IPS User Interface Reference
The following topics describe the pages available for configuring policies for IPS sensors (appliances, switch modules, and network modules) and IOS IPS devices (Cisco IOS routers with IPS-enabled images and Cisco Integrated Services Routers):
•Signature Policies
•Anomaly Detection Page
•Global Correlation Policies
•Event Action Policies
•Interfaces Page
•Platform Policies
•Virtual Sensors Page
•General Settings Page
•Interface Rules Page
Signature Policies
The pages that you access from the Signatures folder in Device View enable you to configure signatures and their settings.
These topics describe the main pages available from the Signatures folder:
•Signatures Page
•Settings Page
Signatures Page
Use the Signatures page to display the signature summary table, in which you can edit and delete IPS signatures. The primary function of this page is to tune the active signature set in a policy by enabling or disabling signatures. You can also use this page to unload signatures from the engine. In the signature summary table, you also can add a custom signature and access the Cisco NSDB.
Navigation Path
•(Device view) Select IPS > Signatures > Signatures from the Policy selector.
•(Policy view) Select Intrusion Prevention System > Signatures > Signatures from the Policy Type selector. Right-click Signatures to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•Edit Signature Dialog Box
•Row Shortcut Menu
•Actions Shortcut Menu
•Edit Actions Dialog Box
•Accessing the Cisco NSDB
Field Reference
Table M-1 Signature Summary Table
| Element | Description |
|---|---|
| ID | Signature ID. Identifies the unique numerical value assigned to this signature. This value lets the sensor identify a particular signature. Clicking the link in the ID column opens a browser window at the MySDN entry for that signature. This column is visible by default. |
| Sub | Subsignature ID. Identifies the unique numerical value assigned to this subsignature. A subsignature ID identifies a more granular version of a broad signature. This column is visible by default. |
| Name | Identifies the name assigned to the signature. This column is visible by default. |
| Action | Identifies the actions the sensor takes when this signature fires. Any changes made using Action affect all of the selected rows. This column is visible by default. |
| Severity | Identifies the severity level that the signature reports: High, Informational, Low, Medium. Any changes made using Severity affect all of the selected rows. This column is visible by default. |
| Fidelity | Identifies the weight associated with how well this signature might perform in the absence of specific knowledge of the target. Any changes made using Fidelity affect all of the selected rows. This column is visible by default. |
| Source | Displays the lowest policy in the inheritance hierarchy that overrides the settings for a signature. This column is visible by default. |
| Enabled | Identifies whether or not the signature is enabled in this policy. A signature must be enabled for the sensor to protect against the traffic specified by the signature. Possible values are: • true: the signature is enabled in this policy. • false: the signature is disabled in this policy. |
| Base Risk Rating | Displays the base risk rating value of each signature. |
| Retired | Identifies whether or not the signature is retired. A retired signature is removed from the signature engine. |
| Obsolete | Identifies whether or not the signature is obsolete. An obsolete signature is removed from the signature engine and cannot be re-activated. This column is visible by default and is read only. |
| Engine | Identifies the engine that parses and inspects the traffic specified by this signature. This column is visible by default. |
| View Update Level button | Opens the Update Level dialog box for the current device. |
| Export to File button | Exports the signature summary for the current device to a comma-separated values (CSV) file. You are prompted to select the folder on the Security Manager server and to specify a file name. |
| Add button | Opens the Add Custom Signature dialog box. |
| Edit button | Opens the Edit Signature dialog box. If more than one row is selected, the Edit option is disabled. |
| Delete button | Removes the selected signature(s) from the table. The Delete button is enabled only when every selected row is a custom signature. |
Edit Signature Dialog Box
Use the Edit Signature dialog box if you want the source of the signature settings to be anything other than the default policy. The default policy cannot be edited, so if you want to change the signature settings, you will have to override them in the local policy for the device. You can do this by selecting Local from the Source Policy dropdown list. After you change the source policy to Local, the controls are enabled.
Navigation Path
(Device view) Select IPS > Signatures > Signatures from the Policy selector. Click the Edit button to open the Edit Signature dialog box.
Related Topics
•Edit Actions Dialog Box
•Edit Signature Parameters Dialog Box
•Engine Options
Field Reference
Table M-2 Edit Signature Dialog Box
| Element | Description |
|---|---|
| Source Policy | Values are Default or Local. For a newly added device, the source of the signature settings is the Default policy. Because this policy cannot be edited, if you want to change the values of these settings you must override them in the local policy for the device; you do that by selecting Local. |
| Inheritance Mandatory | When selected, forces any policy that inherits from this policy to use the signature settings defined here. |
| Enabled check box | Specifies that the signature is enabled. |
| Severity | Identifies the severity level that the signature will report: High, Informational, Low, Medium. |
| Fidelity Rating | Identifies the weight associated with how well this signature might perform in the absence of specific knowledge of the target. |
| Actions | Identifies the actions the sensor will take when this signature fires. For a complete list of actions, see the Edit Actions Dialog Box. |
| Base Risk Rating | Sets the base risk rating value of the signature. The base risk rating is calculated by multiplying the fidelity rating by the severity factor and dividing the product by 100 (Fidelity Rating x Severity Factor / 100). Severity Factor has the following values: • 100 if the signature's severity level is High • 75 if the severity level is Medium • 50 if the severity level is Low • 25 if the severity level is Informational |
| Engine | Identifies the engine that parses and inspects the traffic specified by this signature. |
| Retired | Identifies whether or not the signature is retired. A retired signature is removed from the signature engine. You can activate a retired signature to place it back in the signature engine. This column is visible by default. Timesaver: Use the Retired column to unload disabled signatures from your IOS IPS device to achieve the most favorable memory consumption on that device. |
| Obsolete | Identifies whether or not the signature is obsolete. An obsolete signature is removed from the signature engine and cannot be re-activated. |
| Restore Defaults button | Reverts to the default values as defined by Cisco. |
| Edit Parameters button | Opens the Edit Signature Parameters dialog box. |
Row Shortcut Menu
In the Signature Summary table, you can access a shortcut menu that enables you to add and edit signatures. This shortcut menu is available for all columns except Actions, Severity, and Fidelity.
Navigation Path
•(Device view) Select IPS > Signatures > Signatures from the Policy selector. Right-click a cell in a column other than Actions, Severity, or Fidelity.
Related Topics
•Actions Shortcut Menu
•Edit Actions Dialog Box
•Accessing the Cisco NSDB
Field Reference
Table M-3 Row Shortcut Menu Options
| Element | Description |
|---|---|
| Add button | Opens the Add Custom Signature dialog box. |
| Edit button | Opens the Edit Signature dialog box. If more than one row is selected, the Edit option is disabled. |
| Delete button | Removes the selected signature(s) from the table. The Delete button is enabled only when every selected row is a custom signature. |
| Clone | Opens the Add Custom Signature dialog box with the properties of the selected signature shown. This enables you to create a custom signature with the settings of the selected signature. |
| Enable/Disable | Places the signature in the enabled or disabled state, respectively. Disabled signatures appear with crosshatching over them. |
| Show Events | Enables navigation to MARS to view the real-time or historical events detected by the selected signature. |
Add Custom Signature Dialog Box
Use the Add Custom Signature dialog box to create a custom signature. In the Add Custom Signature dialog box, you enter a name and then select an existing engine from a dropdown list. The signature ID and subsignature ID will be assigned by Security Manager. After you finish selecting the remaining parameters, the new signature is added to the Signatures page in the appropriate numerical location, and it is selected.
Navigation Path
(Device view) Select IPS > Signatures > Signatures from the Policy selector. Click the Add button to open the Add Custom Signature dialog box.
Related Topics
•Edit Signature Parameters Dialog Box
•Engine Options
Field Reference
Table M-4 Add Custom Signatures Dialog Box
| Element | Description |
|---|---|
| Name | Name of the signature. |
| Engine | Specifies the engine to use for this signature. See Engine Options. |
| Actions | Identifies the actions the sensor will take when this signature fires. For a complete list of actions, see the Edit Actions Dialog Box. |
| Enabled check box | Specifies that the signature is enabled. |
| Severity | Identifies the severity level that the signature will report: High, Informational, Low, Medium. |
| Fidelity Rating | Identifies the weight associated with how well this signature might perform in the absence of specific knowledge of the target. |
| Risk Rating | Sets the base risk rating value of the signature. The base risk rating is calculated by multiplying the fidelity rating by the severity factor and dividing the product by 100 (Fidelity Rating x Severity Factor / 100). Severity Factor has the following values: • 100 if the signature's severity level is High • 75 if the severity level is Medium • 50 if the severity level is Low • 25 if the severity level is Informational |
| Edit Parameters button | Opens the Edit Signature Parameters dialog box. See Edit Signature Parameters Dialog Box. |
Update Level Dialog Box
Displays the delta between the update packages applied in Security Manager and those deployed on the IPS device.
Differences between the applied and deployed levels can occur when:
•the device is updated outside of Security Manager
•an update is applied to the policy in Security Manager but not yet published to the device
•initial Security Manager deployment takes place before the devices are under Security Manager control
Navigation Path
(Device view) Select IPS > Signatures > Signatures from the Policy selector. Click the View Update Level button to open the Update Level for... dialog box.
Field Reference
Table M-5 Update Level for Dialog Box
| Element | Description |
|---|---|
| Applied Level | This column displays the patch level that is applied to this device in Security Manager. |
| Deployed Level | This column displays the patch level that is currently running on the selected device. |
| Major Update | Identifies the major update level. |
| Minor Update | Identifies the minor update level. |
| Service Pack | Identifies the service pack level. |
| Patch | Identifies the patch level. |
| Engine | Identifies the engine level. |
| Signature Update | Identifies the signature update level. Note: This field is the only field on this page that applies to IOS IPS devices; all of the other fields are exclusive to IPS devices. |
| Revert button | If you mistakenly modify the Applied Level, lets you discard that new Applied Level; clicking Revert syncs the Applied Level to the Deployed Level. Tip: A warning dialog appears before Revert is performed. Also, a warning dialog appears asking you to submit the activity. |
Actions Shortcut Menu
In the Signature Summary table, you can access a shortcut menu that enables you to add and remove actions. This shortcut menu is available only for the Actions column.
Navigation Path
•(Device view) Select IPS > Signatures > Signatures from the Policy selector. Right-click a cell in the Actions column.
Related Topics
•Row Shortcut Menu
•Edit Actions Dialog Box
•Accessing the Cisco NSDB
Field Reference
Table M-6 Actions Shortcut Menu Options
| Element | Description |
|---|---|
| Add to Actions | Adds an action to the current list of actions for the selected signature. |
| Delete from Actions | Deletes an action from the current list of actions for the selected signature. |
| Replace Actions With | Replaces the current set of actions for the selected signature with the single action selected. |
| Edit Actions | Opens the Edit Actions dialog box. |
Edit Actions Dialog Box
Use the Edit Actions dialog box to select an action that is not on the Add to Actions or Replace Actions With menus, or when you want to select more than one action.
Note When you open the Edit Actions dialog box, the list of actions that you see varies. The list of actions depends upon whether you (1) right-click in only one signature row in the Actions column or (2) select more than one signature row before right-clicking in the Actions column. If you right-click in only one signature row in the Actions column, the list of actions is that of the engine for that signature. If you select more than one signature row before right-clicking in the Actions column, the list of actions is that which is available for each affected engine. (It is the list of common actions, not the union of actions.)
Navigation Path
•(Device view) Select IPS > Signatures > Signatures from the Policy selector. Right-click a cell in the Actions column. Select Edit Actions from the shortcut menu.
Related Topics
•Row Shortcut Menu
•Actions Shortcut Menu
•Accessing the Cisco NSDB
Field Reference
Table M-7 Edit Actions Dialog Box
| Action | Description |
|---|---|
| Deny Attacker Inline | Terminates the current packet and future packets from this attacker address for a specified period of time. |
| Deny Attacker/Service Pair Inline | Does not transmit this packet and future packets on the attacker address and victim port pair for a specified period of time. |
| Deny Attacker/Victim Pair Inline | Does not transmit this packet and future packets on the attacker/victim address pair for a specified period of time. |
| Deny Connection Inline | Terminates the current packet and future packets on this TCP flow. |
| Deny Packet Inline | Terminates the packet. |
| Log Attacker Packets | Starts IP logging on packets that contain the attacker address and sends an alert. This action causes an alert to be written to the Event Store, even if Produce Alert is not selected. |
| Log Pair Packets | Starts IP logging on packets that contain the attacker/victim address pair. This action causes an alert to be written to the Event Store, even if Produce Alert is not selected. |
| Log Victim Packets | Starts IP logging on packets that contain the victim address and sends an alert. This action causes an alert to be written to the Event Store, even if Produce Alert is not selected. |
| Modify Packet Inline | Modifies packet data to remove ambiguity about what the endpoint might do with the packet. |
| Produce Alert | Writes the event to the Event Store as an alert. |
| Produce Verbose Alert | Includes an encoded dump of the offending packet in the alert. This action causes an alert to be written to the Event Store, even if Produce Alert is not selected. |
| Request Block Connection | Sends a request to block this connection. You must have blocking devices configured to implement this action. |
| Request Block Host | Sends a request to block this attacker host. You must have blocking devices configured to implement this action. |
| Request Rate Limit | Sends a rate limit request to perform rate limiting. You must have rate limiting devices configured to implement this action. |
| Request SNMP Trap | Sends a request to the sensor to perform SNMP notification. This action causes an alert to be written even if Produce Alert is not selected. You must have SNMP configured on the sensor to implement this action. |
| Reset TCP Connection | Sends TCP resets to hijack and terminate the TCP flow. Reset TCP Connection only works on TCP signatures that analyze a single connection. It does not work for sweeps or floods. |
Edit Fidelity Dialog Box
Use the Edit Fidelity dialog box to make changes to the Fidelity Rating for a particular signature. The Fidelity Rating, or Signature Fidelity Rating (SFR), identifies the weight associated with how well this signature might perform in the absence of specific knowledge of the target. This rating can be any number from 0 to 100, with 100 indicating the most confidence in the signature.
Accessing the Cisco NSDB
The Cisco Network Security Database (NSDB) can be accessed, or invoked, through the user interface of Security Manager.
The NSDB is a database of security information that explains the signatures the IPS uses along with the vulnerabilities on which these signatures are based. The NSDB contains a description for each attack signature that the sensor can detect.
Some signatures in IPS 5.x and later and IOS IPS have special characteristics: Built-in signatures cannot be added, deleted, or renamed, because they are provided with IPS itself. ("Built-in" means all signatures other than those that you create.) The information for built-in signatures, such as their names and IDs, appears as it does in the NSDB.
Tip For a particular signature in the NSDB, the "Release Version" refers to the version of IPS that the signature first appeared in, or was last modified in. The "Release Version" appears in the bottom left-hand corner of the header information when you are looking at a particular signature.
Edit Signature Parameters Dialog Box
Use the Edit Signature Parameters dialog box to edit (also called tune) the built-in micro-engine parameters for a particular signature. Different engines have different parameters, so the appearance of the Edit Signature Parameters dialog box will vary.
Navigation Path
•(Device view) Select IPS > Signatures > Signatures from the Policy selector. Right-click the row containing the signature that you want to edit, and then click Edit Row in the shortcut menu that appears. Finally, click Edit Parameters.
Related Topics
•Add Custom Signature Dialog Box
•Edit Signature Dialog Box
•Engine Options
Field Reference
Table M-8 Edit Signature Parameters Dialog Box
| Primary Element | Secondary Element | Description |
|---|---|---|
| Signature Definition | | — |
| | Signature ID | Identifies the unique numerical value assigned to this signature. This value lets the sensor identify a particular signature. The value is 1000 to 65000. |
| | SubSignature ID | Identifies the unique numerical value assigned to this subsignature. The subsignature ID identifies a more granular version of a broad signature. The value is 0 to 255. |
| | Promiscuous Delta check box | Lets you determine the seriousness of the alert. |
| Sig Description | | Lets you specify the following attributes that help you distinguish this signature from other signatures: • Alert Notes • User Comments • Alarm Traits • Release |
| | Alert Notes | Add alert notes in this field. |
| | User Comments | Add your comments about this signature in this field. |
| | Alert Traits | Add the alarm trait in this field. The value is 0 to 65535. The default is 0. |
| | Release | The release in which the signature was most recently updated. |
| Engine | | Lets you choose the engine that parses and inspects the traffic specified by this signature. For the list of possible values, see Engine Options. |
| | Fragment Status | Specifies whether fragments are wanted or not: • Any fragment status • Do not inspect fragments • Inspect fragments |
| Regex String | | — |
| | Service Ports | A comma-separated list of ports or port ranges where the target service resides. |
| | Direction | Direction of traffic: • Traffic from service port destined to client port • Traffic from client port destined to service port |
| | Specify Exact Match Offset | (Optional) Enables exact match offset: • Specify Max Match Offset/Specify Min Match Offset—The exact stream offset the regular expression string must report for a match to be valid. |
| | Swap Attacker Victim | Yes if the source and destination addresses (and ports) are swapped in the alert message. No for no swap (default). |
| Event Counter | | Lets you configure how the sensor counts events. For example, you can specify that you want the sensor to send an alert only if the same signature fires 5 times for the same address set: • Event Count • Event Count Key • Specify Alert Interval |
| | Event Count | The number of times an event must occur before an alert is generated. The value is 1 to 65535. The default is 1. |
| | Event Count Key | The storage type used to count events for this signature. Choose attacker address, attacker address and victim port, attacker and victim addresses, attacker and victim addresses and ports, or victim address. The default is attacker address. |
| | Specify Alert Interval | Specifies the time in seconds before the event count is reset. Choose Yes or No from the drop-down list and then specify the amount of time. |
| Alert Frequency | | Lets you configure how often the sensor alerts you when this signature is firing. Specify the following parameters for this signature: • Summary Mode • Summary Interval • Summary Key • Specify Global Summary Threshold |
| | Summary Mode | The mode of alert summarization. Choose Fire All, Fire Once, Global Summarize, or Summarize. Note: When multiple contexts from the adaptive security appliance are contained in one virtual sensor, the summary alerts contain the context name of the last context that was summarized. Thus, the summary is the result of all alerts of this type from all contexts that are being summarized. |
| | Summary Mode Interval | The time in seconds used in each summary alert. The value is 1 to 65535. The default is 15. |
| | Summary Key | The storage type used to summarize alerts. Choose Attacker address, Attacker address and victim port, Attacker and victim addresses, Attacker and victim addresses and ports, or Victim address. The default is Attacker address. |
| | Specify Global Summary Threshold | Lets you specify the threshold number of events needed to take the alert into global summary. Choose Yes or No and then specify the threshold number of events. |
| Status | | Lets you enable or disable a signature, or retire or unretire a signature: • Enabled—Lets you choose whether the signature is enabled or disabled. The default is yes (enabled). • Retired—Lets you choose whether the signature is retired or not. The default is no (not retired). |
| | Obsoletes | Lists the signatures that are obsoleted by this signature. |
| Vulnerable OS List | | Identifies the list of operating systems that this attack targets. |
| MARS Category | | Identifies the category in Cisco Security MARS to which this signature belongs. This metadata is used to color the generated events so that MARS has the data it needs to process this signature relative to the event categories that it studies. |
| Expand All | | Expands all categories and subcategories. |
| Collapse All | | Collapses all fields to the category level. |
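The Event Counter behaviour described above (Event Count, Event Count Key and the optional alert interval), as an added Python model written for this reference rather than Security Manager's or the sensor's own code. It assumes the alert interval is measured from the first firing counted for a key, that the count starts over after an alert, and that without an interval the count never resets; the sample firings are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The five Event Count Key storage types from Table M-8, mapped to the
# firing fields that make up the key.
COUNT_KEYS = {
    "attacker address": ("src",),
    "attacker address and victim port": ("src", "dport"),
    "attacker and victim addresses": ("src", "dst"),
    "attacker and victim addresses and ports": ("src", "sport", "dst", "dport"),
    "victim address": ("dst",),
}


@dataclass
class Firing:
    """One firing of a single signature (constructed input for the model)."""
    t: float      # seconds since some epoch
    src: str      # attacker address
    sport: int    # attacker port
    dst: str      # victim address
    dport: int    # victim port


class EventCounter:
    """Counts firings per Event Count Key and reports when an alert is due."""

    def __init__(self, event_count: int, event_count_key: str,
                 alert_interval: Optional[int] = None):
        if not 1 <= event_count <= 65535:            # range given in Table M-8
            raise ValueError("Event Count must be 1 to 65535")
        self.event_count = event_count
        self.fields = COUNT_KEYS[event_count_key]    # KeyError on an unknown key type
        self.alert_interval = alert_interval         # None = Specify Alert Interval: No
        # key -> (time of first counted firing, firings counted so far)
        self._state: Dict[tuple, Tuple[float, int]] = {}

    def _key(self, f: Firing) -> tuple:
        return tuple(getattr(f, name) for name in self.fields)

    def observe(self, f: Firing) -> bool:
        """Return True when this firing brings its key up to Event Count,
        i.e. the sensor would generate an alert; the key's count then restarts."""
        key = self._key(f)
        start, count = self._state.get(key, (f.t, 0))
        if self.alert_interval is not None and f.t - start >= self.alert_interval:
            start, count = f.t, 0                    # interval elapsed: count is reset
        count += 1
        if count >= self.event_count:
            self._state.pop(key, None)               # alert produced, start afresh
            return True
        self._state[key] = (start, count)
        return False


def run_counter(counter: EventCounter, firings: List[Firing]) -> List[int]:
    """Feed firings in order; return the indexes of those that produce an alert."""
    return [i for i, f in enumerate(firings) if counter.observe(f)]


# Constructed sample: two attacker hosts hitting two victims on port 445.
SAMPLE_FIRINGS = [
    Firing(0.0, "10.0.0.5", 40001, "192.0.2.10", 445),
    Firing(2.0, "10.0.0.9", 40002, "192.0.2.10", 445),
    Firing(3.0, "10.0.0.5", 40003, "192.0.2.11", 445),
    Firing(5.0, "10.0.0.5", 40004, "192.0.2.10", 445),
    Firing(20.0, "10.0.0.9", 40005, "192.0.2.10", 445),
    Firing(22.0, "10.0.0.9", 40006, "192.0.2.10", 445),
    Firing(25.0, "10.0.0.9", 40007, "192.0.2.10", 445),
]

if __name__ == "__main__":
    # Alert on the third firing from the same attacker within 10 seconds.
    print(run_counter(EventCounter(3, "attacker address", 10), SAMPLE_FIRINGS))
    # Same count, no interval: 10.0.0.9's firings accumulate across the 18 s gap.
    print(run_counter(EventCounter(3, "attacker address", None), SAMPLE_FIRINGS))
```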
Engine Options
The following list identifies the IOS IPS and IPS engine options you can specify in the Engine field of the Edit Signature Parameters dialog box:
•AIC FTP—Inspects FTP traffic and lets you control the commands being issued.
•AIC HTTP—Provides granular control over HTTP sessions to prevent abuse of the HTTP protocol.
•Atomic ARP—Inspects Layer-2 ARP protocol. The Atomic ARP engine is different because most engines are based on Layer-3-IP.
•atomic-ip—Inspects IP protocol packets and associated Layer-4 transport protocols. For option detail, see Atomic IP Engine Options.
•Atomic IPv6—Detects IOS vulnerabilities that are stimulated by malformed IPv6 traffic.
•Flood Host—Detects ICMP and UDP floods directed at hosts.
•Flood Net—Detects ICMP and UDP floods directed at networks.
•Meta—Defines events that occur in a related manner within a sliding time interval. This engine processes events rather than packets.
•multi-string—Defines signatures that inspect Layer 4 transport protocol (ICMP, TCP, and UDP) payloads using multiple string matches for one signature. You can specify a series of regular expression patterns that must be matched to fire the signature. For option detail, see Multi-String Engine Options.
•normalizer—Configures how the IP and TCP normalizer functions and provides configuration for signature events related to the IP and TCP normalizer. Allows you to enforce RFC compliance. For option detail, see Normalizer Engine Options.
•service-dns—Inspects DNS (TCP and UDP) traffic. For option detail, see Service DNS Engine Options.
•service-ftp—Inspects FTP traffic. For option detail, see Service FTP Engine Options.
•Service Generic—Decodes custom service and payload.
•Service Generic Advanced—Generically analyzes network protocols.
•Service H225—Inspects VoIP traffic.
•service-http—Inspects HTTP traffic. The WEBPORTS variable defines the inspection ports for HTTP traffic. For option detail, see HTTP Service Engine Options.
•Service IDENT—Inspects IDENT (client and server) traffic.
•Service MSRPC—Inspects MSRPC traffic.
•Service MSSQL—Inspects Microsoft SQL traffic.
•Service NTP—Inspects NTP traffic.
•service-rpc—Inspects RPC traffic. For option detail, see RPC Service Engine Options.
•Service SMB—Inspects SMB traffic.
•Service SMB Advanced—Processes Microsoft SMB and Microsoft RPC over SMB packets.
•Service SNMP—Inspects SNMP traffic.
•Service SSH—Inspects SSH traffic.
•Service TNS—Inspects TNS traffic.
•state—Stateful searches of strings in protocols such as SMTP. For option detail, see STATE Engine Options.
•string-icmp—Searches on Regex strings based on the ICMP protocol. For option detail, see String ICMP Engine Options.
•string-tcp—Searches on Regex strings based on the TCP protocol. For option detail, see String TCP Engine Options.
•string-udp—Searches on Regex strings based on the UDP protocol. For option detail, see String UDP Engine Options.
•Sweep—Analyzes sweeps of ports, hosts, and services, from a single host (ICMP and TCP), from destination ports (TCP and UDP), and multiple ports with RPC requests between two nodes.
•Sweep Other TCP—Analyzes TCP flag combinations from reconnaissance scans that are trying to get information about a single host. The signatures look for flags A, B, and C. When all three are seen, an alert is fired.
•Traffic ICMP—Analyzes nonstandard protocols, such as TFN2K, LOKI, and DDOS. There are only two signatures with configurable parameters.
•Traffic Anomaly—Analyzes TCP, UDP, and other traffic for worm-infested hosts.
•Trojan Bo2k—Analyzes traffic from the nonstandard protocol BO2K. There are no user-configurable parameters in this engine.
•Trojan Tfn2k—Analyzes traffic from the nonstandard protocol TFN2K. There are no user-configurable parameters in this engine.
•Trojan UDP—Analyzes traffic from the UDP protocol. There are no user-configurable parameters in this engine.
Atomic IP Engine Options
Table M-9 lists the parameters that are specific to the Atomic IP engine.
Table M-9 Atomic IP Engine Parameters
| Parameter | Description |
|---|---|
| Fragment Status | Specifies whether or not fragments are wanted. |
| Specify Layer 4 Protocol | Specifies the Layer 4 protocol. |
| Specify IP Payload Length | Specifies the IP datagram payload length. |
| Specify IP Header Length | Specifies the IP datagram header length. |
| Specify IP Type of Service | Specifies the IP type of service. |
| Specify IP Time-to-Live | Specifies the time to live. |
| Specify IP Version | Specifies the IP protocol version. |
| Specify IP Identifier | Specifies the IP identifier. |
| Specify IP Total Length | Specifies the IP datagram total length. |
| Specify IP Option Inspection | Specifies IP options inspection. |
| Specify IP Addr Options | Specifies IP addresses. |
Meta Engine Options
Table M-10 lists the parameters specific to the Meta engine.
Table M-10 Meta Engine Parameters
| Parameter | Description | Value |
|---|---|---|
| meta-reset-interval | Time in seconds to reset the META signature. | 0 to 3600 |
| component-list | List of Meta components: • edit—Edits an existing entry • insert—Inserts a new entry into the list: – begin—Places the entry at the beginning of the active list – end—Places the entry at the end of the active list – inactive—Places the entry into the inactive list – before—Places the entry before the specified entry – after—Places the entry after the specified entry • move—Moves an entry in the list | name1 |
| meta-key | Storage type for the Meta signature: • Attacker address • Attacker and victim addresses • Attacker and victim addresses and ports • Victim address | AaBb, AxBx, Axxx, xxBx |
| unique-victim-ports | Number of unique victim ports required per Meta signature. | 1 to 256 |
| component-list-in-order | Whether to fire the component list in order. | true, false |
MSRPC Service Engine Options
Table M-11 lists the parameters specific to the Service MSRPC engine.
Table M-11 Service MSRPC Engine Parameters
| Parameter | Description | Value |
|---|---|---|
| protocol | Protocol of interest for this inspector. | tcp, udp |
| specify-operation | (Optional) Enables using an MSRPC operation: • operation—MSRPC operation requested. Required for SMB_COM_TRANSACTION commands. Exact match. | 0 to 65535 |
| specify-regex-string | (Optional) Enables using a regular expression string: • specify-exact-match-offset—Enables the exact match offset: – exact-match-offset—The exact stream offset the regular expression string must report for a match to be valid. • specify-min-match-length—Enables the minimum match length: – min-match-length—Minimum number of bytes the regular expression string must match. | 0 to 65535 |
| specify-uuid | (Optional) Enables UUID: • uuid—MSRPC UUID field. | 000001a000000000c000000000000046 |
MSSQL Service Engine Options
The Service MSSQL engine inspects the protocol used by the Microsoft SQL server.
There is one MSSQL signature. It fires an alert when it detects an attempt to log in to an MSSQL server with the default sa account.
You can add custom signatures based on MSSQL protocol values, such as login username and whether a password was used.
Table M-12 lists the parameters specific to the Service MSSQL engine.
Table M-12 Service MSSQL Engine Parameters
| Parameter | Description | Value |
|---|---|---|
| password-present | Whether or not a password was used in an MS SQL login. | true, false |
| specify-sql-username | (Optional) Enables using an SQL username: • sql-username—Username (exact match) of the user logging in to the MS SQL service. | sa |
Multi-String Engine Options
The Multi String engine lets you define signatures that inspect Layer 4 transport protocol (ICMP, TCP, and UDP) payloads using multiple string matches for one signature. You can specify a series of regular expression patterns that must be matched to fire the signature. For example, you can define a signature that looks for regex 1 followed by regex 2 on a UDP service. For UDP and TCP you can specify port numbers and direction. You can specify a single source port, a single destination port, or both ports. The string matching takes place in both directions.
Use the Multi String engine when you need to specify more than one regex pattern. Otherwise, you can use the String ICMP, String TCP, or String UDP engine to specify a single Regex pattern for one of those protocols.
Table M-13 lists the parameters specific to the Multi String Engine.
Table M-13 Multi String Engine Parameters
| Parameter | Description | Value |
|---|---|---|
| Inspect Length | Length of stream or packet that must contain all offending strings for the signature to fire. | 0 to 4294967295 |
| Protocol | Layer 4 protocol selection. | Icmp, Tcp, Udp |
| Regex Component | List of regex components: • Regex String—The string to search for. • Spacing Type—Type of spacing required from the previous match, or from the beginning of the stream/packet if it is the first entry in the list. | list (1 to 16 items); exact, minimum |
| Port Selection | Type of TCP or UDP port to inspect. Only displayed if TCP or UDP is selected in the Protocol field. | Both Ports, Destination, Source |
| Source Ports | Specifies a range of source ports. Note: Port matching is performed bidirectionally for both the client-to-server and server-to-client traffic flow directions. For example, if the source-ports value is 80, in a client-to-server traffic flow direction inspection occurs if the client port is 80; in a server-to-client traffic flow direction inspection occurs if the server port is 80. | 0 to 65535. Note: The second number in the range must be greater than or equal to the first number. |
| Dest Ports | Specifies a range of destination ports. | 0 to 65535 |
| Exact Spacing | Exact number of bytes that must be between this regex string and the one before, or from the beginning of the stream/packet if it is the first entry in the list. | 0 to 4294967296 |
| Minimum Spacing | Minimum number of bytes that must be between this regex string and the one before, or from the beginning of the stream/packet if it is the first entry in the list. | 0 to 4294967296 |
| Swap Attacker Victim | Yes if the source and destination addresses (and ports) are swapped in the alert message. No for no swap (default). | Yes, No |
Caution
The Multi String engine can have a significant impact on memory usage.
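The following is an added example, not code from the original page or from the sensor: a small matcher that implements the ordered multi-regex semantics described above (Exact Spacing, Minimum Spacing, Inspect Length) together with the bidirectional port selection rule from the Source Ports note. The sample payload and the signature components are constructed for the example.

```python
import re

# Added example (not the sensor's code): ordered multi-regex matching with the
# Multi String engine's Exact/Minimum Spacing and Inspect Length semantics,
# plus the bidirectional port check described for Source Ports.


def multi_string_match(payload: bytes, components, inspect_length=None) -> bool:
    """components is a list of (regex_bytes, spacing_type, spacing).

    Each component must match after the previous one. 'exact' spacing means
    exactly `spacing` bytes separate the end of the previous match (or the
    start of the payload for the first entry) from this match; 'minimum' means
    at least that many. With inspect_length set, every match must fall inside
    the first inspect_length bytes."""
    if inspect_length is not None:
        payload = payload[:inspect_length]
    pos = 0
    for pattern, spacing_type, spacing in components:
        regex = re.compile(pattern, re.DOTALL)
        if spacing_type == "exact":
            m = regex.match(payload, pos + spacing)   # anchored at one offset
        elif spacing_type == "minimum":
            m = regex.search(payload, pos + spacing)  # anywhere at or after it
        else:
            raise ValueError("spacing type must be 'exact' or 'minimum'")
        if m is None:
            return False
        pos = m.end()
    return True


def port_selected(sport: int, dport: int, selection: str,
                  src_ports=(), dst_ports=()) -> bool:
    """Bidirectional port selection: a configured source port is the client
    port in client-to-server traffic and the server port in server-to-client
    traffic, so it is tested against both ends of the packet; the same
    applies to destination ports."""
    if selection == "Source":
        return sport in src_ports or dport in src_ports
    if selection == "Destination":
        return dport in dst_ports or sport in dst_ports
    if selection == "Both Ports":
        return ((sport in src_ports and dport in dst_ports)
                or (dport in src_ports and sport in dst_ports))
    raise ValueError("selection must be Source, Destination or Both Ports")


# Constructed sample: a cleartext login exchange carried in one UDP payload.
SAMPLE = b"USER anonymous\r\nPASS secret\r\n"
SIGNATURE = [(rb"USER ", "exact", 0),        # must start the payload
             (rb"\r\nPASS ", "minimum", 1)]  # at least one byte after the username

if __name__ == "__main__":
    print(multi_string_match(SAMPLE, SIGNATURE))                      # True
    print(multi_string_match(SAMPLE, SIGNATURE, inspect_length=10))   # False
    print(port_selected(80, 51000, "Source", src_ports={80}))         # True
```

Note how Inspect Length is a hard window: once the payload is truncated to the first 10 bytes the second component can never match, which is why a too-small value silently turns a signature off rather than raising an error.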
Normalizer Engine Options
Table M-14 lists the parameters that are specific to the Normalizer engine.
Table M-14 Normalizer Engine Parameters
| Parameter | Description |
|---|---|
| Edit defaults | — |
| Specify Service Ports | (Optional) Enables service ports. |
| Specify TCP Max MSS | (Optional) Enables TCP maximum MSS. |
| Specify TCP Min MSS | (Optional) Enables TCP minimum MSS. |
| Specify TCP Option Number | (Optional) Enables TCP option number. |
| Specify TCP Max Queue | (Optional) Enables TCP maximum queue. |
| Specify TCP Closed Timeout | (Optional) Enables TCP closed timeout. |
| Specify TCP Embryonic Timeout | (Optional) Enables TCP embryonic timeout. |
| Specify TCP Idle Timeout | (Optional) Enables TCP idle timeout. |
| Specify Fragment Reassembly Timeout | (Optional) Enables fragment reassembly timeout. |
| Specify Max Fragments per Datagram | (Optional) Enables maximum fragments per datagram. |
| Specify Max Small Frags | (Optional) Enables maximum small fragments. |
| Specify Min Fragment Size | (Optional) Enables minimum fragment size. |
| Specify Max Partial Datagrams | (Optional) Enables maximum partial datagrams. |
| Specify Max Datagram Size | (Optional) Enables maximum datagram size. |
| Specify Max Fragments | (Optional) Enables maximum fragments. |
| Specify Max Last Fragments | (Optional) Enables maximum last fragments. |
| Specify Hijack Max Old Ack | (Optional) Enables hijack-max-old-ack. |
| Specify SYN Flood Max Embryonic | (Optional) Enables SYN flood maximum embryonic. |
Atomic ARP Engine Options
The Atomic ARP engine defines basic Layer 2 ARP signatures and provides more advanced detection of the ARP spoof tools dsniff and ettercap.
Table M-15 lists the parameters that are specific to the Atomic ARP engine.
Table M-15 Atomic ARP Engine Parameters
| Parameter | Description |
|---|---|
| specify-mac-flip | Fires an alert when the MAC address changes more than this many times for this IP address. |
| specify-type-of-arp-sig | Specifies the type of ARP signatures you want to fire on: •Source Broadcast (default)—Fires an alarm for this signature when it sees an ARP source address of 255.255.255.255. •Destination Broadcast—Fires an alarm for this signature when it sees an ARP destination address of 255.255.255.255. •Same Source and Destination—Fires an alarm for this signature when it sees an ARP packet with the same source and destination MAC address. •Source Multicast—Fires an alarm for this signature when it sees an ARP source MAC address of 01:00:5e:(00-7f). |
| specify-request-inbalance | Fires an alert when there are this many more requests than replies for the IP address. |
| specify-arp-operation | The ARP operation code for this signature. |
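As an added example (not the sensor's code, and not taken from the page), the three Atomic ARP checks above expressed over a constructed trace of ARP packets. The page states the broadcast addresses in dotted form; this model compares hardware addresses and assumes the all-ones MAC ff:ff:ff:ff:ff:ff is the broadcast value. The alert names and the `ArpTracker` class are the example's own.

```python
from collections import defaultdict

# Added example (not the sensor's code): the Atomic ARP checks as functions
# over constructed ARP records. Broadcast is taken to be ff:ff:ff:ff:ff:ff
# (assumption; the page writes it in dotted form).


def _octets(mac: str):
    return [int(x, 16) for x in mac.lower().split(":")]


def arp_sig_types(src_mac: str, dst_mac: str) -> set:
    """Which type-of-arp-sig checks a single ARP frame triggers."""
    s, d = _octets(src_mac), _octets(dst_mac)
    hits = set()
    if s == [0xFF] * 6:
        hits.add("source-broadcast")
    if d == [0xFF] * 6:
        hits.add("destination-broadcast")
    if s == d:
        hits.add("same-source-and-destination")
    if s[:3] == [0x01, 0x00, 0x5E] and s[3] <= 0x7F:   # 01:00:5e:00-7f:xx:xx
        hits.add("source-multicast")
    return hits


class ArpTracker:
    """Per-IP state for specify-mac-flip and specify-request-inbalance."""

    def __init__(self, mac_flip: int, request_imbalance: int):
        self.mac_flip = mac_flip
        self.request_imbalance = request_imbalance
        self.last_mac = {}                  # ip -> last MAC seen claiming it
        self.flips = defaultdict(int)       # ip -> number of MAC changes
        self.requests = defaultdict(int)    # ip -> requests asking for it
        self.replies = defaultdict(int)     # ip -> replies asserting it

    def observe(self, operation: str, ip: str, mac: str) -> set:
        """Feed one ARP packet ('request' asks who has ip; 'reply' asserts ip
        is at mac). Returns the alert names that fire on this packet."""
        alerts = set()
        if operation == "request":
            self.requests[ip] += 1
        elif operation == "reply":
            self.replies[ip] += 1
            prev = self.last_mac.get(ip)
            if prev is not None and prev != mac:
                self.flips[ip] += 1          # a poisoning tool re-binding the IP
            self.last_mac[ip] = mac
        else:
            raise ValueError("operation must be 'request' or 'reply'")
        if self.flips[ip] > self.mac_flip:
            alerts.add("mac-flip")
        if self.requests[ip] - self.replies[ip] > self.request_imbalance:
            alerts.add("request-imbalance")
        return alerts


# Constructed trace: a gateway IP is claimed by two MACs in alternation,
# the pattern dsniff/ettercap-style poisoning produces on the wire.
TRACE = [("reply", "10.0.0.1", "00:11:22:33:44:55"),
         ("reply", "10.0.0.1", "de:ad:be:ef:00:01"),
         ("reply", "10.0.0.1", "00:11:22:33:44:55"),
         ("reply", "10.0.0.1", "de:ad:be:ef:00:01")]


def run_trace(trace, mac_flip=2, request_imbalance=10):
    """Return one alert set per packet in the trace."""
    tracker = ArpTracker(mac_flip, request_imbalance)
    return [tracker.observe(*pkt) for pkt in trace]


if __name__ == "__main__":
    print(run_trace(TRACE))
    print(arp_sig_types("01:00:5e:7f:00:01", "01:00:5e:7f:00:01"))
```

The flip counter only moves when a reply rebinds an IP to a different MAC, so a host that legitimately re-announces the same binding never accumulates flips; a low mac-flip value therefore trades false positives from DHCP churn against faster detection of a poisoning tool.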
Service DNS Engine Options
The Service DNS engine specializes in advanced DNS decode, which includes anti-evasive techniques, such as following multiple jumps. It has many parameters such as lengths, opcodes, strings, and so forth. The Service DNS engine is a biprotocol inspector operating on both TCP and UDP port 53. It uses the stream for TCP and the quad for UDP.
Table M-16 lists the parameters specific to the Service DNS engine.
Table M-16 Service DNS Engine Parameters
| Parameter | Description | Values |
|---|---|---|
| Protocol | Protocol of interest for this inspector. | TCP, UDP |
| Specify Query Type | (Optional) Enables the query type: •Query Type—DNS query type, 2-byte value. | 0 to 65535 |
| Specify Query Opcode | (Optional) Enables the query opcode: •Query Opcode—DNS query opcode, 1-byte value. | 0 to 65535 |
| Specify Query Record Data Length | (Optional) Enables the query record data length: •Query Record Data Length—DNS response record data length. | 0 to 65535 |
| Specify Query Record Data Invalid | (Optional) Enables query record data invalid: •Query Record Data Invalid—DNS record data incomplete. | Yes \| No |
| Specify Query Src Port 53 | (Optional) Enables the query source port 53: •Query Src Port 53—DNS packet source port is 53. | Yes \| No |
| Specify Query Value | (Optional) Enables the query value: •Query Value—Query 0, Response 1. | Yes \| No |
| Specify Query Stream Length | (Optional) Enables the query stream length: •Query Stream Length—DNS packet length. | 0 to 65535 |
| Specify Query Jump Count Exceeded | (Optional) Enables query jump count exceeded: •Query Jump Count Exceeded—DNS compression (pointer) counter exceeded. | Yes \| No |
| Specify Query Invalid Domain Name | (Optional) Enables query invalid domain name: •Query Invalid Domain Name—DNS query name length greater than 255. | Yes \| No |
| Specify Query Class | (Optional) Enables the query class: •Query Class—DNS query class, 2-byte value. | 0 to 65535 |
| Specify Query Chaos String | (Optional) Enables the DNS query class Chaos string. | query-chaos-string |
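Added example, not code from the page or the sensor: a DNS name decoder that follows RFC 1035 compression pointers and raises the conditions the engine exposes as Query Jump Count Exceeded, Query Invalid Domain Name and Query Record Data Invalid, plus extraction of the Query Value, Query Opcode, Query Type and Query Class fields. The jump limit `MAX_JUMPS` is an assumed value; the page gives no number. All messages are constructed.

```python
# Added example (not the sensor's code): RFC 1035 name decoding with the
# anti-evasion checks from Table M-16. MAX_JUMPS is an assumption.

MAX_NAME_LEN = 255
MAX_JUMPS = 8


class DnsDecodeError(Exception):
    """Raised with the name of the engine condition that would fire."""


def read_name(msg: bytes, offset: int, max_jumps: int = MAX_JUMPS):
    """Decode a (possibly compressed) name at offset.
    Returns (dotted_name, offset just past the name at its original position)."""
    labels, total, jumps, end = [], 0, 0, None
    while True:
        if offset >= len(msg):
            raise DnsDecodeError("record data incomplete")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if offset + 1 >= len(msg):
                raise DnsDecodeError("record data incomplete")
            if jumps >= max_jumps:                     # loop or over-long chain
                raise DnsDecodeError("jump count exceeded")
            jumps += 1
            if end is None:
                end = offset + 2                       # pointer occupies 2 bytes
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            continue
        if length & 0xC0:
            raise DnsDecodeError("invalid label type")
        offset += 1
        if length == 0:                                # root label ends the name
            break
        if offset + length > len(msg):
            raise DnsDecodeError("record data incomplete")
        total += length + 1
        if total > MAX_NAME_LEN:                       # wire-format name over 255 bytes
            raise DnsDecodeError("invalid domain name")
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_question(msg: bytes) -> dict:
    """Extract the header bits and first question the engine matches on."""
    if len(msg) < 12:
        raise DnsDecodeError("record data incomplete")
    flags = int.from_bytes(msg[2:4], "big")
    name, off = read_name(msg, 12)
    if off + 4 > len(msg):
        raise DnsDecodeError("record data incomplete")
    return {
        "query_value": flags >> 15,                # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,
        "name": name,
        "qtype": int.from_bytes(msg[off:off + 2], "big"),
        "qclass": int.from_bytes(msg[off + 2:off + 4], "big"),
    }


def decode_error(msg: bytes):
    """Return the engine condition a message would trigger, or None."""
    try:
        parse_question(msg)
        return None
    except DnsDecodeError as exc:
        return str(exc)


# Constructed messages: 12-byte header (ID 0x1234, RD set, QDCOUNT=1), then a question.
HEADER = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
GOOD_QUERY = HEADER + b"\x03www\x07example\x03com\x00" + b"\x00\x01\x00\x01"
COMPRESSED = HEADER + b"\x07example\x03com\x00" + b"\x03www\xc0\x0c" + b"\x00\x01\x00\x01"
LOOP_QUERY = HEADER + b"\xc0\x0c" + b"\x00\x01\x00\x01"          # pointer to itself
LONG_QUERY = HEADER + (b"\x3f" + b"a" * 63) * 5 + b"\x00" + b"\x00\x01\x00\x01"
TRUNCATED = HEADER + b"\x03www\x07exam"

if __name__ == "__main__":
    print(parse_question(GOOD_QUERY))
    for sample in (COMPRESSED, LOOP_QUERY, LONG_QUERY, TRUNCATED):
        print(decode_error(sample))
```

The self-referencing pointer in `LOOP_QUERY` is the case the jump counter exists for: without a bound, a decoder follows it forever, which is exactly the kind of parser evasion (or denial of service against the inspector itself) the engine's "advanced DNS decode" is meant to survive.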
Flood Engine Options
The Flood engine defines signatures that watch for any host or network sending multiple packets to a single host or network. For example, you can create a signature that fires when 150 or more packets per second (of the specific type) are found going to the victim host.
There are two types of Flood engines: Flood Host and Flood Net.
Table M-17 lists the parameters specific to the Flood Host engine.
Table M-17 Flood Host Engine Parameters
| Parameter | Description | Values |
|---|---|---|
| protocol | Which kind of traffic to inspect. | ICMP, UDP |
| rate | Threshold number of packets per second. | 0 to 65535 |
| icmp-type | Specifies the value for the ICMP header type. | 0 to 65535 |
| dst-ports | Specifies the destination ports when you choose the UDP protocol. | 0 to 65535, a-b[,c-d] |
| src-ports | Specifies the source ports when you choose the UDP protocol. | 0 to 65535, a-b[,c-d] |
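An added example, not the sensor's code: a Flood Host detector over a constructed packet trace. It counts selected packets per victim in one-second buckets and fires once per bucket when the count reaches `rate`, applying the icmp-type filter for ICMP and the a-b[,c-d] port filters for UDP. The `FloodHostDetector` class, its packet dictionaries and the trace generator are the example's own.

```python
from collections import defaultdict

# Added example (not the sensor's code): Flood Host semantics from Table M-17.
# A flood is `rate` or more selected packets to one victim within one second.


def parse_ranges(spec):
    """'53,123-124' -> [(53, 53), (123, 124)]; None means any port."""
    if spec is None:
        return None
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= 65535:          # second number must be >= first
            raise ValueError(f"bad port range {part!r}")
        ranges.append((lo, hi))
    return ranges


def in_ranges(port, ranges):
    return ranges is None or any(lo <= port <= hi for lo, hi in ranges)


class FloodHostDetector:
    def __init__(self, rate, protocol="ICMP", icmp_type=None,
                 dst_ports=None, src_ports=None):
        self.rate, self.protocol, self.icmp_type = rate, protocol, icmp_type
        self.dst_ports, self.src_ports = parse_ranges(dst_ports), parse_ranges(src_ports)
        self.buckets = defaultdict(int)     # (victim, whole second) -> packets
        self.alerted = set()                # buckets that already fired

    def selected(self, pkt) -> bool:
        """Does this packet belong to the traffic type the signature watches?"""
        if pkt["proto"] != self.protocol:
            return False
        if self.protocol == "ICMP":
            return self.icmp_type is None or pkt.get("icmp_type") == self.icmp_type
        return (in_ranges(pkt["dport"], self.dst_ports)
                and in_ranges(pkt["sport"], self.src_ports))

    def observe(self, pkt) -> bool:
        """Feed one packet; True when the victim's per-second count hits rate."""
        if not self.selected(pkt):
            return False
        key = (pkt["dst"], int(pkt["ts"]))
        self.buckets[key] += 1
        if self.buckets[key] >= self.rate and key not in self.alerted:
            self.alerted.add(key)            # one alert per victim per second
            return True
        return False


def constructed_trace(n=200, victim="10.0.0.5", proto="ICMP", icmp_type=8):
    """n packets from many sources to one victim, spread over a single second."""
    return [{"ts": 100.0 + i / n, "src": f"192.0.2.{i % 250 + 1}", "dst": victim,
             "proto": proto, "icmp_type": icmp_type} for i in range(n)]


def count_alerts(detector, trace) -> int:
    return sum(detector.observe(p) for p in trace)


if __name__ == "__main__":
    print(count_alerts(FloodHostDetector(rate=150, icmp_type=8), constructed_trace()))  # 1
    print(count_alerts(FloodHostDetector(rate=150, icmp_type=0), constructed_trace()))  # 0
```

Because the key is the victim address only, the detector fires on a distributed flood just as readily as on a single-source one, which is the point of the Flood Host engine as opposed to per-attacker counting.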
Flood Net Engine Parameters
Table M-18 lists the parameters specific to the Flood Net engine.
Table M-18 Flood Net Engine Parameters
| Parameter | Description | Values |
|---|---|---|
| gap | Gap of time allowed (in seconds) for a flood signature. | 0 to 65535 |
| peaks | Number of allowed peaks of flood traffic. | 0 to 65535 |
| protocol | Which kind of traffic to inspect. | ICMP, TCP, UDP |
| rate | Threshold number of packets per second. | 0 to 65535 |
| sampling-interval | Interval used for sampling traffic. | 1 to 3600 |
| icmp-type | Specifies the value for the ICMP header type. | 0 to 65535 |
Service FTP Engine Options
The Service FTP engine specializes in FTP PORT command decode, trapping invalid PORT commands and the PASV port spoof. It fills the gap where the String engine is not appropriate for detection. The parameters are Boolean and map to the error trap conditions in the PORT command decode. The Service FTP engine runs on TCP ports 20 and 21: port 20 carries data, which the engine does not inspect; it inspects the control transactions on port 21.
Table M-19 lists the parameters that are specific to the Service FTP engine.
Table M-19 Service FTP Engine Parameters
| Parameter | Description | Values |
|---|---|---|
| Direction | Direction of traffic: •Traffic from service port destined to client port •Traffic from client port destined to service port | From Service, To Service |
| Service Ports | A comma-separated list of ports or port ranges where the target service resides. | 0 to 65535. Note: The second number in the range must be greater than or equal to the first number. |
| Swap Attacker Victim | Yes if source and destination addresses (and ports) are swapped in the alert message. No for no swap (default). | Yes \| No |
| FTP Inspection Type | Type of inspection to perform: •Looks for an invalid address in the FTP PORT command •Looks for an invalid port in the FTP PORT command •Looks for the PASV port spoof | Invalid Address in PORT Command, Invalid Port in PORT Command, PASV Port Spoof |
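An added example, not the sensor's code: the three FTP inspection types applied to constructed control-channel lines. The page does not say what makes a PORT address or port invalid, so the criteria here are the classic FTP bounce-attack checks from RFC 2577 (an assumption): the PORT address must be the client's own address and the port must not be a privileged one below 1024. A 227 reply is treated as a PASV spoof when the address it carries is not the server's. Function names, regexes and sample lines are the example's own.

```python
import ipaddress
import re

# Added example (not the sensor's code): Service FTP inspection types over
# constructed control-channel lines. Invalid-address/port criteria follow
# RFC 2577 (assumption); PASV spoof = 227 reply naming a foreign address.

PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}(?:,\d{1,3}){5})\)")


def decode_hostport(field: str):
    """'h1,h2,h3,h4,p1,p2' -> (IPv4Address, port). Raises ValueError on bad octets."""
    nums = [int(x) for x in field.split(",")]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range")
    return (ipaddress.IPv4Address(".".join(map(str, nums[:4]))),
            nums[4] * 256 + nums[5])


def check_port_command(line: str, client_ip: str) -> list:
    """Inspection types that fire for a client-to-service PORT command."""
    m = PORT_RE.match(line.rstrip("\r\n"))
    if not m:
        return []
    try:
        ip, port = decode_hostport(m.group(1))
    except ValueError:
        return ["invalid-address-in-port-command"]
    hits = []
    if ip != ipaddress.IPv4Address(client_ip):
        hits.append("invalid-address-in-port-command")   # bounce to a third host
    if port < 1024:
        hits.append("invalid-port-in-port-command")      # e.g. SMTP or DNS on the target
    return hits


def check_pasv_reply(line: str, server_ip: str) -> list:
    """Inspection types that fire for a service-to-client 227 reply."""
    m = PASV_RE.match(line.rstrip("\r\n"))
    if not m:
        return []
    try:
        ip, _port = decode_hostport(m.group(1))
    except ValueError:
        return ["pasv-port-spoof"]
    return ["pasv-port-spoof"] if ip != ipaddress.IPv4Address(server_ip) else []


# Constructed control-channel lines (client 192.168.1.10, server 203.0.113.7).
CLIENT, SERVER = "192.168.1.10", "203.0.113.7"
SAMPLE_LINES = [
    ("to-service", "PORT 192,168,1,10,4,1\r\n"),                           # legitimate, port 1025
    ("to-service", "PORT 10,0,0,99,0,25\r\n"),                             # bounce to 10.0.0.99:25
    ("from-service", "227 Entering Passive Mode (203,0,113,7,195,80)\r\n"),
    ("from-service", "227 Entering Passive Mode (198,51,100,9,195,80)\r\n"),  # foreign address
]


def inspect(lines=SAMPLE_LINES, client_ip=CLIENT, server_ip=SERVER):
    """Run the direction-appropriate check over each line; one result list per line."""
    results = []
    for direction, line in lines:
        if direction == "to-service":
            results.append(check_port_command(line, client_ip))
        else:
            results.append(check_pasv_reply(line, server_ip))
    return results


if __name__ == "__main__":
    for (_, line), hits in zip(SAMPLE_LINES, inspect()):
        print(line.strip(), "->", hits)
```

The Direction parameter matters here: PORT only makes sense client-to-server and 227 only server-to-client, so a signature with the wrong direction never sees the line it is meant to trap.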
General Options for All Engines
The following parameters are part of the Master engine and apply to all signatures.
Table M-20 lists the general master engine parameters.
Table M-20 Master Engine General Parameters
| Parameter | Description | Values |
|---|---|---|
| Alert Severity | Severity of the alert: •Dangerous alert •Medium-level alert •Low-level alert •Informational alert | high, medium, low, informational |
| Engine | Specifies the engine the signature belongs to. | — |
| Event Counter | Grouping for event count settings. | — |
| Event Count | Number of times an event must occur before an alert is generated. | 1 to 65535 |
| Event Count Key | The storage type on which to count events for this signature: •Attacker address •Attacker and victim addresses •Attacker address and victim port •Victim address •Attacker and victim addresses and ports | Axxx, AxBx, Axxb, xxBx, AaBb |
| Specify Alert Interval | Enables the alert interval. | yes \| no |
| Alert Interval | Time in seconds before the event count is reset. | 2 to 1000 |
| promisc-delta | Delta value used to determine the seriousness of the alert. | 0 to 30 |
| sig-fidelity-rating | Rating of the fidelity of this signature. | 0 to 100 |
| sig-description | Grouping for your description of the signature. | — |
| sig-name | Name of the signature. | sig-name |
| sig-string-info | Additional information about this signature that will be included in the alert message. | sig-string-info |
| sig-comment | Comments about this signature. | sig-comment |
| Alert Traits | Traits you want to document about this signature. | 0 to 65535 |
| Release | The release in which the signature was most recently updated. | release |
| Status | Whether the signature is enabled or disabled, active or retired. | enabled, retired |
Generic Service Engine Options
The Service Generic engine allows programmatic signatures to be issued in a config-file-only signature update. It has a simple machine and assembly language that is defined in the configuration file. It runs the machine code (distilled from the assembly language) through its virtual machine, which processes the instructions and pulls the important pieces of information out of the packet and runs them through the comparisons and operations specified in the machine code.
It is intended as a rapid signature response engine to supplement the String and State engines.
Note You cannot use the Service Generic engine to create custom signatures.
Caution
Due to the proprietary nature of this complex language, we do not recommend that you edit the Service Generic engine signature parameters other than severity and event action.
Table M-21 lists the parameters specific to the Service Generic engine.
Table M-21 Service Generic Engine Parameters
| Parameter | Description | Values |
|---|---|---|
| specify-dst-port | (Optional) Enables the destination port: •dst-port—Destination port of interest for this signature. | 0 to 65535 |
| specify-ip-protocol | (Optional) Enables the IP protocol: •ip-protocol—The IP protocol this inspector should examine. | 0 to 255 |
| specify-payload-source | (Optional) Enables payload source inspection: •payload-source—Payload source inspection for the following types: –Inspects ICMP data –Inspects Layer 2 headers –Inspects Layer 3 headers –Inspects Layer 4 headers –Inspects TCP data –Inspects UDP data | icmp-data, l2-header, l3-header, l4-header, tcp-data, udp-data |
| specify-src-port | (Optional) Enables the source port: •src-port—Source port of interest for this signature. | 0 to 65535 |
H225 Service Engine Options
Table M-22 lists parameters specific to the Service H225 engine.
Table M-22 Service H.225 Engine Parameters
| Parameter | Description | Values |
|---|---|---|
| message-type | Type of H.225 message to which the signature applies: •SETUP •ASN.1-PER •Q.931 •TPKT | asn.1-per, q.931, setup, tpkt |
| policy-type | Type of H.225 policy to which the signature applies: •Inspects field length. •Inspects presence. If certain fields are present in the message, an alert is sent. •Inspects regular expressions. •Inspects field validations. •Inspects values. Regex and presence are not valid for TPKT signatures. | length, presence, regex, validate, value |
| specify-field-name | (Optional) Enables the field name for use. Only valid for the SETUP and Q.931 message types. Gives a dotted representation of the field name that this signature applies to. •field-name—Field name to inspect. | 1 to 512 |
| specify-invalid-packet-index | (Optional) Enables the invalid packet index for use, for specific errors in ASN, TPKT, and other errors that have a fixed mapping. •invalid-packet-index—Inspection for invalid packet index. | 0 to 255 |
| specify-regex-string | The regular expression to look for when the policy type is regex. This is never set for TPKT signatures: •regex-string—A regular expression to search for in a single TCP packet. •specify-min-match-length—(Optional) Enables the minimum match length for use: the minimum length of the regex match required to constitute a match. This is never set for TPKT signatures. | regex-string, specify-min-match-length |
| specify-value-range | Valid for the length or value policy types (0x00 to 65535). Not valid for other policy types. •value-range—Range of values. | 0 to 65535, a-b |
HTTP Service Engine Options
Table M-23 lists the parameters specific to the Service HTTP engine.
Table M-23 Service HTTP Engine Parameters
| Parameter | Description | Values |
|---|---|---|
| De Obfuscate | Applies anti-evasive deobfuscation before searching. | Yes \| No |
| Max Field Sizes | Maximum field sizes grouping. | — |
| Specify Max URI Field Length | (Optional) Enables the maximum URI field length: •Max URI Field Length—Maximum length of the URI field. | 0 to 65535 |
| Specify Max Arg Field Length | (Optional) Enables the maximum argument field length: •Max Arg Field Length—Maximum length of the arguments field. | 0 to 65535 |
| Specify Max Header Field Length | (Optional) Enables the maximum header field length: •Max Header Field Length—Maximum length of the header field. | 0 to 65535 |
| Specify Max Request Length | (Optional) Enables the maximum request field length: •Max Request Length—Maximum length of the request field. | 0 to 65535 |
| Regex | Regular expression grouping. | — |
| Specify URI Regex | (Optional) Regular expression to search for in the HTTP URI field. The URI field is defined to be after the HTTP method (GET, for example) and before the first CRLF. The regular expression is protected, which means you cannot change the value. | [/\\][a-zA-Z][a-zA-Z][a-zA-Z][a-zA-Z][a-zA-Z][a-zA-Z][a-zA-Z][.]jpeg |
| Specify Arg Name Regex | (Optional) Enables searching the Arguments field for a specific regular expression: •Arg Name Regex—Regular expression to search for in the HTTP Arguments field (after the ? and in the entity body as defined by Content-Length). | — |
| Specify Header Regex | (Optional) Enables searching the Header field for a specific regular expression: •Header Regex—Regular expression to search for in the HTTP Header field. The Header is defined after the first CRLF and continues until CRLFCRLF. | — |
| Specify Request Regex | (Optional) Enables searching the Request field for a specific regular expression: •Request Regex—Regular expression to search for in both the HTTP URI and HTTP Argument fields. •Specify Min Request Match Length—Enables setting a minimum request match length. | 0 to 65535 |
| Service Ports | A comma-separated list of ports or port ranges where the target service resides. | 0 to 65535. Note: The second number in the range must be greater than or equal to the first number. |
| Swap Attacker Victim | Yes if source and destination addresses (and ports) are swapped in the alert message. No for no swap (default). | Yes \| No |
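An added example, not the sensor's code: splitting a request into the fields Table M-23 defines (URI, Header, Arguments, Request) and applying the length limits, regexes and De Obfuscate setting to two constructed requests. Assumptions specific to this example: the URI field is the request-target only (the HTTP-version token is dropped), the Request field is the URI followed by the body, and deobfuscation is modelled as repeated percent-decoding plus backslash-to-slash folding. The signature dictionaries and their key names are the example's own.

```python
import re
from urllib.parse import unquote_to_bytes

# Added example (not the sensor's code): Service HTTP field extraction and
# checks from Table M-23. Field boundaries follow the table; the URI field
# here excludes the HTTP-version token (assumption).

CRLF = b"\r\n"


def deobfuscate(data: bytes) -> bytes:
    """Undo percent-encoding until stable (defeats %25xx double encoding)
    and fold backslashes to forward slashes."""
    prev = None
    while prev != data:
        prev, data = data, unquote_to_bytes(data)
    return data.replace(b"\\", b"/")


def split_http_request(raw: bytes) -> dict:
    head, sep, rest = raw.partition(CRLF + CRLF)
    request_line, _, header = head.partition(CRLF)      # header: after first CRLF
    parts = request_line.split(b" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    uri = parts[1]
    _path, _qmark, query = uri.partition(b"?")          # args: after '?'
    content_length = 0
    for line in header.split(CRLF):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            content_length = int(value.strip() or b"0")
    body = rest[:content_length] if sep else b""        # entity body per Content-Length
    args = query + (b"&" if query and body else b"") + body
    return {"method": parts[0], "uri": uri, "header": header,
            "args": args, "request": uri + body}


FIELDS = (("uri", "max_uri_len", "uri_regex"),
          ("args", "max_arg_len", "arg_regex"),
          ("header", "max_header_len", "header_regex"),
          ("request", "max_request_len", "request_regex"))


def evaluate(raw: bytes, sig: dict) -> list:
    """Return the signature conditions the request satisfies: length checks
    first, then regex checks, each in table order."""
    fields = split_http_request(raw)
    if sig.get("deobfuscate"):
        fields = {k: deobfuscate(v) for k, v in fields.items()}
    hits = []
    for name, limit_key, _ in FIELDS:
        limit = sig.get(limit_key)
        if limit is not None and len(fields[name]) > limit:
            hits.append(f"{name}-length")
    for name, _, regex_key in FIELDS:
        pattern = sig.get(regex_key)
        if pattern is not None and re.search(pattern, fields[name]):
            hits.append(f"{name}-regex")
    return hits


# Constructed requests: a double-encoded traversal and a POST with an injected body.
TRAVERSAL = (b"GET /cgi-bin/%252e%252e/%252e%252e/etc/passwd?user=%61dmin HTTP/1.1\r\n"
             b"Host: www.example.com\r\nContent-Length: 0\r\n\r\n")
POST = (b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 23\r\n\r\n"
        b"user=sa&pass=' OR 1=1--")
TRAVERSAL_SIG = {"deobfuscate": True, "uri_regex": rb"\.\./", "max_uri_len": 64}
INJECTION_SIG = {"arg_regex": rb"(?i)\bor\s+1=1", "max_arg_len": 16}

if __name__ == "__main__":
    print(evaluate(TRAVERSAL, TRAVERSAL_SIG))                          # ['uri-regex']
    print(evaluate(TRAVERSAL, {**TRAVERSAL_SIG, "deobfuscate": False}))  # []
    print(evaluate(POST, INJECTION_SIG))                               # ['args-length', 'args-regex']
```

The traversal request is the reason De Obfuscate exists: with it off, `%252e%252e/` never looks like `../` to the URI regex, and the signature is trivially evaded by encoding the payload one extra time.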
Alert Frequency Options
The purpose of the summary parameter is to reduce the volume of the alerts written to the Event Store to counter IDS DoS tools, such as stick. There are four modes: Fire All, Fire Once, Summarize, and Global Summarize. The summary mode is changed dynamically to adapt to the current alert volume. For example, you can configure the signature to Fire All, but after a certain threshold is reached, it will start summarizing.
Table M-24 MASTER Engine Alert Frequency Parameters
| Parameter | Description | Values |
|---|---|---|
| alert-frequency | Summary options for grouping alerts. | — |
| summary-mode | Mode used for summarization. | — |
| fire-all | Fires an alert on all events. | — |
| fire-once | Fires an alert only once. | — |
| global-summarize | Summarizes an alert so that it only fires once regardless of how many attackers or victims. | — |
| summarize | Summarizes alerts. | — |
| specify-summary-threshold | (Optional) Enables the summary threshold. | yes \| no |
| summary-threshold | Threshold number of alerts to send the signature into summary mode. | 0 to 65535 |
| specify-global-summary-threshold | Enables the global summary threshold. | yes \| no |
| global-summary-threshold | Threshold number of events to take alerts into global summary. | 1 to 65535 |
| summary-interval | Time in seconds used in each summary alert. | 1 to 1000 |
| summary-key | The storage type on which to summarize this signature: •Attacker address •Attacker and victim addresses •Attacker address and victim port •Victim address •Attacker and victim addresses and ports | Axxx, AxBx, Axxb, xxBx, AaBb |
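An added example, not the sensor's code, serving both the Event Count / Event Count Key rows of Table M-20 and the alert-frequency parameters of Table M-24: a model of how events are counted per storage key before an alert fires, and how the summary mode then escalates dynamically (fire-all until summary-threshold is reached within a summary-interval, then summarize; global-summarize once global-summary-threshold is reached). The page describes the behaviour but not its exact implementation, so the rollover and escalation rules here are the example's own reading of it; the `AlertController` class and the alert record format are constructed for illustration.

```python
# Added example (not the sensor's code): event counting per storage key and
# dynamic summary-mode escalation, modelled from Tables M-20 and M-24.


def storage_key(key_type, attacker, victim, attacker_port, victim_port):
    """Map the Axxx/AxBx/Axxb/xxBx/AaBb storage types to the tuple counted on."""
    table = {
        "Axxx": (attacker,),
        "AxBx": (attacker, victim),
        "Axxb": (attacker, victim_port),
        "xxBx": (victim,),
        "AaBb": (attacker, attacker_port, victim, victim_port),
    }
    return table[key_type]


class AlertController:
    def __init__(self, event_count=1, alert_interval=None, event_key="Axxx",
                 summary_mode="fire-all", summary_threshold=None,
                 global_summary_threshold=None, summary_interval=30,
                 summary_key="Axxx"):
        self.event_count, self.alert_interval, self.event_key = event_count, alert_interval, event_key
        self.base_mode = self.mode = summary_mode
        self.summary_threshold = summary_threshold
        self.global_summary_threshold = global_summary_threshold
        self.summary_interval, self.summary_key = summary_interval, summary_key
        self.counts = {}          # event key -> (count, window start)
        self.tally = {}           # summary key -> hits in the current interval
        self.global_tally = 0
        self.interval_start = None
        self.fired_once = set()

    def event(self, ts, attacker, victim, aport, vport):
        """Feed one matching event; return the alert records emitted now."""
        out = []
        ek = storage_key(self.event_key, attacker, victim, aport, vport)
        count, start = self.counts.get(ek, (0, ts))
        if self.alert_interval is not None and ts - start > self.alert_interval:
            count, start = 0, ts                 # window expired: count again
        count += 1
        if count < self.event_count:
            self.counts[ek] = (count, start)
            return out
        self.counts.pop(ek, None)                # threshold met: reset and alert
        if self.interval_start is None:
            self.interval_start = ts
        elif ts - self.interval_start >= self.summary_interval:
            out.extend(self.flush())             # close the previous interval
            self.interval_start = ts
        sk = storage_key(self.summary_key, attacker, victim, aport, vport)
        self.tally[sk] = self.tally.get(sk, 0) + 1
        self.global_tally += 1
        # dynamic escalation: thresholds push the signature into summary modes
        if self.global_summary_threshold and self.global_tally >= self.global_summary_threshold:
            self.mode = "global-summarize"
        elif self.summary_threshold and self.mode == "fire-all" and self.tally[sk] >= self.summary_threshold:
            self.mode = "summarize"
        alert = {"type": "alert", "key": sk, "count": 1}
        if self.mode == "fire-all":
            out.append(alert)
        elif self.mode == "fire-once":
            if sk not in self.fired_once:
                self.fired_once.add(sk)
                out.append(alert)
        elif self.mode == "summarize" and self.tally[sk] == 1:
            out.append(alert)                    # first hit per key fires, the rest summarize
        return out                               # global-summarize: nothing until flush

    def flush(self):
        """Close the current summary interval and emit its summary alerts."""
        out = []
        if self.mode == "global-summarize":
            out.append({"type": "global-summary", "key": None, "count": self.global_tally})
        elif self.mode == "summarize":
            out.extend({"type": "summary", "key": sk, "count": n}
                       for sk, n in self.tally.items() if n > 1)
        self.tally.clear()
        self.global_tally = 0
        self.mode = self.base_mode               # the escalation lasts one interval
        return out


def simulate(events, **cfg):
    """events: (ts, attacker, victim, attacker_port, victim_port). Returns all records."""
    ctl = AlertController(**cfg)
    out = []
    for ts, attacker, victim, aport, vport in events:
        out.extend(ctl.event(ts, attacker, victim, aport, vport))
    out.extend(ctl.flush())
    return out


# Constructed trace: one attacker hits ten times in a burst, then once more later.
BURST = [(t, "198.51.100.7", "10.0.0.5", 40000 + t, 80) for t in range(10)]
LATER = [(40, "198.51.100.7", "10.0.0.5", 40010, 80)]

if __name__ == "__main__":
    for rec in simulate(BURST + LATER, summary_threshold=3, summary_interval=30):
        print(rec)
```

Run against the burst with summary-threshold 3, the controller emits two individual alerts, goes quiet, and then emits one summary carrying the count of ten before returning to fire-all in the next interval; that is the "stick"-resistant behaviour the summary parameters are for, at the cost of losing per-event detail while summarizing.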
NTP Service Engine Options
The Service NTP engine inspects NTP protocol. There is one NTP signature, the NTPd readvar overflow signature, which fires an alert if a readvar command is seen with NTP data that is too large for the NTP service to capture.
You can tune this signature and create custom signatures based on NTP protocol values, such as mode and size of control packets.
Table M-25 lists the parameters specific to the Service NTP engine.
Table M-25 Service NTP Engine Parameters
| Parameter | Description | Values |
|---|---|---|
| inspection-type | Type of inspection to perform. | — |
| inspect-ntp-packets | Inspects NTP packets: •control-opcode—Opcode number of an NTP control packet according to RFC 1305, Appendix B. •max-control-data-size—Maximum allowed amount of data sent in a control packet. •mode—Mode of operation of the NTP packet per RFC 1305. | 0 to 65535 |
| is-invalid-data-packet | Looks for invalid NTP data packets. Checks the structure of the NTP data packet to make sure it is the correct size. | true \| false |
| is-non-ntp-traffic | Checks for non-NTP packets on an NTP port. | true \| false |
RPC Service Engine Options
Table M-26 lists the parameters specific to the Service RPC engine.
Table M-26 Service RPC Engine Parameters
| Parameter | Description | Values |
|---|---|---|
| Direction | Direction of traffic: •Traffic from service port destined to client port. •Traffic from client port destined to service port. | From Service, To Service |
| Protocol | Protocol of interest. | TCP, UDP |
| Service Ports | A comma-separated list of ports or port ranges where the target service resides. | 0 to 65535. Note: The second number in the range must be greater than or equal to the first number. |
| Specify Regex String | Enables the regex fields: •Specify Exact Match Offset •Regex String •Specify Min Match Length | Yes \| No |
| Specify Exact Match Offset | (Optional) Enables the exact match offset: •Exact Match Offset—The exact stream offset the regular expression string must report for a match to be valid. | 0 to 65535 |
| Regex String | The string to search for. | — |
| Specify Min Match Length | (Optional) Enables the minimum match length: •Min Match Length—Minimum number of bytes the regular expression string must match. | 0 to 65535 |
| Specify Port Map Program | (Optional) Enables the portmapper program: •Port Map Program—The program number sent to the portmapper for this signature. | 0 to 9999999999 |
| Specify RPC Program | (Optional) Enables the RPC program: •RPC Program—RPC program number for this signature. | 0 to 1000000 |
| Specify Spoof Src | (Optional) Enables the spoofed source address check: •Spoof Src—Fires an alert when the source address is 127.0.0.1. | true \| false |
| Specify RPC Max Length | (Optional) Enables the RPC maximum length: •RPC Max Length—Maximum allowed length of the entire RPC message. Lengths longer than what you specify fire an alert. | 0 to 65535 |
| Specify RPC Procedure | (Optional) Enables the RPC procedure: •RPC Procedure—RPC procedure number for this signature. | 0 to 1000000 |
SMB Advanced Engine Options
Table M-27 lists the parameters specific to the Service SMB Advanced engine.
Table M-27 Service SMB Advanced Engine Parameters
| Parameter | Description | Values |
|---|---|---|
| service-ports | A comma-separated list of ports or port ranges where the target service resides. | 0 to 65535, a-b[,c-d] |
| specify-command | (Optional) Enables SMB commands: •command—SMB command value; exact match required; defines the SMB packet type. | 0 to 255 |
| specify-direction | (Optional) Enables traffic direction: •direction—Lets you specify the direction of traffic: –from-service—Traffic from service port destined to client port. –to-service—Traffic from client port destined to service port. | from-service, to-service |
| specify-operation | (Optional) Enables the MSRPC over SMB operation: •msrpc-over-smb-operation—Required for SMB_COM_TRANSACTION commands; exact match required. | 0 to 65535 |
| specify-regex-string | (Optional) Enables searching for regex strings: •regex-string—A regular expression to search for in a single TCP packet. | — |
| specify-exact-match-offset | (Optional) Enables the exact match offset: •exact-match-offset—The exact stream offset the regex string must report for a match to be valid. | — |
| specify-min-match-length | (Optional) Enables the minimum match length: •min-match-length—Minimum number of bytes the regex string must match. | — |
| specify-payload-source | (Optional) Enables the payload source: •payload-source—Payload source inspection. | — |
| specify-scan-interval | (Optional) Enables the scan interval: •scan-interval—The interval in seconds used to calculate alert rates. | 1 to 131071 |
| specify-tcp-flags | (Optional) Enables TCP flags: •msrpc-tcp-flags •msrpc-tcp-flags-mask | concurrent execution, did not execute, first fragment, last fragment, maybe, object UUID, pending cancel, reserved |
| specify-type | (Optional) Enables the type of MSRPC over SMB packet: •type—Type field of the MSRPC over SMB packet. | 0 = Request, 2 = Response, 11 = Bind, 12 = Bind Ack |
| specify-uuid | (Optional) Enables the MSRPC over SMB UUID: •uuid—MSRPC UUID field. | 32-character string composed of hexadecimal characters 0-9, a-f, A-F |
| specify-hit-count | (Optional) Enables hit counting: •hit-count—The threshold number of occurrences in scan-interval to fire alerts. | 1 to 65535 |
| swap-attacker-victim | True if source and destination addresses (and ports) are swapped in the alert message. False for no swap (default). | true \| false |
SMB Engine Options
The Service SMB engine inspects SMB packets. You can tune SMB signatures and create custom SMB signatures based on SMB control transaction exchanges and SMB NT_Create_AndX exchanges.
Table M-28 lists the parameters specific to the Service SMB engine.
Table M-28 Service SMB Engine Parameters
| Parameter | Description | Values |
|---|---|---|
| service-ports | A comma-separated list of ports or port ranges where the target service resides. | 0 to 65535, a-b[,c-d] |
| specify-allocation-hint | (Optional) Enables the MSRPC allocation hint: •allocation-hint—MSRPC allocation hint, which is used in SMB_COM_TRANSACTION command parsing. | 0 to 4294967295 |
| specify-byte-count | (Optional) Enables the byte count: •byte-count—Byte count from the SMB_COM_TRANSACTION structure. | 0 to 65535 |
| specify-command | (Optional) Enables SMB commands: •command—SMB command value. | 0 to 255 |
| specify-direction | (Optional) Enables traffic direction: •direction—Lets you specify the direction of traffic: –Traffic from service port destined to client port. –Traffic from client port destined to service port. | from-service, to-service |
| specify-file-id | (Optional) Enables using a transaction file ID: •file-id—Transaction file ID. Note: This parameter may limit a signature to a specific exploit instance, so consider its use carefully. | 0 to 65535 |
| specify-function | (Optional) Enables the named pipe function: •function—Named pipe function. | 0 to 65535 |
| specify-hit-count | (Optional) Enables hit counting: •hit-count—The threshold number of occurrences in scan-interval to fire alerts. | 0 to 65535 |
| specify-operation | (Optional) Enables the MSRPC operation: •operation—MSRPC operation requested. Required for SMB_COM_TRANSACTION commands. An exact match is required. | 0 to 65535 |
| specify-resource | (Optional) Enables the resource: •resource—Specifies that the pipe or the SMB filename is used to qualify the alert. In ASCII format. An exact match is required. | resource |
| specify-scan-interval | (Optional) Enables the scan interval: •scan-interval—The interval in seconds used to calculate alert rates. | 0 to 131071 |
| specify-set-count | (Optional) Enables counting setup words: •set-count—Number of setup words. | 0 to 255 |
| specify-type | (Optional) Enables searching for the Type field of an MSRPC packet: •type—Type field of the MSRPC packet. 0 = Request; 2 = Response; 11 = Bind; 12 = Bind Ack. | 0 to 255 |
| specify-word-count | (Optional) Enables word counting for command parameters: •word-count—Word count for the SMB_COM_TRANSACTION command parameters. | 0 to 255 |
| swap-attacker-victim | True if source and destination addresses (and ports) are swapped in the alert message. False for no swap (default). | true \| false |
SNMP Engine Options
The Service SNMP engine inspects all SNMP packets destined for port 161. You can tune SNMP signatures and create custom SNMP signatures based on specific community names and object identifiers.
Instead of using string comparison or regular expression operations to match the community name and object identifier, all comparisons are made using the integers to speed up the protocol decode and reduce storage requirements.
Table M-29 lists the parameters specific to the Service SNMP engine.
Table M-29 Service SNMP Engine Parameters
| Parameter | Description | Values |
|---|---|---|
| inspection-type | Type of inspection to perform. | — |
| brute-force-inspection | Inspects for brute force attempts: •brute-force-count—The number of unique SNMP community names that constitute a brute force attempt. | 0 to 65535 |
| invalid-packet-inspection | Inspects for SNMP protocol violations. | — |
| non-snmp-traffic-inspection | Inspects for non-SNMP traffic destined for UDP port 161. | — |
| snmp-inspection | Inspects SNMP traffic: •specify-community-name [yes \| no]: –community-name—Searches for the SNMP community name, that is, the SNMP password. •specify-object-id [yes \| no]: –object-id—Searches for the SNMP object identifier. | community-name, object-id |
SSH Engine Options
The Service SSH engine specializes in port 22 SSH traffic. Because all but the setup of an SSH session is encrypted, the engine only looks at the fields in the setup. There are two default signatures for SSH. You can tune these signatures, but you cannot create custom signatures.
Table M-30 lists the parameters specific to the Service SSH engine.
Table M-30 Service SSH Engine Parameters
| Parameter | Description | Values |
|---|---|---|
| length-type | Inspects for one of the following SSH length types: •key-length—Length of the SSH key to inspect for: –length—Keys larger than this fire the RSAREF overflow. •user-length—Length of the SSH user name to inspect for: –length—User names longer than this fire the alert. | 0 to 65535 |
| service-ports | A comma-separated list of ports or port ranges where the target service resides. | 0 to 65535, a-b[,c-d] |
| specify-packet-depth | (Optional) Enables the packet depth: •packet-depth—Number of packets to watch before determining that the session key was missed. | 0 to 65535 |
STATE Engine Options
Table M-31 lists the parameters specific to the State engine.
Table M-31 State Engine Parameters
| Parameter | Description | Values |
|---|---|---|
| State Machine | State machine grouping. | — |
| Cisco Login | Specifies the state machine for Cisco login: •state-name—Name of the state required before the signature fires an alert: –Cisco device state –Control-C state –Password prompt state –Start state | cisco-device, control-c, pass-prompt, start |
| LPR Format String | Specifies the state machine to inspect for the LPR format string vulnerability: •state-name—Name of the state required before the signature fires an alert: –Abort state to end LPR Format String inspection –Format character state –Start state | abort, format-char, start |
| Specify Min Match Length | (Optional) Enables the minimum match length: •Min Match Length—Minimum number of bytes the regular expression string must match. | 0 to 65535 |
| SMTP | Specifies the state machine for the SMTP protocol: •State Name—Name of the state required before the signature fires an alert: –Abort state to end SMTP inspection –Mail body state –Mail header state –SMTP commands state –Start state | abort, mail-body, mail-header, smtp-commands, start |
| Regex String | The string to search for. | — |
| Direction | Direction of the traffic: •Traffic from service port destined to client port. •Traffic from client port destined to service port. | From Service, To Service |
| Service Ports | A comma-separated list of ports or port ranges where the target service resides. | 0 to 65535. Note: The second number in the range must be greater than or equal to the first number. |
| Swap Attacker Victim | Yes if source and destination addresses (and ports) are swapped in the alert message. No for no swap (default). | Yes \| No |
| Specify Exact Match Offset | (Optional) Enables the exact match offset: •Exact Match Offset—The exact stream offset the regular expression string must report for a match to be valid. | 0 to 65535 |
String ICMP Engine Options
Table M-32 lists the parameters specific to the String ICMP engine.
Table M-32 String ICMP Engine Parameters
| Parameter | Description | Values |
|---|---|---|
| Specify Min Match Length | (Optional) Enables the minimum match length: •Min Match Length—Minimum number of bytes the regular expression string must match. | 0 to 65535 |
| Regex String | The string to search for. | — |
| Direction | Direction of the traffic: •Traffic from service port destined to client port. •Traffic from client port destined to service port. | From Service, To Service |
| ICMP Type | ICMP header TYPE value. | 0 to 18. Note: The second number in the range must be greater than or equal to the first number. |
| Swap Attacker Victim | Yes if source and destination addresses (and ports) are swapped in the alert message. No for no swap (default). | Yes \| No |
| Specify Exact Match Offset | (Optional) Enables the exact match offset: •Exact Match Offset—The exact stream offset the regular expression string must report for a match to be valid. | 0 to 65535 |
String TCP Engine Options
Table M-33 lists the parameters specific to the String TCP engine.
Table M-33 String TCP Engine
| Parameter | Description | Values |
|---|---|---|
| Strip Telnet Options | Strips the Telnet option characters from the data before the pattern is searched. Note: This parameter is primarily used as an IPS anti-evasion tool. | Yes \| No |
| Specify Min Match Length | (Optional) Enables the minimum match length: •Min Match Length—Minimum number of bytes the regular expression string must match. | 0 to 65535 |
| Regex String | The string to search for. | — |
| Service Ports | A comma-separated list of ports or port ranges where the target service resides. | 0 to 65535. Note: The second number in the range must be greater than or equal to the first number. |
| Direction | Direction of the traffic: •Traffic from service port destined to client port. •Traffic from client port destined to service port. | From Service, To Service |
| Specify Exact Match Offset | (Optional) Enables the exact match offset: •Exact Match Offset—The exact stream offset the regular expression string must report for a match to be valid. | 0 to 65535 |
| Swap Attacker Victim | Yes if source and destination addresses (and ports) are swapped in the alert message. No for no swap (default). | Yes \| No |
String UDP Engine Options
Table M-34 lists the parameters specific to the String UDP engine.
Table M-34 String UDP Engine
Specify Min Match Length | (Optional) Enables minimum match length: •Min Match Length—Minimum number of bytes the regular expression string must match. | 0 to 65535
Regex String | The string to search for. | —
Service Ports | A comma-separated list of ports or port ranges where the target service resides. | 0 to 65535. Note The second number in the range must be greater than or equal to the first number.
Direction | Direction of the traffic: •Traffic from service port destined to client port. •Traffic from client port destined to service port. | From Service, To Service
Swap Attacker Victim | Yes if the source and destination addresses (and ports) are swapped in the alert message. No for no swap (default). | Yes or No
Specify Exact Match Offset | (Optional) Enables exact match offset: •Specify Max Match Offset/Specify Min Match Offset—The exact stream offset the regular expression string must report for a match to be valid. | 0 to 65535
Sweep Other TCP Engine Options
Table M-35 lists the parameters specific to the Sweep Other TCP engine.
Table M-35 Sweep Other TCP Engine Parameters
specify-port-range | (Optional) Enables using a port range for inspection: •port-range—TCP port range used in inspection. | 0 to 65535, a-b[,c-d]
set-tcp-flags | Lets you set TCP flags to match: •tcp-flags—TCP flags used in this inspection: –URG bit –ACK bit –PSH bit –RST bit –SYN bit –FIN bit | urg, ack, psh, rst, syn, fin
Sweep Engine Options
Table M-36 lists the parameters specific to the Sweep engine.
Table M-36 Sweep Engine Parameters
protocol | Protocol of interest for this inspector. | icmp, udp, tcp
specify-icmp-type | (Optional) Enables the ICMP header type: •icmp-type—ICMP header TYPE value. | 0 to 255
specify-port-range | (Optional) Enables using a port range for inspection: •port-range—UDP port range used in inspection. | 0 to 65535, a-b[,c-d]
fragment-status | Specifies whether fragments are wanted or not: •Any fragment status. •Do not inspect fragments. •Inspect fragments. | any, no-fragments, want-fragments
inverted-sweep | Uses the source port instead of the destination port for unique counting. | true or false
mask | Mask used in the TCP flags comparison: •URG bit •ACK bit •PSH bit •RST bit •SYN bit •FIN bit | urg, ack, psh, rst, syn, fin
storage-key | Type of address key used to store persistent data: •Attacker address •Attacker and victim addresses •Attacker address and victim port | Axxx, AxBx, Axxb
suppress-reverse | Does not fire when a sweep has already fired in the reverse direction on this address set. | true or false
swap-attacker-victim | True if the source and destination addresses (and ports) are swapped in the alert message. False for no swap (default). | true or false
tcp-flags | TCP flags to match when masked by mask: •URG bit •ACK bit •PSH bit •RST bit •SYN bit •FIN bit | urg, ack, psh, rst, syn, fin
unique | Threshold number of unique port connections between the two hosts. | 0 to 65535
TNS Service Engine Options
Table M-37 lists the parameters specific to the Service TNS engine.
Table M-37 Service TNS Engine Parameters
type | Specifies the TNS frame value type: •1—Connect •2—Accept •4—Refuse •5—Redirect •6—Data •11—Resend •12—Marker | 1, 2, 4, 5, 6, 11, 12
specify-regex-string | (Optional) Enables using a regular expression string: •specify-exact-match-offset—Enables the exact match offset: –exact-match-offset—The exact stream offset the regular expression string must report for a match to be valid. •specify-min-match-length—Enables the minimum match length: –min-match-length—Minimum number of bytes the regular expression string must match. | 0 to 65535
specify-regex-payload | Specifies which protocol to inspect: •TCP data—Performs Regex over the data portion of the TCP packet. •TNS data—Performs Regex only over the TNS data (with all white space removed). | TCP, TNS
Traffic ICMP Engine Options
The Traffic ICMP engine analyzes nonstandard protocols, such as TFN2K, LOKI, and DDoS. Only two signatures (based on the LOKI protocol) have user-configurable parameters.
TFN2K is the newer version of TFN. It is a DDoS agent that is used to control coordinated attacks by infected computers (zombies) against a single computer (or domain) with bogus traffic floods from hundreds or thousands of unknown attacking hosts. TFN2K sends randomized packet header information, but it has two discriminators that can be used to define signatures: whether the L3 checksum is incorrect, and whether 64 'A' characters are found at the end of the payload. TFN2K can run on any port and can communicate with ICMP, TCP, UDP, or a combination of these protocols.
LOKI is a type of back door Trojan. When a computer is infected, the malicious code creates an ICMP tunnel that can be used to send small payloads in ICMP replies (which may pass straight through a firewall that is not configured to block ICMP). The LOKI signatures look for an imbalance of ICMP echo requests to replies and for simple ICMP code and payload discriminators.
The DDoS category (excluding TFN2K) targets ICMP-based DDoS agents. The main tools covered here are TFN and Stacheldraht. They are similar in operation to TFN2K, but rely on ICMP only and have fixed commands: integers and strings.
Table M-38 lists the parameters specific to the Traffic ICMP engine.
Table M-38 TRAFFIC ICMP Engine Parameters
parameter-tunable-sig | Whether this signature has configurable parameters. | yes or no
inspection-type | Type of inspection to perform: •Inspects for original LOKI traffic. •Inspects for modified LOKI traffic. | is-loki, is-mod-loki
reply-ratio | Imbalance of replies to requests. The alert fires when there are this many more replies than requests. | 0 to 65535
want-request | Requires that an ECHO REQUEST be seen before the alert fires. | true or false
Edit Signature Parameter—Component List Dialog Box
Use the Edit Signature Parameter—Component List dialog box to edit the component list for the meta engine.
Navigation Path
•(Device view) Select IPS > Signatures > Signatures from the Policy selector. Right-click a row containing a signature that uses the meta engine, and then click Edit Row in the shortcut menu that appears. Click Edit Parameters. In the Edit Signature Parameters dialog box, click List in the Value column.
Add Signature Parameter—List Entry Dialog Box
Use the Add Signature Parameter—List Entry dialog box to add components of the meta engine.
Edit Signature Parameter—List Entry Dialog Box
Use the Edit Signature Parameter—List Entry dialog box to edit components of the meta engine.
Obsoletes Dialog Box
Use the Obsoletes dialog box to identify obsolete signatures associated with a particular signature.
Add an Entry Dialog Box
Use the Add an Entry dialog box to add obsolete signatures associated with a particular signature.
Settings Page
Use the Settings page to define the application policy (enable HTTP, maximum number of HTTP requests, AIC web ports, and enable FTP), the fragment reassembly policy, the stream reassembly policy, and the IP logging policy. These settings result in policies that can be shared but not inherited. When a new IPS device is added, it has a local policy that contains the default settings for all signatures.
Navigation Path
•(Device view) Select IPS > Signatures > Settings from the Policy selector.
•(Policy view) Select IPS > Signatures > Signature Settings from the Policy Type selector. Right-click Signature Settings to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•Signature Policies
•Accessing the Cisco NSDB
Field Reference
Table M-39 Settings Page
Enable HTTP | Enables protection for web services. Select Yes to require the sensor to inspect HTTP traffic for compliance with the RFC.
Max HTTP Requests | Specifies the maximum number of outstanding HTTP requests per connection.
AIC Web Ports | Specifies the variable for the ports on which to look for AIC traffic.
Enable FTP | Enables protection for FTP services. Select Yes to require the sensor to inspect FTP traffic.
IP Reassembly Mode | Identifies the method the sensor uses to reassemble fragments, based on the operating system.
TCP Handshake Required | Specifies that the sensor should only track sessions for which the three-way handshake is completed.
TCP Reassembly Mode | Specifies the mode the sensor should use to reassemble TCP sessions: •Asymmetric—The sensor may be seeing only one direction of a bidirectional traffic flow. Note Asymmetric mode lets the sensor synchronize state with the flow and maintain inspection for those engines that do not require both directions. Asymmetric mode lowers security because full protection requires both sides of the traffic to be seen. •Loose—Use in environments where packets might be dropped. •Strict—If a packet is missed for any reason, all packets after the missed packet are not processed.
Max IP Log Packets | Identifies the number of packets you want logged.
IP Log Time | Identifies the duration you want the sensor to log. A valid value is 1 to 60 seconds. The default is 30 seconds.
Max IP Log Bytes | Identifies the maximum number of bytes you want logged.
Anomaly Detection Page
Use the Anomaly Detection page to configure anomaly detection. The anomaly detection policy can be shared but not inherited.
The following tabs are available on the Anomaly Detection page:
•Anomaly Detection Page > Operation Settings Tab
•Anomaly Detection Page > Learning Accept Mode Tab
•Anomaly Detection Page > Internal Zone, External Zone, and Illegal Zone Tabs
Navigation Path
•(Device view) Select IPS > Anomaly Detection from the Policy selector.
Related Topics
•Configuring Anomaly Detection, page 12-13
•Explaining Anomaly Detection, page 12-13
•Worm Viruses, page 12-13
•Learning Mode, page 12-14
•Anomaly Detection Zones, page 12-15
Anomaly Detection Page > Operation Settings Tab
Use the Operation Settings tab of the Anomaly Detection page to configure the worm timeout and the IP addresses that will be ignored during anomaly detection processing.
Navigation Path
(Device view) Select IPS > Anomaly Detection from the Policy selector. Click Operation Settings.
Related Topics
•Configuring Anomaly Detection, page 12-13
•Explaining Anomaly Detection, page 12-13
•Worm Viruses, page 12-13
•Learning Mode, page 12-14
•Anomaly Detection Zones, page 12-15
•Anomaly Detection Page > Learning Accept Mode Tab
•Anomaly Detection Page > Internal Zone, External Zone, and Illegal Zone Tabs
Field Reference
Table M-40 Operation Settings Tab
Worm Timeout | The number of seconds to wait for a worm termination to time out. The range is 120 to 10,000,000 seconds. The default is 600 seconds.
Enabled Ignored Addresses | When selected, enables the lists of ignored source IP addresses and destination IP addresses. You must select this check box, or none of the ignored IP address lists you enter will take effect.
Source Addresses to Ignore | The source IP address(es), or range(s) of source IP addresses, that you want the anomaly detection module to ignore. The valid form is 10.10.5.5,10.10.2.1-10.10.2.30.
Destination Addresses to Ignore | The destination IP address(es), or range(s) of destination IP addresses, that you want the anomaly detection module to ignore. The valid form is 10.10.5.5,10.10.2.1-10.10.2.30.
Anomaly Detection Page > Learning Accept Mode Tab
Use the Learning Accept Mode tab of the Anomaly Detection page to specify if and when the learning knowledge base in the anomaly detection module will be saved or loaded.
Navigation Path
(Device view) Select IPS > Anomaly Detection from the Policy selector. Click Learning Accept Mode.
Related Topics
•Configuring Anomaly Detection, page 12-13
•Explaining Anomaly Detection, page 12-13
•Worm Viruses, page 12-13
•Learning Mode, page 12-14
•Anomaly Detection Zones, page 12-15
•Anomaly Detection Page > Operation Settings Tab
•Anomaly Detection Page > Internal Zone, External Zone, and Illegal Zone Tabs
Field Reference
Table M-41 Learning Accept Mode Tab
Automatically accept learning knowledge base | When selected, the anomaly detection module updates the knowledge base; when deselected, it does not create a knowledge base. When you choose to automatically accept the learning knowledge base, you can specify the action (only save the learned thresholds, or rotate, that is, save and load, the learned thresholds automatically) and the schedule on which snapshots of the learning knowledge base are taken and loaded. If you choose Periodic Schedule, you must specify the start time, which is the time of the first learning knowledge base snapshot, and the learning interval, which is the number of hours to wait between snapshots.
Action | Specifies whether to rotate or save the knowledge base: •Save Only—Creates a new knowledge base. You can examine it and decide whether to load it into the anomaly detection module. •Rotate—Creates a new knowledge base and loads it according to the schedule you choose.
Schedule | Lets you choose Calendar Schedule or Periodic Schedule: •Periodic Schedule—Lets you configure the time of day of the first learning snapshot and the interval between subsequent snapshots. •Calendar Schedule—Lets you configure the days and times of day at which the knowledge base is created. The default is the periodic schedule, in 24-hour format.
Times of Day | Appears when you select Calendar from the Schedule list. Lets you configure the times of day at which the knowledge base is created. The valid format is hh:mm:ss.
Days of the Week | Appears when you select Calendar from the Schedule list. Lets you configure the days of the week on which the knowledge base is created.
Start Time | Appears when you select Periodic from the Schedule list. Specifies the time at which the first learning knowledge base snapshot starts. The valid format is hh:mm:ss.
Learning Interval in hours | Appears when you select Periodic from the Schedule list. Specifies the time, in hours, that the anomaly detection module learns from the network before creating a new knowledge base.
Times Of Day Dialog Box
Use the Times Of Day dialog box when using the Calendar Schedule selection, not the Periodic Schedule selection, on the Learning Accept Mode tab of the Anomaly Detection page. The Times Of Day dialog box appears as either Add Times Of Day or Modify Times Of Day.
In the Add appearance of the Times Of Day dialog box, add the clock hour times of day that you want anomaly detection to accept the learning knowledge base.
In the Modify appearance of the Times Of Day dialog box, modify the clock hour times of day that you want anomaly detection to accept the learning knowledge base.
Days Of Week Dialog Box
Use the Days of Week dialog box when using the Calendar Schedule selection, not the Periodic Schedule selection, on the Learning Accept Mode tab of the Anomaly Detection page. The Days Of Week dialog box appears as either Add Days Of Week or Modify Days Of Week.
In the Add appearance of the Days Of Week dialog box, add the days of the week that you want anomaly detection to accept the learning knowledge base.
In the Modify appearance of the Days Of Week dialog box, modify the days of the week that you want anomaly detection to accept the learning knowledge base.
Anomaly Detection Page > Internal Zone, External Zone, and Illegal Zone Tabs
The Anomaly Detection module divides the network into three zones, each represented by a unique tab:
•Internal Zone Tab. The internal zone should represent your internal network. It should receive all the traffic that comes to your IP address range.
•External Zone Tab. The external zone is the default zone with the default Internet range of 0.0.0.0-255.255.255.255. By default, the internal and illegal zones contain no IP addresses. Packets that do not match the set of IP addresses in the internal or illegal zone are handled by the external zone.
•Illegal Zone Tab. The illegal zone should represent IP address ranges that should never be seen in normal traffic, for example, unallocated IP addresses or part of your internal IP address range that is unoccupied.
Each of these three zones has its own designated set of IP addresses.
The following tabs are available on each of the zone tabs:
•General Sub-Tab
•TCP Protocol Sub-Tab
•UDP Protocol Sub-Tab
•Other Protocols Sub-Tab
Navigation Path
•(Device view) Select IPS > Anomaly Detection from the Policy selector. Click the Internal Zone tab.
•(Device view) Select IPS > Anomaly Detection from the Policy selector. Click the Illegal Zone tab.
•(Device view) Select IPS > Anomaly Detection from the Policy selector. Click the External Zone tab.
Related Topics
•Configuring Anomaly Detection, page 12-13
•Explaining Anomaly Detection, page 12-13
•Worm Viruses, page 12-13
•Learning Mode, page 12-14
•Anomaly Detection Zones, page 12-15
•Anomaly Detection Page > Operation Settings Tab
•Anomaly Detection Page > Learning Accept Mode Tab
General Sub-Tab
Use the General Sub-tab to enable the selected zone. For the Internal and External zones, you can also identify the Service Subnets of the zone.
Field Reference
Table M-42 General Sub-Tab
Enable this zone check box | If checked, enables the selected zone.
Service Subnets | (Visible on the Internal and External Zone tabs only) Lets you enter the subnets that you want to apply to the selected zone. The valid format is 10.10.5.5,10.10.2.1-10.10.2.30.
TCP Protocol Sub-Tab
Use the TCP Protocol Sub-tab to enter TCP Destination Port Maps and to configure threshold histogram properties.
Related Topics
•Dest Port Map Dialog Box
•Histogram Dialog Box
Field Reference
Table M-43 TCP Protocol Sub-Tab
Enabled check box | If checked, enables the selected zone.
Destination Port Map | Lists the TCP destination port maps that you have added for the selected zone. Use the Dest Port Map dialog box to add or modify entries.
Scanner Threshold | Lets you set the scanner threshold. The valid range is 5 to 1000. The default is 200.
Threshold Histogram | Displays the histograms that you added: •Number of Destination IP Addresses—Displays the number of destination IP addresses that you added. •Number of Source IP Addresses—Displays the number of source IP addresses that you added.
Dest Port Map Dialog Box
Use the Dest Port Map dialog box to add or modify destination ports for the selected protocol. The Dest Port Map dialog box appears as either Add Dest Port Map or Modify Dest Port Map.
Field Reference
Table M-44 Destination Port Dialog Box
Destination Port Number | Lets you enter the destination port number. The valid range is 0 to 65535.
Enabled check box | If checked, enables the service.
Override Scanner Settings check box | If checked, overrides the default scanner settings and lets you add, edit, delete, and select all histograms.
Scanner Threshold | Lets you set the scanner threshold. The valid range is 5 to 1000. The default is 200.
Threshold Histogram | Displays the histograms that you added: •Number of Destination IP Addresses—Displays the number of destination IP addresses that you added. •Number of Source IP Addresses—Displays the number of source IP addresses that you added.
Histogram Dialog Box
Use the Histogram dialog box to override the scanner settings instead of using the default histograms, or to modify a previously defined histogram for the selected protocol.
The knowledge base has a tree structure and contains the following information:
•Knowledge base name
•Zone name
•Protocol
•Service
The knowledge base holds a scanner threshold and a histogram for each service. If you have learning accept mode set to auto and the action set to rotate, a new knowledge base is created every 24 hours and used in the next 24 hours. If you have learning accept mode set to auto and the action is set to save only, a new knowledge base is created, but the current knowledge base is used. If you do not have learning accept mode set to auto, no knowledge base is created. For more information, see Anomaly Detection Page > Learning Accept Mode Tab.
Note Anomaly detection learning mode uses the sensor local time.
The scanner threshold defines the maximum number of zone IP addresses that a single source IP address can scan. The histogram threshold defines the maximum number of source IP addresses that can scan more than the specified numbers of zone IP addresses.
Anomaly detection identifies a worm attack when there is a deviation from the histogram that it learned while no attack was in progress (that is, when the number of source IP addresses that concurrently scan more than the defined number of zone destination IP addresses is exceeded). For example, if the scanner threshold is 300 and anomaly detection identifies a scanner that scans 350 zone destination IP addresses on port 445, it produces an action indicating that a mass scanner was detected. However, a single scanner does not yet verify that a worm attack is in progress. Table M-45 describes this example.
Table M-45 Example Histogram
Number of source IP addresses | 10 | 5 | 2
Number of destination IP addresses | 5 | 20 | 100
When anomaly detection identifies six concurrent source IP addresses that scan more than 50 zone destination IP addresses on port 445, it produces an action with an unspecified source IP address that indicates anomaly detection has identified a worm attack on port 445. The dynamic filter threshold, 50, specifies the new internal scanning threshold and causes anomaly detection to lower the threshold definition of a scanner so that anomaly detection produces additional dynamic filters for each source IP address that scans more than the new scanning threshold (50).
You can override what the knowledge base learned per anomaly detection policy and per zone. If you understand your network traffic, you may want to use overrides to limit false positives.
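The scanner-threshold and histogram logic described above, as an added example that is not part of the Security Manager documentation: a simplified Python model of one knowledge base entry evaluated against constructed flow records. The knowledge base name, zone, port, flow records and function names are assumptions, and the value chosen for the dynamic filter threshold is simplified to the destination count of the lowest histogram bucket that tripped (the page's walkthrough uses 50; the sensor's exact choice is not specified here).

```python
"""Added example (not Cisco code): a simplified model of how an anomaly
detection knowledge base entry (scanner threshold plus a three-bucket
histogram) is evaluated against per-source destination counts."""
from collections import defaultdict
from dataclasses import dataclass

# Destination-count buckets offered by the Histogram dialog box: low/medium/high.
LOW, MEDIUM, HIGH = 5, 20, 100


@dataclass(frozen=True)
class ServiceProfile:
    """Learned data for one service: the scanner threshold (5..1000) and, per
    destination bucket, the maximum number of sources (0..4096) that may scan
    more than that many zone addresses before a worm is declared."""
    scanner_threshold: int
    histogram: dict  # {bucket_destinations: max_sources}

    def __post_init__(self):
        if not 5 <= self.scanner_threshold <= 1000:
            raise ValueError("scanner threshold must be 5..1000")
        for dests, sources in self.histogram.items():
            if dests not in (LOW, MEDIUM, HIGH) or not 0 <= sources <= 4096:
                raise ValueError("bad histogram bucket")


# Knowledge base tree: name -> zone -> protocol -> service -> profile.
# Constructed values; port 445 carries the page's worked example (300 / 10-5-2).
KNOWLEDGE_BASE = {
    "kb-example": {
        "internal": {
            "tcp": {
                445: ServiceProfile(300, {LOW: 10, MEDIUM: 5, HIGH: 2}),
                "default": ServiceProfile(200, {LOW: 10, MEDIUM: 5, HIGH: 2}),
            }
        }
    }
}


def lookup(kb_name, zone, protocol, service):
    """Return the learned profile for a service, falling back to the protocol default."""
    services = KNOWLEDGE_BASE[kb_name][zone][protocol]
    return services.get(service, services["default"])


def destinations_per_source(flows, protocol, service):
    """flows: iterable of (src_ip, dst_ip, protocol, service) records (constructed).
    Counts distinct zone destinations per source for one protocol/service."""
    seen = defaultdict(set)
    for src, dst, proto, svc in flows:
        if proto == protocol and svc == service:
            seen[src].add(dst)
    return {src: len(dsts) for src, dsts in seen.items()}


def evaluate(kb_name, zone, protocol, service, flows):
    """Apply the scanner threshold first, then the histogram.

    scanners          sources above the scanner threshold (mass-scanner alerts)
    worm              True when some histogram bucket is exceeded
    dynamic_threshold lowered scanning threshold (lowest bucket that tripped)
    dynamic_filters   sources caught by the lowered threshold
    """
    profile = lookup(kb_name, zone, protocol, service)
    counts = destinations_per_source(flows, protocol, service)
    scanners = sorted(s for s, n in counts.items() if n > profile.scanner_threshold)

    dynamic_threshold = None
    for bucket in sorted(profile.histogram):
        concurrent = sum(1 for n in counts.values() if n > bucket)
        if concurrent > profile.histogram[bucket]:
            dynamic_threshold = bucket
            break

    dynamic_filters = []
    if dynamic_threshold is not None:
        dynamic_filters = sorted(s for s, n in counts.items() if n > dynamic_threshold)

    return {
        "scanners": scanners,
        "worm": dynamic_threshold is not None,
        "dynamic_threshold": dynamic_threshold,
        "dynamic_filters": dynamic_filters,
    }


def sample_flows(n_sources, dests_each, service=445):
    """Constructed traffic: n sources, each reaching dests_each distinct zone hosts."""
    flows = []
    for s in range(n_sources):
        src = f"10.1.{s + 1}.9"
        for d in range(dests_each):
            flows.append((src, f"10.2.{d // 250}.{d % 250 + 1}", "tcp", service))
    return flows


if __name__ == "__main__":
    # One host scanning 350 addresses on 445: mass scanner, not yet a worm.
    print(evaluate("kb-example", "internal", "tcp", 445, sample_flows(1, 350)))
    # Six hosts each scanning 60 addresses: bucket 20 (max 5 sources) trips.
    print(evaluate("kb-example", "internal", "tcp", 445, sample_flows(6, 60)))
```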
Related Topics
•Learning Mode, page 12-14
•TCP Protocol Sub-Tab
•UDP Protocol Sub-Tab
•Other Protocols Sub-Tab
•Dest Port Map Dialog Box
•Protocol Map Dialog Box
Field Reference
Table M-46 Histogram Dialog Box
Number of Destination IP Addresses | Lets you add a high, medium, or low number of destination IP addresses. Low is 5 destination IP addresses, medium is 20, and high is 100.
Number of Source IP Addresses | Lets you add the number of source IP addresses. The valid range is 0 to 4096.
UDP Protocol Sub-Tab
Use the UDP Protocol Sub-tab of the Internal Zone tab to enter UDP Destination Port Maps and to configure threshold histogram properties.
Related Topics
•Dest Port Map Dialog Box
•Histogram Dialog Box
Field Reference
Table M-47 UDP Protocol Sub-Tab
Enabled check box | If checked, enables the selected zone.
Destination Port Map | Lists the UDP destination port maps that you have added for the selected zone. Use the Dest Port Map dialog box to add or modify entries.
Scanner Threshold | Lets you set the scanner threshold. The valid range is 5 to 1000. The default is 200.
Threshold Histogram | Displays the histograms that you added: •Number of Destination IP Addresses—Displays the number of destination IP addresses that you added. •Number of Source IP Addresses—Displays the number of source IP addresses that you added.
Other Protocols Sub-Tab
Use the Other Protocols Sub-tab of the Internal Zone tab to enter protocol number maps for protocols other than TCP and UDP and to configure threshold histogram properties.
Related Topics
•Dest Port Map Dialog Box
•Histogram Dialog Box
Field Reference
Table M-48 Other Protocol Sub-Tab
Enabled check box | If checked, enables the selected zone.
Protocol Number Map | Lists the protocol number maps that you have added for the selected zone. Use the Protocol Map dialog box to add or modify entries.
Scanner Threshold | Lets you set the scanner threshold. The valid range is 5 to 1000. The default is 200.
Threshold Histogram | Displays the histograms that you added: •Number of Destination IP Addresses—Displays the number of destination IP addresses that you added. •Number of Source IP Addresses—Displays the number of source IP addresses that you added.
Protocol Map Dialog Box
Use the Protocol Map dialog box to specify protocols other than TCP and UDP. You can either use the default thresholds or override the scanner settings and add your own thresholds and histograms. The Protocol Map dialog box appears as either Add Protocol Map or Modify Protocol Map.
Related Topics
•Other Protocols Sub-Tab
•Histogram Dialog Box
Field Reference
Table M-49 Protocol Map Dialog Box
Protocol Number | Lets you enter the protocol number. The valid range is 0 to 255.
Enabled check box | If checked, enables the service.
Override Scanner Settings check box | If checked, overrides the default scanner settings and lets you add, edit, delete, and select all histograms.
Scanner Threshold | Lets you set the scanner threshold. The valid range is 5 to 1000. The default is 200.
Threshold Histogram | Displays the histograms that you added: •Number of Destination IP Addresses—Displays the number of destination IP addresses that you added. •Number of Source IP Addresses—Displays the number of source IP addresses that you added.
Global Correlation Policies
The pages that you access from the Global Correlation folder in Device View enable you to configure Inspection/Reputation and Network Participation.
Global Correlation policies are not available on sensors running a version of Cisco IPS software earlier than 7.0.
Note AIP-SSC-5 supports only IPS 6.2; therefore, it does not support Global Correlation policies.
These topics describe the main pages available from the Global Correlation folder:
•Inspection/Reputation Page
•Network Participation Page
Inspection/Reputation Page
Use the Inspection/Reputation page to configure Global Correlation inspection and reputation.
Navigation Path
•(Device view) Select IPS > Global Correlation > Inspection/Reputation from the Policy selector.
•(Policy view) Select IPS > Global Correlation > Inspection/Reputation from the Policy Type selector.
Related Topics
•Network Participation Page
Field Reference
Table M-50 Global Correlation Table
Global Correlation Inspection | If checked, enables Global Correlation inspection and reputation, which is turned off by default. You must accept the disclaimer to participate in Global Correlation inspection and reputation.
Global Correlation Influence | Identifies how you want the sensor to use Global Correlation information to initiate deny actions: •Permissive—Has the least aggressive effect on deny actions. •Standard—Has a moderately aggressive effect on deny actions. •Aggressive—Has a very aggressive effect on deny actions.
Reputation Filtering | If selected, the sensor maintains a list of attackers being denied by the system.
Test Global Correlation | If checked, reputation filtering does not deny access to known malicious hosts; only a report of what could have happened is generated.
Network Participation Page
Use the Network Participation page to set one of three modes for Network Participation.
Navigation Path
•(Device view) Select IPS > Global Correlation > Network Participation from the Policy selector.
•(Policy view) Select IPS > Global Correlation > Network Participation from the Policy Type selector.
Related Topics
•Inspection/Reputation Page
Field Reference
Table M-51 Network Participation Table
Network Participation | Identifies how you want to configure Network Participation: •Off—No data is contributed to the SensorBase network. •Partial—Data is contributed to the SensorBase network, but potentially sensitive information is withheld. Note Configuring the sensor for partial network participation limits a third party from extracting reconnaissance information about your internal network from the Global Correlation database. •Full—All data is contributed to the SensorBase network.
Event Action Policies
The pages that you access from the Event Actions folder from the Policies selector in Device View enable you to configure event actions and related settings.
These topics describe the main pages available from the Event Actions folder:
•Event Action Filters Page
•Event Action Overrides Page
•Network Information Page
•Event Actions > Settings Page
Event Action Filters Page
Use the Event Action Filters page to remove specific actions from an event or to discard an entire event and prevent further processing by the sensor.
Navigation Path
(Device view) Select IPS > Event Actions > Event Action Filters from the Policy selector.
Related Topics
•Event Action Policies
•Filter Item Dialog Box
Field Reference
Table M-52 Event Action Filters Page
Name | Identifies the filter by unique name.
IDs | Identifies the signature.
Subs | Identifies the subsignature.
Attackers | Identifies the IP address (or range) of the attacking host that triggers the filter.
Attack Ports | Identifies the port used by the attacker host that triggers the filter.
Victims | Identifies the IP address (or range) of the victim host that triggers the filter.
Victim Ports | Identifies the port targeted by the attacker host that triggers the filter.
Actions | Indicates the actions removed from the event when the filter is triggered.
RR | Indicates the risk rating range that triggers this event action filter. For detailed information on risk rating, see Calculating the Risk Rating in Installing and Using Cisco Intrusion Prevention System Device Manager 6.0.
Stop | Identifies whether or not this event will be processed against the remaining filters in the event action filters list.
Active | Identifies whether the filter is in the filter list.
Export to File button | Click this button to export the event action filters summary for the current device to a comma-separated values (CSV) file. You are prompted to select the folder on the Security Manager server and to specify a file name.
Up Row button | Moves the selected row up in the table. A first-match rule order determines which filter is applied: if the conditions of an event match those defined for a filter, and the filter has the Stop field set to Yes, that filter is applied and no additional filters are considered. Order the more restrictive rules before general rules in the table.
Down Row button | Moves the selected row down in the table.
Add button | Opens the Add Filter Item dialog box.
Edit button | Opens the Edit Filter Item dialog box.
Delete button | Removes the selected row from the event action filters table.
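The first-match evaluation this table describes, as an added example that is not Security Manager or Cisco IPS code: a stand-alone Python model in which filters are walked in table order, each matching filter removes its listed actions from the event, a match with Stop set ends the walk, and the Active and Enabled semantics follow the Filter Item dialog box below (inactive filters are not in the ordering at all; active but disabled filters are processed but not used). All filter names, addresses, signature IDs, risk ratings and action names are constructed.

```python
"""Added example (not Cisco code): a model of event action filter evaluation.
Each filter field is a range string in the form the page uses ('900-65535',
'0.0.0.0-255.255.255.255'); an empty field means the page's default range."""
from dataclasses import dataclass
from ipaddress import IPv4Address


def parse_range(text, lo_default, hi_default, conv=int):
    """'900-65535' -> (900, 65535); '2004' -> (2004, 2004); '' -> the defaults.
    Enforces the page's rule that the second number is >= the first."""
    if not text:
        return conv(lo_default), conv(hi_default)
    lo, _, hi = text.partition("-")
    lo_v = conv(lo)
    hi_v = conv(hi) if hi else lo_v
    if hi_v < lo_v:
        raise ValueError(f"second value must be >= first: {text!r}")
    return lo_v, hi_v


@dataclass
class Filter:
    name: str
    sig_ids: str = ""          # default 900-65535
    sub_ids: str = ""          # default 0-255
    attackers: str = ""        # default 0.0.0.0-255.255.255.255
    attacker_ports: str = ""   # default 0-65535
    victims: str = ""          # default 0.0.0.0-255.255.255.255
    victim_ports: str = ""     # default 0-65535
    risk_rating: str = ""      # default 0-100
    actions: frozenset = frozenset()  # actions removed when the filter matches
    stop: bool = False
    active: bool = False       # page default: not active
    enabled: bool = True       # page default: enabled

    def matches(self, ev):
        """True when every field of the event falls inside the filter's ranges."""
        checks = (
            (self.sig_ids, ev["sig_id"], 900, 65535, int),
            (self.sub_ids, ev["sub_id"], 0, 255, int),
            (self.attackers, ev["attacker"], "0.0.0.0", "255.255.255.255", IPv4Address),
            (self.attacker_ports, ev["attacker_port"], 0, 65535, int),
            (self.victims, ev["victim"], "0.0.0.0", "255.255.255.255", IPv4Address),
            (self.victim_ports, ev["victim_port"], 0, 65535, int),
            (self.risk_rating, ev["risk_rating"], 0, 100, int),
        )
        for spec, value, lo, hi, conv in checks:
            low, high = parse_range(spec, lo, hi, conv)
            if not low <= conv(value) <= high:
                return False
        return True


def apply_filters(filters, event):
    """Return (remaining_actions, names_of_filters_that_matched).

    Inactive filters are skipped entirely. An active but disabled filter is
    processed (its match is recorded) but removes nothing and does not stop
    the walk. A matching enabled filter with stop=True ends processing. An
    empty remaining set means the whole event is discarded."""
    remaining = set(event["actions"])
    matched = []
    for f in filters:
        if not f.active or not f.matches(event):
            continue
        matched.append(f.name)
        if not f.enabled:
            continue
        remaining -= f.actions
        if f.stop:
            break
    return remaining, matched


# Constructed filter table, in the order the Up/Down Row buttons would set.
FILTERS = [
    Filter("lab-scanners-no-deny", sig_ids="3000-3999",
           attackers="10.0.0.0-10.255.255.255",
           actions=frozenset({"deny-attacker-inline"}), active=True),
    Filter("audit-only", sig_ids="3000-3999", risk_rating="0-49",
           actions=frozenset({"request-block-host"}), active=True, enabled=False),
    Filter("drop-low-risk", risk_rating="0-29", stop=True, active=True,
           actions=frozenset({"produce-alert", "deny-attacker-inline",
                              "request-block-host"})),
    Filter("parked", actions=frozenset({"produce-alert"}), active=False),
]


def sample_event(sig_id, attacker, risk_rating):
    """Constructed event with the three actions the filters above can remove."""
    return {"sig_id": sig_id, "sub_id": 0, "attacker": attacker,
            "attacker_port": 40000, "victim": "192.0.2.10", "victim_port": 445,
            "risk_rating": risk_rating,
            "actions": {"produce-alert", "deny-attacker-inline", "request-block-host"}}


if __name__ == "__main__":
    print(apply_filters(FILTERS, sample_event(3001, "10.1.2.3", 40)))
    print(apply_filters(FILTERS, sample_event(3001, "198.51.100.7", 20)))
```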
Filter Item Dialog Box
Use the Filter Item dialog box to add items to a filter, remove items from a filter, and otherwise define the filter. Also, use the Filter Item dialog box to edit items in an existing filter.
The Filter Item dialog box appears as either Add Filter Item or Edit Filter Item.
In the Add appearance of the Filter Item dialog box, add items to a filter, remove items from a filter, and otherwise define the filter.
In the Edit appearance of the Filter Item dialog box, edit items in an existing filter.
Navigation Path
(Device view) Select IPS > Event Actions > Event Action Filters from the Policy selector. Click the Add button or the Edit button to open the Filter Item dialog box.
Related Topics
•Event Action Policies
•Event Action Filters Page
Field Reference
Table M-53 Filter Item Dialog Box
Enabled |
When selected, indicates that the filter is enabled. The default value is checked (enabled). If a filter is active but not enabled, it will still be included in the ordering list; it will be processed, but it will not be used. |
Active |
When selected, indicates that the filter has been put into the filter list and will take effect on filtering events. The default value is unchecked (not active). If a filter is not active, then it will not be included at all in the ordering of the filters; it will not be processed at all. |
Name |
Lets you name the filter you are adding. You need to name your filters so that you can move them around in the list and move them to the inactive list if needed. The following characters are valid for filter names: a-z, A-Z, 0-9, -, . (dot or period), : (colon), and _ (underscore). |
Signature IDs |
Identifies the unique numerical value assigned to this signature. This value lets the sensor identify a particular signature. You can also enter a range of signatures. The default value is the range 900-65535. |
SubSignature ID |
Identifies the unique numerical value assigned to this subsignature. The subSig ID identifies a more granular version of a broad signature. You can also enter a range of subSig IDs. The default value is the range of 0-255. |
Attacker Address |
Identifies the IP address of the host that sent the offending packet. You can also enter a range of addresses. The default value is a range of all addresses (0.0.0.0-255.255.255.255). |
Attacker Port |
Identifies the port used by the attacker host. This is the port from which the offending packet originated. You can also enter a range of ports. The default value is a range of all ports (0-65535). |
Victim Address |
Identifies the IP address of the host targeted by the attacker. You can also enter a range of addresses. The default value is a range of all addresses (0.0.0.0-255.255.255.255). |
Victim Port |
Identifies the port targeted by the attacker host. Valid values are between 0-65535. This is the port to which the offending packet was sent. You can also enter a range of ports. The default value is a range of all ports (0-65535). |
Risk Rating Min. and Max. |
Indicates the RR range between 0 and 100 that should be used to trigger this event action filter. The default value is the complete range (0-100). If an event occurs with an RR that falls within the minimum-maximum range you configure here, the event is processed against the rules of this event filter. |
OS Relevance |
Indicates whether the alert is relevant to the OS that has been identified for the victim. Possible values include one or more of the following: Not Relevant, Relevant, Unknown. Hold CTRL or SHIFT while clicking on the items to select multiple values. Note OS Relevance is applicable only to IPS 6.x devices, so for IOS IPS devices, this field is read-only and cannot be edited, and for IPS 5.x devices, this field is blank. |
Comments |
Displays the user comments associated with this filter. |
Actions to Subtract |
Indicates the actions that should be removed from the event, should the conditions of the event meet the criteria of the event action filter. You can select one or more actions in this list box. All selected actions are removed from the event. Hold CTRL or SHIFT while clicking on the items to select multiple values. For more information about the possible actions, see Edit Actions Dialog Box. For IOS IPS devices, the possible values are restricted to: •Deny Attacker Inline blocks the attacker's source IP address completely. No connection can be established from the attacker to the router until the shun time expires (this time is set by the user). •Deny Connection Inline blocks the appropriate TCP flow from the attacker. Other connections from the attacker can be established to the router. •Deny Packet Inline discards the packet without sending a reset. Cisco recommends using "drop and reset" in conjunction with alarm. •Produce Alert sends a notification about the attack through syslog or SDEE. •Reset TCP Connection is effective for TCP-based connections and sends a reset to both the source and destination addresses. For example, in case of a half-open SYN attack, Cisco IOS IPS can reset the TCP connections. |
% to Deny |
Indicates the percentage of packets to deny for deny attacker features. Valid values range between 1 and 100%. Note For IOS IPS devices, this field is read-only and cannot be edited. |
Stop on Match check box |
Determines whether or not this event will be processed against remaining filters in the event action filters list. If set to No, the remaining filters are processed for a match until a Stop flag is encountered. If set to Yes, no further processing is done. The actions specified by this filter are removed and the remaining actions are performed. |
Event Action Overrides Page
Use the Event Action Overrides page to view a summary page of event action overrides that act globally (rather than per signature) to override, or change, the actions associated with an event based on the risk rating of that event.
Navigation Path
(Device view) Select IPS > Event Actions > Event Action Overrides from the Policy selector.
Related Topics
•Event Action Override Dialog Box
•Edit Actions Dialog Box
Field Reference
Table M-54 Event Action Overrides Page
Action |
Specifies the event action that will be added to an event if the conditions of this event action override are satisfied. |
Range |
Indicates the risk rating range between 0 and 100 defined for this rule. If an event occurs with a risk rating that falls within the minimum-maximum range defined, the event action override is added to the list of actions to be performed when that event is triggered. |
Enabled |
Indicates whether or not the override is enabled. |
Export to File button |
Click this button to export the event action overrides summary for the current device to a comma-separated values (CSV) file. You are prompted to select the folder on the Security Manager server and to specify a file name. |
Add button |
Opens the Event Action Override dialog box. |
Edit button |
Opens the Event Action Override dialog box. |
Delete button |
Removes the selected event action overrides row from the table. |
Event Action Override Dialog Box
Use the Event Action Override dialog box to add or edit an event action override that acts globally (rather than per signature) to change the actions associated with an event based on the risk rating of that event.
The Event Action Override dialog box appears as either Add Event Action Override or Edit Event Action Override. In the Add appearance of the Event Action Override dialog box, add an event action override. In the Edit appearance of the Event Action Override dialog box, edit an event action override.
Navigation Path
(Device view) Select IPS > Event Actions > Event Action Overrides from the Policy selector. Click the Add button or the Edit button to open the Event Action Override dialog box.
Related Topics
•Event Action Policies
•Event Action Overrides Page
•Edit Actions Dialog Box
Field Reference
Table M-55 Event Action Override Dialog Box
Event Action |
Specifies the event action that will be added to an event if the conditions of this event action override are satisfied. |
Enabled |
Indicates whether or not the override is enabled. |
Risk Rating |
Indicates the risk rating range between 0 and 100 that should be used to trigger this event action override. If an event occurs with a risk rating that falls within the minimum-maximum range you configure here, the event action is added to this event. |
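As an added example that is not Cisco Security Manager or sensor code, the following Python sketch models how the Filter Item settings (Enabled, Active, the ID, address, port and risk-rating ranges, Actions to Subtract, Stop on Match) and the Event Action Override risk-rating ranges change the action set of one event. The first-match walk, the reading of a disabled-but-active filter as contributing nothing, the ordering of overrides before filters, and all event, override and filter values are this example's own assumptions and constructed data.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address

ANY_ADDR = (IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255"))  # page default range
# Event action names from this page (a subset; which ones a signature carries is constructed here).
PRODUCE_ALERT = "Produce Alert"
DENY_ATTACKER_INLINE = "Deny Attacker Inline"
DENY_PACKET_INLINE = "Deny Packet Inline"


@dataclass
class Event:
    """An alert as the filter engine sees it; `actions` starts as the signature's own actions."""
    sig_id: int
    subsig_id: int
    attacker: IPv4Address
    attacker_port: int
    victim: IPv4Address
    victim_port: int
    risk_rating: int
    actions: set = field(default_factory=set)


@dataclass
class Filter:
    """One Filter Item row; each range is an inclusive (low, high) pair with the page's defaults."""
    name: str
    actions_to_subtract: set
    enabled: bool = True
    active: bool = True
    stop_on_match: bool = False
    sig_ids: tuple = (900, 65535)
    subsig_ids: tuple = (0, 255)
    attacker_addrs: tuple = ANY_ADDR
    attacker_ports: tuple = (0, 65535)
    victim_addrs: tuple = ANY_ADDR
    victim_ports: tuple = (0, 65535)
    risk_rating: tuple = (0, 100)

    def matches(self, ev):
        checks = ((self.sig_ids, ev.sig_id), (self.subsig_ids, ev.subsig_id),
                  (self.attacker_addrs, ev.attacker), (self.attacker_ports, ev.attacker_port),
                  (self.victim_addrs, ev.victim), (self.victim_ports, ev.victim_port),
                  (self.risk_rating, ev.risk_rating))
        return all(lo <= value <= hi for (lo, hi), value in checks)


@dataclass
class Override:
    """One Event Action Override row: adds `action` when the event's RR is inside the range."""
    action: str
    risk_rating: tuple
    enabled: bool = True


def apply_overrides(ev, overrides):
    actions = set(ev.actions)
    for ov in overrides:
        lo, hi = ov.risk_rating
        if ov.enabled and lo <= ev.risk_rating <= hi:
            actions.add(ov.action)
    return actions


def apply_filters(ev, actions, filters):
    """First-match walk of the ordered filter list; returns (remaining actions, names applied).
    Inactive filters are not in the ordering at all. An active but disabled filter is
    evaluated but not used: here that means it neither subtracts actions nor honours its
    Stop flag (this example's reading of "processed, but it will not be used")."""
    remaining, applied = set(actions), []
    for flt in filters:
        if not (flt.active and flt.enabled and flt.matches(ev)):
            continue
        remaining -= flt.actions_to_subtract
        applied.append(flt.name)
        if flt.stop_on_match:
            break
    return remaining, applied


def evaluate(ev, overrides, filters):
    """Overrides add actions by risk rating, then filters subtract them in list order."""
    return apply_filters(ev, apply_overrides(ev, overrides), filters)


# Constructed sample: a host in a scanner subnet hits a web server and a signature fires with RR 85.
SAMPLE_EVENT = Event(sig_id=2004, subsig_id=0, attacker=IPv4Address("10.1.1.5"), attacker_port=40000,
                     victim=IPv4Address("192.168.1.10"), victim_port=80, risk_rating=85,
                     actions={PRODUCE_ALERT})
SAMPLE_OVERRIDES = [Override(DENY_ATTACKER_INLINE, (90, 100)),   # RR 85 is below this range
                    Override(DENY_PACKET_INLINE, (70, 100))]     # RR 85 is inside: action added
# Specific rule first with Stop set, so the general rule after it is never reached.
SAMPLE_FILTERS = [
    Filter("trusted-scanner", {DENY_PACKET_INLINE}, stop_on_match=True,
           attacker_addrs=(IPv4Address("10.1.1.0"), IPv4Address("10.1.1.255"))),
    Filter("quiet-web", {PRODUCE_ALERT}, victim_ports=(80, 80)),
]
```

Reversing SAMPLE_FILTERS shows why the page asks for restrictive rules first: the general rule then runs before the specific one and both subtract, leaving the event with no actions.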
Network Information Page
Use the Network Information page to enable or disable passive operating system fingerprinting (POSFP), limit Attack Relevance Rating (ARR) computation to specific IP addresses, and define fixed OS mappings.
Target Value Ratings Tab
Use the Target Value Ratings tab to view a summary of Target Value Ratings (TVRs). TVR is a weight associated with the perceived value of the target. You can assign a TVR to your network assets. The TVR is one of the factors used to calculate the RR value for each alert. You can assign different TVRs to different targets. Events with a higher RR trigger more severe signature event actions.
TVR identifies the importance of a network asset through its IP address. You can develop a security policy that is strict for valuable corporate resources and lenient for less important resources.
Navigation Path
(Device view) Select IPS > Event Actions > Network Information from the Policy selector. Click the Target Value Ratings tab.
Related Topics
•Event Action Policies
•Target Value Rating Dialog Box
Field Reference
Table M-56 Target Value Tab
Value |
Indicates the perceived value selected for this target. |
Targets |
Identifies the targets associated with the selected value. |
Add button |
Opens the Add Target Value Rating dialog box. |
Edit button |
Opens the Edit Target Value Rating dialog box. |
Delete button |
Removes the selected Target Value Rating from the table. |
Target Value Rating Dialog Box
Use the Target Value Rating dialog box to add a TVR to one or more IP addresses. Also, use the Target Value Rating dialog box to edit a TVR that has already been assigned.
The Target Value Rating dialog box appears as either Add Target Value Rating or Edit Target Value Rating. In the Add appearance of the Target Value Rating dialog box, add a TVR. In the Edit appearance of the Target Value Rating dialog box, edit a TVR.
Navigation Path
(Device view) Select IPS > Event Actions > Network Information from the Policy selector. Click the Target Value Ratings tab. Click the Add button or the Edit button to open the Target Value Rating dialog box.
Related Topics
•Event Action Policies
•Network Information Page
•Target Value Ratings Tab
Field Reference
Table M-57 Target Value Rating Dialog Box
Value |
Identifies the value assigned to this network asset. The value can be High, Low, Medium, Mission Critical, or No Value. |
target-addresses |
Identifies the IP address(es) of the network asset(s) you want to prioritize with a TVR. |
OS Identification Tab
Use the OS Identification tab to configure OS host mappings, which take precedence over learned OS mappings. On the OS Identification tab you can add, edit, and delete configured OS maps. You can move them up and down in the list to change the order in which the sensor computes the ARR and RR for that particular IP address and OS type combination.
Note OS Identification applies to IPS 6.x sensors only, not earlier versions.
You can also move them up and down in the list to change the order in which the sensor resolves the OS associated with a particular IP address. Configured OS mappings allow for ranges, so for network 192.168.1.0/24 an administrator might define the following:
192.168.1.1 | IOS
192.168.1.2-192.168.1.10,192.168.1.25 | UNIX
192.168.1.1-192.168.1.255 | Windows
More specific mappings should be at the beginning of the list. Overlap in the IP address range sets is allowed, but the entry closest to the beginning of the list takes precedence.
In the fields listed, do not use 0.0.0.0-255.255.255.255 because it causes problems with TVR. Use 0.0.0.1-255.255.255.255 instead. For more information, refer to CSCsr19163 in the Bug Toolkit.
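As an added example that is not Cisco Security Manager or sensor code, this Python snippet models the first-match lookup described above over the page's sample map, using the same comma and dash address syntax, and lints a map list for two pitfalls the text names: an entry shadowed by a broader entry earlier in the list, and the 0.0.0.0-255.255.255.255 range. The learned-mapping fallback and the function names are this example's assumptions.

```python
from ipaddress import IPv4Address


def parse_address_set(text):
    """'192.168.1.2-192.168.1.10,192.168.1.25' -> [(lo, hi), ...] of inclusive IPv4Address pairs."""
    ranges = []
    for part in text.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (IPv4Address(p.strip()) for p in part.split("-", 1))
        else:
            lo = hi = IPv4Address(part)
        if lo > hi:
            raise ValueError(f"lower bound above upper bound in {part!r}")
        ranges.append((lo, hi))
    return ranges


def resolve_os(os_maps, ip, learned=None):
    """os_maps is an ordered list of (address_set_text, os_type) rows as on the OS Identification tab.
    Configured maps take precedence over learned (passive OS fingerprinting) mappings, and within
    the configured list the entry closest to the beginning wins."""
    addr = IPv4Address(ip)
    for addr_text, os_type in os_maps:
        if any(lo <= addr <= hi for lo, hi in parse_address_set(addr_text)):
            return os_type
    return (learned or {}).get(str(addr), "Unknown OS")  # 'Unknown OS' is a value the dialog offers


def lint_os_maps(os_maps):
    """Returns (problem, entry_text) tuples: 'shadowed' when an earlier, broader entry fully covers a
    later one (the later one can never match), and 'full-range' for 0.0.0.0-255.255.255.255, which the
    page says to replace with 0.0.0.1-255.255.255.255."""
    problems = []
    parsed = [parse_address_set(text) for text, _ in os_maps]
    full = (IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255"))
    for i, ranges in enumerate(parsed):
        if full in ranges:
            problems.append(("full-range", os_maps[i][0]))
        for j in range(i + 1, len(parsed)):
            covered = all(any(lo_a <= lo_b and hi_b <= hi_a for lo_a, hi_a in ranges)
                          for lo_b, hi_b in parsed[j])
            if covered:
                problems.append(("shadowed", os_maps[j][0]))
    return problems


# The page's example for network 192.168.1.0/24, in the order the page lists it.
EXAMPLE_MAPS = [
    ("192.168.1.1", "IOS"),
    ("192.168.1.2-192.168.1.10,192.168.1.25", "UNIX"),
    ("192.168.1.1-192.168.1.255", "Windows"),
]
```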
Navigation Path
(Device view) Select IPS > Event Actions > Network Information from the Policy selector. Click the OS Identification tab.
Related Topics
•Event Action Policies
•Network Information Page
•OS Map Dialog Box
Field Reference
Table M-58 OS Identification Tab
Enable Passive OS Fingerprinting |
When checked, lets the sensor perform passive OS analysis. |
Restricted to these IP Addresses |
Lets you configure the mapping of OS type to a specific IP address and have the sensor calculate the ARR for that IP address. |
IP Addresses |
Identifies the IP addresses associated with the selected OS type. |
OS Type |
Identifies the operating system(s) associated with the IP addresses. |
Up Row button |
Moves the selected row up in the table. |
Down Row button |
Moves the selected row down in the table. |
Add button |
Opens the Add OS Map dialog box. |
Edit button |
Opens the Edit OS Map dialog box. |
Delete button |
Removes the selected OS Map from the table. |
OS Map Dialog Box
Use the OS Map dialog box to map a host through its IP address to an OS type. Also, use the OS Map dialog box to change the map of a host through its IP address to an OS type.
The OS Map dialog box appears as either Add OS Map or Edit OS Map. In the Add appearance of the OS Map dialog box, add an OS Map. In the Edit appearance of the OS Map dialog box, edit an OS Map.
Navigation Path
(Device view) Select IPS > Event Actions > Network Information from the Policy selector. Click the OS Identification tab. Click the Add button or the Edit button to open the OS Map dialog box.
Related Topics
•Event Action Policies
•Network Information Page
•OS Identification Tab
Field Reference
Table M-59 OS Map Dialog Box
IP Addresses |
Identifies the IP address of the selected device. |
OS Type |
Identifies the operating system type(s) associated with the selected IP addresses. Select one or more of the following values: •General OS •IOS •Mac OS •Netware •Other •UNIX •AIX •BSD •HP-UX •IRIX •Linux •Solaris •Windows •Windows NT/2K/XP •WinNT •Unknown OS Hold CTRL or SHIFT while clicking on the items to select multiple values. |
Event Actions > Settings Page
Use the Event Actions > Settings page to define Event Actions. An event action is the sensor's response to an event.
Navigation Path
(Device view) Select IPS > Event Actions > Settings from the Policy selector.
Related Topics
•Event Actions > Settings Page
Field Reference
Table M-60 Settings Page
Enable Event Action Override check box |
When selected, enables override rules as defined on the Event Action Overrides page. You can add an event action override to change the actions associated with an event based on specific details about that event. |
Enable Event Action Filters check box |
When selected, enables the filter rules as defined on the Event Action Filters page. You can configure event action filters to remove specific actions from an event or to discard an entire event and prevent further processing by the sensor. |
Enable Event Action Summarizer check box |
When selected, enables the Summarizer component. The Summarizer groups events into a single alert, thus decreasing the number of alerts the sensor sends out. By default, the Summarizer is enabled. If you disable it, all signatures are set to Fire All with no summarization. If you configure individual signatures to summarize, this configuration is ignored when the Summarizer is not enabled. |
Enable Meta Event Generator check box |
When selected, enables the Meta Event Generator. The Meta Event Generator processes the component events, which lets the sensor watch for suspicious activity transpiring over a series of events. By default, the Meta Event Generator is enabled. If you disable the Meta Event Generator, all Meta engine signatures are disabled. |
Enable Threat Rating Adjustment check box |
When selected, enables threat rating adjustment, which adjusts the risk rating. If disabled, risk rating is equal to threat rating. The Threat Rating feature (new in Cisco IPS Sensor Software Version 6.0) provides a single view of the threat environment of the network. Threat Rating minimizes alarms and events through a customized view that shows only events with a high Threat Rating value. The Threat Rating value is derived as follows: •Dynamic adjustment of event Risk Rating based on success of response action •If response action was applied, Risk Rating is deprecated (Threat Rating < Risk Rating) •If response action was not applied, Risk Rating remains unchanged (Threat Rating = Risk Rating) The result is a single value by which the threat risk is determined. |
Deny Attacker Duration in seconds |
Number of seconds to deny the attacker inline. The valid range is 0 to 518400. The default is 3600. |
Block Attack Duration in minutes |
Number of minutes to block a host or connection. The valid range is 0 to 10000000. The default is 30. |
Maximum Number of Denied Attackers |
Limits the number of denied attackers possible in the system at any one time. The valid range is 0 to 100000000. The default is 10000. |
Enable One Way TCP Reset |
When selected, enables one way TCP reset. Available only in inline mode. Tip In inline mode, all packets entering or leaving the network must pass through the sensor. |
Interfaces Page
The following tabs are available on the Interfaces page:
•Physical Interfaces Tab
•Inline Pairs Tab
•VLAN Pairs Tab
•VLAN Groups Tab
•Summary Tab
Physical Interfaces Tab
The Physical Interfaces tab lists the existing physical interfaces on your sensor and their associated settings. The sensor detects the interfaces and populates the interfaces list in the Interfaces pane.
To configure the sensor to monitor traffic, you must enable the interface. When you initialized the sensor using the setup command (using the command line interface in Cisco IPS), you assigned the interface or the inline pair to a virtual sensor, and enabled the interface or inline pair. If you need to change your interface settings, you can do so on the Physical Interfaces tab. To assign an interface to a virtual sensor, select the Virtual Sensors policy, click the Add/Edit button, and use the dialog box to assign an available interface to the virtual sensor.
Navigation Path
(Device view) Select IPS > Interfaces from the Policy selector. Click the Physical Interfaces tab.
Related Topics
•Interfaces Page
Field Reference
Table M-61 Physical Interfaces Tab
Interface Name |
Name of the interface. The values are FastEthernet or GigabitEthernet for all interfaces. |
Media Type |
Indicates the media type. The media type options are the following: •TX—Copper media •SX—Fiber media •XL—Network accelerator card •Backplane interface—An internal interface that connects the module to the parent chassis' backplane |
Description |
Lets you provide a description of the interface. |
Enabled |
Whether or not the interface is enabled. |
Duplex |
Indicates the duplex setting of the interface. The duplex type options are the following: •Auto—Sets the interface to auto negotiate duplex •Full—Sets the interface to full duplex •Half—Sets the interface to half duplex |
Speed |
Indicates the speed setting of the interface. The speed type options are the following: •Auto—Sets the interface to auto negotiate speed •10 MB—Sets the interface to 10 MB (for TX interfaces only) •100 MB—Sets the interface to 100 MB (for TX interfaces only) •1000—Sets the interface to 1 GB (for gigabit interfaces only) |
Specify Interface for TCP Reset |
If selected, sends TCP resets on an alternate interface when this interface is used for promiscuous monitoring and the reset action is triggered by a signature firing. |
Bypass Mode |
A global setting that specifies the bypass mode setting for all interfaces on this device. Values are: •Off (Always inspect inline traffic) •On (Never inspect inline traffic) •Auto (Bypass inspection when analysis engine is stopped) |
CDP Mode |
A global setting, but one that applies only to inline interfaces (both inline-interface and inline-vlan-pair). Values are: •Forward CDP packets (enable forwarding of Cisco Discovery Protocol packets) •Drop CDP packets (disable forwarding of Cisco Discovery Protocol packets) |
Modify Physical Interface Map Dialog Box
Use the Modify Physical Interface Map dialog box to change the configuration of the physical interfaces of a sensor.
Navigation Path
(Device view) Select IPS > Interfaces from the Policy selector. Click the Physical Interfaces tab. Click the Edit button to open the Modify Physical Interfaces dialog box. The fields in Table M-62 may be modified.
Related Topics
•Interfaces Page
Field Reference
Table M-62 Modify Physical Interfaces Dialog Box
Description |
Lets you provide a description of the interface. |
Enabled |
Specify whether or not the interface is enabled. |
Duplex |
Select the duplex setting of the interface. The duplex type options are the following: •Auto—Sets the interface to auto negotiate duplex. •Full—Sets the interface to full duplex. •Half—Sets the interface to half duplex. |
Speed |
Select the speed setting of the interface. The speed type options are the following: •Auto—Sets the interface to auto negotiate speed. •10 MB—Sets the interface to 10 MB (for TX interfaces only). •100 MB—Sets the interface to 100 MB (for TX interfaces only). •1000—Sets the interface to 1 GB (for gigabit interfaces only). |
Default VLAN |
Specify the VLAN ID associated with native traffic, or 0 if unknown or if you do not care which VLAN it is. |
Specify Interface for TCP Reset |
If selected, sends TCP resets on an alternate interface when this interface is used for promiscuous monitoring and the reset action is triggered by a signature firing. |
interface-name |
Select the interface that sends the TCP reset. |
Inline Pairs Tab
Use the Inline Pairs tab to see the existing inline pairs configured on the IPS.
Navigation Path
(Device view) Select IPS > Interfaces from the Policy selector. Click the Inline Pairs tab.
Related Topics
•Interfaces Page
•Physical Interfaces Tab
Field Reference
Table M-63 Inline Pairs Tab
Name |
The name you give this inline interface pair. |
Interface A |
The first interface in the pair. The interface must be defined on the Physical Interfaces tab. |
Interface B |
The second interface in the pair. The interface must be defined on the Physical Interfaces tab. |
Description |
Lets you add a description of this interface pair. |
Bypass Mode |
A global setting that specifies the bypass mode setting for all interfaces on this device. Values are: •Off (Always inspect inline traffic) •On (Never inspect inline traffic) •Auto (Bypass inspection when analysis engine is stopped) |
CDP Mode |
A global setting, but one that applies only to inline interfaces (both inline-interface and inline-vlan-pair). Values are: •Forward CDP packets (enable forwarding of Cisco Discovery Protocol packets) •Drop CDP packets (disable forwarding of Cisco Discovery Protocol packets) |
Interface Pair Dialog Box
You can pair interfaces on your sensor if your sensor is capable of inline monitoring. Use the Interface Pair dialog box to add an inline pair of interfaces to a sensor. Also, use the Interface Pair dialog box to edit an inline pair of interfaces that has already been added to a sensor.
The Interface Pair dialog box appears as either Add Interface Pair or Edit Interface Pair. In the Add appearance of the Interface Pair dialog box, add an inline pair of interfaces to a sensor. In the Edit appearance of the Interface Pair dialog box, edit an inline pair of interfaces that has already been added to a sensor.
You cannot delete an inline pair if there is an inline VLAN group. First delete the inline VLAN group from the VLAN Groups tab, and then delete the inline pair.
Navigation Path
(Device view) Select IPS > Interfaces from the Policy selector. Click the Inline Pairs tab. Click the Add button or the Edit button to open the Interface Pair dialog box.
Related Topics
•Interfaces Page
•Inline Pairs Tab
•Physical Interfaces Tab
Field Reference
Table M-64 Interface Pair Dialog Box
Inline Interface Name |
Enter the name of this inline interface pair. The name must be fewer than 32 characters and may contain only alphanumeric characters and underscores. |
Interface A |
Select the first interface in the pair. The interface must be defined on the Physical Interfaces tab. |
Interface B |
Select the second interface in the pair. The interface must be defined on the Physical Interfaces tab. |
Description |
Lets you add a description of this interface pair. |
VLAN Pairs Tab
Use the VLAN Pairs tab to view a summary of the existing inline VLAN pairs for each physical interface.
The VLAN Pairs tab displays the existing inline VLAN pairs for each physical interface. Click Add to create an inline VLAN pair.
Note You cannot create an inline VLAN pair for an interface that has already been paired with another interface or for an interface that is in promiscuous mode and assigned to a virtual sensor.
To create an inline VLAN pair for an interface that is in promiscuous mode, you must remove the interface from the virtual sensor and then create the inline VLAN pair. If the interface is already paired or in promiscuous mode, you receive an error message when you try to create an inline VLAN pair.
Note If your sensor does not support inline VLAN pairs, the VLAN Pairs pane is not displayed. AIP-SSM and NM-CIDS do not support inline VLAN pairs.
Navigation Path
(Device view) Select IPS > Interfaces from the Policy selector. Click the VLAN Pairs tab.
Related Topics
•Interfaces Page
Field Reference
Table M-65 VLAN Pairs Tab
Interface Name |
Select the name of the inline VLAN pair. |
Subinterface Number |
Subinterface number of the inline VLAN pair. The value is 1 to 255. |
Description |
Lets you provide a description of the inline VLAN pair. |
VLAN A |
Displays the VLAN ID for the first VLAN. The value is 1 to 4095. |
VLAN B |
Displays the VLAN ID for the second VLAN. The value is 1 to 4095. |
Bypass Mode |
A global setting that specifies the bypass mode setting for all interfaces on this device. Values are: •Off (Always inspect inline traffic) •On (Never inspect inline traffic) •Auto (Bypass inspection when analysis engine is stopped) |
CDP Mode |
A global setting, but one that applies only to inline interfaces (both inline-interface and inline-vlan-pair). Values are: •Forward CDP packets (enable forwarding of Cisco Discovery Protocol packets) •Drop CDP packets (disable forwarding of Cisco Discovery Protocol packets) |
VLAN Pair Dialog Box
Use the VLAN Pair dialog box to add a pair of VLANs to a sensor. Also, use the VLAN Pair dialog box to edit a pair of VLANs previously added to a sensor.
The VLAN Pair dialog box appears as either Add VLAN Pair or Edit VLAN Pair. In the Add appearance of the VLAN Pair dialog box, add a VLAN pair for a physical interface. In the Edit appearance of the VLAN Pair dialog box, edit a VLAN pair that has already been added to a physical interface.
Note You cannot pair a VLAN with itself.
Note The subinterface number and the VLAN numbers should be unique to each physical interface.
Navigation Path
(Device view) Select IPS > Interfaces from the Policy selector. Click the VLAN Pairs tab. Click the Add button or the Edit button to open the VLAN Pair dialog box.
Related Topics
•Interfaces Page
Field Reference
Table M-66 VLAN Pairs Dialog Box
Physical Interface |
Select the physical interface to which this VLAN pair is assigned. |
Subinterface Number |
Specify the subinterface number of the inline VLAN pair. The value is 1 to 255. |
Description |
Lets you provide a description of the inline VLAN pair. |
VLAN A |
Specify the VLAN number for the first VLAN. The value is 1 to 4095. |
VLAN B |
Specify the VLAN number for the second VLAN. The value is 1 to 4095. |
VLAN Groups Tab
In the VLAN Groups tab you can add, edit, or delete VLAN groups that you defined in the sensor interface configuration. A VLAN group consists of a group of VLAN IDs that exist on an interface. There are two types of VLAN groups: promiscuous and inline. Promiscuous VLAN groups are created on a promiscuous interface. Inline VLAN groups are created on an existing interface pair. Each VLAN group consists of at least one VLAN ID. You can have up to 255 VLAN groups per interface (logical or physical). Each group can contain any number of VLAN IDs. You then assign each VLAN group to a single virtual sensor (not to multiple virtual sensors). You can assign different VLAN groups on the same sensor to different virtual sensors.
After you assign the VLAN IDs to the VLAN group, you must assign the VLAN group to a virtual sensor.
Navigation Path
(Device view) Select IPS > Interfaces from the Policy selector. Click the VLAN Groups tab.
Related Topics
•Interfaces Page
Field Reference
Table M-67 VLAN Groups Tab
Name |
The physical or logical interface name of the VLAN group. |
Subinterface Number |
Subinterface number of the VLAN group. The value is 1 to 255. |
Description |
Lets you provide a description of the VLAN group. |
VLANs |
Displays the range of VLAN IDs belonging to the VLAN group. Each VLAN ID is a number between 1 and 4095. |
Bypass Mode |
A global setting that specifies the bypass mode setting for all interfaces on this device. Values are: •Off (Always inspect inline traffic) •On (Never inspect inline traffic) •Auto (Bypass inspection when analysis engine is stopped) |
CDP Mode |
A global setting, but one that applies only to inline interfaces (both inline-interface and inline-vlan-pair). Values are: •Forward CDP packets (enable forwarding of Cisco Discovery Protocol packets) •Drop CDP packets (disable forwarding of Cisco Discovery Protocol packets) |
VLAN Group Map Dialog Box
Use the VLAN Group Map dialog box to add a group of VLANs to a sensor. Also, use the VLAN Group Map dialog box to edit a group of VLANs previously added to a sensor.
The VLAN Group Map dialog box appears as either Add VLAN Group Map or Edit VLAN Group Map. In the Add appearance of the VLAN Group Map dialog box, add a group of VLANs to a sensor. In the Edit appearance of the VLAN Group Map dialog box, edit a group of VLANs that has already been added to a sensor.
Note The subinterface number and VLAN IDs should be unique on each physical interface and inline pair.
Navigation Path
(Device view) Select IPS > Interfaces from the Policy selector. Click the VLAN Groups tab. Click the Add button or the Edit button to open the VLAN Group Map dialog box.
Related Topics
•Interfaces Page
Field Reference
Table M-68 VLAN Group Map Dialog Box
Physical and Logical Interfaces |
Select the physical or logical interface name of the VLAN group. |
Subinterface Number |
Specify the subinterface number of the VLAN group. The value is 1 to 255. |
Description |
Lets you provide a description of the VLAN group. |
All Unassigned VLAN IDs |
Selects all VLAN IDs that are not a member of another VLAN group definition. |
Range of Free VLANs IDs |
Specify the range of VLAN IDs belonging to the VLAN group. The format is dashed pairs of lower-upper IDs, separated by commas. For example, 23-44, 91-144. |
Summary Tab
Use the Summary tab on the Interfaces page to see a summary of how you have configured the sensing interfaces—the interfaces you have configured for promiscuous mode, the interfaces you have configured as inline pairs, and the interfaces you have configured as inline VLAN pairs.
The content of this page changes when you change your interface configuration.
Caution
You can configure any single physical interface to run in promiscuous mode, inline pair mode, inline VLAN pair mode, promiscuous VLAN group, or inline VLAN group, but you cannot configure an interface in a combination of these modes.
Navigation Path
(Device view) Select IPS > Interfaces from the Policy selector. Click the Summary tab.
Related Topics
•Interfaces Page
•Physical Interfaces Tab
•Inline Pairs Tab
•VLAN Pairs Tab
•VLAN Groups Tab
Field Reference
Table M-69 Summary Tab
Name |
Name of the interface. The values are FastEthernet or GigabitEthernet for promiscuous interfaces. |
Subinterface Number |
Subinterface number of the inline VLAN pair or VLAN group. The value is 1 to 255. |
Inline Interface Name |
The name of this inline interface pair. |
Mode |
Identifies whether the interface is promiscuous, inline, promiscuous VLAN group, or inline VLAN group and whether there are VLAN pairs. |
VLAN A |
Displays the VLAN ID for the first VLAN. The value is 1 to 4095. |
VLAN B |
Displays the VLAN ID for the second VLAN. The value is 1 to 4095. |
VLANs Range |
Displays the range of VLAN IDs belonging to the VLAN group. Each VLAN ID is an number between 1 and 4095. |
Bypass Mode |
A global setting that specifies the bypass mode setting for all interfaces on this device. Values are: •Off (Always inspect inline traffic) •On (Never inspect inline traffic) •Auto (Bypass inspection when analysis engine is stopped) |
CDP Mode |
A global setting, but one that applies only to inline interfaces (both inline-interface and inline-vlan-pair). Values are: •Forward CDP packets (enable forwarding of Cisco Discovery Protocol packets) •Drop CDP packets (disable forwarding of Cisco Discovery Protocol packets) |
Platform Policies
The pages that you access from the Platform Policies folder from the Policies selector in Device View enable you to configure device administration, logging, and security.
These topics describe the folder and main pages available from the Platform Policies folder:
•Device Admin Policies
•Logging Page
•Security Policies
Device Admin Policies
The pages that you access from the Device Admin folder from the Policies selector in Device View enable you to configure device access and server access.
These topics describe the folders available from the Device Admin Policies folder:
•Device Access Policies
•Server Access Policies
Device Access Policies
The pages that you access from the Device Access folder from the Policies Selector in Device View enable you to identify allowed hosts and configure SNMP.
Allowed Hosts Page
Use the Allowed Hosts page to view a summary of the hosts that are allowed to connect to a sensor. By default, all hosts on your network can connect to a sensor to configure it and receive alarm data from it. However, you can identify the hosts that are allowed to connect to a sensor, and no other hosts will be allowed to connect.
Note If your Security Manager server is not an allowed host, then you are not able to connect to your IPS sensors and manage them.
Navigation Path
(Device view) Select Platform > Device Admin > Device Access > Allowed Hosts from the Policy selector.
Field Reference
Table M-70 Allowed Hosts Page
Element | Description
Network address | Identifies the allowed host in prefix notation: <IP network>/subnet mask. For example, 64.0.0.0/8.
Add button | Opens the Add Access List dialog box.
Edit button | Opens the Modify Access List dialog box.
Delete button | Deletes the selected allowed host.
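The Note above states the practical risk of this page: an Allowed Hosts list that omits the Security Manager server leaves the sensor unmanageable. The following Python is an added example, not code from this reference or from Security Manager: it parses entries in the <IP network>/subnet mask notation shown in the table, tests whether a given address is admitted, and flags a policy that either excludes the management server or contains a /0 entry (which re-admits every host, the default the policy exists to narrow). The management server address and the 192.0.2.0/24 entry are constructed sample values; 64.0.0.0/8 is the page's own example.

```python
import ipaddress
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_allowed_hosts(entries: List[str]) -> List[Network]:
    """Parse allowed-host entries written in <IP network>/subnet mask notation."""
    nets: List[Network] = []
    for entry in entries:
        entry = entry.strip()
        if "/" not in entry:
            raise ValueError(f"{entry!r}: expected prefix notation such as 64.0.0.0/8")
        # strict=False accepts a host address with a mask (e.g. 192.0.2.5/24)
        # and normalises it to the containing network.
        nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def is_allowed(host: str, nets: List[Network]) -> bool:
    """True if host falls inside any allowed network of the same IP version."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in nets if net.version == addr.version)


def review_allowed_hosts(manager_ip: str, entries: List[str]) -> List[str]:
    """Pre-deployment checks for an Allowed Hosts policy.

    Returns a list of warnings; an empty list means the policy can be pushed
    without locking the management server out.
    """
    nets = parse_allowed_hosts(entries)
    warnings: List[str] = []
    # Locking the management server out means the sensor can no longer be managed.
    if not is_allowed(manager_ip, nets):
        warnings.append(f"Security Manager server {manager_ip} is not an allowed host")
    # A /0 entry admits every host, so the policy restricts nothing.
    for net in nets:
        if net.prefixlen == 0:
            warnings.append(f"{net} allows every host; the policy restricts nothing")
    return warnings


if __name__ == "__main__":
    # Constructed sample: the management server lives in 192.0.2.0/24.
    policy = ["64.0.0.0/8", "192.0.2.0/24"]
    print(review_allowed_hosts("192.0.2.10", policy))      # []
    print(review_allowed_hosts("198.51.100.7", policy))    # one lockout warning
```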
Access List Dialog Box
The Access List dialog box appears as either the Add Access List dialog box or the Modify Access List dialog box. Use the Add Access List dialog box to identify the hosts that you want to be able to connect to a sensor. Use the Modify Access List dialog box to change an existing list of hosts that you want to be able to connect to a sensor.
Navigation Path
(Device view) Select Platform > Device Admin > Device Access > Allowed Hosts from the Policy selector. Click the Add button or the Edit button.
Field Reference
Table M-71 Access List Dialog Box
Element | Description
Network address | Identifies the allowed host in prefix notation: <IP network>/subnet mask. For example, 64.0.0.0/8.
Select... button | Opens the Available Networks/Hosts dialog box.
SNMP Page
Use the SNMP page to configure Simple Network Management Protocol (SNMP). Security Manager does not use SNMP to manage sensors, but the sensors support SNMP and therefore require a means of configuration in Security Manager.
SNMP configuration has three parts:
•General Configuration—Enables you to configure general SNMP parameters and apply them to sensors.
•Traps Configuration—Enables you to configure traps and apply them to sensors.
•Traps Destination—Enables you to identify recipients that the traps should be sent to.
General Configuration Tab
Use the General Configuration tab on the SNMP page to configure general SNMP parameters and apply them to sensors.
Navigation Path
(Device view) Select Platform > Device Admin > Device Access > SNMP from the Policy selector. The General Configuration tab is active by default.
Field Reference
Table M-72 SNMP > General Configuration Tab
Element | Description
Enable SNMP Gets/Sets | Allows you to enable the sensor to respond to get and set queries. If this field is disabled, the sensor does not respond to get or set queries.
Read-Only Community String | Sets the read-only community string of the sensor to a string you specify. When a sensor receives an SNMP get request with the specified read-only community string, it responds. This string gives access to all SNMP get requests.
Read-Write Community String | Sets the read-write community string of the sensor to a string you specify. When a sensor receives an SNMP get request, or an SNMP set request, with the specified read-write community string, it responds. This string gives access to all SNMP get requests and set requests.
Sensor Contact | The network administrator who is responsible for this sensor.
Sensor Location | The physical location of the sensor appliance or other hardware used as a sensing device.
Sensor Agent Port | Instructs a sensor to run the SNMP agent on the specified port. Valid port numbers range from 1 to 65535.
Snmp Agent Protocol | Instructs a sensor to run SNMP on top of a particular transport protocol. The options available are TCP (Transmission Control Protocol) and UDP (User Datagram Protocol).
Select... button | Opens the Port Lists Selector dialog box.
SNMP Trap Configuration Tab
Use the SNMP Trap Configuration tab on the SNMP page to configure traps, apply them to sensors, and identify the recipients that the traps should be sent to.
Navigation Path
(Device view) Select Platform > Device Admin > Device Access > SNMP from the Policy selector. Click the SNMP Trap Configuration tab.
Field Reference
Table M-73 SNMP > SNMP Trap Configuration Tab
Element | Description
Enable Notifications | Allows you to enable the sensor to notify interested parties whenever a specific type of event occurs in a sensor. When you select this check box, the sensor is instructed to perform notification. (You can also use the Traps Destination function to configure interested parties.) If the Enable Notifications check box is not selected, the sensor does not send notifications.
Error Filter | Use this set of filters to specify the level of notifications that are enabled. The three levels of notification are Fatal, Error, and Warning. When you select one or more of these filters, you enable the sensor to send notification of events that correspond to the levels selected.
Enable Detail Traps | When selected, this check box enables the sensor to send the detailed traps for all alerts.
Default Trap Community String | All traps that are being notified carry a community string. All traps that have a community string identical to that of the destination are taken by the destination. All other traps are discarded by the destination. This is the default community string; it can be overridden at any individual destination.
Trap Destinations | A summary table of the trap destinations that you have configured, with the following information listed: •IP Address •Trap Community String •Trap Port
Add button | Opens the Add Snmp Trap Communication dialog box.
Edit button | Opens the Modify Snmp Trap Communication dialog box.
Delete button | Deletes the selected trap destination.
Snmp Trap Communication Dialog Box
The Snmp Trap Communication dialog box appears as either the Add Snmp Trap Communication dialog box or the Modify Snmp Trap Communication dialog box. Use the Add form of this dialog box to add an Snmp trap destination. Use the Modify form of this dialog box to modify an Snmp trap destination that you added earlier.
Navigation Path
(Device view) Select Platform > Device Admin > Device Access > SNMP from the Policy selector. Click the SNMP Trap Configuration tab. Click the Add button or the Edit button.
Field Reference
Table M-74 Add Snmp Trap Communication Dialog Box
Element | Description
Ip Address | Identifies the trap destination in prefix notation: <IP network>/subnet mask. For example, 64.0.0.0/8. One of the three items that define a trap.
Select... button | Opens the Available Networks/Hosts dialog box.
Trap Community String | The community string of the trap. (All traps that are being notified carry a community string.) One of the three items that define a trap.
Trap Port | The port used by the trap. One of the three items that define a trap.
Select... button | Opens the Port Lists Selector dialog box.
Password Requirements Page
Use the Password Requirements page to configure how passwords are created for Cisco IPS sensors managed by Cisco Security Manager. All user-created sensor passwords must conform to the policy that you set on the Password Requirements page.
Navigation Path
•(Device view) Select Platform > Device Admin > Device Access > Password Requirements from the Policy selector.
•(Policy view) Select IPS > Platform > Device Admin > Password Requirements from the Policy Type selector. Right-click Password Requirements to create a policy, or select an existing policy from the Shared Policy selector.
Field Reference
Table M-75 Password Requirements Page
Element | Description
Attempt Limit | Lets you lock accounts so that users cannot keep trying to log in after a certain number of failed attempts. The default is 0, which indicates unlimited authentication attempts. For security purposes, you should change this number.
Size Range | Range you specify for the minimum and maximum allowed size for a password. The valid range is 6 to 64 characters.
Minimum Digit Characters | Minimum number of numeric digits that you specify must be in a password.
Minimum Upper Case Characters | Minimum number of uppercase alphabet characters that you specify must be in a password.
Minimum Lower Case Characters | Minimum number of lowercase alphabet characters that you specify must be in a password.
Minimum Other Characters | Minimum number of non-alphanumeric printable characters that you specify must be in a password.
Number of Historical Passwords | Number of historical passwords you want the sensor to remember for each account. Any attempt to change the password of an account fails if the new password matches any of the remembered passwords. When this value is 0, no previous passwords are remembered.
Caution
If the password policy includes minimum numbers of character sets, such as uppercase or number characters, the sum of the minimum number of required character sets cannot exceed the minimum password size. For example, you cannot set a minimum password size of eight and also require that passwords must contain at least five lowercase and five uppercase characters.
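The table and Caution above together define a policy that must be internally consistent before it can be applied to passwords. The following Python is an added example, not code from this reference or from Security Manager: `policy_problems` checks the policy itself (the 6 to 64 size range, the Caution's rule that the required character-set minimums cannot exceed the minimum size, and an attempt limit left at the unlimited default of 0), and `password_problems` applies a consistent policy to a candidate password, including the historical-password rule. The `PasswordPolicy` dataclass, its field names and the sample passwords are constructed for illustration; the comparison against previous passwords uses plain strings only to keep the example self-contained.

```python
from dataclasses import dataclass
from typing import Dict, List

SIZE_MIN_ALLOWED, SIZE_MAX_ALLOWED = 6, 64  # valid Size Range on the page


@dataclass
class PasswordPolicy:
    """Settings from the Password Requirements page (field names are illustrative)."""
    attempt_limit: int = 0      # 0 = unlimited authentication attempts (page default)
    size_min: int = 6
    size_max: int = 64
    min_digits: int = 0
    min_upper: int = 0
    min_lower: int = 0
    min_other: int = 0          # non-alphanumeric printable characters
    history: int = 0            # 0 = no previous passwords remembered


def policy_problems(p: PasswordPolicy) -> List[str]:
    """Consistency checks on the policy itself, before any password is tested."""
    problems: List[str] = []
    if not (SIZE_MIN_ALLOWED <= p.size_min <= p.size_max <= SIZE_MAX_ALLOWED):
        problems.append("size range must satisfy 6 <= minimum <= maximum <= 64")
    required = p.min_digits + p.min_upper + p.min_lower + p.min_other
    if required > p.size_min:
        # The Caution: the sum of required character-set minimums cannot exceed the minimum size.
        problems.append(f"required character sets total {required}, "
                        f"more than the minimum size {p.size_min}")
    if p.attempt_limit == 0:
        problems.append("attempt limit 0 permits unlimited failed logins")
    return problems


def password_problems(candidate: str, p: PasswordPolicy, previous: List[str]) -> List[str]:
    """Check a candidate password against p; previous holds earlier passwords, newest first."""
    problems: List[str] = []
    n = len(candidate)
    if not p.size_min <= n <= p.size_max:
        problems.append(f"length {n} outside {p.size_min}-{p.size_max}")
    counts: Dict[str, int] = {
        "digit": sum(c.isdigit() for c in candidate),
        "uppercase": sum(c.isupper() for c in candidate),
        "lowercase": sum(c.islower() for c in candidate),
        "other": sum((not c.isalnum()) and c.isprintable() for c in candidate),
    }
    needs = {"digit": p.min_digits, "uppercase": p.min_upper,
             "lowercase": p.min_lower, "other": p.min_other}
    for kind, minimum in needs.items():
        if counts[kind] < minimum:
            problems.append(f"needs at least {minimum} {kind} characters, has {counts[kind]}")
    # Number of Historical Passwords: reject a match against the remembered ones.
    if p.history and candidate in previous[:p.history]:
        problems.append(f"matches one of the last {p.history} passwords")
    return problems


if __name__ == "__main__":
    # Constructed sample policy and passwords.
    policy = PasswordPolicy(attempt_limit=5, size_min=8, min_digits=1, min_upper=1,
                            min_lower=1, min_other=1, history=3)
    print(policy_problems(policy))                                # []
    print(password_problems("Sens0r!pass", policy, []))           # []
    print(password_problems("sensor", policy, []))                # length and set failures
    print(password_problems("Sens0r!pass", policy, ["Sens0r!pass"]))  # history failure
```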
Server Access Policies
The pages that you access from the Server Access folder from the Policy Selector in Device View enable you to configure server access.
These topics describe the pages available from the Server Access folder:
•External Product Interface Page
•NTP Page
•DNS Page
•HTTP Proxy Page
External Product Interface Page
Use the External Product Interface page to configure the way that Security Manager works with external products.
Note Management Center for Cisco Security Agents is the only external product for which interfaces can be configured for IPS in Security Manager.
Navigation Path
(Device view) Select Platform > Device Admin > Server Access > External Product Interface from the Policy selector.
Management Center for Cisco Security Agents Tab
Use the Management Center for Cisco Security Agents tab to configure the way that Security Manager works with Management Center for Cisco Security Agents.
Note Only two interfaces can be configured for Management Center for Cisco Security Agents.
Navigation Path
(Device view) Select Platform > Device Admin > Server Access > External Product Interface from the Policy selector. The Management Center for Cisco Security Agents tab is active by default.
Field Reference
Table M-76 External Product Interface > Management Center for Cisco Security Agents Tab
Element | Description
IP Address | The IP address of the external product.
Interface Type | Identifies the physical interface type, that is, copper or fiber.
Enable | Specifies whether an agent is enabled to notify the management station of significant events by way of an unsolicited SNMP message.
URL | The URL of the external product.
Port | Specifies the port being used for communications.
Username | A valid user name for authentication to the external product.
Add button | Opens the Add External Product Interface dialog box.
Edit button | Opens the Edit External Product Interface dialog box.
Delete button | Deletes the selected External Product Interface.
External Product Interface Dialog Box
Use the External Product Interface dialog box to add or modify interfaces between Management Center for Cisco Security Agents and Security Manager. This dialog box appears in two forms: Add and Edit.
Also use the External Product Interface dialog box to add or modify Posture ACLs.
Navigation Path
(Device view) Select Platform > Device Admin > Server Access > External Product Interface from the Policy selector. The Management Center for Cisco Security Agents tab is active by default. Click the Add button or the Edit button.
Field Reference
Table M-77 External Product Interface Dialog Box
Element | Description
External Product's IP Address | The IP address of the external product.
Select... button | Opens the Available Networks/Hosts dialog box.
Interface Type | Identifies the physical interface type, that is, copper or fiber.
Enable receipt of information | Specifies whether an agent is enabled to notify the management station of significant events by way of an unsolicited SNMP message.
SDEE URL | The URL of the external product.
Port | Specifies the port being used for communications.
Select... button | Opens the Port Lists Selector dialog box.
User name | A valid user name for authentication to the external product. A value in this field is mandatory.
Password | A valid password for authentication to the external product. A value in this field is mandatory.
Enable receipt of host postures | When checked, allows the host posture information to be passed from the external product to the sensor.
Allow unreachable hosts' postures | When checked, allows the host posture information from unreachable hosts to be passed from the external product to the sensor.
Add button | Opens the Add Posture Acl dialog box.
Edit button | Opens the Modify Posture Acl dialog box.
Delete button | Deletes the selected posture ACL.
Manual Watch List RR increase | Identifies the risk rating increase for the manual watch list. The default is 25, and the valid range is 0 to 35.
Session-based Watch List RR Increase | Identifies the risk rating increase for the session-based watch list. The default is 25, and the valid range is 0 to 35.
Packet-based Watch List RR Increase | Identifies the risk rating increase for the packet-based watch list. The default is 10, and the valid range is 0 to 35.
Posture Acl Dialog Box
Host Posture ACLs indicate how host postures received from Management Center for Cisco Security Agents should be handled.
Navigation Path
(Device view) Select Platform > Device Admin > Server Access > External Product Interface from the Policy selector. The Management Center for Cisco Security Agents tab is active by default. Click the Add button to open the Add External Product Interface dialog box. Click the Add button or the Edit button to open the Posture Acl dialog box.
Field Reference
Table M-78 Posture Acl Dialog Box
Element | Description
Network Address | Network address of the posture ACL.
Select... button | Opens the Available Networks/Hosts dialog box.
Action | Action (deny or permit) the posture ACL will take.
NTP Page
Use the NTP page to identify a Network Time Protocol (NTP) server to use with a sensor. NTP server time can be used with a sensor that you manage with Security Manager.
Navigation Path
(Device view) Select Platform > Device Admin > Server Access > NTP from the Policy selector. The Network Time Protocol page appears.
Field Reference
Table M-79 NTP Page
Element | Description
NTP Server IP Address | The IP address of the NTP server.
Select button | Opens the Available Networks/Hosts dialog box.
Authenticated NTP check box | When selected, indicates that the NTP server is authenticated. When selected, enables the Key and Key ID fields.
Key | The key value of the NTP server (not required when configuring an NTP server; unauthenticated servers can be used—an NTP server IP with no Key or Key ID is interpreted to mean that the server is unauthenticated). The key is an MD5 key (either numeric or character); it is the key that was used to set up the NTP server. Enabled only when the Authenticated NTP check box is selected.
Key ID | The key ID value of the NTP server (not required when configuring an NTP server; unauthenticated servers can be used—an NTP server IP with no Key or Key ID is interpreted to mean that the server is unauthenticated). Enabled only when the Authenticated NTP check box is selected.
DNS Page
Use the DNS page to identify a Domain Name System (DNS) server to use with Collaboration policies.
Collaboration policies are not available on sensors running a version of Cisco IPS software earlier than 7.0.
Navigation Path
(Device view) Select Platform > Device Admin > Server Access > DNS from the Policy selector. The Domain Name Server page appears.
Field Reference
Table M-80 Domain Name Server Page
Element | Description
Name Server 1 | The IP address of the primary DNS server used in Collaboration policies.
Select... button | Opens the Available Networks/Hosts dialog box.
Name Server 2 | The IP address of the secondary DNS server used in Collaboration policies.
Name Server 3 | The IP address of the tertiary DNS server used in Collaboration policies.
HTTP Proxy Page
Use the HTTP Proxy page to identify a proxy server and port to use with Collaboration policies.
Collaboration policies are not available on sensors running a version of Cisco IPS software earlier than 7.0.
You may need a proxy server to download Global Correlation updates if your network requires outbound HTTP traffic to pass through a proxy.
Navigation Path
(Device view) Select Platform > Device Admin > Server Access > HTTP Proxy from the Policy selector. The HTTP Proxy page appears.
Field Reference
Table M-81 HTTP Proxy Page
Element | Description
HTTP Proxy Server | The IP address of the proxy server used in Collaboration policies.
HTTP Proxy Port | The HTTP port number for the proxy server used in Collaboration policies.
Logging Page
Use the Logging page to configure traffic flow notifications and Analysis Engine global variables.
Navigation Path
(Device view) Select Platform > Logging from the Policy selector.
Interface Notifications Tab
Use the Interface Notifications tab to configure traffic flow notifications.
Navigation Path
(Device view) Select Platform > Logging from the Policy selector. The Interface Notifications tab is active by default.
Field Reference
Table M-82 Logging > Interface Notifications Tab
Element | Description
Missed Packets Threshold | The percentage of missed packets that must be reached before a notification is sent. The default value is 0, and the valid range is 0 through 100.
Notification Interval | The length of time in seconds over which the percentage of missed packets is checked. The default value is 30, and the valid range is 5 to 3600.
Interface Idle Threshold | The length of time in seconds that an interface may be idle (not receiving packets) before you are notified. The default value is 30, and the valid range is 5 to 3600.
Analysis Engine Tab
Use the Analysis Engine tab to configure the Analysis Engine global variables.
Navigation Path
(Device view) Select Platform > Logging from the Policy selector. Click the Analysis Engine tab.
Field Reference
Table M-83 Logging > Analysis Engine Tab
Element | Description
Maximum Open IP Log Files | The maximum number of IP log files that can be open at one time. The valid range is from 20 to 100. The default is 20.
Security Policies
The pages that you access from the Security folder in Device View help you configure blocking properties.
This topic describes the main page available from the Security folder:
•Blocking Page
Blocking Page
Use the Blocking page to configure sensor blocking properties. You can configure sensors to block attacks; you also can manage other devices to block attacks.
The following tabs are available on the Blocking page:
•Blocking Page > General Tab
•Blocking Page > User Profiles Tab
•Blocking Page > Master Blocking Sensors Tab
•Blocking Page > Router Tab
•Blocking Page > Firewall Tab
•Blocking Page > Catalyst 6K Tab
•Blocking Page > Never Block Hosts and Networks Tab
Navigation Path
(Device view) Select Platform > Security > Blocking from the Policy selector.
Related Topic
•Configuring Blocking, page 16-9
Blocking Page > General Tab
Use the General tab of the Blocking Properties page to configure the basic settings required to enable blocking and rate limiting.
Navigation Path
(Device view) Select Platform > Security > Blocking from the Policy selector. Click the General tab.
Related Topic
•Configuring Blocking, page 16-9
Field Reference
Table M-84 General Tab
Element | Description
Log All Block Events and Errors | When selected, configures the sensor to log events that follow blocks from start to finish and any error messages that occur. When a block is added to or removed from a device, an event is logged. You may not want all these events and errors to be logged. Disabling this option suppresses new events and errors. The default is enabled. Note Log all block events and errors also applies to rate limiting.
Enable NVRAM Write | When selected, configures the sensor to have the router write to non-volatile RAM (NVRAM) when Attack Response Control (ARC) first connects. If enabled, NVRAM is written each time the ACLs are updated. The default is disabled. Enabling NVRAM writing ensures that all changes for blocking and rate limiting are written to NVRAM. If the router is rebooted, the correct blocks and rate limits will still be active. If NVRAM writing is disabled, a short time without blocking or rate limiting occurs after a router reboot. Not enabling NVRAM writing increases the life of the NVRAM and decreases the time for new blocks and rate limits to be configured.
Enable ACL Logging | When selected, causes ARC to append the log parameter to block entries in the access control list (ACL) or VLAN ACL (VACL). This causes the device to generate syslog events when packets are filtered. This option only applies to routers and switches. The default is disabled.
Allow Sensor IP address to be Blocked | When selected, specifies that the sensor IP address can be blocked. The default is disabled.
Enable Blocking | When selected, enables blocking of hosts. The default is enabled. Note When you enable blocking, you also enable rate limiting. When you disable blocking, you also disable rate limiting. This means that ARC cannot add new or remove existing blocks or rate limits. Even if you do not enable blocking, you can configure all other blocking settings.
Max Blocks | The maximum number of entries to block. The valid range is 1 to 65535. The default is 250.
Max Interfaces | Configures the maximum number of interfaces for performing blocks. For example, a PIX 500 series security appliance counts as one interface. A router with one interface counts as one, but a router with two interfaces counts as two. The maximum number of interfaces is 250 per device. The default is 250. Note You use Max Interfaces to set an upper limit on the number of devices and interfaces that ARC can manage. The total number of blocking devices (not including master blocking sensors) cannot exceed this value. The total number of blocking items also cannot exceed this value, where a blocking item is one security appliance context, one router blocking interface/direction, or one Catalyst Software switch blocking VLAN. In addition, the following maximum limits are fixed and you cannot change them: 100 interfaces per device, 250 security appliances, 250 routers, 250 Catalyst Software switches, and 100 master blocking sensors.
Max Ratelimits | Maximum number of rate limit entries. The maximum number of rate limits must be equal to or less than the maximum number of blocking entries. If you configure more rate limit entries than block entries, you receive an error. The valid range is 1 to 32767. The default value is 250.
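The Max Blocks, Max Interfaces and Max Ratelimits rows above carry several interacting limits (the configurable ranges, the rate-limit-versus-block ordering, the per-device and per-kind fixed caps, and the way blocking items are counted). The following Python is an added example, not code from this reference or from Security Manager: it encodes those rules as a pre-deployment check over a constructed inventory of blocking devices. The `BlockingDevice` and `GeneralSettings` dataclasses, their field names and the assumed lower bound of 1 for Max Interfaces are illustrative; the numeric limits are the ones stated in the table.

```python
from dataclasses import dataclass
from typing import Dict, List

# Fixed limits listed under Max Interfaces; the page says they cannot be changed.
MAX_ITEMS_PER_DEVICE = 100
MAX_DEVICES_PER_KIND: Dict[str, int] = {
    "security_appliance": 250,
    "router": 250,
    "catalyst_switch": 250,
}
MAX_MASTER_BLOCKING_SENSORS = 100


@dataclass
class BlockingDevice:
    kind: str    # "security_appliance", "router" or "catalyst_switch"
    items: int   # blocking items on this device: contexts, interface/direction pairs, or VLANs


@dataclass
class GeneralSettings:
    """Values from the General tab (defaults are the page's defaults)."""
    max_blocks: int = 250       # valid 1 to 65535
    max_ratelimits: int = 250   # valid 1 to 32767, must not exceed max_blocks
    max_interfaces: int = 250   # at most 250; lower bound of 1 is an assumption


def blocking_problems(settings: GeneralSettings, devices: List[BlockingDevice],
                      master_sensors: int) -> List[str]:
    """Return every rule from the General tab that the configuration violates."""
    problems: List[str] = []
    if not 1 <= settings.max_blocks <= 65535:
        problems.append(f"Max Blocks {settings.max_blocks} outside 1-65535")
    if not 1 <= settings.max_ratelimits <= 32767:
        problems.append(f"Max Ratelimits {settings.max_ratelimits} outside 1-32767")
    if settings.max_ratelimits > settings.max_blocks:
        problems.append("Max Ratelimits exceeds Max Blocks (the sensor reports an error)")
    if not 1 <= settings.max_interfaces <= 250:
        problems.append(f"Max Interfaces {settings.max_interfaces} outside 1-250")

    per_kind = {kind: 0 for kind in MAX_DEVICES_PER_KIND}
    total_items = 0
    for dev in devices:
        if dev.kind not in per_kind:
            problems.append(f"unknown device kind {dev.kind!r}")
            continue
        per_kind[dev.kind] += 1
        total_items += dev.items
        if dev.items > MAX_ITEMS_PER_DEVICE:
            problems.append(f"{dev.kind} has {dev.items} items; fixed limit is {MAX_ITEMS_PER_DEVICE}")
    for kind, count in per_kind.items():
        if count > MAX_DEVICES_PER_KIND[kind]:
            problems.append(f"{count} {kind} devices; fixed limit is {MAX_DEVICES_PER_KIND[kind]}")

    # Max Interfaces caps both the device count (master blocking sensors excluded)
    # and the total number of blocking items.
    counted_devices = sum(per_kind.values())
    if counted_devices > settings.max_interfaces:
        problems.append(f"{counted_devices} blocking devices exceed Max Interfaces {settings.max_interfaces}")
    if total_items > settings.max_interfaces:
        problems.append(f"{total_items} blocking items exceed Max Interfaces {settings.max_interfaces}")
    if master_sensors > MAX_MASTER_BLOCKING_SENSORS:
        problems.append(f"{master_sensors} master blocking sensors; fixed limit is {MAX_MASTER_BLOCKING_SENSORS}")
    return problems


if __name__ == "__main__":
    # Constructed inventory: one router blocking in and out on one interface, one appliance.
    inventory = [BlockingDevice("router", 2), BlockingDevice("security_appliance", 1)]
    print(blocking_problems(GeneralSettings(), inventory, master_sensors=1))       # []
    print(blocking_problems(GeneralSettings(max_interfaces=2), inventory, 0))      # items exceed
```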
Blocking Page > User Profiles Tab
Use the User Profiles tab of the Blocking page to define the connection credentials for the blocking devices. After you populate this table, you can choose one of the profiles from it when you define blocking devices.
Navigation Path
(Device view) Select Platform > Security > Blocking from the Policy selector. Click the User Profiles tab.
Related Topic
•Configuring Blocking, page 16-9.
Field Reference
Table M-85 User Profiles Tab
Element | Description
Profile Name | Name of the profile.
Enable Password | (Optional) Enable password used on the blocking device. The enable password is found only in the Add User Profile dialog box. Note If a password exists, it is displayed with a fixed number of asterisks.
Password | (Optional) Login password used to log in to the blocking device. Found only in the Add User Profile dialog box. Note If a password exists, it is displayed with a fixed number of asterisks.
Username | (Optional) Username used to log in to the blocking device.
Add button | Opens the Add User Profile dialog box.
Edit button | Opens the Modify User Profile dialog box.
Delete button | Removes the selected user profile from the table.
User Profile Dialog Box
Use the User Profile Dialog Box to add or modify a user profile that you can use when you define blocking devices.
Navigation Path
(Device view) Select Platform > Security > Blocking from the Policy selector. Click the User Profiles tab. Select a row. Click the Add button or the Modify button.
Field Reference
Table M-86 User Profile Dialog Box
Element | Description
Profile Name | Name of the profile.
Enable Password | (Optional) Enable password used on the blocking device. Note If a password exists, it is displayed with a fixed number of asterisks.
Password | (Optional) Login password used to log in to the blocking device. Note If a password exists, it is displayed with a fixed number of asterisks.
Username | (Optional) Username used to log in to the blocking device.
Blocking Page > Master Blocking Sensors Tab
Use the Master Blocking Sensors tab of the Blocking Properties page to configure a master blocking sensor. The master blocking sensor must have one blocking device assigned.
Navigation Path
(Device view) Select Platform > Security > Blocking from the Policy selector. Click the Master Blocking Sensors tab.
Related Topic
•Configuring Blocking, page 16-9.
Field Reference
Table M-87 Master Blocking Sensors Tab
Element | Description
IP Address | IP address of the master blocking sensor. You receive a warning if the IP address already exists. Security Manager allows you to specify the IP address in either of two ways: by entering it manually or by choosing an existing sensor that is known to Security Manager.
Username | Username used to log in to the master blocking sensor.
Password | The login password used to log in to the master blocking sensor.
Port | (Optional) Port on which to connect on the master blocking sensor. The default is 443.
TLS | Whether or not to use transport layer security (TLS).
Add button | Opens the Add Master Blocking Sensor dialog box.
Edit button | Opens the Modify Master Blocking Sensor dialog box.
Delete button | Removes the selected Master Blocking Sensor from the table.
Master Blocking Sensor Dialog Box
Use the Master Blocking Sensor dialog box to add a master blocking sensor or to modify the properties of a master blocking sensor that you added previously.
Navigation Path
(Device view) Select Platform > Security > Blocking from the Policy selector. Click the Master Blocking Sensors tab. Click the Add button to add a master blocking sensor. Select a row and click the Modify button to modify a master blocking sensor.
Related Topic
•Blocking Page > Master Blocking Sensors Tab
Field Reference
Table M-88 Master Blocking Sensor Dialog Box
Element | Description
IP Address | The IP address of the master blocking sensor. You receive a warning if the IP address already exists. Security Manager allows you to specify the IP address in either of two ways: by entering it manually or by choosing an existing sensor that is known to Security Manager.
Username | Username used to log in to the master blocking sensor.
Password | The login password used to log in to the master blocking sensor.
Port | (Optional) The port on which to connect on the master blocking sensor. The default is 443.
TLS | Specifies whether or not to use TLS.
Blocking Page > Router Tab
Use the Router Tab to configure an IOS router to be used as a blocking device.
Navigation Path
(Device view) Select Platform > Security > Blocking from the Policy selector. Click the Router tab.
Related Topic
•Configuring Blocking, page 16-9.
Field Reference
Table M-89 Router Tab
Element | Description
IP Address | The IP address of the router. You receive a warning if the IP address already exists. Security Manager allows you to specify the IP address in either of two ways: by entering it manually or by choosing an existing router that is known to Security Manager.
Communication Type | SSH DES, SSH 3DES, or Telnet.
NAT Address | The network address translation (NAT) address, if any, to the router.
Profile Name | The name of the profile as specified in the Add User Profile dialog box or the Modify User Profile dialog box.
Response Capabilities | Indicates whether the device uses blocking or rate limiting or both.
Add button | Opens the Add Router Device dialog box.
Edit button | Opens the Modify Router Device dialog box.
Delete button | Removes the selected Router Device from the table.
Router Device Dialog Box
The Router Device dialog box appears in two forms, the Add Router Device dialog box and the Modify Router Device dialog box. Use the Router Device dialog box to add an IOS router to be used as a blocking device or to modify the properties of an IOS router previously added to be used as a blocking device.
Navigation Path
(Device view) Select Platform > Security > Blocking from the Policy selector. Click the Router tab. Click the Add button or the Modify button.
Field Reference
Table M-90 Router Tab > Router Device Dialog Box
Element | Description
IP Address | The IP address of the router. You receive a warning if the IP address already exists. Security Manager allows you to specify the IP address in either of two ways: by entering it manually or by choosing an existing router that is known to Security Manager.
Select... Button | Opens the Networks/Hosts Selector dialog box.
Communication Type | SSH DES, SSH 3DES, or Telnet.
NAT Address | The NAT address, if any, to the router.
Select... Button | Opens the Networks/Hosts Selector dialog box.
Profile Name | The name of the profile as specified in the Add User Profile dialog box or the Modify User Profile dialog box.
Interfaces and directions where blocks will be applied | Lists block interfaces on the router in tabular format: •Interface Name •Direction •Pre-ACL Name •Post-ACL Name
Response Capabilities | Indicates whether the device uses blocking or rate limiting or both.
Add button | Opens the Add Router Block Interface dialog box.
Edit button | Opens the Modify Router Block Interface dialog box.
Delete button | Removes the selected router block interface from the table.
Router Block Interface Dialog Box
Use the Router Block Interface dialog box to add a block interface (the interface on the IOS router that the sensor uses for blocking) to an IOS router to be used as a blocking device. Also, use the Router Block Interface dialog box to modify a block interface that you previously added.
Navigation Path
(Device view) Select Platform > Security > Blocking from the Policy selector. Click the Router tab. Click the Add button or the Modify button. In the Add Router Device dialog box, click the Add button or the Modify button.
Field Reference
Table M-91 Router Block Interface Dialog Box
|
|
Interface Name |
The name of the router interface on which the sensor applies its blocking ACL, entered as it appears in the router configuration. |
Direction |
The direction of traffic across the router interface, in or out. |
Pre Acl Name |
The name of an existing ACL on the router whose entries the sensor places ahead of the deny entries it generates for blocked addresses (for example, permits for management hosts that must never be cut off). |
Post Acl Name |
The name of an existing ACL on the router whose entries the sensor places after the deny entries it generates for blocked addresses. |
Blocking Page > Firewall Tab
Use the Firewall tab to configure a firewall to be used as a blocking device.
Navigation Path
(Device view) Select Platform > Security > Blocking from the Policy selector. Click the Firewall tab.
Related Topic
•Configuring Blocking, page 16-9.
Field Reference
Table M-92 Firewall Tab
|
|
IP Address |
The IP address of the firewall. You receive a warning if the IP address already exists. Security Manager allows you to specify the IP address in either of two ways: by entering it manually or by choosing an existing firewall that is known to Security Manager. |
Communication Type |
SSH DES, SSH 3DES, or Telnet. |
NAT Address |
The NAT address, if any, to the firewall. |
Profile Name |
The name of the profile as specified in the Add User Profile dialog box or the Modify User Profile dialog box. |
Add button |
Opens the Add Firewall Device dialog box. |
Edit button |
Opens the Modify Firewall Device dialog box. |
Delete button |
Removes the selected firewall device from the table. |
Firewall Device Dialog Box
The Firewall Device dialog box appears in two forms, Add and Modify. Use the Firewall Device dialog box to identify a firewall to be used as a blocking device and configure it. Also, use the Firewall Device dialog box to modify the configuration of a firewall previously identified as a blocking device.
Navigation Path
(Device view) Select Platform > Security > Blocking from the Policy selector. Click the Firewall tab. Click the Add button or the Modify button.
Field Reference
Table M-93 Firewall Tab > Firewall Device Dialog Box
|
|
IP Address |
The IP address of the firewall. You receive a warning if the IP address already exists. Security Manager allows you to specify the IP address in either of two ways: by entering it manually or by choosing an existing firewall that is known to Security Manager. |
Select... Button |
Opens the Networks/Hosts Selector dialog box. |
Communication Type |
SSH DES, SSH 3DES, or Telnet. |
NAT Address |
The NAT address, if any, to the firewall. |
Select... Button |
Opens the Networks/Hosts Selector dialog box. |
Profile Name |
The name of the profile as specified in the Add User Profile dialog box or the Modify User Profile dialog box. |
Blocking Page > Catalyst 6K Tab
Use the Catalyst 6K tab to configure a Catalyst 6000 series switch to be used as a blocking device.
Navigation Path
(Device view) Select Platform > Security > Blocking from the Policy selector. Click the Catalyst 6K tab.
Related Topic
•Configuring Blocking, page 16-9.
Field Reference
Table M-94 Catalyst 6K Tab
|
|
IP Address |
The IP address of the switch. You receive a warning if the IP address already exists. Security Manager allows you to specify the IP address in either of two ways: by entering it manually or by choosing an existing switch that is known to Security Manager. |
Communication Type |
SSH DES, SSH 3DES, or Telnet. |
NAT Address |
The NAT address, if any, to the switch. |
Profile Name |
The name of the profile as specified in the Add User Profile dialog box or the Modify User Profile dialog box. |
Add button |
Opens the Add Cat6k Device dialog box. |
Edit button |
Opens the Modify Cat6k Device dialog box. |
Delete button |
Removes the selected Cat6k device from the table. |
Cat6k Device Dialog Box
The Cat6k Device dialog box appears in two forms, Add and Modify. Use the Cat6k Device dialog box to identify a Catalyst 6000 series switch to be used as a blocking device and configure it. Also, use the Cat6k Device dialog box to modify the configuration of a Catalyst 6000 series switch previously identified as a blocking device.
Navigation Path
(Device view) Select Platform > Security > Blocking from the Policy selector. Click the Catalyst 6K tab. Click the Add button or the Modify button.
Field Reference
Table M-95 Catalyst 6K Tab > Cat6k Device Dialog Box
|
|
IP Address |
The IP address of the switch. You receive a warning if the IP address already exists. Security Manager allows you to specify the IP address in either of two ways: by entering it manually or by choosing an existing switch that is known to Security Manager. |
Select... button |
Opens the Networks/Hosts Selector dialog box. |
Communication Type |
SSH DES, SSH 3DES, or Telnet. |
NAT Address |
The NAT address, if any, to the switch. |
Select... button |
Opens the Networks/Hosts Selector dialog box. |
Profile Name |
The name of the profile as specified in the Add User Profile dialog box or the Modify User Profile dialog box. |
Vlans where blocks will be applied |
Identifies the VLANs on the Catalyst 6000 Series switch where blocks will be applied. |
Add button |
Opens the Add Cat6k Block Vlan dialog box. |
Edit button |
Opens the Modify Cat6k Block Vlan dialog box. |
Delete button |
Removes the selected Cat6k Block Vlan from the table. |
Cat6k Block Vlan Dialog Box
The Cat6k Block Vlan dialog box appears in two forms, Add and Modify. Use the Cat6k Block Vlan dialog box to add a VLAN on which a Catalyst 6000 series blocking device applies blocks, or to modify a VLAN entry you previously added.
Navigation Path
(Device view) Select Platform > Security > Blocking from the Policy selector. Click the Catalyst 6K tab. Click the Add button or the Modify button. On the Add Cat6k Device dialog box, click the Add button or the Modify button.
Field Reference
Table M-96 Add Cat6k Block Vlan Dialog Box
|
|
Vlan |
The VLAN number on the Catalyst 6000 series switch where blocks will be applied. |
Pre VACL name |
The name of an existing VACL on the switch whose entries are placed ahead of the block entries the sensor generates for this VLAN. |
Post VACL name |
The name of an existing VACL on the switch whose entries are placed after the block entries the sensor generates for this VLAN. |
Blocking Page > Never Block Hosts and Networks Tab
Use the Never Block Hosts and Networks tab to identify hosts and networks that the sensor must never block, however many events they trigger. Typically you list the sensor's own management address, the Security Manager server, and the blocking devices themselves here: a block issued against any of them could cut the sensor off from the device it is managing.
Navigation Path
(Device view) Select Platform > Security > Blocking from the Policy selector. Click the Never Block Hosts and Networks tab.
Related Topic
•Configuring Blocking, page 16-9.
Field Reference
Table M-97 Never Block Hosts and Networks Tab
|
|
Never Block Hosts |
The IP addresses of trusted hosts that the sensor never blocks. |
Add button |
Opens the Add Never Block Host dialog box. |
Edit button |
Opens the Modify Never Block Host dialog box. |
Delete button |
Removes the selected Never Block Host from the table. |
Never Block Networks |
The addresses of trusted networks that the sensor never blocks. |
Add button |
Opens the Add Never Block Network dialog box. |
Edit button |
Opens the Modify Never Block Network dialog box. |
Delete button |
Removes the selected Never Block Network from the table. |
Never Block Host Dialog Box
Use the Never Block Host dialog box to add a trusted host to the list of hosts that are never blocked, or to modify an entry you previously added.
Navigation Path
(Device view) Select Platform > Security > Blocking from the Policy selector. Click the Never Block Hosts and Networks tab. In the Never Block Hosts area, click the Add button or the Modify button.
Field Reference
Table M-98 Add Never Block Hosts Dialog Box
|
|
IP Address |
The IP address of the trusted host that should never be blocked. |
Select... button |
Opens the Networks/Hosts Selector dialog box. |
Never Block Networks Dialog Box
Use the Never Block Networks dialog box to add a trusted network to the list of networks that are never blocked, or to modify an entry you previously added.
Navigation Path
(Device view) Select Platform > Security > Blocking from the Policy selector. Click the Never Block Hosts and Networks tab. In the Never Block Networks area, click the Add button or the Modify button.
Field Reference
Table M-99 Add Never Block Networks Dialog Box
|
|
IP Address |
The address (with mask) of the trusted network that should never be blocked. |
Select... button |
Opens the Networks/Hosts Selector dialog box. |
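To make the ordering of the pre-ACL and post-ACL entries on a router block interface, and the effect of the Never Block Hosts and Never Block Networks lists, concrete, here is an added example in Python. It is an illustration written for this reference, not Security Manager or sensor code. It models one router blocking interface: the deny entries the sensor generates for blocked attackers sit between the entries of the user-maintained pre-ACL and post-ACL, and a block request for any address on a never-block list is dropped instead of written. The exact ACL text a real sensor writes (including the trailing permit), the interface name and all addresses are assumptions. The Catalyst 6000 pre-VACL and post-VACL case works the same way and is not modeled separately.

```python
"""Model of a sensor-managed router block ACL (added illustration).

Assumptions: pre/post ACL entries are given as lists of ACE strings,
blocks are plain "deny ip host X any" entries, and the merged ACL ends
with "permit ip any any". A real sensor's exact output may differ; the
ordering and the never-block filtering are what this shows.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class BlockInterface:
    name: str
    direction: str                                       # "in" or "out"
    pre_acl: List[str] = field(default_factory=list)     # user-maintained, placed first
    post_acl: List[str] = field(default_factory=list)    # user-maintained, placed last
    never_block_hosts: Set[str] = field(default_factory=set)
    never_block_networks: Set[str] = field(default_factory=set)
    active_blocks: List[str] = field(default_factory=list)  # written by the sensor

    def is_never_blocked(self, addr: str) -> bool:
        """Never Block Hosts are exact matches; Never Block Networks are prefixes."""
        if addr in self.never_block_hosts:
            return True
        ip = ipaddress.ip_address(addr)
        return any(ip in ipaddress.ip_network(net, strict=False)
                   for net in self.never_block_networks)

    def request_block(self, attacker: str) -> bool:
        """Sensor asks for a block. Returns False when the request is suppressed."""
        if self.is_never_blocked(attacker):
            return False
        if attacker not in self.active_blocks:
            self.active_blocks.append(attacker)
        return True

    def clear_block(self, attacker: str) -> None:
        """Block timed out or was removed by the operator."""
        if attacker in self.active_blocks:
            self.active_blocks.remove(attacker)

    def render_acl(self) -> List[str]:
        """Merged ACL in the order the sensor applies it to the interface."""
        lines = list(self.pre_acl)
        lines += [f"deny ip host {a} any" for a in self.active_blocks]
        lines += list(self.post_acl)
        lines.append("permit ip any any")   # assumption: everything not blocked passes
        return lines
```

Listing a management host both as a permit in the pre-ACL and on the Never Block Hosts list is deliberate belt-and-braces: the pre-ACL permit is evaluated before any sensor deny (first match wins on the router), and the never-block entry stops the deny from being generated at all.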
IPS Updates Page
Use the IPS Updates page to perform some of the tasks associated with keeping your sensors up to date with regard to signatures, patches, service packs, and other updates. For more information, refer to IPS Updates Page, page A-17.
Virtual Sensors Page
Use the Virtual Sensors page to create and name virtual sensors on your Cisco IPS devices. The process of creating and naming virtual sensors on your Cisco IPS devices is sometimes called "virtualization." The Virtual Sensors policy cannot be inherited or shared.
Note A Cisco IPS sensor monitors traffic that traverses (1) interfaces, (2) interface pairs, or (3) VLAN pairs assigned to a virtual sensor.
A virtual sensor is defined by the interfaces assigned to it and by the signature, event action, and anomaly detection policies applied to it. Creating one means making both assignments; virtualization is complete once those policies are applied to the virtual sensor.
You can assign one or more of the following types of interfaces to a virtual sensor:
•Promiscuous Interface
•Inline Interface Pair
•Inline VLAN Pair
•Promiscuous VLAN Group
•Inline VLAN Group
A Promiscuous VLAN Group is a VLAN group assigned to a subinterface of a promiscuous interface. The interface cannot already be used for an inline interface pair or an inline VLAN pair. There can be many promiscuous VLAN groups on the same promiscuous interface, but the VLANs assigned to them cannot overlap. Once a VLAN group is assigned to a promiscuous interface, that interface is no longer a plain promiscuous interface and can only be used for promiscuous VLAN groups.
An Inline VLAN Group is a VLAN group assigned to a subinterface of an existing inline interface pair. There can be many inline VLAN groups on the same inline interface pair, but the VLANs assigned to them cannot overlap. Once a VLAN group is assigned to an inline interface pair, that pair is no longer a plain inline interface pair and can only be used for inline VLAN groups.
VLAN groups cannot be assigned to inline VLAN pairs.
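The assignment rules in the preceding paragraphs are easy to get wrong on a sensor with many VLAN groups. The following added Python example, written for this reference and not sensor code, checks a proposed set of virtual sensor assignments against those rules: a promiscuous interface or promiscuous VLAN group may not reuse an interface that is already inline; VLAN groups on the same interface or pair may not overlap; an interface or pair that carries VLAN groups is no longer usable as a plain promiscuous interface or inline pair; and an inline VLAN group must belong to an inline interface pair, not an inline VLAN pair. The assignment kind names, interface names and VLAN numbers are this example's own encoding.

```python
"""Check virtual-sensor interface assignments against the VLAN group rules.

Added illustration, not sensor code. Assignment kinds are this example's
own encoding: "promiscuous" (one interface), "inline_pair" (two
interfaces), "inline_vlan_pair" (one interface, two VLANs),
"promiscuous_vlan_group" (one interface, a set of VLANs) and
"inline_vlan_group" (the two interfaces of an inline pair, a set of VLANs).
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

INLINE_KINDS = {"inline_pair", "inline_vlan_pair", "inline_vlan_group"}
GROUP_KINDS = {"promiscuous_vlan_group", "inline_vlan_group"}


@dataclass(frozen=True)
class Assignment:
    kind: str
    ifaces: Tuple[str, ...]                  # one interface, or the two of a pair
    vlans: FrozenSet[int] = frozenset()      # only for VLAN pairs and groups


def validate_assignments(assignments: List[Assignment]) -> List[str]:
    """Return one message per violated rule; an empty list means the set is consistent."""
    errors: List[str] = []
    # every interface that is used inline in any form
    inline_ifaces = {i for a in assignments if a.kind in INLINE_KINDS for i in a.ifaces}
    # interfaces / pairs that carry at least one VLAN group
    grouped = {a.ifaces for a in assignments if a.kind in GROUP_KINDS}
    vlans_used: Dict[Tuple[str, ...], FrozenSet[int]] = {}
    for a in assignments:
        if a.kind == "inline_vlan_group" and len(a.ifaces) != 2:
            errors.append(f"{a.ifaces}: inline VLAN groups belong to an inline interface "
                          "pair, not to an inline VLAN pair")
        if a.kind in ("promiscuous", "promiscuous_vlan_group") and set(a.ifaces) & inline_ifaces:
            errors.append(f"{a.ifaces}: already used for an inline pair or VLAN pair, "
                          "cannot be promiscuous")
        if a.kind in ("promiscuous", "inline_pair") and a.ifaces in grouped:
            errors.append(f"{a.ifaces}: carries VLAN groups, so it is no longer a plain {a.kind}")
        if a.kind in GROUP_KINDS:
            overlap = vlans_used.get(a.ifaces, frozenset()) & a.vlans
            if overlap:
                errors.append(f"{a.ifaces}: VLANs {sorted(overlap)} assigned to more than one group")
            vlans_used[a.ifaces] = vlans_used.get(a.ifaces, frozenset()) | a.vlans
    return errors
```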
Navigation Path
(Device view) Select IPS > Virtual Sensors from the Policy selector.
Related Topics
•Signature Policies
•Event Action Policies
•Anomaly Detection Page
Field Reference
Table M-100 Virtual Sensors Table
|
|
Name |
The name of the virtual sensor. The default virtual sensor is "vs0." |
Assignment |
The interfaces or interface pairs that belong to this virtual sensor. |
Anomaly Detection Mode |
The mode (detect, inactive, learn) that anomaly detection is operating in. |
Inline TCP Session Tracking Mode |
Interface and VLAN, VLAN only, or Virtual Sensor. |
Normalizer Mode |
Allows the choice of strict evasion protection mode or asymmetric mode. |
Description |
The description of the virtual sensor. |
Add button |
Opens the Add Virtual Sensor dialog box. |
Edit button |
Opens the Edit Virtual Sensor dialog box. |
Delete button |
Removes the selected virtual sensor(s) from the table. The Delete button is enabled only when one or more virtual sensors other than the default virtual sensor (vs0) are present; the reason is that vs0 cannot be deleted. |
Add Virtual Sensor Dialog Box
Use the Add Virtual Sensor dialog box to add a virtual sensor.
Navigation Path
(Device view) Select IPS > Virtual Sensors from the Policy selector. Click the Add button.
Related Topics
•Virtual Sensors Page
•Understanding Normalizer Mode, page 16-13
Field Reference
Table M-101 Add Virtual Sensor Dialog Box
|
|
Virtual Sensor Name |
The name of the virtual sensor. The default virtual sensor is "vs0." The virtual sensor name must contain fewer than 64 characters and must not use spaces. |
Assignments |
The interfaces or interface pairs that belong to this virtual sensor. |
Anomaly Detect |
The mode (detect, inactive, learn) that anomaly detection is operating in. |
Inline TCP Session |
Interface and VLAN, VLAN only, or Virtual Sensor. |
Normalizer Mode |
Allows the choice of strict evasion protection mode or asymmetric mode. |
Description |
The description of the virtual sensor. |
Edit Virtual Sensor Dialog Box
Use the Edit Virtual Sensor dialog box to modify the policies assigned to a virtual sensor.
Navigation Path
(Device view) Select IPS > Virtual Sensors from the Policy selector. Select a row. Click the Edit button.
Related Topics
•Virtual Sensors Page
•Understanding Normalizer Mode, page 16-13
Field Reference
Table M-102 Edit Virtual Sensor Dialog Box
|
|
Virtual Sensor Name |
The name of the virtual sensor. The default virtual sensor is "vs0." You cannot edit the virtual sensor name.
Tip
If you find that the name of a virtual sensor is unacceptable, you can delete that virtual sensor and add a new virtual sensor with a name that is acceptable.
The maximum number of characters allowed in the name of the virtual sensor is 64, and blank spaces are not allowed. |
Assignments |
The interfaces or interface pairs that belong to this virtual sensor. |
Anomaly Detect |
The mode (detect, inactive, learn) that anomaly detection is operating in. |
Inline TCP Session |
Interface and VLAN, VLAN only, or Virtual Sensor. |
Normalizer Mode |
Allows the choice of strict evasion protection mode or asymmetric mode. |
Description |
The description of the virtual sensor. |
General Settings Page
The General Settings page applies to IOS IPS devices. Use it to set the router-wide IOS IPS properties for a particular router: what happens to traffic when the IPS engine is unavailable, where deny actions are enforced, SDEE limits, and where the router keeps its IOS IPS configuration files.
Navigation Path
(Device view) Select IPS > General Settings from the Policy selector.
Related Topics
•Interface Rules Page
Field Reference
Table M-103 General Settings Page
|
|
Block Traffic when IPS engine is unavailable check box |
If selected, this option specifies that all traffic should be denied if the IPS engine is unavailable. Otherwise, traffic is allowed to pass in accordance with the other rules in place on the router. |
Apply Deny Action On |
This option matters when signature actions include denyAttackerInline or denyFlowInline. By default, Cisco IOS IPS applies the resulting deny ACLs on the interface that received the attack traffic, not on the IPS-enabled interface. Selecting IPS enabled interface moves the ACLs to the interface on which the IPS rule is applied. Leave the default unless the router load-balances traffic across several ingress interfaces; in that case, select IPS enabled interface, because attack traffic may then arrive on more than one ingress interface. Select one of the following values: •Ingress Interface. The deny action is enforced on the interface attached to the network from which the traffic originated. •IPS enabled interface. The deny action is enforced on the interface on which the triggered IPS rule is applied. |
SDEE Properties |
Maximum Subscriptions |
Identifies the maximum number of concurrent SDEE subscriptions allowed, in the range of 1-3. An SDEE subscription is a live feed of SDEE events. The default value is 1. |
Maximum Alerts |
Identifies the maximum number of SDEE alerts that you want the router to store, in the range of 10-2000. Storing more alerts uses more router memory. The default value is 200. |
Maximum Messages |
Identifies the maximum number of SDEE messages that you want the router to store, in the range of 10-500. Storing more messages uses more router memory. The default value is 200. |
IPS Config Location Properties |
IPS Config Location |
Identifies where the router stores its IOS IPS configuration files (signature definitions and event action settings). These files are updated automatically each time the IOS IPS configuration is changed or updated from Security Manager, and they are read back to restore the IOS IPS configuration when the router reboots. To store the files on the router, enter the directory to use. Note If the router has a LEFS-based file system, you cannot create a directory in router memory; in that case, flash: is used as the config location. To store the files on a remote system, enter the protocol and path of the URL that reaches it; for example, enter http://172.27.108.5/ips-cfg to save the config files to an HTTP server. Supported schemes are http://, https://, ftp://, rcp://, scp://, and tftp://. Because the router reloads its IPS state from this location at boot, prefer local flash or an authenticated, encrypted transport (scp:// or https://); http://, ftp://, rcp://, and tftp:// carry the files, and any credentials, in cleartext. |
Max retries |
If a configuration location is specified in the IPS Config Location field, specify how many times the router is to attempt to contact the remote system. The default value is 1. |
Timeout seconds between retries |
If a remote configuration location is specified in the IPS Config Location field, specify how many seconds the router waits before attempting to contact the configuration location again. The default value is 0. |
Interface Rules Page
An IOS IPS rule names the interface or interfaces, and the direction of traffic relative to them, that Cisco IOS IPS examines. Optionally, the rule also restricts inspection to a subset of IP traffic by referencing an ACL that selects or filters that traffic.
The Interface Rules page summarizes the rules currently applied and lets you add rules that define which traffic flows through the router are inspected using the defined signature policy.
Navigation Path
(Device view) Select IPS > Interface Rules from the Policy selector.
Related Topics
•General Settings Page
•Add IPS Rule Dialog Box
•Adding Pair Dialog Box
Field Reference
Table M-104 Interface Rules Page
|
|
Enable IPS check box |
When selected, enables the deployment of IOS IPS configuration to the device. If Enable IPS is unchecked, IPS rules are removed from all the router interfaces, which disables IPS. Also, no signature or event action policy will be deployed. |
No. |
Identifies the rule number. The ordering has no effect on traffic monitoring. |
Rule Name |
Identifies the IPS rule name. |
ACL Name |
Identifies the ACL, and thereby the traffic flow, to be inspected using the signature policy. |
Interface (Direction) |
Identifies the interfaces and directions to which the IPS rule applies. |
Add button |
Opens the Add IPS Rule dialog box. |
Edit button |
Opens the Edit IPS Rule dialog box. If more than one row is selected, the Edit row option is disabled. |
Delete button |
Removes the selected rule(s) from the table. |
Add IPS Rule Dialog Box
Use the Add IPS Rule dialog box to specify the traffic flows to be inspected using the active signature policy.
Navigation Path
(Device view) Select IPS > Interface Rules from the Policy selector. Click the Add button.
Related Topics
•Signatures Page
•General Settings Page
•Interface Rules Page
•Adding Pair Dialog Box
Field Reference
Table M-105 Add IPS Rule Dialog Box
|
|
Rule Name |
Identifies a unique name for this IPS rule. Rule names are not case sensitive, so you cannot define a rule whose name differs from an existing one only in case; for example, MYRULE and MyRule are the same name. |
ACL Name |
Specifies an ACL name. Click Select to choose a predefined ACL object or to create a new one. The ACL selects the traffic the IPS rule inspects, in the usual first-match order of its ACEs: traffic matched by a permit entry is inspected, traffic matched by a deny entry is left uninspected, and traffic that matches no entry falls through to the implicit deny and is likewise uninspected. When no ACL is specified, all traffic in the configured direction is inspected.
Tip
Every ACL ends with an implicit deny all, so an ACL made up only of deny entries causes the rule to inspect nothing. Always specify the traffic to be inspected with permit entries.
|
Select button |
Allows you to select from existing ACLs or define a new one. The selected value populates the ACL Name field. |
Add button |
Opens the Adding Pair dialog box. |
Edit button |
Opens the Editing Pair dialog box. If more than one row is selected, the Edit row option is disabled. |
Delete button |
Deletes the selected rule(s) from the table. |
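The permit/deny semantics of the ACL Name field are the reverse of what many people expect from a filtering ACL, and the implicit deny means a deny-only ACL inspects nothing. The following added Python example, an illustration for this reference rather than IOS code, evaluates whether an interface rule inspects a given packet. ACEs are written in a simplified (action, protocol, source prefix, destination prefix) form; ports and wildcard masks are left out, and the addresses in the test are made up.

```python
"""Which packets an IOS IPS interface rule inspects, given its ACL.

Added illustration, not IOS code. An ACE is (action, protocol, src_prefix,
dst_prefix) with action "permit" or "deny" and protocol "ip", "tcp", "udp"
or "icmp"; ports and wildcard masks are omitted. The implicit deny at the
end of every ACL is modeled explicitly.
"""
from __future__ import annotations

import ipaddress
from typing import List, Optional, Tuple

Ace = Tuple[str, str, str, str]


def _matches(ace: Ace, proto: str, src: str, dst: str) -> bool:
    _action, aproto, asrc, adst = ace
    return (aproto in ("ip", proto)
            and ipaddress.ip_address(src) in ipaddress.ip_network(asrc, strict=False)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(adst, strict=False))


def inspected(acl: Optional[List[Ace]], proto: str, src: str, dst: str) -> bool:
    """True if the rule hands this packet to the signature policy."""
    if acl is None:
        return True                      # no ACL on the rule: all traffic in that direction
    for ace in acl:
        if _matches(ace, proto, src, dst):
            return ace[0] == "permit"    # first match wins: permit = inspect, deny = skip
    return False                         # implicit deny: matched nothing, not inspected


def inspected_fraction(acl: Optional[List[Ace]], packets: List[Tuple[str, str, str]]) -> float:
    """Share of a (proto, src, dst) sample the rule would inspect; a quick ACL sanity check."""
    if not packets:
        return 0.0
    hits = sum(inspected(acl, *p) for p in packets)
    return hits / len(packets)
```

Running inspected_fraction over a representative capture before deploying a rule is a cheap way to catch the deny-only mistake: the result is 0.0 when the ACL never permits anything.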
Adding Pair Dialog Box
Use the Adding Pair dialog box to identify the traffic flows, based on an interface and traffic direction pair, that the selected IPS rule inspects.
Navigation Path
(Device view) Select IPS > Interface Rules from the Policy selector. Click the Add button to open the Add IPS Rule dialog box. Then, click the Add button in the Add IPS Rule dialog box itself.
Related Topics
•General Settings Page
•Interface Rules Page
•Add IPS Rule Dialog Box
Field Reference
Table M-106 Adding Pair Dialog Box
|
|
Direction |
Identifies whether the rule applies to inbound traffic, outbound traffic, or both on the selected interface. Select one of the following values: •In. Applies this IPS rule to inbound traffic on the selected interface. •Out. Applies this IPS rule to outbound traffic on the selected interface. •Both. Applies this IPS rule to both inbound and outbound traffic on the selected interface. |
Interfaces |
Identifies the interfaces on which to apply this Cisco IPS rule. Click Select to either select a predefined Interface or to create a new one. |
Select button |
Displays the list of interfaces defined for this router. You can select one or more of the interfaces to populate the Interfaces field. |
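The General Settings and Interface Rules pages above map onto a small set of IOS IPS commands. The following added Python example, written for this reference and not Security Manager's deployment code, renders those commands from the pages' fields and enforces the constraints the reference states: the SDEE ranges (1-3, 10-2000, 10-500), the case-insensitive uniqueness of rule names, the in/out/both directions, and the removal of rules from every interface when Enable IPS is cleared. The command forms (ip ips fail closed, ip ips deny-action ips-interface, ip sdee subscriptions/alerts/messages, ip ips config location, ip ips name ... list ..., and ip ips NAME in|out under an interface) are the standard IOS IPS CLI; the sample values, interface names and ACL number in the test are made up.

```python
"""Render IOS IPS CLI from General Settings and Interface Rules fields.

Added illustration, not Security Manager code. The command forms are the
standard IOS IPS CLI; the values and names used in the test are made up.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class GeneralSettings:
    fail_closed: bool = False              # Block Traffic when IPS engine is unavailable
    deny_on_ips_interface: bool = False    # Apply Deny Action On = IPS enabled interface
    max_subscriptions: int = 1             # SDEE, 1-3
    max_alerts: int = 200                  # SDEE, 10-2000
    max_messages: int = 200                # SDEE, 10-500
    config_location: Optional[str] = None  # e.g. "flash:ips" or "scp://host/path"
    max_retries: int = 1
    timeout: int = 0


@dataclass
class IpsRule:
    name: str
    acl: Optional[str] = None                                    # ACL name/number; None = all traffic
    pairs: List[Tuple[str, str]] = field(default_factory=list)   # (interface, "in"|"out"|"both")


def _check_range(label: str, value: int, lo: int, hi: int) -> None:
    if not lo <= value <= hi:
        raise ValueError(f"{label} must be in {lo}-{hi}, got {value}")


def validate(settings: GeneralSettings, rules: List[IpsRule]) -> None:
    _check_range("Maximum Subscriptions", settings.max_subscriptions, 1, 3)
    _check_range("Maximum Alerts", settings.max_alerts, 10, 2000)
    _check_range("Maximum Messages", settings.max_messages, 10, 500)
    seen = set()
    for rule in rules:
        key = rule.name.lower()             # rule names are not case sensitive
        if key in seen:
            raise ValueError(f"rule name already used (ignoring case): {rule.name}")
        seen.add(key)
        for _, direction in rule.pairs:
            if direction not in ("in", "out", "both"):
                raise ValueError(f"rule {rule.name}: bad direction {direction!r}")


def _directions(direction: str) -> Tuple[str, ...]:
    return ("in", "out") if direction == "both" else (direction,)


def render(settings: GeneralSettings, rules: List[IpsRule], enable_ips: bool = True) -> List[str]:
    """Return the IOS configuration lines for these settings and rules."""
    validate(settings, rules)
    lines: List[str] = []
    if not enable_ips:
        # Enable IPS cleared: rules come off every interface and nothing else is deployed.
        for rule in rules:
            for intf, direction in rule.pairs:
                lines.append(f"interface {intf}")
                lines += [f" no ip ips {rule.name} {d}" for d in _directions(direction)]
        return lines
    if settings.fail_closed:
        lines.append("ip ips fail closed")
    if settings.deny_on_ips_interface:
        lines.append("ip ips deny-action ips-interface")
    lines += [f"ip sdee subscriptions {settings.max_subscriptions}",
              f"ip sdee alerts {settings.max_alerts}",
              f"ip sdee messages {settings.max_messages}"]
    if settings.config_location:
        lines.append(f"ip ips config location {settings.config_location} "
                     f"retries {settings.max_retries} timeout {settings.timeout}")
    for rule in rules:
        lines.append(f"ip ips name {rule.name}" + (f" list {rule.acl}" if rule.acl else ""))
    for rule in rules:
        for intf, direction in rule.pairs:
            lines.append(f"interface {intf}")
            lines += [f" ip ips {rule.name} {d}" for d in _directions(direction)]
    return lines
```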