Installing and Using Cisco Intrusion Prevention System Device Manager 6.1
Index

Numerics

4GE bypass interface card

configuration restrictions 4-10

described 4-10

802.1q encapsulation

VLAN groups 4-13

A

accessing IPS software 18-2

access list

misconfiguration C-24

necessary hosts 2-3

ACLs

adding 2-3

described 11-3

Post-Block 11-17, 11-18

Pre-Block 11-17, 11-18

Active Host Blocks pane

configuring 15-7

described 15-6

field descriptions 15-6

user roles 15-6

active update bulletins subscription 18-10

ad0 pane

default 9-9

described 9-9

tabs 9-9

Add ACL Entry dialog box field descriptions 2-4

Add Active Host Block dialog box field descriptions 15-6

Add Allowed Host dialog box

field descriptions 3-5

user roles 3-4

Add Authorized Key dialog box

field descriptions 10-3

user roles 10-2

Add Blocking Device dialog box

field descriptions 11-15

user roles 11-14

Add Cat 6K Blocking Device Interface dialog box

field descriptions 11-22

user roles 11-21

Add Configured OS Map dialog box field descriptions 6-20, 8-22

Add Destination Port dialog box field descriptions 9-15, 9-17, 9-23, 9-24, 9-31, 9-32

Add Device Login Profile dialog box

field descriptions 11-12

user roles 11-12

Add Event Action Filter dialog box

field descriptions 6-13, 8-15

user roles 6-12, 8-14

Add Event Action Override dialog box

field descriptions 6-10, 8-12

user roles 6-10, 8-12

Add Event Variable dialog box

field descriptions 6-23, 8-25

user roles 6-23, 6-25, 8-24

Add External Product Interface dialog box

field descriptions 13-6

user roles 13-5

Add Histogram dialog box field descriptions 9-16, 9-17, 9-24, 9-25, 9-31, 9-32

adding

ACLs 2-3

active host blocks 15-7

a host never to be blocked 11-11

anomaly detection policies 9-9

CSA MC interfaces 13-7

denied attackers 15-5

event action filters 6-14, 8-15

event action overrides 8-12

event action rules policies 8-10

event variables 6-24, 8-25

external product interfaces 13-7

network blocks 15-9

OS maps 6-21, 8-22

risk categories 6-26, 8-27

signature definition policies 5-2

signatures 5-12

signature variables 5-26

target value rating 6-17, 8-18

virtual sensors 2-12, 6-10

Add Inline VLAN Pair dialog box field descriptions 2-10, 4-20

Add Interface Pair dialog box field descriptions 4-18

Add IP Logging dialog box field descriptions 15-13

Add Known Host Key dialog box

field descriptions 10-5

user roles 10-4

Add Master Blocking Sensor dialog box

field descriptions 11-25

user roles 11-24

Add Network Block dialog box field descriptions 15-9

Add Never Block Address dialog box

field descriptions 11-10

user roles 11-7

Add Policy dialog box field descriptions 5-2, 8-10, 9-8

Add Posture ACL dialog box field descriptions 13-7

Add Protocol Number dialog box field descriptions 9-18, 9-25, 9-33

Add Rate Limit dialog box

field descriptions 15-11

user roles 15-10

Address Resolution Protocol see ARP

Add Risk Level dialog box field descriptions 6-26, 8-27

Add Router Blocking Device Interface dialog box

field descriptions 11-19

user roles 11-16

Add Signature dialog box field descriptions 5-7

Add Signature Variable dialog box

field descriptions 5-26

user roles 5-26

Add SNMP Trap Destination dialog box field descriptions 12-4

Add Target Value Rating dialog box

field descriptions 6-16, 8-18

user roles 6-16, 8-17

Add Trusted Host dialog box

field descriptions 10-10

user roles 10-9

Add User dialog box

field descriptions 3-17

user roles 3-16

Add Virtual Sensor dialog box

described 2-12, 6-9

field descriptions 2-12, 6-9

Add VLAN Group dialog box field descriptions 4-22

Advanced Alert Behavior Wizard

Alert Dynamic Response Fire All window field descriptions 7-26

Alert Dynamic Response Fire Once window field descriptions 7-27

Alert Dynamic Response Summary window field descriptions 7-27

Alert Summarization window field descriptions 7-26

Event Count and Interval window field descriptions 7-25

Global Summarization window field descriptions 7-28

AIC engine

AIC FTP B-8

AIC HTTP B-8

described B-8

features B-8

signature categories 5-30

signatures (example) 5-38

AIC FTP engine parameters (table) B-9

AIC HTTP engine parameters (table) B-8

AIC policy configuration 5-37

AIC policy enforcement

default configuration 5-31, B-8

described 5-30, B-7

sensor oversubscription 5-31, B-8

AIM-IPS

initializing 16-12

installing system image 19-23

logging in 17-4

session command 17-4

sessioning 17-3, 17-4

setup command 16-12

time sources 3-7, C-14

AIP-SSM

bypass mode 4-25

initializing 16-15

installing system image 19-26

logging in 17-6

password recovery 14-6, C-10

recovering C-64

reimaging 19-26

resetting C-63

session command 17-6

setup command 16-15

time sources 3-8, C-15

Alarm Channel described 8-6, A-25

alert and log actions (list) 8-7

alert behavior normal 7-25

alert frequency

aggregation 5-20

configuring 5-20

controlling 5-20

modes B-5

Allowed Hosts/Networks pane

configuring 3-5

described 3-4

field descriptions 3-5

alternate TCP reset interface configuration restrictions 4-8

Analysis Engine

described 6-2

error messages C-21

IDM exits C-54

virtual sensors 6-2

anomaly detection

asymmetric environment 9-2, 9-37

caution 9-2, 9-37

configuration sequence 9-4

default configuration (example) 9-4

described 9-2

detect mode 9-3

disabling C-18

event actions 9-6, B-44

inactive mode 9-3

learning process 9-3

limiting false positives 9-12, 15-16

protocols 9-2

signatures 9-6

signatures (table) 9-6, B-45

turning off 9-37

worm attacks 9-12, 15-16

worms 9-2

zones 9-4

Anomaly Detection pane

button functions 15-16

field descriptions 15-16

overview 15-15

user roles 15-15

anomaly detection policies

ad0 9-8

adding 9-9

cloning 9-9

default policy 9-8

deleting 9-9

user roles 9-8

Anomaly Detections pane

described 9-8

field descriptions 9-8

user roles 9-8

appliances

application partition image 19-12

GRUB menu 14-4, C-8

initializing 16-7

logging in 17-1

password recovery 14-4, C-8

terminal servers

described 17-2, 19-14

setting up 17-2, 19-14

time sources 3-6, C-13

upgrading recovery partition 19-5

Application Inspection and Control see AIC

application partition

described A-3

image recovery 19-12

application policy enforcement

described 5-30, B-7

disabled (default) 5-31

applications and XML format A-2

applying software updates C-51

ARC

ACLs 11-18, A-13

authentication A-14

blocking

application 11-2

connection-based A-16

not occurring for signature C-40

unconditional blocking A-16

block response A-13

Catalyst 6000 series switch

VACL commands A-18

VACLs A-18

Catalyst switches

VACLs A-15

VLANs A-15

checking status 11-3, 11-4

described A-2

design 11-2

device access issues C-37

enabling SSH C-40

features A-13

firewalls

AAA A-17

connection blocking A-17

NAT A-18

network blocking A-17

postblock ACL A-15

preblock ACL A-15

shun command A-17

TACACS+ A-18

formerly Network Access Controller 11-1, 11-3

functions 11-2

illustration A-12

inactive state C-36

interfaces A-13

maintaining states A-16

managed devices 11-7

master blocking sensors A-13

maximum blocks 11-2

misconfigured MBS C-41

nac.shun.txt file A-16

NAT addressing A-14

number of blocks A-14

postblock ACL A-15

preblock ACL A-15

prerequisites 11-5

rate limiting 11-4

responsibilities A-12

single point of control A-14

SSH A-13

supported devices 11-5, A-15

Telnet A-13

troubleshooting C-34

VACLs A-13

verifying device interfaces C-39

verifying status C-35

ARP

Layer 2 signatures B-10

protocol B-10

ARP spoof tools

dsniff B-10

ettercap B-10

Assign Actions dialog box

button functions 5-9

field descriptions 5-9

assigning actions to signatures 5-16

asymmetric environment and anomaly detection 9-2, 9-37

asymmetric traffic and disabling anomaly detection C-18

Atomic ARP engine

described B-10

parameters (table) B-10

Atomic IP engine

described 7-14, B-10

parameters (table) B-10

Atomic IPv6 engine

described B-11

Neighborhood Discovery protocol B-11

signatures B-11

signatures (table) B-12

attack relevance rating

calculating risk rating 6-5, 8-3

described 6-5, 6-18, 8-3, 8-20

Attack Response Controller

described A-2

formerly known as Network Access Controller A-2

See ARC

attack severity rating

calculating risk rating 6-5, 8-3

described 6-5, 8-3

authenticated NTP 3-7, 3-8, 3-14, C-14, C-15

AuthenticationApp

authenticating users A-20

described A-3

login attempt limit A-20

method A-20

responsibilities A-19

secure communications A-20

sensor configuration A-19

Authorized Keys pane

configuring 10-3

described 10-2

field descriptions 10-2

RSA authentication 10-2

RSA key generation tool 10-3

Auto/Cisco.com Update pane

configuring 14-18

field descriptions 14-17

automatic setup 16-1

automatic updates

Cisco.com 14-15

servers

FTP 14-15

SCP 14-15

troubleshooting C-51

automatic upgrade

examples 19-10

information required 19-6

autonegotiation and hardware bypass 4-11

Auto Update and UNIX-style directory listings 14-16

Auto Update pane

button functions 14-17

described 14-15

field descriptions 14-17

user roles 14-15

auto-upgrade-option command 19-6

B

backing up

configuration C-2

current configuration C-4

BackOrifice 2000 see BO2K

BackOrifice see BO

basic setup 16-3

blocking

described 11-2

disabling 11-8

master blocking sensor 11-24

necessary information 11-3

not occurring for signature C-40

prerequisites 11-5

supported devices 11-5

types 11-2

Blocking Devices pane

configuring 11-15

described 11-14

field descriptions 11-14

ssh host-key command 11-15

Blocking Properties pane

adding a host never to be blocked 11-11

configuring 11-9

described 11-7

field descriptions 11-8

BO

described B-47

Trojans B-47

BO2K

described B-47

Trojans B-47

bypass mode

AIP-SSM 4-25

described 4-24

Bypass pane field descriptions 4-25

C

calculating risk rating

attack relevance rating 6-5, 8-3

attack severity rating 6-5, 8-3

promiscuous delta 6-5, 8-3

signature fidelity rating 6-5, 8-3

target value rating 6-5, 8-3

watch list rating 6-5, 8-3

cannot access sensor C-22

Cat 6K Blocking Device Interfaces pane

configuring 11-23

described 11-21

field descriptions 11-22

CDP described 4-27

CDP Mode pane

configuring 4-27

field descriptions 4-27

certificates

displaying 10-11

Firefox 1-7

generating 10-11

IDM 1-6, 10-8

Internet Explorer 1-7

changing Microsoft IIS to UNIX-style directory listings 14-16

cidDump and obtaining information C-87

CIDEE

defined A-33

example A-33

IPS extensions A-33

protocol A-33

supported IPS events A-33

cisco

default password 17-1

default username 17-1

Cisco.com

accessing software 18-2

Active Update Bulletins 18-10

downloading software 18-1

IPS software 18-1, 18-3

software downloads 18-1

Cisco IOS and rate limiting 11-4

Cisco IPS 6.1 files 19-3

Cisco IPS software new features A-3

Cisco Security Center

described 18-9

URL 18-9

Cisco Services for IPS

service contract 1-9, 14-10

supported products 1-9, 14-10

clear events command 3-12, 3-16, 15-4, C-16, C-87

Clear Flow States pane described 15-27

clearing

events 3-16, 15-4, C-87

flow states 15-27

statistics C-73

clear password command 14-5, 14-7, C-9, C-11

CLI described A-3, A-27

clock set command 3-15

Clone Event Action Rules dialog box field descriptions 8-10

Clone Policy dialog box field descriptions 5-2, 9-8

Clone Signature dialog box field descriptions 5-7

cloning

anomaly detection policies 9-9

event action rules policies 8-10

signature definition policies 5-2

signatures 5-14

command and control interface

described 4-2

list 4-2

commands

auto-upgrade-option 19-6

clear events 3-12, 3-16, 15-4, C-16, C-87

clear password 14-5, 14-7, C-9, C-11

clock set 3-15

copy backup-config C-3

copy current-config C-3

debug module-boot C-64

downgrade 19-11

hw-module module 1 reset C-63

hw-module module slot_number password-reset 14-6, C-10

session 17-4, 17-9

setup 3-1, 16-1, 16-3, 16-7, 16-12, 16-15, 16-20, 16-24

show events C-84

show health C-66

show module 1 details C-63

show settings 14-9, C-12

show statistics C-73

show statistics virtual-sensor C-21, C-73

show tech-support C-67

show version C-70

upgrade 19-3, 19-5

Compare Knowledge Bases dialog box field descriptions 15-19

comparing KBs 15-19, 15-20

configuration files

backing up C-2

merging C-2

configuration restrictions

alternate TCP reset interface 4-8

inline interface pairs 4-8

inline VLAN pairs 4-8

interfaces 4-8

physical interfaces 4-8

VLAN groups 4-9

Configured OS Map dialog box user roles 6-19, 8-19

Configure Summertime dialog box field descriptions 2-4, 3-10

configuring

active host blocks 15-7

AIC policy parameters 5-37

allowed hosts 3-5

allowed networks 3-5

application policy 5-38

authorized keys 10-3

automatic upgrades 19-8

blocking devices 11-15

blocking properties 11-9

Cat 6K blocking device interfaces 11-23

CDP Mode 4-27

CSA MC for IPS interfaces 13-4

device login profiles 11-13

event action filters 6-14, 8-15

events 15-3

event variables 6-24, 8-25

external zone 9-33

general settings 6-28, 8-30

illegal zone 9-26

inline VLAN pairs 2-10

interface pairs 4-18

interfaces 4-16

internal zone 9-18

IP fragment reassembly signatures 5-41

IP logging 15-14

known host keys 10-6

learning accept mode 9-13

maintenance partition

IDSM-2 (Catalyst software) 19-30

IDSM-2 (Cisco IOS software) 19-34

master blocking sensor 11-25

network blocks 15-9

network settings 3-3

NTP servers 3-13

operation settings 9-10

OS maps 6-21, 8-22

rate limiting 15-11

rate limiting devices 11-15

risk categories 6-26, 8-27

router blocking device interfaces 11-20

Sensor Setup window 2-4

sensor to use NTP 3-14

SNMP 12-3

SNMP traps 12-5

target value rating 6-17, 8-18

TCP fragment reassembly parameters 5-49

time 3-10

traffic flow notifications 4-26

trusted hosts 10-10

upgrades 19-4

users 3-18

VLAN groups 4-23

VLAN pairs 4-20

control transactions

characteristics A-8

request types A-8

cookies and IDM 1-5

copy backup-config command C-3

copy current-config command C-3

correcting time on the sensor 3-12, C-16

creating

custom signatures

not using signature engines 7-3

Service HTTP 7-16

String TCP 7-21

using signature engines 7-1

Post-Block VACLs 11-21

Pre-Block VACLs 11-21

service account C-5

cryptographic account

Encryption Software Export Distribution Authorization from 18-2

obtaining 18-2

cryptographic features and IDM 1-1

cryptographic products and IDM 1-1

CSA MC

adding interfaces 13-7

configuring IPS interfaces 13-4

host posture events 13-1, 13-3

quarantined IP address events 13-1

supporting IPS interfaces 13-3

CtlTransSource

described A-2, A-11

illustration A-11

current configuration backup C-2

current KB settings 15-21

custom signatures described 5-5

Custom Signature Wizard

Alert Response window field descriptions 7-25

Atomic IP Engine Parameters window field descriptions 7-14

described 7-1

ICMP Traffic Type window field descriptions 7-13

Inspect Data window field descriptions 7-13

MSRPC Engine Parameters window field descriptions 7-12

no signature engine sequence 7-3

protocols 7-11

Protocol Type window field descriptions 7-11

Service HTTP Engine Parameters window field descriptions 7-15

Service RPC Engine Parameters window field descriptions 7-18

Service Type window field descriptions 7-13

signature engine sequence 7-1

signature identification 7-11

Signature Identification window field descriptions 7-12

State Engine Parameters window field descriptions 7-19

String ICMP Engine Parameters window field descriptions 7-20

String TCP Engine Parameters window field descriptions 7-20

String UDP Engine Parameters window field descriptions 7-23

Sweep Engine Parameters window field descriptions 7-24

TCP Sweep Type window field descriptions 7-14

TCP Traffic Type window field descriptions 7-13

UDP Sweep Type window field descriptions 7-13

UDP Traffic Type window field descriptions 7-13

Welcome window field descriptions 7-11

D

data structures (examples) A-7

DDoS

protocols B-46

Stacheldraht B-46

TFN B-46

debug logging enabling C-43

debug-module-boot command C-64

default

KB filename 9-11

password 17-1

policies (ad0) 9-8

policies (rules0) 8-10

policies (sig0) 5-2

username 17-1

virtual sensor (vs0) 6-2

defaults restoring 14-22

deleting

anomaly detection policies 9-9

event action filters 6-14, 8-15

event action overrides 8-12

event action rules policies 8-10

event variables 6-24, 8-25

imported OS values 15-26

KBs 15-22

learned OS values 15-25

OS maps 6-21, 8-22

risk categories 6-26, 8-27

signature definition policies 5-2

signature variables 5-26

target value rating 6-17, 8-18

virtual sensors 6-10

Denial of Service see DoS

denied attackers

adding 15-5

clearing list 15-5

hit count 15-4

resetting hit counts 15-5

Denied Attackers pane

described 15-4

field descriptions 15-4

user roles 15-4

using 15-5

deny actions (list) 8-8

detect mode and anomaly detection 9-3

device access issues C-37

Device Login Profiles pane

configuring 11-13

described 11-12

field descriptions 11-12

devices 11-15

Diagnostics Report pane

button functions 15-29

described 15-29

user roles 15-29

using 15-29

diagnostics reports 15-29

Differences between knowledge bases KB_Name and KB_Name window field descriptions 15-19

disabling

anomaly detection C-18

blocking 11-8

interfaces 4-16

password recovery 14-8, C-12

disaster recovery C-6

displaying

events C-85

health status C-66

password recovery setting 14-9, C-12

statistics C-73

tech support information C-67

version C-70

Distributed Denial of Service see DDoS

DoS tools stick B-5

downgrade command 19-11

downgrading sensors 19-11

downloading

KBs 15-23

software 18-1

Download Knowledge Base From Sensor dialog box

described 15-23

field descriptions 15-23

duplicate IP addresses C-25

E

Edit Actions dialog box field descriptions 5-9

Edit Allowed Host dialog box

field descriptions 3-5

user roles 3-4

Edit Authorized Key dialog box

field descriptions 10-3

user roles 10-2

Edit Blocking Device dialog box

field descriptions 11-15

user roles 11-14

Edit Cat 6K Blocking Device Interface dialog box

field descriptions 11-22

user roles 11-21

Edit Configured OS Map dialog box field descriptions 6-20, 8-22

Edit Destination Port dialog box field descriptions 9-15, 9-17, 9-23, 9-24, 9-31, 9-32

Edit Device Login Profile dialog box

field descriptions 11-12

user roles 11-12

Edit Event Action Filter dialog box

field descriptions 6-13, 8-15

user roles 6-12, 8-14

Edit Event Action Override dialog box

field descriptions 6-10, 8-12

user roles 6-10, 8-12

Edit Event Variable dialog box

field descriptions 6-23, 8-25

user roles 6-23, 6-25, 8-24

Edit External Product Interface dialog box

field descriptions 13-6

user roles 13-5

Edit Histogram dialog box field descriptions 9-16, 9-17, 9-24, 9-25, 9-31, 9-32

editing

event action filters 6-14, 8-15

event action overrides 8-12

event variables 6-24, 8-25

interfaces 4-17

OS maps 6-21, 8-22

risk categories 6-26, 8-27

signatures 5-15

signature variables 5-26

target value rating 6-17, 8-18

virtual sensors 6-10

Edit Inline VLAN Pair dialog box field descriptions 2-10, 4-20

Edit Interface dialog box field descriptions 4-15

Edit Interface Pair dialog box field descriptions 4-18

Edit IP Logging dialog box field descriptions 15-13

Edit Known Host Key dialog box

field descriptions 10-5

user roles 10-4

Edit Master Blocking Sensor dialog box

field descriptions 11-25

user roles 11-24

Edit Never Block Address dialog box

field descriptions 11-10

user roles 11-7

Edit Posture ACL dialog box field descriptions 13-7

Edit Protocol Number dialog box field descriptions 9-18, 9-25, 9-33

Edit Risk Level dialog box field descriptions 6-26, 8-27

Edit Router Blocking Device Interface dialog box

field descriptions 11-19

user roles 11-16

Edit Signature dialog box field descriptions 5-7

Edit Signature Variable dialog box

field descriptions 5-26

user roles 5-26

Edit SNMP Trap Destination dialog box field descriptions 12-4

Edit Target Value Rating dialog box

field descriptions 6-16, 8-18

user roles 6-16, 8-17

Edit User dialog box

field descriptions 3-17

user roles 3-16

Edit Virtual Sensor dialog box

field descriptions 6-9

user roles 6-9

Edit VLAN Group dialog box field descriptions 4-22

enabling

debug logging C-43

event action filters 6-14, 8-15

event action overrides 8-12

interfaces 4-16

Encryption Software Export Distribution Authorization form

cryptographic account 18-2

described 18-2

evAlert A-8

event action filters

adding 6-14, 8-15

configuring 6-14, 8-15

deleting 6-14, 8-15

described 6-12, 8-4

editing 6-14, 8-15

enabling 6-14, 8-15

Event Action Filters tab

button functions 8-14

configuring 6-14, 8-15

described 6-13, 8-14

field descriptions 6-13, 8-14

event action overrides

adding 8-12

deleting 8-12

described 6-4, 8-4

editing 8-12

enabling 8-12

Event Action Overrides tab

described 8-12

field descriptions 8-12

event action rules

functions 8-2

understanding 8-2

Event Action Rules (rules0) pane described 8-11

Event Action Rules pane

described 8-10

field descriptions 8-10

user roles 8-10

event action rules policies

adding 8-10

cloning 8-10

deleting 8-10

events

configuring display 15-3

displaying C-85

host posture 13-2

quarantined IP address 13-2

Events pane

configuring 15-3

described 15-2

field descriptions 15-2

Event Store

clearing events 3-12, C-16

data structures A-7

described A-2

examples A-7

responsibilities A-7

timestamp A-7

event types C-84

event variables

adding 6-24, 8-25

configuring 6-24, 8-25

deleting 6-24, 8-25

editing 6-24, 8-25

example 6-23, 8-24

Event Variables tab

configuring 6-24, 8-25

described 6-23, 8-24

field descriptions 6-23, 8-24

Event Viewer window field descriptions 15-3

evError A-8

evLogTransaction A-8

evShunRqst A-8

evStatus A-8

external product interfaces

adding 13-7

described 13-1

issues 13-3, C-19

troubleshooting 13-10, C-20

trusted hosts 13-5

External Product Interfaces pane

described 13-5

field descriptions 13-5

external zone

configuring 9-33

protocols 9-30

External Zone tab

described 9-30

tabs 9-30

F

fail-over testing 4-10

false positives described 5-4

files

Cisco IPS 6.1 19-3

IDSM-2 password recovery 14-8, C-11

Firefox

certificates 1-7

validating CAs 1-7

Fixed engine described B-12

Fixed ICMP engine parameters (table) B-13

Fixed TCP engine parameters (table) B-14

Fixed UDP engine parameters (table) B-15

Flood engine described B-15

Flood Host engine parameters (table) B-16

Flood Net engine parameters (table) B-16

flow states clearing 15-27

FTP servers supported 14-15, 19-2

G

gadgets and the IDM home pane 1-2

general settings

configuring 6-28, 8-30

described 6-27, 8-28

General tab

configuring 6-28, 8-30

described 6-27, 8-28, 9-15, 9-22

enabling zones 9-15, 9-22

field descriptions 6-28, 8-29

user roles 6-27, 8-28

generating diagnostics reports 15-29

Global Variables pane field descriptions 14-15

GRUB menu password recovery 14-4, C-8

H

H.225.0 protocol B-24

H.323 protocol B-24

hardware bypass

autonegotiation 4-11

configuration restrictions 4-10

fail-over 4-10

IPS 4270-20 4-10

supported configurations 4-10

with software bypass 4-10

health status display C-66

Home pane

device information 1-2

gadgets 1-2

health information 1-2

interface status 1-2

licensing information 1-2

system resources usage 1-2

updating 1-2

host posture events

CSA MC 13-3

described 13-2

HTTP/HTTPS servers supported 14-16, 19-2

HTTP deobfuscation

ASCII normalization 7-15, B-27

described 7-15, B-27

hw-module module 1 reset command C-63

hw-module module slot_number password-reset command 14-6, C-10

I

icons

signature configuration 5-7, 5-14, 5-15, 5-20, 5-23, 5-37, 5-38, 5-41, 5-48, 5-49, 5-50, 7-7, 7-17, 7-22

IDAPI

communications A-3, A-29

described A-3

functions A-29

illustration A-30

responsibilities A-29

IDCONF

described A-32

example A-32

RDEP2 A-32

XML A-32

IDIOM

defined A-32

messages A-32

IDM

advisory 1-1

Analysis Engine is busy C-54

certificates 1-6, 10-8

cookies 1-5

cryptographic features 1-1

cryptographic products 1-1

described 1-2, 1-4

GUI 1-2

logging in 1-4

Signature Wizard unsupported signature engines 7-2

supported platforms 1-3

system requirements 1-3

TLS 1-6, 10-8

user interface 1-2

web browsers 1-2, 1-4

will not load C-53

IDSM-2

command and control port C-61

configuring

maintenance partition (Catalyst software) 19-30

maintenance partition (Cisco IOS software) 19-34

initializing 16-20

installing

system image (Catalyst software) 19-28

system image (Cisco IOS software) 19-29

logging in 17-7

password recovery 14-7, C-10

password recovery image file 14-8, C-11

reimaging 19-28

setup command 16-20

supported configurations C-57

TCP reset port C-62

time sources 3-7, C-14

upgrading

maintenance partition (Catalyst software) 19-38

maintenance partition (Cisco IOS software) 19-38

illegal zone configuration 9-26

Illegal Zone tab

described 9-22

user roles 9-22

IME time synchronization problems C-55

Imported OS pane

clearing 15-26

described 15-26

field descriptions 15-26

imported OS values

clearing 15-26

deleting 15-26

inactive mode and anomaly detection 9-3

initializing

AIM-IPS 16-12

AIP-SSM 16-15

appliances 16-7

IDSM-2 16-20

NME-IPS 16-24

sensors 3-1, 16-1, 16-3

verifying 16-27

inline interface pair mode described 4-12

inline interface pairs configuration restrictions 4-8

Inline Interface Pair window

described 2-8

Startup Wizard 2-8

inline VLAN pair mode

described 4-12

supported sensors 4-12

inline VLAN pairs

configuration restrictions 4-8

configuring 2-10

Inline VLAN Pairs window

described 2-9

field descriptions 2-9

Startup Wizard 2-9

installer major version described 18-6

installer minor version described 18-6

installing

sensor license 1-11, 14-12

system image

AIP-SSM 19-26

IDSM-2 (Catalyst software) 19-28

IDSM-2 (Cisco IOS software) 19-29

IPS-4240 19-15

IPS-4255 19-15

IPS-4260 19-18

IPS 4270-20 19-20

NME-IPS 19-39

InterfaceApp described A-2

interface pairs

configuring 4-18

described 4-17

Interface Pairs pane

configuring 4-18

described 4-17

field descriptions 4-18

interfaces

alternate TCP reset 4-2

command and control 4-2

configuration restrictions 4-8

configuring 4-16

described 2-7, 4-1

disabling 4-16

editing 4-17

enabling 4-16

logical 2-7

physical 2-7

port numbers 4-1

sensing 4-2, 4-3

slot numbers 4-1

support (table) 4-4

TCP reset 4-6

VLAN groups 4-2

Interface Selection window

described 2-8

Startup Wizard 2-8

Interfaces pane

configuring 4-16

described 4-15

field descriptions 4-15

Interface Summary window described 2-6

internal zone configuration 9-18

Internal Zone tab

described 9-14

user roles 9-14

Internet Explorer and validating certificates 1-7

IP fragmentation described B-19

IP fragment reassembly

configuring 5-40

described 5-39

mode 5-40

parameters (table) 5-39

signatures 5-41

signatures (example) 5-41

signatures (table) 5-39

IP logging

described 5-50, 15-12

event actions 15-13

system performance 15-13

IP Logging pane

configuring 15-14

described 15-13

field descriptions 15-13

user roles 15-13

IP Logging Variables pane described 14-14

IP logs

circular buffer 15-12

Ethereal 15-13

states 15-12

TCP Dump 15-13

viewing 15-14

IPS

external communications A-30

internal communications A-29

IPS-4240

installing system image 19-15

password recovery 14-5, C-8

reimaging 19-15

IPS-4255

installing system image 19-15

password recovery 14-5, C-8

reimaging 19-15

IPS-4260

installing system image 19-18

reimaging 19-18

IPS 4270-20

hardware bypass 4-10

installing system image 19-20

reimaging 19-20

IPS applications

summary A-35

table A-35

XML format A-2

IPS data

types A-8

XML document A-8

IPS events

evAlert A-8

evError A-8

evLogTransaction A-8

evShunRqst A-8

evStatus A-8

listed A-8

types A-8

IPS modules

time synchronization 3-8, C-15

unsupported features 2-7

IPS Policies pane

described 6-7

field descriptions 6-8

IPS software

application list A-2

available files 18-1, 18-3

configuring device parameters A-4

directory structure A-34

Linux OS A-1

obtaining 18-1, 18-3

platform-dependent release examples 18-7

retrieving data A-4

security features A-5

tuning signatures A-4

updating A-4

user interaction A-4

versioning scheme 18-3

IPS software file names

major updates (illustration) 18-3

minor updates (illustration) 18-3

patch releases (illustration) 18-3

service packs (illustration) 18-3

IPv6 described B-11

K

KBs

comparing 15-20

default filename 9-11

deleting 15-22

described 9-3

downloading 15-23

histogram 9-12, 15-15

initial baseline 9-3

learning accept mode 9-11

loading 15-21

monitoring 15-18

renaming 15-22

saving 15-22

scanner threshold 9-12, 15-15

tree structure 9-12, 15-15

uploading 15-24

Knowledge Base see KB

Known Host Keys pane

configuring 10-6

described 10-5

field descriptions 10-5

L

Learned OS pane

clearing 15-25

described 15-25

field descriptions 15-25

learned OS values

clearing 15-25

deleting 15-25

learning accept mode

configuring 9-13

user roles 9-11

Learning Accept Mode tab

described 9-11

field descriptions 9-12, 9-13

user roles 9-11

license files

BSD license D-3

expat license D-12

GNU Lesser license D-22

GNU license D-17

license key

status 1-9, 14-10

trial 1-8, 14-10

licensing

described 1-8, 14-10

IPS device serial number 1-8, 14-10

Licensing pane

button functions 1-10

configuring 1-11, 14-12

described 1-8, 14-10

field descriptions 1-10, 14-12

user roles 1-8, 14-9

limitations on concurrent CLI sessions 17-1

listings UNIX-style 14-16

loading KBs 15-21

LogApp described A-2

Logger

described A-19

functions A-19

syslog messages A-19

logging in

AIM-IPS 17-4

AIP-SSM 17-6

appliances 17-1

IDM 1-4

IDSM-2 17-7

NME-IPS 17-9

sensors

SSH 17-10

Telnet 17-10

terminal servers 17-2, 19-14

LOKI

described B-46

protocol B-46

loose connections on sensors C-21

M

MainApp

components A-5

described A-2, A-5

host statistics A-6

responsibilities A-6

show version command A-6

maintenance partition

configuring

IDSM-2 (Catalyst software) 19-30

IDSM-2 (Cisco IOS software) 19-34

described A-3

major updates described 18-4

managing rate limiting 15-11

manual block to bogus host C-40

master blocking sensor

described 11-24

not set up properly C-41

Master Blocking Sensor pane

configuring 11-25

described 11-24

field descriptions 11-25

Master engine

alert frequency B-5

alert frequency parameters (table) B-5

described B-3

event actions B-6

general parameters (table) B-4

universal parameters B-4

merging configuration files C-2

Meta engine

described 5-22, B-16

parameters (table) B-17

Signature Event Action Processor 5-22, B-16

Meta Event Generator described 6-27, 8-28

MIBs supported 12-6, C-18

minor updates described 18-4

Miscellaneous tab

button functions 5-29

configuring

application policy 5-37

IP fragment reassembly mode 5-40

IP logging 5-50

TCP stream reassembly mode 5-48

described 5-27

field descriptions 5-29

user roles 5-27

modes

anomaly detection detect 9-3

anomaly detection inactive 9-3

bypass 4-24

inline interface pair 4-12

inline VLAN pair mode 4-12

promiscuous 4-11

VLAN Groups 4-13

modify packets inline modes 6-3

monitoring

events 15-3

KBs 15-18

moving OS maps 6-21, 8-22

Multi String engine

described B-17

parameters (table) B-18

Regex B-17

MySDN described 5-5

N

Neighborhood Discovery

options B-11

types B-11

Network Blocks pane

configuring 15-9

described 15-8

field descriptions 15-8

user roles 15-8

Network pane

configuring 3-3

described 3-2

field descriptions 3-2

TLS/SSL 3-3

user roles 3-2

network security health data resetting 15-28

Network Time Protocol see NTP

never block

hosts 11-7

networks 11-7

NME-IPS

initializing 16-24

installing system image 19-39

logging in 17-9

reimaging 19-39

session command 17-9

sessioning 17-8, 17-9

setup command 16-24

time sources 3-7, C-14

Normalizer engine

described B-19

IP fragment reassembly B-19

parameters (table) B-20

TCP stream reassembly B-19

Normalizer mode described 6-4

NotificationApp

alert information A-9

described A-3

functions A-9

SNMP gets A-9

SNMP traps A-9

statistics A-10

system health information A-10

NTP

authenticated 3-7, 3-8, 3-14, C-14, C-15

configuring servers 3-13

described 3-6, C-13

incorrect configuration 3-8, C-16

sensor time source 3-12, 3-14

time synchronization 3-6, C-13

unauthenticated 3-7, 3-8, 3-14, C-14, C-15

O

obtaining

cryptographic account 18-2

IPS software 18-1

one-way TCP reset described 6-27, 8-29

operation settings

configuring 9-10

user roles 9-10

Operation Settings tab

described 9-10

field descriptions 9-10

user roles 9-10

OS Identifications tab

described 6-20, 8-19

field descriptions 6-20, 8-21

OS maps

adding 6-21, 8-22

configuring 6-21, 8-22

deleting 6-21, 8-22

editing 6-21, 8-22

moving 6-21, 8-22

other actions (list) 8-9

Other Protocols tab

described 9-25, 9-32

describing 9-17

enabling other protocols 9-17

external zone 9-32

field descriptions 9-17, 9-32

illegal zone 9-25

P

P2P networks described B-31

partitions

application A-3

maintenance A-3

recovery A-3

passive OS fingerprinting

components 6-18, 8-20

configuring 6-19, 8-21

described 6-18, 8-20

password policy caution 14-2, 14-3

password recovery

AIP-SSM 14-6, C-10

appliances 14-4, C-8

CLI 14-8, C-12

described 14-3, C-7

disabling 14-8, C-12

GRUB menu 14-4, C-8

IDSM-2 14-7, C-10

IPS-4240 14-5, C-8

IPS-4255 14-5, C-8

platforms 14-3, C-7

ROMMON 14-5, C-8

troubleshooting 14-9, C-13

verifying 14-9, C-12

password requirements configuration 14-2

Passwords pane

described 14-1

field descriptions 14-2

patch releases described 18-4

peacetime learning and anomaly detection 9-3

Peer-to-Peer see P2P

physical connectivity issues C-28

physical interfaces configuration restrictions 4-8

platforms and concurrent CLI sessions 17-1

policies and platform limitations 5-2, 9-8

Post-Block ACLs 11-17, 11-18

Pre-Block ACLs 11-17, 11-18

prerequisites for blocking 11-5

promiscuous delta

calculating risk rating 6-5, 8-3

described 6-5, 8-3

promiscuous mode

described 4-11

packet flow 4-11

protocols

ARP B-10

CIDEE A-33

Custom Signature Wizard 7-11

DCE 7-12, B-29

DDoS B-46

H.323 B-24

H225.0 B-24

IDAPI A-29

IDCONF A-32

IDIOM A-32

IPv6 B-11

LOKI B-46

MSSQL B-30

Neighborhood Discovery B-11

Q.931 B-24

RDEP2 A-30

RPC 7-12, B-29

SDEE A-33

Q

Q.931 protocol

described B-24

SETUP messages B-24

quarantined IP address events described 13-2

R

rate limiting

ACLs 11-5

configuring 15-11

described 11-4

managing 15-11

percentages 15-10

routers 11-4

service policies 11-5

supported signatures 11-4

Rate Limits pane

described 15-10

field descriptions 15-10

RDEP2

functions A-30

messages A-30

responsibilities A-31

RDEP event server deprecated A-22

rebooting the sensor 14-22

Reboot Sensor pane

configuring 14-22

described 14-22

user roles 14-22

recover command 19-12

recovering

AIP-SSM C-64

application partition image 19-12

recovery partition

described A-3

upgrading 19-5

reimaging

AIP-SSM 19-26

appliances 19-12

described 19-1

IDSM-2 19-28

IPS-4240 19-15

IPS-4255 19-15

IPS-4260 19-18

IPS 4270-20 19-20

NME-IPS 19-39

sensors 18-8, 19-1

removing

last applied

service pack 19-11

signature update 19-11

renaming KBs 15-22

Reset Network Security Health pane described 15-28

reset not occurring for a signature C-48

resetting

AIP-SSM C-63

network security health data 15-28

Restore Default Interface dialog box field descriptions 2-8

Restore Defaults pane

configuring 14-22

described 14-22

user roles 14-22

restoring

current configuration C-4

defaults 14-22

retiring signatures 5-11

retrieving events through RDEP2 (illustration) A-31

risk categories

adding 6-26, 8-27

configuring 6-26, 8-27

deleting 6-26, 8-27

editing 6-26, 8-27

Risk Category tab

configuring 6-26, 8-27

described 6-25, 8-26

field descriptions 6-25, 8-27

risk rating

calculating 6-4, 8-2

described 6-18, 8-20

ROMMON

described 19-13

IPS-4240 19-15

IPS-4255 19-15

IPS-4260 19-18

IPS-4270 19-18

IPS 4270-20 19-20

password recovery 14-5, C-8

remote sensors 19-13

serial console port 19-13

TFTP 19-14

round-trip time see RTT

Router Blocking Device Interfaces pane

configuring 11-20

described 11-17

field descriptions 11-19

RPC portmapper 7-18, B-32

RTT

described 19-14

TFTP limitation 19-14

S

Save Knowledge Base dialog box

described 15-21

field descriptions 15-21

saving KBs 15-22

scheduling automatic upgrades 19-8

SDEE

described A-33

HTTP A-33

protocol A-33

server requests A-33

security and SSH 10-1

security information

Cisco Security Center 18-9

MySDN 5-5

security policies described 5-1, 6-1, 8-1, 9-1

sending commands through RDEP2 (illustration) A-31

sensing interfaces

described 4-3

interface cards 4-3

modes 4-3

sensor

blocking itself 11-7

not seeing packets C-31

process not running C-27

SensorApp

6.1 new features A-25

Alarm Channel A-23

Analysis Engine A-23

described A-3

event action filtering A-24

inline packet processing A-24

IP normalization A-24

packet flow A-25

processors A-22

responsibilities A-22

risk rating A-24

Signature Event Action Processor A-22

TCP normalization A-24

Sensor Health pane

described 14-13

field descriptions 14-14

Sensor Key pane

button functions 10-7

described 10-7

field descriptions 10-7

sensor SSH key

displaying 10-7

generating 10-7

user roles 10-7

sensors

access problems C-22

asymmetric traffic and disabling anomaly detection C-18

configuring to use NTP 3-14

corrupted SensorApp configuration C-33

diagnostics reports 15-29

disaster recovery C-6

downgrading 19-11

incorrect NTP configuration 3-8, C-16

initializing 3-1, 16-1, 16-3

interface support 4-4

IP address conflicts C-25

license 1-11, 14-12

logging in

SSH 17-10

Telnet 17-10

loose connections C-21

misconfigured access lists C-24

no alerts C-30, C-55

not seeing packets C-31

NTP time source 3-14

NTP time synchronization 3-6, C-13

partitions A-3

physical connectivity C-28

preventive maintenance C-2

rebooting 14-22

recovering the system image 18-8

reimaging 18-8, 19-1

restoring defaults 14-22

sensing process not running C-27

setting up 3-1

setup command 3-1, 16-1, 16-3, 16-7

shutting down 14-23

statistics 15-30

system images 18-8

system information 15-31

time sources 3-6, C-13

troubleshooting software upgrades C-52

updating 14-18, 14-20

using NTP time source 3-12

Sensor Setup window

described 2-2

Startup Wizard 2-2

Server Certificate pane

button functions 10-11

certificate

displaying 10-11

generating 10-11

described 10-11

field descriptions 10-11

user roles 10-11

service account

creating C-5

described 3-17, A-29, C-4

TAC A-29

troubleshooting A-29

Service DNS engine

described B-21

parameters (table) B-21

Service engine

described B-20

Layer 5 traffic B-20

Service FTP engine

described B-22

parameters (table) B-23

PASV port spoof B-22

Service Generic engine

described B-23

parameters (table) B-24

Service H225 engine

ASN.1 PER validation B-25

described B-24

features B-25

parameters (table) B-26

TPKT validation B-25

Service HTTP engine

custom signature 7-16

described 7-15, B-27

example signature 7-16

parameters (table) B-27

Service IDENT engine

described B-29

parameters (table) B-29

service-module ids-sensor slot/port session command 17-3, 17-8

Service MSRPC engine

DCE/RPC protocol 7-12, B-29

described 7-12, B-29

parameters (table) B-30

Service MSSQL engine

described B-30

MSSQL protocol B-30

parameters (table) B-31

Service NTP engine

described B-31

parameters (table) B-31

Service P2P engine

described B-31

service packs described 18-4

service role A-28

Service RPC engine

described 7-18, B-32

parameters (table) 7-18, B-32

RPC portmapper 7-18, B-32

Service SMB Advanced engine

described B-33

parameters (table) B-33

Service SNMP engine

described B-35

parameters (table) B-35

Service SSH engine

described B-36

parameters (table) B-36

Service TNS engine

described B-36

parameters (table) B-37

session command 17-4, 17-9

AIM-IPS 17-4

AIP-SSM 17-6

IDSM-2 17-7

NME-IPS 17-9

sessioning

AIM-IPS 17-4

AIP-SSM 17-6

IDSM-2 17-7

NME-IPS 17-9

setting

current KB 15-21

system clock 3-16

setting up

sensors 3-1

terminal servers 17-2, 19-14

setup

automatic 16-1

simplified mode 16-1

setup command 3-1, 16-1, 16-3, 16-7, 16-12, 16-15, 16-20, 16-24

show events command C-84

show health command C-66

show interfaces command C-82

show module 1 details command C-63

show settings command 14-9, C-12

show statistics command C-72, C-73

show statistics virtual-sensor command C-21, C-73

show tech-support command

described C-67

output C-68

show version command C-70

Shut Down Sensor pane

configuring 14-23

described 14-23

user roles 14-23

shutting down the sensor 14-23

sig0 pane

default 5-3

described 5-3

field descriptions 5-6

retiring signatures 5-11

signatures

assigning actions 5-16

cloning 5-14

disabling 5-11

enabling 5-11

tuning 5-15

tabs 5-3

signature/virus update files described 18-5

signature definition policies

adding 5-2

cloning 5-2

default policy 5-2

deleting 5-2

sig0 5-2

Signature Definitions pane

described 5-2

field descriptions 5-2

signature engines

AIC B-7

Atomic B-9

Atomic ARP B-10

Atomic IP 7-14, B-10

Atomic IPv6 B-11

creating custom signatures 7-1

described B-1

event actions B-6

Fixed B-12

Flood B-15

Flood Host B-16

Flood Net B-16

list B-2

Meta 5-22, B-16

Multi String B-17

Normalizer B-19

Service B-20

Service DNS B-21

Service FTP B-22

Service Generic B-23

Service H225 B-24

Service HTTP 7-15, B-27

Service IDENT B-29

Service MSRPC 7-12, B-29

Service MSSQL B-30

Service NTP B-31

Service P2P B-31

Service RPC 7-18, B-32

Service SMB Advanced B-33

Service SNMP B-35

Service SSH B-36

Service TNS B-36

State 7-19, B-37

String 7-20, 7-23, B-39

supported by IDM 7-2

Sweep 7-24, B-42

Sweep Other TCP B-44

Traffic Anomaly B-44

Traffic ICMP B-46

Trojan B-47

signature engine update files described 18-5

Signature Event Action Filter

described 8-6, A-26

parameters 8-6, A-26

Signature Event Action Handler described 8-6, A-26

Signature Event Action Override described 8-6, A-25

Signature Event Action Processor

alarm channel 8-6, A-25

components 8-6, A-25

described 8-6, A-22, A-25

illustration 8-6, A-26

logical flow of events 8-6, A-26

signature fidelity rating

calculating risk rating 6-5, 8-3

described 6-5, 8-3

signatures

adding 5-12

alert frequency 5-20

assigning actions 5-16

cloning 5-14

custom 5-5

default 5-4

described 5-4

disabling 5-11

editing 5-15

enabling 5-11

false positives 5-4

no TCP reset C-48

rate limits 11-4

retiring 5-11

subsignatures 5-4

tuned 5-4

tuning 5-15

signature update installation time 14-16

signature variables

adding 5-26

deleting 5-26

described 5-26

editing 5-26

Signature Variables tab

configuring 5-26

field descriptions 5-26

Signature Wizard

alert behavior 7-25

supported signature engines 7-2

SNMP

configuring 12-3

described 12-1

Get 12-1

GetNext 12-1

Set 12-1

supported MIBs 12-6, C-18

Trap 12-1

SNMP General Configuration pane

configuring 12-3

described 12-2

field descriptions 12-2

user roles 12-2

SNMP traps

configuring 12-5

described 12-1

SNMP Traps Configuration pane

button functions 12-4

configuring 12-5

described 12-4

field descriptions 12-4

software architecture

ARC (illustration) A-12

IDAPI (illustration) A-30

RDEP2 (illustration) A-31

software bypass

supported configurations 4-10

with hardware bypass 4-10

software downloads Cisco.com 18-1

software file names

recovery (illustration) 18-6

signature/virus updates (illustration) 18-5

signature engine updates (illustration) 18-5

system image (illustration) 18-6

software release examples

platform-dependent 18-7

platform identifiers 18-8

platform-independent 18-6

software updates

supported FTP servers 14-15, 19-2

supported HTTP/HTTPS servers 14-16, 19-2

SPAN port issues C-28

SSH

security 10-1

understanding 10-1

SSH Server

private keys A-20

public keys A-20

standards

CIDEE A-33

IDIOM A-32

SDEE A-33

Startup Wizard

access list 2-3

adding virtual sensors 2-12

Add Virtual Sensor dialog box 2-12

described 2-1

Inline Interface Pair window described 2-8

Inline Interface Pair window field descriptions 2-9

Inline VLAN Pairs window

described 2-9

Inline VLAN Pairs window configuration 2-10

Interface Selection window 2-8

Interface Summary window 2-6

Sensor Setup window

configuring 2-4

described 2-2

field descriptions 2-2

Traffic Inspection Mode window 2-8

Virtual Sensors window

described 2-11

field descriptions 2-11

State engine

Cisco Login 7-19, B-37

described 7-19, B-37

LPR Format String 7-19, B-37

parameters (table) B-38

SMTP 7-19, B-37

statistics display 15-30

Statistics pane

button functions 15-30, 15-31

categories 15-30

described 15-30

using 15-30

String engine described 7-20, 7-23, B-39

String ICMP engine parameters (table) B-40

String TCP engine

custom signature 7-21

example signature 7-21

parameters (table) B-40

String UDP engine parameters (table) B-41

subinterface 0 described 4-13

subsignatures described 5-4

summarization

described 6-6, 8-5

Fire All 6-7, 8-5

Fire Once 6-7, 8-5

Global Summarization 6-7, 8-5

Meta engine 6-6, 8-5

Summary 6-7, 8-5

Summarizer described 6-27, 8-28

Summary pane

button functions 4-14

described 4-14

field descriptions 2-7, 4-14

supported

configurations (IDSM-2) C-57

FTP servers 14-15, 19-2

HTTP/HTTPS servers 14-16, 19-2

IPS interfaces (CSA MC) 13-3

platforms (IDM) 1-3

Sweep engine

described 7-24, B-42

parameters (table) B-42, B-44

Sweep Other TCP engine described B-44

switch commands for troubleshooting C-58

system architecture

directory structure A-34

supported platforms A-1

system clock setting 3-16

System Configuration Dialog

described 16-2

example 16-2

system design (illustration) A-2

system image

installing

AIM-IPS 19-23

AIP-SSM 19-26

IDSM-2 (Catalyst software) 19-28

IDSM-2 (Cisco IOS software) 19-29

IPS-4240 19-15

IPS-4255 19-15

IPS-4260 19-18

IPS 4270-20 19-20

NME-IPS 19-39

system information display 15-31

System Information pane

described 15-31

using 15-31

system requirements for IDM 1-3

T

TAC

service account 3-17, A-29, C-4

show tech-support command C-67

target value rating

adding 6-17, 8-18

calculating risk rating 6-5, 8-3

configuring 6-17, 8-18

deleting 6-17, 8-18

described 6-5, 6-16, 8-3, 8-17

editing 6-17, 8-18

Target Value Rating tab

configuring 6-17, 8-18

field descriptions 6-16, 8-18

TCP fragmentation described B-19

TCP Protocol tab

described 9-15, 9-23, 9-30

enabling TCP 9-15

external zone 9-30

field descriptions 9-15

illegal zone 9-23

TCP reset

not occurring C-48

port (IDSM-2) C-62

TCP reset interfaces

conditions 4-7

described 4-6

list 4-7

TCP stream reassembly

explaining 5-42

mode 5-48

parameters (table) 5-43

signatures (table) 5-43

terminal server setup 17-2, 19-14

testing fail-over 4-10

TFN2K

described B-46

Trojans B-47

TFTP and RTT 19-14

TFTP servers

recommended 19-14

UNIX 19-14

Windows 19-14

threat rating described 6-6, 8-4

Thresholds for KB Name window

described 15-17

field descriptions 15-18

filtering information 15-17

time

correction on the sensor 3-12, C-16

sensor 3-6

Time pane

configuring 3-10

described 3-6

field descriptions 3-9

user roles 3-6

time sources

AIM-IPS 3-7, C-14

AIP-SSM 3-8, C-15

appliances 3-6, C-13

IDSM-2 3-7, C-14

NME-IPS 3-7, C-14

time synchronization and IPS modules 3-8, C-15

TLS

handshaking 1-6, 10-8

IDM 1-6, 10-8

understanding 3-3

Traffic Anomaly engine

described B-44

protocols B-44

signatures B-44

traffic flow notifications

configuring 4-26

described 4-26

Traffic Flow Notifications pane

configuring 4-26

field descriptions 4-26

Traffic ICMP engine

DDoS B-46

described B-46

LOKI B-46

parameters (table) B-46

TFN2K B-46

Traffic Inspection Mode window described 2-8

trial license key 1-8, 14-10

Tribe Flood Network 2000 see TFN2K

Tribe Flood Network see TFN

Trojan engine

BO2K B-47

described B-47

TFN2K B-47

Trojans

BO B-47

BO2K B-47

LOKI B-46

TFN2K B-47

troubleshooting C-1

AIP-SSM

commands C-63

debugging C-64

recovering C-64

reset C-63

Analysis Engine busy C-54

applying software updates C-51

ARC

blocking not occurring for signature C-40

device access issues C-37

enabling SSH C-40

inactive state C-36

misconfigured master blocking sensor C-41

verifying device interfaces C-39

automatic updates C-51

cannot access sensor C-22

cidDump C-87

cidLog messages to syslog C-47

communication C-22

corrupted SensorApp configuration C-33

debug logger zone names (table) C-47

debug logging C-43

disaster recovery C-6

duplicate sensor IP addresses C-25

enabling debug logging C-43

external product interfaces 13-10, C-20

gathering information C-66

IDM cannot access sensor C-54

IDM will not load C-53

IDSM-2

command and control port C-61

diagnosing problems C-56

not online C-60, C-61

serial cable C-62

status indicator C-58

switch commands C-58

IME and time synchronization problems C-55

IPS modules time drift 3-8, C-15

manual block to bogus host C-40

misconfigured access list C-24

no alerts C-30, C-55

NTP C-48

password recovery 14-9, C-13

physical connectivity issues C-28

preventive maintenance C-2

reset not occurring for a signature C-48

sensing process not running C-27

sensor events C-84

sensor loose connections C-21

sensor not seeing packets C-31

sensor software upgrade C-52

service account 3-17, C-4

show events command C-83

show interfaces command C-82

show statistics command C-72

show tech-support command C-67, C-68

show version command C-70

software upgrades C-50

SPAN port issue C-28

upgrading from 5.x to 6.0 C-50

verifying ARC status C-35

Trusted Hosts pane

configuring 10-10

described 10-9

field descriptions 10-10

tuned signatures described 5-4

tuning

AIC signatures 5-38

IP fragment reassembly signatures 5-41

signatures 5-15

turning off anomaly detection 9-37

U

UDP Protocol tab

described 9-16, 9-24, 9-31

enabling UDP 9-16

external zone 9-31

field descriptions 9-31

illegal zone 9-24

unassigned VLAN groups described 4-13

unauthenticated NTP 3-7, 3-8, 3-14, C-14, C-15

understanding

SSH 10-1

time on the sensor C-13

UNIX-style directory listings 14-16

Update Sensor pane

configuring 14-20

described 14-19

field descriptions 14-20

user roles 14-19

updating

Cisco.com 14-19

FTP server 14-19

Home pane 1-2

sensors 14-20

upgrade command 19-3, 19-5

upgrading

5.x to 6.0 18-8

from 5.x to 6.0 C-50

maintenance partition

IDSM-2 (Catalyst software) 19-38

IDSM-2 (Cisco IOS software) 19-38

minimum required version 18-8

recovery partition 19-5, 19-12

uploading KBs

FTP 15-24

SCP 15-24

Upload Knowledge Base to Sensor dialog box

described 15-24

field descriptions 15-24

URLs for Cisco Security Center 18-9

Users pane

button functions 3-17

configuring 3-18

field descriptions 3-17

user roles A-28

using

debug logging C-43

TCP reset interfaces 4-7

V

VACLs

described 11-3

Post-Block 11-21

Pre-Block 11-21

verifying

password recovery 14-9, C-12

sensor initialization 16-27

sensor setup 16-27

viewing

IP logs 15-14

statistics 15-30

system information 15-31

virtual sensors

adding 2-12, 6-10

default virtual sensor 6-2, 6-7

deleting 6-10

described 6-2, 6-7

editing 6-10

stream segregation 6-3

Virtual Sensors window described 2-11

VLAN groups

802.1q encapsulation 4-13

configuration restrictions 4-9

configuring 4-23

deploying 4-22

described 4-13

switches 4-22

VLAN Groups pane

configuring 4-23

described 4-21

field descriptions 4-22

VLAN IDs 4-21

VLAN Pairs pane

configuring 4-20

describing 4-19

field descriptions 4-20

W

watch list rating

calculating risk rating 6-5, 8-3

described 6-5, 8-3

Web Server

described A-3, A-21

HTTP 1.0 and 1.1 support A-21

private keys A-20

public keys A-20

RDEP2 support A-21

worm attacks and histograms 9-12, 15-16

worms

Blaster 9-2

Code Red 9-2

described 9-2

Nimda 9-2

protocols 9-2

Sasser 9-2

scanners 9-2

Slammer 9-2

SQL Slammer 9-2

Z

zones

external 9-4

illegal 9-4

internal 9-4