Cisco Intrusion Prevention System Device Manager Configuration Guide for IPS 7.1
Index

Numerics

4GE bypass interface card

configuration restrictions 5-13

described 5-12

802.1q encapsulation for VLAN groups 5-17

A

AAA RADIUS

functionality 4-18

limitations 4-18

accessing

IPS software 21-1

service account 4-17, C-5

access list misconfiguration C-28

access lists

necessary hosts 3-3

Startup Wizard 3-3

account locking

configuring 4-24

security 4-24

account unlocking configuring 4-26

ACLs

adding 3-5

described 13-2

Post-Block 13-17

Pre-Block 13-17

Active Host Blocks pane

field descriptions 14-3

user roles 14-3

ad0 pane

default 10-10

described 10-10

tabs 10-10

Add ACL Entry dialog box field descriptions 3-4

Add Active Host Block dialog box field descriptions 14-4

Add Allowed Host dialog box

field descriptions 4-5

user roles 4-5

Add Authorized Key dialog box

field descriptions 12-3

user roles 12-2

Add Blocking Device dialog box

field descriptions 13-14

user roles 13-13

Add Cat 6K Blocking Device Interface dialog box

field descriptions 13-22

user roles 13-20

Add Configured OS Map dialog box

field descriptions 6-33, 9-27

user roles 6-32, 9-24

Add Destination Port dialog box field descriptions 10-16

Add Device Login Profile dialog box

field descriptions 13-12

user roles 13-11

Add Event Action Filter dialog box

field descriptions 6-22, 9-16

user roles 6-21, 9-15

Add Event Action Override dialog box

field descriptions 6-12, 9-14

user roles 6-12, 9-13

Add Event Variable dialog box

field descriptions 6-36, 9-30

user roles 9-29

Add External Product Interface dialog box

field descriptions 16-6

user roles 16-4

Add Histogram dialog box field descriptions 10-17

adding

ACLs 3-5

a host never to be blocked 13-10

anomaly detection policies 10-9

blocking devices 13-15

CSA MC interfaces 16-7

dashboards 2-1

denied attackers 14-2

event action filters 6-23, 9-18

event action overrides 9-14

event action rules policies 9-12

event variables 6-37, 9-31

external product interfaces 16-7

gadgets 2-1

host blocks 14-4

IPv4 target value ratings 6-26, 9-21

IPv6 target value ratings 6-29, 9-23

network blocks 14-7

OS maps 6-33, 9-28

rate limiting devices 13-15

rate limits 14-9

risk categories 6-39, 9-33

signature definition policies 7-2

signatures 7-12

signature variables 7-32

virtual sensors 3-13, 6-13

virtual sensors (ASA 5500 AIP SSM) 6-16

virtual sensors (ASA 5500-X IPS SSP) 6-16

virtual sensors (ASA 5585-X IPS SSP) 6-16

Add Inline VLAN Pair dialog box field descriptions 3-10, 5-24

Add Interface Pair dialog box field descriptions 5-22

Add IP Logging dialog box field descriptions 14-11

Add Known Host Key dialog box

field descriptions 12-5

user roles 12-4

Add Master Blocking Sensor dialog box

field descriptions 13-24

user roles 13-23

Add Network Block dialog box field descriptions 14-6

Add Never Block Address dialog box

field descriptions 13-10

user roles 13-7

Add Policy dialog box field descriptions 7-2, 9-12, 10-9

Add Posture ACL dialog box field descriptions 16-7

Add Protocol Number dialog box field descriptions 10-18, 10-25

Add Rate Limit dialog box

field descriptions 14-8

user role 14-7

Address Resolution Protocol. See ARP.

Add Risk Level dialog box field descriptions 6-39, 9-33

Add Router Blocking Device Interface dialog box

field descriptions 13-19

user roles 13-16

Add Signature dialog box field descriptions 7-7

Add Signature Variable dialog box

field descriptions 7-32

user roles 7-31

Add SNMP Trap Destination dialog box field descriptions 15-4

Add Target Value Rating dialog box field descriptions 9-23

Add Trusted Host dialog box

field descriptions 12-9

user roles 12-8

Add User dialog box

field descriptions 4-21

user roles 4-18, 4-21

Add Virtual Sensor dialog box

described 3-12, 6-10

field descriptions 3-13, 6-11

Add VLAN Group dialog box field descriptions 5-27

Advanced Alert Behavior Wizard

Alert Dynamic Response Fire All window field descriptions 8-27

Alert Dynamic Response Fire Once window field descriptions 8-28

Alert Dynamic Response Summary window field descriptions 8-28

Alert Summarization window field descriptions 8-27

Event Count and Interval window field descriptions 8-26

Global Summarization window field descriptions 8-29

aggregation

alert frequency 6-7, 9-5

operating modes 6-7, 9-5

AIC

policy 7-43

signatures (example) 7-43

AIC engine

AIC FTP B-11

AIC FTP engine parameters (table) B-12

AIC HTTP B-11

AIC HTTP engine parameters (table) B-12

described B-11

features B-11

signature categories 7-35

AIC policy enforcement

default configuration 7-36, B-11

described 7-36, B-11

sensor oversubscription 7-36, B-11

Alarm Channel

described 9-6, A-27

risk rating 11-5

alert and log actions (list) 9-8

alert behavior

Custom Signature Wizard 8-26

normal 8-26

alert frequency

aggregation 7-18

configuring 7-18

controlling 7-18

modes B-7

allocate-ips command 6-15

Allowed Hosts/Networks pane

configuring 4-5

described 4-5

field descriptions 4-5

alternate TCP reset interface

configuration restrictions 5-10

designating 5-9

restrictions 5-2

Analysis Engine

described 6-2

error messages C-25

errors C-54

IDM exits C-57

sensing interfaces 5-3

verify it is running C-21

virtual sensors 6-2

anomaly detection

asymmetric traffic 10-2

caution 10-2

configuration sequence 10-5

default anomaly detection configuration 10-4

default configuration (example) 10-4

described 10-2

detect mode 10-4

disabling 10-34

enabling 10-4

event actions 10-7, B-69

inactive mode 10-4

learning accept mode 10-3

learning process 10-3

limiting false positives 10-13, 18-7

operation settings 10-11

protocols 10-3

signatures (table) 10-7, B-70

signatures described 10-6

worms

attacks 10-13, 18-6

described 10-3

zones 10-5

anomaly detection disabling C-20

Anomaly Detection pane

button functions 18-7

described 18-6

field descriptions 18-7

user roles 18-5

anomaly detection policies

ad0 10-9

adding 10-9

cloning 10-9

default policy 10-9

deleting 10-9

Anomaly Detections pane

described 10-9

field descriptions 10-9

user roles 10-9

appliances

GRUB menu 17-5, C-8

initializing 19-8

logging in 20-2

password recovery 17-5, C-8

setting system clock 4-15

terminal servers

described 20-3, 22-13

setting up 20-3, 22-13

time sources 4-7, C-17

upgrading recovery partition 22-5

Application Inspection and Control. See AIC.

application partition

described A-4

application partition image recovery 22-11

application policy enforcement described 7-36, B-11

applications in XML format A-4

applying signature threat profiles 3-15

applying software updates C-54

ARC

ACLs 13-17, A-14

authentication A-15

blocking

connection-based A-17

response A-13

unconditional blocking A-17

blocking application 13-1

blocking not occurring for signature C-43

Catalyst switches

VACL commands A-19

VACLs A-16, A-19

VLANs A-16

checking status 13-3, 13-4

described A-4

design 13-2

device access issues C-41

enabling SSH C-43

features A-14

firewalls

AAA A-18

connection blocking A-18

NAT A-18

network blocking A-18

postblock ACL A-16

preblock ACL A-16

shun command A-18

TACACS+ A-18

formerly Network Access Controller 13-1

functions 13-1

illustration A-13

inactive state C-39

interfaces A-14

maintaining states A-16

managed devices 13-7

master blocking sensors A-14

maximum blocks 13-2

misconfigured master blocking sensor C-44

nac.shun.txt file A-16

NAT addressing A-15

number of blocks A-15

postblock ACL A-16

preblock ACL A-16

prerequisites 13-5

rate limiting 13-3

responsibilities A-13

single point of control A-15

SSH A-14

supported devices 13-5, A-15

Telnet A-14

troubleshooting C-37

VACLs A-14

verifying device interfaces C-42

verifying status C-38

ARP

Layer 2 signatures B-13

protocol B-13

ARP spoof tools

dsniff B-13

ettercap B-13

ASA 5500 AIP SSC-5

time sources 4-7, C-17

ASA 5500 AIP SSM

assigning virtual sensors 6-18

bypass mode 5-29

creating virtual sensors 6-16

initializing 19-13

installing system image 22-27

logging in 20-4

Normalizer engine B-37, C-62

password recovery 17-6, C-9

recovering C-60

resetting C-60

resetting the password 17-6, C-10

sensing interface 6-15

session command 20-4

sessioning in 20-4

setup command 19-13

time sources 4-7, C-17

virtual sensors

assigning the interface 6-16

sequence 6-15

ASA 5500-X IPS SSP

assigning virtual sensors 6-18

creating virtual sensors 6-16

initializing 19-17

logging in 20-5

memory usage 17-20, C-75

memory usage values (table) 17-20, C-75

no CDP mode support 5-31

Normalizer engine B-37, C-74

password recovery 17-8, C-12

resetting the password 17-8, C-12

sensing interface 6-15

session command 20-5

sessioning in 20-5

setup command 19-17

time sources 4-7, C-17

virtual sensors

assigning policies 6-15

assigning the interface 6-16

virtual sensor sequence 6-15

ASA 5585-X IPS SSP

assigning virtual sensors 6-18

creating virtual sensors 6-16

initializing 19-21

installing system image 22-31

logging in 20-6

no CDP mode support 5-31

Normalizer engine B-37, C-81

password recovery 17-10, C-13

resetting the password 17-10, C-14

sensing interface 6-15

session command 20-6

sessioning in 20-6

setup command 19-21

time sources 4-7, C-17

virtual sensors

assigning policies 6-15

assigning the interface 6-16

sequence 6-15

ASA IPS modules

jumbo packet count C-64, C-75, C-82

ASDM

resetting passwords 17-8, 17-10, 17-12, C-11, C-13, C-15

assigning

interfaces to virtual sensors (ASA 5500 AIP SSM) 6-16

interfaces to virtual sensors (ASA 5500-X IPS SSP) 6-16

interfaces to virtual sensors (ASA 5585-X IPS SSP) 6-16

policies to virtual sensors (ASA 5500 AIP SSM) 6-15

policies to virtual sensors (ASA 5500-X IPS SSP) 6-15

policies to virtual sensors (ASA 5585-X IPS SSP) 6-15

assigning actions to signatures 7-16

asymmetric mode

described 6-4

normalization 6-4

asymmetric traffic

anomaly detection 10-2

caution 10-2

disabling anomaly detection 10-34

asymmetric traffic and disabling anomaly detection C-20

Atomic ARP engine

parameters (table) B-13

Atomic ARP engine described B-13

Atomic IP Advanced engine

described B-14

parameters (table) B-16

restrictions B-15

Atomic IP engine

described 8-13, B-24

parameters (table) B-24

Atomic IPv6 engine

described B-27

Neighborhood Discovery protocol B-28

signatures B-28

attack relevance rating

calculating risk rating 6-6, 9-3

described 6-6, 6-30, 9-3, 9-25

Attack Response Controller

described A-4

formerly known as Network Access Controller A-4

Attack Response Controller. See ARC.

attack severity rating

calculating risk rating 6-6, 9-3

described 6-6, 9-3

attemptLimit command 4-24

audit mode

described 11-9

testing global correlation 11-9

authenticated NTP 4-7, 4-13, C-17

authentication

local 4-19

RADIUS 4-19

AuthenticationApp

authenticating users A-21

described A-4

login attempt limit A-21

method A-21

responsibilities A-20

secure communications A-21

sensor configuration A-20

Authentication pane

configuring 4-22

described 4-19

field descriptions 4-19

user roles 4-16, A-31

Authorized Keys pane

configuring 12-3

described 12-2

field descriptions 12-2

RSA authentication 12-2

RSA key generation tool 12-3

Auto/Cisco.com Update pane

configuring 17-24

described 3-16, 17-22

field descriptions 17-23

UNIX-style directory listings 17-22

user roles 17-22

automatic setup 19-2

automatic updates

Cisco.com 3-16, 17-22

configuring 3-17, 17-24

cryptographic account 3-16, 17-22

FTP servers 17-22

SCP servers 3-16, 17-22

automatic upgrade

information required 22-6

troubleshooting C-54

autonegotiation for hardware bypass 5-13

Auto Update window

field descriptions 3-16

user roles 3-16

auto-upgrade-option command 22-6

B

backing up

configuration C-2

current configuration C-4

BackOrifice. See BO.

BackOrifice 2000. See BO2K.

basic setup 19-4

blocking

described 13-1

disabling 13-7

master blocking sensor 13-23

necessary information 13-3

prerequisites 13-5

supported devices 13-5

types 13-2

blocking devices

adding 13-15

deleting 13-15

editing 13-15

Blocking Devices pane

configuring 13-15

described 13-14

field descriptions 13-14

ssh host-key command 13-15

blocking not occurring for signature C-43

Blocking Properties pane

adding a host never to be blocked 13-10

configuring 13-9

described 13-7

field descriptions 13-8

BO

described B-72

Trojans B-72

BO2K

described B-72

Trojans B-72

Bug Toolkit

described C-1

URL C-1

bypass mode

ASA 5500 AIP SSM 5-29

described 5-28

signature updates 17-23

Bypass pane

field descriptions 5-29

user roles 5-28

C

calculating risk rating

attack relevance rating 6-6, 9-3

attack severity rating 6-6, 9-3

promiscuous delta 6-6, 9-3

signature fidelity rating 6-5, 9-3

target value rating 6-6, 9-3

watch list rating 6-6, 9-3

cannot access sensor C-26

Cat 6K Blocking Device Interfaces pane

configuring 13-22

described 13-20

field descriptions 13-21

CDP mode

ASA 5500-X IPS SSP 5-31

ASA 5585-X IPS SSP 5-31

described 5-31

interfaces 5-31

CDP Mode pane

configuring 5-31

field descriptions 5-31

user roles 5-31

certificates

displaying 12-11

Firefox 1-8

generating 12-11

Internet Explorer 1-8

certificates (IDM) 1-7, 12-7

changing Microsoft IIS to UNIX-style directory listings 17-23

cidDump obtaining information C-108

CIDEE

defined A-35

example A-35

IPS extensions A-35

protocol A-35

supported IPS events A-35

cisco

default password 20-2

default username 20-2

Cisco.com

accessing software 21-1

downloading software 21-1

software downloads 21-1

Cisco Discovery Protocol. See CDP.

Cisco IOS rate limiting 13-3

Cisco Security Intelligence Operations

described 21-8

URL 21-8

Cisco Services for IPS

service contract 1-10, 17-15

supported products 1-10, 17-15

clear events command 4-11, 4-16, 18-4, C-18, C-108

Clear Flow States pane

described 18-16

field descriptions 18-17

clearing

denied attackers 14-2

events 4-16, 18-4, C-108

flow states 18-17

statistics C-91

CLI

described A-4, A-31

password recovery 17-12, C-15

client manifest described A-29

clock set command 4-15

Clone Event Action Rules dialog box field descriptions 9-12

Clone Policy dialog box field descriptions 7-2, 10-9

Clone Signature dialog box field descriptions 7-7

cloning

anomaly detection policies 10-9

event action rules policies 9-12

signature definition policies 7-2

signatures 7-14

CollaborationApp described A-4, A-29

command and control interface

described 5-2

list 5-2

commands

allocate-ips 6-15

attemptLimit 4-24

auto-upgrade-option 22-6

clear events 4-11, 4-16, 18-4, C-18, C-108

clock set 4-15

copy backup-config C-3

copy current-config C-3

debug module-boot C-60

downgrade 22-10

erase license-key 17-18

hw-module module 1 reset C-60

hw-module module slot_number password-reset 17-6, 17-10, C-10, C-14

setup 4-1, 19-1, 19-4, 19-8, 19-13, 19-17, 19-21

show events C-105

show health C-83

show module 1 details C-59, C-66, C-78

show settings 17-13, C-16

show statistics C-91

show statistics virtual-sensor C-25, C-91

show tech-support C-84

show version C-88

sw-module module slot_number password-reset 17-8, C-12

unlock user username 4-26

upgrade 22-3, 22-5

virtual-sensor name 6-15

Compare Knowledge Bases dialog box field descriptions 18-9

comparing KBs 18-9, 18-11

component signatures

risk rating B-32

configuration files

backing up C-2

merging C-2

configuration restrictions

alternate TCP reset interface 5-10

inline interface pairs 5-10

inline VLAN pairs 5-10

interfaces 5-9

physical interfaces 5-9

VLAN groups 5-11

Configure Summertime dialog box field descriptions 3-4, 4-9

configuring

account locking 4-24

account unlocking 4-26

AIC policy parameters 7-43

allowed hosts 4-5

allowed networks 4-5

anomaly detection operation settings 10-11

application policy signatures 7-43

authorized keys 12-3

automatic updates 3-17, 17-24

automatic upgrades 22-8

blocking devices 13-15

blocking properties 13-9

Cat 6K blocking device interfaces 13-22

CDP mode 5-31

CPU, Memory, & Load gadget 2-12

CSA MC IPS interfaces 16-3

device login profiles 13-12

event action filters 6-23, 9-18

events 18-3

event variables 6-37, 9-31

external zone 10-31

general settings 6-42, 9-36

Global Correlation Health gadget 2-9

Global Correlation Reports gadget 2-7

host blocks 14-4

illegal zone 10-25

inline VLAN pairs 3-10

inspection/reputation 11-10

inspection load statistics display 18-5

interface pairs 5-22

interfaces 5-20

Interface Status gadget 2-7

internal zone 10-19

IP fragment reassembly signatures 7-47

IP logging 14-12

IPv4 target value ratings 6-26, 9-21

IPv6 target value ratings 6-29, 9-23

known host keys 12-5

learning accept mode 10-14

Licensing gadget 2-6

local authentication 4-22

master blocking sensor 13-25

network blocks 14-7

network participation 11-11

Network Security gadget 2-10

network settings 4-3

NTP servers 4-12

OS maps 6-33, 9-28

RADIUS authentication 4-23

rate limiting 14-9

rate limiting device interfaces 13-19

risk categories 6-39, 9-33

router blocking device interfaces 13-19

Sensor Health gadget 2-5

Sensor Information gadget 2-4

Sensor Setup window 3-4

sensor to use NTP 4-14

signature variables 7-32

SNMP 15-2

SNMP traps 15-4

time 4-10

Top Applications gadget 2-10

traffic flow notifications 5-31

trusted hosts 12-9

upgrades 22-4

users 4-22

VLAN groups 5-27

VLAN pairs 5-24

control transactions

characteristics A-9

request types A-8

cookies IDM 1-7

copy backup-config command C-3

copy current-config command C-3

correcting time on the sensor 4-11, C-18

CPU, Memory, & Load gadget

configuring 2-12

described 2-11

creating

Atomic IP Advanced engine signature 7-24, 8-14

custom signatures

not using signature engines 8-4

Service HTTP 8-17

String TCP 8-22

using signature engines 8-1

IPv6 signatures 7-24, 8-14

Meta signatures 7-21

Post-Block VACLs 13-21

Pre-Block VACLs 13-21

String TCP XL signatures 7-29

creating the service account C-5

cryptographic account

automatic updates 3-16, 17-22

Encryption Software Export Distribution Authorization from 21-2

obtaining 21-2

cryptographic features (IDM) 1-1

CSA MC

adding interfaces 16-7

configuring IPS interfaces 16-3

host posture events 16-1, 16-3

quarantined IP address events 16-1

supported IPS interfaces 16-3

CtlTransSource

described A-4, A-11

illustration A-12

current configuration back up C-2

current KB setting 18-12

customizing

dashboards 2-1

gadgets 2-1

custom signatures

Custom Signature Wizard 8-5

described 7-4

IPv6 signature 7-24, 8-14

Meta signature 7-21

sensor performance 8-4

String TCP XL 7-26, 7-29

Custom Signature Wizard

alert behavior 8-26

described 8-1

no signature engine sequence 8-4

signature engine sequence 8-1

supported signature engines 8-2

using 8-5

D

Dashboard pane gadgets 2-2

dashboards

adding 2-1

customizing 2-1

data nodes 8-25, B-67

data structures (examples) A-8

DDoS

protocols B-71

Stacheldraht B-71

TFN B-71

debug logging enable C-46

debug module-boot command C-60

default policies

ad0 10-9

rules0 9-11

sig0 7-2

defaults

KB filename 10-12

password 20-2

restoring 17-28

username 20-2

virtual sensor vs0 6-2

deleting

anomaly detection policies 10-9

blocking devices 13-15

denied attackers 14-2

event action filters 6-23, 9-18

event action overrides 9-14

event action rules policies 9-12

event variables 6-37, 9-31

host blocks 14-4

imported OS values 18-16

IPv4 target value ratings 6-26, 9-21

IPv6 target value ratings 6-29, 9-23

KBs 18-13

learned OS values 18-15

network blocks 14-7

OS maps 6-33, 9-28

rate limiting devices 13-15

rate limits 14-9

risk categories 6-39, 9-33

signature definition policies 7-2

signature variables 7-32

virtual sensors 6-13

Denial of Service. See DoS.

denied attackers

adding 14-2

clearing 14-2

deleting 14-2

hit count 14-1

resetting hit counts 14-2

viewing hit counts 14-2

viewing list 14-2

Denied Attackers pane

described 14-1

field descriptions 14-2

user roles 14-1

using 14-2

deny actions (list) 9-8

Deny Packet Inline described 9-10

detect mode (anomaly detection) 10-4

device access issues C-41

Device Login Profiles pane

configuring 13-12

described 13-11

field descriptions 13-12

Diagnostics Report pane

button functions 18-19

described 18-19

user roles 18-18

using 18-19

diagnostics reports 18-19

Differences between knowledge bases KB_Name and KB_Name window field descriptions 18-10

Difference Thresholds between knowledge base KB_Name and KB_Name window field descriptions 18-10

disabling

anomaly detection 10-34, C-20

blocking 13-7

event action filters 6-23, 9-18

global correlation 11-12

interfaces 5-20

password recovery 17-12, C-15

signatures 7-12

disaster recovery C-6

displaying

events 18-3, C-106

health status C-83

imported OS maps 18-16

inspection load statistics 18-5

learned OS maps 18-15

password recovery setting 17-13, C-16

sensor statistics 18-20

statistics C-91

tech support information C-85

version C-88

Distributed Denial of Service. See DDoS.

DoS tools

Stacheldraht B-71

stick B-7

TFN B-71

downgrade command 22-10

downgrading sensors 22-10

downloading

Cisco software 21-1

KBs 18-13

Download Knowledge Base From Sensor dialog box

described 18-13

field descriptions 18-13

duplicate IP addresses C-28

E

Edit Actions dialog box field descriptions 7-9

Edit Allowed Host dialog box

field descriptions 4-5

user roles 4-5

Edit Authorized Key dialog box

field descriptions 12-3

user roles 12-2

Edit Blocking Device dialog box

field descriptions 13-14

user roles 13-13

Edit Cat 6K Blocking Device Interface dialog box

field descriptions 13-22

user roles 13-20

Edit Configured OS Map dialog box

field descriptions 6-33, 9-27

user roles 6-32, 9-24

Edit Destination Port dialog box field descriptions 10-16

Edit Device Login Profile dialog box

field descriptions 13-12

user roles 13-11

Edit Event Action Filter dialog box

field descriptions 6-22, 9-16

user roles 6-21, 9-15

Edit Event Action Override dialog box

field descriptions 6-12, 9-14

user roles 6-12, 9-13

Edit Event Variable dialog box

field descriptions 6-36, 9-30

user roles 9-29

Edit External Product Interface dialog box

field descriptions 16-6

user roles 16-4

Edit Histogram dialog box field descriptions 10-17

editing

blocking devices 13-15

event action filters 6-23, 9-18

event action overrides 9-14

event variables 6-37, 9-31

interfaces 5-21

IPv4 target value ratings 6-26, 9-21

IPv6 target value ratings 6-29, 9-23

OS maps 6-33, 9-28

rate limiting devices 13-15

risk categories 6-39, 9-33

signatures 7-15

signature variables 7-32

virtual sensors 6-13

Edit Inline VLAN Pair dialog box field descriptions 3-10, 5-24

Edit Interface dialog box field descriptions 5-19

Edit Interface Pair dialog box field descriptions 5-22

Edit IP Logging dialog box field descriptions 14-11

Edit Known Host Key dialog box

field descriptions 12-5

user roles 12-4

Edit Master Blocking Sensor dialog box

field descriptions 13-24

user roles 13-23

Edit Never Block Address dialog box

field descriptions 13-10

user roles 13-7

Edit Posture ACL dialog box field descriptions 16-7

Edit Protocol Number dialog box field descriptions 10-18, 10-25

Edit Risk Level dialog box field descriptions 6-39, 9-33

Edit Router Blocking Device Interface dialog box

field descriptions 13-19

user roles 13-16

Edit Signature dialog box field descriptions 7-7

Edit Signature Variable dialog box

field descriptions 7-32

user roles 7-31

Edit SNMP Trap Destination dialog box field descriptions 15-4

Edit User dialog box

field descriptions 4-21

user roles 4-18, 4-21

Edit Virtual Sensor dialog box

field descriptions 6-11

user roles 6-10

Edit VLAN Group dialog box field descriptions 5-27

efficacy

described 11-4

measurements 11-4

enabling

anomaly detection 10-4

event action filters 6-23, 9-18

event action overrides 9-14

interfaces 5-20

packet logging 17-3

signatures 7-12

enabling debug logging C-46

Encryption Software Export Distribution Authorization form

cryptographic account 21-2

described 21-2

engines

AIC B-10

AIC FTP B-11

AIC HTTP B-11

Atomic B-13

Atomic ARP B-13

Atomic IP 8-13, B-24

Atomic IP Advanced B-14

Atomic IPv6 B-27

Fixed B-28

Fixed ICMP B-28

Fixed TCP B-28

Fixed UDP B-28

Flood B-31

Flood Host B-31

Flood Net B-31

Master B-4

Meta 7-21, B-32

Multi String B-34

Normalizer B-36

Service B-39

Service DNS B-39

Service FTP B-41

Service Generic B-42

Service H225 B-43

Service HTTP 8-16, B-46

Service IDENT B-48

Service MSRPC 8-11, B-48

Service MSSQL B-50

Service NTP B-51

Service P2P B-52

Service RPC 8-19, B-52

Service SMB Advanced B-54

Service SNMP B-56

Service SSH B-57

Service TNS B-57

State 8-20, B-59

String 8-21, 8-24, B-61

String ICMP 8-21, 8-24, B-61

String TCP 8-21, 8-24, B-61

String UDP 8-21, 8-24, B-61

Sweep 8-24, B-66

Sweep Other TCP B-68

Traffic Anomaly B-69

Traffic ICMP B-71

Trojan B-72

erase license-key command 17-18

errors (Analysis Engine) C-54

evAlert A-9

event action filters

adding 6-23, 9-18

configuring 6-23, 9-18

deleting 6-23, 9-18

described 6-20, 9-5

disabling 6-23, 9-18

editing 6-23, 9-18

enabling 6-23, 9-18

moving 6-23, 9-18

Event Action Filters tab

configuring 6-23, 9-18

described 6-21, 9-15

field descriptions 6-21, 9-16

event action overrides

adding 9-14

deleting 9-14

described 6-5, 9-4

editing 9-14

enabling 9-14

risk rating range 6-5, 9-4

Event Action Overrides tab

described 9-13

field descriptions 9-13

event action rules

described 9-2

functions 9-2

Event Action Rules (rules0) pane described 9-13

Event Action Rules pane

described 9-11

field descriptions 9-12

user roles 9-11

event action rules policies

adding 9-12

cloning 9-12

deleting 9-12

event action rules variables 6-21, 9-15

event actions

risk ratings 6-7, 9-4

threat ratings 6-7, 9-4

events

clearing 4-16, 18-4, C-108

displaying C-106

host posture 16-2

quarantined IP address 16-2

Events pane

configuring 18-3

described 18-1

field descriptions 18-2

Event Store

clearing 4-16, 18-4, C-108

clearing events 4-11, C-18

data structures A-8

described A-4

examples A-7

no alerts C-33

responsibilities A-7

time stamp 4-11, C-18

timestamp A-7

event types C-104

event variables

adding 6-37, 9-31

configuring 6-37, 9-31

deleting 6-37, 9-31

described 6-35, 9-29

editing 6-37, 9-31

example 6-36, 9-30

Event Variables tab

configuring 6-37, 9-31

field descriptions 6-36, 9-30

Event Viewer pane

displaying events 18-3

field descriptions 18-2

evError A-9

evLogTransaction A-9

evShunRqst A-9

evStatus A-9

example custom signatures

Atomic IP Advanced 7-24, 8-14

Meta 7-21

Service HTTP 8-17

String TCP 8-22

String TCP XL 7-26

examples

AIC engine signature 7-43

ASA failover configuration C-62, C-66, C-77

Atomic IP Advanced engine signature 7-24, 8-14

automatic update 17-25

configured OS maps 6-32, 9-25

default anomaly detection configuration 10-4

IP Fragment Reassembly signature 7-47

IPv6 attacker address 6-22, 9-17

IPv6 victim address 6-23, 9-17

KB histogram 10-13, 18-7

Meta engine signature 7-21

Service HTTP engine signature 8-17

SPAN configuration for IPv6 support 5-14

String TCP engine signature 8-22

String TCP XL engine signature 7-26, 7-29

System Configuration Dialog 19-2

TCP Stream Reassembly signature 7-54

external product interfaces

adding 16-7

described 16-1

issues 16-3, C-22

troubleshooting 16-10, C-23

trusted hosts 16-4

External Product Interfaces pane

described 16-4

field descriptions 16-5

external zone

configuring 10-31

protocols 10-29

user roles 10-28

External Zone tab

described 10-29

tabs 10-29

user roles 10-28

F

fail-over testing 5-12

false positives described 7-4

files Cisco IPS (list) 21-1

Firefox

certificates 1-8

validating CAs 1-8

Fixed engine described B-28

Fixed ICMP engine parameters (table) B-29

Fixed TCP engine parameters (table) B-29

Fixed UDP engine parameters (table) B-30

Flood engine described B-31

Flood Host engine parameters (table) B-31

Flood Net engine parameters (table) B-32

flow states clearing 18-17

FTP servers

automatic updates 17-22

signature updates 17-26

FTP servers and software updates 17-22, 22-2

G

gadgets

adding 2-1

CPU, Memory, & Load 2-11

customizing 2-1

Dashboard pane 2-2

Global Correlation Health 2-8

Global Correlation Reports 2-7

IDM 2-2

IDM home pane 1-3

Interface Status 2-6

Licensing 2-6

Network Security 2-9

Sensor Health 2-4

Sensor Information 2-3

Top Applications 2-10

general settings

configuring 6-42, 9-36

described 6-41, 9-35

General tab

configuring 6-42, 9-36

described 6-41, 9-35, 10-16, 10-23

enabling zones 10-16, 10-23

field descriptions 6-42, 9-36

user roles 9-35

generating diagnostics reports 18-19

global correlation

described 1-1, 11-1, 11-2

disabling 11-12

disabling about 11-12

DNS server 11-6

error messages A-30

features 11-5

goals 11-5

health metrics 11-7

health status 11-7

HTTP proxy server 11-6

license 1-9, 11-6, 11-8, 19-1, 19-5

no IPv6 support 6-22, 6-23, 6-28, 6-29, 6-35, 6-37, 9-15, 9-16, 9-18, 9-22, 9-23, 9-29, 9-31, 11-6

Produce Alert 7-9, 9-8

requirements 11-6

risk rating 11-5

troubleshooting 11-11, C-22

update client (illustration) 11-8

Global Correlation Health gadget

configuring 2-9

described 2-8

Global Correlation Reports gadget

configuring 2-7

described 2-7

Global Correlation Update

client described A-29

server described A-29

GRUB menu password recovery 17-5, C-8

H

H.225.0 protocol B-43

H.323 protocol B-43

hardware bypass

autonegotiation 5-13

configuration restrictions 5-13

fail-over 5-12

IPS 4260 5-12

IPS 4270-20 5-12

supported configurations 5-12

with software bypass 5-12

health status

global correlation 11-7

metrics 2-4

sensor 2-4

health status display C-83

Home pane

gadgets 1-3

updating 1-3

host blocks

adding 14-4

deleting 14-4

managing 14-4

Host Blocks pane

configuring 14-4

described 14-3

host posture events

CSA MC 16-3

described 16-2

HTTP/HTTPS servers supported 17-22, 22-2

HTTP advanced decoding

described 6-4

platform support 6-5

restrictions 6-4

HTTP deobfuscation

ASCII normalization 8-16, B-46

described 8-16, B-46

hw-module module 1 reset command C-60

hw-module module slot_number password-reset command 17-6, 17-10, C-10, C-14

I

IDAPI

communications A-4, A-33

described A-4

functions A-33

illustration A-33

responsibilities A-33

IDCONF

described A-34

example A-34

RDEP2 A-34

XML A-34

IDIOM

defined A-34

messages A-34

IDM

Analysis Engine is busy C-57

certificates 1-7, 12-7

cookies 1-7

cryptographic features 1-1

Custom Signature Wizard supported signature engines 8-2

described 1-3, 1-6

gadgets 2-2

GUI 1-3

known host key retrieval 12-4

logging in 1-6

password recovery 17-13, C-16

supported platforms 1-4

system requirements 1-4

TLS 1-7, 12-7

user interface 1-3

web browsers 1-3, 1-6

will not load C-57

illegal zone

configuring 10-25

user roles 10-22

Illegal Zone tab

described 10-22

user roles 10-22

Imported OS pane

clearing 18-16

described 18-16

field descriptions 18-16

imported OS values

clearing 18-16

deleting 18-16

inactive mode (anomaly detection) 10-4

initializing

appliances 19-8

ASA 5500 AIP SSM 19-13

ASA 5500-X IPS SSP 19-17

ASA 5585-X IPS SSP 19-21

sensors 4-1, 19-1, 19-4

user roles 19-1

verifying 19-25

inline interface pair mode

configuration restrictions 5-10

described 5-15

illustration 5-15

Inline Interface Pair window

described 3-9

Startup Wizard 3-9

inline mode

interface cards 5-3

normalization 6-4

pairing interfaces 5-3

inline TCP session tracking modes described 6-4

inline VLAN pair mode

configuration restrictions 5-10

configuring 3-10

described 5-16

illustration 5-16

supported sensors 5-16

Inline VLAN Pairs window

described 3-9

field descriptions 3-10

Startup Wizard 3-9

Inspection/Reputation pane

configuring 11-10

described 11-8

field descriptions 11-9

Inspection Load Statistics pane

configuring 18-5

described 18-4

field descriptions 18-4

user roles 18-4

installer major version 21-5

installer minor version 21-5

installing

sensor license 1-12, 17-16

system image

ASA 5500 AIP SSM 22-27

ASA 5500-X IPS SSP 22-29

ASA 5585-X IPS SSP 22-31

IPS 4240 22-14

IPS 4255 22-14

IPS 4260 22-17

IPS 4270-20 22-19

IPS 4345 22-21

IPS 4360 22-21

IntelliShield

alerts 7-5

MySDN 7-5

InterfaceApp

described A-4, A-20

interactions A-20

NIC drivers A-20

interface pairs

configuring 5-22

described 5-22

Interface Pairs pane

configuring 5-22

described 5-22

field descriptions 5-22

user roles 5-21

interfaces

alternate TCP reset 5-2

command and control 5-2

configuration restrictions 5-9

configuring 5-20

described 3-7, 5-1

disabling 5-20

editing 5-21

enabling 5-20

logical 3-7

physical 3-7

port numbers 5-1

sensing 5-2, 5-3

slot numbers 5-1

support (table) 5-4

TCP reset 5-8

Interface Selection window

described 3-9

Startup Wizard 3-9

Interfaces pane

configuring 5-20

described 5-18

field descriptions 5-19

Interface Status gadget

configuring 2-7

described 2-6

Interface Summary window

described 3-7

internal zone

configuring 10-19

user roles 10-15

Internal Zone tab

described 10-15

user roles 10-15

Internet Explorer validating certificates 1-8

IP fragmentation described B-36

IP fragment reassembly

configuring 7-46

described 7-44

mode 7-46

parameters (table) 7-45

signatures 7-47

signatures (example) 7-47

signatures (table) 7-45

IP logging

described 7-55, 14-10

event actions 14-10

system performance 14-10

IP Logging pane

configuring 14-12

described 14-10

field descriptions 14-11

user roles 14-10

IP Logging Variables pane

described 17-21

field description 17-21

IP logs

circular buffer 14-10

states 14-10

TCPDUMP 14-10

viewing 14-12

WireShark 14-10

IPS 4240

installing system image 22-14

password recovery 17-5, C-9

reimaging 22-14

IPS 4255

installing system image 22-14

password recovery 17-5, C-9

reimaging 22-13

IPS 4260

hardware bypass 5-12

installing system image 22-17

password recovery 17-5, C-8

reimaging 22-17

IPS 4270-20

hardware bypass 5-12

installing system image 22-19

password recovery 17-5, C-8

reimaging 22-19

IPS 4345

installing system image 22-21

password recovery 17-5, C-8, C-9

reimaging 22-21

IPS 4360

installing system image 22-21

password recovery 17-5, C-8, C-9

reimaging 22-21

IPS 4510

password recovery 17-5, C-8, C-9

reimaging 22-24

SwitchApp A-30

IPS 4520

password recovery 17-5, C-8, C-9

reimaging 22-24

SwitchApp A-30

IPS applications

summary A-37

table A-37

XML format A-4

IPS clock synchronization 4-8, C-17

IPS data

types A-8

XML document A-9

IPS events

evAlert A-9

evError A-9

evLogTransaction A-9

evShunRqst A-9

evStatus A-9

list A-9

types A-9

IPS internal communications A-33

IPS Policies pane

described 6-8

Event Action Rules 6-9

field descriptions 6-9

IPS software

application list A-4

available files 21-1

configuring device parameters A-5

directory structure A-36

Linux OS A-1

obtaining 21-1

platform-dependent release examples 21-6

retrieving data A-5

security features A-5

tuning signatures A-5

updating A-5

user interaction A-5

versioning scheme 21-2

IPS software file names

major updates (illustration) 21-4

minor updates (illustration) 21-4

patch releases (illustration) 21-4

service packs (illustration) 21-4

IPv4

address format 6-35, 9-30

event variables 6-35, 9-30

IPv4 Add Target Value Rating dialog box

field descriptions 6-26, 9-21

user roles 6-26, 9-20

IPv4 Edit Target Value Rating dialog box

field descriptions 6-26, 9-21

user roles 6-26, 9-20

IPv4 target value ratings

adding 6-26, 9-21

deleting 6-26, 9-21

editing 6-26, 9-21

IPv4 Target Value Rating tab

configuring 6-26, 9-21

field descriptions 6-26, 9-20

IPv6

address format 6-36, 9-30

described B-28

event variables 6-36, 9-30

SPAN ports 5-14

switches 5-14

IPv6 Add Target Value Rating dialog box

field descriptions 6-28

user roles 6-27, 9-22

IPv6 Edit Target Value Rating dialog box

field descriptions 6-28, 9-23

user roles 6-27, 9-22

IPv6 target value ratings

adding 6-29, 9-23

configuring 6-29, 9-23

deleting 6-29, 9-23

editing 6-29, 9-23

IPv6 Target Value Rating tab

configuring 6-29, 9-23

field descriptions 6-28, 9-22

K

KBs

comparing 18-11

default filename 10-12

deleting 18-13

described 10-3

downloading 18-13

histogram 10-12, 18-6

initial baseline 10-3

learning accept mode 10-12

loading 18-12

monitoring 18-9

renaming 18-13

saving 18-12

scanner threshold 10-12, 18-6

tree structure 10-12, 18-6

uploading 18-14

Knowledge Base. See KB.

Known Host Keys pane

configuring 12-5

described 12-4

field descriptions 12-5

L

Learned OS pane

clearing 18-15

described 18-15

field descriptions 18-15

learned OS values

clearing 18-15

deleting 18-15

learning accept mode

anomaly detection 10-3

configuring 10-14

user roles 10-12

Learning Accept Mode tab

described 10-12

field descriptions 10-13, 10-14

user roles 10-12

license key

obtaining 1-10, 17-14

trial 1-10, 17-14

uninstalling 17-18

viewing status of 1-10, 17-14

licensing

described 1-10, 17-14

IPS device serial number 1-10, 17-14

Licensing gadget

configuring 2-6

described 2-6

Licensing pane

configuring 1-12, 17-16

described 1-10, 17-14

field descriptions 1-11, 17-16

user roles 1-11, 17-14

limitations for concurrent CLI sessions 20-1

listings UNIX-style 17-22

loading KBs 18-12

local authentication configuring 4-22

Logger

described A-4, A-19

functions A-19

syslog messages A-19

logging in

appliances 20-2

ASA 5500 AIP SSM 20-4

ASA 5500-X IPS SSP 20-5

ASA 5585-X IPS SSP 20-6

IDM 1-6

sensors

SSH 20-7

Telnet 20-7

service role 20-2

terminal servers 20-3, 22-13

user role 20-1

LOKI

described B-71

protocol B-71

loose connections on sensors C-24

M

MainApp

components A-6

described A-4, A-6

host statistics A-6

responsibilities A-6

show version command A-6

major updates described 21-2

managing

host blocks 14-4

network blocks 14-7

rate limiting 14-9

manifests

client A-29

server A-29

manually updating sensor 17-26

master blocking sensor

described 13-23

not set up properly C-44

verifying configuration C-45

Master Blocking Sensor pane

configuring 13-25

described 13-23

field descriptions 13-24

Master engine

alert frequency B-7

alert frequency parameters (table) B-7

described B-4

event actions B-8

general parameters (table) B-4

universal parameters B-4

master engine parameters

obsoletes B-6

promiscuous delta B-6

vulnerable OSes B-6

merging configuration files C-2

Meta engine

described 7-21, B-32

parameters (table) B-33

Signature Event Action Processor 7-21, B-32

Meta Event Generator described 6-41, 9-35

Meta signature

component signatures B-32

metrics for sensor health 17-19

MIBs supported 15-6, C-20

minor updates described 21-3

Miscellaneous tab

application policy parameters 7-33

button functions 7-34

configuring

application policy 7-43

IP fragment reassembly mode 7-46

IP logging 7-55

TCP stream reassembly mode 7-53

described 7-33

field descriptions 7-34

IP fragment reassembly options 7-33

IP logging options 7-34

TCP stream reassembly 7-33

user roles 7-33

modes

anomaly detection detect 10-4

anomaly detection learning accept 10-3

asymmetric 6-4

bypass 5-28

inactive (anomaly detection) 10-4

inline interface pair 5-15

inline TCP tracking 6-4

inline VLAN pair 5-16

Normalizer 6-4

promiscuous 5-13

VLAN groups 5-16

monitoring

events 18-3

inspection load statistics 18-4, 18-5

KBs 18-9

moving

event action filters 6-23, 9-18

OS maps 6-33, 9-28

Multi String engine

described B-34

parameters (table) B-35

Regex B-34

MySDN

described 7-5

IntelliShield 7-5

N

NAS-ID

described 4-23

RADIUS authentication 4-23

Neighborhood Discovery

options B-28

types B-28

network blocks

adding 14-7

deleting 14-7

managing 14-7

Network Blocks pane

configuring 14-7

described 14-6

field descriptions 14-6

user roles 14-6

Network pane

configuring 4-3

described 4-2

field descriptions 4-2

TLS/SSL 4-4

user roles 4-2

network participation

data gathered 11-3

data use (table) 1-2, 11-2

described 11-3

health metrics 11-7

modes 11-4

requirements 11-3

SensorBase Network 11-4

statistics 11-4

network participation data

improving signature fidelity 11-4

understanding sensor deployment 11-4

Network Participation pane

configuring 11-11

described 11-10

field descriptions 11-11

Network Security gadget

configuring 2-10

described 2-9

never block

hosts 13-7

networks 13-7

normalization described 6-4

Normalizer engine

ASA 5500 AIP SSM B-37

ASA 5500-X IPS SSP B-37

ASA 5585-X IPS SSP B-37

described B-36

IP fragment reassembly B-36

IPv6 fragments B-36

modify packets inline 6-4

parameters (table) B-38

TCP stream reassembly B-36

NotificationApp

alert information A-9

described A-4

functions A-9

SNMP gets A-9

SNMP traps A-9

statistics A-11

system health information A-10

NTP

authenticated 4-7, 4-13, C-17

configuring servers 4-12

described 4-7, C-17

incorrect configuration 4-8, C-18

sensor time source 4-12, 4-13

time synchronization 4-7, C-17

unauthenticated 4-7, 4-13, C-17

verifying configuration 4-8

O

obsoletes field described B-6

obtaining

cryptographic account 21-2

IPS software 21-1

license key 1-10, 17-14

sensor license 1-12, 17-16

one-way TCP reset described 6-41, 9-35

Operation Settings tab

described 10-11

field descriptions 10-11

user roles 10-11

OS Identifications tab

described 6-32, 9-25

field descriptions 6-32, 9-27

OS information sources 6-31, 9-26

OS maps

adding 6-33, 9-28

configuring 6-33, 9-28

deleting 6-33, 9-28

editing 6-33, 9-28

moving 6-33, 9-28

other actions (list) 9-9

Other Protocols tab

described 10-18, 10-24, 10-30

enabling other protocols 10-18

external zone 10-30

field descriptions 10-18, 10-30

illegal zone 10-24

P

P2P networks described B-52

Packet Logging pane

described 17-3

field descriptions 17-3

partitions

application A-4

recovery A-4

passive OS fingerprinting

components 6-30, 9-25

configuring 6-31, 9-26

described 6-30, 9-25

enabled (default) 6-31, 9-26

password policy caution 17-3

password recovery

appliances 17-5, C-8

ASA 5500 AIP SSM 17-6, C-9

ASA 5500-X IPS SSP 17-8, C-12

ASA 5585-X IPS SSP 17-10, C-13

CLI 17-12, C-15

described 17-4, C-8

disabling 17-12, C-15

displaying setting 17-13, C-16

GRUB menu 17-5, C-8

IDM 17-13, C-16

IPS 4240 17-5, C-9

IPS 4255 17-5, C-9

IPS 4260 17-5, C-8

IPS 4270-20 17-5, C-8

IPS 4345 17-5, C-8, C-9

IPS 4360 17-5, C-8, C-9

IPS 4510 17-5, C-8, C-9

IPS 4520 17-5, C-8, C-9

platforms 17-4, C-8

ROMMON 17-5, C-9

troubleshooting 17-13, C-16

verifying 17-13, C-16

password requirements configuring 17-2

Passwords pane

configuring 17-2

described 17-2

field descriptions 17-2

patch releases described 21-3

peacetime learning (anomaly detection) 10-3

Peer-to-Peer. See P2P.

physical connectivity issues C-32

physical interfaces configuration restrictions 5-9

platforms concurrent CLI sessions 20-1

Post-Block ACLs 13-17

Pre-Block ACLs 13-17

prerequisites for blocking 13-5

promiscuous delta

calculating risk rating 6-6, 9-3

described 6-6, 9-3, B-6

promiscuous mode

atomic attacks 5-14

described 5-13

illustration 5-14

packet flow 5-13

SPAN ports 5-14

TCP reset interfaces 5-8

VACL capture 5-14

protocols

ARP B-13

CDP 5-31

CIDEE A-35

DCE 8-11, B-48

DDoS B-71

H.323 B-43

H.225.0 B-43

ICMPv6 B-14

IDAPI A-33

IDCONF A-34

IDIOM A-34

IPv6 B-28

LOKI B-71

MSSQL B-50

Neighborhood Discovery B-28

Q.931 B-43

RPC 8-11, B-48

SDEE A-35

Signature Wizard 8-10

Q

Q.931 protocol

described B-43

SETUP messages B-43

quarantined IP address events described 16-2

R

RADIUS authentication

configuring 4-23

described 4-19

NAS-ID 4-23

service account 4-18

shared secret 4-23

rate limiting

ACLs 13-4

configuring 14-9

described 13-3

managing 14-9

percentages 14-8

routers 13-3

service policies 13-4

supported signatures 13-4

rate limiting devices

adding 13-15

deleting 13-15

editing 13-15

rate limits

adding 14-9

deleting 14-9

Rate Limits pane

configuring 14-9

described 14-7

field descriptions 14-8

raw expression syntax

described B-63

expert mode B-63

Raw Regex

described 7-28, 7-30, B-63

expert mode 7-28, 7-30, B-63

rebooting the sensor 17-29

Reboot Sensor pane

configuring 17-29

described 17-29

user roles 17-29

recover command 22-10

recovering

application partition image 22-11

ASA 5500 AIP SSM C-60

recovery partition

described A-4

upgrade 22-5

Regex

Multi String engine B-34

standardized B-1

Regular Expression. See also Regex.

regular expression syntax

raw Regex 7-28, 7-30, B-63

signatures B-9

reimaging

ASA 5500-X IPS SSP 22-29

described 22-1

IPS 4240 22-14

IPS 4255 22-13

IPS 4260 22-17

IPS 4270-20 22-19

IPS 4345 22-21

IPS 4360 22-21

IPS 4510 22-24

IPS 4520 22-24

sensors 22-1, 22-10

removing

last applied

service pack 22-10

signature update 22-10

renaming KBs 18-13

reputation

described 11-2

illustration 11-3

servers 11-3

Reset Network Security Health pane

described 18-18

field descriptions 18-18

resetting data 18-18

user roles 18-18

reset not occurring for a signature C-52

resetting

ASA 5500 AIP SSM C-60

hit counts for denied attackers 14-2

network security health data 18-18

passwords

ASDM 17-8, 17-10, 17-12, C-11, C-13, C-15

hw-module command 17-6, 17-10, C-10, C-14

sw-module command 17-8, C-12

resetting the password

ASA 5500 AIP SSM 17-6, C-10

ASA 5500-X IPS SSP 17-8, C-12

ASA 5585-X IPS SSP 17-10, C-14

Restore Default Interface dialog box field descriptions 3-8

Restore Defaults pane

configuring 17-28

described 17-28

user roles 17-28

restoring

defaults 17-28

restoring the current configuration C-4

retiring signatures 7-12

risk categories

adding 6-39, 9-33

configuring 6-39, 9-33

deleting 6-39, 9-33

editing 6-39, 9-33

Risk Category tab

configuring 6-39, 9-33

described 6-38, 9-33

field descriptions 6-39, 9-33

risk rating

Alarm Channel 11-5

calculating 6-5, 9-2

component signatures B-32

described 6-30, 9-25

global correlation 11-5

reputation score 11-5

ROMMON

ASA 5585-X IPS SSP 22-33

described 22-12

IPS 4240 17-5, 22-14, C-9

IPS 4255 17-5, 22-14, C-9

IPS 4260 22-17

IPS 4270-20 22-19

IPS 4345 17-5, 22-21, C-9

IPS 4360 17-5, 22-21, C-9

IPS 4510 17-5, 22-24, C-9

IPS 4520 17-5, 22-24, C-9

password recovery 17-5, C-9

remote sensors 22-12

serial console port 22-12

TFTP 22-12

round-trip time. See RTT.

Router Blocking Device Interfaces pane

configuring 13-19

described 13-16

field descriptions 13-18

RPC portmapper 8-19, B-52

RTT

described 22-12

TFTP limitation 22-12

S

Save Knowledge Base dialog box

described 18-11

field descriptions 18-12

saving KBs 18-12

scheduling automatic upgrades 22-8

SDEE

described A-35

HTTP A-35

protocol A-35

server requests A-35

security

account locking 4-24

information on Cisco Security Intelligence Operations 21-8

information on MySDN 7-5

SSH 12-1

security policies described 6-1, 7-1, 9-1, 10-1

sensing interface

ASA 5500 AIP SSM 6-15

ASA 5500-X IPS SSP 6-15

ASA 5585-X IPS SSP 6-15

sensing interfaces

Analysis Engine 5-3

described 5-3

interface cards 5-3

modes 5-3

SensorApp

Alarm Channel A-25

Analysis Engine A-25

described A-4

event action filtering A-25

inline packet processing A-25

IP normalization A-25

packet flow A-26

processors A-23

responsibilities A-23

risk rating A-25

Signature Event Action Processor A-23

signature updates 17-23

TCP normalization A-25

SensorBase Network

described 1-1, 11-1, 11-2

network participation 11-4

participation 1-2, 11-2

servers 1-2, 11-2

sensor health

critical settings 17-19

metrics 17-19

Sensor Health gadget

configuring 2-5

described 2-4

metrics 2-4

status 2-4

Sensor Health pane

described 17-19

field descriptions 17-20

Sensor Information gadget

configuring 2-4

described 2-3

Sensor Key pane

button functions 12-7

described 12-6

field descriptions 12-7

sensor SSH host key

displaying 12-7

generating 12-7

user roles 12-6

sensor license

installing 1-12, 17-16

obtaining 1-12, 17-16

sensors

access problems C-26

application partition image 22-11

asymmetric traffic and disabling anomaly detection 10-34, C-20

blocking self 13-7

command and control interfaces (list) 5-2

configuring to use NTP 4-14

corrupted SensorApp configuration C-36

diagnostics reports 18-19

disaster recovery C-6

downgrading 22-10

incorrect NTP configuration 4-8, C-18

initializing 4-1, 19-1, 19-4

interface support 5-4

IP address conflicts C-28

logging in

SSH 20-7

Telnet 20-7

loose connections C-24

misconfigured access lists C-28

no alerts C-33, C-59

not seeing packets C-35

NTP time source 4-13

NTP time synchronization 4-7, C-17

partitions A-4

physical connectivity C-32

preventive maintenance C-2

rebooting 17-29

reimaging 22-1

restoring defaults 17-28

sensing process not running C-30

setup command 4-1, 19-1, 19-4, 19-8

shutting down 17-29

statistics 18-20

system information 18-21

time sources 4-7, C-17

troubleshooting software upgrades C-55

updating 17-27

upgrading 22-4

using NTP time source 4-12

Sensor Setup window

described 3-2

Startup Wizard 3-2

Server Certificate pane

button functions 12-11

certificate

displaying 12-11

generating 12-11

described 12-10

field descriptions 12-11

user roles 12-10

server manifest described A-29

service account

accessing 4-17, C-5

cautions 4-17, C-5

creating C-5

described 4-17, A-32, C-5

RADIUS authentication 4-18

TAC A-32

troubleshooting A-32

Service DNS engine

described B-40

parameters (table) B-40

Service engine

described B-39

Layer 5 traffic B-39

Service FTP engine

described B-41

parameters (table) B-41

PASV port spoof B-41

Service Generic engine

described B-42

no custom signatures B-42

parameters (table) B-42

Service H225 engine

ASN.1 PER validation B-44

described B-43

features B-44

parameters (table) B-44

TPKT validation B-44

Service HTTP engine

custom signature 8-17

described 8-16, B-46

example signature 8-17

parameters (table) B-46

Service IDENT engine

described B-48

parameters (table) B-48

Service MSRPC engine

DCE/RPC protocol 8-11, B-48

described 8-11, B-48

parameters (table) B-49

Service MSSQL engine

described B-50

MSSQL protocol B-50

parameters (table) B-51

Service NTP engine

described B-51

parameters (table) B-51

Service P2P engine described B-52

service packs described 21-3

service role 4-17, 20-2, A-32

Service RPC engine

described 8-19, B-52

parameters (table) B-52

RPC portmapper 8-19, B-52

Service SMB Advanced engine

described B-54

parameters (table) B-54

Service SNMP engine

described B-56

parameters (table) B-56

Service SSH engine

described B-57

parameters (table) B-57

Service TNS engine

described B-57

parameters (table) B-58

session command

ASA 5500 AIP SSM 20-4

ASA 5500-X IPS SSP 20-5

ASA 5585-X IPS SSP 20-6

sessioning in

ASA 5500 AIP SSM 20-4

ASA 5500-X IPS SSP 20-5

ASA 5585-X IPS SSP 20-6

setting

current KB 18-12

system clock 4-15

setting up terminal servers 20-3, 22-13

setup

automatic 19-2

command 4-1, 19-1, 19-4, 19-8, 19-13, 19-17, 19-21

simplified mode 19-2

shared secret

described 4-23

RADIUS authentication 4-23

show events command C-104, C-105

show health command C-83

show interfaces command C-103

show module 1 details command C-59, C-66, C-78

show settings command 17-13, C-16

show statistics command C-90, C-91

show statistics virtual-sensor command C-25, C-91

show tech-support command C-84

show version command C-88

Shut Down Sensor pane

configuring 17-29

described 17-29

user roles 17-29

shutting down the sensor 17-29

sig0 pane

column heads 7-3

configuration buttons 7-3

default 7-3

described 7-3

field descriptions 7-6

signatures

assigning actions 7-16

cloning 7-14

tuning 7-15

tabs 7-3

signature definition policies

adding 7-2

cloning 7-2

default policy 7-2

deleting 7-2

sig0 7-2

Signature Definitions pane

described 7-2

field descriptions 7-2

signature engines

AIC B-10

Atomic B-13

Atomic ARP B-13

Atomic IP 8-13, B-24

Atomic IP Advanced B-14

Atomic IPv6 B-27

creating custom signatures 8-1

described B-1

Fixed B-28

Flood B-31

Flood Host B-31

Flood Net B-32

list B-2

Master B-4

Meta 7-21, B-32

Multi String B-34

Normalizer B-36

Regex

patterns B-10

syntax B-9

Service B-39

Service DNS B-40

Service FTP B-41

Service Generic B-42

Service H225 B-43

Service HTTP 8-16, B-46

Service IDENT B-48

Service MSRPC 8-11, B-48

Service MSSQL B-50

Service NTP B-51

Service P2P B-52

Service RPC 8-19, B-52

Service SMB Advanced B-54

Service SNMP B-56

Service SSH B-57

Service TNS B-57

State 8-20, B-59

String 8-21, 8-24, B-61

supported by IDM 8-2

Sweep 8-24, B-66

Sweep Other TCP B-68

Traffic Anomaly B-69

Traffic ICMP B-71

Trojan B-72

signature engine update files described 21-4

Signature Event Action Filter

described 9-6, A-27

parameters 9-6, A-27

Signature Event Action Handler described 9-7, A-27

Signature Event Action Override described 9-6, A-27

Signature Event Action Processor

Alarm Channel 9-6, A-27

components 9-6, A-27

described 9-6, A-23, A-27

signature fidelity rating

calculating risk rating 6-5, 9-3

described 6-5, 9-3

signatures

adding 7-12

alert frequency 7-18

assigning actions 7-16

cloning 7-14

custom 7-4

default 7-4

described 7-4

disabling 7-12

editing 7-15

enabling 7-12

false positives 7-4

rate limits 13-4

retiring 7-12

String TCP XL 7-29

subsignatures 7-4

TCP reset C-52

tuned 7-4

tuning 7-15

Signatures window

described 3-14

field descriptions 3-15

user roles 3-14

signature threat profiles

applying 3-15

platform support 3-14

signature updates

bypass mode 17-23

files 21-4

FTP server 17-26

installation time 17-23

SensorApp 17-23

signature variables

adding 7-32

configuring 7-32

deleting 7-32

described 7-31

editing 7-32

Signature Variables tab

configuring 7-32

field descriptions 7-32

Signature Wizard

Alert Response window field descriptions 8-26

Atomic IP Engine Parameters window field descriptions 8-13

ICMP Traffic Type window field descriptions 8-12

Inspect Data window field descriptions 8-12

MSRPC Engine Parameters window field descriptions 8-11

protocols 8-10

Protocol Type window field descriptions 8-10

Service HTTP Engine Parameters window field descriptions 8-16

Service RPC Engine Parameters window field descriptions 8-19

Service Type window field descriptions 8-12

signature identification 8-10

Signature Identification window field descriptions 8-11

State Engine Parameters window field descriptions 8-20

String ICMP Engine Parameters window field descriptions 8-21

String TCP Engine Parameters window field descriptions 8-21

String UDP Engine Parameters window field descriptions 8-24

Sweep Engine Parameters window field descriptions 8-25

TCP Sweep Type window field descriptions 8-13

TCP Traffic Type window field descriptions 8-12

UDP Sweep Type window field descriptions 8-12

UDP Traffic Type window field descriptions 8-12

Welcome window field descriptions 8-10

SNMP

configuring 15-2

described 15-1

General Configuration pane

field descriptions 15-2

user roles 15-2

Get 15-1

GetNext 15-1

Set 15-1

supported MIBs 15-6, C-20

Trap 15-1

Traps Configuration pane

field descriptions 15-3

user roles 15-3

SNMP General Configuration pane

configuring 15-2

described 15-2

SNMP traps

configuring 15-4

described 15-1

software architecture

ARC (illustration) A-13

IDAPI (illustration) A-33

software bypass

supported configurations 5-12

with hardware bypass 5-12

software downloads Cisco.com 21-1

software file names

recovery (illustration) 21-5

signature/virus updates (illustration) 21-4

signature engine updates (illustration) 21-5

system image (illustration) 21-5

software release examples

platform-dependent 21-6

platform identifiers 21-7

platform-independent 21-6

software updates

supported FTP servers 17-22, 22-2

supported HTTP/HTTPS servers 17-22, 22-2

SPAN port issues C-32

SSH

described 12-1

security 12-1

SSH Server

private keys A-22

public keys A-22

standards

CIDEE A-35

IDCONF A-34

IDIOM A-34

SDEE A-35

Startup Wizard

access lists 3-3

adding ACLs 3-5

adding virtual sensors 3-13

Add Virtual Sensor dialog box 3-12

ASA 5500 AIP SSM 3-2

ASA 5500-X IPS SSP 3-2

ASA 5585-X IPS SSP 3-2

Auto Update configuring 3-17

described 3-1

Inline Interface Pair window

described 3-9

field descriptions 3-9

Inline VLAN Pairs window configuring 3-10

Interface Selection window 3-9

Interface Summary window 3-7

Sensor Setup window

configuring 3-4

field descriptions 3-2

Signatures window described 3-14

Traffic Inspection Mode window 3-8

Virtual Sensors window

described 3-11

field descriptions 3-12

VLAN groups unsupported 3-1, 3-8

State engine

Cisco Login 8-20, B-59

described 8-20, B-59

LPR Format String 8-20, B-59

parameters (table) B-59

SMTP 8-20, B-59

statistic display C-91

Statistics pane

button functions 18-20

categories 18-19

described 18-19

using 18-20

statistics viewing 18-20

String engine described 8-21, 8-24, B-61

String ICMP engine parameters (table) B-61

String TCP engine

custom signature 8-22

example signature 8-22

parameters (table) B-61

String TCP XL signature (example) 7-26, 7-29

String UDP engine parameters (table) B-62

String XL engine

description B-63

hardware support 8-3, B-3, B-63

parameters (table) B-64

unsupported parameters B-66

subinterface 0 described 5-17

subsignatures described 7-4

summarization

described 6-7, 9-5

Fire All 6-8, 9-5

Fire Once 6-8, 9-6

Global Summarization 6-8, 9-6

Meta engine 6-7, 9-5

Summary 6-8, 9-6

Summarizer described 6-41, 9-35

Summary pane

button functions 5-18

described 5-17

field descriptions 3-8, 5-18

supported

FTP servers 17-22, 22-2

HTTP/HTTPS servers 17-22, 22-2

IDM platforms 1-4

IPS interfaces for CSA MC 16-3

sensors (signature threat profiles) 3-14

Sweep engine 8-25, B-67

described 8-24, B-66

parameters (table) B-67

Sweep Other TCP engine

described B-68

parameters (table) B-69

SwitchApp described A-30

switches and TCP reset interfaces 5-9

sw-module module slot_number password-reset command 17-8, C-12

system architecture

directory structure A-36

supported platforms A-1

system clock setting 4-15

system components IDAPI A-33

System Configuration Dialog

described 19-2

example 19-2

system design (illustration) A-2, A-3

system image

installing

ASA 5500 AIP SSM 22-27

ASA 5500-X IPS SSP 22-29

IPS 4240 22-14

IPS 4255 22-14

IPS 4260 22-17

IPS 4270-20 22-19

IPS 4345 22-21

IPS 4360 22-21

IPS 4510 22-24

IPS 4520 22-24

System Information pane

described 18-20

using 18-21

system information viewing 18-21

system requirements for IDM 1-4

T

TAC

contact information 18-20

service account 4-17, A-32, C-5

show tech-support command C-84

troubleshooting A-32

target value rating

calculating risk rating 6-6, 9-3

described 6-6, 6-26, 6-28, 9-3, 9-20, 9-22

TCP fragmentation described B-36

TCP Protocol tab

described 10-16, 10-23, 10-29

enabling TCP 10-16

external zone 10-29

field descriptions 10-16

illegal zone 10-23

TCP reset interfaces

conditions 5-9

described 5-8

list 5-8

promiscuous mode 5-8

switches 5-9

TCP resets not occurring C-52

TCP stream reassembly

described 7-47

parameters (table) 7-48

signatures (table) 7-48

TCP stream reassembly mode 7-53

tech support information display C-85

terminal server setup 20-3, 22-13

testing fail-over 5-12

TFN2K

described B-71

Trojans B-72

TFTP servers

maximum file size limitation 22-12

RTT 22-12

Threat Category tab

described 6-40, 9-34

field descriptions 6-40, 9-34

threat rating

described 6-7, 9-4

risk rating 6-7, 9-4

Thresholds for KB Name window

described 18-8

field descriptions 18-8

filtering information 18-8

time

correction on the sensor 4-11, C-18

sensors 4-7, C-17

synchronizing IPS clocks 4-8, C-17

Time pane

configuring 4-10

described 4-7

field descriptions 4-9

user roles 4-7

time sources

appliances 4-7, C-17

ASA 5500 AIP SSC-5 4-7, C-17

ASA 5500 AIP SSM 4-7, C-17

ASA 5500-X IPS SSP 4-7, C-17

ASA 5585-X IPS SSP 4-7, C-17

TLS

described 4-4

handshaking 1-7, 12-8

IDM 1-7, 12-7

web server 1-7, 12-7

Top Applications gadget

configuring 2-10

described 2-10

Traffic Anomaly engine

described B-69

protocols B-69

signatures B-69

traffic flow notifications

configuring 5-31

described 5-30

Traffic Flow Notifications pane

configuring 5-31

field descriptions 5-30

user roles 5-30

Traffic ICMP engine

DDoS B-71

described B-71

LOKI B-71

parameters (table) B-72

TFN2K B-71

Traffic Inspection Mode window described 3-8

Traps Configuration pane

configuring 15-4

described 15-3

trial license key 1-10, 17-14

Tribe Flood Network. See TFN.

Tribe Flood Network 2000. See TFN2K.

Trojan engine

BO2K B-72

described B-72

TFN2K B-72

Trojans

BO B-72

BO2K B-72

LOKI B-71

TFN2K B-72

troubleshooting

Analysis Engine busy C-57

applying software updates C-54

ARC

blocking not occurring for signature C-43

device access issues C-41

enabling SSH C-43

inactive state C-39

misconfigured master blocking sensor C-44

verifying device interfaces C-42

ASA 5500 AIP SSM

commands C-59

debugging C-60

recovering C-60

reset C-60

ASA 5500-X IPS SSP

commands C-66

failover scenarios C-65

ASA 5585-X IPS SSP

commands C-78

failover scenarios C-61, C-76

traffic flow stopped C-78

automatic updates C-54

cannot access sensor C-26

cidDump C-108

cidLog messages to syslog C-51

communication C-25

corrupted SensorApp configuration C-36

debug logger zone names (table) C-50

debug logging C-46

disaster recovery C-6

duplicate sensor IP addresses C-28

enabling debug logging C-46

external product interfaces 16-10, C-23

gathering information C-83

global correlation 11-11, C-22

IDM

cannot access sensor C-58

will not load C-57

IPS clock time drift 4-8, C-17

misconfigured access list C-28

no alerts C-33, C-59

password recovery 17-13, C-16

physical connectivity issues C-32

preventive maintenance C-2

reset not occurring for a signature C-52

sensing process not running C-30

sensor events C-104

sensor loose connections C-24

sensor not seeing packets C-35

sensor software upgrade C-55

service account 4-17, C-5

show events command C-104

show interfaces command C-103

show statistics command C-90

show tech-support command C-84, C-85

show version command C-88

software upgrades C-53

SPAN port issue C-32

upgrading C-53

verifying Analysis Engine is running C-21

verifying ARC status C-38

Trusted Hosts pane

configuring 12-9

described 12-9

field descriptions 12-9

tuned signatures described 7-4

tuning

AIC signatures 7-43

IP fragment reassembly signatures 7-47

signatures 7-15

TCP fragment reassembly signatures 7-54

U

UDP Protocol tab

described 10-17, 10-23, 10-24, 10-29

enabling UDP 10-17

external zone 10-29

field descriptions 10-30

illegal zone 10-23, 10-24

unassigned VLAN groups described 5-17

unauthenticated NTP 4-7, 4-13, C-17

uninstalling the license key 17-18

UNIX-style directory listings 17-22

unlocking accounts 4-26

unlock user username command 4-26

Update Sensor pane

configuring 17-27

described 17-26

field descriptions 17-26

user roles 17-26

updating

Home pane 1-3

sensors 17-27

upgrade command 22-3, 22-5

upgrading

application partition 22-10

latest version C-53

recovery partition 22-5

sensors 22-4

uploading KBs

FTP 18-14

SCP 18-14

Upload Knowledge Base to Sensor dialog box

described 18-14

field descriptions 18-14

URLs for Cisco Security Intelligence Operations 21-8

user roles authentication 4-19

users

configuring 4-22

users configuring 4-22

using

debug logging C-46

TCP reset interfaces 5-9

V

VACLs

described 13-2

Post-Block 13-21

Pre-Block 13-21

verifying

NTP configuration 4-8

password recovery 17-13, C-16

sensor initialization 19-25

sensor setup 19-25

version display C-88

viewing

denied attacker hit counts 14-2

denied attackers list 14-2

IP logs 14-12

license key status 1-10, 17-14

statistics 18-20

system information 18-21

virtualization

advantages 6-3, C-19

restrictions 6-3, C-19

supported sensors 6-3, C-19

traffic capture requirements 6-3, C-19

virtual-sensor name command 6-15

virtual sensors

adding 3-13, 6-13

adding (ASA 5500 AIP SSM) 6-16

adding (ASA 5500-X IPS SSP) 6-16

adding (ASA 5585-X IPS SSP) 6-16

ASA 5500 AIP SSM 6-18

ASA 5500-X IPS SSP 6-18

ASA 5585-X IPS SSP 6-18

creating (ASA 5500 AIP SSM) 6-16

creating (ASA 5500-X IPS SSP) 6-16

creating (ASA 5585-X IPS SSP) 6-16

default virtual sensor 6-2, 6-8

deleting 6-13

described 6-2, 6-8

editing 6-13

options 6-16

Virtual Sensors window

described 3-11

VLAN groups

802.1q encapsulation 5-17

configuration restrictions 5-11

configuring 5-27

deploying 5-26

switches 5-26

VLAN IDs 5-26

VLAN groups mode

described 5-16

VLAN Groups pane

configuring 5-27

described 5-26

field descriptions 5-26

user roles 5-25

VLAN Pairs pane

configuring 5-24

described 5-23

field descriptions 5-24

user roles 5-23

vulnerable OSes field described B-6

W

watch list rating

calculating risk rating 6-6, 9-3

described 6-6, 9-3

web server

described A-4, A-23

HTTP 1.0 and 1.1 support A-23

private keys A-22

public keys A-22

SDEE support A-23

TLS 1-7, 12-7

worms

Blaster 10-2

Code Red 10-2

histograms 10-13, 18-6

Nimda 10-2

protocols 10-3

Sasser 10-2

scanners 10-3

Slammer 10-2

SQL Slammer 10-2

Z

zones

external 10-5

illegal 10-5

internal 10-5