Index
Numerics
4GE bypass interface card
configuration restrictions 5-12
described 5-11
802.1q encapsulation for VLAN groups 5-31
A
AAA authentication
configuring 4-20
AAA RADIUS
functionality 4-26
limitations 4-26
accessing
IPS software 21-2
service account 4-25, C-5
access-list command 4-6
access list misconfiguration C-29
access lists
changing 4-6
configuring 4-6
account locking
configuring 4-30
security 4-30
account unlocking configuring 4-31
ACLs
described 14-3
Post-Block 14-22, 14-23
Pre-Block 14-22, 14-23
adaptive security appliance
sending IPS traffic (ASA 5500 AIP SSM) 18-10
adding
denied attackers 8-36
event action overrides 8-18
external product interfaces 11-6
global parameters 6-12
hosts to the SSH known hosts list 4-43, 4-44
login banners 4-9
signature variables 7-5
target value ratings 8-16
trusted hosts 4-48
users 4-15, 4-16, 4-27, 4-28
virtual sensors 6-6, 6-9
virtual sensors (ASA 5500 AIP SSM) 18-5
virtual sensors (ASA 5500-X IPS SSP) 19-5
virtual sensors (ASA 5585-X IPS SSP) 20-5
Address Resolution Protocol. See ARP.
administrative tasks notes and caveats 17-2
administrator role privileges 1-3
aggregation
alert frequency 8-33
operating modes 8-33
AIC engine
AIC FTP B-11
AIC FTP engine parameters (table) B-13
AIC HTTP B-11
AIC HTTP engine parameters (table) B-12
described B-11
features B-11
signature categories 7-17
AIC policy enforcement
default configuration 7-18, B-11
described 7-18, B-11
sensor oversubscription 7-18, B-11
Alarm Channel
described 8-3, A-26
risk rating 10-6
alert and log actions (list) 8-5
alert frequency
modes B-7
alert-frequency command 7-7
alert-severity command 7-9
alert severity configuring 7-9
allocate-ips command 18-4, 19-4, 20-4
ASA 5500 AIP SSM 18-16
ASA 5500-X IPS SSP 19-21
allow-sensor-block command 14-8
alternate TCP reset interface
configuration restrictions 5-14
designating 5-6
restrictions 5-3
Analysis Engine
described 6-2
error messages C-25
errors C-54
IDM exits C-58
sensing interfaces 5-4
verify it is running C-22
virtual sensors 6-2
anomaly detection 9-2
asymmetric traffic 9-2
caution 9-2
configuration sequence 9-5
default anomaly detection configuration 9-4
default configuration (example) 9-4
described 9-2
detect mode 9-4
enabling 9-8
event actions 9-6, B-73
inactive mode 9-4
learning accept mode 9-4
learning process 9-3
limiting false positives 9-37
protocols 9-3
signatures (table) 9-7, B-73
signatures described 9-6
worms
attacks 9-37
described 9-3
zones 9-4
anomaly detection disabling 9-49, C-21
anomaly-detection load command 9-41
anomaly detection operational settings
configuring 9-11, 9-39
described 9-10
anomaly detection policies
copying 9-9
creating 9-9
deleting 9-9
displaying 9-9
editing 9-9
lists 17-29
anomaly-detection save command 9-41
anomaly detection statistics
clearing 9-48
displaying 9-48
Anomaly Detection zones
illegal 9-20
internal 9-12
appliances
GRUB menu 17-3, C-8
initializing 3-8
logging in 2-2
password recovery 17-3, C-8
resetting 17-46
setting system clock 4-35, 17-27
terminal servers
described 2-3, 22-13
setting up 2-3, 22-13
time sources 4-32, C-17
upgrading recovery partition 22-7
Application Inspection and Control. See AIC.
application partition
described A-4
image recovery 22-12
application-policy command 7-18
application policy configuring 7-19
application policy enforcement described 7-18, B-11
applications in XML format A-4
applying software updates C-55
ARC
ACLs 14-22, A-14
authentication A-15
blocking
connection-based A-17
response A-13
unconditional blocking A-17
blocking application 14-2
blocking not occurring for signature C-44
Catalyst switches
VACL commands A-19
VACLs A-16, A-19
VLANs A-16
checking status 14-4, 14-5
described A-4
design 14-2
device access issues C-41
enabling SSH C-44
features A-14
firewalls
AAA A-18
connection blocking A-18
NAT A-18
network blocking A-18
postblock ACL A-16
preblock ACL A-16
shun command A-18
TACACS+ A-18
formerly Network Access Controller 14-1
functions 14-2, A-12
illustration A-13
inactive state C-40
interfaces A-14
maintaining states A-16
master blocking sensors A-14
maximum blocks 14-2
misconfigured master blocking sensor C-45
nac.shun.txt file A-16
NAT addressing A-15
number of blocks A-15
postblock ACL A-16
preblock ACL A-16
prerequisites 14-6
rate limiting 14-4
responsibilities A-13
single point of control A-15
SSH A-14
supported devices 14-6, A-15
Telnet A-14
troubleshooting C-38
VACLs A-14
verifying device interfaces C-43
verifying status C-39
ARP
Layer 2 signatures B-14
protocol B-14
ARP spoof tools
dsniff B-14
ettercap B-14
ASA 5500 AIP SSM
assigning virtual sensors 18-7
bypass mode 18-12
configuration tasks 18-1
creating virtual sensors 18-5
fail-open mode 18-10
fail-over mode 18-10
hw-module module 1 recover configure 18-16
hw-module module slot_number password-reset 18-15
hw-module module slot_number recover boot 18-16
hw-module module slot_number recover stop 18-16
hw-module module slot_number reload 18-15
hw-module module slot_number reset 18-15
hw-module module slot_number shutdown 18-15
initializing 3-13
inline mode 18-10
installing system image 22-28
logging in 2-4
Normalizer engine 18-12, B-38
notes and caveats 18-1
password recovery 17-4, C-10
promiscuous mode 18-10
receiving IPS traffic 18-10
recovering C-62
reimaging 22-27
resetting C-61
resetting the password 17-5, C-10
sensing interface 18-4
session command 2-4
sessioning in 2-4
setup command 3-13
show module command 18-3
task sequence 18-2
time sources 4-33, C-18
verifying initialization 18-3
virtual sensors
assigning policies 18-4, 19-5, 20-5
assigning the interface 18-4, 19-5, 20-5
assigning to security context 18-7
sequence 18-4, 19-4, 20-5
ASA 5500-X IPS SSP
assigning virtual sensors 19-7
bypass mode 19-9
configuration tasks 19-1
creating virtual sensors 19-5
initializing 3-17
logging in 2-5
memory usage 17-16, 19-11, C-76
memory usage values (table) 17-16, 19-11, C-76
no CDP mode support 5-41
Normalizer engine 19-10, B-38, C-75
notes and caveats 19-1
password recovery 17-7, C-12
resetting the password 17-7, C-12
sensing interface 19-4
session command 2-5
sessioning in 2-5
setup command 3-17
show module command 19-3
sw-module module 1 recover configure 19-12
sw-module module slot_number password-reset 19-12
sw-module module slot_number reload 19-12
sw-module module slot_number reset 19-12
sw-module module slot_number shutdown 19-12
task sequence 19-2
time sources 4-33, C-18
verifying initialization 19-3
virtual sensors
assigning policies 18-4, 19-5, 20-5
assigning the interface 18-4, 19-5, 20-5
virtual sensor sequence 18-4, 19-4, 20-5
ASA 5585-X IPS SSP
assigning virtual sensors 20-8
bypass mode 20-10
configuration tasks 20-1
creating virtual sensors 20-5
hw-module module 1 recover configure 20-12
hw-module module slot_number password-reset 20-12
hw-module module slot_number recover boot 20-12
hw-module module slot_number recover stop 20-12
hw-module module slot_number reload 20-12
hw-module module slot_number reset 20-12
hw-module module slot_number shutdown 20-12
initializing 3-20
installing system image 22-32
interfaces
command and control 20-4
described 20-4
port numbers 20-4
sensing 20-4
slot numbers 20-4
logging in 2-6
no CDP mode support 5-41, 20-1
Normalizer engine 20-10, B-38, C-82
notes and caveats 20-1
password recovery 17-8, C-14
resetting the password 17-9, C-14
sensing interface 20-4
session command 2-6
sessioning in 2-6
setup command 3-20
show module command 20-3
task sequence 20-2
time sources 4-33, C-18
verifying initialization 20-3
virtual sensors
assigning policies 18-4, 19-5, 20-5
assigning the interface 18-4, 19-5, 20-5
assigning to security context 20-7
sequence 20-5
ASA IPS modules
jumbo packet count 5-42, 18-15, 19-11, 20-11, C-65, C-76, C-83
ASDM
resetting passwords 17-6, 17-8, 17-10, C-12, C-13, C-15
assigning
interfaces to virtual sensors (ASA 5500 AIP SSM) 18-4, 19-5, 20-5
interfaces to virtual sensors (ASA 5500-X IPS SSP) 18-4, 19-5, 20-5
interfaces to virtual sensors (ASA 5585-X IPS SSP) 18-4, 19-5, 20-5
policies to virtual sensors (ASA 5500 AIP SSM) 18-4, 19-5, 20-5
policies to virtual sensors (ASA 5500-X IPS SSP) 18-4, 19-5, 20-5
policies to virtual sensors (ASA 5585-X IPS SSP) 18-4, 19-5, 20-5
assigning interfaces to virtual sensors 6-5
assigning policies to virtual sensors 6-5
asymmetric mode
described 6-4
normalization 6-4
asymmetric traffic
anomaly detection 9-2
caution 9-2
asymmetric traffic and disabling anomaly detection 9-49, C-21
Atomic ARP engine
described B-14
parameters (table) B-14
Atomic IP Advanced engine
described B-15
parameters (table) B-17
restrictions B-16
Atomic IP engine
described B-25
parameters (table) B-25
Atomic IPv6 engine
described B-29
Neighborhood Discovery protocol B-29
signatures B-29
attack relevance rating
calculating risk rating 8-14
described 8-14, 8-26
Attack Response Controller
described A-4
formerly known as Network Access Controller A-4
See ARC
attack severity rating
calculating risk rating 8-13
described 8-13
attemptLimit command 4-30
audit mode
described 10-9
testing global correlation 10-9
authenticated NTP 4-2, 4-32, 4-41, C-17
authentication
local 4-17
RADIUS 4-17
AuthenticationApp
authenticating users A-21
described A-4
login attempt limit A-21
method A-21
responsibilities A-20
secure communications A-21
sensor configuration A-20
Authentication pane
user roles A-30
authorized keys
defining 4-45
RSA authentication 4-45
automatic setup 3-2
automatic upgrade
information required 22-8
troubleshooting C-55
autonegotiation for hardware bypass 5-12
auto-upgrade-option command 22-8
B
backing up
configuration 16-23, C-3
current configuration 16-22, C-4
BackOrifice. See BO.
BackOrifice 2000. See BO2K.
backup-config command 16-19
banner login command 17-20
basic setup 3-4
block connection command 14-33
block-enable command 14-9
block hosts command 14-31
blocking
addresses never to block 14-19
block time 14-13
connection 14-33
described 14-2
disabling 14-10
hosts 14-31
list of blocked hosts 14-33
managing firewalls 14-27
managing routers 14-23
managing switches 14-26
master blocking sensor 14-28
maximum entries 14-11
necessary information 14-3
notes and caveats 14-1
prerequisites 14-6
properties 14-7
sensor block itself 14-8
show statistics 14-33
supported devices 14-6
types 14-3
user profiles 14-20
blocking not occurring for signature C-44
block network command 14-32
BO
described B-75
Trojans B-75
BO2K
described B-75
Trojans B-75
Bug Toolkit
described C-1
URL C-1
bypass mode
ASA 5500 AIP SSM 18-12
ASA 5500-X IPS SSP 19-9
ASA 5585-X IPS SSP 20-10
configuring 5-39
described 5-38
bypass-option command 5-39
C
calculating risk rating
attack relevance rating 8-14
attack severity rating 8-13
promiscuous delta 8-14
signature fidelity rating 8-13
target value rating 8-14
watch list rating 8-14
cannot access sensor C-26
capture packet files
notes and caveats 13-1
capturing live traffic 13-5
caution for clearing databases 17-12
CDP mode
ASA 5500-X IPS SSP 5-41
ASA 5585-X IPS SSP 5-41, 20-1
configuring 5-41
described 5-41
interfaces 5-41
certificates (IDM) 4-47
changing 4-27
access lists 4-6
CLI inactivity timeout 4-12
FTP timeout 4-8
host IP address 4-4
hostname 4-3
passwords 4-27
privilege 4-27
web server settings 4-14
cidDump obtaining information C-109
CIDEE
defined A-34
example A-34
IPS extensions A-34
protocol A-34
supported IPS events A-34
cisco
default password 2-2
default username 2-2
Cisco.com
accessing software 21-2
downloading software 21-1
software downloads 21-1
Cisco Discovery Protocol. See CDP.
Cisco IOS rate limiting 14-4
cisco-security-agents-mc-settings command 11-5
Cisco Security Intelligence Operations
described 21-8
URL 21-8
Cisco Services for IPS
service contract 4-51
supported products 4-51
clear database command 17-12
clear denied-attackers command 8-36, 17-27
clear events command 4-33, 8-41, 17-26, C-19, C-109
clearing
anomaly detection statistics 9-48
denied attackers statistics 8-37, 17-28
events 8-41, 17-26, C-109
global correlation statistics 10-15
OS IDs 8-32
sensor databases 17-12
statistics 17-31, C-93
clearing databases caution 17-12
clear line command 17-21
clear os-identification command 8-31
CLI
command line editing 1-6
command modes 1-7
default keywords 1-10
described A-4, A-30
error messages D-1
generic commands 1-10
password recovery 17-10, C-16
regular expression syntax 1-8
CLI behavior 1-5
case sensitivity 1-6
display options 1-6
help 1-5
prompts 1-5
recall 1-5
tab completion 1-5
client manifest described A-29
CLI guide introduction 1-1
CLI inactivity timeout
configuring 4-12
described 4-12
cli-inactivity-timeout command 4-12
CLI session termination 17-21
clock set command 4-35, 17-27
CollaborationApp described A-4, A-28
command and control interface
described 5-3
list 5-3
command and control interface described (ASA 5585-X IPS SSP) 20-4
command line editing (table) 1-6
command modes 1-7
anomaly detection configuration 1-7
event action rules configuration 1-7
EXEC 1-7
global configuration 1-7
privileged EXEC 1-7
service mode configuration 1-7
signature definition configuration 1-7
commands 15-4, 18-3, 20-3
access-list 4-6
alert-frequency 7-7
alert-severity 7-9
allocate-ips 18-4, 19-4, 20-4
allow-sensor-block 14-8
anomaly-detection load 9-41
anomaly-detection save 9-41
application-policy 7-18
attemptLimit 4-30
auto-upgrade-option 22-8
backup-config 16-19
banner login 17-20
block connection 14-33
block-enable 14-9
block hosts 14-31
block network 14-32
bypass-option 5-39
cisco-security-agents-mc-settings 11-5
clear database 17-12
clear denied-attackers 8-36, 17-27
clear events 4-33, 8-41, 17-26, C-19, C-109
clear line 17-21
clear os-identification 8-31
cli-inactivity-timeout 4-12
clock set 4-35, 17-27
copy ad-knowledge-base 9-42
copy anomaly-detection 9-9
copy backup-config 16-21, C-3
copy current-config 16-21, C-3
copy event-action-rules 8-8
copy iplog 12-7
copy license-key 4-52
copy packet-file 13-6
copy signature-definition 7-2
current-config 16-19
debug module-boot C-62
default service anomaly-detection 9-9
default service event-action-rules 8-8
default service signature-definition 7-2
deny attacker 8-35
downgrade 22-11
enable-acl-logging 14-14
enable-detail-traps 15-4
enable-nvram-write 14-15
erase 16-23
erase ad-knowledge-base 9-42
erase license-key 4-55
erase packet-file 13-7
event-action 7-15
event-action-rules-configurations 17-29
event-counter 7-10
external-zone 9-29
filters 8-21
fragment-reassembly 7-30
ftp-timeout 4-8
global-block-timeout 8-34, 14-13
global-deny-timeout 8-34
global-filters-status 8-34
global-metaevent-status 8-34
global-overrides-status 8-34
global-parameters 6-12
global-summarization 8-34
health-monitor 10-8
host-ip 4-4
host-name 4-3
hw-module module 1 recover configure 18-16, 20-12
hw-module module 1 reset C-61
hw-module module slot_number password-reset 17-5, 17-9, 18-15, 20-12, C-10, C-14
hw-module module slot_number recover boot 18-16, 20-12
hw-module module slot_number recover stop 18-16, 20-12
hw-module module slot_number reload 18-15, 20-12
hw-module module slot_number reset 18-15, 20-12
hw-module module slot_number shutdown 18-15, 20-12
ignore 9-10
illegal-zone 9-21
inline-interfaces 5-21
interface-notifications 5-40
internal-zone 9-12
ip-log 7-39
iplog 12-3
ip-log-bytes 12-2
ip-log-packets 12-2
iplog-status 12-5
ip-log-time 12-2
ipv6-target-value 8-15
learning-accept-mode 9-38
list anomaly-detection-configurations 9-9, 17-29
list event-action-rules-configurations 8-8
list signature-definition-configurations 7-2
log-all-block-events-and-errors 14-16
login-banner-text 4-9
max-block-entries 14-11
max-denied-attackers 8-34
max-interfaces 14-17
more 16-19
more current-config 16-1
never-block-hosts 14-19
never-block-networks 14-19
no iplog 12-6
no ipv6-target-value 8-15
no service anomaly-detection 9-9
no service event-action-rules 8-8
no service signature-definition 7-2
no target-value 8-15
no variables 8-11
os-identifications 8-28
other 9-18, 9-27, 9-35
overrides 8-17
packet capture 13-4
packet-display 13-2
password 4-15, 4-26
permit-packet-logging 4-23
physical-interfaces 5-15, 5-26, 5-32
ping 17-45
privilege 4-15, 4-27
rename ad-knowledge-base 9-42
reset 17-46
service anomaly-detection 9-9
service event-action-rules 8-8
service signature-definition 7-2
setup 3-2, 3-4, 3-8, 3-13, 3-17, 3-20
show ad-knowledge-base diff 9-44, 9-45
show ad-knowledge-base files 9-40, 9-41
show clock 4-34, 17-26
show configuration 16-1
show context 18-7, 19-7, 20-8
show events 8-39, 17-23, C-106
show health 10-9, 17-20, C-84
show history 17-47
show inspection-load 17-13
show interfaces 5-42
show inventory 17-47
show module 1 details 20-12, C-61, C-66, C-77
show os-identification 8-31
show settings 16-3, 16-18, 17-11, 17-50, C-16
show statistics 14-33, 17-30, C-92
show statistics anomaly-detection 9-47
show statistics denied-attackers 8-36, 17-27
show statistics virtual-sensor 17-30, C-25, C-92
show tech-support 17-42, C-85
show users 4-28
show version 17-43, C-89
sig-fidelity-rating 7-12, 7-14
signature-definition-configurations 17-29
snmp-agent-port 15-2
snmp-agent-protocol 15-2
ssh authorized-key 4-45
ssh-generate-key 4-46
ssh host-key 4-43, 4-44
status 7-13
stream-reassembly 7-38
subinterface-type 5-27, 5-33
summertime-option non-recurring 4-37
summertime-option recurring 4-35
sw-module module 1 recover configure 19-12
sw-module module slot_number password-reset 17-7, 19-12, C-12
sw-module module slot_number reload 19-12
sw-module module slot_number reset 19-12
sw-module module slot_number shutdown 19-12
target-value 8-15
tcp 9-13, 9-22, 9-30
telnet-option 4-5
terminal 17-22
time-zone-settings 4-39
tls generate-key 4-49
tls trusted-host 4-48
trace 17-49
trap-community-name 15-4
trap-destinations 15-4
udp 9-16, 9-24, 9-32
unlock user username 4-31
upgrade 22-4, 22-6
username 4-15
user-profile 14-20
variables 7-4, 8-11
virtual-sensor name 6-5, 18-4, 19-5, 20-5
worm-timeout 9-10
comparing KBs 9-44
component signatures
risk rating B-34
configuration files
backing up 16-23, C-3
merging 16-23, C-3
configuration restrictions
alternate TCP reset interface 5-14
inline interface pairs 5-13
inline VLAN pairs 5-13
interfaces 5-13
physical interfaces 5-13
VLAN groups 5-14
configuration sequence
ASA 5500 AIP SSM 18-2
ASA 5500-X IPS SSP 19-2
ASA 5585-X IPS SSP 20-2
configured OS mapping (example) 8-28
configuring
AAA authentication 4-20
access lists 4-6
account locking 4-30
account unlocking 4-31
ACL logging 14-14
alert frequency parameters 7-8
alert severity 7-9
anomaly detection operational settings 9-11, 9-39
application policy 7-19, 7-27
automatic IP logging 12-3
automatic upgrades 22-9
blocking
firewalls 14-27
routers 14-23
switches 14-26
time 14-13
bypass mode 5-39
CDP mode 5-41
cli-inactivity-timeout 4-12
connection blocking 14-33
CSA MC IPS interfaces 11-4
DNS servers 4-11
event action filters 8-23
event actions 7-16
event counter 7-10
external zone 9-29
ftp-timeout 4-8
global correlation 10-10, 10-12
health statistics 17-17
host blocks 14-31
host IP address 4-4
hostname 4-3
hosts never to block 14-19
illegal zone 9-21
inline interface pairs 5-22
inline VLAN groups 5-33
inline VLAN pairs 5-27
internal zone 9-13
IP fragment reassembly 7-31
IP fragment reassembly parameters 7-30, 7-37
IP logging 7-39
logging all blocking events and errors 14-16
logical devices 14-20
login-banner-text 4-9
manual IP logging 12-4
master blocking sensor 14-29
maximum block entries 14-12
maximum blocking interfaces 14-18
maximum denied attackers 8-34
Meta Event Generator 8-34
network blocks 14-32
networks never to block 14-19
NTP servers 4-40
NVRAM write 14-15
OS maps 8-29
other protocols
external zone 9-35
illegal zone 9-27
internal zone 9-19
packet command restrictions 4-24
password policy 4-29
passwords 4-27
physical interfaces 5-17
privilege 4-27
proxy servers 4-11
sensor sequence 1-1
sensor to block itself 14-8
sensor to use NTP 4-41
signature fidelity rating 7-12, 7-14
status 7-13
summarizer 8-34
summertime
non-recurring 4-37
recurring 4-35
TCP
external zone 9-30
illegal zone 9-22
internal zone 9-14
TCP stream reassembly 7-38
telnet-option 4-5
time zone settings 4-39
traffic flow notifications 5-40
UDP
external zone 9-33
illegal zone 9-24
internal zone 9-16
upgrades 22-5
user profiles 14-20
web server settings 4-13
configuring interfaces
notes and caveats 5-1
sequence 5-15
control transactions
characteristics A-9
request types A-9
copy ad-knowledge-base command 9-42
copy anomaly-detection command 9-9
copy backup-config command 16-21, C-3
copy command syntax 9-42
copy current-config command 16-21, C-3
copy event-action-rules command 8-8
copying
anomaly detection policies 9-9
event action rules policies 8-8
IP log files 12-7
KBs 9-42, 9-43
packet files 13-7
signature definition policies 7-2
copy iplog command 12-7
copy license-key command 4-52
copy packet-file command 13-6
copy signature-definition command 7-2
correcting time on the sensor 4-33, C-19
creating
anomaly detection policies 9-9
Atomic IP Advanced signatures 7-51
banner logins 17-20
custom signatures 7-41
event action rules policies 8-8
event action variables 8-11
global parameters 6-12
Meta signatures 7-49
OS maps 8-29
Post-Block VACLs 14-26
Pre-Block VACLs 14-26
service HTTP signatures 7-46
signature definition policies 7-2
string TCP signatures 7-43
string TCP XL signatures 7-52, 7-56
user profiles 14-20
virtual sensors 6-6, 6-9
creating the service account 4-25, C-6
cryptographic account
Encryption Software Export Distribution Authorization from 21-2
obtaining 21-2
CSA MC
configuring IPS interfaces 11-4
host posture events 11-2, 11-4
quarantined IP address events 11-2
supported IPS interfaces 11-4
CtlTransSource
described A-4, A-11
illustration A-12
Ctrl-N 1-5
Ctrl-P 1-5
current-config command 16-19
current configuration back up 16-23, C-3
custom signatures
AIC MIME-type 7-27
Atomic IP Advanced signature 7-51
configuration sequence 7-41
described 7-4
Meta signature 7-49
service HTTP example 7-46
String TCP 7-43
String TCP XL 7-52, 7-56
D
data nodes B-70
data structures (examples) A-8
DDoS
protocols B-75
Stacheldraht B-75
TFN B-75
debug logging enable C-47
debug-module-boot command C-62
default blocking time 14-13
default keywords 1-10
defaults
password 2-2
username 2-2
virtual sensor vs0 6-2
default service anomaly-detection command 9-9
default service event-action-rules command 8-8
default service signature-definition command 7-2
defining authorized keys 4-45
defining signatures 7-1
deleting
anomaly detection policies 9-9
denied attackers list 8-37, 17-28
event action rules policies 8-8
event action variables 8-11
inline interface pairs 5-24
inline VLAN pairs 5-30
OS maps 8-31
signature definition policies 7-2
signature variables 7-5
target value ratings 8-16
VLAN groups 5-37
Denial of Service. See DoS.
denied attackers add 8-36
deny actions (list) 8-5
deny attacker command 8-35
deny-packet-inline described 8-7
detect mode (anomaly detection) 9-4
device access issues C-41
diagnosing network connectivity 17-45
disabling
anomaly detection 9-49, C-21
blocking 14-10
global correlation 10-14
password recovery 17-10, C-16
signatures 7-13
Telnet 4-5
disaster recovery C-6
displaying
anomaly detection policies 9-9
anomaly detection policy lists 17-29
anomaly detection statistics 9-48
contents of logical file 16-20
current configuration 16-1
current submode configuration 16-3
event action rules policies 8-8
event actions rules lists 17-29
events 8-39, 17-24, C-107
global correlation statistics 10-15
health status 17-20, C-84
inspection load 17-13
interface statistics 5-43
IP log contents 12-5
KB files 9-40
KB thresholds 9-46
live traffic 13-3
OS IDs 8-32
password recovery setting 17-11, C-16
PEP information 17-47
policy lists 17-29
signature definition lists 17-29
statistics 17-31, C-93
submode settings 17-50
system clock 4-34, 17-26
tech support information 17-42, C-86
version 17-43, C-89
Distributed Denial of Service. See DDoS.
DNS servers
configuring 4-11
DoS tools
Stacheldraht B-75
stick B-7
TFN B-75
downgrade command 22-11
downgrading sensors 22-11
downloading Cisco software 21-1
duplicate IP addresses C-29
E
editing
anomaly detection policies 9-9
event action rules policies 8-8
event action variables 8-11
signature definition policies 7-2
signature variables 7-5
target value ratings 8-16
efficacy
described 10-5
measurements 10-5
enable-acl-logging command 14-14
enable-detail-traps command 15-4
enable-nvram-write command 14-15
enabling
anomaly detection 9-8
signatures 7-13
Telnet 4-5
enabling debug logging C-47
Encryption Software Export Distribution Authorization form
cryptographic account 21-2
described 21-2
engines
AIC 7-17, B-11
AIC FTP B-11
AIC HTTP B-11
Atomic ARP B-14
Atomic IP B-25
Atomic IP Advanced B-15
Atomic IPv6 B-29
Fixed B-30
Fixed ICMP B-30
Fixed TCP B-30
Fixed UDP B-30
Flood B-32
Flood Host B-32
Flood Net B-32
Master B-4
Meta B-33
Multi String B-36
Normalizer B-37
Service B-41
Service DNS B-41
Service FTP B-42
Service Generic B-43
Service H225 B-45
Service HTTP 7-44, B-47
Service IDENT B-49
Service MSRPC B-50
Service MSSQL B-52
Service NTP B-53
Service P2P B-54
Service RPC B-54
Service SMB Advanced B-56
Service SNMP B-58
Service SSH B-59
Service TNS B-60
State B-61
String 7-41, B-63
String ICMP 7-41, B-63
String TCP 7-41, B-63
String UDP 7-41, B-63
Sweep B-69
Sweep Other TCP B-72
Traffic Anomaly B-72
Traffic ICMP B-74
Trojan B-75
erase ad-knowledge-base command 9-42
erase command 16-23
erase license-key command 4-55
erase packet-file command 13-7
erasing
current configuration 16-24
KBs 9-42, 9-43
packet files 13-7
error messages
described D-1
validation D-5
errors (Analysis Engine) C-54
evAlert A-9
event-action command 7-15
event action filters
described 8-20
using variables 8-21
event action overrides
described 8-17
risk rating range 8-17
event action rules
described 8-2
functions 8-2
notes and caveats 8-1
task list 8-8
event action rules lists display 17-29
event action rules policies
copying 8-8
creating 8-8
deleting 8-8
displaying 8-8
editing 8-8
event actions
risk ratings 8-14
threat ratings 8-14
event actions configure 7-16
event-counter command 7-10
event counter configure 7-10
events
clearing 8-41, 17-26, C-109
displaying 8-39, 17-24, C-107
host posture 11-2
quarantined IP address 11-2
Event Store
clearing 8-41, 17-26, C-109
clearing events 4-33, C-19
data structures A-8
described A-4
examples A-8
no alerts C-34
responsibilities A-7
time stamp 4-33, C-19
timestamp A-7
event types C-105
event variables
described 8-10
example 8-11
evError A-9
evLogTransaction A-9
evShunRqst A-9
evStatus A-9
examples
ASA failover configuration 18-14, 19-21, 20-16, C-63, C-74, C-81
default anomaly detection configuration 9-4
KB histogram 9-37
password 4-16
password policy 4-29
privilege 4-16
SPAN configuration for IPv6 support 5-20
System Configuration Dialog 3-3
username 4-16
external product interfaces
adding 11-6
described 11-1
issues 11-3, C-23
notes and caveats 11-1
troubleshooting 11-8, C-24
external zone
configuring 9-29
configuring other protocols 9-35
configuring TCP 9-30
configuring UDP 9-33
described 9-29
external-zone command 9-29
F
fail-over testing 5-11
false positives described 7-3
files Cisco IPS (list) 21-1
filtering
more command 16-16
submode configuration 16-18
filters command 8-21
Fixed engine described B-30
Fixed ICMP engine parameters (table) B-30
Fixed TCP engine parameters (table) B-31
Fixed UDP engine parameters (table) B-32
Flood engine described B-32
Flood Host engine parameters (table) B-33
Flood Net engine parameters (table) B-33
fragment-reassembly command 7-30
FTP servers and software updates 22-3
FTP timeout
configuring 4-8
described 4-8
ftp-timeout command 4-8
G
generating
SSH server host key 4-46
TLS certificate 4-50
generic commands 1-10
global-block-timeout command 8-34, 14-13
global correlation 10-1
described 10-2
disabling about 10-13
DNS server 10-7
DNS servers 4-11
error messages A-29
features 10-6
goals 10-6
health metrics 10-8
health status 10-8
HTTP proxy server 10-7
license 3-1, 3-5, 10-1, 10-7, 10-9
no IPv6 support 8-1, 8-10, 8-11, 8-15, 8-20, 8-21, 10-2, 10-7
notes and caveats 10-1
options 10-10, 10-11, 10-13
Produce Alert 8-5
proxy servers 4-11
requirements 10-7
risk rating 10-6
troubleshooting 10-13, C-21
update client (illustration) 10-9
Global Correlation Update
client described A-28
server described A-28
global-deny-timeout command 8-34
global-filters-status command 8-34
global-metaevent-status command 8-34
global-overrides-status command 8-34
global parameters
adding 6-12
creating 6-12
maximum open IP logs 6-12
options 6-12
global-parameters command 6-12
global-summarization command 8-34
GRUB menu password recovery 17-3, C-8
H
H.225.0 protocol B-45
H.323 protocol B-45
hardware bypass
autonegotiation 5-12
configuration restrictions 5-12
fail-over 5-11
IPS 4260 5-11
IPS 4270-20 5-11
supported configurations 5-11
with software bypass 5-11
health-monitor command 10-8
health statistics configuration 17-17
health status
displaying 17-20, C-84
global correlation 10-8
help
question mark 1-5
using 1-5
host blocks configure 14-31
host IP address
changing 4-4
configuring 4-4
host-ip command 4-4
hostname
changing 4-3
configuring 4-3
host-name command 4-3
host posture events
CSA MC 11-4
described 11-2
HTTP/HTTPS servers supported 22-3
HTTP advanced decoding
described 6-4
platform support 6-4
restrictions 6-4
HTTP deobfuscation
ASCII normalization 7-45, B-47
described 7-45, B-47
hw-module module 1 recover configure command 18-16, 20-12
hw-module module 1 reset command C-61
hw-module module slot_number password-reset command 17-5, 17-9, 18-15, 20-12, C-10, C-14
hw-module module slot_number recover boot command 18-16, 20-12
hw-module module slot_number recover stop command 18-16, 20-12
hw-module module slot_number reload command 18-15, 20-12
hw-module module slot_number reset command 18-15, 20-12
hw-module module slot_number shutdown command 18-15, 20-12
I
IDAPI
communications A-4, A-32
described A-4
functions A-32
illustration A-32
responsibilities A-32
IDCONF
described A-33
example A-33
RDEP2 A-33
XML A-33
IDIOM
defined A-33
messages A-33
IDM
Analysis Engine is busy C-58
certificates 4-47
TLS 4-47
will not load C-57
ignore command 9-10
illegal zone
configuring 9-21
configuring other protocols 9-27
configuring TCP 9-22
configuring UDP 9-24
described 9-20
protocols 9-20
illegal-zone command 9-21
IME time synchronization problems C-60
inactive mode (anomaly detection) 9-4
initializing
appliances 3-8
ASA 5500 AIP SSM 3-13
ASA 5500-X IPS SSP 3-17
ASA 5585-X IPS SSP 3-20
sensors 3-2, 3-4
user roles 3-1, 3-2
verifying 3-24
verifying (ASA 5500 AIP SSM) 18-3
verifying (ASA 5500-X IPS SSP) 19-3
verifying (ASA 5585-X IPS SSP) 20-3
initializing the sensor (notes and caveats) 3-1
inline interface pair mode
configuration restrictions 5-13
described 5-20
illustration 5-21
inline interface pairs
configuring 5-22
deleting 5-24
inline-interfaces command 5-21
inline mode
interface cards 5-4
normalization 6-4
pairing interfaces 5-4
inline TCP session tracking modes described 6-4
inline VLAN groups
configuring 5-33
deleting 5-37
inline VLAN pair mode
configuration restrictions 5-13
described 5-25
illustration 5-26
supported sensors 5-25
inline VLAN pairs
configuring 5-27
deleting 5-30
inspection load
description 17-13
displaying 17-13
installer major version 21-5
installer minor version 21-5
installing
license key 4-53
system image
ASA 5500 AIP SSM 22-28
ASA 5500-X IPS SSP 22-30
ASA 5585-X IPS SSP 22-32
IPS 4240 22-14
IPS 4255 22-14
IPS 4260 22-17
IPS 4270-20 22-19
IPS 4345 22-22
IPS 4360 22-22
IPS 4510 22-25
IPS 4520 22-25
InterfaceApp
described A-20
interactions A-20
NIC drivers A-20
InterfaceApp described A-4
interface configuration sequence 5-15
interface-notifications command 5-40
interfaces
alternate TCP reset 5-3
command and control 5-3
configuration restrictions 5-13
described 5-3
displaying live traffic 13-3
port numbers 5-3
sensing 5-3, 5-4
slot numbers 5-3
support (table) 5-7
TCP reset 5-5
interface statistics displaying 5-43
internal zone
configuring 9-13
configuring other protocols 9-19
configuring TCP 9-14
configuring UDP 9-16
described 9-12
protocols 9-12
internal-zone command 9-12
introducing the CLI guide 1-1
IP fragmentation described B-38
IP fragment reassembly
described 7-28
parameters (table) 7-28
signatures (table) 7-28
ip-log-bytes command 12-2
ip-log command 7-39
iplog command 12-3
IP log contents
displaying 12-5
viewing 12-5
IP log files copying 12-7
IP logging
automatic 12-2
configuring 12-2
copying files 12-7
described 7-39, 12-2
manual 12-4
notes and caveats 12-1
ip-log-packets command 12-2
ip logs
TCPDUMP 12-2
Wireshark 12-2
iplog-status command 12-5
ip-log-time command 12-2
IP packet trace 17-49
IPS 4240
7200 series router C-26
installing system image 22-14
password recovery 17-4, C-9
reimaging 22-14
IPS 4255
installing system image 22-14
password recovery 17-4, C-9
reimaging 22-14
IPS 4260
hardware bypass 5-11
installing system image 22-17
password recovery 17-3, C-9
reimaging 22-17
IPS 4270-20
hardware bypass 5-11
installing system image 22-19
password recovery 17-3, C-9
reimaging 22-19
IPS 4345
installing system image 22-22
password recovery 17-3, 17-4, C-8, C-9
reimaging 22-22
IPS 4360
installing system image 22-22
password recovery 17-3, 17-4, C-8, C-9
reimaging 22-22
IPS 4510
installing system image 22-25
password recovery 17-3, 17-4, C-8, C-9
reimaging 22-25
SwitchApp A-30
IPS 4520
installing system image 22-25
password recovery 17-3, 17-4, C-8, C-9
reimaging 22-25
SwitchApp A-30
IPS applications
summary A-36
table A-36
XML format A-4
IPS clock synchronization 4-33, C-18
IPS data
types A-8
XML document A-9
IPS events
evAlert A-9
evError A-9
evLogTransaction A-9
evShunRqst A-9
evStatus A-9
list A-9
types A-9
IPS internal communications A-32
IPS software
application list A-4
available files 21-1
configuring device parameters A-5
directory structure A-35
Linux OS A-1
obtaining 21-1
platform-dependent release examples 21-6
retrieving data A-5
security features A-5
tuning signatures A-5
updating A-5
user interaction A-5
versioning scheme 21-3
IPS software file names
major updates (illustration) 21-4
minor updates (illustration) 21-4
patch releases (illustration) 21-4
service packs (illustration) 21-4
IPv4
address format 8-10
event variables 8-10
IPv6
address format 8-11
described B-29
event variables 8-11
SPAN ports 5-20
switches 5-20
ipv6-target-value command 8-15
K
KB files
displaying 9-40
KBs
comparing 9-44
copying 9-42, 9-43
described 9-4
erasing 9-42, 9-43
histogram 9-37
initial baseline 9-4
manually loading 9-41
manually saving 9-41
renaming 9-42, 9-43
scanner threshold 9-37
tree structure 9-37
KB thresholds display 9-46
keywords
default 1-10
no 1-10
Knowledge Base. See KB.
L
learning accept mode
anomaly detection 9-4
learning-accept-mode command 9-38
license key
installing 4-53
obtaining 4-50
trial 4-50
uninstalling 4-55
viewing status of 4-51
licensing
described 4-50
IPS device serial number 4-50
Licensing pane
described 4-50
limitations for concurrent CLI sessions 18-1, 19-1, 20-1
list anomaly-detection-configurations command 9-9, 17-29
list event-action-rules-configurations command 8-8, 17-29
list of blocked hosts 14-33
list signature-definition-configurations command 7-2, 17-29
loading
KBs 9-41
log-all-block-events-and-errors command 14-16
Logger
described A-4, A-19
functions A-19
syslog messages A-19
logging in
appliances 2-2
ASA 5500 AIP SSM 2-4
ASA 5500-X IPS SSP 2-5
ASA 5585-X IPS SSP 2-6
notes and caveats 2-1
sensors
SSH 2-7
Telnet 2-7
terminal servers 2-3, 22-13
user role 2-1
login banners
adding 4-9
login-banner-text
configuring 4-9
login-banner-text command 4-9
LOKI
described B-75
protocol B-74
loose connections on sensors C-25
M
MainApp
components A-6
described A-4, A-6
host statistics A-6
responsibilities A-6
show version command A-6
major updates described 21-3
managing
firewalls 14-27
routers 14-23
switches 14-26
manifests
client A-29
server A-29
manual blocking 14-31, 14-33
manual block to bogus host C-44
manually loading
KBs 9-41
manually saving
KBs 9-41
master blocking sensor
described 14-28
not set up properly C-45
verifying configuration C-45
Master engine
alert frequency B-7
alert frequency parameters (table) B-7
described B-4
event actions 8-5, B-8
general parameters (table) B-4
universal parameters B-4
master engine parameters
obsoletes B-7
promiscuous delta B-6
vulnerable OSes B-7
max-block-entries command 14-11
max-denied-attackers command 8-34
maximum open IP logs 6-12
max-interfaces command 14-17
merging configuration files 16-23, C-3
Meta engine
described B-33
parameters (table) B-35
Signature Event Action Processor B-34
Meta signature
component signatures B-34
MIBs supported 15-6, C-20
minor updates described 21-3
modes
anomaly detection detect 9-4
anomaly detection learning accept 9-4
ASA 5500 AIP SSM 18-10
asymmetric 6-4
bypass 5-38
inactive (anomaly detection) 9-4
inline interface pair 5-20
inline TCP tracking 6-4
inline VLAN pair 5-25
Normalizer 6-4
promiscuous 5-19
VLAN groups 5-31
modifying
terminal properties 17-22
monitoring
viewer privileges 1-4
more command 16-19
filtering 16-16
more current-config command 16-1
moving
OS maps 8-30
Multi String engine
described B-36
parameters (table) B-36
Regex B-36
N
Neighborhood Discovery
options B-30
types B-30
network blocks
configuring 14-32
network connectivity diagnosis 17-45
network participation
data gathered 10-4
data use (table) 10-3
described 10-4
health metrics 10-8
modes 10-5
requirements 10-4
SensorBase Network 10-5
statistics 10-5
network participation data
improving signature fidelity 10-5
understanding sensor deployment 10-5
never-block-hosts command 14-19
never-block-networks command 14-19
no iplog command 12-6
no ipv6-target-value command 8-15
normalization described 6-4
Normalizer engine
ASA 5500 AIP SSM 18-12, 19-10, 20-10, B-38, C-64
ASA 5500-X IPS SSP 18-12, 19-10, 20-10, B-38
ASA 5585-X IPS SSP 18-12, 19-10, 20-10, B-38
described B-37
IP fragment reassembly B-38
IPv6 fragments B-38
modify packets inline 6-3
parameters (table) B-39
TCP stream reassembly B-38
no service anomaly-detection command 9-9
no service event-action-rules command 8-8
no service signature-definition command 7-2
no target-value command 8-15
notes and caveats 7-1, 9-2, 10-1
administrative tasks 17-2
anomaly detection 9-2
ASA 5500 AIP SSM 18-1
ASA 5500-X IPS SSP 19-1
ASA 5585-X IPS SSP 20-1
blocking 14-1
capture packet files 13-1
configuring interfaces 5-1
event action rules 8-1
external product interfaces 11-1
initializing the sensor 3-1
IP logging 12-1
logging in 2-1
setting up the sensor 4-1
SNMP 15-1
virtual sensors 6-1
NotificationApp
alert information A-9
described A-4
functions A-9
SNMP gets A-9
SNMP traps A-9
statistics A-11
system health information A-10
no variables command 8-11
NTP
authenticated 4-2, 4-32, 4-41, C-17
configuring servers 4-40
described 4-32, C-17
incorrect configuration C-18
sensor time source 4-40, 4-41
time synchronization 4-32, C-17
unauthenticated 4-2, 4-32, 4-41, C-17
O
obsoletes field described B-7
obtaining
command history 17-47
cryptographic account 21-2
IPS software 21-1
license key 4-50
list of blocked hosts and connections 14-33
used commands list 17-47
operator role privileges 1-4
options
global correlation 10-10, 10-11, 10-13
os-identifications command 8-28
OS IDs
clearing 8-32
displaying 8-32
OS information sources 8-27
OS maps
creating 8-29
deleting 8-31
moving 8-30
other actions (list) 8-6
other command 9-18, 9-27, 9-35
output
clearing current line 1-6
displaying 1-6
overrides command 8-17
P
P2P networks described B-54
packet capture command 13-4
packet command restrictions
configuring 4-24
packet display command 13-2
packet files
viewing
TCPDUMP 13-7
Wireshark 13-7
partitions
application A-4
recovery A-4
passive OS fingerprinting
components 8-26
configuring 8-27
described 8-26
enabled (default) 8-27
password command 4-15, 4-26
password policy
caution 4-29
configuring 4-29
password recovery
appliances 17-3, C-8
ASA 5500 AIP SSM 17-4, C-10
ASA 5500-X IPS SSP 17-7, C-12
ASA 5585-X IPS SSP 17-8, C-14
CLI 17-10, C-16
described 17-3, C-8
disabling 17-10, C-16
displaying setting 17-11, C-16
GRUB menu 17-3, C-8
IPS 4240 17-4, C-9
IPS 4255 17-4, C-9
IPS 4260 17-3, C-9
IPS 4270-20 17-3, C-9
IPS 4345 17-3, 17-4, C-8, C-9
IPS 4360 17-3, 17-4, C-8, C-9
IPS 4510 17-3, 17-4, C-8, C-9
IPS 4520 17-3, 17-4, C-8, C-9
platforms 17-3, C-8
ROMMON 17-4, C-9
troubleshooting 17-11, C-17
verifying 17-11, C-16
passwords 4-27
changing 4-27
configuring 4-27
policy 4-29
patch releases described 21-3
peacetime learning (anomaly detection) 9-3
Peer-to-Peer. See P2P.
PEP information
PID 17-47
SN 17-47
VID 17-47
permit-packet-logging command 4-23
physical connectivity issues C-32
physical interfaces
configuration restrictions 5-13
configuring 5-17
physical-interfaces command 5-15, 5-26, 5-32
ping command 17-45
platforms concurrent CLI sessions 18-1, 19-1, 20-1
policies
passwords 4-29
policy lists
displaying 17-29
Post-Block ACLs 14-22, 14-23
Pre-Block ACLs 14-22, 14-23
prerequisites for blocking 14-6
privilege
changing 4-27
configuring 4-27
privilege command 4-15, 4-27
privilege levels
administrator 1-3
operators 1-3
service 1-3
viewers 1-3
promiscuous delta
calculating risk rating 8-14
described 7-6, 8-14, B-6
promiscuous mode
atomic attacks 5-19
configuring 5-20
described 5-19
illustration 5-19
packet flow 5-19
SPAN ports 5-20
TCP reset interfaces 5-5
VACL capture 5-20
prompts
default input 1-5
protocols
ARP B-14
CDP 5-41
CIDEE A-34
DCE B-50
DDoS B-75
H.323 B-45
H225.0 B-45
HTTP 4-13
ICMPv6 B-15
IDAPI A-32
IDCONF A-33
IDIOM A-33
IPv6 B-29
LOKI B-74
MSSQL B-52
Neighborhood Discovery B-29
Q.931 B-45
RPC B-50
SDEE A-34
proxy servers
configuring 4-11
Q
Q.931 protocol
described B-45
SETUP messages B-45
quarantined IP address events described 11-2
R
RADIUS authentication
described 4-17
service account 4-26
shared secret 4-21, 4-22
rate limiting
ACLs 14-5
described 14-4
routers 14-4
service policies 14-5
supported signatures 14-4
raw expression syntax
described B-66
expert mode B-66
Raw Regex
described 7-53, 7-56, B-66
expert mode 7-53, 7-56, B-66
recall
help and tab completion 1-5
using 1-5
recover command 22-11
recovering
application partition image 22-12
ASA 5500 AIP SSM C-62
recovery partition
described A-4
upgrade 22-7
Regex
described 1-8
Multi String engine B-36
standardized B-1
Regular Expression. See also Regex.
regular expression syntax
described 1-8
raw Regex 7-53, 7-56, B-66
signatures B-9
table 1-8
reimaging
ASA 5500 AIP SSM 22-27
ASA 5500-X IPS SSP 22-30
described 22-2
IPS 4240 22-14
IPS 4255 22-14
IPS 4260 22-17
IPS 4270-20 22-19
IPS 4345 22-22
IPS 4360 22-22
IPS 4510 22-25
IPS 4520 22-25
sensors 22-2, 22-11
removing
last applied
service pack 22-11
signature update 22-11
users 4-16
rename ad-knowledge-base command 9-42
renaming KBs 9-42, 9-43
reputation
described 10-3
illustration 10-4
servers 10-3
reset command 17-46
reset not occurring for a signature C-53
resetting
appliances 17-46
ASA 5500 AIP SSM C-61
passwords
ASDM 17-6, 17-8, 17-10, C-12, C-13, C-15
hw-module command 17-5, 17-9, C-10, C-14
sw-module command 17-7, C-12
resetting the password
ASA 5500 AIP SSM 17-5, C-10
ASA 5500-X IPS SSP 17-7, C-12
ASA 5585-X IPS SSP 17-9, C-14
restoring the current configuration 16-22, C-5
retiring
signatures 7-13
risk rating
Alarm Channel 10-6
calculating 8-13
component signatures B-34
described 8-26
global correlation 10-6
reputation score 10-6
ROMMON
ASA 5585-X IPS SSP 22-34
described 22-13
IPS 4240 17-4, 22-14, C-9
IPS 4255 17-4, 22-14, C-9
IPS 4260 22-17
IPS 4270-20 22-19
IPS 4345 17-4, 22-22, C-9
IPS 4360 17-4, 22-22, C-9
IPS 4510 17-4, 22-25, C-9
IPS 4520 17-4, 22-25, C-9
password recovery 17-4, C-9
remote sensors 22-13
serial console port 22-13
TFTP 22-13
round-trip time. See RTT.
RPC portmapper B-54
RSA authentication
authorized keys 4-45
RTT
described 22-13
TFTP limitation 22-13
S
saving KBs 9-41
scheduling automatic upgrades 22-9
SDEE
described A-34
HTTP A-34
protocol A-34
server requests A-34
searching
submode configuration 16-18
security
account locking 4-30
information on Cisco Security Intelligence Operations 21-8
SSH 4-43
security policies described 7-1, 8-2, 9-2
sensing interface
ASA 5500 AIP SSM 18-4
ASA 5500-X IPS SSP 19-4
ASA 5585-X IPS SSP 20-4
sensing interfaces
Analysis Engine 5-4
described 5-4
interface cards 5-4
modes 5-4
sensing interfaces described (ASA 5585-X IPS SSP) 20-4
SensorApp
Alarm Channel A-24
Analysis Engine A-24
described A-4
event action filtering A-25
inline packet processing A-24
IP normalization A-25
packet flow A-26
processors A-23
responsibilities A-23
risk rating A-25
Signature Event Action Processor A-23
TCP normalization A-25
SensorBase Network
described 10-2
network participation 10-5
participation 10-2
servers 10-2
sensor databases
clearing 17-12
sensors
access problems C-26
application partition image 22-12
asymmetric traffic and disabling anomaly detection 9-49, C-21
command and control interfaces (list) 5-3
configuration sequence 1-1
configuring to use NTP 4-41
corrupted SensorApp configuration C-37
disaster recovery C-6
downgrading 22-11
incorrect NTP configuration C-18
initializing 3-2, 3-4
interface support 5-7
IP address conflicts C-29
logging in
SSH 2-7
Telnet 2-7
loose connections C-25
managing
firewalls 14-27
routers 14-23
switches 14-26
misconfigured access lists C-29
no alerts C-34, C-59
not seeing packets C-35
NTP time source 4-41
NTP time synchronization 4-32, C-17
partitions A-4
physical connectivity C-32
preventive maintenance C-2
reimaging 22-2
sensing process not running C-31
setup command 3-2, 3-4, 3-8
time sources 4-32, C-17
troubleshooting software upgrades C-56
upgrading 22-5
using NTP time source 4-40
server manifest described A-29
service account
accessing 4-25, C-5
cautions 4-2, 4-25, C-5
creating 4-25, C-6
described 4-25, A-31, C-5
RADIUS authentication 4-26
TAC A-31
troubleshooting A-31
service anomaly-detection command 9-9
Service DNS engine
described B-41
parameters (table) B-41
Service engine
described B-41
Layer 5 traffic B-41
service event-action-rules command 8-8
Service FTP engine
described B-42
parameters (table) B-43
PASV port spoof B-42
Service Generic engine
described B-43
no custom signatures B-43
parameters (table) B-44
Service H225 engine
ASN.1PER validation B-45
described B-45
features B-45
parameters (table) B-46
TPKT validation B-45
service HTTP
signature 7-46
Service HTTP engine
described 7-44, B-47
parameters (table) B-48
Service IDENT engine
described B-49
parameters (table) B-50
Service MSRPC engine
DCE/RPC protocol B-50
described B-50
parameters (table) B-51
Service MSSQL engine
described B-52
MSSQL protocol B-52
parameters (table) B-53
Service NTP engine
described B-53
parameters (table) B-53
Service P2P engine described B-54
service packs described 21-3
service role
bypassing the CLI when logging in 2-2
described 1-4
privileges 1-4
Service RPC engine
described B-54
parameters (table) B-54
RPC portmapper B-54
service signature-definition command 7-2
Service SMB Advanced engine
described B-56
parameters (table) B-56
Service SNMP engine
described B-58
parameters (table) B-58
Service SSH engine
described B-59
parameters (table) B-59
Service TNS engine
described B-60
parameters (table) B-60
session command
ASA 5500 AIP SSM 2-4
ASA 5500-X IPS SSP 2-5
ASA 5585-X IPS SSP 2-6
sessioning in
ASA 5500 AIP SSM 2-4
ASA 5500-X IPS SSP 2-5
ASA 5585-X IPS SSP 2-6
setting
system clock 4-35, 17-27
setting up
notes and caveats 4-1
terminal servers 2-3, 22-13
setup
automatic 3-2
command 3-2, 3-4, 3-8, 3-13, 3-17, 3-20
simplified mode 3-2
setup command
user roles 3-1, 3-2
shared secret
described 4-21, 4-22
RADIUS authentication 4-21, 4-22
show ad-knowledge-base diff command 9-44, 9-45
show ad-knowledge-base files command 9-40, 9-41
show clock command 4-34, 17-26
show configuration command 16-1
show context command 18-7, 19-7, 20-8
show events command 8-39, 17-23, C-106
show health command 10-9, 17-20, C-84
show history command 17-47
showing
user information 4-28
show inspection-load command 17-13
show interfaces command 5-42, C-104
show inventory command 17-47
show module 1 details command 20-12, C-61, C-66, C-77
show module command 18-3, 19-3, 20-3
show os-identification command 8-31
show settings command 16-3, 16-18, 17-11, 17-50, C-16
show statistics anomaly-detection command 9-47
show statistics command 14-33, 17-30, C-92
show statistics denied-attackers command 8-36, 17-27
show statistics virtual-sensor command 17-30, C-25, C-92
show tech-support command 17-42, C-85
show users command 4-28
show version command 17-43, C-89
sig-fidelity-rating command 7-12, 7-14
signature definition lists
displaying 17-29
signature definition policies
copying 7-2
creating 7-2
deleting 7-2
editing 7-2
signature engines
AIC 7-17, B-11
Atomic B-14
Atomic ARP B-14
Atomic IP B-25
Atomic IP Advanced B-15
Atomic IPv6 B-29
described B-1
Fixed B-30
Flood B-32
Flood Host B-33
Flood Net B-33
list B-2
Master B-4
Meta B-33
Multi String B-36
Normalizer B-37
Regex
patterns B-10
syntax B-9
Service B-41
Service DNS B-41
Service FTP B-42
Service Generic B-43
Service H225 B-45
Service HTTP 7-44, B-47
Service IDENT B-49
Service MSRPC B-50
Service MSSQL B-52
Service NTP B-53
Service P2P B-54
Service RPC B-54
Service SMB Advanced B-56
Service SNMP B-58
Service SSH B-59
Service TNS B-60
State B-61
String 7-41, B-63
Sweep B-69
Sweep Other TCP B-72
Traffic Anomaly B-72
Traffic ICMP B-74
Trojan B-75
signature engine update files described 21-4
Signature Event Action Filter
described 8-3, A-26
parameters 8-3, A-26
Signature Event Action Handler described 8-3, A-27
Signature Event Action Override described 8-3, A-26
Signature Event Action Processor
Alarm Channel 8-3, A-26
components 8-3, A-26
described 8-3, A-23, A-26
signature fidelity rating
calculating risk rating 8-13
configuring 7-12, 7-14
described 8-13
signatures
custom 7-4
default 7-4
described 7-3
false positives 7-3
general parameters 7-6
rate limits 14-4
service HTTP 7-46
string TCP 7-43
string TCP XL 7-52, 7-56
subsignatures 7-3
TCP reset C-53
tuned 7-4
signature update
files 21-4
signature variables
adding 7-5
deleting 7-5
described 7-4
editing 7-5
SNMP
configuring
agent parameters 15-3
traps 15-5
described 15-1
general parameters 15-2
Get 15-1
GetNext 15-1
notes and caveats 15-1
Set 15-1
supported MIBs 15-6, C-20
Trap 15-1
snmp-agent-port command 15-2
snmp-agent-protocol command 15-2
SNMP traps
described 15-2
software architecture
ARC (illustration) A-13
IDAPI (illustration) A-32
software bypass
supported configurations 5-11
with hardware bypass 5-11
software downloads Cisco.com 21-1
software file names
recovery (illustration) 21-5
signature/virus updates (illustration) 21-4
signature engine updates (illustration) 21-5
system image (illustration) 21-5
software release examples
platform-dependent 21-6
platform identifiers 21-7
platform-independent 21-6
software updates
supported FTP servers 22-3
supported HTTP/HTTPS servers 22-3
SPAN port issues C-32
specifying
worm timeout 9-11, 9-39
SSH
adding hosts 4-44
described 4-43
security 4-43
ssh authorized-key command 4-45
ssh generate-key command 4-46
ssh host-key command 4-43, 4-44
SSH known hosts list
adding hosts 4-43
SSH Server
private keys A-22
public keys A-22
SSH server host key
generating 4-46
standards
CIDEE A-34
IDCONF A-33
IDIOM A-33
SDEE A-34
State engine
Cisco Login B-61
described B-61
LPR Format String B-61
parameters (table) B-62
SMTP B-61
statistics display 17-31, C-93
status command 7-13
stopping
IP logging 12-6
stream-reassembly command 7-38
String engine described 7-41, B-63
String ICMP engine parameters (table) B-64
String TCP engine
parameters 7-41
parameters (table) B-64
String TCP engine signature
example 7-43
String TCP XL signature
example 7-52, 7-56
String UDP engine parameters (table) B-65
String XL engine
description B-66
hardware support B-3, B-66
parameters (table) B-67
unsupported parameters B-69
subinterface 0 described 5-31
subinterface-type command 5-27, 5-33
submode configuration
filtering output 16-18
searching output 16-18
submode settings display 17-50
subsignatures described 7-3
summarization
described 8-33
fire-all 8-33
fire-once 8-33
global-summarization 8-33
Meta engine 8-33
summary 8-33
summertime
configuring
non-recurring 4-37
recurring 4-35
summertime-option non-recurring command 4-37
summertime-option recurring command 4-35
supported
FTP servers 22-3
HTTP/HTTPS servers 22-3
IPS interfaces for CSA MC 11-4
Sweep engine
described B-69
parameters (table) B-70
Sweep Other TCP engine
described B-72
parameters (table) B-72
SwitchApp
described A-30
switches
TCP reset interfaces 5-6
sw-module module 1 recover configure command 19-12
sw-module module slot_number password-reset command 17-7, 19-12, C-12
sw-module module slot_number reload command 19-12
sw-module module slot_number reset command 19-12
sw-module module slot_number shutdown command 19-12
syntax
case sensitivity 1-6
system architecture
directory structure A-35
supported platforms A-1
system clock
displaying 4-34, 17-26
system clock setting 4-35, 17-27
system components IDAPI A-32
System Configuration Dialog
described 3-2
example 3-3
system design (illustration) A-2, A-3
system image
installing
ASA 5500 AIP SSM 22-28
ASA 5500-X IPS SSP 22-30
ASA 5585-X IPS SSP 22-32
IPS 4240 22-14
IPS 4255 22-14
IPS 4260 22-17
IPS 4270-20 22-19
IPS 4345 22-22
IPS 4360 22-22
IPS 4510 22-25
IPS 4520 22-25
T
tab completion
using 1-5
TAC
PEP information 17-47
service account 4-25, A-31, C-5
show tech-support command 17-42, C-85
troubleshooting A-31
target-value command 8-15
IPv4 8-15
IPv6 8-15
target value rating
calculating risk rating 8-14
described 8-14, 8-15
tasks
configuring the sensor 1-1
tcp command 9-13, 9-22, 9-30
TCPDUMP
copy packet-file command 13-6
expression syntax 13-2
ip logs 12-2
packet capture command 13-5
packet display command 13-2
TCP fragmentation described B-38
TCP reset interfaces
conditions 5-6
described 5-5
list 5-5
promiscuous mode 5-5
switches 5-6
TCP resets
not occurring C-53
TCP stream reassembly
described 7-31
parameters (table) 7-32, 7-37
signatures (table) 7-32, 7-37
tech support information display 17-42, C-86
Telnet
disabling 4-5
enabling 4-5
telnet-option
configuring 4-5
telnet-option command 4-5
terminal
modifying length 17-22
terminal command 17-22
terminal server setup 2-3, 22-13
terminating
CLI sessions 17-21
testing fail-over 5-11
TFN2K
described B-74
Trojans B-75
TFTP servers
recommended
UNIX 22-13
Windows 22-13
RTT 22-13
threat rating
described 8-14
risk rating 8-14
time
correction on the sensor 4-33, C-19
sensors 4-32, C-17
synchronizing IPS clocks 4-33, C-18
time sources
appliances 4-32, C-17
ASA 5500 AIP SSM 4-33, C-18
ASA 5500-X IPS SSP 4-33, C-18
ASA 5585-X IPS SSP 4-33, C-18
time zone settings
configuring 4-39
time-zone-settings command 4-39
TLS
handshaking 4-47
IDM 4-47
web server 4-47
TLS certificates
generating 4-50
tls generate-key command 4-49
tls trusted-host command 4-48
trace command 17-49
tracing
IP packet route 17-49
Traffic Anomaly engine
described B-72
protocols B-72
signatures B-72
traffic flow notifications
configuring 5-40
described 5-40
Traffic ICMP engine
DDoS B-74
described B-74
LOKI B-74
parameters (table) B-75
TFN2K B-74
trap-community-name command 15-4
trap-destinations command 15-4
trial license key 4-50
Tribe Flood Network. See TFN.
Tribe Flood Network 2000. See TFN2K.
Trojan engine
BO2K B-75
described B-75
TFN2K B-75
Trojans
BO B-75
BO2K B-75
LOKI B-75
TFN2K B-75
troubleshooting C-1
Analysis Engine busy C-58
applying software updates C-55
ARC
blocking not occurring for signature C-44
device access issues C-41
enabling SSH C-44
inactive state C-40
misconfigured master blocking sensor C-45
verifying device interfaces C-43
ASA 5500 AIP SSM
commands C-61
debugging C-62
failover scenarios 18-13, C-63
recovering C-62
reset C-61
ASA 5500-X IPS SSP
commands C-66
failover scenarios 19-20, C-74
ASA 5585-X IPS SSP
commands 20-12, C-77
failover scenarios 20-16, C-80
traffic flow stopped 20-15, C-82
automatic updates C-55
cannot access sensor C-26
cidDump C-109
cidLog messages to syslog C-51
communication C-26
corrupted SensorApp configuration C-37
debug logger zone names (table) C-51
debug logging C-47
disaster recovery C-6
duplicate sensor IP addresses C-29
enabling debug logging C-47
external product interfaces 11-8, C-24
gathering information C-84
global correlation 10-13, C-21
IDM
cannot access sensor C-58
will not load C-57
IME time synchronization C-60
IPS clock time drift 4-33, C-18
manual block to bogus host C-44
misconfigured access list C-29
no alerts C-34, C-59
NTP C-52
password recovery 17-11, C-17
physical connectivity issues C-32
preventive maintenance C-2
reset not occurring for a signature C-53
sensing process not running C-31
sensor events C-105
sensor loose connections C-25
sensor not seeing packets C-35
sensor software upgrade C-56
service account 4-25, C-5
show events command C-105
show interfaces command C-104
show statistics command C-91, C-92
show tech-support command C-85, C-86
show version command C-89
software upgrades C-54
SPAN
port issue C-32
upgrading C-54
verifying Analysis Engine is running C-22
verifying ARC status C-39
trusted hosts add 4-48
tuned signatures described 7-4
U
udp command 9-16, 9-24, 9-32
unassigned VLAN groups described 5-31
unauthenticated NTP 4-2, 4-32, 4-41, C-17
uninstalling
license key 4-55
unlocking accounts 4-31
unlock user username command 4-31
upgrade command 22-4, 22-6
upgrade notes and caveats
upgrading IPS software 22-1
upgrading
application partition 22-11
latest version C-54
recovery partition 22-7
sensors 22-5
upgrading IPS software
upgrade notes and caveats 22-1
URLs for Cisco Security Intelligence Operations 21-8
user
adding 4-16
username command 4-15
user-profile command 14-20
user profiles 14-20
user roles
administrator 1-3
operator 1-3
service 1-3
viewer 1-3
user roles authentication 4-17
users
adding 4-15
removing 4-15, 4-16
using
debug logging C-47
TCP reset interfaces 5-6
V
VACLs
described 14-3
Post-Block 14-26
Pre-Block 14-26
validation error messages described D-5
variables command 7-4, 8-11
IPv4 8-11
IPv6 8-11
verifying
password recovery 17-11, C-16
sensor initialization 3-24
sensor setup 3-24
version display 17-43, C-89
viewer role privileges 1-4
viewing
IP log contents 12-5
license key status 4-51
user information 4-28
virtualization
advantages 6-2, C-19
restrictions 6-3, C-20
supported sensors 6-3, C-20
traffic capture requirements 6-3, C-20
virtual-sensor name command 6-5, 18-4, 19-5, 20-5
virtual sensors
adding 6-6, 6-9
adding (ASA 5500 AIP SSM) 18-5
adding (ASA 5500-X IPS SSP) 19-5
adding (ASA 5585-X IPS SSP) 20-5
ASA 5500 AIP SSM 18-7
ASA 5500-X IPS SSP 19-7
ASA 5585-X IPS SSP 20-8
assigning interfaces 6-5
assigning policies 6-5
creating 6-6, 6-9
creating (ASA 5500 AIP SSM) 18-5
creating (ASA 5500-X IPS SSP) 19-5
creating (ASA 5585-X IPS SSP) 20-5
default virtual sensor 6-2
described 6-2
displaying KB files 9-40
notes and caveats 6-1
options 6-5, 18-5, 19-5, 20-5
VLAN groups
802.1q encapsulation 5-31
configuration restrictions 5-14
deploying 5-32
switches 5-32
VLAN groups mode
described 5-31
vulnerable OSes field described B-7
W
watch list rating
calculating risk rating 8-14
described 8-14
web server
described A-4, A-23
HTTP 1.0 and 1.1 support A-23
HTTP protocol 4-13
port (default) 4-1, 4-13
private keys A-22
public keys A-22
SDEE support A-23
TLS 4-47
web server settings
changing 4-14
configuring 4-13
Wireshark
copy packet-file command 13-6
ip logs 12-2
worms
Blaster 9-3
Code Red 9-2, 9-3
histograms 9-37
Nimda 9-2
protocols 9-3
Sasser 9-3
scanners 9-3
Slammer 9-3
SQL Slammer 9-2
worm-timeout command 9-10
worm timeout specify 9-11, 9-39
Z
zones
external 9-4
illegal 9-4
internal 9-4