Summary of Contents for Cisco IDS-4230-FE - Intrusion Detection Sys Fast Ethernet Sensor
Page 1
Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1 Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Customer Order Number: DOC-7815597=...
Page 2
You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the Cisco equipment or one of its peripheral devices. If the equipment causes interference to radio or television reception, try to correct the interference by using one or more of the following measures: •...
Page 3
CCSP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE,...
Page 5
Appliances Introducing the Appliance How the Appliance Functions Your Network Topology Placing an Appliance on Your Network Deployment Considerations Appliance Restrictions Setting Up a Terminal Server Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1 78-15597-02...
Installing Front Mount Brackets 2-11 Installing the IDS-4215 Chapter Front and Back Panel Features Specifications Accessories Surface Mounting Rack Mounting Installing the IDS-4215
Page 7
Front-Panel Features and Indicators Back-Panel Features and Indicators Specifications Installing Spare Hard-Disk Drives Upgrading the BIOS Using the TCP Reset Interface Installing the IDS-4235 and IDS-4250
Page 8
Installing the IPS-4240 and IPS-4255 Chapter Front and Back Panel Features Specifications Accessories Rack Mounting Installing the IPS-4240 and IPS-4255
Page 9
Using the TCP Reset Interface Front Panel Description Installation and Removal Instructions Required Tools Slot Assignments Installing the IDSM-2 Verifying the IDSM-2 Installation 8-11 Removing the IDSM-2 8-13
Page 10
Displaying the Current Version and Configuration Information 10-24 Creating and Using a Backup Configuration File 10-28 Displaying and Clearing Events 10-28 Rebooting or Powering Down the Appliance 10-30
Page 11
Configuring Cisco IDS Interfaces on the Router 10-78 Establishing Cisco IDS Console Sessions 10-80 Using the Session Command 10-80 Suspending a Session and Returning to the Router 10-81
Page 12
Installing the IPS-4240 and IPS-4255 System Image 10-116 Reimaging the NM-CIDS Application Partition 10-119 Reimaging the IDSM-2 10-124 Reimaging the IDSM-2 10-125 Reimaging the Maintenance Partition 10-127
Page 13
Blocking with the Catalyst 6000 A-27 TransactionSource A-28 WebServer A-29 A-29 User Account Roles A-30 Service Account A-31 CLI Behavior A-32 Regular Expression Syntax A-34
Page 14
B-14 Sensor Not Seeing Packets B-15 Cleaning Up a Corrupted SensorApp Configuration B-16 Running SensorApp in Single CPU Mode B-17 Bad Memory on the IDS-4250-XL B-18
Page 15
Troubleshooting the IDSM-2 B-44 Diagnosing IDSM-2 Problems B-44 Switch Commands for Troubleshooting B-46 Status LED Off B-46 Status LED On But IDSM-2 Does Not Come Online B-48
Page 16
Command Output B-69 cidDump Script B-70 Uploading and Accessing Files on the Cisco FTP Site B-71 Glossary Index
Page 17
This guide is intended for audiences who need to do the following: • Install appliances and modules. • Secure their network with sensors. • Detect intrusion on their networks and monitor subsequent alarms.
Page 18
To see translations of the warnings that appear in this publication, refer to the Regulatory Compliance and Safety Information document that accompanied this device.
Page 19
These sections explain how to obtain technical information from Cisco Systems. Cisco.com You can access the most current Cisco documentation at this URL: http://www.cisco.com/univercd/home/home.htm
Page 20
Cisco Systems Attn: Customer Document Ordering 170 West Tasman Drive San Jose, CA 95134-9883 We appreciate your comments.
Page 21
URL: http://www.cisco.com/techsupport Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL: http://tools.cisco.com/RPF/register/register.do...
Page 22
For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
Page 23
• Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The publication...
Page 24
You can access the Internet Protocol Journal at this URL: http://www.cisco.com/ipj • World-class networking training is available from Cisco. You can view current offerings at this URL: http://www.cisco.com/en/US/learning/index.html
Page 25
• How the Appliance Functions, page 1-3 • Your Network Topology, page 1-4 • Placing an Appliance on Your Network, page 1-6 • Deployment Considerations, page 1-8
Page 26
Fast Ethernet, and Gigabit Ethernet configurations. In switched environments, appliances must be connected to the switch’s Switched Port Analyzer (SPAN) port or VLAN Access Control list (VACL) capture port.
Page 27
TCP protocol. On the IDS-4250-XL, TCP resets are sent through the TCP Reset interface. • Make access control list (ACL) changes on routers that the appliance manages.
Page 28
These connections fall into four categories, or locations, as illustrated in Figure 1-1 on page 1-5.
Page 29
The network of another department may contain company-specific research and development or other engineering information and should be given additional protection.
Page 30
An internal attacker taking advantage of vulnerabilities in network services would remain undetected by the external appliance (see Figure 1-2 on page 1-7).
Page 31
Placing an appliance behind a firewall allows it to monitor internal traffic, but it cannot monitor any policy violations that the firewall rejects (see Figure 1-3 on page 1-8).
Page 32
• Enable SSH services on the router if available; otherwise, enable Telnet. • Add the router to the device management list of the appliance (via the IDS manager).
Page 33
• Cisco Systems prohibits modifying or installing any hardware or software in the appliance that is not part of the normal operation of the Cisco IDS. Setting Up a Terminal Server A terminal server is a router with multiple, low-speed, asynchronous ports that are connected to other serial devices.
Page 34
Chapter 1 Introducing the Sensor Appliances To set up a Cisco terminal server with RJ-45 or hydra cable assembly connections, follow these steps: Step 1 Connect to a terminal server using one of the following methods: For the IDS-4215, IPS-4240, and IPS-4255: •...
Page 35
Caution If a connection is dropped or terminated by accident, you should reestablish the connection and exit normally to prevent unauthorized access to the appliance.
IDS at your remote branch offices. You can install the NM-CIDS in any one of the network module slots on the Cisco 2600, 3600, and 3700 series routers. The NM-CIDS can monitor up to 45 Mbps of network traffic.
Page 37
ACL changes on the router to block the attack, or it can send a TCP reset packet to the sender to stop the TCP session that is causing the attack.
You cannot manually set the time on the NM-CIDS. The NM-CIDS gets its time from the Cisco router in which it is installed. Routers do not have a battery so they cannot preserve a time setting when they are powered off. You must set the router’s clock each time you power up or reset the router, or you can configure...
Page 39
Alerts are generated by the IDSM-2 through the Catalyst 6500 series switch backplane to the IDS manager, where they are logged or displayed on a graphical user interface.
(appliances and modules) that are supported in this document and that are supported by the most recent Cisco IDS software. Note For instructions on how to obtain the most recent Cisco IDS software, see Obtaining Cisco IDS Software, page 9-1.
Sensor to Use an NTP Server as its Time Source, page 10-21, for more information. Note We recommend that you use an NTP time synchronization source.
Page 43
The GMT time is synchronized between the parent router and the NM-CIDS. The time zone and summer time settings are not synchronized between the parent router and the NM-CIDS.
Unpack the sensor. Step 4 Place the sensor in an ESD-controlled environment. See Working in an ESD Environment, page 1-21, for the procedure. Step 5...
Step 3 Attach the wrist strap to your wrist and to the terminal on the work surface. If you are using a disposable wrist strap, connect the wrist strap directly to an unpainted metal surface of the chassis.
Page 46
Note If you are upgrading a component, do not remove the component from the ESD packaging until you are ready to install it.
• Installing the IDS-4210, page 2-5 • Installing the Accessories, page 2-8 Front Panel Features and Indicators Figure 2-1 on page 2-2 shows the front panel indicators on the IDS-4210.
Page 48
LAN2 activity/link Amber Lights up when the LAN2 connector is linked to an Ethernet port; blinks when activity occurs on this channel.
Upgrading the Memory The IDS-4210, IDS-4210-K9, IDS-4210-NFR, and IDS-4220-E sensors must have 512 MB RAM to support Cisco IDS 4.1 software. If you are upgrading an existing IDS-4210, IDS-4210-K9, IDS-4210-NFR, or IDS-4220-E sensor to version 4.1, you must insert additional Dual In-line Memory Modules (DIMMs) (see part numbers below for supported DIMMs) to upgrade the memory to the required 512 MB minimum.
Page 50
Step 8 Locate the ejector tabs on either side of the DIMM socket. Press down and out on the tabs to open the slot in the socket.
Upgrading the Memory, page 2-3, for more information. If you purchase an IDS-4210 during July, it comes from the factory with the memory upgrade and version 4.1 installed.
Page 52
Caution We recommend that you use the dual serial communication cable (PN 72-1847-01, included in the accessory kit) rather than a keyboard and monitor, because some keyboards and monitors may be incompatible with the appliance.
Page 53
Initializing the Sensor, page 10-2, for the procedure. Step 8 Upgrade your appliance to the latest Cisco IDS software. See Obtaining Cisco IDS Software, page 9-1, for the procedure.
The following items are shipped in the accessories package for the IDS-4210: • Cisco IDS-4210 bezel • Power cable • Network patch cable • Computer interconnection cable • Dual serial communication cable • Rack mounting brackets
To install the center mount brackets in a two-post, open-frame relay rack, follow these steps: Step 1 Determine where you want to place your appliance. Step 2 Mark the upper and lower mounting positions on the two posts.
Page 56
Lift the appliance into position between the two posts with the hole in the mounting bracket aligned one hole above the mark you made in the two posts (see Figure 2-2).
The front mount bracket assembly is not intended for use as a slide rail system. The server must be firmly attached to the rack, as shown in Figure 2-3 on page 2-12.
Page 58
10,000 cycles of opening and closing. Higher cycles or frequency will lower the load rating. The chassis support brackets are meant to support the weight of only one appliance.
Page 59
Use the bolts provided with the rack to fasten the appliance’s front flanges to the rack. When you are done, the appliance should not slide on the channel bar. Note...
Page 61
Chapter Installing the IDS-4215 The Cisco IDS-4215 can monitor up to 80 Mbps of aggregate traffic and is suitable for T1/E1 and T3 environments. With the addition of the four-port fast Ethernet (4FE) card, the IDS-4215 supports five monitoring interfaces (10/100BASE-TX), which provide simultaneous protection for multiple subnets.
Blinks when network traffic is passing over either of the two built-in Ethernet ports; does not indicate traffic on any of the four ports of the 4FE card.
Page 63
Lights up when the port is connected to another Ethernet port and traffic can be passed between them. Blinks when network traffic is being received on the port.
100V to 240V AC Frequency 50 to 60 Hz, single phase Operating current 1.5 A Steady state Maximum peak Maximum heat dissipation 410 BTU/hr, full power usage (65W)
Use the statement number provided at the end of each warning to locate its translation in the translated safety warnings that accompanied this device. Statement 1071 SAVE THESE INSTRUCTIONS
If you are not rack mounting the IDS-4215, you must attach the rubber feet to the bottom of the IDS-4215 as shown in Figure 3-4 on page 3-7. The rubber feet are shipped in the accessories kit.
When mounting this unit in a partially filled rack, load the rack from the bottom to the...
Page 68
Step 2 Attach the appliance to the equipment rack.
Caution Be sure to read the safety warnings in the Regulatory Compliance and Safety Information for the Cisco Intrusion Detection System 4200 Series Appliance Sensor and follow proper safety procedures when performing these steps.
Page 70
Locate the serial cable from the accessory kit. The serial cable assembly consists of a 180/rollover cable with RJ-45 connectors (DB-9 connector adapter PN 74-0495-01 and DB-25 connector adapter PN 29-0810-01).
Page 71
Obtaining Cisco IDS Software, page 9-1, for the procedure. Step 9 Assign the interfaces. See Assigning and Enabling the Sensing Interface, page 10-9, for the procedure.
Statement 1029 Warning This unit might have more than one power supply connection. All connections must be removed to de-energize the unit. Statement 1028
Step 5 Place the appliance in an ESD-controlled environment. See Working in an ESD Environment, page 1-21, for more information. Step 6 Remove the screws from the rear of the chassis.
Page 74
With the front of the unit facing you, push the top panel back one inch. Step 8 Pull the top panel up and put it in a safe place.
Step 1 Place the chassis on a secure surface with the front panel facing you. Step 2 Hold the top panel so the tabs at the rear of the top panel are aligned with the chassis bottom.
Page 76
Step 5 Fasten the top panel with the screws you set aside earlier.
Caution Be sure to read the safety warnings in the Regulatory Compliance and Safety Information for the Cisco Intrusion Detection System 4200 Series Appliance Sensor and follow proper safety procedures when removing and replacing the hard-disk drive.
Step 6 Remove the chassis cover. See Removing the Chassis Cover, page 3-13, for the procedure. Step 7 Loosen the two captive screws from the hard-disk drive carrier.
Page 79
Grasp the hard-disk drive and pull straight backwards until it is free of the riser card connector. Do not lift or wiggle the hard-disk drive side to side until it is completely free of the connector.
Step 3 Push the hard-disk drive straight into the riser card connector. Do not lift or wiggle the hard-disk drive side to side. Push carefully until the hard-disk drive is seated.
Step 1 Prepare the appliance to be powered off: sensor# reset powerdown Step 2 Wait for the power down message before continuing with Step 3.
Page 82
See Removing the Hard-Disk Drive, page 3-18, for the procedure. Step 8 Grasp the compact flash device and carefully remove it from the connector on the riser card.
Step 1 See Working in an ESD Environment, page 1-21, for more information. Step 2 Align the compact flash device with the connector on the riser card.
Page 84
Step 4 See Replacing the Hard-Disk Drive, page 3-20, for the procedure. Step 5 Replace the chassis cover. See Replacing the Chassis Cover, page 3-15, for the procedure.
Step 3 Power off the appliance. Step 4 Remove the power cord and other cables from the appliance. Step 5 Place the appliance in an ESD-controlled environment.
Page 86
Step 10 Replace the lower slot cover from the back cover plate. Step 11 Replace the back cover plate and tighten the two captive screws.
Note We recommend that you install the 4FE card in the bottom slot. We do not support installation of the 4FE card in the top slot. Only one 4FE card is supported on the IDS-4215.
Page 88
Loosen the two captive screws from the back cover plate on the left and put the back cover plate aside. Step 7 Insert the 4FE card through the cage opening and into the lower slot.
Page 89
Step 9 Attach the back cover plate, making sure that the connecting flange on the 4FE card goes through the slot on the back cover plate.
Page 90
You will need to assign the new interfaces (int2, int3, int4, and int5). See Assigning and Enabling the Sensing Interface, page 10-9, for the procedure.
• Recommended Keyboards and Monitors, page 4-4 • Upgrading the IDS-4220-E and IDS-4230-FE to 4.x Software, page 4-5 • Installing the IDS-4220 and IDS-4230, page 4-6
Figure 4-2 on page 4-3 shows the back panel features (the onboard NIC and the SMC9432FTX network card indicators) of the IDS-4220 and IDS-4230.
Page 93
The SMC9432FTX network card includes four status indicators.
The following keyboards and monitors have been tested with the IDS-4220 and IDS-4230: • Keyboards – KeyTronic E03601QUS201-C – KeyTronic LT DESIGNER • Monitors – MaxTech XT-7800 – Dell D1025HT
Monitor Caution If the cables on the IDS-4220-E or IDS-4230-FE are not swapped, you may not be able to connect to your appliance through the network.
Step 2 Attach the power cord to the appliance and plug it in to a power source (a UPS is recommended).
Page 97
See Setting Up a Terminal Server, page 1-9, for the instructions for setting up a terminal server.
Page 98
Step 9 Assign the interfaces. See Assigning and Enabling the Sensing Interface, page 10-9, for the procedure. You are now ready to configure intrusion detection on your appliance.
Chapter Installing the IDS-4235 and IDS-4250 You can deploy the Cisco IDS-4235 at 250 Mbps to provide protection in switched environments and on multiple T3 subnets. With the support of 10/100/1000 interfaces you can also deploy it on partially utilized gigabit links. The monitoring interface and the command and control interface are both 10/100/1000BASE-TX.
Note conditions: 2700 new TCP connections per second, 2700 HTTP transactions per second, average packet size of 595 bytes, system running Cisco IDS 4.1 sensor software. Or you can order the IDS-4250-XL with the XL card already installed. At 1 Gbps, the IDS-4250-XL provides customized hardware acceleration to protect fully saturated gigabit links as well as multiple partially utilized gigabit subnets.
Page 101
The front panel also has a video connector for connecting a monitor and a PS/2 connector for connecting a keyboard. Table 5-1 on page 5-4 describes the appearance of the front panel indicators for the IDS-4235 and IDS-4250.
Caution You can use only one PCI slot for either the SX card, the XL card, or the 4FE card. Only one card is supported per chassis.
Back-panel callouts: (optional) Main power, Video connector, Keyboard connector, System status indicator connector, System identification button. Specifications Table 5-2 on page 5-6 lists the IDS-4235 and IDS-4250 specifications.
5-20, for the procedure. The replacement hard-disk drive is shipped blank from the factory. You must reimage it. See Reimaging the Appliance, page 10-110, for the procedure.
Step 3 Double-click the downloaded BIOS update file, BIOS_A04.exe, on the Windows system to generate the BIOS update diskette. Step 4 Insert the newly created BIOS update diskette in your IDS-4235 or IDS-4250.
VLAN, and the reset port needs to trunk all the VLANs being trunked by both the sensing ports.
Table 5-3 Terminal Settings (Terminal, Setting): Bits per second 9600; Data bits; Parity None; Stop bits; Flow control Hardware or RTS/CTS
Page 108
XL card sensing ports. • int2 through int5 are the optional 4FE card sensing ports. Step 5 Power on the appliance.
Detection System 4200 Series Appliance Sensor Installing and Removing the Bezel Figure 5-3 on page 5-13 shows the Cisco bezel that you can install on your IDS-4235 or IDS-4250.
Caution Be sure to read the safety warnings in the Regulatory Compliance and Safety Information for the Cisco Intrusion Detection System 4200 Series Appliance Sensor and follow proper safety procedures when performing the following steps.
Step 9 To install the new power supply, align the stud on the side of the power supply with the corresponding notch in the chassis, and then lower the power supply into the chassis (see Figure 5-4 on page 5-15).
Step 10 Slide the power supply toward the PDB until the power-supply edge connector is fully seated in the PDB connector (see Figure 5-4). Figure 5-4 Power Supply and Power-Supply Cooling Fan
• 4FE card (four-port 10/100BASE-TX fast Ethernet sensing interface, part number IDS-4FE-INT=) You can install the 4FE card in the lower PCI slot in the IDS-4235 and IDS-4250 series appliances.
Use the tab at the rear of the system to lift the left side of the cover. Use the tab at the rear of the system to lift the right side of the cover.
Caution Make sure the fiber ports are not connected the first time you boot the appliance after you have installed the XL card. For more information, see Disconnecting the XL Card Fiber Ports, page 5-19.
Note You can also power down the sensor from IDM or IDS MC. Step 3 Power off the appliance. Step 4 Remove the fiber connections from the XL card.
Figure 5-5 on page 5-21 shows the SCSI hard-disk drive indicators.
Step 3 Power off the appliance by pressing the power button. Step 4 Remove the front bezel. Installing and Removing the Bezel, page 5-12, for the procedure.
Note Replacement drives are shipped without an image. You must reimage the hard-disk drive. See Reimaging the Appliance, page 10-110, for more information.
• One cable-management arm • One stop block • One status-indicator cable assembly • Ten 10-32 x 0.5-inch flange-head Phillips screws • Releasable tie wraps
Install two 10-32 x 0.5-inch flange-head Phillips screws in the mounting flange’s top and bottom holes to secure the slide assembly to the front vertical rail (see Figure 5-6 on page 5-25).
Step 6 At the back of the cabinet, pull back on the mounting-bracket flange until the mounting holes align with their respective holes on the back vertical rail.
Step 7 Lower the front of the appliance and engage the front shoulder screws in the front slot behind the appliance release latch (see Figure 5-7 on page 5-27).
Note Use the appliance release latch when you want to remove the appliance from the slide assemblies. Figure 5-7 Installing the Appliance in the Rack
Note The latch clicks when locked. Step 4 Install a stop block on the latch on the end of the opposite slide assembly (see Figure 5-8 on page 5-29).
You can only install the proper stop block. Figure 5-8 Cable-Management Arm Step 5 Install the status-indicator cable plug into its connector (see Figure 5-9 on page 5-30).
(see Figure 5-9). Figure 5-9 Installing the Cable-Management Arm Step 8 Connect the power cords to their receptacles on the back panel.
Bend the power cords back beside the power receptacle housing and form a tight loop. Install the strain-relief tie-wrap loosely around the looped power cord (see Figure 5-10). Figure 5-10 Power Cord Strain Relief
Do not fully tighten the tie-wraps at this time (see Figure 5-11 on page 5-33). Allow some cable slack in the cable-management arm to prevent damage to the cables.
To push the appliance back into the rack, press the slide release latch on the side of the slide, and then slide the appliance completely into the rack.
This section contains these topics: • Recommended Tools and Supplies, page 5-35 • Rack Kit Contents, page 5-35
Marking the Rack You must allow 1 RU (44 mm or 1.75 inches) of vertical space for each appliance you install in the two-post rack.
This section contains these topics: • Center-Mount Installation, page 5-36 • Flush-Mount Installation, page 5-39 Center-Mount Installation The two-post rack kit is shipped with brackets configured for center-mount installation.
12-24 x 0.5-inch pan-head Phillips screws (Figure 5-12 on page 5-38). Step 3 Repeat Steps 1 and 2 to install the left side assembly in the rack.
Chapter 5 Installing the IDS-4235 and IDS-4250 Installing the Accessories Figure 5-12 Slide Assemblies for Center-Mount Configuration
12-24 x 0.5-inch pan-head Phillips screws you removed in Step 2 (see Figure 5-13 on page 5-40). The joined bracket becomes the new extended rear bracket.
Step 11 Use an 11/32-inch wrench or nut driver to fully tighten the nuts on the mounting brackets on both slide assemblies that you tightened with your fingers.
Figure 5-14 Installing the Slide Assemblies for Flush-Mount Configuration
The 250-Mbps performance for the IPS-4240 is based on the following conditions: 2500 new TCP connections per second, 2500 HTTP transactions per second, average packet size of 445 bytes, system running Cisco IDS 4.1 sensor software. The 250-Mbps performance is traffic combined from all four sniffing interfaces.
Note The 600-Mbps performance for the IPS-4255 is based on the following conditions: 6000 new TCP connections per second, 6000 HTTP transactions per second, average packet size of 445 bytes, system running Cisco IDS 4.1 sensor software. The 600-Mbps performance is traffic combined from all four sniffing interfaces.
Amber when the power-up diagnostics have failed. Flash: Off when the compact flash device is not being accessed; blinks green when the compact flash device is being accessed.
Figure 6-3 shows the four built-in Ethernet ports, which have two indicators per port. Figure 6-3 Ethernet Port Indicators (each port: LINK, SPD)
50 to 60 Hz, single phase
Operating current: 1.5 A
Steady state: 50 W
Maximum peak: 65 W
Maximum heat dissipation: 410 BTU/hr, full power usage (65 W)
Statement 1071 SAVE THESE INSTRUCTIONS Warning Only trained and qualified personnel should be allowed to install, replace, or service this equipment. Statement 1030
(front-panel label: IPS 42 series Intrusion Prevention Sensor)
Step 3 To remove the appliance from the rack, remove the screws that attach the appliance to the rack, and then remove the appliance.
Locate the serial cable from the accessory kit. The serial cable assembly consists of a 180/rollover cable with RJ-45 connectors (DB-9 connector adapter PN 74-0495-01 and DB-25 connector adapter PN 29-0810-01).
DB-9 or DB-25 connector on your computer. (Figure callouts: FLASH; Computer serial port DB-9 or DB-25; Console port (RJ-45); RJ-45 to DB-9 or DB-25 serial cable (null-modem).) Step 6 Attach the network cables.
Assigning and Enabling the Sensing Interface, page 10-9, for the procedure. Note The interfaces are disabled by default. You are now ready to configure intrusion detection on your appliance.
Chapter 6 Installing the IPS-4240 and IPS-4255 Installing the IPS-4240 and IPS-4255
Installing the NM-CIDS This chapter lists the software and hardware requirements of the NM-CIDS, and describes how to install and remove it. Note In Cisco IOS documentation, the NM-CIDS is referred to as the Cisco IDS network module. This chapter contains the following sections: • Specifications, page 7-1...
Caution Do not confuse Cisco IOS IDS (a software-based intrusion-detection application that runs in the Cisco IOS) with the IDS that runs on the NM-CIDS. The NM-CIDS runs Cisco IDS version 4.1. Because performance can be reduced and duplicate alarms can be generated, we recommend that you do not run Cisco IOS IDS and Cisco IDS 4.1 simultaneously.
Table 7-3 Hardware Requirements
Feature / Description
Processor: 500 MHz Intel Mobile Pentium III
Default SDRAM: 512 MB
Maximum SDRAM: 512 MB
Internal disk storage: NM-CIDS 20-GB IDE
(Figure callouts: Controlled by IOS, Flash, Router, PCI Bus, UART, Fast Ethernet, NM-CIDS, Console, Content CPU, Fast Ethernet 1, Controlled by IDS, Disk, Memory, Flash, Fast Ethernet 0, NM-CIDS)
You must assign the IP address to the interface to get console access to the IDS.
NM-CIDS into a chassis slot or remove the NM-CIDS from a chassis slot. Cisco 3660 and Cisco 3700 series routers allow you to replace network modules without switching off the router or affecting the operation of other interfaces.
• Removing the NM-CIDS, page 7-11 • Blank Network Module Panels, page 7-14 Required Tools You need the following tools and equipment to install an NM-CIDS in a Cisco modular router chassis slot: • #1 Phillips screwdriver or small flat-blade screwdriver • ESD-preventive wrist strap...
Phillips or flat-blade screwdriver. Step 7 If the router was previously running, reinstall the network interface cables and turn ON power to the router.
Step 12 Assign the interfaces. Assigning and Enabling the Sensing Interface, page 10-9, for the procedure. You are now ready to configure intrusion detection on your NM-CIDS.
Step 3 Tighten the two captive screws on the faceplate. Step 4 Connect the command and control port to a hub or switch.
Removing the NM-CIDS This section contains the following topics: • Removing the NM-CIDS Offline, page 7-12 • Removing the NM-CIDS Using OIR Support, page 7-13
Note Installing the NM-CIDS Offline, page 7-7, for the procedure) or install a blank panel (see Blank Network Module Panels, page 7-14, for the procedure).
Installing the NM-CIDS Installation and Removal Instructions Removing the NM-CIDS Using OIR Support Cisco 3660 and Cisco 3700 series routers support OIR with similar modules only. Caution If you remove an NM-CIDS, install another NM-CIDS in its place. To remove an NM-CIDS with OIR support, follow these steps:...
If the router is not fully configured with network modules, make sure that blank panels fill the unoccupied chassis slots to provide proper airflow as shown in Figure 7-4: Figure 7-4 Blank Network Module Panel
1.18 x 15.51 x 16.34 in (30 x 394 x 415 mm)
Weight: Minimum 3 lb (1.36 kg); Maximum 5 lb (2.27 kg)
Operating temperature: 32° to 104°F (0° to 40°C)
• Cisco IOS software release 12.2(14)SX1 with supervisor engine 720 • Cisco IDS software release 4.0 or later • Any Catalyst 6500 series switch chassis or 7600 router
1. VACL blocking by the IDSM-2 is supported on Catalyst software and not on Cisco IOS for this configuration. 2. Cisco IOS is supported on Supervisor 1A with PFC1 or MSFC1; however, the IDSM-2 is not supported on this configuration.
The IDSM-2 is running through its boot and self-test diagnostics sequence, or the IDSM-2 is disabled, or the IDSM-2 is in the shutdown state. The IDSM-2 power is off.
This section contains the following topics: • Required Tools, page 8-6 • Slot Assignments, page 8-6 • Installing the IDSM-2, page 8-7 • Removing the IDSM-2, page 8-13
• You can install the IDSM-2 in any slot that is not used by the supervisor engine. • You can install up to eight IDSM-2s in a single chassis.
Remove the installation screws (use a screwdriver, if necessary) that secure the filler plate to the desired slot. Step 4 Remove the filler plate by prying it out carefully.
Statement 1029 Step 5 Hold the IDSM-2 with one hand, and place your other hand under the IDSM-2 carrier to support it.
Keeping the IDSM-2 at a 90-degree orientation to the backplane, carefully push it into the slot until the notches on both ejector levers engage the chassis sides.
Step 10 Verify that you have correctly installed the IDSM-2 and can bring it online. See Verifying the IDSM-2 Installation, page 8-11, for the procedure. Step 11 Initialize the IDSM-2. Initializing the Sensor, page 10-2, for the procedure.
Intrusion Detection Sys WS-X6381-IDS faulty
1000BaseX Ethernet WS-X6408-GBIC
Intrusion Detection Sys WS-X6381-IDS
FlexWAN Module WS-X6182-2PA
Intrusion Detection Sys WS-x6381-IDS
Intrusion Detection Sys WS-SVC-IDSM2 yes ok
Mod Module-Name Serial-Num
WS-F6K-PFC2 SAD044302BP 1.0
IDS 2 accelerator board WS-SVC-IDSUPG
console> (enable)
Step 3 For Cisco IOS software, verify that the IDSM-2 is online by typing the following:
Router# show module
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ------------------ -----------...
Warning During this procedure, wear grounding wrist straps to avoid ESD damage to the card. Do not touch the backplane with your hand or any metal tool, or you could shock yourself.
IDSM-2 from the backplane connector. Step 5 As you pull the IDSM-2 out of the slot, place one hand under the carrier to support
Do not operate the system unless all cards, faceplates, front covers, and rear covers are in place. Statement 1029
Chapter 8 Installing the IDSM-2 Installation and Removal Instructions
(NSDB) updates, are posted to Cisco.com approximately every two weeks. Service packs are posted to Cisco.com as needed. Major and minor feature releases are also posted periodically.
IDS file versioning scheme. Step 8 You must type your Cisco.com username and password again. Note The first time you download a file from Cisco.com, you must fill in the Encryption Software Export Distribution Authorization form before you can download the software and click Submit.
Note You can determine which software version is installed on your sensor by using the show version command. Figure 9-1 on page 9-4 illustrates what each part of the IDS software file represents:
Signature updates are cumulative and increment by one with each new release (for example, S45, S46, S47). Signature updates include every signature since the initial signature release (S1) in addition to the new signatures being released.
A service pack may be released to address defects identified in existing maintenance partition images, but new maintenance partition images are not produced for subsequently released service packs.
2. Service packs include defect fixes. 3. Minor versions include new features and/or functionality (for example, signature engines). 4. Major versions include new functionality or new architecture.
1. The system image includes the combined recovery and application image used to reimage an entire sensor. 2. The application partition image includes the full image for the application partition.
You cannot upgrade the IDSM (WS-X6381) to Cisco IDS 4.1. You must replace your IDSM (WS-X6381) with the IDSM-2 (WS-SVC-IDSM2-K9), which supports version 4.x. The upgrade from Cisco IDS software version 4.0 to 4.1 is available as a download from Cisco.com. See Obtaining Cisco IDS Software, page 9-1, for the procedure for accessing the Software Center on Cisco.com.
If you install an upgrade on your sensor and the sensor is unusable after it reboots, you must recover the system image of your sensor. Upgrading a sensor from any Cisco IDS version before 4.0 also requires you to use the recover command or the recovery/upgrade CD.
WILL BE LOST) Step 4 Type k if you are installing from a keyboard, or type s if you are installing from a serial connection.
9-1, for the procedure. Applying for a Cisco.com Account with Cryptographic Access To download software updates, you must have a Cisco.com account with cryptographic access.
Obtaining Software IDS Bulletin To apply for cryptographic access, follow these steps: Step 1 If you have a Cisco.com account, skip to Step 2. If you do not have a Cisco.com account, register for one by going to the following URL: http://tools.cisco.com/RPF/register/register.do...
Select your country from the menu. Step 3 Type your e-mail address in the E-mail box. Select the check box if you would like to receive further information about Cisco products and offerings by e-mail. Select the e-mail format you prefer from the menu.
Chapter 9 Obtaining Software IDS Bulletin
• Sensor Configuration Tasks, page 10-35 • NM-CIDS Configuration Tasks, page 10-77 • IDSM-2 Configuration Tasks, page 10-87 • Reimaging Appliances and Modules, page 10-110
Note For support reasons, you should set up the service account after initializing the sensor. See Creating the Service Account, page 10-12, for the procedure.
Or, if you have created the service account, you can have TAC create a password. See Creating the Service Account, page 10-12, for more information.
Step 4 Continue with configuration dialog?[yes]: Press the spacebar to show one page at a time. Press Enter to show one line at a time.
Specify the netmask if the IP address is a network address (as opposed to a host address). Repeat Step b until you have entered all networks that you want to add to the access list.
2 a.m. on the first Sunday in April, and a stop time of 2 a.m. on the fourth Sunday in October. The default summertime offset is 60 minutes.
[1] Return back to the setup without saving this config. [2] Save this configuration and exit setup. Step 14 Type 2 to save the configuration. Enter your selection[2]: 2 Configuration Saved.
Step 21 Assign the interfaces. Assigning and Enabling the Sensing Interface, page 10-9, for the procedure. You are now ready to configure your sensor for intrusion detection.
0 and enable the interface. Review the following guidelines: • If you purchased a new sensor that shipped with Cisco IDS version 4.1: – The sensor detects the available sensing (monitoring) interfaces during...
Warning If you are using the command and control interface as the sensing interface, you receive an error the first time Cisco IDS 4.1 boots. The sensor detects that the command and control interface is an invalid interface for interface group 0. You must use the IDS CLI or other IDS manager to remove the command and control interface from interface group 0 and add a valid sensing interface.
Enabling or disabling the interface group enables or disables all sensing interfaces contained in the group. Sensing Interfaces Table 10-1 on page 10-12 lists the sensing interfaces for each IDS platform.
IDS services. TAC does not support a sensor on which additional services have been added.
Unauthorized modifications are not supported and will require this device to be reimaged to guarantee proper operation. ******************************************************************
Change the password for a specific user:
sensor(config)# password tester
Enter New Login Password: ******
Re-enter New Login Password: ******
Note This example modifies the password for the user “tester.”
To add a user, follow these steps: Step 1 Log in to the CLI using an account with administrator privileges. Step 2 Enter configuration mode: sensor# configure terminal
To remove a user, follow these steps: Step 1 Log in to the CLI using an account with administrator privileges. Step 2 Enter configuration mode: sensor# configure terminal
Enter configuration mode for network parameters: sensor(config-Host)# networkParams Step 5 Specify the allowed host: sensor(config-Host-net)# accessList ipAddress ip_address The IP address is now in the list of trusted hosts.
For example, to add the remote host 10.16.0.0 to the SSH known hosts list, type the following command: sensor(config)# ssh host-key 10.16.0.0
(min: 0, max: 500, current: 0) Step 7 Exit service mode for SSH known hosts: sensor(config-SshKnownHosts)# exit You are prompted to apply the changes: Apply Changes:?[yes]:
Enter time configuration parameters mode: sensor(config-Host)# timeParams Step 5 Type the NTP server’s IP address: sensor(config-Host-tim)# ntp ipAddress ip_address For example: sensor(config-Host-tim)# ntp ipAddress 10.16.0.0
Use the following procedure to activate a Cisco router to act as an NTP server and use its internal clock as the time source.
Configuring the Sensor to Use an NTP Server as its Time Source, page 10-21, for this procedure. To set up a Cisco router to act as an NTP server, follow these steps: Step 1 Log in to the router. Enter configuration mode:...
(OS) packages, signature packages, and IDS processes running on the system. To view the configuration for the entire system, use the more current-config command.
Note —MORE— information or Ctrl-C to cancel the output and get back to the CLI prompt.
Configuration information (similar to the following) appears:
sensor# more current-config
! ------------------------------
service Authentication
general
methods method Local
exit
exit
exit
! ------------------------------
service Host
networkParams
Page 223
! ------------------------------ service Logger masterControl enable-debug false exit zoneControl zoneName Cid severity debug exit zoneControl zoneName AuthenticationApp severity warning exit zoneControl zoneName Cli --MORE-- Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1 10-27 78-15597-02...
Use the show events command to display the local event log. You can display new events or events from a specific time or of a specific severity, and you can delete all events.
For example, show events alert high 10:00 September 22 2002 displays all high severity events since 10:00 a.m. September 22, 2002. Events from the specified time are displayed. Step 5 Show events that began in the past:
To stop all applications and reboot the appliance, follow these steps: Step 2 to power down the appliance; otherwise, skip to Step 3. Reset the appliance: sensor# reset A warning appears:
Step 1 Log in to the CLI using an account with administrator privileges. Step 2 View the optional parameters for the show tech-support command: sensor# show tech-support ?
For example, to send the tech support output to the file /absolute/reports/sensor1Report.html, type the following command: sensor# show tech support dest ftp://csidsuser@10.2.1.2//absolute/reports/sensor1Report.html The password prompt appears: password:
General information about the event store The current number of open subscriptions = 0 The number of events lost by subscriptions and queries = 0
Alert events, medium = 0 Alert events, high = 0 The next time you want to see the statistics for EventStore, the counters are reset.
If you use a variable in a filter, you must use a dollar sign (for example, $SIG1) in front of the variable to indicate that the string you have entered represents a variable.
Type the name of the system variable you want to configure, followed by a valid value for that variable. For example, to set the value of system variable SIG1 to 2001-2006, type the following command: sensor(config-acc-virtualAlarm-sys)# SIG1 2001-2006
($) in front of the variable (for example, $SIG1) to indicate that the string you have entered represents a variable.
If you use a variable, you must use a dollar sign ($USER-ADDRS1) in front of the variable. See Configuring Alarm Channel System Variables, page 10-35, for more information.
Enter configuration mode: sensor# configure terminal Step 3 Enter service virtual sensor configuration mode: sensor(config)# service virtual-sensor-configuration virtualSensor Step 4 Enter tune micro-engines mode: sensor(config-vsc)# tune-micro-engines
Ident service (client and server) alarms. SERVICE.MSSQL Microsoft (R) SQL service inspection engine SERVICE.NTP Network Time Protocol based signature engine SERVICE.RPC RPC SERVICE analysis engine
Step 7 View the parameters for that specific signature engine: sensor(config-vsc-virtualSensor-SER)# show settings SERVICE.NTP ----------------------------------------------- version: 4.0 <protected> signatures (min: 0, max: 1000, current: 1) -----------------------------------------------
You can change the value of a system variable but you cannot add or delete variables. You cannot change the name or type of a variable. Only one virtual sensor is supported; therefore, you cannot select the virtual sensor.
For example, to change the maximum number of fragments the system will queue from the default value (10000) to 5000, type the following command: sensor(config-vsc-virtualSensor-sys)# IPReassembleMaxFrags 5000
The IPReassembleMaxFrags value is returned to the default value and settings for the IPReassembleMaxFrags appear as IPReassembleMaxFrags: 10000 <defaulted> Step 10 Exit system variable mode: sensor(config-vsc-virtualSensor-sys)# exit sensor(config-vsc-virtualSensor)# exit Apply Changes?:[yes]:
Step 1 Log in to the CLI using an account with administrator or operator privileges. Step 2 Enter configuration mode: sensor# configure terminal Step 3 Enter virtual sensor configuration mode: sensor(config)# service virtual-sensor-configuration virtualSensor
SigName: Back Door (UDP 47262) <protected> SigStringInfo: UDP 47262 (backdoor) <defaulted> SigVersion: S37 <defaulted> SrcIpAddr: SrcIpMask: SrcPort: StorageKey: xxxx <defaulted> SummaryKey: AxBx <defaulted> ThrottleInterval: 30 <defaulted> WantFrag: -----------------------------------------------
True to Enable the Sig. False to Disable the Sig. EventAction What action(s) to perform when the alarm is fired. exit Exit signatures configuration submode
For example, to change the destination port for signature ID 9019 from the default 2140 to 2139, type the following command: sensor(config-vsc-virtualSensor-ATO-sig)# dstport 2139
IP traffic to be logged at the IP address, and/or how many packets you want logged, and/or how many bytes you want logged. The sensor stops logging IP traffic at the first parameter you specify.
Start IP logging for a specific IP address: sensor# iplog group-id ip-address [duration minutes] [packets numPackets] [bytes numBytes] Note There is only one interface group, 0.
Packets Captured: Log ID: 137857512 IP Address: 10.16.0.0 Group: Status: completed Start Time: 1070363599443768000 End Time: 1070363892909384000 Bytes Captured: 30650 Packets Captured: Log ID: 137857513
You can view a list of all signature engines by typing a question mark (?) at the sensor(config-vsc-virtualSensor)# prompt. For example, to tune a simple UDP packet alarm, type the following command: sensor(config-vsc-virtualSensor)# ATOMIC.UDP
Exit tuning mode for this signature: sensor(config-vsc-virtualSensor-ATO-sig)# exit sensor(config-vsc-virtualSensor-ATO)# exit sensor(config-vsc-virtualSensor)# exit Apply Changes?:[yes]: Step 11 Type yes to apply the changes. The Processing config: message is displayed.
Bytes Captured: 30650 Packets Captured: Disable the IP log session: sensor# no iplog 137857512 Step 3 To disable all IP logging sessions: sensor# no iplog sensor#
Open the IP log using a sniffer program such as Ethereal or TCPDUMP. For more information on Ethereal go to http://www.ethereal.com. For more information on TCPDUMP, go to http://www.tcpdump.org/.
Note Multiple connection blocks from the same source IP address to either a different destination IP address or destination port automatically switch the block from a connection block to a host block.
To check the status of NAC, type show statistics networkAccess at the sensor# prompt. The output shows the devices you are managing, any active blocks, and the status for all the devices.
• Cisco 7500 series router • Catalyst 5000 switches with RSM/RSFC with IOS 11.2(9)P or later (ACLs) • Catalyst 6000 switches with IOS 12.1(13)E or later (ACLs)
• Allowing the Sensor to Block Itself, page 10-61 • Disabling Blocking, page 10-62 • Setting Maximum Block Entries, page 10-63 • Setting the Block Time, page 10-64
Step 7 Type yes to apply changes. Note To reverse this procedure, follow the steps but change the value in Step 5 from true to false.
Step 7 Type yes to apply changes. Note To enable blocking, follow the steps but change the value in Step 5 from false to true.
Change the maximum number of block entries: sensor(config-NetworkAccess-gen)# shun-max-entries value Step 6 Exit general submode: sensor(config-NetworkAccess-gen)# exit sensor(config-NetworkAccess)# exit Apply Changes:?[yes]: Step 7 Type yes to apply changes.
The value is the time duration of the shun event in minutes (0-4294967295). Step 7 Exit shun event submode: sensor(config-vsc-VirtualSensor-Shu)# exit sensor(config-vsc-VirtualSensor)# exit Apply Changes:?[yes]:
Step 1 Step 2 Enter configuration mode: sensor# configure terminal Step 3 Enter network access mode: sensor(config)# service networkAccess Step 4 Enter general submode: sensor(config-NetworkAccess)# general
Step 1 Log in to the CLI using an account with administrator privileges. Step 2 Enter configuration mode: sensor# configure terminal Step 3 Enter Network Access mode: sensor(config)# service networkAccess
Step 9 Type yes to apply changes. Configuring Blocking Devices NAC uses ACLs on Cisco routers and switches to manage those devices. These ACLs are built as follows: line with the sensor’s IP address, or if specified, the NAT address...
To configure a sensor to manage a Cisco router, follow these steps: Step 1 Log in to the CLI using an account with administrator privileges. Step 2 Enter configuration mode: sensor# configure terminal
ACL attached to interface-name Step 9 Add the preShun ACL name (optional): sensor(config-NetworkAccess-rou-shu)# pre-acl-name pre_shun_acl_name Step 10 Add the postShun ACL name (optional): sensor(config-NetworkAccess-rou-shu)# post-acl-name post_shun_acl_name
NAC accepts anything you type. It does not check to see if the logical device exists. Step 5 Designate the method used to access the sensor: sensor(config-NetworkAccess-cat)# communication telnet/ssh-des/ssh-3des If unspecified, SSH 3DES is used.
Apply Changes:?[yes]: Note You receive an error if the logical device name does not exist. Step 11 Type yes to apply changes.
Configuring the Sensor Using the CLI Sensor Configuration Tasks Configuring the Sensor to Manage a Cisco PIX Firewall To configure the sensor to manage a Cisco PIX Firewall, follow these steps: Step 1 Log in to the CLI using an account with administrator privileges.
Caution Only one sensor should control all blocking interfaces on a device.
Specify the username for an administrative account on the MBS host: sensor(config-networkAccess-gen-mas)# mbs-username username Step 9 Specify the password for the user: sensor(config-networkAccess-gen-mas)# mbs-password Enter mbs-password []: ***** Re-enter mbs-password []: *****
MC to delete blocks created by the CLI. Manual blocks have to be removed in the CLI. Caution We recommend that you use manual blocking on a very limited basis, if at all.
This section describes the tasks you need to perform to set up the NM-CIDS and get it ready to receive traffic. After that you are ready to configure intrusion detection.
Step 1 Confirm the NM-CIDS slot number in your router: Router# show interfaces ids-sensor slot_number Note You can also use the show run command. Look for “IDS-Sensor” and the slot number.
Router(config)# interface ids-sensor 1/0 Router(config-if)# ip unnumbered loopback 0 Step 6 Activate the port: Router(config-if)# no shutdown Step 7 Exit configuration mode: Router(config-if)# end
Use the session command to establish a session in the NM-CIDS (in slot 1 in this example): Router# service-module ids-sensor 1/0 session A Telnet session is initiated: Trying 10.16.0.0, 2033 ... Open
If you use the Telnet disconnect command to leave the session, the session remains running. The open session can be exploited by someone wanting to take advantage of a connection that is still in place.
For example, for slot 1, the port number is 2033, for slot 2, it is 2065, and so forth. To use Telnet to invoke a session to port 2033: Router# telnet 10.16.0.0 2033
Caution Hard-disk drive data loss only occurs if you issue the reset command without first shutting down the NM-CIDS. You can use the reset command safely in other situations.
Step 5 Configure the interface to copy network traffic to the NM-CIDS: Router(config-if)# ids-service-module monitoring Note Use the command no ids-service-module monitoring to turn off monitoring.
Repeat Step c to see the counters gradually increasing. This indicates that the NM-CIDS is receiving network traffic. Checking the Status of the Cisco IDS Software To check the status of the Cisco IDS software running on the router: Router# service-module ids-sensor slot_number/0 status Something similar to the following output appears:...
– Router# Entering Console for IDS sensor Module in slot slot_number. The session command allows you access to the IDS console.
Caution Removing the NM-CIDS without proper shutdown can result in the hard-disk drive being corrupted. After successful shutdown of the NM-CIDS applications, Cisco IOS prints a message indicating that you can now remove the NM-CIDS. – Router# service-module ids-sensor slot_number/0 status Provides information on the status of the Cisco IDS software.
Control Access to the IDSM-2 After you initialize the IDSM-2, you must configure the Catalyst 6500 series switch to have command and control access to the IDSM-2.
To configure the Catalyst 6500 series switch to have command and control access to the IDSM-2, follow these steps: Step 1 Log in to the console. Step 2 Enter configuration mode: Router# configure terminal
This section describes how to use SPAN to capture IDS traffic. The section contains the following topics: • Catalyst Software, page 10-91 • Cisco IOS Software, page 10-91
Cisco IOS Software To enable SPAN on the IDSM-2, follow these steps: Step 1 Log in to the console. Step 2 Enter configuration mode: Router# configure terminal
VLANs. This section describes how to configure VACLs to capture IDS traffic. This section contains the following topics: • Catalyst Software, page 10-93 • Cisco IOS Software, page 10-94
10.1.6.1 eq 80 capture permit tcp any host 10.1.6.2 eq 80 capture deny ip any host 10.1.6.1 deny ip any host 10.1.6.2 permit ip any any
Router(config)# vlan access-map [0-65535] Step 5 Configure a match clause in a VLAN access map sequence: Router(config-access-map)# match {ip address {1-199 | 1300-2699 | acl_name
4 data-port 1 capture vlan access-map CAPTUREALL 10 match ip address MATCHALL action forward capture ip access-list extended MATCHALL permit ip any any
VACLs to a VLAN in which you have applied an IP inspect rule for the Cisco IOS Firewall. However, you can use the mls ip ids command to designate which packets are captured. Packets that are permitted by the ACL are captured.
To use the mls ip ids command to capture IDS traffic, follow these steps: Step 1 Log in to the console. Step 2 Enter privileged mode: Router> enable Step 3 Enter configuration mode: Router# configure terminal
Guide that shipped with your IDSM-2 for instructions on how to locate these documents. This section contains the following topics: • Enabling a Full Memory Test, page 10-99 • Resetting the IDSM-2, page 10-101
You can enable a full memory test when you use the set boot device bootseq module_number mem-test-full command. The long memory test takes about 12 minutes.
Type the following commands: Router# set boot device cf:1 4 mem-test-full Router# show boot device 4 The set boot device command can either contain cf:1 or hdd:1.
Step 2 Enter privileged mode: Console> enable Step 3 Reset the IDSM-2 to the application partition or the maintenance partition: Console> (enable) reset module_number [hdd:1/cf:1]
Step 3 Reset the IDSM-2: Router# hw-module module module_number reset [hdd:1/cf:1] This example shows the output of the reset command: Router# hw-module module 8 reset
– Sets the name of the module. – set module power module_number up | down Enables or disables power to the specified IDSM-2.
Displays the errors reported from the diagnostic tests for both the SPAN port (port 1) and the management port (port 2) and the BIOS and CMOS boot results.
• set port trap • set protocolfilter • set rgmp • set snmp • set spantree • set udld • set vtp
• hw-module module slot_number shutdown Shuts down the module so that it can be safely removed from the chassis. • reload Reloads the entire switch.
Displays the configuration that is currently running. • show startup-config Displays the saved configuration. • show vlan access-map Displays all current VLAN access maps.
| {vlan vlan-id}} [ , | - | rx | tx | both] Sets the sources for a SPAN session. – no power enable module slot_number Shuts down the IDSM-2 and removes power.
– action forward capture Designates that matched packets should be captured. – match ip address {1-199 | 1300-2699 | acl_name} Specifies filtering in the VACL.
Reimaging Appliances and Modules This section provides procedures for reimaging the sensor image. When you reimage the sensor, all accounts are removed and the default cisco account is reset to use the default password “cisco”. After reimage, you must initialize the sensor again.
The application partition is reimaged with the original factory image from the recovery partition. You must now initialize the appliance with the setup command. See Initializing the Sensor, page 10-2, for the procedure.
Step 4 Upgrade the recovery partition: sensor(config)# upgrade scp://user@server_ipaddress upgrade_path recovery_partition_file The recovery partition image filename looks similar to this: IDS-42XX-K9-r-1.1-a-4.0-1-S37.tar.pkg
IDS-4215-bios-5.1.7-rom-1.4.bin available for download at the following URL: http://www.cisco.com/cgi-bin/tablebuild.pl/ids-firmware We recommend the following TFTP servers: For Windows: • Tftpd32 version 2.0, available at: http://membres.lycos.fr/phjounin/P_tftpd32.htm For UNIX: • Tftp-hpa series, available at: http://www.kernel.org/pub/software/network/tftp/
0: i8255X @ PCI(bus:0 dev:13 irq:11) 1: i8255X @ PCI(bus:0 dev:14 irq:11) Using 1: i82557 @ PCI(bus:0 dev:14 irq:11), MAC: 0000.c0ff.ee01 Use ? for help. rommon>
Step 10 Define the path and filename on the TFTP file server from which you are downloading the image: rommon> file <path/filename>
Other IDS appliances use the recovery/upgrade CD rather than the system image. We recommend the following TFTP servers: For Windows: • Tftpd32 version 2.0, available at: http://membres.lycos.fr/phjounin/P_tftpd32.htm For UNIX: • Tftp-hpa series, available at: http://www.kernel.org/pub/software/network/tftp/
• Address—Local IP address of the sensor • Server—TFTP server IP address where the application image is stored • Gateway—Gateway IP address used by the sensor
Otherwise, this information must be typed each time you want to boot an image from ROMMON. Step 10 Download and install the system image: rommon> tftp
# scp tftpboot The following example shows what a helper image file looks like: NM-CIDS-K9-helper-1.0-1.bin Note Most TFTP servers offer the directory /tftpboot to TFTP clients.
Specify the IP address. The IP address applies to the external fast Ethernet port on the NM-CIDS. This must be a real IP address on your network.
When the TFTP load actually begins, a spinning character is displayed to indicate packets arriving from the TFTP server.
Type the secure shell server username. Type the secure shell server IP address. Type the full pathname of recovery image: full pathname of recovery image: /path /NM-CIDS-K9-a-4.1-1-S42.bin
Type the full pathname of recovery image: full pathname of recovery image: /path /NM-CIDS-K9-a-4.1-1-S42.bin Type y to continue. Ready to begin Are you sure? y/n
Catalyst software and Cisco IOS software. This section contains the following topics: • Reimaging the IDSM-2, page 10-125 • Reimaging the Maintenance Partition, page 10-127
When the application partition file has been installed, you are returned to the maintenance partition CLI. Step 8 Exit the maintenance partition CLI and return to the switch CLI.
After the application partition file has been downloaded, you are asked if you want to proceed: Upgrading will wipe out the contents on the hard disk. Do you want to proceed installing it [y|n]:
Obtaining Cisco IDS Software, page 9-1, for instructions on how to access the Software Center on Cisco.com. Step 2 Log in to the IDSM-2 CLI.
1 Step 4 Enter configuration mode: cat6k# configure terminal Step 5 Reimage the maintenance partition: cat6k(config)# upgrade ftp://user@ftp_server_IP_address directory_path image_file
Step 6 Specify the FTP server password: Password: ******** You are prompted to continue: Continue with upgrade? : Step 7 Type yes to continue.
• System Architectural Details, page A-44
• Summary of Applications, page A-49
System Overview
You can install Cisco IDS software on two platforms: the appliances and the modules (see Supported Sensors, page 1-16, for a list of current appliances and modules).
Architecture diagram (figure): components MainApp, LoggerApp, EventStore, IDAPI, AuthenticationApp, NotificationApp, CT Source, EventServer/CT Server/IDM Web Server; access paths Telnet, SSH/SCP, RDEP-HTTP/SSL, HTTP/SSL, SNMP Traps; external systems Master Blocking Sensor, Browsers, SNMP Server, IEV/MDC/...
– Transaction server—Allows external management applications such as the IDS MC to send control transactions to the sensor.
– IP log server—Used to serve IP logs to external systems.
The following is a sample output from the show version command. All the sensor's applications are displayed with their current status.
sensor# show version
Application Partition:
Cisco Systems Intrusion Detection Sensor, Version 4.1(3)S61
OS Version 2.4.18-5smpbigphys
Platform: IDS-4235
After initially installing the IDS on the network, you can tune it until it is operating efficiently and only producing information you think is useful.
• Version 4.x offers the following scalability enhancements:
– Provides gigabit sensing
– Addresses the scaling and performance limitations that are inherent in the postoffice architecture
Inline intrusion prevention
System Components
This section describes IDS components in more detail. This section contains the following topics:
• MainApp, page A-8
• SensorApp, page A-11
MainApp generates an error event identifying all applications that did not start. Close status event subscription. Start the upgrade scheduler. Register for control transaction requests, and service them as received.
MainApp shuts itself and all IDS components and applications down in the following sequence: Deregister control transaction requests. Stop the update scheduler. Open evStatus event subscription.
• Next downgrade version of each installed upgrade
• Platform version (for example, IDS-4240, WS-SVC-IDSM2)
• Version of sensor build on the other partition
MainApp also gathers the host statistics.
An engine is composed of a parser and an inspector. Each engine has a set of legal parameters that have allowable ranges or sets of values.
If the user's identity cannot be authenticated, AuthenticationApp returns an unauthenticated status and anonymous user privileges in the control transaction response. The control transaction response also indicates if the...
Configuring Authentication on the Sensor You must configure authentication on the sensor to establish appropriate security for user access. When you install a sensor, an initial cisco account with an expired password is created. A user with administrative access to the sensor accesses the sensor through the CLI or an IDS manager by logging in to the sensor using the default administrative account (cisco).
After verifying this, add this certificate to the browser's list of trusted Certificate Authorities (CAs) to establish permanent trust.
The sensor also generates IP logs. The messages and IP logs are accessible through the CLI, IDM, and RDEP clients.
Note The legacy applications are loggerd and sapd.
PIX Firewalls. A block is an entry in a device's configuration or ACL to block incoming/outgoing traffic for a specific host IP address or network address.
Note The legacy application is managed.
NAC application. The NAC application on the master blocking sensor then interacts with the devices it is managing to enable the block. Figure A-2 illustrates the NAC application.
• A block configured manually through the CLI, IDM, or the IDS MC
• A block configured permanently against a host or network address
ACL or after any blocks by specifying a postblock ACL. The Catalyst 6000 VACL device types can have a preblock and postblock VACL specified for each interface...
See NAC Events, page A-42, for more information.
You can enable/disable NAC through the IDS CLI or any IDS manager. When NAC is reenabled, it completely reinitializes itself, including rereading the current configuration for each controlled network device.
The ACLs maintained by NAC have a specific format that should not be used by user-defined ACLs. The naming convention is IDS_<ifname>_[in|out]_[0|1]. <ifname> corresponds to the name of the blocking interface as given in the NAC configuration.
The allow sensor_ip_address command (unless the allow sensor shun command has been configured)
Preblock ACL
The always block command entries from the configuration
Unexpired blocks from nac.shun.txt
Postblock ACL
If the time for the new block is less than or equal to the remaining minutes, no action is taken. Otherwise, the new block timeout replaces the existing block timeout.
The shun command does not replace existing ACLs, conduits, or outbound commands, so there is no need to cache the existing PIX Firewall configuration, nor to merge blocks into the PIX configuration.
PAT addressing, the PIX Firewall could block the entire inside network. To avoid these situations, position your sensor on the inside interface or do not configure the sensor to block.
• To map a VACL to a VLAN: set sec acl { aclname vlans
See Configuring Blocking Devices, page 10-67, for more information.
The transactionHandlerLoop uses the HttpClient classes to issue the RDEP control transaction request to the HTTP server on the remote node. The remote HTTP server handles the remote control transaction and returns the...
This section contains the following topics:
• User Account Roles, page A-30
• Service Account, page A-31
• CLI Behavior, page A-32
• Regular Expression Syntax, page A-34
Operators can perform all viewing and some administrative operations on a sensor, including the following:
– Modify their passwords
– Tune signatures
– Manage routers
The service account is not intended to be used for configuration purposes. Only modifications made to the sensor through the service account under the direction of TAC are supported. Cisco Systems does not support the addition and/or running of an additional service to the operating system through the service account, because it affects proper performance and proper functioning of the other IDS services.
• If multiple commands match for tab completion, nothing is displayed; the terminal repeats the current line you typed.
• Only commands available in the current mode are displayed by tab complete and help.
The default form of a command returns the command setting to the default value.
+—The plus (+) is similar to the asterisk, but there should be at least one match of the character to the left of the + sign in the expression.
Thus, the regular expression matches A9b3, but not 9Ab3, because the letters are specified before the numbers.
SensorApp is the only application that writes alert events into the EventStore. All applications write log, status, and error events into the EventStore.
IDS event consumer. Sufficient buffering depends on your requirements and the capabilities of the nodes in use. The oldest events in the circular buffer are replaced by the newest events.
• Request to reset an application instance's diagnostic data
• Request to restart an application instance
• Request for the NAC, such as a block request
This section contains the following topics:
• Alert Events, page A-40
• Status Events, page A-40
• Error Events, page A-41
The state information that may be reported varies by application, and many of the state elements are specific to a single application.
Error events are generated by an IDS application when the application detects an error or warning condition. The evError event contains an error code and a textual description of the error.
NAC communicates with other IDS applications through IDIOM control transactions and events. NAC generates evStatus events when the internal state changes and evError events when errors are detected.
Alerts that have been configured for resetting that do not use the TCP protocol are ignored.
This section provides information about other system architecture details. This section contains the following topics:
• Communications, page A-45
• IDAPI, page A-46
• RDEP, page A-47
• Sensor Directory Structure, page A-48
IDS as well as the operational messages that are used to configure and control intrusion detection systems. These messages consist of XML documents that conform to the IDIOM XML schema.
IDAPI provides the following services:
• Control transactions
– Initiates the control transaction.
– Waits for the inbound control transaction.
– Responds to the control transaction.
• /usr/cids/idsRoot/var—Stores files created dynamically while the sensor is running.
• /usr/cids/idsRoot/var/updates—Stores files and logs for update installations.
• /usr/cids/idsRoot/var/virtualSensor—Stores files used by SensorApp to analyze regular expressions.
• /usr/cids/idsRoot/tmp—Stores the temporary files created during run time of the sensor.
Summary of Applications
Table A-2 gives a summary of the applications that make up IDS.
Responds to IP logging control transactions that turn logging on and off and that send and delete IP log files.
4. SensorApp is formerly known as packetd in the legacy IDS.
5. This is a WebServer servlet.
6. This is a remote control transaction proxy.
Appendix A Intrusion Detection System Architecture Summary of Applications
• You should back up a good configuration. If your current configuration becomes unusable, you can replace it with the backup version. See Creating and Using a Backup Configuration File, page 10-28, for the procedure.
IDs.
Note You should note the specific software version for that configuration. You can push the copied configuration only to a sensor of the same version.
Reimaging changes the sensor's SSH keys and HTTPS certificate. See Adding Known Hosts to the SSH Known Hosts List, page 10-19, for the procedure. Create previous users. See Adding a User, page 10-16, for the procedure.
• Cannot Access the Sensor Through the IDM or Telnet and/or SSH, page B-5
• IDM Cannot Access the Sensor, page B-7
• Access List Misconfiguration, page B-10
• Duplicate IP Address Shuts Interface Down, page B-10
--- System Configuration Dialog ---
At any point you may enter a question mark '?' for help.
Internet address is 10.89.146.110, subnet mask is 255.255.255.0, telnet is enabled.
Hardware is eth1, tx...
Step 1 If you can access the sensor through SSH, verify that you are accessing the correct port on the sensor and that you are making the correct HTTP versus HTTPS selection. You are correctly addressing the sensor.
Sensor up-time is 20 days.
Using 214319104 out of 921522176 bytes of available memory (23% usage)
Using 596M out of 15G bytes of available disk space (5% usage)
Step 4 If the Web server is still running, verify that the firewall has an open port for the sensor.
Linux prevents the command and control interface Ethernet port from activating if it detects an address conflict with another host.
• Bad Memory on the IDS-4250-XL, page B-18
Sensing Process Not Running
The sensing process (SensorApp) should always be running. If it is not, you do not receive any alerts.
* IDS-K9-min-4.1-1-S47 12:00:00 UTC Thu Jun 30 2005
IDS-K9-sp-4.1-3-S61.rpm.pkg 14:14:55 UTC Fri Feb 20 2004
Recovery Partition Version 1.2 - 4.1(1)S47
If you do not have the latest software updates, download them from Cisco.com. See Obtaining Cisco IDS Software, page 9-1, for the procedure.
Step 5 Verify again that the interfaces are up and that the packet count is increasing.
sensor# show interface sensing
Sensing int0 is up
Hardware is eth0, TX Reset port
Step 2 Make sure the interfaces are up and receiving packets:
sensor# show interfaces sensing
Sensing int0 is down
Hardware is eth0, TX Reset port
To delete SensorApp, follow these steps:
Step 1 Log in to the service account.
Step 2 Su to root.
Step 3 Stop the IDS applications:
/etc/init.d/cids stop
Arg02=single
This forces SensorApp to run in single processor mode.
Note Running SensorApp in single processor mode can cause a drop in packet-processing performance.
See Verifying NAC is Running, page B-19, for the procedure. Verify that NAC is connecting to the network devices. See Verifying NAC is Connecting, page B-20, for the procedure.
Sensor up-time is 20 days.
Using 214319104 out of 921522176 bytes of available memory (23% usage)
Using 596M out of 15G bytes of available disk space (5% usage)
Communications = telnet
NetDevice
Type = Cisco
IP = 5.5.5.5
NATAddr = 0.0.0.0
Communications = ssh-des
ShunInterface
InterfaceName = fa0/0
InterfaceDirection = in
InterfacePreShun = preAcl
IDS-K9-sp-4.1-3-S61.rpm.pkg 14:14:55 UTC Fri Feb 20 2004
Recovery Partition Version 1.2 - 4.1(1)S47
If you do not have the latest software updates, download them from Cisco.com. See Obtaining Cisco IDS Software, page 9-1, for the procedure.
Step 5 Read the Readme that accompanies the software upgrade for any known DDTS for NetworkAccess.
> Manual Blocking > Host Manual Blocks.
To initiate a manual block to a bogus host, follow these steps:
Step 1 Enter configuration mode:
sensor# configure terminal
To enable SSH connections to the network device, follow these steps:
Step 1 Log in to the CLI.
Step 2 Enter configuration mode:
sensor# configure terminal
Initiate a manual block to a bogus host IP address to make sure the MBS is initiating blocks:
Enter configuration mode:
sensor# configure terminal
Enter the NAC's service configuration mode:
sensor(config)# service NetworkAccess
Enter general NAC configuration mode:
sensor(config-NetworkAccess)# general
MasterBlockingSensor
SensorIp = 10.89.149.46
SensorPort = 443
UseTls = 1
State
ShunEnable = true
ShunnedAddr
Host
IP = 10.16.0.0
ShunMinutes = 60
MinutesRemaining = 59
• Directing cidLog Messages to SysLog, page B-31
Enabling Debug Logging
Caution Enabling debug logging seriously affects performance and should only be done when instructed by TAC.
-----------------------------------------------
zoneControl (min: 0, max: 999999999, current: 8)
-----------------------------------------------
zoneName: Cid
default: Cid
severity: debug
default: debug
Step 14 Enter the submode for a specific zone, for example, the EventStore:
sensor(config-Logger)# zoneControl zoneName IdsEventStore
Step 15 Turn on debugging for the EventStore:
sensor(config-Logger-zon)# severity debug
IDSM-2 master partition installer zone
ctlTransSource Outbound control transactions zone
SSL/TLS zone
Directing cidLog Messages to SysLog
It might be useful to direct cidLog messages to syslog.
The syslog output is sent to the syslog facility local6 with the following correspondence to syslog message priorities:
LOG_DEBUG // debug
LOG_INFO // timing
LOG_WARNING // warning
LOG_ERR // error
LOG_CRIT // fatal
• Verifying that the Sensor is Synchronized with the NTP Server, page B-34
• NTP Server Connectivity Problem, page B-35
• NTP Reconfiguration Defect, page B-35
1052 f614 sys.peer reachable
1053 9014 none reject reachable
If the message Node MUST be rebooted to enable alarming has occurred, and you do not have an NTP server connectivity problem, you have encountered the NTP reconfiguration defect (CSCed84480).
Here is an example of an NTP configuration:
sensor(config-Host-tim)# ntpServers ipAddress 10.87.126.52
sensor(config-Host-tim-ntp)# keyid 10
sensor(config-Host-tim-ntp)# keyvalue cisco
Enter virtual sensor mode:
sensor(config)# service virtual-sensor-configuration virtualSensor
Check the EventAction parameter:
sensor(config-vsc)# tune-micro-engines
sensor(config-vsc-virtualSensor)# string.tcp
sensor(config-vsc-virtualSensor-STR)# sig sigid 20000
sensor(config-vsc-virtualSensor-STR-sig)# show settings
13:58:03.823930 172.16.171.19.32770 > 172.16.171.13.telnet: R 80:80(0) ack 62 win 0
13:58:03.823930 172.16.171.19.32770 > 172.16.171.13.telnet: R 80:80(0) ack 62 win 0
13:58:03.823930 172.16.171.19.32770 > 172.16.171.13.telnet: R 80:80(0) ack 62 win 0
• Verifying the Version of the IDSM-2 and NM-CIDS 4.1(4) Images, page B-42
• Updating a Sensor with the Update Stored on the Sensor, page B-43
IDS-maj-w.x-y-Sz.rpm.pkg
In this naming convention, maj is the update type, w is the major version level, x is the minor version level, y is the service pack level, and Sz is the signature level.
IDS-sig-4.0-2-S44.rpm.pkg—Signature Update
IDS-K9-sp-4.0-2-S42.rpm.pkg—Service Pack Update
IDS-K9-min-4.1-1-S50.rpm.pkg—Minor Version Update
IDS-K9-maj-5.0-1-S60.rpm.pkg—Major Version Update
If you modify the FTP prompts to give security warnings, for example, this causes a problem, because the sensor is expecting a hard-coded list of responses.
Verifying the Version of the IDSM-2 and NM-CIDS 4.1(4) Images
The 4.1(4) application partition files for the IDSM-2 and the NM-CIDS have been repackaged. The following new files exist:
• IDSM-2—WS-SVC-IDSM2-K9-a-4.1-4-S91a.bin.gz
• NM-CIDS—NM-CIDS-K9-a-4.1-4-S91a.bin
• Some IDSM-2s were shipped with faulty DIMMs.
• See the Partner Field 52563 for the procedure for checking the IDSM-2 for faulty memory.
Determine if the IDSM-2 responds to pings and if you can log in through the service account. If you can log in, obtain a cidDump and any core files and contact TAC.
Multilayer Switch Featu WS-F6K-MSFC2
10/100BaseTX Ethernet WS-X6548-RJ-45
1000BaseX Ethernet WS-X6408-GBIC
Intrusion Detection Sys WS-X6381-IDS
FlexWAN Module WS-X6182-2PA
Intrusion Detection Sys WS-x6381-IDS
Intrusion Detection Sys WS-SVC-IDSM2 yes ok
0002.7e38.7630 to 0002.7e38.7631 7.1(1) 12.1(19)E1
000e.8336.d730 to 000e.8336.d75f 7.2(1) 7.6(1.6)T195 Ok
0030.961a.b194 to 0030.961a.b19b 5.4(2) 7.6(1.6)T195 Ok
0002.7ef9.9c80 to 0002.7ef9.9c81 4B4LZ0XA 3.0(6)S42
0008.7cd5.2340 to 0008.7cd5.237f 12.1(19)E1 12.1(19)E1
• If the hard-disk drive status has failed, reimage the application partition.
To enable the module, follow these steps:
Step 1 Log in to the console.
Step 2 Make sure you can ping the command port from any other system.
Step 3 Make sure the IP address, mask, and gateway settings are correct:
router# show configuration
Intrusion-detection module 6 management-port:
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Step 3 Configure the terminal server port to be 19200 baud, 8 bits, no parity.
The show tech-support command is useful for capturing all the sensor’s status and configuration information. This section contains the following topics: show tech-support Command, page B-53 • • Displaying Tech Support Information, page B-53 Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1 B-52 78-15597-02...
The following parameters are optional: • page—Displays the output, one page of information at a time. password—Leaves passwords and other security information in the output. • Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1 B-53 78-15597-02...
Page 432
, type the following command: /absolute/reports/sensor1Report.html sensor# show tech support dest ftp://csidsuser@10.2.1.2//absolute/reports/sensor1Report.html prompt appears. password: Type the password for this user account. message is displayed. Generating report: Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1 B-54 78-15597-02...
The show version command is useful for establishing the general health of the sensor. This section contains the following topics: show version Command, page B-57 • Displaying the Current Version, page B-57 • Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1 B-56 78-15597-02...
Sensor up-time is 20 days. Using 214319104 out of 921522176 bytes of available memory (23% usage) Using 596M out of 15G bytes of available disk space (5% usage) Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1 B-57 78-15597-02...
Page 437
Appendix B Troubleshooting Gathering Information
Upgrade History:
No upgrades installed
Use the show statistics ? command to list the following services that provide the statistics:
• Authentication
• EventServer
• EventStore
• Host
• Logger
For example, here are statistics for the EventStore:
sensor# show statistics EventStore
Event store statistics
General information about the event store
The current number of open subscriptions = 0
Alert events, medium = 0
Alert events, high = 0
The following is an example of the show statistics command output for the Logger service:
• Whether or not packets are being dropped by SensorApp
• Whether or not there are errors being reported by the interfaces that can result in packet drops
RX bytes:143231073 (136.5 Mb) TX bytes:1783147 (1.7 Mb)
Interrupt:16 Base address:0xdcc0 Memory:feb20000-feb40000
The command and control port is up. You are receiving packets and none are being dropped.
show events Command
You can use the show events command to view the alerts generated by SensorApp and errors generated by an application.
Here are the parameters for the show events command:
sensor# show events
<cr>
alert        Display local system alerts
error        Display error events
hh:mm[:ss]   Display start time
             Display log events
Display events from a specific time:
sensor# show events hh:mm month day year
For example, show events 14:00 September 2 2002 displays all events since 2:00 p.m. September 2, 2002.
To run the cidDump script, follow these steps:
Step 1 Log in to the sensor service account.
Step 2 Su to root using the service account password.
Step 3 Type cidDump /usr/cids/idsRoot/bin/cidDump.
You can upload large files, for example, cidDump.html, the show tech-support command output, and cores, to the ftp-sj server. To upload and access files on the Cisco FTP site, follow these steps:
Step 1 Log in to ftp-sj.cisco.com as anonymous.
Step 2 Change to the /incoming directory.