Index
Numerics
4GE bypass interface card
configuration restrictions 7-10
described 7-10
802.1q encapsulation for VLAN groups 7-17
A
AAA RADIUS
functionality 6-19
limitations 6-19
accessing
IPS software 26-2
service account 6-18, C-5
access list misconfiguration C-29
access lists
necessary hosts 5-3
Startup Wizard 5-3
account locking
configuring 6-25
security 6-25
account unlocking configuring 6-26
ACLs
adding 5-5
described 16-3
Post-Block 16-17, 16-18
Pre-Block 16-17, 16-18
ad0 pane
default 13-10
described 13-10
tabs 13-10
Add ACL Entry dialog box field descriptions 5-3
Add Allowed Host dialog box
field descriptions 6-6
user roles 6-5
Add Authorized RSA1 Key dialog box
field descriptions 15-5
user roles 15-4
Add Authorized RSA Key dialog box
field descriptions 15-3
user roles 15-2
Add Blocking Device dialog box
field descriptions 16-15
user roles 16-14
Add Cat 6K Blocking Device Interface dialog box
field descriptions 16-22
user roles 16-21
Add Configured OS Map dialog box
field descriptions 8-32, 12-26
user roles 8-31, 12-23
Add Destination Port dialog box
field descriptions 13-17, 13-23, 13-30
user roles 13-15
Add Device dialog box field descriptions 2-3
Add Device Login Profile dialog box
field descriptions 16-12
user roles 16-12
Add Event Action Filter dialog box
field descriptions 8-22, 12-16
user roles 12-15
Add Event Action Override dialog box
field descriptions 8-12, 12-13
user roles 8-12, 12-13
Add Event Variable dialog box
field descriptions 8-35, 12-29
user roles 8-34, 12-28
Add External Product Interface dialog box
field descriptions 19-6
user roles 19-4
Add Filter dialog box field descriptions 3-19, 22-3
Add Histogram dialog box
field descriptions 13-17, 13-24, 13-30
user roles 13-15
Add Host Block dialog box field descriptions 17-4
adding
ACLs 5-5
a host never to be blocked 16-11
anomaly detection policies 13-10
blocking devices 16-15
CSA MC interfaces 19-7
denied attackers 17-2
event action filters 8-23, 12-17
event action overrides 12-14
event action rules policies 12-12
event variables 8-36, 12-29
external product interfaces 19-7
host blocks 17-4
IPv4 target value ratings 8-26, 12-20
IPv6 target value ratings 8-28, 12-22
network blocks 17-7
OS maps 8-33, 12-27
rate limiting devices 16-15
rate limits 17-9
risk categories 8-38, 12-32
signature definition policies 10-8
signatures 10-17
signature variables 10-37
virtual sensors 5-13, 8-13
virtual sensors (ASA 5500 AIP SSM) 8-16
virtual sensors (ASA 5500-X IPS SSP) 8-16
virtual sensors (ASA 5585-X IPS SSP) 8-16
Add Inline VLAN Pair dialog box
field descriptions 7-24
user roles 7-23
Add Inline VLAN Pair Entry dialog box field descriptions 5-10
Add Interface Pair dialog box
field descriptions 7-22
user roles 7-22
Add IP Logging dialog box field descriptions 17-11
Add Known Host RSA1 Key dialog box
field descriptions 15-9
user roles 15-8
Add Known Host RSA Key dialog box
field descriptions 15-7
user roles 15-6
Add Master Blocking Sensor dialog box
field descriptions 16-25
user roles 16-24
Add Network Block dialog box field descriptions 17-6
Add Never Block Address dialog box
field descriptions 16-10
user roles 16-7
Add Policy dialog box
field descriptions 9-2, 10-8, 12-12, 13-9
user roles 10-7, 12-11, 13-9
Add Posture ACL dialog box field descriptions 19-7
Add Protocol Number dialog box field descriptions 13-18, 13-25, 13-32
Add Rate Limit dialog box
field descriptions 17-8
user role 17-7
Address Resolution Protocol. See ARP.
Add Risk Level dialog box
field descriptions 8-38, 12-31
user roles 8-37, 12-31
Add Router Blocking Device Interface dialog box
field descriptions 16-19
user roles 16-17
Add Signature dialog box field descriptions 10-12
Add Signature Variable dialog box
field descriptions 10-36
user roles 10-36
Add SNMP Trap Destination dialog box
field descriptions 18-5
user roles 18-4
Add Start Time dialog box
field descriptions 13-14
user roles 13-12
Add Target Value Rating dialog box
field descriptions 8-26, 8-28
user roles 8-26, 8-27
Add Trusted Host dialog box
field descriptions 15-13
user roles 15-13
Add User dialog box
field descriptions 6-22
user roles 6-19, 6-22
Add Virtual Sensor dialog box
described 5-12, 8-10
field descriptions 5-13, 8-10
user roles 8-10
Add VLAN Group dialog box
field descriptions 7-27
user roles 7-26
Advanced Alert Behavior Wizard
Alert Dynamic Response Fire All window field descriptions 11-27
Alert Dynamic Response Fire Once window field descriptions 11-28
Alert Dynamic Response Summary window field descriptions 11-28
Alert Summarization window field descriptions 11-27
Event Count and Interval window field descriptions 11-26
Global Summarization window field descriptions 11-29
aggregation
alert frequency 8-7, 12-5
operating modes 8-7, 12-5
AIC
policy 10-48
signatures (example) 10-48
AIC engine
AIC FTP B-11
AIC FTP engine parameters (table) B-12
AIC HTTP B-11
AIC HTTP engine parameters (table) B-12
described B-11
features B-11
signature categories 10-40
AIC policy enforcement
default configuration 10-41, B-11
described 10-41, B-11
sensor oversubscription 10-41, B-11
Alarm Channel
described 12-6, A-26
risk rating 14-5
alert and log actions (list) 10-2, 10-14, 12-8
alert behavior
Custom Signature Wizard 11-26
normal 11-26
alert frequency
aggregation 10-23
configuring 10-23
controlling 10-23
modes B-7
allocate-ips command 8-15
Allowed Hosts/Networks pane
configuring 6-6
described 6-5
field descriptions 6-6
alternate TCP reset interface
configuration restrictions 7-12
designating 7-9
restrictions 7-2
Analysis Engine
described 8-2
error messages C-26
errors C-55
IDM exits C-59
sensing interfaces 7-3
verify it is running C-22
virtual sensors 8-2
anomaly detection
asymmetric traffic 13-2
caution 13-2
configuration sequence 13-5
default anomaly detection configuration 13-4
default configuration (example) 13-4
described 13-2
detect mode 13-4
enabling 13-4
event actions 13-7, B-70
inactive mode 13-4
learning accept mode 13-3
learning process 13-3
limiting false positives 13-13, 21-8
operation settings 13-11
protocols 13-3
signatures (table) 13-7, B-70
signatures described 13-7
worms
attacks 13-13, 21-8
described 13-3
zones 13-5
anomaly detection disabling 13-35, C-21
Anomaly Detection pane
button functions 21-8
described 21-7
field descriptions 21-8
user roles 21-7
anomaly detection policies
ad0 13-9
adding 13-10
cloning 13-10
default policy 13-9
deleting 13-10
Anomaly Detections pane
described 13-9
field descriptions 13-9
user roles 13-9
appliances
GRUB menu 20-5, C-8
initializing 25-8
logging in 24-2
password recovery 20-5, C-8
setting system clock 6-16
terminal servers
described 24-3, 27-13
setting up 24-3, 27-13
time sources 6-10, C-17
upgrading recovery partition 27-6
Application Inspection and Control. See AIC.
application partition
described A-4
image recovery 27-11
application policy enforcement described 10-41, B-11
applications in XML format A-4
applying signature threat profiles 5-15
applying software updates C-55
ARC
ACLs 16-18, A-14
authentication A-15
blocking
connection-based A-17
response A-13
unconditional blocking A-17
blocking application 16-2
blocking not occurring for signature C-45
Catalyst switches
VACL commands A-19
VACLs A-16, A-19
VLANs A-16
checking status 16-3, 16-4
described A-4
design 16-2
device access issues C-42
enabling SSH C-44
features A-14
firewalls
AAA A-18
connection blocking A-18
NAT A-18
network blocking A-18
postblock ACL A-16
preblock ACL A-16
shun command A-18
TACACS+ A-18
formerly Network Access Controller 16-1
functions 16-2
illustration A-13
inactive state C-40
interfaces A-14
maintaining states A-16
managed devices 16-7
master blocking sensors A-14
maximum blocks 16-2
misconfigured master blocking sensor C-46
nac.shun.txt file A-16
NAT addressing A-15
number of blocks A-15
postblock ACL A-16
preblock ACL A-16
prerequisites 16-5
rate limiting 16-4
responsibilities A-13
single point of control A-15
SSH A-14
supported devices 16-5, A-15
Telnet A-14
troubleshooting C-38
VACLs A-14
verifying device interfaces C-43
verifying status C-39
ARP
Layer 2 signatures B-13
protocol B-13
ARP spoof tools
dsniff B-13
ettercap B-13
ASA 5500 AIP SSM
assigning virtual sensors 8-18
bypass mode 7-30
creating virtual sensors 8-16
initializing 25-13
installing system image 27-27
logging in 24-4
Normalizer engine B-37, C-65
password recovery 20-7, 20-11, C-10
recovering C-64
resetting C-64
resetting the password 20-7, 20-11, C-10
sensing interface 8-15
session command 24-4
sessioning in 24-4
setup command 25-13
time sources 6-11, C-18
virtual sensors
assigning the interface 8-16
sequence 8-15
ASA 5500-X IPS SSP
assigning virtual sensors 8-18
creating virtual sensors 8-16
initializing 25-17
IPS reloading messages C-67, C-79, C-86
logging in 24-5
memory usage 20-20, C-77
memory usage values (table) 20-20, C-78
no CDP mode support 7-31
Normalizer engine B-37, C-77
password recovery 20-9, C-12
resetting the password 20-9, C-12
sensing interface 8-15
session command 24-5
sessioning in 24-5
setup command 25-17
time sources 6-11, C-18
virtual sensors
assigning policies 8-16
assigning the interface 8-16
virtual sensor sequence 8-15
ASA 5585-X IPS SSP
assigning virtual sensors 8-18
creating virtual sensors 8-16
initializing 25-21
installing system image 27-31
IPS reloading messages C-67, C-79, C-86
logging in 24-6
no CDP mode support 7-31
Normalizer engine B-37, C-84
password recovery C-14
resetting the password C-14
sensing interface 8-15
session command 24-6
sessioning in 24-6
setup command 25-21
time sources 6-11, C-18
virtual sensors
assigning policies 8-16
assigning the interface 8-16
sequence 8-15
ASA IPS modules
jumbo packet count C-66, C-78, C-85
ASDM
resetting passwords 20-9, 20-10, 20-13, C-12, C-13, C-15
assigning
interfaces to virtual sensors (ASA 5500 AIP SSM) 8-16
interfaces to virtual sensors (ASA 5500-X IPS SSP) 8-16
interfaces to virtual sensors (ASA 5585-X IPS SSP) 8-16
policies to virtual sensors (ASA 5500 AIP SSM) 8-16
policies to virtual sensors (ASA 5500-X IPS SSP) 8-16
policies to virtual sensors (ASA 5585-X IPS SSP) 8-16
assigning actions to signatures 10-21
asymmetric mode
described 8-4
normalization 8-4
asymmetric traffic
anomaly detection 13-2
caution 13-2
asymmetric traffic and disabling anomaly detection 13-35, C-21
Atomic ARP engine
described B-13
parameters (table) B-13
Atomic IP Advanced engine
described B-14
parameters (table) B-16
restrictions B-15
Atomic IP engine
described 11-13, B-24
parameters (table) B-24
Atomic IPv6 engine
described B-27
Neighborhood Discovery protocol B-28
signatures B-28
attack relevance rating
calculating risk rating 8-6, 12-3
described 8-6, 8-30, 12-3, 12-24
Attack Response Controller
described A-4
formerly known as Network Access Controller A-4
Attack Response Controller. See ARC.
attack severity rating
calculating risk rating 8-6, 12-3
described 8-6, 12-3
Attacks Over Time gadgets
configuring 3-13
described 3-13
Attacks Over Time Reports described 1-18, 23-2
attempt limit
RADIUS C-23
attemptLimit command 6-25
audit mode
described 14-8
testing global correlation 14-8
authenticated NTP 6-10, 6-14, C-17
authentication
local 6-19
RADIUS 6-19
AuthenticationApp
authenticating users A-21
described A-4
login attempt limit A-21
method A-21
responsibilities A-20
secure communications A-21
sensor configuration A-20
Authentication pane
configuring 6-22
described 6-19
field descriptions 6-20
user roles 6-17, A-30
Authorized RSA1 Keys pane
configuring 15-5
described 15-4
field descriptions 15-4
RSA authentication 15-4
RSA key generation tool 15-5
Authorized RSA Keys pane
configuring 15-3
described 15-2
field descriptions 15-2
RSA authentication 15-2
RSA key generation tool 15-3
Auto/Cisco.com Update pane
configuring 20-25
described 5-16, 20-22
field descriptions 20-24
UNIX-style directory listings 20-23
user roles 20-22
automatic reporting configuring (IME) 1-19
automatic setup 25-2
automatic updates
Cisco.com 5-16, 20-22
configuring 5-17, 20-25
cryptographic account 5-16, 20-22
FTP servers 20-22
SCP servers 5-16, 20-22
automatic upgrade
information required 27-7
troubleshooting C-56
autonegotiation for hardware bypass 7-11
Auto Update window field descriptions 5-16
auto-upgrade-option command 27-7
B
backing up
configuration C-2
current configuration C-4
BackOrifice. See BO.
BackOrifice 2000. See BO2K.
basic setup 25-4
blocking
described 16-2
disabling 16-8
master blocking sensor 16-24
necessary information 16-3
prerequisites 16-5
supported devices 16-5
types 16-2
blocking devices
adding 16-15
deleting 16-15
editing 16-15
Blocking Devices pane
configuring 16-15
described 16-14
field descriptions 16-14
ssh host-key command 16-15
blocking not occurring for signature C-45
Blocking Properties pane
adding a host never to be blocked 16-11
configuring 16-9
described 16-7
field descriptions 16-8
BO
described B-72
Trojans B-72
BO2K
described B-72
Trojans B-72
bypass mode
ASA 5500 AIP SSM 7-30
described 7-29
signature updates 20-24
Bypass pane
field descriptions 7-29
user roles 7-28
C
calculating risk rating
attack relevance rating 8-6, 12-3
attack severity rating 8-6, 12-3
promiscuous delta 8-6, 12-3
signature fidelity rating 8-5, 12-3
target value rating 8-6, 12-3
watch list rating 8-6, 12-3
cannot access sensor C-27
Cat 6K Blocking Device Interfaces pane
configuring 16-23
described 16-21
field descriptions 16-22
CDP mode
ASA 5500-X IPS SSP 7-31
ASA 5585-X IPS SSP 7-31
described 7-31
interfaces 7-31
CDP Mode pane
configuring 7-32
field descriptions 7-31
user roles 7-31
certificates
displaying 15-15
generating 15-15
certificates (IDM) 15-11
changing Microsoft IIS to UNIX-style directory listings 20-23
cidDump obtaining information C-112
CIDEE
defined A-34
example A-34
IPS extensions A-34
protocol A-34
supported IPS events A-34
cisco
default password 24-2
default username 24-2
Cisco.com
accessing software 26-2
downloading software 26-1
software downloads 26-1
Cisco Discovery Protocol. See CDP.
Cisco IOS rate limiting 16-4
Cisco Security Intelligence Operations
described 26-8
URL 26-8
Cisco Services for IPS
service contract 20-16
supported products 20-16
clear events command 6-12, 6-16, 21-4, C-19, C-112
Clear Flow States pane
described 21-18
field descriptions 21-19
clearing
denied attackers 17-2
events 6-16, 21-4, C-112
flow states 21-19
statistics C-96
CLI
described A-4, A-30
password recovery 20-13, C-16
client manifest described A-29
clock set command 6-16
Clone Policy dialog box
field descriptions 10-8, 12-12, 13-9
user roles 10-7, 12-11, 13-9
Clone Signature dialog box field descriptions 10-12
cloning
anomaly detection policies 13-10
event action rules policies 12-12
signature definition policies 10-8
signatures 10-19
CollaborationApp described A-4, A-28
color rules
described 22-2
events (IME) 22-2
Color Rules tab
described 22-2
filters 22-2
command and control interface
described 7-2
list 7-2
commands
allocate-ips 8-15
attemptLimit 6-25
auto-upgrade-option 27-7
clear events 6-12, 6-16, 21-4, C-19, C-112
clock set 6-16
copy backup-config C-3
copy current-config C-3
debug module-boot C-64
downgrade 27-10
erase license-key 20-19
hw-module module 1 reset C-64
hw-module module slot_number password-reset 20-7, 20-11, C-10, C-14
setup 6-1, 25-1, 25-4, 25-8, 25-13, 25-17, 25-21
show events C-109
show health C-87
show module 1 details C-63, C-69, C-81
show settings 20-14, C-16
show statistics C-95
show statistics virtual-sensor C-26, C-95
show tech-support C-88
show version C-92
sw-module module slot_number password-reset 20-9, C-12
unlock user username 6-26
upgrade 27-3, 27-6
virtual-sensor name 8-16
Compare Knowledge Bases dialog box field descriptions 21-11
comparing KBs 21-11, 21-12
component signatures
risk rating B-32
configuration files
backing up C-2
merging C-2
configuration restrictions
alternate TCP reset interface 7-12
inline interface pairs 7-12
inline VLAN pairs 7-12
interfaces 7-11
physical interfaces 7-11
VLAN groups 7-13
Configure Summertime dialog box field descriptions 5-4, 6-8
configuring
account locking 6-25
account unlocking 6-26
AIC policy parameters 10-48
allowed hosts 6-6
allowed networks 6-6
anomaly detection operation settings 13-11
application policy signatures 10-48
Attacks Over Time gadgets 3-13
authorized keys 15-5
authorized RSA keys 15-3
automatic updates 5-17, 20-25
automatic upgrades 27-9
blocking devices 16-15
blocking properties 16-9
Cat 6K blocking device interfaces 16-23
CDP mode 7-32
CPU, Memory, & Load gadget 3-11
CSA MC IPS interfaces 19-3
device login profiles 16-13
event action filters 8-23, 12-17
events 21-3
event variables 8-36, 12-29
external zone 13-32
general settings 8-41, 12-34
Global Correlation Health gadget 3-8
Global Correlation Reports gadget 3-6
host blocks 17-4
illegal zone 13-25
inline VLAN pairs 5-10
inspection/reputation 14-9
inspection load statistics display 21-5
interface pairs 7-23
interfaces 7-20
interface statistics display 21-6
Interface Status gadget 3-6
internal zone 13-19
IP fragment reassembly signatures 10-52
IP logging 17-12
IPv4 target value ratings 8-26, 12-20
IPv6 target value ratings 8-28, 12-22
known host keys 15-9
known host RSA keys 15-7
learning accept mode 13-14
Licensing gadget 3-5
local authentication 6-23
master blocking sensor 16-25
network blocks 17-7
network participation 14-11
Network Security gadget 3-9
network settings 6-3
NTP servers 6-13
OS maps 8-33, 12-27
RADIUS authentication 6-23
rate limiting 17-9
rate limiting device interfaces 16-20
risk categories 8-38, 12-32
router blocking device interfaces 16-20
RSS Feed gadgets 3-11
RSS feeds 4-2
Sensor Health gadget 3-4
Sensor Information gadget 3-3
Sensor Setup window 5-4
sensor to use NTP 6-14
signature variables 10-37
SNMP 18-3
SNMP traps 18-5
time 6-9
Top Applications gadget 3-9
Top Attackers gadgets 3-12
Top Signatures gadgets 3-13
Top Victims gadgets 3-12
traffic flow notifications 7-31
trusted hosts 15-13
upgrades 27-4
users 6-22
VLAN groups 7-27
VLAN pairs 7-25
control transactions
characteristics A-9
request types A-9
copy backup-config command C-3
copy current-config command C-3
correcting time on the sensor 6-12, C-19
CPU, Memory, & Load gadget
configuring 3-11
creating
Atomic IP Advanced engine signature 10-29, 11-14
custom signatures
not using signature engines 11-4
Service HTTP 11-17
String TCP 11-22
using signature engines 11-1
event views 22-4
IPv6 signatures 10-28, 11-14
Meta signatures 10-26
Post-Block VACLs 16-21
Pre-Block VACLs 16-21
reports (IME) 23-3
String TCP XL signatures 10-34
creating the service account C-5
cryptographic account
automatic updates 5-16, 20-22
Encryption Software Export Distribution Authorization from 26-2
obtaining 26-2
cryptographic features (IME) 1-2
CSA MC
adding interfaces 19-7
configuring IPS interfaces 19-3
host posture events 19-1, 19-3
quarantined IP address events 19-1
supported IPS interfaces 19-3
CtlTransSource
described A-4, A-11
illustration A-12
current configuration back up C-2
current KB setting 21-13
custom signatures
Custom Signature Wizard 11-5
described 10-2
IPv6 signature 10-28, 11-14
Meta signature 10-26
sensor performance 11-4
String TCP XL 10-31, 10-34
Custom Signature Wizard
alert behavior 11-26
Alert Response window field descriptions 11-26
Atomic IP Engine Parameters window field descriptions 11-13
described 11-1
ICMP Traffic Type window field descriptions 11-12
Inspect Data window field descriptions 11-12
MSRPC Engine Parameters window field descriptions 11-11
no signature engine sequence 11-4
Protocol Type window field descriptions 11-10
Service HTTP Engine Parameters window field descriptions 11-16
Service RPC Engine Parameters window field descriptions 11-19
Service Type window field descriptions 11-13
signature engine sequence 11-1
Signature Identification window field descriptions 11-11
State Engine Parameters window field descriptions 11-20
String ICMP Engine Parameters window field descriptions 11-21
String TCP Engine Parameters window field descriptions 11-21
String UDP Engine Parameters window field descriptions 11-24
supported signature engines 11-2
Sweep Engine Parameters window field descriptions 11-25
TCP Sweep Type window field descriptions 11-13
TCP Traffic Type window field descriptions 11-12
UDP Sweep Type window field descriptions 11-12
UDP Traffic Type window field descriptions 11-12
using 11-5
Welcome window field descriptions 11-10
D
dashboards
adding 3-1
deleting 3-1
Data Archive dialog box
configuring 1-13
described 1-12
field descriptions 1-12
data archiving configuring 1-13
data nodes 11-25, B-67
data structures (examples) A-8
DDoS
protocols B-72
Stacheldraht B-72
TFN B-72
debug logging enable C-47
debug module-boot command C-64
default policies
ad0 13-9
rules0 12-2, 12-11
sig0 10-7
defaults
KB filename 13-12
password 24-2
restoring 20-29
username 24-2
virtual sensor vs0 8-2
deleting
anomaly detection policies 13-10
blocking devices 16-15
denied attackers 17-2
event action filters 8-23, 12-17
event action overrides 12-14
event action rules policies 12-12
event variables 8-36, 12-29
host blocks 17-4
imported OS values 21-18
IPv4 target value ratings 8-26, 12-20
IPv6 target value ratings 8-28, 12-22
KBs 21-14
learned OS values 21-17
network blocks 17-7
OS maps 8-33, 12-27
rate limiting devices 16-15
rate limits 17-9
risk categories 8-38, 12-32
signature definition policies 10-8
signature variables 10-37
virtual sensors 8-13
Demo mode (IME) 1-7
demo reports described 23-1
Denial of Service. See DoS.
denied attackers
adding 17-2
clearing 17-2
deleting 17-2
hit count 17-1
resetting hit counts 17-2
viewing hit counts 17-2
viewing list 17-2
Denied Attackers pane
described 17-1
field descriptions 17-2
user roles 17-1
using 17-2
deny actions (list) 10-3, 10-15, 12-8
Deny Packet Inline described 12-10
detect mode (anomaly detection) 13-4
device access issues C-42
Device Details pane described 2-1
Device List pane
described 2-1
field descriptions 2-2
Device Login Profiles pane
configuring 16-13
described 16-12
field descriptions 16-12
devices
adding 2-4
deleting 2-4
editing 2-4
device tools
DNS lookup 2-6
ping 2-6
traceroute 2-6
whois 2-6
Diagnostics Report pane
button functions 21-21
described 21-21
user roles 21-20
using 21-21
diagnostics reports 21-21
Differences between knowledge bases KB_Name and KB_Name window field descriptions 21-11
disabling
anomaly detection 13-35, C-21
blocking 16-8
event action filters 8-23, 12-17
global correlation 14-12
interfaces 7-20
password recovery 20-13, C-16
signatures 10-17
disaster recovery C-6
displaying
events 21-3, C-110
health status C-87
imported OS maps 21-17
inspection load statistics 21-5
interface statistics 21-6
learned OS maps 21-16
password recovery setting 20-14, C-16
sensor statistics 21-22
statistics C-96
tech support information C-89
version C-92
Distributed Denial of Service. See DDoS.
DNS lookup device tool (IME) 1-4, 2-6, 3-15, 3-16, 22-6
DoS tools
Stacheldraht B-72
stick B-7
TFN B-72
downgrade command 27-10
downgrading sensors 27-10
downloading
Cisco software 26-1
KBs 21-15
Download Knowledge Base From Sensor dialog box
described 21-15
field descriptions 21-15
duplicate IP addresses C-30
E
Edit ACL Entry dialog box field descriptions 5-3
Edit Allowed Host dialog box
field descriptions 6-6
user roles 6-5
Edit Authorized RSA1 Key dialog box
field descriptions 15-5
user roles 15-4
Edit Authorized RSA Key dialog box
field descriptions 15-3
user roles 15-2
Edit Blocking Device dialog box
field descriptions 16-15
user roles 16-14
Edit Cat 6K Blocking Device Interface dialog box
field descriptions 16-22
user roles 16-21
Edit Configured OS Map dialog box
field descriptions 8-32, 12-26
user roles 8-31, 12-23
Edit Destination Port dialog box
field descriptions 13-17, 13-23, 13-30
user roles 13-15
Edit Device dialog box field descriptions 2-3
Edit Device Login Profile dialog box
field descriptions 16-12
user roles 16-12
Edit Event Action Filter dialog box
field descriptions 8-22, 12-16
user roles 12-15
Edit Event Action Override dialog box
field descriptions 8-12, 12-13
user roles 8-12, 12-13
Edit Event Variable dialog box
field descriptions 8-35, 12-29
user roles 8-34, 12-28
Edit External Product Interface dialog box
field descriptions 19-6
user roles 19-4
Edit Filter dialog box field descriptions 3-19
Edit Histogram dialog box
field descriptions 13-17, 13-24, 13-30
user roles 13-15
editing
blocking devices 16-15
event action filters 8-23, 12-17
event action overrides 12-14
event variables 8-36, 12-29
interfaces 7-21
IPv4 target value ratings 8-26, 12-20
IPv6 target value ratings 8-28, 12-22
OS maps 8-33, 12-27
rate limiting devices 16-15
risk categories 8-38, 12-32
signatures 10-20
signature variables 10-37
virtual sensors 8-13
Edit Inline VLAN Pair dialog box
field descriptions 7-24
user roles 7-23
Edit Inline VLAN Pair Entry dialog box field descriptions 5-10
Edit Interface dialog box
field descriptions 7-20
user roles 7-18
Edit Interface Pair dialog box
field descriptions 7-22
user roles 7-22
Edit IP Logging dialog box field descriptions 17-11
Edit Known Host RSA1 Key dialog box
field descriptions 15-9
user roles 15-8
Edit Known Host RSA Key dialog box
field descriptions 15-7
user roles 15-6
Edit Master Blocking Sensor dialog box
field descriptions 16-25
user roles 16-24
Edit Never Block Address dialog box
field descriptions 16-10
user roles 16-7
Edit Posture ACL dialog box field descriptions 19-7
Edit Protocol Number dialog box field descriptions 13-18, 13-25, 13-32
Edit Risk Level dialog box
field descriptions 8-38, 12-31
user roles 8-37, 12-31
Edit Router Blocking Device Interface dialog box
field descriptions 16-19
user roles 16-17
Edit Signature dialog box field descriptions 10-12
Edit Signature Variable dialog box
field descriptions 10-36
user roles 10-36
Edit SNMP Trap Destination dialog box
field descriptions 18-5
user roles 18-4
Edit Start Time dialog box
field descriptions 13-14
user roles 13-12
Edit Target Value Rating dialog box
field descriptions 8-26, 8-28
user roles 8-26, 8-27
Edit User dialog box
field descriptions 6-22
user roles 6-19, 6-22
Edit Virtual Sensor dialog box
field descriptions 8-10
user roles 8-10
Edit VLAN Group dialog box
field descriptions 7-27
user roles 7-26
efficacy
described 14-4
measurements 14-4
email notification
configuring (IME) 1-16
example (IME) 1-15
email setup (IME) 1-14
Email Setup dialog box
configuring 1-14
described 1-14
field descriptions 1-14
enabling
anomaly detection 13-4
event action filters 8-23, 12-17
event action overrides 12-14
interfaces 7-20
packet logging 20-3
signatures 10-17
enabling debug logging C-47
Encryption Software Export Distribution Authorization form
cryptographic account 26-2
described 26-2
engines
AIC B-10
AIC FTP B-11
AIC HTTP B-11
Atomic ARP B-13
Atomic IP 11-13, B-24
Atomic IP Advanced B-14
Atomic IPv6 B-27
Fixed B-28
Fixed ICMP B-28
Fixed TCP B-28
Fixed UDP B-28
Flood B-31
Flood Host B-31
Flood Net B-31
Master B-4
Meta 10-25, B-32
Multi String B-34
Normalizer B-36
Service B-39
Service DNS B-39
Service FTP B-41
Service Generic B-42
Service H225 B-43
Service HTTP 11-16, B-46
Service IDENT B-48
Service MSRPC 11-11, B-48
Service MSSQL B-50
Service NTP B-51
Service P2P B-52
Service RPC 11-19, B-52
Service SMB Advanced B-54
Service SNMP B-56
Service SSH B-57
Service TNS B-57
State 11-20, B-59
String 11-21, 11-24, B-61
String ICMP 11-21, 11-24, B-61
String TCP 11-21, 11-24, B-61
String UDP 11-21, 11-24, B-61
Sweep 11-24, B-66
Sweep Other TCP B-69
Traffic Anomaly B-69
Traffic ICMP B-72
Trojan B-72
EPS
described 1-3
IME Home pane 1-3
erase license-key command 20-19
errors (Analysis Engine) C-55
evAlert A-9
event action filters
adding 8-23, 12-17
configuring 8-23, 12-17
deleting 8-23, 12-17
described 8-20, 12-4
disabling 8-23, 12-17
editing 8-23, 12-17
enabling 8-23, 12-17
moving 8-23, 12-17
Event Action Filters tab
configuring 8-23, 12-17
described 8-21, 12-15
field descriptions 8-21, 12-15
event action overrides
adding 12-14
deleting 12-14
described 8-5, 12-4
editing 12-14
enabling 12-14
risk rating range 8-5, 12-4
Event Action Overrides tab
described 12-13
field descriptions 12-13
Event Action Rules (rules0) pane described 12-13
Event Action Rules pane
described 12-2, 12-11
field descriptions 12-12
user roles 12-11
event action rules policies
adding 12-12
cloning 12-12
deleting 12-12
event action rules variables 8-21, 12-15
event actions
risk ratings 8-6, 12-4
threat ratings 8-6, 12-4
event connection status
displaying 2-5
starting 2-5
stopping 2-5
Event Monitoring pane
described 22-1
filters 22-2
events
clearing 6-16, 21-4, C-112
color rules 22-2
displaying C-110
grouping 22-2
host posture 19-2
quarantined IP address 19-2
Events pane
configuring 21-3
described 21-1
field descriptions 21-2
events per second. See EPS.
Event Store
clearing 6-16, 21-4, C-112
clearing events 6-12, C-19
data structures A-8
described A-4
examples A-8
no alerts C-34
responsibilities A-7
time stamp 6-12, C-19
timestamp A-7
event types C-108
event variables
adding 8-36, 12-29
configuring 8-36, 12-29
deleting 8-36, 12-29
described 8-34, 12-28
editing 8-36, 12-29
example 8-35, 12-29
Event Variables tab
configuring 8-36, 12-29
field descriptions 8-35, 12-29
Event Viewer pane
displaying events 21-3
field descriptions 21-3
event views
creating 22-4
using 22-4
evError A-9
evLogTransaction A-9
evShunRqst A-9
evStatus A-9
example custom signatures
Atomic IP Advanced 10-29, 11-14
Meta 10-26
Service HTTP 11-17
String TCP 11-22
String TCP XL 10-31
examples
AIC engine signature 10-48
ASA failover configuration C-63, C-69, C-81
Atomic IP Advanced engine signature 10-28, 11-14
automatic update 20-25
configured OS maps 8-31, 12-24
default anomaly detection configuration 13-4
email notification (IME) 1-15
email notifications (IME) 1-17
IP Fragment Reassembly signature 10-52
IPv6 attacker address 8-22, 12-16
IPv6 victim address 8-22, 12-16
KB histogram 13-13, 21-8
Meta engine signature 10-26
Service HTTP engine signature 11-17
SPAN configuration for IPv6 support 7-15
String TCP engine signature 11-22
String TCP XL engine signature 10-31, 10-34
System Configuration Dialog 25-2
TCP Stream Reassembly signature 10-59
external product interfaces
adding 19-7
described 19-1
issues 19-3, C-24
troubleshooting 19-10, C-24
trusted hosts 19-4
External Product Interfaces pane
described 19-4
field descriptions 19-5
external zone
configuring 13-32
protocols 13-29
External Zone tab
described 13-29
tabs 13-29
user roles 13-29
F
fail-over testing 7-10
false positives described 10-2
Fields tab described 22-2
files Cisco IPS (list) 26-1
Filtered Events vs All Events Reports described 1-19, 23-2
filtering described 22-2
Filter pane field descriptions 22-3
filters
configuring 3-16, 22-6
creating reports 23-3
Fixed engine described B-28
Fixed ICMP engine parameters (table) B-29
Fixed TCP engine parameters (table) B-29
Fixed UDP engine parameters (table) B-30
Flood engine described B-31
Flood Host engine parameters (table) B-31
Flood Net engine parameters (table) B-32
flow states clearing 21-19
FTP servers
automatic updates 20-22
signature updates 20-27
FTP servers and software updates 20-23, 27-2
G
gadgets
adding 3-1
Attacks Over Time 3-13
deleting 3-1
Global Correlation Health 3-7
Global Correlation Reports 3-6
Interface Status 3-5
Licensing 3-5
Network Security 3-8
RSS Feed 3-11
Sensor Health 3-3
Sensor Information 3-2
Top Applications 3-9
Top Attackers 3-11
Top Signatures 3-13
Top Victims 3-12
General dialog box
configuring 1-11
described 1-11
field descriptions 1-11
user roles 1-11
general settings
configuring 8-41, 12-34
described 8-40, 12-33
General tab
configuring 8-41, 12-34
described 8-40, 12-33, 13-16, 13-23
described (IME) 22-2
enabling zones 13-16, 13-23
field descriptions 8-41, 12-34, 13-16, 13-23
user roles 8-40, 12-33
generating diagnostics reports 21-21
global correlation 23-2
described 1-2, 14-1, 14-2
disabling 14-12
disabling about 14-12
DNS server 14-6
error messages A-29
features 14-5
goals 14-5
health metrics 14-7
health status 14-7
HTTP proxy server 14-6
license 6-3, 14-6, 14-8, 25-1, 25-5
no IPv6 support 8-23, 8-28, 8-36, 14-6
Produce Alert 10-2, 10-14, 12-8
requirements 14-6
risk rating 14-5
shared policies 9-1
troubleshooting 14-11, C-23
update client (illustration) 14-8
global correlation connection status
displaying 2-5
starting 2-5
stopping 2-5
Global Correlation Health gadget
configuring 3-8
described 3-7
Global Correlation Reports described 23-2
Global Correlation Reports gadget
configuring 3-6
described 3-6
Global Correlation Update
client described A-28
server described A-28
Group By tab described 22-2
grouping events 22-2
GRUB menu password recovery 20-5, C-8
H
H.225.0 protocol B-43
H.323 protocol B-43
hardware bypass
autonegotiation 7-11
configuration restrictions 7-10
fail-over 7-10
IPS 4260 7-10
IPS 4270-20 7-10
supported configurations 7-10
with software bypass 7-10
health connection status
displaying 2-5
starting 2-5
stopping 2-5
health status
global correlation 14-7
metrics 3-4
sensor 3-3
health status display C-87
host blocks
adding 17-4
deleting 17-4
managing 17-4
Host Blocks pane
configuring 17-4
described 17-3
field descriptions 17-3
user roles 17-3
host posture events
CSA MC 19-3
described 19-2
HTTP/HTTPS servers supported 20-23, 27-2
HTTP advanced decoding
described 8-4
platform support 8-5
restrictions 8-4
HTTP deobfuscation
ASCII normalization 11-16, B-46
described 11-16, B-46
hw-module module 1 reset command C-64
hw-module module slot_number password-reset command 20-7, 20-11, C-10, C-14
I
IDAPI
communications A-4, A-32
described A-4
functions A-32
illustration A-32
responsibilities A-32
IDCONF
described A-33
example A-33
RDEP2 A-33
XML A-33
IDIOM
defined A-33
messages A-33
IDM
Analysis Engine is busy C-59
certificates 15-11
Custom Signature Wizard supported signature engines 11-2
TLS 15-11
will not load C-58
illegal zone configuring 13-25
Illegal Zone tab
described 13-22
user roles 13-22
IME
color rules 22-2
Color Rules tab 22-2
configuring
automatic reporting 1-19
email notification 1-16
filters 3-16, 22-6
RSS feeds 4-2
views 3-16, 22-6
cryptographic features 1-2
dashboards
adding 3-1
deleting 3-1
Demo mode 1-7
described 1-1
devices
adding 2-4
deleting 2-4
editing 2-4
email notification example 1-17
EPS 1-3
event connection status
displaying 2-5
starting 2-5
stopping 2-5
Event Monitoring pane 22-1
Fields tab 22-2
filtering 22-2
gadgets
adding 3-1
deleting 3-1
General tab 22-2
global correlation connection status
displaying 2-5
starting 2-5
stopping 2-5
Group By tab 22-2
grouping events 22-2
health connection status
displaying 2-5
starting 2-5
stopping 2-5
installation error 1-20, C-61
installation notes and caveats 1-8
installing 1-8
IPS versions 1-6
known host key retrieval 15-6, 15-7, 15-8, 15-9
menu features 1-4
MySQL database 1-8
password recovery 20-13, C-16
password requirements 1-10
reports
configuring 23-3
described 23-1
generating 23-3
report types 23-1
supported platforms 1-5
system requirements 1-4
using event views 22-4
video help 1-3
working with
top attacker IP addresses 3-14
top signatures 3-15
top victim IP addresses 3-14
IME Home pane
described 1-3
EPS 1-3
features 1-3
IME time synchronization problems C-61
Imported OS pane
clearing 21-18
described 21-17
field descriptions 21-18
imported OS values
clearing 21-18
deleting 21-18
inactive mode (anomaly detection) 13-4
initializing
appliances 25-8
ASA 5500 AIP SSM 25-13
ASA 5500-X IPS SSP 25-17
ASA 5585-X IPS SSP 25-21
sensors 6-1, 25-1, 25-4
verifying 25-24
inline interface pair mode
configuration restrictions 7-12
described 7-15
illustration 7-16
Inline Interface Pair window
described 5-9
Startup Wizard 5-9
inline mode
interface cards 7-3
normalization 8-4
pairing interfaces 7-3
inline TCP session tracking modes described 8-4
inline VLAN pair mode
configuration restrictions 7-12
configuring 5-10
described 7-16
illustration 7-17
supported sensors 7-16
Inline VLAN Pairs window
described 5-9
field descriptions 5-10
Startup Wizard 5-9
Inspection/Reputation pane
configuring 14-9
described 14-8
field descriptions 14-9
Inspection Load Statistics pane
configuring 21-5
described 21-4
field descriptions 21-4
user roles 21-4
installer major version 26-5
installer minor version 26-5
installing
IME 1-8
sensor license 20-17
system image
ASA 5500 AIP SSM 27-27
ASA 5500-X IPS SSP 27-29
ASA 5585-X IPS SSP 27-31
IPS 4240 27-14
IPS 4255 27-14
IPS 4260 27-17
IPS 4270-20 27-19
IPS 4345 27-22
IPS 4360 27-22
IPS 4510 27-25
IPS 4520 27-25
IntelliShield
alerts 10-10
MySDN 10-10
InterfaceApp
described A-20
interactions A-20
NIC drivers A-20
InterfaceApp described A-4
interface pairs
configuring 7-23
described 7-22
Interface Pairs pane
configuring 7-23
described 7-22
field descriptions 7-22
user roles 7-22
interfaces
alternate TCP reset 7-2
command and control 7-2
configuration restrictions 7-11
configuring 7-20
described 5-7, 7-1
disabling 7-20
editing 7-21
enabling 7-20
logical 5-7
physical 5-7
port numbers 7-1
sensing 7-2, 7-3
slot numbers 7-1
support (table) 7-4
TCP reset 7-8
Interface Selection window
described 5-9
Startup Wizard 5-9
Interfaces pane
configuring 7-20
described 7-19
field descriptions 7-19
user roles 7-18
Interface Statistics pane
configuring 21-6
described 21-5
field descriptions 21-6
Interface Status gadget
configuring 3-6
described 3-5
Interface Summary window
described 5-7
field descriptions 5-8
internal zone configuring 13-19
Internal Zone tab
described 13-15
user roles 13-15
IP fragmentation described B-36
IP fragment reassembly
configuring 10-51
described 10-49
mode 10-51
parameters (table) 10-50
signatures 10-52
signatures (example) 10-52
signatures (table) 10-50
IP logging
described 10-60, 17-10
event actions 17-11
system performance 17-10, 17-11
IP Logging pane
configuring 17-12
described 17-11
field descriptions 17-11
user roles 17-11
IP Logging Variables pane
described 20-21
field description 20-22
user roles 20-21
IP logs
circular buffer 17-10
states 17-10
TCPDUMP 17-10
viewing 17-12
Wireshark 17-10
IPS 4240
7200 series router C-26
installing system image 27-14
password recovery 20-6, C-9
reimaging 27-14
IPS 4255
installing system image 27-14
password recovery 20-6, C-9
reimaging 27-14
IPS 4260
hardware bypass 7-10
installing system image 27-17
password recovery C-8
reimaging 27-17
IPS 4270-20
hardware bypass 7-10
installing system image 27-19
password recovery 20-5, C-8
reimaging 27-19
IPS 4345
installing system image 27-22
password recovery 20-5, 20-6, C-8, C-9
reimaging 27-21
IPS 4360
installing system image 27-22
password recovery 20-5, C-8, C-9
reimaging 27-21
IPS 4510
installing system image 27-25
password recovery 20-5, 20-6, C-8, C-9
reimaging 27-25
SwitchApp A-30
IPS 4520
installing system image 27-25
password recovery 20-5, 20-6, C-8, C-9
reimaging 27-25
SwitchApp A-30
IPS applications
summary A-36
table A-36
XML format A-4
IPS clock synchronization 6-11, C-18
IPS data
types A-8
XML document A-9
IPS events
evAlert A-9
evError A-9
evLogTransaction A-9
evShunRqst A-9
evStatus A-9
list A-9
types A-9
IPS internal communications A-32
IPS Manager Express described 1-1
IPS Policies pane
described 8-8
Event Action Rules 8-9
field descriptions 8-9
IPS software
application list A-4
available files 26-1
configuring device parameters A-5
directory structure A-35
Linux OS A-1
obtaining 26-1
platform-dependent release examples 26-6
retrieving data A-5
security features A-5
tuning signatures A-5
updating A-5
user interaction A-5
versioning scheme 26-3
IPS software file names
major updates (illustration) 26-4
minor updates (illustration) 26-4
patch releases (illustration) 26-4
service packs (illustration) 26-4
IPS versions supported (IME) 1-6
IPv4
address format 8-34, 12-28
event variables 8-34, 12-28
IPv4 Add Target Value Rating dialog box
field descriptions 12-20
user roles 12-20
IPv4 Edit Target Value Rating dialog box
field descriptions 12-20
user roles 12-20
IPv4 target value ratings
adding 8-26, 12-20
deleting 8-26, 12-20
editing 8-26, 12-20
IPv4 Target Value Rating tab
configuring 8-26, 12-20
field descriptions 8-26, 12-20
IPv6
address format 8-35, 12-28
described B-28
event variables 8-35, 12-28
SPAN ports 7-14
switches 7-14
IPv6 Add Target Value Rating dialog box
field descriptions 12-22
user roles 12-21
IPv6 Edit Target Value Rating dialog box
field descriptions 12-22
user roles 12-21
IPv6 target value ratings
adding 8-28, 12-22
configuring 8-28, 12-22
deleting 8-28, 12-22
editing 8-28, 12-22
IPv6 Target Value Rating tab
configuring 8-28, 12-22
field descriptions 8-27, 12-21
K
KBs
comparing 21-12
default filename 13-12
deleting 21-14
described 13-3
downloading 21-15
histogram 13-12, 21-8
initial baseline 13-3
learning accept mode 13-12
loading 21-13
monitoring 21-10
renaming 21-14
saving 21-13
scanner threshold 13-12, 21-8
tree structure 13-12, 21-8
uploading 21-16
Knowledge Base. See KB.
Known Host RSA1 Keys pane
configuring 15-9
described 15-8
field descriptions 15-9
Known Host RSA Keys pane
configuring 15-7
described 15-6
field descriptions 15-7
L
Learned OS pane
clearing 21-17
described 21-16
field descriptions 21-17
learned OS values
clearing 21-17
deleting 21-17
learning accept mode
anomaly detection 13-3
configuring 13-14
Learning Accept Mode tab
described 13-12
field descriptions 13-14
user roles 13-12
license key
obtaining 20-15
trial 20-15
uninstalling 20-19
viewing status of 20-15
licensing
described 20-15
IPS device serial number 20-15
Licensing gadget
configuring 3-5
described 3-5
Licensing pane
configuring 20-17
described 20-15
field descriptions 20-16
user roles 20-15
limitations for concurrent CLI sessions 24-1
listings UNIX-style 20-23
loading KBs 21-13
local authentication configuring 6-23
Logger
described A-4, A-19
functions A-19
syslog messages A-19
logging in
appliances 24-2
ASA 5500 AIP SSM 24-4
ASA 5500-X IPS SSP 24-5
ASA 5585-X IPS SSP 24-6
sensors
SSH 24-7
Telnet 24-7
service role 24-2
terminal servers 24-3, 27-13
user role 24-1
LOKI
described B-72
protocol B-72
loose connections on sensors C-25
M
MainApp
components A-6
described A-4, A-6
host statistics A-6
responsibilities A-6
show version command A-6
major updates described 26-3
Manage Filter Rules dialog box field descriptions 3-18
managing
host blocks 17-4
network blocks 17-7
rate limiting 17-9
manifests
client A-29
server A-29
manually updating sensor 20-27
master blocking sensor
described 16-24
not set up properly C-46
verifying configuration C-46
Master Blocking Sensor pane
configuring 16-25
described 16-24
field descriptions 16-25
Master engine
alert frequency B-7
alert frequency parameters (table) B-7
described B-4
event actions 12-8, B-8
general parameters (table) B-4
universal parameters B-4
master engine parameters
obsoletes B-6
promiscuous delta B-6
vulnerable OSes B-6
merging configuration files C-2
Meta engine
described 10-25, B-32
parameters (table) B-33
Signature Event Action Processor 10-25, B-32
Meta Event Generator described 8-40, 12-33
Meta signature
component signatures B-32
metrics for sensor health 20-20
MIBs supported 18-6, C-20
minor updates described 26-3
Miscellaneous tab
application policy parameters 10-38
configuring
application policy 10-48
IP fragment reassembly mode 10-51
IP logging 10-60
TCP stream reassembly mode 10-58
described 10-38
field descriptions 10-39
IP fragment reassembly options 10-38
IP logging options 10-39
TCP stream reassembly 10-38
user roles 10-38
modes
anomaly detection detect 13-4
anomaly detection learning accept 13-3
asymmetric 8-4
bypass 7-29
inactive (anomaly detection) 13-4
inline interface pair 7-15
inline TCP tracking 8-4
inline VLAN pair 7-16
Normalizer 8-4
promiscuous 7-14
VLAN groups 7-17
monitoring
displaying statistics 21-6
events 21-3
inspection load statistics 21-4, 21-5
KBs 21-10
moving
event action filters 8-23, 12-17
OS maps 8-33, 12-27
Multi String engine
described B-34
parameters (table) B-35
Regex B-34
MySDN
described 10-10
IntelliShield 10-11
MySQL database
coexisting with IME 1-8
installing IME 1-8
N
NAS-ID
described 6-23
RADIUS authentication 6-23
Neighborhood Discovery
options B-28
types B-28
network blocks
adding 17-7
deleting 17-7
managing 17-7
Network Blocks pane
configuring 17-7
described 17-6
field descriptions 17-6
user roles 17-6
Network pane
configuring 6-3
described 6-2
field descriptions 6-2
TLS/SSL 6-4
user roles 6-2
network participation
data gathered 14-3
data use (table) 1-3, 14-2
described 14-3
health metrics 14-7
modes 14-4
requirements 14-3
SensorBase Network 14-4
statistics 14-4
network participation data
improving signature fidelity 14-4
understanding sensor deployment 14-4
Network Participation pane
configuring 14-11
described 14-10
field descriptions 14-10
Network Security gadget
configuring 3-9
described 3-8
never block
hosts 16-7
networks 16-7
normalization described 8-4
Normalizer engine
ASA 5500 AIP SSM B-37
ASA 5500-X IPS SSP B-37
ASA 5585-X IPS SSP B-37
described B-36
IP fragment reassembly B-36
IPv6 fragments B-36
modify packets inline 8-4
parameters (table) B-38
TCP stream reassembly B-36
NotificationApp
alert information A-9
described A-4
functions A-9
SNMP gets A-9
SNMP traps A-9
statistics A-11
system health information A-10
Notifications dialog box
configuring 1-16
field descriptions 1-15
NTP
authenticated 6-10, 6-14, C-17
configuring servers 6-13
described 6-10, C-17
incorrect configuration 6-11, C-18
sensor time source 6-12, 6-14
time synchronization 6-10, C-17
unauthenticated 6-10, 6-14, C-17
verifying configuration 6-11
O
Obfuscated Traffic/Attacks reports described 23-2
obsoletes field described B-6
obtaining
cryptographic account 26-2
IPS software 26-1
license key 20-15
sensor license 20-17
one-way TCP reset described 8-40, 12-34
Operation Settings tab
described 13-11
field descriptions 13-11
user roles 13-11
OS Identifications tab
described 8-31, 12-23
field descriptions 8-32, 12-25
OS information sources 8-30, 12-24
OS maps
adding 8-33, 12-27
configuring 8-33, 12-27
deleting 8-33, 12-27
editing 8-33, 12-27
moving 8-33, 12-27
other actions (list) 10-4, 10-16, 12-9
Other Protocols tab
described 13-18, 13-25, 13-31
enabling other protocols 13-18
external zone 13-31
field descriptions 13-18, 13-31
illegal zone 13-25
P
P2P networks described B-52
Packet Logging pane
described 20-3
field descriptions 20-3
partitions
application A-4
recovery A-5
passive OS fingerprinting
components 8-30, 12-24
configuring 8-31, 12-25
described 8-30, 12-24
enabled (default) 8-31, 12-25
password policy caution 20-2, 20-3
password recovery
appliances 20-5, C-8
ASA 5500 AIP SSM 20-7, 20-11, C-10
ASA 5500-X IPS SSP 20-9, C-12
ASA 5585-X IPS SSP C-14
CLI 20-13, C-16
described 20-4, C-8
disabling 20-13, C-16
displaying setting 20-14, C-16
GRUB menu 20-5, C-8
IME 20-13, C-16
IPS 4240 20-6, C-9
IPS 4255 20-6, C-9
IPS 4260 C-8
IPS 4270-20 20-5, C-8
IPS 4345 20-5, 20-6, C-8, C-9
IPS 4360 20-5, C-8, C-9
IPS 4510 20-5, 20-6, C-8, C-9
IPS 4520 20-5, 20-6, C-8, C-9
platforms 20-4, C-8
ROMMON 20-6, C-9
troubleshooting 20-14, C-17
verifying 20-14, C-16
password requirements configuring 20-2
Passwords pane
configuring 20-2
described 20-1
field descriptions 20-2
patch releases described 26-3
peacetime learning (anomaly detection) 13-3
Peer-to-Peer. See P2P.
physical connectivity issues C-33
physical interfaces configuration restrictions 7-11
ping device tool (IME) 1-4, 2-6, 3-15, 3-16, 22-6
platforms concurrent CLI sessions 24-1
policy groups
described 9-4
managing 9-4
Post-Block ACLs 16-17, 16-18
Pre-Block ACLs 16-17, 16-18
prerequisites for blocking 16-5
promiscuous delta
calculating risk rating 8-6, 12-3
described 8-6, 12-3
promiscuous delta described B-6
promiscuous mode
atomic attacks 7-14
described 7-14
illustration 7-14
packet flow 7-14
SPAN ports 7-14
TCP reset interfaces 7-8
VACL capture 7-14
protocols
ARP B-13
CDP 7-31
CIDEE A-34
DCE 11-11, B-48
DDoS B-72
H.323 B-43
H.225.0 B-43
ICMPv6 B-14
IDAPI A-32
IDCONF A-33
IDIOM A-33
IPv6 B-28
LOKI B-72
MSSQL B-50
Neighborhood Discovery B-28
Q.931 B-43
RPC 11-11, B-48
SDEE A-34
Signature Wizard 11-10
Q
Q.931 protocol
described B-43
SETUP messages B-43
quarantined IP address events described 19-2
R
RADIUS
attempt limit C-23
multiple cisco av-pairs 6-21, 6-24
RADIUS authentication
configuring 6-23
described 6-19
NAS-ID 6-23
service account 6-18
shared secret 6-24
rate limiting
ACLs 16-5
configuring 17-9
described 16-4
managing 17-9
percentages 17-8
routers 16-4
service policies 16-5
supported signatures 16-4
rate limiting devices
adding 16-15
deleting 16-15
editing 16-15
rate limits
adding 17-9
deleting 17-9
Rate Limits pane
configuring 17-9
described 17-7
field descriptions 17-8
raw expression syntax
described B-63
expert mode B-63
Raw Regex
described 10-32, 10-35, B-63
expert mode 10-32, 10-35, B-63
rebooting the sensor 20-30
Reboot Sensor pane
configuring 20-30
described 20-30
user roles 20-29
receiving RSS feeds (IME) 4-1
recover command 27-11
recovering
application partition image 27-11
ASA 5500 AIP SSM C-64
recovery partition
described A-5
upgrade 27-6
Regex
Multi String engine B-34
standardized 10-5, B-1
Regular Expression. See also Regex.
regular expression syntax
raw Regex 10-32, 10-35, B-63
signatures B-9
reimaging
ASA 5500-X IPS SSP 27-29
described 27-1
IPS 4240 27-14
IPS 4255 27-14
IPS 4260 27-17
IPS 4270-20 27-19
IPS 4345 27-21
IPS 4360 27-21
IPS 4510 27-25
IPS 4520 27-25
sensors 27-1, 27-11
removing
last applied
service pack 27-10
signature update 27-10
Rename Knowledge Base dialog box field descriptions 21-14
renaming KBs 21-14
reports
configuring 23-3
customizing 23-3
described 23-1
generating 23-3
using filters 23-3
Reports dialog box
configuring 1-19
field descriptions 1-18
report types 23-2
attacks over time 1-18, 23-2
demo 23-1
filtered events vs all events 1-19, 23-2
obfuscated traffic/attacks 23-2
top attackers 1-18, 23-1
top signatures 1-18, 23-2
top victim 1-18, 23-2
user-defined 23-1
reputation
described 14-2
illustration 14-3
servers 14-3
requirements passwords (IME) 1-10
Reset Network Security Health pane
described 21-20
field descriptions 21-20
resetting data 21-20
user roles 21-20
reset not occurring for a signature C-53
resetting
ASA 5500 AIP SSM C-64
hit counts for denied attackers 17-2
network security health data 21-20
passwords
ASDM 20-9, 20-10, 20-13, C-12, C-13, C-15
hw-module command 20-7, 20-11, C-10, C-14
sw-module command 20-9, C-12
resetting the password
ASA 5500 AIP SSM 20-7, 20-11, C-10
ASA 5500-X IPS SSP 20-9, C-12
ASA 5585-X IPS SSP C-14
Restore Default Interface dialog box field descriptions 5-8
Restore Defaults pane
configuring 20-29
described 20-29
user roles 20-29
restoring
current configuration C-4
defaults 20-29
retiring signatures 10-17
risk categories
adding 8-38, 12-32
configuring 8-38, 12-32
deleting 8-38, 12-32
editing 8-38, 12-32
Risk Category tab
configuring 8-38, 12-32
described 8-37, 12-31
field descriptions 8-38, 12-31
risk rating
Alarm Channel 14-5
calculating 8-5, 12-2
component signatures B-32
described 8-30, 12-24
global correlation 14-5
reputation score 14-5
ROMMON
ASA 5585-X IPS SSP 27-33
described 27-13
IPS 4240 20-6, 27-14, C-9
IPS 4255 20-6, 27-14, C-9
IPS 4260 27-17
IPS 4270-20 27-19
IPS 4345 20-6, 27-22, C-9
IPS 4360 27-22, C-9
IPS 4510 20-6, 27-25, C-9
IPS 4520 20-6, 27-25, C-9
password recovery 20-6, C-9
remote sensors 27-13
serial console port 27-13
TFTP 27-13
round-trip time. See RTT.
Router Blocking Device Interfaces pane
configuring 16-20
described 16-17
field descriptions 16-19
RPC portmapper 11-19, B-52
RSS Feed gadgets
configuring 3-11
described 3-11
RSS feeds
channels 4-1
configuring 4-2
described 4-1
formats 4-1
receiving 4-1
RTT
described 27-13
TFTP limitation 27-13
S
Save Knowledge Base dialog box
described 21-13
field descriptions 21-13
saving KBs 21-13
scheduling automatic upgrades 27-9
SDEE
described A-34
HTTP A-34
protocol A-34
server requests A-34
security
account locking 6-25
information on Cisco Security Intelligence Operations 26-8
information on MySDN 10-10
SSH 15-1
security policies described 8-1, 10-1, 12-1, 13-1
sensing interface
ASA 5500 AIP SSM 8-15
ASA 5500-X IPS SSP 8-15
ASA 5585-X IPS SSP 8-15
sensing interfaces
Analysis Engine 7-3
described 7-3
interface cards 7-3
modes 7-3
SensorApp
Alarm Channel A-24
Analysis Engine A-24
described A-4
event action filtering A-25
inline packet processing A-24
IP normalization A-25
packet flow A-26
processors A-23
responsibilities A-23
risk rating A-25
Signature Event Action Processor A-23
signature updates 20-23
TCP normalization A-25
SensorBase Network
described 1-2, 14-1, 14-2
network participation 14-4
participation 1-2, 14-2
servers 1-2, 14-2
sensor health
critical settings 20-20
metrics 20-20
Sensor Health gadget
configuring 3-4
described 3-3
metrics 3-4
status 3-4
Sensor Health pane
described 20-20
field descriptions 20-21
user roles 20-20
Sensor Information gadget
configuring 3-3
described 3-2
Sensor Key pane
button functions 15-11
described 15-11
field descriptions 15-11
sensor SSH host key
displaying 15-11
generating 15-11
user roles 15-10
sensor license
installing 20-17
obtaining 20-17
sensors
access problems C-27
application partition image 27-11
asymmetric traffic and disabling anomaly detection 13-35, C-21
blocking self 16-8
command and control interfaces (list) 7-2
configuring to use NTP 6-14
corrupted SensorApp configuration C-37
diagnostics reports 21-21
disaster recovery C-6
downgrading 27-10
incorrect NTP configuration 6-11, C-18
initializing 6-1, 25-1, 25-4
interface support 7-4
IP address conflicts C-30
logging in
SSH 24-7
Telnet 24-7
loose connections C-25
misconfigured access lists C-29
no alerts C-34, C-60
not seeing packets C-36
NTP time source 6-14
NTP time synchronization 6-10, C-17
partitions A-4
physical connectivity C-33
preventive maintenance C-2
rebooting 20-30
reimaging 27-1
restoring defaults 20-29
sensing process not running C-31
setup command 6-1, 25-1, 25-4, 25-8
shutting down 20-30
statistics 21-22
system information 21-23
time sources 6-10, C-17
troubleshooting software upgrades C-57
updating 20-27
upgrading 27-4
using NTP time source 6-12
Sensor Setup window
described 5-2
Startup Wizard 5-2
Server Certificate pane
button functions 15-14
certificate
displaying 15-15
generating 15-15
described 15-14
field descriptions 15-14
user roles 15-14
server manifest described A-29
service account
accessing 6-18, C-5
cautions 6-18, C-5
creating C-5
described 6-18, A-31, C-5
RADIUS authentication 6-18
TAC A-31
troubleshooting A-31
Service DNS engine
described B-40
parameters (table) B-40
Service engine
described B-39
Layer 5 traffic B-39
Service FTP engine
described B-41
parameters (table) B-41
PASV port spoof B-41
Service Generic engine
described B-42
no custom signatures B-42
parameters (table) B-42
Service H225 engine
ASN.1PER validation B-44
described B-43
features B-44
parameters (table) B-44
TPKT validation B-44
Service HTTP engine
custom signature 11-17
described 11-16, B-46
example signature 11-17
parameters (table) B-46
Service IDENT engine
described B-48
parameters (table) B-48
Service MSRPC engine
DCE/RPC protocol 11-11, B-48
described 11-11, B-48
parameters (table) B-49
Service MSSQL engine
described B-50
MSSQL protocol B-50
parameters (table) B-51
Service NTP engine
described B-51
parameters (table) B-51
Service P2P engine described B-52
service packs described 26-3
service role 6-17, 24-2, A-31
Service RPC engine
described 11-19, B-52
parameters (table) B-52
RPC portmapper 11-19, B-52
Service SMB Advanced engine
described B-54
parameters (table) B-54
Service SNMP engine
described B-56
parameters (table) B-56
Service SSH engine
described B-57
parameters (table) B-57
Service TNS engine
described B-57
parameters (table) B-58
session command
ASA 5500 AIP SSM 24-4
ASA 5500-X IPS SSP 24-5
ASA 5585-X IPS SSP 24-6
sessioning in
ASA 5500 AIP SSM 24-4
ASA 5500-X IPS SSP 24-5
ASA 5585-X IPS SSP 24-6
setting
current KB 21-13
system clock 6-16
setting up
IME email notification 1-14
terminal servers 24-3, 27-13
setup
automatic 25-2
command 6-1, 25-1, 25-4, 25-8, 25-13, 25-17, 25-21
simplified mode 25-2
shared policies
adding 9-3
deleting 9-3
described 9-1
restrictions 9-2
shared secret
described 6-24
RADIUS authentication 6-24
show events command C-108, C-109
show health command C-87
show interfaces command C-107
show module 1 details command C-63, C-69, C-81
show settings command 20-14, C-16
show statistics command C-95
show statistics virtual-sensor command C-26, C-95
show tech-support command C-88
show version command C-92
Shut Down Sensor pane
configuring 20-30
described 20-30
user roles 20-30
shutting down the sensor 20-30
sig0 pane
column heads 10-9
configuration buttons 10-10
default 10-9
described 10-9
field descriptions 10-11
signatures
assigning actions 10-21
cloning 10-19
tuning 10-20
tabs 10-9
signature definition policies
adding 10-8
cloning 10-8
default policy 10-7
deleting 10-8
sig0 10-7
Signature Definitions pane
described 10-7
field descriptions 10-8
signature engines
AIC B-10
Atomic B-13
Atomic ARP B-13
Atomic IP 11-13, B-24
Atomic IP Advanced B-14
Atomic IPv6 B-27
creating custom signatures 11-1
described 10-4, B-1
Fixed B-28
Flood B-31
Flood Host B-31
Flood Net B-32
list 10-5, B-2
Master B-4
Meta 10-25, B-32
Multi String B-34
Normalizer B-36
Regex
patterns B-10
syntax B-9
Service B-39
Service DNS B-40
Service FTP B-41
Service Generic B-42
Service H225 B-43
Service HTTP 11-16, B-46
Service IDENT B-48
Service MSRPC 11-11, B-48
Service MSSQL B-50
Service NTP B-51
Service P2P B-52
Service RPC 11-19, B-52
Service SMB Advanced B-54
Service SNMP B-56
Service SSH engine B-57
Service TNS B-57
State 11-20, B-59
String 11-21, 11-24, B-61
supported by IDM 11-2
Sweep 11-24, B-66
Sweep Other TCP B-69
Traffic Anomaly B-69
Traffic ICMP B-72
Trojan B-72
signature engine update files described 26-5
Signature Event Action Filter
described 12-6, A-26
parameters 12-6, A-26
Signature Event Action Handler described 12-6, A-27
Signature Event Action Override described 12-6, A-26
Signature Event Action Processor
Alarm Channel 12-6, A-26
components 12-6, A-26
described 12-6, A-23, A-26
signature fidelity rating
calculating risk rating 8-5, 12-3
described 8-5, 12-2
signatures
adding 10-17
alert frequency 10-23
assigning actions 10-21
cloning 10-19
custom 10-2
default 10-2
described 10-1
disabling 10-17
editing 10-20
enabling 10-17
false positives 10-2
rate limits 16-4
retiring 10-17
String TCP XL 10-34
subsignatures 10-2
TCP reset C-53
tuned 10-2
tuning 10-20
Signatures window
field descriptions 5-15
user roles 5-14
Signatures window described 5-14
signature threat profiles
applying 5-15
platform support 5-14
signature updates
bypass mode 20-24
files 26-4
FTP server 20-27
installation time 20-23
SensorApp 20-23
signature variables
adding 10-37
configuring 10-37
deleting 10-37
described 10-36
editing 10-37
Signature Variables tab
configuring 10-37
field descriptions 10-36
Signature Wizard
protocols 11-10
signature identification 11-11
SNMP
configuring 18-3
described 18-1
General Configuration pane
field descriptions 18-2
user roles 18-2
Get 18-1
GetNext 18-1
Set 18-1
supported MIBs 18-6, C-20
Trap 18-1
Traps Configuration pane
field descriptions 18-4
user roles 18-4
SNMP General Configuration pane
configuring 18-3
described 18-2
SNMP traps
configuring 18-5
described 18-1
software architecture
ARC (illustration) A-13
IDAPI (illustration) A-32
software bypass
supported configurations 7-10
with hardware bypass 7-10
software downloads Cisco.com 26-1
software file names
recovery (illustration) 26-5
signature/virus updates (illustration) 26-4
signature engine updates (illustration) 26-5
system image (illustration) 26-5
software release examples
platform-dependent 26-6
platform identifiers 26-7
platform-independent 26-6
software updates
supported FTP servers 20-23, 27-2
supported HTTP/HTTPS servers 20-23, 27-2
SPAN port issues C-33
specialized 23-2
Specialized Reports described 23-2
SSH
described 15-1
security 15-1
SSH Server
private keys A-22
public keys A-22
standards
CIDEE A-34
IDCONF A-33
IDIOM A-33
SDEE A-34
Startup Wizard
access lists 5-3
adding ACLs 5-5
adding virtual sensors 5-13
Add Virtual Sensor dialog box 5-12
Auto Update configuring 5-17
described 5-1
Inline Interface Pair window
described 5-9
field descriptions 5-9
Inline VLAN Pairs window configuring 5-10
Interface Selection window 5-9
Interface Summary window 5-7
Sensor Setup window
configuring 5-4
described 5-2
field descriptions 5-2
Signatures window described 5-14
Traffic Inspection Mode window 5-8
Virtual Sensors window
field descriptions 5-11
Virtual Sensors window described 5-11
VLAN groups unsupported 5-1, 5-7
State engine
Cisco Login 11-20, B-59
described 11-20, B-59
LPR Format String 11-20, B-59
parameters (table) B-59
SMTP 11-20, B-59
statistic display C-96
Statistics pane
button functions 21-22, 21-23
categories 21-21
described 21-21
using 21-22
statistics viewing 21-22
String engine described 11-21, 11-24, B-61
String ICMP engine parameters (table) B-61
String TCP engine
custom signature 11-22
example signature 11-22
parameters (table) B-61
String TCP XL signature (example) 10-31, 10-34
String UDP engine parameters (table) B-62
String XL engine
description B-63
hardware support 10-6, 11-3, B-3, B-63
parameters (table) B-64
unsupported parameters B-66
subinterface 0 described 7-17
subsignatures described 10-2
summarization
described 8-7, 12-5
Fire All 8-7, 12-5
Fire Once 8-8, 12-5
Global Summarization 8-7, 12-5
Meta engine 8-7, 12-5
Summary 8-7, 12-5
Summarizer described 8-40, 12-33
Summary pane
described 7-18
field descriptions 7-18
supported
FTP servers 20-23, 27-2
HTTP/HTTPS servers 20-23, 27-2
IPS interfaces for CSA MC 19-3
platforms for IME 1-5
supported sensors for signature threat profiles 5-14
Sweep engine 11-25, B-67
described 11-24, B-66
parameters (table) B-67
Sweep Other TCP engine
described B-69
parameters (table) B-69
SwitchApp described A-30
switches and TCP reset interfaces 7-9
sw-module module slot_number password-reset command 20-9, C-12
system architecture
directory structure A-35
supported platforms A-1
system clock setting 6-16
system components IDAPI A-32
System Configuration Dialog
described 25-2
example 25-2
system design (illustration) A-2
system image
installing
ASA 5500 AIP SSM 27-27
ASA 5500-X IPS SSP 27-29
IPS 4240 27-14
IPS 4255 27-14
IPS 4260 27-17
IPS 4270-20 27-19
IPS 4345 27-22
IPS 4360 27-22
system images
installing
IPS 4510 27-25
IPS 4520 27-25
System Information pane
described 21-22
using 21-23
system information viewing 21-23
system requirements for IME 1-4
T
TAC
contact information 21-22
service account 6-18, A-31, C-5
show tech-support command C-88
troubleshooting A-31
target value rating
calculating risk rating 8-6, 12-3
described 8-6, 8-26, 8-27, 12-3, 12-20, 12-21
TCP fragmentation described B-36
TCP Protocol tab
described 13-16, 13-23, 13-29
enabling TCP 13-16
external zone 13-29
field descriptions 13-16, 13-23, 13-30
illegal zone 13-23
TCP reset interfaces
conditions 7-9
described 7-8
list 7-8
promiscuous mode 7-8
switches 7-9
TCP resets not occurring C-53
TCP stream reassembly
described 10-52
mode 10-58
parameters (table) 10-53
signatures (table) 10-53
tech support information display C-89
terminal server setup 24-3, 27-13
testing fail-over 7-10
TFN2K
described B-72
Trojans B-72
TFTP servers
maximum file size limitation 27-13
RTT 27-13
Threat Category tab
described 8-39, 12-32
field descriptions 8-39, 12-33
threat rating
described 8-6, 12-4
risk rating 8-6, 12-4
Thresholds for KB Name window
described 21-9
field descriptions 21-10
filtering information 21-10
time
correction on the sensor 6-12, C-19
sensors 6-10, C-17
synchronizing IPS clocks 6-11, C-18
Time pane
configuring 6-9
described 6-7
field descriptions 6-7
user roles 6-7
time sources
appliances 6-10, C-17
ASA 5500 AIP SSM 6-11, C-18
ASA 5500-X IPS SSP 6-11, C-18
ASA 5585-X IPS SSP 6-11, C-18
TLS
described 6-4
handshaking 15-12
IDM 15-11
web server 15-11
Top Applications gadget
configuring 3-9
described 3-9
Top Attacker Reports described 1-18, 23-1
Top Attackers gadgets
configuring 3-12
described 3-11
Top Signature Reports described 1-18, 23-2
Top Signatures gadgets
configuring 3-13
described 3-13
Top Victim Reports described 1-18, 23-2
Top Victims gadgets
configuring 3-12
described 3-12
traceroute device tool (IME) 1-4, 2-6, 3-15, 3-16, 22-6
Traffic Anomaly engine
described B-69
protocols B-69
signatures B-69
traffic flow notifications
configuring 7-31
described 7-30
Traffic Flow Notifications pane
configuring 7-31
field descriptions 7-30
user roles 7-30
Traffic ICMP engine
DDoS B-72
described B-72
LOKI B-72
parameters (table) B-72
TFN2K B-72
Traffic Inspection Mode window described 5-8
Traps Configuration pane
configuring 18-5
described 18-4
trial license key 20-15
Tribe Flood Network. See TFN.
Tribe Flood Network 2000. See TFN2K.
Trojan engine
BO2K B-72
described B-72
TFN2K B-72
Trojans
BO B-72
BO2K B-72
LOKI B-72
TFN2K B-72
troubleshooting
Analysis Engine busy C-59
applying software updates C-55
ARC
blocking not occurring for signature C-45
device access issues C-42
enabling SSH C-44
inactive state C-40
misconfigured master blocking sensor C-46
verifying device interfaces C-43
ASA 5500 AIP SSM
commands C-63
debugging C-64
failover scenarios C-62
recovering C-64
reset C-64
ASA 5500-X IPS SSP
commands C-69
failover scenarios C-68
ASA 5585-X IPS SSP
commands C-81
failover scenarios C-80
traffic flow stopped C-81
automatic updates C-56
cannot access sensor C-27
cidDump C-112
cidLog messages to syslog C-52
communication C-27
corrupted SensorApp configuration C-37
debug logger zone names (table) C-51
debug logging C-47
disaster recovery C-6
duplicate sensor IP addresses C-30
enabling debug logging C-47
external product interfaces 19-10, C-24
gathering information C-87
global correlation 14-11, C-23
IDM
cannot access sensor C-59
will not load C-58
IME
installation error 1-20, C-61
IME time synchronization C-61
IPS clock time drift 6-11, C-18
misconfigured access list C-29
no alerts C-34, C-60
password recovery 20-14, C-17
physical connectivity issues C-33
preventive maintenance C-2
RADIUS
attempt limit C-23
reset not occurring for a signature C-53
sensing process not running C-31
sensor events C-108
sensor loose connections C-25
sensor not seeing packets C-36
sensor software upgrade C-57
service account 6-18, C-5
show events command C-108
show interfaces command C-107
show tech-support command C-88, C-89
show version command C-92
software upgrades C-55
SPAN port issue C-33
upgrading C-55
verifying Analysis Engine is running C-22
verifying ARC status C-39
Trusted Hosts pane
configuring 15-13
described 15-13
field descriptions 15-13
tuned signatures described 10-2
tuning
AIC signatures 10-48
IP fragment reassembly signatures 10-52
signatures 10-20
TCP fragment reassembly signatures 10-59
U
UDP Protocol tab
described 13-17, 13-24, 13-31
enabling UDP 13-17
external zone 13-31
field descriptions 13-17, 13-31
illegal zone 13-24
unassigned VLAN groups described 7-17
unauthenticated NTP 6-10, 6-14, C-17
uninstalling the license key 20-19
UNIX-style directory listings 20-23
unlocking accounts 6-26
unlock user username command 6-26
Update Sensor pane
configuring 20-27
described 20-27
field descriptions 20-27
user roles 20-26
updating sensors 20-27
upgrade command 27-3, 27-6
upgrading
application partition 27-11
latest version C-55
recovery partition 27-6
sensors 27-4
uploading KBs
FTP 21-15
SCP 21-15
Upload Knowledge Base to Sensor dialog box
described 21-15
field descriptions 21-15
URLs for Cisco Security Intelligence Operations 26-8
user-defined reports described 23-1
user roles authentication 6-19
users configuring 6-22
using
debug logging C-47
TCP reset interfaces 7-9
V
VACLs
described 16-3
Post-Block 16-21
Pre-Block 16-21
verifying
NTP configuration 6-11
password recovery 20-14, C-16
sensor initialization 25-24
sensor setup 25-24
version display C-92
video help described 1-3
viewing
denied attacker hit counts 17-2
denied attackers list 17-2
IP logs 17-12
license key status 20-15
statistics 21-22
system information 21-23
virtualization
advantages 8-3, C-19
restrictions 8-3, C-19
supported sensors 8-3, C-20
traffic capture requirements 8-3, C-20
virtual-sensor name command 8-16
virtual sensors
adding 5-13, 8-13
adding (ASA 5500 AIP SSM) 8-16
adding (ASA 5500-X IPS SSP) 8-16
adding (ASA 5585-X IPS SSP) 8-16
ASA 5500 AIP SSM 8-18
ASA 5500-X IPS SSP 8-18
ASA 5585-X IPS SSP 8-18
creating (ASA 5500 AIP SSM) 8-16
creating (ASA 5500-X IPS SSP) 8-16
creating (ASA 5585-X IPS SSP) 8-16
default virtual sensor 8-2, 8-8
deleting 8-13
described 8-2, 8-8
editing 8-13
options 8-16
Virtual Sensors window
described 5-11
VLAN groups
802.1q encapsulation 7-17
configuration restrictions 7-13
configuring 7-27
deploying 7-26
switches 7-26
VLAN IDs 7-26
VLAN groups mode
described 7-17
VLAN Groups pane
configuring 7-27
described 7-26
field descriptions 7-27
user roles 7-26
VLAN Pairs pane
configuring 7-25
described 7-24
field descriptions 7-24
user roles 7-23
vulnerable OSes field described B-6
W
watch list rating
calculating risk rating 8-6, 12-3
described 8-6, 12-3
web server
described A-4, A-23
HTTP 1.0 and 1.1 support A-23
private keys A-22
public keys A-22
SDEE support A-23
TLS 15-11
whois device tool (IME) 1-4, 2-6, 3-15, 3-16, 22-6
worms
Blaster 13-2
Code Red 13-2
histograms 13-13, 21-8
Nimda 13-2
protocols 13-3
Sasser 13-2
scanners 13-3
Slammer 13-2
SQL Slammer 13-2
Z
zones
external 13-5
illegal 13-5
internal 13-5