Summary of Contents for Cisco 4215 - Intrusion Detection Sys Sensor
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0. Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706, http://www.cisco.com, Tel: 408 526-4000, 800 553-NETS (6387), Fax: 408 527-0883. Customer Order Number: DOC-7816527=. Text Part Number: 78-16527-01...
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks.
Logging In to NM-CIDS; Logging In to AIP-SSM; Logging In to the Sensor; Initializing the Sensor. Chapter: Overview; System Configuration Dialog; Initializing the Sensor. Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0 78-16527-01...
Generating a New SSH Server Key 4-34; Configuring TLS 4-34; About TLS 4-34; Adding TLS Trusted Hosts 4-35; Displaying and Generating the Server Certificate 4-37; Installing the License Key 4-37
Event Action Filters; About Event Action Filters; Configuring Event Action Filters 6-10; General Settings 6-14; About General Settings 6-15; Event Action Summarization 6-15; Event Action Aggregation 6-15; Deny Attackers 6-16
Creating Custom Signatures 7-29; Sequence for Creating a Custom Signature 7-29; Example STRING.TCP Signature 7-30; Example SERVICE.HTTP Signature 7-32; Example MEG Signature 7-33; Example AIC MIME-Type Signature 7-36
10-19; Routers and ACLs 10-19; Configuring the Sensor to Manage Cisco Routers 10-20; Configuring the Sensor to Manage Catalyst 6500 Series Switches and Cisco 7600 Series Routers 10-21; Switches and VACLs 10-21
Contents: Configuring the Sensor to Manage Catalyst 6500 Series Switches and Cisco 7600 Series Routers 10-22; Configuring the Sensor to Manage Cisco Firewalls 10-24; Configuring the Sensor to be a Master Blocking Sensor 10-25; Configuring Manual Blocking 10-27; Obtaining a List of Blocked Hosts and Connections...
Cisco IOS Software 15-15; Configuring the Catalyst Series 6500 Switch for IDSM-2 in Inline Mode 15-16; Catalyst Software 15-17; Cisco IOS Software 15-18; Configuring EtherChanneling 15-20; Overview 15-20
Chapter: Overview 17-1; Upgrading the Sensor 17-2; Overview 17-2; Upgrade Command and Options 17-2; Using the Upgrade Command 17-3; Upgrading the Recovery Partition 17-4; Configuring Automatic Upgrades 17-5
Service Programs for IPS Products 18-7; Installing the License Key 18-8; Using IDM 18-8; Using the CLI 18-9; Cisco Security Center 18-11; Cisco IPS Active Update Bulletins 18-11; Accessing IPS Documentation 18-12
A-21; Web Server A-22; SensorApp A-22; Responsibilities and Components A-23; Packet Flow A-24; SEAP A-25; New Features A-26; A-28; User Roles A-28; Service Account A-29; CLI Behavior A-30
Cleaning Up a Corrupted SensorApp Configuration C-14; Bad Memory on IDS-4250-XL C-15; Blocking C-15; Troubleshooting Blocking C-15; Verifying Network Access Controller is Running C-16; Verifying Network Access Controller Connections are Active C-17
Connecting a Serial Cable to IDSM-2 C-44; Troubleshooting AIP-SSM C-44; Gathering Information C-46; Tech Support Information C-47; Overview C-47; Displaying Tech Support Information C-47; Tech Support Command Output C-48
C-63; Clearing Events C-66; cidDump Script C-66; Uploading and Accessing Files on the Cisco FTP Site C-67; Glossary; Index
Elements in square brackets are optional. {x | y | z} Required alternative keywords are grouped in braces and separated by vertical bars.
Means reader be warned. In this situation, you might perform an action that could result in bodily injury. Related Documentation: For more information on Cisco IPS, refer to the following documentation found at this URL: http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/tsd_products_support_series_home.html • Documentation Roadmap for Cisco Intrusion Prevention System...
Obtaining Documentation and Submitting a Service Request: For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html...
Documentation Roadmap for Cisco Intrusion Prevention System 5.0 that shipped with your sensor for information on locating all IPS 5.0 documents on Cisco.com. You can also use an IPS manager to configure your sensor. Refer to the Documentation Roadmap for Cisco Intrusion Prevention System 5.0...
Chapter 8, “Configuring IP Logging.” Configure blocking. For the procedures, see Chapter 10, “Configuring Blocking.” Configure SNMP if you are going to use it. For the procedures, see Chapter 11, “Configuring SNMP.”
Monitoring applications only require viewer access to the sensor. You can use the CLI to set up a user account with viewer privileges and then configure the event viewer to use this account to connect to the sensor.
If you enter the token without the space, a selection of available tokens for the completion (with no help description) appears: sensor# show c? clock configuration sensor# show c • Only commands available in the current mode are displayed by help.
Spacebar: Enables you to see more output on the terminal screen. Press the Spacebar when you see the ---More--- line on the screen to display the next screen.
The IPS CLI has the following command modes: • privileged EXEC—Entered when you log in to the CLI interface. • global configuration—Entered from privileged EXEC mode by typing configure terminal. The command prompt is sensor(config)#
+ Similar to *, but there should be at least one match of the character to the left of the + sign in the expression. ? Matches the character to its left 0 or 1 times.
For example, the regular expression can match aZbcTZT. The software remembers that the first character is Z and the second character is T and then uses Z and T again later in the regular expression.
You can only use the default keyword with commands that specify a default value in the configuration files.
Use this account for support and troubleshooting purposes only. Unauthorized modifications are not supported and will require the sensor to be reimaged to guarantee proper operation. You can create only one user with the service role.
The default username and password are both cisco. You are prompted to change them the first time you log in to the appliance. You must first enter the UNIX password, which is cisco. Then you must enter the new password twice.
You can use terminal servers to remotely manage network equipment, including appliances. To set up a Cisco terminal server with RJ-45 or hydra cable assembly connections, follow these steps: Connect to a terminal server using one of the following methods:...
To session to IDSM-2, follow these steps: Step 1 Session to IDSM-2 from the switch: • For Catalyst Software: cat6k>(enable) session slot_number • For Cisco IOS software: router# session slot_number processor 1
Note: The default username and password are both cisco. You are prompted to change them the first time you log in to IDSM-2. You must first enter the UNIX password, which is cisco. Then you must enter the new password twice.
Note: The default username and password are both cisco. You are prompted to change them the first time you log in to NM-CIDS. You must first enter the UNIX password, which is cisco. Then you must enter the new password twice.
Note: The default username and password are both cisco. You are prompted to change them the first time you log in to AIP-SSM. You must first enter the UNIX password, which is cisco. Then you must enter the new password twice.
If you are unable to comply with U.S. and local laws, return this product immediately. A summary of U.S. laws governing Cisco cryptographic products may be found at: http://www.cisco.com/wwl/export/crypto/tool/stqrg.html If you require further assistance, please contact us by sending email to export@cisco.com.
, the configuration is saved. If you type no, the configuration is not saved and the process begins again. There is no default for this prompt; you must type either...
Or, if you have created the service account for support purposes, you can have TAC create a password. For more information, see Creating the Service Account, page 4-13.
0-255, nn specifies the number of bits in the netmask, and Y.Y.Y.Y specifies the default gateway as a 32-bit address written as 4 octets separated by periods where Y = 0-255.
The default is april. Specify the week you want to start summertime settings. Valid entries are first, second, third, fourth, fifth, and last. The default is first.
Specify the standard time offset. The default is 0. Specify the standard time zone offset from UTC in minutes (negative numbers represent time zones west of the Prime Meridian).
Continue with reset? []: Step 19 Type yes to continue the reboot. Step 20 Display the self-signed X.509 certificate (needed by TLS): sensor# show tls fingerprint MD5: C4:BC:F2:92:C2:E2:4D:EB:92:0F:E4:86:53:6A:C6:01 SHA1: 64:9B:AC:DE:21:62:0C:D3:57:2E:9B:E5:3D:04:8F:A7:FD:CD:6F:27
SHA1: 64:9B:AC:DE:21:62:0C:D3:57:2E:9B:E5:3D:04:8F:A7:FD:CD:6F:27 Step 4 Write down the certificate fingerprints. You will need these to check the authenticity of the certificate when connecting to this sensor with a web browser.
Step 1 Log in to the sensor using an account with administrator privileges. Step 2 Enter network settings mode: sensor# configure terminal sensor(config)# service host sensor(config-hos)# network-settings Step 3 Enable Telnet services: sensor(config-hos-net)# telnet-option enabled
To modify the access list, follow these steps: Step 1 Log in to the sensor using an account with administrator privileges. Step 2 Enter network settings mode: sensor# configure terminal sensor(config)# service host sensor(config-hos)# network-settings
Step 8 Verify the value has been set back to the default: sensor(config-hos-net)# show settings network-settings ----------------------------------------------- host-ip: 10.89.130.108/23,10.89.130.1 default: 10.1.9.201/24,10.1.9.1 host-name: sensor <defaulted> telnet-option: enabled default: disabled access-list (min: 0, max: 512, current: 0) -----------------------------------------------
This is the banner login text message. Step 4 Verify the banner login text message: sensor(config-hos-net)# show settings network-settings ----------------------------------------------- host-ip: 10.89.130.108/23,10.89.130.1 default: 10.1.9.201/24,10.1.9.1 host-name: sensor default: sensor telnet-option: enabled default: disabled
We recommend that you not reveal to attackers that you have an IPS sensor. Change the server-id to anything that does not reveal any information, especially if your web server is available to the Internet.
Verify the defaults have been replaced: sensor(config-web)# show settings enable-tls: true <defaulted> port: 443 <defaulted> server-id: HTTP/1.1 compliant <defaulted> sensor(config-web)# Step 9 Exit web server submode: sensor(config-web)# exit Apply Changes:?[yes]:
For the procedure, see Creating the Service Account, page 4-13.
A list of users is displayed. Step 5 To remove a user, use the no form of the command: sensor# configure terminal sensor(config)# no username jsmith
Adding services to the operating system through the service account affects proper performance and functioning of the other IPS services. TAC does not support a sensor on which additional services have been added.
To change the password for another user or reset the password for a locked account, follow these steps: Step 1 Log in to the CLI using an account with administrator privileges. Enter configuration mode: sensor# configure terminal
Warning: The privilege change does not apply to current CLI sessions. It will be applied to subsequent logins. sensor(config)#
Step 3 sensor# show users all CLI ID User Privilege 13491 cisco administrator 5824 (jsmith) viewer 9802 tester operator sensor# The account of the user jsmith is locked.
If you experience problems after your SSH client connects but before it prompts for a password, you need to enable challenge-response authentication. Refer to the documentation for your SSH client for instructions.
NTP key ID, and the NTP key value. You can set up NTP on the appliance during initialization or you can configure NTP through the CLI, IDM, or ASDM. Note: We recommend that you use an NTP time synchronization source.
You can configure NM-CIDS to use NTP during initialization or you can set up NTP through the CLI, IDM, or ASDM. Note: We recommend that you use an NTP time synchronization source.
For more information on the clear events command, see Clearing Events from the Event Store, page 13-7. Caution: You cannot remove individual events.
22:39:21 CST Sat Jan 25 2003 Time source is NTP Summer time starts 02:00:00 CST Sun Apr 7 2004 Summer time ends 02:00:00 CDT Sun Oct 27 2004
You can configure summertime settings if you did not do so during initialization of the sensor. Or you can change them after initialization. Note: Summertime is a term for daylight saving time.
12:00:00 default: 02:00:00 ----------------------------------------------- sensor(config-hos-rec-sta)# Step 5 Enter end summertime submode: sensor(config-hos-rec-sta)# exit sensor(config-hos-rec)# end-summertime
12:00:00 default: 02:00:00 ----------------------------------------------- end-summertime ----------------------------------------------- month: october default: october week-of-month: last default: last day-of-week: friday default: sunday time-of-day: 05:15:00 default: 02:00:00
The format is hh:mm:ss. Verify your settings: sensor(config-hos-non-sta)# show settings start-summertime ----------------------------------------------- date: 2004-05-15 time: 12:00:00 ----------------------------------------------- sensor(config-hos-non-sta)# Step 5 Enter end summertime submode: sensor(config-hos-non-sta)# exit sensor(config-hos-non)# end-summertime
----------------------------------------------- sensor(config-hos-non)# Step 10 Exit non-recurring summertime submode: sensor(config-hos-non)# exit sensor(config-hos)# exit Apply Changes:?[yes]: Step 11 Press Enter to apply the changes or type no to discard them.
Configuring NTP: This section describes how to configure a Cisco router to be an NTP server and how to configure the sensor to use an NTP server as its time source. It contains the following topics: • Configuring a Cisco Router to be an NTP Server, page 4-28...
The sensor requires an authenticated connection with an NTP server if it is going to use the NTP server as its time source. The sensor supports only the MD5 hash algorithm for key encryption. Use the following procedure to activate a Cisco router to act as an NTP server and use its internal clock as the time source.
• IP source routing—A host pretends an IP packet comes from another trusted host. • DNS spoofing—An attacker forges name server records. • Interception of clear text passwords and other data by intermediate hosts.
SSH. These hosts are SSH servers that the sensor needs to connect to for upgrades and file copying, and other hosts, such as Cisco routers, PIX Firewalls, and Catalyst switches that the sensor will connect to for blocking.
Note: You configure your own list of SSH authorized keys. An administrator cannot manage the list of SSH authorized keys for other users on the sensor.
If you type the former id, you receive an error message: sensor# show ssh authorized-keys system1 Error: Requested id does not exist for the current user. sensor#
SSL protocol. When you enter a URL into the web browser that starts with https://ip_address, the web browser responds by using either TLS or SSL protocol to negotiate an encrypted session with the host.
For these sessions to be secure from man-in-the-middle attacks you must establish trust of the remote web servers’ TLS certificates. A copy of the TLS certificate of each trusted remote host is stored in the trusted hosts list.
Step 6 Remove an entry from the trusted hosts list: sensor# configure terminal sensor(config)# no tls trusted-host 10.89.146.110 The host is removed from the trusted hosts list.
Although the sensor functions without the license, you must have a license to obtain signature updates. To obtain a license, you must have a Cisco Service for IPS contract. Contact your reseller, Cisco service or product sales to purchase a contract.
You can view the status of the IPS subscription license key on the Licensing panel in IDM or ASDM. You can obtain a license key from the Cisco.com licensing server, which is then delivered to the sensor. Or, you can update the sensor license key from a license key provided in a local file.
Note the device with that number. Your Cisco IPS Signature Subscription Service license key will be sent by e-mail to the e-mail address you specified. Save the license key to a system that has a web server, FTP server, or SCP server.
Step 7 Copy your license key from a sensor to a server to keep a backup copy of the license: sensor# copy license-key scp://user@10.89.147.3://tftpboot/dev.lic Password: ******* sensor#
To configure the sensor so that traffic continues to flow through inline pairs even when SensorApp is not running, you can enable bypass mode. Bypass mode minimizes dataflow interruptions during reconfiguration, service pack installation, or software failure.
Note: AIP-SSM is configured for promiscuous mode from the ASA CLI and not from the IPS CLI. For the procedure, see Configuring ASA to Send IPS Traffic to AIP-SSM, page 14-3.
– 100—Sets the interface to 100 MB (for TX interfaces only). – 1000—Sets the interface to 1 GB (for Gigabit interfaces only). Note: The speed option is protected on all modules.
GigabitEthernet0/2 ----------------------------------------------- media-type: tx <protected> description: INT1 default: admin-state: enabled default: disabled duplex: full default: auto speed: 1000 default: auto alt-tcp-reset-interface ----------------------------------------------- none ----------------------------------------------- sensor(config-int-phy)#
• default—Sets the value back to the system default setting. • description—Your description of the inline interface pair. • interface1—The first interface in the inline interface pair.
You can assign either a physical interface or a logical inline interface pair to the virtual sensor. Make sure that you have created any inline pairs before assigning them to the virtual sensor.
Bypass mode only functions when the operating system is running. If the sensor is powered off or shut down, bypass mode does not work—traffic is not passed to the sensor.
Use the interface-notifications command in the service interface submode to configure traffic notifications.
----------------------------------------------- sensor(config-int-int)# Step 9 Exit interface notifications submode: sensor(config-int-int)# exit sensor(config-int)# exit Apply Changes:?[yes]: Step 10 Press Enter to apply the changes or type no to discard them.
It starts with the signature event with configured action received in the alarm channel and flows top-to-bottom as the signature event passes through the functional components of the SEAP.
Deny Connection Inline: Does not transmit this packet and future packets on the TCP flow (inline mode only). Deny Packet Inline: Does not transmit this packet (inline only).
The valid values for address are A.B.C.D-A.B.C.D [,A.B.C.D-A.B.C.D]. Step 4 Check the variable you just made: sensor(config-rul)# show settings variables (min: 0, max: 256, current: 2) ----------------------------------------------- variableName: variable1
RR than attacks against the desktop node. Note: RR is a product of ASR, SFR, TVR, and ARR with an optional PD (promiscuous delta) subtracted in promiscuous mode only.
Each event action has an associated RR range. If a signature event occurs and the RR for that event falls within the range for an event action, that action is added to the event. For...
Step 4 To request a block of the connection: sensor(config-rul-ove)# exit sensor(config-rul)# overrides request-block-connection To request a block of the attacker host: sensor(config-rul-ove)# exit sensor(config-rul)# overrides request-block-host
Filters work by removing actions from an event. A filter that removes all actions from an event effectively consumes the event.
Set the subsignature ID range: sensor(config-rul-fil)# subsignature-id-range 1-5 The default is 0 to 255. Set the attacker address range: sensor(config-rul-fil)# attacker-address-range 10.89.10.10-10.89.10.23 The default is 0.0.0.0 to 255.255.255.255.
Set the victim address range: sensor(config-rul-fil)# victim-address-range 192.56.10.1-192.56.10.255 The default is 0.0.0.0 to 255.255.255.255.
1-343 default: 0-65535 risk-rating-range: 85-100 default: 0-100 actions-to-remove: reset-tcp-connection default: filter-item-status: Enabled default: Enabled stop-on-match: True default: False user-comment: This is a new filter. default: -----------------------------------------------
Only one alert every summary interval should fire for each address set. If the global summary threshold is reached, the signature goes into Global Summarization mode.
Step 1 Log in to the CLI using an account with administrator privileges. Step 2 Enter event action rules submode: sensor# configure terminal sensor(config)# service event-action-rules rules0 Step 3 Enter general submode: sensor(config)# general
Step 11 Exit event action rules submode: sensor(config-rul-gen)# exit sensor(config-rul)# exit Apply Changes:?[yes]: Step 12 Press Enter to apply your changes or type no to discard them.
Verify that you have cleared the statistics: JWK-4255# show statistics virtual-sensor Virtual Sensor Statistics Statistics for Virtual Sensor vs0 Name of current Signature-Definition instance = sig0 Name of current Event-Action-Rules instance = rules0
SigID=2004, Attacker Address=*, Victim Address=20.1.1.1, Actions to Remove=ALL, Risk Rating Range=1-100, StopOnMatch=True SigID=2004, Attacker Address=30.1.1.1, Victim Address=*, Actions to Remove=ALL, Risk Rating Range=1-100, StopOnMatch=True SigID=2004, Attacker Address=*, Victim Address=*, Actions to Remove=None, Risk Rating Range=95-100, StopOnMatch=True
Page 118
The third filter line with the filter action NONE is optional, but is presented as a clearer way to define this type of filter. Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0 6-20 78-16527-01...
You can later activate retired signatures; however, this process requires the sensing engines to rebuild their Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0 78-16527-01...
HTTP traffic. • To designate multiple port numbers for a single variable, place a comma between the entries. For example, 80, 3128, 8000, 8010, 8080, 8888, 24326. Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0 78-16527-01...
Configuring Signature Fidelity Rating, page 7-9. status—Sets the status of the signature to enabled or retired. • For the procedure, see Configuring the Status of Signatures, page 7-10. Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0 78-16527-01...
Specify the signature you want to configure: Step 3 sensor(config-sig)# signatures 9000 0 Enter alert frequency submode: Step 4 sensor(config-sig-sig)# alert-frequency Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0 78-16527-01...
A subsignature ID is used to identify a more granular version of a broad signature. The value is 0 to 255.
• alert-severity—Severity of the alert:
  – high—Dangerous alert.
  – medium—Medium level alert.
Page 125
      <defaulted>
   specify-l4-protocol
   -----------------------------------------------
--MORE--
Step 6 Exit signatures submode:
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes:?[yes]:
Step 7 Press Enter to apply the changes or type no to discard them.
(Optional) Specify the amount of time in seconds before the event count should be reset:
sensor(config-sig-sig-eve-yes)# alert-interval 30
Step 9 Verify the settings:
sensor(config-sig-sig-eve-yes)# exit
sensor(config-sig-sig-eve)# show settings
   event-counter
   -----------------------------------------------
      event-count: 2 default: 1
Step 4 Change the status for this signature:
sensor(config-sig-sig)# status
sensor(config-sig-sig-sta)# enabled true
Step 5 Verify the settings:
sensor(config-sig-sig-sta)# show settings
   status
   -----------------------------------------------
      enabled: true default: false
      retired: false <defaulted>
   -----------------------------------------------
sensor(config-sig-sig-sta)#
Step 3 Choose the signature you want to configure:
sensor(config-sig)# signatures 1200 0
Step 4 Enter the normalizer engine:
sensor(config-sig-sig)# engine normalizer
AIC also provides a way to inspect FTP traffic and control the commands being issued. You can enable or disable the predefined signatures or you can create policies through custom signatures.
The following options apply:
• ftp-enable [true | false]—Enables protection for FTP services. Set to true to require the sensor to inspect FTP traffic. The default is false.
Page 132
Note We recommend that you not configure AIC web ports, but rather use the default web ports.
Step 5 Verify your settings:
sensor(config-sig-app)# show settings
   application-policy
   -----------------------------------------------
Step 1 Log in to the CLI using an account with administrator or operator privileges.
Step 2 Enter signature definition submode:
sensor# configure terminal
sensor(config)# service signature-definition sig0
Page 141
  – nt—Windows systems.
  – solaris—Solaris systems.
  – linux—GNU/Linux systems.
  – bsd—BSD UNIX systems.
  The default is nt.
TCP stream reassembly signatures with the parameters that you can configure for TCP stream reassembly. The TCP stream reassembly signatures are part of the NORMALIZER engine.
Page 143
1330    18    TCP Drop - Segment out of Window
3050          Half Open SYN Attack               syn-flood-max-embryonic    5000
3250          TCP Hijack                         max-old-ack                200
3251          TCP Hijack Simplex Mode            max-old-ack                100
Page 144
Step 8 sensor(config-sig-sig-nor-def-yes)# exit
sensor(config-sig-sig-nor-def)# exit
sensor(config-sig-sig-nor)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes:?[yes]:
Step 9 Press Enter to apply the changes or type no to discard them.
Page 145
   -----------------------------------------------
sensor(config-sig-str)#
Step 6 Exit TCP reassembly submode:
sensor(config-sig-str)# exit
sensor(config-sig)# exit
Apply Changes:?[yes]:
Step 7 Press Enter to apply the changes or type no to discard them.
Step 5 sensor(config-sig-sig-sig)# sig-name This is my new name
Step 6 Exit signature description submode:
sensor(config-sig-sig-sig)# exit
Step 7 Specify the string TCP engine:
sensor(config-sig-sig)# engine string-tcp
Page 149
Step 12 Exit signature definition submode:
sensor(config-sig-sig-str)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes:?[yes]:
Step 13 Press Enter to apply the changes or type no to discard them.
Step 5 Specify a signature name:
sensor(config-sig-sig-sig)# sig-name myWebSig
Step 6 Specify the alert traits:
sensor(config-sig-sig-sig)# alert-traits 2
The valid range is from 0 to 65535.
META components.
  – edit—Edits an existing entry in the list.
  – insert name1—Inserts a new entry into the list.
  – move—Moves an entry in the list.
Page 152
3000 subsignature 0 on the same source address. The source address selection is a result of the meta key default value of Axxx. You can change the behavior by changing the meta key setting to xxBx (destination address) for example.
TCP RESETS to hijack and terminate the TCP flow
• no—Removes an entry or selection setting
• signature-type—Type of signature desired
  – content-types—Content-types
  – define-web-traffic-policy—Defines web traffic policy
Page 155
Step 7 Exit signatures submode:
sensor(config-sig-sig-app-def)# exit
sensor(config-sig-sig-app)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes:?[yes]:
Step 8 Press Enter to apply the changes or type no to discard them.
IP address, only one IP log is created for all the alerts. Each alert references the same IP log. However, the output of the IP log status only shows the event ID of the first alert triggering the IP log.
Step 4 Configure the duration you want the sensor to log packets:
sensor(config-sig-ip)# ip-log-time 60
Step 5 Configure the number of bytes you want logged:
sensor(config-sig-ip)# ip-log-bytes 5024
Configuring Automatic IP Logging, page 8-2.
To copy and view an IP log file, see Copying IP Log Files to Be Viewed, page 8-6.
• log-id—Log ID of the logging session to stop. Use the iplog-status command to find the log ID.
• name—Virtual sensor on which to begin or end logging.
Page 161
Log ID:
IP Address 1: 10.16.0.0
Virtual Sensor:
Status: completed
Event ID:
Bytes Captured:
Packets Captured:
sensor#
When the logs are stopped, the status shows them as completed.
227 Entering Passive Mode (2,4,6,8,179,125)
150 Opening BINARY mode data connection for iplog1.
226 Transfer complete.
30650 bytes sent in 0.00246 secs (1.2e+04 Kbytes/sec)
ftp>
Page 163
Step 4 Open the IP log using a sniffer program such as WireShark or TCPDUMP.
For more information on WireShark, go to http://www.wireshark.org. For more information on TCPDUMP, go to http://www.tcpdump.org/.
Page 164
Chapter 8 Configuring IP Logging
Copying IP Log Files to Be Viewed
Changing the interface configuration results in abnormal termination of any packet command running on that interface.
Caution Executing the packet display or capture command causes significant performance degradation.
= username of user initiating capture
id = user's CLI ID
cliCmd = command entered to perform the capture
Caution Executing the packet display command causes significant performance degradation.
Page 167
03:43:05.694808 IP (tos 0x10, ttl 64, id 55471, offset 0, flags [DF], length: 300) 10.89.147.31.22 > 10.89.147.50.41805: P [tcp sum ok] 2344:2592(248) ack 1 win 8576 <nop,nop,timestamp 44085169 226014950>
You can only use an interface name that exists in the system.
• snaplen—Maximum number of bytes captured for each packet (optional). The valid range is 68 to 1600. The default is 0.
Page 169
03:03:15.218814 802.1d config TOP_CHANGE 8000.00:04:9a:66:35:01.8025 root 8000.00:04:6d:f9:e8:82 pathcost 8 age 2 max 20 hello 2 fdelay 15
03:03:15.546866 IP 64.101.182.244.1978 > 10.89.130.108.23: P 0:2(2) ack 157 win 65535
Note The exact format of the source and destination URLs varies according to the file.
  – ftp:—Destination URL for an FTP network server. The syntax for this prefix is:
    ftp:[//[username@] location]/relativeDirectory]/filename
Step 2 Erase the packet file:
sensor# erase packet-file
sensor#
Step 3 Verify that you have erased the packet file:
sensor# packet display file-info
No packet-file available.
sensor#
Page 172
Chapter 9 Displaying and Capturing Live Traffic on an Interface
Erasing the Packet File
• Host block—Blocks all traffic from a given IP address.
• Connection block—Blocks traffic from a given source IP address to a given destination IP address and destination port.
Page 174
On Cisco routers and Catalyst 6500 series switches, Network Access Controller creates blocks by applying ACLs or VACLs. ACLs and VACLs permit or deny passage of data packets through interface ports or VLANs.
You can configure this option if you can ensure that if the sensor creates a rule to block its own IP address, it will not prevent the sensor from accessing the blocking device.
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter network access submode:
sensor# configure terminal
Step 3 Enter general submode:
sensor(config-net)# general
Apply Changes:?[yes]:
Step 7 Press Enter to apply the changes or type no to discard them.
Note There is a time delay while the signatures are updated.
Step 2 Enter network access mode:
sensor# configure terminal
sensor(config)# service network-access
Step 3 Enter general submode:
sensor(config-net)# general
Step 4 Configure the maximum number of interfaces:
sensor(config-net-gen)# max-interfaces 50
Such a device should never be blocked, and trusted, internal networks should never be blocked.
Page 188
      12.12.0.0/16
--MORE--
Step 6 Exit network access submode:
sensor(config-net-gen)# exit
sensor(config-net)# exit
Apply Changes:?[yes]:
Step 7 Press Enter to apply the changes or type no to discard them.
• How the Sensor Manages Devices
Network Access Controller uses ACLs on Cisco routers and switches to manage those devices. These ACLs are built as follows:
A permit line with the sensor's IP address or, if specified, the NAT address of the sensor. If you permit the sensor to be blocked, this line does not appear in the ACL.
Configuring the Sensor to be a Master Blocking Sensor, page 10-25.
Configuring the Sensor to Manage Cisco Routers
This section describes how to configure the sensor to manage Cisco routers. It contains the following topics:
• Routers and ACLs, page 10-19
Page 192
When the new ACL is applied to an interface or direction of the router, it removes the application of any other ACL to that interface or direction.
Configuring the Sensor to Manage Cisco Routers
To configure a sensor to manage Cisco routers, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
You can configure Network Access Controller to block using VACLs on the switch itself when running Cisco Catalyst software, or to block using router ACLs on the MSFC or on the switch itself when running Cisco IOS software. This section describes blocking using VACLs. For blocking using router ACLs, see Configuring the Sensor to Manage Cisco Routers, page 10-19.
Page 194
VLAN.
Configuring the Sensor to Manage Catalyst 6500 Series Switches and Cisco 7600 Series Routers
To configure the sensor to manage Catalyst 6500 series switches and Cisco 7600 series routers, follow these steps:
Log in to the CLI using an account with administrator privileges.
Page 195
Exit network access submode:
sensor(config-net-cat-blo)# exit
sensor(config-net-cat)# exit
sensor(config-net)# exit
sensor(config)# exit
Apply Changes:?[yes]:
Step 11 Press Enter to apply the changes or type no to discard them.
Configuring Blocking
Configuring Blocking Devices
Configuring the Sensor to Manage Cisco Firewalls
To configure the sensor to manage Cisco firewalls, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Enter network access submode:
On the master blocking sensor, check to see if it requires TLS and what port number is used:
sensor(config)# service web-server
sensor(config-web)# show settings
   enable-tls: true <defaulted>
   port: 443 <defaulted>
   server-id: HTTP/1.1 compliant <defaulted>
sensor(config-web)#
If enable-tls is true, go to Step b.
Page 198
Step 11 Set the status of whether or not the host uses TLS/SSL:
sensor(config-net-gen-mas)# tls [true | false]
sensor(config-net-gen-mas)#
Note If you set the value to true, you need to use the command tls trusted-host ip-address mbs_ip_address.
For a host IP address:
sensor(config-net-gen)# block-hosts ip_address
For a network IP address:
sensor(config-net-gen)# block-networks ip_address/netmask
The format for ip_address/netmask is A.B.C.D/nn.
Example:
sensor(config-net-gen)# block-networks 10.0.0.0/8
   Communications = telnet
   BlockInterface
      InterfaceName = fa0/0
      InterfaceDirection = in
   State
      BlockEnable = true
NetDevice
   IP = 10.1.1.1
   AclSupport = uses Named ACLs
   Version = 12.2
   State = Active
Page 201
   IP = 192.168.1.1
   Vlan =
   ActualIp =
   BlockMinutes = 80
   MinutesRemaining = 76
The Host entry indicates which hosts are being blocked and how long the blocks are.
Page 202
Chapter 10 Configuring Blocking
Obtaining a List of Blocked Hosts and Connections
SNMP requests. However, it is not possible to totally eliminate SNMP polling. SNMP requests are required for discovery and topology changes. In addition, a managed device agent cannot send a trap if the device has had a catastrophic outage.
The read-only community name specifies the password for queries to the SNMP agent.
Assign the read-write community string:
sensor(config-not)# read-write-community PRIVATE1
The read-write community name specifies the password for sets to the SNMP agent.
Page 205
      BUSINESS default: Unknown
sensor(config-not)#
Step 6 Exit notification submode:
sensor(config-not)# exit
Apply Changes:?[yes]:
Step 7 Press Enter to apply the changes or type no to discard them.
It filters in (not filters out) the traps based on severity.
Choose whether you want detailed SNMP traps:
sensor(config-not)# enable-detail-traps true
Type the community string to be included in the detailed traps:
sensor(config-not)# trap-community-name TRAP1
Page 207
      BUSINESS default: Unknown
sensor(config-not)#
Step 7 Exit notification submode:
sensor(config-not)# exit
Apply Changes:?[yes]:
Step 8 Press Enter to apply the changes or type no to discard them.
• CISCO-ENTITY-ALARM-MIB
You can obtain these private Cisco MIBs under the heading SNMP v2 MIBs at this URL: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
The management MIB supported on the sensor is the rfc1213 (mib-2). You can obtain the mib-2 from any public domain, such as http://www.ietf.org/rfc/rfc1213.txt.
! Current configuration last modified Fri Dec 17 21:38:23 2004
! ------------------------------
service analysis-engine
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
network-settings
Use the show configuration | [begin | exclude | include] regular-expression command to search or filter the output of the contents of the current configuration.
Note Users with operator or viewer privileges can search or filter the current-config only.
Page 218
12300 0
   status
      enabled true
      retired true
--MORE--
Note Press Ctrl-C to stop the output and return to the CLI prompt.
Use the show settings | [begin | exclude | include] keyword command in the submode you are interested in to search or filter the output of the contents of the submode configuration.
Step 2 sensor# more current-config
Generating current config:
The current configuration is displayed.
! ------------------------------
! Version 5.0(0.22)
! Current configuration last modified Fri Dec 17 21:38:23 2004
You can then restore the current configuration from the remote server. You are prompted to back up the current configuration first.
Note We recommend copying the current configuration file to a remote server before upgrading.
Page 224
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 To back up the current configuration to the remote server:
sensor# copy current-config ftp://qa_user@10.89.146.1//tftpboot/update/qmaster89.cfg
Password: ********
Use the erase [backup-config | current-config] command to delete a logical file. The following options apply:
• current-config—The current running configuration. The configuration becomes persistent as the commands are entered.
• backup-config—The storage location for the configuration backup.
Page 226
User accounts will not be erased. They must be removed manually using the "no username" command.
Continue? []:
Step 2 Press Enter to continue or type no to stop.
To create a banner login, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter global configuration mode:
sensor# configure terminal
If an operator or viewer tries to log in when the maximum sessions are open, the following message appears:
Error: The maximum allowed CLI sessions are currently open, please try again later.
Step 2 To have no pause between multi-screen outputs, use 0 for the screen length value:
sensor# terminal length 0
Note The screen length values are not saved between login sessions.
Note The show events command waits until a specified event is available. It continues to wait and display events until you exit by pressing Ctrl-C.
Page 231
Step 5 Display alerts from the past 45 seconds:
sensor# show events alert past 00:00:45
evIdsAlert: eventId=1109695939102805307 severity=medium vendor=Cisco
  originator:
    hostId: sensor
Page 232
2316
evStatus: eventId=1041526834774829056 vendor=Cisco
  originator:
    hostId: sensor
    appName: login(pam_unix)
    appInstanceId: 2315
  time: 2003/01/08 02:41:00 2003/01/08 02:41:00 UTC
  syslogMessage:
    description: session opened for user cisco by cisco(uid=0)
22:39:21 UTC Sat Jan 25 2003
Step 3 Display the system clock with details:
sensor# show clock detail
22:39:21 CST Sat Jan 25 2003
Time source is NTP
Clearing the Denied Attackers List
Use the clear denied-attackers command in service event action rules submode to delete the denied attackers list and clear the virtual sensor statistics.
Page 235
   Number of Active Denied Attackers = 2
   Number of Denied Attackers Inserted = 0
   Number of Denied Attackers Total Hits = 0
   Number of times max-denied-attackers limited creation of new entry = 0
   Number of Denied Attackers Total Hits = 0
   Number of times max-denied-attackers limited creation of new entry = 0
   Number of exec Clear commands during uptime = 0
Page 237
   TCP packets that arrived out of sequence order for their stream = 0
   TCP packets that arrived out of state order for their stream = 0
   The rate of TCP connections tracked per second since reset = 0
Page 239
   = 0
sensor#
Step 5 Display the statistics for the denied attackers in the system:
sensor# show statistics denied-attackers
Denied Attackers and hit count for each.
sensor#
Page 240
   Usage over last 5 seconds = 0
   Usage over last minute = 1
   Usage over last 5 minutes = 1
Memory Statistics
   Memory usage (bytes) = 500498432
   Memory free (bytes) = 894976032
Page 241
   Type = Cisco
   IP = 10.89.150.158
   NATAddr = 0.0.0.0
   Communications = telnet
   BlockInterface
      InterfaceName = ethernet0/1
      InterfaceDirection = out
      InterfacePostBlock = Post_Acl_Test
   BlockInterface
      InterfaceName = ethernet0/1
      InterfaceDirection = in
Page 243
Step 16 To clear the statistics for an application, for example, logger:
sensor# show statistics logger clear
The number of Log interprocessor FIFO overruns = 0
The number of syslog messages received = 141
HTML. The URL specifies where the information should be sent. If you do not use this keyword, the information is displayed on the screen.
Step 1 Log in to the CLI.
Step 2 View version information:
sensor# show version
The following examples show sample version output for the appliance and the NM-CIDS.
Page 246
   (Release) 2005-02-09T03:22:27-0600 Running
   AnalysisEngine 2005_Feb_09_03.00 (Release) 2005-02-09T03:22:27-0600 Running
   2005_Feb_09_03.00 (Release) 2005-02-09T03:22:27-0600
Upgrade History:
   IDS-K9-maj-5.0-0.27-S91-0.27-.pkg 03:00:00 UTC Thu Feb 05 2004
Recovery Partition Version 1.1 - 5.0(0.27)S91(0.27)
nm-cids#
If you are connected to the serial port, you will not get any feedback until Linux has fully booted and enabled support for the serial connection.
The display-serial command does not apply to the following platforms:
• IDSM-2
• NM-CIDS
• IDS-4215
If the node can not be powered off it will be left in a state that is safe to manually power down.
Continue with reset? []:
Step 5 Type yes to continue with the reset and powerdown:
sensor# yes
Request Succeeded.
sensor#
* 10.89.128.17 (10.89.128.17) 0.304 ms * 10.89.128.17 (10.89.128.17) 0.527 ms * 0.402 ms
* 10.89.128.17 (10.89.128.17) 0.39 ms * 10.89.128.17 (10.89.128.17) 0.37 ms * 0.486 ms
sensor#
AIP-SSM. You can configure AIP-SSM to inspect traffic in inline or promiscuous mode and in fail-open or fail-over mode.
• [global | interface interface_name]—Creates an IPS security policy by associating the policy map with one or more interfaces.
  – global—Applies the policy map to all interfaces.
Page 260
Step 10 Exit and save the configuration:
asa(config-pmap-c)# exit
asa(config-pmap)# exit
asa(config)# exit
asa#
30 to 45 seconds after starting AIP-SSM recovery. Waiting any longer can lead to unexpected consequences, for example, AIP-SSM may come up in the Unresponsive state.
Page 262
1 recover
Module 1 recover parameters...
Boot Recovery Image: No
Image URL: tftp://1.1.1.1/IPS-SSM-K9-sys-1.1-a-5.0-0.15-S91-0.15.img
Port IP Address: 1.1.1.23
Gateway IP Address: 1.1.1.2
VLAN ID:
For the procedure to session to the IDSM-2, see Logging In to IDSM-2, page 2-4.
Initialize IDSM-2. Run the setup command to initialize IDSM-2. For the procedure, see Initializing the Sensor, page 3-2.
Step 3 Put the command and control port into the correct VLAN:
cat6k> (enable) set vlan command_and_control_vlan_number idsm2_slot_number/command_and_control_port_number
Example:
cat6k> (enable) set vlan 147 6/2
VLAN 147 modified.
VLAN 146 modified.
VLAN  Mod/Ports
Page 267
If you are unable to comply with U.S. and local laws, return this product immediately. A summary of U.S. laws governing Cisco cryptographic products may be found at: http://www.cisco.com/wwl/export/crypto/tool/stqrg.html If you require further assistance please contact us by sending email to export@cisco.com.
Using the TCP Reset Interface
The IDSM-2 has a TCP reset interface—port 1. The IDSM-2 has a specific TCP reset interface because it cannot send TCP resets on its sensing ports.
• tx—Transmitting traffic.
To enable SPAN on IDSM-2, follow these steps:
Step 1 Log in to the console.
Step 2 Enter privileged mode:
cat6k> enable
Page 271
This command will disable your span session.
Do you want to continue (y/n) [n]? y
Disabled Port 13/7 to monitor receive traffic of VLAN 650
cat6k> (enable)
You can set VACLs to capture traffic for IPS from a single VLAN or from multiple VLANs or from FlexWAN2 ports on the 7600 router when using Cisco IOS software.
This section describes how to configure VACLs, and contains the following topics:
• Catalyst Software, page 15-12
(enable) set security acl ip CAPTUREALL permit ip any any capture
CAPTUREALL editbuffer modified. Use 'commit' command to apply changes.
Step 4 Commit the VACL:
console> (enable) commit security acl CAPTUREALL
ACL commit in progress.
This section describes how to use the mls ip ids command to capture IPS traffic, and contains the following topics: Catalyst Software, page 15-15 • Cisco IOS Software, page 15-15 • Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0 15-14 78-16527-01...
Configuring the Catalyst Series 6500 Switch for IDSM-2 in Promiscuous Mode
Catalyst Software
When you are running the Cisco IOS Firewall on the MSFC, you cannot use VACLs to capture traffic for IDSM-2, because you cannot apply VACLs to a VLAN in which you have applied an IP inspect rule for the Cisco IOS Firewall.
For the procedure for configuring IDSM-2 to run in promiscuous or inline mode, see Chapter 5, “Configuring Interfaces.” This section contains the following topics:
• Catalyst Software, page 15-17
• Cisco IOS Software, page 15-18
Configuring IDSM-2
Configuring the Catalyst Series 6500 Switch for IDSM-2 in Inline Mode
Cisco IOS Software
Note Cisco IOS software 12.2(18)SXE with Supervisor Engine 720 supports only one IDSM-2 inline between two VLANs.
Configure the IDSM-2 monitoring ports as access ports for inline operation.
Port 1 is a TCP/IP reset port. Port 2 is the command and control port. Ports 7 and 8 are the sensing ports for Catalyst software and data ports 1 and 2 for Cisco IOS software. The other ports are not used.
Chapter 15 Configuring IDSM-2
Configuring EtherChanneling
For more information on EtherChanneling, refer to Catalyst 6500 Series Cisco IOS Software Configuration Guide, 12.2SX.
To configure EtherChannel load balancing on IDSM-2, follow these steps:
Step 1 Configure each IDSM-2 for promiscuous operation. For the procedure, see Chapter 5, “Configuring Interfaces.”
...
Step 2 Enter global configuration mode:
router# configure terminal
Step 3 To remove a single IDSM-2 from the EtherChannel:
router(config)# no intrusion-detection module module_number data-port data_port_number channel-group channel_number
Number of aggregators:
Group Port-channel Protocol Ports
------+-------------+-----------+----------------------------
router#
Step 4 To see the EtherChannel load balance setting:
router# show etherchannel load-balance
EtherChannel Load-Balancing Configuration:
src-dst-ip
mpls label-ip
When IDSM-2 initially boots, by default it runs a partial memory test. You can enable a full memory test in Catalyst software and Cisco IOS software. This section describes how to enable full memory tests, and contains the following topics: •...
Proceed with reload of module?[confirm]
% reset issued for module 9
router#
Step 3 Reset IDSM-2. For the procedure, see Resetting IDSM-2, page 15-26. The full memory test runs.
IDSM-2 more than once. If IDSM-2 fails to respond after three reset attempts, boot the maintenance partition, and perform the instructions for restoring the application partition. For the procedure, see Installing the IDSM-2 System Image, page 17-25.
Catalyst and Cisco IOS Software Commands
This section lists the Catalyst and Cisco IOS software commands that pertain to IDSM-2.
Note For more detailed information on Catalyst and Cisco IOS software commands, refer to the command references found on Cisco.com. For instructions on how to locate these documents, refer to the Documentation Roadmap for Cisco Intrusion Prevention System that shipped with your IDSM-2.
Displays the errors reported from the diagnostic tests for both the SPAN port (port 1) and the management port (port 2) and the BIOS and CMOS boot results.
• set vtp
Cisco IOS Software
This section lists the Cisco IOS software commands that IDSM-2 supports. These commands are grouped according to mode. This section contains the following topics:
• EXEC Commands, page 15-30
• Configuration Commands, page 15-31
• Displays the configuration that is currently running.
• show startup-config
Displays the saved configuration.
• show vlan access-map
Displays all current VLAN access maps.
Maps the VACL maps to VLANs.
• Interface configuration mode
– switchport
Sets the interface as a switch port.
– switchport access vlan vlan
Sets the access VLAN for the interface.
VACL configuration submode
– action forward capture
Designates that matched packets should be captured.
– match ip address [1-199 | 1300-2699 | acl_name]
Specifies filtering in the VACL.
For the procedure, see Configuring Packet Capture, page 16-5.
Create the service account. A service account is needed for password recovery and other special debug situations directed by TAC.
NM-CIDS, in which you can issue any IPS configuration commands. After completing work in the session and exiting the IPS CLI, you are returned to Cisco IOS CLI. The session command starts a reverse Telnet connection using the IP address of the ids-sensor interface.
Chapter 16 Configuring NM-CIDS
Establishing NM-CIDS Sessions
Note Cisco IOS gives NM-CIDS the name “IDS-Sensor.” In this example, 1 is the slot number and 0 is the port number, because there is only one port.
Step 2 Enable the CEF switching path:...
Note When you are finished with a session, you need to return to the router to establish the association between a session (the IPS application) and the router interfaces you want to monitor.
Note You can choose more than one interface or subinterface to monitor, but you can only edit one interface at a time.
Step 4 Enter global configuration mode:
router# configure terminal
Step 5 Specify the interface or subinterface:
router(config)# interface FastEthernet0/0
Total Transmit Errors = 0
Total Transmit FIFO Overruns = 0
Repeat Step c to see the counters gradually increasing. This indicates that NM-CIDS is receiving network traffic.
FastEthernet0/0 was added to the virtual sensor when you initialized the NM-CIDS with the setup command.
Administrative Tasks for NM-CIDS
The following section describes how to reboot NM-CIDS and how to check the status of the Cisco IPS software. It contains the following topics:
•
Shuts down the IPS applications running on NM-CIDS.
Caution Removing the NM-CIDS without proper shutdown can result in the hard-disk drive being corrupted.
After successful shutdown of the NM-CIDS applications, Cisco IOS prints a message indicating that you can now remove NM-CIDS.
– service-module ids-sensor slot_number/0 status
When you install a new system image on your sensor, all accounts are removed and the default cisco account is reset to use the default password “cisco.” After installing the system image, you must initialize the sensor again.
Adding Hosts to the Known Hosts List, page 4-31.
• ip-address—IP address of the file server.
• password—User password for authentication on the file server.
Obtaining Cisco IPS Software, page 18-1.
Note You must log in to Cisco.com using an account with cryptographic privileges to download the file.
Do not change the file name. You must preserve the original file name for the sensor to accept the update.
Caution Some browsers add an extension to the filename. The filename of the saved file must match what is displayed on the download page or you cannot use it to upgrade the recovery partition.
You can configure the sensor to look for new upgrade files in your upgrade directory automatically. You must download the software upgrade from Cisco.com and copy it to the upgrade directory before the sensor can poll for automatic upgrades. For the procedure for locating software on Cisco.com, see Obtaining Cisco IPS Software, page 18-1.
Valid values are 0 to 8760.
• start-time—The time of day to start the first automatic upgrade. The valid value is hh:mm[:ss].
• user-name—Username for authentication on the file server.
SSH. For the procedure, see Adding Hosts to the Known Hosts List, page 4-31.
Step 9 Verify the settings:
sensor(config-hos-ena)# show settings
enabled
-----------------------------------------------
schedule-option
-----------------------------------------------
periodic-schedule
-----------------------------------------------
Step 4
Step 5 If there is no recently applied service pack or signature update, the downgrade command is not available:
sensor(config)# downgrade
No downgrade available.
sensor(config)#
Note Make sure you can access the TFTP server location from the network connected to your sensor’s Ethernet port.
Step 2 Log in to the CLI using an account with administrator privileges.
Step 3 Enter configuration mode:
sensor# configure terminal
If you executed the recover application-partition command remotely, you can SSH to the sensor with the default username and password (cisco/cisco) and then initialize the sensor again with the setup command. You cannot use Telnet until you initialize the sensor because Telnet is disabled by default.
CISCO SYSTEMS IDS-4215
Embedded BIOS Version 5.1.7 02/23/04 15:50:39.31
Compiled by dnshep
Evaluating Run Options ...
Cisco ROMMON (1.4) #3: Mon Feb 23 15:52:45 MST 2004
Platform IDS-4215
Step 9 Verify that you have access to the TFTP server by pinging it from the local Ethernet port:
rommon> ping server_ip_address
rommon> ping server
Embedded BIOS Version 5.1.3 05/12/03 10:18:14.84
Compiled by ciscouser
Evaluating Run Options ...
Cisco ROMMON (1.2) #0: Mon May 12 10:21:46 MDT 2003
Platform IDS-4215
0: i8255X @ PCI(bus:0 dev:13 irq:11)
Caution Do not remove power to IDS-4215 during the update process, otherwise the upgrade can get corrupted. If this occurs, IDS-4215 will be unusable and require an RMA.
1209 Ethernet
8086 1209 Ethernet
Evaluating BIOS Options ...
Launch BIOS Extension to setup ROMMON
Cisco Systems ROMMON Version (1.0(5)0) #1: Tue Sep 14 12:20:30 PDT 2004
Step 5 If necessary, change the interface used for the TFTP download:
Note The default interface used for TFTP downloads is Management0/0, which corresponds to the MGMT interface of IPS-4240.
rommon> PORT=interface_name
Step 12 Download and install the system image:
rommon> tftp
Caution To avoid corrupting the system image, do not remove power from IPS-4240 while the system image is being installed.
Step 2 Insert the recovery/upgrade CD into the CD-ROM drive.
Step 3 Power off the appliance and then power it back on. The boot menu appears, which lists important notices and boot options.
The 5.0 upgrade also updates the bootloader with the new bootloader file (servicesengine-boot-1.0-17-1_dev.bin), then reimages the hard-disk drive with the new image. We recommend that you use the upgrade command.
NM-CIDS’ Ethernet port.
Step 2 Log in to the router.
Step 3 Enter enable mode:
router# enable
router(enable)#
Step 4 Session to NM-CIDS:
router(enable)# service-module IDS-Sensor slot_number/0 session
Specify the default boot device—The default boot device is always set to disk.
Specify the default bootloader—The default bootloader is always set to primary.
If you made any changes, the bootloader stores them permanently. The bootloader command prompt appears.
Step 1 Download the bootloader file (servicesengine-boot-1.0-17-1_dev.bin) and the helper file (NM-CIDS-K9-helper-1.0-1.bin) to the TFTP root directory of a TFTP server that is accessible from your NM-CIDS. For the procedure for locating software on Cisco.com, see Obtaining Cisco IPS Software, page 18-1.
The bootloader displays a spinning line while loading the helper image from the TFTP server. When the helper is loaded, it is booted. The NM-CIDS helper displays its main menu when it launches.
Continue with Step 18.
Selection [1234rh]:
Step 18 Type r to reboot NM-CIDS:
Selection [1234rh]: r
About to exit and reset Services Engine.
Are you sure? [y/N]
This section describes how to install the IDSM-2 system image, and contains the following topics:
• Catalyst Software, page 17-25
• Cisco IOS Software, page 17-26
Catalyst Software
To install the system image, follow these steps:
Obtaining Cisco IPS Software, page 18-1.
Step 2 Log in to the switch CLI.
Step 3 Boot IDSM-2 to the maintenance partition:
router# hw-module module module_number reset cf:1
This section describes how to configure the maintenance partition on IDSM-2, and contains the following topics:
• Catalyst Software, page 17-28
• Cisco IOS Software, page 17-31
Clear the IDSM-2 maintenance partition host configuration (ip address, gateway, hostname):
guest@idsm2.localdomain# clear ip
guest@localhost.localdomain# show ip
IP address : 0.0.0.0
Subnet Mask : 0.0.0.0
IP Broadcast : 0.0.0.0
DNS Name : localhost.localdomain
Daughter Card Info: Falcon rev 3, FW ver 2.0.3.0 (IDS), SRAM 8 MB, SDRAM 256 MB
guest@idsm2.localdomain#
Step 11 Upgrade the application partition:
guest@idsm2.localdomain# upgrade ftp://jsmith@10.89.146.11//RELEASES/Latest/5.0-1/WS-SVC-IDSM2-K9-sys-1.1-a-5.0-1.bin.gz
Downloading the image. This may take several minutes...
Password for jsmith@10.89.146.114:
Fri Mar 11 21:22:28 2005 : Partition '/dev/hdc1' unmounted.
Fri Mar 11 21:22:28 2005 : Directory changed to '/tmp'.
Application image upgrade complete. You can boot the image now.
Partition upgraded successfully
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.111 ... Open
Cisco Maintenance image
Step 6 Configure the maintenance partition host configuration:
Specify the IP address:
guest@localhost.localdomain# ip address ip_address netmask
Specify the default gateway:
guest@localhost.localdomain# ip gateway gateway_ip_address
Specify the hostname:
guest@localhost.localdomain# ip host hostname
Step 11
Proceeding with upgrade. Please do not interrupt. If the upgrade is interrupted or fails, boot into maintenance image again and restart upgrade.
PING 10.89.146.114 (10.89.146.114) from 10.89.149.74 : 56(84) bytes of data.
64 bytes from 10.89.146.114: icmp_seq=0 ttl=254 time=381 usec
64 bytes from 10.89.146.114: icmp_seq=1 ttl=254 time=133 usec
64 bytes from 10.89.146.114: icmp_seq=2 ttl=254 time=129 usec
To upgrade the maintenance partition, follow these steps:
Step 1 Download the IDSM-2 maintenance partition file (c6svc-mp.2-1-1.bin.gz) to the FTP root directory of an FTP server that is accessible from your IDSM-2. For the procedure for locating software on Cisco.com, see Obtaining Cisco IPS Software, page 18-1.
1 Up
asa#
Note To debug any errors that may happen in the recovery process, use the debug module-boot command to enable debugging of the system reimaging process.
Upgrading, Downgrading, and Installing System Images
Installing System Images
Step 10 Session to AIP-SSM and initialize AIP-SSM with the setup command. For the procedure, see Initializing the Sensor, page 3-2.
IPS software from the Download Software site. You can sign up for IPS Alert Bulletins to receive information on the latest software releases.
Note You must be logged in to Cisco.com to download software. You must have an active IPS maintenance contract and a Cisco.com password to download software.
Step 10 Click Agree to accept the software download rules. The first time you download a file from Cisco.com, you must fill in the Encryption Software Export Distribution Authorization form before you can download the software. Fill out the form and click Submit.
To install the most recent signature update, you must have the most recent minor version. Service packs are dependent on the most recent minor version, which is dependent on the most recent major version.
If there are defect fixes for the installer, for example, the underlying application version may still be 5.0(1), but the recovery partition image will be r 1.2.
(WS-X6381) with IDSM-2 (WS-SVC-IDSM2-K9), which supports version 5.0. The minimum required version for upgrading to 5.0 is 4.1(1). The upgrade from Cisco 4.1 to 5.0 is available as a download from Cisco.com. For the procedure for accessing Downloads on Cisco.com, see Obtaining Cisco IPS Software, page 18-1.
Obtaining a License Key From Cisco.com
This section describes how to obtain a license key from Cisco.com and how to install it using the CLI or IDM. This section contains the following topics:
• Overview, page 18-6
Service Programs for IPS Products You must have a Cisco Services for IPS service contract for any IPS product so that you can download a license key and obtain the latest IPS signature updates. If you have a direct relationship with Cisco Systems, contact your account manager or service account manager to purchase the Cisco Services for IPS service contract.
ASA-SSM-AIP-10-K9, you must now purchase the Cisco Services for IPS service contract. After you have the Cisco Services for IPS service contract, you must also have your product serial number to apply for the license key. For the procedure, see Installing the License Key, page 18-8.
URL for the web server. The syntax for this prefix is:
http:[[/[username@]location]/directory]/filename
• https:—Source URL for the web server. The syntax for this prefix is:
https:[[/[username@]location]/directory]/filename
Note the device with that number. Your Cisco IPS Signature Subscription Service license key will be sent by e-mail to the e-mail address you specified. Save the license key to a system that has a web server, FTP server, or SCP server.
You should be aware of the most recent security threats so that you can most effectively secure and manage your network. The Cisco Security Center contains the top ten intelligence reports listed by date, severity, urgency, and whether there is a new signature available to deal with the threat.
Enter the name of your company in the Company field.
Choose your country from the drop-down menu.
Enter your e-mail address in the E-mail field.
Step 8 Check the check box if you want to receive further information about Cisco products and offerings by e-mail.
• Install and Upgrade—Contains hardware installation and regulatory guides.
• Configure—Contains configuration guides for IPS CLI, IDM, and IME.
• Troubleshoot and Alerts—Contains TAC tech notes and field notices.
• Summary of IPS 5.0 Applications, page A-37
System Overview
You can install Cisco IPS software on two platforms: the appliances and the modules (refer to “Supported Sensors,” in Installing Cisco Intrusion Prevention System Appliances and Modules 5.0 for a list of current appliances and modules).
– Web Server (HTTP RDEP2 server)—Provides a web interface and communication with other IPS devices through RDEP2 using several servlets to provide IPS services.
– The IPS signature update process is now similar to antivirus DAT file updates.
• RDEP2
RDEP has been revised to RDEPv2, which supports an event standard called SDEE.
The system has reasonable default values to minimize the number of modifications you must make. You can configure IPS 5.0 through the CLI, IDM, IDS MC, ASDM or through another application using RDEP2 and IDCONF.
• By default Web Server uses TLS or SSL. You can choose to disable TLS and SSL.
• Unnecessary services are disabled.
• Only the SNMP set required by the Cisco MIB Policy is allowed within the CISCO-CIDS-MIB.
• OIDs implemented by the public domain SNMP agent will be writeable when specified by the MIB.
MainApp
MainApp now includes all IPS components except SensorApp and the CLI.
• New “health” control transaction
A new health and welfare type of control transaction is defined in the IDCONF specification. This control transaction reports the status and welfare of the system.
IPS event consumer. Sufficient buffering depends on your requirements and the capabilities of the nodes in use. The oldest events in the circular buffer are replaced by the newest events.
IPS applications generate IPS events to report the occurrence of some stimulus. The events are the data, such as the alerts generated by SensorApp or errors generated by any application. Events are stored in a local database known as the Event Store.
• Event ID
• Event severity
• Time (UTC and local time)
• Signature name
• Signature ID
• Subsignature ID
• Version
• Summary
• Interface group
• IP nodes keyed on both IP address
• Sensor memory critical stage
• Interface status
• Command and control packet statistics
• Fail-over state
• System uptime
• CPU usage
RDEP control transaction message. The transactionHandlerLoop uses the HttpClient classes to issue the RDEP control transaction request to the HTTP server on the remote node. The remote HTTP
Control Transaction Server, which passes it to the Network Access Controller. Network Access Controller on the master blocking sensor then interacts with the devices it is managing to enable the block.
Only the protocol specified in the Network Access Controller configuration for that device is attempted. If the connection fails for any reason, Network Access Controller attempts to reestablish
You can specify the interface and direction where blocking is performed in the Network Access Controller configuration for routers. You can specify the interface where blocking is performed in the VACL configuration.
Note Cisco firewalls do not block based on interface or direction, so this configuration is never specified for them.
Note You must have the RSM because blocking is performed on the RSM.
• Catalyst 6000 series switches with PFC installed running Catalyst software 5.3 or later
Appendix A System Architecture
MainApp
• Catalyst 6000 MSFC2 with Catalyst software 5.4(3) or later and Cisco IOS 12.1(2)E or later on the MSFC2
• Cisco ASA 500 series models: ASA 5510, ASA 5520, and ASA 5540
• FWSM
The FWSM cannot block in multi-mode admin context.
If the time for the new block is less than or equal to the remaining minutes, no action is taken. Otherwise, the new block timeout replaces the existing block timeout.
Caution Cisco firewalls do not support connection blocking of hosts. When a connection block is applied, the firewall treats it like an unconditional block. Cisco firewalls also do not support network blocking. Network Access Controller never tries to apply a network block to a Cisco firewall.
The main.log is included in the show tech-support command output. If the message is logged at warning level or above (error or fatal), LogApp converts the message to an evError event (with the corresponding error severity) and inserts it in Event Store.
CLI or an IPS manager, such as IDM or ASDM, by logging in to the sensor using the default administrative account (cisco). In the CLI, the Administrator is prompted to change the password. IPS managers initiate a setEnableAuthenticationTokenStatus control transaction to change the account’s password.
If the fingerprints match, the trust relationship is established and henceforth the client can automatically connect with that server and be confident that the remote server is not an imposter.
SSL.
SensorApp
This section describes SensorApp, and contains the following topics:
• Responsibilities and Components, page A-23
• Packet Flow, page A-24
The layer 2 processor updates statistics about packets that have been denied because of the policy you have configured.
• Database Processor (DBP)
This processor maintains the signature state and flow databases.
It starts with the signature event with configured action received in the alarm channel and flows top to bottom as the signature event passes through the functional components of the SEAP.
There is no IP stack associated with any interface used for inline (or promiscuous) data processing. The current support for 802.1q packets in promiscuous mode is extended to inline mode.
• Enhanced configuration
• Driver support for concurrent SensorApp and TCPdump capture
The drivers for the data interfaces support concurrent use of the interfaces by SensorApp and TCPdump or other libpcap based reader
Monitoring applications only require viewer access to the sensor. You can use the CLI to set up a user account with viewer privileges and then configure the event viewer to use this account to connect to the sensor.
The service account is not intended to be used for configuration purposes. Only modifications made to the sensor through the service account under the direction of TAC are supported. Cisco Systems does not support the addition and/or running of an additional service to the operating system through the service account, because it affects proper performance and proper functioning of the other IPS services.
• To recall the commands entered in a mode, use the Up Arrow or Down Arrow keys or press Ctrl-P or Ctrl-N.
Note Help and tab complete requests are not reported in the recall list.
• A blank prompt indicates the end of the recall list.
SensorApp generates a block event, which is also stored in the Event Store. Figure A-5 illustrates the IDAPI interface.
Figure A-5 IDAPI
[Figure: SensorApp exchanges alerts and block requests with the Event Store through IDAPI.]
Web Server, which passes it to the Event Server. The Event Server queries the Event Store through IDAPI and then returns the result.
Page 387
[Figure: Sending Commands Through RDEP2. Diagram labels: IDS-MC and Third-Party Event Management Applications (RDEP2 Client), Sensor, HTTP POST, Response, CT Request, Web Server, Application, IDAPI, CT Server, CT Response]
Page 389
CIDEE CIDEE specifies the extensions to SDEE that are used by the Cisco IPS. The CIDEE standard specifies all possible extensions that are supported by IPS. Specific systems may implement a subset of CIDEE extensions.
• /usr/cids/idsRoot/bin/falcondump—Contains the application for getting packet dumps on the sensing ports of the IDS-4250-XL and IDSM-2. • /usr/cids/idsRoot/etc—Stores sensor configuration files. • /usr/cids/idsRoot/htdocs—Contains the IDM files for the web server.
Control Transaction Source Waits for control transactions directed to remote applications, forwards the control transactions to the remote node using RDEP2, and returns the response to the initiator.
Page 392
Waits for remote HTTP client requests and calls the appropriate servlet application. 1. This is a web server servlet. 2. This is a web server servlet. 3. This is a remote control transaction proxy.
About Signature Engines A signature engine is a component of the Cisco IPS that is designed to support many signatures in a certain category. An engine is composed of a parser and an inspector. Each engine has a set of parameters that have allowable ranges or sets of values.
Page 394
The WEBPORTS variable defines the inspection ports for HTTP traffic. – IDENT—Inspects IDENT (client and server) traffic. – MSRPC—Inspects MSRPC traffic. – MSSQL—Inspects Microsoft SQL traffic. – NTP—Inspects NTP traffic.
Signatures that are not service, OS, or application-specific have 0 for the promiscuous delta. If the signature is specific to an OS, service, or application, it has a promiscuous delta of 5, 10, or 15, calculated from 5 points for each category.
For example, you can configure the signature to Fire All, but after a certain threshold is reached, it starts summarizing. Table B-2 on page B-5 lists the alert frequency parameters.
Event Action Rules. You can clear all denied attacker entries with the clear denied-attackers command, which permits the addresses back on the network. • deny-connection-inline—Does not transmit this packet and future packets on the TCP flow (inline only).
– Response message validation – MIME type enforcement – Transfer encoding type validation – Content control based on message content and type of data being transferred – URI length enforcement
Page 399
Specifies the action to take when noncompliant HTTP traffic is seen. The alarm-on-non-http-traffic [true | false] command enables the signature. max-outstanding-requests-overrun: Maximum allowed HTTP requests per connection (1 to 16).
The ATOMIC.ARP engine defines basic Layer-2 ARP signatures and provides more advanced detection of the ARP spoof tools dsniff and ettercap. Table B-5 on page B-9 lists the parameters that are specific to the ATOMIC.ARP engine.
Specifies IP datagram total length. specify-ip-option-inspection: Specifies IP options inspection. specify-l4-protocol: Specifies Layer-4 protocol. specify-ip-tos: Specifies type of service. specify-ip-ttl: Specifies time to live. specify-ip-version: Specifies IP protocol version.
META definitions. The META engine generates a signature event after all requirements for the event are met.
The NORMALIZER engine deals with IP fragmentation and TCP normalization. This section describes the NORMALIZER engine, and contains the following topics: • Overview, page B-12 • NORMALIZER Engine Parameters, page B-12
Page 406
(Optional) Enables query record data invalid (true | false): • query-record-data-invalid—DNS Record Data incomplete. specify-query-record-data-len (Optional) Enables the query record data length (0 to 65535): • query-record-data-len—DNS Response Record Data Length.
False for no swap (default). 1. The second number in the range must be greater than or equal to the first number.
SETUP signatures, you can add signatures for length and regular expression checks on various SETUP message fields. SERVICE.H225 Engine Parameters Table B-14 on page B-18 lists parameters specific to the SERVICE.H225 engine.
Page 410
This is never set for TPKT signatures. specify-value-range Valid for the length or value policy types (0 to 65535; 0x00 to 6535). Not valid for other policy types. • value-range—Range of values.
The SERVICE.HTTP engine has default deobfuscation behavior for the Microsoft IIS web server. For an example SERVICE.HTTP custom signature, refer to “Example SERVICE.HTTP Signature,” in Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface 5.0. SERVICE.HTTP Engine Parameters Table B-15 lists the parameters specific to the SERVICE.HTTP engine.
1. The second number in the range must be greater than or equal to the first number. SERVICE.IDENT Engine The SERVICE.IDENT engine inspects TCP port 113 traffic. It has basic decode and provides parameters to specify length overflows.
The SERVICE.MSRPC engine only decodes the DCE and RPC protocol for the most common transaction types. SERVICE.MSRPC Engine Parameters Table B-17 on page B-22 lists the parameters specific to the SERVICE.MSRPC engine.
The SERVICE.NTP engine inspects the NTP protocol. There is one NTP signature, the NTPd readvar overflow signature, which fires an alert if a readvar command is seen with NTP data that is too large for the NTP service to capture.
(0 to 65535; a-b[,c-d]) the target service resides. specify-is-spoof-src (Optional) Enables the spoof source address (true | false): • is-spoof-src—Fires an alert when the source address is 127.0.0.1.
(Optional) Enables byte count (0 to 65535): • byte-count—Byte count from SMB_COM_TRANSACTION structure. specify-command (Optional) Enables SMB commands (0 to 255): • command—SMB command value.
Page 417
(Optional) Enables searching for the Type field of an MS RPC packet (0 to 255): • type—Type field of MSRPC packet. 0 = Request; 2 = Response; 11 = Bind; 12 = Bind Ack
Inspects for brute force attempts (0 to 65535): • brute-force-count—The number of unique SNMP community names that constitute a brute force attempt. invalid-packet-inspection Inspects for SNMP protocol violations. —
State machines are used to describe a specific event that causes an output or alarm.
Page 420
STATE Engine There are three state machines in the STATE engine: SMTP, Cisco Login, and LPR Format String. Table B-24 lists the parameters specific to the STATE engine. Table B-24 STATE Engine Parameters (Parameter | Description | Value) state-machine: State machine grouping.
• Traffic from service port destined to client port. • Traffic from client port destined to service port. icmp-type ICMP header TYPE value (0 to 18; a-b[,c-d]).
1. The second number in the range must be greater than or equal to the first number. 2. This parameter is primarily used as an IPS anti-evasion tool.
More realistic values for unique range between 5 and 15. TCP sweeps must have a TCP flag and mask specified to determine the sweep inspector slot in which to count the distinct connections.
Page 424
• Attacker address and victim port. suppress-reverse Does not fire when a sweep has fired in the reverse direction on this address set (true | false).
Whether this signature has configurable parameters (yes | no). inspection-type Type of inspection to perform: • is-loki: Inspects for original LOKI traffic. • is-mod-loki: Inspects for modified LOKI traffic.
The UDP modes of BO and BO2K are handled by the TROJAN.UDP engine. The TCP modes are handled by the TROJAN.BO2K engine. There are no specific parameters to the TROJAN engines, except for swap-attacker-victim in the TROJAN.UDP engine.
• Create a service account. A service account is needed for password recovery and other special debug situations directed by TAC. For the procedure, see Creating the Service Account, page 4-13.
Page 428
For the procedures for appliances and modules, see Chapter 17, “Upgrading, Downgrading, and Installing System Images.” Log in to the sensor with the default user ID and password—cisco.
Before troubleshooting the appliance, check the Caveats section of the Readme for the software version you have installed on your sensor to see if you are dealing with a known issue.
Link Speed = Auto_1000 Link Duplex = Auto_Full Total Packets Received = 0 Total Bytes Received = 0 Total Multicast Packets Received = 0 Total Broadcast Packets Received = 0
Page 431
Step 4 Make sure the management port is connected to an active network connection. If the management port is not connected to an active network connection, the management interface will not come up.
Step 3 Verify that the client IP address is listed in the allowed networks. If it is not, add it: sensor# configure terminal sensor(config)# service host sensor(config-hos)# network-settings sensor(config-hos-net)# access-list 171.69.70.0/24
Total Jumbo Packets Received = 0 Total Undersize Packets Received = 0 Total Receive Errors = 0 Total Receive FIFO Overruns = 0 Total Packets Transmitted = 0
The sensing process, SensorApp, should always be running. If it is not, you do not receive any alerts. SensorApp is part of AnalysisEngine, so you must make sure the AnalysisEngine is running.
Page 435
Step 4 Make sure you have the latest software updates: sensor# show version Upgrade History: IDS-K9-maj-5.0-1- 14:16:00 UTC Thu Mar 04 2004 Recovery Partition Version 1.1 - 5.0(1)S149
If you do not have the latest software updates, download them from Cisco.com. For the procedure, see Obtaining Cisco IPS Software, page 18-1. Step 5 Read the Readme that accompanies the software upgrade for any known DDTS for SensorApp or AnalysisEngine.
Step 3 Make sure the sensing port is connected properly on the appliance. See the chapter on your appliance in Installing Cisco Intrusion Prevention System Appliances and Modules 5.0. Make sure the sensing port is connected to the correct SPAN or VACL capture port on IDSM-2.
Page 438
Number of Summary Intermediate Alerts Number of Regular Summary Final Alerts Number of Global Summary Final Alerts Number of Alerts Output for further processing = 0 alertDetails: Traffic Source: int0 ;
Step 3 If the interfaces are not up, do the following: Check the cabling. Refer to the chapter in Installing Cisco Intrusion Prevention System Appliances and Modules 5.0 that pertains to your sensor for information on installing the sensor properly. Enable the interface.
Step 4 cp /usr/cids/idsRoot/etc/defVirtualSensorConfig.xml /usr/cids/idsRoot/etc/VS-Config/virtualSensor.xml Step 5 Remove the cache files: rm /usr/cids/idsRoot/var/virtualSensor/*.pmz Step 6 Exit the service account. Step 7 Log in to the sensor CLI.
Verifying Network Access Controller is Running, page C-16. Verify that Network Access Controller is connecting to the network devices. For the procedure see Verifying Network Access Controller Connections are Active, page C-17.
12:53:00 UTC Fri Mar 18 2005 Recovery Partition Version 1.1 - 5.0(1.1) sensor# Step 3 If MainApp displays Not Running, Network Access Controller has failed. Contact the TAC.
Upgrade History: IDS-K9-maj-5.0-1- 14:16:00 UTC Thu Mar 04 2004 Recovery Partition Version 1.1 - 5.0(1)S149 If you do not have the latest software updates, download them from Cisco.com. For the procedure, see Obtaining Cisco IPS Software, page 18-1. Step 5 Read the Readme that accompanies the software upgrade for any known DDTS for Network Access Controller.
ACL. You can also perform a manual block from IDM by clicking Monitoring > Active Host Blocks. Note
Step 4 Exit signature definition submode: sensor(config-sig-sig-nor)# exit sensor(config-sig-sig)# exit sensor(config-sig)# exit Apply Changes:?[yes]: Step 5 Press Enter to apply the changes or type no to discard them.
Step 6 Verify that the block shows up in the Network Access Controller’s statistics: sensor# show statistics network-access Current Configuration AllowSensorShun = false ShunMaxEntries = 100 State ShunEnable = true ShunnedAddr Host IP = 10.16.0.0 ShunMinutes =
Step 1 Log in to the service account. Step 2 Edit the log.conf file to increase the size of the log to accommodate the additional log statements: vi /usr/cids/idsRoot/etc/log.conf
1. The Card Manager service is used on AIP-SSM to exchange control and state information between modules in the chassis. 2. The Control Plane is the transport communications layer used by Card Manager on AIP-SSM.
The syslog output is sent to the syslog facility local6 with the following correspondence to syslog message priorities: LOG_DEBUG: debug; LOG_INFO: timing; LOG_WARNING: warning; LOG_ERR: error; LOG_CRIT: fatal. Note: Make sure that your /etc/syslog.conf has that facility enabled at the proper priority.
To troubleshoot a reset not occurring for a specific signature, follow these steps: Step 1 Log in to the CLI. Step 2 Make sure the event action is set to TCP reset: sensor# configure terminal
Page 456
Step 7 Make sure the resets are being sent: root# ./tcpdump -i eth0 src host 172.16.171.19 tcpdump: WARNING: eth0: no IPv4 address assigned tcpdump: listening on eth0
• Signature updates require the minimum version listed in the filename. • Service packs require the correct minor version. • Minor versions require the correct major version. • Major versions require the previous major version.
• If you modify the FTP prompts to give security warnings, for example, this causes a problem, because the sensor is expecting a hard-coded list of responses.
You must change the memory settings of Java Plug-in before using IDM and ASDM. The mandatory minimum memory size is 256 MB. This section contains the following topics:
Note: Java 2 SDK is installed at /usr/j2se, the full path is /usr/j2se/jre/bin/ControlPanel. In a Java 2 Runtime Environment installation, the file is located at <JRE installation directory>/bin/ControlPanel.
Under Java Runtime Environment, select JRE 1.3.x from the drop-down menu. Click the Cache tab. Click the Browser tab. Deselect all browser check boxes. Click Clear Cache.
• Cannot Communicate With IDSM-2 Command and Control Port, page C-42 • Using the TCP Reset Interface, page C-44 • Connecting a Serial Cable to IDSM-2, page C-44
Page 465
The following switch commands help you troubleshoot IDSM-2: • show module (Cisco Catalyst Software and Cisco IOS Software) • show version (Cisco Catalyst Software and Cisco IOS Software) • show port (Cisco Catalyst Software)
Page 467
Allow up to 5 minutes for IDSM-2 to come online. Step 3 If the status does not read , turn the module on: router# set module power up module_number
Step 4 Make sure the command and control port is in the correct VLAN: For Catalyst software: cat6k> (enable) show port 6/8 * = Configured MAC Address # = 802.1X Authenticated Port Name.
Page 469
If the command and control port is not in the correct VLAN, put it in the correct VLAN. For the procedure, refer to Configuring the Catalyst 6500 Series Switch for Command and Control Access to IDSM-2, page 15-4.
Getting details from the Service Module, please wait... ASA 5500 Series Security Services Module-20 Model: AIP-SSM-20 Hardware version: Serial Number: P2B000005D0 Firmware version: 1.0(10)0 Software version: 5.1(0.1)S153.0 Status:
Page 471
The module in slot 1 will be recovered. This may erase all configuration and all data on that device and attempt to download a new image for it.
To display tech support information, follow these steps: Step 1 Log in to the CLI using an account with administrator privileges. Step 2 View the output on the screen: sensor# show tech-support page
Page 474
Total Packets Received = 0 Total Bytes Received = 0 Total Multicast Packets Received = 0 Total Broadcast Packets Received = 0 Total Jumbo Packets Received = 0
Page 475
Linux version 2.4.26-IDS-smp-bigphys (csailer@mcq) (gcc version 2.96 20000731 (Red Hat Linux 7.3 2.96-112)) #2 SMP Fri Mar 4 04:11:31 CST 2005 03:33:54 up 21 days, 23:15, 3 users, load average: 0.96, 0.86, 0.78 --MORE--
Page 476
36.3M out of 166.8M bytes of available disk space (23% usage) boot is using 39.4M out of 68.6M bytes of available disk space (61% usage)
Page 477
Note sensor# more current-config ! ------------------------------ ! Version 5.0(0.26) ! Current configuration last modified Wed Feb 16 03:20:54 2005 ! ------------------------------ display-serial ! ------------------------------ service analysis-engine exit
Page 478
• Event Store • Host • Logger • Network Access • Notification • SDEE Server • Transaction Server • Transaction Source • Virtual Sensor • Web Server
Page 479
UDP nodes keyed on both IP addresses and both ports = 0 IP nodes keyed on both IP addresses = 0 The number of each type of node inserted since reset Total nodes inserted = 28
Page 480
Number of FireOnce Intermediate Alerts = 480 Number of Summary First Alerts Number of Summary Intermediate Alerts Number of Regular Summary Final Alerts Number of Global Summary Final Alerts
Page 481
Number of Alerts where deny-connection was forced for deny-packet action = 0 Number of Alerts where deny-packet was forced for non-TCP deny-connection action Per-Signature SigEvent count since reset Sig 2004 = 5
Page 482
Denied Attackers and hit count for each. sensor# Step 6 Display the statistics for the event server: sensor# show statistics event-server General openSubscriptions = 0 blockedSubscriptions = 0 Subscriptions sensor#
Page 484
InterfacePostBlock = Post_Acl_Test BlockInterface InterfaceName = ethernet0/1 InterfaceDirection = in InterfacePreBlock = Pre_Acl_Test InterfacePostBlock = Post_Acl_Test NetDevice Type = CAT6000_VACL IP = 10.89.150.138 NATAddr = 0.0.0.0 Communications = telnet
Page 485
Mask = 255.255.0.0 BlockMinutes = sensor# Step 11 Display the statistics for the notification application: sensor# show statistics notification General Number of SNMP set requests = 0
Page 486
Error Severity = 14 Warning Severity = 1 Timing Severity = 0 Debug Severity = 0 Unknown Severity = 28 TOTAL = 43 The statistics were retrieved and cleared.
Page 487
The following example shows the output from the show interfaces command: sensor# show interfaces Interface Statistics Total Packets Received = 0 Total Bytes Received = 0 Missed Packet Percentage = 0 Current Bypass Mode = Auto_off
Page 488
This section describes the show events command, and contains these topics: • Sensor Events, page C-63 • Overview, page C-63 • Displaying Events, page C-63 • Clearing Events, page C-66
Page 489
If no level is selected (informational, low, medium, or high), all alert events are displayed. • include-traits—Displays alerts that have the specified traits. • exclude-traits—Does not display alerts that have the specified traits.
Page 492
Send the resulting HTML file to TAC or the IPS developers in case of a problem. For the procedure, see Uploading and Accessing Files on the Cisco FTP Site, page C-67.
Page 493
You can upload large files, for example, cidDump.html, the show tech-support command output, and cores, to the ftp-sj server. To upload and access files on the Cisco FTP site, follow these steps: Step 1 Log in to ftp-sj.cisco.com as anonymous. Change to the /incoming directory.
Page 494
Page 495
alert: In general, an alert is an IPS message that indicates a network exploit in progress or a potential security problem occurrence. Specifically, an IPS event type; it is written to the Event Store as an evIdsAlert. Also known as an alarm.
Page 496
Typically, APIs make it easier for software developers to create links that an application needs to communicate with the operating system or with the network. application: Any program (process) designed to run in the Cisco IPS environment. application instance: A specific application running on a specific piece of hardware in the IPS environment. An application instance is addressable by its name and the IP address of its host computer.
Page 497
CIDEE: Cisco Intrusion Detection Event Exchange. Specifies the extensions to SDEE that are used by Cisco IPS systems. The CIDEE standard specifies all possible extensions that may be supported by Cisco IPS systems. CIDS header: The header that is attached to each packet in the IPS system. It contains packet classification, packet length, checksum results, timestamp, and the receive interface.
Page 498
destination address: Address of a network device that is receiving data. Deny Filters Processor: Handles the deny attacker functions. It maintains a list of denied source IP addresses. DIMM: Dual In-line Memory Modules.
Page 499
evIdsAlert: The XML entity written to the Event Store that represents an alert. false negative: A signature is not fired when offending traffic is detected. false positive: Normal traffic or a benign action causes a signature to fire.
Page 500
Greenwich Mean Time. Time zone at zero degrees longitude. Now called Coordinated Universal Time (UTC). H.225.0: An ITU standard that governs H.225.0 session establishment and packetization. H.225.0 actually describes several different protocols: RAS, use of Q.931, and use of RTP.
Page 501
IPS data or message: Describes the messages transferred over the command and control interface between IPS applications. IDSM-2: Intrusion Detection System Module. A switching module that performs intrusion detection in the Catalyst 6500 series switch.
Page 502
LOKI: Remote access, back door Trojan, ICMP tunneling software. When the computer is infected, the malicious code creates an ICMP tunnel that can be used to send small payload ICMP replies
Page 503
Hash Algorithm (SHA) are variations on MD4 and strengthen the security of the MD4 hashing algorithm. Cisco uses hashes for authentication within the IPSec framework. Also used for message authentication in SNMP v.2. MD5 verifies the integrity of the communication, authenticates the origin, and checks for timeliness.
Page 504
Feature that permits you to add, replace, or remove cards without interrupting the system power, entering console commands, or causing other software or interfaces to shutdown.
Page 505
OSI term for packet. See also BPDU and packet. PEP: Cisco Product Evolution Program. PEP is the UDI information that consists of the PID, the VID, and the SN of your sensor. PEP provides hardware version and serial number visibility through electronic query, product labels, and shipping items.
Page 506
RR: Risk Rating. An RR is a value between 0 and 100 that represents a numerical quantification of the risk associated with a particular event on the network.
Page 507
Signature Analysis Processor. Dispatches packets to the inspectors that are not stream-based and that are configured for interest in the packet in process. SCEP: Simple Certificate Enrollment Protocol. The Cisco Systems PKI communication protocol that leverages existing technology by using PKCS#7 and PKCS#10. SCEP is the evolution of the enrollment protocol.
Page 508
Server Message Block. File-system protocol used in LAN Manager and similar NOSs to package data and exchange information with other systems. SN: Serial Number. Part of the UDI. The SN is the serial number of your Cisco product. SERVICE engine: Deals with specific protocols, such as DNS, FTP, H225, HTTP, IDENT, MS RPC, MS SQL, NTP, RPC, SMB, SNMP, and SSH.
Page 509
Refers to attaching rubber feet to the bottom of a sensor when it is installed on a flat surface. The rubber surface mounting feet allow proper airflow around the sensor and they also absorb vibration so that the hard-disk drive is less impacted.
Page 510
IDS-4250-TX appliance when the XL card is not present. On the IDSM-2 the TCP reset interface is designated as port 1 with Catalyst software, and is not visible to the user in Cisco IOS software. The TCP reset action is only appropriate as an action selection on those signatures that are associated with a TCP-based service.
Page 511
tune. Adjusting signature parameters to modify an existing signature.
UDI. Unique Device Identifier. Provides a unique identity for every Cisco product. The UDI is composed of the PID, VID, and SN. The UDI is stored in the Cisco IPS ID PROM.
Page 512
IP level.
vulnerability. One or more attributes of a computer or a network that permit a subject to initiate patterns of misuse on that computer or network.
Page 513
X.509. Standard that defines information contained in a certificate.
XML. eXtensible Markup Language. Textual file format used for data interchange between heterogeneous hosts.
Page 514
Page 515
4-18 described 7-12 upgrading recovery partition 17-4 features application partition AIP-SSM described commands 14-5 image recovery 17-9 configuration tasks 14-1 application-policy command 7-13
Page 516
B-34 backing up configuration 12-17 current configuration 12-16 BackOrifice protocol cannot access sensor B-34 backup-config command 12-13 capturing live traffic banner login command 13-1 block-enable command 10-6
Page 524
15-28 parameters (table) 7-22 TCP reset port 15-7, 15-12 signatures (table) 7-22 time sources 4-19 ip-log-bytes command unsupported supervisor engine commands 15-29 ip-log command 7-28
Page 525
Linux OS locked account reset 4-14 new features log-all-block-events-and-errors command 10-13 obtaining 18-1 LogApp platform-dependent release examples 18-5 described A-2, A-19 retrieving data functions A-19 security features
Page 526
Catalyst 6000 series switch 10-25 MASTER engine VACL commands A-19 alert frequency VACLs A-19 alert frequency parameters (table) Catalyst switches defined VACLs A-16 general parameters (table) VLANs A-16
Page 527
4-28, 4-29 file server configuration 17-22 4-28 overview time synchronization 17-22 4-18 checking IPS software status 16-7 configuration tasks 16-1 configuring ids-sensor interfaces 16-2
Page 529
A-27 described inline packet processing A-26 example 6-20 IP normalization A-27 RSA authentication and authorized keys 4-32 new features A-26 packet flow A-24 described 17-11 processors A-23
Page 530
1-4, A-29 parameters (table) B-15 A-29 SERVICE.GENERIC engine troubleshooting A-29 described B-16 service-policy command 14-2 parameters (table) Service privileges B-16 1-4, A-29 service role 1-4, 2-2, A-29
Page 531
B-10 FLOOD.HOST B-10 configuring FLOOD.NET agent parameters B-10 11-2 H225 traps B-17 11-4 list general parameters 11-2 META B-10 11-1 NORMALIZER GetNext B-12 11-1 SERVICE.DNS B-14 11-1
Page 532
System Configuration Dialog described 7-27 STRING.ICMP engine parameters (table) system design (illustration) B-29 STRING.TCP engine system image options installing 7-30 parameters (table) IPS-4240 B-30 17-15
Page 533
17-11 described B-34 17-11 TFN2K B-34 time correction on sensors 4-20 troubleshooting time sources accessing files on FTP site C-67 AIP-SSM 4-20 access list misconfiguration appliances 4-18
Page 534
18-5 sensor events C-63 recovery partition 17-4, 17-9 sensor not seeing packets C-13 URLs for Cisco Security Center 18-11 sensor process not running username command 4-11
Page 535
Viewer privileges 1-3, A-28 viewing user information 4-16 virtual sensor and assigning the interfaces Web Server described A-2, A-22 HTTP 1.0 and 1.1 support A-22
Page 536