-
Installing and Using Cisco Intrusion Prevention System Manager Express 7.0
-
Preface
-
Getting Started
-
Configuring Device Lists
-
Configuring Dashboards
-
Configuring RSS Feeds
-
Using the Startup Wizard
-
Setting Up the Sensor
-
Configuring Interfaces
-
Configuring Policies
-
Defining Signatures
-
Using the Signature Wizard
-
Configuring Event Action Rules
-
Configuring Anomaly Detection
-
Configuring Global Correlation
-
Configuring SSH and Certificates
-
Configuring Attack Response Controller for Blocking and Rate Limiting
-
Configuring SNMP
-
Configuring External Product Interfaces
-
Managing the Sensor
-
Monitoring the Sensor
-
Configuring Event Monitoring
-
Configuring and Generating Reports
-
Logging In to the Sensor
-
Initializing the Sensor
-
Obtaining Software
-
Upgrading, Downgrading, and Installing System Images
-
System Architecture
-
Signature Engines
-
Troubleshooting
-
Open Source License Files
-
Glossary
-
Index
-
Table Of Contents
Numerics - A - B - C - D - E - F - G - H - I - K - L - M - N - O - P - Q - R - S - T - U - V - W - Z
Index
Numerics
4GE bypass interface card
configuration restrictions 7-10
described 7-10
802.1q encapsulation for VLAN groups 7-14
A
accessing IPS software 24-2
access lists
misconfiguration C-26
necessary hosts 5-4
ACLs
adding 5-4
described 15-3
Active Host Blocks pane
field descriptions 19-6
user roles 19-6
active update bulletins 24-9
ad0 pane
default 11-10
described 11-10
tabs 11-10
Add ACL Entry dialog box field descriptions 5-4
Add Active Host Block dialog box field descriptions 19-7
Add Allowed Host dialog box
field descriptions 6-6
user roles 6-6
Add Authorized Key dialog box
field descriptions 14-3
user roles 14-2
Add Blocking Device dialog box
field descriptions 15-15
user roles 15-14
Add Cat 6K Blocking Device Interface dialog box
field descriptions 15-23
user roles 15-21
Add Configured OS Map dialog box field descriptions 8-25, 12-26
Add Destination Port dialog box field descriptions 11-16, 11-24, 11-31
Add Device dialog box field descriptions 2-3
Add Device Login Profile dialog box
field descriptions 15-13
user roles 15-12
Add Event Action Filter dialog box
field descriptions 8-14, 12-15
Add Event Action Override dialog box
field descriptions 8-11, 12-13
Add Event Variable dialog box
field descriptions 8-29, 12-30
Add External Product Interface dialog box
field descriptions 17-6
user roles 17-4
Add Filter dialog box field descriptions 3-19
Add Histogram dialog box field descriptions 11-16, 11-24, 11-31
adding
ACLs 5-4
a host never to be blocked 15-11
anomaly detection policies 11-9
CSA MC interfaces 17-7
denied attackers 19-5
event action filters 8-16, 12-17
event action overrides 12-13
event action rules policies 12-11
external product interfaces 17-7
host blocks 19-7
IPv4 target value rating 8-19, 12-20
IPv6 target value rating 8-22, 12-22
network blocks 19-9
signature definition policies 9-3
signatures 9-13
signature variables 9-28
Add Inline VLAN Pair dialog box field descriptions 5-10, 7-21
Add Interface Pair dialog box field descriptions 7-19
Add IP Logging dialog box field descriptions 19-14
Add IPv4 Target Value Rating dialog box
field descriptions 8-19, 12-20
Add IPv6 Target Value Rating dialog box
field descriptions 8-21, 12-22
Add Known Host Key dialog box
field descriptions 14-5
user roles 14-4
Add Master Blocking Sensor dialog box
field descriptions 15-26
user roles 15-24
Add Network Block dialog box field descriptions 19-9
Add Never Block Address dialog box
field descriptions 15-11
user roles 15-7
Add Policy dialog box field descriptions 9-2, 11-9, 12-11
Add Posture ACL dialog box field descriptions 17-7
Add Protocol Number dialog box field descriptions 11-18, 11-25, 11-33
Add Rate Limit dialog box
field descriptions 19-11
user role 19-10
Address Resolution Protocol see ARP
Add Risk Level dialog box field descriptions 8-32, 12-33
Add Router Blocking Device Interface dialog box
field descriptions 15-20
user roles 15-17
Add Signature dialog box field descriptions 9-8
Add Signature Variable dialog box
field descriptions 9-27
user roles 9-27
Add SNMP Trap Destination dialog box field descriptions 16-4
Add Trusted Host dialog box
field descriptions 14-10
user roles 14-9
Add User dialog box
field descriptions 6-19
user roles 6-18
Add Virtual Sensor dialog box
Add VLAN Group dialog box field descriptions 7-24
Advanced Alert Behavior Wizard
Alert Dynamic Response Fire All window field descriptions 10-29
Alert Dynamic Response Fire Once window field descriptions 10-29
Alert Dynamic Response Summary window field descriptions 10-30
Alert Summarization window field descriptions 10-28
Event Count and Interval window field descriptions 10-28
Global Summarization window field descriptions 10-30
AIC
policy 9-38
signatures (example) 9-39
AIC engine
AIC FTP B-8
AIC FTP engine parameters (table) B-9
AIC HTTP B-8
AIC HTTP engine parameters (table) B-9
described B-8
features B-8
signature categories 9-31
AIC policy enforcement
default configuration 9-32, B-8
sensor oversubscription 9-32, B-8
AIM-IPS
initializing 23-14
installing system image 25-25
logging in 22-5
session command 22-5
setup command 23-14
AIP-SSC-5
bypass mode 7-27
initializing 23-8
logging in 22-6
session command 22-6
AIP-SSM
bypass mode 7-27
initializing 23-17
installing system image 25-29
logging in 22-6
recovering C-67
reimaging 25-29
resetting C-66
session command 22-6
setup command 23-17
Alarm Channel described 12-6, A-27
alert and log actions (list) 12-8
alert behavior
normal 10-28
Signature Wizard 10-28
alert frequency
aggregation 9-19
configuring 9-19
controlling 9-19
modes B-5
Allowed Hosts/Networks pane
configuring 6-6
field descriptions 6-6
alternate TCP reset interface 7-8
Analysis Engine
described 8-2
error messages C-23
IDM exits C-56
verify it is running C-19
virtual sensors 8-2
anomaly detection
asymmetric traffic 11-2
caution 11-2
configuration sequence 11-5
default configuration (example) 11-4
described 11-2
detect mode 11-4
inactive mode 11-4
learning accept mode 11-3
learning process 11-3
limiting false positives 11-13, 19-17
operation settings 11-11
protocols 11-3
signatures 11-6
worms
attacks 11-12
described 11-3
zones 11-4
Anomaly Detection pane
button functions 19-17
described 19-16
field descriptions 19-17
user roles 19-16
anomaly detection policies
ad0 11-9
adding 11-9
cloning 11-9
default policy 11-9
deleting 11-9
Anomaly Detections pane
described 11-9
field descriptions 11-9
appliances
application partition image 25-14
initializing 23-9
logging in 22-2
terminal servers
UDLD protocol 7-22
upgrading recovery partition 25-6
Application Inspection and Control see AIC
application partition
described A-4
image recovery 25-14
application policy enforcement
applications in XML format A-3
applying software updates C-53
ARC
authentication A-16
blocking
application 15-2
connection-based A-18
not occurring for signature C-42
unconditional blocking A-18
block response A-14
Catalyst 6000 series switch
VACL commands A-20
VACLs A-20
Catalyst switches
VACLs A-17
VLANs A-17
described A-4
design 15-2
device access issues C-39
enabling SSH C-41
features A-15
firewalls
AAA A-19
connection blocking A-19
NAT A-19
network blocking A-19
postblock ACL A-17
preblock ACL A-17
shun command A-19
TACACS+ A-19
formerly Network Access Controller 15-1, 15-3
functions 15-2
illustration A-14
inactive state C-37
interfaces A-15
maintaining states A-17
managed devices 15-8
master blocking sensors A-15
maximum blocks 15-2
misconfigured master blocking sensor C-43
nac.shun.txt file A-17
NAT addressing A-16
number of blocks A-16
postblock ACL A-17
preblock ACL A-17
prerequisites 15-5
rate limiting 15-4
responsibilities A-14
single point of control A-16
SSH A-15
Telnet A-15
troubleshooting C-36
VACLs A-15
verifying device interfaces C-40
verifying status C-36
ARP
Layer 2 signatures B-10
protocol B-10
ARP spoof tools
dsniff B-10
ettercap B-10
Assign Actions dialog box
button functions 9-9
field descriptions 9-9
assigning actions to signatures 9-17
asymmetric traffic
anomaly detection caution 11-2
disabling anomaly detection 11-37, C-18
Atomic ARP engine
described B-10
parameters (table) B-10
Atomic IP Advanced engine
described B-11
restrictions B-12
Atomic IP engine
parameters (table) B-22
Atomic IPv6 engine
described B-25
signatures B-25
signatures (table) B-26
attack relevance rating
calculating risk rating 8-5, 12-3
described 8-5, 8-23, 12-3, 12-24
Attack Response Controller
described A-4
formerly known as Network Access Controller A-4
attack severity rating
calculating risk rating 8-5, 12-3
Attacks Over Time gadgets
configuring 3-13
described 3-13
audit mode
described 13-9
testing global correlation 13-9
authenticated NTP 6-8, 6-9, 6-10, 6-15, C-14, C-15
AuthenticationApp
authenticating users A-22
described A-4
login attempt limit A-21
method A-21
responsibilities A-21
secure communications A-22
sensor configuration A-21
Authorized Keys pane
configuring 14-3
described 14-2
field descriptions 14-2
RSA authentication 14-2
RSA key generation tool 14-3
Auto/Cisco.com Update pane
button functions 18-18
configuring 18-19
described 18-16
field descriptions 18-18
UNIX-style directory listings 18-17
user roles 18-16
automatic setup 23-2
automatic updates
Cisco.com 18-16
servers
FTP 18-16
SCP 18-16
troubleshooting C-53
automatic upgrade
examples 25-11
information required 25-8
autonegotiation for hardware bypass 7-11
auto-upgrade-option command 25-8
B
backing up
configuration C-2
current configuration C-4
basic setup 23-4
blocking
described 15-2
disabling 15-8
master blocking sensor 15-25
necessary information 15-3
not occurring for signature C-42
prerequisites 15-5
supported devices 15-6
types 15-2
Blocking Devices pane
configuring 15-15
described 15-14
field descriptions 15-15
ssh host-key command 15-15
Blocking Properties pane
adding a host never to be blocked 15-11
configuring 15-10
described 15-7
field descriptions 15-8
BO
described B-62
Trojans B-62
BO2K
described B-62
Trojans B-62
bypass mode
AIP-SSC-5 7-27
AIP-SSM 7-27
described 7-26
Bypass pane field descriptions 7-26
C
calculating risk rating
attack relevance rating 8-5, 12-3
attack severity rating 8-5, 12-3
signature fidelity rating 8-5, 12-3
cannot access sensor C-24
Cat 6K Blocking Device Interfaces pane
configuring 15-23
described 15-21
field descriptions 15-23
CDP mode
configuring 7-29
described 7-29
CDP Mode pane
configuring 7-29
field descriptions 7-29
certificates
displaying 14-11
generating 14-11
IDM 14-8
changing Microsoft IIS to UNIX-style directory listings 18-17
cidDump obtaining information C-91
CIDEE
defined A-35
example A-36
IPS extensions A-35
protocol A-35
supported IPS events A-36
cisco
default password 22-2
default username 22-2
Cisco.com
accessing software 24-2
Active Update Bulletins 24-9
downloading software 24-1
IPS software 24-1
software downloads 24-1
Cisco IOS software and rate limiting 15-4
Cisco IPS software files 25-2, 25-3
Cisco Security Center
described 24-11
URL 24-11
Cisco Services for IPS
service contract 18-11
supported products 18-11
clear events command 6-13, 6-17, 19-4, C-17, C-91
Clear Flow States pane
described 19-28
field descriptions 19-28
clearing
flow states 19-28
statistics C-76
clear password command 18-5, 18-8, C-9, C-11
client manifest described A-30
clock set command 6-17
Clone Event Action Rules dialog box field descriptions 12-11
Clone Policy dialog box field descriptions 9-2, 11-9
Clone Signature dialog box field descriptions 9-8
cloning
anomaly detection policies 11-9
event action rules policies 12-11
signature definition policies 9-3
signatures 9-15
CollaborationApp described A-4, A-30
collaboration connection status
displaying 2-5
starting 2-5
stopping 2-5
color rules described 20-2
command and control interface
described 7-2
list 7-2
commands
auto-upgrade-option 25-8
clear events 6-13, 6-17, 19-4, C-17, C-91
clear password 18-5, 18-8, C-9, C-11
clock set 6-17
copy backup-config C-3
copy current-config C-3
debug module-boot C-67
downgrade 25-13
hw-module module 1 reset C-66
hw-module module slot_number password-reset 18-6, C-10
setup 6-1, 23-1, 23-4, 23-9, 23-14, 23-17, 23-21, 23-25
show events C-88
show health C-69
show module 1 details C-66
show statistics C-76
show statistics virtual-sensor C-23, C-76
show tech-support C-70
show version C-73
Compare Knowledge Bases dialog box field descriptions 19-20
component signatures
Meta engine B-31
risk rating B-31
configuration files
backing up C-2
merging C-2
configuration restrictions
alternate TCP reset interface 7-8
inline interface pairs 7-8
inline VLAN pairs 7-8
interfaces 7-8
physical interfaces 7-8
VLAN groups 7-9
Configured OS Map dialog box user roles 8-25, 12-24
Configure Summertime dialog box field descriptions 5-4, 6-11
configuring
AIC policy parameters 9-38
allowed hosts 6-6
allowed networks 6-6
application policy 9-39
Attacks Over Time gadgets 3-13
authorized keys 14-3
automatic upgrades 25-9
blocking devices 15-15
blocking properties 15-10
Cat 6K blocking device interfaces 15-23
CDP mode 7-29
CPU, Memory, & Load gadget 3-11
CSA MC IPS interfaces 17-4
device login profiles 15-13
event action filters 8-16, 12-17
events 19-3
external zone 11-33
Global Correlation Health gadget 3-8
Global Correlation Reports gadget 3-7
host blocks 19-7
illegal zone 11-26
inline VLAN pairs 5-11
inspection/reputation 13-9
interface pairs 7-19
interfaces 7-17
Interface Status gadget 3-6
internal zone 11-18
IP fragment reassembly signatures 9-42
IP logging 19-15
IPv4 target value rating 8-19, 12-20
IPv6 target value rating 8-22, 12-22
known host keys 14-5
learning accept mode 11-14
Licensing gadget 3-6
maintenance partition
IDSM-2 (Catalyst software) 25-34
IDSM-2 (Cisco IOS software) 25-38
master blocking sensor 15-26
network blocks 19-9
network participation 13-11
Network Security gadget 3-9
network settings 6-4
NTP servers 6-14
operation settings 11-11
rate limiting 19-11
rate limiting devices 15-15
router blocking device interfaces 15-20
RSS Feed gadgets 3-11
RSS feeds 4-2
Sensor Health gadget 3-5
Sensor Information gadget 3-4
Sensor Setup window 5-5
sensor to use NTP 6-15
SNMP 16-3
SNMP traps 16-4
TCP fragment reassembly parameters 9-49
time 6-12
Top Applications gadget 3-10
Top Attackers gadgets 3-12
Top Signatures gadgets 3-13
Top Victims gadgets 3-12
traffic flow notifications 7-28
trusted hosts 14-10
UDLD protocol 7-22
upgrades 25-5
users 6-20
VLAN groups 7-24
VLAN pairs 7-21
control transactions
characteristics A-10
request types A-10
copy backup-config command C-3
copy current-config command C-3
correcting time on the sensor 6-13, C-17
CPU, Memory, & Load gadget
configuring 3-11
described 3-10
creating
Atomic IP Advanced signature 9-25, 10-16
custom signatures
not using signature engines 10-4
Service HTTP 10-19
String TCP 10-24
using signature engines 10-2
Meta signatures 9-22
Post-Block VACLs 15-22
Pre-Block VACLs 15-22
service account C-5
cryptographic features (IME) 1-1
CSA MC
adding interfaces 17-7
configuring IPS interfaces 17-4
host posture events 17-1, 17-3
quarantined IP address events 17-1
supported IPS interfaces 17-3
CtlTransSource
illustration A-13
current configuration back up C-2
current KB setting 19-22
custom signatures
described 9-5
Custom Signature Wizard
Alert Response window field descriptions 10-27
Atomic IP Engine Parameters window field descriptions 10-15
ICMP Traffic Type window field descriptions 10-13
Inspect Data window field descriptions 10-13
MSRPC Engine Parameters window field descriptions 10-13
no signature engine sequence 10-4
Protocol Type window field descriptions 10-12
Service HTTP Engine Parameters window field descriptions 10-18
Service RPC Engine Parameters window field descriptions 10-21
Service Type window field descriptions 10-14
signature engine sequence 10-2
Signature Identification window field descriptions 10-12
State Engine Parameters window field descriptions 10-22
String ICMP Engine Parameters window field descriptions 10-23
String TCP Engine Parameters window field descriptions 10-23
String UDP Engine Parameters window field descriptions 10-26
Sweep Engine Parameters window field descriptions 10-27
TCP Sweep Type window field descriptions 10-14
TCP Traffic Type window field descriptions 10-14
UDP Sweep Type window field descriptions 10-14
UDP Traffic Type window field descriptions 10-13
Welcome window field descriptions 10-11
D
Dashboard pane gadgets 3-2
data structures (examples) A-9
DDoS
protocols B-61
Stacheldraht B-61
TFN B-61
debug logging enable C-45
debug-module-boot command C-67
default policies
ad0 11-9
rules0 12-12
sig0 9-2
defaults
KB filename 11-12
password 22-2
restoring 18-23
username 22-2
virtual sensor vs0 8-3
deleting
anomaly detection policies 11-9
event action filters 8-16, 12-17
event action overrides 12-13
event action rules policies 12-11
imported OS values 19-27
IPv4 target value rating 8-19, 12-20
IPv6 target value rating 8-22, 12-22
KBs 19-23
learned OS values 19-26
signature definition policies 9-3
signature variables 9-28
virtual sensors 8-11
Demo mode (IME) 1-5
denied attackers
adding 19-5
clearing list 19-5
hit count 19-4
resetting hit counts 19-5
Denied Attackers pane
described 19-4
field descriptions 19-4
user roles 19-4
using 19-5
deny actions (list) 12-8
detect mode (anomaly detection) 11-4
device access issues C-39
Device Details pane described 2-1
Device List pane
described 2-1
field descriptions 2-2
Device Login Profiles pane
configuring 15-13
described 15-12
field descriptions 15-12
devices
adding 2-4
deleting 2-4
editing 2-4
device tools
DNS lookup 2-6
ping 2-6
traceroute 2-6
whois 2-6
Diagnostics Report pane
button functions 19-30
described 19-30
user roles 19-30
using 19-31
diagnostics reports 19-31
Differences between knowledge bases KB_Name and KB_Name window field descriptions 19-20
disabling
blocking 15-8
global correlation 13-11
interfaces 7-17
disaster recovery C-6
displaying
events C-89
health status C-69
password recovery setting 18-10, C-13
statistics C-76
tech support information C-70
version C-73
Distributed Denial of Service see DDoS
DNS lookup device tools (IME) 2-6
DoS tools B-5
downgrade command 25-13
downgrading sensors 25-13
downloading KBs 19-24
downloading software 24-1
Download Knowledge Base From Sensor dialog box
described 19-24
field descriptions 19-24
duplicate IP addresses C-27
E
Edit Actions dialog box field descriptions 9-9
Edit Allowed Host dialog box
field descriptions 6-6
user roles 6-6
Edit Authorized Key dialog box
field descriptions 14-3
user roles 14-2
Edit Blocking Device dialog box
field descriptions 15-15
user roles 15-14
Edit Cat 6K Blocking Device Interface dialog box
field descriptions 15-23
user roles 15-21
Edit Configured OS Map dialog box field descriptions 8-25, 12-26
Edit Destination Port dialog box field descriptions 11-16, 11-24, 11-31
Edit Device dialog box field descriptions 2-3
Edit Device Login Profile dialog box
field descriptions 15-13
user roles 15-12
Edit Event Action Filter dialog box
field descriptions 8-14, 12-15
Edit Event Action Override dialog box
field descriptions 8-11, 12-13
Edit Event Variable dialog box
field descriptions 8-29, 12-30
Edit External Product Interface dialog box
field descriptions 17-6
user roles 17-4
Edit Filter dialog box field descriptions 3-19
Edit Histogram dialog box field descriptions 11-16, 11-24, 11-31
editing
event action filters 8-16, 12-17
event action overrides 12-13
interfaces 7-17
IPv4 target value rating 8-19, 12-20
IPv6 target value rating 8-22, 12-22
signatures 9-16
signature variables 9-28
virtual sensors 8-11
Edit Inline VLAN Pair dialog box field descriptions 5-10, 7-21
Edit Interface dialog box field descriptions 7-16
Edit Interface Pair dialog box field descriptions 7-19
Edit IP Logging dialog box field descriptions 19-14
Edit IPv4 Target Value Rating dialog box
field descriptions 8-19, 12-20
Edit IPv6 Target Value Rating dialog box
field descriptions 8-21, 12-22
Edit Known Host Key dialog box
field descriptions 14-5
user roles 14-4
Edit Master Blocking Sensor dialog box
field descriptions 15-26
user roles 15-24
Edit Never Block Address dialog box
field descriptions 15-11
user roles 15-7
Edit Posture ACL dialog box field descriptions 17-7
Edit Protocol Number dialog box field descriptions 11-18, 11-25, 11-33
Edit Risk Level dialog box field descriptions 8-32, 12-33
Edit Router Blocking Device Interface dialog box
field descriptions 15-20
user roles 15-17
Edit Signature dialog box field descriptions 9-8
Edit Signature Variable dialog box
field descriptions 9-27
user roles 9-27
Edit SNMP Trap Destination dialog box field descriptions 16-4
Edit User dialog box
field descriptions 6-19
user roles 6-18
Edit Virtual Sensor dialog box
field descriptions 8-9
user roles 8-9
Edit VLAN Group dialog box field descriptions 7-24
efficacy
described 13-4
measurements 13-4
enabling
debug logging C-45
event action filters 8-16, 12-17
event action overrides 12-13
interfaces 7-17
Encryption Software Export Distribution Authorization 24-2
engines
AIC B-7
Fixed B-27
Flood B-29
Master B-4
Multi String B-32
Normalizer B-34
Service DNS B-36
Service FTP B-37
Service Generic B-38
Service H225 B-39
Service IDENT B-44
Service MSSQL B-45
Service NTP B-46
Service P2P B-46
Service SMB Advanced B-48
Service SNMP B-50
Service SSH B-51
Service TNS B-51
String 10-22, 10-23, 10-26, B-54
Sweep Other TCP B-58
Traffic ICMP B-61
Trojan B-62
EPS on IME Home pane 1-2
evAlert A-10
event action filters
Event Action Filters tab
button functions 12-15
field descriptions 8-13, 12-15
event action overrides
adding 12-13
deleting 12-13
editing 12-13
enabling 12-13
Event Action Overrides tab
described 12-12
field descriptions 12-12
event action rules
described 12-2
functions 12-2
Event Action Rules (rules0) pane described 12-12
Event Action Rules pane
described 12-10
field descriptions 12-10
event action rules policies
adding 12-11
cloning 12-11
deleting 12-11
event actions and threat rating 12-4
events
displaying C-89
host posture 17-2
quarantined IP address 17-2
Events pane
configuring 19-3
described 19-2
field descriptions 19-2
event status
displaying 2-5
starting 2-5
stopping 2-5
Event Store
data structures A-9
described A-3
examples A-9
responsibilities A-8
timestamp A-8
event types C-87
event variables
Event Variables tab
field descriptions 8-29, 12-29
Event Viewer
described 20-1
field descriptions 19-3
event views using 20-4
evError A-10
evLogTransaction A-10
evShunRqst A-10
evStatus A-10
example custom signatures
Atomic IP Advanced 9-25, 10-16
Meta engine 9-22
external product interfaces
adding 17-7
described 17-1
trusted hosts 17-5
External Product Interfaces pane
described 17-4
field descriptions 17-5
external zone
configuring 11-33
protocols 11-30
user roles 11-30
External Zone tab
described 11-30
tabs 11-30
user roles 11-30
F
fail-over testing 7-10
false positives described 9-5
files
IDSM-2 password recovery 18-7, C-11
filtering described 20-2
filters configuring 3-16, 20-6
Filter tab field descriptions 20-3
Fixed engine described B-27
Fixed ICMP engine parameters (table) B-27
Fixed TCP engine parameters (table) B-28
Fixed UDP engine parameters (table) B-29
Flood engine described B-29
Flood Host engine parameters (table) B-30
Flood Net engine parameters (table) B-30
flow states clearing 19-28
FTP servers supported 18-17, 25-2
G
gadgets
Attacks Over Time 3-13
CPU, Memory, & Load 3-10
Dashboard pane 3-2
Global Correlation Health 3-7
Global Correlation Reports 3-7
IDM 3-2
IME 3-2
Interface Status 3-6
Licensing 3-5
Network Security 3-8
RSS Feed 3-11
Sensor Health 3-4
Sensor Information 3-3
Top Applications 3-9
Top Attackers 3-11
Top Signatures 3-13
Top Victims 3-12
general settings
General Settings tab
field descriptions 8-34
General tab
field descriptions 12-35
generating diagnostics reports 19-31
global correlation
disabling 13-11
DNS server 13-6
error messages A-31
features 13-5
goals 13-6
health metrics 13-7
HTTP Proxy server 13-6
license 6-3, 13-6, 13-8, 23-1, 23-5
requirements 13-6
update client (illustration) 13-8
Global Correlation Health gadget
configuring 3-8
described 3-7
Global Correlation Reports gadget
configuring 3-7
described 3-7
Global Variables pane field description 18-16
Grouping events described 20-2
GRUB menu password recovery 18-4, C-8
H
H.225.0 protocol B-39
H.323 protocol B-39
hardware bypass
autonegotiation 7-11
configuration restrictions 7-10
fail-over 7-10
IPS 4270-20 7-10
supported configurations 7-10
with software bypass 7-10
health status
displaying 2-5
starting 2-5
stopping 2-5
Host Blocks pane
configuring 19-7
described 19-6
host posture events
CSA MC 17-3
described 17-2
HTTP/HTTPS servers 18-17, 25-2
HTTP deobfuscation
ASCII normalization 10-18, B-42
hw-module module 1 reset command C-66
hw-module module slot_number password-reset command 18-6, C-10
I
IDAPI
described A-4
functions A-33
illustration A-34
responsibilities A-33
IDCONF
described A-34
example A-35
IDIOM messages A-35
XML A-34
IDIOM
defined A-34
messages A-34
IDM
Analysis Engine is busy C-56
certificates 14-8
gadgets 3-2
Signature Wizard supported signature engines 10-3
TLS 14-8
will not load C-55
IDSM-2
command and control port C-63
configuring
maintenance partition (Catalyst software) 25-34
maintenance partition (Cisco IOS software) 25-38
initializing 23-21
installing
system image (Catalyst software) 25-32
system image (Cisco IOS software) 25-33
logging in 22-8
password recovery image file 18-7, C-11
reimaging 25-32
sessioning 22-8
setup command 23-21
supported configurations C-60
TCP reset port C-65
upgrading
maintenance partition (Catalyst software) 25-42
maintenance partition (Cisco IOS software) 25-42
illegal zones
configuring 11-26
user roles 11-22
Illegal Zone tab
described 11-22
user roles 11-22
IME
collaboration connection status
displaying 2-5
starting 2-5
stopping 2-5
color rules 20-2
configuring
RSS feeds 4-2
cryptographic features 1-1
Demo mode 1-5
described 1-1
devices
adding 2-4
deleting 2-4
editing 2-4
EPS 1-2
event status
starting 2-5
stopping 2-5
Event Viewer 20-1
filtering 20-2
gadgets 3-2
grouping events 20-2
health status
displaying 2-5
starting 2-5
stopping 2-5
installing 1-6
IPS versions 1-3
menu features 1-2
MySQL database 1-5
reports
configuring 21-2
described 21-1
generating 21-2
types 21-1
supported platforms 1-3
system requirements 1-3
using event views 20-4
video help 1-2
working with
top attacker IP addresses 3-14
top signatures 3-15
top victim IP addresses 3-14
IME Home pane
described 1-2
EPS 1-2
features 1-2
IME time synchronization problems C-58
Imported OS pane
clearing 19-27
described 19-27
field descriptions 19-27
inactive mode (anomaly detection) 11-4
initializing
AIM-IPS 23-14
AIP-SSC-5 23-8
AIP-SSM 23-17
appliances 23-9
IDSM-2 23-21
NME-IPS 23-25
user roles 23-2
verifying 23-28
inline interface pair mode
configuration restrictions 7-8
described 7-12
Inline Interface Pair window
described 5-9
Startup Wizard 5-9
inline VLAN pair mode
configuration restrictions 7-8
configuring 5-11
described 7-13
supported sensors 7-13
UDLD protocol 7-22
Inline VLAN Pairs window
described 5-10
field descriptions 5-10
Startup Wizard 5-10
Inspection/Reputation pane
configuring 13-9
described 13-8
field descriptions 13-9
installer major version 24-6
installer minor version 24-6
installing
IME 1-6
sensor license 18-13
system image
AIM-IPS 25-25
AIP-SSM 25-29
IDSM-2 (Catalyst software) 25-32
IDSM-2 (Cisco IOS software) 25-33
IPS-4240 25-17
IPS-4255 25-17
IPS-4260 25-20
IPS 4270-20 25-22
NME-IPS 25-43
InterfaceApp described A-3
interface pairs
configuring 7-19
described 7-18
Interface Pairs pane
configuring 7-19
described 7-18
field descriptions 7-18
interfaces
alternate TCP reset 7-2
command and control 7-2
configuration restrictions 7-8
configuring 7-17
disabling 7-17
editing 7-17
enabling 7-17
logical 5-7
physical 5-7
port numbers 7-1
slot numbers 7-1
support (table) 7-4
TCP reset 7-6
VLAN groups 7-2
Interface Selection window
described 5-9
Startup Wizard 5-9
Interfaces pane
configuring 7-17
described 7-15
field descriptions 7-15
Interface Status gadget
configuring 3-6
described 3-6
Interface Summary window described 5-7
internal zones
configuring 11-18
user roles 11-15
Internal Zone tab
described 11-15
user roles 11-15
IP fragmentation described B-34
IP fragment reassembly
configuring 9-42
described 9-40
example signature 9-42
mode 9-42
parameters (table) 9-40
signatures 9-42
signatures (table) 9-40
IP logging
event actions 19-13
system performance 19-13
IP Logging pane
configuring 19-15
described 19-13
field descriptions 19-14
user roles 19-13
IP Logging Variables pane described 18-16
IP logs
circular buffer 19-13
states 19-13
TCPDUMP 19-13
viewing 19-15
WireShark 19-13
IPS-4240
installing system image 25-17
reimaging 25-17
IPS-4255
installing system image 25-17
reimaging 25-17
IPS-4260
installing system image 25-20
reimaging 25-20
IPS 4270-20
hardware bypass 7-10
installing system image 25-22
reimaging 25-22
IPS applications
XML format A-3
IPS data
types A-9
XML document A-10
IPS events
evAlert A-10
evError A-10
evLogTransaction A-10
evShunRqst A-10
evStatus A-10
list A-10
types A-10
IPS internal communications A-33
IPS Manager Express described 1-1
IPS modules
time synchronization 6-10, C-16
unsupported features 5-8
IPS Policies pane
described 8-8
field descriptions 8-9
IPS software
application list A-3
available files 24-1
configuring device parameters A-6
directory structure A-36, A-37
Linux OS A-2
new features A-4
obtaining 24-1
platform-dependent release examples 24-7
retrieving data A-6
security features A-6
tuning signatures A-6
updating A-6
user interaction A-6
versioning scheme 24-3
IPS software file names
major updates (illustration) 24-3
minor updates (illustration) 24-3
patch releases (illustration) 24-3
service packs (illustration) 24-3
IPS versions supported (IME) 1-3
IPv4 target value rating
configuring 8-19
IPv4 Target Value Rating tab
field descriptions 8-19, 12-20
IPv6
described B-25
SPAN ports 7-12
switches 7-12
IPv6 target value rating
IPv6 Target Value Rating tab
field descriptions 8-21, 12-21
K
KBs
comparing 19-21
default filename 11-12
deleting 19-23
described 11-3
downloading 19-24
initial baseline 11-3
learning accept mode 11-12
loading 19-22
monitoring 19-19
renaming 19-23
saving 19-22
scanner threshold 11-12, 19-16
uploading 19-25
Known Host Keys pane
configuring 14-5
described 14-4
field descriptions 14-5
L
Learned OS pane
clearing 19-26
described 19-26
field descriptions 19-26
learned OS values
clearing 19-26
deleting 19-26
learning accept mode
anomaly detection 11-3
configuring 11-14
user roles 11-12
Learning Accept Mode tab
described 11-12
field descriptions 11-13
user roles 11-12
license files
BSD license D-3
expat license D-12
GNU Lesser license D-22
GNU license D-17
license key trial 18-11
licensing
described 18-11
IPS device serial number 18-11
Licensing gadget
configuring 3-6
described 3-5
Licensing pane
configuring 18-13
described 18-11
field descriptions 18-13
user roles 18-10
limitations for concurrent CLI sessions 22-1, A-31
listings UNIX-style 18-17
loading KBs 19-22
Logger
functions A-20
syslog messages A-21
logging in
AIM-IPS 22-5
AIP-SSC-5 22-6
AIP-SSM 22-6
appliances 22-2
IDSM-2 22-8
NME-IPS 22-10
sensors
SSH 22-11
Telnet 22-11
service role 22-2
user role 22-1
LOKI
described B-61
protocol B-61
loose connections on sensors C-22
M
MainApp
components A-7
host statistics A-7
responsibilities A-7
show version command A-7
maintenance partition
configuring
IDSM-2 (Catalyst software) 25-34
IDSM-2 (Cisco IOS software) 25-38
maintenance partition described A-4
major updates described 24-4
Manage Filter Rules dialog box field descriptions 3-18
managing rate limiting 19-11
manifests
client A-30
server A-30
manual block to bogus host C-41
master blocking sensor
described 15-25
not set up properly C-43
Master Blocking Sensor pane
configuring 15-26
described 15-24
field descriptions 15-25
Master engine
alert frequency B-5
alert frequency parameters (table) B-5
described B-3
event actions B-5
general parameters (table) B-4
universal parameters B-4
merging configuration files C-2
Meta engine
component signatures B-31
parameters (table) B-31
Signature Event Action Processor 9-22, B-31
Meta Event Generator described 8-33, 12-34
Meta signature
component signatures B-31
creating 9-22
minor updates described 24-4
Miscellaneous tab
button functions 9-30
configuring
application policy 9-38
IP fragment reassembly mode 9-42
IP logging 9-50
TCP stream reassembly mode 9-48
described 9-29
field descriptions 9-30
user roles 9-29
modes
anomaly detection detect 11-4
anomaly detection inactive 11-4
anomaly detection learning accept 11-3
bypass 7-26
inline interface pair 7-12
inline VLAN pair 7-13
promiscuous 7-11
VLAN Groups 7-13
modify packets inline modes 8-4
monitoring
events 19-3
KBs 19-19
Multi String engine
described B-32
parameters (table) B-33
Regex B-32
MySDN described 9-5
MySQL database for IME 1-5
N
Neighborhood Discovery
Atomic IPv6 engine B-25
options B-26
types B-26
Network Blocks pane
configuring 19-9
described 19-9
field descriptions 19-9
user roles 19-8
Network pane
configuring 6-4
field descriptions 6-2
TLS/SSL 6-4
user roles 6-2
network participation
data gathered 13-3
data use (table) 13-2
described 13-3
health metrics 13-7
modes 13-4
requirements 13-4
statistics 13-4
Network Participation pane
configuring 13-11
described 13-10
field descriptions 13-11
Network Security gadget
configuring 3-9
described 3-8
network security health data resetting 19-29
Network Timing Protocol see NTP
never block
hosts 15-8
networks 15-8
NME-IPS
initializing 23-25
installing system image 25-43
logging in 22-10
reimaging 25-43
session command 22-10
setup command 23-25
Normalizer engine
described B-34
IP fragment reassembly B-34
parameters (table) B-35
TCP stream reassembly B-34
Normalizer mode described 8-4
NotificationApp
alert information A-10
described A-4
functions A-10
SNMP gets A-10
SNMP traps A-10
statistics A-12
system health information A-11
NTP
authenticated 6-8, 6-9, 6-10, 6-15, C-14, C-15
configuring servers 6-14
incorrect configuration 6-10, C-16
time synchronization 6-8, C-14
unauthenticated 6-8, 6-9, 6-10, 6-15, C-14, C-15
verifying configuration 6-10
O
one-way TCP reset described 8-33, 12-34
Operation Settings tab
described 11-10
field descriptions 11-11
OS Identifications tab
field descriptions 8-25, 12-26
OS maps
other actions (list) 12-9
Other Protocols tab
enabling other protocols 11-17
external zone 11-32
field descriptions 11-17, 11-32
illegal zone 11-25
P
P2P networks described B-46
partitions
application A-4
maintenance A-4
recovery A-4
passive OS fingerprinting
password policy caution 18-2, 18-3
password recovery
password requirements configuring 18-2
Passwords pane
described 18-1
field descriptions 18-2
patch releases described 24-4
peacetime learning (anomaly detection) 11-3
physical connectivity issues C-30
physical interfaces configuration restrictions 7-8
ping IME device tools 2-6
platforms and concurrent CLI sessions 22-1, A-31
prerequisites for blocking 15-5
promiscuous delta
calculating risk rating 8-5, 12-3
promiscuous mode
described 7-11
packet flow 7-11
SPAN ports 7-12
VACL capture 7-12
protocols
ARP B-10
CDP 7-29
CIDEE A-35
DDoS B-61
H.323 B-39
H225.0 B-39
ICMPv6 B-11
IDAPI A-33
IDCONF A-34
IDIOM A-34
IPv6 B-25
LOKI B-61
MSSQL B-45
Neighborhood Discovery B-26
Q.931 B-39
SDEE A-35
Signature Wizard 10-12
UDLD 7-22
Q
Q.931 protocol
described B-39
SETUP messages B-39
quarantined IP address events described 17-2
R
rate limiting
ACLs 15-5
configuring 19-11
described 15-4
managing 19-11
percentages 19-10
routers 15-4
service policies 15-5
supported signatures 15-4
Rate Limits pane
described 19-10
field descriptions 19-11
rebooting the sensor 18-23
Reboot Sensor pane
configuring 18-23
described 18-23
user roles 18-23
recover command 25-13
recovering
AIP-SSM C-67
application partition image 25-14
recovery partition
described A-4
upgrading 25-6
reimaging
AIP-SSM 25-29
appliances 25-13
described 25-1
IDSM-2 25-32
IPS-4240 25-17
IPS-4255 25-17
IPS-4260 25-20
IPS 4270-20 25-22
NME-IPS 25-43
removing
last applied
service pack 25-13
signature update 25-13
Rename Knowledge Base dialog box field descriptions 19-23
renaming KBs 19-23
reports
configuring 21-2
described 21-1
generating 21-2
report types
Attacks Over Time 21-1
Top Attackers 21-1
Top Signatures 21-1
Top Victim 21-1
reputation
described 13-3
illustration 13-3
servers 13-3
Reset Network Security Health pane
described 19-29
field descriptions 19-29
user roles 19-29
reset not occurring for a signature C-50
resetting
AIP-SSM C-66
network security health data 19-29
Restore Default Interface dialog box field descriptions 5-8
Restore Defaults pane
configuring 18-23
described 18-23
user roles 18-23
restoring
current configuration C-4
defaults 18-23
risk categories
Risk Category tab
field descriptions 8-31, 12-32
risk rating
Alarm Channel 13-5
component signatures B-31
reputation score 13-5
ROMMON
described 25-15
IPS-4240 25-17
IPS-4255 25-17
IPS-4260 25-20
remote sensors 25-15
serial console port 25-15
TFTP 25-15
Router Blocking Device Interfaces pane
configuring 15-20
described 15-17
field descriptions 15-19
RSS Feed gadgets
configuring 3-11
described 3-11
RSS feeds
channels 4-1
configuring 4-2
described 4-1
formats 4-1
RTT
described 25-15
TFTP limitation 25-15
S
Save Knowledge Base dialog box
described 19-22
field descriptions 19-22
saving KBs 19-22
scheduling automatic upgrades 25-9
SDEE
described A-35
HTTP A-35
protocol A-35
server requests A-35
security information
Cisco Security Center 24-11
MySDN 9-5
security policies described 8-1, 9-1, 11-1, 12-1
security SSH 14-1
sensing interfaces
described 7-3
interface cards 7-3
modes 7-3
SensorApp
Alarm Channel A-25
Analysis Engine A-25
anomaly detection A-26
described A-4
event action filtering A-26
inline packet processing A-26
IP normalization A-26
packet flow A-27
process not running C-28
processors A-24
responsibilities A-24
Signature Event Action Processor A-24, A-27
TCP normalization A-26
SensorBase Network
participation 13-2
Sensor Health gadget
configuring 3-5
described 3-4
metrics 3-4
status 3-4
Sensor Health pane
described 18-14
field descriptions 18-15
Sensor Information gadget
configuring 3-4
described 3-3
Sensor Key pane
button functions 14-7
described 14-7
field descriptions 14-7
sensor SSH key
displaying 14-7
generating 14-7
user roles 14-7
sensors
access problems C-24
asymmetric traffic and disabling anomaly detection 11-37, C-18
blocking themselves 15-8
configuring to use NTP 6-15
corrupted SensorApp configuration C-35
diagnostics reports 19-31
disaster recovery C-6
downgrading 25-13
incorrect NTP configuration 6-10, C-16
interface support 7-4
IP address conflicts C-27
license 18-13
logging in
SSH 22-11
Telnet 22-11
loose connections C-22
misconfigured access lists C-26
not seeing packets C-33
NTP time source 6-15
NTP time synchronization 6-8, C-14
partitions A-4
physical connectivity C-30
preventive maintenance C-2
rebooting 18-23
recovering the system image 24-8
restoring defaults 18-23
sensing process not running C-28
setting up 6-1
setup command 6-1, 23-1, 23-4, 23-9
shutting down 18-24
statistics 19-32
system images 24-8
system information 19-32
troubleshooting software upgrades C-54
upgrading 25-5
using NTP time source 6-14
Sensor Setup window
described 5-2
Startup Wizard 5-2
Server Certificate pane
button functions 14-11
certificate
displaying 14-11
generating 14-11
described 14-11
field descriptions 14-11
user roles 14-11
server manifest described A-30
service account
creating C-5
TAC A-33
troubleshooting A-33
Service DNS engine
described B-36
parameters (table) B-36
Service engine
described B-36
Layer 5 traffic B-36
Service FTP engine
described B-37
parameters (table) B-38
PASV port spoof B-37
Service Generic engine
described B-38
parameters (table) B-39
Service H225 engine
ASN.1PER validation B-40
described B-39
features B-40
parameters (table) B-41
TPKT validation B-40
Service HTTP engine
custom signature 10-19
example signature 10-19
parameters (table) B-42
Service IDENT engine
described B-44
parameters (table) B-44
service-module ids-sensor slot/port session command 22-4, 22-9
Service MSRPC engine
parameters (table) B-45
Service MSSQL engine
described B-45
MSSQL protocol B-45
parameters (table) B-46
Service NTP engine
described B-46
parameters (table) B-46
Service P2P engine described B-46
service packs described 24-4
Service RPC engine
parameters (table) 10-21, B-47
Service SMB Advanced engine
described B-48
parameters (table) B-48
Service SNMP engine
described B-50
parameters (table) B-50
Service SSH engine
described B-51
parameters (table) B-51
Service TNS engine
described B-51
parameters (table) B-52
session command
AIM-IPS 22-5
AIP-SSC-5 22-6
AIP-SSM 22-6
IDSM-2 22-8
NME-IPS 22-10
sessioning
AIM-IPS 22-5
AIP-SSM 22-6
IDSM-2 22-8
NME-IPS 22-10
setting
current KB 19-22
system clock 6-17
setting up
sensors 6-1
setup
automatic 23-2
command 6-1, 23-1, 23-4, 23-9, 23-14, 23-17, 23-21, 23-25
simplified mode 23-2
show events command C-87, C-88
show health command C-69
show interfaces command C-86
show module 1 details command C-66
show settings command 18-10, C-13
show statistics command C-75, C-76
show statistics virtual-sensor command C-23, C-76
show tech-support command C-70
show version command C-73
Shut Down Sensor pane
configuring 18-24
described 18-24
user roles 18-24
shutting down the sensor 18-24
sig0 pane
default 9-4
described 9-4
signatures
assigning actions 9-17
cloning 9-14
tuning 9-16
tabs 9-4
sig0 pane field descriptions 9-7
signature/virus update files described 24-5
signature definition policies
adding 9-3
cloning 9-3
default policy 9-2
deleting 9-3
sig0 9-2
Signature Definitions pane
described 9-2
field descriptions 9-2
signature engines
AIC B-7
Atomic B-10
Atomic ARP B-10
Atomic IP Advanced B-11
Atomic IPv6 B-25
creating custom signatures 10-2
described B-1
event actions B-6
Fixed B-27
Flood B-29
Flood Host B-30
Flood Net B-30
list B-2
Multi String B-32
Normalizer B-34
Service B-36
Service DNS B-36
Service FTP B-37
Service Generic B-38
Service H225 B-39
Service IDENT B-44
Service MSSQL B-45
Service NTP engine B-46
Service P2P B-46
Service SMB Advanced B-48
Service SNMP B-50
Service SSH engine B-51
Service TNS B-51
String 10-22, 10-23, 10-26, B-54
supported by IDM 10-3
Sweep Other TCP B-59
Traffic Anomaly B-59
Traffic ICMP B-61
Trojan B-62
signature engine update files described 24-5
Signature Event Action Filter
Signature Event Action Handler described 12-6, A-28
Signature Event Action Override described 12-6, A-27
Signature Event Action Processor
signature fidelity rating
calculating risk rating 8-5, 12-3
signatures
adding 9-13
alert frequency 9-19
assigning actions 9-17
cloning 9-15
custom 9-5
default 9-5
described 9-4
editing 9-16
false positives 9-5
rate limits 15-4
subsignatures 9-5
tuned 9-5
tuning 9-16
signatures and TCP reset C-50
signature updates installation time 18-17
signature variables
adding 9-28
deleting 9-28
described 9-27
editing 9-28
Signature Variables tab
configuring 9-28
field descriptions 9-27
Signature Wizard
alert behavior 10-28
described 10-1
protocols 10-12
signature identification 10-12
supported signature engines 10-3
using 10-5
SNMP
configuring 16-3
described 16-1
Get 16-1
GetNext 16-1
Set 16-1
Trap 16-1
SNMP General Configuration pane
configuring 16-3
described 16-2
field descriptions 16-2
user roles 16-2
SNMP traps
configuring 16-4
described 16-1
SNMP Traps Configuration pane
button functions 16-4
described 16-4
field descriptions 16-4
software architecture
ARC (illustration) A-14
IDAPI (illustration) A-34
software bypass
supported configurations 7-10
with hardware bypass 7-10
software downloads Cisco.com 24-1
software file names
recovery (illustration) 24-6
signature/virus updates (illustration) 24-5
signature engine updates (illustration) 24-5
system image (illustration) 24-6
software release examples
platform-dependent 24-7
platform identifiers 24-8
platform-independent 24-6
software updates
supported FTP servers 18-17, 25-2
supported HTTP/HTTPS servers 18-17, 25-2
SPAN port issues C-30
SSH
described 14-1
security 14-1
SSH Server
private keys A-22
public keys A-22
standards for CIDEE A-35
Startup Wizard
access lists 5-4
adding virtual sensors 5-13
Add Virtual Sensor dialog box 5-12
described 5-1
Inline Interface Pair window
described 5-9
field descriptions 5-9
Inline VLAN Pairs window configuring 5-11
Interface Selection window 5-9
Interface Summary window 5-7
Sensor Setup window 5-2
configuring 5-5
field descriptions 5-2
Traffic Inspection Mode window 5-9
Virtual Sensors window
described 5-12
field descriptions 5-12
State engine
parameters (table) B-53
Statistics pane
categories 19-31
described 19-31
using 19-32
statistics viewing 19-32
String engine described 10-22, 10-23, 10-26, B-54
String ICMP engine parameters (table) B-55
String TCP engine
custom signature 10-24
example signature 10-24
parameters (table) B-55
String UDP engine parameters (table) B-56
subinterface 0 described 7-13
subsignatures described 9-5
summarization
Global Summarization 8-7, 12-6
Summarizer described 8-33, 12-34
Summary pane
button functions 7-15
described 7-14
supported
HTTP/HTTPS servers 18-17, 25-2
IDSM-2 configurations C-60
IME platforms 1-3
IPS interfaces for CSA MC 17-3
Sweep engine
Sweep Other TCP engine described B-59
switch commands for troubleshooting C-60
system architecture
directory structure A-36, A-37
supported platforms A-1
system clock setting 6-17
System Configuration Dialog
described 23-2
example 23-3
system design (illustration) A-2, A-3
system image
installing
AIM-IPS 25-25
AIP-SSC-5 25-29
AIP-SSM 25-29
IDSM-2 (Catalyst software) 25-32
IDSM-2 (Cisco IOS software) 25-33
IPS-4240 25-17
IPS-4255 25-17
IPS-4260 25-20
IPS 4270-20 25-22
NME-IPS 25-43
sensors 24-8
System Information pane
described 19-32
using 19-32
system information viewing 19-32
system requirements for IME 1-3
T
TAC
service account 6-19, A-33, C-4
show tech-support command C-70
target value rating
calculating risk rating 8-5, 12-3
described 8-5, 8-18, 8-20, 12-3, 12-19, 12-21
TCP fragmentation described B-34
TCP Protocol tab
enabling TCP 11-15
external zone 11-30
field descriptions 11-16
illegal zone 11-23
TCP reset
IDSM-2 port C-65
not occurring C-50
TCP reset interfaces
conditions 7-7
described 7-6
list 7-7
TCP stream reassembly
described 9-43
mode 9-48
parameters (table) 9-44
signatures (table) 9-44
terminal server setup 22-3, 25-16
testing fail-over 7-10
TFN2K
described B-61
Trojans B-62
TFTP RTT 25-15
TFTP servers
recommended
UNIX 25-16
Windows 25-16
threat rating
risk rating 12-4
Thresholds for KB Name window
described 19-18
field descriptions 19-19
filtering information 19-18
time
correction on the sensor 6-13, C-17
synchronization for IPS modules 6-10, C-16
Time pane
configuring 6-12
described 6-8
field definitions 6-11
user roles 6-8
time sources
TLS
described 6-4
handshaking 14-8
IDM 14-8
Top Applications gadget
configuring 3-10
described 3-9
Top Attackers gadgets
configuring 3-12
described 3-11
Top Signatures gadgets
configuring 3-13
described 3-13
Top Victims gadgets
configuring 3-12
described 3-12
traceroute IME device tools 2-6
Traffic Anomaly engine
described B-59
protocols B-59
signatures B-59
traffic flow notifications
configuring 7-28
described 7-27
Traffic Flow Notifications pane
configuring 7-28
field descriptions 7-28
Traffic ICMP engine
DDoS B-61
described B-61
LOKI B-61
parameters (table) B-61
TFN2K B-61
Traffic Inspection Mode window described 5-9
Traps Configuration pane configuring 16-4
trial license key 18-11
Tribe Flood Network 2000 see TFN2K
Trojan engine
BO2K B-62
described B-62
TFN2K B-62
Trojans
BO B-62
BO2K B-62
LOKI B-61
TFN2K B-62
troubleshooting C-1
AIP-SSM
commands C-66
debugging C-67
recovering C-67
reset C-66
Analysis Engine busy C-56
applying software updates C-53
ARC
blocking not occurring for signature C-42
device access issues C-39
enabling SSH C-41
inactive state C-37
misconfigured master blocking sensor C-43
verifying device interfaces C-40
automatic updates C-53
cannot access sensor C-24
cidDump C-91
cidLog messages to syslog C-49
communication C-24
corrupted SensorApp configuration C-35
debug logger zone names (table) C-48
debug logging C-44
disaster recovery C-6
duplicate sensor IP addresses C-27
enabling debug logging C-45
external product interfaces 17-10, C-21
gathering information C-69
global correlation 13-12, C-20
IDM
cannot access sensor C-56
will not load C-55
IDSM-2
command and control port C-63
diagnosing problems C-59
serial cable C-65
status indicator C-61
switch commands C-60
IME time synchronization C-58
IPS modules time drift 6-10, C-16
manual block to bogus host C-41
misconfigured access list C-26
NTP C-50
physical connectivity issues C-30
preventive maintenance C-2
reset not occurring for a signature C-50
sensing process not running C-28
sensor events C-87
sensor loose connections C-22
sensor not seeing packets C-33
sensor software upgrade C-54
show events command C-87
show interfaces command C-86
show statistics command C-75
show tech-support command C-70, C-71
show version command C-73
software upgrades C-52
SPAN port issue C-30
upgrading C-52
verifying Analysis Engine is running C-19
verifying ARC status C-36
Trusted Hosts pane
configuring 14-10
described 14-9
field descriptions 14-9
tuned signatures described 9-5
tuning
AIC signatures 9-39
IP fragment reassembly signatures 9-42
signatures 9-16
U
UDLD described 7-22
UDP Protocol tab
enabling UDP 11-17
external zone 11-31
field descriptions 11-31
illegal zone 11-24
unassigned VLAN groups described 7-14
unauthenticated NTP 6-8, 6-9, 6-10, 6-15, C-14, C-15
UniDirectional Link Detection see UDLD
UNIX-style directory listings 18-17
updater client described A-30
Update Sensor pane
configuring 18-21
described 18-20
field descriptions 18-21
user roles 18-20
updating
Cisco.com 18-20
FTP server 18-20
sensors 18-21
upgrading
latest version C-52
maintenance partition
IDSM-2 (Catalyst software) 25-42
IDSM-2 (Cisco IOS software) 25-42
minimum required version 24-8
recovery partition 25-6, 25-13
sensors 25-5
to 6.2 24-8
to 7.0 24-8
uploading KBs
FTP 19-25
SCP 19-25
Upload Knowledge Base to Sensor dialog box
described 19-25
field descriptions 19-25
URLs for Cisco Security Center 24-11
Users pane
configuring 6-20
field descriptions 6-18
user roles A-32
using
debug logging C-44
TCP reset interfaces 7-7
V
VACLs
described 15-3
Post-Block 15-22
Pre-Block 15-22
verifying
NTP configuration 6-10
sensor initialization 23-28
sensor setup 23-28
video help described 1-2
viewing
IP logs 19-15
statistics 19-32
system information 19-32
virtual sensors
default virtual sensor 8-3, 8-8
deleting 8-11
editing 8-11
stream segregation 8-4
Virtual Sensors window described 5-12
VLAN groups
802.1q encapsulation 7-14
configuration restrictions 7-9
configuring 7-24
deploying 7-23
described 7-13
switches 7-23
VLAN Groups pane
configuring 7-24
described 7-23
field descriptions 7-24
VLAN IDs 7-23
VLAN Pairs pane
configuring 7-21
describing 7-20
field descriptions 7-20
W
watch list rating
calculating risk rating 8-6, 12-4
Web Server
HTTP 1.0 and 1.1 support A-23
private keys A-22
public keys A-22
SDEE support A-23
whois IME device tools 2-6
worms
Blaster 11-2
Code Red 11-2
histograms 11-12
Nimbda 11-2
protocols 11-3
Sasser 11-2
scanners 11-3
Slammer 11-2
SQL Slammer 11-2
Z
zones
external 11-4
illegal 11-4
internal 11-4