Index
Numerics
4GE bypass interface card
configuration restrictions 5-9
described 5-8
802.1q encapsulation
VLAN groups 5-28
A
accessing IPS software 22-2
access-list command 4-5
access lists
changing 4-5
configuring 4-5
misconfiguration C-29
account locking
configuring 4-19
security 4-19
ACLs
described 13-2
Post-Block 13-22, 13-23
Pre-Block 13-22, 13-23
adaptive security appliance
sending IPS traffic (AIP SSC-5) 18-7
sending IPS traffic (AIP SSM) 19-9
adding
denied attackers 7-34
event action overrides 7-17
external product interfaces 10-5
global parameters 6-10
hosts to the SSH known hosts list 4-32, 4-33
login banners 4-8
signature variables 8-4
target value rating 7-15
trusted hosts 4-37
users 4-12, 4-16, 4-17
virtual sensors 6-5, 6-7, 19-4
Address Resolution Protocol. See ARP.
administrator role privileges 1-3
AIC engine
AIC FTP B-11
AIC FTP engine parameters (table) B-12
AIC HTTP B-11
AIC HTTP engine parameters (table) B-11
described B-11
features B-11
signature categories 8-17
AIC policy enforcement
default configuration 8-18, B-11
described 8-18, B-10
sensor oversubscription 8-18, B-11
AIM IPS
configuration sequence 17-1
configuring interfaces 17-5, 17-7, 17-9, 17-11, 17-13
displaying status 17-16
initializing 3-13
installing system image 23-22
interfaces described 17-3
interface sequence 17-4
logging in 2-5, 17-15
NAT 17-5
RBCP 17-18
rebooting 17-18
resetting 17-18
resetting heartbeat 17-17
session command 2-5, 17-15
sessioning 2-4, 2-5, 17-14, 17-15
setup command 3-13
shutting down 17-18
time sources 4-21, C-18
AIP SSC-5
bypass mode 18-9
changing default network settings 18-4
configuration tasks 18-1
default network parameters (table) 18-3
fail-open mode 18-5
fail-over mode 18-5
hw-module module 1 recover configure 18-11
hw-module module slot_number password-reset 18-10
hw-module module slot_number recover boot 18-10
hw-module module slot_number recover stop 18-10
hw-module module slot_number reload 18-10
hw-module module slot_number reset 18-10
hw-module module slot_number shutdown 18-10
initializing 3-7
inline mode 18-5
installing system image 23-26
logging in 2-6
management interface example 18-5
management VLAN 18-3
no external interfaces 18-3
Normalizer engine B-37
password recovery 16-5, C-10
promiscuous mode 18-5
receiving IPS traffic 18-7
resetting the password 16-5, C-11
session command 2-6
show module command 18-2
task sequence 18-1
traffic commands (list) 18-6
verifying initialization 18-2
AIP SSM
assigning virtual sensors 19-6
bypass mode 19-10
configuration tasks 19-1
creating virtual sensors 19-4
Deny Connection Inline 7-7, C-73
Deny Packet Inline 7-7, C-73
fail-open mode 19-8
fail-over mode 19-8
hw-module module 1 recover configure 19-13
hw-module module slot_number password-reset 19-12
hw-module module slot_number recover boot 19-12
hw-module module slot_number recover stop 19-12
hw-module module slot_number reload 19-12
hw-module module slot_number reset 19-12
hw-module module slot_number shutdown 19-12
initializing 3-15
inline mode 19-8
installing system image 23-26
interfaces 19-3
logging in 2-6
Normalizer engine 19-11, B-37, C-72
password recovery 16-7, C-12
promiscuous mode 19-8
receiving IPS traffic 19-9
recovering C-70
reimaging 23-25
Reset TCP Connection 7-7, C-73
resetting C-69
resetting the password 16-7, C-13
session command 2-6
setup command 3-15
show context 19-6
show ips command 19-6
show module command 19-2
task sequence 19-1
TCP reset packets 7-7, C-73
time sources 4-21, C-19
verifying initialization 19-2
virtual sensors
assigning policies 19-4
assigning the interface 19-4
assigning to security context 19-5
configuration sequence 19-3
Alarm Channel 7-2, A-26
alert and log actions (list) 7-4
alert-frequency
modes B-6
alert-frequency command 8-7
alert-severity
command 8-9
configuring 8-9
allocate-ips command 19-3
allow-sensor-block command 13-8
alternate TCP reset interface 5-10
Analysis Engine
described 6-1
error messages C-26
IDM exits C-59
verify it is running C-23
virtual sensors 6-1
anomaly detection
asymmetric traffic 9-1, 9-2
caution 9-1, 9-2
configuration sequence 9-5
configuring learning accept mode 9-38
default configuration (example) 9-4
described 9-2
detect mode 9-4
disabling 9-49, C-22
event actions 9-6, B-63
inactive mode 9-4
learning accept mode 9-3
learning process 9-3
limiting false positives 9-37
protocols 9-3
signatures (table) 9-6, B-63
worms
attacks 9-37
described 9-3
zones 9-4
anomaly-detection load command 9-41
anomaly detection operational settings
configuring 9-10
described 9-10
anomaly detection policies
copying 9-8
creating 9-8
deleting 9-8
displaying 9-8
editing 9-8
lists 16-27
anomaly-detection save command 9-41
anomaly detection statistics
clearing 9-47
displaying 9-47
anomaly detection zones
illegal 9-20
internal 9-11
appliances
application partition image 23-12
GRUB menu 16-3, C-8
initializing 3-7
logging in 2-2
password recovery 16-3, C-8
resetting 16-41
terminal servers
described 2-3, 23-13
setting up 2-3, 23-13
time sources 4-20, C-18
upgrading recovery partition 23-6
Application Inspection and Control. See AIC.
application partition
described A-3
recovering image 23-12
application-policy
command 8-18
configuring 8-19
application policy enforcement
described 8-18, B-10
disabled (default) 8-18, B-11
applications in XML format A-2
applying software updates C-55
ARC
ACLs 13-22, A-13
authentication A-14
blocking
application 13-1
connection-based A-16
not occurring for signature C-45
unconditional blocking A-16
block response A-13
Catalyst 6000 series switch
VACL commands A-18
VACLs A-18
Catalyst switches
VACLs A-15
VLANs A-15
checking status 13-3, 13-4
described A-3
design 13-2
device access issues C-42
enabling SSH C-44
features A-13
firewalls
AAA A-17
connection blocking A-17
NAT A-18
network blocking A-17
postblock ACL A-15
preblock ACL A-15
shun command A-17
TACACS+ A-18
formerly Network Access Controller 13-1, 13-3
functions 13-1, A-12
illustration A-12
inactive state C-40
interfaces A-13
maintaining states A-16
master blocking sensors A-13
maximum blocks 13-2
misconfigured master blocking sensor C-46
nac.shun.txt file A-16
NAT addressing A-14
number of blocks A-14
postblock ACL A-15
preblock ACL A-15
prerequisites 13-5
rate limiting 13-4
responsibilities A-12
single point of control A-14
SSH A-13
supported devices 13-6, A-15
Telnet A-13
troubleshooting C-39
VACLs A-13
verifying
device interfaces C-43
status C-39
ARP
Layer 2 signatures B-13
protocol B-13
ARP spoof tools
dsniff B-13
ettercap B-13
ASDM resetting passwords 16-6, 16-8, C-12, C-14
assigning interfaces
virtual sensors 6-4
virtual sensors (AIP SSM) 19-4
assigning policies
virtual sensors 6-4
virtual sensors (AIP SSM) 19-4
asymmetric traffic
anomaly detection 9-1, 9-2
disabling anomaly detection 9-48, C-22
Atomic ARP engine
described B-13
parameters (table) B-13
Atomic IP Advanced engine
described B-14
restrictions B-15
Atomic IP engine
described B-24
parameters (table) B-25
Atomic IPv6 engine
described B-28
Neighborhood Discovery protocol B-28
signatures B-28
signatures (table) B-29
attack relevance rating
calculating risk rating 7-13
described 7-13, 7-25
Attack Response Controller
described A-3
formerly known as Network Access Controller A-3
Attack Response Controller. See ARC.
attack severity rating
calculating risk rating 7-13
described 7-13
attemptLimit command 4-19
authenticated NTP 4-20, 4-30, C-18
AuthenticationApp
authenticating users A-20
described A-3
login attempt limit A-20
method A-20
responsibilities A-20
secure communications A-21
sensor configuration A-20
authorized keys
defining 4-34
RSA authentication 4-34
automatic setup 3-2
automatic upgrade
information required 23-7
troubleshooting C-56
autonegotiation for hardware bypass 5-9
auto-upgrade-option command 23-7
B
backing up
configuration 15-22, C-3
current configuration 15-21, C-4, C-5
BackOrifice. See BO.
BackOrifice 2000. See BO2K.
backup-config command 15-18
banner login command 16-18
basic setup 3-4
block connection command 13-33
block-enable command 13-9
block hosts command 13-32
blocking
addresses never to block 13-19
block time 13-13
connection 13-33, 13-34
described 13-1
disabling 13-10
hosts 13-32
list of blocked hosts 13-34
managing firewalls 13-28
managing routers 13-24
managing switches 13-27
master blocking sensor 13-29
maximum entries 13-11
necessary information 13-3
not occurring for signature C-45
prerequisites 13-5
properties 13-7
sensor block itself 13-8
show statistics 13-34
supported devices 13-6
types 13-2
user profiles 13-20
block network command 13-32
BO
described B-65
Trojans B-65
BO2K
described B-65
Trojans B-65
Bug Toolkit
described C-1
URL C-1
bypass mode
AIP SSM 19-10
configuring 5-35
described 5-35
bypass-option command 5-35
C
calculating risk rating
attack relevance rating 7-13
attack severity rating 7-13
promiscuous delta 7-13
signature fidelity rating 7-12
target value rating 7-13
watch list rating 7-13
cannot access sensor C-27
capturing live traffic 12-5
Catalyst software
command and control access 20-5
IDSM2
command and control access 20-5
configuring VACLs 20-15
enabling full memory tests 20-40
enabling SPAN 20-11
mls ip ids command 20-18
resetting 20-41
set span command 20-11
supervisor engine commands
supported 20-43
unsupported 20-44
caution for clearing databases 16-12
certificates IDM 4-36
changing
access lists 4-5
FTP timeout 4-7
host IP address 4-3
host-name 4-2
passwords 4-15
privilege 4-16
Web Server settings 4-10
cidDump obtaining information C-96
CIDEE
defined A-32
example A-32
IPS extensions A-32
protocol A-32
supported IPS events A-32
cisco
default password 2-2
default username 2-2
Cisco.com
accessing software 22-2
downloading software 22-1
IPS software 22-1
software downloads 22-1
Cisco IOS software
command and control access 20-7
configuration commands 20-46
EXEC commands 20-45
IDSM2
command and control access 20-7
configuring VACLs 20-16
enabling full memory tests 20-40
enabling SPAN 20-13
mls ip ids command 20-19
resetting 20-42
rate limiting 13-4
SPAN options 20-12
Cisco IPS software
files 23-3
new features A-3
cisco-security-agents-mc-settings command 10-4
Cisco Security Intelligence Operations
described 22-9
URL 22-9
Cisco Services for IPS
service contract 4-40, 22-11
supported products 4-40, 22-11
clear database command 16-12
clear denied-attackers command 7-35, 16-25
clear events command 4-22, 7-40, 16-23, C-20, C-96
clearing
anomaly detection statistics 9-47
databases caution 16-12
denied attackers statistics 7-35, 16-25
events 7-40, 16-23, C-96
OS IDs 7-31
sensor databases 16-13
statistics 16-28, C-82
clear line command 16-18
clear os-identification command 7-30
clear password command 16-4, 16-10, C-10, C-15
CLI
command line editing 1-6
command modes 1-7
default keywords 1-10
described A-3, A-27
error messages D-1
generic commands 1-10
guide introduction 1-1
regular expression syntax 1-8
CLI behavior
case sensitivity 1-6
described 1-5
display options 1-6
help 1-5
prompts 1-5
recall 1-5
tab completion 1-5
clock set command 4-23, 16-24
command and control access
Catalyst software 20-5
described 20-5
command and control interface
described 5-2
list 5-3
command line editing (table) 1-6
command modes
anomaly detection configuration 1-8
event action rules configuration 1-8
EXEC 1-7
global configuration 1-7
privileged EXEC 1-7
service mode configuration 1-7
signature definition configuration 1-8
commands
access-list 4-5
alert-frequency 8-7
alert-severity 8-9
allocate-ips 19-3
allow-sensor-block 13-8
anomaly-detection load 9-41
anomaly-detection save 9-41
application-policy 8-18
attemptLimit 4-19
auto-upgrade-option 23-7
backup-config 15-18
banner login 16-18
block connection 13-33
block-enable 13-9
block hosts 13-32
block network 13-32
bypass-option 5-35
cisco-security-agents-mc-settings 10-4
clear database 16-12
clear denied-attackers 7-35, 16-25
clear events 4-22, 7-40, 16-23, C-20, C-96
clear line 16-18
clear os-identification 7-30
clear password 16-4, 16-10, C-10, C-15
clock set 4-23, 16-24
copy ad-knowledge-base 9-42
copy anomaly-detection 9-8
copy backup-config 15-20, C-3
copy current-config 15-20, C-3
copy event-action-rules 7-7
copy iplog 11-7
copy license-key 4-41, 22-13
copy packet-file 12-6
copy signature-definition 8-1
current-config 15-18
debug module-boot C-70
default service anomaly-detection 9-8
default service event-action-rules 7-8
default service signature-definition 8-2
deny attacker 7-34
downgrade 23-10
enable-acl-logging 13-14
enable-detail-traps 14-4
enable-nvram-write 13-15
erase 15-22
erase ad-knowledge-base 9-42
erase packet-file 12-7
event-action 8-15
event-action-rules-configurations 16-27
event-counter 8-10
external-zone 9-28
filters 7-20
fragment-reassembly 8-30
ftp-timeout 4-7
global-block-timeout 7-33, 13-13
global-deny-timeout 7-33
global-filters-status 7-33
global-metaevent-status 7-33
global-overrides-status 7-33
global-parameters 6-10
global-summarization 7-33
health-monitor 16-13
host-ip 4-3
host-name 4-2
hw-module module 1 recover configure 18-11, 19-13
hw-module module 1 reset C-69
hw-module module slot_number password-reset 16-5, 16-7, 18-10, 19-12, C-11, C-12
hw-module module slot_number recover boot 18-10, 19-12
hw-module module slot_number recover stop 18-10, 19-12
hw-module module slot_number reload 18-10, 19-12
hw-module module slot_number reset 18-10, 19-12
hw-module module slot_number shutdown 18-10, 19-12
ignore 9-10
illegal-zone 9-20
inline-interfaces 5-18
interface GigabitEthernet 17-21, 21-15
interface IDS-Sensor 17-19, 21-13
interface-notifications 5-36
internal-zone 9-11
ip-access-list 20-16
ip-log 8-39
iplog 11-3
ip-log-bytes 11-2
ip-log-packets 11-2
iplog-status 11-4
ip-log-time 11-2
ipv6-target-value 7-14
learning-accept-mode 9-38
list anomaly-detection-configurations 9-8, 16-27
list event-action-rules-configurations 7-7
list signature-definition-configurations 8-1
log-all-block-events-and-errors 13-16
login-banner-text 4-8
max-block-entries 13-11
max-denied-attackers 7-33
max-interfaces 13-17
mls ip ids 20-18, 20-19
more 15-18
more current-config 15-1
never-block-hosts 13-19
never-block-networks 13-19
no iplog 11-5
no ipv6-target-value 7-14
no service anomaly-detection 9-8
no service event-action-rules 7-8
no service signature-definition 8-2
no target-value 7-14
no variables 7-10
os-identifications 7-26
other 9-18, 9-26, 9-34
overrides 7-16
packet capture 12-4
packet-display 12-2
password 4-12, 4-15
physical-interfaces 5-12, 5-23, 5-29
ping 16-40
privilege 4-12, 4-16
rename ad-knowledge-base 9-42
reset 16-40
service anomaly-detection 9-8
service event-action-rules 7-7
service-module IDS-Sensor 17-22, 21-16
service-module ids-sensor slot/port 17-18, 21-12
service-module ids-sensor slot/port heartbeat reset 17-17, 21-11
service-module ids-sensor slot/port status 17-16, 21-10
service signature-definition 8-1
session 2-5, 2-9, 17-15, 21-9
set security acl 20-14
set span 20-11
setup 3-1, 3-4, 3-7, 3-13, 3-15, 3-20, 3-24
show ad-knowledge-base diff 9-44, 9-45
show ad-knowledge-base files 9-40, 9-41
show clock 4-22, 16-24
show configuration 15-1
show context 19-6
show events 7-37, 16-20, C-93
show health 16-17, C-75
show history 16-41
show interfaces 5-38
show inventory 16-42, 17-2, 21-2
show ips 19-6
show module 1 details C-69
show os-identification 7-30
show settings 15-3, 15-16, 16-11, 16-43, C-17
show statistics 13-34, 16-28, C-82
show statistics anomaly-detection 9-47
show statistics denied-attackers 7-35, 16-25
show statistics virtual-sensor 16-28, C-26, C-82
show tech-support 16-37, C-76
show users 4-17
show version 16-38, C-79
sig-fidelity-rating 8-11, 8-13
signature-definition-configurations 16-27
snmp-agent-port 14-2
snmp-agent-protocol 14-2
ssh authorized-key 4-34
ssh-generate-key 4-35
ssh host-key 4-32
status 8-12
stream-reassembly 8-38
subinterface-type 5-24, 5-30
summertime-option non-recurring 4-26
summertime-option recurring 4-24
target-value 7-14
tcp 9-13, 9-21, 9-29
telnet-option 4-4
terminal 16-19
time-zone-settings 4-28
tls generate-key 4-38
tls trusted-host 4-37
trace 16-43
trap-community-name 14-4
trap-destinations 14-4
udp 9-15, 9-24, 9-32
upgrade 23-3, 23-5
username 4-12
user-profile 13-20
variables 7-10, 8-4
virtual-sensor name 6-4, 19-4
worm-timeout 9-10
comparing KBs 9-44
configuration files
backing up 15-22, C-3
merging 15-22, C-3
configuration restrictions
alternate TCP reset interface 5-10
inline interface pairs 5-10
inline VLAN pairs 5-10
interfaces 5-9
physical interfaces 5-9
VLAN groups 5-11
configuration sequence
AIM IPS 17-1
AIP SSC-5 18-1
AIP SSM 19-1
NME IPS 21-1
configured OS mapping (example) 7-27
configuring
access lists 4-5
account locking 4-19
ACL logging 13-14
alert frequency parameters 8-8
alert severity 8-9
anomaly detection operational settings 9-10
application policy 8-19, 8-27
automatic IP logging 11-2
automatic upgrades 23-9
blocking
firewalls 13-28
routers 13-24
switches 13-27
time 13-13
bypass mode 5-35
connection blocking 13-34
CSA MC IPS interfaces 10-4
event action filters 7-21
event actions 8-16
event counter 8-10
external zone 9-29
ftp-timeout 4-7
health statistics 16-14
host blocks 13-32
host IP address 4-3
host-name 4-2
hosts never to block 13-19
illegal zone 9-20
inline interface pairs 5-18
inline VLAN groups 5-30
inline VLAN pairs 5-24
interfaces
AIM IPS 17-5, 17-7, 17-9, 17-11, 17-13
NME IPS 21-7
sequence 5-11
internal zone 9-12
IP fragment reassembly 8-31
IP fragment reassembly parameters 8-30, 8-37
IP logging 8-39
learning accept mode 9-38
logging all blocking events and errors 13-16
logical devices 13-20
login-banner-text 4-8
maintenance partition
IDSM2 (Catalyst software) 23-31
IDSM2 (Cisco IOS software) 23-35
manual IP logging 11-4
master blocking sensor 13-30
maximum
block entries 13-12
blocking interfaces 13-18
denied attackers 7-33
meta event generator 7-33
network blocks 13-33
networks never to block 13-19
NME IPS interfaces 21-6
NTP servers 4-29
NVRAM write 13-15
OS maps 7-28
other protocols
external zone 9-35
illegal zone 9-26
internal zone 9-18
password policy 4-18
passwords 4-15
privilege 4-16
promiscuous mode 5-13
sensors
block themselves 13-8
sequence 1-1
to use NTP 4-30
signature fidelity rating 8-11, 8-14
status 8-13
summarizer 7-33
summertime
non-recurring 4-26
recurring 4-24
TCP
external zone 9-30
illegal zone 9-21
internal zone 9-13
stream reassembly 8-38
telnet-option 4-4
time zone settings 4-28
traffic flow notifications 5-36
UDP
external zone 9-32
illegal zone 9-24
internal zone 9-15
upgrades 23-5
user profiles 13-21
Web Server settings 4-9
control transactions
characteristics A-8
request types A-8
copy ad-knowledge-base command 9-42
copy anomaly-detection command 9-8
copy backup-config command 15-20, C-3
copy command syntax 9-42
copy current-config command 15-20, C-3
copy event-action-rules command 7-7
copying
anomaly detection policies 9-8
event action rules policies 7-8
IP log files 11-7
KBs 9-42, 9-43
packet files 12-7
signature definition policies 8-2
copy iplog command 11-7
copy license-key command 4-41, 22-13
copy packet-file command 12-6
copy signature-definition command 8-1
correcting time on the sensor 4-22, C-20
creating
anomaly detection policies 9-8
Atomic IP Advanced signatures 8-50
banner logins 16-18
custom signatures 8-40
event action rules policies 7-8
event action variables 7-11
global parameters 6-10
Meta signatures 8-49
OS maps 7-28
Post-Block VACLs 13-26
Pre-Block VACLs 13-26
service account 4-14, C-6
service HTTP signatures 8-46
signature definition policies 8-2
string TCP signatures 8-42
user profiles 13-20
virtual sensors 6-5, 6-7
cryptographic account
Encryption Software Export Distribution Authorization from 22-2
obtaining 22-2
CSA MC
configuring IPS interfaces 10-4
host posture events 10-1, 10-3
quarantined IP address events 10-1
supported IPS interfaces 10-3
CtlTransSource
described A-2, A-11
illustration A-11
Ctrl-N 1-5
Ctrl-P 1-5
current-config command 15-18
current configuration back up 15-22, C-3
custom signatures
Atomic IP Advanced signature 8-50
configuration sequence 8-40
described 8-4
Meta signature 8-49
service HTTP example 8-46
D
data ports restore defaults 20-28
data structures (examples) A-7
DDoS
protocols B-65
Stacheldraht B-65
TFN B-65
debug logging enable C-47
debug module-boot command C-70
default
blocking time 13-13
keywords 1-10
password 2-2
username 2-2
virtual sensor vs0 6-2
default service anomaly-detection command 9-8
default service event-action-rules command 7-8
default service signature-definition command 8-2
defining authorized keys 4-34
deleting
anomaly detection policies 9-8
denied attackers list 7-35, 16-25
event action rules policies 7-8
event action variables 7-11
inline interface pairs 5-21
inline VLAN pairs 5-27
OS maps 7-30
signature definition policies 8-2
signature variables 8-4
target value rating 7-15
VLAN groups 5-34
Denial of Service. See DoS.
deny actions (list) 7-5
deny attacker
add 7-34
command 7-34
deny-packet-inline described 7-6, B-8
detect mode (anomaly detection) 9-4
device access issues C-42
diagnosing network connectivity 16-40
disabling
anomaly detection 9-49, C-22
blocking 13-10
ECLB (Cisco IOS software) 20-36
password recovery 16-10, C-16
signatures 8-13
Telnet 4-4
disaster recovery C-6
displaying
AIM IPS status 17-16
anomaly detection policies 9-8
anomaly detection policy lists 16-27
anomaly detection statistics 9-47
contents of logical file 15-18
current configuration 15-1
current submode configuration 15-3
event action rules policies 7-8
event actions rules lists 16-27
events 7-38, 16-21, C-94
health status 16-17, C-75
interface statistics 5-38
IP log contents 11-5
KB files 9-40
KB thresholds 9-46
live traffic 12-3
NME IPS status 21-10
OS IDs 7-31
password recovery setting 16-11, C-17
PEP information 16-42
policy lists 16-27
signature definition lists 16-27
statistics 16-28, C-82
submode settings 16-43
system clock 4-23, 16-24
tech support information 16-37, C-76
version 16-38, C-79
Distributed Denial of Service. See DDoS.
DoS tools B-6
downgrade command 23-10
downgrading sensors 23-11
downloading software 22-1
duplicate IP addresses C-30
E
ECLB
described 20-25
disabling (Cisco IOS software) 20-36
options 20-28
promiscuous mode 20-28
requirements 20-28
sensing modes 20-25
editing
anomaly detection policies 9-8
event action rules policies 7-8
event action variables 7-11
signature definition policies 8-2
signature variables 8-4
target value rating 7-15
enable-acl-logging command 13-14
enable-detail-traps command 14-4
enable-nvram-write command 13-15
enabling
debug logging C-47
full memory tests
Catalyst software 20-40
Cisco IOS software 20-40
signatures 8-13
SPAN
Catalyst software 20-11
Cisco IOS software 20-13
Telnet 4-4
Encryption Software Export Distribution Authorization form
cryptographic account 22-2
described 22-2
engines
AIC 8-17, B-10
Fixed B-29
Flood B-32
Master B-4
Meta 8-47, B-33
Multi String B-34
Normalizer B-36
Service DNS B-39
Service FTP B-40
Service Generic B-41
Service H225 B-42
Service HTTP 8-44, B-45
Service IDENT B-47
Service MSRPC B-47
Service MSSQL B-48
Service NTP B-49
Service P2P B-49
Service RPC B-50
Service SMB B-53
Service SMB Advanced B-51
Service SSH B-54
Service TNS B-54
State B-55
String 8-41, B-57
Sweep B-60
Sweep Other TCP B-62
Traffic ICMP B-64
Trojan B-65
erase ad-knowledge-base command 9-42
erase command 15-22
erase packet-file command 12-7
erasing
current configuration 15-23
KBs 9-42, 9-43
packet files 12-7
error messages
described D-1
validation D-5
EtherChannel Load Balancing. See ECLB.
evAlert A-8
event-action command 8-15
event action filters
described 7-19
using variables 7-20
event action overrides
described 7-16
risk rating range 7-16
event action rules
described 7-2
functions 7-2
lists display 16-27
task list 7-7
event action rules policies
copying 7-8
creating 7-8
deleting 7-8
displaying 7-8
editing 7-8
event actions configure 8-16
event-counter
command 8-10
configuring 8-10
events
displaying 7-38, 16-21, C-94
host posture 10-2
quarantined IP address 10-2
types C-92
Event Store
clearing events 4-22, C-20
data structures A-7
described A-2
examples A-7
responsibilities A-7
timestamp A-7
event variables
described 7-9
example 7-10
evError A-8
evLogTransaction A-8
evShunRqst A-8
evStatus A-8
examples
ASA failover configuration C-72
external product interfaces
adding 10-5
described 10-1
issues 10-3, C-24
troubleshooting 10-8, C-24
external zone
configuring 9-29
configuring other protocols 9-35
configuring TCP 9-30
configuring UDP 9-32
described 9-28
external-zone command 9-28
F
fail-over testing 5-9
false positives described 8-3
files
Cisco IPS 23-3
IDSM2 password recovery 16-9, C-15
filtering
more command 15-15
submode configuration 15-17
filters command 7-20
finding the serial number
AIM IPS 17-2
NME IPS 21-2
Fixed engine described B-29
Fixed ICMP engine parameters (table) B-30
Fixed TCP engine parameters (table) B-31
Fixed UDP engine parameters (table) B-31
Flood engine described B-32
Flood Host engine parameters (table) B-32
Flood Net engine parameters (table) B-33
fragment-reassembly command 8-30
FTP servers supported 23-2
FTP timeout
configuring 4-7
described 4-7
ftp-timeout command 4-7
G
generating
SSH server host key 4-35
TLS certificate 4-39
generic commands 1-10
global-block-timeout command 7-33, 13-13
global-deny-timeout command 7-33
global-filters-status command 7-33
global-metaevent-status command 7-33
global-overrides-status command 7-33
global parameters
adding 6-10
creating 6-10
maximum open IP logs 6-10
options 6-10
global-parameters command 6-10
global-summarization command 7-33
GRUB menu password recovery 16-3, C-8
H
H.225.0 protocol B-42
H.323 protocol B-42
hardware bypass
autonegotiation 5-9
configuration restrictions 5-9
fail-over 5-9
IPS 4270-20 5-8
supported configurations 5-8
with software bypass 5-8
health-monitor command 16-13
health statistics configure 16-14
help
question mark 1-5
using 1-5
host blocks configure 13-32
host IP address
changing 4-3
configuring 4-3
host-ip command 4-3
host-name
changing 4-2
command 4-2
configuring 4-2
host posture events
CSA MC 10-3
described 10-2
HTTP/HTTPS servers 23-2
HTTP deobfuscation
ASCII normalization 8-44, B-45
described 8-44, B-45
HTTP web server protocol 4-9
hw-module module 1 recover configure command 18-11, 19-13
hw-module module 1 reset command C-69
hw-module module slot_number password-reset command 16-5, 16-7, 18-10, 19-12, C-11, C-12
hw-module module slot_number recover boot command 18-10, 19-12
hw-module module slot_number recover stop command 18-10, 19-12
hw-module module slot_number reload command 18-10, 19-12
hw-module module slot_number reset command 18-10, 19-12
hw-module module slot_number shutdown command 18-10, 19-12
I
IDAPI
communications A-3, A-30
described A-3
functions A-30
illustration A-30
responsibilities A-30
IDCONF
described A-31
example A-31
XML A-31
IDIOM
defined A-30
messages A-30
IDM
Analysis Engine is busy C-59
certificates 4-36
TLS 4-36
will not load C-58
IDSM2
administrative tasks 20-39
capturing IPS traffic
mls ip ids command 20-17
SPAN 20-10, 20-25, 20-43, 23-34, 23-38, C-18, C-61, C-62
Catalyst software
command and control access 20-5
inline mode 20-20
inline VLAN pair mode 20-22
Cisco IOS software
command and control access 20-7
inline mode 20-21
inline VLAN pair mode 20-23
command and control access
configuring 20-7
described 20-5
command and control port 20-9, C-66
configuration tasks 20-1
configuring
command and control access 20-5
ECLB 20-29, 20-31, 20-33
ECLB inline mode 20-27
ECLB inline VLAN pair mode 20-26
ECLB promiscuous mode 20-26
inline mode 20-20, 20-21
inline VLAN pair mode 20-23
inline VLAN pair mode (Catalyst software) 20-22
load balancing 20-29, 20-31, 20-33
maintenance partition (Catalyst software) 23-31
maintenance partition (Cisco IOS software) 23-35
mls ip ids command 20-18
sequence 20-1
SPAN 20-10, 20-25, 20-43, 23-34, 23-38, C-18, C-61, C-62
tasks 20-1
configuring VACLs
Catalyst software 20-15
Cisco IOS software 20-16
disabling
ECLB (Catalyst software) 20-36
ECLB (Cisco IOS software) 20-36
ECLB
disabling (Catalyst software) 20-36
disabling (Cisco IOS software) 20-36
requirements 20-28
verifying (Catalyst software) 20-37
verifying (Cisco IOS software) 20-38
enabling full memory tests
Catalyst software 20-40
Cisco IOS software 20-40
initializing 3-20
inline mode
Catalyst software 20-20
Cisco IOS software 20-21
described 20-8, 20-19
requirements (Catalyst software) 20-20, 20-22
inline VLAN pair mode
Catalyst software 20-22
Cisco IOS software 20-23
described 20-8, 20-22
installing
system image (Catalyst software) 23-28
system image (Cisco IOS software) 23-29, 23-30
logging in 2-7
mixing sensing modes 20-9
mls ip ids command
Catalyst software 20-18
Cisco IOS software 20-19
described 20-9
monitoring ports 20-9
password recovery 16-9, C-14
password recovery image file 16-9, C-15
promiscuous mode 20-8, 20-9
reimaging 23-28
resetting
Catalyst software 20-41
Cisco IOS software 20-42
described 20-41
restoring data port defaults 20-28
sensing ports 20-14
sessioning 2-8
set span command 20-11
setup command 3-20
supported configurations 20-4, C-63
supported supervisor engine commands 20-43
TCP reset port 20-9, 20-10, 20-14, C-68
time sources 4-20, C-18
unsupported supervisor engine commands 20-44
upgrading
maintenance partition (Catalyst software) 23-38
maintenance partition (Cisco IOS software) 23-39
VACLs
configuring 20-14
described 20-14
verifying
ECLB (Catalyst software) 20-37
ECLB (Cisco IOS software) 20-38
installation 20-2
IDS-Sensor interface ip unnumbered 17-6, 17-8
ignore command 9-10
illegal zone
configuring 9-20
configuring other protocols 9-26
configuring TCP 9-21
configuring UDP 9-24
described 9-20
protocols 9-20
illegal-zone command 9-20
IME time synchronization problems C-61
inactive mode (anomaly detection) 9-4
initialization
verifying (AIP SSC-5) 18-2
verifying (AIP SSM) 19-2
initializing
AIM IPS 3-13
AIP SSC-5 3-7
AIP SSM 3-15
appliances 3-7
IDSM2 3-20
NME IPS 3-24
sensors 3-1, 3-4
user roles 3-1
verifying 3-27
inline interface pair mode described 5-17
inline interface pairs
configuration restrictions 5-10
configuring 5-18
deleting 5-21
inline-interfaces command 5-18
inline VLAN groups configuration 5-30
inline VLAN pair mode
described 5-22
IDSM2 20-8
supported sensors 5-22
inline VLAN pairs
configuration restrictions 5-10
configuring 5-24
deleting 5-27
installer major version 22-5
installer minor version 22-5
installing
license key 4-42, 22-14
sensor license 22-12
system image
AIM IPS 23-22
AIP SSC-5 23-26
AIP SSM 23-26
IDSM2 (Catalyst software) 23-28
IDSM2 (Cisco IOS software) 23-29, 23-30
IPS 4240 23-14, 23-15
IPS 4255 23-14, 23-15
IPS 4260 23-18
IPS 4270-20 23-19
NME IPS 23-40
InterfaceApp
described A-3, A-19
interactions A-19
NIC drivers A-19
interface GigabitEthernet command 17-21, 21-15
interface IDS-Sensor command 17-19, 21-13
interface-notifications command 5-36
interfaces
alternate TCP reset 5-2
command and control 5-2
configuration restrictions 5-9
configuration sequence 5-11
described 5-2
displaying live traffic 12-3
port numbers 5-2
sensing 5-2, 5-3
slot numbers 5-2
statistics display 5-38
support (table) 5-5
TCP reset 5-4
VLAN groups 5-2
internal zone
configuring 9-12
configuring other protocols 9-18
configuring TCP 9-13
configuring UDP 9-15
described 9-11
protocols 9-11
internal-zone command 9-11
introducing the CLI guide 1-1
ip-access-list command 20-16
IP fragmentation described B-36
IP fragment reassembly
described 8-28
parameters (table) 8-28
signatures (table) 8-28
ip-log-bytes command 11-2
ip-log command 8-39
iplog command 11-3
IP log contents
displaying 11-5
viewing 11-5
IP log files
copying 11-7
TCPDUMP 11-1
Wireshark 11-1
IP logging
automatic 11-2
configuring 11-1
copying files 11-7
described 8-39, 11-1
manual 11-4
ip-log-packets command 11-2
iplog-status command 11-4
ip-log-time command 11-2
IPS 4240
installing system image 23-14
password recovery 16-3, C-9
reimaging 23-14
IPS 4255
installing system image 23-14
password recovery 16-3, C-9
reimaging 23-14
IPS 4260
installing system image 23-18
reimaging 23-18
IPS 4270-20
hardware bypass 5-8
installing system image 23-19
reimaging 23-19
IPS appliances
Deny Connection Inline 7-6, C-73
Deny Packet Inline 7-6, C-73
Reset TCP Connection 7-6, C-73
TCP reset packets 7-6, C-73
IPS applications
summary A-33
table A-33
XML format A-2
IPS data
types A-8
XML document A-8
IPS events
evAlert A-8
evError A-8
evLogTransaction A-8
evShunRqst A-8
evStatus A-8
list A-8
types A-8
IPS internal communications A-30
IPS modules and time synchronization 4-21, C-19
IPS software
application list A-2
available files 22-1
configuring device parameters A-4
directory structure A-32
obtaining 22-1
platform-dependent release examples 22-6
retrieving data A-5
security features A-5
tuning signatures A-4
updating A-4
user interaction A-4
IPS software file names
major updates (illustration) 22-4
minor updates (illustration) 22-4
patch releases (illustration) 22-4
service packs (illustration) 22-4
ip unnumbered command 17-6, 17-8
IPv6
described B-28
SPAN ports 5-16, A-4
switches 5-16, A-4
ipv6-target-value command 7-14
K
KBs
comparing 9-44
copying 9-42, 9-43
described 9-3
displaying 9-40
erasing 9-42, 9-43
histogram 9-36
initial baseline 9-3
manually loading 9-41
manually saving 9-41
renaming 9-42, 9-43
scanner threshold 9-36
thresholds display 9-46
tree structure 9-36
keywords
default 1-10
no 1-10
Knowledge Base. See KB.
L
learning accept mode
configuring 9-38
described 9-3
learning-accept-mode command 9-38
license files
BSD license E-3
expat license E-12
GNU Lesser license E-21
GNU license E-17
license key
installing 4-42, 22-14
trial 4-40, 22-10
licensing
described 4-39, 22-10
IPS device serial number 4-39, 22-10
Licensing pane
configuring 22-12
described 4-39, 22-10
limitations for concurrent CLI sessions 1-3, 2-1, 17-1, 18-1, 19-1, 20-1, 21-1
list anomaly-detection-configurations command 9-8, 16-27
list event-action-rules-configurations command 7-7, 16-27
list of blocked hosts 13-34
list signature-definition-configurations command 8-1, 16-27
load balancing options 20-28
loading KBs 9-41
log-all-block-events-and-errors command 13-16
Logger
described A-3, A-19
functions A-19
syslog messages A-19
logging in
AIM IPS 2-5, 17-15
AIP SSC-5 2-6
AIP SSM 2-6
appliances 2-2
IDSM2 2-7
NME IPS 2-10, 21-9
sensors
SSH 2-11
Telnet 2-11
Service role 2-2
terminal servers 2-3, 23-13
user role 2-1
login-banner-text
adding 4-8
command 4-8
configuring 4-8
LOKI
described B-65
protocol B-64
loose connections on sensors C-25
M
MainApp
components A-5
described A-2, A-5
host statistics A-6
responsibilities A-6
show version command A-6
maintenance partition
configuring
IDSM2 (Catalyst software) 23-31
IDSM2 (Cisco IOS software) 23-35
described A-3
major updates described 22-3
managing
firewalls 13-28
routers 13-24
switches 13-27
manual blocking 13-32, 13-33
manual block to bogus host C-44
manually
loading KBs 9-41
saving KBs 9-41
master blocking sensor
described 13-29
not set up properly C-46
Master engine
alert frequency B-6
alert frequency parameters (table) B-6
described B-3
event actions B-7
general parameters (table) B-4
universal parameters B-4
master engine parameters
obsoletes B-6
promiscuous delta B-5
vulnerable OSes B-6
max-block-entries command 13-11
max-denied-attackers command 7-33
maximum open IP logs 6-10
max-interfaces command 13-17
merging configuration files 15-22, C-3
Meta engine
described 8-47, B-33
parameters (table) B-33
Signature Event Action Processor 8-47, B-33
MIBs supported 14-6, C-21
minor updates described 22-3
mls ip ids command 20-18, 20-19
modes
AIP SSC-5 18-5
AIP SSM 19-8
anomaly detection detect 9-4
anomaly detection inactive 9-4
anomaly detection learning accept 9-3
bypass 5-35
inline interface pair 5-17
inline VLAN pair 5-22
promiscuous 5-15
VLAN groups 5-28
modify
packet inline modes 6-3
terminal properties 16-20
more command
described 15-18
filtering 15-15
more current-config command 15-1
moving OS maps 7-29
Multi String engine
described B-34
parameters (table) B-35
Regex B-34
N
NAT
advantages 17-5, 21-5
AIM IPS 17-5
NME IPS 21-5
Neighborhood Discovery
options B-29
types B-29
network blocks configuration 13-33
Network Time Protocol. See NTP.
never-block-hosts command 13-19
never-block-networks command 13-19
NME IPS
configuration sequence 21-1
configuring interfaces 21-6, 21-7
displaying status 21-10
initializing 3-24
installing system image 23-40
interface sequence 21-5
logging in 2-10, 21-9
NAT 21-5
RBCP 21-12
rebooting 21-12
reimaging 23-40
resetting 21-12
resetting heartbeat 21-11
session command 2-9, 21-9
sessioning 2-9, 2-10, 21-8, 21-9
setup command 3-24
shutting down 21-12
time sources 4-21, C-18
verifying installation 21-2
no iplog command 11-5
no ipv6-target-value command 7-14
Normalizer engine
described B-36
IP fragment reassembly B-36
parameters (table) B-38
TCP stream reassembly B-36
no service anomaly-detection command 9-8
no service event-action-rules command 7-8
no service signature-definition command 8-2
no target-value command 7-14
NotificationApp
alert information A-9
described A-3
functions A-9
SNMP gets A-9
SNMP traps A-9
statistics A-10
system health information A-10
no variables command 7-10
NTP
authenticated 4-20, 4-30, C-18
configuring servers 4-29
described 4-20, C-18
incorrect configuration C-19
sensor time source 4-29, 4-30
time synchronization 4-20, C-18
unauthenticated 4-20, 4-30, C-18
O
obsoletes field described B-6
obtaining
command history 16-41
cryptographic account 22-2
IPS software 22-1
list of blocked hosts and connections 13-34
used commands list 16-41
operator role privileges 1-4
os-identifications command 7-26
OS IDs
clearing 7-31
displaying 7-31
OS maps
creating 7-28
deleting 7-30
moving 7-29
other actions (list) 7-6
other command 9-18, 9-26, 9-34
output
clearing current line 1-6
displaying 1-6
overrides command 7-16
P
P2P networks described B-49
packet capture command 12-4
packet display command 12-2
packet files
viewing
TCPDUMP 12-7
Wireshark 12-7
partitions
application A-3
maintenance A-3
recovery A-3
passive OS fingerprinting
components 7-25
configuring 7-26
described 7-25
password command 4-12, 4-15
password policy
caution 4-18
configuring 4-18
password recovery
AIP SSC-5 16-5, C-10
AIP SSM 16-7, C-12
appliances 16-3, C-8
CLI 16-11, C-16
described 16-2, C-8
disabling 16-10, C-16
GRUB menu 16-3, C-8
IDSM2 16-9, C-14
IPS 4240 16-3, C-9
IPS 4255 16-3, C-9
platforms 16-2, C-8
ROMMON 16-3, C-9
troubleshooting 16-12, C-17
verifying 16-11, C-17
passwords
changing 4-15
configuring 4-15
patch releases described 22-3
peacetime learning (anomaly detection) 9-3
Peer-to-Peer. See P2P.
PEP information
PID 16-42
SN 16-42
VID 16-42
physical connectivity issues C-33
physical-interfaces command 5-12, 5-23, 5-29
physical interfaces configuration restrictions 5-9
ping command 16-40
platforms concurrent CLI sessions 1-3, 2-1, 17-1, 18-1, 19-1, 20-1, 21-1
policy lists display 16-27
Post-Block ACLs 13-22, 13-23
Pre-Block ACLs 13-22, 13-23
prerequisites for blocking 13-5
privilege
changing 4-16
command 4-12, 4-16
configuring 4-16
privilege levels
administrator 1-3
operators 1-3
service 1-3
viewers 1-3
promiscuous delta
calculating risk rating 7-13
described 7-13, 8-6, B-5
promiscuous mode
configuring 5-13, 5-16
described 5-15
ECLB 20-28
IDSM2 20-8
packet flow 5-15
SPAN ports 5-16, A-4
VACL capture 5-16, A-4
prompts and default input 1-5
protocols
ARP B-13
CIDEE A-32
DCE B-47
DDoS B-65
H.323 B-42
H225.0 B-42
HTTP 4-9
ICMPv6 B-14
IDAPI A-30
IDCONF A-31
IDIOM A-30
IPv6 B-28
LOKI B-64
MSSQL B-48
Neighborhood Discovery B-28, B-29
Q.931 B-43
RPC B-47
SDEE A-31
Q
Q.931 protocol
described B-43
SETUP messages B-43
quarantined IP address events described 10-2
R
rate limiting
ACLs 13-5
described 13-4
routers 13-4
service policies 13-5
supported signatures 13-4
RBCP
AIM IPS 17-18
NME IPS 21-12
RDEP event server
deprecated A-22
replaced by SDEE event server A-22
rebooting
AIM IPS 17-18
NME IPS 21-12
recall
help and tab completion 1-5
using 1-5
recover command 23-11
recovering
AIP SSM C-70
application partition image 23-12
recovery partition
described A-3
upgrading 23-6
regex described 1-8
Regular Expression. See Regex.
regular expression syntax
described 1-8
signatures B-9
table 1-8
reimaging
AIM IPS 23-22
AIP SSM 23-25
appliances 23-11
described 23-1
IDSM2 23-28
IPS 4240 23-14
IPS 4255 23-14
IPS 4260 23-18
IPS 4270-20 23-19
NME IPS 23-40
sensors 22-8, 23-1
removing
last applied
service pack 23-11
signature update 23-11
users 4-12
rename ad-knowledge-base command 9-42
renaming KBs 9-42, 9-43
reset
command 16-40
not occurring for a signature C-53
resetting
AIM IPS 17-18
AIP SSM C-69
appliances 16-41
IDSM2 20-41
NME IPS 21-12
passwords
ASDM 16-6, 16-8, C-12, C-14
hw-module command 16-5, 16-7, C-11, C-12
resetting heartbeat
AIM IPS 17-17
NME IPS 21-11
resetting the password
AIP SSC-5 16-5, C-11
AIP SSM 16-7, C-13
restoring
data port defaults 20-28
restoring the current configuration 15-21, C-4, C-5
retiring signatures 8-13
risk rating
calculating 7-12
described 7-13, 7-25
ROMMON
described 23-13
IPS 4240 23-14
IPS 4255 23-14
IPS 4260 23-18
IPS 4270-20 23-18, 23-19
password recovery 16-3, C-9
remote sensors 23-13
serial console port 23-13
TFTP 23-13
round-trip time. See RTT.
RPC portmapper B-50
RSA authentication and authorized keys 4-34
RTT
described 23-13
TFTP limitation 23-13
S
saving KBs 9-41
scheduling automatic upgrades 23-9
SDEE
described A-31
HTTP A-31
protocol A-31
server requests A-32
searching the submode configuration 15-17
security
account locking 4-19
information on Cisco Security Intelligence Operations 22-9
policies described 7-1, 8-1, 9-2
SSH 4-32
sensing interfaces
described 5-3
interface cards 5-3
modes 5-3
SensorApp
Alarm Channel A-24
Analysis Engine A-24
described A-3
event action filtering A-25
inline packet processing A-24
IP normalization A-24
packet flow A-25
processors A-22
responsibilities A-22
risk rating A-25
Signature Event Action Processor A-23, A-25
TCP normalization A-24
sensors
access problems C-27
asymmetric traffic and disabling anomaly detection 9-48, C-22
clearing databases 16-13
configuration sequence 1-1
configuring to use NTP 4-30
corrupted SensorApp configuration C-38
disaster recovery C-6
downgrading 23-11
incorrect NTP configuration C-19
initializing 3-1, 3-4
interface support 5-5
IP address conflicts C-30
license 22-12
logging in
SSH 2-11
Telnet 2-11
loose connections C-25
managing
firewalls 13-28
routers 13-24
switches 13-27
misconfigured access lists C-29
no alerts C-34, C-60
not seeing packets C-36
NTP time source 4-30
NTP time synchronization 4-20, C-18
partitions A-3
physical connectivity C-33
preventive maintenance C-2
process not running C-31
recovering the system image 22-8
reimaging 22-8, 23-1
sensing process not running C-31
setup command 3-1, 3-4, 3-7
system images 22-8
time sources 4-20, C-18
troubleshooting software upgrades C-57
upgrading 23-5
using NTP time source 4-29
sequence
AIM IPS interfaces 17-4
NME IPS interfaces 21-5
serial number
show inventory command
AIM IPS 17-2
NME IPS 21-2
service account
creating 4-14, C-6
described 4-14, A-29, C-5
TAC A-29
troubleshooting A-29
service anomaly-detection command 9-8
Service DNS engine
described B-39
parameters (table) B-39
Service engine
described B-39
Layer 5 traffic B-39
service event-action-rules command 7-7
Service FTP engine
described B-40
parameters (table) B-41
PASV port spoof B-40
Service Generic engine
described B-41
parameters (table) B-42
Service H225 engine
ASN.1PER validation B-43
described B-42
features B-43
parameters (table) B-44
TPKT validation B-43
Service HTTP engine
described 8-44, B-45
parameters (table) B-45
Service IDENT engine
described B-47
parameters (table) B-47
service-module IDS-Sensor command 17-22, 21-16
service-module ids-sensor slot/port command 17-18, 21-12
service-module ids-sensor slot/port heartbeat reset command 17-17, 21-11
service-module ids-sensor slot/port session command 2-4, 2-9, 17-14, 21-8
service-module ids-sensor slot/port status command 17-16, 21-10
Service MSRPC engine
DCE/RPC protocol B-47
described B-47
parameters (table) B-48
Service MSSQL engine
described B-48
MSSQL protocol B-48
parameters (table) B-49
Service NTP engine
described B-49
parameters (table) B-49
Service P2P engine described B-49
service packs described 22-3
Service role
described 1-4, A-28
logging in 2-2
privileges 1-4
Service RPC engine
described B-50
parameters (table) B-50
RPC portmapper B-50
service signature-definition command 8-1
Service SMB Advanced engine
described B-51
parameters (table) B-51
Service SNMP engine
described B-53
parameters (table) B-53
Service SSH engine
described B-54
parameters (table) B-54
Service TNS engine
described B-54
parameters (table) B-55
session command
AIM IPS 2-5, 17-15
AIP SSC-5 2-6
AIP SSM 2-6
IDSM2 2-7
NME IPS 2-9, 21-9
sessioning
AIM IPS 2-5, 17-15
AIP SSC-5 2-6
AIP SSM 2-6
IDSM2 2-8
NME IPS 2-10, 21-9
set security acl command 20-14
setting the system clock 4-23, 16-25
setup
automatic 3-2
command
AIM IPS 3-13
AIP SSM 3-15
appliance 3-7
basic 3-4
IDSM2 3-20
NME IPS 3-24
simplified mode 3-2
terminal servers 2-3, 23-13
show ad-knowledge-base diff command 9-44, 9-45
show ad-knowledge-base files command 9-40, 9-41
show clock command 4-22, 16-24
show configuration command 15-1
show context command 19-6
show events command 7-37, 16-20, C-93
show health command 16-17, C-75
show history command 16-41
showing user information 4-17
show interfaces command 5-38, C-91
show inventory command 16-42, 17-2, 21-2
show ips command 19-6
show module 1 details command C-69
show module command 18-2, 19-2
show os-identification command 7-30
show settings command 15-3, 15-16, 16-11, 16-43, C-17
show statistics anomaly-detection command 9-47
show statistics command 13-34, 16-28, C-81, C-82
show statistics denied-attackers command 7-35, 16-25
show statistics virtual-sensor command 16-28, C-26, C-82
show tech-support command 16-37, C-76
show users command 4-17
show version command 16-38, C-79
shutting down
AIM IPS 17-18
NME IPS 21-12
sig-fidelity-rating command 8-11, 8-13
signature/virus update files described 22-4
signature definition list display 16-27
signature definition policies
copying 8-2
creating 8-2
deleting 8-2
editing 8-2
signature engines
AIC 8-17, B-10
Atomic B-13
Atomic ARP B-13
Atomic IP B-24
Atomic IP Advanced B-14
Atomic IPv6 B-28
described B-1
event actions B-7
Fixed B-29
Flood B-32
Flood Host B-32
Flood Net B-33
list B-2
Master B-4
Meta 8-47, B-33
Multi String B-34
Normalizer B-36
Regex
patterns B-10
syntax B-9
Service B-39
Service DNS B-39
Service FTP B-40
Service Generic B-41
Service H225 B-42
Service HTTP 8-44, B-45
Service IDENT B-47
Service MSRPC B-47
Service MSSQL B-48
Service NTP B-49
Service P2P B-49
Service RPC B-50
Service SMB Advanced B-51
Service SNMP B-53
Service SSH B-54
Service TNS B-54
State B-55
String 8-41, B-57
Sweep Other TCP B-62
Traffic Anomaly 9-6, B-62
Traffic ICMP B-64
Trojan B-65
signature engine update files described 22-4
Signature Event Action Filter
described 7-2, A-26
parameters 7-3, A-26
Signature Event Action Handler described 7-3, A-26
Signature Event Action Override described 7-2, A-26
Signature Event Action Processor
Alarm Channel 7-2, A-26
components 7-2, A-26
described 7-2, A-23, A-25, A-26
illustration 7-3, A-26
logical flow of events 7-3, A-26
signature fidelity rating
calculating risk rating 7-12
configuring 8-11, 8-14
described 7-12
signatures
custom 8-4
default 8-3
described 8-3
false positives 8-3
general parameters 8-6
no TCP reset C-53
rate limits 13-4
string TCP 8-42
subsignatures 8-3
tuned 8-3
signature variables
adding 8-4
deleting 8-4
described 8-4
editing 8-4
SNMP
configuring
agent parameters 14-2
traps 14-4
described 14-1
general parameters 14-2
Get 14-1
GetNext 14-1
Set 14-1
supported MIBs 14-6, C-21
Trap 14-1
snmp-agent-port command 14-2
snmp-agent-protocol command 14-2
software architecture
ARC (illustration) A-12
IDAPI (illustration) A-30
software bypass
supported configurations 5-8
with hardware bypass 5-8
software downloads Cisco.com 22-1
software file names
recovery (illustration) 22-5
signature/virus updates (illustration) 22-4
signature engine updates (illustration) 22-5
system image (illustration) 22-5
software release examples
platform-dependent 22-6
platform identifiers 22-7
platform-independent 22-6
software updates
supported FTP servers 23-2
supported HTTP/HTTPS servers 23-2
SPAN
configuring 20-10, 20-25, 20-43, 23-34, 23-38, C-18, C-61, C-62
options 20-12
port issues C-33
specifying worm timeout 9-10
SSH
adding hosts 4-33
known hosts list 4-32
security 4-32
understanding 4-32
ssh authorized-key command 4-34
ssh generate-key command 4-35
ssh host-key command 4-32
SSH Server
host key generation 4-35
private keys A-21
public keys A-21
standards
CIDEE A-32
IDCONF A-31
SDEE A-31
State engine
Cisco Login B-55
described B-55
LPR Format String B-55
parameters (table) B-56
SMTP B-55
status command 8-12
stopping IP logging 11-5
stream-reassembly command 8-38
String engine described 8-41, B-57
String ICMP engine parameters (table) B-58
String TCP engine
options 8-41
parameters (table) B-58
String UDP engine parameters (table) B-59
subinterface 0 described 5-28
subinterface-type command 5-24, 5-30
submode configuration
filtering output 15-17
searching output 15-17
subsignatures described 8-3
summarization
described 7-32
Fire All 7-32
Fire Once 7-32
Global Summarization 7-32
Meta engine 7-32
Summary 7-32
summertime
configuring
non-recurring 4-26
recurring 4-24
summertime-option non-recurring command 4-26
summertime-option recurring command 4-24
supervisor engine commands
supported 20-43
unsupported 20-44
supported
FTP servers 23-2
HTTP/HTTPS servers 23-2
IDSM2 configurations C-63
IDSM2 configurations 20-4
IPS interfaces (CSA MC) 10-3
Sweep engine
described B-60
parameters (table) B-61, B-62
Sweep Other TCP engine described B-62
switch commands for troubleshooting C-63
syntax and case sensitivity 1-6
system architecture
directory structure A-32
supported platforms A-1
system clock
displaying 4-23, 16-24
setting 4-23, 16-25
System Configuration Dialog
described 3-2
example 3-3
system design (illustration) A-2
system image
installing
IDSM2 (Cisco IOS software) 23-29
IPS 4240 23-15
IPS 4255 23-15
sensors 22-8
T
tab completion use 1-5
TAC
PEP information 16-42
service account 4-14, A-29, C-5
show tech-support command 16-37, C-76
target-value command
IPv4 7-14
IPv6 7-14
target value rating
calculating risk rating 7-13
described 7-13, 7-14
tasks
configuring IDSM2 20-1
configuring the sensor 1-1
tcp command 9-13, 9-21, 9-29
TCPDUMP
copy packet-file command 12-6
expression syntax 12-2
IP logs 11-1
packet capture command 12-5
packet display command 12-2
TCP fragmentation described B-36
TCP reset interfaces
conditions 5-5
described 5-4
list 5-4
TCP resets
IDSM2 port 20-10, C-68
not occurring C-53
TCP stream reassembly
described 8-32
parameters (table) 8-32, 8-37
signatures (table) 8-32, 8-37
Telnet
disabling 4-4
enabling 4-4
telnet-option
command 4-4
configuring 4-4
terminal
command 16-19
modifying length 16-20
server setup 2-3, 23-13
terminating CLI sessions 16-19
testing fail-over 5-9
TFN2K
described B-64
Trojans B-65
TFTP servers
maximum file size limitation 23-13
RTT 23-13
time
correcting on the sensor 4-22, C-20
sensors 4-20, C-18
synchronization and IPS modules 4-21, C-19
time sources
AIM IPS 4-21, C-18
AIP SSM 4-21, C-19
appliances 4-20, C-18
IDSM2 4-20, C-18
NME IPS 4-21, C-18
time-zone-settings
command 4-28
configuring 4-28
TLS
certificate generation 4-39
handshaking 4-36
IDM 4-36
tls generate-key command 4-38
tls trusted-host command 4-37
trace
command 16-43
IP packet route 16-43
Traffic Anomaly engine
described 9-6, B-62
protocols 9-6, B-62
signatures 9-6, B-62
traffic flow notifications
configuring 5-36
described 5-36
Traffic ICMP engine
DDoS B-64
described B-64
LOKI B-64
parameters (table) B-65
TFN2K B-64
trap-community-name command 14-4
trap-destinations command 14-4
trial license key 4-40, 22-10
Tribe Flood Network. See TFN.
Tribe Flood Network 2000. See TFN2K.
Trojan engine
BO2K B-65
described B-65
TFN2K B-65
Trojans
BO B-65
BO2K B-65
LOKI B-65
TFN2K B-65
troubleshooting
AIP SSM
commands C-69
debugging C-70
failover scenarios C-71
recovering C-70
reset C-69
Analysis Engine busy C-59
applying software updates C-55
ARC
blocking not occurring for signature C-45
device access issues C-42
enabling SSH C-44
inactive state C-40
misconfigured master blocking sensor C-46
verifying device interfaces C-43
automatic updates C-56
cannot access sensor C-27
cidDump C-96
cidLog messages to syslog C-52
communication C-27
corrupted SensorApp configuration C-38
debug logger zone names (table) C-51
debug logging C-47
disaster recovery C-6
duplicate sensor IP addresses C-30
enabling debug logging C-47
external product interfaces 10-8, C-24
gathering information C-74
IDM
cannot access sensor C-59
will not load C-58
IDSM2
command and control port C-66
diagnosing problems C-62
not online C-65, C-66
serial cable C-68
status indicator C-64
switch commands C-63
IME time synchronization C-61
IPS modules time drift 4-21, C-19
manual block to bogus host C-44
misconfigured access list C-29
no alerts C-34, C-60
NTP C-53
password recovery 16-12, C-17
physical connectivity issues C-33
preventive maintenance C-2
reset not occurring for a signature C-53
sensing process not running C-31
sensor events C-92
sensor loose connections C-25
sensor not seeing packets C-36
sensor software upgrade C-57
service account 4-14, C-5
show events command C-92
show interfaces command C-91
show statistics command C-81
show tech-support command C-75, C-76, C-77
show version command C-79
software upgrades C-54
SPAN port issue C-33
verifying Analysis Engine is running C-23
verifying ARC status C-39
trusted hosts add 4-37
tuned signatures described 8-3
U
udp command 9-15, 9-24, 9-32
unassigned VLAN groups described 5-28
unauthenticated NTP 4-20, 4-30, C-18
unsupported supervisor engine commands 20-44
upgrade command 23-3, 23-5
upgrading
6.x to 6.2 22-7
maintenance partition
IDSM2 (Catalyst software) 23-38
IDSM2 (Cisco IOS software) 23-39
minimum required version 22-7
recovery partition 23-6, 23-11
sensors 23-5
URLs for Cisco Security Intelligence Operations 22-9
username command 4-12
user-profiles
command 13-20
configuring 13-21
user roles
administrator 1-3
operator 1-3
service 1-3
viewer 1-3
users
adding 4-12
removing 4-12
using
debug logging C-47
TCP reset interfaces 5-5
V
VACLs
described 13-2
IDSM2 20-14
Post-Block 13-26
Pre-Block 13-26
validation error messages described D-5
variables command 7-10, 8-4
verifying
ECLB (Catalyst software) 20-37
ECLB (Cisco IOS software) 20-38
IDSM2 installation 20-2
NME IPS installation 21-2
password recovery 16-11, C-17
sensor initialization 3-27
sensor setup 3-27
viewer role privileges 1-4
viewing
IP log contents 11-5
user information 4-17
virtual-sensor name command 6-4, 19-4
virtual sensors
adding 6-5, 6-7, 19-4
assigning interfaces 6-4
assigning policies 6-4
creating 6-5, 6-7, 19-4
default virtual sensor 6-2
described 6-2
displaying KB files 9-40
options 6-4, 19-4
stream segregation 6-3
VLAN groups
802.1q encapsulation 5-28
configuration restrictions 5-11
deleting 5-34
deploying 5-29
described 5-28
switches 5-29
vulnerable OSes field
described B-6
W
watch list rating
calculating risk rating 7-13
described 7-13
Web Server
changing settings 4-10
configuring settings 4-9
default port 4-9
described A-3, A-22
HTTP 1.0 and 1.1 support A-22
HTTP protocol 4-9
private keys A-21
public keys A-21
SDEE support A-22
Wireshark
copy packet-file command 12-6
IP logs 11-1
worms
Blaster 9-2
Code Red 9-2
described 9-2
histograms 9-37
Nimda 9-2
protocols 9-3
Sasser 9-2
scanners 9-3
Slammer 9-2
SQL Slammer 9-2
worm-timeout
command 9-10
specifying 9-10
Z
zones
external 9-4
illegal 9-4
internal 9-4