Cisco Systems IPS4510K9 manual Configuring the Internal Zone UDP Protocol, Enable UDP protocol

Chapter 9 Configuring Anomaly Detection

Configuring the Internal Zone

override-scanner-settings {yes | no}—Lets you override the scanner values:

threshold-histogram {low | medium | high} num-source-ips number—Sets values in the threshold histogram.

scanner-threshold—Sets the scanner threshold. The default is 200.

Configuring the Internal Zone UDP Protocol

To configure UDP protocol for a zone, follow these steps:

Step 1 Log in to the CLI using an account with administrator privileges.

Step 2 Enter anomaly detection internal zone submode.

sensor# configure terminal

sensor(config)# service anomaly-detection ad0
sensor(config-ano)# internal-zone
sensor(config-ano-int)#

Step 3 Enable UDP protocol.

sensor(config-ano-int)# udp
sensor(config-ano-int-udp)# enabled true

Step 4 Associate a specific port with UDP protocol.

sensor(config-ano-int-udp)# dst-port 20

sensor(config-ano-int-udp-dst)#

Step 5 Enable the service for that port.

sensor(config-ano-int-udp-dst)# enabled true

Step 6 (Optional) Override the scanner values for that port. You can keep the default scanner values, or you can override them and configure your own scanner values.

sensor(config-ano-int-udp-dst)# override-scanner-settings yes

sensor(config-ano-int-udp-dst-yes)#

Step 7 Add a histogram for the new scanner settings. Enter the number of destination IP addresses (low, medium, or high) and the number of source IP addresses you want associated with this histogram.

sensor(config-ano-int-udp-dst-yes)# threshold-histogram low num-source-ips 100

Step 8 Set the scanner threshold.

sensor(config-ano-int-udp-dst-yes)# scanner-threshold 100

Step 9 Configure the default thresholds for all other unspecified ports.

sensor(config-ano-int-udp-dst-yes)# exit
sensor(config-ano-int-udp-dst)# exit
sensor(config-ano-int-udp)# default-thresholds
sensor(config-ano-int-udp-def)# threshold-histogram medium num-source-ips 120
sensor(config-ano-int-udp-def)# scanner-threshold 120

Step 10 Verify the UDP configuration settings.

sensor(config-ano-int-udp)# show settings
   udp
   -----------------------------------------------
      dst-port (min: 0, max: 65535, current: 4)
      -----------------------------------------------
         number: 20
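To see what the values entered in Steps 6 through 9 mean against traffic, the following model replays constructed UDP flow records through the same per-port and default thresholds. This is an added example, not Cisco code and not the sensor's actual algorithm: the mapping of low/medium/high to 5/20/100 distinct destination IPs and the evaluation rules in the docstring are assumptions, and the flow records are constructed.

```python
"""
Model of the anomaly-detection UDP thresholds configured in the procedure above.
Assumed semantics (not stated on this page):
  - a source is a "scanner" on a port once it has contacted at least
    scanner-threshold distinct destination IPs on that port;
  - histogram levels low/medium/high stand for 5/20/100 distinct destination
    IPs, and a level fires when the number of sources reaching that many
    destinations exceeds the configured num-source-ips value.
Per-port settings (override-scanner-settings yes) take precedence over
default-thresholds, exactly as in the CLI session on this page.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed mapping of histogram level -> distinct destination IP count.
HISTOGRAM_DEST_IPS = {"low": 5, "medium": 20, "high": 100}


@dataclass
class Thresholds:
    scanner_threshold: int
    histogram: dict  # level -> num-source-ips


@dataclass
class UdpZoneConfig:
    default: Thresholds
    ports: dict = field(default_factory=dict)  # dst-port -> Thresholds

    def thresholds_for(self, dport):
        """Port override if one was configured, else default-thresholds."""
        return self.ports.get(dport, self.default)


# Mirrors the session above: dst-port 20 uses threshold-histogram low
# num-source-ips 100 and scanner-threshold 100; default-thresholds use
# threshold-histogram medium num-source-ips 120 and scanner-threshold 120.
PAGE_CONFIG = UdpZoneConfig(
    default=Thresholds(120, {"medium": 120}),
    ports={20: Thresholds(100, {"low": 100})},
)


def distinct_destinations(flows):
    """Map (dst-port, src) -> set of distinct destination IPs contacted."""
    seen = defaultdict(set)
    for src, dst, dport in flows:
        seen[(dport, src)].add(dst)
    return seen


def detect_scanners(flows, config):
    """Return {dport: sorted sources at or above that port's scanner threshold}."""
    seen = distinct_destinations(flows)
    scanners = defaultdict(list)
    for (dport, src), dsts in seen.items():
        if len(dsts) >= config.thresholds_for(dport).scanner_threshold:
            scanners[dport].append(src)
    return {p: sorted(s) for p, s in scanners.items()}


def histogram_alarms(flows, config):
    """Return {(dport, level): source count} for levels exceeding num-source-ips."""
    seen = distinct_destinations(flows)
    counts = defaultdict(int)
    for (dport, src), dsts in seen.items():
        for level, dest_ips in HISTOGRAM_DEST_IPS.items():
            if len(dsts) >= dest_ips:
                counts[(dport, level)] += 1
    alarms = {}
    for (dport, level), n in counts.items():
        limit = config.thresholds_for(dport).histogram.get(level)
        # Levels with no configured num-source-ips are not evaluated here.
        if limit is not None and n > limit:
            alarms[(dport, level)] = n
    return alarms


def constructed_flows():
    """Constructed sample traffic (not captured data) as (src, dst, dport)."""
    flows = []
    # One source sweeps 100 destinations on UDP/20: meets scanner-threshold 100.
    flows += [("10.0.0.5", f"192.0.2.{i}", 20) for i in range(100)]
    # 101 sources each touch 5 destinations on UDP/20: with the sweeper that is
    # 102 sources at the "low" level, exceeding num-source-ips 100.
    for s in range(101):
        flows += [(f"10.1.0.{s}", f"198.51.100.{i}", 20) for i in range(5)]
    # One source sweeps 100 destinations on UDP/53: below the default
    # scanner-threshold of 120, so no scanner and no histogram alarm.
    flows += [("10.0.0.9", f"203.0.113.{i}", 53) for i in range(100)]
    return flows


if __name__ == "__main__":
    flows = constructed_flows()
    print("scanners:", detect_scanners(flows, PAGE_CONFIG))
    print("histogram alarms:", histogram_alarms(flows, PAGE_CONFIG))
```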

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

9-16

OL-29168-01
Events from the Event Store 17-23Configuring the System Clock Displaying the System Clock17-24 Sensor# show clock detailManually Setting the System Clock Clearing the Denied Attackers List17-25 17-26 Displaying Policy Lists 17-27Displaying Statistics Display the list of policies for event action rulesDisplay the list of policies for signature definition 17-28Administrative Tasks for the Sensor 17-2917-30 Display the statistics for authentication Sensor# show statistics authenticationDisplay the statistics for anomaly detection 17-31Display the statistics for the Event Server Display the statistics for the Event Store17-32 Sensor# show statistics event-server GeneralDisplay the statistics for the host 17-33Show statistics host Display the statistics for the logging application Display the statistics for the ARC17-34 Sensor# show statistics logger17-35 17-36 17-37 Display the statistics for the web server 17-38Statistics web-server 17-39 Sensor# show statistics logger clearDisplaying Tech Support Information Varlog FilesDisplaying Tech Support Information 17-40Displaying Version Information View version information17-41 Sensor# show versionCancel the output and get back to the CLI prompt View configuration information17-42 Diagnosing Network Connectivity 17-43Resetting the Appliance Enter yes to continue the resetFollowing example shows a successful ping Following example shows an unsuccessful pingDisplaying Command History Stop all applications and power down the applianceEnter yes to continue with the reset and power down 17-45Displaying Hardware Inventory 17-46Sensor# show inventory 17-47 PID IPS-4360-PWR-ACTracing the Route of an IP Packet Display the route of IP packet you are interested17-48 InventoryDisplaying Submode Settings Show the current configuration for ARC submodeSensor config# service network-access 17-4917-50 Show the ARC settings in terse mode 17-5117-52 Configuring the ASA 5500-X IPS SSP 18-1Configuration Sequence for the ASA 5500-X IPS SSP 
18-2Verifying Initialization for the ASA 5500-X IPS SSP Obtain the details about the ASA 5500-X IPS SspsConfirm the information 18-3Creating Virtual Sensors for the ASA 5500-X IPS SSP ASA 5500-X IPS SSP and VirtualizationCreating Virtual Sensors 18-4Creating Virtual Sensors 18-5Sensorconfig-ana-vir#physical-interface PortChannel0/0 18-6Assigning Virtual Sensors to Contexts 18-7Asa# show ips Enter multiple mode Add three context modes to multiple modeAssign virtual sensors to the security contexts 18-8ASA 5500-X IPS SSP and Bypass Mode Configure MPF for each contextConfirm the configuration SensorApp FailsSensorApp is Reconfigured ASA 5500-X IPS SSP and the Normalizer Engine18-10 ASA 5500-X IPS SSP and Jumbo Packets ASA 5500-X IPS SSP and Memory Usage18-11 Health and Status Information 18-12Asa-ips#debug module-boot 18-13Early reservations == bootmem 0000000000 18-1418-15 18-16 18-17 18-18 18-19 IRQSingle ASA in Fail-Open Mode Single ASA in Fail-Close ModeTwo ASAs in Fail-Open Mode ASA 5500-X IPS SSP Failover ScenariosNew and Modified Commands Two ASAs in Fail-Close ModeConfiguration Examples 18-21Defaults Firewall Mode Security Context Multiple Command Mode RoutedAllocate-ips Single Context SystemCommand History Release Modification Related Commands DescriptionExamples 18-2318-24 ASA 5585-XIPS SSP Notes and Caveats 19-1Configuration Sequence for the ASA 5585-X IPS SSP 19-2Verifying Initialization for the ASA 5585-X IPS SSP Obtain the details about the ASA 5585-X IPS SSP19-3 Asa# show module 1 detailsCreating Virtual Sensors for the ASA 5585-X IPS SSP ASA 5585-X IPS SSP and Virtualization19-4 ASA 5585-X IPS SSP Virtual Sensor Configuration Sequence 19-5Command, for example sig1 Example, rules1Virtual sensor that you create 19-619-7 Asaconfig-ctx# Asaconfig-ctx# Config-url disk0/c2.cfg19-8 19-9 ASA 5585-X IPS SSP and Bypass Mode ASA 5585-X IPS SSP and the Normalizer Engine19-10 ASA 5585-X IPS SSP and Jumbo Packets 19-11Ips-ssp#hardware-module module 1 recover 
configure 19-12Asa# hw-module module 1 reset 19-13Module 1 details Ips-ssp#hw-module module 1 recover configure 19-14Traffic Flow Stopped on IPS Switchports Asaconfig# debug module-boot19-15 Failover Scenarios 19-1619-17 19-18 IPS 7.2 File List Obtaining Cisco IPS Software20-1 Enter your username and password IPS Software VersioningDownloading Cisco IPS Software 20-2Major Update Minor UpdateService Pack Patch ReleaseSignature Update Signature Engine Update20-4 Recovery and System Image Files 20-5IPS Software Release Examples 20-6Accessing IPS Documentation 20-7Cisco Security Intelligence Operations 20-8Upgrade Notes and Caveats 21-1Upgrades, Downgrades, and System Images 21-2Supported FTP and HTTP/HTTPS Servers Upgrading the SensorIPS 7.21E4 Files 21-3Upgrade Notes and Caveats Manually Upgrading the Sensor21-4 Upgrade the sensor Enter the password when promptedSensorconfig# upgrade url/IPS-SSP10-K9-7.2-1-E4.pkg Upgrading the SensorWorking With Upgrade Files 21-6Upgrading the Recovery Partition 21-7Configuring Automatic Upgrades Configuring Automatic UpdatesEnter the server password. 
The upgrade process begins 21-821-9 Configuring Automatic Upgrades 21-10Specify the username for authentication Specify the password of the userExit automatic upgrade submode 21-11Applying an Immediate Update Sensor# autoupdatenow21-12 Sensor# show statistics hostRecovering the Application Partition Downgrading the Sensor21-13 Installing System Images Recovering the Application Partition ImageRecover the application partition image Sensorconfig# recover application-partitionConnecting an Appliance to a Terminal Server Tftp Servers21-15 Installing the System Image for the IPS 4345 and IPS 21-1621-17 PCIAssign the Tftp server IP address If necessary, assign the gateway IP address21-18 Rommon ping serverInstalling the System Image for the IPS 4510 and IPS Rommon21-19 21-20 If necessary, assign the Tftp server IP address 21-21Installing the System Image for the ASA 5500-X IPS SSP Periodically check the recovery until it is completeImage the ASA 5500-X IPS SSP 21-22Installing the System Image for the ASA 5585-X IPS SSP 21-2321-24 Specify the default gateway of the ASA 5585-X IPS SSP To enable debugging of the software installation processAsa# hw-module module 1 recover boot Leave the Vlan ID atInstalling the ASA 5585-X IPS SSP System Image Using Rommon 21-2621-27 Rommon #0 set21-28 21-29 21-30 Understanding the IPS System Architecture IPS System DesignFigure A-1illustrates the system design for IPS software System Applications Figure A-2 System Design for IPS 4500 Series SensorsAppendix a System Architecture System Applications Security Features For detailed information about SDEE, see SDEE, page A-33MainApp Understanding the MainAppMainApp Responsibilities ARCEvent Store Understanding the Event StoreEvent Data Structures Table A-1shows some examplesStamp Value Meaning NotificationApp IPS EventsVlan CtlTransSource PEPAttack Response Controller Figure A-3Understanding the ARC Figure A-4illustrates the ARCARC Features Supported Blocking Devices ACLs and VACLs Maintaining 
State Across RestartsFwsm Connection-Based and Unconditional Blocking ScenarioBlocking with Cisco Firewalls To unblock an IP addressTo clear all blocks No shun ipBlocking with Catalyst Switches LoggerAuthenticationApp Understanding the AuthenticationAppAuthenticating Users Configuring Authentication on the SensorManaging TLS and SSH Trust Relationships SensorApp Web ServerUnderstanding the SensorApp Inline, Normalization, and Event Risk Rating Features SensorApp New Features Packet FlowSignature Event Action Processor CollaborationApp Update Components SwitchApp Error EventsCLI User RolesService Account CommunicationsIdapi Idconf Cisco IPS File Structure CideeUsing the Idapi Summary of Cisco IPS ApplicationsApplication Description CLIIDM Java applet that provides an Html IPS management interfaceIME EventsSignature Engines Understanding Signature EnginesAppendix B Signature Engines Understanding Signature Engines Appendix B Signature Engines Understanding Signature Engines Master Engine General ParametersParameter Description Value Signature-id Specifies the ID of this signatureSig-name Promiscuous Delta Alert Frequency ObsoletesVulnerable OS List Event Actions Name Description AIC Engine \NNNTo Match Regular Expression Understanding the AIC Engine AIC Engine and Sensor PerformanceAIC Engine Parameters Alarm-on-non-http-traffic Parameter DescriptionTable B-6 AIC FTP Engine Parameters Atomic Engine Atomic ARP EngineAtomic IP Advanced Engine Isatap Atomic IP Advanced Engine RestrictionsString IPv6 Parameter Description Value OL-29168-01 IPV4 Icmp ID L4 Protocol ICMPv6L4 Protocol TCP and UDP OL-29168-01 Atomic IP Engine Parameter Description Value Appendix B Signature Engines OL-29168-01 Atomic IPv6 Engine Atomic IPv6 SignaturesFixed Engine Table B-11 Fixed TCP Engine Parameters Flood Engine Meta Engine Protocol Specifies which kind of traffic to inspectFlood Net Engine Parameters Component-list Specifies the Meta engine component Name1Multi String Engine Normalizer 
Engine IP Fragmentation Normalization TCP NormalizationIPv6 Fragments ASA IPS Modules and the Normalizer Engine Service Engines Understanding the Service Engines Service DNS EngineService FTP Engine Service Generic Engine Table B-20 Service Generic Engine Parameters Service H225 Engine Setup SetupASN.1-PER TpktService Http Engine Crlfcrlf Service Ident Engine Service Msrpc Engine Smbcomtransaction Service Mssql Engine Service NTP Engine Service P2P Engine Service RPC EngineParameter Description Value Service SMB Advanced Engine Msrpc Uuid Service Snmp Engine Service SSH Engine Specify-object-id-EnablesService TNS Engine State Engine Table B-32lists the parameters specific to the State engine String Engines Table B-33 String Icmp Engine Parameters Table B-35 String UDP Engine String XL Engines Parameter Description Value Unsupported String XL Parameters Sweep Engines Sweep EngineData Nodes Type Sweep Other TCP Engine Traffic Anomaly Engine Sweep Other TCP Engine ParametersSignature Traffic Icmp Engine Trojan Engines Troubleshooting Bug ToolkitPreventive Maintenance Understanding Preventive MaintenanceCreating and Using a Backup Configuration File Sensor# copy current-config backup-config Backing Up the Current Configuration to a Remote Server Creating the Service Account Disaster Recovery Password Recovery Security appliance IPS modules Command ASA 5500 series adaptive Adaptive security appliance CLIUsing Rommon Password-Reset issued for module ips Recovering the Password for the ASA 5585-X IPS SSP 0123 21E4 Disabling Password Recovery Verifying the State of Password Recovery For the procedure for configuring NTP, see Configuring NTP, Time Sources and the SensorSynchronizing IPS Clocks with Parent Device Clocks Verifying the Sensor is Synchronized with the NTP Server Generate the host statisticsGenerate the hosts statistics again after a few minutes Advantages and Restrictions of Virtualization TFor More Information When to Disable Anomaly Detection To learn more 
about Worms, see Understanding Worms,Reboot the sensor Command outputAnalysis Engine Not Responding Enter show tech-support and save the outputExternal Product Interfaces Issues Troubleshooting the Appliance External Product Interfaces Troubleshooting TipsTroubleshooting Loose Connections Communication Problems Analysis Engine is BusyCannot Access the Sensor CLI Through Telnet or SSH More Correcting a Misconfigured Access List Sensor# show configuration include access-listDuplicate IP Address Shuts Interface Down Make sure the sensor cabling is correctSensorApp and Alerting SensorApp is Not RunningMake sure the IP address is correct AnalysisEngine 20130410110072014 Release Physical Connectivity, SPAN, or Vacl Port Issue Unable to See Alerts Sensor# show interfacesMake sure you have Produce Alert configured Check for alertsSensor# show interfaces FastEthernet0/1 Sensorconfig-int#physical-interfaces GigabitEthernet0/1 Sensor Not Seeing PacketsSensor# show interfaces GigabitEthernet0/1 Cleaning Up a Corrupted SensorApp Configuration Exit the service account Log in to the sensor CLICheck to see that the interface is up and receiving packets Replace the virtual sensor fileTroubleshooting Blocking Start the IPS servicesBlocking Sensor# cids startVerifying the ARC is Running If the ARC is not connecting, look for recurring errors Make sure you have the latest software updatesSensor# show events error hhmmss month day year include nac Sensor# show events error 000000 Apr 01 2011 include nacFor More Information Device Access Issues Verify the IP address for the managed devicesSensorname Sensor Management Time-Based Actions Host Blocks Start the manual block of the bogus host IP addressEnabling SSH Connections to the Network Device Blocking Not Occurring for a SignatureVerifying the Master Blocking Sensor Configuration Exit network access general submode Enable debug logging for all zones LoggingEnabling Debug Logging Turn on individual zone control Exit master zone 
controlView the zone names Protected entry zone-name nac Turn on debugging for a particular zone Exit the logger submodeZone Names Press Enter to apply changes or type no to discard themTable C-2lists the debug logger zone names Zone Name DescriptionDirecting cidLog Messages to SysLog TCP Reset Not Occurring for a Signature Software Upgrades Upgrading ErrorMake sure the correct alarms are being generated Sensor# show events alertWhich Updates to Apply and Their Prerequisites Issues With Automatic UpdateUpdating a Sensor with the Update Stored on the Sensor Troubleshooting the IDM Cannot Launch the IDM Loading Java Applet FailedClick the Advanced tab Cannot Launch the IDM-The Analysis Engine Busy Delete the temp files and clear the history in the browserTroubleshooting the IME Signatures Not Producing AlertsTroubleshooting the ASA 5500-X IPS SSP Not Supported Error MessageTime Synchronization on IME and the Sensor Health and Status Information E1000 00000005.0 PCI INT a disabled 303 Appendix C Troubleshooting Usb CRS IRQ Failover Scenerios ASA 5500-X IPS SSP and the Normalizer Engine ASA 5500-X IPS SSP and Memory Usage ASA 5500-X IPS SSP and Jumbo PacketsTroubleshooting the ASA 5585-X IPS SSP Hw-module module 1 reset commandReset issued for module in slot Asa# show Mgmt IP addr 192.0.2.3 Failover Scenarios Traffic Flow Stopped on IPS Switchports ASA 5585-X IPS SSP and the Normalizer EngineGathering Information ASA 5585-X IPS SSP and Jumbo PacketsHealth and Network Security Information Tech Support InformationUnderstanding the show tech-support Command Displaying Tech Support InformationTech Support Command Output Sensor# show tech-support page System Status Report= No Understanding the show version Command Version InformationDisplaying Version Information Version 29.1 Platform IPS4360 Serial Number Service aaa Understanding the show statistics Command Statistics InformationDisplaying Statistics Percentage Thread Sec Min Average Inspection Stats Inspector Active Call 
Create Delete Display the statistics for anomaly detection Sensor# show statistics denied-attackers Sensor# show statistics event-serverSensor# show statistics event-store Threat Multicast MTU1500 Metric1 Appendix C Troubleshooting Gathering Information Display the statistics for the notification application Name Current OL-29168-01 Sensor# show statistics web-server listener-443 Understanding the show interfaces Command Interfaces InformationInterfaces Command Output Displaying Interface Traffic HistoryAvg Load Peak Load GigabitEthernet0/1 Time Packets Received Bytes Received Mbps Events Information Understanding the show events Command Sensor EventsDisplaying Events Displaying Events 100 CidDump Script Clearing Events101 Uploading and Accessing Files on the Cisco FTP Site Enter the following command102 Usr/cids/idsRoot/bin/cidDumpCLI Error Messages Reason CommandURI Error Message Reason Command System that has not been upgraded Packet-file but no packet-file hasBeen captured User attempted to downgrade aUser attempted to cancel a CLI Operator or viewer user attempted to Initial loginLog in when the maximum number Administrator user attempted to log Initial loginAppendix D CLI Error Messages CLI Validation Error Messages Reason/LocationDetection configuration file that is currently in use Interface and optional sub-interface beingAdded to the virtual sensor entry physical Interface set has already been assigned to anotherOL-29168-01 GL-1 To detect worm-infected hosts GL-2GL-3 Certificate for one CA issued by another CA Authoritative private keyGL-4 GL-5 GL-6 Dual In-line Memory Modules A public outside networkTo the transmit line and reads data from the receive line 802.1q to be usedGL-8 Procedures, and basic data transport methods An ITU standard that governs H.245 endpoint controlGL-9 GL-10 GL-11 GL-12 Proprietary branches Detailed information about signaturesGL-13 GL-14 GL-15 Quality and service availability GL-16GL-17 Network devices. 
Used with the IDS MC Unauthorized activityAnalysis Engine GL-18GL-19 GL-20 Authorization, and accounting Network asset through its IP addressLocal system. Telnet is defined in RFC GL-21GL-22 Through a switch. Also known as security ACLs RFCVersion identifier. Part of the UDI GL-23GL-24 Payload reassembly HostsGL-25 GL-26 AIC FTP AIC HttpIN-1 IN-2 NAT TACACS+ARP IN-3Asdm SSPIN-4 Radius IN-5BO2K URL CideeIN-6 Exec IN-7IN-8 IN-9 IN-10 CSA MC IN-11TFN IN-12AIC FTP AIC Http IN-13IN-14 IN-15 Idapi IdconfIN-16 Idiom ASA 5500-X IPS SSP ASA 5585-X IPS SSPIN-17 Tcpdump IN-18IPS SSP IN-19SSH LokiIN-20 Snmp IN-21IN-22 IN-23 IN-24 RTT SdeeHttp A-33 IN-25IN-26 IN-27 AIC IN-28Cidee Idconf Idiom Sdee SmtpIN-29 IN-30 TAC TFN2KTLS IN-31BO2K Loki TFN2K IN-32Upgrade command Sensor initialization Sensor setup Version displaySensing process not running Viewer role privilegesIN-34
Related manuals
Manual 36 pages 45.7 Kb

IPS4510K9 specifications

Cisco Systems has long been a leading player in network security, and its IPS (Intrusion Prevention System) series is a testament to its commitment to safeguarding digital environments. Among its notable offerings are the IPS4510K9 and IPS4520K9 models, both designed to provide advanced threat protection for mid-sized to large enterprise networks.

The Cisco IPS4510K9 and IPS4520K9 are distinguished by their cutting-edge features that help organizations defend against a myriad of cyber threats. These systems utilize a multi-layered approach to security, integrating intrusion prevention, advanced malware protection, and comprehensive visibility across the network.

One of the primary characteristics of the IPS4510K9 is its high performance. It boasts a throughput of up to 1 Gbps, making it suitable for environments that demand rapid data processing and real-time responses to threats. The IPS4520K9, on the other hand, enhances that capability with improved throughput of up to 2 Gbps, accommodating larger enterprises with heavier network traffic. These models are equipped with powerful processors that support complex signature matching and can intelligently distinguish between legitimate traffic and potential threats.

In addition to performance, both models are designed with scalability in mind. They can be easily integrated into existing Cisco infrastructures. This facilitates a seamless enhancement of security without causing significant interruptions to ongoing operations. Moreover, they offer flexible deployment options, allowing organizations to operate them inline or out of band depending on their specific needs.

The Cisco IPS4510K9 and IPS4520K9 leverage advanced detection technologies, utilizing a variety of signature types and heuristic analysis to detect known and unknown threats effectively. They are equipped with real-time alerting and reporting capabilities, giving security teams immediate visibility into potential breaches and enabling them to respond swiftly.

Furthermore, both models support a range of management options through the Cisco Security Manager, allowing for centralized administration, streamlined policy management, and enhanced monitoring capabilities. Automated updates ensure the systems remain current with the latest threat intelligence, vital for staying ahead of evolving cyber threats.

In summary, the Cisco Systems IPS4510K9 and IPS4520K9 represent powerful solutions for organizations seeking robust intrusion prevention capabilities. With their high performance, scalability, and advanced detection technologies, these systems are essential tools in the ever-changing landscape of cybersecurity, providing enterprises with the peace of mind needed to operate securely in today's digital world.