block hosts command 14-32
blocking
addresses never to block 14-19
block time 14-13
connection 14-34
described 14-1
disabling 14-10
hosts 14-32
list of blocked hosts 14-34
managing firewalls 14-28
managing routers 14-24
managing switches 14-27
master blocking sensor 14-29
maximum entries 14-11
necessary information 14-3
not occurring for signature C-45
prerequisites 14-5
properties 14-7
sensor block itself 14-8
show statistics 14-34
supported devices 14-6
types 14-2
user profiles 14-20
block network command 14-33
BO
described B-66
Trojans B-66
BO2K
described B-66
Trojans B-66
Bug Toolkit
described C-2
URL C-2
bypass mode
AIP SSM 18-11
configuring 6-37
described 6-36
bypass-option command 6-37
C
calculating risk rating
attack relevance rating 7-14
attack severity rating 7-13
promiscuous delta 7-14
signature fidelity rating 7-13
target value rating 7-13
watch list rating 7-14
cannot access sensor C-26
capturing live traffic 13-5
Catalyst software
command and control access 20-5
IDSM2
command and control access 20-5
configuring VACLs 20-15
enabling full memory tests 20-40
enabling SPAN 20-11
mls ip ids command 20-18
resetting 20-41
set span command 20-11
supervisor engine commands
supported 20-43
unsupported 20-44
caution for clearing databases 17-10
certificates IDM 4-45
changing
access lists 4-6
FTP timeout 4-7
host IP address 4-3
hostname 4-2
passwords 4-24
privilege 4-25
Web Server settings 4-12
cidDump obtaining information C-97
CIDEE
defined A-36
example A-36
IPS extensions A-36
protocol A-36
supported IPS events A-36
cisco
default password 2-3
default username 2-3
Cisco.com
accessing software 22-2
downloading software 22-2
IPS software 22-2
software downloads 22-2
Cisco IOS software
command and control access 20-7
configuration commands 20-46
EXEC commands 20-45
IDSM2
command and control access 20-7
configuring VACLs 20-16
enabling full memory tests 20-40
enabling SPAN 20-13
mls ip ids command 20-19
resetting 20-42
rate limiting 14-4
SPAN options 20-12
cisco-security-agents-mc-settings command 11-4
Cisco Security Intelligence Operations
described 22-10
URL 22-10
Cisco Services for IPS
service contract 4-49, 22-11
supported products 4-49, 22-11
clear database command 17-10
clear denied-attackers command 7-37, 17-25
clear events command 4-31, 7-42, 17-23, C-19, C-97
clearing
anomaly detection statistics 9-47
denied attackers statistics 7-37, 17-26
events 7-42, 17-23, C-97
global correlation statistics 10-13
OS IDs 7-32
sensor database caution 17-10
sensor databases 17-11
statistics 17-28, C-82
clear line command 17-19
clear os-identification command 7-32
clear password command 17-4, 17-8, C-11, C-14
CLI
command line editing 1-7
command modes 1-8
default keywords 1-11
described A-3, A-32
error messages D-1
generic commands 1-10
guide introduction 1-1
regular expression syntax 1-8
CLI behavior 1-5
case sensitivity 1-6
display options 1-6
help 1-5
prompts 1-5
recall 1-6
tab completion 1-6
client manifest described A-31
clock set command 4-33, 17-25
CollaborationApp described A-3, A-30
command and control access
Catalyst software 20-5
Cisco IOS software 20-7
described 20-5
command and control interface
described 6-3
list 6-3
command line editing (table) 1-7
command modes
anomaly detection configuration 1-8
described 1-8
event action rules configuration 1-8
EXEC 1-8
global configuration 1-8
privileged EXEC 1-8
service mode configuration 1-8
signature definition configuration 1-8
commands
access-list 4-5
alert-frequency 8-7
alert-severity 8-9
allocate-ips 18-3
allow-sensor-block 14-8
anomaly-detection load 9-41
anomaly-detection save 9-41
application-policy 8-18
attemptLimit 4-28
auto-upgrade-option 23-7
backup-config 16-19
banner login 17-18
block connection 14-34
block-enable 14-9
block hosts 14-32
block network 14-33
bypass-option 6-37
cisco-security-agents-mc-settings 11-4
clear database 17-10
clear denied-attackers 7-37, 17-25
clear events 4-31, 7-42, 17-23, C-19, C-97
clear line 17-19
clear os-identification 7-32
clear password 17-4, 17-8, C-11, C-14
clock set 4-33, 17-25
copy ad-knowledge-base 9-42
copy anomaly-detection 9-8
copy backup-config 16-21, C-4
copy current-config 16-21, C-4
copy event-action-rules 7-8
copy iplog 12-7
copy license-key 4-50, 22-13
copy packet-file 13-6
copy signature-definition 8-1
current-config 16-19
debug module-boot C-70
default service anomaly-detection 9-8
default service event-action-rules 7-8
default service signature-definition 8-2
deny attacker 7-36
downgrade 23-11
enable-acl-logging 14-14
enable-detail-traps 15-4
enable-nvram-write 14-15
erase 16-24
erase ad-knowledge-base 9-42
erase license-key 4-52, 22-16
erase packet-file 13-7
event-action 8-15
event-action-rules-configurations 17-27
event-counter 8-10
external-zone 9-28
filters 7-21
fragment-reassembly 8-30
ftp-timeout 4-7
global-block-timeout 7-34, 14-13
global-deny-timeout 7-34
global-filters-status 7-34
global-metaevent-status 7-34
global-overrides-status 7-34
global-parameters 5-10
global-summarization 7-35
health-monitor 10-7, 17-13
host-ip 4-3
host-name 4-2
hw-module module 1 recover configure 18-13
hw-module module 1 reset C-69
hw-module module slot_number password-reset 17-5, 18-13, C-11
hw-module module slot_number recover boot 18-13
hw-module module slot_number recover stop 18-13
hw-module module slot_number reload 18-12
hw-module module slot_number reset 18-13
hw-module module slot_number shutdown 18-12
ignore 9-10
illegal-zone 9-20
inline-interfaces 6-18
interface GigabitEthernet 19-21, 21-15
interface IDS-Sensor 19-19, 21-13
interface-notifications 6-38
internal-zone 9-12
ip-access-list 20-16
ip-log 8-39
iplog 12-3
ip-log-bytes 12-2
ip-log-packets 12-2
iplog-status 12-5
ip-log-time 12-2
ipv6-target-value 7-15
learning-accept-mode 9-38
list anomaly-detection-configurations 9-8, 17-27
list event-action-rules-configurations 7-8
list signature-definition-configurations 8-1
log-all-block-events-and-errors 14-16
login-banner-text 4-8
max-block-entries 14-11
max-denied-attackers 7-35
max-interfaces 14-17
mls ip ids 20-18, 20-19
more 16-19
more current-config 16-1
never-block-hosts 14-19
never-block-networks 14-19
no iplog 12-6
no ipv6-target-value 7-15
no service anomaly-detection 9-8
no service event-action-rules 7-8
no service signature-definition 8-2
no target-value 7-15
no variables 7-11
os-identifications 7-28
other 9-18, 9-26, 9-34
overrides 7-17
packet capture 13-4
packet-display 13-2
password 4-14, 4-24
physical-interfaces 6-12, 6-23, 6-30
ping 17-41
privilege 4-14, 4-24
rename ad-knowledge-base 9-42
reset 17-42
service anomaly-detection 9-8
service event-action-rules 7-8
service-module IDS-Sensor 19-22, 21-16
service-module ids-sensor slot/port 19-18, 21-12
service-module ids-sensor slot/port heartbeat reset 19-17, 21-11
service-module ids-sensor slot/port status 19-16, 21-10
service signature-definition 8-1
session 2-5, 2-10, 19-15, 21-9
set security acl 20-14
set span 20-11
setup 3-2, 3-4, 3-8, 3-13, 3-16, 3-20, 3-24
show ad-knowledge-base diff 9-44, 9-45
show ad-knowledge-base files 9-40, 9-41
show clock 4-32, 17-24
show configuration 16-1
show context 18-6
show events 7-39, 17-20, C-94
show health 10-9, 17-17, C-74
show history 17-42
show inspection-load 17-11
show interfaces 6-39
show inventory 17-43, 19-2, 21-2
show ips 18-6
show module 18-2
show os-identification 7-32
show settings 16-3, 16-18, 17-9, 17-45, C-16
show statistics 14-34, 17-28, C-82
show statistics anomaly-detection 9-47
show statistics denied-attackers 7-37, 17-25
show statistics virtual-sensor 17-28, C-25, C-82
show tech-support 17-38, C-75
show users 4-25
show version 17-39, C-79
sig-fidelity-rating 8-11, 8-13
signature-definition-configurations 17-27
snmp-agent-port 15-2
snmp-agent-protocol 15-2
ssh authorized-key 4-43
ssh-generate-key 4-44
ssh host-key 4-41, 4-42
status 8-12
stream-reassembly 8-38
subinterface-type 6-24, 6-31
summertime-option non-recurring 4-35
summertime-option recurring 4-33
target-value 7-15
tcp 9-13, 9-21, 9-29
telnet-option 4-4
terminal 17-20
time-zone-settings 4-37
tls generate-key 4-48
tls trusted-host 4-46
trace 17-44
trap-community-name 15-4
trap-destinations 15-4
udp 9-15, 9-24, 9-32
unlock user username 4-29
upgrade 23-3, 23-6
username 4-14
user-profile 14-20
variables 7-11, 8-4
virtual-sensor name 5-4, 18-4
worm-timeout 9-10
comparing KBs 9-44
component signatures
Meta signatures B-33
risk rating B-33
configuration files
backing up 16-23, C-3
merging 16-23, C-3
configuration restrictions
alternate TCP reset interface 6-11
inline interface pairs 6-10
inline VLAN pairs 6-11
interfaces 6-10
physical interfaces 6-10
VLAN groups 6-11
configuration sequence
AIM IPS 19-1
AIP SSM 18-1
NME IPS 21-1
configured OS mapping (example) 7-28
configuring
access lists 4-6
account locking 4-28
account unlocking 4-29
ACL logging 14-14
alert frequency parameters 8-8
alert severity 8-9
anomaly detection operational settings 9-10
application policy 8-19, 8-27
automatic IP logging 12-2
automatic upgrades 23-9
blocking
firewalls 14-28
routers 14-24
switches 14-27
time 14-13
bypass mode 6-37
connection blocking 14-34
CSA MC IPS interfaces 11-4
DNS servers 4-10
event action filters 7-22
event actions 8-16
event counter 8-10
external zone 9-29
ftp-timeout 4-7
global correlation 10-10
health statistics 17-14
host blocks 14-32
host IP address 4-3
hostname 4-2
hosts never to block 14-19
HTTP proxy servers 4-10
illegal zone 9-20
inline interface pairs 6-19
inline VLAN groups 6-31
inline VLAN pairs 6-24
interfaces
AIM IPS 19-5, 19-7, 19-9, 19-11, 19-13
NME IPS 21-7
interface sequence 6-12
internal zone 9-12
IP fragment reassembly 8-31
IP fragment reassembly parameters 8-30, 8-37
IP logging 8-39
learning accept mode 9-38
logging all blocking events and errors 14-16
logical devices 14-20
login-banner-text 4-8
maintenance partition
IDSM2 (Catalyst software) 23-31
IDSM2 (Cisco IOS software) 23-35
manual IP logging 12-4
master blocking sensor 14-30
maximum
block entries 14-12
blocking interfaces 14-18
denied attackers 7-35
meta event generator 7-35
network blocks 14-33
network participation 10-11
networks never to block 14-19
NTP servers 4-38
NVRAM write 14-15
OS maps 7-29
other protocols
external zone 9-35
illegal zone 9-26
internal zone 9-18
password policy 4-26
passwords 4-24
privilege 4-25
promiscuous mode 6-14
RADIUS authentication 4-18
sensor sequence 1-2
sensor to block itself 14-8
sensor to use NTP 4-39
signature fidelity rating 8-11
status 8-12
summarizer 7-35
summertime
non-recurring 4-35
recurring 4-33
TCP
external zone 9-30
illegal zone 9-21
internal zone 9-13
stream reassembly 8-38
telnet-option 4-4
time zone settings 4-37
traffic flow notifications 6-38
UDLD protocol 6-28
UDP
external zone 9-32
illegal zone 9-24
internal zone 9-15
upgrades 23-5
user profiles 14-21
vulnerable OSes 8-14
Web Server settings 4-11
control transactions
characteristics A-9
request types A-9
copy ad-knowledge-base command 9-42
copy anomaly-detection command 9-8
copy backup-config command 16-21, C-4
copy command syntax 9-42
copy current-config command 16-21, C-4
copy event-action-rules command 7-8
copying
anomaly detection policies 9-8
event action rules policies 7-8
IP log files 12-7
KBs 9-42, 9-43
packet files 13-7
signature definition policies 8-2
copy iplog command 12-7
copy license-key command 4-50, 22-13
copy packet-file command 13-6
copy signature-definition command 8-1
correcting time on the sensor 4-31, C-19
creating
anomaly detection policies 9-8
Atomic IP Advanced signatures 8-51
banner logins 17-18
custom signatures 8-40
event action rules policies 7-8
event action variables 7-11
global parameters 5-10
Meta signatures 8-49
OS maps 7-29
Post-Block VACLs 14-26
Pre-Block VACLs 14-26
service account 4-22, C-6
service HTTP signatures 8-46
signature definition policies 8-2
string TCP signatures 8-42
user profiles 14-20
virtual sensors 5-5, 5-7
CSA MC
configuring IPS interfaces 11-4
host posture events 11-1, 11-4
quarantined IP address events 11-1
supported IPS interfaces 11-4
CtlTransSource
described A-3, A-11
illustration A-12
Ctrl-N 1-6
Ctrl-P 1-6
current-config command 16-19
current configuration back up 16-23, C-3
custom signatures
Atomic IP Advanced signature 8-51
configuration sequence 8-40
described 8-4
Meta signature 8-49
service HTTP example 8-46
String TCP 8-41
D
data ports restore defaults 20-28
data structures (examples) A-8
DDoS
protocols B-66
Stacheldraht B-66
TFN B-66
debug logging enable C-47
debug module-boot command C-70
default
blocking time 14-13
keywords 1-11
password 2-3
username 2-3
virtual sensor vs0 5-2
default service anomaly-detection command 9-8
default service event-action-rules command 7-8
default service signature-definition command 8-2
defining authorized keys 4-43
deleting
anomaly detection policies 9-8
denied attackers list 7-37, 17-26
event action rules policies 7-8
event action variables 7-11
inline interface pairs 6-21
inline VLAN pairs 6-27
OS maps 7-31
signature definition policies 8-2
signature variables 8-4
target value rating 7-15
VLAN groups 6-35
Denial of Service. See DoS.
denied attackers adding 7-36
deny actions (list) 7-5
deny attacker command 7-36
deny-packet-inline described 7-6, B-8
detect mode (anomaly detection) 9-4
device access issues C-42
diagnosing network connectivity 17-41
disabling
anomaly detection 9-49, C-21
blocking 14-10
ECLB (Cisco IOS software) 20-36
global correlation 10-12
password recovery 17-9, C-15
signatures 8-12
Telnet 4-4
disaster recovery C-7
displaying
AIM IPS status 19-16
anomaly detection policies 9-8
anomaly detection policy lists 17-27
anomaly detection statistics 9-47
contents of logical file 16-20
current configuration 16-1
current submode configuration 16-3
event action rules policies 7-8
event actions rules lists 17-27
events 7-40, 17-21, C-95
global correlation statistics 10-13
health status 17-17, C-75
inspection load 17-12
interface statistics 6-39
IP log contents 12-5
KB files 9-40
KB thresholds 9-46
live traffic 13-3
NME IPS status 21-10
OS IDs 7-32
password recovery setting 17-9, C-16
PEP information 17-43
policy lists 17-27
signature definition lists 17-27
statistics 17-28, C-82
submode settings 17-45
system clock 4-32, 17-24
tech support information 17-38, C-76
version 17-39, C-79
Distributed Denial of Service. See DDoS.
DNS server configuration 4-10
DoS tools B-6
downgrade command 23-11
downgrading sensors 23-11
downloading software 22-2
duplicate IP addresses C-29
E
ECLB
described 20-25
disabling (Cisco IOS software) 20-36
options 20-29
promiscuous mode 20-28
requirements 20-28
sensing modes 20-26
editing
anomaly detection policies 9-8
event action rules policies 7-8
event action variables 7-11
signature definition policies 8-2
signature variables 8-4
target value rating 7-15
efficacy
described 10-4
measurements 10-4
enable-acl-logging command 14-14
enable-detail-traps command 15-4
enable-nvram-write command 14-15
enabling
debug logging C-47
full memory tests
Catalyst software 20-40
Cisco IOS software 20-40
signatures 8-12
SPAN
Catalyst software 20-11
Cisco IOS software 20-13
Telnet 4-4
Encryption Software Export Distribution Authorization 22-3
engines
AIC 8-17, B-11
Fixed B-29
Flood B-32
Master B-4
Meta 8-47, B-33
Multi String B-35
Normalizer B-37
Service DNS B-40
Service FTP B-41
Service Generic B-42
Service H225 B-43
Service HTTP 8-44, B-46
Service IDENT B-48
Service MSRPC B-48
Service MSSQL B-49
Service NTP B-50
Service P2P B-50
Service RPC B-51
Service SMB B-54
Service SMB Advanced B-52
Service SSH B-55
Service TNS B-55
State B-57
String 8-41, B-59
Sweep B-61
Sweep Other TCP B-63
Traffic ICMP B-65
Trojan B-66
erase ad-knowledge-base command 9-42
erase command 16-24
erase license-key command 4-52, 22-16
erase packet-file command 13-7
erasing
current configuration 16-24
KBs 9-42, 9-43
packet files 13-7
error messages
described D-1
validation D-5
EtherChannel Load Balancing. See ECLB.
evAlert A-9
event-action command 8-15
event action filters
described 7-20
using variables 7-21
event action overrides
described 7-17
risk rating range 7-17
event action rules
described 7-2
functions 7-2
list display 17-27
task list 7-7
event action rules policies
copying 7-8
creating 7-8
deleting 7-8
displaying 7-8
editing 7-8
event actions
configuring 8-16
threat rating 7-14
event-counter
command 8-10
configuring 8-10
events
displaying 7-40, 17-21, C-95
host posture 11-2
quarantined IP address 11-2
Event Store
clearing events 4-31, C-19
data structures A-8
described A-3
examples A-8
responsibilities A-7
timestamp A-7
event types C-93
event variables
described 7-10
example 7-10
evError A-9
evLogTransaction A-9
evShunRqst A-9
evStatus A-9
examples
ASA failover configuration C-71
external product interfaces
adding 11-5
described 11-1
issues 11-3, C-23
troubleshooting 11-8, C-24
external zone
configuring 9-29
configuring other protocols 9-35
configuring TCP 9-30
configuring UDP 9-32
described 9-28
protocols 9-28
external-zone command 9-28
F
fail-over testing 6-9
false positives described 8-3
files
IDSM2 password recovery 17-7, C-14
filtering
more command 16-16
submode configuration 16-18
filters command 7-21
finding the serial number 19-2, 21-2
Fixed engine described B-29
Fixed ICMP engine parameters (table) B-30
Fixed TCP engine parameters (table) B-30
Fixed UDP engine parameters (table) B-31
Flood engine described B-32
Flood Host engine parameters (table) B-32
Flood Net engine parameters (table) B-32
fragment-reassembly command 8-30
FTP servers supported 23-3
FTP timeout
configuring 4-7
described 4-7
ftp-timeout command 4-7
G
general settings described 7-34
General tab described 7-34
generating
SSH Server host key 4-44
TLS certificate 4-48
generic commands 1-10
global-block-timeout command 7-34, 14-13
global correlation
described 10-1, 10-2, A-4
DNS server 4-10, 10-6
error messages A-31
features 10-5
goals 10-5
health metrics 10-7
HTTP proxy server 4-10, 10-6
IPv6 support 7-10, 7-11, 7-15, 7-20, 7-21, 10-6
license 3-5, 10-6, 10-8
options 10-9, 10-12
Produce Alert 7-5, 10-5, B-7
requirements 10-6
troubleshooting 10-15, C-20
update client (illustration) 10-8
global-deny-timeout command 7-34
global-filters-status command 7-34
global-metaevent-status command 7-34
global-overrides-status command 7-34
global parameters
adding 5-10
creating 5-10
maximum open IP logs 5-10
options 5-10
global-parameters command 5-10
global-summarization command 7-35
GRUB menu password recovery 17-3, C-9
H
H.225.0 protocol B-43
H.323 protocol B-43
hardware bypass
autonegotiation 6-10
configuration restrictions 6-9
fail-over 6-9
IPS 4270-20 6-8
supported configurations 6-9
with software bypass 6-9
health-monitor command 10-7, 17-13
health statistics configure 17-14
help
question mark 1-5
using 1-5
host blocks configure 14-32
host IP address
changing 4-3
configuring 4-3
host-ip command 4-3
hostname
changing 4-2
configuring 4-2
host-name command 4-2
host posture events
CSA MC 11-4
described 11-2
HTTP/HTTPS servers 23-3
HTTP deobfuscation
ASCII normalization 8-44, B-46
described 8-44, B-46
HTTP proxy server configuration 4-10
hw-module module 1 recover configure command 18-13
hw-module module 1 reset command C-69
hw-module module slot_number password-reset command 17-5, 18-13, C-11
hw-module module slot_number recover boot command 18-13
hw-module module slot_number recover stop command 18-13
hw-module module slot_number reload command 18-12
hw-module module slot_number reset command 18-13
hw-module module slot_number shutdown command 18-12
I
IDAPI
communications A-3, A-34
described A-3
functions A-34
illustration A-34
responsibilities A-34
IDCONF
described A-35
example A-35
XML A-35
IDIOM
defined A-34
messages A-34
IDM
Analysis Engine is busy C-58
certificates 4-45
TLS 4-45
will not load C-58
IDSM2
administrative tasks 20-39
capturing IPS traffic
mls ip ids command 20-18
SPAN 20-10
Catalyst software
command and control access 20-5
inline mode 20-20
inline VLAN pair mode 20-23
Cisco IOS software
command and control access 20-7
inline mode 20-21
inline VLAN pair mode 20-24
command and control access 20-7
command and control port 20-9, C-66
configuration tasks 20-1
configuring
command and control access 20-5
ECLB 20-29, 20-31, 20-33
ECLB inline mode 20-27
ECLB inline VLAN pair mode 20-26
ECLB promiscuous mode 20-26
inline mode 20-20, 20-21
inline VLAN pair mode (Catalyst software) 20-23
inline VLAN pair mode (Cisco IOS software) 20-24
load balancing 20-29, 20-31, 20-33
maintenance partition (Catalyst software) 23-31
maintenance partition (Cisco IOS software) 23-35
mls ip ids command 20-18
sequence 20-1
SPAN 20-10
tasks 20-1
configuring VACLs
Catalyst software 20-15
Cisco IOS software 20-16
disabling
ECLB (Catalyst software) 20-36
ECLB (Cisco IOS software) 20-36
ECLB
disabling (Catalyst software) 20-36
disabling (Cisco IOS software) 20-36
requirements 20-28
verifying (Catalyst software) 20-37
verifying (Cisco IOS software) 20-38
enabling full memory tests
Catalyst software 20-40
Cisco IOS software 20-40
initializing 3-20
inline mode
Catalyst software 20-20
Cisco IOS software 20-21
described 20-8, 20-20
requirements (Catalyst software) 20-20, 20-23
inline VLAN pair mode 20-8
Catalyst software 20-23
Cisco IOS software 20-24
described 20-22
installing
system image (Catalyst software) 23-29
system image (Cisco IOS software) 23-30
logging in 2-8
mixing sensing modes 20-9
mls ip ids command
Catalyst software 20-18
Cisco IOS software 20-19
described 20-9
monitoring ports 20-9
password recovery 17-7, C-13
password recovery image file 17-7, C-14
promiscuous mode 20-8, 20-9
reimaging 23-28
resetting
Catalyst software 20-41
Cisco IOS software 20-42
described 20-41
restoring data port defaults 20-28
sensing ports 20-14
sessioning 2-8
set span command 20-11
setup command 3-20
supported configurations 20-4, C-62
supported supervisor engine commands 20-43
TCP reset port 20-9, 20-10, 20-14, C-68
time sources 4-30, C-17
unsupported supervisor engine commands 20-44
upgrading
maintenance partition (Catalyst software) 23-39
maintenance partition (Cisco IOS software) 23-39
VACLs
configuring 20-14
described 20-14
verifying
ECLB (Catalyst software) 20-37
ECLB (Cisco IOS software) 20-38
installation 20-3
IDS-Sensor interface
ip unnumbered (AIM IPS) 19-6, 19-8
preferred method (AIM IPS) 19-4
ignore command 9-10
illegal zone
configuring 9-20
configuring other protocols 9-26
configuring TCP 9-21
configuring UDP 9-24
described 9-20
protocols 9-20
illegal-zone command 9-20
IME time synchronization problems C-60
inactive mode (anomaly detection) 9-4
initialization
verifying AIM IPS 19-2
verifying AIP SSM 18-2
verifying NME IPS 21-2
verifying sensor 3-27
initializing
AIM IPS 3-13
AIP SSM 3-16
appliances 3-8
IDSM2 3-20
NME IPS 3-24
sensors 3-2, 3-4
user roles 3-2
verifying 3-27
inline interface pairs
configuration restrictions 6-10
configuring 6-19
deleting 6-21
described 6-18
inline-interfaces command 6-18
inline mode IDSM2 20-8
inline VLAN groups configuration 6-31
inline VLAN pair mode
described 6-22
IDSM2 20-8
supported sensors 6-22
UDLD protocol 6-28
inline VLAN pairs
configuration restrictions 6-11
configuring 6-24
deleting 6-27
inspection load
description 17-11
displaying 17-12
installer major version 22-5
installer minor version 22-5
installing
license key 4-51, 22-14
sensor license 22-12
system image
AIM IPS 23-23
AIP SSM 23-26
IDSM2 (Catalyst software) 23-29
IDSM2 (Cisco IOS software) 23-30
IPS 4240 23-15
IPS 4255 23-15
IPS 4260 23-18
IPS 4270-20 23-20
NME IPS 23-40
InterfaceApp
described A-3, A-20
interactions A-20
NIC drivers A-20
interface configuration sequence 6-12
interface GigabitEthernet command 19-21, 21-15
interface IDS-Sensor command 19-19, 21-13
interface-notifications command 6-38
interfaces
alternate TCP reset 6-2
command and control 6-2, 6-3
configuration restrictions 6-10
described 6-2
displaying live traffic 13-3
port numbers 6-2
sensing 6-2, 6-3
slot numbers 6-2
statistics display 6-39
support (table) 6-6
TCP reset 6-4
VLAN groups 6-2
internal zone
configuring 9-12
configuring other protocols 9-18
configuring TCP 9-13
configuring UDP 9-15
described 9-11
protocols 9-11
internal-zone command 9-12
introducing the CLI guide 1-1
ip-access-list command 20-16
IP fragmentation described B-37
IP fragment reassembly
described 8-28
parameters (table) 8-28
signatures (table) 8-28
ip-log-bytes command 12-2
ip-log command 8-39
iplog command 12-3
IP log contents
displaying 12-5
viewing 12-5
IP log files
copying 12-7
TCPDUMP 12-1
Wireshark 12-1
IP logging
automatic 12-2
configuring 12-1
copying files 12-7
described 8-39, 12-1
manual 12-4
ip-log-packets command 12-2
iplog-status command 12-5
ip-log-time command 12-2
IPS 4240
installing system image 23-15
password recovery 17-3, C-10
reimaging 23-15
IPS 4255
installing system image 23-15
password recovery 17-3, C-10
reimaging 23-15
IPS 4260
installing system image 23-18
reimaging 23-18
IPS 4270-20
hardware bypass 6-8
installing system image 23-20
reimaging 23-20
IPS applications
summary A-37
table A-37
XML format A-3
IPS data
types A-8
XML document A-9
IPS events
evAlert A-9
evError A-9
evLogTransaction A-9
evShunRqst A-9
evStatus A-9
list A-9
types A-9
IPS internal communications A-34
IPS modules and time synchronization 4-31, C-18
IPS software
application list A-3
available files 22-2
configuring device parameters A-5
directory structure A-36
Linux OS A-2
obtaining 22-2
platform-dependent release examples 22-7
retrieving data A-5
security features A-5
tuning signatures A-5
updating A-5
user interaction A-5
versioning scheme 22-3
IPS software file names
major updates (illustration) 22-4
minor updates (illustration) 22-4
patch releases (illustration) 22-4
service packs (illustration) 22-4
ip unnumbered command 19-6, 19-8
IPv6
described B-28
SPAN ports 6-17
switches 6-17
ipv6-target-value command 7-15
K
KBs
comparing 9-44
copying 9-42, 9-43
described 9-3
displaying 9-40
erasing 9-42, 9-43
histogram 9-36
initial baseline 9-3
manually loading 9-41
manually saving 9-41
renaming 9-42, 9-43
scanner threshold 9-36
threshold display 9-46
tree structure 9-36
keywords
default 1-11
no 1-11
Knowledge Base. See KB.
L
learning accept mode
anomaly detection 9-3
configuring 9-38
learning-accept-mode command 9-38
license files
BSD license E-3
expat license E-12
GNU Lesser license E-33
GNU license E-28
license key
installation 4-51, 22-14
trial 4-49, 22-11
uninstalling 4-52, 22-16
licensing
described 4-49, 22-10
IPS device serial number 4-49, 22-10
Licensing pane
configuring 22-12
described 4-49, 22-10
limitations for concurrent CLI sessions 1-4
list anomaly-detection-configurations command 9-8, 17-27
list event-action-rules-configurations command 7-8, 17-27
list of blocked hosts 14-34
list signature-definition-configurations command 8-1, 17-27
load balancing options 20-29
loading KBs 9-41
log-all-block-events-and-errors command 14-16
Logger
described A-3, A-19
functions A-19
syslog messages A-20
logging in
AIM IPS 2-6, 19-15
AIP SSM 2-7
appliances 2-3
IDSM2 2-8
NME IPS 2-10, 21-9
sensors
SSH 2-11
Telnet 2-11
service role 2-2
terminal servers 2-3, 23-14
user role 2-2
login banners 4-8
login-banner-text
command 4-8
configuring 4-8
LOKI
described B-66
protocol B-65
loose connections on sensors C-25
M
MainApp
components A-6
described A-3, A-6
host statistics A-6
responsibilities A-6
show version command A-6
maintenance partition
configuring
IDSM2 (Catalyst software) 23-31
IDSM2 (Cisco IOS software) 23-35
described A-4
major updates described 22-3
managing
firewalls 14-28
routers 14-24
switches 14-27
manifests
client A-31
server A-31
manual
blocking 14-32, 14-34
block to bogus host C-44
manually
loading KBs 9-41
saving KBs 9-41
master blocking sensor
described 14-29
not set up properly C-46
Master engine
alert frequency B-6
alert frequency parameters (table) B-6
described B-3
event actions B-7
general parameters (table) B-4
universal parameters B-4
master engine parameters
obsoletes B-6
promiscuous delta B-5
vulnerable OSes B-6
max-block-entries command 14-11
max-denied-attackers command 7-35
maximum open IP logs 5-10
max-interfaces command 14-17
merging configuration files 16-23, C-3
Meta engine
component signatures B-33
described 8-47, B-33
parameters (table) B-34
Signature Event Action Processor 8-47, B-33
Meta Event Generator described 7-34
MIBs supported 15-6, C-20
minor updates described 22-3
mls ip ids command 20-18, 20-19
modes
AIP SSM 18-8
anomaly detection
detect 9-4
inactive 9-4
learning accept 9-3
bypass 6-36
inline interface pair 6-18
inline VLAN pair 6-22
promiscuous 6-16
VLAN Groups 6-29
modifying terminal properties 17-20
modify packets inline modes 5-3
monitoring and viewer privileges 1-4
more command
described 16-19
filtering 16-16
more current-config command 16-1
Multi String engine
described B-35
parameters (table) B-35
Regex B-35
N
NAT
advantages 19-5, 21-5
AIM IPS 19-5
NME IPS 21-5
Neighborhood Discovery
options B-29
types B-29
network block configuration 14-33
network participation
data gathered 10-3
data use (table) 10-2
described 10-3
health metrics 10-7
modes 10-4
options 10-11
requirements 10-4
statistics 10-4
never-block-hosts command 14-19
never-block-networks command 14-19
NME IPS
configuration sequence 21-1
configuring interfaces 21-6, 21-7
displaying status 21-10
initializing 3-24
installing system image 23-40
interface sequence 21-5
logging in 2-10, 21-9
NAT 21-5
RBCP 21-12
rebooting 21-12
reimaging 23-40
resetting 21-12
resetting heartbeat 21-11
session command 2-10, 21-9
sessioning 2-9, 2-10, 21-8, 21-9
setup command 3-24
shutting down 21-12
verifying installation 21-2
no iplog command 12-6
no ipv6-target-value command 7-15
Normalizer engine
described B-37
IP fragment reassembly B-37
parameters (table) B-38
TCP stream reassembly B-37
no service anomaly-detection command 9-8
no service event-action-rules command 7-8
no service signature-definition command 8-2
no target-value command 7-15
NotificationApp
alert information A-9
described A-3
functions A-9
SNMP gets A-9
SNMP traps A-9
statistics A-11
system health information A-10
no variables command 7-11
NTP
authenticated 4-30, 4-39, C-17
configuring servers 4-38
described 4-30, C-17
incorrect configuration C-18
sensor time source 4-38, 4-39
time synchronization 4-30, C-17
unauthenticated 4-30, 4-39, C-17
O
obsoletes field described B-6
obtaining
command history 17-43
IPS software 22-2
list of blocked hosts and connections 14-34
used commands list 17-43
one-way TCP reset described 7-34
operator role privileges 1-4
os-identifications command 7-28
OS IDs
clearing 7-32
displaying 7-32
OS maps
creating 7-29
deleting 7-31
other actions (list) 7-6
other command 9-18, 9-26, 9-34
output
clearing current line 1-6
displaying 1-6
overrides command 7-17
P
P2P networks described B-50
packet capture command 13-4
packet display command 13-2
packet files
viewing
TCPDUMP 13-7
Wireshark 13-7
partitions
application A-4
maintenance A-4
recovery A-4
passive OS fingerprinting
components 7-26
configuring 7-27
described 7-26
password command 4-14, 4-24
password policy
caution 4-26
configuring 4-26
password recovery
AIP SSM 17-5, C-11
appliances 17-3, C-9
CLI 17-9, C-15
described 17-2, C-8
disabling 17-9, C-15
GRUB menu 17-3, C-9
IDSM2 17-7, C-13
IPS 4240 17-3, C-10
IPS 4255 17-3, C-10
platforms 17-2, C-8
ROMMON 17-3, C-10
troubleshooting 17-10, C-16
verifying 17-9, C-16
passwords
changing 4-24
configuring 4-24
patch releases described 22-4
peacetime learning (anomaly detection) 9-3
Peer-to-Peer. See P2P.
PEP information
PID 17-43
SN 17-43
VID 17-43
physical connectivity issues C-33
physical-interfaces command 6-12, 6-23, 6-30
physical interfaces configuration restrictions 6-10
ping command 17-41
platforms concurrent CLI sessions 1-4
policy list display 17-27
Post-Block ACLs 14-22, 14-23
Pre-Block ACLs 14-22, 14-23
prerequisites for blocking 14-5
privilege
changing 4-25
command 4-14, 4-24
configuring 4-25
privilege levels
administrator 1-4
operator 1-4
service 1-4
viewer 1-4
promiscuous delta
calculating risk rating 7-14
described 7-14, 8-6
promiscuous delta described B-5
promiscuous mode
configuring 6-14
configuring (IDSM2) 6-17
described 6-16
ECLB 20-28
IDSM2 20-8
packet flow 6-16
SPAN ports 6-17
VACL capture 6-17
prompts and default input 1-5
protocols
ARP B-13
CIDEE A-36
DCE B-48
DDoS B-66
H.323 B-43
H225.0 B-43
HTTP 4-11
ICMPv6 B-14
IDAPI A-34
IDCONF A-35
IDIOM A-34
IPv6 B-28
LOKI B-65
MSSQL B-49
Neighborhood Discovery B-28
Q.931 B-44
RPC B-48
SDEE A-35
UDLD 6-28
Q
Q.931 protocol
described B-44
SETUP messages B-44
quarantined IP address events described 11-2
R
RADIUS
attempt limit C-23
multiple cisco av-pairs 4-17, 4-19
RADIUS authentication
configuring 4-18
described 4-16
service account 4-23
shared secret 4-20
rate limiting
ACLs 14-5
described 14-4
routers 14-4
service policies 14-5
supported signatures 14-4
RBCP
AIM IPS 19-18
NME IPS 21-12
rebooting
AIM IPS 19-18
NME IPS 21-12
recall
help and tab completion 1-6
using 1-6
recover command 23-12
recovering
AIP SSM C-70
application partition image 23-12
recovery partition
described A-4
upgrading 23-6
Regular Expression. See Regex.
regular expression syntax
described 1-8
signatures B-9
table 1-9
reimaging
AIP SSM 23-26
appliances 23-12
described 23-2
IDSM2 23-28
IPS 4240 23-15
IPS 4255 23-15
IPS 4260 23-18
IPS 4270-20 23-20
NME IPS 23-40
sensors 22-8, 23-2
removing
last applied
service pack 23-11
signature update 23-11
users 4-14
rename ad-knowledge-base command 9-42
renaming KBs 9-42, 9-43
reputation
described 10-2
illustration 10-3
servers 10-3
reset
command 17-42
not occurring for a signature C-53
resetting
AIM IPS 19-18
AIP SSM C-69
appliances 17-42
IDSM2 20-41
NME IPS 21-12
passwords
ASDM 17-7, C-13
hw-module command 17-5, C-11
resetting heartbeat
NME IPS 21-11
resetting the password
AIP SSM 17-5, C-12
restoring
data port defaults 20-28
restoring the current configuration 16-22, C-5
retiring signatures 8-12
risk rating
Alarm Channel 10-5
calculating 7-13
component signatures B-33
described 7-26
reputation score 10-4
ROMMON
described 23-14
IPS 4240 23-15
IPS 4255 23-15
IPS 4260 23-18
IPS 4270-20 23-18, 23-20
password recovery 17-3, C-10
remote sensors 23-14
serial console port 23-14
TFTP 23-14
round-trip time. See RTT.
RPC portmapper B-51
RSA authentication and authorized keys 4-43
RTT
described 23-14
TFTP limitation 23-14
S
saving KBs 9-41
scheduling automatic upgrades 23-9
SDEE
described A-35
HTTP A-35
protocol A-35
server requests A-36
searching the submode configuration 16-18
security
account locking 4-28
information on Cisco Security Intelligence Operations 22-10
policies described 7-1, 8-1, 9-2
SSH 4-41
sensing interfaces
described 6-3
interface cards 6-4
modes 6-3
SensorApp
Alarm Channel A-26
Analysis Engine A-26
described A-3
event action filtering A-27
inline packet processing A-26
IP normalization A-26
packet flow A-27
processors A-25
responsibilities A-25
risk rating A-27
Signature Event Action Processor A-25, A-28
TCP normalization A-27
SensorBase Network
described 10-1, A-4
known threats 10-2, A-4
sensors
access problems C-26
asymmetric traffic and disabling anomaly detection 9-48, C-21
clearing databases 17-11
configuration sequence 1-2
configuring to use NTP 4-39
corrupted SensorApp configuration C-37
disaster recovery C-7
downgrading 23-11
incorrect NTP configuration C-18
initializing 3-2, 3-4
interface support 6-6
IP address conflicts C-29
license 22-12
logging in
SSH 2-11
Telnet 2-11
loose connections C-25
managing
firewalls 14-28
routers 14-24
switches 14-27
misconfigured access lists C-29
no alerts C-34, C-60
not seeing packets C-36
NTP time source 4-39
NTP time synchronization 4-30, C-17
partitions A-4
physical connectivity C-33
preventive maintenance C-3
recovering the system image 22-8
reimaging 22-8, 23-2
sensing process C-31
sensing process not running C-31
SensorApp not running C-31
setup command 3-2, 3-4, 3-8
system images 22-8
time sources 4-30, C-17
troubleshooting software upgrades C-57
upgrading 23-5
using NTP time source 4-38
sequence
AIM IPS interfaces 19-4
NME IPS interfaces 21-5
serial number and the show inventory command 19-2, 21-2
server manifest described A-31
service account
creating 4-22, C-6
described 4-22, A-33, C-6
RADIUS authentication 4-23
TAC A-33
troubleshooting A-33
service anomaly-detection command 9-8
Service DNS engine
described B-40
parameters (table) B-40
Service engine
described B-40
Layer 5 traffic B-40
service event-action-rules command 7-8
Service FTP engine
described B-41
parameters (table) B-42
PASV port spoof B-41
Service Generic engine
described B-42
parameters (table) B-43
Service H225 engine
ASN.1PER validation B-44
described B-43
features B-44
parameters (table) B-45
TPKT validation B-44
Service HTTP engine
described 8-44, B-46
parameters (table) B-46
signature 8-46
Service IDENT engine
described B-48
parameters (table) B-48
service-module IDS-Sensor command 19-22, 21-16
service-module ids-sensor slot/port command 19-18, 21-12
service-module ids-sensor slot/port heartbeat reset command 19-17, 21-11
service-module ids-sensor slot/port session command 2-4, 2-9, 19-14, 21-8
service-module ids-sensor slot/port status command 19-16, 21-10
Service MSRPC engine
DCE/RPC protocol B-48
described B-48
parameters (table) B-49
Service MSSQL engine
described B-49
MSSQL protocol B-49
parameters (table) B-50
Service NTP engine
described B-50
parameters (table) B-50
Service P2P engine described B-50
service packs described 22-4
Service role
bypass CLI 2-2
described 1-5
privileges 1-4
troubleshooting use A-32
Service RPC engine
described B-51
parameters (table) B-51
RPC portmapper B-51
service signature-definition command 8-1
Service SMB Advanced engine
described B-52
parameters (table) B-52
Service SNMP engine
described B-54
parameters (table) B-54
Service SSH engine
described B-55
parameters (table) B-55
Service TNS engine
described B-55
parameters (table) B-56
session command
AIM IPS 2-5, 19-15
AIP SSM 2-7
IDSM2 2-8
NME IPS 2-10, 21-9
sessioning
AIM IPS 2-6, 19-15
AIP SSM 2-7
IDSM2 2-8
NME IPS 2-10, 21-9
set security acl command 20-14
setting the system clock 4-33, 17-25
setting up terminal servers 2-3, 23-14
setup
automatic 3-2
simplified mode 3-2
setup command 3-2, 3-4, 3-8, 3-13, 3-16, 3-20, 3-24
shared secret
described 4-20
RADIUS authentication 4-20
show ad-knowledge-base diff command 9-44, 9-45
show ad-knowledge-base files command 9-40, 9-41
show clock command 4-32, 17-24
show configuration command 16-1
show context command 18-6
show events command 7-39, 17-20, C-93, C-94
show health command 10-9, 17-17, C-74
show history command 17-42
showing user information 4-26
show inspection-load command 17-11
show interfaces command 6-39, C-92
show inventory command 17-43, 19-2, 21-2
show ips command 18-6
show module command 18-2
show os-identification command 7-32
show settings command 16-3, 16-18, 17-9, 17-45, C-16
show statistics anomaly-detection command 9-47
show statistics command 14-34, 17-28, C-81, C-82
show statistics denied-attackers command 7-37, 17-25
show statistics virtual-sensor command 17-28, C-25, C-82
show tech-support command 17-38, C-75
show users command 4-25
show version command 17-39, C-78, C-79
shutting down
AIM IPS 19-18
NME IPS 21-12
sig-fidelity-rating command 8-11, 8-13
signature/virus update files described 22-4
signature definition list display 17-27
signature definition policies
copying 8-2
creating 8-2
deleting 8-2
editing 8-2
signature engines
AIC 8-17, B-11
Atomic B-13
Atomic ARP B-13
Atomic IP B-24
Atomic IP Advanced B-14
Atomic IPv6 B-28
described B-1
event actions B-7
Fixed B-29
Flood B-32
Flood Host B-32
Flood Net B-32
list B-2
Master B-4
Meta 8-47, B-33
Multi String B-35
Normalizer B-37
Regex
patterns B-10
syntax B-9
Service B-40
Service DNS B-40
Service FTP B-41
Service Generic B-42
Service H225 B-43
Service HTTP 8-44, B-46
Service IDENT B-48
Service MSRPC B-48
Service MSSQL B-49
Service NTP engine B-50
Service P2P B-50
Service RPC B-51
Service SMB Advanced B-52
Service SNMP B-54
Service SSH engine B-55
Service TNS B-55
State B-57
String 8-41, B-59
Sweep Other TCP B-63
Traffic Anomaly 9-6, B-63
Traffic ICMP B-65
Trojan B-66
signature engine update files described 22-5
Signature Event Action Filter
described 7-2, A-28
parameters 7-3, A-28
Signature Event Action Handler described 7-3, A-29
Signature Event Action Override described 7-2, A-28
Signature Event Action Processor
Alarm Channel 7-2, A-28
components 7-2, A-28
described 7-2, A-25, A-28
signature fidelity rating
calculating risk rating 7-13
configuring 8-11
described 7-13
signatures
custom 8-4
default 8-3
described 8-3
false positives 8-3
general parameters 8-6
rate limits 14-4
Service HTTP 8-46
string TCP 8-42
subsignatures 8-3
TCP reset C-53
tuned 8-3
signature variables
adding 8-4
deleting 8-4
described 8-4
editing 8-4
SNMP
configuring
agent parameters 15-2
traps 15-4
described 15-1
general parameters 15-2
Get 15-1
GetNext 15-1
Set 15-1
supported MIBs 15-6, C-20
Trap 15-1
traps described 15-1
snmp-agent-port command 15-2
snmp-agent-protocol command 15-2
software architecture
ARC (illustration) A-13
IDAPI (illustration) A-34
software bypass
supported configurations 6-9
with hardware bypass 6-9
software downloads Cisco.com 22-2
software file names
recovery (illustration) 22-6
signature/virus updates (illustration) 22-5
signature engine updates (illustration) 22-5
system image (illustration) 22-6
software release examples
platform-dependent 22-7
platform identifiers 22-7
platform-independent 22-6
software updates
supported FTP servers 23-3
supported HTTP/HTTPS servers 23-3
SPAN
configuring 20-10
options 20-12
port issues C-33
specifying worm timeout 9-10
SSH
adding hosts 4-42
known hosts list 4-41
security 4-41
understanding 4-41
ssh authorized-key command 4-43
ssh generate-key command 4-44
ssh host-key command 4-41, 4-42
SSH Server
host key generation 4-44
private keys A-23
public keys A-23
standards
CIDEE A-36
IDCONF A-35
SDEE A-35
State engine
Cisco Login B-57
described B-57
LPR Format String B-57
parameters (table) B-57
SMTP B-57
status command 8-12
stopping IP logging 12-6
stream-reassembly command 8-38
String engine described 8-41, B-59
String ICMP engine parameters (table) B-59
String TCP engine
example signature 8-41
options 8-41
parameters (table) B-59
String UDP engine parameters (table) B-60
subinterface 0 described 6-29
subinterface-type command 6-24, 6-31
submode configuration
filtering output 16-18
searching output 16-18
subsignatures described 8-3
summarization
described 7-33
fire-all 7-33
fire-once 7-34
global-summarization 7-34
Meta engine 7-33
summary 7-34
Summarizer described 7-34
summertime
configuring
non-recurring 4-35
recurring 4-33
summertime-option non-recurring command 4-35
summertime-option recurring command 4-33
supervisor engine commands
supported 20-43
unsupported 20-44
supported
FTP servers 23-3
HTTP/HTTPS servers 23-3
IDSM2 configurations 20-4, C-62
supporting IPS interfaces for CSA MC 11-4
Sweep engine
described B-61
parameters (table) B-62, B-63
Sweep Other TCP engine described B-63
switch commands for troubleshooting C-63
syntax and case sensitivity 1-6
system architecture
directory structure A-36
supported platforms A-1
system clock
displaying 4-32, 17-24
setting 4-33, 17-25
System Configuration Dialog
described 3-2
example 3-3
system design (illustration) A-2
system image
installing
IDSM2 (Cisco IOS software) 23-30
system images sensors 22-8
T
tab completion use 1-6
TAC
PEP information 17-43
service account 4-22, A-33, C-6
show tech-support command 17-38, C-75
target-value command 7-15
IPv4 7-15
IPv6 7-15
target value rating
calculating risk rating 7-13
described 7-13, 7-15
tasks
configuring IDSM2 20-1
configuring the sensor 1-2
tcp command 9-13, 9-21, 9-29
TCPDUMP
copy packet-file command 13-6
expression syntax 13-2
IP logs 12-1
packet capture command 13-5
packet display command 13-2
TCP fragmentation described B-37
TCP reset
not occurring C-53
TCP reset interfaces
conditions 6-5
described 6-4
list 6-5
TCP resets
IDSM2 port 20-10, C-68
TCP stream reassembly
described 8-32
parameters (table) 8-32, 8-37
signatures (table) 8-32, 8-37
Telnet
disabling 4-4
enabling 4-4
telnet-option
command 4-4
configuring 4-4
terminal
command 17-20
modifying length 17-20
server setup 2-3, 23-14
terminating CLI sessions 17-19
testing fail-over 6-9
TFN2K
described B-65
Trojans B-66
TFTP RTT 23-14
TFTP servers
recommended
UNIX 23-14
Windows 23-14
threat rating
described 7-14
risk rating 7-14
time
correction on the sensor 4-31, C-19
sensors 4-30, C-17
synchronization on IPS modules 4-31, C-18
time sources
AIP SSM 4-31, C-17
appliances 4-30, C-17
ASA modules 4-31, C-17
IDSM2 4-30, C-17
time-zone-settings
command 4-37
configuring 4-37
TLS
certificate generation 4-48
handshaking 4-46
IDM 4-45
tls generate-key command 4-48
tls trusted-host command 4-46
trace
command 17-44
IP packet route 17-44
Traffic Anomaly engine
described 9-6, B-63
protocols 9-6, B-63
signatures 9-6, B-63
traffic flow notifications
configuring 6-38
described 6-38
Traffic ICMP engine
DDoS B-65
described B-65
LOKI B-65
parameters (table) B-66
TFN2K B-65
trap-community-name command 15-4
trap-destinations command 15-4
trial license key 4-49, 22-11
Tribe Flood Network. See TFN.
Tribe Flood Network 2000. See TFN2K.
Trojan engine
BO2K B-66
described B-66
TFN2K B-66
Trojans
BO B-66
BO2K B-66
LOKI B-66
TFN2K B-66
troubleshooting
AIP SSM
debugging C-70
recovering C-70
reset C-69
Analysis Engine busy C-58
applying software updates C-55
ARC
blocking not occurring for signature C-45
device access issues C-42
enabling SSH C-44
inactive state C-40
misconfigured master blocking sensor C-46
verifying device interfaces C-43
ASA 5500 AIP SSM
failover scenarios C-71
automatic updates C-55
cannot access sensor C-26
cidDump C-97
cidLog messages to syslog C-52
communication C-26
corrupted SensorApp configuration C-37
debug logger zone names (table) C-51
debug logging C-47
disaster recovery C-7
duplicate sensor IP addresses C-29
enabling debug logging C-47
external product interfaces 11-8, C-24
gathering information C-74
global correlation 10-15, C-20
IDM
cannot access sensor C-59
will not load C-58
IDSM2
command and control port C-66
diagnosing problems C-61, C-62
not online C-65, C-66
serial cable C-68
status indicator C-63
switch commands C-63
IME time synchronization C-60
IPS modules time drift 4-31, C-18
manual block to bogus host C-44
misconfigured access list C-29
no alerts C-34, C-60
NTP C-53
password recovery 17-10, C-16
physical connectivity issues C-33
preventive maintenance C-3
RADIUS
attempt limit C-23
reset not occurring for a signature C-53
sensing process not running C-31
sensor events C-93
sensor loose connections C-25
sensor not seeing packets C-36
sensor software upgrade C-57
service account 4-22, C-6
show events command C-93
show interfaces command C-91, C-92
show statistics command C-81
show tech-support command C-75, C-77
show version command C-78
software upgrades C-54
SPAN port issue C-33
upgrading C-55
verifying Analysis Engine is running C-22
verifying ARC status C-39
trusted hosts add 4-47
tuned signatures described 8-3
U
UDLD described 6-28
udp command 9-15, 9-24, 9-32
unassigned VLAN groups described 6-29
unauthenticated NTP 4-30, 4-39, C-17
UniDirectional Link Detection. See UDLD.
uninstalling
license key 4-52, 22-16
unlocking accounts 4-29
unlock user username command 4-29
unsupported supervisor engine commands 20-44
Updater Client described A-30
upgrade command 23-3, 23-6
upgrading
IPS software 22-8
latest version C-55
maintenance partition
IDSM2 (Catalyst software) 23-39
IDSM2 (Cisco IOS software) 23-39
minimum required version 22-8
recovery partition 23-6, 23-12
sensors 23-5
URLs for Cisco Security Intelligence Operations 22-10
username command 4-14
user-profiles
command 14-20
described 14-20
user roles
administrator 1-4
operator 1-4
service 1-4
viewer 1-4
user roles authentication 4-16
users
adding 4-14
removing 4-14
using
debug logging C-47
TCP reset interfaces 6-5
V
VACLs
described 14-2
IDSM2 20-14
Post-Block 14-26
Pre-Block 14-26
validation error messages described D-5
variables command 7-11, 8-4
IPv4 7-11
IPv6 7-11
verifying
AIM IPS installation 19-2
ECLB (Catalyst software) 20-37
ECLB (Cisco IOS software) 20-38
IDSM2 installation 20-3
NME IPS installation 21-2
password recovery 17-9, C-16
sensor initialization 3-27
sensor setup 3-27
viewer role privileges 1-4
viewing
IP log contents 12-5
user information 4-26
virtual-sensor name command 5-4, 18-4
virtual sensors
adding 5-5, 5-7, 18-4
assigning interfaces 5-4
assigning policies 5-4
creating 5-5, 5-7, 18-4
default virtual sensor 5-2
described 5-2
displaying KB files 9-40
options 5-4, 18-4
stream segregation 5-3
VLAN groups
802.1q encapsulation 6-29
configuration restrictions 6-11
deleting 6-35
deploying 6-30
described 6-29
switches 6-30
vulnerable OSes configuring 8-14
vulnerable OSes field
described B-6
W
watch list rating
calculating risk rating 7-14
described 7-14
Web Server
changing settings 4-12
configuring settings 4-11
default port 4-11
described A-3, A-24
HTTP 1.0 and 1.1 support A-24
HTTP protocol 4-11
private keys A-23
public keys A-23
Wireshark
copy packet-file command 13-6
IP logs 12-1
worms
Blaster 9-3
Code Red 9-2, 9-3
histograms 9-37
Nimda 9-2
protocols 9-3
Sasser 9-3
scanners 9-3
Slammer 9-3
SQL Slammer 9-2
worm-timeout
command 9-10
specifying 9-10
Z
zones
external 9-4
illegal 9-4
internal 9-4