Index

A

accessing IPS software 18-1

access-list

command 4-5

configuring 4-5

access list misconfiguration C-7

account locking configuration 4-17

ACLs

described 10-2

Post-Block 10-18, 10-19

Pre-Block 10-18, 10-19

adding

event action overrides 6-8

hosts to the SSH known hosts list 4-31

trusted hosts 4-36

users 4-11, 4-15, 4-16

Administrator privileges 1-3, A-28

AIC.FTP engine parameters (table) B-8

AIC.HTTP engine parameters (table) B-7

AIC engine

AIC.FTP B-6

AIC.HTTP B-6

defined B-6

described 7-12

features B-6

AIP-SSM

commands 14-5

configuration tasks 14-1

hw-module module 1 recover 14-5

hw-module module 1 reset 14-5

hw-module module 1 shutdown 14-5

inline mode 14-2

inspecting IPS traffic 14-3

logging in 2-7

modes 14-2

promiscuous mode 14-2

recovering C-46

resetting C-45

sending traffic 14-2

session command 2-7

show module command 14-2

task sequence 14-1

time sources 4-20

verifying initialization 14-2

alarm channel described 6-2, A-25

alert-frequency command 7-5

alert-severity command 7-6

allow-sensor-block command 10-4

Analysis Engine busy IDM exits C-37

appliances

application partition image 17-9

logging in 2-2

recovering software image 17-18

setting up a terminal server 2-3

terminal server 2-3

time sources 4-18

upgrading recovery partition 17-4

application partition

described A-3

image recovery 17-9

application-policy command 7-13

applications XML format A-2

applying software updates C-32

ASDM

certificates 4-34

described A-4

TLS/SSL 4-35

assigning an interface to the virtual sensor 5-9

ATOMIC.ARP engine

described B-8

parameters (table) B-8

ATOMIC.IP engine

described B-9

parameters (table) B-9

attack severity rating see SFR

attemptLimit command 4-17

AuthenticationApp

authenticating users A-21

described A-3

login attempt limit A-20

method A-20

responsibilities A-20

secure communications A-21

sensor configuration A-20

authorized keys

defining 4-33

RSA authentication 4-32

automatic update C-32

auto-upgrade-option command 17-5

B

back door Trojan BO2K B-34

backing up

configuration 12-17

current configuration 12-16

BackOrifice protocol B-34

backup-config command 12-13

banner login command 13-1

block-enable command 10-6

block-hosts command 10-27

blocking

addresses never to block 10-15

block time 10-10

described 10-1, 10-3

disabling 10-6

list of blocked hosts 10-28

managing PIX Firewalls 10-24

managing routers 10-20

managing switches 10-22

manual 10-27

master blocking sensor 10-25

maximum entries 10-8

necessary information 10-2

not occurring for signature C-21

prerequisites 10-3

properties 10-4

sensor block itself 10-4

show statistics 10-28

supported devices 10-3

types 10-1

user profiles 10-17

block-networks command 10-27

bootloader

described 17-22

upgrading 17-22

Bug Toolkit

described C-1

URL C-1

Bypass mode

configuring 5-10

described 5-9, A-3

function 5-1

understanding 5-9

bypass-option command 5-10

C

cannot access sensor C-5

capturing live traffic 9-5

Cat 6K Blocking Device Interfaces panel

VACLs

Post-Block 10-22

Pre-Block 10-22

Catalyst software

command and control access 15-4

IDSM-2

command and control access 15-4

configuring VACLs 15-12

enabling full memory tests 15-24

enabling SPAN 15-8

mls ip ids command 15-15

resetting 15-26

set span command 15-8

supervisor engine commands

supported 15-28

unsupported 15-29

changing

Microsoft IIS to UNIX-style directory listings 17-6, C-34

passwords 4-15

changing the memory

Java Plug-in on Linux C-35

Java Plug-in on Solaris C-35

Java Plug-in on Windows C-35

checking IPS software status (NM-CIDS) 16-7

CIDEE

defined A-35

example A-35

IPS extensions A-35

protocol A-35

supported IPS events A-35

cisco

default password 2-2

default username 2-2

Cisco.com

accessing software 18-1

account 18-6

cryptographic access 18-6

downloading software 18-1

downloading software updates 18-6

software downloads 18-1

Cisco IOS software

configuration commands 15-31

EXEC commands 15-30

IDSM-2

command and control access 15-6

configuring VACLs 15-13

enabling full memory tests 15-25

enabling SPAN 15-10

mls ip ids command 15-15

resetting 15-27

SPAN options 15-10

Cisco Security Intelligence Operations

described 18-11

URL 18-11

Cisco Services for IPS

service contract 18-7

supported products 18-7

class-map command 14-2

clear denied-attackers command 6-18, 13-8

clear events command 4-20, 13-7, C-66

clearing

denied attackers statistics 6-18, 13-9

events 13-7, C-66

statistics 13-10, C-53

clear line command 13-2

CLI

command line editing 1-5

command modes 1-6

concurrent sessions 2-1

default keywords 1-9

described A-3, A-28

generic commands 1-9

introducing 1-1

regular expression syntax 1-7

CLI behavior

case sensitivity 1-5, A-31

described 1-4, A-30

display options 1-5, A-31

help 1-4, A-30

prompts 1-4, A-30

recall 1-5, A-30

tab completion 1-5, A-30

clock set command 4-22, 13-8

command and control access

Catalyst software 15-4

Cisco IOS software 15-6

described 15-4

command line editing (table) 1-5

command modes

described 1-6

event action rules configuration 1-7

EXEC 1-6

global configuration 1-6

privileged EXEC 1-6

service mode configuration 1-7

signature definition configuration 1-7

commands

access-list 4-5

alert-frequency 7-5

alert-severity 7-6

allow-sensor-block 10-4

application-policy 7-13

attemptLimit 4-17

auto-upgrade-option 17-5

backup-config 12-13

banner login 13-1

block-enable 10-6

block-hosts 10-27

block-networks 10-27

bypass-option 5-10

class-map 14-2

clear denied-attackers 6-18, 13-8

clear events 4-20, 13-7, C-66

clear line 13-2

clock set 4-22, 13-8

copy backup-config 12-15

copy current-config 12-15

copy iplog 8-6

copy license-key 4-38, 18-9

copy packet-file 9-6

current-config 12-13

debug module-boot C-46

display-serial 13-21

downgrade 17-8

enable-acl-logging 10-11

enable-detail-traps 11-4

enable-nvram-write 10-12

erase 12-17

erase packet-file 9-7

event-action 7-11

event-counter 7-8

filters 6-10

fragment-reassembly 7-23

ftp-timeout 4-7

global-block-timeout 6-16, 10-10

global-deny-timeout 6-16

global-filters-status 6-16

global-metaevent-status 6-16

global-overrides-status 6-16

global-summarization 6-16

host-ip 4-3

host-name 4-2

hw-module module 1 recover 14-5

hw-module module 1 reset 14-5, C-45

hw-module module 1 shutdown 14-5

inline-interfaces 5-7

interface-notifications 5-10

ip-access-list 15-13

ip-log 7-28

iplog 8-3

ip-log-bytes 8-2

ip-log-packets 8-2

ip-log-time 8-2

log-all-block-events-and-errors 10-13

login-banner-text 4-8

max-block-entries 10-8

max-denied-attackers 6-16

mls ip ids 15-15

more 12-13

more current-config 12-1

never-block-hosts 10-15

never-block-networks 10-15

no iplog 8-4

overrides 6-8

packet capture 9-4

packet-display 9-2

password 4-11

physical-interface 5-8

physical-interfaces 5-4

ping 13-22

policy-map 14-2

privilege 4-11, 4-15

reset 13-23

service-policy 14-2

set security acl 15-12

set span 15-8

setup 3-2

show clock 4-21, 13-7

show configuration 12-1, 12-9

show events 13-4, C-64

show history 13-24

show inventory 13-24

show module 1 details C-45

show module command 14-2

show settings 12-3, 12-11, 13-26

show statistics 10-28, 13-10, C-53

show statistics virtual-sensor 13-10, C-53

show tech-support 13-18, C-47

show users 4-16

show version 13-19, C-50

sig-fidelity-rating 7-9

snmp-agent-port 11-2

snmp-agent-protocol 11-2

ssh authorized-key 4-32

ssh generate-key 4-34

ssh host-key 4-31

status 7-10

stream-reassembly 7-27

summertime-option non-recurring 4-25

summertime-option recurring 4-23

target-value 6-7

telnet-option 4-4

terminal 13-3

time-zone-settings 4-27

tls generate-key 4-37

tls trusted-host 4-36

trace 13-25

trap-community-name 11-4

trap-destinations 11-4

upgrade 17-4

username 4-11

user-profiles 10-17

variables 6-5, 7-2

configuration files

backing up 12-17

merging 12-17

configuration sequence (AIP-SSM) 14-1

configuring

access-list 4-5

account locking 4-17

ACL logging 10-11

alert frequency parameters 7-5

alert severity 7-7

application policy 7-14, 7-37

automatic IP logging 8-2

automatic upgrades 17-7

blocking

firewalls 10-24

routers 10-20

switches 10-22

time 10-10

Bypass mode 5-10

event action filters 6-10

event actions 7-11

event action variables 6-5

event counter 7-8

ftp-timeout 4-7

host-ip 4-3

host manual blocks 10-27

hostname 4-2

hosts never to block 10-16

inline mode 5-8

interfaces (NM-CIDS) 16-2

IP fragment reassembly 7-24

IP fragment reassembly parameters 7-22, 7-26

IP logging 7-28

logging all blocking events and errors 10-13

logical devices 10-17

login-banner-text 4-8

maintenance partition (Catalyst Software) 17-28

maintenance partition (Cisco IOS) 17-31

manual IP logging 8-4

master blocking sensor 10-25

maximum block entries 10-8

maximum blocking interfaces 10-14

maximum denied attackers 6-16

meta event generator 6-16

network manual blocks 10-27

networks never to block 10-16

NTP servers 4-28

NVRAM write 10-12

packet capture (NM-CIDS) 16-5

passwords 4-15

physical interfaces 5-9

privilege 4-15

promiscuous mode 5-6

sensor to block itself 10-4

sensor to use NTP 4-29

SFR 7-9

signature fidelity rating 7-9

signature variables 7-3

status 7-10

summarizer 6-16

summertime

non-recurring 4-25

recurring 4-23

task sequence (sensor) 1-2

TCP stream reassembly 7-27

telnet-option 4-4

timezone settings 4-27

traffic flow notifications 5-10

TVRs 6-7

upgrades 17-3

user profiles 10-17

web server settings 4-9

control transactions

characteristics A-8

request types A-8

copy backup-config command 12-15

copy current-config command 12-15

copying

IP logging files 8-6

packet files 9-7

copy iplog command 8-6

copy license-key command 4-38, 18-9

copy packet-file command 9-6

correcting time on the sensor 4-20

creating

banner login 13-1

custom signatures 7-29

MEG signatures 7-33

service account 4-14

service HTTP signatures 7-32

string TCP signatures 7-30

user profiles 10-17

cryptographic access to Cisco.com 18-6

cryptographic account

Encryption Software Export Distribution Authorization form 18-2

obtaining 18-2

CtlTransSource

described A-2, A-11

illustration A-11

Ctrl-N 1-5, A-30

Ctrl-P 1-5, A-30

current-config command 12-13

current configuration

backing up 12-17

filtering output 12-10

searching output 12-10

custom signatures

configuration sequence 7-29

MEG signature 7-33

service HTTP example 7-32

string TCP 7-30

D

data structures (examples) A-8

DDoS protocol B-33

debug module-boot command C-46

default

blocking time 10-10

keywords 1-9

password 2-2

username 2-2

defining authorized keys 4-33

deleting denied attackers list 6-18, 13-9

device access issues C-18

diagnosing network connectivity 13-22

directing output to serial port 13-22

disabling

blocking 10-6

EtherChanneling 15-22

signatures 7-10

disaster recovery C-2

displaying

contents of logical file 12-13

current configuration 12-1

current submode configuration 12-3

events 13-5, C-64

live traffic 9-3

PEP information 13-24

statistics 13-10, C-53

submode settings 13-26

system clock 4-21, 13-7

tech support information 13-19, C-48

version 13-19, C-51

display-serial command

described 13-21

supported platforms 13-21

downgrade command 17-8

downgrading sensors 17-8

downloading

Cisco software 18-1

duplicate IP addresses C-8

E

enable-acl-logging command 10-11

enable-detail-traps command 11-4

enable-nvram-write command 10-12

enabling

full memory tests

Catalyst software 15-24

Cisco IOS software 15-25

signatures 7-10

SPAN

Catalyst Software 15-8

Cisco IOS software 15-10

enabling debug logging C-24

Encryption Software Export Distribution Authorization form

cryptographic account 18-2

described 18-2

erase command 12-17

erase packet-file command 9-7

erasing

current configuration 12-18

packet files 9-7

EtherChanneling

described 15-20

disabling 15-22

load balancing 15-20

options 15-20

promiscuous mode 15-20

requirements 15-20

verifying 15-23

event-action command 7-11

event action filters

overview 6-10

understanding 6-9

event action overrides

overview 6-7

understanding 6-7

event action rules

example 6-19

functions 6-1

task list 6-4

understanding 6-1

event actions

deny attackers inline 6-16

describing 6-3

event actions (table) 6-3

event-counter command 7-8

Event Store

clearing events 4-20

data structures A-8

described A-2

examples A-7

responsibilities A-7

timestamp A-7

event types C-63

event variables

describing 6-5

example 6-5

F

files

Cisco IPS (list) 18-1

filtering

current configuration 12-10

submode configuration 12-12

filters command 6-10

FLOOD.HOST engine parameters (table) B-10

FLOOD.NET engine parameters (table) B-10

FLOOD engine described B-10

fragment-reassembly command 7-23

ftp-timeout

command 4-7

configuring 4-7

G

generating

SSH server host key 4-34

TLS certificate 4-37

generic commands 1-9

global-block-timeout command 6-16, 10-10

global-deny-timeout command 6-16

global-filters-status command 6-16

global-metaevent-status command 6-16

global-overrides-status command 6-16

global-summarization command 6-16

H

H.225.0 protocol B-17

H.323 protocol B-17

H225 engine

ASN.1 PER validation B-17

described B-17

features B-17

parameters (table) B-17

TPKT validation B-17

help

question mark 1-4, A-30

using 1-4, A-30

host-ip

command 4-3

configuring 4-3

host-name

command 4-2

configuring 4-2

HTTP deobfuscation

ASCII normalization B-19

described B-19

hw-module commands 14-5

hw-module module 1 recover command 14-5

hw-module module 1 reset command 14-5, C-45

hw-module module 1 shutdown command 14-5

I

IDAPI

communications A-3, A-31

described A-3

functions A-31

illustration A-31

responsibilities A-31

IDCONF

described A-4, A-34

example A-34

RDEP2 A-34

XML A-34

IDIOM

defined A-34

messages A-34

IDM

certificates 4-34

error message Analysis Engine is busy C-37

Java Plug-in C-35

memory C-35

TLS/SSL 4-35

will not load clear Java cache C-36

IDS-4215

BIOS upgrade 17-13

installing system image 17-11

reimaging 17-11

ROMMON 17-9

ROMMON upgrade 17-13

upgrading

BIOS 17-13

ROMMON 17-13

IDSM-2

administrative tasks 15-24

capturing IPS traffic

described 15-11

mls ip ids command 15-14

SPAN 15-8

Catalyst software

command and control access 15-4

inline mode 15-16, 15-17

command and control access

configuring 15-6

described 15-4

command and control port 15-7, C-42

configuration tasks 15-1

configuring

command and control access 15-4

EtherChanneling 15-21

inline mode 15-17, 15-18

load balancing 15-21

maintenance partition (Catalyst Software) 17-28

maintenance partition (Cisco IOS) 17-31

mls ip ids command 15-15

sequence 15-1

SPAN 15-8

tasks 15-1

configuring VACLs

Catalyst software 15-12

Cisco IOS software 15-13

enabling full memory tests

Catalyst software 15-24

Cisco IOS software 15-25

EtherChanneling

disabling 15-22

requirements 15-20

verifying 15-23

inline mode

Cisco IOS software 15-18

described 15-16

requirements 15-17

installing

system image (Catalyst software) 17-25

system image (Cisco IOS software) 17-26

verifying 15-2

logging in 2-4

mls ip ids command

Catalyst software 15-15

Cisco IOS software 15-15

monitoring ports 15-7

not online C-42

promiscuous mode 15-7

reimaging described 17-25

resetting

Catalyst software 15-26

Cisco IOS software 15-27

described 15-26

sensing ports 15-12

set span command 15-8

supported supervisor engine commands 15-28

TCP reset port 15-7, 15-12

time sources 4-19

unsupported supervisor engine commands 15-29

upgrading

maintenance partition (Catalyst software) 17-35

maintenance partition (Cisco IOS software) 17-36

VACLs

configuring 15-11

described 15-11

verifying installation 15-2

initialization

verifying 3-7

verifying (AIP-SSM) 14-2

initializing the sensor 3-1, 3-2

inline-interfaces command 5-7

inline mode

configuring 5-8

described 5-1

understanding 5-7

inline pairs described 5-1

installing

license key 4-39, 18-10

sensor license 18-8

system image

IDS-4215 17-11

IDSM-2 (Catalyst software) 17-25

IDSM-2 (Cisco IOS software) 17-26

IPS-4240 17-15

IPS-4255 17-15

InterfaceApp described A-2

interface-notifications command 5-10

interfaces displaying live traffic 9-3

interface support (table) 5-2

introducing CLI 1-1

ip-access-list command 15-13

IP fragment reassembly

described 7-22

parameters (table) 7-22

signatures (table) 7-22

ip-log-bytes command 8-2

ip-log command 7-28

iplog command 8-3

IP logging

automatic 8-2

configuring 8-1

copying files 8-6

described 7-28, 8-1

manual 8-4

ip-log-packets command 8-2

ip-log-time command 8-2

IPS

external communications A-32

internal communications A-31

IPS-4240

installing system image 17-15

ROMMON 17-9

IPS-4255

installing system image 17-15

ROMMON 17-9

IPS applications

summary A-37

table A-37

XML format A-2

IPS data

types A-8

XML document A-8

IPS events

listed A-9

types A-9

IPS software

application list A-2

available files 18-1

configuring device parameters A-4

directory structure A-36

Linux OS A-1

new features A-3

obtaining 18-1

platform-dependent release examples 18-5

retrieving data A-5

security features A-5

tuning signatures A-5

updating A-5

user interaction A-4

versioning scheme 18-2

J

Java Plug-in

Linux C-35

Solaris C-35

Windows C-35

K

keywords

default 1-9

no 1-9

L

license key

installing 4-39, 18-10

status 18-6

trial 18-6

licensing

described 4-37, 18-6

IPS device serial number 4-37, 18-6

Licensing pane

configuring 18-8

described 4-37, 18-6

listings UNIX-style 17-5, C-34

list of blocked hosts 10-28

load balancing options 15-20

locked account reset 4-15

log-all-block-events-and-errors command 10-13

LogApp

described A-2, A-19

functions A-19

syslog messages A-20

logging in

AIP-SSM 2-7

appliances 2-2

IDSM-2 2-4

NM-CIDS 2-5

sensors

SSH 2-8

Telnet 2-8

service role 2-2

terminal servers 2-3

user role 2-1

login-banner-text command 4-8

login-banner-text configuration 4-8

LOKI protocol B-33

M

MainApp A-6

applications A-6

described A-2

host statistics A-6

responsibilities A-6

show version command A-6

maintenance partition

configuring (Catalyst Software) 17-28

configuring (Cisco IOS) 17-31

described A-3

managing

routers 10-20

switches 10-22

manual blocking 10-27

manual block to bogus host C-21

master blocking sensor described 10-25

MASTER engine

alert frequency B-4

alert frequency parameters (table) B-4

defined B-3

general parameters (table) B-4

promiscuous delta B-3

universal parameters B-3

max-block-entries command 10-8

max-denied-attackers command 6-16

MBS not set up properly C-22

memory (IDM) C-35

merging configuration files 12-17

META engine

described B-10

parameters (table) B-11

MIBs supported 11-6

mls ip ids command 15-15

described 15-15

IDSM-2 15-14

modes

Bypass 5-1, 5-9

inline 5-1, 5-7

promiscuous 5-1, 5-4

modifying terminal properties 13-3

monitoring Viewer privileges 1-3, A-28

more command 12-13

more current-config command 12-1

N

Network Access Controller

ACLs 10-18, A-14

authentication A-15

blocking

connection-based A-17

unconditional blocking A-17

blocking application 10-1, 10-3

block response A-13

Catalyst 6000 series switch

VACL commands A-19

VACLs A-19

Catalyst switches

VACLs A-16

VLANs A-16

checking status 10-2

described A-2

features A-13

firewalls

AAA A-18

connection blocking A-18

NAT A-18

network blocking A-18

postblock ACL A-16

preblock ACL A-16

shun command A-18

TACACS+ A-18

functions 10-1, 10-3, A-12

illustration A-12

interfaces A-14

maintaining states A-16

master blocking sensors A-14

nac.shun.txt file A-16

NAT addressing A-15

number of blocks A-15

postblock ACL A-16

preblock ACL A-16

responsibilities A-12

single point of control A-15

SSH A-13

supported devices 10-3, A-15

Telnet A-13

VACLs A-14

Network Time Protocol see NTP

never-block-hosts command 10-15

never-block-networks command 10-15

NM-CIDS

bootloader

file 17-22

overview 17-22

checking IPS software status 16-7

configuration tasks 16-1

configuring

ids-sensor interfaces 16-2

packet capture 16-5

configuring interfaces 16-2

logging in 2-5

packet monitoring described 16-5

rebooting 16-7

reimaging 17-20

reimaging described 17-19

reload command 16-7

reset command 16-7

session command 16-2

shutdown command 16-7

supported Cisco IOS commands 16-8

system image file 17-19

telnetting to the router 16-5

time sources 4-19

upgrading bootloader 17-22

no iplog command 8-4

NORMALIZER engine

described B-12

IP fragment reassembly B-12

parameters (table) B-12

TCP stream reassembly B-12

NotificationApp

alert information A-9

described A-2

functions A-9

SNMP gets A-9

SNMP traps A-9

statistics A-11

system health information A-10

NTP

described 4-18

sensor time source 4-28, 4-29

server configuration 4-28

time synchronization 4-18

O

obtaining

command history 13-24

cryptographic account 18-2

IPS software 18-1

list of blocked hosts and connections 10-28

used commands list 13-24

Operator privileges 1-3, A-28

output

clearing current line 1-5, A-31

displaying 1-5, A-31

overrides command 6-8

P

packet capture command 9-4

packet display command 9-2

partitions

application A-3

maintenance A-3

recovery A-3

password command 4-11

passwords

changing 4-15

configuring 4-15

service account 3-2

PEP

described A-4

PID 13-24

SN 13-24

VID 13-24

physical connectivity issues C-10

physical-interface command 5-8

physical-interfaces command 5-4

physical interfaces configuration 5-9

ping command 13-22

policy-map command 14-2

Post-Block ACLs 10-18, 10-19

Pre-Block ACLs 10-18, 10-19

prerequisites for blocking 10-3

privilege

command 4-11, 4-15

configuring 4-15

promiscuous mode

configuring 5-6

described 5-1

EtherChanneling 15-20

understanding 5-4

prompts default input 1-4, A-30

Q

Q.931 protocol

described B-17

SETUP messages B-17

R

RDEP2

described A-3

functions A-32

messages A-32

responsibilities A-32

rebooting NM-CIDS 16-7

recall

help and tab completion 1-5, A-30

using 1-5, A-30

recover command 17-9

recovering

AIP-SSM C-46

application partition image 17-9

recovery/upgrade CD 17-18

recovery partition

described A-3

upgrading 17-4

regular expression syntax

described 1-7

table 1-7

reimaging

appliance 17-9

describing 17-1

IDS-4215

described 17-11

ROMMON 17-11

IDSM-2 described 17-25

NM-CIDS 17-20

sensors 17-1

removing last applied upgrade 17-8

reset

command 13-23

not occurring for a signature C-30

resetting

AIP-SSM C-45

appliance 13-23

IDSM-2 15-26

restoring current configuration 12-16

retiring signatures 7-10

retrieving events through RDEP2 (illustration) A-32

risk rating see RR

ROMMON

IDS-4215 17-11

IPS-4240 17-15

IPS-4255 17-15

TFTP 17-11

round-trip time see RTT

RPC portmapper B-23

RR

calculating 6-6

described A-3

example 6-20

RSA authentication and authorized keys 4-32

RTT

described 17-11

TFTP limitation 17-11

S

scheduling automatic upgrades 17-7

SDEE

defined A-35

HTTP A-35

protocol A-35

server requests A-35

SEAF

described 6-2, A-25

parameters 6-2, A-25

SEAO described 6-2, A-25

SEAP

alarm channel 6-2, A-25

components 6-2, A-25

described A-23

flow of signature events 6-2, A-25

function 6-2, A-25

illustration 6-2, A-25

searching

current configuration 12-10

submode configuration 12-12

security

information on Cisco Security Intelligence Operations 18-11

security and account locking 4-17

sending commands through RDEP2 (illustration) A-33

SensorApp

Alarm Channel A-24

Analysis Engine A-24

described A-3

event action filtering A-27

hold down timer A-27

inline packet processing A-26

IP normalization A-27

new features A-26

packet flow A-24

processors A-23

responsibilities A-23

RR A-27

SEAP A-23

TCP normalization A-27

sensors

configuration task sequence 1-2

configuring to use NTP 4-29

downgrading 17-8

initializing 3-1, 3-2

interface support 5-2

license 18-8

logging in

SSH 2-8

Telnet 2-8

managing

firewalls 10-24

routers 10-20

switches 10-22

not seeing packets C-13

NTP

time source 4-29

time synchronization 4-18

partitions A-3

process not running C-9

recovering the system image 18-5

reimaging 17-1, 18-5

setup command 3-1, 3-2

time sources 4-18

using NTP time source 4-28

SERVICE.DNS engine

described B-14

parameters (table) B-14

SERVICE.FTP engine

described B-15

parameters (table) B-15

SERVICE.GENERIC engine

described B-16

parameters (table) B-16

SERVICE.HTTP engine

described B-19

parameters (table) B-19

signature 7-32

SERVICE.IDENT engine

described B-20

parameters (table) B-21

SERVICE.MSRPC engine

DCE/RPC protocol B-21

described B-21

SERVICE.MSSQL engine

described B-22

MS SQL protocol B-22

parameters (table) B-22

SERVICE.NTP engine

described B-22

parameters (table) B-23

SERVICE.RPC engine

described B-23

parameters (table) B-23

RPC portmapper B-23

SERVICE.SMB engine

described B-24

parameters (table) B-24

SERVICE.SNMP engine

described B-26

parameters (table) B-26

SERVICE.SSH engine

described B-27

parameters (table) B-27

service account

creating 4-14

described 4-13, A-29

privileges 1-4, A-29

TAC A-29

troubleshooting A-29

service-policy command 14-2

Service privileges 1-4, A-29

service role 1-4, 2-2, A-29

session command

AIP-SSM 2-7

IDSM-2 2-4

NM-CIDS 2-5

set security acl command 15-12

setting the system clock 4-22, 13-8

setting up a terminal server 2-3

setup command 3-1, 3-2

SFR described 6-6

show clock command 4-21, 13-7

show configuration command 12-1, 12-9

show events command 13-4, C-63, C-64

show history command 13-24

show interfaces command C-62

show inventory command 13-24

show module 1 details command C-45

show module command 14-2

show settings command 12-3, 12-11, 13-26

show statistics command 10-28, 13-10, C-53

show statistics virtual-sensor command 13-10, C-53

show tech-support command 13-18, C-47

show users command 4-16

show version command 13-19, C-50

sig-fidelity-rating command 7-9

signature engines

AIC B-7

ATOMIC B-8

ATOMIC.ARP B-8

ATOMIC.IP B-9

defined B-1

event actions B-5

FLOOD B-10

FLOOD.HOST B-10

FLOOD.NET B-10

H225 B-17

list B-1

META B-10

NORMALIZER B-12

SERVICE.DNS B-14

SERVICE.FTP B-15

SERVICE.GENERIC B-16

SERVICE.HTTP B-19

SERVICE.IDENT B-20

SERVICE.MSRPC B-21

SERVICE.MSSQL B-22

SERVICE.NTP B-22

SERVICE.RPC B-23

SERVICE.SMB B-24

SERVICE.SNMP B-26

SERVICE.SSH B-27

STATE B-27

STRING B-29

SWEEP B-31

TRAFFIC.ICMP B-33

TROJAN B-34

TROJAN.BO2K B-34

TROJAN.TFN2K B-34

TROJAN.UDP B-34

Signature Event Action Processor see SEAP

Signature Fidelity Rating see SFR

signatures

custom 7-2

default 7-1

described 7-1

false positives 7-1

service HTTP 7-32

string TCP 7-30

subsignatures 7-1

tuned 7-1

signature variables described 7-2

SNMP

configuring

agent parameters 11-2

traps 11-4

general parameters 11-2

Get 11-1

GetNext 11-1

Set 11-1

supported MIBs 11-6

Trap 11-1

understanding 11-1

snmp-agent-port command 11-2

snmp-agent-protocol command 11-2

SNMP traps described 11-1

software architecture

IDAPI (illustration) A-31

Network Access Controller (illustration) A-13

RDEP2 (illustration) A-33

software downloads Cisco.com 18-1

SPAN

configuring 15-8

options 15-10

port issues C-10

SSH

adding hosts 4-31

understanding 4-30

ssh authorized-key command 4-32

ssh generate-key command 4-34

ssh host-key command 4-31

SSH known hosts list adding hosts 4-31

SSH Server

host key generation 4-34

private keys A-21

public keys A-21

STATE engine

Cisco Login B-28

described B-27

LPR Format String B-28

parameters (table) B-28

SMTP B-28

status command 7-10

stopping IP logging 8-4

stream-reassembly command 7-27

STRING.ICMP engine parameters (table) B-29

STRING.TCP engine

options 7-30

parameters (table) B-30

signature (example) 7-30

STRING.UDP engine parameters (table) B-31

STRING engine described B-29

submode configuration

filtering output 12-12

searching output 12-12

summarization

described 6-15

Engine.META 6-15

Fire All 6-15

Fire Once 6-16

Global Summarization 6-16

Summary 6-15

summertime

configuring

non-recurring 4-25

recurring 4-23

summertime-option non-recurring command 4-25

summertime-option recurring command 4-23

supervisor engine commands

supported 15-28

unsupported 15-29

supported Cisco IOS commands (NM-CIDS) 16-8

SWEEP engine

described B-31

parameters (table) B-32

switch commands for troubleshooting C-40

syntax case sensitivity 1-5, A-31

system architecture

directory structure A-36

supported platforms A-1

system clock

displaying 4-21, 13-7

setting 4-22, 13-8

System Configuration Dialog described 3-1

system design (illustration) A-1

system image

installing

IPS-4240 17-15

IPS-4255 17-15

T

tab completion use 1-5, A-30

TAC

PEP information 13-24

service account 4-13, A-29

show tech-support command 13-18, C-47

target-value command 6-7

target value rating see TVR

tasks

configuring IDSM-2 15-1

configuring NM-CIDS 16-1

configuring the sensor 1-2

TCP reset

interface conditions 5-4

port (IDSM-2) 15-7

TCP stream reassembly

described 7-24

parameters (table) 7-24

signatures (table) 7-24

telnet (NM-CIDS) 16-5

telnet-option

command 4-4

configuring 4-4

terminal

command 13-3

modifying length 13-3

server setup 2-3

terminating CLI sessions 13-3

TFN2K protocol B-33

TFTP servers

maximum file size limitation 17-11

RTT 17-11

time correction on sensors 4-20

time sources

AIP-SSM 4-20

appliances 4-18

IDSM-2 4-19

NM-CIDS 4-19

time-zone-settings

command 4-27

configuring 4-27

TLS

certificate generation 4-37

certificates 4-34

described 4-34

handshaking 4-35

tls generate-key command 4-37

tls trusted-host command 4-36

trace

command 13-25

IP packet route 13-25

TRAFFIC.ICMP engine

DDOS B-33

described B-33

LOKI B-33

parameters (table) B-33

TFN2K B-33

traffic flow notifications

configuring 5-10

overview 5-10

Transport Layer Security see TLS

trap-community-name command 11-4

trap-destinations command 11-4

trial license key 18-6

Tribe Flood Net 2000 protocol B-33

TROJAN.BO2K engine described B-34

TROJAN.TFN2K engine described B-34

TROJAN.UDP engine described B-34

TROJAN engine

BO2K B-34

described B-34

TFN2K B-34

troubleshooting

accessing files on FTP site C-67

access list misconfiguration C-7

AIP-SSM

commands C-45

debugging C-46

recovering C-46

reset C-45

Analysis Engine busy C-37

applying software updates C-32

automatic update C-32

blocking not occurring for signature C-21

cannot access sensor C-5

cidDump script C-67

cidLog messages to syslog C-28

communication C-4

corrupted SensorApp configuration C-15

debug logger zone names (table) C-27

device access issues C-18

disaster recovery C-2

duplicate IP address C-8

enabling debug logging C-24

faulty DIMMs C-15

gathering information C-47

IDM cannot access sensor C-37

IDM will not load C-36

IDSM-2

command and control port C-42

diagnosing problems C-39

not online C-42

serial cable C-44

switch commands C-40

TCP reset port C-44

manual block to bogus host C-21

MBS not set up properly C-22

NTP C-30

physical connectivity issues C-10

preventive maintenance C-2

reset not occurring for a signature C-30

sensor events C-63

sensor not seeing packets C-13

sensor process not running C-9

service account 4-13

show events command C-63

show interfaces command C-61, C-62

show statistics command C-52, C-53

show tech-support command C-47

show tech-support command output C-48

show version command C-50

software upgrade

IDS-4235 C-31

IDS-4250 C-31

on sensor C-33

software upgrades C-31

SPAN port issue C-10

unable to see alerts C-12

uploading files to FTP site C-67

using debug logging C-23

trusted hosts adding 4-36

TVR

described 6-6

overview 6-7

U

understanding

Bypass mode 5-9

SSH 4-30

time on the sensor 4-18

UNIX-style directory listings 17-5, C-34

unsupported supervisor engine commands 15-29

upgrade command 17-4, 17-9

upgrading

4.1 to 5.0 18-5

maintenance partition

IDSM-2 (Catalyst software) 17-35

IDSM-2 (Cisco IOS software) 17-36

minimum required version 18-5

recovery partition 17-4, 17-9

URLs for Cisco Security Intelligence Operations 18-11

username command 4-11

user profiles

described 10-17

user-profiles

command 10-17

user roles

Administrator 1-3, A-28

Operator 1-3, A-28

Service 1-3, A-28

Viewer 1-3, A-28

users

adding 4-11

removing 4-11

using

debug logging C-23

TCP reset interface 5-4

V

VACLs

described 10-2

IDSM-2 15-11

Post-Block 10-22

Pre-Block 10-22

variables command 6-5, 7-2

verifying

EtherChanneling 15-23

IDSM-2 installation 15-2

sensor initialization 3-7

sensor setup 3-7

Viewer privileges 1-3, A-28

viewing user information 4-16

virtual sensor and assigning the interfaces 5-9

W

Web Server

described A-2, A-22

HTTP 1.0 and 1.1 support A-22

private keys A-21

public keys A-21

RDEP2 support A-22

web server setting configuration 4-9