Index
Numerics
802.1q encapsulation for VLAN groups
5-27
A
AAA authentication
configuring
4-23
AAA RADIUS
functionality
4-30
limitations
4-30
accessing
IPS software
20-2
service account
4-28, C-5
access-list command
4-6
access list misconfiguration
C-26
access lists
changing
4-7
configuring
4-7
account locking
configuring
4-34
security
4-34
account unlocking configuring
4-35
ACLs
described
14-3
Post-Block
14-22, 14-23
Pre-Block
14-22, 14-23
adding
denied attackers
8-36
event action overrides
8-18
external product interfaces
11-5
global parameters
6-12
hosts to the SSH known hosts list
4-47, 4-48
login banners
4-9
signature variables
7-10
target value ratings
8-16
trusted hosts
4-53, 4-55
users
4-18, 4-19, 4-31, 4-32
virtual sensors
6-6, 6-9
virtual sensors (ASA 5500-X IPS SSP)
18-5
virtual sensors (ASA 5585-X IPS SSP)
19-5
Address Resolution Protocol. See ARP.
administrative tasks notes and caveats
17-2
administrator role privileges
1-3
aggregation
alert frequency
8-34
operating modes
8-34
AIC engine
AIC FTP
B-11
AIC FTP engine parameters (table)
B-13
AIC HTTP
B-11
AIC HTTP engine parameters (table)
B-12
described
B-11
features
B-11
signature categories
7-23
AIC policy enforcement
default configuration
7-23, B-11
described
7-23, B-11
sensor oversubscription
7-23, B-11
Alarm Channel
described
8-3, A-26
risk rating
10-6
alert and log actions (list)
8-5
alert-frequency command
7-12
alert frequency modes
B-7
alert-severity command
7-14
alert severity configuring
7-14
allocate-ips command
18-4, 19-4
ASA 5500-X IPS SSP
18-23
allow-sensor-block command
14-8
alternate TCP reset interface
configuration restrictions
5-9
designating
5-5
restrictions
5-3
Analysis Engine
described
6-2
error messages
C-23
IDM exits
C-54
sensing interfaces
5-4
verify it is running
C-20
virtual sensors
6-2
anomaly detection
9-1
asymmetric traffic
9-1, 9-2
caution
9-1, 9-2
configuration sequence
9-5
default anomaly detection configuration
9-4
default configuration (example)
9-4
described
9-2
detect mode
9-4
enabling
9-8
event actions
9-6, B-70
inactive mode
9-4
learning accept mode
9-3
learning process
9-3
limiting false positives
9-37
protocols
9-3
signatures (table)
9-6, B-71
signatures described
9-6
worms
attacks
9-37
described
9-3
zones
9-4
anomaly detection disabling
9-49, C-19
anomaly-detection load command
9-41
anomaly detection operational settings
configuring
9-11, 9-38
described
9-10
anomaly detection policies
copying
9-9
creating
9-9
deleting
9-9
displaying
9-9
editing
9-9
lists
17-29
anomaly-detection save command
9-41
anomaly detection statistics
clearing
9-47
displaying
9-47
Anomaly Detection zones
illegal
9-20
internal
9-12
appliances
GRUB menu
17-3, C-8
initializing
3-9
logging in
2-2
password recovery
17-3, C-8
resetting
17-46
setting system clock
4-39, 17-27
terminal servers
described
2-3, 21-16
setting up
2-3, 21-16
time sources
4-36, C-15
upgrading recovery partition
21-7
Application Inspection and Control. See AIC.
application partition
described
A-4
image recovery
21-14
application-policy command
7-23
application policy configuring
7-24
application policy enforcement described
7-23, B-11
applications in XML format
A-4
applying
software updates
C-51
threat profiles
7-6
ARC
ACLs
14-22, A-14
authentication
A-15
blocking
connection-based
A-17
response
A-13
unconditional blocking
A-17
blocking application
14-2
blocking not occurring for signature
C-41
Catalyst switches
VACL commands
A-19
VACLs
A-16, A-19
VLANs
A-16
checking status
14-4, 14-5
described
A-4
design
14-2
device access issues
C-39
enabling SSH
C-41
features
A-14
firewalls
AAA
A-18
connection blocking
A-18
NAT
A-18
network blocking
A-18
postblock ACL
A-16
preblock ACL
A-16
shun command
A-18
TACACS+
A-18
formerly Network Access Controller
14-1
functions
14-2, A-12
illustration
A-13
inactive state
C-37
interfaces
A-14
maintaining states
A-16
master blocking sensors
A-14
maximum blocks
14-2
misconfigured master blocking sensor
C-42
nac.shun.txt file
A-16
NAT addressing
A-15
number of blocks
A-15
postblock ACL
A-16
preblock ACL
A-16
prerequisites
14-6
rate limiting
14-4
responsibilities
A-13
single point of control
A-15
SSH
A-14
supported devices
14-6, A-15
Telnet
A-14
troubleshooting
C-35
VACLs
A-14
verifying device interfaces
C-40
verifying status
C-36
ARP
Layer 2 signatures
B-14
protocol
B-14
ARP spoof tools
dsniff
B-14
ettercap
B-14
ASA 5500 AIP SSC-5
time sources
4-36
ASA 5500 AIP SSM
IPS reloading messages
C-67, C-73
time sources
4-36
ASA 5500-X IPS SSP
assigning virtual sensors
18-7
bypass mode
18-9, 19-11
creating virtual sensors
18-5
Deny Connection Inline
18-11
Deny Packet Inline
18-11
IPS reloading messages
18-11, C-67, C-73
logging in
2-4, 3-14
memory usage
17-16, 18-11, C-66
memory usage values (table)
17-16, 18-11, C-66
no CDP mode support
5-45
Normalizer engine
18-9, C-65
notes and caveats
18-1
password recovery
17-4, C-10
Reset TCP Connection
18-11
resetting the password
17-5, C-10
sensing interface
18-4
session command
2-4, 3-14
sessioning in
2-4, 3-14
show module command
18-3
sw-module module 1 recover configure
18-12
sw-module module slot_number password-reset
18-12
sw-module module slot_number reload
18-12
sw-module module slot_number reset
18-12
sw-module module slot_number shutdown
18-12
task sequence
18-2
TCP reset differences
8-7
TCP reset packets
18-11
time sources
4-36, C-15
verifying initialization
18-3
virtual sensors
assigning policies
18-4, 19-5
assigning the interface
18-4, 19-5
virtual sensor sequence
18-4, 19-5
ASA 5585-X IPS SSP
assigning virtual sensors
19-8
bypass mode
19-10
creating virtual sensors
19-5
Deny Connection Inline
19-11
Deny Packet Inline
19-11
hw-module module 1 recover configure
19-13
hw-module module slot_number password-reset
19-12
hw-module module slot_number recover boot
19-12
hw-module module slot_number recover stop
19-12
hw-module module slot_number reload
19-12
hw-module module slot_number reset
19-12
hw-module module slot_number shutdown
19-12
installing system image
21-24
interfaces
command and control
19-4
described
19-4
port numbers
19-4
sensing
19-4
slot numbers
19-4
IPS reloading messages
19-12, C-67, C-73
logging in
2-5, 3-15
no CDP mode support
5-45, 19-1
Normalizer engine
19-10, C-72
notes and caveats
19-1
password recovery
17-6, C-12
Reset TCP Connection
19-11
resetting the password
17-7, C-12
session command
2-5, 3-15
sessioning in
2-5, 3-15
task sequence
18-2, 19-2
TCP reset differences
8-7
TCP reset packets
19-11
time sources
4-36, C-15
virtual sensors
assigning policies
18-4, 19-5
assigning the interface
18-4, 19-5
sequence
19-5
ASA IPS modules
jumbo packet count
5-46, 18-10, 19-11, C-66, C-73
ASDM
resetting passwords
17-6, 17-8, C-11, C-13
assigning
interfaces to virtual sensors (ASA 5500-X IPS SSP)
18-4, 19-5
interfaces to virtual sensors (ASA 5585-X IPS SSP)
18-4, 19-5
policies to virtual sensors (ASA 5500-X IPS SSP)
18-4, 19-5
policies to virtual sensors (ASA 5585-X IPS SSP)
18-4, 19-5
assigning interfaces to virtual sensors
6-5
assigning policies to virtual sensors
6-5
asymmetric mode
described
6-4
normalization
6-4
asymmetric traffic
anomaly detection
9-1, 9-2
caution
9-1, 9-2
asymmetric traffic and disabling anomaly detection
9-48, C-18
Atomic ARP engine
described
B-14
parameters (table)
B-14
Atomic IP Advanced engine
described
B-15
parameters (table)
B-17
restrictions
B-16
Atomic IP engine
described
B-25
parameters (table)
B-25
Atomic IPv6 engine
described
B-28
Neighborhood Discovery protocol
B-29
signatures
B-29
attack relevance rating
calculating risk rating
8-14
described
8-14, 8-27
Attack Response Controller
described
A-4
formerly known as Network Access Controller
A-4
See ARC
attack severity rating
calculating risk rating
8-14
described
8-14
attempt limit
RADIUS
C-20
attemptLimit command
4-34
audit mode
described
10-9
testing global correlation
10-9
authenticated NTP
4-2, 4-36, 4-45, C-15
authentication
local
4-20
RADIUS
4-20
AuthenticationApp
authenticating users
A-20
described
A-4
login attempt limit
A-20
method
A-20
responsibilities
A-20
secure communications
A-21
sensor configuration
A-20
Authentication pane
user roles
A-30
authorized keys
defining
4-49
RSA authentication
4-49
automatic setup
3-3
automatic update
DNS servers
4-11
immediate
21-11
proxy server
4-11
automatic upgrade
information required
21-8
troubleshooting
C-51
autoupdatenow command
21-11
auto-upgrade-option command
21-8
B
backing up
configuration
16-24, C-2
current configuration
16-23, C-4
BackOrifice. See BO.
BackOrifice 2000. See BO2K.
backup-config command
16-20
banner login command
17-20
basic setup
3-5
block connection command
14-33
block-enable command
14-9
block hosts command
14-31
blocking
addresses never to block
14-19
block time
14-13
connection
14-33
described
14-2
disabling
14-10
hosts
14-31
list of blocked hosts
14-34
managing firewalls
14-27
managing routers
14-23
managing switches
14-26
master blocking sensor
14-28
maximum entries
14-11
necessary information
14-3
notes and caveats
14-1
prerequisites
14-6
properties
14-7
sensor block itself
14-8
show statistics
14-34
supported devices
14-6
types
14-3
user profiles
14-20
blocking not occurring for signature
C-41
block network command
14-32
BO
described
B-73
Trojans
B-73
BO2K
described
B-73
Trojans
B-73
BST
described
C-1
URL
C-1
Bug Search Tool. See BST.
bypass mode
ASA 5500-X IPS SSP
18-9, 19-11
ASA 5585-X IPS SSP
19-10
configuring
5-43
described
5-42
bypass-option command
5-43
C
calculating risk rating
attack relevance rating
8-14
attack severity rating
8-14
promiscuous delta
8-14
signature fidelity rating
8-14
target value rating
8-14
watch list rating
8-14
cannot access sensor
C-24
capture packet files
notes and caveats
13-1
capturing live traffic
13-5
caution for clearing databases
17-10
CDP mode
ASA 5500-X IPS SSP
5-45
ASA 5585-X IPS SSP
5-45, 19-1
configuring
5-45
described
5-45
interfaces
5-45
certificates (IDM)
4-52
changing
4-30
access lists
4-7
CLI inactivity timeout
4-14
FTP timeout
4-8
host IP address
4-4
hostname
4-3
passwords
4-30
privilege
4-31
web server settings
4-16
cidDump obtaining information
C-102
CIDEE
defined
A-34
example
A-34
IPS extensions
A-34
protocol
A-34
supported IPS events
A-34
cisco
default password
2-2
default username
2-2
Cisco.com
accessing software
20-2
downloading software
20-1
software downloads
20-1
Cisco Bug Search Tool
described
C-1
Cisco Discovery Protocol. See CDP.
Cisco IOS rate limiting
14-4
cisco-security-agents-mc-settings command
11-4
Cisco Security Intelligence Operations
described
20-7
URL
20-7
Cisco Services for IPS
service contract
4-59
supported products
4-59
clear database command
17-10
clear denied-attackers command
8-37, 17-27
clear events command
4-37, 8-42, 17-25, C-17, C-102
clearing
anomaly detection statistics
9-47
denied attackers statistics
8-37, 17-27
events
8-42, 17-25, C-102
global correlation statistics
10-14
OS IDs
8-32
sensor databases
17-10
statistics
17-30, C-83
clearing databases caution
17-10
clear line command
17-20
clear os-identification command
8-32
CLI
command line editing
1-6
command modes
1-7
default keywords
1-10
described
A-4, A-30
error messages
D-1
generic commands
1-10
password recovery
17-8, C-14
regular expression syntax
1-8
CLI behavior
1-5
case sensitivity
1-6
display options
1-6
help
1-5
prompts
1-5
recall
1-5
tab completion
1-5
client manifest described
A-28
CLI guide introduction
1-1
CLI inactivity timeout
configuring
4-14
described
4-14
cli-inactivity-timeout command
4-14
CLI session termination
17-21
clock set command
4-38, 17-26
CollaborationApp described
A-4, A-28
command and control interface
described
5-3
list
5-3
command and control interface described (ASA 5585-X IPS SSP)
19-4
command line editing (table)
1-6
command modes
1-7
anomaly detection configuration
1-7
event action rules configuration
1-7
EXEC
1-7
global configuration
1-7
privileged EXEC
1-7
service mode configuration
1-7
signature definition configuration
1-7
commands
15-8, 18-3, 19-3
access-list
4-6
alert-frequency
7-12
alert-severity
7-14
allocate-ips
18-4, 19-4
allow-sensor-block
14-8
anomaly-detection load
9-41
anomaly-detection save
9-41
application-policy
7-23
attemptLimit
4-34
autoupdatenow
21-11
auto-upgrade-option
21-8
backup-config
16-20
banner login
17-20
block connection
14-33
block-enable
14-9
block hosts
14-31
block network
14-32
bypass-option
5-43
cisco-security-agents-mc-settings
11-4
clear database
17-10
clear denied-attackers
8-37, 17-27
clear events
4-37, 8-42, 17-25, C-17, C-102
clear line
17-20
clear os-identification
8-32
cli-inactivity-timeout
4-14
clock set
4-38, 17-26
copy ad-knowledge-base
9-42
copy anomaly-detection
9-8
copy backup-config
16-21, C-3
copy current-config
16-21, C-3
copy event-action-rules
8-8
copy iplog
12-7
copy license-key
4-60
copy packet-file
13-6
copy signature-definition
7-2
current-config
16-20
default service anomaly-detection
9-9
default service event-action-rules
8-8
default service signature-definition
7-2
deny attacker
8-36
downgrade
21-12
enable-acl-logging
14-14
enable-detail-traps
15-8
enable-nvram-write
14-15
erase
16-24
erase ad-knowledge-base
9-42
erase license-key
4-62
erase packet-file
13-7
event-action
7-20
event-action-rules-configurations
17-29
event-counter
7-15
external-zone
9-28
filters
8-22
fragment-reassembly
7-36
ftp-timeout
4-8
global-block-timeout
8-34, 14-13
global-deny-timeout
8-34
global-filters-status
8-34
global-metaevent-status
8-34
global-overrides-status
8-34
global-parameters
6-12
global-summarization
8-35
health-monitor
10-8
host-ip
4-4
host-name
4-3
hw-module module 1 recover configure
19-13
hw-module module slot_number password-reset
17-6, 19-12, C-12
hw-module module slot_number recover boot
19-12
hw-module module slot_number recover stop
19-12
hw-module module slot_number reload
19-12
hw-module module slot_number reset
19-12
hw-module module slot_number shutdown
19-12
ignore
9-10
illegal-zone
9-20
inline-interfaces
5-17
interface-notifications
5-44
internal-zone
9-12
ip-log
7-45
iplog
12-3
ip-log-bytes
12-2
ip-log-packets
12-2
iplog-status
12-5
ip-log-time
12-2
ipv6-target-value
8-15
learning-accept-mode
9-38
list anomaly-detection-configurations
9-9, 17-29
list event-action-rules-configurations
8-8
list signature-definition-configurations
7-2
log-all-block-events-and-errors
14-16
login-banner-text
4-9
max-block-entries
14-11
max-denied-attackers
8-35
max-interfaces
14-17
more
16-20
more current-config
16-1
never-block-hosts
14-19
never-block-networks
14-19
no iplog
12-6
no ipv6-target-value
8-15
no service anomaly-detection
9-9
no service event-action-rules
8-8
no service signature-definition
7-2
no target-value
8-15
no variables
8-12
os-identifications
8-28
other
9-18, 9-26, 9-34
overrides
8-18
packet capture
13-4
packet-display
13-2
password
4-18, 4-30
permit-packet-logging
4-26
physical-interfaces
5-11, 5-22, 5-28
ping
17-45
privilege
4-18, 4-31
rename ad-knowledge-base
9-42
reset
17-46
service anomaly-detection
9-8
service event-action-rules
8-8
service signature-definition
7-2
setup
3-1, 3-5, 3-9
show ad-knowledge-base diff
9-44, 9-45
show ad-knowledge-base files
9-40, 9-41
show clock
4-37, 17-25
show configuration
16-1
show context
18-7, 19-8
show events
8-39, 17-22, C-99
show health
10-9, 17-19, C-74
show history
17-47
show inspection-load
17-12
show interfaces
5-46
show interfaces-history
5-48, C-96
show inventory
17-47
show lacp
5-38
show module 1 details
19-13, C-57, C-67
show os-identification
8-32
show settings
16-3, 16-18, 17-9, 17-49, C-14
show statistics
14-34, 17-30, C-83
show statistics anomaly-detection
9-47
show statistics denied-attackers
8-37, 17-27
show statistics virtual-sensor
17-30, C-23, C-83
show tech-support
17-42, C-75
show tls trusted-root-certificates
4-57
show users
4-32
show version
17-43, C-79
sig-fidelity-rating
7-17, 7-19
signature-definition-configurations
17-29
snmp-agent-port
15-3
snmp-agent-protocol
15-3
ssh authorized-key
4-49
ssh-generate-key
4-50
ssh host-key
4-47
sshv1-fallback
4-13
status
7-18
stream-reassembly
7-44
strict-tls-server-validation
4-54
subinterface-type
5-22, 5-28
summertime-option non-recurring
4-41
summertime-option recurring
4-39
sw-module module 1 recover configure
18-12
sw-module module slot_number password-reset
17-5, 18-12, C-10
sw-module module slot_number reload
18-12
sw-module module slot_number reset
18-12
sw-module module slot_number shutdown
18-12
target-value
8-15
tcp
9-13, 9-21, 9-29
telnet-option
4-5
terminal
17-21
threat-profile
7-5
time-zone-settings
4-43
tls generate-key
4-58
tls trusted-host
4-53, 4-55
trace
17-48
trap-community-name
15-8
trap-destinations
15-8
udp
9-15, 9-24, 9-32
unlock user username
4-35
upgrade
21-4, 21-6
username
4-18
user-profile
14-20
variables
7-10, 8-12
virtual-sensor name
6-5, 18-4, 19-5
worm-timeout
9-10
comparing KBs
9-44
configuration files
backing up
16-24, C-2
merging
16-24, C-2
configuration restrictions
alternate TCP reset interface
5-9
inline interface pairs
5-9
inline VLAN pairs
5-9
interfaces
5-8
physical interfaces
5-8
VLAN groups
5-10
configuration sequence
ASA 5500-X IPS SSP
18-2
ASA 5585-X IPS SSP
18-2, 19-2
configured OS mapping (example)
8-28
configuring
AAA authentication
4-23
access lists
4-7
account locking
4-34
account unlocking
4-35
ACL logging
14-14
alert frequency parameters
7-13
alert severity
7-14
anomaly detection operational settings
9-11, 9-38
application policy
7-24, 7-33
automatic IP logging
12-3
automatic upgrades
21-9
blocking
firewalls
14-27
routers
14-23
switches
14-26
time
14-13
bypass mode
5-43
CDP mode
5-45
cli-inactivity-timeout
4-14
connection blocking
14-33
CSA MC IPS interfaces
11-4
DNS servers
4-11
event action filters
8-23
event actions
7-21
event counter
7-16
external zone
9-29
ftp-timeout
4-8
global correlation
10-10, 10-12
health statistics
17-16
host blocks
14-31
host IP address
4-4
hostname
4-3
hosts never to block
14-19
illegal zone
9-20
inline interface pairs
5-17
inline VLAN groups
5-29
inline VLAN pairs
5-23
internal zone
9-12
IP fragment reassembly
7-37
IP fragment reassembly parameters
7-36, 7-43
IP logging
7-45
LACP
5-37
logging all blocking events and errors
14-16
logical devices
14-20
login-banner-text
4-9
manual IP logging
12-4
master blocking sensor
14-29
maximum block entries
14-12
maximum blocking interfaces
14-18
maximum denied attackers
8-35
Meta Event Generator
8-35
network blocks
14-32
networks never to block
14-19
NTP servers
4-44
NVRAM write
14-15
OS maps
8-30
other protocols
external zone
9-35
illegal zone
9-26
internal zone
9-18
packet command restrictions
4-27
password policy
4-33
passwords
4-30
physical interfaces
5-12
privilege
4-31
proxy servers
4-11
sensor sequence
1-2
sensor to block itself
14-8
sensor to use NTP
4-45
signature fidelity rating
7-17, 7-19
sshv1-fallback
4-13
status
7-18
summarizer
8-35
summertime
non-recurring
4-41
recurring
4-39
TCP
external zone
9-30
illegal zone
9-22
internal zone
9-13
TCP stream reassembly
7-44
telnet-option
4-5
threat profiles
7-6
time zone settings
4-43
traffic flow notifications
5-44
UDP
external zone
9-32
illegal zone
9-24
internal zone
9-16
upgrades
21-5
user profiles
14-20
users (SNMPv3)
15-4
web server settings
4-15
configuring interfaces
notes and caveats
5-1
sequence
5-10
control transactions
characteristics
A-9
request types
A-9
copy ad-knowledge-base command
9-42
copy anomaly-detection command
9-8
copy backup-config command
16-21, C-3
copy command syntax
9-42
copy current-config command
16-21, C-3
copy event-action-rules command
8-8
copying
anomaly detection policies
9-9
event action rules policies
8-9
IP log files
12-7
KBs
9-42, 9-43
packet files
13-7
signature definition policies
7-2
copy iplog command
12-7
copy license-key command
4-60
copy packet-file command
13-6
copy signature-definition command
7-2
correcting time on the sensor
4-37, C-17
creating
anomaly detection policies
9-9
Atomic IP Advanced signatures
7-57
banner logins
17-20
custom signatures
7-46
event action rules policies
8-9
event action variables
8-12
global parameters
6-12
Meta signatures
7-55
OS maps
8-30
Post-Block VACLs
14-26
Pre-Block VACLs
14-26
service HTTP signatures
7-51
signature definition policies
7-2
string TCP signatures
7-48
string TCP XL signatures
7-58, 7-62
user profiles
14-20
virtual sensors
6-6, 6-9
creating the service account
4-29, C-6
cryptographic account
Encryption Software Export Distribution Authorization from
20-2
obtaining
20-2
CSA MC
configuring IPS interfaces
11-4
host posture events
11-2, 11-4
quarantined IP address events
11-2
supported IPS interfaces
11-4
CtlTransSource
described
A-4, A-11
illustration
A-12
Ctrl-N
1-5
Ctrl-P
1-5
current-config command
16-20
current configuration back up
16-24, C-2
custom signatures
AIC MIME-type
7-33
Atomic IP Advanced signature
7-57
configuration sequence
7-46
described
7-4
Meta signature
7-55
service HTTP example
7-51
String TCP
7-48
String TCP XL
7-58, 7-62
D
data nodes
B-68
data structures (examples)
A-8
DDoS
protocols
B-72
Stacheldraht
B-72
TFN
B-72
debug logging enable
C-44
default blocking time
14-13
default keywords
1-10
defaults
password
2-2
username
2-2
virtual sensor vs0
6-2
default service anomaly-detection command
9-9
default service event-action-rules command
8-8
default service signature-definition command
7-2
defining authorized keys
4-49
defining signatures
7-1
deleting
anomaly detection policies
9-9
denied attackers list
8-37, 17-27
event action rules policies
8-9
event action variables
8-12
inline interface pairs
5-20
inline VLAN pairs
5-26
OS maps
8-31
signature definition policies
7-2
signature variables
7-10
target value ratings
8-16
VLAN groups
5-32
Denial of Service. See DoS.
denied attackers add
8-36
deny actions (list)
8-5
deny attacker command
8-36
deny-packet-inline described
8-7
detect mode (anomaly detection)
9-4
device access issues
C-39
diagnosing network connectivity
17-45
disabling
anomaly detection
9-49, C-19
blocking
14-10
global correlation
10-14
password recovery
17-8, C-14
signatures
7-18
SSHv1 fallback
4-13
Telnet
4-5
disaster recovery
C-6
displaying
anomaly detection policies
9-9
anomaly detection policy lists
17-29
anomaly detection statistics
9-47
contents of logical file
16-20
current configuration
16-1
current submode configuration
16-3
event action rules policies
8-9
event actions rules lists
17-29
events
8-40, 17-23, C-100
global correlation statistics
10-14
health status
17-19, C-74
inspection load
17-13
interface statistics
5-40, 5-46
interface traffic history
5-49, C-97
IP log contents
12-5
KB files
9-40
KB thresholds
9-46
LACP information
5-40
live traffic
13-3
OS IDs
8-32
password recovery setting
17-9, C-14
PEP information
17-47
policy lists
17-29
signature definition lists
17-29
statistics
17-30, C-83
submode settings
17-49
system clock
4-38, 17-26
tech support information
17-42, C-76
threat profiles
7-6
TLS trusted root certificates
4-57
version
17-43, C-80
Distributed Denial of Service. See DDoS.
DNS servers
configuring
4-11
DoS tools
Stacheldraht
B-72
stick
B-7
TFN
B-72
downgrade command
21-12
downgrading sensors
21-12
downloading Cisco software
20-1
duplicate IP addresses
C-27
E
editing
anomaly detection policies
9-9
event action rules policies
8-9
event action variables
8-12
signature definition policies
7-2
signature variables
7-10
target value ratings
8-16
efficacy
described
10-5
measurements
10-5
enable-acl-logging command
14-14
enable-detail-traps command
15-8
enable-nvram-write command
14-15
enabling
anomaly detection
9-8
signatures
7-18
SSHv1 fallback
4-13
strict TLS server validation
4-54
Telnet
4-5
enabling debug logging
C-44
Encryption Software Export Distribution Authorization form
cryptographic account
20-2
described
20-2
engines
AIC
7-22, B-11
AIC FTP
B-11
AIC HTTP
B-11
Atomic ARP
B-14
Atomic IP
B-25
Atomic IP Advanced
B-15
Atomic IPv6
B-28
Fixed
B-29
Fixed ICMP
B-29
Fixed TCP
B-29
Fixed UDP
B-29
Flood
B-32
Flood Host
B-32
Flood Net
B-32
Master
B-4
Meta
7-53, B-33
Multi String
B-35
Normalizer
B-36
Service
B-39
Service DNS
B-39
Service FTP
B-40
Service Generic
B-41
Service H225
B-43
Service HTTP
7-50, B-45
Service IDENT
B-47
Service MSRPC
B-48
Service MSSQL
B-50
Service NTP
B-51
Service P2P
B-52
Service RPC
B-52
Service SMB Advanced
B-54
Service SNMP
B-56
Service SSH
B-57
Service TNS
B-58
State
B-59
String
7-47, B-61
String ICMP
7-47, B-61
String TCP
7-47, B-61
String UDP
7-47, B-61
Sweep
B-67
Sweep Other TCP
B-69
Traffic Anomaly
B-70
Traffic ICMP
B-72
Trojan
B-73
erase ad-knowledge-base command
9-42
erase command
16-24
erase license-key command
4-62
erase packet-file command
13-7
erasing
current configuration
16-24
KBs
9-42, 9-43
packet files
13-7
error messages
described
D-1
validation
D-6
evAlert
A-9
event-action command
7-20
event action filters
described
8-21
using variables
8-21
event action overrides
described
8-17
risk rating range
8-17
event action rules
described
8-2
functions
8-2
notes and caveats
8-1
task list
8-8
event action rules lists display
17-29
event action rules policies
copying
8-9
creating
8-9
deleting
8-9
displaying
8-9
editing
8-9
event actions
risk ratings
8-15
threat ratings
8-15
event actions configure
7-21
event-counter command
7-15
event counter configure
7-16
events
clearing
8-42, 17-25, C-102
displaying
8-40, 17-23, C-100
host posture
11-2
quarantined IP address
11-2
Event Store
clearing
8-42, 17-25, C-102
clearing events
4-37, C-17
data structures
A-8
described
A-4
examples
A-8
no alerts
C-31
responsibilities
A-7
time stamp
4-37, C-17
timestamp
A-7
event types
C-98
event variables
described
8-10
example
8-11
evError
A-9
evLogTransaction
A-9
evShunRqst
A-9
evStatus
A-9
examples
ASA failover configuration
18-21, 19-17, C-65, C-71
default anomaly detection configuration
9-4
KB histogram
9-37
password
4-19
password policy
4-33
privilege
4-19
SPAN configuration for IPv6 support
5-16
System Configuration Dialog
3-4
username
4-19
external product interfaces
adding
11-5
described
11-1
issues
11-3, C-21
notes and caveats
11-1
troubleshooting
11-8, C-22
external zone
configuring
9-29
configuring other protocols
9-35
configuring TCP
9-30
configuring UDP
9-32
described
9-28
external-zone command
9-28
F
failover
TCP support
5-36
fallback
TCP support
5-36
false positives described
7-4
files
Cisco IPS (list)
20-1
filtering
more command
16-17
submode configuration
16-18
filters command
8-22
Fixed engine described
B-29
Fixed ICMP engine parameters (table)
B-30
Fixed TCP engine parameters (table)
B-30
Fixed UDP engine parameters (table)
B-31
Flood engine described
B-32
Flood Host engine parameters (table)
B-32
Flood Net engine parameters (table)
B-33
fragment-reassembly command
7-36
FTP servers and software updates
21-3
FTP timeout
configuring
4-8
described
4-8
ftp-timeout command
4-8
G
generating
SSH server host key
4-51
TLS certificate
4-58
generic commands
1-10
global-block-timeout command
8-34, 14-13
global correlation
10-1
described
3-2, 10-2
disabling about
10-13
DNS server
10-7
DNS servers
4-11
error messages
A-29
features
10-6
goals
10-6
health metrics
10-8
health status
10-8
HTTP proxy server
10-7
IPS reloading messages
18-11, 19-12, C-67, C-73
license
3-1, 3-6, 10-1, 10-7, 10-9
no IPv6 support
8-1, 8-10, 8-11, 8-15, 8-21, 10-2, 10-7
notes and caveats
10-1
options
10-10, 10-11, 10-13
Produce Alert
8-5
proxy servers
4-11
requirements
10-7
risk rating
10-6
troubleshooting
10-13, C-20
update client (illustration)
10-9
Global Correlation Update
client described
A-28
server described
A-28
global-deny-timeout command
8-34
global-filters-status command
8-34
global-metaevent-status command
8-34
global-overrides-status command
8-34
global parameters
adding
6-12
creating
6-12
maximum open IP logs
6-12
options
6-12
global-parameters command
6-12
global-summarization command
8-35
GRUB menu password recovery
17-3, C-8
H
H.225.0 protocol
B-43
H.323 protocol
B-43
health-monitor command
10-8
health statistics configuration
17-16
health status
display
17-19, C-74
global correlation
10-8
help
question mark
1-5
using
1-5
host blocks configure
14-31
host IP address
changing
4-4
configuring
4-4
host-ip command
4-4
hostname
changing
4-3
configuring
4-3
host-name command
4-3
host posture events
CSA MC
11-4
described
11-2
HTTP/HTTPS servers supported
21-3
HTTP advanced decoding
described
6-4
platform support
6-4
restrictions
6-4
HTTP deobfuscation
ASCII normalization
7-50, B-45
described
7-50, B-45
hw-module module 1 recover configure command
19-13
hw-module module slot_number password-reset command
17-6, 19-12, C-12
hw-module module slot_number recover boot command
19-12
hw-module module slot_number recover stop command
19-12
hw-module module slot_number reload command
19-12
hw-module module slot_number reset command
19-12
hw-module module slot_number shutdown command
19-12
I
IDAPI
communications
A-4, A-32
described
A-4
functions
A-32
illustration
A-32
responsibilities
A-32
IDCONF
described
A-33
example
A-33
RDEP2
A-33
XML
A-33
IDIOM
defined
A-32
messages
A-32
IDM
Analysis Engine is busy
C-54
certificates
4-52
TLS
4-52
will not load
C-53
ignore command
9-10
illegal zone
configuring
9-20
configuring other protocols
9-26
configuring TCP
9-22
configuring UDP
9-24
described
9-20
protocols
9-20
illegal-zone command
9-20
IME time synchronization problems
C-56
inactive mode (anomaly detection)
9-4
initializing
appliances
3-9
sensors
3-1, 3-5
user roles
3-1, 3-2
verifying
3-16
verifying (ASA 5500-X IPS SSP)
18-3
verifying (IPS SSP)
18-3, 19-3
initializing the sensor (notes and caveats)
3-1
inline interface pair mode
configuration restrictions
5-9
described
5-16
illustration
5-17
inline interface pairs
configuring
5-17
deleting
5-20
inline-interfaces command
5-17
inline mode
interface cards
5-4
normalization
6-4
pairing interfaces
5-4
inline TCP session tracking modes described
6-3
inline VLAN groups
configuring
5-29
deleting
5-32
inline VLAN pair mode
configuration restrictions
5-9
described
5-21
illustration
5-21
supported sensors
5-21
inline VLAN pairs
configuring
5-23
deleting
5-26
inspection load
description
17-12
displaying
17-13
installer major version
20-5
installer minor version
20-5
installing
license key
4-61
system image
ASA 5500-X IPS SSP
21-22
ASA 5585-X IPS SSP
21-24
IPS 4345
21-17
IPS 4360
21-17
IPS 4510
21-20
IPS 4520
21-20
InterfaceApp described
A-4
interface configuration sequence
5-10
interface-notifications command
5-44
interfaces
alternate TCP reset
5-3
command and control
5-3
configuration restrictions
5-8
described
5-2
displaying live traffic
13-3
port numbers
5-2
sensing
5-3, 5-4
slot numbers
5-2
support (table)
5-6
TCP reset
5-4
interface statistics displaying
5-40, 5-46
interface traffic history displaying
5-49, C-97
internal zone
configuring
9-12
configuring other protocols
9-18
configuring TCP
9-13
configuring UDP
9-16
described
9-12
protocols
9-12
internal-zone command
9-12
introducing the CLI guide
1-1
IP fragmentation described
B-36
IP fragment reassembly
described
7-34
parameters (table)
7-34
signatures (table)
7-34
ip-log-bytes command
12-2
ip-log command
7-45
iplog command
12-3
IP log contents
displaying
12-5
viewing
12-5
IP log files copying
12-7
IP logging
automatic
12-2
configuring
12-2
copying files
12-7
described
7-45, 12-2
manual
12-4
notes and caveats
12-1
ip-log-packets command
12-2
ip logs
TCPDUMP
12-2
Wireshark
12-2
iplog-status command
12-5
ip-log-time command
12-2
IP packet trace
17-48
IPS 4345
installing system image
21-17
password recovery
17-3, 17-4, C-8, C-9
reimaging
21-16
IPS 4360
installing system image
21-17
password recovery
17-3, 17-4, C-8, C-9
reimaging
21-16
IPS 4510
installing system image
21-20
LACP grouping
5-33
password recovery
17-3, 17-4, C-8, C-9
reimaging
21-20
SwitchApp
A-29
IPS 4520
installing system image
21-20
LACP grouping
5-33
password recovery
17-3, 17-4, C-8, C-9
reimaging
21-20
SwitchApp
A-29
IPS appliances
Deny Connection Inline
8-7, 18-11, 19-11
Deny Packet Inline
8-7, 18-11, 19-11
Reset TCP Connection
8-7, 18-11, 19-11
TCP reset packets
8-7, 18-11, 19-11
IPS applications
summary
A-35
table
A-35
XML format
A-4
IPS clock synchronization
4-37, C-16
IPS data
types
A-8
XML document
A-9
IPS events
evAlert
A-9
evError
A-9
evLogTransaction
A-9
evShunRqst
A-9
evStatus
A-9
list
A-9
types
A-9
IPS internal communications
A-32
IPS port channel
illustration
5-34
IPS software
application list
A-4
available files
20-1
configuring device parameters
A-5
directory structure
A-34
Linux OS
A-1
obtaining
20-1
retrieving data
A-5
security features
A-5
tuning signatures
A-5
updating
A-5
user interaction
A-5
versioning scheme
20-3
IPS software file names
major updates (illustration)
20-4
minor updates (illustration)
20-4
patch releases (illustration)
20-4
service packs (illustration)
20-4
IPS SSP
show module command
18-3, 19-3
verifying initialization
18-3, 19-3
virtual sensors
assigning to security context
19-7
IPv4
address format
8-11
event variables
8-11
IPv6
address format
8-11
described
B-28
event variables
8-11
SPAN ports
5-15
switches
5-15
ipv6-target-value command
8-15
K
KB files
displaying
9-40
KBs
comparing
9-44
copying
9-42, 9-43
described
9-3
erasing
9-42, 9-43
histogram
9-36
initial baseline
9-3
manually loading
9-41
manually saving
9-41
renaming
9-42, 9-43
scanner threshold
9-36
tree structure
9-36
KB thresholds display
9-46
keywords
default
1-10
no
1-10
Knowledge Base. See KB.
L
LACP
configuring
5-37
displaying information
5-40
link states
5-36
restrictions
5-35
learning accept mode
anomaly detection
9-3
learning-accept-mode command
9-38
license key
installing
4-61
obtaining
4-59
trial
4-59
uninstalling
4-62
viewing status of
4-59
licensing
described
4-59
IPS device serial number
4-59
Licensing pane
described
4-59
limitations for concurrent CLI sessions
18-1, 19-1
Link Aggregation Control Protocol. See LACP.
Link Aggregation Control Protocol Data Unit. See LACPDU.
list anomaly-detection-configurations command
9-9, 17-29
list event-action-rules-configurations command
8-8, 17-29
list of blocked hosts
14-34
list signature-definition-configurations command
7-2, 17-29
loading
KBs
9-41
log-all-block-events-and-errors command
14-16
Logger
described
A-4, A-19
functions
A-19
syslog messages
A-19
logging in
appliances
2-2
ASA 5500-X IPS SSP
2-4, 3-14
ASA 5585-X IPS SSP
2-5, 3-15
notes and caveats
2-1
sensors
SSH
2-6
Telnet
2-6
service role
2-2
terminal servers
2-3, 21-16
user role
2-1
login banners
adding
4-9
login-banner-text
command
4-9
configuring
4-9
LOKI
described
B-72
protocol
B-72
loose connections on sensors
C-23
M
MainApp
components
A-6
described
A-4, A-6
host statistics
A-6
responsibilities
A-6
show version command
A-6
major updates described
20-3
managing
firewalls
14-27
routers
14-23
switches
14-26
manifests
client
A-28
server
A-28
manual blocking
14-31, 14-33
manual block to bogus host
C-41
manually loading KBs
9-41
manually saving
KBs
9-41
master blocking sensor
described
14-28
not set up properly
C-42
verifying configuration
C-42
Master engine
alert frequency
B-7
alert frequency parameters (table)
B-7
described
B-4
event actions
B-8
general parameters (table)
B-4
universal parameters
B-4
master engine parameters
obsoletes
B-6
promiscuous delta
B-6
vulnerable OSes
B-6
max-block-entries command
14-11
max-denied-attackers command
8-35
maximum open IP logs
6-12
max-interfaces command
14-17
merging configuration files
16-24, C-2
Meta engine
described
7-53, B-33
parameters (table)
B-34
Signature Event Action Processor
7-53, B-33
MIBs supported
15-11, C-18
minor updates described
20-3
modes
anomaly detection detect
9-4
anomaly detection learning accept
9-3
asymmetric
6-4
bypass
5-42
inactive (anomaly detection)
9-4
inline interface pair
5-16
inline TCP tracking
6-3
inline VLAN pair
5-21
Normalizer
6-4
promiscuous
5-14
VLAN groups
5-27
modifying
terminal properties
17-22
monitoring
viewer privileges
1-4
more command
16-20
filtering
16-17
more current-config command
16-1
moving
OS maps
8-30
Multi String engine
described
B-35
parameters (table)
B-35
Regex
B-35
N
Neighborhood Discovery
options
B-29
types
B-29
network blocks
configuring
14-32
network connectivity diagnosis
17-45
network participation
data gathered
10-4
data use (table)
3-2, 10-3
described
10-4
health metrics
10-8
modes
10-5
requirements
10-4
SensorBase Network
10-5
statistics
10-5
network participation data
improving signature fidelity
10-5
understanding sensor deployment
10-5
never-block-hosts command
14-19
never-block-networks command
14-19
no iplog command
12-6
no ipv6-target-value command
8-15
normalization described
6-4
Normalizer engine
described
B-36
IPv6 fragments
B-37
modify packets inline
6-3
parameters (table)
B-37
no service anomaly-detection command
9-9
no service event-action-rules command
8-8
no service signature-definition command
7-2
no target-value command
8-15
notes and caveats
7-1, 9-1, 10-1
administrative tasks
17-2
anomaly detection
9-1
ASA 5500-X IPS SSP
18-1
ASA 5585-X IPS SSP
19-1
blocking
14-1
capture packet files
13-1
configuring interfaces
5-1
event action rules
8-1
external product interfaces
11-1
initializing the sensor
3-1
IP logging
12-1
logging in
2-1
setting up the sensor
4-1
SNMP
15-1
virtual sensors
6-1
NotificationApp
alert information
A-9
described
A-4
functions
A-9
SNMP gets
A-9
SNMP traps
A-9
statistics
A-11
system health information
A-10
no variables command
8-12
NTP
authenticated
4-2, 4-36, 4-45, C-15
configuring servers
4-44
described
4-36, C-15
incorrect configuration
C-16
sensor time source
4-43, 4-45
time synchronization
4-36, C-15
unauthenticated
4-2, 4-36, 4-45, C-15
O
obsoletes field described
B-6
obtaining
command history
17-47
cryptographic account
20-2
IPS software
20-1
license key
4-59
list of blocked hosts and connections
14-34
used commands list
17-47
operator role privileges
1-4
options
global correlation
10-10, 10-11, 10-13
os-identifications command
8-28
OS IDs
clearing
8-32
displaying
8-32
OS information sources
8-27
OS maps
creating
8-30
deleting
8-31
moving
8-30
other actions (list)
8-6
other command
9-18, 9-26, 9-34
output
clearing current line
1-6
displaying
1-6
overrides command
8-18
P
P2P networks described
B-52
packet capture command
13-4
packet command restrictions
configuring
4-27
packet display command
13-2
packet files
viewing
TCPDUMP
13-7
Wireshark
13-7
partitions
application
A-4
recovery
A-4
passive OS fingerprinting
components
8-27
configuring
8-28
described
8-26
enabled (default)
8-28
password command
4-18, 4-30
password policy
caution
4-32
configuring
4-33
password recovery
appliances
17-3, C-8
ASA 5500-X IPS SSP
17-4, C-10
ASA 5585-X IPS SSP
17-6, C-12
CLI
17-8, C-14
described
17-2, C-8
disabling
17-8, C-14
displaying setting
17-9, C-14
GRUB menu
17-3, C-8
IPS 4345
17-3, 17-4, C-8, C-9
IPS 4360
17-3, 17-4, C-8, C-9
IPS 4510
17-3, 17-4, C-8, C-9
IPS 4520
17-3, 17-4, C-8, C-9
platforms
17-2, C-8
ROMMON
17-4, C-9
troubleshooting
17-9, C-15
verifying
17-9, C-14
passwords
4-30
changing
4-30
configuring
4-30
policy
4-32
patch releases described
20-3
peacetime learning (anomaly detection)
9-3
Peer-to-Peer. See P2P.
PEP information
PID
17-47
SN
17-47
VID
17-47
permit-packet-logging command
4-26
physical connectivity issues
C-30
physical interfaces
configuration restrictions
5-8
configuring
5-12
physical-interfaces command
5-11, 5-22, 5-28
ping command
17-45
platforms concurrent CLI sessions
18-1, 19-1
policies
passwords
4-32
policy lists
displaying
17-29
port channel configuration
illustration
5-34
switch
5-34
Post-Block ACLs
14-22, 14-23
Pre-Block ACLs
14-22, 14-23
prerequisites for blocking
14-6
privilege
changing
4-31
configuring
4-31
privilege command
4-18, 4-31
privilege levels
administrator
1-3
operators
1-3
service
1-3
viewers
1-3
promiscuous delta
calculating risk rating
8-14
described
7-12, 8-14, B-6
promiscuous mode
atomic attacks
5-15
configuring
5-15
described
5-14
illustration
5-15
packet flow
5-14
SPAN ports
5-15
TCP reset interfaces
5-4
VACL capture
5-15
prompts
default input
1-5
protocols
ARP
B-14
CDP
5-45
CIDEE
A-34
DCE
B-48
DDoS
B-72
H.323
B-43
H225.0
B-43
HTTP
4-15
ICMPv6
B-15
IDAPI
A-32
IDCONF
A-33
IDIOM
A-32
IPv6
B-28
LOKI
B-72
MSSQL
B-50
Neighborhood Discovery
B-29
Q.931
B-43
RPC
B-48
SDEE
A-33
proxy servers
configuring
4-11
Q
Q.931 protocol
described
B-43
SETUP messages
B-43
quarantined IP address events described
11-2
R
RADIUS
attempt limit
C-20
multiple cisco av-pairs
4-22, 4-24
RADIUS authentication
described
4-20
service account
4-29
shared secret
4-24, 4-25
rate limiting
ACLs
14-5
described
14-4
routers
14-4
service policies
14-5
supported signatures
14-4
raw expression syntax
described
B-64
expert mode
B-64
Raw Regex
described
7-59, 7-62, B-64
expert mode
7-59, 7-62, B-64
recall
help and tab completion
1-5
using
1-5
recover command
21-14
recovering the application partition image
21-14
recovery partition
described
A-4
upgrade
21-7
Regex
described
1-8
Multi String engine
B-35
standardized
B-1
Regular Expression. See also Regex.
regular expression syntax
described
1-8
raw Regex
7-59, 7-62, B-64
signatures
B-9
table
1-8
reimaging
ASA 5500-X IPS SSP
21-22
described
21-2
IPS 4345
21-16
IPS 4360
21-16
IPS 4510
21-20
IPS 4520
21-20
sensors
21-2, 21-14
removing
last applied
service pack
21-12
signature update
21-12
threat profiles
7-6
users
4-19
rename ad-knowledge-base command
9-42
renaming
KBs
9-42, 9-43
reputation
described
10-3
illustration
10-4
servers
10-3
reset command
17-46
reset not occurring for a signature
C-49
resetting
passwords
ASDM
17-6, 17-8, C-11, C-13
hw-module command
17-6, C-12
sw-module command
17-5, C-10
resetting appliances
17-46
resetting the password
ASA 5500-X IPS SSP
17-5, C-10
ASA 5585-X IPS SSP
17-7, C-12
restoring the current configuration
16-23, C-5
retiring signatures
7-18
risk rating
Alarm Channel
10-6
calculating
8-13
described
8-27
global correlation
10-6
reputation score
10-6
ROMMON
ASA 5585-X IPS SSP
21-26
described
21-15
IPS 4345
17-4, 21-17, C-9
IPS 4360
17-4, 21-17, C-9
IPS 4510
17-4, 21-20, C-9
IPS 4520
17-4, 21-20, C-9
password recovery
17-4, C-9
remote sensors
21-15
serial console port
21-15
TFTP
21-15
round-trip time. See RTT.
RPC portmapper
B-52
RSA authentication
authorized keys
4-49
RTT
described
21-15
TFTP limitation
21-15
S
saving
KBs
9-41
scheduling automatic upgrades
21-9
SDEE
described
A-33
HTTP
A-33
protocol
A-33
server requests
A-34
searching
submode configuration
16-18
security
account locking
4-34
information on Cisco Security Intelligence Operations
20-7
SSH
4-47
security policies described
7-2, 8-2, 9-2
sensing interface
ASA 5500-X IPS SSP
18-4
sensing interfaces
Analysis Engine
5-4
described
5-4
interface cards
5-4
modes
5-4
sensing interfaces described (ASA 5585-X IPS SSP)
19-4
SensorApp
Alarm Channel
A-24
Analysis Engine
A-24
described
A-4
event action filtering
A-25
inline packet processing
A-24
IP normalization
A-24
packet flow
A-25
processors
A-23
responsibilities
A-23
risk rating
A-25
Signature Event Action Processor
A-23
TCP normalization
A-24
SensorBase Network
described
3-2, 10-2
network participation
10-5
participation
3-2, 10-2
servers
3-2, 10-2
sensor databases
clearing
17-10
Sensor Key pane
described
4-50
sensors
access problems
C-24
application partition image
21-14
asymmetric traffic and disabling anomaly detection
9-48, C-18
command and control interfaces (list)
5-3
configuration sequence
1-2
configuring to use NTP
4-45
corrupted SensorApp configuration
C-34
disaster recovery
C-6
downgrading
21-12
incorrect NTP configuration
C-16
initializing
3-1, 3-5
interface support
5-6
IP address conflicts
C-27
logging in
SSH
2-6
Telnet
2-6
loose connections
C-23
managing
firewalls
14-27
routers
14-23
switches
14-26
misconfigured access lists
C-26
no alerts
C-31, C-55
not seeing packets
C-33
NTP time source
4-45
NTP time synchronization
4-36, C-15
partitions
A-4
physical connectivity
C-30
preventive maintenance
C-2
reimaging
21-2
sensing process not running
C-28
setup command
3-1, 3-5, 3-9
time sources
4-36, C-15
troubleshooting software upgrades
C-52
upgrading
21-5
using NTP time source
4-43
server manifest described
A-28
service account
accessing
4-28, C-5
cautions
4-2, 4-28, C-5
creating
4-29, C-6
described
4-28, A-31, C-5
RADIUS authentication
4-29
TAC
A-31
troubleshooting
A-31
service anomaly-detection command
9-8
Service DNS engine
described
B-39
parameters (table)
B-39
Service engine
described
B-39
Layer 5 traffic
B-39
service event-action-rules command
8-8
Service FTP engine
described
B-40
parameters (table)
B-41
PASV port spoof
B-40
Service Generic engine
described
B-41
no custom signatures
B-41
parameters (table)
B-42
Service H225 engine
ASN.1PER validation
B-43
described
B-43
features
B-43
parameters (table)
B-44
TPKT validation
B-43
Service HTTP engine
described
7-50, B-45
parameters (table)
B-46
service HTTP engine
signature
7-51
Service IDENT engine
described
B-47
parameters (table)
B-48
Service MSRPC engine
DCS/RPC protocol
B-48
described
B-48
parameters (table)
B-49
Service MSSQL engine
described
B-50
MSSQL protocol
B-50
parameters (table)
B-51
Service NTP engine
described
B-51
parameters (table)
B-51
Service P2P engine described
B-52
service packs described
20-3
service role
described
1-4, 2-2, A-30
privileges
1-4
Service RPC engine
described
B-52
parameters (table)
B-52
RPC portmapper
B-52
service signature-definition command
7-2
Service SMB Advanced engine
described
B-54
parameters (table)
B-54
Service SNMP engine
described
B-56
parameters (table)
B-56
Service SSH engine
described
B-57
parameters (table)
B-57
Service TNS engine
described
B-58
parameters (table)
B-58
session command
ASA 5500-X IPS SSP
2-4, 3-14
ASA 5585-X IPS SSP
2-5, 3-15
sessioning in
ASA 5500-X IPS SSP
2-4, 3-14
ASA 5585-X IPS SSP
2-5, 3-15
setting
system clock
4-39, 17-27
setting up
notes and caveats
4-1
terminal servers
2-3, 21-16
setup
automatic
3-3
command
3-1, 3-5, 3-9
simplified mode
3-3
setup command
user roles
3-1, 3-2
shared secret
described
4-24, 4-25
RADIUS authentication
4-24, 4-25
show ad-knowledge-base diff command
9-44, 9-45
show ad-knowledge-base files command
9-40, 9-41
show clock command
4-37, 17-25
show configuration command
16-1
show context command
18-7, 19-8
show events command
8-39, 17-22, C-98, C-99
show health command
10-9, 17-19, C-74
show history command
17-47
showing user information
4-32
show inspection-load command
17-12
show interfaces command
5-46, C-94
show interfaces-history command
5-48, C-96
show inventory command
17-47
show lacp command
5-38
show module
18-3
show module 1 details command
19-13, C-57, C-67
show module command
18-3, 19-3
show os-identification command
8-32
show settings command
7-8, 16-3, 16-18, 17-9, 17-49, C-14
show statistics anomaly-detection command
9-47
show statistics command
14-34, 17-30, C-82, C-83
show statistics denied-attackers command
8-37, 17-27
show statistics virtual-sensor command
17-30, C-23, C-83
show tech-support command
17-42, C-75
show tls trusted-root-certificates command
4-57
show users command
4-32
show version command
7-8, 17-43, C-79
sig-fidelity-rating command
7-17, 7-19
signature definition lists
displaying
17-29
signature definition policies
copying
7-2
creating
7-2
deleting
7-2
editing
7-2
signature engines
AIC
7-22, B-11
Atomic
B-14
Atomic ARP
B-14
Atomic IP
B-25
Atomic IP Advanced
B-15
Atomic IPv6
B-28
described
B-1
Fixed
B-29
Flood
B-32
Flood Host
B-32
Flood Net
B-33
list
B-2
Master
B-4
Meta
7-53, B-33
Multi String
B-35
Normalizer
B-36
Regex
patterns
B-10
syntax
B-9
Service
B-39
Service DNS
B-39
Service FTP
B-40
Service Generic
B-41
Service H225
B-43
Service HTTP
7-50, B-45
Service IDENT
B-47
Service MSRPC
B-48
Service MSSQL
B-50
Service NTP
B-51
Service P2P
B-52
Service RPC
B-52
Service SMB Advanced
B-54
Service SNMP
B-56
Service SSH engine
B-57
Service TNS
B-58
State
B-59
String
7-47, B-61
Sweep
B-67
Sweep Other TCP
B-69
Traffic Anomaly
B-70
Traffic ICMP
B-72
Trojan
B-73
Signature Event Action Filter
described
8-3, A-26
parameters
8-3, A-26
Signature Event Action Handler described
8-4, A-26
Signature Event Action Override described
8-3, A-26
Signature Event Action Processor
Alarm Channel
8-3, A-26
components
8-3, A-26
described
8-3, A-23, A-26
signature fidelity rating
calculating risk rating
8-14
configuring
7-17, 7-19
described
8-14
signatures
custom
7-4
default
7-4
described
7-3
false positives
7-4
general parameters
7-11
rate limits
14-4
service HTTP
7-51
string TCP
7-48
string TCP XL
7-58, 7-62
subsignatures
7-4
TCP reset
C-49
threat profile tuned
7-8
tuned
7-4
signature threat profiles
platform support
7-4
signature update
files
20-4
IPS reloading messages
18-11, 19-12, C-67, C-73
signature variables
adding
7-10
deleting
7-10
described
7-9
editing
7-10
SNMP
configuring
agent parameters
15-3
traps
15-9
described
15-1
general parameters
15-2
Get
15-1
GetNext
15-1
notes and caveats
15-1
Set
15-1
supported MIBs
15-11, C-18
Trap
15-1
snmp-agent-port command
15-3
snmp-agent-protocol command
15-3
SNMP traps
described
15-2
SNMPv3
configuring
users
15-5
configuring users
15-4
software architecture
ARC (illustration)
A-13
IDAPI (illustration)
A-32
software downloads Cisco.com
20-1
software file names
recovery (illustration)
20-5
signature/virus updates (illustration)
20-4
system image (illustration)
20-5
software release examples
platform identifiers
20-6
platform-independent
20-5
software updates
supported FTP servers
21-3
supported HTTP/HTTPS servers
21-3
SPAN port issues
C-30
specifying
worm timeout
9-11, 9-38
SSH
adding hosts
4-48
described
4-47
security
4-47
ssh authorized-key command
4-49
ssh generate-key command
4-50
ssh host-key command
4-47
SSH known hosts list
adding hosts
4-47
SSH Server
private keys
A-21
public keys
A-21
SSH server host key
generating
4-51
SSHv1 fallback
disabling
4-13
enabling
4-13
sshv1-fallback
command
4-13
configuring
4-13
standards
CIDEE
A-34
IDCONF
A-33
IDIOM
A-32
SDEE
A-33
State engine
Cisco Login
B-59
described
B-59
LPR Format String
B-59
parameters (table)
B-60
SMTP
B-59
statistic display
17-30, C-83
status command
7-18
stopping
IP logging
12-6
stream-reassembly command
7-44
strict-tls-server-validation command
4-54
String engine described
7-47, B-61
String ICMP engine parameters (table)
B-62
String TCP engine
parameters
7-47
parameters (table)
B-62
signature (example)
7-48
String TCP XL signature
example
7-58, 7-62
String UDP engine parameters (table)
B-63
String XL engine
description
B-64
hardware support
6-12, B-3, B-64
parameters (table)
B-64
unsupported parameters
B-67
subinterface 0 described
5-27
subinterface-type command
5-22, 5-28
submode configuration
filtering output
16-18
searching output
16-18
submode settings display
17-49
subsignatures described
7-4
summarization
described
8-33
fire-all
8-34
fire-once
8-34
global-summarization
8-34
Meta engine
8-34
summary
8-34
summertime
configuring
non-recurring
4-41
recurring
4-39
summertime-option non-recurring command
4-41
summertime-option recurring command
4-39
supported
FTP servers
21-3
HTTP/HTTPS servers
21-3
IPS interfaces for CSA MC
11-4
supported sensors
signature threat profiles
7-4
Sweep engine
B-68
described
B-67
parameters (table)
B-68
Sweep Other TCP engine
described
B-69
parameters (table)
B-70
SwitchApp
described
A-29
switches
TCP reset interfaces
5-5
sw-module module 1 recover configure command
18-12
sw-module module slot_number password-reset command
17-5, 18-12, C-10
sw-module module slot_number reload command
18-12
sw-module module slot_number reset command
18-12
sw-module module slot_number shutdown command
18-12
syntax
case sensitivity
1-6
system architecture
directory structure
A-34
supported platforms
A-1
system clock
displaying
4-38, 17-26
setting
4-39, 17-27
system components IDAPI
A-32
System Configuration Dialog
described
3-3
example
3-4
system design (illustration)
A-2, A-3
system images
installing
ASA 5500-X IPS SSP
21-22
IPS 4345
21-17
IPS 4360
21-17
IPS 4510
21-20
IPS 4520
21-20
T
tab completion
using
1-5
TAC
PEP information
17-47
service account
4-28, A-31, C-5
show tech-support command
17-42, C-75
troubleshooting
A-31
target-value command
8-15
IPv4
8-15
IPv6
8-15
target value rating
calculating risk rating
8-14
described
8-14, 8-15
tasks
configuring the sensor
1-2
tcp command
9-13, 9-21, 9-29
TCPDUMP
copy packet-file command
13-6
expression syntax
13-2
ip logs
12-2
packet capture command
13-5
packet display command
13-2
TCP fragmentation described
B-37
TCP reset interfaces
conditions
5-5
described
5-4
list
5-5
promiscuous mode
5-4
switches
5-5
TCP resets
not occurring
C-49
TCP stream reassembly
described
7-37
parameters (table)
7-38, 7-43
signatures (table)
7-38, 7-43
tech support information display
17-42, C-76
Telnet
disabling
4-5
enabling
4-5
telnet-option
command
4-5
configuring
4-5
terminal
command
17-21
modifying length
17-22
terminal server setup
2-3, 21-16
terminating
CLI sessions
17-21
TFN2K
described
B-72
Trojans
B-73
TFTP servers
recommended
UNIX
21-15
Windows
21-15
RTT
21-15
threat-profile command
7-5
threat profiles
applying
7-6
displaying
7-6
removing
7-6
threat rating
described
8-15
risk rating
8-15
time
correction on the sensor
4-37, C-17
sensors
4-36, C-15
synchronizing IPS clocks
4-37, C-16
time sources
appliances
4-36, C-15
ASA 5500 AIP SSC-5
4-36
ASA 5500 AIP SSM
4-36
ASA 5500-X IPS SSP
4-36, C-15
ASA 5585-X IPS SSP
4-36, C-15
time zone settings
configuring
4-43
time-zone-settings command
4-43
TLS
handshaking
4-52
IDM
4-52
web server
4-52
TLS certificates
generating
4-58
tls generate-key command
4-58
tls trusted-host command
4-53, 4-55
TLS trusted root certificates
displaying
4-57
trace command
17-48
tracing IP packet route
17-48
Traffic Anomaly engine
described
B-70
protocols
B-70
signatures
B-70
traffic flow notifications
configuring
5-44
described
5-44
Traffic ICMP engine
DDoS
B-72
described
B-72
LOKI
B-72
parameters (table)
B-73
TFN2K
B-72
trap-community-name
15-8
trap-destinations command
15-8
trial license key
4-59
Tribe Flood Network. See TFN.
Tribe Flood Network 2000. See TFN2K.
Trojan engine
BO2K
B-73
described
B-73
TFN2K
B-73
Trojans
BO
B-73
BO2K
B-73
LOKI
B-72
TFN2K
B-73
troubleshooting
C-1
Analysis Engine busy
C-54
applying software updates
C-51
ARC
blocking not occurring for signature
C-41
device access issues
C-39
enabling SSH
C-41
inactive state
C-37
misconfigured master blocking sensor
C-42
verifying device interfaces
C-40
ASA 5500-X IPS SSP
commands
C-57
failover scenarios
18-20, C-64
ASA 5585-X IPS SSP
commands
19-13, C-67
failover scenarios
19-16, C-70
traffic flow stopped
19-16, C-72
automatic updates
C-51
cannot access sensor
C-24
cidDump
C-102
cidLog messages to syslog
C-48
communication
C-24
corrupted SensorApp configuration
C-34
debug logger zone names (table)
C-48
debug logging
C-44
disaster recovery
C-6
duplicate sensor IP addresses
C-27
enabling debug logging
C-44
external product interfaces
11-8, C-22
gathering information
C-73
global correlation
10-13, C-20
IDM
cannot access sensor
C-54
will not load
C-53
IME time synchronization
C-56
IPS clock time drift
4-37, C-16
manual block to bogus host
C-41
misconfigured access list
C-26
no alerts
C-31, C-55
NTP
C-49
password recovery
17-9, C-15
physical connectivity issues
C-30
preventive maintenance
C-2
RADIUS
attempt limit
C-20
reset not occurring for a signature
C-49
sensing process not running
C-28
sensor events
C-98
sensor loose connections
C-23
sensor not seeing packets
C-33
sensor software upgrade
C-52
service account
4-28, C-5
show events command
C-98
show interfaces command
C-94
show statistics command
C-82
show tech-support command
C-74, C-75, C-76
show version command
C-79
software upgrades
C-51
SPAN
port issue
C-30
verifying Analysis Engine is running
C-20
verifying ARC status
C-36
trusted hosts add
4-53, 4-55
tuned signatures described
7-4
U
udp command
9-15, 9-24, 9-32
unassigned VLAN groups described
5-27
unauthenticated NTP
4-2, 4-36, 4-45, C-15
uninstalling
license key
4-62
unlocking accounts
4-35
unlock user username command
4-35
updating the sensor immediately
21-11
upgrade command
21-4, 21-6
upgrade notes and caveats
upgrading IPS software
21-1
upgrading
application partition
21-14
recovery partition
21-7
sensors
21-5
upgrading IPS software
upgrade notes and caveats
21-1
URLs for Cisco Security Intelligence Operations
20-7
username command
4-18
user-profile command
14-20
user profiles
14-20
user roles
administrator
1-3
authentication
4-20
operator
1-3
service
1-3
viewer
1-3
users
adding
4-18, 4-19
removing
4-18, 4-19
using
debug logging
C-44
TCP reset interfaces
5-5
V
VACLs
described
14-3
Post-Block
14-26
Pre-Block
14-26
validation error messages described
D-6
variables command
7-10, 8-12
IPv4
8-12
IPv6
8-12
verifying
password recovery
17-9, C-14
sensor initialization
3-16
sensor setup
3-16
version display
17-43, C-80
viewer role privileges
1-4
viewing
IP log contents
12-5
license key status
4-59
threat profile tuned signatures
7-8
user information
4-32
virtualization
advantages
6-2, C-17
restrictions
6-3, C-17
supported sensors
6-3, C-18
traffic capture requirements
6-3, C-17
virtual-sensor name command
6-5, 18-4, 19-5
virtual sensors
adding
6-6, 6-9
adding (ASA 5500-X IPS SSP)
18-5
adding (ASA 5585-X IPS SSP)
19-5
ASA 5500-X IPS SSP
18-7
ASA 5585-X IPS SSP
19-8
assigning interfaces
6-5
assigning policies
6-5
creating
6-6, 6-9
creating (ASA 5500-X IPS SSP)
18-5
creating (ASA 5585-X IPS SSP)
19-5
default virtual sensor
6-2
described
6-2
displaying KB files
9-40
notes and caveats
6-1
options
6-5, 18-4, 19-5
VLAN groups
802.1q encapsulation
5-27
configuration restrictions
5-10
deploying
5-27
switches
5-27
VLAN groups mode
described
5-27
vulnerable OSes field described
B-6
W
watch list rating
calculating risk rating
8-14
described
8-14
web server
described
A-4, A-22
HTTP 1.0 and 1.1 support
A-22
HTTP protocol
4-15
port (default)
4-1, 4-15
private keys
A-21
public keys
A-21
SDEE support
A-22
TLS
4-52
web server settings
changing
4-16
configuring
4-15
Wireshark
copy packet-file command
13-6
ip logs
12-2
worms
Blaster
9-2
Code Red
9-2
histograms
9-37
Nimbda
9-2
protocols
9-3
Sasser
9-2
scanners
9-3
Slammer
9-2
SQL Slammer
9-2
worm-timeout command
9-10
worm timeout specify
9-11, 9-38
Z
zones
external
9-4
illegal
9-4
internal
9-4