Cisco Intrusion Prevention System Manager Express Configuration Guide for IPS 7.0
Index


Numerics

4GE bypass interface card

configuration restrictions 7-11

described 7-10

802.1q encapsulation for VLAN groups 7-15

A

AAA RADIUS

functionality 6-20

limitations 6-20

accessing IPS software 24-2

access lists

misconfiguration C-28

necessary hosts 5-4

account locking

configuring 6-27

security 6-27

account unlocking

configuring 6-26

ACLs

adding 5-4

described 15-3

Post-Block 15-17, 15-18

Pre-Block 15-17, 15-18

Active Host Blocks pane

field descriptions 19-6

user roles 19-6

ad0 pane

default 11-10

described 11-10

tabs 11-10

Add ACL Entry dialog box field descriptions 5-4

Add Active Host Block dialog box field descriptions 19-7

Add Allowed Host dialog box

field descriptions 6-5

user roles 6-5

Add Authorized Key dialog box

field descriptions 14-3

user roles 14-2

Add Blocking Device dialog box

field descriptions 15-15

user roles 15-14

Add Cat 6K Blocking Device Interface dialog box

field descriptions 15-23

user roles 15-22

Add Configured OS Map dialog box field descriptions 8-26, 12-27

Add Destination Port dialog box field descriptions 11-16, 11-23, 11-30

Add Device Login Profile dialog box

field descriptions 15-13

user roles 15-12

Add Event Action Filter dialog box

field descriptions 8-14, 12-16

user roles 8-13, 12-15

Add Event Action Override dialog box

field descriptions 8-11, 12-13

user roles 8-10, 12-13

Add Event Variable dialog box

field descriptions 8-29, 12-30

user roles 8-28, 12-29

Add External Product Interface dialog box

field descriptions 17-6

user roles 17-5

Add Filter dialog box field descriptions 3-19

Add Histogram dialog box field descriptions 11-17, 11-24, 11-30

adding

ACLs 5-4

a host never to be blocked 15-11

anomaly detection policies 11-9

CSA MC interfaces 17-7

denied attackers 19-5

event action filters 8-16, 12-18

event action overrides 12-14

event action rules policies 12-12

event variables 8-29, 12-31

external product interfaces 17-7

host blocks 19-7

IPv4 target value rating 8-19, 12-21

IPv6 target value rating 8-22, 12-23

network blocks 19-9

OS maps 8-26, 12-28

risk categories 8-32, 12-33

signature definition policies 9-3

signatures 9-13

signature variables 9-27

virtual sensors 5-13, 8-11

Add Inline VLAN Pair dialog box field descriptions 5-10, 7-22

Add Interface Pair dialog box field descriptions 7-20

Add IP Logging dialog box field descriptions 19-14

Add IPv4 Target Value Rating dialog box

field descriptions 8-19, 12-21

user roles 8-19, 12-20

Add IPv6 Target Value Rating dialog box

field descriptions 8-21, 12-22

user roles 8-21, 12-22

Add Known Host Key dialog box

field descriptions 14-5

user roles 14-5

Add Master Blocking Sensor dialog box

field descriptions 15-26

user roles 15-25

Add Network Block dialog box field descriptions 19-9

Add Never Block Address dialog box

field descriptions 15-11

user roles 15-7

Add Policy dialog box field descriptions 9-2, 11-9, 12-11

Add Posture ACL dialog box field descriptions 17-7

Add Protocol Number dialog box field descriptions 11-18, 11-25, 11-32

Add Rate Limit dialog box

field descriptions 19-11

user role 19-10

Address Resolution Protocol. See ARP.

Add Risk Level dialog box field descriptions 8-32, 12-33

Add Router Blocking Device Interface dialog box

field descriptions 15-20

user roles 15-17

Add Signature dialog box field descriptions 9-8

Add Signature Variable dialog box

field descriptions 9-27

user roles 9-27

Add SNMP Trap Destination dialog box field descriptions 16-4

Add Trusted Host dialog box

field descriptions 14-10

user roles 14-9

Add User dialog box

field descriptions 6-23

user roles 6-17

Add Virtual Sensor dialog box

described 5-12, 8-9

field descriptions 5-12, 8-9

Add VLAN Group dialog box field descriptions 7-25

Advanced Alert Behavior Wizard

Alert Dynamic Response Fire All window field descriptions 10-29

Alert Dynamic Response Fire Once window field descriptions 10-30

Alert Dynamic Response Summary window field descriptions 10-30

Alert Summarization window field descriptions 10-29

Event Count and Interval window field descriptions 10-28

Global Summarization window field descriptions 10-31

AIC

policy 9-37

signatures (example) 9-38

AIC engine

AIC FTP B-11

AIC FTP engine parameters (table) B-13

AIC HTTP B-11

AIC HTTP engine parameters (table) B-12

described B-11

features B-11

signature categories 9-31

AIC policy enforcement

default configuration 9-31, B-11

described 9-31, B-11

sensor oversubscription 9-31, B-11

AIM IPS

initializing 23-13

installing system image 25-21

logging in 22-5

session command 22-5

sessioning 22-4, 22-5

setup command 23-13

AIP SSM

bypass mode 7-28

Deny Connection Inline 12-10, C-72

Deny Packet Inline 12-10, C-72

initializing 23-16

installing system image 25-25

logging in 22-6

Normalizer engine B-39, C-71

password recovery 18-6, C-10

recovering C-68

reimaging 25-24

Reset TCP Connection 12-10, C-72

resetting C-68

resetting the password 18-7, C-11

session command 22-6

setup command 23-16

TCP reset packets 12-10, C-72

time sources 6-8, C-17

Alarm Channel described 12-6, A-26

alert and log actions (list) 12-8

alert behavior

normal 10-28

Signature Wizard 10-28

alert frequency

aggregation 9-18

configuring 9-19

controlling 9-18

modes B-6

Allowed Hosts/Networks pane

configuring 6-5

field descriptions 6-5

alternate TCP reset interface 7-9

Analysis Engine

described 8-2

error messages C-25

IDM exits C-58

verify it is running C-21

virtual sensors 8-2

anomaly detection

asymmetric traffic 11-2, 11-35

caution 11-2, 11-35

configuration sequence 11-5

default configuration (example) 11-4

described 11-2

detect mode 11-4

disabling 11-36, C-20

event actions 11-6, B-66

inactive mode 11-4

learning accept mode 11-3

learning process 11-3

limiting false positives 11-13, 19-17

operation settings 11-11

protocols 11-3

signatures 11-6

signatures (table) 11-7, B-66

worms

attacks 11-12

described 11-3

zones 11-4

Anomaly Detection pane

button functions 19-17

described 19-16

field descriptions 19-17

user roles 19-16

anomaly detection policies

ad0 11-8

adding 11-9

cloning 11-9

default policy 11-8

deleting 11-9

Anomaly Detections pane

described 11-8

field descriptions 11-9

appliances

application partition image 25-11

GRUB menu 18-4, C-8

initializing 23-8

logging in 22-2

password recovery 18-4, C-8

terminal servers

described 22-3, 25-13

setting up 22-3, 25-13

time sources 6-7, C-16

UDLD protocol 7-23

upgrading recovery partition 25-5

Application Inspection and Control. See AIC.

application partition

described A-3

image recovery 25-11

application policy enforcement

described 9-31, B-11

disabled (default) 9-31, B-11

applications in XML format A-2

applying software updates C-54

ARC

ACLs 15-18, A-13

authentication A-14

blocking

application 15-2

connection-based A-16

not occurring for signature C-44

unconditional blocking A-16

block response A-13

Catalyst 6000 series switch

VACL commands A-18

VACLs A-18

Catalyst switches

VACLs A-15

VLANs A-15

checking status 15-3, 15-4

described A-3

design 15-2

device access issues C-41

enabling SSH C-43

features A-13

firewalls

AAA A-17

connection blocking A-17

NAT A-18

network blocking A-17

postblock ACL A-15

preblock ACL A-15

shun command A-17

TACACS+ A-18

formerly Network Access Controller 15-1, 15-3

functions 15-2

illustration A-12

inactive state C-39

interfaces A-13

maintaining states A-16

managed devices 15-8

master blocking sensors A-13

maximum blocks 15-2

misconfigured master blocking sensor C-45

nac.shun.txt file A-16

NAT addressing A-14

number of blocks A-14

postblock ACL A-15

preblock ACL A-15

prerequisites 15-5

rate limiting 15-4

responsibilities A-12

single point of control A-14

SSH A-13

supported devices 15-6, A-15

Telnet A-13

troubleshooting C-38

VACLs A-13

verifying device interfaces C-42

verifying status C-38

ARP

Layer 2 signatures B-13

protocol B-13

ARP spoof tools

dsniff B-13

ettercap B-13

ASA modules time sources C-17

ASDM resetting passwords 18-8, C-12

assigning actions to signatures 9-17

asymmetric traffic

anomaly detection 11-2, 11-35

caution 11-2, 11-35

disabling anomaly detection C-19

Atomic ARP engine

described B-13

parameters (table) B-13

Atomic IP Advanced engine

described B-14

restrictions B-15

Atomic IP engine

described 10-14, B-24

parameters (table) B-25

Atomic IPv6 engine

described B-28

signatures B-28

signatures (table) B-29

attack relevance rating

calculating risk rating 8-6, 12-3

described 8-6, 8-23, 12-3, 12-25

Attack Response Controller

described A-3

formerly known as Network Access Controller A-3

Attack Response Controller. See ARC.

attack severity rating

calculating risk rating 8-5, 12-3

described 8-5, 12-3

Attacks Over Time gadgets

configuring 3-13

described 3-13

attemptLimit command 6-27

audit mode

described 13-9

testing global correlation 13-9

authenticated NTP 6-7, 6-14, C-16

authentication

local 6-17

RADIUS 6-17

AuthenticationApp

authenticating users A-20

described A-3

login attempt limit A-20

method A-20

responsibilities A-20

secure communications A-21

sensor configuration A-20

Authentication pane

configuring 6-23

described 6-17

field descriptions 6-21

user roles 6-18

Authorized Keys pane

configuring 14-3

described 14-2

field descriptions 14-2

RSA authentication 14-2

RSA key generation tool 14-3

Auto/Cisco.com Update pane

button functions 18-20

configuring 18-21

described 18-19

field descriptions 18-20

UNIX-style directory listings 18-19

user roles 18-19

automatic setup 23-2

automatic updates

Cisco.com 18-19

servers

FTP 18-19

SCP 18-19

troubleshooting C-55

automatic upgrade

information required 25-6

autonegotiation for hardware bypass 7-11

auto-upgrade-option command 25-6

B

backing up

configuration C-3

current configuration C-4, C-5

BackOrifice. See BO.

BackOrifice 2000. See BO2K.


basic setup 23-4

blocking

described 15-2

disabling 15-8

master blocking sensor 15-25

necessary information 15-3

not occurring for signature C-44

prerequisites 15-5

supported devices 15-6

types 15-2

Blocking Devices pane

configuring 15-15

described 15-14

field descriptions 15-15

ssh host-key command 15-15

Blocking Properties pane

adding a host never to be blocked 15-11

configuring 15-10

described 15-7

field descriptions 15-8

BO

described B-68

Trojans B-68

BO2K

described B-68

Trojans B-68

Bug Toolkit

described C-1

URL C-1

bypass mode

AIP SSM 7-28

described 7-27

Bypass pane field descriptions 7-27

C

calculating risk rating

attack relevance rating 8-6, 12-3

attack severity rating 8-5, 12-3

promiscuous delta 8-6, 12-3

signature fidelity rating 8-5, 12-3

target value rating 8-5, 12-3

watch list rating 8-6, 12-4

cannot access sensor C-26

Cat 6K Blocking Device Interfaces pane

configuring 15-23

described 15-22

field descriptions 15-23

CDP mode

configuring 7-30

described 7-30

CDP Mode pane

configuring 7-30

field descriptions 7-30

certificates

displaying 14-11

generating 14-11

IDM 14-8

changing Microsoft IIS to UNIX-style directory listings 18-20

cidDump obtaining information C-95

CIDEE

defined A-34

example A-34

IPS extensions A-34

protocol A-34

supported IPS events A-34

cisco

default password 22-2

default username 22-2

Cisco.com

accessing software 24-2

downloading software 24-1

IPS software 24-1

software downloads 24-1

Cisco IOS software and rate limiting 15-4

Cisco Security Intelligence Operations

described 24-10

URL 24-10

Cisco Services for IPS

service contract 18-13

supported products 18-13

clear events command 6-12, 6-16, 19-4, C-18, C-95

Clear Flow States pane

described 19-27

field descriptions 19-28

clearing

events 6-16, 19-4, C-95

flow states 19-28

statistics C-80

clear password command 18-6, 18-10, C-10, C-13

CLI described A-3, A-29

client manifest described A-28

clock set command 6-16

Clone Event Action Rules dialog box field descriptions 12-11

Clone Policy dialog box field descriptions 9-2, 11-9

Clone Signature dialog box field descriptions 9-8

cloning

anomaly detection policies 11-9

event action rules policies 12-12

signature definition policies 9-3

signatures 9-15

CollaborationApp described A-3, A-27

color rules described 20-2

command and control interface

described 7-2

list 7-2

commands

attemptLimit 6-27

auto-upgrade-option 25-6

clear events 6-12, 6-16, 19-4, C-18, C-95

clear password 18-6, 18-10, C-10, C-13

clock set 6-16

copy backup-config C-3

copy current-config C-3

debug module-boot C-68

downgrade 25-10

erase license-key 18-16

hw-module module 1 reset C-68

hw-module module slot_number password-reset 18-6, C-10

session 22-5, 22-10

setup 6-1, 23-1, 23-4, 23-8, 23-13, 23-16, 23-20, 23-24

show events C-92

show health C-73

show settings 18-12, C-15

show statistics C-80

show statistics virtual-sensor C-25, C-80

show tech-support C-74

show version C-77

unlock user username 6-26

upgrade 25-3, 25-5

Compare Knowledge Bases dialog box field descriptions 19-20

comparing KBs 19-20, 19-21

component signatures

Meta engine B-34

risk rating B-34

configuration files

backing up C-3

merging C-3

configuration restrictions

alternate TCP reset interface 7-9

inline interface pairs 7-8

inline VLAN pairs 7-8

interfaces 7-8

physical interfaces 7-8

VLAN groups 7-9

Configured OS Map dialog box user roles 8-25, 12-24

Configure Summertime dialog box field descriptions 5-4, 6-10

configuring

account locking 6-27

account unlocking 6-26

AIC policy parameters 9-37

allowed hosts 6-5

allowed networks 6-5

application policy 9-38

Attacks Over Time gadgets 3-13

authorized keys 14-3

automatic upgrades 25-8

blocking devices 15-15

blocking properties 15-10

Cat 6K blocking device interfaces 15-23

CDP mode 7-30

CPU, Memory, & Load gadget 3-10

CSA MC IPS interfaces 17-4

device login profiles 15-13

event action filters 8-16, 12-18

events 19-3

event variables 8-29, 12-31

external zone 11-32

general settings 8-34, 12-36

Global Correlation Health gadget 3-8

Global Correlation Reports gadget 3-7

host blocks 19-7

illegal zone 11-25

inline VLAN pairs 5-11

inspection/reputation 13-10

interface pairs 7-20

interfaces 7-18

Interface Status gadget 3-6

internal zone 11-18

IP fragment reassembly signatures 9-41

IP logging 19-15

IPv4 target value rating 8-19, 12-21

IPv6 target value rating 8-22, 12-23

known host keys 14-6

learning accept mode 11-14

Licensing gadget 3-5

local authentication 6-23

maintenance partition

IDSM2 (Catalyst software) 25-30

IDSM2 (Cisco IOS software) 25-34

master blocking sensor 15-26

network blocks 19-9

network participation 13-11

Network Security gadget 3-9

network settings 6-3

NTP servers 6-13

operation settings 11-11

OS maps 8-26, 12-28

RADIUS authentication 6-24

rate limiting 19-11

rate limiting devices 15-15

risk categories 8-32, 12-33

router blocking device interfaces 15-20

RSS Feed gadgets 3-11

RSS feeds 4-2

Sensor Health gadget 3-5

Sensor Information gadget 3-3

Sensor Setup window 5-5

sensor to use NTP 6-14

SNMP 16-3

SNMP traps 16-4

TCP fragment reassembly parameters 9-48

time 6-10

Top Applications gadget 3-9

Top Attackers gadgets 3-11

Top Signatures gadgets 3-12

Top Victims gadgets 3-12

traffic flow notifications 7-29

trusted hosts 14-10

UDLD protocol 7-23

upgrades 25-4

users 6-23

VLAN groups 7-26

VLAN pairs 7-22

control transactions

characteristics A-8

request types A-8

copy backup-config command C-3

copy current-config command C-3

correcting time on the sensor 6-12, C-18

CPU, Memory, & Load gadget

configuring 3-10

described 3-10

creating

Atomic IP Advanced signature 9-25, 10-16

custom signatures

not using signature engines 10-4

Service HTTP 10-19

String TCP 10-24

using signature engines 10-2

IPv6 signatures 9-25, 10-16

Meta signatures 9-22

Post-Block VACLs 15-22

Pre-Block VACLs 15-22

service account C-6

cryptographic features (IME) 1-2

CSA MC

adding interfaces 17-7

configuring IPS interfaces 17-4

host posture events 17-1, 17-4

quarantined IP address events 17-1

supported IPS interfaces 17-4

CtlTransSource

described A-2, A-11

illustration A-11

current configuration, backing up C-3

current KB setting 19-22

custom signatures

described 9-5

IPv6 signature 9-25, 10-16

Meta signature 9-22

Custom Signature Wizard

Alert Response window field descriptions 10-28

Atomic IP Engine Parameters window field descriptions 10-15

ICMP Traffic Type window field descriptions 10-13

Inspect Data window field descriptions 10-13

MSRPC Engine Parameters window field descriptions 10-13

no signature engine sequence 10-4

Protocol Type window field descriptions 10-12

Service HTTP Engine Parameters window field descriptions 10-18

Service RPC Engine Parameters window field descriptions 10-21

Service Type window field descriptions 10-14

signature engine sequence 10-2

Signature Identification window field descriptions 10-12

State Engine Parameters window field descriptions 10-22

String ICMP Engine Parameters window field descriptions 10-23

String TCP Engine Parameters window field descriptions 10-23

String UDP Engine Parameters window field descriptions 10-26

Sweep Engine Parameters window field descriptions 10-27

TCP Sweep Type window field descriptions 10-14

TCP Traffic Type window field descriptions 10-14

UDP Sweep Type window field descriptions 10-14

UDP Traffic Type window field descriptions 10-13

Welcome window field descriptions 10-11

D

Dashboard pane gadgets 3-1

Data Archive pane

configuring 1-9

described 1-9

field descriptions 1-9

user roles 1-9

data archiving

configuring 1-9

data structures (examples) A-7

DDoS

protocols B-68

Stacheldraht B-68

TFN B-68

debug logging enable C-46

debug module-boot command C-68

default policies

ad0 11-8

rules0 12-12

sig0 9-2

defaults

KB filename 11-12

password 22-2

restoring 18-25

username 22-2

virtual sensor vs0 8-3

deleting

anomaly detection policies 11-9

event action filters 8-16, 12-18

event action overrides 12-14

event action rules policies 12-12

event variables 8-29, 12-31

imported OS values 19-27

IPv4 target value rating 8-19, 12-21

IPv6 target value rating 8-22, 12-23

KBs 19-23

learned OS values 19-26

OS maps 8-26, 12-28

risk categories 8-32, 12-33

signature definition policies 9-3

signature variables 9-27

virtual sensors 8-11

Demo mode (IME) 1-6

Denial of Service. See DoS.

denied attackers

adding 19-5

clearing list 19-5

hit count 19-4

resetting hit counts 19-5

Denied Attackers pane

described 19-4

field descriptions 19-5

user roles 19-4

using 19-5

deny actions (list) 12-8

Deny Packet Inline described 8-11, 12-10, B-9

detect mode (anomaly detection) 11-4

device access issues C-41

Device Details pane described 2-1

Device List pane

described 2-1

field descriptions 2-2

Device Login Profiles pane

configuring 15-13

described 15-12

field descriptions 15-12

devices

adding 2-4

deleting 2-4

editing 2-4

device tools

DNS lookup 2-6

ping 2-6

traceroute 2-6

whois 2-6

Diagnostics Report pane

button functions 19-30

described 19-30

user roles 19-30

using 19-30

diagnostics reports 19-30

Differences between knowledge bases KB_Name and KB_Name window field descriptions 19-20

disabling

anomaly detection 11-36, C-20

blocking 15-8

global correlation 13-12

interfaces 7-18

password recovery 18-10, C-14

disaster recovery C-6

displaying

events C-93

health status C-73

password recovery setting 18-12, C-15

statistics C-80

tech support information C-74

version C-77

Distributed Denial of Service. See DDoS.

DNS lookup device tool (IME) 1-3

DNS lookup device tools (IME) 2-6

DoS tools B-6

downgrade command 25-10

downgrading sensors 25-10

downloading

software 24-1

downloading KBs 19-24

Download Knowledge Base From Sensor dialog box

described 19-24

field descriptions 19-24

duplicate IP addresses C-29

E

Edit Actions dialog box field descriptions 9-9

Edit Allowed Host dialog box

field descriptions 6-5

user roles 6-5

Edit Authorized Key dialog box

field descriptions 14-3

user roles 14-2

Edit Blocking Device dialog box

field descriptions 15-15

user roles 15-14

Edit Cat 6K Blocking Device Interface dialog box

field descriptions 15-23

user roles 15-22

Edit Configured OS Map dialog box field descriptions 8-26, 12-27

Edit Destination Port dialog box field descriptions 11-16, 11-23, 11-30

Edit Device Login Profile dialog box

field descriptions 15-13

user roles 15-12

Edit Event Action Filter dialog box

field descriptions 8-14, 12-16

user roles 8-13, 12-15

Edit Event Action Override dialog box

field descriptions 8-11, 12-13

user roles 8-10, 12-13

Edit Event Variable dialog box

field descriptions 8-29, 12-30

user roles 8-28, 12-29

Edit External Product Interface dialog box

field descriptions 17-6

user roles 17-5

Edit Filter dialog box field descriptions 3-19

Edit Histogram dialog box field descriptions 11-17, 11-24, 11-30

editing

event action filters 8-16, 12-18

event action overrides 12-14

event variables 8-29, 12-31

interfaces 7-18

IPv4 target value rating 8-19, 12-21

IPv6 target value rating 8-22, 12-23

OS maps 8-26, 12-28

risk categories 8-32, 12-33

signatures 9-16

signature variables 9-27

virtual sensors 8-11

Edit Inline VLAN Pair dialog box field descriptions 5-10, 7-22

Edit Interface dialog box field descriptions 7-17

Edit Interface Pair dialog box field descriptions 7-20

Edit IP Logging dialog box field descriptions 19-14

Edit IPv4 Target Value Rating dialog box

field descriptions 8-19, 12-21

user roles 8-19, 12-20

Edit IPv6 Target Value Rating dialog box

field descriptions 8-21, 12-22

user roles 8-21, 12-22

Edit Known Host Key dialog box

field descriptions 14-5

user roles 14-5

Edit Master Blocking Sensor dialog box

field descriptions 15-26

user roles 15-25

Edit Never Block Address dialog box

field descriptions 15-11

user roles 15-7

Edit Posture ACL dialog box field descriptions 17-7

Edit Protocol Number dialog box field descriptions 11-18, 11-25, 11-32

Edit Risk Level dialog box field descriptions 8-32, 12-33

Edit Router Blocking Device Interface dialog box

field descriptions 15-20

user roles 15-17

Edit Signature dialog box field descriptions 9-8

Edit Signature Variable dialog box

field descriptions 9-27

user roles 9-27

Edit SNMP Trap Destination dialog box field descriptions 16-4

Edit User dialog box

field descriptions 6-23

user roles 6-17

Edit Virtual Sensor dialog box

field descriptions 8-9

user roles 8-9

Edit VLAN Group dialog box field descriptions 7-25

efficacy

described 13-4

measurements 13-4

email notification

configuring 1-11

enabling

debug logging C-46

event action filters 8-16, 12-18

event action overrides 12-14

interfaces 7-18

Encryption Software Export Distribution Authorization 24-2

engines

AIC B-11

Fixed B-30

Flood B-33

Master B-4

Meta 9-21, B-34

Multi String B-36

Normalizer B-38

Service DNS B-41

Service FTP B-42

Service Generic B-43

Service H225 B-44

Service HTTP 10-18, B-47

Service IDENT B-49

Service MSRPC 10-12, B-49

Service MSSQL B-51

Service NTP B-51

Service P2P B-52

Service RPC 10-21, B-52

Service SMB Advanced B-53

Service SNMP B-55

Service SSH B-56

Service TNS B-57

State 10-22, B-58

String 10-22, 10-23, 10-26, B-60

Sweep 10-26, B-63

Sweep Other TCP B-65

Traffic ICMP B-68

Trojan B-68

EPS

described 1-3

IME Home pane 1-3

erase license-key command 18-16

evAlert A-8

event action filters

adding 8-16, 12-18

configuring 8-16, 12-18

deleting 8-16, 12-18

described 8-13, 12-5

editing 8-16, 12-18

enabling 8-16, 12-18

Event Action Filters tab

button functions 12-16

configuring 8-16, 12-18

described 8-13, 12-15

field descriptions 8-14, 12-16

event action overrides

adding 12-14

deleting 12-14

described 8-4, 12-4

editing 12-14

enabling 12-14

risk rating range 8-4, 12-4

Event Action Overrides tab

described 12-13

field descriptions 12-13

event action rules

described 12-2

functions 12-2

Event Action Rules (rules0) pane described 12-12

Event Action Rules pane

described 12-11

field descriptions 12-11

user roles 12-11

event action rules policies

adding 12-12

cloning 12-12

deleting 12-12

event actions and threat rating 12-4

event connection status

displaying 2-5

starting 2-5

stopping 2-5

events

displaying C-93

host posture 17-2

quarantined IP address 17-2

Events pane

configuring 19-3

described 19-2

field descriptions 19-2

events per second. See EPS.

Event Store

clearing events 6-12, C-18

data structures A-7

described A-2

examples A-7

responsibilities A-7

timestamp A-7

event types C-91

event variables

adding 8-29, 12-31

configuring 8-29, 12-31

deleting 8-29, 12-31

described 8-28, 12-29

editing 8-29, 12-31

example 8-28, 12-30

Event Variables tab

configuring 8-29, 12-31

field descriptions 8-29, 12-30

Event Viewer

described 20-1

field descriptions 19-3

event views using 20-4

evError A-8

evLogTransaction A-8

evShunRqst A-8

evStatus A-8

example custom signatures

Atomic IP Advanced 9-25, 10-16

Meta 9-22

examples

ASA failover configuration C-70

email notifications 1-12

Meta engine signature 9-22

external product interfaces

adding 17-7

described 17-1

issues 17-3, C-22

troubleshooting 17-10, C-22

trusted hosts 17-5

External Product Interfaces pane

described 17-5

field descriptions 17-5

external zone

configuring 11-32

protocols 11-29

user roles 11-29

External Zone tab

described 11-29

tabs 11-29

user roles 11-29

F

fail-over testing 7-10

false positives described 9-5

files

IDSM2 password recovery 18-9, C-13

filtering described 20-2

filters configuring 3-16, 20-6

Filter tab field descriptions 20-3

Fixed engine described B-30

Fixed ICMP engine parameters (table) B-30

Fixed TCP engine parameters (table) B-31

Fixed UDP engine parameters (table) B-32

Flood engine described B-33

Flood Host engine parameters (table) B-33

Flood Net engine parameters (table) B-33

flow states clearing 19-28

FTP servers supported 18-19, 25-2

G

gadgets

Attacks Over Time 3-13

CPU, Memory, & Load 3-10

Dashboard pane 3-1

Global Correlation Health 3-7

Global Correlation Reports 3-6

IDM 3-1

IME 3-1

Interface Status 3-6

Licensing 3-5

Network Security 3-8

RSS Feed 3-11

Sensor Health 3-4

Sensor Information 3-3

Top Applications 3-9

Top Attackers 3-11

Top Signatures 3-12

Top Victims 3-12

General pane

configuring 1-13

described 1-13

field descriptions 1-13

user roles 1-13

general settings

configuring 8-34, 12-36

described 8-33, 12-34

General Settings tab

configuring 8-34, 12-36

described 8-33, 12-34

field descriptions 8-34

user roles 8-33, 12-34

General tab

described 11-15, 11-22

enabling zones 11-15, 11-22

field descriptions 12-35

generating diagnostics reports 19-30

global correlation

described 1-2, 13-1, 13-2, A-3

disabling 13-12

DNS server 13-6

error messages A-29

features 13-5

goals 13-5

health metrics 13-7

HTTP proxy server 13-6

IPv6 support 8-29, 13-7

license 6-3, 13-6, 13-9, 23-1, 23-5

Produce Alert 9-10, 12-8, B-7

requirements 13-6

troubleshooting 13-12, C-21

update client (illustration) 13-8

global correlation connection status

displaying 2-5

starting 2-5

stopping 2-5

Global Correlation Health gadget

configuring 3-8

described 3-7

Global Correlation Reports gadget

configuring 3-7

described 3-6

Global Variables pane field description 18-18

grouping events described 20-2

GRUB menu password recovery 18-4, C-8

H

H.225.0 protocol B-44

H.323 protocol B-44

hardware bypass

autonegotiation 7-11

configuration restrictions 7-11

fail-over 7-10

IPS 4270-20 7-10

supported configurations 7-10

with software bypass 7-10

health connection status

displaying 2-5

starting 2-5

stopping 2-5

Host Blocks pane

configuring 19-7

described 19-6

host posture events

CSA MC 17-4

described 17-2

HTTP/HTTPS servers 18-19, 25-2

HTTP deobfuscation

ASCII normalization 10-18, B-47

described 10-18, B-47

hw-module module 1 reset command C-68

hw-module module slot_number password-reset command 18-6, C-10

I

IDAPI

communications A-3, A-32

described A-3

functions A-32

illustration A-32

responsibilities A-32

IDCONF

described A-33

example A-33

IDIOM messages A-33

XML A-33

IDIOM

defined A-32

messages A-32

IDM

Analysis Engine is busy C-58

certificates 14-8

gadgets 3-1

Signature Wizard supported signature engines 10-3

TLS 14-8

will not load C-57

IDSM2

command and control port C-65

configuring

maintenance partition (Catalyst software) 25-30

maintenance partition (Cisco IOS software) 25-34

initializing 23-20

installing

system image (Catalyst software) 25-27

system image (Cisco IOS software) 25-28, 25-29

logging in 22-8

password recovery 18-8, C-12

password recovery image file 18-9, C-13

reimaging 25-27

sessioning 22-8

setup command 23-20

supported configurations C-62

TCP reset port C-66

time sources 6-7, C-16

upgrading

maintenance partition (Catalyst software) 25-37

maintenance partition (Cisco IOS software) 25-38

illegal zones

configuring 11-25

user roles 11-22

Illegal Zone tab

described 11-22

user roles 11-22

IME

color rules 20-2

configuring

email notification 1-11

filters 3-16, 20-6

RSS feeds 4-2

views 3-16, 20-6

cryptographic features 1-2

Demo mode 1-6

described 1-1

devices

adding 2-4

deleting 2-4

editing 2-4

email notification example 1-12

EPS 1-3

event connection status

displaying 2-5

starting 2-5

stopping 2-5

Event Viewer 20-1

filtering 20-2

gadgets 3-1

global correlation connection status

displaying 2-5

starting 2-5

stopping 2-5

grouping events 20-2

health connection status

displaying 2-5

starting 2-5

stopping 2-5

installation notes and caveats 1-7

IPS versions 1-5

menu features 1-3

MySQL database 1-7

password requirements 1-7

reports

configuring 21-2

described 21-1

generating 21-2

types 21-1

supported platforms 1-4

system requirements 1-4

using event views 20-4

video help 1-3

working with

top attacker IP addresses 3-13

top signatures 3-15

top victim IP addresses 3-13

IME Home pane

described 1-3

EPS 1-3

features 1-3

IME time synchronization problems C-59

Imported OS pane

clearing 19-27

described 19-26

field descriptions 19-27

inactive mode (anomaly detection) 11-4

initializing

AIM IPS 23-13

AIP SSM 23-16

appliances 23-8

IDSM2 23-20

NME IPS 23-24

sensors 6-1, 23-1, 23-4

user roles 23-2

verifying 23-27

inline interface pair mode

configuration restrictions 7-8

described 7-13

illustration 7-13

Inline Interface Pair window

described 5-9

Startup Wizard 5-9

inline VLAN pair mode

configuration restrictions 7-8

configuring 5-11

described 7-14

illustration 7-14

supported sensors 7-14

UDLD protocol 7-23

Inline VLAN Pairs window

described 5-9

field descriptions 5-10

Startup Wizard 5-9

Inspection/Reputation pane

configuring 13-10

described 13-8

field descriptions 13-9

installing

sensor license 18-15

system image

AIM IPS 25-21

AIP SSM 25-25

IDSM2 (Catalyst software) 25-27

IDSM2 (Cisco IOS software) 25-28, 25-29

IPS 4240 25-14

IPS 4255 25-14

IPS 4260 25-17

IPS 4270-20 25-19

NME IPS 25-39

InterfaceApp

described A-3, A-19

interactions A-19

NIC drivers A-19

interface pairs

configuring 7-20

described 7-19

Interface Pairs pane

configuring 7-20

described 7-19

field descriptions 7-20

interfaces

alternate TCP reset 7-2

command and control 7-2

configuration restrictions 7-8

configuring 7-18

described 5-7, 7-1

disabling 7-18

editing 7-18

enabling 7-18

logical 5-7

physical 5-7

port numbers 7-1

sensing 7-2, 7-3

slot numbers 7-1

support (table) 7-4

TCP reset 7-6

VLAN groups 7-2

Interface Selection window

described 5-9

Startup Wizard 5-9

Interfaces pane

configuring 7-18

described 7-16

field descriptions 7-17

Interface Status gadget

configuring 3-6

described 3-6

Interface Summary window

described 5-7

internal zones

configuring 11-18

user roles 11-15

Internal Zone tab

described 11-15

user roles 11-15

IP fragmentation described B-38

IP fragment reassembly

configuring 9-41

described 9-39

example signature 9-41

mode 9-41

parameters (table) 9-39

signatures 9-41

signatures (table) 9-39

IP logging

described 9-49, 19-13

event actions 19-13

system performance 19-13

IP Logging pane

configuring 19-15

described 19-13

field descriptions 19-14

user roles 19-13

IP Logging Variables pane described 18-18

IP logs

circular buffer 19-13

states 19-13

TCPDUMP 19-13

viewing 19-15

WireShark 19-13

IPS 4240

installing system image 25-14

password recovery 18-5, C-9

reimaging 25-14

IPS 4255

installing system image 25-14

password recovery 18-5, C-9

reimaging 25-14

IPS 4260

installing system image 25-17

reimaging 25-17

IPS 4270-20

hardware bypass 7-10

installing system image 25-19

reimaging 25-19

IPS appliances

Deny Connection Inline 12-10, C-72

Deny Packet Inline 12-10, C-72

Reset TCP Connection 12-10, C-72

TCP reset packets 12-10, C-72

IPS applications

summary A-35

table A-35

XML format A-2

IPS data

types A-8

XML document A-8

IPS events

evAlert A-8

evError A-8

evLogTransaction A-8

evShunRqst A-8

evStatus A-8

list A-8

types A-8

IPS internal communications A-32

IPS Manager Express described 1-1

IPS modules

time synchronization 6-8, C-17

unsupported features 5-1

IPS Policies pane

described 8-8

field descriptions 8-9

IPS software

application list A-2

available files 24-1

configuring device parameters A-4

directory structure A-34

Linux OS A-1

obtaining 24-1

platform-dependent release examples 24-6

retrieving data A-4

security features A-5

tuning signatures A-4

updating A-4

user interaction A-4

versioning scheme 24-3

IPS software file names

major updates (illustration) 24-4

minor updates (illustration) 24-4

patch releases (illustration) 24-4

service packs (illustration) 24-4

IPS versions supported (IME) 1-5

IPv4 target value rating

adding 8-19, 12-21

configuring 8-19

deleting 8-19, 12-21

editing 8-19, 12-21

IPv4 Target Value Rating tab

configuring 8-19, 12-21

field descriptions 8-19, 12-21

IPv6

described B-28

SPAN ports 7-12

switches 7-12

IPv6 target value rating

adding 8-22, 12-23

configuring 8-22, 12-23

deleting 8-22, 12-23

editing 8-22, 12-23

IPv6 Target Value Rating tab

configuring 8-22, 12-23

field descriptions 8-21, 12-22

K

KBs

comparing 19-21

default filename 11-12

deleting 19-23

described 11-3

downloading 19-24

histogram 11-12, 19-16

initial baseline 11-3

learning accept mode 11-12

loading 19-22

monitoring 19-19

renaming 19-23

saving 19-22

scanner threshold 11-12, 19-16

tree structure 11-12, 19-16

uploading 19-25

Knowledge Base. See KB.

Known Host Keys pane

configuring 14-6

described 14-5

field descriptions 14-5

L

Learned OS pane

clearing 19-26

described 19-26

field descriptions 19-26

learned OS values

clearing 19-26

deleting 19-26

learning accept mode

anomaly detection 11-3

configuring 11-14

user roles 11-12

Learning Accept Mode tab

described 11-12

field descriptions 11-13, 11-14

user roles 11-12

license files

BSD license D-3

expat license D-12

GNU Lesser license D-33

GNU license D-28

license key

uninstalling 18-16

license key trial 18-13

licensing

described 18-13

IPS device serial number 18-13

Licensing gadget

configuring 3-5

described 3-5

Licensing pane

configuring 18-15

described 18-13

field descriptions 18-14

user roles 18-12

limitations for concurrent CLI sessions 22-1, A-29

listings UNIX-style 18-19

loading KBs 19-22

local authentication configuring 6-23

Logger

described A-3, A-19

functions A-19

syslog messages A-19

logging in

AIM IPS 22-5

AIP SSM 22-6

appliances 22-2

IDSM2 22-8

NME IPS 22-10

sensors

SSH 22-11

Telnet 22-11

service role 22-2

terminal servers 22-3, 25-13

user role 22-1

LOKI

described B-68

protocol B-68

loose connections on sensors C-23

M

MainApp

components A-5

described A-2, A-5

host statistics A-6

responsibilities A-6

show version command A-6

maintenance partition

configuring

IDSM2 (Catalyst software) 25-30

IDSM2 (Cisco IOS software) 25-34

maintenance partition described A-3

major updates described 24-3

Manage Filter Rules dialog box field descriptions 3-18

managing rate limiting 19-11

manifests

client A-28

server A-28

manual block to bogus host C-43

master blocking sensor

described 15-25

not set up properly C-45

Master Blocking Sensor pane

configuring 15-26

described 15-25

field descriptions 15-26

Master engine

alert frequency B-6

alert frequency parameters (table) B-6

described B-3

event actions B-7

general parameters (table) B-4

universal parameters B-4, B-6

master engine parameters

obsoletes B-6

promiscuous delta B-5

vulnerable OSes B-6

merging configuration files C-3

Meta engine

component signatures B-34

described 9-21, B-34

parameters (table) B-35

Signature Event Action Processor 9-22, B-34

Meta Event Generator described 8-33, 12-34

Meta signature

component signatures B-34

MIBs supported 16-6, C-19

minor updates described 24-3

Miscellaneous tab

button functions 9-30

configuring

application policy 9-37

IP fragment reassembly mode 9-41

IP logging 9-49

TCP stream reassembly mode 9-47

described 9-29

field descriptions 9-30

user roles 9-29

modes

anomaly detection detect 11-4

anomaly detection inactive 11-4

anomaly detection learning accept 11-3

bypass 7-27

inline interface pair 7-13

inline VLAN pair 7-14

promiscuous 7-11, 7-12

VLAN Groups 7-14

modify packets inline modes 8-4

monitoring

events 19-3

KBs 19-19

moving OS maps 8-26, 12-28

Multi String engine

described B-36

parameters (table) B-37

Regex B-36

MySDN described 9-5

MySQL database

coexisting with IME 1-7

installing IME 1-7

N

NAS-ID

described 6-24

RADIUS authentication 6-24

Neighborhood Discovery

Atomic IPv6 engine B-28

options B-29

types B-29

Network Blocks pane

configuring 19-9

described 19-9

field descriptions 19-9

user roles 19-8

Network pane

configuring 6-3

field descriptions 6-2

TLS/SSL 6-4

user roles 6-2

network participation

data gathered 13-3

data use (table) 1-2, 13-2

described 13-3

health metrics 13-7

modes 13-4

requirements 13-4

statistics 13-4

Network Participation pane

configuring 13-11

described 13-10

field descriptions 13-11

Network Security gadget

configuring 3-9

described 3-8

network security health data resetting 19-29

never block

hosts 15-8

networks 15-8

NME IPS

initializing 23-24

installing system image 25-39

logging in 22-10

reimaging 25-39

session command 22-10

sessioning 22-9, 22-10

setup command 23-24

Normalizer engine

described B-38

parameters (table) B-40

Normalizer mode described 8-4

NotificationApp

alert information A-9

described A-3

functions A-9

SNMP gets A-9

SNMP traps A-9

statistics A-10

system health information A-10

Notification pane

configuring 1-11

field descriptions 1-10

user roles 1-10

NTP

authenticated 6-7, 6-14, C-16

configuring servers 6-13

described 6-7, C-16

incorrect configuration 6-8, C-17

sensor time source 6-13, 6-14

time synchronization 6-7, C-16

unauthenticated 6-7, 6-14, C-16

verifying configuration 6-9

O

obsoletes field described B-6

one-way TCP reset described 8-33, 12-35

Operation Settings tab

described 11-10

field descriptions 11-11

OS Identifications tab

described 8-25, 12-24

field descriptions 8-25, 12-27

OS maps

adding 8-26, 12-28

configuring 8-26, 12-28

deleting 8-26, 12-28

editing 8-26, 12-28

moving 8-26, 12-28

other actions (list) 12-9

Other Protocols tab

described 11-17, 11-24, 11-25, 11-31

enabling other protocols 11-17

external zone 11-31

field descriptions 11-18, 11-31

illegal zone 11-24, 11-25

P

P2P networks described B-52

partitions

application A-3

maintenance A-3

recovery A-3

passive OS fingerprinting

components 8-23, 12-25

configuring 8-24, 12-26

described 8-23, 12-25

password policy caution 18-2, 18-3

password recovery

AIP SSM 18-6, C-10

appliances 18-4, C-8

CLI 18-11, C-14

described 18-3, C-8

disabling 18-10, C-14

GRUB menu 18-4, C-8

IDSM2 18-8, C-12

IPS 4240 18-5, C-9

IPS 4255 18-5, C-9

platforms 18-3, C-8

ROMMON 18-5, C-9

troubleshooting 18-11, C-15

verifying 18-12, C-15

password requirements configuring 18-2

Passwords pane

described 18-1

field descriptions 18-2

patch releases described 24-3

peacetime learning (anomaly detection) 11-3

Peer-to-Peer. See P2P.

physical connectivity issues C-32

physical interfaces configuration restrictions 7-8

ping device tool (IME) 1-3

ping IME device tools 2-6

platforms and concurrent CLI sessions 22-1, A-29

Post-Block ACLs 15-17, 15-18

Pre-Block ACLs 15-17, 15-18

prerequisites for blocking 15-5

promiscuous delta

calculating risk rating 8-6, 12-3

described 8-6, 12-3

promiscuous delta described B-5

promiscuous mode

atomic attacks 7-12

described 7-11, 7-12

illustration 7-12

packet flow 7-11, 7-12

SPAN ports 7-12

VACL capture 7-12

protocols

ARP B-13

CDP 7-30

CIDEE A-34

DCE 10-13, B-49

DDoS B-68

H.323 B-44

H225.0 B-44

ICMPv6 B-14

IDAPI A-32

IDCONF A-33

IDIOM A-32

IPv6 B-28

LOKI B-68

MSSQL B-51

Neighborhood Discovery B-29

Q.931 B-45

RPC 10-13, B-49

SDEE A-33

Signature Wizard 10-12

UDLD 7-23

Q

Q.931 protocol

described B-45

SETUP messages B-45

quarantined IP address events described 17-2

R

RADIUS authentication

configuring 6-24

described 6-17

NAS-ID 6-24

service account 6-20

shared secret 6-25

rate limiting

ACLs 15-5

configuring 19-11

described 15-4

managing 19-11

percentages 19-10

routers 15-4

service policies 15-5

supported signatures 15-4

Rate Limits pane

described 19-10

field descriptions 19-11

rebooting the sensor 18-26

Reboot Sensor pane

configuring 18-26

described 18-26

user roles 18-26

receiving RSS feeds 4-1

recover command 25-10

recovering

AIP SSM C-68

application partition image 25-11

recovery partition

described A-3

upgrading 25-5

Regular Expression. See Regex.

regular expression syntax signatures B-9

reimaging

AIP SSM 25-24

appliances 25-10

described 25-1

IDSM2 25-27

IPS 4240 25-14

IPS 4255 25-14

IPS 4260 25-17

IPS 4270-20 25-19

NME IPS 25-39

sensors 24-8, 25-1

removing

last applied

service pack 25-10

signature update 25-10

Rename Knowledge Base dialog box field descriptions 19-23

renaming KBs 19-23

reports

configuring 21-2

described 21-1

generating 21-2

report types

Attacks Over Time 21-1

Top Attackers 21-1

Top Signatures 21-1

Top Victim 21-1

reputation

described 13-2

illustration 13-3

servers 13-3

requirements

IME passwords 1-7

Reset Network Security Health pane

described 19-29

field descriptions 19-29

user roles 19-29

reset not occurring for a signature C-52

resetting

AIP SSM C-68

network security health data 19-29

passwords

ASDM 18-8, C-12

hw-module command 18-6, C-10

resetting the password

AIP SSM 18-7, C-11

Restore Default Interface dialog box field descriptions 5-8

Restore Defaults pane

configuring 18-25

described 18-25

user roles 18-25

restoring

current configuration C-5

defaults 18-25

restoring the current configuration C-4, C-5

risk categories

adding 8-32, 12-33

configuring 8-32, 12-33

deleting 8-32, 12-33

editing 8-32, 12-33

Risk Category tab

configuring 8-32, 12-33

described 8-31, 12-32

field descriptions 8-31, 12-33

risk rating

Alarm Channel 13-5

calculating 8-5, 12-2

component signatures B-34

described 8-23, 12-25

reputation score 13-4

ROMMON

described 25-12

IPS 4240 25-14

IPS 4255 25-14

IPS 4260 25-17

IPS 4270-20 25-17, 25-19

password recovery 18-5, C-9

remote sensors 25-12

serial console port 25-12

TFTP 25-12

round-trip time. See RTT.

Router Blocking Device Interfaces pane

configuring 15-20

described 15-17

field descriptions 15-19

RPC portmapper 10-21, B-52

RSS Feed gadgets

configuring 3-11

described 3-11

RSS feeds

channels 4-1

configuring 4-2

described 4-1

formats 4-1

receiving 4-1

RTT

described 25-13

TFTP limitation 25-13

S

Save Knowledge Base dialog box

described 19-22

field descriptions 19-22

saving KBs 19-22

scheduling automatic upgrades 25-8

SDEE

described A-33

HTTP A-33

protocol A-33

server requests A-33

security

account locking 6-27

information on Cisco Security Intelligence Operations 24-10

MySDN 9-5

security policies described 8-1, 9-1, 11-1, 12-1

security SSH 14-1

sensing interfaces

described 7-3

interface cards 7-3

modes 7-3

SensorApp

Alarm Channel A-24

Analysis Engine A-24

anomaly detection A-25

described A-3

event action filtering A-25

inline packet processing A-24

IP normalization A-24

packet flow A-25

process not running C-30

processors A-22

responsibilities A-22

Signature Event Action Processor A-23, A-25

TCP normalization A-24

SensorBase Network

described 1-2, 13-1, A-3

participation 1-2, 13-2

servers 1-2

Sensor Health gadget

configuring 3-5

described 3-4

metrics 3-4

status 3-4

Sensor Health pane

described 18-17

field descriptions 18-17

Sensor Information gadget

configuring 3-3

described 3-3

Sensor Key pane

button functions 14-7

described 14-7

field descriptions 14-7

sensor SSH key

displaying 14-7

generating 14-7

user roles 14-7

sensors

access problems C-26

asymmetric traffic and disabling anomaly detection C-19

blocking themselves 15-8

configuring to use NTP 6-14

corrupted SensorApp configuration C-37

diagnostics reports 19-30

disaster recovery C-6

downgrading 25-10

incorrect NTP configuration 6-8, C-17

initializing 6-1, 23-1, 23-4

interface support 7-4

IP address conflicts C-29

license 18-15

logging in

SSH 22-11

Telnet 22-11

loose connections C-23

misconfigured access lists C-28

no alerts C-33, C-59

not seeing packets C-35

NTP time source 6-14

NTP time synchronization 6-7, C-16

partitions A-3

physical connectivity C-32

preventive maintenance C-2

rebooting 18-26

recovering the system image 24-8

reimaging 24-8, 25-1

restoring defaults 18-25

sensing process not running C-30

setting up 6-1

setup command 6-1, 23-1, 23-4, 23-8

shutting down 18-26

statistics 19-31

system images 24-8

system information 19-32

time sources 6-7, C-16

troubleshooting software upgrades C-56

updating 18-21, 18-24

upgrading 25-4

using NTP time source 6-13

Sensor Setup window

described 5-2

Startup Wizard 5-2

Server Certificate pane

button functions 14-11

certificate

displaying 14-11

generating 14-11

described 14-11

field descriptions 14-11

user roles 14-11

server manifest described A-28

service account

creating C-6

described 6-19, A-31, C-5

RADIUS authentication 6-20

TAC A-31

troubleshooting A-31

Service DNS engine

described B-41

parameters (table) B-41

Service engine

described B-41

Layer 5 traffic B-41

Service FTP engine

described B-42

parameters (table) B-43

PASV port spoof B-42

Service Generic engine

described B-43

parameters (table) B-44

Service H225 engine

ASN.1 PER validation B-45

described B-44

features B-45

parameters (table) B-46

TPKT validation B-45

Service HTTP engine

custom signature 10-19

described 10-18, B-47

example signature 10-19

parameters (table) B-47

Service IDENT engine

described B-49

parameters (table) B-49

service-module ids-sensor slot/port session command 22-4, 22-9

Service MSRPC engine

DCE/RPC protocol 10-13, B-49

described 10-12, B-49

parameters (table) B-50

Service MSSQL engine

described B-51

MSSQL protocol B-51

parameters (table) B-51

Service NTP engine

described B-51

parameters (table) B-51

Service P2P engine described B-52

service packs described 24-3

service role 6-19, 22-2, A-30

Service RPC engine

described 10-21, B-52

parameters (table) 10-21, B-52

RPC portmapper 10-21, B-52

Service SMB Advanced engine

described B-53

parameters (table) B-54

Service SNMP engine

described B-55

parameters (table) B-56

Service SSH engine

described B-56

parameters (table) B-56

Service TNS engine

described B-57

parameters (table) B-57

session command

AIM IPS 22-5

AIP SSM 22-6

IDSM2 22-8

NME IPS 22-10

sessioning

AIM IPS 22-5

AIP SSM 22-6

IDSM2 22-8

NME IPS 22-10

setting

current KB 19-22

system clock 6-16

setting up

sensors 6-1

terminal servers 22-3, 25-13

setup

automatic 23-2

command 6-1, 23-1, 23-4, 23-8, 23-13, 23-16, 23-20, 23-24

simplified mode 23-2

shared secret

described 6-25

RADIUS authentication 6-25

show events command C-91, C-92

show health command C-73

show interfaces command C-90

show settings command 18-12, C-15

show statistics command C-79, C-80

show statistics virtual-sensor command C-25, C-80

show tech-support command C-74

show version command C-77

Shut Down Sensor pane

configuring 18-26

described 18-26

user roles 18-26

shutting down the sensor 18-26

sig0 pane

default 9-4

described 9-4

signatures

assigning actions 9-17

cloning 9-14

tuning 9-16

tabs 9-4

sig0 pane field descriptions 9-7

signature/virus update files described 24-4

signature definition policies

adding 9-3

cloning 9-3

default policy 9-2

deleting 9-3

sig0 9-2

Signature Definitions pane

described 9-2

field descriptions 9-2

signature engines

AIC B-11

Atomic B-13

Atomic ARP B-13

Atomic IP 10-14, B-24

Atomic IP Advanced B-14

Atomic IPv6 B-28

creating custom signatures 10-2

described B-1

event actions B-7

Fixed B-30

Flood B-33

Flood Host B-33

Flood Net B-33

list B-2

Master B-4

Meta 9-21, B-34

Multi String B-36

Normalizer B-38

Regex

patterns B-10

syntax B-9

Service B-41

Service DNS B-41

Service FTP B-42

Service Generic B-43

Service H225 B-44

Service HTTP 10-18, B-47

Service IDENT B-49

Service MSRPC 10-12, B-49

Service MSSQL B-51

Service NTP engine B-51

Service P2P B-52

Service RPC 10-21, B-52

Service SMB Advanced B-53

Service SNMP B-55

Service SSH engine B-56

Service TNS B-57

State 10-22, B-58

String 10-22, 10-23, 10-26, B-60

supported by IDM 10-3

Sweep Other TCP B-65

Traffic Anomaly B-66

Traffic ICMP B-68

Trojan B-68

signature engine update files described 24-4

Signature Event Action Filter

described 12-6, A-26

parameters 12-6, A-26

Signature Event Action Handler described 12-6, A-26

Signature Event Action Override described 12-6, A-26

Signature Event Action Processor

Alarm Channel 12-6, A-26

components 12-6, A-26

described 12-6, A-23, A-25, A-26

signature fidelity rating

calculating risk rating 8-5, 12-3

described 8-5, 12-3

signatures

adding 9-13

alert frequency 9-19

assigning actions 9-17

cloning 9-15

custom 9-5

default 9-5

described 9-4

editing 9-16

false positives 9-5

rate limits 15-4

subsignatures 9-5

tuned 9-5

tuning 9-16

signatures and TCP reset C-52

signature updates installation time 18-20

signature variables

adding 9-27

deleting 9-27

described 9-27

editing 9-27

Signature Variables tab

configuring 9-27

field descriptions 9-27

Signature Wizard

alert behavior 10-28

described 10-1

protocols 10-12

signature identification 10-12

supported signature engines 10-3

using 10-5

SNMP

configuring 16-3

described 16-1

Get 16-1

GetNext 16-1

Set 16-1

supported MIBs 16-6, C-19

Trap 16-1

SNMP General Configuration pane

configuring 16-3

described 16-2

field descriptions 16-2

user roles 16-2

SNMP traps

configuring 16-4

described 16-1

SNMP Traps Configuration pane

button functions 16-4

described 16-4

field descriptions 16-4

software architecture

ARC (illustration) A-12

IDAPI (illustration) A-32

software bypass

supported configurations 7-10

with hardware bypass 7-10

software downloads Cisco.com 24-1

software file names

recovery (illustration) 24-5

signature/virus updates (illustration) 24-4

signature engine updates (illustration) 24-5

system image (illustration) 24-5

software release examples

platform-dependent 24-6

platform identifiers 24-7

platform-independent 24-6

software updates

supported FTP servers 18-19, 25-2

supported HTTP/HTTPS servers 18-19, 25-2

SPAN port issues C-32

SSH

described 14-1

security 14-1

SSH Server

private keys A-21

public keys A-21

standards for CIDEE A-34

Startup Wizard

access lists 5-4

adding virtual sensors 5-13

Add Virtual Sensor dialog box 5-12

AIP SSM 5-2

described 5-1

Inline Interface Pair window

described 5-9

field descriptions 5-9

Inline VLAN Pairs window configuring 5-11

Interface Selection window 5-9

Interface Summary window 5-7

Sensor Setup window 5-2

configuring 5-5

field descriptions 5-2

Traffic Inspection Mode window 5-8

Virtual Sensors window

described 5-12

field descriptions 5-12

VLAN groups unsupported 5-1, 5-8

State engine

Cisco Login 10-22, B-58

described 10-22, B-58

LPR Format String 10-22, B-58

parameters (table) B-59

SMTP 10-22, B-58

Statistics pane

button functions 19-31, 19-32

categories 19-31

described 19-31

using 19-31

statistics viewing 19-31

String engine described 10-22, 10-23, 10-26, B-60

String ICMP engine parameters (table) B-61

String TCP engine

custom signature 10-24

example signature 10-24

parameters (table) B-61

String UDP engine parameters (table) B-62

subinterface 0 described 7-15

subsignatures described 9-5

summarization

described 8-7, 12-5

Fire All 8-7, 12-5

Fire Once 8-7, 12-6

Global Summarization 8-7, 12-6

Meta engine 8-7, 12-5

Summary 8-7, 12-5

Summarizer described 8-33, 12-34

Summary pane

button functions 7-16

described 7-15

field descriptions 5-8, 7-16

supported

FTP servers 18-19, 25-2

HTTP/HTTPS servers 18-19, 25-2

IDSM2 configurations C-62

IPS interfaces for CSA MC 17-4

platforms for IME 1-4

Sweep engine

described 10-26, B-63

parameters (table) B-64, B-65

Sweep Other TCP engine described B-65

switch commands for troubleshooting C-62

system architecture

directory structure A-34

supported platforms A-1

system clock setting 6-16

System Configuration Dialog

described 23-2

example 23-2

system design (illustration) A-2

system image

installing

AIM IPS 25-21

AIP SSC-5 25-25

AIP SSM 25-25

IDSM2 (Catalyst software) 25-27

IDSM2 (Cisco IOS software) 25-28

IPS 4240 25-14

IPS 4255 25-14

IPS 4260 25-17

IPS 4270-20 25-19

NME IPS 25-39

sensors 24-8

System Information pane

described 19-31

using 19-32

system information viewing 19-32

system requirements for IME 1-4

T

TAC

service account 6-19, A-31, C-5

show tech-support command C-74

target value rating

calculating risk rating 8-5, 12-3

described 8-5, 8-19, 8-21, 12-3, 12-20, 12-22

TCP fragmentation described B-38

TCP Protocol tab

described 11-16, 11-23, 11-29

enabling TCP 11-16

external zone 11-29

field descriptions 11-16

illegal zone 11-23

TCP reset

not occurring C-52

TCP reset interfaces

conditions 7-7

described 7-6

list 7-7

TCP resets

IDSM2 port C-66

TCP stream reassembly

described 9-42

mode 9-47

parameters (table) 9-43

signatures (table) 9-43

terminal server setup 22-3, 25-13

testing fail-over 7-10

TFN2K

described B-68

Trojans B-68

TFTP servers

maximum file size limitation 25-13

RTT 25-12

threat rating

described 8-6, 12-4

risk rating 12-4

Thresholds for KB Name window

described 19-18

field descriptions 19-19

filtering information 19-18

time

correction on the sensor 6-12, C-18

sensors 6-7, C-16

synchronization for IPS modules 6-8, C-17

Time pane

configuring 6-10

described 6-7

field definitions 6-9, 6-10

user roles 6-7

time sources

AIP SSM 6-8, C-17

appliances 6-7, C-16

ASA modules C-17

IDSM2 6-7, C-16

TLS

described 6-4

handshaking 14-8

IDM 14-8

Top Applications gadget

configuring 3-9

described 3-9

Top Attackers gadgets

configuring 3-11

described 3-11

Top Signatures gadgets

configuring 3-12

described 3-12

Top Victims gadgets

configuring 3-12

described 3-12

traceroute device tool (IME) 1-3

traceroute IME device tools 2-6

Traffic Anomaly engine

described B-66

protocols B-66

signatures B-66

traffic flow notifications

configuring 7-29

described 7-29

Traffic Flow Notifications pane

configuring 7-29

field descriptions 7-29

Traffic ICMP engine

DDoS B-68

described B-68

LOKI B-68

parameters (table) B-68

TFN2K B-68

Traffic Inspection Mode window described 5-8

Traps Configuration pane configuring 16-4

trial license key 18-13

Tribe Flood Network. See TFN.

Tribe Flood Network 2000. See TFN2K.

Trojan engine

BO2K B-68

described B-68

TFN2K B-68

Trojans

BO B-68

BO2K B-68

LOKI B-68

TFN2K B-68

troubleshooting C-1

AIP SSM

debugging C-68

recovering C-68

reset C-68

Analysis Engine busy C-58

applying software updates C-54

ARC

blocking not occurring for signature C-44

device access issues C-41

enabling SSH C-43

inactive state C-39

misconfigured master blocking sensor C-45

verifying device interfaces C-42

ASA 5500 AIP SSM

failover scenarios C-69

automatic updates C-55

cannot access sensor C-26

cidDump C-95

cidLog messages to syslog C-51

communication C-26

corrupted SensorApp configuration C-37

debug logger zone names (table) C-50

debug logging C-46

disaster recovery C-6

duplicate sensor IP addresses C-29

enabling debug logging C-46

external product interfaces 17-10, C-22

gathering information C-73

global correlation 13-12, C-21

IDM

cannot access sensor C-58

will not load C-57

IDSM2

command and control port C-65

diagnosing problems C-60

not online C-64

serial cable C-67

status indicator C-63

switch commands C-62

IME time synchronization C-59

IPS modules time drift 6-8, C-17

manual block to bogus host C-43

misconfigured access list C-28

no alerts C-33, C-59

NTP C-52

password recovery 18-11, C-15

physical connectivity issues C-32

preventive maintenance C-2

reset not occurring for a signature C-52

sensing process not running C-30

sensor events C-91

sensor loose connections C-23

sensor not seeing packets C-35

sensor software upgrade C-56

service account 6-19, C-5

show events command C-91

show interfaces command C-90

show statistics command C-79

show tech-support command C-74, C-75

show version command C-77

software upgrades C-53

SPAN port issue C-32

upgrading C-54

verifying Analysis Engine is running C-21

verifying ARC status C-38

Trusted Hosts pane

configuring 14-10

described 14-9

field descriptions 14-9

tuned signatures described 9-5

tuning

AIC signatures 9-38

IP fragment reassembly signatures 9-41

signatures 9-16

U

UDLD described 7-23

UDP Protocol tab

described 11-17, 11-24, 11-31

enabling UDP 11-17

external zone 11-31

field descriptions 11-31

illegal zone 11-24

unassigned VLAN groups described 7-15

unauthenticated NTP 6-7, 6-14, C-16

UniDirectional Link Detection. See UDLD.

uninstalling

license key 18-16

UNIX-style directory listings 18-19

unlocking accounts 6-26

unlock user username command 6-26

updater client described A-28

Update Sensor pane

configuring 18-24

described 18-23

field descriptions 18-23

user roles 18-23

updating

Cisco.com 18-23

FTP server 18-23

sensors 18-24

upgrade command 25-3, 25-5

upgrading

latest version C-54

maintenance partition

IDSM2 (Catalyst software) 25-37

IDSM2 (Cisco IOS software) 25-38

minimum required version 24-7

recovery partition 25-5, 25-10

sensors 25-4

to 6.2 24-7

to 7.0 24-7

uploading KBs

FTP 19-24

SCP 19-24

Upload Knowledge Base to Sensor dialog box

described 19-24

field descriptions 19-24

URLs for Cisco Security Intelligence Operations 24-10

user roles authentication 6-17

users

configuring 6-23

Users pane

configuring 6-23

user roles A-30

using

debug logging C-46

TCP reset interfaces 7-7

V

VACLs

described 15-3

Post-Block 15-22

Pre-Block 15-22

verifying

NTP configuration 6-9

password recovery 18-12, C-15

sensor initialization 23-27

sensor setup 23-27

video help described 1-3

viewing

IP logs 19-15

statistics 19-31

system information 19-32

virtual sensors

adding 5-13, 8-11

default virtual sensor 8-3, 8-8

deleting 8-11

described 8-2, 8-8

editing 8-11

stream segregation 8-4

Virtual Sensors window described 5-12

VLAN groups

802.1q encapsulation 7-15

configuration restrictions 7-9

configuring 7-26

deploying 7-24

described 7-14

switches 7-24

VLAN Groups pane

configuring 7-26

described 7-24

field descriptions 7-25

VLAN IDs 7-24

VLAN Pairs pane

configuring 7-22

described 7-21

field descriptions 7-21

vulnerable OSes field

described B-6

W

watch list rating

calculating risk rating 8-6, 12-4

described 8-6, 12-4

Web Server

described A-3, A-22

HTTP 1.0 and 1.1 support A-22

private keys A-21

public keys A-21

SDEE support A-22

whois device tool (IME) 1-3

whois IME device tools 2-6

worms

Blaster 11-2

Code Red 11-2

histograms 11-12

Nimda 11-2

protocols 11-3

Sasser 11-2

scanners 11-3

Slammer 11-2

SQL Slammer 11-2

Z

zones

external 11-4

illegal 11-4

internal 11-4