Index
Numerics
4GE bypass interface card
configuration restrictions 5-9
described 5-8
802.1q encapsulation
VLAN groups 5-27
A
accessing IPS software 22-2
access list
configuring 4-5
misconfiguring D-26
access-list
command 4-5
configuring 4-5
account locking
configuring 4-17
described 4-17
ACLs
described 13-2
Post-Block 13-21, 13-22
Pre-Block 13-21, 13-22
adding
event action overrides 8-15
external product interfaces 10-5
global parameters 7-9
hosts to the SSH known hosts list 4-31, 4-32
signature variables 6-4
target value ratings 8-13
trusted hosts 4-37
users 4-11, 4-15, 4-16
virtual sensors 7-4, 7-7, 18-4
Address Resolution Protocol. See ARP.
administrator privileges 1-4, A-27
aggregation
alert frequency 8-30
operating modes 8-30
AIC engine
AIC FTP B-11
AIC HTTP B-11
described 6-17, B-11
features B-11
AIC FTP engine parameters (table) B-13
AIC HTTP engine parameters (table) B-12
AIC policy enforcement
default configuration 6-18, B-12
described 6-18, B-12
sensor oversubscription 6-18, B-12
AIM IPS
configuration sequence 17-1
configuration tasks 17-1
configuring interfaces 17-5, 17-7, 17-9, 17-10, 17-11, 17-12
initializing 3-19
interface sequence 17-4
logging in 2-9, 17-15
NAT 17-5
RBCP 17-17
rebooting 17-17
resetting 17-17
resetting heartbeat 17-18
session command 2-9, 17-14
sessioning 2-9, 17-15
setting up interfaces 17-4
setup command 3-19
shutting down 17-17
status display 17-16
time sources 4-19
verifying installation 17-2, D-72
AIP SSM
assigning policies 18-4
assigning virtual sensors 18-7
configuration tasks 18-1
creating virtual sensors 18-4
Deny Connection Inline 8-6, D-71
Deny Packet Inline 8-6, D-71
hw-module module 1 recover 18-14
hw-module module 1 reset 18-14
hw-module module 1 shutdown 18-13
initializing 3-24
inline mode 18-9
inspecting IPS traffic 18-9
installing system image 21-49
interfaces 18-3
logging in 2-10
modes 18-9
Normalizer engine 18-12, B-21, D-70
password recovery 16-5, D-12
promiscuous mode 18-9
recovering D-67
reimaging 21-49
Reset TCP Connection 8-6, D-71
resetting D-67
resetting the password 16-6, D-12
sending traffic 18-9
session command 2-10
setup command 3-24
show context 18-6
show ips command 18-6
show module command 18-2
task sequence 18-1
TCP reset packets 8-6, D-71
time sources 4-19
verifying initialization 18-2
virtual sensors
assigning interfaces 18-4
assigning to security context 18-6
virtual sensor sequence 18-3
AIP-SSM
bypass mode 18-12
Alarm Channel described 8-2, A-25
alert and log actions (list) 8-4
alert-frequency command 6-7
alert frequency modes B-6
alert-severity
command 6-8
configuring 6-9
allocate-ips command 18-3
allow-sensor-block command 13-7
alternate TCP reset interface configuration restrictions 5-11
alternate TCP reset interfaces
conditions 5-5
described 5-4
alternate TCP reset interfaces (table) 5-4
Analysis Engine
busy D-23
described 7-1
IDM exits D-57
is busy error messages D-23
verify it is running D-20
virtual sensors 7-1
anomaly detection
asymmetric environment 9-1, 9-2
caution 9-1, 9-2
clearing statistics 9-47
configuration sequence 9-5
default configuration (example) 9-4
described 9-2
detect mode 9-3
disabling 9-48, D-19
displaying policy lists 16-20
event actions 9-6, B-48
inactive mode 9-4
learning accept mode 9-3
learning process 9-3
limiting false positives 9-37
protocols 9-2
signatures (table) 9-7, B-49
statistics display 9-47
worm attacks 9-36
worms 9-2
zones 9-4
anomaly-detection
load command 9-41
save command 9-41
anomaly detection operational settings
configuring 9-10, 9-38
described 9-10
anomaly detection policies
copying 9-8
creating 9-8
deleting 9-8
displaying 9-8
editing 9-8
anomaly detection zones
illegal 9-19
internal 9-11
appliances
application partition image 21-12
GRUB menu 16-3, D-9
initializing 3-4
logging in 2-2
password recovery 16-3, D-9
recovering software image 21-27
resetting 16-35
terminal servers
described 2-3, 21-14
setting up 2-3, 21-14
time sources 4-19
upgrading recovery partition 21-6
Application Inspection and Control. See AIC.
application partition
described A-3
image recovery 21-12
application-policy
command 6-18
configuring 6-18
application policy enforcement
described 6-18, B-12
applications in XML format A-2
applying software updates D-53
ARC
ACLs 13-21, A-13
authentication A-14
blocking
application 13-1
connection-based A-17
unconditional blocking A-17
blocking not occurring for signature D-41
block response A-12
Catalyst 6000 series switch
VACL commands A-18
VACLs A-18
Catalyst switches
VACLs A-15
VLANs A-15
checking status 13-3
described A-2
design 13-2
device access issues D-38
enabling SSH D-40
features A-13
firewalls
AAA A-18
connection blocking A-17
NAT A-18
network blocking A-17
postblock ACL A-15
preblock ACL A-15
shun command A-17
TACACS+ A-18
formerly Network Access Controller 13-3
functions 13-1, A-11
illustration A-12
inactive state D-37
interfaces A-13
maintaining states A-16
master blocking sensors A-13
maximum blocks 13-2
misconfigured MBS D-42
nac.shun.txt file A-16
NAT addressing A-14
number of blocks A-14
postblock ACL A-15
preblock ACL A-15
prerequisites 13-4
rate limiting 13-3
responsibilities A-12
single point of control A-14
SSH A-13
supported devices 13-5, A-15
Telnet A-13
troubleshooting D-35
VACLs A-13
verifying device interfaces D-40
verifying status D-36
ARP
Layer 2 signatures B-14
protocol B-14
ARP spoof tools
dsniff B-14
ettercap B-14
ASDM resetting passwords 16-7, D-14
assigning interfaces
AIP SSM 18-4
virtual sensors 7-4
assigning policies
AIP SSM 18-4
virtual sensors 7-4
asymmetric environment and anomaly detection 9-1, 9-2
asymmetric traffic and disabling anomaly detection 9-48, D-19
Atomic ARP engine
described B-14
parameters (table) B-14
Atomic IP engine
described B-14
parameters (table) B-14
Atomic IPv6 engine
described B-15
Neighborhood Discovery protocol B-15
signatures B-15
signatures (table) B-16
attack relevance rating
described 8-12
target host OS 8-23
Attack Response Controller
described A-2
formerly known as Network Access Controller A-2
Attack Response Controller. See ARC.
attack severity rating
calculating risk rating 8-11
described 8-11
attemptLimit command 4-17
authenticated NTP 4-19, 4-29
AuthenticationApp
authenticating users A-21
described A-3
login attempt limit A-20
method A-20
responsibilities A-20
secure communications A-21
sensor configuration A-20
authorized keys
defining 4-33
RSA authentication 4-33
automatic upgrades
information required 21-7
troubleshooting D-53
autonegotiation and hardware bypass 5-10
auto-upgrade-option command 21-7
B
backing up
configuration 15-22, D-3
current configuration 15-21, 15-22, D-4, D-5
BackOrifice. See BO.
BackOrifice 2000. See BO2K.
backup-config command 15-18
banner login command 16-10
block-enable command 13-8
block-hosts command 13-31
blocking
addresses never to block 13-18
block time 13-12
described 13-1
disabling 13-9
list of blocked hosts 13-32
managing
firewalls 13-27
routers 13-23
switches 13-26
manual 13-31
master blocking sensor 13-28
maximum entries 13-10
necessary information 13-3
not occurring for signature D-41
prerequisites 13-4
properties 13-6
sensor block itself 13-7
show statistics 13-32
supported devices 13-5
types 13-2
user profiles 13-19
block-networks command 13-31
BO
described B-51
Trojans B-51
BO2K
described B-51
Trojans B-51
bootloader
understanding 21-31
upgrading 21-31
Bug Toolkit
described D-2
URL D-2
bypass mode
AIP-SSM 18-12
configuring 5-34
described 5-34
bypass-option command 5-34
C
calculating risk rating
attack severity rating 8-11
watch list rating 8-12
cannot access sensor D-24
capturing live traffic 12-5
Catalyst software
command and control access 19-5
IDSM2
command and control access 19-5
configuring VACLs 19-15
enabling full memory tests 19-40
enabling SPAN 19-11
mls ip ids command 19-18
resetting 19-41
set span command 19-10
supervisor engine commands
supported 19-43
unsupported 19-44
changing passwords 4-15
changing the memory
Java Plug-in on Linux D-56
Java Plug-in on Solaris D-56
Java Plug-in on Windows D-55
checking NM CIDS IPS software status 20-8
cidDump and obtaining information D-93
CIDEE
defined A-33
example A-33
IPS extensions A-33
protocol A-33
supported IPS events A-33
cisco
default password 2-2
default username 2-2
Cisco.com
accessing software 22-2
downloading software 22-1
IPS software 22-1
software downloads 22-1
Cisco IOS software
configuration commands 19-46
EXEC commands 19-45
IDSM2
command and control access 19-7
configuring VACLs 19-16
enabling full memory tests 19-40
enabling SPAN 19-13
mls ip ids command 19-19
resetting 19-42
rate limiting 13-3
SPAN options 19-12
cisco-security-agents-mc-settings command 10-4
Cisco Security Intelligence Operations
described 22-15
URL 22-15
Cisco Services for IPS
service contract 4-39, 22-10
supported products 4-39, 22-10
class-map command 18-9
clear denied-attackers command 8-33, 16-18
clear events command 4-20, 8-39, 16-16, D-17, D-93
clearing
anomaly detection statistics 9-47
denied attackers statistics 8-33, 16-18
events 8-39, 16-16, D-93
OS IDs 8-29
statistics 16-21, D-79
clear line command 16-11
clear os-identification command 8-28
clear password command 16-5, 16-8, D-11, D-14
CLI
command line editing 1-6
command modes 1-7
default keywords 1-10
described A-3, A-26
error messages C-1
generic commands 1-10
introducing 1-1
regular expression syntax 1-8
CLI behavior
case sensitivity 1-6
display options 1-6
help 1-5
prompts 1-5
recall 1-5
tab completion 1-5
clock set command 4-22, 16-17
command 17-17
command and control access
Catalyst software 19-5
Cisco IOS software 19-7
described 19-5
command and control interfaces
described 5-2
list 5-3
command line editing (table) 1-6
command modes
described 1-7
event action rules configuration 1-8
EXEC 1-7
global configuration 1-7
privileged EXEC 1-7
service mode configuration 1-7
signature definition configuration 1-8
commands
access-list 4-5
alert-frequency 6-7
alert-severity 6-8
allocate-ips 18-3
allow-sensor-block 13-7
anomaly-detection load 9-41
anomaly-detection save 9-41
application-policy 6-18
attemptLimit 4-17
auto-upgrade-option 21-7
backup-config 15-18
banner login 16-10
block-enable 13-8
block-hosts 13-31
block-networks 13-31
bypass-option 5-34
cisco-security-agents-mc-settings 10-4
class-map 18-9
clear denied-attackers 8-33, 16-18
clear events 4-20, 8-39, 16-16, D-17, D-93
clear line 16-11
clear os-identification 8-28
clear password 16-5, 16-8, D-11, D-14
clock set 4-22, 16-17
copy ad-knowledge-base 9-41
copy anomaly-detection 9-8
copy backup-config 15-20, 15-22, D-3
copy current-config 15-20, 15-22, D-3
copy event-action-rules 8-7
copy iplog 11-7
copy license-key 4-40, 22-12
copy packet-file 12-6
copy signature-definition 6-1
current-config 15-18
debug module-boot D-67
default service anomaly-detection 9-8
default service event-action-rules 8-7
default service signature-definition 6-1
display-serial 2-5, 16-33
downgrade 21-10
enable-acl-logging 13-13
enable-detail-traps 14-4
enable-nvram-write 13-14
erase 15-23
erase ad-knowledge-base 9-42
erase packet-file 12-7
event-action 6-14
event-action-rules-configurations 16-20
event-counter 6-10
external-zone 9-28
filters 8-18
fragment-reassembly 6-30
ftp-timeout 4-7
global-block-timeout 8-31, 13-12
global-deny-timeout 8-31
global-filters-status 8-31
global-metaevent-status 8-31
global-overrides-status 8-31
global-parameters 7-9
global-summarization 8-31
host-ip 4-3
host-name 4-1
hw-module module 1 recover 18-14
hw-module module 1 reset 18-14, D-67
hw-module module 1 shutdown 18-13
hw-module module slot_number password-reset 16-6, D-12
ignore 9-10
illegal-zone 9-20
inline-interfaces 5-17
interface GigabitEthernet 17-21
interface IDS-Sensor 17-19
interface-notifications 5-35
internal-zone 9-11
ip-access-list 19-16
ip-log 6-38
iplog 11-3
ip-log-bytes 11-2
ip-log-packets 11-2
iplog-status 11-4
ip-log-time 11-2
learning-accept-mode 9-37
list anomaly-detection-configurations 9-8, 16-20
list event-action-rules-configurations 8-7
list signature-definition-configurations 6-1
log-all-block-events-and-errors 13-15
login-banner-text 4-8
max-block-entries 13-10
max-denied-attackers 8-31
max-interfaces 13-16
mls ip ids 19-18, 19-19
more 15-18
more current-config 15-1
never-block-hosts 13-18
never-block-networks 13-18
no iplog 11-6
no service anomaly-detection 9-8
no service event-action-rules 8-7
no service signature-definition 6-1
no target-value 8-13
no variables 8-9
os-identifications 8-25
other 9-17, 9-26, 9-34
overrides 8-14
packet capture 12-4
packet-display 12-2
password 4-11
physical-interfaces 5-12, 5-22, 5-28
ping 16-34
policy-map 18-9
privilege 4-11, 4-15
rename ad-knowledge-base 9-42
reset 16-34
service anomaly-detection 9-8
service event-action-rules 8-7
service-module IDS-Sensor 17-22
service-module ids-sensor slot/port heartbeat reset 17-18
service-module ids-sensor slot/port status 17-16
service-policy 18-9
service signature-definition 6-1
session 2-9, 17-15
set security acl 19-14
set span 19-10
setup 3-1, 3-4, 3-12, 3-19, 3-24, 3-31
show ad-knowledge-base diff 9-44, 9-45
show ad-knowledge-base files 9-40, 9-41
show clock 4-21, 16-16
show configuration 15-1, 15-15
show context 18-6
show events 8-36, 16-13, D-90
show history 16-35
show interfaces 5-36
show inventory 16-36, 17-2, D-72
show ips 18-6
show module 1 details D-66
show os-identification 8-28
show settings 15-3, 15-17, 16-9, 16-37, D-16
show statistics 13-32, 16-20, D-79
show statistics anomaly-detection 9-47
show statistics denied-attackers 8-33, 16-18
show statistics virtual-sensor 16-20, D-23, D-79
show tech-support 16-29, D-73
show users 4-16
show version 16-30, D-76
sig-fidelity-rating 6-11, 6-13
signature-definition-configurations 16-20
snmp-agent-port 14-2
snmp-agent-protocol 14-2
ssh authorized-key 4-33
ssh-generate-key 4-34
ssh host-key 4-31
status 6-12
stream-reassembly 6-37
subinterface-type 5-22, 5-29
summertime-option non-recurring 4-25
summertime-option recurring 4-23
target-value 8-13
tcp 9-12, 9-21, 9-29
telnet-option 4-4
terminal 16-12
time-zone-settings 4-27
tls generate-key 4-38
tls trusted-host 4-36
trace 16-37
trap-community-name 14-4
trap-destinations 14-4
udp 9-15, 9-23, 9-31
upgrade 21-3, 21-6
username 4-11
user-profile 13-19
variables 6-4, 8-9
virtual-sensor name 7-4, 18-4
worm-timeout 9-10
comparing KBs 9-44
configuration files
backing up 15-22, D-3
merging 15-22, D-3
configuration restrictions
alternate TCP reset interface 5-11
inline interface pairs 5-10
inline VLAN pairs 5-11
interfaces 5-10
physical interfaces 5-10
VLAN groups 5-11
configuration sequence
AIM IPS 17-1
AIP SSM 18-1
configured OS mapping (example) 8-25
configuring
access-list 4-5
account locking 4-17
ACL logging 13-13
AIM IPS interfaces 17-5, 17-7, 17-9, 17-10, 17-11, 17-12
alert frequency parameters 6-7
alert severity 6-9
anomaly detection operational settings 9-10, 9-38
application policy 6-18, 6-26
automatic IP logging 11-2
automatic upgrades 21-9
blocking
firewalls 13-27
routers 13-23
switches 13-26
time 13-12
bypass mode 5-34
CSA MC IPS interfaces 10-4
event action filters 8-19
event actions 6-15
event counter 6-10
external zone 9-28
ftp-timeout 4-7
host-ip 4-3
host manual blocks 13-31
host name 4-2
hosts never to block 13-18
illegal zone 9-20
inline interface pairs 5-18
inline VLAN groups 5-29
inline VLAN pairs 5-23
interfaces (sequence) 5-12
internal zone 9-12
IP fragment reassembly 6-30
IP fragment reassembly parameters 6-29, 6-36
IP logging 6-39
logging all blocking events and errors 13-15
logical devices 13-19
login-banner-text 4-8
maintenance partition
IDSM2 (Catalyst software) 21-37
IDSM2 (Cisco IOS software) 21-41
manual IP logging 11-4
master blocking sensor 13-29
maximum block entries 13-11
maximum blocking interfaces 13-17
maximum denied attackers 8-31
meta event generator 8-31
network manual blocks 13-31
networks never to block 13-18
NM CIDS
interfaces 20-3
packet capture 20-5
NTP servers 4-28
NVRAM write 13-14
OS maps 8-26
other protocols
external zone 9-34
illegal zone 9-26
internal zone 9-18
passwords 4-15
privilege 4-15
promiscuous mode 5-14
sensors (task sequence) 1-1
sensor to block itself 13-7
sensor to use NTP 4-29
signature fidelity rating 6-11
status 6-12
summarizer 8-31
summertime
non-recurring 4-25
recurring 4-23
TCP
external zone 9-29
illegal zone 9-21
internal zone 9-13
stream reassembly 6-37
telnet-option 4-4
timezone settings 4-27
traffic flow notifications 5-35
UDP
external zone 9-32
illegal zone 9-23
internal zone 9-15
upgrades 21-4
user profiles 13-20
Web Server settings 4-9
control transactions
characteristics A-8
request types A-7
copy ad-knowledge-base command 9-41
copy anomaly-detection command 9-8
copy backup-config command 15-20, 15-22, D-3
copy command syntax 9-42
copy current-config command 15-20, 15-22, D-3
copy event-action-rules command 8-7
copying
anomaly detection policies 9-8
event action rules policies 8-7
IP log files 11-7
KBs 9-41, 9-43
packet files 12-7
signature definition policies 6-2
copy iplog command 11-7
copy license-key command 4-40, 22-12
copy packet-file command 12-6
copy signature-definition command 6-1
correcting time on the sensor 4-20, D-17
creating
anomaly detection policies 9-8
banner logins 16-10
custom signatures 6-40
event action rules policies 8-7
event action variables 8-10
global parameters 7-9
OS maps 8-26
service account 4-14, D-6
service HTTP signatures 6-45
signature definition policies 6-2
string TCP signatures 6-42
user profiles 13-19
VACLs
Post-Block 13-25
Pre-Block 13-25
virtual sensors 7-4, 7-7
cryptographic account
Encryption Software Export Distribution Authorization form 22-2
obtaining 22-2
CSA MC
configuring IPS interfaces 10-4
host posture events 10-1, 10-3
quarantined IP address events 10-1
supported IPS interfaces 10-3
CtlTransSource
described A-2, A-10
illustration A-11
Ctrl-N 1-5
Ctrl-P 1-5
current-config command 15-18
current configuration
backing up 15-22, D-3
filtering output 15-15
searching output 15-15
custom signatures
configuration sequence 6-40
described 6-3
service HTTP example 6-45
String TCP 6-40
D
data ports restoring defaults 19-28
data structures (examples) A-7
DDoS
protocols B-50
Stacheldraht B-50
TFN B-50
debug logging enabling D-43
debug-module-boot command D-67
default
blocking time 13-12
keywords 1-10
password 2-2
username 2-2
virtual sensor vs0 7-2
default service anomaly-detection command 9-8
default service event-action-rules command 8-7
default service signature-definition command 6-1
defining authorized keys 4-33
deleting
anomaly detection policies 9-8
denied attackers list 8-33, 16-18
event action rules policies 8-7
event action variables 8-10
inline interface pairs 5-20
inline VLAN pairs 5-26
OS maps 8-28
signature definition policies 6-2
signature variables 6-4
target value ratings 8-13
VLAN groups 5-33
Denial of Service. See DoS.
deny actions (list) 8-4
deny-packet-inline described 8-6, B-9
detect mode (anomaly detection) 9-3
device access issues D-38
diagnosing network connectivity 16-34
directing output to serial port 2-5, 16-33
disabling
anomaly detection 9-48, D-19
blocking 13-9
ECLB (Cisco IOS software) 19-36
password recovery 16-9, D-15
signatures 6-12
disaster recovery D-7
displaying
AIM IPS status 17-16
anomaly detection
policies 9-8
policy lists 16-20
statistics 9-47
contents of logical file 15-19
current configuration 15-1
current submode configuration 15-3
event action rules policies 8-7
event actions rules lists 16-20
events 8-37, 16-14, D-91
interface statistics 5-37
IP log contents 11-5
KB files 9-40
KB thresholds 9-45
live traffic 12-3
OS IDs 8-29
password recovery setting 16-9, D-16
PEP information 16-36
policy lists 16-20
signature definition lists 16-20
statistics 16-21, D-79
submode settings 16-37
system clock 4-21, 16-16
tech support information 16-30, D-74
version 16-31, D-76
display-serial
command 2-5, 16-33
supported platforms 2-5, 16-33
Distributed Denial of Service. See DDoS.
DoS tools (stick) B-6
downgrade command 21-10
downgrading sensors 21-11
downloading software 22-1
duplicate IP addresses D-27
E
ECLB
described 19-25
disabling (Cisco IOS software) 19-36
options 19-29
promiscuous mode 19-29
requirements 19-29
sensing modes 19-26
editing
anomaly detection policies 9-8
event action rules policies 8-7
event action variables 8-10
signature definition policies 6-2
signature variables 6-4
target value ratings 8-13
enable-acl-logging command 13-13
enable-detail-traps command 14-4
enable-nvram-write command 13-14
enabling
full memory tests
Catalyst software 19-40
Cisco IOS software 19-40
signatures 6-12
SPAN
Catalyst software 19-11
Cisco IOS software 19-13
enabling debug logging D-43
Encryption Software Export Distribution Authorization form
cryptographic account 22-2
described 22-2
engines
AIC 6-17
Master B-4
Sweep B-45
erase ad-knowledge-base command 9-42
erase command 15-23
erase packet-file command 12-7
erasing
current configuration 15-23
KBs 9-41, 9-43
packet files 12-7
error messages
Analysis Engine is busy D-23
described C-1
validation C-5
EtherChannel Load Balancing. See ECLB.
event-action command 6-14
event action filters described 8-17
event action overrides described 8-14
event action rules
example 8-35
functions 8-1
lists 16-20
task list 8-7
understanding 8-1
event action rules policies
copying 8-7
creating 8-7
deleting 8-7
displaying 8-7
editing 8-7
event actions
configuring 6-15
deny attackers inline 8-31
described B-7
table B-7
event-counter
command 6-10
configuring 6-10
events
displaying 8-37, 16-14, D-91
host posture 10-2
quarantined IP address 10-2
Event Store
clearing events 4-20, D-17
data structures A-7
described A-2
examples A-6
responsibilities A-6
timestamp A-6
event types D-90
event variables
described 8-9
example 8-9
examples
ASA failover configuration D-69
external product interfaces
adding 10-5
described 10-1
issues 10-3, D-21
troubleshooting 10-8, D-21
external zone
configuring 9-28
configuring other protocols 9-34
configuring TCP 9-29
configuring UDP 9-32
described 9-28
external-zone command 9-28
F
fail-over testing 5-9
false positives described 6-3
files
IDSM2 password recovery 16-4, D-11
upgrade 21-3
filtering
current configuration 15-15
submode configuration 15-17
filters command 8-18
finding serial number 17-2, D-72
Flood engine described B-16
Flood Host engine parameters (table) B-16
Flood Net engine parameters (table) B-17
fragment-reassembly command 6-30
FTP servers supported 21-2
ftp-timeout
command 4-7
configuring 4-7
G
generating
SSH server host key 4-34
TLS certificate 4-38
generic commands 1-10
global-block-timeout command 8-31, 13-12
global correlation
Produce Alert 8-4
global-deny-timeout command 8-31
global-filters-status command 8-31
global-metaevent-status command 8-31
global-overrides-status command 8-31
global parameters
adding 7-9
creating 7-9
maximum open IP logs 7-9
options 7-9
global-parameters command 7-9
global-summarization command 8-31
GRUB menu password recovery 16-3, D-9
H
H.225.0 protocol B-27
H.323 protocol B-27
hardware bypass
autonegotiation 5-10
configuration restrictions 5-9
fail-over 5-9
IPS 4260 5-8
IPS 4270-20 5-8
supported configurations 5-9
with software bypass 5-9
help
question mark 1-5
using 1-5
host-ip
command 4-3
configuring 4-3
host-name
command 4-1
configuring 4-2
host posture events
CSA MC 10-3
described 10-2
HTTP/HTTPS servers supported 21-2
HTTP deobfuscation
ASCII normalization 6-43, B-30
described 6-43, B-30
hw-module module 1 recover command 18-14
hw-module module 1 reset command 18-14, D-67
hw-module module 1 shutdown command 18-13
hw-module module slot_number password-reset command 16-6, D-12
I
IDAPI
communications A-3, A-29
described A-3
functions A-29
illustration A-29
responsibilities A-29
IDCONF
described A-32
example A-32
RDEP2 A-32
XML A-32
IDIOM
defined A-31
messages A-31
IDM
Analysis Engine is busy D-57
certificates 4-35
Java Plug-in D-55
memory D-55
TLS and SSL 4-35
will not load D-57
IDS 4215
BIOS upgrade 21-18
installing system image 21-16
ROMMON upgrade 21-18
upgrading
BIOS 21-18
ROMMON 21-18
IDSM2
administrative tasks 19-39
capturing IPS traffic
described 19-14
mls ip ids command 19-18
SPAN 19-10
Catalyst software
command and control access 19-5
inline mode 19-20
inline VLAN pair mode 19-23
Cisco IOS software
command and control access 19-7
inline mode 19-21
inline VLAN pair mode 19-24
command and control
access 19-5
port 19-9
command and control access 19-7
command and control port D-64
configuration tasks 19-1
configuring
command and control access 19-5
ECLB 19-29, 19-31, 19-34
ECLB inline mode 19-27
ECLB inline VLAN pair mode 19-26
ECLB promiscuous mode 19-26
inline mode 19-20, 19-21
inline VLAN pair mode 19-24
inline VLAN pair mode (Catalyst software) 19-23
load balancing 19-29, 19-31, 19-34
maintenance partition (Catalyst software) 21-37
maintenance partition (Cisco IOS software) 21-41
mls ip ids command 19-18
sequence 19-1
SPAN 19-10
tasks 19-1
configuring VACLs
Catalyst software 19-15
Cisco IOS software 19-16
disabling
ECLB (Catalyst software) 19-36
ECLB (Cisco IOS software) 19-36
ECLB
disabling (Catalyst software) 19-36
disabling (Cisco IOS software) 19-36
requirements 19-29
verifying (Catalyst software) 19-37
verifying (Cisco IOS software) 19-38
enabling full memory tests
Catalyst software 19-40
Cisco IOS software 19-40
initializing 3-12
inline mode
Catalyst software 19-20
Cisco IOS software 19-21
described 19-8, 19-20
requirements (Catalyst software) 19-20, 19-23
inline VLAN pair mode
Catalyst software 19-23
Cisco IOS software 19-24
described 19-8, 19-22
installing
system image (Catalyst software) 21-34
system image (Cisco IOS software) 21-35
logging in 2-5
mixing sensing modes 19-8
mls ip ids command
Catalyst software 19-18
Cisco IOS software 19-19
described 19-9
monitoring ports 19-9
not online D-64
password recovery 16-4, D-11
password recovery image file 16-4, D-11
promiscuous mode 19-8, 19-9
reimaging 21-34
resetting
Catalyst software 19-41
Cisco IOS software 19-42
described 19-41
restoring data port defaults 19-28
sensing ports 19-14
set span command 19-10
setup command 3-12
supported configurations 19-5, D-60
supported supervisor engine commands 19-43
TCP reset port 19-9, 19-10, 19-14, D-65
time sources 4-19
unsupported supervisor engine commands 19-44
upgrading
maintenance partition (Catalyst software) 21-44
maintenance partition (Cisco IOS software) 21-45
VACLs
configuring 19-14
described 19-14
verifying
ECLB (Catalyst software) 19-37
ECLB (Cisco IOS software) 19-38
verifying installation 19-3
IDS-Sensor interface ip unnumbered 17-5, 17-7
ignore command 9-10
illegal zone
configuring 9-20
configuring other protocols 9-26
configuring TCP 9-21
configuring UDP 9-23
described 9-19
protocols 9-19
illegal-zone command 9-20
inactive mode (anomaly detection) 9-4
initialization
verifying 3-37
verifying (AIP SSM) 18-2
initializing
AIM IPS 3-19
AIP SSM 3-24
appliances 3-4
IDSM2 3-12
NM CIDS 3-31
sensors 3-1
inline interface pair mode described 5-16
inline interface pairs
configuration restrictions 5-10
configuring 5-18
deleting 5-20
inline-interfaces command 5-17
inline mode (IDSM2) 19-8
inline VLAN groups configuration 5-29
inline VLAN pair mode
described 5-21
supported sensors 5-21
inline VLAN pair mode (IDSM2) 19-8
inline VLAN pairs
configuration restrictions 5-11
configuring 5-23
deleting 5-26
installer major version 22-5
installer minor version 22-5
installing
license key 4-41, 22-14
sensor license 22-11
system image
AIP SSM 21-49
IDS 4215 21-16
IDSM2 (Catalyst software) 21-34
IDSM2 (Cisco IOS software) 21-35
IPS 4240 21-20
IPS 4255 21-20
IPS 4260 21-23
IPS 4270-20 21-25
InterfaceApp
described A-19
interactions A-19
NIC drivers A-19
InterfaceApp described A-2
interface configuration sequence 5-12
interface GigabitEthernet command 17-21
interface IDS-Sensor command 17-19
interface-notifications command 5-35
interfaces
AIM IPS 17-4
alternate TCP reset 5-2, 5-4
command and control 5-2
configuration restrictions 5-10
described 5-2
displaying live traffic 12-3
port numbers 5-2
sensing 5-2, 5-3
slot numbers 5-2
VLAN groups 5-2
interface statistics display 5-37
interface support (table) 5-5
internal zone
configuring 9-12
configuring other protocols 9-18
configuring TCP 9-13
configuring UDP 9-15
described 9-11
protocols 9-11
internal-zone command 9-11
introducing the CLI 1-1
ip-access-list command 19-16
IP fragmentation described B-20
IP fragment reassembly
described 6-27
parameters (table) 6-28
signatures (table) 6-28
ip-log-bytes command 11-2
ip-log command 6-38
iplog command 11-3
IP log contents
displaying 11-5
viewing 11-5
IP log files copying 11-7
IP logging
automatic 11-2
configuring 11-1
copying files 11-7
described 6-38, 11-1
manual 11-4
ip-log-packets command 11-2
iplog-status command 11-4
ip-log-time command 11-2
IPS
external communications A-30
internal communications A-29
IPS 4240
installing system image 21-20
password recovery 16-3
reimaging 21-20
router speed D-23
IPS 4255
installing system image 21-20
password recovery 16-3
reimaging 21-20
IPS 4260
hardware bypass 5-8
installing system image 21-23
reimaging 21-23
IPS 4270-20
hardware bypass 5-8
installing system image 21-25
reimaging 21-25
IPS appliances
Deny Connection Inline 8-6, D-71
Deny Packet Inline 8-6, D-71
Reset TCP Connection 8-6, D-71
TCP reset packets 8-6, D-71
IPS applications
summary A-34
table A-34
XML format A-2
IPS data
types A-7
XML document A-8
IPS events
listed A-8
types A-8
IPS modules and time synchronization 4-20
IPS software
application list A-2
available files 22-1
configuring device parameters A-4
directory structure A-33
Linux OS A-1
new features A-3
obtaining 22-1
platform-dependent release examples 22-6
retrieving data A-4
security features A-5
tuning signatures A-4
updating A-4
user interaction A-4
versioning scheme 22-3
IPS software file names
major updates (illustration) 22-4
minor updates (illustration) 22-4
patch releases (illustration) 22-4
service packs (illustration) 22-4
ip unnumbered command 17-5, 17-7
IPv6 described B-15
J
Java Plug-in
Linux D-56
Solaris D-56
Windows D-55
K
KB
file display 9-40
threshold display 9-45
KBs
comparing 9-44
copying 9-41, 9-43
described 9-3
erasing 9-41, 9-43
histogram 9-36
initial baseline 9-3
loading 9-41
manually loading 9-41
manually saving 9-41
renaming 9-41, 9-43
saving 9-41
scanner threshold 9-36
tree structure 9-36
keywords
default 1-10
no 1-10
Knowledge Base. See KB.
L
learning accept mode (anomaly detection) 9-3
learning-accept-mode command 9-37
license key
installing 4-41, 22-14
status 4-39, 22-9
trial 4-39, 22-9
licensing
described 4-39, 22-9
IPS device serial number 4-39, 22-9
Licensing pane described 22-11
limitations on concurrent CLI sessions 1-3, 2-1, 17-1
list anomaly-detection-configurations command 9-8, 16-20
list event-action-rules-configurations command 8-7, 16-20
list of blocked hosts 13-32
list signature-definition-configurations command 6-1, 16-20
load balancing options 19-29
loading KBs 9-41
locked account reset 4-15
log-all-block-events-and-errors command 13-15
LogApp
described A-2, A-19
functions A-19
syslog messages A-19
logging in
AIM IPS 2-9, 17-15
AIP SSM 2-10
appliances 2-2
IDSM2 2-5
NM CIDS 2-6
sensors
SSH 2-12
Telnet 2-12
service role 2-2
terminal servers 2-3, 21-14
user role 2-1
login-banner-text
command 4-8
configuring 4-8
LOKI
described B-50
protocol B-50
M
MainApp
applications A-6
described A-2
host statistics A-5
responsibilities A-5
show version command A-5
maintenance partition
configuring
IDSM2 (Catalyst software) 21-37
IDSM2 (Cisco IOS software) 21-41
described A-3
major updates described 22-3
managing
firewalls 13-27
routers 13-23
switches 13-26
manual blocking 13-31
manual block to bogus host D-40
manually
loading KBs 9-41
saving KBs 9-41
master blocking sensor described 13-28
Master engine
alert frequency B-6
alert frequency parameters (table) B-6
described B-3
event actions B-7
general parameters (table) B-4
universal parameters B-4
master engine parameters
obsoletes B-6
promiscuous delta B-5
vulnerable OSes B-6
max-block-entries command 13-10
max-denied-attackers command 8-31
maximum open IP logs 7-9
max-interfaces command 13-16
MBS not set up properly D-42
memory (IDM) D-55
merging configuration files 15-22, D-3
Meta engine
described 6-46, B-17
parameters (table) B-18
Signature Event Action Processor 6-46, B-17
MIBs supported 14-6, D-18
minor updates described 22-3
mls ip ids command
described 19-18
IDSM2 19-18
modes
anomaly detection detect 9-3
anomaly detection inactive 9-4
anomaly detection learning accept 9-3
bypass 5-34
inline interface pair 5-16
inline VLAN pair 5-21
promiscuous 5-16
VLAN groups 5-27
modifying terminal properties 16-12
modify packets inline modes 7-3
monitoring and viewer privileges 1-4, A-27
more command 15-18
more current-config command 15-1
moving OS maps 8-27
Multi String engine
described B-18
parameters (table) B-19
Regex B-18
N
NAT and AIM IPS 17-5
Neighborhood Discovery
options B-15
types B-15
Network Access Controller. See NAC.
Network Timing Protocol. See NTP.
never-block-hosts command 13-18
never-block-networks command 13-18
NM CIDS
bootloader
file 21-31
overview 21-31
checking IPS software status 20-8
configuration tasks 20-1
configuring
ids-sensor interfaces 20-2
interfaces 20-3
packet capture 20-5
initializing 3-31
logging in 2-6
packet monitoring 20-5
password recovery 16-5, D-11
rebooting 20-7
reimaging 21-28, 21-29
reload command 20-7
reset command 20-7
session command 20-2
setup command 3-31
shutdown command 20-7
supported Cisco IOS software commands 20-8
system image file 21-28
telneting to the router 20-5
upgrading bootloader 21-31
no iplog command 11-6
Normalizer engine
described B-20
IP fragment reassembly B-20
parameters (table) B-22
TCP stream reassembly B-20
no service anomaly-detection command 9-8
no service event-action-rules command 8-7
no service signature-definition command 6-1
no target-value command 8-13
NotificationApp
alert information A-8
described A-3
functions A-8
SNMP gets A-8
SNMP traps A-8
statistics A-10
system health information A-9
no variables command 8-9
NTP
authenticated 4-19, 4-29
configuring servers 4-28
described 4-18
incorrect configuration D-49
sensor time source 4-28, 4-29
time synchronization 4-18
unauthenticated 4-19, 4-29
O
obsoletes field
described B-6
obtaining
command history 16-35
cryptographic account 22-2
IPS software 22-1
list of blocked hosts and connections 13-32
used commands list 16-35
operator privileges 1-4, A-27
os-identifications command 8-25
OS IDs
clearing 8-29
displaying 8-29
OS maps
creating 8-26
deleting 8-28
moving 8-27
other actions (list) 8-5
other command 9-17, 9-26, 9-34
output
clearing current line 1-6
displaying 1-6
overrides command 8-14
P
packet capture command 12-4
packet display command 12-2
partitions
application A-3
maintenance A-3
recovery A-3
passive OS fingerprinting
components 8-23
configuring 8-24
described 8-23
password command 4-11
password recovery
AIP SSM 16-5, D-12
appliances 16-3, D-9
described 16-2, D-8
disabling 16-9, D-15
GRUB menu 16-3, D-9
IDSM2 16-4, D-11
IPS 4240 16-3
IPS 4255 16-3
NM CIDS 16-5, D-11
platforms 16-2, D-8
ROMMON 16-3, D-10
troubleshooting 16-10, D-16
verifying 16-9, D-16
passwords
changing 4-15
configuring 4-15
patch releases described 22-3
peacetime learning (anomaly detection) 9-3
PEP information
PID 16-36
SN 16-36
VID 16-36
physical connectivity issues D-30
physical-interfaces command 5-12, 5-22, 5-28
physical interfaces configuration restrictions 5-10
ping command 16-34
platforms and concurrent CLI sessions 1-3, 2-1, 17-1
policy lists display 16-20
policy-map command 18-9
Post-Block ACLs 13-21, 13-22
Pre-Block ACLs 13-21, 13-22
prerequisites for blocking 13-4
privilege
command 4-11, 4-15
configuring 4-15
promiscuous delta
described B-5
promiscuous delta described 8-12
promiscuous mode
configuring 5-14, 5-16
described 5-16
ECLB 19-29
IDSM2 19-8
packet flow 5-16
prompts and default input 1-5
protocols
ARP B-14
CIDEE A-33
DCE B-32
DDoS B-50
H.323 B-27
H225.0 B-27
IPv6 B-15
LOKI B-50
MSSQL B-33
Neighborhood Discovery B-15
Q.931 B-27
RPC B-32
Q
Q.931 protocol
described B-27
SETUP messages B-27
quarantined IP address events described 10-2
R
rate limiting
described 13-3
routers 13-3
supported signatures 13-3
RBCP (AIM IPS) 17-17
RDEP2
described A-30
functions A-30
messages A-30
responsibilities A-30
rebooting
AIM IPS 17-17
NM CIDS 20-7
recall
help and tab completion 1-5
using 1-5
recover command 21-11
recovering
AIP SSM D-67
application partition image 21-12
recovery/upgrade CD 21-27
recovery partition
described A-3
upgrading 21-6
Regular Expression. See Regex.
regular expression syntax
described 1-8
signatures B-9
table 1-8
reimaging
AIP SSM 21-49
appliances 21-11
described 21-1
IDS 4215 21-16
IDSM2 21-34
IPS 4240 21-20
IPS 4255 21-20
IPS 4260 21-23
IPS 4270-20 21-25
NM CIDS 21-29
sensors 21-1, 22-8
service-module ids-sensor slot/port 17-17
removing last applied upgrade 21-11
rename ad-knowledge-base command 9-42
renaming KBs 9-41, 9-43
reset command 16-34
reset not occurring for a signature D-49
resetting
AIM IPS 17-17
AIP SSM D-67
appliances 16-35
heartbeat (AIM IPS) 17-18
IDSM2 19-41
passwords
ASDM 16-7, D-14
hw-module command 16-6, D-12
resetting the password
AIP SSM 16-6, D-12
restoring
data port defaults 19-28
restoring the current configuration 15-21, 15-22, D-4, D-5
retiring signatures 6-12
retrieving events through RDEP2 (illustration) A-30
risk rating
calculating 8-11
described 8-23
example 8-35
ROMMON
described 21-14
IDS 4215 21-16
IPS 4240 21-20
IPS 4255 21-20
IPS 4260 21-23
IPS 4270-20 21-25
password recovery 16-3, D-10
remote sensors 21-14
serial console port 21-14
TFTP 21-14
round-trip time. See RTT.
RPC portmapper B-34
RSA authentication and authorized keys 4-33
RTT
described 21-14
TFTP limitation 21-14
S
saving KBs 9-41
scheduling automatic upgrades 21-9
SDEE
defined A-32
HTTP A-32
protocol A-32
Server requests A-32
searching
current configuration 15-15
submode configuration 15-17
security
account locking 4-17
information on Cisco Security Intelligence Operations 22-15
SSH 4-31
security policies described 6-1, 8-1, 9-2
sending commands through RDEP2 (illustration) A-31
sensing interfaces
described 5-3
modes 5-3
PCI cards 5-3
SensorApp
Alarm Channel A-24
Analysis Engine A-24
described A-3
packet flow A-24
processors A-23
responsibilities A-23
Signature Event Action Processor A-23
sensors
access problems D-24
asymmetric traffic and disabling anomaly detection 9-48, D-19
configuration task sequence 1-1
configuring to use NTP 4-29
corrupted SensorApp configuration D-34
disaster recovery D-7
downgrading 21-11
incorrect NTP configuration D-49
initializing 3-1
interface support 5-5
IP address conflicts D-27
license 22-11
logging in
SSH 2-12
Telnet 2-12
managing
firewalls 13-27
routers 13-23
switches 13-26
misconfigured access lists D-26
no alerts D-31, D-59
not seeing packets D-33
NTP time source 4-29
NTP time synchronization 4-18
partitions A-3
physical connectivity D-30
preventive maintenance D-2
process not running D-28
recovering the system image 22-8
reimaging 21-1, 22-8
sensing process not running D-28
setup command 3-1, 3-4
system images 22-8
time sources 4-18
troubleshooting software upgrades D-54
using NTP time source 4-28
serial connection and supported platforms 2-5, 16-33
serial number and show inventory command 17-2, D-72
service account
creating 4-14, D-6
described 4-13, A-28, D-5
privileges 1-4, A-27
TAC A-28
troubleshooting A-28
service anomaly-detection command 9-8
Service DNS engine
described B-24
parameters (table) B-24
Service engine
described B-23
Layer 5 traffic B-23
service event-action-rules command 8-7
Service FTP engine
described B-25
parameters (table) B-25
PASV port spoof B-25
Service Generic Advanced engine described B-27
Service Generic engine
described B-26
parameters (table) B-26
Service H225 engine
ASN.1 PER validation B-27
described B-27
features B-28
parameters (table) B-28
TPKT validation B-27
Service HTTP engine
described 6-43, B-29
parameters (table) B-30
Service IDENT engine
described B-31
parameters (table) B-32
service-module IDS-Sensor command 17-22
service-module ids-sensor slot/port heartbeat reset command 17-18
service-module ids-sensor slot/port status command 17-16
Service MSRPC engine
DCE/RPC protocol B-32
described B-32
parameters (table) B-33
Service MSSQL engine
described B-33
MSSQL protocol B-33
parameters (table) B-33
Service NTP engine
described B-34
parameters (table) B-34
service packs described 22-3
service-policy command 18-9
service privileges 1-4, A-27
service role 1-4, 2-2, A-27
Service RPC engine
described B-34
parameters (table) B-34
RPC portmapper B-34
service signature-definition command 6-1
Service SMB Advanced engine
described B-37
parameters (table) B-37
Service SMB engine
described B-35
parameters (table) B-35
Service SNMP engine
described B-39
parameters (table) B-39
Service SSH engine
described B-40
parameters (table) B-40
Service TNS engine
described B-40
parameters (table) B-41
session command
AIM IPS 2-9, 17-14
AIP SSM 2-10
described 2-9
IDSM2 2-5
NM CIDS 2-6
session command described 17-15
sessioning
AIM IPS 2-9, 17-15
AIP SSM 2-10
IDSM2 2-6
NM CIDS 2-7
set security acl command 19-14
setting system clock 4-22, 16-17
setting up a terminal server 2-3, 21-14
setup command 3-1, 3-4, 3-12, 3-19, 3-24, 3-31
show ad-knowledge-base diff command 9-44, 9-45
show ad-knowledge-base files command 9-40, 9-41
show clock command 4-21, 16-16
show configuration command 15-1, 15-15
show context command 18-6
show events command 8-36, 16-13, D-90
show history command 16-35
show interfaces command 5-36, D-88
show inventory command 16-36, 17-2, D-72
show ips command 18-6
show module 1 details command D-66
show module command 18-2
show os-identification command 8-28
show settings command 15-3, 15-17, 16-9, 16-37, D-16
show statistics anomaly-detection command 9-47
show statistics command 13-32, 16-20, D-78, D-79
show statistics denied-attackers command 8-33, 16-18
show statistics virtual-sensor command 16-20, D-23, D-79
show tech-support command 16-29, D-73
show tech-support command output D-74
show users command 4-16
show version command 16-30, D-76
shutting down AIM IPS 17-17
sig-fidelity-rating command 6-11, 6-13
signature/virus update files described 22-4
signature definition list display 16-20
signature definition policies
copying 6-2
creating 6-2
deleting 6-2
editing 6-2
signature engines
AIC B-12
Atomic B-13
Atomic ARP B-14
Atomic IP B-14
Atomic IPv6 B-15
described B-1
Flood B-16
Flood Host B-16
Flood Net B-17
list B-2
Master B-4
Meta 6-46, B-17
Multi String B-18
Normalizer B-20
Regex
patterns B-10
syntax B-9
Service B-23
Service DNS B-24
Service FTP B-25
Service Generic B-26
Service Generic Advanced B-27
Service H225 B-27
Service HTTP 6-43, B-29
Service IDENT B-31
Service MSRPC B-32
Service MSSQL B-33
Service NTP engine B-34
Service RPC B-34
Service SMB B-35
Service SMB Advanced B-37
Service SNMP B-39
Service SSH engine B-40
Service TNS B-40
State B-41
String 6-40, B-43
Sweep B-46
Sweep Other TCP B-48
Traffic Anomaly 9-6, B-48
Traffic ICMP B-50
Trojan B-51
signature engine update files described 22-5
Signature Event Action Filter
described 8-2, A-25
parameters 8-2, A-25
Signature Event Action Handler described 8-3, A-25
Signature Event Action Override described 8-2, A-25
Signature Event Action Processor
Alarm Channel 8-2
alarm channel A-25
components 8-2, A-25
described 8-2, A-23, A-25
figure A-25
flow of signature events 8-3, A-25
illustration 8-3
signature fidelity rating
configuring 6-11
described 8-11
signatures
custom 6-3
default 6-3
described 6-3
false positives 6-3
no TCP reset D-49
rate limits 13-3
string TCP 6-42
subsignatures 6-3
tuned 6-3
signature variables
adding 6-4
deleting 6-4
described 6-4
editing 6-4
SNMP
configuring
agent parameters 14-2
traps 14-4
described 14-1
general parameters 14-2
Get 14-1
GetNext 14-1
Set 14-1
supported MIBs 14-6, D-18
trap 14-1
snmp-agent-port command 14-2
snmp-agent-protocol command 14-2
SNMP traps described 14-1
software architecture
ARC (illustration) A-12
IDAPI (illustration) A-29
RDEP2 (illustration) A-30
software bypass
supported configurations 5-9
with hardware bypass 5-9
software downloads Cisco.com 22-1
software file names
recovery (illustration) 22-5
signature/virus updates (illustration) 22-4
signature engine updates (illustration) 22-5
system image (illustration) 22-5
software release examples
platform-dependent 22-6
platform identifiers 22-7
platform-independent 22-6
software updates
supported FTP servers 21-2
supported HTTP/HTTPS servers 21-2
SPAN
configuring 19-10
options 19-12
port issues D-30
specifying worm timeout 9-10, 9-38
SSH
adding hosts 4-32
security 4-31
understanding 4-31
ssh authorized-key command 4-33
ssh generate-key command 4-34
ssh host-key command 4-31
SSH known hosts list adding hosts 4-31
SSH Server
host key generation 4-34
private keys A-21
public keys A-21
standards
CIDEE A-33
IDCONF A-32
SDEE A-32
State engine
Cisco Login B-41
described B-41
LPR Format String B-41
parameters (table) B-42
SMTP B-41
status command 6-12
stopping IP logging 11-6
stream-reassembly command 6-37
String engine described 6-40, B-43
String ICMP engine parameters (table) B-43
String TCP engine
options 6-40
parameters (table) B-44
signature 6-40
String UDP engine parameters (table) B-45
subinterface 0 described 5-27
subinterface-type command 5-22, 5-29
submode configuration
filtering output 15-17
searching output 15-17
subsignatures described 6-3
summarization
described 8-30
fire-all 8-30
fire-once 8-31
global-summarization 8-31
Meta engine 8-30
summary 8-30
summertime
configuring
non-recurring 4-25
recurring 4-23
summertime-option non-recurring command 4-25
summertime-option recurring command 4-23
supervisor engine commands
supported 19-43
unsupported 19-44
supported Cisco IOS software commands (NM CIDS) 20-8
supported FTP servers 21-2
supported IPS interfaces (CSA MC) 10-3
Sweep engine
described B-45, B-46
parameters (table) B-46, B-48
Sweep Other TCP engine described B-48
switch commands for troubleshooting D-61
syntax and case sensitivity 1-6
system architecture
directory structure A-33
supported platforms A-1
system clock
displaying 4-21, 16-16
setting 4-22, 16-17
System Configuration Dialog
described 3-1
example 3-2
system design (illustration) A-1
system images
installing
IDSM2 (Cisco IOS software) 21-35
IPS 4240 21-20
IPS 4255 21-20
sensors 22-8
T
tab completion use 1-5
TAC
PEP information 16-36
service account 4-13, A-28, D-5
show tech-support command 16-29, D-73
target-value command 8-13
target value rating
described 8-12, 8-13
settings 8-13
tasks
configuring AIM IPS 17-1
configuring IDSM2 19-1
configuring NM CIDS 20-1
configuring the sensor 1-1
tcp command 9-12, 9-21, 9-29
TCP fragmentation described B-20
TCP reset
not occurring D-49
TCP resets
IDSM2 port 19-10, D-65
TCP stream reassembly
described 6-31
parameters (table) 6-32, 6-36
signatures (table) 6-32, 6-36
telnet (NM CIDS) 20-5
telnet-option
command 4-4
configuring 4-4
terminal
command 16-12
modifying length 16-12
server setup 2-3, 21-14
terminating CLI session 16-11
testing fail-over 5-9
TFN2K
described B-50
Trojans B-51
TFTP servers
maximum file size limitation 21-14
RTT 21-14
threat rating described 8-12
time
correcting on the sensor 4-20, D-17
sensor 4-18
synchronization on IPS modules 4-20
time sources
AIM IPS 4-19
AIP SSM 4-19
appliances 4-19
IDSM2 4-19
time-zone-settings
command 4-27
configuring 4-27
TLS
certificate generation 4-38
certificates 4-35
handshaking 4-36
understanding 4-35
tls generate-key command 4-38
tls trusted-host command 4-36
trace
command 16-37
IP packet route 16-37
Traffic Anomaly engine
described 9-6, B-48
protocols 9-6, B-48
signatures 9-6, B-48
traffic flow notifications
configuring 5-35
described 5-35
Traffic ICMP engine
DDoS B-50
described B-50
LOKI B-50
parameters (table) B-50
TFN2K B-50
Transport Layer Security. See TLS.
trap-community-name 14-4
trap-destinations command 14-4
trial license key 4-39, 22-9
Tribe Flood Network. See TFN.
Tribe Flood Network 2000. See TFN2K.
Trojan engine
BO2K B-51
described B-51
TFN2K B-51
Trojans
BO B-51
BO2K B-51
LOKI B-50
TFN2K B-51
troubleshooting
accessing files on FTP site D-94
AIP SSM
commands D-66
debugging D-67
failover scenarios D-68
recovering D-67
reset D-67
Analysis Engine busy D-57
applying software updates D-53
ARC
blocking not occurring for signature D-41
device access issues D-38
enabling SSH D-40
inactive state D-37
misconfigured MBS D-42
procedures D-35
verifying device interfaces D-40
automatic updates D-53
cannot access sensor D-24
cidDump D-93
cidLog messages to syslog D-48
communication D-24
corrupted SensorApp configuration D-34
debug logger zone names (table) D-47
debug logging D-43
disaster recovery D-7
duplicate sensor IP addresses D-27
enabling debug logging D-43
external product interfaces 10-8, D-21
faulty DIMMs D-35
gathering information D-72
IDM
cannot access sensor D-58
will not load D-57
IDSM2
command and control port D-64
diagnosing problems D-59
not online D-63, D-64
serial cable D-65
status indicator D-61
switch commands D-61
IPS 4240 router speed D-23
IPS and PIX devices D-22
manual block to bogus host D-40
misconfigured access list D-26
no alerts D-31, D-59
normalizer inline mode D-22
NTP D-49
password recovery 16-10, D-16
physical connectivity issues D-30
preventive maintenance D-2
procedures D-1
reset not occurring for a signature D-49
sensing process not running D-28
sensor events D-90
sensor not seeing packets D-33
sensor software upgrade D-54
service account 4-13, D-5
show events command D-89
show interfaces command D-88
show statistics command D-78
show tech-support command D-73, D-74
show version command D-76
software upgrade
IDS 4235 D-52
IDS 4250 D-52
SPAN port issue D-30
upgrading from 5.x to 6.0 D-51
uploading files to FTP site D-94
verifying Analysis Engine is running D-20
verifying ARC status D-36
trusted hosts adding 4-37
tuned signatures described 6-3
U
udp command 9-15, 9-23, 9-31
unassigned VLAN groups described 5-27
unauthenticated NTP 4-19, 4-29
unsupported supervisor engine commands 19-44
upgrade
command 21-3, 21-6
files 21-3
upgrading
5.x to 6.0 22-7
files 21-3
from 5.x to 6.0 D-51
maintenance partition
IDSM2 (Catalyst software) 21-44
IDSM2 (Cisco IOS software) 21-45
minimum required version 22-7
recovery partition 21-6, 21-11
URLs for Cisco Security Intelligence Operations 22-15
username command 4-11
user-profile command 13-19
user profiles 13-19
user roles
administrator 1-3, A-27
operator 1-3, A-27
service 1-3, A-27
viewer 1-3, A-27
users
adding 4-11
removing 4-11
using
alternate TCP reset interface 5-5
debug logging D-43
V
VACLs
described 13-2
IDSM2 19-14
Post-Block 13-25
Pre-Block 13-25
validation error messages described C-5
variables command 6-4, 8-9
verifying
ECLB (Catalyst software) 19-37
ECLB (Cisco IOS software) 19-38
IDSM2 installation 19-3
installation
AIM IPS 17-2, D-72
NME IPS D-72
password recovery 16-9, D-16
sensor initialization 3-37
sensor setup 3-37
viewer privileges 1-4, A-27
viewing
IP log contents 11-5
user information 4-17
virtual-sensor name command 7-4, 18-4
virtual sensors
adding 7-4, 7-7, 18-4
assigning interfaces 7-4
assigning policies 7-4
creating 7-4, 7-7, 18-4
default virtual sensor 7-2
described 7-1
displaying KB files 9-40
options 7-4, 18-4
stream segregation 7-3
VLAN groups
802.1q encapsulation 5-27
configuration restrictions 5-11
deleting 5-33
deploying 5-27
described 5-27
switches 5-27
vulnerable OS field described B-6
W
watch list rating
calculating risk rating 8-12
described 8-12
Web Server
configuring 4-9
described A-3, A-22
HTTP 1.0 and 1.1 support A-22
private keys A-21
public keys A-21
RDEP2 support A-22
worm attacks and histograms 9-36
worms
Blaster 9-2
Code Red 9-2
described 9-2
Nimda 9-2
protocols 9-2
Sasser 9-2
scanners 9-2
Slammer 9-2
SQL Slammer 9-2
worm-timeout
command 9-10
specifying 9-10, 9-38
Z
zones
external 9-4
illegal 9-4
internal 9-4