Feedback
Table Of Contents
Available Commands
This chapter contains the IPS 5.0 commands listed in alphabetical order. It contains the following sections:.
•
copy
•
•
•
•
banner login
To create a banner message to display on the terminal screen, use the banner login command in global configuration mode. To delete the login banner, use the no form of this command. The banner message appears when a user accesses the CLI and is displayed before the username and password prompts.
banner-login
no banner-login
Syntax Description
argument
Text that appears before you log in to the CLI. Maximum message length is 2500 characters. A carriage return or question mark (?) must be preceded by the keystroke Ctrl-V.
Defaults
No default behavior or values.
Command Modes
Global configuration
Supported User RolesAdministrator
Command History
Usage Guidelines
The banner login command lets you create a text message, up to 2500 characters, to display on the terminal screen. This message appears when you access the CLI. You can include a carriage return or question mark (?) in the message by first typing Ctrl-V followed by the carriage return or question mark. A carriage return is represented as ^M in the text message you create, but appears as an actual carriage return when the message is displayed to the user.
Type Ctrl-C at the
Messageprompt to cancel the message request.
Note
Examples
The following example creates a message to display on the terminal screen at login:
sensor(config)# banner loginBanner[]:This message will be displayed on login. ^M Thank you!At login, the following message appears:
This message will be displayed on login.Thank you!password:clear denied-attackers
To delete the current list of denied IP addresses, use the clear denied-attackers command in privileged EXEC mode.
clear denied-attackers
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
EXEC
Supported User RolesAdministrator
Command History
Usage Guidelines
The clear denied-attackers command lets you restore communication with previously denied IP addresses by clearing the list of denied attackers. You cannot select and delete individual IP addresses on this list. If you clear the denied attackers list, all IP addresses are removed from the list.
Note
Examples
The following example removes all IP addresses from the denied attackers list:
sensor#clear denied-attackersWarning: Executing this command will delete all addresses from the list of attackers currently being denied by the system.Continue with clear? []:yessensor#Related Commands
clear events
To clear the Event Store, use the clear events command in privileged EXEC mode.
clear events
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
EXEC
Supported User RolesAdministrator
Command History
Usage Guidelines
Use this command to clear all events from the Event Store.
Note
Examples
The following example clears the Event Store:
sensor#clear eventsWarning: Executing this command will remove all events currently stored in the event store.Continue with clear? []:yessensor#clear line
To terminate another CLI session, use the clear line command in privileged EXEC mode.
clear line cli-id [message]
Syntax Description
cli-id
The CLI ID number associated with the login session. See the show users command.
message
If selected, you are prompted for a message to send to the receiving user. (optional)
Defaults
No default behavior or values.
Command Modes
EXEC
Command History
Supported User RolesAdministrator, Operator, Viewer
Note
Usage Guidelines
Use the clear line command to log out of a specific session running on another line. Use the message keyword if you want to include an optional message to display on the terminal of the login session you are terminating.
You cannot use the clear line command to clear a Service account login.
Note
Examples
The following example illustrates the output displayed when a user with Administrator privileges attempts to log in after the maximum sessions have been reached:
Error: The maximum allowed CLI sessions are currently open, would you like to terminate one of the open sessions? [no]yesCLI ID User Privilege1253 admin1 administrator1267 cisco administrator1398 test operatorEnter the CLI ID to clear:1253Message:Sorry! I need access to the system, so I am terminating your session.sensor#The following example illustrates the message displayed on the terminal of admin1:
sensor#******Termination request from Admin0***Sorry! I need access to the system, so I am terminating your session.The following example illustrates the output displayed when a user with Operator or Viewer privileges attempts to log in after the maximum sessions have been reached:
Error: The maximum allowed CLI sessions are currently open, please try again later.Related Commands
clock set
To manually set the system clock on the appliance, use the clock set command in privileged EXEC mode.
clock set hh:mm[:ss] month day year
Syntax Description
hh:mm[:ss]
Current time in hours (24-hour format), minutes, and seconds
month
Current month (by name)
day
Current day (by date) in the month
year
Current year (no abbreviation)
Defaults
No default behavior or values.
Command Modes
EXEC
Supported User RolesAdministrator
Command History
Usage Guidelines
You do not need to set the system clock under the following circumstances:
•
•
Use the clock set command if no other time sources are available. The time specified in this command is relative to the configured time zone.
Examples
The following example manually sets the system clock to 1:32 p.m. on July 29.2002:
sensor# clock set 13:32 July 29 2002sensor#configure
To enter global configuration mode, use the configure terminal command in privileged EXEC mode.
configure terminal
Syntax Description
Defaults
No default behavior or values.
Command Modes
EXEC
Supported User RolesAdministrator, Operator, Viewer
Usage Guidelines
Executing the configure terminal command enters global configuration mode.
Examples
The following example changes modes from privileged EXEC to global configuration:
sensor# configure terminalsensor(config)#copy
To copy iplogs and configuration files, use the copy command in privileged EXEC mode.
copy [/erase] source-url destination-url
copy iplog log-id destination-url
Syntax Description
Defaults
No default behavior or values.
Command Modes
EXEC
Supported User RolesAdministrator, Operator (copy iplog or packet-file only), Viewer (copy iplog or packet-file only)
Command History
Usage Guidelines
The exact format of the source and destination URLs varies according to the file. The following valid types are supported:
Use keywords to designate the file location on the sensor. The following files are supported:
If FTP or SCP is the selected protocol, you are prompted for a password. If no password is necessary for the FTP session, you can press Return without entering anything.
You can enter all necessary source and destination URL information and the username on the command line, or you can enter the copy command and have the sensor prompt you for any missing information.
Warning
Note
Examples
The following example copies a file into the current configuration from the sensor with the IP address 10.1.1.1, directory/filename ~csidsuser/configuration/cfg, the directory and file are relative to the csidsuser's home account:
sensor# copy scp://csidsuser@10.1.1.1/configuration/cfg current-configPassword: *******WARNING: Copying over the current configuration may leave the box in an unstable state.Would you like to copy current-config to backup-config before proceeding? [yes]:csidsuser@10.1.1.1's password:cfg 100% |*********************************************************************| 36124 00:00sensor#The following example copies the iplog with ID 12345 to the sensor with the IP address 10.1.1.1, directory/filename ~csidsuser/iplog12345, the directory and file are relative to the csidsuser's home account:
sensor# copy iplog 12345 scp://csidsuser@10.1.1.1/iplog12345Password: *******iplog 100% |*********************************************************************|36124 00:00sensor#Related Commands
iplog-status
Displays a description of the available IP log contents.
more
Displays the contents of a logical file.
packet
Displays or captures live traffic on an interface.
display serial
To direct all output to the serial connection, use the display serial command in global configuration mode. Use the no display-serial command to reset the output to the local terminal.
display-serial
no display-serial
Syntax Description
This command has no arguments or keywords.
Defaults
The default setting is no display-serial.
Command Modes
EXEC
Supported User RolesAdministrator, Operator
Command History
Usage Guidelines
Using the display-serial command lets you view system messages on a remote console (using the serial port) during the boot process. The local console is not available as long as this option is enabled. Unless you set this option when you are connected to the serial port, you do not get any feedback until Linux has fully booted and enabled support for the serial connection.
Examples
The following example redirects output to the serial port:
sensor(config)# display-serialsensor(config)#downgrade
To remove the most recent upgrade, use the downgrade command in global configuration mode.
downgrade
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
Global configuration
Supported User RolesAdministrator
Command History
Examples
The following example removes the most recent upgrade from the system:
sensor(config)#downgradeWarning: Executing this command will reboot the system and downgrade to IDS-K9-sp-4.1-4-S91.rpm. Configuration changes made since the last upgrade will be lost and the system may be rebooted.Continue with downgrade?:yessensor#If the downgrade command is not available, for example, if no upgrades have been applied, the following is displayed:
sensor#downgradeError: No downgrade availablesensor#Related Commands
show version
Displays the version information for all installed OS packages, signature packages, and IPS processes running on the system.
end
To exit configuration mode, or any of the configuration submodes, use the end command in global configuration mode. This command exits to the top level EXEC menu.
end
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
All modes
Supported User RolesAdministrator, Operator, Viewer
Command History
Examples
The following example shows how to exit configuration and the interface configuration submode:
sensor# configure terminalsensor(config)# interface fastethernet 0/0sensor(config-if)# endsensor#erase
To delete a logical file, use the erase command in privileged EXEC mode.
erase { backup-config | current-config | packet-file }
Syntax Description
Defaults
No default behavior or values.
Command Modes
EXEC
Supported User RolesAdministrator
Command History
Usage Guidelines
The IOS 12.0 version of this command lets you remove entire file systems. IPS does not support this concept.
Examples
The following example erases the current configuration file and returns all settings back to default. You may need to reboot the sensor with this command.
sensor# erase current-configWarning: Removing the current-config file will result in all configuration being reset to default, including system information such as IP address.User accounts will not be erased. They must be removed manually using the "no username" command.Continue? []: yessensor#exit
To exit a configuration mode or close an active terminal session and terminate privileged EXEC mode, use the exit command.
exit
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
All modes
Supported User RolesAdministrator, Operator, Viewer
Command History
Usage Guidelines
Use the exit command to return to the previous menu level. If you have made any changes in the contained submodes, you are asked if you want to apply them. If you select no, you are returned to the parent submode.
Examples
The following example shows how to return to the previous menu level:
sensor#configure terminalsensor(config)#exitsensor#iplog
To start IP logging on a virtual sensor, use the iplog command in privileged EXEC mode. Use the no form of this command to disable all logging sessions on a virtual sensor, a particular logging session based on log-id, or all logging sessions.
iplog name ip-address [ duration minutes ] [ packets numPackets ] [ bytes numBytes ]
no iplog [log-id log-id | name name ]
Syntax Description
Defaults
See the Syntax Description table.
Command Modes
EXEC
Supported User RolesAdministrator, Operator
Command History
Usage Guidelines
If the no form of this command is specified without parameters, all logging is stopped.
If duration, packets, and bytes are entered, logging terminates whenever the first event occurs.
Note
Examples
The following example begins logging all packets containing 10.2.3.1 in the source or destination address on virtual sensor vs0:
sensor# iplog vs0 10.2.3.1Logging started for virtual sensor vs0, IP address 10.2.3.1, Log ID 2342WARNING: IP Logging will affect system performance.sensor#Related Commands
iplog-status
Displays a description of the available IP log contents.
packet
Displays or captures live traffic on an interface.
iplog-status
To display a description of the available IP log contents, use the iplog-status command in privileged EXEC mode.
iplog-status
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
EXEC
Supported User RolesAdministrator, Operator, Viewer
Command History
4.0
This command was introduced.
4.0(2)
The Status field was added to this command.
Usage Guidelines
When the log is created, the status is
Banner[]:. If and when the first entry is inserted in the log, the status changes toThis message will be displayed on login.. When the log is completed, because it has reached the packet count limit for example, the status changes toThank you!.
Note
Examples
The following example displays the status of all IP logs:
sensor# iplog-statusLog ID: 2425IP Address: 10.1.1.2Virtual Sensor: vs0Status: startedStart Time: 2003/07/30 18:24:18 2002/07/30 12:24:18 CSTPackets Captured: 1039438Log ID: 2342IP Address: 10.2.3.1Virtual Sensor: vs0Status: completedEvent ID: 209348Start Time: 2003/07/30 18:24:18 2002/07/30 12:24:18 CSTEnd Time: 2003/07/30 18:34:18 2002/07/30 12:34:18 CSTsensor#Related Commands
more
To display the contents of a logical file, use the more command in privileged EXEC mode.
more keyword
Syntax Description
Defaults
No default behavior or values.
Command Modes
EXEC
Supported User RolesAdministrator, Operator (current-config only), Viewer (current-config only)
Command History
Usage Guidelines
IPS allows display of logical files only.
Hidden fields, such as passwords, are displayed for Administrators only.
Note
Examples
The following example shows the output from the more command:
sensor# more current-config! ------------------------------! Version 5.0(0.26)! Current configuration last modified Thu Feb 17 04:25:15 2005! ------------------------------display-serial! ------------------------------service analysis-engineexit! ------------------------------service authenticationexit! ------------------------------service event-action-rules rules0exit! ------------------------------service hostnetwork-settingshost-ip 10.89.147.31/25,10.89.147.126host-name sensoraccess-list 0.0.0.0/0login-banner-text This message will be displayed on user login.exittime-zone-settingsoffset -360--MORE--Related Commands
more begin
To search the output of any more command, use the more begin command in privileged EXEC mode. This command begins unfiltered output of the more command with the first line that contains the regular expression specified.
more keyword | begin regular-expression
Syntax Description
Defaults
No default behavior or values.
Command Modes
EXEC
Supported User RolesAdministrator, Operator (current-config only), Viewer (current-config only)
Command History
4.0
This command was introduced.
4.0(2)
The begin extension of the more command was introduced.
Usage Guidelines
The regular-expression argument is case sensitive and allows for complex matching requirements.
Examples
The following example shows how to search the more command output beginning with the regular expression "ip":
sensor# more current-config | begin iphost-ip 10.89.147.31/25,10.89.147.126host-name sensoraccess-list 0.0.0.0/0login-banner-text This message will be displayed on user login.exittime-zone-settingsoffset -360standard-time-zone-name CSTexitexit! ------------------------------service interfaceexit! ------------------------------service loggerexit! ------------------------------service network-accessuser-profiles monaenable-password foobarexitexit! ------------------------------service notification--MORE--Related Commands
more exclude
To filter the more command output so that it excludes lines that contain a particular regular expression, use the more exclude command in privileged EXEC mode.
more keyword | exclude regular-expression
Syntax Description
Defaults
No default behavior or values.
Command Modes
EXEC
Supported User RolesAdministrator, Operator (current-config only), Viewer (current-config only)
Command History
4.0
This command was introduced.
4.0(2)
The exclude extension of the more command was added.
Usage Guidelines
The regular-expression argument is case sensitive and allows for complex matching requirements.
Examples
The following example shows how to search the more command output excluding the regular expression "ip":
sensor# more current-config | exclude ip! ------------------------------! Version 5.0(0.26)! Current configuration last modified Thu Feb 17 04:25:15 2005! ------------------------------display-serial! ------------------------------service analysis-engineexit! ------------------------------service authenticationexit! ------------------------------service event-action-rules rules0exit! ------------------------------service hostnetwork-settingshost-name sensoraccess-list 0.0.0.0/0login-banner-text This message will be displayed on user login.exittime-zone-settingsoffset -360standard-time-zone-name CST--MORE--Related Commands
more include
To filter the more command output so that it displays only lines that contain a particular regular expression, use the more include command in privileged EXEC mode.
more keyword | include regular-expression
Syntax Description
Defaults
No default behavior or values.
Command Modes
EXEC
Supported User RolesAdministrator, Operator (current-config only), Viewer (current-config only)
Command History
4.0
This command was introduced.
4.0(2)
The include extension of the more command was added.
Usage Guidelines
The regular-expression argument is case sensitive and allows for complex matching requirements.
Examples
The following example shows how to search the more command output to include only the regular expression "ip":
sensor# more current-config | include iphost-ip 10.89.147.31/25,10.89.147.126sensor#Related Commands
packet
To display or capture live traffic on an interface, use the packet command in EXEC mode. Use the display option to dump live traffic or a previously captured file output directly to the screen. Use the capture option to capture the libpcap output into a local file. There is only one local file storage location, subsequent capture requests overwrite the existing file. You can copy the local file off the machine using the copy command with the packet-file keyword. You can view the local file using the display packet-file option. Use the info option to display information about the local file, if any. Use the packet display iplog id [verbose] [expression expression] to display iplogs.
packet display interface-name [snaplen length] [count count] [verbose] [expression expression]
packet display packet-file [verbose] [expression expression
packet display iplog id [verbose] [expression expression] vlan and
packet capture interface-name [snaplen length] [count count] [expression expression]
packet display file-info
Syntax Description
Defaults
See the Syntax Description table.
Command Modes
EXEC
Supported User RolesAdministrator, Operator, Viewer (display only)
Command History
Usage Guidelines
Storage is available for one local file. The size of this file varies depending on the platform. If possible, a message is displayed if the maximum file size is reached before the requested packet count is captured. Only one user can use the packet capture interface-name command at a time. A second user request results in an error message containing information about the user executing the capture. A configuration change involving the interface can result in abnormal termination of any packet command running on that interface.
Note
Caution
Note
Press Ctrl-C to terminate the live display or file capture.
The expression syntax is described in the ethereal-filter man page.
The file-info displays:
Captured by: user:id, Cmd: cliCmd
Start: yyyy/mm/dd hh:mm:ss zone, End: yyyy/mm/dd hh:mm:ss zone or in-progress
Where
user = Username of user initiating capture,
id = User's CLI ID,
cliCmd = Command entered to perform the capture.
Examples
The following example displays the live traffic occurring on FastEthernet 0/0:
sensor# packet display fastethernet0/0Warning This command will cause significant performance degradation.Executing command: tethereal -i fastethernet0/00.000000 10.89.147.56 -> 64.101.182.20 SSH Encrypted response packet len=560.000262 64.101.182.20 -> 10.89.147.56 TCP 33053 > ssh [ACK] Seq=3844631470 Ack=2972370007 Win=9184 Len=00.029148 10.89.147.56 -> 64.101.182.20 SSH Encrypted response packet len=2240.029450 64.101.182.20 -> 10.89.147.56 TCP 33053 > ssh [ACK] Seq=3844631470 Ack=2972370231 Win=9184 Len=00.030273 10.89.147.56 -> 64.101.182.20 SSH Encrypted response packet len=2240.030575 64.101.182.20 -> 10.89.147.56 TCP 33053 > ssh [ACK] Seq=3844631470 Ack=2972370455 Win=9184 Len=00.031361 10.89.147.56 -> 64.101.182.20 SSH Encrypted response packet len=2240.031666 64.101.182.20 -> 10.89.147.56 TCP 33053 > ssh [ACK] Seq=3844631470 Ack=2972370679 Win=9184 Len=00.032466 10.89.147.56 -> 64.101.182.20 SSH Encrypted response packet len=2240.032761 64.101.182.20 -> 10.89.147.56 TCP 33053 > ssh [ACK]The following example displays information about the stored capture file:
sensor# packet display file-infoCaptured by: raboyd:5292, Cmd: packet capture fastethernet0/0Start: 2004/01/07 11:16:21 CST, End: 2004/01/07 11:20:35 CSTRelated Commands
iplog
Starts IP logging on a virtual sensor.
iplog-status
Displays a description of the available IP log contents.
password
To update your password on the local sensor, use the password command in global configuration mode. The administrator can also use the password command to change the password for an existing user. The administrator can use the no form of the command to disable a user account.
password
Administrator syntax: password [ name [ newPassword ] ]
no password [ name ]
Syntax Description
Defaults
The cisco account default password is cisco.
Command Modes
Global configuration
Supported User RolesAdministrator, Operator (current user's password only), Viewer (current user's password only)
Command History
Usage Guidelines
Use the password command to update the current user's login password. The administrator can also use this command to modify the password for an existing user. The administrator is not prompted for the current password in this case.
You receive an error if you try to disable the last administrator account. Use the password command to reenable a disabled user account and reset the user password.
The password is protected in IPS.
Note
Examples
The following example shows how to modify the current user's password:
sensor(config)# passwordEnter Old Login Password: **********Enter New Login Password: ******Re-enter New Login Password: ******sensor(config)#The following example modifies the password for the user
password:. Only Administrators can execute this command:sensor(config)# password testerEnter New Login Password: ******Re-enter New Login Password: ******sensor(config)#Related Commands
ping
To diagnose basic network connectivity, use the ping command in privileged EXEC mode.
ping address [count]
Syntax Description
address
IP address of the system to ping.
count
Number of echo requests to send. If no value is entered, four requests are sent. The valid range is 1 to 10000.
Defaults
See the Syntax Description table.
Command Modes
EXEC
Command History
Supported User RolesAdministrator, Operator, Viewer
Usage Guidelines
This command is implemented using the ping command provided by the operating system. The output from the command varies slightly between operating systems.
Examples
The following example shows the output of the ping command for Solaris systems:
sensor# ping 10.1.1.1PING 10.1.1.1: 32 data bytes40 bytes from 10.1.1.1: icmp_seq=0. time=0. ms40 bytes from 10.1.1.1: icmp_seq=1. time=0. ms40 bytes from 10.1.1.1: icmp_seq=2. time=0. ms40 bytes from 10.1.1.1: icmp_seq=3. time=0. ms----10.1.1.1 PING Statistics----4 packets transmitted, 4 packets received, 0% packet lossround-trip (ms) min/avg/max = 0/0/0sensor#The following example shows the output of the ping command for Linux systems:
sensor# ping 10.1.1.1 2PING 10.1.1.1 from 10.1.1.2 : 32(60) bytes of data.40 bytes from 10.1.1.1: icmp_seq=0 ttl=255 time=0.2 ms40 bytes from 10.1.1.1: icmp_seq=1 ttl=255 time=0.2 ms--- 10.1.1.1 ping statistics ---2 packets transmitted, 2 packets received, 0% packet lossround-trip min/avg/max = 0.2/0.2/0.2 mssensor#The following example shows the output for an unreachable address:
sensor#ping 172.21.172.1PING 172.21.172.1 (172.21.172.1) from 10.89.175.50 : 56(84) bytes of data.—-172.21.172.1 ping statistics—-5 packets transmitted, 0 packets received, 100% packet losssensor#privilege
To modify the privilege level for an existing user, use the privilege command in global configuration mode. You can also specify the privilege while creating a user with the username command.
privilege user name [ administrator | operator | viewer ]
Syntax Description
name
Specifies the users's name. A valid username is 1 to 64 characters in length. The username must begin with an alphanumeric character, otherwise all characters except spaces are accepted.
Defaults
No default behavior or values.
Command Modes
Global configuration
Supported User RolesAdministrator
Command History
Usage Guidelines
Use the command to modify the privilege for a user.
Note
Examples
The following example changes the privilege of the user "tester" to operator.
sensor(config)# privilege user tester operatorWarning: The privilege change does not apply to current CLI sessions. It will be applied to subsequent logins.sensor(config)#Related Commands
recover
To reimage the application partition with the application image stored on the recovery partition, use the recover command in privileged EXEC mode. The sensor is rebooted multiple times and most configuration—except for network, access list, and time parameters—is reset to the default settings.
More specifically, the following settings are maintained after a local recovery using the "recover application-partition" command: Network Settings (IP Address, Netmask, Default Gateway, Hostname, and Telnet (enabled/disabled)); Access List Entries/ACL0 Settings (IP Address and Netmask); and Time Settings (Offset and Standard Time Zone Name); the rest of the parameters are reset to the default settings.
recover application-partition
Syntax Description
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Supported User RolesAdministrator
Usage Guidelines
Valid answers to the continue with recover question are yes or no. Y or N are not valid responses.
Shutdown begins immediately after the command is executed. Because shutdown may take a little time, you may continue to access CLI commands (access is not denied), but access is terminated without warning. If necessary, a period (.) will be displayed on the screen once a second to indicate progress while the applications are shutting down.
Note
Examples
The following example reimages the application partition using the version 4.0(1)S29 image stored on the recovery partition:
sensor(config)#recover application-partitionWarning: Executing this command will stop all applications and re-image the node to version 5.0(1)Sx. All configuration changes except for network settings will be reset to default.Continue with recovery? []:yesRequest Succeededsensor(config)#reset
To shut down the applications running on the sensor and reboot the appliance, use the reset command in privileged EXEC mode. If the powerdown option is included, the appliance is powered off if possible or left in a state where the power can be turned off.
reset [powerdown]
Syntax Description
Defaults
No default behavior or values.
Command Modes
EXEC
Command History
Supported User RolesAdministrator
Usage Guidelines
Valid answers to the continue with reset question are yes or no. Y or N are not valid responses.
Shutdown begins immediately after the command is executed. Access to the CLI commands is not denied during the shutdown, however, an open session is terminated without warning as soon as the shutdown is completed. If necessary, a period (.) will be displayed on the screen once a second to indicate progress while the applications are shutting down.
Note
Examples
The following example reboots the sensor:
sensor#resetWarning: Executing this command will stop all applications and reboot the node.Continue with reset? []:yessensor#service
To enter configuration menus for various sensor services, use the service command in global configuration mode. Use the default form of the command to reset the entire configuration for the application back to factory defaults.
service { authentication | analysis-engine | event-action-rules name | host | interface | logger | network-access | notification | signature-definition name | ssh-known-hosts | trusted-certificate | web-server }
default service { authentication | analysis-engine | host | interface | logger | network-access | notification | ssh-known-hosts | trusted-certificate | web-server }
Syntax Description
Defaults
No default behavior or values.
Command Modes
Global configuration
Supported User RolesAdministrator, Operator, Viewer (display only)
Command History
4.0
This command was introduced.
5.0
The default keyword was added. Notification application support was added.
Usage Guidelines
This command lets you configure service-specific parameters. The items and menus in this configuration are service dependent and are built dynamically based on the configuration retrieved from the service when the command is executed.
Caution
The command mode is indicated on the command prompt by the name of the service. For example, service authentication has the following prompt:
sensor(config-aut)#This command is IPS-specific.
Note
Within the service event-action-rules and service signature-definition modes, you can create variables and configure rules to filter events. If you use a variable in a filter, you must use a dollar sign ($SIG1) in front of the variable to indicate that the string you have entered represents a variable.
To enter more than one IP address, use a comma (no space) between the addresses. An IP address range can be expressed in the form A.B.C.D/b, where A.B.C.D represents an IP address and b represents the number of low-order bits that are masked in the IP address to specify the range. For example, the value 10.1.0.0/8 indicates an IP address of 10.1.0.0 with the lower 8 bits masked off to form a range of 10.1.0.0-10.1.0.255. Partial IP addresses can be used as part of the v4 IP address range when the allowPartialInput attribute is set to true. Because the range values are inclusive, the range 10.2-10.3 is equivalent to 10.2.0.0-10.3.255.255. The data for a range type can also be a set of ranges. A set of ranges consists of two or more ranges separated by commas—for example, 10.1.9.20-10.1.9.30,10.1.10.40-10.1.10.50,10.2-10.3.
A configuration can only be deleted if it is not assigned to a virtual sensor.
Note
Examples
The following command enters the configuration mode for the authentication service:
sensor(config)# service authenticationsensor(config-aut)#The following command enters the configuration mode for the analysis engine service:
sensor(config)# service analysis-enginesensor(config-ana)#The following command enters the configuration mode for the event action rules service:
sensor(config)# service event-action-rules rules0sensor(config-rul)#The following command enters the configuration mode for the host service:
sensor(config)# service hostsensor(config-hos)#The following command enters the configuration mode for the interface service:
sensor(config)# service interfacesensor(config-int)#The following command enters the configuration mode for the logger service:
sensor(config)# service loggersensor(config-log)#The following command enters the configuration mode for the NAC service:
sensor(config)# service network-accesssensor(config-net)#The following command enters the configuration mode for the SNMP notification service:
sensor(config)# service notificationsensor(config-not)#The following command enters the configuration mode for the signature definition service:
sensor(config)# service signature-definition sig0sensor(config-sig)#The following command enters the configuration mode for the SSH known hosts service:
sensor(config)# service ssh-known-hostssensor(config-ssh)#The following command enters the configuration mode for the trusted certificate service:
sensor(config)# service trusted-certificatesensor(config-tru)#The following command enters the configuration mode for the web server service:
sensor(config)# service web-serversensor(config-web)#setup
To configure basic sensor configuration, use the setup command in privileged EXEC mode.
setup
Syntax Description
This command has no arguments or keywords.
Defaults
hostname sensor
IP interface 10.1.9.201/24,10.1.9.1
telnet-server disabled
web-server port 443
summer time disabled
If summer time is enabled by the user, the defaults are as follows:
Summertime type Recurring
Start Month april
Start Week first
Start Day sunday
Start Time 02:00:00
End Month october
End Week last
End Day sunday
End Time 02:00:00
Offset 60
System timezone defaults:
Timezone UTC
UTC Offset 0
Command Modes
EXEC
Supported User RolesAdministrator
Command History
Usage Guidelines
When you type the setup command, an interactive dialog called the System Configuration Dialog appears on the system console screen. The System Configuration Dialog guides you through the configuration process.
The values shown in brackets next to each prompt are the default values last set.
You must run through the entire System Configuration Dialog until you come to the item that you want to change. To accept default settings for items that you do not want to change, press Enter.
To return to the EXEC prompt without making changes and without running through the entire System Configuration Dialog, press Ctrl-C.
The facility also provides help text for each prompt. To access help text, type the question mark (?) at a prompt.
When you complete your changes, the configuration that was created during the setup session appears. You are prompted to save this configuration. If you type yes, the configuration is saved to disk. If you type no, the configuration is not saved and the process begins again. There is no default for this prompt; you must type either yes or no.
Valid ranges for configurable parameters are as follows:
IP Address/Netmask/Gateway: X.X.X.X/nn,Y.Y.Y.Y, where
X.X.X.X specifies the sensor IP address as a 32-bit address written as four octets separated by periods where X = 0-255.
nn specifies the number of bits in the netmask.
Y.Y.Y.Y specifies the default gateway as a 32-bit address written as four octets separated by periods where Y = 0-255.
Host Name: Case sensitive character string, up to 256 characters. Numbers, "_" and "-" are valid, spaces are not accepted.
Enter the clock settings in setup mode only if the system is NOT using NTP. NTP commands are provided separately.
You can configure daylight savings time either in recurring mode or date mode. If you select recurring mode, the start and end days are entered based on week, day, month, and time. If you select date mode, the start and end days are entered based on month, day, year, and time. Selecting disable turns off daylight savings time.
Table 2-1 shows the clock setting parameters.
You can also edit the default virtual sensor, vs0. You can assign promiscuous and/or inline pairs to the virtual sensor, which in turn enables the assigned interfaces. After setup is complete, the virtual sensor is configured to monitor traffic.
Examples
The following example shows the setup command and the System Configuration program:
sensor# setup--- System Configuration Dialog ---At any point you may enter a question mark '?' for help.User ctrl-c to abort configuration dialog at any prompt.Default settings are in square brackets '[]'.Current Configuration:service hostnetwork-settingshost-ip 172.21.172.25/8,172.21.172.1host-name sensortelnet-option disabledaccess-list 10.0.0.0/24access-list 172.0.0.0/24ftp-timeout 300login-banner-textexittime-zone-settingsoffset 0standard-time-zone-name UTCexitsummertime-option disabledntp-option disabledexitservice web-serverport 443exitservice interfacephysical-interfaces GigbitEthernet0/0admin-state enabledexitexitservice analysis-enginevirtual-sensor vs0physical-interface GigabitEthernet0/0exitexitCurrent time: Wed May 5 10:25:35 2004Setup Configuration last modified: Mon May 3 15:34:30 2004Continue with configuration dialog?[yes]:Enter host name[sensor]:Enter IP interface[172.21.172.25/8,172.21.172.1]:Enter telnet-server status[enabled]:Enter web-server port[8080]: 80Modify current access list? [no]: yesCurrent access list entries:[1] 10.0.0.0/24[2] 172.0.0.0/24Delete: 1Delete:Permit: 173.0.0.0/24Permit:Modify system clock settings? [no]: yesUse NTP? [yes] noModify summer time settings? [no]: yesRecurring, Date or Disable[recurring]:Start Month[apr]:Start Week[1]:Start Day[sun]:Start Time[02:00:00]:End Month[oct]:End Week[last]:End Day[sun]:End Time[02:00:00]:DST Zone[]: CDTOffset[60]:Modify system timezone? [no]: yesTimezone[UTC]: CSTGMT Offset[-360]Modify virtual sensor (vs0} configuration?[no]: yesCurrent interface configurationCommand control: GigabitEthernet0/1Unused:GigabitEthernet2/1GigabitEthernet2/0Promiscuous:GigabitEthernet0/0Inline:NoneDelete Promiscuous interfaces?[no]:Add Promiscuous interfaces?[no]:Add Inline pairs?[no]: yesPair name: testDescription[Created via setup by user cisco]:Interface1[]: GigabitEthernet2/0Interface2[]: GigabitEthernet2/1Pair name:The following configuration was entered.service hostnetwork-settingshost-ip 172.21.172.25/8,172.21.172.1host-name sensortelnet-option enabledaccess-list 172.0.0.0/24access-list 173.0.0.0/24ftp-timeout 300login-banner-textexittime-zone-settingsoffset -360standard-time-zone-name CSTexitsummertime-option recurringoffset 60summertime-zone-name CDTstart-summertimemonth aprilweek-of-month firstday-of-week sundaytime-of-day 02:00:00exitend-summertimemonth octoberweek-of-month lastday-of-week sundaytime-of-day 02:00:00exitexitntp-option disabledexitservice web-serverport 80exitservice interfacephysical-interfaces GigabitEthernet0/0admin-state enabledexitphysical-interfaces GigabitEthernet2/1admin-state enabledexitphysical-interfaces GigabitEthernet2/0admin-state enabledexitinline-interfaces testdescription Created via setup by user ciscointerface1 GigabitEthernet2/0interface2 GigabitEthernet2/1exitexitservice analysis-enginevirtual-sensor vs0physical-interface GigabitEthernet0/0logical-interface testexitexit[0] Go to the command prompt without saving this config.[1] Return back to the setup without saving this config.[2] Save this configuration and exit.Enter your selection [2]:Configuration Saved.Modify system date and time? [no] yesLocal Date[]: 2003-01-18Local Time[4:33:49]: 10:33:49System Time Updated successfullysensor#show begin
To search the output of certain show commands, use the show begin command in privileged EXEC mode. This command begins unfiltered output of the show command with the first line that contains the regular expression specified.
show [ configuration | events | settings ] | begin regular-expression
Syntax Description
|
A vertical bar indicates that an output processing specification follows.
regular-expression
Any regular expression found in show command output.
Defaults
No default behavior or values.
Command Modes
EXEC
Supported User RolesAdministrator, Operator (current-config only), Viewer (current-config only)
Command History
4.0
This command was introduced.
4.0(2)
The begin extension of the show command was added.
Usage Guidelines
The regular-expression argument is case sensitive and allows for complex matching requirements.
Examples
The following example shows the output beginning with the regular expression "ip":
sensor# show configuration | begin iphost-ip 10.89.147.31/25,10.89.147.126host-name sensoraccess-list 0.0.0.0/0login-banner-text This message will be displayed on user login.exittime-zone-settingsoffset -360standard-time-zone-name CSTexitexit! ------------------------------service interfaceexit! ------------------------------service loggerexit! ------------------------------service network-accessuser-profiles monaenable-password foobarexitexit! ------------------------------service notification--MORE--Related Commands
show clock
To display the system clock, use the show clock command in privileged EXEC mode.
show clock [detail]
Syntax Description
detail
Indicates the clock source (NTP or system) and the current summertime setting (if any). (optional)
Defaults
No default behavior or values.
Command Modes
EXEC
Supported User RolesAdministrator, Operator, Viewer
Command History
Usage Guidelines
The system clock keeps an "authoritative" flag that indicates whether the time is authoritative (believed to be accurate). If the system clock has been set by a timing source such as NTP, the flag is set. Table 2-2 shows the authoritative flags.
Table 2-2 Authoritative Flags
*
Time is not authoritative.
(blank)
Time is authoritative.
.
Time is authoritative, but NTP is not synchronized.
Examples
The following example shows NTP configured and synchronized:
sensor# show clock detail12:30:02 CST Tues Dec 19 2002Time source is NTPSummer time starts 03:00:00 CDT Sun Apr 7 2003Summer time ends 01:00:00 CST Sun Oct 27 2003sensor#The following example shows no time source configured:
sensor# show clock*12:30:02 EST Tues Dec 19 2002sensor#The following example shows no time source is configured:
sensor# show clock detail*12:30:02 CST Tues Dec 19 2002No time sourceSummer time starts 02:00:00 CST Sun Apr 7 2003Summer time ends 02:00:00 CDT Sun Oct 27 2003show configuration
See the more current-config command under the more command.
Command History
show events
To display the local event log contents, use the show events command in privileged EXEC mode.
show events [ { [alert [ informational ] [ low] [ medium ] [ high ] [include-traits traits] [exclude-traits traits] | error [ warning] [ error ] [fatal ] | NAC | status} ] [hh:mm:ss [ month day [ year] ] | past hh:mm:ss ]
Syntax Description
Defaults
No default behavior or values.
Command Modes
EXEC
Supported User RolesAdministrator, Operator, Viewer
Command History
4.0
This command was introduced.
4.02
Ability to select multiple error event levels simultaneously was added.
4.1(1)
include-traits, exclude-traits, and past options were added.
Usage Guidelines
The show events command displays the requested event types beginning at the requested start time. If no start time is entered, the selected events are displayed beginning at the current time. If no event types are entered, all events are displayed. Events are displayed as a live feed. You can cancel the live feed by the pressing Ctrl-C.
Use the regular expression | include shunInfo with the show events command to view the blocking information, including source address, for the event.
Note
Examples
The following example displays block requests beginning at 10:00 a.m. on December 25, 2000:
sensor#show events NAC time 10:00:00 Dec 25 2000The following example displays error and fatal error messages beginning at the current time:
sensor#show events error fatal errorThe following example displays all events beginning at 10:00 a.m. on December 25, 2000:
sensor#show events 10:00:00 Dec 25 2000The following example displays all events beginning 30 seconds in the past:
sensor#show events past 00:00:30The following output is taken from the XML content:
evAlert: eventId=1025376040313262350 severity=highoriginator:deviceName: sensor1appName: sensorApptime: 2002/07/30 18:24:18 2002/07/30 12:24:18 CSTsignature: sigId=4500 subSigId=0 version=1.0 IOS Embedded SNMP Community Namesparticipants:attack:attacker: proxy=falseaddr: 132.206.27.3port: 61476victim:addr: 132.202.9.254port: 161protocol: udpshow exclude
To filter the show command output so that it excludes lines that contain a particular regular expression, use the show exclude command in privileged EXEC mode.
show [ configuration | events | settings ] | exclude regular-expression
Syntax Description
|
A vertical bar indicates that an output processing specification follows.
regular-expression
Any regular expression found in show command output.
Defaults
No default behavior or values.
Command Modes
EXEC
Supported User RolesAdministrator, Operator (current-config only), Viewer (current-config only)
Command History
4.0
This command was introduced.
4.0(2)
The exclude extension of the show command was added.
Usage Guidelines
The regular-expression argument is case sensitive and allows for complex matching requirements.
Examples
The following example shows the regular expression "ip" being excluded from the output:
sensor# show configuration | exclude ip! ------------------------------! Version 5.0(0.26)! Current configuration last modified Thu Feb 17 04:25:15 2005! ------------------------------display-serial! ------------------------------service analysis-engineexit! ------------------------------service authenticationexit! ------------------------------service event-action-rules rules0exit! ------------------------------service hostnetwork-settingshost-name sensoraccess-list 0.0.0.0/0login-banner-text This message will be displayed on user login.exittime-zone-settingsoffset -360standard-time-zone-name CST--MORE-Related Commands
show history
To list the commands you have entered in the current menu, use the show history command in all modes.
show history
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
All modes
Supported User RolesAdministrator, Operator, Viewer
Command History
Usage Guidelines
The show history command provides a record of the commands you have entered in the current menu. The number of commands that the history buffer records is 50.
Examples
The following example shows the command record for the show history command:
sensor#show historyshow usersshow eventssensor#show include
To filter the show command output so that it displays only lines that contain a particular regular expression, use the show include command in privileged EXEC mode.
show [ configuration | events | settings ] | include regular-expression
Syntax Description
|
A vertical bar indicates that an output processing specification follows.
regular-expression
Any regular expression found in show command output.
Defaults
No default behavior or values.
Command Modes
EXEC
Supported User RolesAdministrator, Operator (current-config only), Viewer (current-config only)
Command History
4.0
This command was introduced.
4.0(2)
The include extension of the show command was added.
Usage Guidelines
The regular-expression argument is case sensitive and allows for complex matching requirements.
The show settings command output also displays header information for the matching request so that the context of the match can be determined.
Examples
The following example shows only the regular expression "ip" being included in the output:
sensor# show configuration | include iphost-ip 10.89.147.31/25,10.89.147.126sensor#Related Commands
show interfaces
To display statistics for all system interfaces, use the show interfaces command in privileged EXEC mode. This command displays show interfaces management, show interfaces fastethernet, and show interface gigabitethernet.
show interfaces [clear]
show interfaces {fastethernet | gigabitethernet | management } [slot/port]
Syntax Description
Defaults
No default behavior or values.
Command Modes
EXEC
Supported User RolesAdministrator, Operator, Viewer
Command History
5.0
show interfaces group, show interfaces sensing and show interfaces command-control were removed.
Usage Guidelines
This command displays statistics for the command control and sensing interfaces. The clear option also clears statistics that can be reset.
Examples
The following example shows the interface statistics:
sensor# show interfacesInterface StatisticsTotal Packets Received = 0Total Bytes Received = 0Missed Packet Percentage = 0Current Bypass Mode = Auto_offMAC statistics from interface GigabitEthernet0/0Media Type = TXMissed Packet Percentage = 0Inline Mode = UnpairedPair Status = N/ALink Status = DownLink Speed = N/ALink Duplex = N/ATotal Packets Received = 0Total Bytes Received = 0Total Multicast Packets Received = 0Total Broadcast Packets Received = 0Total Jumbo Packets Received = 0Total Undersize Packets Received = 0Total Receive Errors = 0Total Receive FIFO Overruns = 0Total Packets Transmitted = 0Total Bytes Transmitted = 0Total Multicast Packets Transmitted = 0--MORE--show inventory
To display PEP information, use the show inventory command in privileged EXEC mode. This command displays the UDI information that consists of PID, VID and SN of the sensor.
show inventory
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
EXEC
Supported User RolesAdministrator, Operator, Viewer
Command History
Usage Guidelines
This is same as the show inventory IOS command required by Cisco PEP policy. The output of show inventory is different depending on the hardware.
Examples
The following example shows a sample show inventory command output:
sensor# show inventoryNAME: "Chassis", DESCR: "Chasis-4240"PID: 4240-515E , VID: V04, SN: 639156NAME: "slot 0", DESCR: "4 port I/O card"PID: 4240-4IOE , VID: V04, SN: 4356785466sensor#show privilege
To display your current level of privilege, use the show privilege command in privileged EXEC mode.
show privilege
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
EXEC
Supported User RolesAdministrator, Operator, Viewer
Command History
Usage Guidelines
Use this command to display your current level of privilege. A privilege level can only be modified by the administrator. See the username command for more information.
Examples
The following example shows the privilege of the user:
sensor# show privilegeCurrent privilege level is viewersensor#Related Commands
show settings
To display the contents of the configuration contained in the current submode, use the show settings command in any service command mode.
show settings [ terse ]
Syntax Description
Defaults
No default behavior or values.
Command Modes
All service command modes.
Supported User RolesAdministrator, Operator, Viewer (only presented with the top-level command tree)
Command History
Usage Guidelines
This command is IPS-specific.
Note
Examples
The following example shows the output for the show settings command in NAC configuration mode.
sensor# configure terminalsensor(config)# service network-accesssensor(config-net)# show settingsgeneral-----------------------------------------------log-all-block-events-and-errors: true <defaulted>enable-nvram-write: false <defaulted>enable-acl-logging: false <defaulted>allow-sensor-block: true default: falseblock-enable: true <defaulted>block-max-entries: 250 <defaulted>max-interfaces: 250 <defaulted>master-blocking-sensors (min: 0, max: 100, current: 0)----------------------------------------------------------------------------------------------never-block-hosts (min: 0, max: 250, current: 0)----------------------------------------------------------------------------------------------never-block-networks (min: 0, max: 250, current: 0)----------------------------------------------------------------------------------------------block-hosts (min: 0, max: 250, current: 0)----------------------------------------------------------------------------------------------block-networks (min: 0, max: 250, current: 0)---------------------------------------------------------------------------------------------------------------------------------------------user-profiles (min: 0, max: 250, current: 0)----------------------------------------------------------------------------------------------cat6k-devices (min: 0, max: 250, current: 0)----------------------------------------------------------------------------------------------router-devices (min: 0, max: 250, current: 0)----------------------------------------------------------------------------------------------firewall-devices (min: 0, max: 250, current: 0)----------------------------------------------------------------------------------------------sensor(config-net)#The following example shows the show settings terse output for the signature definition submode.
sensor# configure terminalsensor(config)# service signature-definition sig0sensor(config-sig)# show settings tersevariables (min: 0, max: 256, current: 2)-----------------------------------------------<protected entry>variable-name: WEBPORTSvariable-name: user2-----------------------------------------------application-policy-----------------------------------------------http-policy-----------------------------------------------http-enable: false <defaulted>max-outstanding-http-requests-per-connection: 10 <defaulted>aic-web-ports: 80-80,3128-3128,8000-8000,8010-8010,8080-8080,8888-8888,24326-24326 <defaulted>-----------------------------------------------ftp-enable: true default: false-----------------------------------------------fragment-reassembly-----------------------------------------------ip-reassemble-mode: nt <defaulted>-----------------------------------------------stream-reassembly-----------------------------------------------tcp-3-way-handshake-required: true <defaulted>tcp-reassembly-mode: strict <defaulted>--MORE--The following example shows the show settings filtered output. The command indicates the output should only include lines containing HTTP.
sensor# configure terminalsensor(config)# service signature-definition sig0sensor(config-sig)# show settings | include HTTPSearching:sig-string-info: Bagle.Q HTTP propagation (jpeg) <defaulted>sig-string-info: Bagle.Q HTTP propagation (php) <defaulted>sig-string-info: GET ftp://@@@:@@@/pub HTTP/1.0 <defaulted>sig-name: IMail HTTP Get Buffer Overflow <defaulted>sig-string-info: GET shellcode HTTP/1.0 <defaulted>sig-string-info: ..%c0%af..*HTTP <defaulted>sig-string-info: ..%c1%9c..*HTTP <defaulted>sig-name: IOS HTTP Unauth Command Execution <defaulted>sig-name: Null Byte In HTTP Request <defaulted>sig-name: HTTP tunneling <defaulted>sig-name: HTTP tunneling <defaulted>sig-name: HTTP tunneling <defaulted>sig-name: HTTP tunneling <defaulted>sig-name: HTTP CONNECT Tunnel <defaulted>sig-string-info: CONNECT.*HTTP/ <defaulted>sig-name: HTTP 1.1 Chunked Encoding Transfer <defaulted>sig-string-info: INDEX / HTTP <defaulted>sig-name: Long HTTP Request <defaulted>sig-string-info: GET \x3c400+ chars>? HTTP/1.0 <defaulted>sig-name: Long HTTP Request <defaulted>sig-string-info: GET ......?\x3c400+ chars> HTTP/1.0 <defaulted>sig-string-info: /mod_ssl:error:HTTP-request <defaulted>sig-name: Dot Dot Slash in HTTP Arguments <defaulted>sig-name: HTTPBench Information Disclosure <defaulted>--MORE--show ssh authorized-keys
To display the public RSA keys for the current user, use the show ssh authorized-keys command in privileged EXEC mode.
show ssh authorized-keys [ id]
Syntax Description
id
1 to 256-character string uniquely identifying the authorized key. Numbers, "_" and "-" are valid; spaces and `?' are not accepted.
Defaults
No default behavior or values.
Command Modes
EXEC
Supported User RolesAdministrator, Operator, Viewer
Command History
Usage Guidelines
Running this command without the optional ID displays a list of the configured IDs in the system. Running the command with a specific ID displays the key associated with the ID. This command is IPS-specific.
Note
Examples
The following example shows the list of SSH authorized keys:
sensor# show ssh authorized-keyssystem1system2system3system4The following example shows the SSH key for system1:
sensor# show ssh authorized-keys system11023 37 660222729556609833380897067163729433570828686860008172017802434921804214207813035920829509 101701358480525039993932112503147452768378620911189986653716089813147922086044739911341369 642870682319361928148521864094557416306138786468335115835910404940213136954353396163449793 49705016792583146548622146467421997057sensor#Related Commands
ssh authorized-key
Adds a public key to the current user for a client allowed to use RSA authentication to log in to the local SSH server.
show ssh server-key
To display the SSH server's host key and host key's fingerprint, use the show ssh server-key command in privileged EXEC mode.
show ssh server-key
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
EXEC
Supported User RolesAdministrator, Operator, Viewer
Command History
Usage Guidelines
This command is IPS-specific.
Note
Examples
The following example shows the output from the show ssh server-key command:
sensor# show ssh server-key1024 35 144719237233791547030730646600884648599022074867561982783071499320643934487344960727793754895844072492598400377093548506291259419308284286051831157771906995346009751038801142466381823478305387221055488938441723213215375096328332277852374794118697053304026570851868326130246348580479834689461788376232451955011MD5: F3:10:3E:BA:1E:AB:88:F8:F5:56:D3:A6:63:42:1C:11Bubble Babble: xucis-hehon-kizog-nedeg-zunom-kolyn-syzec-zasyk-symuf-rykum-sexyxsensor#Related Commands
ssh generate-key
Changes the server host key used by the SSH server on the sensor.
show ssh host-keys
To display the known hosts table containing the public keys of remote SSH servers with which the sensor can connect, use the show ssh host-keys in privileged EXEC mode.
show ssh host-keys [ ipaddress]
Syntax Description
Defaults
No default behavior or values.
Command Modes
EXEC
Supported User RolesAdministrator, Operator, Viewer
Command History
4.0
This command was introduced.
4.0(1)
Bubble Babble and MD5 output to the command were added.
Usage Guidelines
Running this command without the optional IP address ID displays a list of the IP addresses configured with public keys. Running the command with a specific IP address displays the key associated with the IP address. This command is IPS-specific.
Note
Examples
The following example shows the output of the show ssh host-keys command:
sensor# show ssh host-keys 10.1.2.31024 35 144719237233791547030730646600884648599022074867561982783071499320643934487344960727793754895844072492598400377093548506291259419308284286051831157771906995346009751038801142466381823478305387221055488938441723213215375096328332277852374794118697053304026570851868326130246348580479834689461788376232451955011MD5: F3:10:3E:BA:1E:AB:88:F8:F5:56:D3:A6:63:42:1C:11Bubble Babble: xucis-hehon-kizog-nedeg-zunom-kolyn-syzec-zasyk-symuf-rykum-sexyxsensor#Related Commands
show statistics
To display the requested statistics, use the show statistics command in privileged EXEC mode.
show statistics { analysis-engine | authentication | denied-attackers | event-server | event-store | host | logger | network-access | notification | sdee-server | transaction-source | virtual-sensor | web-server } [ clear ]
Syntax Description
Defaults
No default behavior or values.
Command Modes
EXEC
Supported User RolesAdministrator, Operator, Viewer
Command History
4.0
This command was introduced.
5.0
analysis-engine, virtual-sensor, and denied-attackers were added.
Note
Examples
The following example shows the authentication statistics:
sensor# show statistics authenticationGeneraltotalAuthenticationAttempts = 9failedAuthenticationAttempts = 0sensor#The following example shows the statistics for the Event Store:
sensor# show statistics event-storeEvent store statisticsGeneral information about the event storeThe current number of open subscriptions = 1The number of events lost by subscriptions and queries = 0The number of queries issued = 1The number of times the event store circular buffer has wrapped = 0Number of events of each type currently storedDebug events = 0Status events = 129Log transaction events = 0Shun request events = 0Error events, warning = 8Error events, error = 13Error events, fatal = 0Alert events, informational = 0Alert events, low = 0Alert events, medium = 0Alert events, high = 0sensor#The following example shows the logger statistics:
sensor# show statistics loggerThe number of Log interprocessor FIFO overruns = 0The number of syslog messages received = 27The number of <evError> events written to the event store by severityFatal Severity = 0Error Severity = 13Warning Severity = 35TOTAL = 48The number of log messages written to the message log by severityFatal Severity = 0Error Severity = 13Warning Severity = 8Timing Severity = 0Debug Severity = 0Unknown Severity = 26TOTAL = 47sensor#The following example shows the NAC statistics:
sensor# show statistics network-accessCurrent ConfigurationLogAllBlockEventsAndSensors = trueEnableNvramWrite = falseEnableAclLogging = falseAllowSensorBlock = falseBlockMaxEntries = 250MaxDeviceInterfaces = 250StateBlockEnable = truesensor#show tech-support
To display the current system status, use the show tech-support command in privileged EXEC mode.
show tech-support [page] [password] [destination-url destination url]
Syntax Description
Defaults
See Syntax Description table.
Command Modes
EXEC
Supported User RolesAdministrator
Command History
Usage Guidelines
Note
The exact format of the destination URL varies according to the file. You can select a filename, but it must be terminated by .html.
You can specify the following destination types:
•
•
The report contains HTML-linked output from the following commands:
•
•
•
Examples
The following example places the tech support output into the file
sensor#. The path is relative to csidsuser's home account:sensor#show tech support destination-url ftp://csidsuser@10.2.1.2/reports/sensor1Report.html password:*******The following example places the tech support output into the file
Warning: Executing this command will delete all addresses from the list of attackers currently being denied by the system.:sensor#show tech support destination-url ftp://csidsuser@10.2.1.2//absolute/reports/sensor1Report.html password:*******show tls-fingerprint
To display the server's TLS certificate fingerprint, use the show tls-fingerprint in privileged EXEC mode.
show tls fingerprint
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
EXEC
Supported User RolesAdministrator, Operator, Viewer
Command History
Usage Guidelines
This command is IPS-specific.
Note
Examples
The following example shows the output of the show tls-fingerprint command:
sensor# show tls fingerprintMD5: 1F:94:6F:2E:38:AD:FB:2C:42:0C:AE:61:EC:29:74:BBSHA1: 16:AC:EC:AC:9D:BC:84:F5:D8:E4:1A:05:C4:01:BB:65:7B:4F:FC:AAsensor#Related Commands
show tls trusted-hosts
To display the sensor's trusted hosts, use the show tls trusted-hosts command in privileged EXEC mode.
show tls trusted-hosts [ id ]
Syntax Description
id
1 to 32 character string uniquely identifying the authorized key. Numbers, "_" and "-" are valid; spaces and `?' are not accepted.
Defaults
No default behavior or values.
Command Modes
EXEC
Supported User RolesAdministrator, Operator, Viewer
Command History
Usage Guidelines
Running this command without the optional ID displays a list of the configured IDs in the system. Running the command with a specific ID displays the fingerprint of the certificate associated with the ID.
This command is IPS-specific.
Note
Examples
The following example shows the output from the show tls trusted-hosts command:
sensor# show tls trusted-hosts 172.21.172.1MD5: 1F:94:6F:2E:38:AD:FB:2C:42:0C:AE:61:EC:29:74:BBSHA1: 16:AC:EC:AC:9D:BC:84:F5:D8:E4:1A:05:C4:01:BB:65:7B:4F:FC:AAsensor#Related Commands
show users
To display information about users currently logged in to the CLI, use the show users command in privileged EXEC mode:
show users [ all ]
Syntax Description
Defaults
No default behavior or values.
Command Modes
EXEC
Supported User RolesAdministrator, Operator, Viewer (can only view their own logins)
Command History
4.0
This command was introduced.
4.1
Updated this command to display locked accounts. Limited viewer display for show users all.
Usage Guidelines
For the CLI, this command displays an ID, username, and privilege. An '*' next to the description indicates the current user. A username surrounded by parenthesis "( )" indicates that the account is locked. An account is locked if the user fails to enter the correct password in X subsequent attempts. Resetting the locked user's password with the password command unlocks an account.
The maximum number of concurrent CLI users allowed is based on platform.
Note
Examples
The following example shows the output of the show users command:
sensor# show usersCLI ID User Privilege1234 notheruser viewer* 9802 curuser operator5824 tester administratorThe following example shows user tester2's account is locked:
sensor# show users allCLI ID User Privilege1234 notheruser viewer* 9802 curuser operator5824 tester administrator(tester2) viewerfoobar operatorThe following example shows the show users all output for a viewer:
sensor# show users allCLI ID User Privilege* 9802 tester viewer5824 tester viewerRelated Commands
show version
To display the version information for all installed OS packages, signature packages, and IPS processes running on the system, use the show version command in privileged EXEC mode.
show version
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
EXEC
Supported User RolesAdministrator, Operator, Viewer
Command History
Usage Guidelines
The output for the show version command is IPS-specific and differs from the output for the IOS command. The recovery partition information is available for appliances only.
The license information follows the serial number and can be one of the following:
Continue with clear? []:
sensor#<expiration-date>
sensor#<expiration-date>
Warning: Executing this command will remove all events currently stored in the event store.<expiration-date>where expired license is the form dd-mon-yyyy, for example, 04-dec-2004.
Examples
The following example shows the output for the show version command:
sensor# show versionApplication Partition:Cisco Intrusion Prevention System, Version 5.0(0.1)S91(0.1)OS Version 2.4.26-IDS-smp-bigphysPlatform: IDS-4235No license presentSensor up-time is 6 days.Using 701513728 out of 922509312 bytes of available memory (76% usage)Using 527.6M out of 15.9G bytes of available disk space (3% usage)Using 192.0k out of 31.0M bytes of available disk space (1% usage)MainApp 2004_Aug_16_03.00 (Release) 2004-08-16T03:19:41-0500 RunningAnalysisEngine 2004_Aug_16_03.00 (Release) 2004-08-16T03:19:41-0500 RunningCLI 2004_Aug_16_03.00 (Release) 2004-08-16T03:19:41-0500Upgrade History:No upgrades installedRecovery Partition Version 5.0.1.S91.0.1sensor#ssh authorized-key
To add a public key to the current user for a client allowed to use RSA authentication to log in to the local SSH server, use the ssh authorized-key command in global configuration mode. Use the no form of this command to remove an authorized key from the system.
ssh authorized-key id key-modulus-length public-exponent public-modulus
no ssh authorized-key id
Syntax Description
Defaults
No default behavior or values.
Command Modes
Global configuration
Supported User RolesAdministrator, Operator, Viewer
Command History
Usage Guidelines
This command adds an entry to the known hosts table for the current user. To modify a key the entry must be removed and recreated.
This command is IPS-specific.
Note
Examples
The following example shows how to add an entry to the known hosts table:
sensor(config)# ssh authorized-key system1 1023 37 660222729556609833380897067163729433570828686860008172017802434921804214207813035920829509 101701358480525039993932112503147452768378620911189986653716089813147922086044739911341369 642870682319361928148521864094557416306138786468335115835910404940213136954353396163449793 49705016792583146548622146467421997057sensor(config)#Related Commands
ssh generate-key
To change the server host key used by the SSH server on the sensor, use the ssh generate-key command in privileged EXEC mode.
ssh generate-key
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
EXEC
Supported User RolesAdministrator
Command History
Usage Guidelines
The displayed key fingerprint matches that displayed in the remote SSH client in future connections with this sensor if the remote client is using SSH protocol version 1.5.
This command is IPS-specific.
Note
Examples
The following example shows how to generate a new ssh server host key:
sensor# ssh generate-keyMD5: 49:3F:FD:62:26:58:94:A3:E9:88:EF:92:5F:52:6E:7BBubble Babble: xebiz-vykyk-fekuh-rukuh-cabaz-paret-gosym-serum-korus-fypop-huxyxsensor#Related Commands
show ssh server-key
Displays the SSH server's host key and host key's fingerprint.
ssh host-key
To add an entry to the known hosts table, use the ssh host-key command in global configuration mode. If the modulus, exponent, and length are not provided, the system displays the MD5 fingerprint and bubble babble for the requested IP address and allows you to add the key to the table. Use the no form of this command to remove an entry from the known hosts table.
ssh host-key ipaddress [ key-modulus-length public-exponent public-modulus ]
no ssh host-key ipaddress
Syntax Description
Defaults
No default behavior or values.
Command Modes
Global configuration
Supported User RolesAdministrator, Operator
Command History
Usage Guidelines
The ssh host-key command adds an entry to the known hosts table. To modify a key for an IP address, the entry must be removed and recreated.
If the modulus, exponent, and length are not provided, the SSH server at the specified IP address is contacted to obtain the required key over the network. The specified host must be accessible at the moment the command is issued.
This command is IPS-specific.
Note
Examples
The following example shows how to add an entry to the known hosts table for 10.1.2.3:
sensor(config)# ssh host-key 10.1.2.31024 35 139306213541835240385332922253968814685684523520064131997839905113640120217816869696708721 704631322844292073851730565044879082670677554157937058485203995572114631296604552161309712 601068614812749969593513740598331393154884988302302182922353335152653860589163651944997842 874583627883277460138506084043415861927sensor(config)#The following example shows how to add an entry to the known hosts table for 10.1.2.3:
sensor(config)# ssh host-key 10.1.2.3MD5 fingerprint is 49:3F:FD:62:26:58:94:A3:E9:88:EF:92:5F:52:6E:7BBubble Babble is xebiz-vykyk-fekuh-rukuh-cabaz-paret-gosym-serum-korus-fypop-huxyxWould you like to add this to the known hosts table for this host? [yes]sensor(config)#Related Commands
show ssh host-key
Displays the known hosts table containing the public keys of remote SSH servers with which the sensor can connect.
terminal
To modify terminal properties for a login session, use the terminal command in privileged EXEC mode.
terminal [length screen-length ]
Syntax Description
Defaults
See Syntax Description table.
Command Modes
EXEC
Supported User RolesAdministrator, Operator, Viewer
Command History
Usage Guidelines
The terminal length command sets the number of lines that are displayed before the
Continue with clear? []:prompt is displayed.Examples
The following example sets the CLI to not pause between screens for multiple-screen displays:
sensor#terminal length 0sensor#The following example sets the CLI to display 10 lines per screen for multiple-screen displays:
sensor#terminal length 10sensor#tls generate-key
To regenerate the server's self-signed X.509 certificate, use the tls generate-key in privileged EXEC mode. An error is returned if the host is not using a self-signed certificate.
tls generate-key
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
EXEC
Supported User RolesAdministrator
Command History
Usage Guidelines
This command is IPS-specific.
Note
Examples
The following example shows how to generate the server's self-signed certificate:
sensor(config)# tls generate-keyMD5: 1F:94:6F:2E:38:AD:FB:2C:42:0C:AE:61:EC:29:74:BBSHA1: 16:AC:EC:AC:9D:BC:84:F5:D8:E4:1A:05:C4:01:BB:65:7B:4F:FC:AAsensor(config)#Related Commands
tls trusted-host
To add a trusted host to the system, use the tls trusted-host command in global configuration mode.
tls trusted-host ip-address ip-address [ port port ]
no tls trusted-host ip-address ip-address [ port port ]
no tls trusted-host id id
Syntax Description
ip-address
IP address of host to add or remove.
port
Port number of host to contact. The defaults is port 443. (optional)
Defaults
See Syntax Description table.
Command Modes
Global configuration
Supported User RolesAdministrator, Operator
Command History
Usage Guidelines
This command retrieves the current fingerprint for the requested host/port and displays the result. You can choose to accept or reject the fingerprint based on information retrieved directly from the host being requested to add.
Each certificate is stored with an identifier field. For IP address and default port, the identifier field is ipaddress, for IP address and specified port, the identifier field is ipaddress:port.
Note
Examples
The following command adds an entry to the trusted host table for IP address 172.21.172.1, port 443:
sensor(config)# tls trusted-host ip-address 172.21.172.1Certificate MD5 fingerprint is D4:C2:2F:78:B5:C6:30:F2:C4:6A:8E:5D:6D:C0:DE:32Certificate SHA1 fingerprint is 36:42:C9:1B:9F:A4:A8:91:7F:DF:F0:32:04:26:E4:3A:7A:70:B9:95Would you like to add this to the trusted certificate table for this host? [yes]Certificate ID: 172.21.172.1 successfully added to the TLS trusted host table.sensor(config)#
Note
The following command removes the trusted host entry for IP address 172.21.172.1, port 443:
sensor(config)# no tls trusted-host ip-address 172.21.172.1sensor(config)#Or you can use the following command to remove the trusted host entry for IP address 172.21.172.1, port 443:
sensor(config)# no tls trusted-host id 172.21.172.1sensor(config)#The following command adds an entry to the trusted host table for IP address 10.1.1.1, port 8000:
sensor(config)# tls trusted-host ip-address 10.1.1.1 port 8000Certificate MD5 fingerprint is D4:C2:2F:78:B5:C6:30:F2:C4:6A:8E:5D:6D:C0:DE:32Certificate SHA1 fingerprint is 36:42:C9:1B:9F:A4:A8:91:7F:DF:F0:32:04:26:E4:3A:7A:70:B9:95Would you like to add this to the trusted certificate table for this host? [yes]Certificate ID: 10.1.1.1:8000 successfully added to the TLS trusted host table.sensor(config)#
Note
The following command removes the trusted host entry for IP address 10.1.1.1, port 8000:
sensor(config)# no tls trusted-host ip-address 10.1.1.1 port 8000sensor(config)#Or you can use the following command to remove the trusted host entry for IP address 10.1.1.1, port 8000:
sensor(config)# no tls trusted-host id 10.1.1.1:8000sensor(config)#Related Commands
trace
To display the route an IP packet takes to a destination, use the trace command in privileged EXEC mode.
trace address [count]
Syntax Description
address
Address of system to trace route to.
count
Number of hops to take. Default is 4. Valid values are 1-256.
Defaults
See Syntax Description table.
Command Modes
EXEC
Command Types
Administrator, Operator, Viewer
Command History
Usage Guidelines
There is no command interrupt for the trace command. The command must run to completion.
Examples
The following example shows the output for the trace command:
sensor#trace 10.1.1.1traceroute to 172.21.172.24 (172.21.172.24), 30 hops max, 40 byte packets 1 171.69.162.2 (171.69.162.2) 1.25 ms 1.37 ms 1.58 ms 2 172.21.172.24 (172.21.172.24) 0.77 ms 0.66 ms 0.68 mssensor#upgrade
To apply a service pack, signature update, or image upgrade, use the upgrade command in global configuration mode.
upgrade source-url
Syntax Description
Defaults
No default behavior or values.
Command Modes
Global configuration
Supported User RolesAdministrator
Command History
Usage Guidelines
From the command line, you can type all necessary source and destination URL information and the username. If you type only the command (upgrade) followed by a prefix (ftp: or scp:), you are prompted for any missing information, including a password where applicable.
The directory specification should be an absolute path to the desired file. For recurring upgrades, do not specify a filename. You can configure the sensor for recurring upgrades that occur on specific days at specific times, or you can configure a recurring upgrade to occur after a specific number of hours have elapsed from the initial upgrade.
Use the following guidelines when designating the source:
•
•
•
Note
•
Note
Examples
The following example prompts the sensor to immediately check for the specified upgrade. The directory and path are relative to the tester's user account.
sensor(config)#upgrade scp://tester@10.1.1.1/upgrade/sp.rpmEnter password:*****Re-enter password:****username
To create users on the local sensor, use the username command in global configuration mode. You must be Administrator to create users. Use the no form of the command to remove a user from the sensor. This removes the users from both CLI and web access.
username name [ password password ] [privilege privilege]
no username name
Syntax Description
Defaults
See Syntax Description table.
Command Modes
Global configuration
Supported User RolesAdministrator
Command History
Usage Guidelines
The username command provides username and/or password authentication for login purposes only. The user executing the command cannot remove himself or herself.
If the password is not provided on the command line, the user is prompted. Use the password command to change the password for the current user or for a user already existing in the system. Use the privilege command to change the privilege for a user already existing in the system.
Examples
The following example adds a user called tester with a privilege of viewer and the password testerpassword.
sensor(config)# username tester password testerpasswordThe following example shows the password being entered as protected:
sensor(config)# username testerEnter Login Password: **************Re-enter Login Password: **************The following command changes the privilege of user "tester" to operator:
sensor(config)# username tester privilege operatorRelated Commands
password
Updates your password on the local sensor.
privilege
Modifies the privilege level for an existing user.
