CONTENTS
Preface
Contents
Audience
Organization
Conventions
Related Documentation
Obtaining Documentation and Submitting a Service Request
Logging In to the Sensor
Logging In Notes and Caveats
Supported User Roles
Logging In to the Appliance
Connecting an Appliance to a Terminal Server
Logging In to the ASA 5500-X IPS SSP
Logging In to the ASA 5585-X IPS SSP
Logging In to the Sensor
Introducing the CLI Configuration Guide
Supported IPS Platforms
IPS CLI Configuration Guide
Sensor Configuration Sequence
User Roles
CLI Behavior
Command Line Editing
IPS Command Modes
Regular Expression Syntax
Generic CLI Commands
CLI Keywords
Initializing the Sensor
Initializing Notes and Caveats
Understanding Initialization
Simplified Setup Mode
System Configuration Dialog
Example 2-1 Example System Configuration Dialog
Basic Sensor Setup
Advanced Setup
Advanced Setup for the Appliance
Step 28 Enter … to save the configuration.
Advanced Setup for the ASA 5500-X IPS SSP
Advanced Setup for the ASA 5585-X IPS SSP
Verifying Initialization
To verify that you initialized your sensor, follow these steps:
Log in to the sensor.
View your configuration.
You can also use the more current-config command to view your configuration.
For the procedure for logging in to the sensor, see Chapter ii, Logging In to the Sensor.
Display the self-signed X.509 certificate (needed by TLS).
Setting Up the Sensor
Setup Notes and Caveats
Understanding Sensor Setup
Changing Network Settings
Changing the Hostname
Changing the IP Address, Netmask, and Gateway
Enabling and Disabling Telnet
Changing the Access List
To modify the access list, follow these steps:
Log in to the sensor using an account with administrator privileges.
Enter network settings mode.
Add an entry to the access list. The netmask for a single host is 32.
Changing the FTP Timeout
Adding a Login Banner
Configuring the DNS and Proxy Servers for Global Correlation and Automatic Update
Exit network settings mode.
Press Enter to apply the changes or enter … to discard them.
For the procedure for configuring automatic update, see Configuring Automatic Upgrades, page 21-8.
Enabling SSHv1 Fallback
Changing the CLI Session Timeout
Changing Web Server Settings
Configuring Authentication and User Parameters
Adding and Removing Users
Configuring Authentication
Configuring Packet Command Restriction
Creating the Service Account
The Service Account and RADIUS Authentication
RADIUS Authentication Functionality and Limitations
Configuring Passwords
Changing User Privilege Levels
Showing User Status
Configuring the Password Policy
Locking User Accounts
Unlocking User Accounts
Configuring Time
Time Sources and the Sensor
Synchronizing IPS Module System Clocks with the Parent Device System Clock
Correcting Time on the Sensor
Configuring Time on the Sensor
Displaying the System Clock
Manually Setting the System Clock
Configuring Recurring Summertime Settings
Configuring Nonrecurring Summertime Settings
Enter end summertime submode.
Configuring NTP
Configuring a Cisco Router to be an NTP Server
Configuring the Sensor to Use an NTP Time Source
Configuring SSH
Understanding SSH
Adding Hosts to the SSH Known Hosts List
Adding Authorized RSA1 and RSA2 Keys
Generating the RSA Server Host Key
Configuring TLS
Understanding TLS
Adding TLS Trusted Hosts
Displaying and Generating the Server Certificate
Installing the License Key
Understanding the License Key
Service Programs for IPS Products
Obtaining and Installing the License Key
Licensing the ASA 5500-X IPS SSP
Uninstalling the License Key
Configuring Interfaces
Interface Notes and Caveats
Understanding Interfaces
IPS Interfaces
Command and Control Interface
Sensing Interfaces
TCP Reset Interfaces
Understanding Alternate TCP Reset Interfaces
Designating the Alternate TCP Reset Interface
Interface Support
Interface Configuration Restrictions
Interface Configuration Sequence
Configuring Physical Interfaces
Configuring Promiscuous Mode
Understanding Promiscuous Mode
Configuring Promiscuous Mode
IPv6, Switches, and Lack of VACL Capture
Configuring Inline Interface Mode
Understanding Inline Interface Mode
Configuring Inline Interface Pairs
Name the inline pair.
Display the available interfaces.
Add a description of the interface pair.
Enable the interfaces assigned to the interface pair.
Verify that the interfaces are enabled.
Configuring Inline VLAN Pair Mode
Understanding Inline VLAN Pair Mode
Configuring Inline VLAN Pairs
To configure the inline VLAN pair settings on the sensor, follow these steps:
Enter interface submode.
Configuring VLAN Group Mode
Understanding VLAN Group Mode
Deploying VLAN Groups
Configuring VLAN Groups
subinterface name: Defines the subinterface as a VLAN group.
Configuring Inline VLAN Groups
To configure the inline VLAN group settings on the sensor, follow these steps:
Enter interface submode.
Configuring Inline Bypass Mode
Understanding Inline Bypass Mode
Configuring Inline Bypass Mode
Configuring Interface Notifications
Configuring CDP Mode
Displaying Interface Statistics
Display the statistics for a specific interface.
Clear the statistics.
Displaying Interface Traffic History
Displaying Historical Interface Statistics
To display interface traffic history, follow these steps:
Display the interface traffic history by the hour.
Display the interface traffic history by the minute.
Display the interface traffic history for a specific interface.
Configuring Virtual Sensors
Virtual Sensor Notes and Caveats
Understanding the Analysis Engine
Understanding Virtual Sensors
Advantages and Restrictions of Virtualization
Inline TCP Session Tracking Mode
Normalization and Inline TCP Evasion Protection Mode
HTTP Advanced Decoding
Adding, Editing, and Deleting Virtual Sensors
Adding Virtual Sensors
Editing and Deleting Virtual Sensors
Display the list of available interfaces.
Change the promiscuous mode interfaces assigned to this virtual sensor.
Verify the edited virtual sensor settings.
Delete a virtual sensor.
Configuring Global Variables
Create the variable for service activity.
Press Enter to apply the changes or enter
Verify the global variable settings.
Exit analysis engine mode.
Defining Signatures
Signature Definition Notes and Caveats
Understanding Policies
Working With Signature Definition Policies
Understanding Signatures
Configuring Signature Variables
Understanding Signature Variables
Creating Signature Variables
Configuring Signatures
Signature Definition Options
Configuring Alert Frequency
Configuring Alert Severity
Configuring the Event Counter
Configuring Signature Fidelity Rating
Configuring the Status of Signatures
Configuring the Vulnerable OSes for a Signature
Assigning Actions to Signatures
Configuring AIC Signatures
Understanding the AIC Engine
AIC Engine and Sensor Performance
Configuring the Application Policy
AIC Request Method Signatures
AIC MIME Define Content Type Signatures
AIC Transfer Encoding Signatures
AIC FTP Commands Signatures
Creating an AIC Signature
Configuring IP Fragment Reassembly
Understanding IP Fragment Reassembly
IP Fragment Reassembly Signatures and Configurable Parameters
Configuring IP Fragment Reassembly Parameters
Configuring the Method for IP Fragment Reassembly
Configuring TCP Stream Reassembly
Understanding TCP Stream Reassembly
TCP Stream Reassembly Signatures and Configurable Parameters
For more information about the Normalizer engine, see Normalizer Engine, page B-36.
Enter signature definition submode.
Configuring TCP Stream Reassembly Signatures
To configure TCP stream reassembly for a specific signature, follow these steps:
Log in to the CLI using an account with administrator or operator privileges.
Configuring the Mode for TCP Stream Reassembly
Configuring IP Logging
Creating Custom Signatures
Sequence for Creating a Custom Signature
Example String TCP Engine Signature
Example Service HTTP Engine Signature
Example Meta Engine Signature
Press Enter to apply the changes or enter … to discard them.
For more information on the Meta engine, see Meta Engine, page B-33.
Example IPv6 Engine Signature
Example String XL TCP Engine Match Offset Signature
Specify a minimum match offset for this signature.
Example String XL TCP Engine Minimum Match Length Signature
Verify the settings:
For detailed information about the String XL signature engine, see String XL Engines, page B-65.
Press Enter to apply the changes or enter
Specify a new Regex string to search for and turn on UTF-8.
Configuring Event Action Rules
Event Action Rules Notes and Caveats
Understanding Security Policies
Understanding Event Action Rules
Signature Event Action Processor
Event Actions
Event Action Rules Configuration Sequence
Working With Event Action Rules Policies
Event Action Variables
Understanding Event Action Variables
Adding, Editing, and Deleting Event Action Variables
Verify that you added the event action rules variable.
Press Enter to apply your changes or enter … to discard them.
To edit an event action rules variable, change the IPv6 address to a range.
Configuring Target Value Ratings
Calculating the Risk Rating
Understanding Threat Rating
RR = ASR * TVR * …
Adding, Editing, and Deleting Target Value Ratings
Configuring Event Action Overrides
Understanding Event Action Overrides
Adding, Editing, Enabling, and Disabling Event Action Overrides
Configuring Event Action Filters
Understanding Event Action Filters
Configuring Event Action Filters
Add any comments you want to use to explain this filter.
Verify the settings for the filter.
Edit an existing filter.
Move a filter to the inactive list.
Verify that the filter has been moved to the inactive list.
Configuring OS Identifications
Understanding Passive OS Fingerprinting
Passive OS Fingerprinting Configuration Considerations
Adding, Editing, Deleting, and Moving Configured OS Maps
Specify the attack relevance rating range for the IP address.
Enable passive OS fingerprinting.
Edit an existing OS map.
Edit the parameters (see Steps 4 through 7).
Displaying and Clearing OS Identifications
Configuring General Settings
Understanding Event Action Summarization
Understanding Event Action Aggregation
Configuring the General Settings
Configuring the Denied Attackers List
Adding a Deny Attacker Entry to the Denied Attackers List
Monitoring and Clearing the Denied Attackers List
Monitoring Events
Displaying Events
Clearing Events from Event Store
Clear the Event Store.
Enter … to clear the events.
Configuring Anomaly Detection
Anomaly Detection Notes and Caveats
Understanding Security Policies
Understanding Anomaly Detection
Understanding Worms
Anomaly Detection Modes
Anomaly Detection Zones
Anomaly Detection Configuration Sequence
Anomaly Detection Signatures
Enabling Anomaly Detection
Working With Anomaly Detection Policies
Configuring Anomaly Detection Operational Settings
Configuring the Internal Zone
Understanding the Internal Zone
Configuring the Internal Zone
Configuring TCP Protocol for the Internal Zone
Enable the service for that port.
Verify the TCP configuration settings.
Configuring UDP Protocol for the Internal Zone
Configuring Other Protocols for the Internal Zone
Verify the other configuration settings.
Configuring the Illegal Zone
Understanding the Illegal Zone
Configuring the Illegal Zone
Configuring TCP Protocol for the Illegal Zone
Configuring UDP Protocol for the Illegal Zone
Verify the UDP configuration settings.
Configuring Other Protocols for the Illegal Zone
Enable the other protocols.
Associate a specific number for the other protocols.
Enable the service for that port.
Add a histogram for the new scanner settings. Enter the number of destination IP addresses (low,
Configuring the External Zone
Understanding the External Zone
Configuring the External Zone
Configuring TCP Protocol for the External Zone
Configuring UDP Protocol for the External Zone
Add a histogram for the new scanner settings. Enter the number of destination IP addresses (low,
Verify the UDP configuration settings.
Configuring Other Protocols for the External Zone
Configuring Learning Accept Mode
The KB and Histograms
Configuring Learning Accept Mode
Working With KB Files
Displaying KB Files
Saving and Loading KBs Manually
Copying, Renaming, and Erasing KBs
Displaying the Differences Between Two KBs
Displaying the Thresholds for a KB
Displaying KB Thresholds
To display the KB thresholds, follow these steps:
Locate the file for which you want to display thresholds:
Display thresholds contained in a specific file for the illegal zone.
Displaying Anomaly Detection Statistics
Display the anomaly detection statistics for a specific virtual sensor.
Display the statistics for all virtual sensors.
Disabling Anomaly Detection
Enter analysis engine submode.
Configuring Global Correlation
Global Correlation Notes and Caveats
Understanding Global Correlation
Participating in the SensorBase Network
Understanding Reputation
Understanding Network Participation
Understanding Efficacy
Understanding Reputation and Risk Rating
Global Correlation Features and Goals
Global Correlation Requirements
Understanding Global Correlation Sensor Health Metrics
Configuring Global Correlation Inspection and Reputation Filtering
Understanding Global Correlation Inspection and Reputation Filtering
Configuring Global Correlation Inspection and Reputation Filtering
Configuring Network Participation
You must accept the network participation disclaimer to turn on network participation.
Turning on Network Participation
To turn on network participation, follow these steps:
Troubleshooting Global Correlation
Disabling Global Correlation
Displaying Global Correlation Statistics
Clear the statistics for global correlation:
Configuring External Product Interfaces
External Product Interface Notes and Caveats
Understanding External Product Interfaces
Understanding the CSA MC
External Product Interface Issues
Configuring the CSA MC to Support the IPS Interface
Adding External Product Interfaces and Posture ACLs
Troubleshooting External Product Interfaces
Configuring IP Logging
IP Logging Notes and Caveats
Understanding IP Logging
Configuring Automatic IP Logging
Configuring Manual IP Logging for a Specific IP Address
Displaying the Contents of IP Logs
Stopping Active IP Logs
Copying IP Log Files to Be Viewed
Displaying and Capturing Live Traffic on an Interface
Packet Display And Capture Notes and Caveats
Understanding Packet Display and Capture
Displaying Live Traffic on an Interface
Executing the packet display command causes significant performance degradation.
Displaying Live Traffic From an Interface
To configure the sensor to display live traffic from an interface on the screen, follow these steps:
Log in to the sensor using an account with administrator or operator privileges.
Capturing Live Traffic on an Interface
View any information about the packet file.
Copying the Packet File
Erasing the Packet File
Configuring Attack Response Controller for Blocking and Rate Limiting
Blocking Notes and Caveats
Understanding Blocking
Understanding Rate Limiting
Understanding Service Policies for Rate Limiting
Before Configuring ARC
Supported Devices
Configuring Blocking Properties
Allowing the Sensor to Block Itself
Disabling Blocking
Specifying Maximum Block Entries
Enter network access submode.
Enter general submode.
Change the maximum number of block entries.
Verify the setting.
Specifying the Block Time
Enabling ACL Logging
Enabling Writing to NVRAM
Logging All Blocking Events and Errors
Configuring the Maximum Number of Blocking Interfaces
Configuring Addresses Never to Block
Configuring User Profiles
Configuring Blocking and Rate Limiting Devices
How the Sensor Manages Devices
Configuring the Sensor to Manage Cisco Routers
Routers and ACLs
Configuring the Sensor to Manage Catalyst 6500 Series Switches and Cisco 7600 Series Routers
Switches and VACLs
Configuring the Sensor to Manage Catalyst 6500 Series Switches and Cisco 7600 Series Routers
Configuring the Sensor to Manage Cisco Firewalls
Configuring the Sensor to be a Master Blocking Sensor
Configuring Host Blocking
Configuring Network Blocking
Configuring Connection Blocking
Obtaining a List of Blocked Hosts and Connections
Configuring SNMP
SNMP Notes and Caveats
Understanding SNMP
Configuring SNMP
Configuring SNMP Traps
Supported MIBS
Working With Configuration Files
Displaying the Current Configuration
Displaying the Current Submode Configuration
Display the current configuration of the service analysis engine submode.
Display the current configuration of the service anomaly detection submode.
Display the current configuration of the service authentication submode.
Display the current configuration of the service event action rules submode.
Display the current configuration of the external product interface submode.
Display the current configuration of the service global-correlation submode.
Display the current configuration of the service health-monitor submode.
Display the current configuration of the service host submode.
Display the current configuration of the service interface submode.
Display the current configuration for the service logger submode.
Display the current configuration for the service network access submode.
Display the current configuration for the notification submode.
Display the current configuration for the signature definition submode.
Display the current configuration for the SSH known hosts submode.
Display the current configuration for the trusted certificates submode.
Filtering the Current Configuration Output
Filtering Using the More Command
To filter the more command, follow these steps:
Filter the current-config output beginning with the regular expression ip, for example.
Press Ctrl-C to stop the output and return to the CLI prompt.
Filtering the Current Submode Configuration Output
Filter the output of the network access settings to exclude the regular expression.
Filter the output of the host settings to include the regular expression ip.
Displaying the Contents of a Logical File
For the procedure for using the terminal command, see Modifying Terminal Properties, page 17-20.
Backing Up and Restoring the Configuration File Using a Remote Server
Creating and Using a Backup Configuration File
Erasing the Configuration File
Administrative Tasks for the Sensor
Administrative Notes and Caveats
Recovering the Password
Understanding Password Recovery
Recovering the Password for the Appliance
Using the GRUB Menu
Using ROMMON
Recovering the Password for the ASA 5500-X IPS SSP
To reset the password on the ASA 5500-X IPS SSP, follow these steps:
Verify the status of the module. Once the status reads
Log into the adaptive security appliance and enter the following command:
Press Enter to confirm.
Recovering the Password for the ASA 5585-X IPS SSP
Verify the status of the module. Once the status reads …, you can session to the ASA 5585-X IPS SSP.
Session to the ASA 5585-X IPS SSP.
Enter the default username (cisco) and password (cisco) at the login prompt.
Disabling Password Recovery
Verifying the State of Password Recovery
Troubleshooting Password Recovery
Clearing the Sensor Databases
Displaying the Inspection Load of the Sensor
Configuring Health Status Information
Enable the metrics for bypass policy.
Enable the metrics for sensor health and security monitoring.
Set the event retrieval thresholds for event retrieval metrics.
Enable health metrics for global correlation.
Set the threshold for memory usage.
Set the missed packet threshold.
Set the number of days since the last signature update.
Showing Sensor Overall Health Status
Creating a Banner Login
Terminating CLI Sessions
Modifying Terminal Properties
Configuring Events
Displaying Events
To display events from the Event Store, follow these steps:
Display all events starting now. The feed continues showing all events until you press Ctrl-C.
Clearing Events from the Event Store
Clear the Event Store.
Configuring the System Clock
Displaying the System Clock
Manually Setting the System Clock
Clearing the Denied Attackers List
Displaying Policy Lists
Displaying Statistics
Display the statistics for anomaly detection.
Display the statistics for authentication.
Display the statistics for the denied attackers in the system.
Display the statistics for the Event Server.
Display the statistics for the Event Store.
Display the statistics for global correlation.
Display the statistics for the host.
Display the statistics for the logging application.
Display the statistics for the ARC.
Display the statistics for the notification application.
Display the statistics for OS identification.
Display the statistics for the SDEE server.
Display the statistics for the transaction server.
Display the statistics for the web server.
Verify that the statistics have been cleared. The statistics now all begin from 0.
Displaying Tech Support Information
Displaying Version Information
View configuration information.
You can use the more current-config or show configuration commands.
Diagnosing Network Connectivity
Resetting the Appliance
Displaying Command History
Displaying Hardware Inventory
Tracing the Route of an IP Packet
Displaying Submode Settings
Show the current configuration for ARC submode.
Show the ARC settings in terse mode.
Configuring the ASA 5500-X IPS SSP
Notes and Caveats for ASA 5500-X IPS SSP
Configuration Sequence for the ASA 5500-X IPS SSP
Verifying Initialization for the ASA 5500-X IPS SSP
Creating Virtual Sensors for the ASA 5500-X IPS SSP
The ASA 5500-X IPS SSP and Virtualization
Virtual Sensor Configuration Sequence for ASA 5500-X IPS SSP
Creating Virtual Sensors
Assigning Virtual Sensors to Adaptive Security Appliance Contexts
Enter configuration mode.
Enter multiple mode.
Add three context modes to multiple mode.
Assign virtual sensors to the security contexts.
The ASA 5500-X IPS SSP and Bypass Mode
The ASA 5500-X IPS SSP and the Normalizer Engine
The ASA 5500-X IPS SSP and Jumbo Packets
The ASA 5500-X IPS SSP and Memory Usage
Reloading, Shutting Down, Resetting, and Recovering the ASA 5500-X IPS SSP
Health and Status Information
The output shows that the ASA 5500-X IPS SSP is up. If the status reads
ASA 5500-X IPS SSP Failover Scenarios
New and Modified Commands
allocate-ips
Configuring the ASA 5585-X IPS SSP
ASA 5585-X IPS SSP Notes and Caveats
Configuration Sequence for the ASA 5585-X IPS SSP
Verifying Initialization for the ASA 5585-X IPS SSP
Creating Virtual Sensors for the ASA 5585-X IPS SSP
The ASA 5585-X IPS SSP and Virtualization
The ASA 5585-X IPS SSP Virtual Sensor Configuration Sequence
Creating Virtual Sensors
Assigning Virtual Sensors to Adaptive Security Appliance Contexts
Assign virtual sensors to the security contexts.
Configure MPF for each context.
The following example shows context 3 (c3).
Confirm the configuration.
The ASA 5585-X IPS SSP and the Normalizer Engine
The ASA 5585-X IPS SSP and Bypass Mode
ASA 5585-X IPS SSP and Jumbo Packets
Reloading, Shutting Down, Resetting, and Recovering the ASA 5585-X IPS SSP
Health and Status Information
The output shows that the ASA 5585-X IPS SSP is up. If the status reads …, you can reset it using the hw-module module 1 reset command.
Traffic Flow Stopped on IPS Switchports
Problem
Possible Cause
Solution
Failover Scenarios
Obtaining Software
IPS 7.2 File List
Obtaining Cisco IPS Software
IPS Software Versioning
IPS-identifier-K9-x.y-z[a or p1]-E1.pkg
IPS-identifier-[sig]-[S]-req-E1.pkg
IPS-identifier-[engine]-[E]-req-x.y-z.pkg
IPS-identifier-K9-[mfq,sys,r,]-x.y-a-*.img, pkg, or
IPS Software Release Examples
Accessing IPS Documentation
Cisco Security Intelligence Operations
Upgrading, Downgrading, and Installing System Images
Upgrade Notes and Caveats
Upgrades, Downgrades, and System Images
Supported FTP and HTTP/HTTPS Servers
Upgrading the Sensor
IPS 7.2(1)E4 Files
Upgrade Notes and Caveats
Manually Upgrading the Sensor
Working With Upgrade Files
Upgrading the Recovery Partition
Configuring Automatic Upgrades
Configuring Automatic Updates
Applying an Immediate Update
Downgrading the Sensor
Recovering the Application Partition
Installing System Images
ROMMON
TFTP Servers
Connecting an Appliance to a Terminal Server
Installing the System Image for the IPS 4345 and IPS 4360
You have ten seconds to press Break or Esc.
The system enters ROMMON mode. The … prompt appears.
Check the current network settings.
Installing the System Image for the IPS 4510 and IPS 4520
Installing the System Image for the ASA 5500-X IPS SSP
Installing the System Image for the ASA 5585-X IPS SSP
Installing the ASA 5585-X IPS SSP System Image Using the hw-module Command
Installing the ASA 5585-X IPS SSP System Image Using ROMMON
A
System Architecture
Understanding the IPS System Architecture
IPS System Design
Figure A-1 illustrates the system design for IPS software.
Figure A-2 illustrates the system design for IPS software for the IPS 4500 series sensors.
Each application has its own configuration file in XML format.
System Applications
Security Features
MainApp
Understanding the MainApp
MainApp Responsibilities
Event Store
Understanding the Event Store
Event Data Structures
IPS Events
NotificationApp
CtlTransSource
Attack Response Controller
Understanding the ARC
ARC Features
Supported Blocking Devices
ACLs and VACLs
Maintaining State Across Restarts
Connection-Based and Unconditional Blocking
Blocking with Cisco Firewalls
Blocking with Catalyst Switches
Logger
AuthenticationApp
Understanding the AuthenticationApp
Authenticating Users
Configuring Authentication on the Sensor
Managing TLS and SSH Trust Relationships
Web Server
SensorApp
Understanding the SensorApp
Inline, Normalization, and Event Risk Rating Features
SensorApp New Features
Packet Flow
Signature Event Action Processor
CollaborationApp
Understanding the CollaborationApp
Update Components
Error Events
SwitchApp
CLI
User Roles
Service Account
Communications
IDAPI
IDIOM
IDCONF
SDEE
CIDEE
Cisco IPS File Structure
Summary of Cisco IPS Applications
B
Signature Engines
Understanding Signature Engines
Master Engine
General Parameters
Alert Frequency
Event Actions
Regular Expression Syntax
AIC Engine
Understanding the AIC Engine
AIC Engine and Sensor Performance
AIC Engine Parameters
Atomic Engine
Atomic ARP Engine
Atomic IP Advanced Engine
Atomic IP Engine
Atomic IPv6 Engine
Fixed Engine
Flood Engine
Meta Engine
Multi String Engine
Normalizer Engine
Service Engines
Understanding the Service Engines
Service DNS Engine
Service FTP Engine
Service Generic Engine
Service H225 Engine
Service HTTP Engine
Service IDENT Engine
Service MSRPC Engine
Service MSSQL Engine
Service NTP Engine
Service P2P Engine
Service RPC Engine
Service SMB Advanced Engine
Service SNMP Engine
Service SSH Engine
Service TNS Engine
State Engine
String Engines
String XL Engines
Sweep Engines
Sweep Engine
Sweep Other TCP Engine
Traffic Anomaly Engine
Traffic ICMP Engine
Trojan Engines
C
Troubleshooting
Bug Toolkit
Preventive Maintenance
Understanding Preventive Maintenance
Creating and Using a Backup Configuration File
Backing Up and Restoring the Configuration File Using a Remote Server
Creating the Service Account
Disaster Recovery
Password Recovery
Understanding Password Recovery
Recovering the Password for the Appliance
Using the GRUB Menu
Using ROMMON
Recovering the Password for the ASA 5500-X IPS SSP
Recovering the Password for the ASA 5585-X IPS SSP
Disabling Password Recovery
Verifying the State of Password Recovery
Troubleshooting Password Recovery
Time Sources and the Sensor
Synchronizing IPS Clocks with Parent Device Clocks
Verifying the Sensor is Synchronized with the NTP Server
Correcting Time on the Sensor
Advantages and Restrictions of Virtualization
Supported MIBs
Troubleshooting Global Correlation
When to Disable Anomaly Detection
Analysis Engine Not Responding
Troubleshooting External Product Interfaces
External Product Interfaces Issues
External Product Interfaces Troubleshooting Tips
Troubleshooting the Appliance
Troubleshooting Loose Connections
The Analysis Engine is Busy
Communication Problems
Duplicate IP Address Shuts Interface Down, page C-27
Cannot Access the Sensor CLI Through Telnet or SSH
Log in to the sensor CLI through a console, terminal, or module session.
If the Link Status is …, go to Step 3. If the Link Status is …, go to Step 5.
Correcting a Misconfigured Access List
Duplicate IP Address Shuts Interface Down
Make sure the sensor cabling is correct.
The SensorApp and Alerting
The SensorApp is Not Running
Physical Connectivity, SPAN, or VACL Port Issue
Make sure the sensing port is connected to the correct SPAN or VACL capture port on IDSM2.
Make sure the interfaces are up and that the packet count is increasing.
If the Link Status is down, make sure the sensing port is connected properly:
Make sure the sensing port is connected properly on the appliance.
Unable to See Alerts
Make sure you have Produce Alert configured.
Make sure the sensor is seeing packets.
Check for alerts.
Sensor Not Seeing Packets
Make sure the interfaces are up and receiving packets.
If the interfaces are not up, do the following:
Check the cabling.
Enable the interface.
Cleaning Up a Corrupted SensorApp Configuration
Blocking
Troubleshooting Blocking
Verifying the ARC is Running
Verifying ARC Connections are Active
Device Access Issues
Verify the IP address for the managed devices.
Verifying the Interfaces and Directions on the Network Device
Enabling SSH Connections to the Network Device
Blocking Not Occurring for a Signature
Press Enter to apply the changes or type … to discard them.
Verifying the Master Blocking Sensor Configuration
View the ARC statistics and verify that the master blocking sensor entries are in the statistics.
If the master blocking sensor does not show up in the statistics, you need to add it.
Press Enter to apply the changes or type … to discard them.
Exit network access general submode.
Logging
Enabling Debug Logging
Turn on individual zone control.
Exit master zone control.
View the zone names.
Change the severity level (debug, timing, warning, or error) for a particular zone.
Turn on debugging for a particular zone.
Exit the logger submode.
Zone Names
Directing cidLog Messages to SysLog
TCP Reset Not Occurring for a Signature
Software Upgrades
Upgrading Error
Which Updates to Apply and Their Prerequisites
Issues With Automatic Update
Updating a Sensor with the Update Stored on the Sensor
Troubleshooting the IDM
Cannot Launch the IDM - Loading Java Applet Failed
Cannot Launch the IDM - The Analysis Engine Busy
The IDM, Remote Manager, or Sensing Interfaces Cannot Access Sensor
Signatures Not Producing Alerts
Troubleshooting the IME
Time Synchronization on IME and the Sensor
Not Supported Error Message
Troubleshooting the ASA 5500-X IPS SSP
The ASA 5500-X IPS SSP and Jumbo Packets, page C-67
The output shows that the ASA 5500-X IPS SSP is up. If the status reads
Health and Status Information
To see the general health of the ASA 5500-X IPS SSP, use the show module ips details command.
Failover Scenarios
The ASA 5500-X IPS SSP and the Normalizer Engine
The ASA 5500-X IPS SSP and Memory Usage
The ASA 5500-X IPS SSP and Jumbo Packets
Troubleshooting the ASA 5585-X IPS SSP
Health and Status Information
Failover Scenarios
Traffic Flow Stopped on IPS Switchports
The ASA 5585-X IPS SSP and the Normalizer Engine
The ASA 5585-X IPS SSP and Jumbo Packets
Gathering Information
Health and Network Security Information
Tech Support Information
Understanding the show tech-support Command
Displaying Tech Support Information
Tech Support Command Output
Version Information
Understanding the show version Command
Displaying Version Information
View configuration information.
You can use the more current-config or show configuration commands.
Statistics Information
Understanding the show statistics Command
Displaying Statistics
Display the statistics for anomaly detection.
Display the statistics for authentication.
Display the statistics for the denied attackers in the system.
Display the statistics for the Event Server.
Display the statistics for the Event Store.
Display the statistics for global correlation.
Display the statistics for the host.
Display the statistics for the logging application.
Display the statistics for the ARC.
Display the statistics for the notification application.
Display the statistics for OS identification.
Display the statistics for the SDEE server.
Display the statistics for the transaction server.
Display the statistics for a virtual sensor.
Display the statistics for the web server.
Interfaces Information
Understanding the show interfaces Command
Interfaces Command Output
The following example shows the output from the show interfaces command:
Displaying Interface Traffic History
Display the interface traffic history by the minute.
Display the interface traffic history for a specific interface.
Clearing Events, page C-101
Events Information
Sensor Events, page C-98
Understanding the show events Command, page C-98
Displaying Events, page C-98
Sensor Events
Understanding the show events Command
Displaying Events
Clearing Events
cidDump Script
Uploading and Accessing Files on the Cisco FTP Site
D
CLI Error Messages
CLI Error Messages
CLI Validation Error Messages
GLOSSARY
Numerals
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Z
INDEX
Numerics
A
B
C
D
E
F
G
H
I
K
L
M
N
O
P
Q
R
S
T
U
V
W
Z