Cisco Intrusion Prevention System Manager Express Configuration Guide for IPS 6.2
Index


Numerics

4GE bypass interface card

configuration restrictions 7-10

described 7-10

802.1q encapsulation

VLAN groups 7-15

A

accessing IPS software 23-2

access lists

misconfiguration C-29

necessary hosts 5-3

ACLs

adding 5-3

described 14-3

Post-Block 14-17, 14-18

Pre-Block 14-17, 14-18

ad0 pane

default 12-9

described 12-9

tabs 12-9

Add ACL Entry dialog box field descriptions 5-3

Add Active Host Block dialog box

field descriptions 18-7

user roles 18-6

Add Allowed Host dialog box

field descriptions 6-4

user roles 6-4

Add Authorized Key dialog box

field descriptions 13-3

user roles 13-2

Add Blocking Device dialog box

field descriptions 14-15

user roles 14-14

Add Cat 6K Blocking Device Interface dialog box

field descriptions 14-23

user roles 14-22

Add Configured OS Map dialog box

field descriptions 8-25, 11-27

user roles 8-24, 11-24

Add Destination Port dialog box field descriptions 12-16, 12-23, 12-30

Add Device List dialog box field descriptions 2-3

Add Device Login Profile dialog box

field descriptions 14-13

user roles 14-12

Add Event Action Filter dialog box

field descriptions 8-14, 11-16

user roles 8-13, 11-15

Add Event Action Override dialog box

field descriptions 8-10, 11-13

user roles 8-10, 11-12

Add Event Variable dialog box

field descriptions 8-29, 11-30

user roles 8-27, 11-29

Add External Product Interface dialog box

field descriptions 16-6

user roles 16-5

Add Filter dialog box field descriptions 3-17

Add Histogram dialog box field descriptions 12-16, 12-23, 12-31

adding

ACLs 5-3

a host never to be blocked 14-11

anomaly detection policies 12-9

blocking devices 14-15

CSA MC interfaces 16-7

denied attackers 18-5

event action filters 8-16, 11-18

event action overrides 11-13

event action rules policies 11-11

event variables 8-29, 11-31

external product interfaces 16-7

host blocks 18-7

IPv4 target value rating 8-19, 11-21

IPv6 target value rating 8-21, 11-23

network blocks 18-9

OS maps 8-26, 11-28

rate limiting devices 14-15

risk categories 8-32, 11-33

signature definition policies 9-3

signatures 9-13

signature variables 9-29

virtual sensors 5-12, 8-11

Add Inline VLAN Pair dialog box field descriptions 7-22

Add Inline VLAN Pair Entry dialog box field descriptions 5-10

Add Interface Pair dialog box field descriptions 7-20

Add IP Logging dialog box

field descriptions 18-14

user roles 18-13

Add IPv4 Target Value Rating dialog box

field descriptions 8-19, 11-21

user roles 8-18, 11-20

Add IPv6 Target Value Rating dialog box

field descriptions 8-21, 11-22

user roles 8-20, 11-22

Add Known Host Key dialog box

field descriptions 13-5

user roles 13-4

Add Master Blocking Sensor dialog box

field descriptions 14-26

user roles 14-25

Add Network Block dialog box

field descriptions 18-9

user roles 18-8

Add Never Block Address dialog box

field descriptions 14-11

user roles 14-7

Add Policy dialog box

field descriptions 9-2, 11-11, 12-8

user roles 9-2, 11-10, 12-8

Add Posture ACL dialog box field descriptions 16-7

Add Protocol Number dialog box field descriptions 12-17, 12-25, 12-32

Add Rate Limit dialog box

field descriptions 18-11

user roles 18-10

Address Resolution Protocol. See ARP.

Add Risk Level dialog box

field descriptions 8-32, 11-33

user roles 8-31, 11-32

Add Router Blocking Device Interface dialog box

field descriptions 14-20

user roles 14-17

Add Signature dialog box

field descriptions 9-8

user roles 9-6

Add Signature Variable dialog box

field descriptions 9-28

user roles 9-28

Add SNMP Trap Destination dialog box

field descriptions 15-4

user roles 15-4

Add Start Time dialog box field descriptions 12-13

Add Trusted Host dialog box

field descriptions 13-10

user roles 13-9

Add User dialog box

field descriptions 6-17

user roles 6-16

Add Virtual Sensor dialog box

described 5-12, 8-9

field descriptions 5-12, 8-9

user roles 8-9

Add VLAN Group dialog box

field descriptions 7-24

user roles 7-23

Advanced Alert Behavior Wizard

Alert Dynamic Response Fire All window field descriptions 10-29

Alert Dynamic Response Fire Once window field descriptions 10-29

Alert Dynamic Response Summary window field descriptions 10-31

Alert Summarization window field descriptions 10-28

Event Count and Interval window field descriptions 10-28

Global Summarization window field descriptions 10-31

AIC engine

AIC FTP B-11

AIC HTTP B-11

described B-11

features B-11

signature categories 9-32

signatures (example) 9-40

AIC FTP engine parameters (table) B-12

AIC HTTP engine parameters (table) B-11

AIC policy configuration 9-39

AIC policy enforcement

default configuration 9-33, B-11

described 9-33, B-10

sensor oversubscription 9-33, B-11

AIM IPS

initializing 22-12

installing system image 24-22

logging in 21-4

session command 21-4

sessioning 21-3, 21-4

setup command 22-12

time sources 6-7

AIP SSC-5

password recovery 17-6, C-10

resetting the password 17-7, C-11

AIP SSM

bypass mode 7-27

initializing 22-15

installing system image 24-26

logging in 21-5

Normalizer engine B-37, C-70

password recovery 17-8, C-12

recovering C-69

reimaging 24-25

resetting C-68

resetting the password 17-8, C-13

session command 21-5

setup command 22-15

time sources 6-7

Alarm Channel described 11-6, A-25

alert and log actions (list) 11-7

alert behavior 10-28

alert frequency

aggregation 9-20

configuring 9-20

controlling 9-20

modes B-6

Allowed Hosts/Networks pane

configuring 6-5

field descriptions 6-4

alternate TCP reset interface configuration restrictions 7-8

Analysis Engine

described 8-2

error messages C-26

IDM exits C-58

verify it is running C-23

virtual sensors 8-2

anomaly detection

asymmetric environment 12-2

caution 12-2

configuration sequence 12-4

default configuration (example) 12-4

described 12-2

detect mode 12-3

disabling C-22

event actions 12-6, B-62

inactive mode 12-4

learning accept mode 12-3

learning process 12-3

limiting false positives 12-12, 18-16

operation settings configuration 12-10

protocols 12-2

signatures (table) 12-6, B-62

worm attacks 18-16

worms

attacks 12-12

described 12-2

zones 12-4

Anomaly Detection pane

button functions 18-16

described 18-15

field descriptions 18-16

user roles 18-15

anomaly detection policies

ad0 12-8

adding 12-9

cloning 12-9

default policy 12-8

deleting 12-9

Anomaly Detections pane

described 12-8

field descriptions 12-8

appliances

application partition image 24-12

GRUB menu 17-4, C-8

initializing 22-7

logging in 21-1

password recovery 17-4, C-8

terminal servers

described 21-2, 24-14

setting up 21-2, 24-14

time sources 6-6

upgrading recovery partition 24-5

Application Inspection and Control. See AIC.

application partition

described A-3

recovering image 24-12

application policy enforcement

described 9-33, B-10

disabled (default) 9-33

applying software updates C-55

ARC

ACLs 14-18, A-13

authentication A-13

blocking

application 14-2

connection-based A-16

not occurring for signature C-45

unconditional blocking A-16

block response A-12

Catalyst 6000 series switch

VACL commands A-18

VACLs A-17

Catalyst switches

VACLs A-15

VLANs A-15

checking status 14-3, 14-4

described A-2

design 14-2

device access issues C-42

enabling SSH C-44

features A-12

firewalls

AAA A-17

connection blocking A-16

NAT A-17

network blocking A-16

postblock ACL A-15

preblock ACL A-15

shun command A-17

TACACS+ A-17

formerly Network Access Controller 14-1, 14-3

functions 14-2

illustration A-11

inactive state C-40

interfaces A-13

maintaining states A-15

managed devices 14-8

master blocking sensors A-13

maximum blocks 14-2

misconfigured master blocking sensor C-46

nac.shun.txt file A-15

NAT addressing A-14

number of blocks A-14

postblock ACL A-15

preblock ACL A-15

prerequisites 14-5

rate limiting 14-4

responsibilities A-11

single point of control A-14

SSH A-12

supported devices 14-6, A-14

Telnet A-12

troubleshooting C-39

VACLs A-13

verifying device interfaces C-43

verifying status C-39

ARP

Layer 2 signatures B-13

protocol B-13

ARP spoof tools

dsniff B-13

ettercap B-13

ASDM resetting passwords 17-8, 17-10, C-12, C-14

assigning actions to signatures 9-17

asymmetric

environment and anomaly detection 12-2

traffic and disabling anomaly detection C-22

Atomic ARP engine

described B-13

parameters (table) B-13

Atomic IP Advanced engine

described B-14

restrictions B-15

Atomic IP engine

described 10-20, B-24

parameters (table) B-24

Atomic IPv6 engine

described B-28

Neighbor Discovery protocol B-28

signatures B-28

signatures (table) B-29

attack relevance rating

calculating risk rating 8-5, 11-3

described 8-5, 11-3, 11-25

risk rating 8-23

Attack Response Controller

described A-2

formerly known as Network Access Controller A-2

Attack Response Controller. See ARC.

attack severity rating

calculating risk rating 8-5, 11-3

described 8-5, 11-3

Attacks Over Time gadgets

configuring 3-11

described 3-11

authenticated NTP 6-6, 6-7, 6-8, 6-14, C-18

AuthenticationApp

authenticating users A-19

described A-3

login attempt limit A-19

method A-19

responsibilities A-19

secure communications A-20

sensor configuration A-19

Authorized Keys pane

configuring 13-3

described 13-2

field descriptions 13-2

RSA authentication 13-2

RSA key generation tool 13-3

Auto/Cisco.com Update pane

configuring 17-21

described 17-18

field descriptions 17-20

UNIX-style directory listings 17-19

user roles 17-18

automatic setup 22-1

automatic upgrade

examples 24-10

information required 24-6

troubleshooting C-55

autonegotiation and hardware bypass 7-11

auto-upgrade-option command 24-6

B

backing up

configuration C-3

current configuration C-4, C-5

BackOrifice. See BO.

BackOrifice 2000. See BO2K.

basic setup 22-3

blocking

described 14-2

master blocking sensor 14-25

necessary information 14-3

not occurring for signature C-45

prerequisites 14-5

supported devices 14-6

types 14-2

when to disable 14-8

blocking devices

adding 14-15

deleting 14-15

editing 14-15

Blocking Devices pane

configuring 14-15

described 14-14

field descriptions 14-15

ssh host-key command 14-16

Blocking Properties pane

adding a host never to be blocked 14-11

configuring 14-10

described 14-7

field descriptions 14-8

BO

described B-64

Trojans B-64

BO2K

described B-64

Trojans B-64

Bug Toolkit

described C-1

URL C-1

bypass mode

AIP SSM 7-27

described 7-26

Bypass pane field descriptions 7-26

C

calculating risk rating

attack relevance rating 8-5, 11-3

attack severity rating 8-5, 11-3

promiscuous delta 8-5, 11-3

signature fidelity rating 8-4, 11-3

target value rating 8-5, 11-3

watch list rating 8-5, 11-3

cannot access sensor C-27

Cat 6K Blocking Device Interfaces pane

configuring 14-23

described 14-22

field descriptions 14-23

CDP described 7-29

CDP Mode pane

configuring 7-29

field descriptions 7-29

user roles 7-29

certificates

displaying 13-11

generating 13-11

IDM 13-8

changing Microsoft IIS to UNIX-style directory listings 17-19

cidDump and obtaining information C-93

CIDEE

defined A-31

example A-31

IPS extensions A-31

protocol A-31

supported IPS events A-31

cisco

default password 21-1

default username 21-1

Cisco.com

accessing software 23-2

downloading software 23-1

IPS software 23-1

software downloads 23-1

Cisco Discovery Protocol. See CDP.

Cisco IOS and rate limiting 14-4

Cisco IPS software files 24-2

Cisco Security Intelligence Operations

described 23-9

URL 23-9

Cisco Services for IPS

service contract 17-14

supported products 17-14

clear events command 6-12, 6-16, 18-4, C-20, C-93

Clear Flow States pane

configuring 18-27

described 18-26

field descriptions 18-27

clearing

events 6-16, 18-4, C-93

flow states 18-27

statistics C-79

clear password command 17-6, 17-11, C-10, C-15

CLI described A-3, A-27

clock set command 6-15

Clone Policy dialog box

field descriptions 9-2, 11-11, 12-8

user roles 9-2, 11-10, 12-8

Clone Signature dialog box

field descriptions 9-8

user roles 9-6

cloning

anomaly detection policies 12-9

event action rules policies 11-11

signature definition policies 9-3

signatures 9-15

color rules described 19-2

command and control interface

described 7-2

list 7-2

commands

auto-upgrade-option 24-6

clear events 6-12, 6-16, 18-4, C-20, C-93

clear password 17-6, 17-11, C-10, C-15

clock set 6-15

copy backup-config C-3

copy current-config C-3

debug module-boot C-69

downgrade 24-11

hw-module module 1 reset C-68

hw-module module slot_number password-reset 17-6, 17-8, C-11, C-12

session 21-4, 21-8

setup 22-1, 22-3, 22-7, 22-12, 22-15, 22-19, 22-24

show events C-90

show health C-71

show module 1 details C-68

show settings 17-13, C-17

show statistics C-78

show statistics virtual-sensor C-26, C-78

show tech-support C-72

show version C-76

upgrade 24-3, 24-5

Compare Knowledge Bases dialog box field descriptions 18-19

comparing KBs 18-19, 18-20

configuration files

backing up C-3

merging C-3

configuration restrictions

alternate TCP reset interface 7-8

inline interface pairs 7-8

inline VLAN pairs 7-8

interfaces 7-8

physical interfaces 7-8

VLAN groups 7-9

Configure Summertime dialog box field descriptions 5-4, 6-10

configuring

AIC policy parameters 9-39

allowed hosts 6-5

allowed networks 6-5

anomaly detection operation settings 12-10

Attacks Over Time gadgets 3-11

authorized keys 13-3

automatic upgrades 24-8

blocking devices 14-15

blocking properties 14-10

Cat 6K blocking device interfaces 14-23

CDP mode 7-29

CPU, Memory, & Load gadgets 3-9

CSA MC IPS interfaces 16-4

device login profiles 14-13

event action filters 8-16, 11-18

Event Action Overrides tab 11-13

events 18-3

event variables 8-29, 11-31

external zone 12-32

general settings 8-34, 11-36

host blocks 18-7

illegal zone 12-25

inline VLAN pairs 5-10

interface pairs 7-20

interfaces 7-18

Interface Status gadgets 3-6

internal zone 12-18

IP fragment reassembly signatures 9-43

IP logging 18-14

IPv4 target value rating 8-19, 11-21

IPv6 target value rating 8-21, 11-23

known host keys 13-6

learning accept mode 12-13

Licensing gadgets 3-6

maintenance partition

IDSM2 (Catalyst software) 24-30

IDSM2 (Cisco IOS software) 24-34

master blocking sensor 14-26

network blocks 18-9

Network Security gadgets 3-7

network settings 6-2

NTP servers 6-13

OS Identifications tab 8-26, 11-28

password requirements 17-2

rate limiting 18-11

rate limiting devices 14-15

risk categories 8-32, 11-33

router blocking device interfaces 14-20

RSS Feed gadgets 3-9

RSS feeds 4-2

Sensor Health gadgets 3-5

Sensor Information gadgets 3-4

Sensor Setup window 5-4

sensor to use NTP 6-14

sig0 pane 9-12

Signature Variables tab 9-29

SNMP 15-3

SNMP traps 15-5

TCP fragment reassembly parameters 9-50

time 6-10

Top Applications gadgets 3-8

Top Attackers gadgets 3-10

Top Signatures gadgets 3-11

Top Victims gadgets 3-10

traffic flow notifications 7-28

trusted hosts 13-10

upgrades 24-4

users 6-18

VLAN groups 7-25

VLAN pairs 7-22

control transactions

characteristics A-8

request types A-7

copy backup-config command C-3

copy current-config command C-3

correcting time on the sensor 6-12, C-20

CPU, Memory, & Load gadgets

configuring 3-9

described 3-8

creating

Atomic IP Advanced signatures 9-26, 10-10

custom signatures

described 9-13

not using signature engines 10-4

Service HTTP 10-12

using signature engines 10-2

IPv6 signatures 9-26, 10-10

Meta signatures 9-23

Post-Block VACLs 14-22

Pre-Block VACLs 14-22

service account C-6

cryptographic account

Encryption Software Export Distribution Authorization from 23-2

obtaining 23-2

cryptographic features (IME) 1-1

CSA MC

adding interfaces 16-7

configuring IPS interfaces 16-4

host posture events 16-1, 16-4

quarantined IP address events 16-1

supported IPS interfaces 16-4

CtlTransSource

described A-2, A-10

illustration A-11

current configuration backup C-3

current KB setting 18-21

custom signatures

creating 9-13

described 9-5

IPv6 signature 9-26, 10-10

Meta signature 9-23

D

Dashboard pane gadgets 3-1

data structures (examples) A-7

DDoS

protocols B-64

Stacheldraht B-64

TFN B-64

debug logging enable C-47

debug module-boot command C-69

default policies

ad0 12-8

sig0 9-2

defaults

KB filename 12-11

password 21-1

restoring 17-25

username 21-1

virtual sensor vs0 8-2

deleting

anomaly detection policies 12-9

blocking devices 14-15

event action filters 8-16, 11-18

event action overrides 11-13

event action rules policies 11-11

event variables 8-29, 11-31

imported OS values 18-26

IPv4 target value rating 8-19, 11-21

IPv6 target value rating 8-21, 11-23

KBs 18-22

learned OS values 18-25

OS maps 8-26, 11-28

rate limiting devices 14-15

risk categories 8-32, 11-33

signature definition policies 9-3

signature variables 9-29

virtual sensors 8-11

Demo mode (IME) 1-5

Denial of Service. See DoS.

denied attackers

adding 18-5

clearing list 18-5

hit count 18-4

resetting hit counts 18-5

Denied Attackers pane

described 18-4

field descriptions 18-4

user roles 18-4

using 18-5

deny actions (list) 11-8

Deny Packet Inline described 8-10, 9-12, 11-9, 11-12, B-8

detect mode (anomaly detection) 12-3

device access issues C-42

Device Details pane described 2-1

Device List pane

described 2-1

field descriptions 2-2

Device Login Profiles pane

configuring 14-13

described 14-12

field descriptions 14-12

devices

adding 2-3

deleting 2-3

editing 2-3

device tools

DNS lookup 2-5

ping 2-5

traceroute 2-5

whois 2-5

Diagnostics Report pane

button functions 18-29

described 18-29

user roles 18-29

using 18-29

diagnostics reports 18-29

Differences between knowledge bases KB_Name and KB_Name window field descriptions 18-19

disabling

anomaly detection C-22

event action filters 11-18

event action overrides 11-13

interfaces 7-18

password recovery 17-12, C-16

signatures 9-12

disaster recovery C-6

displaying

events C-91

health status C-71

password recovery setting 17-13, C-17

statistics C-79

tech support information C-73

version C-76

Distributed Denial of Service. See DDoS.

DNS lookup IME device tools 2-5

DoS tools B-6

downgrade command 24-11

downgrading sensors 24-11

downloading

KBs 18-23

software 23-1

Download Knowledge Base From Sensor dialog box

described 18-23

field descriptions 18-23

duplicate IP addresses C-30

E

Edit ACL Entry dialog box field descriptions 5-3

Edit Actions dialog box

field descriptions 9-9

user roles 9-6

Edit Allowed Host dialog box

field descriptions 6-4

user roles 6-4

Edit Authorized Key dialog box

field descriptions 13-3

user roles 13-2

Edit Blocking Device dialog box

field descriptions 14-15

user roles 14-14

Edit Cat 6K Blocking Device Interface dialog box

field descriptions 14-23

user roles 14-22

Edit Configured OS Map dialog box

field descriptions 8-25, 11-27

user roles 8-24, 11-24

Edit Destination Port dialog box field descriptions 12-16, 12-23, 12-30

Edit Device List dialog box field descriptions 2-3

Edit Device Login Profile dialog box

field descriptions 14-13

user roles 14-12

Edit Event Action Filter dialog box

field descriptions 8-14, 11-16

user roles 8-13, 11-15

Edit Event Action Override dialog box

field descriptions 8-10, 11-13

user roles 8-10, 11-12

Edit Event Variable dialog box

field descriptions 8-29, 11-30

user roles 8-27, 11-29

Edit External Product Interface dialog box

field descriptions 16-6

user roles 16-5

Edit Filter dialog box field descriptions 3-17

Edit Histogram dialog box field descriptions 12-16, 12-23, 12-31

editing

blocking devices 14-15

event action filters 8-16, 11-18

event action overrides 11-13

event variables 8-29, 11-31

interfaces 7-18

IPv4 target value rating 8-19, 11-21

IPv6 target value rating 8-21, 11-23

OS maps 8-26, 11-28

rate limiting devices 14-15

risk categories 8-32, 11-33

signatures 9-16

signature variables 9-29

virtual sensors 8-11

Edit Inline VLAN Pair dialog box field descriptions 7-22

Edit Inline VLAN Pair Entry dialog box field descriptions 5-10

Edit Interface dialog box field descriptions 7-17

Edit Interface Pair dialog box field descriptions 7-20

Edit IP Logging dialog box

field descriptions 18-14

user roles 18-13

Edit IPv4 Target Value Rating dialog box

field descriptions 8-19, 11-21

user roles 8-18, 11-20

Edit IPv6 Target Value Rating dialog box

field descriptions 8-21, 11-22

user roles 8-20, 11-22

Edit Known Host Key dialog box

field descriptions 13-5

user roles 13-4

Edit Master Blocking Sensor dialog box

field descriptions 14-26

user roles 14-25

Edit Never Block Address dialog box

field descriptions 14-11

user roles 14-7

Edit Posture ACL dialog box field descriptions 16-7

Edit Protocol Number dialog box field descriptions 12-17, 12-25, 12-32

Edit Risk Level dialog box

field descriptions 8-32, 11-33

user roles 8-31, 11-32

Edit Router Blocking Device Interface dialog box

field descriptions 14-20

user roles 14-17

Edit Signature dialog box

field descriptions 9-8

user roles 9-6

Edit Signature Variable dialog box

field descriptions 9-28

user roles 9-28

Edit SNMP Trap Destination dialog box

field descriptions 15-4

user roles 15-4

Edit Start Time dialog box field descriptions 12-13

Edit User dialog box

field descriptions 6-17

user roles 6-16

Edit Virtual Sensor dialog box

field descriptions 8-9

user roles 8-9

Edit VLAN Group dialog box

field descriptions 7-24

user roles 7-23

enabling

debug logging C-47

event action filters 8-16, 11-18

event action overrides 11-13

interfaces 7-18

signatures 9-12

Encryption Software Export Distribution Authorization form

cryptographic account 23-2

described 23-2

engines

AIC B-10

Fixed B-30

Flood B-32

Master B-4

Meta B-33

Multi String B-34

Normalizer B-36

Service DNS B-38

Service FTP B-40

Service Generic B-40

Service H225 B-42

Service HTTP B-44

Service IDENT B-46

Service MSRPC B-46

Service MSSQL B-47

Service NTP B-48

Service P2P B-48

Service RPC B-49

Service SMB Advanced B-50

Service SNMP B-52

Service SSH B-53

Service TNS B-53

State B-55

String B-56

Sweep B-59

Sweep Other TCP B-61

Traffic ICMP B-64

Trojan B-64

EPS in IME Home pane 1-2

evAlert A-8

event action filters

adding 8-16, 11-18

configuring 8-16, 11-18

deleting 8-16, 11-18

described 8-13, 11-4

disabling 11-18

editing 8-16, 11-18

enabling 8-16, 11-18

moving 11-18

Event Action Filters tab

configuring 8-16, 11-18

described 8-13, 11-15

field descriptions 8-14, 11-15

event action overrides

adding 11-13

deleting 11-13

described 8-4, 11-4

disabling 11-13

editing 11-13

enabling 11-13

Event Action Overrides tab

configuring 11-13

described 11-12

field descriptions 11-13

Event Action Rules pane

described 11-10

field descriptions 11-10

event action rules policies

adding 11-11

cloning 11-11

deleting 11-11

events

color rules 19-2

display configuration 18-3

displaying C-91

filtering 19-2

grouping 19-2

host posture 16-2

quarantined IP address 16-2

using views 19-4

Events pane

configuring 18-3

described 18-2

field descriptions 18-2

events per second. See EPS.

event status

displaying 2-4

starting 2-4

stopping 2-4

Event Store

clearing events 6-12, C-20

data structures A-7

described A-2

examples A-6

responsibilities A-6

timestamp A-6

event types C-89

event variables

adding 8-29, 11-31

configuring 8-29, 11-31

deleting 8-29, 11-31

editing 8-29, 11-31

example 8-28, 11-30

Event Variables tab

configuring 8-29, 11-31

described 8-27, 11-29

field descriptions 8-28, 11-30

Event Viewer pane

described 19-1

field descriptions 18-3

evError A-8

evLogTransaction A-8

evShunRqst A-8

evStatus A-8

example custom signatures

Atomic IP Advanced 9-26, 10-10

Meta engine 9-23

external product interfaces

adding 16-7

described 16-1

issues 16-3, C-24

troubleshooting 16-10, C-24

trusted hosts 16-5

External Product Interfaces pane

configuring 16-7

described 16-5

field descriptions 16-5

external zone

configuring 12-32

protocols 12-29

user roles 12-29

External Zone tab

described 12-29

tabs 12-29

user roles 12-29

F

fail-over testing 7-10

false positives described 9-4

files

Cisco IPS 24-2

IDSM2 password recovery 17-10, C-15

filtering

described 19-2

predefined 19-2

Filter pane field descriptions 19-3

filters

configuring

event views 19-5

gadgets 3-14

Fixed engine described B-30

Fixed ICMP engine parameters (table) B-30

Fixed TCP engine parameters (table) B-31

Fixed UDP engine parameters (table) B-32

Flood engine described B-32

Flood Host engine parameters (table) B-33

Flood Net engine parameters (table) B-33

flow states clearing 18-27

FTP servers

IPS software update support 17-19, 24-2

list 17-19, 24-2

G

gadgets

Attacks Over Time 3-11

CPU, Memory, & Load 3-8

Interface Status 3-6

Licensing 3-5

Network Security 3-7

RSS Feed 3-9

Sensor Health 3-4

Sensor Information 3-3

Top Applications 3-8

Top Attackers 3-9

Top Signatures 3-11

Top Victims 3-10

general settings

configuring 8-34, 11-36

described 8-33, 11-34

General tab

configuring 8-34, 11-36

described 8-33, 11-34, 12-15, 12-22

enabling zones 12-15, 12-22

field descriptions 8-33, 11-35

user roles 8-33, 11-34

generating diagnostics reports 18-29

Global Variables pane

described 17-18

field descriptions 17-18

user roles 17-18

grouping events described 19-2

GRUB menu password recovery 17-4, C-8

H

H.225.0 protocol B-42

H.323 protocol B-42

hardware bypass

autonegotiation 7-11

configuration restrictions 7-10

fail-over 7-10

IPS 4260 7-10

IPS 4270-20 7-10

supported configurations 7-10

with software bypass 7-10

health status

displaying 2-4, C-71

starting 2-4

stopping 2-4

Host Blocks pane

configuring 18-7

described 18-6

field descriptions 18-6

host posture events

CSA MC 16-4

described 16-2

HTTP/HTTPS servers

IPS software update support 17-19, 24-2

list 17-19, 24-2

HTTP deobfuscation

ASCII normalization 10-22, B-44

described 10-22, B-44

hw-module module 1 reset command C-68

hw-module module slot_number password-reset command 17-6, 17-8, C-11, C-12

I

IDAPI

communications A-3, A-29

described A-3

functions A-29

illustration A-29

responsibilities A-29

IDCONF

described A-30

example A-30

XML A-30

IDIOM

defined A-29

messages A-29

IDM

Analysis Engine is busy C-58

certificates 13-8

Signature Wizard supported signature engines 10-3

TLS 13-8

will not load C-57

IDSM2

command and control port C-65

configuring

maintenance partition (Cisco IOS software) 24-34

maintenance partition (Catalyst software) 24-30

initializing 22-19

installing

system image (Catalyst software) 24-28

system image (Cisco IOS software) 24-29

logging in 21-7

minimum supported configurations C-62

password recovery 17-10, C-14

password recovery image file 17-10, C-15

reimaging 24-28

sessioning 21-7

setup command 22-19

TCP reset port C-67

time sources 6-6

upgrading

maintenance partition (Catalyst software) 24-38

maintenance partition (Cisco IOS software) 24-38

illegal zone

configuring 12-25

user roles 12-21

Illegal Zone tab

described 12-22

user roles 12-21

IME

color rules 19-2

configuring

filters 3-14, 19-5

RSS feeds 4-2

views 3-14, 19-5

cryptographic features 1-1

Demo mode 1-5

described 1-1

devices

adding 2-3

deleting 2-3

editing 2-3

EPS 1-2

event status

starting 2-4

stopping 2-4

Event Viewer 19-1

filtering 19-2

gadgets 3-1

grouping events 19-2

health status

displaying 2-4

starting 2-4

stopping 2-4

installing 1-5

IPS versions 1-3

menu features 1-2

MySQL database 1-4

replaces IEV 1-1

reports

configuring 20-2

described 20-1

generating 20-2

report types 20-1

supported platforms 1-3

system requirements 1-3

time synchronization problems C-60

using event views 19-4

video help 1-2

working with

top attacker IP addresses 3-12

top signatures 3-13

top victim IP addresses 3-12

IME Home pane

described 1-2

EPS 1-2

features 1-2

Imported OS pane

clearing 18-26

described 18-26

field descriptions 18-26

user roles 18-25

imported OS values

clearing 18-26

deleting 18-26

inactive mode (anomaly detection) 12-4

initializing

AIM IPS 22-12

AIP SSM 22-15

appliances 22-7

IDSM2 22-19

NME IPS 22-24

sensors 22-1, 22-3

user roles 22-1

verifying 22-27

inline interface pair mode

configuration restrictions 7-8

described 7-13

Inline Interface Pair window

described 5-8

Startup Wizard 5-8

inline VLAN pair mode

described 7-13

supported sensors 7-13

inline VLAN pairs

configuration restrictions 7-8

configuring 5-10

Inline VLAN Pairs window

described 5-9

field descriptions 5-9

Startup Wizard 5-9

installer major version 23-5

installer minor version 23-5

installing

IME 1-5

sensor license 17-16

system image

AIP SSM 24-26

IDSM2 (Catalyst software) 24-28

IDSM2 (Cisco IOS software) 24-29

IPS 4240 24-15

IPS 4255 24-15

IPS 4260 24-18

IPS 4270-20 24-20

InterfaceApp described A-2

interface pairs

configuring 7-20

described 7-19

Interface Pairs pane

configuring 7-20

described 7-19

field descriptions 7-19

interfaces

alternate TCP reset 7-2

command and control 7-2

configuration restrictions 7-8

configuring 7-18

described 5-6, 7-1

disabling 7-18

editing 7-18

enabling 7-18

logical 5-6

physical 5-6

port numbers 7-1

sensing 7-2, 7-3

slot numbers 7-1

support (table) 7-4

TCP reset 7-6

VLAN groups 7-2

Interface Selection window

described 5-8

Startup Wizard 5-8

Interfaces pane

configuring 7-18

described 7-16

field descriptions 7-16

user roles 7-16

Interface Status gadgets

configuring 3-6

described 3-6

Interface Summary window

described 5-6

field descriptions 5-7

internal zone

configuring 12-18

user roles 12-14

Internal Zone tab

described 12-14

user roles 12-14

IP fragmentation described B-36

IP fragment reassembly

configuring 9-43

described 9-41

mode 9-43

parameters (table) 9-41

signatures 9-43

signatures (example) 9-43

signatures (table) 9-41

IP logging

described 9-51, 18-12

event actions 18-13

system performance 18-12

IP Logging pane

configuring 18-14

described 18-13

field descriptions 18-13

IP logs

circular buffer 18-13

states 18-12

tcpdump 18-13

viewing 18-14

Wireshark 18-13

IPS 4240

installing system image 24-15

password recovery 17-5, C-9

reimaging 24-15

IPS 4255

installing system image 24-15

password recovery 17-5, C-9

reimaging 24-15

IPS 4260

hardware bypass 7-10

installing system image 24-18

reimaging 24-18

IPS 4270-20

hardware bypass 7-10

installing system image 24-20

reimaging 24-20

IPS applications

summary A-32

table A-32

XML format A-2

IPS data

types A-7

XML document A-8

IPS events

evAlert A-8

evError A-8

evLogTransaction A-8

evShunRqst A-8

evStatus A-8

list A-8

types A-8

IPS internal communications A-29

IPS Manager Express described 1-1

IPS modules

time synchronization 6-8, C-19

unsupported features 5-7

IPS Policies pane

described 8-7

field descriptions 8-8

IPS software

application list A-2

available files 23-1

configuring device parameters A-4

directory structure A-31

Linux OS A-1

new features A-3

obtaining 23-1

platform-dependent release examples 23-6

retrieving data A-4

security features A-4

tuning signatures A-4

updating A-4

user interaction A-4

versioning scheme 23-3

IPS software file names

major updates (illustration) 23-4

minor updates (illustration) 23-4

patch releases (illustration) 23-4

service packs (illustration) 23-4

IPS versions for IME 1-3

IPv4 target value rating

adding 8-19, 11-21

configuring 8-19, 11-21

deleting 8-19, 11-21

editing 8-19, 11-21

IPv4 Target Value Rating tab

configuring 8-19, 11-21

field descriptions 8-19, 11-20

IPv6

described B-28

SPAN ports 7-12

switches 7-12

IPv6 target value rating

adding 8-21, 11-23

configuring 8-21, 11-23

deleting 8-21, 11-23

editing 8-21, 11-23

IPv6 Target Value Rating tab

configuring 8-21, 11-23

field descriptions 8-20, 11-22

K

KBs

comparing 18-20

default filename 12-11

deleting 18-22

described 12-3

downloading 18-23

histogram 12-12, 18-16

initial baseline 12-3

learning accept mode 12-11

loading 18-21

monitoring 18-18

renaming 18-22

saving 18-22

scanner threshold 12-12, 18-16

tree structure 12-12, 18-16

uploading 18-24

Knowledge Base. See KB.

Known Host Keys pane

configuring 13-6

described 13-5

field descriptions 13-5

L

Learned OS pane

clearing 18-25

described 18-25

field descriptions 18-25

user roles 18-25

learned OS values

clearing 18-25

deleting 18-25

learning accept mode (anomaly detection) 12-3

Learning Accept Mode tab

configuring 12-13

described 12-11

field descriptions 12-12

user roles 12-11

license files

BSD license D-3

expat license D-12

GNU Lesser license D-22

GNU license D-17

licensing

described 17-14

IPS device serial number 17-14

trial key 17-14

Licensing gadgets

configuring 3-6

described 3-5

Licensing pane

configuring 17-16

described 17-14

field descriptions 17-15

user roles 17-13

limitations for concurrent CLI sessions 21-1

loading KBs 18-21

Logger

described A-2, A-18

functions A-18

syslog messages A-18

logging in

AIM IPS 21-4

AIP SSM 21-5

appliances 21-1

IDSM2 21-7

NME IPS 21-9

sensors

SSH 21-10

Telnet 21-10

terminal servers 21-2, 24-14

LOKI

described B-64

protocol B-64

loose connections and sensors C-25

M

MainApp

components A-5

described A-2, A-5

host statistics A-5

responsibilities A-5

show version command A-5

maintenance partition

configuring

IDSM2 (Catalyst software) 24-30

IDSM2 (Cisco IOS software) 24-34

described A-3

major updates described 23-3

Manage Filter Rules dialog box field descriptions 3-16

managing rate limiting 18-11

manual block to bogus host C-44

Master Blocking Sensor pane

configuring 14-26

described 14-25

field descriptions 14-26

master blocking sensors

described 14-25

not set up properly C-46

rate limiting 14-25

Master engine

alert frequency B-6

alert frequency parameters (table) B-6

described B-3

event actions B-7

general parameters (table) B-4

universal parameters B-4

master engine parameters

obsoletes B-6

promiscuous delta B-5

vulnerable OSes B-6

merging configuration files C-3

Meta engine

described 9-23, B-33

parameters (table) B-34

Signature Event Action Processor 9-23, B-33

Meta Event Generator described 8-33, 11-34

MIBs supported 15-6, C-21

minor updates described 23-3

Miscellaneous tab

configuring

application policy 9-39

IP fragment reassembly mode 9-43

IP logging 9-52

TCP stream reassembly mode 9-49

described 9-30

field descriptions 9-31

user roles 9-30

modes

anomaly detection detect 12-3

anomaly detection inactive 12-4

anomaly detection learning accept 12-3

bypass 7-26

CDP 7-29

inline interface pair 7-13

inline VLAN pair 7-13

promiscuous 7-11

VLAN Groups 7-14

modify packets inline modes 8-3

monitoring

events 18-3

KBs 18-18

moving

event action filters 11-18

OS maps 8-26, 11-28

Multi String engine

described B-34

parameters (table) B-35

Regex B-34

MySDN

described 9-5

IntelliShield site 9-5

MySQL database and IME 1-4

N

Neighborhood Discovery

Atomic IPv6 engine B-28

options B-29

types B-29

Network Blocks pane

configuring 18-9

described 18-8

field descriptions 18-9

Network pane

configuring 6-2

field descriptions 6-2

TLS/SSL 6-3

user roles 6-1

Network Security gadgets

configuring 3-7

described 3-7

network security health data reset 18-28

Network Timing Protocol. See NTP.

never block

hosts 14-8

networks 14-8

NME IPS

initializing 22-24

installing system image 24-39

logging in 21-9

reimaging 24-39

session command 21-8

sessioning 21-8, 21-9

setup command 22-24

time sources 6-7

Normalizer engine

AIP SSM B-37

ASA 5500 AIP SSM C-70

ASA 5500-X IPS SSP C-70

ASA 5585-X IPS SSP C-70

described B-36

IP fragment reassembly B-36

parameters (table) B-37

TCP stream reassembly B-36

Normalizer mode described 8-4

NotificationApp

alert information A-8

described A-3

functions A-8

SNMP gets A-8

SNMP traps A-8

statistics A-10

system health information A-9

NTP

authenticated 6-6, 6-7, 6-8, 6-14, C-18

configuration verification 6-8

configuring servers 6-13

described 6-6, C-18

incorrect configuration 6-8, C-19

sensor time source 6-12, 6-14

time synchronization 6-6, C-18

unauthenticated 6-6, 6-7, 6-8, 6-14, C-18

O

obsoletes field described B-6

obtaining

cryptographic account 23-2

IPS software 23-1

one-way TCP reset described 8-33, 11-35

Operation Settings tab

configuring 12-10

described 12-10

field descriptions 12-10

user roles 12-10

OS Identifications tab

configuring 8-26, 11-28

described 8-24, 11-24

field descriptions 8-25, 11-27

OS maps

adding 8-26, 11-28

deleting 8-26, 11-28

editing 8-26, 11-28

moving 8-26, 11-28

other actions (list) 11-9

Other Protocols tab

described 12-17, 12-24, 12-31

enabling other protocols 12-17

external zone 12-31

field descriptions 12-17, 12-31

illegal zone 12-24

P

P2P networks described B-48

partitions

application A-3

maintenance A-3

recovery A-3

passive OS fingerprinting

components 8-23

configuring 8-24, 11-26

described 8-22, 11-25

password policy caution 17-2, 17-3

password recovery

AIP SSC-5 17-6, C-10

AIP SSM 17-8, C-12

appliances 17-4, C-8

CLI 17-12, C-16

described 17-3, C-8

disabling 17-12, C-16

GRUB menu 17-4, C-8

IDSM2 17-10, C-14

IME 17-12

IPS 4240 17-5, C-9

IPS 4255 17-5, C-9

platforms 17-3, C-8

ROMMON 17-5, C-9

troubleshooting 17-12, C-17

verifying 17-13, C-17

Passwords pane

configuring 17-2

described 17-1

field descriptions 17-2

patch releases described 23-3

peacetime learning (anomaly detection) 12-3

Peer-to-Peer. See P2P.

physical connectivity issues C-33

physical interfaces configuration restrictions 7-8

ping IME device tools 2-5

platforms and concurrent CLI sessions 21-1

Post-Block ACLs 14-17, 14-18

Pre-Block ACLs 14-17, 14-18

prerequisites

blocking 14-5

IME 1-4

promiscuous delta

calculating risk rating 8-5, 11-3

described 8-5, 11-3

promiscuous delta described B-5

promiscuous mode

described 7-11

packet flow 7-11

SPAN ports 7-12

VACL capture 7-12

protocols

ARP B-13

CIDEE A-31

DCE 10-19, B-46

DDoS B-64

H.323 B-42

H225.0 B-42

ICMPv6 B-14

IDAPI A-29

IDCONF A-30

IDIOM A-29

IPv6 B-28

LOKI B-64

MSSQL B-47

Neighborhood Discovery B-28

Q.931 B-42

RPC 10-19, B-46

SDEE A-30

Signature Wizard 10-18

Q

Q.931 protocol

described B-42

SETUP messages B-42

quarantined IP address events described 16-2

R

rate limiting

ACLs 14-5

configuring 18-11

described 14-4

managing 18-11

percent values 18-10

routers 14-4

service policies 14-5

supported signatures 14-4

rate limiting devices

adding 14-15

deleting 14-15

editing 14-15

Rate Limits pane

configuring 18-11

described 18-10

field descriptions 18-10

RDEP event server deprecated A-21

rebooting the sensor 17-25

Reboot Sensor pane

configuring 17-25

described 17-25

user roles 17-25

recover command 24-11

recovering

AIP SSM C-69

application partition image 24-12

recovery partition

described A-3

upgrading 24-5

Regular Expression. See Regex.

regular expression syntax signatures B-9

reimaging

AIP SSM 24-25

appliances 24-11

described 24-1

IDSM2 24-28

IPS 4240 24-15

IPS 4255 24-15

IPS 4260 24-18

IPS 4270-20 24-20

NME IPS 24-39

sensors 23-7, 24-1

removing

last applied

service pack 24-11

signature update 24-11

renaming KBs 18-22

reports

configuring 20-2

described 20-1

generating 20-2

report types

Attacks Over Time 20-1

Top Attackers 20-1

Top Signatures 20-1

Top Victim 20-1

Reset Network Security Health pane

configuring 18-28

described 18-28

field descriptions 18-28

user roles 18-28

reset not occurring for a signature C-53

resetting

AIP SSM C-68

network security health data 18-28

passwords

ASDM 17-8, 17-10, C-12, C-14

hw-module command 17-6, 17-8, C-11, C-12

resetting the password

AIP SSC-5 17-7, C-11

AIP SSM 17-8, C-13

Restore Default Interface dialog box field descriptions 5-8

Restore Defaults pane

configuring 17-25

described 17-25

user roles 17-25

restoring

defaults 17-25

restoring the current configuration C-4, C-5

retiring signatures 9-12

risk categories

adding 8-32, 11-33

configuring 8-32, 11-33

deleting 8-32, 11-33

editing 8-32, 11-33

Risk Category tab

configuring 8-32, 11-33

described 8-31, 11-32

field descriptions 8-31, 11-33

risk rating

attack severity rating 8-4, 11-2

calculating 8-4, 11-2

described 8-4, 11-2, 11-25

evIdsAlert 8-4, 11-3

formula (illustration) 8-5, 11-4

passive OS fingerprinting 8-23

signature fidelity rating 8-4, 11-2

target value rating 8-4, 11-2

ROMMON

described 24-13

IPS 4240 24-15

IPS 4255 24-15

IPS 4260 24-18

IPS 4270-20 24-18, 24-20

password recovery 17-5, C-9

remote sensors 24-13

serial console port 24-13

TFTP 24-14

round-trip time. See RTT.

Router Blocking Device Interfaces pane

configuring 14-20

described 14-17

field descriptions 14-19

RPC portmapper 10-23, B-49

RSS Feed gadgets

configuring 3-9

described 3-9

RSS feeds

channels 4-2

configuring 4-2

described 4-1

formats 4-1

RTT

described 24-14

TFTP limitation 24-14

rules0 pane described 11-12

S

Save Knowledge Base dialog box

described 18-21

field descriptions 18-21

saving KBs 18-22

scheduling automatic upgrades 24-8

SDEE

described A-30

HTTP A-30

protocol A-30

server requests A-31

security

information on Cisco Security Intelligence Operations 23-9

information on MySDN 9-5

policies described 8-1

SSH 13-1

security policies

described 9-1, 11-1, 12-1

platform limitations 9-2, 12-8

sensing interfaces

described 7-3

interface cards 7-3

modes 7-3

SensorApp

6.2 new features A-24

Alarm Channel A-23

Analysis Engine A-23

described A-3

event action filtering A-24

inline packet processing A-23

IP normalization A-23

packet flow A-24

processors A-22

responsibilities A-21

risk rating A-24

Signature Event Action Processor A-22, A-25

signature updates 17-20

TCP normalization A-24

Sensor Health gadgets

configuring 3-5

described 3-4

Sensor Health pane

described 17-17

field descriptions 17-17

user roles 17-17

Sensor Information gadgets

configuring 3-4

described 3-3

Sensor Key pane

button functions 13-7

described 13-7

field descriptions 13-7

sensor SSH key

displaying 13-7

generating 13-7

user roles 13-7

sensors

access problems C-27

asymmetric traffic and disabling anomaly detection C-22

automatic software update 17-21

blocking themselves 14-8

configuring to use NTP 6-14

corrupted SensorApp configuration C-38

diagnostics reports 18-29

disaster recovery C-6

downgrading 24-11

incorrect NTP configuration 6-8, C-19

initializing 6-1, 22-1, 22-3

interface support 7-4

IP address conflicts C-30

license 17-16

logging in

SSH 21-10

Telnet 21-10

loose connections C-25

misconfigured access lists C-29

no alerts C-34, C-59

not seeing packets C-36

NTP time source 6-14

NTP time synchronization 6-6, C-18

partitions A-3

physical connectivity C-33

preventive maintenance C-2

process not running C-31

rebooting 17-25

recovering the system image 23-7

reimaging 23-7, 24-1

restoring defaults 17-25

sensing process not running C-31

setting up 6-1

setup command 22-1, 22-3, 22-7

shutting down 17-26

statistics 18-30

supported MIBs 15-6

system images 23-7

system information 18-31

time sources 6-6, C-18

troubleshooting software upgrades C-56

updating 17-23

upgrading 24-4

using NTP time source 6-12

Sensor Setup window

described 5-2

Startup Wizard 5-2

Server Certificate pane

button functions 13-11

certificate

displaying 13-11

generating 13-11

described 13-11

field descriptions 13-11

user roles 13-11

service account

bypass CLI A-27

creating C-6

described 6-17, A-28, C-5

TAC A-28

troubleshooting A-28

Service DNS engine

described B-38

parameters (table) B-39

Service engine

described B-38

Layer 5 traffic B-38

Service FTP engine

described B-40

parameters (table) B-40

PASV port spoof B-40

Service Generic engine

described B-40

parameters (table) B-41

Service H225 engine

ASN.1PER validation B-42

described B-42

features B-42

parameters (table) B-43

TPKT validation B-42

Service HTTP engine

custom signature 10-12

described 10-22, B-44

example signature 10-12

parameters (table) B-44

Service IDENT engine

described B-46

parameters (table) B-46

service-module ids-sensor slot/port session command 21-3, 21-8

Service MSRPC engine

DCE/RPC protocol 10-19, B-46

described 10-18, B-46

parameters (table) B-47

Service MSSQL engine

described B-47

MSSQL protocol B-47

parameters (table) B-48

Service NTP engine

described B-48

parameters (table) B-48

Service P2P engine described B-48

service packs described 23-3

Service RPC engine

described 10-23, B-49

parameters (table) 10-23, B-49

RPC portmapper 10-23, B-49

Service SMB Advanced engine

described B-50

parameters (table) B-50

Service SNMP engine

described B-52

parameters (table) B-52

Service SSH engine

described B-53

parameters (table) B-53

Service TNS engine

described B-53

parameters (table) B-54

session command

AIM IPS 21-4

AIP SSM 21-5

IDSM2 21-7

NME IPS 21-8

sessioning

AIM IPS 21-4

AIP SSM 21-5

IDSM2 21-7

NME IPS 21-9

setting

current KB 18-21

system clock 6-16

setting up

sensors 6-1

terminal servers 21-2, 24-14

setup

automatic 22-1

command 22-1, 22-3, 22-7, 22-12, 22-15, 22-19, 22-24

simplified mode 22-1

show events command C-89, C-90

show health command C-71

show interfaces command C-88

show module 1 details command C-68

show settings command 17-13, C-17

show statistics command C-78

show statistics virtual-sensor command C-26, C-78

show tech-support command C-72

show version command C-75, C-76

Shut Down Sensor pane

configuring 17-26

described 17-26

user roles 17-26

shutting down the sensor 17-26

sig0 pane

assigning actions to signatures 9-17

cloning signatures 9-15

configuring 9-12

default 9-3

described 9-3

field descriptions 9-6

tabs 9-3

tuning signatures 9-16

signature/virus update files described 23-4

signature definition policies

adding 9-3

cloning 9-3

default policy 9-2

deleting 9-3

sig0 9-2

Signature Definitions pane

described 9-2

field descriptions 9-2

signature engines

AIC B-10

Atomic B-13

Atomic ARP B-13

Atomic IP 10-20, B-24

Atomic IP Advanced B-14

Atomic IPv6 B-28

creating custom signatures 10-2

described B-1

event actions B-7

Fixed B-30

Flood B-32

Flood Host B-33

Flood Net B-33

list B-2

Master B-4

Meta 9-23, B-33

Multi String B-34

Normalizer B-36

Regex

patterns B-10

syntax B-9

Service B-38

Service DNS B-38

Service FTP B-40

Service Generic B-40

Service H225 B-42

Service HTTP 10-22, B-44

Service IDENT B-46

Service MSRPC 10-18, B-46

Service MSSQL B-47

Service NTP B-48

Service P2P B-48

Service RPC 10-23, B-49

Service SMB Advanced B-50

Service SNMP B-52

Service SSH B-53

Service TNS B-53

State 10-24, B-55

String 10-24, 10-25, 10-26, B-56

supported by IDM 10-3

Sweep 10-26

Sweep Other TCP B-61

Traffic Anomaly 12-6, B-62

Traffic ICMP B-64

Trojan B-64

signature engine update files described 23-4

Signature Event Action Filter

described 11-6, A-25

parameters 11-6, A-25

Signature Event Action Handler described 11-6, A-26

Signature Event Action Override described 11-6, A-25

Signature Event Action Processor

Alarm Channel 11-6, A-25

described 11-6, A-22, A-25

illustration 11-6, A-26

logical flow of events 11-6, A-26

Signature Event Action Filter 11-6, A-25

Signature Event Action Handler 11-6, A-25

Signature Event Action Override 11-6, A-25

signature fidelity rating

calculating risk rating 8-4, 11-3

described 8-4, 11-3

signatures

adding 9-13

alert frequency 9-20

assigning actions 9-17

cloning 9-15

custom 9-5

default 9-5

described 9-4

disabling 9-12

editing 9-16

enabling 9-12

false positives 9-4

no TCP reset C-53

rate limits 14-4

retiring 9-12

subsignatures 9-5

tuned 9-5

tuning 9-16

signature updates

installation time 17-19

SensorApp 17-20

signature variables

adding 9-29

deleting 9-29

described 9-28

editing 9-29

Signature Variables tab

configuring 9-29

described 9-28

field descriptions 9-28

Signature Wizard

alert behavior 10-28

Alert Response window field descriptions 10-28

Atomic IP Engine Parameters window field descriptions 10-21

described 10-1

ICMP Traffic Type window field descriptions 10-19

Inspect Data window field descriptions 10-19

MSRPC Engine Parameters window field descriptions 10-19

no signature engine sequence 10-4

protocols 10-18

Protocol Type window field descriptions 10-18

Service HTTP Engine Parameters window field descriptions 10-22

Service RPC Engine Parameters window field descriptions 10-23

Service Type window field descriptions 10-20

signature engine sequence 10-2

signature identification 10-18

Signature Identification window field descriptions 10-18

State Engine Parameters window field descriptions 10-24

String ICMP Engine Parameters window field descriptions 10-25

String TCP Engine Parameters window field descriptions 10-25

String UDP Engine Parameters window field descriptions 10-26

supported signature engines 10-3

Sweep Engine Parameters window field descriptions 10-27

TCP Sweep Type window field descriptions 10-20

TCP Traffic Type window field descriptions 10-20

UDP Sweep Type window field descriptions 10-20

UDP Traffic Type window field descriptions 10-19

user roles 10-1

using 10-5

Welcome window field descriptions 10-17

SNMP

configuring 15-3

described 15-1

Get 15-1

GetNext 15-1

Set 15-1

supported MIBs 15-6, C-21

Trap 15-1

SNMP General Configuration pane

configuring 15-3

described 15-2

field descriptions 15-2

user roles 15-2

SNMP traps

configuring 15-5

described 15-1

SNMP Traps Configuration pane

configuring 15-5

described 15-4

field descriptions 15-4

software architecture

ARC (illustration) A-12

IDAPI (illustration) A-29

software bypass

supported configurations 7-10

with hardware bypass 7-10

software downloads Cisco.com 23-1

software file names

recovery (illustration) 23-5

signature/virus updates (illustration) 23-4

signature engine updates (illustration) 23-5

system image (illustration) 23-5

software release examples

platform-dependent 23-6

platform identifiers 23-7

platform-independent 23-6

software updates

supported FTP servers 17-19, 24-2

supported HTTP/HTTPS servers 17-19, 24-2

UNIX-style listings 17-19

SPAN port issues C-33

SSH

described 13-1

security 13-1

SSH Server

private keys A-20

public keys A-20

standards

CIDEE A-31

IDCONF A-30

IDIOM A-29

SDEE A-30

Startup Wizard

access lists 5-3

adding virtual sensors 5-12

Add Virtual Sensor dialog box 5-12

described 5-1

Inline Interface Pairs window field descriptions 5-9

Inline VLAN Pairs window configuration 5-10

Interface Selection window 5-8

Interface Summary window 5-6

Sensor Setup window

configuring 5-4

described 5-2

field descriptions 5-2

Traffic Inspection Mode window 5-8

Virtual Sensors window

described 5-11

field descriptions 5-11

State engine

Cisco Login 10-24, B-55

described 10-24, B-55

LPR Format String 10-24, B-55

parameters (table) B-55

SMTP 10-24, B-55

statistics display 18-30

Statistics pane

button functions 18-30, 18-31

categories 18-30

described 18-30

user roles 18-29

using 18-30

String engine described 10-24, 10-26, B-56

String ICMP engine parameters (table) B-57

String TCP engine parameters (table) B-57

String UDP engine parameters (table) B-58

subinterface 0 described 7-14

subsignatures described 9-5

summarization

described 8-6, 11-5

Fire All 8-7, 11-5

Fire Once 8-7, 11-5

Global Summarization 8-7, 11-5

Meta engine 8-6, 11-5

Summary 8-7, 11-5

Summarizer described 8-33, 11-34

Summary pane

described 7-15

field descriptions 7-15

supported

IDSM2 minimum configurations C-62

IPS interfaces for CSA MC 16-4

platforms for IME 1-3

Sweep engine

described 10-26, B-59

parameters (table) B-60, B-61

Sweep Other TCP engine described B-61

switch commands for troubleshooting C-62

system architecture

directory structure A-31

supported platforms A-1

system clock setting 6-16

System Configuration Dialog

described 22-2

example 22-2

system design (illustration) A-2

system image

installing

IDSM2 (Cisco IOS software) 24-29

system images

installing

AIM IPS 24-22

AIP SSM 24-26

IDSM2 (Catalyst software) 24-28

IPS 4240 24-15

IPS 4255 24-15

IPS 4260 24-18

IPS 4270-20 24-20

NME IPS 24-39

sensors 23-7

system information display 18-31

System Information pane

described 18-30

user roles 18-30

using 18-31

system requirements (IME) 1-3

T

TAC

service account 6-17, A-28, C-5

show tech-support command C-72

target value rating

calculating risk rating 8-5, 11-3

described 8-5, 8-18, 8-20, 11-3, 11-20, 11-22

network assets 8-18, 8-20

TCP fragmentation described B-36

TCP Protocol tab

described 12-15, 12-22, 12-30

enabling TCP 12-15

external zone 12-30

field descriptions 12-15

illegal zone 12-22

TCP reset interfaces

conditions 7-7

described 7-6

list 7-7

TCP resets

IDSM2 port C-67

IDSM2 ports C-67

not occurring C-53

TCP stream reassembly

described 9-44

mode 9-49

parameters (table) 9-45

signatures (table) 9-45

terminal servers setup 21-2, 24-14

testing fail-over 7-10

TFN2K

described B-64

Trojans B-64

TFTP servers

maximum file size limitation 24-14

RTT 24-14

threat rating

described 8-6, 11-4

event actions 8-6, 11-4

Thresholds for KB Name window

described 18-17

field descriptions 18-18

filtering information 18-18

time

correcting on the sensor 6-12, C-20

sensors 6-6, C-18

synchronization and IPS modules 6-8, C-19

Time pane

configuring 6-10

described 6-6

field descriptions 6-9

user roles 6-6

time sources

AIM IPS 6-7

AIP SSM 6-7

appliances 6-6

IDSM2 6-6

NME IPS 6-7

TLS

described 6-3

handshaking 13-8

IDM 13-8

Top Applications gadgets

configuring 3-8

described 3-8

Top Attackers gadgets

configuring 3-10

described 3-9

Top Signatures gadgets

configuring 3-11

described 3-11

Top Victims gadgets

configuring 3-10

described 3-10

traceroute IME device tools 2-5

Traffic Anomaly engine

described 12-6, B-62

protocols 12-6, B-62

signatures 12-6, B-62

Traffic Flow Notifications pane

configuring 7-28

described 7-27

field descriptions 7-28

user roles 7-27

Traffic ICMP engine

DDoS B-64

described B-64

LOKI B-64

parameters (table) B-64

TFN2K B-64

Traffic Inspection Mode window described 5-8

trial license key 17-14

Tribe Flood Network. See TFN.

Tribe Flood Network 2000. See TFN2K.

Trojan engine

BO2K B-64

described B-64

TFN2K B-64

Trojans

BO B-64

BO2K B-64

LOKI B-64

TFN2K B-64

troubleshooting

AIP SSM

commands C-68

debugging C-69

recovering C-69

reset C-68

Analysis Engine busy C-58

applying software updates C-55

ARC

blocking not occurring for signature C-45

device access issues C-42

enabling SSH C-44

inactive state C-40

misconfigured master blocking sensor C-46

verifying device interfaces C-43

automatic updates C-55

cannot access sensor C-27

cidDump C-93

cidLog messages to syslog C-52

communication C-27

corrupted SensorApp configuration C-38

debug logger zone names (table) C-51

debug logging C-47

disaster recovery C-6

duplicate sensor IP addresses C-30

enabling debug logging C-47

external product interfaces 16-10, C-24

gathering information C-71

IDM cannot access sensor C-58

IDM will not load C-57

IDSM2

command and control port C-65

diagnosing problems C-61

not online C-64, C-65

serial cable C-67

status indicator C-63

switch commands C-62

IME time synchronization C-60

IPS modules time drift 6-8, C-19

manual block to bogus host C-44

misconfigured access list C-29

no alerts C-34, C-59

NTP C-53

password recovery 17-12, C-17

physical connectivity issues C-33

preventive maintenance C-2

reset not occurring for a signature C-53

sensing process not running C-31

sensor events C-89

sensor loose connections C-25

sensor not seeing packets C-36

sensor software upgrade C-56

service account 6-17, C-5

show events command C-89

show interfaces command C-88

show statistics command C-78

show tech-support command C-72, C-73

show version command C-75

software upgrades C-54

SPAN port issue C-33

upgrading to 6.x C-55

verifying Analysis Engine is running C-23

verifying ARC status C-39

Trusted Hosts pane

configuring 13-10

described 13-9

field descriptions 13-9

tuned signatures described 9-5

tuning

AIC signatures 9-40

IP fragment reassembly signatures 9-43

signatures 9-16

U

UDP Protocol tab

described 12-16, 12-23, 12-24, 12-31

enabling UDP 12-16

external zone 12-31

field descriptions 12-31

illegal zone 12-23, 12-24

unassigned VLAN groups described 7-14

unauthenticated NTP 6-6, 6-7, 6-8, 6-14, C-18

UNIX-style directory listings 17-19

Update Sensor pane

configuring 17-23

described 17-22

field descriptions 17-23

user roles 17-22

updating

Cisco.com 17-22

FTP server 17-22

sensors 17-23

upgrade command 24-3, 24-5

upgrading

maintenance partition

IDSM2 (Catalyst software) 24-38

IDSM2 (Cisco IOS software) 24-38

minimum required version 23-7

recovery partition 24-5, 24-11

sensors 24-4

to 6.2 23-7

uploading KBs

FTP 18-23

SCP 18-23

Upload Knowledge Base to Sensor dialog box

described 18-23

field descriptions 18-24

URLs for Cisco Security Intelligence Operations 23-9

Users pane

button functions 6-17

configuring 6-18

field descriptions 6-17

user roles A-27

using

debug logging C-47

IME event views 19-4

TCP reset interfaces 7-7

V

VACLs

described 14-3

Post-Block 14-22

Pre-Block 14-22

verifying

NTP configuration 6-8

password recovery 17-13, C-17

sensor initialization 22-27

sensor setup 22-27

video help described 1-2

viewing

IP logs 18-14

statistics 18-30

system information 18-31

virtual sensors

adding 5-12, 8-11

default virtual sensor 8-2, 8-7

deleting 8-11

described 8-2, 8-7

editing 8-11

stream segregation 8-3

Virtual Sensors window described 5-11

VLAN groups

802.1q encapsulation 7-15

configuration restrictions 7-9

configuring 7-25

deploying 7-24

described 7-14

switches 7-24

VLAN Groups pane

configuring 7-25

described 7-23

field descriptions 7-24

VLAN IDs 7-23

VLAN Pairs pane

configuring 7-22

described 7-21

field descriptions 7-21

vulnerable OSes field

described B-6

W

watch list rating

calculating risk rating 8-5, 11-3

described 8-5, 11-3

Web Server

described A-3, A-21

HTTP 1.0 and 1.1 support A-21

private keys A-20

public keys A-20

whois IME device tools 2-5

worms

Blaster 12-2

Code Red 12-2

histograms 12-12, 18-16

Nimda 12-2

protocols 12-2

Sasser 12-2

scanners 12-2

Slammer 12-2

SQL Slammer 12-2

Z

zones

external 12-4

illegal 12-4

internal 12-4