Page 409
Appendix E Troubleshooting
Gathering Information
The following options apply:
• alert—Displays alerts. Provides notification of some suspicious activity that may indicate an attack is in progress or has been attempted. Alert events are generated by the Analysis Engine whenever a signature is triggered by network activity. If no level is selected (informational, low, medium, or high), all alert events are displayed.
• include-traits—Displays alerts that have the specified traits.
• exclude-traits—Does not display alerts that have the specified traits.
• traits—Specifies the trait bit position in decimal (0 to 15).
• min-threat-rating—Displays events with a threat rating above or equal to this value. The default is 0. The valid range is 0 to 100.
• max-threat-rating—Displays events with a threat rating below or equal to this value. The default is 100. The valid range is 0 to 100.
• error—Displays error events. Error events are generated by services when error conditions are encountered. If no level is selected (warning, error, or fatal), all error events are displayed.
• NAC—Displays the ARC (block) requests.
Note: The ARC was formerly known as NAC. This name change has not been completely implemented throughout the IDM, the IME, and the CLI for Cisco IPS 7.1.
• status—Displays status events.
• past—Displays events starting in the past for the specified hours, minutes, and seconds.
• hh:mm:ss—Specifies the hours, minutes, and seconds in the past to begin the display.
Note: The show events command continues to display events until a specified event is available. To exit, press Ctrl-C.
Displaying Events
To display events from the Event Store, follow these steps:
Step 1 Log in to the CLI.
Step 2 Display all events starting now. The feed continues showing all events until you press Ctrl-C.
sensor# show events
evError: eventId=1041472274774840147 severity=warning vendor=Cisco
  originator:
    hostId: sensor2
    appName: cidwebserver
    appInstanceId: 12075
  time: 2011/01/07 04:41:45 2011/01/07 04:41:45 UTC
  errorMessage: name=errWarning received fatal alert: certificate_unknown
evError: eventId=1041472274774840148 severity=error vendor=Cisco
  originator:
    hostId: sensor2
    appName: cidwebserver
    appInstanceId: 351
  time: 2011/01/07 04:41:45 2011/01/07 04:41:45 UTC
  errorMessage: name=errTransport WebSession::sessionTask(6) TLS connection exception: handshake incomplete.
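An added example, not part of the Cisco guide: a Python parser for saved show events error records in the layout shown in Step 2, with an offline filter that mirrors the error level and past hh:mm:ss options described above. The function names (parse_events, select, count_by_source) are hypothetical, and reading the last timestamp on the time: line as the UTC value is an assumption based on the sample output.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: the two evError records from Step 2, as captured text.
SAMPLE = """\
sensor# show events
evError: eventId=1041472274774840147 severity=warning vendor=Cisco
  originator:
    hostId: sensor2
    appName: cidwebserver
    appInstanceId: 12075
  time: 2011/01/07 04:41:45 2011/01/07 04:41:45 UTC
  errorMessage: name=errWarning received fatal alert: certificate_unknown
evError: eventId=1041472274774840148 severity=error vendor=Cisco
  originator:
    hostId: sensor2
    appName: cidwebserver
    appInstanceId: 351
  time: 2011/01/07 04:41:45 2011/01/07 04:41:45 UTC
  errorMessage: name=errTransport WebSession::sessionTask(6) TLS connection exception: handshake incomplete.
"""

HEADER = re.compile(r"^(ev[A-Za-z]+):\s*(.*)$")   # record header, e.g. "evError: ..."
ATTR = re.compile(r"(\w+)=(\S+)")                 # eventId=..., severity=..., vendor=...
FIELD = re.compile(r"^(\w+):\s*(.*)$")            # "hostId: sensor2"
STAMP = re.compile(r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}")
ERRMSG = re.compile(r"name=(\S+)\s*(.*)")


def parse_events(text):
    """Turn captured `show events` text into one dict per event record."""
    events, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()            # tolerate indented and flattened layouts
        head = HEADER.match(line)
        if head:
            cur = {"type": head.group(1), **dict(ATTR.findall(head.group(2)))}
            events.append(cur)
            continue
        field = FIELD.match(line)
        if cur is None or not field:
            continue                  # prompt lines, blanks, anything unrecognised
        key, value = field.groups()
        if key == "time":
            stamps = STAMP.findall(value)
            if stamps:                # assumption: the last stamp is the UTC one
                cur["time"] = datetime.strptime(stamps[-1], "%Y/%m/%d %H:%M:%S")
        elif key == "errorMessage":
            msg = ERRMSG.match(value)
            cur["errorName"], cur["errorMessage"] = msg.groups() if msg else ("", value)
        elif value:                   # "originator:" has no value of its own
            cur[key] = value
    return events


def select(events, levels=None, past=None, now=None):
    """Offline equivalent of a level filter plus `past hh:mm:ss`.

    levels=None keeps every severity, matching the CLI when no level is given.
    """
    start = None
    if past:
        h, m, s = (int(p) for p in past.split(":"))
        now = now or datetime.now(timezone.utc).replace(tzinfo=None)
        start = now - timedelta(hours=h, minutes=m, seconds=s)
    kept = []
    for ev in events:
        if levels and ev.get("severity") not in levels:
            continue
        if start and "time" in ev and ev["time"] < start:
            continue
        kept.append(ev)
    return kept


def count_by_source(events):
    """Count records per (appName, errorName) to spot a repeating failure."""
    return Counter((ev.get("appName"), ev.get("errorName")) for ev in events)


if __name__ == "__main__":
    for ev in select(parse_events(SAMPLE), levels={"error", "fatal"}):
        print(ev["eventId"], ev["appName"], ev["errorName"], ev["errorMessage"])
```
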
Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1 | OL-24002-01 | E-103