Index
Numerics
4GE bypass interface card
configuration restrictions 5-11
described 5-10
802.1q encapsulation for VLAN groups 5-15
A
AAA RADIUS
functionality 4-20
limitations 4-20
accessing IPS software 20-2
access lists
misconfiguration C-27
necessary hosts 3-4
account locking
configuring 4-26
security 4-26
account unlocking
configuring 4-25
RADIUS 4-25
ACLs
adding 3-4
described 13-3
Post-Block 13-17, 13-18
Pre-Block 13-17, 13-18
Active Host Blocks pane
field descriptions 17-6
user roles 17-6
ad0 pane
default 10-10
described 10-10
tabs 10-10
Add ACL Entry dialog box field descriptions 3-4
Add Active Host Block dialog box field descriptions 17-7
Add Allowed Host dialog box
field descriptions 4-6
user roles 4-5
Add Authorized Key dialog box
field descriptions 12-3
user roles 12-2
Add Blocking Device dialog box
field descriptions 13-15
user roles 13-14
Add Cat 6K Blocking Device Interface dialog box
field descriptions 13-23
user roles 13-21
Add Configured OS Map dialog box
field descriptions 6-25, 9-27
user roles 6-24, 9-24
Add Destination Port dialog box field descriptions 10-16
Add Device Login Profile dialog box
field descriptions 13-13
user roles 13-12
Add Event Action Filter dialog box
field descriptions 6-14, 9-16
user roles 6-13, 9-15
Add Event Action Override dialog box
field descriptions 6-11, 9-14
user roles 6-11, 9-13
Add Event Variable dialog box
field descriptions 6-29, 9-30
user roles 6-27, 9-29
Add External Product Interface dialog box
field descriptions 15-6
user roles 15-5
Add Histogram dialog box field descriptions 10-17
adding
ACLs 3-4
a host never to be blocked 13-11
anomaly detection policies 10-9
CSA MC interfaces 15-7
dashboards 2-1
denied attackers 17-5
event action filters 6-16, 9-18
event action overrides 9-14
event action rules policies 9-12
event variables 6-29, 9-31
external product interfaces 15-7
gadgets 2-1
host blocks 17-7
IPv4 target value rating 6-19, 9-21
IPv6 target value rating 6-22, 9-23
network blocks 17-9
OS maps 6-26, 9-27
risk categories 6-32, 9-33
signature definition policies 7-2
signatures 7-13
signature variables 7-27
virtual sensors 3-13, 6-11
Add Inline VLAN Pair dialog box field descriptions 3-11, 5-22
Add Interface Pair dialog box field descriptions 5-20
Add IP Logging dialog box field descriptions 17-14
Add IPv4 Target Value Rating dialog box
field descriptions 6-19, 9-21
user roles 6-18, 9-20
Add IPv6 Target Value Rating dialog box
field descriptions 6-21, 9-22
user roles 6-20, 9-22
Add Known Host Key dialog box
field descriptions 12-5
user roles 12-5
Add Master Blocking Sensor dialog box
field descriptions 13-26
user roles 13-24
Add Network Block dialog box field descriptions 17-9
Add Never Block Address dialog box
field descriptions 13-11
user roles 13-7
Add Policy dialog box field descriptions 7-2, 9-12, 10-9
Add Posture ACL dialog box field descriptions 15-7
Add Protocol Number dialog box field descriptions 10-18, 10-24
Add Rate Limit dialog box
field descriptions 17-11
user role 17-10
Address Resolution Protocol. See ARP.
Add Risk Level dialog box field descriptions 6-32, 9-33
Add Router Blocking Device Interface dialog box
field descriptions 13-20
user roles 13-17
Add Signature dialog box field descriptions 7-7
Add Signature Variable dialog box
field descriptions 7-27
user roles 7-27
Add SNMP Trap Destination dialog box field descriptions 14-4
Add Trusted Host dialog box
field descriptions 12-9
user roles 12-9
Add User dialog box
field descriptions 4-22
user roles 4-17
Add Virtual Sensor dialog box
described 3-12, 6-9
field descriptions 3-13, 6-9
Add VLAN Group dialog box field descriptions 5-25
Advanced Alert Behavior Wizard
Alert Dynamic Response Fire All window field descriptions 8-25
Alert Dynamic Response Fire Once window field descriptions 8-25
Alert Dynamic Response Summary window field descriptions 8-26
Alert Summarization window field descriptions 8-25
Event Count and Interval window field descriptions 8-24
Global Summarization window field descriptions 8-26
AIC
policy 7-38
signatures (example) 7-39
AIC engine
AIC FTP B-11
AIC FTP engine parameters (table) B-12
AIC HTTP B-11
AIC HTTP engine parameters (table) B-12
described B-11
features B-11
signature categories 7-31
AIC policy enforcement
default configuration 7-32, B-11
described 7-31, B-11
sensor oversubscription 7-32, B-11
AIM IPS
initializing 18-13
installing system image 21-21
logging in 19-5
session command 19-5
sessioning 19-4, 19-5
setup command 18-13
AIP SSM
bypass mode 5-28
initializing 18-16
installing system image 21-25
logging in 19-6
Normalizer engine B-39, C-70
password recovery 16-6, C-10
recovering C-68
reimaging 21-24
resetting C-67
resetting the password 16-7, C-11
session command 19-6
setup command 18-16
time sources 4-8, C-16
Alarm Channel described 9-6, A-28
alert and log actions (list) 9-8
alert behavior
normal 8-24
Signature Wizard 8-24
alert frequency
aggregation 7-19
configuring 7-19
controlling 7-19
modes B-6
Allowed Hosts/Networks pane
configuring 4-6
described 4-5
field descriptions 4-6
alternate TCP reset interface 5-9
Analysis Engine
described 6-2
error messages C-24
IDM exits C-57
verify it is running C-21
virtual sensors 6-2
anomaly detection
asymmetric traffic 10-2, 10-34
caution 10-2, 10-34
configuration sequence 10-5
default configuration (example) 10-4
described 10-2
detect mode 10-4
disabling C-20
event actions 10-6, B-67
inactive mode 10-4
learning accept mode 10-3
learning process 10-3
limiting false positives 10-13, 17-16
operation settings 10-11
protocols 10-3
signatures 10-6
signatures (table) 10-6, B-68
turning off 10-34
worms
attacks 10-12
described 10-3
zones 10-4
Anomaly Detection pane
button functions 17-17
described 17-15
field descriptions 17-17
user roles 17-15
anomaly detection policies
ad0 10-8
adding 10-9
cloning 10-9
default policy 10-8
deleting 10-9
Anomaly Detections pane
described 10-8
field descriptions 10-9
user roles 10-8
appliances
application partition image 21-11
GRUB menu 16-4, C-8
initializing 18-8
logging in 19-2
password recovery 16-4, C-8
terminal servers
described 19-3, 21-13
setting up 19-3, 21-13
time sources 4-7, C-16
UDLD protocol 5-23
upgrading recovery partition 21-5
Application Inspection and Control. See AIC.
application partition
described A-3
image recovery 21-11
application policy enforcement
described 7-31, B-11
disabled (default) 7-32, B-11
applying software updates C-54
ARC
ACLs 13-18, A-14
authentication A-14
blocking
application 13-2
connection-based A-17
not occurring for signature C-43
unconditional blocking A-17
block response A-13
Catalyst 6000 series switch
VACL commands A-19
VACLs A-18
Catalyst switches
VACLs A-16
VLANs A-16
checking status 13-3, 13-4
described A-3
design 13-2
device access issues C-41
enabling SSH C-43
features A-13
firewalls
AAA A-18
connection blocking A-17
NAT A-18
network blocking A-17
postblock ACL A-16
preblock ACL A-16
shun command A-17
TACACS+ A-18
formerly Network Access Controller 13-1
functions 13-2
illustration A-12
inactive state C-39
interfaces A-14
maintaining states A-16
managed devices 13-8
master blocking sensors A-14
maximum blocks 13-2
misconfigured master blocking sensor C-44
nac.shun.txt file A-16
NAT addressing A-15
number of blocks A-15
postblock ACL A-16
preblock ACL A-16
prerequisites 13-5
rate limiting 13-4
responsibilities A-12
single point of control A-15
SSH A-13
supported devices 13-6, A-15
Telnet A-13
troubleshooting C-37
VACLs A-14
verifying device interfaces C-42
verifying status C-38
ARP
Layer 2 signatures B-13
protocol B-13
ARP spoof tools
dsniff B-13
ettercap B-13
ASA IPS modules
Deny Connection Inline 9-11, C-71
Deny Packet Inline 9-11, C-71
Reset TCP Connection 9-11, C-71
TCP reset packets 9-11, C-71
ASA modules time sources C-17
ASDM resetting passwords 16-8, C-12
assigning actions to signatures 7-17
asymmetric traffic
anomaly detection 10-2, 10-34
caution 10-2, 10-34
disabling anomaly detection C-19
Atomic ARP engine
described B-13
parameters (table) B-13
Atomic IP Advanced engine
described B-14
restrictions B-15
Atomic IP engine
described 8-13, B-24
parameters (table) B-25
Atomic IPv6 engine
described B-28
Neighborhood Discovery protocol B-28, B-29
signatures B-28
signatures (table) B-29
attack relevance rating
calculating risk rating 6-5, 9-3
described 6-5, 6-23, 9-3, 9-25
Attack Response Controller
described A-3
formerly known as Network Access Controller A-3
Attack Response Controller. See ARC.
attack severity rating
calculating risk rating 6-5, 9-3
described 6-5, 9-3
attemptLimit command 4-26
Audit mode
described 11-9
Test Global Correlation 11-9
authenticated NTP 4-7, 4-14, C-16
authentication
local 4-17
RADIUS 4-17
AuthenticationApp
authenticating users A-21
described A-3
login attempt limit A-20
method A-20
responsibilities A-20
secure communications A-23
sensor configuration
local A-20
RADIUS A-21
Authentication pane
configuring 4-23
described 4-17
field descriptions 4-20
user roles 4-18, A-31
Authorized Keys pane
configuring 12-3
described 12-2
field descriptions 12-2
RSA authentication 12-2
RSA key generation tool 12-3
Auto/Cisco.com Update pane
configuring 16-21
described 16-18
field descriptions 16-20
UNIX-style directory listings 16-19
user roles 16-18
automatic setup 18-2
automatic updates
Cisco.com 16-18
information required 21-6
servers
FTP 16-18
SCP 16-18
troubleshooting C-54
autonegotiation for hardware bypass 5-11
auto-upgrade-option command 21-6
B
backing up
configuration C-2
current configuration C-4
BackOrifice. See BO.
BackOrifice 2000. See BO2K.
basic setup 18-4
blocking
described 13-2
disabling 13-8
master blocking sensor 13-25
necessary information 13-3
not occurring for signature C-43
prerequisites 13-5
supported devices 13-6
types 13-2
Blocking Devices pane
configuring 13-15
described 13-14
field descriptions 13-15
ssh host-key command 13-15
Blocking Properties pane
adding a host never to be blocked 13-11
configuring 13-10
described 13-7
field descriptions 13-8
BO
described B-70
Trojans B-70
BO2K
described B-70
Trojans B-70
Bug Toolkit
described C-1
URL C-1
bypass mode
AIP SSM 5-28
described 5-27
Bypass pane
field descriptions 5-27
user roles 5-27
C
calculating risk rating
attack relevance rating 6-5, 9-3
attack severity rating 6-5, 9-3
promiscuous delta 6-5, 9-3
signature fidelity rating 6-5, 9-3
target value rating 6-5, 9-3
watch list rating 6-6, 9-4
cannot access sensor C-25
Cat 6K Blocking Device Interfaces pane
configuring 13-23
described 13-22
field descriptions 13-23
CDP described 5-30
CDP Mode pane
configuring 5-31
field descriptions 5-30
user roles 5-30
certificates
displaying 12-11
Firefox 1-7
generating 12-11
IDM 1-7, 12-8
Internet Explorer 1-8
changing Microsoft IIS to UNIX-style directory listings 16-19
cidDump obtaining information C-95
CIDEE
defined A-35
example A-36
IPS extensions A-35
protocol A-35
supported IPS events A-35
cisco
default password 19-2
default username 19-2
Cisco.com
accessing software 20-2
downloading software 20-1
IPS software 20-1
software downloads 20-1
Cisco IOS rate limiting 13-4
Cisco Security Intelligence Operations
described 20-10
URL 20-10
Cisco Services for IPS
service contract 1-10, 16-13
supported products 1-10, 16-13
clear events command 4-12, 4-16, 17-4, C-18, C-95
Clear Flow States pane
described 17-27
field descriptions 17-27
clearing
events 4-16, 17-4, C-95
flow states 17-27
statistics C-80
clear password command 16-6, 16-9, C-10, C-13
CLI described A-3, A-31
client manifest described A-30
Clone Event Action Rules dialog box field descriptions 9-12
Clone Policy dialog box field descriptions 7-2, 10-9
Clone Signature dialog box field descriptions 7-7
cloning
anomaly detection policies 10-9
event action rules policies 9-12
signature definition policies 7-2
signatures 7-15
CollaborationApp described A-3, A-29
command and control interface
described 5-2
list 5-2
commands
attemptLimit 4-26
auto-upgrade-option 21-6
clear events 4-12, 4-16, 17-4, C-18, C-95
clear password 16-6, 16-9, C-10, C-13
copy backup-config C-3
copy current-config C-3
debug module-boot C-68
downgrade 21-10
erase license-key 16-15
hw-module module 1 reset C-67
hw-module module slot_number password-reset 16-6, C-10
session 19-5, 19-9
setup 4-1, 18-1, 18-4, 18-8, 18-13, 18-16, 18-20, 18-24
show events C-92
show health C-73
show settings 16-11, C-15
show statistics C-80
show statistics virtual-sensor C-24, C-80
show tech-support C-74
show version C-77
unlock user username 4-25
upgrade 21-3, 21-5
Compare Knowledge Bases dialog box field descriptions 17-19
comparing KBs 17-19, 17-20
component signatures
Meta engine B-34
risk rating B-34
configuration files
backing up C-2
merging C-2
configuration restrictions
alternate TCP reset interface 5-9
inline interface pairs 5-8
inline VLAN pairs 5-8
interfaces 5-8
physical interfaces 5-8
VLAN groups 5-9
Configure Summertime dialog box field descriptions 3-4, 4-10
configuring
account locking 4-26
account unlocking 4-25
AIC policy parameters 7-38
allowed hosts 4-6
allowed networks 4-6
anomaly detection operation settings 10-11
application policy 7-39
authorized keys 12-3
automatic upgrades 21-8
blocking devices 13-15
blocking properties 13-10
Cat 6K blocking device interfaces 13-23
CDP Mode 5-31
CPU, Memory, & Load gadget 2-12
CSA MC IPS interfaces 15-4
device login profiles 13-13
event action filters 6-16, 9-18
events 17-3
event variables 6-29, 9-31
external zone 10-30
general settings 6-34, 9-35
Global Correlation Health gadget 2-9
Global Correlation Reports gadget 2-7
host blocks 17-7
illegal zone 10-25
inline VLAN pairs 3-11
inspection/reputation 11-10
interface pairs 5-20
interfaces 5-18
Interface Status gadget 2-7
internal zone 10-18
IP fragment reassembly signatures 7-42
IP logging 17-14
IPv4 target value rating 6-19, 9-21
IPv6 target value rating 6-22
known host keys 12-6
learning accept mode 10-14
Licensing gadget 2-6
local authentication 4-23
maintenance partition
IDSM2 (Catalyst software) 21-30
IDSM2 (Cisco IOS software) 21-34
master blocking sensor 13-26
network blocks 17-9
network participation 11-11
Network Security gadget 2-10
network settings 4-3
NTP servers 4-13
OS maps 6-26, 9-27
RADIUS authentication 4-24
rate limiting 17-11
rate limiting devices 13-15
risk categories 6-32, 9-33
router blocking device interfaces 13-20
Sensor Health gadget 2-5
Sensor Information gadget 2-4
Sensor Setup window 3-5
sensor to use NTP 4-14
SNMP 14-2
SNMP traps 14-4
target value rating 9-23
TCP fragment reassembly parameters 7-49
time 4-11
Top Applications gadget 2-10
traffic flow notifications 5-29
trusted hosts 12-10
UDLD protocol 5-23
upgrades 21-4
users 4-23
VLAN groups 5-26
VLAN pairs 5-22
control transactions
characteristics A-8
request types A-8
cookies IDM 1-6
copy backup-config command C-3
copy current-config command C-3
correcting time on the sensor 4-12, C-18
CPU, Memory, & Load gadget
configuring 2-12
described 2-11
creating
Atomic IP Advanced signature 7-25
custom signatures
not using signature engines 8-3
Service HTTP 8-15
String TCP 8-20
using signature engines 8-1
IPv6 signatures 7-25
Meta signatures 7-22
Post-Block VACLs 13-22
Pre-Block VACLs 13-22
service account C-5
cryptographic features (IDM) 1-1
CSA MC
adding interfaces 15-7
configuring IPS interfaces 15-4
host posture events 15-1, 15-4
quarantined IP address events 15-1
supported IPS interfaces 15-4
CtlTransSource
described A-2, A-11
illustration A-11
current configuration backup C-2
current KB setting 17-21
customizing
dashboards 2-1
gadgets 2-1
custom signatures
described 7-4
IPv6 signature 7-25
Meta signature 7-22
Custom Signature Wizard
no signature engine sequence 8-3
signature engine sequence 8-1
D
Dashboard pane gadgets 2-2
dashboards
adding 2-1
customizing 2-1
data structures (examples) A-8
DDoS
protocols B-69
Stacheldraht B-69
TFN B-69
debug logging enable C-46
debug module-boot command C-68
default policies
ad0 10-8
sig0 7-2
defaults
KB filename 10-12
password 19-2
restoring 16-24
username 19-2
virtual sensor vs0 6-3
deleting
anomaly detection policies 10-9
event action filters 6-16, 9-18
event action overrides 9-14
event action rules policies 9-12
event variables 6-29, 9-31
imported OS values 17-26
IPv4 target value rating 6-19, 9-21
IPv6 target value rating 6-22, 9-23
KBs 17-22
learned OS values 17-25
OS maps 6-26, 9-27
risk categories 6-32, 9-33
signature definition policies 7-2
signature variables 7-27
virtual sensors 6-11
Denial of Service. See DoS.
denied attackers
adding 17-5
clearing list 17-5
hit count 17-4
resetting hit counts 17-5
Denied Attackers pane
described 17-4
field descriptions 17-5
user roles 17-4
using 17-5
deny actions (list) 9-8
Deny Packet Inline described 6-11, 9-10, B-9
detect mode (anomaly detection) 10-4
device access issues C-41
Device Login Profiles pane
configuring 13-13
described 13-12
field descriptions 13-12
devices 13-15
Diagnostics Report pane
button functions 17-29
described 17-29
user roles 17-29
using 17-30
diagnostics reports 17-30
Differences between knowledge bases KB_Name and KB_Name window field descriptions 17-19
disabling
anomaly detection C-20
blocking 13-8
global correlation 11-12
interfaces 5-18
password recovery 16-10, C-14
disaster recovery C-6
displaying
events C-93
health status C-73
password recovery setting 16-11, C-15
statistics C-80
tech support information C-74
version C-77
Distributed Denial of Service. See DDoS.
DoS tools B-6
downgrade command 21-10
downgrading sensors 21-10
downloading
KBs 17-23
software 20-1
Download Knowledge Base From Sensor dialog box
described 17-23
field descriptions 17-23
duplicate IP addresses C-28
E
Edit Actions dialog box field descriptions 7-9
Edit Allowed Host dialog box
field descriptions 4-6
user roles 4-5
Edit Authorized Key dialog box
field descriptions 12-3
user roles 12-2
Edit Blocking Device dialog box
field descriptions 13-15
user roles 13-14
Edit Cat 6K Blocking Device Interface dialog box
field descriptions 13-23
user roles 13-21
Edit Configured OS Map dialog box
field descriptions 6-25, 9-27
user roles 6-24, 9-24
Edit Destination Port dialog box field descriptions 10-16
Edit Device Login Profile dialog box
field descriptions 13-13
user roles 13-12
Edit Event Action Filter dialog box
field descriptions 6-14, 9-16
user roles 6-13, 9-15
Edit Event Action Override dialog box
field descriptions 6-11, 9-14
user roles 6-11, 9-13
Edit Event Variable dialog box
field descriptions 6-29, 9-30
user roles 6-27, 9-29
Edit External Product Interface dialog box
field descriptions 15-6
user roles 15-5
Edit Histogram dialog box field descriptions 10-17
editing
event action filters 6-16, 9-18
event action overrides 9-14
event variables 6-29, 9-31
interfaces 5-18
IPv4 target value rating 6-19, 9-21
IPv6 target value rating 6-22, 9-23
OS maps 6-26, 9-27
risk categories 6-32, 9-33
signatures 7-16
signature variables 7-27
virtual sensors 6-11
Edit Inline VLAN Pair dialog box field descriptions 3-11, 5-22
Edit Interface dialog box field descriptions 5-17
Edit Interface Pair dialog box field descriptions 5-20
Edit IP Logging dialog box field descriptions 17-14
Edit IPv4 Target Value Rating dialog box
field descriptions 6-19, 9-21
user roles 6-18, 9-20
Edit IPv6 Target Value Rating dialog box
field descriptions 6-21, 9-22
user roles 6-20, 9-22
Edit Known Host Key dialog box
field descriptions 12-5
user roles 12-5
Edit Master Blocking Sensor dialog box
field descriptions 13-26
user roles 13-24
Edit Never Block Address dialog box
field descriptions 13-11
user roles 13-7
Edit Posture ACL dialog box field descriptions 15-7
Edit Protocol Number dialog box field descriptions 10-18, 10-24
Edit Risk Level dialog box field descriptions 6-32, 9-33
Edit Router Blocking Device Interface dialog box
field descriptions 13-20
user roles 13-17
Edit Signature dialog box field descriptions 7-7
Edit Signature Variable dialog box
field descriptions 7-27
user roles 7-27
Edit SNMP Trap Destination dialog box field descriptions 14-4
Edit User dialog box
field descriptions 4-22
user roles 4-17
Edit Virtual Sensor dialog box
field descriptions 6-9
user roles 6-9
Edit VLAN Group dialog box field descriptions 5-25
efficacy
described 11-4
measurements 11-4
enabling
debug logging C-46
event action filters 6-16, 9-18
event action overrides 9-14
interfaces 5-18
Encryption Software Export Distribution Authorization 20-2
engines
AIC B-11
Fixed B-30
Flood B-33
Master B-4
Meta 7-21, B-34
Multi String B-37
Normalizer B-38
Service DNS B-42
Service FTP B-43
Service Generic B-44
Service H225 B-45
Service HTTP 8-14, B-47
Service IDENT B-49
Service MSRPC 8-11, B-50
Service MSSQL B-52
Service NTP B-52
Service P2P B-53
Service RPC 8-17, B-53
Service SMB Advanced B-55
Service SNMP B-57
Service SSH B-57
Service TNS B-58
State 8-18, B-60
String 8-19, 8-22, B-61
Sweep 8-23, B-64
Sweep Other TCP B-66
Traffic ICMP B-69
Trojan B-70
erase license-key command 16-15
evAlert A-9
event action filters
adding 6-16, 9-18
configuring 6-16, 9-18
deleting 6-16, 9-18
described 6-13, 9-5
editing 6-16, 9-18
enabling 6-16, 9-18
Event Action Filters tab
configuring 6-16, 9-18
described 6-14, 9-15
field descriptions 6-14, 9-16
event action overrides
adding 9-14
deleting 9-14
described 6-4, 9-4
editing 9-14
enabling 9-14
risk rating range 6-4, 9-4
Event Action Overrides tab
described 9-13
field descriptions 9-13
event action rules
described 9-2
functions 9-2
Event Action Rules pane
described 9-11
field descriptions 9-12
user roles 9-11, 9-12
event action rules policies
adding 9-12
cloning 9-12
deleting 9-12
events
displaying C-93
host posture 15-2
quarantined IP address 15-2
Events pane
configuring 17-3
described 17-2
field descriptions 17-2
Event Store
clearing events 4-12, C-18
data structures A-8
described A-2
examples A-7
responsibilities A-7
timestamp A-7
event types C-91
event variables
adding 6-29, 9-31
configuring 6-29, 9-31
deleting 6-29, 9-31
described 6-28, 9-29
editing 6-29, 9-31
Event Variables tab
configuring 6-29, 9-31
field descriptions 6-28, 9-30
Event Viewer window field descriptions 17-3
evError A-9
evLogTransaction A-9
evShunRqst A-9
evStatus A-9
example custom signatures
Atomic IP Advanced 7-25
Meta 7-22
examples
ASA failover configuration C-70
Meta engine signature 7-22
external product interfaces
adding 15-7
described 15-1
issues 15-3, C-22
troubleshooting 15-10, C-23
trusted hosts 15-5
External Product Interfaces pane
described 15-5
field descriptions 15-5
external zone
configuring 10-30
protocols 10-28
user roles 10-28
External Zone tab
described 10-28
tabs 10-28
user roles 10-28
F
fail-over testing 5-10
false positives described 7-4
files
IDSM2 password recovery 16-9, C-13
Firefox
certificates 1-7
validating CAs 1-7
Fixed engine described B-30
Fixed ICMP engine parameters (table) B-30
Fixed TCP engine parameters (table) B-31
Fixed UDP engine parameters (table) B-32
Flood engine described B-33
Flood Host engine parameters (table) B-33
Flood Net engine parameters (table) B-34
flow states clearing 17-27
FTP servers supported 16-19, 21-2
G
gadgets
adding 2-1
CPU, Memory, & Load 2-11
customizing 2-1
Dashboard pane 2-2
Global Correlation Health 2-8
Global Correlation Reports 2-7
IDM 2-2
IDM home pane 1-3
Interface Status 2-6
Licensing 2-5
Network Security 2-9
Sensor Health 2-4
Sensor Information 2-3
Top Applications 2-10
general settings
configuring 6-34, 9-35
described 6-33, 9-34
General tab
configuring 6-34, 9-35
described 6-33, 9-34, 10-15, 10-22
enabling zones 10-15, 10-22
field descriptions 6-34, 9-35
user roles 6-33, 9-34
generating diagnostics reports 17-30
global correlation
described 1-1, 11-1, 11-2, A-4
disabling 11-12
DNS server 11-6
error messages A-31
features 11-5
goals 11-5
health metrics 11-7
HTTP proxy server 11-6
IPv6 support 6-20, 6-21, 6-29, 9-18, 9-23, 9-30, 11-6
license 1-9, 4-3, 11-6, 11-8, 18-1, 18-5
Produce Alert 7-9, 9-8, 11-5, B-7
requirements 11-6
troubleshooting 11-12, C-21
update client (illustration) 11-8
update client described A-30
update server described A-30
Global Correlation Health gadget
configuring 2-9
described 2-8
Global Correlation Reports gadget
configuring 2-7
described 2-7
Global Variables pane field descriptions 16-18
GRUB menu password recovery 16-4, C-8
H
H.225.0 protocol B-45
H.323 protocol B-45
hardware bypass
autonegotiation 5-11
configuration restrictions 5-11
fail-over 5-10
IPS 4260 5-10
IPS 4270-20 5-10
supported configurations 5-10
with software bypass 5-10
Home pane
device information 1-3
gadgets 1-3
health information 1-3
interface status 1-3
licensing information 1-3
system resources usage 1-3
updating 1-3
Host Blocks pane
configuring 17-7
described 17-6
host posture events
CSA MC 15-4
described 15-2
HTTP/HTTPS servers 16-19, 21-2
HTTP deobfuscation
ASCII normalization 8-14, B-47
described 8-14, B-47
hw-module module 1 reset command C-67
hw-module module slot_number password-reset command 16-6, C-10
I
IDAPI
communications A-3, A-33
described A-3
functions A-33
illustration A-33
responsibilities A-33
IDCONF
described A-34
example A-34
XML A-34
IDIOM
defined A-34
messages A-34
IDM
Analysis Engine is busy C-57
certificates 1-7, 12-8
cookies 1-6
cryptographic features 1-1
described 1-2, 1-5
gadgets 2-2
GUI 1-3
logging in 1-5
Signature Wizard supported signature engines 8-2
supported platforms 1-4
system requirements 1-4
TLS 1-7, 12-8
user interface 1-3
web browsers 1-2, 1-5
will not load C-56
IDSM2
command and control port C-64
configuring
maintenance partition (Catalyst software) 21-30
maintenance partition (Cisco IOS software) 21-34
initializing 18-20
installing
system image (Catalyst software) 21-27
system image (Cisco IOS software) 21-28
logging in 19-8
password recovery 16-9, C-12
password recovery image file 16-9, C-13
reimaging 21-27
sessioning 19-8
setup command 18-20
supported configurations C-61
TCP reset port C-66
time sources 4-8, C-16
upgrading
maintenance partition (Catalyst software) 21-37
maintenance partition (Cisco IOS software) 21-38
illegal zone
configuring 10-25
user roles 10-22
Illegal Zone tab
described 10-22
user roles 10-22
IME time synchronization problems C-59
Imported OS pane
clearing 17-26
described 17-26
field descriptions 17-26
imported OS values
clearing 17-26
deleting 17-26
inactive mode (anomaly detection) 10-4
initializing
AIM IPS 18-13
AIP SSM 18-16
appliances 18-8
IDSM2 18-20
NME IPS 18-24
sensors 4-1, 18-1, 18-4
user roles 18-1
verifying 18-27
inline interface pair mode
configuration restrictions 5-8
described 5-13
Inline Interface Pair window
described 3-9
Startup Wizard 3-9
inline VLAN pair mode
configuration restrictions 5-8
configuring 3-11
described 5-14
supported sensors 5-14
UDLD protocol 5-23
Inline VLAN Pairs pane user roles 5-21
Inline VLAN Pairs window
described 3-10
field descriptions 3-10
Startup Wizard 3-10
Inspection/Reputation pane
configuring 11-10
described 11-8
field descriptions 11-9
installer major version 20-5
installer minor version 20-5
installing
sensor license 1-11, 16-14
system image
AIM IPS 21-21
AIP SSM 21-25
IDSM2 (Catalyst software) 21-27
IDSM2 (Cisco IOS software) 21-28
IPS 4240 21-14
IPS 4255 21-14
IPS 4260 21-17
IPS 4270-20 21-19
NME IPS 21-39
InterfaceApp
described A-19
interactions A-20
NIC drivers A-19
InterfaceApp described A-3
interface pairs
configuring 5-20
described 5-19
Interface Pairs pane
configuring 5-20
described 5-19
field descriptions 5-19
user roles 5-19
interfaces
alternate TCP reset 5-2
command and control 5-2
configuration restrictions 5-8
configuring 5-18
described 3-7, 5-1
disabling 5-18
editing 5-18
enabling 5-18
logical 3-7
physical 3-7
port numbers 5-1
sensing 5-2, 5-3
slot numbers 5-1
support (table) 5-4
TCP reset 5-6
VLAN groups 5-2
Interface Selection window
described 3-9
Startup Wizard 3-9
Interfaces pane
configuring 5-18
described 5-16
field descriptions 5-17
user roles 5-16
Interface Status gadget
configuring 2-7
described 2-6
Interface Summary window described 3-7
internal zone
configuring 10-18
user roles 10-15
Internal Zone tab
described 10-15
user roles 10-15
Internet Explorer validating certificates 1-8
IP fragmentation described B-38
IP fragment reassembly
configuring 7-42
described 7-40
mode 7-42
parameters (table) 7-40
signatures 7-42
signatures (example) 7-42
signatures (table) 7-40
IP logging
described 7-50, 17-12
event actions 17-13
system performance 17-12
IP Logging pane
configuring 17-14
described 17-13
field descriptions 17-13
user roles 17-13
IP Logging Variables pane described 16-17
IP logs
circular buffer 17-13
states 17-12
TCPDUMP 17-13
viewing 17-14
Wireshark 17-13
IPS 4240
installing system image 21-14
password recovery 16-5, C-9
reimaging 21-14
IPS 4255
installing system image 21-14
password recovery 16-5, C-9
reimaging 21-14
IPS 4260
hardware bypass 5-10
installing system image 21-17
reimaging 21-17
IPS 4270-20
hardware bypass 5-10
installing system image 21-19
reimaging 21-19
IPS appliances
Deny Connection Inline 9-10, C-71
Deny Packet Inline 9-10, C-71
Reset TCP Connection 9-10, C-71
TCP reset packets 9-10, C-71
IPS applications
internal communications A-33
summary A-37
table A-37
XML format A-2
IPS data
types A-8
XML document A-8
IPS events
evAlert A-9
evError A-9
evLogTransaction A-9
evShunRqst A-9
evStatus A-9
list A-9
types A-9
IPS modules
time synchronization 4-8, C-17
unsupported features 3-1
IPS Policies pane
described 6-8
field descriptions 6-9
IPS software
application list A-2
available files 20-1
configuring device parameters A-4
directory structure A-36
Linux OS A-1
obtaining 20-1
platform-dependent release examples 20-7
retrieving data A-5
security features A-5
tuning signatures A-5
updating A-5
user interaction A-4
versioning scheme 20-3
IPS software file names
major updates (illustration) 20-4
minor updates (illustration) 20-4
patch releases (illustration) 20-4
service packs (illustration) 20-4
IPv4 target value rating
adding 6-19, 9-21
configuring 6-19, 9-21
deleting 6-19, 9-21
editing 6-19, 9-21
IPv4 Target Value Rating tab
configuring 6-19, 9-21
field descriptions 6-19, 9-20
IPv6
described B-28
SPAN ports 5-12
switches 5-12
IPv6 target value rating
adding 6-22, 9-23
configuring 6-22, 9-23
deleting 6-22, 9-23
editing 6-22, 9-23
IPv6 Target Value Rating tab
configuring 6-22, 9-23
field descriptions 6-21, 9-22
K
KBs
comparing 17-20
default filename 10-12
deleting 17-22
described 10-3
downloading 17-23
histogram 10-12, 17-16
initial baseline 10-3
learning accept mode 10-12
loading 17-21
monitoring 17-18
renaming 17-23
saving 17-22
scanner threshold 10-12, 17-16
tree structure 10-12, 17-16
uploading 17-24
Knowledge Base. See KB.
Known Host Keys pane
configuring 12-6
described 12-5
field descriptions 12-5
L
Learned OS pane
clearing 17-25
described 17-25
field descriptions 17-25
learned OS values
clearing 17-25
deleting 17-25
learning accept mode (anomaly detection) 10-3
Learning Accept Mode tab
configuring 10-14
described 10-12
field descriptions 10-13, 10-14
user roles 10-12
license files
BSD license D-3
expat license D-12
GNU Lesser license D-33
GNU license D-28
license key
uninstalling 16-15
license key trial 1-9, 16-12
licensing
described 1-9, 16-12
IPS device serial number 1-9, 16-12
Licensing gadget
configuring 2-6
described 2-5
Licensing pane
configuring 1-11, 16-14
described 1-9, 16-12
field descriptions 1-11, 16-14
user roles 1-11, 16-12
limitations for concurrent CLI sessions 19-1
listings UNIX-style 16-19
loading KBs 17-21
local authentication configuring 4-23
Logger
described A-3, A-19
functions A-19
syslog messages A-19
logging in
AIM IPS 19-5
AIP SSM 19-6
appliances 19-2
IDM 1-5
IDSM2 19-8
NME IPS 19-10
sensors
SSH 19-11
Telnet 19-11
service role 19-2
terminal servers 19-3, 21-13
user role 19-1
LOKI
described B-69
protocol B-69
loose connections on sensors C-24
M
MainApp
components A-6
described A-2, A-6
host statistics A-6
responsibilities A-6
show version command A-6
maintenance partition
configuring
IDSM2 (Catalyst software) 21-30
IDSM2 (Cisco IOS software) 21-34
described A-3
major updates described 20-3
managing rate limiting 17-11
manifests
client A-30
server A-30
manual block to bogus host C-43
master blocking sensor
described 13-25
not set up properly C-44
Master Blocking Sensor pane
configuring 13-26
described 13-24
field descriptions 13-25
Master engine
alert frequency B-6
alert frequency parameters (table) B-6
described B-3
event actions 9-8
general parameters (table) B-4
universal parameters B-4
master engine parameters
obsoletes B-6
promiscuous delta B-5
vulnerable OSes B-6
merging configuration files C-2
Meta engine
component signatures B-34
described 7-21, B-34
parameters (table) B-36
Signature Event Action Processor 7-21, B-34
Meta Event Generator described 6-33, 9-34
MIBs supported 14-6, C-19
minor updates described 20-3
Miscellaneous tab
button functions 7-30
configuring
application policy 7-38
IP fragment reassembly mode 7-42
IP logging 7-50
TCP stream reassembly mode 7-48
described 7-29
field descriptions 7-30
user roles 7-28
modes
anomaly detection
detect 10-4
inactive 10-4
learning accept 10-3
bypass 5-27
inline interface pair 5-13
inline VLAN pair 5-14
promiscuous 5-11
VLAN Groups 5-14
modify packets inline modes 6-4
monitoring
events 17-3
KBs 17-18
moving OS maps 6-26, 9-27
Multi String engine
described B-37
parameters (table) B-37
Regex B-37
MySDN described 7-5
N
NAS-ID
described 4-24
RADIUS authentication 4-24
Neighborhood Discovery
options B-29
types B-29
Network Blocks pane
configuring 17-9
described 17-8
field descriptions 17-9
user roles 17-8
Network pane
configuring 4-3
described 4-2
field descriptions 4-2
TLS/SSL 4-4
user roles 4-2
network participation
data gathered 11-3
data use (table) 1-2, 11-2
described 11-3
health metrics 11-7
modes 11-4
requirements 11-4
statistics 11-4
Network Participation pane
configuring 11-11
described 11-10
field descriptions 11-11
Network Security gadget
configuring 2-10
described 2-9
network security health data resetting 17-28
never block
hosts 13-8
networks 13-8
NME IPS
initializing 18-24
installing system image 21-39
logging in 19-10
reimaging 21-39
session command 19-9
sessioning 19-9, 19-10
setup command 18-24
Normalizer engine
described B-38
IP fragment reassembly B-38
parameters (table) B-40
TCP stream reassembly B-39
Normalizer mode described 6-4
NotificationApp
alert information A-9
described A-3
functions A-9
SNMP gets A-9
SNMP traps A-9
statistics A-11
system health information A-10
NTP
authenticated 4-7, 4-14, C-16
configuring servers 4-13
described 4-7, C-16
incorrect configuration 4-9, C-17
sensor time source 4-13, 4-14
time synchronization 4-7, C-16
unauthenticated 4-7, 4-14, C-16
verifying configuration 4-9
O
obsoletes field described B-6
one-way TCP reset described 6-33, 9-34
Operation Settings tab
described 10-10
field descriptions 10-10
user roles 10-10
OS Identifications tab
described 6-24, 9-24
field descriptions 6-25, 9-26
OS maps
adding 6-26, 9-27
configuring 6-26, 9-27
deleting 6-26, 9-27
editing 6-26, 9-27
moving 6-26, 9-27
other actions (list) 9-9
Other Protocols tab
described 10-24, 10-30
described 10-17
enabling other protocols 10-17
external zone 10-30
field descriptions 10-18, 10-30
illegal zone 10-24
P
P2P networks described B-53
partitions
application A-3
maintenance A-3
recovery A-3
Passive OS Fingerprinting
components 6-23, 9-25
configuring 6-24, 9-26
described 6-23, 9-25
password policy caution 16-2, 16-3
password recovery
AIP SSM 16-6, C-10
appliances 16-4, C-8
CLI 16-10, C-14
described 16-3, C-8
disabling 16-10, C-14
GRUB menu 16-4, C-8
IDSM2 16-9, C-12
IPS 4240 16-5, C-9
IPS 4255 16-5, C-9
platforms 16-3, C-8
ROMMON 16-5, C-9
troubleshooting 16-11, C-15
verifying 16-11, C-15
password requirements configuring 16-2
Passwords pane
described 16-2
field descriptions 16-2
patch releases described 20-4
peacetime learning (anomaly detection) 10-3
Peer-to-Peer. See P2P.
physical connectivity issues C-31
physical interfaces configuration restrictions 5-8
platforms concurrent CLI sessions 19-1
Post-Block ACLs 13-17, 13-18
Pre-Block ACLs 13-17, 13-18
prerequisites for blocking 13-5
promiscuous delta
calculating risk rating 6-5, 9-3
described 6-5, 9-3
promiscuous delta described B-5
promiscuous mode
described 5-11
packet flow 5-11
SPAN ports 5-12
VACL capture 5-12
protocols
ARP B-13
CIDEE A-35
DCE 8-11, B-50
DDoS B-69
H.323 B-45
H225.0 B-45
ICMPv6 B-14
IDAPI A-33
IDCONF A-34
IDIOM A-34
IPv6 B-28
LOKI B-69
MSSQL B-52
Neighborhood Discovery B-28, B-29
Q.931 B-45
RPC 8-11, B-50
SDEE A-35
Signature Wizard 8-10
UDLD 5-23
Q
Q.931 protocol
described B-45
SETUP messages B-45
quarantined IP address events described 15-2
R
RADIUS authentication
configuring 4-24
described 4-17
NAS-ID 4-24
service account 4-19
shared secret 4-24
rate limiting
ACLs 13-5
configuring 17-11
described 13-4
managing 17-11
percentages 17-10
routers 13-4
service policies 13-5
supported signatures 13-4
Rate Limits pane
described 17-10
field descriptions 17-10
rebooting the sensor 16-25
Reboot Sensor pane
configuring 16-25
described 16-25
user roles 16-25
recover command 21-10
recovering
AIP SSM C-68
application partition image 21-11
recovery partition
described A-3
upgrading 21-5
Regular Expression. See Regex.
regular expression syntax
signatures B-9
reimaging
AIM IPS 21-21
AIP SSM 21-24
appliances 21-10
described 21-1
IDSM2 21-27
IPS 4240 21-14
IPS 4255 21-14
IPS 4260 21-17
IPS 4270-20 21-19
NME IPS 21-39
sensors 20-8, 21-1
removing
service packs 21-10
signature updates 21-10
Rename Knowledge Base dialog box field descriptions 17-23
renaming KBs 17-23
reputation
described 11-2
illustration 11-3
servers 11-3
Reset Network Security Health pane
described 17-28
field descriptions 17-28
user roles 17-28
resetting
AIP SSM C-67
network security health data 17-28
passwords
ASDM 16-8, C-12
hw-module command 16-6, C-10
resetting the password
AIP SSM 16-7, C-11
Restore Default Interface dialog box field descriptions 3-8
Restore Defaults pane
configuring 16-24
described 16-24
user roles 16-24
restoring
current configuration C-4
defaults 16-24
restoring the current configuration C-4
risk categories
adding 6-32, 9-33
configuring 6-32, 9-33
deleting 6-32, 9-33
editing 6-32, 9-33
Risk Category tab
configuring 6-32, 9-33
described 6-31, 9-32
field descriptions 6-31, 9-32
risk rating
Alarm Channel 11-5
calculating 6-4, 9-2
component signatures B-34
described 6-23, 9-25
reputation score 11-4
ROMMON
described 21-12
IPS 4240 21-14
IPS 4255 21-14
IPS 4260 21-17
IPS 4270-20 21-17, 21-19
password recovery 16-5, C-9
remote sensors 21-12
serial console port 21-12
TFTP 21-12
round-trip time. See RTT.
Router Blocking Device Interfaces pane
configuring 13-20
described 13-17
field descriptions 13-19
RPC portmapper 8-17, B-53
RTT
described 21-13
TFTP limitation 21-13
rules0 pane
described 9-13
tabs 9-13
S
Save Knowledge Base dialog box
described 17-21
field descriptions 17-21
saving KBs 17-22
scheduling automatic upgrades 21-8
SDEE
described A-35
HTTP A-35
protocol A-35
server requests A-35
security
account locking 4-26
information on Cisco Security Intelligence Operations 20-10
security information
MySDN 7-5
security policies described 6-1, 7-1, 9-1, 10-1
security SSH 12-1
sensing interfaces
described 5-3
interface cards 5-3
modes 5-3
SensorApp
Alarm Channel A-26
Analysis Engine A-26
described A-3
event action filtering A-27
inline packet processing A-26
IP normalization A-26
packet flow A-27
processors A-24
responsibilities A-24
risk rating A-27
Signature Event Action Processor A-25, A-27
TCP normalization A-26
SensorBase Network
described 11-1, A-4
global correlation A-4
network traffic 11-2
Sensor Health gadget
configuring 2-5
described 2-4
metrics 2-4
status 2-4
Sensor Health pane
described 16-16
field descriptions 16-17
Sensor Information gadget
configuring 2-4
described 2-3
Sensor Key pane
button functions 12-7
described 12-7
field descriptions 12-7
sensor SSH key
displaying 12-7
generating 12-7
user roles 12-7
sensors
access problems C-25
asymmetric traffic and disabling anomaly detection C-19
blocking self 13-8
configuring to use NTP 4-14
corrupted SensorApp configuration C-36
diagnostics reports 17-30
disaster recovery C-6
downgrading 21-10
incorrect NTP configuration 4-9, C-17
initializing 4-1, 18-1, 18-4
interface support 5-4
IP address conflicts C-28
license 1-11, 16-14
logging in
SSH 19-11
Telnet 19-11
loose connections C-24
misconfigured access lists C-27
no alerts C-33, C-58
not seeing packets C-34
NTP time source 4-14
NTP time synchronization 4-7, C-16
partitions A-3
physical connectivity C-31
preventive maintenance C-2
rebooting 16-25
recovering the application partition 21-10
recovering the system image 20-8
reimaging 20-8, 21-1
restoring defaults 16-24
sensing process not running C-30
setting up 4-1
setup command 4-1, 18-1, 18-4, 18-8
shutting down 16-25
statistics 17-31
system images 20-8
system information 17-31
time sources 4-7, C-16
troubleshooting software upgrades C-55
updating 16-21, 16-23
upgrading 21-4
using NTP time source 4-13
Sensor Setup window
described 3-2
Startup Wizard 3-2
Server Certificate pane
button functions 12-11
certificate
displaying 12-11
generating 12-11
described 12-11
field descriptions 12-11
user roles 12-11
server manifest described A-30
service account
creating C-5
described 4-19, A-32, C-5
RADIUS authentication 4-19
TAC A-32
troubleshooting A-32
Service DNS engine
described B-42
parameters (table) B-42
Service engine
described B-41
Layer 5 traffic B-41
Service FTP engine
described B-43
parameters (table) B-43
PASV port spoof B-43
Service Generic engine
described B-44
parameters (table) B-44
Service H225 engine
ASN.1 PER validation B-45
described B-45
features B-46
parameters (table) B-46
TPKT validation B-45
Service HTTP engine
custom signature 8-15
described 8-14, B-47
example signature 8-15
parameters (table) B-48
Service IDENT engine
described B-49
parameters (table) B-50
service-module ids-sensor slot/port session command 19-4, 19-9
Service MSRPC engine
DCE/RPC protocol 8-11, B-50
described 8-11, B-50
parameters (table) B-51
Service MSSQL engine
described B-52
MSSQL protocol B-52
parameters (table) B-52
Service NTP engine
described B-52
parameters (table) B-52
Service P2P engine described B-53
service packs described 20-3
service role 4-18, 19-2, A-32
Service RPC engine
described 8-17, B-53
parameters (table) 8-17, B-53
RPC portmapper 8-17, B-53
Service SMB Advanced engine
described B-55
parameters (table) B-55
Service SNMP engine
described B-57
parameters (table) B-57
Service SSH engine
described B-57
parameters (table) B-58
Service TNS engine
described B-58
parameters (table) B-59
session command
AIM IPS 19-5
AIP SSM 19-6
IDSM2 19-8
NME IPS 19-9
sessioning
AIM IPS 19-5
AIP SSM 19-6
IDSM2 19-8
NME IPS 19-10
setting
current KB 17-21
setting up
sensors 4-1
terminal servers 19-3, 21-13
setup
automatic 18-2
command 4-1, 18-1, 18-4, 18-8, 18-13, 18-16, 18-20, 18-24
simplified mode 18-2
shared secret
described 4-24
RADIUS authentication 4-24
show events command C-91, C-92
show health command C-73
show interfaces command C-90
show settings command 16-11, C-15
show statistics command C-79, C-80
show statistics virtual-sensor command C-24, C-80
show tech-support command C-73, C-74
show version command C-76, C-77
Shut Down Sensor pane
configuring 16-25
described 16-25
user roles 16-25
shutting down the sensor 16-25
sig0 pane
default 7-3
described 7-3
field descriptions 7-6
signatures
assigning actions 7-17
cloning 7-14
tuning 7-16
tabs 7-3
signature/virus update files described 20-4
signature definition policies
adding 7-2
cloning 7-2
default policy 7-2
deleting 7-2
sig0 7-2
Signature Definitions pane
described 7-2
field descriptions 7-2
signature engines
AIC B-11
Atomic B-13
Atomic ARP B-13
Atomic IP 8-13, B-24
Atomic IP Advanced B-14
Atomic IPv6 B-28
creating custom signatures 8-1
described B-1
Fixed B-30
Flood B-33
Flood Host B-33
Flood Net B-34
list B-2
Master B-4
Meta 7-21, B-34
Multi String B-37
Normalizer B-38
Regex
patterns B-10
syntax B-9
Service B-41
Service DNS B-42
Service FTP B-43
Service Generic B-44
Service H225 B-45
Service HTTP 8-14, B-47
Service IDENT B-49
Service MSRPC 8-11, B-50
Service MSSQL B-52
Service NTP engine B-52
Service P2P B-53
Service RPC 8-17, B-53
Service SMB Advanced B-55
Service SNMP B-57
Service SSH engine B-57
Service TNS B-58
State 8-18, B-60
String 8-19, 8-22, B-61
supported by IDM 8-2
Sweep Other TCP B-67
Traffic Anomaly B-67
Traffic ICMP B-69
Trojan B-70
signature engine update files described 20-5
Signature Event Action Filter
described 9-6, A-28
parameters 9-6, A-28
Signature Event Action Handler described 9-6, A-28
Signature Event Action Override described 9-6, A-28
Signature Event Action Processor
Alarm Channel 9-6, A-28
components 9-6, A-28
described 9-6, A-25, A-27, A-28
signature fidelity rating
calculating risk rating 6-5, 9-3
described 6-5, 9-3
signatures
adding 7-13
alert frequency 7-19
assigning actions 7-17
cloning 7-15
custom 7-4
default 7-4
described 7-4
editing 7-16
false positives 7-4
rate limits 13-4
subsignatures 7-4
TCP reset C-52
tuned 7-4
tuning 7-16
signature updates installation time 16-19
signature variables
adding 7-27
deleting 7-27
described 7-27
editing 7-27
Signature Variables tab
configuring 7-27
field descriptions 7-27
Signature Wizard
alert behavior 8-24
Alert Response window field descriptions 8-24
Atomic IP Engine Parameters window field descriptions 8-13
described 8-1
ICMP Traffic Type window field descriptions 8-12
Inspect Data window field descriptions 8-12
MSRPC Engine Parameters window field descriptions 8-11
protocols 8-10
Protocol Type window field descriptions 8-10
Service HTTP Engine Parameters window field descriptions 8-14
Service RPC Engine Parameters window field descriptions 8-17
Service Type window field descriptions 8-13
signature identification 8-11
Signature Identification window field descriptions 8-11
State Engine Parameters window field descriptions 8-18
String ICMP Engine Parameters window field descriptions 8-19
String TCP Engine Parameters window field descriptions 8-20
String UDP Engine Parameters window field descriptions 8-22
supported signature engines 8-2
Sweep Engine Parameters window field descriptions 8-23
TCP Sweep Type window field descriptions 8-13
TCP Traffic Type window field descriptions 8-12
UDP Sweep Type window field descriptions 8-12
UDP Traffic Type window field descriptions 8-12
using 8-4
Welcome window field descriptions 8-10
SNMP
configuring 14-2
described 14-1
Get 14-1
GetNext 14-1
Set 14-1
supported MIBs 14-6, C-19
Trap 14-1
SNMP General Configuration pane
configuring 14-2
described 14-2
field descriptions 14-2
user roles 14-2
SNMP traps
configuring 14-4
described 14-1
SNMP Traps Configuration pane
described 14-4
field descriptions 14-4
user roles 14-3
software architecture
ARC (illustration) A-13
IDAPI (illustration) A-33
software bypass
supported configurations 5-10
with hardware bypass 5-10
software downloads Cisco.com 20-1
software file names
recovery (illustration) 20-6
signature/virus updates (illustration) 20-5
signature engine updates (illustration) 20-5
system image (illustration) 20-6
software release examples
platform-dependent 20-7
platform identifiers 20-7
platform-independent 20-6
software updates
supported FTP servers 16-19, 21-2
supported HTTP/HTTPS servers 16-19, 21-2
SPAN port issues C-31
SSH
security 12-1
understanding 12-1
SSH Server
private keys A-23
public keys A-23
standards
CIDEE A-35
IDCONF A-34
SDEE A-35
Startup Wizard
access lists 3-4
adding virtual sensors 3-13
Add Virtual Sensor dialog box 3-12
described 3-1
Inline Interface Pair window
described 3-9
field descriptions 3-9
Inline VLAN Pairs window configuring 3-11
Interface Selection window 3-9
Interface Summary window 3-7
Sensor Setup window
configuring 3-5
field descriptions 3-2
Traffic Inspection Mode window 3-9
Virtual Sensors window
described 3-12
field descriptions 3-12
State engine
Cisco Login 8-18, B-60
described 8-18, B-60
LPR Format String 8-18, B-60
parameters (table) B-60
SMTP 8-18, B-60
Statistics pane
button functions 17-30
categories 17-30
described 17-30
using 17-31
statistics viewing 17-31
String engine described 8-19, 8-22, B-61
String ICMP engine parameters (table) B-62
String TCP engine
custom signature 8-20
example signature 8-20
parameters (table) B-62
String UDP engine parameters (table) B-63
subinterface 0 described 5-15
subsignatures described 7-4
summarization
described 6-6, 9-5
Fire All 6-7, 9-5
Fire Once 6-7, 9-6
Global Summarization 6-7, 9-6
Meta engine 6-7, 9-5
Summary 6-7, 9-5
Summarizer described 6-33, 9-34
Summary pane
button functions 5-16
described 5-15
field descriptions 3-8, 5-16
supported
FTP servers 16-19, 21-2
HTTP/HTTPS servers 16-19, 21-2
IDM platforms 1-4
IDSM2 configurations C-61
IPS interfaces for CSA MC 15-4
Sweep engine
described 8-23, B-64
parameters (table) B-65, B-67
Sweep Other TCP engine described B-67
switch commands for troubleshooting C-61
system
design (illustration) A-2
IDAPI components A-34
IDM requirements 1-4
system architecture
directory structure A-36
supported platforms A-1
System Configuration Dialog
described 18-2
example 18-3
system image
installing
IDSM2 (Cisco IOS software) 21-28
system images
installing
AIM IPS 21-21
AIP SSM 21-25
IDSM2 (Catalyst Software) 21-27
IPS 4240 21-14
IPS 4255 21-14
IPS 4270-20 21-19
NME IPS 21-39
sensors 20-8
System Information pane
described 17-31
using 17-31
system information viewing 17-31
T
TAC
service account 4-19, A-32, C-5
show tech-support command C-74
target value rating
calculating risk rating 6-5, 9-3
described 6-5, 6-19, 6-20, 9-3, 9-20, 9-22
TCP fragmentation described B-39
TCP Protocol tab
described 10-16, 10-23, 10-29
enabling TCP 10-16
external zone 10-29
field descriptions 10-16
illegal zone 10-23
TCP reset
described 5-6
interfaces (list) 5-7
not occurring C-52
not occurring for a signature C-52
TCP reset interfaces
conditions 5-7
described 5-6
TCP resets
IDSM2 port C-66
TCP stream reassembly
described 7-43
mode 7-48
parameters (table) 7-44
signatures (table) 7-44
terminal server setup 19-3, 21-13
testing fail-over 5-10
TFN2K
described B-69
Trojans B-70
TFTP servers
maximum file size limitation 21-13
RTT 21-12
threat rating described 6-6, 9-4
Thresholds for KB Name window
described 17-18
field descriptions 17-18
filtering information 17-18
time
correcting on sensors 4-12, C-18
sensors 4-7, C-16
synchronization for IPS modules 4-8, C-17
Time pane
configuring 4-11
described 4-7
field descriptions 4-9
user roles 4-7
time sources
AIP SSM 4-8, C-16
appliances 4-7, C-16
ASA modules C-17
IDSM2 4-8, C-16
TLS
described 4-4
handshaking 1-7, 12-8
IDM 1-7, 12-8
Top Applications gadget
configuring 2-10
described 2-10
Traffic Anomaly engine
described B-67
protocols B-67
signatures B-67
traffic flow notifications
configuring 5-29
described 5-29
Traffic Flow Notifications pane
configuring 5-29
field descriptions 5-29
user roles 5-29
Traffic ICMP engine
DDoS B-69
described B-69
LOKI B-69
parameters (table) B-70
TFN2K B-69
Traffic Inspection Mode window described 3-9
Traps Configuration pane configuring 14-4
trial license key 1-9, 16-12
Tribe Flood Network. See TFN.
Tribe Flood Network 2000. See TFN2K.
Trojan engine
BO2K B-70
described B-70
TFN2K B-70
Trojans
BO B-70
BO2K B-70
LOKI B-69
TFN2K B-70
troubleshooting C-1
AIP SSM
debugging C-68
recovering C-68
reset C-67
Analysis Engine busy C-57
applying software updates C-54
ARC
blocking not occurring for signature C-43
device access issues C-41
enabling SSH C-43
inactive state C-39
misconfigured master blocking sensor C-44
verifying device interfaces C-42
ASA 5500 AIP SSM
failover scenarios C-69
automatic updates C-54
cannot access sensor C-25
cidDump C-95
cidLog messages to syslog C-51
communication C-25
corrupted SensorApp configuration C-36
debug logger zone names (table) C-50
debug logging C-46
disaster recovery C-6
duplicate sensor IP addresses C-28
enabling debug logging C-46
external product interfaces 15-10, C-23
gathering information C-72
global correlation 11-12, C-21
IDM
cannot access sensor C-57
will not load C-56
IDSM2
command and control port C-64
diagnosing problems C-60
not online C-63, C-64
serial cable C-66
status indicator C-62
switch commands C-61
IME time synchronization C-59
IPS modules time drift 4-8, C-17
manual block to bogus host C-43
misconfigured access list C-27
no alerts C-33, C-58
NTP C-52
password recovery 16-11, C-15
physical connectivity issues C-31
preventive maintenance C-2
reset not occurring for a signature C-52
sensing process not running C-30
sensor events C-91
sensor loose connections C-24
sensor not seeing packets C-34
sensor software upgrade C-55
service account 4-19, C-5
show events command C-91
show interfaces command C-89, C-90
show statistics command C-79
show tech-support command C-73, C-75
show version command C-76
software upgrades C-53
SPAN port issue C-31
upgrading C-53
verifying Analysis Engine is running C-21
verifying ARC status C-38
Trusted Hosts pane
configuring 12-10
described 12-9
field descriptions 12-9
tuned signatures described 7-4
tuning
AIC signatures 7-39
IP fragment reassembly signatures 7-42
signatures 7-16
turning off anomaly detection 10-34
U
UDLD
configuring 5-23
described 5-23
UDP Protocol tab
described 10-17, 10-23, 10-29
enabling UDP 10-17
external zone 10-29
field descriptions 10-29
illegal zone 10-23
unassigned VLAN groups described 5-15
unauthenticated NTP 4-7, 4-14, C-16
UniDirectional Link Detection. See UDLD.
uninstalling
license key 16-15
UNIX-style directory listings 16-19
unlocking accounts 4-25
unlock user username command 4-25
Update Sensor pane
configuring 16-23
described 16-22
field descriptions 16-22
user roles 16-22
updating
Cisco.com 16-22
FTP server 16-22
Home pane 1-3
sensors 16-23
upgrade command 21-3, 21-5
upgrading
IPS software 20-8
latest version C-53
maintenance partition
IDSM2 (Catalyst software) 21-37
IDSM2 (Cisco IOS software) 21-38
minimum required version 20-8
recovery partition 21-5, 21-10
sensors 21-4
uploading KBs
FTP 17-24
SCP 17-24
Upload Knowledge Base to Sensor dialog box
described 17-24
field descriptions 17-24
URLs for Cisco Security Intelligence Operations 20-10
user roles authentication 4-17
users configuring 4-23
using
debug logging C-46
TCP reset interfaces 5-7
V
VACLs
described 13-3
Post-Block 13-22
Pre-Block 13-22
verifying
NTP configuration 4-9
password recovery 16-11, C-15
sensor initialization 18-27
sensor setup 18-27
viewing
IP logs 17-14
statistics 17-31
system information 17-31
virtual sensors
adding 3-13, 6-11
default virtual sensor 6-3, 6-8
deleting 6-11
described 6-2, 6-8
editing 6-11
stream segregation 6-4
Virtual Sensors window described 3-12
VLAN groups
802.1q encapsulation 5-15
configuration restrictions 5-9
configuring 5-26
deploying 5-25
described 5-14
switches 5-25
VLAN Groups pane
configuring 5-26
described 5-24
field descriptions 5-25
user roles 5-24
VLAN IDs 5-24
VLAN Pairs pane
configuring 5-22
described 5-21
field descriptions 5-22
vulnerable OSes field
described B-6
W
watch list rating
calculating risk rating 6-6, 9-4
described 6-6, 9-4
Web Server
described A-3, A-24
HTTP 1.0 and 1.1 support A-24
private keys A-23
public keys A-23
SDEE support A-24
worms
Blaster 10-2
Code Red 10-2
histograms 10-12
Nimda 10-2
protocols 10-3
Sasser 10-2
scanners 10-3
Slammer 10-2
SQL Slammer 10-2
Z
zones
external 10-4
illegal 10-4
internal 10-4