Cisco 4215 - Intrusion Detection Sys Sensor Configuration Manual

Configuration guide.

Cisco Intrusion Prevention System Sensor
CLI Configuration Guide for IPS 5.0
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Customer Order Number: DOC-7816527=
Text Part Number: 78-16527-01

   Summary of Contents for Cisco 4215 - Intrusion Detection Sys Sensor

  • Page 2

    OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks.

  • Page 3: Table Of Contents

    Logging In to NM-CIDS Logging In to AIP-SSM Logging In to the Sensor Initializing the Sensor CHAPTER Overview System Configuration Dialog Initializing the Sensor

  • Page 4: Table Of Contents

    Generating a New SSH Server Key 4-34 Configuring TLS 4-34 About TLS 4-34 Adding TLS Trusted Hosts 4-35 Displaying and Generating the Server Certificate 4-37 Installing the License Key 4-37

  • Page 5: Table Of Contents

    Event Action Filters About Event Action Filters Configuring Event Action Filters 6-10 General Settings 6-14 About General Settings 6-15 Event Action Summarization 6-15 Event Action Aggregation 6-15 Deny Attackers 6-16

  • Page 6: Table Of Contents

    Creating Custom Signatures 7-29 Sequence for Creating a Custom Signature 7-29 Example STRING.TCP Signature 7-30 Example SERVICE.HTTP Signature 7-32 Example MEG Signature 7-33 Example AIC MIME-Type Signature 7-36

  • Page 7: Table Of Contents

    10-19 Routers and ACLs 10-19 Configuring the Sensor to Manage Cisco Routers 10-20 Configuring the Sensor to Manage Catalyst 6500 Series Switches and Cisco 7600 Series Routers 10-21 Switches and VACLs 10-21

  • Page 8: Table Of Contents

    Configuring the Sensor to Manage Catalyst 6500 Series Switches and Cisco 7600 Series Routers 10-22 Configuring the Sensor to Manage Cisco Firewalls 10-24 Configuring the Sensor to be a Master Blocking Sensor 10-25 Configuring Manual Blocking 10-27 Obtaining a List of Blocked Hosts and Connections...

  • Page 9: Table Of Contents

    Cisco IOS Software 15-15 Configuring the Catalyst Series 6500 Switch for IDSM-2 in Inline Mode 15-16 Catalyst Software 15-17 Cisco IOS Software 15-18 Configuring EtherChanneling 15-20 Overview 15-20

  • Page 10: Table Of Contents

    CHAPTER Overview 17-1 Upgrading the Sensor 17-2 Overview 17-2 Upgrade Command and Options 17-2 Using the Upgrade Command 17-3 Upgrading the Recovery Partition 17-4 Configuring Automatic Upgrades 17-5

  • Page 11: Table Of Contents

    Service Programs for IPS Products 18-7 Installing the License Key 18-8 Using IDM 18-8 Using the CLI 18-9 Cisco Security Center 18-11 Cisco IPS Active Update Bulletins 18-11 Accessing IPS Documentation 18-12

  • Page 12

    A-21 Web Server A-22 SensorApp A-22 Responsibilities and Components A-23 Packet Flow A-24 SEAP A-25 New Features A-26 A-28 User Roles A-28 Service Account A-29 CLI Behavior A-30

  • Page 13

    SERVICE.FTP Engine B-15 SERVICE.GENERIC Engine B-16 SERVICE.H225 Engine B-16 Overview B-17 SERVICE.H225 Engine Parameters B-17 SERVICE.HTTP Engine B-19 Overview B-19 SERVICE.HTTP Engine Parameters B-19 SERVICE.IDENT Engine B-20

  • Page 14

    Cleaning Up a Corrupted SensorApp Configuration C-14 Bad Memory on IDS-4250-XL C-15 Blocking C-15 Troubleshooting Blocking C-15 Verifying Network Access Controller is Running C-16 Verifying Network Access Controller Connections are Active C-17

  • Page 15

    Connecting a Serial Cable to IDSM-2 C-44 Troubleshooting AIP-SSM C-44 Gathering Information C-46 Tech Support Information C-47 Overview C-47 Displaying Tech Support Information C-47 Tech Support Command Output C-48

  • Page 16

    C-63 Clearing Events C-66 cidDump Script C-66 Uploading and Accessing Files on the Cisco FTP Site C-67 GLOSSARY INDEX

  • Page 17

    Elements in square brackets are optional. {x | y | z } Required alternative keywords are grouped in braces and separated by vertical bars.

  • Page 18

    Means reader be warned. In this situation, you might perform an action that could result in bodily injury. Related Documentation For more information on Cisco IPS, refer to the following documentation found at this URL: http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/tsd_products_support_series_home.html Documentation Roadmap for Cisco Intrusion Prevention System •...

  • Page 19

    Obtaining Documentation and Submitting a Service Request For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html...

  • Page 20

    Preface: Obtaining Documentation and Submitting a Service Request

  • Page 21: Overview

    Documentation Roadmap for Cisco Intrusion Prevention System 5.0 that shipped with your sensor for information on locating all IPS 5.0 documents on Cisco.com. You can also use an IPS manager to configure your sensor. Refer to the Documentation Roadmap for Cisco Intrusion Prevention System 5.0...

  • Page 22: Sensor Configuration Task Flow

    Chapter 8, “Configuring IP Logging.” Configure blocking. For the procedures, see Chapter 10, “Configuring Blocking.” Configure SNMP if you are going to use it. For the procedures, see Chapter 11, “Configuring SNMP.”

  • Page 23: User Roles

    Monitoring applications only require viewer access to the sensor. You can use the CLI to set up a user account with viewer privileges and then configure the event viewer to use this account to connect to the sensor.

  • Page 24: CLI Behavior

    If you enter the token without the space, a selection of available tokens for the completion (with no help description) appears: sensor# show c? clock configuration sensor# show c Only commands available in the current mode are displayed by help.

  • Page 25: Command Line Editing

    Spacebar: Enables you to see more output on the terminal screen. Press the Spacebar when you see the ---More--- line on the screen to display the next screen.

  • Page 26: IPS Command Modes

    The IPS CLI has the following command modes: • privileged EXEC—Entered when you log in to the CLI interface. • global configuration—Entered from privileged EXEC mode by typing configure terminal. The command prompt is sensor(config)#

  • Page 27: Regular Expression Syntax

    Similar to * but there should be at least one match of the character to the left of the + sign in the expression. Matches the character to its left 0 or 1 times.

  • Page 28

    For example, the regular expression can match aZbcTZT. The software remembers that the first character is Z and the second character is T and then uses Z and T again later in the regular expression.

  • Page 29: General CLI Commands, CLI Keywords

    You can only use the default keyword with commands that specify a default value in the configuration files.

  • Page 30

    Chapter 1 Introducing the CLI Configuration Guide: CLI Keywords

  • Page 31: Supported User Roles, Overview

    Use this account for support and troubleshooting purposes only. Unauthorized modifications are not supported and will require the sensor to be reimaged to guarantee proper operation. You can create only one user with the service role.

  • Page 32: Logging In To The Appliance

    The default username and password are both cisco. You are prompted to change them the first time you log in to the appliance. You must first enter the UNIX password, which is cisco. Then you must enter the new password twice.

  • Page 33: Setting Up A Terminal Server

    You can use terminal servers to remotely manage network equipment, including appliances. To set up a Cisco terminal server with RJ-45 or hydra cable assembly connections, follow these steps: Connect to a terminal server using one of the following methods:...

  • Page 34: Logging In To IDSM-2

    To session to IDSM-2, follow these steps: Step 1 Session to IDSM-2 from the switch. • For Catalyst Software: cat6k>(enable) session slot_number • For Cisco IOS software: router# session slot_number processor 1

  • Page 35: Logging In To NM-CIDS

    Note: The default username and password are both cisco. You are prompted to change them the first time you log in to IDSM-2. You must first enter the UNIX password, which is cisco. Then you must enter the new password twice.

  • Page 36

    Note: The default username and password are both cisco. You are prompted to change them the first time you log in to NM-CIDS. You must first enter the UNIX password, which is cisco. Then you must enter the new password twice.

  • Page 37: Logging In To AIP-SSM

    Note: The default username and password are both cisco. You are prompted to change them the first time you log in to AIP-SSM. You must first enter the UNIX password, which is cisco. Then you must enter the new password twice.

  • Page 38: Logging In To The Sensor

    If you are unable to comply with U.S. and local laws, return this product immediately. A summary of U.S. laws governing Cisco cryptographic products may be found at: http://www.cisco.com/wwl/export/crypto/tool/stqrg.html If you require further assistance, please contact us by sending email to export@cisco.com.

  • Page 39

    , the configuration is saved. If you type , the configuration is not saved and the process begins again. There is no default for this prompt; you must type either

  • Page 40: Chapter 3 Initializing The Sensor

    Or, if you have created the service account for support purposes, you can have TAC create a password. For more information, see Creating the Service Account, page 4-13.

  • Page 41: Initializing The Sensor

    0-255, nn specifies the number of bits in the netmask, and Y.Y.Y.Y specifies the default gateway as a 32-bit address written as 4 octets separated by periods where Y = 0-255.

  • Page 42

    The default is april. Specify the week you want to start summertime settings. Valid entries are first, second, third, fourth, fifth, and last. The default is first.

  • Page 43

    Specify the standard time offset. The default is 0. Specify the standard time zone offset from UTC in minutes (negative numbers represent time zones west of the Prime Meridian).

  • Page 44

    Continue with reset? []: Step 19 Type to continue the reboot. Step 20 Display the self-signed X.509 certificate (needed by TLS): sensor# show tls fingerprint MD5: C4:BC:F2:92:C2:E2:4D:EB:92:0F:E4:86:53:6A:C6:01 SHA1: 64:9B:AC:DE:21:62:0C:D3:57:2E:9B:E5:3D:04:8F:A7:FD:CD:6F:27

  • Page 45

    ! ------------------------------ service host network-settings host-ip 10.89.146.110/24,10.89.146.254 host-name sensor telnet-option enabled access-list 10.0.0.0/8 access-list 10.89.0.0/16 access-list 64.101.0.0/16 access-list 10.89.149.31/32 access-list 64.102.0.0/16 ftp-timeout 150 exit exit time-zone-settings offset -360

  • Page 46: Verifying Initialization

    SHA1: 64:9B:AC:DE:21:62:0C:D3:57:2E:9B:E5:3D:04:8F:A7:FD:CD:6F:27 Step 4 Write down the certificate fingerprints. You will need these to check the authenticity of the certificate when connecting to this sensor with a web browser.

  • Page 47: Changing Network Settings

    • Enabling and Disabling Telnet, page 4-4 • Changing the Access List, page 4-5 • Changing the FTP Timeout, page 4-7 • Adding a Login Banner, page 4-8

  • Page 48: Changing The Hostname

    Step 6 sensor(config-hos-net)# show settings network-settings ----------------------------------------------- host-ip: 10.89.130.108/23,10.89.130.1 default: 10.1.9.201/24,10.1.9.1 host-name: sensor <defaulted> telnet-option: enabled default: disabled access-list (min: 0, max: 512, current: 1) ----------------------------------------------- network-address: 0.0.0.0/0 -----------------------------------------------

  • Page 49

    ----------------------------------------------- host-ip: 10.89.146.110/24,10.89.146.254 default: 10.1.9.201/24,10.1.9.1 host-name: sensor default: sensor telnet-option: enabled default: disabled access-list (min: 0, max: 512, current: 1) ----------------------------------------------- network-address: 0.0.0.0/0 -----------------------------------------------

  • Page 50

    Step 1 Log in to the sensor using an account with administrator privileges. Step 2 Enter network settings mode: sensor# configure terminal sensor(config)# service host sensor(config-hos)# network-settings Step 3 Enable Telnet services: sensor(config-hos-net)# telnet-option enabled

  • Page 51: Changing The Access List

    To modify the access list, follow these steps: Step 1 Log in to the sensor using an account with administrator privileges. Step 2 Enter network settings mode: sensor# configure terminal sensor(config)# service host sensor(config-hos)# network-settings

  • Page 52

    Step 8 Verify the value has been set back to the default: sensor(config-hos-net)# show settings network-settings ----------------------------------------------- host-ip: 10.89.130.108/23,10.89.130.1 default: 10.1.9.201/24,10.1.9.1 host-name: sensor <defaulted> telnet-option: enabled default: disabled access-list (min: 0, max: 512, current: 0) -----------------------------------------------

  • Page 53: Changing The FTP Timeout

    (min: 0, max: 512, current: 1) ----------------------------------------------- network-address: 0.0.0.0/0 ----------------------------------------------- ftp-timeout: 500 seconds default: 300 login-banner-text: <defaulted> ----------------------------------------------- sensor(config-hos-net)#

  • Page 54: Adding A Login Banner

    This is the banner login text message. Step 4 Verify the banner login text message: sensor(config-hos-net)# show settings network-settings ----------------------------------------------- host-ip: 10.89.130.108/23,10.89.130.1 default: 10.1.9.201/24,10.1.9.1 host-name: sensor default: sensor telnet-option: enabled default: disabled

  • Page 55: Changing Web Server Settings

    We recommend that you not reveal to attackers that you have an IPS sensor. Change the server-id to anything that does not reveal any information, especially if your web server is available to the Internet.

  • Page 56

    Verify the defaults have been replaced: sensor(config-web)# show settings enable-tls: true <defaulted> port: 443 <defaulted> server-id: HTTP/1.1 compliant <defaulted> sensor(config-web)# Step 9 Exit web server submode: sensor(config-web)# exit Apply Changes:?[yes]:

  • Page 57: Configuring User Parameters, Adding And Removing Users

    For the procedure, see Creating the Service Account, page 4-13.

  • Page 58

    A list of users is displayed. Step 5 To remove a user, use the no form of the command: sensor# configure terminal sensor(config)# no username jsmith

  • Page 59: Password Recovery, Creating The Service Account

    Adding services to the operating system through the service account affects proper performance and functioning of the other IPS services. TAC does not support a sensor on which additional services have been added.

  • Page 60: Configuring Passwords

    To change the password for another user or reset the password for a locked account, follow these steps: Step 1 Log in to the CLI using an account with administrator privileges. Enter configuration mode: sensor# configure terminal

  • Page 61: Changing User Privilege Levels

    Warning: The privilege change does not apply to current CLI sessions. It will be applied to subsequent logins. sensor(config)#

  • Page 62: Viewing User Status

    Step 3 sensor# show users all CLI ID User Privilege 13491 cisco administrator 5824 (jsmith) viewer 9802 tester operator sensor# The account of the user jsmith is locked.

  • Page 63: Configuring Account Locking

    If you experience problems after your SSH client connects but before it prompts for a password, you need to enable challenge-response authentication. Refer to the documentation for your SSH client for instructions.

  • Page 64: Configuring Time, Time Sources And The Sensor

    NTP key ID, and the NTP key value. You can set up NTP on the appliance during initialization or you can configure NTP through the CLI, IDM, or ASDM. Note: We recommend that you use an NTP time synchronization source.

  • Page 65

    You can configure NM-CIDS to use NTP during initialization or you can set up NTP through the CLI, IDM, or ASDM. Note: We recommend that you use an NTP time synchronization source.

  • Page 66: Correcting Time On The Sensor

    For more information on the clear events command, see Clearing Events from the Event Store, page 13-7. Caution: You cannot remove individual events.

  • Page 67: Configuring Time On The Sensor, System Clock

    22:39:21 CST Sat Jan 25 2003 Time source is NTP Summer time starts 02:00:00 CST Sun Apr 7 2004 Summer time ends 02:00:00 CDT Sun Oct 27 2004

  • Page 68: Configuring Summertime Settings

    You can configure summertime settings if you did not do so during initialization of the sensor. Or you can change them after initialization. Note: Summertime is a term for daylight saving time.

  • Page 69

    12:00:00 default: 02:00:00 ----------------------------------------------- sensor(config-hos-rec-sta)# Step 5 Enter end summertime submode: sensor(config-hos-rec-sta)# exit sensor(config-hos-rec)# end-summertime

  • Page 70

    12:00:00 default: 02:00:00 ----------------------------------------------- end-summertime ----------------------------------------------- month: october default: october week-of-month: last default: last day-of-week: friday default: sunday time-of-day: 05:15:00 default: 02:00:00

  • Page 71

    The format is hh:mm:ss. Verify your settings: sensor(config-hos-non-sta)# show settings start-summertime ----------------------------------------------- date: 2004-05-15 time: 12:00:00 ----------------------------------------------- sensor(config-hos-non-sta)# Step 5 Enter end summertime submode: sensor(config-hos-non-sta)# exit sensor(config-hos-non)# end-summertime

  • Page 72

    ----------------------------------------------- sensor(config-hos-non)# Step 10 Exit non-recurring summertime submode: sensor(config-hos-non)# exit sensor(config-hos)# exit Apply Changes:?[yes]: Step 11 Press Enter to apply the changes or type to discard them.

  • Page 73: Configuring Timezones Settings, Configuring NTP

    Step 7 Configuring NTP This section describes how to configure a Cisco router to be an NTP server and how to configure the sensor to use an NTP server as its time source. It contains the following topics: Configuring a Cisco Router to be an NTP Server, page 4-28 •...

  • Page 74

    The sensor requires an authenticated connection with an NTP server if it is going to use the NTP server as its time source. The sensor supports only the MD5 hash algorithm for key encryption. Use the following procedure to activate a Cisco router to act as an NTP server and use its internal clock as the time source.

  • Page 75

    100 md5-key attack Step 7 Verify the NTP settings: sensor(config-hos-ena)# show settings enabled ----------------------------------------------- ntp-keys (min: 1, max: 1, current: 1) ----------------------------------------------- key-id: 100 ----------------------------------------------- md5-key: attack

  • Page 76: About SSH

    • IP source routing—A host pretends an IP packet comes from another trusted host. • DNS spoofing—An attacker forges name server records. • Interception of clear text passwords and other data by intermediate hosts.

  • Page 77: Adding Hosts To The Known Hosts List

    SSH. These hosts are SSH servers that the sensor needs to connect to for upgrades and file copying, and other hosts, such as Cisco routers, PIX Firewalls, and Catalyst switches that the sensor will connect to for blocking.

  • Page 78: Adding SSH Authorized Public Keys

    Note: You configure your own list of SSH authorized keys. An administrator cannot manage the list of SSH authorized keys for other users on the sensor.

  • Page 79

    If you type the former id, you receive an error message: sensor# show ssh authorized-keys system1 Error: Requested id does not exist for the current user. sensor#

  • Page 80: Generating A New SSH Server Key, Configuring TLS, About TLS

    SSL protocol. When you enter a URL into the web browser that starts with https://ip_address, the web browser responds by using either TLS or SSL protocol to negotiate an encrypted session with the host.

  • Page 81: Adding TLS Trusted Hosts

    For these sessions to be secure from man-in-the-middle attacks you must establish trust of the remote web servers’ TLS certificates. A copy of the TLS certificate of each trusted remote host is stored in the trusted hosts list.

  • Page 82

    Step 6 Remove an entry from the trusted hosts list: sensor# configure terminal sensor(config)# no tls trusted-host 10.89.146.110 The host is removed from the trusted hosts list.

  • Page 83

    Although the sensor functions without the license, you must have a license to obtain signature updates. To obtain a license, you must have a Cisco Service for IPS contract. Contact your reseller, Cisco service or product sales to purchase a contract.

  • Page 84

    You can view the status of the IPS subscription license key on the Licensing panel in IDM or ASDM. You can obtain a license key from the Cisco.com licensing server, which is then delivered to the sensor. Or, you can update the sensor license key from a license key provided in a local file.

  • Page 85

    Note the device with that number. Your Cisco IPS Signature Subscription Service license key will be sent by e-mail to the e-mail address you specified. Save the license key to a system that has a web server, FTP server, or SCP server.

  • Page 86: Cisco Intrusion Prevention System Sensor CLI Configuration Guide For IPS

    Step 7 Copy your license key from a sensor to a server to keep a backup copy of the license: sensor# copy license-key scp://user@10.89.147.3://tftpboot/dev.lic Password: ******* sensor#

  • Page 87: Understanding Interfaces

    To configure the sensor so that traffic continues to flow through inline pairs even when SensorApp is not running, you can enable bypass mode. Bypass mode minimizes dataflow interruptions during reconfiguration, service pack installation, or software failure.

  • Page 88: Interface Support

    1/0<->1/2 GigabitEthernet0/1 FastEthernet1/1 1/0<->1/3 FastEthernet1/2 1/1<->1/2 FastEthernet1/3 1/1<->1/3 1/2<->1/3 IDS-4235 TX (GE) TX onboard + TX PCI 0/0<->1/0 GigabitEthernet0/1 GigabitEthernet0/0 + 0/0<->2/0 GigabitEthernet1/0 or GigabitEthernet2/0 IDS-4250 — None

  • Page 89

    0/0<->0/1 Management0/0 GigabitEthernet0/0 0/0<->0/2 GigabitEthernet0/1 0/0<->0/3 GigabitEthernet0/2 0/1<->0/2 GigabitEthernet0/3 0/1<->0/3 0/2<->0/3 NM-CIDS — None AIP-SSM-10 — GigabitEthernet0/1 By security GigabitEthernet0/0 context AIP-SSM-20 — GigabitEthernet0/1 By security GigabitEthernet0/0 context

  • Page 90: Promiscuous Mode, Understanding TCP Reset, Configuring Promiscuous Mode

    Note: AIP-SSM is configured for promiscuous mode from the ASA CLI and not from the IPS CLI. For the procedure, see Configuring ASA to Send IPS Traffic to AIP-SSM, page 14-3.

  • Page 91

    – 100—Sets the interface to 100 MB (for TX interfaces only).
    – 1000—Sets the interface to 1 GB (for Gigabit interfaces only).
    Note: The speed option is protected on all modules.

  • Page 92

    GigabitEthernet0/2
    -----------------------------------------------
    media-type: tx <protected>
    description: INT1 default:
    admin-state: enabled default: disabled
    duplex: full default: auto
    speed: 1000 default: auto
    alt-tcp-reset-interface
    -----------------------------------------------
    none
    -----------------------------------------------
    sensor(config-int-phy)#

  • Page 93: Inline Mode, Understanding Inline Mode, Configuring Inline Mode

    • default—Sets the value back to the system default setting.
    • description—Your description of the inline interface pair.
    • interface1—The first interface in the inline interface pair.

  • Page 94

    You can assign either a physical interface or a logical inline interface pair to the virtual sensor. Make sure that you have created any inline pairs before assigning them to the virtual sensor.

  • Page 95: Understanding Bypass Mode

    Bypass mode only functions when the operating system is running. If the sensor is powered off or shut down, bypass mode does not work—traffic is not passed to the sensor.

  • Page 96: Configuring Bypass Mode, Configuring Interface Notifications

    Use the interface-notifications command in the service interface submode to configure traffic notifications.

  • Page 97

    -----------------------------------------------
    sensor(config-int-int)#
    Step 9 Exit interface notifications submode:
    sensor(config-int-int)# exit
    sensor(config-int)# exit
    Apply Changes:?[yes]:
    Step 10 Press Enter to apply the changes or type no to discard them.

  • Page 98

    Chapter 5 Configuring Interfaces: Configuring Interface Notifications

  • Page 99: About Event Action Rules

    • Adding event action overrides
    • Filtering event action
    • Executing the resulting event action
    • Summarizing and aggregating events
    • Maintaining a list of denied attackers

  • Page 100: Signature Event Action Processor

    It starts with the signature event with configured action received in the alarm channel and flows top-to-bottom as the signature event passes through the functional components of the SEAP.

  • Page 101: Event Actions

    • Deny Connection Inline—Does not transmit this packet and future packets on the TCP flow (inline mode only).
    • Deny Packet Inline—Does not transmit this packet (inline only).

  • Page 102

    Event Action Variables: This section describes event action variables, and contains the following topics:
    • About Event Action Variables, page 6-5
    • Configuring Event Action Variables, page 6-5

  • Page 103: About Event Action Variables, Configuring Event Action Variables

    The valid values for address are A.B.C.D-A.B.C.D [,A.B.C.D-A.B.C.D].
    Step 4 Check the variable you just made:
    sensor(config-rul)# show settings
    variables (min: 0, max: 256, current: 2)
    -----------------------------------------------
    variableName: variable1

  • Page 104: Calculating The Risk Rating

    RR than attacks against the desktop node. Note: RR is a product of ASR, SFR, TVR, and ARR with an optional PD (promiscuous delta) subtracted in promiscuous mode only.

  • Page 105: Configuring Target Value Ratings, Event Action Overrides, About Event Action Overrides

    Each event action has an associated RR range. If a signature event occurs and the RR for that event falls within the range for an event action, that action is added to the event. For

  • Page 106: Configuring Event Action Overrides

    Step 4 To request a block of the connection:
    sensor(config-rul-ove)# exit
    sensor(config-rul)# overrides request-block-connection
    To request a block of the attacker host:
    sensor(config-rul-ove)# exit
    sensor(config-rul-ove)# exit
    sensor(config-rul)# overrides request-block-host

  • Page 107: Event Action Filters, About Event Action Filters

    Filters work by removing actions from an event. A filter that removes all actions from an event effectively consumes the event.

  • Page 108: Configuring Event Action Filters

    Set the subsignature ID range:
    sensor(config-rul-fil)# subsignature-id-range 1-5
    The default is 0 to 255.
    Set the attacker address range:
    sensor(config-rul-fil)# attacker-address-range 10.89.10.10-10.89.10.23
    The default is 0.0.0.0 to 255.255.255.255.

  • Page 109

    Set the victim address range:
    sensor(config-rul-fil)# victim-address-range 192.56.10.1-192.56.10.255
    The default is 0.0.0.0 to 255.255.255.255.

  • Page 110

    1-343 default: 0-65535
    risk-rating-range: 85-100 default: 0-100
    actions-to-remove: reset-tcp-connection default:
    filter-item-status: Enabled default: Enabled
    stop-on-match: True default: False
    user-comment: This is a new filter. default:
    -----------------------------------------------

  • Page 111

    0.0.0.0-255.255.255.255 <defaulted>
    victim-address-range: 0.0.0.0-255.255.255.255 <defaulted>
    attacker-port-range: 0-65535 <defaulted>
    victim-port-range: 0-65535 <defaulted>
    risk-rating-range: 0-100 <defaulted>
    actions-to-remove: <defaulted>
    filter-item-status: Enabled <defaulted>
    stop-on-match: False <defaulted>
    user-comment: <defaulted>
    -----------------------------------------------

  • Page 112: General Settings

    • Event Action Aggregation, page 6-15
    • Deny Attackers, page 6-16
    • Configuring the General Settings, page 6-16
    • Clearing the Denied Attackers List, page 6-18

  • Page 113: About General Settings, Event Action Summarization, Event Action Aggregation

    Only one alert every summary interval should fire for each address set. If the global summary threshold is reached, the signature goes into Global Summarization mode.

  • Page 114: Deny Attackers, Configuring The General Settings

    Step 1 Log in to the CLI using an account with administrator privileges.
    Step 2 Enter event action rules submode:
    sensor# configure terminal
    sensor(config)# service event-action-rules rules0
    Step 3 Enter general submode:
    sensor(config)# general

  • Page 115

    Step 11 Exit event action rules submode:
    sensor(config-rul-gen)# exit
    sensor(config-rul)# exit
    Apply Changes:?[yes]:
    Step 12 Press Enter to apply your changes or type no to discard them.

  • Page 116: Clearing The Denied Attackers List

    Verify that you have cleared the statistics:
    JWK-4255# show statistics virtual-sensor
    Virtual Sensor Statistics
    Statistics for Virtual Sensor vs0
    Name of current Signature-Definition instance = sig0
    Name of current Event-Action-Rules instance = rules0

  • Page 117: Event Action Rules Example

    SigID=2004, Attacker Address=*, Victim Address=20.1.1.1, Actions to Remove=ALL, Risk Rating Range=1-100, StopOnMatch=True
    SigID=2004, Attacker Address=30.1.1.1, Victim Address=*, Actions to Remove=ALL, Risk Rating Range=1-100, StopOnMatch=True
    SigID=2004, Attacker Address=*, Victim Address=*, Actions to Remove=None, Risk Rating Range=95-100, StopOnMatch=True

  • Page 118

    The third filter line with the filter action NONE is optional, but is presented as a clearer way to define this type of filter.

  • Page 119: About Signatures

    You can later activate retired signatures; however, this process requires the sensing engines to rebuild their

  • Page 120: Signature Variables, About Signature Variables, Configuring Signature Variables

    HTTP traffic.
    • To designate multiple port numbers for a single variable, place a comma between the entries. For example, 80, 3128, 8000, 8010, 8080, 8888, 24326.

  • Page 121: Configuring Signatures

    • Configuring Event Counter, page 7-8
    • Configuring Signature Fidelity Rating, page 7-9
    • Configuring the Status of Signatures, page 7-10
    • Assigning Actions to Signatures, page 7-11

  • Page 122: Configuring General Signature Parameters

    Configuring Signature Fidelity Rating, page 7-9.
    • status—Sets the status of the signature to enabled or retired. For the procedure, see Configuring the Status of Signatures, page 7-10.

  • Page 123: Configuring Alert Frequency

    Step 3 Specify the signature you want to configure:
    sensor(config-sig)# signatures 9000 0
    Step 4 Enter alert frequency submode:
    sensor(config-sig-sig)# alert-frequency

  • Page 124: Configuring Alert Severity

    A subsignature ID is used to identify a more granular version of a broad signature. The value is 0 to 255.
    • alert-severity—Severity of the alert:
    – high—Dangerous alert.
    – medium—Medium level alert.

  • Page 125

    <defaulted>
    specify-l4-protocol
    -----------------------------------------------
    --MORE--
    Step 6 Exit signatures submode:
    sensor(config-sig-sig)# exit
    sensor(config-sig)# exit
    Apply Changes:?[yes]:
    Step 7 Press Enter to apply the changes or type no to discard them.

  • Page 126: Configuring Event Counter

    (Optional) Specify the amount of time in seconds before the event count should be reset:
    sensor(config-sig-sig-eve-yes)# alert-interval 30
    Step 9 Verify the settings:
    sensor(config-sig-sig-eve-yes)# exit
    sensor(config-sig-sig-eve)# show settings
    event-counter
    -----------------------------------------------
    event-count: 2 default: 1

  • Page 127: Configuring Signature Fidelity Rating

    50
    Step 5 Verify the settings:
    sensor(config-sig-sig)# show settings
    <protected entry>
    sig-id: 12000
    subsig-id: 0
    -----------------------------------------------
    alert-severity: low <defaulted>
    sig-fidelity-rating: 50 default: 85
    promisc-delta: 15 <defaulted>
    sig-description
    -----------------------------------------------

  • Page 128: Configuring The Status Of Signatures

    Step 4 Change the status for this signature:
    sensor(config-sig-sig)# status
    sensor(config-sig-sig-sta)# enabled true
    Step 5 Verify the settings:
    sensor(config-sig-sig-sta)# show settings
    status
    -----------------------------------------------
    enabled: true default: false
    retired: false <defaulted>
    -----------------------------------------------
    sensor(config-sig-sig-sta)#

  • Page 129: Assigning Actions To Signatures

    Step 3 Choose the signature you want to configure:
    sensor(config-sig)# signatures 1200 0
    Step 4 Enter the normalizer engine:
    sensor(config-sig-sig)# engine normalizer

  • Page 130: Configuring AIC Signatures, Overview

    AIC also provides a way to inspect FTP traffic and control the commands being issued. You can enable or disable the predefined signatures or you can create policies through custom signatures.

  • Page 131: Configuring The Application Policy

    The following options apply:
    • ftp-enable [true | false]—Enables protection for FTP services. Set to true to require the sensor to inspect FTP traffic. The default is false.

  • Page 132

    Note: We recommend that you not configure AIC web ports, but rather use the default web ports.
    Step 5 Verify your settings:
    sensor(config-sig-app)# show settings
    application-policy
    -----------------------------------------------

  • Page 133: AIC Request Method Signatures

    Define Request Method TRACE
    12695 Define Request Method INDEX
    12696 Define Request Method MOVE
    12697 Define Request Method MKDIR
    12698 Define Request Method COPY
    12699 Define Request Method EDIT

  • Page 134: AIC MIME Define Content Type Signatures

    Content Type image/tiff Verification Failed
    12624 0 Content Type image/x-3ds Header Check
    12624 1 Content Type image/x-3ds Invalid Message Length
    12624 2 Content Type image/x-3ds Verification Failed

  • Page 135

    Content Type text/plain Header Check
    12643 1 Content Type text/plain Invalid Message Length
    12644 0 Content Type text/richtext Header Check
    12644 1 Content Type text/richtext Invalid Message Length

  • Page 136

    Content Type application/vnd.ms-excel Header Check
    12661 1 Content Type application/vnd.ms-excel Invalid Message Length
    12662 0 Content Type application/vnd.ms-powerpoint Header Check
    12662 1 Content Type application/vnd.ms-powerpoint Invalid Message Length

  • Page 137: AIC Transfer Encoding Signatures

    Define Transfer Encoding Deflate
    12688 Define Transfer Encoding Identity
    12689 Define Transfer Encoding Compress
    12690 Define Transfer Encoding GZIP
    12693 Define Transfer Encoding Chunked
    12694 Chunked Transfer Encoding Error

  • Page 138: AIC FTP Commands Signatures

    Define FTP command smnt
    12927 Define FTP command stat
    12928 Define FTP command stor
    12929 Define FTP command stou
    12930 Define FTP command stru
    12931 Define FTP command syst

  • Page 139

    Table 4 FTP Commands Signatures (continued)
    Signature ID / FTP Command
    12932 Define FTP command type
    12933 Define FTP command user

  • Page 140: IP Fragment Reassembly, Overview, Configuring IP Fragment Reassembly Parameters

    Step 1 Log in to the CLI using an account with administrator or operator privileges.
    Step 2 Enter signature definition submode:
    sensor# configure terminal
    sensor(config)# service signature-definition sig0

  • Page 141

    – nt—Windows systems.
    – solaris—Solaris systems.
    – linux—GNU/Linux systems.
    – bsd—BSD UNIX systems.
    The default is nt.

  • Page 142

    TCP stream reassembly signatures with the parameters that you can configure for TCP stream reassembly. The TCP stream reassembly signatures are part of the NORMALIZER engine.

  • Page 143

    1330 18 TCP Drop - Segment out of Window
    3050 Half Open SYN Attack syn-flood-max-embryonic 5000
    3250 TCP Hijack max-old-ack 200
    3251 TCP Hijack Simplex Mode max-old-ack 100

  • Page 144

    Step 8
    sensor(config-sig-sig-nor-def-yes)# exit
    sensor(config-sig-sig-nor-def)# exit
    sensor(config-sig-sig-nor)# exit
    sensor(config-sig-sig)# exit
    sensor(config-sig)# exit
    Apply Changes:?[yes]:
    Step 9 Press Enter to apply the changes or type no to discard them.

  • Page 145: Configuring The Mode For TCP Stream Reassembly

    -----------------------------------------------
    sensor(config-sig-str)#
    Step 6 Exit TCP reassembly submode:
    sensor(config-sig-str)# exit
    sensor(config-sig)# exit
    Apply Changes:?[yes]:
    Step 7 Press Enter to apply the changes or type no to discard them.

  • Page 146: Configuring IP Logging

    60
    Step 4 Verify the settings:
    sensor(config-sig-ip)# show settings
    ip-log
    -----------------------------------------------
    ip-log-packets: 150 default: 0
    ip-log-time: 60 default: 30
    ip-log-bytes: 200000 default: 0
    -----------------------------------------------
    sensor(config-sig-ip)#

  • Page 147: Creating Custom Signatures, Sequence For Creating A Custom Signature

    Step 4 Assign the alert response:
    • Signature fidelity rating
    • Severity of the alert
    Step 5 Assign the alert behavior.
    Step 6 Apply the changes.

  • Page 148: Example String.TCP Signature

    Step 5
    sensor(config-sig-sig-sig)# sig-name This is my new name
    Step 6 Exit signature description submode:
    sensor(config-sig-sig-sig)# exit
    Step 7 Specify the string TCP engine:
    sensor(config-sig-sig)# engine string-tcp

  • Page 149

    Step 12 Exit signature definition submode:
    sensor(config-sig-sig-str)# exit
    sensor(config-sig-sig)# exit
    sensor(config-sig)# exit
    Apply Changes:?[yes]:
    Step 13 Press Enter to apply the changes or type no to discard them.

  • Page 150: Example Service.HTTP Signature

    Step 5 Specify a signature name:
    sensor(config-sig-sig-sig)# sig-name myWebSig
    Step 6 Specify the alert traits:
    sensor(config-sig-sig-sig)# alert-traits 2
    The valid range is from 0 to 65535.

  • Page 151: Example META Signature

    META components.
    • edit—Edits an existing entry in the list.
    – insert name1—Inserts a new entry into the list.
    – move—Moves an entry in the list.

  • Page 152

    3000 subsignature 0 on the same source address. The source address selection is a result of the meta key default value of Axxx. You can change the behavior by changing the meta key setting to xxBx (destination address) for example.

  • Page 153

    NAME: c1
    -----------------------------------------------
    component-sig-id: 2000
    component-subsig-id: 0 <defaulted>
    component-count: 1 <defaulted>
    -----------------------------------------------
    NAME: c2
    -----------------------------------------------
    component-sig-id: 3000
    component-subsig-id: 0 <defaulted>
    component-count: 1 <defaulted>
    -----------------------------------------------

  • Page 154: Example AIC MIME-type Signature

    TCP RESETS to hijack and terminate the TCP flow
    • no—Removes an entry or selection setting
    • signature-type—Type of signature desired
    – content-types—Content-types
    – define-web-traffic-policy—Defines web traffic policy

  • Page 155

    Step 7 Exit signatures submode:
    sensor(config-sig-sig-app-def)# exit
    sensor(config-sig-sig-app)# exit
    sensor(config-sig-sig)# exit
    sensor(config-sig)# exit
    Apply Changes:?[yes]:
    Step 8 Press Enter to apply the changes or type no to discard them.

  • Page 156

    Chapter 7 Defining Signatures: Creating Custom Signatures

  • Page 157: About IP Logging

    IP address, only one IP log is created for all the alerts. Each alert references the same IP log. However, the output of the IP log status only shows the event ID of the first alert triggering the IP log.

  • Page 158: Configuring Automatic IP Logging

    Step 4 Configure the duration you want the sensor to log packets:
    sensor(config-sig-ip)# ip-log-time 60
    Step 5 Configure the number of bytes you want logged:
    sensor(config-sig-ip)# ip-log-bytes 5024

  • Page 159: Configuring Manual IP Logging For A Specific IP Address, Stopping Active IP Logs

    Configuring Automatic IP Logging, page 8-2. To copy and view an IP log file, see Copying IP Log Files to Be Viewed, page 8-6.

  • Page 160

    • log-id—Log ID of the logging session to stop. Use the iplog-status command to find the log ID.
    • name—Virtual sensor on which to begin or end logging.

  • Page 161

    Log ID:
    IP Address 1: 10.16.0.0
    Virtual Sensor:
    Status: completed
    Event ID:
    Bytes Captured:
    Packets Captured:
    sensor#
    When the logs are stopped, the status shows them as completed.

  • Page 162: Copying IP Log Files To Be Viewed

    227 Entering Passive Mode (2,4,6,8,179,125)
    150 Opening BINARY mode data connection for iplog1.
    226 Transfer complete.
    30650 bytes sent in 0.00246 secs (1.2e+04 Kbytes/sec)
    ftp>

  • Page 163

    Step 4 Open the IP log using a sniffer program such as Wireshark or TCPDUMP. For more information on Wireshark go to http://www.wireshark.org. For more information on TCPDUMP, go to http://www.tcpdump.org/.

  • Page 164

    Chapter 8 Configuring IP Logging: Copying IP Log Files to Be Viewed

  • Page 165: About Packet Display And Capture

    Changing the interface configuration results in abnormal termination of any packet command running on that interface.
    Caution: Executing the packet display or capture command causes significant performance degradation.

  • Page 166: Displaying Live Traffic On An Interface

    = username of user initiating capture
    id = user's CLI ID
    cliCmd = command entered to perform the capture
    Caution: Executing the packet display command causes significant performance degradation.

  • Page 167

    03:43:05.694808 IP (tos 0x10, ttl 64, id 55471, offset 0, flags [DF], length: 300) 10.89.147.31.22 > 10.89.147.50.41805: P [tcp sum ok] 2344:2592(248) ack 1 win 8576 <nop,nop,timestamp 44085169 226014950>

  • Page 168: Capturing Live Traffic On An Interface

    You can only use an interface name that exists in the system.
    • snaplen—Maximum number of bytes captured for each packet (optional). The valid range is 68 to 1600. The default is 0.

  • Page 169

    03:03:15.218814 802.1d config TOP_CHANGE 8000.00:04:9a:66:35:01.8025 root 8000.0 0:04:6d:f9:e8:82 pathcost 8 age 2 max 20 hello 2 fdelay 15
    03:03:15.546866 IP 64.101.182.244.1978 > 10.89.130.108.23: P 0:2(2) ack 157 win 65535

  • Page 170: Copying The Packet File

    Note: The exact format of the source and destination URLs varies according to the file.
    – ftp:—Destination URL for an FTP network server. The syntax for this prefix is: ftp:[//[username@] location]/relativeDirectory]/filename

  • Page 171: Erasing The Packet File

    Step 2 Erase the packet file:
    sensor# erase packet-file
    sensor#
    Step 3 Verify that you have erased the packet file:
    sensor# packet display file-info
    No packet-file available.
    sensor#

  • Page 172

    Chapter 9 Displaying and Capturing Live Traffic on an Interface: Erasing the Packet File

  • Page 173: Understanding Blocking

    • Host block—Blocks all traffic from a given IP address.
    • Connection block—Blocks traffic from a given source IP address to a given destination IP address and destination port.

  • Page 174

    On Cisco routers and Catalyst 6500 series switches, Network Access Controller creates blocks by applying ACLs or VACLs. ACLs and VACLs permit or deny passage of data packets through interface ports or VLANs.

  • Page 175: Blocking Prerequisites, Supported Blocking Devices

    – Supervisor Engine 1A with PFC
    – Supervisor Engine 1A with MSFC1
    – Supervisor Engine 1A with MSFC2
    – Supervisor Engine 2 with MSFC2
    – Supervisor Engine 720 with MSFC3

  • Page 176: Configuring Blocking Properties, Allowing The Sensor To Block Itself

    You can configure this option if you can ensure that if the sensor creates a rule to block its own IP address, it will not prevent the sensor from accessing the blocking device.

  • Page 177

    <defaulted>
    enable-acl-logging: false <defaulted>
    allow-sensor-block: false default: false
    block-enable: true default: true
    block-max-entries: 100 default: 250
    max-interfaces: 250 <defaulted>
    master-blocking-sensors (min: 0, max: 100, current: 0)

  • Page 178: Disabling Blocking

    Step 1 Log in to the CLI using an account with administrator privileges.
    Step 2 Enter network access submode:
    sensor# configure terminal
    Step 3 Enter general submode:
    sensor(config-net)# general

  • Page 179

    (min: 0, max: 100, current: 0)
    -----------------------------------------------
    never-block-hosts (min: 0, max: 250, current: 1)
    -----------------------------------------------
    ip-address: 11.11.11.11
    -----------------------------------------------
    never-block-networks (min: 0, max: 250, current: 1)
    -----------------------------------------------
    ip-address: 12.12.0.0/16
    -----------------------------------------------

  • Page 180: Setting Maximum Block Entries

    Step 5
    sensor(config-net-gen)# show settings
    general
    -----------------------------------------------
    log-all-block-events-and-errors: true <defaulted>
    enable-nvram-write: false <defaulted>
    enable-acl-logging: false <defaulted>
    allow-sensor-block: false default: false
    block-enable: true <defaulted>
    block-max-entries: 100 default: 250

  • Page 181

    ----------------------------------------------- --MORE-- Step 8 Exit network access submode: sensor(config-net-gen)# exit sensor(config-net)# exit Step 9 Apply Changes:?[yes]: Press Enter to apply the changes or type no to discard them.

  • Page 182: Setting The Block Time

    Step 7 Apply Changes:?[yes]: Press Enter to apply the changes or type no to discard them. Note There is a time delay while the signatures are updated.

  • Page 183: Enabling Acl Logging

    <defaulted> enable-acl-logging: false default: false allow-sensor-block: false <defaulted> block-enable: true <defaulted> block-max-entries: 250 <defaulted> max-interfaces: 250 <defaulted> master-blocking-sensors (min: 0, max: 100, current: 0) -----------------------------------------------

  • Page 184: Enabling Writing To Nvram

    <defaulted> block-enable: true <defaulted> block-max-entries: 250 <defaulted> max-interfaces: 250 <defaulted> master-blocking-sensors (min: 0, max: 100, current: 0) ----------------------------------------------- Step 6 Disable writing to NVRAM: sensor(config-net-gen)# enable-nvram-write false

  • Page 185: Logging All Blocking Events And Errors

    Verify that logging is disabled: sensor(config-net-gen)# show settings general ----------------------------------------------- log-all-block-events-and-errors: false default: true enable-nvram-write: false default: false enable-acl-logging: false default: false allow-sensor-block: false <defaulted> block-enable: true <defaulted>

  • Page 186

    Step 2 Enter network access mode: sensor# configure terminal sensor(config)# service network-access Step 3 Enter general submode: sensor(config-net)# general Step 4 Configure the maximum number of interfaces: sensor(config-net-gen)# max-interfaces 50

  • Page 187

    Such a device should never be blocked, and trusted, internal networks should never be blocked.

  • Page 188

    12.12.0.0/16 --MORE-- Step 6 Exit network access submode: sensor(config-net-gen)# exit sensor(config-net)# exit Step 7 Apply Changes:?[yes]: Press Enter to apply the changes or type no to discard them.

  • Page 189: Configuring User Profiles

    Enter enable-password[]: ******** Re-enter enable-password ******** Step 7 Verify the settings: sensor(config-net-use)# show settings profile-name: PROFILE1 ----------------------------------------------- enable-password: <hidden> password: <hidden> username: jsmith default: ----------------------------------------------- sensor(config-net-use)#

  • Page 190: Configuring Blocking Devices, How The Sensor Manages Devices

    How the Sensor Manages Devices Network Access Controller uses ACLs on Cisco routers and switches to manage those devices. These ACLs are built as follows: • A permit line with the sensor’s IP address or, if specified, the NAT address of the sensor. If you permit the sensor to be blocked, this line does not appear in the ACL.

  • Page 191: Configuring The Sensor To Manage Cisco Routers, Routers And Acls

    Configuring the Sensor to be a Master Blocking Sensor, page 10-25. Configuring the Sensor to Manage Cisco Routers This section describes how to configure the sensor to manage Cisco routers. It contains the following topics: Routers and ACLs, page 10-19 •...

  • Page 192

    When the new ACL is applied to an interface or direction of the router, it removes the application of any other ACL to that interface or direction. Configuring the Sensor to Manage Cisco Routers To configure a sensor to manage Cisco routers, follow these steps: Step 1 Log in to the CLI using an account with administrator privileges.

  • Page 193: Routers, Switches And Vacls

    You can configure Network Access Controller to block using VACLs on the switch itself when running Cisco Catalyst software, or to block using router ACLs on the MSFC or on the switch itself when running Cisco IOS software. This section describes blocking using VACLs. For blocking using router ACLs, see Configuring the Sensor to Manage Cisco Routers, page 10-19.

  • Page 194

    VLAN. Configuring the Sensor to Manage Catalyst 6500 Series Switches and Cisco 7600 Series Routers To configure the sensor to manage Catalyst 6500 series switches and Cisco 7600 series routers, follow these steps: Log in to the CLI using an account with administrator privileges.

  • Page 195

    Exit network access submode: sensor(config-net-cat-blo)# exit sensor(config-net-cat)# exit sensor(config-net)# exit sensor(config)# exit Apply Changes:?[yes]: Step 11 Press Enter to apply the changes or type no to discard them.

  • Page 196: Configuring The Sensor To Manage Cisco Firewalls

    Configuring Blocking Configuring Blocking Devices Configuring the Sensor to Manage Cisco Firewalls To configure the sensor to manage Cisco firewalls, follow these steps: Step 1 Log in to the CLI using an account with administrator privileges. Enter network access submode:...

  • Page 197: Configuring The Sensor To Be A Master Blocking Sensor

    On the master blocking sensor, check to see if it requires TLS and what port number is used: sensor(config)# service web-server sensor(config-web)# show settings enable-tls: true <defaulted> port: 443 <defaulted> server-id: HTTP/1.1 compliant <defaulted> sensor(config-web)# If enable-tls is true, go to Step b.

  • Page 198

    Step 11 Set the status of whether or not the host uses TLS/SSL: sensor(config-net-gen-mas)# tls [true | false] sensor(config-net-gen-mas)# Note If you set the value to true, you need to use the command tls trusted-host ip-address mbs_ip_address.

  • Page 199: Configuring Manual Blocking

    For a host IP address: sensor(config-net-gen)# block-hosts ip_address For a network IP address: sensor(config-net-gen)# block-networks ip_address/netmask The format for ip_address/netmask is A.B.C.D/nn. Example: sensor(config-net-gen)# block-networks 10.0.0.0/8

  • Page 200: Obtaining A List Of Blocked Hosts And Connections

    Communications = telnet BlockInterface InterfaceName = fa0/0 InterfaceDirection = in State BlockEnable = true NetDevice IP = 10.1.1.1 AclSupport = uses Named ACLs Version = 12.2 State = Active

  • Page 201

    IP = 192.168.1.1 Vlan = ActualIp = BlockMinutes = 80 MinutesRemaining = 76 The Host entry indicates which hosts are being blocked and how long the blocks are.

  • Page 202

    Chapter 10 Configuring Blocking Obtaining a List of Blocked Hosts and Connections

  • Page 203: About Snmp

    SNMP requests. However, it is not possible to totally eliminate SNMP polling. SNMP requests are required for discovery and topology changes. In addition, a managed device agent cannot send a trap if the device has had a catastrophic outage.

  • Page 204: Configuring Snmp

    The read-only community name specifies the password for queries to the SNMP agent. Assign the read-write community string: sensor(config-not)# read-write-community PRIVATE1 The read-write community name specifies the password for sets to the SNMP agent.

  • Page 205

    BUSINESS default: Unknown sensor(config-not)# Step 6 Exit notification submode: sensor(config-not)# exit Step 7 Apply Changes:?[yes]: Press Enter to apply the changes or type no to discard them.

  • Page 206: Configuring Snmp Traps

    It filters in (not filters out) the traps based on severity. Choose whether you want detailed SNMP traps: sensor(config-not)# enable-detail-traps true Type the community string to be included in the detailed traps: sensor(config-not)# trap-community-name TRAP1

  • Page 207

    BUSINESS default: Unknown sensor(config-not)# Step 7 Exit notification submode: sensor(config-not)# exit Step 8 Apply Changes:?[yes]: Press Enter to apply the changes or type no to discard them.

  • Page 208: Supported Mibs

    • CISCO-ENTITY-ALARM-MIB You can obtain these private Cisco MIBs under the heading SNMP v2 MIBs at this URL: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml The management MIB supported on the sensor is the rfc1213 (mib-2). You can obtain the mib-2 from any public domain, such as http://www.ietf.org/rfc/rfc1213.txt.

  • Page 209: Displaying The Current Configuration

    ! Current configuration last modified Fri Dec 17 21:38:23 2004 ! ------------------------------ service analysis-engine exit ! ------------------------------ service authentication exit ! ------------------------------ service event-action-rules rules0 exit ! ------------------------------ service host network-settings

  • Page 210

    1206 0 engine normalizer event-action produce-alert|produce-verbose-alert|deny-attacker-inline|deny-connection-inline|deny-packet-inline|log-attacker-packets|log-pair-packets|log-victim-packets|request-block-connection|request-block-host|request-snmp-trap|reset-tcp-connection|modify-packet-inline exit exit signatures 1300 0 engine normalizer event-action produce-alert|produce-verbose-alert|deny-attacker-inline|deny-connection-inline|deny-packet-inline|log-attacker-packets|log-pair-packets|log-victim-packets|request-block-connection|request-block-host|request-snmp-trap|reset-tcp-connection|modify-packet-inline edit-default-sigs-only default-signatures-only specify-syn-flood-max-embrionic yes exit

  • Page 211: Displaying The Current Submode Configuration

    <defaulted> signature-definition: sig0 <protected> event-action-rules: rules0 <protected> physical-interface (min: 0, max: 999999999, current: 0) ----------------------------------------------- ----------------------------------------------- logical-interface (min: 0, max: 999999999, current: 0)

  • Page 212

    (min: 0, max: 512, current: 1) ----------------------------------------------- network-address: 0.0.0.0/0 ----------------------------------------------- ----------------------------------------------- ftp-timeout: 300 seconds <defaulted> login-banner-text: <defaulted> ----------------------------------------------- time-zone-settings

  • Page 213

    <protected entry> name: GigabitEthernet0/0 ----------------------------------------------- media-type: tx <protected> description: <defaulted> admin-state: disabled <protected> duplex: auto <defaulted> speed: auto <defaulted> alt-tcp-reset-interface ----------------------------------------------- none ----------------------------------------------- ----------------------------------------------- ----------------------------------------------- ----------------------------------------------- -----------------------------------------------

  • Page 214

    <defaulted> <protected entry> zone-name: tls severity: warning <defaulted> <protected entry> zone-name: intfc severity: warning <defaulted> <protected entry> zone-name: cmgr severity: warning <defaulted> <protected entry>

  • Page 215

    (min: 0, max: 100, current: 1) ----------------------------------------------- vlan: 234 ----------------------------------------------- pre-vacl-name: aaaa default: post-vacl-name: bbbb default: ----------------------------------------------- ----------------------------------------------- ----------------------------------------------- ----------------------------------------------- router-devices (min: 0, max: 250, current: 0)

  • Page 216

    ----------------------------------------------- http-policy ----------------------------------------------- http-enable: false <defaulted> max-outstanding-http-requests-per-connection: 10 <defaulted> aic-web-ports: 80-80,3128-3128,8000-8000,8010-8010,8080-8080,8888-8888, 24326-24326 <defaulted> ----------------------------------------------- ftp-enable: false <defaulted> ----------------------------------------------- fragment-reassembly ----------------------------------------------- ip-reassemble-mode: nt <defaulted> ----------------------------------------------- stream-reassembly ----------------------------------------------- --MORE--

  • Page 217: Filtering The Current Configuration Output

    Use the show configuration | [begin | exclude | include] regular-expression command to search or filter the output of the contents of the current configuration. Note Users with operator or viewer privileges can search or filter the current-config only.

  • Page 218

    12300 0 status enabled true retired true --MORE-- Note Press Ctrl-C to stop the output and return to the CLI prompt.

  • Page 219: Filtering The Current Submode Configuration Output

    Use the show settings | [begin | exclude | include] keyword command in the submode you are interested in to search or filter the output of the contents of the submode configuration.

  • Page 220

    11 default: 250 max-interfaces: 13 default: 250 master-blocking-sensors (min: 0, max: 100, current: 1) ----------------------------------------------- ipaddress: 10.89.149.124 ----------------------------------------------- password: <hidden> port: 443 default: 443 tls: true default: true

  • Page 221: Displaying The Contents Of A Logical File

    Step 2 sensor# more current-config Generating current config: The current configuration is displayed. ! ------------------------------ ! Version 5.0(0.22) ! Current configuration last modified Fri Dec 17 21:38:23 2004

  • Page 222

    12300 0 status enabled true retired true exit exit signatures 1206 0 engine normalizer event-action produce-alert|produce-verbose-alert|deny-attacker-inline|deny-connection-inline|deny-packet-inline|log-attacker-packets|log-pair-packets|log-victim-packets|request-block-connection|request-block-host|request-snmp-trap|reset-tcp

  • Page 223

    Note We recommend copying the current configuration file to a remote server before upgrading. You are prompted to back up the current configuration first. You can then restore the current configuration from the remote server.

  • Page 224

    Step 1 Log in to the CLI using an account with administrator privileges. Step 2 To back up the current configuration to the remote server: sensor# copy current-config ftp://qa_user@10.89.146.1//tftpboot/update/qmaster89.cfg Password: ********

  • Page 225

    Use the erase [backup-config | current-config] command to delete a logical file. The following options apply: • current-config—The current running configuration. The configuration becomes persistent as the commands are entered. • backup-config—The storage location for the configuration backup.

  • Page 226

    User accounts will not be erased. They must be removed manually using the "no username" command. Continue? []: Step 2 Press Enter to continue or type no to stop.

  • Page 227: Creating A Banner Login

    To create a banner login, follow these steps: Step 1 Log in to the CLI using an account with administrator privileges. Step 2 Enter global configuration mode: sensor# configure terminal

  • Page 228: Terminating Cli Sessions

    If an operator or viewer tries to log in when the maximum sessions are open, the following message appears: Error: The maximum allowed CLI sessions are currently open, please try again later.

  • Page 229: Modifying Terminal Properties

    Step 2 To have no pause between multi-screen outputs, use 0 for the screen length value: sensor# terminal length 0 Note The screen length values are not saved between login sessions.

  • Page 230: Events, Displaying Events

    Note The show events command waits until a specified event is available. It continues to wait and display events until you exit by pressing Ctrl-C.

  • Page 231

    Step 5 Display alerts from the past 45 seconds: sensor# show events alert past 00:00:45 evIdsAlert: eventId=1109695939102805307 severity=medium vendor=Cisco originator: hostId: sensor

  • Page 232

    2316 evStatus: eventId=1041526834774829056 vendor=Cisco originator: hostId: sensor appName: login(pam_unix) appInstanceId: 2315 time: 2003/01/08 02:41:00 2003/01/08 02:41:00 UTC syslogMessage: description: session opened for user cisco by cisco(uid=0)

  • Page 233: Clearing Events From The Event Store, System Clock, Displaying The System Clock

    22:39:21 UTC Sat Jan 25 2003 Step 3 Display the system clock with details: sensor# show clock detail 22:39:21 CST Sat Jan 25 2003 Time source is NTP

  • Page 234: Manually Setting The Clock, Clearing The Denied Attackers List

    Clearing the Denied Attackers List Use the clear denied-attackers command in service event action rules submode to delete the denied attackers list and clear the virtual sensor statistics.

  • Page 235

    Number of Active Denied Attackers = 2 Number of Denied Attackers Inserted = 0 Number of Denied Attackers Total Hits = 0 Number of times max-denied-attackers limited creation of new entry = 0

  • Page 236: Displaying Statistics

    Number of Denied Attackers Total Hits = 0 Number of times max-denied-attackers limited creation of new entry = 0 Number of exec Clear commands during uptime = 0

  • Page 237

    TCP packets that arrived out of sequence order for their stream = 0 TCP packets that arrived out of state order for their stream = 0 The rate of TCP connections tracked per second since reset = 0

  • Page 238

    = 0 log-pair-packets = 0 log-victim-packets = 0 produce-alert = 11 produce-verbose-alert = 0 request-block-connection = 0 request-block-host = 5 request-snmp-trap = 0 reset-tcp-connection = 0

  • Page 239

    = 0 sensor# Step 5 Display the statistics for the denied attackers in the system: sensor# show statistics denied-attackers Denied Attackers and hit count for each. sensor#

  • Page 240

    Usage over last 5 seconds = 0 Usage over last minute = 1 Usage over last 5 minutes = 1 Memory Statistics Memory usage (bytes) = 500498432 Memory free (bytes) = 894976032

  • Page 241

    Type = Cisco IP = 10.89.150.158 NATAddr = 0.0.0.0 Communications = telnet BlockInterface InterfaceName = ethernet0/1 InterfaceDirection = out InterfacePostBlock = Post_Acl_Test BlockInterface InterfaceName = ethernet0/1 InterfaceDirection = in

  • Page 242

    ActualIp = BlockMinutes = Host IP = 21.21.12.12 Vlan = ActualIp = BlockMinutes = Host IP = 122.122.33.4 Vlan = ActualIp = BlockMinutes = 60 MinutesRemaining = 24

  • Page 243

    Step 16 To clear the statistics for an application, for example, logger: sensor# show statistics logger clear The number of Log interprocessor FIFO overruns = 0 The number of syslog messages received = 141

  • Page 244: Displaying Tech Support Information

    • HTML. The URL specifies where the information should be sent. If you do not use this keyword, the information is displayed on the screen.

  • Page 245: Displaying Version Information

    Step 1 Log in to the CLI. Step 2 View version information: sensor# show version The following examples show sample version output for the appliance and the NM-CIDS.

  • Page 246

    (Release) 2005-02-09T03:22:27-0600 Running AnalysisEngine 2005_Feb_09_03.00 (Release) 2005-02-09T03:22:27-0600 Running 2005_Feb_09_03.00 (Release) 2005-02-09T03:22:27-0600 Upgrade History: IDS-K9-maj-5.0-0.27-S91-0.27-.pkg 03:00:00 UTC Thu Feb 05 2004 Recovery Partition Version 1.1 - 5.0(0.27)S91(0.27) nm-cids#

  • Page 247: Directing Output To A Serial Connection

    If you are connected to the serial port, you will not get any feedback until Linux has fully booted and enabled support for the serial connection. The display-serial command does not apply to the following platforms: • IDSM-2 • NM-CIDS • IDS-4215

  • Page 248: Diagnosing Network Connectivity

    64 bytes from 10.89.146.110: icmp_seq=5 ttl=61 time=0.2 ms --- 10.89.146.110 ping statistics --- 6 packets transmitted, 6 packets received, 0% packet loss round-trip min/avg/max = 0.1/0.1/0.3 ms

  • Page 249: Resetting The Appliance

    If the node can not be powered off it will be left in a state that is safe to manually power down. Continue with reset? []: Step 5 Type yes to continue with the reset and powerdown: sensor# yes Request Succeeded. sensor#

  • Page 250: Displaying Command History, Displaying Hardware Inventory

    Log in to the CLI. Step 2 Display the PEP information: sensor# show inventory Name: "Chassis", DESCR: "IPS 4255 Intrusion Prevention Sensor" PID: IPS-4255-K9, VID: V01 , SN: JAB0815R017

  • Page 251: Tracing The Route Of An Ip Packet

    * 10.89.128.17 (10.89.128.17) 0.304 ms * 10.89.128.17 (10.89.128.17) 0.527 ms * 0.402 ms * 10.89.128.17 (10.89.128.17) 0.39 ms * 10.89.128.17 (10.89.128.17) 0.37 ms * 0.486 ms sensor#

  • Page 252: Displaying Submode Settings

    ----------------------------------------------- profile-name: r7200 ----------------------------------------------- enable-password: <hidden> password: <hidden> username: netrangr default: ----------------------------------------------- profile-name: insidePix ----------------------------------------------- enable-password: <hidden> password: <hidden> username: <defaulted> ----------------------------------------------- profile-name: qatest ----------------------------------------------- enable-password: <hidden>

  • Page 253

    (min: 0, max: 100, current: 1) ----------------------------------------------- vlan: 1 ----------------------------------------------- pre-vacl-name: <defaulted> post-vacl-name: <defaulted> ----------------------------------------------- ----------------------------------------------- ----------------------------------------------- ----------------------------------------------- router-devices (min: 0, max: 250, current: 1)

  • Page 254

    (min: 0, max: 250, current: 0) ----------------------------------------------- ----------------------------------------------- block-networks (min: 0, max: 250, current: 0) ----------------------------------------------- ----------------------------------------------- ----------------------------------------------- user-profiles (min: 0, max: 250, current: 11) -----------------------------------------------

  • Page 255

    10.89.147.61 profile-name: cat ip-address: 10.89.147.54 profile-name: r7200 ip-address: 10.89.147.10 profile-name: insidePix ip-address: 10.89.147.82 profile-name: test sensor(config-net)#

  • Page 256

    Chapter 13 Administrative Tasks for the Sensor Displaying Submode Settings

  • Page 257

    Chapter 6, “Configuring Event Action Rules,” Chapter 7, “Defining Signatures,” Chapter 10, “Configuring Blocking.” Perform miscellaneous tasks to keep your AIP-SSM running smoothly. For the procedures, see Chapter 13, “Administrative Tasks for the Sensor.”

  • Page 258: Chapter 14 Configuring Aip-ssm, Configuration Sequence

    AIP-SSM. You can configure AIP-SSM to inspect traffic in inline or promiscuous mode and in fail-open or fail-over mode.

  • Page 259

    • [global | interface interface_name]—Creates an IPS security policy by associating the policy map with one or more interfaces. – global—Applies the policy map to all interfaces.

  • Page 260

    Step 10 Exit and save the configuration: asa(config-pmap-c)# exit asa(config-pmap)# exit asa(config)# exit asa#

  • Page 261

    30 to 45 seconds after starting AIP-SSM recovery. Waiting any longer can lead to unexpected consequences, for example, AIP-SSM may come up in the Unresponsive state.

  • Page 262

    1 recover Module 1 recover parameters... Boot Recovery Image: No Image URL: tftp://1.1.1.1/IPS-SSM-K9-sys-1.1-a-5.0-0.15-S91-0.15.img Port IP Address: 1.1.1.23 Gateway IP Address: 1.1.1.2 VLAN ID:

  • Page 263: Configuration Sequence

    For the procedure to session to the IDSM-2, see Logging In to IDSM-2, page 2-4. Initialize IDSM-2. Run the setup command to initialize IDSM-2. For the procedure, see Initializing the Sensor, page 3-2.

  • Page 264: Verifying Idsm-2 Installation

    Mod Slot Ports Module-Type Model Sub Status --- ---- ----- ------------------------- ------------------- --- -------- 1000BaseX Supervisor WS-X6K-SUP1A-2GE yes ok Multilayer Switch Feature WS-F6K-MSFC 10/100BaseTX Ethernet WS-X6248-RJ-45 10/100/1000BaseT Ethernet WS-X6548-GE-TX

  • Page 265

    7 Policy Feature Card 3 WS-F6K-PFC3BXL SAD083305A1 7 MSFC3 Daughterboard WS-SUP720 SAD083206JX 11 IDS 2 accelerator board WS-SVC-IDSUPG 13 IDS 2 accelerator board WS-SVC-IDSUPG 0347331976 Mod Online Diag Status

  • Page 266: Catalyst Software

    Step 3 Put the command and control port into the correct VLAN: cat6k> (enable) set vlan command_and_control_vlan_number idsm2_slot_number/command_and_control_port_number Example: cat6k> (enable) set vlan 147 6/2 VLAN 147 modified. VLAN 146 modified. VLAN Mod/Ports

  • Page 267

    If you are unable to comply with U.S. and local laws, return this product immediately. A summary of U.S. laws governing Cisco cryptographic products may be found at: http://www.cisco.com/wwl/export/crypto/tool/stqrg.html If you require further assistance please contact us by sending email to export@cisco.com.

  • Page 268: Cisco Ios Software


  • Page 269

    Using the TCP Reset Interface The IDSM-2 has a TCP reset interface—port 1. The IDSM-2 has a specific TCP reset interface because it cannot send TCP resets on its sensing ports. ...

  • Page 270: Configuring Span, Catalyst Software

    • tx—Transmitting traffic. To enable SPAN on IDSM-2, follow these steps: Step 1 Log in to the console. Step 2 Enter privileged mode: cat6k> enable ...

  • Page 271

    This command will disable your span session. Do you want to continue (y/n) [n]? y Disabled Port 13/7 to monitor receive traffic of VLAN 650 cat6k> (enable) ...

  • Page 272

    (config)# monitor session (session_number) source interface interface/port_number [, | - | rx | tx | both] Example: router (config)# monitor session 1 source interface GigabitEthernet2/23 both ...

  • Page 273: Configuring Vacls

    You can set VACLs to capture traffic for IPS from a single VLAN or from multiple VLANs or from FlexWAN2 ports on the 7600 router when using Cisco IOS software. This section describes how to configure VACLs, and contains the following topics: • Catalyst Software, page 15-12 ...

  • Page 274

    (enable) set security acl ip CAPTUREALL permit ip any any capture CAPTUREALL editbuffer modified. Use 'commit' command to apply changes. Step 4 Commit the VACL: console> (enable) commit security acl CAPTUREALL ACL commit in progress. ...

  • Page 275

    Step 2 Enter global configuration mode: router# configure terminal Step 3 Define the ACL: router (config)# ip access-list [standard | extended] acl_name Example: router(config)# ip access-list standard CAPTUREALL ...

  • Page 276: Configuring The Mls Ip Ids Command

    This section describes how to use the mls ip ids command to capture IPS traffic, and contains the following topics: • Catalyst Software, page 15-15 • Cisco IOS Software, page 15-15 ...

  • Page 277

    Configuring the Catalyst Series 6500 Switch for IDSM-2 in Promiscuous Mode Catalyst Software When you are running the Cisco IOS Firewall on the MSFC, you cannot use VACLs to capture traffic for IDSM-2, because you cannot apply VACLs to a VLAN in which you have applied an IP inspect rule for the Cisco IOS Firewall.

  • Page 278

    For the procedure for configuring IDSM-2 to run in promiscuous or inline mode, see Chapter 5, “Configuring Interfaces.” This section contains the following topics: • Catalyst Software, page 15-17 • Cisco IOS Software, page 15-18 ...

  • Page 279

    (enable)> clear trunk 9/8 1-651,653-4094 Step 5 Enable BPDU spantree filtering on the IDSM-2 monitoring ports: cat6k (enable)> set spantree bpdu-filter 6/7-8 enable Note For IPS 5.0(2), omit this step. ...

  • Page 280

    Configuring IDSM-2 Configuring the Catalyst Series 6500 Switch for IDSM-2 in Inline Mode Cisco IOS Software Note Cisco IOS software 12.2(18)SXE with Supervisor Engine 720 supports only one IDSM-2 inline between two VLANs. Configure the IDSM-2 monitoring ports as access ports for inline operation.

  • Page 281

    ---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------ enet 100661 1500 Remote SPAN VLAN ---------------- Disabled Primary Secondary Type Ports ------- --------- ----------------- ------------------------------------------ router# ...

  • Page 282: Configuring Etherchanneling, Overview, Enabling Etherchanneling

    Port 1 is a TCP/IP reset port. Port 2 is the command and control port. Ports 7 and 8 are the sensing ports for Catalyst software and data ports 1 and 2 for Cisco IOS software. The other ports are not used.

  • Page 283

    Chapter 15 Configuring IDSM-2 Configuring EtherChanneling For more information on EtherChanneling, refer to Catalyst 6500 Series Cisco IOS Software Configuration Guide, 12.2SX. To configure EtherChannel load balancing on IDSM-2, follow these steps: Step 1 Configure each IDSM-2 for promiscuous operation. For the procedure, see Chapter 5, “Configuring Interfaces.”...

  • Page 284: Disabling Etherchanneling

    Step 2 Enter global configuration mode: router# configure terminal Step 3 To remove a single IDSM-2 from the EtherChannel: router(config)# no intrusion-detection module module_number data-port data_port_number channel-group channel_number ...

  • Page 285: Verifying Etherchanneling

    Number of aggregators: Group Port-channel Protocol Ports ------+-------------+-----------+---------------------------- router# Step 4 To see the EtherChannel load balance setting: router# show etherchannel load-balance EtherChannel Load-Balancing Configuration: src-dst-ip mpls label-ip ...

  • Page 286: Administrative Tasks For Idsm-2, Enabling Full Memory Tests, Catalyst Software

    When IDSM-2 initially boots, by default it runs a partial memory test. You can enable a full memory test in Catalyst software and Cisco IOS software. This section describes how to enable full memory tests, and contains the following topics: •...

  • Page 287

    Proceed with reload of module?[confirm] % reset issued for module 9 router# Step 3 Reset IDSM-2. For the procedure, see Resetting IDSM-2, page 15-26. The full memory test runs. ...

  • Page 288: Resetting Idsm-2, Catalyst Software

    IDSM-2 more than once. If IDSM-2 fails to respond after three reset attempts, boot the maintenance partition, and perform the instructions for restoring the application partition. For the procedure, see Installing the IDSM-2 System Image, page 17-25. ...

  • Page 289: Catalyst And Cisco Ios Software Commands, Cisco Ios Software, Catalyst Software

    Catalyst and Cisco IOS Software Commands This section lists the Catalyst and Cisco IOS software commands that pertain to IDSM-2. Note For more detailed information on Catalyst and Cisco IOS software commands, refer to the command references found on Cisco.com. For instructions on how to locate these documents, refer to the Documentation Roadmap for Cisco Intrusion Prevention System that shipped with your IDSM-2.

  • Page 290: Supported Supervisor Engine Commands

    Displays the errors reported from the diagnostic tests for both the SPAN port (port 1) and the management port (port 2) and the BIOS and CMOS boot results. ...

  • Page 291: Unsupported Supervisor Engine Commands, Cisco Ios Software

    • set vtp Cisco IOS Software This section lists the Cisco IOS software commands that IDSM-2 supports. These commands are grouped according to mode. This section contains the following topics: • EXEC Commands, page 15-30 • Configuration Commands, page 15-31 ...

  • Page 292: Exec Commands

    Displays the configuration that is currently running. • show startup-config Displays the saved configuration. • show vlan access-map Displays all current VLAN access maps. ...

  • Page 293: Configuration Commands

    Maps the VACL maps to VLANs. • Interface configuration mode – switchport Sets the interface as a switch port. – switchport access vlan vlan Sets the access VLAN for the interface. ...

  • Page 294

    VACL configuration submode – action forward capture Designates that matched packets should be captured. – match ip address [1-199 | 1300-2699 | acl_name] Specifies filtering in the VACL. ...

  • Page 295

    For the procedure, see Configuring Packet Capture, page 16-5. Create the service account. A service account is needed for password recovery and other special debug situations directed by TAC. ...

  • Page 296: Configuring Ids-sensor Interfaces On The Router

    NM-CIDS, in which you can issue any IPS configuration commands. After completing work in the session and exiting the IPS CLI, you are returned to Cisco IOS CLI. The session command starts a reverse Telnet connection using the IP address of the ids-sensor interface.

  • Page 297: Establishing Nm-cids Sessions

    Chapter 16 Configuring NM-CIDS Establishing NM-CIDS Sessions Note Cisco IOS gives NM-CIDS the name “IDS-Sensor.” In this example, 1 is the slot number and 0 is the port number, because there is only one port. Step 2 Enable the CEF switching path:...

  • Page 298: Sessioning To Nm-cids

    Note When you are finished with a session, you need to return to the router to establish the association between a session (the IPS application) and the router interfaces you want to monitor. ...

  • Page 299: Telneting To Nm-cids, Configuring Packet Capture

    Note You can choose more than one interface or subinterface to monitor, but you can only edit one interface at a time. Step 4 Enter global configuration mode: router# configure terminal Step 5 Specify the interface or subinterface: router(config)# interface FastEthernet0/0 ...

  • Page 300

    Total Transmit Errors = 0 Total Transmit FIFO Overruns = 0 Repeat Step c to see the counters gradually increasing. This indicates that NM-CIDS is receiving network traffic. ...

  • Page 301

    FastEthernet0/0 was added to the virtual sensor when you initialized the NM-CIDS with the setup command. Administrative Tasks for NM-CIDS The following section describes how to reboot NM-CIDS and how to check the status of the Cisco IPS software. It contains the following topics: •...

  • Page 302: Supported Cisco Ios Commands

    Shuts down the IPS applications running on NM-CIDS. Caution Removing the NM-CIDS without proper shutdown can result in the hard-disk drive being corrupted. After successful shutdown of the NM-CIDS applications, Cisco IOS prints a message indicating that you can now remove NM-CIDS. service-module ids-sensor slot_number/0 status –...

  • Page 303

    When you install a new system image on your sensor, all accounts are removed and the default cisco account is reset to use the default password “cisco.” After installing the system image, you must initialize the sensor again.

  • Page 304: Upgrading The Sensor, Overview, Upgrade Command And Options

    Adding Hosts to the Known Hosts List, page 4-31. • ip-address—IP address of the file server. • password—User password for authentication on the file server. ...

  • Page 305: Using The Upgrade Command

    Obtaining Cisco IPS Software, page 18-1. Note You must log in to Cisco.com using an account with cryptographic privileges to download the file. Do not change the file name. You must preserve the original file name for the sensor to accept the update.

  • Page 306: Upgrading The Recovery Partition

    Caution Some browsers add an extension to the filename. The filename of the saved file must match what is displayed on the download page or you cannot use it to upgrade the recovery partition. ...

  • Page 307: Configuring Automatic Upgrades, Overview, Unix-style Directory Listings

    You can configure the sensor to look for new upgrade files in your upgrade directory automatically. You must download the software upgrade from Cisco.com and copy it to the upgrade directory before the sensor can poll for automatic upgrades. For the procedure for locating software on Cisco.com, see Obtaining Cisco IPS Software, page 18-1.

  • Page 308: Auto-upgrade Command And Options

    Valid values are 0 to 8760. • start-time—The time of day to start the first automatic upgrade. The valid value is hh:mm[:ss]. • user-name—Username for authentication on the file server. ...

  • Page 309: Using The Auto-upgrade Command

    SSH. For the procedure, see Adding Hosts to the Known Hosts List, page 4-31. Step 9 Verify the settings: sensor(config-hos-ena)# show settings enabled ----------------------------------------------- schedule-option ----------------------------------------------- periodic-schedule ----------------------------------------------- ...

  • Page 310: Downgrading The Sensor

    Step 4 If there is no recently applied service pack or signature update, the downgrade command is not available: sensor(config)# downgrade No downgrade available. sensor(config)# Step 5 ...

  • Page 311: Recovering The Application Partition, Overview, Using The Recover Command

    Note Make sure you can access the TFTP server location from the network connected to your sensor’s Ethernet port. Step 2 Log in to the CLI using an account with administrator privileges. Step 3 Enter configuration mode: sensor# configure terminal ...

  • Page 312: Installing System Images

    If you executed the recover application-partition command remotely, you can SSH to the sensor with the default username and password (cisco/cisco) and then initialize the sensor again with the setup command. You cannot use Telnet until you initialize the sensor because Telnet is disabled by default.

  • Page 313: Installing The Ids-4215 System Image, Overview

    CISCO SYSTEMS IDS-4215 Embedded BIOS Version 5.1.7 02/23/04 15:50:39.31 Compiled by dnshep Evaluating Run Options ... Cisco ROMMON (1.4) #3: Mon Feb 23 15:52:45 MST 2004 Platform IDS-4215 ...

  • Page 314

    Step 9 Verify that you have access to the TFTP server by pinging it from the local Ethernet port: rommon> ping server_ip_address rommon> ping server ...

  • Page 315: Upgrading The Ids-4215 Bios And Rommon

    Embedded BIOS Version 5.1.3 05/12/03 10:18:14.84 Compiled by ciscouser Evaluating Run Options ... Cisco ROMMON (1.2) #0: Mon May 12 10:21:46 MDT 2003 Platform IDS-4215 0: i8255X @ PCI(bus:0 dev:13 irq:11) ...

  • Page 316

    Caution Do not remove power to IDS-4215 during the update process, otherwise the upgrade can get corrupted. If this occurs, IDS-4215 will be unusable and require an RMA. ...

  • Page 317

    1209 Ethernet 8086 1209 Ethernet Evaluating BIOS Options ... Launch BIOS Extension to setup ROMMON Cisco Systems ROMMON Version (1.0(5)0) #1: Tue Sep 14 12:20:30 PDT 2004 ...

  • Page 318

    Step 5 If necessary, change the interface used for the TFTP download: Note The default interface used for TFTP downloads is Management0/0, which corresponds to the MGMT interface of IPS-4240. rommon> PORT=interface_name ...

  • Page 319

    Step 12 Download and install the system image: rommon> tftp Caution To avoid corrupting the system image, do not remove power from IPS-4240 while the system image is being installed. ...

  • Page 320

    Step 2 Insert the recovery/upgrade CD into the CD-ROM drive. Step 3 Power off the appliance and then power it back on. The boot menu appears, which lists important notices and boot options. ...

  • Page 321: Installing The Nm-cids System Image, Overview

    The 5.0 upgrade also updates the bootloader with the new bootloader file (servicesengine-boot-1.0-17-1_dev.bin), then reimages the hard-disk drive with the new image. We recommend that you use the upgrade command. ...

  • Page 322

    NM-CIDS’ Ethernet port. Step 2 Log in to the router. Step 3 Enter enable mode: router# enable router(enable)# Step 4 Session to NM-CIDS: router(enable)# service-module IDS-Sensor slot_number/0 session ...

  • Page 323

    Specify the default boot device—The default boot device is always set to disk. Specify the default bootloader—The default bootloader is always set to primary. If you made any changes, the bootloader stores them permanently. The bootloader command prompt appears. ...

  • Page 324: Upgrading The Bootloader

    Step 1 Download the bootloader file (servicesengine-boot-1.0-17-1_dev.bin) and the helper file (NM-CIDS-K9-helper-1.0-1.bin) to the TFTP root directory of a TFTP server that is accessible from your NM-CIDS. For the procedure for locating software on Cisco.com, see Obtaining Cisco IPS Software, page 18-1.

  • Page 325

    The bootloader displays a spinning line while loading the helper image from the TFTP server. When the helper is loaded, it is booted. The NM-CIDS helper displays its main menu when it launches. ...

  • Page 326

    Continue with Step 18. Selection [1234rh]: Step 18 Type r to reboot NM-CIDS: Selection [1234rh]: r About to exit and reset Services Engine. Are you sure? [y/N] ...

  • Page 327: Installing The Idsm-2 System Image, Installing The System Image

    This section describes how to install the IDSM-2 system image, and contains the following topics: • Catalyst Software, page 17-25 • Cisco IOS Software, page 17-26 Catalyst Software To install the system image, follow these steps: ...

  • Page 328

    Obtaining Cisco IPS Software, page 18-1. Step 2 Log in to the switch CLI. Step 3 Boot IDSM-2 to the maintenance partition: router# hw-module module module_number reset cf:1 ...

  • Page 329: Configuring The Maintenance Partition

    This section describes how to configure the maintenance partition on IDSM-2, and contains the following topics: • Catalyst Software, page 17-28 • Cisco IOS Software, page 17-31 ...

  • Page 330

    Clear the IDSM-2 maintenance partition host configuration (ip address, gateway, hostname): guest@idsm2.localdomain# clear ip guest@localhost.localdomain# show ip IP address : 0.0.0.0 Subnet Mask : 0.0.0.0 IP Broadcast : 0.0.0.0 DNS Name : localhost.localdomain ...

  • Page 331

    Daughter Card Info: Falcon rev 3, FW ver 2.0.3.0 (IDS), SRAM 8 MB, SDRAM 256 MB guest@idsm2.localdomain# Step 11 Upgrade the application partition: guest@idsm2.localdomain# upgrade ftp://jsmith@10.89.146.11//RELEASES/Latest/5.0-1/WS-SVC-IDSM2-K9-sys-1.1-a-5.0-1.bin.gz Downloading the image. This may take several minutes... Password for jsmith@10.89.146.114: ...

  • Page 332

    Fri Mar 11 21:22:28 2005 : Partition '/dev/hdc1' unmounted. Fri Mar 11 21:22:28 2005 : Directory changed to '/tmp'. Application image upgrade complete. You can boot the image now. Partition upgraded successfully ...

  • Page 333

    The default escape character is Ctrl-^, then x. You can also type 'exit' at the remote prompt to end the session Trying 127.0.0.111 ... Open Cisco Maintenance image ...

  • Page 334

    Step 6 Configure the maintenance partition host configuration: Specify the IP address: guest@localhost.localdomain# ip address ip_address netmask Specify the default gateway: guest@localhost.localdomain# ip gateway gateway_ip_address Specify the hostname: guest@localhost.localdomain# ip host hostname ...

  • Page 335

    Step 11 Proceeding with upgrade. Please do not interrupt. If the upgrade is interrupted or fails, boot into maintenance image again and restart upgrade. ...

  • Page 336

    PING 10.89.146.114 (10.89.146.114) from 10.89.149.74 : 56(84) bytes of data. 64 bytes from 10.89.146.114: icmp_seq=0 ttl=254 time=381 usec 64 bytes from 10.89.146.114: icmp_seq=1 ttl=254 time=133 usec 64 bytes from 10.89.146.114: icmp_seq=2 ttl=254 time=129 usec ...

  • Page 337: Upgrading The Maintenance Partition

    To upgrade the maintenance partition, follow these steps: Step 1 Download the IDSM-2 maintenance partition file (c6svc-mp.2-1-1.bin.gz) to the FTP root directory of an FTP server that is accessible from your IDSM-2. For the procedure for locating software on Cisco.com, see Obtaining Cisco IPS Software, page 18-1.

  • Page 338: Installing The Aip-ssm System Image


  • Page 339

    1 Up asa# Note To debug any errors that may happen in the recovery process, use the debug module-boot command to enable debugging of the system reimaging process. ...

  • Page 340

    Upgrading, Downgrading, and Installing System Images Installing System Images Step 10 Session to AIP-SSM and initialize AIP-SSM with the setup command. For the procedure, see Initializing the Sensor, page 3-2. ...

  • Page 341

    IPS software from the Download Software site. You can sign up for IPS Alert Bulletins to receive information on the latest software releases. Note You must be logged in to Cisco.com to download software. You must have an active IPS maintenance contract and a Cisco.com password to download software.

  • Page 342: Ips Software Image Naming Conventions

    Step 10 Click Agree to accept the software download rules. The first time you download a file from Cisco.com, you must fill in the Encryption Software Export Distribution Authorization form before you can download the software. Fill out the form and click Submit.

  • Page 343

    To install the most recent signature update, you must have the most recent minor version. Service packs are dependent on the most recent minor version, which is dependent on the most recent major version. ...

  • Page 344: X Software Release Examples

    If there are defect fixes for the installer, for example, the underlying application version may still be 5.0(1), but the recovery partition image will be r 1.2. ...

  • Page 345

    (WS-X6381) with IDSM-2 (WS-SVC-IDSM2-K9), which supports version 5.0. The minimum required version for upgrading to 5.0 is 4.1(1). The upgrade from Cisco 4.1 to 5.0 is available as a download from Cisco.com. For the procedure for accessing Downloads on Cisco.com, see Obtaining Cisco IPS Software, page 18-1.

  • Page 346: Obtaining A License Key From Cisco.com, Overview

    Obtaining a License Key From Cisco.com This section describes how to obtain a license key from Cisco.com and how to install it using the CLI or IDM. This section contains the following topics: • Overview, page 18-6 ...

  • Page 347: Service Programs For Ips Products

    Service Programs for IPS Products You must have a Cisco Services for IPS service contract for any IPS product so that you can download a license key and obtain the latest IPS signature updates. If you have a direct relationship with Cisco Systems, contact your account manager or service account manager to purchase the Cisco Services for IPS service contract.

  • Page 348: Installing The License Key, Using Idm

    ASA-SSM-AIP-10-K9, you must now purchase the Cisco Services for IPS service contract. After you have the Cisco Services for IPS service contract, you must also have your product serial number to apply for the license key. For the procedure, see Installing the License Key, page 18-8.

  • Page 349: Using The Cli

    URL for the web server. The syntax for this prefix is: http:[[/[username@]location]/directory]/filename • https:—Source URL for the web server. The syntax for this prefix is: https:[[/[username@]location]/directory]/filename ...

  • Page 350

    Note the device with that number. Your Cisco IPS Signature Subscription Service license key will be sent by e-mail to the e-mail address you specified. Save the license key to a system that has a web server, FTP server, or SCP server.

  • Page 351: Cisco Security Center, Cisco Ips Active Update Bulletins

    You should be aware of the most recent security threats so that you can most effectively secure and manage your network. The Cisco Security Center contains the top ten intelligence reports listed by date, severity, urgency, and whether there is a new signature available to deal with the threat.

  • Page 352: Accessing Ips Documentation

    Enter the name of your company in the Company field. Choose your country from the drop-down menu. Enter your e-mail address in the E-mail field. Step 8 Check the check box if you want to receive further information about Cisco products and offerings by e-mail.

  • Page 353

    • Install and Upgrade—Contains hardware installation and regulatory guides. • Configure—Contains configuration guides for IPS CLI, IDM, and IME. • Troubleshoot and Alerts—Contains TAC tech notes and field notices. ...

  • Page 354

    Chapter 18 Obtaining Software Accessing IPS Documentation ...

  • Page 355

    • Summary of IPS 5.0 Applications, page A-37 System Overview You can install Cisco IPS software on two platforms: the appliances and the modules (refer to “Supported Sensors,” in Installing Cisco Intrusion Prevention System Appliances and Modules 5.0 for a list of current appliances and modules).

  • Page 356

    – Web Server (HTTP RDEP2 server)—Provides a web interface and communication with other IPS devices through RDEP2 using several servlets to provide IPS services. ...

  • Page 357

    – The IPS signature update process is now similar to antivirus DAT file updates. • RDEP2 RDEP has been revised to RDEPv2, which supports an event standard called SDEE. ...

  • Page 358

    The system has reasonable default values to minimize the number of modifications you must make. You can configure IPS 5.0 through the CLI, IDM, IDS MC, ASDM or through another application using RDEP2 and IDCONF. ...

  • Page 359

    • By default Web Server uses TLS or SSL. You can choose to disable TLS and SSL. • Unnecessary services are disabled. • Only the SNMP set required by the Cisco MIB Police is allowed within the CISCO-CIDS-MIB. • OIDs implemented by the public domain SNMP agent will be writeable when specified by the MIB. MainApp MainApp now includes all IPS components except SensorApp and the CLI.

  • Page 360

    • New “health” control transaction A new health and welfare type of control transaction is defined in the IDCONF specification. This control transaction reports the status and welfare of the system. ...

  • Page 361

    IPS event consumer. Sufficient buffering depends on your requirements and the capabilities of the nodes in use. The oldest events in the circular buffer are replaced by the newest events. ...

  • Page 362

    IPS applications generate IPS events to report the occurrence of some stimulus. The events are the data, such as the alerts generated by SensorApp or errors generated by any application. Events are stored in a local database known as the Event Store. ...

  • Page 363

    • Event ID
    • Event severity
    • Time (UTC and local time)
    • Signature name
    • Signature ID
    • Subsignature ID
    • Version
    • Summary
    • Interface group

  • Page 364

    • IP nodes keyed on both IP address
    • Sensor memory critical stage
    • Interface status
    • Command and control packet statistics
    • Fail-over state
    • System uptime
    • CPU usage

  • Page 365

    RDEP control transaction message. The transactionHandlerLoop uses the HttpClient classes to issue the RDEP control transaction request to the HTTP server on the remote node. The remote HTTP

  • Page 366

    Control Transaction Server, which passes it to the Network Access Controller. Network Access Controller on the master blocking sensor then interacts with the devices it is managing to enable the block.

  • Page 367

    Only the protocol specified in the Network Access Controller configuration for that device is attempted. If the connection fails for any reason, Network Access Controller attempts to reestablish

  • Page 368

    You can specify the interface and direction where blocking is performed in the Network Access Controller configuration for routers. You can specify the interface where blocking is performed in the VACL configuration.
    Note: Cisco firewalls do not block based on interface or direction, so this configuration is never specified for them.

  • Page 369

    Note: You must have the RSM because blocking is performed on the RSM.
    • Catalyst 6000 series switches with PFC installed running Catalyst software 5.3 or later

  • Page 370

    • Catalyst 6000 MSFC2 with Catalyst software 5.4(3) or later and Cisco IOS 12.1(2)E or later on the MSFC2
    • Cisco ASA 5500 series models: ASA 5510, ASA 5520, and ASA 5540
    • FWSM
    The FWSM cannot block in multi-mode admin context.

  • Page 371

    If the time for the new block is less than or equal to the remaining minutes, no action is taken. Otherwise, the new block timeout replaces the existing block timeout.

  • Page 372

    Caution: Cisco firewalls do not support connection blocking of hosts. When a connection block is applied, the firewall treats it like an unconditional block. Cisco firewalls also do not support network blocking. Network Access Controller never tries to apply a network block to a Cisco firewall.
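The timeout rule on the previous page and the firewall caveats above, modelled as an added Python example (not Cisco code). The BlockTable class, the device-type labels and the method names are this example's own assumptions; the rules are the ones the appendix states.

```python
"""Model of the Network Access Controller block rules described above.

Added example, not Cisco code: the BlockTable class, the device-type
labels and the method names are assumptions made for illustration. The
rules themselves (compare the new timeout with the remaining minutes,
firewalls turn connection blocks into unconditional host blocks and
never receive network blocks) are the ones stated in the appendix.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

HOST, CONNECTION, NETWORK = "host", "connection", "network"
ROUTER, SWITCH_VACL, FIREWALL = "router", "switch-vacl", "firewall"


@dataclass
class Block:
    kind: str          # HOST, CONNECTION or NETWORK
    target: str        # address, "address:port", or network prefix
    expires_at: float  # clock value (minutes) at which the block lapses


class BlockTable:
    """Active blocks that one managed device is holding for the sensor."""

    def __init__(self, device_type: str, now: float = 0.0) -> None:
        self.device_type = device_type
        self.now = now
        self.blocks: Dict[Tuple[str, str], Block] = {}

    def tick(self, minutes: float) -> None:
        """Advance the clock and drop blocks whose timeout has run out."""
        self.now += minutes
        expired = [k for k, b in self.blocks.items() if b.expires_at <= self.now]
        for key in expired:
            del self.blocks[key]

    def request_block(self, kind: str, target: str, minutes: float) -> str:
        """Apply a block request and return what was done."""
        if self.device_type == FIREWALL:
            if kind == NETWORK:
                # Network Access Controller never tries a network block on a firewall.
                return "skipped: firewalls do not support network blocks"
            if kind == CONNECTION:
                # A firewall treats a connection block as an unconditional host block.
                kind, target = HOST, target.split(":")[0]
        key = (kind, target)
        existing = self.blocks.get(key)
        if existing is not None:
            remaining = existing.expires_at - self.now
            if minutes <= remaining:
                # New timeout is not longer than what is left: no action taken.
                return f"unchanged: {remaining:g} min remaining, {minutes:g} requested"
            existing.expires_at = self.now + minutes
            return f"extended: new timeout of {minutes:g} min replaces the old one"
        self.blocks[key] = Block(kind, target, self.now + minutes)
        return f"added: {kind} block on {target} for {minutes:g} min"

    def remaining(self, kind: str, target: str) -> Optional[float]:
        """Minutes left on a block, or None if no such block is active."""
        block = self.blocks.get((kind, target))
        return None if block is None else block.expires_at - self.now
```

One table stands in for each managed device. The firewall case shows why a connection block issued against a firewall must be reviewed as a host block: every connection from that address is dropped, not just the one the signature matched.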

  • Page 373

    The main.log is included in the show tech-support command output. If the message is logged at warning level or above (error or fatal), LogApp converts the message to an evError event (with the corresponding error severity) and inserts it in Event Store.

  • Page 374

    CLI or an IPS manager, such as IDM or ASDM, by logging in to the sensor using the default administrative account (cisco). In the CLI, the Administrator is prompted to change the password. IPS managers initiate a setEnableAuthenticationTokenStatus control transaction to change the account’s password.

  • Page 375

    If the fingerprints match, the trust relationship is established and henceforth the client can automatically connect with that server and be confident that the remote server is not an imposter.

  • Page 376

    SSL.
    SensorApp
    This section describes SensorApp, and contains the following topics:
    • Responsibilities and Components, page A-23
    • Packet Flow, page A-24

  • Page 377

    The layer 2 processor updates statistics about packets that have been denied because of the policy you have configured.
    • Database Processor (DBP): This processor maintains the signature state and flow databases.

  • Page 378

    Execution Thread 1: TP --> L2P --> DFP --> FRP --> SP --> DBP --> SAP --> SDP --> |
    Execution Thread 2: DBP --> SRP --> EAP

  • Page 379

    It starts with the signature event with configured action received in the alarm channel and flows top to bottom as the signature event passes through the functional components of the SEAP.

  • Page 380

    There is no IP stack associated with any interface used for inline (or promiscuous) data processing. The current support for 802.1q packets in promiscuous mode is extended to inline mode.
    • Enhanced configuration

  • Page 381

    Driver support for concurrent SensorApp and TCPdump capture
    • The drivers for the data interfaces support concurrent use of the interfaces by SensorApp and TCPdump or other libpcap based reader

  • Page 382

    Monitoring applications only require viewer access to the sensor. You can use the CLI to set up a user account with viewer privileges and then configure the event viewer to use this account to connect to the sensor.

  • Page 383

    The service account is not intended to be used for configuration purposes. Only modifications made to the sensor through the service account under the direction of TAC are supported. Cisco Systems does not support the addition and/or running of an additional service to the operating system through the service account, because it affects proper performance and proper functioning of the other IPS services.

  • Page 384

    To recall the commands entered in a mode, use the Up Arrow or Down Arrow keys or press Ctrl-P or Ctrl-N.
    Note: Help and tab complete requests are not reported in the recall list.
    • A blank prompt indicates the end of the recall list.

  • Page 385

    SensorApp generates a block event, which is also stored in the Event Store. Figure A-5 illustrates the IDAPI interface.
    [Figure A-5 IDAPI: SensorApp passes alerts and block requests through IDAPI to the Event Store.]

  • Page 386

    Web Server, which passes it to the Event Server. The Event Server queries the Event Store through IDAPI and then returns the result.

  • Page 387

    Sending Commands Through RDEP2
    [Figure: an RDEP2 client (IDS-MC or a third-party event management application) sends a control transaction (CT) request to the sensor in an HTTP POST. Web Server hands the CT request through IDAPI to the CT Server and the target application; the CT response travels back the same way and is returned in the HTTP response.]

  • Page 388

    <component name="userAccount">
      <config typedefsVersion="2004-03-01" xmlns="http://www.cisco.com/cids/idconf">
        <struct>
          <map name="user-accounts" editOp="merge">
            <mapEntry>
              <key>
                <var name="name">cisco</var>
              </key>
              <struct>
                <struct name="credentials">
                  <var name="role">administrator</var>
                </struct>
              </struct>
            </mapEntry>
          </map>
        </struct>
      </config>
    </component>
    </editDefaultConfig>
    </request>

  • Page 389

    CIDEE CIDEE specifies the extensions to SDEE that are used by the Cisco IPS. The CIDEE standard specifies all possible extensions that are supported by IPS. Specific systems may implement a subset of CIDEE extensions.

  • Page 390

    • /usr/cids/idsRoot/bin/falcondump—Contains the application for getting packet dumps on the sensing ports of the IDS-4250-XL and IDSM-2.
    • /usr/cids/idsRoot/etc—Stores sensor configuration files.
    • /usr/cids/idsRoot/htdocs—Contains the IDM files for the web server.

  • Page 391

    Control Transaction Source Waits for control transactions directed to remote applications, forwards the control transactions to the remote node using RDEP2, and returns the response to the initiator.

  • Page 392

    Waits for remote HTTP client requests and calls the appropriate servlet application.
    1. This is a web server servlet.
    2. This is a web server servlet.
    3. This is a remote control transaction proxy.

  • Page 393

    About Signature Engines A signature engine is a component of the Cisco IPS that is designed to support many signatures in a certain category. An engine is composed of a parser and an inspector. Each engine has a set of parameters that have allowable ranges or sets of values.

  • Page 394

    The WEBPORTS variable defines the inspection ports for HTTP traffic.
    – IDENT—Inspects IDENT (client and server) traffic.
    – MSRPC—Inspects MSRPC traffic.
    – MSSQL—Inspects Microsoft SQL traffic.
    – NTP—Inspects NTP traffic.

  • Page 395

    Signatures that are not service, OS, or application-specific have 0 for the promiscuous delta. If the signature is specific to an OS, service, or application, it has a promiscuous delta of 5, 10, or 15, calculated from 5 points for each category.

  • Page 396

    For example, you can configure the signature to Fire All, but after a certain threshold is reached, it starts summarizing. Table B-2 on page B-5 lists the alert frequency parameters.

  • Page 397

    Event Action Rules. You can clear all denied attacker entries with the clear denied-attackers command, which permits the addresses back on the network.
    • deny-connection-inline—Does not transmit this packet and future packets on the TCP flow (inline only).

  • Page 398

    – Response message validation
    – MIME type enforcement
    – Transfer encoding type validation
    – Content control based on message content and type of data being transferred
    – URI length enforcement

  • Page 399

    Specifies the action to take when noncompliant HTTP traffic is seen. The alarm-on-non-http-traffic [true | false] command enables the signature.
    max-outstanding-requests-overrun    Maximum allowed HTTP requests per connection (1 to 16).

  • Page 400

    The ATOMIC.ARP engine defines basic Layer-2 ARP signatures and provides more advanced detection of the ARP spoof tools dsniff and ettercap. Table B-5 on page B-9 lists the parameters that are specific to the ATOMIC.ARP engine.
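Added Python example, not Cisco code and not the ATOMIC.ARP parameter set from Table B-5: an ARP inspector with three checks that catch what dsniff's arpspoof and ettercap do on the wire (an ARP sender MAC that differs from the Ethernet source, replies nobody requested, and an IP-to-MAC binding that changes). Frames are constructed inline and the alert names are this example's own.

```python
"""Layer-2 ARP inspection in the spirit of the ATOMIC.ARP engine.

Added example, not Cisco code: the engine's own parameters (Table B-5)
are not reproduced. The three checks are this example's own and target
the footprint of dsniff's arpspoof and ettercap: a sender MAC in the ARP
body that differs from the Ethernet source, a reply nobody asked for,
and an IP address whose MAC binding changes. Frames are constructed
inline for the demonstration.
"""
import struct
from typing import Dict, List, Optional, Set, Tuple

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def ip_bytes(text: str) -> bytes:
    return bytes(int(octet) for octet in text.split("."))


def build_arp(eth_src: str, eth_dst: str, op: int,
              sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Ethernet II frame carrying an IPv4-over-Ethernet ARP packet (constructed)."""
    ether = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)
    return ether + arp


def parse_arp(frame: bytes) -> Optional[dict]:
    """Decode the fields the inspector needs; None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42:
        return None
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])

    def dotted(raw: bytes) -> str:
        return ".".join(str(b) for b in raw)

    return {"eth_src": eth_src, "op": op, "sha": sha, "spa": dotted(spa),
            "tha": tha, "tpa": dotted(tpa)}


class ArpInspector:
    def __init__(self) -> None:
        self.bindings: Dict[str, bytes] = {}          # IP -> MAC learned from replies
        self.pending: Set[Tuple[str, str]] = set()   # (requester IP, target IP)

    def inspect(self, frame: bytes) -> List[str]:
        """Return the alert names raised by one frame (empty list if clean)."""
        alerts: List[str] = []
        p = parse_arp(frame)
        if p is None:
            return alerts
        if p["eth_src"] != p["sha"]:
            # spoofing tools often forge the ARP body but not the frame header
            alerts.append("arp-source-mac-mismatch")
        if p["op"] == ARP_REQUEST:
            self.pending.add((p["spa"], p["tpa"]))
        elif p["op"] == ARP_REPLY:
            asked = (p["tpa"], p["spa"])
            if asked in self.pending:
                self.pending.discard(asked)
            else:
                alerts.append("unsolicited-arp-reply")   # gratuitous reply, arpspoof style
            known = self.bindings.get(p["spa"])
            if known is None:
                self.bindings[p["spa"]] = p["sha"]       # first binding wins
            elif known != p["sha"]:
                alerts.append("arp-ip-mac-binding-changed")
        return alerts
```

The "first binding wins" policy is what makes the third check useful: once a legitimate reply has been seen for an address, a later reply that rebinds it to another MAC is flagged even if the attacker also forges the frame header correctly.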

  • Page 401

    Specifies IP datagram total length.
    specify-ip-option-inspection    Specifies IP options inspection.
    specify-l4-protocol    Specifies Layer-4 protocol.
    specify-ip-tos    Specifies type of service.
    specify-ip-ttl    Specifies time to live.
    specify-ip-version    Specifies IP protocol version.

  • Page 402

    META definitions. The META engine generates a signature event after all requirements for the event are met.

  • Page 403

    The NORMALIZER engine deals with IP fragmentation and TCP normalization. This section describes the NORMALIZER engine, and contains the following topics:
    • Overview, page B-12
    • NORMALIZER Engine Parameters, page B-12

  • Page 404

    NORMALIZER Engine Parameters
    Parameter    Description
    edit-default-sigs-only    Editable signatures.
    specify-fragment-reassembly-timeout    (Optional) Enables fragment reassembly timeout.
    specify-hijack-max-old-ack    (Optional) Enables hijack-max-old-ack.
    specify-max-dgram-size    (Optional) Enables maximum datagram size.
    specify-max-fragments    (Optional) Enables maximum fragments.
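Added Python example (not Cisco code): a fragment reassembler that enforces the three limits the parameters above name (reassembly timeout, maximum fragments, maximum datagram size) and flags overlapping fragments, the evasion a normalizer exists to remove. The parameter table gives no values, so the defaults and alert names here are this example's assumptions.

```python
"""IP fragment reassembly with the NORMALIZER-style limits named above.

Added example, not Cisco code: the engine's parameter values are not on
this page, so the defaults here (timeout, maximum fragments, maximum
datagram size) and the alert names are this example's assumptions. It
shows the enforcement points a normalizer needs: a reassembly timeout, a
cap on fragments per datagram, a cap on the reassembled size, and the
refusal of overlapping fragments.
"""
from typing import Dict, List, Optional, Tuple

FlowKey = Tuple[str, str, int, int]  # (src, dst, ip-id, protocol)


class _Pending:
    def __init__(self, first_seen: float) -> None:
        self.first_seen = first_seen
        self.pieces: Dict[int, bytes] = {}   # byte offset -> payload
        self.total: Optional[int] = None     # known once the last fragment arrives


class FragmentReassembler:
    def __init__(self, reassembly_timeout: float = 60.0,
                 max_fragments: int = 64, max_dgram_size: int = 65535) -> None:
        self.timeout = reassembly_timeout
        self.max_fragments = max_fragments
        self.max_dgram_size = max_dgram_size
        self.pending: Dict[FlowKey, _Pending] = {}

    def add(self, now: float, key: FlowKey, frag_offset: int,
            more_fragments: bool, payload: bytes) -> Tuple[List[str], Optional[bytes]]:
        """Feed one fragment. frag_offset is in 8-byte units as in the IP header.

        Returns (alerts, reassembled datagram or None).
        """
        alerts: List[str] = []
        start = frag_offset * 8
        end = start + len(payload)
        if end > self.max_dgram_size:
            # reassembled datagram would exceed the configured maximum
            alerts.append("fragment-exceeds-max-dgram-size")
            self.pending.pop(key, None)
            return alerts, None
        state = self.pending.get(key)
        if state is not None and now - state.first_seen > self.timeout:
            alerts.append("fragment-reassembly-timeout")
            state = None   # stale pieces are discarded; this fragment starts anew
        if state is None:
            state = self.pending[key] = _Pending(now)
        for off, piece in state.pieces.items():
            if start < off + len(piece) and off < end:
                # overlapping (or duplicated) data is dropped rather than merged,
                # so the host and the sensor cannot see different payloads
                alerts.append("fragment-overlap")
                return alerts, None
        if len(state.pieces) + 1 > self.max_fragments:
            alerts.append("fragment-exceeds-max-fragments")
            del self.pending[key]
            return alerts, None
        state.pieces[start] = payload
        if not more_fragments:
            state.total = end
        if state.total is not None and self._complete(state):
            del self.pending[key]
            data = b"".join(state.pieces[o] for o in sorted(state.pieces))
            return alerts, data
        return alerts, None

    @staticmethod
    def _complete(state: _Pending) -> bool:
        """True when pieces cover 0..total contiguously with no gaps."""
        covered = 0
        for off in sorted(state.pieces):
            if off != covered:
                return False
            covered = off + len(state.pieces[off])
        return covered == state.total
```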

  • Page 405

    • SERVICE.HTTP Engine, page B-19
    • SERVICE.IDENT Engine, page B-20
    • SERVICE.MSRPC Engine, page B-21
    • SERVICE.MSSQL Engine, page B-22
    • SERVICE.NTP Engine, page B-22
    • SERVICE.RPC Engine, page B-23

  • Page 406

    (Optional) Enables query record data invalid: true | false
      • query-record-data-invalid—DNS Record Data incomplete
    specify-query-record-data-len    (Optional) Enables the query record data length: 0 to 65535
      • query-record-data-len—DNS Response Record Data Length

  • Page 407

    False for no swap (default).
    1. The second number in the range must be greater than or equal to the first number.

  • Page 408

    SERVICE.H225 Engine
    This section describes the SERVICE.H225 engine, and contains the following topics:
    • Overview, page B-17
    • SERVICE.H225 Engine Parameters, page B-17

  • Page 409

    SETUP signatures, you can add signatures for length and regular expression checks on various SETUP message fields.
    SERVICE.H225 Engine Parameters
    Table B-14 on page B-18 lists parameters specific to the SERVICE.H225 engine.

  • Page 410

    This is never set for TPKT signatures.
    specify-value-range    Valid for the length or value policy types (0 to 65535, 0x0000 to 0xFFFF). Not valid for other policy types.
      • value-range—Range of values.

  • Page 411

    The SERVICE.HTTP engine has default deobfuscation behavior for the Microsoft IIS web server. For an example SERVICE.HTTP custom signature, refer to “Example SERVICE.HTTP Signature,” in Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface 5.0.
    SERVICE.HTTP Engine Parameters
    Table B-15 lists the parameters specific to the SERVICE.HTTP engine.
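Added Python example (not Cisco code): the kind of IIS-oriented URI deobfuscation an HTTP engine performs before matching, together with checks modelled on the alarm-on-non-http-traffic and max-outstanding-requests-overrun parameters listed on the preceding pages. The limits, alert names and sample payloads are this example's assumptions, not the engine's defaults or its real decoding rules.

```python
"""URI deobfuscation and HTTP compliance checks in the style of SERVICE.HTTP.

Added example, not Cisco code: the engine's real deobfuscation rules and
parameter tables are not reproduced. Shown is the normalisation a
signature engine must do for an IIS target before matching (%XX and
%uXXXX decoding repeated to defeat double encoding, backslash separators,
dot segments, case folding) plus checks modelled on two parameters named
in the appendix: non-HTTP traffic on a web port and too many outstanding
requests on one connection. Limits and sample payloads are constructed.
"""
import re
from typing import List, Tuple
from urllib.parse import unquote

REQUEST_LINE = re.compile(rb"^([A-Z]{3,10}) (\S+) HTTP/\d\.\d$")


def iis_deobfuscate(uri: str, passes: int = 2) -> str:
    """Canonical form of a request URI as IIS would interpret it."""
    s = uri
    for _ in range(passes):  # repeat to undo double encoding (%255c -> %5c -> \)
        s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
        decoded = unquote(s, errors="replace")
        if decoded == s:
            break
        s = decoded
    s = s.replace("\\", "/")           # IIS accepts backslash as a separator
    path, sep, query = s.partition("?")
    segments: List[str] = []
    for seg in path.split("/"):        # collapse "." and ".." segments
        if seg == "..":
            if segments:
                segments.pop()
        elif seg not in ("", "."):
            segments.append(seg)
    return "/" + "/".join(segments).lower() + sep + query


def inspect_client_stream(payload: bytes, max_uri_length: int = 1024,
                          max_outstanding_requests: int = 4) -> Tuple[List[str], List[str]]:
    """Inspect the client-to-server bytes of one web-port connection.

    Returns (alerts, deobfuscated URIs). Every request line found is counted
    as outstanding because no server response is interleaved in this direction.
    """
    alerts: List[str] = []
    uris: List[str] = []
    lines = payload.split(b"\r\n")
    if not lines or not REQUEST_LINE.match(lines[0]):
        alerts.append("alarm-on-non-http-traffic")   # e.g. TLS or a tunnel on port 80
        return alerts, uris
    for line in lines:
        m = REQUEST_LINE.match(line)
        if not m:
            continue
        raw_uri = m.group(2).decode("latin-1")
        if len(raw_uri) > max_uri_length:
            alerts.append("uri-length-exceeded")
        uris.append(iis_deobfuscate(raw_uri))
    if len(uris) > max_outstanding_requests:
        alerts.append("max-outstanding-requests-overrun")
    return alerts, uris
```

Signatures should be matched against the deobfuscated form; the classic Unicode directory-traversal request in the test below only resolves to cmd.exe after two decoding passes and backslash normalisation.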

  • Page 412

    1. The second number in the range must be greater than or equal to the first number.
    SERVICE.IDENT Engine
    The SERVICE.IDENT engine inspects TCP port 113 traffic. It has basic decode and provides parameters to specify length overflows.

  • Page 413

    The SERVICE.MSRPC engine only decodes the DCE and RPC protocol for the most common transaction types. SERVICE.MSRPC Engine Parameters Table B-17 on page B-22 lists the parameters specific to the SERVICE.MSRPC engine.

  • Page 414

    The SERVICE.NTP engine inspects the NTP protocol. There is one NTP signature, the NTPd readvar overflow signature, which fires an alert if a readvar command is seen with NTP data that is too large for the NTP service to capture.

  • Page 415

    ... the target service resides.    0 to 65535, a-b[,c-d]
    specify-is-spoof-src    (Optional) Enables the spoof source address: true | false
      • is-spoof-src—Fires an alert when the source address is 127.0.0.1.

  • Page 416

    (Optional) Enables byte count: 0 to 65535
      • byte-count—Byte count from SMB_COM_TRANSACTION structure.
    specify-command    (Optional) Enables SMB commands: 0 to 255
      • command—SMB command value.

  • Page 417

    (Optional) Enables searching for the Type field of an MS RPC packet: 0 to 255
      • type—Type Field of MSRPC packet. 0 = Request; 2 = Response; 11 = Bind; 12 = Bind Ack

  • Page 418

    Inspects for brute force attempts: 0 to 65535
      • brute-force-count—The number of unique SNMP community names that constitute a brute force attempt.
    invalid-packet-inspection    Inspects for SNMP protocol violations.    —

  • Page 419

    State machines are used to describe a specific event that causes an output or alarm.

  • Page 420

    STATE Engine
    There are three state machines in the STATE engine: SMTP, Cisco Login, and LPR Format String. Table B-24 lists the parameters specific to the STATE engine.
    Table B-24 STATE Engine Parameters
    Parameter    Description    Value
    state-machine    State machine grouping.

  • Page 421

    • Traffic from service port destined to client port.
    • Traffic from client port destined to service port.
    icmp-type    ICMP header TYPE value.    0 to 18, a-b[,c-d]

  • Page 422

    1. The second number in the range must be greater than or equal to the first number.
    2. This parameter is primarily used as an IPS anti-evasion tool.

  • Page 423

    Realistic values for unique are between 5 and 15. TCP sweeps must have a TCP flag and mask specified to determine the sweep inspector slot in which to count the distinct connections.

  • Page 424

    • Attacker address and victim port
    suppress-reverse    Does not fire when a sweep has fired in the reverse direction on this address set.    true | false
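Added Python example (not Cisco code) illustrating the two points above: a TCP port sweep counter that only counts packets whose flags match under the configured mask, counts distinct victim ports per attacker and victim address pair, fires once when the count reaches unique, and honours suppress-reverse. The class name, the fire-once behaviour, the defaults and the sample addresses are this example's assumptions.

```python
"""Sweep counting with a TCP flag mask and suppress-reverse.

Added example, not Cisco code. A TCP sweep only counts packets whose
flags match under the configured mask (so SYN/ACK replies do not land in
the SYN slot), the count is of distinct victim ports for one attacker
and victim address pair, the alert fires once when the count reaches
unique, and suppress-reverse silences the same sweep seen from the other
direction. Names, defaults and sample traffic are assumptions.
"""
from typing import Dict, Optional, Set, Tuple

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


class TcpPortSweep:
    def __init__(self, unique: int = 5, tcp_flags: int = SYN,
                 tcp_mask: int = SYN | ACK, suppress_reverse: bool = True) -> None:
        self.unique = unique                  # realistic values: 5 to 15
        self.tcp_flags = tcp_flags            # flags that must be set...
        self.tcp_mask = tcp_mask              # ...among these bits
        self.suppress_reverse = suppress_reverse
        self.ports: Dict[Tuple[str, str], Set[int]] = {}   # (attacker, victim) -> ports seen
        self.fired: Set[Tuple[str, str]] = set()

    def observe(self, src: str, dst: str, dport: int, flags: int) -> Optional[str]:
        """Count one TCP packet; return an alert string when the sweep fires."""
        if (flags & self.tcp_mask) != self.tcp_flags:
            return None   # not this inspector slot (e.g. a SYN/ACK reply)
        key = (src, dst)
        if key in self.fired:
            return None   # this example fires once per address set
        if self.suppress_reverse and (dst, src) in self.fired:
            return None   # the same pair already alerted in the other direction
        seen = self.ports.setdefault(key, set())
        seen.add(dport)   # a repeated port is not a distinct connection
        if len(seen) >= self.unique:
            self.fired.add(key)
            return f"tcp-port-sweep {src} -> {dst}: {len(seen)} distinct ports"
        return None
```

With the default mask of SYN|ACK and flags of SYN, a half-open scan is counted while the target's SYN/ACK responses, which would otherwise look like a sweep from the victim back to the scanner, are ignored; suppress-reverse covers the remaining case where the victim really does send SYNs back.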

  • Page 425

    Whether this signature has configurable parameters.    yes | no
    inspection-type    Type of inspection to perform:    is-loki | is-mod-loki
      • is-loki—Inspects for original LOKI traffic.
      • is-mod-loki—Inspects for modified LOKI traffic.

  • Page 426

    The UDP modes of BO and BO2K are handled by the TROJAN.UDP engine. The TCP modes are handled by the TROJAN.BO2K engine. There are no specific parameters to the TROJAN engines, except for swap-attacker-victim in the TROJAN.UDP engine.

  • Page 427

    • Create a service account. A service account is needed for password recovery and other special debug situations directed by TAC. For the procedure, see Creating the Service Account, page 4-13.

  • Page 428

    For the procedures for appliances and modules, see Chapter 17, “Upgrading, Downgrading, and Installing System Images.” Log in to the sensor with the default user ID and password—cisco.

  • Page 429

    Before troubleshooting the appliance, check the Caveats section of the Readme for the software version you have installed on your sensor to see if you are dealing with a known issue.

  • Page 430

    Link Speed = Auto_1000
    Link Duplex = Auto_Full
    Total Packets Received = 0
    Total Bytes Received = 0
    Total Multicast Packets Received = 0
    Total Broadcast Packets Received = 0

  • Page 431

    Step 4 Make sure the management port is connected to an active network connection. If the management port is not connected to an active network connection, the management interface will not come up.

  • Page 432

    Step 3 Verify that the client IP address is listed in the allowed networks. If it is not, add it:
    sensor# configure terminal
    sensor(config)# service host
    sensor(config-hos)# network-settings
    sensor(config-hos-net)#
 access-list 171.69.70.0/24

  • Page 433

    Total Jumbo Packets Received = 0
    Total Undersize Packets Received = 0
    Total Receive Errors = 0
    Total Receive FIFO Overruns = 0
    Total Packets Transmitted = 0

  • Page 434

    The sensing process, SensorApp, should always be running. If it is not, you do not receive any alerts. SensorApp is part of AnalysisEngine, so you must make sure the AnalysisEngine is running.

  • Page 435

    Step 4 Make sure you have the latest software updates:
    sensor# show version
    Upgrade History:
      IDS-K9-maj-5.0-1- 14:16:00 UTC Thu Mar 04 2004
    Recovery Partition Version 1.1 - 5.0(1)S149

  • Page 436

    If you do not have the latest software updates, download them from Cisco.com. For the procedure, see Obtaining Cisco IPS Software, page 18-1.
    Step 5 Read the Readme that accompanies the software upgrade for any known DDTS for SensorApp or AnalysisEngine.

  • Page 437

    Step 3 Make sure the sensing port is connected properly on the appliance. See the chapter on your appliance in Installing Cisco Intrusion Prevention System Appliances and Modules 5.0. Make sure the sensing port is connected to the correct SPAN or VACL capture port on IDSM-2.

  • Page 438

    Number of Summary Intermediate Alerts
    Number of Regular Summary Final Alerts
    Number of Global Summary Final Alerts
    Number of Alerts Output for further processing = 0
    alertDetails: Traffic Source: int0 ;

  • Page 439

    Step 3 If the interfaces are not up, do the following:
    Check the cabling. Refer to the chapter in Installing Cisco Intrusion Prevention System Appliances and Modules 5.0 that pertains to your sensor for information on installing the sensor properly.
    Enable the interface.

  • Page 440

    Step 4 cp /usr/cids/idsRoot/etc/defVirtualSensorConfig.xml /usr/cids/idsRoot/etc/VS-Config/virtualSensor.xml
    Step 5 Remove the cache files:
    rm /usr/cids/idsRoot/var/virtualSensor/*.pmz
    Step 6 Exit the service account.
    Step 7 Log in to the sensor CLI.

  • Page 441

    Verifying Network Access Controller is Running, page C-16. Verify that Network Access Controller is connecting to the network devices. For the procedure see Verifying Network Access Controller Connections are Active, page C-17.

  • Page 442

    12:53:00 UTC Fri Mar 18 2005
    Recovery Partition Version 1.1 - 5.0(1.1)
    sensor#
    Step 3 If MainApp displays Not Running, Network Access Controller has failed. Contact the TAC.

  • Page 443

    Upgrade History:
      IDS-K9-maj-5.0-1- 14:16:00 UTC Thu Mar 04 2004
    Recovery Partition Version 1.1 - 5.0(1)S149
    If you do not have the latest software updates, download them from Cisco.com. For the procedure, see Obtaining Cisco IPS Software, page 18-1.
    Step 5 Read the Readme that accompanies the software upgrade for any known DDTS for Network Access Controller.

  • Page 444

    (min: 0, max: 250, current: 0)
    -----------------------------------------------
    block-networks (min: 0, max: 250, current: 0)
    -----------------------------------------------
    user-profiles (min: 0, max: 250, current: 1)
    -----------------------------------------------
    profile-name: r7200
    -----------------------------------------------

  • Page 445

    ACL.
    Note: You can also perform a manual block from IDM by clicking Monitoring > Active Host Blocks.

  • Page 446

    Step 1 Enter configuration mode:
    sensor# configure terminal
    Step 2 Enable SSH:
    sensor(config)# ssh host blocking_device_ip_address
    Step 3 Type yes when prompted to accept the device.
    Step 4

  • Page 447

    Step 4 Exit signature definition submode:
    sensor(config-sig-sig-nor)# exit
    sensor(config-sig-sig)# exit
    sensor(config-sig)# exit
    Apply Changes:?[yes]:
    Step 5 Press Enter to apply the changes or type no to discard them.

  • Page 448

    Step 6 Verify that the block shows up in the Network Access Controller’s statistics:
    sensor# show statistics network-access
    Current Configuration
       AllowSensorShun = false
       ShunMaxEntries = 100
    State
       ShunEnable = true
       ShunnedAddr
          Host
             IP = 10.16.0.0
             ShunMinutes =

  • Page 449

    Step 1 Log in to the service account.
    Step 2 Edit the log.conf file to increase the size of the log to accommodate the additional log statements:
    vi /usr/cids/idsRoot/etc/log.conf

  • Page 450

    <defaulted> <protected entry>
    zone-name: Cid
    severity: debug
    <defaulted> <protected entry>
    zone-name: Cli
    severity: warning
    <defaulted> <protected entry>
    zone-name: IdapiCtlTrans
    severity: warning
    <defaulted> <protected entry>
    zone-name: IdsEventStore

  • Page 451

    <defaulted> <protected entry>
    zone-name: IdapiCtlTrans
    severity: warning
    <defaulted> <protected entry>
    zone-name: IdsEventStore
    severity: error
    default: warning
    <protected entry>
    zone-name: MpInstaller
    severity: warning
    <defaulted> <protected entry>
    zone-name: cmgr

  • Page 452

    MpInstaller
    severity: warning
    <defaulted> <protected entry>
    zone-name: cmgr
    severity: warning
    <defaulted> <protected entry>
    zone-name: cplane
    severity: warning
    <defaulted> <protected entry>
    zone-name: csi
    severity: warning
    <defaulted> <protected entry>

  • Page 453

    1. The Card Manager service is used on AIP-SSM to exchange control and state information between modules in the chassis.
    2. The Control Plane is the transport communications layer used by Card Manager on AIP-SSM.

  • Page 454

    The syslog output is sent to the syslog facility local6 with the following correspondence to syslog message priorities:
    LOG_DEBUG      debug
    LOG_INFO       timing
    LOG_WARNING    warning
    LOG_ERR        error
    LOG_CRIT       fatal
    Note: Make sure that your /etc/syslog.conf has that facility enabled at the proper priority.
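The LogApp behaviour described on page 373 (messages at warning level or above become evError events in the circular Event Store, whose oldest entries are replaced by the newest) and the syslog correspondence above, combined in one added Python example (not Cisco code). The per-zone thresholds mirror the shape of the log.conf listing on the preceding pages but are constructed values; the class and function names are assumptions, and nothing is actually sent to syslog.

```python
"""LogApp-style message routing, as an added example (not Cisco code).

It implements the behaviours stated in the appendix: a message is kept
only if it meets the severity threshold of its zone (as in log.conf),
messages at warning level or above are converted to evError events and
inserted into a bounded circular Event Store (the oldest event is
replaced by the newest), and each LogApp level maps to a syslog priority
on facility local6. The class and function names and the zone table
values are assumptions for illustration; no syslog message is sent.
"""
from collections import deque
from typing import Deque, Dict, List, Optional

# syslog numeric codes from RFC 5424; PRI = facility * 8 + priority
LOG_DEBUG, LOG_INFO, LOG_WARNING, LOG_ERR, LOG_CRIT = 7, 6, 4, 3, 2
LOG_LOCAL6 = 22

# LogApp level -> syslog priority, from the correspondence in the appendix
SYSLOG_PRIORITY: Dict[str, int] = {
    "debug": LOG_DEBUG,
    "timing": LOG_INFO,
    "warning": LOG_WARNING,
    "error": LOG_ERR,
    "fatal": LOG_CRIT,
}
LEVEL_RANK = {"debug": 0, "timing": 1, "warning": 2, "error": 3, "fatal": 4}

# Per-zone thresholds in the style of the log.conf listing
# (constructed values, not the sensor's defaults)
ZONE_SEVERITY: Dict[str, str] = {
    "Cid": "debug",
    "Cli": "warning",
    "IdapiCtlTrans": "warning",
    "IdsEventStore": "error",
}
DEFAULT_SEVERITY = "warning"


def syslog_pri(level: str) -> int:
    """PRI value for a LogApp level on facility local6."""
    return LOG_LOCAL6 * 8 + SYSLOG_PRIORITY[level]


class EventStore:
    """Circular buffer of events; when full, the oldest is replaced."""

    def __init__(self, capacity: int) -> None:
        self.events: Deque[dict] = deque(maxlen=capacity)
        self.replaced = 0  # how many old events have been overwritten

    def insert(self, event: dict) -> None:
        if len(self.events) == self.events.maxlen:
            self.replaced += 1
        self.events.append(event)


class LogApp:
    def __init__(self, store: EventStore) -> None:
        self.store = store
        self.main_log: List[str] = []  # what would go to main.log / syslog

    def log(self, zone: str, level: str, text: str) -> Optional[int]:
        """Route one message; return its syslog PRI, or None if filtered."""
        if level not in LEVEL_RANK:
            raise ValueError(f"unknown level {level!r}")
        threshold = ZONE_SEVERITY.get(zone, DEFAULT_SEVERITY)
        if LEVEL_RANK[level] < LEVEL_RANK[threshold]:
            return None  # below the zone's configured severity
        pri = syslog_pri(level)
        self.main_log.append(f"<{pri}>{zone}: {text}")
        if LEVEL_RANK[level] >= LEVEL_RANK["warning"]:
            # warning, error and fatal become evError events in the Event Store
            self.store.insert({"type": "evError", "severity": level,
                               "zone": zone, "text": text})
        return pri
```

The `replaced` counter is the value worth watching: on a busy sensor it tells you how many evError records an event consumer that polls too slowly has already lost.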

  • Page 455

    To troubleshoot a reset not occurring for a specific signature, follow these steps:
    Step 1 Log in to the CLI.
    Step 2 Make sure the event action is set to TCP reset:
    sensor# configure terminal

  • Page 456

    Step 7 Make sure the resets are being sent:
    root# ./tcpdump -i eth0 src host 172.16.171.19
    tcpdump: WARNING: eth0: no IPv4 address assigned
    tcpdump: listening on eth0

  • Page 457

    • Signature updates require the minimum version listed in the filename.
    • Service packs require the correct minor version.
    • Minor versions require the correct major version.
    • Major versions require the previous major version.
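The four prerequisite rules above, encoded as an added Python example (not Cisco code). The installed-version format follows the show version output on this page (5.0(1)S149); the package filename patterns are assumptions modelled on the IDS-K9-maj-5.0-1 name shown earlier and are not a specification of Cisco's naming.

```python
"""Prerequisite checks for IPS software packages, as an added example
(not Cisco code). It encodes the four rules listed above. The installed
version string follows the show version output on this page
("5.0(1)S149"); the package filename patterns are assumptions modelled on
the "IDS-K9-maj-5.0-1" name shown earlier and are not a specification of
Cisco's naming.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

INSTALLED_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)(?:S(\d+))?$")
PACKAGE_RE = re.compile(
    r"^(?:IPS|IDS)-(?:K9-)?(?P<kind>maj|min|sp|sig)"
    r"(?:-S(?P<sig>\d+)-minreq)?-(?P<major>\d+)\.(?P<minor>\d+)-(?P<sp>\d+)"
)


@dataclass(frozen=True)
class Installed:
    major: int
    minor: int
    sp: int
    sig: Optional[int]

    @classmethod
    def parse(cls, text: str) -> "Installed":
        m = INSTALLED_RE.match(text)
        if not m:
            raise ValueError(f"unrecognised version {text!r}")
        major, minor, sp, sig = m.groups()
        return cls(int(major), int(minor), int(sp), int(sig) if sig else None)


def check_prerequisite(installed: Installed, package: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for applying `package` to `installed`."""
    m = PACKAGE_RE.match(package)
    if not m:
        return False, f"unrecognised package name {package!r}"
    kind = m.group("kind")
    pkg = (int(m.group("major")), int(m.group("minor")), int(m.group("sp")))
    cur = (installed.major, installed.minor, installed.sp)
    if kind == "sig":
        # signature updates require the minimum version listed in the filename
        if cur >= pkg:
            return True, "installed version meets the minimum in the filename"
        return False, f"needs at least {pkg[0]}.{pkg[1]}({pkg[2]})"
    if kind == "sp":
        # service packs require the correct minor version
        if cur[:2] == pkg[:2]:
            return True, "minor version matches"
        return False, f"service pack is for {pkg[0]}.{pkg[1]}, sensor runs {cur[0]}.{cur[1]}"
    if kind == "min":
        # minor versions require the correct major version
        if cur[0] == pkg[0]:
            return True, "major version matches"
        return False, f"minor release is for major {pkg[0]}, sensor runs {cur[0]}"
    # kind == "maj": major versions require the previous major version
    if cur[0] == pkg[0] - 1:
        return True, "sensor runs the previous major version"
    return False, f"major release {pkg[0]} requires major {pkg[0] - 1}, sensor runs {cur[0]}"
```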

  • Page 458

    • If you modify the FTP prompts to give security warnings, for example, this causes a problem, because the sensor is expecting a hard-coded list of responses.

  • Page 459

    Step 7 Store the sensor’s host key:
    sensor# configure terminal
    sensor(config)# service ssh
    sensor(config-ssh)# rsa1-keys sensor_ip_address
    Step 8 Upgrade the sensor:
    sensor(config)# upgrade scp://service@sensor_ip_address/upgrade/ips_package_file_name
    Enter password: *****

  • Page 460

    You must change the memory settings of Java Plug-in before using IDM and ASDM. The mandatory minimum memory size is 256 MB. This section contains the following topics:

  • Page 461

    Java 2 SDK is installed at /usr/j2se, the full path is /usr/j2se/jre/bin/ControlPanel.
    Note: In a Java 2 Runtime Environment installation, the file is located at <JRE installation directory>/bin/ControlPanel.

  • Page 462

    Under Java Runtime Environment, select JRE 1.3.x from the drop-down menu.
    Click the Cache tab.
    Click the Browser tab.
    Deselect all browser check boxes.
    Click Clear Cache.

  • Page 463

    10.89.130.108/23,10.89.130.1
    host-name sensor
    telnet-option enabled
    access-list 0.0.0.0/0
    ftp-timeout 300
    no login-banner-text
    exit
    time-zone-settings
    offset 0
    standard-time-zone-name UTC
    exit
    summertime-option disabled
    ntp-option disabled
    exit

  • Page 464

    • Cannot Communicate With IDSM-2 Command and Control Port, page C-42
    • Using the TCP Reset Interface, page C-44
    • Connecting a Serial Cable to IDSM-2, page C-44

  • Page 465

    The following switch commands help you troubleshoot IDSM-2:
    • show module (Cisco Catalyst Software and Cisco IOS Software)
    • show version (Cisco Catalyst Software and Cisco IOS Software)
    • show port (Cisco Catalyst Software)

  • Page 466

    00-e0-b0-ff-3b-80 to 00-e0-b0-ff-3b-87   0.102   7.2(0.67)   5.0(0.30)
    Mod Sub-Type                Sub-Model           Sub-Serial  Sub-Hw Sub-Sw
    --- ----------------------- ------------------- ----------- ------ ------
        L3 Switching Engine     WS-F6K-PFC          SAD041303G6 1.1
        IDS 2 accelerator board WS-SVC-IDSUPG

  • Page 467

    Allow up to 5 minutes for IDSM-2 to come online. If the status does not read , turn the module on:
    Step 3 router# set module power up module_number

  • Page 468

    Step 4 Make sure the command and control port is in the correct VLAN:
    For Catalyst software:
    cat6k> (enable) show port 6/8
    * = Configured MAC Address
    # = 802.1X Authenticated Port Name.

  • Page 469

    If the command and control port is not in the correct VLAN, put it in the correct VLAN. For the procedure, refer to Configuring the Catalyst 6500 Series Switch for Command and Control Access to IDSM-2, page 15-4.

  • Page 470

    Getting details from the Service Module, please wait...
    ASA 5500 Series Security Services Module-20
    Model:              AIP-SSM-20
    Hardware version:
    Serial Number:      P2B000005D0
    Firmware version:   1.0(10)0
    Software version:   5.1(0.1)S153.0
    Status:

  • Page 471

    The module in slot 1 will be recovered. This may erase all configuration and all data on that device and attempt to download a new image for it.

  • Page 472

    Slot-1 157> TFTP failure: Packet verify failed after 20 retries
    Slot-1 158> Rebooting due to Autoboot error ...
    Slot-1 159> Rebooting..
    Slot-1 160> Cisco Systems ROMMON Version (1.0(10)0) #0: Fri Mar 25 23:02:10 PST 2005
    Slot-1 161> Platform AIP-SSM-10
    Slot-1 162> GigabitEthernet0/0
    Slot-1 163>...

  • Page 473

    To display tech support information, follow these steps:
    Step 1 Log in to the CLI using an account with administrator privileges.
    Step 2 View the output on the screen:
    sensor# show tech-support page

  • Page 474

    Total Packets Received = 0
    Total Bytes Received = 0
    Total Multicast Packets Received = 0
    Total Broadcast Packets Received = 0
    Total Jumbo Packets Received = 0

  • Page 475

    Linux version 2.4.26-IDS-smp-bigphys (csailer@mcq) (gcc version 2.96 20000731 (Red Hat Linux 7.3 2.96-112)) #2 SMP Fri Mar 4 04:11:31 CST 2005
    03:33:54 up 21 days, 23:15, 3 users, load average: 0.96, 0.86, 0.78
    --MORE--

  • Page 476

    36.3M out of 166.8M bytes of available disk space (23% usage)
    boot is using 39.4M out of 68.6M bytes of available disk space (61% usage)

  • Page 477

    sensor# more current-config
    ! ------------------------------
    ! Version 5.0(0.26)
    ! Current configuration last modified Wed Feb 16 03:20:54 2005
    ! ------------------------------
    display-serial
    ! ------------------------------
    service analysis-engine
    exit

  • Page 478

    • Event Store
    • Host
    • Logger
    • Network Access
    • Notification
    • SDEE Server
    • Transaction Server
    • Transaction Source
    • Virtual Sensor
    • Web Server

  • Page 479

    UDP nodes keyed on both IP addresses and both ports = 0
    IP nodes keyed on both IP addresses = 0
    The number of each type of node inserted since reset
    Total nodes inserted = 28

  • Page 480

    Number of FireOnce Intermediate Alerts = 480
    Number of Summary First Alerts
    Number of Summary Intermediate Alerts
    Number of Regular Summary Final Alerts
    Number of Global Summary Final Alerts

  • Page 481

    Number of Alerts where deny-connection was forced for deny-packet action = 0
    Number of Alerts where deny-packet was forced for non-TCP deny-connection action
    Per-Signature SigEvent count since reset
    Sig 2004 = 5

  • Page 482

    Denied Attackers and hit count for each.
    sensor#
    Step 6 Display the statistics for the event server:
    sensor# show statistics event-server
    General
    openSubscriptions = 0
    blockedSubscriptions = 0
    Subscriptions
    sensor#

  • Page 483

    Memory Statistics
    Memory usage (bytes) = 500498432
    Memory free (bytes) = 894976032
    Auto Update Statistics
    lastDirectoryReadAttempt = N/A
    lastDownloadAttempt = N/A
    lastInstallAttempt = N/A
    nextAttempt = N/A
    sensor#

  • Page 484

    InterfacePostBlock = Post_Acl_Test
    BlockInterface
    InterfaceName = ethernet0/1
    InterfaceDirection = in
    InterfacePreBlock = Pre_Acl_Test
    InterfacePostBlock = Post_Acl_Test
    NetDevice
    Type = CAT6000_VACL
    IP = 10.89.150.138
    NATAddr = 0.0.0.0
    Communications = telnet

  • Page 485

    Mask = 255.255.0.0
    BlockMinutes =
    sensor#
    Step 11 Display the statistics for the notification application:
    sensor# show statistics notification
    General
    Number of SNMP set requests = 0

  • Page 486

    Error Severity = 14
    Warning Severity = 1
    Timing Severity = 0
    Debug Severity = 0
    Unknown Severity = 28
    TOTAL = 43
    The statistics were retrieved and cleared.

  • Page 487

    The following example shows the output from the show interfaces command:
    sensor# show interfaces
    Interface Statistics
    Total Packets Received = 0
    Total Bytes Received = 0
    Missed Packet Percentage = 0
    Current Bypass Mode = Auto_off

  • Page 488

    This section describes the show events command, and contains these topics:
    • Overview, page C-63
    • Sensor Events, page C-63
    • Displaying Events, page C-63
    • Clearing Events, page C-66

  • Page 489

    If no level is selected (informational, low, medium, or high), all alert events are displayed.
    • include-traits—Displays alerts that have the specified traits.
    • exclude-traits—Does not display alerts that have the specified traits.

  • Page 490

    Sensor1
    appName: NetworkAccessControllerApp
    appInstance: 654
    time: 2005/02/09 10:33:31 2004/08/09 13:13:31
    shunInfo:
    host: connectionShun=false
    srcAddr: 11.0.0.1
    destAddr:
    srcPort:
    destPort:
    protocol: numericType=0 other
    timeoutMinutes: 40

  • Page 491

    2003/01/08 02:41:00 2003/01/08 02:41:00 UTC
    controlTransaction: command=getVersion successful=true
    description: Control transaction response.
    requestor:
    user: cids
    application:
    hostId: 64.101.182.101
    appName: -cidcli
    appInstanceId: 2316
    evStatus: eventId=1041526834774829056 vendor=Cisco
    originator:
    hostId: sensor

  • Page 492

    Send the resulting HTML file to TAC or the IPS developers in case of a problem. For the procedure, see Uploading and Accessing Files on the Cisco FTP Site, page C-67.

  • Page 493

    You can upload large files, for example, cidDump.html, the show tech-support command output, and cores, to the ftp-sj server. To upload and access files on the Cisco FTP site, follow these steps:
    Step 1 Log in to ftp-sj.cisco.com as anonymous.
    Step 2 Change to the /incoming directory.

  • Page 494

    Appendix C Troubleshooting Gathering Information

  • Page 495

    alert  Specifically, an IPS event type; it is written to the Event Store as an evidsAlert. In general, an alert is an IPS message that indicates a network exploit in progress or a potential security problem occurrence. Also known as an alarm.

  • Page 496

    Typically, APIs make it easier for software developers to create links that an application needs to communicate with the operating system or with the network.
    application  Any program (process) designed to run in the Cisco IPS environment.
    application instance  A specific application running on a specific piece of hardware in the IPS environment. An application instance is addressable by its name and the IP address of its host computer.

  • Page 497

    CIDEE  Cisco Intrusion Detection Event Exchange. Specifies the extensions to SDEE that are used by Cisco IPS systems. The CIDEE standard specifies all possible extensions that may be supported by Cisco IPS systems.
    CIDS header  The header that is attached to each packet in the IPS system. It contains packet classification, packet length, checksum results, timestamp, and the receive interface.

  • Page 498

    destination address  Address of a network device that is receiving data.
    Deny Filters Processor. Handles the deny attacker functions. It maintains a list of denied source IP addresses.
    DIMM  Dual In-line Memory Modules.

  • Page 499

    evIdsAlert  The XML entity written to the Event Store that represents an alert.
    false negative  A signature is not fired when offending traffic is detected.
    false positive  Normal traffic or a benign action causes a signature to fire.

  • Page 500

    Greenwich Mean Time. Time zone at zero degrees longitude. Now called Coordinated Universal Time (UTC).
    H.225.0  An ITU standard that governs H.225.0 session establishment and packetization. H.225.0 actually describes several different protocols: RAS, use of Q.931, and use of RTP.

  • Page 501

    IPS data or message  Describes the messages transferred over the command and control interface between IPS applications.
    IDSM-2  Intrusion Detection System Module. A switching module that performs intrusion detection in the Catalyst 6500 series switch.

  • Page 502

    LOKI  Remote access, back door Trojan, ICMP tunneling software. When the computer is infected, the malicious code creates an ICMP tunnel that can be used to send small payload ICMP replies

  • Page 503

    Hash Algorithm (SHA) are variations on MD4 and strengthen the security of the MD4 hashing algorithm. Cisco uses hashes for authentication within the IPSec framework. Also used for message authentication in SNMP v.2. MD5 verifies the integrity of the communication, authenticates the origin, and checks for timeliness.

  • Page 504

    Feature that permits you to add, replace, or remove cards without interrupting the system power, entering console commands, or causing other software or interfaces to shutdown.

  • Page 505

    OSI term for packet. See also BPDU and packet.
    PEP  Cisco Product Evolution Program. PEP is the UDI information that consists of the PID, the VID, and the SN of your sensor. PEP provides hardware version and serial number visibility through electronic query, product labels, and shipping items.

  • Page 506

    Risk Rating. An RR is a value between 0 and 100 that represents a numerical quantification of the risk associated with a particular event on the network.

  • Page 507

    Signature Analysis Processor. Dispatches packets to the inspectors that are not stream-based and that are configured for interest in the packet in process.
    SCEP  Simple Certificate Enrollment Protocol. The Cisco Systems PKI communication protocol that leverages existing technology by using PKCS#7 and PKCS#10. SCEP is the evolution of the enrollment protocol.

  • Page 508

    Server Message Block. File-system protocol used in LAN manager and similar NOSs to package data and exchange information with other systems.
    SN  Serial Number. Part of the UDI. The SN is the serial number of your Cisco product.
    SERVICE engine  Deals with specific protocols, such as DNS, FTP, H255, HTTP, IDENT, MS RPC, MS SQL, NTP, RPC, SMB, SNMP, and SSH.

  • Page 509

    Refers to attaching rubber feet to the bottom of a sensor when it is installed on a flat surface. The rubber surface mounting feet allow proper airflow around the sensor and they also absorb vibration so that the hard-disk drive is less impacted.

  • Page 510

    IDS-4250-TX appliance when the XL card is not present. On the IDSM-2 the TCP reset interface is designated as port 1 with Catalyst software, and is not visible to the user in Cisco IOS software. The TCP reset action is only appropriate as an action selection on those signatures that are associated with a TCP-based service.

  • Page 511

    tune  Adjusting signature parameters to modify an existing signature.
    UDI  Unique Device Identifier. Provides a unique identity for every Cisco product. The UDI is composed of the PID, VID, and SN. The UDI is stored in the Cisco IPS ID PROM.

  • Page 512

    IP level.
    vulnerability  One or more attributes of a computer or a network that permit a subject to initiate patterns of misuse on that computer or network.

  • Page 513

    X.509  Standard that defines information contained in a certificate.
    eXtensible Markup Language. Textual file format used for data interchange between heterogeneous hosts.

  • Page 514

    Glossary

  • Page 515

    4-18 described 7-12 upgrading recovery partition 17-4 features application partition AIP-SSM described commands 14-5 image recovery 17-9 configuration tasks 14-1 application-policy command 7-13

  • Page 516

    B-34 backing up configuration 12-17 current configuration 12-16 BackOrifice protocol cannot access sensor B-34 backup-config command 12-13 capturing live traffic banner login command 13-1 block-enable command 10-6

  • Page 517

    A-3, A-28 Cisco.com generic commands accessing software 18-1 introducing account 18-6 regular expression syntax Active Update Bulletins 18-11, 18-12

  • Page 518

    1 shutdown 14-5 block-enable inline-interfaces 10-6 block-hosts interface-notifications 10-27 5-10 block-networks ip-access-list 10-27 15-13 bypass-option 5-10 ip-log 7-28 class-map iplog 14-2 clear denied-attackers ip-log-bytes 6-18, 13-8

  • Page 519

    10-28, 13-10, C-53 show statistics virtual-sensor automatic upgrades 13-10, C-53 17-7 show tech-support 13-18, C-47 blocking show users firewalls 4-16 10-24 show version routers 13-19, C-50 10-20

  • Page 520

    7-32 privilege string TCP signatures 4-15 7-30 promiscuous mode user profiles 10-17 sensor to block itself cryptographic access to Cisco.com 10-4 18-6 sensor to use NTP 4-29

  • Page 521

    13-22 Cisco IOS software 15-10 disabling enabling debug logging C-23 blocking 10-6 Encryption Software Export Distribution Authorization EtherChanneling 15-22 form signatures cryptographic account 7-10 18-2

  • Page 522

    6-16 Event Store global-summarization command 6-16 clearing events 4-20 data structures described examples H.225.0 protocol B-17 responsibilities H.323 protocol B-17 timestamp event types C-63

  • Page 523

    15-21 RDEP2 A-34 maintenance partition (Catalyst Software) 17-28 A-34 maintenance partition (Cisco IOS) 17-31 IDIOM mls ip ids command 15-15 defined A-34 sequence 15-1 messages A-34

  • Page 524

    15-28 parameters (table) 7-22 TCP reset port 15-7, 15-12 signatures (table) 7-22 time sources 4-19 ip-log-bytes command unsupported supervisor engine commands 15-29 ip-log command 7-28

  • Page 525

    Linux OS locked account reset 4-14 new features log-all-block-events-and-errors command 10-13 obtaining 18-1 LogApp platform-dependent release examples 18-5 described A-2, A-19 retrieving data functions A-19 security features

  • Page 526

    Catalyst 6000 series switch 10-25 MASTER engine VACL commands A-19 alert frequency VACLs A-19 alert frequency parameters (table) Catalyst switches defined VACLs A-16 general parameters (table) VLANs A-16

  • Page 527

    4-28, 4-29 file server configuration 17-22 4-28 overview time synchronization 17-22 4-18 checking IPS software status 16-7 configuration tasks 16-1 configuring ids-sensor interfaces 16-2

  • Page 528

    AIP-SSM C-45 physical-interfaces command application partition image 17-9 physical interfaces configuration recovery/upgrade CD 17-18 ping command 13-22 recovery partition policy-map command 14-2 described Post-Block ACLs 10-18, 10-19

  • Page 529

    A-27 described inline packet processing A-26 example 6-20 IP normalization A-27 RSA authentication and authorized keys 4-32 new features A-26 packet flow A-24 described 17-11 processors A-23

  • Page 530

    1-4, A-29 parameters (table) B-15 A-29 SERVICE.GENERIC engine troubleshooting A-29 described B-16 service-policy command 14-2 parameters (table) Service privileges B-16 1-4, A-29 service role 1-4, 2-2, A-29

  • Page 531

    B-10 FLOOD.HOST B-10 configuring FLOOD.NET agent parameters B-10 11-2 H225 traps B-17 11-4 list general parameters 11-2 META B-10 11-1 NORMALIZER GetNext B-12 11-1 SERVICE.DNS B-14 11-1

  • Page 532

    System Configuration Dialog described 7-27 STRING.ICMP engine parameters (table) system design (illustration) B-29 STRING.TCP engine system image options installing 7-30 parameters (table) IPS-4240 B-30 17-15

  • Page 533

    17-11 described B-34 17-11 TFN2K B-34 time correction on sensors 4-20 troubleshooting time sources accessing files on FTP site C-67 AIP-SSM 4-20 access list misconfiguration appliances 4-18

  • Page 534

    18-5 sensor events C-63 recovery partition 17-4, 17-9 sensor not seeing packets C-13 URLs for Cisco Security Center 18-11 sensor process not running username command 4-11

  • Page 535

    Viewer privileges 1-3, A-28 viewing user information 4-16 virtual sensor and assigning the interfaces Web Server described A-2, A-22 HTTP 1.0 and 1.1 support A-22

  • Page 536

    Index
