Installing and Using Cisco Intrusion Prevention System Device Manager 5.1
Index


Numerics

4GE bypass interface card

configuration restrictions 3-8

described 3-7

illustration 3-7

A

accessing IPS software 12-2

access list misconfiguration C-7

ACLs

described 8-3

Post-Block 8-22, 8-24

Pre-Block 8-22, 8-24

Active Host Blocks pane

button functions 8-36, 11-3

configuring 8-37, 11-5

described 8-35, 11-3

field descriptions 8-36, 11-3

user roles 8-36, 11-3

active update bulletin subscription 12-14

Add Active Host Block dialog box

button functions 8-37, 11-4

field descriptions 8-37, 11-4

Add Allowed Host dialog box

button functions 2-5

field descriptions 2-5

user roles 2-5

Add Authorized Key dialog box

button functions 2-9

field descriptions 2-9

user roles 2-8

Add Blocking Device dialog box user roles 8-19

Add Cat 6K Blocking Device Interface dialog box

button functions 8-29

field descriptions 8-29

user roles 8-28

Add Device Login Profile dialog box user roles 8-15

Add Event Action Filters dialog box

button functions 7-22

field descriptions 7-22

user roles 7-20

Add Event Action Overrides dialog box

button functions 7-16

field descriptions 7-16

user roles 7-15

Add Event Variable dialog box user roles 7-10

Add Interface Pair dialog box

button functions 3-16

field descriptions 3-16

user roles 3-15

Add IP Logging dialog box

button functions 11-13

field descriptions 11-13

Add Known Host Key dialog box

button functions 2-12

field descriptions 2-12

user roles 2-11

Add Master Blocking Sensor dialog box user roles 8-32

Add Never Block Address dialog box user roles 8-7

Add Router Blocking Device Interface dialog box user roles 8-24

Add Signature dialog box user roles 5-6

Add Signature Variable dialog box user roles 5-2

Add SNMP Trap Destination dialog box user roles 9-4

Add Target Value Rating dialog box

button functions 7-13

field descriptions 7-13

user roles 7-12

Add Trusted Host dialog box

button functions 2-16

field descriptions 2-16

user roles 2-15

Add User dialog box

button functions 2-27

field descriptions 2-27

user roles 2-26

Administrator privileges A-27

Advanced Alert Behavior Wizard

Alert Dynamic Response Fire All window

button functions 6-20

field descriptions 6-20

Alert Dynamic Response Fire Once window

button functions 6-21

field descriptions 6-21

Alert Dynamic Response Summary window

button functions 6-19

field descriptions 6-19

Alert Summarization window

button functions 6-19

field descriptions 6-19

Event Count and Interval window

button functions 6-18

field descriptions 6-18

Global Summarization window

button functions 6-21

field descriptions 6-21

advisory for cryptographic products 1-1

AIC engine

AIC FTP B-8

AIC HTTP B-8

defined 5-27, B-8

features B-8

AIC FTP engine parameters (table) B-10

AIC HTTP engine parameters (table) B-9

AIP-SSM

recovering C-46

resetting C-45

time sources 2-20

alarm channel described 7-4, A-24

Allowed Hosts pane

button functions 2-5

configuring 2-6

described 2-4

field descriptions 2-5

analysis engine

global variables 4-4

virtual sensor 4-1

Analysis Engine busy IDM exits C-37

appliances

application partition image 13-11

recovering software image 13-24

setting up a terminal server 13-14

terminal server 13-14

time sources 2-19

upgrading recovery partition 13-5

application partition

described A-3

recovering the image 13-11

applications in XML format A-2

ARC

ACLs 8-22, A-13

authentication A-14

blocking

connection-based A-16

unconditional blocking A-16

blocking application 8-1

block response A-12

Catalyst 6000 series switch

VACL commands A-18

VACLs A-18

Catalyst switches

VACLs A-15

VLANs A-15

checking status 8-3

described A-2

design 8-2

features A-13

firewalls

AAA A-17

connection blocking A-17

NAT A-17

network blocking A-17

postblock ACL A-15

preblock ACL A-15

shun command A-17

TACACS+ A-17

formerly known as Network Access Controller 8-1, 8-3

functions 8-1

illustration A-12

interfaces A-13

maintaining states A-15

managed devices 8-6

master blocking sensors A-13

maximum blocks 8-2

nac.shun.txt file A-15

NAT addressing A-14

number of blocks A-14

postblock ACL A-15

preblock ACL A-15

prerequisites 8-4

rate limiting 8-3, 11-8

responsibilities A-12

single point of control A-14

SSH A-13

supported devices 8-5, A-14

Telnet A-13

VACLs A-13

ASR described 7-2

Assign Actions dialog box

button functions 5-16

field descriptions 5-16

assigning interfaces to the virtual sensor 4-3

Atomic ARP engine

described B-10

parameters (table) B-10

Atomic IP engine

described B-11

parameters (table) B-11

Attack Response Controller

described A-2

formerly known as Network Access Controller A-2

See ARC

attack severity rating see ASR

AuthenticationApp

authenticating users A-20

described A-3

login attempt limit A-19

method A-19

responsibilities A-19

secure communications A-20

sensor configuration A-19

Authorized Keys pane

button functions 2-8

configuring 2-9

described 2-7

field descriptions 2-8

RSA authentication 2-8

RSA key generation tool 2-9

automatic updates

Cisco.com 10-1

servers

FTP 10-1

SCP 10-1

troubleshooting C-32

automatic upgrade examples 13-9

Auto Update and UNIX-style directory listings 13-8

Auto Update pane

button functions 10-2

configuring 10-3

described 10-1

field descriptions 10-2

user roles 10-2

auto-upgrade-option command 13-6

B

back door Trojan BO2K B-37

BackOrifice protocol B-37

blocking

described 8-1

disabling 8-7

master blocking sensor 8-31

necessary information 8-3

prerequisites 8-4

supported devices 8-5

types 8-2

Blocking Devices pane

button functions 8-19

configuring 8-20

described 8-18

field descriptions 8-19

ssh host-key command 8-21

blocking not occurring for signature C-22

Blocking Properties pane

button functions 8-8

configuring 8-10

described 8-6

field descriptions 8-8

bypass mode 3-20

described 3-20

function 3-2

Bypass pane

button functions 3-21

field descriptions 3-21

user roles 3-21

C

cannot access sensor C-5

Cat 6K Blocking Device Interfaces pane

button functions 8-29

configuring 8-30

described 8-27

field descriptions 8-29

VACLs

Post-Block 8-27

Pre-Block 8-27

certificates

Internet Explorer 1-16

Mozilla 1-18

Netscape 1-17

changing Microsoft IIS to UNIX-style directory listings 13-9

changing the memory

Java Plug-in on Linux 1-4, C-35

Java Plug-in on Solaris 1-4, C-35

Java Plug-in on Windows 1-3, C-34, C-35

CIDEE

defined A-34

example A-34

IPS extensions A-34

protocol A-34

supported IPS events A-34

Cisco.com

accessing software 12-2

Active Update Bulletins 12-14

downloading software 12-1

IPS software 12-1

software downloads 12-1

Cisco IOS and rate limiting 8-3, 11-8

Cisco Security Center

described 12-14

URL 12-14

Cisco Services for IPS

service contract 1-20, 12-9

supported products 1-20, 12-9

clear events command 2-24, C-66

clearing

events C-66

statistics C-53

CLI behavior A-29

case sensitivity A-30

display options A-30

help A-29

prompts A-29

recall A-29

tab completion A-29

CLI described A-3, A-27

Clone Signature dialog box user roles 5-6

commands

auto-upgrade-option 13-6

clear events 2-24, C-66

copy license-key 12-12

debug module-boot C-46

downgrade 13-10

hw-module module 1 reset C-45

setup 1-4, 1-5, 2-1

show events C-64

show module 1 details C-45

show statistics C-53

show statistics virtual-sensor C-53

show tech-support C-47

show version C-50

upgrade 13-5

Configure Summertime dialog box

button functions 2-22

field descriptions 2-22

configuring

active host blocks 8-37, 11-5

application policy 5-35

automatic upgrades 13-7

blocking devices 8-20

blocking properties 8-10

Cat 6K blocking device interfaces 8-30

device login profiles 8-17

event action filters 7-24

event action overrides 7-18

event action rules general settings 7-28

events 7-30

event variables 7-11

interface pairs 3-16

interfaces 3-14

IP fragment reassembly parameters 5-37

IP logging 11-14

maintenance partition (Catalyst Software) 13-30

maintenance partition (Cisco IOS) 13-34

master blocking sensor 8-33

network blocks 8-40, 11-7

rate limiting devices 8-20

rate limits 8-13, 11-10

router blocking device interfaces 8-26

SNMP 9-3

SNMP traps 9-6

TCP fragment reassembly parameters 5-41

traffic flow notifications 3-22

TVR 7-14

upgrades 13-3

VLAN pairs 3-19

control transactions

characteristics A-8

request types A-7

copy license-key command 12-12

correcting time on the sensor 2-24

creating

custom signatures

not using signature engines 6-3

Service HTTP 6-34

String TCP 6-29

using signature engines 6-2

MEG signatures 5-43

cryptographic account

Encryption Software Export Distribution Authorization from 12-2

obtaining 12-2

cryptographic products IDM 1-1

CtlTransSource

described A-2, A-10

illustration A-11

Ctrl-N A-29

Ctrl-P A-29

custom MEG signatures 5-43

Custom Signature Wizard

Alert Behavior window button functions 6-18

Alert Response window

button functions 6-17

field descriptions 6-17

Atomic IP Engine Parameters window

button functions 6-6

field descriptions 6-6

described 6-1

ICMP Traffic Type window

button functions 6-14

field descriptions 6-14

Inspect Data window

button functions 6-17

field descriptions 6-17

MSRPC Engine Parameters window

button functions 6-9

field descriptions 6-9

no signature engine sequence 6-3

protocols 6-5

Protocol Type window

button functions 6-5

field descriptions 6-5

Service HTTP Engine Parameters window

button functions 6-8

field descriptions 6-8

Service RPC Engine Parameters window

button functions 6-9

field descriptions 6-9

Service Type window

button functions 6-16

field descriptions 6-16

signature engine sequence 6-2

Signature Identification window

button functions 6-6

field descriptions 6-6

State Engine Parameters window

button functions 6-10

field descriptions 6-10

String ICMP Engine Parameters window

button functions 6-11

field descriptions 6-11

String TCP Engine Parameters window

button functions 6-12

field descriptions 6-12

String UDP Engine Parameters window

button functions 6-13

field descriptions 6-13

Sweep Engine Parameters window

button functions 6-14

field descriptions 6-14

TCP Sweep Type window

button functions 6-16

field descriptions 6-16

TCP Traffic Type window

button functions 6-15

field descriptions 6-15

UDP Sweep Type window

button functions 6-16

field descriptions 6-16

UDP Traffic Type window

button functions 6-15

field descriptions 6-15

user roles 6-4

Welcome window

button functions 6-5

field descriptions 6-5

D

data structure examples A-7

DDOS protocol B-37

debug module-boot command C-46

defaults restoring 10-4

denied attackers

clearing list 11-2

hit count 11-1

resetting hit counts 11-2

Denied Attackers pane

button functions 11-2

described 11-1

field descriptions 11-2

user roles 11-2

using 11-2

device access issues C-19

Device Login Profiles pane

button functions 8-15

configuring 8-17

described 8-15

field descriptions 8-15

devices 8-20

diagnostics report 10-11

Diagnostics Report pane

button functions 10-11

described 10-11

user roles 10-11

using 10-11

disabling blocking 8-7

disaster recovery C-2

displaying

events C-64

statistics C-53

tech support information C-48

version C-51

downgrade command 13-10

downgrading sensors 13-10

downloading software 12-1

duplicate IP addresses C-7

E

Edit Allowed Host dialog box

button functions 2-5

field descriptions 2-5

user roles 2-5

Edit Authorized Key dialog box

button functions 2-9

field descriptions 2-9

user roles 2-8

Edit Blocking Device dialog box user roles 8-19

Edit Cat 6K Blocking Device Interface dialog box

button functions 8-29

field descriptions 8-29

user roles 8-28

Edit Device Login Profile dialog box user roles 8-15

Edit Event Action Filters dialog box

button functions 7-22

field descriptions 7-22

user roles 7-20

Edit Event Action Overrides dialog box 7-15

button functions 7-16

field descriptions 7-16

Edit Event Variable dialog box user roles 7-10

Edit Interface dialog box user roles 3-11

Edit Interface Pair dialog box

button functions 3-16

field descriptions 3-16

user roles 3-15

Edit IP Logging dialog box

button functions 11-13

field descriptions 11-13

Edit Known Host Key dialog box

button functions 2-12

field descriptions 2-12

user roles 2-11

Edit Master Blocking Sensor dialog box user roles 8-32

Edit Never Block Address dialog box user roles 8-7

Edit Router Blocking Device Interface dialog box user roles 8-24

Edit Signature dialog box user roles 5-6

Edit Signature Variable dialog box user roles 5-2

Edit SNMP Trap Destination dialog box user roles 9-4

Edit Target Value Rating dialog box

button functions 7-13

field descriptions 7-13

user roles 7-12

Edit User dialog box

button functions 2-27

field descriptions 2-27

user roles 2-26

Edit Virtual Sensor dialog box user roles 4-2

enabling debug logging C-24

Encryption Software Export Distribution Authorization form

cryptographic account 12-2

described 12-2

event action filters

configuring 7-24

described 7-3

Event Action Filters pane

button functions 7-20

configuring 7-24

described 7-19

field descriptions 7-20

event action overrides

configuring 7-18

described 7-2

Event Action Overrides pane

button functions 7-15

configuring 7-18

described 7-15

field descriptions 7-15

event action rules

described 7-1

example 7-8

functions 7-1

event actions

described 7-6

table 7-6, B-6

Events pane

button functions 7-29

configuring 7-30

described 7-29

field descriptions 7-29

Event Store

clearing events 2-24

data structures A-7

described A-2

examples A-6

responsibilities A-6

timestamp A-6

event types C-63

event variables

configuring 7-11

example 7-10

Event Variables pane

button functions 7-10

configuring 7-11

described 7-9

field descriptions 7-10

Event Viewer page

button functions 7-30

field descriptions 7-30

F

fail-over testing 3-8

Flood engine described B-11

Flood Host engine parameters (table) B-11

Flood Net engine parameters (table) B-12

G

general settings described 7-26

General Settings pane

configuring 7-28

user roles 7-27

generating a diagnostics report 10-11

Global Variables pane

button functions 4-4

described 4-4

field descriptions 4-4

user roles 4-4

H

H.225.0 protocol B-20

H.323 protocol B-20

hardware bypass

configuration restrictions 3-8

IPS-4260 3-7

with software bypass 3-7

help

question mark A-29

using A-29

HTTP deobfuscation

ASCII normalization 6-33, B-22

described 6-33, B-22

hw-module module 1 reset command C-45

I

IDAPI

communications A-3, A-30

described A-3, A-30

functions A-30

illustration A-30

responsibilities A-30

IDCONF

described A-33

example A-33

RDEP2 A-33

XML A-33

IDIOM

defined A-33

messages A-33

IDM

advisory 1-1

certificates 1-15

clear Java cache C-36

cookies 1-15

cryptographic products 1-1

error message Analysis Engine is busy C-37

GUI 1-2

introducing 1-2

Java Plug-in 1-3, C-34

logging in 1-13, 1-14

memory 1-3, C-34

prerequisites 1-13

Signature Wizard unsupported signature engines 6-1, 6-22

system requirements 1-2

TLS and SSL 1-15

user interface 1-2

validating

Internet Explorer certificate fingerprints 1-16

Mozilla certificate fingerprints 1-18

Netscape certificate fingerprints 1-17

web browsers 1-2

IDM will not load clear Java cache C-36

IDS-4215

BIOS upgrade 13-17

reimaging 13-15

ROMMON upgrade 13-17

upgrading

BIOS 13-17

ROMMON 13-17

IDS-4260 installing system image 13-22

IDSM-2

configuring

maintenance partition (Catalyst Software) 13-30

maintenance partition (Cisco IOS) 13-34

installing

system image (Catalyst software) 13-28

system image (Cisco IOS software) 13-29

reimaging described 13-27

time sources 2-19

upgrading

maintenance partition (Catalyst software) 13-37

maintenance partition (Cisco IOS software) 13-38

IDSM-2 command and control port C-42

IDSM-2 not online C-42

initialization verification 1-10

initializing the sensor 1-4, 1-5, 2-1

inline VLAN pairs

described 3-3

supported sensors 3-3

installer major version described 12-6

installer minor version described 12-6

installing

license key 12-13

sensor license 1-22, 12-11

system image

IDS-4260 13-22

IDSM-2 (Catalyst software) 13-28

IDSM-2 (Cisco IOS software) 13-29

IPS-4240 13-19

InterfaceApp described A-2

interface pairs

configuring 3-16

described 3-15

Interface Pairs pane

button functions 3-15

configuring 3-16

described 3-15

field descriptions 3-15

interfaces

configuration restrictions 3-5

configuring 3-14

Interfaces pane

button functions 3-12

configuring 3-14

described 3-10

field descriptions 3-12

interface support (table) 3-4

Internet Explorer certificate fingerprints validation 1-16

IP fragment reassembly

described 5-36

parameters (table) 5-36

signatures (table) 5-36

IP logging

described 5-42, 11-11

event actions 11-12

system performance 11-12

IP Logging pane

button functions 11-13

configuring 11-14

described 11-12

field descriptions 11-13

user roles 11-12

IP logs

circular buffer 11-12

Ethereal 11-12

states 11-11

TCP Dump 11-12

viewing 11-14

IPS

external communications A-31

internal communications A-30

IPS-4240

installing system image 13-19

ROMMON 13-11

IPS-4255

installing system image 13-19

ROMMON 13-11

IPS-4260

hardware bypass 3-7

reimaging 13-22

IPS applications

summary A-36

table A-36

XML format A-2

IPS data

types A-7

XML document A-8

IPS events

listed A-8

types A-8

IPS software

application list A-2

available files 12-1

configuring device parameters A-4

directory structure A-35

Linux OS A-1

new features A-3

obtaining 12-1

platform-dependent release examples 12-7

retrieving data A-4

security features A-4

tuning signatures A-4

updating A-4

user interaction A-4

versioning scheme 12-3

IPS software file names

major updates (illustration) 12-3

minor updates (illustration) 12-3

patch releases (illustration) 12-3

service packs (illustration) 12-3

J

Java Plug-in

Linux 1-4, C-35

Solaris 1-4, C-35

Windows 1-3, C-34, C-35

K

Known Host Keys pane

button functions 2-11

configuring 2-12

described 2-11

field descriptions 2-11

L

license key

installing 12-13

status 1-19

licensing

described 1-19, 12-9

IPS device serial number 1-19, 12-9

Licensing pane

button functions 1-21

configuring 1-22, 12-11

described 1-19, 12-9

field descriptions 1-21

user roles 1-21

limitations for concurrent CLI sessions 1-13

listings UNIX-style 13-8

LogApp

described A-2, A-18

functions A-18

syslog messages A-19

logging in

IDM 1-14

terminal servers 13-14

LOKI protocol B-37

M

MainApp

applications A-5

described A-2

host statistics A-5

responsibilities A-5

show version command A-5

maintenance partition

configuring (Catalyst Software) 13-30

configuring (Cisco IOS) 13-34

described A-3

major updates described 12-3

manual block to bogus host C-21

master blocking sensor described 8-31

Master Blocking Sensor pane

button functions 8-32

configuring 8-33

described 8-31

field descriptions 8-32

Master engine

alert frequency B-5

alert frequency parameters (table) B-5

defined B-3

event actions B-6

general parameters (table) B-4

promiscuous delta B-5

universal parameters B-4

MBS not set up properly C-23

memory and IDM 1-3, C-34

Meta engine

described 5-43, B-12

parameters (table) B-13

Meta Event Generator described 7-26

MIBs supported 9-7

minor updates described 12-4

Miscellaneous pane

button functions 5-26

configuring

application policy 5-34

IP fragment reassembly 5-38

IP logging 5-43

TCP stream reassembly 5-42

described 5-25

field descriptions 5-26

user roles 5-26

modes

bypass 3-2, 3-20

inline 3-3

monitoring

events 7-30

Viewer privileges A-28

Mozilla certificate fingerprints validation 1-18

Multi String engine described B-13

N

Netscape certificate fingerprints validation 1-17

Network Access Controller functions A-11

Network Blocks pane

button functions 8-39, 11-6

configuring 8-40, 11-7

described 8-39, 11-6

field descriptions 8-39, 11-6

user roles 8-39, 11-6

Network pane

button functions 2-2

configuring 2-3

described 2-2

field descriptions 2-2

TLS/SSL 2-3

user roles 2-2

Network Time Protocol see NTP

never block

hosts 8-6

networks 8-6

NM-CIDS

bootloader 13-25

reimaging 13-25

system image file 13-25

time sources 2-20

Normalizer engine

described B-15

IP fragment reassembly B-15

parameters (table) B-16

TCP stream reassembly B-15

NotificationApp

alert information A-8

described A-2

functions A-8

SNMP gets A-8

SNMP traps A-8

statistics A-10

system health information A-9

NTP

described 2-19

time synchronization 2-19

O

obtaining

cryptographic account 12-2

IPS software 12-1

Operator privileges A-27

output

clearing current line A-30

displaying A-30

P

partitions

application A-3

maintenance A-3

recovery A-3

passwords and the service account 1-5

patch releases described 12-4

physical connectivity issues C-10

platforms and concurrent CLI sessions 1-13

Post-Block ACLs 8-22, 8-24

Pre-Block ACLs 8-22, 8-24

prerequisites for blocking 8-4

prompt default input A-29

protocols for the Custom Signature Wizard 6-5

Q

Q.931 protocol

described B-20

SETUP messages B-20

R

rate limiting

ACLs 8-23

described 8-3, 11-8

routers 8-3, 11-8

service policies 8-23

supported signatures 8-4, 11-8

Rate Limits pane

button functions 8-12, 11-9

configuring 8-13, 11-10

described 8-12

field descriptions 8-12, 11-9

user roles 8-12

RDEP2

described A-31

functions A-31

messages A-31

responsibilities A-31

rebooting the sensor 10-6

Reboot Sensor pane

button functions 10-6

configuring 10-6

described 10-6

user roles 10-6

recall

help and tab completion A-29

using A-29

recover command 13-11

recovering

AIP-SSM C-46

application partition image 13-11

recovery/upgrade CD 13-24

recovery partition

described A-3

upgrading 13-5

reimaging

appliance 13-11

described 13-1

IDS-4215 ROMMON 13-15

IDS-4260 13-22

IDSM-2 13-27

IPS-4260 ROMMON 13-22

NM-CIDS 13-25

sensors 13-1

removing the last applied upgrade 13-10

reset not occurring for a signature C-30

resetting AIP-SSM C-45

Restore Defaults pane

button functions 10-5

configuring 10-5

described 10-4

user roles 10-4

restoring defaults 10-5

retrieving events through RDEP2 (illustration) A-31

risk rating see RR

ROMMON

described 13-13

IDS-4215 13-15

remote sensors 13-13

serial console port 13-13

TFTP 13-13

round-trip time see RTT

Router Blocking Device Interfaces pane

button functions 8-25

configuring 8-26

described 8-23

field descriptions 8-25

RPC portmapper B-27

RR

calculating 7-2

example 7-9

RTT

described 13-13

TFTP limitation 13-13

S

scheduling automatic upgrades 13-7

SDEE

defined A-34

HTTP A-34

protocol A-34

SDEE Server requests A-34

SEAF

described 7-4, A-24

parameters 7-4, A-24

SEAO described 7-4, A-24

SEAP

alarm channel 7-4, A-24

components 7-4, A-24

described A-22

figure A-24

flow of signature events 7-5, A-24

function 7-4, A-24

illustration 7-5

security and SSH 2-7

security information on Cisco Security Center 12-14

sending commands through RDEP2 (illustration) A-32

sensor

blocking itself 8-7

diagnostics report 10-11

initializing 2-1

license 12-11

rebooting 10-6

restoring defaults 10-5

setting up 2-1

shutting down 10-7

statistics 10-13

system information 10-14

updating 10-3, 10-9

SensorApp

Alarm Channel A-23

Analysis Engine A-23

described A-3

event action filtering A-27

hold down timer A-26

inline packet processing A-25

IP normalization A-26

new features A-25

packet flow A-23

processors A-22

responsibilities A-22

RR A-26

SEAP A-22

TCP normalization A-26

sensor interfaces described 3-1

Sensor Key pane

button functions 2-14

described 2-14

field descriptions 2-14

sensor SSH key

displaying 2-14

generating 2-14

user roles 2-14

sensor not seeing packets C-13

sensor process not running C-9

sensors

downgrading 13-10

initializing 1-4, 1-5, 2-1

interface support 3-4

license 1-22

NTP time synchronization 2-19

partitions A-3

recovering the system image 12-8

reimaging 12-8, 13-1

setup command 1-4, 1-5, 2-1

time sources 2-19

Server Certificate pane

button functions 2-18

certificate

displaying 2-18

generating 2-18

described 2-17

field descriptions 2-18

user roles 2-18

service account

described A-28

privileges A-28

TAC A-28

troubleshooting A-28

Service DNS engine

described B-17

parameters (table) B-17

Service FTP engine

described B-18

parameters (table) B-18

Service Generic engine

described B-19

parameters (table) B-19

Service H225 engine

ASN.1 PER validation B-21

described B-20

features B-21

parameters (table) B-21

TPKT validation B-21

Service HTTP engine

custom signature 6-34

described 6-33, B-22

example signature 6-34

parameters (table) B-23

Service IDENT engine

described B-24

parameters (table) B-24

Service MSRPC engine

DCE/RPC protocol B-25

described B-25

parameters (table) B-25

Service MSSQL engine

described B-26

MSSQL protocol B-26

parameters (table) B-26

Service NTP engine

described B-26

parameters (table) B-26

service packs described 12-4

Service privileges A-28

service role 2-25, A-28

Service RPC engine

described B-27

parameters (table) B-27

RPC portmapper B-27

Service SMB engine

described B-28

parameters (table) B-28

Service SNMP engine

described B-29

parameters (table) B-30

Service SSH engine

described B-30

parameters (table) B-30

setting up a terminal server 13-14

setting up the sensor 2-1

setup command 1-4, 1-5, 2-1

SFR

calculating 7-2

described 7-2

show events command C-63, C-64

show interfaces command C-62

show module 1 details command C-45

show statistics command C-53

show statistics virtual-sensor command C-53

show tech-support command

described C-47

options C-47

output C-49

show version command C-50

Shut Down Sensor pane

button functions 10-7

configuring 10-7

described 10-7

user roles 10-7

shutting down the sensor 10-7

signature/virus update files described 12-5

Signature Configuration pane

assigning actions 5-22

button functions 5-6

described 5-5

field descriptions 5-6

signatures

activating 5-22

adding 5-17

cloning 5-19

disabling 5-21

enabling 5-21

retiring 5-22

tuning 5-20

signature engines

AIC 5-27, B-8

Atomic B-10

Atomic ARP B-10

Atomic IP B-11

creating custom signatures 6-2

defined B-1

Flood B-11

Flood Host B-11

Flood Net B-12

list B-1

Meta 5-43, B-12

Multi String B-13

Normalizer B-15

not supported by IDM 6-1, 6-22

Service DNS B-17

Service FTP B-18

Service Generic B-19

Service H225 B-20

Service HTTP 6-33, B-22

Service IDENT B-24

Service MSRPC B-25

Service MSSQL B-26

Service NTP engine B-26

Service RPC B-27

Service SMB B-28

Service SNMP B-29

Service SSH engine B-30

State B-31

String 6-28, B-32

Sweep B-35

Traffic ICMP B-36

Trojan B-37

signature engine update files described 12-5

Signature Event Action Processor see SEAP

signature fidelity rating see SFR

signatures

custom 5-2

default 5-1

described 5-1

false positives 5-1

rate limits 8-4, 11-8

subsignatures 5-1

tuned 5-1

signature variables described 5-2

Signature Variables pane

button functions 5-3

configuring 5-4

field descriptions 5-3

Signature Wizard unsupported signature engines 6-1, 6-22

SNMP

configuring 9-3

described 9-1

Get 9-1

GetNext 9-1

Set 9-1

supported MIBs 9-7

Trap 9-1

SNMP General Configuration pane

button functions 9-2

configuring 9-3

described 9-2

field descriptions 9-2

user roles 9-2

SNMP traps

configuring 9-6

described 9-1

SNMP Traps Configuration pane

button functions 9-5

configuring 9-6

described 9-4

field descriptions 9-5

software architecture

ARC (illustration) A-12

IDAPI (illustration) A-30

RDEP2 (illustration) A-32

software bypass with hardware bypass 3-7

software downloads Cisco.com 12-1

software file names

recovery (illustration) 12-5

signature/virus updates (illustration) 12-4

signature engine updates (illustration) 12-5

system image (illustration) 12-5

software release examples

platform-dependent 12-7

platform identifiers 12-7

platform-independent 12-6

SPAN port issues C-10

SSH

security 2-7

understanding 2-7

SSH Server

private keys A-20

public keys A-20

State engine

Cisco Login B-31

described B-31

LPR Format String B-31

parameters (table) B-31

SMTP B-31

Statistics pane

button functions 10-13

described 10-12

user roles 10-13

using 10-13

statistics viewing 10-13

String engine described 6-28, B-32

String ICMP engine parameters (table) B-33

String TCP engine

custom signature 6-29

parameters (table) B-33

String TCP example signature 6-29

String UDP engine parameters (table) B-34

summarization

described 7-3

Fire All 7-4

Fire Once 7-4

Global Summarization 7-4

Meta engine 7-3

Summary 7-4

Summarizer described 7-26

Summary pane

button functions 3-9

described 3-9

field descriptions 3-9

Sweep engine

described B-35

parameters (table) B-35

switch commands for troubleshooting C-39

syntax and case sensitivity A-30

system architecture

directory structure A-35

supported platforms A-1

system components IDAPI A-31

system design (illustration) A-1

system information display 10-14

System Information pane

button functions 10-14

described 10-13

user roles 10-14

using 10-14

system requirements for IDM 1-2

T

tab completion use A-29

TAC

service account A-28

show tech-support command C-47

Target Value Rating pane

button functions 7-13

configuring 7-14

field descriptions 7-13

target value rating see TVR

TCP reset interface conditions 3-10, 3-11

TCP stream reassembly

described 5-38

parameters (table) 5-38

signatures (table) 5-38

terminal server setup 13-14

testing fail-over 3-8

TFN2K protocol B-36

TFTP and RTT 13-13

TFTP servers

recommended 13-13

UNIX 13-13

Windows 13-13

time correction on the sensor 2-24

Time pane

button functions 2-21

configuring 2-23

described 2-19

field descriptions 2-21

user roles 2-21

time sources

AIP-SSM 2-20

appliances 2-19

IDSM-2 2-19

NM-CIDS 2-20

TLS

certificates 1-15

described 1-15, 2-3

handshaking 1-15

traffic flow notification configuration 3-22

Traffic Flow Notifications pane

button functions 3-22

configuring 3-22

described 3-22

field descriptions 3-22

user roles 3-22

Traffic ICMP engine

DDOS B-36

described B-36

LOKI B-36

parameters (table) B-37

TFN2K B-36

Transport Layer Security see TLS

Tribe Flood Net 2000 protocol B-36

Trojan engine

BO2K B-37

described B-37

TFN2K B-37

troubleshooting

accessing files on FTP site C-67

access list misconfiguration C-7

AIP-SSM

commands C-45

debugging C-46

recovering C-46

reset C-45

Analysis Engine busy C-37

automatic update C-32

blocking not occurring for signature C-22

cannot access sensor C-5

cidDump script C-67

cidLog messages to syslog C-29

communication C-4

corrupted SensorApp configuration C-15

debug logger zone names (table) C-28

device access issues C-19

disaster recovery C-2

duplicate IP address C-7

enabling debug logging C-24

false positive alerts C-16

faulty DIMMs C-15

gathering information C-47

IDM cannot access sensor C-37

IDM will not load C-36

IDSM-2

command and control port C-42

diagnosing problems C-39

not online C-42

serial cable C-44

switch commands C-39

TCP reset port C-44

IPS and PIX devices C-4

manual block to bogus host C-21

MBS not set up properly C-23

normalizer inline mode C-4

NTP C-30

physical connectivity issues C-10

preventive maintenance C-1

reset not occurring for a signature C-30

sensor events C-63

sensor not seeing packets C-13

sensor process not running C-9

show events command C-63

show interfaces command C-61, C-62

show statistics command C-52, C-53

show tech-support command C-47

show tech-support command output C-49

show version command C-50

software upgrades C-32

IDS-4235 C-32

IDS-4250 C-32

on sensor C-33

SPAN port issue C-10

unable to see alerts C-11

uploading files to FTP site C-67

using debug logging C-24

Trusted Hosts pane

button functions 2-16

configuring 2-16

described 2-15

field descriptions 2-16

TVR

configuring 7-14

described 7-2, 7-12

U

understanding

SSH 2-7

time on the sensor 2-19

UNIX-style directory listings 13-8

Update Sensor pane

button functions 10-8

configuring 10-9

described 10-8

field descriptions 10-8

user roles 10-8

updating

Cisco.com 10-8

FTP server 10-8

updating the sensor 10-9

upgrade command 13-5, 13-11

upgrading

4.1 to 5.0 12-7

maintenance partition

IDSM-2 (Catalyst software) 13-37

IDSM-2 (Cisco IOS software) 13-38

minimum required version 12-7

recovery partition 13-5, 13-11

URLs for Cisco Security Center 12-14

user roles

Administrator A-27

Operator A-27

Service A-27

Viewer A-27

Users pane

button functions 2-26

configuring 2-27

described 2-25

field descriptions 2-26

user roles 2-25

using

debug logging C-24

TCP reset interface 3-10, 3-11

V

VACLs

described 8-3

Post-Block 8-27

Pre-Block 8-27

verifying

sensor initialization 1-10

sensor setup 1-10

Viewer privileges A-28

viewing

IP logs 11-14

statistics 10-13

system information 10-14

virtual sensor interface assignment 4-3

Virtual Sensor pane

button functions 4-2

configuring 4-3

described 4-1

field descriptions 4-2

VLAN pairs configuration 3-19

VLAN Pairs pane

button functions 3-18

configuring 3-19

described 3-17

field descriptions 3-18

W

Web Server

described A-2, A-21

HTTP 1.0 and 1.1 support A-21

private keys A-20

public keys A-20

RDEP2 support A-21