Cisco Intrusion Prevention System Device Manager Configuration Guide for IPS 7.0
Index


Numerics

4GE bypass interface card

configuration restrictions 5-11

described 5-10

802.1q encapsulation for VLAN groups 5-15

A

AAA RADIUS

functionality 4-20

limitations 4-20

accessing IPS software 20-2

access lists

misconfiguration C-27

necessary hosts 3-4

account locking

configuring 4-26

security 4-26

account unlocking

configuring 4-25

RADIUS 4-25

ACLs

adding 3-4

described 13-3

Post-Block 13-17, 13-18

Pre-Block 13-17, 13-18

Active Host Blocks pane

field descriptions 17-6

user roles 17-6

ad0 pane

default 10-10

described 10-10

tabs 10-10

Add ACL Entry dialog box field descriptions 3-4

Add Active Host Block dialog box field descriptions 17-7

Add Allowed Host dialog box

field descriptions 4-6

user roles 4-5

Add Authorized Key dialog box

field descriptions 12-3

user roles 12-2

Add Blocking Device dialog box

field descriptions 13-15

user roles 13-14

Add Cat 6K Blocking Device Interface dialog box

field descriptions 13-23

user roles 13-21

Add Configured OS Map dialog box

field descriptions 6-25, 9-27

user roles 6-24, 9-24

Add Destination Port dialog box field descriptions 10-16

Add Device Login Profile dialog box

field descriptions 13-13

user roles 13-12

Add Event Action Filter dialog box

field descriptions 6-14, 9-16

user roles 6-13, 9-15

Add Event Action Override dialog box

field descriptions 6-11, 9-14

user roles 6-11, 9-13

Add Event Variable dialog box

field descriptions 6-29, 9-30

user roles 6-27, 9-29

Add External Product Interface dialog box

field descriptions 15-6

user roles 15-5

Add Histogram dialog box field descriptions 10-17

adding

ACLs 3-4

a host never to be blocked 13-11

anomaly detection policies 10-9

CSA MC interfaces 15-7

dashboards 2-1

denied attackers 17-5

event action filters 6-16, 9-18

event action overrides 9-14

event action rules policies 9-12

event variables 6-29, 9-31

external product interfaces 15-7

gadgets 2-1

host blocks 17-7

IPv4 target value rating 6-19, 9-21

IPv6 target value rating 6-22, 9-23

network blocks 17-9

OS maps 6-26, 9-27

risk categories 6-32, 9-33

signature definition policies 7-2

signatures 7-13

signature variables 7-27

virtual sensors 3-13, 6-11

Add Inline VLAN Pair dialog box field descriptions 3-11, 5-22

Add Interface Pair dialog box field descriptions 5-20

Add IP Logging dialog box field descriptions 17-14

Add IPv4 Target Value Rating dialog box

field descriptions 6-19, 9-21

user roles 6-18, 9-20

Add IPv6 Target Value Rating dialog box

field descriptions 6-21, 9-22

user roles 6-20, 9-22

Add Known Host Key dialog box

field descriptions 12-5

user roles 12-5

Add Master Blocking Sensor dialog box

field descriptions 13-26

user roles 13-24

Add Network Block dialog box field descriptions 17-9

Add Never Block Address dialog box

field descriptions 13-11

user roles 13-7

Add Policy dialog box field descriptions 7-2, 9-12, 10-9

Add Posture ACL dialog box field descriptions 15-7

Add Protocol Number dialog box field descriptions 10-18, 10-24

Add Rate Limit dialog box

field descriptions 17-11

user role 17-10

Address Resolution Protocol. See ARP.

Add Risk Level dialog box field descriptions 6-32, 9-33

Add Router Blocking Device Interface dialog box

field descriptions 13-20

user roles 13-17

Add Signature dialog box field descriptions 7-7

Add Signature Variable dialog box

field descriptions 7-27

user roles 7-27

Add SNMP Trap Destination dialog box field descriptions 14-4

Add Trusted Host dialog box

field descriptions 12-9

user roles 12-9

Add User dialog box

field descriptions 4-22

user roles 4-17

Add Virtual Sensor dialog box

described 3-12, 6-9

field descriptions 3-13, 6-9

Add VLAN Group dialog box field descriptions 5-25

Advanced Alert Behavior Wizard

Alert Dynamic Response Fire All window field descriptions 8-25

Alert Dynamic Response Fire Once window field descriptions 8-25

Alert Dynamic Response Summary window field descriptions 8-26

Alert Summarization window field descriptions 8-25

Event Count and Interval window field descriptions 8-24

Global Summarization window field descriptions 8-26

AIC

policy 7-38

signatures (example) 7-39

AIC engine

AIC FTP B-11

AIC FTP engine parameters (table) B-12

AIC HTTP B-11

AIC HTTP engine parameters (table) B-12

described B-11

features B-11

signature categories 7-31

AIC policy enforcement

default configuration 7-32, B-11

described 7-31, B-11

sensor oversubscription 7-32, B-11

AIM IPS

initializing 18-13

installing system image 21-21

logging in 19-5

session command 19-5

sessioning 19-4, 19-5

setup command 18-13

AIP SSM

bypass mode 5-28

initializing 18-16

installing system image 21-25

logging in 19-6

Normalizer engine B-39, C-70

password recovery 16-6, C-10

recovering C-68

reimaging 21-24

resetting C-67

resetting the password 16-7, C-11

session command 19-6

setup command 18-16

time sources 4-8, C-16

Alarm Channel described 9-6, A-28

alert and log actions (list) 9-8

alert behavior

normal 8-24

Signature Wizard 8-24

alert frequency

aggregation 7-19

configuring 7-19

controlling 7-19

modes B-6

Allowed Hosts/Networks pane

configuring 4-6

described 4-5

field descriptions 4-6

alternate TCP reset interface 5-9

Analysis Engine

described 6-2

error messages C-24

IDM exits C-57

verify it is running C-21

virtual sensors 6-2

anomaly detection

asymmetric traffic 10-2, 10-34

caution 10-2, 10-34

configuration sequence 10-5

default configuration (example) 10-4

described 10-2

detect mode 10-4

disabling C-20

event actions 10-6, B-67

inactive mode 10-4

learning accept mode 10-3

learning process 10-3

limiting false positives 10-13, 17-16

operation settings 10-11

protocols 10-3

signatures 10-6

signatures (table) 10-6, B-68

turning off 10-34

worms

attacks 10-12

described 10-3

zones 10-4

Anomaly Detection pane

button functions 17-17

described 17-15

field descriptions 17-17

user roles 17-15

anomaly detection policies

ad0 10-8

adding 10-9

cloning 10-9

default policy 10-8

deleting 10-9

Anomaly Detections pane

described 10-8

field descriptions 10-9

user roles 10-8

appliances

application partition image 21-11

GRUB menu 16-4, C-8

initializing 18-8

logging in 19-2

password recovery 16-4, C-8

terminal servers

described 19-3, 21-13

setting up 19-3, 21-13

time sources 4-7, C-16

UDLD protocol 5-23

upgrading recovery partition 21-5

Application Inspection and Control. See AIC.

application partition

described A-3

image recovery 21-11

application policy enforcement

described 7-31, B-11

disabled (default) 7-32, B-11

applying software updates C-54

ARC

ACLs 13-18, A-14

authentication A-14

blocking

application 13-2

connection-based A-17

not occurring for signature C-43

unconditional blocking A-17

block response A-13

Catalyst 6000 series switch

VACL commands A-19

VACLs A-18

Catalyst switches

VACLs A-16

VLANs A-16

checking status 13-3, 13-4

described A-3

design 13-2

device access issues C-41

enabling SSH C-43

features A-13

firewalls

AAA A-18

connection blocking A-17

NAT A-18

network blocking A-17

postblock ACL A-16

preblock ACL A-16

shun command A-17

TACACS+ A-18

formerly Network Access Controller 13-1

functions 13-2

illustration A-12

inactive state C-39

interfaces A-14

maintaining states A-16

managed devices 13-8

master blocking sensors A-14

maximum blocks 13-2

misconfigured master blocking sensor C-44

nac.shun.txt file A-16

NAT addressing A-15

number of blocks A-15

postblock ACL A-16

preblock ACL A-16

prerequisites 13-5

rate limiting 13-4

responsibilities A-12

single point of control A-15

SSH A-13

supported devices 13-6, A-15

Telnet A-13

troubleshooting C-37

VACLs A-14

verifying device interfaces C-42

verifying status C-38

ARP

Layer 2 signatures B-13

protocol B-13

ARP spoof tools

dsniff B-13

ettercap B-13

ASA IPS modules

Deny Connection Inline 9-11, C-71

Deny Packet Inline 9-11, C-71

Reset TCP Connection 9-11, C-71

TCP reset packets 9-11, C-71

ASA modules time sources C-17

ASDM resetting passwords 16-8, C-12

assigning actions to signatures 7-17

asymmetric traffic

anomaly detection 10-2, 10-34

caution 10-2, 10-34

disabling anomaly detection C-19

Atomic ARP engine

described B-13

parameters (table) B-13

Atomic IP Advanced engine

described B-14

restrictions B-15

Atomic IP engine

described 8-13, B-24

parameters (table) B-25

Atomic IPv6 engine

described B-28

Neighborhood Discovery protocol B-28, B-29

signatures B-28

signatures (table) B-29

attack relevance rating

calculating risk rating 6-5, 9-3

described 6-5, 6-23, 9-3, 9-25

Attack Response Controller

described A-3

formerly known as Network Access Controller A-3

Attack Response Controller. See ARC.

attack severity rating

calculating risk rating 6-5, 9-3

described 6-5, 9-3

attemptLimit command 4-26

Audit mode

described 11-9

Test Global Correlation 11-9

authenticated NTP 4-7, 4-14, C-16

authentication

local 4-17

RADIUS 4-17

AuthenticationApp

authenticating users A-21

described A-3

login attempt limit A-20

method A-20

responsibilities A-20

secure communications A-23

sensor configuration

local A-20

RADIUS A-21

Authentication pane

configuring 4-23

described 4-17

field descriptions 4-20

user roles 4-18, A-31

Authorized Keys pane

configuring 12-3

described 12-2

field descriptions 12-2

RSA authentication 12-2

RSA key generation tool 12-3

Auto/Cisco.com Update pane

configuring 16-21

described 16-18

field descriptions 16-20

UNIX-style directory listings 16-19

user roles 16-18

automatic setup 18-2

automatic updates

Cisco.com 16-18

information required 21-6

servers

FTP 16-18

SCP 16-18

troubleshooting C-54

autonegotiation for hardware bypass 5-11

auto-upgrade-option command 21-6

B

backing up

configuration C-2

current configuration C-4

BackOrifice. See BO.

BackOrifice 2000. See BO2K.

basic setup 18-4

blocking

described 13-2

disabling 13-8

master blocking sensor 13-25

necessary information 13-3

not occurring for signature C-43

prerequisites 13-5

supported devices 13-6

types 13-2

Blocking Devices pane

configuring 13-15

described 13-14

field descriptions 13-15

ssh host-key command 13-15

Blocking Properties pane

adding a host never to be blocked 13-11

configuring 13-10

described 13-7

field descriptions 13-8

BO

described B-70

Trojans B-70

BO2K

described B-70

Trojans B-70

Bug Toolkit

described C-1

URL C-1

bypass mode

AIP SSM 5-28

described 5-27

Bypass pane

field descriptions 5-27

user roles 5-27

C

calculating risk rating

attack relevance rating 6-5, 9-3

attack severity rating 6-5, 9-3

promiscuous delta 6-5, 9-3

signature fidelity rating 6-5, 9-3

target value rating 6-5, 9-3

watch list rating 6-6, 9-4

cannot access sensor C-25

Cat 6K Blocking Device Interfaces pane

configuring 13-23

described 13-22

field descriptions 13-23

CDP described 5-30

CDP Mode pane

configuring 5-31

field descriptions 5-30

user roles 5-30

certificates

displaying 12-11

Firefox 1-7

generating 12-11

IDM 1-7, 12-8

Internet Explorer 1-8

changing Microsoft IIS to UNIX-style directory listings 16-19

cidDump obtaining information C-95

CIDEE

defined A-35

example A-36

IPS extensions A-35

protocol A-35

supported IPS events A-35

cisco

default password 19-2

default username 19-2

Cisco.com

accessing software 20-2

downloading software 20-1

IPS software 20-1

software downloads 20-1

Cisco IOS rate limiting 13-4

Cisco Security Intelligence Operations

described 20-10

URL 20-10

Cisco Services for IPS

service contract 1-10, 16-13

supported products 1-10, 16-13

clear events command 4-12, 4-16, 17-4, C-18, C-95

Clear Flow States pane

described 17-27

field descriptions 17-27

clearing

events 4-16, 17-4, C-95

flow states 17-27

statistics C-80

clear password command 16-6, 16-9, C-10, C-13

CLI described A-3, A-31

client manifest described A-30

Clone Event Action Rules dialog box field descriptions 9-12

Clone Policy dialog box field descriptions 7-2, 10-9

Clone Signature dialog box field descriptions 7-7

cloning

anomaly detection policies 10-9

event action rules policies 9-12

signature definition policies 7-2

signatures 7-15

CollaborationApp described A-3, A-29

command and control interface

described 5-2

list 5-2

commands

attemptLimit 4-26

auto-upgrade-option 21-6

clear events 4-12, 4-16, 17-4, C-18, C-95

clear password 16-6, 16-9, C-10, C-13

copy backup-config C-3

copy current-config C-3

debug module-boot C-68

downgrade 21-10

erase license-key 16-15

hw-module module 1 reset C-67

hw-module module slot_number password-reset 16-6, C-10

session 19-5, 19-9

setup 4-1, 18-1, 18-4, 18-8, 18-13, 18-16, 18-20, 18-24

show events C-92

show health C-73

show settings 16-11, C-15

show statistics C-80

show statistics virtual-sensor C-24, C-80

show tech-support C-74

show version C-77

unlock user username 4-25

upgrade 21-3, 21-5

Compare Knowledge Bases dialog box field descriptions 17-19

comparing KBs 17-19, 17-20

component signatures

Meta engine B-34

risk rating B-34

configuration files

backing up C-2

merging C-2

configuration restrictions

alternate TCP reset interface 5-9

inline interface pairs 5-8

inline VLAN pairs 5-8

interfaces 5-8

physical interfaces 5-8

VLAN groups 5-9

Configure Summertime dialog box field descriptions 3-4, 4-10

configuring

account locking 4-26

account unlocking 4-25

AIC policy parameters 7-38

allowed hosts 4-6

allowed networks 4-6

anomaly detection operation settings 10-11

application policy 7-39

authorized keys 12-3

automatic upgrades 21-8

blocking devices 13-15

blocking properties 13-10

Cat 6K blocking device interfaces 13-23

CDP Mode 5-31

CPU, Memory, & Load gadget 2-12

CSA MC IPS interfaces 15-4

device login profiles 13-13

event action filters 6-16, 9-18

events 17-3

event variables 6-29, 9-31

external zone 10-30

general settings 6-34, 9-35

Global Correlation Health gadget 2-9

Global Correlation Reports gadget 2-7

host blocks 17-7

illegal zone 10-25

inline VLAN pairs 3-11

inspection/reputation 11-10

interface pairs 5-20

interfaces 5-18

Interface Status gadget 2-7

internal zone 10-18

IP fragment reassembly signatures 7-42

IP logging 17-14

IPv4 target value rating 6-19, 9-21

IPv6 target value rating 6-22

known host keys 12-6

learning accept mode 10-14

Licensing gadget 2-6

local authentication 4-23

maintenance partition

IDSM2 (Catalyst software) 21-30

IDSM2 (Cisco IOS software) 21-34

master blocking sensor 13-26

network blocks 17-9

network participation 11-11

Network Security gadget 2-10

network settings 4-3

NTP servers 4-13

OS maps 6-26, 9-27

RADIUS authentication 4-24

rate limiting 17-11

rate limiting devices 13-15

risk categories 6-32, 9-33

router blocking device interfaces 13-20

Sensor Health gadget 2-5

Sensor Information gadget 2-4

Sensor Setup window 3-5

sensor to use NTP 4-14

SNMP 14-2

SNMP traps 14-4

target value rating 9-23

TCP fragment reassembly parameters 7-49

time 4-11

Top Applications gadget 2-10

traffic flow notifications 5-29

trusted hosts 12-10

UDLD protocol 5-23

upgrades 21-4

users 4-23

VLAN groups 5-26

VLAN pairs 5-22

control transactions

characteristics A-8

request types A-8

cookies IDM 1-6

copy backup-config command C-3

copy current-config command C-3

correcting time on the sensor 4-12, C-18

CPU, Memory, & Load gadget

configuring 2-12

described 2-11

creating

Atomic IP Advanced signature 7-25

custom signatures

not using signature engines 8-3

Service HTTP 8-15

String TCP 8-20

using signature engines 8-1

IPv6 signatures 7-25

Meta signatures 7-22

Post-Block VACLs 13-22

Pre-Block VACLs 13-22

service account C-5

cryptographic features (IDM) 1-1

CSA MC

adding interfaces 15-7

configuring IPS interfaces 15-4

host posture events 15-1, 15-4

quarantined IP address events 15-1

supported IPS interfaces 15-4

CtlTransSource

described A-2, A-11

illustration A-11

current configuration back up C-2

current KB setting 17-21

customizing

dashboards 2-1

gadgets 2-1

custom signatures

described 7-4

IPv6 signature 7-25

Meta signature 7-22

Custom Signature Wizard

no signature engine sequence 8-3

signature engine sequence 8-1

D

Dashboard pane gadgets 2-2

dashboards

adding 2-1

customizing 2-1

data structures (examples) A-8

DDoS

protocols B-69

Stacheldraht B-69

TFN B-69

debug logging enable C-46

debug module-boot command C-68

default policies

ad0 10-8

sig0 7-2

defaults

KB filename 10-12

password 19-2

restoring 16-24

username 19-2

virtual sensor vs0 6-3

deleting

anomaly detection policies 10-9

event action filters 6-16, 9-18

event action overrides 9-14

event action rules policies 9-12

event variables 6-29, 9-31

imported OS values 17-26

IPv4 target value rating 6-19, 9-21

IPv6 target value rating 6-22, 9-23

KBs 17-22

learned OS values 17-25

OS maps 6-26, 9-27

risk categories 6-32, 9-33

signature definition policies 7-2

signature variables 7-27

virtual sensors 6-11

Denial of Service. See DoS.

denied attackers

adding 17-5

clearing list 17-5

hit count 17-4

resetting hit counts 17-5

Denied Attackers pane

described 17-4

field descriptions 17-5

user roles 17-4

using 17-5

deny actions (list) 9-8

Deny Packet Inline described 6-11, 9-10, B-9

detect mode (anomaly detection) 10-4

device access issues C-41

Device Login Profiles pane

configuring 13-13

described 13-12

field descriptions 13-12

devices 13-15

Diagnostics Report pane

button functions 17-29

described 17-29

user roles 17-29

using 17-30

diagnostics reports 17-30

Differences between knowledge bases KB_Name and KB_Name window field descriptions 17-19

disabling

anomaly detection C-20

blocking 13-8

global correlation 11-12

interfaces 5-18

password recovery 16-10, C-14

disaster recovery C-6

displaying

events C-93

health status C-73

password recovery setting 16-11, C-15

statistics C-80

tech support information C-74

version C-77

Distributed Denial of Service. See DDoS.

DoS tools B-6

downgrade command 21-10

downgrading sensors 21-10

downloading

KBs 17-23

software 20-1

Download Knowledge Base From Sensor dialog box

described 17-23

field descriptions 17-23

duplicate IP addresses C-28

E

Edit Actions dialog box field descriptions 7-9

Edit Allowed Host dialog box

field descriptions 4-6

user roles 4-5

Edit Authorized Key dialog box

field descriptions 12-3

user roles 12-2

Edit Blocking Device dialog box

field descriptions 13-15

user roles 13-14

Edit Cat 6K Blocking Device Interface dialog box

field descriptions 13-23

user roles 13-21

Edit Configured OS Map dialog box

field descriptions 6-25, 9-27

user roles 6-24, 9-24

Edit Destination Port dialog box field descriptions 10-16

Edit Device Login Profile dialog box

field descriptions 13-13

user roles 13-12

Edit Event Action Filter dialog box

field descriptions 6-14, 9-16

user roles 6-13, 9-15

Edit Event Action Override dialog box

field descriptions 6-11, 9-14

user roles 6-11, 9-13

Edit Event Variable dialog box

field descriptions 6-29, 9-30

user roles 6-27, 9-29

Edit External Product Interface dialog box

field descriptions 15-6

user roles 15-5

Edit Histogram dialog box field descriptions 10-17

editing

event action filters 6-16, 9-18

event action overrides 9-14

event variables 6-29, 9-31

interfaces 5-18

IPv4 target value rating 6-19, 9-21

IPv6 target value rating 6-22, 9-23

OS maps 6-26, 9-27

risk categories 6-32, 9-33

signatures 7-16

signature variables 7-27

virtual sensors 6-11

Edit Inline VLAN Pair dialog box field descriptions 3-11, 5-22

Edit Interface dialog box field descriptions 5-17

Edit Interface Pair dialog box field descriptions 5-20

Edit IP Logging dialog box field descriptions 17-14

Edit IPv4 Target Value Rating dialog box

field descriptions 6-19, 9-21

user roles 6-18, 9-20

Edit IPv6 Target Value Rating dialog box

field descriptions 6-21, 9-22

user roles 6-20, 9-22

Edit Known Host Key dialog box

field descriptions 12-5

user roles 12-5

Edit Master Blocking Sensor dialog box

field descriptions 13-26

user roles 13-24

Edit Never Block Address dialog box

field descriptions 13-11

user roles 13-7

Edit Posture ACL dialog box field descriptions 15-7

Edit Protocol Number dialog box field descriptions 10-18, 10-24

Edit Risk Level dialog box field descriptions 6-32, 9-33

Edit Router Blocking Device Interface dialog box

field descriptions 13-20

user roles 13-17

Edit Signature dialog box field descriptions 7-7

Edit Signature Variable dialog box

field descriptions 7-27

user roles 7-27

Edit SNMP Trap Destination dialog box field descriptions 14-4

Edit User dialog box

field descriptions 4-22

user roles 4-17

Edit Virtual Sensor dialog box

field descriptions 6-9

user roles 6-9

Edit VLAN Group dialog box field descriptions 5-25

efficacy

described 11-4

measurements 11-4

enabling

debug logging C-46

event action filters 6-16, 9-18

event action overrides 9-14

interfaces 5-18

Encryption Software Export Distribution Authorization 20-2

engines

AIC B-11

Fixed B-30

Flood B-33

Master B-4

Meta 7-21, B-34

Multi String B-37

Normalizer B-38

Service DNS B-42

Service FTP B-43

Service Generic B-44

Service H225 B-45

Service HTTP 8-14, B-47

Service IDENT B-49

Service MSRPC 8-11, B-50

Service MSSQL B-52

Service NTP B-52

Service P2P B-53

Service RPC 8-17, B-53

Service SMB Advanced B-55

Service SNMP B-57

Service SSH B-57

Service TNS B-58

State 8-18, B-60

String 8-19, 8-22, B-61

Sweep 8-23, B-64

Sweep Other TCP B-66

Traffic ICMP B-69

Trojan B-70

erase license-key command 16-15

evAlert A-9

event action filters

adding 6-16, 9-18

configuring 6-16, 9-18

deleting 6-16, 9-18

described 6-13, 9-5

editing 6-16, 9-18

enabling 6-16, 9-18

Event Action Filters tab

configuring 6-16, 9-18

described 6-14, 9-15

field descriptions 6-14, 9-16

event action overrides

adding 9-14

deleting 9-14

described 6-4, 9-4

editing 9-14

enabling 9-14

risk rating range 6-4, 9-4

Event Action Overrides tab

described 9-13

field descriptions 9-13

event action rules

described 9-2

functions 9-2

Event Action Rules pane

described 9-11

field descriptions 9-12

user roles 9-11, 9-12

event action rules policies

adding 9-12

cloning 9-12

deleting 9-12

events

displaying C-93

host posture 15-2

quarantined IP address 15-2

Events pane

configuring 17-3

described 17-2

field descriptions 17-2

Event Store

clearing events 4-12, C-18

data structures A-8

described A-2

examples A-7

responsibilities A-7

timestamp A-7

event types C-91

event variables

adding 6-29, 9-31

configuring 6-29, 9-31

deleting 6-29, 9-31

described 6-28, 9-29

editing 6-29, 9-31

Event Variables tab

configuring 6-29, 9-31

field descriptions 6-28, 9-30

Event Viewer window field descriptions 17-3

evError A-9

evLogTransaction A-9

evShunRqst A-9

evStatus A-9

example custom signatures

Atomic IP Advanced 7-25

Meta 7-22

examples

ASA failover configuration C-70

Meta engine signature 7-22

external product interfaces

adding 15-7

described 15-1

issues 15-3, C-22

troubleshooting 15-10, C-23

trusted hosts 15-5

External Product Interfaces pane

described 15-5

field descriptions 15-5

external zone

configuring 10-30

protocols 10-28

user roles 10-28

External Zone tab

described 10-28

tabs 10-28

user roles 10-28

F

fail-over testing 5-10

false positives described 7-4

files

IDSM2 password recovery 16-9, C-13

Firefox

certificates 1-7

validating CAs 1-7

Fixed engine described B-30

Fixed ICMP engine parameters (table) B-30

Fixed TCP engine parameters (table) B-31

Fixed UDP engine parameters (table) B-32

Flood engine described B-33

Flood Host engine parameters (table) B-33

Flood Net engine parameters (table) B-34

flow states clearing 17-27

FTP servers supported 16-19, 21-2

G

gadgets

adding 2-1

CPU, Memory, & Load 2-11

customizing 2-1

Dashboard pane 2-2

Global Correlation Health 2-8

Global Correlation Reports 2-7

IDM 2-2

IDM home pane 1-3

Interface Status 2-6

Licensing 2-5

Network Security 2-9

Sensor Health 2-4

Sensor Information 2-3

Top Applications 2-10

general settings

configuring 6-34, 9-35

described 6-33, 9-34

General tab

configuring 6-34, 9-35

described 6-33, 9-34, 10-15, 10-22

enabling zones 10-15, 10-22

field descriptions 6-34, 9-35

user roles 6-33, 9-34

generating diagnostics reports 17-30

global correlation

described 1-1, 11-1, 11-2, A-4

disabling 11-12

DNS server 11-6

error messages A-31

features 11-5

goals 11-5

health metrics 11-7

HTTP proxy server 11-6

IPv6 support 6-20, 6-21, 6-29, 9-18, 9-23, 9-30, 11-6

license 1-9, 4-3, 11-6, 11-8, 18-1, 18-5

Produce Alert 7-9, 9-8, 11-5, B-7

requirements 11-6

troubleshooting 11-12, C-21

update client (illustration) 11-8

update client described A-30

update server described A-30

Global Correlation Health gadget

configuring 2-9

described 2-8

Global Correlation Reports gadget

configuring 2-7

described 2-7

Global Variables pane field description 16-18

GRUB menu password recovery 16-4, C-8

H

H.225.0 protocol B-45

H.323 protocol B-45

hardware bypass

autonegotiation 5-11

configuration restrictions 5-11

fail-over 5-10

IPS 4260 5-10

IPS 4270-20 5-10

supported configurations 5-10

with software bypass 5-10

Home pane

device information 1-3

gadgets 1-3

health information 1-3

interface status 1-3

licensing information 1-3

system resources usage 1-3

updating 1-3

Host Blocks pane

configuring 17-7

described 17-6

host posture events

CSA MC 15-4

described 15-2

HTTP/HTTPS servers 16-19, 21-2

HTTP deobfuscation

ASCII normalization 8-14, B-47

described 8-14, B-47

hw-module module 1 reset command C-67

hw-module module slot_number password-reset command 16-6, C-10

I

IDAPI

communications A-3, A-33

described A-3

functions A-33

illustration A-33

responsibilities A-33

IDCONF

described A-34

example A-34

XML A-34

IDIOM

defined A-34

messages A-34

IDM

Analysis Engine is busy C-57

certificates 1-7, 12-8

cookies 1-6

cryptographic features 1-1

described 1-2, 1-5

gadgets 2-2

GUI 1-3

logging in 1-5

Signature Wizard supported signature engines 8-2

supported platforms 1-4

system requirements 1-4

TLS 1-7, 12-8

user interface 1-3

web browsers 1-2, 1-5

will not load C-56

IDSM2

command and control port C-64

configuring

maintenance partition (Catalyst software) 21-30

maintenance partition (Cisco IOS software) 21-34

initializing 18-20

installing

system image (Catalyst software) 21-27

system image (Cisco IOS software) 21-28

logging in 19-8

password recovery 16-9, C-12

password recovery image file 16-9, C-13

reimaging 21-27

sessioning 19-8

setup command 18-20

supported configurations C-61

TCP reset port C-66

time sources 4-8, C-16

upgrading

maintenance partition (Catalyst software) 21-37

maintenance partition (Cisco IOS software) 21-38

illegal zone

configuring 10-25

user roles 10-22

Illegal Zone tab

described 10-22

user roles 10-22

IME time synchronization problems C-59

Imported OS pane

clearing 17-26

described 17-26

field descriptions 17-26

imported OS values

clearing 17-26

deleting 17-26

inactive mode (anomaly detection) 10-4

initializing

AIM IPS 18-13

AIP SSM 18-16

appliances 18-8

IDSM2 18-20

NME IPS 18-24

sensors 4-1, 18-1, 18-4

user roles 18-1

verifying 18-27

inline interface pair mode

configuration restrictions 5-8

described 5-13

Inline Interface Pair window

described 3-9

Startup Wizard 3-9

inline VLAN pair mode

configuration restrictions 5-8

configuring 3-11

described 5-14

supported sensors 5-14

UDLD protocol 5-23

Inline VLAN Pairs pane user roles 5-21

Inline VLAN Pairs window

described 3-10

field descriptions 3-10

Startup Wizard 3-10

Inspection/Reputation pane

configuring 11-10

described 11-8

field descriptions 11-9

installer major version 20-5

installer minor version 20-5

installing

sensor license 1-11, 16-14

system image

AIM IPS 21-21

AIP SSM 21-25

IDSM2 (Catalyst software) 21-27

IDSM2 (Cisco IOS software) 21-28

IPS 4240 21-14

IPS 4255 21-14

IPS 4260 21-17

IPS 4270-20 21-19

NME IPS 21-39

InterfaceApp

described A-19

interactions A-20

NIC drivers A-19

InterfaceApp described A-3

interface pairs

configuring 5-20

described 5-19

Interface Pairs pane

configuring 5-20

described 5-19

field descriptions 5-19

user roles 5-19

interfaces

alternate TCP reset 5-2

command and control 5-2

configuration restrictions 5-8

configuring 5-18

described 3-7, 5-1

disabling 5-18

editing 5-18

enabling 5-18

logical 3-7

physical 3-7

port numbers 5-1

sensing 5-2, 5-3

slot numbers 5-1

support (table) 5-4

TCP reset 5-6

VLAN groups 5-2

Interface Selection window

described 3-9

Startup Wizard 3-9

Interfaces pane

configuring 5-18

described 5-16

field descriptions 5-17

user roles 5-16

Interface Status gadget

configuring 2-7

described 2-6

Interface Summary window described 3-7

internal zone

configuring 10-18

user roles 10-15

Internal Zone tab

described 10-15

user roles 10-15

Internet Explorer validating certificates 1-8

IP fragmentation described B-38

IP fragment reassembly

configuring 7-42

described 7-40

mode 7-42

parameters (table) 7-40

signatures 7-42

signatures (example) 7-42

signatures (table) 7-40

IP logging

described 7-50, 17-12

event actions 17-13

system performance 17-12

IP Logging pane

configuring 17-14

described 17-13

field descriptions 17-13

user roles 17-13

IP Logging Variables pane described 16-17

IP logs

circular buffer 17-13

states 17-12

TCPDUMP 17-13

viewing 17-14

WireShark 17-13

IPS 4240

installing system image 21-14

password recovery 16-5, C-9

reimaging 21-14

IPS 4255

installing system image 21-14

password recovery 16-5, C-9

reimaging 21-14

IPS 4260

hardware bypass 5-10

installing system image 21-17

reimaging 21-17

IPS 4270-20

hardware bypass 5-10

installing system image 21-19

reimaging 21-19

IPS appliances

Deny Connection Inline 9-10, C-71

Deny Packet Inline 9-10, C-71

Reset TCP Connection 9-10, C-71

TCP reset packets 9-10, C-71

IPS applications

internal communications A-33

summary A-37

table A-37

XML format A-2

IPS data

types A-8

XML document A-8

IPS events

evAlert A-9

evError A-9

evLogTransaction A-9

evShunRqst A-9

evStatus A-9

list A-9

types A-9

IPS modules

time synchronization 4-8, C-17

unsupported features 3-1

IPS Policies pane

described 6-8

field descriptions 6-9

IPS software

application list A-2

available files 20-1

configuring device parameters A-4

directory structure A-36

Linux OS A-1

obtaining 20-1

platform-dependent release examples 20-7

retrieving data A-5

security features A-5

tuning signatures A-5

updating A-5

user interaction A-4

versioning scheme 20-3

IPS software file names

major updates (illustration) 20-4

minor updates (illustration) 20-4

patch releases (illustration) 20-4

service packs (illustration) 20-4

IPv4 target value rating

adding 6-19, 9-21

configuring 6-19, 9-21

deleting 6-19, 9-21

editing 6-19, 9-21

IPv4 Target Value Rating tab

configuring 6-19, 9-21

field descriptions 6-19, 9-20

IPv6

described B-28

SPAN ports 5-12

switches 5-12

IPv6 target value rating

adding 6-22, 9-23

configuring 6-22, 9-23

deleting 6-22, 9-23

editing 6-22, 9-23

IPv6 Target Value Rating tab

configuring 6-22, 9-23

field descriptions 6-21, 9-22

K

KBs

comparing 17-20

default filename 10-12

deleting 17-22

described 10-3

downloading 17-23

histogram 10-12, 17-16

initial baseline 10-3

learning accept mode 10-12

loading 17-21

monitoring 17-18

renaming 17-23

saving 17-22

scanner threshold 10-12, 17-16

tree structure 10-12, 17-16

uploading 17-24

Knowledge Base. See KB.

Known Host Keys pane

configuring 12-6

described 12-5

field descriptions 12-5

L

Learned OS pane

clearing 17-25

described 17-25

field descriptions 17-25

learned OS values

clearing 17-25

deleting 17-25

learning accept mode (anomaly detection) 10-3

Learning Accept Mode tab

configuring 10-14

described 10-12

field descriptions 10-13, 10-14

user roles 10-12

license files

BSD license D-3

expat license D-12

GNU Lesser license D-33

GNU license D-28

license key

uninstalling 16-15

license key trial 1-9, 16-12

licensing

described 1-9, 16-12

IPS device serial number 1-9, 16-12

Licensing gadget

configuring 2-6

described 2-5

Licensing pane

configuring 1-11, 16-14

described 1-9, 16-12

field descriptions 1-11, 16-14

user roles 1-11, 16-12

limitations for concurrent CLI sessions 19-1

listings UNIX-style 16-19

loading KBs 17-21

local authentication configuring 4-23

Logger

described A-3, A-19

functions A-19

syslog messages A-19

logging in

AIM IPS 19-5

AIP SSM 19-6

appliances 19-2

IDM 1-5

IDSM2 19-8

NME IPS 19-10

sensors

SSH 19-11

Telnet 19-11

service role 19-2

terminal servers 19-3, 21-13

user role 19-1

LOKI

described B-69

protocol B-69

loose connections on sensors C-24

M

MainApp

components A-6

described A-2, A-6

host statistics A-6

responsibilities A-6

show version command A-6

maintenance partition

configuring

IDSM2 (Catalyst software) 21-30

IDSM2 (Cisco IOS software) 21-34

described A-3

major updates described 20-3

managing rate limiting 17-11

manifests

client A-30

server A-30

manual block to bogus host C-43

master blocking sensor

described 13-25

not set up properly C-44

Master Blocking Sensor pane

configuring 13-26

described 13-24

field descriptions 13-25

Master engine

alert frequency B-6

alert frequency parameters (table) B-6

described B-3

event actions 9-8

general parameters (table) B-4

universal parameters B-4

master engine parameters

obsoletes B-6

promiscuous delta B-5

vulnerable OSes B-6

merging configuration files C-2

Meta engine

component signatures B-34

described 7-21, B-34

parameters (table) B-36

Signature Event Action Processor 7-21, B-34

Meta Event Generator described 6-33, 9-34

MIBs supported 14-6, C-19

minor updates described 20-3

Miscellaneous tab

button functions 7-30

configuring

application policy 7-38

IP fragment reassembly mode 7-42

IP logging 7-50

TCP stream reassembly mode 7-48

described 7-29

field descriptions 7-30

user roles 7-28

modes

anomaly detection

detect 10-4

inactive 10-4

learning accept 10-3

bypass 5-27

inline interface pair 5-13

inline VLAN pair 5-14

promiscuous 5-11

VLAN Groups 5-14

modify packets inline modes 6-4

monitoring

events 17-3

KBs 17-18

moving OS maps 6-26, 9-27

Multi String engine

described B-37

parameters (table) B-37

Regex B-37

MySDN described 7-5

N

NAS-ID

described 4-24

RADIUS authentication 4-24

Neighborhood Discovery

options B-29

types B-29

Network Blocks pane

configuring 17-9

described 17-8

field descriptions 17-9

user roles 17-8

Network pane

configuring 4-3

described 4-2

field descriptions 4-2

TLS/SSL 4-4

user roles 4-2

network participation

data gathered 11-3

data use (table) 1-2, 11-2

described 11-3

health metrics 11-7

modes 11-4

requirements 11-4

statistics 11-4

Network Participation pane

configuring 11-11

described 11-10

field descriptions 11-11

Network Security gadget

configuring 2-10

described 2-9

network security health data resetting 17-28

never block

hosts 13-8

networks 13-8

NME IPS

initializing 18-24

installing system image 21-39

logging in 19-10

reimaging 21-39

session command 19-9

sessioning 19-9, 19-10

setup command 18-24

Normalizer engine

described B-38

IP fragment reassembly B-38

parameters (table) B-40

TCP stream reassembly B-39

Normalizer mode described 6-4

NotificationApp

alert information A-9

described A-3

functions A-9

SNMP gets A-9

SNMP traps A-9

statistics A-11

system health information A-10

NTP

authenticated 4-7, 4-14, C-16

configuring servers 4-13

described 4-7, C-16

incorrect configuration 4-9, C-17

sensor time source 4-13, 4-14

time synchronization 4-7, C-16

unauthenticated 4-7, 4-14, C-16

verifying configuration 4-9

O

obsoletes field described B-6

one-way TCP reset described 6-33, 9-34

Operation Settings tab

described 10-10

field descriptions 10-10

user roles 10-10

OS Identifications tab

described 6-24, 9-24

field descriptions 6-25, 9-26

OS maps

adding 6-26, 9-27

configuring 6-26, 9-27

deleting 6-26, 9-27

editing 6-26, 9-27

moving 6-26, 9-27

other actions (list) 9-9

Other Protocols tab

described 10-17, 10-24, 10-30

enabling other protocols 10-17

external zone 10-30

field descriptions 10-18, 10-30

illegal zone 10-24

P

P2P networks described B-53

partitions

application A-3

maintenance A-3

recovery A-3

Passive OS Fingerprinting

components 6-23, 9-25

configuring 6-24, 9-26

described 6-23, 9-25

password policy caution 16-2, 16-3

password recovery

AIP SSM 16-6, C-10

appliances 16-4, C-8

CLI 16-10, C-14

described 16-3, C-8

disabling 16-10, C-14

GRUB menu 16-4, C-8

IDSM2 16-9, C-12

IPS 4240 16-5, C-9

IPS 4255 16-5, C-9

platforms 16-3, C-8

ROMMON 16-5, C-9

troubleshooting 16-11, C-15

verifying 16-11, C-15

password requirements configuring 16-2

Passwords pane

described 16-2

field descriptions 16-2

patch releases described 20-4

peacetime learning (anomaly detection) 10-3

Peer-to-Peer. See P2P.

physical connectivity issues C-31

physical interfaces configuration restrictions 5-8

platforms concurrent CLI sessions 19-1

Post-Block ACLs 13-17, 13-18

Pre-Block ACLs 13-17, 13-18

prerequisites for blocking 13-5

promiscuous delta

calculating risk rating 6-5, 9-3

described 6-5, 9-3, B-5

promiscuous mode

described 5-11

packet flow 5-11

SPAN ports 5-12

VACL capture 5-12

protocols

ARP B-13

CIDEE A-35

DCE 8-11, B-50

DDoS B-69

H.323 B-45

H225.0 B-45

ICMPv6 B-14

IDAPI A-33

IDCONF A-34

IDIOM A-34

IPv6 B-28

LOKI B-69

MSSQL B-52

Neighborhood Discovery B-28, B-29

Q.931 B-45

RPC 8-11, B-50

SDEE A-35

Signature Wizard 8-10

UDLD 5-23

Q

Q.931 protocol

described B-45

SETUP messages B-45

quarantined IP address events described 15-2

R

RADIUS authentication

configuring 4-24

described 4-17

NAS-ID 4-24

service account 4-19

shared secret 4-24

rate limiting

ACLs 13-5

configuring 17-11

described 13-4

managing 17-11

percentages 17-10

routers 13-4

service policies 13-5

supported signatures 13-4

Rate Limits pane

described 17-10

field descriptions 17-10

rebooting the sensor 16-25

Reboot Sensor pane

configuring 16-25

described 16-25

user roles 16-25

recover command 21-10

recovering

AIP SSM C-68

application partition image 21-11

recovery partition

described A-3

upgrading 21-5

Regular Expression. See Regex.

regular expression syntax

signatures B-9

reimaging

AIM IPS 21-21

AIP SSM 21-24

appliances 21-10

described 21-1

IDSM2 21-27

IPS 4240 21-14

IPS 4255 21-14

IPS 4260 21-17

IPS 4270-20 21-19

NME IPS 21-39

sensors 20-8, 21-1

removing

service packs 21-10

signature updates 21-10

Rename Knowledge Base dialog box field descriptions 17-23

renaming KBs 17-23

reputation

described 11-2

illustration 11-3

servers 11-3

Reset Network Security Health pane

described 17-28

field descriptions 17-28

user roles 17-28

resetting

AIP SSM C-67

network security health data 17-28

passwords

AIP SSM 16-7, C-11

ASDM 16-8, C-12

hw-module command 16-6, C-10

Restore Default Interface dialog box field descriptions 3-8

Restore Defaults pane

configuring 16-24

described 16-24

user roles 16-24

restoring

current configuration C-4

defaults 16-24

risk categories

adding 6-32, 9-33

configuring 6-32, 9-33

deleting 6-32, 9-33

editing 6-32, 9-33

Risk Category tab

configuring 6-32, 9-33

described 6-31, 9-32

field descriptions 6-31, 9-32

risk rating

Alarm Channel 11-5

calculating 6-4, 9-2

component signatures B-34

described 6-23, 9-25

reputation score 11-4

ROMMON

described 21-12

IPS 4240 21-14

IPS 4255 21-14

IPS 4260 21-17

IPS 4270-20 21-17, 21-19

password recovery 16-5, C-9

remote sensors 21-12

serial console port 21-12

TFTP 21-12

round-trip time. See RTT.

Router Blocking Device Interfaces pane

configuring 13-20

described 13-17

field descriptions 13-19

RPC portmapper 8-17, B-53

RTT

described 21-13

TFTP limitation 21-13

rules0 pane

described 9-13

tabs 9-13

S

Save Knowledge Base dialog box

described 17-21

field descriptions 17-21

saving KBs 17-22

scheduling automatic upgrades 21-8

SDEE

described A-35

HTTP A-35

protocol A-35

server requests A-35

security

account locking 4-26

information on Cisco Security Intelligence Operations 20-10

security information

MySDN 7-5

security policies described 6-1, 7-1, 9-1, 10-1

security SSH 12-1

sensing interfaces

described 5-3

interface cards 5-3

modes 5-3

SensorApp

Alarm Channel A-26

Analysis Engine A-26

described A-3

event action filtering A-27

inline packet processing A-26

IP normalization A-26

packet flow A-27

processors A-24

responsibilities A-24

risk rating A-27

Signature Event Action Processor A-25, A-27

TCP normalization A-26

SensorBase Network

described 11-1, A-4

global correlation A-4

network traffic 11-2

Sensor Health gadget

configuring 2-5

described 2-4

metrics 2-4

status 2-4

Sensor Health pane

described 16-16

field descriptions 16-17

Sensor Information gadget

configuring 2-4

described 2-3

Sensor Key pane

button functions 12-7

described 12-7

field descriptions 12-7

sensor SSH key

displaying 12-7

generating 12-7

user roles 12-7

sensors

access problems C-25

asymmetric traffic and disabling anomaly detection C-19

blocking self 13-8

configuring to use NTP 4-14

corrupted SensorApp configuration C-36

diagnostics reports 17-30

disaster recovery C-6

downgrading 21-10

incorrect NTP configuration 4-9, C-17

initializing 4-1, 18-1, 18-4

interface support 5-4

IP address conflicts C-28

license 1-11, 16-14

logging in

SSH 19-11

Telnet 19-11

loose connections C-24

misconfigured access lists C-27

no alerts C-33, C-58

not seeing packets C-34

NTP time source 4-14

NTP time synchronization 4-7, C-16

partitions A-3

physical connectivity C-31

preventive maintenance C-2

rebooting 16-25

recovering the application partition 21-10

recovering the system image 20-8

reimaging 20-8, 21-1

restoring defaults 16-24

sensing process not running C-30

setting up 4-1

setup command 4-1, 18-1, 18-4, 18-8

shutting down 16-25

statistics 17-31

system images 20-8

system information 17-31

time sources 4-7, C-16

troubleshooting software upgrades C-55

updating 16-21, 16-23

upgrading 21-4

using NTP time source 4-13

Sensor Setup window

described 3-2

Startup Wizard 3-2

Server Certificate pane

button functions 12-11

certificate

displaying 12-11

generating 12-11

described 12-11

field descriptions 12-11

user roles 12-11

server manifest described A-30

service account

creating C-5

described 4-19, A-32, C-5

RADIUS authentication 4-19

TAC A-32

troubleshooting A-32

Service DNS engine

described B-42

parameters (table) B-42

Service engine

described B-41

Layer 5 traffic B-41

Service FTP engine

described B-43

parameters (table) B-43

PASV port spoof B-43

Service Generic engine

described B-44

parameters (table) B-44

Service H225 engine

ASN.1 PER validation B-45

described B-45

features B-46

parameters (table) B-46

TPKT validation B-45

Service HTTP engine

custom signature 8-15

described 8-14, B-47

example signature 8-15

parameters (table) B-48

Service IDENT engine

described B-49

parameters (table) B-50

service-module ids-sensor slot/port session command 19-4, 19-9

Service MSRPC engine

DCE/RPC protocol 8-11, B-50

described 8-11, B-50

parameters (table) B-51

Service MSSQL engine

described B-52

MSSQL protocol B-52

parameters (table) B-52

Service NTP engine

described B-52

parameters (table) B-52

Service P2P engine described B-53

service packs described 20-3

service role 4-18, 19-2, A-32

Service RPC engine

described 8-17, B-53

parameters (table) 8-17, B-53

RPC portmapper 8-17, B-53

Service SMB Advanced engine

described B-55

parameters (table) B-55

Service SNMP engine

described B-57

parameters (table) B-57

Service SSH engine

described B-57

parameters (table) B-58

Service TNS engine

described B-58

parameters (table) B-59

session command

AIM IPS 19-5

AIP SSM 19-6

IDSM2 19-8

NME IPS 19-9

sessioning

AIM IPS 19-5

AIP SSM 19-6

IDSM2 19-8

NME IPS 19-10

setting

current KB 17-21

setting up

sensors 4-1

terminal servers 19-3, 21-13

setup

automatic 18-2

command 4-1, 18-1, 18-4, 18-8, 18-13, 18-16, 18-20, 18-24

simplified mode 18-2

shared secret

described 4-24

RADIUS authentication 4-24

show events command C-91, C-92

show health command C-73

show interfaces command C-90

show settings command 16-11, C-15

show statistics command C-79, C-80

show statistics virtual-sensor command C-24, C-80

show tech-support command C-73, C-74

show version command C-76, C-77

Shut Down Sensor pane

configuring 16-25

described 16-25

user roles 16-25

shutting down the sensor 16-25

sig0 pane

default 7-3

described 7-3

field descriptions 7-6

signatures

assigning actions 7-17

cloning 7-14

tuning 7-16

tabs 7-3

signature/virus update files described 20-4

signature definition policies

adding 7-2

cloning 7-2

default policy 7-2

deleting 7-2

sig0 7-2

Signature Definitions pane

described 7-2

field descriptions 7-2

signature engines

AIC B-11

Atomic B-13

Atomic ARP B-13

Atomic IP 8-13, B-24

Atomic IP Advanced B-14

Atomic IPv6 B-28

creating custom signatures 8-1

described B-1

Fixed B-30

Flood B-33

Flood Host B-33

Flood Net B-34

list B-2

Master B-4

Meta 7-21, B-34

Multi String B-37

Normalizer B-38

Regex

patterns B-10

syntax B-9

Service B-41

Service DNS B-42

Service FTP B-43

Service Generic B-44

Service H225 B-45

Service HTTP 8-14, B-47

Service IDENT B-49

Service MSRPC 8-11, B-50

Service MSSQL B-52

Service NTP B-52

Service P2P B-53

Service RPC 8-17, B-53

Service SMB Advanced B-55

Service SNMP B-57

Service SSH B-57

Service TNS B-58

State 8-18, B-60

String 8-19, 8-22, B-61

supported by IDM 8-2

Sweep Other TCP B-67

Traffic Anomaly B-67

Traffic ICMP B-69

Trojan B-70

signature engine update files described 20-5

Signature Event Action Filter

described 9-6, A-28

parameters 9-6, A-28

Signature Event Action Handler described 9-6, A-28

Signature Event Action Override described 9-6, A-28

Signature Event Action Processor

Alarm Channel 9-6, A-28

components 9-6, A-28

described 9-6, A-25, A-27, A-28

signature fidelity rating

calculating risk rating 6-5, 9-3

described 6-5, 9-3

signatures

adding 7-13

alert frequency 7-19

assigning actions 7-17

cloning 7-15

custom 7-4

default 7-4

described 7-4

editing 7-16

false positives 7-4

rate limits 13-4

subsignatures 7-4

TCP reset C-52

tuned 7-4

tuning 7-16

signature updates installation time 16-19

signature variables

adding 7-27

deleting 7-27

described 7-27

editing 7-27

Signature Variables tab

configuring 7-27

field descriptions 7-27

Signature Wizard

alert behavior 8-24

Alert Response window field descriptions 8-24

Atomic IP Engine Parameters window field descriptions 8-13

described 8-1

ICMP Traffic Type window field descriptions 8-12

Inspect Data window field descriptions 8-12

MSRPC Engine Parameters window field descriptions 8-11

protocols 8-10

Protocol Type window field descriptions 8-10

Service HTTP Engine Parameters window field descriptions 8-14

Service RPC Engine Parameters window field descriptions 8-17

Service Type window field descriptions 8-13

signature identification 8-11

Signature Identification window field descriptions 8-11

State Engine Parameters window field descriptions 8-18

String ICMP Engine Parameters window field descriptions 8-19

String TCP Engine Parameters window field descriptions 8-20

String UDP Engine Parameters window field descriptions 8-22

supported signature engines 8-2

Sweep Engine Parameters window field descriptions 8-23

TCP Sweep Type window field descriptions 8-13

TCP Traffic Type window field descriptions 8-12

UDP Sweep Type window field descriptions 8-12

UDP Traffic Type window field descriptions 8-12

using 8-4

Welcome window field descriptions 8-10

SNMP

configuring 14-2

described 14-1

Get 14-1

GetNext 14-1

Set 14-1

supported MIBs 14-6, C-19

Trap 14-1

SNMP General Configuration pane

configuring 14-2

described 14-2

field descriptions 14-2

user roles 14-2

SNMP traps

configuring 14-4

described 14-1

SNMP Traps Configuration pane

described 14-4

field descriptions 14-4

user roles 14-3

software architecture

ARC (illustration) A-13

IDAPI (illustration) A-33

software bypass

supported configurations 5-10

with hardware bypass 5-10

software downloads Cisco.com 20-1

software file names

recovery (illustration) 20-6

signature/virus updates (illustration) 20-5

signature engine updates (illustration) 20-5

system image (illustration) 20-6

software release examples

platform-dependent 20-7

platform identifiers 20-7

platform-independent 20-6

software updates

supported FTP servers 16-19, 21-2

supported HTTP/HTTPS servers 16-19, 21-2

SPAN port issues C-31

SSH

security 12-1

understanding 12-1

SSH Server

private keys A-23

public keys A-23

standards

CIDEE A-35

IDCONF A-34

SDEE A-35

Startup Wizard

access lists 3-4

adding virtual sensors 3-13

Add Virtual Sensor dialog box 3-12

described 3-1

Inline Interface Pair window

described 3-9

field descriptions 3-9

Inline VLAN Pairs window configuring 3-11

Interface Selection window 3-9

Interface Summary window 3-7

Sensor Setup window

configuring 3-5

field descriptions 3-2

Traffic Inspection Mode window 3-9

Virtual Sensors window

described 3-12

field descriptions 3-12

State engine

Cisco Login 8-18, B-60

described 8-18, B-60

LPR Format String 8-18, B-60

parameters (table) B-60

SMTP 8-18, B-60

Statistics pane

button functions 17-30

categories 17-30

described 17-30

using 17-31

statistics viewing 17-31

String engine described 8-19, 8-22, B-61

String ICMP engine parameters (table) B-62

String TCP engine

custom signature 8-20

example signature 8-20

parameters (table) B-62

String UDP engine parameters (table) B-63

subinterface 0 described 5-15

subsignatures described 7-4

summarization

described 6-6, 9-5

Fire All 6-7, 9-5

Fire Once 6-7, 9-6

Global Summarization 6-7, 9-6

Meta engine 6-7, 9-5

Summary 6-7, 9-5

Summarizer described 6-33, 9-34

Summary pane

button functions 5-16

described 5-15

field descriptions 3-8, 5-16

supported

FTP servers 16-19, 21-2

HTTP/HTTPS servers 16-19, 21-2

IDM platforms 1-4

IDSM2 configurations C-61

IPS interfaces for CSA MC 15-4

Sweep engine

described 8-23, B-64

parameters (table) B-65, B-67

Sweep Other TCP engine described B-67

switch commands for troubleshooting C-61

system

design (illustration) A-2

IDAPI components A-34

IDM requirements 1-4

system architecture

directory structure A-36

supported platforms A-1

System Configuration Dialog

described 18-2

example 18-3

system images

installing

AIM IPS 21-21

AIP SSM 21-25

IDSM2 (Catalyst software) 21-27

IDSM2 (Cisco IOS software) 21-28

IPS 4240 21-14

IPS 4255 21-14

IPS 4270-20 21-19

NME IPS 21-39

sensors 20-8

System Information pane

described 17-31

using 17-31

system information viewing 17-31

T

TAC

service account 4-19, A-32, C-5

show tech-support command C-74

target value rating

calculating risk rating 6-5, 9-3

described 6-5, 6-19, 6-20, 9-3, 9-20, 9-22

TCP fragmentation described B-39

TCP Protocol tab

described 10-16, 10-23, 10-29

enabling TCP 10-16

external zone 10-29

field descriptions 10-16

illegal zone 10-23

TCP reset

described 5-6

interfaces (list) 5-7

not occurring C-52

not occurring for a signature C-52

TCP reset interfaces

conditions 5-7

described 5-6

TCP resets

IDSM2 port C-66

TCP stream reassembly

described 7-43

mode 7-48

parameters (table) 7-44

signatures (table) 7-44

terminal server setup 19-3, 21-13

testing fail-over 5-10

TFN2K

described B-69

Trojans B-70

TFTP servers

maximum file size limitation 21-13

RTT 21-12

threat rating described 6-6, 9-4

Thresholds for KB Name window

described 17-18

field descriptions 17-18

filtering information 17-18

time

correcting on sensors 4-12, C-18

sensors 4-7, C-16

synchronization for IPS modules 4-8, C-17

Time pane

configuring 4-11

described 4-7

field descriptions 4-9

user roles 4-7

time sources

AIP SSM 4-8, C-16

appliances 4-7, C-16

ASA modules C-17

IDSM2 4-8, C-16

TLS

described 4-4

handshaking 1-7, 12-8

IDM 1-7, 12-8

Top Applications gadget

configuring 2-10

described 2-10

Traffic Anomaly engine

described B-67

protocols B-67

signatures B-67

traffic flow notifications

configuring 5-29

described 5-29

Traffic Flow Notifications pane

configuring 5-29

field descriptions 5-29

user roles 5-29

Traffic ICMP engine

DDoS B-69

described B-69

LOKI B-69

parameters (table) B-70

TFN2K B-69

Traffic Inspection Mode window described 3-9

Traps Configuration pane configuring 14-4

trial license key 1-9, 16-12

Tribe Flood Network. See TFN.

Tribe Flood Network 2000. See TFN2K.

Trojan engine

BO2K B-70

described B-70

TFN2K B-70

Trojans

BO B-70

BO2K B-70

LOKI B-69

TFN2K B-70

troubleshooting C-1

AIP SSM

debugging C-68

recovering C-68

reset C-67

Analysis Engine busy C-57

applying software updates C-54

ARC

blocking not occurring for signature C-43

device access issues C-41

enabling SSH C-43

inactive state C-39

misconfigured master blocking sensor C-44

verifying device interfaces C-42

ASA 5500 AIP SSM

failover scenarios C-69

automatic updates C-54

cannot access sensor C-25

cidDump C-95

cidLog messages to syslog C-51

communication C-25

corrupted SensorApp configuration C-36

debug logger zone names (table) C-50

debug logging C-46

disaster recovery C-6

duplicate sensor IP addresses C-28

enabling debug logging C-46

external product interfaces 15-10, C-23

gathering information C-72

global correlation 11-12, C-21

IDM

cannot access sensor C-57

will not load C-56

IDSM2

command and control port C-64

diagnosing problems C-60

not online C-63, C-64

serial cable C-66

status indicator C-62

switch commands C-61

IME time synchronization C-59

IPS modules time drift 4-8, C-17

manual block to bogus host C-43

misconfigured access list C-27

no alerts C-33, C-58

NTP C-52

password recovery 16-11, C-15

physical connectivity issues C-31

preventive maintenance C-2

reset not occurring for a signature C-52

sensing process not running C-30

sensor events C-91

sensor loose connections C-24

sensor not seeing packets C-34

sensor software upgrade C-55

service account 4-19, C-5

show events command C-91

show interfaces command C-89, C-90

show statistics command C-79

show tech-support command C-73, C-75

show version command C-76

software upgrades C-53

SPAN port issue C-31

upgrading C-53

verifying Analysis Engine is running C-21

verifying ARC status C-38

Trusted Hosts pane

configuring 12-10

described 12-9

field descriptions 12-9

tuned signatures described 7-4

tuning

AIC signatures 7-39

IP fragment reassembly signatures 7-42

signatures 7-16

turning off anomaly detection 10-34

U

UDLD

configuring 5-23

described 5-23

UDP Protocol tab

described 10-17, 10-23, 10-29

enabling UDP 10-17

external zone 10-29

field descriptions 10-29

illegal zone 10-23

unassigned VLAN groups described 5-15

unauthenticated NTP 4-7, 4-14, C-16

UniDirectional Link Detection. See UDLD.

uninstalling

license key 16-15

UNIX-style directory listings 16-19

unlocking accounts 4-25

unlock user username command 4-25

Update Sensor pane

configuring 16-23

described 16-22

field descriptions 16-22

user roles 16-22

updating

Cisco.com 16-22

FTP server 16-22

Home pane 1-3

sensors 16-23

upgrade command 21-3, 21-5

upgrading

IPS software 20-8

latest version C-53

maintenance partition

IDSM2 (Catalyst software) 21-37

IDSM2 (Cisco IOS software) 21-38

minimum required version 20-8

recovery partition 21-5, 21-10

sensors 21-4

uploading KBs

FTP 17-24

SCP 17-24

Upload Knowledge Base to Sensor dialog box

described 17-24

field descriptions 17-24

URLs for Cisco Security Intelligence Operations 20-10

user roles authentication 4-17

users configuring 4-23

using

debug logging C-46

TCP reset interfaces 5-7

V

VACLs

described 13-3

Post-Block 13-22

Pre-Block 13-22

verifying

NTP configuration 4-9

password recovery 16-11, C-15

sensor initialization 18-27

sensor setup 18-27

viewing

IP logs 17-14

statistics 17-31

system information 17-31

virtual sensors

adding 3-13, 6-11

default virtual sensor 6-3, 6-8

deleting 6-11

described 6-2, 6-8

editing 6-11

stream segregation 6-4

Virtual Sensors window described 3-12

VLAN groups

802.1q encapsulation 5-15

configuration restrictions 5-9

configuring 5-26

deploying 5-25

described 5-14

switches 5-25

VLAN Groups pane

configuring 5-26

described 5-24

field descriptions 5-25

user roles 5-24

VLAN IDs 5-24

VLAN Pairs pane

configuring 5-22

described 5-21

field descriptions 5-22

vulnerable OSes field

described B-6

W

watch list rating

calculating risk rating 6-6, 9-4

described 6-6, 9-4

Web Server

described A-3, A-24

HTTP 1.0 and 1.1 support A-24

private keys A-23

public keys A-23

SDEE support A-24

worms

Blaster 10-2

Code Red 10-2

histograms 10-12

Nimda 10-2

protocols 10-3

Sasser 10-2

scanners 10-3

Slammer 10-2

SQL Slammer 10-2

Z

zones

external 10-4

illegal 10-4

internal 10-4