Index
Numerics
4GE bypass interface card
configuration restrictions 7-11
described 7-10
802.1q encapsulation for VLAN groups 7-15
A
AAA RADIUS
functionality 6-20
limitations 6-20
accessing IPS software 24-2
access lists
misconfiguration C-28
necessary hosts 5-4
account locking
configuring 6-27
security 6-27
account unlocking
configuring 6-26
ACLs
adding 5-4
described 15-3
Post-Block 15-17, 15-18
Pre-Block 15-17, 15-18
Active Host Blocks pane
field descriptions 19-6
user roles 19-6
ad0 pane
default 11-10
described 11-10
tabs 11-10
Add ACL Entry dialog box field descriptions 5-4
Add Active Host Block dialog box field descriptions 19-7
Add Allowed Host dialog box
field descriptions 6-5
user roles 6-5
Add Authorized Key dialog box
field descriptions 14-3
user roles 14-2
Add Blocking Device dialog box
field descriptions 15-15
user roles 15-14
Add Cat 6K Blocking Device Interface dialog box
field descriptions 15-23
user roles 15-22
Add Configured OS Map dialog box field descriptions 8-26, 12-27
Add Destination Port dialog box field descriptions 11-16, 11-23, 11-30
Add Device Login Profile dialog box
field descriptions 15-13
user roles 15-12
Add Event Action Filter dialog box
field descriptions 8-14, 12-16
user roles 8-13, 12-15
Add Event Action Override dialog box
field descriptions 8-11, 12-13
user roles 8-10, 12-13
Add Event Variable dialog box
field descriptions 8-29, 12-30
user roles 8-28, 12-29
Add External Product Interface dialog box
field descriptions 17-6
user roles 17-5
Add Filter dialog box field descriptions 3-19
Add Histogram dialog box field descriptions 11-17, 11-24, 11-30
adding
ACLs 5-4
a host never to be blocked 15-11
anomaly detection policies 11-9
CSA MC interfaces 17-7
denied attackers 19-5
event action filters 8-16, 12-18
event action overrides 12-14
event action rules policies 12-12
event variables 8-29, 12-31
external product interfaces 17-7
host blocks 19-7
IPv4 target value rating 8-19, 12-21
IPv6 target value rating 8-22, 12-23
network blocks 19-9
OS maps 8-26, 12-28
risk categories 8-32, 12-33
signature definition policies 9-3
signatures 9-13
signature variables 9-27
virtual sensors 5-13, 8-11
Add Inline VLAN Pair dialog box field descriptions 5-10, 7-22
Add Interface Pair dialog box field descriptions 7-20
Add IP Logging dialog box field descriptions 19-14
Add IPv4 Target Value Rating dialog box
field descriptions 8-19, 12-21
user roles 8-19, 12-20
Add IPv6 Target Value Rating dialog box
field descriptions 8-21, 12-22
user roles 8-21, 12-22
Add Known Host Key dialog box
field descriptions 14-5
user roles 14-5
Add Master Blocking Sensor dialog box
field descriptions 15-26
user roles 15-25
Add Network Block dialog box field descriptions 19-9
Add Never Block Address dialog box
field descriptions 15-11
user roles 15-7
Add Policy dialog box field descriptions 9-2, 11-9, 12-11
Add Posture ACL dialog box field descriptions 17-7
Add Protocol Number dialog box field descriptions 11-18, 11-25, 11-32
Add Rate Limit dialog box
field descriptions 19-11
user roles 19-10
Address Resolution Protocol. See ARP.
Add Risk Level dialog box field descriptions 8-32, 12-33
Add Router Blocking Device Interface dialog box
field descriptions 15-20
user roles 15-17
Add Signature dialog box field descriptions 9-8
Add Signature Variable dialog box
field descriptions 9-27
user roles 9-27
Add SNMP Trap Destination dialog box field descriptions 16-4
Add Trusted Host dialog box
field descriptions 14-10
user roles 14-9
Add User dialog box
field descriptions 6-23
user roles 6-17
Add Virtual Sensor dialog box
described 5-12, 8-9
field descriptions 5-12, 8-9
Add VLAN Group dialog box field descriptions 7-25
Advanced Alert Behavior Wizard
Alert Dynamic Response Fire All window field descriptions 10-29
Alert Dynamic Response Fire Once window field descriptions 10-30
Alert Dynamic Response Summary window field descriptions 10-30
Alert Summarization window field descriptions 10-29
Event Count and Interval window field descriptions 10-28
Global Summarization window field descriptions 10-31
AIC
policy 9-37
signatures (example) 9-38
AIC engine
AIC FTP B-11
AIC FTP engine parameters (table) B-13
AIC HTTP B-11
AIC HTTP engine parameters (table) B-12
described B-11
features B-11
signature categories 9-31
AIC policy enforcement
default configuration 9-31, B-11
described 9-31, B-11
sensor oversubscription 9-31, B-11
AIM IPS
initializing 23-13
installing system image 25-21
logging in 22-5
session command 22-5
sessioning 22-4, 22-5
setup command 23-13
AIP SSM
bypass mode 7-28
Deny Connection Inline 12-10, C-72
Deny Packet Inline 12-10, C-72
initializing 23-16
installing system image 25-25
logging in 22-6
Normalizer engine B-39, C-71
password recovery 18-6, C-10
recovering C-68
reimaging 25-24
Reset TCP Connection 12-10, C-72
resetting C-68
resetting the password 18-7, C-11
session command 22-6
setup command 23-16
TCP reset packets 12-10, C-72
time sources 6-8, C-17
Alarm Channel described 12-6, A-26
alert and log actions (list) 12-8
alert behavior
normal 10-28
Signature Wizard 10-28
alert frequency
aggregation 9-18
configuring 9-19
controlling 9-18
modes B-6
Allowed Hosts/Networks pane
configuring 6-5
field descriptions 6-5
alternate TCP reset interface 7-9
Analysis Engine
described 8-2
error messages C-25
IDM exits C-58
verify it is running C-21
virtual sensors 8-2
anomaly detection
asymmetric traffic 11-2, 11-35
caution 11-2, 11-35
configuration sequence 11-5
default configuration (example) 11-4
described 11-2
detect mode 11-4
disabling 11-36, C-20
event actions 11-6, B-66
inactive mode 11-4
learning accept mode 11-3
learning process 11-3
limiting false positives 11-13, 19-17
operation settings 11-11
protocols 11-3
signatures 11-6
signatures (table) 11-7, B-66
worms
attacks 11-12
described 11-3
zones 11-4
Anomaly Detection pane
button functions 19-17
described 19-16
field descriptions 19-17
user roles 19-16
anomaly detection policies
ad0 11-8
adding 11-9
cloning 11-9
default policy 11-8
deleting 11-9
Anomaly Detections pane
described 11-8
field descriptions 11-9
appliances
application partition image 25-11
GRUB menu 18-4, C-8
initializing 23-8
logging in 22-2
password recovery 18-4, C-8
terminal servers
described 22-3, 25-13
setting up 22-3, 25-13
time sources 6-7, C-16
UDLD protocol 7-23
upgrading recovery partition 25-5
Application Inspection and Control. See AIC.
application partition
described A-3
image recovery 25-11
application policy enforcement
described 9-31, B-11
disabled (default) 9-31, B-11
applications in XML format A-2
applying software updates C-54
ARC
ACLs 15-18, A-13
authentication A-14
blocking
application 15-2
connection-based A-16
not occurring for signature C-44
unconditional blocking A-16
block response A-13
Catalyst 6000 series switch
VACL commands A-18
VACLs A-18
Catalyst switches
VACLs A-15
VLANs A-15
checking status 15-3, 15-4
described A-3
design 15-2
device access issues C-41
enabling SSH C-43
features A-13
firewalls
AAA A-17
connection blocking A-17
NAT A-18
network blocking A-17
postblock ACL A-15
preblock ACL A-15
shun command A-17
TACACS+ A-18
formerly Network Access Controller 15-1, 15-3
functions 15-2
illustration A-12
inactive state C-39
interfaces A-13
maintaining states A-16
managed devices 15-8
master blocking sensors A-13
maximum blocks 15-2
misconfigured master blocking sensor C-45
nac.shun.txt file A-16
NAT addressing A-14
number of blocks A-14
postblock ACL A-15
preblock ACL A-15
prerequisites 15-5
rate limiting 15-4
responsibilities A-12
single point of control A-14
SSH A-13
supported devices 15-6, A-15
Telnet A-13
troubleshooting C-38
VACLs A-13
verifying device interfaces C-42
verifying status C-38
ARP
Layer 2 signatures B-13
protocol B-13
ARP spoof tools
dsniff B-13
ettercap B-13
ASA modules time sources C-17
ASDM resetting passwords 18-8, C-12
assigning actions to signatures 9-17
asymmetric traffic
anomaly detection 11-2, 11-35
caution 11-2, 11-35
disabling anomaly detection C-19
Atomic ARP engine
described B-13
parameters (table) B-13
Atomic IP Advanced engine
described B-14
restrictions B-15
Atomic IP engine
described 10-14, B-24
parameters (table) B-25
Atomic IPv6 engine
described B-28
signatures B-28
signatures (table) B-29
attack relevance rating
calculating risk rating 8-6, 12-3
described 8-6, 8-23, 12-3, 12-25
Attack Response Controller
described A-3
formerly known as Network Access Controller A-3
Attack Response Controller. See ARC.
attack severity rating
calculating risk rating 8-5, 12-3
described 8-5, 12-3
Attacks Over Time gadgets
configuring 3-13
described 3-13
attemptLimit command 6-27
audit mode
described 13-9
testing global correlation 13-9
authenticated NTP 6-7, 6-14, C-16
authentication
local 6-17
RADIUS 6-17
AuthenticationApp
authenticating users A-20
described A-3
login attempt limit A-20
method A-20
responsibilities A-20
secure communications A-21
sensor configuration A-20
Authentication pane
configuring 6-23
described 6-17
field descriptions 6-21
user roles 6-18
Authorized Keys pane
configuring 14-3
described 14-2
field descriptions 14-2
RSA authentication 14-2
RSA key generation tool 14-3
Auto/Cisco.com Update pane
button functions 18-20
configuring 18-21
described 18-19
field descriptions 18-20
UNIX-style directory listings 18-19
user roles 18-19
automatic setup 23-2
automatic updates
Cisco.com 18-19
servers
FTP 18-19
SCP 18-19
troubleshooting C-55
automatic upgrade
information required 25-6
autonegotiation for hardware bypass 7-11
auto-upgrade-option command 25-6
B
backing up
configuration C-3
current configuration C-4, C-5
BackOrifice. See BO.
BackOrifice 2000. See BO2K.
basic setup 23-4
blocking
described 15-2
disabling 15-8
master blocking sensor 15-25
necessary information 15-3
not occurring for signature C-44
prerequisites 15-5
supported devices 15-6
types 15-2
Blocking Devices pane
configuring 15-15
described 15-14
field descriptions 15-15
ssh host-key command 15-15
Blocking Properties pane
adding a host never to be blocked 15-11
configuring 15-10
described 15-7
field descriptions 15-8
BO
described B-68
Trojans B-68
BO2K
described B-68
Trojans B-68
Bug Toolkit
described C-1
URL C-1
bypass mode
AIP SSM 7-28
described 7-27
Bypass pane field descriptions 7-27
C
calculating risk rating
attack relevance rating 8-6, 12-3
attack severity rating 8-5, 12-3
promiscuous delta 8-6, 12-3
signature fidelity rating 8-5, 12-3
target value rating 8-5, 12-3
watch list rating 8-6, 12-4
cannot access sensor C-26
Cat 6K Blocking Device Interfaces pane
configuring 15-23
described 15-22
field descriptions 15-23
CDP mode
configuring 7-30
described 7-30
CDP Mode pane
configuring 7-30
field descriptions 7-30
certificates
displaying 14-11
generating 14-11
IDM 14-8
changing Microsoft IIS to UNIX-style directory listings 18-20
cidDump obtaining information C-95
CIDEE
defined A-34
example A-34
IPS extensions A-34
protocol A-34
supported IPS events A-34
cisco
default password 22-2
default username 22-2
Cisco.com
accessing software 24-2
downloading software 24-1
IPS software 24-1
software downloads 24-1
Cisco IOS software and rate limiting 15-4
Cisco Security Intelligence Operations
described 24-10
URL 24-10
Cisco Services for IPS
service contract 18-13
supported products 18-13
clear events command 6-12, 6-16, 19-4, C-18, C-95
Clear Flow States pane
described 19-27
field descriptions 19-28
clearing
events 6-16, 19-4, C-95
flow states 19-28
statistics C-80
clear password command 18-6, 18-10, C-10, C-13
CLI described A-3, A-29
client manifest described A-28
clock set command 6-16
Clone Event Action Rules dialog box field descriptions 12-11
Clone Policy dialog box field descriptions 9-2, 11-9
Clone Signature dialog box field descriptions 9-8
cloning
anomaly detection policies 11-9
event action rules policies 12-12
signature definition policies 9-3
signatures 9-15
CollaborationApp described A-3, A-27
color rules described 20-2
command and control interface
described 7-2
list 7-2
commands
attemptLimit 6-27
auto-upgrade-option 25-6
clear events 6-12, 6-16, 19-4, C-18, C-95
clear password 18-6, 18-10, C-10, C-13
clock set 6-16
copy backup-config C-3
copy current-config C-3
debug module-boot C-68
downgrade 25-10
erase license-key 18-16
hw-module module 1 reset C-68
hw-module module slot_number password-reset 18-6, C-10
session 22-5, 22-10
setup 6-1, 23-1, 23-4, 23-8, 23-13, 23-16, 23-20, 23-24
show events C-92
show health C-73
show settings 18-12, C-15
show statistics C-80
show statistics virtual-sensor C-25, C-80
show tech-support C-74
show version C-77
unlock user username 6-26
upgrade 25-3, 25-5
Compare Knowledge Bases dialog box field descriptions 19-20
comparing KBs 19-20, 19-21
component signatures
Meta engine B-34
risk rating B-34
configuration files
backing up C-3
merging C-3
configuration restrictions
alternate TCP reset interface 7-9
inline interface pairs 7-8
inline VLAN pairs 7-8
interfaces 7-8
physical interfaces 7-8
VLAN groups 7-9
Configured OS Map dialog box user roles 8-25, 12-24
Configure Summertime dialog box field descriptions 5-4, 6-10
configuring
account locking 6-27
account unlocking 6-26
AIC policy parameters 9-37
allowed hosts 6-5
allowed networks 6-5
application policy 9-38
Attacks Over Time gadgets 3-13
authorized keys 14-3
automatic upgrades 25-8
blocking devices 15-15
blocking properties 15-10
Cat 6K blocking device interfaces 15-23
CDP mode 7-30
CPU, Memory, & Load gadget 3-10
CSA MC IPS interfaces 17-4
device login profiles 15-13
event action filters 8-16, 12-18
events 19-3
event variables 8-29, 12-31
external zone 11-32
general settings 8-34, 12-36
Global Correlation Health gadget 3-8
Global Correlation Reports gadget 3-7
host blocks 19-7
illegal zone 11-25
inline VLAN pairs 5-11
inspection/reputation 13-10
interface pairs 7-20
interfaces 7-18
Interface Status gadget 3-6
internal zone 11-18
IP fragment reassembly signatures 9-41
IP logging 19-15
IPv4 target value rating 8-19, 12-21
IPv6 target value rating 8-22, 12-23
known host keys 14-6
learning accept mode 11-14
Licensing gadget 3-5
local authentication 6-23
maintenance partition
IDSM2 (Catalyst software) 25-30
IDSM2 (Cisco IOS software) 25-34
master blocking sensor 15-26
network blocks 19-9
network participation 13-11
Network Security gadget 3-9
network settings 6-3
NTP servers 6-13
operation settings 11-11
OS maps 8-26, 12-28
RADIUS authentication 6-24
rate limiting 19-11
rate limiting devices 15-15
risk categories 8-32, 12-33
router blocking device interfaces 15-20
RSS Feed gadgets 3-11
RSS feeds 4-2
Sensor Health gadget 3-5
Sensor Information gadget 3-3
Sensor Setup window 5-5
sensor to use NTP 6-14
SNMP 16-3
SNMP traps 16-4
TCP fragment reassembly parameters 9-48
time 6-10
Top Applications gadget 3-9
Top Attackers gadgets 3-11
Top Signatures gadgets 3-12
Top Victims gadgets 3-12
traffic flow notifications 7-29
trusted hosts 14-10
UDLD protocol 7-23
upgrades 25-4
users 6-23
VLAN groups 7-26
VLAN pairs 7-22
control transactions
characteristics A-8
request types A-8
copy backup-config command C-3
copy current-config command C-3
correcting time on the sensor 6-12, C-18
CPU, Memory, & Load gadget
configuring 3-10
described 3-10
creating
Atomic IP Advanced signature 9-25, 10-16
custom signatures
not using signature engines 10-4
Service HTTP 10-19
String TCP 10-24
using signature engines 10-2
IPv6 signatures 9-25, 10-16
Meta signatures 9-22
Post-Block VACLs 15-22
Pre-Block VACLs 15-22
service account C-6
cryptographic features (IME) 1-2
CSA MC
adding interfaces 17-7
configuring IPS interfaces 17-4
host posture events 17-1, 17-4
quarantined IP address events 17-1
supported IPS interfaces 17-4
CtlTransSource
described A-2, A-11
illustration A-11
current configuration back up C-3
current KB setting 19-22
custom signatures
described 9-5
IPv6 signature 9-25, 10-16
Meta signature 9-22
Custom Signature Wizard
Alert Response window field descriptions 10-28
Atomic IP Engine Parameters window field descriptions 10-15
ICMP Traffic Type window field descriptions 10-13
Inspect Data window field descriptions 10-13
MSRPC Engine Parameters window field descriptions 10-13
no signature engine sequence 10-4
Protocol Type window field descriptions 10-12
Service HTTP Engine Parameters window field descriptions 10-18
Service RPC Engine Parameters window field descriptions 10-21
Service Type window field descriptions 10-14
signature engine sequence 10-2
Signature Identification window field descriptions 10-12
State Engine Parameters window field descriptions 10-22
String ICMP Engine Parameters window field descriptions 10-23
String TCP Engine Parameters window field descriptions 10-23
String UDP Engine Parameters window field descriptions 10-26
Sweep Engine Parameters window field descriptions 10-27
TCP Sweep Type window field descriptions 10-14
TCP Traffic Type window field descriptions 10-14
UDP Sweep Type window field descriptions 10-14
UDP Traffic Type window field descriptions 10-13
Welcome window field descriptions 10-11
D
Dashboard pane gadgets 3-1
Data Archive pane
configuring 1-9
described 1-9
field descriptions 1-9
user roles 1-9
data archiving
configuring 1-9
data structures (examples) A-7
DDoS
protocols B-68
Stacheldraht B-68
TFN B-68
debug logging enable C-46
debug module-boot command C-68
default policies
ad0 11-8
rules0 12-12
sig0 9-2
defaults
KB filename 11-12
password 22-2
restoring 18-25
username 22-2
virtual sensor vs0 8-3
deleting
anomaly detection policies 11-9
event action filters 8-16, 12-18
event action overrides 12-14
event action rules policies 12-12
event variables 8-29, 12-31
imported OS values 19-27
IPv4 target value rating 8-19, 12-21
IPv6 target value rating 8-22, 12-23
KBs 19-23
learned OS values 19-26
OS maps 8-26, 12-28
risk categories 8-32, 12-33
signature definition policies 9-3
signature variables 9-27
virtual sensors 8-11
Demo mode (IME) 1-6
Denial of Service. See DoS.
denied attackers
adding 19-5
clearing list 19-5
hit count 19-4
resetting hit counts 19-5
Denied Attackers pane
described 19-4
field descriptions 19-5
user roles 19-4
using 19-5
deny actions (list) 12-8
Deny Packet Inline described 8-11, 12-10, B-9
detect mode (anomaly detection) 11-4
device access issues C-41
Device Details pane described 2-1
Device List pane
described 2-1
field descriptions 2-2
Device Login Profiles pane
configuring 15-13
described 15-12
field descriptions 15-12
devices
adding 2-4
deleting 2-4
editing 2-4
device tools
DNS lookup 2-6
ping 2-6
traceroute 2-6
whois 2-6
Diagnostics Report pane
button functions 19-30
described 19-30
user roles 19-30
using 19-30
diagnostics reports 19-30
Differences between knowledge bases KB_Name and KB_Name window field descriptions 19-20
disabling
anomaly detection 11-36, C-20
blocking 15-8
global correlation 13-12
interfaces 7-18
password recovery 18-10, C-14
disaster recovery C-6
displaying
events C-93
health status C-73
password recovery setting 18-12, C-15
statistics C-80
tech support information C-74
version C-77
Distributed Denial of Service. See DDoS.
DNS lookup device tool (IME) 1-3
DNS lookup device tools (IME) 2-6
DoS tools B-6
downgrade command 25-10
downgrading sensors 25-10
downloading
software 24-1
downloading KBs 19-24
Download Knowledge Base From Sensor dialog box
described 19-24
field descriptions 19-24
duplicate IP addresses C-29
E
Edit Actions dialog box field descriptions 9-9
Edit Allowed Host dialog box
field descriptions 6-5
user roles 6-5
Edit Authorized Key dialog box
field descriptions 14-3
user roles 14-2
Edit Blocking Device dialog box
field descriptions 15-15
user roles 15-14
Edit Cat 6K Blocking Device Interface dialog box
field descriptions 15-23
user roles 15-22
Edit Configured OS Map dialog box field descriptions 8-26, 12-27
Edit Destination Port dialog box field descriptions 11-16, 11-23, 11-30
Edit Device Login Profile dialog box
field descriptions 15-13
user roles 15-12
Edit Event Action Filter dialog box
field descriptions 8-14, 12-16
user roles 8-13, 12-15
Edit Event Action Override dialog box
field descriptions 8-11, 12-13
user roles 8-10, 12-13
Edit Event Variable dialog box
field descriptions 8-29, 12-30
user roles 8-28, 12-29
Edit External Product Interface dialog box
field descriptions 17-6
user roles 17-5
Edit Filter dialog box field descriptions 3-19
Edit Histogram dialog box field descriptions 11-17, 11-24, 11-30
editing
event action filters 8-16, 12-18
event action overrides 12-14
event variables 8-29, 12-31
interfaces 7-18
IPv4 target value rating 8-19, 12-21
IPv6 target value rating 8-22, 12-23
OS maps 8-26, 12-28
risk categories 8-32, 12-33
signatures 9-16
signature variables 9-27
virtual sensors 8-11
Edit Inline VLAN Pair dialog box field descriptions 5-10, 7-22
Edit Interface dialog box field descriptions 7-17
Edit Interface Pair dialog box field descriptions 7-20
Edit IP Logging dialog box field descriptions 19-14
Edit IPv4 Target Value Rating dialog box
field descriptions 8-19, 12-21
user roles 8-19, 12-20
Edit IPv6 Target Value Rating dialog box
field descriptions 8-21, 12-22
user roles 8-21, 12-22
Edit Known Host Key dialog box
field descriptions 14-5
user roles 14-5
Edit Master Blocking Sensor dialog box
field descriptions 15-26
user roles 15-25
Edit Never Block Address dialog box
field descriptions 15-11
user roles 15-7
Edit Posture ACL dialog box field descriptions 17-7
Edit Protocol Number dialog box field descriptions 11-18, 11-25, 11-32
Edit Risk Level dialog box field descriptions 8-32, 12-33
Edit Router Blocking Device Interface dialog box
field descriptions 15-20
user roles 15-17
Edit Signature dialog box field descriptions 9-8
Edit Signature Variable dialog box
field descriptions 9-27
user roles 9-27
Edit SNMP Trap Destination dialog box field descriptions 16-4
Edit User dialog box
field descriptions 6-23
user roles 6-17
Edit Virtual Sensor dialog box
field descriptions 8-9
user roles 8-9
Edit VLAN Group dialog box field descriptions 7-25
efficacy
described 13-4
measurements 13-4
email notification
configuring 1-11
enabling
debug logging C-46
event action filters 8-16, 12-18
event action overrides 12-14
interfaces 7-18
Encryption Software Export Distribution Authorization 24-2
engines
AIC B-11
Fixed B-30
Flood B-33
Master B-4
Meta 9-21, B-34
Multi String B-36
Normalizer B-38
Service DNS B-41
Service FTP B-42
Service Generic B-43
Service H225 B-44
Service HTTP 10-18, B-47
Service IDENT B-49
Service MSRPC 10-12, B-49
Service MSSQL B-51
Service NTP B-51
Service P2P B-52
Service RPC 10-21, B-52
Service SMB Advanced B-53
Service SNMP B-55
Service SSH B-56
Service TNS B-57
State 10-22, B-58
String 10-22, 10-23, 10-26, B-60
Sweep 10-26, B-63
Sweep Other TCP B-65
Traffic ICMP B-68
Trojan B-68
EPS
described 1-3
IME Home pane 1-3
erase license-key command 18-16
evAlert A-8
event action filters
adding 8-16, 12-18
configuring 8-16, 12-18
deleting 8-16, 12-18
described 8-13, 12-5
editing 8-16, 12-18
enabling 8-16, 12-18
Event Action Filters tab
button functions 12-16
configuring 8-16, 12-18
described 8-13, 12-15
field descriptions 8-14, 12-16
event action overrides
adding 12-14
deleting 12-14
described 8-4, 12-4
editing 12-14
enabling 12-14
risk rating range 8-4, 12-4
Event Action Overrides tab
described 12-13
field descriptions 12-13
event action rules
described 12-2
functions 12-2
Event Action Rules (rules0) pane described 12-12
Event Action Rules pane
described 12-11
field descriptions 12-11
user roles 12-11
event action rules policies
adding 12-12
cloning 12-12
deleting 12-12
event actions and threat rating 12-4
event connection status
displaying 2-5
starting 2-5
stopping 2-5
events
displaying C-93
host posture 17-2
quarantined IP address 17-2
Events pane
configuring 19-3
described 19-2
field descriptions 19-2
events per second. See EPS.
Event Store
clearing events 6-12, C-18
data structures A-7
described A-2
examples A-7
responsibilities A-7
timestamp A-7
event types C-91
event variables
adding 8-29, 12-31
configuring 8-29, 12-31
deleting 8-29, 12-31
described 8-28, 12-29
editing 8-29, 12-31
example 8-28, 12-30
Event Variables tab
configuring 8-29, 12-31
field descriptions 8-29, 12-30
Event Viewer
described 20-1
field descriptions 19-3
event views using 20-4
evError A-8
evLogTransaction A-8
evShunRqst A-8
evStatus A-8
example custom signatures
Atomic IP Advanced 9-25, 10-16
Meta 9-22
examples
ASA failover configuration C-70
email notifications 1-12
Meta engine signature 9-22
external product interfaces
adding 17-7
described 17-1
issues 17-3, C-22
troubleshooting 17-10, C-22
trusted hosts 17-5
External Product Interfaces pane
described 17-5
field descriptions 17-5
external zone
configuring 11-32
protocols 11-29
user roles 11-29
External Zone tab
described 11-29
tabs 11-29
user roles 11-29
F
fail-over testing 7-10
false positives described 9-5
files
IDSM2 password recovery 18-9, C-13
filtering described 20-2
filters configuring 3-16, 20-6
Filter tab field descriptions 20-3
Fixed engine described B-30
Fixed ICMP engine parameters (table) B-30
Fixed TCP engine parameters (table) B-31
Fixed UDP engine parameters (table) B-32
Flood engine described B-33
Flood Host engine parameters (table) B-33
Flood Net engine parameters (table) B-33
flow states clearing 19-28
FTP servers supported 18-19, 25-2
G
gadgets
Attacks Over Time 3-13
CPU, Memory, & Load 3-10
Dashboard pane 3-1
Global Correlation Health 3-7
Global Correlation Reports 3-6
IDM 3-1
IME 3-1
Interface Status 3-6
Licensing 3-5
Network Security 3-8
RSS Feed 3-11
Sensor Health 3-4
Sensor Information 3-3
Top Applications 3-9
Top Attackers 3-11
Top Signatures 3-12
Top Victims 3-12
General pane
configuring 1-13
described 1-13
field descriptions 1-13
user roles 1-13
general settings
configuring 8-34, 12-36
described 8-33, 12-34
General Settings tab
configuring 8-34, 12-36
described 8-33, 12-34
field descriptions 8-34
user roles 8-33, 12-34
General tab
described 11-15, 11-22
enabling zones 11-15, 11-22
field descriptions 12-35
generating diagnostics reports 19-30
global correlation
described 1-2, 13-1, 13-2, A-3
disabling 13-12
DNS server 13-6
error messages A-29
features 13-5
goals 13-5
health metrics 13-7
HTTP proxy server 13-6
IPv6 support 8-29, 13-7
license 6-3, 13-6, 13-9, 23-1, 23-5
Produce Alert 9-10, 12-8, B-7
requirements 13-6
troubleshooting 13-12, C-21
update client (illustration) 13-8
global correlation connection status
displaying 2-5
starting 2-5
stopping 2-5
Global Correlation Health gadget
configuring 3-8
described 3-7
Global Correlation Reports gadget
configuring 3-7
described 3-6
Global Variables pane field descriptions 18-18
grouping events described 20-2
GRUB menu password recovery 18-4, C-8
H
H.225.0 protocol B-44
H.323 protocol B-44
hardware bypass
autonegotiation 7-11
configuration restrictions 7-11
fail-over 7-10
IPS 4270-20 7-10
supported configurations 7-10
with software bypass 7-10
health connection status
displaying 2-5
starting 2-5
stopping 2-5
Host Blocks pane
configuring 19-7
described 19-6
host posture events
CSA MC 17-4
described 17-2
HTTP/HTTPS servers 18-19, 25-2
HTTP deobfuscation
ASCII normalization 10-18, B-47
described 10-18, B-47
hw-module module 1 reset command C-68
hw-module module slot_number password-reset command 18-6, C-10
I
IDAPI
communications A-3, A-32
described A-3
functions A-32
illustration A-32
responsibilities A-32
IDCONF
described A-33
example A-33
IDIOM messages A-33
XML A-33
IDIOM
defined A-32
messages A-32
IDM
Analysis Engine is busy C-58
certificates 14-8
gadgets 3-1
Signature Wizard supported signature engines 10-3
TLS 14-8
will not load C-57
IDSM2
command and control port C-65
configuring
maintenance partition (Catalyst software) 25-30
maintenance partition (Cisco IOS software) 25-34
initializing 23-20
installing
system image (Catalyst software) 25-27
system image (Cisco IOS software) 25-28, 25-29
logging in 22-8
password recovery 18-8, C-12
password recovery image file 18-9, C-13
reimaging 25-27
sessioning 22-8
setup command 23-20
supported configurations C-62
TCP reset port C-66
time sources 6-7, C-16
upgrading
maintenance partition (Catalyst software) 25-37
maintenance partition (Cisco IOS software) 25-38
illegal zones
configuring 11-25
user roles 11-22
Illegal Zone tab
described 11-22
user roles 11-22
IME
color rules 20-2
configuring
email notification 1-11
filters 3-16, 20-6
RSS feeds 4-2
views 3-16, 20-6
cryptographic features 1-2
Demo mode 1-6
described 1-1
devices
adding 2-4
deleting 2-4
editing 2-4
email notification example 1-12
EPS 1-3
event connection status
displaying 2-5
starting 2-5
stopping 2-5
Event Viewer 20-1
filtering 20-2
gadgets 3-1
global correlation connection status
displaying 2-5
starting 2-5
stopping 2-5
grouping events 20-2
health connection status
displaying 2-5
starting 2-5
stopping 2-5
installation notes and caveats 1-7
IPS versions 1-5
menu features 1-3
MySQL database 1-7
password requirements 1-7
reports
configuring 21-2
described 21-1
generating 21-2
types 21-1
supported platforms 1-4
system requirements 1-4
using event views 20-4
video help 1-3
working with
top attacker IP addresses 3-13
top signatures 3-15
top victim IP addresses 3-13
IME Home pane
described 1-3
EPS 1-3
features 1-3
IME time synchronization problems C-59
Imported OS pane
clearing 19-27
described 19-26
field descriptions 19-27
inactive mode (anomaly detection) 11-4
initializing
AIM IPS 23-13
AIP SSM 23-16
appliances 23-8
IDSM2 23-20
NME IPS 23-24
sensors 6-1, 23-1, 23-4
user roles 23-2
verifying 23-27
inline interface pair mode
configuration restrictions 7-8
described 7-13
illustration 7-13
Inline Interface Pair window
described 5-9
Startup Wizard 5-9
inline VLAN pair mode
configuration restrictions 7-8
configuring 5-11
described 7-14
illustration 7-14
supported sensors 7-14
UDLD protocol 7-23
Inline VLAN Pairs window
described 5-9
field descriptions 5-10
Startup Wizard 5-9
Inspection/Reputation pane
configuring 13-10
described 13-8
field descriptions 13-9
installing
sensor license 18-15
system image
AIM IPS 25-21
AIP SSM 25-25
IDSM2 (Catalyst software) 25-27
IDSM2 (Cisco IOS software) 25-28, 25-29
IPS 4240 25-14
IPS 4255 25-14
IPS 4260 25-17
IPS 4270-20 25-19
NME IPS 25-39
InterfaceApp
described A-19
interactions A-19
NIC drivers A-19
InterfaceApp described A-3
interface pairs
configuring 7-20
described 7-19
Interface Pairs pane
configuring 7-20
described 7-19
field descriptions 7-20
interfaces
alternate TCP reset 7-2
command and control 7-2
configuration restrictions 7-8
configuring 7-18
described 5-7, 7-1
disabling 7-18
editing 7-18
enabling 7-18
logical 5-7
physical 5-7
port numbers 7-1
sensing 7-2, 7-3
slot numbers 7-1
support (table) 7-4
TCP reset 7-6
VLAN groups 7-2
Interface Selection window
described 5-9
Startup Wizard 5-9
Interfaces pane
configuring 7-18
described 7-16
field descriptions 7-17
Interface Status gadget
configuring 3-6
described 3-6
Interface Summary window
described 5-7
internal zones
configuring 11-18
user roles 11-15
Internal Zone tab
described 11-15
user roles 11-15
IP fragmentation described B-38
IP fragment reassembly
configuring 9-41
described 9-39
example signature 9-41
mode 9-41
parameters (table) 9-39
signatures 9-41
signatures (table) 9-39
IP logging
described 9-49, 19-13
event actions 19-13
system performance 19-13
IP Logging pane
configuring 19-15
described 19-13
field descriptions 19-14
user roles 19-13
IP Logging Variables pane described 18-18
IP logs
circular buffer 19-13
states 19-13
TCPDUMP 19-13
viewing 19-15
Wireshark 19-13
IPS 4240
installing system image 25-14
password recovery 18-5, C-9
reimaging 25-14
IPS 4255
installing system image 25-14
password recovery 18-5, C-9
reimaging 25-14
IPS 4260
installing system image 25-17
reimaging 25-17
IPS 4270-20
hardware bypass 7-10
installing system image 25-19
reimaging 25-19
IPS appliances
Deny Connection Inline 12-10, C-72
Deny Packet Inline 12-10, C-72
Reset TCP Connection 12-10, C-72
TCP reset packets 12-10, C-72
IPS applications
summary A-35
table A-35
XML format A-2
IPS data
types A-8
XML document A-8
IPS events
evAlert A-8
evError A-8
evLogTransaction A-8
evShunRqst A-8
evStatus A-8
list A-8
types A-8
IPS internal communications A-32
IPS Manager Express described 1-1
IPS modules
time synchronization 6-8, C-17
unsupported features 5-1
IPS Policies pane
described 8-8
field descriptions 8-9
IPS software
application list A-2
available files 24-1
configuring device parameters A-4
directory structure A-34
Linux OS A-1
obtaining 24-1
platform-dependent release examples 24-6
retrieving data A-4
security features A-5
tuning signatures A-4
updating A-4
user interaction A-4
versioning scheme 24-3
IPS software file names
major updates (illustration) 24-4
minor updates (illustration) 24-4
patch releases (illustration) 24-4
service packs (illustration) 24-4
IPS versions supported (IME) 1-5
IPv4 target value rating
adding 8-19, 12-21
configuring 8-19
deleting 8-19, 12-21
editing 8-19, 12-21
IPv4 Target Value Rating tab
configuring 8-19, 12-21
field descriptions 8-19, 12-21
IPv6
described B-28
SPAN ports 7-12
switches 7-12
IPv6 target value rating
adding 8-22, 12-23
configuring 8-22, 12-23
deleting 8-22, 12-23
editing 8-22, 12-23
IPv6 Target Value Rating tab
configuring 8-22, 12-23
field descriptions 8-21, 12-22
K
KBs
comparing 19-21
default filename 11-12
deleting 19-23
described 11-3
downloading 19-24
histogram 11-12, 19-16
initial baseline 11-3
learning accept mode 11-12
loading 19-22
monitoring 19-19
renaming 19-23
saving 19-22
scanner threshold 11-12, 19-16
tree structure 11-12, 19-16
uploading 19-25
Knowledge Base. See KB.
Known Host Keys pane
configuring 14-6
described 14-5
field descriptions 14-5
L
Learned OS pane
clearing 19-26
described 19-26
field descriptions 19-26
learned OS values
clearing 19-26
deleting 19-26
learning accept mode
anomaly detection 11-3
configuring 11-14
user roles 11-12
Learning Accept Mode tab
described 11-12
field descriptions 11-13, 11-14
user roles 11-12
license files
BSD license D-3
expat license D-12
GNU Lesser license D-33
GNU license D-28
license key
uninstalling 18-16
license key trial 18-13
licensing
described 18-13
IPS device serial number 18-13
Licensing gadget
configuring 3-5
described 3-5
Licensing pane
configuring 18-15
described 18-13
field descriptions 18-14
user roles 18-12
limitations for concurrent CLI sessions 22-1, A-29
listings UNIX-style 18-19
loading KBs 19-22
local authentication configuring 6-23
Logger
described A-3, A-19
functions A-19
syslog messages A-19
logging in
AIM IPS 22-5
AIP SSM 22-6
appliances 22-2
IDSM2 22-8
NME IPS 22-10
sensors
SSH 22-11
Telnet 22-11
service role 22-2
terminal servers 22-3, 25-13
user role 22-1
LOKI
described B-68
protocol B-68
loose connections on sensors C-23
M
MainApp
components A-5
described A-2, A-5
host statistics A-6
responsibilities A-6
show version command A-6
maintenance partition
configuring
IDSM2 (Catalyst software) 25-30
IDSM2 (Cisco IOS software) 25-34
maintenance partition described A-3
major updates described 24-3
Manage Filter Rules dialog box field descriptions 3-18
managing rate limiting 19-11
manifests
client A-28
server A-28
manual block to bogus host C-43
master blocking sensor
described 15-25
not set up properly C-45
Master Blocking Sensor pane
configuring 15-26
described 15-25
field descriptions 15-26
Master engine
alert frequency B-6
alert frequency parameters (table) B-6
described B-3
event actions B-7
general parameters (table) B-4
universal parameters B-4, B-6
master engine parameters
obsoletes B-6
promiscuous delta B-5
vulnerable OSes B-6
merging configuration files C-3
Meta engine
component signatures B-34
described 9-21, B-34
parameters (table) B-35
Signature Event Action Processor 9-22, B-34
Meta Event Generator described 8-33, 12-34
Meta signature
component signatures B-34
MIBs supported 16-6, C-19
minor updates described 24-3
Miscellaneous tab
button functions 9-30
configuring
application policy 9-37
IP fragment reassembly mode 9-41
IP logging 9-49
TCP stream reassembly mode 9-47
described 9-29
field descriptions 9-30
user roles 9-29
modes
anomaly detection detect 11-4
anomaly detection inactive 11-4
anomaly detection learning accept 11-3
bypass 7-27
inline interface pair 7-13
inline VLAN pair 7-14
promiscuous 7-11, 7-12
VLAN Groups 7-14
modify packets inline modes 8-4
monitoring
events 19-3
KBs 19-19
moving OS maps 8-26, 12-28
Multi String engine
described B-36
parameters (table) B-37
Regex B-36
MySDN described 9-5
MySQL database
coexisting with IME 1-7
installing IME 1-7
N
NAS-ID
described 6-24
RADIUS authentication 6-24
Neighborhood Discovery
Atomic IPv6 engine B-28
options B-29
types B-29
Network Blocks pane
configuring 19-9
described 19-9
field descriptions 19-9
user roles 19-8
Network pane
configuring 6-3
field descriptions 6-2
TLS/SSL 6-4
user roles 6-2
network participation
data gathered 13-3
data use (table) 1-2, 13-2
described 13-3
health metrics 13-7
modes 13-4
requirements 13-4
statistics 13-4
Network Participation pane
configuring 13-11
described 13-10
field descriptions 13-11
Network Security gadget
configuring 3-9
described 3-8
network security health data resetting 19-29
never block
hosts 15-8
networks 15-8
NME IPS
initializing 23-24
installing system image 25-39
logging in 22-10
reimaging 25-39
session command 22-10
sessioning 22-9, 22-10
setup command 23-24
Normalizer engine
described B-38
parameters (table) B-40
Normalizer mode described 8-4
NotificationApp
alert information A-9
described A-3
functions A-9
SNMP gets A-9
SNMP traps A-9
statistics A-10
system health information A-10
Notification pane
configuring 1-11
field descriptions 1-10
user roles 1-10
NTP
authenticated 6-7, 6-14, C-16
configuring servers 6-13
described 6-7, C-16
incorrect configuration 6-8, C-17
sensor time source 6-13, 6-14
time synchronization 6-7, C-16
unauthenticated 6-7, 6-14, C-16
verifying configuration 6-9
O
obsoletes field described B-6
one-way TCP reset described 8-33, 12-35
Operation Settings tab
described 11-10
field descriptions 11-11
OS Identifications tab
described 8-25, 12-24
field descriptions 8-25, 12-27
OS maps
adding 8-26, 12-28
configuring 8-26, 12-28
deleting 8-26, 12-28
editing 8-26, 12-28
moving 8-26, 12-28
other actions (list) 12-9
Other Protocols tab
described 11-17, 11-24, 11-25, 11-31
enabling other protocols 11-17
external zone 11-31
field descriptions 11-18, 11-31
illegal zone 11-24, 11-25
P
P2P networks described B-52
partitions
application A-3
maintenance A-3
recovery A-3
passive OS fingerprinting
components 8-23, 12-25
configuring 8-24, 12-26
described 8-23, 12-25
password policy caution 18-2, 18-3
password recovery
AIP SSM 18-6, C-10
appliances 18-4, C-8
CLI 18-11, C-14
described 18-3, C-8
disabling 18-10, C-14
GRUB menu 18-4, C-8
IDSM2 18-8, C-12
IPS 4240 18-5, C-9
IPS 4255 18-5, C-9
platforms 18-3, C-8
ROMMON 18-5, C-9
troubleshooting 18-11, C-15
verifying 18-12, C-15
password requirements configuring 18-2
Passwords pane
described 18-1
field descriptions 18-2
patch releases described 24-3
peacetime learning (anomaly detection) 11-3
Peer-to-Peer. See P2P.
physical connectivity issues C-32
physical interfaces configuration restrictions 7-8
ping device tool (IME) 1-3
ping IME device tools 2-6
platforms and concurrent CLI sessions 22-1, A-29
Post-Block ACLs 15-17, 15-18
Pre-Block ACLs 15-17, 15-18
prerequisites for blocking 15-5
promiscuous delta
calculating risk rating 8-6, 12-3
described 8-6, 12-3
promiscuous delta described B-5
promiscuous mode
atomic attacks 7-12
described 7-11, 7-12
illustration 7-12
packet flow 7-11, 7-12
SPAN ports 7-12
VACL capture 7-12
protocols
ARP B-13
CDP 7-30
CIDEE A-34
DCE 10-13, B-49
DDoS B-68
H.323 B-44
H225.0 B-44
ICMPv6 B-14
IDAPI A-32
IDCONF A-33
IDIOM A-32
IPv6 B-28
LOKI B-68
MSSQL B-51
Neighborhood Discovery B-29
Q.931 B-45
RPC 10-13, B-49
SDEE A-33
Signature Wizard 10-12
UDLD 7-23
Q
Q.931 protocol
described B-45
SETUP messages B-45
quarantined IP address events described 17-2
R
RADIUS authentication
configuring 6-24
described 6-17
NAS-ID 6-24
service account 6-20
shared secret 6-25
rate limiting
ACLs 15-5
configuring 19-11
described 15-4
managing 19-11
percentages 19-10
routers 15-4
service policies 15-5
supported signatures 15-4
Rate Limits pane
described 19-10
field descriptions 19-11
rebooting the sensor 18-26
Reboot Sensor pane
configuring 18-26
described 18-26
user roles 18-26
receiving RSS feeds 4-1
recover command 25-10
recovering
AIP SSM C-68
application partition image 25-11
recovery partition
described A-3
upgrading 25-5
Regular Expression. See Regex.
regular expression syntax signatures B-9
reimaging
AIP SSM 25-24
appliances 25-10
described 25-1
IDSM2 25-27
IPS 4240 25-14
IPS 4255 25-14
IPS 4260 25-17
IPS 4270-20 25-19
NME IPS 25-39
sensors 24-8, 25-1
removing
last applied
service pack 25-10
signature update 25-10
Rename Knowledge Base dialog box field descriptions 19-23
renaming KBs 19-23
reports
configuring 21-2
described 21-1
generating 21-2
report types
Attacks Over Time 21-1
Top Attackers 21-1
Top Signatures 21-1
Top Victim 21-1
reputation
described 13-2
illustration 13-3
servers 13-3
requirements
IME passwords 1-7
Reset Network Security Health pane
described 19-29
field descriptions 19-29
user roles 19-29
reset not occurring for a signature C-52
resetting
AIP SSM C-68
network security health data 19-29
passwords
ASDM 18-8, C-12
hw-module command 18-6, C-10
resetting the password
AIP SSM 18-7, C-11
Restore Default Interface dialog box field descriptions 5-8
Restore Defaults pane
configuring 18-25
described 18-25
user roles 18-25
restoring
current configuration C-5
defaults 18-25
restoring the current configuration C-4, C-5
risk categories
adding 8-32, 12-33
configuring 8-32, 12-33
deleting 8-32, 12-33
editing 8-32, 12-33
Risk Category tab
configuring 8-32, 12-33
described 8-31, 12-32
field descriptions 8-31, 12-33
risk rating
Alarm Channel 13-5
calculating 8-5, 12-2
component signatures B-34
described 8-23, 12-25
reputation score 13-4
ROMMON
described 25-12
IPS 4240 25-14
IPS 4255 25-14
IPS 4260 25-17
IPS 4270-20 25-17, 25-19
password recovery 18-5, C-9
remote sensors 25-12
serial console port 25-12
TFTP 25-12
round-trip time. See RTT.
Router Blocking Device Interfaces pane
configuring 15-20
described 15-17
field descriptions 15-19
RPC portmapper 10-21, B-52
RSS Feed gadgets
configuring 3-11
described 3-11
RSS feeds
channels 4-1
configuring 4-2
described 4-1
formats 4-1
receiving 4-1
RTT
described 25-13
TFTP limitation 25-13
S
Save Knowledge Base dialog box
described 19-22
field descriptions 19-22
saving KBs 19-22
scheduling automatic upgrades 25-8
SDEE
described A-33
HTTP A-33
protocol A-33
server requests A-33
security
account locking 6-27
information on Cisco Security Intelligence Operations 24-10
MySDN 9-5
security policies described 8-1, 9-1, 11-1, 12-1
security SSH 14-1
sensing interfaces
described 7-3
interface cards 7-3
modes 7-3
SensorApp
Alarm Channel A-24
Analysis Engine A-24
anomaly detection A-25
described A-3
event action filtering A-25
inline packet processing A-24
IP normalization A-24
packet flow A-25
process not running C-30
processors A-22
responsibilities A-22
Signature Event Action Processor A-23, A-25
TCP normalization A-24
SensorBase Network
described 1-2, 13-1, A-3
participation 1-2, 13-2
servers 1-2
Sensor Health gadget
configuring 3-5
described 3-4
metrics 3-4
status 3-4
Sensor Health pane
described 18-17
field descriptions 18-17
Sensor Information gadget
configuring 3-3
described 3-3
Sensor Key pane
button functions 14-7
described 14-7
field descriptions 14-7
sensor SSH key
displaying 14-7
generating 14-7
user roles 14-7
sensors
access problems C-26
asymmetric traffic and disabling anomaly detection C-19
blocking themselves 15-8
configuring to use NTP 6-14
corrupted SensorApp configuration C-37
diagnostics reports 19-30
disaster recovery C-6
downgrading 25-10
incorrect NTP configuration 6-8, C-17
initializing 6-1, 23-1, 23-4
interface support 7-4
IP address conflicts C-29
license 18-15
logging in
SSH 22-11
Telnet 22-11
loose connections C-23
misconfigured access lists C-28
no alerts C-33, C-59
not seeing packets C-35
NTP time source 6-14
NTP time synchronization 6-7, C-16
partitions A-3
physical connectivity C-32
preventive maintenance C-2
rebooting 18-26
recovering the system image 24-8
reimaging 24-8, 25-1
restoring defaults 18-25
sensing process not running C-30
setting up 6-1
setup command 6-1, 23-1, 23-4, 23-8
shutting down 18-26
statistics 19-31
system images 24-8
system information 19-32
time sources 6-7, C-16
troubleshooting software upgrades C-56
updating 18-21, 18-24
upgrading 25-4
using NTP time source 6-13
Sensor Setup window
described 5-2
Startup Wizard 5-2
Server Certificate pane
button functions 14-11
certificate
displaying 14-11
generating 14-11
described 14-11
field descriptions 14-11
user roles 14-11
server manifest described A-28
service account
creating C-6
described 6-19, A-31, C-5
RADIUS authentication 6-20
TAC A-31
troubleshooting A-31
Service DNS engine
described B-41
parameters (table) B-41
Service engine
described B-41
Layer 5 traffic B-41
Service FTP engine
described B-42
parameters (table) B-43
PASV port spoof B-42
Service Generic engine
described B-43
parameters (table) B-44
Service H225 engine
ASN.1 PER validation B-45
described B-44
features B-45
parameters (table) B-46
TPKT validation B-45
Service HTTP engine
custom signature 10-19
described 10-18, B-47
example signature 10-19
parameters (table) B-47
Service IDENT engine
described B-49
parameters (table) B-49
service-module ids-sensor slot/port session command 22-4, 22-9
Service MSRPC engine
DCE/RPC protocol 10-13, B-49
described 10-12, B-49
parameters (table) B-50
Service MSSQL engine
described B-51
MSSQL protocol B-51
parameters (table) B-51
Service NTP engine
described B-51
parameters (table) B-51
Service P2P engine described B-52
service packs described 24-3
service role 6-19, 22-2, A-30
Service RPC engine
described 10-21, B-52
parameters (table) 10-21, B-52
RPC portmapper 10-21, B-52
Service SMB Advanced engine
described B-53
parameters (table) B-54
Service SNMP engine
described B-55
parameters (table) B-56
Service SSH engine
described B-56
parameters (table) B-56
Service TNS engine
described B-57
parameters (table) B-57
session command
AIM IPS 22-5
AIP SSM 22-6
IDSM2 22-8
NME IPS 22-10
sessioning
AIM IPS 22-5
AIP SSM 22-6
IDSM2 22-8
NME IPS 22-10
setting
current KB 19-22
system clock 6-16
setting up
sensors 6-1
terminal servers 22-3, 25-13
setup
automatic 23-2
command 6-1, 23-1, 23-4, 23-8, 23-13, 23-16, 23-20, 23-24
simplified mode 23-2
shared secret
described 6-25
RADIUS authentication 6-25
show events command C-91, C-92
show health command C-73
show interfaces command C-90
show settings command 18-12, C-15
show statistics command C-79, C-80
show statistics virtual-sensor command C-25, C-80
show tech-support command C-74
show version command C-77
Shut Down Sensor pane
configuring 18-26
described 18-26
user roles 18-26
shutting down the sensor 18-26
sig0 pane
default 9-4
described 9-4
signatures
assigning actions 9-17
cloning 9-14
tuning 9-16
tabs 9-4
sig0 pane field descriptions 9-7
signature/virus update files described 24-4
signature definition policies
adding 9-3
cloning 9-3
default policy 9-2
deleting 9-3
sig0 9-2
Signature Definitions pane
described 9-2
field descriptions 9-2
signature engines
AIC B-11
Atomic B-13
Atomic ARP B-13
Atomic IP 10-14, B-24
Atomic IP Advanced B-14
Atomic IPv6 B-28
creating custom signatures 10-2
described B-1
event actions B-7
Fixed B-30
Flood B-33
Flood Host B-33
Flood Net B-33
list B-2
Master B-4
Meta 9-21, B-34
Multi String B-36
Normalizer B-38
Regex
patterns B-10
syntax B-9
Service B-41
Service DNS B-41
Service FTP B-42
Service Generic B-43
Service H225 B-44
Service HTTP 10-18, B-47
Service IDENT B-49
Service MSRPC 10-12, B-49
Service MSSQL B-51
Service NTP engine B-51
Service P2P B-52
Service RPC 10-21, B-52
Service SMB Advanced B-53
Service SNMP B-55
Service SSH engine B-56
Service TNS B-57
State 10-22, B-58
String 10-22, 10-23, 10-26, B-60
supported by IDM 10-3
Sweep Other TCP B-65
Traffic Anomaly B-66
Traffic ICMP B-68
Trojan B-68
signature engine update files described 24-4
Signature Event Action Filter
described 12-6, A-26
parameters 12-6, A-26
Signature Event Action Handler described 12-6, A-26
Signature Event Action Override described 12-6, A-26
Signature Event Action Processor
Alarm Channel 12-6, A-26
components 12-6, A-26
described 12-6, A-23, A-25, A-26
signature fidelity rating
calculating risk rating 8-5, 12-3
described 8-5, 12-3
signatures
adding 9-13
alert frequency 9-19
assigning actions 9-17
cloning 9-15
custom 9-5
default 9-5
described 9-4
editing 9-16
false positives 9-5
rate limits 15-4
subsignatures 9-5
tuned 9-5
tuning 9-16
signatures and TCP reset C-52
signature updates installation time 18-20
signature variables
adding 9-27
deleting 9-27
described 9-27
editing 9-27
Signature Variables tab
configuring 9-27
field descriptions 9-27
Signature Wizard
alert behavior 10-28
described 10-1
protocols 10-12
signature identification 10-12
supported signature engines 10-3
using 10-5
SNMP
configuring 16-3
described 16-1
Get 16-1
GetNext 16-1
Set 16-1
supported MIBs 16-6, C-19
Trap 16-1
SNMP General Configuration pane
configuring 16-3
described 16-2
field descriptions 16-2
user roles 16-2
SNMP traps
configuring 16-4
described 16-1
SNMP Traps Configuration pane
button functions 16-4
described 16-4
field descriptions 16-4
software architecture
ARC (illustration) A-12
IDAPI (illustration) A-32
software bypass
supported configurations 7-10
with hardware bypass 7-10
software downloads Cisco.com 24-1
software file names
recovery (illustration) 24-5
signature/virus updates (illustration) 24-4
signature engine updates (illustration) 24-5
system image (illustration) 24-5
software release examples
platform-dependent 24-6
platform identifiers 24-7
platform-independent 24-6
software updates
supported FTP servers 18-19, 25-2
supported HTTP/HTTPS servers 18-19, 25-2
SPAN port issues C-32
SSH
described 14-1
security 14-1
SSH Server
private keys A-21
public keys A-21
standards for CIDEE A-34
Startup Wizard
access lists 5-4
adding virtual sensors 5-13
Add Virtual Sensor dialog box 5-12
AIP SSM 5-2
described 5-1
Inline Interface Pair window
described 5-9
field descriptions 5-9
Inline VLAN Pairs window configuring 5-11
Interface Selection window 5-9
Interface Summary window 5-7
Sensor Setup window 5-2
configuring 5-5
field descriptions 5-2
Traffic Inspection Mode window 5-8
Virtual Sensors window
described 5-12
field descriptions 5-12
VLAN groups unsupported 5-1, 5-8
State engine
Cisco Login 10-22, B-58
described 10-22, B-58
LPR Format String 10-22, B-58
parameters (table) B-59
SMTP 10-22, B-58
Statistics pane
button functions 19-31, 19-32
categories 19-31
described 19-31
using 19-31
statistics viewing 19-31
String engine described 10-22, 10-23, 10-26, B-60
String ICMP engine parameters (table) B-61
String TCP engine
custom signature 10-24
example signature 10-24
parameters (table) B-61
String UDP engine parameters (table) B-62
subinterface 0 described 7-15
subsignatures described 9-5
summarization
described 8-7, 12-5
Fire All 8-7, 12-5
Fire Once 8-7, 12-6
Global Summarization 8-7, 12-6
Meta engine 8-7, 12-5
Summary 8-7, 12-5
Summarizer described 8-33, 12-34
Summary pane
button functions 7-16
described 7-15
field descriptions 5-8, 7-16
supported
FTP servers 18-19, 25-2
HTTP/HTTPS servers 18-19, 25-2
IDSM2 configurations C-62
IPS interfaces for CSA MC 17-4
platforms for IME 1-4
Sweep engine
described 10-26, B-63
parameters (table) B-64, B-65
Sweep Other TCP engine described B-65
switch commands for troubleshooting C-62
system architecture
directory structure A-34
supported platforms A-1
system clock setting 6-16
System Configuration Dialog
described 23-2
example 23-2
system design (illustration) A-2
system image
installing
AIM IPS 25-21
AIP SSC-5 25-25
AIP SSM 25-25
IDSM2 (Catalyst software) 25-27
IDSM2 (Cisco IOS software) 25-28
IPS 4240 25-14
IPS 4255 25-14
IPS 4260 25-17
IPS 4270-20 25-19
NME IPS 25-39
sensors 24-8
System Information pane
described 19-31
using 19-32
system information viewing 19-32
system requirements for IME 1-4
T
TAC
service account 6-19, A-31, C-5
show tech-support command C-74
target value rating
calculating risk rating 8-5, 12-3
described 8-5, 8-19, 8-21, 12-3, 12-20, 12-22
TCP fragmentation described B-38
TCP Protocol tab
described 11-16, 11-23, 11-29
enabling TCP 11-16
external zone 11-29
field descriptions 11-16
illegal zone 11-23
TCP reset
not occurring C-52
TCP reset interfaces
conditions 7-7
described 7-6
list 7-7
TCP resets
IDSM2 port C-66
TCP stream reassembly
described 9-42
mode 9-47
parameters (table) 9-43
signatures (table) 9-43
terminal server setup 22-3, 25-13
testing fail-over 7-10
TFN2K
described B-68
Trojans B-68
TFTP servers
maximum file size limitation 25-13
RTT 25-12
threat rating
described 8-6, 12-4
risk rating 12-4
Thresholds for KB Name window
described 19-18
field descriptions 19-19
filtering information 19-18
time
correction on the sensor 6-12, C-18
sensors 6-7, C-16
synchronization for IPS modules 6-8, C-17
Time pane
configuring 6-10
described 6-7
field definitions 6-9, 6-10
user roles 6-7
time sources
AIP SSM 6-8, C-17
appliances 6-7, C-16
ASA modules C-17
IDSM2 6-7, C-16
TLS
described 6-4
handshaking 14-8
IDM 14-8
Top Applications gadget
configuring 3-9
described 3-9
Top Attackers gadgets
configuring 3-11
described 3-11
Top Signatures gadgets
configuring 3-12
described 3-12
Top Victims gadgets
configuring 3-12
described 3-12
traceroute device tool (IME) 1-3
traceroute IME device tools 2-6
Traffic Anomaly engine
described B-66
protocols B-66
signatures B-66
traffic flow notifications
configuring 7-29
described 7-29
Traffic Flow Notifications pane
configuring 7-29
field descriptions 7-29
Traffic ICMP engine
DDoS B-68
described B-68
LOKI B-68
parameters (table) B-68
TFN2K B-68
Traffic Inspection Mode window described 5-8
Traps Configuration pane configuring 16-4
trial license key 18-13
Tribe Flood Network. See TFN.
Tribe Flood Network 2000. See TFN2K.
Trojan engine
BO2K B-68
described B-68
TFN2K B-68
Trojans
BO B-68
BO2K B-68
LOKI B-68
TFN2K B-68
troubleshooting C-1
AIP SSM
debugging C-68
recovering C-68
reset C-68
Analysis Engine busy C-58
applying software updates C-54
ARC
blocking not occurring for signature C-44
device access issues C-41
enabling SSH C-43
inactive state C-39
misconfigured master blocking sensor C-45
verifying device interfaces C-42
ASA 5500 AIP SSM
failover scenarios C-69
automatic updates C-55
cannot access sensor C-26
cidDump C-95
cidLog messages to syslog C-51
communication C-26
corrupted SensorApp configuration C-37
debug logger zone names (table) C-50
debug logging C-46
disaster recovery C-6
duplicate sensor IP addresses C-29
enabling debug logging C-46
external product interfaces 17-10, C-22
gathering information C-73
global correlation 13-12, C-21
IDM
cannot access sensor C-58
will not load C-57
IDSM2
command and control port C-65
diagnosing problems C-60
not online C-64
serial cable C-67
status indicator C-63
switch commands C-62
IME time synchronization C-59
IPS modules time drift 6-8, C-17
manual block to bogus host C-43
misconfigured access list C-28
no alerts C-33, C-59
NTP C-52
password recovery 18-11, C-15
physical connectivity issues C-32
preventive maintenance C-2
reset not occurring for a signature C-52
sensing process not running C-30
sensor events C-91
sensor loose connections C-23
sensor not seeing packets C-35
sensor software upgrade C-56
service account 6-19, C-5
show events command C-91
show interfaces command C-90
show statistics command C-79
show tech-support command C-74, C-75
show version command C-77
software upgrades C-53
SPAN port issue C-32
upgrading C-54
verifying Analysis Engine is running C-21
verifying ARC status C-38
Trusted Hosts pane
configuring 14-10
described 14-9
field descriptions 14-9
tuned signatures described 9-5
tuning
AIC signatures 9-38
IP fragment reassembly signatures 9-41
signatures 9-16
U
UDLD described 7-23
UDP Protocol tab
described 11-17, 11-24, 11-31
enabling UDP 11-17
external zone 11-31
field descriptions 11-31
illegal zone 11-24
unassigned VLAN groups described 7-15
unauthenticated NTP 6-7, 6-14, C-16
UniDirectional Link Detection. See UDLD.
uninstalling
license key 18-16
UNIX-style directory listings 18-19
unlocking accounts 6-26
unlock user username command 6-26
updater client described A-28
Update Sensor pane
configuring 18-24
described 18-23
field descriptions 18-23
user roles 18-23
updating
Cisco.com 18-23
FTP server 18-23
sensors 18-24
upgrade command 25-3, 25-5
upgrading
latest version C-54
maintenance partition
IDSM2 (Catalyst software) 25-37
IDSM2 (Cisco IOS software) 25-38
minimum required version 24-7
recovery partition 25-5, 25-10
sensors 25-4
to 6.2 24-7
to 7.0 24-7
uploading KBs
FTP 19-24
SCP 19-24
Upload Knowledge Base to Sensor dialog box
described 19-24
field descriptions 19-24
URLs for Cisco Security Intelligence Operations 24-10
user roles authentication 6-17
users
configuring 6-23
Users pane
configuring 6-23
user roles A-30
using
debug logging C-46
TCP reset interfaces 7-7
V
VACLs
described 15-3
Post-Block 15-22
Pre-Block 15-22
verifying
NTP configuration 6-9
password recovery 18-12, C-15
sensor initialization 23-27
sensor setup 23-27
video help described 1-3
viewing
IP logs 19-15
statistics 19-31
system information 19-32
virtual sensors
adding 5-13, 8-11
default virtual sensor 8-3, 8-8
deleting 8-11
described 8-2, 8-8
editing 8-11
stream segregation 8-4
Virtual Sensors window described 5-12
VLAN groups
802.1q encapsulation 7-15
configuration restrictions 7-9
configuring 7-26
deploying 7-24
described 7-14
switches 7-24
VLAN Groups pane
configuring 7-26
described 7-24
field descriptions 7-25
VLAN IDs 7-24
VLAN Pairs pane
configuring 7-22
described 7-21
field descriptions 7-21
vulnerable OSes field
described B-6
W
watch list rating
calculating risk rating 8-6, 12-4
described 8-6, 12-4
Web Server
described A-3, A-22
HTTP 1.0 and 1.1 support A-22
private keys A-21
public keys A-21
SDEE support A-22
whois device tool (IME) 1-3
whois IME device tools 2-6
worms
Blaster 11-2
Code Red 11-2
histograms 11-12
Nimda 11-2
protocols 11-3
Sasser 11-2
scanners 11-3
Slammer 11-2
SQL Slammer 11-2
Z
zones
external 11-4
illegal 11-4
internal 11-4