Contents
Text Part Number OL-29168-01
Americas Headquarters
Page
Iii
N T E N T S
Advanced Setup for the Appliance
Interface Support
Understanding Inline Vlan Pair Mode
Vii
Configuring Alert Severity
Viii
Example String XL TCP Engine Match Offset Signature
Understanding Worms
Configuring Global Correlation
Configuring IP Logging
Xii
Routers
Xiii
Using Rommon
Xiv
Configuring the ASA 5585-X IPS SSP
Upgrading, Downgrading, and Installing System Images
Xvi
NotificationApp
Xvii
AIC Engine B-10
Xviii
Creating the Service Account C-5
Xix
Communication Problems
Understanding the show tech-support Command C-75
Xxi
CLI Validation Error Messages D-6
Xxii
Organization
Contents
Audience
Xxiv
Xxv
Conventions
Related Documentation
Convention Indication
Xxvi
Obtaining Documentation and Submitting a Service Request
Ii-1
Logging In Notes and Caveats
Supported User Roles
Ii-2
Logging In to the Appliance
For More Information
Exit Wr mem
Connecting an Appliance to a Terminal Server
Config t
Ii-3
Asa# session ips
Logging In to the ASA 5500-X IPS SSP
Ii-4
Asa# session
Logging In to the ASA 5585-X IPS SSP
Ii-5
Ii-6
Logging In to the Sensor
Ii-7
Ii-8
Supported IPS Platforms
IPS CLI Configuration Guide
Sensor Configuration Sequence
User Roles
Viewers
Administrator
Service
Operators
Help
CLI Behavior
Following tips help you use the Cisco IPS CLI
Prompts
Display Options
Command Line Editing
Recall
Case Sensitivity
Keys Description
String
IPS Command Modes
Regular Expression Syntax
Character Description
Or more times
Only if it is at the end of the string
Matches a as well as b
Matches any character
Sensor# configure terminal
Generic CLI Commands
CLI Keywords
OL-29168-01
Initializing Notes and Caveats
Initializing the Sensor
Understanding Initialization
Simplified Setup Mode
System Configuration Dialog
Example 2-1 Example System Configuration Dialog
Example 2-1shows a sample System Configuration Dialog
Initializing the Sensor Basic Sensor Setup
Basic Sensor Setup
Initializing the Sensor Basic Sensor Setup
Following configuration was entered
Initializing the Sensor Advanced Setup
Advanced Setup
Advanced Setup for the Appliance
Press Enter to return to the available interfaces menu
Enter 1 to edit the interface configuration
Enter a subinterface number and description
Enter numbers for Vlan 1
Press Enter to return to the top-level editing menu
Enter 2 to edit the virtual sensor configuration
Enter 2 to modify the virtual sensor configuration, vs0
Host-ip 192.168.1.2/24,192.168.1.1
Enter 2 to save the configuration
Reboot the appliance
Advanced Setup for the ASA 5500-X IPS SSP
Enter a name and description for your virtual sensor
Enter 2 to modify the virtual sensor vs0 configuration
Modify default threat prevention settings?no
Asa-ips#show tls fingerprint
Reboot the ASA 5500-X IPS SSP
Advanced Setup for the ASA 5585-X IPS SSP
Enter 2 to edit the virtual sensor configuration
Exit Service analysis-engine
Ips-ssp#show tls fingerprint
Reboot the ASA 5585-X IPS SSP
Verifying Initialization
Sensor# show configuration
View your configuration
Sensor# show tls fingerprint
Display the self-signed X.509 certificate needed by TLS
Setup Notes and Caveats
Setting Up the Sensor
Changing Network Settings
Understanding Sensor Setup
Changing the Hostname
Changing the IP Address, Netmask, and Gateway
Exit network settings mode
Enter network settings mode
Change the sensor IP address, netmask, and default gateway
Enabling and Disabling Telnet
Enable Telnet services
Verify that Telnet is enabled
Changing the Access List
Verify the value has been set back to the default
Verify the change you made to the access-list
Remove the entry from the access list
Change the value back to the default
Verify the FTP timeout change
Changing the FTP Timeout
To change the FTP timeout, follow these steps
Change the number of seconds of the FTP timeout
Verify the banner login text message
Adding a Login Banner
Add the banner login text
Verify the login text has been removed
Verify the settings
Enable a DNS server
Login-banner-text defaulted dns-primary-server
Enabling SSHv1 Fallback
Verify that SSHv1 fallback is enabled
Exit authentication mode
Changing the CLI Session Timeout
Change the number of seconds of the CLI session timeout
Verify the CLI session timeout change
TLSDHERSAWITHAES256CBCSHA256 TLSDHEDSSWITHAES256CBCSHA256
Changing Web Server Settings
When disabled, the client can use the following ciphers
Change the port number
Sensor# configure terminal Sensorconfig# service web-server
Turn on TLS client ciphers restriction
Specify the web session inactivity timeout
Turn on logging for web session inactivity timeouts
Verify the defaults have been replaced
Adding and Removing Users
Configuring Authentication and User Parameters
Sensor# show users all
Sensorconfig# username username password password privilege
Sensorconfig# username tester privilege administrator
Specify the parameters for the user
Sensor# configure terminal Sensorconfig# no username jsmith
Configuring Authentication
To remove a user, use the no form of the command
Radius Authentication Options
Configuring Local or Radius Authentication
Enter AAA submode
Sensorconfig-aaa-rad#default-user-role operator
Enter the Radius server IP address
Ips-role=administrator Ips-role=service
Enter the IP address of the second Radius server
Specify the type of console authentication
AAA Radius Users
Configuring Packet Command Restriction
Exit AAA mode
Sensorconfig-aut#permit-packet-logging false
Enter authentication submode
Check your new setting
Sensorconfig-aut#permit-packet-logging true
Sensorconfig# user username privilege service
Creating the Service Account
Exit configuration mode
Service Account and Radius Authentication
Radius Authentication Functionality and Limitations
Configuring Passwords
Changing User Privilege Levels
Change your password
Verify all users. The account of the user jsmith is locked
Showing User Status
Change the privilege level from viewer to operator
Display your current level of privilege
Example
Configuring the Password Policy
To unlock the account of jsmith, reset the password
Locking User Accounts
Set the value back to the system default setting
Check that the setting has returned to the default
Unlock the account
Enter global configuration mode
Unlocking User Accounts
Parentheses
IPS Standalone Appliances
Configuring Time
Time Sources and the Sensor
ASA IPS Modules
Configuring Time on the Sensor
Correcting Time on the Sensor
Sensor# show clock
Manually Setting the System Clock
Symbol
Displaying the System Clock
Sensor# clock set 1321 Mar 29
Configuring Recurring Summertime Settings
Enter the month you want to start summertime settings
Enter start summertime submode
Specify the local time zone used during summertime
Verify your settings
Enter the month you want to end summertime settings
Enter end summertime submode
Exit recurring summertime submode
Configuring Nonrecurring Summertime Settings
Exit non-recurring summertime submode
Sensorconfig-hos-tim#standard-time-zone-name CST
Configuring NTP
Configuring Time Zones Settings
Exit time zone settings submode
Example
Configuring a Cisco Router to be an NTP Server
Verify the unauthenticated NTP settings
Configuring the Sensor to Use an NTP Time Source
Enter service host mode
Configure unauthenticated NTP Enter NTP configuration mode
Exit NTP configuration mode
Configuring SSH
Configure authenticated NTP Enter NTP configuration mode
Verify the NTP settings
Adding Hosts to the SSH Known Hosts List
Understanding SSH
Sensor# show ssh host-keys
Sensorconfig# ssh host-key
Add an entry to the known hosts list
View the key for a specific IP address
Adding Authorized RSA1 and RSA2 Keys
Sensorconfig# no ssh host-key
Generating the RSA Server Host Key
Sensor# show ssh server-key
Sensor# ssh generate-key
Understanding TLS
Configuring TLS
Adding TLS Trusted Hosts
Sensorconfig# tls trusted-host ip-address 10.89.146.110 port
Verify that the key was generated
Displaying and Generating the Server Certificate
View the fingerprint for a specific host
Remove an entry from the trusted hosts list
Understanding the License Key
Installing the License Key
Obtaining and Installing the License Key
Service Programs for IPS Products
Installing the License Key
Verify the sensor is licensed
Licensing the ASA 5500-X IPS SSP
Sensor# erase license-key
Uninstalling the License Key
Verify the sensor key has been uninstalled
Setting Up the Sensor Installing the License Key
OL-29168-01
Interface Notes and Caveats
Configuring Interfaces
IPS Interfaces
Understanding Interfaces
Sensor Command and Control Interface
Command and Control Interface
Sensing Interfaces
TCP Reset Interfaces
Understanding Alternate TCP Reset Interfaces
None
Designating the Alternate TCP Reset Interface
2lists the alternate TCP reset interfaces
Sensor Alternate TCP Reset Interface
Base Chassis Cards Sensing Ports Inline Interface Pairs
Interface Support
Interfaces Not
Combinations Supporting Command and Control
Interface Configuration Restrictions
Configuring Interfaces Understanding Interfaces
Interface Configuration Sequence
Configuring Physical Interfaces
Display the list of available interfaces
Configuring the Physical Interface Settings
Specify the interface for promiscuous mode
Add a description of this interface
Remove TCP resets from an interface
Sensorconfig-int-phy#alt-tcp-reset-interface none
Exit interface submode
Configuring Promiscuous Mode
Understanding Promiscuous Mode
IPv6, Switches, and Lack of Vacl Capture
Configuring Promiscuous Mode
Set span 930, 932, 960, 962 4/1-4 both
Configuring Inline Interface Mode
Understanding Inline Interface Mode
Creating Inline Interface Pairs
Configuring Inline Interface Pairs
It can monitor traffic see Step
Enable the interfaces assigned to the interface pair
Name the inline pair
Display the available interfaces
Verify that the interfaces are enabled
Verify the inline interface pair has been deleted
Exit interface configuration submode
Sensorconfig-int#no inline-interfaces PAIR1
Understanding Inline Vlan Pair Mode
Configuring Inline Vlan Pair Mode
Configuring Inline Vlan Pairs
Been configured
Configuring Inline Vlan Pairs
OL-29168-01
Designate an interface
Set up the inline Vlan pair
Verify the inline Vlan pair settings
Sensorconfig-int#no inline-interfaces interfacename
To delete Vlan pairs Delete one Vlan pair
Configuring Vlan Group Mode
Understanding Vlan Group Mode
Deploying Vlan Groups
Configuring Vlan Groups
Configuring Inline Vlan Groups
None Subinterface-type
Assign the VLANs to this group Assign specific VLANs
Set up the Vlan group
Specify an interface
Add a description for the Vlan group
Configure unassigned VLANs
Verify the Vlan group settings
Delete Vlan groups Delete one Vlan group
Configuring Inline Bypass Mode
Understanding Inline Bypass Mode
Configure bypass mode
Configuring Inline Bypass Mode
Configuring Bypass Mode
Configuring Interface Notifications
Configuring Interface Notifications
Configuring CDP Mode
Displaying Interface Statistics
Enabling CDP Mode
Enable CDP mode
Sensorconfig-int#cdp-mode forward-cdp-packets
Sensor# show interfaces Interface Statistics
Sensor# show interfaces brief
Sensor# show interfaces clear Interface Statistics
Display the statistics for a specific interface
Clear the statistics
Sensor# show interfaces Management0/0
Displaying Interface Traffic History
Display the interface traffic history by the minute
Displaying Historical Interface Statistics
To display interface traffic history, follow these steps
Display the interface traffic history by the hour
Bytes Received Mbps
Virtual Sensor Notes and Caveats
Configuring Virtual Sensors
Advantages and Restrictions of Virtualization
Understanding the Analysis Engine
Understanding Virtual Sensors
Inline TCP Session Tracking Mode
Restrictions
Normalization and Inline TCP Evasion Protection Mode
Http Advanced Decoding
Adding, Editing, and Deleting Virtual Sensors
Adding Virtual Sensors
Add a description for this virtual sensor
Sensorconfig-ana-vir#description virtual sensor
Adding a Virtual Sensor
Add a virtual sensor
Assign a signature definition policy to this virtual sensor
Enable Http advanced decoding
Verify the virtual sensor settings
Assign an event action rules policy to this virtual sensor
Exit analysis engine mode
Edit the description of this virtual sensor
Editing and Deleting Virtual Sensors
Editing or Deleting a Virtual Sensor
Edit the virtual sensor, vs1
Delete a virtual sensor
Verify the edited virtual sensor settings
Sensorconfig-ana-vir#physical-interface GigabitEthernet0/2
Sensorconfig-ana# exit
Create the flow depth variable
Configuring Global Variables
Creating a Global Variable
Create the variable for the maximum number of open IP logs
Sensor# show statistic analysis-engine
Create the variable for service activity
Verify the global variable settings
OL-29168-01
Understanding Policies
Signature Definition Notes and Caveats
Sensor# copy signature-definition sig0 sig1
Sensor# list signature-definition-configurations
Working With Signature Definition Policies
Delete a signature definition policy
Confirm the signature definition policy has been deleted
Reset a signature definition policy to factory settings
Understanding Signatures
Creating Signature Variables
Configuring Signature Variables
Understanding Signature Variables
Adding, Editing, and Deleting Signature Variables
Signature Definition Options
Configuring Signatures
Configuring Alert Frequency
Specify the summary key
Configuring Alert Frequency
Specify the signature you want to configure
Enter alert frequency submode
Assign the alert severity
Configuring Alert Severity
Configuring Alert Severity
To configure the alert severity, follow these steps
Exit signatures submode
Configuring the Event Counter
Configuring the Event Counter
Enter event counter submode
Optional Enable alert interval
Specify the signature fidelity rating for this signature
Configuring Signature Fidelity Rating
Configuring the Signature Fidelity Rating
Change the status for this signature
Configuring the Status of Signatures
Choose the signature you want to configure
Changing the Signature Status
Specify the vulnerable OSes for this signature
Configuring the Vulnerable OSes for a Signature
Configuring Vulnerable OSes
Assigning Actions to Signatures
Specify the percentage for rate limiting
Configuring Event Actions
Configure the event action
Exit event action submode
Configuring AIC Signatures
Understanding the AIC Engine
AIC Engine and Sensor Performance
Configuring the Application Policy
Sensorconfig-sig-app-htt#aic-web-ports 80-80,3128-3128
Configuring the Application Policy
Enable inspection of FTP traffic
Enable Http application policy enforcement
Signature ID Define Request Method
AIC Request Method Signatures
Signature ID Signature Description
AIC Mime Define Content Type Signatures
Signature ID Signature Description
Signature ID Signature Description
Signature ID Transfer Encoding Method
AIC Transfer Encoding Signatures
Signature ID FTP Command
AIC FTP Commands Signatures
Creating an AIC Signature
Define the signature type
Define the content type
Defining a MIME-Type Policy Signature
Specify the event action
Signature ID and Name Description Range Default Action
Configuring IP Fragment Reassembly
Understanding IP Fragment Reassembly
For More Information
Specify the engine
Configuring IP Fragment Reassembly Parameters
Configuring the Method for IP Fragment Reassembly
Enter edit default signatures submode
Verify the setting
Configuring TCP Stream Reassembly
Understanding TCP Stream Reassembly
Configuring the IP Fragment Reassembly Method
TCP Stream Reassembly Signatures and Configurable Parameters
TCP Stream Reassembly Signatures
SYN
SYN
Configuring TCP Stream Reassembly Signatures
Configuring the Mode for TCP Stream Reassembly
Sensorconfig-sig-str#tcp-reassembly-mode strict
Configuring the TCP Stream Reassembly Parameters
Sensorconfig-sig-str#tcp-3-way-handshake-required true
Specify the length of time you want the sensor to log
Configuring IP Logging
Configuring IP Logging Parameters
Specify the number of packets you want logged
Sequence for Creating a Custom Signature
Creating Custom Signatures
Example String TCP Engine Signature
Creating a String TCP Engine Signature
Verify the settings
Example Service Http Engine Signature
Specify the alert traits. The valid range is from 0 to
Creating a Service Http Engine Signature
Enter signature description mode
Specify a signature name
Exit Regex submode
Configure the Regex parameters
Example Meta Engine Signature
Exit alert frequency submode
Meta Signature Engine Enhancement
Defining Signatures Creating Custom Signatures
Creating a Meta Engine Signature
Example IPv6 Engine Signature
Specify the L4 protocol
Sensorconfig-sig-sig#engine atomic-ip-advanced
Specify the IP version
Specify IPv6
Creating a String XL TCP Engine Signature
Example String XL TCP Engine Match Offset Signature
Specify an exact match offset for this signature
Sensorconfig-sig-sig-str#specify-exact-match-offset yes
Specify the String XL TCP engine
Specify the regex string to search for in the TCP packet
Specify a minimum match offset for this signature
Example String XL TCP Engine Minimum Match Length Signature
Specify a signature ID and subsignature ID for the signature
Specify a new Regex string to search for and turn on UTF-8
OL-29168-01
Event Action Rules Notes and Caveats
Configuring Event Action Rules
Understanding Event Action Rules
Understanding Security Policies
Signature Event Action Processor
Action filter
Alert and Log Actions
Deny Actions
Understanding Deny Packet Inline
Other Actions
TCP Normalizer Signature Warning
Event Action Rules Configuration Sequence
Sensor# copy event-action-rules rules0 rules1
Working With Event Action Rules Policies
Working With Event Action Rules Policies
Confirm the event action rules instance has been deleted
Reset an event action rules policy to factory settings
Event Action Variables
Delete an event action rules policy
IPv6 Addresses
When configuring IPv6 addresses, use the following format
Understanding Event Action Variables
IPv4 Addresses
Working With Event Action Variables
Sensorconfig-eve#variables variable-ipv4 address
Adding, Editing, and Deleting Event Action Variables
Verify the event action rules variable you deleted
Verify that you added the event action rules variable
Verify that you edited the event action rules variable
Delete an event action rules variable
Calculating the Risk Rating
Configuring Target Value Ratings
2illustrates the risk rating formula
Understanding Threat Rating
Adding, Editing, and Deleting Target Value Ratings
Adding, Editing, and Deleting Target Value Ratings
Understanding Event Action Overrides
Configuring Event Action Overrides
Configuring Event Action Overrides
Write events that request an Snmp trap to the Event Store
Log packets from both the attacker and victim IP addresses
Write an alert to Event Store
Write verbose alerts to Event Store
Understanding Event Action Filters
Configuring Event Action Filters
Configuring Event Action Filters
OL-29168-01
Configuring Event Action Filters
Edit the parameters see Steps 4a through 4l
Verify the settings for the filter
Add any comments you want to use to explain this filter
Edit an existing filter
Verify that the filter has been moved to the inactive list
Sensorconfig-eve#filters move name1 inactive
Move a filter to the inactive list
Understanding Passive OS Fingerprinting
Configuring OS Identifications
Passive OS Fingerprinting Configuration Considerations
Unix
Adding, Editing, Deleting, and Moving Configured OS Maps
IP Address Range Set
IOS
Specify the host OS type
Configuring OS Maps
Verify the settings for the OS map
Move an OS map to the inactive list
Enable passive OS fingerprinting
Edit an existing OS map
Verify that you have moved the OS maps
Verify that the OS map has been deleted
Sensorconfig-eve-os#no configured-os-map name2
Displaying and Clearing OS Identifications
Delete an OS map
Sensor# clear os-identification learned
Configuring General Settings
Displaying and Clearing OS Identifications
Verify that the OS IDs have been cleared
Understanding Event Action Aggregation
Understanding Event Action Summarization
Enter general submode
Configuring the General Settings
Configuring Event Action General Settings
Enable or disable the summarizer. The default is enabled
Adding a Deny Attacker Entry to the Denied Attackers List
Configuring the Denied Attackers List
Verify the settings for general submode
Sensorconfig-eve-gen#global-filters-status enabled disabled
Enter yes to remove the deny attacker entry from the list
Monitoring and Clearing the Denied Attackers List
Adding Entries to the Denied Attacker List
Remove the deny attacker entry from the list
Delete the denied attackers list
Displaying and Deleting Denied Attackers
Important to know if the list has been cleared
Monitoring Events
Displaying Events
Clear only the statistics
Sensor# show events
Displaying Events
To display events from the Event Store, follow these steps
Sensor# show events alert past
Sensor# show events error warning 100000 Feb 9
Display alerts from the past 45 seconds
Sensor# show events past
Clearing Events from Event Store
Display events that began 30 seconds in the past
Enter yes to clear the events
OL-29168-01
Anomaly Detection Notes and Caveats
Configuring Anomaly Detection
Understanding Worms
Understanding Anomaly Detection
Anomaly Detection Modes
Anomaly Detection Zones
Anomaly Detection Configuration Sequence
Signature ID Subsignature ID Name Description
Anomaly Detection Signatures
Signature ID Subsignature ID Name Description
Exit analysis engine submode
Enable anomaly detection operational mode
Enabling Anomaly Detection
Working With Anomaly Detection Policies
Sensor# copy anomaly-detection ad0 ad1
Working With Anomaly Detection Policies
Delete an anomaly detection policy
Verify that the anomaly detection instance has been deleted
Configuring Anomaly Detection Operational Settings
Reset an anomaly detection policy to factory settings
Sensor# list anomaly-detection-configurations
Sensorconfig-ano-ign#source-ip-address-range
Configuring the Internal Zone
Configuring Anomaly Detection Operational Settings
Specify the worm timeout
Configure TCP protocol Configure UDP protocol
Configuring the Internal Zone
Configuring the Internal Zone
Enable the internal zone
Enable TCP protocol
Configuring TCP Protocol for the Internal Zone
Configure the other protocols
Configuring Internal Zone TCP Protocol
Set the scanner threshold
Enable the service for that port
Them and configure your own scanner values
Verify the TCP configuration settings
Configuring UDP Protocol for the Internal Zone
Associate a specific port with UDP protocol
Configuring the Internal Zone UDP Protocol
Enable UDP protocol
Verify the UDP configuration settings
Configuring Anomaly Detection Configuring the Internal Zone
Associate a specific number for the other protocols
Configuring Other Protocols for the Internal Zone
Configuring the Internal Zone Other Protocols
Enable the other protocols
Verify the other configuration settings
Understanding the Illegal Zone
Configuring the Illegal Zone
Configuring the Illegal Zone
Configuring the Illegal Zone
Sensorconfig-ano-ill#ip-address-range
Configuring TCP Protocol for the Illegal Zone
Enable the illegal zone
Configuring the Illegal Zone TCP Protocol
Enabled true defaulted Sensorconfig-ano-ill-tcp#
Configuring the Illegal Zone UDP Protocol
Configuring UDP Protocol for the Illegal Zone
Sensorconfig-ano-ill-udp-dst-yes# scanner-threshold
Configuring the Illegal Zone Other Protocols
Configuring Other Protocols for the Illegal Zone
Verify the other protocols configuration settings
Understanding the External Zone
Configuring the External Zone
Configuring the External Zone
Enable the external zone
Configuring TCP Protocol for the External Zone
Configuring the External Zone
Configuring the External Zone TCP Protocol
Sensorconfig-ano-ext-tcp#
Configuring the External Zone UDP Protocol
Configuring UDP Protocol for the External Zone
Sensorconfig-ano-ext-udp-dst-yes# scanner-threshold
Configuring Other Protocols for the External Zone
To configure other protocols for a zone, follow these steps
Configuring the External Zone Other Protocols
KB and Histograms
Configuring Learning Accept Mode
Example Histogram
Configuring Learning Accept Mode
Configuring Learning Accept Mode
Sensorconfig-ano#learning-accept-mode manual
Sensorconfig-ano#learning-accept-mode auto
Sensor# show ad-knowledge-base files
Working With KB Files
Displaying KB Files
Display the KB files for all virtual sensors
Save the current KB file and store it as a new name
Saving and Loading KBs Manually
Display the KB files for a specific virtual sensor
Manually Saving and Loading KBs
Copying, Renaming, and Erasing KBs
Remove a KB file from a specific virtual sensor
Copying, Renaming, and Removing KB Files
Rename a KB file
Locate the file you want to compare
Displaying the Differences Between Two KBs
Comparing Two KBs
To compare two KBs, follow these steps
Displaying the Thresholds for a KB
Sensor# show ad-knowledge-base vs1 files Virtual Sensor vs1
Displaying KB Thresholds
Sensor# show statistics anomaly-detection vs0
Displaying Anomaly Detection Statistics
To display anomaly detection statistics, follow these steps
Display the statistics for all virtual sensors
Disabling Anomaly Detection
Disable anomaly detection operational mode
OL-29168-01
10-1
Global Correlation Notes and Caveats
10-2
Understanding Global Correlation
Participating in the SensorBase Network
10-3
Understanding Reputation
1shows how we use the data
Type of Data Purpose
10-4
Understanding Network Participation
10-5
Understanding Efficacy
10-6
Global Correlation Features and Goals
Understanding Reputation and Risk Rating
10-7
Global Correlation Requirements
10-8
Understanding Global Correlation Sensor Health Metrics
10-9
Global Correlation Update Client
Specify the level of global correlation inspection
Configuring Global Correlation
Sensorconfig-glo#global-correlation-inspection on
Turn on global correlation inspection
10-11
Configuring Network Participation
Turn on reputation filtering
Exit global correlation submode
10-12
Turning on Network Participation
Turn on network participation
Enter yes to agree to participate in the SensorBase Network
10-13
Troubleshooting Global Correlation
Disabling Global Correlation
10-14
Displaying Global Correlation Statistics
Disabling Global Correlation
10-15
Clear the statistics for global correlation
10-16
11-1
External Product Interface Notes and Caveats
Understanding External Product Interfaces
11-2
Understanding the CSA MC
11-3
External Product Interface Issues
11-4
Configuring the CSA MC to Support the IPS Interface
Adding External Product Interfaces and Posture ACLs
11-5
Adding External Product Interfaces
11-6
Choose the action deny or permit the posture ACL will take
Sensorconfig-ext-cis-hos#allow-unreachable-postures yes
Sensorconfig-ext-cis-hos#posture-acls insert name1 begin
Enter the network address the posture ACL will use
11-8
Troubleshooting External Product Interfaces
Exit external product interface submode
12-1
IP Logging Notes and Caveats
12-2
Configuring Automatic IP Logging
Understanding IP Logging
12-3
Configuring Automatic IP Logging
Sensor# iplog vs0 192.0.2.1 duration
Configuring Manual IP Logging
Monitor the IP log status with the iplog-status command
12-4
Displaying the Contents of IP Logs
Stop the IP log session
Stopping Active IP Logs
Display a brief list of all IP logs
Disabling IP Logging Sessions
12-7
Copying IP Log Files to Be Viewed
Stop all IP logging sessions on a virtual sensor
Copying IP Log Files
12-8
Copy the IP log to your FTP or SCP server
13-1
Packet Display And Capture Notes and Caveats
13-2
Understanding Packet Display and Capture
Displaying Live Traffic on an Interface
Sensor# packet display GigabitEthernet0/1
Displaying Live Traffic From an Interface
13-3
Expression ip proto \\tcp
Capturing Live Traffic on an Interface
Display information about the packet file
13-4
Sensor# packet capture GigabitEthernet0/1
Capturing Live Traffic on an Interface
View the captured packet file
13-5
13-6
Copying the Packet File
View any information about the packet file
Verify that you have erased the packet file
View the packet file with Wireshark or Tcpdump
Erasing the Packet File
Erase the packet file
13-8
14-1
Blocking Notes and Caveats
14-2
Understanding Blocking
14-3
Vlan B
Icmp
Understanding Rate Limiting
Destination IP Signature ID Signature Name Protocol
Data
TCP
Understanding Service Policies for Rate Limiting
Before Configuring ARC
UDP
14-6
Supported Devices
14-7
Configuring Blocking Properties
14-8
Enter network access submode
Sensorconfig# service network-access
Allowing the Sensor to Block Itself
14-9
Configure the sensor not to block itself
Exit network access submode
Disabling Blocking
Verify that the setting has been returned to the default
Blocks on the devices are updated
To disable blocking or rate limiting, follow these steps
Enable blocking on the sensor
14-11
Specifying Maximum Block Entries
14-12
Return to the default value of 250 blocks
Sensorconfig-net-gen#default block-max-entries
Change the maximum number of block entries
These steps
Time for manual blocks is set when you request the block
Specifying the Block Time
Signatures
14-14
Enabling ACL Logging
14-15
Enabling Writing to Nvram
14-16
Logging All Blocking Events and Errors
Disable writing to Nvram
Verify that writing to Nvram is disabled
14-17
Configuring the Maximum Number of Blocking Interfaces
Verify the number of maximum interfaces
Return the setting to the default
Verify the default setting
Specify the maximum number of interfaces
For a network
Configuring Addresses Never to Block
Configuring Addresses Never to Be Blocked
Sensorconfig-net-gen#never-block-hosts
Enter the username for that user profile
Configuring User Profiles
Specify the password for the user
Create the user profile name
14-21
Configuring Blocking and Rate Limiting Devices
Specify the enable password for the user
How the Sensor Manages Devices
14-22
Configuring the Sensor to Manage Cisco Routers
14-23
Routers and ACLs
Specify the IP address for the router controlled by the ARC
14-24
14-25
Switches and VACLs
14-26
Sensorconfig-net-cat#communication telnet ssh-3des
Optional Add the post-VACL name
Configuring the Sensor to Manage Cisco Firewalls
Specify the Vlan number
Optional Add the pre-VACL name
14-28
Configuring the Sensor to be a Master Blocking Sensor
14-29
Configuring the Master Blocking Sensor
Sensorconfig-web# exit
Specify whether or not the host uses TLS/SSL
Sensorconfig# tls trusted-host ip-address 192.0.2.1 port
Enter password
Add a master blocking sensor entry
End the host block
Configuring Host Blocking
Configuring Network Blocking
Blocking a Host
14-32
Configuring Connection Blocking
Blocking a Network
End the network block
Blocks are
Obtaining a List of Blocked Hosts and Connections
Blocking a Connection
End the connection block
14-34
15-1
Snmp Notes and Caveats
Understanding Snmp
15-2
Configuring Snmp
15-3
Configuring Snmp General Parameters
15-4
Configuring Snmp Traps
Exit notification submode
Enter the trap community string
Configuring Snmp Traps
Enable Snmp traps
Specify whether you want detailed Snmp traps
15-6
CISCO-ENHANCED-MEMPOOL-MIB CISCO-ENTITY-ALARM-MIB
Supported Mibs
CISCO-CIDS-MIB
15-7
15-8
16-1
Displaying the Current Configuration
16-2
First Review Cisco Confidential
16-3
Displaying the Current Submode Configuration
16-4
16-5
16-6
16-7
16-8
Sensorconfig# service health-monitor
16-9
16-10
16-11
16-12
16-13
Severity warning defaulted protected entry zone-name csi
16-14
16-15
Sensorconfig# service trusted-certificate
16-16
Filtering the Current Configuration Output
16-17
Filtering Using the More Command
To filter the more command, follow these steps
Press Ctrl-Cto stop the output and return to the CLI prompt
16-18
Filtering the Current Submode Configuration Output
Filtering the Submode Output
Displaying the Contents of a Logical File
16-20
Displaying the Logical File Contents
16-21
16-22
16-23
Backing Up the Current Configuration to a Remote Server
Restoring the Current Configuration From a Backup File
16-24
Creating and Using a Backup Configuration File
Erasing the Configuration File
16-25
Press Enter to continue or enter no to stop
16-26
17-1
Administrative Tasks for the Sensor
17-2
Administrative Notes and Caveats
Recovering the Password
Understanding Password Recovery
17-3
Recovering the Password for the Appliance
Using the Grub Menu
Platform Description Recovery Method
Sample Rommon session
Recovering the Password for the ASA 5500-X IPS SSP
Using Rommon
Enter the following commands to reset the password
17-5
Enter your new password twice
Press Enter to confirm
Session to the ASA 5500-X IPS SSP
17-6
Recovering the Password for the ASA 5585-X IPS SSP
Using the Asdm
Asa# hw-module module 1 password-reset
Asa# show module
Session to the ASA 5585-X IPS SSP
17-7
17-8
Disabling Password Recovery
Disabling Password Recovery Using the CLI
Disabling Password Recovery Using the IDM or IME
Clearing the Sensor Databases
Verifying the State of Password Recovery
Troubleshooting Password Recovery
Sensorconfig-hos#show settings include password
17-10
Clearing the Sensor Database
Enter yes to clear the inspectors database
17-11
Displaying the Inspection Load of the Sensor
Over the past 60 minutes and over the past 72 hours
Show the histogram of the inspection load
17-12
17-13
Configuring Health Status Information
17-14
Configuring Health Statistics
ASA 5500-X IPS SSP and Memory Usage
Platform Yellow Red Memory Used
17-15
17-16
Set the number of days since the last signature update
Set the threshold for memory usage
Set the missed packet threshold
17-17
Showing Sensor Overall Health Status
Exit health monitoring submode
Enter your message
Creating a Banner Login
Create the banner login
Show the health and security status of the sensor
Terminate the CLI session of jsmith
Find the CLI ID number associated with the login session
Terminating CLI Sessions
To terminate a CLI session, follow these steps
17-20
Configuring Events
Modifying Terminal Properties
17-21
17-22
17-23
Clearing Events from the Event Store
Sensor# show clock detail
Configuring the System Clock
Displaying the System Clock
17-24
17-25
Manually Setting the System Clock
Clearing the Denied Attackers List
17-26
17-27
Displaying Policy Lists
17-28
Displaying Statistics
Display the list of policies for event action rules
Display the list of policies for signature definition
17-29
Administrative Tasks for the Sensor
17-30
17-31
Display the statistics for authentication
Sensor# show statistics authentication
Display the statistics for anomaly detection
Sensor# show statistics event-server General
Display the statistics for the Event Server
Display the statistics for the Event Store
17-32
Show statistics host
Display the statistics for the host
17-33
Sensor# show statistics logger
Display the statistics for the logging application
Display the statistics for the ARC
17-34
17-35
17-36
17-37
Statistics web-server
Display the statistics for the web server
17-38
Sensor# show statistics logger clear
17-39
17-40
Displaying Tech Support Information
Varlog Files
Displaying Tech Support Information
Sensor# show version
Displaying Version Information
View version information
17-41
17-42
Cancel the output and get back to the CLI prompt
View configuration information
17-43
Diagnosing Network Connectivity
Following example shows an unsuccessful ping
Resetting the Appliance
Enter yes to continue the reset
Following example shows a successful ping
17-45
Displaying Command History
Stop all applications and power down the appliance
Enter yes to continue with the reset and power down
Sensor# show inventory
Displaying Hardware Inventory
17-46
PID IPS-4360-PWR-AC
17-47
Inventory
Tracing the Route of an IP Packet
Display the route of IP packet you are interested
17-48
17-49
Displaying Submode Settings
Show the current configuration for ARC submode
Sensor config# service network-access
17-50
17-51
Show the ARC settings in terse mode
17-52
18-1
Configuring the ASA 5500-X IPS SSP
18-2
Configuration Sequence for the ASA 5500-X IPS SSP
18-3
Verifying Initialization for the ASA 5500-X IPS SSP
Obtain the details about the ASA 5500-X IPS Ssps
Confirm the information
18-4
Creating Virtual Sensors for the ASA 5500-X IPS SSP
ASA 5500-X IPS SSP and Virtualization
Creating Virtual Sensors
18-5
Creating Virtual Sensors
18-6
Sensorconfig-ana-vir#physical-interface PortChannel0/0
Asa# show ips
Assigning Virtual Sensors to Contexts
18-7
18-8
Enter multiple mode
Add three context modes to multiple mode
Assign virtual sensors to the security contexts
SensorApp Fails
ASA 5500-X IPS SSP and Bypass Mode
Configure MPF for each context
Confirm the configuration
18-10
SensorApp is Reconfigured
ASA 5500-X IPS SSP and the Normalizer Engine
18-11
ASA 5500-X IPS SSP and Jumbo Packets
ASA 5500-X IPS SSP and Memory Usage
18-12
Health and Status Information
18-13
Asa-ips#debug module-boot
18-14
Early reservations == bootmem 0000000000
18-15
18-16
18-17
18-18
IRQ
18-19
ASA 5500-X IPS SSP Failover Scenarios
Single ASA in Fail-Open Mode
Single ASA in Fail-Close Mode
Two ASAs in Fail-Open Mode
18-21
New and Modified Commands
Two ASAs in Fail-Close Mode
Configuration Examples
Single Context System
Defaults
Firewall Mode Security Context Multiple Command Mode Routed
Allocate-ips
18-23
Command History Release Modification
Related Commands Description
Examples
18-24
19-1
ASA 5585-XIPS SSP Notes and Caveats
19-2
Configuration Sequence for the ASA 5585-X IPS SSP
Asa# show module 1 details
Verifying Initialization for the ASA 5585-X IPS SSP
Obtain the details about the ASA 5585-X IPS SSP
19-3
19-4
Creating Virtual Sensors for the ASA 5585-X IPS SSP
ASA 5585-X IPS SSP and Virtualization
19-5
ASA 5585-X IPS SSP Virtual Sensor Configuration Sequence
19-6
Command, for example sig1
Example, rules1
Virtual sensor that you create
19-7
19-8
Asaconfig-ctx#
Asaconfig-ctx# Config-url disk0/c2.cfg
19-9
19-10
ASA 5585-X IPS SSP and Bypass Mode
ASA 5585-X IPS SSP and the Normalizer Engine
19-11
ASA 5585-X IPS SSP and Jumbo Packets
19-12
Ips-ssp#hardware-module module 1 recover configure
Module 1 details
Asa# hw-module module 1 reset
19-13
19-14
Ips-ssp#hw-module module 1 recover configure
19-15
Traffic Flow Stopped on IPS Switchports
Asaconfig# debug module-boot
19-16
Failover Scenarios
19-17
19-18
20-1
IPS 7.2 File List
Obtaining Cisco IPS Software
20-2
Enter your username and password
IPS Software Versioning
Downloading Cisco IPS Software
Patch Release
Major Update
Minor Update
Service Pack
20-4
Signature Update
Signature Engine Update
20-5
Recovery and System Image Files
20-6
IPS Software Release Examples
20-7
Accessing IPS Documentation
20-8
Cisco Security Intelligence Operations
21-1
Upgrade Notes and Caveats
21-2
Upgrades, Downgrades, and System Images
21-3
Supported FTP and HTTP/HTTPS Servers
Upgrading the Sensor
IPS 7.21E4 Files
21-4
Upgrade Notes and Caveats
Manually Upgrading the Sensor
Upgrading the Sensor
Upgrade the sensor
Enter the password when prompted
Sensorconfig# upgrade url/IPS-SSP10-K9-7.2-1-E4.pkg
21-6
Working With Upgrade Files
21-7
Upgrading the Recovery Partition
21-8
Configuring Automatic Upgrades
Configuring Automatic Updates
Enter the server password. The upgrade process begins
21-9
21-10
Configuring Automatic Upgrades
21-11
Specify the username for authentication
Specify the password of the user
Exit automatic upgrade submode
Sensor# show statistics host
Applying an Immediate Update
Sensor# autoupdatenow
21-12
21-13
Recovering the Application Partition
Downgrading the Sensor
Sensorconfig# recover application-partition
Installing System Images
Recovering the Application Partition Image
Recover the application partition image
21-15
Connecting an Appliance to a Terminal Server
Tftp Servers
21-16
Installing the System Image for the IPS 4345 and IPS
PCI
21-17
Rommon ping server
Assign the Tftp server IP address
If necessary, assign the gateway IP address
21-18
21-19
Installing the System Image for the IPS 4510 and IPS
Rommon
21-20
21-21
If necessary, assign the Tftp server IP address
21-22
Installing the System Image for the ASA 5500-X IPS SSP
Periodically check the recovery until it is complete
Image the ASA 5500-X IPS SSP
21-23
Installing the System Image for the ASA 5585-X IPS SSP
21-24
Leave the Vlan ID at
Specify the default gateway of the ASA 5585-X IPS SSP
To enable debugging of the software installation process
Asa# hw-module module 1 recover boot
21-26
Installing the ASA 5585-X IPS SSP System Image Using Rommon
Rommon #0 set
21-27
21-28
21-29
21-30
IPS System Design
Understanding the IPS System Architecture
Figure A-1illustrates the system design for IPS software
Figure A-2 System Design for IPS 4500 Series Sensors
System Applications
Appendix a System Architecture System Applications
For detailed information about SDEE, see SDEE, page A-33
Security Features
ARC
MainApp
Understanding the MainApp
MainApp Responsibilities
Understanding the Event Store
Event Store
Stamp Value Meaning
Event Data Structures
Table A-1shows some examples
IPS Events
NotificationApp
Vlan
PEP
CtlTransSource
Figure A-3
Attack Response Controller
Figure A-4illustrates the ARC
Understanding the ARC
ARC Features
Supported Blocking Devices
Fwsm
ACLs and VACLs
Maintaining State Across Restarts
Scenario
Connection-Based and Unconditional Blocking
No shun ip
Blocking with Cisco Firewalls
To unblock an IP address
To clear all blocks
Logger
Blocking with Catalyst Switches
Configuring Authentication on the Sensor
AuthenticationApp
Understanding the AuthenticationApp
Authenticating Users
Managing TLS and SSH Trust Relationships
Web Server
SensorApp
Understanding the SensorApp
Inline, Normalization, and Event Risk Rating Features
Packet Flow
SensorApp New Features
Signature Event Action Processor
CollaborationApp
Update Components
Error Events
SwitchApp
User Roles
CLI
Communications
Service Account
Idapi
Idconf
Cidee
Cisco IPS File Structure
CLI
Using the Idapi
Summary of Cisco IPS Applications
Application Description
Events
IDM
Java applet that provides an Html IPS management interface
IME
Understanding Signature Engines
Signature Engines
Appendix B Signature Engines Understanding Signature Engines
Appendix B Signature Engines Understanding Signature Engines
Signature-id Specifies the ID of this signature
Master Engine
General Parameters
Parameter Description Value
Sig-name
Promiscuous Delta
Vulnerable OS List
Alert Frequency
Obsoletes
Event Actions
Name Description
To Match Regular Expression
AIC Engine
\NNN
AIC Engine Parameters
Understanding the AIC Engine
AIC Engine and Sensor Performance
Parameter Description
Alarm-on-non-http-traffic
Table B-6 AIC FTP Engine Parameters
Atomic ARP Engine
Atomic Engine
Atomic IP Advanced Engine
Atomic IP Advanced Engine Restrictions
Isatap
String
IPv6
Parameter Description Value
OL-29168-01
IPV4
L4 Protocol ICMPv6
Icmp ID
L4 Protocol TCP and UDP
OL-29168-01
Atomic IP Engine
Parameter Description Value
Appendix B Signature Engines
OL-29168-01
Atomic IPv6 Signatures
Atomic IPv6 Engine
Fixed Engine
Table B-11 Fixed TCP Engine Parameters
Flood Engine
Flood Net Engine Parameters
Meta Engine
Protocol Specifies which kind of traffic to inspect
Name1
Component-list Specifies the Meta engine component
Multi String Engine
Normalizer Engine
IPv6 Fragments
IP Fragmentation Normalization
TCP Normalization
ASA IPS Modules and the Normalizer Engine
Service Engines
Service DNS Engine
Understanding the Service Engines
Service FTP Engine
Service Generic Engine
Table B-20 Service Generic Engine Parameters
Service H225 Engine
Tpkt
Setup
Setup
ASN.1-PER
Service Http Engine
Crlfcrlf
Service Ident Engine
Service Msrpc Engine
Smbcomtransaction
Service Mssql Engine
Service NTP Engine
Service RPC Engine
Service P2P Engine
Parameter Description Value
Service SMB Advanced Engine
Msrpc Uuid
Service Snmp Engine
Specify-object-id-Enables
Service SSH Engine
Service TNS Engine
State Engine
Table B-32lists the parameters specific to the State engine
String Engines
Table B-33 String Icmp Engine Parameters
Table B-35 String UDP Engine
String XL Engines
Parameter Description Value
Unsupported String XL Parameters
Data Nodes
Sweep Engines
Sweep Engine
Type
Sweep Other TCP Engine
Sweep Other TCP Engine Parameters
Traffic Anomaly Engine
Signature
Traffic Icmp Engine
Trojan Engines
Bug Toolkit
Troubleshooting
Creating and Using a Backup Configuration File
Preventive Maintenance
Understanding Preventive Maintenance
Sensor# copy current-config backup-config
Backing Up the Current Configuration to a Remote Server
Creating the Service Account
Disaster Recovery
Password Recovery
ASA 5500 series adaptive Adaptive security appliance CLI
Security appliance IPS modules Command
Using Rommon
Password-Reset issued for module ips
Recovering the Password for the ASA 5585-X IPS SSP
0123 21E4
Disabling Password Recovery
Verifying the State of Password Recovery
Synchronizing IPS Clocks with Parent Device Clocks
For the procedure for configuring NTP, see Configuring NTP,
Time Sources and the Sensor
Generate the hosts statistics again after a few minutes
Verifying the Sensor is Synchronized with the NTP Server
Generate the host statistics
Advantages and Restrictions of Virtualization
TFor More Information
To learn more about Worms, see Understanding Worms,
When to Disable Anomaly Detection
Enter show tech-support and save the output
Reboot the sensor
Command output
Analysis Engine Not Responding
External Product Interfaces Issues
Troubleshooting Loose Connections
Troubleshooting the Appliance
External Product Interfaces Troubleshooting Tips
Analysis Engine is Busy
Communication Problems
Cannot Access the Sensor CLI Through Telnet or SSH
More
Sensor# show configuration include access-list
Correcting a Misconfigured Access List
Make sure the sensor cabling is correct
Duplicate IP Address Shuts Interface Down
Make sure the IP address is correct
SensorApp and Alerting
SensorApp is Not Running
AnalysisEngine 20130410110072014 Release
Physical Connectivity, SPAN, or Vacl Port Issue
Sensor# show interfaces
Unable to See Alerts
Sensor# show interfaces FastEthernet0/1
Make sure you have Produce Alert configured
Check for alerts
Sensor# show interfaces GigabitEthernet0/1
Sensorconfig-int#physical-interfaces GigabitEthernet0/1
Sensor Not Seeing Packets
Replace the virtual sensor file
Cleaning Up a Corrupted SensorApp Configuration
Exit the service account Log in to the sensor CLI
Check to see that the interface is up and receiving packets
Sensor# cids start
Troubleshooting Blocking
Start the IPS services
Blocking
Verifying the ARC is Running
Sensor# show events error 000000 Apr 01 2011 include nac
If the ARC is not connecting, look for recurring errors
Make sure you have the latest software updates
Sensor# show events error hhmmss month day year include nac
For More Information
Verify the IP address for the managed devices
Device Access Issues
Start the manual block of the bogus host IP address
Sensorname Sensor Management Time-Based Actions Host Blocks
Blocking Not Occurring for a Signature
Enabling SSH Connections to the Network Device
Verifying the Master Blocking Sensor Configuration
Exit network access general submode
Enabling Debug Logging
Enable debug logging for all zones
Logging
View the zone names
Turn on individual zone control
Exit master zone control
Protected entry zone-name nac
Exit the logger submode
Turn on debugging for a particular zone
Zone Name Description
Zone Names
Press Enter to apply changes or type no to discard them
Table C-2lists the debug logger zone names
Directing cidLog Messages to SysLog
TCP Reset Not Occurring for a Signature
Sensor# show events alert
Software Upgrades
Upgrading Error
Make sure the correct alarms are being generated
Issues With Automatic Update
Which Updates to Apply and Their Prerequisites
Updating a Sensor with the Update Stored on the Sensor
Click the Advanced tab
Troubleshooting the IDM
Cannot Launch the IDM Loading Java Applet Failed
Delete the temp files and clear the history in the browser
Cannot Launch the IDM-The Analysis Engine Busy
Signatures Not Producing Alerts
Troubleshooting the IME
Time Synchronization on IME and the Sensor
Troubleshooting the ASA 5500-X IPS SSP
Not Supported Error Message
Health and Status Information
E1000 00000005.0 PCI INT a disabled
303
Appendix C Troubleshooting
Usb
CRS
IRQ
Failover Scenerios
ASA 5500-X IPS SSP and the Normalizer Engine
ASA 5500-X IPS SSP and Jumbo Packets
ASA 5500-X IPS SSP and Memory Usage
Hw-module module 1 reset command
Troubleshooting the ASA 5585-X IPS SSP
Reset issued for module in slot Asa# show
Mgmt IP addr 192.0.2.3
Failover Scenarios
ASA 5585-X IPS SSP and the Normalizer Engine
Traffic Flow Stopped on IPS Switchports
ASA 5585-X IPS SSP and Jumbo Packets
Gathering Information
Tech Support Information
Health and Network Security Information
Displaying Tech Support Information
Understanding the show tech-support Command
Sensor# show tech-support page System Status Report
Tech Support Command Output
= No
Displaying Version Information
Understanding the show version Command
Version Information
Version 29.1 Platform IPS4360 Serial Number
Service aaa
Displaying Statistics
Understanding the show statistics Command
Statistics Information
Percentage Thread Sec Min Average
Inspection Stats Inspector Active Call Create Delete
Display the statistics for anomaly detection
Sensor# show statistics event-store
Sensor# show statistics denied-attackers
Sensor# show statistics event-server
Threat
Multicast MTU1500 Metric1
Appendix C Troubleshooting Gathering Information
Display the statistics for the notification application
Name Current
OL-29168-01
Sensor# show statistics web-server listener-443
Interfaces Information
Understanding the show interfaces Command
Displaying Interface Traffic History
Interfaces Command Output
Avg Load Peak Load
GigabitEthernet0/1 Time Packets Received Bytes Received Mbps
Events Information
Displaying Events
Understanding the show events Command
Sensor Events
Displaying Events
100
101
CidDump Script
Clearing Events
Usr/cids/idsRoot/bin/cidDump
Uploading and Accessing Files on the Cisco FTP Site
Enter the following command
102
URI
CLI Error Messages
Reason Command
Error Message Reason Command
User attempted to downgrade a
System that has not been upgraded
Packet-file but no packet-file has
Been captured
Administrator user attempted to log Initial login
User attempted to cancel a CLI
Operator or viewer user attempted to Initial login
Log in when the maximum number
Appendix D CLI Error Messages
Reason/Location
CLI Validation Error Messages
Interface set has already been assigned to another
Detection configuration file that is currently in use
Interface and optional sub-interface being
Added to the virtual sensor entry physical
OL-29168-01
GL-1
GL-2
To detect worm-infected hosts
GL-3
GL-4
Certificate for one CA issued by another CA
Authoritative private key
GL-5
GL-6
802.1q to be used
Dual In-line Memory Modules
A public outside network
To the transmit line and reads data from the receive line
GL-8
GL-9
Procedures, and basic data transport methods
An ITU standard that governs H.245 endpoint control
GL-10
GL-11
GL-12
GL-13
Proprietary branches
Detailed information about signatures
GL-14
GL-15
GL-16
Quality and service availability
GL-17
GL-18
Network devices. Used with the IDS MC
Unauthorized activity
Analysis Engine
GL-19
GL-20
GL-21
Authorization, and accounting
Network asset through its IP address
Local system. Telnet is defined in RFC
GL-22
GL-23
Through a switch. Also known as security ACLs
RFC
Version identifier. Part of the UDI
GL-24
GL-25
Payload reassembly
Hosts
GL-26
IN-1
AIC FTP
AIC Http
IN-2
IN-3
NAT
TACACS+
ARP
IN-4
Asdm
SSP
IN-5
Radius
IN-6
BO2K
URL Cidee
IN-7
Exec
IN-8
IN-9
IN-10
IN-11
CSA MC
IN-12
TFN
IN-13
AIC FTP AIC Http
IN-14
IN-15
IN-16
Idapi
Idconf
IN-17
Idiom
ASA 5500-X IPS SSP ASA 5585-X IPS SSP
IN-18
Tcpdump
IN-19
IPS SSP
IN-20
SSH
Loki
IN-21
Snmp
IN-22
IN-23
IN-24
IN-25
RTT
Sdee
Http A-33
IN-26
IN-27
IN-28
AIC
IN-29
Cidee Idconf Idiom Sdee
Smtp
IN-30
IN-31
TAC
TFN2K
TLS
IN-32
BO2K Loki TFN2K
Viewer role privileges
Upgrade command
Sensor initialization Sensor setup Version display
Sensing process not running
IN-34