Index
Numerics
4GE bypass interface card
configuration restrictions 5-12
described 5-12
802.1q encapsulation for VLAN groups 5-17
A
AAA RADIUS
functionality 4-19
limitations 4-19
accessing
IPS software 21-1
service account 4-18, C-5
access list misconfiguration C-29
access lists
necessary hosts 3-3
Startup Wizard 3-3
account locking
configuring 4-25
security 4-25
account unlocking configuring 4-26
ACLs
adding 3-5
described 13-2
Post-Block 13-17
Pre-Block 13-17
Active Host Blocks pane
field descriptions 14-3
user roles 14-3
ad0 pane
default 10-10
described 10-10
tabs 10-10
Add/Update Trusted Root Certificate dialog box
field descriptions 12-16
Add ACL Entry dialog box field descriptions 3-4
Add Active Host Block dialog box field descriptions 14-4
Add Allowed Host dialog box
field descriptions 4-6
user roles 4-5
Add Authorized RSA1 Key dialog box
field descriptions 12-5
user roles 12-4
Add Authorized RSA Key dialog box
field descriptions 12-3
user roles 12-2
Add Blocking Device dialog box
field descriptions 13-14
user roles 13-13
Add Cat 6K Blocking Device Interface dialog box
field descriptions 13-22
user roles 13-20
Add Configured OS Map dialog box
field descriptions 6-33, 9-27
user roles 6-32, 9-25
Add Destination Port dialog box field descriptions 10-16
Add Device Login Profile dialog box
field descriptions 13-12
user roles 13-11
Add Event Action Filter dialog box
field descriptions 6-22, 9-17
user roles 6-21, 9-15
Add Event Action Override dialog box
field descriptions 6-12, 9-14
user roles 6-12, 9-13
Add Event Variable dialog box
field descriptions 6-36, 9-31
user roles 9-29
Add External Product Interface dialog box
field descriptions 16-6
user roles 16-4
Add Histogram dialog box field descriptions 10-17
adding
ACLs 3-5
a host never to be blocked 13-10
anomaly detection policies 10-9
blocking devices 13-15
CSA MC interfaces 16-7
dashboards 2-1
denied attackers 14-2
event action filters 6-23, 9-18
event action overrides 9-14
event action rules policies 9-12
event variables 6-37, 9-31
external product interfaces 16-7
gadgets 2-1
host blocks 14-4
IPv4 target value ratings 6-26, 9-21
IPv6 target value ratings 6-29, 9-23
network blocks 14-7
OS maps 6-33, 9-28
rate limiting devices 13-15
rate limits 14-9
risk categories 6-39, 9-34
signature definition policies 7-2
signatures 7-12
signature variables 7-32
trusted root certificates 12-16
virtual sensors 3-13, 6-13
virtual sensors (ASA 5500 AIP SSM) 6-16
virtual sensors (ASA 5500-X IPS SSP) 6-16
virtual sensors (ASA 5585-X IPS SSP) 6-16
Add Inline VLAN Pair dialog box field descriptions 3-10, 5-24
Add Interface Pair dialog box field descriptions 5-22
Add IP Logging dialog box field descriptions 14-11
Add Known Host RSA1 Key dialog box
field descriptions 12-9
user roles 12-8
Add Known Host RSA Key dialog box
field descriptions 12-7
user roles 12-6
Add Master Blocking Sensor dialog box
field descriptions 13-24
user roles 13-23
Add Network Block dialog box field descriptions 14-6
Add Never Block Address dialog box
field descriptions 13-10
user roles 13-7
Add Policy dialog box field descriptions 7-2, 9-12, 10-9
Add Posture ACL dialog box field descriptions 16-7
Add Protocol Number dialog box field descriptions 10-18, 10-25
Add Rate Limit dialog box
field descriptions 14-8
user role 14-7
Address Resolution Protocol. See ARP.
Add Risk Level dialog box field descriptions 6-39, 9-33
Add Router Blocking Device Interface dialog box
field descriptions 13-19
user roles 13-16
Add Signature dialog box field descriptions 7-7
Add Signature Variable dialog box
field descriptions 7-32
user roles 7-31
Add SNMP Trap Destination dialog box field descriptions 15-4
Add Target Value Rating dialog box field descriptions 9-23
Add Trusted Host dialog box
field descriptions 12-13
user roles 12-13
Add User dialog box
field descriptions 4-22
user roles 4-19, 4-22
Add Virtual Sensor dialog box
described 3-12, 6-10
field descriptions 3-13, 6-11
Add VLAN Group dialog box field descriptions 5-27
Advanced Alert Behavior Wizard
Alert Dynamic Response Fire All window field descriptions 8-27
Alert Dynamic Response Fire Once window field descriptions 8-28
Alert Dynamic Response Summary window field descriptions 8-28
Alert Summarization window field descriptions 8-27
Event Count and Interval window field descriptions 8-26
Global Summarization window field descriptions 8-29
aggregation
alert frequency 6-7, 9-5
operating modes 6-7, 9-5
AIC
policy 7-43
signatures (example) 7-43
AIC engine
AIC FTP B-11
AIC FTP engine parameters (table) B-12
AIC HTTP B-11
AIC HTTP engine parameters (table) B-12
described B-11
features B-11
signature categories 7-35
AIC policy enforcement
default configuration 7-36, B-11
described 7-36, B-11
sensor oversubscription 7-36, B-11
Alarm Channel
described 9-6, A-27
risk rating 11-5
alert and log actions (list) 9-8
alert behavior
Custom Signature Wizard 8-26
normal 8-26
alert frequency
aggregation 7-18
configuring 7-18
controlling 7-18
modes B-7
allocate-ips command 6-15
Allowed Hosts/Networks pane
configuring 4-6
described 4-5
field descriptions 4-6
alternate TCP reset interface
configuration restrictions 5-10
designating 5-9
restrictions 5-2
Analysis Engine
described 6-2
error messages C-26
errors C-55
IDM exits C-58
sensing interfaces 5-3
verify it is running C-22
virtual sensors 6-2
anomaly detection
asymmetric traffic 10-2
caution 10-2
configuration sequence 10-5
default anomaly detection configuration 10-4
default configuration (example) 10-4
described 10-2
detect mode 10-4
disabling 10-34
enabling 10-4
event actions 10-7, B-69
inactive mode 10-4
learning accept mode 10-3
learning process 10-3
limiting false positives 10-13, 18-7
operation settings 10-11
protocols 10-3
signatures (table) 10-7, B-70
signatures described 10-6
worms
attacks 10-13, 18-6
described 10-3
zones 10-5
anomaly detection disabling C-21
Anomaly Detection pane
button functions 18-7
described 18-6
field descriptions 18-7
user roles 18-5
anomaly detection policies
ad0 10-9
adding 10-9
cloning 10-9
default policy 10-9
deleting 10-9
Anomaly Detections pane
described 10-9
field descriptions 10-9
user roles 10-9
appliances
GRUB menu 17-5, C-8
initializing 19-8
logging in 20-2
password recovery 17-5, C-8
setting system clock 4-16
terminal servers
described 20-3, 22-14
setting up 20-3, 22-14
time sources 4-8, C-17
upgrading recovery partition 22-6
Application Inspection and Control. See AIC.
application partition
described A-4
image recovery 22-12
application policy enforcement described 7-36, B-11
applications in XML format A-4
applying signature threat profiles 3-15
applying software updates C-55
ARC
ACLs 13-17, A-14
authentication A-15
blocking
connection-based A-17
response A-13
unconditional blocking A-17
blocking application 13-1
blocking not occurring for signature C-44
Catalyst switches
VACL commands A-19
VACLs A-16, A-19
VLANs A-16
checking status 13-3, 13-4
described A-4
design 13-2
device access issues C-42
enabling SSH C-44
features A-14
firewalls
AAA A-18
connection blocking A-18
NAT A-18
network blocking A-18
postblock ACL A-16
preblock ACL A-16
shun command A-18
TACACS+ A-18
formerly Network Access Controller 13-1
functions 13-1
illustration A-13
inactive state C-40
interfaces A-14
maintaining states A-16
managed devices 13-7
master blocking sensors A-14
maximum blocks 13-2
misconfigured master blocking sensor C-45
nac.shun.txt file A-16
NAT addressing A-15
number of blocks A-15
postblock ACL A-16
preblock ACL A-16
prerequisites 13-5
rate limiting 13-3
responsibilities A-13
single point of control A-15
SSH A-14
supported devices 13-5, A-15
Telnet A-14
troubleshooting C-38
VACLs A-14
verifying device interfaces C-43
verifying status C-39
ARP
Layer 2 signatures B-13
protocol B-13
ARP spoof tools
dsniff B-13
ettercap B-13
ASA 5500 AIP SSC-5
time sources 4-8, C-18
ASA 5500 AIP SSM
assigning virtual sensors 6-18
bypass mode 5-30
creating virtual sensors 6-16
initializing 19-13
installing system image 22-28
logging in 20-4
Normalizer engine B-37, C-63
password recovery 17-6, C-10
recovering C-61
resetting C-61
resetting the password 17-7, C-10
sensing interface 6-15
session command 20-4
sessioning in 20-4
setup command 19-13
time sources 4-8, C-18
virtual sensors
assigning the interface 6-16
sequence 6-15
ASA 5500-X IPS SSP
assigning virtual sensors 6-18
creating virtual sensors 6-16
initializing 19-17
IPS reloading messages C-66, C-71, C-79
logging in 20-5
memory usage 17-20, C-70
memory usage values (table) 17-20, C-70
no CDP mode support 5-32
Normalizer engine B-37, C-69
password recovery 17-8, C-12
resetting the password 17-9, C-12
sensing interface 6-15
session command 20-5
sessioning in 20-5
setup command 19-17
time sources 4-8, C-18
virtual sensors
assigning policies 6-15
assigning the interface 6-16
virtual sensor sequence 6-15
ASA 5585-X IPS SSP
assigning virtual sensors 6-18
creating virtual sensors 6-16
initializing 19-21
installing system image 22-32
IPS reloading messages C-66, C-71, C-79
logging in 20-6
no CDP mode support 5-32
Normalizer engine B-37, C-77
password recovery 17-10, C-14
resetting the password 17-10, C-14
sensing interface 6-15
session command 20-6
sessioning in 20-6
setup command 19-21
time sources 4-8, C-18
virtual sensors
assigning policies 6-15
assigning the interface 6-16
sequence 6-15
ASA IPS modules
jumbo packet count C-65, C-70, C-78
ASDM
resetting passwords 17-8, 17-10, 17-12, C-12, C-13, C-15
assigning
interfaces to virtual sensors (ASA 5500 AIP SSM) 6-16
interfaces to virtual sensors (ASA 5500-X IPS SSP) 6-16
interfaces to virtual sensors (ASA 5585-X IPS SSP) 6-16
policies to virtual sensors (ASA 5500 AIP SSM) 6-15
policies to virtual sensors (ASA 5500-X IPS SSP) 6-15
policies to virtual sensors (ASA 5585-X IPS SSP) 6-15
assigning actions to signatures 7-16
asymmetric mode
described 6-4
normalization 6-4
asymmetric traffic
anomaly detection 10-2
caution 10-2
disabling anomaly detection 10-34
asymmetric traffic and disabling anomaly detection C-21
Atomic ARP engine
described B-13
parameters (table) B-13
Atomic IP Advanced engine
described B-14
parameters (table) B-16
restrictions B-15
Atomic IP engine
described 8-13, B-24
parameters (table) B-24
Atomic IPv6 engine
described B-27
Neighbor Discovery protocol B-28
signatures B-28
attack relevance rating
calculating risk rating 6-6, 9-3
described 6-6, 6-30, 9-3, 9-25
Attack Response Controller
described A-4
formerly known as Network Access Controller A-4
Attack Response Controller. See ARC.
attack severity rating
calculating risk rating 6-6, 9-3
described 6-6, 9-3
attempt limit
RADIUS C-23
attemptLimit command 4-25
audit mode
described 11-9
testing global correlation 11-9
authenticated NTP 4-7, 4-14, C-17
authentication
local 4-19
RADIUS 4-19
AuthenticationApp
authenticating users A-21
described A-4
login attempt limit A-21
method A-21
responsibilities A-20
secure communications A-21
sensor configuration A-20
Authentication pane
configuring 4-22
described 4-19
field descriptions 4-20
user roles 4-17, A-31
Authorized RSA1 Keys pane
configuring 12-5
described 12-4
field descriptions 12-4
RSA authentication 12-4
RSA key generation tool 12-5
Authorized RSA Keys pane
configuring 12-3
described 12-2
field descriptions 12-3
RSA authentication 12-2
RSA key generation tool 12-3
Auto/Cisco.com Update pane
configuring 17-24
described 3-16, 17-22
field descriptions 17-23
UNIX-style directory listings 17-22
user roles 17-22
automatic setup 19-2
automatic updates
Cisco.com 3-16, 17-22
configuring 3-17, 17-24
cryptographic account 3-16, 17-22
FTP servers 17-22
SCP servers 3-16, 17-22
automatic upgrade
information required 22-7
troubleshooting C-55
autonegotiation for hardware bypass 5-13
Auto Update window
field descriptions 3-16
user roles 3-16
auto-upgrade-option command 22-7
B
backing up
configuration C-2
current configuration C-4
BackOrifice. See BO.
BackOrifice 2000. See BO2K.
basic setup 19-4
blocking
described 13-1
disabling 13-7
master blocking sensor 13-23
necessary information 13-3
prerequisites 13-5
supported devices 13-5
types 13-2
blocking devices
adding 13-15
deleting 13-15
editing 13-15
Blocking Devices pane
configuring 13-15
described 13-14
field descriptions 13-14
ssh host-key command 13-15
blocking not occurring for signature C-44
Blocking Properties pane
adding a host never to be blocked 13-10
configuring 13-9
described 13-7
field descriptions 13-8
BO
described B-72
Trojans B-72
BO2K
described B-72
Trojans B-72
bypass mode
ASA 5500 AIP SSM 5-30
described 5-29
signature updates 17-23
Bypass pane
field descriptions 5-29
user roles 5-28
C
calculating risk rating
attack relevance rating 6-6, 9-3
attack severity rating 6-6, 9-3
promiscuous delta 6-6, 9-3
signature fidelity rating 6-5, 9-3
target value rating 6-6, 9-3
watch list rating 6-6, 9-3
cannot access sensor C-27
Cat 6K Blocking Device Interfaces pane
configuring 13-22
described 13-20
field descriptions 13-21
CDP mode
ASA 5500-X IPS SSP 5-32
ASA 5585-X IPS SSP 5-32
described 5-32
interfaces 5-32
CDP Mode pane
configuring 5-32
field descriptions 5-32
user roles 5-31
certificates
displaying 12-17
Firefox 1-8
generating 12-17
Internet Explorer 1-8
certificates (IDM) 1-7, 12-11
changing Microsoft IIS to UNIX-style directory listings 17-23
cidDump obtaining information C-104
CIDEE
defined A-35
example A-35
IPS extensions A-35
protocol A-35
supported IPS events A-35
cisco
default password 20-2
default username 20-2
Cisco.com
accessing software 21-1
downloading software 21-1
software downloads 21-1
Cisco Discovery Protocol. See CDP.
Cisco IOS rate limiting 13-3
Cisco Security Intelligence Operations
described 21-7
URL 21-8
Cisco Services for IPS
service contract 1-10, 17-15
supported products 1-10, 17-15
clear events command 4-12, 4-16, 18-4, C-19, C-104
Clear Flow States pane
described 18-16
field descriptions 18-17
clearing
denied attackers 14-2
events 4-16, 18-4, C-104
flow states 18-17
statistics C-88
CLI
described A-4, A-31
password recovery 17-12, C-16
client manifest described A-29
clock set command 4-15
Clone Event Action Rules dialog box field descriptions 9-12
Clone Policy dialog box field descriptions 7-2, 10-9
Clone Signature dialog box field descriptions 7-7
cloning
anomaly detection policies 10-9
event action rules policies 9-12
signature definition policies 7-2
signatures 7-14
CollaborationApp described A-4, A-29
command and control interface
described 5-2
list 5-2
commands
allocate-ips 6-15
attemptLimit 4-25
auto-upgrade-option 22-7
clear events 4-12, 4-16, 18-4, C-19, C-104
clock set 4-15
copy backup-config C-3
copy current-config C-3
debug module-boot C-61
downgrade 22-11
erase license-key 17-18
hw-module module 1 reset C-61
hw-module module slot_number password-reset 17-6, 17-10, C-10, C-14
setup 4-1, 19-1, 19-4, 19-8, 19-13, 19-17, 19-21
show events C-101
show health C-80
show module 1 details C-60, C-68, C-74
show settings 17-13, C-16
show statistics C-88
show statistics virtual-sensor C-26, C-88
show tech-support C-81, C-82
show version C-85
sw-module module slot_number password-reset 17-9, C-12
unlock user username 4-26
upgrade 22-3, 22-6
virtual-sensor name 6-15
Compare Knowledge Bases dialog box field descriptions 18-9
comparing KBs 18-9, 18-11
component signatures
risk rating B-32
configuration files
backing up C-2
merging C-2
configuration restrictions
alternate TCP reset interface 5-10
inline interface pairs 5-10
inline VLAN pairs 5-10
interfaces 5-9
physical interfaces 5-9
VLAN groups 5-11
Configure Summertime dialog box field descriptions 3-4, 4-10
configuring
account locking 4-25
account unlocking 4-26
AIC policy parameters 7-43
allowed hosts 4-6
allowed networks 4-6
anomaly detection operation settings 10-11
application policy signatures 7-43
authorized RSA1 keys 12-5
authorized RSA keys 12-3
automatic updates 3-17, 17-24
automatic upgrades 22-9
blocking devices 13-15
blocking properties 13-9
Cat 6K blocking device interfaces 13-22
CDP mode 5-32
CPU, Memory, & Load gadget 2-12
CSA MC IPS interfaces 16-3
device login profiles 13-12
event action filters 6-23, 9-18
events 18-3
event variables 6-37, 9-31
external zone 10-31
general settings 6-42, 9-36
Global Correlation Health gadget 2-9
Global Correlation Reports gadget 2-7
host blocks 14-4
illegal zone 10-25
inline VLAN pairs 3-10
inspection/reputation 11-10
inspection load statistics display 18-5
interface pairs 5-23
interfaces 5-20
Interface Status gadget 2-7
internal zone 10-19
IP fragment reassembly signatures 7-47
IP logging 14-12
IPv4 target value ratings 6-26, 9-21
IPv6 target value ratings 6-29, 9-23
learning accept mode 10-14
Licensing gadget 2-6
local authentication 4-22
master blocking sensor 13-25
network blocks 14-7
network participation 11-11
Network Security gadget 2-10
network settings 4-3
NTP servers 4-13
OS maps 6-33, 9-28
RADIUS authentication 4-23
rate limiting 14-9
rate limiting device interfaces 13-19
risk categories 6-39, 9-34
router blocking device interfaces 13-19
Sensor Health gadget 2-5
Sensor Information gadget 2-4
Sensor Setup window 3-4
sensor to use NTP 4-14
signature variables 7-32
SNMP 15-2
SNMP traps 15-4
time 4-10
Top Applications gadget 2-10
traffic flow notifications 5-31
trusted hosts 12-14
upgrades 22-4
users 4-22
VLAN groups 5-27
VLAN pairs 5-25
control transactions
characteristics A-9
request types A-8
cookies IDM 1-7
copy backup-config command C-3
copy current-config command C-3
correcting time on the sensor 4-12, C-19
CPU, Memory, & Load gadget
configuring 2-12
described 2-11
creating
Atomic IP Advanced engine signature 7-24, 8-14
custom signatures
not using signature engines 8-4
Service HTTP 8-17
String TCP 8-22
using signature engines 8-1
IPv6 signatures 7-24, 8-14
Meta signatures 7-21
Post-Block VACLs 13-21
Pre-Block VACLs 13-21
String TCP XL signatures 7-29
creating the service account C-6
cryptographic account
automatic updates 3-16, 17-22
Encryption Software Export Distribution Authorization form 21-2
obtaining 21-2
cryptographic features (IDM) 1-1
CSA MC
adding interfaces 16-7
configuring IPS interfaces 16-3
host posture events 16-1, 16-3
quarantined IP address events 16-1
supported IPS interfaces 16-3
CtlTransSource
described A-4, A-11
illustration A-12
current configuration back up C-2
current KB setting 18-12
customizing
dashboards 2-1
gadgets 2-1
custom signatures
Custom Signature Wizard 8-5
described 7-4
IPv6 signature 7-24, 8-14
Meta signature 7-21
sensor performance 8-4
String TCP XL 7-26, 7-29
Custom Signature Wizard
alert behavior 8-26
described 8-1
no signature engine sequence 8-4
signature engine sequence 8-1
supported signature engines 8-2
using 8-5
D
Dashboard pane gadgets 2-2
dashboards
adding 2-1
customizing 2-1
data nodes 8-25, B-67
data structures (examples) A-8
DDoS
protocols B-71
Stacheldraht B-71
TFN B-71
debug logging enable C-47
debug module-boot command C-61
default policies
ad0 10-9
rules0 9-12
sig0 7-2
defaults
KB filename 10-12
password 20-2
restoring 17-28
username 20-2
virtual sensor vs0 6-2
deleting
anomaly detection policies 10-9
blocking devices 13-15
denied attackers 14-2
event action filters 6-23, 9-18
event action overrides 9-14
event action rules policies 9-12
event variables 6-37, 9-31
host blocks 14-4
imported OS values 18-16
IPv4 target value ratings 6-26, 9-21
IPv6 target value ratings 6-29, 9-23
KBs 18-13
learned OS values 18-15
network blocks 14-7
OS maps 6-33, 9-28
rate limiting devices 13-15
rate limits 14-9
risk categories 6-39, 9-34
signature definition policies 7-2
signature variables 7-32
virtual sensors 6-13
Denial of Service. See DoS.
denied attackers
adding 14-2
clearing 14-2
deleting 14-2
hit count 14-1
resetting hit counts 14-2
viewing hit counts 14-2
viewing list 14-2
Denied Attackers pane
described 14-1
field descriptions 14-2
user roles 14-1
using 14-2
deny actions (list) 9-8
Deny Packet Inline described 9-10
detect mode (anomaly detection) 10-4
device access issues C-42
Device Login Profiles pane
configuring 13-12
described 13-11
field descriptions 13-12
Diagnostics Report pane
button functions 18-19
described 18-19
user roles 18-18
using 18-19
diagnostics reports 18-19
Differences between knowledge bases KB_Name and KB_Name window field descriptions 18-10
Difference Thresholds between knowledge base KB_Name and KB_Name window field descriptions 18-10
disabling
anomaly detection 10-34, C-21
blocking 13-7
event action filters 6-23, 9-18
global correlation 11-12
interfaces 5-20
password recovery 17-12, C-16
signatures 7-12
disaster recovery C-6
displaying
events 18-3, C-102
health status C-80
imported OS maps 18-16
inspection load statistics 18-5
learned OS maps 18-15
password recovery setting 17-13, C-16
sensor statistics 18-20
statistics C-88
tech support information C-81
version C-85
Distributed Denial of Service. See DDoS.
DoS tools
Stacheldraht B-71
stick B-7
TFN B-71
downgrade command 22-11
downgrading sensors 22-11
downloading
Cisco software 21-1
KBs 18-13
Download Knowledge Base From Sensor dialog box
described 18-13
field descriptions 18-13
duplicate IP addresses C-29
E
Edit Actions dialog box field descriptions 7-9
Edit Allowed Host dialog box
field descriptions 4-6
user roles 4-5
Edit Authorized RSA1 Key dialog box
field descriptions 12-5
user roles 12-4
Edit Authorized RSA Key dialog box
field descriptions 12-3
user roles 12-2
Edit Blocking Device dialog box
field descriptions 13-14
user roles 13-13
Edit Cat 6K Blocking Device Interface dialog box
field descriptions 13-22
user roles 13-20
Edit Configured OS Map dialog box
field descriptions 6-33, 9-27
user roles 6-32, 9-25
Edit Destination Port dialog box field descriptions 10-16
Edit Device Login Profile dialog box
field descriptions 13-12
user roles 13-11
Edit Event Action Filter dialog box
field descriptions 6-22, 9-17
user roles 6-21, 9-15
Edit Event Action Override dialog box
field descriptions 6-12, 9-14
user roles 6-12, 9-13
Edit Event Variable dialog box
field descriptions 6-36, 9-31
user roles 9-29
Edit External Product Interface dialog box
field descriptions 16-6
user roles 16-4
Edit Histogram dialog box field descriptions 10-17
editing
blocking devices 13-15
event action filters 6-23, 9-18
event action overrides 9-14
event variables 6-37, 9-31
interfaces 5-21
IPv4 target value ratings 6-26, 9-21
IPv6 target value ratings 6-29, 9-23
OS maps 6-33, 9-28
rate limiting devices 13-15
risk categories 6-39, 9-34
signatures 7-15
signature variables 7-32
virtual sensors 6-13
Edit Inline VLAN Pair dialog box field descriptions 3-10, 5-24
Edit Interface dialog box field descriptions 5-20
Edit Interface Pair dialog box field descriptions 5-22
Edit IP Logging dialog box field descriptions 14-11
Edit Known Host RSA1 Key dialog box
field descriptions 12-9
user roles 12-8
Edit Known Host RSA Key dialog box
field descriptions 12-7
user roles 12-6
Edit Master Blocking Sensor dialog box
field descriptions 13-24
user roles 13-23
Edit Never Block Address dialog box
field descriptions 13-10
user roles 13-7
Edit Posture ACL dialog box field descriptions 16-7
Edit Protocol Number dialog box field descriptions 10-18, 10-25
Edit Risk Level dialog box field descriptions 6-39, 9-33
Edit Router Blocking Device Interface dialog box
field descriptions 13-19
user roles 13-16
Edit Signature dialog box field descriptions 7-7
Edit Signature Variable dialog box
field descriptions 7-32
user roles 7-31
Edit SNMP Trap Destination dialog box field descriptions 15-4
Edit User dialog box
field descriptions 4-22
user roles 4-19, 4-22
Edit Virtual Sensor dialog box
field descriptions 6-11
user roles 6-10
Edit VLAN Group dialog box field descriptions 5-27
efficacy
described 11-4
measurements 11-4
enabling
anomaly detection 10-4
event action filters 6-23, 9-18
event action overrides 9-14
interfaces 5-20
packet logging 17-3
signatures 7-12
enabling debug logging C-47
Encryption Software Export Distribution Authorization form
cryptographic account 21-2
described 21-2
engines
AIC B-10
AIC FTP B-11
AIC HTTP B-11
Atomic B-13
Atomic ARP B-13
Atomic IP 8-13, B-24
Atomic IP Advanced B-14
Atomic IPv6 B-27
Fixed B-28
Fixed ICMP B-28
Fixed TCP B-28
Fixed UDP B-28
Flood B-31
Flood Host B-31
Flood Net B-31
Master B-4
Meta 7-21, B-32
Multi String B-34
Normalizer B-36
Service B-39
Service DNS B-39
Service FTP B-41
Service Generic B-42
Service H225 B-43
Service HTTP 8-16, B-46
Service IDENT B-48
Service MSRPC 8-11, B-48
Service MSSQL B-50
Service NTP B-51
Service P2P B-52
Service RPC 8-19, B-52
Service SMB Advanced B-54
Service SNMP B-56
Service SSH B-57
Service TNS B-57
State 8-20, B-59
String 8-21, 8-24, B-61
String ICMP 8-21, 8-24, B-61
String TCP 8-21, 8-24, B-61
String UDP 8-21, 8-24, B-61
Sweep 8-24, B-66
Sweep Other TCP B-68
Traffic Anomaly B-69
Traffic ICMP B-71
Trojan B-72
erase license-key command 17-18
errors (Analysis Engine) C-55
evAlert A-9
event action filters
adding 6-23, 9-18
configuring 6-23, 9-18
deleting 6-23, 9-18
described 6-20, 9-5
disabling 6-23, 9-18
editing 6-23, 9-18
enabling 6-23, 9-18
moving 6-23, 9-18
Event Action Filters tab
configuring 6-23, 9-18
described 6-21, 9-16
field descriptions 6-21, 9-16
event action overrides
adding 9-14
deleting 9-14
described 6-5, 9-4
editing 9-14
enabling 9-14
risk rating range 6-5, 9-4
Event Action Overrides tab
described 9-13
field descriptions 9-14
event action rules
described 9-2
functions 9-2
Event Action Rules (rules0) pane described 9-13
Event Action Rules pane
described 9-12
field descriptions 9-12
user roles 9-12
event action rules policies
adding 9-12
cloning 9-12
deleting 9-12
event action rules variables 6-21, 9-16
event actions
risk ratings 6-7, 9-4
threat ratings 6-7, 9-4
events
clearing 4-16, 18-4, C-104
displaying C-102
host posture 16-2
quarantined IP address 16-2
Events pane
configuring 18-3
described 18-1
field descriptions 18-2
Event Store
clearing 4-16, 18-4, C-104
clearing events 4-12, C-19
data structures A-8
described A-4
examples A-7
no alerts C-34
responsibilities A-7
time stamp 4-12, C-19
timestamp A-7
event types C-101
event variables
adding 6-37, 9-31
configuring 6-37, 9-31
deleting 6-37, 9-31
described 6-35, 9-29
editing 6-37, 9-31
example 6-36, 9-30
Event Variables tab
configuring 6-37, 9-31
field descriptions 6-36, 9-30
Event Viewer pane
displaying events 18-3
field descriptions 18-2
evError A-9
evLogTransaction A-9
evShunRqst A-9
evStatus A-9
example custom signatures
Atomic IP Advanced 7-24, 8-14
Meta 7-21
Service HTTP 8-17
String TCP 8-22
String TCP XL 7-26
examples
AIC engine signature 7-43
ASA failover configuration C-63, C-67, C-73
Atomic IP Advanced engine signature 7-24, 8-14
automatic update 17-25
configured OS maps 6-32, 9-25
default anomaly detection configuration 10-4
IP Fragment Reassembly signature 7-47
IPv6 attacker address 6-22, 9-17
IPv6 victim address 6-23, 9-17
KB histogram 10-13, 18-7
Meta engine signature 7-21
Service HTTP engine signature 8-17
SPAN configuration for IPv6 support 5-14
String TCP engine signature 8-22
String TCP XL engine signature 7-26, 7-29
System Configuration Dialog 19-2
TCP Stream Reassembly signature 7-54
external product interfaces
adding 16-7
described 16-1
issues 16-3, C-24
troubleshooting 16-10, C-24
trusted hosts 16-4
External Product Interfaces pane
described 16-4
field descriptions 16-5
external zone
configuring 10-31
protocols 10-29
user roles 10-28
External Zone tab
described 10-29
tabs 10-29
user roles 10-28
F
fail-over testing 5-12
false positives described 7-4
files Cisco IPS (list) 21-1
Firefox
certificates 1-8
validating CAs 1-8
Fixed engine described B-28
Fixed ICMP engine parameters (table) B-29
Fixed TCP engine parameters (table) B-29
Fixed UDP engine parameters (table) B-30
Flood engine described B-31
Flood Host engine parameters (table) B-31
Flood Net engine parameters (table) B-32
flow states clearing 18-17
FTP servers
automatic updates 17-22
signature updates 17-26
FTP servers and software updates 17-22, 22-2
G
gadgets
adding 2-1
CPU, Memory, & Load 2-11
customizing 2-1
Dashboard pane 2-2
Global Correlation Health 2-8
Global Correlation Reports 2-7
IDM 2-2
IDM home pane 1-3
Interface Status 2-6
Licensing 2-6
Network Security 2-9
Sensor Health 2-4
Sensor Information 2-3
Top Applications 2-10
general settings
configuring 6-42, 9-36
described 6-41, 9-35
General tab
configuring 6-42, 9-36
described 6-41, 9-35, 10-16, 10-23
enabling zones 10-16, 10-23
field descriptions 6-42, 9-36
user roles 9-35
generating diagnostics reports 18-19
global correlation
described 1-1, 11-1, 11-2
disabling 11-12
disabling about 11-12
DNS server 11-6
error messages A-30
features 11-5
goals 11-5
health metrics 11-7
health status 11-7
HTTP proxy server 11-6
license 1-9, 11-6, 11-8, 19-1, 19-5
no IPv6 support 6-22, 6-23, 6-28, 6-29, 6-35, 6-37, 9-15, 9-16, 9-18, 9-22, 9-23, 9-29, 9-31, 11-6
Produce Alert 7-9, 9-8
requirements 11-6
risk rating 11-5
troubleshooting 11-11, C-23
update client (illustration) 11-8
Global Correlation Health gadget
configuring 2-9
described 2-8
Global Correlation Reports gadget
configuring 2-7
described 2-7
Global Correlation Update
client described A-29
server described A-29
GRUB menu password recovery 17-5, C-8
H
H.225.0 protocol B-43
H.323 protocol B-43
hardware bypass
autonegotiation 5-13
configuration restrictions 5-12
fail-over 5-12
IPS 4260 5-12
IPS 4270-20 5-12
reimage 5-13
supported configurations 5-12
with software bypass 5-12
health status
global correlation 11-7
metrics 2-4
sensor 2-4
health status display C-80
Home pane
gadgets 1-3
updating 1-3
host blocks
adding 14-4
deleting 14-4
managing 14-4
Host Blocks pane
configuring 14-4
described 14-3
host posture events
CSA MC 16-3
described 16-2
HTTP/HTTPS servers supported 17-22, 22-2
HTTP advanced decoding
described 6-4
platform support 6-5
restrictions 6-4
HTTP deobfuscation
ASCII normalization 8-16, B-46
described 8-16, B-46
hw-module module 1 reset command C-61
hw-module module slot_number password-reset command 17-6, 17-10, C-10, C-14
I
IDAPI
communications A-4, A-33
described A-4
functions A-33
illustration A-33
responsibilities A-33
IDCONF
described A-34
example A-34
RDEP2 A-34
XML A-34
IDIOM
defined A-34
messages A-34
IDM
Analysis Engine is busy C-58
certificates 1-7, 12-11
cookies 1-7
cryptographic features 1-1
Custom Signature Wizard supported signature engines 8-2
described 1-2, 1-6
gadgets 2-2
GUI 1-3
known host key retrieval 12-6, 12-7, 12-8
logging in 1-6
password recovery 17-13, C-16
supported platforms 1-4
system requirements 1-4
TLS 1-7, 12-12
user interface 1-3
web browsers 1-2, 1-6
will not load C-58
illegal zone
configuring 10-25
user roles 10-22
Illegal Zone tab
described 10-22
user roles 10-22
Imported OS pane
clearing 18-16
described 18-16
field descriptions 18-16
imported OS values
clearing 18-16
deleting 18-16
inactive mode (anomaly detection) 10-4
initializing
appliances 19-8
ASA 5500 AIP SSM 19-13
ASA 5500-X IPS SSP 19-17
ASA 5585-X IPS SSP 19-21
sensors 4-1, 19-1, 19-4
user roles 19-1
verifying 19-25
inline interface pair mode
configuration restrictions 5-10
described 5-15
illustration 5-15
Inline Interface Pair window
described 3-9
Startup Wizard 3-9
inline mode
interface cards 5-3
normalization 6-4
pairing interfaces 5-3
inline TCP session tracking modes described 6-4
inline VLAN pair mode
configuration restrictions 5-10
configuring 3-10
described 5-16
illustration 5-16
supported sensors 5-16
Inline VLAN Pairs window
described 3-9
field descriptions 3-10
Startup Wizard 3-9
Inspection/Reputation pane
configuring 11-10
described 11-8
field descriptions 11-9
Inspection Load Statistics pane
configuring 18-5
described 18-4
field descriptions 18-4
user roles 18-4
installer major version 21-4
installer minor version 21-4
installing
sensor license 1-12, 17-16
system image
ASA 5500 AIP SSM 22-28
ASA 5500-X IPS SSP 22-30
ASA 5585-X IPS SSP 22-32
IPS 4240 22-15
IPS 4255 22-15
IPS 4260 22-18
IPS 4270-20 22-20
IPS 4345 22-22
IPS 4360 22-22
IntelliShield
alerts 7-5
MySDN 7-5
InterfaceApp
described A-4, A-20
interactions A-20
NIC drivers A-20
interface pairs
configuring 5-23
described 5-22
Interface Pairs pane
configuring 5-23
described 5-22
field descriptions 5-22
user roles 5-22
interfaces
alternate TCP reset 5-2
command and control 5-2
configuration restrictions 5-9
configuring 5-20
described 3-7, 5-1
disabling 5-20
editing 5-21
enabling 5-20
logical 3-7
physical 3-7
port numbers 5-1
sensing 5-2, 5-3
slot numbers 5-1
support (table) 5-4
TCP reset 5-8
Interface Selection window
described 3-9
Startup Wizard 3-9
Interfaces pane
configuring 5-20
described 5-18
field descriptions 5-19
Interface Status gadget
configuring 2-7
described 2-6
Interface Summary window
described 3-7
internal zone
configuring 10-19
user roles 10-15
Internal Zone tab
described 10-15
user roles 10-15
Internet Explorer validating certificates 1-8
IP fragmentation described B-36
IP fragment reassembly
configuring 7-46
described 7-44
mode 7-46
parameters (table) 7-45
signatures 7-47
signatures (example) 7-47
signatures (table) 7-45
IP logging
described 7-55, 14-10
event actions 14-10
system performance 14-10
IP Logging pane
configuring 14-12
described 14-10
field descriptions 14-11
user roles 14-10
IP Logging Variables pane
described 17-21
field description 17-21
IP logs
circular buffer 14-10
states 14-10
TCPDUMP 14-10
viewing 14-12
WireShark 14-10
IPS 4240
installing system image 22-15
password recovery 17-5, C-9
reimaging 22-15
IPS 4255
installing system image 22-15
password recovery 17-5, C-9
reimaging 22-14
IPS 4260
hardware bypass 5-12
installing system image 22-18
password recovery 17-5, C-8
reimaging 22-18
IPS 4270-20
hardware bypass 5-12
installing system image 22-20
password recovery 17-5, C-8
reimaging 22-20
IPS 4345
installing system image 22-22
password recovery 17-5, C-8, C-9
reimaging 22-22
IPS 4360
installing system image 22-22
password recovery 17-5, C-8, C-9
reimaging 22-22
IPS 4510
password recovery 17-5, C-8, C-9
reimaging 22-25
SwitchApp A-30
IPS 4520
password recovery 17-5, C-8, C-9
reimaging 22-25
SwitchApp A-30
IPS applications
summary A-37
table A-37
XML format A-4
IPS clock synchronization 4-8, C-18
IPS data
types A-8
XML document A-9
IPS events
evAlert A-9
evError A-9
evLogTransaction A-9
evShunRqst A-9
evStatus A-9
list A-9
types A-9
IPS internal communications A-33
IPS Policies pane
described 6-8
Event Action Rules 6-9
field descriptions 6-9
IPS software
application list A-4
available files 21-1
configuring device parameters A-5
directory structure A-36
Linux OS A-1
obtaining 21-1
retrieving data A-5
security features A-5
tuning signatures A-5
updating A-5
user interaction A-5
versioning scheme 21-2
IPS software file names
major updates (illustration) 21-4
minor updates (illustration) 21-4
patch releases (illustration) 21-4
service packs (illustration) 21-4
IPv4
address format 6-35, 9-30
event variables 6-35, 9-30
IPv4 Add Target Value Rating dialog box
field descriptions 6-26, 9-21
user roles 6-26, 9-20
IPv4 Edit Target Value Rating dialog box
field descriptions 6-26, 9-21
user roles 6-26, 9-20
IPv4 target value ratings
adding 6-26, 9-21
deleting 6-26, 9-21
editing 6-26, 9-21
IPv4 Target Value Rating tab
configuring 6-26, 9-21
field descriptions 6-26, 9-21
IPv6
address format 6-36, 9-30
described B-28
event variables 6-36, 9-30
SPAN ports 5-14
switches 5-14
IPv6 Add Target Value Rating dialog box
field descriptions 6-28
user roles 6-27, 9-22
IPv6 Edit Target Value Rating dialog box
field descriptions 6-28, 9-23
user roles 6-27, 9-22
IPv6 target value ratings
adding 6-29, 9-23
configuring 6-29, 9-23
deleting 6-29, 9-23
editing 6-29, 9-23
IPv6 Target Value Rating tab
configuring 6-29, 9-23
field descriptions 6-28, 9-23
K
KBs
comparing 18-11
default filename 10-12
deleting 18-13
described 10-3
downloading 18-13
histogram 10-12, 18-6
initial baseline 10-3
learning accept mode 10-12
loading 18-12
monitoring 18-9
renaming 18-13
saving 18-12
scanner threshold 10-12, 18-6
tree structure 10-12, 18-6
uploading 18-14
Knowledge Base. See KB.
Known Host RSA1 Keys pane
field descriptions 12-9
Known Host RSA Keys pane
field descriptions 12-7
L
Learned OS pane
clearing 18-15
described 18-15
field descriptions 18-15
learned OS values
clearing 18-15
deleting 18-15
learning accept mode
anomaly detection 10-3
configuring 10-14
user roles 10-12
Learning Accept Mode tab
described 10-12
field descriptions 10-13, 10-14
user roles 10-12
license key
obtaining 1-10, 17-14
trial 1-10, 17-14
uninstalling 17-18
viewing status of 1-10, 17-14
licensing
described 1-10, 17-14
IPS device serial number 1-10, 17-14
Licensing gadget
configuring 2-6
described 2-6
Licensing pane
configuring 1-12, 17-16
described 1-10, 17-14
field descriptions 1-11, 17-16
user roles 1-11, 17-14
limitations for concurrent CLI sessions 20-1
listings UNIX-style 17-22
loading KBs 18-12
local authentication configuring 4-22
Logger
described A-4, A-19
functions A-19
syslog messages A-19
logging in
appliances 20-2
ASA 5500 AIP SSM 20-4
ASA 5500-X IPS SSP 20-5
ASA 5585-X IPS SSP 20-6
IDM 1-6
sensors
SSH 20-7
Telnet 20-7
service role 20-2
terminal servers 20-3, 22-14
user role 20-1
LOKI
described B-71
protocol B-71
loose connections on sensors C-25
M
MainApp
components A-6
described A-4, A-6
host statistics A-6
responsibilities A-6
show version command A-6
major updates described 21-2
managing
host blocks 14-4
network blocks 14-7
rate limiting 14-9
manifests
client A-29
server A-29
manually updating sensor 17-26
master blocking sensor
described 13-23
not set up properly C-45
verifying configuration C-46
Master Blocking Sensor pane
configuring 13-25
described 13-23
field descriptions 13-24
Master engine
alert frequency B-7
alert frequency parameters (table) B-7
described B-4
event actions B-8
general parameters (table) B-4
universal parameters B-4
master engine parameters
obsoletes B-6
promiscuous delta B-6
vulnerable OSes B-6
merging configuration files C-2
Meta engine
described 7-21, B-32
parameters (table) B-33
Signature Event Action Processor 7-21, B-32
Meta Event Generator described 6-41, 9-35
Meta signature
component signatures B-32
metrics for sensor health 17-19
MIBs supported 15-6, C-20
minor updates described 21-3
Miscellaneous tab
application policy parameters 7-33
button functions 7-34
configuring
application policy 7-43
IP fragment reassembly mode 7-46
IP logging 7-55
TCP stream reassembly mode 7-53
described 7-33
field descriptions 7-34
IP fragment reassembly options 7-33
IP logging options 7-34
TCP stream reassembly 7-33
user roles 7-33
modes
anomaly detection detect 10-4
anomaly detection learning accept 10-3
asymmetric 6-4
bypass 5-29
inactive (anomaly detection) 10-4
inline interface pair 5-15
inline TCP tracking 6-4
inline VLAN pair 5-16
Normalizer 6-4
promiscuous 5-13
VLAN groups 5-17
monitoring
events 18-3
inspection load statistics 18-4, 18-5
KBs 18-9
moving
event action filters 6-23, 9-18
OS maps 6-33, 9-28
Multi String engine
described B-34
parameters (table) B-35
Regex B-34
MySDN
described 7-5
IntelliShield 7-5
N
NAS-ID
described 4-23
RADIUS authentication 4-23
Neighborhood Discovery
options B-28
types B-28
network blocks
adding 14-7
deleting 14-7
managing 14-7
Network Blocks pane
configuring 14-7
described 14-6
field descriptions 14-6
user roles 14-6
Network pane
configuring 4-3
described 4-2
field descriptions 4-2
TLS/SSL 4-4
user roles 4-2
network participation
data gathered 11-3
data use (table) 1-2, 11-2
described 11-3
health metrics 11-7
modes 11-4
requirements 11-3
SensorBase Network 11-4
statistics 11-4
network participation data
improving signature fidelity 11-4
understanding sensor deployment 11-4
Network Participation pane
configuring 11-11
described 11-10
field descriptions 11-11
Network Security gadget
configuring 2-10
described 2-9
never block
hosts 13-7
networks 13-7
normalization described 6-4
Normalizer engine
ASA 5500 AIP SSM B-37
ASA 5500-X IPS SSP B-37
ASA 5585-X IPS SSP B-37
described B-36
IP fragment reassembly B-36
IPv6 fragments B-36
modify packets inline 6-4
parameters (table) B-38
TCP stream reassembly B-36
NotificationApp
alert information A-9
described A-4
functions A-9
SNMP gets A-9
SNMP traps A-9
statistics A-11
system health information A-10
NTP
authenticated 4-7, 4-14, C-17
configuring servers 4-13
described 4-8, C-17
incorrect configuration 4-8, C-18
sensor time source 4-12, 4-14
time synchronization 4-8, C-17
unauthenticated 4-7, 4-14, C-17
verifying configuration 4-8
O
obsoletes field described B-6
obtaining
cryptographic account 21-2
IPS software 21-1
license key 1-10, 17-14
sensor license 1-12, 17-16
one-way TCP reset described 6-41, 9-36
Operation Settings tab
described 10-11
field descriptions 10-11
user roles 10-11
OS Identifications tab
described 6-32, 9-25
field descriptions 6-32, 9-27
OS information sources 6-31, 9-26
OS maps
adding 6-33, 9-28
configuring 6-33, 9-28
deleting 6-33, 9-28
editing 6-33, 9-28
moving 6-33, 9-28
other actions (list) 9-9
Other Protocols tab
described 10-18, 10-24, 10-30
enabling other protocols 10-18
external zone 10-30
field descriptions 10-18, 10-30
illegal zone 10-24
P
P2P networks described B-52
Packet Logging pane
described 17-3
field descriptions 17-3
partitions
application A-4
recovery A-4
passive OS fingerprinting
components 6-30, 9-25
configuring 6-31, 9-26
described 6-30, 9-25
enabled (default) 6-31, 9-26
password policy caution 17-3
password recovery
appliances 17-5, C-8
ASA 5500 AIP SSM 17-6, C-10
ASA 5500-X IPS SSP 17-8, C-12
ASA 5585-X IPS SSP 17-10, C-14
CLI 17-12, C-16
described 17-4, C-8
disabling 17-12, C-16
displaying setting 17-13, C-16
GRUB menu 17-5, C-8
IDM 17-13, C-16
IPS 4240 17-5, C-9
IPS 4255 17-5, C-9
IPS 4260 17-5, C-8
IPS 4270-20 17-5, C-8
IPS 4345 17-5, C-8, C-9
IPS 4360 17-5, C-8, C-9
IPS 4510 17-5, C-8, C-9
IPS 4520 17-5, C-8, C-9
platforms 17-4, C-8
ROMMON 17-5, C-9
troubleshooting 17-13, C-17
verifying 17-13, C-16
password requirements configuring 17-2
Passwords pane
configuring 17-2
described 17-2
field descriptions 17-2
patch releases described 21-3
peacetime learning (anomaly detection) 10-3
Peer-to-Peer. See P2P.
physical connectivity issues C-33
physical interfaces configuration restrictions 5-9
platforms concurrent CLI sessions 20-1
Post-Block ACLs 13-17
Pre-Block ACLs 13-17
prerequisites for blocking 13-5
promiscuous delta
calculating risk rating 6-6, 9-3
described 6-6, 9-3
promiscuous delta described B-6
promiscuous mode
atomic attacks 5-13
described 5-13
illustration 5-14
packet flow 5-13
SPAN ports 5-14
TCP reset interfaces 5-8
VACL capture 5-14
protocols
ARP B-13
CDP 5-32
CIDEE A-35
DCE 8-11, B-48
DDoS B-71
H.323 B-43
H225.0 B-43
ICMPv6 B-14
IDAPI A-33
IDCONF A-34
IDIOM A-34
IPv6 B-28
LOKI B-71
MSSQL B-50
Neighborhood Discovery B-28
Q.931 B-43
RPC 8-11, B-48
SDEE A-35
Signature Wizard 8-10
Q
Q.931 protocol
described B-43
SETUP messages B-43
quarantined IP address events described 16-2
R
RADIUS
attempt limit C-23
multiple cisco av-pairs 4-21, 4-24
RADIUS authentication
configuring 4-23
described 4-19
NAS-ID 4-23
service account 4-18
shared secret 4-24
rate limiting
ACLs 13-4
configuring 14-9
described 13-3
managing 14-9
percentages 14-8
routers 13-3
service policies 13-4
supported signatures 13-4
rate limiting devices
adding 13-15
deleting 13-15
editing 13-15
rate limits
adding 14-9
deleting 14-9
Rate Limits pane
configuring 14-9
described 14-7
field descriptions 14-8
raw expression syntax
described B-63
expert mode B-63
Raw Regex
described 7-28, 7-30, B-63
expert mode 7-28, 7-30, B-63
rebooting the sensor 17-29
Reboot Sensor pane
configuring 17-29
described 17-29
user roles 17-29
recover command 22-11
recovering
application partition image 22-12
ASA 5500 AIP SSM C-61
recovery partition
described A-4
upgrade 22-6
Regex
Multi String engine B-34
standardized B-1
Regular Expression. See also Regex.
regular expression syntax
raw Regex 7-28, 7-30, B-63
signatures B-9
reimaging
ASA 5500-X IPS SSP 22-30
described 22-2
hardware bypass 5-13
IPS 4240 22-15
IPS 4255 22-14
IPS 4260 22-18
IPS 4270-20 22-20
IPS 4345 22-22
IPS 4360 22-22
IPS 4510 22-25
IPS 4520 22-25
sensors 22-2, 22-11
removing
last applied
service pack 22-11
signature update 22-11
renaming KBs 18-13
reputation
described 11-2
illustration 11-3
servers 11-3
Reset Network Security Health pane
described 18-18
field descriptions 18-18
resetting data 18-18
user roles 18-18
reset not occurring for a signature C-53
resetting
ASA 5500 AIP SSM C-61
hit counts for denied attackers 14-2
network security health data 18-18
passwords
ASDM 17-8, 17-10, 17-12, C-12, C-13, C-15
hw-module command 17-6, 17-10, C-10, C-14
sw-module command 17-9, C-12
resetting the password
ASA 5500 AIP SSM 17-7, C-10
ASA 5500-X IPS SSP 17-9, C-12
ASA 5585-X IPS SSP 17-10, C-14
Restore Default Interface dialog box field descriptions 3-8
Restore Defaults pane
configuring 17-28
described 17-28
user roles 17-28
restoring
defaults 17-28
restoring the current configuration C-4
retiring signatures 7-12
risk categories
adding 6-39, 9-34
configuring 6-39, 9-34
deleting 6-39, 9-34
editing 6-39, 9-34
Risk Category tab
configuring 6-39, 9-34
described 6-38, 9-33
field descriptions 6-39, 9-33
risk rating
Alarm Channel 11-5
calculating 6-5, 9-2
component signatures B-32
described 6-30, 9-25
global correlation 11-5
reputation score 11-5
ROMMON
ASA 5585-X IPS SSP 22-34
described 22-13
IPS 4240 17-5, 22-15, C-9
IPS 4255 17-5, 22-15, C-9
IPS 4260 22-18
IPS 4270-20 22-20
IPS 4345 17-5, 22-22, C-9
IPS 4360 17-5, 22-22, C-9
IPS 4510 17-5, 22-25, C-9
IPS 4520 17-5, 22-25, C-9
password recovery 17-5, C-9
remote sensors 22-13
serial console port 22-13
TFTP 22-13
round-trip time. See RTT.
Router Blocking Device Interfaces pane
configuring 13-19
described 13-16
field descriptions 13-18
RPC portmapper 8-19, B-52
RTT
described 22-13
TFTP limitation 22-13
S
Save Knowledge Base dialog box
described 18-11
field descriptions 18-12
saving KBs 18-12
scheduling automatic upgrades 22-9
SDEE
described A-35
HTTP A-35
protocol A-35
server requests A-35
security
account locking 4-25
information on Cisco Security Intelligence Operations 21-7
information on MySDN 7-5
SSH 12-2
security policies described 6-1, 7-1, 9-1, 10-1
sensing interface
ASA 5500 AIP SSM 6-15
ASA 5500-X IPS SSP 6-15
ASA 5585-X IPS SSP 6-15
sensing interfaces
Analysis Engine 5-3
described 5-3
interface cards 5-3
modes 5-3
SensorApp
Alarm Channel A-24
Analysis Engine A-24
described A-4
event action filtering A-25
inline packet processing A-25
IP normalization A-25
packet flow A-26
processors A-23
responsibilities A-23
risk rating A-25
Signature Event Action Processor A-23
signature updates 17-23
TCP normalization A-25
SensorBase Network
described 1-1, 11-1, 11-2
network participation 11-4
participation 1-2, 11-2
servers 1-2, 11-2
sensor health
critical settings 17-19
metrics 17-19
Sensor Health gadget
configuring 2-5
described 2-4
metrics 2-4
status 2-4
Sensor Health pane
described 17-19
field descriptions 17-20
Sensor Information gadget
configuring 2-4
described 2-3
Sensor Key pane
button functions 12-11
described 12-11
field descriptions 12-11
sensor SSH host key
displaying 12-11
generating 12-11
user roles 12-11
sensor license
installing 1-12, 17-16
obtaining 1-12, 17-16
sensors
access problems C-27
application partition image 22-12
asymmetric traffic and disabling anomaly detection 10-34, C-21
blocking self 13-7
command and control interfaces (list) 5-2
configuring to use NTP 4-14
corrupted SensorApp configuration C-37
diagnostics reports 18-19
disaster recovery C-6
downgrading 22-11
incorrect NTP configuration 4-8, C-18
initializing 4-1, 19-1, 19-4
interface support 5-4
IP address conflicts C-29
logging in
SSH 20-7
Telnet 20-7
loose connections C-25
misconfigured access lists C-29
no alerts C-34, C-60
not seeing packets C-36
NTP time source 4-14
NTP time synchronization 4-8, C-17
partitions A-4
physical connectivity C-33
preventive maintenance C-2
rebooting 17-29
reimaging 22-2
restoring defaults 17-28
sensing process not running C-31
setup command 4-1, 19-1, 19-4, 19-8
shutting down 17-29
statistics 18-20
system information 18-21
time sources 4-7, C-17
troubleshooting software upgrades C-56
updating 17-27
upgrading 22-4
using NTP time source 4-12
Sensor Setup window
described 3-2
Startup Wizard 3-2
Server Certificate pane
button functions 12-17
certificate
displaying 12-17
generating 12-17
described 12-17
field descriptions 12-17
user roles 12-17
server manifest described A-29
service account
accessing 4-18, C-5
cautions 4-18, C-5
creating C-6
described 4-18, A-32, C-5
RADIUS authentication 4-18
TAC A-32
troubleshooting A-32
Service DNS engine
described B-40
parameters (table) B-40
Service engine
described B-39
Layer 5 traffic B-39
Service FTP engine
described B-41
parameters (table) B-41
PASV port spoof B-41
Service Generic engine
described B-42
no custom signatures B-42
parameters (table) B-42
Service H225 engine
ASN.1PER validation B-44
described B-43
features B-44
parameters (table) B-44
TPKT validation B-44
Service HTTP engine
custom signature 8-17
described 8-16, B-46
example signature 8-17
parameters (table) B-46
Service IDENT engine
described B-48
parameters (table) B-48
Service MSRPC engine
DCE/RPC protocol 8-11, B-48
described 8-11, B-48
parameters (table) B-49
Service MSSQL engine
described B-50
MSSQL protocol B-50
parameters (table) B-51
Service NTP engine
described B-51
parameters (table) B-51
Service P2P engine described B-52
service packs described 21-3
service role 4-17, 20-2, A-32
Service RPC engine
described 8-19, B-52
parameters (table) B-52
RPC portmapper 8-19, B-52
Service SMB Advanced engine
described B-54
parameters (table) B-54
Service SNMP engine
described B-56
parameters (table) B-56
Service SSH engine
described B-57
parameters (table) B-57
Service TNS engine
described B-57
parameters (table) B-58
session command
ASA 5500 AIP SSM 20-4
ASA 5500-X IPS SSP 20-5
ASA 5585-X IPS SSP 20-6
sessioning in
ASA 5500 AIP SSM 20-4
ASA 5500-X IPS SSP 20-5
ASA 5585-X IPS SSP 20-6
setting
current KB 18-12
system clock 4-16
setting up terminal servers 20-3, 22-14
setup
automatic 19-2
command 4-1, 19-1, 19-4, 19-8, 19-13, 19-17, 19-21
simplified mode 19-2
shared secret
described 4-24
RADIUS authentication 4-24
show events command C-101
show health command C-80
show interfaces command C-99
show module 1 details command C-60, C-68, C-74
show settings command 17-13, C-16
show statistics command C-87, C-88
show statistics virtual-sensor command C-26, C-88
show tech-support command C-80, C-81, C-82
show version command C-84, C-85
Shut Down Sensor pane
configuring 17-29
described 17-29
user roles 17-29
shutting down the sensor 17-29
sig0 pane
column heads 7-3
configuration buttons 7-3
default 7-3
described 7-3
field descriptions 7-6
signatures
assigning actions 7-16
cloning 7-14
tuning 7-15
tabs 7-3
signature definition policies
adding 7-2
cloning 7-2
default policy 7-2
deleting 7-2
sig0 7-2
Signature Definitions pane
described 7-2
field descriptions 7-2
signature engines
AIC B-10
Atomic B-13
Atomic ARP B-13
Atomic IP 8-13, B-24
Atomic IP Advanced B-14
Atomic IPv6 B-27
creating custom signatures 8-1
described B-1
Fixed B-28
Flood B-31
Flood Host B-31
Flood Net B-32
list B-2
Master B-4
Meta 7-21, B-32
Multi String B-34
Normalizer B-36
Regex
patterns B-10
syntax B-9
Service B-39
Service DNS B-40
Service FTP B-41
Service Generic B-42
Service H225 B-43
Service HTTP 8-16, B-46
Service IDENT B-48
Service MSRPC 8-11, B-48
Service MSSQL B-50
Service NTP B-51
Service P2P B-52
Service RPC 8-19, B-52
Service SMB Advanced B-54
Service SNMP B-56
Service SSH B-57
Service TNS B-57
State 8-20, B-59
String 8-21, 8-24, B-61
supported by IDM 8-2
Sweep 8-24, B-66
Sweep Other TCP B-68
Traffic Anomaly B-69
Traffic ICMP B-71
Trojan B-72
Signature Event Action Filter
described 9-6, A-27
parameters 9-6, A-27
Signature Event Action Handler described 9-7, A-27
Signature Event Action Override described 9-6, A-27
Signature Event Action Processor
Alarm Channel 9-6, A-27
components 9-6, A-27
described 9-6, A-23, A-27
signature fidelity rating
calculating risk rating 6-5, 9-3
described 6-5, 9-3
signatures
adding 7-12
alert frequency 7-18
assigning actions 7-16
cloning 7-14
custom 7-4
default 7-4
described 7-4
disabling 7-12
editing 7-15
enabling 7-12
false positives 7-4
rate limits 13-4
retiring 7-12
String TCP XL 7-29
subsignatures 7-4
TCP reset C-53
tuned 7-4
tuning 7-15
Signatures window
described 3-14
field descriptions 3-15
user roles 3-14
signature threat profiles
applying 3-15
platform support 3-14
signature updates
bypass mode 17-23
files 21-4
FTP server 17-26
installation time 17-23
SensorApp 17-23
signature variables
adding 7-32
configuring 7-32
deleting 7-32
described 7-31
editing 7-32
Signature Variables tab
configuring 7-32
field descriptions 7-32
Signature Wizard
Alert Response window field descriptions 8-26
Atomic IP Engine Parameters window field descriptions 8-13
ICMP Traffic Type window field descriptions 8-12
Inspect Data window field descriptions 8-12
MSRPC Engine Parameters window field descriptions 8-11
protocols 8-10
Protocol Type window field descriptions 8-10
Service HTTP Engine Parameters window field descriptions 8-16
Service RPC Engine Parameters window field descriptions 8-19
Service Type window field descriptions 8-12
signature identification 8-10
Signature Identification window field descriptions 8-11
State Engine Parameters window field descriptions 8-20
String ICMP Engine Parameters window field descriptions 8-21
String TCP Engine Parameters window field descriptions 8-21
String UDP Engine Parameters window field descriptions 8-24
Sweep Engine Parameters window field descriptions 8-25
TCP Sweep Type window field descriptions 8-13
TCP Traffic Type window field descriptions 8-12
UDP Sweep Type window field descriptions 8-12
UDP Traffic Type window field descriptions 8-12
Welcome window field descriptions 8-10
SNMP
configuring 15-2
described 15-1
General Configuration pane
field descriptions 15-2
user roles 15-2
Get 15-1
GetNext 15-1
Set 15-1
supported MIBs 15-6, C-20
Trap 15-1
Traps Configuration pane
field descriptions 15-3
user roles 15-3
SNMP General Configuration pane
configuring 15-2
described 15-2
SNMP traps
configuring 15-4
described 15-1
software architecture
ARC (illustration) A-13
IDAPI (illustration) A-33
software bypass
supported configurations 5-12
with hardware bypass 5-12
software downloads Cisco.com 21-1
software file names
recovery (illustration) 21-5
signature/virus updates (illustration) 21-4
system image (illustration) 21-5
software release examples
platform identifiers 21-6
platform-independent 21-5
software updates
supported FTP servers 17-22, 22-2
supported HTTP/HTTPS servers 17-22, 22-2
SPAN port issues C-33
SSH
described 12-1
security 12-2
SSH Server
private keys A-22
public keys A-22
standards
CIDEE A-35
IDCONF A-34
IDIOM A-34
SDEE A-35
Startup Wizard
access lists 3-3
adding ACLs 3-5
adding virtual sensors 3-13
Add Virtual Sensor dialog box 3-12
ASA 5500 AIP SSM 3-2
ASA 5500-X IPS SSP 3-2
ASA 5585-X IPS SSP 3-2
Auto Update configuring 3-17
described 3-1
Inline Interface Pair window
described 3-9
field descriptions 3-9
Inline VLAN Pairs window configuring 3-10
Interface Selection window 3-9
Interface Summary window 3-7
Sensor Setup window
configuring 3-4
field descriptions 3-2
Signatures window described 3-14
Traffic Inspection Mode window 3-8
Virtual Sensors window
field descriptions 3-12
Virtual Sensors window described 3-11
VLAN groups unsupported 3-1, 3-8
State engine
Cisco Login 8-20, B-59
described 8-20, B-59
LPR Format String 8-20, B-59
parameters (table) B-59
SMTP 8-20, B-59
statistic display C-88
Statistics pane
button functions 18-20
categories 18-19
described 18-19
using 18-20
statistics viewing 18-20
String engine described 8-21, 8-24, B-61
String ICMP engine parameters (table) B-61
String TCP engine
custom signature 8-22
example signature 8-22
parameters (table) B-61
String TCP XL signature (example) 7-26, 7-29
String UDP engine parameters (table) B-62
String XL engine
description B-63
hardware support 8-3, B-3, B-63
parameters (table) B-64
unsupported parameters B-66
subinterface 0 described 5-17
subsignatures described 7-4
summarization
described 6-7, 9-5
Fire All 6-8, 9-5
Fire Once 6-8, 9-6
Global Summarization 6-8, 9-6
Meta engine 6-7, 9-5
Summary 6-8, 9-6
Summarizer described 6-41, 9-35
Summary pane
button functions 5-18
described 5-17
field descriptions 3-8, 5-18
supported
FTP servers 17-22, 22-2
HTTP/HTTPS servers 17-22, 22-2
IDM platforms 1-4
IPS interfaces for CSA MC 16-3
sensors (signature threat profiles) 3-14
Sweep engine 8-25, B-67
described 8-24, B-66
parameters (table) B-67
Sweep Other TCP engine
described B-68
parameters (table) B-69
SwitchApp described A-30
switches and TCP reset interfaces 5-9
sw-module module slot_number password-reset command 17-9, C-12
system architecture
directory structure A-36
supported platforms A-1
system clock setting 4-16
system components IDAPI A-33
System Configuration Dialog
described 19-2
example 19-2
system design (illustration) A-2, A-3
system image
installing
ASA 5500 AIP SSM 22-28
ASA 5500-X IPS SSP 22-30
IPS 4240 22-15
IPS 4255 22-15
IPS 4260 22-18
IPS 4270-20 22-20
IPS 4345 22-22
IPS 4360 22-22
IPS 4510 22-25
IPS 4520 22-25
System Information pane
described 18-20
using 18-21
system information viewing 18-21
system requirements for IDM 1-4
T
TAC
contact information 18-20
service account 4-18, A-32, C-5
show tech-support command C-81, C-82
troubleshooting A-32
target value rating
calculating risk rating 6-6, 9-3
described 6-6, 6-26, 6-28, 9-3, 9-21, 9-22
TCP fragmentation described B-36
TCP Protocol tab
described 10-16, 10-23, 10-29
enabling TCP 10-16
external zone 10-29
field descriptions 10-16
illegal zone 10-23
TCP reset interfaces
conditions 5-9
described 5-8
list 5-8
promiscuous mode 5-8
switches 5-9
TCP resets not occurring C-53
TCP stream reassembly
described 7-47
parameters (table) 7-48
signatures (table) 7-48
TCP stream reassembly mode 7-53
tech support information display C-81
terminal server setup 20-3, 22-14
testing fail-over 5-12
TFN2K
described B-71
Trojans B-72
TFTP servers
maximum file size limitation 22-13
RTT 22-13
Threat Category tab
described 6-40, 9-34
field descriptions 6-40, 9-35
threat rating
described 6-7, 9-4
risk rating 6-7, 9-4
Thresholds for KB Name window
described 18-8
field descriptions 18-8
filtering information 18-8
time
correction on the sensor 4-12, C-19
sensors 4-7, C-17
synchronizing IPS clocks 4-8, C-18
Time pane
configuring 4-10
described 4-7
field descriptions 4-9
user roles 4-7
time sources
appliances 4-8, C-17
ASA 5500 AIP SSC-5 4-8, C-18
ASA 5500 AIP SSM 4-8, C-18
ASA 5500-X IPS SSP 4-8, C-18
ASA 5585-X IPS SSP 4-8, C-18
TLS
described 4-4
handshaking 1-7, 12-12
IDM 1-7, 12-12
web server 1-7, 12-11
Top Applications gadget
configuring 2-10
described 2-10
Traffic Anomaly engine
described B-69
protocols B-69
signatures B-69
traffic flow notifications
configuring 5-31
described 5-31
Traffic Flow Notifications pane
configuring 5-31
field descriptions 5-31
user roles 5-31
Traffic ICMP engine
DDoS B-71
described B-71
LOKI B-71
parameters (table) B-72
TFN2K B-71
Traffic Inspection Mode window described 3-8
Traps Configuration pane
configuring 15-4
described 15-3
trial license key 1-10, 17-14
Tribe Flood Network. See TFN.
Tribe Flood Network 2000. See TFN2K.
Trojan engine
BO2K B-72
described B-72
TFN2K B-72
Trojans
BO B-72
BO2K B-72
LOKI B-71
TFN2K B-72
troubleshooting
Analysis Engine busy C-58
applying software updates C-55
ARC
blocking not occurring for signature C-44
device access issues C-42
enabling SSH C-44
inactive state C-40
misconfigured master blocking sensor C-45
verifying device interfaces C-43
ASA 5500 AIP SSM
commands C-60
debugging C-61
recovering C-61
reset C-61
ASA 5500-X IPS SSP
commands C-68
failover scenarios C-67
ASA 5585-X IPS SSP
commands C-74
failover scenarios C-62, C-72
traffic flow stopped C-73
automatic updates C-55
cannot access sensor C-27
cidDump C-104
cidLog messages to syslog C-52
communication C-26
corrupted SensorApp configuration C-37
debug logger zone names (table) C-51
debug logging C-47
disaster recovery C-6
duplicate sensor IP addresses C-29
enabling debug logging C-47
external product interfaces 16-10, C-24
gathering information C-79
global correlation 11-11, C-23
IDM
cannot access sensor C-59
will not load C-58
IPS clock time drift 4-8, C-18
misconfigured access list C-29
no alerts C-34, C-60
password recovery 17-13, C-17
physical connectivity issues C-33
preventive maintenance C-2
RADIUS
attempt limit C-23
reset not occurring for a signature C-53
sensing process not running C-31
sensor events C-101
sensor loose connections C-25
sensor not seeing packets C-36
sensor software upgrade C-56
service account 4-18, C-5
show events command C-101
show interfaces command C-99
show statistics command C-87
show tech-support command C-80, C-82
show version command C-84
software upgrades C-54
SPAN port issue C-33
upgrading C-54
verifying Analysis Engine is running C-22
verifying ARC status C-39
Trusted Hosts pane
configuring 12-14
described 12-13
field descriptions 12-13
Trusted Root Certificates pane
configuring 12-16
described 12-15
field descriptions 12-15
tuned signatures described 7-4
tuning
AIC signatures 7-43
IP fragment reassembly signatures 7-47
signatures 7-15
TCP fragment reassembly signatures 7-54
U
UDP Protocol tab
described 10-17, 10-23, 10-24, 10-29
enabling UDP 10-17
external zone 10-29
field descriptions 10-30
illegal zone 10-23, 10-24
unassigned VLAN groups described 5-17
unauthenticated NTP 4-7, 4-14, C-17
uninstalling the license key 17-18
UNIX-style directory listings 17-22
unlocking accounts 4-26
unlock user username command 4-26
Update Sensor pane
configuring 17-27
described 17-26
field descriptions 17-26
user roles 17-26
updating
Home pane 1-3
sensors 17-27
trusted root certificates 12-16
upgrade command 22-3, 22-6
upgrading
application partition 22-11
latest version C-54
recovery partition 22-6
sensors 22-4
uploading KBs
FTP 18-14
SCP 18-14
Upload Knowledge Base to Sensor dialog box
described 18-14
field descriptions 18-14
URLs for Cisco Security Intelligence Operations 21-8
user roles authentication 4-19
users
configuring 4-22
using
debug logging C-47
TCP reset interfaces 5-9
V
VACLs
described 13-2
Post-Block 13-21
Pre-Block 13-21
verifying
NTP configuration 4-8
password recovery 17-13, C-16
sensor initialization 19-25
sensor setup 19-25
version display C-85
viewing
denied attacker hit counts 14-2
denied attackers list 14-2
IP logs 14-12
license key status 1-10, 17-14
statistics 18-20
system information 18-21
virtualization
advantages 6-3, C-19
restrictions 6-3, C-19
supported sensors 6-3, C-20
traffic capture requirements 6-3, C-20
virtual-sensor name command 6-15
virtual sensors
adding 3-13, 6-13
adding (ASA 5500 AIP SSM) 6-16
adding (ASA 5500-X IPS SSP) 6-16
adding (ASA 5585-X IPS SSP) 6-16
ASA 5500 AIP SSM 6-18
ASA 5500-X IPS SSP 6-18
ASA 5585-X IPS SSP 6-18
creating (ASA 5500 AIP SSM) 6-16
creating (ASA 5500-X IPS SSP) 6-16
creating (ASA 5585-X IPS SSP) 6-16
default virtual sensor 6-2, 6-8
deleting 6-13
described 6-2, 6-8
editing 6-13
options 6-16
Virtual Sensors window
described 3-11
VLAN groups
802.1q encapsulation 5-17
configuration restrictions 5-11
configuring 5-27
deploying 5-26
switches 5-26
VLAN IDs 5-26
VLAN groups mode
described 5-17
VLAN Groups pane
configuring 5-27
described 5-26
field descriptions 5-27
user roles 5-26
VLAN Pairs pane
configuring 5-25
described 5-24
field descriptions 5-24
user roles 5-24
vulnerable OSes field described B-6
W
watch list rating
calculating risk rating 6-6, 9-3
described 6-6, 9-3
web server
described A-4, A-23
HTTP 1.0 and 1.1 support A-23
private keys A-22
public keys A-22
SDEE support A-23
TLS 1-7, 12-11
worms
Blaster 10-2
Code Red 10-2
histograms 10-13, 18-6
Nimda 10-2
protocols 10-3
Sasser 10-2
scanners 10-3
Slammer 10-2
SQL Slammer 10-2
Z
zones
external 10-5
illegal 10-5
internal 10-5
gadgets 2-1
host blocks 14-4
IPv4 target value ratings 6-26, 9-21
IPv6 target value ratings 6-29, 9-23
network blocks 14-7
OS maps 6-33, 9-28
rate limiting devices 13-15
rate limits 14-9
risk categories 6-39, 9-34
signature definition policies 7-2
signatures 7-12
signature variables 7-32
trusted root certificates 12-16
virtual sensors 3-13, 6-13
virtual sensors (ASA 5500 AIP SSM) 6-16
virtual sensors (ASA 5500-X IPS SSP) 6-16
virtual sensors (ASA 5585-X IPS SSP) 6-16
Add Inline VLAN Pair dialog box field descriptions 3-10, 5-24
Add Interface Pair dialog box field descriptions 5-22
Add IP Logging dialog box field descriptions 14-11
Add Known Host RSA1 Key dialog box
field descriptions 12-9
user roles 12-8
Add Known Host RSA Key dialog box
field descriptions 12-7
user roles 12-6
Add Master Blocking Sensor dialog box
field descriptions 13-24
user roles 13-23
Add Network Block dialog box field descriptions 14-6
Add Never Block Address dialog box
field descriptions 13-10
user roles 13-7
Add Policy dialog box field descriptions 7-2, 9-12, 10-9
Add Posture ACL dialog box field descriptions 16-7
Add Protocol Number dialog box field descriptions 10-18, 10-25
Add Rate Limit dialog box
field descriptions 14-8
user role 14-7
Address Resolution Protocol. See ARP.
Add Risk Level dialog box field descriptions 6-39, 9-33
Add Router Blocking Device Interface dialog box
field descriptions 13-19
user roles 13-16
Add Signature dialog box field descriptions 7-7
Add Signature Variable dialog box
field descriptions 7-32
user roles 7-31
Add SNMP Trap Destination dialog box field descriptions 15-4
Add Target Value Rating dialog box field descriptions 9-23
Add Trusted Host dialog box
field descriptions 12-13
user roles 12-13
Add User dialog box
field descriptions 4-22
user roles 4-19, 4-22
Add Virtual Sensor dialog box
described 3-12, 6-10
field descriptions 3-13, 6-11
Add VLAN Group dialog box field descriptions 5-27
Advanced Alert Behavior Wizard
Alert Dynamic Response Fire All window field descriptions 8-27
Alert Dynamic Response Fire Once window field descriptions 8-28
Alert Dynamic Response Summary window field descriptions 8-28
Alert Summarization window field descriptions 8-27
Event Count and Interval window field descriptions 8-26
Global Summarization window field descriptions 8-29
aggregation
alert frequency 6-7, 9-5
operating modes 6-7, 9-5
AIC
policy 7-43
signatures (example) 7-43
AIC engine
AIC FTP B-11
AIC FTP engine parameters (table) B-12
AIC HTTP B-11
AIC HTTP engine parameters (table) B-12
described B-11
features B-11
signature categories 7-35
AIC policy enforcement
default configuration 7-36, B-11
described 7-36, B-11
sensor oversubscription 7-36, B-11
Alarm Channel
described 9-6, A-27
risk rating 11-5
alert and log actions (list) 9-8
alert behavior
Custom Signature Wizard 8-26
normal 8-26
alert frequency
aggregation 7-18
configuring 7-18
controlling 7-18
modes B-7
allocate-ips command 6-15
Allowed Hosts/Networks pane
configuring 4-6
described 4-5
field descriptions 4-6
alternate TCP reset interface
configuration restrictions 5-10
designating 5-9
restrictions 5-2
Analysis Engine
described 6-2
error messages C-26
errors C-55
IDM exits C-58
sensing interfaces 5-3
verify it is running C-22
virtual sensors 6-2
anomaly detection
asymmetric traffic 10-2
caution 10-2
configuration sequence 10-5
default anomaly detection configuration 10-4
default configuration (example) 10-4
described 10-2
detect mode 10-4
disabling 10-34
enabling 10-4
event actions 10-7, B-69
inactive mode 10-4
learning accept mode 10-3
learning process 10-3
limiting false positives 10-13, 18-7
operation settings 10-11
protocols 10-3
signatures (table) 10-7, B-70
signatures described 10-6
worms
attacks 10-13, 18-6
described 10-3
zones 10-5
anomaly detection disabling C-21
Anomaly Detection pane
button functions 18-7
described 18-6
field descriptions 18-7
user roles 18-5
anomaly detection policies
ad0 10-9
adding 10-9
cloning 10-9
default policy 10-9
deleting 10-9
Anomaly Detections pane
described 10-9
field descriptions 10-9
user roles 10-9
appliances
GRUB menu 17-5, C-8
initializing 19-8
logging in 20-2
password recovery 17-5, C-8
setting system clock 4-16
terminal servers
described 20-3, 22-14
setting up 20-3, 22-14
time sources 4-8, C-17
upgrading recovery partition 22-6
Application Inspection and Control. see AIC.
application partition
described A-4
image recovery 22-12
application policy enforcement described 7-36, B-11
applications in XML format A-4
applying signature threat profiles 3-15
applying software updates C-55
ARC
ACLs 13-17, A-14
authentication A-15
blocking
connection-based A-17
response A-13
unconditional blocking A-17
blocking application 13-1
blocking not occurring for signature C-44
Catalyst switches
VACL commands A-19
VACLs A-16, A-19
VLANs A-16
checking status 13-3, 13-4
described A-4
design 13-2
device access issues C-42
enabling SSH C-44
features A-14
firewalls
AAA A-18
connection blocking A-18
NAT A-18
network blocking A-18
postblock ACL A-16
preblock ACL A-16
shun command A-18
TACACS+ A-18
formerly Network Access Controller 13-1
functions 13-1
illustration A-13
inactive state C-40
interfaces A-14
maintaining states A-16
managed devices 13-7
master blocking sensors A-14
maximum blocks 13-2
misconfigured master blocking sensor C-45
nac.shun.txt file A-16
NAT addressing A-15
number of blocks A-15
postblock ACL A-16
preblock ACL A-16
prerequisites 13-5
rate limiting 13-3
responsibilities A-13
single point of control A-15
SSH A-14
supported devices 13-5, A-15
Telnet A-14
troubleshooting C-38
VACLs A-14
verifying device interfaces C-43
verifying status C-39
ARP
Layer 2 signatures B-13
protocol B-13
ARP spoof tools
dsniff B-13
ettercap B-13
ASA 5500 AIP SSC-5
time sources 4-8, C-18
ASA 5500 AIP SSM
assigning virtual sensors 6-18
bypass mode 5-30
creating virtual sensors 6-16
initializing 19-13
installing system image 22-28
logging in 20-4
Normalizer engine B-37, C-63
password recovery 17-6, C-10
recovering C-61
resetting C-61
resetting the password 17-7, C-10
sensing interface 6-15
session command 20-4
sessioning in 20-4
setup command 19-13
time sources 4-8, C-18
virtual sensors
assigning the interface 6-16
sequence 6-15
ASA 5500-X IPS SSP
assigning virtual sensors 6-18
creating virtual sensors 6-16
initializing 19-17
IPS reloading messages C-66, C-71, C-79
logging in 20-5
memory usage 17-20, C-70
memory usage values (table) 17-20, C-70
no CDP mode support 5-32
Normalizer engine B-37, C-69
password recovery 17-8, C-12
resetting the password 17-9, C-12
sensing interface 6-15
session command 20-5
sessioning in 20-5
setup command 19-17
time sources 4-8, C-18
virtual sensors
assigning policies 6-15
assigning the interface 6-16
virtual sensor sequence 6-15
ASA 5585-X IPS SSP
assigning virtual sensors 6-18
creating virtual sensors 6-16
initializing 19-21
installing system image 22-32
IPS reloading messages C-66, C-71, C-79
logging in 20-6
no CDP mode support 5-32
Normalizer engine B-37, C-77
password recovery 17-10, C-14
resetting the password 17-10, C-14
sensing interface 6-15
session command 20-6
sessioning in 20-6
setup command 19-21
time sources 4-8, C-18
virtual sensors
assigning policies 6-15
assigning the interface 6-16
sequence 6-15
ASA IPS modules
jumbo packet count C-65, C-70, C-78
ASDM
resetting passwords 17-8, 17-10, 17-12, C-12, C-13, C-15
assigning
interfaces to virtual sensors (ASA 5500 AIP SSM) 6-16
interfaces to virtual sensors (ASA 5500-X IPS SSP) 6-16
interfaces to virtual sensors (ASA 5585-X IPS SSP) 6-16
policies to virtual sensors (ASA 5500 AIP SSM) 6-15
policies to virtual sensors (ASA 5500-X IPS SSP) 6-15
policies to virtual sensors (ASA 5585-X IPS SSP) 6-15
assigning actions to signatures 7-16
asymmetric mode
described 6-4
normalization 6-4
asymmetric traffic
anomaly detection 10-2
caution 10-2
disabling anomaly detection 10-34
asymmetric traffic and disabling anomaly detection C-21
Atomic ARP engine
parameters (table) B-13
Atomic ARP engine described B-13
Atomic IP Advanced engine
described B-14
parameters (table) B-16
restrictions B-15
Atomic IP engine
described 8-13, B-24
parameters (table) B-24
Atomic IPv6 engine
described B-27
Neighborhood Discovery protocol B-28
signatures B-28
attack relevance rating
calculating risk rating 6-6, 9-3
described 6-6, 6-30, 9-3, 9-25
Attack Response Controller
described A-4
formerly known as Network Access Controller A-4
Attack Response Controller. See ARC.
attack severity rating
calculating risk rating 6-6, 9-3
described 6-6, 9-3
attempt limit
RADIUS C-23
attemptLimit command 4-25
audit mode
described 11-9
testing global correlation 11-9
authenticated NTP 4-7, 4-14, C-17
authentication
local 4-19
RADIUS 4-19
AuthenticationApp
authenticating users A-21
described A-4
login attempt limit A-21
method A-21
responsibilities A-20
secure communications A-21
sensor configuration A-20
Authentication pane
configuring 4-22
described 4-19
field descriptions 4-20
user roles 4-17, A-31
Authorized RSA1 Keys pane
configuring 12-5
described 12-4
field descriptions 12-4
RSA authentication 12-4
RSA key generation tool 12-5
Authorized RSA Keys pane
configuring 12-3
described 12-2
field descriptions 12-3
RSA authentication 12-2
RSA key generation tool 12-3
Auto/Cisco.com Update pane
configuring 17-24
described 3-16, 17-22
field descriptions 17-23
UNIX-style directory listings 17-22
user roles 17-22
automatic setup 19-2
automatic updates
Cisco.com 3-16, 17-22
configuring 3-17, 17-24
cryptographic account 3-16, 17-22
FTP servers 17-22
SCP servers 3-16, 17-22
automatic upgrade
information required 22-7
troubleshooting C-55
autonegotiation for hardware bypass 5-13
Auto Update window
field descriptions 3-16
user roles 3-16
auto-upgrade-option command 22-7
B
backing up
configuration C-2
current configuration C-4
BackOrifice. See BO.
BackOrifice 2000. See BO2K.
basic setup 19-4
blocking
described 13-1
disabling 13-7
master blocking sensor 13-23
necessary information 13-3
prerequisites 13-5
supported devices 13-5
types 13-2
blocking devices
adding 13-15
deleting 13-15
editing 13-15
Blocking Devices pane
configuring 13-15
described 13-14
field descriptions 13-14
ssh host-key command 13-15
blocking not occurring for signature C-44
Blocking Properties pane
adding a host never to be blocked 13-10
configuring 13-9
described 13-7
field descriptions 13-8
BO
described B-72
Trojans B-72
BO2K
described B-72
Trojans B-72
bypass mode
ASA 5500 AIP SSM 5-30
described 5-29
signature updates 17-23
Bypass pane
field descriptions 5-29
user roles 5-28
C
calculating risk rating
attack relevance rating 6-6, 9-3
attack severity rating 6-6, 9-3
promiscuous delta 6-6, 9-3
signature fidelity rating 6-5, 9-3
target value rating 6-6, 9-3
watch list rating 6-6, 9-3
cannot access sensor C-27
Cat 6K Blocking Device Interfaces pane
configuring 13-22
described 13-20
field descriptions 13-21
CDP mode
ASA 5500-X IPS SSP 5-32
ASA 5585-X IPS SSP 5-32
described 5-32
interfaces 5-32
CDP Mode pane
configuring 5-32
field descriptions 5-32
user roles 5-31
certificates
displaying 12-17
Firefox 1-8
generating 12-17
Internet Explorer 1-8
certificates (IDM) 1-7, 12-11
changing Microsoft IIS to UNIX-style directory listings 17-23
cidDump obtaining information C-104
CIDEE
defined A-35
example A-35
IPS extensions A-35
protocol A-35
supported IPS events A-35
cisco
default password 20-2
default username 20-2
Cisco.com
accessing software 21-1
downloading software 21-1
software downloads 21-1
Cisco Discovery Protocol. See CDP.
Cisco IOS rate limiting 13-3
Cisco Security Intelligence Operations
described 21-7
URL 21-8
Cisco Services for IPS
service contract 1-10, 17-15
supported products 1-10, 17-15
clear events command 4-12, 4-16, 18-4, C-19, C-104
Clear Flow States pane
described 18-16
field descriptions 18-17
clearing
denied attackers 14-2
events 4-16, 18-4, C-104
flow states 18-17
statistics C-88
CLI
described A-4, A-31
password recovery 17-12, C-16
client manifest described A-29
clock set command 4-15
Clone Event Action Rules dialog box field descriptions 9-12
Clone Policy dialog box field descriptions 7-2, 10-9
Clone Signature dialog box field descriptions 7-7
cloning
anomaly detection policies 10-9
event action rules policies 9-12
signature definition policies 7-2
signatures 7-14
CollaborationApp described A-4, A-29
command and control interface
described 5-2
list 5-2
commands
allocate-ips 6-15
attemptLimit 4-25
auto-upgrade-option 22-7
clear events 4-12, 4-16, 18-4, C-19, C-104
clock set 4-15
copy backup-config C-3
copy current-config C-3
debug module-boot C-61
downgrade 22-11
erase license-key 17-18
hw-module module 1 reset C-61
hw-module module slot_number password-reset 17-6, 17-10, C-10, C-14
setup 4-1, 19-1, 19-4, 19-8, 19-13, 19-17, 19-21
show events C-101
show health C-80
show module 1 details C-60, C-68, C-74
show settings 17-13, C-16
show statistics C-88
show statistics virtual-sensor C-26, C-88
show tech-support C-81, C-82
show version C-85
sw-module module slot_number password-reset 17-9, C-12
unlock user username 4-26
upgrade 22-3, 22-6
virtual-sensor name 6-15
Compare Knowledge Bases dialog box field descriptions 18-9
comparing KBs 18-9, 18-11
component signatures
risk rating B-32
configuration files
backing up C-2
merging C-2
configuration restrictions
alternate TCP reset interface 5-10
inline interface pairs 5-10
inline VLAN pairs 5-10
interfaces 5-9
physical interfaces 5-9
VLAN groups 5-11
Configure Summertime dialog box field descriptions 3-4, 4-10
configuring
account locking 4-25
account unlocking 4-26
AIC policy parameters 7-43
allowed hosts 4-6
allowed networks 4-6
anomaly detection operation settings 10-11
application policy signatures 7-43
authorized RSA1 keys 12-5
authorized RSA keys 12-3
automatic updates 3-17, 17-24
automatic upgrades 22-9
blocking devices 13-15
blocking properties 13-9
Cat 6K blocking device interfaces 13-22
CDP mode 5-32
CPU, Memory, & Load gadget 2-12
CSA MC IPS interfaces 16-3
device login profiles 13-12
event action filters 6-23, 9-18
events 18-3
event variables 6-37, 9-31
external zone 10-31
general settings 6-42, 9-36
Global Correlation Health gadget 2-9
Global Correlation Reports gadget 2-7
host blocks 14-4
illegal zone 10-25
inline VLAN pairs 3-10
inspection/reputation 11-10
inspection load statistics display 18-5
interface pairs 5-23
interfaces 5-20
Interface Status gadget 2-7
internal zone 10-19
IP fragment reassembly signatures 7-47
IP logging 14-12
IPv4 target value ratings 6-26, 9-21
IPv6 target value ratings 6-29, 9-23
learning accept mode 10-14
Licensing gadget 2-6
local authentication 4-22
master blocking sensor 13-25
network blocks 14-7
network participation 11-11
Network Security gadget 2-10
network settings 4-3
NTP servers 4-13
OS maps 6-33, 9-28
RADIUS authentication 4-23
rate limiting 14-9
rate limiting device interfaces 13-19
risk categories 6-39, 9-34
router blocking device interfaces 13-19
Sensor Health gadget 2-5
Sensor Information gadget 2-4
Sensor Setup window 3-4
sensor to use NTP 4-14
signature variables 7-32
SNMP 15-2
SNMP traps 15-4
time 4-10
Top Applications gadget 2-10
traffic flow notifications 5-31
trusted hosts 12-14
upgrades 22-4
users 4-22
VLAN groups 5-27
VLAN pairs 5-25
control transactions
characteristics A-9
request types A-8
cookies IDM 1-7
copy backup-config command C-3
copy current-config command C-3
correcting time on the sensor 4-12, C-19
CPU, Memory, & Load gadget
configuring 2-12
described 2-11
creating
Atomic IP Advanced engine signature 7-24, 8-14
custom signatures
not using signature engines 8-4
Service HTTP 8-17
String TCP 8-22
using signature engines 8-1
IPv6 signatures 7-24, 8-14
Meta signatures 7-21
Post-Block VACLs 13-21
Pre-Block VACLs 13-21
String TCP XL signatures 7-29
creating the service account C-6
cryptographic account
automatic updates 3-16, 17-22
Encryption Software Export Distribution Authorization from 21-2
obtaining 21-2
cryptographic features (IDM) 1-1
CSA MC
adding interfaces 16-7
configuring IPS interfaces 16-3
host posture events 16-1, 16-3
quarantined IP address events 16-1
supported IPS interfaces 16-3
CtlTransSource
described A-4, A-11
illustration A-12
current configuration back up C-2
current KB setting 18-12
customizing
dashboards 2-1
gadgets 2-1
custom signatures
Custom Signature Wizard 8-5
described 7-4
IPv6 signature 7-24, 8-14
Meta signature 7-21
sensor performance 8-4
String TCP XL 7-26, 7-29
Custom Signature Wizard
alert behavior 8-26
described 8-1
no signature engine sequence 8-4
signature engine sequence 8-1
supported signature engines 8-2
using 8-5
D
Dashboard pane gadgets 2-2
dashboards
adding 2-1
customizing 2-1
data nodes 8-25, B-67
data structures (examples) A-8
DDoS
protocols B-71
Stacheldraht B-71
TFN B-71
debug logging enable C-47
debug-module-boot command C-61
default policies
ad0 10-9
rules0 9-12
sig0 7-2
defaults
KB filename 10-12
password 20-2
restoring 17-28
username 20-2
virtual sensor vs0 6-2
deleting
anomaly detection policies 10-9
blocking devices 13-15
denied attackers 14-2
event action filters 6-23, 9-18
event action overrides 9-14
event action rules policies 9-12
event variables 6-37, 9-31
host blocks 14-4
imported OS values 18-16
IPv4 target value ratings 6-26, 9-21
IPv6 target value ratings 6-29, 9-23
KBs 18-13
learned OS values 18-15
network blocks 14-7
OS maps 6-33, 9-28
rate limiting devices 13-15
rate limits 14-9
risk categories 6-39, 9-34
signature definition policies 7-2
signature variables 7-32
virtual sensors 6-13
Denial of Service. See DoS.
denied attackers
adding 14-2
clearing 14-2
deleting 14-2
hit count 14-1
resetting hit counts 14-2
viewing hit counts 14-2
viewing list 14-2
Denied Attackers pane
described 14-1
field descriptions 14-2
user roles 14-1
using 14-2
deny actions (list) 9-8
Deny Packet Inline described 9-10
detect mode (anomaly detection) 10-4
device access issues C-42
Device Login Profiles pane
configuring 13-12
described 13-11
field descriptions 13-12
Diagnostics Report pane
button functions 18-19
described 18-19
user roles 18-18
using 18-19
diagnostics reports 18-19
Differences between knowledge bases KB_Name and KB_Name window field descriptions 18-10
Difference Thresholds between knowledge base KB_Name and KB_Name window field descriptions 18-10
disabling
anomaly detection 10-34, C-21
blocking 13-7
event action filters 6-23, 9-18
global correlation 11-12
interfaces 5-20
password recovery 17-12, C-16
signatures 7-12
disaster recovery C-6
displaying
events 18-3, C-102
health status C-80
imported OS maps 18-16
inspection load statistics 18-5
learned OS maps 18-15
password recovery setting 17-13, C-16
sensor statistics 18-20
statistics C-88
tech support information C-81
version C-85
Distributed Denial of Service. See DDoS.
DoS tools
Stacheldraht B-71
stick B-7
TFN B-71
downgrade command 22-11
downgrading sensors 22-11
downloading
Cisco software 21-1
KBs 18-13
Download Knowledge Base From Sensor dialog box
described 18-13
field descriptions 18-13
duplicate IP addresses C-29
E
Edit Actions dialog box field descriptions 7-9
Edit Allowed Host dialog box
field descriptions 4-6
user roles 4-5
Edit Authorized RSA1 Key dialog box
field descriptions 12-5
user roles 12-4
Edit Authorized RSA Key dialog box
field descriptions 12-3
user roles 12-2
Edit Blocking Device dialog box
field descriptions 13-14
user roles 13-13
Edit Cat 6K Blocking Device Interface dialog box
field descriptions 13-22
user roles 13-20
Edit Configured OS Map dialog box
field descriptions 6-33, 9-27
user roles 6-32, 9-25
Edit Destination Port dialog box field descriptions 10-16
Edit Device Login Profile dialog box
field descriptions 13-12
user roles 13-11
Edit Event Action Filter dialog box
field descriptions 6-22, 9-17
user roles 6-21, 9-15
Edit Event Action Override dialog box
field descriptions 6-12, 9-14
user roles 6-12, 9-13
Edit Event Variable dialog box
field descriptions 6-36, 9-31
user roles 9-29
Edit External Product Interface dialog box
field descriptions 16-6
user roles 16-4
Edit Histogram dialog box field descriptions 10-17
editing
blocking devices 13-15
event action filters 6-23, 9-18
event action overrides 9-14
event variables 6-37, 9-31
interfaces 5-21
IPv4 target value ratings 6-26, 9-21
IPv6 target value ratings 6-29, 9-23
OS maps 6-33, 9-28
rate limiting devices 13-15
risk categories 6-39, 9-34
signatures 7-15
signature variables 7-32
virtual sensors 6-13
Edit Inline VLAN Pair dialog box field descriptions 3-10, 5-24
Edit Interface dialog box field descriptions 5-20
Edit Interface Pair dialog box field descriptions 5-22
Edit IP Logging dialog box field descriptions 14-11
Edit Known Host RSA1 Key dialog box
field descriptions 12-9
user roles 12-8
Edit Known Host RSA Key dialog box
field descriptions 12-7
user roles 12-6
Edit Master Blocking Sensor dialog box
field descriptions 13-24
user roles 13-23
Edit Never Block Address dialog box
field descriptions 13-10
user roles 13-7
Edit Posture ACL dialog box field descriptions 16-7
Edit Protocol Number dialog box field descriptions 10-18, 10-25
Edit Risk Level dialog box field descriptions 6-39, 9-33
Edit Router Blocking Device Interface dialog box
field descriptions 13-19
user roles 13-16
Edit Signature dialog box field descriptions 7-7
Edit Signature Variable dialog box
field descriptions 7-32
user roles 7-31
Edit SNMP Trap Destination dialog box field descriptions 15-4
Edit User dialog box
field descriptions 4-22
user roles 4-19, 4-22
Edit Virtual Sensor dialog box
field descriptions 6-11
user roles 6-10
Edit VLAN Group dialog box field descriptions 5-27
efficacy
described 11-4
measurements 11-4
enabling
anomaly detection 10-4
event action filters 6-23, 9-18
event action overrides 9-14
interfaces 5-20
packet logging 17-3
signatures 7-12
enabling debug logging C-47
Encryption Software Export Distribution Authorization form
cryptographic account 21-2
described 21-2
engines
AIC B-10
AIC FTP B-11
AIC HTTP B-11
Atomic B-13
Atomic ARP B-13
Atomic IP 8-13, B-24
Atomic IP Advanced B-14
Atomic IPv6 B-27
Fixed B-28
Fixed ICMP B-28
Fixed TCP B-28
Fixed UDP B-28
Flood B-31
Flood Host B-31
Flood Net B-31
Master B-4
Meta 7-21, B-32
Multi String B-34
Normalizer B-36
Service B-39
Service DNS B-39
Service FTP B-41
Service Generic B-42
Service H225 B-43
Service HTTP 8-16, B-46
Service IDENT B-48
Service MSRPC 8-11, B-48
Service MSSQL B-50
Service NTP B-51
Service P2P B-52
Service RPC 8-19, B-52
Service SMB Advanced B-54
Service SNMP B-56
Service SSH B-57
Service TNS B-57
State 8-20, B-59
String 8-21, 8-24, B-61
String ICMP 8-21, 8-24, B-61
String TCP 8-21, 8-24, B-61
String UDP 8-21, 8-24, B-61
Sweep 8-24, B-66
Sweep Other TCP B-68
Traffic Anomaly B-69
Traffic ICMP B-71
Trojan B-72
erase license-key command 17-18
errors (Analysis Engine) C-55
evAlert A-9
event action filters
adding 6-23, 9-18
configuring 6-23, 9-18
deleting 6-23, 9-18
described 6-20, 9-5
disabling 6-23, 9-18
editing 6-23, 9-18
enabling 6-23, 9-18
moving 6-23, 9-18
Event Action Filters tab
configuring 6-23, 9-18
described 6-21, 9-16
field descriptions 6-21, 9-16
event action overrides
adding 9-14
deleting 9-14
described 6-5, 9-4
editing 9-14
enabling 9-14
risk rating range 6-5, 9-4
Event Action Overrides tab
described 9-13
field descriptions 9-14
event action rules
described 9-2
functions 9-2
Event Action Rules (rules0) pane described 9-13
Event Action Rules pane
described 9-12
field descriptions 9-12
user roles 9-12
event action rules policies
adding 9-12
cloning 9-12
deleting 9-12
event action rules variables 6-21, 9-16
event actions
risk ratings 6-7, 9-4
threat ratings 6-7, 9-4
events
clearing 4-16, 18-4, C-104
displaying C-102
host posture 16-2
quarantined IP address 16-2
Events pane
configuring 18-3
described 18-1
field descriptions 18-2
Event Store
clearing 4-16, 18-4, C-104
clearing events 4-12, C-19
data structures A-8
described A-4
examples A-7
no alerts C-34
responsibilities A-7
time stamp 4-12, C-19
timestamp A-7
event types C-101
event variables
adding 6-37, 9-31
configuring 6-37, 9-31
deleting 6-37, 9-31
described 6-35, 9-29
editing 6-37, 9-31
example 6-36, 9-30
Event Variables tab
configuring 6-37, 9-31
field descriptions 6-36, 9-30
Event Viewer pane
displaying events 18-3
field descriptions 18-2
evError A-9
evLogTransaction A-9
evShunRqst A-9
evStatus A-9
example custom signatures
Atomic IP Advanced 7-24, 8-14
Meta 7-21
Service HTTP 8-17
String TCP 8-22
String TCP XL 7-26
examples
AIC engine signature 7-43
ASA failover configuration C-63, C-67, C-73
Atomic IP Advanced engine signature 7-24, 8-14
automatic update 17-25
configured OS maps 6-32, 9-25
default anomaly detection configuration 10-4
IP Fragment Reassembly signature 7-47
IPv6 attacker address 6-22, 9-17
IPV6 victim address 6-23, 9-17
KB histogram 10-13, 18-7
Meta engine signature 7-21
Service HTTP engine signature 8-17
SPAN configuration for IPv6 support 5-14
String TCP engine signature 8-22
String TCP XL engine signature 7-26, 7-29
System Configuration Dialog 19-2
TCP Stream Reassembly signature 7-54
external product interfaces
adding 16-7
described 16-1
issues 16-3, C-24
troubleshooting 16-10, C-24
trusted hosts 16-4
External Product Interfaces pane
described 16-4
field descriptions 16-5
external zone
configuring 10-31
protocols 10-29
user roles 10-28
External Zone tab
described 10-29
tabs 10-29
user roles 10-28
F
fail-over testing 5-12
false positives described 7-4
files Cisco IPS (list) 21-1
Firefox
certificates 1-8
validating CAs 1-8
Fixed engine described B-28
Fixed ICMP engine parameters (table) B-29
Fixed TCP engine parameters (table) B-29
Fixed UDP engine parameters (table) B-30
Flood engine described B-31
Flood Host engine parameters (table) B-31
Flood Net engine parameters (table) B-32
flow states clearing 18-17
FTP servers
automatic updates 17-22
signature updates 17-26
FTP servers and software updates 17-22, 22-2
G
gadgets
adding 2-1
CPU, Memory, & Load 2-11
customizing 2-1
Dashboard pane 2-2
Global Correlation Health 2-8
Global Correlation Reports 2-7
IDM 2-2
IDM home pane 1-3
Interface Status 2-6
Licensing 2-6
Network Security 2-9
Sensor Health 2-4
Sensor Information 2-3
Top Applications 2-10
general settings
configuring 6-42, 9-36
described 6-41, 9-35
General tab
configuring 6-42, 9-36
described 6-41, 9-35, 10-16, 10-23
enabling zones 10-16, 10-23
field descriptions 6-42, 9-36
user roles 9-35
generating diagnostics reports 18-19
global correlation
described 1-1, 11-1, 11-2
disabling 11-12
disabling about 11-12
DNS server 11-6
error messages A-30
features 11-5
goals 11-5
health metrics 11-7
health status 11-7
HTTP proxy server 11-6
license 1-9, 11-6, 11-8, 19-1, 19-5
no IPv6 support 6-22, 6-23, 6-28, 6-29, 6-35, 6-37, 9-15, 9-16, 9-18, 9-22, 9-23, 9-29, 9-31, 11-6
Produce Alert 7-9, 9-8
requirements 11-6
risk rating 11-5
troubleshooting 11-11, C-23
update client (illustration) 11-8
Global Correlation Health gadget
configuring 2-9
described 2-8
Global Correlation Reports gadget
configuring 2-7
described 2-7
Global Correlation Update
client described A-29
server described A-29
GRUB menu password recovery 17-5, C-8
H
H.225.0 protocol B-43
H.323 protocol B-43
hardware bypass
autonegotiation 5-13
configuration restrictions 5-12
fail-over 5-12
IPS 4260 5-12
IPS 4270-20 5-12
reimage 5-13
supported configurations 5-12
with software bypass 5-12
health status
global correlation 11-7
metrics 2-4
sensor 2-4
health status display C-80
Home pane
gadgets 1-3
updating 1-3
host blocks
adding 14-4
deleting 14-4
managing 14-4
Host Blocks pane
configuring 14-4
described 14-3
host posture events
CSA MC 16-3
described 16-2
HTTP/HTTPS servers supported 17-22, 22-2
HTTP advanced decoding
described 6-4
platform support 6-5
restrictions 6-4
HTTP deobfuscation
ASCII normalization 8-16, B-46
described 8-16, B-46
hw-module module 1 reset command C-61
hw-module module slot_number password-reset command 17-6, 17-10, C-10, C-14
I
IDAPI
communications A-4, A-33
described A-4
functions A-33
illustration A-33
responsibilities A-33
IDCONF
described A-34
example A-34
RDEP2 A-34
XML A-34
IDIOM
defined A-34
messages A-34
IDM
Analysis Engine is busy C-58
certificates 1-7, 12-11
cookies 1-7
cryptographic features 1-1
Custom Signature Wizard supported signature engines 8-2
described 1-2, 1-6
gadgets 2-2
GUI 1-3
known host key retrieval 12-6, 12-7, 12-8
logging in 1-6
password recovery 17-13, C-16
supported platforms 1-4
system requirements 1-4
TLS 1-7, 12-12
user interface 1-3
web browsers 1-2, 1-6
will not load C-58
illegal zone
configuring 10-25
user roles 10-22
Illegal Zone tab
described 10-22
user roles 10-22
Imported OS pane
clearing 18-16
described 18-16
field descriptions 18-16
imported OS values
clearing 18-16
deleting 18-16
inactive mode (anomaly detection) 10-4
initializing
appliances 19-8
ASA 5500 AIP SSM 19-13
ASA 5500-X IPS SSP 19-17
ASA 5585-X IPS SSP 19-21
sensors 4-1, 19-1, 19-4
user roles 19-1
verifying 19-25
inline interface pair mode
configuration restrictions 5-10
described 5-15
illustration 5-15
Inline Interface Pair window
described 3-9
Startup Wizard 3-9
inline mode
interface cards 5-3
normalization 6-4
pairing interfaces 5-3
inline TCP session tracking modes described 6-4
inline VLAN pair mode
configuration restrictions 5-10
configuring 3-10
described 5-16
illustration 5-16
supported sensors 5-16
Inline VLAN Pairs window
described 3-9
field descriptions 3-10
Startup Wizard 3-9
Inspection/Reputation pane
configuring 11-10
described 11-8
field descriptions 11-9
Inspection Load Statistics pane
configuring 18-5
described 18-4
field descriptions 18-4
user roles 18-4
installer major version 21-4
installer minor version 21-4
installing
sensor license 1-12, 17-16
system image
ASA 5500 AIP SSM 22-28
ASA 5500-X IPS SSP 22-30
ASA 5585-X IPS SSP 22-32
IPS 4240 22-15
IPS 4255 22-15
IPS 4260 22-18
IPS 4270-20 22-20
IPS 4345 22-22
IPS 4360 22-22
IntelliShield
alerts 7-5
MySDN 7-5
InterfaceApp
described A-20
interactions A-20
NIC drivers A-20
InterfaceApp described A-4
interface pairs
configuring 5-23
described 5-22
Interface Pairs pane
configuring 5-23
described 5-22
field descriptions 5-22
user roles 5-22
interfaces
alternate TCP reset 5-2
command and control 5-2
configuration restrictions 5-9
configuring 5-20
described 3-7, 5-1
disabling 5-20
editing 5-21
enabling 5-20
logical 3-7
physical 3-7
port numbers 5-1
sensing 5-2, 5-3
slot numbers 5-1
support (table) 5-4
TCP reset 5-8
Interface Selection window
described 3-9
Startup Wizard 3-9
Interfaces pane
configuring 5-20
described 5-18
field descriptions 5-19
Interface Status gadget
configuring 2-7
described 2-6
Interface Summary window
described 3-7
internal zone
configuring 10-19
user roles 10-15
Internal Zone tab
described 10-15
user roles 10-15
Internet Explorer validating certificates 1-8
IP fragmentation described B-36
IP fragment reassembly
configuring 7-46
described 7-44
mode 7-46
parameters (table) 7-45
signatures 7-47
signatures (example) 7-47
signatures (table) 7-45
IP logging
described 7-55, 14-10
event actions 14-10
system performance 14-10
IP Logging pane
configuring 14-12
described 14-10
field descriptions 14-11
user roles 14-10
IP Logging Variables pane
described 17-21
field description 17-21
IP logs
circular buffer 14-10
states 14-10
TCPDUMP 14-10
viewing 14-12
Wireshark 14-10
IPS 4240
installing system image 22-15
password recovery 17-5, C-9
reimaging 22-15
IPS 4255
installing system image 22-15
password recovery 17-5, C-9
reimaging 22-14
IPS 4260
hardware bypass 5-12
installing system image 22-18
password recovery 17-5, C-8
reimaging 22-18
IPS 4270-20
hardware bypass 5-12
installing system image 22-20
password recovery 17-5, C-8
reimaging 22-20
IPS 4345
installing system image 22-22
password recovery 17-5, C-8, C-9
reimaging 22-22
IPS 4360
installing system image 22-22
password recovery 17-5, C-8, C-9
reimaging 22-22
IPS 4510
password recovery 17-5, C-8, C-9
reimaging 22-25
SwitchApp A-30
IPS 4520
password recovery 17-5, C-8, C-9
reimaging 22-25
SwitchApp A-30
IPS applications
summary A-37
table A-37
XML format A-4
IPS clock synchronization 4-8, C-18
IPS data
types A-8
XML document A-9
IPS events
evAlert A-9
evError A-9
evLogTransaction A-9
evShunRqst A-9
evStatus A-9
list A-9
types A-9
IPS internal communications A-33
IPS Policies pane
described 6-8
Event Action Rules 6-9
field descriptions 6-9
IPS software
application list A-4
available files 21-1
configuring device parameters A-5
directory structure A-36
Linux OS A-1
obtaining 21-1
retrieving data A-5
security features A-5
tuning signatures A-5
updating A-5
user interaction A-5
versioning scheme 21-2
IPS software file names
major updates (illustration) 21-4
minor updates (illustration) 21-4
patch releases (illustration) 21-4
service packs (illustration) 21-4
IPv4
address format 6-35, 9-30
event variables 6-35, 9-30
IPv4 Add Target Value Rating dialog box
field descriptions 6-26, 9-21
user roles 6-26, 9-20
IPv4 Edit Target Value Rating dialog box
field descriptions 6-26, 9-21
user roles 6-26, 9-20
IPv4 target value ratings
adding 6-26, 9-21
deleting 6-26, 9-21
editing 6-26, 9-21
IPv4 Target Value Rating tab
configuring 6-26, 9-21
field descriptions 6-26, 9-21
IPv6
address format 6-36, 9-30
described B-28
event variables 6-36, 9-30
SPAN ports 5-14
switches 5-14
IPv6 Add Target Value Rating dialog box
field descriptions 6-28
user roles 6-27, 9-22
IPv6 Edit Target Value Rating dialog box
field descriptions 6-28, 9-23
user roles 6-27, 9-22
IPv6 target value ratings
adding 6-29, 9-23
configuring 6-29, 9-23
deleting 6-29, 9-23
editing 6-29, 9-23
IPv6 Target Value Rating tab
configuring 6-29, 9-23
field descriptions 6-28, 9-23
K
KBs
comparing 18-11
default filename 10-12
deleting 18-13
described 10-3
downloading 18-13
histogram 10-12, 18-6
initial baseline 10-3
learning accept mode 10-12
loading 18-12
monitoring 18-9
renaming 18-13
saving 18-12
scanner threshold 10-12, 18-6
tree structure 10-12, 18-6
uploading 18-14
Knowledge Base. See KB.
Known Host RSA1 Keys pane
field descriptions 12-9
Known Host RSA Keys pane
field descriptions 12-7
L
Learned OS pane
clearing 18-15
described 18-15
field descriptions 18-15
learned OS values
clearing 18-15
deleting 18-15
learning accept mode
anomaly detection 10-3
configuring 10-14
user roles 10-12
Learning Accept Mode tab
described 10-12
field descriptions 10-13, 10-14
user roles 10-12
license key
obtaining 1-10, 17-14
trial 1-10, 17-14
uninstalling 17-18
viewing status of 1-10, 17-14
licensing
described 1-10, 17-14
IPS device serial number 1-10, 17-14
Licensing gadget
configuring 2-6
described 2-6
Licensing pane
configuring 1-12, 17-16
described 1-10, 17-14
field descriptions 1-11, 17-16
user roles 1-11, 17-14
limitations for concurrent CLI sessions 20-1
listings UNIX-style 17-22
loading KBs 18-12
local authentication configuring 4-22
Logger
described A-4, A-19
functions A-19
syslog messages A-19
logging in
appliances 20-2
ASA 5500 AIP SSM 20-4
ASA 5500-X IPS SSP 20-5
ASA 5585-X IPS SSP 20-6
IDM 1-6
sensors
SSH 20-7
Telnet 20-7
service role 20-2
terminal servers 20-3, 22-14
user role 20-1
LOKI
described B-71
protocol B-71
loose connections on sensors C-25
M
MainApp
components A-6
described A-4, A-6
host statistics A-6
responsibilities A-6
show version command A-6
major updates described 21-2
managing
host blocks 14-4
network blocks 14-7
rate limiting 14-9
manifests
client A-29
server A-29
manually updating sensor 17-26
master blocking sensor
described 13-23
not set up properly C-45
verifying configuration C-46
Master Blocking Sensor pane
configuring 13-25
described 13-23
field descriptions 13-24
Master engine
alert frequency B-7
alert frequency parameters (table) B-7
described B-4
event actions B-8
general parameters (table) B-4
universal parameters B-4
master engine parameters
obsoletes B-6
promiscuous delta B-6
vulnerable OSes B-6
merging configuration files C-2
Meta engine
described 7-21, B-32
parameters (table) B-33
Signature Event Action Processor 7-21, B-32
Meta Event Generator described 6-41, 9-35
Meta signature
component signatures B-32
metrics for sensor health 17-19
MIBs supported 15-6, C-20
minor updates described 21-3
Miscellaneous tab
application policy parameters 7-33
button functions 7-34
configuring
application policy 7-43
IP fragment reassembly mode 7-46
IP logging 7-55
TCP stream reassembly mode 7-53
described 7-33
field descriptions 7-34
IP fragment reassembly options 7-33
IP logging options 7-34
TCP stream reassembly 7-33
user roles 7-33
modes
anomaly detection detect 10-4
anomaly detection learning accept 10-3
asymmetric 6-4
bypass 5-29
inactive (anomaly detection) 10-4
inline interface pair 5-15
inline TCP tracking 6-4
inline VLAN pair 5-16
Normalizer 6-4
promiscuous 5-13
VLAN groups 5-17
monitoring
events 18-3
inspection load statistics 18-4, 18-5
KBs 18-9
moving
event action filters 6-23, 9-18
OS maps 6-33, 9-28
Multi String engine
described B-34
parameters (table) B-35
Regex B-34
MySDN
described 7-5
IntelliShield 7-5
N
NAS-ID
described 4-23
RADIUS authentication 4-23
Neighborhood Discovery
options B-28
types B-28
network blocks
adding 14-7
deleting 14-7
managing 14-7
Network Blocks pane
configuring 14-7
described 14-6
field descriptions 14-6
user roles 14-6
Network pane
configuring 4-3
described 4-2
field descriptions 4-2
TLS/SSL 4-4
user roles 4-2
network participation
data gathered 11-3
data use (table) 1-2, 11-2
described 11-3
health metrics 11-7
modes 11-4
requirements 11-3
SensorBase Network 11-4
statistics 11-4
network participation data
improving signature fidelity 11-4
understanding sensor deployment 11-4
Network Participation pane
configuring 11-11
described 11-10
field descriptions 11-11
Network Security gadget
configuring 2-10
described 2-9
never block
hosts 13-7
networks 13-7
normalization described 6-4
Normalizer engine
ASA 5500 AIP SSM B-37
ASA 5500-X IPS SSP B-37
ASA 5585-X IPS SSP B-37
described B-36
IP fragment reassembly B-36
IPv6 fragments B-36
modify packets inline 6-4
parameters (table) B-38
TCP stream reassembly B-36
NotificationApp
alert information A-9
described A-4
functions A-9
SNMP gets A-9
SNMP traps A-9
statistics A-11
system health information A-10
NTP
authenticated 4-7, 4-14, C-17
configuring servers 4-13
described 4-8, C-17
incorrect configuration 4-8, C-18
sensor time source 4-12, 4-14
time synchronization 4-8, C-17
unauthenticated 4-7, 4-14, C-17
verifying configuration 4-8
O
obsoletes field described B-6
obtaining
cryptographic account 21-2
IPS software 21-1
license key 1-10, 17-14
sensor license 1-12, 17-16
one-way TCP reset described 6-41, 9-36
Operation Settings tab
described 10-11
field descriptions 10-11
user roles 10-11
OS Identifications tab
described 6-32, 9-25
field descriptions 6-32, 9-27
OS information sources 6-31, 9-26
OS maps
adding 6-33, 9-28
configuring 6-33, 9-28
deleting 6-33, 9-28
editing 6-33, 9-28
moving 6-33, 9-28
other actions (list) 9-9
Other Protocols tab
described 10-18, 10-24, 10-30
enabling other protocols 10-18
external zone 10-30
field descriptions 10-18, 10-30
illegal zone 10-24
P
P2P networks described B-52
Packet Logging pane
described 17-3
field descriptions 17-3
partitions
application A-4
recovery A-4
passive OS fingerprinting
components 6-30, 9-25
configuring 6-31, 9-26
described 6-30, 9-25
enabled (default) 6-31, 9-26
password policy caution 17-3
password recovery
appliances 17-5, C-8
ASA 5500 AIP SSM 17-6, C-10
ASA 5500-X IPS SSP 17-8, C-12
ASA 5585-X IPS SSP 17-10, C-14
CLI 17-12, C-16
described 17-4, C-8
disabling 17-12, C-16
displaying setting 17-13, C-16
GRUB menu 17-5, C-8
IDM 17-13, C-16
IPS 4240 17-5, C-9
IPS 4255 17-5, C-9
IPS 4260 17-5, C-8
IPS 4270-20 17-5, C-8
IPS 4345 17-5, C-8, C-9
IPS 4360 17-5, C-8, C-9
IPS 4510 17-5, C-8, C-9
IPS 4520 17-5, C-8, C-9
platforms 17-4, C-8
ROMMON 17-5, C-9
troubleshooting 17-13, C-17
verifying 17-13, C-16
password requirements configuring 17-2
Passwords pane
configuring 17-2
described 17-2
field descriptions 17-2
patch releases described 21-3
peacetime learning (anomaly detection) 10-3
Peer-to-Peer. See P2P.
physical connectivity issues C-33
physical interfaces configuration restrictions 5-9
platforms concurrent CLI sessions 20-1
Post-Block ACLs 13-17
Pre-Block ACLs 13-17
prerequisites for blocking 13-5
promiscuous delta
calculating risk rating 6-6, 9-3
described 6-6, 9-3
promiscuous delta described B-6
promiscuous mode
atomic attacks 5-13
described 5-13
illustration 5-14
packet flow 5-13
SPAN ports 5-14
TCP reset interfaces 5-8
VACL capture 5-14
protocols
ARP B-13
CDP 5-32
CIDEE A-35
DCE 8-11, B-48
DDoS B-71
H.323 B-43
H225.0 B-43
ICMPv6 B-14
IDAPI A-33
IDCONF A-34
IDIOM A-34
IPv6 B-28
LOKI B-71
MSSQL B-50
Neighborhood Discovery B-28
Q.931 B-43
RPC 8-11, B-48
SDEE A-35
Signature Wizard 8-10
Q
Q.931 protocol
described B-43
SETUP messages B-43
quarantined IP address events described 16-2
R
RADIUS
attempt limit C-23
multiple cisco av-pairs 4-21, 4-24
RADIUS authentication
configuring 4-23
described 4-19
NAS-ID 4-23
service account 4-18
shared secret 4-24
rate limiting
ACLs 13-4
configuring 14-9
described 13-3
managing 14-9
percentages 14-8
routers 13-3
service policies 13-4
supported signatures 13-4
rate limiting devices
adding 13-15
deleting 13-15
editing 13-15
rate limits
adding 14-9
deleting 14-9
Rate Limits pane
configuring 14-9
described 14-7
field descriptions 14-8
raw expression syntax
described B-63
expert mode B-63
Raw Regex
described 7-28, 7-30, B-63
expert mode 7-28, 7-30, B-63
rebooting the sensor 17-29
Reboot Sensor pane
configuring 17-29
described 17-29
user roles 17-29
recover command 22-11
recovering
application partition image 22-12
ASA 5500 AIP SSM C-61
recovery partition
described A-4
upgrade 22-6
Regex
Multi String engine B-34
standardized B-1
Regular Expression. See also Regex.
regular expression syntax
raw Regex 7-28, 7-30, B-63
signatures B-9
reimaging
ASA 5500-X IPS SSP 22-30
described 22-2
hardware bypass 5-13
IPS 4240 22-15
IPS 4255 22-14
IPS 4260 22-18
IPS 4270-20 22-20
IPS 4345 22-22
IPS 4360 22-22
IPS 4510 22-25
IPS 4520 22-25
sensors 22-2, 22-11
removing
last applied
service pack 22-11
signature update 22-11
renaming KBs 18-13
reputation
described 11-2
illustration 11-3
servers 11-3
Reset Network Security Health pane
described 18-18
field descriptions 18-18
resetting data 18-18
user roles 18-18
reset not occurring for a signature C-53
resetting
ASA 5500 AIP SSM C-61
hit counts for denied attackers 14-2
network security health data 18-18
passwords
ASDM 17-8, 17-10, 17-12, C-12, C-13, C-15
hw-module command 17-6, 17-10, C-10, C-14
sw-module command 17-9, C-12
resetting the password
ASA 5500 AIP SSM 17-7, C-10
ASA 5500-X IPS SSP 17-9, C-12
ASA 5585-X IPS SSP 17-10, C-14
Restore Default Interface dialog box field descriptions 3-8
Restore Defaults pane
configuring 17-28
described 17-28
user roles 17-28
restoring
defaults 17-28
restoring the current configuration C-4
retiring signatures 7-12
risk categories
adding 6-39, 9-34
configuring 6-39, 9-34
deleting 6-39, 9-34
editing 6-39, 9-34
Risk Category tab
configuring 6-39, 9-34
described 6-38, 9-33
field descriptions 6-39, 9-33
risk rating
Alarm Channel 11-5
calculating 6-5, 9-2
component signatures B-32
described 6-30, 9-25
global correlation 11-5
reputation score 11-5
ROMMON
ASA 5585-X IPS SSP 22-34
described 22-13
IPS 4240 17-5, 22-15, C-9
IPS 4255 17-5, 22-15, C-9
IPS 4260 22-18
IPS 4270-20 22-20
IPS 4345 17-5, 22-22, C-9
IPS 4360 17-5, 22-22, C-9
IPS 4510 17-5, 22-25, C-9
IPS 4520 17-5, 22-25, C-9
password recovery 17-5, C-9
remote sensors 22-13
serial console port 22-13
TFTP 22-13
round-trip time. See RTT.
Router Blocking Device Interfaces pane
configuring 13-19
described 13-16
field descriptions 13-18
RPC portmapper 8-19, B-52
RTT
described 22-13
TFTP limitation 22-13
S
Save Knowledge Base dialog box
described 18-11
field descriptions 18-12
saving KBs 18-12
scheduling automatic upgrades 22-9
SDEE
described A-35
HTTP A-35
protocol A-35
server requests A-35
security
account locking 4-25
information on Cisco Security Intelligence Operations 21-7
information on MySDN 7-5
SSH 12-2
security policies described 6-1, 7-1, 9-1, 10-1
sensing interface
ASA 5500 AIP SSM 6-15
ASA 5500-X IPS SSP 6-15
ASA 5585-X IPS SSP 6-15
sensing interfaces
Analysis Engine 5-3
described 5-3
interface cards 5-3
modes 5-3
SensorApp
Alarm Channel A-24
Analysis Engine A-24
described A-4
event action filtering A-25
inline packet processing A-25
IP normalization A-25
packet flow A-26
processors A-23
responsibilities A-23
risk rating A-25
Signature Event Action Processor A-23
signature updates 17-23
TCP normalization A-25
SensorBase Network
described 1-1, 11-1, 11-2
network participation 11-4
participation 1-2, 11-2
servers 1-2, 11-2
sensor health
critical settings 17-19
metrics 17-19
Sensor Health gadget
configuring 2-5
described 2-4
metrics 2-4
status 2-4
Sensor Health pane
described 17-19
field descriptions 17-20
Sensor Information gadget
configuring 2-4
described 2-3
Sensor Key pane
button functions 12-11
described 12-11
field descriptions 12-11
sensor SSH host key
displaying 12-11
generating 12-11
user roles 12-11
sensor license
installing 1-12, 17-16
obtaining 1-12, 17-16
sensors
access problems C-27
application partition image 22-12
asymmetric traffic and disabling anomaly detection 10-34, C-21
blocking self 13-7
command and control interfaces (list) 5-2
configuring to use NTP 4-14
corrupted SensorApp configuration C-37
diagnostics reports 18-19
disaster recovery C-6
downgrading 22-11
incorrect NTP configuration 4-8, C-18
initializing 4-1, 19-1, 19-4
interface support 5-4
IP address conflicts C-29
logging in
SSH 20-7
Telnet 20-7
loose connections C-25
misconfigured access lists C-29
no alerts C-34, C-60
not seeing packets C-36
NTP time source 4-14
NTP time synchronization 4-8, C-17
partitions A-4
physical connectivity C-33
preventive maintenance C-2
rebooting 17-29
reimaging 22-2
restoring defaults 17-28
sensing process not running C-31
setup command 4-1, 19-1, 19-4, 19-8
shutting down 17-29
statistics 18-20
system information 18-21
time sources 4-7, C-17
troubleshooting software upgrades C-56
updating 17-27
upgrading 22-4
using NTP time source 4-12
Sensor Setup window
described 3-2
Startup Wizard 3-2
Server Certificate pane
button functions 12-17
certificate
displaying 12-17
generating 12-17
described 12-17
field descriptions 12-17
user roles 12-17
server manifest described A-29
service account
accessing 4-18, C-5
cautions 4-18, C-5
creating C-6
described 4-18, A-32, C-5
RADIUS authentication 4-18
TAC A-32
troubleshooting A-32
Service DNS engine
described B-40
parameters (table) B-40
Service engine
described B-39
Layer 5 traffic B-39
Service FTP engine
described B-41
parameters (table) B-41
PASV port spoof B-41
Service Generic engine
described B-42
no custom signatures B-42
parameters (table) B-42
Service H225 engine
ASN.1PER validation B-44
described B-43
features B-44
parameters (table) B-44
TPKT validation B-44
Service HTTP engine
custom signature 8-17
described 8-16, B-46
example signature 8-17
parameters (table) B-46
Service IDENT engine
described B-48
parameters (table) B-48
Service MSRPC engine
DCE/RPC protocol 8-11, B-48
described 8-11, B-48
parameters (table) B-49
Service MSSQL engine
described B-50
MSSQL protocol B-50
parameters (table) B-51
Service NTP engine
described B-51
parameters (table) B-51
Service P2P engine described B-52
service packs described 21-3
service role 4-17, 20-2, A-32
Service RPC engine
described 8-19, B-52
parameters (table) B-52
RPC portmapper 8-19, B-52
Service SMB Advanced engine
described B-54
parameters (table) B-54
Service SNMP engine
described B-56
parameters (table) B-56
Service SSH engine
described B-57
parameters (table) B-57
Service TNS engine
described B-57
parameters (table) B-58
session command
ASA 5500 AIP SSM 20-4
ASA 5500-X IPS SSP 20-5
ASA 5585-X IPS SSP 20-6
sessioning in
ASA 5500 AIP SSM 20-4
ASA 5500-X IPS SSP 20-5
ASA 5585-X IPS SSP 20-6
setting
current KB 18-12
system clock 4-16
setting up terminal servers 20-3, 22-14
setup
automatic 19-2
command 4-1, 19-1, 19-4, 19-8, 19-13, 19-17, 19-21
simplified mode 19-2
shared secret
described 4-24
RADIUS authentication 4-24
show events command C-101
show health command C-80
show interfaces command C-99
show module 1 details command C-60, C-68, C-74
show settings command 17-13, C-16
show statistics command C-87, C-88
show statistics virtual-sensor command C-26, C-88
show tech-support command C-80, C-81, C-82
show version command C-84, C-85
Shut Down Sensor pane
configuring 17-29
described 17-29
user roles 17-29
shutting down the sensor 17-29
sig0 pane
column heads 7-3
configuration buttons 7-3
default 7-3
described 7-3
field descriptions 7-6
signatures
assigning actions 7-16
cloning 7-14
tuning 7-15
tabs 7-3
signature definition policies
adding 7-2
cloning 7-2
default policy 7-2
deleting 7-2
sig0 7-2
Signature Definitions pane
described 7-2
field descriptions 7-2
signature engines
AIC B-10
Atomic B-13
Atomic ARP B-13
Atomic IP 8-13, B-24
Atomic IP Advanced B-14
Atomic IPv6 B-27
creating custom signatures 8-1
described B-1
Fixed B-28
Flood B-31
Flood Host B-31
Flood Net B-32
list B-2
Master B-4
Meta 7-21, B-32
Multi String B-34
Normalizer B-36
Regex
patterns B-10
syntax B-9
Service B-39
Service DNS B-40
Service FTP B-41
Service Generic B-42
Service H225 B-43
Service HTTP 8-16, B-46
Service IDENT B-48
Service MSRPC 8-11, B-48
Service MSSQL B-50
Service NTP B-51
Service P2P B-52
Service RPC 8-19, B-52
Service SMB Advanced B-54
Service SNMP B-56
Service SSH B-57
Service TNS B-57
State 8-20, B-59
String 8-21, 8-24, B-61
supported by IDM 8-2
Sweep 8-24, B-66
Sweep Other TCP B-68
Traffic Anomaly B-69
Traffic ICMP B-71
Trojan B-72
Signature Event Action Filter
described 9-6, A-27
parameters 9-6, A-27
Signature Event Action Handler described 9-7, A-27
Signature Event Action Override described 9-6, A-27
Signature Event Action Processor
Alarm Channel 9-6, A-27
components 9-6, A-27
described 9-6, A-23, A-27
signature fidelity rating
calculating risk rating 6-5, 9-3
described 6-5, 9-3
signatures
adding 7-12
alert frequency 7-18
assigning actions 7-16
cloning 7-14
custom 7-4
default 7-4
described 7-4
disabling 7-12
editing 7-15
enabling 7-12
false positives 7-4
rate limits 13-4
retiring 7-12
String TCP XL 7-29
subsignatures 7-4
TCP reset C-53
tuned 7-4
tuning 7-15
Signatures window
described 3-14
field descriptions 3-15
user roles 3-14
signature threat profiles
applying 3-15
platform support 3-14
signature updates
bypass mode 17-23
files 21-4
FTP server 17-26
installation time 17-23
SensorApp 17-23
signature variables
adding 7-32
configuring 7-32
deleting 7-32
described 7-31
editing 7-32
Signature Variables tab
configuring 7-32
field descriptions 7-32
Signature Wizard
Alert Response window field descriptions 8-26
Atomic IP Engine Parameters window field descriptions 8-13
ICMP Traffic Type window field descriptions 8-12
Inspect Data window field descriptions 8-12
MSRPC Engine Parameters window field descriptions 8-11
protocols 8-10
Protocol Type window field descriptions 8-10
Service HTTP Engine Parameters window field descriptions 8-16
Service RPC Engine Parameters window field descriptions 8-19
Service Type window field descriptions 8-12
signature identification 8-10
Signature Identification window field descriptions 8-11
State Engine Parameters window field descriptions 8-20
String ICMP Engine Parameters window field descriptions 8-21
String TCP Engine Parameters window field descriptions 8-21
String UDP Engine Parameters window field descriptions 8-24
Sweep Engine Parameters window field descriptions 8-25
TCP Sweep Type window field descriptions 8-13
TCP Traffic Type window field descriptions 8-12
UDP Sweep Type window field descriptions 8-12
UDP Traffic Type window field descriptions 8-12
Welcome window field descriptions 8-10
SNMP
configuring 15-2
described 15-1
General Configuration pane
field descriptions 15-2
user roles 15-2
Get 15-1
GetNext 15-1
Set 15-1
supported MIBs 15-6, C-20
Trap 15-1
Traps Configuration pane
field descriptions 15-3
user roles 15-3
SNMP General Configuration pane
configuring 15-2
described 15-2
SNMP traps
configuring 15-4
described 15-1
software architecture
ARC (illustration) A-13
IDAPI (illustration) A-33
software bypass
supported configurations 5-12
with hardware bypass 5-12
software downloads Cisco.com 21-1
software file names
recovery (illustration) 21-5
signature/virus updates (illustration) 21-4
system image (illustration) 21-5
software release examples
platform identifiers 21-6
platform-independent 21-5
software updates
supported FTP servers 17-22, 22-2
supported HTTP/HTTPS servers 17-22, 22-2
SPAN port issues C-33
SSH
described 12-1
security 12-2
SSH Server
private keys A-22
public keys A-22
standards
CIDEE A-35
IDCONF A-34
IDIOM A-34
SDEE A-35
Startup Wizard
access lists 3-3
adding ACLs 3-5
adding virtual sensors 3-13
Add Virtual Sensor dialog box 3-12
ASA 5500 AIP SSM 3-2
ASA 5500-X IPS SSP 3-2
ASA 5585-X IPS SSP 3-2
Auto Update configuring 3-17
described 3-1
Inline Interface Pair window
described 3-9
field descriptions 3-9
Inline VLAN Pairs window configuring 3-10
Interface Selection window 3-9
Interface Summary window 3-7
Sensor Setup window
configuring 3-4
field descriptions 3-2
Signatures window described 3-14
Traffic Inspection Mode window 3-8
Virtual Sensors window
field descriptions 3-12
Virtual Sensors window described 3-11
VLAN groups unsupported 3-1, 3-8
State engine
Cisco Login 8-20, B-59
described 8-20, B-59
LPR Format String 8-20, B-59
parameters (table) B-59
SMTP 8-20, B-59
statistic display C-88
Statistics pane
button functions 18-20
categories 18-19
described 18-19
using 18-20
statistics viewing 18-20
String engine described 8-21, 8-24, B-61
String ICMP engine parameters (table) B-61
String TCP engine
custom signature 8-22
example signature 8-22
parameters (table) B-61
String TCP XL signature (example) 7-26, 7-29
String UDP engine parameters (table) B-62
String XL engine
description B-63
hardware support 8-3, B-3, B-63
parameters (table) B-64
unsupported parameters B-66
subinterface 0 described 5-17
subsignatures described 7-4
summarization
described 6-7, 9-5
Fire All 6-8, 9-5
Fire Once 6-8, 9-6
Global Summarization 6-8, 9-6
Meta engine 6-7, 9-5
Summary 6-8, 9-6
Summarizer described 6-41, 9-35
Summary pane
button functions 5-18
described 5-17
field descriptions 3-8, 5-18
supported
FTP servers 17-22, 22-2
HTTP/HTTPS servers 17-22, 22-2
IDM platforms 1-4
IPS interfaces for CSA MC 16-3
sensors (signature threat profiles) 3-14
Sweep engine 8-25, B-67
described 8-24, B-66
parameters (table) B-67
Sweep Other TCP engine
described B-68
parameters (table) B-69
SwitchApp described A-30
switches and TCP reset interfaces 5-9
sw-module module slot_number password-reset command 17-9, C-12
system architecture
directory structure A-36
supported platforms A-1
system clock setting 4-16
system components IDAPI A-33
System Configuration Dialog
described 19-2
example 19-2
system design (illustration) A-2, A-3
system image
installing
ASA 5500 AIP SSM 22-28
ASA 5500-X IPS SSP 22-30
IPS 4240 22-15
IPS 4255 22-15
IPS 4260 22-18
IPS 4270-20 22-20
IPS 4345 22-22
IPS 4360 22-22
system images
installing
IPS 4510 22-25
IPS 4520 22-25
System Information pane
described 18-20
using 18-21
system information viewing 18-21
system requirements for IDM 1-4
T
TAC
contact information 18-20
service account 4-18, A-32, C-5
show tech-support command C-81, C-82
troubleshooting A-32
target value rating
calculating risk rating 6-6, 9-3
described 6-6, 6-26, 6-28, 9-3, 9-21, 9-22
TCP fragmentation described B-36
TCP Protocol tab
described 10-16, 10-23, 10-29
enabling TCP 10-16
external zone 10-29
field descriptions 10-16
illegal zone 10-23
TCP reset interfaces
conditions 5-9
described 5-8
list 5-8
promiscuous mode 5-8
switches 5-9
TCP resets not occurring C-53
TCP stream reassembly
described 7-47
parameters (table) 7-48
signatures (table) 7-48
TCP stream reassembly mode 7-53
tech support information display C-81
terminal server setup 20-3, 22-14
testing fail-over 5-12
TFN2K
described B-71
Trojans B-72
TFTP servers
maximum file size limitation 22-13
RTT 22-13
Threat Category tab
described 6-40, 9-34
field descriptions 6-40, 9-35
threat rating
described 6-7, 9-4
risk rating 6-7, 9-4
Thresholds for KB Name window
described 18-8
field descriptions 18-8
filtering information 18-8
time
correction on the sensor 4-12, C-19
sensors 4-7, C-17
synchronizing IPS clocks 4-8, C-18
Time pane
configuring 4-10
described 4-7
field descriptions 4-9
user roles 4-7
time sources
appliances 4-8, C-17
ASA 5500 AIP SSC-5 4-8, C-18
ASA 5500 AIP SSM 4-8, C-18
ASA 5500-X IPS SSP 4-8, C-18
ASA 5585-X IPS SSP 4-8, C-18
TLS
described 4-4
handshaking 1-7, 12-12
IDM 1-7, 12-12
web server 1-7, 12-11
Top Applications gadget
configuring 2-10
described 2-10
Traffic Anomaly engine
described B-69
protocols B-69
signatures B-69
traffic flow notifications
configuring 5-31
described 5-31
Traffic Flow Notifications pane
configuring 5-31
field descriptions 5-31
user roles 5-31
Traffic ICMP engine
DDoS B-71
described B-71
LOKI B-71
parameters (table) B-72
TFN2K B-71
Traffic Inspection Mode window described 3-8
Traps Configuration pane
configuring 15-4
described 15-3
trial license key 1-10, 17-14
Tribe Flood Network. See TFN.
Tribe Flood Network 2000. See TFN2K.
Trojan engine
BO2K B-72
described B-72
TFN2K B-72
Trojans
BO B-72
BO2K B-72
LOKI B-71
TFN2K B-72
troubleshooting
Analysis Engine busy C-58
applying software updates C-55
ARC
blocking not occurring for signature C-44
device access issues C-42
enabling SSH C-44
inactive state C-40
misconfigured master blocking sensor C-45
verifying device interfaces C-43
ASA 5500 AIP SSM
commands C-60
debugging C-61
recovering C-61
reset C-61
ASA 5500-X IPS SSP
commands C-68
failover scenarios C-67
ASA 5585-X IPS SSP
commands C-74
failover scenarios C-62, C-72
traffic flow stopped C-73
automatic updates C-55
cannot access sensor C-27
cidDump C-104
cidLog messages to syslog C-52
communication C-26
corrupted SensorApp configuration C-37
debug logger zone names (table) C-51
debug logging C-47
disaster recovery C-6
duplicate sensor IP addresses C-29
enabling debug logging C-47
external product interfaces 16-10, C-24
gathering information C-79
global correlation 11-11, C-23
IDM
cannot access sensor C-59
will not load C-58
IPS clock time drift 4-8, C-18
misconfigured access list C-29
no alerts C-34, C-60
password recovery 17-13, C-17
physical connectivity issues C-33
preventive maintenance C-2
RADIUS
attempt limit C-23
reset not occurring for a signature C-53
sensing process not running C-31
sensor events C-101
sensor loose connections C-25
sensor not seeing packets C-36
sensor software upgrade C-56
service account 4-18, C-5
show events command C-101
show interfaces command C-99
show statistics command C-87
show tech-support command C-80, C-82
show version command C-84
software upgrades C-54
SPAN port issue C-33
upgrading C-54
verifying Analysis Engine is running C-22
verifying ARC status C-39
Trusted Hosts pane
configuring 12-14
described 12-13
field descriptions 12-13
Trusted Root Certificates pane
configuring 12-16
described 12-15
field descriptions 12-15
tuned signatures described 7-4
tuning
AIC signatures 7-43
IP fragment reassembly signatures 7-47
signatures 7-15
TCP fragment reassembly signatures 7-54
U
UDP Protocol tab
described 10-17, 10-23, 10-24, 10-29
enabling UDP 10-17
external zone 10-29
field descriptions 10-30
illegal zone 10-23, 10-24
unassigned VLAN groups described 5-17
unauthenticated NTP 4-7, 4-14, C-17
uninstalling the license key 17-18
UNIX-style directory listings 17-22
unlocking accounts 4-26
unlock user username command 4-26
Update Sensor pane
configuring 17-27
described 17-26
field descriptions 17-26
user roles 17-26
updating
Home pane 1-3
sensors 17-27
trusted root certificates 12-16
upgrade command 22-3, 22-6
upgrading
application partition 22-11
latest version C-54
recovery partition 22-6
sensors 22-4
uploading KBs
FTP 18-14
SCP 18-14
Upload Knowledge Base to Sensor dialog box
described 18-14
field descriptions 18-14
URLs for Cisco Security Intelligence Operations 21-8
user roles authentication 4-19
users configuring 4-22
using
debug logging C-47
TCP reset interfaces 5-9
V
VACLs
described 13-2
Post-Block 13-21
Pre-Block 13-21
verifying
NTP configuration 4-8
password recovery 17-13, C-16
sensor initialization 19-25
sensor setup 19-25
version display C-85
viewing
denied attacker hit counts 14-2
denied attackers list 14-2
IP logs 14-12
license key status 1-10, 17-14
statistics 18-20
system information 18-21
virtualization
advantages 6-3, C-19
restrictions 6-3, C-19
supported sensors 6-3, C-20
traffic capture requirements 6-3, C-20
virtual-sensor name command 6-15
virtual sensors
adding 3-13, 6-13
adding (ASA 5500 AIP SSM) 6-16
adding (ASA 5500-X IPS SSP) 6-16
adding (ASA 5585-X IPS SSP) 6-16
ASA 5500 AIP SSM 6-18
ASA 5500-X IPS SSP 6-18
ASA 5585-X IPS SSP 6-18
creating (ASA 5500 AIP SSM) 6-16
creating (ASA 5500-X IPS SSP) 6-16
creating (ASA 5585-X IPS SSP) 6-16
default virtual sensor 6-2, 6-8
deleting 6-13
described 6-2, 6-8
editing 6-13
options 6-16
Virtual Sensors window
described 3-11
VLAN groups
802.1q encapsulation 5-17
configuration restrictions 5-11
configuring 5-27
deploying 5-26
switches 5-26
VLAN IDs 5-26
VLAN groups mode
described 5-17
VLAN Groups pane
configuring 5-27
described 5-26
field descriptions 5-27
user roles 5-26
VLAN Pairs pane
configuring 5-25
described 5-24
field descriptions 5-24
user roles 5-24
vulnerable OSes field described B-6
W
watch list rating
calculating risk rating 6-6, 9-3
described 6-6, 9-3
web server
described A-4, A-23
HTTP 1.0 and 1.1 support A-23
private keys A-22
public keys A-22
SDEE support A-23
TLS 1-7, 12-11
worms
Blaster 10-2
Code Red 10-2
histograms 10-13, 18-6
Nimda 10-2
protocols 10-3
Sasser 10-2
scanners 10-3
Slammer 10-2
SQL Slammer 10-2
Z
zones
external 10-5
illegal 10-5
internal 10-5