Americas Headquarters
Text Part Number OL-29168-01
Page
N T E N T S
Iii
Advanced Setup for the Appliance
Interface Support
Understanding Inline Vlan Pair Mode
Configuring Alert Severity
Vii
Example String XL TCP Engine Match Offset Signature
Viii
Understanding Worms
Configuring Global Correlation
Configuring IP Logging
Routers
Xii
Using Rommon
Xiii
Configuring the ASA 5585-X IPS SSP
Xiv
Upgrading, Downgrading, and Installing System Images
NotificationApp
Xvi
AIC Engine B-10
Xvii
Creating the Service Account C-5
Xviii
Communication Problems
Xix
Understanding the show tech-support Command C-75
CLI Validation Error Messages D-6
Xxi
Xxii
Contents
Audience
Organization
Xxiv
Conventions
Related Documentation
Convention Indication
Xxv
Obtaining Documentation and Submitting a Service Request
Xxvi
Logging In Notes and Caveats
Supported User Roles
Ii-1
Logging In to the Appliance
For More Information
Ii-2
Connecting an Appliance to a Terminal Server
Config t
Ii-3
Exit Wr mem
Logging In to the ASA 5500-X IPS SSP
Ii-4
Asa# session ips
Logging In to the ASA 5585-X IPS SSP
Ii-5
Asa# session
Logging In to the Sensor
Ii-6
Ii-7
Ii-8
IPS CLI Configuration Guide
Supported IPS Platforms
Sensor Configuration Sequence
User Roles
Administrator
Service
Operators
Viewers
CLI Behavior
Following tips help you use the Cisco IPS CLI
Prompts
Help
Command Line Editing
Recall
Case Sensitivity
Display Options
Keys Description
IPS Command Modes
Regular Expression Syntax
Character Description
String
Only if it is at the end of the string
Matches a as well as b
Matches any character
Or more times
Generic CLI Commands
Sensor# configure terminal
CLI Keywords
OL-29168-01
Initializing the Sensor
Initializing Notes and Caveats
Simplified Setup Mode
System Configuration Dialog
Understanding Initialization
Example 2-1shows a sample System Configuration Dialog
Example 2-1 Example System Configuration Dialog
Basic Sensor Setup
Initializing the Sensor Basic Sensor Setup
Initializing the Sensor Basic Sensor Setup
Following configuration was entered
Advanced Setup
Initializing the Sensor Advanced Setup
Advanced Setup for the Appliance
Enter 1 to edit the interface configuration
Enter a subinterface number and description
Enter numbers for Vlan 1
Press Enter to return to the available interfaces menu
Enter 2 to edit the virtual sensor configuration
Enter 2 to modify the virtual sensor configuration, vs0
Press Enter to return to the top-level editing menu
Host-ip 192.168.1.2/24,192.168.1.1
Enter 2 to save the configuration
Advanced Setup for the ASA 5500-X IPS SSP
Reboot the appliance
Enter 2 to modify the virtual sensor vs0 configuration
Enter a name and description for your virtual sensor
Modify default threat prevention settings?no
Reboot the ASA 5500-X IPS SSP
Asa-ips#show tls fingerprint
Advanced Setup for the ASA 5585-X IPS SSP
Enter 2 to edit the virtual sensor configuration
Exit Service analysis-engine
Reboot the ASA 5585-X IPS SSP
Verifying Initialization
Ips-ssp#show tls fingerprint
View your configuration
Sensor# show configuration
Display the self-signed X.509 certificate needed by TLS
Sensor# show tls fingerprint
Setting Up the Sensor
Setup Notes and Caveats
Understanding Sensor Setup
Changing Network Settings
Changing the Hostname
Exit network settings mode
Enter network settings mode
Change the sensor IP address, netmask, and default gateway
Changing the IP Address, Netmask, and Gateway
Enable Telnet services
Enabling and Disabling Telnet
Changing the Access List
Verify that Telnet is enabled
Verify the change you made to the access-list
Remove the entry from the access list
Change the value back to the default
Verify the value has been set back to the default
Changing the FTP Timeout
To change the FTP timeout, follow these steps
Change the number of seconds of the FTP timeout
Verify the FTP timeout change
Adding a Login Banner
Add the banner login text
Verify the banner login text message
Verify the login text has been removed
Enable a DNS server
Verify the settings
Login-banner-text defaulted dns-primary-server
Verify that SSHv1 fallback is enabled
Enabling SSHv1 Fallback
Changing the CLI Session Timeout
Change the number of seconds of the CLI session timeout
Verify the CLI session timeout change
Exit authentication mode
Changing Web Server Settings
When disabled, the client can use the following ciphers
TLSDHERSAWITHAES256CBCSHA256 TLSDHEDSSWITHAES256CBCSHA256
Sensor# configure terminal Sensorconfig# service web-server
Change the port number
Specify the web session inactivity timeout
Turn on logging for web session inactivity timeouts
Verify the defaults have been replaced
Turn on TLS client ciphers restriction
Configuring Authentication and User Parameters
Adding and Removing Users
Sensorconfig# username username password password privilege
Sensorconfig# username tester privilege administrator
Specify the parameters for the user
Sensor# show users all
Configuring Authentication
To remove a user, use the no form of the command
Sensor# configure terminal Sensorconfig# no username jsmith
Radius Authentication Options
Configuring Local or Radius Authentication
Sensorconfig-aaa-rad#default-user-role operator
Enter AAA submode
Ips-role=administrator Ips-role=service
Enter the Radius server IP address
Specify the type of console authentication
Enter the IP address of the second Radius server
Configuring Packet Command Restriction
Exit AAA mode
AAA Radius Users
Enter authentication submode
Check your new setting
Sensorconfig-aut#permit-packet-logging true
Sensorconfig-aut#permit-packet-logging false
Creating the Service Account
Sensorconfig# user username privilege service
Service Account and Radius Authentication
Radius Authentication Functionality and Limitations
Configuring Passwords
Exit configuration mode
Change your password
Changing User Privilege Levels
Showing User Status
Change the privilege level from viewer to operator
Display your current level of privilege
Verify all users. The account of the user jsmith is locked
Configuring the Password Policy
To unlock the account of jsmith, reset the password
Example
Set the value back to the system default setting
Check that the setting has returned to the default
Locking User Accounts
Enter global configuration mode
Unlocking User Accounts
Parentheses
Unlock the account
Configuring Time
Time Sources and the Sensor
IPS Standalone Appliances
Configuring Time on the Sensor
Correcting Time on the Sensor
ASA IPS Modules
Manually Setting the System Clock
Symbol
Displaying the System Clock
Sensor# show clock
Configuring Recurring Summertime Settings
Enter the month you want to start summertime settings
Enter start summertime submode
Sensor# clock set 1321 Mar 29
Verify your settings
Enter the month you want to end summertime settings
Enter end summertime submode
Specify the local time zone used during summertime
Configuring Nonrecurring Summertime Settings
Exit recurring summertime submode
Exit non-recurring summertime submode
Configuring NTP
Configuring Time Zones Settings
Exit time zone settings submode
Sensorconfig-hos-tim#standard-time-zone-name CST
Configuring a Cisco Router to be an NTP Server
Example
Configuring the Sensor to Use an NTP Time Source
Enter service host mode
Configure unauthenticated NTP Enter NTP configuration mode
Verify the unauthenticated NTP settings
Configuring SSH
Configure authenticated NTP Enter NTP configuration mode
Verify the NTP settings
Exit NTP configuration mode
Understanding SSH
Adding Hosts to the SSH Known Hosts List
Sensorconfig# ssh host-key
Add an entry to the known hosts list
View the key for a specific IP address
Sensor# show ssh host-keys
Sensorconfig# no ssh host-key
Adding Authorized RSA1 and RSA2 Keys
Generating the RSA Server Host Key
Sensor# ssh generate-key
Sensor# show ssh server-key
Configuring TLS
Understanding TLS
Sensorconfig# tls trusted-host ip-address 10.89.146.110 port
Adding TLS Trusted Hosts
Displaying and Generating the Server Certificate
View the fingerprint for a specific host
Remove an entry from the trusted hosts list
Verify that the key was generated
Installing the License Key
Understanding the License Key
Service Programs for IPS Products
Obtaining and Installing the License Key
Installing the License Key
Licensing the ASA 5500-X IPS SSP
Verify the sensor is licensed
Uninstalling the License Key
Verify the sensor key has been uninstalled
Sensor# erase license-key
Setting Up the Sensor Installing the License Key
OL-29168-01
Configuring Interfaces
Interface Notes and Caveats
Understanding Interfaces
IPS Interfaces
Command and Control Interface
Sensor Command and Control Interface
TCP Reset Interfaces
Understanding Alternate TCP Reset Interfaces
Sensing Interfaces
Designating the Alternate TCP Reset Interface
2lists the alternate TCP reset interfaces
Sensor Alternate TCP Reset Interface
None
Interface Support
Interfaces Not
Base Chassis Cards Sensing Ports Inline Interface Pairs
Combinations Supporting Command and Control
Interface Configuration Restrictions
Configuring Interfaces Understanding Interfaces
Interface Configuration Sequence
Configuring Physical Interfaces
Configuring the Physical Interface Settings
Specify the interface for promiscuous mode
Display the list of available interfaces
Remove TCP resets from an interface
Sensorconfig-int-phy#alt-tcp-reset-interface none
Add a description of this interface
Configuring Promiscuous Mode
Understanding Promiscuous Mode
Exit interface submode
Configuring Promiscuous Mode
IPv6, Switches, and Lack of Vacl Capture
Configuring Inline Interface Mode
Understanding Inline Interface Mode
Set span 930, 932, 960, 962 4/1-4 both
Configuring Inline Interface Pairs
Creating Inline Interface Pairs
Enable the interfaces assigned to the interface pair
Name the inline pair
Display the available interfaces
It can monitor traffic see Step
Verify that the interfaces are enabled
Exit interface configuration submode
Sensorconfig-int#no inline-interfaces PAIR1
Verify the inline interface pair has been deleted
Configuring Inline Vlan Pair Mode
Understanding Inline Vlan Pair Mode
Configuring Inline Vlan Pairs
Configuring Inline Vlan Pairs
Been configured
OL-29168-01
Set up the inline Vlan pair
Verify the inline Vlan pair settings
Sensorconfig-int#no inline-interfaces interfacename
Designate an interface
Configuring Vlan Group Mode
Understanding Vlan Group Mode
To delete Vlan pairs Delete one Vlan pair
Deploying Vlan Groups
Configuring Vlan Groups
Configuring Inline Vlan Groups
None Subinterface-type
Set up the Vlan group
Specify an interface
Assign the VLANs to this group Assign specific VLANs
Configure unassigned VLANs
Verify the Vlan group settings
Add a description for the Vlan group
Configuring Inline Bypass Mode
Understanding Inline Bypass Mode
Delete Vlan groups Delete one Vlan group
Configuring Inline Bypass Mode
Configuring Bypass Mode
Configure bypass mode
Configuring Interface Notifications
Configuring Interface Notifications
Configuring CDP Mode
Enabling CDP Mode
Enable CDP mode
Sensorconfig-int#cdp-mode forward-cdp-packets
Displaying Interface Statistics
Sensor# show interfaces brief
Sensor# show interfaces Interface Statistics
Display the statistics for a specific interface
Clear the statistics
Sensor# show interfaces Management0/0
Sensor# show interfaces clear Interface Statistics
Displaying Interface Traffic History
Displaying Historical Interface Statistics
To display interface traffic history, follow these steps
Display the interface traffic history by the hour
Display the interface traffic history by the minute
Bytes Received Mbps
Configuring Virtual Sensors
Virtual Sensor Notes and Caveats
Understanding the Analysis Engine
Understanding Virtual Sensors
Advantages and Restrictions of Virtualization
Inline TCP Session Tracking Mode
Normalization and Inline TCP Evasion Protection Mode
Http Advanced Decoding
Adding, Editing, and Deleting Virtual Sensors
Restrictions
Adding Virtual Sensors
Sensorconfig-ana-vir#description virtual sensor
Adding a Virtual Sensor
Add a virtual sensor
Add a description for this virtual sensor
Enable Http advanced decoding
Verify the virtual sensor settings
Assign an event action rules policy to this virtual sensor
Assign a signature definition policy to this virtual sensor
Exit analysis engine mode
Editing and Deleting Virtual Sensors
Editing or Deleting a Virtual Sensor
Edit the virtual sensor, vs1
Edit the description of this virtual sensor
Verify the edited virtual sensor settings
Sensorconfig-ana-vir#physical-interface GigabitEthernet0/2
Delete a virtual sensor
Sensorconfig-ana# exit
Configuring Global Variables
Creating a Global Variable
Create the variable for the maximum number of open IP logs
Create the flow depth variable
Create the variable for service activity
Verify the global variable settings
Sensor# show statistic analysis-engine
OL-29168-01
Signature Definition Notes and Caveats
Understanding Policies
Sensor# list signature-definition-configurations
Working With Signature Definition Policies
Delete a signature definition policy
Sensor# copy signature-definition sig0 sig1
Reset a signature definition policy to factory settings
Understanding Signatures
Confirm the signature definition policy has been deleted
Configuring Signature Variables
Understanding Signature Variables
Creating Signature Variables
Adding, Editing, and Deleting Signature Variables
Configuring Signatures
Signature Definition Options
Configuring Alert Frequency
Configuring Alert Frequency
Specify the signature you want to configure
Enter alert frequency submode
Specify the summary key
Configuring Alert Severity
Configuring Alert Severity
To configure the alert severity, follow these steps
Assign the alert severity
Configuring the Event Counter
Configuring the Event Counter
Exit signatures submode
Optional Enable alert interval
Enter event counter submode
Configuring Signature Fidelity Rating
Configuring the Signature Fidelity Rating
Specify the signature fidelity rating for this signature
Configuring the Status of Signatures
Choose the signature you want to configure
Changing the Signature Status
Change the status for this signature
Configuring the Vulnerable OSes for a Signature
Configuring Vulnerable OSes
Specify the vulnerable OSes for this signature
Assigning Actions to Signatures
Configuring Event Actions
Configure the event action
Specify the percentage for rate limiting
Configuring AIC Signatures
Understanding the AIC Engine
Exit event action submode
Configuring the Application Policy
AIC Engine and Sensor Performance
Configuring the Application Policy
Enable inspection of FTP traffic
Enable Http application policy enforcement
Sensorconfig-sig-app-htt#aic-web-ports 80-80,3128-3128
AIC Request Method Signatures
Signature ID Define Request Method
AIC Mime Define Content Type Signatures
Signature ID Signature Description
Signature ID Signature Description
Signature ID Signature Description
AIC Transfer Encoding Signatures
Signature ID Transfer Encoding Method
AIC FTP Commands Signatures
Signature ID FTP Command
Creating an AIC Signature
Define the content type
Defining a MIME-Type Policy Signature
Specify the event action
Define the signature type
Configuring IP Fragment Reassembly
Understanding IP Fragment Reassembly
Signature ID and Name Description Range Default Action
For More Information
Configuring IP Fragment Reassembly Parameters
Configuring the Method for IP Fragment Reassembly
Enter edit default signatures submode
Specify the engine
Configuring TCP Stream Reassembly
Understanding TCP Stream Reassembly
Configuring the IP Fragment Reassembly Method
Verify the setting
TCP Stream Reassembly Signatures and Configurable Parameters
TCP Stream Reassembly Signatures
SYN
SYN
Configuring TCP Stream Reassembly Signatures
Configuring the Mode for TCP Stream Reassembly
Configuring the TCP Stream Reassembly Parameters
Sensorconfig-sig-str#tcp-3-way-handshake-required true
Sensorconfig-sig-str#tcp-reassembly-mode strict
Configuring IP Logging
Configuring IP Logging Parameters
Specify the number of packets you want logged
Specify the length of time you want the sensor to log
Creating Custom Signatures
Sequence for Creating a Custom Signature
Example String TCP Engine Signature
Creating a String TCP Engine Signature
Verify the settings
Example Service Http Engine Signature
Creating a Service Http Engine Signature
Enter signature description mode
Specify a signature name
Specify the alert traits. The valid range is from 0 to
Configure the Regex parameters
Example Meta Engine Signature
Exit alert frequency submode
Exit Regex submode
Meta Signature Engine Enhancement
Defining Signatures Creating Custom Signatures
Creating a Meta Engine Signature
Example IPv6 Engine Signature
Sensorconfig-sig-sig#engine atomic-ip-advanced
Specify the IP version
Specify IPv6
Specify the L4 protocol
Example String XL TCP Engine Match Offset Signature
Creating a String XL TCP Engine Signature
Sensorconfig-sig-sig-str#specify-exact-match-offset yes
Specify the String XL TCP engine
Specify the regex string to search for in the TCP packet
Specify an exact match offset for this signature
Specify a minimum match offset for this signature
Example String XL TCP Engine Minimum Match Length Signature
Specify a signature ID and subsignature ID for the signature
Specify a new Regex string to search for and turn on UTF-8
OL-29168-01
Configuring Event Action Rules
Event Action Rules Notes and Caveats
Understanding Security Policies
Understanding Event Action Rules
Signature Event Action Processor
Alert and Log Actions
Action filter
Deny Actions
Other Actions
Understanding Deny Packet Inline
Event Action Rules Configuration Sequence
TCP Normalizer Signature Warning
Working With Event Action Rules Policies
Working With Event Action Rules Policies
Sensor# copy event-action-rules rules0 rules1
Reset an event action rules policy to factory settings
Event Action Variables
Delete an event action rules policy
Confirm the event action rules instance has been deleted
When configuring IPv6 addresses, use the following format
Understanding Event Action Variables
IPv4 Addresses
IPv6 Addresses
Sensorconfig-eve#variables variable-ipv4 address
Adding, Editing, and Deleting Event Action Variables
Working With Event Action Variables
Verify that you added the event action rules variable
Verify that you edited the event action rules variable
Delete an event action rules variable
Verify the event action rules variable you deleted
Configuring Target Value Ratings
Calculating the Risk Rating
Understanding Threat Rating
2illustrates the risk rating formula
Adding, Editing, and Deleting Target Value Ratings
Adding, Editing, and Deleting Target Value Ratings
Configuring Event Action Overrides
Understanding Event Action Overrides
Configuring Event Action Overrides
Log packets from both the attacker and victim IP addresses
Write an alert to Event Store
Write verbose alerts to Event Store
Write events that request an Snmp trap to the Event Store
Configuring Event Action Filters
Understanding Event Action Filters
Configuring Event Action Filters
OL-29168-01
Configuring Event Action Filters
Verify the settings for the filter
Add any comments you want to use to explain this filter
Edit an existing filter
Edit the parameters see Steps 4a through 4l
Sensorconfig-eve#filters move name1 inactive
Move a filter to the inactive list
Verify that the filter has been moved to the inactive list
Configuring OS Identifications
Understanding Passive OS Fingerprinting
Passive OS Fingerprinting Configuration Considerations
Adding, Editing, Deleting, and Moving Configured OS Maps
IP Address Range Set
IOS
Unix
Configuring OS Maps
Verify the settings for the OS map
Specify the host OS type
Enable passive OS fingerprinting
Edit an existing OS map
Verify that you have moved the OS maps
Move an OS map to the inactive list
Sensorconfig-eve-os#no configured-os-map name2
Displaying and Clearing OS Identifications
Delete an OS map
Verify that the OS map has been deleted
Configuring General Settings
Displaying and Clearing OS Identifications
Verify that the OS IDs have been cleared
Sensor# clear os-identification learned
Understanding Event Action Summarization
Understanding Event Action Aggregation
Configuring the General Settings
Configuring Event Action General Settings
Enable or disable the summarizer. The default is enabled
Enter general submode
Configuring the Denied Attackers List
Verify the settings for general submode
Sensorconfig-eve-gen#global-filters-status enabled disabled
Adding a Deny Attacker Entry to the Denied Attackers List
Monitoring and Clearing the Denied Attackers List
Adding Entries to the Denied Attacker List
Remove the deny attacker entry from the list
Enter yes to remove the deny attacker entry from the list
Displaying and Deleting Denied Attackers
Delete the denied attackers list
Monitoring Events
Displaying Events
Clear only the statistics
Important to know if the list has been cleared
Displaying Events
To display events from the Event Store, follow these steps
Sensor# show events
Sensor# show events error warning 100000 Feb 9
Display alerts from the past 45 seconds
Sensor# show events alert past
Clearing Events from Event Store
Display events that began 30 seconds in the past
Enter yes to clear the events
Sensor# show events past
OL-29168-01
Configuring Anomaly Detection
Anomaly Detection Notes and Caveats
Understanding Anomaly Detection
Understanding Worms
Anomaly Detection Modes
Anomaly Detection Zones
Anomaly Detection Configuration Sequence
Anomaly Detection Signatures
Signature ID Subsignature ID Name Description
Signature ID Subsignature ID Name Description
Enable anomaly detection operational mode
Enabling Anomaly Detection
Working With Anomaly Detection Policies
Exit analysis engine submode
Working With Anomaly Detection Policies
Delete an anomaly detection policy
Sensor# copy anomaly-detection ad0 ad1
Configuring Anomaly Detection Operational Settings
Reset an anomaly detection policy to factory settings
Sensor# list anomaly-detection-configurations
Verify that the anomaly detection instance has been deleted
Configuring the Internal Zone
Configuring Anomaly Detection Operational Settings
Specify the worm timeout
Sensorconfig-ano-ign#source-ip-address-range
Configuring the Internal Zone
Configuring the Internal Zone
Enable the internal zone
Configure TCP protocol Configure UDP protocol
Configuring TCP Protocol for the Internal Zone
Configure the other protocols
Configuring Internal Zone TCP Protocol
Enable TCP protocol
Enable the service for that port
Them and configure your own scanner values
Verify the TCP configuration settings
Set the scanner threshold
Configuring UDP Protocol for the Internal Zone
Configuring the Internal Zone UDP Protocol
Enable UDP protocol
Verify the UDP configuration settings
Associate a specific port with UDP protocol
Configuring Anomaly Detection Configuring the Internal Zone
Configuring Other Protocols for the Internal Zone
Configuring the Internal Zone Other Protocols
Enable the other protocols
Associate a specific number for the other protocols
Verify the other configuration settings
Configuring the Illegal Zone
Configuring the Illegal Zone
Configuring the Illegal Zone
Understanding the Illegal Zone
Configuring TCP Protocol for the Illegal Zone
Enable the illegal zone
Sensorconfig-ano-ill#ip-address-range
Configuring the Illegal Zone TCP Protocol
Enabled true defaulted Sensorconfig-ano-ill-tcp#
Configuring UDP Protocol for the Illegal Zone
Configuring the Illegal Zone UDP Protocol
Sensorconfig-ano-ill-udp-dst-yes# scanner-threshold
Configuring Other Protocols for the Illegal Zone
Configuring the Illegal Zone Other Protocols
Verify the other protocols configuration settings
Configuring the External Zone
Configuring the External Zone
Understanding the External Zone
Configuring TCP Protocol for the External Zone
Configuring the External Zone
Enable the external zone
Configuring the External Zone TCP Protocol
Sensorconfig-ano-ext-tcp#
Configuring UDP Protocol for the External Zone
Configuring the External Zone UDP Protocol
Sensorconfig-ano-ext-udp-dst-yes# scanner-threshold
Configuring Other Protocols for the External Zone
Configuring the External Zone Other Protocols
To configure other protocols for a zone, follow these steps
Configuring Learning Accept Mode
KB and Histograms
Example Histogram
Configuring Learning Accept Mode
Configuring Learning Accept Mode
Sensorconfig-ano#learning-accept-mode auto
Sensorconfig-ano#learning-accept-mode manual
Working With KB Files
Displaying KB Files
Display the KB files for all virtual sensors
Sensor# show ad-knowledge-base files
Saving and Loading KBs Manually
Display the KB files for a specific virtual sensor
Manually Saving and Loading KBs
Save the current KB file and store it as a new name
Copying, Renaming, and Erasing KBs
Copying, Renaming, and Removing KB Files
Rename a KB file
Remove a KB file from a specific virtual sensor
Displaying the Differences Between Two KBs
Comparing Two KBs
To compare two KBs, follow these steps
Locate the file you want to compare
Displaying the Thresholds for a KB
Displaying KB Thresholds
Sensor# show ad-knowledge-base vs1 files Virtual Sensor vs1
Displaying Anomaly Detection Statistics
To display anomaly detection statistics, follow these steps
Sensor# show statistics anomaly-detection vs0
Disabling Anomaly Detection
Display the statistics for all virtual sensors
Disable anomaly detection operational mode
OL-29168-01
Global Correlation Notes and Caveats
10-1
Understanding Global Correlation
Participating in the SensorBase Network
10-2
Understanding Reputation
1shows how we use the data
Type of Data Purpose
10-3
Understanding Network Participation
10-4
Understanding Efficacy
10-5
Global Correlation Features and Goals
Understanding Reputation and Risk Rating
10-6
Global Correlation Requirements
10-7
Understanding Global Correlation Sensor Health Metrics
10-8
Global Correlation Update Client
10-9
Configuring Global Correlation
Sensorconfig-glo#global-correlation-inspection on
Turn on global correlation inspection
Specify the level of global correlation inspection
Configuring Network Participation
Turn on reputation filtering
Exit global correlation submode
10-11
Turning on Network Participation
Turn on network participation
Enter yes to agree to participate in the SensorBase Network
10-12
Troubleshooting Global Correlation
Disabling Global Correlation
10-13
Displaying Global Correlation Statistics
Disabling Global Correlation
10-14
Clear the statistics for global correlation
10-15
10-16
External Product Interface Notes and Caveats
Understanding External Product Interfaces
11-1
Understanding the CSA MC
11-2
External Product Interface Issues
11-3
Configuring the CSA MC to Support the IPS Interface
Adding External Product Interfaces and Posture ACLs
11-4
Adding External Product Interfaces
11-5
11-6
Sensorconfig-ext-cis-hos#allow-unreachable-postures yes
Sensorconfig-ext-cis-hos#posture-acls insert name1 begin
Enter the network address the posture ACL will use
Choose the action deny or permit the posture ACL will take
Troubleshooting External Product Interfaces
Exit external product interface submode
11-8
IP Logging Notes and Caveats
12-1
Configuring Automatic IP Logging
Understanding IP Logging
12-2
Configuring Automatic IP Logging
12-3
Configuring Manual IP Logging
Monitor the IP log status with the iplog-status command
12-4
Sensor# iplog vs0 192.0.2.1 duration
Displaying the Contents of IP Logs
Stopping Active IP Logs
Display a brief list of all IP logs
Disabling IP Logging Sessions
Stop the IP log session
Copying IP Log Files to Be Viewed
Stop all IP logging sessions on a virtual sensor
Copying IP Log Files
12-7
Copy the IP log to your FTP or SCP server
12-8
Packet Display And Capture Notes and Caveats
13-1
Understanding Packet Display and Capture
Displaying Live Traffic on an Interface
13-2
Displaying Live Traffic From an Interface
13-3
Sensor# packet display GigabitEthernet0/1
Capturing Live Traffic on an Interface
Display information about the packet file
13-4
Expression ip proto \\tcp
Capturing Live Traffic on an Interface
View the captured packet file
13-5
Sensor# packet capture GigabitEthernet0/1
Copying the Packet File
View any information about the packet file
13-6
View the packet file with Wireshark or Tcpdump
Erasing the Packet File
Erase the packet file
Verify that you have erased the packet file
13-8
Blocking Notes and Caveats
14-1
Understanding Blocking
14-2
Vlan B
14-3
Understanding Rate Limiting
Destination IP Signature ID Signature Name Protocol
Data
Icmp
Understanding Service Policies for Rate Limiting
Before Configuring ARC
UDP
TCP
Supported Devices
14-6
Configuring Blocking Properties
14-7
Enter network access submode
Sensorconfig# service network-access
Allowing the Sensor to Block Itself
14-8
Configure the sensor not to block itself
Exit network access submode
Disabling Blocking
14-9
Blocks on the devices are updated
To disable blocking or rate limiting, follow these steps
Enable blocking on the sensor
Verify that the setting has been returned to the default
Specifying Maximum Block Entries
14-11
Return to the default value of 250 blocks
Sensorconfig-net-gen#default block-max-entries
Change the maximum number of block entries
14-12
Time for manual blocks is set when you request the block
Specifying the Block Time
Signatures
These steps
Enabling ACL Logging
14-14
Enabling Writing to Nvram
14-15
Logging All Blocking Events and Errors
Disable writing to Nvram
Verify that writing to Nvram is disabled
14-16
Configuring the Maximum Number of Blocking Interfaces
14-17
Return the setting to the default
Verify the default setting
Specify the maximum number of interfaces
Verify the number of maximum interfaces
Configuring Addresses Never to Block
Configuring Addresses Never to Be Blocked
Sensorconfig-net-gen#never-block-hosts
For a network
Configuring User Profiles
Specify the password for the user
Create the user profile name
Enter the username for that user profile
Configuring Blocking and Rate Limiting Devices
Specify the enable password for the user
How the Sensor Manages Devices
14-21
Configuring the Sensor to Manage Cisco Routers
14-22
Routers and ACLs
Specify the IP address for the router controlled by the ARC
14-23
14-24
Switches and VACLs
14-25
Sensorconfig-net-cat#communication telnet ssh-3des
14-26
Configuring the Sensor to Manage Cisco Firewalls
Specify the Vlan number
Optional Add the pre-VACL name
Optional Add the post-VACL name
Configuring the Sensor to be a Master Blocking Sensor
14-28
Configuring the Master Blocking Sensor
Sensorconfig-web# exit
14-29
Sensorconfig# tls trusted-host ip-address 192.0.2.1 port
Enter password
Add a master blocking sensor entry
Specify whether or not the host uses TLS/SSL
Configuring Host Blocking
Configuring Network Blocking
Blocking a Host
End the host block
Configuring Connection Blocking
Blocking a Network
End the network block
14-32
Obtaining a List of Blocked Hosts and Connections
Blocking a Connection
End the connection block
Blocks are
14-34
Snmp Notes and Caveats
Understanding Snmp
15-1
Configuring Snmp
15-2
Configuring Snmp General Parameters
15-3
Configuring Snmp Traps
Exit notification submode
15-4
Configuring Snmp Traps
Enable Snmp traps
Specify whether you want detailed Snmp traps
Enter the trap community string
CISCO-ENHANCED-MEMPOOL-MIB CISCO-ENTITY-ALARM-MIB
Supported Mibs
CISCO-CIDS-MIB
15-6
15-7
15-8
Displaying the Current Configuration
16-1
First Review Cisco Confidential
16-2
Displaying the Current Submode Configuration
16-3
16-4
16-5
16-6
16-7
Sensorconfig# service health-monitor
16-8
16-9
16-10
16-11
16-12
Severity warning defaulted protected entry zone-name csi
16-13
16-14
Sensorconfig# service trusted-certificate
16-15
Filtering the Current Configuration Output
16-16
Filtering Using the More Command
To filter the more command, follow these steps
Press Ctrl-Cto stop the output and return to the CLI prompt
16-17
Filtering the Current Submode Configuration Output
Filtering the Submode Output
16-18
Displaying the Contents of a Logical File
Displaying the Logical File Contents
16-20
16-21
16-22
Backing Up the Current Configuration to a Remote Server
Restoring the Current Configuration From a Backup File
16-23
Creating and Using a Backup Configuration File
Erasing the Configuration File
16-24
Press Enter to continue or enter no to stop
16-25
16-26
Administrative Tasks for the Sensor
17-1
Administrative Notes and Caveats
Recovering the Password
Understanding Password Recovery
17-2
Recovering the Password for the Appliance
Using the Grub Menu
Platform Description Recovery Method
17-3
Recovering the Password for the ASA 5500-X IPS SSP
Using Rommon
Enter the following commands to reset the password
Sample Rommon session
Enter your new password twice
Press Enter to confirm
Session to the ASA 5500-X IPS SSP
17-5
Recovering the Password for the ASA 5585-X IPS SSP
Using the Asdm
Asa# hw-module module 1 password-reset
17-6
Session to the ASA 5585-X IPS SSP
17-7
Asa# show module
Disabling Password Recovery
Disabling Password Recovery Using the CLI
Disabling Password Recovery Using the IDM or IME
17-8
Verifying the State of Password Recovery
Troubleshooting Password Recovery
Sensorconfig-hos#show settings include password
Clearing the Sensor Databases
Clearing the Sensor Database
Enter yes to clear the inspectors database
17-10
Displaying the Inspection Load of the Sensor
Over the past 60 minutes and over the past 72 hours
Show the histogram of the inspection load
17-11
17-12
Configuring Health Status Information
17-13
Configuring Health Statistics
ASA 5500-X IPS SSP and Memory Usage
Platform Yellow Red Memory Used
17-14
17-15
Set the number of days since the last signature update
Set the threshold for memory usage
Set the missed packet threshold
17-16
Showing Sensor Overall Health Status
Exit health monitoring submode
17-17
Creating a Banner Login
Create the banner login
Show the health and security status of the sensor
Enter your message
Find the CLI ID number associated with the login session
Terminating CLI Sessions
To terminate a CLI session, follow these steps
Terminate the CLI session of jsmith
Configuring Events
Modifying Terminal Properties
17-20
17-21
17-22
Clearing Events from the Event Store
17-23
Configuring the System Clock
Displaying the System Clock
17-24
Sensor# show clock detail
Manually Setting the System Clock
Clearing the Denied Attackers List
17-25
17-26
Displaying Policy Lists
17-27
Displaying Statistics
Display the list of policies for event action rules
Display the list of policies for signature definition
17-28
Administrative Tasks for the Sensor
17-29
17-30
Display the statistics for authentication
Sensor# show statistics authentication
Display the statistics for anomaly detection
17-31
Display the statistics for the Event Server
Display the statistics for the Event Store
17-32
Sensor# show statistics event-server General
Display the statistics for the host
17-33
Show statistics host
Display the statistics for the logging application
Display the statistics for the ARC
17-34
Sensor# show statistics logger
17-35
17-36
17-37
Display the statistics for the web server
17-38
Statistics web-server
17-39
Sensor# show statistics logger clear
Displaying Tech Support Information
Varlog Files
Displaying Tech Support Information
17-40
Displaying Version Information
View version information
17-41
Sensor# show version
Cancel the output and get back to the CLI prompt
View configuration information
17-42
Diagnosing Network Connectivity
17-43
Resetting the Appliance
Enter yes to continue the reset
Following example shows a successful ping
Following example shows an unsuccessful ping
Displaying Command History
Stop all applications and power down the appliance
Enter yes to continue with the reset and power down
17-45
Displaying Hardware Inventory
17-46
Sensor# show inventory
17-47
PID IPS-4360-PWR-AC
Tracing the Route of an IP Packet
Display the route of IP packet you are interested
17-48
Inventory
Displaying Submode Settings
Show the current configuration for ARC submode
Sensor config# service network-access
17-49
17-50
Show the ARC settings in terse mode
17-51
17-52
Configuring the ASA 5500-X IPS SSP
18-1
Configuration Sequence for the ASA 5500-X IPS SSP
18-2
Verifying Initialization for the ASA 5500-X IPS SSP
Obtain the details about the ASA 5500-X IPS Ssps
Confirm the information
18-3
Creating Virtual Sensors for the ASA 5500-X IPS SSP
ASA 5500-X IPS SSP and Virtualization
Creating Virtual Sensors
18-4
Creating Virtual Sensors
18-5
Sensorconfig-ana-vir#physical-interface PortChannel0/0
18-6
Assigning Virtual Sensors to Contexts
18-7
Asa# show ips
Enter multiple mode
Add three context modes to multiple mode
Assign virtual sensors to the security contexts
18-8
ASA 5500-X IPS SSP and Bypass Mode
Configure MPF for each context
Confirm the configuration
SensorApp Fails
SensorApp is Reconfigured
ASA 5500-X IPS SSP and the Normalizer Engine
18-10
ASA 5500-X IPS SSP and Jumbo Packets
ASA 5500-X IPS SSP and Memory Usage
18-11
Health and Status Information
18-12
Asa-ips#debug module-boot
18-13
Early reservations == bootmem 0000000000
18-14
18-15
18-16
18-17
18-18
18-19
IRQ
Single ASA in Fail-Open Mode
Single ASA in Fail-Close Mode
Two ASAs in Fail-Open Mode
ASA 5500-X IPS SSP Failover Scenarios
New and Modified Commands
Two ASAs in Fail-Close Mode
Configuration Examples
18-21
Defaults
Firewall Mode Security Context Multiple Command Mode Routed
Allocate-ips
Single Context System
Command History Release Modification
Related Commands Description
Examples
18-23
18-24
ASA 5585-XIPS SSP Notes and Caveats
19-1
Configuration Sequence for the ASA 5585-X IPS SSP
19-2
Verifying Initialization for the ASA 5585-X IPS SSP
Obtain the details about the ASA 5585-X IPS SSP
19-3
Asa# show module 1 details
Creating Virtual Sensors for the ASA 5585-X IPS SSP
ASA 5585-X IPS SSP and Virtualization
19-4
ASA 5585-X IPS SSP Virtual Sensor Configuration Sequence
19-5
Command, for example sig1
Example, rules1
Virtual sensor that you create
19-6
19-7
Asaconfig-ctx#
Asaconfig-ctx# Config-url disk0/c2.cfg
19-8
19-9
ASA 5585-X IPS SSP and Bypass Mode
ASA 5585-X IPS SSP and the Normalizer Engine
19-10
ASA 5585-X IPS SSP and Jumbo Packets
19-11
Ips-ssp#hardware-module module 1 recover configure
19-12
Asa# hw-module module 1 reset
19-13
Module 1 details
Ips-ssp#hw-module module 1 recover configure
19-14
Traffic Flow Stopped on IPS Switchports
Asaconfig# debug module-boot
19-15
Failover Scenarios
19-16
19-17
19-18
IPS 7.2 File List
Obtaining Cisco IPS Software
20-1
Enter your username and password
IPS Software Versioning
Downloading Cisco IPS Software
20-2
Major Update
Minor Update
Service Pack
Patch Release
Signature Update
Signature Engine Update
20-4
Recovery and System Image Files
20-5
IPS Software Release Examples
20-6
Accessing IPS Documentation
20-7
Cisco Security Intelligence Operations
20-8
Upgrade Notes and Caveats
21-1
Upgrades, Downgrades, and System Images
21-2
Supported FTP and HTTP/HTTPS Servers
Upgrading the Sensor
IPS 7.21E4 Files
21-3
Upgrade Notes and Caveats
Manually Upgrading the Sensor
21-4
Upgrade the sensor
Enter the password when prompted
Sensorconfig# upgrade url/IPS-SSP10-K9-7.2-1-E4.pkg
Upgrading the Sensor
Working With Upgrade Files
21-6
Upgrading the Recovery Partition
21-7
Configuring Automatic Upgrades
Configuring Automatic Updates
Enter the server password. The upgrade process begins
21-8
21-9
Configuring Automatic Upgrades
21-10
Specify the username for authentication
Specify the password of the user
Exit automatic upgrade submode
21-11
Applying an Immediate Update
Sensor# autoupdatenow
21-12
Sensor# show statistics host
Recovering the Application Partition
Downgrading the Sensor
21-13
Installing System Images
Recovering the Application Partition Image
Recover the application partition image
Sensorconfig# recover application-partition
Connecting an Appliance to a Terminal Server
Tftp Servers
21-15
Installing the System Image for the IPS 4345 and IPS
21-16
21-17
PCI
Assign the Tftp server IP address
If necessary, assign the gateway IP address
21-18
Rommon ping server
Installing the System Image for the IPS 4510 and IPS
Rommon
21-19
21-20
If necessary, assign the Tftp server IP address
21-21
Installing the System Image for the ASA 5500-X IPS SSP
Periodically check the recovery until it is complete
Image the ASA 5500-X IPS SSP
21-22
Installing the System Image for the ASA 5585-X IPS SSP
21-23
21-24
Specify the default gateway of the ASA 5585-X IPS SSP
To enable debugging of the software installation process
Asa# hw-module module 1 recover boot
Leave the Vlan ID at
Installing the ASA 5585-X IPS SSP System Image Using Rommon
21-26
21-27
Rommon #0 set
21-28
21-29
21-30
Understanding the IPS System Architecture
IPS System Design
Figure A-1illustrates the system design for IPS software
System Applications
Figure A-2 System Design for IPS 4500 Series Sensors
Appendix a System Architecture System Applications
Security Features
For detailed information about SDEE, see SDEE, page A-33
MainApp
Understanding the MainApp
MainApp Responsibilities
ARC
Event Store
Understanding the Event Store
Event Data Structures
Table A-1shows some examples
Stamp Value Meaning
NotificationApp
IPS Events
Vlan
CtlTransSource
PEP
Attack Response Controller
Figure A-3
Understanding the ARC
Figure A-4illustrates the ARC
ARC Features
Supported Blocking Devices
ACLs and VACLs
Maintaining State Across Restarts
Fwsm
Connection-Based and Unconditional Blocking
Scenario
Blocking with Cisco Firewalls
To unblock an IP address
To clear all blocks
No shun ip
Blocking with Catalyst Switches
Logger
AuthenticationApp
Understanding the AuthenticationApp
Authenticating Users
Configuring Authentication on the Sensor
Managing TLS and SSH Trust Relationships
SensorApp
Web Server
Understanding the SensorApp
Inline, Normalization, and Event Risk Rating Features
SensorApp New Features
Packet Flow
Signature Event Action Processor
CollaborationApp
Update Components
SwitchApp
Error Events
CLI
User Roles
Service Account
Communications
Idapi
Idconf
Cisco IPS File Structure
Cidee
Using the Idapi
Summary of Cisco IPS Applications
Application Description
CLI
IDM
Java applet that provides an Html IPS management interface
IME
Events
Signature Engines
Understanding Signature Engines
Appendix B Signature Engines Understanding Signature Engines
Appendix B Signature Engines Understanding Signature Engines
Master Engine
General Parameters
Parameter Description Value
Signature-id Specifies the ID of this signature
Sig-name
Promiscuous Delta
Alert Frequency
Obsoletes
Vulnerable OS List
Event Actions
Name Description
AIC Engine
\NNN
To Match Regular Expression
Understanding the AIC Engine
AIC Engine and Sensor Performance
AIC Engine Parameters
Alarm-on-non-http-traffic
Parameter Description
Table B-6 AIC FTP Engine Parameters
Atomic Engine
Atomic ARP Engine
Atomic IP Advanced Engine
Isatap
Atomic IP Advanced Engine Restrictions
String
IPv6
Parameter Description Value
OL-29168-01
IPV4
Icmp ID
L4 Protocol ICMPv6
L4 Protocol TCP and UDP
OL-29168-01
Atomic IP Engine
Parameter Description Value
Appendix B Signature Engines
OL-29168-01
Atomic IPv6 Engine
Atomic IPv6 Signatures
Fixed Engine
Table B-11 Fixed TCP Engine Parameters
Flood Engine
Meta Engine
Protocol Specifies which kind of traffic to inspect
Flood Net Engine Parameters
Component-list Specifies the Meta engine component
Name1
Multi String Engine
Normalizer Engine
IP Fragmentation Normalization
TCP Normalization
IPv6 Fragments
ASA IPS Modules and the Normalizer Engine
Service Engines
Understanding the Service Engines
Service DNS Engine
Service FTP Engine
Service Generic Engine
Table B-20 Service Generic Engine Parameters
Service H225 Engine
Setup
Setup
ASN.1-PER
Tpkt
Service Http Engine
Crlfcrlf
Service Ident Engine
Service Msrpc Engine
Smbcomtransaction
Service Mssql Engine
Service NTP Engine
Service P2P Engine
Service RPC Engine
Parameter Description Value
Service SMB Advanced Engine
Msrpc Uuid
Service Snmp Engine
Service SSH Engine
Specify-object-id-Enables
Service TNS Engine
State Engine
Table B-32lists the parameters specific to the State engine
String Engines
Table B-33 String Icmp Engine Parameters
Table B-35 String UDP Engine
String XL Engines
Parameter Description Value
Unsupported String XL Parameters
Sweep Engines
Sweep Engine
Data Nodes
Type
Sweep Other TCP Engine
Traffic Anomaly Engine
Sweep Other TCP Engine Parameters
Signature
Traffic Icmp Engine
Trojan Engines
Troubleshooting
Bug Toolkit
Preventive Maintenance
Understanding Preventive Maintenance
Creating and Using a Backup Configuration File
Sensor# copy current-config backup-config
Backing Up the Current Configuration to a Remote Server
Creating the Service Account
Disaster Recovery
Password Recovery
Security appliance IPS modules Command
ASA 5500 series adaptive Adaptive security appliance CLI
Using Rommon
Password-Reset issued for module ips
Recovering the Password for the ASA 5585-X IPS SSP
0123 21E4
Disabling Password Recovery
Verifying the State of Password Recovery
For the procedure for configuring NTP, see Configuring NTP,
Time Sources and the Sensor
Synchronizing IPS Clocks with Parent Device Clocks
Verifying the Sensor is Synchronized with the NTP Server
Generate the host statistics
Generate the hosts statistics again after a few minutes
Advantages and Restrictions of Virtualization
TFor More Information
When to Disable Anomaly Detection
To learn more about Worms, see Understanding Worms,
Reboot the sensor
Command output
Analysis Engine Not Responding
Enter show tech-support and save the output
External Product Interfaces Issues
Troubleshooting the Appliance
External Product Interfaces Troubleshooting Tips
Troubleshooting Loose Connections
Communication Problems
Analysis Engine is Busy
Cannot Access the Sensor CLI Through Telnet or SSH
More
Correcting a Misconfigured Access List
Sensor# show configuration include access-list
Duplicate IP Address Shuts Interface Down
Make sure the sensor cabling is correct
SensorApp and Alerting
SensorApp is Not Running
Make sure the IP address is correct
AnalysisEngine 20130410110072014 Release
Physical Connectivity, SPAN, or Vacl Port Issue
Unable to See Alerts
Sensor# show interfaces
Make sure you have Produce Alert configured
Check for alerts
Sensor# show interfaces FastEthernet0/1
Sensorconfig-int#physical-interfaces GigabitEthernet0/1
Sensor Not Seeing Packets
Sensor# show interfaces GigabitEthernet0/1
Cleaning Up a Corrupted SensorApp Configuration
Exit the service account Log in to the sensor CLI
Check to see that the interface is up and receiving packets
Replace the virtual sensor file
Troubleshooting Blocking
Start the IPS services
Blocking
Sensor# cids start
Verifying the ARC is Running
If the ARC is not connecting, look for recurring errors
Make sure you have the latest software updates
Sensor# show events error hhmmss month day year include nac
Sensor# show events error 000000 Apr 01 2011 include nac
For More Information
Device Access Issues
Verify the IP address for the managed devices
Sensorname Sensor Management Time-Based Actions Host Blocks
Start the manual block of the bogus host IP address
Enabling SSH Connections to the Network Device
Blocking Not Occurring for a Signature
Verifying the Master Blocking Sensor Configuration
Exit network access general submode
Enable debug logging for all zones
Logging
Enabling Debug Logging
Turn on individual zone control
Exit master zone control
View the zone names
Protected entry zone-name nac
Turn on debugging for a particular zone
Exit the logger submode
Zone Names
Press Enter to apply changes or type no to discard them
Table C-2lists the debug logger zone names
Zone Name Description
Directing cidLog Messages to SysLog
TCP Reset Not Occurring for a Signature
Software Upgrades
Upgrading Error
Make sure the correct alarms are being generated
Sensor# show events alert
Which Updates to Apply and Their Prerequisites
Issues With Automatic Update
Updating a Sensor with the Update Stored on the Sensor
Troubleshooting the IDM
Cannot Launch the IDM Loading Java Applet Failed
Click the Advanced tab
Cannot Launch the IDM-The Analysis Engine Busy
Delete the temp files and clear the history in the browser
Troubleshooting the IME
Signatures Not Producing Alerts
Troubleshooting the ASA 5500-X IPS SSP
Not Supported Error Message
Time Synchronization on IME and the Sensor
Health and Status Information
E1000 00000005.0 PCI INT a disabled
303
Appendix C Troubleshooting
Usb
CRS
IRQ
Failover Scenerios
ASA 5500-X IPS SSP and the Normalizer Engine
ASA 5500-X IPS SSP and Memory Usage
ASA 5500-X IPS SSP and Jumbo Packets
Troubleshooting the ASA 5585-X IPS SSP
Hw-module module 1 reset command
Reset issued for module in slot Asa# show
Mgmt IP addr 192.0.2.3
Failover Scenarios
Traffic Flow Stopped on IPS Switchports
ASA 5585-X IPS SSP and the Normalizer Engine
Gathering Information
ASA 5585-X IPS SSP and Jumbo Packets
Health and Network Security Information
Tech Support Information
Understanding the show tech-support Command
Displaying Tech Support Information
Tech Support Command Output
Sensor# show tech-support page System Status Report
= No
Understanding the show version Command
Version Information
Displaying Version Information
Version 29.1 Platform IPS4360 Serial Number
Service aaa
Understanding the show statistics Command
Statistics Information
Displaying Statistics
Percentage Thread Sec Min Average
Inspection Stats Inspector Active Call Create Delete
Display the statistics for anomaly detection
Sensor# show statistics denied-attackers
Sensor# show statistics event-server
Sensor# show statistics event-store
Threat
Multicast MTU1500 Metric1
Appendix C Troubleshooting Gathering Information
Display the statistics for the notification application
Name Current
OL-29168-01
Sensor# show statistics web-server listener-443
Understanding the show interfaces Command
Interfaces Information
Interfaces Command Output
Displaying Interface Traffic History
Avg Load Peak Load
GigabitEthernet0/1 Time Packets Received Bytes Received Mbps
Events Information
Understanding the show events Command
Sensor Events
Displaying Events
Displaying Events
100
CidDump Script
Clearing Events
101
Uploading and Accessing Files on the Cisco FTP Site
Enter the following command
102
Usr/cids/idsRoot/bin/cidDump
CLI Error Messages
Reason Command
URI
Error Message Reason Command
System that has not been upgraded
Packet-file but no packet-file has
Been captured
User attempted to downgrade a
User attempted to cancel a CLI
Operator or viewer user attempted to Initial login
Log in when the maximum number
Administrator user attempted to log Initial login
Appendix D CLI Error Messages
CLI Validation Error Messages
Reason/Location
Detection configuration file that is currently in use
Interface and optional sub-interface being
Added to the virtual sensor entry physical
Interface set has already been assigned to another
OL-29168-01
GL-1
To detect worm-infected hosts
GL-2
GL-3
Certificate for one CA issued by another CA
Authoritative private key
GL-4
GL-5
GL-6
Dual In-line Memory Modules
A public outside network
To the transmit line and reads data from the receive line
802.1q to be used
GL-8
Procedures, and basic data transport methods
An ITU standard that governs H.245 endpoint control
GL-9
GL-10
GL-11
GL-12
Proprietary branches
Detailed information about signatures
GL-13
GL-14
GL-15
Quality and service availability
GL-16
GL-17
Network devices. Used with the IDS MC
Unauthorized activity
Analysis Engine
GL-18
GL-19
GL-20
Authorization, and accounting
Network asset through its IP address
Local system. Telnet is defined in RFC
GL-21
GL-22
Through a switch. Also known as security ACLs
RFC
Version identifier. Part of the UDI
GL-23
GL-24
Payload reassembly
Hosts
GL-25
GL-26
AIC FTP
AIC Http
IN-1
IN-2
NAT
TACACS+
ARP
IN-3
Asdm
SSP
IN-4
Radius
IN-5
BO2K
URL Cidee
IN-6
Exec
IN-7
IN-8
IN-9
IN-10
CSA MC
IN-11
TFN
IN-12
AIC FTP AIC Http
IN-13
IN-14
IN-15
Idapi
Idconf
IN-16
Idiom
ASA 5500-X IPS SSP ASA 5585-X IPS SSP
IN-17
Tcpdump
IN-18
IPS SSP
IN-19
SSH
Loki
IN-20
Snmp
IN-21
IN-22
IN-23
IN-24
RTT
Sdee
Http A-33
IN-25
IN-26
IN-27
AIC
IN-28
Cidee Idconf Idiom Sdee
Smtp
IN-29
IN-30
TAC
TFN2K
TLS
IN-31
BO2K Loki TFN2K
IN-32
Upgrade command
Sensor initialization Sensor setup Version display
Sensing process not running
Viewer role privileges
IN-34
