Table Of Contents
IPS User Interface Reference
Signature Policies
Signatures Page
Edit Signature Dialog Box
Row Shortcut Menu
Add Custom Signature Dialog Box
Update Level Dialog Box
Actions Shortcut Menu
Edit Actions Dialog Box
Edit Fidelity Dialog Box
Accessing the Cisco NSDB
Edit Signature Parameters Dialog Box
Engine Options
Edit Signature Parameter—Component List Dialog Box
Add Signature Parameter—List Entry Dialog Box
Edit Signature Parameter—List Entry Dialog Box
Obsoletes Dialog Box
Add an Entry Dialog Box
Settings Page
Anomaly Detection Page
Anomaly Detection Page > Operation Settings Tab
Anomaly Detection Page > Learning Accept Mode Tab
Times Of Day Dialog Box
Days Of Week Dialog Box
Anomaly Detection Page > Internal Zone, External Zone, and Illegal Zone Tabs
General Sub-Tab
TCP Protocol Sub-Tab
UDP Protocol Sub-Tab
Other Protocols Sub-Tab
Event Action Policies
Event Action Filters Page
Filter Item Dialog Box
Event Action Overrides Page
Event Action Override Dialog Box
Network Information Page
Target Value Ratings Tab
OS Identification Tab
Event Actions > Settings Page
Interfaces Page
Physical Interfaces Tab
Modify Physical Interface Map Dialog Box
Inline Pairs Tab
Interface Pair Dialog Box
VLAN Pairs Tab
VLAN Pair Dialog Box
VLAN Groups Tab
VLAN Group Map Dialog Box
Summary Tab
Platform Policies
Device Admin Policies
Device Access Policies
Server Access Policies
Logging Page
Interface Notifications Tab
Analysis Engine Tab
Security Policies
Blocking Page
IPS Updates Page
Virtual Sensors Page
Add Virtual Sensor Dialog Box
Edit Virtual Sensor Dialog Box
General Settings Page
Interface Rules Page
Add IPS Rule Dialog Box
Adding Pair Dialog Box
IPS User Interface Reference
The following topics describe the pages available for configuring policies for IPS sensors (appliances, switch modules, and network modules) and IOS IPS devices (Cisco IOS routers with IPS-enabled images and Cisco Integrated Services Routers):
•
Signature Policies
•
Anomaly Detection Page
•
Event Action Policies
•
Interfaces Page
•
Platform Policies
•
Virtual Sensors Page
•
General Settings Page
•
Interface Rules Page
Signature Policies
The pages that you access from the Signatures folder from the Policies selector in Device View enable you to configure signatures and their settings.
These topics describe the main pages available from the Signatures folder:
•
Signatures Page
•
Settings Page
Signatures Page
Use the Signatures page to display the signature summary table, in which you can edit and delete IPS signatures. The primary function of this page is to tune the active signature set in a policy by enabling or disabling signatures. You can also use this page to unload signatures from the engine. In the signature summary table, you also can add a custom signature and access the Cisco NSDB.
Navigation Path
•
(Device view) Select IPS > Signatures > Signatures from the Policy selector.
•
(Policy view) Select Intrusion Prevention System > Signatures > Signatures from the Policy Type selector. Right-click Signatures to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•
Edit Signature Dialog Box
•
Row Shortcut Menu
•
Actions Shortcut Menu
•
Edit Actions Dialog Box
•
Accessing the Cisco NSDB
Field Reference
Table N-1 Signature Summary Table
Element
|
Description
|
ID
|
Signature ID. Identifies the unique numerical value assigned to this signature. This value lets the sensor identify a particular signature. Clicking on the link in the ID column triggers a browser window that opens to the entry in MySDN for that signature. This column is visible by default.
|
Sub
|
Subsignature ID. Identifies the unique numerical value assigned to this subsignature. A Subsignature ID is used to identify a more granular version of a broad signature. This column is visible by default.
|
Name
|
Identifies the name assigned to the signature. This column is visible by default.
|
Action
|
Identifies the actions the sensor takes when this signature fires.
Any changes made using Action will affect all of the rows selected. This column is visible by default.
|
Severity
|
Identifies the severity level that the signature reports: High, Informational, Low, Medium.
Any changes made using Severity will affect all of the rows selected. This column is visible by default.
|
Fidelity
|
Identifies the weight associated with how well this signature might perform in the absence of specific knowledge of the target.
Any changes made using Fidelity affects all of the rows selected. This column is visible by default.
|
Source
|
Displays the lowest policy in the inheritance hierarchy that overrides the settings for a signature. This column is visible by default.
|
Enabled
|
Identifies whether or not the signature is enabled in this policy. A signature must be enabled for the sensor to protect against the traffic specified by the signature.
Possible values are:
• true. The signature is enabled in this policy.
• false. The signature is disabled in this policy.
|
Base Risk Rating
|
Displays the base risk rating value of each signature.
|
Retired
|
Identifies whether or not the signature is retired. A retired signature is removed from the signature engine.
|
Obsolete
|
Identifies whether or not the signature is obsolete. An obsolete signature is removed from the signature engine. It cannot be re-activated. This column is visible by default and it is read only.
|
Engine
|
Identifies the engine that parses and inspects the traffic specified by this signature. This column is visible by default.
|
Add button
|
Opens the Add Custom Signature dialog box.
|
Edit button
|
Opens the Edit Signature dialog box. If more than one row is selected, the Edit row option is disabled.
|
Delete button
|
Removes the selected signature(s) from the table. The Delete button is enabled only when the set of selected rows contains only custom signatures.
|
Edit Signature Dialog Box
Use the Edit Signature dialog box if you want the source of the signature settings to be anything other than the default policy. The default policy cannot be edited, so if you want to change the signature settings, you will have to override them in the local policy for the device. You can do this by selecting Local from the Source Policy dropdown list. After you change the source policy to Local, the controls are enabled.
Navigation Path
(Device view) Select IPS > Signatures > Signatures from the Policy selector. Click the Edit button to open the Edit Signature dialog box.
Related Topics
•
Edit Actions Dialog Box
•
Edit Signature Parameters Dialog Box
•
Engine Options
Field Reference
Table N-2 Edit Signature Dialog Box
Menu Command
|
Description
|
Source Policy
|
Values are Default or Local. For a newly added device, the source of the signature settings is the Default policy. Because this policy cannot be edited, if you want to change the values of these settings, you must override them in the local policy for the device; you do that by selecting Local.
|
Inheritance Mandatory
|
When selected, forces any policy that inherits from that policy to use the signature settings defined.
|
Enabled check box
|
Specifies that the signature is enabled.
|
Severity
|
Identifies the severity level that the signature will report: High, Informational, Low, Medium.
|
Fidelity Rating
|
Identifies the weight associated with how well this signature might perform in the absence of specific knowledge of the target.
|
Actions
|
Identifies the actions the sensor will take when this signature fires. For a complete list of actions, see the Edit Actions Dialog Box.
|
Base Risk Rating
|
Set the base risk rating value of the signature. The base risk rating is calculated by multiplying the Fidelity Rating by the Severity Factor and dividing by 100 (Fidelity Rating x Severity Factor / 100).
Severity Factor has the following values:
• Severity Factor = 100 if the signature's severity level is high
• Severity Factor = 75 if signature's severity level is medium
• Severity Factor = 50 if signature's severity level is low
• Severity Factor = 25 if signature's severity level is informational
|
Engine
|
Identifies the engine that parses and inspects the traffic specified by this signature.
|
Retired
|
Identifies whether or not the signature is retired. A retired signature is removed from the signature engine. You can activate a retired signature to place it back in the signature engine. This column is visible by default.
Timesaver  Use the Retired column to unload disabled signatures from the engine on your IOS IPS device. A retired signature is not loaded into the engine, so retiring disabled signatures frees memory on the device.
|
Obsolete
|
Identifies whether or not the signature is obsolete. An obsolete signature is removed from the signature engine. It cannot be re-activated.
|
Restore Defaults button
|
Reverts to default values as defined by Cisco.
|
Edit Parameters button
|
Opens the Edit Signature Parameters dialog box.
|
OK
|
Accepts your changes and closes the dialog box.
|
Cancel
|
Discards your changes and closes the dialog box.
|
Help
|
Displays the help topic for this feature.
|
Row Shortcut Menu
In the Signature Summary table, you can access a shortcut menu that enables you to add and edit signatures. This shortcut menu is available for all columns except Actions, Severity, and Fidelity.
Navigation Path
•
(Device view) Select IPS > Signatures > Signatures from the Policy selector. Right-click a cell in a column other than Actions, Severity, or Fidelity.
Related Topics
•
Actions Shortcut Menu
•
Edit Actions Dialog Box
•
Accessing the Cisco NSDB
Field Reference
Table N-3 Row Shortcut Menu Options
Menu Command
|
Description
|
Add button
|
Opens the Add Custom Signature dialog box.
|
Edit button
|
Opens the Edit Signature dialog box. If more than one row is selected, the Edit row option is disabled.
|
Delete button
|
Removes the selected signature(s) from the table. The Delete button is enabled only when the set of selected rows contains only custom signatures.
|
Clone
|
Creates a custom signature with the settings of the selected signature: opens the Add Custom Signature dialog box with the properties of the selected signature already filled in.
|
Enable/Disable
|
Places the signature in the enabled or disabled state, respectively. Disabled signatures appear with crosshatching over them.
|
Add Custom Signature Dialog Box
Use the Add Custom Signature dialog box to create a custom signature. In the Add Custom Signature dialog box, you enter a name and then select an existing engine from a dropdown list. The signature ID and subsignature ID will be assigned by Security Manager. After you finish selecting the remaining parameters, the new signature is added to the Signatures page in the appropriate numerical location, and it is selected.
Navigation Path
(Device view) Select IPS > Signatures > Signatures from the Policy selector. Click the Add button to open the Add Custom Signature dialog box.
Related Topics
•
Edit Signature Parameters Dialog Box
•
Engine Options
Field Reference
Table N-4 Add Custom Signatures Dialog Box
Menu Command
|
Description
|
Name
|
Name of the signature.
|
Engine
|
Specifies the engine to use for this signature. See Engine Options.
|
Actions
|
Identifies the actions the sensor will take when this signature fires. For a complete list of actions, see the Edit Actions Dialog Box.
|
Enabled check box
|
Specifies that the signature is enabled.
|
Severity
|
Identifies the severity level that the signature will report: High, Informational, Low, Medium.
|
Fidelity Rating
|
Identifies the weight associated with how well this signature might perform in the absence of specific knowledge of the target.
|
Risk Rating
|
Set the base risk rating value of the signature. The base risk rating is calculated by multiplying the Fidelity Rating by the Severity Factor and dividing by 100 (Fidelity Rating x Severity Factor / 100).
Severity Factor has the following values:
• Severity Factor = 100 if the signature's severity level is high
• Severity Factor = 75 if signature's severity level is medium
• Severity Factor = 50 if signature's severity level is low
• Severity Factor = 25 if signature's severity level is informational
|
Edit Parameters button
|
Opens the Edit Signature Parameters dialog box. See Edit Signature Parameters Dialog Box.
|
OK
|
Accepts your changes and closes the dialog box.
|
Cancel
|
Discards your changes and closes the dialog box.
|
Help
|
Displays the help topic for this feature.
|
Update Level Dialog Box
Displays the delta between the update packages applied to the device in Security Manager and those actually deployed on the IPS device.
Differences between applied and deployed can occur when:
•
the device is updated outside of Security Manager
•
an update is applied to the policy in Security Manager but not yet published to the device
•
during initial Security Manager deployment before the devices are under Security Manager control
Navigation Path
(Device view) Select IPS > Signatures > Signatures from the Policy selector. Click the View Update Level button to open the Update Level for ... dialog box.
Field Reference
Table N-5 Update Level for Dialog Box
Menu Command
|
Description
|
Applied Level
|
This column displays the patch level that is applied to this device in Security Manager.
|
Deployed Level
|
This column displays the patch level that is currently running on the selected device.
|
Major Update
|
Identifies the major update level.
|
Minor Update
|
Identifies the minor update level.
|
Service Pack
|
Identifies the service pack level.
|
Patch
|
Identifies the patch level.
|
Engine
|
Identifies the engine level.
|
Signature Update
|
Identifies the signature update level.
Note This field is the only field on this page that applies to the IOS IPS devices; all of the other fields are exclusive to IPS devices.
|
Actions Shortcut Menu
In the Signature Summary table, you can access a shortcut menu that enables you to add and remove actions. This shortcut menu is available only for the Actions column.
Navigation Path
•
(Device view) Select IPS > Signatures > Signatures from the Policy selector. Right-click a cell in the Actions column.
Related Topics
•
Row Shortcut Menu
•
Edit Actions Dialog Box
•
Accessing the Cisco NSDB
Field Reference
Table N-6 Actions Shortcut Menu Options
Menu Command
|
Description
|
Add to Actions
|
Adds an action to the current list of actions for the selected signature.
|
Delete from Actions
|
Deletes an action from the current list of actions for the selected signature.
|
Replace Actions With
|
Replace the current set of actions for the selected signature with the single action selected.
|
Edit Actions
|
Opens the Edit Actions dialog box.
|
Edit Actions Dialog Box
Use the Edit Actions dialog box to select an action that is not on the Add to Actions or Replace Actions with menus, or if you want to select more than one action.
Navigation Path
•
(Device view) Select IPS > Signatures > Signatures from the Policy selector. Right-click a cell in the Actions column. Select Edit Actions from the shortcut menu.
Related Topics
•
Row Shortcut Menu
•
Actions Shortcut Menu
•
Accessing the Cisco NSDB
Field Reference
Table N-7 Edit Actions Dialog Box
Menu Command
|
Description
|
Deny Attacker Inline
|
Terminates the current packet and future packets from this attacker address for a specified period of time.
|
Deny Attacker/Service Pair Inline
|
Does not transmit this packet and future packets on the attacker address/victim port pair for a specified period of time.
|
Deny Attacker/Victim Pair Inline
|
Does not transmit this packet and future packets on the attacker/victim address pair for a specified period of time.
|
Deny Connection Inline
|
Terminates the current packet and future packets on this TCP flow.
|
Deny Packet Inline
|
Terminates the packet.
|
Log Attacker Packets
|
Starts IP logging on packets that contain the attacker address and sends an alert. This action causes an alert to be written to the Event Store, even if Produce Alert is not selected.
|
Log Pair Packets
|
Starts IP Logging on packets that contain the attacker/victim address pair. This action causes an alert to be written to the Event Store, even if Produce Alert is not selected.
|
Log Victim Packets
|
Starts IP Logging on packets that contain the victim address and sends an alert. This action causes an alert to be written to the Event Store, even if Produce Alert is not selected.
|
Modify Packet Inline
|
Modifies packet data to remove ambiguity about what the end point might do with the packet.
|
Produce Alert
|
Writes the event to the Event Store as an alert.
|
Produce Verbose Alert
|
Includes an encoded dump of the offending packet in the alert. This action causes an alert to be written to the Event Store, even if Produce Alert is not selected.
|
Request Block Connection
|
Sends a request to block this connection. You must have blocking devices configured to implement this action.
|
Request Block Host
|
Sends a request to block this attacker host. You must have blocking devices configured to implement this action.
|
Request Rate Limit
|
Sends a rate limit request to perform rate limiting. You must have rate limiting devices configured to implement this action.
|
Request SNMP Trap
|
Sends a request to the sensor to perform SNMP notification. This action causes an alert to be written even if Produce Alert is not selected. You must have SNMP configured on the sensor to implement this action.
|
Reset TCP Connection
|
Sends TCP resets to hijack and terminate the TCP flow. Reset TCP Connection only works on TCP signatures that analyze a single connection. It does not work for sweeps or floods.
|
OK
|
Accepts your changes and closes the dialog box.
|
Cancel
|
Discards your changes and closes the dialog box.
|
Help
|
Displays the help topic for this feature.
|
Edit Fidelity Dialog Box
Use the Edit Fidelity dialog box to change the Fidelity Rating of a particular signature. The Fidelity Rating, or Signature Fidelity Rating (SFR), identifies the weight associated with how well this signature might perform in the absence of specific knowledge of the target. This rating can be any number from 0 to 100, with 100 indicating the most confidence in the signature.
Accessing the Cisco NSDB
The Cisco Network Security Database (NSDB) can be accessed, or invoked, through the user interface of Security Manager.
The NSDB is a database of security information that explains the signatures the IPS uses along with the vulnerabilities on which these signatures are based. The NSDB contains a description for each attack signature that the sensor can detect.
In Security Manager, the table in the content area of the IPS Signature policy contains several columns by default, one of which is Signature ID. The Signature ID column contains hyperlinks to the NSDB. Clicking on the link in the ID column will trigger the opening of an external browser window that opens to the entry in MySDN for that signature.
MySDN, which stands for My Self-Defending Network, provides up-to-date intelligence reports about current vulnerabilities and threats, as well as education on advanced security topics to help you protect your network, prioritize remediation, and structure your systems to reduce organizational risk. For more information, refer to http://www.cisco.com/go/MySDN.
If you have access to Cisco.com, then the signature ID is linked to MySDN. If you do not have access to Cisco.com, then the signature ID is linked to the local copy of the NSDB. Security Manager will detect whether or not you have access to Cisco.com and make the appropriate link for you without your having to set a preference.
Some signatures in IPS 5.x, IPS 6.0, and IOS IPS have special characteristics: Built-in signatures cannot be added, deleted, or renamed, because they are provided with IPS itself. ("Built-in" means all signatures other than those that you create.) The information for built-in signatures, such as their names and IDs, appears as it does in the NSDB.
Tip
For a particular signature in the NSDB, the "Release Version" refers to the version of IPS that the signature first appeared in, or was last modified in. The "Release Version" appears in the bottom left-hand corner of the header information when you are looking at a particular signature.
Edit Signature Parameters Dialog Box
Use the Edit Signature Parameters dialog box to edit (also called tune) the built-in micro-engine parameters for a particular signature. Different engines have different parameters, so the appearance of the Edit Signature Parameters dialog box will vary.
Navigation Path
•
(Device view) Select IPS > Signatures > Signatures from the Policy selector. Right-click the row containing the signature that you want to edit, and then click Edit Row in the shortcut menu that appears. Finally, click Edit Parameters.
Related Topics
•
Add Custom Signature Dialog Box
•
Edit Signature Dialog Box
•
Engine Options
Field Reference
Table N-8 Edit Signature Parameters Dialog Box
Primary and Secondary Elements
|
Description
|
Signature Definition
|
—
|
| |
Signature ID
|
Identifies the unique numerical value assigned to this signature. This value lets the sensor identify a particular signature.
The value is 1000 to 65000.
|
| |
SubSignature ID
|
Identifies the unique numerical value assigned to this subsignature. The subsignature ID identifies a more granular version of a broad signature.
The value is 0 to 255.
|
| |
Promiscuous Delta check box
|
Lets you determine the seriousness of the alert when the sensor is operating in promiscuous mode. The promiscuous delta is subtracted from the risk rating of alerts raised in promiscuous mode, where the sensor cannot deny traffic, so that inline alerts are prioritized above them.
|
Sig Description
|
Lets you specify the following attributes that help you distinguish this signature from other signatures:
• Alert Notes
• User Comments
• Alert Traits
• Release
|
| |
Alert Notes
|
Add alert notes in this field.
|
| |
User Comments
|
Add your comments about this signature in this field.
|
| |
Alert Traits
|
Add the alert trait in this field. The value is 0 to 65535. The default is 0.
|
| |
Release
|
The release in which the signature was most recently updated.
|
Engine
|
Lets you choose the engine that parses and inspects the traffic specified by this signature. For the list of possible values, see Engine Options.
|
| |
Fragment Status
|
Specifies whether fragments are wanted or not:
• Any fragment status.
• Do not inspect fragments.
• Inspect fragments.
|
Regex String
|
—
|
| |
Service Ports
|
A comma-separated list of ports or port ranges where the target service resides.
|
| |
Direction
|
Direction of traffic:
• Traffic from service port destined to client port.
• Traffic from client port destined to service port.
|
| |
Specify Exact Match Offset
|
(Optional) Enables an exact match offset:
• Specify Min Match Offset/Specify Max Match Offset—The lower and upper bounds of the stream offset at which the regular expression string must report its match for the match to be valid.
|
| |
Swap Attacker Victim
|
Yes swaps the source and destination addresses (and ports) in the alert message, so that the responder is reported as the attacker. No (the default) leaves them as observed.
|
Event Counter
|
Lets you configure how the sensor counts events. For example, you can specify that you want the sensor to send an alert only if the same signature fires 5 times for the same address set:
• Event Count
• Event Count Key
• Specify Alert Interval
|
| |
Event Count
|
The number of times an event must occur before an alert is generated. The value is 1 to 65535. The default is 1.
|
| |
Event Count Key
|
The storage type used to count events for this signature. Choose attacker address, attacker address and victim port, attacker and victim addresses, attacker and victim addresses and ports, or victim address. The default is attacker address.
|
| |
Specify Alert Interval
|
Specifies the time in seconds before the event count is reset. Choose Yes or No from the drop-down list and then specify the amount of time.
|
Alert Frequency
|
Lets you configure how often the sensor alerts you when this signature is firing. Specify the following parameters for this signature:
• Summary Mode
• Summary Interval
• Summary Key
• Specify Global Summary Threshold
|
| |
Summary Mode
|
The mode of alert summarization. Choose Fire All, Fire Once, Global Summarize, or Summarize.
Note When multiple contexts from the adaptive security appliance are contained in one virtual sensor, the summary alerts contain the context name of the last context that was summarized. Thus, the summary is the result of all alerts of this type from all contexts that are being summarized.
|
| |
Summary Interval
|
The time in seconds used in each summary alert. The value is 1 to 65535. The default is 15.
|
| |
Summary Key
|
The storage type used to summarize alerts. Choose Attacker address, Attacker address and victim port, Attacker and victim addresses, Attacker and victim addresses and ports, or Victim address. The default is Attacker address.
|
| |
Specify Global Summary Threshold
|
Lets you specify the threshold number of events to take the alert into global summary. Choose Yes or No and then specify the threshold number of events.
|
Status
|
Lets you enable or disable a signature, or retire or unretire a signature:
• Enabled—Lets you choose whether the signature is enabled or disabled. The default is yes (enabled).
• Retired—Lets you choose whether the signature is retired or not. The default is no (not retired).
|
| |
Obsoletes
|
Lists the signatures that are obsoleted by this signature.
|
Vulnerable OS List
|
Identifies the list of operating systems that this attack targets.
|
MARS Category
|
Identifies the category in Cisco Security MARS to which this signature belongs. This metadata is used to color the events generated in such a way as to provide MARS with the data that it needs to process this signature relative to the event categories that it studies.
|
Expand All
|
Expands all categories and subcategories.
|
Collapse All
|
Collapses all fields to the category.
|
OK
|
Accepts your changes and closes the dialog box.
|
Cancel
|
Discards your changes and closes the dialog box.
|
Help
|
Displays the help topic for this feature.
|
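The Event Counter and Alert Frequency parameters above interact in ways the table cannot show on its own. The following Python simulation is an added example, not part of this guide and not Security Manager or sensor code: it shows how Event Count, Event Count Key and Alert Interval gate an alert, and how the Fire All, Fire Once and Summarize modes then thin the alerts that would reach the Event Store. The event trace, the attacker and victim addresses, and the sensor-side data structures are all constructed for the example; Global Summarize and the global summary threshold are not modelled.

```python
"""Event Counter and Alert Frequency simulation (constructed example, not sensor code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Storage types offered by Event Count Key / Summary Key, mapped to event fields.
KEY_FIELDS = {
    "attacker address": ("src",),
    "attacker address and victim port": ("src", "dport"),
    "attacker and victim addresses": ("src", "dst"),
    "attacker and victim addresses and ports": ("src", "sport", "dst", "dport"),
    "victim address": ("dst",),
}


@dataclass(frozen=True)
class Event:
    t: float      # seconds since the start of the trace
    src: str      # attacker address
    sport: int    # attacker port
    dst: str      # victim address
    dport: int    # victim port


def storage_key(ev: Event, key_name: str) -> tuple:
    return tuple(getattr(ev, f) for f in KEY_FIELDS[key_name])


class SignatureAlerting:
    """Counts signature hits per key and decides which alerts are emitted."""

    def __init__(self, event_count: int = 1, count_key: str = "attacker address",
                 alert_interval: Optional[float] = None, summary_mode: str = "fire-all",
                 summary_interval: float = 15, summary_key: str = "attacker address"):
        self.event_count, self.count_key, self.alert_interval = event_count, count_key, alert_interval
        self.summary_mode, self.summary_interval, self.summary_key = summary_mode, summary_interval, summary_key
        self.counts: Dict[tuple, Tuple[int, float]] = {}     # key -> (hits so far, interval start)
        self.summaries: Dict[tuple, Tuple[float, int]] = {}  # key -> (interval start, suppressed hits)
        self.fired_once: set = set()
        self.output: List[tuple] = []

    def observe(self, ev: Event) -> None:
        k = storage_key(ev, self.count_key)
        hits, start = self.counts.get(k, (0, ev.t))
        if self.alert_interval is not None and ev.t - start >= self.alert_interval:
            hits, start = 0, ev.t                  # Alert Interval elapsed: the counter resets
        hits += 1
        if hits < self.event_count:
            self.counts[k] = (hits, start)
            return
        self.counts[k] = (0, ev.t)                 # Event Count reached: fire and start over
        self._alert(ev)

    def _alert(self, ev: Event) -> None:
        sk = storage_key(ev, self.summary_key)
        if self.summary_mode == "fire-all":
            self.output.append(("alert", ev.t, sk))
        elif self.summary_mode == "fire-once":
            if sk not in self.fired_once:          # one alert per key, then silence
                self.fired_once.add(sk)
                self.output.append(("alert", ev.t, sk))
        elif self.summary_mode == "summarize":
            start, suppressed = self.summaries.get(sk, (None, 0))
            if start is None or ev.t - start >= self.summary_interval:
                self._flush_key(sk)                # close the previous interval first
                self.summaries[sk] = (ev.t, 0)     # first alert of an interval is sent as-is
                self.output.append(("alert", ev.t, sk))
            else:
                self.summaries[sk] = (start, suppressed + 1)   # counted, not sent
        else:
            raise ValueError("unsupported summary mode: " + self.summary_mode)

    def _flush_key(self, sk: tuple) -> None:
        start, suppressed = self.summaries.pop(sk, (None, 0))
        if start is not None and suppressed:
            self.output.append(("summary", start + self.summary_interval, sk, suppressed))

    def flush(self) -> List[tuple]:
        """Emit the summary alert for every open interval (end of trace)."""
        for sk in list(self.summaries):
            self._flush_key(sk)
        return self.output


def sample_events() -> List[Event]:
    """Constructed trace, not real sensor data: one noisy attacker and two quieter ones."""
    evs = [Event(t, "10.0.0.5", 40000 + t, "192.168.1.10", 80) for t in range(12)]
    evs += [Event(t, "10.0.0.6", 41000 + t, "192.168.1.10", 80) for t in (0, 2, 4)]
    evs += [Event(t, "10.0.0.7", 42000 + t, "192.168.1.11", 22) for t in (0, 1, 2, 3, 100)]
    return sorted(evs, key=lambda e: (e.t, e.src))


def run_trace(**config) -> List[tuple]:
    sig = SignatureAlerting(**config)
    for ev in sample_events():
        sig.observe(ev)
    return sig.flush()


if __name__ == "__main__":
    print(*run_trace(event_count=5, alert_interval=60), sep="\n")
    print(*run_trace(summary_mode="summarize"), sep="\n")
```

With Event Count 5 keyed on the attacker address and a 60-second Alert Interval, the 12 hits from 10.0.0.5 produce two alerts (on the fifth and tenth hit), while the four hits from 10.0.0.7 followed by one hit 97 seconds later produce none, because the expired interval resets the counter. With Event Count 1 and Summarize, the same trace yields one alert per attacker per 15-second Summary Interval plus a summary alert carrying the number of suppressed hits, which is the behaviour to expect on a sensor before deciding whether a noisy signature should be tuned by count or by summarization.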
Engine Options
The following list identifies the engines, for both IPS and IOS IPS, that you can specify in the Engine field of the Edit Signature Parameters dialog box:
•
atomic-ip—Inspects IP protocol packets and associated Layer-4 transport protocols. For option detail, see Atomic IP Engine Options
•
multi-string—Defines signatures that inspect Layer 4 transport protocol (ICMP, TCP, and UDP) payloads using multiple string matches for one signature. You can specify a series of regular expression patterns that must be matched to fire the signature. For option detail, see Multi-String Engine Options
•
normalizer—Configures how the IP and TCP normalizer functions and provides configuration for signature events related to the IP and TCP normalizer. Allows you to enforce RFC compliance. For option detail, see Normalizer Engine Options
•
service-dns—Inspects DNS (TCP and UDP) traffic. For option detail, see Service DNS Engine Options
•
service-ftp—Inspects FTP traffic. For option detail, see Service FTP Engine Options
•
service-http—Inspects HTTP traffic. The WEBPORTS variable defines inspection port for HTTP traffic. For option detail, see HTTP Service Engine Options
•
service-rpc—Inspects RPC traffic. For option detail, see RPC Service Engine Options
•
state—Stateful searches of strings in protocols such as SMTP. For option detail, see STATE Engine Options
•
string-icmp—Searches on Regex strings based on ICMP protocol. For option detail, see String ICMP Engine Options
•
string-tcp—Searches on Regex strings based on TCP protocol. For option detail, see String TCP Engine Options
•
string-udp—Searches on Regex strings based on UDP protocol. For option detail, see String UDP Engine Options
Atomic IP Engine Options
Table N-9 lists the parameters that are specific to the Atomic IP engine.
Table N-9 Atomic IP Engine Parameters
Parameter
|
Description
|
Fragment Status
|
Specifies whether or not fragments are wanted.
|
Specify Layer 4 Protocol
|
Specifies Layer 4 protocol.
|
Specify IP Payload Length
|
Specifies IP datagram payload length.
|
Specify IP Header Length
|
Specifies IP datagram header length.
|
Specify IP Type of Service
|
Specifies the IP type of service (ToS) value.
|
Specify IP Time-to-Live
|
Specifies time to live.
|
Specify IP Version
|
Specifies IP protocol version.
|
Specify IP Identifier
|
Specifies IP identifier.
|
Specify IP Total Length
|
Specifies IP datagram total length.
|
Specify IP Option Inspection
|
Specifies IP options inspection.
|
Specify IP Addr Options
|
Specifies IP addresses.
|
Multi-String Engine Options
The Multi String engine lets you define signatures that inspect Layer 4 transport protocol (ICMP, TCP, and UDP) payloads using multiple string matches for one signature. You can specify a series of regular expression patterns that must be matched to fire the signature. For example, you can define a signature that looks for regex 1 followed by regex 2 on a UDP service. For UDP and TCP you can specify port numbers and direction. You can specify a single source port, a single destination port, or both ports. The string matching takes place in both directions.
Use the Multi String engine when you need to specify more than one regex pattern. Otherwise, you can use the String ICMP, String TCP, or String UDP engine to specify a single Regex pattern for one of those protocols.
Table N-10 lists the parameters specific to the Multi String Engine.
Table N-10 Multi String Engine Parameters
Parameter
|
Description
|
Value
|
Inspect Length
|
Length of stream or packet that must contain all offending strings for the signature to fire.
|
0 to 4294967295
|
Protocol
|
Layer 4 protocol selection.
|
Icmp | Tcp | Udp
|
Regex Component
|
List of regex components:
• Regex String—The string to search for.
• Spacing Type—Type of spacing required from the match before or from the beginning of the stream/packet if it is the first entry in the list.
|
Regex Component: list (1 to 16 items); Spacing Type: exact | minimum
|
Port Selection
|
Type of TCP or UDP port to inspect. Only displays if TCP or UDP is selected in the Protocol field.
|
Both Ports | Destination | Source
|
Source Ports
|
Specifies a range of source ports.
|
0 to 65535
|
Dest Ports
|
Specifies a range of destination ports.
|
0 to 65535
|
Exact Spacing
|
Exact number of bytes that must be between this regex string and the one before, or from the beginning of the stream/packet if it is the first entry in the list.
|
0 to 4294967296
|
Minimum Spacing
|
Minimum number of bytes that must be between this regex string and the one before, or from the beginning of the stream/packet if it is the first entry in the list.
|
0 to 4294967296
|
Swap Attacker Victim
|
Yes swaps the source and destination addresses (and ports) in the alert message, so that the responder is reported as the attacker. No (the default) leaves them as observed.
|
Yes | No
|

Caution
The Multi String engine can have a significant impact on memory usage.
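As an added example, not code from this guide or from the IPS product, the following Python matcher implements the ordered multi-regex search with Exact Spacing and Minimum Spacing, the Inspect Length window and the Port Selection logic described above. The three-component signature, the port 21 destination and the payloads are constructed for illustration and are not a Cisco signature; the field names mirror the table so the parameters can be read across.

```python
"""Multi String engine matching (constructed example, not Cisco code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class RegexComponent:
    regex: bytes        # Regex String
    spacing_type: str   # Spacing Type: "exact" or "minimum"
    spacing: int = 0    # Exact Spacing / Minimum Spacing, in bytes


@dataclass
class MultiStringSig:
    components: List[RegexComponent]       # 1 to 16 entries, matched in order
    inspect_length: int = 0                # Inspect Length; 0 means the whole stream/packet
    protocol: str = "tcp"                  # Protocol: "icmp", "tcp" or "udp"
    port_selection: str = "destination"    # Port Selection: "source", "destination", "both"
    src_ports: range = range(0, 65536)     # Source Ports
    dst_ports: range = range(0, 65536)     # Dest Ports

    def __post_init__(self) -> None:
        if not 1 <= len(self.components) <= 16:
            raise ValueError("a Multi String signature takes 1 to 16 regex components")
        self._compiled = [re.compile(c.regex, re.DOTALL) for c in self.components]

    def ports_match(self, sport: int, dport: int) -> bool:
        if self.protocol == "icmp":        # ICMP has no ports to select on
            return True
        src_ok, dst_ok = sport in self.src_ports, dport in self.dst_ports
        return {"source": src_ok, "destination": dst_ok, "both": src_ok and dst_ok}[self.port_selection]

    def match(self, data: bytes) -> Optional[List[Tuple[int, int]]]:
        """Return the (start, end) span of every component, or None if the signature does not fire."""
        window = data if self.inspect_length == 0 else data[:self.inspect_length]
        pos, spans = 0, []
        for comp, pat in zip(self.components, self._compiled):
            start = pos + comp.spacing          # measured from the previous match end, or the stream start
            if comp.spacing_type == "exact":
                m = pat.match(window, start)    # must begin exactly at start
            elif comp.spacing_type == "minimum":
                m = pat.search(window, start)   # may begin at start or anywhere after it
            else:
                raise ValueError("spacing type must be 'exact' or 'minimum'")
            if m is None:
                return None                     # every component must match, in order
            spans.append((m.start(), m.end()))
            pos = m.end()
        return spans


def fires(sig: MultiStringSig, sport: int, dport: int, payload: bytes) -> bool:
    return sig.ports_match(sport, dport) and sig.match(payload) is not None


# Hypothetical signature: a command-style login whose second field is overlong.
SIG = MultiStringSig(
    components=[
        RegexComponent(rb"USER ", "exact", 0),            # must be the very first bytes of the stream
        RegexComponent(rb"\r\nPASS ", "minimum", 1),      # at least one byte of user name before it
        RegexComponent(rb"[^\r\n]{200}", "minimum", 0),   # 200 bytes without a line break
    ],
    inspect_length=1024,
    dst_ports=range(21, 22),
)

# Constructed payloads (not captured traffic).
ATTACK = b"USER anonymous\r\nPASS " + b"A" * 300 + b"\r\n"
BENIGN = b"USER anonymous\r\nPASS guest\r\n"
SHIFTED = b" " + ATTACK     # one leading byte: the exact-spacing first component no longer matches

if __name__ == "__main__":
    print(fires(SIG, 51000, 21, ATTACK), fires(SIG, 51000, 21, BENIGN), fires(SIG, 51000, 21, SHIFTED))
```

The SHIFTED case is the caveat to remember when choosing exact spacing: a single extra byte anywhere before the component defeats the match, which is why exact spacing belongs on fixed-layout headers and minimum spacing on free-form text. Lowering Inspect Length below the size the last component needs also silently prevents the signature from firing, which is the trade-off behind the memory caution above.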
Normalizer Engine Options
Table N-11 lists the parameters that are specific to the Normalizer engine.
Table N-11 Normalizer Engine Parameters
Parameter
|
Description
|
Specify Service Ports
|
(Optional) Enables service ports.
|
Specify TCP Max MSS
|
(Optional) Enables the TCP maximum segment size (MSS).
|
Specify TCP Min MSS
|
(Optional) Enables the TCP minimum segment size (MSS).
|
Specify TCP Option Number
|
(Optional) Enables TCP option number.
|
Specify TCP Max Queue
|
(Optional) Enables TCP maximum queue.
|
Specify TCP Closed Timeout
|
(Optional) Enables TCP closed timeout.
|
Specify TCP Embryonic Timeout
|
(Optional) Enables TCP embryonic timeout.
|
Specify TCP Idle Timeout
|
(Optional) Enables TCP idle timeout.
|
Specify Fragment Reassembly Timeout
|
(Optional) Enables fragment reassembly timeout.
|
Specify Max Fragments per Datagram
|
(Optional) Enables maximum fragments per datagram.
|
Specify Max Small Frags
|
(Optional) Enables maximum small fragments.
|
Specify Min Fragment Size
|
(Optional) Enables minimum fragment size.
|
Specify Max Partial Datagrams
|
(Optional) Enables maximum partial datagrams.
|
Specify Max Datagram Size
|
(Optional) Enables maximum datagram size.
|
Specify Max Fragments
|
(Optional) Enables maximum fragments.
|
Specify Max Last Fragments
|
(Optional) Enables maximum last fragments.
|
Specify Hijack Max Old Ack
|
(Optional) Enables hijack-max-old-ack.
|
Specify SYN Flood Max Embryonic
|
(Optional) Enables SYN flood maximum embryonic.
|
Service DNS Engine Options
The Service DNS engine specializes in advanced DNS decode, which includes anti-evasive techniques, such as following multiple jumps. It has many parameters such as lengths, opcodes, strings, and so forth. The Service DNS engine is a biprotocol inspector operating on both TCP and UDP port 53. It uses the stream for TCP and the quad for UDP.
Table N-12 lists the parameters specific to the Service DNS engine.
Table N-12 Service DNS Engine Parameters
Parameter
|
Description
|
Value
|
Protocol
|
Protocol of interest for this inspector.
|
TCP UDP
|
Specify Query Type
|
(Optional) Enables the query type:
• Query Type—DNS Query Type 2 Byte Value
|
0 to 65535
|
Specify Query Opcode
|
(Optional) Enables query opcode:
• Query Opcode—DNS Query Opcode 1 byte Value
|
0 to 65535
|
Specify Query Record Data Length
|
(Optional) Enables the query record data length:
• Query Record Data Length—DNS Response Record Data Length
|
0 to 65535
|
Specify Query Record Data Invalid
|
(Optional) Enables query record data invalid:
• Query Record Data Invalid—DNS Record Data incomplete
|
Yes | No
|
Specify Query Src Port 53
|
(Optional) Enables the query source port 53:
• Query Src Port 53—DNS packet source port 53
|
Yes | No
|
Specify Query Value
|
(Optional) Enables the query value:
• Query Value—Query 0 Response 1
|
Yes | No
|
Specify Query Stream Length
|
(Optional) Enables the query stream length:
• Query Stream Length—DNS Packet Length
|
0 to 65535
|
Specify Query Jump Count Exceeded
|
(Optional) Enables query jump count exceeded:
• Query Jump Count Exceeded—DNS compression counter
|
Yes | No
|
Specify Query Invalid Domain Name
|
(Optional) Enables query invalid domain name:
• Query Invalid Domain Name—DNS Query Length greater than 255
|
Yes | No
|
Specify Query Class
|
(Optional) Enables the query class:
• Query Class—DNS Query Class 2 Byte Value
|
0 to 65535
|
Specify Query Chaos String
|
(Optional) Enables the DNS Query Class Chaos String.
|
query-chaos-string
|
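As an added illustration (not Cisco code), a decoder for the DNS question name that produces the Service DNS observations listed above: it follows compression pointers, stops on a jump count that is exceeded or a pointer loop, flags a name longer than 255 bytes as an invalid domain name, and reports the query value, opcode, type, class, stream length and whether the source port is 53. The jump limit of 8 and the sample messages are assumptions.

```python
import struct

MAX_JUMPS = 8          # assumed limit; the page does not give the engine's counter
MAX_NAME_LEN = 255     # page: a DNS query name longer than 255 is invalid


def decode_name(msg: bytes, offset: int, max_jumps: int = MAX_JUMPS):
    """Decode the name at `offset`, following compression pointers.

    Returns (name, next_offset, findings). next_offset is where the name ends
    in the original byte stream (after the first pointer, if any), so a caller
    can keep parsing; findings is a set drawn from 'jump-count-exceeded',
    'invalid-domain-name' and 'truncated'.
    """
    labels, findings, seen = [], set(), set()
    jumps, wire_len, end = 0, 1, None          # wire_len counts the root terminator
    while True:
        if offset >= len(msg):
            findings.add("truncated")
            break
        length = msg[offset]
        if length & 0xC0 == 0xC0:              # two-byte compression pointer
            if offset + 1 >= len(msg):
                findings.add("truncated")
                break
            if end is None:
                end = offset + 2               # un-jumped stream resumes here
            jumps += 1
            if jumps > max_jumps or offset in seen:   # too many hops, or a loop
                findings.add("jump-count-exceeded")
                break
            seen.add(offset)
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:                        # root label ends the name
            break
        label = msg[offset:offset + length]
        if len(label) < length:
            findings.add("truncated")
            break
        labels.append(label.decode("ascii", "replace"))
        wire_len += length + 1                 # length byte plus label bytes
        offset += length
    if wire_len > MAX_NAME_LEN:
        findings.add("invalid-domain-name")
    return ".".join(labels), end if end is not None else offset, findings


def inspect_query(packet: bytes, src_port: int) -> dict:
    """Pull the header fields and first question out of a DNS message and
    return them under the Service DNS parameter names used in the table."""
    if len(packet) < 12:
        return {"findings": ["truncated"]}
    flags, qdcount = struct.unpack("!HH", packet[2:6])
    name, off, findings = decode_name(packet, 12)
    qtype = qclass = None
    if qdcount and off + 4 <= len(packet):
        qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    elif qdcount:
        findings.add("truncated")
    return {
        "query_value": flags >> 15,            # 0 = query, 1 = response
        "query_opcode": (flags >> 11) & 0xF,
        "query_type": qtype,
        "query_class": qclass,
        "query_src_port_53": src_port == 53,
        "query_stream_length": len(packet),
        "name": name,
        "findings": sorted(findings),
    }


def build_query(name: str, qtype: int = 1, qclass: int = 1) -> bytes:
    """Constructed test input: a minimal one-question DNS query (QR=0, RD set)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    wire = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    return header + wire + struct.pack("!HH", qtype, qclass)


# Constructed: the question name is a pointer back to itself (offset 12), the
# kind of compression loop the jump counter is there to stop.
LOOPED_QUERY = (struct.pack("!HHHHHH", 0x1234, 0, 1, 0, 0, 0)
                + b"\xC0\x0C" + struct.pack("!HH", 1, 1))

if __name__ == "__main__":
    print(inspect_query(build_query("www.example.com"), 4321))
    print(inspect_query(LOOPED_QUERY, 53))
```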
Service FTP Engine Options
The Service FTP engine specializes in FTP port command decode, trapping invalid port commands and the PASV port spoof. It fills in the gaps when the String engine is not appropriate for detection. The parameters are Boolean and map to the various error trap conditions in the port command decode. The Service FTP engine runs on TCP ports 20 and 21. Port 20 carries data, and the Service FTP engine does not inspect it; the engine inspects the control transactions on port 21.
Table N-13 lists the parameters that are specific to the Service FTP engine.
Table N-13 Service FTP Engine Parameters
Parameter
|
Description
|
Value
|
Direction
|
Direction of traffic:
• Traffic from service port destined to client port
• Traffic from client port destined to service port
|
From Service To Service
|
Service Ports
|
A comma-separated list of ports or port ranges where the target service resides.
|
0 to 65535
|
Swap Attacker Victim
|
Yes if address (and ports) source and destination are swapped in the alert message. No for no swap (default).
|
Yes | No
|
FTP Inspection Type
|
Type of inspection to perform:
• Looks for an invalid address in the FTP port command
• Looks for an invalid port in the FTP port command
• Looks for the PASV port spoof
|
Invalid Address in PORT Command Invalid Port in PORT Command PASV Port Spoof
|
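As an added illustration (not Cisco code), a decoder for the control-channel messages behind the three FTP Inspection Type values above. It assumes that an invalid address is a PORT command naming an address other than the client's own, that an invalid port is an octet above 255 or a data port below 1024, and that a PASV port spoof is a 227 reply advertising an address other than the server's own; the sample lines are constructed.

```python
import re

# h1,h2,h3,h4,p1,p2 as carried by a client PORT command or a server 227 reply
HOSTPORT = r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)"
PORT_RE = re.compile(r"^PORT\s+" + HOSTPORT + r"\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\b.*?\(" + HOSTPORT + r"\)")


def decode_hostport(fields):
    """Turn the six decimal fields into (ip, port); None when an octet exceeds 255."""
    octets = [int(f) for f in fields]
    if any(o > 255 for o in octets):
        return None
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]


def inspect_port_command(line: str, client_ip: str) -> set:
    """Trap conditions raised by a client PORT command (empty set if clean)."""
    m = PORT_RE.match(line.strip())
    if not m:
        return set()                     # not a PORT command: nothing to decode
    decoded = decode_hostport(m.groups())
    if decoded is None:
        return {"invalid-port-in-PORT-command"}
    ip, port = decoded
    findings = set()
    if ip != client_ip:                  # data channel steered at a third party
        findings.add("invalid-address-in-PORT-command")
    if port < 1024:                      # assumption: 0 or a privileged port is invalid
        findings.add("invalid-port-in-PORT-command")
    return findings


def inspect_pasv_reply(line: str, server_ip: str) -> set:
    """Trap condition for a 227 reply whose address is not the server's own."""
    m = PASV_RE.match(line.strip())
    if not m:
        return set()
    decoded = decode_hostport(m.groups())
    if decoded is None or decoded[0] != server_ip or decoded[1] < 1024:
        return {"PASV-port-spoof"}
    return set()


if __name__ == "__main__":
    # Constructed control-channel lines from a client at 10.0.0.5 and a server at 192.168.1.10
    for line in ("PORT 10,0,0,5,4,1", "PORT 10,0,0,99,4,1", "PORT 10,0,0,5,0,21"):
        print(line, "->", inspect_port_command(line, "10.0.0.5"))
    reply = "227 Entering Passive Mode (192,168,1,77,19,136)."
    print(reply, "->", inspect_pasv_reply(reply, "192.168.1.10"))
```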
HTTP Service Engine Options
Table N-14 lists the parameters specific to the Service HTTP engine.
Table N-14 Service HTTP Engine Parameters
Parameter
|
Description
|
Value
|
De Obfuscate
|
Applies anti-evasive deobfuscation before searching.
|
Yes | No
|
Max Field Sizes
|
Maximum field sizes grouping.
|
—
|
Specify Max URI Field Length
|
(Optional) Enables the maximum URI field length:
• Max URI Field Length—Maximum length of the URI field.
|
0 to 65535
|
Specify Max Arg Field Length
|
(Optional) Enables maximum argument field length:
• Max Arg Field Length—Maximum length of the arguments field.
|
0 to 65535
|
Specify Max Header Field Length
|
(Optional) Enables maximum header field length:
• Max Header Field Length—Maximum length of the header field.
|
0 to 65535
|
Specify Max Request Length
|
(Optional) Enables maximum request field length:
• Max Request Length—Maximum length of the request field.
|
0 to 65535
|
Regex
|
Regular expression grouping.
|
—
|
Specify URI Regex
|
(Optional) Regular expression to search in HTTP URI field. The URI field is defined to be after the HTTP method (GET, for example) and before the first CRLF. The regular expression is protected, which means you cannot change the value.
|
[/\\][a-zA-Z][a-zA-Z][a-zA-Z][a-zA-Z][a-zA-Z][a-zA-Z][a-zA-Z][.]jpeg
|
Specify Arg Name Regex
|
(Optional) Enables searching the Arguments field for a specific regular expression:
• Arg Name Regex—Regular expression to search for in the HTTP Arguments field (after the ? and in the Entity body as defined by Content-Length).
|
—
|
Specify Header Regex
|
(Optional) Enables searching the Header field for a specific regular expression:
• Header Regex—Regular Expression to search in the HTTP Header field. The Header is defined after the first CRLF and continues until CRLFCRLF.
|
—
|
Specify Request Regex
|
(Optional) Enables searching the Request field for a specific regular expression:
• Request Regex—Regular expression to search in both HTTP URI and HTTP Argument fields.
• Specify Min Request Match Length—Enables setting a minimum request match length.
|
0 to 65535
|
Service Ports
|
A comma-separated list of ports or port ranges where the target service resides.
|
0 to 65535
|
Swap Attacker Victim
|
Yes if address (and ports) source and destination are swapped in the alert message. No for no swap (default).
|
Yes | No
|
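As an added illustration (not Cisco code), a request splitter that carves out the URI, Arguments and Header fields as the table defines them and then applies the Max Field Sizes group and the page's protected URI regex, with de-obfuscation applied first. The limits, the percent-decoding and path-collapsing used for de-obfuscation, the treatment of the "request" field as URI plus arguments, and the sample request are assumptions; the page does not document the engine's own transforms.

```python
import re
from urllib.parse import unquote

# The page's protected URI regex, used here as the example pattern
URI_REGEX = r"[/\\][a-zA-Z][a-zA-Z][a-zA-Z][a-zA-Z][a-zA-Z][a-zA-Z][a-zA-Z][.]jpeg"
# Constructed limits for the Max Field Sizes group (not the engine's defaults)
LIMITS = {"uri": 2048, "args": 1024, "header": 4096, "request": 8192}


def deobfuscate(text: str, rounds: int = 2) -> str:
    """Percent-decode (twice, so %252e becomes '.') and collapse '/./' and '//',
    so that a pattern cannot be hidden behind encoding before the regex runs."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    text = re.sub(r"/\./", "/", text)
    return re.sub(r"/{2,}", "/", text)


def split_request(raw: bytes) -> dict:
    """Split a request into the fields the table describes: URI after the method
    (the version token is dropped here), Header after the first CRLF up to
    CRLFCRLF, Arguments after '?' plus the entity body sized by Content-Length."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header = head.partition(b"\r\n")
    method, _, rest = request_line.partition(b" ")
    uri = rest.split(b" ")[0]
    args = uri.split(b"?", 1)[1] if b"?" in uri else b""
    m = re.search(rb"(?im)^content-length:\s*(\d+)\s*$", header)
    body = body[:int(m.group(1))] if m else b""
    if body:
        args = args + b"&" + body if args else body
    return {k: v.decode("latin-1") for k, v in
            (("method", method), ("uri", uri), ("args", args), ("header", header))}


def inspect_request(raw: bytes, limits=LIMITS, uri_regex=URI_REGEX, de_obfuscate=True):
    """Apply the Max Field Sizes and URI Regex checks; returns a list of findings."""
    fields = split_request(raw)
    if de_obfuscate:
        fields = {k: deobfuscate(v) for k, v in fields.items()}
    findings = []
    for name, finding in (("uri", "max-uri-field-length"),
                          ("args", "max-arg-field-length"),
                          ("header", "max-header-field-length")):
        if len(fields[name]) > limits[name]:
            findings.append(finding)
    # assumption: the request field is the URI plus the argument field, the same
    # span the page says Request Regex searches
    if len(fields["uri"]) + len(fields["args"]) > limits["request"]:
        findings.append("max-request-length")
    if uri_regex and re.search(uri_regex, fields["uri"]):
        findings.append("uri-regex-match")
    return findings


# Constructed request: the '.jpeg' in the URI is hidden by double percent-encoding
SAMPLE = (b"POST /abcdefg%252ejpeg?id=1 HTTP/1.1\r\n"
          b"Host: www.example.com\r\n"
          b"Content-Length: 4\r\n"
          b"\r\n"
          b"a=bc")

if __name__ == "__main__":
    print(split_request(SAMPLE))
    print("with de-obfuscation:", inspect_request(SAMPLE))
    print("without:", inspect_request(SAMPLE, de_obfuscate=False))
```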
RPC Service Engine Options
Table N-15 lists the parameters specific to the Service RPC engine.
Table N-15 Service RPC Engine Parameters
Parameter
|
Description
|
Value
|
Direction
|
Direction of traffic:
• Traffic from service port destined to client port.
• Traffic from client port destined to service port.
|
From Service To Service
|
Protocol
|
Protocol of interest.
|
TCP UDP
|
Service Ports
|
A comma-separated list of ports or port ranges where the target service resides.
|
0 to 65535
|
Specify Regex String
|
Enables regex fields:
• Specify Exact Match Offset
• Regex String
• Specify Min Match Length
|
Yes | No
|
Specify Exact Match Offset
|
(Optional) Enables exact match offset:
• Exact Match Offset—The exact stream offset the regular expression string must report for a match to be valid.
|
0 to 65535
|
Regex String
|
The string to search for.
|
—
|
Specify Min Match Length
|
(Optional) Enables minimum match length:
• Min Match Length—Minimum number of bytes the regular expression string must match.
|
0 to 65535
|
Specify Port Map Program
|
(Optional) Enables the portmapper program:
• Port Map Program—The program number sent to the portmapper for this signature.
|
0 to 9999999999
|
Specify RPC Program
|
(Optional) Enables RPC program:
• RPC Program—RPC program number for this signature.
|
0 to 1000000
|
Specify Spoof Src
|
(Optional) Enables the spoof source address:
• Spoof Src—Fires an alert when the source address is 127.0.0.1.
|
true | false
|
Specify RPC Max Length
|
(Optional) Enables RPC maximum length:
• RPC Max Length—Maximum allowed length of the entire RPC message. Lengths longer than what you specify fire an alert.
|
0 to 65535
|
Specify RPC Procedure
|
(Optional) Enables RPC procedure:
• RPC Procedure—RPC procedure number for this signature.
|
0 to 1000000
|
STATE Engine Options
Table N-16 lists the parameters specific to the State engine.
Table N-16 State Engine Parameters
Parameter
|
Description
|
Value
|
State Machine
|
State machine grouping.
|
—
|
Specify Min Match Length
|
(Optional) Enables minimum match length:
• Min Match Length—Minimum number of bytes the regular expression string must match.
|
0 to 65535
|
SMTP
|
Specifies the state machine for the SMTP protocol:
• State Name—Name of the state required before the signature fires an alert:
– Abort state to end LPR Format String inspection
– Mail body state
– Mail header state
– SMTP commands state
– Start state
|
abort mail-body mail-header smtp-commands start
|
Regex String
|
The string to search for.
|
—
|
Direction
|
Direction of the traffic:
• Traffic from service port destined to client port.
• Traffic from client port destined to service port.
|
From Service To Service
|
Service Ports
|
A comma-separated list of ports or port ranges where the target service resides.
|
0 to 65535
|
Swap Attacker Victim
|
Yes if address (and ports) source and destination are swapped in the alert message. No for no swap (default).
|
Yes | No
|
Specify Exact Match Offset
|
(Optional) Enables exact match offset:
• Specify Max Match Offset/Specify Min Match Offset—The exact stream offset the regular expression string must report for a match to be valid.
|
0 to 65535
|
String ICMP Engine Options
Table N-17 lists the parameters specific to the String ICMP engine.
Table N-17 String ICMP Engine Parameters
Parameter
|
Description
|
Value
|
Specify Min Match Length
|
(Optional) Enables minimum match length:
• Min Match Length—Minimum number of bytes the regular expression string must match.
|
0 to 65535
|
Regex String
|
The string to search for.
|
—
|
Direction
|
Direction of the traffic:
• Traffic from service port destined to client port.
• Traffic from client port destined to service port.
|
From Service To Service
|
ICMP Type
|
ICMP header TYPE value.
|
0 to 18
|
Swap Attacker Victim
|
Yes if address (and ports) source and destination are swapped in the alert message. No for no swap (default).
|
Yes | No
|
Specify Exact Match Offset
|
(Optional) Enables exact match offset:
• Specify Max Match Offset/Specify Min Match Offset—The exact stream offset the regular expression string must report for a match to be valid.
|
0 to 65535
|
String TCP Engine Options
Table N-18 lists the parameters specific to the String TCP engine.
Table N-18 String TCP Engine
Parameter
|
Description
|
Value
|
Strip Telnet Options
|
Strips the Telnet option characters from the data before the pattern is searched.
|
Yes | No
|
Specify Min Match Length
|
(Optional) Enables minimum match length:
• Min Match Length—Minimum number of bytes the regular expression string must match.
|
0 to 65535
|
Regex String
|
The string to search for.
|
—
|
Service Ports
|
A comma-separated list of ports or port ranges where the target service resides.
|
0 to 65535
|
Direction
|
Direction of the traffic:
• Traffic from service port destined to client port.
• Traffic from client port destined to service port.
|
From Service To Service
|
Specify Exact Match Offset
|
(Optional) Enables exact match offset:
• Specify Max Match Offset/Specify Min Match Offset—The exact stream offset the regular expression string must report for a match to be valid.
|
0 to 65535
|
Swap Attacker Victim
|
Yes if address (and ports) source and destination are swapped in the alert message. No for no swap (default).
|
Yes | No
|
String UDP Engine Options
Table N-19 lists the parameters specific to the String UDP engine.
Table N-19 String UDP Engine
Parameter
|
Description
|
Value
|
Specify Min Match Length
|
(Optional) Enables minimum match length:
• Min Match Length—Minimum number of bytes the regular expression string must match.
|
0 to 65535
|
Regex String
|
The string to search for.
|
—
|
Service Ports
|
A comma-separated list of ports or port ranges where the target service resides.
|
0 to 65535
|
Direction
|
Direction of the traffic:
• Traffic from service port destined to client port.
• Traffic from client port destined to service port.
|
From Service To Service
|
Swap Attacker Victim
|
Yes if address (and ports) source and destination are swapped in the alert message. No for no swap (default).
|
Yes | No
|
Specify Exact Match Offset
|
(Optional) Enables exact match offset:
• Specify Max Match Offset/Specify Min Match Offset—The exact stream offset the regular expression string must report for a match to be valid.
|
0 to 65535
|
Edit Signature Parameter—Component List Dialog Box
Use the Edit Signature Parameter—Component List dialog box to edit the component list for the meta engine.
Navigation Path
•
(Device view) Select IPS > Signatures > Signatures from the Policy selector. Right-click a row containing a signature that uses the meta engine, and then click Edit Row in the shortcut menu that appears. Click Edit Parameters. In the Edit Signature Parameters dialog box, click List in the Value column.
Add Signature Parameter—List Entry Dialog Box
Use the Add Signature Parameter—List Entry dialog box to add components of the meta engine.
Edit Signature Parameter—List Entry Dialog Box
Use the Edit Signature Parameter—List Entry dialog box to edit components of the meta engine.
Obsoletes Dialog Box
Use the Obsoletes dialog box to identify obsolete signatures associated with a particular signature.
Add an Entry Dialog Box
Use the Add an Entry dialog box to add obsolete signatures associated with a particular signature.
Settings Page
Use the Settings page to define application policy (enable HTTP, maximum number of HTTP requests, AIC web ports, and enable FTP), fragment reassembly policy, stream reassembly policy, and IP logging policy. These settings result in policies that can be shared but not inherited. When a new IPS device is added, it has a local policy that contains the default settings for all signatures.
Navigation Path
•
(Device view) Select IPS > Signatures > Settings from the Policy selector.
•
(Policy view) Select IPS > Signatures > Signature Settings from the Policy Type selector. Right-click Signature Settings to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•
Signature Policies
•
Accessing the Cisco NSDB
Field Reference
Table N-20 Settings Page
Element
|
Description
|
Enable HTTP
|
Enables protection for web services. Select Yes to require the sensor to inspect HTTP traffic for compliance with the RFC.
|
Max HTTP Requests
|
Specifies the maximum number of outstanding HTTP requests per connection.
|
AIC Web Ports
|
Specifies the variable for ports to look for AIC traffic.
|
Enable FTP
|
Enables protection for FTP services. Select Yes to require the sensor to inspect FTP traffic.
|
IP Reassembly Mode
|
Identifies the method the sensor uses to reassemble the fragments, based on the operating system.
|
TCP Handshake Required
|
Specifies that the sensor should only track sessions for which the three-way handshake is completed.
|
TCP Reassembly Mode
|
Specifies the mode the sensor should use to reassemble TCP sessions with the following options:
• Asymmetric—May only be seeing one direction of bidirectional traffic flow.
Note Asymmetric mode lets the sensor synchronize state with the flow and maintain inspection for those engines that do not require both directions. Asymmetric mode lowers security because full protection requires both sides of traffic to be seen.
• Strict—If a packet is missed for any reason, all packets after the missed packet are not processed.
• Loose—Use in environments where packets might be dropped.
|
Max IP Log Packets
|
Identifies the number of packets you want logged.
|
IP Log Time
|
Identifies the duration you want the sensor to log. A valid value is 1 to 60 seconds. The default is 30 seconds.
|
Max IP Log Bytes
|
Identifies the maximum number of bytes you want logged.
|
Save
|
Applies your changes and saves the revised configuration.
|
Anomaly Detection Page
Use the Anomaly Detection page to configure anomaly detection. The anomaly detection policy can be shared but not inherited.
The following tabs are available on the Anomaly Detection page:
•
Anomaly Detection Page > Operation Settings Tab
•
Anomaly Detection Page > Learning Accept Mode Tab
•
Anomaly Detection Page > Internal Zone, External Zone, and Illegal Zone Tabs
Navigation Path
•
(Device view) Select IPS > Anomaly Detection from the Policy selector.
Related Topics
•
Configuring Anomaly Detection, page 13-18
•
Explaining Anomaly Detection, page 13-18
•
Worm Viruses, page 13-19
•
Learning Mode, page 13-20
•
Anomaly Detection Zones, page 13-21
Anomaly Detection Page > Operation Settings Tab
Use the Operation Settings tab of the Anomaly Detection page to configure the worm timeout and the IP addresses that will be ignored during anomaly detection processing.
Navigation Path
(Device view) Select IPS > Anomaly Detection from the Policy selector. Click Operation Settings.
Related Topics
•
Configuring Anomaly Detection, page 13-18
•
Explaining Anomaly Detection, page 13-18
•
Worm Viruses, page 13-19
•
Learning Mode, page 13-20
•
Anomaly Detection Zones, page 13-21
•
Anomaly Detection Page > Learning Accept Mode Tab
•
Anomaly Detection Page > Internal Zone, External Zone, and Illegal Zone Tabs
Field Reference
Table N-21 Operation Settings Tab
Element
|
Description
|
Worm Timeout
|
The number of seconds you want to wait for a worm termination to time out. The range is 120 to 10,000,000 seconds. The default is 600 seconds.
|
Enabled Ignored Addresses
|
When selected, enables the lists of ignored source IP addresses and destination IP addresses. You must select the Enabled check box or none of the lists of ignored IP addresses you enter will be enabled.
|
Source Addresses to Ignore
|
The source IP address(es), or range(s) of source IP addresses, that you want the anomaly detection module to ignore. The valid form is 10.10.5.5,10.10.2.1-10.10.2.30.
|
Destination Addresses to Ignore
|
The destination IP address(es), or range(s) of destination IP addresses, that you want the anomaly detection module to ignore. The valid form is 10.10.5.5,10.10.2.1-10.10.2.30.
|
Save
|
Applies your changes and saves the revised configuration.
|
Anomaly Detection Page > Learning Accept Mode Tab
Use the Learning Accept Mode tab of the Anomaly Detection page to specify if and when the learning knowledge base in the anomaly detection module will be saved or loaded.
Navigation Path
(Device view) Select IPS > Anomaly Detection from the Policy selector. Click Learning Accept Mode.
Related Topics
•
Configuring Anomaly Detection, page 13-18
•
Explaining Anomaly Detection, page 13-18
•
Worm Viruses, page 13-19
•
Learning Mode, page 13-20
•
Anomaly Detection Zones, page 13-21
•
Anomaly Detection Page > Operation Settings Tab
•
Anomaly Detection Page > Internal Zone, External Zone, and Illegal Zone Tabs
Field Reference
Table N-22 Learning Accept Mode Tab
Element
|
Description
|
Automatically accept learning knowledge base
|
When selected, the anomaly detection module updates the knowledge base. When deselected, the anomaly detection module does not create a knowledge base. When you choose to automatically accept the learning knowledge base, you can specify the action, such as to only save the learned thresholds or to rotate (save and load) the learned thresholds automatically. You can also specify the time schedules upon which snapshots of the learning knowledge base will be taken and loaded. If you choose "Periodic Schedule," you need to specify the start time, which is the time to start the first learning knowledge base snapshot, and also the learning interval, which is the number of hours to wait between automatically performing learning knowledge base snapshots.
|
Action
|
Specifies whether to rotate or save the knowledge base:
• Save Only—Creates a new knowledge base. You can examine it and decide whether to load it into the anomaly detection module.
• Rotate—Creates a new knowledge base and loads it according to the schedule you choose.
|
Schedule
|
Allows you to choose Calendar Schedule or Periodic Schedule:
• Periodic Schedule—Allows you to configure the first learning snapshot time of day and the interval of the subsequent snapshots.
• Calendar Schedule—Allows you to configure the days and times of the day for the knowledge base to be created.
The default schedule is the periodic schedule in 24-hour format.
|
Times of Day
|
Appears when you select Calendar from the Schedule list. Allows you to configure the days and times of the day for the knowledge base to be created. The valid format is hh:mm:ss.
|
Days of the Week
|
Appears when you select Periodic from the Schedule list. Allows you to configure the days of the week.
|
Start Time
|
Appears when you select Calendar from the Schedule list. Specifies the time that you want the new knowledge base to start. The valid format is hh:mm:ss.
|
Learning Interval in hours
|
Appears when you select Periodic from the Schedule list. Specifies the time, in hours, that you want the anomaly detection module to learn from the network before creating a new knowledge base.
|
Times Of Day Dialog Box
Use the Times Of Day dialog box when using the Calendar Schedule selection, not the Periodic Schedule selection, on the Learning Accept Mode tab of the Anomaly Detection page. The Times Of Day dialog box appears as either Add Times Of Day or Modify Times Of Day.
In the Add appearance of the Times Of Day dialog box, add the clock hour times of day that you want anomaly detection to accept the learning knowledge base.
In the Modify appearance of the Times Of Day dialog box, modify the clock hour times of day that you want anomaly detection to accept the learning knowledge base.
Days Of Week Dialog Box
Use the Days of Week dialog box when using the Calendar Schedule selection, not the Periodic Schedule selection, on the Learning Accept Mode tab of the Anomaly Detection page. The Days Of Week dialog box appears as either Add Days Of Week or Modify Days Of Week.
In the Add appearance of the Days Of Week dialog box, add the days of the week that you want anomaly detection to accept the learning knowledge base.
In the Modify appearance of the Days Of Week dialog box, modify the days of the week that you want anomaly detection to accept the learning knowledge base.
Anomaly Detection Page > Internal Zone, External Zone, and Illegal Zone Tabs
The Anomaly Detection module divides the network into three zones, each represented by a unique tab:
•
Internal Zone Tab. The internal zone should represent your internal network. It should receive all the traffic that comes to your IP address range.
•
External Zone Tab. The external zone is the default zone with the default Internet range of 0.0.0.0-255.255.255.255. By default, the internal and illegal zones contain no IP addresses. Packets that do not match the set of IP addresses in the internal or illegal zone are handled by the external zone.
•
Illegal Zone Tab. The illegal zone should represent IP address ranges that should never be seen in normal traffic, for example, unallocated IP addresses or part of your internal IP address range that is unoccupied.
Each of these three zones has its own designated set of IP addresses.
The following tabs are available on each of the zone tabs:
•
General Sub-Tab
•
TCP Protocol Sub-Tab
•
UDP Protocol Sub-Tab
•
Other Protocols Sub-Tab
Navigation Path
•
(Device view) Select IPS > Anomaly Detection from the Policy selector. Click the Internal Zone tab.
•
(Device view) Select IPS > Anomaly Detection from the Policy selector. Click the Illegal Zone tab.
•
(Device view) Select IPS > Anomaly Detection from the Policy selector. Click the External Zone tab.
Related Topics
•
Configuring Anomaly Detection, page 13-18
•
Explaining Anomaly Detection, page 13-18
•
Worm Viruses, page 13-19
•
Learning Mode, page 13-20
•
Anomaly Detection Zones, page 13-21
•
Anomaly Detection Page > Operation Settings Tab
•
Anomaly Detection Page > Learning Accept Mode Tab
General Sub-Tab
Use the General Sub-tab to enable the selected zone. In the case of the Internal and External zone, you can also identify the Service Subnets of those zones.
Field Reference
Table N-23 General Sub-Tab
Element
|
Description
|
Enable this zone check box
|
If checked, enables the selected zone.
|
Service Subnets
|
(Visible on Internal and External Zones tabs only) Lets you enter the subnets that you want to apply to the selected zone.
The valid format is 10.10.5.5,10.10.2.1-10.10.2.30.
|
TCP Protocol Sub-Tab
Use the TCP Protocol Sub-tab to enter TCP Destination Port Maps and to configure threshold histogram properties.
Related Topics
•
Dest Port Map Dialog Box
•
Histogram Dialog Box
Field Reference
Table N-24 TCP Protocol Sub-Tab
Element
|
Description
|
Enabled check box
|
If checked, enables the selected zone.
|
Destination Port Map
|
(Visible on Internal and External Zones tabs only) Lets you enter the subnets that you want to apply to the selected zone.
The valid format is 10.10.5.5,10.10.2.1-10.10.2.30.
|
Scanner Threshold
|
Lets you set the scanner threshold.
The valid range is 5 to 1000. The default is 200.
|
Threshold Histogram
|
Displays the histograms that you added.
• Number of Destination IP Addresses—Displays the number of destination IP addresses that you added.
• Number of Source IP Addresses—Displays the number of source IP addresses that you added.
|
Dest Port Map Dialog Box
Use the Dest Port Map dialog box to add or modify destination ports for the selected protocol. The Dest Port Map dialog box appears as either Add Dest Port Map or Modify Dest Port Map.
Field Reference
Table N-25 Destination Port Dialog Box
Element
|
Description
|
Destination Port Number
|
Lets you enter the destination port number.
The valid range is 0 to 65535.
|
Enabled check box
|
If checked, enables the service.
|
Override Scanner Settings check box
|
If checked, overrides the default scanner settings and lets you add, edit, delete, and select all histograms.
|
Scanner Threshold
|
Lets you set the scanner threshold.
The valid range is 5 to 1000. The default is 200.
|
Threshold Histogram
|
Displays the histograms that you added.
• Number of Destination IP Addresses—Displays the number of destination IP addresses that you added.
• Number of Source IP Addresses—Displays the number of source IP addresses that you added.
|
Histogram Dialog Box
Use the Histogram dialog box if you want to override the scanner settings instead of using the default histograms. Use the Histogram dialog box if you want to modify a previously defined histogram for the selected protocol.
The knowledge base has a tree structure and contains the following information:
•
knowledge base name
•
Zone name
•
Protocol
•
Service
The knowledge base holds a scanner threshold and a histogram for each service. If you have learning accept mode set to auto and the action set to rotate, a new knowledge base is created every 24 hours and used in the next 24 hours. If you have learning accept mode set to auto and the action is set to save only, a new knowledge base is created, but the current knowledge base is used. If you do not have learning accept mode set to auto, no knowledge base is created. For more information, see Anomaly Detection Page > Learning Accept Mode Tab.
Note
Anomaly detection learning mode uses the sensor local time.
The scanner threshold defines the maximum number of zone IP addresses that a single source IP address can scan. The histogram threshold defines the maximum number of source IP addresses that can scan more than the specified numbers of zone IP addresses.
Anomaly detection identifies a worm attack when traffic deviates from the histogram it learned while no attack was in progress, that is, when the number of source IP addresses that concurrently scan more than a defined number of zone destination IP addresses exceeds the learned value. For example, assume the scanner threshold is 300 and the histogram for port 445 is the one in Table N-26. If anomaly detection identifies a scanner that scans 350 zone destination IP addresses, it produces an action indicating that a mass scanner was detected. However, a single scanner does not yet verify that a worm attack is in progress. Table N-26 describes this example.
Table N-26 Example Histogram
Number of source IP addresses | 10 | 5 | 2
Number of destination IP addresses | 5 | 20 | 100
When anomaly detection identifies six concurrent source IP addresses that scan more than 50 zone destination IP addresses on port 445, it produces an action with an unspecified source IP address that indicates anomaly detection has identified a worm attack on port 445. The dynamic filter threshold, 50, specifies the new internal scanning threshold and causes anomaly detection to lower the threshold definition of a scanner so that anomaly detection produces additional dynamic filters for each source IP address that scans more than the new scanning threshold (50).
You can override what the knowledge base learned per anomaly detection policy and per zone. If you understand your network traffic, you may want to use overrides to limit false positives.
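As an added illustration (not Cisco's implementation), the scanner-threshold and histogram logic described above run over constructed port 445 scan records: a lone mass scanner is reported as a scanner but not as a worm, while six hosts each probing 25 zone addresses exceed the "5 sources may scan more than 20" row of Table N-26, triggering the worm verdict and the lower dynamic threshold. The histogram values come from Table N-26 and the scanner threshold of 300 from the text; the traffic and the choice of the lowest exceeded row as the new threshold are assumptions.

```python
from collections import defaultdict

# Table N-26 as a knowledge-base histogram: destination-count bucket -> maximum
# number of source addresses allowed to scan more than that many zone addresses
HISTOGRAM_445 = {5: 10, 20: 5, 100: 2}
SCANNER_THRESHOLD = 300          # the scanner threshold used in the page's example


def count_destinations(scan_records):
    """scan_records: (src_ip, dst_ip) pairs observed on one zone port.
    Returns {src_ip: number of distinct zone destinations that source touched}."""
    seen = defaultdict(set)
    for src, dst in scan_records:
        seen[src].add(dst)
    return {src: len(dsts) for src, dsts in seen.items()}


def evaluate(dest_counts, scanner_threshold=SCANNER_THRESHOLD, histogram=HISTOGRAM_445):
    """Apply the scanner threshold and then the histogram rows.

    scanners:          sources scanning more destinations than the scanner threshold
                       (a mass scanner, which on its own is not a worm verdict)
    worm_detected:     some histogram row has more sources over its bucket than allowed
    dynamic_threshold: the bucket of the lowest exceeded row, used as the new,
                       lower scanner threshold (assumption)
    dynamic_filters:   every source scanning more destinations than that new threshold
    """
    result = {
        "scanners": sorted(s for s, n in dest_counts.items() if n > scanner_threshold),
        "worm_detected": False,
        "dynamic_threshold": None,
        "dynamic_filters": [],
    }
    for bucket, max_sources in sorted(histogram.items()):
        over = sorted(s for s, n in dest_counts.items() if n > bucket)
        if len(over) > max_sources:
            result.update(worm_detected=True, dynamic_threshold=bucket, dynamic_filters=over)
            break                    # lowest exceeded bucket gives the widest filter set
    return result


def mass_scanner_records():
    """Constructed: one host probing 350 zone addresses on port 445."""
    return [("10.9.9.9", f"10.1.{i // 256}.{i % 256}") for i in range(350)]


def worm_records():
    """Constructed: the mass scanner plus six hosts each probing 25 zone addresses,
    which exceeds the '5 sources may scan more than 20' row of Table N-26."""
    records = mass_scanner_records()
    for k in range(6):
        records += [(f"10.2.0.{k + 1}", f"10.1.5.{j}") for j in range(25)]
    return records


if __name__ == "__main__":
    print("mass scanner only:", evaluate(count_destinations(mass_scanner_records())))
    print("worm-like spread: ", evaluate(count_destinations(worm_records())))
```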
Related Topics
•
Learning Mode, page 13-20
•
TCP Protocol Sub-Tab
•
UDP Protocol Sub-Tab
•
Other Protocols Sub-Tab
•
Dest Port Map Dialog Box
•
Protocol Map Dialog Box
Field Reference
Table N-27 Histogram Dialog Box
Element
|
Description
|
Number of Destination IP Addresses
|
Lets you add a high, medium, or low number of destination IP addresses.
Low is 5 destination IP addresses, medium is 20, and high is 100.
|
Number of Source IP Addresses
|
Lets you add the number of source IP addresses.
The valid range is 0 to 4096.
|
UDP Protocol Sub-Tab
Use the UDP Protocol Sub-tab of the Internal Zone tab to enter UDP Destination Port Maps and to configure threshold histogram properties.
Related Topics
•
Dest Port Map Dialog Box
•
Histogram Dialog Box
Field Reference
Table N-28 UDP Protocol Sub-Tab
Element
|
Description
|
Enabled check box
|
If checked, enables the selected zone.
|
Destination Port Map
|
(Visible on Internal and External Zones tabs only) Lets you enter the subnets that you want to apply to the selected zone.
The valid format is 10.10.5.5,10.10.2.1-10.10.2.30.
|
Scanner Threshold
|
Lets you set the scanner threshold.
The valid range is 5 to 1000. The default is 200.
|
Threshold Histogram
|
Displays the histograms that you added.
• Number of Destination IP Addresses—Displays the number of destination IP addresses that you added.
• Number of Source IP Addresses—Displays the number of source IP addresses that you added.
|
Other Protocols Sub-Tab
Use the Other Protocols Sub-tab of the Internal Zone tab to enter protocol number maps for protocols other than TCP and UDP and to configure threshold histogram properties.
Related Topics
•
Dest Port Map Dialog Box
•
Histogram Dialog Box
Field Reference
Table N-29 Other Protocol Sub-Tab
Element
|
Description
|
Enabled check box
|
If checked, enables the selected zone.
|
Protocol Number Map
|
(Visible on Internal and External Zones tabs only) Lets you enter the subnets that you want to apply to the selected zone.
The valid format is 10.10.5.5,10.10.2.1-10.10.2.30.
|
Scanner Threshold
|
Lets you set the scanner threshold.
The valid range is 5 to 1000. The default is 200.
|
Threshold Histogram
|
Displays the histograms that you added.
• Number of Destination IP Addresses—Displays the number of destination IP addresses that you added.
• Number of Source IP Addresses—Displays the number of source IP addresses that you added.
|
Protocol Map Dialog Box
Use the Protocol Map dialog box to specify protocols other than TCP and UDP. You can either use the default thresholds or override the scanner settings and add your own thresholds and histograms. The Protocol Map dialog box appears as either Add Protocol Map or Modify Protocol Map.
Related Topics
•
Other Protocols Sub-Tab
•
Histogram Dialog Box
Field Reference
Table N-30 Protocol Map Dialog Box
Element
|
Description
|
Protocol Number
|
Lets you enter the protocol number.
The valid range is 0 to 255.
|
Enabled check box
|
If checked, enables the service.
|
Override Scanner Settings check box
|
If checked, overrides the default scanner settings and lets you add, edit, delete, and select all histograms.
|
Scanner Threshold
|
Lets you set the scanner threshold.
The valid range is 5 to 1000. The default is 200.
|
Threshold Histogram
|
Displays the histograms that you added.
• Number of Destination IP Addresses—Displays the number of destination IP addresses that you added.
• Number of Source IP Addresses—Displays the number of source IP addresses that you added.
|
Event Action Policies
The pages that you access from the Event Actions folder from the Policies selector in Device View enable you to configure event actions and related settings.
These topics describe the main pages available from the Event Actions folder:
• Event Action Filters Page
• Event Action Overrides Page
• Network Information Page
• Event Actions > Settings Page
Event Action Filters Page
Use the Event Action Filters page to remove specific actions from an event or to discard an entire event and prevent further processing by the sensor.
Navigation Path
(Device view) Select IPS > Event Actions > Event Action Filters from the Policy selector.
Related Topics
• Event Action Policies
• Filter Item Dialog Box
Field Reference
Table N-31 Event Action Filters Page
Element
|
Description
|
Name
|
Identifies the filter by unique name.
|
IDs
|
Identifies the signature.
|
Subs
|
Identifies the subsignature.
|
Attackers
|
Identifies the IP address (or range) of the attacking host that triggers the filter.
|
Attack Ports
|
Identifies the port used by the attacker host that triggers the filter.
|
Victims
|
Identifies the IP address targeted by the attacker host that triggers the filter.
|
Victim Ports
|
Identifies the port targeted by the attacker host that triggers the filter.
|
Actions
|
Indicates the actions removed from the event when the filter is triggered.
|
RR
|
Indicates the risk rating range that triggers this event action filter. For detailed information on risk rating, see Calculating the Risk Rating in Installing and Using Cisco Intrusion Prevention System Device Manager 6.0.
|
Stop
|
Identifies whether or not this event will be processed against remaining filters in the event action filters list.
|
Active
|
Identifies whether the filter is in the filter list.
|
Up Row button
|
Moves the selected row up in the table.
A first match rule order determines which filter is applied. If the conditions of an event match those defined for a filter, and the filter has the Stop field set to Yes, that filter is applied and no additional filters are considered. You should order the more restrictive rules before general rules in the table.
|
Down Row button
|
Moves the selected row down in the table.
|
Add button
|
Opens the Add Filter Item dialog box.
|
Edit button
|
Opens the Edit Filter Item dialog box.
|
Delete button
|
Removes the selected row from the EAF table.
|
Filter Item Dialog Box
Use the Filter Item dialog box to add items to a filter, remove items from a filter, and otherwise define the filter. Also, use the Filter Item dialog box to edit items in an existing filter.
The Filter Item dialog box appears as either Add Filter Item or Edit Filter Item.
In the Add appearance of the Filter Item dialog box, add items to a filter, remove items from a filter, and otherwise define the filter.
In the Edit appearance of the Filter Item dialog box, edit items in an existing filter.
Navigation Path
(Device view) Select IPS > Event Actions > Event Action Filters from the Policy selector. Click the Add button or the Edit button to open the Filter Item dialog box.
Related Topics
• Event Action Policies
• Event Action Filters Page
Field Reference
Table N-32 Filter Item Dialog Box
Element
|
Description
|
Enabled
|
When selected, indicates that the filter is enabled.
The default value is checked (enabled).
If a filter is active but not enabled, it will still be included in the ordering list; it will be processed, but it will not be used.
|
Active
|
When selected, indicates that the filter has been put into the filter list and will take effect on filtering events.
The default value is unchecked (not active).
If a filter is not active, then it will not be included at all in the ordering of the filters; it will not be processed at all.
|
Name
|
Lets you name the filter you are adding.
You need to name your filters so that you can move them around in the list and move them to the inactive list if needed.
|
Signature IDs
|
Identifies the unique numerical value assigned to this signature.
This value lets the sensor identify a particular signature. You can also enter a range of signatures. The default values are in the range 900-65535.
|
SubSignature ID
|
Identifies the unique numerical value assigned to this subsignature.
The subSig ID identifies a more granular version of a broad signature. You can also enter a range of subSig IDs. The default value is the range of 0-255.
|
Attacker Address
|
Identifies the IP address of the host that sent the offending packet.
You can also enter a range of addresses.
|
Attacker Port
|
Identifies the port used by the attacker host.
This is the port from which the offending packet originated. You can also enter a range of ports. The default value is a range of all ports (0-65535).
|
Victim Address
|
Identifies the IP address targeted by the attacker host.
You can also enter a range of addresses. The default value is a range of all addresses (0.0.0.0-255.255.255.255).
|
Victim Port
|
Identifies the port targeted by the attacker host. Valid values are 0 to 65535.
This is the port to which the offending packet was sent. You can also enter a range of ports. The default value is a range of all ports (0-65535).
|
Risk Rating Min. and Max.
|
Indicates the RR range between 0 and 100 that should be used to trigger this event action filter. The default value is the complete range (0-100).
If an event occurs with an RR that falls within the minimum-maximum range you configure here, the event is processed against the rules of this event filter.
|
OS Relevance
|
Indicates whether the alert is relevant to the OS that has been identified for the victim. Possible values include one or more of the following: Not Relevant, Relevant, Unknown. Hold CTRL or SHIFT while clicking on the items to select multiple values.
Note OS Relevance is applicable only to IPS 6.x devices, so for IOS IPS devices, this field is read-only and cannot be edited, and for IPS 5.x devices, this field is blank.
|
Comments
|
Displays the user comments associated with this filter.
|
Actions to Subtract
|
Indicates the actions that should be removed from the event, should the conditions of the event meet the criteria of the event action filter. You can select one or more actions in this list box. All selected actions are removed from the event. Hold CTRL or SHIFT while clicking on the items to select multiple values. For more information about the possible actions, see Edit Actions Dialog Box.
Note For IOS IPS devices, the possible values are restricted to:
• Deny Attacker Inline blocks the attacker's source IP address completely. No connection can be established from the attacker to the router until the shun time expires (this time is set by the user).
• Deny Connection Inline blocks the appropriate TCP flow from the attacker. Other connections from the attacker can be established to the router.
• Deny Packet Inline discards the packet without sending a reset. Cisco recommends using "drop and reset" in conjunction with alarm.
• Produce Alert sends a notification about the attack through syslog or SDEE.
• Reset TCP Connection is effective for TCP-based connections and sends a reset to both the source and destination addresses. For example, in case of a half-open SYN attack, Cisco IOS IPS can reset the TCP connections.
|
% to Deny
|
Indicates the percentage of packets to deny for deny attacker features. Valid values range between 1 and 100%.
Note For IOS IPS devices, this field is read only and cannot be edited.
|
Stop on Match check box
|
Determines whether or not this event will be processed against remaining filters in the event action filters list.
If set to No, the remaining filters are processed for a match until a Stop flag is encountered.
If set to Yes, no further processing is done. The actions specified by this filter are removed and the remaining actions are performed.
|
OK button
|
Accepts your changes and closes the dialog box.
|
Cancel button
|
Discards your changes and closes the dialog box.
|
Help button
|
Displays the help topic for this feature.
|
Event Action Overrides Page
Use the Event Action Overrides page to view a summary page of event action overrides that act globally (rather than per signature) to override, or change, the actions associated with an event based on the risk rating of that event.
Navigation Path
(Device view) Select IPS > Event Actions > Event Action Overrides from the Policy selector.
Related Topics
• Event Action Override Dialog Box
• Edit Actions Dialog Box
Field Reference
Table N-33 Event Action Overrides Page
Element
|
Description
|
Action
|
Specifies the event action that will be added to an event if the conditions of this event action override are satisfied.
|
Range
|
Indicates the risk rating range between 0 and 100 defined for this rule. If an event occurs with a risk rating that falls within the minimum-maximum range defined, the event action override is added to the list of actions to be performed when that event is triggered.
|
Enabled
|
Indicates whether or not the override is enabled.
|
Add button
|
Opens the Event Action Override dialog box.
|
Edit button
|
Opens the Event Action Override dialog box.
|
Delete button
|
Removes the selected event action overrides row from the table.
|
Event Action Override Dialog Box
Use the Event Action Override dialog box to add or edit an event action override that acts globally (rather than per signature) to change the actions associated with an event based on the risk rating of that event.
The Event Action Override dialog box appears as either Add Event Action Override or Edit Event Action Override. In the Add appearance of the Event Action Override dialog box, add an event action override. In the Edit appearance of the Event Action Override dialog box, edit an event action override.
Navigation Path
(Device view) Select IPS > Event Actions > Event Action Overrides from the Policy selector. Click the Add button or the Edit button to open the Event Action Override dialog box.
Related Topics
• Event Action Policies
• Event Action Overrides Page
• Edit Actions Dialog Box
Field Reference
Table N-34 Event Action Override Dialog Box
Element
|
Description
|
Event Action
|
Specifies the event action that will be added to an event if the conditions of this event action override are satisfied.
|
Enabled
|
Indicates whether or not the override is enabled.
|
Risk Rating
|
Indicates the risk rating range between 0 and 100 that should be used to trigger this event action override.
If an event occurs with a risk rating that falls within the minimum-maximum range you configure here, the event action is added to this event.
|
OK button
|
Accepts your changes and closes the dialog box.
|
Cancel button
|
Discards your changes and closes the dialog box.
|
Help button
|
Displays the help topic for this feature.
|
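The Event Action Override and Filter Item dialog boxes above describe two steps that change the action set of one alert: an enabled override adds its action when the alert's risk rating (RR) is inside the override's inclusive range, and filters are then walked in table order, where an active and enabled filter that matches subtracts its "actions to subtract" and a filter with Stop on Match ends the walk. The following model is an added illustration of those semantics, not Cisco Security Manager or sensor code; the field names mirror the dialogs, and the sample alert, overrides and filters are constructed.

```python
"""Event action overrides, then event action filters, applied to one alert.
Added illustration, not Cisco Security Manager code; sample data is constructed."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address


def in_range(value, rng):
    """Inclusive membership test for '900-65535' or a single value such as '80'."""
    lo, _, hi = str(rng).partition("-")
    return int(lo) <= value <= int(hi or lo)


def in_addr_range(addr, rng):
    """Inclusive membership test for '10.0.0.1-10.0.0.255' or a single '10.0.0.7'."""
    lo, _, hi = rng.partition("-")
    return IPv4Address(lo) <= IPv4Address(addr) <= IPv4Address(hi or lo)


@dataclass
class Override:          # Event Action Override dialog box
    action: str
    rr_range: str = "0-100"
    enabled: bool = True


@dataclass
class Filter:            # Filter Item dialog box, with the dialog's default ranges
    name: str
    actions_to_subtract: set
    sig_ids: str = "900-65535"
    subsig_ids: str = "0-255"
    attacker_addr: str = "0.0.0.0-255.255.255.255"
    attacker_port: str = "0-65535"
    victim_addr: str = "0.0.0.0-255.255.255.255"
    victim_port: str = "0-65535"
    rr_range: str = "0-100"
    stop_on_match: bool = False
    enabled: bool = True
    active: bool = False  # unchecked by default: not in the ordering list at all


@dataclass
class Alert:
    sig_id: int
    subsig_id: int
    attacker: str
    attacker_port: int
    victim: str
    victim_port: int
    risk_rating: int
    actions: set = field(default_factory=set)  # actions configured on the signature


def matches(f, a):
    """True when every filter criterion covers the alert (all ranges are inclusive)."""
    return (in_range(a.sig_id, f.sig_ids) and in_range(a.subsig_id, f.subsig_ids)
            and in_addr_range(a.attacker, f.attacker_addr)
            and in_range(a.attacker_port, f.attacker_port)
            and in_addr_range(a.victim, f.victim_addr)
            and in_range(a.victim_port, f.victim_port)
            and in_range(a.risk_rating, f.rr_range))


def apply_overrides(alert, overrides, overrides_enabled=True):
    """Action set after the override step (Enable Event Action Override on the Settings page)."""
    actions = set(alert.actions)
    if overrides_enabled:
        actions |= {o.action for o in overrides
                    if o.enabled and in_range(alert.risk_rating, o.rr_range)}
    return actions


def apply_filters(actions, alert, filters, filters_enabled=True):
    """First-match walk of the filter table; returns (remaining actions, names of filters applied)."""
    actions, applied = set(actions), []
    if filters_enabled:
        for f in filters:
            # inactive: not in the list at all; active but disabled: walked but not used
            if not (f.active and f.enabled and matches(f, alert)):
                continue
            actions -= f.actions_to_subtract
            applied.append(f.name)
            if f.stop_on_match:
                break
    return actions, applied


def sample():
    """Constructed sample: one alert, three overrides, two filters (the restrictive one first)."""
    alert = Alert(sig_id=2004, subsig_id=0, attacker="198.51.100.7", attacker_port=40000,
                  victim="10.1.1.20", victim_port=80, risk_rating=85,
                  actions={"produceAlert"})
    overrides = [Override("denyAttackerInline", "90-100"),
                 Override("denyPacketInline", "70-100"),
                 Override("logAttackerPackets", enabled=False)]
    filters = [Filter("vuln-scanner", {"denyPacketInline", "denyAttackerInline"},
                      attacker_addr="198.51.100.7", stop_on_match=True, active=True),
               Filter("quiet-web-alerts", {"produceAlert"}, victim_port="80", active=True)]
    return alert, overrides, filters


def demo():
    alert, overrides, filters = sample()
    return apply_filters(apply_overrides(alert, overrides), alert, filters)


if __name__ == "__main__":
    print(demo())  # ({'produceAlert'}, ['vuln-scanner'])
```

With the sample data the RR of 85 picks up denyPacketInline from the overrides but not denyAttackerInline, and the first filter strips both deny actions and stops, so the alert is still produced. Reversing the two filters (general rule first) removes produceAlert as well and then the deny actions, leaving nothing, which is why the page says to order restrictive filters before general ones.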
Network Information Page
Use the Network Information page to enable or disable passive operating system fingerprinting (POSFP), limit Attack Relevance Rating (ARR) computation to specific IP addresses, and define fixed OS mappings.
Target Value Ratings Tab
Use the Target Value Ratings tab to view a summary of Target Value Ratings (TVRs). TVR is a weight associated with the perceived value of the target. You can assign a TVR to your network assets. The TVR is one of the factors used to calculate the RR value for each alert. You can assign different TVRs to different targets. Events with a higher RR trigger more severe signature event actions.
TVR identifies the importance of a network asset through its IP address. You can develop a security policy that is strict for valuable corporate resources and lenient for less important resources.
Navigation Path
(Device view) Select IPS > Event Actions > Network Information from the Policy selector. Click the Target Value Ratings tab.
Related Topics
• Event Action Policies
• Target Value Rating Dialog Box
Field Reference
Table N-35 Target Value Tab
Element
|
Description
|
Value
|
Indicates the perceived value selected for this target.
|
Targets
|
Identifies the targets associated with the selected value.
|
Add button
|
Opens the Add Target Value Rating dialog box.
|
Edit button
|
Opens the Edit Target Value Rating dialog box.
|
Delete button
|
Removes the selected Target Value Rating from the table.
|
Target Value Rating Dialog Box
Use the Target Value Rating dialog box to add a TVR to one or more IP addresses. Also, use the Target Value Rating dialog box to edit a TVR that has already been assigned.
The Target Value Rating dialog box appears as either Add Target Value Rating or Edit Target Value Rating. In the Add appearance of the Target Value Rating dialog box, add a TVR. In the Edit appearance of the Target Value Rating dialog box, edit a TVR.
Navigation Path
(Device view) Select IPS > Event Actions > Network Information from the Policy selector. Click the Target Value Ratings tab. Click the Add button or the Edit button to open the Target Value Rating dialog box.
Related Topics
• Event Action Policies
• Network Information Page
• Target Value Ratings Tab
Field Reference
Table N-36 Target Value Rating Dialog Box
Element
|
Description
|
Value
|
Identifies the value assigned to this network asset. The value can be High, Low, Medium, Mission Critical, or No Value.
|
target-addresses
|
Identifies the IP address(es) of the network asset(s) you want to prioritize with a TVR.
|
OK button
|
Accepts your changes and closes the dialog box.
|
Cancel button
|
Discards your changes and closes the dialog box.
|
Help button
|
Displays the help topic for this feature.
|
OS Identification Tab
Use the OS Identification tab to configure OS host mappings, which take precedence over learned OS mappings. On the OS Identification tab you can add, edit, and delete configured OS maps. You can move them up and down in the list to change the order in which the sensor computes the ARR and RR for that particular IP address and OS type combination.
Note
OS Identification applies to IPS 6.x sensors only, not earlier versions.
You can also move them up and down in the list to change the order in which the sensor resolves the OS associated with a particular IP address. Configured OS mappings allow for ranges, so for network 192.168.1.0/24 an administrator might define the following:
Table N-37 Example Configured OS Mapping
IP Address Range Set
|
OS
|
192.168.1.1
|
IOS
|
192.168.1.2-192.168.1.10,192.168.1.25
|
UNIX
|
192.168.1.1-192.168.1.255
|
Windows
|
More specific mappings should be at the beginning of the list. Overlap in the IP address range sets is allowed, but the entry closest to the beginning of the list takes precedence.
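The lookup that Table N-37 and the precedence rule above describe, as an added illustration (not sensor code): each entry is an IP address range set and an OS, overlap is allowed, and the entry nearest the top of the list wins. OS_MAPS holds the rows of Table N-37 in table order; the learned (passive fingerprinting) mapping used in the demo is constructed. The shadowed_entries helper goes a step beyond the page by flagging entries that can never match because earlier entries already cover every address they list, the symptom of putting a broad mapping before a specific one.

```python
"""Ordered OS-map lookup with configured-over-learned precedence.
Added illustration, not sensor code; OS_MAPS holds the Table N-37 rows."""
from ipaddress import IPv4Address


def parse_range_set(text):
    """'192.168.1.2-192.168.1.10,192.168.1.25' -> list of (low, high) IPv4Address pairs."""
    ranges = []
    for part in text.split(","):
        lo, _, hi = part.strip().partition("-")
        lo_addr, hi_addr = IPv4Address(lo), IPv4Address(hi or lo)
        if hi_addr < lo_addr:
            raise ValueError(f"reversed range: {part.strip()}")
        ranges.append((lo_addr, hi_addr))
    return ranges


OS_MAPS = [  # Table N-37, in table order
    ("192.168.1.1", "IOS"),
    ("192.168.1.2-192.168.1.10,192.168.1.25", "UNIX"),
    ("192.168.1.1-192.168.1.255", "Windows"),
]


def resolve_os(ip, os_maps=OS_MAPS, learned=None):
    """Configured mappings take precedence over learned ones; first match in list order wins."""
    addr = IPv4Address(ip)
    for range_set, os_name in os_maps:
        if any(lo <= addr <= hi for lo, hi in parse_range_set(range_set)):
            return os_name
    return (learned or {}).get(ip, "Unknown OS")


def shadowed_entries(os_maps):
    """OS names of entries whose every address is already covered by earlier entries,
    so they can never be selected (a mis-ordering hint)."""
    covered = set()
    shadowed = []
    for range_set, os_name in os_maps:
        addrs = {a for lo, hi in parse_range_set(range_set)
                 for a in range(int(lo), int(hi) + 1)}
        if addrs <= covered:
            shadowed.append(os_name)
        covered |= addrs
    return shadowed


if __name__ == "__main__":
    for ip in ("192.168.1.1", "192.168.1.5", "192.168.1.25", "192.168.1.200"):
        print(ip, resolve_os(ip))
    # Same rows with the broad Windows entry moved to the top: IOS and UNIX become unreachable.
    print(shadowed_entries([OS_MAPS[2], OS_MAPS[0], OS_MAPS[1]]))
```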
Navigation Path
(Device view) Select IPS > Event Actions > Network Information from the Policy selector. Click the OS Identification tab.
Related Topics
• Event Action Policies
• Network Information Page
• OS Map Dialog Box
Field Reference
Table N-38 OS Identification Tab
Element
|
Description
|
Enable Passive OS Fingerprinting
|
When checked, lets the sensor perform passive OS analysis.
|
Restricted to these IP Addresses
|
Lets you configure the mapping of OS type to a specific IP address and have the sensor calculate the ARR for that IP address.
|
IP Addresses
|
Identifies the IP addresses associated with the selected OS type.
|
OS Type
|
Identifies the operating system(s) associated with the IP addresses.
|
Up Row button
|
Moves the selected row up in the table.
|
Down Row button
|
Moves the selected row down in the table.
|
Add button
|
Opens the Add OS Map dialog box.
|
Edit button
|
Opens the Edit OS Map dialog box.
|
Delete button
|
Removes the selected OS Map from the table.
|
OS Map Dialog Box
Use the OS Map dialog box to map a host through its IP address to an OS type. Also, use the OS Map dialog box to change the map of a host through its IP address to an OS type.
The OS Map dialog box appears as either Add OS Map or Edit OS Map. In the Add appearance of the OS Map dialog box, add an OS Map. In the Edit appearance of the OS Map dialog box, edit an OS Map.
Navigation Path
(Device view) Select IPS > Event Actions > Network Information from the Policy selector. Click the OS Identification tab. Click the Add button or the Edit button to open the OS Map dialog box.
Related Topics
• Event Action Policies
• Network Information Page
• OS Identification Tab
Field Reference
Table N-39 OS Map Dialog Box
Element
|
Description
|
IP Addresses
|
Identifies the IP address of the selected device.
|
OS Type
|
Identifies the operating system type(s) associated with the selected IP addresses. Select one or more of the following values:
• General OS
• IOS
• Mac OS
• Netware
• Other
• UNIX
• AIX
• BSD
• HP-UX
• IRIX
• Linux
• Solaris
• Windows
• Windows NT/2K/XP
• WinNT
• Unknown OS
Hold CTRL or SHIFT while clicking on the items to select multiple values.
|
OK button
|
Accepts your changes and closes the dialog box.
|
Cancel button
|
Discards your changes and closes the dialog box.
|
Help button
|
Displays the help topic for this feature.
|
Event Actions > Settings Page
Use the Event Actions > Settings page to define Event Actions. An event action is the sensor's response to an event.
Navigation Path
(Device view) Select IPS > Event Actions > Settings from the Policy selector.
Related Topics
• Event Actions > Settings Page
Field Reference
Table N-40 Settings Page
Element
|
Description
|
Enable Event Action Override check box
|
Enables the override rules as defined on the Event Action Overrides page. You can add an event action override to change the actions associated with an event based on specific details about that event.
|
Enable Event Action Filters check box
|
Enables the filter rules as defined on the Event Action Filters page. You can configure event action filters to remove specific actions from an event or to discard an entire event and prevent further processing by the sensor.
|
Enable Event Action Summarizer check box
|
(IPS only) Enables the Summarizer component. The Summarizer groups events into a single alert, thus decreasing the number of alerts the sensor sends out.
By default, the Summarizer is enabled. If you disable it, all signatures are set to Fire All with no summarization. If you configure individual signatures to summarize, this configuration will be ignored if the Summarizer is not enabled.
|
Enable Meta Event Generator check box
|
(IPS only) Enables the Meta Event Generator. The Meta Event Generator processes the component events, which lets the sensor watch for suspicious activity transpiring over a series of events.
By default, the Meta Event Generator is enabled. If you disable the Meta Event Generator, all Meta engine signatures are disabled.
|
Enable Threat Rating Adjustment check box
|
(IPS only) Enables threat rating adjustment, which adjusts the risk rating. If disabled, then risk rating is equal to threat rating.
The Threat Rating feature (new in Cisco IPS Sensor Software Version 6.0) provides a single view of the threat environment of the network. Threat Rating minimizes alarms and events through a customized view that shows only events with a high Threat Rating value. The Threat Rating value is derived as follows:
• Dynamic adjustment of event Risk Rating based on success of response action
• If response action was applied, Risk Rating is deprecated (Threat Rating < Risk Rating)
• If response action was not applied, Risk Rating remains unchanged (Threat Rating = Risk Rating)
The result is a single value by which the threat risk is determined.
|
Deny Attacker Duration in seconds
|
Number of seconds to deny the attacker inline.
The valid range is 0 to 518400. The default is 3600.
|
Block Attack Duration in minutes
|
(IPS only) Number of minutes to block a host or connection.
The valid range is 0 to 10000000. The default is 30.
|
Maximum Number of Denied Attackers
|
(IPS only) Limits the number of denied attackers possible in the system at any one time.
The valid range is 0 to 100000000. The default is 10000.
|
Interfaces Page
The following tabs are available on the Interfaces page:
• Physical Interfaces Tab
• Inline Pairs Tab
• VLAN Pairs Tab
• VLAN Groups Tab
• Summary Tab
Physical Interfaces Tab
The Physical Interfaces tab lists the existing physical interfaces on your sensor and their associated settings. The sensor detects the interfaces and populates the interfaces list in the Interfaces pane.
To configure the sensor to monitor traffic, you must enable the interface. When you initialized the sensor using the setup command (using the command line interface in Cisco IPS), you assigned the interface or the inline pair to a virtual sensor, and enabled the interface or inline pair. If you need to change your interface settings, you can do so in the Physical Interfaces tab. To assign an interface to a virtual sensor, select the Virtual Sensors policy. Click the Add/Edit button. Use the dialog box to assign an available interface to the virtual sensor.
Navigation Path
(Device view) Select IPS > Interfaces from the Policy selector. Click the Physical Interfaces tab.
Related Topics
• Interfaces Page
Field Reference
Table N-41 Physical Interfaces Tab
Element
|
Description
|
Interface Name
|
Name of the interface.
The values are FastEthernet or GigabitEthernet for all interfaces.
|
Media Type
|
Indicates the media type.
The media type options are the following:
• TX—Copper media
• SX—Fiber media
• XL—Network accelerator card
• Backplane interface—An internal interface that connects the module to the parent chassis' backplane.
|
Description
|
Lets you provide a description of the interface.
|
Enabled
|
Whether or not the interface is enabled.
|
Duplex
|
Indicates the duplex setting of the interface.
The duplex type options are the following:
• Auto—Sets the interface to auto negotiate duplex.
• Full—Sets the interface to full duplex.
• Half—Sets the interface to half duplex.
|
Speed
|
Indicates the speed setting of the interface.
The speed type options are the following:
• Auto—Sets the interface to auto negotiate speed.
• 10 MB—Sets the interface to 10 MB (for TX interfaces only).
• 100 MB—Sets the interface to 100 MB (for TX interfaces only).
• 1000—Sets the interface to 1 GB (for gigabit interfaces only).
|
Specify Interface for TCP Reset
|
If selected, sends TCP resets on an alternate interface when this interface is used for promiscuous monitoring and the reset action is triggered by a signature firing.
|
Bypass Mode
|
A global setting that specifies the bypass mode setting for all interfaces on this device. Values are:
• Off (Always inspect inline traffic)
• On (Never inspect inline traffic)
• Auto (Bypass inspection when analysis engine is stopped)
|
Modify Physical Interface Map Dialog Box
Use the Modify Physical Interface Map dialog box to change the configuration of the physical interfaces of a sensor.
Navigation Path
(Device view) Select IPS > Interfaces from the Policy selector. Click the Physical Interfaces tab. Click the Edit button to open the Modify Physical Interfaces dialog box. The fields in Table N-42 may be modified.
Related Topics
• Interfaces Page
Field Reference
Table N-42 Modify Physical Interfaces Dialog Box
Element
|
Description
|
Description
|
Lets you provide a description of the interface.
|
Enabled
|
Specify whether or not the interface is enabled.
|
Duplex
|
Select the duplex setting of the interface.
The duplex type options are the following:
• Auto—Sets the interface to auto negotiate duplex.
• Full—Sets the interface to full duplex.
• Half—Sets the interface to half duplex.
|
Speed
|
Select the speed setting of the interface.
The speed type options are the following:
• Auto—Sets the interface to auto negotiate speed.
• 10 MB—Sets the interface to 10 MB (for TX interfaces only).
• 100 MB—Sets the interface to 100 MB (for TX interfaces only).
• 1000—Sets the interface to 1 GB (for gigabit interfaces only).
|
Default VLAN
|
Specify the VLAN ID associated with native traffic, or 0 if unknown or if you do not care which VLAN it is.
|
Specify Interface for TCP Reset
|
If selected, sends TCP resets on an alternate interface when this interface is used for promiscuous monitoring and the reset action is triggered by a signature firing.
|
interface-name
|
Select the interface that sends the TCP reset.
|
Inline Pairs Tab
Use the Inline Pairs tab to see the existing inline pairs configured on the IPS.
Navigation Path
(Device view) Select IPS > Interfaces from the Policy selector. Click the Inline Pairs tab.
Related Topics
• Interfaces Page
• Physical Interfaces Tab
Field Reference
Table N-43 Inline Pairs Tab
Element
|
Description
|
Name
|
The name you give this inline interface pair.
|
Interface A
|
The first interface in the pair. The interface must be defined on the Physical Interfaces tab.
|
Interface B
|
The second interface in the pair. The interface must be defined on the Physical Interfaces tab.
|
Description
|
Lets you add a description of this interface pair.
|
Bypass Mode
|
A global setting that specifies the bypass mode setting for all interfaces on this device. Values are:
• Off (Always inspect inline traffic)
• On (Never inspect inline traffic)
• Auto (Bypass inspection when analysis engine is stopped)
|
Interface Pair Dialog Box
You can pair interfaces on your sensor if your sensor is capable of inline monitoring. Use the Interface Pair dialog box to add an inline pair of interfaces to a sensor. Also, use the Interface Pair dialog box to edit an inline pair of interfaces that has already been added to a sensor.
The Interface Pair dialog box appears as either Add Interface Pair or Edit Interface Pair. In the Add appearance of the Interface Pair dialog box, add an inline pair of interfaces to a sensor. In the Edit appearance of the Interface Pair dialog box, edit an inline pair of interfaces that has already been added to a sensor.
You cannot delete an inline pair if there is an inline VLAN group. First delete the inline VLAN group from the VLAN Groups tab, and then delete the inline pair.
Navigation Path
(Device view) Select IPS > Interfaces from the Policy selector. Click the Inline Pairs tab. Click the Add button or the Edit button to open the Interface Pair dialog box.
Related Topics
• Interfaces Page
• Inline Pairs Tab
• Physical Interfaces Tab
Field Reference
Table N-44 Interface Pair Dialog Box
Element
|
Description
|
Inline Interface Name
|
Enter the name of this inline interface pair. Must be less than 32 alphanumeric and/or underscore characters.
|
Interface A
|
Select the first interface in the pair. The interface must be defined on the Physical Interfaces tab.
|
Interface B
|
Select the second interface in the pair. The interface must be defined on the Physical Interfaces tab.
|
Description
|
Lets you add a description of this interface pair.
|
VLAN Pairs Tab
Use the VLAN Pairs tab to view a summary of the existing inline VLAN pairs for each physical interface.
The VLAN Pairs tab displays the existing inline VLAN pairs for each physical interface. Click Add to create an inline VLAN pair.
Note
You cannot create an inline VLAN pair for an interface that has already been paired with another interface or for an interface that is in promiscuous mode and assigned to a virtual sensor.
To create an inline VLAN pair for an interface that is in promiscuous mode, you must remove the interface from the virtual sensor and then create the inline VLAN pair. If the interface is already paired or in promiscuous mode, you receive an error message when you try to create an inline VLAN pair.
Note
If your sensor does not support inline VLAN pairs, the VLAN Pairs pane is not displayed. AIP-SSM and NM-CIDS do not support inline VLAN pairs.
Navigation Path
(Device view) Select IPS > Interfaces from the Policy selector. Click the VLAN Pairs tab.
Related Topics
• Interfaces Page
Field Reference
Table N-45 VLAN Pairs Tab
Element
|
Description
|
Interface Name
|
Select the name of the inline VLAN pair.
|
Subinterface Number
|
Subinterface number of the inline VLAN pair.
The value is 1 to 255.
|
Description
|
Lets you provide a description of the inline VLAN pair.
|
VLAN A
|
Displays the VLAN ID for the first VLAN.
The value is 1 to 4095.
|
VLAN B
|
Displays the VLAN ID for the second VLAN.
The value is 1 to 4095.
|
Bypass Mode
|
A global setting that specifies the bypass mode setting for all interfaces on this device. Values are:
• Off (Always inspect inline traffic)
• On (Never inspect inline traffic)
• Auto (Bypass inspection when analysis engine is stopped)
|
VLAN Pair Dialog Box
Use the VLAN Pair dialog box to add a pair of VLANs to a sensor. Also, use the VLAN Pair dialog box to edit a pair of VLANs previously added to a sensor.
The VLAN Pair dialog box appears as either Add VLAN Pair or Edit VLAN Pair. In the Add appearance of the VLAN Pair dialog box, add a VLAN pair for a physical interface. In the Edit appearance of the VLAN Pair dialog box, edit a VLAN pair that has already been added to a physical interface.
Note
You cannot pair a VLAN with itself.
Note
The subinterface number and the VLAN numbers should be unique to each physical interface.
Navigation Path
(Device view) Select IPS > Interfaces from the Policy selector. Click the VLAN Pairs tab. Click the Add button or the Edit button to open the VLAN Pairs dialog box.
Related Topics
• Interfaces Page
Field Reference
Table N-46 VLAN Pairs Dialog Box
Element
|
Description
|
Physical Interface
|
Select the physical interface to which this VLAN pair is assigned.
|
Subinterface Number
|
Specify the subinterface number of the inline VLAN pair.
The value is 1 to 255.
|
Description
|
Lets you provide a description of the inline VLAN pair.
|
VLAN A
|
Specify the VLAN number for the first VLAN.
The value is 1 to 4095.
|
VLAN B
|
Specify the VLAN number for the second VLAN.
The value is 1 to 4095.
|
VLAN Groups Tab
In the VLAN Groups tab you can add, edit, or delete VLAN groups that you defined in the sensor interface configuration. A VLAN group consists of a group of VLAN IDs that exist on an interface. There are two types of VLAN groups: promiscuous and inline. Promiscuous VLAN groups are created on a promiscuous interface. Inline VLAN groups are created on an existing interface pair. Each VLAN group consists of at least one VLAN ID. You can have up to 255 VLAN groups per interface (logical or physical). Each group can contain any number of VLAN IDs. You then assign each VLAN group to a virtual sensor (but not to multiple virtual sensors). You can assign different VLAN groups on the same sensor to different virtual sensors.
After you assign the VLAN IDs to the VLAN group, you must assign the VLAN group to a virtual sensor.
Navigation Path
(Device view) Select IPS > Interfaces from the Policy selector. Click the VLAN Groups tab.
Related Topics
• Interfaces Page
Field Reference
Table N-47 VLAN Groups Tab
Element
|
Description
|
Name
|
The physical or logical interface name of the VLAN group.
|
Subinterface Number
|
Subinterface number of the VLAN group.
The value is 1 to 255.
|
Description
|
Lets you provide a description of the VLAN group.
|
VLANs
|
Displays the range of VLAN IDs belonging to the VLAN group.
Each VLAN ID is a number between 1 and 4095.
|
Bypass Mode
|
A global setting that specifies the bypass mode setting for all interfaces on this device. Values are:
• Off (Always inspect inline traffic)
• On (Never inspect inline traffic)
• Auto (Bypass inspection when analysis engine is stopped)
|
VLAN Group Map Dialog Box
Use the VLAN Group Map dialog box to add a group of VLANs to a sensor. Also, use the VLAN Group Map dialog box to edit a group of VLANs previously added to a sensor.
The VLAN Group Map dialog box appears as either Add VLAN Group Map or Edit VLAN Group Map. In the Add appearance of the VLAN Group Map dialog box, add a group of VLANs to a sensor. In the Edit appearance of the VLAN Group Map dialog box, edit a group of VLANs that has already been added to a sensor.
Note
The subinterface number and VLAN IDs should be unique on each physical interface and inline pair.
Navigation Path
(Device view) Select IPS > Interfaces from the Policy selector. Click the VLAN Groups tab. Click the Add button or the Edit button to open the VLAN Group Map dialog box.
Related Topics
• Interfaces Page
Field Reference
Table N-48 VLAN Group Map Dialog Box
Element | Description
Physical and Logical Interfaces | Select the physical or logical interface name of the VLAN group.
Subinterface Number | Specify the subinterface number of the VLAN group. The value is 1 to 255.
Description | Lets you provide a description of the VLAN group.
All Unassigned VLAN IDs | Selects all VLAN IDs that are not a member of another VLAN group definition.
Range of Free VLANs IDs | Specify the range of VLAN IDs belonging to the VLAN group. The format is dashed pairs of lower-upper IDs, separated by commas. For example, 23-44, 91-144.
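The following is an added example, not part of the Security Manager documentation or product: it parses the dashed-pair format of the Range of Free VLANs IDs field and applies the uniqueness rules from the note above (unique subinterface numbers, no VLAN ID in two groups on the same interface or inline pair, at most 255 groups per interface) to a constructed interface configuration. Interface names and the VlanGroup type are assumptions made for the example.

```python
import re
from dataclasses import dataclass

VLAN_MIN, VLAN_MAX = 1, 4095        # VLAN ID range from the field reference
SUBIF_MIN, SUBIF_MAX = 1, 255       # subinterface number range
MAX_GROUPS_PER_INTERFACE = 255      # "up to 255 VLAN groups per interface"

_PAIR = re.compile(r"^\s*(\d+)\s*-\s*(\d+)\s*$")


def parse_vlan_ranges(text):
    """Parse the Range of Free VLANs IDs field: dashed lower-upper pairs
    separated by commas, for example "23-44, 91-144".
    Returns sorted (lo, hi) tuples; raises ValueError on bad syntax,
    IDs outside 1-4095, or pairs that overlap each other."""
    ranges = []
    for chunk in text.split(","):
        m = _PAIR.match(chunk)
        if not m:
            raise ValueError(f"bad range syntax: {chunk.strip()!r}")
        lo, hi = int(m.group(1)), int(m.group(2))
        if lo > hi:
            raise ValueError(f"lower bound exceeds upper bound: {lo}-{hi}")
        if lo < VLAN_MIN or hi > VLAN_MAX:
            raise ValueError(f"VLAN IDs must be {VLAN_MIN}-{VLAN_MAX}: {lo}-{hi}")
        ranges.append((lo, hi))
    ranges.sort()
    for (a_lo, a_hi), (b_lo, b_hi) in zip(ranges, ranges[1:]):
        if b_lo <= a_hi:
            raise ValueError(f"overlapping ranges: {a_lo}-{a_hi} and {b_lo}-{b_hi}")
    return ranges


@dataclass
class VlanGroup:                # assumed model of one VLAN Group Map entry
    interface: str              # physical interface or inline pair name
    subinterface: int           # Subinterface Number field
    vlans: str                  # Range of Free VLANs IDs field, as typed
    description: str = ""


def validate_vlan_groups(groups):
    """Check a whole interface configuration against the VLAN Group Map note:
    on each physical interface or inline pair, subinterface numbers must be
    unique, a VLAN ID may belong to only one group, and there are at most
    255 groups. Returns a list of problem strings (empty means consistent)."""
    problems = []
    per_if = {}   # interface -> {"subifs": set, "owner": {vlan: (idx, subif)}, "count": int}
    for i, g in enumerate(groups):
        st = per_if.setdefault(g.interface, {"subifs": set(), "owner": {}, "count": 0})
        st["count"] += 1
        if not SUBIF_MIN <= g.subinterface <= SUBIF_MAX:
            problems.append(f"{g.interface}: subinterface {g.subinterface} "
                            f"outside {SUBIF_MIN}-{SUBIF_MAX}")
        elif g.subinterface in st["subifs"]:
            problems.append(f"{g.interface}: subinterface {g.subinterface} used twice")
        st["subifs"].add(g.subinterface)
        try:
            ranges = parse_vlan_ranges(g.vlans)
        except ValueError as err:
            problems.append(f"{g.interface}.{g.subinterface}: {err}")
            continue
        for lo, hi in ranges:
            for vid in range(lo, hi + 1):
                owner = st["owner"].get(vid)
                if owner is not None and owner[0] != i:
                    problems.append(f"{g.interface}: VLAN {vid} is in subinterface "
                                    f"{owner[1]} and subinterface {g.subinterface}")
                    break   # one report per overlapping range is enough
                st["owner"][vid] = (i, g.subinterface)
    for iface, st in per_if.items():
        if st["count"] > MAX_GROUPS_PER_INTERFACE:
            problems.append(f"{iface}: {st['count']} groups exceeds {MAX_GROUPS_PER_INTERFACE}")
    return problems


# Constructed sample configuration (not taken from a real sensor).
SAMPLE_GROUPS = [
    VlanGroup("GigabitEthernet0/1", 1, "23-44, 91-144", "finance"),
    VlanGroup("GigabitEthernet0/1", 2, "145-200"),
    VlanGroup("GigabitEthernet0/1", 2, "140-160"),    # duplicate subinterface, overlaps 140-144
    VlanGroup("GigabitEthernet0/2", 1, "5000-5010"),  # outside 1-4095
]

if __name__ == "__main__":
    for problem in validate_vlan_groups(SAMPLE_GROUPS):
        print(problem)
```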
Summary Tab
Use the Summary tab on the Interfaces page to see a summary of how you have configured the sensing interfaces—the interfaces you have configured for promiscuous mode, the interfaces you have configured as inline pairs, and the interfaces you have configured as inline VLAN pairs.
The content of this page changes when you change your interface configuration.
Caution 
You can configure any single physical interface to run in promiscuous mode, inline pair mode, inline VLAN pair mode, promiscuous VLAN group, or inline VLAN group, but you cannot configure an interface in a combination of these modes.
Navigation Path
(Device view) Select IPS > Interfaces from the Policy selector. Click the Summary tab.
Related Topics
• Interfaces Page
• Physical Interfaces Tab
• Inline Pairs Tab
• VLAN Pairs Tab
• VLAN Groups Tab
Field Reference
Table N-49 Summary Tab
Element | Description
Name | Name of the interface. The values are FastEthernet or GigabitEthernet for promiscuous interfaces.
Subinterface Number | Subinterface number of the inline VLAN pair or VLAN group. The value is 1 to 255.
Inline Interface Name | The name of this inline interface pair.
Mode | Identifies whether the interface is promiscuous, inline, promiscuous VLAN group, or inline VLAN group and whether there are VLAN pairs.
VLAN A | Displays the VLAN ID for the first VLAN. The value is 1 to 4095.
VLAN B | Displays the VLAN ID for the second VLAN. The value is 1 to 4095.
VLANs Range | Displays the range of VLAN IDs belonging to the VLAN group. Each VLAN ID is a number between 1 and 4095.
Bypass Mode | A global setting that specifies the bypass mode setting for all interfaces on this device. Values are: Off (Always inspect inline traffic); On (Never inspect inline traffic); Auto (Bypass inspection when analysis engine is stopped).
Platform Policies
The pages that you access from the Platform Policies folder from the Policies selector in Device View enable you to configure device administration, logging, and security.
These topics describe the folder and main pages available from the Platform Policies folder:
• Device Admin Policies
• Logging Page
• Security Policies
Device Admin Policies
The pages that you access from the Device Admin folder from the Policies selector in Device View enable you to configure device access and server access.
These topics describe the folders available from the Device Admin Policies folder:
• Device Access Policies
• Server Access Policies
Device Access Policies
The pages that you access from the Device Access folder from the Policies Selector in Device View enable you to identify allowed hosts and configure SNMP.
Allowed Hosts Page
Use the Allowed Hosts page to view a summary of the hosts that are allowed to connect to a sensor. By default, all hosts on your network can connect to a sensor to configure it and receive alarm data from it. However, you can identify the hosts that are allowed to connect to a sensor, and no other hosts will be allowed to connect.
Note
If your Security Manager server is not an allowed host, then you are not able to connect to your IPS sensors and manage them.
Navigation Path
(Device view) Select Platform > Device Admin > Device Access > Allowed Hosts from the Policy selector.
Field Reference
Table N-50 Allowed Hosts Page
Element | Description
Network address | Identifies the allowed host in prefix notation: <IP network>/subnet mask. For example, 64.0.0.0/8.
Add button | Opens the Add Access List dialog box.
Edit button | Opens the Modify Access List dialog box.
Delete button | Deletes the selected allowed host.
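An added example, not code from Security Manager: before pushing an allowed-hosts list, audit it offline to make sure the Security Manager server itself is still covered (the lockout the note above warns about) and to see how broad the broadest entry is. Entries use the page's <IP network>/subnet mask notation; the sample list and server address are constructed.

```python
import ipaddress


def parse_allowed_hosts(entries):
    """Parse Allowed Hosts entries written as <IP network>/subnet mask, for
    example 64.0.0.0/8. ipaddress accepts either a prefix length or a dotted
    mask after the slash. A bare address is taken as a single host (/32).
    Invalid entries are collected rather than raised, so one typo does not
    hide the rest of the audit."""
    networks, invalid = [], []
    for entry in entries:
        text = entry.strip()
        if "/" not in text:
            text += "/32"
        try:
            networks.append(ipaddress.ip_network(text, strict=False))
        except ValueError:
            invalid.append(entry)
    return networks, invalid


def audit_allowed_hosts(entries, manager_ip):
    """Report whether the Security Manager server stays reachable once the
    list is pushed, which entries cover it, and how broad the list is
    (a small prefix length such as /8 admits far more than management hosts)."""
    manager = ipaddress.ip_address(manager_ip)
    networks, invalid = parse_allowed_hosts(entries)
    covering = [str(n) for n in networks if manager in n]
    return {
        "manager_covered": bool(covering),
        "covering_entries": covering,
        "broadest_prefix": min((n.prefixlen for n in networks), default=None),
        "invalid_entries": invalid,
    }


# Constructed sample: a management subnet, the page's own example entry,
# a single host, and one malformed entry.
SAMPLE_ALLOWED = ["10.10.5.0/24", "64.0.0.0/8", "192.0.2.7", "not-an-address"]
SAMPLE_MANAGER = "10.10.5.21"

if __name__ == "__main__":
    print(audit_allowed_hosts(SAMPLE_ALLOWED, SAMPLE_MANAGER))
```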
Access List Dialog Box
The Access List dialog box appears as either the Add Access List dialog box or the Modify Access List dialog box. Use the Add Access List dialog box to identify the hosts that you want to be able to connect to a sensor. Use the Modify Access List dialog box to change an existing list of hosts that you want to be able to connect to a sensor.
Navigation Path
(Device view) Select Platform > Device Admin > Device Access > Allowed Hosts from the Policy selector. Click the Add button or the Edit button.
Field Reference
Table N-51 Access List Dialog Box
Element | Description
Network address | Identifies the allowed host in prefix notation: <IP network>/subnet mask. For example, 64.0.0.0/8.
Select. . . button | Opens the Available Networks/Hosts dialog box.
SNMP Page
Use the SNMP page to configure Simple Network Management Protocol (SNMP). Security Manager does not use SNMP to manage sensors, but the sensors support SNMP and therefore require a means of configuration in Security Manager.
SNMP configuration has three parts:
• General Configuration—Enables you to configure general SNMP parameters and apply them to sensors.
• Traps Configuration—Enables you to configure traps and apply them to sensors.
• Traps Destination—Enables you to identify recipients that the traps should be sent to.
General Configuration Tab
Use the General Configuration tab on the SNMP page to configure general SNMP parameters and apply them to sensors.
Navigation Path
(Device view) Select Platform > Device Admin > Device Access > SNMP from the Policy selector. The General Configuration tab is active by default.
Field Reference
Table N-52 SNMP > General Configuration Tab
Element | Description
Enable SNMP Gets/Sets | Allows you to enable the sensor to respond to get and set queries. If this field is disabled, the sensor does not respond to the query.
Read-Only Community String | Sets the read-only community string of the sensor to a string you specify. When a sensor receives an SNMP get request with the specified read-only community string, it responds. This string gives access to all SNMP get requests.
Read-Write Community String | Sets the read-write community string of the sensor to a string you specify. When a sensor receives an SNMP get request, or an SNMP set request, with the specified read-write community string, it responds. This string gives access to all SNMP get requests and set requests.
Sensor Contact | The network administrator who is responsible for this sensor.
Sensor Location | The physical location of the sensor appliance or other hardware used as a sensing device.
Sensor Agent Port | Instructs a sensor to run the SNMP agent on the specified port. Valid port numbers range from 1 to 65535.
Snmp Agent Protocol | Instructs a sensor to run SNMP on top of a particular transport protocol. The options available are TCP (Transmission Control Protocol) and UDP (User Datagram Protocol).
Select. . . button | Opens the Port Lists Selector dialog box.
SNMP Trap Configuration Tab
Use the SNMP Trap Configuration tab on the SNMP page to configure traps, apply them to sensors, and identify the recipients that the traps should be sent to.
Navigation Path
(Device view) Select Platform > Device Admin > Device Access > SNMP from the Policy selector. Click the SNMP Trap Configuration tab.
Field Reference
Table N-53 SNMP > SNMP Trap Configuration Tab
Element | Description
Enable Notifications | Allows you to enable the sensor to notify interested parties whenever a specific type of event occurs in a sensor. When you select this check box, the sensor is instructed to perform notification. (You can also use the Traps Destination function to configure interested parties.) If the Enable Notifications check box is not selected, the sensor does not respond to the query.
Error Filter | Use this set of filters to specify the level of notifications that are enabled. The three levels of notification are Fatal, Error, and Warning. When you select one or more of these filters, you enable the sensor to send notification of events that correspond to the levels selected.
Enable Detail Traps | When selected, this check box enables the sensor to send the detailed traps for all alerts.
Default Trap Community String | All traps that are being notified carry a community string. All traps that have a community string identical to that of the destination are taken by the destination. All other traps are discarded by the destination. This is a primary default condition, but this default can also be overridden at any destination.
Trap Destinations | A summary table of the traps that you have configured, with the following information listed: IP Address, Trap Community String, and Trap Port.
Add button | Opens the Add Snmp Trap Communication dialog box.
Edit button | Opens the Modify Snmp Trap Communication dialog box.
Delete button | Deletes the selected allowed host.
Snmp Trap Communication Dialog Box
The Snmp Trap Communication dialog box appears as either the Add Snmp Trap Communication dialog box or the Modify Snmp Trap dialog box. Use the Add form of this dialog box to add an Snmp trap. Use the Modify form of this dialog box to modify an Snmp trap that you added earlier.
Navigation Path
(Device view) Select Platform > Device Admin > Device Access > SNMP from the Policy selector. Click the SNMP Trap Configuration tab. Click the Add button or the Edit button.
Field Reference
Table N-54 Add Snmp Trap Communication Dialog Box
Element | Description
Ip Address | Identifies the trap destination in prefix notation: <IP network>/subnet mask. For example, 64.0.0.0/8. One of the three items that define a trap.
Select. . . button | Opens the Available Networks/Hosts dialog box.
Trap Community String | The community string of the trap. (All traps that are being notified carry a community string.) One of the three items that define a trap.
Trap Port | The port used by the trap. One of the three items that define a trap.
Select. . . button | Opens the Port Lists Selector dialog box.
Server Access Policies
The pages that you access from the Server Access folder from the Policy Selector in Device View enable you to configure server access.
These topics describe the pages available from the Server Access folder:
• External Product Interface Page
• NTP Page
External Product Interface Page
Use the External Product Interface page to configure the way that Security Manager works with external products.
Note
Management Center for Cisco Security Agents is the only external product for which interfaces can be configured for IPS in Security Manager.
Navigation Path
(Device view) Select Platform > Device Admin > Server Access > External Product Interface from the Policy selector.
Management Center for Cisco Security Agents Tab
Use the Management Center for Cisco Security Agents tab to configure the way that Security Manager works with Management Center for Cisco Security Agents.
Note
Only two interfaces can be configured for Management Center for Cisco Security Agents.
Navigation Path
(Device view) Select Platform > Device Admin > Server Access > External Product Interface from the Policy selector. The Management Center for Cisco Security Agents tab is active by default.
Field Reference
Table N-55 External Product Interface > Management Center for Cisco Security Agents Tab
Element | Description
IP Address | The IP address of the external product.
Interface Type | Identifies the physical interface type, that is, copper or fiber.
Enable | Specifies whether an agent is enabled to notify the management station of significant events by way of an unsolicited SNMP message.
URL | The URL of the external product.
Port | Specifies the port being used for communications.
Username | A valid user name for authentication to the external product.
Add button | Opens the Add External Product Interface dialog box.
Edit button | Opens the Edit External Product Interface dialog box.
Delete button | Deletes the selected External Product Interface.
External Product Interface Dialog Box
Use the External Product Interface dialog box to add or modify interfaces between Management Center for Cisco Security Agents and Security Manager. This dialog box appears in two forms: Add and Edit.
Also use the External Product Interface dialog box to add or modify Posture ACLs.
Navigation Path
(Device view) Select Platform > Device Admin > Server Access > External Product Interface from the Policy selector. The Management Center for Cisco Security Agents tab is active by default. Click the Add button or the Modify button.
Field Reference
Table N-56 External Product Interface Dialog Box
Element | Description
External Product's IP Address | The IP address of the external product.
Select. . . button | Opens the Available Networks/Hosts dialog box.
Interface Type | Identifies the physical interface type, that is, copper or fiber.
Enable receipt of information | Specifies whether an agent is enabled to notify the management station of significant events by way of an unsolicited SNMP message.
SDEE URL | The URL of the external product.
Port | Specifies the port being used for communications.
Select. . . button | Opens the Port Lists Selector dialog box.
User name | A valid user name for authentication to the external product. A value in this field is mandatory.
Password | A valid password for authentication to the external product. A value in this field is mandatory.
Enable receipt of host postures | When checked, allows the host posture information to be passed from the external product to the sensor.
Allow unreachable hosts' postures | When checked, allows the host posture information from unreachable hosts to be passed from the external product to the sensor.
Add button | Opens the Add Posture Acl dialog box.
Edit button | Opens the Modify Access List dialog box.
Delete button | Deletes the selected allowed host.
Manual Watch List RR increase | Identifies the risk rating for the manual watch list. The default is 25, and the valid range is 0 to 35.
Session-based Watch List RR Increase | Identifies the risk rating for the session-based watch list. The default is 25, and the valid range is 0 to 35.
Packet-based Watch List RR Increase | Identifies the risk rating for the packet-based watch list. The default is 10, and the valid range is 0 to 35.
Posture Acl Dialog Box
Host Posture ACLs indicate how host postures received from Management Center for Security Agents should be handled.
Navigation Path
(Device view) Select Platform > Device Admin > Server Access > External Product Interface from the Policy selector. The Management Center for Cisco Security Agents tab is active by default. Click the Add button to open the Add External Product Interface dialog box. Click the Add button or the Edit button to open the Posture Acl dialog box.
Field Reference
Table N-57 Posture Acl Dialog Box
Element | Description
Network Address | Network address of the posture ACL.
Select. . . button | Opens the Available Networks/Hosts dialog box.
Action | Action (deny or permit) the posture ACL will take.
NTP Page
Use the NTP page to identify a Network Time Protocol (NTP) server to use with a sensor. NTP server time can be used with a sensor that you manage with Security Manager.
Navigation Path
(Device view) Select Platform > Device Admin > Server Access > NTP from the Policy selector. The Network Time Protocol page appears.
Field Reference
Table N-58 NTP Page
Element | Description
NTP Server IP Address | The IP address of the NTP server.
Select. . . button | Opens the Available Networks/Hosts dialog box.
Key | The key value of the NTP server. The key is an MD5 type of key (either numeric or character); it is the key that was used to set up the NTP server.
Key ID | The key ID value of the NTP server.
Logging Page
Use the Logging page to configure traffic flow notifications and Analysis Engine global variables.
Navigation Path
(Device view) Select Platform > Logging from the Policy selector.
Interface Notifications Tab
Use the Interface Notifications tab to configure traffic flow notifications.
Navigation Path
(Device view) Select Platform > Logging from the Policy selector. The Interface Notifications tab is active by default.
Field Reference
Table N-59 Logging > Interface Notifications Tab
Element | Description
Missed Packets Threshold | The percent of missed packets that has to occur before you want to receive notification. The default value is 0, and the valid range is 0 through 100.
Notification Interval | The length of time in seconds that you want to check for the percentage of missed packets. The default value is 30, and the valid range is 5 to 3600.
Interface Idle Threshold | The length of time in seconds that you will allow an interface to be idle and not receiving packets before you want to be notified. The default value is 30, and the valid range is 5 to 3600.
Analysis Engine Tab
Use the Analysis Engine tab to configure the Analysis Engine global variables.
Navigation Path
(Device view) Select Platform > Logging from the Policy selector. Click the Analysis Engine tab.
Field Reference
Table N-60 Logging > Analysis Engine Tab
Element | Description
Maximum Open IP Log Files | The maximum number of open IP log files that you want to have. The valid range is from 20 to 100. The default is 20.
Security Policies
The pages that you access from the Security folder in Device View help you configure blocking properties.
This topic describes the main page available from the Security folder:
• Blocking Page
Blocking Page
Use the Blocking page to configure sensor blocking properties. You can configure sensors to block attacks; you also can manage other devices to block attacks.
The following tabs are available on the Blocking page:
• Blocking Page > General Tab
• Blocking Page > User Profiles Tab
• Blocking Page > Master Blocking Sensors Tab
• Blocking Page > Router Tab
• Blocking Page > Firewall Tab
• Blocking Page > Catalyst 6K Tab
• Blocking Page > Never Block Hosts and Networks Tab
Navigation Path
(Device view) Select Platform > Security > Blocking from the Policy selector.
Related Topic
• Configuring Blocking, page 17-11.
Blocking Page > General Tab
Use the General tab of the Blocking Properties page to configure the basic settings required to enable blocking and rate limiting.
Navigation Path
(Device view) Select Platform > Security > Blocking from the Policy selector. Click the General tab.
Related Topic
• Configuring Blocking, page 17-11.
Field Reference
Table N-61 General Tab
Element | Description
Log All Block Events and Errors | When selected, configures the sensor to log events that follow blocks from start to finish and any error messages that occur. When a block is added to or removed from a device, an event is logged. You may not want all these events and errors to be logged. Disabling this option suppresses new events and errors. The default is enabled. Note: Log all block events and errors also applies to rate limiting.
Enable NVRAM Write | When selected, configures the sensor to have the router write to non-volatile RAM (NVRAM) when Attack Response Control (ARC) first connects. If enabled, NVRAM is written each time the ACLs are updated. The default is disabled. Enabling NVRAM writing ensures that all changes for blocking and rate limiting are written to NVRAM. If the router is rebooted, the correct blocks and rate limits will still be active. If NVRAM writing is disabled, a short time without blocking or rate limiting occurs after a router reboot. Not enabling NVRAM writing increases the life of the NVRAM and decreases the time for new blocks and rate limits to be configured.
Enable ACL Logging | When selected, causes ARC to append the log parameter to block entries in the access control list (ACL) or VLAN ACL (VACL). This causes the device to generate syslog events when packets are filtered. This option only applies to routers and switches. The default is disabled.
Allow Sensor IP address to be Blocked | When selected, specifies that the sensor IP address can be blocked. The default is disabled.
Enable Blocking | When selected, enables blocking of hosts. The default is enabled. Note: When you enable blocking, you also enable rate limiting. When you disable blocking, you also disable rate limiting. This means that ARC cannot add new or remove existing blocks or rate limits. Note: Even if you do not enable blocking, you can configure all other blocking settings.
Max Blocks | The maximum number of entries to block. The valid range is 1 to 65535. The default is 250.
Max Interfaces | Configures the maximum number of interfaces for performing blocks. For example, a PIX 500 series security appliance counts as one interface. A router with one interface counts as one, but a router with two interfaces counts as two. The maximum number of interfaces is 250 per device. The default is 250. Note: You use Max Interfaces to set an upper limit on the number of devices and interfaces that ARC can manage. The total number of blocking devices (not including master blocking sensors) cannot exceed this value. The total number of blocking items also cannot exceed this value, where a blocking item is one security appliance context, one router blocking interface/direction, or one Catalyst Software switch blocking VLAN. In addition, the following maximum limits are fixed and you cannot change them: 100 interfaces per device, 250 security appliances, 250 routers, 250 Catalyst Software switches, and 100 master blocking sensors.
Max Ratelimits | Maximum number of rate limit entries. The maximum number of rate limit entries should be equal to or less than the maximum number of blocking entries. If you configure more rate limit entries than block entries, you receive an error. The valid range is 1 to 32767. The default value is 250.
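An added example (not Security Manager or sensor code) that checks a proposed General tab setting against the constraints in the table above: the value ranges, the rule that Max Ratelimits may not exceed Max Blocks, and the Max Interfaces accounting in which each security appliance context, router interface/direction, or switch blocking VLAN is one blocking item and master blocking sensors are not counted. The BlockingDevice model, the device kinds, and the assumption that the fixed 100-interfaces-per-device limit applies to routers are the example's own.

```python
from dataclasses import dataclass

# Limits stated in the General tab field reference.
MAX_BLOCKS_RANGE = (1, 65535)       # Max Blocks, default 250
MAX_RATELIMITS_RANGE = (1, 32767)   # Max Ratelimits, default 250
MAX_INTERFACES_LIMIT = 250          # Max Interfaces, at most 250 per device
FIXED_INTERFACES_PER_DEVICE = 100   # fixed limit; assumed here to apply to routers
FIXED_DEVICE_LIMITS = {             # fixed per-kind limits you cannot change
    "firewall": 250,                # security appliances
    "router": 250,
    "switch": 250,                  # Catalyst Software switches
    "master_blocking_sensor": 100,
}


@dataclass
class BlockingDevice:   # assumed model of one device managed by ARC
    kind: str           # "firewall", "router", "switch" or "master_blocking_sensor"
    items: int = 1      # firewall contexts, router interface/direction entries,
                        # or switch blocking VLANs (unused for a master blocking sensor)


def count_blocking_items(devices):
    """Count blocking items as the Max Interfaces note defines them; master
    blocking sensors are not counted."""
    return sum(d.items for d in devices if d.kind != "master_blocking_sensor")


def validate_general_tab(max_blocks, max_ratelimits, max_interfaces, devices):
    """Return the problems with a General tab setting for the given devices;
    an empty list means the setting is within every limit the page states."""
    problems = []
    if not MAX_BLOCKS_RANGE[0] <= max_blocks <= MAX_BLOCKS_RANGE[1]:
        problems.append(f"Max Blocks {max_blocks} outside {MAX_BLOCKS_RANGE}")
    if not MAX_RATELIMITS_RANGE[0] <= max_ratelimits <= MAX_RATELIMITS_RANGE[1]:
        problems.append(f"Max Ratelimits {max_ratelimits} outside {MAX_RATELIMITS_RANGE}")
    if max_ratelimits > max_blocks:
        problems.append("Max Ratelimits exceeds Max Blocks; the sensor rejects this")
    if not 1 <= max_interfaces <= MAX_INTERFACES_LIMIT:
        problems.append(f"Max Interfaces {max_interfaces} outside 1-{MAX_INTERFACES_LIMIT}")

    # Both the device count (excluding master blocking sensors) and the
    # blocking-item count are capped by Max Interfaces.
    blocking = [d for d in devices if d.kind != "master_blocking_sensor"]
    if len(blocking) > max_interfaces:
        problems.append(f"{len(blocking)} blocking devices exceed Max Interfaces {max_interfaces}")
    items = count_blocking_items(devices)
    if items > max_interfaces:
        problems.append(f"{items} blocking items exceed Max Interfaces {max_interfaces}")

    # Fixed limits that no setting can raise.
    for kind, limit in FIXED_DEVICE_LIMITS.items():
        n = sum(1 for d in devices if d.kind == kind)
        if n > limit:
            problems.append(f"{n} devices of kind {kind} exceed fixed limit {limit}")
    for d in devices:
        if d.kind == "router" and d.items > FIXED_INTERFACES_PER_DEVICE:
            problems.append(f"router with {d.items} interfaces exceeds fixed limit "
                            f"{FIXED_INTERFACES_PER_DEVICE}")
    return problems


# Constructed sample inventory (not from a real deployment).
SAMPLE_DEVICES = [
    BlockingDevice("firewall", items=3),      # security appliance with three contexts
    BlockingDevice("router", items=2),        # one interface, both directions
    BlockingDevice("switch", items=4),        # four blocking VLANs
    BlockingDevice("master_blocking_sensor"),
]

if __name__ == "__main__":
    print(count_blocking_items(SAMPLE_DEVICES))                   # 9
    print(validate_general_tab(250, 250, 8, SAMPLE_DEVICES))      # items exceed Max Interfaces
```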
Blocking Page > User Profiles Tab
Use the User Profiles tab of the Blocking page to define connection credential information to the blocking devices. After you populate this table, you can choose one of the profiles from it when you define blocking devices.
Navigation Path
(Device view) Select Platform > Security > Blocking from the Policy selector. Click the User Profiles tab.
Related Topic
• Configuring Blocking, page 17-11.
Field Reference
Table N-62 User Profiles Tab
Element | Description
Profile Name | Name of the profile.
Enable Password | (Optional) Enable password used on the blocking device. The enable password is found only in the Add User Profile dialog box. Note: If a password exists, it is displayed with a fixed number of asterisks.
Password | (Optional) Login password used to log in to the blocking device. Found only in the Add User Profile dialog box. Note: If a password exists, it is displayed with a fixed number of asterisks.
Username | (Optional) Username used to log in to the blocking device.
Add button | Opens the Add User Profile dialog box.
Edit button | Opens the Modify User Profile dialog box.
Delete button | Removes the selected user profile from the table.
User Profile Dialog Box
Use the User Profile Dialog Box to add or modify a user profile that you can use when you define blocking devices.
Navigation Path
(Device view) Select Platform > Security > Blocking from the Policy selector. Click the User Profiles tab. Select a row. Click the Add button or the Modify button.
Field Reference
Table N-63 User Profile Dialog Box
Element | Description
Profile Name | Name of the profile.
Enable Password | (Optional) Enable password used on the blocking device. The enable password is found only in the Add User Profile dialog box. Note: If a password exists, it is displayed with a fixed number of asterisks.
Password | (Optional) Login password used to log in to the blocking device. Found only in the Add User Profile dialog box. Note: If a password exists, it is displayed with a fixed number of asterisks.
Username | (Optional) Username used to log in to the blocking device.
Blocking Page > Master Blocking Sensors Tab
Use the Master Blocking Sensors tab of the Blocking Properties page to configure a master blocking sensor. The master blocking sensor must have one blocking device assigned.
Navigation Path
(Device view) Select Platform > Security > Blocking from the Policy selector. Click the Master Blocking Sensors tab.
Related Topic
• Configuring Blocking, page 17-11.
Field Reference
Table N-64 Master Blocking Sensors Tab
Element | Description
IP Address | IP address of the master blocking sensor. You receive a warning if the IP address already exists. Security Manager allows you to specify the IP address in either of two ways: by entering it manually or by choosing an existing sensor that is known to Security Manager.
Username | Username used to log in to the blocking device.
Password | The login password used to log in to the master blocking sensor.
Port | (Optional) Port on which to connect on the master blocking sensor. The default is 443.
TLS | Whether or not to use transport layer security (TLS).
Username | (Optional) Username used to log in to the blocking device.
Add button | Opens the Add Master Blocking Sensor dialog box.
Edit button | Opens the Modify Master Blocking Sensor dialog box.
Delete button | Removes the selected Master Blocking Sensor from the table.
Master Blocking Sensor Dialog Box
Use the Master Blocking Sensor dialog box to add a master blocking sensor or to modify the properties of a master blocking sensor that you added previously.
Navigation Path
(Device view) Select Platform > Security > Blocking from the Policy selector. Click the Master Blocking Sensors tab. Click the Add button to add a master blocking sensor. Select a row and click the Modify button to modify a master blocking sensor.
Related Topic
• Blocking Page > Master Blocking Sensors Tab
Field Reference
Table N-65 Master Blocking Sensor Dialog Box
Element | Description
IP Address | The IP address of the master blocking sensor. You receive a warning if the IP address already exists. Security Manager allows you to specify the IP address in either of two ways: by entering it manually or by choosing an existing sensor that is known to Security Manager.
Password | The login password used to log in to the master blocking sensor.
Port | (Optional) The port on which to connect on the master blocking sensor. The default is 443.
TLS | Specifies whether or not to use TLS.
Blocking Page > Router Tab
Use the Router Tab to configure an IOS router to be used as a blocking device.
Navigation Path
(Device view) Select Platform > Security > Blocking from the Policy selector. Click the Router tab.
Related Topic
• Configuring Blocking, page 17-11.
Field Reference
Table N-66 Router Tab
Element | Description
IP Address | The IP address of the router. You receive a warning if the IP address already exists. Security Manager allows you to specify the IP address in either of two ways: by entering it manually or by choosing an existing router that is known to Security Manager.
Communication Type | SSH DES, SSH 3DES, or Telnet.
NAT Address | The network address translation (NAT) address, if any, to the router.
Profile Name | The name of the profile as specified in the Add User Profile dialog box or the Modify User Profile dialog box.
Response Capabilities | Indicates whether the device uses blocking or rate limiting or both.
Add button | Opens the Add Router Device dialog box.
Edit button | Opens the Modify Router Device dialog box.
Delete button | Removes the selected Router Device from the table.
Router Device Dialog Box
The Router Device dialog box appears in two forms, the Add Router Device dialog box and the Modify Router Device dialog box. Use the Router Device dialog box to add an IOS router to be used as a blocking device or to modify the properties of an IOS router previously added to be used as a blocking device.
Navigation Path
(Device view) Select Platform > Security > Blocking from the Policy selector. Click the Router tab. Click the Add button or the Modify button.
Field Reference
Table N-67 Router Tab > Router Device Dialog Box
Element | Description
IP Address | The IP address of the router. You receive a warning if the IP address already exists. Security Manager allows you to specify the IP address in either of two ways: by entering it manually or by choosing an existing router that is known to Security Manager.
Select. . . Button | Opens the Networks/Hosts Selector dialog box.
Communication Type | SSH DES, SSH 3DES, or Telnet.
NAT Address | The NAT address, if any, to the router.
Select. . . Button | Opens the Networks/Hosts Selector dialog box.
Profile Name | The name of the profile as specified in the Add User Profile dialog box or the Modify User Profile dialog box.
Interfaces and directions where blocks will be applied | Lists block interfaces on the router in tabular format: Interface Name, Direction, Pre-ACL Name, and Post-ACL Name.
Response Capabilities | Indicates whether the device uses blocking or rate limiting or both.
Add button | Opens the Add Router Block Interface dialog box.
Edit button | Opens the Modify Router Block Interface dialog box.
Delete button | Removes the selected router block interface from the table.
Router Block Interface Dialog Box
Use the Router Block Interface dialog box to add a block interface (the interface on the IOS router that the sensor uses for blocking) to an IOS router to be used as a blocking device. Also, use the Router Block Interface dialog box to modify a block interface that you previously added.
Navigation Path
(Device view) Select Platform > Security > Blocking from the Policy selector. Click the Router tab. Click the Add button or the Modify button. In the Add Router Device dialog box, click the Add button or the Modify button.
Field Reference
Table N-68 Router Block Interface Dialog Box
Element | Description
Interface Name | The name, assigned by the user, of the router interface used for blocking.
Direction | The direction of traffic across the router interface, in or out.
Pre Acl Name | The pre-ACL name assigned by the user.
Post Acl Name | The post-ACL name assigned by the user.
Blocking Page > Firewall Tab
Use the Firewall tab to configure a firewall to be used as a blocking device.
Navigation Path
(Device view) Select Platform > Security > Blocking from the Policy selector. Click the Firewall tab.
Related Topic
• Configuring Blocking, page 17-11.
Field Reference
Table N-69 Firewall Tab
Element | Description
IP Address | The IP address of the firewall. You receive a warning if the IP address already exists. Security Manager allows you to specify the IP address in either of two ways: by entering it manually or by choosing an existing firewall that is known to Security Manager.
Communication Type | SSH DES, SSH 3DES, or Telnet.
NAT Address | The NAT address, if any, to the firewall.
Profile Name | The name of the profile as specified in the Add User Profile dialog box or the Modify User Profile dialog box.
Add button | Opens the Add Firewall Device dialog box.
Edit button | Opens the Modify Firewall Device dialog box.
Delete button | Removes the selected firewall device from the table.
Firewall Device Dialog Box
The Firewall Device dialog box appears in two forms, Add and Modify. Use the Firewall Device dialog box to identify a firewall to be used as a blocking device and configure it. Also, use the Firewall Device dialog box to modify the configuration of a firewall previously identified as a blocking device.
Navigation Path
(Device view) Select Platform > Security > Blocking from the Policy selector. Click the Firewall tab. Click the Add button or the Modify button.
Field Reference
Table N-70 Firewall Tab > Firewall Device Dialog Box
Element
|
Description
|
IP Address
|
The IP address of the firewall. You receive a warning if the IP address already exists. Security Manager allows you to specify the IP address in either of two ways: by entering it manually or by choosing an existing firewall that is known to Security Manager.
|
Select. . . Button
|
Opens the Networks/Hosts Selector dialog box.
|
Communication Type
|
SSH DES, SSH 3DES, or Telnet.
|
NAT Address
|
The NAT address, if any, to the firewall.
|
Select. . . Button
|
Opens the Networks/Hosts Selector dialog box.
|
Profile Name
|
The name of the profile as specified in the Add User Profile dialog box or the Modify User Profile dialog box.
|
Blocking Page > Catalyst 6K Tab
Use the Catalyst 6K Tab to configure a Catalyst 6000 series switch to be used as a blocking device.
Navigation Path
(Device view) Select Platform > Security > Blocking from the Policy selector. Click the Catalyst 6K tab.
Related Topic
•
Configuring Blocking, page 17-11.
Field Reference
Table N-71 Catalyst 6K Tab
Element
|
Description
|
IP Address
|
The IP address of the switch. You receive a warning if the IP address already exists. Security Manager allows you to specify the IP address in either of two ways: by entering it manually or by choosing an existing switch that is known to Security Manager.
|
Communication Type
|
SSH DES, SSH 3DES, or Telnet.
|
NAT Address
|
The NAT address, if any, to the switch.
|
Profile Name
|
The name of the profile as specified in the Add User Profile dialog box or the Modify User Profile dialog box.
|
Add button
|
Opens the Add Cat6k Device dialog box.
|
Edit button
|
Opens the Modify Cat6k Device dialog box.
|
Delete button
|
Removes the selected Cat6k device from the table.
|
Cat6k Device Dialog Box
The Cat6k Device dialog box appears in two forms, Add and Modify. Use the Cat6k Device dialog box to identify a Catalyst 6000 series switch to be used as a blocking device and configure it. Also, use the Cat6k Device dialog box to modify the configuration of a Catalyst 6000 series switch previously identified as a blocking device.
Navigation Path
(Device view) Select Platform > Security > Blocking from the Policy selector. Click the Catalyst 6K tab. Click the Add button or the Modify button.
Field Reference
Table N-72 Catalyst 6K Tab > Cat6k Device Dialog Box
Element
|
Description
|
IP Address
|
The IP address of the switch. You receive a warning if the IP address already exists. Security Manager allows you to specify the IP address in either of two ways: by entering it manually or by choosing an existing switch that is known to Security Manager.
|
Select. . . button
|
Opens the Networks/Hosts Selector dialog box.
|
Communication Type
|
SSH DES, SSH 3DES, or Telnet.
|
NAT Address
|
The NAT address, if any, to the switch.
|
Select. . . button
|
Opens the Networks/Hosts Selector dialog box.
|
Profile Name
|
The name of the profile as specified in the Add User Profile dialog box or the Modify User Profile dialog box.
|
Vlans where blocks will be applied
|
Identifies the VLANs on the Catalyst 6000 Series switch where blocks will be applied.
|
Add button
|
Opens the Add Cat6k Block Vlan dialog box.
|
Edit button
|
Opens the Modify Cat6k Block Vlan dialog box.
|
Delete button
|
Removes the selected Cat6k Block Vlan from the table.
|
Cat6k Block Vlan Dialog Box
The Cat6k Block Vlan dialog box appears in two forms, Add and Modify. Use the Cat6k Block Vlan dialog box to identify the VLANs to be used with a Catalyst 6000 series switch to be used as a blocking device and configure them. Also, use the Cat6k Block Vlan dialog box to modify the configuration of VLANs previously identified for use with a Catalyst 6000 series switch to be used as a blocking device.
Navigation Path
(Device view) Select Platform > Security > Blocking from the Policy selector. Click the Catalyst 6K tab. Click the Add button or the Modify button. On the Add Cat6k Device dialog box, click the Add button or the Modify button.
Field Reference
Table N-73 Add Cat6k Block Vlan Dialog Box
Element
|
Description
|
Vlan
|
Identifies the VLANs on the Catalyst 6000 Series switch where blocks will be applied.
|
Pre VACL name
|
The pre-VACL name assigned by the user.
|
Post VACL name
|
The post-VACL name assigned by the user.
|
Blocking Page > Never Block Hosts and Networks Tab
Use the Never Block Hosts and Networks tab to identify hosts and networks that should never be blocked.
Navigation Path
(Device view) Select Platform > Security > Blocking from the Policy selector. Click the Never Block Hosts and Networks tab.
Related Topic
•
Configuring Blocking, page 17-11.
Field Reference
Table N-74 Never Block Hosts and Networks Tab
Element
|
Description
|
Never Block Hosts
|
The IP address of the trusted hosts that should never be blocked.
|
Add button
|
Opens the Add Never Block Host dialog box.
|
Edit button
|
Opens the Modify Never Block Host dialog box.
|
Delete button
|
Removes the selected Never Block Host from the table.
|
Never Block Networks
|
The network address of the trusted networks that should never be blocked.
|
Add button
|
Opens the Add Never Block Network dialog box.
|
Edit button
|
Opens the Modify Never Block Network dialog box.
|
Delete button
|
Removes the selected Never Block Network from the table.
|
Never Block Host Dialog Box
Use the Never Block Host dialog box to add a trusted host to the list of those that should never be blocked. Also, use the Never Block Host dialog box to modify the list of hosts that should never be blocked.
Navigation Path
(Device view) Select Platform > Security > Blocking from the Policy selector. Click the Never Block Hosts and Networks tab. In the Never Block Hosts area, click the Add button or the Modify button.
Field Reference
Table N-75 Add Never Block Hosts Dialog Box
Element
|
Description
|
IP Address
|
The IP address of the trusted host that should never be blocked.
|
Select. . . button
|
Opens the Networks/Hosts Selector dialog box.
|
Never Block Networks Dialog Box
Use the Never Block Networks dialog box to add a trusted network to the list of those that should never be blocked. Also, use the Never Block Networks dialog box to modify the list of networks that should never be blocked.
Navigation Path
(Device view) Select Platform > Security > Blocking from the Policy selector. Click the Never Block Hosts and Networks tab. In the Never Block Networks area, click the Add button or the Modify button.
Field Reference
Table N-76 Add Never Block Networks Dialog Box
Element
|
Description
|
IP Address
|
The IP address of the trusted network that should never be blocked.
|
Select. . . button
|
Opens the Networks/Hosts Selector dialog box.
|
IPS Updates Page
Use the IPS Updates page to perform some of the tasks associated with keeping your sensors up to date with regard to signatures, patches, service packs, and other updates. For more information, refer to IPS Updates Page, page A-19.
Virtual Sensors Page
Use the Virtual Sensors page to create and name virtual sensors on your Cisco IPS devices. The process of creating and naming virtual sensors on your Cisco IPS devices is sometimes called "virtualization." The Virtual Sensors policy cannot be inherited or shared.
Note
A Cisco IPS sensor monitors traffic that traverses (1) interfaces, (2) interface pairs, or (3) VLAN pairs assigned to a virtual sensor.
To create a virtual sensor, you need to assign signature policies, event action policies, and anomaly detection policies. To complete the virtualization process, you need to apply these policies to the virtual sensor.
You can assign one or more of the following types of interfaces to a virtual sensor:
•
Promiscuous Interface
•
Inline Interface Pair
•
Inline VLAN Pair
•
Promiscuous VLAN Group
•
Inline VLAN Group
A Promiscuous VLAN Group is a VLAN group assigned to a subinterface on an interface. The interface cannot already be used for an inline interface pair or VLAN pair. There can be many promiscuous VLAN groups on the same promiscuous interface, but the VLANs assigned to them cannot overlap. Once a VLAN group is assigned to a promiscuous interface, that interface is no longer a plain promiscuous interface and can only be used for promiscuous VLAN groups.
An Inline VLAN Group is a VLAN group assigned to a subinterface of an existing inline interface pair. There can be many inline VLAN groups on the same inline interface pair, but the VLANs assigned to them cannot overlap. Once a VLAN group is assigned to an inline interface pair, that pair is no longer a plain inline interface pair and can only be used for inline VLAN groups.
VLAN groups cannot be assigned to Inline VLAN Pairs.
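The assignment rules above are easy to get wrong when several VLAN groups share one parent interface or pair. The following checker is an added example, not Cisco Security Manager code; it encodes the rules as the text states them, and the interface and pair names used in it are made up.

```python
"""Validate a proposed set of virtual sensor assignments against the VLAN
group rules described above. Constructed example; names are hypothetical."""
from dataclasses import dataclass, field
from itertools import combinations


@dataclass
class Assignment:
    # kind is one of: "promiscuous", "inline_pair", "inline_vlan_pair",
    # "promiscuous_vlan_group", "inline_vlan_group"
    kind: str
    target: str                                      # interface or inline pair name
    vlans: frozenset = field(default_factory=frozenset)  # used by VLAN groups only


def check_assignments(assignments, inline_pairs):
    """Return a list of rule violations; an empty list means the set is valid.

    inline_pairs maps each inline interface pair name to its two member interfaces.
    """
    errors = []
    pair_member = {ifc: name for name, members in inline_pairs.items() for ifc in members}
    by_kind = {}
    for a in assignments:
        by_kind.setdefault(a.kind, []).append(a)
    plain_prom = {a.target for a in by_kind.get("promiscuous", [])}
    plain_pairs = {a.target for a in by_kind.get("inline_pair", [])}
    vlan_pair_ifcs = {a.target for a in by_kind.get("inline_vlan_pair", [])}
    prom_groups = by_kind.get("promiscuous_vlan_group", [])
    inline_groups = by_kind.get("inline_vlan_group", [])

    # A promiscuous VLAN group's parent must not already be part of an inline
    # interface pair or an inline VLAN pair, and once it carries VLAN groups it
    # can no longer be assigned as a plain promiscuous interface.
    for ifc in {g.target for g in prom_groups}:
        if ifc in pair_member or ifc in vlan_pair_ifcs:
            errors.append(f"{ifc}: already used for an inline interface pair or VLAN pair")
        if ifc in plain_prom:
            errors.append(f"{ifc}: carries VLAN groups, so it is no longer a plain promiscuous interface")

    # An inline VLAN group's parent must be an existing inline interface pair
    # (never an inline VLAN pair), and that pair can no longer be a plain pair.
    for pair in {g.target for g in inline_groups}:
        if pair not in inline_pairs:
            errors.append(f"{pair}: inline VLAN groups need an existing inline interface pair")
        if pair in plain_pairs:
            errors.append(f"{pair}: carries VLAN groups, so it is no longer a plain inline interface pair")

    # VLAN groups sharing the same parent must not overlap.
    for a, b in combinations(prom_groups + inline_groups, 2):
        shared = a.vlans & b.vlans if a.target == b.target else frozenset()
        if shared:
            errors.append(f"{a.target}: VLAN groups overlap on VLAN(s) {sorted(shared)}")
    return errors


if __name__ == "__main__":
    pairs = {"pair0": ("GigabitEthernet0/2", "GigabitEthernet0/3")}  # constructed
    proposal = [
        Assignment("promiscuous_vlan_group", "GigabitEthernet0/1", frozenset({10, 20})),
        Assignment("promiscuous_vlan_group", "GigabitEthernet0/1", frozenset({20, 40})),
        Assignment("inline_vlan_group", "pair0", frozenset({100})),
    ]
    for problem in check_assignments(proposal, pairs):
        print("violation:", problem)
```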
Navigation Path
(Device view) Select IPS > Virtual Sensors from the Policy selector.
Related Topics
•
Signature Policies
•
Event Action Policies
•
Anomaly Detection Page
Field Reference
Table N-77 Virtual Sensors Table
Element
|
Description
|
Name
|
The name of the virtual sensor. The default virtual sensor is "vs0."
|
Assignment
|
The interfaces or interface pairs that belong to this virtual sensor.
|
Anomaly Detection Mode
|
The mode (detect, inactive, learn) that anomaly detection is operating in.
|
Inline TCP Session Tracking Mode
|
Interface and VLAN, VLAN only, or Virtual Sensor.
|
Description
|
The description of the virtual sensor.
|
Add button
|
Opens the Add Virtual Sensor dialog box.
|
Edit button
|
Opens the Edit Virtual Sensor dialog box. If more than one row is selected, the Edit row option is disabled.
|
Delete button
|
Removes the selected virtual sensor(s) from the table.
|
Add Virtual Sensor Dialog Box
Use the Add Virtual Sensor dialog box to add a virtual sensor.
Navigation Path
(Device view) Select IPS > Virtual Sensors from the Policy selector. Click the Add button.
Related Topics
•
Virtual Sensors Page
Field Reference
Table N-78 Add Virtual Sensor Dialog Box
Element
|
Description
|
Virtual Sensor Name
|
The name of the virtual sensor. The default virtual sensor is "vs0." The virtual sensor name must contain fewer than 64 characters and must not use spaces.
|
Assignments
|
The interfaces or interface pairs that belong to this virtual sensor.
|
Anomaly Detect
|
The mode (detect, inactive, learn) that anomaly detection is operating in.
|
Inline TCP Session
|
Interface and VLAN, VLAN only, or Virtual Sensor.
|
Description
|
The description of the virtual sensor.
|
Edit Virtual Sensor Dialog Box
Use the Edit Virtual Sensor dialog box to modify the policies assigned to a virtual sensor.
Navigation Path
(Device view) Select IPS > Virtual Sensors from the Policy selector. Select a row. Click the Edit button.
Related Topics
•
Virtual Sensors Page
Field Reference
Table N-79 Edit Virtual Sensor Dialog Box
Element
|
Description
|
Virtual Sensor Name
|
The name of the virtual sensor. The default virtual sensor is "vs0." You cannot edit the virtual sensor name.
Tip  If you find that the name of a virtual sensor is unacceptable, you can delete that virtual sensor and add a new virtual sensor with a name that is acceptable.
The maximum number of characters allowed in the name of the virtual sensor is 64, and blank spaces are not allowed.
|
Assignments
|
The interfaces or interface pairs that belong to this virtual sensor.
|
Anomaly Detect
|
The mode (detect, inactive, learn) that anomaly detection is operating in.
|
Inline TCP Session
|
Interface and VLAN, VLAN only, or Virtual Sensor.
|
Description
|
The description of the virtual sensor.
|
General Settings Page
The General Settings page applies to IOS IPS devices. Use the General Settings page to specify the global settings used for IPS properties defined for a particular router.
Navigation Path
(Device view) Select IPS > General Settings from the Policy selector.
Related Topics
•
Interface Rules Page
Field Reference
Table N-80 General Settings Page
Element
|
Description
|
Block Traffic when IPS engine is unavailable check box
|
If selected, this option specifies that all traffic should be denied if the IPS engine is unavailable. Otherwise, traffic is allowed to pass in accordance with the other rules in place on the router.
|
Apply Deny Action On
|
This option is applicable if signature actions are configured to "denyAttackerInline" or "denyFlowInline." By default, Cisco IPS applies ACLs to the interfaces from which attack traffic came, and not to Cisco IPS interfaces. Enabling this option causes Cisco IPS to apply the ACLs directly to the Cisco IPS interfaces, and not to the interfaces that originally received the attack traffic. If the router is not performing load balancing, do not enable this setting. If the router is performing load balancing, we recommend that you enable this setting.
Select one of the following values:
• Ingress Interface. Specifies that the deny action should be enforced by the interface attached to the network from which the traffic originated.
• IPS enabled interface. Specifies that the deny action should be enforced by the interface on which the triggered IPS rule is applied.
|
SDEE Properties
|
Maximum Subscriptions
|
Identifies the maximum number of concurrent SDEE subscriptions allowed, in the range of 1-3. An SDEE subscription is a live feed of SDEE events.
The default value is 1.
|
Maximum Alerts
|
Identifies the maximum number of SDEE alerts that you want the router to store, in the range of 10-2000. Storing more alerts uses more router memory.
The default value is 200.
|
Maximum Messages
|
Identifies the maximum number of SDEE messages that you want the router to store, in the range of 10-500. Storing more messages uses more router memory.
The default value is 200.
|
IPS Config Location Properties
|
IPS Config Location
|
Identifies the location the router will save IOS IPS specific configuration files to. These configuration files are automatically updated every time IOS IPS configuration is changed or updated from Security Manager. When the router reboots, the IOS IPS configuration is retrieved and restored from these configuration files.
To specify a location on the router, enter the directory in which you want to store the configuration information.
Note If the router has a LEFS-based file system, you will be unable to create a directory in router memory. In this case, flash: is used as the config location.
To specify a location on a remote system, specify the protocol and path of the URL needed to reach the location. For example, if you want to save the config files to an HTTP server, then enter http://172.27.108.5/ips-cfg.
The supported protocols for saving the IOS IPS configuration files to a remote system are http://, https://, ftp://, rcp://, scp://, and tftp://.
|
Max retries
|
If a configuration location is specified in the IPS Config Location field, specify how many times the router is to attempt to contact the remote system.
The default value is 1.
|
Timeout seconds between retries
|
If a configuration location is specified in the IPS Config Location field, specify how long the router is to wait before attempting to contact the configuration location again.
The default value is 0.
|
Interface Rules Page
Cisco IPS rules specify the interface or interfaces, and the direction of traffic relative to those interfaces, that Cisco IPS is to examine. Additionally, an interface rule can define a subset of the IP traffic to be examined by assigning an ACL that selects or filters IP traffic.
The Interface Rules page summarizes the rules currently applied, and it allows you to add rules that define which traffic flows through the router should be inspected using the defined signature policy.
Navigation Path
(Device view) Select IPS > Interface Rules from the Policy selector.
Related Topics
•
General Settings Page
•
Add IPS Rule Dialog Box
•
Adding Pair Dialog Box
Field Reference
Table N-81 Interface Rules Page
Element
|
Description
|
Enable IPS check box
|
When selected, enables the deployment of IOS IPS configuration to the device. If Enable IPS is unchecked, IPS rules are removed from all the router interfaces, which disables IPS. Also, no signature or event action policy will be deployed.
|
No.
|
Identifies the rule number. The ordering has no effect on traffic monitoring.
|
Rule Name
|
Identifies the IPS rule name.
|
ACL Name
|
Identifies the ACL, and thereby the traffic flow, to be inspected using the signature policy.
|
Interface (Direction)
|
Identifies the interfaces and directions to which the IPS rule applies.
|
Add button
|
Opens the Add IPS Rule dialog box.
|
Edit button
|
Opens the Edit IPS Rule dialog box. If more than one row is selected, the Edit row option is disabled.
|
Delete button
|
Removes the selected rule(s) from the table.
|
Add IPS Rule Dialog Box
Use the Add IPS Rule dialog box to specify the traffic flows to be inspected using the active signature policy.
Navigation Path
(Device view) Select IPS > Interface Rules from the Policy selector. Click the Add button.
Related Topics
•
Signatures Page
•
General Settings Page
•
Interface Rules Page
•
Adding Pair Dialog Box
Field Reference
Table N-82 Add IPS Rule Dialog Box
Element
|
Description
|
Rule Name
|
Identifies a unique name for this IPS rule. IPS rule names are not case sensitive. You cannot use a rule name that contains the same characters as a previously defined one but in a different case. For example, MYRULE and MyRule are the same name.
|
ACL Name
|
Specifies an ACL name. Click Select to either select a predefined ACL object or to create a new one. The ACL determines what traffic is monitored by the IPS rule according to the ACEs defined. Permit entries cause that particular traffic to be monitored by the IPS rule. Deny entries cause that particular traffic to be ignored by the IPS rule. When no ACL is defined, all traffic in the configured direction is monitored.
Tip  All ACLs have an implicit deny all as the last entry. Remember to always specify the traffic to be monitored as a permit entry when using ACLs.
|
Select button
|
Allows you to select from existing ACLs or define a new one. The selected value populates the ACL Name field.
|
Add button
|
Opens the Adding Pair dialog box.
|
Edit button
|
Opens the Editing Pair dialog box. If more than one row is selected, the Edit row option is disabled.
|
Delete button
|
Deletes the selected rule(s) from the table.
|
Adding Pair Dialog Box
Use the Adding Pair dialog box to identify the traffic flows, based on an interface and traffic direction pair, that the selected IPS rule inspects.
Navigation Path
(Device view) Select IPS > Interface Rules from the Policy selector. Click the Add button to open the Add IPS Rule dialog box. Then, click the Add button in the Add IPS Rule dialog box itself.
Related Topics
•
General Settings Page
•
Interface Rules Page
•
Add IPS Rule Dialog Box
Field Reference
Table N-83 Adding Pair Dialog Box
Element
|
Description
|
Direction
|
Identifies whether the rule is to be applied to inbound traffic or outbound traffic. If you select both, the rule applies to traffic flowing in both directions.
Select one of the following values:
• In. Specifies that this IPS rule should be applied to inbound traffic on the selected interface.
• Out. Specifies that this IPS rule should be applied to outbound traffic on the selected interface.
• Both. Specifies that this rule should be applied to both inbound and outbound traffic on the selected interface.
|
Interfaces
|
Identifies the interfaces on which to apply this Cisco IPS rule. Click Select to either select a predefined Interface or to create a new one.
|
Select button
|
Displays the list of interfaces defined for this router. You can select one or more of the interfaces to populate the Interfaces field.
|
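The ACL semantics from the Add IPS Rule dialog box (permit entries select traffic for inspection, deny entries exclude it, an implicit deny all closes every ACL, and no ACL means everything in the configured direction is monitored) combine with the In/Out/Both choice from the Adding Pair dialog box to decide which flows a rule inspects. The model below is an added example and not Cisco code; it assumes hypothetical rule, interface and address values, and shows the deny-only ACL pitfall the Tip warns about.

```python
"""Model which flows an IOS IPS interface rule inspects, following the ACL
and direction semantics described in the dialog boxes above.
Constructed example; rule names, interfaces and addresses are made up."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class ACE:
    action: str                 # "permit" (monitor) or "deny" (ignore)
    src: str                    # source network in CIDR form, 0.0.0.0/0 for any
    dst: str = "0.0.0.0/0"      # destination network in CIDR form

    def matches(self, src_ip, dst_ip):
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))


@dataclass
class IPSRule:
    name: str
    pairs: dict                 # interface name -> "in", "out" or "both"
    acl: list = None            # ordered list of ACE, or None when no ACL is assigned


def acl_selects(acl, src_ip, dst_ip):
    """First-match ACL evaluation, including the implicit deny-all last entry."""
    if acl is None:
        return True             # no ACL: all traffic in the configured direction is monitored
    for ace in acl:
        if ace.matches(src_ip, dst_ip):
            return ace.action == "permit"
    return False                # implicit deny: unmatched traffic is not monitored


def is_inspected(rule, interface, direction, src_ip, dst_ip):
    """True when a flow seen on (interface, direction) is examined by the rule."""
    configured = rule.pairs.get(interface)
    if configured is None or (configured != "both" and configured != direction):
        return False
    return acl_selects(rule.acl, src_ip, dst_ip)


def rule_name_clashes(existing_names, candidate):
    """Rule names are compared without regard to case: MYRULE and MyRule clash."""
    return candidate.lower() in {n.lower() for n in existing_names}


if __name__ == "__main__":
    # Deny one subnet, permit the rest of 10/8; everything else hits the implicit deny.
    rule = IPSRule("MyRule", {"GigabitEthernet0/0": "in"},
                   acl=[ACE("deny", "10.0.0.0/24"), ACE("permit", "10.0.0.0/8")])
    for src in ("10.1.2.3", "10.0.0.7", "172.16.0.1"):
        print(src, "inspected" if is_inspected(rule, "GigabitEthernet0/0", "in", src, "192.0.2.10") else "ignored")
    # Deny-only ACL: with the implicit deny, nothing is inspected at all.
    deny_only = IPSRule("DenyOnly", {"GigabitEthernet0/0": "both"}, acl=[ACE("deny", "10.0.0.0/24")])
    print("deny-only ACL inspects 192.0.2.1:",
          is_inspected(deny_only, "GigabitEthernet0/0", "in", "192.0.2.1", "192.0.2.2"))
```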