Chapter 1 Introducing the Sensor
IPS Appliances
Introducing the IPS Appliance
Note: The currently supported Cisco IPS appliances are the IPS 4240, IPS 4255, and IPS 4260 [IPS 7.0(x) and later and IPS 7.1(5) and later], IPS 4270-20 [IPS 7.1(3) and later], IPS 4345 and IPS 4360 [IPS 7.1(3) and later], and IPS 4510 and IPS 4520 [IPS 7.1(4) and later].
The IPS appliance is a high-performance, plug-and-play device. The appliance is a component of the IPS, a network-based, real-time intrusion prevention system. You can use the IPS CLI, IDM, IME, ASDM, or CSM to configure the appliance. For a list of IPS documents and how to access them, refer to Documentation Roadmap for Cisco Intrusion Prevention System 7.1.
You can configure the appliance to respond to recognized signatures as it captures and analyzes network traffic. These responses include logging the event, forwarding the event to the manager, performing a TCP reset, generating an IP log, capturing the alert trigger packet, and reconfiguring a router. The appliance offers significant protection to your network by helping to detect, classify, and stop threats including worms, spyware and adware, network viruses, and application abuse.
After being installed at key points in the network, the appliance monitors and performs real-time analysis of network traffic by looking for anomalies and misuse based on an extensive, embedded signature library. When the system detects unauthorized activity, appliances can terminate the specific connection, permanently block the attacking host, log the incident, and send an alert to the manager. Other legitimate connections continue to operate independently without interruption.
Appliances are optimized for specific data rates and are packaged in Ethernet, Fast Ethernet, and Gigabit Ethernet configurations. In switched environments, appliances must be connected to the SPAN port or VACL capture port of the switch.
The Cisco IPS appliances provide the following:
• Protection of multiple network subnets through the use of up to eight interfaces
• Simultaneous, dual operation in both promiscuous and inline modes
• A wide array of performance options, from 80 Mbps to multiple gigabits
• Embedded web-based management solutions packaged with the sensor
For More Information
• For a list of supported appliances, see Supported Sensors, page 1-19.
• For a description of the IPS 4240 and IPS 4255, see Chapter 3, “Installing the IPS 4240 and IPS 4255.”
• For a description of the IPS 4270-20, see Chapter 5, “Installing the IPS 4270-20.”
• For a description of the IPS 4345 and IPS 4360, see Chapter 6, “Installing the IPS 4345 and IPS 4360.”
• For a description of the IPS 4510 and IPS 4520, see Chapter 7, “Installing the IPS 4510 and IPS 4520.”
• For a description of the ASA 5500 AIP SSM, see Chapter 8, “Installing and Removing the ASA 5500 AIP SSM.”
• For a description of the ASA 5585-X IPS SSP, see Chapter 9, “Installing and Removing the ASA 5585-X IPS SSP.”
Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1, OL-24002-01, page 1-21