Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.1
Index

Numerics

4GE bypass interface card

configuration restrictions 5-9

described 5-8

illustration 5-8

A

accessing IPS software 18-2

access-list

command 4-5

configuring 4-5

misconfiguration C-11

account locking configuration 4-17

ACLs

described 10-2

Post-Block 10-21, 10-22

Pre-Block 10-21, 10-22

adding

event action overrides 6-11

hosts to the SSH known hosts list 4-32

trusted hosts 4-37

users 4-11, 4-15, 4-16

Administrator privileges 1-3, A-27

AIC engine

AIC FTP B-8

AIC HTTP B-8

defined B-8

features B-8

AIC FTP engine parameters (table) B-10

AIC HTTP engine parameters (table) B-9

AIP-SSM

configuration tasks 14-1

hw-module module 1 recover 14-6

hw-module module 1 reset 14-6

hw-module module 1 shutdown 14-6

inline mode 14-2

inspecting IPS traffic 14-3

logging in 2-7

modes 14-2

promiscuous mode 14-2

recovering C-48

resetting C-47

sending traffic 14-2

session command 2-7

show module command 14-2

task sequence 14-1

time sources 4-20, C-6

verifying initialization 14-2

alarm channel described 6-2, A-24

alert-frequency command 7-5

alert-severity command 7-6

allow-sensor-block command 10-7

Analysis Engine busy IDM exits C-39

appliances

application partition image 17-11

logging in 2-2

recovering software image 17-24

setting up a terminal server 2-3, 17-13

terminal server 2-3, 17-13

time sources 4-19, C-4

upgrading recovery partition 17-5

application partition

described A-3

image recovery 17-11

application-policy command 7-14

applications in XML format A-2

applying software updates C-34

ARC

ACLs 10-21, A-13

authentication A-14

blocking

connection-based A-16

unconditional blocking A-16

blocking application 10-1

block response A-12

Catalyst switches

VACL commands A-18

VACLs A-15, A-17

VLANs A-15

checking status 10-3

described A-2

design 10-2, 10-5

device access issues C-22

features A-12

figure A-12

firewalls

AAA A-17

connection blocking A-16

NAT A-17

network blocking A-16

postblock ACL A-15

preblock ACL A-15

shun command A-17

TACACS+ A-17

formerly Network Access Controller 10-3

functions 10-1

inactive state C-21

interfaces A-13

maintaining states A-15

master blocking sensors A-13

maximum blocks 10-2, 10-5

nac.shun.txt file A-15

NAT addressing A-14

number of blocks A-14

postblock ACL A-15

preblock ACL A-15

prerequisites 10-4

rate limiting 10-3

responsibilities A-12

single point of control A-14

SSH A-13

supported devices 10-5, A-14

Telnet A-13

VACLs A-13

verifying interface C-24

verifying it is running C-20

ASR

calculating 6-8

described 6-8

assigning interfaces to virtual sensor 5-24

Atomic ARP engine

described B-11

parameters (table) B-11

Atomic IP engine

described B-11

parameters (table) B-11

Attack Response Controller

described A-2

formerly known as Network Access Controller A-2

functions A-11

attack severity rating see ASR

attemptLimit command 4-17

AuthenticationApp

authenticating users A-20

described A-3

login attempt limit A-19

method A-19

responsibilities A-19

secure communications A-20

sensor configuration A-19

authorized keys

defining 4-34

RSA authentication 4-34

automatic update C-35

automatic upgrade examples 17-9

Auto Update and UNIX-style directory listings 17-8, C-36

auto-upgrade-option command 17-6

B

back door Trojan BO2K B-38

backing up

configuration 12-18

current configuration 12-17

BackOrifice protocol B-38

backup-config command 12-14

banner login command 13-1

block-enable command 10-8

block-hosts command 10-30

blocking

addresses never to block 10-18

block time 10-12

disabling 10-9

list of blocked hosts 10-32

managing firewalls 10-27

managing routers 10-23

managing switches 10-26

manual 10-30

master blocking sensor 10-28

maximum entries 10-10

necessary information 10-3

not occurring for signature C-25

prerequisites 10-4

properties 10-6

sensor block itself 10-7

show statistics 10-32

supported devices 10-5

types 10-2

understanding 10-1

user profiles 10-19

block-networks command 10-30

Bug Toolkit

described C-1

URL C-1

bypass mode

configuring 5-23

understanding 5-23

bypass-option command 5-23

C

cannot access sensor C-8

capturing live traffic 9-5

Catalyst software

command and control access 15-5

IDSM-2

command and control access 15-5

configuring VACLs 15-14

enabling full memory tests 15-39

enabling SPAN 15-10

mls ip ids command 15-17

resetting 15-40

set span command 15-10

supervisor engine commands

supported 15-42

unsupported 15-43

changing

Microsoft IIS to UNIX-style directory listings 17-9, C-36

passwords 4-15

changing the memory

Java Plug-in on Linux C-38

Java Plug-in on Solaris C-38

Java Plug-in on Windows C-37

checking IPS software status (NM-CIDS) 16-7

CIDEE

defined A-34

example A-34

IPS extensions A-34

protocol A-34

supported IPS events A-34

cisco

default password 2-2

default username 2-2

Cisco.com

accessing software 18-2

downloading software 18-1

IPS software 18-1

software downloads 18-1

Cisco IOS software

configuration commands 15-45

EXEC commands 15-44

IDSM-2

command and control access 15-6

configuring VACLs 15-15

enabling full memory tests 15-39

enabling SPAN 15-12

mls ip ids command 15-18

resetting 15-41

rate limiting 10-3

SPAN options 15-11

Cisco Security Intelligence Operations

described 18-14

URL 18-14

Cisco Services for IPS

service contract 4-40, 18-9

supported products 4-40, 18-9

class-map command 14-2

clear denied-attackers command 6-21, 13-9

clear events command 4-21, 6-27, 13-7, C-7, C-69

clearing

denied attackers statistics 6-22, 13-9

events 6-27, 13-7, C-69

statistics 13-10, C-56

clear line command 13-2

CLI

command line editing 1-6

command modes 1-7

concurrent sessions 2-1

default keywords 1-10

described A-3, A-27

generic commands 1-9

introducing 1-1

regular expression syntax 1-7

CLI behavior

case sensitivity 1-5, A-29

described 1-4, A-29

display options 1-5, A-30

help 1-4, A-29

prompts 1-4, A-29

recall 1-5, A-29

tab completion 1-5, A-29

clock set command 4-23, 13-8

command and control access

Catalyst software 15-5

Cisco IOS software 15-6

described 15-5

command and control interfaces

list 5-2

understanding 5-2

command line editing (table) 1-6

command modes

described 1-7

event action rules configuration 1-7

EXEC 1-7

global configuration 1-7

privileged EXEC 1-7

service mode configuration 1-7

signature definition configuration 1-7

commands

access-list 4-5

alert-frequency 7-5

alert-severity 7-6

allow-sensor-block 10-7

application-policy 7-14

attemptLimit 4-17

auto-upgrade-option 17-6

backup-config 12-14

banner login 13-1

block-enable 10-8

block-hosts 10-30

block-networks 10-30

bypass-option 5-23

class-map 14-2

clear denied-attackers 6-21, 13-9

clear events 4-21, 6-27, 13-7, C-7, C-69

clear line 13-2

clock set 4-23, 13-8

copy backup-config 12-16

copy current-config 12-16

copy iplog 8-5

copy license-key 4-41, 18-12

copy packet-file 9-6

current-config 12-14

debug module-boot C-48

display-serial 13-21

downgrade 17-10

enable-acl-logging 10-13

enable-detail-traps 11-4

enable-nvram-write 10-14

erase 12-18

erase packet-file 9-7

event-action 7-11

event-counter 7-8

filters 6-14

fragment-reassembly 7-23

ftp-timeout 4-7

global-block-timeout 6-20, 10-12

global-deny-timeout 6-20

global-filters-status 6-20

global-metaevent-status 6-20

global-overrides-status 6-20

global-summarization 6-20

host-ip 4-3

host-name 4-1

hw-module module 1 recover 14-6

hw-module module 1 reset 14-6, C-47

hw-module module 1 shutdown 14-6

inline-interfaces 5-15

interface-notifications 5-25

ip-access-list 15-15

ip-log 7-31

iplog 8-3

ip-log-bytes 8-2

ip-log-packets 8-2

ip-log-time 8-2

log-all-block-events-and-errors 10-15

logical-interface 5-24

login-banner-text 4-8

max-block-entries 10-10

max-denied-attackers 6-20

max-interfaces 10-16

mls ip ids 15-17, 15-18

more 12-14

more current-config 12-1

never-block-hosts 10-18

never-block-networks 10-18

no iplog 8-4

overrides 6-11

packet capture 9-4

packet-display 9-2

password 4-11

physical-interface 5-24

physical-interfaces 5-11, 5-15, 5-18

ping 13-22

policy-map 14-2

privilege 4-11, 4-15

reset 13-23

service-policy 14-2

set security acl 15-14

set span 15-10

setup 3-1, 3-2

show clock 4-22, 13-7

show configuration 12-1, 12-11

show events 6-24, 13-4, C-66

show history 13-24

show inventory 13-24

show module 1 details C-47

show module command 14-2

show settings 12-3, 12-13, 13-26

show statistics 10-32, 13-10, C-55

show statistics denied-attackers 6-21

show statistics virtual-sensor 13-10, C-55

show tech-support 13-18, C-50

show users 4-16

show version 13-19, C-53

sig-fidelity-rating 7-9

snmp-agent-port 11-2

snmp-agent-protocol 11-2

ssh authorized-key 4-33

ssh-generate-key 4-35

ssh host-key 4-32

status 7-10

stream-reassembly 7-30

subinterface-type 5-19

summertime-option non-recurring 4-26

summertime-option recurring 4-24

target-value 6-9

telnet-option 4-4

terminal 13-3

time-zone-settings 4-28

tls generate-key 4-38

tls trusted-host 4-37

trace 13-25

trap-community-name 11-4

trap-destinations 11-4

upgrade 17-5

username 4-11

user-profile 10-19

variables 6-7, 7-2

configuration files

backing up 12-18

merging 12-18

configuration sequence

AIP-SSM 14-1

interfaces 5-9

NM-CIDS 16-1

sensors 1-2

configuring

access list 4-5

account locking 4-17

ACL logging 10-13

alert frequency parameters 7-5

alert severity 7-7

application policy 7-15, 7-43

automatic IP logging 8-2

automatic upgrades 17-7

blocking

firewalls 10-27

routers 10-23

switches 10-26

time 10-12

bypass mode 5-23

event action filters 6-15

event actions 7-12

event action variables 6-7

event counter 7-8

ftp-timeout 4-7

host-ip 4-3

host manual blocks 10-31

hostname 4-2

hosts never to block 10-18

inline interface mode 5-16

inline VLAN pairs 5-19

interfaces 5-9

IP fragment reassembly 7-23

IP fragment reassembly parameters 7-22, 7-29

IP logging 7-32

logging all blocking events and errors 10-15

logical devices 10-19

login-banner-text 4-8

maintenance partition (Catalyst software) 17-29

maintenance partition (Cisco IOS software) 17-33

manual IP logging 8-3

master blocking sensor 10-29

maximum block entries 10-10

maximum blocking interfaces 10-17

maximum denied attackers 6-20

meta event generator 6-20

network manual blocks 10-31

networks never to block 10-18

NM-CIDS interfaces 16-2

NM-CIDS packet capture 16-5

NTP servers 4-29

NVRAM write 10-14

passwords 4-15

physical interfaces 5-24

privilege 4-16

promiscuous mode 5-12

sensor (task sequence) 1-2

sensor to block itself 10-7

sensor to use NTP 4-30

SFR 7-9

signature fidelity rating 7-9

signature variables 7-3

status 7-10

summarizer 6-20

summertime

non-recurring 4-26

recurring 4-24

TCP stream reassembly 7-31

telnet-option 4-4

timezone settings 4-28

traffic flow notifications 5-25

TVRs 6-9

upgrades 17-4

user profiles 10-19

web server settings 4-9

control transactions

characteristics A-8

request types A-7

copy backup-config command 12-16

copy current-config command 12-16

copying

IP logging files 8-5

packet files 9-7

copy iplog command 8-5

copy license-key command 4-41, 18-12

copy packet-file command 9-6

correcting time on the sensor 4-21, C-7

creating

banner login 13-1

custom signatures 7-33

MEG signatures 7-39

service account 4-14

service HTTP signatures 7-38

string TCP signatures 7-35

user-profiles 10-19

cryptographic account

Encryption Software Export Distribution Authorization from 18-2

obtaining 18-2

CtlTransSource

described A-2, A-10

illustration A-11

Ctrl-N 1-5, A-29

Ctrl-P 1-5, A-29

current-config command 12-14

current configuration

backing up 12-18

filtering output 12-11

searching output 12-11

custom signatures

configuration sequence 7-33

MEG signature 7-39

service HTTP example 7-38

string TCP 7-33

D

data port restoring defaults 15-27

data structures (example) A-7

DDoS protocol B-38

debug-module-boot command C-48

default

blocking time 10-12

keywords 1-10

password 2-2

username 2-2

defining authorized keys 4-34

deleting denied attackers list 6-22, 13-9

deny-packet-inline described 6-6, 6-10, 7-12, B-8

device access issues C-22

diagnosing network connectivity 13-22

directing output to serial port 13-22

disabling

blocking 10-9

ECLB 15-35

signatures 7-10

disaster recovery C-2

displaying

contents of logical file 12-15

current configuration 12-1

current submode configuration 12-3

events 6-25, 13-5, C-67

live traffic 9-3

PEP information 13-25

statistics 13-10, C-56

submode settings 13-26

system clock 4-22, 13-7

tech support information 13-19, C-50

version 13-19, C-53

display-serial command

described 13-21

supported platforms 13-21

downgrade command 17-10

downgrading sensors 17-10

downloading software 18-1

duplicate IP addresses C-11

E

ECLB

described 15-24

disabling 15-35

options 15-28

promiscuous mode 15-27

requirements 15-27

sensing modes 15-25

verifying 15-37

enable-acl-logging command 10-13

enable-detail-traps command 11-4

enable-nvram-write command 10-14

enabling

full memory tests

Catalyst software 15-39

Cisco IOS software 15-39

signatures 7-10

SPAN (Cisco IOS software) 15-12

enabling debug logging C-27

Encryption Software Export Distribution Authorization form

cryptographic account 18-2

described 18-2

erase command 12-18

erase packet-file command 9-7

erasing

current configuration 12-18

packet files 9-7

EtherChannel see ECLB

event-action command 7-11

event action filters

overview 6-13

understanding 6-13

event action overrides described 6-10

event action rules

example 6-23

functions 6-1

task list 6-6

understanding 6-1

event actions

deny attackers inline 6-19

described 6-4, B-6

table 6-4, B-6

event-counter command 7-8

Event Store

clearing events 4-21, C-7

data structures A-7

described A-2

examples A-6

responsibilities A-6

timestamp A-6

event types C-65

event variables

described 6-7

example 6-7

F

fail-over testing 5-9

filtering

current configuration 12-11

submode configuration 12-13

filters command 6-14

Flood engine described B-12

Flood Host engine parameters (table) B-12

Flood Net engine parameters (table) B-12

fragment-reassembly command 7-23

ftp-timeout

command 4-7

configuring 4-7

G

generating

SSH server host key 4-35

TLS certificate 4-38

generic commands 1-9

global-block-timeout command 6-20, 10-12

global-deny-timeout command 6-20

global-filters-status command 6-20

global-metaevent-status command 6-20

global-overrides-status command 6-20

global-summarization command 6-20

H

H.225.0 protocol B-20

H.323 protocol B-20

hardware bypass

configuration restrictions 5-9

IPS-4260 5-8

with software bypass 5-8

help

question mark 1-4, A-29

using 1-4, A-29

host-ip

command 4-3

configuring 4-3

host-name

command 4-1

configuring 4-2

HTTP deobfuscation

ASCII normalization 7-36, B-23

described 7-36, B-23

hw-module module 1 recover command 14-6

hw-module module 1 reset command 14-6, C-47

hw-module module 1 shutdown command 14-6

I

IDAPI

communications A-3, A-30

described A-3, A-30

functions A-30

illustration A-30

responsibilities A-30

IDCONF

described A-33

example A-33

RDEP2 A-33

XML A-33

IDIOM

defined A-33

messages A-33

IDM

certificates 4-36

error message Analysis Engine is busy C-39

Java Plug-in C-37

memory C-37

TLS and SSL 4-36

will not load clear Java cache C-39

IDS-4215

BIOS/ROMMON upgrade utility 17-17

BIOS upgrade 17-17

reimaging 17-15

ROMMON upgrade 17-17

upgrading

BIOS 17-17

ROMMON 17-17

IDSM-2

administrative tasks 15-38

capturing IPS traffic

described 15-13

mls ip ids command 15-17

SPAN 15-9

Catalyst software

command and control access 15-5

inline mode 15-19, 15-21, 15-22

command and control access

configuring 15-6

described 15-5

command and control port 15-8, C-45

configuration tasks 15-1

configuring

command and control access 15-5

ECLB 15-28, 15-30, 15-32

ECLB inline mode 15-26

ECLB inline VLAN pair mode 15-25

ECLB promiscuous mode 15-25

inline mode 15-19, 15-20, 15-22

inline VLAN pair mode 15-23

load balancing 15-28, 15-30, 15-32

maintenance partition (Catalyst software) 17-29

maintenance partition (Cisco IOS software) 17-33

mls ip ids command 15-17

sequence 15-1

SPAN 15-9

tasks 15-1

configuring VACLs

Catalyst software 15-14

Cisco IOS software 15-15

disabling

ECLB (Catalyst software) 15-36

ECLB inline mode (Catalyst software) 15-35

ECLB inline VLAN pair mode (Catalyst software) 15-35

ECLB promiscuous mode (Catalyst software) 15-35

ECLB

disabling 15-35

requirements 15-27

verifying 15-37

enabling full memory tests

Catalyst software 15-39

Cisco IOS software 15-39

inline mode

Cisco IOS software 15-20

described 15-8

requirements 15-19, 15-22

understanding 15-19, 15-21

inline VLAN pair mode

Cisco IOS software 15-23

described 15-8

installing

system image (Catalyst software) 17-27

system image (Cisco IOS software) 17-28

logging in 2-4

mixing sensing modes 15-8

mls ip ids command

Catalyst software 15-17

Cisco IOS software 15-18

described 15-8

monitoring ports 15-8

not online C-45

promiscuous mode 15-7, 15-8

reimaging described 17-27

resetting

Catalyst software 15-40

Cisco IOS software 15-41

described 15-40

restoring data port defaults 15-27

sensing ports 15-14

set span command 15-10

supported configurations 15-4

supported supervisor engine commands 15-42

TCP reset port 15-8, 15-9, 15-14

time sources 4-19, C-5

unsupported supervisor engine commands 15-43

upgrading

maintenance partition (Catalyst software) 17-37

maintenance partition (Cisco IOS software) 17-37

VACLs

configuring 15-13

understanding 15-13

verifying

ECLB (Catalyst software) 15-36

installation 15-2

initialization

verifying (AIP-SSM) 14-2

verifying (sensor) 3-7

initializing the sensor 3-1, 3-2

inline-interfaces

command 5-15

configuring 5-16

inline mode

IDSM-2 15-8

understanding 5-15

inline VLAN pair mode

IDSM-2 15-8

understanding 5-18

inline VLAN pairs

configuring 5-19

supported sensors 5-18

installer major version described 18-5

installer minor version described 18-6

installing

license key 4-42, 18-13

sensor license 18-11

system image

IDS-4260 17-22

IDSM-2 (Catalyst software) 17-27

IDSM-2 (Cisco IOS software) 17-28

IPS-4240 17-18

InterfaceApp described A-2

interface configuration sequence 5-9

interface-notifications command 5-25

interfaces

alternate TCP reset 5-1

command and control 5-1, 5-2

configuration restrictions 5-10

described 5-1

displaying live traffic 9-3

port numbers 5-1

sensing 5-1, 5-3

slot numbers 5-1

TCP reset 5-6

VLAN groups 5-1

interface support (table) 5-3

introducing the CLI 1-1

ip-access-list command 15-15

IP fragment reassembly

parameters (table) 7-22

signatures (table) 7-22

understanding 7-22

ip-log-bytes command 8-2

ip-log command 7-31

iplog command 8-3

IP logging

automatic 8-2

configuring 8-1

copying files 8-5

manual 8-3

understanding 7-31, 8-1

ip-log-packets command 8-2

ip-log-time command 8-2

IPS

external communications A-31

internal communications A-30

IPS-4240

installing system image 17-18

ROMMON 17-11

IPS-4255

installing system image 17-18

ROMMON 17-11

IPS-4260

hardware bypass 5-8

installing system image 17-22

reimaging 17-22

IPS applications

summary A-36

table A-36

XML format A-2

IPS data

types A-7

XML document A-8

IPS events

listed A-8

types A-8

IPS modules and time synchronization 4-20, C-6

IPS software

application list A-2

available files 18-1

configuring device parameters A-4

directory structure A-35

Linux OS A-1

new features A-3

obtaining 18-1

platform-dependent release examples 18-7

retrieving data A-4

security features A-4

tuning signatures A-4

updating A-4

user interaction A-4

IPS software file names

major updates (illustration) 18-3

minor updates (illustration) 18-3

patch releases (illustration) 18-3

service packs (illustration) 18-3

J

Java Plug-in

Linux C-38

Solaris C-38

Windows C-37

K

keywords

default 1-10

no 1-10

L

license key

installing 4-42, 18-13

status 4-39, 18-9

trial 4-39

licensing

described 4-39, 18-9

IPS device serial number 4-39, 18-9

Licensing pane

configuring 18-11

described 4-39, 18-9

listings UNIX-style 17-8, C-36

list of blocked hosts 10-32

load balancing options 15-28

locked account reset 4-15

log-all-block-events-and-errors command 10-15

LogApp

described A-2, A-18

functions A-18

syslog messages A-18

logging in

AIP-SSM 2-7

appliances 2-2

IDSM-2 2-4

NM-CIDS 2-5

sensors

SSH 2-8

Telnet 2-8

service role 2-2

terminal servers 2-3, 17-13

user role 2-1

logical-interface command 5-24

login-banner-text

command 4-8

configuring 4-8

LOKI protocol B-38

M

MainApp

applications A-5

described A-2

host statistics A-5

responsibilities A-5

show version command A-5

maintenance partition

configuring (Catalyst software) 17-29

configuring (Cisco IOS software) 17-33

described A-3

major updates described 18-3

managing

firewalls 10-27

routers 10-23

switches 10-26

manual

blocking 10-30

block to bogus host C-24

master blocking sensor

configuring 10-29

described 10-28

not set up properly C-26

Master engine

alert frequency B-5

alert frequency parameters (table) B-5

defined B-3

event actions B-6

general parameters (table) B-4

promiscuous delta B-5

universal parameters B-4

max-block-entries command 10-10

max-denied-attackers command 6-20

max-interfaces command 10-16

memory (IDM) C-37

merging configuration files 12-18

Meta engine

described 7-39, B-13

parameters (table) B-13

MIBs supported 11-6

minor updates described 18-3

mls ip ids command

Catalyst software 15-17

Cisco IOS software 15-18

IDSM-2 15-17

modes

bypass 5-23

inline 5-15

modifying terminal properties 13-3

monitoring and Viewer privileges 1-4, A-27

more command 12-14

more current-config command 12-1

Multi String engine described B-14

N

Network Timing Protocol see NTP

never-block-hosts command 10-18

never-block-networks command 10-18

NM-CIDS

checking IPS software status 16-7

configuration tasks 16-1

configuring

ids-sensor interfaces 16-2

interfaces 16-2

packet capture 16-5

logging in 2-5

packet monitoring described 16-5

rebooting 16-7

reimaging

overview 17-25

procedure 17-25

reload command 16-7

reset command 16-7

session command 16-2

shutdown command 16-7

supported Cisco IOS software commands 16-8

system image file 17-25

telnetting to the router 16-4

time sources 4-19, C-5

no iplog command 8-4

Normalizer engine

described B-15

IP fragment reassembly B-15

parameters (table) B-16

TCP stream reassembly B-16

NotificationApp

alert information A-8

described A-2

functions A-8

SNMP gets A-8

SNMP traps A-8

statistics A-10

system health information A-9

NTP

described C-4

incorrect configuration 4-21

sensor time source 4-29, 4-30

time synchronization 4-18, C-4

understanding 4-18

NTP servers configuration 4-29

O

obtaining

command history 13-24

cryptographic account 18-2

IPS software 18-1

list of blocked hosts and connections 10-32

used commands list 13-24

Operator privileges 1-3, A-27

output

clearing current line 1-5, A-30

displaying 1-5, A-30

overrides command 6-11

P

packet capture command 9-4

packet display command 9-2

partitions

application A-3

maintenance A-3

recovery A-3

password command 4-11

passwords

changing 4-15

configuring 4-15

service account 3-2

patch releases described 18-4

PEP information

PID 13-24

SN 13-24

VID 13-24

physical connectivity issues C-14

physical-interface command 5-24

physical-interfaces

command 5-11, 5-15, 5-18

configuring 5-24

ping command 13-22

policy-map command 14-2

Post-Block ACLs 10-21, 10-22

Pre-Block ACLs 10-21, 10-22

prerequisites for blocking 10-4

privilege

command 4-11, 4-15

configuring 4-16

promiscuous mode

configuring 5-12, 5-15

ECLB 15-27

IDSM-2 15-7

packet flow 5-14

understanding 5-14

prompts default input 1-4, A-29

Q

Q.931 protocol

described B-20

SETUP messages B-20

R

rate limiting

routers 10-3

supported signatures 10-3

understanding 10-3

RDEP2

described A-31

functions A-31

messages A-31

responsibilities A-31

rebooting NM-CIDS 16-7

recall

help and tab completion 1-5, A-29

using 1-5, A-29

recover command 17-11

recovering

AIP-SSM C-48

application partition image 17-11

recovery/upgrade CD 17-24

recovery partition

described A-3

upgrading 17-5

regular expression syntax

described 1-7

table 1-8

reimaging

appliance 17-11

described 17-1

IDS-4215 ROMMON 17-15

IDS-4260 17-22

IDSM-2 17-27

IPS-4260 ROMMON 17-22

NM-CIDS 17-25

sensors 17-1

removing last applied upgrade 17-10

reset

command 13-23

not occurring for a signature C-33

resetting

AIP-SSM C-47

appliance 13-23

IDSM-2 15-40

restoring

current configuration 12-17

data port defaults 15-27

retiring signatures 7-10

retrieving events through RDEP2 (illustration) A-31

risk rating see RR

ROMMON

described 17-13

IDS-4215 17-15

remote sensors 17-13

serial console port 17-13

TFTP 17-13

round-trip time see RTT

RPC portmapper B-27

RR

calculating 6-8

example 6-24

RSA authentication and authorized keys 4-34

RTT

described 17-13

TFTP limitation 17-13

S

scheduling automatic upgrades 17-7

SDEE

defined A-34

HTTP A-34

protocol A-34

Server requests A-34

SEAF

described 6-2, A-24

parameters 6-2, A-24

SEAO described 6-2, A-24

SEAP

alarm channel 6-2, A-24

components 6-2, A-24

described A-22

flow of signature events 6-2, A-24

function 6-2

illustration 6-2, A-24

searching

current configuration 12-11

submode configuration 12-13

security

account locking 4-17

information on Cisco Security Intelligence Operations 18-14

SSH 4-32

sending commands through RDEP2 (illustration) A-32

sensing interfaces

modes 5-3

PCI cards 5-3

understanding 5-3

SensorApp

Alarm Channel A-23

Analysis Engine A-23

described A-3

event action filtering A-26

hold down timer A-26

inline packet processing A-25

IP normalization A-26

new features A-25

packet flow A-23

processors A-22

responsibilities A-22

RR A-26

SEAP A-22

TCP normalization A-26

sensor license 18-11

sensors

configuration task sequence 1-2

configuring to use NTP 4-30

downgrading 17-10

incorrect NTP configuration 4-21

initializing 3-1, 3-2

interface support 5-3

logging in

SSH 2-8

Telnet 2-8

managing

firewalls 10-27

routers 10-23

switches 10-26

not seeing packets C-17

NTP

time source 4-30

time synchronization 4-18, C-4

partitions A-3

process not running C-13

recovering the system image 18-8

reimaging 17-1, 18-8

setup command 3-1, 3-2

time sources 4-18, C-4

using NTP time source 4-29

service account

creating 4-14

described A-28

privileges 1-4, A-28

TAC A-28

troubleshooting A-28

understanding 4-13

Service DNS engine

described B-17

parameters (table) B-18

Service FTP engine

described B-19

parameters (table) B-19

Service Generic engine

described B-19

parameters (table) B-20

Service H225 engine

ASN.1 PER validation B-21

described B-20

features B-21

parameters (table) B-22

TPKT validation B-21

Service HTTP engine

described 7-36, B-23

parameters (table) B-23

signature 7-37

Service IDENT engine

described B-25

parameters (table) B-25

Service MSRPC engine

DCE/RPC protocol B-25

described B-25

parameters (table) B-26

Service MSSQL engine

described B-26

MSSQL protocol B-26

parameters (table) B-26

Service NTP engine

described B-27

parameters (table) B-27

service packs described 18-4

service-policy command 14-2

Service privileges 1-4, A-28

service role 1-4, 2-2, A-28

Service RPC engine

described B-27

parameters (table) B-27

RPC portmapper B-27

Service SMB engine

described B-28

parameters (table) B-28

Service SNMP engine

described B-30

parameters (table) B-30

Service SSH engine

described B-31

parameters (table) B-31

session command

AIP-SSM 2-7

IDSM-2 2-4

NM-CIDS 2-5

set security acl command 15-14

setting the system clock 4-23, 13-8

setting up a terminal server 2-3, 17-13

setup command 3-1, 3-2

SFR

calculating 6-8

described 6-8

show clock command 4-22, 13-7

show configuration command 12-1, 12-11

show events command 6-24, 13-4, C-66

show history command 13-24

show interfaces command C-64

show inventory command 13-24

show module 1 details command C-47

show module command 14-2

show settings command 12-3, 12-13, 13-26

show statistics command 10-32, 13-10, C-55

show statistics denied-attackers command 6-21

show statistics virtual-sensor command 13-10, C-55

show tech-support command

described 13-18, C-50

output C-51

show users command 4-16

show version command 13-19, C-53

sig-fidelity-rating command 7-9

signature/virus update files described 18-4

signature engines

AIC B-9

Atomic B-10

Atomic ARP B-11

Atomic IP B-11

defined B-1

Flood B-12

Flood Host B-12

Flood Net B-12

list B-2

Meta 7-39, B-13

Multi String B-14

Normalizer B-15

Service DNS B-17

Service FTP B-19

Service Generic B-19

Service H225 B-20

Service HTTP 7-36, B-23

Service IDENT B-25

Service MSRPC B-25

Service MSSQL B-26

Service NTP engine B-27

Service RPC B-27

Service SMB B-28

Service SNMP B-30

Service SSH engine B-31

State B-32

String 7-33, B-33

Sweep B-36

Traffic ICMP B-37

Trojan B-38

signature engine update files described 18-5

Signature Event Action Processor see SEAP

signature fidelity rating see SFR

signatures

custom 7-2

default 7-1

false positives 7-1

rate limits 10-3

service HTTP 7-37

string TCP 7-35

subsignatures 7-1

tuned 7-1

understanding 7-1

signature variables described 7-2

SNMP

configuring

agent parameters 11-2

traps 11-4

general parameters 11-2

Get 11-1

GetNext 11-1

Set 11-1

supported MIBs 11-6

Trap 11-1

understanding 11-1

snmp-agent-port command 11-2

snmp-agent-protocol command 11-2

SNMP traps described 11-1

software architecture

ARC (illustration) A-12

IDAPI (illustration) A-30

RDEP2 (illustration) A-32

software bypass with hardware bypass 5-8

software downloads Cisco.com 18-1

software file names

recovery (illustration) 18-5

signature/virus updates (illustration) 18-4

signature engine updates (illustration) 18-5

system image (illustration) 18-5

software release examples

platform-dependent 18-7

platform identifiers 18-7

platform-independent 18-6

SPAN

configuring 15-9

options 15-11

port issues C-14

SSH

adding hosts 4-32

security 4-32

understanding 4-32

ssh authorized-key command 4-33

ssh generate-key command 4-35

ssh host-key command 4-32

SSH known hosts list adding hosts 4-32

SSH Server

host key generation 4-35

private keys A-20

public keys A-20

State engine

Cisco Login B-32

described B-32

LPR Format String B-32

parameters (table) B-32

SMTP B-32

status command 7-10

stopping IP logging 8-4

stream-reassembly command 7-30

String engine described 7-33, B-33

String ICMP engine parameters (table) B-33

String TCP engine

options 7-33

signature (example) 7-33

String TCP engine parameters (table) B-34

String UDP engine parameters (table) B-35

subinterface-type command 5-19

submode configuration

filtering output 12-13

searching output 12-13

summarization

Fire All 6-19

Fire Once 6-19

Global Summarization 6-19

Meta engine 6-19

Summary 6-19

understanding 6-19

summertime

configuring

non-recurring 4-26

recurring 4-24

summertime-option

non-recurring command 4-26

recurring command 4-24

supervisor engine commands

supported 15-42

unsupported 15-43

supported Cisco IOS software commands (NM-CIDS) 16-8

Sweep engine

described B-36

parameters (table) B-36

switch commands for troubleshooting C-42

syntax and case sensitivity 1-5, A-29

system architecture

directory structure A-35

supported platforms A-1

system clock

displaying 4-22, 13-7

setting 4-23, 13-8

System Configuration Dialog described 3-1

system design (illustration) A-1

system image

installing

IDSM-2 (Cisco IOS software) 17-28

T

tab completion use 1-5, A-29

TAC

PEP information 13-25

service account 4-13, A-28

show tech-support command 13-18, C-50

target-value command 6-9

target value rating see TVR

tasks

configuring IDSM-2 15-1

configuring NM-CIDS 16-1

configuring the sensor 1-2

TCP reset interfaces

conditions 5-7

described 5-6

list 5-6

TCP reset port (IDSM-2) 15-9

TCP stream reassembly

parameters (table) 7-25, 7-29

signatures (table) 7-25, 7-29

understanding 7-24

telnet (NM-CIDS) 16-4

telnet-option

command 4-4

configuring 4-4

terminal

command 13-3

modifying length 13-3

server setup 2-3, 17-13

terminating CLI sessions 13-3

testing fail-over 5-9

TFN2K protocol B-37

TFTP servers

maximum file size limitation 17-13

RTT 17-13

time

correction on the sensor 4-21, C-7

synchronization and IPS modules 4-20, C-6

time sources

AIP-SSM 4-20, C-6

appliances 4-19, C-4

IDSM-2 4-19, C-5

NM-CIDS 4-19, C-5

time-zone-settings

command 4-28

configuring 4-28

TLS

certificate generation 4-38

certificates 4-36

handshaking 4-36

understanding 4-36

tls generate-key command 4-38

tls trusted-host command 4-37

trace

command 13-25

IP packet route 13-25

traffic flow notifications

configuring 5-25

overview 5-25

Traffic ICMP engine

DDoS B-37

described B-37

LOKI B-37

parameters (table) B-38

TFN2K B-37

Transport Layer Security see TLS

trap-community-name 11-4

trap-destinations command 11-4

trial license key 4-39

Tribe Flood Net 2000 protocol B-37

Trojan engine

BO2K B-38

described B-38

TFN2K B-38

troubleshooting

accessing files on FTP site C-70

access list misconfiguration C-11

AIP-SSM

commands C-47

debugging C-48

recovering C-48

reset C-47

Analysis Engine busy C-39

applying software updates C-34

ARC C-20

automatic update C-35

blocking not occurring for signature C-25

cannot access sensor C-8

cidDump script C-70

cidLog messages to syslog C-32

communication C-8

corrupted SensorApp configuration C-19

debug logger zone names (table) C-31

device access issues C-22

disaster recovery C-2

duplicate IP address C-11

enabling debug logging C-27

faulty DIMMs C-19

gathering information C-49

IDM

cannot access sensor C-40

will not load C-39

IDSM-2

command and control port C-45

diagnosing problems C-41

not online C-45

serial cable C-47

switch commands C-42

TCP reset port C-46

IPS and PIX devices C-4

manual block to bogus host C-24

master blocking sensor not set up properly C-26

normalizer inline mode C-4

NTP C-33

physical connectivity issues C-14

preventive maintenance C-2

reset not occurring for a signature C-33

sensor

events C-65

not seeing packets C-17

process not running C-13

service account 4-13

show events command C-65

show interfaces command C-64

show statistics command C-55

show tech-support command C-49, C-50

show tech-support command output C-51

show version command C-52, C-53

software upgrades

IDS-4235 C-34

IDS-4250 C-34

on sensor C-36

SPAN port issue C-14

unable to see alerts C-15

uploading files to FTP site C-70

using debug logging C-27

trusted hosts adding 4-37

TVR

described 6-8

overview 6-9

U

understanding

bypass mode 5-23

SSH 4-32

time on the sensor 4-18, C-4

UNIX-style directory listings 17-8, C-36

unsupported supervisor engine commands 15-43

upgrade command 17-5, 17-11

upgrading

4.1 to 5.0 18-8

maintenance partition

IDSM-2 (Catalyst software) 17-37

IDSM-2 (Cisco IOS software) 17-37

minimum required version 18-8

recovery partition 17-5, 17-11

URLs for Cisco Security Intelligence Operations 18-14

username command 4-11

user-profiles

command 10-19

described 10-19

user roles

Administrator 1-3, A-27

Operator 1-3, A-27

Service 1-3, A-27

Viewer 1-3, A-27

users

adding 4-11

removing 4-11

using

debug logging C-27

TCP reset interface 5-7

V

VACLs

described 10-2

IDSM-2 15-13

variables command 6-7, 7-2

verifying

ECLB 15-37

IDSM-2 installation 15-2

sensor initialization 3-7

sensor setup 3-7

Viewer privileges 1-4, A-27

viewing user information 4-17

virtual sensors and assigning the interfaces 5-24

W

Web Server

described A-3, A-21

HTTP 1.0 and 1.1 support A-21

private keys A-20

public keys A-20

RDEP2 support A-21

settings configuration 4-9