Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface 7.0
Index

Table Of Contents

Numerics - A - B - C - D - E - F - G - H - I - K - L - M - N - O - P - Q - R - S - T - U - V - W - Z

Index

Numerics

4GE bypass interface card

configuration restrictions 6-9

described 6-8

802.1q encapsulation for VLAN groups 6-27

A

accessing IPS software 22-2

access-list command 4-5

access lists

changing 4-5

configuring 4-5

misconfiguration C-26

account locking

configuring 4-20

security 4-20

ACLs

described 14-2

Post-Block 14-22, 14-23

Pre-Block 14-22, 14-23

active update bulletins 22-9

adaptive security appliance

sending IPS traffic (AIP-SSM) 19-9

traffic inpsection modes (AIP-SSM) 19-9

adding

denied attackers 7-36

event action overrides 7-17

external product interfaces 11-6

global parameters 5-10

hosts to the SSH known hosts list 4-41, 4-42

login banners 4-8

signature variables 8-4

target value rating 7-14

trusted hosts 4-46

users 4-13, 4-14, 4-17, 4-18

virtual sensors 5-5, 5-7, 19-4

Address Resolution Protocol see ARP

administrator role privileges 1-3

AIC engine

AIC FTP B-8

AIC FTP engine parameters (table) B-9

AIC HTTP B-8

AIC HTTP engine parameters (table) B-9

described B-8

features B-8

signature categories 8-17

AIC policy enforcement

default configuration 8-18, B-8

described 8-18, B-8

sensor oversubscription 8-18, B-8

AIM-IPS

configuration sequence 18-1

configuring interfaces 18-5, 18-7, 18-9, 18-11, 18-13

displaying status 18-16, 21-10

initializing 3-13

installing system image 23-23

interfaces described 18-3

interface sequence 18-4

logging in 2-5, 18-15

NAT 18-5

RBCP 18-18

rebooting 18-18

resetting 18-18

resetting heartbeat 18-17

session command 2-5, 18-15

sessioning 2-4, 2-5, 18-14, 18-15

setup command 3-13

shutting down 18-18

time sources 4-29, C-15

verifying installation 18-2

AIP-SSM

assigning virtual sensors 19-6

bypass mode 19-10

configuration tasks 19-1

creating virtual sensors 19-4

fail-open mode 19-9

fail-over mode 19-9

hw-module module 1 recover configure 19-12

hw-module module slot_number password-reset 19-11

hw-module module slot_number recover boot 19-11

hw-module module slot_number recover stop 19-11

hw-module module slot_number reload 19-11

hw-module module slot_number reset 19-11

hw-module module slot_number shutdown 19-11

initializing 3-16

inline mode 19-9

installing system image 23-26

interfaces 19-3

logging in 2-6

password recovery 4-25, 17-5, C-10

promiscuous mode 19-9

receiving IPS traffic 19-9

recovering C-66

reimaging 23-26

resetting C-66

session command 2-6

setup command 3-16

show context 19-6

show ips command 19-6

show module command 19-2

task sequence 19-1

time sources 4-29, C-15

verifying initialization 19-2

virtual sensors

assigning policies 19-4

assigning the interface 19-4

assigning to security context 19-5

configuration sequence 19-3

Alarm Channel described 7-2, A-26

alert and log actions (list) 7-4

alert-frequency

command 8-7

modes B-5

alert-severity

command 8-9

configuring 8-9

allocate-ips command 19-3

allow-sensor-block command 14-8

alternate TCP reset interface 6-10

Analysis Engine

described 5-1

error messages C-23

IDM exits C-56

verify it is running C-20

virtual sensors 5-1

anomaly detection

asymmetric traffic 9-2

caution 9-2

configuration sequence 9-5

default configuration (example) 9-4

described 9-2

detect mode 9-4

disabling 9-48, C-19

event actions 9-6, B-58

inactive mode 9-4

learning accept mode 9-3

learning process 9-3

limiting false positives 9-37

protocols 9-3

signatures (table) 9-7, B-59

worms

attacks 9-37

described 9-3

zones 9-4

anomaly-detection load command 9-41

anomaly detection operational settings

configuring 9-10

described 9-10

anomaly detection policies

copying 9-8

creating 9-8

deleting 9-8

displaying 9-8

editing 9-8

lists 17-24

anomaly-detection save command 9-41

anomaly detection statistics

clearing 9-47

displaying 9-47

anomaly detection zones

external 9-28

illegal 9-20

internal 9-11

appliances

application partition image 23-12

GRUB menu 4-22, 17-3, C-8

initializing 3-8

logging in 2-2

password recovery 4-22, 17-3, C-8

resetting 17-38

terminal servers

described 2-3, 23-14

setting up 2-3, 23-14

time sources 4-28, C-14

UDLD protocol 6-26

upgrading recovery partition 23-5

Application Inspection and Control see AIC

application partition

described A-4

image recovery 23-12

application-policy

command 8-18

configuring 8-19

application policy enforcement

described 8-18, B-8

disabled (default) 8-18

applications in XML format A-3

applying software updates C-53

ARC

ACLs 14-22, A-14

authentication A-15

blocking

application 14-1

connection-based A-17

not occurring for signature C-42

unconditional blocking A-17

block response A-13

Catalyst 6000 series switch

VACL commands A-19

VACLs A-19

Catalyst switches

VACLs A-16

VLANs A-16

checking status 14-3, 14-4

described A-3

design 14-2

device access issues C-39

enabling SSH C-42

features A-14

firewalls

AAA A-18

connection blocking A-18

NAT A-18

network blocking A-18

postblock ACL A-16

preblock ACL A-16

shun command A-18

TACACS+ A-18

formerly Network Access Controller 14-1, 14-3

functions 14-1, A-12

illustration A-13

inactive state C-37

interfaces A-14

maintaining states A-16

master blocking sensors A-14

maximum blocks 14-2

misconfigured master blocking sensor C-43

nac.shun.txt file A-16

NAT addressing A-15

number of blocks A-15

postblock ACL A-16

preblock ACL A-16

prerequisites 14-5

rate limiting 14-4

responsibilities A-13

single point of control A-15

SSH A-14

supported devices 14-6, A-15

Telnet A-14

troubleshooting C-36

VACLs A-14

verifying device interfaces C-41

verifying status C-36

ARP

Layer 2 signatures B-10

protocol B-10

ARP spoof tools

dsniff B-10

ettercap B-10

assigning interfaces

virtual sensors 5-4

virtual sensors (AIP-SSM) 19-4

assigning policies

virtual sensors 5-4

virtual sensors (AIP-SSM) 19-4

asymmetric traffic

anomaly detection scanners 9-2

disabling anomaly detection 9-48, C-19

Atomic ARP engine

described B-10

parameters (table) B-10

Atomic IP Advanced engine

described B-11

restrictions B-12

Atomic IP engine

described B-21

parameters (table) B-21

Atomic IPv6 engine

described B-24

Neighborhood Discovery protocol B-24

signatures B-24

signatures (table) B-25

attack relevance rating

calculating risk rating 7-13

described 7-13, 7-25

Attack Response Controller

described A-3

formerly known as Network Access Controller A-3

See ARC

attack severity rating

calculating risk rating 7-12

described 7-12

attemptLimit command 4-20

Audit mode described 10-8

authenticated NTP 4-28, 4-29, 4-30, 4-39, C-14, C-15

AuthenticationApp

authenticating users A-21

described A-3

login attempt limit A-20

method A-20

responsibilities A-20

secure communications A-21

sensor configuration A-20

authorized keys

defining 4-43

RSA authentication 4-43

automatic setup 3-1

automatic upgrade

examples 23-10

information required 23-6

troubleshooting C-53

autonegotiation for hardware bypass 6-9

auto-upgrade-option command 23-6

B

backing up

configuration 16-23, C-2

current configuration 16-22, C-4

BackOrifice 2000 see BO2K

BackOrifice see BO

backup-config command 16-19

banner login command 17-14

basic setup 3-4

block connection command 14-34

block-enable command 14-9

block hosts command 14-32

blocking

addresses never to block 14-19

block time 14-13

connection 14-34

described 14-1

disabling 14-10

hosts 14-32

list of blocked hosts 14-35

managing firewalls 14-28

managing routers 14-24

managing switches 14-27

master blocking sensor 14-29

maximum entries 14-11

necessary information 14-3

not occurring for signature C-42

prerequisites 14-5

properties 14-7

sensor block itself 14-8

show statistics 14-35

supported devices 14-6

types 14-2

user profiles 14-20

block network command 14-33

BO

described B-61

Trojans B-61

BO2K

described B-61

Trojans B-61

bypass mode

AIP-SSM 19-10

configuring 6-35

described 6-34

bypass-option command 6-35

C

calculating risk rating

attack relevance rating 7-13

attack severity rating 7-12

promiscuous delta 7-13

signature fidelity rating 7-12

target value rating 7-12

watch list rating 7-13

cannot access sensor C-24

capturing live traffic 13-5

Catalyst software

command and control access 20-5

IDSM-2

command and control access 20-5

configuring VACLs 20-14

enabling full memory tests 20-40

enabling SPAN 20-11

mls ip ids command 20-17, 20-18

resetting 20-41

set span command 20-10

supervisor engine commands

supported 20-43

unsupported 20-44

caution for clearing databases 17-8

certificates IDM 4-45

changing

access lists 4-5

FTP timeout 4-7

host IP address 4-3

hostname 4-2

passwords 4-16

privilege 4-17

Web server settings 4-12

cidDump obtaining information C-91

CIDEE

defined A-34

example A-34

IPS extensions A-34

protocol A-34

supported IPS events A-34

cisco

default password 2-2

default username 2-2

Cisco.com

accessing software 22-2

Active Update Bulletins 22-9

downloading software 22-2

IPS software 22-1, 22-2

software downloads 22-2

Cisco IOS software

command and control access 20-6

configuration commands 20-46

EXEC commands 20-45

IDSM-2

command and control access 20-6

configuring VACLs 20-16

enabling full memory tests 20-40

enabling SPAN 20-12

mls ip ids command 20-18

resetting 20-42

rate limiting 14-4

SPAN options 20-12

Cisco IPS software files 23-2

cisco-security-agents-mc-settings command 11-5

Cisco Security Center

described 22-11

URL 22-11

Cisco Services for IPS

service contract 4-49, 22-12

supported products 4-49, 22-12

clear database command 17-8

clear denied-attackers command 7-36, 17-22

clear events command 4-30, 7-41, 17-20, C-17, C-90

clearing

anomaly detection statistics 9-47

denied attackers statistics 7-37, 17-22

events 7-41, 17-20, C-90

OS IDs 7-31

sensor database caution 17-8

sensor databases 17-9

statistics 17-25, C-76

clear line command 17-15

clear os-identification command 7-31

clear password command 4-24, 4-26, 17-4, 17-6, C-9, C-11

CLI

command line editing 1-6

command modes 1-7

default keywords 1-11

described A-3, A-30

error messages D-1

generic commands 1-10

guide introduction 1-1

regular expression syntax 1-8

CLI behavior 1-5

case sensitivity 1-6

display options 1-6

help 1-5

prompts 1-5

recall 1-5

tab completion 1-5

client manifest described A-29

clock set command 4-32, 17-21

CollaborationApp described A-3, A-28

command and control access

Catalyst software 20-5

Cisco IOS software 20-6

described 20-5

command and control interface

described 6-2

list 6-3

command line editing (table) 1-6

command modes

anomaly detection configuration 1-8

described 1-7

event action rules configuration 1-8

EXEC 1-7

global configuration 1-7

privileged EXEC 1-7

service mode configuration 1-7

signature definition configuration 1-8

commands

access-list 4-5

alert-frequency 8-7

alert-severity 8-9

allocate-ips 19-3

allow-sensor-block 14-8

anomaly-detection load 9-41

anomaly-detection save 9-41

application-policy 8-18

attemptLimit 4-20

auto-upgrade-option 23-6

backup-config 16-19

banner login 17-14

block connection 14-34

block-enable 14-9

block hosts 14-32

block network 14-33

bypass-option 6-35

cisco-security-agents-mc-settings 11-5

clear database 17-8

clear denied-attackers 7-36, 17-22

clear events 4-30, 7-41, 17-20, C-17, C-90

clear line 17-15

clear os-identification 7-31

clear password 4-24, 4-26, 17-4, 17-6, C-9, C-11

clock set 4-32, 17-21

copy ad-knowledge-base 9-41

copy anomaly-detection 9-8

copy backup-config 16-21, C-3

copy current-config 16-21, C-3

copy event-action-rules 7-7

copy iplog 12-6

copy license-key 4-51, 22-15

copy packet-file 13-6

copy signature-definition 8-1

current-config 16-19

debug module-boot C-66

default service anomaly-detection 9-8

default service event-action-rules 7-7

default service signature-definition 8-2

deny attacker 7-35

downgrade 23-11

enable-acl-logging 14-14

enable-detail-traps 15-4

enable-nvram-write 14-15

erase 16-23

erase ad-knowledge-base 9-42

erase packet-file 13-7

event-action 8-15

event-action-rules-configurations 17-24

event-counter 8-10

external-zone 9-28

filters 7-20

fragment-reassembly 8-30

ftp-timeout 4-7

global-block-timeout 7-33, 14-13

global-deny-timeout 7-33

global-filters-status 7-33

global-metaevent-status 7-34

global-overrides-status 7-34

global-parameters 5-10

global-summarization 7-34

health-monitor 10-7, 17-10

host-ip 4-3

host-name 4-2

hw-module module 1 recover configure 19-12

hw-module module 1 reset C-66

hw-module module slot_number password-reset 4-25, 17-5, 19-11, C-10

hw-module module slot_number recover boot 19-11

hw-module module slot_number recover stop 19-11

hw-module module slot_number reload 19-11

hw-module module slot_number reset 19-11

hw-module module slot_number shutdown 19-11

ignore 9-10

illegal-zone 9-20

inline-interfaces 6-17

interface GigabitEthernet 18-21, 21-15

interface IDS-Sensor 18-19, 21-13

interface-notifications 6-36

internal-zone 9-12

ip-access-list 20-15

ip-log 8-38

iplog 12-3

ip-log-bytes 12-2

ip-log-packets 12-2

iplog-status 12-4

ip-log-time 12-2

ipv6-target-value 7-14

learning-accept-mode 9-37

list anomaly-detection-configurations 9-8, 17-24

list event-action-rules-configurations 7-7

list signature-definition-configurations 8-1

log-all-block-events-and-errors 14-16

login-banner-text 4-8

max-block-entries 14-11

max-denied-attackers 7-34

max-interfaces 14-17

mls ip ids 20-17, 20-18

more 16-19

more current-config 16-1

never-block-hosts 14-19

never-block-networks 14-19

no iplog 12-5

no ipv6-target-value 7-14

no service anomaly-detection 9-8

no service event-action-rules 7-7

no service signature-definition 8-2

no target-value 7-14

no variables 7-10

os-identifications 7-27

other 9-18, 9-26, 9-34

overrides 7-16

packet capture 13-4

packet-display 13-2

password 4-13, 4-16

physical-interfaces 6-12, 6-21, 6-28

ping 17-37

privilege 4-13, 4-17

rename ad-knowledge-base 9-42

reset 17-38

service anomaly-detection 9-8

service event-action-rules 7-7

service-module IDS-Sensor 18-22, 21-16

service-module ids-sensor slot/port 18-18, 21-12

service-module ids-sensor slot/port heartbeat reset 18-17, 21-11

service-module ids-sensor slot/port status 18-16, 21-10

service signature-definition 8-1

session 2-5, 2-9, 18-15, 21-9

set security acl 20-14

set span 20-10

setup 3-1, 3-4, 3-8, 3-13, 3-16, 3-20, 3-24

show ad-knowledge-base diff 9-43, 9-45

show ad-knowledge-base files 9-40, 9-41

show clock 4-31, 17-20

show configuration 16-1

show context 19-6

show events 7-38, 17-17, C-88

show health 10-8, 17-14, C-69

show history 17-39

show interfaces 6-37

show inventory 17-39, 18-2, 21-2

show ips 19-6

show module 19-2

show os-identification 7-31

show settings 4-27, 16-3, 16-18, 17-8, 17-41, C-13

show statistics 14-35, 17-24, C-76

show statistics anomaly-detection 9-47

show statistics denied-attackers 7-36, 17-22

show statistics virtual-sensor 17-24, C-23, C-76

show tech-support 17-34, C-70

show users 4-18

show version 17-35, C-73

sig-fidelity-rating 8-11, 8-13

signature-definition-configurations 17-24

snmp-agent-port 15-2

snmp-agent-protocol 15-2

ssh authorized-key 4-43

ssh-generate-key 4-44

ssh host-key 4-41

status 8-12

stream-reassembly 8-37

subinterface-type 6-22, 6-29

summertime-option non-recurring 4-35

summertime-option recurring 4-32

target-value 7-14

tcp 9-13, 9-21, 9-29

telnet-option 4-4

terminal 17-16

time-zone-settings 4-36

tls generate-key 4-47

tls trusted-host 4-46

trace 17-40

trap-community-name 15-4

trap-destinations 15-4

udp 9-15, 9-24, 9-32

upgrade 23-3, 23-5

username 4-13

user-profile 14-20

variables 7-10, 8-4

virtual-sensor name 5-4, 19-4

worm-timeout 9-10

comparing KBs 9-44

component signatures

Meta signatures B-30

risk rating B-30

configuration files

backing up 16-23, C-2

merging 16-23, C-2

configuration restrictions

alternate TCP reset interface 6-10

inline interface pairs 6-10

inline VLAN pairs 6-10

interfaces 6-9

physical interfaces 6-9

VLAN groups 6-10

configuration sequence

AIM-IPS 18-1

AIP-SSM 19-1

NME-IPS 21-1

configured OS mapping (example) 7-27

configuring

access lists 4-5

account locking 4-20

ACL logging 14-14

alert frequency parameters 8-8

alert severity 8-9

anomaly detection operational settings 9-10

application policy 8-19, 8-27

automatic IP logging 12-2

automatic upgrades 23-8

blocking

firewalls 14-28

routers 14-24

switches 14-27

time 14-13

bypass mode 6-35

connection blocking 14-34

CSA MC IPS interfaces 11-4

DNS servers 4-10

event action filters 7-21

event actions 8-16

event counter 8-10

external zone 9-29

ftp-timeout 4-7

global correlation 10-9

health statistics 17-11

host blocks 14-32

host IP address 4-3

hostname 4-2

hosts never to block 14-19

HTTP Proxy servers 4-10

illegal zone 9-20

inline interface pairs 6-17

inline VLAN groups 6-29

inline VLAN pairs 6-22

interfaces

AIM-IPS 18-5, 18-7, 18-9, 18-11, 18-13

NME-IPS 21-7

interface sequence 6-11

internal zone 9-12

IP fragment reassembly 8-31

IP fragment reassembly parameters 8-30, 8-36

IP logging 8-39

learning accept mode 9-38

logging all blocking events and errors 14-16

logical devices 14-20

login-banner-text 4-8

maintenance partition

IDSM-2 (Catalyst software) 23-31

IDSM-2 (Cisco IOS software) 23-35

manual IP logging 12-3

master blocking sensor 14-30

maximum

block entries 14-12

blocking interfaces 14-18

denied attackers 7-34

meta event generator 7-34

network blocks 14-33

network participation 10-11

networks never to block 14-19

NTP servers 4-38

NVRAM write 14-15

OS maps 7-28

other protocols

external zone 9-35

illegal zone 9-26

internal zone 9-18

password policy 4-19

passwords 4-16

privilege 4-17

promiscuous mode 6-13

sensor sequence 1-1

sensor to block itself 14-8

sensor to use NTP 4-39

signature fidelity rating 8-11

status 8-12

summarizer 7-34

summertime

non-recurring 4-35

recurring 4-32

TCP

external zone 9-30

illegal zone 9-21

internal zone 9-13

stream reassembly 8-38

telnet-option 4-4

time zone settings 4-36

traffic flow notifications 6-36

UDLD protocol 6-26

UDP

external zone 9-32

illegal zone 9-24

internal zone 9-15

upgrades 23-4

user profiles 14-21

vulnerable OSes 8-14

Web Server settings 4-11

control transactions

characteristics A-9

request types A-8

copy ad-knowledge-base command 9-41

copy anomaly-detection command 9-8

copy backup-config command 16-21, C-3

copy command syntax 9-42

copy current-config command 16-21, C-3

copy event-action-rules command 7-7

copying

anomaly detection policies 9-8

event action rules policies 7-7

IP log files 12-7

KBs 9-41, 9-42

packet files 13-7

signature definition policies 8-2

copy iplog command 12-6

copy license-key command 4-51, 22-15

copy packet-file command 13-6

copy signature-definition command 8-1

correcting time on the sensor 4-30, C-17

creating

anomaly detection policies 9-8

Atomic IP Advanced signatures 8-50

banner logins 17-14

custom signatures 8-40

event action rules policies 7-7

event action variables 7-10

global parameters 5-10

Meta signatures 8-48

OS maps 7-28

Post-Block VACLs 14-26

Pre-Block VACLs 14-26

service account 4-16, C-5

service HTTP signatures 8-45

signature definition policies 8-2

string TCP signatures 8-42

user profiles 14-20

virtual sensors 5-5, 5-7

CSA MC

configuring IPS interfaces 11-4

host posture events 11-1, 11-4

quarantined IP address events 11-1

supported IPS interfaces 11-4

CtlTransSource

described A-3, A-11

illustration A-12

Ctrl-N 1-5

Ctrl-P 1-5

current-config command 16-19

current configuration back up 16-23, C-2

custom signatures

Atomic IP Advanced signature 8-50

configuration sequence 8-40

described 8-4

Meta signature 8-48

service HTTP example 8-45

String TCP 8-40

D

data ports restore defaults 20-28

data structures (examples) A-8

DDoS

protocols B-60

Stacheldraht B-60

TFN B-60

debug logging enable C-45

debug-module-boot command C-66

default

blocking time 14-13

keywords 1-11

password 2-2

username 2-2

virtual sensor vs0 5-2

default service anomaly-detection command 9-8

default service event-action-rules command 7-7

default service signature-definition command 8-2

defining authorized keys 4-43

deleting

anomaly detection policies 9-8

denied attackers list 7-37, 17-22

event action rules policies 7-7

event action variables 7-10

inline interface pairs 6-20

inline VLAN pairs 6-25

OS maps 7-30

signature definition policies 8-2

signature variables 8-4

target value rating 7-14

VLAN groups 6-33

Denial of Service see DoS

denied attackers adding 7-36

deny actions (list) 7-5

deny attacker command 7-35

detect mode (anomaly detection) 9-4

device access issues C-39

diagnosing network connectivity 17-37

disabling

anomaly detection 9-48, C-19

blocking 14-10

ECLB (Cisco IOS software) 20-36

global correlation 10-12

password recovery 4-27, 17-7, C-12

signatures 8-12

Telnet 4-4

disaster recovery C-6

displaying

AIM-IPS status 18-16, 21-10

anomaly detection policies 9-8

anomaly detection policy lists 17-24

anomaly detections tatistics 9-47

contents of logical file 16-20

current configuration 16-1

current submode configuration 16-3

event action rules policies 7-7

event actions rules lists 17-24

events 7-39, 17-18, C-89

health status 17-14, C-69

interface statistics 6-37

IP log contents 12-5

KB files 9-40

KB thresholds 9-45

live traffic 13-3

OS IDs 7-31

password recovery setting 4-27, 17-8, C-13

PEP information 17-40

policy lists 17-24

signature definition lists 17-24

statistics 17-25, C-76

submode settings 17-41

system clock 4-31, 17-20

tech support information 17-34, C-70

version 17-35, C-73

Distributed Denial of Service see DDoS

DNS server configuration 4-10

DoS tools B-5

downgrade command 23-11

downgrading sensors 23-11

downloading software 22-2

duplicate IP addresses C-27

E

ECLB

described 20-25

disabling (Cisco IOS software) 20-36

options 20-28

promiscuous mode 20-28

requirements 20-28

sensing modes 20-25

editing

anomaly detection policies 9-8

event action rules policies 7-7

event action variables 7-10

signature definition policies 8-2

signature variables 8-4

target value rating 7-14

efficacy

described 10-4

measurements 10-4

enable-acl-logging command 14-14

enable-detail-traps command 15-4

enable-nvram-write command 14-15

enabling

debug logging C-45

full memory tests

Catalyst software 20-40

Cisco IOS software 20-40

signatures 8-12

SPAN

Catalyst software 20-11

Cisco IOS software 20-12

Telnet 4-4

Encryption Software Export Distribution Authorization 22-2

engines

AIC 8-17, B-8

Fixed B-26

Flood B-28

Master B-4

Meta 8-46, B-29

Multi String B-31

Normalizer B-33

Service DNS B-35

Service FTP B-36

Service Generic B-37

Service H225 B-38

Service HTTP 8-43, B-41

Service IDENT B-43

Service MSRPC B-43

Service MSSQL B-44

Service NTP B-45

Service P2P B-45

Service RPC B-46

Service SMB B-49

Service SMB Advanced B-47

Service SSH B-50

Service TNS B-50

State B-51

String 8-40, B-53

Sweep B-56

Sweep Other TCP B-57

Traffic ICMP B-60

Trojan B-61

erase ad-knowledge-base command 9-42

erase command 16-23

erase packet-file command 13-7

erasing

current configuration 16-24

KBs 9-41, 9-42

packet files 13-7

error messages

described D-1

validation D-5

EtherChannel Load Balancing see ECLB

evAlert A-9

event-action command 8-15

event action filters

described 7-19

using variables 7-20

event action overrides

described 7-16

risk rating range 7-16

event action rules

described 7-2

functions 7-2

list display 17-24

task list 7-6

event action rules policies

copying 7-7

creating 7-7

deleting 7-7

displaying 7-7

editing 7-7

event actions

configuring 8-16

threat rating 7-13

event-counter

command 8-10

configuring 8-10

events

displaying 7-39, 17-18, C-89

host posture 11-2

quarantined IP address 11-2

Event Store

clearing events 4-30, C-17

data structures A-8

described A-3

examples A-7

responsibilities A-7

timestamp A-7

event types C-87

event variables

described 7-9

example 7-9

evError A-9

evLogTransaction A-9

evShunRqst A-9

evStatus A-9

external product interfaces

adding 11-6

described 11-1

issues 11-3, C-21

troubleshooting 11-8, C-21

external zone

configuring 9-29

configuring other protocols 9-35

configuring TCP 9-30

configuring UDP 9-32

described 9-28

protocols 9-28

external-zone command 9-28

F

fail-over testing 6-8

false positives described 8-3

files

Cisco IPS 23-2

IDSM-2 password recovery 4-25, 17-6, C-11

filtering

more command 16-16

submode configuration 16-18

filters command 7-20

finding the serial number 18-2, 21-2

Fixed engine described B-26

Fixed ICMP engine parameters (table) B-26

Fixed TCP engine parameters (table) B-27

Fixed UDP engine parameters (table) B-27

Flood engine described B-28

Flood Host engine parameters (table) B-28

Flood Net engine parameters (table) B-29

fragment-reassembly command 8-30

FTP servers supported 23-2

FTP timeout

configuring 4-7

described 4-7

ftp-timeout command 4-7

G

general settings described 7-33

General tab described 7-33

generating

SSH Server host key 4-44

TLS certificate 4-48

generic commands 1-10

global-block-timeout command 7-33, 14-13

global correlation

described 10-1, 10-2, A-4

DNS server 4-10, 10-6

error messages A-29

features 10-5

goals 10-5

health metrics 10-7

HTTP Proxy server 4-10, 10-6

IPv6 support 7-9, 7-10, 7-14, 7-19, 7-20, 10-6

license 3-4, 10-6, 10-8

options 10-9, 10-12

Produce Alert 7-5, 10-5, B-6

requirements 10-6

troubleshooting 10-13, C-18

update client (illustration) 10-8

global-deny-timeout command 7-33

global-filters-status command 7-33

global-metaevent-status command 7-34

global-overrides-status command 7-34

global parameters

adding 5-10

creating 5-10

maximum open IP logs 5-10

options 5-10

global-parameters command 5-10

global-summarization command 7-34

GRUB menu password recovery 4-22, 17-3, C-8

H

H.225.0 protocol B-38

H.323 protocol B-38

hardware bypass

autonegotiation 6-9

configuration restrictions 6-9

fail-over 6-8

IPS 4270-20 6-8

supported configurations 6-8

with software bypass 6-8

health-monitor command 10-7, 17-10

health statistics configure 17-11

help

question mark 1-5

using 1-5

host blocks configure 14-32

host IP address

changing 4-3

configuring 4-3

host-ip command 4-3

hostname

changing 4-2

configuring 4-2

host-name command 4-2

host posture events

CSA MC 11-4

described 11-2

HTTP/HTTPS servers 23-2

HTTP deobfuscation

ASCII normalization 8-43, B-41

described 8-43, B-41

HTTP Proxy server configuration 4-10

hw-module module 1 recover configure command 19-12

hw-module module 1 reset command C-66

hw-module module slot_number password-reset command 4-25, 17-5, 19-11, C-10

hw-module module slot_number recover boot command 19-11

hw-module module slot_number recover stop command 19-11

hw-module module slot_number reload command 19-11

hw-module module slot_number reset command 19-11

hw-module module slot_number shutdown command 19-11

I

IDAPI

communications A-3, A-32

described A-3

functions A-32

illustration A-32

responsibilities A-32

IDCONF

described A-33

example A-33

RDEP2 A-33

XML A-33

IDIOM

defined A-32

messages A-32

IDM

Analysis Engine is busy C-56

certificates 4-45

TLS 4-45

will not load C-55

IDSM-2

administrative tasks 20-39

capturing IPS traffic

mls ip id command 20-17

SPAN 20-10

Catalyst software

command and control access 20-5

inline mode 20-20

inline VLAN pair mode 20-22

Cisco IOS software

command and control access 20-6

inline mode 20-20

inline VLAN pair mode 20-23

command and control access 20-6

command and control port 20-9, C-63

configuration tasks 20-1

configuring

command and control access 20-5

ECLB 20-29, 20-31, 20-33

ECLB inline mode 20-27

ECLB inline VLAN pair mode 20-26

ECLB promiscuous mode 20-26

inline mode 20-20

inline VLAN pair mode (Catalyst software) 20-22

inline VLAN pair mode (Cisco IOS software) 20-23

load balancing 20-29, 20-31, 20-33

maintenance partition (Catalyst software) 23-31

maintenance partition (Cisco IOS software) 23-35

mls ip ids command 20-18

sequence 20-1

SPAN 20-10

tasks 20-1

configuring VACLs

Catalyst software 20-14

Cisco IOS software 20-16

disabling

ECLB (Catalyst software) 20-36

ECLB (Cisco IOS software) 20-36

ECLB

disabling (Catalyst software) 20-36

disabling (Cisco IOS software) 20-36

requirements 20-28

verifying (Catalyst software) 20-37

verifying (Cisco IOS software) 20-38

enabling full memory tests

Catalyst software 20-40

Cisco IOS software 20-40

initializing 3-20

inline mode

Catalyst software 20-20

Cisco IOS software 20-20

described 20-8, 20-19

requirements (Catalyst software) 20-19, 20-22

inline VLAN pair mode 20-8

Catalyst software 20-22

Cisco IOS software 20-23

described 20-22

installing

system image (Catalyst software) 23-28

system image (Cisco IOS software) 23-29

logging in 2-7

mixing sensing modes 20-8

mls ip ids command

Catalyst software 20-17

Cisco IOS software 20-18

described 20-9

monitoring ports 20-9

password recovery 4-25, 17-6, C-11

password recovery image file 4-25, 17-6, C-11

promiscuous mode 20-8, 20-9

reimaging 23-28

resetting

Catalyst software 20-41

Cisco IOS software 20-42

described 20-41

restoring data port defaults 20-28

sensing ports 20-14

sessioning 2-7

set span command 20-10

setup command 3-20

supported configurations 20-4, C-60

supported supervisor engine commands 20-43

TCP reset port 20-9, 20-10, 20-14

time sources 4-29, C-14

unsupported supervisor engine commands 20-44

upgrading

maintenance partition (Catalyst software) 23-38

maintenance partition (Cisco IOS software) 23-39

VACLs

configuring 20-14

described 20-14

verifying

ECLB (Catalyst software) 20-37

ECLB (Cisco IOS software) 20-38

installation 20-3

IDS-Sensor interface

ip unnumbered (AIM-IPS) 18-6, 18-8

preferred method (AIM-IPS) 18-4

ignore command 9-10

illegal zone

configuring 9-20

configuring other protocols 9-26

configuring TCP 9-21

configuring UDP 9-24

described 9-20

protocols 9-20

illegal-zone command 9-20

IME time synchronization problems C-58

inactive mode (anomaly detection) 9-4

initialization

verifying AIM-IPS 18-2

verifying AIP-SSM 19-2

verifying NME-IPS 21-3

verifying sensor 3-27

initializing

AIM-IPS 3-13

AIP-SSM 3-16

appliances 3-8

IDSM-2 3-20

NME-IPS 3-24

sensors 3-1, 3-4

user roles 3-1

verifying 3-27

inline interface pairs

configuration restrictions 6-10

configuring 6-17

deleting 6-20

described 6-16

inline-interfaces command 6-17

inline mode IDSM-2 20-8

inline VLAN groups configuration 6-29

inline VLAN pair mode

described 6-21

IDSM-2 20-8

supported sensors 6-21

UDLD protocol 6-26

inline VLAN pairs

configuration restrictions 6-10

configuring 6-22

deleting 6-25

installer major version 22-6

installer minor version 22-6

installing

license key 4-51, 22-15

sensor license 22-13

system image

AIM-IPS 23-23

AIP-SSM 23-26

IDSM-2 (Catalyst software) 23-28

IDSM-2 (Cisco IOS software) 23-29

IPS-4240 23-15

IPS-4255 23-15

IPS-4260 23-18

IPS 4270-20 23-20

NME-IPS 23-40

InterfaceApp described A-3

interface configuration sequence 6-11

interface GigabitEthernet command 18-21, 21-15

interface IDS-Sensor command 18-19, 21-13

interface-notifications command 6-36

interfaces

alternate TCP reset 6-2

command and control 6-2

configuration restrictions 6-9

described 6-2

displaying live traffic 13-3

port numbers 6-2

sensing 6-2, 6-3

slot numbers 6-2

statistics display 6-37

support (table) 6-5

TCP reset 6-4

VLAN groups 6-2

internal zone

configuring 9-12

configuring other protocols 9-18

configuring TCP 9-13

configuring UDP 9-15

described 9-11

protocols 9-11

internal-zone command 9-12

introducing the CLI guide 1-1

ip-access-list command 20-15

IP fragmentation described B-33

IP fragment reassembly

described 8-28

parameters (table) 8-28

signatures (table) 8-28

ip-log-bytes command 12-2

ip-log command 8-38

iplog command 12-3

IP log contents

displaying 12-5

viewing 12-5

IP log files

copying 12-7

TCPDUMP 12-1

Wireshark 12-1

IP logging

automatic 12-2

configuring 12-1

copying files 12-6

described 8-38, 12-1

manual 12-3

ip-log-packets command 12-2

iplog-status command 12-4

ip-log-time command 12-2

IPS-4240

installing system image 23-15

password recovery 4-23, 17-3, C-8

reimaging 23-15

IPS-4255

installing system image 23-15

password recovery 4-23, 17-3, C-8

reimaging 23-15

IPS-4260

installing system image 23-18

reimaging 23-18

IPS 4270-20

hardware bypass 6-8

installing system image 23-20

reimaging 23-20

IPS applications

summary A-35

table A-35

XML format A-3

IPS data

types A-8

XML document A-9

IPS events

evAlert A-9

evError A-9

evLogTransaction A-9

evShunRqst A-9

evStatus A-9

list A-9

types A-9

IPS internal communications A-32

IPS modules and time synchronization 4-30, C-16

IPS software

application list A-3

available files 22-1, 22-2

configuring device parameters A-5

directory structure A-34

Linux OS A-2

obtaining 22-1, 22-2

platform-dependent release examples 22-7

retrieving data A-5

security features A-5

tuning signatures A-5

updating A-5

user interaction A-5

versioning scheme 22-3

IPS software file names

major updates (illustration) 22-3

minor updates (illustration) 22-3

patch releases (illustration) 22-3

service packs (illustration) 22-3

ip unnumbered command 18-6, 18-8

IPv6

described B-24

SPAN ports 6-15

switches 6-15

ipv6-target-value command 7-14

K

KBs

comparing 9-44

copying 9-41, 9-42

described 9-3

displaying 9-40

erasing 9-41, 9-42

histogram 9-36

initial baseline 9-3

manually loading 9-41

manually saving 9-41

renaming 9-41, 9-42

scanner threshold 9-36

threshold display 9-45

tree structure 9-36

keywords

default 1-11

no 1-11

Knowledge Base see KB

L

learning accept mode

anomaly detection 9-3

configuring 9-38

learning-accept-mode command 9-37

license files

BSD license E-3

expat license E-12

GNU Lesser license E-22

GNU license E-17

license key

installation 4-51, 22-15

trial 4-49, 22-11

licensing

described 4-48, 22-11

IPS device serial number 4-48, 22-11

Licensing pane

configuring 22-13

described 4-48, 22-11

limitations for concurrent CLI sessions 1-3

list anomaly-detection-configurations command 9-8, 17-24

list event-action-rules-configurations command 7-7, 17-24

list of blocked hosts 14-35

list signature-definition-configurations command 8-1, 17-24

load balancing options 20-28

loading KBs 9-41

log-all-block-events-and-errors command 14-16

Logger

described A-3, A-19

functions A-19

syslog messages A-20

logging in

AIM-IPS 2-5, 18-15

AIP-SSM 2-6

appliances 2-2

IDSM-2 2-7

NME-IPS 2-10, 21-9

sensors

SSH 2-11

Telnet 2-11

service role 2-2

terminal servers 2-3, 23-14

user role 2-1

login banners 4-8

login-banner-text

command 4-8

configuring 4-8

LOKI

described B-60

protocol B-60

loose connections on sensors C-22

M

MainApp

components A-6

described A-3, A-6

host statistics A-6

responsibilities A-6

show version command A-6

maintenance partition

configuring

IDSM-2 (Catalyst software) 23-31

IDSM-2 (Cisco IOS software) 23-35

described A-4

major updates described 22-4

managing

firewalls 14-28

routers 14-24

switches 14-27

manifests

client A-29

server A-29

manual

blocking 14-32, 14-34

block to bogus host C-42

manually

loading KBs 9-41

saving KBs 9-41

master blocking sensor

described 14-29

not set up properly C-43

Master engine

alert frequency B-5

alert frequency parameters (table) B-5

described B-3

event actions B-6

general parameters (table) B-4

universal parameters B-4

max-block-entries command 14-11

max-denied-attackers command 7-34

maximum open IP logs 5-10

max-interfaces command 14-17

merging configuration files 16-23, C-2

Meta engine

component signatures B-30

described 8-46, B-29

parameters (table) B-30

Signature Event Action Processor 8-46, B-29

Meta Event Generator described 7-33

MIBs supported 15-6, C-18

minor updates described 22-4

mls ip ids command 20-17, 20-18

modes

AIP-SSM 19-9

anomaly detection

detect 9-4

inactive 9-4

learning accept 9-3

bypass 6-34

inline interface pair 6-16

inline VLAN pair 6-21

promiscuous 6-15

VLAN Groups 6-27

modifying terminal properties 17-16

modify packets inline modes 5-3

monitoring and viewer privileges 1-4

more command

described 16-19

filtering 16-16

more current-config command 16-1

moving OS maps 7-29

Multi String engine

described B-31

parameters (table) B-31

Regex B-31

N

NAT

advantages 18-5, 21-5

AIM-IPS 18-5

NME-IPS 21-5

Neighborhood Discovery

options B-25

types B-25

network block configuration 14-33

network participation

data gathered 10-3

data use (table) 10-2

described 10-3

health metrics 10-7

modes 10-4

options 10-10

requirements 10-4

statistics 10-4

Network Timing Protocol see NTP

never-block-hosts command 14-19

never-block-networks command 14-19

NME-IPS

configuration sequence 21-1

configuring interfaces 21-6, 21-7

initializing 3-24

installing system image 23-40

interface sequence 21-5

logging in 2-10, 21-9

NAT 21-5

RBCP 21-12

rebooting 21-12

reimaging 23-40

resetting 21-12

resetting heartbeat 21-11

session command 2-9, 21-9

sessioning 2-8, 2-10, 21-8, 21-9

setup command 3-24

shutting down 21-12

time sources 4-29, C-15

verifying installation 21-3

no iplog command 12-5

no ipv6-target-value command 7-14

Normalizer engine

described B-33

IP fragment reassembly B-33

parameters (table) B-34

TCP stream reassembly B-33

no service anomaly-detection command 9-8

no service event-action-rules command 7-7

no service signature-definition command 8-2

no target-value command 7-14

NotificationApp

alert information A-9

described A-3

functions A-9

SNMP gets A-9

SNMP traps A-9

statistics A-11

system health information A-10

no variables command 7-10

NTP

authenticated 4-28, 4-29, 4-30, 4-39, C-14, C-15

configuring servers 4-38

described 4-28, C-14

incorrect configuration C-16

sensor time source 4-37, 4-39

time synchronization 4-28, C-14

unauthenticated 4-28, 4-29, 4-30, 4-39, C-14, C-15

O

obtaining

command history 17-39

IPS sofware 22-1

list of blocked hosts and connections 14-35

used commands list 17-39

one-way TCP reset described 7-33

operator role privileges 1-4

os-identifications command 7-27

OS IDs

clearing 7-31

displaying 7-31

OS maps

creating 7-28

deleting 7-30

moving 7-29

other actions (list) 7-6

other command 9-18, 9-26, 9-34

output

clearing current line 1-6

displaying 1-6

overrides command 7-16

P

P2P networks described B-45

packet capture command 13-4

packet display command 13-2

packet files

viewing

TCPDUMP 13-7

Wireshark 13-7

partitions

application A-4

maintenance A-4

recovery A-4

passive OS fingerprinting

components 7-25

configuring 7-26

described 7-25

password command 4-13, 4-16

password policy

caution 4-19

configuring 4-19

password recovery

AIP-SSM 4-24, 17-5, C-10

appliances 4-22, 17-3, C-8

CLI 4-27, 17-7, C-12

described 4-21, 17-2, C-7

disabling 4-27, 17-7, C-12

GRUB menu 4-22, 17-3, C-8

IDSM-2 4-25, 17-6, C-11

IPS-4240 4-23, 17-3, C-8

IPS-4255 4-23, 17-3, C-8

platforms 4-21, 17-2, C-7

ROMMON 4-23, 17-3, C-8

troubleshooting 4-28, 17-8, C-13

verifying 4-27, 17-8, C-13

passwords

changing 4-16

configuring 4-16

patch releases described 22-4

peacetime learning (anomaly detection) 9-3

Peer-to-Peer see P2P

PEP information

PID 17-39

SN 17-39

VID 17-39

physical connectivity issues C-30

physical-interfaces command 6-12, 6-21, 6-28

physical interfaces configuration restrictions 6-9

ping command 17-37

platforms concurrent CLI sessions 1-3

policy list display 17-24

Post-Block ACLs 14-22, 14-23

Pre-Block ACLs 14-22, 14-23

prerequisites for blocking 14-5

privilege

changing 4-17

command 4-13, 4-17

configuring 4-17

privilege levels

administrator 1-3

operator 1-3

service 1-3

viewer 1-3

promiscuous delta

calculating risk rating 7-13

described 7-13, 8-6

promiscuous mode

configuring 6-13

configuring (IDSM-2) 6-15

described 6-15

ECLB 20-28

IDSM-2 20-8

packet flow 6-15

SPAN ports 6-15

VACL capture 6-15

prompts and default input 1-5

protocols

ARP B-10

CIDEE A-34

DCE B-43

DDoS B-60

H.323 B-38

H225.0 B-38

HTTP 4-11

ICMPv6 B-11

IDAPI A-32

IDCONF A-33

IDIOM A-32

IPv6 B-24

LOKI B-60

MSSQL B-44

Neighborhood Discovery B-24

Q.931 B-38

RPC B-43

SDEE A-33

UDLD 6-26

Q

Q.931 protocol

described B-38

SETUP messages B-38

quarantined IP address events described 11-2

R

rate limiting

ACLs 14-5

described 14-4

routers 14-4

service policies 14-5

supported signatures 14-4

RBCP

AIM-IPS 18-18

NME-IPS 21-12

rebooting

AIM-IPS 18-18

NME-IPS 21-12

recall

help and tab completion 1-5

using 1-5

recover command 23-12

recovering

AIP-SSM C-66

application partition image 23-12

recovery partition

described A-4

upgrading 23-5

regular expression syntax

described 1-8

table 1-8

reimaging

AIP-SSM 23-26

appliances 23-12

described 23-1

IDSM-2 23-28

IPS-4240 23-15

IPS-4255 23-15

IPS-4260 23-18

IPS 4270-20 23-20

NME-IPS 23-40

sensors 22-8, 23-1

removing

last applied

service pack 23-11

signature update 23-11

users 4-14

rename ad-knowledge-base command 9-42

renaming KBs 9-41, 9-42

reputation

described 10-2

illustration 10-3

servers 10-3

reset

command 17-38

not occurring for a signature C-51

resetting

AIM-IPS 18-18

AIP-SSM C-66

appliances 17-38

IDSM-2 20-41

NME-IPS 21-12

resetting heartbeat

AIM-IPS 18-17

NME-IPS 21-11

restoring

current configuration 16-22, C-4

data port defaults 20-28

retiring signatures 8-12

risk rating

Alarm Channel 10-5

calculating 7-12

component signatures B-30

described 7-25

reputation score 10-4

ROMMON

described 23-14

IPS-4240 23-15

IPS-4255 23-15

IPS-4260 23-18

IPS 4270-20 23-18, 23-20

password recovery 4-23, 17-3, C-8

remote sensors 23-14

serial console port 23-14

TFTP 23-14

round-trip time see RTT

RPC portmapper B-46

RSA authentication and authorized keys 4-43

RTT

described 23-14

TFTP limitation 23-14

S

saving KBs 9-41

scheduling automatic upgrades 23-8

SDEE

described A-33

HTTP A-33

protocol A-33

server requests A-33

searching the submode configuration 16-18

security

account locking 4-20

information on Cisco Security Center 22-11

policies described 7-1, 8-1, 9-2

SSH 4-41

sensing interfaces

described 6-3

interface cards 6-3

modes 6-3

SensorApp

Alarm Channel A-24

Analysis Engine A-24

described A-3

event action filtering A-25

inline packet processing A-24

IP normalization A-25

packet flow A-26

processors A-23

responsibilities A-23

risk rating A-25

Signature Event Action Processor A-23, A-26

TCP normalization A-25

SensorBase Network

described 10-1, 10-2, A-4

participation 10-2

servers 10-2

sensors

access problems C-24

asymmetric traffic and disabling anomaly detection 9-48, C-19

clearing databases 17-9

configuration sequence 1-1

configuring to use NTP 4-39

corrupted SensorApp configuration C-35

disaster recovery C-6

downgrading 23-11

incorrect NTP configuration C-16

initializing 3-1, 3-4

interface support 6-5

IP address conflicts C-27

license 22-13

logging in

SSH 2-11

Telnet 2-11

loose connections C-22

managing

firewalls 14-28

routers 14-24

switches 14-27

misconfigured access lists C-26

no alerts C-31, C-57

not seeing packets C-33

NTP time source 4-39

NTP time synchronization 4-28, C-14

partitions A-4

physical connectivity C-30

preventive maintenance C-2

recovering the system image 22-8

reimaging 22-8, 23-1

sensing process C-28

sensing process not running C-28

SensorApp not running C-28

setup command 3-1, 3-4, 3-8

system images 22-8

time sources 4-28, C-14

troubleshooting software upgrades C-54

upgrading 23-4

using NTP time source 4-37

sequence

AIM-IPS interfaces 18-4

NME-IPS interfaces 21-5

serial number and the show inventory command 18-2, 21-2

server manifest described A-29

service account

creating 4-16, C-5

described 4-15, A-31, C-4

TAC A-31

troubleshooting A-31

service anomaly-detection command 9-8

Service DNS engine

described B-35

parameters (table) B-35

Service engine

described B-35

Layer 5 traffic B-35

service event-action-rules command 7-7

Service FTP engine

described B-36

parameters (table) B-37

PASV port spoof B-36

Service Generic engine

described B-37

parameters (table) B-38

Service H225 engine

ASN.1PER validation B-39

described B-38

features B-39

parameters (table) B-40

TPKT validation B-39

Service HTTP engine

described 8-43, B-41

parameters (table) B-41

signature 8-45

Service IDENT engine

described B-43

parameters (table) B-43

service-module IDS-Sensor command 18-22, 21-16

service-module ids-sensor slot/port command 18-18, 21-12

service-module ids-sensor slot/port heartbeat reset command 18-17, 21-11

service-module ids-sensor slot/port session command 2-4, 2-8, 18-14, 21-8

service-module ids-sensor slot/port status command 18-16, 21-10

Service MSRPC engine

DCS/RPC protocol B-43

described B-43

parameters (table) B-44

Service MSSQL engine

described B-44

MSSQL protocol B-44

parameters (table) B-45

Service NTP engine

described B-45

parameters (table) B-45

Service P2P engine described B-45

service packs described 22-4

Service role

bypass CLI 2-2

described 1-4

privileges 1-4

troubleshooting use A-30

Service RPC engine

described B-46

parameters (table) B-46

RPC portmapper B-46

service signature-definition command 8-1

Service SMB Advanced engine

described B-47

parameters (table) B-47

Service SNMP engine

described B-49

parameters (table) B-49

Service SSH engine

described B-50

parameters (table) B-50

Service TNS engine

described B-50

parameters (table) B-51

session command

AIM-IPS 2-5, 18-15

AIP-SSM 2-6

IDSM-2 2-7

NME-IPS 2-9, 21-9

sessioning

AIM-IPS 2-5, 18-15

AIP-SSM 2-6

IDSM-2 2-7

NME-IPS 2-10, 21-9

set security acl command 20-14

setting the system clock 4-32, 17-21

setting up terminal servers 2-3, 23-14

setup

automatic 3-1

simplified mode 3-1

setup command 3-1, 3-4, 3-8, 3-13, 3-16, 3-20, 3-24

show ad-knowledge-base diff command 9-43, 9-45

show ad-knowledge-base files command 9-40, 9-41

show clock command 4-31, 17-20

show configuration command 16-1

show context command 19-6

show events command 7-38, 17-17, C-87, C-88

show health command 10-8, 17-14, C-69

show history command 17-39

showing user information 4-18

show interfaces command 6-37, C-86

show inventory command 17-39, 18-2, 21-2

show ips command 19-6

show module command 19-2

show os-identification command 7-31

show settings command 4-27, 16-3, 16-18, 17-8, 17-41, C-13

show statistics anomaly-detection command 9-47

show statistics command 14-35, 17-24, C-75, C-76

show statistics denied-attackers command 7-36, 17-22

show statistics virtual-sensor command 17-24, C-23, C-76

show tech-support command 17-34, C-70

show users command 4-18

show version command 17-35, C-73

shutting down

AIM-IPS 18-18

NME-IPS 21-12

sig-fidelity-rating command 8-11, 8-13

signature/virus update files described 22-5

signature definition list display 17-24

signature definition policies

copying 8-2

creating 8-2

deleting 8-2

editing 8-2

signature engines

AIC 8-17, B-7

Atomic B-10

Atomic ARP B-10

Atomic IP B-21

Atomic IP Advanced B-11

Atomic IPv6 B-24

described B-1

event actions B-6

Fixed B-26

Flood B-28

Flood Host B-28

Flood Net B-29

list B-2

Meta 8-46, B-29

Multi String B-31

Normalizer B-33

Service B-35

Service DNS B-35

Service FTP B-36

Service Generic B-37

Service H225 B-38

Service HTTP 8-43, B-41

Service IDENT B-43

Service MSRPC B-43

Service MSSQL B-44

Service NTP engine B-45

Service P2P B-45

Service RPC B-46

Service SMB Advanced B-47

Service SNMP B-49

Service SSH engine B-50

Service TNS B-50

State B-51

String 8-40, B-53

Sweep Other TCP B-58

Traffic Anomaly 9-6, B-58

Traffic ICMP B-60

Trojan B-61

signature engine update files described 22-5

Signature Event Action Filter

described 7-2, A-26

parameters 7-3, A-26

Signature Event Action Handler described 7-3, A-27

Signature Event Action Override described 7-2, A-26

Signature Event Action Processor

Alarm Channel 7-2, A-26

components 7-2, A-26

described 7-2, A-23, A-26

signature fidelity rating

calculating risk rating 7-12

configuring 8-11

described 7-12

signatures

custom 8-4

default 8-3

described 8-3

false positives 8-3

general parameters 8-6

rate limits 14-4

Service HTTP 8-45

string TCP 8-42

subsignatures 8-3

TCP reset C-51

tuned 8-3

signature variables

adding 8-4

deleting 8-4

described 8-4

editing 8-4

SNMP

configuring

agent parameters 15-2

traps 15-4

described 15-1

general parameters 15-2

Get 15-1

GetNext 15-1

Set 15-1

supported MIBs 15-6, C-18

Trap 15-1

traps described 15-1

snmp-agent-port command 15-2

snmp-agent-protocol command 15-2

software architecture

ARC (illustration) A-13

IDAPI (illustration) A-32

software bypass

supported configurations 6-8

with hardware bypass 6-8

software downloads Cisco.com 22-2

software file names

recovery (illustration) 22-6

signature/virus updates (illustration) 22-5

signature engine updates (illustration) 22-5

system image (illustration) 22-6

software release examples

platform-dependent 22-7

platform identifiers 22-8

platform-independent 22-6

software updates

supported FTP servers 23-2

supported HTTP/HTTPS servers 23-2

SPAN

configuring 20-10

options 20-12

port issues C-30

specifying worm timeout 9-10

SSH

adding hosts 4-42

known hosts list 4-41

security 4-41

understanding 4-40

ssh authorized-key command 4-43

ssh generate-key command 4-44

ssh host-key command 4-41

SSH Server

host key generation 4-44

private keys A-21

public keys A-21

standards

CIDEE A-34

IDCONF A-33

SDEE A-33

State engine

Cisco Login B-51

described B-51

LPR Format String B-51

parameters (table) B-52

SMTP B-51

status command 8-12

stopping IP logging 12-5

stream-reassembly command 8-37

String engine described 8-40, B-53

String ICMP engine parameters (table) B-54

String TCP engine

example signature 8-40

options 8-40

parameters (table) B-54

String UDP engine parameters (table) B-55

subinterface 0 described 6-27

subinterface-type command 6-22, 6-29

submode configuration

filtering output 16-18

searching output 16-18

subsignatures described 8-3

summarization

described 7-32

Fire All 7-33

Fire Once 7-33

Global Summarization 7-33

Meta engine 7-32

Summary 7-33

Summarizer described 7-33

summertime

configuring

non-recurring 4-35

recurring 4-32

summertime-option non-recurring command 4-35

summertime-option recurring command 4-32

supervisor engine commands

supported 20-43

unsupported 20-44

supported

FTP servers 23-2

HTTP/HTTPS servers 23-2

IDSM-2 configurations 20-4, C-60

supporting IPS interfaces for CSA MC 11-4

Sweep engine

described B-56

parameters (table) B-56, B-58

Sweep Other TCP engine described B-58

switch commands for troubleshooting C-60

syntax and case sensitivity 1-6

system architecture

directory structure A-34

supported platforms A-1

system clock

displaying 4-31, 17-20

setting 4-32, 17-21

System Configuration Dialog

described 3-2

example 3-2

system design (illustration) A-2

system images sensors 22-8

T

tab completion use 1-5

TAC

PEP information 17-40

service account 4-15, A-31, C-4

show tech-support command 17-34, C-70

target-value command 7-14

IPv4 7-14

IPv6 7-14

target value rating

calculating risk rating 7-12

described 7-12, 7-14

tasks

configuring IDSM-2 20-1

configuring the sensor 1-1

tcp command 9-13, 9-21, 9-29

TCPDUMP

copy packet-file command 13-6

expression syntax 13-2

IP logs 12-1

packet capture command 13-5

packet display command 13-2

TCP fragmentation described B-33

TCP reset

IDSM-2 port 20-10

not occurring C-51

TCP reset interfaces

conditions 6-5

described 6-4

list 6-4

TCP stream reassembly

described 8-32

parameters (table) 8-32, 8-36

signatures (table) 8-32, 8-36

Telnet

disabling 4-4

enabling 4-4

telnet-option

command 4-4

configuring 4-4

terminal

command 17-16

modifying length 17-16

server setup 2-3, 23-14

terminating CLI sessions 17-15

testing fail-over 6-8

TFN2K

described B-60

Trojans B-61

TFTP RTT 23-14

TFTP servers

recommended

UNIX 23-14

Windows 23-14

threat rating

described 7-13

risk rating 7-13

time

correction on the sensor 4-30, C-17

sensor sources 4-28, C-14

synchronization on IPS modules 4-30, C-16

time sources

AIM-IPS 4-29, C-15

AIP-SSM 4-29, C-15

appliances 4-28, C-14

IDSM-2 4-29, C-14

NME-IPS 4-29, C-15

time-zone-settings

command 4-36

configuring 4-36

TLS

certificate generation 4-48

handshaking 4-45

IDM 4-45

tls generate-key command 4-47

tls trusted-host command 4-46

trace

command 17-40

IP packet route 17-40

Traffic Anomaly engine

described 9-6, B-58

protocols 9-6, B-58

signatures 9-6, B-58

traffic flow notifications

configuring 6-36

described 6-36

Traffic ICMP engine

DDoS B-60

described B-60

LOKI B-60

parameters (table) B-60

TFN2K B-60

trap-community-name command 15-4

trap-destinations command 15-4

trial license key 4-49, 22-11

Tribe Flood Network 2000 see TFN2K

Tribe Flood Network see TFN

Trojan engine

BO2K B-61

described B-61

TFN2K B-61

Trojans

BO B-61

BO2K B-61

LOKI B-60

TFN2K B-61

troubleshooting

AIP-SSM

debugging C-66

recovering C-66

reset C-66

Analysis Engine busy C-56

applying software updates C-53

ARC

blocking not occurring for signature C-42

device access issues C-39

enabling SSH C-42

inactive state C-37

misconfigured master blocking sensor C-43

verifying device interfaces C-41

automatic updates C-53

cannot access sensor C-24

cidDump C-91

cidLog messages to syslog C-49

communication C-24

corrupted SensorApp configuration C-35

debug logger zone names (table) C-49

debug logging C-45

disaster recovery C-6

duplicate sensor IP addresses C-27

enabling debug logging C-45

external product interfaces 11-8, C-21

gathering information C-68

global correlation 10-13, C-18

IDM

cannot access sensor C-56

will not load C-55

IDSM-2

command and control port C-63

diagnosing problems C-59

not online C-62, C-63

serial cable C-65

status indicator C-61

switch commands C-60

IME time synchronization C-58

IPS modules time drift 4-30, C-16

manual block to bogus host C-42

misconfigured access list C-26

no alerts C-31, C-57

NTP C-51

password recovery 4-28, 17-8, C-13

physical connectivity issues C-30

preventive maintenance C-2

reset not occurring for a signature C-51

sensing process not running C-28

sensor events C-87

sensor loose connections C-22

sensor not seeing packets C-33

sensor software upgrade C-54

service account 4-15, C-4

show events command C-87

show interfaces command C-86

show statistics command C-75

show tech-support command C-69, C-70, C-71

show version command C-72, C-73

software upgrades C-52

SPAN port issue C-30

upgrading C-52

verifying Analysis Engine is running C-20

verifying ARC status C-36

trusted hosts add 4-46

tuned signatures described 8-3

U

UDLD described 6-26

udp command 9-15, 9-24, 9-32

unassigned VLAN groups described 6-27

unauthenticated NTP 4-28, 4-29, 4-30, 4-39, C-14, C-15

UniDirectional Link Detection see UDLD

unsupported supervisor engine commands 20-44

Updater Client described A-28

upgrade command 23-3, 23-5

upgrading

IPS software 22-8

latest version C-52

maintenance partition

IDSM-2 (Catalyst software) 23-38

IDSM-2 (Cisco IOS software) 23-39

minimum required version 22-8

recovery partition 23-5, 23-12

sensors 23-4

URLs for Cisco Security Center 22-11

username command 4-13

user-profiles

command 14-20

described 14-20

user roles

administrator 1-3

operator 1-3

service 1-3

viewer 1-3

users

adding 4-13, 4-14

removing 4-13, 4-14

using

debug logging C-45

TCP reset interfaces 6-5

V

VACLs

described 14-2

IDSM-2 20-14

Post-Block 14-26

Pre-Block 14-26

validation error messages described D-5

variables command 7-10, 8-4

IPv4 7-10

IPv6 7-10

verifying

AIM-IPS installation 18-2

ECLB (Catalyst software) 20-37

ECLB (Cisco IOS software) 20-38

IDSM-2 installation 20-3

NME-IPS installation 21-3

password recovery 4-27, 17-8, C-13

sensor initialization 3-27

sensor setup 3-27

viewer role privileges 1-4

viewing

IP log contents 12-5

user information 4-18

virtual-sensor name command 5-4, 19-4

virtual sensors

adding 5-5, 5-7, 19-4

assigning interfaces 5-4

assigning policies 5-4

creating 5-5, 5-7, 19-4

default virtual sensor 5-2

described 5-2

displaying KB files 9-40

options 5-4, 19-4

stream segregation 5-3

VLAN groups

802.1q encapsulation 6-27

configuration restrictions 6-10

deleting 6-33

deploying 6-28

described 6-27

switches 6-28

vulnerable OSes configuring 8-14

W

watch list rating

calculating risk rating 7-13

described 7-13

Web Server

configuring settings 4-11

described A-3, A-22

HTTP 1.0 and 1.1 support A-22

private keys A-21

public keys A-21

RDEP2 support A-22

Web server

changing settings 4-12

default port 4-11

HTTP protocol 4-11

Wireshark

copy packet-file command 13-6

IP logs 12-1

worms

Blaster 9-3

Code Red 9-2, 9-3

histograms 9-37

Nimbda 9-2

protocols 9-3

Sasser 9-3

scanners 9-3

Slammer 9-3

SQL Slammer 9-2

worm-timeout

command 9-10

specifying 9-10

Z

zones

external 9-4

illegal 9-4

internal 9-4