Cisco Systems IPS4510K9 Configuring Anomaly Detection

CHAPT ER

9-1

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

Configuring Anomaly Detection

This chapter describes anomaly detection (AD) and its features and how to configure them. This chapter

contains the following topics:

•

Anomaly Detection Notes and Caveats, page 9-1

•

Understanding Security Policies, page 9-2

•

Understanding Anomaly Detection, page 9-2

•

Understanding Worms, page 9-2

•

Anomaly Detection Modes, page9-3

•

Anomaly Detection Zones, page 9-4

•

Anomaly Detection Configuration Sequence, page 9-5

•

Anomaly Detection Signatures, page 9-6

•

Enabling Anomaly Detection, page9-8

•

Working With Anomaly Detection Policies, page 9-8

•

Configuring Anomaly Detection Operational Settings, page 9-10

•

Configuring the Internal Zone, page 9-11

•

Configuring the Illegal Zone, page 9-20

•

Configuring the External Zone, page 9-28

•

Configuring Learning Accept Mode, page 9-36

•

Working With KB Files, page 9-40

•

Displaying Anomaly Detection Statistics, page 9-47

•

Disabling Anomaly Detection, page 9-48

Anomaly Detection Notes and Caveats

The following notes and caveats apply to configuring anomaly detection:

•

Anomaly detection is disabled by default. You must enable it to configure or apply an anomaly

detection policy. Enabling anomaly detection results in a decrease in performance.

•

Anomaly detection assumes it gets traffic from both directions. If the sensor is configured to see

only one direction of traffic, you should turn off anomaly detection. Otherwise, w hen anomaly

detection is running in an asymmetric environment, it identifies all traffic as having incomplete

Contents

Main Page CONTENTS Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Preface Contents Audience Organization Page Conventions Related Documentation Obtaining Documentation and Submitting a Service Request ii Logging In to the Sensor Logging In Notes and Caveats Supported User Roles Logging In to the Appliance Connecting an Appliance to a Terminal Server Logging In to the ASA 5500-X IPS SSP Logging In to the ASA 5585-X IPS SSP Logging In to the Sensor ii-7 Page Introducing the CLI Configuration Guide Supported IPS Platforms IPS CLI Configuration Guide Sensor Configuration Sequence User Roles Page CLI Behavior Command Line Editing Page IPS Command Modes Regular Expression Syntax Page Generic CLI Commands CLI Keywords Page Initializing the Sensor Initializing Notes and Caveats Understanding Initialization Simplified Setup Mode System Configuration Dialog 2-3 Example 2-1 Example System Configuration Dialog Basic Sensor Setup Page Page Advanced Setup Advanced Setup for the Appliance Page Page Page 2-12 Enter Step 28 to save the configuration. Advanced Setup for the ASA 5500-X IPS SSP Page Page 2-16 Enter Step 28 Step 27 Step 26 Advanced Setup for the ASA 5585-X IPS SSP Page 2-19 Enter Step 22 Enter Step 21 Verifying Initialization 2-21 To verify that you initialized your sensor, follow these steps: Log in to the sensor. View your configuration. 2-22 You can also use the more current-config command to view your configuration. For the procedure for logging in to the sensor, see Chapter ii, Logging In to the Sensor. Display the self-signed X.509 certificate (needed by TLS). Setting Up the Sensor Setup Notes and Caveats Understanding Sensor Setup Changing Network Settings Changing the Hostname Changing the IP Address, Netmask, and Gateway Enabling and Disabling Telnet Changing the Access List 3-7 To modify the access list, follow these steps: Log in to the sensor using an account with administrator privileges. Enter network settings mode. Add an entry to the access list. The netmask for a single host is 32. Changing the FTP Timeout Adding a Login Banner Configuring the DNS and Proxy Servers for Global Correlation and Automatic Update Page 3-12 Exit network settings mode. Press Enter to apply the changes or enter to discard them. For the procedure for configuring automatic update, see Configuring Automatic Upgrades, page 21-8. Enabling SSHv1 Fallback Changing the CLI Session Timeout Changing Web Server Settings Page Page Configuring Authentication and User Parameters Adding and Removing Users Page Configuring Authentication Page Page Page Page Page Configuring Packet Command Restriction Page Creating the Service Account The Service Account and RADIUS Authentication RADIUS Authentication Functionality and Limitations Configuring Passwords Changing User Privilege Levels Showing User Status Configuring the Password Policy Locking User Accounts Unlocking User Accounts Configuring Time Time Sources and the Sensor Synchronizing IPS Module System Clocks with the Parent Device System Clock Correcting Time on the Sensor Configuring Time on the Sensor Displaying the System Clock Manually Setting the System Clock Configuring Recurring Summertime Settings Page Configuring Nonrecurring Summertime Settings 3-41 c. b. a. Enter end summertime submode. Configuring NTP Configuring a Cisco Router to be an NTP Server Configuring the Sensor to Use an NTP Time Source Configuring SSH Understanding SSH Adding Hosts to the SSH Known Hosts List Page Adding Authorized RSA1 and RSA2 Keys Generating the RSA Server Host Key Page Configuring TLS Understanding TLS Adding TLS Trusted Hosts Displaying and Generating the Server Certificate Installing the License Key Understanding the License Key Service Programs for IPS Products Obtaining and Installing the License Key Page Licensing the ASA 5500-X IPS SSP Uninstalling the License Key 3-59 Page Configuring Interfaces Interface Notes and Caveats Understanding Interfaces IPS Interfaces Command and Control Interface Sensing Interfaces TCP Reset Interfaces Understanding Alternate TCP Reset Interfaces Designating the Alternate TCP Reset Interface Interface Support Page Interface Configuration Restrictions Page Interface Configuration Sequence Configuring Physical Interfaces Page Page Configuring Promiscuous Mode Understanding Promiscuous Mode Configuring Promiscuous Mode IPv6, Switches, and Lack of VACL Capture Configuring Inline Interface Mode Understanding Inline Interface Mode Configuring Inline Interface Pairs 4-18 Name the inline pair. Display the available interfaces. Add a description of the interface pair. Enable the interfaces assigned to the interface pair. 4-19 Verify that the interfaces are enabled. Page Configuring Inline VLAN Pair Mode Understanding Inline VLAN Pair Mode Configuring Inline VLAN Pairs 4-23 Configuring Inline VLAN Pairs To configure the inline VLAN pair settings on the sensor, follow these steps: Enter interface submode. 4-24 Page Configuring VLAN Group Mode Understanding VLAN Group Mode Deploying VLAN Groups Configuring VLAN Groups 4-29 subinterface nameDefines the subinterface as a VLAN group: Configuring Inline VLAN Groups To configure the inline VLAN group settings on the sensor, follow these steps: Enter interface submode. 4-30 Page Page Configuring Inline Bypass Mode Understanding Inline Bypass Mode Configuring Inline Bypass Mode Configuring Interface Notifications Configuring CDP Mode Displaying Interface Statistics Page 4-39 Display the statistics for a specific interface. Clear the statistics. Displaying Interface Traffic History 4-41 Displaying Historical Interface Statistics To display interface traffic history, follow these steps: Display the interface traffic history by the hour. Display the interface traffic history by the minute. 4-42 Display the interface traffic history for a specific interface. Configuring Virtual Sensors Virtual Sensor Notes and Caveats Understanding the Analysis Engine Understanding Virtual Sensors Advantages and Restrictions of Virtualization Inline TCP Session Tracking Mode Normalization and Inline TCP Evasion Protection Mode HTTP Advanced Decoding Adding, Editing, and Deleting Virtual Sensors Adding Virtual Sensors Page Page Page Editing and Deleting Virtual Sensors 5-10 Display the list of available interfaces. Change the promiscuous mode interfaces assigned to this virtual sensor. Verify the edited virtual sensor settings. Delete a virtual sensor. Page Configuring Global Variables 5-13 Create the variable for service activity. Press Enter to apply the changes or enter Verify the global variable settings. Exit analysis engine mode. Page Defining Signatures Signature Definition Notes and Caveats Understanding Policies Working With Signature Definition Policies Understanding Signatures Configuring Signature Variables Understanding Signature Variables Creating Signature Variables Page Configuring Signatures Signature Definition Options Configuring Alert Frequency Page Configuring Alert Severity Configuring the Event Counter Page Configuring Signature Fidelity Rating Configuring the Status of Signatures Configuring the Vulnerable OSes for a Signature Assigning Actions to Signatures Page Configuring AIC Signatures Understanding the AIC Engine AIC Engine and Sensor Performance Configuring the Application Policy Page AIC Request Method Signatures AIC MIME Define Content Type Signatures Page Page AIC Transfer Encoding Signatures AIC FTP Commands Signatures Creating an AIC Signature Page Configuring IP Fragment Reassembly Understanding IP Fragment Reassembly IP Fragment Reassembly Signatures and Configurable Parameters Page Configuring IP Fragment Reassembly Parameters Configuring the Method for IP Fragment Reassembly Configuring TCP Stream Reassembly Understanding TCP Stream Reassembly TCP Stream Reassembly Signatures and Configurable Parameters Page Page Page 7-36 For more information about the Normalizer engine, see Normalizer Engine, page B-36. Enter signature definition submode. Configuring TCP Stream Reassembly Signatures To configure TCP stream reassembly for a specific signature, follow these steps: Log in to the CLI using an account with administrator or operator privileges. Configuring the Mode for TCP Stream Reassembly Page Configuring IP Logging Creating Custom Signatures Sequence for Creating a Custom Signature Example String TCP Engine Signature Page Page Example Service HTTP Engine Signature Page Example Meta Engine Signature Page Page Page 7-50 Press Enter to apply the changes or enter to discard them. For more information on the Meta engine, see Meta Engine, page B-33. Example IPv6 Engine Signature Page Example String XL TCP Engine Match Offset Signature Page 7-54 Specify a minimum match offset for this signature. Example String XL TCP Engine Minimum Match Length Signature Page 7-57 Verify the settings: For detailed information about the String XL signature engine, see String XL Engines, page B-65. Press Enter to apply the changes or enter Specify a new Regex string to search for and turn on UTF-8. Page Configuring Event Action Rules Event Action Rules Notes and Caveats Understanding Security Policies Understanding Event Action Rules Signature Event Action Processor Event Actions Page Page Event Action Rules Configuration Sequence Working With Event Action Rules Policies Event Action Variables Understanding Event Action Variables Adding, Editing, and Deleting Event Action Variables 8-12 Verify that you added the event action rules variable. to discard them. Press Enter to apply your changes or enter To edit an event action rules variable, change the IPv6 address to a range. Configuring Target Value Ratings Calculating the Risk Rating Understanding Threat Rating * RR = ASR TVR * Adding, Editing, and Deleting Target Value Ratings Page Configuring Event Action Overrides Understanding Event Action Overrides Adding, Editing, Enabling, and Disabling Event Action Overrides Page Page Configuring Event Action Filters Understanding Event Action Filters Configuring Event Action Filters Page Page 8-24 l. Add any comments you want to use to explain this filter. Verify the settings for the filter. Edit an existing filter. 8-25 Move a filter to the inactive list. Verify that the filter has been moved to the inactive list. Configuring OS Identifications Understanding Passive OS Fingerprinting Passive OS Fingerprinting Configuration Considerations Adding, Editing, Deleting, and Moving Configured OS Maps Page 8-30 Specify the attack relevance rating range for the IP address. Enable passive OS fingerprinting. Edit an existing OS map. Edit the parameters (see Steps 4 through 7). Displaying and Clearing OS Identifications Configuring General Settings Understanding Event Action Summarization Understanding Event Action Aggregation Configuring the General Settings Configuring the Denied Attackers List Adding a Deny Attacker Entry to the Denied Attackers List Monitoring and Clearing the Denied Attackers List Page Monitoring Events Displaying Events Page 8-40 8-41 Clearing Events from Event Store to clear the events. Enter Clear the Event Store. Page Configuring Anomaly Detection Anomaly Detection Notes and Caveats Understanding Security Policies Understanding Anomaly Detection Understanding Worms Anomaly Detection Modes Anomaly Detection Zones Anomaly Detection Configuration Sequence Anomaly Detection Signatures Page Enabling Anomaly Detection Working With Anomaly Detection Policies Page Configuring Anomaly Detection Operational Settings Configuring the Internal Zone Understanding the Internal Zone Configuring the Internal Zone Configuring TCP Protocol for the Internal Zone 9-14 Enable the service for that port. Verify the TCP configuration settings. Configuring UDP Protocol for the Internal Zone Page 9-17 Configuring Other Protocols for the Internal Zone 9-19 Verify the other configuration settings. Configuring the Illegal Zone Understanding the Illegal Zone Configuring the Illegal Zone Configuring TCP Protocol for the Illegal Zone Page 9-23 Configuring UDP Protocol for the Illegal Zone 9-25 Verify the UDP configuration settings. Configuring Other Protocols for the Illegal Zone 9-27 Enable the other protocols. Associate a specific number for the other protocols. Enable the service for that port. Add a histogram for the new scanner settings. Enter the number of destination IP addresses (low, Configuring the External Zone Understanding the External Zone Configuring the External Zone Configuring TCP Protocol for the External Zone Page 9-31 Configuring UDP Protocol for the External Zone 9-33 Add a histogram for the new scanner settings. Enter the number of destination IP addresses (low, Verify the UDP configuration settings. Configuring Other Protocols for the External Zone Page Configuring Learning Accept Mode The KB and Histograms Page Configuring Learning Accept Mode Page Working With KB Files Displaying KB Files Saving and Loading KBs Manually Copying, Renaming, and Erasing KBs Page Displaying the Differences Between Two KBs Displaying the Thresholds for a KB 9-46 Displaying KB Thresholds To display the KB thresholds, follow these steps: Locate the file for which you want to display thresholds: Display thresholds contained in a specific file for the illegal zone. Displaying Anomaly Detection Statistics ). Display the anomaly detection statistics for a specific virtual sensor. 9-48 Display the statistics for all virtual sensors. Disabling Anomaly Detection Enter analysis engine submode. Page Page Configuring Global Correlation Global Correlation Notes and Caveats Understanding Global Correlation Participating in the SensorBase Network Understanding Reputation Understanding Network Participation Understanding Efficacy Understanding Reputation and Risk Rating Global Correlation Features and Goals Global Correlation Requirements Understanding Global Correlation Sensor Health Metrics Configuring Global Correlation Inspection and Reputation Filtering Understanding Global Correlation Inspection and Reputation Filtering Configuring Global Correlation Inspection and Reputation Filtering Configuring Network Participation 10-12 You must accept the network participation disclaimer to turn on network participation. Enter Turning on Network Participation To turn on network participation, follow these steps: Troubleshooting Global Correlation Disabling Global Correlation Displaying Global Correlation Statistics 10-15 Clear the statistics for global correlation: Page Configuring External Product Interfaces External Product Interface Notes and Caveats Understanding External Product Interfaces Understanding the CSA MC External Product Interface Issues Configuring the CSA MC to Support the IPS Interface Adding External Product Interfaces and Posture ACLs Page Page Page Troubleshooting External Product Interfaces Configuring IP Logging IP Logging Notes and Caveats Understanding IP Logging Configuring Automatic IP Logging Configuring Manual IP Logging for a Specific IP Address Page Displaying the Contents of IP Logs Stopping Active IP Logs Copying IP Log Files to Be Viewed Page Displaying and Capturing Live Traffic on an Interface Packet Display And Capture Notes and Caveats Understanding Packet Display and Capture Displaying Live Traffic on an Interface 13-3 Executing the packet display command causes significant performance degradation. Displaying Live Traffic From an Interface To configure the sensor to display live traffic from an interface on the screen, follow these steps: Log in to the sensor using an account with administrator or oper ator privileges. Capturing Live Traffic on an Interface Page 13-6 View any information about the packet file. Copying the Packet File Erasing the Packet File Page Configuring Attack Response Controller for Blocking and Rate Limiting Blocking Notes and Caveats Understanding Blocking Page Understanding Rate Limiting Understanding Service Policies for Rate Limiting Before Configuring ARC Supported Devices Configuring Blocking Properties Allowing the Sensor to Block Itself Disabling Blocking Page Specifying Maximum Block Entries 14-12 Enter network access submode. Enter general submode. Change the maximum number of block entries. Verify the setting. Specifying the Block Time Enabling ACL Logging Enabling Writing to NVRAM Logging All Blocking Events and Errors Configuring the Maximum Number of Blocking Interfaces Page Configuring Addresses Never to Block Configuring User Profiles Configuring Blocking and Rate Limiting Devices How the Sensor Manages Devices Configuring the Sensor to Manage Cisco Routers Routers and ACLs Page Configuring the Sensor to Manage Catalyst 6500 Series Switches and Cisco 7600 Series Routers Switches and VACLs Configuring the Sensor to Manage Catalyst 6500 Series Switches and Cisco 7600 Series Routers Configuring the Sensor to Manage Cisco Firewalls Configuring the Sensor to be a Master Blocking Sensor Page Page Configuring Host Blocking Configuring Network Blocking Configuring Connection Blocking Obtaining a List of Blocked Hosts and Connections Page Configuring SNMP SNMP Notes and Caveats Understanding SNMP Configuring SNMP Page Configuring SNMP Traps Page Supported MIBS Page Page FIRST REVIEW CISCO Working With Configuration Files Displaying the Current Configuration 16-2 16-3 Displaying the Current Submode Configuration Display the current configuration of the service analysis engine submode. Display the current configuration of the service anomaly detection submode. 16-4 16-5 16-6 16-7 Display the current configuration of the service authentication submode. Display the current configuration of the service event action rules submode. 16-8 Display the current configuration of the external product interface submode. Display the current configuration of the service global-correlation submode. Display the current configuration of the service health-monitor submode. 16-9 16-10 Display the current configuration of the service host submode. 16-11 Display the current configuration of the service interface submode. 16-12 16-13 Display the current configuration for the service logger submode. 16-14 Display the current configuration for the service network access submode. Display the current configuration for the notification submode. 16-15 Display the current configuration for the signature definition submode. Display the current configuration for the SSH known hosts submode. Display the current configuration for the trusted certificates submode. Filtering the Current Configuration Output 16-17 Filtering Using the More Command To filter the more command, follow these steps: Filter the current-config output beginning with the regular expression ip, for example. Press Ctrl-C to stop the output and return to the CLI prompt. Filtering the Current Submode Configuration Output 16-19 Filter the output of the network access settings to exclude the regular expression. Filter the output of the host settings to include the regular expression ip. Displaying the Contents of a Logical File Page 16-21 For the procedure for using the terminal comman d, see Modifying Terminal Properties, page 17-20. Backing Up and Restoring the Configuration File Using a Remote Server Page Creating and Using a Backup Configuration File Erasing the Configuration File Page Page Administrative Tasks for the Sensor Administrative Notes and Caveats Recovering the Password Understanding Password Recovery Recovering the Password for the Appliance Using the GRUB Menu Using ROMMON Recovering the Password for the ASA 5500-X IPS SSP 17-5 To reset the password on the ASA 5500-X IPS SSP, follow these steps: Verify the status of the module. Once the status reads Log into the adaptive security appliance and enter the following command: Press Enter to confirm. Recovering the Password for the ASA 5585-X IPS SSP 17-7 Verify the status of the module. Once the status reads , you can session to the ASA 5585-X IPS SSP. Session to the ASA 5585-X IPS SSP. Enter the default username (cisco) and password (cisco) at the login prompt. Disabling Password Recovery Verifying the State of Password Recovery Troubleshooting Password Recovery Clearing the Sensor Databases Page Displaying the Inspection Load of the Sensor 17-12 Configuring Health Status Information Page 17-15 Enable the metrics for bypass policy. Enable the metrics for sensor health and security monitoring. Set the event retrieval thresholds for event retrieval metrics. Enable health metrics for global correlation. 17-16 Set the threshold for memory usage. Set the missed packet threshold. Set the number of days since the last signature update. Showing Sensor Overall Health Status Creating a Banner Login Terminating CLI Sessions Modifying Terminal Properties Configuring Events Displaying Events 17-22 Displaying Events To display events from the Event Store, follow these steps: Display all events starting now. The feed continues showing all events until you press Ctrl-C. 17-23 Clearing Events from the Event Store Clear the Event Store. Configuring the System Clock Displaying the System Clock Manually Setting the System Clock Clearing the Denied Attackers List Page Displaying Policy Lists Displaying Statistics 17-29 17-30 17-31 Display the statistics for anomaly detection. Display the statistics for authentication. Display the statistics for the denied attackers in the system. 17-32 Display the statistics for the Event Server. Display the statistics for the Event Store. 17-33 Display the statistics for global correlation. Display the statistics for the host. 17-34 Display the statistics for the logging application. Display the statistics for the ARC. 17-35 17-36 Display the statistics for the notification application. Display the statistics for OS identification. Display the statistics for the SDEE server. Display the statistics for the transaction server. 17-37 17-38 Display the statistics for the web server. 17-39 Step 19 Verify that the statistics have been cleared. The statistics now all begin from 0. Displaying Tech Support Information Displaying Version Information 17-42 If the View configuration information. You can use the more current-config or show configuration commands. 17-43 Diagnosing Network Connectivity Resetting the Appliance Displaying Command History Displaying Hardware Inventory 17-47 Tracing the Route of an IP Packet 17-49 Displaying Submode Settings Show the current configuration for ARC submode. 17-50 17-51 Show the ARC settings in terse mode. 17-52 Configuring the ASA 5500-X IPS SSP Notes and Caveats for ASA 5500-X IPS SSP Configuration Sequence for the ASA 5500-X IPS SSP Verifying Initialization for the ASA 5500-X IPS SSP Creating Virtual Sensors for the ASA 5500-X IPS SSP The ASA 5500-X IPS SSP and Virtualization Virtual Sensor Configuration Sequence for ASA 5500-X IPS SSP Creating Virtual Sensors Page Page Assigning Virtual Sensors to Adaptive Security Appliance Contexts 18-8 Enter configuration mode. Enter multiple mode. Add three context modes to multiple mode. Assign virtual sensors to the security contexts. The ASA 5500-X IPS SSP and Bypass Mode The ASA 5500-X IPS SSP and the Normalizer Engine The ASA 5500-X IPS SSP and Jumbo Packets The ASA 5500-X IPS SSP and Memory Usage Reloading, Shutting Down, Resetting, and Recovering the ASA 5500-X IPS SSP Health and Status Information 18-13 The output shows that the ASA 5500-X IPS SSP is up. If the status reads 18-14 18-15 18-16 18-17 18-18 18-19 ASA 5500-X IPS SSP Failover Scenarios New and Modified Commands allocate-ips Page Page Configuring the ASA 5585-X IPS SSP ASA 5585-X IPS SSP Notes and Caveats Configuration Sequence for the ASA 5585-X IPS SSP Verifying Initialization for the ASA 5585-X IPS SSP Creating Virtual Sensors for the ASA 5585-X IPS SSP The ASA 5585-X IPS SSP and Virtualization The ASA 5585-X IPS SSP Virtual Sensor Configuration Sequence Creating Virtual Sensors Page Assigning Virtual Sensors to Adaptive Security Appliance Contexts Page 19-9 Assign virtual sensors to the security contexts. Configure MPF for each context. The following example shows context 3 (c3). Confirm the configuration. The ASA 5585-X IPS SSP and the Normalizer Engine The ASA 5585-X IPS SSP and Bypass Mode ASA 5585-X IPS SSP and Jumbo Packets ASA 5585-X Reloading, Shutting Down, Resetting, and Recovering the IPS SSP Health and Status Information 19-13 The output shows that the ASA 5585-X IPS SSP is up. If the status reads , you can reset it using the hw-module module 1 reset command. 19-14 19-15 Traffic Flow Stopped on IPS Switchports Solution Possible Cause Problem Failover Scenarios 19-17 Page Obtaining Software IPS 7.2 File List Obtaining Cisco IPS Software IPS Software Versioning Page IPS-identifier-K9-x.y-z[a or p1]-E1.pkg IPS-identifier-[sig]-[S]-req-E1.pkg IPS-identifier-[engine]-[E]-req-x.y-z.pkg IPS-identifier-K9-[mfq,sys,r,]-x.y-a-*.img, pkg, or IPS Software Release Examples Accessing IPS Documentation Cisco Security Intelligence Operations Upgrading, Downgrading, and Installing System Images Upgrade Notes and Caveats Upgrades, Downgrades, and System Images Supported FTP and HTTP/HTTPS Servers Upgrading the Sensor IPS 7.2(1)E4 Files Upgrade Notes and Caveats Manually Upgrading the Sensor Page Working With Upgrade Files Upgrading the Recovery Partition Configuring Automatic Upgrades Configuring Automatic Updates Page Page Page Applying an Immediate Update Downgrading the Sensor Recovering the Application Partition Installing System Images ROMMON TFTP Servers Connecting an Appliance to a Terminal Server Installing the System Image for the IPS 4345 and IPS 4360 21-17 The system enters ROMMON mode. The You have ten seconds to press Break or Esc. prompt appears. Check the current network settings. Page Installing the System Image for the IPS 4510 and IPS 4520 Page Page Installing the System Image for the ASA 5500-X IPS SSP Installing the System Image for the ASA 5585-X IPS SSP Installing the ASA 5585-X IPS SSP System Image Using the hw-module Command Page Installing the ASA 5585-X IPS SSP System Image Using ROMMON Page Page Page Page A System Architecture Understanding the IPS System Architecture IPS System Design A-2 Figure A-1 illustrates the system design for IPS software. A-3 Figure A-2 illustrates the system design for IPS software for the IPS 4500 series sensors. Each application has its own configuration file in XML format. System Applications Page Security Features MainApp Understanding the MainApp MainApp Responsibilities Event Store Understanding the Event Store Event Data Structures IPS Events NotificationApp Page CtlTransSource Attack Response Controller Understanding the ARC ARC Features Supported Blocking Devices ACLs and VACLs Maintaining State Across Restarts Connection-Based and Unconditional Blocking Blocking with Cisco Firewalls Blocking with Catalyst Switches Logger AuthenticationApp Understanding the AuthenticationApp Authenticating Users Configuring Authentication on the Sensor Managing TLS and SSH Trust Relationships Web Server SensorApp Understanding the SensorApp Inline, Normalization, and Event Risk Rating Features SensorApp New Features Packet Flow Signature Event Action Processor CollaborationApp Understanding the CollaborationApp Update Components Error Events SwitchApp CLI User Roles Service Account Communications IDAPI IDIOM IDCONF SDEE CIDEE Cisco IPS File Structure Summary of Cisco IPS Applications Page B Signature Engines Understanding Signature Engines Page Page Master Engine General Parameters Page Page Alert Frequency Event Actions Regular Expression Syntax AIC Engine Understanding the AIC Engine AIC Engine and Sensor Performance AIC Engine Parameters Page Page Atomic Engine Atomic ARP Engine Atomic IP Advanced Engine Page Page Page Page Page Page Page Page Page Atomic IP Engine Page Page Page Atomic IPv6 Engine Fixed Engine Page Flood Engine Meta Engine Page Multi String Engine Normalizer Engine Page Page Service Engines Understanding the Service Engines Service DNS Engine Service FTP Engine Service Generic Engine Page Service H225 Engine Page Service HTTP Engine Page Service IDENT Engine Service MSRPC Engine Page Service MSSQL Engine Service NTP Engine Service P2P Engine Service RPC Engine Page Service SMB Advanced Engine Page Service SNMP Engine Service SSH Engine Service TNS Engine State Engine Page String Engines Page Page String XL Engines Page Page Sweep Engines Sweep Engine Page Sweep Other TCP Engine Traffic Anomaly Engine Page Traffic ICMP Engine Trojan Engines C Troubleshooting Bug Toolkit Preventive Maintenance Understanding Preventive Maintenance Creating and Using a Backup Configuration File Backing Up and Restoring the Configuration File Using a Remote Server Page Creating the Service Account Disaster Recovery Password Recovery Understanding Password Recovery Recovering the Password for the Appliance Using the GRUB Menu Using ROMMON Recovering the Password for the ASA 5500-X IPS SSP Recovering the Password for the ASA 5585-X IPS SSP Page Disabling Password Recovery Verifying the State of Password Recovery Troubleshooting Password Recovery Time Sources and the Sensor Time Sources and the Sensor Synchronizing IPS Clocks with Parent Device Clocks Verifying the Sensor is Synchronized with the NTP Server Correcting Time on the Sensor Advantages and Restrictions of Virtualization Supported MIBs Troubleshooting Global Correlation When to Disable Anomaly Detection Analysis Engine Not Responding Troubleshooting External Product Interfaces External Product Interfaces Issues External Product Interfaces Troubleshooting Tips Troubleshooting the Appliance Troubleshooting Loose Connections The Analysis Engine is Busy Communication Problems C-24 Duplicate IP Address Shuts Interface Down, page C-27 . If the Link Status is Cannot Access the Sensor CLI Through Telnet or SSH Log in to the sensor CLI through a console, terminal, or module session. , go to Step 3. If the Link Status is , go to Step 5. Page Correcting a Misconfigured Access List C-27 Duplicate IP Address Shuts Interface Down Make sure the sensor cabling is correct. The SensorApp and Alerting The SensorApp is Not Running Page C-30 Physical Connectivity, SPAN, or VACL Port Issue Make sure the sensing port is connected to the correct SPAN or VACL capture port on IDSM2. Make sure the interfaces are up and that the packet count is increasing. If the Link Status is down, make sure the sensing port is connected properly: Make sure the sensing port is connected properly on the appliance. Unable to See Alerts C-32 Make sure you have Produce Alert configured. Make sure the sensor is seeing packets. Check for alerts. C-33 Sensor Not Seeing Packets Make sure the interfaces are up and receiving packets. If the interfaces are not up, do the following: Check the cabling. Enable the interface. Cleaning Up a Corrupted SensorApp Configuration Blocking Troubleshooting Blocking Verifying the ARC is Running Verifying ARC Connections are Active Page C-39 Device Access Issues Verify the IP address for the managed devices. Verifying the Interfaces and Directions on the Network Device Enabling SSH Connections to the Network Device Blocking Not Occurring for a Signature C-42 Press Enter to apply the changes or type to discard them. Verifying the Master Blocking Sensor Configuration View the ARC statistics and verify that the master blocking sensor entries are in the statistics. C-43 If the master blocking sensor does not show up in the statistics, you need to add it. Press Enter to apply the changes or type Exit network access general submode. to discard them. Logging Enabling Debug Logging C-45 Turn on individual zone control. Exit master zone control. View the zone names. C-46 Change the severity level (debug, timing, warning, or error) for a particular zone. C-47 Turn on debugging for a particular zone. Exit the logger submode. Zone Names Directing cidLog Messages to SysLog TCP Reset Not Occurring for a Signature Software Upgrades Upgrading Error Which Updates to Apply and Their Prerequisites Issues With Automatic Update Updating a Sensor with the Update Stored on the Sensor Troubleshooting the IDM Cannot Launch the IDM - Loading Java Applet Failed Cannot Launch the IDM-The Analysis Engine Busy The IDM, Remote Manager, or Sensing Interfaces Cannot Access Sensor Signatures Not Producing Alerts Troubleshooting the IME Time Synchronization on IME and the Sensor Not Supported Error Message Troubleshooting the ASA 5500-X IPS SSP C-58 The ASA 5500-X IPS SSP and Jumbo Packets, page C-67 The output shows that the ASA 5500-X IPS SSP is up. If the status reads Health and Status Information To see the general health of the ASA 5500-X IPS SSP, use the show module ips details command. C-59 C-60 C-61 C-62 C-63 C-64 Failover Scenerios The ASA 5500-X IPS SSP and the Normalizer Engine The ASA 5500-X IPS SSP and Memory Usage The ASA 5500-X IPS SSP and Jumbo Packets Troubleshooting the ASA 5585-X IPS SSP Health and Status Information C-69 C-70 Failover Scenarios Traffic Flow Stopped on IPS Switchports The ASA 5585-X IPS SSP and the Normalizer Engine The ASA 5585-X IPS SSP and Jumbo Packets Gathering Information Health and Network Security Information Tech Support Information Understanding the show tech-support Command Displaying Tech Support Information Tech Support Command Output C-77 Version Information Understanding the show version Command Displaying Version Information C-79 If the View configuration information. You can use the more current-config or show configuration commands. C-80 Statistics Information Understanding the show statistics Command Displaying Statistics Page C-83 C-84 Display the statistics for anomaly detection. C-85 Display the statistics for authentication. Display the statistics for the denied attackers in the system. Display the statistics for the Event Server. Display the statistics for the Event Store. C-86 Display the statistics for global correlation. Display the statistics for the host. C-87 Display the statistics for the logging application. Display the statistics for the ARC. C-88 C-89 Display the statistics for the notification application. Display the statistics for OS identification. Display the statistics for the SDEE server. C-90 Display the statistics for the transaction server. Display the statistics for a virtual sensor. C-91 C-92 Display the statistics for the web server. Interfaces Information Understanding the show interfaces Command C-94 Interfaces Command Output The following example shows the output from the show interfaces command: Displaying Interface Traffic History Page C-96 Display the interface traffic history by the minute. C-97 Display the interface traffic history for a specific interface. Clearing Events, page C-101 Events Information Sensor Events, pageC-98 Understanding the show events Command, page C-98 Displaying Events, page C-98 Sensor Events Understanding the show events Command Displaying Events Page C-100 Clearing Events cidDump Script Uploading and Accessing Files on the Cisco FTP Site D CLI Error Messages CLI Error Messages Page Page Page Page CLI Validation Error Messages Page Page GLOSSARY Numerals A Page B C Page D E F G H I J K L M N O P Q R Page S Page Page T Page U V W X Z Page INDEX Numerics A Page Page Page B C Page Page Page Page Page D E Page F G H I Page Page K L M N O P Page Q R S Page Page Page Page Page T Page U V W Z