Configuring OS Maps

Chapter 8 Configuring Event Action Rules

Configuring OS Identifications

–hp-ux—Variants of HP-UX

–irix—Variants of IRIX

–linux—Variants of Linux

–solaris—Variants of Solaris

–windows—Variants of Microsoft Windows

–windows-nt-2k-xp—Variants of NT, 2000, and XP

–win-nt—Specific variants of Windows NT

–unknown—Unknown OS

•default—Sets the value back to the system default setting.

•no—Removes an entry or selection setting.

•passive-traffic-analysis {enabled disabled}—Enables/disables passive OS fingerprinting analysis.

To configure OS maps, follow these steps:

Step 1 Log in to the CLI using an account with administrator privileges.

Step 2 Enter event action rules submode.

sensor# configure terminal

sensor(config)# service event-action-rules rules1

sensor(config-eve)#

Step 3 Create the OS map. Use inactive before after

name1, name2, and so forth to name your OS maps. Use the begin end keywords to specify where you want to insert the filter.

sensor(config-eve)# os-identificationsensor(config-eve-os)# configured-os-map insert name1 begin sensor(config-eve-os-con)#

Step 4 Specify the values for this OS map:

a.Specify the host IP address.

sensor(config-eve-os-con)# ip 192.0.2.0-192.0.2.255

b.Specify the host OS type.

sensor(config-eve-os-con)# os unix

Caution You can specify multiple operating systems for the same IP address. The last one in the list is the operating system that is matched.

Step 5 Verify the settings for the OS map.

sensor(config-eve-os-con)# show settings NAME: name1

-----------------------------------------------

	ip: 192.0.2.0-192.0.2.255 default:
	os: unix
	-----------------------------------------------
	sensor(config-eve-os-con)#
	Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01		8-29
OL-29168-01		8-29

Page 271

Image 271

Cisco Systems IPS4510K9 manual Configuring OS Maps, Specify the host OS type, Verify the settings for the OS map

IPS4510K9 specifications

Cisco Systems has long been a leading player in network security, and its IPS (Intrusion Prevention System) series is a testament to its commitment to safeguarding digital environments. Among its notable offerings are the IPS4510K9 and IPS4520K9 models, both designed to provide advanced threat protection for mid-sized to large enterprise networks.

The Cisco IPS4510K9 and IPS4520K9 are distinguished by their cutting-edge features that help organizations defend against a myriad of cyber threats. These systems utilize a multi-layered approach to security, integrating intrusion prevention, advanced malware protection, and comprehensive visibility across the network.

One of the primary characteristics of the IPS4510K9 is its high performance. It boasts a throughput of up to 1 Gbps, making it suitable for environments that demand rapid data processing and real-time responses to threats. The IPS4520K9, on the other hand, enhances that capability with improved throughput of up to 2 Gbps, accommodating larger enterprises with heavier network traffic. These models are equipped with powerful processors that support complex signature matching and can intelligently distinguish between legitimate traffic and potential threats.

In addition to performance, both models are designed with scalability in mind. They can be easily integrated into existing Cisco infrastructures. This facilitates a seamless enhancement of security without causing significant interruptions to ongoing operations. Moreover, they offer flexible deployment options, allowing organizations to operate them inline or out of band depending on their specific needs.

The Cisco IPS4510K9 and IPS4520K9 leverage advanced detection technologies, utilizing a variety of signature types and heuristic analysis to detect known and unknown threats effectively. They are equipped with real-time alerting and reporting capabilities, giving security teams immediate visibility into potential breaches and enabling them to respond swiftly.

Furthermore, both models support a range of management options through the Cisco Security Manager, allowing for centralized administration, streamlined policy management, and enhanced monitoring capabilities. Automated updates ensure the systems remain current with the latest threat intelligence, vital for staying ahead of evolving cyber threats.

In summary, the Cisco Systems IPS4510K9 and IPS4520K9 represent powerful solutions for organizations seeking robust intrusion prevention capabilities. With their high performance, scalability, and advanced detection technologies, these systems are essential tools in the ever-changing landscape of cybersecurity, providing enterprises with the peace of mind needed to operate securely in today's digital world.

Contents

Text Part Number OL-29168-01 Americas HeadquartersPage Iii N T E N T S Advanced Setup for the Appliance Interface Support Understanding Inline Vlan Pair Mode Vii Configuring Alert Severity Viii Example String XL TCP Engine Match Offset Signature Understanding Worms Configuring Global Correlation Configuring IP Logging Xii Routers Xiii Using Rommon Xiv Configuring the ASA 5585-X IPS SSP Upgrading, Downgrading, and Installing System Images Xvi NotificationApp Xvii AIC Engine B-10 Xviii Creating the Service Account C-5 Xix Communication Problems Understanding the show tech-support Command C-75 Xxi CLI Validation Error Messages D-6 Xxii Audience ContentsOrganization Xxiv Xxv ConventionsRelated Documentation Convention Indication Xxvi Obtaining Documentation and Submitting a Service Request Supported User Roles Logging In Notes and CaveatsIi-1 For More Information Logging In to the ApplianceIi-2 Exit Wr mem Connecting an Appliance to a Terminal ServerConfig t Ii-3 Ii-4 Logging In to the ASA 5500-X IPS SSPAsa# session ips Ii-5 Logging In to the ASA 5585-X IPS SSPAsa# session Ii-6 Logging In to the Sensor Ii-7 Ii-8 Supported IPS Platforms IPS CLI Configuration Guide Sensor Configuration Sequence User Roles Viewers AdministratorService Operators Help CLI BehaviorFollowing tips help you use the Cisco IPS CLI Prompts Display Options Command Line EditingRecall Case Sensitivity Keys Description String IPS Command ModesRegular Expression Syntax Character Description Or more times Only if it is at the end of the stringMatches a as well as b Matches any character Sensor# configure terminal Generic CLI Commands CLI Keywords OL-29168-01 Initializing Notes and Caveats Initializing the Sensor System Configuration Dialog Simplified Setup ModeUnderstanding Initialization Example 2-1 Example System Configuration Dialog Example 2-1shows a sample System Configuration Dialog Initializing the Sensor Basic Sensor Setup Basic Sensor Setup Initializing the Sensor Basic Sensor Setup Following configuration was entered Initializing the Sensor Advanced Setup Advanced Setup Advanced Setup for the Appliance Press Enter to return to the available interfaces menu Enter 1 to edit the interface configurationEnter a subinterface number and description Enter numbers for Vlan 1 Enter 2 to modify the virtual sensor configuration, vs0 Enter 2 to edit the virtual sensor configurationPress Enter to return to the top-level editing menu Host-ip 192.168.1.2/24,192.168.1.1 Enter 2 to save the configuration Reboot the appliance Advanced Setup for the ASA 5500-X IPS SSP Enter a name and description for your virtual sensor Enter 2 to modify the virtual sensor vs0 configuration Modify default threat prevention settings?no Asa-ips#show tls fingerprint Reboot the ASA 5500-X IPS SSP Advanced Setup for the ASA 5585-X IPS SSP Enter 2 to edit the virtual sensor configuration Exit Service analysis-engine Verifying Initialization Reboot the ASA 5585-X IPS SSPIps-ssp#show tls fingerprint Sensor# show configuration View your configuration Sensor# show tls fingerprint Display the self-signed X.509 certificate needed by TLS Setup Notes and Caveats Setting Up the Sensor Changing Network Settings Understanding Sensor Setup Changing the Hostname Changing the IP Address, Netmask, and Gateway Exit network settings modeEnter network settings mode Change the sensor IP address, netmask, and default gateway Enabling and Disabling Telnet Enable Telnet services Verify that Telnet is enabled Changing the Access List Verify the value has been set back to the default Verify the change you made to the access-listRemove the entry from the access list Change the value back to the default Verify the FTP timeout change Changing the FTP TimeoutTo change the FTP timeout, follow these steps Change the number of seconds of the FTP timeout Add the banner login text Adding a Login BannerVerify the banner login text message Verify the login text has been removed Verify the settings Enable a DNS server Login-banner-text defaulted dns-primary-server Enabling SSHv1 Fallback Verify that SSHv1 fallback is enabled Exit authentication mode Changing the CLI Session TimeoutChange the number of seconds of the CLI session timeout Verify the CLI session timeout change When disabled, the client can use the following ciphers Changing Web Server SettingsTLSDHERSAWITHAES256CBCSHA256 TLSDHEDSSWITHAES256CBCSHA256 Change the port number Sensor# configure terminal Sensorconfig# service web-server Turn on TLS client ciphers restriction Specify the web session inactivity timeoutTurn on logging for web session inactivity timeouts Verify the defaults have been replaced Adding and Removing Users Configuring Authentication and User Parameters Sensor# show users all Sensorconfig# username username password password privilegeSensorconfig# username tester privilege administrator Specify the parameters for the user To remove a user, use the no form of the command Configuring AuthenticationSensor# configure terminal Sensorconfig# no username jsmith Radius Authentication Options Configuring Local or Radius Authentication Enter AAA submode Sensorconfig-aaa-rad#default-user-role operator Enter the Radius server IP address Ips-role=administrator Ips-role=service Enter the IP address of the second Radius server Specify the type of console authentication Exit AAA mode Configuring Packet Command RestrictionAAA Radius Users Sensorconfig-aut#permit-packet-logging false Enter authentication submodeCheck your new setting Sensorconfig-aut#permit-packet-logging true Sensorconfig# user username privilege service Creating the Service Account Exit configuration mode Service Account and Radius AuthenticationRadius Authentication Functionality and Limitations Configuring Passwords Changing User Privilege Levels Change your password Verify all users. The account of the user jsmith is locked Showing User StatusChange the privilege level from viewer to operator Display your current level of privilege To unlock the account of jsmith, reset the password Configuring the Password PolicyExample Check that the setting has returned to the default Set the value back to the system default settingLocking User Accounts Unlock the account Enter global configuration modeUnlocking User Accounts Parentheses Time Sources and the Sensor Configuring TimeIPS Standalone Appliances Correcting Time on the Sensor Configuring Time on the SensorASA IPS Modules Sensor# show clock Manually Setting the System ClockSymbol Displaying the System Clock Sensor# clock set 1321 Mar 29 Configuring Recurring Summertime SettingsEnter the month you want to start summertime settings Enter start summertime submode Specify the local time zone used during summertime Verify your settingsEnter the month you want to end summertime settings Enter end summertime submode Exit recurring summertime submode Configuring Nonrecurring Summertime Settings Exit non-recurring summertime submode Sensorconfig-hos-tim#standard-time-zone-name CST Configuring NTPConfiguring Time Zones Settings Exit time zone settings submode Example Configuring a Cisco Router to be an NTP Server Verify the unauthenticated NTP settings Configuring the Sensor to Use an NTP Time SourceEnter service host mode Configure unauthenticated NTP Enter NTP configuration mode Exit NTP configuration mode Configuring SSHConfigure authenticated NTP Enter NTP configuration mode Verify the NTP settings Adding Hosts to the SSH Known Hosts List Understanding SSH Sensor# show ssh host-keys Sensorconfig# ssh host-keyAdd an entry to the known hosts list View the key for a specific IP address Adding Authorized RSA1 and RSA2 Keys Sensorconfig# no ssh host-key Generating the RSA Server Host Key Sensor# show ssh server-key Sensor# ssh generate-key Understanding TLS Configuring TLS Adding TLS Trusted Hosts Sensorconfig# tls trusted-host ip-address 10.89.146.110 port Verify that the key was generated Displaying and Generating the Server CertificateView the fingerprint for a specific host Remove an entry from the trusted hosts list Understanding the License Key Installing the License Key Obtaining and Installing the License Key Service Programs for IPS Products Installing the License Key Verify the sensor is licensed Licensing the ASA 5500-X IPS SSP Verify the sensor key has been uninstalled Uninstalling the License KeySensor# erase license-key Setting Up the Sensor Installing the License Key OL-29168-01 Interface Notes and Caveats Configuring Interfaces IPS Interfaces Understanding Interfaces Sensor Command and Control Interface Command and Control Interface Understanding Alternate TCP Reset Interfaces TCP Reset InterfacesSensing Interfaces None Designating the Alternate TCP Reset Interface2lists the alternate TCP reset interfaces Sensor Alternate TCP Reset Interface Interfaces Not Interface SupportBase Chassis Cards Sensing Ports Inline Interface Pairs Combinations Supporting Command and Control Interface Configuration Restrictions Configuring Interfaces Understanding Interfaces Interface Configuration Sequence Configuring Physical Interfaces Specify the interface for promiscuous mode Configuring the Physical Interface SettingsDisplay the list of available interfaces Sensorconfig-int-phy#alt-tcp-reset-interface none Remove TCP resets from an interfaceAdd a description of this interface Understanding Promiscuous Mode Configuring Promiscuous ModeExit interface submode IPv6, Switches, and Lack of Vacl Capture Configuring Promiscuous Mode Understanding Inline Interface Mode Configuring Inline Interface ModeSet span 930, 932, 960, 962 4/1-4 both Creating Inline Interface Pairs Configuring Inline Interface Pairs It can monitor traffic see Step Enable the interfaces assigned to the interface pairName the inline pair Display the available interfaces Verify that the interfaces are enabled Sensorconfig-int#no inline-interfaces PAIR1 Exit interface configuration submodeVerify the inline interface pair has been deleted Understanding Inline Vlan Pair Mode Configuring Inline Vlan Pair Mode Configuring Inline Vlan Pairs Been configured Configuring Inline Vlan Pairs OL-29168-01 Designate an interface Set up the inline Vlan pairVerify the inline Vlan pair settings Sensorconfig-int#no inline-interfaces interfacename Understanding Vlan Group Mode Configuring Vlan Group ModeTo delete Vlan pairs Delete one Vlan pair Deploying Vlan Groups Configuring Vlan Groups Configuring Inline Vlan Groups None Subinterface-type Specify an interface Set up the Vlan groupAssign the VLANs to this group Assign specific VLANs Verify the Vlan group settings Configure unassigned VLANsAdd a description for the Vlan group Understanding Inline Bypass Mode Configuring Inline Bypass ModeDelete Vlan groups Delete one Vlan group Configuring Bypass Mode Configuring Inline Bypass ModeConfigure bypass mode Configuring Interface Notifications Configuring Interface Notifications Configuring CDP Mode Displaying Interface Statistics Enabling CDP ModeEnable CDP mode Sensorconfig-int#cdp-mode forward-cdp-packets Sensor# show interfaces Interface Statistics Sensor# show interfaces brief Sensor# show interfaces clear Interface Statistics Display the statistics for a specific interfaceClear the statistics Sensor# show interfaces Management0/0 Displaying Interface Traffic History Display the interface traffic history by the minute Displaying Historical Interface StatisticsTo display interface traffic history, follow these steps Display the interface traffic history by the hour Bytes Received Mbps Virtual Sensor Notes and Caveats Configuring Virtual Sensors Understanding Virtual Sensors Understanding the Analysis EngineAdvantages and Restrictions of Virtualization Inline TCP Session Tracking Mode Restrictions Normalization and Inline TCP Evasion Protection ModeHttp Advanced Decoding Adding, Editing, and Deleting Virtual Sensors Adding Virtual Sensors Add a description for this virtual sensor Sensorconfig-ana-vir#description virtual sensorAdding a Virtual Sensor Add a virtual sensor Assign a signature definition policy to this virtual sensor Enable Http advanced decodingVerify the virtual sensor settings Assign an event action rules policy to this virtual sensor Exit analysis engine mode Edit the description of this virtual sensor Editing and Deleting Virtual SensorsEditing or Deleting a Virtual Sensor Edit the virtual sensor, vs1 Sensorconfig-ana-vir#physical-interface GigabitEthernet0/2 Verify the edited virtual sensor settingsDelete a virtual sensor Sensorconfig-ana# exit Create the flow depth variable Configuring Global VariablesCreating a Global Variable Create the variable for the maximum number of open IP logs Verify the global variable settings Create the variable for service activitySensor# show statistic analysis-engine OL-29168-01 Understanding Policies Signature Definition Notes and Caveats Sensor# copy signature-definition sig0 sig1 Sensor# list signature-definition-configurationsWorking With Signature Definition Policies Delete a signature definition policy Understanding Signatures Reset a signature definition policy to factory settingsConfirm the signature definition policy has been deleted Understanding Signature Variables Configuring Signature VariablesCreating Signature Variables Adding, Editing, and Deleting Signature Variables Signature Definition Options Configuring Signatures Configuring Alert Frequency Specify the summary key Configuring Alert FrequencySpecify the signature you want to configure Enter alert frequency submode Assign the alert severity Configuring Alert SeverityConfiguring Alert Severity To configure the alert severity, follow these steps Configuring the Event Counter Configuring the Event CounterExit signatures submode Enter event counter submode Optional Enable alert interval Configuring the Signature Fidelity Rating Configuring Signature Fidelity RatingSpecify the signature fidelity rating for this signature Change the status for this signature Configuring the Status of SignaturesChoose the signature you want to configure Changing the Signature Status Configuring Vulnerable OSes Configuring the Vulnerable OSes for a SignatureSpecify the vulnerable OSes for this signature Assigning Actions to Signatures Configure the event action Configuring Event ActionsSpecify the percentage for rate limiting Understanding the AIC Engine Configuring AIC SignaturesExit event action submode AIC Engine and Sensor Performance Configuring the Application Policy Sensorconfig-sig-app-htt#aic-web-ports 80-80,3128-3128 Configuring the Application PolicyEnable inspection of FTP traffic Enable Http application policy enforcement Signature ID Define Request Method AIC Request Method Signatures Signature ID Signature Description AIC Mime Define Content Type Signatures Signature ID Signature Description Signature ID Signature Description Signature ID Transfer Encoding Method AIC Transfer Encoding Signatures Signature ID FTP Command AIC FTP Commands Signatures Creating an AIC Signature Define the signature type Define the content typeDefining a MIME-Type Policy Signature Specify the event action Understanding IP Fragment Reassembly Configuring IP Fragment ReassemblySignature ID and Name Description Range Default Action For More Information Specify the engine Configuring IP Fragment Reassembly ParametersConfiguring the Method for IP Fragment Reassembly Enter edit default signatures submode Verify the setting Configuring TCP Stream ReassemblyUnderstanding TCP Stream Reassembly Configuring the IP Fragment Reassembly Method TCP Stream Reassembly Signatures and Configurable Parameters TCP Stream Reassembly Signatures SYN SYN Configuring TCP Stream Reassembly Signatures Configuring the Mode for TCP Stream Reassembly Sensorconfig-sig-str#tcp-3-way-handshake-required true Configuring the TCP Stream Reassembly ParametersSensorconfig-sig-str#tcp-reassembly-mode strict Specify the length of time you want the sensor to log Configuring IP LoggingConfiguring IP Logging Parameters Specify the number of packets you want logged Sequence for Creating a Custom Signature Creating Custom Signatures Example String TCP Engine Signature Creating a String TCP Engine Signature Verify the settings Example Service Http Engine Signature Specify the alert traits. The valid range is from 0 to Creating a Service Http Engine SignatureEnter signature description mode Specify a signature name Exit Regex submode Configure the Regex parametersExample Meta Engine Signature Exit alert frequency submode Meta Signature Engine Enhancement Defining Signatures Creating Custom Signatures Creating a Meta Engine Signature Example IPv6 Engine Signature Specify the L4 protocol Sensorconfig-sig-sig#engine atomic-ip-advancedSpecify the IP version Specify IPv6 Creating a String XL TCP Engine Signature Example String XL TCP Engine Match Offset Signature Specify an exact match offset for this signature Sensorconfig-sig-sig-str#specify-exact-match-offset yesSpecify the String XL TCP engine Specify the regex string to search for in the TCP packet Specify a minimum match offset for this signature Example String XL TCP Engine Minimum Match Length Signature Specify a signature ID and subsignature ID for the signature Specify a new Regex string to search for and turn on UTF-8 OL-29168-01 Event Action Rules Notes and Caveats Configuring Event Action Rules Understanding Event Action Rules Understanding Security Policies Signature Event Action Processor Action filter Alert and Log Actions Deny Actions Understanding Deny Packet Inline Other Actions TCP Normalizer Signature Warning Event Action Rules Configuration Sequence Working With Event Action Rules Policies Working With Event Action Rules PoliciesSensor# copy event-action-rules rules0 rules1 Confirm the event action rules instance has been deleted Reset an event action rules policy to factory settingsEvent Action Variables Delete an event action rules policy IPv6 Addresses When configuring IPv6 addresses, use the following formatUnderstanding Event Action Variables IPv4 Addresses Adding, Editing, and Deleting Event Action Variables Sensorconfig-eve#variables variable-ipv4 addressWorking With Event Action Variables Verify the event action rules variable you deleted Verify that you added the event action rules variableVerify that you edited the event action rules variable Delete an event action rules variable Calculating the Risk Rating Configuring Target Value Ratings 2illustrates the risk rating formula Understanding Threat Rating Adding, Editing, and Deleting Target Value Ratings Adding, Editing, and Deleting Target Value Ratings Understanding Event Action Overrides Configuring Event Action Overrides Configuring Event Action Overrides Write events that request an Snmp trap to the Event Store Log packets from both the attacker and victim IP addressesWrite an alert to Event Store Write verbose alerts to Event Store Understanding Event Action Filters Configuring Event Action Filters Configuring Event Action Filters OL-29168-01 Configuring Event Action Filters Edit the parameters see Steps 4a through 4l Verify the settings for the filterAdd any comments you want to use to explain this filter Edit an existing filter Move a filter to the inactive list Sensorconfig-eve#filters move name1 inactiveVerify that the filter has been moved to the inactive list Understanding Passive OS Fingerprinting Configuring OS Identifications Passive OS Fingerprinting Configuration Considerations Unix Adding, Editing, Deleting, and Moving Configured OS MapsIP Address Range Set IOS Verify the settings for the OS map Configuring OS MapsSpecify the host OS type Move an OS map to the inactive list Enable passive OS fingerprintingEdit an existing OS map Verify that you have moved the OS maps Verify that the OS map has been deleted Sensorconfig-eve-os#no configured-os-map name2Displaying and Clearing OS Identifications Delete an OS map Sensor# clear os-identification learned Configuring General SettingsDisplaying and Clearing OS Identifications Verify that the OS IDs have been cleared Understanding Event Action Aggregation Understanding Event Action Summarization Enter general submode Configuring the General SettingsConfiguring Event Action General Settings Enable or disable the summarizer. The default is enabled Adding a Deny Attacker Entry to the Denied Attackers List Configuring the Denied Attackers ListVerify the settings for general submode Sensorconfig-eve-gen#global-filters-status enabled disabled Enter yes to remove the deny attacker entry from the list Monitoring and Clearing the Denied Attackers ListAdding Entries to the Denied Attacker List Remove the deny attacker entry from the list Delete the denied attackers list Displaying and Deleting Denied Attackers Important to know if the list has been cleared Monitoring EventsDisplaying Events Clear only the statistics To display events from the Event Store, follow these steps Displaying EventsSensor# show events Display alerts from the past 45 seconds Sensor# show events error warning 100000 Feb 9Sensor# show events alert past Sensor# show events past Clearing Events from Event StoreDisplay events that began 30 seconds in the past Enter yes to clear the events OL-29168-01 Anomaly Detection Notes and Caveats Configuring Anomaly Detection Understanding Worms Understanding Anomaly Detection Anomaly Detection Modes Anomaly Detection Zones Anomaly Detection Configuration Sequence Signature ID Subsignature ID Name Description Anomaly Detection Signatures Signature ID Subsignature ID Name Description Exit analysis engine submode Enable anomaly detection operational modeEnabling Anomaly Detection Working With Anomaly Detection Policies Delete an anomaly detection policy Working With Anomaly Detection PoliciesSensor# copy anomaly-detection ad0 ad1 Verify that the anomaly detection instance has been deleted Configuring Anomaly Detection Operational SettingsReset an anomaly detection policy to factory settings Sensor# list anomaly-detection-configurations Sensorconfig-ano-ign#source-ip-address-range Configuring the Internal ZoneConfiguring Anomaly Detection Operational Settings Specify the worm timeout Configure TCP protocol Configure UDP protocol Configuring the Internal ZoneConfiguring the Internal Zone Enable the internal zone Enable TCP protocol Configuring TCP Protocol for the Internal ZoneConfigure the other protocols Configuring Internal Zone TCP Protocol Set the scanner threshold Enable the service for that portThem and configure your own scanner values Verify the TCP configuration settings Configuring UDP Protocol for the Internal Zone Associate a specific port with UDP protocol Configuring the Internal Zone UDP ProtocolEnable UDP protocol Verify the UDP configuration settings Configuring Anomaly Detection Configuring the Internal Zone Associate a specific number for the other protocols Configuring Other Protocols for the Internal ZoneConfiguring the Internal Zone Other Protocols Enable the other protocols Verify the other configuration settings Understanding the Illegal Zone Configuring the Illegal ZoneConfiguring the Illegal Zone Configuring the Illegal Zone Enable the illegal zone Configuring TCP Protocol for the Illegal ZoneSensorconfig-ano-ill#ip-address-range Configuring the Illegal Zone TCP Protocol Enabled true defaulted Sensorconfig-ano-ill-tcp# Configuring the Illegal Zone UDP Protocol Configuring UDP Protocol for the Illegal Zone Sensorconfig-ano-ill-udp-dst-yes# scanner-threshold Configuring the Illegal Zone Other Protocols Configuring Other Protocols for the Illegal Zone Verify the other protocols configuration settings Configuring the External Zone Configuring the External ZoneUnderstanding the External Zone Configuring the External Zone Configuring TCP Protocol for the External ZoneEnable the external zone Configuring the External Zone TCP Protocol Sensorconfig-ano-ext-tcp# Configuring the External Zone UDP Protocol Configuring UDP Protocol for the External Zone Sensorconfig-ano-ext-udp-dst-yes# scanner-threshold Configuring Other Protocols for the External Zone To configure other protocols for a zone, follow these steps Configuring the External Zone Other Protocols KB and Histograms Configuring Learning Accept Mode Example Histogram Configuring Learning Accept Mode Configuring Learning Accept Mode Sensorconfig-ano#learning-accept-mode manual Sensorconfig-ano#learning-accept-mode auto Sensor# show ad-knowledge-base files Working With KB FilesDisplaying KB Files Display the KB files for all virtual sensors Save the current KB file and store it as a new name Saving and Loading KBs ManuallyDisplay the KB files for a specific virtual sensor Manually Saving and Loading KBs Copying, Renaming, and Erasing KBs Rename a KB file Copying, Renaming, and Removing KB FilesRemove a KB file from a specific virtual sensor Locate the file you want to compare Displaying the Differences Between Two KBsComparing Two KBs To compare two KBs, follow these steps Displaying the Thresholds for a KB Sensor# show ad-knowledge-base vs1 files Virtual Sensor vs1 Displaying KB Thresholds To display anomaly detection statistics, follow these steps Displaying Anomaly Detection StatisticsSensor# show statistics anomaly-detection vs0 Display the statistics for all virtual sensors Disabling Anomaly Detection Disable anomaly detection operational mode OL-29168-01 10-1 Global Correlation Notes and Caveats Participating in the SensorBase Network Understanding Global Correlation10-2 10-3 Understanding Reputation1shows how we use the data Type of Data Purpose 10-4 Understanding Network Participation 10-5 Understanding Efficacy Understanding Reputation and Risk Rating Global Correlation Features and Goals10-6 10-7 Global Correlation Requirements 10-8 Understanding Global Correlation Sensor Health Metrics 10-9 Global Correlation Update Client Specify the level of global correlation inspection Configuring Global CorrelationSensorconfig-glo#global-correlation-inspection on Turn on global correlation inspection 10-11 Configuring Network ParticipationTurn on reputation filtering Exit global correlation submode 10-12 Turning on Network ParticipationTurn on network participation Enter yes to agree to participate in the SensorBase Network Disabling Global Correlation Troubleshooting Global Correlation10-13 Disabling Global Correlation Displaying Global Correlation Statistics10-14 10-15 Clear the statistics for global correlation 10-16 Understanding External Product Interfaces External Product Interface Notes and Caveats11-1 11-2 Understanding the CSA MC 11-3 External Product Interface Issues Adding External Product Interfaces and Posture ACLs Configuring the CSA MC to Support the IPS Interface11-4 11-5 Adding External Product Interfaces 11-6 Choose the action deny or permit the posture ACL will take Sensorconfig-ext-cis-hos#allow-unreachable-postures yesSensorconfig-ext-cis-hos#posture-acls insert name1 begin Enter the network address the posture ACL will use Exit external product interface submode Troubleshooting External Product Interfaces11-8 12-1 IP Logging Notes and Caveats Understanding IP Logging Configuring Automatic IP Logging12-2 12-3 Configuring Automatic IP Logging Sensor# iplog vs0 192.0.2.1 duration Configuring Manual IP LoggingMonitor the IP log status with the iplog-status command 12-4 Displaying the Contents of IP Logs Stop the IP log session Stopping Active IP LogsDisplay a brief list of all IP logs Disabling IP Logging Sessions 12-7 Copying IP Log Files to Be ViewedStop all IP logging sessions on a virtual sensor Copying IP Log Files 12-8 Copy the IP log to your FTP or SCP server 13-1 Packet Display And Capture Notes and Caveats Displaying Live Traffic on an Interface Understanding Packet Display and Capture13-2 13-3 Displaying Live Traffic From an InterfaceSensor# packet display GigabitEthernet0/1 Expression ip proto \\tcp Capturing Live Traffic on an InterfaceDisplay information about the packet file 13-4 Sensor# packet capture GigabitEthernet0/1 Capturing Live Traffic on an InterfaceView the captured packet file 13-5 View any information about the packet file Copying the Packet File13-6 Verify that you have erased the packet file View the packet file with Wireshark or TcpdumpErasing the Packet File Erase the packet file 13-8 14-1 Blocking Notes and Caveats 14-2 Understanding Blocking 14-3 Vlan B Icmp Understanding Rate LimitingDestination IP Signature ID Signature Name Protocol Data TCP Understanding Service Policies for Rate LimitingBefore Configuring ARC UDP 14-6 Supported Devices 14-7 Configuring Blocking Properties 14-8 Enter network access submodeSensorconfig# service network-access Allowing the Sensor to Block Itself 14-9 Configure the sensor not to block itselfExit network access submode Disabling Blocking Verify that the setting has been returned to the default Blocks on the devices are updatedTo disable blocking or rate limiting, follow these steps Enable blocking on the sensor 14-11 Specifying Maximum Block Entries 14-12 Return to the default value of 250 blocksSensorconfig-net-gen#default block-max-entries Change the maximum number of block entries These steps Time for manual blocks is set when you request the blockSpecifying the Block Time Signatures 14-14 Enabling ACL Logging 14-15 Enabling Writing to Nvram 14-16 Logging All Blocking Events and ErrorsDisable writing to Nvram Verify that writing to Nvram is disabled 14-17 Configuring the Maximum Number of Blocking Interfaces Verify the number of maximum interfaces Return the setting to the defaultVerify the default setting Specify the maximum number of interfaces For a network Configuring Addresses Never to BlockConfiguring Addresses Never to Be Blocked Sensorconfig-net-gen#never-block-hosts Enter the username for that user profile Configuring User ProfilesSpecify the password for the user Create the user profile name 14-21 Configuring Blocking and Rate Limiting DevicesSpecify the enable password for the user How the Sensor Manages Devices 14-22 Configuring the Sensor to Manage Cisco Routers Specify the IP address for the router controlled by the ARC Routers and ACLs14-23 14-24 14-25 Switches and VACLs 14-26 Sensorconfig-net-cat#communication telnet ssh-3des Optional Add the post-VACL name Configuring the Sensor to Manage Cisco FirewallsSpecify the Vlan number Optional Add the pre-VACL name 14-28 Configuring the Sensor to be a Master Blocking Sensor Sensorconfig-web# exit Configuring the Master Blocking Sensor14-29 Specify whether or not the host uses TLS/SSL Sensorconfig# tls trusted-host ip-address 192.0.2.1 portEnter password Add a master blocking sensor entry End the host block Configuring Host BlockingConfiguring Network Blocking Blocking a Host 14-32 Configuring Connection BlockingBlocking a Network End the network block Blocks are Obtaining a List of Blocked Hosts and ConnectionsBlocking a Connection End the connection block 14-34 Understanding Snmp Snmp Notes and Caveats15-1 15-2 Configuring Snmp 15-3 Configuring Snmp General Parameters Exit notification submode Configuring Snmp Traps15-4 Enter the trap community string Configuring Snmp TrapsEnable Snmp traps Specify whether you want detailed Snmp traps 15-6 CISCO-ENHANCED-MEMPOOL-MIB CISCO-ENTITY-ALARM-MIBSupported Mibs CISCO-CIDS-MIB 15-7 15-8 16-1 Displaying the Current Configuration 16-2 First Review Cisco Confidential 16-3 Displaying the Current Submode Configuration 16-4 16-5 16-6 16-7 16-8 Sensorconfig# service health-monitor 16-9 16-10 16-11 16-12 16-13 Severity warning defaulted protected entry zone-name csi 16-14 16-15 Sensorconfig# service trusted-certificate 16-16 Filtering the Current Configuration Output 16-17 Filtering Using the More CommandTo filter the more command, follow these steps Press Ctrl-Cto stop the output and return to the CLI prompt Filtering the Submode Output Filtering the Current Submode Configuration Output16-18 Displaying the Contents of a Logical File 16-20 Displaying the Logical File Contents 16-21 16-22 Restoring the Current Configuration From a Backup File Backing Up the Current Configuration to a Remote Server16-23 Erasing the Configuration File Creating and Using a Backup Configuration File16-24 16-25 Press Enter to continue or enter no to stop 16-26 17-1 Administrative Tasks for the Sensor 17-2 Administrative Notes and CaveatsRecovering the Password Understanding Password Recovery 17-3 Recovering the Password for the ApplianceUsing the Grub Menu Platform Description Recovery Method Sample Rommon session Recovering the Password for the ASA 5500-X IPS SSPUsing Rommon Enter the following commands to reset the password 17-5 Enter your new password twicePress Enter to confirm Session to the ASA 5500-X IPS SSP 17-6 Recovering the Password for the ASA 5585-X IPS SSPUsing the Asdm Asa# hw-module module 1 password-reset 17-7 Session to the ASA 5585-X IPS SSPAsa# show module 17-8 Disabling Password RecoveryDisabling Password Recovery Using the CLI Disabling Password Recovery Using the IDM or IME Clearing the Sensor Databases Verifying the State of Password RecoveryTroubleshooting Password Recovery Sensorconfig-hos#show settings include password Enter yes to clear the inspectors database Clearing the Sensor Database17-10 17-11 Displaying the Inspection Load of the SensorOver the past 60 minutes and over the past 72 hours Show the histogram of the inspection load 17-12 17-13 Configuring Health Status Information 17-14 Configuring Health StatisticsASA 5500-X IPS SSP and Memory Usage Platform Yellow Red Memory Used 17-15 17-16 Set the number of days since the last signature updateSet the threshold for memory usage Set the missed packet threshold Exit health monitoring submode Showing Sensor Overall Health Status17-17 Enter your message Creating a Banner LoginCreate the banner login Show the health and security status of the sensor Terminate the CLI session of jsmith Find the CLI ID number associated with the login sessionTerminating CLI Sessions To terminate a CLI session, follow these steps Modifying Terminal Properties Configuring Events17-20 17-21 17-22 17-23 Clearing Events from the Event Store Sensor# show clock detail Configuring the System ClockDisplaying the System Clock 17-24 Clearing the Denied Attackers List Manually Setting the System Clock17-25 17-26 17-27 Displaying Policy Lists 17-28 Displaying StatisticsDisplay the list of policies for event action rules Display the list of policies for signature definition 17-29 Administrative Tasks for the Sensor 17-30 17-31 Display the statistics for authenticationSensor# show statistics authentication Display the statistics for anomaly detection Sensor# show statistics event-server General Display the statistics for the Event ServerDisplay the statistics for the Event Store 17-32 17-33 Display the statistics for the hostShow statistics host Sensor# show statistics logger Display the statistics for the logging applicationDisplay the statistics for the ARC 17-34 17-35 17-36 17-37 17-38 Display the statistics for the web serverStatistics web-server Sensor# show statistics logger clear 17-39 17-40 Displaying Tech Support InformationVarlog Files Displaying Tech Support Information Sensor# show version Displaying Version InformationView version information 17-41 View configuration information Cancel the output and get back to the CLI prompt17-42 17-43 Diagnosing Network Connectivity Following example shows an unsuccessful ping Resetting the ApplianceEnter yes to continue the reset Following example shows a successful ping 17-45 Displaying Command HistoryStop all applications and power down the appliance Enter yes to continue with the reset and power down 17-46 Displaying Hardware InventorySensor# show inventory PID IPS-4360-PWR-AC 17-47 Inventory Tracing the Route of an IP PacketDisplay the route of IP packet you are interested 17-48 17-49 Displaying Submode SettingsShow the current configuration for ARC submode Sensor config# service network-access 17-50 17-51 Show the ARC settings in terse mode 17-52 18-1 Configuring the ASA 5500-X IPS SSP 18-2 Configuration Sequence for the ASA 5500-X IPS SSP 18-3 Verifying Initialization for the ASA 5500-X IPS SSPObtain the details about the ASA 5500-X IPS Ssps Confirm the information 18-4 Creating Virtual Sensors for the ASA 5500-X IPS SSPASA 5500-X IPS SSP and Virtualization Creating Virtual Sensors 18-5 Creating Virtual Sensors 18-6 Sensorconfig-ana-vir#physical-interface PortChannel0/0 18-7 Assigning Virtual Sensors to ContextsAsa# show ips 18-8 Enter multiple modeAdd three context modes to multiple mode Assign virtual sensors to the security contexts SensorApp Fails ASA 5500-X IPS SSP and Bypass ModeConfigure MPF for each context Confirm the configuration ASA 5500-X IPS SSP and the Normalizer Engine SensorApp is Reconfigured18-10 ASA 5500-X IPS SSP and Memory Usage ASA 5500-X IPS SSP and Jumbo Packets18-11 18-12 Health and Status Information 18-13 Asa-ips#debug module-boot 18-14 Early reservations == bootmem 0000000000 18-15 18-16 18-17 18-18 IRQ 18-19 ASA 5500-X IPS SSP Failover Scenarios Single ASA in Fail-Open ModeSingle ASA in Fail-Close Mode Two ASAs in Fail-Open Mode 18-21 New and Modified CommandsTwo ASAs in Fail-Close Mode Configuration Examples Single Context System DefaultsFirewall Mode Security Context Multiple Command Mode Routed Allocate-ips 18-23 Command History Release ModificationRelated Commands Description Examples 18-24 19-1 ASA 5585-XIPS SSP Notes and Caveats 19-2 Configuration Sequence for the ASA 5585-X IPS SSP Asa# show module 1 details Verifying Initialization for the ASA 5585-X IPS SSPObtain the details about the ASA 5585-X IPS SSP 19-3 ASA 5585-X IPS SSP and Virtualization Creating Virtual Sensors for the ASA 5585-X IPS SSP19-4 19-5 ASA 5585-X IPS SSP Virtual Sensor Configuration Sequence 19-6 Command, for example sig1Example, rules1 Virtual sensor that you create 19-7 Asaconfig-ctx# Config-url disk0/c2.cfg Asaconfig-ctx#19-8 19-9 ASA 5585-X IPS SSP and the Normalizer Engine ASA 5585-X IPS SSP and Bypass Mode19-10 19-11 ASA 5585-X IPS SSP and Jumbo Packets 19-12 Ips-ssp#hardware-module module 1 recover configure 19-13 Asa# hw-module module 1 resetModule 1 details 19-14 Ips-ssp#hw-module module 1 recover configure Asaconfig# debug module-boot Traffic Flow Stopped on IPS Switchports19-15 19-16 Failover Scenarios 19-17 19-18 Obtaining Cisco IPS Software IPS 7.2 File List20-1 20-2 Enter your username and passwordIPS Software Versioning Downloading Cisco IPS Software Patch Release Major UpdateMinor Update Service Pack Signature Engine Update Signature Update20-4 20-5 Recovery and System Image Files 20-6 IPS Software Release Examples 20-7 Accessing IPS Documentation 20-8 Cisco Security Intelligence Operations 21-1 Upgrade Notes and Caveats 21-2 Upgrades, Downgrades, and System Images 21-3 Supported FTP and HTTP/HTTPS ServersUpgrading the Sensor IPS 7.21E4 Files Manually Upgrading the Sensor Upgrade Notes and Caveats21-4 Upgrading the Sensor Upgrade the sensorEnter the password when prompted Sensorconfig# upgrade url/IPS-SSP10-K9-7.2-1-E4.pkg 21-6 Working With Upgrade Files 21-7 Upgrading the Recovery Partition 21-8 Configuring Automatic UpgradesConfiguring Automatic Updates Enter the server password. The upgrade process begins 21-9 21-10 Configuring Automatic Upgrades 21-11 Specify the username for authenticationSpecify the password of the user Exit automatic upgrade submode Sensor# show statistics host Applying an Immediate UpdateSensor# autoupdatenow 21-12 Downgrading the Sensor Recovering the Application Partition21-13 Sensorconfig# recover application-partition Installing System ImagesRecovering the Application Partition Image Recover the application partition image Tftp Servers Connecting an Appliance to a Terminal Server21-15 21-16 Installing the System Image for the IPS 4345 and IPS PCI 21-17 Rommon ping server Assign the Tftp server IP addressIf necessary, assign the gateway IP address 21-18 Rommon Installing the System Image for the IPS 4510 and IPS21-19 21-20 21-21 If necessary, assign the Tftp server IP address 21-22 Installing the System Image for the ASA 5500-X IPS SSPPeriodically check the recovery until it is complete Image the ASA 5500-X IPS SSP 21-23 Installing the System Image for the ASA 5585-X IPS SSP 21-24 Leave the Vlan ID at Specify the default gateway of the ASA 5585-X IPS SSPTo enable debugging of the software installation process Asa# hw-module module 1 recover boot 21-26 Installing the ASA 5585-X IPS SSP System Image Using Rommon Rommon #0 set 21-27 21-28 21-29 21-30 IPS System Design Understanding the IPS System Architecture Figure A-1illustrates the system design for IPS software Figure A-2 System Design for IPS 4500 Series Sensors System Applications Appendix a System Architecture System Applications For detailed information about SDEE, see SDEE, page A-33 Security Features ARC MainAppUnderstanding the MainApp MainApp Responsibilities Understanding the Event Store Event Store Table A-1shows some examples Event Data StructuresStamp Value Meaning IPS Events NotificationApp Vlan PEP CtlTransSource Figure A-3 Attack Response Controller Figure A-4illustrates the ARC Understanding the ARC ARC Features Supported Blocking Devices Maintaining State Across Restarts ACLs and VACLsFwsm Scenario Connection-Based and Unconditional Blocking No shun ip Blocking with Cisco FirewallsTo unblock an IP address To clear all blocks Logger Blocking with Catalyst Switches Configuring Authentication on the Sensor AuthenticationAppUnderstanding the AuthenticationApp Authenticating Users Managing TLS and SSH Trust Relationships Web Server SensorApp Understanding the SensorApp Inline, Normalization, and Event Risk Rating Features Packet Flow SensorApp New Features Signature Event Action Processor CollaborationApp Update Components Error Events SwitchApp User Roles CLI Communications Service Account Idapi Idconf Cidee Cisco IPS File Structure CLI Using the IdapiSummary of Cisco IPS Applications Application Description Events IDMJava applet that provides an Html IPS management interface IME Understanding Signature Engines Signature Engines Appendix B Signature Engines Understanding Signature Engines Appendix B Signature Engines Understanding Signature Engines Signature-id Specifies the ID of this signature Master EngineGeneral Parameters Parameter Description Value Sig-name Promiscuous Delta Obsoletes Alert FrequencyVulnerable OS List Event Actions Name Description \NNN AIC EngineTo Match Regular Expression AIC Engine and Sensor Performance Understanding the AIC EngineAIC Engine Parameters Parameter Description Alarm-on-non-http-traffic Table B-6 AIC FTP Engine Parameters Atomic ARP Engine Atomic Engine Atomic IP Advanced Engine Atomic IP Advanced Engine Restrictions Isatap String IPv6 Parameter Description Value OL-29168-01 IPV4 L4 Protocol ICMPv6 Icmp ID L4 Protocol TCP and UDP OL-29168-01 Atomic IP Engine Parameter Description Value Appendix B Signature Engines OL-29168-01 Atomic IPv6 Signatures Atomic IPv6 Engine Fixed Engine Table B-11 Fixed TCP Engine Parameters Flood Engine Protocol Specifies which kind of traffic to inspect Meta EngineFlood Net Engine Parameters Name1 Component-list Specifies the Meta engine component Multi String Engine Normalizer Engine TCP Normalization IP Fragmentation NormalizationIPv6 Fragments ASA IPS Modules and the Normalizer Engine Service Engines Service DNS Engine Understanding the Service Engines Service FTP Engine Service Generic Engine Table B-20 Service Generic Engine Parameters Service H225 Engine Tpkt SetupSetup ASN.1-PER Service Http Engine Crlfcrlf Service Ident Engine Service Msrpc Engine Smbcomtransaction Service Mssql Engine Service NTP Engine Service RPC Engine Service P2P Engine Parameter Description Value Service SMB Advanced Engine Msrpc Uuid Service Snmp Engine Specify-object-id-Enables Service SSH Engine Service TNS Engine State Engine Table B-32lists the parameters specific to the State engine String Engines Table B-33 String Icmp Engine Parameters Table B-35 String UDP Engine String XL Engines Parameter Description Value Unsupported String XL Parameters Sweep Engine Sweep EnginesData Nodes Type Sweep Other TCP Engine Sweep Other TCP Engine Parameters Traffic Anomaly Engine Signature Traffic Icmp Engine Trojan Engines Bug Toolkit Troubleshooting Understanding Preventive Maintenance Preventive MaintenanceCreating and Using a Backup Configuration File Sensor# copy current-config backup-config Backing Up the Current Configuration to a Remote Server Creating the Service Account Disaster Recovery Password Recovery ASA 5500 series adaptive Adaptive security appliance CLI Security appliance IPS modules Command Using Rommon Password-Reset issued for module ips Recovering the Password for the ASA 5585-X IPS SSP 0123 21E4 Disabling Password Recovery Verifying the State of Password Recovery Time Sources and the Sensor For the procedure for configuring NTP, see Configuring NTP,Synchronizing IPS Clocks with Parent Device Clocks Generate the host statistics Verifying the Sensor is Synchronized with the NTP ServerGenerate the hosts statistics again after a few minutes Advantages and Restrictions of Virtualization TFor More Information To learn more about Worms, see Understanding Worms, When to Disable Anomaly Detection Enter show tech-support and save the output Reboot the sensorCommand output Analysis Engine Not Responding External Product Interfaces Issues External Product Interfaces Troubleshooting Tips Troubleshooting the ApplianceTroubleshooting Loose Connections Analysis Engine is Busy Communication Problems Cannot Access the Sensor CLI Through Telnet or SSH More Sensor# show configuration include access-list Correcting a Misconfigured Access List Make sure the sensor cabling is correct Duplicate IP Address Shuts Interface Down SensorApp is Not Running SensorApp and AlertingMake sure the IP address is correct AnalysisEngine 20130410110072014 Release Physical Connectivity, SPAN, or Vacl Port Issue Sensor# show interfaces Unable to See Alerts Check for alerts Make sure you have Produce Alert configuredSensor# show interfaces FastEthernet0/1 Sensor Not Seeing Packets Sensorconfig-int#physical-interfaces GigabitEthernet0/1Sensor# show interfaces GigabitEthernet0/1 Replace the virtual sensor file Cleaning Up a Corrupted SensorApp ConfigurationExit the service account Log in to the sensor CLI Check to see that the interface is up and receiving packets Sensor# cids start Troubleshooting BlockingStart the IPS services Blocking Verifying the ARC is Running Sensor# show events error 000000 Apr 01 2011 include nac If the ARC is not connecting, look for recurring errorsMake sure you have the latest software updates Sensor# show events error hhmmss month day year include nac For More Information Verify the IP address for the managed devices Device Access Issues Start the manual block of the bogus host IP address Sensorname Sensor Management Time-Based Actions Host Blocks Blocking Not Occurring for a Signature Enabling SSH Connections to the Network Device Verifying the Master Blocking Sensor Configuration Exit network access general submode Logging Enable debug logging for all zonesEnabling Debug Logging Exit master zone control Turn on individual zone controlView the zone names Protected entry zone-name nac Exit the logger submode Turn on debugging for a particular zone Zone Name Description Zone NamesPress Enter to apply changes or type no to discard them Table C-2lists the debug logger zone names Directing cidLog Messages to SysLog TCP Reset Not Occurring for a Signature Sensor# show events alert Software UpgradesUpgrading Error Make sure the correct alarms are being generated Issues With Automatic Update Which Updates to Apply and Their Prerequisites Updating a Sensor with the Update Stored on the Sensor Cannot Launch the IDM Loading Java Applet Failed Troubleshooting the IDMClick the Advanced tab Delete the temp files and clear the history in the browser Cannot Launch the IDM-The Analysis Engine Busy Signatures Not Producing Alerts Troubleshooting the IME Not Supported Error Message Troubleshooting the ASA 5500-X IPS SSPTime Synchronization on IME and the Sensor Health and Status Information E1000 00000005.0 PCI INT a disabled 303 Appendix C Troubleshooting Usb CRS IRQ Failover Scenerios ASA 5500-X IPS SSP and the Normalizer Engine ASA 5500-X IPS SSP and Jumbo Packets ASA 5500-X IPS SSP and Memory Usage Hw-module module 1 reset command Troubleshooting the ASA 5585-X IPS SSP Reset issued for module in slot Asa# show Mgmt IP addr 192.0.2.3 Failover Scenarios ASA 5585-X IPS SSP and the Normalizer Engine Traffic Flow Stopped on IPS Switchports ASA 5585-X IPS SSP and Jumbo Packets Gathering Information Tech Support Information Health and Network Security Information Displaying Tech Support Information Understanding the show tech-support Command Sensor# show tech-support page System Status Report Tech Support Command Output = No Version Information Understanding the show version CommandDisplaying Version Information Version 29.1 Platform IPS4360 Serial Number Service aaa Statistics Information Understanding the show statistics CommandDisplaying Statistics Percentage Thread Sec Min Average Inspection Stats Inspector Active Call Create Delete Display the statistics for anomaly detection Sensor# show statistics event-server Sensor# show statistics denied-attackersSensor# show statistics event-store Threat Multicast MTU1500 Metric1 Appendix C Troubleshooting Gathering Information Display the statistics for the notification application Name Current OL-29168-01 Sensor# show statistics web-server listener-443 Interfaces Information Understanding the show interfaces Command Displaying Interface Traffic History Interfaces Command Output Avg Load Peak Load GigabitEthernet0/1 Time Packets Received Bytes Received Mbps Events Information Sensor Events Understanding the show events CommandDisplaying Events Displaying Events 100 Clearing Events CidDump Script101 Usr/cids/idsRoot/bin/cidDump Uploading and Accessing Files on the Cisco FTP SiteEnter the following command 102 Reason Command CLI Error MessagesURI Error Message Reason Command User attempted to downgrade a System that has not been upgradedPacket-file but no packet-file has Been captured Administrator user attempted to log Initial login User attempted to cancel a CLIOperator or viewer user attempted to Initial login Log in when the maximum number Appendix D CLI Error Messages Reason/Location CLI Validation Error Messages Interface set has already been assigned to another Detection configuration file that is currently in useInterface and optional sub-interface being Added to the virtual sensor entry physical OL-29168-01 GL-1 GL-2 To detect worm-infected hosts GL-3 Authoritative private key Certificate for one CA issued by another CAGL-4 GL-5 GL-6 802.1q to be used Dual In-line Memory ModulesA public outside network To the transmit line and reads data from the receive line GL-8 An ITU standard that governs H.245 endpoint control Procedures, and basic data transport methodsGL-9 GL-10 GL-11 GL-12 Detailed information about signatures Proprietary branchesGL-13 GL-14 GL-15 GL-16 Quality and service availability GL-17 GL-18 Network devices. Used with the IDS MCUnauthorized activity Analysis Engine GL-19 GL-20 GL-21 Authorization, and accountingNetwork asset through its IP address Local system. Telnet is defined in RFC GL-22 GL-23 Through a switch. Also known as security ACLsRFC Version identifier. Part of the UDI GL-24 Hosts Payload reassemblyGL-25 GL-26 AIC Http AIC FTPIN-1 IN-2 IN-3 NATTACACS+ ARP SSP AsdmIN-4 IN-5 Radius URL Cidee BO2KIN-6 IN-7 Exec IN-8 IN-9 IN-10 IN-11 CSA MC IN-12 TFN IN-13 AIC FTP AIC Http IN-14 IN-15 Idconf IdapiIN-16 ASA 5500-X IPS SSP ASA 5585-X IPS SSP IdiomIN-17 IN-18 Tcpdump IN-19 IPS SSP Loki SSHIN-20 IN-21 Snmp IN-22 IN-23 IN-24 IN-25 RTTSdee Http A-33 IN-26 IN-27 IN-28 AIC Smtp Cidee Idconf Idiom SdeeIN-29 IN-30 IN-31 TACTFN2K TLS IN-32 BO2K Loki TFN2K Viewer role privileges Upgrade commandSensor initialization Sensor setup Version display Sensing process not running IN-34