Manuals / Cisco Systems / Household Appliance / Home Security System

Cisco Systems IPS4510K9 manual Configuring Event Action Filters

Models: IPS4510K9

1 854

Download 854 pages 14.35 Kb

Page 263

Image 263

Chapter 8 Configuring Event Action Rules

Configuring Event Action Filters

Caution Event action filters based on source and destination IP addresses do not function for the Sweep engine, because they do not filter as regular signatures. To filter source and destination IP addresses in sweep alerts, use the source and destination IP address filter parameters in the Sweep engine signatures.

Configuring Event Action Filters

Note Global correlation inspection and the reputation filtering deny features do not support IPv6 addresses. For global correlation inspection, the sensor does not receive or process reputation data for IPv6 addresses. The risk rating for IPv6 addresses is not modified for global correlation inspection. Similarly, network participation does not include event data for attacks from IPv6 addresses. And finally, IPv6 addresses do not appear in the deny list.

Note Rate limiting and blocking are not supported for IPv6 traffic. If a signature is configured with a block or rate limit event action and is triggered by IPv6 traffic, an alert is generated but the action is not carried out.

You can configure event action filters to remove specific actions from an event or to discard an entire event and prevent further processing by the sensor. You can use event action variables that you defined to group addresses for your filters.

Note You must preface the event variable with a dollar sign ($) to indicate that you are using a variable rather than a string. Otherwise, you receive the Bad source and destination error.

Use the filters {edit insert move] name1 [begin end inactive before after} command in service event action rules submode to set up event action filters.

The following options apply:

•actions-to-remove—Specifies the event actions to remove for this filter item.

•attacker-address-range—Specifies the range set of IPv4 attacker address(es) for this item (for example, 192.0.2.0-192.0.2.254,192.3.2.0-192.3.2.254).

Note The second IP address in the range must be greater then or equal to the first IP address. If you do not specify an attacker address range, all IPv4 attacker addresses are matched.

•attacker-port-range—Specifies the range set of attacker port(s) for this item (for example, 147-147,8000-10000).

•default—Sets the value back to the system default setting.

•deny-attacker-percentage—Specifies the percentage of packets to deny for deny attacker features. The valid range is 0 to 100. The default is 100.

•filter-item-status{enabled disabled}—Enables or disables the use of this filter item.

	Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01		8-21
OL-29168-01		8-21

Page 263

Image 263

Cisco Systems IPS4510K9 manual Configuring Event Action Filters

IPS4510K9 specifications

Cisco Systems has long been a leading player in network security, and its IPS (Intrusion Prevention System) series is a testament to its commitment to safeguarding digital environments. Among its notable offerings are the IPS4510K9 and IPS4520K9 models, both designed to provide advanced threat protection for mid-sized to large enterprise networks.

The Cisco IPS4510K9 and IPS4520K9 are distinguished by their cutting-edge features that help organizations defend against a myriad of cyber threats. These systems utilize a multi-layered approach to security, integrating intrusion prevention, advanced malware protection, and comprehensive visibility across the network.

One of the primary characteristics of the IPS4510K9 is its high performance. It boasts a throughput of up to 1 Gbps, making it suitable for environments that demand rapid data processing and real-time responses to threats. The IPS4520K9, on the other hand, enhances that capability with improved throughput of up to 2 Gbps, accommodating larger enterprises with heavier network traffic. These models are equipped with powerful processors that support complex signature matching and can intelligently distinguish between legitimate traffic and potential threats.

In addition to performance, both models are designed with scalability in mind. They can be easily integrated into existing Cisco infrastructures. This facilitates a seamless enhancement of security without causing significant interruptions to ongoing operations. Moreover, they offer flexible deployment options, allowing organizations to operate them inline or out of band depending on their specific needs.

The Cisco IPS4510K9 and IPS4520K9 leverage advanced detection technologies, utilizing a variety of signature types and heuristic analysis to detect known and unknown threats effectively. They are equipped with real-time alerting and reporting capabilities, giving security teams immediate visibility into potential breaches and enabling them to respond swiftly.

Furthermore, both models support a range of management options through the Cisco Security Manager, allowing for centralized administration, streamlined policy management, and enhanced monitoring capabilities. Automated updates ensure the systems remain current with the latest threat intelligence, vital for staying ahead of evolving cyber threats.

In summary, the Cisco Systems IPS4510K9 and IPS4520K9 represent powerful solutions for organizations seeking robust intrusion prevention capabilities. With their high performance, scalability, and advanced detection technologies, these systems are essential tools in the ever-changing landscape of cybersecurity, providing enterprises with the peace of mind needed to operate securely in today's digital world.

Contents

Text Part Number OL-29168-01 Americas HeadquartersPage Iii N T E N T SAdvanced Setup for the Appliance Interface Support Understanding Inline Vlan Pair Mode Vii Configuring Alert SeverityViii Example String XL TCP Engine Match Offset SignatureUnderstanding Worms Configuring Global Correlation Configuring IP Logging Xii RoutersXiii Using RommonXiv Configuring the ASA 5585-X IPS SSPUpgrading, Downgrading, and Installing System Images Xvi NotificationAppXvii AIC Engine B-10Xviii Creating the Service Account C-5Xix Communication ProblemsUnderstanding the show tech-support Command C-75 Xxi CLI Validation Error Messages D-6Xxii Organization ContentsAudience Xxiv Xxv ConventionsRelated Documentation Convention IndicationXxvi Obtaining Documentation and Submitting a Service RequestIi-1 Logging In Notes and CaveatsSupported User Roles Ii-2 Logging In to the ApplianceFor More Information Exit Wr mem Connecting an Appliance to a Terminal ServerConfig t Ii-3Asa# session ips Logging In to the ASA 5500-X IPS SSPIi-4 Asa# session Logging In to the ASA 5585-X IPS SSPIi-5 Ii-6 Logging In to the SensorIi-7 Ii-8 Supported IPS Platforms IPS CLI Configuration GuideSensor Configuration Sequence User Roles Viewers AdministratorService OperatorsHelp CLI BehaviorFollowing tips help you use the Cisco IPS CLI PromptsDisplay Options Command Line EditingRecall Case SensitivityKeys Description String IPS Command ModesRegular Expression Syntax Character DescriptionOr more times Only if it is at the end of the stringMatches a as well as b Matches any characterSensor# configure terminal Generic CLI CommandsCLI Keywords OL-29168-01 Initializing Notes and Caveats Initializing the SensorUnderstanding Initialization Simplified Setup ModeSystem Configuration Dialog Example 2-1 Example System Configuration Dialog Example 2-1shows a sample System Configuration DialogInitializing the Sensor Basic Sensor Setup Basic Sensor SetupInitializing the Sensor Basic Sensor Setup Following configuration was entered Initializing the Sensor Advanced Setup Advanced SetupAdvanced Setup for the Appliance Press Enter to return to the available interfaces menu Enter 1 to edit the interface configurationEnter a subinterface number and description Enter numbers for Vlan 1Press Enter to return to the top-level editing menu Enter 2 to edit the virtual sensor configurationEnter 2 to modify the virtual sensor configuration, vs0 Host-ip 192.168.1.2/24,192.168.1.1 Enter 2 to save the configuration Reboot the appliance Advanced Setup for the ASA 5500-X IPS SSPEnter a name and description for your virtual sensor Enter 2 to modify the virtual sensor vs0 configurationModify default threat prevention settings?no Asa-ips#show tls fingerprint Reboot the ASA 5500-X IPS SSPAdvanced Setup for the ASA 5585-X IPS SSP Enter 2 to edit the virtual sensor configuration Exit Service analysis-engine Ips-ssp#show tls fingerprint Reboot the ASA 5585-X IPS SSPVerifying Initialization Sensor# show configuration View your configurationSensor# show tls fingerprint Display the self-signed X.509 certificate needed by TLSSetup Notes and Caveats Setting Up the SensorChanging Network Settings Understanding Sensor SetupChanging the Hostname Changing the IP Address, Netmask, and Gateway Exit network settings modeEnter network settings mode Change the sensor IP address, netmask, and default gatewayEnabling and Disabling Telnet Enable Telnet servicesVerify that Telnet is enabled Changing the Access ListVerify the value has been set back to the default Verify the change you made to the access-listRemove the entry from the access list Change the value back to the defaultVerify the FTP timeout change Changing the FTP TimeoutTo change the FTP timeout, follow these steps Change the number of seconds of the FTP timeoutVerify the banner login text message Adding a Login BannerAdd the banner login text Verify the login text has been removed Verify the settings Enable a DNS serverLogin-banner-text defaulted dns-primary-server Enabling SSHv1 Fallback Verify that SSHv1 fallback is enabledExit authentication mode Changing the CLI Session TimeoutChange the number of seconds of the CLI session timeout Verify the CLI session timeout changeTLSDHERSAWITHAES256CBCSHA256 TLSDHEDSSWITHAES256CBCSHA256 Changing Web Server SettingsWhen disabled, the client can use the following ciphers Change the port number Sensor# configure terminal Sensorconfig# service web-serverTurn on TLS client ciphers restriction Specify the web session inactivity timeoutTurn on logging for web session inactivity timeouts Verify the defaults have been replacedAdding and Removing Users Configuring Authentication and User ParametersSensor# show users all Sensorconfig# username username password password privilegeSensorconfig# username tester privilege administrator Specify the parameters for the userSensor# configure terminal Sensorconfig# no username jsmith Configuring AuthenticationTo remove a user, use the no form of the command Radius Authentication Options Configuring Local or Radius Authentication Enter AAA submode Sensorconfig-aaa-rad#default-user-role operatorEnter the Radius server IP address Ips-role=administrator Ips-role=serviceEnter the IP address of the second Radius server Specify the type of console authenticationAAA Radius Users Configuring Packet Command RestrictionExit AAA mode Sensorconfig-aut#permit-packet-logging false Enter authentication submodeCheck your new setting Sensorconfig-aut#permit-packet-logging trueSensorconfig# user username privilege service Creating the Service AccountExit configuration mode Service Account and Radius AuthenticationRadius Authentication Functionality and Limitations Configuring PasswordsChanging User Privilege Levels Change your passwordVerify all users. The account of the user jsmith is locked Showing User StatusChange the privilege level from viewer to operator Display your current level of privilegeExample Configuring the Password PolicyTo unlock the account of jsmith, reset the password Locking User Accounts Set the value back to the system default settingCheck that the setting has returned to the default Unlock the account Enter global configuration modeUnlocking User Accounts ParenthesesIPS Standalone Appliances Configuring TimeTime Sources and the Sensor ASA IPS Modules Configuring Time on the SensorCorrecting Time on the Sensor Sensor# show clock Manually Setting the System ClockSymbol Displaying the System ClockSensor# clock set 1321 Mar 29 Configuring Recurring Summertime SettingsEnter the month you want to start summertime settings Enter start summertime submodeSpecify the local time zone used during summertime Verify your settingsEnter the month you want to end summertime settings Enter end summertime submodeExit recurring summertime submode Configuring Nonrecurring Summertime SettingsExit non-recurring summertime submode Sensorconfig-hos-tim#standard-time-zone-name CST Configuring NTPConfiguring Time Zones Settings Exit time zone settings submodeExample Configuring a Cisco Router to be an NTP ServerVerify the unauthenticated NTP settings Configuring the Sensor to Use an NTP Time SourceEnter service host mode Configure unauthenticated NTP Enter NTP configuration modeExit NTP configuration mode Configuring SSHConfigure authenticated NTP Enter NTP configuration mode Verify the NTP settingsAdding Hosts to the SSH Known Hosts List Understanding SSHSensor# show ssh host-keys Sensorconfig# ssh host-keyAdd an entry to the known hosts list View the key for a specific IP addressAdding Authorized RSA1 and RSA2 Keys Sensorconfig# no ssh host-keyGenerating the RSA Server Host Key Sensor# show ssh server-key Sensor# ssh generate-keyUnderstanding TLS Configuring TLSAdding TLS Trusted Hosts Sensorconfig# tls trusted-host ip-address 10.89.146.110 portVerify that the key was generated Displaying and Generating the Server CertificateView the fingerprint for a specific host Remove an entry from the trusted hosts listUnderstanding the License Key Installing the License KeyObtaining and Installing the License Key Service Programs for IPS ProductsInstalling the License Key Verify the sensor is licensed Licensing the ASA 5500-X IPS SSPSensor# erase license-key Uninstalling the License KeyVerify the sensor key has been uninstalled Setting Up the Sensor Installing the License Key OL-29168-01 Interface Notes and Caveats Configuring InterfacesIPS Interfaces Understanding InterfacesSensor Command and Control Interface Command and Control InterfaceSensing Interfaces TCP Reset InterfacesUnderstanding Alternate TCP Reset Interfaces None Designating the Alternate TCP Reset Interface2lists the alternate TCP reset interfaces Sensor Alternate TCP Reset InterfaceBase Chassis Cards Sensing Ports Inline Interface Pairs Interface SupportInterfaces Not Combinations Supporting Command and Control Interface Configuration Restrictions Configuring Interfaces Understanding Interfaces Interface Configuration Sequence Configuring Physical Interfaces Display the list of available interfaces Configuring the Physical Interface SettingsSpecify the interface for promiscuous mode Add a description of this interface Remove TCP resets from an interfaceSensorconfig-int-phy#alt-tcp-reset-interface none Exit interface submode Configuring Promiscuous ModeUnderstanding Promiscuous Mode IPv6, Switches, and Lack of Vacl Capture Configuring Promiscuous ModeSet span 930, 932, 960, 962 4/1-4 both Configuring Inline Interface ModeUnderstanding Inline Interface Mode Creating Inline Interface Pairs Configuring Inline Interface PairsIt can monitor traffic see Step Enable the interfaces assigned to the interface pairName the inline pair Display the available interfacesVerify that the interfaces are enabled Verify the inline interface pair has been deleted Exit interface configuration submodeSensorconfig-int#no inline-interfaces PAIR1 Understanding Inline Vlan Pair Mode Configuring Inline Vlan Pair ModeConfiguring Inline Vlan Pairs Been configured Configuring Inline Vlan PairsOL-29168-01 Designate an interface Set up the inline Vlan pairVerify the inline Vlan pair settings Sensorconfig-int#no inline-interfaces interfacenameTo delete Vlan pairs Delete one Vlan pair Configuring Vlan Group ModeUnderstanding Vlan Group Mode Deploying Vlan Groups Configuring Vlan Groups Configuring Inline Vlan Groups None Subinterface-type Assign the VLANs to this group Assign specific VLANs Set up the Vlan groupSpecify an interface Add a description for the Vlan group Configure unassigned VLANsVerify the Vlan group settings Delete Vlan groups Delete one Vlan group Configuring Inline Bypass ModeUnderstanding Inline Bypass Mode Configure bypass mode Configuring Inline Bypass ModeConfiguring Bypass Mode Configuring Interface Notifications Configuring Interface NotificationsConfiguring CDP Mode Displaying Interface Statistics Enabling CDP ModeEnable CDP mode Sensorconfig-int#cdp-mode forward-cdp-packetsSensor# show interfaces Interface Statistics Sensor# show interfaces briefSensor# show interfaces clear Interface Statistics Display the statistics for a specific interfaceClear the statistics Sensor# show interfaces Management0/0Displaying Interface Traffic History Display the interface traffic history by the minute Displaying Historical Interface StatisticsTo display interface traffic history, follow these steps Display the interface traffic history by the hourBytes Received Mbps Virtual Sensor Notes and Caveats Configuring Virtual SensorsAdvantages and Restrictions of Virtualization Understanding the Analysis EngineUnderstanding Virtual Sensors Inline TCP Session Tracking Mode Restrictions Normalization and Inline TCP Evasion Protection ModeHttp Advanced Decoding Adding, Editing, and Deleting Virtual SensorsAdding Virtual Sensors Add a description for this virtual sensor Sensorconfig-ana-vir#description virtual sensorAdding a Virtual Sensor Add a virtual sensorAssign a signature definition policy to this virtual sensor Enable Http advanced decodingVerify the virtual sensor settings Assign an event action rules policy to this virtual sensorExit analysis engine mode Edit the description of this virtual sensor Editing and Deleting Virtual SensorsEditing or Deleting a Virtual Sensor Edit the virtual sensor, vs1Delete a virtual sensor Verify the edited virtual sensor settingsSensorconfig-ana-vir#physical-interface GigabitEthernet0/2 Sensorconfig-ana# exit Create the flow depth variable Configuring Global VariablesCreating a Global Variable Create the variable for the maximum number of open IP logsSensor# show statistic analysis-engine Create the variable for service activityVerify the global variable settings OL-29168-01 Understanding Policies Signature Definition Notes and CaveatsSensor# copy signature-definition sig0 sig1 Sensor# list signature-definition-configurationsWorking With Signature Definition Policies Delete a signature definition policyConfirm the signature definition policy has been deleted Reset a signature definition policy to factory settingsUnderstanding Signatures Creating Signature Variables Configuring Signature VariablesUnderstanding Signature Variables Adding, Editing, and Deleting Signature Variables Signature Definition Options Configuring SignaturesConfiguring Alert Frequency Specify the summary key Configuring Alert FrequencySpecify the signature you want to configure Enter alert frequency submodeAssign the alert severity Configuring Alert SeverityConfiguring Alert Severity To configure the alert severity, follow these stepsExit signatures submode Configuring the Event CounterConfiguring the Event Counter Enter event counter submode Optional Enable alert intervalSpecify the signature fidelity rating for this signature Configuring Signature Fidelity RatingConfiguring the Signature Fidelity Rating Change the status for this signature Configuring the Status of SignaturesChoose the signature you want to configure Changing the Signature StatusSpecify the vulnerable OSes for this signature Configuring the Vulnerable OSes for a SignatureConfiguring Vulnerable OSes Assigning Actions to Signatures Specify the percentage for rate limiting Configuring Event ActionsConfigure the event action Exit event action submode Configuring AIC SignaturesUnderstanding the AIC Engine AIC Engine and Sensor Performance Configuring the Application PolicySensorconfig-sig-app-htt#aic-web-ports 80-80,3128-3128 Configuring the Application PolicyEnable inspection of FTP traffic Enable Http application policy enforcementSignature ID Define Request Method AIC Request Method SignaturesSignature ID Signature Description AIC Mime Define Content Type SignaturesSignature ID Signature Description Signature ID Signature Description Signature ID Transfer Encoding Method AIC Transfer Encoding SignaturesSignature ID FTP Command AIC FTP Commands SignaturesCreating an AIC Signature Define the signature type Define the content typeDefining a MIME-Type Policy Signature Specify the event actionSignature ID and Name Description Range Default Action Configuring IP Fragment ReassemblyUnderstanding IP Fragment Reassembly For More Information Specify the engine Configuring IP Fragment Reassembly ParametersConfiguring the Method for IP Fragment Reassembly Enter edit default signatures submodeVerify the setting Configuring TCP Stream ReassemblyUnderstanding TCP Stream Reassembly Configuring the IP Fragment Reassembly MethodTCP Stream Reassembly Signatures and Configurable Parameters TCP Stream Reassembly Signatures SYN SYN Configuring TCP Stream Reassembly Signatures Configuring the Mode for TCP Stream Reassembly Sensorconfig-sig-str#tcp-reassembly-mode strict Configuring the TCP Stream Reassembly ParametersSensorconfig-sig-str#tcp-3-way-handshake-required true Specify the length of time you want the sensor to log Configuring IP LoggingConfiguring IP Logging Parameters Specify the number of packets you want loggedSequence for Creating a Custom Signature Creating Custom SignaturesExample String TCP Engine Signature Creating a String TCP Engine Signature Verify the settings Example Service Http Engine Signature Specify the alert traits. The valid range is from 0 to Creating a Service Http Engine SignatureEnter signature description mode Specify a signature nameExit Regex submode Configure the Regex parametersExample Meta Engine Signature Exit alert frequency submodeMeta Signature Engine Enhancement Defining Signatures Creating Custom Signatures Creating a Meta Engine Signature Example IPv6 Engine Signature Specify the L4 protocol Sensorconfig-sig-sig#engine atomic-ip-advancedSpecify the IP version Specify IPv6Creating a String XL TCP Engine Signature Example String XL TCP Engine Match Offset SignatureSpecify an exact match offset for this signature Sensorconfig-sig-sig-str#specify-exact-match-offset yesSpecify the String XL TCP engine Specify the regex string to search for in the TCP packetSpecify a minimum match offset for this signature Example String XL TCP Engine Minimum Match Length Signature Specify a signature ID and subsignature ID for the signature Specify a new Regex string to search for and turn on UTF-8 OL-29168-01 Event Action Rules Notes and Caveats Configuring Event Action RulesUnderstanding Event Action Rules Understanding Security PoliciesSignature Event Action Processor Action filter Alert and Log ActionsDeny Actions Understanding Deny Packet Inline Other ActionsTCP Normalizer Signature Warning Event Action Rules Configuration SequenceSensor# copy event-action-rules rules0 rules1 Working With Event Action Rules PoliciesWorking With Event Action Rules Policies Confirm the event action rules instance has been deleted Reset an event action rules policy to factory settingsEvent Action Variables Delete an event action rules policyIPv6 Addresses When configuring IPv6 addresses, use the following formatUnderstanding Event Action Variables IPv4 AddressesWorking With Event Action Variables Sensorconfig-eve#variables variable-ipv4 addressAdding, Editing, and Deleting Event Action Variables Verify the event action rules variable you deleted Verify that you added the event action rules variableVerify that you edited the event action rules variable Delete an event action rules variableCalculating the Risk Rating Configuring Target Value Ratings2illustrates the risk rating formula Understanding Threat RatingAdding, Editing, and Deleting Target Value Ratings Adding, Editing, and Deleting Target Value Ratings Understanding Event Action Overrides Configuring Event Action OverridesConfiguring Event Action Overrides Write events that request an Snmp trap to the Event Store Log packets from both the attacker and victim IP addressesWrite an alert to Event Store Write verbose alerts to Event StoreUnderstanding Event Action Filters Configuring Event Action FiltersConfiguring Event Action Filters OL-29168-01 Configuring Event Action Filters Edit the parameters see Steps 4a through 4l Verify the settings for the filterAdd any comments you want to use to explain this filter Edit an existing filterVerify that the filter has been moved to the inactive list Sensorconfig-eve#filters move name1 inactiveMove a filter to the inactive list Understanding Passive OS Fingerprinting Configuring OS IdentificationsPassive OS Fingerprinting Configuration Considerations Unix Adding, Editing, Deleting, and Moving Configured OS MapsIP Address Range Set IOSSpecify the host OS type Configuring OS MapsVerify the settings for the OS map Move an OS map to the inactive list Enable passive OS fingerprintingEdit an existing OS map Verify that you have moved the OS mapsVerify that the OS map has been deleted Sensorconfig-eve-os#no configured-os-map name2Displaying and Clearing OS Identifications Delete an OS mapSensor# clear os-identification learned Configuring General SettingsDisplaying and Clearing OS Identifications Verify that the OS IDs have been clearedUnderstanding Event Action Aggregation Understanding Event Action SummarizationEnter general submode Configuring the General SettingsConfiguring Event Action General Settings Enable or disable the summarizer. The default is enabledAdding a Deny Attacker Entry to the Denied Attackers List Configuring the Denied Attackers ListVerify the settings for general submode Sensorconfig-eve-gen#global-filters-status enabled disabledEnter yes to remove the deny attacker entry from the list Monitoring and Clearing the Denied Attackers ListAdding Entries to the Denied Attacker List Remove the deny attacker entry from the listDelete the denied attackers list Displaying and Deleting Denied AttackersImportant to know if the list has been cleared Monitoring EventsDisplaying Events Clear only the statisticsSensor# show events Displaying EventsTo display events from the Event Store, follow these steps Sensor# show events alert past Sensor# show events error warning 100000 Feb 9Display alerts from the past 45 seconds Sensor# show events past Clearing Events from Event StoreDisplay events that began 30 seconds in the past Enter yes to clear the eventsOL-29168-01 Anomaly Detection Notes and Caveats Configuring Anomaly DetectionUnderstanding Worms Understanding Anomaly DetectionAnomaly Detection Modes Anomaly Detection Zones Anomaly Detection Configuration Sequence Signature ID Subsignature ID Name Description Anomaly Detection SignaturesSignature ID Subsignature ID Name Description Exit analysis engine submode Enable anomaly detection operational modeEnabling Anomaly Detection Working With Anomaly Detection PoliciesSensor# copy anomaly-detection ad0 ad1 Working With Anomaly Detection PoliciesDelete an anomaly detection policy Verify that the anomaly detection instance has been deleted Configuring Anomaly Detection Operational SettingsReset an anomaly detection policy to factory settings Sensor# list anomaly-detection-configurationsSensorconfig-ano-ign#source-ip-address-range Configuring the Internal ZoneConfiguring Anomaly Detection Operational Settings Specify the worm timeoutConfigure TCP protocol Configure UDP protocol Configuring the Internal ZoneConfiguring the Internal Zone Enable the internal zoneEnable TCP protocol Configuring TCP Protocol for the Internal ZoneConfigure the other protocols Configuring Internal Zone TCP ProtocolSet the scanner threshold Enable the service for that portThem and configure your own scanner values Verify the TCP configuration settingsConfiguring UDP Protocol for the Internal Zone Associate a specific port with UDP protocol Configuring the Internal Zone UDP ProtocolEnable UDP protocol Verify the UDP configuration settingsConfiguring Anomaly Detection Configuring the Internal Zone Associate a specific number for the other protocols Configuring Other Protocols for the Internal ZoneConfiguring the Internal Zone Other Protocols Enable the other protocolsVerify the other configuration settings Understanding the Illegal Zone Configuring the Illegal ZoneConfiguring the Illegal Zone Configuring the Illegal ZoneSensorconfig-ano-ill#ip-address-range Configuring TCP Protocol for the Illegal ZoneEnable the illegal zone Configuring the Illegal Zone TCP Protocol Enabled true defaulted Sensorconfig-ano-ill-tcp# Configuring the Illegal Zone UDP Protocol Configuring UDP Protocol for the Illegal ZoneSensorconfig-ano-ill-udp-dst-yes# scanner-threshold Configuring the Illegal Zone Other Protocols Configuring Other Protocols for the Illegal ZoneVerify the other protocols configuration settings Understanding the External Zone Configuring the External ZoneConfiguring the External Zone Enable the external zone Configuring TCP Protocol for the External ZoneConfiguring the External Zone Configuring the External Zone TCP Protocol Sensorconfig-ano-ext-tcp# Configuring the External Zone UDP Protocol Configuring UDP Protocol for the External ZoneSensorconfig-ano-ext-udp-dst-yes# scanner-threshold Configuring Other Protocols for the External Zone To configure other protocols for a zone, follow these steps Configuring the External Zone Other ProtocolsKB and Histograms Configuring Learning Accept ModeExample Histogram Configuring Learning Accept Mode Configuring Learning Accept ModeSensorconfig-ano#learning-accept-mode manual Sensorconfig-ano#learning-accept-mode autoSensor# show ad-knowledge-base files Working With KB FilesDisplaying KB Files Display the KB files for all virtual sensorsSave the current KB file and store it as a new name Saving and Loading KBs ManuallyDisplay the KB files for a specific virtual sensor Manually Saving and Loading KBsCopying, Renaming, and Erasing KBs Remove a KB file from a specific virtual sensor Copying, Renaming, and Removing KB FilesRename a KB file Locate the file you want to compare Displaying the Differences Between Two KBsComparing Two KBs To compare two KBs, follow these stepsDisplaying the Thresholds for a KB Sensor# show ad-knowledge-base vs1 files Virtual Sensor vs1 Displaying KB ThresholdsSensor# show statistics anomaly-detection vs0 Displaying Anomaly Detection StatisticsTo display anomaly detection statistics, follow these steps Display the statistics for all virtual sensors Disabling Anomaly DetectionDisable anomaly detection operational mode OL-29168-01 10-1 Global Correlation Notes and Caveats10-2 Understanding Global CorrelationParticipating in the SensorBase Network 10-3 Understanding Reputation1shows how we use the data Type of Data Purpose10-4 Understanding Network Participation10-5 Understanding Efficacy10-6 Global Correlation Features and GoalsUnderstanding Reputation and Risk Rating 10-7 Global Correlation Requirements10-8 Understanding Global Correlation Sensor Health Metrics10-9 Global Correlation Update ClientSpecify the level of global correlation inspection Configuring Global CorrelationSensorconfig-glo#global-correlation-inspection on Turn on global correlation inspection10-11 Configuring Network ParticipationTurn on reputation filtering Exit global correlation submode10-12 Turning on Network ParticipationTurn on network participation Enter yes to agree to participate in the SensorBase Network10-13 Troubleshooting Global CorrelationDisabling Global Correlation 10-14 Displaying Global Correlation StatisticsDisabling Global Correlation 10-15 Clear the statistics for global correlation10-16 11-1 External Product Interface Notes and CaveatsUnderstanding External Product Interfaces 11-2 Understanding the CSA MC11-3 External Product Interface Issues11-4 Configuring the CSA MC to Support the IPS InterfaceAdding External Product Interfaces and Posture ACLs 11-5 Adding External Product Interfaces11-6 Choose the action deny or permit the posture ACL will take Sensorconfig-ext-cis-hos#allow-unreachable-postures yesSensorconfig-ext-cis-hos#posture-acls insert name1 begin Enter the network address the posture ACL will use11-8 Troubleshooting External Product InterfacesExit external product interface submode 12-1 IP Logging Notes and Caveats12-2 Configuring Automatic IP LoggingUnderstanding IP Logging 12-3 Configuring Automatic IP LoggingSensor# iplog vs0 192.0.2.1 duration Configuring Manual IP LoggingMonitor the IP log status with the iplog-status command 12-4Displaying the Contents of IP Logs Stop the IP log session Stopping Active IP LogsDisplay a brief list of all IP logs Disabling IP Logging Sessions12-7 Copying IP Log Files to Be ViewedStop all IP logging sessions on a virtual sensor Copying IP Log Files12-8 Copy the IP log to your FTP or SCP server13-1 Packet Display And Capture Notes and Caveats13-2 Understanding Packet Display and CaptureDisplaying Live Traffic on an Interface Sensor# packet display GigabitEthernet0/1 Displaying Live Traffic From an Interface13-3 Expression ip proto \\tcp Capturing Live Traffic on an InterfaceDisplay information about the packet file 13-4Sensor# packet capture GigabitEthernet0/1 Capturing Live Traffic on an InterfaceView the captured packet file 13-513-6 Copying the Packet FileView any information about the packet file Verify that you have erased the packet file View the packet file with Wireshark or TcpdumpErasing the Packet File Erase the packet file13-8 14-1 Blocking Notes and Caveats14-2 Understanding Blocking14-3 Vlan BIcmp Understanding Rate LimitingDestination IP Signature ID Signature Name Protocol DataTCP Understanding Service Policies for Rate LimitingBefore Configuring ARC UDP14-6 Supported Devices14-7 Configuring Blocking Properties14-8 Enter network access submodeSensorconfig# service network-access Allowing the Sensor to Block Itself14-9 Configure the sensor not to block itselfExit network access submode Disabling BlockingVerify that the setting has been returned to the default Blocks on the devices are updatedTo disable blocking or rate limiting, follow these steps Enable blocking on the sensor14-11 Specifying Maximum Block Entries14-12 Return to the default value of 250 blocksSensorconfig-net-gen#default block-max-entries Change the maximum number of block entriesThese steps Time for manual blocks is set when you request the blockSpecifying the Block Time Signatures14-14 Enabling ACL Logging14-15 Enabling Writing to Nvram14-16 Logging All Blocking Events and ErrorsDisable writing to Nvram Verify that writing to Nvram is disabled14-17 Configuring the Maximum Number of Blocking InterfacesVerify the number of maximum interfaces Return the setting to the defaultVerify the default setting Specify the maximum number of interfacesFor a network Configuring Addresses Never to BlockConfiguring Addresses Never to Be Blocked Sensorconfig-net-gen#never-block-hostsEnter the username for that user profile Configuring User ProfilesSpecify the password for the user Create the user profile name14-21 Configuring Blocking and Rate Limiting DevicesSpecify the enable password for the user How the Sensor Manages Devices14-22 Configuring the Sensor to Manage Cisco Routers14-23 Routers and ACLsSpecify the IP address for the router controlled by the ARC 14-24 14-25 Switches and VACLs14-26 Sensorconfig-net-cat#communication telnet ssh-3desOptional Add the post-VACL name Configuring the Sensor to Manage Cisco FirewallsSpecify the Vlan number Optional Add the pre-VACL name14-28 Configuring the Sensor to be a Master Blocking Sensor14-29 Configuring the Master Blocking SensorSensorconfig-web# exit Specify whether or not the host uses TLS/SSL Sensorconfig# tls trusted-host ip-address 192.0.2.1 portEnter password Add a master blocking sensor entryEnd the host block Configuring Host BlockingConfiguring Network Blocking Blocking a Host14-32 Configuring Connection BlockingBlocking a Network End the network blockBlocks are Obtaining a List of Blocked Hosts and ConnectionsBlocking a Connection End the connection block14-34 15-1 Snmp Notes and CaveatsUnderstanding Snmp 15-2 Configuring Snmp15-3 Configuring Snmp General Parameters15-4 Configuring Snmp TrapsExit notification submode Enter the trap community string Configuring Snmp TrapsEnable Snmp traps Specify whether you want detailed Snmp traps15-6 CISCO-ENHANCED-MEMPOOL-MIB CISCO-ENTITY-ALARM-MIBSupported Mibs CISCO-CIDS-MIB15-7 15-8 16-1 Displaying the Current Configuration16-2 First Review Cisco Confidential16-3 Displaying the Current Submode Configuration16-4 16-5 16-6 16-7 16-8 Sensorconfig# service health-monitor16-9 16-10 16-11 16-12 16-13 Severity warning defaulted protected entry zone-name csi16-14 16-15 Sensorconfig# service trusted-certificate16-16 Filtering the Current Configuration Output16-17 Filtering Using the More CommandTo filter the more command, follow these steps Press Ctrl-Cto stop the output and return to the CLI prompt16-18 Filtering the Current Submode Configuration OutputFiltering the Submode Output Displaying the Contents of a Logical File 16-20 Displaying the Logical File Contents16-21 16-22 16-23 Backing Up the Current Configuration to a Remote ServerRestoring the Current Configuration From a Backup File 16-24 Creating and Using a Backup Configuration FileErasing the Configuration File 16-25 Press Enter to continue or enter no to stop16-26 17-1 Administrative Tasks for the Sensor17-2 Administrative Notes and CaveatsRecovering the Password Understanding Password Recovery17-3 Recovering the Password for the ApplianceUsing the Grub Menu Platform Description Recovery MethodSample Rommon session Recovering the Password for the ASA 5500-X IPS SSPUsing Rommon Enter the following commands to reset the password17-5 Enter your new password twicePress Enter to confirm Session to the ASA 5500-X IPS SSP17-6 Recovering the Password for the ASA 5585-X IPS SSPUsing the Asdm Asa# hw-module module 1 password-resetAsa# show module Session to the ASA 5585-X IPS SSP17-7 17-8 Disabling Password RecoveryDisabling Password Recovery Using the CLI Disabling Password Recovery Using the IDM or IMEClearing the Sensor Databases Verifying the State of Password RecoveryTroubleshooting Password Recovery Sensorconfig-hos#show settings include password17-10 Clearing the Sensor DatabaseEnter yes to clear the inspectors database 17-11 Displaying the Inspection Load of the SensorOver the past 60 minutes and over the past 72 hours Show the histogram of the inspection load17-12 17-13 Configuring Health Status Information17-14 Configuring Health StatisticsASA 5500-X IPS SSP and Memory Usage Platform Yellow Red Memory Used17-15 17-16 Set the number of days since the last signature updateSet the threshold for memory usage Set the missed packet threshold17-17 Showing Sensor Overall Health StatusExit health monitoring submode Enter your message Creating a Banner LoginCreate the banner login Show the health and security status of the sensorTerminate the CLI session of jsmith Find the CLI ID number associated with the login sessionTerminating CLI Sessions To terminate a CLI session, follow these steps17-20 Configuring EventsModifying Terminal Properties 17-21 17-22 17-23 Clearing Events from the Event StoreSensor# show clock detail Configuring the System ClockDisplaying the System Clock 17-2417-25 Manually Setting the System ClockClearing the Denied Attackers List 17-26 17-27 Displaying Policy Lists17-28 Displaying StatisticsDisplay the list of policies for event action rules Display the list of policies for signature definition17-29 Administrative Tasks for the Sensor17-30 17-31 Display the statistics for authenticationSensor# show statistics authentication Display the statistics for anomaly detectionSensor# show statistics event-server General Display the statistics for the Event ServerDisplay the statistics for the Event Store 17-32Show statistics host Display the statistics for the host17-33 Sensor# show statistics logger Display the statistics for the logging applicationDisplay the statistics for the ARC 17-3417-35 17-36 17-37 Statistics web-server Display the statistics for the web server17-38 Sensor# show statistics logger clear 17-3917-40 Displaying Tech Support InformationVarlog Files Displaying Tech Support InformationSensor# show version Displaying Version InformationView version information 17-4117-42 Cancel the output and get back to the CLI promptView configuration information 17-43 Diagnosing Network ConnectivityFollowing example shows an unsuccessful ping Resetting the ApplianceEnter yes to continue the reset Following example shows a successful ping17-45 Displaying Command HistoryStop all applications and power down the appliance Enter yes to continue with the reset and power downSensor# show inventory Displaying Hardware Inventory17-46 PID IPS-4360-PWR-AC 17-47Inventory Tracing the Route of an IP PacketDisplay the route of IP packet you are interested 17-4817-49 Displaying Submode SettingsShow the current configuration for ARC submode Sensor config# service network-access17-50 17-51 Show the ARC settings in terse mode17-52 18-1 Configuring the ASA 5500-X IPS SSP18-2 Configuration Sequence for the ASA 5500-X IPS SSP18-3 Verifying Initialization for the ASA 5500-X IPS SSPObtain the details about the ASA 5500-X IPS Ssps Confirm the information18-4 Creating Virtual Sensors for the ASA 5500-X IPS SSPASA 5500-X IPS SSP and Virtualization Creating Virtual Sensors18-5 Creating Virtual Sensors18-6 Sensorconfig-ana-vir#physical-interface PortChannel0/0Asa# show ips Assigning Virtual Sensors to Contexts18-7 18-8 Enter multiple modeAdd three context modes to multiple mode Assign virtual sensors to the security contextsSensorApp Fails ASA 5500-X IPS SSP and Bypass ModeConfigure MPF for each context Confirm the configuration18-10 SensorApp is ReconfiguredASA 5500-X IPS SSP and the Normalizer Engine 18-11 ASA 5500-X IPS SSP and Jumbo PacketsASA 5500-X IPS SSP and Memory Usage 18-12 Health and Status Information18-13 Asa-ips#debug module-boot18-14 Early reservations == bootmem 000000000018-15 18-16 18-17 18-18 IRQ 18-19ASA 5500-X IPS SSP Failover Scenarios Single ASA in Fail-Open ModeSingle ASA in Fail-Close Mode Two ASAs in Fail-Open Mode18-21 New and Modified CommandsTwo ASAs in Fail-Close Mode Configuration ExamplesSingle Context System DefaultsFirewall Mode Security Context Multiple Command Mode Routed Allocate-ips18-23 Command History Release ModificationRelated Commands Description Examples18-24 19-1 ASA 5585-XIPS SSP Notes and Caveats19-2 Configuration Sequence for the ASA 5585-X IPS SSPAsa# show module 1 details Verifying Initialization for the ASA 5585-X IPS SSPObtain the details about the ASA 5585-X IPS SSP 19-319-4 Creating Virtual Sensors for the ASA 5585-X IPS SSPASA 5585-X IPS SSP and Virtualization 19-5 ASA 5585-X IPS SSP Virtual Sensor Configuration Sequence19-6 Command, for example sig1Example, rules1 Virtual sensor that you create19-7 19-8 Asaconfig-ctx#Asaconfig-ctx# Config-url disk0/c2.cfg 19-9 19-10 ASA 5585-X IPS SSP and Bypass ModeASA 5585-X IPS SSP and the Normalizer Engine 19-11 ASA 5585-X IPS SSP and Jumbo Packets19-12 Ips-ssp#hardware-module module 1 recover configureModule 1 details Asa# hw-module module 1 reset19-13 19-14 Ips-ssp#hw-module module 1 recover configure19-15 Traffic Flow Stopped on IPS SwitchportsAsaconfig# debug module-boot 19-16 Failover Scenarios19-17 19-18 20-1 IPS 7.2 File ListObtaining Cisco IPS Software 20-2 Enter your username and passwordIPS Software Versioning Downloading Cisco IPS SoftwarePatch Release Major UpdateMinor Update Service Pack20-4 Signature UpdateSignature Engine Update 20-5 Recovery and System Image Files20-6 IPS Software Release Examples20-7 Accessing IPS Documentation20-8 Cisco Security Intelligence Operations21-1 Upgrade Notes and Caveats21-2 Upgrades, Downgrades, and System Images21-3 Supported FTP and HTTP/HTTPS ServersUpgrading the Sensor IPS 7.21E4 Files21-4 Upgrade Notes and CaveatsManually Upgrading the Sensor Upgrading the Sensor Upgrade the sensorEnter the password when prompted Sensorconfig# upgrade url/IPS-SSP10-K9-7.2-1-E4.pkg21-6 Working With Upgrade Files21-7 Upgrading the Recovery Partition21-8 Configuring Automatic UpgradesConfiguring Automatic Updates Enter the server password. The upgrade process begins21-9 21-10 Configuring Automatic Upgrades21-11 Specify the username for authenticationSpecify the password of the user Exit automatic upgrade submodeSensor# show statistics host Applying an Immediate UpdateSensor# autoupdatenow 21-1221-13 Recovering the Application PartitionDowngrading the Sensor Sensorconfig# recover application-partition Installing System ImagesRecovering the Application Partition Image Recover the application partition image21-15 Connecting an Appliance to a Terminal ServerTftp Servers 21-16 Installing the System Image for the IPS 4345 and IPSPCI 21-17Rommon ping server Assign the Tftp server IP addressIf necessary, assign the gateway IP address 21-1821-19 Installing the System Image for the IPS 4510 and IPSRommon 21-20 21-21 If necessary, assign the Tftp server IP address21-22 Installing the System Image for the ASA 5500-X IPS SSPPeriodically check the recovery until it is complete Image the ASA 5500-X IPS SSP21-23 Installing the System Image for the ASA 5585-X IPS SSP21-24 Leave the Vlan ID at Specify the default gateway of the ASA 5585-X IPS SSPTo enable debugging of the software installation process Asa# hw-module module 1 recover boot21-26 Installing the ASA 5585-X IPS SSP System Image Using RommonRommon #0 set 21-2721-28 21-29 21-30 IPS System Design Understanding the IPS System ArchitectureFigure A-1illustrates the system design for IPS software Figure A-2 System Design for IPS 4500 Series Sensors System ApplicationsAppendix a System Architecture System Applications For detailed information about SDEE, see SDEE, page A-33 Security FeaturesARC MainAppUnderstanding the MainApp MainApp ResponsibilitiesUnderstanding the Event Store Event StoreStamp Value Meaning Event Data StructuresTable A-1shows some examples IPS Events NotificationAppVlan PEP CtlTransSourceFigure A-3 Attack Response ControllerFigure A-4illustrates the ARC Understanding the ARCARC Features Supported Blocking Devices Fwsm ACLs and VACLsMaintaining State Across Restarts Scenario Connection-Based and Unconditional BlockingNo shun ip Blocking with Cisco FirewallsTo unblock an IP address To clear all blocksLogger Blocking with Catalyst SwitchesConfiguring Authentication on the Sensor AuthenticationAppUnderstanding the AuthenticationApp Authenticating UsersManaging TLS and SSH Trust Relationships Web Server SensorAppUnderstanding the SensorApp Inline, Normalization, and Event Risk Rating Features Packet Flow SensorApp New FeaturesSignature Event Action Processor CollaborationApp Update Components Error Events SwitchAppUser Roles CLICommunications Service AccountIdapi Idconf Cidee Cisco IPS File StructureCLI Using the IdapiSummary of Cisco IPS Applications Application DescriptionEvents IDMJava applet that provides an Html IPS management interface IMEUnderstanding Signature Engines Signature EnginesAppendix B Signature Engines Understanding Signature Engines Appendix B Signature Engines Understanding Signature Engines Signature-id Specifies the ID of this signature Master EngineGeneral Parameters Parameter Description ValueSig-name Promiscuous Delta Vulnerable OS List Alert FrequencyObsoletes Event Actions Name Description To Match Regular Expression AIC Engine\NNN AIC Engine Parameters Understanding the AIC EngineAIC Engine and Sensor Performance Parameter Description Alarm-on-non-http-trafficTable B-6 AIC FTP Engine Parameters Atomic ARP Engine Atomic EngineAtomic IP Advanced Engine Atomic IP Advanced Engine Restrictions IsatapString IPv6 Parameter Description Value OL-29168-01 IPV4 L4 Protocol ICMPv6 Icmp IDL4 Protocol TCP and UDP OL-29168-01 Atomic IP Engine Parameter Description Value Appendix B Signature Engines OL-29168-01 Atomic IPv6 Signatures Atomic IPv6 EngineFixed Engine Table B-11 Fixed TCP Engine Parameters Flood Engine Flood Net Engine Parameters Meta EngineProtocol Specifies which kind of traffic to inspect Name1 Component-list Specifies the Meta engine componentMulti String Engine Normalizer Engine IPv6 Fragments IP Fragmentation NormalizationTCP Normalization ASA IPS Modules and the Normalizer Engine Service Engines Service DNS Engine Understanding the Service EnginesService FTP Engine Service Generic Engine Table B-20 Service Generic Engine Parameters Service H225 Engine Tpkt SetupSetup ASN.1-PERService Http Engine Crlfcrlf Service Ident Engine Service Msrpc Engine Smbcomtransaction Service Mssql Engine Service NTP Engine Service RPC Engine Service P2P EngineParameter Description Value Service SMB Advanced Engine Msrpc Uuid Service Snmp Engine Specify-object-id-Enables Service SSH EngineService TNS Engine State Engine Table B-32lists the parameters specific to the State engine String Engines Table B-33 String Icmp Engine Parameters Table B-35 String UDP Engine String XL Engines Parameter Description Value Unsupported String XL Parameters Data Nodes Sweep EnginesSweep Engine Type Sweep Other TCP Engine Sweep Other TCP Engine Parameters Traffic Anomaly EngineSignature Traffic Icmp Engine Trojan Engines Bug Toolkit TroubleshootingCreating and Using a Backup Configuration File Preventive MaintenanceUnderstanding Preventive Maintenance Sensor# copy current-config backup-config Backing Up the Current Configuration to a Remote Server Creating the Service Account Disaster Recovery Password Recovery ASA 5500 series adaptive Adaptive security appliance CLI Security appliance IPS modules CommandUsing Rommon Password-Reset issued for module ips Recovering the Password for the ASA 5585-X IPS SSP 0123 21E4 Disabling Password Recovery Verifying the State of Password Recovery Synchronizing IPS Clocks with Parent Device Clocks For the procedure for configuring NTP, see Configuring NTP,Time Sources and the Sensor Generate the hosts statistics again after a few minutes Verifying the Sensor is Synchronized with the NTP ServerGenerate the host statistics Advantages and Restrictions of Virtualization TFor More Information To learn more about Worms, see Understanding Worms, When to Disable Anomaly DetectionEnter show tech-support and save the output Reboot the sensorCommand output Analysis Engine Not RespondingExternal Product Interfaces Issues Troubleshooting Loose Connections Troubleshooting the ApplianceExternal Product Interfaces Troubleshooting Tips Analysis Engine is Busy Communication ProblemsCannot Access the Sensor CLI Through Telnet or SSH More Sensor# show configuration include access-list Correcting a Misconfigured Access ListMake sure the sensor cabling is correct Duplicate IP Address Shuts Interface DownMake sure the IP address is correct SensorApp and AlertingSensorApp is Not Running AnalysisEngine 20130410110072014 Release Physical Connectivity, SPAN, or Vacl Port Issue Sensor# show interfaces Unable to See AlertsSensor# show interfaces FastEthernet0/1 Make sure you have Produce Alert configuredCheck for alerts Sensor# show interfaces GigabitEthernet0/1 Sensorconfig-int#physical-interfaces GigabitEthernet0/1Sensor Not Seeing Packets Replace the virtual sensor file Cleaning Up a Corrupted SensorApp ConfigurationExit the service account Log in to the sensor CLI Check to see that the interface is up and receiving packetsSensor# cids start Troubleshooting BlockingStart the IPS services BlockingVerifying the ARC is Running Sensor# show events error 000000 Apr 01 2011 include nac If the ARC is not connecting, look for recurring errorsMake sure you have the latest software updates Sensor# show events error hhmmss month day year include nacFor More Information Verify the IP address for the managed devices Device Access IssuesStart the manual block of the bogus host IP address Sensorname Sensor Management Time-Based Actions Host BlocksBlocking Not Occurring for a Signature Enabling SSH Connections to the Network DeviceVerifying the Master Blocking Sensor Configuration Exit network access general submode Enabling Debug Logging Enable debug logging for all zonesLogging View the zone names Turn on individual zone controlExit master zone control Protected entry zone-name nac Exit the logger submode Turn on debugging for a particular zoneZone Name Description Zone NamesPress Enter to apply changes or type no to discard them Table C-2lists the debug logger zone namesDirecting cidLog Messages to SysLog TCP Reset Not Occurring for a Signature Sensor# show events alert Software UpgradesUpgrading Error Make sure the correct alarms are being generatedIssues With Automatic Update Which Updates to Apply and Their PrerequisitesUpdating a Sensor with the Update Stored on the Sensor Click the Advanced tab Troubleshooting the IDMCannot Launch the IDM Loading Java Applet Failed Delete the temp files and clear the history in the browser Cannot Launch the IDM-The Analysis Engine BusySignatures Not Producing Alerts Troubleshooting the IMETime Synchronization on IME and the Sensor Troubleshooting the ASA 5500-X IPS SSPNot Supported Error Message Health and Status Information E1000 00000005.0 PCI INT a disabled 303 Appendix C Troubleshooting Usb CRS IRQ Failover Scenerios ASA 5500-X IPS SSP and the Normalizer Engine ASA 5500-X IPS SSP and Jumbo Packets ASA 5500-X IPS SSP and Memory UsageHw-module module 1 reset command Troubleshooting the ASA 5585-X IPS SSPReset issued for module in slot Asa# show Mgmt IP addr 192.0.2.3 Failover Scenarios ASA 5585-X IPS SSP and the Normalizer Engine Traffic Flow Stopped on IPS SwitchportsASA 5585-X IPS SSP and Jumbo Packets Gathering InformationTech Support Information Health and Network Security InformationDisplaying Tech Support Information Understanding the show tech-support CommandSensor# show tech-support page System Status Report Tech Support Command Output= No Displaying Version Information Understanding the show version CommandVersion Information Version 29.1 Platform IPS4360 Serial Number Service aaa Displaying Statistics Understanding the show statistics CommandStatistics Information Percentage Thread Sec Min Average Inspection Stats Inspector Active Call Create Delete Display the statistics for anomaly detection Sensor# show statistics event-store Sensor# show statistics denied-attackersSensor# show statistics event-server Threat Multicast MTU1500 Metric1 Appendix C Troubleshooting Gathering Information Display the statistics for the notification application Name Current OL-29168-01 Sensor# show statistics web-server listener-443 Interfaces Information Understanding the show interfaces CommandDisplaying Interface Traffic History Interfaces Command OutputAvg Load Peak Load GigabitEthernet0/1 Time Packets Received Bytes Received Mbps Events Information Displaying Events Understanding the show events CommandSensor Events Displaying Events 100 101 CidDump ScriptClearing Events Usr/cids/idsRoot/bin/cidDump Uploading and Accessing Files on the Cisco FTP SiteEnter the following command 102URI CLI Error MessagesReason Command Error Message Reason Command User attempted to downgrade a System that has not been upgradedPacket-file but no packet-file has Been capturedAdministrator user attempted to log Initial login User attempted to cancel a CLIOperator or viewer user attempted to Initial login Log in when the maximum numberAppendix D CLI Error Messages Reason/Location CLI Validation Error MessagesInterface set has already been assigned to another Detection configuration file that is currently in useInterface and optional sub-interface being Added to the virtual sensor entry physicalOL-29168-01 GL-1 GL-2 To detect worm-infected hostsGL-3 GL-4 Certificate for one CA issued by another CAAuthoritative private key GL-5 GL-6 802.1q to be used Dual In-line Memory ModulesA public outside network To the transmit line and reads data from the receive lineGL-8 GL-9 Procedures, and basic data transport methodsAn ITU standard that governs H.245 endpoint control GL-10 GL-11 GL-12 GL-13 Proprietary branchesDetailed information about signatures GL-14 GL-15 GL-16 Quality and service availabilityGL-17 GL-18 Network devices. Used with the IDS MCUnauthorized activity Analysis EngineGL-19 GL-20 GL-21 Authorization, and accountingNetwork asset through its IP address Local system. Telnet is defined in RFCGL-22 GL-23 Through a switch. Also known as security ACLsRFC Version identifier. Part of the UDIGL-24 GL-25 Payload reassemblyHosts GL-26 IN-1 AIC FTPAIC Http IN-2 IN-3 NATTACACS+ ARPIN-4 AsdmSSP IN-5 RadiusIN-6 BO2KURL Cidee IN-7 ExecIN-8 IN-9 IN-10 IN-11 CSA MCIN-12 TFNIN-13 AIC FTP AIC HttpIN-14 IN-15 IN-16 IdapiIdconf IN-17 IdiomASA 5500-X IPS SSP ASA 5585-X IPS SSP IN-18 TcpdumpIN-19 IPS SSPIN-20 SSHLoki IN-21 SnmpIN-22 IN-23 IN-24 IN-25 RTTSdee Http A-33IN-26 IN-27 IN-28 AICIN-29 Cidee Idconf Idiom SdeeSmtp IN-30 IN-31 TACTFN2K TLSIN-32 BO2K Loki TFN2KViewer role privileges Upgrade commandSensor initialization Sensor setup Version display Sensing process not runningIN-34