-
Cisco Intrusion Prevention System Manager Express Configuration Guide for IPS 7.0
-
Preface
-
Getting Started
-
Configuring Device Lists
-
Configuring Dashboards
-
Configuring RSS Feeds
-
Using the Startup Wizard
-
Setting Up the Sensor
-
Configuring Interfaces
-
Configuring Policies
-
Defining Signatures
-
Using the Signature Wizard
-
Configuring Event Action Rules
-
Configuring Anomaly Detection
-
Configuring Global Correlation
-
Configuring SSH and Certificates
-
Configuring Attack Response Controller for Blocking and Rate Limiting
-
Configuring SNMP
-
Configuring External Product Interfaces
-
Managing the Sensor
-
Monitoring the Sensor
-
Configuring Event Monitoring
-
Configuring and Generating Reports
-
Logging In to the Sensor
-
Initializing the Sensor
-
Obtaining Software
-
Upgrading, Downgrading, and Installing System Images
-
System Architecture
-
Signature Engines
-
Troubleshooting
-
Open Source License Files
-
Glossary
-
Index
-
Table Of Contents
Numerics - A - B - C - D - E - F - G - H - I - K - L - M - N - O - P - Q - R - S - T - U - V - W - Z
Index
Numerics
4GE bypass interface card
configuration restrictions 7-10
described 7-10
802.1q encapsulation for VLAN groups 7-15
A
AAA RADIUS
functionality 6-20
limitations 6-20
accessing IPS software 24-2
access lists
misconfiguration C-27
necessary hosts 5-4
account locking
configuring 6-27
security 6-27
account unlocking
configuring 6-26
ACLs
adding 5-4
described 15-3
Active Host Blocks pane
field descriptions 19-6
user roles 19-6
ad0 pane
default 11-10
described 11-10
tabs 11-10
Add ACL Entry dialog box field descriptions 5-4
Add Active Host Block dialog box field descriptions 19-7
Add Allowed Host dialog box
field descriptions 6-5
user roles 6-5
Add Authorized Key dialog box
field descriptions 14-3
user roles 14-2
Add Blocking Device dialog box
field descriptions 15-15
user roles 15-14
Add Cat 6K Blocking Device Interface dialog box
field descriptions 15-23
user roles 15-22
Add Configured OS Map dialog box field descriptions 8-26, 12-27
Add Destination Port dialog box field descriptions 11-16, 11-24, 11-31
Add Device Login Profile dialog box
field descriptions 15-13
user roles 15-12
Add Event Action Filter dialog box
field descriptions 8-14, 12-16
Add Event Action Override dialog box
field descriptions 8-11, 12-13
Add Event Variable dialog box
field descriptions 8-29, 12-30
Add External Product Interface dialog box
field descriptions 17-6
user roles 17-5
Add Filter dialog box field descriptions 3-19
Add Histogram dialog box field descriptions 11-16, 11-24, 11-31
adding
ACLs 5-4
a host never to be blocked 15-11
anomaly detection policies 11-9
CSA MC interfaces 17-7
denied attackers 19-5
event action filters 8-16, 12-18
event action overrides 12-14
event action rules policies 12-11
external product interfaces 17-7
host blocks 19-7
IPv4 target value rating 8-19, 12-21
IPv6 target value rating 8-22, 12-23
network blocks 19-9
signature definition policies 9-3
signatures 9-13
signature variables 9-27
Add Inline VLAN Pair dialog box field descriptions 5-10, 7-22
Add Interface Pair dialog box field descriptions 7-20
Add IP Logging dialog box field descriptions 19-14
Add IPv4 Target Value Rating dialog box
field descriptions 8-19, 12-21
Add IPv6 Target Value Rating dialog box
field descriptions 8-21, 12-22
Add Known Host Key dialog box
field descriptions 14-5
user roles 14-5
Add Master Blocking Sensor dialog box
field descriptions 15-26
user roles 15-25
Add Network Block dialog box field descriptions 19-9
Add Never Block Address dialog box
field descriptions 15-11
user roles 15-7
Add Policy dialog box field descriptions 9-2, 11-9, 12-11
Add Posture ACL dialog box field descriptions 17-7
Add Protocol Number dialog box field descriptions 11-18, 11-25, 11-33
Add Rate Limit dialog box
field descriptions 19-11
user role 19-10
Address Resolution Protocol. See ARP.
Add Risk Level dialog box field descriptions 8-32, 12-33
Add Router Blocking Device Interface dialog box
field descriptions 15-20
user roles 15-17
Add Signature dialog box field descriptions 9-8
Add Signature Variable dialog box
field descriptions 9-27
user roles 9-27
Add SNMP Trap Destination dialog box field descriptions 16-4
Add Trusted Host dialog box
field descriptions 14-10
user roles 14-9
Add User dialog box
field descriptions 6-23
user roles 6-17
Add Virtual Sensor dialog box
Add VLAN Group dialog box field descriptions 7-25
Advanced Alert Behavior Wizard
Alert Dynamic Response Fire All window field descriptions 10-29
Alert Dynamic Response Fire Once window field descriptions 10-30
Alert Dynamic Response Summary window field descriptions 10-30
Alert Summarization window field descriptions 10-29
Event Count and Interval window field descriptions 10-28
Global Summarization window field descriptions 10-31
AIC
policy 9-37
signatures (example) 9-38
AIC engine
AIC FTP B-11
AIC FTP engine parameters (table) B-13
AIC HTTP B-11
AIC HTTP engine parameters (table) B-12
described B-11
features B-11
signature categories 9-31
AIC policy enforcement
default configuration 9-31, B-11
sensor oversubscription 9-31, B-11
AIM IPS
initializing 23-13
installing system image 25-21
logging in 22-5
session command 22-5
setup command 23-13
AIP SSM
bypass mode 7-28
initializing 23-16
installing system image 25-25
logging in 22-6
recovering C-67
reimaging 25-24
resetting C-66
resetting the password 18-7, C-11
session command 22-6
setup command 23-16
Alarm Channel described 12-6, A-25
alert and log actions (list) 12-8
alert behavior
normal 10-28
Signature Wizard 10-28
alert frequency
aggregation 9-19
configuring 9-19
controlling 9-19
modes B-6
Allowed Hosts/Networks pane
configuring 6-5
field descriptions 6-5
alternate TCP reset interface 7-8
Analysis Engine
described 8-2
error messages C-23
IDM exits C-56
verify it is running C-21
virtual sensors 8-2
anomaly detection
asymmetric traffic 11-2, 11-37
configuration sequence 11-5
default configuration (example) 11-4
described 11-2
detect mode 11-4
inactive mode 11-4
learning accept mode 11-3
learning process 11-3
limiting false positives 11-13, 19-17
operation settings 11-11
protocols 11-3
signatures 11-6
worms
attacks 11-12
described 11-3
zones 11-4
Anomaly Detection pane
button functions 19-17
described 19-16
field descriptions 19-17
user roles 19-16
anomaly detection policies
ad0 11-8
adding 11-9
cloning 11-9
default policy 11-8
deleting 11-9
Anomaly Detections pane
described 11-8
field descriptions 11-9
appliances
application partition image 25-11
initializing 23-8
logging in 22-2
terminal servers
UDLD protocol 7-23
upgrading recovery partition 25-5
Application Inspection and Control. See AIC.
application partition
described A-3
image recovery 25-11
application policy enforcement
applications in XML format A-2
applying software updates C-53
ARC
authentication A-14
blocking
application 15-2
connection-based A-16
not occurring for signature C-43
unconditional blocking A-16
block response A-13
Catalyst 6000 series switch
VACL commands A-18
VACLs A-18
Catalyst switches
VACLs A-15
VLANs A-15
described A-3
design 15-2
device access issues C-40
enabling SSH C-42
features A-13
firewalls
AAA A-17
connection blocking A-17
NAT A-18
network blocking A-17
postblock ACL A-15
preblock ACL A-15
shun command A-17
TACACS+ A-18
formerly Network Access Controller 15-1, 15-3
functions 15-2
illustration A-12
inactive state C-38
interfaces A-13
maintaining states A-16
managed devices 15-8
master blocking sensors A-13
maximum blocks 15-2
misconfigured master blocking sensor C-44
nac.shun.txt file A-16
NAT addressing A-14
number of blocks A-14
postblock ACL A-15
preblock ACL A-15
prerequisites 15-5
rate limiting 15-4
responsibilities A-12
single point of control A-14
SSH A-13
Telnet A-13
troubleshooting C-37
VACLs A-13
verifying device interfaces C-41
verifying status C-37
ARP
Layer 2 signatures B-13
protocol B-13
ARP spoof tools
dsniff B-13
ettercap B-13
ASA modules time sources C-17
ASDM resetting passwords 18-8, C-12
assigning actions to signatures 9-17
asymmetric traffic
disabling anomaly detection C-19
Atomic ARP engine
described B-13
parameters (table) B-13
Atomic IP Advanced engine
described B-14
restrictions B-15
Atomic IP engine
parameters (table) B-25
Atomic IPv6 engine
described B-28
signatures B-28
signatures (table) B-29
attack relevance rating
calculating risk rating 8-6, 12-3
described 8-6, 8-23, 12-3, 12-25
Attack Response Controller
described A-3
formerly known as Network Access Controller A-3
Attack Response Controller. See ARC.
attack severity rating
calculating risk rating 8-5, 12-3
Attacks Over Time gadgets
configuring 3-13
described 3-13
attemptLimit command 6-27
audit mode
described 13-8
testing global correlation 13-8
authenticated NTP 6-7, 6-14, C-16
authentication
local 6-17
RADIUS 6-17
AuthenticationApp
authenticating users A-20
described A-3
login attempt limit A-20
method A-20
responsibilities A-19
secure communications A-20
sensor configuration A-19
Authentication pane
configuring 6-23
described 6-17
field descriptions 6-21
user roles 6-18
Authorized Keys pane
configuring 14-3
described 14-2
field descriptions 14-2
RSA authentication 14-2
RSA key generation tool 14-3
Auto/Cisco.com Update pane
button functions 18-20
configuring 18-21
described 18-19
field descriptions 18-20
UNIX-style directory listings 18-19
user roles 18-19
automatic setup 23-2
automatic updates
Cisco.com 18-19
servers
FTP 18-19
SCP 18-19
troubleshooting C-53
automatic upgrade
information required 25-6
autonegotiation for hardware bypass 7-11
auto-upgrade-option command 25-6
B
backing up
configuration C-3
current configuration C-4, C-5
basic setup 23-4
blocking
described 15-2
disabling 15-8
master blocking sensor 15-25
necessary information 15-3
not occurring for signature C-43
prerequisites 15-5
supported devices 15-6
types 15-2
Blocking Devices pane
configuring 15-15
described 15-14
field descriptions 15-15
ssh host-key command 15-15
Blocking Properties pane
adding a host never to be blocked 15-11
configuring 15-10
described 15-7
field descriptions 15-8
BO
described B-66
Trojans B-66
BO2K
described B-66
Trojans B-66
Bug Toolkit
described C-1
URL C-1
bypass mode
AIP SSM 7-28
described 7-27
Bypass pane field descriptions 7-27
C
calculating risk rating
attack relevance rating 8-6, 12-3
attack severity rating 8-5, 12-3
signature fidelity rating 8-5, 12-3
cannot access sensor C-25
Cat 6K Blocking Device Interfaces pane
configuring 15-23
described 15-22
field descriptions 15-23
CDP mode
configuring 7-30
described 7-30
CDP Mode pane
configuring 7-30
field descriptions 7-30
certificates
displaying 14-11
generating 14-11
IDM 14-8
changing Microsoft IIS to UNIX-style directory listings 18-19
cidDump obtaining information C-91
CIDEE
defined A-34
example A-34
IPS extensions A-34
protocol A-34
supported IPS events A-34
cisco
default password 22-2
default username 22-2
Cisco.com
accessing software 24-2
downloading software 24-1
IPS software 24-1
software downloads 24-1
Cisco IOS software and rate limiting 15-4
Cisco IPS software files 25-2
Cisco Security Intelligence Operations
described 24-9
URL 24-9
Cisco Services for IPS
service contract 18-13
supported products 18-13
clear events command 6-12, 6-16, 19-4, C-18, C-91
Clear Flow States pane
described 19-27
field descriptions 19-28
clearing
flow states 19-28
statistics C-76
clear password command 18-6, 18-10, C-10, C-13
client manifest described A-28
clock set command 6-16
Clone Event Action Rules dialog box field descriptions 12-11
Clone Policy dialog box field descriptions 9-2, 11-9
Clone Signature dialog box field descriptions 9-8
cloning
anomaly detection policies 11-9
event action rules policies 12-11
signature definition policies 9-3
signatures 9-15
CollaborationApp described A-3, A-27
color rules described 20-2
command and control interface
described 7-2
list 7-2
commands
attemptLimit 6-27
auto-upgrade-option 25-6
clear events 6-12, 6-16, 19-4, C-18, C-91
clear password 18-6, 18-10, C-10, C-13
clock set 6-16
copy backup-config C-3
copy current-config C-3
debug module-boot C-67
downgrade 25-10
erase license-key 18-16
hw-module module 1 reset C-66
hw-module module slot_number password-reset 18-6, C-10
setup 6-1, 23-1, 23-4, 23-8, 23-13, 23-16, 23-20, 23-24
show events C-88
show health C-69
show statistics C-76
show statistics virtual-sensor C-23, C-76
show tech-support C-70
show version C-73
unlock user username 6-26
Compare Knowledge Bases dialog box field descriptions 19-20
component signatures
Meta engine B-34
risk rating B-34
configuration files
backing up C-3
merging C-3
configuration restrictions
alternate TCP reset interface 7-8
inline interface pairs 7-8
inline VLAN pairs 7-8
interfaces 7-8
physical interfaces 7-8
VLAN groups 7-9
Configured OS Map dialog box user roles 8-25, 12-24
Configure Summertime dialog box field descriptions 5-4, 6-10
configuring
account locking 6-27
account unlocking 6-26
AIC policy parameters 9-37
allowed hosts 6-5
allowed networks 6-5
application policy 9-38
Attacks Over Time gadgets 3-13
authorized keys 14-3
automatic upgrades 25-8
blocking devices 15-15
blocking properties 15-10
Cat 6K blocking device interfaces 15-23
CDP mode 7-30
CPU, Memory, & Load gadget 3-10
CSA MC IPS interfaces 17-4
device login profiles 15-13
event action filters 8-16, 12-18
events 19-3
external zone 11-33
Global Correlation Health gadget 3-8
Global Correlation Reports gadget 3-7
host blocks 19-7
illegal zone 11-26
inline VLAN pairs 5-11
inspection/reputation 13-9
interface pairs 7-20
interfaces 7-18
Interface Status gadget 3-6
internal zone 11-18
IP fragment reassembly signatures 9-42
IP logging 19-15
IPv4 target value rating 8-19, 12-21
IPv6 target value rating 8-22, 12-23
known host keys 14-6
learning accept mode 11-14
Licensing gadget 3-5
local authentication 6-23
maintenance partition
IDSM2 (Catalyst software) 25-29
IDSM2 (Cisco IOS software) 25-33
master blocking sensor 15-26
network blocks 19-9
network participation 13-10
Network Security gadget 3-9
network settings 6-3
NTP servers 6-13
operation settings 11-11
RADIUS authentication 6-24
rate limiting 19-11
rate limiting devices 15-15
router blocking device interfaces 15-20
RSS Feed gadgets 3-11
RSS feeds 4-2
Sensor Health gadget 3-5
Sensor Information gadget 3-3
Sensor Setup window 5-5
sensor to use NTP 6-14
SNMP 16-3
SNMP traps 16-4
TCP fragment reassembly parameters 9-49
time 6-10
Top Applications gadget 3-9
Top Attackers gadgets 3-11
Top Signatures gadgets 3-12
Top Victims gadgets 3-12
traffic flow notifications 7-29
trusted hosts 14-10
UDLD protocol 7-23
upgrades 25-4
users 6-23
VLAN groups 7-25
VLAN pairs 7-22
control transactions
characteristics A-8
request types A-8
copy backup-config command C-3
copy current-config command C-3
correcting time on the sensor 6-12, C-18
CPU, Memory, & Load gadget
configuring 3-10
described 3-10
creating
Atomic IP Advanced signature 9-25, 10-16
custom signatures
not using signature engines 10-4
Service HTTP 10-19
String TCP 10-24
using signature engines 10-2
Meta signatures 9-22
Post-Block VACLs 15-22
Pre-Block VACLs 15-22
service account C-6
cryptographic features (IME) 1-2
CSA MC
adding interfaces 17-7
configuring IPS interfaces 17-4
host posture events 17-1, 17-4
quarantined IP address events 17-1
supported IPS interfaces 17-4
CtlTransSource
illustration A-11
current configuration back up C-3
current KB setting 19-22
custom signatures
described 9-5
Custom Signature Wizard
Alert Response window field descriptions 10-28
Atomic IP Engine Parameters window field descriptions 10-15
ICMP Traffic Type window field descriptions 10-13
Inspect Data window field descriptions 10-13
MSRPC Engine Parameters window field descriptions 10-13
no signature engine sequence 10-4
Protocol Type window field descriptions 10-12
Service HTTP Engine Parameters window field descriptions 10-18
Service RPC Engine Parameters window field descriptions 10-21
Service Type window field descriptions 10-14
signature engine sequence 10-2
Signature Identification window field descriptions 10-12
State Engine Parameters window field descriptions 10-22
String ICMP Engine Parameters window field descriptions 10-23
String TCP Engine Parameters window field descriptions 10-23
String UDP Engine Parameters window field descriptions 10-26
Sweep Engine Parameters window field descriptions 10-27
TCP Sweep Type window field descriptions 10-14
TCP Traffic Type window field descriptions 10-14
UDP Sweep Type window field descriptions 10-14
UDP Traffic Type window field descriptions 10-13
Welcome window field descriptions 10-11
D
Dashboard pane gadgets 3-1
Data Archive pane
configuring 1-9
described 1-9
field descriptions 1-9
user roles 1-9
data archiving
configuring 1-9
data structures (examples) A-7
DDoS
protocols B-66
Stacheldraht B-66
TFN B-66
debug logging enable C-45
debug-module-boot command C-67
default policies
ad0 11-8
rules0 12-12
sig0 9-2
defaults
KB filename 11-12
password 22-2
restoring 18-25
username 22-2
virtual sensor vs0 8-3
deleting
anomaly detection policies 11-9
event action filters 8-16, 12-18
event action overrides 12-14
event action rules policies 12-11
imported OS values 19-27
IPv4 target value rating 8-19, 12-21
IPv6 target value rating 8-22, 12-23
KBs 19-23
learned OS values 19-26
signature definition policies 9-3
signature variables 9-27
virtual sensors 8-11
Demo mode (IME) 1-6
denied attackers
adding 19-5
clearing list 19-5
hit count 19-4
resetting hit counts 19-5
Denied Attackers pane
described 19-4
field descriptions 19-5
user roles 19-4
using 19-5
deny actions (list) 12-8
Deny Packet Inline described 8-11, 9-12, 12-10, 12-13, B-9
detect mode (anomaly detection) 11-4
device access issues C-40
Device Details pane described 2-1
Device List pane
described 2-1
field descriptions 2-2
Device Login Profiles pane
configuring 15-13
described 15-12
field descriptions 15-12
devices
adding 2-4
deleting 2-4
editing 2-4
device tools
DNS lookup 2-6
ping 2-6
traceroute 2-6
whois 2-6
Diagnostics Report pane
button functions 19-30
described 19-30
user roles 19-30
using 19-30
diagnostics reports 19-30
Differences between knowledge bases KB_Name and KB_Name window field descriptions 19-20
disabling
blocking 15-8
global correlation 13-11
interfaces 7-18
disaster recovery C-6
displaying
events C-89
health status C-69
password recovery setting 18-12, C-15
statistics C-76
tech support information C-71
version C-73
Distributed Denial of Service. See DDoS.
DNS lookup device tool (IME) 1-3
DNS lookup device tools (IME) 2-6
DoS tools B-6
downgrade command 25-10
downgrading sensors 25-10
downloading
software 24-1
downloading KBs 19-24
Download Knowledge Base From Sensor dialog box
described 19-24
field descriptions 19-24
duplicate IP addresses C-27
E
Edit Actions dialog box field descriptions 9-9
Edit Allowed Host dialog box
field descriptions 6-5
user roles 6-5
Edit Authorized Key dialog box
field descriptions 14-3
user roles 14-2
Edit Blocking Device dialog box
field descriptions 15-15
user roles 15-14
Edit Cat 6K Blocking Device Interface dialog box
field descriptions 15-23
user roles 15-22
Edit Configured OS Map dialog box field descriptions 8-26, 12-27
Edit Destination Port dialog box field descriptions 11-16, 11-24, 11-31
Edit Device Login Profile dialog box
field descriptions 15-13
user roles 15-12
Edit Event Action Filter dialog box
field descriptions 8-14, 12-16
Edit Event Action Override dialog box
field descriptions 8-11, 12-13
Edit Event Variable dialog box
field descriptions 8-29, 12-30
Edit External Product Interface dialog box
field descriptions 17-6
user roles 17-5
Edit Filter dialog box field descriptions 3-19
Edit Histogram dialog box field descriptions 11-16, 11-24, 11-31
editing
event action filters 8-16, 12-18
event action overrides 12-14
interfaces 7-18
IPv4 target value rating 8-19, 12-21
IPv6 target value rating 8-22, 12-23
signatures 9-16
signature variables 9-27
virtual sensors 8-11
Edit Inline VLAN Pair dialog box field descriptions 5-10, 7-22
Edit Interface dialog box field descriptions 7-17
Edit Interface Pair dialog box field descriptions 7-20
Edit IP Logging dialog box field descriptions 19-14
Edit IPv4 Target Value Rating dialog box
field descriptions 8-19, 12-21
Edit IPv6 Target Value Rating dialog box
field descriptions 8-21, 12-22
Edit Known Host Key dialog box
field descriptions 14-5
user roles 14-5
Edit Master Blocking Sensor dialog box
field descriptions 15-26
user roles 15-25
Edit Never Block Address dialog box
field descriptions 15-11
user roles 15-7
Edit Posture ACL dialog box field descriptions 17-7
Edit Protocol Number dialog box field descriptions 11-18, 11-25, 11-33
Edit Risk Level dialog box field descriptions 8-32, 12-33
Edit Router Blocking Device Interface dialog box
field descriptions 15-20
user roles 15-17
Edit Signature dialog box field descriptions 9-8
Edit Signature Variable dialog box
field descriptions 9-27
user roles 9-27
Edit SNMP Trap Destination dialog box field descriptions 16-4
Edit User dialog box
field descriptions 6-23
user roles 6-17
Edit Virtual Sensor dialog box
field descriptions 8-9
user roles 8-9
Edit VLAN Group dialog box field descriptions 7-25
efficacy
described 13-4
measurements 13-4
email notification
configuring 1-11
enabling
debug logging C-45
event action filters 8-16, 12-18
event action overrides 12-14
interfaces 7-18
Encryption Software Export Distribution Authorization 24-2
engines
AIC B-11
Fixed B-30
Flood B-32
Master B-4
Multi String B-35
Normalizer B-37
Service DNS B-40
Service FTP B-41
Service Generic B-42
Service H225 B-43
Service IDENT B-47
Service MSSQL B-49
Service NTP B-50
Service P2P B-50
Service SMB Advanced B-52
Service SNMP B-54
Service SSH B-54
Service TNS B-55
String 10-22, 10-23, 10-26, B-58
Sweep Other TCP B-63
Traffic ICMP B-66
Trojan B-66
EPS
described 1-3
IME Home pane 1-3
erase license-key command 18-16
evAlert A-8
event action filters
Event Action Filters tab
button functions 12-15
field descriptions 8-14, 12-15
event action overrides
adding 12-14
deleting 12-14
editing 12-14
enabling 12-14
Event Action Overrides tab
described 12-12
field descriptions 12-13
event action rules
described 12-2
functions 12-2
Event Action Rules (rules0) pane described 12-12
Event Action Rules pane
described 12-11
field descriptions 12-11
event action rules policies
adding 12-11
cloning 12-11
deleting 12-11
event actions and threat rating 12-4
event connection status
displaying 2-5
starting 2-5
stopping 2-5
events
displaying C-89
host posture 17-2
quarantined IP address 17-2
Events pane
configuring 19-3
described 19-2
field descriptions 19-2
Event Store
data structures A-7
described A-2
examples A-7
responsibilities A-7
timestamp A-7
event types C-87
event variables
Event Variables tab
field descriptions 8-29, 12-30
Event Viewer
described 20-1
field descriptions 19-3
event views using 20-4
evError A-8
evLogTransaction A-8
evShunRqst A-8
evStatus A-8
example custom signatures
Atomic IP Advanced 9-25, 10-16
Meta engine 9-22
examples
email notifications 1-12
external product interfaces
adding 17-7
described 17-1
trusted hosts 17-5
External Product Interfaces pane
described 17-5
field descriptions 17-5
external zone
configuring 11-33
protocols 11-30
user roles 11-30
External Zone tab
described 11-30
tabs 11-30
user roles 11-30
F
fail-over testing 7-10
false positives described 9-5
files
Cisco IPS 25-2
IDSM2 password recovery 18-9, C-13
filtering described 20-2
filters configuring 3-16, 20-6
Filter tab field descriptions 20-3
Fixed engine described B-30
Fixed ICMP engine parameters (table) B-30
Fixed TCP engine parameters (table) B-31
Fixed UDP engine parameters (table) B-32
Flood engine described B-32
Flood Host engine parameters (table) B-33
Flood Net engine parameters (table) B-33
flow states clearing 19-28
FTP servers supported 18-19, 25-2
G
gadgets
Attacks Over Time 3-13
CPU, Memory, & Load 3-10
Dashboard pane 3-1
Global Correlation Health 3-7
Global Correlation Reports 3-6
IDM 3-1
IME 3-1
Interface Status 3-6
Licensing 3-5
Network Security 3-8
RSS Feed 3-11
Sensor Health 3-4
Sensor Information 3-3
Top Applications 3-9
Top Attackers 3-11
Top Signatures 3-12
Top Victims 3-12
General pane
configuring 1-13
described 1-13
field descriptions 1-13
user roles 1-13
general settings
General Settings tab
field descriptions 8-34
General tab
field descriptions 12-35
generating diagnostics reports 19-30
global correlation
described 1-2, 13-1, 13-2, A-3
disabling 13-11
DNS server 13-6
error messages A-29
features 13-5
goals 13-5
health metrics 13-7
HTTP proxy server 13-6
license 6-3, 13-6, 13-8, 23-1, 23-5
requirements 13-6
update client (illustration) 13-8
global correlation connection status
displaying 2-5
starting 2-5
stopping 2-5
Global Correlation Health gadget
configuring 3-8
described 3-7
Global Correlation Reports gadget
configuring 3-7
described 3-6
Global Variables pane field description 18-18
Grouping events described 20-2
GRUB menu password recovery 18-4, C-8
H
H.225.0 protocol B-43
H.323 protocol B-43
hardware bypass
autonegotiation 7-11
configuration restrictions 7-10
fail-over 7-10
IPS 4270-20 7-10
supported configurations 7-10
with software bypass 7-10
health connection status
displaying 2-5
starting 2-5
stopping 2-5
Host Blocks pane
configuring 19-7
described 19-6
host posture events
CSA MC 17-4
described 17-2
HTTP/HTTPS servers 18-19, 25-2
HTTP deobfuscation
ASCII normalization 10-18, B-45
hw-module module 1 reset command C-66
hw-module module slot_number password-reset command 18-6, C-10
I
IDAPI
described A-3
functions A-32
illustration A-32
responsibilities A-32
IDCONF
described A-33
example A-33
IDIOM messages A-33
XML A-33
IDIOM
defined A-32
messages A-32
IDM
Analysis Engine is busy C-56
certificates 14-8
gadgets 3-1
Signature Wizard supported signature engines 10-3
TLS 14-8
will not load C-55
IDSM2
command and control port C-63
configuring
maintenance partition (Catalyst software) 25-29
maintenance partition (Cisco IOS software) 25-33
initializing 23-20
installing
system image (Catalyst software) 25-27
system image (Cisco IOS software) 25-28, 25-29
logging in 22-8
password recovery image file 18-9, C-13
reimaging 25-27
sessioning 22-8
setup command 23-20
supported configurations C-60
TCP reset port C-65
upgrading
maintenance partition (Catalyst software) 25-37
maintenance partition (Cisco IOS software) 25-38
illegal zones
configuring 11-26
user roles 11-22
Illegal Zone tab
described 11-22
user roles 11-22
IME
color rules 20-2
configuring
email notification 1-11
RSS feeds 4-2
cryptographic features 1-2
Demo mode 1-6
described 1-1
devices
adding 2-4
deleting 2-4
editing 2-4
email notification example 1-12
EPS 1-3
event connection status
displaying 2-5
starting 2-5
stopping 2-5
Event Viewer 20-1
filtering 20-2
gadgets 3-1
global correlation connection status
displaying 2-5
starting 2-5
stopping 2-5
grouping events 20-2
health connection status
displaying 2-5
starting 2-5
stopping 2-5
installation notes and caveats 1-7
IPS versions 1-5
menu features 1-3
MySQL database 1-7
password requirements 1-7
reports
configuring 21-2
described 21-1
generating 21-2
types 21-1
supported platforms 1-4
system requirements 1-4
using event views 20-4
video help 1-3
working with
top attacker IP addresses 3-13
top signatures 3-15
top victim IP addresses 3-13
IME Home pane
described 1-3
EPS 1-3
features 1-3
IME time synchronization problems C-58
Imported OS pane
clearing 19-27
described 19-26
field descriptions 19-27
inactive mode (anomaly detection) 11-4
initializing
AIM IPS 23-13
AIP SSM 23-16
appliances 23-8
IDSM2 23-20
NME IPS 23-24
user roles 23-2
verifying 23-27
inline interface pair mode
configuration restrictions 7-8
described 7-13
illustration 7-13
Inline Interface Pair window
described 5-9
Startup Wizard 5-9
inline VLAN pair mode
configuration restrictions 7-8
configuring 5-11
described 7-13
illustration 7-14
supported sensors 7-13
UDLD protocol 7-23
Inline VLAN Pairs window
described 5-9
field descriptions 5-10
Startup Wizard 5-9
Inspection/Reputation pane
configuring 13-9
described 13-8
field descriptions 13-9
installing
sensor license 18-15
system image
AIM IPS 25-21
AIP SSM 25-25
IDSM2 (Catalyst software) 25-27
IDSM2 (Cisco IOS software) 25-28, 25-29
IPS 4240 25-14
IPS 4255 25-14
IPS 4260 25-17
IPS 4270-20 25-19
NME IPS 25-39
InterfaceApp described A-2
interface pairs
configuring 7-20
described 7-19
Interface Pairs pane
configuring 7-20
described 7-19
field descriptions 7-19
interfaces
alternate TCP reset 7-2
command and control 7-2
configuration restrictions 7-8
configuring 7-18
disabling 7-18
editing 7-18
enabling 7-18
logical 5-7
physical 5-7
port numbers 7-1
slot numbers 7-1
support (table) 7-4
TCP reset 7-6
VLAN groups 7-2
Interface Selection window
described 5-9
Startup Wizard 5-9
Interfaces pane
configuring 7-18
described 7-16
field descriptions 7-16
Interface Status gadget
configuring 3-6
described 3-6
Interface Summary window
described 5-7
internal zones
configuring 11-18
user roles 11-15
Internal Zone tab
described 11-15
user roles 11-15
IP fragmentation described B-37
IP fragment reassembly
configuring 9-42
described 9-39
example signature 9-42
mode 9-42
parameters (table) 9-39
signatures 9-42
signatures (table) 9-39
IP logging
event actions 19-13
system performance 19-13
IP Logging pane
configuring 19-15
described 19-13
field descriptions 19-14
user roles 19-13
IP Logging Variables pane described 18-18
IP logs
circular buffer 19-13
states 19-13
TCPDUMP 19-13
viewing 19-15
WireShark 19-13
IPS 4240
installing system image 25-14
reimaging 25-13
IPS 4255
installing system image 25-14
reimaging 25-13
IPS 4260
installing system image 25-17
reimaging 25-17
IPS 4270-20
hardware bypass 7-10
installing system image 25-19
reimaging 25-19
IPS applications
summary A-35
table A-35
XML format A-2
IPS data
types A-8
XML document A-8
IPS events
evAlert A-8
evError A-8
evLogTransaction A-8
evShunRqst A-8
evStatus A-8
list A-8
types A-8
IPS internal communications A-32
IPS Manager Express described 1-1
IPS modules
time synchronization 6-8, C-17
unsupported features 5-1
IPS Policies pane
described 8-8
field descriptions 8-9
IPS software
application list A-2
available files 24-1
configuring device parameters A-4
directory structure A-34
Linux OS A-1
obtaining 24-1
platform-dependent release examples 24-6
retrieving data A-4
security features A-5
tuning signatures A-4
updating A-4
user interaction A-4
versioning scheme 24-3
IPS software file names
major updates (illustration) 24-4
minor updates (illustration) 24-4
patch releases (illustration) 24-4
service packs (illustration) 24-4
IPS versions supported (IME) 1-5
IPv4 target value rating
configuring 8-19
IPv4 Target Value Rating tab
field descriptions 8-19, 12-20
IPv6
described B-28
SPAN ports 7-12
switches 7-12
IPv6 target value rating
IPv6 Target Value Rating tab
field descriptions 8-21, 12-22
K
KBs
comparing 19-21
default filename 11-12
deleting 19-23
described 11-3
downloading 19-24
initial baseline 11-3
learning accept mode 11-12
loading 19-22
monitoring 19-19
renaming 19-23
saving 19-22
scanner threshold 11-12, 19-16
uploading 19-25
Known Host Keys pane
configuring 14-6
described 14-5
field descriptions 14-5
L
Learned OS pane
clearing 19-26
described 19-26
field descriptions 19-26
learned OS values
clearing 19-26
deleting 19-26
learning accept mode
anomaly detection 11-3
configuring 11-14
user roles 11-12
Learning Accept Mode tab
described 11-12
field descriptions 11-13
user roles 11-12
license files
BSD license D-3
expat license D-12
GNU Lesser license D-33
GNU license D-28
license key
uninstalling 18-16
license key trial 18-13
licensing
described 18-13
IPS device serial number 18-13
Licensing gadget
configuring 3-5
described 3-5
Licensing pane
configuring 18-15
described 18-13
field descriptions 18-14
user roles 18-12
limitations for concurrent CLI sessions 22-1, A-29
listings UNIX-style 18-19
loading KBs 19-22
local authentication configuring 6-23
Logger
functions A-19
syslog messages A-19
logging in
AIM IPS 22-5
AIP SSM 22-6
appliances 22-2
IDSM2 22-8
NME IPS 22-10
sensors
SSH 22-11
Telnet 22-11
service role 22-2
user role 22-1
LOKI
described B-66
protocol B-66
loose connections on sensors C-23
M
MainApp
components A-5
host statistics A-6
responsibilities A-6
show version command A-6
maintenance partition
configuring
IDSM2 (Catalyst software) 25-29
IDSM2 (Cisco IOS software) 25-33
maintenance partition described A-3
major updates described 24-3
Manage Filter Rules dialog box field descriptions 3-18
managing rate limiting 19-11
manifests
client A-28
server A-28
manual block to bogus host C-42
master blocking sensor
described 15-25
not set up properly C-44
Master Blocking Sensor pane
configuring 15-26
described 15-25
field descriptions 15-26
Master engine
alert frequency B-6
alert frequency parameters (table) B-6
described B-3
event actions B-7
general parameters (table) B-4
master engine parameters
obsoletes B-6
promiscous delta B-5
vulnerable OSes B-6
merging configuration files C-3
Meta engine
component signatures B-34
parameters (table) B-35
Signature Event Action Processor 9-22, B-34
Meta Event Generator described 8-33, 12-34
Meta signature
component signatures B-34
creating 9-22
minor updates described 24-3
Miscellaneous tab
button functions 9-30
configuring
application policy 9-37
IP fragment reassembly mode 9-42
IP logging 9-50
TCP stream reassembly mode 9-48
described 9-29
field descriptions 9-30
user roles 9-29
modes
anomaly detection detect 11-4
anomaly detection inactive 11-4
anomaly detection learning accept 11-3
bypass 7-27
inline interface pair 7-13
inline VLAN pair 7-13
VLAN Groups 7-14
modify packets inline modes 8-4
monitoring
events 19-3
KBs 19-19
Multi String engine
described B-35
parameters (table) B-36
Regex B-36
MySDN described 9-5
MySQL database
coexisting with IME 1-7
installing IME 1-7
N
NAS-ID
described 6-24
RADIUS authentication 6-24
Neighborhood Discovery
Atomic IPv6 engine B-28
options B-29
types B-29
Network Blocks pane
configuring 19-9
described 19-9
field descriptions 19-9
user roles 19-8
Network pane
configuring 6-3
field descriptions 6-2
TLS/SSL 6-4
user roles 6-2
network participation
data gathered 13-3
described 13-3
health metrics 13-7
modes 13-4
requirements 13-4
statistics 13-4
Network Participation pane
configuring 13-10
described 13-10
field descriptions 13-10
Network Security gadget
configuring 3-9
described 3-8
network security health data resetting 19-29
never block
hosts 15-8
networks 15-8
NME IPS
initializing 23-24
installing system image 25-39
logging in 22-10
reimaging 25-39
session command 22-10
setup command 23-24
Normalizer engine
described B-37
IP fragment reassembly B-37
parameters (table) B-38
TCP stream reassembly B-37
Normalizer mode described 8-4
NotificationApp
alert information A-9
described A-3
functions A-9
SNMP gets A-9
SNMP traps A-9
statistics A-10
system health information A-10
Notification pane
configuring 1-11
field descriptions 1-10
user roles 1-10
NTP
configuring servers 6-13
incorrect configuration 6-8, C-17
time synchronization 6-7, C-16
unauthenticated 6-7, 6-14, C-16
verifying configuration 6-9
O
obsoletes field described B-6
one-way TCP reset described 8-33, 12-34
Operation Settings tab
described 11-10
field descriptions 11-11
OS Identifications tab
field descriptions 8-25, 12-26
OS maps
other actions (list) 12-9
Other Protocols tab
enabling other protocols 11-17
external zone 11-32
field descriptions 11-17, 11-32
illegal zone 11-25
P
P2P networks described B-50
partitions
application A-3
maintenance A-3
recovery A-3
passive OS fingerprinting
password policy caution 18-2, 18-3
password recovery
password requirements configuring 18-2
Passwords pane
described 18-1
field descriptions 18-2
patch releases described 24-3
peacetime learning (anomaly detection) 11-3
physical connectivity issues C-31
physical interfaces configuration restrictions 7-8
ping device tool (IME) 1-3
ping IME device tools 2-6
platforms and concurrent CLI sessions 22-1, A-29
prerequisites for blocking 15-5
promiscuous delta
calculating risk rating 8-6, 12-3
promiscuous delta described B-5
promiscuous mode
atomic attacks 7-11
illustration 7-12
SPAN ports 7-12
VACL capture 7-12
protocols
ARP B-13
CDP 7-30
CIDEE A-34
DDoS B-66
H.323 B-43
H225.0 B-43
ICMPv6 B-14
IDAPI A-32
IDCONF A-33
IDIOM A-32
IPv6 B-28
LOKI B-66
MSSQL B-49
Neighborhood Discovery B-29
Q.931 B-43
SDEE A-33
Signature Wizard 10-12
UDLD 7-23
Q
Q.931 protocol
described B-43
SETUP messages B-43
quarantined IP address events described 17-2
R
RADIUS authentication
configuring 6-24
described 6-17
NAS-ID 6-24
service account 6-20
shared secret 6-25
rate limiting
ACLs 15-5
configuring 19-11
described 15-4
managing 19-11
percentages 19-10
routers 15-4
service policies 15-5
supported signatures 15-4
Rate Limits pane
described 19-10
field descriptions 19-11
rebooting the sensor 18-26
Reboot Sensor pane
configuring 18-26
described 18-26
user roles 18-26
receiving RSS feeds 4-1
recover command 25-10
recovering
AIP SSM C-67
application partition image 25-11
recovery partition
described A-3
upgrading 25-5
Regular Expression. See Regex.
regular expression syntax signatures B-9
reimaging
AIP SSM 25-24
appliances 25-10
described 25-1
IDSM2 25-27
IPS 4240 25-13
IPS 4255 25-13
IPS 4260 25-17
IPS 4270-20 25-19
NME IPS 25-39
removing
last applied
service pack 25-10
signature update 25-10
Rename Knowledge Base dialog box field descriptions 19-23
renaming KBs 19-23
reports
configuring 21-2
described 21-1
generating 21-2
report types
Attacks Over Time 21-1
Top Attackers 21-1
Top Signatures 21-1
Top Victim 21-1
reputation
described 13-2
illustration 13-3
servers 13-3
requirements
IME passwords 1-7
Reset Network Security Health pane
described 19-29
field descriptions 19-29
user roles 19-29
reset not occurring for a signature C-51
resetting
AIP SSM C-66
network security health data 19-29
passwords
Restore Default Interface dialog box field descriptions 5-8
Restore Defaults pane
configuring 18-25
described 18-25
user roles 18-25
restoring
current configuration C-5
defaults 18-25
restoring the current configuration C-4, C-5
risk categories
Risk Category tab
field descriptions 8-31, 12-32
risk rating
Alarm Channel 13-5
component signatures B-34
reputation score 13-4
ROMMON
described 25-12
IPS 4240 25-14
IPS 4255 25-14
IPS 4260 25-17
remote sensors 25-12
serial console port 25-12
TFTP 25-12
Router Blocking Device Interfaces pane
configuring 15-20
described 15-17
field descriptions 15-19
RSS Feed gadgets
configuring 3-11
described 3-11
RSS feeds
channels 4-1
configuring 4-2
described 4-1
formats 4-1
receiving 4-1
RTT
described 25-12
TFTP limitation 25-12
S
Save Knowledge Base dialog box
described 19-22
field descriptions 19-22
saving KBs 19-22
scheduling automatic upgrades 25-8
SDEE
described A-33
HTTP A-33
protocol A-33
server requests A-33
security
account locking 6-27
information on Cisco Security Intelligence Operations 24-9
MySDN 9-5
security policies described 8-1, 9-1, 11-1, 12-1
security SSH 14-1
sensing interfaces
described 7-3
interface cards 7-3
modes 7-3
SensorApp
Alarm Channel A-23
Analysis Engine A-23
anomaly detection A-24
described A-3
event action filtering A-24
inline packet processing A-24
IP normalization A-24
packet flow A-25
process not running C-29
processors A-22
responsibilities A-22
Signature Event Action Processor A-22, A-25
TCP normalization A-24
SensorBase Network
servers 1-2
Sensor Health gadget
configuring 3-5
described 3-4
metrics 3-4
status 3-4
Sensor Health pane
described 18-17
field descriptions 18-17
Sensor Information gadget
configuring 3-3
described 3-3
Sensor Key pane
button functions 14-7
described 14-7
field descriptions 14-7
sensor SSH key
displaying 14-7
generating 14-7
user roles 14-7
sensors
access problems C-25
asymmetric traffic and disabling anomaly detection C-19
blocking themselves 15-8
configuring to use NTP 6-14
corrupted SensorApp configuration C-36
diagnostics reports 19-30
disaster recovery C-6
downgrading 25-10
incorrect NTP configuration 6-8, C-17
interface support 7-4
IP address conflicts C-27
license 18-15
logging in
SSH 22-11
Telnet 22-11
loose connections C-23
misconfigured access lists C-27
not seeing packets C-34
NTP time source 6-14
NTP time synchronization 6-7, C-16
partitions A-3
physical connectivity C-31
preventive maintenance C-2
rebooting 18-26
recovering the system image 24-8
restoring defaults 18-25
sensing process not running C-29
setting up 6-1
setup command 6-1, 23-1, 23-4, 23-8
shutting down 18-26
statistics 19-31
system images 24-8
system information 19-32
troubleshooting software upgrades C-54
upgrading 25-4
using NTP time source 6-13
Sensor Setup window
described 5-2
Startup Wizard 5-2
Server Certificate pane
button functions 14-11
certificate
displaying 14-11
generating 14-11
described 14-11
field descriptions 14-11
user roles 14-11
server manifest described A-28
service account
creating C-6
RADIUS authentication 6-20
TAC A-31
troubleshooting A-31
Service DNS engine
described B-40
parameters (table) B-40
Service engine
described B-40
Layer 5 traffic B-40
Service FTP engine
described B-41
parameters (table) B-41
PASV port spoof B-41
Service Generic engine
described B-42
parameters (table) B-42
Service H225 engine
ASN.1PER validation B-43
described B-43
features B-44
parameters (table) B-44
TPKT validation B-43
Service HTTP engine
custom signature 10-19
example signature 10-19
parameters (table) B-46
Service IDENT engine
described B-47
parameters (table) B-48
service-module ids-sensor slot/port session command 22-4, 22-9
Service MSRPC engine
parameters (table) B-48
Service MSSQL engine
described B-49
MSSQL protocol B-49
parameters (table) B-49
Service NTP engine
described B-50
parameters (table) B-50
Service P2P engine described B-50
service packs described 24-3
Service RPC engine
parameters (table) 10-21, B-50, B-51
Service SMB Advanced engine
described B-52
parameters (table) B-52
Service SNMP engine
described B-54
parameters (table) B-54
Service SSH engine
described B-54
parameters (table) B-55
Service TNS engine
described B-55
parameters (table) B-56
session command
AIM IPS 22-5
AIP SSM 22-6
IDSM2 22-8
NME IPS 22-10
sessioning
AIM IPS 22-5
AIP SSM 22-6
IDSM2 22-8
NME IPS 22-10
setting
current KB 19-22
system clock 6-16
setting up
sensors 6-1
setup
automatic 23-2
command 6-1, 23-1, 23-4, 23-8, 23-13, 23-16, 23-20, 23-24
simplified mode 23-2
shared secret
described 6-25
RADIUS authentication 6-25
show events command C-88
show health command C-69
show interfaces command C-86
show settings command 18-12, C-15
show statistics command C-76
show statistics virtual-sensor command C-23, C-76
show tech-support command C-70
show version command C-73
Shut Down Sensor pane
configuring 18-26
described 18-26
user roles 18-26
shutting down the sensor 18-26
sig0 pane
default 9-4
described 9-4
signatures
assigning actions 9-17
cloning 9-14
tuning 9-16
tabs 9-4
sig0 pane field descriptions 9-7
signature/virus update files described 24-4
signature definition policies
adding 9-3
cloning 9-3
default policy 9-2
deleting 9-3
sig0 9-2
Signature Definitions pane
described 9-2
field descriptions 9-2
signature engines
AIC B-11
Atomic B-13
Atomic ARP B-13
Atomic IP Advanced B-14
Atomic IPv6 B-28
creating custom signatures 10-2
described B-1
event actions B-7
Fixed B-30
Flood B-32
Flood Host B-33
Flood Net B-33
list B-2
Master B-4
Multi String B-35
Normalizer B-37
Regex
patterns B-10
syntax B-9
Service B-40
Service DNS B-40
Service FTP B-41
Service Generic B-42
Service H225 B-43
Service IDENT B-47
Service MSSQL B-49
Service NTP engine B-50
Service P2P B-50
Service SMB Advanced B-52
Service SNMP B-54
Service SSH engine B-54
Service TNS B-55
String 10-22, 10-23, 10-26, B-58
supported by IDM 10-3
Sweep Other TCP B-63
Traffic Anomaly B-64
Traffic ICMP B-66
Trojan B-66
signature engine update files described 24-4
Signature Event Action Filter
Signature Event Action Handler described 12-6, A-26
Signature Event Action Override described 12-6, A-25
Signature Event Action Processor
signature fidelity rating
calculating risk rating 8-5, 12-3
signatures
adding 9-13
alert frequency 9-19
assigning actions 9-17
cloning 9-15
custom 9-5
default 9-5
described 9-4
editing 9-16
false positives 9-5
rate limits 15-4
subsignatures 9-5
tuned 9-5
tuning 9-16
signatures and TCP reset C-51
signature updates installation time 18-20
signature variables
adding 9-27
deleting 9-27
described 9-27
editing 9-27
Signature Variables tab
configuring 9-27
field descriptions 9-27
Signature Wizard
alert behavior 10-28
described 10-1
protocols 10-12
signature identification 10-12
supported signature engines 10-3
using 10-5
SNMP
configuring 16-3
described 16-1
Get 16-1
GetNext 16-1
Set 16-1
Trap 16-1
SNMP General Configuration pane
configuring 16-3
described 16-2
field descriptions 16-2
user roles 16-2
SNMP traps
configuring 16-4
described 16-1
SNMP Traps Configuration pane
button functions 16-4
described 16-4
field descriptions 16-4
software architecture
ARC (illustration) A-12
IDAPI (illustration) A-32
software bypass
supported configurations 7-10
with hardware bypass 7-10
software downloads Cisco.com 24-1
software file names
recovery (illustration) 24-5
signature/virus updates (illustration) 24-4
signature engine updates (illustration) 24-5
system image (illustration) 24-5
software release examples
platform-dependent 24-6
platform identifiers 24-7
platform-independent 24-6
software updates
supported FTP servers 18-19, 25-2
supported HTTP/HTTPS servers 18-19, 25-2
SPAN port issues C-31
SSH
described 14-1
security 14-1
SSH Server
private keys A-20
public keys A-20
standards for CIDEE A-34
Startup Wizard
access lists 5-4
adding virtual sensors 5-13
Add Virtual Sensor dialog box 5-12
AIP SSM 5-2
described 5-1
Inline Interface Pair window
described 5-9
field descriptions 5-9
Inline VLAN Pairs window configuring 5-11
Interface Selection window 5-9
Interface Summary window 5-7
Sensor Setup window 5-2
configuring 5-5
field descriptions 5-2
Traffic Inspection Mode window 5-8
Virtual Sensors window
described 5-12
field descriptions 5-12
VLAN groups unsupported 5-1, 5-8
State engine
parameters (table) B-57
Statistics pane
categories 19-31
described 19-31
using 19-31
statistics viewing 19-31
String engine described 10-22, 10-23, 10-26, B-58
String ICMP engine parameters (table) B-59
String TCP engine
custom signature 10-24
example signature 10-24
parameters (table) B-59
String UDP engine parameters (table) B-60
subinterface 0 described 7-14
subsignatures described 9-5
summarization
Global Summarization 8-7, 12-6
Summarizer described 8-33, 12-34
Summary pane
button functions 7-16
described 7-15
supported
HTTP/HTTPS servers 18-19, 25-2
IDSM2 configurations C-60
IPS interfaces for CSA MC 17-4
platforms for IME 1-4
Sweep engine
Sweep Other TCP engine described B-63
switch commands for troubleshooting C-60
system architecture
directory structure A-34
supported platforms A-1
system clock setting 6-16
System Configuration Dialog
described 23-2
example 23-2
system design (illustration) A-2
system image
installing
AIM IPS 25-21
AIP SSC-5 25-25
AIP SSM 25-25
IDSM2 (Catalyst software) 25-27
IDSM2 (Cisco IOS software) 25-28
IPS 4240 25-14
IPS 4255 25-14
IPS 4260 25-17
IPS 4270-20 25-19
NME IPS 25-39
sensors 24-8
System Information pane
described 19-31
using 19-32
system information viewing 19-32
system requirements for IME 1-4
T
TAC
service account 6-19, A-31, C-5
show tech-support command C-70
target value rating
calculating risk rating 8-5, 12-3
described 8-5, 8-19, 8-21, 12-3, 12-20, 12-22
TCP fragmentation described B-37
TCP Protocol tab
enabling TCP 11-15
external zone 11-30
field descriptions 11-16
illegal zone 11-23
TCP reset
not occurring C-51
TCP reset interfaces
conditions 7-7
described 7-6
list 7-7
TCP resets
IDSM2 port C-65
TCP stream reassembly
described 9-43
mode 9-48
parameters (table) 9-44
signatures (table) 9-44
terminal server setup 22-3, 25-13
testing fail-over 7-10
TFN2K
described B-66
Trojans B-66
TFTP servers
maximum file size limitation 25-12
RTT 25-12
threat rating
risk rating 12-4
Thresholds for KB Name window
described 19-18
field descriptions 19-19
filtering information 19-18
time
correction on the sensor 6-12, C-18
synchronization for IPS modules 6-8, C-17
Time pane
configuring 6-10
described 6-7
user roles 6-7
time sources
ASA modules C-17
TLS
described 6-4
handshaking 14-8
IDM 14-8
Top Applications gadget
configuring 3-9
described 3-9
Top Attackers gadgets
configuring 3-11
described 3-11
Top Signatures gadgets
configuring 3-12
described 3-12
Top Victims gadgets
configuring 3-12
described 3-12
traceroute device tool (IME) 1-3
traceroute IME device tools 2-6
Traffic Anomaly engine
described B-64
protocols B-64
signatures B-64
traffic flow notifications
configuring 7-29
described 7-28
Traffic Flow Notifications pane
configuring 7-29
field descriptions 7-29
Traffic ICMP engine
DDoS B-66
described B-66
LOKI B-66
parameters (table) B-66
TFN2K B-66
Traffic Inspection Mode window described 5-8
Traps Configuration pane configuring 16-4
trial license key 18-13
Tribe Flood Network 2000. See TFN2K.
Trojan engine
BO2K B-66
described B-66
TFN2K B-66
Trojans
BO B-66
BO2K B-66
LOKI B-66
TFN2K B-66
troubleshooting C-1
AIP SSM
debugging C-67
recovering C-67
reset C-66
Analysis Engine busy C-56
applying software updates C-53
ARC
blocking not occurring for signature C-43
device access issues C-40
enabling SSH C-42
inactive state C-38
misconfigured master blocking sensor C-44
verifying device interfaces C-41
automatic updates C-53
cannot access sensor C-25
cidDump C-91
cidLog messages to syslog C-50
communication C-24
corrupted SensorApp configuration C-36
debug logger zone names (table) C-49
debug logging C-45
disaster recovery C-6
duplicate sensor IP addresses C-27
enabling debug logging C-45
external product interfaces 17-10, C-22
gathering information C-69
global correlation 13-11, C-21
IDM
cannot access sensor C-56
will not load C-55
IDSM2
command and control port C-63
diagnosing problems C-59
not online C-63
serial cable C-65
status indicator C-61
switch commands C-60
IME time synchronization C-58
IPS modules time drift 6-8, C-17
manual block to bogus host C-42
misconfigured access list C-27
NTP C-51
physical connectivity issues C-31
preventive maintenance C-2
reset not occurring for a signature C-51
sensing process not running C-29
sensor events C-87
sensor loose connections C-23
sensor not seeing packets C-34
sensor software upgrade C-54
show events command C-87
show interfaces command C-86
show statistics command C-75, C-76
show tech-support command C-70, C-71
show version command C-73
software upgrades C-52
SPAN port issue C-31
upgrading C-53
verifying Analysis Engine is running C-21
verifying ARC status C-37
Trusted Hosts pane
configuring 14-10
described 14-9
field descriptions 14-9
tuned signatures described 9-5
tuning
AIC signatures 9-38
IP fragment reassembly signatures 9-42
signatures 9-16
U
UDLD described 7-23
UDP Protocol tab
enabling UDP 11-17
external zone 11-31
field descriptions 11-31
illegal zone 11-24
unassigned VLAN groups described 7-14
unauthenticated NTP 6-7, 6-14, C-16
UniDirectional Link Detection. See UDLD.
uninstalling
license key 18-16
UNIX-style directory listings 18-19
unlocking accounts 6-26
unlock user username command 6-26
updater client described A-28
Update Sensor pane
configuring 18-24
described 18-23
field descriptions 18-23
user roles 18-23
updating
Cisco.com 18-23
FTP server 18-23
sensors 18-24
upgrading
latest version C-53
maintenance partition
IDSM2 (Catalyst software) 25-37
IDSM2 (Cisco IOS software) 25-38
minimum required version 24-7
recovery partition 25-5, 25-10
sensors 25-4
to 6.2 24-7
to 7.0 24-7
uploading KBs
FTP 19-24
SCP 19-24
Upload Knowledge Base to Sensor dialog box
described 19-24
field descriptions 19-24
URLs for Cisco Security Intelligence Operations 24-9
user roles authentication 6-17
users
configuring 6-23
Users pane
configuring 6-23
user roles A-30
using
debug logging C-45
TCP reset interfaces 7-7
V
VACLs
described 15-3
Post-Block 15-22
Pre-Block 15-22
verifying
NTP configuration 6-9
sensor initialization 23-27
sensor setup 23-27
video help described 1-3
viewing
IP logs 19-15
statistics 19-31
system information 19-32
virtual sensors
default virtual sensor 8-3, 8-8
deleting 8-11
editing 8-11
stream segregation 8-4
Virtual Sensors window described 5-12
VLAN groups
802.1q encapsulation 7-15
configuration restrictions 7-9
configuring 7-25
deploying 7-24
described 7-14
switches 7-24
VLAN Groups pane
configuring 7-25
described 7-24
field descriptions 7-25
VLAN IDs 7-24
VLAN Pairs pane
configuring 7-22
describing 7-21
field descriptions 7-21
vulnerable OSes field
described B-6
W
watch list rating
calculating risk rating 8-6, 12-4
Web Server
HTTP 1.0 and 1.1 support A-21
private keys A-20
public keys A-20
SDEE support A-21
whois device tool (IME) 1-3
whois IME device tools 2-6
worms
Blaster 11-2
Code Red 11-2
histograms 11-12
Nimbda 11-2
protocols 11-3
Sasser 11-2
scanners 11-3
Slammer 11-2
SQL Slammer 11-2
Z
zones
external 11-4
illegal 11-4
internal 11-4