Index
Numerics
802.1q encapsulation for VLAN groups
7-14
A
AAA RADIUS
functionality
6-19
limitations
6-19
accessing
IPS software
26-2
service account
6-18, C-5
access list misconfiguration
C-27
access lists
necessary hosts
5-3
Startup Wizard
5-3
account locking
configuring
6-25
security
6-25
account unlocking configuring
6-26
ACLs
adding
5-6
described
16-3
Post-Block
16-17, 16-18
Pre-Block
16-17, 16-18
ad0 pane
default
13-10
described
13-10
tabs
13-10
Add ACL Entry dialog box field descriptions
5-3
Add Allowed Host dialog box
field descriptions
6-6
user roles
6-5
Add Authorized RSA1 Key dialog box
field descriptions
15-5
user roles
15-4
Add Authorized RSA Key dialog box
field descriptions
15-3
user roles
15-2
Add Blocking Device dialog box
field descriptions
16-14
user roles
16-14
Add Cat 6K Blocking Device Interface dialog box
field descriptions
16-22
user roles
16-21
Add Configured OS Map dialog box
field descriptions
8-31, 12-26
user roles
8-30, 12-23
Add Destination Port dialog box
field descriptions
13-17, 13-23, 13-30
user roles
13-15
Add Device dialog box field descriptions
2-3
Add Device Login Profile dialog box
field descriptions
16-12
user roles
16-12
Add Event Action Filter dialog box
field descriptions
8-20, 12-16
user roles
12-15
Add Event Action Override dialog box
field descriptions
8-12, 12-13
user roles
8-12, 12-13
Add Event Variable dialog box
field descriptions
8-34, 12-29
user roles
8-33, 12-28
Add External Product Interface dialog box
field descriptions
19-6
user roles
19-4
Add Filter dialog box
field descriptions
3-19, 22-3
Add Histogram dialog box
field descriptions
13-17, 13-24, 13-30
user roles
13-15
Add Host Block dialog box field descriptions
17-4
adding
ACLs
5-6
a host never to be blocked
16-11
anomaly detection policies
13-10
blocking devices
16-15
CSA MC interfaces
19-7
denied attackers
17-2
event action filters
8-22, 12-17
event action overrides
12-14
event action rules policies
12-12
event variables
8-35, 12-29
external product interfaces
19-7
host blocks
17-4
IPv4 target value ratings
8-25, 12-20
IPv6 target value ratings
8-27, 12-22
network blocks
17-7
OS maps
8-31, 12-27
rate limiting devices
16-15
rate limits
17-9
risk categories
8-37, 12-32
signature definition policies
10-9
signatures
10-19
signature variables
10-39
virtual sensors
5-14, 8-12
virtual sensors (ASA 5500-X IPS SSP)
8-16
virtual sensors (ASA 5585-X IPS SSP)
8-16
Add Inline VLAN Pair dialog box
field descriptions
7-21
user roles
7-20
Add Inline VLAN Pair Entry dialog box field descriptions
5-11
Add Interface Pair dialog box
field descriptions
7-19
user roles
7-18
Add IP Logging dialog box field descriptions
17-11
Add Known Host Key dialog box
user roles
15-8
Add Known Host RSA1 Key dialog box
field descriptions
15-9
Add Known Host RSA Key dialog box
field descriptions
15-7
user roles
15-6
Add Master Blocking Sensor dialog box
field descriptions
16-25
user roles
16-24
Add Network Block dialog box field descriptions
17-6
Add Never Block Address dialog box
field descriptions
16-10
user roles
16-7
Add Policy dialog box
field descriptions
9-2, 10-9, 12-12, 13-9
user roles
10-8, 12-11, 13-9
Add Posture ACL dialog box field descriptions
19-7
Add Protocol Number dialog box field descriptions
13-18, 13-25, 13-32
Add Rate Limit dialog box
field descriptions
17-8
user role
17-7
Address Resolution Protocol. See ARP.
Add Risk Level dialog box
field descriptions
8-37, 12-31
user roles
8-36, 12-31
Add Router Blocking Device Interface dialog box
field descriptions
16-19
user roles
16-17
Add Signature dialog box field descriptions
10-13
Add Signature Variable dialog box
field descriptions
10-38
user roles
10-38
Add SNMP Trap Destination dialog box
field descriptions
18-8
user roles
18-7
Add SNMPv3 User dialog box
field descriptions
18-4
user roles
18-3
Add Start Time dialog box
field descriptions
13-14
user roles
13-12
Add Target Value Rating dialog box
field descriptions
8-25, 8-26
user roles
8-24, 8-26
Add Trusted Host dialog box
field descriptions
15-13
user roles
15-13
Add User dialog box
field descriptions
6-22
user roles
6-19, 6-22
Add Virtual Sensor dialog box
described
5-13, 8-10
field descriptions
5-14, 8-10
user roles
8-9
Add VLAN Group dialog box
field descriptions
7-23
user roles
7-22
Advanced Alert Behavior Wizard
Alert Dynamic Response Fire All window field descriptions
11-27
Alert Dynamic Response Fire Once window field descriptions
11-28
Alert Dynamic Response Summary window field descriptions
11-28
Alert Summarization window field descriptions
11-27
Event Count and Interval window field descriptions
11-26
Global Summarization window field descriptions
11-29
aggregation
alert frequency
8-7, 12-5
operating modes
8-7, 12-5
AIC
policy
10-50
signatures (example)
10-50
AIC engine
AIC FTP
B-11
AIC FTP engine parameters (table)
B-12
AIC HTTP
B-11
AIC HTTP engine parameters (table)
B-12
described
B-11
features
B-11
signature categories
10-42
AIC policy enforcement
default configuration
10-43, B-11
described
10-43, B-11
sensor oversubscription
10-43, B-11
Alarm Channel
described
12-6, A-26
risk rating
14-5
alert and log actions (list)
10-2, 10-15, 12-7
alert behavior
Custom Signature Wizard
11-26
normal
11-26
alert frequency
aggregation
10-25
configuring
10-25
controlling
10-25
modes
B-7
allocate-ips command
8-15
Allowed Hosts/Networks pane
configuring
6-6
described
6-5
field descriptions
6-6
alternate TCP reset interface
configuration restrictions
7-9
designating
7-7
restrictions
7-2
Analysis Engine
described
8-2
error messages
C-24
errors
C-52
IDM exits
C-56
sensing interfaces
7-3
verify it is running
C-20
virtual sensors
8-2
anomaly detection
asymmetric traffic
13-2
caution
13-2
configuration sequence
13-5
default anomaly detection configuration
13-4
default configuration (example)
13-4
described
13-2
detect mode
13-4
enabling
13-4
event actions
13-7, B-70
inactive mode
13-4
learning accept mode
13-3
learning process
13-3
limiting false positives
13-13, 21-8
operation settings
13-11
protocols
13-3
signatures (table)
13-7, B-71
signatures described
13-7
worms
attacks
13-13, 21-8
described
13-3
zones
13-5
anomaly detection disabling
13-35, C-19
Anomaly Detection pane
button functions
21-9
described
21-7
field descriptions
21-9
user roles
21-7
anomaly detection policies
ad0
13-9
adding
13-10
cloning
13-10
default policy
13-9
deleting
13-10
Anomaly Detections pane
described
13-9
field descriptions
13-9
user roles
13-9
appliances
GRUB menu
20-5, C-8
initializing
25-8
logging in
24-2
password recovery
20-5, C-8
setting system clock
6-16
terminal servers
described
24-3, 27-16
setting up
24-3, 27-16
time sources
6-11, C-15
upgrading recovery partition
27-7
Application Inspection and Control. See AIC.
application partition
described
A-4
application partition image recovery
27-14
application policy enforcement described
10-43, B-11
applications in XML format
A-4
applying signature threat profiles
5-16
applying software updates
C-53
ARC
ACLs
16-18, A-14
authentication
A-15
blocking
connection-based
A-17
response
A-13
unconditional blocking
A-17
blocking application
16-2
blocking not occurring for signature
C-42
Catalyst switches
VACL commands
A-19
VACLs
A-16, A-19
VLANs
A-16
checking status
16-3, 16-4
described
A-4
design
16-2
device access issues
C-40
enabling SSH
C-42
features
A-14
firewalls
AAA
A-18
connection blocking
A-18
NAT
A-18
network blocking
A-18
postblock ACL
A-16
preblock ACL
A-16
shun command
A-18
TACACS+
A-18
formerly Network Access Controller
16-1
functions
16-2
illustration
A-13
inactive state
C-38
interfaces
A-14
maintaining states
A-16
managed devices
16-7
master blocking sensors
A-14
maximum blocks
16-2
misconfigured master blocking sensor
C-43
nac.shun.txt file
A-16
NAT addressing
A-15
number of blocks
A-15
postblock ACL
A-16
preblock ACL
A-16
prerequisites
16-5
rate limiting
16-4
responsibilities
A-13
single point of control
A-15
SSH
A-14
supported devices
16-5, A-15
Telnet
A-14
troubleshooting
C-36
VACLs
A-14
verifying device interfaces
C-41
verifying status
C-37
ARP
Layer 2 signatures
B-13
protocol
B-13
ARP spoof tools
dsniff
B-13
ettercap
B-13
ASA 5500-X IPS SSP
assigning virtual sensors
8-17
creating virtual sensors
8-16
initializing
25-13
IPS reloading messages
C-69, C-75
logging in
24-4
memory usage
20-17, C-68
memory usage values (table)
20-17, C-69
no CDP mode support
7-27
Normalizer engine
B-37, C-68, C-74
password recovery
20-6, C-10
resetting the password
20-7, C-10
sensing interface
8-14
session command
24-4
sessioning in
24-4
setup command
25-13
time sources
6-11, C-16
virtual sensors
assigning policies
8-15
assigning the interface
8-15
virtual sensor sequence
8-15
ASA 5585-X IPS SSP
assigning virtual sensors
8-17
creating virtual sensors
8-16
initializing
25-17
installing system image
27-25
IPS reloading messages
C-69, C-75
logging in
24-5
no CDP mode support
7-27
Normalizer engine
B-37, C-68, C-74
password recovery
20-8, C-12
resetting the password
20-9, C-12
sensing interface
8-14
session command
24-5
sessioning in
24-5
setup command
25-17
time sources
6-11, C-16
virtual sensors
assigning policies
8-15
assigning the interface
8-15
sequence
8-15
ASA IPS modules
Deny Connection Inline
10-5, 10-18, 12-10
Deny Packet Inline
10-5, 10-18, 12-10
jumbo packet count
C-69, C-75
Reset TCP Connection
10-5, 10-18, 12-10
TCP reset packets
10-5, 10-18, 12-10
ASDM
resetting passwords
20-8, 20-10, C-11, C-13
assigning
interfaces to virtual sensors (ASA 5500-X IPS SSP)
8-15
interfaces to virtual sensors (ASA 5585-X IPS SSP)
8-15
policies to virtual sensors (ASA 5500-X IPS SSP)
8-15
policies to virtual sensors (ASA 5585-X IPS SSP)
8-15
assigning actions to signatures
10-23
asymmetric mode
described
8-4
normalization
8-4
asymmetric traffic
anomaly detection
13-2
caution
13-2
asymmetric traffic and disabling anomaly detection
13-35, C-19
Atomic ARP engine
described
B-13
parameters (table)
B-13
Atomic IP Advanced engine
described
B-14
parameters (table)
B-16
restrictions
B-15
Atomic IP engine
described
11-13, B-24
parameters (table)
B-24
Atomic IPv6 engine
described
B-27
Neighborhood Discovery protocol
B-28
signatures
B-28
attack relevance rating
calculating risk rating
8-6, 12-3
described
8-6, 8-28, 12-3, 12-24
Attack Response Controller
described
A-4
formerly known as Network Access Controller
A-4
Attack Response Controller. See ARC.
attack severity rating
calculating risk rating
8-6, 12-3
described
8-6, 12-3
Attacks Over Time gadgets
configuring
3-13
described
3-13
Attacks Over Time Reports described
1-15, 23-2
attempt limit
RADIUS
C-21
attemptLimit command
6-25
audit mode
described
14-8
testing global correlation
14-8
authenticated NTP
6-11, 6-14, C-15
authentication
local
6-19
RADIUS
6-19
AuthenticationApp
authenticating users
A-20
described
A-4
login attempt limit
A-20
method
A-20
responsibilities
A-20
secure communications
A-21
sensor configuration
A-20
Authentication pane
configuring
6-23
described
6-19
field descriptions
6-20
user roles
6-17, A-30
Authorized RSA1 Keys pane
configuring
15-5
described
15-4
field descriptions
15-4
RSA authentication
15-4
RSA key generation tool
15-5
Authorized RSA Keys pane
configuring
15-3
described
15-2
field descriptions
15-2
RSA authentication
15-2
RSA key generation tool
15-3
Auto/Cisco.com Update pane
configuring
20-24
described
5-17, 20-20
field descriptions
20-22
UNIX-style directory listings
20-21
user roles
20-18, 20-20
automatic reporting configuring (IME)
1-15
automatic setup
25-2
automatic update
immediate
27-12
automatic updates
Cisco.com
5-17
configuring
5-18, 20-24
cryptographic account
5-17, 20-20
FTP servers
20-20
SCP servers
5-17
automatic upgrade
information required
27-8
troubleshooting
C-53
autoupdatenow command
27-12
Auto Update window field descriptions
5-17
auto-upgrade-option command
27-8
B
backing up
configuration
C-2
current configuration
C-4
BackOrifice. See BO.
BackOrifice 2000. See BO2K.
basic setup
25-4
blocking
described
16-2
disabling
16-8
master blocking sensor
16-24
necessary information
16-3
prerequisites
16-5
supported devices
16-5
types
16-2
blocking devices
adding
16-15
deleting
16-15
editing
16-15
Blocking Devices pane
configuring
16-15
described
16-14
field descriptions
16-14
ssh host-key command
16-15
blocking not occurring for signature
C-42
Blocking Properties pane
adding a host never to be blocked
16-11
configuring
16-9
described
16-7
field descriptions
16-8
BO
described
B-73
Trojans
B-73
BO2K
described
B-73
Trojans
B-73
BST
described
C-1
URL
C-1
Bug Search Tool. See BST.
bypass mode
described
7-25
signature updates
20-22
Bypass pane
field descriptions
7-26
user roles
7-25
C
calculating risk rating
attack relevance rating
8-6, 12-3
attack severity rating
8-6, 12-3
promiscuous delta
8-6, 12-3
signature fidelity rating
8-5, 12-3
target value rating
8-6, 12-3
watch list rating
8-6, 12-3
cannot access sensor
C-25
Cat 6K Blocking Device Interfaces pane
configuring
16-22
described
16-21
field descriptions
16-22
CDP mode
ASA 5500-X IPS SSP
7-27
ASA 5585-X IPS SSP
7-27
described
7-27
interfaces
7-27
CDP Mode pane
configuring
7-27
field descriptions
7-27
user roles
7-27
certificates
displaying
15-15
generating
15-15
certificates (IDM)
15-11
changing Microsoft IIS to UNIX-style directory listings
20-21
cidDump obtaining information
C-101
CIDEE
defined
A-34
example
A-34
IPS extensions
A-34
protocol
A-34
supported IPS events
A-34
cisco
default password
24-2
default username
24-2
Cisco.com
accessing software
26-2
downloading software
26-1
software downloads
26-1
Cisco Bug Search Tool
described
C-1
Cisco Discovery Protocol. See CDP.
Cisco IOS rate limiting
16-4
Cisco Security Intelligence Operations
described
26-7
URL
26-7
Cisco Services for IPS
service contract
20-13
supported products
20-13
clear events command
6-12, 6-16, 21-4, C-17, C-100
Clear Flow States pane
described
21-19
field descriptions
21-19
clearing
denied attackers
17-2
events
6-16, 21-4, C-100
flow states
21-19
statistics
C-84
CLI
described
A-4, A-30
password recovery
20-10, C-14
client manifest described
A-28
clock set command
6-16
Clone Policy dialog box
field descriptions
10-9, 12-12, 13-9
user roles
10-8, 12-11, 13-9
Clone Signature dialog box field descriptions
10-13
cloning
anomaly detection policies
13-10
event action rules policies
12-12
signature definition policies
10-9
signatures
10-21
CollaborationApp described
A-4, A-27
color rules
described
22-2
events (IME)
22-2
Color Rules tab
described
22-2
filters
22-2
command and control interface
described
7-2
list
7-2
commands
allocate-ips
8-15
attemptLimit
6-25
autoupdatenow
27-12
auto-upgrade-option
27-8
clear events
6-12, 6-16, 21-4, C-17, C-100
clock set
6-16
copy backup-config
C-3
copy current-config
C-3
downgrade
27-13
erase license-key
20-15
hw-module module slot_number password-reset
20-8, C-12
setup
6-1, 25-1, 25-4, 25-8, 25-13, 25-17
show events
C-98
show health
C-76
show module 1 details
C-60, C-71
show settings
20-11, C-14
show statistics
C-84
show statistics virtual-sensor
C-24, C-84
show tech-support
C-77
show version
C-80
sw-module module slot_number password-reset
20-7, C-10
unlock user username
6-26
upgrade
27-5, 27-7
virtual-sensor name
8-15
Compare Knowledge Bases dialog box field descriptions
21-11
comparing KBs
21-11, 21-12
configuration files
backing up
C-2
merging
C-2
configuration restrictions
alternate TCP reset interface
7-9
inline interface pairs
7-8
inline VLAN pairs
7-9
interfaces
7-8
physical interfaces
7-8
VLAN groups
7-9
Configure Summertime dialog box field descriptions
5-5, 6-8
configuring
account locking
6-25
account unlocking
6-26
AIC policy parameters
10-50
allowed hosts
6-6
allowed networks
6-6
anomaly detection operation settings
13-11
application policy signatures
10-50
Attacks Over Time gadgets
3-13
authorized keys
15-5
authorized RSA keys
15-3
automatic updates
5-18, 20-24
automatic upgrades
27-10
blocking devices
16-15
blocking properties
16-9
Cat 6K blocking device interfaces
16-22
CDP mode
7-27
CPU, Memory, & Load gadget
3-11
CSA MC IPS interfaces
19-3
device login profiles
16-13
event action filters
8-22, 12-17
events
21-3
event variables
8-35, 12-29
external zone
13-32
general settings
8-40, 12-34
Global Correlation Health gadget
3-8
Global Correlation Reports gadget
3-6
host blocks
17-4
illegal zone
13-25
inline VLAN pairs
5-11
inspection/reputation
14-9
inspection load statistics display
21-5
interface pairs
7-19
interfaces
7-16
interface statistics display
21-6
Interface Status gadget
3-6
internal zone
13-19
IP fragment reassembly signatures
10-54
IP logging
17-12
IPv4 target value ratings
8-25, 12-20
IPv6 target value ratings
8-27, 12-22
known host RSA1 keys
15-9
known host RSA keys
15-7
learning accept mode
13-14
Licensing gadget
3-5
local authentication
6-23
master blocking sensor
16-25
network blocks
17-7
network participation
14-11
Network Security gadget
3-9
network settings
6-3
NTP servers
6-13
OS maps
8-31, 12-27
RADIUS authentication
6-23
rate limiting
17-9
rate limiting device interfaces
16-19
risk categories
8-37, 12-32
router blocking device interfaces
16-19
RSS Feed gadgets
3-11
RSS feeds
4-2
Sensor Health gadget
3-4
Sensor Information gadget
3-3
Sensor Setup window
5-5
sensor to use NTP
6-14
signature variables
10-39
SNMP
18-2
SNMP traps
18-8, 18-9
SNMPv3 users
18-5
time
6-9
Top Applications gadget
3-9
Top Attackers gadgets
3-12
Top Signatures gadgets
3-13
Top Victims gadgets
3-12
traffic flow notifications
7-26
trusted hosts
15-13
upgrades
27-5
users
6-23
VLAN groups
7-24
VLAN pairs
7-21
control transactions
characteristics
A-9
request types
A-8
copy backup-config command
C-3
copy current-config command
C-3
correcting time on the sensor
6-12, C-17
CPU, Memory, & Load gadget
configuring
3-11
described
3-10
creating
Atomic IP Advanced engine signature
10-31, 11-14
custom signatures
not using signature engines
11-4
Service HTTP
11-17
String TCP
11-22
using signature engines
11-1
event views
22-4
IPv6 signatures
10-30, 11-14
Meta signatures
10-28
Post-Block VACLs
16-21
Pre-Block VACLs
16-21
reports (IME)
23-2
String TCP XL signatures
10-36
creating the service account
C-6
cryptographic account
automatic updates
5-17, 20-20
Encryption Software Export Distribution Authorization form
26-2
obtaining
26-2
cryptographic features (IME)
1-2
CSA MC
adding interfaces
19-7
configuring IPS interfaces
19-3
host posture events
19-1, 19-3
quarantined IP address events
19-1
supported IPS interfaces
19-3
CtlTransSource
described
A-4, A-11
illustration
A-12
current configuration back up
C-2
current KB setting
21-13
custom signatures
Custom Signature Wizard
11-5
described
10-2
IPv6 signature
10-30, 11-14
Meta signature
10-28
sensor performance
11-4
String TCP XL
10-33, 10-36
Custom Signature Wizard
alert behavior
11-26
Alert Response window field descriptions
11-26
Atomic IP Engine Parameters window field descriptions
11-13
described
11-1
ICMP Traffic Type window field descriptions
11-12
Inspect Data window field descriptions
11-12
MSRPC Engine Parameters window field descriptions
11-11
no signature engine sequence
11-4
Protocol Type window field descriptions
11-10
Service HTTP Engine Parameters window field descriptions
11-16
Service RPC Engine Parameters window field descriptions
11-19
Service Type window field descriptions
11-13
signature engine sequence
11-1
Signature Identification window field descriptions
11-11
State Engine Parameters window field descriptions
11-20
String ICMP Engine Parameters window field descriptions
11-21
String TCP Engine Parameters window field descriptions
11-21
String UDP Engine Parameters window field descriptions
11-24
supported signature engines
11-2
Sweep Engine Parameters window field descriptions
11-25
TCP Sweep Type window field descriptions
11-13
TCP Traffic Type window field descriptions
11-12
UDP Sweep Type window field descriptions
11-12
UDP Traffic Type window field descriptions
11-12
using
11-5
Welcome window field descriptions
11-10
D
dashboards
adding
3-1
deleting
3-1
Data Archive dialog box
configuring
1-9
described
1-8
field descriptions
1-9
data archiving configuring
1-9
data nodes
11-25, B-67
data structures (examples)
A-8
DDoS
protocols
B-72
Stacheldraht
B-72
TFN
B-72
debug logging enable
C-45
default policies
ad0
13-9
rules0
12-2, 12-11
sig0
10-8
defaults
KB filename
13-12
password
24-2
restoring
20-28
username
24-2
virtual sensor vs0
8-2
deleting
anomaly detection policies
13-10
blocking devices
16-15
denied attackers
17-2
event action filters
8-22, 12-17
event action overrides
12-14
event action rules policies
12-12
event variables
8-35, 12-29
host blocks
17-4
imported OS values
21-18
IPv4 target value ratings
8-25, 12-20
IPv6 target value ratings
8-27, 12-22
KBs
21-14
learned OS values
21-17
network blocks
17-7
OS maps
8-31, 12-27
rate limiting devices
16-15
rate limits
17-9
risk categories
8-37, 12-32
signature definition policies
10-9
signature variables
10-39
virtual sensors
8-12
Demo mode (IME)
1-4
demo reports described
23-1
Denial of Service. See DoS.
denied attackers
adding
17-2
clearing
17-2
deleting
17-2
hit count
17-1
resetting hit counts
17-2
viewing hit counts
17-2
viewing list
17-2
Denied Attackers pane
described
17-1
field descriptions
17-2
user roles
17-1
using
17-2
deny actions (list)
10-3, 10-16, 12-8
Deny Packet Inline described
10-5, 10-17, 12-10
detect mode (anomaly detection)
13-4
device access issues
C-40
Device Details pane described
2-1
Device List pane
described
2-1
field descriptions
2-2
Device Login Profiles pane
configuring
16-13
described
16-12
field descriptions
16-12
devices
adding
2-4
deleting
2-4
editing
2-4
device tools
DNS lookup
2-6
ping
2-6
traceroute
2-6
whois
2-6
Diagnostics Report pane
button functions
21-21
described
21-21
user roles
21-21
using
21-21
diagnostics reports
21-21
Differences between knowledge bases KB_Name and KB_Name window field descriptions
21-11
disabling
anomaly detection
13-35, C-19
blocking
16-8
event action filters
8-22, 12-17
global correlation
14-12
interfaces
7-16
password recovery
20-10, C-14
signatures
10-19
disaster recovery
C-6
displaying
events
21-3, C-98
health status
C-76
imported OS maps
21-18
inspection load statistics
21-5
interface statistics
21-6
learned OS maps
21-17
password recovery setting
20-11, C-14
sensor statistics
21-23
statistics
C-84
tech support information
C-78
version
C-81
Distributed Denial of Service. See DDoS.
DNS lookup device tool (IME)
1-3, 2-6, 3-15, 3-16, 22-6
DoS tools
Stacheldraht
B-72
stick
B-7
TFN
B-72
downgrade command
27-13
downgrading sensors
27-13
downloading
Cisco software
26-1
KBs
21-15
Download Knowledge Base From Sensor dialog box
described
21-15
field descriptions
21-15
duplicate IP addresses
C-27
E
Edit ACL Entry dialog box field descriptions
5-3
Edit Allowed Host dialog box
field descriptions
6-6
user roles
6-5
Edit Authorized RSA1 Key dialog box
field descriptions
15-5
user roles
15-4
Edit Authorized RSA Key dialog box
field descriptions
15-3
user roles
15-2
Edit Blocking Device dialog box
field descriptions
16-14
user roles
16-14
Edit Cat 6K Blocking Device Interface dialog box
field descriptions
16-22
user roles
16-21
Edit Configured OS Map dialog box
field descriptions
8-31, 12-26
user roles
8-30, 12-23
Edit Destination Port dialog box
field descriptions
13-17, 13-23, 13-30
user roles
13-15
Edit Device dialog box field descriptions
2-3
Edit Device Login Profile dialog box
field descriptions
16-12
user roles
16-12
Edit Event Action Filter dialog box
field descriptions
8-20, 12-16
user roles
12-15
Edit Event Action Override dialog box
field descriptions
8-12, 12-13
user roles
8-12, 12-13
Edit Event Variable dialog box
field descriptions
8-34, 12-29
user roles
8-33, 12-28
Edit External Product Interface dialog box
field descriptions
19-6
user roles
19-4
Edit Filter dialog box field descriptions
3-19
Edit Histogram dialog box
field descriptions
13-17, 13-24, 13-30
user roles
13-15
editing
blocking devices
16-15
event action filters
8-22, 12-17
event action overrides
12-14
event variables
8-35, 12-29
interfaces
7-17
IPv4 target value ratings
8-25, 12-20
IPv6 target value ratings
8-27, 12-22
OS maps
8-31, 12-27
rate limiting devices
16-15
risk categories
8-37, 12-32
signatures
10-22
signature variables
10-39
virtual sensors
8-12
Edit Inline VLAN Pair dialog box
field descriptions
7-21
user roles
7-20
Edit Inline VLAN Pair Entry dialog box field descriptions
5-11
Edit Interface dialog box
field descriptions
7-17
user roles
7-15
Edit Interface Pair dialog box
field descriptions
7-19
user roles
7-18
Edit IP Logging dialog box field descriptions
17-11
Edit Known Host Key dialog box
user roles
15-8
Edit Known Host RSA1 Key dialog box
field descriptions
15-9
Edit Known Host RSA Key dialog box
field descriptions
15-7
user roles
15-6
Edit Master Blocking Sensor dialog box
field descriptions
16-25
user roles
16-24
Edit Never Block Address dialog box
field descriptions
16-10
user roles
16-7
Edit Posture ACL dialog box field descriptions
19-7
Edit Protocol Number dialog box field descriptions
13-18, 13-25, 13-32
Edit Risk Level dialog box
field descriptions
8-37, 12-31
user roles
8-36, 12-31
Edit Router Blocking Device Interface dialog box
field descriptions
16-19
user roles
16-17
Edit Signature dialog box field descriptions
10-13
Edit Signature Variable dialog box
field descriptions
10-38
user roles
10-38
Edit SNMP Trap Destination dialog box
field descriptions
18-8
user roles
18-7
Edit SNMPv3 User dialog box
field descriptions
18-4
user roles
18-3
Edit Start Time dialog box
field descriptions
13-14
user roles
13-12
Edit Target Value Rating dialog box
field descriptions
8-25, 8-26
user roles
8-24, 8-26
Edit User dialog box
field descriptions
6-22
user roles
6-19, 6-22
Edit Virtual Sensor dialog box
field descriptions
8-10
user roles
8-9
Edit VLAN Group dialog box
field descriptions
7-23
user roles
7-22
efficacy
described
14-4
measurements
14-4
email notification
configuring (IME)
1-13
example (IME)
1-11
email setup (IME)
1-11
Email Setup dialog box
configuring
1-11
described
1-10
field descriptions
1-10
enabling
anomaly detection
13-4
event action filters
8-22, 12-17
event action overrides
12-14
interfaces
7-16
packet logging
20-3
signatures
10-19
enabling debug logging
C-45
Encryption Software Export Distribution Authorization form
cryptographic account
26-2
described
26-2
engines
AIC
B-10
AIC FTP
B-11
AIC HTTP
B-11
Atomic ARP
B-13
Atomic IP
11-13, B-24
Atomic IP Advanced
B-14
Atomic IPv6
B-27
Fixed
B-28
Fixed ICMP
B-28
Fixed TCP
B-28
Fixed UDP
B-28
Flood
B-31
Flood Host
B-31
Flood Net
B-31
Master
B-4
Meta
10-27, B-32
Multi String
B-34
Normalizer
B-35
Service
B-39
Service DNS
B-39
Service FTP
B-40
Service Generic
B-41
Service H225
B-43
Service HTTP
11-16, B-45
Service IDENT
B-47
Service MSRPC
11-11, B-48
Service MSSQL
B-50
Service NTP
B-51
Service P2P
B-52
Service RPC
11-19, B-52
Service SMB Advanced
B-54
Service SNMP
B-56
Service SSH
B-57
Service TNS
B-57
State
11-20, B-59
String
11-21, 11-24, B-61
String ICMP
11-21, 11-24, B-61
String TCP
11-21, 11-24, B-61
String UDP
11-21, 11-24, B-61
Sweep
11-24, B-67
Sweep Other TCP
B-69
Traffic Anomaly
B-70
Traffic ICMP
B-72
Trojan
B-73
EPS
described
1-3
IME Home pane
1-3
erase license-key command
20-15
errors (Analysis Engine)
C-52
evAlert
A-9
event action filters
adding
8-22, 12-17
configuring
8-22, 12-17
deleting
8-22, 12-17
described
8-19, 12-4
disabling
8-22, 12-17
editing
8-22, 12-17
enabling
8-22, 12-17
moving
8-22, 12-17
Event Action Filters tab
configuring
8-22, 12-17
described
8-19, 12-15
field descriptions
8-20, 12-15
event action overrides
adding
12-14
deleting
12-14
described
8-5, 12-4
editing
12-14
enabling
12-14
risk rating range
8-5, 12-4
Event Action Overrides tab
described
12-13
field descriptions
12-13
Event Action Rules (rules0) pane described
12-13
Event Action Rules pane
described
12-2, 12-11
field descriptions
12-12
user roles
12-11
event action rules policies
adding
12-12
cloning
12-12
deleting
12-12
event action rules variables
8-19, 12-15
event actions
risk ratings
8-6, 12-4
threat ratings
8-6, 12-4
event connection status
displaying
2-5
starting
2-5
stopping
2-5
Event Monitoring pane
described
22-1
filters
22-2
events
clearing
6-16, 21-4, C-100
color rules
22-2
displaying
C-98
grouping
22-2
host posture
19-2
quarantined IP address
19-2
Events pane
configuring
21-3
described
21-1
field descriptions
21-2
events per second. See EPS.
Event Store
clearing
6-16, 21-4, C-100
clearing events
6-12, C-17
data structures
A-8
described
A-4
examples
A-7
no alerts
C-32
responsibilities
A-7
time stamp
6-12, C-17
timestamp
A-7
event types
C-97
event variables
adding
8-35, 12-29
configuring
8-35, 12-29
deleting
8-35, 12-29
described
8-33, 12-28
editing
8-35, 12-29
example
8-34, 12-29
Event Variables tab
configuring
8-35, 12-29
field descriptions
8-34, 12-29
Event Viewer pane
displaying events
21-3
field descriptions
21-3
event views
creating
22-4
using
22-4
evError
A-9
evLogTransaction
A-9
evShunRqst
A-9
evStatus
A-9
example custom signatures
Atomic IP Advanced
10-31, 11-14
Meta
10-28
Service HTTP
11-17
String TCP
11-22
String TCP XL
10-33
examples
AIC engine signature
10-50
ASA failover configuration
C-60, C-71
Atomic IP Advanced engine signature
10-30, 11-14
automatic update
20-24
configured OS maps
8-30, 12-24
default anomaly detection configuration
13-4
email notification (IME)
1-11
email notifications (IME)
1-14
IP Fragment Reassembly signature
10-54
IPv6 attacker address
8-20, 12-16
IPv6 victim address
8-21, 12-16
KB histogram
13-13, 21-8
Meta engine signature
10-28
Service HTTP engine signature
11-17
SPAN configuration for IPv6 support
7-11
String TCP engine signature
11-22
String TCP XL engine signature
10-33, 10-36
System Configuration Dialog
25-2
TCP Stream Reassembly signature
10-61
external product interfaces
adding
19-7
described
19-1
issues
19-3, C-22
troubleshooting
19-10, C-22
trusted hosts
19-4
External Product Interfaces pane
described
19-4
field descriptions
19-5
external zone
configuring
13-32
protocols
13-29
External Zone tab
described
13-29
tabs
13-29
user roles
13-29
F
false positives described
10-2
Fields tab described
22-2
files
Cisco IPS (list)
26-1
Filtered Events vs All Events Reports described
1-15, 23-2
filtering described
22-2
Filter pane field descriptions
22-3
filters
configuring
3-16, 22-6
creating reports
23-2
Fixed engine described
B-28
Fixed ICMP engine parameters (table)
B-29
Fixed TCP engine parameters (table)
B-29
Fixed UDP engine parameters (table)
B-30
Flood engine described
B-31
Flood Host engine parameters (table)
B-31
Flood Net engine parameters (table)
B-32
flow states clearing
21-19
FTP servers
automatic updates
20-20
signature updates
20-26
FTP servers and software updates
20-21, 27-3
G
gadgets
adding
3-1
Attacks Over Time
3-13
CPU, Memory, & Load
3-10
deleting
3-1
Global Correlation Health
3-7
Global Correlation Reports
3-6
Interface Status
3-5
Licensing
3-5
Network Security
3-8
RSS Feed
3-11
Sensor Health
3-3
Sensor Information
3-2
Top Applications
3-9
Top Attackers
3-11
Top Signatures
3-13
Top Victims
3-12
General dialog box
configuring
1-8
described
1-7
field descriptions
1-8
user roles
1-8
general settings
configuring
8-40, 12-34
described
8-39, 12-33
General tab
configuring
8-40, 12-34
described
8-39, 12-33, 13-16, 13-23
described (IME)
22-2
enabling zones
13-16, 13-23
field descriptions
8-39, 12-34, 13-16, 13-23
user roles
8-39, 12-33
generating diagnostics reports
21-21
global correlation
23-2
described
1-2, 14-1, 14-2
disabling
14-12
disabling about
14-12
DNS server
14-6
error messages
A-29
features
14-5
goals
14-5
health metrics
14-7
health status
14-7
HTTP proxy server
14-6
IPS reloading messages
C-69, C-75
license
6-3, 14-6, 14-8, 25-1, 25-5
no IPv6 support
8-22, 8-27, 8-34, 14-6
Produce Alert
10-3, 10-15, 12-8
requirements
14-6
risk rating
14-5
shared policies
9-1
troubleshooting
14-11, C-21
update client (illustration)
14-8
global correlation connection status
displaying
2-5
starting
2-5
stopping
2-5
Global Correlation Health gadget
configuring
3-8
described
3-7
Global Correlation Reports described
23-2
Global Correlation Reports gadget
configuring
3-6
described
3-6
Global Correlation Update
client described
A-28
server described
A-28
Group By tab described
22-2
grouping events
22-2
GRUB menu password recovery
20-5, C-8
H
H.225.0 protocol
B-43
H.323 protocol
B-43
health connection status
displaying
2-5
starting
2-5
stopping
2-5
health status
global correlation
14-7
metrics
3-4
sensor
3-3
health status display
C-76
host blocks
adding
17-4
deleting
17-4
managing
17-4
Host Blocks pane
configuring
17-4
described
17-3
field descriptions
17-3
user roles
17-3
host posture events
CSA MC
19-3
described
19-2
HTTP/HTTPS servers supported
20-21, 27-3
HTTP advanced decoding
described
8-4
platform support
8-5
restrictions
8-4
HTTP deobfuscation
ASCII normalization
11-16, B-45
described
11-16, B-45
hw-module module slot_number password-reset command
20-8, C-12
I
IDAPI
communications
A-4, A-32
described
A-4
functions
A-32
illustration
A-32
responsibilities
A-32
IDCONF
described
A-33
example
A-33
RDEP2
A-33
XML
A-33
IDIOM
defined
A-32
messages
A-32
IDM
Analysis Engine is busy
C-56
certificates
15-11
Custom Signature Wizard supported signature engines
11-2
TLS
15-11
will not load
C-55
illegal zone configuring
13-25
Illegal Zone tab
described
13-22
user roles
13-22
IME
color rules
22-2
Color Rules tab
22-2
configuring
automatic reporting
1-15
email notification
1-13
filters
3-16, 22-6
RSS feeds
4-2
views
3-16, 22-6
cryptographic features
1-2
dashboards
adding
3-1
deleting
3-1
Demo mode
1-4
described
1-1
devices
adding
2-4
deleting
2-4
editing
2-4
email notification example
1-14
EPS
1-3
event connection status
displaying
2-5
starting
2-5
stopping
2-5
Event Monitoring pane
22-1
Fields tab
22-2
filtering
22-2
gadgets
adding
3-1
deleting
3-1
General tab
22-2
global correlation connection status
displaying
2-5
starting
2-5
stopping
2-5
Group By tab
22-2
grouping events
22-2
health connection status
displaying
2-5
starting
2-5
stopping
2-5
installation notes and caveats
1-5
installing
1-4
known host key retrieval
15-6, 15-7, 15-8, 15-9
menu features
1-3
MySQL database
1-5
password recovery
20-11, C-14
password requirements
1-6
reports
configuring
23-3
described
23-1
generating
23-3
report types
23-1
using event views
22-4
video help
1-3
working with
top attacker IP addresses
3-14
top signatures
3-15
top victim IP addresses
3-14
IME Home pane
described
1-3
EPS
1-3
features
1-3
IME time synchronization problems
C-58
Imported OS pane
clearing
21-18
described
21-18
field descriptions
21-18
imported OS values
clearing
21-18
deleting
21-18
inactive mode (anomaly detection)
13-4
initializing
appliances
25-8
ASA 5500-X IPS SSP
25-13
ASA 5585-X IPS SSP
25-17
sensors
6-1, 25-1, 25-4
verifying
25-21
inline interface pair mode
configuration restrictions
7-8
described
7-12
illustration
7-12
Inline Interface Pair window
described
5-10
Startup Wizard
5-10
inline mode
interface cards
7-3
normalization
8-4
pairing interfaces
7-3
inline TCP session tracking modes described
8-4
inline VLAN pair mode
configuration restrictions
7-9
configuring
5-11
described
7-13
illustration
7-13
supported sensors
7-13
Inline VLAN Pairs window
described
5-10
field descriptions
5-11
Startup Wizard
5-10
Inspection/Reputation pane
configuring
14-9
described
14-8
field descriptions
14-9
Inspection Load Statistics pane
configuring
21-5
described
21-4
field descriptions
21-4
user roles
21-4
installer major version
26-5
installer minor version
26-5
installing
IME
1-4
sensor license
20-14
system image
ASA 5500-X IPS SSP
27-23
ASA 5585-X IPS SSP
27-25
IPS 4345
27-17
IPS 4360
27-17
IPS 4510
27-20
IPS 4520
27-20
IPS 4520-XL
27-20
IntelliShield
alerts
10-11
MySDN
10-11
InterfaceApp described
A-4
interface pairs
configuring
7-19
described
7-18
Interface Pairs pane
configuring
7-19
described
7-18
field descriptions
7-19
user roles
7-18
interfaces
alternate TCP reset
7-2
command and control
7-2
configuration restrictions
7-8
configuring
7-16
described
5-8, 7-1
disabling
7-16
editing
7-17
enabling
7-16
logical
5-8
physical
5-8
port numbers
7-1
sensing
7-2, 7-3
slot numbers
7-1
support (table)
7-4
TCP reset
7-6
Interface Selection window
described
5-10
Startup Wizard
5-10
Interfaces pane
configuring
7-16
described
7-15
field descriptions
7-15
user roles
7-15
Interface Statistics pane
configuring
21-6
described
21-5
field descriptions
21-6
Interface Status gadget
configuring
3-6
described
3-5
Interface Summary window
described
5-8
field descriptions
5-9
internal zone configuring
13-19
Internal Zone tab
described
13-15
user roles
13-15
IP fragmentation described
B-36
IP fragment reassembly
configuring
10-53
described
10-51
mode
10-53
parameters (table)
10-52
signatures
10-54
signatures (example)
10-54
signatures (table)
10-52
IP logging
described
10-61, 17-10
event actions
17-11
system performance
17-10, 17-11
IP Logging pane
configuring
17-12
described
17-11
field descriptions
17-11
user roles
17-10
IP Logging Variables pane
described
20-18
field description
20-18
user roles
20-18
IP logs
circular buffer
17-10
states
17-10
TCPDUMP
17-10
viewing
17-12
WireShark
17-10
IPS 4345
installing system image
27-17
password recovery
20-5, C-8, C-9
reimaging
27-17
IPS 4360
installing system image
27-17
password recovery
20-5, C-8, C-9
reimaging
27-17
IPS 4510
installing system image
27-20
password recovery
20-5, C-8, C-9
reimaging
27-20
SwitchApp
A-29
IPS 4520
installing system image
27-20
password recovery
20-5, C-8, C-9
reimaging
27-20
SwitchApp
A-29
IPS 4520-XL
installing system image
27-20
password recovery
20-5, C-8, C-9
reimaging
27-20
SwitchApp
A-29
IPS appliances
Deny Connection Inline
10-5, 10-18, 12-10
Deny Packet Inline
10-5, 10-18, 12-10
Reset TCP Connection
10-5, 10-18, 12-10
TCP reset packets
10-5, 10-18, 12-10
IPS applications
summary
A-35
table
A-35
XML format
A-4
IPS clock synchronization
C-16
IPS data
types
A-8
XML document
A-9
IPS events
evAlert
A-9
evError
A-9
evLogTransaction
A-9
evShunRqst
A-9
evStatus
A-9
list
A-9
types
A-9
IPS internal communications
A-32
IPS Manager Express described
1-1
IPS modules unsupported features
5-2
IPS Policies pane
described
8-8
Event Action Rules
8-8
field descriptions
8-9
IPS software
application list
A-4
available files
26-1
configuring device parameters
A-5
directory structure
A-34
Linux OS
A-1
obtaining
26-1
retrieving data
A-5
security features
A-5
tuning signatures
A-5
updating
A-5
user interaction
A-5
versioning scheme
26-3
IPS software file names
major updates (illustration)
26-4
minor updates (illustration)
26-4
patch releases (illustration)
26-4
service packs (illustration)
26-4
IPv4
address format
8-33, 12-28
event variables
8-33, 12-28
IPv4 Add Target Value Rating dialog box
field descriptions
12-20
user roles
12-19
IPv4 Edit Target Value Rating dialog box
field descriptions
12-20
user roles
12-19
IPv4 target value ratings
adding
8-25, 12-20
deleting
8-25, 12-20
editing
8-25, 12-20
IPv4 Target Value Rating tab
configuring
8-25, 12-20
field descriptions
8-24, 12-20
IPv6
address format
8-33, 12-28
described
B-28
event variables
8-33, 12-28
SPAN ports
7-11
switches
7-11
IPv6 Add Target Value Rating dialog box
field descriptions
12-22
user roles
12-21
IPv6 Edit Target Value Rating dialog box
field descriptions
12-22
user roles
12-21
IPv6 target value ratings
adding
8-27, 12-22
configuring
8-27, 12-22
deleting
8-27, 12-22
editing
8-27, 12-22
IPv6 Target Value Rating tab
configuring
8-27, 12-22
field descriptions
8-26, 12-21
K
KBs
comparing
21-12
default filename
13-12
deleting
21-14
described
13-3
downloading
21-15
histogram
13-12, 21-7
initial baseline
13-3
learning accept mode
13-12
loading
21-13
monitoring
21-10
renaming
21-15
saving
21-14
scanner threshold
13-12, 21-7
tree structure
13-12, 21-7
uploading
21-16
Knowledge Base. See KB.
Known Host RSA1 Keys pane
configuring
15-9
described
15-8, 15-9
field descriptions
15-9
Known Host RSA Keys pane
configuring
15-7
described
15-6
field descriptions
15-7
L
Learned OS pane
clearing
21-17
described
21-17
field descriptions
21-17
learned OS values
clearing
21-17
deleting
21-17
learning accept mode
anomaly detection
13-3
configuring
13-14
Learning Accept Mode tab
described
13-12
field descriptions
13-14
user roles
13-12
license key
obtaining
20-12
trial
20-12
uninstalling
20-15
viewing status of
20-12
licensing
described
20-12
IPS device serial number
20-12
Licensing gadget
configuring
3-5
described
3-5
Licensing pane
configuring
20-14
described
20-12
field descriptions
20-14
user roles
20-12
limitations for concurrent CLI sessions
24-1
listings UNIX-style
20-21
loading KBs
21-13
local authentication configuring
6-23
Logger
described
A-4, A-19
functions
A-19
syslog messages
A-19
logging in
appliances
24-2
ASA 5500-X IPS SSP
24-4
ASA 5585-X IPS SSP
24-5
sensors
SSH
24-6
Telnet
24-6
service role
24-2
terminal servers
24-3, 27-16
user role
24-1
LOKI
described
B-72
protocol
B-72
loose connections on sensors
C-23
M
MainApp
components
A-6
described
A-4, A-6
host statistics
A-6
responsibilities
A-6
show version command
A-6
major updates described
26-3
Manage Filter Rules dialog box field descriptions
3-18
managing
host blocks
17-4
network blocks
17-7
rate limiting
17-9
manifests
client
A-28
server
A-28
manually updating sensor
20-26
master blocking sensor
described
16-24
not set up properly
C-43
verifying configuration
C-43
Master Blocking Sensor pane
configuring
16-25
described
16-24
field descriptions
16-25
Master engine
alert frequency
B-7
alert frequency parameters (table)
B-7
described
B-4
event actions
10-2, 12-7, B-8
general parameters (table)
B-4
universal parameters
B-4
master engine parameters
obsoletes
B-6
promiscuous delta
B-6
vulnerable OSes
B-6
merging configuration files
C-2
Meta engine
described
10-27, B-32
parameters (table)
B-33
Signature Event Action Processor
10-27, B-32
Meta Event Generator described
8-39, 12-33
metrics for sensor health
20-16
MIBs supported
18-10, C-18
minor updates described
26-3
Miscellaneous tab
application policy parameters
10-40
configuring
application policy
10-50
IP fragment reassembly mode
10-53
IP logging
10-62
TCP stream reassembly mode
10-60
described
10-40
field descriptions
10-41
IP fragment reassembly options
10-40
IP logging options
10-41
TCP stream reassembly
10-40
user roles
10-40
modes
anomaly detection detect
13-4
anomaly detection learning accept
13-3
asymmetric
8-4
bypass
7-25
inactive (anomaly detection)
13-4
inline interface pair
7-12
inline TCP tracking
8-4
inline VLAN pair
7-13
Normalizer
8-4
promiscuous
7-10
VLAN groups
7-13
monitoring
displaying statistics
21-6
events
21-3
inspection load statistics
21-4, 21-5
KBs
21-10
moving
event action filters
8-22, 12-17
OS maps
8-31, 12-27
Multi String engine
described
B-34
parameters (table)
B-34
Regex
B-34
MySDN
described
10-11
IntelliShield
10-12
MySQL database
coexisting with IME
1-5
installing IME
1-5
N
NAS-ID
described
6-23
RADIUS authentication
6-23
Neighborhood Discovery
options
B-28
types
B-28
network blocks
adding
17-7
deleting
17-7
managing
17-7
Network Blocks pane
configuring
17-7
described
17-6
field descriptions
17-6
user roles
17-6
Network pane
configuring
6-3
described
6-2
field descriptions
6-2
TLS/SSL
6-4
user roles
6-2
network participation
data gathered
14-3
data use (table)
1-2, 14-2
described
14-3
health metrics
14-7
modes
14-4
requirements
14-3
SensorBase Network
14-4
statistics
14-4
network participation data
improving signature fidelity
14-4
understanding sensor deployment
14-4
Network Participation pane
configuring
14-11
described
14-10
field descriptions
14-10
Network Security gadget
configuring
3-9
described
3-8
never block
hosts
16-7
networks
16-7
normalization described
8-4
Normalizer engine
described
B-36
IPv6 fragments
B-36
modify packets inline
8-3
parameters (table)
B-37
NotificationApp
alert information
A-9
described
A-4
functions
A-9
SNMP gets
A-9
SNMP traps
A-9
SNMPv3
A-9
statistics
A-11
system health information
A-10
Notifications dialog box
configuring
1-13
field descriptions
1-12
NTP
authenticated
6-11, 6-14, C-15
configuring servers
6-13
described
6-11, C-15
incorrect configuration
6-12, C-16
sensor time source
6-13, 6-14
time synchronization
6-11, C-15
unauthenticated
6-11, 6-14, C-15
verifying configuration
6-12
O
Obfuscated Traffic/Attacks reports described
23-2
obsoletes field described
B-6
obtaining
cryptographic account
26-2
IPS software
26-1
license key
20-12
sensor license
20-14
one-way TCP reset described
8-39, 12-33
Operation Settings tab
described
13-11
field descriptions
13-11
user roles
13-11
OS Identifications tab
described
8-30, 12-23
field descriptions
8-30, 12-25
OS information sources
8-29, 12-24
OS maps
adding
8-31, 12-27
configuring
8-31, 12-27
deleting
8-31, 12-27
editing
8-31, 12-27
moving
8-31, 12-27
other actions (list)
10-4, 10-17, 12-9
Other Protocols tab
described
13-18, 13-25, 13-31
enabling other protocols
13-18
external zone
13-31
field descriptions
13-18, 13-31
illegal zone
13-25
P
P2P networks described
B-52
Packet Logging pane
described
20-3
field descriptions
20-3
partitions
application
A-4
recovery
A-4
passive OS fingerprinting
components
8-28, 12-24
configuring
8-29, 12-25
described
8-28, 12-24
enabled (default)
8-29, 12-25
password policy caution
20-2, 20-3
password recovery
appliances
20-5, C-8
ASA 5500-X IPS SSP
20-6, C-10
ASA 5585-X IPS SSP
20-8, C-12
CLI
20-10, C-14
described
20-4, C-8
disabling
20-10, C-14
displaying setting
20-11, C-14
GRUB menu
20-5, C-8
IME
20-11, C-14
IPS 4345
20-5, C-8, C-9
IPS 4360
20-5, C-8, C-9
IPS 4510
20-5, C-8, C-9
IPS 4520
20-5, C-8, C-9
IPS 4520-XL
20-5, C-8, C-9
platforms
20-4, C-8
ROMMON
20-5, C-9
troubleshooting
20-11, C-15
verifying
20-11, C-14
password requirements configuring
20-2
Passwords pane
configuring
20-2
described
20-1
field descriptions
20-2
patch releases described
26-3
peacetime learning (anomaly detection)
13-3
Peer-to-Peer. See P2P.
physical connectivity issues
C-30
physical interfaces configuration restrictions
7-8
ping device tool (IME)
1-3, 2-6, 3-15, 3-16, 22-6
platforms concurrent CLI sessions
24-1
policy groups
described
9-4
managing
9-4
Post-Block ACLs
16-17, 16-18
Pre-Block ACLs
16-17, 16-18
prerequisites for blocking
16-5
promiscuous delta
calculating risk rating
8-6, 12-3
described
8-6, 12-3
promiscuous delta described
B-6
promiscuous mode
atomic attacks
7-10
described
7-10
illustration
7-11
packet flow
7-10
SPAN ports
7-11
TCP reset interfaces
7-7
VACL capture
7-11
protocols
ARP
B-13
CDP
7-27
CIDEE
A-34
DCE
11-11, B-48
DDoS
B-72
H.323
B-43
H225.0
B-43
ICMPv6
B-14
IDAPI
A-32
IDCONF
A-33
IDIOM
A-32
IPv6
B-28
LOKI
B-72
MSSQL
B-50
Neighborhood Discovery
B-28
Q.931
B-43
RPC
11-11, B-48
SDEE
A-33
Signature Wizard
11-10
Q
Q.931 protocol
described
B-43
SETUP messages
B-43
quarantined IP address events described
19-2
R
RADIUS
multiple cisco av-pairs
6-21, 6-24
RADIUS attempt limit
C-21
RADIUS authentication
configuring
6-23
described
6-19
NAS-ID
6-23
service account
6-19
shared secret
6-24
rate limiting
ACLs
16-5
configuring
17-9
described
16-4
managing
17-9
percentages
17-8
routers
16-4
service policies
16-5
supported signatures
16-4
rate limiting devices
adding
16-15
deleting
16-15
editing
16-15
rate limits
adding
17-9
deleting
17-9
Rate Limits pane
configuring
17-9
described
17-7
field descriptions
17-8
raw expression syntax
described
B-63
expert mode
B-63
Raw Regex
described
10-34, 10-37, B-63
expert mode
10-34, 10-37, B-63
rebooting the sensor
20-29
Reboot Sensor pane
configuring
20-29
described
20-29
user roles
20-28
receiving RSS feeds (IME)
4-1
recover command
27-14
recovering the application partition image
27-14
recovery partition
described
A-4
recovery partition upgrade
27-7
Regex
Multi String engine
B-34
standardized
10-6, B-1
Regular Expression. See also Regex.
regular expression syntax
raw Regex
10-34, 10-37, B-63
signatures
B-9
reimaging
ASA 5500-X IPS SSP
27-23
ASA 5585-X IPS SSP
27-25
described
27-2
IPS 4345
27-17
IPS 4360
27-17
IPS 4510
27-20
IPS 4520
27-20
IPS 4520-XL
27-20
sensors
27-2, 27-14
removing
last applied
service pack
27-13
signature update
27-13
Rename Knowledge Base dialog box field descriptions
21-14
renaming KBs
21-15
reports
configuring
23-3
customizing
23-2
described
23-1
generating
23-3
using filters
23-2
Reports dialog box
configuring
1-15
field descriptions
1-14
report types
23-2
attacks over time
1-15, 23-2
demo
23-1
filtered events vs all events
1-15, 23-2
obfuscated traffic/attacks
23-2
top attackers
1-15, 23-1
top signatures
1-15, 23-2
top victim
1-15, 23-2
user-defined
23-1
reputation
described
14-2
illustration
14-3
servers
14-3
requirements passwords (IME)
1-6
Reset Network Security Health pane
described
21-20
field descriptions
21-20
resetting data
21-20
user roles
21-20
reset not occurring for a signature
C-51
resetting
hit counts for denied attackers
17-2
network security health data
21-20
passwords
ASDM
20-8, 20-10, C-11, C-13
hw-module command
20-8, C-12
sw-module command
20-7, C-10
resetting the password
ASA 5500-X IPS SSP
20-7, C-10
ASA 5585-X IPS SSP
20-9, C-12
Restore Default Interface dialog box field descriptions
5-9
Restore Defaults pane
configuring
20-28
described
20-28
user roles
20-28
restoring
defaults
20-28
restoring the current configuration
C-5
retiring signatures
10-19
risk categories
adding
8-37, 12-32
configuring
8-37, 12-32
deleting
8-37, 12-32
editing
8-37, 12-32
Risk Category tab
configuring
8-37, 12-32
described
8-36, 12-31
field descriptions
8-36, 12-31
risk rating
Alarm Channel
14-5
calculating
8-5, 12-2
described
8-28, 12-24
global correlation
14-5
reputation score
14-5
ROMMON
ASA 5585-X IPS SSP
27-27
described
27-16
IPS 4345
20-5, 27-17, C-9
IPS 4360
20-5, 27-17, C-9
IPS 4510
20-5, 27-20, C-9
IPS 4520
20-5, 27-20, C-9
IPS 4520-XL
20-5, 27-20
password recovery
20-5, C-9
remote sensors
27-16
serial console port
27-16
TFTP
27-16
round-trip time. See RTT.
Router Blocking Device Interfaces pane
configuring
16-19
described
16-17
field descriptions
16-19
RPC portmapper
11-19, B-52
RSS Feed gadgets
configuring
3-11
described
3-11
RSS feeds
channels
4-1
configuring
4-2
described
4-1
formats
4-1
receiving
4-1
RTT
described
27-16
TFTP limitation
27-16
S
Save Knowledge Base dialog box
described
21-13
field descriptions
21-13
saving KBs
21-14
scheduling automatic upgrades
27-10
SDEE
described
A-33
HTTP
20-19, A-33
protocol
A-33
server requests
20-19, A-34
SDEE Subscription pane
user roles
20-19
SDEE Subscriptions pane
field descriptions
20-19
security
account locking
6-25
information on Cisco Security Intelligence Operations
26-7
information on MySDN
10-11
SSH
15-2
security policies described
8-1, 10-1, 12-1, 13-1
sensing interface
ASA 5500-X IPS SSP
8-14
ASA 5585-X IPS SSP
8-14
sensing interfaces
Analysis Engine
7-3
described
7-3
interface cards
7-3
modes
7-3
SensorApp
Alarm Channel
A-24
Analysis Engine
A-24
described
A-4
event action filtering
A-25
inline packet processing
A-24
IP normalization
A-24
packet flow
A-25
processors
A-23
responsibilities
A-23
risk rating
A-25
Signature Event Action Processor
A-23
signature updates
20-22
TCP normalization
A-24
SensorBase Network
described
1-2, 14-1, 14-2
network participation
14-4
participation
1-2, 14-2
servers
1-2, 14-2
sensor health
critical settings
20-16
metrics
20-16
Sensor Health gadget
configuring
3-4
described
3-3
metrics
3-4
status
3-4
Sensor Health pane
described
20-16
field descriptions
20-17
user roles
20-16
Sensor Information gadget
configuring
3-3
described
3-2
Sensor Key pane
button functions
15-11
described
15-10
field descriptions
15-11
sensor SSH host key
displaying
15-11
generating
15-11
user roles
15-10
sensor license
installing
20-14
obtaining
20-14
sensors
access problems
C-25
application partition image
27-14
asymmetric traffic and disabling anomaly detection
13-35, C-19
blocking self
16-8
command and control interfaces (list)
7-2
configuring to use NTP
6-14
corrupted SensorApp configuration
C-35
diagnostics reports
21-21
disaster recovery
C-6
downgrading
27-13
incorrect NTP configuration
6-12, C-16
initializing
6-1, 25-1, 25-4
interface support
7-4
IP address conflicts
C-27
logging in
SSH
24-6
Telnet
24-6
loose connections
C-23
misconfigured access lists
C-27
no alerts
C-32, C-57
not seeing packets
C-33
NTP time source
6-14
NTP time synchronization
6-11, C-15
partitions
A-4
physical connectivity
C-30
preventive maintenance
C-2
rebooting
20-29
reimaging
27-2
restoring defaults
20-28
sensing process not running
C-29
setup command
6-1, 25-1, 25-4, 25-8
shutting down
20-29
statistics
21-23
system information
21-24
time sources
6-11, C-15
troubleshooting software upgrades
C-54
updating
20-26
upgrading
27-5
using NTP time source
6-13
Sensor Setup window
described
5-2, 5-4
Startup Wizard
5-2, 5-4
Server Certificate pane
button functions
15-14
certificate
displaying
15-15
generating
15-15
described
15-14
field descriptions
15-14
user roles
15-14
server manifest described
A-28
service account
accessing
6-18, C-5
cautions
6-18, C-5
creating
C-6
described
6-18, A-31, C-5
RADIUS authentication
6-19
TAC
A-31
troubleshooting
A-31
Service Activity pane
described
20-18
field descriptions
20-19
Service DNS engine
described
B-39
parameters (table)
B-39
Service engine
described
B-39
Layer 5 traffic
B-39
Service FTP engine
described
B-40
parameters (table)
B-41
PASV port spoof
B-40
Service Generic engine
described
B-41
no custom signatures
B-41
parameters (table)
B-42
Service H225 engine
ASN.1PER validation
B-43
described
B-43
features
B-43
parameters (table)
B-44
TPKT validation
B-43
Service HTTP engine
custom signature
11-17
described
11-16, B-45
example signature
11-17
parameters (table)
B-46
Service IDENT engine
described
B-47
parameters (table)
B-48
Service MSRPC engine
DCE/RPC protocol
11-11, B-48
described
11-11, B-48
parameters (table)
B-49
Service MSSQL engine
described
B-50
MSSQL protocol
B-50
parameters (table)
B-51
Service NTP engine
described
B-51
parameters (table)
B-51
Service P2P engine described
B-52
service packs described
26-3
service role
6-18, 24-2, A-30
Service RPC engine
described
11-19, B-52
parameters (table)
B-52
RPC portmapper
11-19, B-52
Service SMB Advanced engine
described
B-54
parameters (table)
B-54
Service SNMP engine
described
B-56
parameters (table)
B-56
Service SSH engine
described
B-57
parameters (table)
B-57
Service TNS engine
described
B-57
parameters (table)
B-58
session command
ASA 5500-X IPS SSP
24-4
ASA 5585-X IPS SSP
24-5
sessioning in
ASA 5500-X IPS SSP
24-4
ASA 5585-X IPS SSP
24-5
setting
current KB
21-13
system clock
6-16
setting up
IME email notification
1-11
terminal servers
24-3, 27-16
setup
automatic
25-2
command
6-1, 25-1, 25-4, 25-8, 25-13, 25-17
simplified mode
25-2
shared policies
adding
9-3
deleting
9-3
described
9-1
restrictions
9-2
shared secret
described
6-24
RADIUS authentication
6-24
show events command
C-97, C-98
show health command
C-76
show interfaces command
C-95
show module 1 details command
C-60, C-71
show settings command
20-11, C-14
show statistics command
C-83, C-84
show statistics virtual-sensor command
C-24, C-84
show tech-support command
C-77
show version command
C-80
Shut Down Sensor pane
configuring
20-29
described
20-29
user roles
20-29
shutting down the sensor
20-29
sig0 pane
column heads
10-10
configuration buttons
10-11
default
10-10
described
10-10
field descriptions
10-12
signatures
assigning actions
10-23
cloning
10-21
tuning
10-22
tabs
10-10
signature definition policies
adding
10-9
cloning
10-9
default policy
10-8
deleting
10-9
sig0
10-8
Signature Definitions pane
described
10-8
field descriptions
10-9
signature engines
AIC
B-10
Atomic
B-13
Atomic ARP
B-13
Atomic IP
11-13, B-24
Atomic IP Advanced
B-14
Atomic IPv6
B-27
creating custom signatures
11-1
described
10-6, B-1
Fixed
B-28
Flood
B-31
Flood Host
B-31
Flood Net
B-32
list
10-6, B-2
Master
B-4
Meta
10-27, B-32
Multi String
B-34
Normalizer
B-36
Regex
patterns
B-10
syntax
B-9
Service
B-39
Service DNS
B-39
Service FTP
B-40
Service Generic
B-41
Service H225
B-43
Service HTTP
11-16, B-45
Service IDENT
B-47
Service MSRPC
11-11, B-48
Service MSSQL
B-50
Service NTP
B-51
Service P2P
B-52
Service RPC
11-19, B-52
Service SMB Advanced
B-54
Service SNMP
B-56
Service SSH engine
B-57
Service TNS
B-57
State
11-20, B-59
String
11-21, 11-24, B-61
supported by IDM
11-2
Sweep
11-24, B-67
Sweep Other TCP
B-69
Traffic Anomaly
B-70
Traffic ICMP
B-72
Trojan
B-73
signature engine update files described
26-4
Signature Event Action Filter
described
12-6, A-26
parameters
12-6, A-26
Signature Event Action Handler described
12-6, A-26
Signature Event Action Override described
12-6, A-26
Signature Event Action Processor
Alarm Channel
12-6, A-26
components
12-6, A-26
described
12-6, A-23, A-26
signature fidelity rating
calculating risk rating
8-5, 12-3
described
8-5, 12-2
signatures
adding
10-19
alert frequency
10-25
assigning actions
10-23
cloning
10-21
custom
10-2
default
10-2
described
10-1
disabling
10-19
editing
10-22
enabling
10-19
false positives
10-2
rate limits
16-4
retiring
10-19
String TCP XL
10-36
subsignatures
10-2
TCP reset
C-51
tuned
10-2
tuning
10-22
Signatures window
field descriptions
5-16
user roles
5-15
Signatures window described
5-15
signature threat profiles
applying
5-16
platform support
5-15
signature update
files
26-4
IPS reloading messages
C-69, C-75
signature updates
bypass mode
20-22
FTP server
20-26
installation time
20-21
SensorApp
20-22
signature variables
adding
10-39
configuring
10-39
deleting
10-39
described
10-38
editing
10-39
Signature Variables tab
configuring
10-39
field descriptions
10-38
Signature Wizard
protocols
11-10
signature identification
11-11
SNMP
configuring
18-2
described
18-1
General Configuration pane
field descriptions
18-2
user roles
18-2
Get
18-1
GetNext
18-1
Set
18-1
supported MIBs
18-10, C-18
Trap
18-1
Traps Configuration pane
field descriptions
18-7
user roles
18-7
SNMP General Configuration pane
configuring
18-2
described
18-2
SNMP traps
configuring
18-8, 18-9
described
18-1
SNMPv3 protocol
described
18-4
SNMPv3 users
configuring
18-5
SNMPv3 Users pane
configuring
18-5
described
18-4
field descriptions
18-4
software architecture
ARC (illustration)
A-13
IDAPI (illustration)
A-32
software downloads Cisco.com
26-1
software file names
recovery (illustration)
26-5
signature/virus updates (illustration)
26-4
system image (illustration)
26-5
software release examples
platform identifiers
26-6
platform-independent
26-5
software updates
supported FTP servers
20-21, 27-3
supported HTTP/HTTPS servers
20-21, 27-3
SPAN port issues
C-30
specialized
23-2
Specialized Reports described
23-2
SSH
described
15-1
security
15-2
SSH Server
private keys
A-21
public keys
A-21
standards
CIDEE
A-34
IDCONF
A-33
IDIOM
A-32
SDEE
20-19, A-33
Startup Wizard
access lists
5-3
adding ACLs
5-6
adding virtual sensors
5-14
Add Virtual Sensor dialog box
5-13
Auto Update configuring
5-18
described
5-1
Inline Interface Pair window
described
5-10
field descriptions
5-10
Inline VLAN Pairs window configuring
5-11
Interface Selection window
5-10
Interface Summary window
5-8
Sensor Setup window
configuring
5-5
described
5-2, 5-4
field descriptions
5-2, 5-4
Signatures window described
5-15
Traffic Inspection Mode window
5-9
Virtual Sensors window
field descriptions
5-12
Virtual Sensors window described
5-12
VLAN groups unsupported
5-1, 5-8
State engine
Cisco Login
11-20, B-59
described
11-20, B-59
LPR Format String
11-20, B-59
parameters (table)
B-59
SMTP
11-20, B-59
statistic display
C-84
Statistics pane
button functions
21-23, 21-24
categories
21-22
described
21-22
user roles
21-22
using
21-23
statistics viewing
21-23
String engine described
11-21, 11-24, B-61
String ICMP engine parameters (table)
B-61
String TCP engine
custom signature
11-22
example signature
11-22
parameters (table)
B-61
String TCP XL signature (example)
10-33, 10-36
String UDP engine parameters (table)
B-62
String XL engine
description
B-63
hardware support
10-8, 11-3, B-3, B-63
parameters (table)
B-64
unsupported parameters
B-66
subinterface 0 described
7-14
subsignatures described
10-2
summarization
described
8-7, 12-5
Fire All
8-7, 12-5
Fire Once
8-8, 12-5
Global Summarization
8-7, 12-5
Meta engine
8-7, 12-5
Summary
8-7, 12-5
Summarizer described
8-39, 12-33
Summary pane
described
7-14
field descriptions
7-14
supported
FTP servers
20-21, 27-3
HTTP/HTTPS servers
20-21, 27-3
IPS interfaces for CSA MC
19-3
supported appliances
6-11
supported sensors
signature threat profiles
5-15
Sweep engine
11-25, B-67
described
11-24, B-67
parameters (table)
B-67
Sweep Other TCP engine
described
B-69
parameters (table)
B-69
SwitchApp
described
A-29
switches
TCP reset interfaces
7-7
sw-module module slot_number password-reset command
20-7, C-10
system architecture
directory structure
A-34
supported platforms
A-1
system clock setting
6-16
system components IDAPI
A-32
System Configuration Dialog
described
25-2
example
25-2
system design (illustration)
A-2, A-3
system images
installing
ASA 5500-X IPS SSP
27-23
ASA 5585-X IPS SSP
27-25
IPS 4345
27-17
IPS 4360
27-17
IPS 4510
27-20
IPS 4520
27-20
IPS 4520-XL
27-20
System Information pane
described
21-23
using
21-24
system information viewing
21-24
T
TAC
contact information
21-23
service account
6-18, A-31, C-5
show tech-support command
C-77
troubleshooting
A-31
target value rating
calculating risk rating
8-6, 12-3
described
8-6, 8-24, 8-26, 12-3, 12-20, 12-21
TCP fragmentation described
B-36
TCP Protocol tab
described
13-16, 13-23, 13-29
enabling TCP
13-16
external zone
13-29
field descriptions
13-16, 13-23, 13-30
illegal zone
13-23
TCP reset interfaces
conditions
7-7
described
7-6
list
7-7
promiscuous mode
7-7
switches
7-7
TCP resets
not occurring
C-51
TCP stream reassembly
described
10-54
parameters (table)
10-55
signatures (table)
10-55
TCP stream reassembly mode
10-60
tech support information display
C-78
terminal server setup
24-3, 27-16
TFN2K
described
B-72
Trojans
B-73
TFTP servers
maximum file size limitation
27-16
RTT
27-16
Threat Category tab
described
8-38, 12-32
field descriptions
8-38, 12-33
threat rating
described
8-6, 12-4
risk rating
8-6, 12-4
Thresholds for KB Name window
described
21-10
field descriptions
21-10
filtering information
21-10
time
correction on the sensor
6-12, C-17
sensors
6-11, C-15
synchronizing IPS clocks
C-16
Time pane
configuring
6-9
described
6-7
field descriptions
6-8
user roles
6-7
time sources
appliances
6-11, C-15
ASA 5500-X IPS SSP
6-11, C-16
ASA 5585-X IPS SSP
6-11, C-16
TLS
described
6-4
handshaking
15-12
IDM
15-11
web server
15-11
Top Applications gadget
configuring
3-9
described
3-9
Top Attacker Reports described
1-15, 23-1
Top Attackers gadgets
configuring
3-12
described
3-11
Top Signature Reports described
1-15, 23-2
Top Signatures gadgets
configuring
3-13
described
3-13
Top Victim Reports described
1-15, 23-2
Top Victims gadgets
configuring
3-12
described
3-12
traceroute device tool (IME)
1-3, 2-6, 3-15, 3-16, 22-6
Traffic Anomaly engine
described
B-70
protocols
B-70
signatures
B-70
traffic flow notifications
configuring
7-26
described
7-26
Traffic Flow Notifications pane
configuring
7-26
field descriptions
7-26
user roles
7-26
Traffic ICMP engine
DDoS
B-72
described
B-72
LOKI
B-72
parameters (table)
B-73
TFN2K
B-72
Traffic Inspection Mode window described
5-9
Traps Configuration pane
configuring
18-8, 18-9
described
18-7
trial license key
20-12
Tribe Flood Network. See TFN.
Tribe Flood Network 2000. See TFN2K.
Trojan engine
BO2K
B-73
described
B-73
TFN2K
B-73
Trojans
BO
B-73
BO2K
B-73
LOKI
B-72
TFN2K
B-73
troubleshooting
Analysis Engine busy
C-56
applying software updates
C-53
ARC
blocking not occurring for signature
C-42
device access issues
C-40
enabling SSH
C-42
inactive state
C-38
misconfigured master blocking sensor
C-43
verifying device interfaces
C-41
ASA 5500-X IPS SSP
commands
C-60
failover scenarios
C-59
ASA 5585-X IPS SSP
commands
C-71
failover scenarios
C-70
traffic flow stopped
C-71
automatic updates
C-53
cannot access sensor
C-25
cidDump
C-101
cidLog messages to syslog
C-50
communication
C-24
corrupted SensorApp configuration
C-35
debug logger zone names (table)
C-49
debug logging
C-45
disaster recovery
C-6
duplicate sensor IP addresses
C-27
enabling debug logging
C-45
external product interfaces
19-10, C-22
gathering information
C-76
global correlation
14-11, C-21
IDM
cannot access sensor
C-56
will not load
C-55
IME time synchronization
C-58
IPS clock time drift
6-11, C-16
misconfigured access list
C-27
no alerts
C-32, C-57
password recovery
20-11, C-15
physical connectivity issues
C-30
preventive maintenance
C-2
RADIUS
attempt limit
C-21
reset not occurring for a signature
C-51
sensing process not running
C-29
sensor events
C-97
sensor loose connections
C-23
sensor not seeing packets
C-33
sensor software upgrade
C-54
service account
6-18, C-5
show events command
C-97
show interfaces command
C-95
show tech-support command
C-77, C-78
show version command
C-80
software upgrades
C-52
SPAN
port issue
C-30
upgrading
C-52
verifying Analysis Engine is running
C-20
verifying ARC status
C-37
Trusted Hosts pane
configuring
15-13
described
15-13
field descriptions
15-13
tuned signatures described
10-2
tuning
AIC signatures
10-50
IP fragment reassembly signatures
10-54
signatures
10-22
TCP fragment reassembly signatures
10-61
U
UDP Protocol tab
described
13-17, 13-24, 13-31
enabling UDP
13-17
external zone
13-31
field descriptions
13-17, 13-31
illegal zone
13-24
unassigned VLAN groups described
7-14
unauthenticated NTP
6-11, 6-14, C-15
uninstalling license key
20-15
UNIX-style directory listings
20-21
unlocking accounts
6-26
unlock user username command
6-26
Update Sensor pane
configuring
20-26
described
20-26
field descriptions
20-26
user roles
20-25
updating sensors
20-26
updating the sensor immediately
27-12
upgrade command
27-5, 27-7
upgrade notes and caveats
upgrading IPS software
27-1
upgrading
application partition
27-14
latest version
C-52
recovery partition
27-7
sensors
27-5
upgrading IPS software
upgrade notes and caveats
27-1
uploading KBs
FTP
21-16
SCP
21-16
Upload Knowledge Base to Sensor dialog box
described
21-16
field descriptions
21-16
URLs for Cisco Security Intelligence Operations
26-7
user-defined reports described
23-1
user roles authentication
6-19
users
configuring
6-23
using
debug logging
C-45
TCP reset interfaces
7-7
V
VACLs
described
16-3
Post-Block
16-21
Pre-Block
16-21
verifying
NTP configuration
6-12
password recovery
20-11, C-14
sensor initialization
25-21
sensor setup
25-21
version display
C-81
video help described
1-3
viewing
denied attacker hit counts
17-2
denied attackers list
17-2
IP logs
17-12
license key status
20-12
statistics
21-23
system information
21-24
virtualization
advantages
8-3, C-17
restrictions
8-3, C-17
supported sensors
8-3, C-18
traffic capture requirements
8-3, C-18
virtual-sensor name command
8-15
virtual sensors
adding
5-14, 8-12
adding (ASA 5500-X IPS SSP)
8-16
adding (ASA 5585-X IPS SSP)
8-16
ASA 5500-X IPS SSP
8-17
ASA 5585-X IPS SSP
8-17
creating (ASA 5500-X IPS SSP)
8-16
creating (ASA 5585-X IPS SSP)
8-16
default virtual sensor
8-2, 8-8
deleting
8-12
described
8-2, 8-8
editing
8-12
options
8-15
Virtual Sensors window described
5-12
VLAN groups
802.1q encapsulation
7-14
configuration restrictions
7-9
configuring
7-24
deploying
7-23
switches
7-23
VLAN IDs
7-22
VLAN groups mode
described
7-13
VLAN Groups pane
configuring
7-24
described
7-22
field descriptions
7-23
user roles
7-22
VLAN Pairs pane
configuring
7-21
described
7-20
field descriptions
7-21
user roles
7-20
vulnerable OSes field described
B-6
W
watch list rating
calculating risk rating
8-6, 12-3
described
8-6, 12-3
web server
described
A-4, A-22
HTTP 1.0 and 1.1 support
A-22
private keys
A-21
public keys
A-21
SDEE support
A-22
TLS
15-11
whois device tool (IME)
1-3, 2-6, 3-15, 3-16, 22-6
worms
Blaster
13-2
Code Red
13-2
histograms
13-13, 21-8
Nimda
13-2
protocols
13-3
Sasser
13-2
scanners
13-3
Slammer
13-2
SQL Slammer
13-2
Z
zones
external
13-5
illegal
13-5
internal
13-5