User Guide for Cisco Security Manager 3.2.2
IPS User Interface Reference

Table Of Contents

IPS User Interface Reference

Signature Policies

Signatures Page

Edit Signature Dialog Box

Row Shortcut Menu

Add Custom Signature Dialog Box

Update Level Dialog Box

Actions Shortcut Menu

Edit Actions Dialog Box

Edit Fidelity Dialog Box

Accessing the Cisco NSDB

Edit Signature Parameters Dialog Box

Engine Options

Edit Signature Parameter—Component List Dialog Box

Add Signature Parameter—List Entry Dialog Box

Edit Signature Parameter—List Entry Dialog Box

Obsoletes Dialog Box

Add an Entry Dialog Box

Settings Page

Anomaly Detection Page

Anomaly Detection Page > Operation Settings Tab

Anomaly Detection Page > Learning Accept Mode Tab

Times Of Day Dialog Box

Days Of Week Dialog Box

Anomaly Detection Page > Internal Zone, External Zone, and Illegal Zone Tabs

General Sub-Tab

TCP Protocol Sub-Tab

UDP Protocol Sub-Tab

Other Protocols Sub-Tab

Denied Attackers Page

Denied Attacker Dialog Box

Event Action Policies

Event Action Filters Page

Filter Item Dialog Box

Event Action Overrides Page

Event Action Override Dialog Box

Network Information Page

Target Value Ratings Tab

OS Identification Tab

Event Actions > Settings Page

Interfaces Page

Physical Interfaces Tab

Modify Physical Interface Map Dialog Box

Inline Pairs Tab

Interface Pair Dialog Box

VLAN Pairs Tab

VLAN Pair Dialog Box

VLAN Groups Tab

VLAN Group Map Dialog Box

Summary Tab

Platform Policies

Device Admin Policies

Device Access Policies

Password Requirements Page

Server Access Policies

Logging Page

Interface Notifications Tab

Analysis Engine Tab

Security Policies

Blocking Page

IPS Updates Page

Virtual Sensors Page

Add Virtual Sensor Dialog Box

Edit Virtual Sensor Dialog Box

General Settings Page

Interface Rules Page

Add IPS Rule Dialog Box

Adding Pair Dialog Box


IPS User Interface Reference


The following topics describe the pages available for configuring policies for IPS sensors (appliances, switch modules, and network modules) and IOS IPS devices (Cisco IOS routers with IPS-enabled images and Cisco Integrated Services Routers):

Signature Policies

Anomaly Detection Page

Denied Attackers Page

Event Action Policies

Interfaces Page

Platform Policies

Virtual Sensors Page

General Settings Page

Interface Rules Page

Signature Policies

The pages that you access from the Signatures folder from the Policies selector in Device View enable you to configure signatures and their settings.

These topics describe the main pages available from the Signatures folder:

Signatures Page

Settings Page

Signatures Page

Use the Signatures page to display the signature summary table, in which you can edit and delete IPS signatures. The primary function of this page is to tune the active signature set in a policy by enabling or disabling signatures. You can also use this page to unload signatures from the engine. In the signature summary table, you also can add a custom signature and access the Cisco NSDB.

Navigation Path

(Device view) Select IPS > Signatures > Signatures from the Policy selector.

(Policy view) Select Intrusion Prevention System > Signatures > Signatures from the Policy Type selector. Right-click Signatures to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

Edit Signature Dialog Box

Row Shortcut Menu

Actions Shortcut Menu

Edit Actions Dialog Box

Accessing the Cisco NSDB

Field Reference

Table M-1 Signature Summary Table 

Element
Description

ID

Signature ID. Identifies the unique numerical value assigned to this signature. This value lets the sensor identify a particular signature. Clicking on the link in the ID column triggers a browser window that opens to the entry in MySDN for that signature. This column is visible by default.

Sub

Subsignature ID. Identifies the unique numerical value assigned to this subsignature. A Subsignature ID is used to identify a more granular version of a broad signature. This column is visible by default.

Name

Identifies the name assigned to the signature. This column is visible by default.

Action

Identifies the actions the sensor takes when this signature fires.

Any changes made using Action will affect all of the rows selected. This column is visible by default.

Severity

Identifies the severity level that the signature reports: High, Informational, Low, Medium.

Any changes made using Severity will affect all of the rows selected. This column is visible by default.

Fidelity

Identifies the weight associated with how well this signature might perform in the absence of specific knowledge of the target.

Any changes made using Fidelity affect all of the rows selected. This column is visible by default.

Source

Displays the lowest policy in the inheritance hierarchy that overrides the settings for a signature. This column is visible by default.

Enabled

Identifies whether or not the signature is enabled in this policy. A signature must be enabled for the sensor to protect against the traffic specified by the signature.

Possible values are:

true. The signature is enabled in this policy.

false. The signature is disabled in this policy.

Base Risk Rating

Displays the base risk rating value of each signature.

Retired

Identifies whether or not the signature is retired. A retired signature is removed from the signature engine.

Obsolete

Identifies whether or not the signature is obsolete. An obsolete signature is removed from the signature engine. It cannot be re-activated. This column is visible by default and it is read only.

Engine

Identifies the engine that parses and inspects the traffic specified by this signature. This column is visible by default.

Add button

Opens the Add Custom Signature dialog box.

Edit button

Opens the Edit Signature dialog box. If more than one row is selected, the Edit row option is disabled.

Delete button

Removes the selected signature(s) from the table. The Delete button is enabled only when the set of selected rows contains only custom signatures.


Edit Signature Dialog Box

Use the Edit Signature dialog box if you want the source of the signature settings to be anything other than the default policy. The default policy cannot be edited, so if you want to change the signature settings, you will have to override them in the local policy for the device. You can do this by selecting Local from the Source Policy dropdown list. After you change the source policy to Local, the controls are enabled.

Navigation Path

(Device view) Select IPS > Signatures > Signatures from the Policy selector. Click the Edit button to open the Edit Signature dialog box.

Related Topics

Edit Actions Dialog Box

Edit Signature Parameters Dialog Box

Engine Options

Field Reference

Table M-2 Edit Signature Dialog Box 

Menu Command
Description

Source Policy

Values are Default or Local. For a newly added device, the source of the signature settings is the Default policy. Because this policy cannot be edited, if you want to change the values of these settings, you must override them in the local policy for the device; you do that by selecting Local.

Inheritance Mandatory

When selected, forces any policy that inherits from that policy to use the signature settings defined.

Enabled check box

Specifies that the signature is enabled.

Severity

Identifies the severity level that the signature will report: High, Informational, Low, Medium.

Fidelity Rating

Identifies the weight associated with how well this signature might perform in the absence of specific knowledge of the target.

Actions

Identifies the actions the sensor will take when this signature fires. For a complete list of actions, see the Edit Actions Dialog Box.

Base Risk Rating

Sets the base risk rating value of the signature. The base risk rating is calculated by multiplying the fidelity rating by the severity factor and dividing the product by 100 (Fidelity Rating x Severity Factor / 100).

Severity Factor has the following values:

Severity Factor = 100 if the signature's severity level is high

Severity Factor = 75 if signature's severity level is medium

Severity Factor = 50 if signature's severity level is low

Severity Factor = 25 if signature's severity level is informational

Engine

Identifies the engine that parses and inspects the traffic specified by this signature.

Retired

Identifies whether or not the signature is retired. A retired signature is removed from the signature engine. You can activate a retired signature to place it back in the signature engine. This column is visible by default.

Timesaver Use the Retired column to unload disabled signatures from your IOS IPS device and achieve the most favorable memory consumption on that device.

Obsolete

Identifies whether or not the signature is obsolete. An obsolete signature is removed from the signature engine. It cannot be re-activated.

Restore Defaults button

Reverts to default values as defined by Cisco.

Edit Parameters button

Opens the Edit Signature Parameters dialog box.


Row Shortcut Menu

In the Signature Summary table, you can access a shortcut menu that enables you to add and edit signatures. This shortcut menu is available for all columns except Actions, Severity, and Fidelity.

Navigation Path

(Device view) Select IPS > Signatures > Signatures from the Policy selector. Right-click a cell in a column other than Actions, Severity, or Fidelity.

Related Topics

Actions Shortcut Menu

Edit Actions Dialog Box

Accessing the Cisco NSDB

Field Reference

Table M-3 Row Shortcut Menu Options 

Menu Command
Description

Add button

Opens the Add Custom Signature dialog box.

Edit button

Opens the Edit Signature dialog box. If more than one row is selected, the Edit row option is disabled.

Delete button

Removes the selected signature(s) from the table. The Delete button is enabled only when the set of selected rows contains only custom signatures.

Clone

Opens the Add Custom Signature dialog box with the properties of the selected signature shown. This enables you to create a custom signature with the settings that the selected signature has.

Enable/Disable

Places the signature in the enabled or disabled state, respectively. Disabled signatures appear with crosshatching over them.

Show Events

Enables navigation to MARS to view the realtime or historical events detected by the selected signature.


Add Custom Signature Dialog Box

Use the Add Custom Signature dialog box to create a custom signature. In the Add Custom Signature dialog box, you enter a name and then select an existing engine from a dropdown list. The signature ID and subsignature ID will be assigned by Security Manager. After you finish selecting the remaining parameters, the new signature is added to the Signatures page in the appropriate numerical location, and it is selected.

Navigation Path

(Device view) Select IPS > Signatures > Signatures from the Policy selector. Click the Add button to open the Add Custom Signature dialog box.

Related Topics

Edit Signature Parameters Dialog Box

Engine Options

Field Reference

Table M-4 Add Custom Signatures Dialog Box 

Menu Command
Description

Name

Name of the signature.

Engine

Specifies the engine to use for this signature. See Engine Options.

Actions

Identifies the actions the sensor will take when this signature fires. For a complete list of actions, see the Edit Actions Dialog Box.

Enabled check box

Specifies that the signature is enabled.

Severity

Identifies the severity level that the signature will report: High, Informational, Low, Medium.

Fidelity Rating

Identifies the weight associated with how well this signature might perform in the absence of specific knowledge of the target.

Risk Rating

Sets the base risk rating value of the signature. The base risk rating is calculated by multiplying the fidelity rating by the severity factor and dividing the product by 100 (Fidelity Rating x Severity Factor / 100).

Severity Factor has the following values:

Severity Factor = 100 if the signature's severity level is high

Severity Factor = 75 if signature's severity level is medium

Severity Factor = 50 if signature's severity level is low

Severity Factor = 25 if signature's severity level is informational

Edit Parameters button

Opens the Edit Signature Parameters dialog box. See Edit Signature Parameters Dialog Box.
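The base risk rating formula and Severity Factor table above (the same formula appears in both the Edit Signature and Add Custom Signature dialog box tables) are easy to get wrong when tuning a large signature set by hand. The following is an added worked example, not Security Manager or sensor code: it applies Fidelity Rating x Severity Factor / 100 to a constructed set of signatures and ranks them. Truncating the result to an integer is an assumption made here; the signature IDs and ratings in the sample set are made up, chosen only to fall inside the ranges the page gives (signature ID 1000 to 65000, fidelity 0 to 100).

```python
"""Base risk rating as the page defines it: Fidelity Rating x Severity Factor / 100.

Added example (not Cisco Security Manager code). The Severity Factor table
comes from the page; the signature set below is constructed for illustration.
"""

# Severity Factor values as listed in the Edit Signature / Add Custom Signature tables.
SEVERITY_FACTOR = {
    "high": 100,
    "medium": 75,
    "low": 50,
    "informational": 25,
}


def severity_factor(severity: str) -> int:
    """Return the Severity Factor for a severity level (case-insensitive)."""
    try:
        return SEVERITY_FACTOR[severity.lower()]
    except KeyError:
        raise ValueError(f"unknown severity level: {severity!r}") from None


def base_risk_rating(fidelity_rating: int, severity: str) -> int:
    """Compute the base risk rating = Fidelity Rating x Severity Factor / 100.

    The Signature Fidelity Rating is an integer from 0 to 100 (100 = most
    confidence in the signature). Truncating the quotient to an integer is an
    assumption of this example, matching the integer ratings shown in the
    signature summary table.
    """
    if not 0 <= fidelity_rating <= 100:
        raise ValueError("fidelity rating must be between 0 and 100")
    return fidelity_rating * severity_factor(severity) // 100


def rank_signatures(signatures):
    """Return (sig_id, base risk rating) pairs sorted from highest to lowest rating.

    `signatures` is an iterable of (sig_id, fidelity_rating, severity) tuples.
    Ties are broken by signature ID so the order is deterministic.
    """
    rated = [(sig_id, base_risk_rating(fr, sev)) for sig_id, fr, sev in signatures]
    return sorted(rated, key=lambda pair: (-pair[1], pair[0]))


# Constructed sample tuning set: (signature ID, fidelity rating, severity).
# The IDs are made up; they merely sit inside the 1000 to 65000 range.
SAMPLE_SIGNATURES = [
    (60001, 85, "high"),
    (60002, 100, "medium"),
    (60003, 90, "low"),
    (60004, 100, "informational"),
]

if __name__ == "__main__":
    for sig_id, rating in rank_signatures(SAMPLE_SIGNATURES):
        print(f"signature {sig_id}: base risk rating {rating}")
```

Note that a Medium signature with full fidelity (100 x 75 / 100 = 75) outranks a High signature whose fidelity is below 75, which is why the fidelity rating matters as much as the severity level when deciding which signatures deserve the more aggressive actions.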


Update Level Dialog Box

Displays the delta between the update packages applied in Security Manager and those deployed on the IPS device.

Differences between the applied and deployed levels can occur when:

the device is updated outside of Security Manager

an update is applied to the policy in Security Manager but not yet published to the device

the devices are not yet under Security Manager control, during initial Security Manager deployment

Navigation Path

(Device view) Select IPS > Signatures > Signatures from the Policy selector. Click the View Update Level button to open the Update Level for... dialog box.

Field Reference

Table M-5 Update Level for Dialog Box 

Menu Command
Description

Applied Level

This column displays the patch level that is applied to this device in Security Manager.

Deployed Level

This column displays the patch level that is currently running on the selected device.

Major Update

Identifies the major update level.

Minor Update

Identifies the minor update level.

Service Pack

Identifies the service pack level.

Patch

Identifies the patch level.

Engine

Identifies the engine level.

Signature Update

Identifies the signature update level.

Note This field is the only field on this page that applies to the IOS IPS devices; all of the other fields are exclusive to IPS devices.


Actions Shortcut Menu

In the Signature Summary table, you can access a shortcut menu that enables you to add and remove actions. This shortcut menu is available only for the Actions column.

Navigation Path

(Device view) Select IPS > Signatures > Signatures from the Policy selector. Right-click a cell in the Actions column.

Related Topics

Row Shortcut Menu

Edit Actions Dialog Box

Accessing the Cisco NSDB

Field Reference

Table M-6 Actions Shortcut Menu Options 

Menu Command
Description

Add to Actions

Adds an action to the current list of actions for the selected signature.

Delete from Actions

Deletes an action from the current list of actions for the selected signature.

Replace Actions With

Replace the current set of actions for the selected signature with the single action selected.

Edit Actions

Opens the Edit Actions dialog box.


Edit Actions Dialog Box

Use the Edit Actions dialog box to select an action that is not on the Add to Actions or Replace Actions with menus, or if you want to select more than one action.


Note When you open the Edit Actions dialog box, the list of actions that you see varies. The list of actions depends upon whether you (1) right-click in only one signature row in the Actions column or (2) select more than one signature row before right-clicking in the Actions column. If you right-click in only one signature row in the Actions column, the list of actions is that of the engine for that signature. If you select more than one signature row before right-clicking in the Actions column, the list of actions is that which is available for each affected engine. (It is the list of common actions, not the union of actions.)


Navigation Path

(Device view) Select IPS > Signatures > Signatures from the Policy selector. Right-click a cell in the Actions column. Select Edit Actions from the shortcut menu.

Related Topics

Row Shortcut Menu

Actions Shortcut Menu

Accessing the Cisco NSDB

Field Reference

Table M-7 Edit Actions Dialog Box 

Menu Command
Description

Deny Attacker Inline

Terminates the current packet and future packets from this attacker address for a specified period of time.

Deny Attacker/Service Pair Inline

Does not transmit this packet and future packets on the attacker address/victim port pair for a specified period of time.

Deny Attacker/Victim Pair Inline

Does not transmit this packet and future packets on the attacker/victim address pair for a specified period of time.

Deny Connection Inline

Terminates the current packet and future packets on this TCP flow.

Deny Packet Inline

Terminates the packet.

Log Attacker Packets

Starts IP logging on packets that contain the attacker address and sends an alert. This action causes an alert to be written to the Event Store, even if Produce Alert is not selected.

Log Pair Packets

Starts IP Logging on packets that contain the attacker/victim address pair. This action causes an alert to be written to the Event Store, even if Produce Alert is not selected.

Log Victim Packets

Starts IP Logging on packets that contain the victim address and sends an alert. This action causes an alert to be written to the Event Store, even if Produce Alert is not selected.

Modify Packet Inline

Modifies packet data to remove ambiguity about what the endpoint might do with the packet.

Produce Alert

Writes the event to the Event Store as an alert.

Produce Verbose Alert

Includes an encoded dump of the offending packet in the alert. This action causes an alert to be written to the Event Store, even if Produce Alert is not selected.

Request Block Connection

Sends a request to block this connection. You must have blocking devices configured to implement this action.

Request Block Host

Sends a request to block this attacker host. You must have blocking devices configured to implement this action.

Request Rate Limit

Sends a rate limit request to perform rate limiting. You must have rate limiting devices configured to implement this action.

Request SNMP Trap

Sends a request to the sensor to perform SNMP notification. This action causes an alert to be written even if Produce Alert is not selected. You must have SNMP configured on the sensor to implement this action.

Reset TCP Connection

Sends TCP resets to hijack and terminate the TCP flow. Reset TCP Connection only works on TCP signatures that analyze a single connection. It does not work for sweeps or floods.


Edit Fidelity Dialog Box

Use the Edit Fidelity dialog box to make changes to the Fidelity Rating for a particular signature. The Fidelity Rating, or Signature Fidelity Rating (SFR), identifies the weight associated with how well this signature might perform in the absence of specific knowledge of the target. This rating can be any number from 0 to 100, with 100 indicating the most confidence in the signature.

Accessing the Cisco NSDB

The Cisco Network Security Database (NSDB) can be accessed, or invoked, through the user interface of Security Manager.

The NSDB is a database of security information that explains the signatures the IPS uses along with the vulnerabilities on which these signatures are based. The NSDB contains a description for each attack signature that the sensor can detect.

In Security Manager, the table in the content area of the IPS Signature policy contains several columns by default, one of which is Signature ID. The Signature ID column contains hyperlinks to the NSDB. Clicking on the link in the ID column will trigger the opening of an external browser window that opens to the entry in MySDN for that signature.

MySDN, which stands for My Self-Defending Network, provides up-to-date intelligence reports about current vulnerabilities and threats, as well as education on advanced security topics to help you protect your network, prioritize remediation, and structure your systems to reduce organizational risk. For more information, refer to http://www.cisco.com/go/MySDN.

If you have access to Cisco.com, then the signature ID is linked to MySDN. If you do not have access to Cisco.com, then the signature ID is linked to the local copy of the NSDB. Security Manager will detect whether or not you have access to Cisco.com and make the appropriate link for you without your having to set a preference.

Some signatures in IPS 5.x, IPS 6.0, and IOS IPS have special characteristics: Built-in signatures cannot be added, deleted, or renamed, because they are provided with IPS itself. ("Built-in" means all signatures other than those that you create.) The information for built-in signatures, such as their names and IDs, appears as it does in the NSDB.


Tip For a particular signature in the NSDB, the "Release Version" refers to the version of IPS that the signature first appeared in, or was last modified in. The "Release Version" appears in the bottom left-hand corner of the header information when you are looking at a particular signature.


Edit Signature Parameters Dialog Box

Use the Edit Signature Parameters dialog box to edit (also called tune) the built-in micro-engine parameters for a particular signature. Different engines have different parameters, so the appearance of the Edit Signature Parameters dialog box will vary.

Navigation Path

(Device view) Select IPS > Signatures > Signatures from the Policy selector. Right-click the row containing the signature that you want to edit, and then click Edit Row in the shortcut menu that appears. Finally, click Edit Parameters.

Related Topics

Add Custom Signature Dialog Box

Edit Signature Dialog Box

Engine Options

Field Reference

Table M-8 Edit Signature Parameters Dialog Box 

Primary and Secondary Elements
Description

Signature Definition

 

Signature ID

Identifies the unique numerical value assigned to this signature. This value lets the sensor identify a particular signature.

The value is 1000 to 65000.

 

SubSignature ID

Identifies the unique numerical value assigned to this subsignature. The subsignature ID identifies a more granular version of a broad signature.

The value is 0 to 255.

 

Promiscuous Delta check box

Lets you determine the seriousness of the alert.

Sig Description

Lets you specify the following attributes that help you distinguish this signature from other signatures:

Alert Notes

User Comments

Alarm Traits

Release

 

Alert Notes

Add alert notes in this field.

 

User Comments

Add your comments about this signature in this field.

 

Alarm Traits

Add the alarm trait in this field. The value is 0 to 65535. The default is 0.

 

Release

The release in which the signature was most recently updated.

Engine

Lets you choose the engine that parses and inspects the traffic specified by this signature. For the list of possible values, see Engine Options.

 

Fragment Status

Specifies whether fragments are wanted or not:

Any fragment status.

Do not inspect fragments.

Inspect fragments.

Regex String

 

Service Ports

A comma-separated list of ports or port ranges where the target service resides.

 

Direction

Direction of traffic:

Traffic from service port destined to client port.

Traffic from client port destined to service port.

 

Specify Exact Match Offset

(Optional) Enables exact match offset:

Specify Max Match Offset/Specify Min Match Offset—The exact stream offset the regular expression string must report for a match to be valid.

 

Swap Attacker Victim

Yes if the source and destination addresses (and ports) are swapped in the alert message; No (the default) for no swap.

Event Counter

Lets you configure how the sensor counts events. For example, you can specify that you want the sensor to send an alert only if the same signature fires 5 times for the same address set:

Event Count

Event Count Key

Specify Alert Interval

 

Event Count

The number of times an event must occur before an alert is generated. The value is 1 to 65535. The default is 1.

 

Event Count Key

The storage type used to count events for this signature. Choose attacker address, attacker address and victim port, attacker and victim addresses, attacker and victim addresses and ports, or victim address. The default is attacker address.

 

Specify Alert Interval

Specifies the time in seconds before the event count is reset. Choose Yes or No from the drop-down list and then specify the amount of time.

Alert Frequency

Lets you configure how often the sensor alerts you when this signature is firing. Specify the following parameters for this signature:

Summary Mode

Summary Interval

Summary Key

Specify Global Summary Threshold

 

Summary Mode

The mode of alert summarization. Choose Fire All, Fire Once, Global Summarize, or Summarize.

Note When multiple contexts from the adaptive security appliance are contained in one virtual sensor, the summary alerts contain the context name of the last context that was summarized. Thus, the summary is the result of all alerts of this type from all contexts that are being summarized.

 

Summary Interval

The time in seconds used in each summary alert. The value is 1 to 65535. The default is 15.

 

Summary Key

The storage type used to summarize alerts. Choose Attacker address, Attacker address and victim port, Attacker and victim addresses, Attacker and victim addresses and ports, or Victim address. The default is Attacker address.

 

Specify Global Summary Threshold

Lets you specify the threshold number of events to take the alert into global summary. Choose Yes or No and then specify the threshold number of events.

Status

Lets you enable or disable a signature, or retire or unretire a signature:

Enabled—Lets you choose whether the signature is enabled or disabled. The default is yes (enabled).

Retired—Lets you choose whether the signature is retired or not. The default is no (not retired).

 

Obsoletes

Lists the signatures that are obsoleted by this signature.

Vulnerable OS List

Identifies the list of operating systems that this attack targets.

MARS Category

Identifies the category in Cisco Security MARS to which this signature belongs. This metadata is used to color the events generated in such a way as to provide MARS with the data that it needs to process this signature relative to the event categories that it studies.

Expand All

Expands all categories and subcategories.

Collapse All

Collapses all fields to the category.
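The Event Counter parameters in the table above (Event Count, Event Count Key, Specify Alert Interval) together decide whether a single signature hit becomes an alert, and the example in the text, "alert only if the same signature fires 5 times for the same address set", is the case most often misconfigured. The following is an added simulation, not sensor code: it keeps one counter per key, where the key is built from the event fields the chosen Event Count Key names, and restarts the count when the alert interval has elapsed, as the page describes. The `Event` fields, the `EventCounter` and `alerting_events` names and the sample events are all constructed for this example.

```python
"""Simulation of the Event Counter parameters (Event Count, Event Count Key,
Alert Interval) described for the Edit Signature Parameters dialog box.

Added example, not sensor code. The Event fields and the sample events are
constructed; the count-resets-after-interval behaviour follows the page's
description of Specify Alert Interval.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Event Count Key choices from the page, mapped to the event fields that form the key.
KEY_FIELDS = {
    "attacker address": ("attacker_ip",),
    "attacker address and victim port": ("attacker_ip", "victim_port"),
    "attacker and victim addresses": ("attacker_ip", "victim_ip"),
    "attacker and victim addresses and ports":
        ("attacker_ip", "attacker_port", "victim_ip", "victim_port"),
    "victim address": ("victim_ip",),
}


@dataclass(frozen=True)
class Event:
    ts: float          # seconds since an arbitrary epoch
    attacker_ip: str
    attacker_port: int
    victim_ip: str
    victim_port: int


class EventCounter:
    """Per-key counter that decides whether a signature hit should raise an alert."""

    def __init__(self, event_count: int = 1,
                 event_count_key: str = "attacker address",
                 alert_interval: Optional[float] = None):
        if not 1 <= event_count <= 65535:
            raise ValueError("Event Count must be 1 to 65535")
        if event_count_key not in KEY_FIELDS:
            raise ValueError(f"unknown Event Count Key: {event_count_key!r}")
        self.event_count = event_count
        self.fields = KEY_FIELDS[event_count_key]
        self.alert_interval = alert_interval      # None = never reset (Specify Alert Interval: No)
        # key -> (timestamp of first hit in the current window, hits so far)
        self._windows: Dict[Tuple, Tuple[float, int]] = {}

    def observe(self, ev: Event) -> bool:
        """Record one signature hit; return True when an alert should be generated."""
        key = tuple(getattr(ev, f) for f in self.fields)
        first_ts, hits = self._windows.get(key, (ev.ts, 0))
        # Alert Interval: once it has elapsed, the count for this key starts over.
        if self.alert_interval is not None and ev.ts - first_ts >= self.alert_interval:
            first_ts, hits = ev.ts, 0
        hits += 1
        if hits >= self.event_count:
            self._windows.pop(key, None)          # alert raised; count afresh for this key
            return True
        self._windows[key] = (first_ts, hits)
        return False


def alerting_events(events: List[Event], counter: EventCounter) -> List[int]:
    """Feed events through the counter in order; return the indices that alert."""
    return [i for i, ev in enumerate(events) if counter.observe(ev)]


# Constructed sample: two attacker addresses hitting the same signature.
SAMPLE_EVENTS = [
    Event(0.0,  "10.0.0.5", 40000, "192.0.2.10", 80),
    Event(0.5,  "10.0.0.9", 50000, "192.0.2.10", 80),
    Event(1.0,  "10.0.0.5", 40001, "192.0.2.10", 80),
    Event(1.5,  "10.0.0.9", 50001, "192.0.2.10", 80),
    Event(2.0,  "10.0.0.5", 40002, "192.0.2.11", 80),
    Event(2.5,  "10.0.0.9", 50002, "192.0.2.10", 80),
    Event(3.0,  "10.0.0.5", 40003, "192.0.2.11", 443),
    Event(4.0,  "10.0.0.5", 40004, "192.0.2.12", 80),   # 5th hit from 10.0.0.5
    Event(20.0, "10.0.0.9", 50003, "192.0.2.10", 80),   # >10 s later: count restarts
    Event(21.0, "10.0.0.9", 50004, "192.0.2.10", 80),
]

if __name__ == "__main__":
    five_per_attacker = EventCounter(5, "attacker address", alert_interval=10)
    print(alerting_events(SAMPLE_EVENTS, five_per_attacker))   # [7]
```

With Event Count 5, key "attacker address" and a 10 second interval, only the fifth hit from 10.0.0.5 alerts; 10.0.0.9 never reaches five hits inside one interval. Changing the key to "attacker and victim addresses" with Event Count 2 produces a different set of alerts from the same traffic, which is the practical point: the key, not just the count, defines what "the same address set" means.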


Engine Options

The following list identifies the engine options for IOS IPS and IPS that you can specify in the Engine field of the Edit Signature Parameters dialog box:

AIC FTP—Inspects FTP traffic and lets you control the commands being issued.

AIC HTTP—Provides granular control over HTTP sessions to prevent abuse of the HTTP protocol.

Atomic ARP—Inspects the Layer 2 ARP protocol. The Atomic ARP engine differs from most other engines, which are based on Layer 3 IP.

atomic-ip—Inspects IP protocol packets and associated Layer-4 transport protocols. For option detail, see Atomic IP Engine Options

Atomic IPv6—Detects IOS vulnerabilities that are stimulated by malformed IPv6 traffic.

Flood Host—Detects ICMP and UDP floods directed at hosts.

Flood Net—Detects ICMP and UDP floods directed at networks.

Meta—Defines events that occur in a related manner within a sliding time interval. This engine processes events rather than packets.

multi-string—Defines signatures that inspect Layer 4 transport protocol (ICMP, TCP, and UDP) payloads using multiple string matches for one signature. You can specify a series of regular expression patterns that must be matched to fire the signature. For option detail, see Multi-String Engine Options

normalizer—Configures how the IP and TCP normalizer functions and provides configuration for signature events related to the IP and TCP normalizer. Allows you to enforce RFC compliance. For option detail, see Normalizer Engine Options

service-dns—Inspects DNS (TCP and UDP) traffic. For option detail, see Service DNS Engine Options

service-ftp—Inspects FTP traffic. For option detail, see Service FTP Engine Options

Service Generic—Decodes custom service and payload.

Service Generic Advanced—Generically analyzes network protocols.

Service H225—Inspects VoIP traffic.

service-http—Inspects HTTP traffic. The WEBPORTS variable defines inspection port for HTTP traffic. For option detail, see HTTP Service Engine Options

Service IDENT—Inspects IDENT (client and server) traffic.

Service MSRPC—Inspects MSRPC traffic.

Service MSSQL—Inspects Microsoft SQL traffic.

Service NTP—Inspects NTP traffic.

service-rpc—Inspects RPC traffic. For option detail, see RPC Service Engine Options

Service SMB—Inspects SMB traffic.

Service SMB Advanced—Processes Microsoft SMB and Microsoft RPC over SMB packets.

Service SNMP—Inspects SNMP traffic.

Service SSH—Inspects SSH traffic.

Service TNS—Inspects TNS traffic.

state—Stateful searches of strings in protocols such as SMTP. For option detail, see STATE Engine Options

string-icmp—Searches on Regex strings based on ICMP protocol. For option detail, see String ICMP Engine Options

string-tcp—Searches on Regex strings based on TCP protocol. For option detail, see String TCP Engine Options

string-udp—Searches on Regex strings based on UDP protocol. For option detail, see String UDP Engine Options

Sweep—Analyzes sweeps of ports, hosts, and services, from a single host (ICMP and TCP), from destination ports (TCP and UDP), and multiple ports with RPC requests between two nodes.

Sweep Other TCP—Analyzes TCP flag combinations from reconnaissance scans that are trying to get information about a single host. The signatures look for flags A, B, and C. When all three are seen, an alert is fired.

Traffic ICMP—Analyzes nonstandard protocols, such as TFN2K, LOKI, and DDOS. There are only two signatures with configurable parameters.

Traffic Anomaly—Analyzes TCP, UDP, and other traffic for worm-infested hosts.

Trojan Bo2k—Analyzes traffic from the nonstandard protocol BO2K. There are no user-configurable parameters in this engine.

Trojan Tfn2k—Analyzes traffic from the nonstandard protocol TFN2K. There are no user-configurable parameters in this engine.

Trojan UDP—Analyzes traffic from the UDP protocol. There are no user-configurable parameters in this engine.

Atomic IP Engine Options

Table M-9 lists the parameters that are specific to the Atomic IP engine.

Table M-9 Atomic IP Engine Parameters 

Parameter
Description

Fragment Status

Specifies whether or not fragments are wanted.

Specify Layer 4 Protocol

Specifies Layer 4 protocol.

Specify IP Payload Length

Specifies IP datagram payload length.

Specify IP Header Length

Specifies IP datagram header length.

Specify IP Type of Service

Specifies IP type of service.

Specify IP Time-to-Live

Specifies time to live.

Specify IP Version

Specifies IP protocol version.

Specify IP Identifier

Specifies IP identifier.

Specify IP Total Length

Specifies IP datagram total length.

Specify IP Option Inspection

Specifies IP options inspection.

Specify IP Addr Options

Specifies IP addresses.


Meta Engine Options

Table M-10 lists the parameters specific to the Meta engine.

Table M-10 Meta Engine Parameters 

Parameter
Description
Value

meta-reset-interval

Time in seconds to reset the META signature.

0 to 3600

component-list

List of Meta components:

edit—Edits an existing entry

insert—Inserts a new entry into the list:

begin—Places the entry at the beginning of the active list

end—Places the entry at the end of the active list

inactive—Places the entry into the inactive list

before—Places the entry before the specified entry

after—Places the entry after the specified entry

move—Moves an entry in the list

name1

meta-key

Storage type for the Meta signature:

Attacker address

Attacker and victim addresses

Attacker and victim addresses and ports

Victim address

AaBb AxBx Axxx xxBx

unique-victim-ports

Number of unique victim ports required per Meta signature.

1 to 256

component-list-in-order

Whether to fire the component list in order.

true | false


MSRPC Service Engine Options

Table M-11 lists the parameters specific to the Service MSRPC engine.

Table M-11 Service MSRPC Engine Parameters 

Parameter
Description
Value

protocol

Protocol of interest for this inspector.

tcp udp

specify-operation

(Optional) Enables using MSRPC operation:

operation—MSRPC operation requested. Required for SMB_COM_TRANSACTION commands. Exact match.

0 to 65535

specify-regex-string

(Optional) Enables using a regular expression string:

specify-exact-match-offset—Enables the exact match offset:

exact-match-offset—The exact stream offset the regular expression string must report for a match to be valid.

specify-min-match-length—Enables the minimum match length:

min-match-length—Minimum number of bytes the regular expression string must match.

0 to 65535

specify-uuid

(Optional) Enables UUID:

uuid—MSRPC UUID field.

000001a000000000c000000000000046


MSSQL Service Engine Options

The Service MSSQL engine inspects the protocol used by the Microsoft SQL server.

There is one MSSQL signature. It fires an alert when it detects an attempt to log in to an MSSQL server with the default sa account.

You can add custom signatures based on MSSQL protocol values, such as login username and whether a password was used.

Table M-12 lists the parameters specific to the Service MSSQL engine.

Table M-12 Service MSSQL Engine Parameters 

Parameter
Description
Value

password-present

Whether or not a password was used in an MS SQL login.

true | false

specify-sql-username

(Optional) Enables using an SQL username:

sql-username—Username (exact match) of user logging in to MS SQL service.

sa


Multi-String Engine Options

The Multi String engine lets you define signatures that inspect Layer 4 transport protocol (ICMP, TCP, and UDP) payloads using multiple string matches for one signature. You can specify a series of regular expression patterns that must be matched to fire the signature. For example, you can define a signature that looks for regex 1 followed by regex 2 on a UDP service. For UDP and TCP you can specify port numbers and direction. You can specify a single source port, a single destination port, or both ports. The string matching takes place in both directions.

Use the Multi String engine when you need to specify more than one regex pattern. Otherwise, you can use the String ICMP, String TCP, or String UDP engine to specify a single Regex pattern for one of those protocols.

Table M-13 lists the parameters specific to the Multi String Engine.

Table M-13 Multi String Engine Parameters 

Parameter
Description
Value

Inspect Length

Length of stream or packet that must contain all offending strings for the signature to fire.

0 to 4294967295

Protocol

Layer 4 protocol selection.

Icmp Tcp Udp

Regex Component

List of regex components:

Regex String—The string to search for.

Spacing Type—Type of spacing required from the match before or from the beginning of the stream/packet if it is the first entry in the list.

list (1 to 16 items) exact minimum

Port Selection

Type of TCP or UDP port to inspect. Only displays if TCP or UDP is selected in the Protocol field.

Both Ports Destination Source

Source Ports

Specifies a range of source ports.

Note Port matching is performed bidirectionally for both the client-to-server and server-to-client traffic flow directions. For example, if the source-ports value is 80, in a client-to-server traffic flow direction, inspection occurs if the client port is 80. In a server-to-client traffic flow direction, inspection occurs if the server port is port 80.

0 to 65535

Note The second number in the range must be greater than or equal to the first number.

Dest Ports

Specifies a range of destination ports.

0 to 65535

Exact Spacing

Exact number of bytes that must be between this regex string and the one before, or from the beginning of the stream/packet if it is the first entry in the list.

0 to 4294967296

Minimum Spacing

Minimum number of bytes that must be between this regex string and the one before, or from the beginning of the stream/packet if it is the first entry in the list.

0 to 4294967296

Swap Attacker Victim

Yes if address (and ports) source and destination are swapped in the alert message. No for no swap (default).

Yes | No



Caution The Multi String engine can have a significant impact on memory usage.
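The Regex Component list above is evaluated in order, with each entry's Spacing Type tying it to the end of the previous match. The following is an added illustration of that ordered-match logic and is not code from the Cisco guide or the sensor; the component names, the byte-oriented matcher and the sample payloads are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RegexComponent:
    # One Regex Component entry: the pattern, the Spacing Type ("exact" or
    # "minimum") and the number of bytes of spacing required from the end of
    # the previous match (or from the start of the buffer for the first entry).
    regex: bytes
    spacing_type: str
    spacing: int = 0


def multi_string_match(payload: bytes, components: List[RegexComponent],
                       inspect_length: int) -> Optional[int]:
    """Apply the component list in order to the first `inspect_length` bytes.

    Returns the offset just past the final match when every component matched
    with its spacing rule satisfied, otherwise None.  Ordering is enforced: a
    later component is only searched for after the previous one has matched.
    """
    buf = payload[:inspect_length]   # Inspect Length bounds the search
    pos = 0                          # end of the previous match; 0 at first
    for comp in components:
        pattern = re.compile(comp.regex)
        start = pos + comp.spacing
        if comp.spacing_type == "exact":
            # Exact Spacing: the match must begin precisely `spacing` bytes on.
            m = pattern.match(buf, start)
        elif comp.spacing_type == "minimum":
            # Minimum Spacing: the match may begin anywhere at or beyond that point.
            m = pattern.search(buf, start)
        else:
            raise ValueError(f"unknown spacing type: {comp.spacing_type}")
        if m is None:
            return None
        pos = m.end()
    return pos


# Constructed two-entry signature: four "A"s anywhere, then exactly two bytes
# of gap, then four "B"s, all within the first 64 bytes of the packet.
COMPONENTS = [
    RegexComponent(rb"A{4}", "minimum", 0),
    RegexComponent(rb"B{4}", "exact", 2),
]
INSPECT_LENGTH = 64


def signature_fires(payload: bytes) -> bool:
    return multi_string_match(payload, COMPONENTS, INSPECT_LENGTH) is not None


if __name__ == "__main__":
    for sample in (b"AAAA\x00\x00BBBB", b"AAAA\x00BBBB", b"BBBB\x00\x00AAAA"):
        print(sample, "->", signature_fires(sample))
```

The third sample shows why ordering matters: both patterns are present, but regex 2 precedes regex 1, so the signature does not fire. Reducing Inspect Length below the position of the last match likewise suppresses it, which is the memory trade-off the caution above refers to.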

Normalizer Engine Options

Table M-14 lists the parameters that are specific to the Normalizer engine.

Table M-14 Normalizer Engine Parameters 

Parameter
Description

Edit defaults

Specify Service Ports

(Optional) Enables service ports.

Specify TCP Max MSS

(Optional) Enables TCP maximum mss.

Specify TCP Min MSS

(Optional) Enables TCP minimum mss.

Specify TCP Option Number

(Optional) Enables TCP option number.

Specify TCP Max Queue

(Optional) Enables TCP maximum queue.

Specify TCP Closed Timeout

(Optional) Enables TCP closed timeout.

Specify TCP Embryonic Timeout

(Optional) Enables TCP embryonic timeout.

Specify TCP Idle Timeout

(Optional) Enables TCP idle timeout.

Specify Fragment Reassembly Timeout

(Optional) Enables fragment reassembly timeout.

Specify Max Fragments per Datagram

(Optional) Enables maximum fragments per datagram.

Specify Max Small Frags

(Optional) Enables maximum small fragments.

Specify Min Fragment Size

(Optional) Enables minimum fragment size.

Specify Max Partial Datagrams

(Optional) Enables maximum partial datagrams.

Specify Max Datagram Size

(Optional) Enables maximum datagram size.

Specify Max Fragments

(Optional) Enables maximum fragments.

Specify Max Last Fragments

(Optional) Enables maximum last fragments.

Specify Hijack Max Old Ack

(Optional) Enables hijack-max-old-ack.

Specify SYN Flood Max Embryonic

(Optional) Enables SYN flood maximum embryonic.


Atomic ARP Engine Options

The Atomic ARP engine defines basic Layer 2 ARP signatures and provides more advanced detection of the ARP spoof tools dsniff and ettercap.

Table M-15 lists the parameters that are specific to the Atomic ARP engine.

Table M-15 Atomic ARP Engine Parameters 

Parameter
Description

specify-mac-flip

Fires an alert when the MAC address changes more than this many times for this IP address.

specify-type-of-arp-sig

Specifies the type of ARP signatures you want to fire on:

Source Broadcast (default)—Fires an alarm for this signature when it sees an ARP source address of 255.255.255.255.

Destination Broadcast—Fires an alarm for this signature when it sees an ARP destination address of 255.255.255.255.

Same Source and Destination—Fires an alarm for this signature when it sees an ARP packet with the same source and destination MAC address.

Source Multicast—Fires an alarm for this signature when it sees an ARP source MAC address of 01:00:5e:(00-7f).

specify-request-inbalance

Fires an alert when there are this many more requests than replies on the IP address.

specify-arp-operation

The ARP operation code for this signature.
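
The mac-flip, request-inbalance and Source Multicast checks in Table M-15 are all stateful counters over ARP traffic. The following is an added example written for this reference and is not the sensor's own code; the per-IP counting, the one-alert-per-IP reporting and the constructed packets are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpPacket:
    # Constructed ARP record: operation code plus the sender/target fields
    # that the checks below consult.
    op: int
    sender_mac: str
    sender_ip: str
    target_ip: str


def is_source_multicast(mac: str) -> bool:
    """Source Multicast test: sender MAC of the form 01:00:5e:(00-7f):xx:xx."""
    parts = mac.lower().split(":")
    if len(parts) != 6 or parts[:3] != ["01", "00", "5e"]:
        return False
    return 0x00 <= int(parts[3], 16) <= 0x7F


class AtomicArpDetector:
    """Counters behind mac-flip and request-inbalance as modelled here
    (assumed semantics): one alert per IP the first time its MAC-change count,
    or its request-minus-reply surplus, exceeds the configured threshold."""

    def __init__(self, mac_flip: int, request_inbalance: int):
        self.mac_flip = mac_flip
        self.request_inbalance = request_inbalance
        self._last_mac: Dict[str, str] = {}   # sender IP -> MAC last seen for it
        self._flips: Dict[str, int] = {}      # sender IP -> number of MAC changes
        self._requests: Dict[str, int] = {}   # target IP -> requests asking for it
        self._replies: Dict[str, int] = {}    # sender IP -> replies it has sent
        self._reported: Set[str] = set()

    def _report(self, tag: str, ip: str, alerts: List[str]) -> None:
        if tag + ip not in self._reported:
            self._reported.add(tag + ip)
            alerts.append(f"{tag} {ip}")

    def observe(self, pkt: ArpPacket) -> List[str]:
        alerts: List[str] = []
        if is_source_multicast(pkt.sender_mac):
            alerts.append(f"source-multicast {pkt.sender_mac}")
        # mac-flip: the same IP is now advertised with a different MAC.
        prev = self._last_mac.get(pkt.sender_ip)
        if prev is not None and prev != pkt.sender_mac:
            self._flips[pkt.sender_ip] = self._flips.get(pkt.sender_ip, 0) + 1
            if self._flips[pkt.sender_ip] > self.mac_flip:
                self._report("mac-flip", pkt.sender_ip, alerts)
        self._last_mac[pkt.sender_ip] = pkt.sender_mac
        # request-inbalance: many requests for an IP that never answers.
        if pkt.op == ARP_REQUEST:
            ip = pkt.target_ip
            self._requests[ip] = self._requests.get(ip, 0) + 1
        elif pkt.op == ARP_REPLY:
            ip = pkt.sender_ip
            self._replies[ip] = self._replies.get(ip, 0) + 1
        else:
            return alerts
        if self._requests.get(ip, 0) - self._replies.get(ip, 0) > self.request_inbalance:
            self._report("request-inbalance", ip, alerts)
        return alerts


def constructed_arp_traffic() -> List[ArpPacket]:
    """Constructed sample: one host flapping between two MACs, one IP that is
    asked for repeatedly but never answers, and one multicast sender MAC."""
    pkts: List[ArpPacket] = []
    for mac in ("aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb",
                "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb"):
        pkts.append(ArpPacket(ARP_REPLY, mac, "10.0.0.1", "10.0.0.2"))
    for _ in range(6):
        pkts.append(ArpPacket(ARP_REQUEST, "cc:cc:cc:cc:cc:cc", "10.0.0.2", "10.0.0.9"))
    pkts.append(ArpPacket(ARP_REQUEST, "01:00:5e:00:00:01", "10.0.0.3", "10.0.0.4"))
    return pkts


if __name__ == "__main__":
    detector = AtomicArpDetector(mac_flip=2, request_inbalance=5)
    for pkt in constructed_arp_traffic():
        for alert in detector.observe(pkt):
            print(alert)
```

With mac-flip set to 2 the alert is raised on the third change, not the first, which is the tuning knob for hosts that legitimately fail over between adapters.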


Service DNS Engine Options

The Service DNS engine specializes in advanced DNS decode, which includes anti-evasive techniques, such as following multiple jumps. It has many parameters such as lengths, opcodes, strings, and so forth. The Service DNS engine is a biprotocol inspector operating on both TCP and UDP port 53. It uses the stream for TCP and the quad for UDP.

Table M-16 lists the parameters specific to the Service DNS engine.

Table M-16 Service DNS Engine Parameters 

Parameter
Description
Value

Protocol

Protocol of interest for this inspector.

TCP UDP

Specify Query Type

(Optional) Enables the query type:

Query Type—DNS Query Type 2 Byte Value

0 to 65535

Specify Query Opcode

(Optional) Enables query opcode:

Query Opcode—DNS Query Opcode 1 byte Value

0 to 65535

Specify Query Record Data Length

(Optional) Enables the query record data length:

Query Record Data Length—DNS Response Record Data Length

0 to 65535

Specify Query Record Data Invalid

(Optional) Enables query record data invalid:

Query Record Data Invalid—DNS Record Data incomplete

Yes | No

Specify Query Src Port 53

(Optional) Enables the query source port 53:

Query Src Port 53—DNS packet source port 53

Yes | No

Specify Query Value

(Optional) Enables the query value:

Query Value—Query 0 Response 1

Yes | No

Specify Query Stream Length

(Optional) Enables the query stream length:

Query Stream Length—DNS Packet Length

0 to 65535

Specify Query Jump Count Exceeded

(Optional) Enables query jump count exceeded:

Query Jump Count Exceeded—DNS compression counter

Yes | No

Specify Query Invalid Domain Name

(Optional) Enables query invalid domain name:

Query Invalid Domain Name—DNS Query Length greater than 255

Yes | No

Specify Query Class

(Optional) Enables the query class:

Query Class—DNS Query Class 2 Byte Value

0 to 65535

Specify Query Chaos String

(Optional) Enables the DNS Query Class Chaos String.

query-chaos-string
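
Two of the conditions in Table M-16, Query Jump Count Exceeded and Query Invalid Domain Name, come from decoding compressed DNS names without trusting the pointers in the packet. The following is an added example of such a bounded decoder; it is not code from the Cisco guide or the sensor, and the jump limit of 8, the condition strings and the constructed messages are this example's own assumptions.

```python
from typing import Tuple

MAX_NAME_LENGTH = 255   # the "DNS Query Length greater than 255" condition
MAX_JUMPS = 8           # assumed bound behind "Query Jump Count Exceeded"


class DnsDecodeError(Exception):
    """Raised for the conditions a signature would flag instead of following."""


def decode_name(msg: bytes, offset: int, max_jumps: int = MAX_JUMPS) -> Tuple[str, int, int]:
    """Decode a possibly compressed name (RFC 1035 section 4.1.4) at `offset`.

    Returns (name, offset of the first byte after the name in the original
    stream, number of compression jumps followed).  Raises DnsDecodeError for a
    jump count above `max_jumps` (pointer loops), an uncompressed length above
    255 octets, a truncated message, or a reserved label type.
    """
    labels = []
    jumps = 0
    wire_len = 0        # octets the name would occupy without compression
    end = None          # set when the first pointer is followed
    pos = offset
    while True:
        if pos >= len(msg):
            raise DnsDecodeError("truncated name")
        length = msg[pos]
        if length & 0xC0 == 0xC0:              # 11xxxxxx: compression pointer
            if pos + 1 >= len(msg):
                raise DnsDecodeError("truncated pointer")
            jumps += 1
            if jumps > max_jumps:
                raise DnsDecodeError("jump count exceeded")
            if end is None:
                end = pos + 2                  # the name ends after the pointer
            pos = ((length & 0x3F) << 8) | msg[pos + 1]
            continue
        if length & 0xC0:                      # 01xxxxxx / 10xxxxxx are reserved
            raise DnsDecodeError("reserved label type")
        wire_len += 1 + length
        if wire_len > MAX_NAME_LENGTH:
            raise DnsDecodeError("name longer than 255")
        pos += 1
        if length == 0:                        # root label terminates the name
            break
        if pos + length > len(msg):
            raise DnsDecodeError("truncated label")
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels), end if end is not None else pos, jumps


def classify(msg: bytes, offset: int) -> str:
    """Return "ok" or the condition text a signature could key on."""
    try:
        decode_name(msg, offset)
        return "ok"
    except DnsDecodeError as exc:
        return str(exc)


# Constructed messages; 12 zero bytes stand in for the DNS header.
HEADER = b"\x00" * 12
MSG_OK = HEADER + b"\x03www\x07example\x03com\x00" + b"\xc0\x0c"      # pointer back to offset 12
MSG_LOOP = HEADER + b"\xc0\x0c"                                        # pointer to itself
MSG_LONG = b"".join(b"\x3f" + b"a" * 63 for _ in range(4)) + b"\x00"  # 4 x 64 octets = 256

if __name__ == "__main__":
    print(decode_name(MSG_OK, 12))
    print(decode_name(MSG_OK, 29))
    print(classify(MSG_LOOP, 12), "|", classify(MSG_LONG, 0))
```

The point of the jump counter is that a self-referencing pointer is a valid-looking byte sequence; without a bound the decoder never terminates, so the engine reports the condition rather than following it.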


Flood Engine Options

The Flood engine defines signatures that watch for any host or network sending multiple packets to a single host or network. For example, you can create a signature that fires when 150 or more packets per second (of the specific type) are found going to the victim host.

There are two types of Flood engines: Flood Host and Flood Net.

Table M-17 lists the parameters specific to the Flood Host engine.

Table M-17 Flood Host Engine Parameters 

Parameter
Description
Value

protocol

Which kind of traffic to inspect.

ICMP UDP

rate

Threshold number of packets per second.

0 to 65535

icmp-type

Specifies the value for the ICMP header type.

0 to 65535

dst-ports

Specifies the destination ports when you choose UDP protocol.

0 to 65535 a-b[,c-d]

src-ports

Specifies the source ports when you choose UDP protocol.

0 to 65535 a-b[,c-d]
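
The Flood Host parameters above (protocol, rate, icmp-type, dst-ports and the a-b[,c-d] port syntax) translate into a per-victim packets-per-second counter. The following is an added example of that logic and is not code from the Cisco guide or the sensor; the one-second bucketing, the record layout and the constructed traffic are this example's own assumptions.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed packet record: (timestamp in seconds, protocol, src IP, dst IP,
# ICMP type for ICMP packets or destination port for UDP packets).
Packet = Tuple[float, str, str, str, int]


def parse_port_ranges(spec: str) -> List[Tuple[int, int]]:
    """Parse the a-b[,c-d] port syntax into (low, high) pairs, enforcing the
    documented rule that the second number is >= the first."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        low, _, high = item.partition("-")
        lo = int(low)
        hi = int(high) if high else lo
        if not (0 <= lo <= hi <= 65535):
            raise ValueError(f"invalid port range: {item}")
        ranges.append((lo, hi))
    return ranges


class FloodHostDetector:
    """Packets-per-second threshold against a single victim host, following
    the Flood Host parameters.  Per-second bucketing is this example's own
    simplification of the engine's rate measurement."""

    def __init__(self, protocol: str, rate: int, icmp_type: Optional[int] = None,
                 dst_ports: Optional[str] = None):
        self.protocol = protocol.upper()
        self.rate = rate
        self.icmp_type = icmp_type
        self.dst_ports = parse_port_ranges(dst_ports) if dst_ports else None
        self._buckets: Dict[Tuple[str, int], int] = defaultdict(int)
        self._fired: Set[Tuple[str, int]] = set()

    def _selected(self, proto: str, value: int) -> bool:
        """Does this packet match the signature's protocol / icmp-type / dst-ports?"""
        if proto.upper() != self.protocol:
            return False
        if self.protocol == "ICMP":
            return self.icmp_type is None or value == self.icmp_type
        if self.dst_ports is None:
            return True
        return any(lo <= value <= hi for lo, hi in self.dst_ports)

    def feed(self, packets: Iterable[Packet]) -> List[Tuple[str, int, int]]:
        """Return one (victim, second, count) alert per victim and second in
        which the selected-packet count first reached `rate`."""
        alerts = []
        for ts, proto, _src, dst, value in packets:
            if not self._selected(proto, value):
                continue
            bucket = (dst, int(ts))
            self._buckets[bucket] += 1
            if self._buckets[bucket] >= self.rate and bucket not in self._fired:
                self._fired.add(bucket)
                alerts.append((dst, int(ts), self._buckets[bucket]))
        return alerts


def constructed_traffic() -> List[Packet]:
    """Constructed sample: 150 ICMP echo requests (type 8) from many sources to
    10.0.0.5 inside one second, a trickle of 20 to 10.0.0.6, and 200 UDP/53
    packets to 10.0.0.5 that an ICMP signature must ignore."""
    pkts: List[Packet] = []
    for i in range(150):
        pkts.append((0.001 * i, "ICMP", f"192.0.2.{i % 250}", "10.0.0.5", 8))
    for i in range(20):
        pkts.append((0.5 + 0.001 * i, "ICMP", "198.51.100.7", "10.0.0.6", 8))
    for i in range(200):
        pkts.append((0.002 * i, "UDP", "203.0.113.9", "10.0.0.5", 53))
    return pkts


if __name__ == "__main__":
    detector = FloodHostDetector("ICMP", rate=150, icmp_type=8)
    print(detector.feed(constructed_traffic()))
```

Because the victim is the key, the 150 packets count together even though they come from 150 different sources; that is the distinction between this engine and a per-attacker event count.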


Flood Net Engine Parameters

Table M-18 lists the parameters specific to the Flood Net engine.

Table M-18 Flood Net Engine Parameters 

Parameter
Description
Value

gap

Gap of time allowed (in seconds) for a flood signature.

0 to 65535

peaks

Number of allowed peaks of flood traffic.

0 to 65535

protocol

Which kind of traffic to inspect.

ICMP TCP UDP

rate

Threshold number of packets per second.

0 to 65535

sampling-interval

Interval used for sampling traffic.

1 to 3600

icmp-type

Specifies the value for the ICMP header type.

0 to 65535


Service FTP Engine Options

The Service FTP engine specializes in FTP port command decode, trapping invalid port commands and the PASV port spoof. It fills in the gaps when the String engine is not appropriate for detection. The parameters are Boolean and map to the various error trap conditions in the port command decode. The Service FTP engine runs on TCP ports 20 and 21. Port 20 is for data and the Service FTP engine does not do any inspection on this. It inspects the control transactions on port 21.

Table M-19 lists the parameters that are specific to the Service FTP engine.

Table M-19 Service FTP Engine Parameters 

Parameter
Description
Value

Direction

Direction of traffic:

Traffic from service port destined to client port

Traffic from client port destined to service port

From Service To Service

Service Ports

A comma-separated list of ports or port ranges where the target service resides.

0 to 65535

Note The second number in the range must be greater than or equal to the first number.

Swap Attacker Victim

Yes if address (and ports) source and destination are swapped in the alert message. No for no swap (default).

Yes | No

FTP Inspection Type

Type of inspection to perform:

Looks for an invalid address in the FTP port command

Looks for an invalid port in the FTP port command

Looks for the PASV port spoof

Invalid Address in PORT Command Invalid Port in PORT Command PASV Port Spoof


General Options for All Engines

The following parameters are part of the Master engine and apply to all signatures.

Table M-20 lists the general master engine parameters.

Table M-20 Master Engine General Parameters 

Parameter
Description
Value

Alert Severity

Severity of the alert:

Dangerous alert

Medium-level alert

Low-level alert

Informational alert

high medium low informational

Engine

Specifies the engine the signature belongs to.

Event Counter

Grouping for event count settings.

Event Count

Number of times an event must occur before an alert is generated.

1 to 65535

Event Count Key

The storage type on which to count events for this signature:

Attacker address

Attacker and victim addresses

Attacker address and victim port

Victim address

Attacker and victim addresses and ports

Axxx AxBx Axxb xxBx AaBb

Specify Alert Interval

Enables alert interval.

yes | no

Alert Interval

Time in seconds before the event count is reset.

2 to 1000

promisc-delta

Delta value used to determine seriousness of the alert.

0 to 30

sig-fidelity-rating

Rating of the fidelity of this signature.

0 to 100

sig-description

Grouping for your description of the signature.

sig-name

Name of the signature.

sig-name

sig-string-info

Additional information about this signature that will be included in the alert message.

sig-string-info

sig-comment

Comments about this signature.

sig-comment

Alert Traits

Traits you want to document about this signature.

0 to 65335

Release

The release in which the signature was most recently updated.

release

Status

Whether the signature is enabled or disabled, active or retired.

enabled retired


Generic Service Engine Options

The Service Generic engine allows programmatic signatures to be issued in a config-file-only signature update. It has a simple machine and assembly language that is defined in the configuration file. It runs the machine code (distilled from the assembly language) through its virtual machine, which processes the instructions and pulls the important pieces of information out of the packet and runs them through the comparisons and operations specified in the machine code.

It is intended as a rapid signature response engine to supplement the String and State engines.


Note You cannot use the Service Generic engine to create custom signatures.



Caution Due to the proprietary nature of this complex language, we do not recommend that you edit the Service Generic engine signature parameters other than severity and event action.

Table M-21 lists the parameters specific to the Service Generic engine.

Table M-21 Service Generic Engine Parameters 

Parameter
Description
Value

specify-dst-port

(Optional) Enables the destination port:

dst-port—Destination port of interest for this signature

0 to 65535

specify-ip-protocol

(Optional) Enables IP protocol:

ip-protocol—The IP protocol this inspector should examine

0 to 255

specify-payload-source

(Optional) Enables payload source inspection:

payload-source—Payload source inspection for the following types:

Inspects ICMP data

Inspects Layer 2 headers

Inspects Layer 3 headers

Inspects Layer 4 headers

Inspects TCP data

Inspects UDP data

icmp-data l2-header l3-header l4-header tcp-data udp-data

specify-src-port

(Optional) Enables the source port:

src-port—Source port of interest for this signature

0 to 65535


H225 Service Engine Options

Table M-22 lists parameters specific to the Service H225 engine.

Table M-22 Service H.225 Engine Parameters 

Parameter
Description
Value

message-type

Type of H225 message to which the signature applies:

SETUP

ASN.1-PER

Q.931

TPKT

asn.1-per q.931 setup tpkt

policy-type

Type of H225 policy to which the signature applies:

Inspects field length.

Inspects presence. If certain fields are present in the message, an alert is sent.

Inspects regular expressions.

Inspects field validations.

Inspects values.

Regex and presence are not valid for TPKT signatures.

length presence regex validate value

specify-field-name

(Optional) Enables field name for use. Only valid for SETUP and Q.931 message types. Gives a dotted representation of the field name that this signature applies to.

field-name—Field name to inspect.

1 to 512

specify-invalid-packet-index

(Optional) Enables invalid packet index for use for specific errors in ASN, TPKT, and other errors that have fixed mapping.

invalid-packet-index—Inspection for invalid packet index.

0 to 255

specify-regex-string

The regular expression to look for when the policy type is regex. This is never set for TPKT signatures:

A regular expression to search for in a single TCP packet

(Optional) Enables min match length for use. The minimum length of the Regex match required to constitute a match. This is never set for TPKT signatures.

regex-string specify-min-match-length

specify-value-range

Valid for the length or value policy types (0x00 to 6535). Not valid for other policy types.

value-range—Range of values.

0 to 65535 a-b


HTTP Service Engine Options

Table M-23 lists the parameters specific to the Service HTTP engine.

Table M-23 Service HTTP Engine Parameters 

Parameter
Description
Value

De Obfuscate

Applies anti-evasive deobfuscation before searching.

Yes | No

Max Field Sizes

Maximum field sizes grouping.

Specify Max URI Field Length

(Optional) Enables the maximum URI field length:

Max URI Field Length—Maximum length of the URI field.

0 to 65535

Specify Max Arg Field Length

(Optional) Enables maximum argument field length:

Max Arg Field Length—Maximum length of the arguments field.

0 to 65535

Specify Max Header Field Length

(Optional) Enables maximum header field length:

Max Header Field Length—Maximum length of the header field.

0 to 65535

Specify Max Request Length

(Optional) Enables maximum request field length:

Max Request Length—Maximum length of the request field.

0 to 65535

Regex

Regular expression grouping.

Specify URI Regex

(Optional) Regular expression to search in HTTP URI field. The URI field is defined to be after the HTTP method (GET, for example) and before the first CRLF. The regular expression is protected, which means you cannot change the value.

[/\\][a-zA-Z][a-zA-Z][a-zA-Z][a-zA-Z][a-zA-Z][a-zA-Z][a-zA-Z][.]jpeg

Specify Arg Name Regex

(Optional) Enables searching the Arguments field for a specific regular expression:

Arg Name Regex—Regular expression to search for in the HTTP Arguments field (after the ? and in the Entity body as defined by Content-Length).

Specify Header Regex

(Optional) Enables searching the Header field for a specific regular expression:

Header Regex—Regular Expression to search in the HTTP Header field. The Header is defined after the first CRLF and continues until CRLFCRLF.

Specify Request Regex

(Optional) Enables searching the Request field for a specific regular expression:

Request Regex—Regular expression to search in both HTTP URI and HTTP Argument fields.

Specify Min Request Match Length—Enables setting a minimum request match length.

0 to 65535

Service Ports

A comma-separated list of ports or port ranges where the target service resides.

0 to 65535

Note The second number in the range must be greater than or equal to the first number.

Swap Attacker Victim

Yes if address (and ports) source and destination are swapped in the alert message. No for no swap (default).

Yes | No


Alert Frequency Options

The purpose of the summary parameter is to reduce the volume of the alerts written to the Event Store to counter IDS DoS tools, such as stick. There are four modes: Fire All, Fire Once, Summarize, and Global Summarize. The summary mode is changed dynamically to adapt to the current alert volume. For example, you can configure the signature to Fire All, but after a certain threshold is reached, it will start summarizing.

Table M-24 MASTER Engine Alert Frequency Parameters 

Parameter
Description
Value

alert-frequency

Summary options for grouping alerts.

 

summary-mode

Mode used for summarization.

 

fire-all

Fires an alert on all events.

 

fire-once

Fires an alert only once.

 

global-summarize

Summarizes an alert so that it only fires once regardless of how many attackers or victims.

 

summarize

Summarizes alerts.

 

specify-summary-threshold

(Optional) Enables summary threshold.

yes | no

summary-threshold

Threshold number of alerts to send signature into summary mode.

0 to 65535

specify-global-summary-threshold

Enable global summary threshold.

yes | no

global-summary-threshold

Threshold number of events to take alerts into global summary.

1 to 65535

summary-interval

Time in seconds used in each summary alert.

1 to 1000

summary-key

The storage type on which to summarize this signature:

Attacker address

Attacker and victim addresses

Attacker address and victim port

Victim address

Attacker and victim addresses and ports

Axxx

AxBx

Axxb

xxBx

AaBb
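
The Axxx / AxBx / Axxb / xxBx / AaBb codes appear both as the Event Count Key in Table M-20 and as the summary-key above, and the same key-selection feeds two different mechanisms: the event counter (Event Count, Alert Interval) and the summary-mode state machine (summary-threshold, global-summary-threshold, summary-interval). The following is an added example covering both, written for this reference and not taken from the Cisco guide or the sensor; the exact transition and reset semantics and the constructed alert streams are this example's assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    # Constructed alert record: timestamp (s) plus the attacker/victim 4-tuple.
    t: float
    attacker: str
    attacker_port: int
    victim: str
    victim_port: int


def storage_key(ev: Event, key_type: str) -> tuple:
    """Translate a storage-type code into the tuple events are counted under."""
    if key_type == "Axxx":
        return (ev.attacker,)
    if key_type == "AxBx":
        return (ev.attacker, ev.victim)
    if key_type == "Axxb":
        return (ev.attacker, ev.victim_port)
    if key_type == "xxBx":
        return (ev.victim,)
    if key_type == "AaBb":
        return (ev.attacker, ev.attacker_port, ev.victim, ev.victim_port)
    raise ValueError(f"unknown storage key type: {key_type}")


class EventCounter:
    """Event Count / Event Count Key / Alert Interval as modelled here (assumed
    semantics): an alert fires once `event_count` events share a key; a
    partial count is discarded after `alert_interval` seconds."""

    def __init__(self, event_count: int, key_type: str, alert_interval: Optional[int] = None):
        self.event_count = event_count
        self.key_type = key_type
        self.alert_interval = alert_interval
        self._state: Dict[tuple, Tuple[int, float]] = {}  # key -> (count, window start)

    def observe(self, ev: Event) -> bool:
        key = storage_key(ev, self.key_type)
        count, start = self._state.get(key, (0, ev.t))
        if self.alert_interval is not None and ev.t - start >= self.alert_interval:
            count, start = 0, ev.t           # interval expired: count from scratch
        count += 1
        if count >= self.event_count:
            self._state.pop(key, None)       # fired: the next event starts afresh
            return True
        self._state[key] = (count, start)
        return False


class AlertSummarizer:
    """summary-mode state machine as modelled here (assumed semantics): each
    summary-interval starts in fire-all; once `summary_threshold` alerts share
    a summary-key it moves to summarize; once `global_summary_threshold` alerts
    of any key arrive it moves to global-summarize.  Withheld alerts are
    reported once when the interval closes."""

    def __init__(self, summary_key: str, summary_interval: int,
                 summary_threshold: Optional[int] = None,
                 global_summary_threshold: Optional[int] = None):
        self.summary_key = summary_key
        self.summary_interval = summary_interval
        self.summary_threshold = summary_threshold
        self.global_summary_threshold = global_summary_threshold

    def process(self, events: List[Event]) -> List[tuple]:
        out: List[tuple] = []
        window_start: Optional[float] = None
        seen: Dict[tuple, int] = {}      # every alert per key in this interval
        held: Dict[tuple, int] = {}      # alerts withheld for a summary alert
        total, mode = 0, "fire-all"
        for ev in sorted(events, key=lambda e: e.t):
            if window_start is None or ev.t - window_start >= self.summary_interval:
                out.extend(self._flush(mode, held))
                window_start, seen, held, total, mode = ev.t, {}, {}, 0, "fire-all"
            key = storage_key(ev, self.summary_key)
            seen[key] = seen.get(key, 0) + 1
            total += 1
            if (mode != "global-summarize" and self.global_summary_threshold is not None
                    and total >= self.global_summary_threshold):
                mode = "global-summarize"
            elif (mode == "fire-all" and self.summary_threshold is not None
                    and seen[key] >= self.summary_threshold):
                mode = "summarize"
            if mode == "fire-all":
                out.append(("alert", key))
            else:
                held[key] = held.get(key, 0) + 1
        out.extend(self._flush(mode, held))
        return out

    @staticmethod
    def _flush(mode: str, held: Dict[tuple, int]) -> List[tuple]:
        if not held:
            return []
        if mode == "global-summarize":
            return [("global-summary", sum(held.values()))]
        return [("summary", key, n) for key, n in held.items()]


def constructed_burst() -> List[Event]:
    """Five alerts from one attacker to one victim within half a second."""
    return [Event(0.1 * i, "198.51.100.4", 40000 + i, "10.0.0.5", 80) for i in range(5)]


def constructed_spread() -> List[Event]:
    """Eight alerts from four attackers, two each, against the same victim."""
    return [Event(0.1 * i, f"198.51.100.{i % 4}", 40000 + i, "10.0.0.5", 80) for i in range(8)]
```

The two constructed streams show why both thresholds exist: the burst trips summary-threshold on a single AxBx key, while the spread never reaches it for any one attacker but does cross global-summary-threshold, which is the case a distributed flood of alerts against the Event Store presents.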


NTP Service Engine Options

The Service NTP engine inspects NTP protocol. There is one NTP signature, the NTPd readvar overflow signature, which fires an alert if a readvar command is seen with NTP data that is too large for the NTP service to capture.

You can tune this signature and create custom signatures based on NTP protocol values, such as mode and size of control packets.

Table M-25 lists the parameters specific to the Service NTP engine.

Table M-25 Service NTP Engine Parameters 

Parameter
Description
Value

inspection-type

Type of inspection to perform.

 

inspect-ntp-packets

Inspects NTP packets:

control-opcode—Opcode number of an NTP control packet according to RFC1305, Appendix B.

max-control-data-size—Maximum allowed amount of data sent in a control packet.

mode—Mode of operation of the NTP packet per RFC 1305.

0 to 65535

is-invalid-data-packet

Looks for invalid NTP data packets. Checks the structure of the NTP data packet to make sure it is the correct size.

true | false

is-non-ntp-traffic

Checks for non-NTP packets on an NTP port.

true | false


RPC Service Engine Options

Table M-26 lists the parameters specific to the Service RPC engine.

Table M-26 Service RPC Engine Parameters 

Parameter
Description
Value

Direction

Direction of traffic:

Traffic from service port destined to client port.

Traffic from client port destined to service port.

From Service To Service

Protocol

Protocol of interest.

TCP UDP

Service Ports

A comma-separated list of ports or port ranges where the target service resides.

0 to 65535

Note The second number in the range must be greater than or equal to the first number.

Specify Regex String

Enables regex fields:

Specify Exact Match Offset

Regex String

Specify Min Match Length

Yes | No

Specify Exact Match Offset

(Optional) Enables exact match offset:

Exact Match Offset—The exact stream offset the regular expression string must report for a match to be valid.

0 to 65535

Regex String

The string to search for.

Specify Min Match Length

(Optional) Enables minimum match length:

Min Match Length—Minimum number of bytes the regular expression string must match.

0 to 65535

Specify Port Map Program

(Optional) Enables the portmapper program:

Port Map Program—The program number sent to the portmapper for this signature.

0 to 9999999999

Specify RPC Program

(Optional) Enables RPC program:

RPC Program—RPC program number for this signature.

0 to 1000000

Specify Spoof Src

(Optional) Enables the spoof source address:

Spoof Src—Fires an alert when the source address is 127.0.0.1.

true | false

Specify RPC Max Length

(Optional) Enables RPC maximum length:

RPC Max Length—Maximum allowed length of the entire RPC message. Lengths longer than what you specify fire an alert.

0 to 65535

Specify RPC Procedure

(Optional) Enables RPC procedure:

RPC Procedure—RPC procedure number for this signature.

0 to 1000000


SMB Advanced Engine Options

Table M-27 lists the parameters specific to the Service SMB Advanced engine.

Table M-27 Service SMB Advanced Engine Parameters 

Parameter
Description
Value

service-ports

A comma-separated list of ports or port ranges where the target service resides.

0 to 65535 a-b[,c-d]

specify-command

(Optional) Enables SMB commands:

command—SMB command value; exact match required; defines the SMB packet type.

0 to 255

specify-direction

(Optional) Enables traffic direction:

direction—Lets you specify the direction of traffic:

from-service—Traffic from service port destined to client port.

to-service—Traffic from client port destined to service port.

from service to service

specify-operation

(Optional) Enables MSRPC over SMB:

msrpc-over-smb-operation—Required for SMB_COM_TRANSACTION commands, exact match required.

0 to 65535

specify-regex-string

(Optional) Enables searching for regex strings:

regex-string—A regular expression to search for in a single TCP packet.

 

specify-exact-match-offset

(Optional) Enables exact match offset:

exact-match-offset—The exact stream offset the Regex string must report for a match to be valid.

 

specify-min-match-length

(Optional) Enables minimum match length:

min-match-length—Minimum number of bytes the Regex string must match.

 

specify-payload-source

(Optional) Enables payload source:

payload-source—Payload source inspection.

 

specify-scan-interval

(Optional) Enables scan interval:

scan-interval—The interval in seconds used to calculate alert rates.

1 to 131071

specify-tcp-flags

(Optional) Enables TCP flags:

msrpc-tcp-flags

msrpc-tcp-flags-mask

concurrent execution

did not execute

first fragment

last fragment

maybe

object UUID

pending cancel

reserved

specify-type

(Optional) Enables type of MSRPC over SMB packet:

type—Type field of MSRPC over SMB packet

0 = Request

2 = Response

11 = Bind

12 = Bind Ack

specify-uuid

(Optional) Enables MSRPC over UUID:

uuid—MSRPC UUID field

32-character string composed of hexadecimal characters 0-9, a-f, A-F.

specify-hit-count

(Optional) Enables hit counting:

hit-count—The threshold number of occurrences in scan-interval to fire alerts.

1 to 65535

swap-attacker-victim

True if address (and ports) source and destination are swapped in the alert message. False for no swap (default).

true | false


SMB Engine Options

The Service SMB engine inspects SMB packets. You can tune SMB signatures and create custom SMB signatures based on SMB control transaction exchanges and SMB NT_Create_AndX exchanges.

Table M-28 lists the parameters specific to the Service SMB engine.

Table M-28 Service SMB Engine Parameters 

Parameter
Description
Value

service-ports

A comma-separated list of ports or port ranges where the target service resides.

0 to 65535 a-b[,c-d]

specify-allocation-hint

(Optional) Enables MSRPC allocation hint:

allocation-hint—MSRPC Allocation Hint, which is used in SMB_COM_TRANSACTION command parsing.

0 to 42949677295

specify-byte-count

(Optional) Enables byte count:

byte-count—Byte count from SMB_COM_TRANSACTION structure.

0 to 65535

specify-command

(Optional) Enables SMB commands:

command—SMB command value.

0 to 255

specify-direction

(Optional) Enables traffic direction:

direction—Lets you specify the direction of traffic:

Traffic from service port destined to client port.

Traffic from client port destined to service port.

from service to service

specify-file-id

(Optional) Enables using a transaction file ID:

file-id—Transaction File ID.

This parameter may limit a signature to a specific exploit instance and its use should be carefully considered.

0 to 65535

specify-function

(Optional) Enables named pipe function:

function—Named Pipe function.

0 to 65535

specify-hit-count

(Optional) Enables hit counting:

hit-count—The threshold number of occurrences in scan-interval to fire alerts.

0 to 65535

specify-operation

(Optional) Enables MSRPC operation:

operation—MSRPC operation requested. Required for SMB_COM_TRANSACTION commands. An exact match is required.

0 to 65535

specify-resource

(Optional) Enables resource:

resource—Specifies that pipe or the SMB filename is used to qualify the alert. In ASCII format. An exact match is required.

resource

specify-scan-interval

(Optional) Enables scan interval:

scan-interval—The interval in seconds used to calculate alert rates.

0 to 131071

specify-set-count

(Optional) Enables counting setup words:

set-count—Number of Setup words.

0 to 255

specify-type

(Optional) Enables searching for the Type field of an MSRPC packet:

type—Type Field of MSRPC packet. 0 = Request; 2 = Response; 11 = Bind; 12 = Bind Ack

0 to 255

specify-word-count

(Optional) Enables word counting for command parameters:

word-count—Word count for the SMB_COM_TRANSACTION command parameters.

0 to 255

swap-attacker-victim

True if address (and ports) source and destination are swapped in the alert message. False for no swap (default).

true | false


SNMP Engine Options

The Service SNMP engine inspects all SNMP packets destined for port 161. You can tune SNMP signatures and create custom SNMP signatures based on specific community names and object identifiers.

Instead of using string comparison or regular expression operations to match the community name and object identifier, all comparisons are made using the integers to speed up the protocol decode and reduce storage requirements.

Table M-29 lists the parameters specific to the Service SNMP engine.

Table M-29 Service SNMP Engine Parameters 

Parameter
Description
Value

inspection-type

Type of inspection to perform.

brute-force-inspection

Inspects for brute force attempts:

brute-force-count—The number of unique SNMP community names that constitute a brute force attempt.

0 to 65535

invalid-packet-inspection

Inspects for SNMP protocol violations.

non-snmp-traffic-inspection

Inspects for non-SNMP traffic destined for UDP port 161.

snmp-inspection

Inspects SNMP traffic:

specify-community-name [yes | no]:

community-name—Searches for the SNMP community name, that is, the SNMP password.

specify-object-id [yes | no]:

object-id—Searches for the SNMP object identifier.

community-name

object-id


SSH Engine Options

The Service SSH engine specializes in port 22 SSH traffic. Because all but the setup of an SSH session is encrypted, the engine only looks at the fields in the setup. There are two default signatures for SSH. You can tune these signatures, but you cannot create custom signatures.

Table M-30 lists the parameters specific to the Service SSH engine.

Table M-30 Service SSH Engine Parameters 

Parameter
Description
Value

length-type

Inspects for one of the following SSH length types:

key-length—Length of the SSH key to inspect for:

length—Keys larger than this fire the RSAREF overflow.

user-length—User length SSH inspection:

length—Keys larger than this fire the RSAREF overflow.

0 to 65535

service-ports

A comma-separated list of ports or port ranges where the target service resides.

0 to 65535 a-b[,c-d]

specify-packet-depth

(Optional) Enables packet depth:

packet-depth—Number of packets to watch before determining the session key was missed.

0 to 65535


STATE Engine Options

Table M-31 lists the parameters specific to the State engine.

Table M-31 State Engine Parameters 

Parameter
Description
Value

State Machine

State machine grouping.

Cisco Login

Specifies the state machine for Cisco login:

state-name—Name of the state required before the signature fires an alert:

Cisco device state

Control-C state

Password prompt state

Start state

cisco-device control-c pass-prompt start

LPR Format String

Specifies the state machine to inspect for the LPR format string vulnerability:

state-name—Name of the state required before the signature fires an alert:

Abort state to end LPR Format String inspection

Format character state

Start state

abort format-char start

Specify Min Match Length

(Optional) Enables minimum match length:

Min Match Length—Minimum number of bytes the regular expression string must match.

0 to 65535

Note The second number in the range must be greater than or equal to the first number.

SMTP

Specifies the state machine for the SMTP protocol:

State Name—Name of the state required before the signature fires an alert:

Abort state to end LPR Format String inspection

Mail body state

Mail header state

SMTP commands state

Start state

abort mail-body mail-header smtp-commands start

Regex String

The string to search for.

Direction

Direction of the traffic:

Traffic from service port destined to client port.

Traffic from client port destined to service port.

From Service To Service

Service Ports

A comma-separated list of ports or port ranges where the target service resides.

0 to 65535

Swap Attacker Victim

Yes if address (and ports) source and destination are swapped in the alert message. No for no swap (default).

Yes | No

Specify Exact Match Offset

(Optional) Enables exact match offset:

Specify Max Match Offset/Specify Min Match Offset—The exact stream offset the regular expression string must report for a match to be valid.

0 to 65535
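The service-ports and port-range parameters in these engine tables all take the same "a-b[,c-d]" list syntax, with the rule noted above that the second number of a range must be greater than or equal to the first. The following parser and validator for that format is an added example, not Cisco's code; the function names and the sample inputs are this example's own.

```python
import re

# Added example (not part of Cisco Security Manager): parse and validate the
# "a-b[,c-d]" port-list syntax used by service-ports / port-range parameters.
# Ports must be 0 to 65535 and the second number of a range must be >= the first.

PORT_MIN, PORT_MAX = 0, 65535
_RANGE_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def parse_port_list(spec):
    """Parse 'a-b[,c-d]' into a sorted list of (low, high) tuples.

    A single port 'a' is returned as (a, a).  Raises ValueError on a malformed
    entry, a port outside 0-65535, or a reversed range such as '8080-8000'.
    """
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        m = _RANGE_RE.match(item)
        if not m:
            raise ValueError(f"malformed port entry: {item!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) is not None else low
        if not (PORT_MIN <= low <= PORT_MAX and PORT_MIN <= high <= PORT_MAX):
            raise ValueError(f"port out of range in {item!r}")
        if high < low:
            # Documented rule: the second number must be >= the first.
            raise ValueError(f"reversed range: {item!r}")
        ranges.append((low, high))
    return sorted(ranges)


def port_matches(port, ranges):
    """True if port falls inside any (low, high) tuple returned by parse_port_list."""
    return any(low <= port <= high for low, high in ranges)


def validate_port_list(spec):
    """Return (ok, message) instead of raising, for form-style validation."""
    try:
        parse_port_list(spec)
        return True, "ok"
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    ranges = parse_port_list("22,80,443,8000-8080")   # constructed sample
    print(ranges, port_matches(8043, ranges), validate_port_list("8080-8000"))
```

Because the validator rejects reversed and out-of-range entries before a policy is built, a typo such as "8080-8000" is caught at entry time instead of silently matching nothing on the sensor.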


String ICMP Engine Options

Table M-32 lists the parameters specific to the String ICMP engine.

Table M-32 String ICMP Engine Parameters 

Parameter
Description
Value

Specify Min Match Length

(Optional) Enables minimum match length:

Min Match Length—Minimum number of bytes the regular expression string must match.

0 to 65535

Regex String

The string to search for.

Direction

Direction of the traffic:

Traffic from service port destined to client port.

Traffic from client port destined to service port.

From Service To Service

ICMP Type

ICMP header TYPE value.

0 to 18

Note The second number in the range must be greater than or equal to the first number.

Swap Attacker Victim

Yes if address (and ports) source and destination are swapped in the alert message. No for no swap (default).

Yes | No

Specify Exact Match Offset

(Optional) Enables exact match offset:

Specify Max Match Offset/Specify Min Match Offset—The exact stream offset the regular expression string must report for a match to be valid.

0 to 65535


String TCP Engine Options

Table M-33 lists the parameters specific to the String TCP engine.

Table M-33 String TCP Engine Parameters 

Parameter
Description
Value

Strip Telnet Options

Strips the Telnet option characters from the data before the pattern is searched.

Note This parameter is primarily used as an IPS anti-evasion tool.

Yes | No

Specify Min Match Length

(Optional) Enables minimum match length:

Min Match Length—Minimum number of bytes the regular expression string must match.

0 to 65535

Regex String

The string to search for.

Service Ports

A comma-separated list of ports or port ranges where the target service resides.

0 to 65535

Note The second number in the range must be greater than or equal to the first number.

Direction

Direction of the traffic:

Traffic from service port destined to client port.

Traffic from client port destined to service port.

From Service To Service

Specify Exact Match Offset

(Optional) Enables exact match offset:

Specify Max Match Offset/Specify Min Match Offset—The exact stream offset the regular expression string must report for a match to be valid.

0 to 65535

Swap Attacker Victim

Yes if address (and ports) source and destination are swapped in the alert message. No for no swap (default).

Yes | No


String UDP Engine Options

Table M-34 lists the parameters specific to the String UDP engine.

Table M-34 String UDP Engine Parameters 

Parameter
Description
Value

Specify Min Match Length

(Optional) Enables minimum match length:

Min Match Length—Minimum number of bytes the regular expression string must match.

0 to 65535

Note The second number in the range must be greater than or equal to the first number.

Regex String

The string to search for.

Service Ports

A comma-separated list of ports or port ranges where the target service resides.

0 to 65535

Direction

Direction of the traffic:

Traffic from service port destined to client port.

Traffic from client port destined to service port.

From Service To Service

Swap Attacker Victim

Yes if address (and ports) source and destination are swapped in the alert message. No for no swap (default).

Yes | No

Specify Exact Match Offset

(Optional) Enables exact match offset:

Specify Max Match Offset/Specify Min Match Offset—The exact stream offset the regular expression string must report for a match to be valid.

0 to 65535


Sweep Other TCP Engine Options

Table M-35 lists the parameters specific to the Sweep Other TCP engine.

Table M-35 Sweep Other TCP Engine Parameters 

Parameter
Description
Value

specify-port-range

(Optional) Enables using a port range for inspection:

port-range—TCP port range used in inspection.

0 to 65535 a-b[,c-d]

set-tcp-flags

Lets you set TCP flags to match:

tcp-flags—TCP flags used in this inspection:

URG bit

ACK bit

PSH bit

RST bit

SYN bit

FIN bit

urg ack psh rst syn fin


Sweep Engine Options

Table M-36 lists the parameters specific to the Sweep engine.

Table M-36 Sweep Engine Parameters 

Parameter
Description
Value

protocol

Protocol of interest for this inspector.

icmp udp tcp

specify-icmp-type

(Optional) Enables the ICMP header type:

icmp-type—ICMP header TYPE value.

0 to 255

specify-port-range

(Optional) Enables using a port range for inspection:

port-range—UDP port range used in inspection.

0 to 65535 a-b[,c-d]

fragment-status

Specifies whether fragments are wanted or not:

Any fragment status.

Do not inspect fragments.

Inspect fragments.

any no-fragments want-fragments

inverted-sweep

Uses source port instead of destination port for unique counting.

true | false

mask

Mask used in TCP flags comparison:

URG bit

ACK bit

PSH bit

RST bit

SYN bit

FIN bit

urg ack psh rst syn fin

storage-key

Type of address key used to store persistent data:

Attacker address

Attacker and victim addresses

Attacker address and victim port

Axxx AxBx Axxb

suppress-reverse

Does not fire when a sweep has fired in the reverse direction on this address set.

true | false

swap-attacker-victim

True if address (and ports) source and destination are swapped in the alert message. False for no swap (default).

true | false

tcp-flags

TCP flags to match when masked by mask:

URG bit

ACK bit

PSH bit

RST bit

SYN bit

FIN bit

urg ack psh rst syn fin

unique

Threshold number of unique port connections between the two hosts.

0 to 65535
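The Sweep engine parameters above (storage-key, tcp-flags and mask, inverted-sweep, suppress-reverse, unique) describe how the sensor counts distinct ports per address key before it fires. The following simplified model of that counting is an added example, not Cisco's code: the packet record, the class and function names, and the constructed traffic are this example's own, and the assumption that the signature fires once the unique-port count exceeds the unique threshold is this example's reading of the table.

```python
from collections import defaultdict

# Added example (not Cisco's code): a simplified model of the Sweep engine's
# unique-port counting driven by the Table M-36 parameters.

FLAG_BITS = {"urg": 0x20, "ack": 0x10, "psh": 0x08, "rst": 0x04, "syn": 0x02, "fin": 0x01}


def flags_value(names):
    """Turn flag names (urg ack psh rst syn fin) into a bitmask."""
    return sum(FLAG_BITS[n] for n in names)


def make_packet(src, dst, sport, dport, flags=("syn",), proto="tcp"):
    """Constructed packet record used by this example (not a real capture)."""
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "flags": flags_value(flags), "proto": proto}


def storage_key_for(pkt, storage_key):
    """Axxx = attacker address; AxBx = attacker and victim addresses;
    Axxb = attacker address and victim port (meaningful with inverted-sweep)."""
    if storage_key == "Axxx":
        return (pkt["src"],)
    if storage_key == "AxBx":
        return (pkt["src"], pkt["dst"])
    if storage_key == "Axxb":
        return (pkt["src"], pkt["dport"])
    raise ValueError(f"unknown storage-key {storage_key!r}")


class SweepDetector:
    def __init__(self, protocol="tcp", unique=5, storage_key="AxBx",
                 tcp_flags=("syn",), mask=("syn", "ack"),
                 inverted_sweep=False, suppress_reverse=True):
        self.protocol = protocol
        self.unique = unique                  # threshold of unique ports
        self.storage_key = storage_key
        self.flags = flags_value(tcp_flags)   # tcp-flags to match
        self.mask = flags_value(mask)         # mask applied before comparing
        self.inverted = inverted_sweep        # count source ports instead
        self.suppress_reverse = suppress_reverse
        self.seen = defaultdict(set)          # key -> set of unique ports
        self.fired = set()                    # keys that already alerted

    def _matches(self, pkt):
        if pkt["proto"] != self.protocol:
            return False
        if self.protocol == "tcp":
            # Only the bits selected by mask take part in the comparison.
            return (pkt["flags"] & self.mask) == (self.flags & self.mask)
        return True

    def feed(self, pkt):
        """Process one packet; return an alert dict when the threshold is exceeded."""
        if not self._matches(pkt):
            return None
        key = storage_key_for(pkt, self.storage_key)
        port = pkt["sport"] if self.inverted else pkt["dport"]
        self.seen[key].add(port)
        # Assumption: fire once the unique count exceeds the unique threshold.
        if len(self.seen[key]) <= self.unique or key in self.fired:
            return None
        if self.suppress_reverse and self.storage_key == "AxBx":
            # suppress-reverse: stay quiet if the reverse direction already fired.
            if (pkt["dst"], pkt["src"]) in self.fired:
                return None
        self.fired.add(key)
        return {"attacker": pkt["src"], "victim": pkt["dst"],
                "unique_ports": len(self.seen[key])}


if __name__ == "__main__":
    det = SweepDetector(unique=3)
    for i in range(5):
        print(det.feed(make_packet("10.0.0.1", "10.0.0.2", 40000 + i, 20 + i)))
```

The mask parameter is what keeps a SYN-only signature from counting the victim's SYN/ACK replies: with mask = syn ack and tcp-flags = syn, a packet carrying both bits compares unequal and is ignored, which is the behaviour the tcp-flags and mask rows describe.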


TNS Service Engine Options

Table M-37 lists the parameters specific to the Service TNS engine.

Table M-37 Service TNS Engine Parameters 

Parameter
Description
Value

type

Specifies the TNS frame value type:

1—Connect

2—Accept

4—Refuse

5—Redirect

6—Data

11—Resend

12—Marker

1 2 4 5 6 11 12

specify-regex-string

(Optional) Enables using a regular expression string:

specify-exact-match-offset—Enables the exact match offset:

exact-match-offset—The exact stream offset the regular expression string must report for a match to be valid.

specify-min-match-length—Enables the minimum match length:

min-match-length—Minimum number of bytes the regular expression string must match.

0 to 65535

specify-regex-payload

Specifies which protocol to inspect:

TCP data—Performs Regex over the data portion of the TCP packet.

TNS data—Performs Regex only over the TNS data (with all white space removed).

TCP TNS


Traffic ICMP Engine Options

The Traffic ICMP engine analyzes nonstandard protocols, such as TFN2K, LOKI, and DDoS. There are only two signatures (based on the LOKI protocol) with user-configurable parameters.

TFN2K is the newer version of TFN. It is a DDoS agent that is used to control coordinated attacks by infected computers (zombies) to target a single computer (or domain) with bogus traffic floods from hundreds or thousands of unknown attacking hosts. TFN2K sends randomized packet header information, but it has two discriminators that can be used to define signatures: whether the L3 checksum is incorrect, and whether the character 64 'A' is found at the end of the payload. TFN2K can run on any port and can communicate with ICMP, TCP, UDP, or a combination of these protocols.

LOKI is a type of back door Trojan. When the computer is infected, the malicious code creates an ICMP tunnel that can be used to send a small payload in ICMP replies (which may go straight through a firewall if it is not configured to block ICMP). The LOKI signatures look for an imbalance of ICMP echo requests to replies and simple ICMP code and payload discriminators.

The DDoS category (excluding TFN2K) targets ICMP-based DDoS agents. The main tools used here are TFN and Stacheldraht. They are similar in operation to TFN2K, but rely on ICMP only and have fixed commands: integers and strings.

Table M-38 lists the parameters specific to the Traffic ICMP engine.

Table M-38 Traffic ICMP Engine Parameters 

Parameter
Description
Value

parameter-tunable-sig

Whether this signature has configurable parameters.

yes | no

inspection-type

Type of inspection to perform:

Inspects for original LOKI traffic.

Inspects for modified LOKI traffic.

is-loki is-mod-loki

reply-ratio

Imbalance of replies to requests. The alert fires when there are this many more replies than requests.

0 to 65535

want-request

Requires an ECHO REQUEST be seen before firing the alert.

true | false


Edit Signature Parameter—Component List Dialog Box

Use the Edit Signature Parameter—Component List dialog box to edit the component list for the meta engine.

Navigation Path

(Device view) Select IPS > Signatures > Signatures from the Policy selector. Right-click a row containing a signature that uses the meta engine, and then click Edit Row in the shortcut menu that appears. Click Edit Parameters. In the Edit Signature Parameters dialog box, click List in the Value column.

Add Signature Parameter—List Entry Dialog Box

Use the Add Signature Parameter—List Entry dialog box to add components of the meta engine.

Edit Signature Parameter—List Entry Dialog Box

Use the Edit Signature Parameter—List Entry dialog box to edit components of the meta engine.

Obsoletes Dialog Box

Use the Obsoletes dialog box to identify obsolete signatures associated with a particular signature.

Add an Entry Dialog Box

Use the Add an Entry dialog box to add obsolete signatures associated with a particular signature.

Settings Page

Use the Settings page to define application policy (enable HTTP, maximum number of HTTP requests, AIC web ports, and enable FTP), fragment reassembly policy, stream reassembly policy, and IP logging policy. These settings result in policies that can be shared but not inherited. When a new IPS device is added, it has a local policy that contains the default settings for all signatures.

Navigation Path

(Device view) Select IPS > Signatures > Settings from the Policy selector.

(Policy view) Select IPS > Signatures > Signature Settings from the Policy Type selector. Right-click Signature Settings to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

Signature Policies

Accessing the Cisco NSDB

Field Reference

Table M-39 Settings Page 

Element
Description

Enable HTTP

Enables protection for web services. Select Yes to require the sensor to inspect HTTP traffic for compliance with the RFC.

Max HTTP Requests

Specifies the maximum number of outstanding HTTP requests per connection.

AIC Web Ports

Specifies the variable for ports to look for AIC traffic.

Enable FTP

Enables protection for FTP services. Select Yes to require the sensor to inspect FTP traffic.

IP Reassembly Mode

Identifies the method the sensor uses to reassemble the fragments, based on the operating system.

TCP Handshake Required

Specifies that the sensor should only track sessions for which the three-way handshake is completed.

TCP Reassembly Mode

Specifies the mode the sensor should use to reassemble TCP sessions with the following options:

Asymmetric—May only be seeing one direction of bidirectional traffic flow.

Note Asymmetric mode lets the sensor synchronize state with the flow and maintain inspection for those engines that do not require both directions. Asymmetric mode lowers security because full protection requires both sides of traffic to be seen.

Loose—Use in environments where packets might be dropped.

Strict—If a packet is missed for any reason, all packets after the missed packet are not processed.

Max IP Log Packets

Identifies the number of packets you want logged.

IP Log Time

Identifies the duration you want the sensor to log. A valid value is 1 to 60 seconds. The default is 30 seconds.

Max IP Log Bytes

Identifies the maximum number of bytes you want logged.

Save

Applies your changes and saves the revised configuration.


Anomaly Detection Page

Use the Anomaly Detection page to configure anomaly detection. The anomaly detection policy can be shared but not inherited.

The following tabs are available on the Anomaly Detection page:

Anomaly Detection Page > Operation Settings Tab

Anomaly Detection Page > Learning Accept Mode Tab

Anomaly Detection Page > Internal Zone, External Zone, and Illegal Zone Tabs

Navigation Path

(Device view) Select IPS > Anomaly Detection from the Policy selector.

Related Topics

Configuring Anomaly Detection, page 13-13

Explaining Anomaly Detection, page 13-14

Worm Viruses, page 13-14

Learning Mode, page 13-15

Anomaly Detection Zones, page 13-15

Anomaly Detection Page > Operation Settings Tab

Use the Operation Settings tab of the Anomaly Detection page to configure the worm timeout and the IP addresses that will be ignored during anomaly detection processing.

Navigation Path

(Device view) Select IPS > Anomaly Detection from the Policy selector. Click Operation Settings.

Related Topics

Configuring Anomaly Detection, page 13-13

Explaining Anomaly Detection, page 13-14

Worm Viruses, page 13-14

Learning Mode, page 13-15

Anomaly Detection Zones, page 13-15

Anomaly Detection Page > Learning Accept Mode Tab

Anomaly Detection Page > Internal Zone, External Zone, and Illegal Zone Tabs

Field Reference

Table M-40 Operation Settings Tab 

Element
Description

Worm Timeout

The number of seconds you want to wait for a worm termination to time out. The range is 120 to 10,000,000 seconds. The default is 600 seconds.

Enabled Ignored Addresses

When selected, enables the lists of ignored source IP addresses and destination IP addresses. You must select the Enabled check box or none of the lists of ignored IP addresses you enter will be enabled.

Source Addresses to Ignore

The source IP address(es), or range(s) of source IP addresses, that you want the anomaly detection module to ignore. The valid form is 10.10.5.5,10.10.2.1-10.10.2.30.

Destination Addresses to Ignore

The destination IP address(es), or range(s) of destination IP addresses, that you want the anomaly detection module to ignore. The valid form is 10.10.5.5,10.10.2.1-10.10.2.30.

Save

Applies your changes and saves the revised configuration.


Anomaly Detection Page > Learning Accept Mode Tab

Use the Learning Accept Mode tab of the Anomaly Detection page to specify if and when the learning knowledge base in the anomaly detection module will be saved or loaded.

Navigation Path

(Device view) Select IPS > Anomaly Detection from the Policy selector. Click Learning Accept Mode.

Related Topics

Configuring Anomaly Detection, page 13-13

Explaining Anomaly Detection, page 13-14

Worm Viruses, page 13-14

Learning Mode, page 13-15

Anomaly Detection Zones, page 13-15

Anomaly Detection Page > Operation Settings Tab

Anomaly Detection Page > Internal Zone, External Zone, and Illegal Zone Tabs

Field Reference

Table M-41 Learning Accept Mode Tab 

Element
Description

Automatically accept learning knowledge base

When selected, the anomaly detection module updates the knowledge base. When deselected, the anomaly detection module does not create a knowledge base. When you choose to automatically accept the learning knowledge base, you can specify the action, such as to only save the learned thresholds or to rotate (save and load) the learned thresholds automatically. You can also specify the time schedules upon which snapshots of the learning knowledge base will be taken and loaded. If you choose "Periodic Schedule," you need to specify the start time, which is the time to start the first learning knowledge base snapshot, and also the learning interval, which is the number of hours to wait between automatically performing learning knowledge base snapshots.

Action

Specifies whether to rotate or save the knowledge base:

Save Only—Creates a new knowledge base. You can examine it and decide whether to load it into the anomaly detection module.

Rotate—Creates a new knowledge base and loads it according to the schedule you choose.

Schedule

Allows you to choose Calendar Schedule or Periodic Schedule:

Periodic Schedule—Allows you to configure the first learning snapshot time of day and the interval of the subsequent snapshots.

Calendar Schedule—Allows you to configure the days and times of the day for the knowledge base to be created.

The default schedule is the periodic schedule in 24-hour format.

Times of Day

Appears when you select Calendar from the Schedule list. Allows you to configure the days and times of the day for the knowledge base to be created. The valid format is hh:mm:ss.

Days of the Week

Appears when you select Calendar from the Schedule list. Lets you choose the days of the week on which the knowledge base is created.

Start Time

Appears when you select Periodic from the Schedule list. Specifies the time of day at which the first learning knowledge base snapshot is taken. The valid format is hh:mm:ss.

Learning Interval in hours

Appears when you select Periodic from the Schedule list. Specifies the time, in hours, that you want the anomaly detection module to learn from the network before creating a new knowledge base.


Times Of Day Dialog Box

Use the Times Of Day dialog box when using the Calendar Schedule selection, not the Periodic Schedule selection, on the Learning Accept Mode tab of the Anomaly Detection page. The Times Of Day dialog box appears as either Add Times Of Day or Modify Times Of Day.

In the Add appearance of the Times Of Day dialog box, add the clock hour times of day that you want anomaly detection to accept the learning knowledge base.

In the Modify appearance of the Times Of Day dialog box, modify the clock hour times of day that you want anomaly detection to accept the learning knowledge base.

Days Of Week Dialog Box

Use the Days of Week dialog box when using the Calendar Schedule selection, not the Periodic Schedule selection, on the Learning Accept Mode tab of the Anomaly Detection page. The Days Of Week dialog box appears as either Add Days Of Week or Modify Days Of Week.

In the Add appearance of the Days Of Week dialog box, add the days of the week that you want anomaly detection to accept the learning knowledge base.

In the Modify appearance of the Days Of Week dialog box, modify the days of the week that you want anomaly detection to accept the learning knowledge base.

Anomaly Detection Page > Internal Zone, External Zone, and Illegal Zone Tabs

The Anomaly Detection module divides the network into three zones, each represented by a unique tab:

Internal Zone Tab. The internal zone should represent your internal network. It should receive all the traffic that comes to your IP address range.

External Zone Tab. The external zone is the default zone with the default Internet range of 0.0.0.0-255.255.255.255. By default, the internal and illegal zones contain no IP addresses. Packets that do not match the set of IP addresses in the internal or illegal zone are handled by the external zone.

Illegal Zone Tab. The illegal zone should represent IP address ranges that should never be seen in normal traffic, for example, unallocated IP addresses or part of your internal IP address range that is unoccupied.

Each of these three zones has its own designated set of IP addresses.
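The zone rules above (internal and illegal zones hold explicit address sets, the external zone is the catch-all) and the ignored source and destination address lists on the Operation Settings tab both use the same "10.10.5.5,10.10.2.1-10.10.2.30" address-list format. The following parser and classifier is an added example, not Cisco's code; the class and function names and the sample addresses are this example's own, and checking the internal zone before the illegal zone when a range is listed in both is this example's assumption.

```python
import ipaddress

# Added example (not Cisco's code): parse the "a,b-c" IPv4 address-list format
# and classify a packet's destination into the internal, illegal or external
# zone, honouring the Enabled Ignored Addresses setting.


def parse_address_list(spec):
    """Return a list of (low, high) IPv4Address pairs from 'a,b-c' syntax."""
    entries = []
    if not spec.strip():
        return entries
    for item in spec.split(","):
        item = item.strip()
        if "-" in item:
            lo, hi = (ipaddress.IPv4Address(p.strip()) for p in item.split("-", 1))
        else:
            lo = hi = ipaddress.IPv4Address(item)
        if hi < lo:
            raise ValueError(f"reversed range: {item!r}")
        entries.append((lo, hi))
    return entries


def in_list(addr, entries):
    """True if addr (dotted string) falls inside any (low, high) pair."""
    a = ipaddress.IPv4Address(addr)
    return any(lo <= a <= hi for lo, hi in entries)


class ZoneClassifier:
    def __init__(self, internal="", illegal="", ignore_src="", ignore_dst="",
                 ignore_enabled=True):
        self.internal = parse_address_list(internal)
        self.illegal = parse_address_list(illegal)
        # Without the Enabled check box, the ignore lists have no effect.
        self.ignore_src = parse_address_list(ignore_src) if ignore_enabled else []
        self.ignore_dst = parse_address_list(ignore_dst) if ignore_enabled else []

    def zone_for(self, dst):
        # Assumption: internal is checked before illegal.  The external zone is
        # 0.0.0.0-255.255.255.255, so anything not matched above lands there.
        if in_list(dst, self.internal):
            return "internal"
        if in_list(dst, self.illegal):
            return "illegal"
        return "external"

    def classify(self, src, dst):
        """Return None when the packet is ignored, otherwise the destination zone."""
        if in_list(src, self.ignore_src) or in_list(dst, self.ignore_dst):
            return None
        return self.zone_for(dst)


if __name__ == "__main__":
    zc = ZoneClassifier(internal="10.10.0.0-10.10.255.255",
                        illegal="10.99.0.0-10.99.255.255,192.0.2.7",
                        ignore_src="10.10.5.5", ignore_dst="10.10.2.1-10.10.2.30")
    for src, dst in [("198.51.100.4", "10.10.7.7"), ("198.51.100.4", "10.99.1.1"),
                     ("198.51.100.4", "203.0.113.9"), ("10.10.5.5", "10.10.7.7")]:
        print(src, dst, zc.classify(src, dst))   # constructed sample addresses
```

Running the classifier over a sample of your own traffic before enabling anomaly detection is a quick way to confirm that the internal zone really covers your address range and that nothing unexpected is falling into the illegal zone.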

The following tabs are available on each of the zone tabs:

General Sub-Tab

TCP Protocol Sub-Tab

UDP Protocol Sub-Tab

Other Protocols Sub-Tab

Navigation Path

(Device view) Select IPS > Anomaly Detection from the Policy selector. Click the Internal Zone tab.

(Device view) Select IPS > Anomaly Detection from the Policy selector. Click the Illegal Zone tab.

(Device view) Select IPS > Anomaly Detection from the Policy selector. Click the External Zone tab.

Related Topics

Configuring Anomaly Detection, page 13-13

Explaining Anomaly Detection, page 13-14

Worm Viruses, page 13-14

Learning Mode, page 13-15

Anomaly Detection Zones, page 13-15

Anomaly Detection Page > Operation Settings Tab

Anomaly Detection Page > Learning Accept Mode Tab

General Sub-Tab

Use the General Sub-tab to enable the selected zone. In the case of the Internal and External zone, you can also identify the Service Subnets of those zones.

Field Reference

Table M-42 General Sub-Tab 

Element
Description

Enable this zone check box

If checked, enables the selected zone.

Service Subnets

(Visible on Internal and External Zones tabs only) Lets you enter the subnets that you want to apply to the selected zone.

The valid format is 10.10.5.5,10.10.2.1-10.10.2.30.


TCP Protocol Sub-Tab

Use the TCP Protocol Sub-tab to enter TCP Destination Port Maps and to configure threshold histogram properties.

Related Topics

Dest Port Map Dialog Box

Histogram Dialog Box

Field Reference

Table M-43 TCP Protocol Sub-Tab 

Element
Description

Enabled check box

If checked, enables the selected zone.

Destination Port Map

Lists the TCP destination port maps that you entered for the selected zone. Use the Dest Port Map dialog box to add or modify entries.

Scanner Threshold

Lets you set the scanner threshold.

The valid range is 5 to 1000. The default is 200.

Threshold Histogram

Displays the histograms that you added.

Number of Destination IP Addresses—Displays the number of destination IP addresses that you added.

Number of Source IP Addresses—Displays the number of source IP addresses that you added.


Dest Port Map Dialog Box

Use the Dest Port Map dialog box to add or modify destination ports for the selected protocol. The Dest Port Map dialog box appears as either Add Dest Port Map or Modify Dest Port Map.

Field Reference

Table M-44 Destination Port Dialog Box 

Element
Description

Destination Port Number

Lets you enter the destination port number.

The valid range is 0 to 65535.

Enabled check box

If checked, enables the service.

Override Scanner Settings check box

If checked, overrides the default scanner settings and lets you add, edit, delete, and select all histograms.

Scanner Threshold

Lets you set the scanner threshold.

The valid range is 5 to 1000. The default is 200.

Threshold Histogram

Displays the histograms that you added.

Number of Destination IP Addresses—Displays the number of destination IP addresses that you added.

Number of Source IP Addresses—Displays the number of source IP addresses that you added.


Histogram Dialog Box

Use the Histogram dialog box if you want to override the scanner settings instead of using the default histograms. Use the Histogram dialog box if you want to modify a previously defined histogram for the selected protocol.

The knowledge base has a tree structure and contains the following information:

Knowledge base name

Zone name

Protocol

Service

The knowledge base holds a scanner threshold and a histogram for each service. If you have learning accept mode set to auto and the action set to rotate, a new knowledge base is created every 24 hours and used in the next 24 hours. If you have learning accept mode set to auto and the action is set to save only, a new knowledge base is created, but the current knowledge base is used. If you do not have learning accept mode set to auto, no knowledge base is created. For more information, see Anomaly Detection Page > Learning Accept Mode Tab.


Note Anomaly detection learning mode uses the sensor local time.


The scanner threshold defines the maximum number of zone IP addresses that a single source IP address can scan. The histogram threshold defines the maximum number of source IP addresses that can scan more than the specified numbers of zone IP addresses.

Anomaly detection identifies a worm attack when the traffic deviates from the histogram that it learned while no attack was in progress, that is, when more source IP addresses than the histogram allows concurrently scan more than the defined number of zone destination IP addresses. For example, if the scanner threshold for port 445 is 300 and anomaly detection identifies a source that scans 350 zone destination IP addresses, it produces an action indicating that a mass scanner was detected. However, a single scanner does not yet verify that a worm attack is in progress. Table M-45 describes this example.

Table M-45 Example Histogram 

Number of source IP addresses        10    5     2

Number of destination IP addresses    5   20   100


When anomaly detection identifies six concurrent source IP addresses that scan more than 50 zone destination IP addresses on port 445, it produces an action with an unspecified source IP address that indicates anomaly detection has identified a worm attack on port 445. The dynamic filter threshold, 50, specifies the new internal scanning threshold and causes anomaly detection to lower the threshold definition of a scanner so that anomaly detection produces additional dynamic filters for each source IP address that scans more than the new scanning threshold (50).

You can override what the knowledge base learned per anomaly detection policy and per zone. If you understand your network traffic, you may want to use overrides to limit false positives.
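The scanner threshold and histogram logic described above is simple enough to model directly, which helps when deciding whether an override is justified for a given port. The following model is an added example, not Cisco's code: the flow records are constructed tuples, the function names are this example's own, and the bucket semantics (a histogram bucket is violated when more sources than it allows each scan more than its destination count, and the smallest violated bucket becomes the new dynamic threshold) are this example's reading of the text.

```python
from collections import defaultdict

# Added example (not Cisco's code): scanner threshold plus threshold histogram
# check over constructed flow records of the form (src, dst, dport).


def distinct_destinations(flows, port):
    """Count distinct zone destinations per source on one destination port."""
    per_src = defaultdict(set)
    for src, dst, dport in flows:
        if dport == port:
            per_src[src].add(dst)
    return {src: len(dsts) for src, dsts in per_src.items()}


def find_scanners(dest_counts, scanner_threshold):
    """Sources that scanned more zone addresses than the scanner threshold."""
    return sorted(src for src, n in dest_counts.items() if n > scanner_threshold)


def check_histogram(dest_counts, histogram):
    """histogram maps destination-count bucket -> allowed number of sources.

    Returns the smallest violated bucket, or None if traffic fits the histogram.
    """
    violated = []
    for dest_bucket, max_sources in histogram.items():
        sources = sum(1 for n in dest_counts.values() if n > dest_bucket)
        if sources > max_sources:
            violated.append(dest_bucket)
    return min(violated) if violated else None


def analyze_port(flows, port, scanner_threshold, histogram):
    dest_counts = distinct_destinations(flows, port)
    result = {"port": port,
              "scanners": find_scanners(dest_counts, scanner_threshold),
              "worm": False,
              "dynamic_threshold": scanner_threshold,
              "dynamic_filters": []}
    bucket = check_histogram(dest_counts, histogram)
    if bucket is not None:
        # Worm detected: the violated bucket becomes the lower scanning
        # threshold and every source above it gets a dynamic filter.
        result["worm"] = True
        result["dynamic_threshold"] = bucket
        result["dynamic_filters"] = sorted(
            src for src, n in dest_counts.items() if n > bucket)
    return result


# Table M-45 histogram: 10 sources may scan >5 addresses, 5 may scan >20, 2 may scan >100.
EXAMPLE_HISTOGRAM = {5: 10, 20: 5, 100: 2}


def constructed_flows(with_worm=True):
    """Constructed sample traffic: one host touching 250 addresses on 445 and,
    when with_worm is set, seven more hosts each touching 25 addresses."""
    flows = [("10.1.0.1", "10.2.0.1", 80), ("10.1.0.2", "10.2.0.1", 80)]
    flows += [("10.1.0.99", f"10.3.{d // 200}.{d % 200 + 1}", 445) for d in range(250)]
    if with_worm:
        for h in range(7):
            flows += [(f"10.1.0.{h + 1}", f"10.2.{h + 1}.{d + 1}", 445) for d in range(25)]
    return flows


if __name__ == "__main__":
    print(analyze_port(constructed_flows(), 445, 200, EXAMPLE_HISTOGRAM))
```

In the constructed traffic a single host scanning 250 addresses is reported as a mass scanner but does not trip the histogram; it is the seven additional hosts each scanning 25 addresses (more than the five allowed above the 20-address bucket) that turn the verdict into a worm and lower the threshold to 20, which is the behaviour the dynamic filter description above calls for.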

Related Topics

Learning Mode, page 13-15

TCP Protocol Sub-Tab

UDP Protocol Sub-Tab

Other Protocols Sub-Tab

Dest Port Map Dialog Box

Protocol Map Dialog Box

Field Reference

Table M-46 Histogram Dialog Box 

Element
Description

Number of Destination IP Addresses

Lets you add a high, medium, or low number of destination IP addresses.

Low is 5 destination IP addresses, medium is 20, and high is 100.

Number of Source IP Addresses

Lets you add the number of source IP addresses.

The valid range is 0 to 4096.


UDP Protocol Sub-Tab

Use the UDP Protocol Sub-tab of the selected zone tab to enter UDP Destination Port Maps and to configure threshold histogram properties.

Related Topics

Dest Port Map Dialog Box

Histogram Dialog Box

Field Reference

Table M-47 UDP Protocol Sub-Tab 

Element
Description

Enabled check box

If checked, enables the selected zone.

Destination Port Map

Lists the UDP destination port maps that you entered for the selected zone. Use the Dest Port Map dialog box to add or modify entries.

Scanner Threshold

Lets you set the scanner threshold.

The valid range is 5 to 1000. The default is 200.

Threshold Histogram

Displays the histograms that you added.

Number of Destination IP Addresses—Displays the number of destination IP addresses that you added.

Number of Source IP Addresses—Displays the number of source IP addresses that you added.


Other Protocols Sub-Tab

Use the Other Protocols Sub-tab of the selected zone tab to enter protocol number maps for protocols other than TCP and UDP and to configure threshold histogram properties.

Related Topics

Dest Port Map Dialog Box

Histogram Dialog Box

Field Reference

Table M-48 Other Protocol Sub-Tab 

Element
Description

Enabled check box

If checked, enables the selected zone.

Protocol Number Map

Lists the protocol number maps that you entered for the selected zone. Use the Protocol Map dialog box to add or modify entries.

Scanner Threshold

Lets you set the scanner threshold.

The valid range is 5 to 1000. The default is 200.

Threshold Histogram

Displays the histograms that you added.

Number of Destination IP Addresses—Displays the number of destination IP addresses that you added.

Number of Source IP Addresses—Displays the number of source IP addresses that you added.


Protocol Map Dialog Box

Use the Protocol Map dialog box to specify protocols other than TCP and UDP. You can either use the default thresholds or override the scanner settings and add your own thresholds and histograms. The Protocol Map dialog box appears as either Add Protocol Map or Modify Protocol Map.

Related Topics

Other Protocols Sub-Tab

Histogram Dialog Box

Field Reference

Table M-49 Protocol Map Dialog Box 

Element
Description

Protocol Number

Lets you enter the protocol number.

The valid range is 0 to 255.

Enabled check box

If checked, enables the service.

Override Scanner Settings check box

If checked, overrides the default scanner settings and lets you add, edit, delete, and select all histograms.

Scanner Threshold

Lets you set the scanner threshold.

The valid range is 5 to 1000. The default is 200.

Threshold Histogram

Displays the histograms that you added.

Number of Destination IP Addresses—Displays the number of destination IP addresses that you added.

Number of Source IP Addresses—Displays the number of source IP addresses that you added.


Denied Attackers Page

Use the Denied Attackers page to perform these tasks regarding denied attackers:

To display the IP addresses of denied attackers

To display the IP addresses of victims

To display the port numbers of victims

Navigation Path

(Device view) Select IPS > Denied Attackers from the Policy selector.

Related Topics

Denied Attacker Dialog Box

Field Reference

Table M-50 Denied Attackers Table 

Element
Description

Attacker IP

IP address of the attacker that the sensor is denying.

Victim IP

IP address of the victim that the sensor is denying.

Victim Port

Port number of the victim that the sensor is denying.

Add button

Opens the Denied Attacker dialog box so that you can add a denied attacker.

Edit button

Opens the Denied Attacker dialog box so that you can edit the selected entry. If more than one row is selected, the Edit option is disabled.

Delete button

Removes the selected denied attacker entries from the table.


Denied Attacker Dialog Box

Use the Denied Attacker dialog box to add a denied attacker or to edit the properties of a denied attacker that you already added.

Navigation Path

(Device view) Select IPS > Denied Attackers from the Policy selector. Click the Add button or the Edit button.

Related Topics

Denied Attackers Page

Field Reference

Table M-51 Denied Attacker Dialog Box 

Element
Description

Attacker IP

IP address of the attacker that the sensor is denying.

Specify Victim Address or Port check box

When selected, enables the Victim IP and Victim Port fields.

Victim IP

(Optional) IP address of the victim the sensor is denying. Enabled only when the Specify Victim Address or Port check box is selected.

Victim Port

(Optional) Port of the host the sensor is denying. Enabled only when the Specify Victim Address or Port check box is selected.


Event Action Policies

The pages that you access from the Event Actions folder from the Policies selector in Device View enable you to configure event actions and related settings.

These topics describe the main pages available from the Event Actions folder:

Event Action Filters Page

Event Action Overrides Page

Network Information Page

Event Actions > Settings Page

Event Action Filters Page

Use the Event Action Filters page to remove specific actions from an event or to discard an entire event and prevent further processing by the sensor.

Navigation Path

(Device view) Select IPS > Event Actions > Event Action Filters from the Policy selector.

Related Topics

Event Action Policies

Filter Item Dialog Box

Field Reference

Table M-52 Event Action Filters Page 

Element
Description

Name

Identifies the filter by unique name.

IDs

Identifies the signature.

Subs

Identifies the subsignature.

Attackers

Identifies the IP address (or range) of the attacking host that triggers the filter.

Attack Ports

Identifies the port used by the attacker host that triggers the filter.

Victims

Identifies the IP address (or range) of the host targeted by the attacker that triggers the filter.

Victim Ports

Identifies the port targeted by the attacker host that triggers the filter.

Actions

Indicates the actions removed from the event when the filter is triggered.

RR

Indicates the risk rating range that triggers this event action filter. For detailed information on risk rating, see Calculating the Risk Rating in Installing and Using Cisco Intrusion Prevention System Device Manager 6.0.

Stop

Identifies whether or not this event will be processed against remaining filters in the event action filters list.

Active

Identifies whether the filter is in the filter list.

Up Row button

Moves the selected row up in the table.

A first match rule order determines which filter is applied. If the conditions of an event match those defined for a filter, and the filter has the Stop field set to Yes, that filter is applied and no additional filters are considered. You should order the more restrictive rules before general rules in the table.

Down Row button

Moves the selected row down in the table.

Add button

Opens the Add Filter Item dialog box.

Edit button

Opens the Edit Filter Item dialog box.

Delete button

Removes the selected row from the EAF table.


Filter Item Dialog Box

Use the Filter Item dialog box to add items to a filter, remove items from a filter, and otherwise define the filter. Also, use the Filter Item dialog box to edit items in an existing filter.

The Filter Item dialog box appears as either Add Filter Item or Edit Filter Item.

In the Add appearance of the Filter Item dialog box, add items to a filter, remove items from a filter, and otherwise define the filter.

In the Modify appearance of the Filter Item dialog box, edit items in an existing filter.

Navigation Path

(Device view) Select IPS > Event Actions > Event Action Filters from the Policy selector. Click the Add button or the Edit button to open the Filter Item dialog box.

Related Topics

Event Action Policies

Event Action Filters Page

Field Reference

Table M-53 Filter Item Dialog Box 

Element
Description

Enabled

When selected, indicates that the filter is enabled.

The default value is checked (enabled).

If a filter is active but not enabled, it will still be included in the ordering list; it will be processed, but it will not be used.

Active

When selected, indicates that the filter has been put into the filter list and will take effect on filtering events.

The default value is unchecked (not active).

If a filter is not active, then it will not be included at all in the ordering of the filters; it will not be processed at all.

Name

Lets you name the filter you are adding.

You need to name your filters so that you can move them around in the list and move them to the inactive list if needed.

The following characters are valid for filter names:

a-z, A-Z, 0-9, -, . (dot or period), : (colon), and _ (underscore).

Signature IDs

Identifies the unique numerical value assigned to this signature.

This value lets the sensor identify a particular signature. You can also enter a range of signatures. The default value is the range 900-65535.

SubSignature ID

Identifies the unique numerical value assigned to this subsignature.

The subSig ID identifies a more granular version of a broad signature. You can also enter a range of subSig IDs. The default value is the range of 0-255.

Attacker Address

Identifies the IP address of the host that sent the offending packet.

You can also enter a range of addresses. The default value is a range of all addresses (0.0.0.0-255.255.255.255).

Attacker Port

Identifies the port used by the attacker host.

This is the port from which the offending packet originated. You can also enter a range of ports. The default value is a range of all ports (0-65535).

Victim Address

Identifies the IP address of the host targeted by the attacker.

You can also enter a range of addresses. The default value is a range of all addresses (0.0.0.0-255.255.255.255).

Victim Port

Identifies the port targeted by the attacker host. Valid values are between 0-65535.

This is the port to which the offending packet was sent. You can also enter a range of ports. The default value is a range of all ports (0-65535).

Risk Rating Min. and Max.

Indicates the RR range between 0 and 100 that should be used to trigger this event action filter. The default value is the complete range (0-100).

If an event occurs with an RR that falls within the minimum-maximum range you configure here, the event is processed against the rules of this event filter.

OS Relevance

Indicates whether the alert is relevant to the OS that has been identified for the victim. Possible values include one or more of the following: Not Relevant, Relevant, Unknown. Hold CTRL or SHIFT while clicking on the items to select multiple values.

Note OS Relevance is applicable only to IPS 6.x devices, so for IOS IPS devices, this field is read-only and cannot be edited, and for IPS 5.x devices, this field is blank.

Comments

Displays the user comments associated with this filter.

Actions to Subtract

Indicates the actions that should be removed from the event, should the conditions of the event meet the criteria of the event action filter. You can select one or more actions in this list box. All selected actions are removed from the event. Hold CTRL or SHIFT while clicking on the items to select multiple values. For more information about the possible actions, see Edit Actions Dialog Box.

For IOS IPS devices, the possible values are restricted to:

Deny Attacker Inline blocks the attacker's source IP address completely. No connection can be established from the attacker to the router until the shun time expires (this time is set by the user).

Deny Connection Inline blocks the appropriate TCP flow from the attacker. Other connections from the attacker can be established to the router.

Deny Packet Inline discards the packet without sending a reset. Cisco recommends using "drop and reset" in conjunction with alarm.

Produce Alert sends a notification about the attack through syslog or SDEE.

Reset TCP Connection is effective for TCP-based connections and sends a reset to both the source and destination addresses. For example, in case of a half-open SYN attack, Cisco IOS IPS can reset the TCP connections.

% to Deny

Indicates the percentage of packets to deny for deny attacker features. Valid values range between 1 and 100%.

Note For IOS IPS devices, this field is read only and cannot be edited.

Stop on Match check box

Determines whether or not this event will be processed against remaining filters in the event action filters list.

If set to No, the remaining filters are processed for a match until a Stop flag is encountered.

If set to Yes, no further processing is done. The actions specified by this filter are removed and the remaining actions are performed.


Event Action Overrides Page

Use the Event Action Overrides page to view a summary page of event action overrides that act globally (rather than per signature) to override, or change, the actions associated with an event based on the risk rating of that event.

Navigation Path

(Device view) Select IPS > Event Actions > Event Action Overrides from the Policy selector.

Related Topics

Event Action Override Dialog Box

Edit Actions Dialog Box

Field Reference

Table M-54 Event Action Overrides Page 

Element
Description

Action

Specifies the event action that will be added to an event if the conditions of this event action override are satisfied.

Range

Indicates the risk rating range between 0 and 100 defined for this rule. If an event occurs with a risk rating that falls within the minimum-maximum range defined, the event action override is added to the list of actions to be performed when that event is triggered.

Enabled

Indicates whether or not the override is enabled.

Add button

Opens the Event Action Override dialog box.

Edit button

Opens the Event Action Override dialog box.

Delete button

Removes the selected event action overrides row from the table.


Event Action Override Dialog Box

Use the Event Action Override dialog box to add or edit an event action override that acts globally (rather than per signature) to change the actions associated with an event based on the risk rating of that event.

The Event Action Override dialog box appears as either Add Event Action Override or Edit Event Action Override. In the Add appearance of the Event Action Override dialog box, add an event action override. In the Edit appearance of the Event Action Override dialog box, edit an event action override.

Navigation Path

(Device view) Select IPS > Event Actions > Event Action Overrides from the Policy selector. Click the Add button or the Edit button to open the Event Action Override dialog box.

Related Topics

Event Action Policies

Event Action Overrides Page

Edit Actions Dialog Box

Field Reference

Table M-55 Event Action Override Dialog Box 

Element
Description

Event Action

Specifies the event action that will be added to an event if the conditions of this event action override are satisfied.

Enabled

Indicates whether or not the override is enabled.

Risk Rating

Indicates the risk rating range between 0 and 100 that should be used to trigger this event action override.

If an event occurs with a risk rating that falls within the minimum-maximum range you configure here, the event action is added to this event.
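The override and filter semantics described on this page (overrides add an action when the risk rating falls inside a range; filters walk an ordered list with a first-match rule, skip inactive entries, subtract actions and honour Stop on Match) are easy to get wrong when ordering a long list. The following is an added example, not Cisco code and not taken from Security Manager; it models those rules over constructed sample events so the effect of filter order and the Stop flag can be checked. It assumes overrides are applied before filters and that an active-but-disabled filter neither subtracts actions nor stops processing; the signature ID 60001 and the addresses are constructed values.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Set, Tuple


@dataclass
class Event:
    sig_id: int
    sub_sig: int
    attacker: str
    attacker_port: int
    victim: str
    victim_port: int
    risk_rating: int
    actions: Set[str]          # actions configured on the signature itself


@dataclass
class Override:
    action: str                # action added when the RR is inside the range
    rr_min: int
    rr_max: int
    enabled: bool = True


@dataclass
class Filter:
    name: str
    actions_to_subtract: Set[str]
    # Defaults as stated on the page: sig 900-65535, subsig 0-255, all addresses,
    # all ports, RR 0-100, Enabled checked, Active unchecked.
    sig_ids: Tuple[int, int] = (900, 65535)
    sub_sigs: Tuple[int, int] = (0, 255)
    attackers: Tuple[str, str] = ("0.0.0.0", "255.255.255.255")
    attacker_ports: Tuple[int, int] = (0, 65535)
    victims: Tuple[str, str] = ("0.0.0.0", "255.255.255.255")
    victim_ports: Tuple[int, int] = (0, 65535)
    rr: Tuple[int, int] = (0, 100)
    stop_on_match: bool = False
    enabled: bool = True
    active: bool = False


def _in_range(rng: Tuple[int, int], value: int) -> bool:
    return rng[0] <= value <= rng[1]


def _ip_in_range(rng: Tuple[str, str], ip: str) -> bool:
    return IPv4Address(rng[0]) <= IPv4Address(ip) <= IPv4Address(rng[1])


def filter_matches(f: Filter, e: Event) -> bool:
    """True when every field of the event falls inside the filter's ranges."""
    return (_in_range(f.sig_ids, e.sig_id)
            and _in_range(f.sub_sigs, e.sub_sig)
            and _ip_in_range(f.attackers, e.attacker)
            and _in_range(f.attacker_ports, e.attacker_port)
            and _ip_in_range(f.victims, e.victim)
            and _in_range(f.victim_ports, e.victim_port)
            and _in_range(f.rr, e.risk_rating))


def apply_overrides(e: Event, overrides: List[Override]) -> Set[str]:
    """An enabled override adds its action when the event RR is inside its range."""
    added = {o.action for o in overrides
             if o.enabled and _in_range((o.rr_min, o.rr_max), e.risk_rating)}
    return e.actions | added


def apply_filters(actions: Set[str], e: Event, filters: List[Filter]) -> Tuple[Set[str], List[str]]:
    """Walk the ordered filter list (first-match rule). Inactive filters are not
    consulted at all. An active-but-disabled filter is matched but neither
    subtracts actions nor stops processing (assumed reading of 'processed, but
    not used'). Returns the remaining actions and the names of matched filters."""
    remaining = set(actions)
    matched: List[str] = []
    for f in filters:
        if not f.active or not filter_matches(f, e):
            continue
        matched.append(f.name)
        if not f.enabled:
            continue
        remaining -= f.actions_to_subtract
        if f.stop_on_match:
            break
    return remaining, matched


def resolve_actions(e: Event, overrides: List[Override], filters: List[Filter],
                    overrides_enabled: bool = True, filters_enabled: bool = True) -> Set[str]:
    """Overrides first, then filters (order assumed), each gated by the
    corresponding check box on the Event Actions > Settings page."""
    actions = apply_overrides(e, overrides) if overrides_enabled else set(e.actions)
    if filters_enabled:
        actions, _ = apply_filters(actions, e, filters)
    return actions


# Constructed sample policy: one override and two filters, most specific first.
OVERRIDES = [Override("Deny Packet Inline", 90, 100)]
FILTERS = [
    Filter("trusted-scanner", {"Deny Packet Inline", "Deny Attacker Inline"},
           attackers=("10.0.0.5", "10.0.0.5"), stop_on_match=True, active=True),
    Filter("no-resets", {"Reset TCP Connection"}, active=True),
]
# Constructed sample events; 60001 is just an ID inside the 900-65535 default range.
EVENTS = [
    Event(60001, 0, "10.0.0.5", 40000, "192.168.1.20", 80, 95, {"Produce Alert"}),
    Event(60001, 0, "10.0.0.9", 40001, "192.168.1.20", 80, 95,
          {"Produce Alert", "Reset TCP Connection"}),
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev.attacker, sorted(resolve_actions(ev, OVERRIDES, FILTERS)))
```

Swapping the two filters in FILTERS changes nothing for these events, but moving a broad filter with Stop on Match above a specific one would shadow the specific filter entirely, which is the ordering mistake the page warns about.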


Network Information Page

Use the Network Information page to enable or disable passive operating system fingerprinting (POSFP), limit Attack Relevance Rating (ARR) computation to specific IP addresses, and define fixed OS mappings.

Target Value Ratings Tab

Use the Target Value Ratings tab to view a summary of Target Value Ratings (TVRs). TVR is a weight associated with the perceived value of the target. You can assign a TVR to your network assets. The TVR is one of the factors used to calculate the RR value for each alert. You can assign different TVRs to different targets. Events with a higher RR trigger more severe signature event actions.

TVR identifies the importance of a network asset through its IP address. You can develop a security policy that is strict for valuable corporate resources and lenient for less important resources.

Navigation Path

(Device view) Select IPS > Event Actions > Network Information from the Policy selector. Click the Target Value Ratings tab.

Related Topics

Event Action Policies

Target Value Rating Dialog Box

Field Reference

Table M-56 Target Value Tab 

Element
Description

Value

Indicates the perceived value selected for this target.

Targets

Identifies the targets associated with the selected value.

Add button

Opens the Add Target Value Rating dialog box.

Edit button

Opens the Edit Target Value Rating dialog box.

Delete button

Removes the selected Target Value Rating from the table.


Target Value Rating Dialog Box

Use the Target Value Rating dialog box to add a TVR to one or more IP addresses. Also, use the Target Value Rating dialog box to edit a TVR that has already been assigned.

The Target Value Rating dialog box appears as either Add Target Value Rating or Edit Target Value Rating. In the Add appearance of the Target Value Rating dialog box, add a TVR. In the Edit appearance of the Target Value Rating dialog box, edit a TVR.

Navigation Path

(Device view) Select IPS > Event Actions > Network Information from the Policy selector. Click the Target Value Ratings tab. Click the Add button or the Edit button to open the Target Value Rating dialog box.

Related Topics

Event Action Policies

Network Information Page

Target Value Ratings Tab

Field Reference

Table M-57 Target Value Rating Dialog Box 

Element
Description

Value

Identifies the value assigned to this network asset. The value can be High, Low, Medium, Mission Critical, or No Value.

target-addresses

Identifies the IP address(es) of the network asset(s) you want to prioritize with a TVR.


OS Identification Tab

Use the OS Identification tab to configure OS host mappings, which take precedence over learned OS mappings. On the OS Identification tab you can add, edit, and delete configured OS maps. You can move them up and down in the list to change the order in which the sensor computes the ARR and RR for that particular IP address and OS type combination.


Note OS Identification applies to IPS 6.x sensors only, not earlier versions.


You can also move them up and down in the list to change the order in which the sensor resolves the OS associated with a particular IP address. Configured OS mappings allow for ranges, so for network 192.168.1.0/24 an administrator might define the following:

IP Address Range Set                     OS
192.168.1.1                              IOS
192.168.1.2-192.168.1.10,192.168.1.25    UNIX
192.168.1.1-192.168.1.255                Windows


More specific mappings should be at the beginning of the list. Overlap in the IP address range sets is allowed, but the entry closest to the beginning of the list takes precedence.
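The precedence rule above (first entry in the list wins, overlap allowed) means a mis-ordered list silently makes later entries unreachable. The following is an added example, not Cisco code and not part of the original page; it parses the IP Address Range Set notation used in the table, resolves an address to an OS type in list order, and flags entries that can never match because earlier entries already cover every address they list. The OS_MAPS data is the page's own table; the lookup addresses are constructed.

```python
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

Interval = Tuple[int, int]   # inclusive (low, high) address as integers


def parse_range_set(text: str) -> List[Interval]:
    """Parse an IP Address Range Set such as '192.168.1.2-192.168.1.10,192.168.1.25'
    into inclusive integer intervals. A bare address is a one-address interval."""
    intervals: List[Interval] = []
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        lo_s, _, hi_s = part.partition("-")
        lo = int(IPv4Address(lo_s.strip()))
        hi = int(IPv4Address(hi_s.strip())) if hi_s else lo
        if hi < lo:
            raise ValueError(f"inverted range: {part}")
        intervals.append((lo, hi))
    return intervals


def resolve_os(ip: str, os_maps: List[Tuple[str, str]]) -> Optional[str]:
    """Configured mappings are consulted in list order; the first entry whose
    range set contains the address wins, so more specific entries belong first."""
    addr = int(IPv4Address(ip))
    for range_text, os_type in os_maps:
        if any(lo <= addr <= hi for lo, hi in parse_range_set(range_text)):
            return os_type
    return None


def _subtract(intervals: List[Interval], cut: Interval) -> List[Interval]:
    """Remove the integer interval `cut` from every interval in the list."""
    out: List[Interval] = []
    clo, chi = cut
    for lo, hi in intervals:
        if chi < lo or clo > hi:          # no overlap, keep as is
            out.append((lo, hi))
            continue
        if lo < clo:                      # keep the part before the cut
            out.append((lo, clo - 1))
        if hi > chi:                      # keep the part after the cut
            out.append((chi + 1, hi))
    return out


def shadowed_entries(os_maps: List[Tuple[str, str]]) -> List[int]:
    """Indexes of entries that can never match because earlier entries already
    cover every address they list: a lint check for ordering mistakes."""
    shadowed: List[int] = []
    earlier: List[Interval] = []
    for idx, (range_text, _) in enumerate(os_maps):
        own = parse_range_set(range_text)
        remaining = list(own)
        for cut in earlier:
            remaining = _subtract(remaining, cut)
        if not remaining:
            shadowed.append(idx)
        earlier.extend(own)
    return shadowed


# The table above, in the order the page recommends (most specific first).
OS_MAPS = [
    ("192.168.1.1", "IOS"),
    ("192.168.1.2-192.168.1.10,192.168.1.25", "UNIX"),
    ("192.168.1.1-192.168.1.255", "Windows"),
]

if __name__ == "__main__":
    for ip in ("192.168.1.1", "192.168.1.25", "192.168.1.200", "10.0.0.1"):
        print(ip, resolve_os(ip, OS_MAPS))
    print("shadowed when reversed:", shadowed_entries(list(reversed(OS_MAPS))))
```

With the table as written nothing is shadowed; with the Windows entry moved to the top, both the IOS and UNIX entries become unreachable and the sensor would compute the ARR for every host in the /24 as if it were Windows.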

Navigation Path

(Device view) Select IPS > Event Actions > Network Information from the Policy selector. Click the OS Identification tab.

Related Topics

Event Action Policies

Network Information Page

OS Map Dialog Box

Field Reference

Table M-58 OS Identification Tab 

Element
Description

Enable Passive OS Fingerprinting

When checked, lets the sensor perform passive OS analysis.

Restricted to these IP Addresses

Lets you configure the mapping of OS type to a specific IP address and have the sensor calculate the ARR for that IP address.

IP Addresses

Identifies the IP addresses associated with the selected OS type.

OS Type

Identifies the operating system(s) associated with the IP addresses.

Up Row button

Moves the selected row up in the table.

Down Row button

Moves the selected row down in the table.

Add button

Opens the Add OS Map dialog box.

Edit button

Opens the Edit OS Map dialog box.

Delete button

Removes the selected OS Map from the table.


OS Map Dialog Box

Use the OS Map dialog box to map a host through its IP address to an OS type. Also, use the OS Map dialog box to change the map of a host through its IP address to an OS type.

The OS Map dialog box appears as either Add OS Map or Edit OS Map. In the Add appearance of the OS Map dialog box, add an OS Map. In the Edit appearance of the OS Map dialog box, edit an OS Map.

Navigation Path

(Device view) Select IPS > Event Actions > Network Information from the Policy selector. Click the OS Identification tab. Click the Add button or the Edit button to open the OS Map dialog box.

Related Topics

Event Action Policies

Network Information Page

OS Identification Tab

Field Reference

Table M-59 OS Map Dialog Box 

Element
Description

IP Addresses

Identifies the IP address of the selected device.

OS Type

Identifies the operating system type(s) associated with the selected IP addresses. Select one or more of the following values:

General OS

IOS

Mac OS

Netware

Other

UNIX

AIX

BSD

HP-UX

IRIX

Linux

Solaris

Windows

Windows NT/2K/XP

WinNT

Unknown OS

Hold CTRL or SHIFT while clicking on the items to select multiple values.


Event Actions > Settings Page

Use the Event Actions > Settings page to define Event Actions. An event action is the sensor's response to an event.

Navigation Path

(Device view) Select IPS > Event Actions > Settings from the Policy selector.

Related Topics

Event Actions > Settings Page

Field Reference

Table M-60 Settings Page 

Element
Description

Enable Event Action Override check box

When selected, enables override rules as defined on the Event Action Overrides page. You can add an event action override to change the actions associated with an event based on specific details about that event.

Enable Event Action Filters check box

When selected, enables the filter rules as defined on the Event Action Filters page. You can configure event action filters to remove specific actions from an event or to discard an entire event and prevent further processing by the sensor.

Enable Event Action Summarizer check box

When selected, enables the Summarizer component. The Summarizer groups events into a single alert, thus decreasing the number of alerts the sensor sends out.

By default, the Summarizer is enabled. If you disable it, all signatures are set to Fire All with no summarization. If you configure individual signatures to summarize, this configuration is ignored when the Summarizer is not enabled.

Enable Meta Event Generator check box

When selected, enables the Meta Event Generator. The Meta Event Generator processes the component events, which lets the sensor watch for suspicious activity transpiring over a series of events.

By default, the Meta Event Generator is enabled. If you disable the Meta Event Generator, all Meta engine signatures are disabled.

Enable Threat Rating Adjustment check box

When selected, enables threat rating adjustment, which adjusts the risk rating. If disabled, risk rating is equal to threat rating.

The Threat Rating feature (new in Cisco IPS Sensor Software Version 6.0) provides a single view of the threat environment of the network. Threat Rating minimizes alarms and events through a customized view that shows only events with a high Threat Rating value. The Threat Rating value is derived as follows:

Dynamic adjustment of event Risk Rating based on success of response action

If response action was applied, Risk Rating is deprecated (Threat Rating < Risk Rating)

If response action was not applied, Risk Rating remains unchanged (Threat Rating = Risk Rating)

The result is a single value by which the threat risk is determined.

Deny Attacker Duration in seconds

Number of seconds to deny the attacker inline.

The valid range is 0 to 518400. The default is 3600.

Block Attack Duration in minutes

Number of minutes to block a host or connection.

The valid range is 0 to 10000000. The default is 30.

Maximum Number of Denied Attackers

Limits the number of denied attackers possible in the system at any one time.

The valid range is 0 to 100000000. The default is 10000.

Enable One Way TCP Reset

When selected, enables one way TCP reset. Available only in inline mode.

Tip In inline mode, all packets entering or leaving the network must pass through the sensor.

Interfaces Page

The following tabs are available on the Interfaces page:

Physical Interfaces Tab

Inline Pairs Tab

VLAN Pairs Tab

VLAN Groups Tab

Summary Tab

Physical Interfaces Tab

The Physical Interfaces tab lists the existing physical interfaces on your sensor and their associated settings. The sensor detects the interfaces and populates the interfaces list in the Interfaces pane.

To configure the sensor to monitor traffic, you must enable the interface. When you initialized the sensor using the setup command (using the command line interface in Cisco IPS), you assigned the interface or the inline pair to a virtual sensor, and enabled the interface or inline pair. If you need to change your interface settings, you can do so in the Physical Interfaces tab. To assign an interface to a virtual sensor, select the Virtual Sensors policy, click the Add/Edit button, and use the dialog box to assign an available interface to the virtual sensor.

Navigation Path

(Device view) Select IPS > Interfaces from the Policy selector. Click the Physical Interfaces tab.

Related Topics

Interfaces Page

Field Reference

Table M-61 Physical Interfaces Tab 

Element
Description

Interface Name

Name of the interface.

The values are FastEthernet or GigabitEthernet for all interfaces.

Media Type

Indicates the media type.

The media type options are the following:

TX—Copper media

SX—Fiber media

XL—Network accelerator card

Backplane interface—An internal interface that connects the module to the parent chassis' backplane

Description

Lets you provide a description of the interface.

Enabled

Whether or not the interface is enabled.

Duplex

Indicates the duplex setting of the interface.

The duplex type options are the following:

Auto—Sets the interface to auto negotiate duplex

Full—Sets the interface to full duplex

Half—Sets the interface to half duplex

Speed

Indicates the speed setting of the interface.

The speed type options are the following:

Auto—Sets the interface to auto negotiate speed

10 MB—Sets the interface to 10 MB (for TX interfaces only)

100 MB—Sets the interface to 100 MB (for TX interfaces only)

1000—Sets the interface to 1 GB (for gigabit interfaces only)

Specify Interface for TCP Reset

If selected, sends TCP resets on an alternate interface when this interface is used for promiscuous monitoring and the reset action is triggered by a signature firing.

Bypass Mode

A global setting that specifies the bypass mode setting for all interfaces on this device. Values are:

Off (Always inspect inline traffic)

On (Never inspect inline traffic)

Auto (Bypass inspection when analysis engine is stopped)

CDP Mode

A global setting, but one that applies only to inline interfaces (both inline-interface and inline-vlan-pair). Values are:

Forward CDP packets (enable forwarding of Cisco Discovery Protocol packets)

Drop CDP packets (disable forwarding of Cisco Discovery Protocol packets)


Modify Physical Interface Map Dialog Box

Use the Modify Physical Interface Map dialog box to change the configuration of the physical interfaces of a sensor.

Navigation Path

(Device view) Select IPS > Interfaces from the Policy selector. Click the Physical Interfaces tab. Click the Edit button to open the Modify Physical Interfaces dialog box. The fields in Table M-62 may be modified.

Related Topics

Interfaces Page

Field Reference

Table M-62 Modify Physical Interfaces Dialog Box 

Element
Description

Description

Lets you provide a description of the interface.

Enabled

Specify whether or not the interface is enabled.

Duplex

Select the duplex setting of the interface.

The duplex type options are the following:

Auto—Sets the interface to auto negotiate duplex.

Full—Sets the interface to full duplex.

Half—Sets the interface to half duplex.

Speed

Select the speed setting of the interface.

The speed type options are the following:

Auto—Sets the interface to auto negotiate speed.

10 MB—Sets the interface to 10 MB (for TX interfaces only).

100 MB—Sets the interface to 100 MB (for TX interfaces only).

1000—Sets the interface to 1 GB (for gigabit interfaces only).

Default VLAN

Specify the VLAN ID associated with native traffic, or 0 if unknown or if you do not care which VLAN it is.

Specify Interface for TCP Reset

If selected, sends TCP resets on an alternate interface when this interface is used for promiscuous monitoring and the reset action is triggered by a signature firing.

interface-name

Select the interface that sends the TCP reset.


Inline Pairs Tab

Use the Inline Pairs tab to see the existing inline pairs configured on the IPS.

Navigation Path

(Device view) Select IPS > Interfaces from the Policy selector. Click the Inline Pairs tab.

Related Topics

Interfaces Page

Physical Interfaces Tab

Field Reference

Table M-63 Inline Pairs Tab 

Element
Description

Name

The name you give this inline interface pair.

Interface A

The first interface in the pair. The interface must be defined on the Physical Interfaces tab.

Interface B

The second interface in the pair. The interface must be defined on the Physical Interfaces tab.

Description

Lets you add a description of this interface pair.

Bypass Mode

A global setting that specifies the bypass mode setting for all interfaces on this device. Values are:

Off (Always inspect inline traffic)

On (Never inspect inline traffic)

Auto (Bypass inspection when analysis engine is stopped)

CDP Mode

A global setting, but one that applies only to inline interfaces (both inline-interface and inline-vlan-pair). Values are:

Forward CDP packets (enable forwarding of Cisco Discovery Protocol packets)

Drop CDP packets (disable forwarding of Cisco Discovery Protocol packets)


Interface Pair Dialog Box

You can pair interfaces on your sensor if your sensor is capable of inline monitoring. Use the Interface Pair dialog box to add an inline pair of interfaces to a sensor. Also, use the Interface Pair dialog box to edit an inline pair of interfaces that has already been added to a sensor.

The Interface Pair dialog box appears as either Add Interface Pair or Edit Interface Pair. In the Add appearance of the Interface Pair dialog box, add an inline pair of interfaces to a sensor. In the Edit appearance of the Interface Pair dialog box, edit an inline pair of interfaces that has already been added to a sensor.

You cannot delete an inline pair if there is an inline VLAN group. First delete the inline VLAN group from the VLAN Groups tab, and then delete the inline pair.

Navigation Path

(Device view) Select IPS > Interfaces from the Policy selector. Click the Inline Pairs tab. Click the Add button or the Edit button to open the Interface Pair dialog box.

Related Topics

Interfaces Page

Inline Pairs Tab

Physical Interfaces Tab

Field Reference

Table M-64 Interface Pair Dialog Box 

Element
Description

Inline Interface Name

Enter the name of this inline interface pair. Must be less than 32 alphanumeric and/or underscore characters.

Interface A

Select the first interface in the pair. The interface must be defined on the Physical Interfaces tab.

Interface B

Select the second interface in the pair. The interface must be defined on the Physical Interfaces tab.

Description

Lets you add a description of this interface pair.


VLAN Pairs Tab

Use the VLAN Pairs tab to view a summary of the existing inline VLAN pairs for each physical interface.

The VLAN Pairs tab displays the existing inline VLAN pairs for each physical interface. Click Add to create an inline VLAN pair.


Note You cannot create an inline VLAN pair for an interface that has already been paired with another interface or for an interface that is in promiscuous mode and assigned to a virtual sensor.


To create an inline VLAN pair for an interface that is in promiscuous mode, you must remove the interface from the virtual sensor and then create the inline VLAN pair. If the interface is already paired or in promiscuous mode, you receive an error message when you try to create an inline VLAN pair.


Note If your sensor does not support inline VLAN pairs, the VLAN Pairs pane is not displayed. AIP-SSM and NM-CIDS do not support inline VLAN pairs.


Navigation Path

(Device view) Select IPS > Interfaces from the Policy selector. Click the VLAN Pairs tab.

Related Topics

Interfaces Page

Field Reference

Table M-65 VLAN Pairs Tab 

Element
Description

Interface Name

Select the name of the inline VLAN pair.

Subinterface Number

Subinterface number of the inline VLAN pair.

The value is 1 to 255.

Description

Lets you provide a description of the inline VLAN pair.

VLAN A

Displays the VLAN ID for the first VLAN.

The value is 1 to 4095.

VLAN B

Displays the VLAN ID for the second VLAN.

The value is 1 to 4095.

Bypass Mode

A global setting that specifies the bypass mode setting for all interfaces on this device. Values are:

Off (Always inspect inline traffic)

On (Never inspect inline traffic)

Auto (Bypass inspection when analysis engine is stopped)

CDP Mode

A global setting, but one that applies only to inline interfaces (both inline-interface and inline-vlan-pair). Values are:

Forward CDP packets (enable forwarding of Cisco Discovery Protocol packets)

Drop CDP packets (disable forwarding of Cisco Discovery Protocol packets)


VLAN Pair Dialog Box

Use the VLAN Pair dialog box to add a pair of VLANs to a sensor. Also, use the VLAN Pair dialog box to edit a pair of VLANs previously added to a sensor.

The VLAN Pair dialog box appears as either Add VLAN Pair or Edit VLAN Pair. In the Add appearance of the VLAN Pair dialog box, add a VLAN pair for a physical interface. In the Edit appearance of the VLAN Pair dialog box, edit a VLAN pair that has already been added to a physical interface.


Note You cannot pair a VLAN with itself.



Note The subinterface number and the VLAN numbers should be unique to each physical interface.


Navigation Path

(Device view) Select IPS > Interfaces from the Policy selector. Click the VLAN Pairs tab. Click the Add button or the Edit button to open the VLAN Pairs dialog box.

Related Topics

Interfaces Page

Field Reference

Table M-66 VLAN Pairs Dialog Box 

Element
Description

Physical Interface

Select the physical interface to which this VLAN pair is assigned.

Subinterface Number

Specify the subinterface number of the inline VLAN pair.

The value is 1 to 255.

Description

Lets you provide a description of the inline VLAN pair.

VLAN A

Specify the VLAN number for the first VLAN.

The value is 1 to 4095.

VLAN B

Specify the VLAN number for the second VLAN.

The value is 1 to 4095.


VLAN Groups Tab

In the VLAN Groups tab you can add, edit, or delete VLAN groups that you defined in the sensor interface configuration. A VLAN group consists of a group of VLAN IDs that exist on an interface. There are two types of VLAN groups: promiscuous and inline. Promiscuous VLAN groups are created on a promiscuous interface. Inline VLAN groups are created on an existing interface pair. Each VLAN group consists of at least one VLAN ID. You can have up to 255 VLAN groups per interface (logical or physical). Each group can contain any number of VLAN IDs. You then assign each VLAN group to a virtual sensor (but not to multiple virtual sensors). You can assign different VLAN groups on the same sensor to different virtual sensors.

After you assign the VLAN IDs to the VLAN group, you must assign the VLAN group to a virtual sensor.

Navigation Path

(Device view) Select IPS > Interfaces from the Policy selector. Click the VLAN Groups tab.

Related Topics

Interfaces Page

Field Reference

Table M-67 VLAN Groups Tab 

Element
Description

Name

The physical or logical interface name of the VLAN group.

Subinterface Number

Subinterface number of the VLAN group.

The value is 1 to 255.

Description

Lets you provide a description of the VLAN group.

VLANs

Displays the range of VLAN IDs belonging to the VLAN group.

Each VLAN ID is a number between 1 and 4095.

Bypass Mode

A global setting that specifies the bypass mode setting for all interfaces on this device. Values are:

Off (Always inspect inline traffic)

On (Never inspect inline traffic)

Auto (Bypass inspection when analysis engine is stopped)

CDP Mode

A global setting, but one that applies only to inline interfaces (both inline-interface and inline-vlan-pair). Values are:

Forward CDP packets (enable forwarding of Cisco Discovery Protocol packets)

Drop CDP packets (disable forwarding of Cisco Discovery Protocol packets)


VLAN Group Map Dialog Box

Use the VLAN Group Map dialog box to add a group of VLANs to a sensor. Also, use the VLAN Group Map dialog box to edit a group of VLANs previously added to a sensor.

The VLAN Group Map dialog box appears as either Add VLAN Group Map or Edit VLAN Group Map. In the Add appearance of the VLAN Group Map dialog box, add a group of VLANs to a sensor. In the Edit appearance of the VLAN Group Map dialog box, edit a group of VLANs that has already been added to a sensor.


Note The subinterface number and VLAN IDs should be unique on each physical interface and inline pair.


Navigation Path

(Device view) Select IPS > Interfaces from the Policy selector. Click the VLAN Groups tab. Click the Add button or the Edit button to open the VLAN Group Map dialog box.

Related Topics

Interfaces Page

Field Reference

Table M-68 VLAN Group Map Dialog Box 

Element
Description

Physical and Logical Interfaces

Select the physical or logical interface name of the VLAN group.

Subinterface Number

Specify the subinterface number of the VLAN group.

The value is 1 to 255.

Description

Lets you provide a description of the VLAN group.

All Unassigned VLAN IDs

Selects all VLAN IDs that are not a member of another VLAN group definition.

Range of Free VLAN IDs

Specify the range of VLAN IDs belonging to the VLAN group. The format is dashed pairs of lower-upper IDs, separated by commas. For example, 23-44, 91-144.

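The VLAN range format and the uniqueness rule from the Note above, as an added example (not Security Manager code): a parser for the "lower-upper, lower-upper" notation plus a check that subinterface numbers and VLAN IDs do not collide on the same physical interface. The dict layout of a group and the sample groups are this example's own assumptions.

```python
import re

VLAN_MIN, VLAN_MAX = 1, 4095      # VLAN ID limits given in the field reference
SUBIF_MIN, SUBIF_MAX = 1, 255     # subinterface number limits given in the field reference

_PAIR = re.compile(r"^\s*(\d+)\s*-\s*(\d+)\s*$")


def parse_vlan_ranges(text):
    """Parse 'dashed pairs of lower-upper IDs, separated by commas' (e.g. '23-44, 91-144').

    Returns the set of VLAN IDs covered. Raises ValueError for a malformed pair,
    an inverted pair, or an ID outside 1-4095.
    """
    ids = set()
    for chunk in text.split(","):
        m = _PAIR.match(chunk)
        if not m:
            raise ValueError(f"malformed VLAN range {chunk.strip()!r}; expected lower-upper")
        lo, hi = int(m.group(1)), int(m.group(2))
        if not (VLAN_MIN <= lo <= hi <= VLAN_MAX):
            raise ValueError(f"VLAN range {lo}-{hi} must satisfy 1 <= lower <= upper <= 4095")
        ids.update(range(lo, hi + 1))
    return ids


def check_vlan_groups(groups):
    """Return a list of problems across VLAN group definitions (empty means consistent).

    Enforces the Note on the VLAN Group Map dialog box: the subinterface number and
    the VLAN IDs must be unique on each physical interface. Each group is a dict
    (hypothetical model, not Security Manager's) with keys 'interface',
    'subinterface' and 'vlans'.
    """
    problems = []
    seen_subif = {}   # (interface, subinterface) -> index of the group that uses it
    seen_vlan = {}    # (interface, vlan id) -> index of the group that owns it
    for idx, g in enumerate(groups):
        iface, sub = g["interface"], g["subinterface"]
        if not (SUBIF_MIN <= sub <= SUBIF_MAX):
            problems.append(f"group {idx}: subinterface {sub} outside 1-255")
        if (iface, sub) in seen_subif:
            problems.append(f"group {idx}: subinterface {sub} already used by group "
                            f"{seen_subif[(iface, sub)]} on {iface}")
        else:
            seen_subif[(iface, sub)] = idx
        try:
            vlans = parse_vlan_ranges(g["vlans"])
        except ValueError as exc:
            problems.append(f"group {idx}: {exc}")
            continue
        dup = sorted(v for v in vlans if (iface, v) in seen_vlan)
        if dup:
            problems.append(f"group {idx}: {len(dup)} VLAN IDs (first {dup[0]}) already belong to "
                            f"group {seen_vlan[(iface, dup[0])]} on {iface}")
        for v in vlans:
            seen_vlan.setdefault((iface, v), idx)
    return problems


# Constructed sample: the second group overlaps the first on VLANs 100-120 of the same interface
SAMPLE_GROUPS = [
    {"interface": "GigabitEthernet0/1", "subinterface": 1, "vlans": "23-44, 91-144"},
    {"interface": "GigabitEthernet0/1", "subinterface": 2, "vlans": "100-120"},
    {"interface": "GigabitEthernet0/2", "subinterface": 1, "vlans": "23-44"},
]

if __name__ == "__main__":
    for problem in check_vlan_groups(SAMPLE_GROUPS):
        print(problem)
```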

Summary Tab

Use the Summary tab on the Interfaces page to see a summary of how you have configured the sensing interfaces—the interfaces you have configured for promiscuous mode, the interfaces you have configured as inline pairs, and the interfaces you have configured as inline VLAN pairs.

The content of this page changes when you change your interface configuration.


Caution You can configure any single physical interface to run in promiscuous mode, inline pair mode, inline VLAN pair mode, promiscuous VLAN group, or inline VLAN group, but you cannot configure an interface in a combination of these modes.

Navigation Path

(Device view) Select IPS > Interfaces from the Policy selector. Click the Summary tab.

Related Topics

Interfaces Page

Physical Interfaces Tab

Inline Pairs Tab

VLAN Pairs Tab

VLAN Groups Tab

Field Reference

Table M-69 Summary Tab 

Element
Description

Name

Name of the interface.

The values are FastEthernet or GigabitEthernet for promiscuous interfaces.

Subinterface Number

Subinterface number of the inline VLAN pair or VLAN group.

The value is 1 to 255.

Inline Interface Name

The name of this inline interface pair.

Mode

Identifies whether the interface is promiscuous, inline, promiscuous VLAN group, or inline VLAN group and whether there are VLAN pairs.

VLAN A

Displays the VLAN ID for the first VLAN.

The value is 1 to 4095.

VLAN B

Displays the VLAN ID for the second VLAN.

The value is 1 to 4095.

VLANs Range

Displays the range of VLAN IDs belonging to the VLAN group.

Each VLAN ID is a number between 1 and 4095.

Bypass Mode

A global setting that specifies the bypass mode setting for all interfaces on this device. Values are:

Off (Always inspect inline traffic)

On (Never inspect inline traffic)

Auto (Bypass inspection when analysis engine is stopped)

CDP Mode

A global setting, but one that applies only to inline interfaces (both inline-interface and inline-vlan-pair). Values are:

Forward CDP packets (enable forwarding of Cisco Discovery Protocol packets)

Drop CDP packets (disable forwarding of Cisco Discovery Protocol packets)


Platform Policies

The pages that you access from the Platform Policies folder from the Policies selector in Device View enable you to configure device administration, logging, and security.

These topics describe the folder and main pages available from the Platform Policies folder:

Device Admin Policies

Logging Page

Security Policies

Device Admin Policies

The pages that you access from the Device Admin folder from the Policies selector in Device View enable you to configure device access and server access.

These topics describe the folders available from the Device Admin Policies folder:

Device Access Policies

Server Access Policies

Device Access Policies

The pages that you access from the Device Access folder from the Policy selector in Device View enable you to identify allowed hosts and configure SNMP.

Allowed Hosts Page

Use the Allowed Hosts page to view a summary of the hosts that are allowed to connect to a sensor. By default, all hosts on your network can connect to a sensor to configure it and receive alarm data from it. However, you can identify the hosts that are allowed to connect to a sensor, and no other hosts will be allowed to connect.


Note If your Security Manager server is not an allowed host, then you are not able to connect to your IPS sensors and manage them.


Navigation Path

(Device view) Select Platform > Device Admin > Device Access > Allowed Hosts from the Policy selector.

Field Reference

Table M-70 Allowed Hosts Page 

Element
Description

Network address

Identifies the allowed host in prefix notation: <IP network>/subnet mask. For example, 64.0.0.0/8.

Add button

Opens the Add Access List dialog box.

Edit button

Opens the Modify Access List dialog box.

Delete button

Deletes the selected allowed host.

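A pre-deployment check for the lockout case in the Note above, as an added example (not Security Manager code): it parses allowed-host entries in the "<IP network>/subnet mask" notation and reports whether the Security Manager server's address is covered. The sample entries, the manager address and the "broad entry" threshold are this example's own assumptions.

```python
import ipaddress


def parse_allowed_hosts(entries):
    """Parse allowed-host entries written as '<IP network>/subnet mask'.

    Both a prefix length ('64.0.0.0/8') and a dotted mask ('10.20.30.0/255.255.255.0')
    are accepted. strict=False normalises an entry with host bits set
    ('10.20.30.7/24' becomes 10.20.30.0/24).
    """
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def is_allowed(host, entries):
    """True if host falls inside at least one allowed-host entry."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in parse_allowed_hosts(entries))


def audit_allowed_hosts(entries, manager_ip, broad_prefix=16):
    """Return (ok, findings) for a proposed Allowed Hosts list.

    ok is False when manager_ip (the Security Manager server) is not covered,
    which is the lockout condition the Note warns about. Entries shorter than
    /broad_prefix are flagged as broad; that threshold is this example's
    choice, not a Security Manager rule.
    """
    nets = parse_allowed_hosts(entries)
    manager = ipaddress.ip_address(manager_ip)
    findings = []
    ok = any(manager in net for net in nets)
    if not ok:
        findings.append(f"manager {manager} is not an allowed host; deploying would lock Security Manager out")
    for net in nets:
        if net.prefixlen < broad_prefix:
            findings.append(f"entry {net} admits {net.num_addresses} addresses; narrow it to management hosts")
    return ok, findings


# Constructed sample list: the page's 64.0.0.0/8 example plus a /24 written in dotted-mask form
SAMPLE_ENTRIES = ["64.0.0.0/8", "10.20.30.0/255.255.255.0"]

if __name__ == "__main__":
    ok, findings = audit_allowed_hosts(SAMPLE_ENTRIES, "192.168.1.5")  # constructed manager address
    print("ok" if ok else "LOCKOUT", findings)
```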

Access List Dialog Box

The Access List dialog box appears as either the Add Access List dialog box or the Modify Access List dialog box. Use the Add Access List dialog box to identify the hosts that you want to be able to connect to a sensor. Use the Modify Access List dialog box to change an existing list of hosts that you want to be able to connect to a sensor.

Navigation Path

(Device view) Select Platform > Device Admin > Device Access > Allowed Hosts from the Policy selector. Click the Add button or the Edit button.

Field Reference

Table M-71 Access List Dialog Box 

Element
Description

Network address

Identifies the allowed host in prefix notation: <IP network>/subnet mask. For example, 64.0.0.0/8.

Select... button

Opens the Available Networks/Hosts dialog box.


SNMP Page

Use the SNMP page to configure Simple Network Management Protocol (SNMP). Security Manager does not use SNMP to manage sensors, but the sensors support SNMP and therefore require a means of configuration in Security Manager.

SNMP configuration has three parts:

General Configuration—Enables you to configure general SNMP parameters and apply them to sensors.

Traps Configuration—Enables you to configure traps and apply them to sensors.

Traps Destination—Enables you to identify recipients that the traps should be sent to.

General Configuration Tab

Use the General Configuration tab on the SNMP page to configure general SNMP parameters and apply them to sensors.

Navigation Path

(Device view) Select Platform > Device Admin > Device Access > SNMP from the Policy selector. The General Configuration tab is active by default.

Field Reference

Table M-72 SNMP > General Configuration Tab 

Element
Description

Enable SNMP Gets/Sets

Allows you to enable the sensor to respond to get and set queries. If this option is disabled, the sensor does not respond to get or set requests.

Read-Only Community String

Sets the read-only community string of the sensor to a string you specify. When a sensor receives an SNMP get request with the specified read-only community string, it responds. This string gives access to all SNMP get requests.

Read-Write Community String

Sets the read-write community string of the sensor to a string you specify. When a sensor receives an SNMP get request, or an SNMP set request, with the specified read-write community string, it responds. This string gives access to all SNMP get requests and set requests.

Sensor Contact

The network administrator who is responsible for this sensor.

Sensor Location

The physical location of the sensor appliance or other hardware used as a sensing device.

Sensor Agent Port

Instructs a sensor to run the SNMP agent on the specified port. Valid port numbers range from 1 to 65535.

Snmp Agent Protocol

Instructs a sensor to run SNMP on top of a particular transport protocol. The options are TCP (Transmission Control Protocol) and UDP (User Datagram Protocol).

Select... button

Opens the Port Lists Selector dialog box.


SNMP Trap Configuration Tab

Use the SNMP Trap Configuration tab on the SNMP page to configure traps, apply them to sensors, and identify the recipients that the traps should be sent to.

Navigation Path

(Device view) Select Platform > Device Admin > Device Access > SNMP from the Policy selector. Click the SNMP Trap Configuration tab.

Field Reference

Table M-73 SNMP > SNMP Trap Configuration Tab 

Element
Description

Enable Notifications

Allows you to enable the sensor to notify interested parties whenever a specific type of event occurs in a sensor. When you select this check box, the sensor is instructed to perform notification. (You can also use the Traps Destination function to configure interested parties.) If the Enable Notifications check box is not selected, the sensor does not send notifications.

Error Filter

Use this set of filters to specify the level of notifications that are enabled. The three levels of notification are Fatal, Error, and Warning. When you select one or more of these filters, you enable the sensor to send notification of events that correspond to the levels selected.

Enable Detail Traps

When selected, this check box enables the sensor to send the detailed traps for all alerts.

Default Trap Community String

Every trap the sensor sends carries a community string. A destination accepts only the traps whose community string matches its own and discards all others. The value set here is the default for all destinations; it can be overridden at any individual destination.

Trap Destinations

A summary table of the traps that you have configured, with the following information listed:

IP Address

Trap Community String

Trap Port

Add button

Opens the Add Snmp Trap Communication dialog box.

Edit button

Opens the Modify Snmp Trap Communication dialog box.

Delete button

Deletes the selected trap destination.


Snmp Trap Communication Dialog Box

The Snmp Trap Communication dialog box appears as either the Add Snmp Trap Communication dialog box or the Modify Snmp Trap Communication dialog box. Use the Add form of this dialog box to add an SNMP trap. Use the Modify form of this dialog box to modify an SNMP trap that you added earlier.

Navigation Path

(Device view) Select Platform > Device Admin > Device Access > SNMP from the Policy selector. Click the SNMP Trap Configuration tab. Click the Add button or the Edit button.

Field Reference

Table M-74 Add Snmp Trap Communication Dialog Box 

Element
Description

Ip Address

Identifies the trap destination in prefix notation: <IP network>/subnet mask. For example, 64.0.0.0/8. One of the three items that define a trap.

Select... button

Opens the Available Networks/Hosts dialog box.

Trap Community String

The community string of the trap. (All traps that are being notified carry a community string.) One of the three items that define a trap.

Trap Port

The port used by the trap. One of the three items that define a trap.

Select... button

Opens the Port Lists Selector dialog box.


Password Requirements Page

Use the Password Requirements page to configure how passwords are created for Cisco IPS sensors managed by Cisco Security Manager. All user-created sensor passwords must conform to the policy that you set on the Password Requirements page.

Navigation Path

(Device view) Select Platform > Device Admin > Device Access > Password Requirements from the Policy selector.

(Policy view) Select IPS > Platform > Device Admin > Password Requirements from the Policy Type selector. Right-click Password Requirements to create a policy, or select an existing policy from the Shared Policy selector.

Field Reference

Table M-75 Password Requirements Page 

Element
Description

Attempt Limit

Lets you lock accounts so that users cannot keep trying to log in after a certain number of failed attempts. The default is 0, which indicates unlimited authentication attempts. For security purposes, you should change this number.

Size Range

Range you specify for the minimum and maximum allowed size for a password. The valid range is 6 to 64 characters.

Minimum Digit Characters

Minimum number of numeric digits that you specify must be in a password.

Minimum Upper Case Characters

Minimum number of uppercase alphabet characters that you specify must be in a password.

Minimum Lower Case Characters

Minimum number of lowercase alphabet characters that you specify must be in a password.

Minimum Other Characters

Minimum number of non-alphanumeric printable characters that you specify must be in a password.

Number of Historical Passwords

Number of historical passwords you want the sensor to remember for each account. Any attempt to change the password of an account fails if the new password matches any of the remembered passwords. When this value is 0, no previous passwords are remembered.



Caution If the password policy includes minimum numbers of character sets, such as uppercase or number characters, the sum of the minimum number of required character sets cannot exceed the minimum password size. For example, you cannot set a minimum password size of eight and also require that passwords must contain at least five lowercase and five uppercase characters.

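The Password Requirements fields and the Caution above, as an added example (not Security Manager code): a policy model that rejects a configuration whose character-class minimums add up to more than the minimum size, then checks candidate passwords and the historical-password rule against it. The class, field names, sample policy and sample passwords are this example's own constructions.

```python
from dataclasses import dataclass

SIZE_LIMITS = (6, 64)            # valid Size Range per the field reference


@dataclass
class PasswordPolicy:
    """Hypothetical model of the Password Requirements page (not Security Manager's)."""
    attempt_limit: int = 0       # 0 = unlimited authentication attempts (page default)
    min_size: int = 8
    max_size: int = 64
    min_digits: int = 0
    min_upper: int = 0
    min_lower: int = 0
    min_other: int = 0           # non-alphanumeric printable characters
    history: int = 0             # Number of Historical Passwords; 0 = none remembered

    def validate_policy(self):
        """Return reasons the policy itself is unacceptable (empty list if it is fine)."""
        reasons = []
        lo, hi = SIZE_LIMITS
        if not (lo <= self.min_size <= self.max_size <= hi):
            reasons.append(f"size range {self.min_size}-{self.max_size} must lie within {lo}-{hi}")
        required = self.min_digits + self.min_upper + self.min_lower + self.min_other
        if required > self.min_size:        # the Caution: class minimums cannot exceed minimum size
            reasons.append(f"sum of character-class minimums ({required}) exceeds minimum size ({self.min_size})")
        if self.attempt_limit == 0:         # the page says this default should be changed
            reasons.append("attempt limit 0 allows unlimited login attempts")
        return reasons

    def check_password(self, candidate, previous=()):
        """Return rule violations for candidate (empty list means it is acceptable).

        previous is the account's password history, oldest first; only the last
        self.history entries are compared, as the page describes.
        """
        violations = []
        n = len(candidate)
        if not (self.min_size <= n <= self.max_size):
            violations.append(f"length {n} outside {self.min_size}-{self.max_size}")
        counts = {
            "digit": sum(c.isdigit() for c in candidate),
            "uppercase": sum(c.isupper() for c in candidate),
            "lowercase": sum(c.islower() for c in candidate),
            "other": sum((not c.isalnum()) and c.isprintable() for c in candidate),
        }
        for name, need in (("digit", self.min_digits), ("uppercase", self.min_upper),
                           ("lowercase", self.min_lower), ("other", self.min_other)):
            if counts[name] < need:
                violations.append(f"needs at least {need} {name} characters, has {counts[name]}")
        if self.history and candidate in list(previous)[-self.history:]:
            violations.append("matches a remembered previous password")
        return violations


# Constructed sample policy: 8-20 characters, one of each class, remember three passwords
SAMPLE_POLICY = PasswordPolicy(attempt_limit=5, min_size=8, max_size=20,
                               min_digits=1, min_upper=1, min_lower=1, min_other=1, history=3)
# The Caution's own example: minimum size 8 but five lowercase and five uppercase required
BAD_POLICY = PasswordPolicy(attempt_limit=5, min_size=8, min_lower=5, min_upper=5)

if __name__ == "__main__":
    print(BAD_POLICY.validate_policy())
    print(SAMPLE_POLICY.check_password("sensor"))   # constructed sample password
```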
Server Access Policies

The pages that you access from the Server Access folder from the Policy Selector in Device View enable you to configure server access.

These topics describe the pages available from the Server Access folder:

External Product Interface Page

NTP Page

External Product Interface Page

Use the External Product Interface page to configure the way that Security Manager works with external products.


Note Management Center for Cisco Security Agents is the only external product for which interfaces can be configured for IPS in Security Manager.


Navigation Path

(Device view) Select Platform > Device Admin > Server Access > External Product Interface from the Policy selector.

Management Center for Cisco Security Agents Tab

Use the Management Center for Cisco Security Agents tab to configure the way that Security Manager works with Management Center for Cisco Security Agents.


Note Only two interfaces can be configured for Management Center for Cisco Security Agents.


Navigation Path

(Device view) Select Platform > Device Admin > Server Access > External Product Interface from the Policy selector. The Management Center for Cisco Security Agents tab is active by default.

Field Reference

Table M-76 External Product Interface > Management Center for Cisco Security Agents Tab 

Element
Description

IP Address

The IP address of the external product.

Interface Type

Identifies the physical interface type, that is, copper or fiber.

Enable

Specifies whether an agent is enabled to notify the management station of significant events by way of an unsolicited SNMP message.

URL

The URL of the external product.

Port

Specifies the port being used for communications.

Username

A valid user name for authentication to the external product.

Add button

Opens the Add External Product Interface dialog box.

Edit button

Opens the Edit External Product Interface dialog box.

Delete button

Deletes the selected External Product Interface.


External Product Interface Dialog Box

Use the External Product Interface dialog box to add or modify interfaces between Management Center for Cisco Security Agents and Security Manager. This dialog box appears in two forms: Add and Edit.

Also use the External Product Interface dialog box to add or modify Posture ACLs.

Navigation Path

(Device view) Select Platform > Device Admin > Server Access > External Product Interface from the Policy selector. The Management Center for Cisco Security Agents tab is active by default. Click the Add button or the Modify button.

Field Reference

Table M-77 External Product Interface Dialog Box 

Element
Description

External Product's IP Address

The IP address of the external product.

Select... button

Opens the Available Networks/Hosts dialog box.

Interface Type

Identifies the physical interface type, that is, copper or fiber.

Enable receipt of information

Specifies whether an agent is enabled to notify the management station of significant events by way of an unsolicited SNMP message.

SDEE URL

The URL of the external product.

Port

Specifies the port being used for communications.

Select... button

Opens the Port Lists Selector dialog box.

User name

A valid user name for authentication to the external product. A value in this field is mandatory.

Password

A valid password for authentication to the external product. A value in this field is mandatory.

Enable receipt of host postures

When checked, allows the host posture information to be passed from the external product to the sensor.

Allow unreachable hosts' postures

When checked, allows the host posture information from unreachable hosts to be passed from the external product to the sensor.

Add button

Opens the Add Posture Acl dialog box.

Edit button

Opens the Modify Posture Acl dialog box.

Delete button

Deletes the selected posture ACL.

Manual Watch List RR increase

Identifies the risk rating for the manual watch list. The default is 25, and the valid range is 0 to 35.

Session-based Watch List RR Increase

Identifies the risk rating for the session-based watch list. The default is 25, and the valid range is 0 to 35.

Packet-based Watch List RR Increase

Identifies the risk rating for the packet-based watch list. The default is 10, and the valid range is 0 to 35.


Posture Acl Dialog Box

Host Posture ACLs indicate how host postures received from Management Center for Cisco Security Agents should be handled.

Navigation Path

(Device view) Select Platform > Device Admin > Server Access > External Product Interface from the Policy selector. The Management Center for Cisco Security Agents tab is active by default. Click the Add button to open the Add External Product Interface dialog box. Click the Add button or the Edit button to open the Posture Acl dialog box.

Field Reference

Table M-78 Posture Acl Dialog Box 

Element
Description

Network Address

Network address of the posture ACL.

Select... button

Opens the Available Networks/Hosts dialog box.

Action

Action (deny or permit) the posture ACL will take.


NTP Page

Use the NTP page to identify a Network Time Protocol (NTP) server to use with a sensor. NTP server time can be used with a sensor that you manage with Security Manager.

Navigation Path

(Device view) Select Platform > Device Admin > Server Access > NTP from the Policy selector. The Network Time Protocol page appears.

Field Reference

Table M-79 NTP Page 

Element
Description

NTP Server IP Address

The IP address of the NTP server.

Select button

Opens the Available Networks/Hosts dialog box.

Authenticated NTP check box

When selected, indicates that the NTP server is authenticated. When selected, enables the Key and Key ID fields.

Key

The key value of the NTP server (not required when configuring an NTP server; unauthenticated servers can be used—an NTP server IP with no Key or Key ID is interpreted to mean that the server is unauthenticated). The key is an MD5 type of key (either numeric or character); it is the key that was used to set up the NTP server. Enabled only when the Authenticated NTP check box is selected.

Key ID

The key ID value of the NTP server (not required when configuring an NTP server; unauthenticated servers can be used—an NTP server IP with no Key or Key ID is interpreted to mean that the server is unauthenticated). Enabled only when the Authenticated NTP check box is selected.


Logging Page

Use the Logging page to configure traffic flow notifications and Analysis Engine global variables.

Navigation Path

(Device view) Select Platform > Logging from the Policy selector.

Interface Notifications Tab

Use the Interface Notifications tab to configure traffic flow notifications.

Navigation Path

(Device view) Select Platform > Logging from the Policy selector. The Interface Notifications tab is active by default.

Field Reference

Table M-80 Logging > Interface Notifications Tab 

Element
Description

Missed Packets Threshold

The percentage of missed packets that must occur before you receive a notification. The default value is 0, and the valid range is 0 through 100.

Notification Interval

The length of time in seconds that you want to check for the percentage of missed packets. The default value is 30, and the valid range is 5 to 3600.

Interface Idle Threshold

The length of time in seconds that you will allow an interface to be idle and not receiving packets before you want to be notified. The default value is 30, and the valid range is 5 to 3600.


Analysis Engine Tab

Use the Analysis Engine tab to configure the Analysis Engine global variables.

Navigation Path

(Device view) Select Platform > Logging from the Policy selector. Click the Analysis Engine tab.

Field Reference

Table M-81 Logging > Analysis Engine Tab 

Element
Description

Maximum Open IP Log Files

The maximum number of IP log files that can be open at the same time. The valid range is from 20 to 100. The default is 20.


Security Policies

The pages that you access from the Security folder in Device View help you configure blocking properties.

This topic describes the main page available from the Security folder:

Blocking Page

Blocking Page

Use the Blocking page to configure sensor blocking properties. You can configure sensors to block attacks; you also can manage other devices to block attacks.

The following tabs are available on the Blocking page:

Blocking Page > General Tab

Blocking Page > User Profiles Tab

Blocking Page > Master Blocking Sensors Tab

Blocking Page > Router Tab

Blocking Page > Firewall Tab

Blocking Page > Catalyst 6K Tab

Blocking Page > Never Block Hosts and Networks Tab

Navigation Path

(Device view) Select Platform > Security > Blocking from the Policy selector.

Related Topic

Configuring Blocking, page 17-8

Blocking Page > General Tab

Use the General tab of the Blocking Properties page to configure the basic settings required to enable blocking and rate limiting.

Navigation Path

(Device view) Select Platform > Security > Blocking from the Policy selector. Click the General tab.

Related Topic

Configuring Blocking, page 17-8

Field Reference

Table M-82 General Tab 

Element
Description

Log All Block Events and Errors

When selected, configures the sensor to log events that follow blocks from start to finish and any error messages that occur. When a block is added to or removed from a device, an event is logged. You may not want all these events and errors to be logged. Disabling this option suppresses new events and errors. The default is enabled.

Note Log all block events and errors also applies to rate limiting.

Enable NVRAM Write

When selected, configures the sensor to have the router write to non-volatile RAM (NVRAM) when Attack Response Control (ARC) first connects. If enabled, NVRAM is written each time the ACLs are updated. The default is disabled. Enabling NVRAM writing ensures that all changes for blocking and rate limiting are written to NVRAM. If the router is rebooted, the correct blocks and rate limits will still be active.

If NVRAM writing is disabled, a short time without blocking or rate limiting occurs after a router reboot. Not enabling NVRAM writing increases the life of the NVRAM and decreases the time for new blocks and rate limits to be configured.

Enable ACL Logging

When selected, causes ARC to append the log parameter to block entries in the access control list (ACL) or VLAN ACL (VACL). This causes the device to generate syslog events when packets are filtered. This option only applies to routers and switches. The default is disabled.

Allow Sensor IP address to be Blocked

When selected, specifies that the sensor IP address can be blocked. The default is disabled.

Enable Blocking

When selected, enables blocking of hosts. The default is enabled.

Note When you enable blocking, you also enable rate limiting. When you disable blocking, you also disable rate limiting. This means that ARC cannot add new or remove existing blocks or rate limits. Even if you do not enable blocking, you can configure all other blocking settings.

Max Blocks

The maximum number of entries to block. The valid range is 1 to 65535. The default is 250.

Max Interfaces

Configures the maximum number of interfaces for performing blocks. For example, a PIX 500 series security appliance counts as one interface. A router with one interface counts as one, but a router with two interfaces counts as two. The maximum number of interfaces is 250 per device. The default is 250.

Note You use Max Interfaces to set an upper limit on the number of devices and interfaces that ARC can manage. The total number of blocking devices (not including master blocking sensors) cannot exceed this value. The total number of blocking items also cannot exceed this value, where a blocking item is one security appliance context, one router blocking interface/direction, or one Catalyst Software switch blocking VLAN.

In addition, the following maximum limits are fixed and you cannot change them: 100 interfaces per device, 250 security appliances, 250 routers, 250 Catalyst Software switches, and 100 master blocking sensors.

Max Ratelimits

Maximum number of rate limit entries. The maximum number of rate limits must be equal to or less than the maximum number of blocking entries. If you configure more rate limit entries than block entries, you receive an error. The valid range is 1 to 32767. The default value is 250.

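The Max Interfaces accounting and the Max Ratelimits/Max Blocks relationship described in the General tab notes, as an added example (not Security Manager code): a checker that counts blocking devices and blocking items the way the notes describe and compares them with the configured and fixed limits. The device/item data model and the sample configuration are this example's own assumptions.

```python
FIXED_LIMITS = {                  # limits the page says are fixed and cannot be changed
    "items_per_device": 100,      # "100 interfaces per device"
    "firewall": 250,              # security appliances
    "router": 250,
    "catalyst": 250,              # Catalyst Software switches
    "mbs": 100,                   # master blocking sensors
}
MAX_BLOCKS_RANGE = (1, 65535)
MAX_RATELIMITS_RANGE = (1, 32767)
MAX_INTERFACES_CAP = 250


def check_blocking_config(general, devices):
    """Return a list of violations; an empty list means the configuration fits the limits.

    general: dict with 'max_blocks', 'max_ratelimits' and 'max_interfaces' (General tab values).
    devices: list of dicts {'name', 'kind', 'items'} (hypothetical model) where kind is
             'firewall', 'router', 'catalyst' or 'mbs' and items lists the blocking items on
             that device: security appliance contexts, router interface/direction pairs,
             or switch VLANs.
    """
    problems = []
    mb, mr, mi = general["max_blocks"], general["max_ratelimits"], general["max_interfaces"]
    for name, val, (lo, hi) in (("Max Blocks", mb, MAX_BLOCKS_RANGE),
                                ("Max Ratelimits", mr, MAX_RATELIMITS_RANGE)):
        if not (lo <= val <= hi):
            problems.append(f"{name} {val} outside {lo}-{hi}")
    if mi > MAX_INTERFACES_CAP:
        problems.append(f"Max Interfaces {mi} exceeds the cap of {MAX_INTERFACES_CAP}")
    if mr > mb:
        problems.append(f"Max Ratelimits {mr} exceeds Max Blocks {mb}")

    per_kind = {kind: 0 for kind in ("firewall", "router", "catalyst", "mbs")}
    blocking_devices = items = 0
    for d in devices:
        per_kind[d["kind"]] += 1
        if d["kind"] == "mbs":
            continue              # master blocking sensors do not count toward Max Interfaces
        blocking_devices += 1
        n = len(d["items"])
        if n > FIXED_LIMITS["items_per_device"]:
            problems.append(f"{d['name']}: {n} blocking items exceeds the fixed 100 per device")
        items += n
    for kind, count in per_kind.items():
        if count > FIXED_LIMITS[kind]:
            problems.append(f"{count} {kind} devices exceeds the fixed limit of {FIXED_LIMITS[kind]}")
    if blocking_devices > mi:
        problems.append(f"{blocking_devices} blocking devices exceeds Max Interfaces {mi}")
    if items > mi:
        problems.append(f"{items} blocking items exceeds Max Interfaces {mi}")
    return problems


# Constructed sample: a router blocking on one interface in both directions, a firewall with
# two contexts, and a master blocking sensor; Max Interfaces is deliberately set too low
SAMPLE_GENERAL = {"max_blocks": 250, "max_ratelimits": 250, "max_interfaces": 3}
SAMPLE_DEVICES = [
    {"name": "edge-rtr", "kind": "router", "items": ["Gi0/0 in", "Gi0/0 out"]},
    {"name": "dmz-fw", "kind": "firewall", "items": ["admin", "dmz-ctx"]},
    {"name": "mbs-1", "kind": "mbs", "items": []},
]

if __name__ == "__main__":
    for problem in check_blocking_config(SAMPLE_GENERAL, SAMPLE_DEVICES):
        print(problem)
```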

Blocking Page > User Profiles Tab

Use the User Profiles tab of the Blocking page to define connection credential information to the blocking devices. After you populate this table, you can choose one of the profiles from it when you define blocking devices.

Navigation Path

(Device view) Select Platform > Security > Blocking from the Policy selector. Click the User Profiles tab.

Related Topic

Configuring Blocking, page 17-8.

Field Reference

Table M-83 User Profiles Tab 

Element
Description

Profile Name

Name of the profile.

Enable Password

(Optional) Enable password used on the blocking device. The enable password is found only in the Add User Profile dialog box.

Note If a password exists, it is displayed with a fixed number of asterisks.

Password

(Optional) Login password used to log in to the blocking device. Found only in the Add User Profile dialog box.

Note If a password exists, it is displayed with a fixed number of asterisks.

Username

(Optional) Username used to log in to the blocking device.

Add button

Opens the Add User Profile dialog box.

Edit button

Opens the Modify User Profile dialog box.

Delete button

Removes the selected user profile from the table.


User Profile Dialog Box

Use the User Profile Dialog Box to add or modify a user profile that you can use when you define blocking devices.

Navigation Path

(Device view) Select Platform > Security > Blocking from the Policy selector. Click the User Profiles tab. Select a row. Click the Add button or the Modify button.

Field Reference

Table M-84 User Profile Dialog Box 

Element
Description

Profile Name

Name of the profile.

Enable Password

(Optional) Enable password used on the blocking device.

Note If a password exists, it is displayed with a fixed number of asterisks.

Password

(Optional) Login password used to log in to the blocking device.

Note If a password exists, it is displayed with a fixed number of asterisks.

Username

(Optional) Username used to log in to the blocking device.


Blocking Page > Master Blocking Sensors Tab

Use the Master Blocking Sensors tab of the Blocking Properties page to configure a master blocking sensor. The master blocking sensor must have one blocking device assigned.

Navigation Path

(Device view) Select Platform > Security > Blocking from the Policy selector. Click the Master Blocking Sensors tab.

Related Topic

Configuring Blocking, page 17-8.

Field Reference

Table M-85 Master Blocking Sensors Tab 

Element
Description

IP Address

IP address of the master blocking sensor. You receive a warning if the IP address already exists. Security Manager allows you to specify the IP address in either of two ways: by entering it manually or by choosing an existing sensor that is known to Security Manager.

Username

Username used to log in to the blocking device.

Password

The login password used to log in to the master blocking sensor.

Port

(Optional) Port on which to connect on the master blocking sensor. The default is 443.

TLS

Whether or not to use transport layer security (TLS).

Add button

Opens the Add Master Blocking Sensor dialog box.

Edit button

Opens the Modify Master Blocking Sensor dialog box.

Delete button

Removes the selected Master Blocking Sensor from the table.


Master Blocking Sensor Dialog Box

Use the Master Blocking Sensor dialog box to add a master blocking sensor or to modify the properties of a master blocking sensor that you added previously.

Navigation Path

(Device view) Select Platform > Security > Blocking from the Policy selector. Click the Master Blocking Sensors tab. Click the Add button to add a master blocking sensor. Select a row and click the Modify button to modify a master blocking sensor.

Related Topic

Blocking Page > Master Blocking Sensors Tab

Field Reference

Table M-86 Master Blocking Sensor Dialog Box 

Element
Description

IP Address

The IP address of the master blocking sensor. You receive a warning if the IP address already exists. Security Manager allows you to specify the IP address in either of two ways: by entering it manually or by choosing an existing sensor that is known to Security Manager.

Username

Username used to log in to the blocking device.

Password

The login password used to log in to the master blocking sensor.

Port

(Optional) The port on which to connect on the master blocking sensor. The default is 443.

TLS

Specifies whether or not to use TLS.


Blocking Page > Router Tab

Use the Router Tab to configure an IOS router to be used as a blocking device.

Navigation Path

(Device view) Select Platform > Security > Blocking from the Policy selector. Click the Router tab.

Related Topic

Configuring Blocking, page 17-8.

Field Reference

Table M-87 Router Tab 

Element
Description

IP Address

The IP address of the router. You receive a warning if the IP address already exists. Security Manager allows you to specify the IP address in either of two ways: by entering it manually or by choosing an existing router that is known to Security Manager.

Communication Type

SSH DES, SSH 3DES, or Telnet.

NAT Address

The network address translation (NAT) address, if any, to the router.

Profile Name

The name of the profile as specified in the Add User Profile dialog box or the Modify User Profile dialog box.

Response Capabilities

Indicates whether the device uses blocking or rate limiting or both.

Add button

Opens the Add Router Device dialog box.

Edit button

Opens the Modify Router Device dialog box.

Delete button

Removes the selected Router Device from the table.


Router Device Dialog Box

The Router Device dialog box appears in two forms, the Add Router Device dialog box and the Modify Router Device dialog box. Use the Router Device dialog box to add an IOS router to be used as a blocking device or to modify the properties of an IOS router previously added to be used as a blocking device.

Navigation Path

(Device view) Select Platform > Security > Blocking from the Policy selector. Click the Router tab. Click the Add button or the Modify button.

Field Reference

Table M-88 Router Tab > Router Device Dialog Box 

Element
Description

IP Address

The IP address of the router. You receive a warning if the IP address already exists. Security Manager allows you to specify the IP address in either of two ways: by entering it manually or by choosing an existing router that is known to Security Manager.

Select... Button

Opens the Networks/Hosts Selector dialog box.

Communication Type

SSH DES, SSH 3DES, or Telnet.

NAT Address

The NAT address, if any, to the router.

Select... Button

Opens the Networks/Hosts Selector dialog box.

Profile Name

The name of the profile as specified in the Add User Profile dialog box or the Modify User Profile dialog box.

Interfaces and directions where blocks will be applied

Lists block interfaces on the router in tabular format:

Interface Name

Direction

Pre-ACL Name

Post-ACL Name

Response Capabilities

Indicates whether the device is used for blocking, for rate limiting, or for both.

Add button

Opens the Add Router Block Interface dialog box.

Edit button

Opens the Modify Router Block Interface dialog box.

Delete button

Removes the selected router block interface from the table.


Router Block Interface Dialog Box

Use the Router Block Interface dialog box to add a block interface (the interface on the IOS router that the sensor uses for blocking) to an IOS router to be used as a blocking device. Also, use the Router Block Interface dialog box to modify a block interface that you previously added.

Navigation Path

(Device view) Select Platform > Security > Blocking from the Policy selector. Click the Router tab. Click the Add button or the Modify button. In the Add Router Device or Modify Router Device dialog box, under Interfaces and directions where blocks will be applied, click the Add button or the Modify button.

Field Reference

Table M-89 Router Block Interface Dialog Box 

Element
Description

Interface Name

The name of the router interface on which the sensor applies blocks, entered exactly as the interface is named on the router.

Direction

The direction, in or out, in which the block ACL is applied on that interface.

Pre-ACL Name

The name of an access list that already exists on the router. The sensor places its entries before the block entries in the ACL it builds for this interface and direction.

Post-ACL Name

The name of an access list that already exists on the router. The sensor places its entries after the block entries in the ACL it builds for this interface and direction. The sensor does not create the pre-ACL or post-ACL; both must be configured on the router beforehand.
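The following Python example is added here and is not code from Security Manager or the sensor software. It shows how the Pre-ACL, the block entries, and the Post-ACL fit together in the ACL the sensor builds for a block interface: pre-ACL entries first, then one deny per blocked address, then post-ACL entries, with a closing permit ip any any when no post-ACL is given, which is the behaviour Cisco documents for the sensor-generated ACL. The ACL name, the addresses, and the pre-ACL entries are constructed for illustration. It also performs the check a practitioner wants before trusting a block: IOS ACLs are evaluated first-match, so a pre-ACL permit whose source covers an attacker address is matched before the sensor's deny and silently defeats the block.

```python
from ipaddress import IPv4Network
from typing import List, Tuple

# An access-control entry is (action, source). Source is a CIDR string or
# the literal "any"; destination is always "any" because sensor block
# entries match only on the attacker's source address.
Ace = Tuple[str, str]


def ace_to_ios(action: str, src: str) -> str:
    """Render one entry in IOS extended-ACL syntax (wildcard masks)."""
    if src == "any":
        return f"{action} ip any any"
    net = IPv4Network(src)
    if net.prefixlen == 32:
        return f"{action} ip host {net.network_address} any"
    return f"{action} ip {net.network_address} {net.hostmask} any"


def build_block_acl(pre_acl: List[Ace], blocks: List[str], post_acl: List[Ace]) -> List[str]:
    """Compose the ACL in the order the sensor applies it:
    pre-ACL entries, then a deny for each active block, then post-ACL entries.
    With no post-ACL, close with permit ip any any; otherwise the implicit
    deny at the end of every IOS ACL would drop all traffic on the interface,
    not just the blocked hosts."""
    entries: List[Ace] = list(pre_acl)
    entries += [("deny", net) for net in blocks]
    entries += post_acl if post_acl else [("permit", "any")]
    return [ace_to_ios(action, src) for action, src in entries]


def shadowed_blocks(pre_acl: List[Ace], blocks: List[str]) -> List[str]:
    """Return the blocks that a pre-ACL permit would match first.
    IOS evaluates ACL entries top-down and stops at the first match, so a
    permit placed before the deny makes that block ineffective."""
    shadowed = []
    for block in blocks:
        net = IPv4Network(block)
        for action, src in pre_acl:
            if action != "permit":
                continue
            if src == "any" or net.subnet_of(IPv4Network(src)):
                shadowed.append(block)
                break
    return shadowed


def render_named_acl(name: str, lines: List[str]) -> str:
    """Format the entry list as an IOS named extended ACL."""
    body = "\n".join(f" {line}" for line in lines)
    return f"ip access-list extended {name}\n{body}"


if __name__ == "__main__":
    # Constructed input: a pre-ACL that permits an internal range, and two
    # blocks (one host, one network) issued by the sensor.
    pre = [("permit", "10.0.0.0/8")]
    blocks = ["10.1.2.3/32", "198.51.100.0/24"]
    print(render_named_acl("IPS_BLOCK_Gi0_1_in", build_block_acl(pre, blocks, [])))
    for block in shadowed_blocks(pre, blocks):
        print(f"WARNING: block for {block} is shadowed by a pre-ACL permit")
```

Run it to see that the host block for 10.1.2.3 is reported as shadowed: the pre-ACL permit for 10.0.0.0/8 is evaluated first, so the deny the sensor adds never matches. Keep pre-ACL entries narrow (management traffic only) and put broad permits in the post-ACL instead, where they follow the block entries.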


Blocking Page > Firewall Tab

Use the Firewall tab to configure a firewall to be used as a blocking device.

Navigation Path

(Device view) Select Platform > Security > Blocking from the Policy selector. Click the Firewall tab.

Related Topic

Configuring Blocking, page 17-8.

Field Reference

Table M-90 Firewall Tab 

Element
Description

IP Address

The IP address of the firewall. You receive a warning if the IP address already exists. Security Manager allows you to specify the IP address in either of two ways: by entering it manually or by choosing an existing firewall that is known to Security Manager.

Communication Type

SSH DES, SSH 3DES, or Telnet.

NAT Address

The NAT address of the firewall, if one is used.

Profile Name

The name of the profile as specified in the Add User Profile dialog box or the Modify User Profile dialog box.

Add button

Opens the Add Firewall Device dialog box.

Edit button

Opens the Modify Firewall Device dialog box.

Delete button

Removes the selected firewall device from the table.