Cisco 4215 - Intrusion Detection Sys Sensor Configuration Manual

Configuration guide

Cisco Intrusion Prevention System Sensor
CLI Configuration Guide for IPS 5.0
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Customer Order Number: DOC-7816527=
Text Part Number: 78-16527-01


Summary of Contents for Cisco 4215 - Intrusion Detection Sys Sensor

  • Page 2 OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks.
  • Page 3: Table Of Contents

    Logging In to NM-CIDS Logging In to AIP-SSM Logging In to the Sensor Initializing the Sensor CHAPTER Overview System Configuration Dialog Initializing the Sensor Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0 78-16527-01...
  • Page 4 Generating a New SSH Server Key 4-34 Configuring TLS 4-34 About TLS 4-34 Adding TLS Trusted Hosts 4-35 Displaying and Generating the Server Certificate 4-37 Installing the License Key 4-37
  • Page 5 Event Action Filters About Event Action Filters Configuring Event Action Filters 6-10 General Settings 6-14 About General Settings 6-15 Event Action Summarization 6-15 Event Action Aggregation 6-15 Deny Attackers 6-16
  • Page 6 Creating Custom Signatures 7-29 Sequence for Creating a Custom Signature 7-29 Example STRING.TCP Signature 7-30 Example SERVICE.HTTP Signature 7-32 Example MEG Signature 7-33 Example AIC MIME-Type Signature 7-36
  • Page 7 10-19 Routers and ACLs 10-19 Configuring the Sensor to Manage Cisco Routers 10-20 Configuring the Sensor to Manage Catalyst 6500 Series Switches and Cisco 7600 Series Routers 10-21 Switches and VACLs 10-21...
  • Page 8 Configuring the Sensor to Manage Catalyst 6500 Series Switches and Cisco 7600 Series Routers 10-22 Configuring the Sensor to Manage Cisco Firewalls 10-24 Configuring the Sensor to be a Master Blocking Sensor 10-25 Configuring Manual Blocking 10-27 Obtaining a List of Blocked Hosts and Connections...
  • Page 9 Cisco IOS Software 15-15 Configuring the Catalyst Series 6500 Switch for IDSM-2 in Inline Mode 15-16 Catalyst Software 15-17 Cisco IOS Software 15-18 Configuring EtherChanneling 15-20 Overview 15-20
  • Page 10 CHAPTER Overview 17-1 Upgrading the Sensor 17-2 Overview 17-2 Upgrade Command and Options 17-2 Using the Upgrade Command 17-3 Upgrading the Recovery Partition 17-4 Configuring Automatic Upgrades 17-5
  • Page 11 Service Programs for IPS Products 18-7 Installing the License Key 18-8 Using IDM 18-8 Using the CLI 18-9 Cisco Security Center 18-11 Cisco IPS Active Update Bulletins 18-11 Accessing IPS Documentation 18-12
  • Page 12 A-21 Web Server A-22 SensorApp A-22 Responsibilities and Components A-23 Packet Flow A-24 SEAP A-25 New Features A-26 A-28 User Roles A-28 Service Account A-29 CLI Behavior A-30
  • Page 13 SERVICE.FTP Engine B-15 SERVICE.GENERIC Engine B-16 SERVICE.H225 Engine B-16 Overview B-17 SERVICE.H225 Engine Parameters B-17 SERVICE.HTTP Engine B-19 Overview B-19 SERVICE.HTTP Engine Parameters B-19 SERVICE.IDENT Engine B-20
  • Page 14 Cleaning Up a Corrupted SensorApp Configuration C-14 Bad Memory on IDS-4250-XL C-15 Blocking C-15 Troubleshooting Blocking C-15 Verifying Network Access Controller is Running C-16 Verifying Network Access Controller Connections are Active C-17
  • Page 15 Connecting a Serial Cable to IDSM-2 C-44 Troubleshooting AIP-SSM C-44 Gathering Information C-46 Tech Support Information C-47 Overview C-47 Displaying Tech Support Information C-47 Tech Support Command Output C-48
  • Page 16 C-63 Clearing Events C-66 cidDump Script C-66 Uploading and Accessing Files on the Cisco FTP Site C-67 GLOSSARY INDEX
  • Page 17 Elements in square brackets are optional. {x | y | z } Required alternative keywords are grouped in braces and separated by vertical bars.
  • Page 18 Means reader be warned. In this situation, you might perform an action that could result in bodily injury. Related Documentation For more information on Cisco IPS, refer to the following documentation found at this URL: http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/tsd_products_support_series_home.html Documentation Roadmap for Cisco Intrusion Prevention System •...
  • Page 19 Obtaining Documentation and Submitting a Service Request For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html...
  • Page 21: Overview

    Documentation Roadmap for Cisco Intrusion Prevention System 5.0 that shipped with your sensor for information on locating all IPS 5.0 documents on Cisco.com. You can also use an IPS manager to configure your sensor. Refer to the Documentation Roadmap for Cisco Intrusion Prevention System 5.0...
  • Page 22: Sensor Configuration Task Flow

    Chapter 8, “Configuring IP Logging.” Configure blocking. For the procedures, see Chapter 10, “Configuring Blocking.” Configure SNMP if you are going to use it. For the procedures, see Chapter 11, “Configuring SNMP.”
  • Page 23: User Roles

    Monitoring applications only require viewer access to the sensor. You can use the CLI to set up a user account with viewer privileges and then configure the event viewer to use this account to connect to the sensor.
  • Page 24: Cli Behavior

    If you enter the token without the space, a selection of available tokens for the completion (with no help description) appears:
    sensor# show c?
    clock configuration
    sensor# show c
    Only commands available in the current mode are displayed by help.
  • Page 25: Command Line Editing

    Spacebar: Enables you to see more output on the terminal screen. Press the Spacebar when you see the ---More--- line on the screen to display the next screen.
  • Page 26: Ips Command Modes

    The IPS CLI has the following command modes:
    • privileged EXEC—Entered when you log in to the CLI interface.
    • global configuration—Entered from privileged EXEC mode by typing configure terminal. The command prompt is sensor(config)#
  • Page 27: Regular Expression Syntax

    Similar to * but there should be at least one match of the character to the left of the + sign in the expression. Matches the character to its left 0 or 1 times.
  • Page 28 For example, the regular expression can match aZbcTZT. The software remembers that the first character is Z and the second character is T and then uses Z and T again later in the regular expression.
  • Page 29: General Cli Commands

    You can only use the default keyword with commands that specify a default value in the configuration files.
  • Page 31: Logging In To The Sensor

    Use this account for support and troubleshooting purposes only. Unauthorized modifications are not supported and will require the sensor to be reimaged to guarantee proper operation. You can create only one user with the service role.
  • Page 32: Logging In To The Appliance

    The default username and password are both cisco. You are prompted to change them the first time you log in to the appliance. You must first enter the UNIX password, which is cisco. Then you must enter the new password twice.
  • Page 33: Setting Up A Terminal Server

    You can use terminal servers to remotely manage network equipment, including appliances. To set up a Cisco terminal server with RJ-45 or hydra cable assembly connections, follow these steps: Connect to a terminal server using one of the following methods:...
  • Page 34: Logging In To Idsm-2

    To session to IDSM-2, follow these steps:
    Step 1 Session to IDSM-2 from the switch:
    • For Catalyst Software: cat6k>(enable) session slot_number
    • For Cisco IOS software: router# session slot_number processor 1
  • Page 35: Logging In To Nm-Cids

    Note: The default username and password are both cisco. You are prompted to change them the first time you log in to IDSM-2. You must first enter the UNIX password, which is cisco. Then you must enter the new password twice.
  • Page 36 Note: The default username and password are both cisco. You are prompted to change them the first time you log in to NM-CIDS. You must first enter the UNIX password, which is cisco. Then you must enter the new password twice.
  • Page 37: Logging In To Aip-Ssm

    Note: The default username and password are both cisco. You are prompted to change them the first time you log in to AIP-SSM. You must first enter the UNIX password, which is cisco. Then you must enter the new password twice.
  • Page 38: Logging In To The Sensor

    If you are unable to comply with U.S. and local laws, return this product immediately. A summary of U.S. laws governing Cisco cryptographic products may be found at: http://www.cisco.com/wwl/export/crypto/tool/stqrg.html If you require further assistance please contact us by sending email to export@cisco.com.
  • Page 39: Chapter 3 Initializing The Sensor

    , the configuration is saved. If you type , the configuration is not saved and the process begins again. There is no default for this prompt; you must type either...
  • Page 40: Initializing The Sensor

    Or, if you have created the service account for support purposes, you can have TAC create a password. For more information, see Creating the Service Account, page 4-13.
  • Page 41: Initializing The Sensor

    0-255, nn specifies the number of bits in the netmask, and Y.Y.Y.Y specifies the default gateway as a 32-bit address written as 4 octets separated by periods where Y = 0-255.
  • Page 42 The default is april. Specify the week you want to start summertime settings. Valid entries are first, second, third, fourth, fifth, and last. The default is first.
  • Page 43 Specify the standard time offset. The default is 0. Specify the standard time zone offset from UTC in minutes (negative numbers represent time zones west of the Prime Meridian).
  • Page 44 Continue with reset? []:
    Step 19 Type to continue the reboot.
    Step 20 Display the self-signed X.509 certificate (needed by TLS):
    sensor# show tls fingerprint
    MD5: C4:BC:F2:92:C2:E2:4D:EB:92:0F:E4:86:53:6A:C6:01
    SHA1: 64:9B:AC:DE:21:62:0C:D3:57:2E:9B:E5:3D:04:8F:A7:FD:CD:6F:27
  • Page 45: Verifying Initialization

    ! ------------------------------
    service host
    network-settings
    host-ip 10.89.146.110/24,10.89.146.254
    host-name sensor
    telnet-option enabled
    access-list 10.0.0.0/8
    access-list 10.89.0.0/16
    access-list 64.101.0.0/16
    access-list 10.89.149.31/32
    access-list 64.102.0.0/16
    ftp-timeout 150
    exit
    exit
    time-zone-settings
    offset -360
  • Page 46 SHA1: 64:9B:AC:DE:21:62:0C:D3:57:2E:9B:E5:3D:04:8F:A7:FD:CD:6F:27
    Step 4 Write down the certificate fingerprints. You will need these to check the authenticity of the certificate when connecting to this sensor with a web browser.
  • Page 47: Changing Network Settings

    • Enabling and Disabling Telnet, page 4-4
    • Changing the Access List, page 4-5
    • Changing the FTP Timeout, page 4-7
    • Adding a Login Banner, page 4-8
  • Page 48: Changing The Hostname

    Step 6 sensor(config-hos-net)# show settings
    network-settings
    -----------------------------------------------
    host-ip: 10.89.130.108/23,10.89.130.1 default: 10.1.9.201/24,10.1.9.1
    host-name: sensor <defaulted>
    telnet-option: enabled default: disabled
    access-list (min: 0, max: 512, current: 1)
    -----------------------------------------------
    network-address: 0.0.0.0/0
    -----------------------------------------------
  • Page 49: Changing The Ip Address, Netmask, And Gateway

    -----------------------------------------------
    host-ip: 10.89.146.110/24,10.89.146.254 default: 10.1.9.201/24,10.1.9.1
    host-name: sensor default: sensor
    telnet-option: enabled default: disabled
    access-list (min: 0, max: 512, current: 1)
    -----------------------------------------------
    network-address: 0.0.0.0/0
    -----------------------------------------------
  • Page 50: Enabling And Disabling Telnet

    Step 1 Log in to the sensor using an account with administrator privileges.
    Step 2 Enter network settings mode:
    sensor# configure terminal
    sensor(config)# service host
    sensor(config-hos)# network-settings
    Step 3 Enable Telnet services:
    sensor(config-hos-net)# telnet-option enabled
  • Page 51: Changing The Access List

    To modify the access list, follow these steps:
    Step 1 Log in to the sensor using an account with administrator privileges.
    Step 2 Enter network settings mode:
    sensor# configure terminal
    sensor(config)# service host
    sensor(config-hos)# network-settings
  • Page 52 Step 8 Verify the value has been set back to the default:
    sensor(config-hos-net)# show settings
    network-settings
    -----------------------------------------------
    host-ip: 10.89.130.108/23,10.89.130.1 default: 10.1.9.201/24,10.1.9.1
    host-name: sensor <defaulted>
    telnet-option: enabled default: disabled
    access-list (min: 0, max: 512, current: 0)
    -----------------------------------------------
  • Page 53: Changing The Ftp Timeout

    (min: 0, max: 512, current: 1)
    -----------------------------------------------
    network-address: 0.0.0.0/0
    -----------------------------------------------
    -----------------------------------------------
    ftp-timeout: 500 seconds default: 300
    login-banner-text: <defaulted>
    -----------------------------------------------
    sensor(config-hos-net)#
  • Page 54: Adding A Login Banner

    This is the banner login text message.
    Step 4 Verify the banner login text message:
    sensor(config-hos-net)# show settings
    network-settings
    -----------------------------------------------
    host-ip: 10.89.130.108/23,10.89.130.1 default: 10.1.9.201/24,10.1.9.1
    host-name: sensor default: sensor
    telnet-option: enabled default: disabled
  • Page 55: Changing Web Server Settings

    We recommend that you not reveal to attackers that you have an IPS sensor. Change the server-id to anything that does not reveal any information, especially if your web server is available to the Internet.
  • Page 56 Verify the defaults have been replaced:
    sensor(config-web)# show settings
    enable-tls: true <defaulted>
    port: 443 <defaulted>
    server-id: HTTP/1.1 compliant <defaulted>
    sensor(config-web)#
    Step 9 Exit web server submode:
    sensor(config-web)# exit
    Apply Changes:?[yes]:
  • Page 57: Configuring User Parameters

    For the procedure, see Creating the Service Account, page 4-13.
  • Page 58 A list of users is displayed.
    Step 5 To remove a user, use the no form of the command:
    sensor# configure terminal
    sensor(config)# no username jsmith
  • Page 59: Password Recovery

    Adding services to the operating system through the service account affects proper performance and functioning of the other IPS services. TAC does not support a sensor on which additional services have been added.
  • Page 60: Configuring Passwords

    To change the password for another user or reset the password for a locked account, follow these steps:
    Step 1 Log in to the CLI using an account with administrator privileges. Enter configuration mode:
    sensor# configure terminal
  • Page 61: Changing User Privilege Levels

    Warning: The privilege change does not apply to current CLI sessions. It will be applied to subsequent logins.
    sensor(config)#
  • Page 62: Viewing User Status

    Step 3 sensor# show users all
    CLI ID   User       Privilege
    13491    cisco      administrator
    5824     (jsmith)   viewer
    9802     tester     operator
    sensor#
    The account of the user jsmith is locked.
  • Page 63: Configuring Account Locking

    If you experience problems after your SSH client connects but before it prompts for a password, you need to enable challenge-response authentication. Refer to the documentation for your SSH client for instructions.
  • Page 64: Configuring Time

    NTP key ID, and the NTP key value. You can set up NTP on the appliance during initialization or you can configure NTP through the CLI, IDM, or ASDM. Note: We recommend that you use an NTP time synchronization source.
  • Page 65 You can configure NM-CIDS to use NTP during initialization or you can set up NTP through the CLI, IDM, or ASDM. Note: We recommend that you use an NTP time synchronization source.
  • Page 66: Correcting Time On The Sensor

    For more information on the clear events command, see Clearing Events from the Event Store, page 13-7. Caution: You cannot remove individual events.
  • Page 67: Configuring Time On The Sensor

    22:39:21 CST Sat Jan 25 2003
    Time source is NTP
    Summer time starts 02:00:00 CST Sun Apr 7 2004
    Summer time ends 02:00:00 CDT Sun Oct 27 2004
  • Page 68: Configuring Summertime Settings

    You can configure summertime settings if you did not do so during initialization of the sensor. Or you can change them after initialization. Note: Summertime is a term for daylight saving time.
  • Page 69 12:00:00 default: 02:00:00
    -----------------------------------------------
    sensor(config-hos-rec-sta)#
    Step 5 Enter end summertime submode:
    sensor(config-hos-rec-sta)# exit
    sensor(config-hos-rec)# end-summertime
  • Page 70 12:00:00 default: 02:00:00
    -----------------------------------------------
    end-summertime
    -----------------------------------------------
    month: october default: october
    week-of-month: last default: last
    day-of-week: friday default: sunday
    time-of-day: 05:15:00 default: 02:00:00
  • Page 71 The format is hh:mm:ss. Verify your settings:
    sensor(config-hos-non-sta)# show settings
    start-summertime
    -----------------------------------------------
    date: 2004-05-15
    time: 12:00:00
    -----------------------------------------------
    sensor(config-hos-non-sta)#
    Step 5 Enter end summertime submode:
    sensor(config-hos-non-sta)# exit
    sensor(config-hos-non)# end-summertime
  • Page 72 -----------------------------------------------
    sensor(config-hos-non)#
    Step 10 Exit non-recurring summertime submode:
    sensor(config-hos-non)# exit
    sensor(config-hos)# exit
    Apply Changes:?[yes]:
    Step 11 Press Enter to apply the changes or type to discard them.
  • Page 73: Configuring Timezones Settings

    Step 7
    Configuring NTP
    This section describes how to configure a Cisco router to be an NTP server and how to configure the sensor to use an NTP server as its time source. It contains the following topics:
    • Configuring a Cisco Router to be an NTP Server, page 4-28...
  • Page 74 The sensor requires an authenticated connection with an NTP server if it is going to use the NTP server as its time source. The sensor supports only the MD5 hash algorithm for key encryption. Use the following procedure to activate a Cisco router to act as an NTP server and use its internal clock as the time source.
  • Page 75 100 md5-key attack
    Step 7 Verify the NTP settings:
    sensor(config-hos-ena)# show settings
    enabled
    -----------------------------------------------
    ntp-keys (min: 1, max: 1, current: 1)
    -----------------------------------------------
    key-id: 100
    -----------------------------------------------
    md5-key: attack
  • Page 76: Configuring Ssh

    • IP source routing—A host pretends an IP packet comes from another trusted host.
    • DNS spoofing—An attacker forges name server records.
    • Interception of clear text passwords and other data by intermediate hosts.
  • Page 77: Adding Hosts To The Known Hosts List

    SSH. These hosts are SSH servers that the sensor needs to connect to for upgrades and file copying, and other hosts, such as Cisco routers, PIX Firewalls, and Catalyst switches that the sensor will connect to for blocking.
  • Page 78: Adding Ssh Authorized Public Keys

    You configure your own list of SSH authorized keys. Note: An administrator cannot manage the list of SSH authorized keys for other users on the sensor.
  • Page 79 If you type the former id, you receive an error message:
    sensor# show ssh authorized-keys system1
    Error: Requested id does not exist for the current user.
    sensor#
  • Page 80: Generating A New Ssh Server Key

    SSL protocol. When you enter a URL into the web browser that starts with https://ip_address, the web browser responds by using either TLS or SSL protocol to negotiate an encrypted session with the host.
  • Page 81: Adding Tls Trusted Hosts

    For these sessions to be secure from man-in-the-middle attacks you must establish trust of the remote web servers’ TLS certificates. A copy of the TLS certificate of each trusted remote host is stored in the trusted hosts list.
  • Page 82 Step 6 Remove an entry from the trusted hosts list:
    sensor# configure terminal
    sensor(config)# no tls trusted-host 10.89.146.110
    The host is removed from the trusted hosts list.
  • Page 83: Displaying And Generating The Server Certificate

    Although the sensor functions without the license, you must have a license to obtain signature updates. To obtain a license, you must have a Cisco Service for IPS contract. Contact your reseller, Cisco service or product sales to purchase a contract.
  • Page 84 You can view the status of the IPS subscription license key on the Licensing panel in IDM or ASDM. You can obtain a license key from the Cisco.com licensing server, which is then delivered to the sensor. Or, you can update the sensor license key from a license key provided in a local file.
  • Page 85 Note the device with that number. Your Cisco IPS Signature Subscription Service license key will be sent by e-mail to the e-mail address you specified. Save the license key to a system that has a web server, FTP server, or SCP server.
  • Page 86: Cisco Intrusion Prevention System Sensor Cli Configuration Guide For Ips

    Step 7 Copy your license key from a sensor to a server to keep a backup copy of the license:
    sensor# copy license-key scp://user@10.89.147.3://tftpboot/dev.lic
    Password: *******
    sensor#
  • Page 87: Understanding Interfaces

    To configure the sensor so that traffic continues to flow through inline pairs even when SensorApp is not running, you can enable bypass mode. Bypass mode minimizes dataflow interruptions during reconfiguration, service pack installation, or software failure.
  • Page 88: Interface Support

    1/0<->1/2 GigabitEthernet0/1 FastEthernet1/1 1/0<->1/3 FastEthernet1/2 1/1<->1/2 FastEthernet1/3 1/1<->1/3 1/2<->1/3 IDS-4235 TX (GE) TX onboard + TX PCI 0/0<->1/0 GigabitEthernet0/1 GigabitEthernet0/0 + 0/0<->2/0 GigabitEthernet1/0 or GigabitEthernet2/0 IDS-4250 — None
  • Page 89 0/0<->0/1 Management0/0 GigabitEthernet0/0 0/0<->0/2 GigabitEthernet0/1 0/0<->0/3 GigabitEthernet0/2 0/1<->0/2 GigabitEthernet0/3 0/1<->0/3 0/2<->0/3 NM-CIDS — None AIP-SSM-10 — GigabitEthernet0/1 By security GigabitEthernet0/0 context AIP-SSM-20 — GigabitEthernet0/1 By security GigabitEthernet0/0 context
  • Page 90: Promiscuous Mode

    Note: AIP-SSM is configured for promiscuous mode from the ASA CLI and not from the IPS CLI. For the procedure, see Configuring ASA to Send IPS Traffic to AIP-SSM, page 14-3.
  • Page 91
    • 100—Sets the interface to 100 MB (for TX interfaces only).
    • 1000—Sets the interface to 1 GB (for Gigabit interfaces only).
    Note: The speed option is protected on all modules.
  • Page 92 GigabitEthernet0/2
    -----------------------------------------------
    media-type: tx <protected>
    description: INT1 default:
    admin-state: enabled default: disabled
    duplex: full default: auto
    speed: 1000 default: auto
    alt-tcp-reset-interface
    -----------------------------------------------
    none
    -----------------------------------------------
    -----------------------------------------------
    -----------------------------------------------
    -----------------------------------------------
    sensor(config-int-phy)#
  • Page 93: Inline Mode

    • default—Sets the value back to the system default setting.
    • description—Your description of the inline interface pair.
    • interface1—The first interface in the inline interface pair.
  • Page 94: Assigning Interfaces To The Virtual Sensor

    You can assign either a physical interface or a logical inline interface pair to the virtual sensor. Make sure that you have created any inline pairs before assigning them to the virtual sensor.
  • Page 95: Bypass Mode

    Bypass mode only functions when the operating system is running. If the sensor is powered off or shut down, bypass mode does not work—traffic is not passed to the sensor. Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0 78-16527-01...
  • Page 96: Configuring Bypass Mode

    Use the interface-notifications command in the service interface submode to configure traffic notifications. Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0 5-10 78-16527-01...
  • Page 97 ----------------------------------------------- sensor(config-int-int)# Step 9 Exit interface notifications submode: sensor(config-int-int)# exit sensor(config-int)# exit Apply Changes:?[yes]: Step 10 Press Enter to apply the changes or type to discard them. Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0 5-11 78-16527-01...
  • Page 98 Chapter 5 Configuring Interfaces Configuring Interface Notifications Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0 5-12 78-16527-01...
  • Page 99: About Event Action Rules

    • Adding event action overrides • Filtering event actions • Executing the resulting event action • Summarizing and aggregating events • Maintaining a list of denied attackers
  • Page 100: Signature Event Action Processor

    It starts with the signature event with configured action received in the alarm channel and flows top-to-bottom as the signature event passes through the functional components of the SEAP.
  • Page 101: Event Actions

    Deny Connection Inline Does not transmit this packet and future packets on the TCP flow (inline mode only). Deny Packet Inline Does not transmit this packet (inline only).
  • Page 102: Task List For Configuring Event Action Rules

    Event Action Variables This section describes event action variables, and contains the following topics: • About Event Action Variables, page 6-5 • Configuring Event Action Variables, page 6-5
  • Page 103: About Event Action Variables

    The valid values for address are A.B.C.D-A.B.C.D [,A.B.C.D-A.B.C.D]. Step 4 Check the variable you just made: sensor(config-rul)# show settings variables (min: 0, max: 256, current: 2) ----------------------------------------------- variableName: variable1
  • Page 104: Calculating The Risk Rating

    RR than attacks against the desktop node. Note: RR is a product of ASR, SFR, TVR, and ARR, with an optional PD (promiscuous delta) subtracted in promiscuous mode only.
  • Page 105: Configuring Target Value Ratings

    Each event action has an associated RR range. If a signature event occurs and the RR for that event falls within the range for an event action, that action is added to the event. For
  • Page 106: Configuring Event Action Overrides

    Step 4 To request a block of the connection: sensor(config-rul)# overrides request-block-connection (then sensor(config-rul-ove)# exit). To request a block of the attacker host: sensor(config-rul)# overrides request-block-host (then sensor(config-rul-ove)# exit).
  • Page 107: Event Action Filters

    Filters work by removing actions from an event. A filter that removes all actions from an event effectively consumes the event.
  • Page 108: Configuring Event Action Filters

    Set the subsignature ID range: sensor(config-rul-fil)# subsignature-id-range 1-5 The default is 0 to 255. Set the attacker address range: sensor(config-rul-fil)# attacker-address-range 10.89.10.10-10.89.10.23 The default is 0.0.0.0 to 255.255.255.255.
  • Page 109 Chapter 6 Configuring Event Action Rules, Event Action Filters. Set the victim address range: sensor(config-rul-fil)# victim-address-range 192.56.10.1-192.56.10.255 The default is 0.0.0.0 to 255.255.255.255.
  • Page 110 1-343 default: 0-65535 risk-rating-range: 85-100 default: 0-100 actions-to-remove: reset-tcp-connection default: filter-item-status: Enabled default: Enabled stop-on-match: True default: False user-comment: This is a new filter. default: -----------------------------------------------
  • Page 111 0.0.0.0-255.255.255.255 <defaulted> victim-address-range: 0.0.0.0-255.255.255.255 <defaulted> attacker-port-range: 0-65535 <defaulted> victim-port-range: 0-65535 <defaulted> risk-rating-range: 0-100 <defaulted> actions-to-remove: <defaulted> filter-item-status: Enabled <defaulted> stop-on-match: False <defaulted> user-comment: <defaulted> -----------------------------------------------
  • Page 112: General Settings

    • Event Action Aggregation, page 6-15 • Deny Attackers, page 6-16 • Configuring the General Settings, page 6-16 • Clearing the Denied Attackers List, page 6-18
  • Page 113: About General Settings

    Only one alert every summary interval should fire for each address set. If the global summary threshold is reached, the signature goes into Global Summarization mode.
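    The summarization rule on this page (one alert per summary interval for each address set, and a switch to Global Summarization once the global summary threshold is reached) is easier to reason about in code. The following is an added example, not code from the Cisco guide or the sensor software: a simplified Python model of that logic. The parameter names summary_interval, summary_threshold and global_summary_threshold mirror the alert-frequency settings, but the threshold comparisons, the reset at each interval and the sample events are assumptions made for this example.

```python
from collections import defaultdict

# Added example (not from the Cisco guide): a simplified model of the alert
# summarization behaviour described under General Settings. Parameter names
# follow the sensor's alert-frequency settings; the threshold semantics and
# the per-interval reset are assumptions for illustration.


class AlertSummarizer:
    """Rate-limits alerts per address set (attacker, victim) within an interval."""

    def __init__(self, summary_interval=30, summary_threshold=3,
                 global_summary_threshold=10):
        self.interval = summary_interval                   # seconds per summary window
        self.threshold = summary_threshold                 # alerts per address set before summarizing
        self.global_threshold = global_summary_threshold   # total alerts before global mode
        self.window_start = None
        self.counts = defaultdict(int)                     # firings per address set in this window
        self.total = 0                                     # firings for the signature in this window
        self.global_mode = False
        self.output = []                                   # (kind, address_set, count)

    def _flush(self):
        """Close the window: one summary per summarized set, or one global summary."""
        if self.global_mode:
            self.output.append(("global-summary", None, self.total))
        else:
            for key, n in self.counts.items():
                if n > self.threshold:
                    self.output.append(("summary", key, n))
        self.counts.clear()
        self.total = 0
        self.global_mode = False

    def feed(self, ts, attacker, victim):
        """Offer one signature firing; an individual alert fires only while under threshold."""
        if self.window_start is None:
            self.window_start = ts
        elif ts - self.window_start >= self.interval:
            self._flush()
            self.window_start = ts
        key = (attacker, victim)
        self.counts[key] += 1
        self.total += 1
        if self.global_mode:
            return                                  # rolled into the global summary
        if self.total > self.global_threshold:
            self.global_mode = True                 # Global Summarization mode for the signature
            return
        if self.counts[key] <= self.threshold:
            self.output.append(("alert", key, 1))  # fire-all behaviour below the threshold

    def finish(self):
        """Flush the last open window and return everything emitted."""
        if self.window_start is not None:
            self._flush()
            self.window_start = None
        return list(self.output)


def summarize(events, **settings):
    s = AlertSummarizer(**settings)
    for ts, attacker, victim in events:
        s.feed(ts, attacker, victim)
    return s.finish()


# Constructed sample: (seconds, attacker, victim). One attacker hammering one
# victim in the first window, then a sweep across many victims in the next.
SAMPLE_EVENTS = [
    (0, "10.1.1.5", "10.2.2.2"), (1, "10.1.1.5", "10.2.2.2"),
    (2, "10.1.1.5", "10.2.2.2"), (3, "10.1.1.5", "10.2.2.2"),
    (4, "10.1.1.6", "10.2.2.2"),
    (40, "10.1.1.6", "10.2.2.2"),
] + [(41 + i, "10.1.1.7", f"10.2.2.{3 + i}") for i in range(7)]

if __name__ == "__main__":
    for item in summarize(SAMPLE_EVENTS, summary_interval=30,
                          summary_threshold=2, global_summary_threshold=6):
        print(item)
```

    Run it and the first window collapses four firings from 10.1.1.5 into one summary, while the victim sweep in the second window trips the global threshold and ends in a single global summary. The point for detection work is that once a signature is in global mode the per-victim detail is gone: a sweep shows up as one count, not a list of targets, so the thresholds need to be chosen with that loss in mind.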
  • Page 114: Deny Attackers

    Step 1 Log in to the CLI using an account with administrator privileges. Step 2 Enter event action rules submode: sensor# configure terminal sensor(config)# service event-action-rules rules0 Step 3 Enter general submode: sensor(config-rul)# general
  • Page 115 Step 11 Exit event action rules submode: sensor(config-rul-gen)# exit sensor(config-rul)# exit Apply Changes:?[yes]: Step 12 Press Enter to apply your changes or type no to discard them.
  • Page 116: Clearing The Denied Attackers List

    Verify that you have cleared the statistics: JWK-4255# show statistics virtual-sensor Virtual Sensor Statistics Statistics for Virtual Sensor vs0 Name of current Signature-Definition instance = sig0 Name of current Event-Action-Rules instance = rules0
  • Page 117: Event Action Rules Example

    SigID=2004, Attacker Address=*, Victim Address=20.1.1.1, Actions to Remove=ALL, Risk Rating Range=1-100, StopOnMatch=True
    SigID=2004, Attacker Address=30.1.1.1, Victim Address=*, Actions to Remove=ALL, Risk Rating Range=1-100, StopOnMatch=True
    SigID=2004, Attacker Address=*, Victim Address=*, Actions to Remove=None, Risk Rating Range=95-100, StopOnMatch=True
  • Page 118 The third filter line with the filter action NONE is optional, but is presented as a clearer way to define this type of filter.
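    To see how the ordered filters above interact with event action overrides and StopOnMatch, here is an added Python example (not from the guide or the sensor software) of the two SEAP stages: overrides add actions whose risk rating range contains the event's RR (as described under Configuring Target Value Ratings), then filters are walked in order and remove actions until one with StopOnMatch matches. The three filters are the ones listed above; the override ranges, the base produce-alert action and the sample events are assumptions made for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Added example (not from the Cisco guide): a model of two SEAP stages in the
# order the guide lists them: event action overrides add actions by risk rating
# range, then event action filters remove actions in order, honouring
# stop-on-match. An event left with no actions has been consumed. The override
# ranges are assumptions; the filters are the ones in the Event Action Rules
# Example.

ANY = "*"


def parse_range(spec, low, high, conv=int):
    """'a-b', 'a' or '*' -> inclusive (low, high) pair of ints."""
    if spec == ANY:
        return (low, high)
    parts = spec.split("-", 1)
    start = conv(parts[0])
    end = conv(parts[1]) if len(parts) == 2 else start
    return (start, end)


def ip_int(text):
    return int(ip_address(text))


def in_range(value, rng):
    return rng[0] <= value <= rng[1]


@dataclass
class Event:
    sig_id: int
    subsig_id: int
    attacker: str
    victim: str
    risk_rating: int
    actions: frozenset


@dataclass
class Override:
    action: str
    rr_range: tuple               # inclusive RR range that adds this action


@dataclass
class Filter:
    sig_range: tuple
    subsig_range: tuple
    attacker_range: tuple
    victim_range: tuple
    rr_range: tuple
    actions_to_remove: object     # "ALL" or a set of action names (empty set = NONE)
    stop_on_match: bool = False
    enabled: bool = True

    @staticmethod
    def from_spec(sig, attacker, victim, remove, rr, stop, subsig=ANY):
        """Build a filter from fields written the way the guide's example writes them."""
        return Filter(
            sig_range=parse_range(sig, 0, 65535),
            subsig_range=parse_range(subsig, 0, 255),
            attacker_range=parse_range(attacker, 0, 0xFFFFFFFF, ip_int),
            victim_range=parse_range(victim, 0, 0xFFFFFFFF, ip_int),
            rr_range=parse_range(rr, 0, 100),
            actions_to_remove="ALL" if remove == "ALL" else set(remove),
            stop_on_match=stop,
        )

    def matches(self, ev):
        return (self.enabled
                and in_range(ev.sig_id, self.sig_range)
                and in_range(ev.subsig_id, self.subsig_range)
                and in_range(ip_int(ev.attacker), self.attacker_range)
                and in_range(ip_int(ev.victim), self.victim_range)
                and in_range(ev.risk_rating, self.rr_range))


def process_event(ev, overrides, filters):
    """Return the action set left after overrides and filters; empty means consumed."""
    actions = set(ev.actions)
    for ov in overrides:                       # stage 1: overrides add actions by RR
        if in_range(ev.risk_rating, ov.rr_range):
            actions.add(ov.action)
    for flt in filters:                        # stage 2: filters remove actions, in order
        if not flt.matches(ev):
            continue
        if flt.actions_to_remove == "ALL":
            actions.clear()
        else:
            actions -= flt.actions_to_remove
        if flt.stop_on_match:
            break
    return actions


# Assumed override table: which actions a risk rating range adds.
OVERRIDES = [
    Override("deny-packet-inline", (90, 100)),
    Override("request-block-host", (95, 100)),
]

# The three filters from the guide's example, in order.
FILTERS = [
    Filter.from_spec("2004", ANY, "20.1.1.1", "ALL", "1-100", True),
    Filter.from_spec("2004", "30.1.1.1", ANY, "ALL", "1-100", True),
    Filter.from_spec("2004", ANY, ANY, set(), "95-100", True),
]


def demo(sig_id, attacker, victim, rr):
    """Run one constructed signature event (base action: produce-alert) through the pipeline."""
    ev = Event(sig_id, 0, attacker, victim, rr, frozenset({"produce-alert"}))
    return process_event(ev, OVERRIDES, FILTERS)
```

    With the page's three filters, any signature 2004 event to 20.1.1.1 or from 30.1.1.1 loses every action and is consumed, a 2004 event at RR 95 or above elsewhere stops at the third filter with its actions intact, and the order matters: if the NONE filter came first, its StopOnMatch would shield high-RR events to 20.1.1.1 from the consuming filter behind it.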
  • Page 119: Chapter 7 Defining Signatures

    You can later activate retired signatures; however, this process requires the sensing engines to rebuild their
  • Page 120: Signature Variables

    HTTP traffic. • To designate multiple port numbers for a single variable, place a comma between the entries. For example, 80, 3128, 8000, 8010, 8080, 8888, 24326.
  • Page 121: Configuring Signatures

    • Configuring Event Counter, page 7-8 • Configuring Signature Fidelity Rating, page 7-9 • Configuring the Status of Signatures, page 7-10 • Assigning Actions to Signatures, page 7-11
  • Page 122: Configuring General Signature Parameters

    Configuring Signature Fidelity Rating, page 7-9. • status—Sets the status of the signature to enabled or retired. For the procedure, see Configuring the Status of Signatures, page 7-10.
  • Page 123: Configuring Alert Frequency

    Step 3 Specify the signature you want to configure: sensor(config-sig)# signatures 9000 0 Step 4 Enter alert frequency submode: sensor(config-sig-sig)# alert-frequency
  • Page 124: Configuring Alert Severity

    A subsignature ID is used to identify a more granular version of a broad signature. The value is 0 to 255. • alert-severity—Severity of the alert: – high—Dangerous alert. – medium—Medium level alert.
  • Page 125 <defaulted> specify-l4-protocol ----------------------------------------------- --MORE-- Step 6 Exit signatures submode: sensor(config-sig-sig)# exit sensor(config-sig)# exit Apply Changes:?[yes]: Step 7 Press Enter to apply the changes or type no to discard them.
  • Page 126: Configuring Event Counter

    (Optional) Specify the amount of time in seconds before the event count should be reset: sensor(config-sig-sig-eve-yes)# alert-interval 30 Step 9 Verify the settings: sensor(config-sig-sig-eve-yes)# exit sensor(config-sig-sig-eve)# show settings event-counter ----------------------------------------------- event-count: 2 default: 1
  • Page 127: Configuring Signature Fidelity Rating

    50 Step 5 Verify the settings: sensor(config-sig-sig)# show settings <protected entry> sig-id: 12000 subsig-id: 0 ----------------------------------------------- alert-severity: low <defaulted> sig-fidelity-rating: 50 default: 85 promisc-delta: 15 <defaulted> sig-description -----------------------------------------------
  • Page 128: Configuring The Status Of Signatures

    Step 4 Change the status for this signature: sensor(config-sig-sig)# status sensor(config-sig-sig-sta)# enabled true Step 5 Verify the settings: sensor(config-sig-sig-sta)# show settings status ----------------------------------------------- enabled: true default: false retired: false <defaulted> ----------------------------------------------- sensor(config-sig-sig-sta)#
  • Page 129: Assigning Actions To Signatures

    Step 3 Choose the signature you want to configure: sensor(config-sig)# signatures 1200 0 Step 4 Enter the normalizer engine: sensor(config-sig-sig)# engine normalizer
  • Page 130: Configuring Aic Signatures

    AIC also provides a way to inspect FTP traffic and control the commands being issued. You can enable or disable the predefined signatures or you can create policies through custom signatures.
  • Page 131: Configuring The Application Policy

    The following options apply: • ftp-enable [true | false]—Enables protection for FTP services. Set to true to require the sensor to inspect FTP traffic. The default is false.
  • Page 132 Note: We recommend that you not configure AIC web ports, but rather use the default web ports. Step 5 Verify your settings: sensor(config-sig-app)# show settings application-policy -----------------------------------------------
  • Page 133: Aic Request Method Signatures

    Define Request Method TRACE; 12695 Define Request Method INDEX; 12696 Define Request Method MOVE; 12697 Define Request Method MKDIR; 12698 Define Request Method COPY; 12699 Define Request Method EDIT
  • Page 134: Aic Mime Define Content Type Signatures

    Content Type image/tiff Verification Failed; 12624 0 Content Type image/x-3ds Header Check; 12624 1 Content Type image/x-3ds Invalid Message Length; 12624 2 Content Type image/x-3ds Verification Failed
  • Page 135 Content Type text/plain Header Check; 12643 1 Content Type text/plain Invalid Message Length; 12644 0 Content Type text/richtext Header Check; 12644 1 Content Type text/richtext Invalid Message Length
  • Page 136 Content Type application/vnd.ms-excel Header Check; 12661 1 Content Type application/vnd.ms-excel Invalid Message Length; 12662 0 Content Type application/vnd.ms-powerpoint Header Check; 12662 1 Content Type application/vnd.ms-powerpoint Invalid Message Length
  • Page 137: Aic Transfer Encoding Signatures

    Define Transfer Encoding Deflate; 12688 Define Transfer Encoding Identity; 12689 Define Transfer Encoding Compress; 12690 Define Transfer Encoding GZIP; 12693 Define Transfer Encoding Chunked; 12694 Chunked Transfer Encoding Error
  • Page 138: Aic Ftp Commands Signatures

    Define FTP command smnt; 12927 Define FTP command stat; 12928 Define FTP command stor; 12929 Define FTP command stou; 12930 Define FTP command stru; 12931 Define FTP command syst
  • Page 139 Chapter 7 Defining Signatures, Configuring Signatures. Table 4 FTP Commands Signatures (continued): Signature ID, FTP Command. 12932 Define FTP command type; 12933 Define FTP command user
  • Page 140: Ip Fragment Reassembly

    Step 1 Log in to the CLI using an account with administrator or operator privileges. Step 2 Enter signature definition submode: sensor# configure terminal sensor(config)# service signature-definition sig0
  • Page 141 – nt—Windows systems. – solaris—Solaris systems. – linux—GNU/Linux systems. – bsd—BSD UNIX systems. The default is nt.
  • Page 142: Configuring Tcp Stream Reassembly

    TCP stream reassembly signatures with the parameters that you can configure for TCP stream reassembly. The TCP stream reassembly signatures are part of the NORMALIZER engine.
  • Page 143 1330 18 TCP Drop - Segment out of Window; 3050 Half Open SYN Attack, syn-flood-max-embryonic 5000; 3250 TCP Hijack, max-old-ack 200; 3251 TCP Hijack Simplex Mode, max-old-ack 100
  • Page 144 Step 8 sensor(config-sig-sig-nor-def-yes)# exit sensor(config-sig-sig-nor-def)# exit sensor(config-sig-sig-nor)# exit sensor(config-sig-sig)# exit sensor(config-sig)# exit Apply Changes:?[yes]: Step 9 Press Enter to apply the changes or type no to discard them.
  • Page 145 ----------------------------------------------- sensor(config-sig-str)# Step 6 Exit TCP reassembly submode: sensor(config-sig-str)# exit sensor(config-sig)# exit Apply Changes:?[yes]: Step 7 Press Enter to apply the changes or type no to discard them.
  • Page 146: Configuring Ip Logging

    60 Step 4 Verify the settings: sensor(config-sig-ip)# show settings ip-log ----------------------------------------------- ip-log-packets: 150 default: 0 ip-log-time: 60 default: 30 ip-log-bytes: 200000 default: 0 ----------------------------------------------- sensor(config-sig-ip)#
  • Page 147: Creating Custom Signatures

    Step 4 Assign the alert response: • Signature fidelity rating • Severity of the alert. Step 5 Assign the alert behavior. Step 6 Apply the changes.
  • Page 148: Example String.tcp Signature

    Step 5 sensor(config-sig-sig-sig)# sig-name This is my new name Step 6 Exit signature description submode: sensor(config-sig-sig-sig)# exit Step 7 Specify the string TCP engine: sensor(config-sig-sig)# engine string-tcp
  • Page 149 Step 12 Exit signature definition submode: sensor(config-sig-sig-str)# exit sensor(config-sig-sig)# exit sensor(config-sig)# exit Apply Changes:?[yes]: Step 13 Press Enter to apply the changes or type no to discard them.
  • Page 150: Example Service.http Signature

    Step 5 Specify a signature name: sensor(config-sig-sig-sig)# sig-name myWebSig Step 6 Specify the alert traits: sensor(config-sig-sig-sig)# alert-traits 2 The valid range is from 0 to 65535.
  • Page 151: Example Meta Signature

    META components. • edit—Edits an existing entry in the list. – insert name1—Inserts a new entry into the list. – move—Moves an entry in the list.
  • Page 152 3000 subsignature 0 on the same source address. The source address selection is a result of the meta key default value of Axxx. You can change the behavior by changing the meta key setting to xxBx (destination address) for example.
  • Page 153 NAME: c1 ----------------------------------------------- component-sig-id: 2000 component-subsig-id: 0 <defaulted> component-count: 1 <defaulted> ----------------------------------------------- NAME: c2 ----------------------------------------------- component-sig-id: 3000 component-subsig-id: 0 <defaulted> component-count: 1 <defaulted> -----------------------------------------------
  • Page 154: Example Aic Mime-Type Signature

    TCP RESETS to hijack and terminate the TCP flow • no—Removes an entry or selection setting • signature-type—Type of signature desired – content-types—Content-types – define-web-traffic-policy—Defines web traffic policy
  • Page 155 Step 7 Exit signatures submode: sensor(config-sig-sig-app-def)# exit sensor(config-sig-sig-app)# exit sensor(config-sig-sig)# exit sensor(config-sig)# exit Apply Changes:?[yes]: Step 8 Press Enter to apply the changes or type no to discard them.
  • Page 156 Chapter 7 Defining Signatures, Creating Custom Signatures
  • Page 157: About Ip Logging

    IP address, only one IP log is created for all the alerts. Each alert references the same IP log. However, the output of the IP log status only shows the event ID of the first alert triggering the IP log.
  • Page 158: Configuring Automatic Ip Logging

    Step 4 Configure the duration you want the sensor to log packets: sensor(config-sig-ip)# ip-log-time 60 Step 5 Configure the number of bytes you want logged: sensor(config-sig-ip)# ip-log-bytes 5024
  • Page 159: Configuring Manual Ip Logging For A Specific Ip Address

    Configuring Automatic IP Logging, page 8-2. To copy and view an IP log file, see Copying IP Log Files to Be Viewed, page 8-6.
  • Page 160: Stopping Active Ip Logs

    • log-id—Log ID of the logging session to stop. Use the iplog-status command to find the log ID. • name—Virtual sensor on which to begin or end logging.
  • Page 161 Log ID: IP Address 1: 10.16.0.0 Virtual Sensor: Status: completed Event ID: Bytes Captured: Packets Captured: sensor# When the logs are stopped, the status shows them as completed.
  • Page 162: Copying Ip Log Files To Be Viewed

    227 Entering Passive Mode (2,4,6,8,179,125) 150 Opening BINARY mode data connection for iplog1. 226 Transfer complete. 30650 bytes sent in 0.00246 secs (1.2e+04 Kbytes/sec) ftp>
  • Page 163 Step 4 Open the IP log using a sniffer program such as Wireshark or tcpdump. For more information on Wireshark, go to http://www.wireshark.org. For more information on tcpdump, go to http://www.tcpdump.org/.
  • Page 164 Chapter 8 Configuring IP Logging, Copying IP Log Files to Be Viewed
  • Page 165: About Packet Display And Capture

    Caution: Changing the interface configuration results in abnormal termination of any packet command running on that interface. Executing the packet display or capture command causes significant performance degradation.
  • Page 166: Displaying Live Traffic On An Interface

    = username of user initiating capture; id = user's CLI ID; cliCmd = command entered to perform the capture. Caution: Executing the packet display command causes significant performance degradation.
  • Page 167 03:43:05.694808 IP (tos 0x10, ttl 64, id 55471, offset 0, flags [DF], length: 300) 10.89.147.31.22 > 10.89.147.50.41805: P [tcp sum ok] 2344:2592(248) ack 1 win 8576 <nop,nop,timestamp 44085169 226014950>
  • Page 168: Capturing Live Traffic On An Interface

    You can only use an interface name that exists in the system. • snaplen—Maximum number of bytes captured for each packet (optional). The valid range is 68 to 1600. The default is 0.
  • Page 169 03:03:15.218814 802.1d config TOP_CHANGE 8000.00:04:9a:66:35:01.8025 root 8000.00:04:6d:f9:e8:82 pathcost 8 age 2 max 20 hello 2 fdelay 15 03:03:15.546866 IP 64.101.182.244.1978 > 10.89.130.108.23: P 0:2(2) ack 157 win 65535
  • Page 170: Copying The Packet File

    Note: The exact format of the source and destination URLs varies according to the file. – ftp:—Destination URL for an FTP network server. The syntax for this prefix is: ftp:[//[username@] location]/relativeDirectory]/filename
  • Page 171: Erasing The Packet File

    Step 2 Erase the packet file: sensor# erase packet-file sensor# Step 3 Verify that you have erased the packet file: sensor# packet display file-info No packet-file available. sensor#
  • Page 172 Chapter 9 Displaying and Capturing Live Traffic on an Interface, Erasing the Packet File
  • Page 173: Understanding Blocking

    • Host block—Blocks all traffic from a given IP address. • Connection block—Blocks traffic from a given source IP address to a given destination IP address and destination port.
  • Page 174 On Cisco routers and Catalyst 6500 series switches, Network Access Controller creates blocks by applying ACLs or VACLs. ACLs and VACLs permit or deny passage of data packets through interface ports or VLANs.
  • Page 175: Blocking Prerequisites

    – Supervisor Engine 1A with PFC – Supervisor Engine 1A with MSFC1 – Supervisor Engine 1A with MSFC2 – Supervisor Engine 2 with MSFC2 – Supervisor Engine 720 with MSFC3
  • Page 176: Configuring Blocking Properties

    You can configure this option if you can ensure that if the sensor creates a rule to block its own IP address, it will not prevent the sensor from accessing the blocking device.
  • Page 177 <defaulted> enable-acl-logging: false <defaulted> allow-sensor-block: false default: false block-enable: true default: true block-max-entries: 100 default: 250 max-interfaces: 250 <defaulted> master-blocking-sensors (min: 0, max: 100, current: 0)
  • Page 178: Disabling Blocking

    Step 1 Log in to the CLI using an account with administrator privileges. Step 2 Enter network access submode: sensor# configure terminal sensor(config)# service network-access Step 3 Enter general submode: sensor(config-net)# general
  • Page 179 (min: 0, max: 100, current: 0) ----------------------------------------------- never-block-hosts (min: 0, max: 250, current: 1) ----------------------------------------------- ip-address: 11.11.11.11 ----------------------------------------------- never-block-networks (min: 0, max: 250, current: 1) ----------------------------------------------- ip-address: 12.12.0.0/16 -----------------------------------------------
  • Page 180: Setting Maximum Block Entries

    Step 5 sensor(config-net-gen)# show settings general ----------------------------------------------- log-all-block-events-and-errors: true <defaulted> enable-nvram-write: false <defaulted> enable-acl-logging: false <defaulted> allow-sensor-block: false default: false block-enable: true <defaulted> block-max-entries: 100 default: 250
  • Page 181 ----------------------------------------------- --MORE-- Step 8 Exit network access submode: sensor(config-net-gen)# exit sensor(config-net)# exit Apply Changes:?[yes]: Step 9 Press Enter to apply the changes or type no to discard them.
  • Page 182: Setting The Block Time

    Apply Changes:?[yes]: Step 7 Press Enter to apply the changes or type no to discard them. Note: There is a time delay while the signatures are updated.
  • Page 183: Enabling Acl Logging

    <defaulted> enable-acl-logging: false default: false allow-sensor-block: false <defaulted> block-enable: true <defaulted> block-max-entries: 250 <defaulted> max-interfaces: 250 <defaulted> master-blocking-sensors (min: 0, max: 100, current: 0) -----------------------------------------------
  • Page 184: Enabling Writing To Nvram

    <defaulted> block-enable: true <defaulted> block-max-entries: 250 <defaulted> max-interfaces: 250 <defaulted> master-blocking-sensors (min: 0, max: 100, current: 0) ----------------------------------------------- Step 6 Disable writing to NVRAM: sensor(config-net-gen)# enable-nvram-write false
  • Page 185: Logging All Blocking Events And Errors

    Verify that logging is disabled: sensor(config-net-gen)# show settings general ----------------------------------------------- log-all-block-events-and-errors: false default: true enable-nvram-write: false default: false enable-acl-logging: false default: false allow-sensor-block: false <defaulted> block-enable: true <defaulted>
  • Page 186: Configuring The Maximum Number Of Blocking Interfaces

    Step 2 Enter network access mode: sensor# configure terminal sensor(config)# service network-access Step 3 Enter general submode: sensor(config-net)# general Step 4 Configure the maximum number of interfaces: sensor(config-net-gen)# max-interfaces 50
  • Page 187: Configuring Addresses Never To Block

    Such a device should never be blocked, and trusted, internal networks should never be blocked.
  • Page 188 12.12.0.0/16 --MORE-- Step 6 Exit network access submode: sensor(config-net-gen)# exit sensor(config-net)# exit Apply Changes:?[yes]: Step 7 Press Enter to apply the changes or type no to discard them.
  • Page 189: Configuring User Profiles

    Enter enable-password[]: ******** Re-enter enable-password ******** Step 7 Verify the settings: sensor(config-net-use)# show settings profile-name: PROFILE1 ----------------------------------------------- enable-password: <hidden> password: <hidden> username: jsmith default: ----------------------------------------------- sensor(config-net-use)#
  • Page 190: Configuring Blocking Devices

    How the Sensor Manages Devices: Network Access Controller uses ACLs on Cisco routers and switches to manage those devices. These ACLs are built as follows: • A permit line with the sensor's IP address or, if specified, the NAT address of the sensor. If you permit the sensor to be blocked, this line does not appear in the ACL.
  • Page 191: Configuring The Sensor To Manage Cisco Routers

    Configuring the Sensor to be a Master Blocking Sensor, page 10-25. Configuring the Sensor to Manage Cisco Routers This section describes how to configure the sensor to manage Cisco routers. It contains the following topics: Routers and ACLs, page 10-19 •...
  • Page 192 When the new ACL is applied to an interface or direction of the router, it removes the application of any other ACL to that interface or direction. Configuring the Sensor to Manage Cisco Routers To configure a sensor to manage Cisco routers, follow these steps: Step 1 Log in to the CLI using an account with administrator privileges.
  • Page 193: Switches and VACLs

    You can configure Network Access Controller to block using VACLs on the switch itself when running Cisco Catalyst software, or to block using router ACLs on the MSFC or on the switch itself when running Cisco IOS software. This section describes blocking using VACLs. For blocking using the router ACLs, see Configuring the Sensor to Manage Cisco Routers, page 10-19.
  • Page 194 VLAN. Configuring the Sensor to Manage Catalyst 6500 Series Switches and Cisco 7600 Series Routers To configure the sensor to manage Catalyst 6500 series switches and Cisco 7600 series routers, follow these steps: Log in to the CLI using an account with administrator privileges.
  • Page 195 Exit network access submode: sensor(config-net-cat-blo)# exit sensor(config-net-cat)# exit sensor(config-net)# exit sensor(config)# exit Step 11 Apply Changes:?[yes]: Press Enter to apply the changes or type no to discard them.
  • Page 196: Configuring the Sensor to Manage Cisco Firewalls

    Configuring the Sensor to Manage Cisco Firewalls: To configure the sensor to manage Cisco firewalls, follow these steps: Step 1 Log in to the CLI using an account with administrator privileges. Enter network access submode:...
  • Page 197: Configuring the Sensor to Be a Master Blocking Sensor

    On the master blocking sensor, check to see if it requires TLS and what port number is used: sensor(config)# service web-server sensor(config-web)# show settings enable-tls: true <defaulted> port: 443 <defaulted> server-id: HTTP/1.1 compliant <defaulted> sensor(config-web)# If enable-tls is true, go to Step b.
  • Page 198 Step 11 Set the status of whether or not the host uses TLS/SSL: sensor(config-net-gen-mas)# tls [true | false] sensor(config-net-gen-mas)# Note: If you set the value to true, you need to use the tls trusted-host ip-address mbs_ip_address command.
  • Page 199: Configuring Manual Blocking

    For a host IP address: sensor(config-net-gen)# block-hosts ip_address For a network IP address: sensor(config-net-gen)# block-networks ip_address/netmask The format for ip_address/netmask is A.B.C.D/nn. Example: sensor(config-net-gen)# block-networks 10.0.0.0/8
  • Page 200: Obtaining a List of Blocked Hosts and Connections

    Communications = telnet BlockInterface InterfaceName = fa0/0 InterfaceDirection = in State BlockEnable = true NetDevice IP = 10.1.1.1 AclSupport = uses Named ACLs Version = 12.2 State = Active
  • Page 201 IP = 192.168.1.1 Vlan = ActualIp = BlockMinutes = 80 MinutesRemaining = 76 The Host entry indicates which hosts are being blocked and how long the blocks are.
  • Page 202 Chapter 10 Configuring Blocking: Obtaining a List of Blocked Hosts and Connections
  • Page 203: Chapter 11 Configuring SNMP

    SNMP requests. However, it is not possible to totally eliminate SNMP polling. SNMP requests are required for discovery and topology changes. In addition, a managed device agent cannot send a trap if the device has had a catastrophic outage.
  • Page 204: Configuring SNMP

    The read-only community name specifies the password for queries to the SNMP agent. Assign the read-write community string: sensor(config-not)# read-write-community PRIVATE1 The read-write community name specifies the password for sets to the SNMP agent.
  • Page 205 BUSINESS default: Unknown sensor(config-not)# Step 6 Exit notification submode: sensor(config-not)# exit Step 7 Apply Changes:?[yes]: Press Enter to apply the changes or type no to discard them.
  • Page 206: Configuring SNMP Traps

    It filters in (not filters out) the traps based on severity. Choose whether you want detailed SNMP traps: sensor(config-not)# enable-detail-traps true Type the community string to be included in the detailed traps: sensor(config-not)# trap-community-name TRAP1
  • Page 207 BUSINESS default: Unknown sensor(config-not)# Step 7 Exit notification submode: sensor(config-not)# exit Step 8 Apply Changes:?[yes]: Press Enter to apply the changes or type no to discard them.
  • Page 208: Supported MIBs

    • CISCO-ENTITY-ALARM-MIB You can obtain these private Cisco MIBs under the heading SNMP v2 MIBs at this URL: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml The management MIB supported on the sensor is the rfc1213 (mib-2). You can obtain the mib-2 from any public domain, such as http://www.ietf.org/rfc/rfc1213.txt.
  • Page 209: Displaying the Current Configuration

    ! Current configuration last modified Fri Dec 17 21:38:23 2004 ! ------------------------------ service analysis-engine exit ! ------------------------------ service authentication exit ! ------------------------------ service event-action-rules rules0 exit ! ------------------------------ service host network-settings
  • Page 210 1206 0 engine normalizer event-action produce-alert|produce-verbose-alert|deny-attacker-inline|deny-connection-inline|deny-packet-inline|log-attacker-packets|log-pair-packets|log-victim-packets|request-block-connection|request-block-host|request-snmp-trap|reset-tcp-connection|modify-packet-inline exit exit signatures 1300 0 engine normalizer event-action produce-alert|produce-verbose-alert|deny-attacker-inline|deny-connection-inline|deny-packet-inline|log-attacker-packets|log-pair-packets|log-victim-packets|request-block-connection|request-block-host|request-snmp-trap|reset-tcp-connection|modify-packet-inline edit-default-sigs-only default-signatures-only specify-syn-flood-max-embrionic yes exit
  • Page 211: Displaying the Current Submode Configuration

    <defaulted> signature-definition: sig0 <protected> event-action-rules: rules0 <protected> physical-interface (min: 0, max: 999999999, current: 0) ----------------------------------------------- ----------------------------------------------- logical-interface (min: 0, max: 999999999, current: 0)
  • Page 212 (min: 0, max: 512, current: 1) ----------------------------------------------- network-address: 0.0.0.0/0 ----------------------------------------------- ----------------------------------------------- ftp-timeout: 300 seconds <defaulted> login-banner-text: <defaulted> ----------------------------------------------- time-zone-settings
  • Page 213 <protected entry> name: GigabitEthernet0/0 ----------------------------------------------- media-type: tx <protected> description: <defaulted> admin-state: disabled <protected> duplex: auto <defaulted> speed: auto <defaulted> alt-tcp-reset-interface ----------------------------------------------- none -----------------------------------------------
  • Page 214 <defaulted> <protected entry> zone-name: tls severity: warning <defaulted> <protected entry> zone-name: intfc severity: warning <defaulted> <protected entry> zone-name: cmgr severity: warning <defaulted> <protected entry>
  • Page 215 (min: 0, max: 100, current: 1) ----------------------------------------------- vlan: 234 ----------------------------------------------- pre-vacl-name: aaaa default: post-vacl-name: bbbb default: ----------------------------------------------- router-devices (min: 0, max: 250, current: 0)
  • Page 216 ----------------------------------------------- http-policy ----------------------------------------------- http-enable: false <defaulted> max-outstanding-http-requests-per-connection: 10 <defaulted> aic-web-ports: 80-80,3128-3128,8000-8000,8010-8010,8080-8080,8888-8888,24326-24326 <defaulted> ----------------------------------------------- ftp-enable: false <defaulted> ----------------------------------------------- fragment-reassembly ----------------------------------------------- ip-reassemble-mode: nt <defaulted> ----------------------------------------------- stream-reassembly ----------------------------------------------- --MORE--
  • Page 217: Filtering the Current Configuration Output

    Use the show configuration | [begin | exclude | include] regular-expression command to search or filter the output of the contents of the current configuration. Note: Users with operator or viewer privileges can search or filter the current-config only.
  • Page 218 12300 0 status enabled true retired true --MORE-- Note: Press Ctrl-C to stop the output and return to the CLI prompt.
  • Page 219: Filtering the Current Submode Configuration Output

    Use the show settings | [begin | exclude | include] keyword command in the submode you are interested in to search or filter the output of the contents of the submode configuration.
  • Page 220 11 default: 250 max-interfaces: 13 default: 250 master-blocking-sensors (min: 0, max: 100, current: 1) ----------------------------------------------- ipaddress: 10.89.149.124 ----------------------------------------------- password: <hidden> port: 443 default: 443 tls: true default: true
  • Page 221: Displaying the Contents of a Logical File

    Step 2 sensor# more current-config Generating current config: The current configuration is displayed. ! ------------------------------ ! Version 5.0(0.22) ! Current configuration last modified Fri Dec 17 21:38:23 2004
  • Page 222 12300 0 status enabled true retired true exit exit signatures 1206 0 engine normalizer event-action produce-alert|produce-verbose-alert|deny-attacker-inline|deny-connection-inline|deny-packet-inline|log-attacker-packets|log-pair-packets|log-victim-packets|request-block-connection|request-block-host|request-snmp-trap|reset-tcp
  • Page 223: Copying and Restoring the Configuration File Using a Remote Server

    You can then restore the current configuration from the remote server. You are prompted to back up the current configuration first. Note: We recommend copying the current configuration file to a remote server before upgrading.
  • Page 224 Step 1 Log in to the CLI using an account with administrator privileges. Step 2 To back up the current configuration to the remote server: sensor# copy current-config ftp://qa_user@10.89.146.1//tftpboot/update/qmaster89.cfg Password: ********
  • Page 225: Creating and Using a Backup Configuration File

    Use the erase [backup-config | current-config] command to delete a logical file. The following options apply: • current-config—The current running configuration. The configuration becomes persistent as the commands are entered. • backup-config—The storage location for the configuration backup.
  • Page 226 User accounts will not be erased. They must be removed manually using the "no username" command. Continue? []: Step 2 Press Enter to continue or type no to stop.
  • Page 227: Creating a Banner Login

    To create a banner login, follow these steps: Step 1 Log in to the CLI using an account with administrator privileges. Step 2 Enter global configuration mode: sensor# configure terminal
  • Page 228: Terminating CLI Sessions

    If an operator or viewer tries to log in when the maximum sessions are open, the following message appears: Error: The maximum allowed CLI sessions are currently open, please try again later.
  • Page 229: Modifying Terminal Properties

    Step 2 To have no pause between multi-screen outputs, use 0 for the screen length value: sensor# terminal length 0 Note: The screen length values are not saved between login sessions.
  • Page 230: Events

    • Note: The show events command waits until a specified event is available. It continues to wait and display events until you exit by pressing Ctrl-C.
  • Page 231 Step 5 Display alerts from the past 45 seconds: sensor# show events alert past 00:00:45 evIdsAlert: eventId=1109695939102805307 severity=medium vendor=Cisco originator: hostId: sensor
  • Page 232 2316 evStatus: eventId=1041526834774829056 vendor=Cisco originator: hostId: sensor appName: login(pam_unix) appInstanceId: 2315 time: 2003/01/08 02:41:00 2003/01/08 02:41:00 UTC syslogMessage: description: session opened for user cisco by cisco(uid=0)
  • Page 233: Clearing Events from the Event Store

    22:39:21 UTC Sat Jan 25 2003 Step 3 Display the system clock with details: sensor# show clock detail 22:39:21 CST Sat Jan 25 2003 Time source is NTP
  • Page 234: Manually Setting the Clock

    Clearing the Denied Attackers List: Use the clear denied-attackers command in service event action rules submode to delete the denied attackers list and clear the virtual sensor statistics.
  • Page 235 Number of Active Denied Attackers = 2 Number of Denied Attackers Inserted = 0 Number of Denied Attackers Total Hits = 0 Number of times max-denied-attackers limited creation of new entry = 0
  • Page 236: Displaying Statistics

    Number of Denied Attackers Total Hits = 0 Number of times max-denied-attackers limited creation of new entry = 0 Number of exec Clear commands during uptime = 0
  • Page 237 TCP packets that arrived out of sequence order for their stream = 0 TCP packets that arrived out of state order for their stream = 0 The rate of TCP connections tracked per second since reset = 0
  • Page 238 = 0 log-pair-packets = 0 log-victim-packets = 0 produce-alert = 11 produce-verbose-alert = 0 request-block-connection = 0 request-block-host = 5 request-snmp-trap = 0 reset-tcp-connection = 0
  • Page 239 = 0 sensor# Step 5 Display the statistics for the denied attackers in the system: sensor# show statistics denied-attackers Denied Attackers and hit count for each. sensor#
  • Page 240 Usage over last 5 seconds = 0 Usage over last minute = 1 Usage over last 5 minutes = 1 Memory Statistics Memory usage (bytes) = 500498432 Memory free (bytes) = 894976032
  • Page 241 Type = Cisco IP = 10.89.150.158 NATAddr = 0.0.0.0 Communications = telnet BlockInterface InterfaceName = ethernet0/1 InterfaceDirection = out InterfacePostBlock = Post_Acl_Test BlockInterface InterfaceName = ethernet0/1 InterfaceDirection = in
  • Page 242 ActualIp = BlockMinutes = Host IP = 21.21.12.12 Vlan = ActualIp = BlockMinutes = Host IP = 122.122.33.4 Vlan = ActualIp = BlockMinutes = 60 MinutesRemaining = 24
  • Page 243 Step 16 To clear the statistics for an application, for example, logger: sensor# show statistics logger clear The number of Log interprocessor FIFO overruns = 0 The number of syslog messages received = 141
  • Page 244: Displaying Tech Support Information

    HTML. • The URL specifies where the information should be sent. If you do not use this keyword, the information is displayed on the screen.
  • Page 245: Displaying Version Information

    Step 1 Log in to the CLI. Step 2 View version information: sensor# show version The following examples show sample version output for the appliance and the NM-CIDS.
  • Page 246 (Release) 2005-02-09T03:22:27-0600 Running AnalysisEngine 2005_Feb_09_03.00 (Release) 2005-02-09T03:22:27-0600 Running 2005_Feb_09_03.00 (Release) 2005-02-09T03:22:27-0600 Upgrade History: IDS-K9-maj-5.0-0.27-S91-0.27-.pkg 03:00:00 UTC Thu Feb 05 2004 Recovery Partition Version 1.1 - 5.0(0.27)S91(0.27) nm-cids#
  • Page 247: Directing Output to a Serial Connection

    If you are connected to the serial port, you will not get any feedback until Linux has fully booted and enabled support for the serial connection. The display-serial command does not apply to the following platforms: • IDSM-2 • NM-CIDS • IDS-4215
  • Page 248: Diagnosing Network Connectivity

    64 bytes from 10.89.146.110: icmp_seq=5 ttl=61 time=0.2 ms --- 10.89.146.110 ping statistics --- 6 packets transmitted, 6 packets received, 0% packet loss round-trip min/avg/max = 0.1/0.1/0.3 ms
  • Page 249: Resetting the Appliance

    If the node can not be powered off it will be left in a state that is safe to manually power down. Continue with reset? []: Step 5 Type yes to continue with the reset and powerdown: sensor# yes Request Succeeded. sensor#
  • Page 250: Displaying Command History

    Log in to the CLI. Step 2 Display the PEP information: sensor# show inventory Name: "Chassis", DESCR: "IPS 4255 Intrusion Prevention Sensor" PID: IPS-4255-K9, VID: V01 , SN: JAB0815R017
  • Page 251: Tracing the Route of an IP Packet

    * 10.89.128.17 (10.89.128.17) 0.304 ms * 10.89.128.17 (10.89.128.17) 0.527 ms * 0.402 ms * 10.89.128.17 (10.89.128.17) 0.39 ms * 10.89.128.17 (10.89.128.17) 0.37 ms * 0.486 ms sensor#
  • Page 252: Displaying Submode Settings

    ----------------------------------------------- profile-name: r7200 ----------------------------------------------- enable-password: <hidden> password: <hidden> username: netrangr default: ----------------------------------------------- profile-name: insidePix ----------------------------------------------- enable-password: <hidden> password: <hidden> username: <defaulted> ----------------------------------------------- profile-name: qatest ----------------------------------------------- enable-password: <hidden>
  • Page 253 (min: 0, max: 100, current: 1) ----------------------------------------------- vlan: 1 ----------------------------------------------- pre-vacl-name: <defaulted> post-vacl-name: <defaulted> ----------------------------------------------- router-devices (min: 0, max: 250, current: 1)
  • Page 254 (min: 0, max: 250, current: 0) ----------------------------------------------- block-networks (min: 0, max: 250, current: 0) ----------------------------------------------- user-profiles (min: 0, max: 250, current: 11) -----------------------------------------------
  • Page 255 10.89.147.61 profile-name: cat ip-address: 10.89.147.54 profile-name: r7200 ip-address: 10.89.147.10 profile-name: insidePix ip-address: 10.89.147.82 profile-name: test sensor(config-net)#
  • Page 256 Chapter 13 Administrative Tasks for the Sensor: Displaying Submode Settings
  • Page 257: Configuring AIP-SSM

    Chapter 6, “Configuring Event Action Rules,” Chapter 7, “Defining Signatures,” Chapter 10, “Configuring Blocking.” Perform miscellaneous tasks to keep your AIP-SSM running smoothly. For the procedures, see Chapter 13, “Administrative Tasks for the Sensor.”
  • Page 258: Verifying AIP-SSM Initialization

    AIP-SSM. You can configure AIP-SSM to inspect traffic in inline or promiscuous mode and in fail-open or fail-over mode.
  • Page 259: Configuring ASA to Send IPS Traffic to AIP-SSM

    • [global | interface interface_name]—Creates an IPS security policy by associating the policy map with one or more interfaces. – global—Applies the policy map to all interfaces.
  • Page 260 Step 10 Exit and save the configuration: asa(config-pmap-c)# exit asa(config-pmap)# exit asa(config)# exit asa#
  • Page 261: Reloading, Shutting Down, Resetting, and Recovering AIP-SSM

    30 to 45 seconds after starting AIP-SSM recovery. Waiting any longer can lead to unexpected consequences, for example, AIP-SSM may come up in the Unresponsive state.
  • Page 262 1 recover Module 1 recover parameters... Boot Recovery Image: No Image URL: tftp://1.1.1.1/IPS-SSM-K9-sys-1.1-a-5.0-0.15-S91-0.15.img Port IP Address: 1.1.1.23 Gateway IP Address: 1.1.1.2 VLAN ID:
  • Page 263: Configuring IDSM-2

    For the procedure to session to the IDSM-2, see Logging In to IDSM-2, page 2-4. Initialize IDSM-2. Run the setup command to initialize IDSM-2. For the procedure, see Initializing the Sensor, page 3-2.
  • Page 264: Verifying IDSM-2 Installation

    Mod Slot Ports Module-Type Model Sub Status --- ---- ----- ------------------------- ------------------- --- -------- 1000BaseX Supervisor WS-X6K-SUP1A-2GE yes ok Multilayer Switch Feature WS-F6K-MSFC 10/100BaseTX Ethernet WS-X6248-RJ-45 10/100/1000BaseT Ethernet WS-X6548-GE-TX
  • Page 265 7 Policy Feature Card 3 WS-F6K-PFC3BXL SAD083305A1 7 MSFC3 Daughterboard WS-SUP720 SAD083206JX 11 IDS 2 accelerator board WS-SVC-IDSUPG 13 IDS 2 accelerator board WS-SVC-IDSUPG 0347331976 Mod Online Diag Status
  • Page 266: Configuring the Catalyst 6500 Series Switch for Command and Control Access to IDSM-2

    Step 3 Put the command and control port into the correct VLAN: cat6k> (enable) set vlan command_and_control_vlan_number idsm2_slot_number/command_and_control_port_number Example: cat6k> (enable) set vlan 147 6/2 VLAN 147 modified. VLAN 146 modified. VLAN Mod/Ports
  • Page 267 If you are unable to comply with U.S. and local laws, return this product immediately. A summary of U.S. laws governing Cisco cryptographic products may be found at: http://www.cisco.com/wwl/export/crypto/tool/stqrg.html If you require further assistance please contact us by sending email to export@cisco.com.
  • Page 268: Cisco IOS Software

  • Page 269: Configuring the Catalyst Series 6500 Switch for IDSM-2 in Promiscuous Mode

    Using the TCP Reset Interface: The IDSM-2 has a TCP reset interface—port 1. The IDSM-2 has a specific TCP reset interface because it cannot send TCP resets on its sensing ports.
  • Page 270: Configuring SPAN

    • tx—Transmitting traffic. To enable SPAN on IDSM-2, follow these steps: Step 1 Log in to the console. Step 2 Enter privileged mode: cat6k> enable
  • Page 271 This command will disable your span session. Do you want to continue (y/n) [n]? y Disabled Port 13/7 to monitor receive traffic of VLAN 650 cat6k> (enable)
  • Page 272: Cisco IOS Software

    (config)# monitor session (session_number) source interface interface/port_number [, | - | rx | tx | both] Example: router (config)# monitor session 1 source interface GigabitEthernet2/23 both
  • Page 273: Configuring VACLs

    You can set VACLs to capture traffic for IPS from a single VLAN, from multiple VLANs, or from FlexWAN2 ports on the 7600 router when using Cisco IOS software. This section describes how to configure VACLs, and contains the following topics: • Catalyst Software, page 15-12 ...
  • Page 274: Catalyst Software

    (enable) set security acl ip CAPTUREALL permit ip any any capture CAPTUREALL editbuffer modified. Use 'commit' command to apply changes. Step 4 Commit the VACL: console> (enable) commit security acl CAPTUREALL ACL commit in progress.
  • Page 275: Cisco IOS Software

    Step 2 Enter global configuration mode: router# configure terminal Step 3 Define the ACL: router (config)# ip access-list [standard | extended] acl_name Example: router(config)# ip access-list standard CAPTUREALL
  • Page 276: Configuring the MLS IP IDS Command

    This section describes how to use the mls ip ids command to capture IPS traffic, and contains the following topics: • Catalyst Software, page 15-15 • Cisco IOS Software, page 15-15
  • Page 277: Catalyst Software

    Configuring the Catalyst Series 6500 Switch for IDSM-2 in Promiscuous Mode Catalyst Software When you are running the Cisco IOS Firewall on the MSFC, you cannot use VACLs to capture traffic for IDSM-2, because you cannot apply VACLs to a VLAN in which you have applied an IP inspect rule for the Cisco IOS Firewall.
  • Page 278: Configuring the Catalyst Series 6500 Switch for IDSM-2 in Inline Mode

    For the procedure for configuring IDSM-2 to run in promiscuous or inline mode, see Chapter 5, “Configuring Interfaces.” This section contains the following topics: • Catalyst Software, page 15-17 • Cisco IOS Software, page 15-18
  • Page 279: Catalyst Software

    (enable)> clear trunk 9/8 1-651,653-4094 Step 5 Enable BPDU spantree filtering on the IDSM-2 monitoring ports: cat6k (enable)> set spantree bpdu-filter 6/7-8 enable Note: For IPS 5.0(2), omit this step.
  • Page 280: Cisco IOS Software

    Configuring IDSM-2 Configuring the Catalyst Series 6500 Switch for IDSM-2 in Inline Mode Cisco IOS Software Note: Cisco IOS software 12.2(18)SXE with Supervisor Engine 720 supports only one IDSM-2 inline between two VLANs. Configure the IDSM-2 monitoring ports as access ports for inline operation.
  • Page 281 enet 100661 1500 Remote SPAN VLAN Disabled Primary Secondary Type Ports router#
  • Page 282: Configuring EtherChanneling

    Port 1 is a TCP/IP reset port. Port 2 is the command and control port. Ports 7 and 8 are the sensing ports for Catalyst software and data ports 1 and 2 for Cisco IOS software. The other ports are not used.
  • Page 283 Chapter 15 Configuring IDSM-2 Configuring EtherChanneling For more information on EtherChanneling, refer to Catalyst 6500 Series Cisco IOS Software Configuration Guide, 12.2SX. To configure EtherChannel load balancing on IDSM-2, follow these steps: Step 1 Configure each IDSM-2 for promiscuous operation. For the procedure, see Chapter 5, “Configuring Interfaces.”...
  • Page 284: Disabling EtherChanneling

    Step 2 Enter global configuration mode: router# configure terminal Step 3 To remove a single IDSM-2 from the EtherChannel: router(config)# no intrusion-detection module module_number data-port data_port_number channel-group channel_number
  • Page 285: Verifying EtherChanneling

    Number of aggregators: Group Port-channel Protocol Ports ------+-------------+-----------+---------------------------- router# Step 4 To see the EtherChannel load balance setting: router# show etherchannel load-balance EtherChannel Load-Balancing Configuration: src-dst-ip mpls label-ip
  • Page 286: Administrative Tasks for IDSM-2

    When IDSM-2 initially boots, by default it runs a partial memory test. You can enable a full memory test in Catalyst software and Cisco IOS software. This section describes how to enable full memory tests, and contains the following topics: •...
  • Page 287: Cisco IOS Software

    Proceed with reload of module?[confirm] % reset issued for module 9 router# Step 3 Reset IDSM-2. For the procedure, see Resetting IDSM-2, page 15-26. The full memory test runs.
  • Page 288: Resetting IDSM-2

    IDSM-2 more than once. If IDSM-2 fails to respond after three reset attempts, boot the maintenance partition, and perform the instructions for restoring the application partition. For the procedure, see Installing the IDSM-2 System Image, page 17-25.
  • Page 289: Catalyst Software

    Catalyst and Cisco IOS Software Commands This section lists the Catalyst and Cisco IOS software commands that pertain to IDSM-2. Note: For more detailed information on Catalyst and Cisco IOS software commands, refer to the command references found on Cisco.com. For instructions on how to locate these documents, refer to the Documentation Roadmap for Cisco Intrusion Prevention System that shipped with your IDSM-2.
  • Page 290: Supported Supervisor Engine Commands

    Displays the errors reported from the diagnostic tests for both the SPAN port (port 1) and the management port (port 2) and the BIOS and CMOS boot results.
  • Page 291: Unsupported Supervisor Engine Commands

    • set vtp Cisco IOS Software This section lists the Cisco IOS software commands that IDSM-2 supports. These commands are grouped according to mode. This section contains the following topics: • EXEC Commands, page 15-30 • Configuration Commands, page 15-31
  • Page 292 Displays the configuration that is currently running. • show startup-config Displays the saved configuration. • show vlan access-map Displays all current VLAN access maps.
  • Page 293: Configuration Commands

    Maps the VACL maps to VLANs. • Interface configuration mode – switchport Sets the interface as a switch port. – switchport access vlan vlan Sets the access VLAN for the interface.
  • Page 294 VACL configuration submode – action forward capture Designates that matched packets should be captured. – match ip address [1-199 | 1300-2699 | acl_name] Specifies filtering in the VACL.
  • Page 295: Configuration Sequence

    For the procedure, see Configuring Packet Capture, page 16-5. Create the service account. A service account is needed for password recovery and other special debug situations directed by TAC.
  • Page 296: Configuring IDS-Sensor Interfaces on the Router

    NM-CIDS, in which you can issue any IPS configuration commands. After completing work in the session and exiting the IPS CLI, you are returned to Cisco IOS CLI. The session command starts a reverse Telnet connection using the IP address of the ids-sensor interface.
  • Page 297: Establishing NM-CIDS Sessions

    Chapter 16 Configuring NM-CIDS Establishing NM-CIDS Sessions Cisco IOS gives NM-CIDS the name “IDS-Sensor.” Note: In this example, 1 is the slot number and 0 is the port number, because there is only one port. Step 2 Enable the CEF switching path:...
  • Page 298: Sessioning to NM-CIDS

    Note: When you are finished with a session, you need to return to the router to establish the association between a session (the IPS application) and the router interfaces you want to monitor.
  • Page 299: Telnetting to NM-CIDS

    Note: You can choose more than one interface or subinterface to monitor, but you can only edit one interface at a time. Step 4 Enter global configuration mode: router# configure terminal Step 5 Specify the interface or subinterface: router(config)# interface FastEthernet0/0
  • Page 300 Total Transmit Errors = 0 Total Transmit FIFO Overruns = 0 Repeat Step c to see the counters gradually increasing. This indicates that NM-CIDS is receiving network traffic.
  • Page 301: Administrative Tasks for NM-CIDS

    FastEthernet0/0 was added to the virtual sensor when you initialized the NM-CIDS with the setup command. Administrative Tasks for NM-CIDS The following section describes how to reboot NM-CIDS and how to check the status of the Cisco IPS software. It contains the following topics: •...
  • Page 302: Supported Cisco IOS Commands

    Shuts down the IPS applications running on NM-CIDS. Caution: Removing the NM-CIDS without proper shutdown can result in the hard-disk drive being corrupted. After successful shutdown of the NM-CIDS applications, Cisco IOS prints a message indicating that you can now remove NM-CIDS. – service-module ids-sensor slot_number/0 status
  • Page 303: Overview

    When you install a new system image on your sensor, all accounts are removed and the default cisco account is reset to use the default password “cisco.” After installing the system image, you must initialize the sensor again.
  • Page 304: Upgrading the Sensor

    Adding Hosts to the Known Hosts List, page 4-31. • ip-address—IP address of the file server. • password—User password for authentication on the file server.
  • Page 305: Using the upgrade Command

    Obtaining Cisco IPS Software, page 18-1. Note: You must log in to Cisco.com using an account with cryptographic privileges to download the file. Do not change the file name. You must preserve the original file name for the sensor to accept the update.
  • Page 306: Upgrading the Recovery Partition

    Caution: Some browsers add an extension to the filename. The filename of the saved file must match what is displayed on the download page or you cannot use it to upgrade the recovery partition.
  • Page 307: Configuring Automatic Upgrades

    You can configure the sensor to look for new upgrade files in your upgrade directory automatically. You must download the software upgrade from Cisco.com and copy it to the upgrade directory before the sensor can poll for automatic upgrades. For the procedure for locating software on Cisco.com, see Obtaining Cisco IPS Software, page 18-1.
  • Page 308: auto-upgrade Command and Options

    Valid values are 0 to 8760. • start-time—The time of day to start the first automatic upgrade. The valid value is hh:mm[:ss]. • user-name—Username for authentication on the file server.
  • Page 309: Using the auto-upgrade Command

    SSH. For the procedure, see Adding Hosts to the Known Hosts List, page 4-31. Step 9 Verify the settings: sensor(config-hos-ena)# show settings enabled ----------------------------------------------- schedule-option ----------------------------------------------- periodic-schedule -----------------------------------------------
  • Page 310: Downgrading the Sensor

    Step 4 ... Step 5 If there is no recently applied service pack or signature update, the downgrade command is not available: sensor(config)# downgrade No downgrade available. sensor(config)#
  • Page 311: Recovering the Application Partition

    Note: Make sure you can access the TFTP server location from the network connected to your sensor’s Ethernet port. Step 2 Log in to the CLI using an account with administrator privileges. Step 3 Enter configuration mode: sensor# configure terminal
  • Page 312: Installing System Images

    If you executed the recover application-partition command remotely, you can SSH to the sensor with the default username and password (cisco/cisco) and then initialize the sensor again with the setup command. You cannot use Telnet until you initialize the sensor because Telnet is disabled by default.
  • Page 313: Overview

    CISCO SYSTEMS IDS-4215 Embedded BIOS Version 5.1.7 02/23/04 15:50:39.31 Compiled by dnshep Evaluating Run Options ... Cisco ROMMON (1.4) #3: Mon Feb 23 15:52:45 MST 2004 Platform IDS-4215
  • Page 314 Step 9 Verify that you have access to the TFTP server by pinging it from the local Ethernet port: rommon> ping server_ip_address rommon> ping server
  • Page 315: Upgrading the IDS-4215 BIOS and ROMMON

    Embedded BIOS Version 5.1.3 05/12/03 10:18:14.84 Compiled by ciscouser Evaluating Run Options ... Cisco ROMMON (1.2) #0: Mon May 12 10:21:46 MDT 2003 Platform IDS-4215 0: i8255X @ PCI(bus:0 dev:13 irq:11)
  • Page 316 Caution: Do not remove power to IDS-4215 during the update process, otherwise the upgrade can get corrupted. If this occurs, IDS-4215 will be unusable and require an RMA.
  • Page 317: Installing the IPS-4240 and IPS-4255 System Image

    1209 Ethernet 8086 1209 Ethernet Evaluating BIOS Options ... Launch BIOS Extension to setup ROMMON Cisco Systems ROMMON Version (1.0(5)0) #1: Tue Sep 14 12:20:30 PDT 2004
  • Page 318 Step 5 If necessary, change the interface used for the TFTP download: Note: The default interface used for TFTP downloads is Management0/0, which corresponds to the MGMT interface of IPS-4240. rommon> PORT=interface_name
  • Page 319 Step 12 Download and install the system image: rommon> tftp Caution: To avoid corrupting the system image, do not remove power from IPS-4240 while the system image is being installed.
  • Page 320: Using the Recovery/Upgrade CD

    Step 2 Insert the recovery/upgrade CD into the CD-ROM drive. Step 3 Power off the appliance and then power it back on. The boot menu appears, which lists important notices and boot options.
  • Page 321: Installing the NM-CIDS System Image

    The 5.0 upgrade also updates the bootloader with the new bootloader file (servicesengine-boot-1.0-17-1_dev.bin), then reimages the hard-disk drive with the new image. We recommend that you use the upgrade command.
  • Page 322: Installing the NM-CIDS System Image

    NM-CIDS’ Ethernet port. Step 2 Log in to the router. Step 3 Enter enable mode: router# enable router(enable)# Step 4 Session to NM-CIDS: router(enable)# service-module IDS-Sensor slot_number/0 session
  • Page 323 Specify the default boot device—The default boot device is always set to disk. Specify the default bootloader—The default bootloader is always set to primary. If you made any changes, the bootloader stores them permanently. The bootloader command prompt appears.
  • Page 324: Upgrading the Bootloader

    Step 1 Download the bootloader file (servicesengine-boot-1.0-17-1_dev.bin) and the helper file (NM-CIDS-K9-helper-1.0-1.bin) to the TFTP root directory of a TFTP server that is accessible from your NM-CIDS. For the procedure for locating software on Cisco.com, see Obtaining Cisco IPS Software, page 18-1.
  • Page 325 The bootloader displays a spinning line while loading the helper image from the TFTP server. When the helper is loaded, it is booted. The NM-CIDS helper displays its main menu when it launches.
  • Page 326 Continue with Step 18. Selection [1234rh]: Step 18 Type r to reboot NM-CIDS: Selection [1234rh]: r About to exit and reset Services Engine. Are you sure? [y/N]
  • Page 327: Installing the IDSM-2 System Image

    This section describes how to install the IDSM-2 system image, and contains the following topics: • Catalyst Software, page 17-25 • Cisco IOS Software, page 17-26 Catalyst Software To install the system image, follow these steps:
  • Page 328 Obtaining Cisco IPS Software, page 18-1. Step 2 Log in to the switch CLI. Step 3 Boot IDSM-2 to the maintenance partition: router# hw-module module module_number reset cf:1
  • Page 329: Configuring the Maintenance Partition

    This section describes how to configure the maintenance partition on IDSM-2, and contains the following topics: • Catalyst Software, page 17-28 • Cisco IOS Software, page 17-31
  • Page 330 Clear the IDSM-2 maintenance partition host configuration (ip address, gateway, hostname): guest@idsm2.localdomain# clear ip guest@localhost.localdomain# show ip IP address : 0.0.0.0 Subnet Mask : 0.0.0.0 IP Broadcast : 0.0.0.0 DNS Name : localhost.localdomain
  • Page 331 Daughter Card Info: Falcon rev 3, FW ver 2.0.3.0 (IDS), SRAM 8 MB, SDRAM 256 MB guest@idsm2.localdomain# Step 11 Upgrade the application partition: guest@idsm2.localdomain# upgrade ftp://jsmith@10.89.146.11//RELEASES/Latest/5.0-1/WS-SVC-IDSM2-K9-sys-1.1-a-5.0-1.bin.gz Downloading the image. This may take several minutes... Password for jsmith@10.89.146.114:
  • Page 332 Fri Mar 11 21:22:28 2005 : Partition '/dev/hdc1' unmounted. Fri Mar 11 21:22:28 2005 : Directory changed to '/tmp'. Application image upgrade complete. You can boot the image now. Partition upgraded successfully
  • Page 333 The default escape character is Ctrl-^, then x. You can also type 'exit' at the remote prompt to end the session Trying 127.0.0.111 ... Open Cisco Maintenance image
  • Page 334 Step 6 Configure the maintenance partition host configuration: Specify the IP address: guest@localhost.localdomain# ip address ip_address netmask Specify the default gateway: guest@localhost.localdomain# ip gateway gateway_ip_address Specify the hostname: guest@localhost.localdomain# ip host hostname
  • Page 335 Step 11 Proceeding with upgrade. Please do not interrupt. If the upgrade is interrupted or fails, boot into maintenance image again and restart upgrade.
  • Page 336 PING 10.89.146.114 (10.89.146.114) from 10.89.149.74 : 56(84) bytes of data. 64 bytes from 10.89.146.114: icmp_seq=0 ttl=254 time=381 usec 64 bytes from 10.89.146.114: icmp_seq=1 ttl=254 time=133 usec 64 bytes from 10.89.146.114: icmp_seq=2 ttl=254 time=129 usec
  • Page 337: Upgrading the Maintenance Partition

    To upgrade the maintenance partition, follow these steps: Step 1 Download the IDSM-2 maintenance partition file (c6svc-mp.2-1-1.bin.gz) to the FTP root directory of an FTP server that is accessible from your IDSM-2. For the procedure for locating software on Cisco.com, see Obtaining Cisco IPS Software, page 18-1.
  • Page 338: Installing the AIP-SSM System Image

  • Page 339 1 Up asa# Note: To debug any errors that may happen in the recovery process, use the debug module-boot command to enable debugging of the system reimaging process.
  • Page 340 Upgrading, Downgrading, and Installing System Images Installing System Images Step 10 Session to AIP-SSM and initialize AIP-SSM with the setup command. For the procedure, see Initializing the Sensor, page 3-2.
  • Page 341: Chapter 18 Obtaining Software

    IPS software from the Download Software site. You can sign up for IPS Alert Bulletins to receive information on the latest software releases. You must be logged in to Cisco.com to download software. Note: You must have an active IPS maintenance contract and a Cisco.com password to download software.
  • Page 342: IPS Software Image Naming Conventions

    Step 10 Click Agree to accept the software download rules. The first time you download a file from Cisco.com, you must fill in the Encryption Software Export Distribution Authorization form before you can download the software. Fill out the form and click Submit.
  • Page 343 To install the most recent signature update, you must have the most recent minor version. Service packs are dependent on the most recent minor version, which is dependent on the most recent major version.
  • Page 344: 5.X Software Release Examples

    If there are defect fixes for the installer, for example, the underlying application version may still be 5.0(1), but the recovery partition image will be r 1.2.
  • Page 345: Upgrading Cisco IPS Software to 5.0

    (WS-X6381) with IDSM-2 (WS-SVC-IDSM2-K9), which supports version 5.0. The minimum required version for upgrading to 5.0 is 4.1(1). The upgrade from Cisco 4.1 to 5.0 is available as a download from Cisco.com. For the procedure for accessing Downloads on Cisco.com, see Obtaining Cisco IPS Software, page 18-1.
  • Page 346: Obtaining a License Key from Cisco.com

    Obtaining a License Key From Cisco.com This section describes how to obtain a license key from Cisco.com and how to install it using the CLI or IDM. This section contains the following topics: • Overview, page 18-6 ...
  • Page 347: Service Programs for IPS Products

    Service Programs for IPS Products You must have a Cisco Services for IPS service contract for any IPS product so that you can download a license key and obtain the latest IPS signature updates. If you have a direct relationship with Cisco Systems, contact your account manager or service account manager to purchase the Cisco Services for IPS service contract.
  • Page 348: Installing the License Key

    ASA-SSM-AIP-10-K9, you must now purchase the Cisco Services for IPS service contract. After you have the Cisco Services for IPS service contract, you must also have your product serial number to apply for the license key. For the procedure, see Installing the License Key, page 18-8.
  • Page 349 URL for the web server. The syntax for this prefix is: http:[[/[username@]location]/directory]/filename • https:—Source URL for the web server. The syntax for this prefix is: https:[[/[username@]location]/directory]/filename
  • Page 350 Note the device with that number. Your Cisco IPS Signature Subscription Service license key will be sent by e-mail to the e-mail address you specified. Save the license key to a system that has a web server, FTP server, or SCP server.
  • Page 351: Cisco Security Center

    You should be aware of the most recent security threats so that you can most effectively secure and manage your network. The Cisco Security Center contains the top ten intelligence reports listed by date, severity, urgency, and whether there is a new signature available to deal with the threat.
  • Page 352: Accessing IPS Documentation

    Enter the name of your company in the Company field. Choose your country from the drop-down menu. Enter your e-mail address in the E-mail field. Step 8 Check the check box if you want to receive further information about Cisco products and offerings by e-mail.
  • Page 353 • Install and Upgrade—Contains hardware installation and regulatory guides. • Configure—Contains configuration guides for IPS CLI, IDM, and IME. • Troubleshoot and Alerts—Contains TAC tech notes and field notices.
  • Page 354 Chapter 18 Obtaining Software Accessing IPS Documentation
  • Page 355: Appendix

    • Summary of IPS 5.0 Applications, page A-37 System Overview You can install Cisco IPS software on two platforms: the appliances and the modules (refer to “Supported Sensors,” in Installing Cisco Intrusion Prevention System Appliances and Modules 5.0 for a list of current appliances and modules).
  • Page 356 – Web Server (HTTP RDEP2 server)—Provides a web interface and communication with other IPS devices through RDEP2 using several servlets to provide IPS services.
  • Page 357: IPS 5.0 New Features

    – The IPS signature update process is now similar to antivirus DAT file updates. • RDEP2 – RDEP has been revised to RDEPv2, which supports an event standard called SDEE.
  • Page 358: User Interaction

    The system has reasonable default values to minimize the number of modifications you must make. You can configure IPS 5.0 through the CLI, IDM, IDS MC, ASDM or through another application using RDEP2 and IDCONF.
  • Page 359: Security Features

    • By default Web Server uses TLS or SSL. You can choose to disable TLS and SSL. • Unnecessary services are disabled. • Only the SNMP set required by the Cisco MIB Police is allowed within the CISCO-CIDS-MIB. • OIDs implemented by the public domain SNMP agent will be writeable when specified by the MIB. MainApp MainApp now includes all IPS components except SensorApp and the CLI.
  • Page 360: MainApp Responsibilities

    • New “health” control transaction A new health and welfare type of control transaction is defined in the IDCONF specification. This control transaction reports the status and welfare of the system.
  • Page 361: Event Store

    IPS event consumer. Sufficient buffering depends on your requirements and the capabilities of the nodes in use. The oldest events in the circular buffer are replaced by the newest events.
  • Page 362: Event Data Structures

    IPS applications generate IPS events to report the occurrence of some stimulus. The events are the data, such as the alerts generated by SensorApp or errors generated by any application. Events are stored in a local database known as the Event Store.
  • Page 363: NotificationApp

    • Event ID • Event severity • Time (UTC and local time) • Signature name • Signature ID • Subsignature ID • Version • Summary • Interface group
  • Page 364 IP nodes keyed on both IP address • Sensor memory critical stage • Interface status • Command and control packet statistics • Fail-over state • System uptime • CPU usage
  • Page 365: CtlTransSource

    RDEP control transaction message. The transactionHandlerLoop uses the HttpClient classes to issue the RDEP control transaction request to the HTTP server on the remote node. The remote HTTP
  • Page 366: Network Access Controller

    Control Transaction Server, which passes it to the Network Access Controller. Network Access Controller on the master blocking sensor then interacts with the devices it is managing to enable the block.
  • Page 367: Network Access Controller Features

    Only the protocol specified in the Network Access Controller configuration for that device is attempted. If the connection fails for any reason, Network Access Controller attempts to reestablish
  • Page 368 You can specify the interface and direction where blocking is performed in the Network Access Controller configuration for routers. You can specify the interface where blocking is performed in the VACL configuration. Note: Cisco firewalls do not block based on interface or direction, so this configuration is never specified for them.
  • Page 369: Supported Blocking Devices

    Note: You must have the RSM because blocking is performed on the RSM. • Catalyst 6000 series switches with PFC installed running Catalyst software 5.3 or later
  • Page 370: ACLs and VACLs

    Appendix A System Architecture MainApp • Catalyst 6000 MSFC2 with Catalyst software 5.4(3) or later and Cisco IOS 12.1(2)E or later on the MSFC2 • Cisco ASA 5500 series models: ASA 5510, ASA 5520, and ASA 5540 • FWSM The FWSM cannot block in multi-mode admin context.
  • Page 371: Connection-Based And Unconditional Blocking

    If the time for the new block is less than or equal to the remaining minutes, no action is taken. Otherwise, the new block timeout replaces the existing block timeout.
  • Page 372: Blocking with Cisco Firewalls

    Appendix A System Architecture MainApp Caution: Cisco firewalls do not support connection blocking of hosts. When a connection block is applied, the firewall treats it like an unconditional block. Cisco firewalls also do not support network blocking. Network Access Controller never tries to apply a network block to a Cisco firewall.
  • Page 373: Blocking with Catalyst Switches

    The main.log is included in the show tech-support command output. If the message is logged at warning level or above (error or fatal), LogApp converts the message to an evError event (with the corresponding error severity) and inserts it in Event Store. ...
  • Page 374: Authenticationapp

    CLI or an IPS manager, such as IDM or ASDM, by logging in to the sensor using the default administrative account (cisco). In the CLI, the Administrator is prompted to change the password. IPS managers initiate a setEnableAuthenticationTokenStatus control transaction to change the account’s password.
  • Page 375: Configuring Authentication On The Sensor

    If the fingerprints match, the trust relationship is established and henceforth the client can automatically connect with that server and be confident that the remote server is not an imposter. ...
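    The trust relationship described above is trust-on-first-use: the operator compares the fingerprint the sensor displays against one obtained out of band, the key is stored, and every later connection is checked against the stored key. The following added example, which is not code from the guide or the sensor, shows that flow and the failure mode that matters (a changed key must be refused, not silently re-trusted). The key blobs are constructed test data and the MD5 colon-separated fingerprint format is the classic OpenSSH one, assumed here for readability.

```python
"""Added example (not from the Cisco IPS guide): a trust-on-first-use known-hosts
store of the kind the sensor's SSH known-hosts table implements. Keys below are
constructed test bytes, not real public keys.
"""
import hashlib


def fingerprint(key_blob: bytes) -> str:
    """MD5 fingerprint in the classic colon-separated form (assumed format)."""
    digest = hashlib.md5(key_blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


class KnownHosts:
    def __init__(self) -> None:
        self._hosts = {}  # host address -> stored fingerprint

    def accept(self, host: str, presented_key: bytes, out_of_band_fp: str) -> str:
        """First contact: store the key only if its fingerprint matches the value
        the operator obtained out of band (for example from the device console)."""
        if host in self._hosts:
            return "already trusted"
        fp = fingerprint(presented_key)
        if fp != out_of_band_fp.lower():
            return "rejected: fingerprint does not match out-of-band value"
        self._hosts[host] = fp
        return "accepted"

    def check(self, host: str, presented_key: bytes) -> str:
        """Later contacts: automatic only while the presented key is unchanged."""
        stored = self._hosts.get(host)
        if stored is None:
            return "unknown: no trust relationship yet"
        if stored == fingerprint(presented_key):
            return "trusted"
        return "MISMATCH: key changed, possible impostor; refuse to connect"

    def stored_fingerprint(self, host: str):
        return self._hosts.get(host)


def demo() -> list:
    """Constructed scenario: a router key, then an impostor presenting a different key."""
    kh = KnownHosts()
    real_key = b"ssh-rsa constructed-router-key-bytes"
    rogue_key = b"ssh-rsa constructed-impostor-key-bytes"
    out_of_band = fingerprint(real_key)  # what the operator read off the device
    results = []
    results.append(kh.check("10.0.0.1", real_key))                   # unknown
    results.append(kh.accept("10.0.0.1", real_key, out_of_band))     # accepted
    results.append(kh.check("10.0.0.1", real_key))                   # trusted
    results.append(kh.check("10.0.0.1", rogue_key))                  # MISMATCH
    results.append(kh.accept("10.0.0.2", rogue_key, out_of_band))    # rejected
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

    The check that does the security work is the out-of-band comparison in accept(): skipping it and accepting whatever key arrives first turns the store into a record of the first attacker to answer.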
  • Page 376: Web Server

    SSL. SensorApp This section describes SensorApp, and contains the following topics: • Responsibilities and Components, page A-23 • Packet Flow, page A-24 ...
  • Page 377: Seap

    The layer 2 processor updates statistics about packets that have been denied because of the policy you have configured. • Database Processor (DBP): This processor maintains the signature state and flow databases. ...
  • Page 378 Execution Thread 1: TP --> L2P --> DFP --> FRP --> SP --> DBP --> SAP --> SDP --> | Execution Thread 2: DBP --> SRP --> EAP ...
  • Page 379 It starts with the signature event with configured action received in the alarm channel and flows top to bottom as the signature event passes through the functional components of the SEAP. ...
  • Page 380 There is no IP stack associated with any interface used for inline (or promiscuous) data processing. The current support for 802.1q packets in promiscuous mode is extended to inline mode. • Enhanced configuration ...
  • Page 381 • Driver support for concurrent SensorApp and TCPdump capture: The drivers for the data interfaces support concurrent use of the interfaces by SensorApp and TCPdump or other libpcap based readers ...
  • Page 382: Cli

    Monitoring applications only require viewer access to the sensor. You can use the CLI to set up a user account with viewer privileges and then configure the event viewer to use this account to connect to the sensor. ...
  • Page 383: Service Account

    The service account is not intended to be used for configuration purposes. Only modifications made to the sensor through the service account under the direction of TAC are supported. Cisco Systems does not support the addition and/or running of an additional service to the operating system through the service account, because it affects proper performance and proper functioning of the other IPS services.
  • Page 384: Cli Behavior

    To recall the commands entered in a mode, use the Up Arrow or Down Arrow keys or press Ctrl-P or Ctrl-N. Note: Help and tab complete requests are not reported in the recall list. • A blank prompt indicates the end of the recall list. ...
  • Page 385: Communications

    SensorApp generates a block event, which is also stored in the Event Store. Figure A-5 illustrates the IDAPI interface. Figure A-5 IDAPI (figure: alerts and block requests flow from SensorApp through IDAPI to the Event Store) ...
  • Page 386 Web Server, which passes it to the Event Server. The Event Server queries the Event Store through IDAPI and then returns the result. ...
  • Page 387 Sending Commands Through RDEP2 (figure: IDS-MC and third-party event management applications act as RDEP2 clients; the client sends a control transaction (CT) request in an HTTP POST to the sensor Web Server, which forwards it over IDAPI to the CT Server of the target application, and the CT response returns along the same path) ...
  • Page 388 <component name="userAccount"> <config typedefsVersion="2004-03-01" xmlns="http://www.cisco.com/cids/idconf"> <struct> <map name="user-accounts" editOp="merge"> <mapEntry> <key> <var name="name">cisco</var> </key> <struct> <struct name="credentials"> <var name="role">administrator</var> </struct> </struct> </mapEntry> </map> </struct> </config> </component> </editDefaultConfig> </request> ...
  • Page 389 CIDEE CIDEE specifies the extensions to SDEE that are used by the Cisco IPS. The CIDEE standard specifies all possible extensions that are supported by IPS. Specific systems may implement a subset of CIDEE extensions.
  • Page 390: Ips 5.0 File Structure

    • /usr/cids/idsRoot/bin/falcondump—Contains the application for getting packet dumps on the sensing ports of the IDS-4250-XL and IDSM-2. • /usr/cids/idsRoot/etc—Stores sensor configuration files. • /usr/cids/idsRoot/htdocs—Contains the IDM files for the web server. ...
  • Page 391: Summary Of Ips 5.0 Applications

    Control Transaction Source Waits for control transactions directed to remote applications, forwards the control transactions to the remote node using RDEP2, and returns the response to the initiator. ...
  • Page 392 Waits for remote HTTP client requests and calls the appropriate servlet application. 1. This is a web server servlet. 2. This is a web server servlet. 3. This is a remote control transaction proxy. ...
  • Page 393: Appendix

    About Signature Engines A signature engine is a component of the Cisco IPS that is designed to support many signatures in a certain category. An engine is composed of a parser and an inspector. Each engine has a set of parameters that have allowable ranges or sets of values.
  • Page 394 The WEBPORTS variable defines the inspection ports for HTTP traffic. – IDENT—Inspects IDENT (client and server) traffic. – MSRPC—Inspects MSRPC traffic. – MSSQL—Inspects Microsoft SQL traffic. – NTP—Inspects NTP traffic. ...
  • Page 395: Master Engine

    Signatures that are not service, OS, or application-specific have 0 for the promiscuous delta. If the signature is specific to an OS, service, or application, it has a promiscuous delta of 5, 10, or 15, calculated from 5 points for each category. ...
  • Page 396: Alert Frequency

    For example, you can configure the signature to Fire All, but after a certain threshold is reached, it starts summarizing. Table B-2 on page B-5 lists the alert frequency parameters. ...
  • Page 397: Event Actions

    Event Action Rules. You can clear all denied attacker entries with the clear denied-attackers command, which permits the addresses back on the network. • deny-connection-inline—Does not transmit this packet and future packets on the TCP flow (inline only). ...
  • Page 398: Aic Engine

    – Response message validation – MIME type enforcement – Transfer encoding type validation – Content control based on message content and type of data being transferred – URI length enforcement ...
  • Page 399 Specifies the action to take when noncompliant HTTP traffic is seen. The alarm-on-non-http-traffic [true | false] command enables the signature. max-outstanding-requests-overrun: Maximum allowed HTTP requests per connection (1 to 16). ...
  • Page 400: Atomic Engine

    The ATOMIC.ARP engine defines basic Layer-2 ARP signatures and provides more advanced detection of the ARP spoof tools dsniff and ettercap. Table B-5 on page B-9 lists the parameters that are specific to the ATOMIC.ARP engine. ...
  • Page 401: Atomic.ip Engine

    Specifies IP datagram total length. specify-ip-option-inspection: Specifies IP options inspection. specify-l4-protocol: Specifies Layer-4 protocol. specify-ip-tos: Specifies type of service. specify-ip-ttl: Specifies time to live. specify-ip-version: Specifies IP protocol version. ...
  • Page 402: Flood Engine

    META definitions. The META engine generates a signature event after all requirements for the event are met. ...
  • Page 403: Normalizer Engine

    The NORMALIZER engine deals with IP fragmentation and TCP normalization. This section describes the NORMALIZER engine, and contains the following topics: • Overview, page B-12 • NORMALIZER Engine Parameters, page B-12 ...
  • Page 404: Overview

    NORMALIZER Engine Parameters: edit-default-sigs-only: Editable signatures. specify-fragment-reassembly-timeout: (Optional) Enables fragment reassembly timeout. specify-hijack-max-old-ack: (Optional) Enables hijack-max-old-ack. specify-max-dgram-size: (Optional) Enables maximum datagram size. specify-max-fragments: (Optional) Enables maximum fragments. ...
  • Page 405: Service Engines

    • SERVICE.HTTP Engine, page B-19 • SERVICE.IDENT Engine, page B-20 • SERVICE.MSRPC Engine, page B-21 • SERVICE.MSSQL Engine, page B-22 • SERVICE.NTP Engine, page B-22 • SERVICE.RPC Engine, page B-23 ...
  • Page 406 (Optional) Enables query record data invalid (true | false): • query-record-data-invalid—DNS Record Data incomplete. specify-query-record-data-len: (Optional) Enables the query record data length (0 to 65535): • query-record-data-len—DNS Response Record Data Length ...
  • Page 407: Service.ftp Engine

    False for no swap (default). 1. The second number in the range must be greater than or equal to the first number. ...
  • Page 408: Service.generic Engine

    • SERVICE.H225 Engine This section describes the SERVICE.H225 engine, and contains the following topics: • Overview, page B-17 • SERVICE.H225 Engine Parameters, page B-17 ...
  • Page 409: Overview

    SETUP signatures, you can add signatures for length and regular expression checks on various SETUP message fields. SERVICE.H225 Engine Parameters Table B-14 on page B-18 lists parameters specific to the SERVICE.H225 engine. ...
  • Page 410 This is never set for TPKT signatures. specify-value-range: Valid for the length or value policy types, 0 to 65535 (0x0000 to 0xFFFF). Not valid for other policy types. • value-range—Range of values. ...
  • Page 411: Service.http Engine

    The SERVICE.HTTP engine has default deobfuscation behavior for the Microsoft IIS web server. For an example SERVICE.HTTP custom signature, refer to “Example SERVICE.HTTP Signature,” in Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface 5.0. SERVICE.HTTP Engine Parameters Table B-15 lists the parameters specific to the SERVICE.HTTP engine.
  • Page 412: Service.ident Engine

    1. The second number in the range must be greater than or equal to the first number. SERVICE.IDENT Engine The SERVICE.IDENT engine inspects TCP port 113 traffic. It has basic decode and provides parameters to specify length overflows. ...
  • Page 413: Service.msrpc Engine

    The SERVICE.MSRPC engine only decodes the DCE and RPC protocol for the most common transaction types. SERVICE.MSRPC Engine Parameters Table B-17 on page B-22 lists the parameters specific to the SERVICE.MSRPC engine. ...
  • Page 414: Service.mssql Engine

    The SERVICE.NTP engine inspects the NTP protocol. There is one NTP signature, the NTPd readvar overflow signature, which fires an alert if a readvar command is seen with NTP data that is too large for the NTP service to capture. ...
  • Page 415: Service.rpc Engine

    0 to 65535 the target service resides. a-b[,c-d] specify-is-spoof-src: (Optional) Enables the spoof source address (true | false): • is-spoof-src—Fires an alert when the source address is 127.0.0.1. ...
  • Page 416: Service Smb Engine

    (Optional) Enables byte count (0 to 65535): • byte-count—Byte count from SMB_COM_TRANSACTION structure. specify-command: (Optional) Enables SMB commands (0 to 255): • command—SMB command value. ...
  • Page 417 (Optional) Enables searching for the Type field of an MS RPC packet (0 to 255): • type—Type Field of MSRPC packet. 0 = Request; 2 = Response; 11 = Bind; 12 = Bind Ack ...
  • Page 418: Service.snmp Engine

    Inspects for brute force attempts (0 to 65535): • brute-force-count—The number of unique SNMP community names that constitute a brute force attempt. invalid-packet-inspection: Inspects for SNMP protocol violations. ...
  • Page 419: Service.ssh Engine

    State machines are used to describe a specific event that causes an output or alarm. ...
  • Page 420 Appendix B Signature Engines STATE Engine There are three state machines in the STATE engine: SMTP, Cisco Login, and LPR Format String. Table B-24 lists the parameters specific to the STATE engine. Table B-24 STATE Engine Parameters: state-machine: State machine grouping.
  • Page 421: String Engines

    • Traffic from service port destined to client port. • Traffic from client port destined to service port. icmp-type: ICMP header TYPE value (0 to 18, a-b[,c-d]). ...
  • Page 422: String.tcp Engine Parameters

    1. The second number in the range must be greater than or equal to the first number. 2. This parameter is primarily used as an IPS anti-evasion tool. ...
  • Page 423: String-Udp Engine Parameters

    More realistic values for unique range between 5 and 15. TCP sweeps must have a TCP flag and mask specified to determine the sweep inspector slot in which to count the distinct connections. ...
  • Page 424 • Attacker address and victim port. suppress-reverse: Does not fire when a sweep has fired in the reverse direction on this address set (true | false). ...
  • Page 425: Traffic Icmp Engine

    Whether this signature has configurable parameters (yes | no). inspection-type: Type of inspection to perform: • is-loki—Inspects for original LOKI traffic. • is-mod-loki—Inspects for modified LOKI traffic. ...
  • Page 426: Trojan Engines

    The UDP modes of BO and BO2K are handled by the TROJAN.UDP engine. The TCP modes are handled by the TROJAN.BO2K engine. There are no specific parameters to the TROJAN engines, except for swap-attacker-victim in the TROJAN.UDP engine. ...
  • Page 427: Appendix

    • Create a service account. A service account is needed for password recovery and other special debug situations directed by TAC. For the procedure, see Creating the Service Account, page 4-13. ...
  • Page 428 For the procedures for appliances and modules, see Chapter 17, “Upgrading, Downgrading, and Installing System Images.” Log in to the sensor with the default user ID and password—cisco. ...
  • Page 429: Password Recovery

    Before troubleshooting the appliance, check the Caveats section of the Readme for the software version you have installed on your sensor to see if you are dealing with a known issue. ...
  • Page 430: Communication Problems

    Link Speed = Auto_1000 Link Duplex = Auto_Full Total Packets Received = 0 Total Bytes Received = 0 Total Multicast Packets Received = 0 Total Broadcast Packets Received = 0 ...
  • Page 431 Step 4 Make sure the management port is connected to an active network connection. If the management port is not connected to an active network connection, the management interface will not come up. ...
  • Page 432: Misconfigured Access List

    Step 3 Verify that the client IP address is listed in the allowed networks. If it is not, add it: sensor# configure terminal sensor(config)# service host sensor(config-hos)# network-settings sensor(config-hos-net)# access-list 171.69.70.0/24 ...
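    Checking "is the client in the allowed networks" by eye is error-prone once the list has several entries, and the opposite mistake (an access-list 0.0.0.0/0 that lets any host reach the management interface, as in the sample configuration later in this appendix) is easy to miss. The following added example, not code from the guide, does both checks with the standard ipaddress module and emits the CLI lines from the step above for a missing /24. The sample entries are constructed; the "exit" lines and the /24 default are assumptions about how you would finish the procedure.

```python
"""Added example (not from the Cisco IPS guide): evaluate a sensor access-list
against a client address and flag overly permissive entries. Sample entries are
constructed; the trailing exit lines are an assumption about finishing the edit.
"""
import ipaddress
from typing import Iterable, List


def parse_access_list(entries: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Turn sensor access-list entries ('a.b.c.d/n' or a bare host) into networks."""
    nets = []
    for entry in entries:
        entry = entry.strip()
        if not entry:
            continue
        if "/" not in entry:          # bare host entry means a single address
            entry += "/32"
        nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def client_allowed(client_ip: str, entries: Iterable[str]) -> bool:
    """True if any access-list entry covers the client address."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in parse_access_list(entries))


def overly_permissive(entries: Iterable[str], max_prefixlen: int = 8) -> List[str]:
    """Entries wider than /max_prefixlen, e.g. 0.0.0.0/0, which admit any host."""
    return [str(net) for net in parse_access_list(entries) if net.prefixlen < max_prefixlen]


def commands_to_allow(client_ip: str, entries: Iterable[str], prefixlen: int = 24) -> List[str]:
    """The CLI lines from the procedure above, for the client's /prefixlen, if it is missing."""
    if client_allowed(client_ip, entries):
        return []
    net = ipaddress.ip_network(f"{client_ip}/{prefixlen}", strict=False)
    return [
        "configure terminal",
        "service host",
        "network-settings",
        f"access-list {net}",
        "exit",  # leave network-settings (assumed)
        "exit",  # leave service host; the CLI then asks whether to apply the change
    ]


if __name__ == "__main__":
    acl = ["171.69.70.0/24", "10.0.0.0/8"]
    print(client_allowed("171.69.70.23", acl), client_allowed("192.0.2.7", acl))
    print("\n".join(commands_to_allow("192.0.2.7", acl)))
    print(overly_permissive(["0.0.0.0/0"] + acl))
```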
  • Page 433: Duplicate Ip Address Shuts Interface Down

    Total Jumbo Packets Received = 0 Total Undersize Packets Received = 0 Total Receive Errors = 0 Total Receive FIFO Overruns = 0 Total Packets Transmitted = 0 ...
  • Page 434: Sensorapp And Alerting

    The sensing process, SensorApp, should always be running. If it is not, you do not receive any alerts. SensorApp is part of AnalysisEngine, so you must make sure the AnalysisEngine is running. ...
  • Page 435 Step 4 Make sure you have the latest software updates: sensor# show version Upgrade History: IDS-K9-maj-5.0-1- 14:16:00 UTC Thu Mar 04 2004 Recovery Partition Version 1.1 - 5.0(1)S149 ...
  • Page 436: Physical Connectivity, Span, Or Vacl Port Issue

    Appendix C Troubleshooting Troubleshooting the 4200 Series Appliance If you do not have the latest software updates, download them from Cisco.com. For the procedure, see Obtaining Cisco IPS Software, page 18-1. Step 5 Read the Readme that accompanies the software upgrade for any known DDTS for SensorApp or AnalysisEngine.
  • Page 437: Unable To See Alerts

    Step 3 Make sure the sensing port is connected properly on the appliance. See the chapter on your appliance in Installing Cisco Intrusion Prevention System Appliances and Modules 5.0. Make sure the sensing port is connected to the correct SPAN or VACL capture port on IDSM-2.
  • Page 438 Number of Summary Intermediate Alerts, Number of Regular Summary Final Alerts, Number of Global Summary Final Alerts, Number of Alerts Output for further processing = 0 alertDetails: Traffic Source: int0 ; ...
  • Page 439: Sensor Not Seeing Packets

    If the interfaces are not up, do the following: Step 3 Check the cabling. Refer to the chapter in Installing Cisco Intrusion Prevention System Appliances and Modules 5.0 that pertains to your sensor for information on installing the sensor properly. Enable the interface.
  • Page 440: Cleaning Up A Corrupted Sensorapp Configuration

    Step 4 cp /usr/cids/idsRoot/etc/defVirtualSensorConfig.xml /usr/cids/idsRoot/etc/VS-Config/virtualSensor.xml Step 5 Remove the cache files: rm /usr/cids/idsRoot/var/virtualSensor/*.pmz Step 6 Exit the service account. Step 7 Log in to the sensor CLI. ...
  • Page 441: Bad Memory On Ids-4250-Xl

    Verifying Network Access Controller is Running, page C-16. Verify that Network Access Controller is connecting to the network devices. For the procedure see Verifying Network Access Controller Connections are Active, page C-17. ...
  • Page 442: Verifying Network Access Controller Is Running

    12:53:00 UTC Fri Mar 18 2005 Recovery Partition Version 1.1 - 5.0(1.1) sensor# Step 3 If MainApp displays Not Running, Network Access Controller has failed. Contact the TAC. ...
  • Page 443: Verifying Network Access Controller Connections Are Active

    Upgrade History: IDS-K9-maj-5.0-1- 14:16:00 UTC Thu Mar 04 2004 Recovery Partition Version 1.1 - 5.0(1)S149 If you do not have the latest software updates, download them from Cisco.com. For the procedure, see Obtaining Cisco IPS Software, page 18-1. Step 5 Read the Readme that accompanies the software upgrade for any known DDTS for Network Access Controller.
  • Page 444: Device Access Issues

    (min: 0, max: 250, current: 0) block-networks (min: 0, max: 250, current: 0) user-profiles (min: 0, max: 250, current: 1) profile-name: r7200 ...
  • Page 445: Verifying The Interfaces And Directions On The Network Device

    ACL. Note: You can also perform a manual block from IDM by clicking Monitoring > Active Host Blocks. ...
  • Page 446: Enabling Ssh Connections To The Network Device

    Step 1 Enter configuration mode: sensor# configure terminal Step 2 Enable SSH: sensor(config)# ssh host blocking_device_ip_address Step 3 Type yes when prompted to accept the device. Step 4 ...
  • Page 447: Blocking Not Occurring For A Signature

    Step 4 Exit signature definition submode: sensor(config-sig-sig-nor)# exit sensor(config-sig-sig)# exit sensor(config-sig)# exit Apply Changes:?[yes]: Step 5 Press Enter to apply the changes or type no to discard them. ...
  • Page 448: Verifying The Master Blocking Sensor Configuration

    Step 6 Verify that the block shows up in the Network Access Controller’s statistics: sensor# show statistics network-access Current Configuration AllowSensorShun = false ShunMaxEntries = 100 State ShunEnable = true ShunnedAddr Host IP = 10.16.0.0 ShunMinutes = ...
  • Page 449: Logging

    Step 1 Log in to the service account. Step 2 Edit the log.conf file to increase the size of the log to accommodate the additional log statements: vi /usr/cids/idsRoot/etc/log.conf ...
  • Page 450 <defaulted> <protected entry> zone-name: Cid severity: debug <defaulted> <protected entry> zone-name: Cli severity: warning <defaulted> <protected entry> zone-name: IdapiCtlTrans severity: warning <defaulted> <protected entry> zone-name: IdsEventStore ...
  • Page 451 <defaulted> <protected entry> zone-name: IdapiCtlTrans severity: warning <defaulted> <protected entry> zone-name: IdsEventStore severity: error default: warning <protected entry> zone-name: MpInstaller severity: warning <defaulted> <protected entry> zone-name: cmgr ...
  • Page 452 MpInstaller severity: warning <defaulted> <protected entry> zone-name: cmgr severity: warning <defaulted> <protected entry> zone-name: cplane severity: warning <defaulted> <protected entry> zone-name: csi severity: warning <defaulted> <protected entry> ...
  • Page 453: Zone Names

    1. The Card Manager service is used on AIP-SSM to exchange control and state information between modules in the chassis. 2. The Control Plane is the transport communications layer used by Card Manager on AIP-SSM. ...
  • Page 454: Directing Cidlog Messages To Syslog

    The syslog output is sent to the syslog facility local6 with the following correspondence to syslog message priorities: LOG_DEBUG = debug, LOG_INFO = timing, LOG_WARNING = warning, LOG_ERR = error, LOG_CRIT = fatal. Note: Make sure that your /etc/syslog.conf has that facility enabled at the proper priority. ...
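    The mapping above determines which cidLog messages survive a syslog.conf selector such as local6.warning, and the numeric PRI that a collector sees on each line. The following added example, not code from the guide, applies the page's severity correspondence and the classic syslog rule (facility * 8 + priority for PRI; a selector admits its priority and anything more severe) to a few constructed messages. The cidLog[zone] line layout and the timestamp are assumptions; only the facility and severity mapping come from the guide.

```python
"""Added example (not from the Cisco IPS guide): the cidLog-to-syslog severity
mapping from the guide, the PRI value a collector would see, and which messages
a syslog.conf selector keeps. Line layout and timestamp are assumptions.
"""
from typing import Iterable, List, Tuple

# Guide: LOG_DEBUG=debug, LOG_INFO=timing, LOG_WARNING=warning, LOG_ERR=error, LOG_CRIT=fatal
CIDLOG_TO_SYSLOG = {"debug": 7, "timing": 6, "warning": 4, "error": 3, "fatal": 2}
FACILITIES = {f"local{i}": 16 + i for i in range(8)}          # local6 = 22
PRIORITY_NAMES = {"debug": 7, "info": 6, "notice": 5, "warning": 4,
                  "err": 3, "crit": 2, "alert": 1, "emerg": 0}


def syslog_pri(severity: str, facility: str = "local6") -> int:
    """PRI as encoded in the message header: facility * 8 + priority."""
    return FACILITIES[facility] * 8 + CIDLOG_TO_SYSLOG[severity]


def format_message(zone: str, severity: str, text: str,
                   host: str = "sensor", timestamp: str = "Mar 18 12:53:00") -> str:
    """A syslog line as a local6 consumer would receive it (layout assumed)."""
    return f"<{syslog_pri(severity)}>{timestamp} {host} cidLog[{zone}]: {text}"


def parse_selector(selector: str) -> Tuple[int, int]:
    """'local6.warning' -> (22, 4)."""
    facility, priority = selector.split(".")
    return FACILITIES[facility], PRIORITY_NAMES[priority]


def selector_accepts(selector: str, severity: str, facility: str = "local6") -> bool:
    """Classic syslog.conf semantics: the named priority and anything more severe."""
    sel_facility, sel_priority = parse_selector(selector)
    return sel_facility == FACILITIES[facility] and CIDLOG_TO_SYSLOG[severity] <= sel_priority


def filter_messages(selector: str, messages: Iterable[Tuple[str, str, str]]) -> List[str]:
    """Return the formatted lines that a selector would actually write."""
    return [format_message(zone, sev, text) for zone, sev, text in messages
            if selector_accepts(selector, sev)]


# Constructed sample messages: (zone, cidLog severity, text)
SAMPLE = [
    ("Cid", "debug", "periodic state dump"),
    ("Cli", "warning", "login failure for user cisco"),
    ("IdsEventStore", "error", "event store write failed"),
    ("nac", "fatal", "Network Access Controller not running"),
]

if __name__ == "__main__":
    for line in filter_messages("local6.warning", SAMPLE):
        print(line)
```

    A selector of local6.debug is needed to capture the debug zones you turn on in log.conf; with local6.warning, the extra debug output goes only to main.log.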
  • Page 455: Verifying The Sensor Is Synchronized With The Ntp Server

    To troubleshoot a reset not occurring for a specific signature, follow these steps: Step 1 Log in to the CLI. Step 2 Make sure the event action is set to TCP reset: sensor# configure terminal ...
  • Page 456 Step 7 Make sure the resets are being sent: root# ./tcpdump -i eth0 src host 172.16.171.19 tcpdump: WARNING: eth0: no IPv4 address assigned tcpdump: listening on eth0 ...
  • Page 457: Software Upgrades

    • Signature updates require the minimum version listed in the filename. • Service packs require the correct minor version. • Minor versions require the correct major version. • Major versions require the previous major version. ...
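    The four prerequisite rules above decide whether an upgrade will even be accepted, and checking them before a maintenance window avoids a failed upgrade at the worst moment. The following added example, not code from the guide, encodes exactly those rules against a sensor running a version such as 5.0(1)S149. Package and version fields are given as structured values rather than parsed from filenames, because this page does not spell out the filename formats; the field names and the package kinds sig/sp/min/maj are assumptions.

```python
"""Added example (not from the Cisco IPS guide): the upgrade prerequisite rules
from the guide applied to a sensor's installed version. Field names and the
package kind labels are assumptions; the rules themselves are the guide's.
"""
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Installed:
    major: int
    minor: int
    sp: int    # service pack, the "(1)" in 5.0(1)
    sig: int   # signature level, the "S149" in 5.0(1)S149


@dataclass(frozen=True)
class Package:
    kind: str  # "sig", "sp", "min" or "maj" (assumed labels)
    major: int
    minor: int
    sp: int = 1
    sig: int = 0  # for "sig" packages, major/minor/sp is the minimum required version


def fmt(v: Tuple[int, int, int]) -> str:
    return f"{v[0]}.{v[1]}({v[2]})"


def can_install(installed: Installed, pkg: Package) -> Tuple[bool, str]:
    """Apply the four rules; return (allowed, reason)."""
    have = (installed.major, installed.minor, installed.sp)
    if pkg.kind == "sig":
        # Rule 1: signature updates need the minimum version named in the package.
        need = (pkg.major, pkg.minor, pkg.sp)
        if have < need:
            return False, f"signature update needs at least {fmt(need)}, sensor runs {fmt(have)}"
        return True, "ok"
    if pkg.kind == "sp":
        # Rule 2: a service pack must match the installed major.minor.
        if (installed.major, installed.minor) != (pkg.major, pkg.minor):
            return False, f"service pack is for {pkg.major}.{pkg.minor}, sensor runs {installed.major}.{installed.minor}"
        return True, "ok"
    if pkg.kind == "min":
        # Rule 3: a minor version must match the installed major.
        if installed.major != pkg.major:
            return False, f"minor release {pkg.major}.{pkg.minor} needs major {pkg.major}, sensor runs {installed.major}"
        return True, "ok"
    if pkg.kind == "maj":
        # Rule 4: a major version requires the previous major to be installed.
        if installed.major != pkg.major - 1:
            return False, f"major release {pkg.major} needs {pkg.major - 1}.x installed, sensor runs {installed.major}.x"
        return True, "ok"
    raise ValueError(f"unknown package kind {pkg.kind!r}")


if __name__ == "__main__":
    sensor = Installed(5, 0, 1, 149)  # 5.0(1)S149, as in the show version output above
    for pkg in (Package("sig", 5, 0, 1, 156), Package("sp", 5, 0, 2),
                Package("min", 5, 1, 1), Package("maj", 6, 0, 1), Package("maj", 7, 0, 1)):
        print(pkg.kind, pkg.major, pkg.minor, can_install(sensor, pkg))
```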
  • Page 458: Issues With Automatic Update

    • If you modify the FTP prompts to give security warnings, for example, this causes a problem, because the sensor is expecting a hard-coded list of responses. Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0 C-32 78-16527-01...
  • Page 459: Updating A Sensor With The Update Stored On The Sensor

    Store the sensor’s host key: Step 7 sensor# configure terminal sensor(config)# service ssh sensor(config-ssh)# rsa1-keys sensor_ip_address Upgrade the sensor: Step 8 sensor(config)# upgrade scp://service@ ensor_ip_address/upgrade/ips_package_file_name Enter password: ***** Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0 C-33 78-16527-01...
  • Page 460: Unix-Style Directory Listings

    You must change the memory settings of Java Plug-in before using IDM and ASDM. The mandatory minimum memory size is 256 MB. This section contains the following topics: Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0 C-34 78-16527-01...
  • Page 461: Java Plug-In On Windows

    Java 2 SDK is installed at /usr/j2se, the full path is /usr/j2se/jre/bin/ControlPanel. In a Java 2 Runtime Environment installation, the file is located at <JRE installation Note directory>/bin/ControlPanel. Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0 C-35 78-16527-01...
  • Page 462: Cannot Launch Idm - Loading Java Applet Failed

    Under Java Runtime Environment, select JRE 1.3.x from the drop-down menu. Click the Cache tab. Click the Browser tab. Deselect all browser check boxes. Click Clear Cache. Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0 C-36 78-16527-01...
  • Page 463: Cannot Launch Idm -Analysis Engine Busy

    10.89.130.108/23,10.89.130.1 host-name sensor telnet-option enabled access-list 0.0.0.0/0 ftp-timeout 300 no login-banner-text exit time-zone-settings offset 0 standard-time-zone-name UTC exit summertime-option disabled ntp-option disabled exit Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0 C-37 78-16527-01...
  • Page 464: Signatures Not Producing Alerts

    Cannot Communicate With IDSM-2 Command and Control Port, page C-42 • Using the TCP Reset Interface, page C-44 Connecting a Serial Cable to IDSM-2, page C-44 • Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0 C-38 78-16527-01...
  • Page 465 The following switch commands help you troubleshoot IDSM-2: show module (Cisco Catalyst Software and Cisco IOS Software) • show version (Cisco Catalyst Software and Cisco IOS Software) • • show port (Cisco Catalyst Software) Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0 C-39 78-16527-01...
  • Page 466: Status Led Off

    00-e0-b0-ff-3b-80 to 00-e0-b0-ff-3b-87 0.102 7.2(0.67) 5.0(0.30) Mod Sub-Type Sub-Model Sub-Serial Sub-Hw Sub-Sw --- ----------------------- ------------------- ----------- ------ ------ L3 Switching Engine WS-F6K-PFC SAD041303G6 1.1 IDS 2 accelerator board WS-SVC-IDSUPG Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0 C-40 78-16527-01...
  • Page 467 Allow up to 5 minutes for IDSM-2 to come online. Step 3 If the status does not read , turn the module on: router# set module power up module_number
  • Page 468: Status LED On But IDSM-2 Does Not Come Online

    Step 4 Make sure the command and control port is in the correct VLAN. For Catalyst software:
    cat6k> (enable) show port 6/8
    * = Configured MAC Address
    # = 802.1X Authenticated Port Name.
  • Page 469 If the command and control port is not in the correct VLAN, put it in the correct VLAN. For the procedure, refer to Configuring the Catalyst 6500 Series Switch for Command and Control Access to IDSM-2, page 15-4.
  • Page 470: Using the TCP Reset Interface

    Getting details from the Service Module, please wait...
    ASA 5500 Series Security Services Module-20
    Model: AIP-SSM-20
    Hardware version:
    Serial Number: P2B000005D0
    Firmware version: 1.0(10)0
    Software version: 5.1(0.1)S153.0
    Status:
  • Page 471 The module in slot 1 will be recovered. This may erase all configuration and all data on that device and attempt to download a new image for it.
  • Page 472: Gathering Information

    Slot-1 157> TFTP failure: Packet verify failed after 20 retries
    Slot-1 158> Rebooting due to Autoboot error ...
    Slot-1 159> Rebooting..
    Slot-1 160> Cisco Systems ROMMON Version (1.0(10)0) #0: Fri Mar 25 23:02:10 PST 2005
    Slot-1 161> Platform AIP-SSM-10
    Slot-1 162> GigabitEthernet0/0
    Slot-1 163>...
  • Page 473: Overview

    To display tech support information, follow these steps: Step 1 Log in to the CLI using an account with administrator privileges. Step 2 View the output on the screen: sensor# show tech-support page
  • Page 474
    Total Packets Received = 0
    Total Bytes Received = 0
    Total Multicast Packets Received = 0
    Total Broadcast Packets Received = 0
    Total Jumbo Packets Received = 0
  • Page 475
    Linux version 2.4.26-IDS-smp-bigphys (csailer@mcq) (gcc version 2.96 20000731 (Red Hat Linux 7.3 2.96-112)) #2 SMP Fri Mar 4 04:11:31 CST 2005
    03:33:54 up 21 days, 23:15, 3 users, load average: 0.96, 0.86, 0.78
    --MORE--
  • Page 476
    36.3M out of 166.8M bytes of available disk space (23% usage)
    boot is using 39.4M out of 68.6M bytes of available disk space (61% usage)
  • Page 477
    sensor# more current-config
    ! ------------------------------
    ! Version 5.0(0.26)
    ! Current configuration last modified Wed Feb 16 03:20:54 2005
    ! ------------------------------
    display-serial
    ! ------------------------------
    service analysis-engine
    exit
  • Page 478
    • Event Store
    • Host
    • Logger
    • Network Access
    • Notification
    • SDEE Server
    • Transaction Server
    • Transaction Source
    • Virtual Sensor
    • Web Server
  • Page 479
    UDP nodes keyed on both IP addresses and both ports = 0
    IP nodes keyed on both IP addresses = 0
    The number of each type of node inserted since reset
    Total nodes inserted = 28
  • Page 480
    Number of FireOnce Intermediate Alerts = 480
    Number of Summary First Alerts
    Number of Summary Intermediate Alerts
    Number of Regular Summary Final Alerts
    Number of Global Summary Final Alerts
  • Page 481
    Number of Alerts where deny-connection was forced for deny-packet action = 0
    Number of Alerts where deny-packet was forced for non-TCP deny-connection action
    Per-Signature SigEvent count since reset
    Sig 2004 = 5
  • Page 482
    Denied Attackers and hit count for each.
    sensor#
    Step 6 Display the statistics for the event server:
    sensor# show statistics event-server
    General
    openSubscriptions = 0
    blockedSubscriptions = 0
    Subscriptions
    sensor#
  • Page 483
    Memory Statistics
    Memory usage (bytes) = 500498432
    Memory free (bytes) = 894976032
    Auto Update Statistics
    lastDirectoryReadAttempt = N/A
    lastDownloadAttempt = N/A
    lastInstallAttempt = N/A
    nextAttempt = N/A
    sensor#
  • Page 484
    InterfacePostBlock = Post_Acl_Test
    BlockInterface
    InterfaceName = ethernet0/1
    InterfaceDirection = in
    InterfacePreBlock = Pre_Acl_Test
    InterfacePostBlock = Post_Acl_Test
    NetDevice
    Type = CAT6000_VACL
    IP = 10.89.150.138
    NATAddr = 0.0.0.0
    Communications = telnet
  • Page 485
    Mask = 255.255.0.0
    BlockMinutes =
    sensor#
    Step 11 Display the statistics for the notification application:
    sensor# show statistics notification
    General
    Number of SNMP set requests = 0
  • Page 486
    Error Severity = 14
    Warning Severity = 1
    Timing Severity = 0
    Debug Severity = 0
    Unknown Severity = 28
    TOTAL = 43
    The statistics were retrieved and cleared.
  • Page 487 The following example shows the output from the show interfaces command:
    sensor# show interfaces
    Interface Statistics
    Total Packets Received = 0
    Total Bytes Received = 0
    Missed Packet Percentage = 0
    Current Bypass Mode = Auto_off
  • Page 488 This section describes the show events command, and contains these topics:
    • Sensor Events, page C-63
    • Overview, page C-63
    • Displaying Events, page C-63
    • Clearing Events, page C-66
  • Page 489 If no level is selected (informational, low, medium, or high), all alert events are displayed.
    • include-traits—Displays alerts that have the specified traits.
    • exclude-traits—Does not display alerts that have the specified traits.
  • Page 490
    Sensor1
    appName: NetworkAccessControllerApp
    appInstance: 654
    time: 2005/02/09 10:33:31 2004/08/09 13:13:31
    shunInfo:
    host: connectionShun=false
    srcAddr: 11.0.0.1
    destAddr:
    srcPort:
    destPort:
    protocol: numericType=0 other
    timeoutMinutes: 40
  • Page 491
    2003/01/08 02:41:00 2003/01/08 02:41:00 UTC
    controlTransaction: command=getVersion successful=true
    description: Control transaction response.
    requestor:
    user: cids
    application:
    hostId: 64.101.182.101
    appName: -cidcli
    appInstanceId: 2316
    evStatus: eventId=1041526834774829056 vendor=Cisco
    originator:
    hostId: sensor
  • Page 492 Send the resulting HTML file to TAC or the IPS developers in case of a problem. For the procedure, see Uploading and Accessing Files on the Cisco FTP Site, page C-67.
  • Page 493 You can upload large files, for example, cidDump.html, the show tech-support command output, and cores, to the ftp-sj server. To upload and access files on the Cisco FTP site, follow these steps: Step 1 Log in to ftp-sj.cisco.com as anonymous. Change to the /incoming directory.
  • Page 495 alert: Specifically, an IPS event type; it is written to the Event Store as an evidsAlert. In general, an alert is an IPS message that indicates a network exploit in progress or a potential security problem occurrence. Also known as an alarm.
  • Page 496 Typically, APIs make it easier for software developers to create links that an application needs to communicate with the operating system or with the network.
    application: Any program (process) designed to run in the Cisco IPS environment.
    application instance: A specific application running on a specific piece of hardware in the IPS environment. An application instance is addressable by its name and the IP address of its host computer.
  • Page 497 CIDEE: Cisco Intrusion Detection Event Exchange. Specifies the extensions to SDEE that are used by Cisco IPS systems. The CIDEE standard specifies all possible extensions that may be supported by Cisco IPS systems.
    CIDS header: The header that is attached to each packet in the IPS system. It contains packet classification, packet length, checksum results, timestamp, and the receive interface.
  • Page 498 destination address: Address of a network device that is receiving data.
    Deny Filters Processor. Handles the deny attacker functions. It maintains a list of denied source IP addresses.
    DIMM: Dual In-line Memory Modules.
  • Page 499 evIdsAlert: The XML entity written to the Event Store that represents an alert.
    false negative: A signature is not fired when offending traffic is detected.
    false positive: Normal traffic or a benign action causes a signature to fire.
  • Page 500 GMT: Greenwich Mean Time. Time zone at zero degrees longitude. Now called Coordinated Universal Time (UTC).
    H.225.0: An ITU standard that governs H.225.0 session establishment and packetization. H.225.0 actually describes several different protocols: RAS, use of Q.931, and use of RTP.
  • Page 501 IPS data or message: Describes the messages transferred over the command and control interface between IPS applications.
    IDSM-2: Intrusion Detection System Module. A switching module that performs intrusion detection in the Catalyst 6500 series switch.
  • Page 502 LOKI: Remote access, back door Trojan, ICMP tunneling software. When the computer is infected, the malicious code creates an ICMP tunnel that can be used to send small payload ICMP replies
  • Page 503 Hash Algorithm (SHA) are variations on MD4 and strengthen the security of the MD4 hashing algorithm. Cisco uses hashes for authentication within the IPSec framework. Also used for message authentication in SNMP v.2. MD5 verifies the integrity of the communication, authenticates the origin, and checks for timeliness.
  • Page 504 Feature that permits you to add, replace, or remove cards without interrupting the system power, entering console commands, or causing other software or interfaces to shutdown.
  • Page 505 OSI term for packet. See also BPDU and packet.
    PEP: Cisco Product Evolution Program. PEP is the UDI information that consists of the PID, the VID, and the SN of your sensor. PEP provides hardware version and serial number visibility through electronic query, product labels, and shipping items.
  • Page 506 RR: Risk Rating. An RR is a value between 0 and 100 that represents a numerical quantification of the risk associated with a particular event on the network.
  • Page 507 Signature Analysis Processor. Dispatches packets to the inspectors that are not stream-based and that are configured for interest in the packet in process.
    SCEP: Simple Certificate Enrollment Protocol. The Cisco Systems PKI communication protocol that leverages existing technology by using PKCS#7 and PKCS#10. SCEP is the evolution of the enrollment protocol.
  • Page 508 SMB: Server Message Block. File-system protocol used in LAN manager and similar NOSs to package data and exchange information with other systems.
    SN: Serial Number. Part of the UDI. The SN is the serial number of your Cisco product.
    SERVICE engine: Deals with specific protocols, such as DNS, FTP, H225, HTTP, IDENT, MS RPC, MS SQL, NTP, RPC, SMB, SNMP, and SSH.
  • Page 509 surface mounting: Refers to attaching rubber feet to the bottom of a sensor when it is installed on a flat surface. The rubber feet allow proper airflow around the sensor and they also absorb vibration so that the hard-disk drive is less impacted.
  • Page 510 IDS-4250-TX appliance when the XL card is not present. On the IDSM-2 the TCP reset interface is designated as port 1 with Catalyst software, and is not visible to the user in Cisco IOS software. The TCP reset action is only appropriate as an action selection on those signatures that are associated with a TCP-based service.
  • Page 511 tune: Adjusting signature parameters to modify an existing signature.
    UDI: Unique Device Identifier. Provides a unique identity for every Cisco product. The UDI is composed of the PID, VID, and SN. The UDI is stored in the Cisco IPS ID PROM.
  • Page 512 IP level.
    vulnerability: One or more attributes of a computer or a network that permit a subject to initiate patterns of misuse on that computer or network.
  • Page 513 X.509: Standard that defines information contained in a certificate.
    XML: eXtensible Markup Language. Textual file format used for data interchange between heterogeneous hosts.