Cisco Intrusion Prevention System Manager Express Configuration Guide for IPS 7.1
Index

Numerics

4GE bypass interface card

configuration restrictions 7-10

described 7-10

802.1q encapsulation for VLAN groups 7-17

A

AAA RADIUS

functionality 6-19

limitations 6-19

accessing

IPS software 26-2

service account 6-18, C-5

access list misconfiguration C-29

access lists

necessary hosts 5-3

Startup Wizard 5-3

account locking

configuring 6-24

security 6-25

account unlocking configuring 6-26

ACLs

adding 5-5

described 16-3

Post-Block 16-17, 16-18

Pre-Block 16-17, 16-18

ad0 pane

default 13-10

described 13-10

tabs 13-10

Add ACL Entry dialog box field descriptions 5-3

Add Allowed Host dialog box

field descriptions 6-6

user roles 6-5

Add Authorized Key dialog box

field descriptions 15-3

user roles 15-2

Add Blocking Device dialog box

field descriptions 16-15

user roles 16-14

Add Cat 6K Blocking Device Interface dialog box

field descriptions 16-22

user roles 16-21

Add Configured OS Map dialog box

field descriptions 8-32, 12-25

user roles 8-31, 12-23

Add Destination Port dialog box

field descriptions 13-17, 13-23, 13-30

user roles 13-15

Add Device dialog box field descriptions 2-3

Add Device Login Profile dialog box

field descriptions 16-12

user roles 16-12

Add Event Action Filter dialog box

field descriptions 8-21, 12-15

user roles 12-15

Add Event Action Override dialog box

field descriptions 8-12, 12-13

user roles 8-12, 12-13

Add Event Variable dialog box

field descriptions 8-35, 12-28

user roles 8-34, 12-27

Add External Product Interface dialog box

field descriptions 19-6

user roles 19-4

Add Filter dialog box field descriptions 3-19, 22-3

Add Histogram dialog box

field descriptions 13-17, 13-24, 13-30

user roles 13-15

Add Host Block dialog box field descriptions 17-4

adding

ACLs 5-5

a host never to be blocked 16-11

anomaly detection policies 13-10

blocking devices 16-15

CSA MC interfaces 19-7

denied attackers 17-2

event action filters 8-23, 12-17

event action overrides 12-13

event action rules policies 12-12

event variables 8-36, 12-29

external product interfaces 19-7

host blocks 17-4

IPv4 target value ratings 8-26, 12-20

IPv6 target value ratings 8-28, 12-22

network blocks 17-7

OS maps 8-33, 12-26

rate limiting devices 16-15

rate limits 17-9

risk categories 8-38, 12-31

signature definition policies 10-8

signatures 10-17

signature variables 10-37

virtual sensors 5-13, 8-13

virtual sensors (ASA 5500 AIP SSM) 8-16

virtual sensors (ASA 5500-X IPS SSP) 8-16

virtual sensors (ASA 5585-X IPS SSP) 8-16

Add Inline VLAN Pair dialog box

field descriptions 7-24

user roles 7-23

Add Inline VLAN Pair Entry dialog box field descriptions 5-10

Add Interface Pair dialog box

field descriptions 7-22

user roles 7-22

Add IP Logging dialog box field descriptions 17-11

Add Known Host Key dialog box

field descriptions 15-5

user roles 15-4

Add Master Blocking Sensor dialog box

field descriptions 16-25

user roles 16-24

Add Network Block dialog box field descriptions 17-6

Add Never Block Address dialog box

field descriptions 16-10

user roles 16-7

Add Policy dialog box

field descriptions 9-2, 10-8, 12-11, 13-9

user roles 10-7, 12-11, 13-9

Add Posture ACL dialog box field descriptions 19-7

Add Protocol Number dialog box field descriptions 13-18, 13-25, 13-32

Add Rate Limit dialog box

field descriptions 17-8

user role 17-7

Address Resolution Protocol. See ARP.

Add Risk Level dialog box

field descriptions 8-38, 12-31

user roles 8-37, 12-30

Add Router Blocking Device Interface dialog box

field descriptions 16-19

user roles 16-17

Add Signature dialog box field descriptions 10-12

Add Signature Variable dialog box

field descriptions 10-36

user roles 10-36

Add SNMP Trap Destination dialog box

field descriptions 18-5

user roles 18-4

Add Start Time dialog box

field descriptions 13-14

user roles 13-12

Add Target Value Rating dialog box

field descriptions 8-26, 8-28

user roles 8-25, 8-27

Add Trusted Host dialog box

field descriptions 15-9

user roles 15-8

Add User dialog box

field descriptions 6-22

user roles 6-19, 6-22

Add Virtual Sensor dialog box

described 5-12, 8-10

field descriptions 5-13, 8-10

user roles 8-10

Add VLAN Group dialog box

field descriptions 7-27

user roles 7-26

Advanced Alert Behavior Wizard

Alert Dynamic Response Fire All window field descriptions 11-27

Alert Dynamic Response Fire Once window field descriptions 11-28

Alert Dynamic Response Summary window field descriptions 11-28

Alert Summarization window field descriptions 11-27

Event Count and Interval window field descriptions 11-26

Global Summarization window field descriptions 11-29

aggregation

alert frequency 8-7, 12-5

operating modes 8-7, 12-5

AIC

policy 10-48

signatures (example) 10-48

AIC engine

AIC FTP B-11

AIC FTP engine parameters (table) B-12

AIC HTTP B-11

AIC HTTP engine parameters (table) B-12

described B-11

features B-11

signature categories 10-40

AIC policy enforcement

default configuration 10-41, B-11

described 10-41, B-11

sensor oversubscription 10-41, B-11

Alarm Channel

described 12-6, A-26

risk rating 14-5

alert and log actions (list) 10-2, 10-14, 12-8

alert behavior

Custom Signature Wizard 11-26

normal 11-26

alert frequency

aggregation 10-23

configuring 10-23

controlling 10-23

modes B-7

allocate-ips command 8-15

Allowed Hosts/Networks pane

configuring 6-6

described 6-5

field descriptions 6-6

alternate TCP reset interface

configuration restrictions 7-12

designating 7-9

restrictions 7-2

Analysis Engine

described 8-2

error messages C-25

errors C-55

IDM exits C-58

sensing interfaces 7-3

verify it is running C-22

virtual sensors 8-2

anomaly detection

asymmetric traffic 13-2

caution 13-2

configuration sequence 13-5

default anomaly detection configuration 13-4

default configuration (example) 13-4

described 13-2

detect mode 13-4

enabling 13-4

event actions 13-7, B-70

inactive mode 13-4

learning accept mode 13-3

learning process 13-3

limiting false positives 13-13, 21-7

operation settings 13-11

protocols 13-3

signatures (table) 13-7, B-70

signatures described 13-7

worms

attacks 13-13, 21-6

described 13-3

zones 13-5

anomaly detection disabling 13-35, C-21

Anomaly Detection pane

button functions 21-7

described 21-6

field descriptions 21-7

user roles 21-6

anomaly detection policies

ad0 13-9

adding 13-10

cloning 13-10

default policy 13-9

deleting 13-10

Anomaly Detections pane

described 13-9

field descriptions 13-9

user roles 13-9

appliances

GRUB menu 20-5, C-8

initializing 25-8

logging in 24-2

password recovery 20-5, C-8

setting system clock 6-16

terminal servers

described 24-3, 27-12

setting up 24-3, 27-12

time sources 6-10, C-18

upgrading recovery partition 27-5

Application Inspection and Control. See AIC.

application partition

described A-4

image recovery 27-11

application policy enforcement described 10-41, B-11

applications in XML format A-4

applying signature threat profiles 5-15

applying software updates C-55

ARC

ACLs 16-18, A-14

authentication A-15

blocking

connection-based A-17

response A-13

unconditional blocking A-17

blocking application 16-2

blocking not occurring for signature C-44

Catalyst switches

VACL commands A-19

VACLs A-16, A-19

VLANs A-16

checking status 16-3, 16-4

described A-4

design 16-2

device access issues C-42

enabling SSH C-44

features A-14

firewalls

AAA A-18

connection blocking A-18

NAT A-18

network blocking A-18

postblock ACL A-16

preblock ACL A-16

shun command A-18

TACACS+ A-18

formerly Network Access Controller 16-1

functions 16-2

illustration A-13

inactive state C-40

interfaces A-14

maintaining states A-16

managed devices 16-7

master blocking sensors A-14

maximum blocks 16-2

misconfigured master blocking sensor C-45

nac.shun.txt file A-16

NAT addressing A-15

number of blocks A-15

postblock ACL A-16

preblock ACL A-16

prerequisites 16-5

rate limiting 16-4

responsibilities A-13

single point of control A-15

SSH A-14

supported devices 16-5, A-15

Telnet A-14

troubleshooting C-38

VACLs A-14

verifying device interfaces C-43

verifying status C-39

ARP

Layer 2 signatures B-13

protocol B-13

ARP spoof tools

dsniff B-13

ettercap B-13

ASA 5500 AIP SSM

assigning virtual sensors 8-18

bypass mode 7-29

creating virtual sensors 8-16

initializing 25-13

installing system image 27-27

logging in 24-4

Normalizer engine B-37, C-65

password recovery 20-7, 20-11, C-10

recovering C-64

resetting C-63

resetting the password 20-7, 20-11, C-10

sensing interface 8-15

session command 24-4

sessioning in 24-4

setup command 25-13

time sources 6-11, C-18

virtual sensors

assigning the interface 8-16

sequence 8-15

ASA 5500-X IPS SSP

assigning virtual sensors 8-18

creating virtual sensors 8-16

initializing 25-17

logging in 24-5

memory usage 20-20, C-76

memory usage values (table) 20-20, C-77

no CDP mode support 7-31

Normalizer engine B-37, C-75

password recovery 20-9, C-12

resetting the password 20-9, C-12

sensing interface 8-15

session command 24-5

sessioning in 24-5

setup command 25-17

time sources 6-11, C-18

virtual sensors

assigning policies 8-16

assigning the interface 8-16

virtual sensor sequence 8-15

ASA 5585-X IPS SSP

assigning virtual sensors 8-18

creating virtual sensors 8-16

initializing 25-20

installing system image 27-31

logging in 24-6

no CDP mode support 7-31

Normalizer engine B-37, C-82

password recovery C-14

resetting the password C-14

sensing interface 8-15

session command 24-6

sessioning in 24-6

setup command 25-20

time sources 6-11, C-18

virtual sensors

assigning policies 8-16

assigning the interface 8-16

sequence 8-15

ASA IPS modules

jumbo packet count C-66, C-77, C-83

ASDM

resetting passwords 20-8, 20-10, 20-12, C-12, C-14, C-15

assigning

interfaces to virtual sensors (ASA 5500 AIP SSM) 8-16

interfaces to virtual sensors (ASA 5500-X IPS SSP) 8-16

interfaces to virtual sensors (ASA 5585-X IPS SSP) 8-16

policies to virtual sensors (ASA 5500 AIP SSM) 8-16

policies to virtual sensors (ASA 5500-X IPS SSP) 8-16

policies to virtual sensors (ASA 5585-X IPS SSP) 8-16

assigning actions to signatures 10-21

asymmetric mode

described 8-4

normalization 8-4

asymmetric traffic

anomaly detection 13-2

caution 13-2

asymmetric traffic and disabling anomaly detection 13-35, C-21

Atomic ARP engine

described B-13

parameters (table) B-13

Atomic IP Advanced engine

described B-14

parameters (table) B-16

restrictions B-15

Atomic IP engine

described 11-13, B-24

parameters (table) B-24

Atomic IPv6 engine

described B-27

Neighborhood Discovery protocol B-28

signatures B-28

attack relevance rating

calculating risk rating 8-6, 12-3

described 8-6, 8-30, 12-3, 12-23

Attack Response Controller

described A-4

formerly known as Network Access Controller A-4

Attack Response Controller. See ARC.

attack severity rating

calculating risk rating 8-6, 12-3

described 8-6, 12-3

Attacks Over Time gadgets

configuring 3-13

described 3-13

Attacks Over Time Reports described 1-17, 23-2

attemptLimit command 6-24

audit mode

described 14-8

testing global correlation 14-8

authenticated NTP 6-10, 6-14, C-17

authentication

local 6-19

RADIUS 6-19

AuthenticationApp

authenticating users A-21

described A-4

login attempt limit A-21

method A-21

responsibilities A-20

secure communications A-21

sensor configuration A-20

Authentication pane

configuring 6-22

described 6-19

field descriptions 6-20

user roles 6-17, A-30

Authorized Keys pane

configuring 15-3

described 15-2

field descriptions 15-2

RSA authentication 15-2

RSA key generation tool 15-3

Auto/Cisco.com Update pane

configuring 20-25

described 5-16, 20-22

field descriptions 20-24

UNIX-style directory listings 20-23

user roles 20-22

automatic reporting configuring (IME) 1-18

automatic setup 25-2

automatic updates

Cisco.com 5-16, 20-22

configuring 5-17, 20-25

cryptographic account 5-16, 20-22

FTP servers 20-22

SCP servers 5-16, 20-22

automatic upgrade

information required 27-6

troubleshooting C-55

autonegotiation for hardware bypass 7-11

Auto Update window field descriptions 5-16

auto-upgrade-option command 27-6

B

backing up

configuration C-3

current configuration C-4

BackOrifice. See BO.

BackOrifice 2000. See BO2K.

basic setup 25-4

blocking

described 16-2

disabling 16-8

master blocking sensor 16-24

necessary information 16-3

prerequisites 16-5

supported devices 16-5

types 16-2

blocking devices

adding 16-15

deleting 16-15

editing 16-15

Blocking Devices pane

configuring 16-15

described 16-14

field descriptions 16-14

ssh host-key command 16-15

blocking not occurring for signature C-44

Blocking Properties pane

adding a host never to be blocked 16-11

configuring 16-9

described 16-7

field descriptions 16-8

BO

described B-72

Trojans B-72

BO2K

described B-72

Trojans B-72

Bug Toolkit

described C-1

URL C-1

bypass mode

ASA 5500 AIP SSM 7-29

described 7-28

signature updates 20-24

Bypass pane

field descriptions 7-29

user roles 7-28

C

calculating risk rating

attack relevance rating 8-6, 12-3

attack severity rating 8-6, 12-3

promiscuous delta 8-6, 12-3

signature fidelity rating 8-5, 12-3

target value rating 8-6, 12-3

watch list rating 8-6, 12-3

cannot access sensor C-26

Cat 6K Blocking Device Interfaces pane

configuring 16-23

described 16-21

field descriptions 16-22

CDP mode

ASA 5500-X IPS SSP 7-31

ASA 5585-X IPS SSP 7-31

described 7-31

interfaces 7-31

CDP Mode pane

configuring 7-31

field descriptions 7-31

user roles 7-31

certificates

displaying 15-10

generating 15-10

certificates (IDM) 15-7

changing Microsoft IIS to UNIX-style directory listings 20-23

cidDump obtaining information C-109

CIDEE

defined A-34

example A-34

IPS extensions A-34

protocol A-34

supported IPS events A-34

cisco

default password 24-2

default username 24-2

Cisco.com

accessing software 26-2

downloading software 26-1

software downloads 26-1

Cisco Discovery Protocol. See CDP.

Cisco IOS rate limiting 16-4

Cisco Security Intelligence Operations

described 26-8

URL 26-8

Cisco Services for IPS

service contract 20-15

supported products 20-15

clear events command 6-12, 6-16, 21-4, C-19, C-109

Clear Flow States pane

described 21-17

field descriptions 21-17

clearing

denied attackers 17-2

events 6-16, 21-4, C-109

flow states 21-17

statistics C-93

CLI

described A-4, A-30

password recovery 20-13, C-16

client manifest described A-29

clock set command 6-15

Clone Policy dialog box

field descriptions 10-8, 12-11, 13-9

user roles 10-7, 12-11, 13-9

Clone Signature dialog box field descriptions 10-12

cloning

anomaly detection policies 13-10

event action rules policies 12-12

signature definition policies 10-8

signatures 10-19

CollaborationApp described A-4, A-28

color rules

described 22-2

events (IME) 22-2

Color Rules tab

described 22-2

filters 22-2

command and control interface

described 7-2

list 7-2

commands

allocate-ips 8-15

attemptLimit 6-24

auto-upgrade-option 27-6

clear events 6-12, 6-16, 21-4, C-19, C-109

clock set 6-15

copy backup-config C-3

copy current-config C-3

debug module-boot C-64

downgrade 27-10

erase license-key 20-19

hw-module module 1 reset C-63

hw-module module slot_number password-reset 20-7, 20-11, C-10, C-14

setup 6-1, 25-1, 25-4, 25-8, 25-13, 25-17, 25-20

show events C-106

show health C-85

show module 1 details C-63, C-68, C-79

show settings 20-14, C-16

show statistics C-93

show statistics virtual-sensor C-25, C-93

show tech-support C-86

show version C-90

sw-module module slot_number password-reset 20-9, C-12

unlock user username 6-26

upgrade 27-3, 27-5

virtual-sensor name 8-16

Compare Knowledge Bases dialog box field descriptions 21-9

comparing KBs 21-9, 21-10

component signatures

risk rating B-32

configuration files

backing up C-3

merging C-3

configuration restrictions

alternate TCP reset interface 7-12

inline interface pairs 7-12

inline VLAN pairs 7-12

interfaces 7-11

physical interfaces 7-11

VLAN groups 7-13

Configure Summertime dialog box field descriptions 5-4, 6-8

configuring

account locking 6-24

account unlocking 6-26

AIC policy parameters 10-48

allowed hosts 6-6

allowed networks 6-6

anomaly detection operation settings 13-11

application policy signatures 10-48

Attacks Over Time gadgets 3-13

authorized keys 15-3

automatic updates 5-17, 20-25

automatic upgrades 27-8

blocking devices 16-15

blocking properties 16-9

Cat 6K blocking device interfaces 16-23

CDP mode 7-31

CPU, Memory, & Load gadget 3-11

CSA MC IPS interfaces 19-3

device login profiles 16-13

event action filters 8-23, 12-17

events 21-3

event variables 8-36, 12-29

external zone 13-32

general settings 8-41, 12-34

Global Correlation Health gadget 3-8

Global Correlation Reports gadget 3-6

host blocks 17-4

illegal zone 13-25

inline VLAN pairs 5-10

inspection/reputation 14-9

inspection load statistics display 21-5

interface pairs 7-22

interfaces 7-20

Interface Status gadget 3-6

internal zone 13-19

IP fragment reassembly signatures 10-52

IP logging 17-12

IPv4 target value ratings 8-26, 12-20

IPv6 target value ratings 8-28, 12-22

known host keys 15-5

learning accept mode 13-14

Licensing gadget 3-5

local authentication 6-22

master blocking sensor 16-25

network blocks 17-7

network participation 14-11

Network Security gadget 3-9

network settings 6-3

NTP servers 6-13

OS maps 8-33, 12-26

RADIUS authentication 6-23

rate limiting 17-9

rate limiting device interfaces 16-20

risk categories 8-38, 12-31

router blocking device interfaces 16-20

RSS Feed gadgets 3-11

RSS feeds 4-2

Sensor Health gadget 3-4

Sensor Information gadget 3-3

Sensor Setup window 5-4

sensor to use NTP 6-14

signature variables 10-37

SNMP 18-3

SNMP traps 18-5

time 6-9

Top Applications gadget 3-9

Top Attackers gadgets 3-11

Top Signatures gadgets 3-13

Top Victims gadgets 3-12

traffic flow notifications 7-30

trusted hosts 15-9

upgrades 27-4

users 6-22

VLAN groups 7-27

VLAN pairs 7-25

control transactions

characteristics A-9

request types A-9

copy backup-config command C-3

copy current-config command C-3

correcting time on the sensor 6-12, C-19

CPU, Memory, & Load gadget

configuring 3-11

described 3-10

creating

Atomic IP Advanced engine signature 10-29, 11-14

custom signatures

not using signature engines 11-4

Service HTTP 11-17

String TCP 11-22

using signature engines 11-1

event views 22-4

IPv6 signatures 10-28, 11-14

Meta signatures 10-26

Post-Block VACLs 16-21

Pre-Block VACLs 16-21

reports (IME) 23-3

String TCP XL signatures 10-34

creating the service account C-6

cryptographic account

automatic updates 5-16, 20-22

Encryption Software Export Distribution Authorization from 26-2

obtaining 26-2

cryptographic features (IME) 1-2

CSA MC

adding interfaces 19-7

configuring IPS interfaces 19-3

host posture events 19-1, 19-3

quarantined IP address events 19-1

supported IPS interfaces 19-3

CtlTransSource

described A-4, A-11

illustration A-12

current configuration back up C-3

current KB setting 21-12

custom signatures

Custom Signature Wizard 11-5

described 10-2

IPv6 signature 10-28, 11-14

Meta signature 10-26

sensor performance 11-4

String TCP XL 10-31, 10-34

Custom Signature Wizard

alert behavior 11-26

Alert Response window field descriptions 11-26

Atomic IP Engine Parameters window field descriptions 11-13

described 11-1

ICMP Traffic Type window field descriptions 11-12

Inspect Data window field descriptions 11-12

MSRPC Engine Parameters window field descriptions 11-11

no signature engine sequence 11-4

Protocol Type window field descriptions 11-10

Service HTTP Engine Parameters window field descriptions 11-16

Service RPC Engine Parameters window field descriptions 11-19

Service Type window field descriptions 11-13

signature engine sequence 11-1

Signature Identification window field descriptions 11-11

State Engine Parameters window field descriptions 11-20

String ICMP Engine Parameters window field descriptions 11-21

String TCP Engine Parameters window field descriptions 11-21

String UDP Engine Parameters window field descriptions 11-24

supported signature engines 11-2

Sweep Engine Parameters window field descriptions 11-25

TCP Sweep Type window field descriptions 11-13

TCP Traffic Type window field descriptions 11-12

UDP Sweep Type window field descriptions 11-12

UDP Traffic Type window field descriptions 11-12

using 11-5

Welcome window field descriptions 11-10

D

dashboards

adding 3-1

deleting 3-1

Data Archive dialog box

configuring 1-12

described 1-12

field descriptions 1-12

data archiving configuring 1-12

data nodes 11-25, B-67

data structures (examples) A-8

DDoS

protocols B-72

Stacheldraht B-72

TFN B-72

debug logging enable C-47

debug module-boot command C-64

default policies

ad0 13-9

rules0 12-2, 12-11

sig0 10-7

defaults

KB filename 13-12

password 24-2

restoring 20-29

username 24-2

virtual sensor vs0 8-2

deleting

anomaly detection policies 13-10

blocking devices 16-15

denied attackers 17-2

event action filters 8-23, 12-17

event action overrides 12-13

event action rules policies 12-12

event variables 8-36, 12-29

host blocks 17-4

imported OS values 21-16

IPv4 target value ratings 8-26, 12-20

IPv6 target value ratings 8-28, 12-22

KBs 21-12

learned OS values 21-15

network blocks 17-7

OS maps 8-33, 12-26

rate limiting devices 16-15

rate limits 17-9

risk categories 8-38, 12-31

signature definition policies 10-8

signature variables 10-37

virtual sensors 8-13

Demo mode (IME) 1-7

demo reports described 23-1

Denial of Service. See DoS.

denied attackers

adding 17-2

clearing 17-2

deleting 17-2

hit count 17-1

resetting hit counts 17-2

viewing hit counts 17-2

viewing list 17-2

Denied Attackers pane

described 17-1

field descriptions 17-2

user roles 17-1

using 17-2

deny actions (list) 10-3, 10-15, 12-8

Deny Packet Inline described 12-10

detect mode (anomaly detection) 13-4

device access issues C-42

Device Details pane described 2-1

Device List pane

described 2-1

field descriptions 2-2

Device Login Profiles pane

configuring 16-13

described 16-12

field descriptions 16-12

devices

adding 2-4

deleting 2-4

editing 2-4

device tools

DNS lookup 2-6

ping 2-6

traceroute 2-6

whois 2-6

Diagnostics Report pane

button functions 21-19

described 21-19

user roles 21-19

using 21-19

diagnostics reports 21-19

Differences between knowledge bases KB_Name and KB_Name window field descriptions 21-10

disabling

anomaly detection 13-35, C-21

blocking 16-8

event action filters 8-23, 12-17

global correlation 14-12

interfaces 7-20

password recovery 20-13, C-16

signatures 10-17

disaster recovery C-6

displaying

events 21-3, C-107

health status C-85

imported OS maps 21-16

inspection load statistics 21-5

learned OS maps 21-15

password recovery setting 20-14, C-16

sensor statistics 21-20

statistics C-93

tech support information C-86

version C-90

Distributed Denial of Service. See DDoS.

DNS lookup device tool (IME) 1-4, 2-6, 3-15, 3-16, 22-6

DoS tools

Stacheldraht B-72

stick B-7

TFN B-72

downgrade command 27-10

downgrading sensors 27-10

downloading

Cisco software 26-1

KBs 21-13

Download Knowledge Base From Sensor dialog box

described 21-13

field descriptions 21-13

duplicate IP addresses C-29

E

Edit ACL Entry dialog box field descriptions 5-3

Edit Allowed Host dialog box

field descriptions 6-6

user roles 6-5

Edit Authorized Key dialog box

field descriptions 15-3

user roles 15-2

Edit Blocking Device dialog box

field descriptions 16-15

user roles 16-14

Edit Cat 6K Blocking Device Interface dialog box

field descriptions 16-22

user roles 16-21

Edit Configured OS Map dialog box

field descriptions 8-32, 12-25

user roles 8-31, 12-23

Edit Destination Port dialog box

field descriptions 13-17, 13-23, 13-30

user roles 13-15

Edit Device dialog box field descriptions 2-3

Edit Device Login Profile dialog box

field descriptions 16-12

user roles 16-12

Edit Event Action Filter dialog box

field descriptions 8-21, 12-15

user roles 12-15

Edit Event Action Override dialog box

field descriptions 8-12, 12-13

user roles 8-12, 12-13

Edit Event Variable dialog box

field descriptions 8-35, 12-28

user roles 8-34, 12-27

Edit External Product Interface dialog box

field descriptions 19-6

user roles 19-4

Edit Filter dialog box field descriptions 3-19

Edit Histogram dialog box

field descriptions 13-17, 13-24, 13-30

user roles 13-15

editing

blocking devices 16-15

event action filters 8-23, 12-17

event action overrides 12-13

event variables 8-36, 12-29

interfaces 7-21

IPv4 target value ratings 8-26, 12-20

IPv6 target value ratings 8-28, 12-22

OS maps 8-33, 12-26

rate limiting devices 16-15

risk categories 8-38, 12-31

signatures 10-20

signature variables 10-37

virtual sensors 8-13

Edit Inline VLAN Pair dialog box

field descriptions 7-24

user roles 7-23

Edit Inline VLAN Pair Entry dialog box field descriptions 5-10

Edit Interface dialog box

field descriptions 7-20

user roles 7-18

Edit Interface Pair dialog box

field descriptions 7-22

user roles 7-22

Edit IP Logging dialog box field descriptions 17-11

Edit Known Host Key dialog box

field descriptions 15-5

user roles 15-4

Edit Master Blocking Sensor dialog box

field descriptions 16-25

user roles 16-24

Edit Never Block Address dialog box

field descriptions 16-10

user roles 16-7

Edit Posture ACL dialog box field descriptions 19-7

Edit Protocol Number dialog box field descriptions 13-18, 13-25, 13-32

Edit Risk Level dialog box

field descriptions 8-38, 12-31

user roles 8-37, 12-30

Edit Router Blocking Device Interface dialog box

field descriptions 16-19

user roles 16-17

Edit Signature dialog box field descriptions 10-12

Edit Signature Variable dialog box

field descriptions 10-36

user roles 10-36

Edit SNMP Trap Destination dialog box

field descriptions 18-5

user roles 18-4

Edit Start Time dialog box

field descriptions 13-14

user roles 13-12

Edit Target Value Rating dialog box

field descriptions 8-26, 8-28

user roles 8-25, 8-27

Edit User dialog box

field descriptions 6-22

user roles 6-19, 6-22

Edit Virtual Sensor dialog box

field descriptions 8-10

user roles 8-10

Edit VLAN Group dialog box

field descriptions 7-27

user roles 7-26

efficacy

described 14-4

measurements 14-4

email notification

configuring (IME) 1-15

example (IME) 1-14

email setup (IME) 1-13

Email Setup dialog box

configuring 1-13

described 1-13

field descriptions 1-13

enabling

anomaly detection 13-4

event action filters 8-23, 12-17

event action overrides 12-13

interfaces 7-20

packet logging 20-3

signatures 10-17

enabling debug logging C-47

Encryption Software Export Distribution Authorization form

cryptographic account 26-2

described 26-2

engines

AIC B-10

AIC FTP B-11

AIC HTTP B-11

Atomic ARP B-13

Atomic IP 11-13, B-24

Atomic IP Advanced B-14

Atomic IPv6 B-27

Fixed B-28

Fixed ICMP B-28

Fixed TCP B-28

Fixed UDP B-28

Flood B-31

Flood Host B-31

Flood Net B-31

Master B-4

Meta 10-25, B-32

Multi String B-34

Normalizer B-36

Service B-39

Service DNS B-39

Service FTP B-41

Service Generic B-42

Service H225 B-43

Service HTTP 11-16, B-46

Service IDENT B-48

Service MSRPC 11-11, B-48

Service MSSQL B-50

Service NTP B-51

Service P2P B-52

Service RPC 11-19, B-52

Service SMB Advanced B-54

Service SNMP B-56

Service SSH B-57

Service TNS B-57

State 11-20, B-59

String 11-21, 11-24, B-61

String ICMP 11-21, 11-24, B-61

String TCP 11-21, 11-24, B-61

String UDP 11-21, 11-24, B-61

Sweep 11-24, B-66

Sweep Other TCP B-69

Traffic Anomaly B-69

Traffic ICMP B-71

Trojan B-72

EPS

described 1-3

IME Home pane 1-3

erase license-key command 20-19

errors (Analysis Engine) C-55

evAlert A-9

event action filters

adding 8-23, 12-17

configuring 8-23, 12-17

deleting 8-23, 12-17

described 8-20, 12-4

disabling 8-23, 12-17

editing 8-23, 12-17

enabling 8-23, 12-17

moving 8-23, 12-17

Event Action Filters tab

configuring 8-23, 12-17

described 8-21, 12-15

field descriptions 8-21, 12-15

event action overrides

adding 12-13

deleting 12-13

described 8-5, 12-4

editing 12-13

enabling 12-13

risk rating range 8-5, 12-4

Event Action Overrides tab

described 12-13

field descriptions 12-13

Event Action Rules (rules0) pane described 12-12

Event Action Rules pane

described 12-2, 12-11

field descriptions 12-11

user roles 12-11

event action rules policies

adding 12-12

cloning 12-12

deleting 12-12

event action rules variables 8-21, 12-15

event actions

risk ratings 8-6, 12-4

threat ratings 8-6, 12-4

event connection status

displaying 2-5

starting 2-5

stopping 2-5

Event Monitoring pane

described 22-1

filters 22-2

events

clearing 6-16, 21-4, C-109

color rules 22-2

displaying C-107

grouping 22-2

host posture 19-2

quarantined IP address 19-2

Events pane

configuring 21-3

described 21-1

field descriptions 21-2

events per second. See EPS.

Event Store

clearing 6-16, 21-4, C-109

clearing events 6-12, C-19

data structures A-8

described A-4

examples A-8

no alerts C-34

responsibilities A-7

time stamp 6-12, C-19

timestamp A-7

event types C-105

event variables

adding 8-36, 12-29

configuring 8-36, 12-29

deleting 8-36, 12-29

described 8-34, 12-27

editing 8-36, 12-29

example 8-35, 12-28

Event Variables tab

configuring 8-36, 12-29

field descriptions 8-35, 12-28

Event Viewer pane

displaying events 21-3

field descriptions 21-2

event views

creating 22-4

using 22-4

evError A-9

evLogTransaction A-9

evShunRqst A-9

evStatus A-9

example custom signatures

Atomic IP Advanced 10-29, 11-14

Meta 10-26

Service HTTP 11-17

String TCP 11-22

String TCP XL 10-31

examples

AIC engine signature 10-48

ASA failover configuration C-62, C-68, C-79

Atomic IP Advanced engine signature 10-28, 11-14

automatic update 20-25

configured OS maps 8-31, 12-23

default anomaly detection configuration 13-4

email notification (IME) 1-14

email notifications (IME) 1-16

IP Fragment Reassembly signature 10-52

IPv6 attacker address 8-22, 12-16

IPv6 victim address 8-22, 12-16

KB histogram 13-13, 21-7

Meta engine signature 10-26

Service HTTP engine signature 11-17

SPAN configuration for IPv6 support 7-14

String TCP engine signature 11-22

String TCP XL engine signature 10-31, 10-34

System Configuration Dialog 25-2

TCP Stream Reassembly signature 10-59

external product interfaces

adding 19-7

described 19-1

issues 19-3, C-23

troubleshooting 19-10, C-24

trusted hosts 19-4

External Product Interfaces pane

described 19-4

field descriptions 19-5

external zone

configuring 13-32

protocols 13-29

External Zone tab

described 13-29

tabs 13-29

user roles 13-29

F

fail-over testing 7-10

false positives described 10-2

Fields tab described 22-2

files Cisco IPS (list) 26-1

Filtered Events vs All Events Reports described 1-18, 23-2

filtering described 22-2

Filter pane field descriptions 22-3

filters

configuring 3-16, 22-6

creating reports 23-3

Fixed engine described B-28

Fixed ICMP engine parameters (table) B-29

Fixed TCP engine parameters (table) B-29

Fixed UDP engine parameters (table) B-30

Flood engine described B-31

Flood Host engine parameters (table) B-31

Flood Net engine parameters (table) B-32

flow states clearing 21-17

FTP servers

automatic updates 20-22

signature updates 20-27

FTP servers and software updates 20-23, 27-2

G

gadgets

adding 3-1

Attacks Over Time 3-13

CPU, Memory, & Load 3-10

deleting 3-1

Global Correlation Health 3-7

Global Correlation Reports 3-6

Interface Status 3-5

Licensing 3-5

Network Security 3-8

RSS Feed 3-11

Sensor Health 3-3

Sensor Information 3-2

Top Applications 3-9

Top Attackers 3-11

Top Signatures 3-12

Top Victims 3-12

General dialog box

configuring 1-11

described 1-11

field descriptions 1-11

user roles 1-11

general settings

configuring 8-41, 12-34

described 8-40, 12-33

General tab

configuring 8-41, 12-34

described 8-40, 12-33, 13-16, 13-23

described (IME) 22-2

enabling zones 13-16, 13-23

field descriptions 8-41, 12-33, 13-16, 13-23

user roles 8-40, 12-33

generating diagnostics reports 21-19

global correlation 23-2

described 1-2, 14-1, 14-2

disabling 14-12

disabling about 14-12

DNS server 14-6

error messages A-29

features 14-5

goals 14-5

health metrics 14-7

health status 14-7

HTTP proxy server 14-6

license 6-3, 14-6, 14-8, 25-1, 25-5

no IPv6 support 8-23, 8-28, 8-36, 14-6

Produce Alert 10-2, 10-14, 12-8

requirements 14-6

risk rating 14-5

shared policies 9-1

troubleshooting 14-11, C-22

update client (illustration) 14-8

global correlation connection status

displaying 2-5

starting 2-5

stopping 2-5

Global Correlation Health gadget

configuring 3-8

described 3-7

Global Correlation Reports described 23-2

Global Correlation Reports gadget

configuring 3-6

described 3-6

Global Correlation Update

client described A-28

server described A-28

Group By tab described 22-2

grouping events 22-2

GRUB menu password recovery 20-5, C-8

H

H.225.0 protocol B-43

H.323 protocol B-43

hardware bypass

autonegotiation 7-11

configuration restrictions 7-10

fail-over 7-10

IPS 4260 7-10

IPS 4270-20 7-10

supported configurations 7-10

with software bypass 7-10

health connection status

displaying 2-5

starting 2-5

stopping 2-5

health status

global correlation 14-7

metrics 3-4

sensor 3-3

health status display C-85

host blocks

adding 17-4

deleting 17-4

managing 17-4

Host Blocks pane

configuring 17-4

described 17-3

field descriptions 17-3

user roles 17-3

host posture events

CSA MC 19-3

described 19-2

HTTP/HTTPS servers supported 20-23, 27-2

HTTP advanced decoding

described 8-4

platform support 8-5

restrictions 8-4

HTTP deobfuscation

ASCII normalization 11-16, B-46

described 11-16, B-46

hw-module module 1 reset command C-63

hw-module module slot_number password-reset command 20-7, 20-11, C-10, C-14

I

IDAPI

communications A-4, A-32

described A-4

functions A-32

illustration A-32

responsibilities A-32

IDCONF

described A-33

example A-33

RDEP2 A-33

XML A-33

IDIOM

defined A-33

messages A-33

IDM

Analysis Engine is busy C-58

certificates 15-7

Custom Signature Wizard supported signature engines 11-2

TLS 15-7

will not load C-58

illegal zone configuring 13-25

Illegal Zone tab

described 13-22

user roles 13-22

IME

color rules 22-2

Color Rules tab 22-2

configuring

automatic reporting 1-18

email notification 1-15

filters 3-16, 22-6

RSS feeds 4-2

views 3-16, 22-6

cryptographic features 1-2

dashboards

adding 3-1

deleting 3-1

Demo mode 1-7

described 1-1

devices

adding 2-4

deleting 2-4

editing 2-4

email notification example 1-16

EPS 1-3

event connection status

displaying 2-5

starting 2-5

stopping 2-5

Event Monitoring pane 22-1

Fields tab 22-2

filtering 22-2

gadgets

adding 3-1

deleting 3-1

General tab 22-2

global correlation connection status

displaying 2-5

starting 2-5

stopping 2-5

Group By tab 22-2

grouping events 22-2

health connection status

displaying 2-5

starting 2-5

stopping 2-5

installation notes and caveats 1-8

installing 1-8

IPS versions 1-6

known host key retrieval 15-4, 15-5

menu features 1-4

MySQL database 1-8

password recovery 20-13, C-16

password requirements 1-10

reports

configuring 23-3

described 23-1

generating 23-3

report types 23-1

supported platforms 1-5

system requirements 1-4

using event views 22-4

video help 1-3

working with

top attacker IP addresses 3-14

top signatures 3-15

top victim IP addresses 3-14

IME Home pane

described 1-3

EPS 1-3

features 1-3

IME time synchronization problems C-60

Imported OS pane

clearing 21-16

described 21-16

field descriptions 21-16

imported OS values

clearing 21-16

deleting 21-16

inactive mode (anomaly detection) 13-4

initializing

appliances 25-8

ASA 5500 AIP SSM 25-13

ASA 5500-X IPS SSP 25-17

ASA 5585-X IPS SSP 25-20

sensors 6-1, 25-1, 25-4

verifying 25-24

inline interface pair mode

configuration restrictions 7-12

described 7-15

illustration 7-16

Inline Interface Pair window

described 5-9

Startup Wizard 5-9

inline mode

interface cards 7-3

normalization 8-4

pairing interfaces 7-3

inline TCP session tracking modes described 8-4

inline VLAN pair mode

configuration restrictions 7-12

configuring 5-10

described 7-16

illustration 7-16

supported sensors 7-16

Inline VLAN Pairs window

described 5-9

field descriptions 5-10

Startup Wizard 5-9

Inspection/Reputation pane

configuring 14-9

described 14-8

field descriptions 14-9

Inspection Load Statistics pane

configuring 21-5

described 21-4

field descriptions 21-4

user roles 21-4

installer major version 26-5

installer minor version 26-5

installing

IME 1-8

sensor license 20-17

system image

ASA 5500 AIP SSM 27-27

ASA 5500-X IPS SSP 27-29

ASA 5585-X IPS SSP 27-31

IPS 4240 27-14

IPS 4255 27-14

IPS 4260 27-17

IPS 4270-20 27-19

IPS 4345 27-21

IPS 4360 27-21

IPS 4510 27-24

IPS 4520 27-24

IntelliShield

alerts 10-10

MySDN 10-10

InterfaceApp

described A-20

interactions A-20

NIC drivers A-20

InterfaceApp described A-4

interface pairs

configuring 7-22

described 7-22

Interface Pairs pane

configuring 7-22

described 7-22

field descriptions 7-22

user roles 7-22

interfaces

alternate TCP reset 7-2

command and control 7-2

configuration restrictions 7-11

configuring 7-20

described 5-7, 7-1

disabling 7-20

editing 7-21

enabling 7-20

logical 5-7

physical 5-7

port numbers 7-1

sensing 7-2, 7-3

slot numbers 7-1

support (table) 7-4

TCP reset 7-8

Interface Selection window

described 5-9

Startup Wizard 5-9

Interfaces pane

configuring 7-20

described 7-18

field descriptions 7-19

user roles 7-18

Interface Status gadget

configuring 3-6

described 3-5

Interface Summary window

described 5-7

field descriptions 5-8

internal zone configuring 13-19

Internal Zone tab

described 13-15

user roles 13-15

IP fragmentation described B-36

IP fragment reassembly

configuring 10-51

described 10-49

mode 10-51

parameters (table) 10-50

signatures 10-52

signatures (example) 10-52

signatures (table) 10-50

IP logging

described 10-60, 17-10

event actions 17-11

system performance 17-10, 17-11

IP Logging pane

configuring 17-12

described 17-11

field descriptions 17-11

user roles 17-11

IP Logging Variables pane

described 20-21

field description 20-21

user roles 20-21

IP logs

circular buffer 17-10

states 17-10

TCPDUMP 17-10

viewing 17-12

WireShark 17-10

IPS 4240

7200 series router C-26

installing system image 27-14

password recovery 20-6, C-9

reimaging 27-14

IPS 4255

installing system image 27-14

password recovery 20-6, C-9

reimaging 27-13

IPS 4260

hardware bypass 7-10

installing system image 27-17

password recovery C-9

reimaging 27-17

IPS 4270-20

hardware bypass 7-10

installing system image 27-19

password recovery 20-5, C-9

reimaging 27-19

IPS 4345

installing system image 27-21

password recovery 20-5, 20-6, C-8, C-9

reimaging 27-21

IPS 4360

installing system image 27-21

password recovery 20-5, C-8, C-9

reimaging 27-21

IPS 4510

installing system image 27-24

password recovery 20-5, 20-6, C-8, C-9

reimaging 27-24

SwitchApp A-30

IPS 4520

installing system image 27-24

password recovery 20-5, 20-6, C-8, C-9

reimaging 27-24

SwitchApp A-30

IPS applications

summary A-36

table A-36

XML format A-4

IPS clock synchronization 6-11, C-18

IPS data

types A-8

XML document A-9

IPS events

evAlert A-9

evError A-9

evLogTransaction A-9

evShunRqst A-9

evStatus A-9

list A-9

types A-9

IPS internal communications A-32

IPS Manager Express described 1-1

IPS Policies pane

described 8-8

Event Action Rules 8-9

field descriptions 8-9

IPS software

application list A-4

available files 26-1

configuring device parameters A-5

directory structure A-35

Linux OS A-1

obtaining 26-1

platform-dependent release examples 26-6

retrieving data A-5

security features A-5

tuning signatures A-5

updating A-5

user interaction A-5

versioning scheme 26-3

IPS software file names

major updates (illustration) 26-4

minor updates (illustration) 26-4

patch releases (illustration) 26-4

service packs (illustration) 26-4

IPS versions supported (IME) 1-6

IPv4

address format 8-34, 12-28

event variables 8-34, 12-28

IPv4 Add Target Value Rating dialog box

field descriptions 12-20

user roles 12-19

IPv4 Edit Target Value Rating dialog box

field descriptions 12-20

user roles 12-19

IPv4 target value ratings

adding 8-26, 12-20

deleting 8-26, 12-20

editing 8-26, 12-20

IPv4 Target Value Rating tab

configuring 8-26, 12-20

field descriptions 8-26, 12-19

IPv6

address format 8-35, 12-28

described B-28

event variables 8-35, 12-28

SPAN ports 7-14

switches 7-14

IPv6 Add Target Value Rating dialog box

field descriptions 12-21

user roles 12-21

IPv6 Edit Target Value Rating dialog box

field descriptions 12-21

user roles 12-21

IPv6 target value ratings

adding 8-28, 12-22

configuring 8-28, 12-22

deleting 8-28, 12-22

editing 8-28, 12-22

IPv6 Target Value Rating tab

configuring 8-28, 12-22

field descriptions 8-27, 12-21

K

KBs

comparing 21-10

default filename 13-12

deleting 21-12

described 13-3

downloading 21-13

histogram 13-12, 21-6

initial baseline 13-3

learning accept mode 13-12

loading 21-12

monitoring 21-9

renaming 21-13

saving 21-12

scanner threshold 13-12, 21-6

tree structure 13-12, 21-6

uploading 21-14

Knowledge Base. See KB.

Known Host Keys pane

configuring 15-5

described 15-4, 15-5

field descriptions 15-5

L

Learned OS pane

clearing 21-15

described 21-15

field descriptions 21-15

learned OS values

clearing 21-15

deleting 21-15

learning accept mode

anomaly detection 13-3

configuring 13-14

Learning Accept Mode tab

described 13-12

field descriptions 13-14

user roles 13-12

license key

obtaining 20-15

trial 20-15

uninstalling 20-19

viewing status of 20-15

licensing

described 20-15

IPS device serial number 20-15

Licensing gadget

configuring 3-5

described 3-5

Licensing pane

configuring 20-17

described 20-15

field descriptions 20-16

user roles 20-15

limitations for concurrent CLI sessions 24-1

listings UNIX-style 20-23

loading KBs 21-12

local authentication configuring 6-22

Logger

described A-4, A-19

functions A-19

syslog messages A-19

logging in

appliances 24-2

ASA 5500 AIP SSM 24-4

ASA 5500-X IPS SSP 24-5

ASA 5585-X IPS SSP 24-6

sensors

SSH 24-7

Telnet 24-7

service role 24-2

terminal servers 24-3, 27-12

user role 24-1

LOKI

described B-72

protocol B-71

loose connections on sensors C-25

M

MainApp

components A-6

described A-4, A-6

host statistics A-6

responsibilities A-6

show version command A-6

major updates described 26-3

Manage Filter Rules dialog box field descriptions 3-18

managing

host blocks 17-4

network blocks 17-7

rate limiting 17-9

manifests

client A-29

server A-29

manually updating sensor 20-27

master blocking sensor

described 16-24

not set up properly C-45

verifying configuration C-45

Master Blocking Sensor pane

configuring 16-25

described 16-24

field descriptions 16-25

Master engine

alert frequency B-7

alert frequency parameters (table) B-7

described B-4

event actions B-8

general parameters (table) B-4

universal parameters B-4

master engine parameters

obsoletes B-6

promiscuous delta B-6

vulnerable OSes B-6

merging configuration files C-3

Meta engine

described 10-25, B-32

parameters (table) B-33

Signature Event Action Processor 10-25, B-32

Meta Event Generator described 8-40, 12-33

Meta signature

component signatures B-32

metrics for sensor health 20-20

MIBs supported 18-6, C-20

minor updates described 26-3

Miscellaneous tab

application policy parameters 10-38

configuring

application policy 10-48

IP fragment reassembly mode 10-51

IP logging 10-60

TCP stream reassembly mode 10-58

described 10-38

field descriptions 10-39

IP fragment reassembly options 10-38

IP logging options 10-39

TCP stream reassembly 10-38

user roles 10-38

modes

anomaly detection detect 13-4

anomaly detection learning accept 13-3

asymmetric 8-4

bypass 7-28

inactive (anomaly detection) 13-4

inline interface pair 7-15

inline TCP tracking 8-4

inline VLAN pair 7-16

Normalizer 8-4

promiscuous 7-14

VLAN groups 7-17

monitoring

events 21-3

inspection load statistics 21-4, 21-5

KBs 21-9

moving

event action filters 8-23, 12-17

OS maps 8-33, 12-26

Multi String engine

described B-34

parameters (table) B-35

Regex B-34

MySDN

described 10-10

IntelliShield 10-10

MySQL database

coexisting with IME 1-8

installing IME 1-8

N

NAS-ID

described 6-23

RADIUS authentication 6-23

Neighborhood Discovery

options B-28

types B-28

network blocks

adding 17-7

deleting 17-7

managing 17-7

Network Blocks pane

configuring 17-7

described 17-6

field descriptions 17-6

user roles 17-6

Network pane

configuring 6-3

described 6-2

field descriptions 6-2

TLS/SSL 6-4

user roles 6-2

network participation

data gathered 14-3

data use (table) 1-3, 14-2

described 14-3

health metrics 14-7

modes 14-4

requirements 14-3

SensorBase Network 14-4

statistics 14-4

network participation data

improving signature fidelity 14-4

understanding sensor deployment 14-4

Network Participation pane

configuring 14-11

described 14-10

field descriptions 14-10

Network Security gadget

configuring 3-9

described 3-8

never block

hosts 16-7

networks 16-7

normalization described 8-4

Normalizer engine

ASA 5500 AIP SSM B-37

ASA 5500-X IPS SSP B-37

ASA 5585-X IPS SSP B-37

described B-36

IP fragment reassembly B-36

IPv6 fragments B-36

modify packets inline 8-4

parameters (table) B-38

TCP stream reassembly B-36

NotificationApp

alert information A-9

described A-4

functions A-9

SNMP gets A-9

SNMP traps A-9

statistics A-11

system health information A-10

Notifications dialog box

configuring 1-15

field descriptions 1-14

NTP

authenticated 6-10, 6-14, C-17

configuring servers 6-13

described 6-10, C-18

incorrect configuration 6-11, C-18

sensor time source 6-12, 6-14

time synchronization 6-10, C-18

unauthenticated 6-10, 6-14, C-17

verifying configuration 6-11

O

Obfuscated Traffic/Attacks reports described 23-2

obsoletes field described B-6

obtaining

cryptographic account 26-2

IPS software 26-1

license key 20-15

sensor license 20-17

one-way TCP reset described 8-40, 12-33

Operation Settings tab

described 13-11

field descriptions 13-11

user roles 13-11

OS Identifications tab

described 8-31, 12-23

field descriptions 8-32, 12-25

OS information sources 8-30, 12-24

OS maps

adding 8-33, 12-26

configuring 8-33, 12-26

deleting 8-33, 12-26

editing 8-33, 12-26

moving 8-33, 12-26

other actions (list) 10-4, 10-16, 12-9

Other Protocols tab

described 13-18, 13-25, 13-31

enabling other protocols 13-18

external zone 13-31

field descriptions 13-18, 13-31

illegal zone 13-25

P

P2P networks described B-52

Packet Logging pane

described 20-3

field descriptions 20-3

partitions

application A-4

recovery A-5

passive OS fingerprinting

components 8-30, 12-24

configuring 8-31, 12-24

described 8-30, 12-23

enabled (default) 8-31, 12-24

password policy caution 20-2, 20-3

password recovery

appliances 20-5, C-8

ASA 5500 AIP SSM 20-7, 20-11, C-10

ASA 5500-X IPS SSP 20-9, C-12

ASA 5585-X IPS SSP C-14

CLI 20-13, C-16

described 20-4, C-8

disabling 20-13, C-16

displaying setting 20-14, C-16

GRUB menu 20-5, C-8

IME 20-13, C-16

IPS 4240 20-6, C-9

IPS 4255 20-6, C-9

IPS 4260 C-9

IPS 4270-20 20-5, C-9

IPS 4345 20-5, 20-6, C-8, C-9

IPS 4360 20-5, C-8, C-9

IPS 4510 20-5, 20-6, C-8, C-9

IPS 4520 20-5, 20-6, C-8, C-9

platforms 20-4, C-8

ROMMON 20-6, C-9

troubleshooting 20-14, C-17

verifying 20-14, C-16

password requirements configuring 20-2

Passwords pane

configuring 20-2

described 20-1

field descriptions 20-2

patch releases described 26-3

peacetime learning (anomaly detection) 13-3

Peer-to-Peer. See P2P.

physical connectivity issues C-32

physical interfaces configuration restrictions 7-11

ping device tool (IME) 1-4, 2-6, 3-15, 3-16, 22-6

platforms concurrent CLI sessions 24-1

policy groups

described 9-4

managing 9-4

Post-Block ACLs 16-17, 16-18

Pre-Block ACLs 16-17, 16-18

prerequisites for blocking 16-5

promiscuous delta

calculating risk rating 8-6, 12-3

described 8-6, 12-3

promiscuous delta described B-6

promiscuous mode

atomic attacks 7-14

described 7-14

illustration 7-14

packet flow 7-14

SPAN ports 7-14

TCP reset interfaces 7-8

VACL capture 7-14

protocols

ARP B-13

CDP 7-31

CIDEE A-34

DCE 11-11, B-48

DDoS B-72

H.323 B-43

H.225.0 B-43

ICMPv6 B-14

IDAPI A-32

IDCONF A-33

IDIOM A-33

IPv6 B-28

LOKI B-71

MSSQL B-50

Neighborhood Discovery B-28

Q.931 B-43

RPC 11-11, B-48

SDEE A-34

Signature Wizard 11-10

Q

Q.931 protocol

described B-43

SETUP messages B-43

quarantined IP address events described 19-2

R

RADIUS authentication

configuring 6-23

described 6-19

NAS-ID 6-23

service account 6-18

shared secret 6-24

rate limiting

ACLs 16-5

configuring 17-9

described 16-4

managing 17-9

percentages 17-8

routers 16-4

service policies 16-5

supported signatures 16-4

rate limiting devices

adding 16-15

deleting 16-15

editing 16-15

rate limits

adding 17-9

deleting 17-9

Rate Limits pane

configuring 17-9

described 17-7

field descriptions 17-8

raw expression syntax

described B-63

expert mode B-63

Raw Regex

described 10-32, 10-35, B-63

expert mode 10-32, 10-35, B-63

rebooting the sensor 20-30

Reboot Sensor pane

configuring 20-30

described 20-30

user roles 20-29

receiving RSS feeds (IME) 4-1

recover command 27-10

recovering

application partition image 27-11

ASA 5500 AIP SSM C-64

recovery partition

described A-5

upgrade 27-5

Regex

Multi String engine B-34

standardized 10-5, B-1

Regular Expression. See also Regex.

regular expression syntax

raw Regex 10-32, 10-35, B-63

signatures B-9

reimaging

ASA 5500-X IPS SSP 27-29

described 27-1

IPS 4240 27-14

IPS 4255 27-13

IPS 4260 27-17

IPS 4270-20 27-19

IPS 4345 27-21

IPS 4360 27-21

IPS 4510 27-24

IPS 4520 27-24

sensors 27-1, 27-10

removing

last applied

service pack 27-10

signature update 27-10

Rename Knowledge Base dialog box field descriptions 21-13

renaming KBs 21-13

reports

configuring 23-3

customizing 23-3

described 23-1

generating 23-3

using filters 23-3

Reports dialog box

configuring 1-18

field descriptions 1-17

report types 23-2

attacks over time 1-17, 23-2

demo 23-1

filtered events vs all events 1-18, 23-2

obfuscated traffic/attacks 23-2

top attackers 1-17, 23-1

top signatures 1-17, 23-2

top victim 1-17, 23-2

user-defined 23-1

reputation

described 14-2

illustration 14-3

servers 14-3

requirements passwords (IME) 1-10

Reset Network Security Health pane

described 21-18

field descriptions 21-18

resetting data 21-18

user roles 21-18

reset not occurring for a signature C-53

resetting

ASA 5500 AIP SSM C-63

hit counts for denied attackers 17-2

network security health data 21-18

passwords

ASDM 20-8, 20-10, 20-12, C-12, C-14, C-15

hw-module command 20-7, 20-11, C-10, C-14

sw-module command 20-9, C-12

resetting the password

ASA 5500 AIP SSM 20-7, 20-11, C-10

ASA 5500-X IPS SSP 20-9, C-12

ASA 5585-X IPS SSP C-14

Restore Default Interface dialog box field descriptions 5-8

Restore Defaults pane

configuring 20-29

described 20-29

user roles 20-29

restoring

current configuration C-5

defaults 20-29

retiring signatures 10-17

risk categories

adding 8-38, 12-31

configuring 8-38, 12-31

deleting 8-38, 12-31

editing 8-38, 12-31

Risk Category tab

configuring 8-38, 12-31

described 8-37, 12-30

field descriptions 8-38, 12-30

risk rating

Alarm Channel 14-5

calculating 8-5, 12-2

component signatures B-32

described 8-30, 12-23

global correlation 14-5

reputation score 14-5

ROMMON

ASA 5585-X IPS SSP 27-33

described 27-12

IPS 4240 20-6, 27-14, C-9

IPS 4255 20-6, 27-14, C-9

IPS 4260 27-17

IPS 4270-20 27-19

IPS 4345 20-6, 27-21, C-9

IPS 4360 27-21, C-9

IPS 4510 20-6, 27-24, C-9

IPS 4520 20-6, 27-24, C-9

password recovery 20-6, C-9

remote sensors 27-12

serial console port 27-12

TFTP 27-12

round-trip time. See RTT.

Router Blocking Device Interfaces pane

configuring 16-20

described 16-17

field descriptions 16-19

RPC portmapper 11-19, B-52

RSS Feed gadgets

configuring 3-11

described 3-11

RSS feeds

channels 4-1

configuring 4-2

described 4-1

formats 4-1

receiving 4-1

RTT

described 27-12

TFTP limitation 27-12

S

Save Knowledge Base dialog box

described 21-11

field descriptions 21-11

saving KBs 21-12

scheduling automatic upgrades 27-8

SDEE

described A-34

HTTP A-34

protocol A-34

server requests A-34

security

account locking 6-24

information on Cisco Security Intelligence Operations 26-8

information on MySDN 10-10

SSH 15-1

security policies described 8-1, 10-1, 12-1, 13-1

sensing interface

ASA 5500 AIP SSM 8-15

ASA 5500-X IPS SSP 8-15

ASA 5585-X IPS SSP 8-15

sensing interfaces

Analysis Engine 7-3

described 7-3

interface cards 7-3

modes 7-3

SensorApp

Alarm Channel A-24

Analysis Engine A-24

described A-4

event action filtering A-25

inline packet processing A-24

IP normalization A-25

packet flow A-26

processors A-23

responsibilities A-23

risk rating A-25

Signature Event Action Processor A-23

signature updates 20-23

TCP normalization A-25

SensorBase Network

described 1-2, 14-1, 14-2

network participation 14-4

participation 1-2, 14-2

servers 1-2, 14-2

sensor health

critical settings 20-20

metrics 20-20

Sensor Health gadget

configuring 3-4

described 3-3

metrics 3-4

status 3-4

Sensor Health pane

described 20-20

field descriptions 20-20

user roles 20-20

Sensor Information gadget

configuring 3-3

described 3-2

Sensor Key pane

button functions 15-6

described 15-6

field descriptions 15-6

sensor SSH host key

displaying 15-7

generating 15-7

user roles 15-6

sensor license

installing 20-17

obtaining 20-17

sensors

access problems C-26

application partition image 27-11

asymmetric traffic and disabling anomaly detection 13-35, C-21

blocking self 16-8

command and control interfaces (list) 7-2

configuring to use NTP 6-14

corrupted SensorApp configuration C-37

diagnostics reports 21-19

disaster recovery C-6

downgrading 27-10

incorrect NTP configuration 6-11, C-18

initializing 6-1, 25-1, 25-4

interface support 7-4

IP address conflicts C-29

logging in

SSH 24-7

Telnet 24-7

loose connections C-25

misconfigured access lists C-29

no alerts C-34, C-60

not seeing packets C-35

NTP time source 6-14

NTP time synchronization 6-10, C-18

partitions A-4

physical connectivity C-32

preventive maintenance C-2

rebooting 20-30

reimaging 27-1

restoring defaults 20-29

sensing process not running C-31

setup command 6-1, 25-1, 25-4, 25-8

shutting down 20-30

statistics 21-20

system information 21-21

time sources 6-10, C-17

troubleshooting software upgrades C-56

updating 20-27

upgrading 27-4

using NTP time source 6-12

Sensor Setup window

described 5-2

Startup Wizard 5-2

Server Certificate pane

button functions 15-10

certificate

displaying 15-10

generating 15-10

described 15-10

field descriptions 15-10

user roles 15-10

server manifest described A-29

service account

accessing 6-18, C-5

cautions 6-18, C-5

creating C-6

described 6-18, A-31, C-5

RADIUS authentication 6-18

TAC A-31

troubleshooting A-31

Service DNS engine

described B-40

parameters (table) B-40

Service engine

described B-39

Layer 5 traffic B-39

Service FTP engine

described B-41

parameters (table) B-41

PASV port spoof B-41

Service Generic engine

described B-42

no custom signatures B-42

parameters (table) B-42

Service H225 engine

ASN.1 PER validation B-44

described B-43

features B-44

parameters (table) B-44

TPKT validation B-44

Service HTTP engine

custom signature 11-17

described 11-16, B-46

example signature 11-17

parameters (table) B-46

Service IDENT engine

described B-48

parameters (table) B-48

Service MSRPC engine

DCE/RPC protocol 11-11, B-48

described 11-11, B-48

parameters (table) B-49

Service MSSQL engine

described B-50

MSSQL protocol B-50

parameters (table) B-51

Service NTP engine

described B-51

parameters (table) B-51

Service P2P engine described B-52

service packs described 26-3

service role 6-17, 24-2, A-31

Service RPC engine

described 11-19, B-52

parameters (table) B-52

RPC portmapper 11-19, B-52

Service SMB Advanced engine

described B-54

parameters (table) B-54

Service SNMP engine

described B-56

parameters (table) B-56

Service SSH engine

described B-57

parameters (table) B-57

Service TNS engine

described B-57

parameters (table) B-58

session command

ASA 5500 AIP SSM 24-4

ASA 5500-X IPS SSP 24-5

ASA 5585-X IPS SSP 24-6

sessioning in

ASA 5500 AIP SSM 24-4

ASA 5500-X IPS SSP 24-5

ASA 5585-X IPS SSP 24-6

setting

current KB 21-12

system clock 6-16

setting up

IME email notification 1-13

terminal servers 24-3, 27-12

setup

automatic 25-2

command 6-1, 25-1, 25-4, 25-8, 25-13, 25-17, 25-20

simplified mode 25-2

shared policies

adding 9-3

deleting 9-3

described 9-1

restrictions 9-2

shared secret

described 6-24

RADIUS authentication 6-24

show events command C-106

show health command C-85

show interfaces command C-104

show module 1 details command C-63, C-68, C-79

show settings command 20-14, C-16

show statistics command C-92, C-93

show statistics virtual-sensor command C-25, C-93

show tech-support command C-85, C-86

show version command C-89, C-90

Shut Down Sensor pane

configuring 20-30

described 20-30

user roles 20-30

shutting down the sensor 20-30

sig0 pane

column heads 10-9

configuration buttons 10-9

default 10-9

described 10-9

field descriptions 10-11

signatures

assigning actions 10-21

cloning 10-19

tuning 10-20

tabs 10-9

signature definition policies

adding 10-8

cloning 10-8

default policy 10-7

deleting 10-8

sig0 10-7

Signature Definitions pane

described 10-7

field descriptions 10-7

signature engines

AIC B-10

Atomic B-13

Atomic ARP B-13

Atomic IP 11-13, B-24

Atomic IP Advanced B-14

Atomic IPv6 B-27

creating custom signatures 11-1

described 10-4, B-1

Fixed B-28

Flood B-31

Flood Host B-31

Flood Net B-32

list 10-5, B-2

Master B-4

Meta 10-25, B-32

Multi String B-34

Normalizer B-36

Regex

patterns B-10

syntax B-9

Service B-39

Service DNS B-40

Service FTP B-41

Service Generic B-42

Service H225 B-43

Service HTTP 11-16, B-46

Service IDENT B-48

Service MSRPC 11-11, B-48

Service MSSQL B-50

Service NTP B-51

Service P2P B-52

Service RPC 11-19, B-52

Service SMB Advanced B-54

Service SNMP B-56

Service SSH engine B-57

Service TNS B-57

State 11-20, B-59

String 11-21, 11-24, B-61

supported by IDM 11-2

Sweep 11-24, B-66

Sweep Other TCP B-69

Traffic Anomaly B-69

Traffic ICMP B-71

Trojan B-72

signature engine update files described 26-5

Signature Event Action Filter

described 12-6, A-26

parameters 12-6, A-26

Signature Event Action Handler described 12-6, A-27

Signature Event Action Override described 12-6, A-26

Signature Event Action Processor

Alarm Channel 12-6, A-26

components 12-6, A-26

described 12-6, A-23, A-26

signature fidelity rating

calculating risk rating 8-5, 12-3

described 8-5, 12-2

signatures

adding 10-17

alert frequency 10-23

assigning actions 10-21

cloning 10-19

custom 10-2

default 10-2

described 10-1

disabling 10-17

editing 10-20

enabling 10-17

false positives 10-2

rate limits 16-4

retiring 10-17

String TCP XL 10-34

subsignatures 10-2

TCP reset C-53

tuned 10-2

tuning 10-20

Signatures window

field descriptions 5-15

user roles 5-14

Signatures window described 5-14

signature threat profiles

applying 5-15

platform support 5-14

signature updates

bypass mode 20-24

files 26-4

FTP server 20-27

installation time 20-23

SensorApp 20-23

signature variables

adding 10-37

configuring 10-37

deleting 10-37

described 10-36

editing 10-37

Signature Variables tab

configuring 10-37

field descriptions 10-36

Signature Wizard

protocols 11-10

signature identification 11-11

SNMP

configuring 18-3

described 18-1

General Configuration pane

field descriptions 18-2

user roles 18-2

Get 18-1

GetNext 18-1

Set 18-1

supported MIBs 18-6, C-20

Trap 18-1

Traps Configuration pane

field descriptions 18-4

user roles 18-4

SNMP General Configuration pane

configuring 18-3

described 18-2

SNMP traps

configuring 18-5

described 18-1

software architecture

ARC (illustration) A-13

IDAPI (illustration) A-32

software bypass

supported configurations 7-10

with hardware bypass 7-10

software downloads Cisco.com 26-1

software file names

recovery (illustration) 26-5

signature/virus updates (illustration) 26-4

signature engine updates (illustration) 26-5

system image (illustration) 26-5

software release examples

platform-dependent 26-6

platform identifiers 26-7

platform-independent 26-6

software updates

supported FTP servers 20-23, 27-2

supported HTTP/HTTPS servers 20-23, 27-2

SPAN port issues C-32

Specialized Reports described 23-2

SSH

described 15-1

security 15-1

SSH Server

private keys A-22

public keys A-22

standards

CIDEE A-34

IDCONF A-33

IDIOM A-33

SDEE A-34

Startup Wizard

access lists 5-3

adding ACLs 5-5

adding virtual sensors 5-13

Add Virtual Sensor dialog box 5-12

ASA 5500 AIP SSM 5-2

ASA 5500-X IPS SSP 5-2

ASA 5585-X IPS SSP 5-2

Auto Update configuring 5-17

described 5-1

Inline Interface Pair window

described 5-9

field descriptions 5-9

Inline VLAN Pairs window configuring 5-10

Interface Selection window 5-9

Interface Summary window 5-7

Sensor Setup window

configuring 5-4

described 5-2

field descriptions 5-2

Signatures window described 5-14

Traffic Inspection Mode window 5-8

Virtual Sensors window

field descriptions 5-11

Virtual Sensors window described 5-11

VLAN groups unsupported 5-1, 5-7

State engine

Cisco Login 11-20, B-59

described 11-20, B-59

LPR Format String 11-20, B-59

parameters (table) B-59

SMTP 11-20, B-59

statistic display C-93

Statistics pane

button functions 21-20, 21-21

categories 21-20

described 21-20

using 21-20

statistics viewing 21-20

String engine described 11-21, 11-24, B-61

String ICMP engine parameters (table) B-61

String TCP engine

custom signature 11-22

example signature 11-22

parameters (table) B-61

String TCP XL signature (example) 10-31, 10-34

String UDP engine parameters (table) B-62

String XL engine

description B-63

hardware support 10-6, 11-3, B-3, B-63

parameters (table) B-64

unsupported parameters B-66

subinterface 0 described 7-17

subsignatures described 10-2

summarization

described 8-7, 12-5

Fire All 8-7, 12-5

Fire Once 8-8, 12-5

Global Summarization 8-7, 12-5

Meta engine 8-7, 12-5

Summary 8-7, 12-5

Summarizer described 8-40, 12-33

Summary pane

described 7-17

field descriptions 7-18

supported

FTP servers 20-23, 27-2

HTTP/HTTPS servers 20-23, 27-2

IPS interfaces for CSA MC 19-3

platforms for IME 1-5

supported sensors for signature threat profiles 5-14

Sweep engine 11-25, B-67

described 11-24, B-66

parameters (table) B-67

Sweep Other TCP engine

described B-69

parameters (table) B-69

SwitchApp described A-30

switches and TCP reset interfaces 7-9

sw-module module slot_number password-reset command 20-9, C-12

system architecture

directory structure A-35

supported platforms A-1

system clock setting 6-16

system components IDAPI A-32

System Configuration Dialog

described 25-2

example 25-2

system design (illustration) A-2

system image

installing

ASA 5500 AIP SSM 27-27

ASA 5500-X IPS SSP 27-29

IPS 4240 27-14

IPS 4255 27-14

IPS 4260 27-17

IPS 4270-20 27-19

IPS 4345 27-21

IPS 4360 27-21

IPS 4510 27-24

IPS 4520 27-24

System Information pane

described 21-21

using 21-21

system information viewing 21-21

system requirements for IME 1-4

T

TAC

contact information 21-21

service account 6-18, A-31, C-5

show tech-support command C-86

troubleshooting A-31

target value rating

calculating risk rating 8-6, 12-3

described 8-6, 8-26, 8-27, 12-3, 12-19, 12-21

TCP fragmentation described B-36

TCP Protocol tab

described 13-16, 13-23, 13-29

enabling TCP 13-16

external zone 13-29

field descriptions 13-16, 13-23, 13-29

illegal zone 13-23

TCP reset interfaces

conditions 7-9

described 7-8

list 7-8

promiscuous mode 7-8

switches 7-9

TCP resets not occurring C-53

TCP stream reassembly

described 10-52

mode 10-58

parameters (table) 10-53

signatures (table) 10-53

tech support information display C-86

terminal server setup 24-3, 27-12

testing fail-over 7-10

TFN2K

described B-71

Trojans B-72

TFTP servers

maximum file size limitation 27-12

RTT 27-12

Threat Category tab

described 8-39, 12-32

field descriptions 8-39, 12-32

threat rating

described 8-6, 12-4

risk rating 8-6, 12-4

Thresholds for KB Name window

described 21-8

field descriptions 21-8

filtering information 21-8

time

correction on the sensor 6-12, C-19

sensors 6-10, C-17

synchronizing IPS clocks 6-11, C-18

Time pane

configuring 6-9

described 6-7

field descriptions 6-7

user roles 6-7

time sources

appliances 6-10, C-18

ASA 5500 AIP SSM 6-11, C-18

ASA 5500-X IPS SSP 6-11, C-18

ASA 5585-X IPS SSP 6-11, C-18

TLS

described 6-4

handshaking 15-7

IDM 15-7

web server 15-7

Top Applications gadget

configuring 3-9

described 3-9

Top Attacker Reports described 1-17, 23-1

Top Attackers gadgets

configuring 3-11

described 3-11

Top Signature Reports described 1-17, 23-2

Top Signatures gadgets

configuring 3-13

described 3-12

Top Victim Reports described 1-17, 23-2

Top Victims gadgets

configuring 3-12

described 3-12

traceroute device tool (IME) 1-4, 2-6, 3-15, 3-16, 22-6

Traffic Anomaly engine

described B-69

protocols B-69

signatures B-69

traffic flow notifications

configuring 7-30

described 7-30

Traffic Flow Notifications pane

configuring 7-30

field descriptions 7-30

user roles 7-30

Traffic ICMP engine

DDoS B-71

described B-71

LOKI B-71

parameters (table) B-72

TFN2K B-71

Traffic Inspection Mode window described 5-8

Traps Configuration pane

configuring 18-5

described 18-4

trial license key 20-15

Tribe Flood Network. See TFN.

Tribe Flood Network 2000. See TFN2K.

Trojan engine

BO2K B-72

described B-72

TFN2K B-72

Trojans

BO B-72

BO2K B-72

LOKI B-72

TFN2K B-72

troubleshooting

Analysis Engine busy C-58

applying software updates C-55

ARC

blocking not occurring for signature C-44

device access issues C-42

enabling SSH C-44

inactive state C-40

misconfigured master blocking sensor C-45

verifying device interfaces C-43

ASA 5500 AIP SSM

commands C-63

debugging C-64

failover scenarios C-61

recovering C-64

reset C-63

ASA 5500-X IPS SSP

commands C-68

failover scenarios C-67

ASA 5585-X IPS SSP

commands C-79

failover scenarios C-78

traffic flow stopped C-79

automatic updates C-55

cannot access sensor C-26

cidDump C-109

cidLog messages to syslog C-52

communication C-26

corrupted SensorApp configuration C-37

debug logger zone names (table) C-51

debug logging C-47

disaster recovery C-6

duplicate sensor IP addresses C-29

enabling debug logging C-47

external product interfaces 19-10, C-24

gathering information C-84

global correlation 14-11, C-22

IDM

cannot access sensor C-59

will not load C-58

IME time synchronization C-60

IPS clock time drift 6-11, C-18

misconfigured access list C-29

no alerts C-34, C-60

password recovery 20-14, C-17

physical connectivity issues C-32

preventive maintenance C-2

reset not occurring for a signature C-53

sensing process not running C-31

sensor events C-105

sensor loose connections C-25

sensor not seeing packets C-35

sensor software upgrade C-56

service account 6-18, C-5

show events command C-105

show interfaces command C-104

show tech-support command C-85, C-87

show version command C-89

software upgrades C-54

SPAN port issue C-32

upgrading C-54

verifying Analysis Engine is running C-22

verifying ARC status C-39

Trusted Hosts pane

configuring 15-9

described 15-9

field descriptions 15-9

tuned signatures described 10-2

tuning

AIC signatures 10-48

IP fragment reassembly signatures 10-52

signatures 10-20

TCP fragment reassembly signatures 10-59

U

UDP Protocol tab

described 13-17, 13-24, 13-30

enabling UDP 13-17

external zone 13-30

field descriptions 13-17, 13-31

illegal zone 13-24

unassigned VLAN groups described 7-17

unauthenticated NTP 6-10, 6-14, C-17

uninstalling the license key 20-19

UNIX-style directory listings 20-23

unlocking accounts 6-26

unlock user username command 6-26

Update Sensor pane

configuring 20-27

described 20-27

field descriptions 20-27

user roles 20-26

updating sensors 20-27

upgrade command 27-3, 27-5

upgrading

application partition 27-10

latest version C-54

recovery partition 27-5

sensors 27-4

uploading KBs

FTP 21-14

SCP 21-14

Upload Knowledge Base to Sensor dialog box

described 21-14

field descriptions 21-14

URLs for Cisco Security Intelligence Operations 26-8

user-defined reports described 23-1

user roles authentication 6-19

users configuring 6-22

using

debug logging C-47

TCP reset interfaces 7-9

V

VACLs

described 16-3

Post-Block 16-21

Pre-Block 16-21

verifying

NTP configuration 6-11

password recovery 20-14, C-16

sensor initialization 25-24

sensor setup 25-24

version display C-90

video help described 1-3

viewing

denied attacker hit counts 17-2

denied attackers list 17-2

IP logs 17-12

license key status 20-15

statistics 21-20

system information 21-21

virtualization

advantages 8-3, C-19

restrictions 8-3, C-20

supported sensors 8-3, C-20

traffic capture requirements 8-3, C-20

virtual-sensor name command 8-16

virtual sensors

adding 5-13, 8-13

adding (ASA 5500 AIP SSM) 8-16

adding (ASA 5500-X IPS SSP) 8-16

adding (ASA 5585-X IPS SSP) 8-16

ASA 5500 AIP SSM 8-18

ASA 5500-X IPS SSP 8-18

ASA 5585-X IPS SSP 8-18

creating (ASA 5500 AIP SSM) 8-16

creating (ASA 5500-X IPS SSP) 8-16

creating (ASA 5585-X IPS SSP) 8-16

default virtual sensor 8-2, 8-8

deleting 8-13

described 8-2, 8-8

editing 8-13

options 8-16

Virtual Sensors window

described 5-11

VLAN groups

802.1q encapsulation 7-17

configuration restrictions 7-13

configuring 7-27

deploying 7-26

switches 7-26

VLAN IDs 7-26

VLAN groups mode

described 7-17

VLAN Groups pane

configuring 7-27

described 7-26

field descriptions 7-26

user roles 7-26

VLAN Pairs pane

configuring 7-25

described 7-24

field descriptions 7-24

user roles 7-23

vulnerable OSes field described B-6

W

watch list rating

calculating risk rating 8-6, 12-3

described 8-6, 12-3

web server

described A-4, A-23

HTTP 1.0 and 1.1 support A-23

private keys A-22

public keys A-22

SDEE support A-23

TLS 15-7

whois device tool (IME) 1-4, 2-6, 3-15, 3-16, 22-6

worms

Blaster 13-2

Code Red 13-2

histograms 13-13, 21-6

Nimda 13-2

protocols 13-3

Sasser 13-2

scanners 13-3

Slammer 13-2

SQL Slammer 13-2

Z

zones

external 13-5

illegal 13-5

internal 13-5