Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.1
Index

Numerics

4GE bypass interface card

configuration restrictions 5-12

described 5-11

802.1q encapsulation for VLAN groups 5-31

A

AAA authentication

configuring 4-20

AAA RADIUS

functionality 4-26

limitations 4-26

accessing

IPS software 21-2

service account 4-25, C-5

access-list command 4-6

access list misconfiguration C-29

access lists

changing 4-6

configuring 4-6

account locking

configuring 4-30

security 4-30

account unlocking configuring 4-31

ACLs

described 14-3

Post-Block 14-22, 14-23

Pre-Block 14-22, 14-23

adaptive security appliance

sending IPS traffic (ASA 5500 AIP SSM) 18-10

adding

denied attackers 8-36

event action overrides 8-18

external product interfaces 11-6

global parameters 6-12

hosts to the SSH known hosts list 4-43, 4-44

login banners 4-9

signature variables 7-5

target value ratings 8-16

trusted hosts 4-48

users 4-15, 4-16, 4-27, 4-28

virtual sensors 6-6, 6-9

virtual sensors (ASA 5500 AIP SSM) 18-5

virtual sensors (ASA 5500-X IPS SSP) 19-5

virtual sensors (ASA 5585-X IPS SSP) 20-5

Address Resolution Protocol. See ARP.

administrative tasks notes and caveats 17-2

administrator role privileges 1-3

aggregation

alert frequency 8-33

operating modes 8-33

AIC engine

AIC FTP B-11

AIC FTP engine parameters (table) B-13

AIC HTTP B-11

AIC HTTP engine parameters (table) B-12

described B-11

features B-11

signature categories 7-17

AIC policy enforcement

default configuration 7-18, B-11

described 7-18, B-11

sensor oversubscription 7-18, B-11

Alarm Channel

described 8-3, A-26

risk rating 10-6

alert and log actions (list) 8-5

alert frequency

modes B-7

alert-frequency command 7-7

alert-severity command 7-9

alert severity configuring 7-9

allocate-ips command 18-4, 19-4, 20-4

ASA 5500 AIP SSM 18-16

ASA 5500-X IPS SSP 19-21

allow-sensor-block command 14-8

alternate TCP reset interface

configuration restrictions 5-14

designating 5-6

restrictions 5-3

Analysis Engine

described 6-2

error messages C-25

errors C-54

IDM exits C-58

sensing interfaces 5-4

verify it is running C-22

virtual sensors 6-2

anomaly detection 9-2

asymmetric traffic 9-2

caution 9-2

configuration sequence 9-5

default anomaly detection configuration 9-4

default configuration (example) 9-4

described 9-2

detect mode 9-4

enabling 9-8

event actions 9-6, B-73

inactive mode 9-4

learning accept mode 9-4

learning process 9-3

limiting false positives 9-37

protocols 9-3

signatures (table) 9-7, B-73

signatures described 9-6

worms

attacks 9-37

described 9-3

zones 9-4

anomaly detection disabling 9-49, C-21

anomaly-detection load command 9-41

anomaly detection operational settings

configuring 9-11, 9-39

described 9-10

anomaly detection policies

copying 9-9

creating 9-9

deleting 9-9

displaying 9-9

editing 9-9

lists 17-29

anomaly-detection save command 9-41

anomaly detection statistics

clearing 9-48

displaying 9-48

Anomaly Detection zones

illegal 9-20

internal 9-12

appliances

GRUB menu 17-3, C-8

initializing 3-8

logging in 2-2

password recovery 17-3, C-8

resetting 17-46

setting system clock 4-35, 17-27

terminal servers

described 2-3, 22-13

setting up 2-3, 22-13

time sources 4-32, C-17

upgrading recovery partition 22-7

Application Inspection and Control. See AIC.

application partition

described A-4

image recovery 22-12

application-policy command 7-18

application policy configuring 7-19

application policy enforcement described 7-18, B-11

applications in XML format A-4

applying software updates C-55

ARC

ACLs 14-22, A-14

authentication A-15

blocking

connection-based A-17

response A-13

unconditional blocking A-17

blocking application 14-2

blocking not occurring for signature C-44

Catalyst switches

VACL commands A-19

VACLs A-16, A-19

VLANs A-16

checking status 14-4, 14-5

described A-4

design 14-2

device access issues C-41

enabling SSH C-44

features A-14

firewalls

AAA A-18

connection blocking A-18

NAT A-18

network blocking A-18

postblock ACL A-16

preblock ACL A-16

shun command A-18

TACACS+ A-18

formerly Network Access Controller 14-1

functions 14-2, A-12

illustration A-13

inactive state C-40

interfaces A-14

maintaining states A-16

master blocking sensors A-14

maximum blocks 14-2

misconfigured master blocking sensor C-45

nac.shun.txt file A-16

NAT addressing A-15

number of blocks A-15

postblock ACL A-16

preblock ACL A-16

prerequisites 14-6

rate limiting 14-4

responsibilities A-13

single point of control A-15

SSH A-14

supported devices 14-6, A-15

Telnet A-14

troubleshooting C-38

VACLs A-14

verifying device interfaces C-43

verifying status C-39

ARP

Layer 2 signatures B-14

protocol B-14

ARP spoof tools

dsniff B-14

ettercap B-14

ASA 5500 AIP SSM

assigning virtual sensors 18-7

bypass mode 18-12

configuration tasks 18-1

creating virtual sensors 18-5

fail-open mode 18-10

fail-over mode 18-10

hw-module module 1 recover configure 18-16

hw-module module slot_number password-reset 18-15

hw-module module slot_number recover boot 18-16

hw-module module slot_number recover stop 18-16

hw-module module slot_number reload 18-15

hw-module module slot_number reset 18-15

hw-module module slot_number shutdown 18-15

initializing 3-13

inline mode 18-10

installing system image 22-28

logging in 2-4

Normalizer engine 18-12, B-38

notes and caveats 18-1

password recovery 17-4, C-10

promiscuous mode 18-10

receiving IPS traffic 18-10

recovering C-62

reimaging 22-27

resetting C-61

resetting the password 17-5, C-10

sensing interface 18-4

session command 2-4

sessioning in 2-4

setup command 3-13

show module command 18-3

task sequence 18-2

time sources 4-33, C-18

verifying initialization 18-3

virtual sensors

assigning policies 18-4, 19-5, 20-5

assigning the interface 18-4, 19-5, 20-5

assigning to security context 18-7

sequence 18-4, 19-4, 20-5

ASA 5500-X IPS SSP

assigning virtual sensors 19-7

bypass mode 19-9

configuration tasks 19-1

creating virtual sensors 19-5

initializing 3-17

logging in 2-5

memory usage 17-16, 19-11, C-76

memory usage values (table) 17-16, 19-11, C-76

no CDP mode support 5-41

Normalizer engine 19-10, B-38, C-75

notes and caveats 19-1

password recovery 17-7, C-12

resetting the password 17-7, C-12

sensing interface 19-4

session command 2-5

sessioning in 2-5

setup command 3-17

show module command 19-3

sw-module module 1 recover configure 19-12

sw-module module slot_number password-reset 19-12

sw-module module slot_number reload 19-12

sw-module module slot_number reset 19-12

sw-module module slot_number shutdown 19-12

task sequence 19-2

time sources 4-33, C-18

verifying initialization 19-3

virtual sensors

assigning policies 18-4, 19-5, 20-5

assigning the interface 18-4, 19-5, 20-5

virtual sensor sequence 18-4, 19-4, 20-5

ASA 5585-X IPS SSP

assigning virtual sensors 20-8

bypass mode 20-10

configuration tasks 20-1

creating virtual sensors 20-5

hw-module module 1 recover configure 20-12

hw-module module slot_number password-reset 20-12

hw-module module slot_number recover boot 20-12

hw-module module slot_number recover stop 20-12

hw-module module slot_number reload 20-12

hw-module module slot_number reset 20-12

hw-module module slot_number shutdown 20-12

initializing 3-20

installing system image 22-32

interfaces

command and control 20-4

described 20-4

port numbers 20-4

sensing 20-4

slot numbers 20-4

logging in 2-6

no CDP mode support 5-41, 20-1

Normalizer engine 20-10, B-38, C-82

notes and caveats 20-1

password recovery 17-8, C-14

resetting the password 17-9, C-14

sensing interface 20-4

session command 2-6

sessioning in 2-6

setup command 3-20

show module command 20-3

task sequence 20-2

time sources 4-33, C-18

verifying initialization 20-3

virtual sensors

assigning policies 18-4, 19-5, 20-5

assigning the interface 18-4, 19-5, 20-5

assigning to security context 20-7

sequence 20-5

ASA IPS modules

jumbo packet count 5-42, 18-15, 19-11, 20-11, C-65, C-76, C-83

ASDM

resetting passwords 17-6, 17-8, 17-10, C-12, C-13, C-15

assigning

interfaces to virtual sensors (ASA 5500 AIP SSM) 18-4, 19-5, 20-5

interfaces to virtual sensors (ASA 5500-X IPS SSP) 18-4, 19-5, 20-5

interfaces to virtual sensors (ASA 5585-X IPS SSP) 18-4, 19-5, 20-5

policies to virtual sensors (ASA 5500 AIP SSM) 18-4, 19-5, 20-5

policies to virtual sensors (ASA 5500-X IPS SSP) 18-4, 19-5, 20-5

policies to virtual sensors (ASA 5585-X IPS SSP) 18-4, 19-5, 20-5

assigning interfaces to virtual sensors 6-5

assigning policies to virtual sensors 6-5

asymmetric mode

described 6-4

normalization 6-4

asymmetric traffic

anomaly detection 9-2

caution 9-2

asymmetric traffic and disabling anomaly detection 9-49, C-21

Atomic ARP engine

described B-14

parameters (table) B-14

Atomic IP Advanced engine

described B-15

parameters (table) B-17

restrictions B-16

Atomic IP engine

described B-25

parameters (table) B-25

Atomic IPv6 engine

described B-29

Neighborhood Discovery protocol B-29

signatures B-29

attack relevance rating

calculating risk rating 8-14

described 8-14, 8-26

Attack Response Controller

described A-4

formerly known as Network Access Controller A-4

See ARC

attack severity rating

calculating risk rating 8-13

described 8-13

attemptLimit command 4-30

audit mode

described 10-9

testing global correlation 10-9

authenticated NTP 4-2, 4-32, 4-41, C-17

authentication

local 4-17

RADIUS 4-17

AuthenticationApp

authenticating users A-21

described A-4

login attempt limit A-21

method A-21

responsibilities A-20

secure communications A-21

sensor configuration A-20

Authentication pane

user roles A-30

authorized keys

defining 4-45

RSA authentication 4-45

automatic setup 3-2

automatic upgrade

information required 22-8

troubleshooting C-55

autonegotiation for hardware bypass 5-12

auto-upgrade-option command 22-8

B

backing up

configuration 16-23, C-3

current configuration 16-22, C-4

BackOrifice. See BO.

BackOrifice 2000. See BO2K.

backup-config command 16-19

banner login command 17-20

basic setup 3-4

block connection command 14-33

block-enable command 14-9

block hosts command 14-31

blocking

addresses never to block 14-19

block time 14-13

connection 14-33

described 14-2

disabling 14-10

hosts 14-31

list of blocked hosts 14-33

managing firewalls 14-27

managing routers 14-23

managing switches 14-26

master blocking sensor 14-28

maximum entries 14-11

necessary information 14-3

notes and caveats 14-1

prerequisites 14-6

properties 14-7

sensor block itself 14-8

show statistics 14-33

supported devices 14-6

types 14-3

user profiles 14-20

blocking not occurring for signature C-44

block network command 14-32

BO

described B-75

Trojans B-75

BO2K

described B-75

Trojans B-75

Bug Toolkit

described C-1

URL C-1

bypass mode

ASA 5500 AIP SSM 18-12

ASA 5500-X IPS SSP 19-9

ASA 5585-X IPS SSP 20-10

configuring 5-39

described 5-38

bypass-option command 5-39

C

calculating risk rating

attack relevance rating 8-14

attack severity rating 8-13

promiscuous delta 8-14

signature fidelity rating 8-13

target value rating 8-14

watch list rating 8-14

cannot access sensor C-26

capture packet files

notes and caveats 13-1

capturing live traffic 13-5

caution for clearing databases 17-12

CDP mode

ASA 5500-X IPS SSP 5-41

ASA 5585-X IPS SSP 5-41, 20-1

configuring 5-41

described 5-41

interfaces 5-41

certificates (IDM) 4-47

changing 4-27

access lists 4-6

CLI inactivity timeout 4-12

FTP timeout 4-8

host IP address 4-4

hostname 4-3

passwords 4-27

privilege 4-27

web server settings 4-14

cidDump obtaining information C-109

CIDEE

defined A-34

example A-34

IPS extensions A-34

protocol A-34

supported IPS events A-34

cisco

default password 2-2

default username 2-2

Cisco.com

accessing software 21-2

downloading software 21-1

software downloads 21-1

Cisco Discovery Protocol. See CDP.

Cisco IOS rate limiting 14-4

cisco-security-agents-mc-settings command 11-5

Cisco Security Intelligence Operations

described 21-8

URL 21-8

Cisco Services for IPS

service contract 4-51

supported products 4-51

clear database command 17-12

clear denied-attackers command 8-36, 17-27

clear events command 4-33, 8-41, 17-26, C-19, C-109

clearing

anomaly detection statistics 9-48

denied attackers statistics 8-37, 17-28

events 8-41, 17-26, C-109

global correlation statistics 10-15

OS IDs 8-32

sensor databases 17-12

statistics 17-31, C-93

clearing databases caution 17-12

clear line command 17-21

clear os-identification command 8-31

CLI

command line editing 1-6

command modes 1-7

default keywords 1-10

described A-4, A-30

error messages D-1

generic commands 1-10

password recovery 17-10, C-16

regular expression syntax 1-8

CLI behavior 1-5

case sensitivity 1-6

display options 1-6

help 1-5

prompts 1-5

recall 1-5

tab completion 1-5

client manifest described A-29

CLI guide introduction 1-1

CLI inactivity timeout

configuring 4-12

described 4-12

cli-inactivity-timeout command 4-12

CLI session termination 17-21

clock set command 4-35, 17-27

CollaborationApp described A-4, A-28

command and control interface

described 5-3

list 5-3

command and control interface described (ASA 5585-X IPS SSP) 20-4

command line editing (table) 1-6

command modes 1-7

anomaly detection configuration 1-7

event action rules configuration 1-7

EXEC 1-7

global configuration 1-7

privileged EXEC 1-7

service mode configuration 1-7

signature definition configuration 1-7

commands 15-4, 18-3, 20-3

access-list 4-6

alert-frequency 7-7

alert-severity 7-9

allocate-ips 18-4, 19-4, 20-4

allow-sensor-block 14-8

anomaly-detection load 9-41

anomaly-detection save 9-41

application-policy 7-18

attemptLimit 4-30

auto-upgrade-option 22-8

backup-config 16-19

banner login 17-20

block connection 14-33

block-enable 14-9

block hosts 14-31

block network 14-32

bypass-option 5-39

cisco-security-agents-mc-settings 11-5

clear database 17-12

clear denied-attackers 8-36, 17-27

clear events 4-33, 8-41, 17-26, C-19, C-109

clear line 17-21

clear os-identification 8-31

cli-inactivity-timeout 4-12

clock set 4-35, 17-27

copy ad-knowledge-base 9-42

copy anomaly-detection 9-9

copy backup-config 16-21, C-3

copy current-config 16-21, C-3

copy event-action-rules 8-8

copy iplog 12-7

copy license-key 4-52

copy packet-file 13-6

copy signature-definition 7-2

current-config 16-19

debug module-boot C-62

default service anomaly-detection 9-9

default service event-action-rules 8-8

default service signature-definition 7-2

deny attacker 8-35

downgrade 22-11

enable-acl-logging 14-14

enable-detail-traps 15-4

enable-nvram-write 14-15

erase 16-23

erase ad-knowledge-base 9-42

erase license-key 4-55

erase packet-file 13-7

event-action 7-15

event-action-rules-configurations 17-29

event-counter 7-10

external-zone 9-29

filters 8-21

fragment-reassembly 7-30

ftp-timeout 4-8

global-block-timeout 8-34, 14-13

global-deny-timeout 8-34

global-filters-status 8-34

global-metaevent-status 8-34

global-overrides-status 8-34

global-parameters 6-12

global-summarization 8-34

health-monitor 10-8

host-ip 4-4

host-name 4-3

hw-module module 1 recover configure 18-16, 20-12

hw-module module 1 reset C-61

hw-module module slot_number password-reset 17-5, 17-9, 18-15, 20-12, C-10, C-14

hw-module module slot_number recover boot 18-16, 20-12

hw-module module slot_number recover stop 18-16, 20-12

hw-module module slot_number reload 18-15, 20-12

hw-module module slot_number reset 18-15, 20-12

hw-module module slot_number shutdown 18-15, 20-12

ignore 9-10

illegal-zone 9-21

inline-interfaces 5-21

interface-notifications 5-40

internal-zone 9-12

ip-log 7-39

iplog 12-3

ip-log-bytes 12-2

ip-log-packets 12-2

iplog-status 12-5

ip-log-time 12-2

ipv6-target-value 8-15

learning-accept-mode 9-38

list anomaly-detection-configurations 9-9, 17-29

list event-action-rules-configurations 8-8

list signature-definition-configurations 7-2

log-all-block-events-and-errors 14-16

login-banner-text 4-9

max-block-entries 14-11

max-denied-attackers 8-34

max-interfaces 14-17

more 16-19

more current-config 16-1

never-block-hosts 14-19

never-block-networks 14-19

no iplog 12-6

no ipv6-target-value 8-15

no service anomaly-detection 9-9

no service event-action-rules 8-8

no service signature-definition 7-2

no target-value 8-15

no variables 8-11

os-identifications 8-28

other 9-18, 9-27, 9-35

overrides 8-17

packet capture 13-4

packet-display 13-2

password 4-15, 4-26

permit-packet-logging 4-23

physical-interfaces 5-15, 5-26, 5-32

ping 17-45

privilege 4-15, 4-27

rename ad-knowledge-base 9-42

reset 17-46

service anomaly-detection 9-9

service event-action-rules 8-8

service signature-definition 7-2

setup 3-2, 3-4, 3-8, 3-13, 3-17, 3-20

show ad-knowledge-base diff 9-44, 9-45

show ad-knowledge-base files 9-40, 9-41

show clock 4-34, 17-26

show configuration 16-1

show context 18-7, 19-7, 20-8

show events 8-39, 17-23, C-106

show health 10-9, 17-20, C-84

show history 17-47

show inspection-load 17-13

show interfaces 5-42

show inventory 17-47

show module 1 details 20-12, C-61, C-66, C-77

show os-identification 8-31

show settings 16-3, 16-18, 17-11, 17-50, C-16

show statistics 14-33, 17-30, C-92

show statistics anomaly-detection 9-47

show statistics denied-attackers 8-36, 17-27

show statistics virtual-sensor 17-30, C-25, C-92

show tech-support 17-42, C-85

show users 4-28

show version 17-43, C-89

sig-fidelity-rating 7-12, 7-14

signature-definition-configurations 17-29

snmp-agent-port 15-2

snmp-agent-protocol 15-2

ssh authorized-key 4-45

ssh-generate-key 4-46

ssh host-key 4-43, 4-44

status 7-13

stream-reassembly 7-38

subinterface-type 5-27, 5-33

summertime-option non-recurring 4-37

summertime-option recurring 4-35

sw-module module 1 recover configure 19-12

sw-module module slot_number password-reset 17-7, 19-12, C-12

sw-module module slot_number reload 19-12

sw-module module slot_number reset 19-12

sw-module module slot_number shutdown 19-12

target-value 8-15

tcp 9-13, 9-22, 9-30

telnet-option 4-5

terminal 17-22

time-zone-settings 4-39

tls generate-key 4-49

tls trusted-host 4-48

trace 17-49

trap-community-name 15-4

trap-destinations 15-4

udp 9-16, 9-24, 9-32

unlock user username 4-31

upgrade 22-4, 22-6

username 4-15

user-profile 14-20

variables 7-4, 8-11

virtual-sensor name 6-5, 18-4, 19-5, 20-5

worm-timeout 9-10

comparing KBs 9-44

component signatures

risk rating B-34

configuration files

backing up 16-23, C-3

merging 16-23, C-3

configuration restrictions

alternate TCP reset interface 5-14

inline interface pairs 5-13

inline VLAN pairs 5-13

interfaces 5-13

physical interfaces 5-13

VLAN groups 5-14

configuration sequence

ASA 5500 AIP SSM 18-2

ASA 5500-X IPS SSP 19-2

ASA 5585-X IPS SSP 20-2

configured OS mapping (example) 8-28

configuring

AAA authentication 4-20

access lists 4-6

account locking 4-30

account unlocking 4-31

ACL logging 14-14

alert frequency parameters 7-8

alert severity 7-9

anomaly detection operational settings 9-11, 9-39

application policy 7-19, 7-27

automatic IP logging 12-3

automatic upgrades 22-9

blocking

firewalls 14-27

routers 14-23

switches 14-26

time 14-13

bypass mode 5-39

CDP mode 5-41

cli-inactivity-timeout 4-12

connection blocking 14-33

CSA MC IPS interfaces 11-4

DNS servers 4-11

event action filters 8-23

event actions 7-16

event counter 7-10

external zone 9-29

ftp-timeout 4-8

global correlation 10-10, 10-12

health statistics 17-17

host blocks 14-31

host IP address 4-4

hostname 4-3

hosts never to block 14-19

illegal zone 9-21

inline interface pairs 5-22

inline VLAN groups 5-33

inline VLAN pairs 5-27

internal zone 9-13

IP fragment reassembly 7-31

IP fragment reassembly parameters 7-30, 7-37

IP logging 7-39

logging all blocking events and errors 14-16

logical devices 14-20

login-banner-text 4-9

manual IP logging 12-4

master blocking sensor 14-29

maximum block entries 14-12

maximum blocking interfaces 14-18

maximum denied attackers 8-34

Meta Event Generator 8-34

network blocks 14-32

networks never to block 14-19

NTP servers 4-40

NVRAM write 14-15

OS maps 8-29

other protocols

external zone 9-35

illegal zone 9-27

internal zone 9-19

packet command restrictions 4-24

password policy 4-29

passwords 4-27

physical interfaces 5-17

privilege 4-27

proxy servers 4-11

sensor sequence 1-1

sensor to block itself 14-8

sensor to use NTP 4-41

signature fidelity rating 7-12, 7-14

status 7-13

summarizer 8-34

summertime

non-recurring 4-37

recurring 4-35

TCP

external zone 9-30

illegal zone 9-22

internal zone 9-14

TCP stream reassembly 7-38

telnet-option 4-5

time zone settings 4-39

traffic flow notifications 5-40

UDP

external zone 9-33

illegal zone 9-24

internal zone 9-16

upgrades 22-5

user profiles 14-20

web server settings 4-13

configuring interfaces

notes and caveats 5-1

sequence 5-15

control transactions

characteristics A-9

request types A-9

copy ad-knowledge-base command 9-42

copy anomaly-detection command 9-9

copy backup-config command 16-21, C-3

copy command syntax 9-42

copy current-config command 16-21, C-3

copy event-action-rules command 8-8

copying

anomaly detection policies 9-9

event action rules policies 8-8

IP log files 12-7

KBs 9-42, 9-43

packet files 13-7

signature definition policies 7-2

copy iplog command 12-7

copy license-key command 4-52

copy packet-file command 13-6

copy signature-definition command 7-2

correcting time on the sensor 4-33, C-19

creating

anomaly detection policies 9-9

Atomic IP Advanced signatures 7-51

banner logins 17-20

custom signatures 7-41

event action rules policies 8-8

event action variables 8-11

global parameters 6-12

Meta signatures 7-49

OS maps 8-29

Post-Block VACLs 14-26

Pre-Block VACLs 14-26

service HTTP signatures 7-46

signature definition policies 7-2

string TCP signatures 7-43

string TCP XL signatures 7-52, 7-56

user profiles 14-20

virtual sensors 6-6, 6-9

creating the service account 4-25, C-6

cryptographic account

Encryption Software Export Distribution Authorization form 21-2

obtaining 21-2

CSA MC

configuring IPS interfaces 11-4

host posture events 11-2, 11-4

quarantined IP address events 11-2

supported IPS interfaces 11-4

CtlTransSource

described A-4, A-11

illustration A-12

Ctrl-N 1-5

Ctrl-P 1-5

current-config command 16-19

current configuration back up 16-23, C-3

custom signatures

AIC MIME-type 7-27

Atomic IP Advanced signature 7-51

configuration sequence 7-41

described 7-4

Meta signature 7-49

service HTTP example 7-46

String TCP 7-43

String TCP XL 7-52, 7-56

D

data nodes B-70

data structures (examples) A-8

DDoS

protocols B-75

Stacheldraht B-75

TFN B-75

debug logging enable C-47

debug-module-boot command C-62

default blocking time 14-13

default keywords 1-10

defaults

password 2-2

username 2-2

virtual sensor vs0 6-2

default service anomaly-detection command 9-9

default service event-action-rules command 8-8

default service signature-definition command 7-2

defining authorized keys 4-45

defining signatures 7-1

deleting

anomaly detection policies 9-9

denied attackers list 8-37, 17-28

event action rules policies 8-8

event action variables 8-11

inline interface pairs 5-24

inline VLAN pairs 5-30

OS maps 8-31

signature definition policies 7-2

signature variables 7-5

target value ratings 8-16

VLAN groups 5-37

Denial of Service. See DoS.

denied attackers add 8-36

deny actions (list) 8-5

deny attacker command 8-35

deny-packet-inline described 8-7

detect mode (anomaly detection) 9-4

device access issues C-41

diagnosing network connectivity 17-45

disabling

anomaly detection 9-49, C-21

blocking 14-10

global correlation 10-14

password recovery 17-10, C-16

signatures 7-13

Telnet 4-5

disaster recovery C-6

displaying

anomaly detection policies 9-9

anomaly detection policy lists 17-29

anomaly detection statistics 9-48

contents of logical file 16-20

current configuration 16-1

current submode configuration 16-3

event action rules policies 8-8

event actions rules lists 17-29

events 8-39, 17-24, C-107

global correlation statistics 10-15

health status 17-20, C-84

inspection load 17-13

interface statistics 5-43

IP log contents 12-5

KB files 9-40

KB thresholds 9-46

live traffic 13-3

OS IDs 8-32

password recovery setting 17-11, C-16

PEP information 17-47

policy lists 17-29

signature definition lists 17-29

statistics 17-31, C-93

submode settings 17-50

system clock 4-34, 17-26

tech support information 17-42, C-86

version 17-43, C-89

Distributed Denial of Service. See DDoS.

DNS servers

configuring 4-11

DoS tools

Stacheldraht B-75

stick B-7

TFN B-75

downgrade command 22-11

downgrading sensors 22-11

downloading Cisco software 21-1

duplicate IP addresses C-29

E

editing

anomaly detection policies 9-9

event action rules policies 8-8

event action variables 8-11

signature definition policies 7-2

signature variables 7-5

target value ratings 8-16

efficacy

described 10-5

measurements 10-5

enable-acl-logging command 14-14

enable-detail-traps command 15-4

enable-nvram-write command 14-15

enabling

anomaly detection 9-8

signatures 7-13

Telnet 4-5

enabling debug logging C-47

Encryption Software Export Distribution Authorization form

cryptographic account 21-2

described 21-2

engines

AIC 7-17, B-11

AIC FTP B-11

AIC HTTP B-11

Atomic ARP B-14

Atomic IP B-25

Atomic IP Advanced B-15

Atomic IPv6 B-29

Fixed B-30

Fixed ICMP B-30

Fixed TCP B-30

Fixed UDP B-30

Flood B-32

Flood Host B-32

Flood Net B-32

Master B-4

Meta B-33

Multi String B-36

Normalizer B-37

Service B-41

Service DNS B-41

Service FTP B-42

Service Generic B-43

Service H225 B-45

Service HTTP 7-44, B-47

Service IDENT B-49

Service MSRPC B-50

Service MSSQL B-52

Service NTP B-53

Service P2P B-54

Service RPC B-54

Service SMB Advanced B-56

Service SNMP B-58

Service SSH B-59

Service TNS B-60

State B-61

String 7-41, B-63

String ICMP 7-41, B-63

String TCP 7-41, B-63

String UDP 7-41, B-63

Sweep B-69

Sweep Other TCP B-72

Traffic Anomaly B-72

Traffic ICMP B-74

Trojan B-75

erase ad-knowledge-base command 9-42

erase command 16-23

erase license-key command 4-55

erase packet-file command 13-7

erasing

current configuration 16-24

KBs 9-42, 9-43

packet files 13-7

error messages

described D-1

validation D-5

errors (Analysis Engine) C-54

evAlert A-9

event-action command 7-15

event action filters

described 8-20

using variables 8-21

event action overrides

described 8-17

risk rating range 8-17

event action rules

described 8-2

functions 8-2

notes and caveats 8-1

task list 8-8

event action rules lists display 17-29

event action rules policies

copying 8-8

creating 8-8

deleting 8-8

displaying 8-8

editing 8-8

event actions

risk ratings 8-14

threat ratings 8-14

event actions configure 7-16

event-counter command 7-10

event counter configure 7-10

events

clearing 8-41, 17-26, C-109

displaying 8-39, 17-24, C-107

host posture 11-2

quarantined IP address 11-2

Event Store

clearing 8-41, 17-26, C-109

clearing events 4-33, C-19

data structures A-8

described A-4

examples A-8

no alerts C-34

responsibilities A-7

time stamp 4-33, C-19

timestamp A-7

event types C-105

event variables

described 8-10

example 8-11

evError A-9

evLogTransaction A-9

evShunRqst A-9

evStatus A-9

examples

ASA failover configuration 18-14, 19-21, 20-16, C-63, C-74, C-81

default anomaly detection configuration 9-4

KB histogram 9-37

password 4-16

password policy 4-29

privilege 4-16

SPAN configuration for IPv6 support 5-20

System Configuration Dialog 3-3

username 4-16

external product interfaces

adding 11-6

described 11-1

issues 11-3, C-23

notes and caveats 11-1

troubleshooting 11-8, C-24

external zone

configuring 9-29

configuring other protocols 9-35

configuring TCP 9-30

configuring UDP 9-33

described 9-29

external-zone command 9-29

F

fail-over testing 5-11

false positives described 7-3

files Cisco IPS (list) 21-1

filtering

more command 16-16

submode configuration 16-18

filters command 8-21

Fixed engine described B-30

Fixed ICMP engine parameters (table) B-30

Fixed TCP engine parameters (table) B-31

Fixed UDP engine parameters (table) B-32

Flood engine described B-32

Flood Host engine parameters (table) B-33

Flood Net engine parameters (table) B-33

fragment-reassembly command 7-30

FTP servers and software updates 22-3

FTP timeout

configuring 4-8

described 4-8

ftp-timeout command 4-8

G

generating

SSH server host key 4-46

TLS certificate 4-50

generic commands 1-10

global-block-timeout command 8-34, 14-13

global correlation 10-1

described 10-2

disabling about 10-13

DNS server 10-7

DNS servers 4-11

error messages A-29

features 10-6

goals 10-6

health metrics 10-8

health status 10-8

HTTP proxy server 10-7

license 3-1, 3-5, 10-1, 10-7, 10-9

no IPv6 support 8-1, 8-10, 8-11, 8-15, 8-20, 8-21, 10-2, 10-7

notes and caveats 10-1

options 10-10, 10-11, 10-13

Produce Alert 8-5

proxy servers 4-11

requirements 10-7

risk rating 10-6

troubleshooting 10-13, C-21

update client (illustration) 10-9

Global Correlation Update

client described A-28

server described A-28

global-deny-timeout command 8-34

global-filters-status command 8-34

global-metaevent-status command 8-34

global-overrides-status command 8-34

global parameters

adding 6-12

creating 6-12

maximum open IP logs 6-12

options 6-12

global-parameters command 6-12

global-summarization command 8-34

GRUB menu password recovery 17-3, C-8

H

H.225.0 protocol B-45

H.323 protocol B-45

hardware bypass

autonegotiation 5-12

configuration restrictions 5-12

fail-over 5-11

IPS 4260 5-11

IPS 4270-20 5-11

supported configurations 5-11

with software bypass 5-11

health-monitor command 10-8

health statistics configuration 17-17

health status

displaying 17-20, C-84

global correlation 10-8

help

question mark 1-5

using 1-5

host blocks configure 14-31

host IP address

changing 4-4

configuring 4-4

host-ip command 4-4

hostname

changing 4-3

configuring 4-3

host-name command 4-3

host posture events

CSA MC 11-4

described 11-2

HTTP/HTTPS servers supported 22-3

HTTP advanced decoding

described 6-4

platform support 6-4

restrictions 6-4

HTTP deobfuscation

ASCII normalization 7-45, B-47

described 7-45, B-47

hw-module module 1 recover configure command 18-16, 20-12

hw-module module 1 reset command C-61

hw-module module slot_number password-reset command 17-5, 17-9, 18-15, 20-12, C-10, C-14

hw-module module slot_number recover boot command 18-16, 20-12

hw-module module slot_number recover stop command 18-16, 20-12

hw-module module slot_number reload command 18-15, 20-12

hw-module module slot_number reset command 18-15, 20-12

hw-module module slot_number shutdown command 18-15, 20-12

I

IDAPI

communications A-4, A-32

described A-4

functions A-32

illustration A-32

responsibilities A-32

IDCONF

described A-33

example A-33

RDEP2 A-33

XML A-33

IDIOM

defined A-33

messages A-33

IDM

Analysis Engine is busy C-58

certificates 4-47

TLS 4-47

will not load C-57

ignore command 9-10

illegal zone

configuring 9-21

configuring other protocols 9-27

configuring TCP 9-22

configuring UDP 9-24

described 9-20

protocols 9-20

illegal-zone command 9-21

IME time synchronization problems C-60

inactive mode (anomaly detection) 9-4

initializing

appliances 3-8

ASA 5500 AIP SSM 3-13

ASA 5500-X IPS SSP 3-17

ASA 5585-X IPS SSP 3-20

sensors 3-2, 3-4

user roles 3-1, 3-2

verifying 3-24

verifying (ASA 5500 AIP SSM) 18-3

verifying (ASA 5500-X IPS SSP) 19-3

verifying (ASA 5585-X IPS SSP) 20-3

initializing the sensor (notes and caveats) 3-1

inline interface pair mode

configuration restrictions 5-13

described 5-20

illustration 5-21

inline interface pairs

configuring 5-22

deleting 5-24

inline-interfaces command 5-21

inline mode

interface cards 5-4

normalization 6-4

pairing interfaces 5-4

inline TCP session tracking modes described 6-4

inline VLAN groups

configuring 5-33

deleting 5-37

inline VLAN pair mode

configuration restrictions 5-13

described 5-25

illustration 5-26

supported sensors 5-25

inline VLAN pairs

configuring 5-27

deleting 5-30

inspection load

description 17-13

displaying 17-13

installer major version 21-5

installer minor version 21-5

installing

license key 4-53

system image

ASA 5500 AIP SSM 22-28

ASA 5500-X IPS SSP 22-30

ASA 5585-X IPS SSP 22-32

IPS 4240 22-14

IPS 4255 22-14

IPS 4260 22-17

IPS 4270-20 22-19

IPS 4345 22-22

IPS 4360 22-22

IPS 4510 22-25

IPS 4520 22-25

InterfaceApp

described A-20

interactions A-20

NIC drivers A-20

InterfaceApp described A-4

interface configuration sequence 5-15

interface-notifications command 5-40

interfaces

alternate TCP reset 5-3

command and control 5-3

configuration restrictions 5-13

described 5-3

displaying live traffic 13-3

port numbers 5-3

sensing 5-3, 5-4

slot numbers 5-3

support (table) 5-7

TCP reset 5-5

interface statistics displaying 5-43

internal zone

configuring 9-13

configuring other protocols 9-19

configuring TCP 9-14

configuring UDP 9-16

described 9-12

protocols 9-12

internal-zone command 9-12

introducing the CLI guide 1-1

IP fragmentation described B-38

IP fragment reassembly

described 7-28

parameters (table) 7-28

signatures (table) 7-28

ip-log-bytes command 12-2

ip-log command 7-39

iplog command 12-3

IP log contents

displaying 12-5

viewing 12-5

IP log files copying 12-7

IP logging

automatic 12-2

configuring 12-2

copying files 12-7

described 7-39, 12-2

manual 12-4

notes and caveats 12-1

ip-log-packets command 12-2

ip logs

TCPDUMP 12-2

Wireshark 12-2

iplog-status command 12-5

ip-log-time command 12-2

IP packet trace 17-49

IPS 4240

7200 series router C-26

installing system image 22-14

password recovery 17-4, C-9

reimaging 22-14

IPS 4255

installing system image 22-14

password recovery 17-4, C-9

reimaging 22-14

IPS 4260

hardware bypass 5-11

installing system image 22-17

password recovery 17-3, C-9

reimaging 22-17

IPS 4270-20

hardware bypass 5-11

installing system image 22-19

password recovery 17-3, C-9

reimaging 22-19

IPS 4345

installing system image 22-22

password recovery 17-3, 17-4, C-8, C-9

reimaging 22-22

IPS 4360

installing system image 22-22

password recovery 17-3, 17-4, C-8, C-9

reimaging 22-22

IPS 4510

installing system image 22-25

password recovery 17-3, 17-4, C-8, C-9

reimaging 22-25

SwitchApp A-30

IPS 4520

installing system image 22-25

password recovery 17-3, 17-4, C-8, C-9

reimaging 22-25

SwitchApp A-30

IPS applications

summary A-36

table A-36

XML format A-4

IPS clock synchronization 4-33, C-18

IPS data

types A-8

XML document A-9

IPS events

evAlert A-9

evError A-9

evLogTransaction A-9

evShunRqst A-9

evStatus A-9

list A-9

types A-9

IPS internal communications A-32

IPS software

application list A-4

available files 21-1

configuring device parameters A-5

directory structure A-35

Linux OS A-1

obtaining 21-1

platform-dependent release examples 21-6

retrieving data A-5

security features A-5

tuning signatures A-5

updating A-5

user interaction A-5

versioning scheme 21-3

IPS software file names

major updates (illustration) 21-4

minor updates (illustration) 21-4

patch releases (illustration) 21-4

service packs (illustration) 21-4

IPv4

address format 8-10

event variables 8-10

IPv6

address format 8-11

described B-29

event variables 8-11

SPAN ports 5-20

switches 5-20

ipv6-target-value command 8-15

K

KB files

displaying 9-40

KBs

comparing 9-44

copying 9-42, 9-43

described 9-4

erasing 9-42, 9-43

histogram 9-37

initial baseline 9-4

manually loading 9-41

manually saving 9-41

renaming 9-42, 9-43

scanner threshold 9-37

tree structure 9-37

KB thresholds display 9-46

keywords

default 1-10

no 1-10

Knowledge Base. See KB.

L

learning accept mode

anomaly detection 9-4

learning-accept-mode command 9-38

license key

installing 4-53

obtaining 4-50

trial 4-50

uninstalling 4-55

viewing status of 4-51

licensing

described 4-50

IPS device serial number 4-50

Licensing pane

described 4-50

limitations for concurrent CLI sessions 18-1, 19-1, 20-1

list anomaly-detection-configurations command 9-9, 17-29

list event-action-rules-configurations command 8-8, 17-29

list of blocked hosts 14-33

list signature-definition-configurations command 7-2, 17-29

loading

KBs 9-41

log-all-block-events-and-errors command 14-16

Logger

described A-4, A-19

functions A-19

syslog messages A-19

logging in

appliances 2-2

ASA 5500 AIP SSM 2-4

ASA 5500-X IPS SSP 2-5

ASA 5585-X IPS SSP 2-6

notes and caveats 2-1

sensors

SSH 2-7

Telnet 2-7

terminal servers 2-3, 22-13

user role 2-1

login banners

adding 4-9

login-banner-text

configuring 4-9

login-banner-text command 4-9

LOKI

described B-75

protocol B-74

loose connections on sensors C-25

M

MainApp

components A-6

described A-4, A-6

host statistics A-6

responsibilities A-6

show version command A-6

major updates described 21-3

managing

firewalls 14-27

routers 14-23

switches 14-26

manifests

client A-29

server A-29

manual blocking 14-31, 14-33

manual block to bogus host C-44

manually loading

KBs 9-41

manually saving

KBs 9-41

master blocking sensor

described 14-28

not set up properly C-45

verifying configuration C-45

Master engine

alert frequency B-7

alert frequency parameters (table) B-7

described B-4

event actions 8-5, B-8

general parameters (table) B-4

universal parameters B-4

master engine parameters

obsoletes B-7

promiscuous delta B-6

vulnerable OSes B-7

max-block-entries command 14-11

max-denied-attackers command 8-34

maximum open IP logs 6-12

max-interfaces command 14-17

merging configuration files 16-23, C-3

Meta engine

described B-33

parameters (table) B-35

Signature Event Action Processor B-34

Meta signature

component signatures B-34

MIBs supported 15-6, C-20

minor updates described 21-3

modes

anomaly detection detect 9-4

anomaly detection learning accept 9-4

ASA 5500 AIP SSM 18-10

asymmetric 6-4

bypass 5-38

inactive (anomaly detection) 9-4

inline interface pair 5-20

inline TCP tracking 6-4

inline VLAN pair 5-25

Normalizer 6-4

promiscuous 5-19

VLAN groups 5-31

modifying

terminal properties 17-22

monitoring

viewer privileges 1-4

more command 16-19

filtering 16-16

more current-config command 16-1

moving

OS maps 8-30

Multi String engine

described B-36

parameters (table) B-36

Regex B-36

N

Neighborhood Discovery

options B-30

types B-30

network blocks

configuring 14-32

network connectivity diagnosis 17-45

network participation

data gathered 10-4

data use (table) 10-3

described 10-4

health metrics 10-8

modes 10-5

requirements 10-4

SensorBase Network 10-5

statistics 10-5

network participation data

improving signature fidelity 10-5

understanding sensor deployment 10-5

never-block-hosts command 14-19

never-block-networks command 14-19

no iplog command 12-6

no ipv6-target-value command 8-15

normalization described 6-4

Normalizer engine

ASA 5500 AIP SSM 18-12, 19-10, 20-10, B-38, C-64

ASA 5500-X IPS SSP 18-12, 19-10, 20-10, B-38

ASA 5585-X IPS SSP 18-12, 19-10, 20-10, B-38

described B-37

IP fragment reassembly B-38

IPv6 fragments B-38

modify packets inline 6-3

parameters (table) B-39

TCP stream reassembly B-38

no service anomaly-detection command 9-9

no service event-action-rules command 8-8

no service signature-definition command 7-2

no target-value command 8-15

notes and caveats 7-1, 9-2, 10-1

administrative tasks 17-2

anomaly detection 9-2

ASA 5500 AIP SSM 18-1

ASA 5500-X IPS SSP 19-1

ASA 5585-X IPS SSP 20-1

blocking 14-1

capture packet files 13-1

configuring interfaces 5-1

event action rules 8-1

external product interfaces 11-1

initializing the sensor 3-1

IP logging 12-1

logging in 2-1

setting up the sensor 4-1

SNMP 15-1

virtual sensors 6-1

NotificationApp

alert information A-9

described A-4

functions A-9

SNMP gets A-9

SNMP traps A-9

statistics A-11

system health information A-10

no variables command 8-11

NTP

authenticated 4-2, 4-32, 4-41, C-17

configuring servers 4-40

described 4-32, C-17

incorrect configuration C-18

sensor time source 4-40, 4-41

time synchronization 4-32, C-17

unauthenticated 4-2, 4-32, 4-41, C-17

O

obsoletes field described B-7

obtaining

command history 17-47

cryptographic account 21-2

IPS software 21-1

license key 4-50

list of blocked hosts and connections 14-33

used commands list 17-47

operator role privileges 1-4

options

global correlation 10-10, 10-11, 10-13

os-identifications command 8-28

OS IDs

clearing 8-32

displaying 8-32

OS information sources 8-27

OS maps

creating 8-29

deleting 8-31

moving 8-30

other actions (list) 8-6

other command 9-18, 9-27, 9-35

output

clearing current line 1-6

displaying 1-6

overrides command 8-17

P

P2P networks described B-54

packet capture command 13-4

packet command restrictions

configuring 4-24

packet display command 13-2

packet files

viewing

TCPDUMP 13-7

Wireshark 13-7

partitions

application A-4

recovery A-4

passive OS fingerprinting

components 8-26

configuring 8-27

described 8-26

enabled (default) 8-27

password command 4-15, 4-26

password policy

caution 4-29

configuring 4-29

password recovery

appliances 17-3, C-8

ASA 5500 AIP SSM 17-4, C-10

ASA 5500-X IPS SSP 17-7, C-12

ASA 5585-X IPS SSP 17-8, C-14

CLI 17-10, C-16

described 17-3, C-8

disabling 17-10, C-16

displaying setting 17-11, C-16

GRUB menu 17-3, C-8

IPS 4240 17-4, C-9

IPS 4255 17-4, C-9

IPS 4260 17-3, C-9

IPS 4270-20 17-3, C-9

IPS 4345 17-3, 17-4, C-8, C-9

IPS 4360 17-3, 17-4, C-8, C-9

IPS 4510 17-3, 17-4, C-8, C-9

IPS 4520 17-3, 17-4, C-8, C-9

platforms 17-3, C-8

ROMMON 17-4, C-9

troubleshooting 17-11, C-17

verifying 17-11, C-16

passwords 4-27

changing 4-27

configuring 4-27

policy 4-29

patch releases described 21-3

peacetime learning (anomaly detection) 9-3

Peer-to-Peer. See P2P.

PEP information

PID 17-47

SN 17-47

VID 17-47

permit-packet-logging command 4-23

physical connectivity issues C-32

physical interfaces

configuration restrictions 5-13

configuring 5-17

physical-interfaces command 5-15, 5-26, 5-32

ping command 17-45

platforms concurrent CLI sessions 18-1, 19-1, 20-1

policies

passwords 4-29

policy lists

displaying 17-29

Post-Block ACLs 14-22, 14-23

Pre-Block ACLs 14-22, 14-23

prerequisites for blocking 14-6

privilege

changing 4-27

configuring 4-27

privilege command 4-15, 4-27

privilege levels

administrator 1-3

operators 1-3

service 1-3

viewers 1-3

promiscuous delta

calculating risk rating 8-14

described 7-6, 8-14

promiscuous delta described B-6

promiscuous mode

atomic attacks 5-19

configuring 5-20

described 5-19

illustration 5-19

packet flow 5-19

SPAN ports 5-20

TCP reset interfaces 5-5

VACL capture 5-20

prompts

default input 1-5

protocols

ARP B-14

CDP 5-41

CIDEE A-34

DCE B-50

DDoS B-75

H.323 B-45

H.225.0 B-45

HTTP 4-13

ICMPv6 B-15

IDAPI A-32

IDCONF A-33

IDIOM A-33

IPv6 B-29

LOKI B-74

MSSQL B-52

Neighborhood Discovery B-29

Q.931 B-45

RPC B-50

SDEE A-34

proxy servers

configuring 4-11

Q

Q.931 protocol

described B-45

SETUP messages B-45

quarantined IP address events described 11-2

R

RADIUS authentication

described 4-17

service account 4-26

shared secret 4-21, 4-22

rate limiting

ACLs 14-5

described 14-4

routers 14-4

service policies 14-5

supported signatures 14-4

raw expression syntax

described B-66

expert mode B-66

Raw Regex

described 7-53, 7-56, B-66

expert mode 7-53, 7-56, B-66

recall

help and tab completion 1-5

using 1-5

recover command 22-11

recovering

application partition image 22-12

ASA 5500 AIP SSM C-62

recovery partition

described A-4

upgrade 22-7

Regex

described 1-8

Multi String engine B-36

standardized B-1

Regular Expression. See also Regex.

regular expression syntax

described 1-8

raw Regex 7-53, 7-56, B-66

signatures B-9

table 1-8

reimaging

ASA 5500 AIP SSM 22-27

ASA 5500-X IPS SSP 22-30

described 22-2

IPS 4240 22-14

IPS 4255 22-14

IPS 4260 22-17

IPS 4270-20 22-19

IPS 4345 22-22

IPS 4360 22-22

IPS 4510 22-25

IPS 4520 22-25

sensors 22-2, 22-11

removing

last applied

service pack 22-11

signature update 22-11

users 4-16

rename ad-knowledge-base command 9-42

renaming KBs 9-42, 9-43

reputation

described 10-3

illustration 10-4

servers 10-3

reset command 17-46

reset not occurring for a signature C-53

resetting

appliances 17-46

ASA 5500 AIP SSM C-61

passwords

ASDM 17-6, 17-8, 17-10, C-12, C-13, C-15

hw-module command 17-5, 17-9, C-10, C-14

sw-module command 17-7, C-12

resetting the password

ASA 5500 AIP SSM 17-5, C-10

ASA 5500-X IPS SSP 17-7, C-12

ASA 5585-X IPS SSP 17-9, C-14

restoring the current configuration 16-22, C-5

retiring

signatures 7-13

risk rating

Alarm Channel 10-6

calculating 8-13

component signatures B-34

described 8-26

global correlation 10-6

reputation score 10-6

ROMMON

ASA 5585-X IPS SSP 22-34

described 22-13

IPS 4240 17-4, 22-14, C-9

IPS 4255 17-4, 22-14, C-9

IPS 4260 22-17

IPS 4270-20 22-19

IPS 4345 17-4, 22-22, C-9

IPS 4360 17-4, 22-22, C-9

IPS 4510 17-4, 22-25, C-9

IPS 4520 17-4, 22-25, C-9

password recovery 17-4, C-9

remote sensors 22-13

serial console port 22-13

TFTP 22-13

round-trip time. See RTT.

RPC portmapper B-54

RSA authentication

authorized keys 4-45

RTT

described 22-13

TFTP limitation 22-13

S

saving KBs 9-41

scheduling automatic upgrades 22-9

SDEE

described A-34

HTTP A-34

protocol A-34

server requests A-34

searching

submode configuration 16-18

security

account locking 4-30

information on Cisco Security Intelligence Operations 21-8

SSH 4-43

security policies described 7-1, 8-2, 9-2

sensing interface

ASA 5500 AIP SSM 18-4

ASA 5500-X IPS SSP 19-4

ASA 5585-X IPS SSP 20-4

sensing interfaces

Analysis Engine 5-4

described 5-4

interface cards 5-4

modes 5-4

sensing interfaces described (ASA 5585-X IPS SSP) 20-4

SensorApp

Alarm Channel A-24

Analysis Engine A-24

described A-4

event action filtering A-25

inline packet processing A-24

IP normalization A-25

packet flow A-26

processors A-23

responsibilities A-23

risk rating A-25

Signature Event Action Processor A-23

TCP normalization A-25

SensorBase Network

described 10-2

network participation 10-5

participation 10-2

servers 10-2

sensor databases

clearing 17-12

sensors

access problems C-26

application partition image 22-12

asymmetric traffic and disabling anomaly detection 9-49, C-21

command and control interfaces (list) 5-3

configuration sequence 1-1

configuring to use NTP 4-41

corrupted SensorApp configuration C-37

disaster recovery C-6

downgrading 22-11

incorrect NTP configuration C-18

initializing 3-2, 3-4

interface support 5-7

IP address conflicts C-29

logging in

SSH 2-7

Telnet 2-7

loose connections C-25

managing

firewalls 14-27

routers 14-23

switches 14-26

misconfigured access lists C-29

no alerts C-34, C-59

not seeing packets C-35

NTP time source 4-41

NTP time synchronization 4-32, C-17

partitions A-4

physical connectivity C-32

preventive maintenance C-2

reimaging 22-2

sensing process not running C-31

setup command 3-2, 3-4, 3-8

time sources 4-32, C-17

troubleshooting software upgrades C-56

upgrading 22-5

using NTP time source 4-40

server manifest described A-29

service account

accessing 4-25, C-5

cautions 4-2, 4-25, C-5

creating 4-25, C-6

described 4-25, A-31, C-5

RADIUS authentication 4-26

TAC A-31

troubleshooting A-31

service anomaly-detection command 9-9

Service DNS engine

described B-41

parameters (table) B-41

Service engine

described B-41

Layer 5 traffic B-41

service event-action-rules command 8-8

Service FTP engine

described B-42

parameters (table) B-43

PASV port spoof B-42

Service Generic engine

described B-43

no custom signatures B-43

parameters (table) B-44

Service H225 engine

ASN.1PER validation B-45

described B-45

features B-45

parameters (table) B-46

TPKT validation B-45

service HTTP

signature 7-46

Service HTTP engine

described 7-44, B-47

parameters (table) B-48

Service IDENT engine

described B-49

parameters (table) B-50

Service MSRPC engine

DCS/RPC protocol B-50

described B-50

parameters (table) B-51

Service MSSQL engine

described B-52

MSSQL protocol B-52

parameters (table) B-53

Service NTP engine

described B-53

parameters (table) B-53

Service P2P engine described B-54

service packs described 21-3

service role

bypassing CLI

logging in

service role 2-2

described 1-4

privileges 1-4

Service RPC engine

described B-54

parameters (table) B-54

RPC portmapper B-54

service signature-definition command 7-2

Service SMB Advanced engine

described B-56

parameters (table) B-56

Service SNMP engine

described B-58

parameters (table) B-58

Service SSH engine

described B-59

parameters (table) B-59

Service TNS engine

described B-60

parameters (table) B-60

session command

ASA 5500 AIP SSM 2-4

ASA 5500-X IPS SSP 2-5

ASA 5585-X IPS SSP 2-6

sessioning in

ASA 5500 AIP SSM 2-4

ASA 5500-X IPS SSP 2-5

ASA 5585-X IPS SSP 2-6

setting

system clock 4-35, 17-27

setting up

notes and caveats 4-1

terminal servers 2-3, 22-13

setup

automatic 3-2

command 3-2, 3-4, 3-8, 3-13, 3-17, 3-20

simplified mode 3-2

setup command

user roles 3-1, 3-2

shared secret

described 4-21, 4-22

RADIUS authentication 4-21, 4-22

show ad-knowledge-base diff command 9-44, 9-45

show ad-knowledge-base files command 9-40, 9-41

show clock command 4-34, 17-26

show configuration command 16-1

show context command 18-7, 19-7, 20-8

show events command 8-39, 17-23, C-106

show health command 10-9, 17-20, C-84

show history command 17-47

showing

user information 4-28

show inspection-load command 17-13

show interfaces command 5-42, C-104

show inventory command 17-47

show module 1 details command 20-12, C-61, C-66, C-77

show module command 18-3, 19-3, 20-3

show os-identification command 8-31

show settings command 16-3, 16-18, 17-11, 17-50, C-16

show statistics anomaly-detection command 9-47

show statistics command 14-33, 17-30, C-92

show statistics denied-attackers command 8-36, 17-27

show statistics virtual-sensor command 17-30, C-25, C-92

show tech-support command 17-42, C-85

show users command 4-28

show version command 17-43, C-89

sig-fidelity-rating command 7-12, 7-14

signature definition lists

displaying 17-29

signature definition policies

copying 7-2

creating 7-2

deleting 7-2

editing 7-2

signature engines

AIC 7-17, B-11

Atomic B-14

Atomic ARP B-14

Atomic IP B-25

Atomic IP Advanced B-15

Atomic IPv6 B-29

described B-1

Fixed B-30

Flood B-32

Flood Host B-33

Flood Net B-33

list B-2

Master B-4

Meta B-33

Multi String B-36

Normalizer B-37

Regex

patterns B-10

syntax B-9

Service B-41

Service DNS B-41

Service FTP B-42

Service Generic B-43

Service H225 B-45

Service HTTP 7-44, B-47

Service IDENT B-49

Service MSRPC B-50

Service MSSQL B-52

Service NTP B-53

Service P2P B-54

Service RPC B-54

Service SMB Advanced B-56

Service SNMP B-58

Service SSH B-59

Service TNS B-60

State B-61

String 7-41, B-63

Sweep B-69

Sweep Other TCP B-72

Traffic Anomaly B-72

Traffic ICMP B-74

Trojan B-75

signature engine update files described 21-4

Signature Event Action Filter

described 8-3, A-26

parameters 8-3, A-26

Signature Event Action Handler described 8-3, A-27

Signature Event Action Override described 8-3, A-26

Signature Event Action Processor

Alarm Channel 8-3, A-26

components 8-3, A-26

described 8-3, A-23, A-26

signature fidelity rating

calculating risk rating 8-13

configuring 7-12, 7-14

described 8-13

signatures

custom 7-4

default 7-4

described 7-3

false positives 7-3

general parameters 7-6

rate limits 14-4

service HTTP 7-46

string TCP 7-43

string TCP XL 7-52, 7-56

subsignatures 7-3

TCP reset C-53

tuned 7-4

signature update

files 21-4

signature variables

adding 7-5

deleting 7-5

described 7-4

editing 7-5

SNMP

configuring

agent parameters 15-3

traps 15-5

described 15-1

general parameters 15-2

Get 15-1

GetNext 15-1

notes and caveats 15-1

Set 15-1

supported MIBs 15-6, C-20

Trap 15-1

snmp-agent-port command 15-2

snmp-agent-protocol command 15-2

SNMP traps

described 15-2

software architecture

ARC (illustration) A-13

IDAPI (illustration) A-32

software bypass

supported configurations 5-11

with hardware bypass 5-11

software downloads Cisco.com 21-1

software file names

recovery (illustration) 21-5

signature/virus updates (illustration) 21-4

signature engine updates (illustration) 21-5

system image (illustration) 21-5

software release examples

platform-dependent 21-6

platform identifiers 21-7

platform-independent 21-6

software updates

supported FTP servers 22-3

supported HTTP/HTTPS servers 22-3

SPAN port issues C-32

specifying

worm timeout 9-11, 9-39

SSH

adding hosts 4-44

described 4-43

security 4-43

ssh authorized-key command 4-45

ssh generate-key command 4-46

ssh host-key command 4-43, 4-44

SSH known hosts list

adding hosts 4-43

SSH Server

private keys A-22

public keys A-22

SSH server host key

generating 4-46

standards

CIDEE A-34

IDCONF A-33

IDIOM A-33

SDEE A-34

State engine

Cisco Login B-61

described B-61

LPR Format String B-61

parameters (table) B-62

SMTP B-61

statistic display 17-31, C-93

status command 7-13

stopping

IP logging 12-6

stream-reassembly command 7-38

String engine described 7-41, B-63

String ICMP engine parameters (table) B-64

String TCP engine

parameters 7-41

parameters (table) B-64

String TCP engine signature

example 7-43

String TCP XL signature

example 7-52, 7-56

String UDP engine parameters (table) B-65

String XL engine

description B-66

hardware support B-3, B-66

parameters (table) B-67

unsupported parameters B-69

subinterface 0 described 5-31

subinterface-type command 5-27, 5-33

submode configuration

filtering output 16-18

searching output 16-18

submode settings display 17-50

subsignatures described 7-3

summarization

described 8-33

fire-all 8-33

fire-once 8-33

global-summarization 8-33

Meta engine 8-33

summary 8-33

summertime

configuring

non-recurring 4-37

recurring 4-35

summertime-option non-recurring command 4-37

summertime-option recurring command 4-35

supported

FTP servers 22-3

HTTP/HTTPS servers 22-3

IPS interfaces for CSA MC 11-4

Sweep engine B-70

described B-69

parameters (table) B-70

Sweep Other TCP engine

described B-72

parameters (table) B-72

SwitchApp

described A-30

switches

TCP reset interfaces 5-6

sw-module module 1 recover configure command 19-12

sw-module module slot_number password-reset command 17-7, 19-12, C-12

sw-module module slot_number reload command 19-12

sw-module module slot_number reset command 19-12

sw-module module slot_number shutdown command 19-12

syntax

case sensitivity 1-6

system architecture

directory structure A-35

supported platforms A-1

system clock

displaying 4-34, 17-26

system clock setting 4-35, 17-27

system components IDAPI A-32

System Configuration Dialog

described 3-2

example 3-3

system design (illustration) A-2, A-3

system image

installing

ASA 5500 AIP SSM 22-28

ASA 5500-X IPS SSP 22-30

IPS 4240 22-14

IPS 4255 22-14

IPS 4260 22-17

IPS 4270-20 22-19

IPS 4345 22-22

IPS 4360 22-22

IPS 4510 22-25

IPS 4520 22-25

T

tab completion

using 1-5

TAC

PEP information 17-47

service account 4-25, A-31, C-5

show tech-support command 17-42, C-85

troubleshooting A-31

target-value command 8-15

IPv4 8-15

IPv6 8-15

target value rating

calculating risk rating 8-14

described 8-14, 8-15

tasks

configuring the sensor 1-1

tcp command 9-13, 9-22, 9-30

TCPDUMP

copy packet-file command 13-6

expression syntax 13-2

ip logs 12-2

packet capture command 13-5

packet display command 13-2

TCP fragmentation described B-38

TCP reset interfaces

conditions 5-6

described 5-5

list 5-5

promiscuous mode 5-5

switches 5-6

TCP resets

not occurring C-53

TCP stream reassembly

described 7-31

parameters (table) 7-32, 7-37

signatures (table) 7-32, 7-37

tech support information display 17-42, C-86

Telnet

disabling 4-5

enabling 4-5

telnet-option

configuring 4-5

telnet-option command 4-5

terminal

modifying length 17-22

terminal command 17-22

terminal server setup 2-3, 22-13

terminating

CLI sessions 17-21

testing fail-over 5-11

TFN2K

described B-74

Trojans B-75

TFTP servers

recommended

UNIX 22-13

Windows 22-13

RTT 22-13

threat rating

described 8-14

risk rating 8-14

time

correction on the sensor 4-33, C-19

sensors 4-32, C-17

synchronizing IPS clocks 4-33, C-18

time sources

appliances 4-32, C-17

ASA 5500 AIP SSM 4-33, C-18

ASA 5500-X IPS SSP 4-33, C-18

ASA 5585-X IPS SSP 4-33, C-18

time zone settings

configuring 4-39

time-zone-settings command 4-39

TLS

handshaking 4-47

IDM 4-47

web server 4-47

TLS certificates

generating 4-50

tls generate-key command 4-49

tls trusted-host command 4-48

trace command 17-49

tracing

IP packet route 17-49

Traffic Anomaly engine

described B-72

protocols B-72

signatures B-72

traffic flow notifications

configuring 5-40

described 5-40

Traffic ICMP engine

DDoS B-74

described B-74

LOKI B-74

parameters (table) B-75

TFN2K B-74

trap-community-name 15-4

trap-destinations command 15-4

trial license key 4-50

Tribe Flood Network. See TFN.

Tribe Flood Network 2000. See TFN2K.

Trojan engine

BO2K B-75

described B-75

TFN2K B-75

Trojans

BO B-75

BO2K B-75

LOKI B-75

TFN2K B-75

troubleshooting C-1

Analysis Engine busy C-58

applying software updates C-55

ARC

blocking not occurring for signature C-44

device access issues C-41

enabling SSH C-44

inactive state C-40

misconfigured master blocking sensor C-45

verifying device interfaces C-43

ASA 5500 AIP SSM

commands C-61

debugging C-62

failover scenarios 18-13, C-63

recovering C-62

reset C-61

ASA 5500-X IPS SSP

commands C-66

failover scenarios 19-20, C-74

ASA 5585-X IPS SSP

commands 20-12, C-77

failover scenarios 20-16, C-80

traffic flow stopped 20-15, C-82

automatic updates C-55

cannot access sensor C-26

cidDump C-109

cidLog messages to syslog C-51

communication C-26

corrupted SensorApp configuration C-37

debug logger zone names (table) C-51

debug logging C-47

disaster recovery C-6

duplicate sensor IP addresses C-29

enabling debug logging C-47

external product interfaces 11-8, C-24

gathering information C-84

global correlation 10-13, C-21

IDM

cannot access sensor C-58

will not load C-57

IME time synchronization C-60

IPS clock time drift 4-33, C-18

manual block to bogus host C-44

misconfigured access list C-29

no alerts C-34, C-59

NTP C-52

password recovery 17-11, C-17

physical connectivity issues C-32

preventive maintenance C-2

reset not occurring for a signature C-53

sensing process not running C-31

sensor events C-105

sensor loose connections C-25

sensor not seeing packets C-35

sensor software upgrade C-56

service account 4-25, C-5

show events command C-105

show interfaces command C-104

show statistics command C-91, C-92

show tech-support command C-85, C-86

show version command C-89

software upgrades C-54

SPAN

port issue C-32

upgrading C-54

verifying Analysis Engine is running C-22

verifying ARC status C-39

trusted hosts add 4-48

tuned signatures described 7-4

U

udp command 9-16, 9-24, 9-32

unassigned VLAN groups described 5-31

unauthenticated NTP 4-2, 4-32, 4-41, C-17

uninstalling

license key 4-55

unlocking accounts 4-31

unlock user username command 4-31

upgrade command 22-4, 22-6

upgrade notes and caveats

upgrading IPS software 22-1

upgrading

application partition 22-11

latest version C-54

recovery partition 22-7

sensors 22-5

upgrading IPS software

upgrade notes and caveats 22-1

URLs for Cisco Security Intelligence Operations 21-8

user

adding 4-16

username command 4-15

user-profile command 14-20

user profiles 14-20

user roles

administrator 1-3

operator 1-3

service 1-3

viewer 1-3

user roles authentication 4-17

users

adding 4-15

removing 4-15, 4-16

using

debug logging C-47

TCP reset interfaces 5-6

V

VACLs

described 14-3

Post-Block 14-26

Pre-Block 14-26

validation error messages described D-5

variables command 7-4, 8-11

IPv4 8-11

IPv6 8-11

verifying

password recovery 17-11, C-16

sensor initialization 3-24

sensor setup 3-24

version display 17-43, C-89

viewer role privileges 1-4

viewing

IP log contents 12-5

license key status 4-51

user information 4-28

virtualization

advantages 6-2, C-19

restrictions 6-3, C-20

supported sensors 6-3, C-20

traffic capture requirements 6-3, C-20

virtual-sensor name command 6-5, 18-4, 19-5, 20-5

virtual sensors

adding 6-6, 6-9

adding (ASA 5500 AIP SSM) 18-5

adding (ASA 5500-X IPS SSP) 19-5

adding (ASA 5585-X IPS SSP) 20-5

ASA 5500 AIP SSM 18-7

ASA 5500-X IPS SSP 19-7

ASA 5585-X IPS SSP 20-8

assigning interfaces 6-5

assigning policies 6-5

creating 6-6, 6-9

creating (ASA 5500 AIP SSM) 18-5

creating (ASA 5500-X IPS SSP) 19-5

creating (ASA 5585-X IPS SSP) 20-5

default virtual sensor 6-2

described 6-2

displaying KB files 9-40

notes and caveats 6-1

options 6-5, 18-5, 19-5, 20-5

VLAN groups

802.1q encapsulation 5-31

configuration restrictions 5-14

deploying 5-32

switches 5-32

VLAN groups mode

described 5-31

vulnerable OSes field described B-7

W

watch list rating

calculating risk rating 8-14

described 8-14

web server

described A-4, A-23

HTTP 1.0 and 1.1 support A-23

HTTP protocol 4-13

port (default) 4-1, 4-13

private keys A-22

public keys A-22

SDEE support A-23

TLS 4-47

web server settings

changing 4-14

configuring 4-13

Wireshark

copy packet-file command 13-6

ip logs 12-2

worms

Blaster 9-3

Code Red 9-2, 9-3

histograms 9-37

Nimda 9-2

protocols 9-3

Sasser 9-3

scanners 9-3

Slammer 9-3

SQL Slammer 9-2

worm-timeout command 9-10

worm timeout specify 9-11, 9-39

Z

zones

external 9-4

illegal 9-4

internal 9-4