Manuals / Cisco Systems / Household Appliance / Home Security System

Cisco Systems IPS4510K9 manual Atomic IP Advanced Engine

Models: IPS4510K9

1 854

Download 854 pages 14.35 Kb

Page 625

Appendix B Signature Engines

Atomic Engine

Table B-7	Atomic ARP Engine Parameters (continued)

Parameter		Description		Value

specify-type-of-arp-sig {yes no}		(Optional) Enables the ARP signature type:		dst-broadcast
		• type-of-arp-sig—Specifies the type of ARP		same-src-dst
			signatures you want to fire on:	src-broadcast
				src-broadcast
			– Destination Broadcast—Fires an alert	src-multicast
			for this signature when it sees an ARP	src-multicast
			for this signature when it sees an ARP
			destination address of 255.255.255.255.
			– Same Source and Destination—Fires an
			alert for this signature when it sees an
			ARP destination address with the same
			source and destination MAC address
			– Source Broadcast (default)—Fires an
			alert for this signature when it sees an
			ARP source address of 255.255.255.255.
			– Source Multicast—Fires an alert for this
			signature when it sees an ARP source
			MAC address of 01:00:5e:(00-7f).

storage-key		Specifies the type of address key used to store		Axxx
		persistent data:		AxBx
				AxBx
		•	Attacker address	xxBx
				xxBx
		• Attacker and victim addresses		xxxx
				xxxx
		•	Victim address
		•	Global

For More Information

For more information on the parameters common to all signature engines, see Master Engine, page B-4.

Atomic IP Advanced Engine

The Atomic IP Advanced engine parses and interprets the IPv6 header and its extensions, the IPv4 header and its options, ICMP, ICMPv6, TCP, and UDP, and seeks out anomalies that indicate unusual activity.

Atomic IP Advanced engine signatures do the following:

•Inspect for anomalies in IP addresses, for example, spoofed addresses.

•Inspect for bad information in the length fields of the packet.

•Fire informational alerts about the packet.

•Fire higher severity alerts for the limited set of known vulnerabilities.

•Duplicate any IPv6-specific signatures in Engine Atomic IP that can also apply to IPv6.

•Provide default signatures for identifying tunneled traffic based on IP address, port, protocol, and limited information from the packet data.

		Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

	OL-29168-01			B-15
	OL-29168-01			B-15

Image 625

Cisco Systems IPS4510K9 manual Atomic IP Advanced Engine

Contents

Text Part Number OL-29168-01 Americas HeadquartersPage Iii N T E N T SAdvanced Setup for the Appliance Interface Support Understanding Inline Vlan Pair Mode Vii Configuring Alert SeverityViii Example String XL TCP Engine Match Offset SignatureUnderstanding Worms Configuring Global Correlation Configuring IP Logging Xii RoutersXiii Using RommonXiv Configuring the ASA 5585-X IPS SSPUpgrading, Downgrading, and Installing System Images Xvi NotificationAppXvii AIC Engine B-10Xviii Creating the Service Account C-5Xix Communication ProblemsUnderstanding the show tech-support Command C-75 Xxi CLI Validation Error Messages D-6Xxii Audience ContentsOrganization Xxiv Related Documentation ConventionsConvention Indication XxvXxvi Obtaining Documentation and Submitting a Service RequestSupported User Roles Logging In Notes and CaveatsIi-1 For More Information Logging In to the ApplianceIi-2 Config t Connecting an Appliance to a Terminal ServerIi-3 Exit Wr memIi-4 Logging In to the ASA 5500-X IPS SSPAsa# session ips Ii-5 Logging In to the ASA 5585-X IPS SSPAsa# session Ii-6 Logging In to the SensorIi-7 Ii-8 Supported IPS Platforms IPS CLI Configuration GuideSensor Configuration Sequence User Roles Service AdministratorOperators ViewersFollowing tips help you use the Cisco IPS CLI CLI BehaviorPrompts HelpRecall Command Line EditingCase Sensitivity Display OptionsKeys Description Regular Expression Syntax IPS Command ModesCharacter Description StringMatches a as well as b Only if it is at the end of the stringMatches any character Or more timesSensor# configure terminal Generic CLI CommandsCLI Keywords OL-29168-01 Initializing Notes and Caveats Initializing the SensorSystem Configuration Dialog Simplified Setup ModeUnderstanding Initialization Example 2-1 Example System Configuration Dialog Example 2-1shows a sample System Configuration DialogInitializing the Sensor Basic Sensor Setup Basic Sensor SetupInitializing the Sensor Basic Sensor Setup Following configuration was entered Initializing the Sensor Advanced Setup Advanced SetupAdvanced Setup for the Appliance Enter a subinterface number and description Enter 1 to edit the interface configurationEnter numbers for Vlan 1 Press Enter to return to the available interfaces menuEnter 2 to modify the virtual sensor configuration, vs0 Enter 2 to edit the virtual sensor configurationPress Enter to return to the top-level editing menu Host-ip 192.168.1.2/24,192.168.1.1 Enter 2 to save the configuration Reboot the appliance Advanced Setup for the ASA 5500-X IPS SSPEnter a name and description for your virtual sensor Enter 2 to modify the virtual sensor vs0 configurationModify default threat prevention settings?no Asa-ips#show tls fingerprint Reboot the ASA 5500-X IPS SSPAdvanced Setup for the ASA 5585-X IPS SSP Enter 2 to edit the virtual sensor configuration Exit Service analysis-engine Verifying Initialization Reboot the ASA 5585-X IPS SSPIps-ssp#show tls fingerprint Sensor# show configuration View your configurationSensor# show tls fingerprint Display the self-signed X.509 certificate needed by TLSSetup Notes and Caveats Setting Up the SensorChanging Network Settings Understanding Sensor SetupChanging the Hostname Enter network settings mode Exit network settings modeChange the sensor IP address, netmask, and default gateway Changing the IP Address, Netmask, and GatewayEnabling and Disabling Telnet Enable Telnet servicesVerify that Telnet is enabled Changing the Access ListRemove the entry from the access list Verify the change you made to the access-listChange the value back to the default Verify the value has been set back to the defaultTo change the FTP timeout, follow these steps Changing the FTP TimeoutChange the number of seconds of the FTP timeout Verify the FTP timeout changeAdd the banner login text Adding a Login BannerVerify the banner login text message Verify the login text has been removed Verify the settings Enable a DNS serverLogin-banner-text defaulted dns-primary-server Enabling SSHv1 Fallback Verify that SSHv1 fallback is enabledChange the number of seconds of the CLI session timeout Changing the CLI Session TimeoutVerify the CLI session timeout change Exit authentication modeWhen disabled, the client can use the following ciphers Changing Web Server SettingsTLSDHERSAWITHAES256CBCSHA256 TLSDHEDSSWITHAES256CBCSHA256 Change the port number Sensor# configure terminal Sensorconfig# service web-serverTurn on logging for web session inactivity timeouts Specify the web session inactivity timeoutVerify the defaults have been replaced Turn on TLS client ciphers restrictionAdding and Removing Users Configuring Authentication and User ParametersSensorconfig# username tester privilege administrator Sensorconfig# username username password password privilegeSpecify the parameters for the user Sensor# show users allTo remove a user, use the no form of the command Configuring AuthenticationSensor# configure terminal Sensorconfig# no username jsmith Radius Authentication Options Configuring Local or Radius Authentication Enter AAA submode Sensorconfig-aaa-rad#default-user-role operatorEnter the Radius server IP address Ips-role=administrator Ips-role=serviceEnter the IP address of the second Radius server Specify the type of console authenticationExit AAA mode Configuring Packet Command RestrictionAAA Radius Users Check your new setting Enter authentication submodeSensorconfig-aut#permit-packet-logging true Sensorconfig-aut#permit-packet-logging falseSensorconfig# user username privilege service Creating the Service AccountRadius Authentication Functionality and Limitations Service Account and Radius AuthenticationConfiguring Passwords Exit configuration modeChanging User Privilege Levels Change your passwordChange the privilege level from viewer to operator Showing User StatusDisplay your current level of privilege Verify all users. The account of the user jsmith is lockedTo unlock the account of jsmith, reset the password Configuring the Password PolicyExample Check that the setting has returned to the default Set the value back to the system default settingLocking User Accounts Unlocking User Accounts Enter global configuration modeParentheses Unlock the accountTime Sources and the Sensor Configuring TimeIPS Standalone Appliances Correcting Time on the Sensor Configuring Time on the SensorASA IPS Modules Symbol Manually Setting the System ClockDisplaying the System Clock Sensor# show clockEnter the month you want to start summertime settings Configuring Recurring Summertime SettingsEnter start summertime submode Sensor# clock set 1321 Mar 29Enter the month you want to end summertime settings Verify your settingsEnter end summertime submode Specify the local time zone used during summertimeExit recurring summertime submode Configuring Nonrecurring Summertime SettingsExit non-recurring summertime submode Configuring Time Zones Settings Configuring NTPExit time zone settings submode Sensorconfig-hos-tim#standard-time-zone-name CSTExample Configuring a Cisco Router to be an NTP ServerEnter service host mode Configuring the Sensor to Use an NTP Time SourceConfigure unauthenticated NTP Enter NTP configuration mode Verify the unauthenticated NTP settingsConfigure authenticated NTP Enter NTP configuration mode Configuring SSHVerify the NTP settings Exit NTP configuration modeAdding Hosts to the SSH Known Hosts List Understanding SSHAdd an entry to the known hosts list Sensorconfig# ssh host-keyView the key for a specific IP address Sensor# show ssh host-keysAdding Authorized RSA1 and RSA2 Keys Sensorconfig# no ssh host-keyGenerating the RSA Server Host Key Sensor# show ssh server-key Sensor# ssh generate-keyUnderstanding TLS Configuring TLSAdding TLS Trusted Hosts Sensorconfig# tls trusted-host ip-address 10.89.146.110 portView the fingerprint for a specific host Displaying and Generating the Server CertificateRemove an entry from the trusted hosts list Verify that the key was generatedUnderstanding the License Key Installing the License KeyObtaining and Installing the License Key Service Programs for IPS ProductsInstalling the License Key Verify the sensor is licensed Licensing the ASA 5500-X IPS SSPVerify the sensor key has been uninstalled Uninstalling the License KeySensor# erase license-key Setting Up the Sensor Installing the License Key OL-29168-01 Interface Notes and Caveats Configuring InterfacesIPS Interfaces Understanding InterfacesSensor Command and Control Interface Command and Control InterfaceUnderstanding Alternate TCP Reset Interfaces TCP Reset InterfacesSensing Interfaces 2lists the alternate TCP reset interfaces Designating the Alternate TCP Reset InterfaceSensor Alternate TCP Reset Interface NoneInterfaces Not Interface SupportBase Chassis Cards Sensing Ports Inline Interface Pairs Combinations Supporting Command and Control Interface Configuration Restrictions Configuring Interfaces Understanding Interfaces Interface Configuration Sequence Configuring Physical Interfaces Specify the interface for promiscuous mode Configuring the Physical Interface SettingsDisplay the list of available interfaces Sensorconfig-int-phy#alt-tcp-reset-interface none Remove TCP resets from an interfaceAdd a description of this interface Understanding Promiscuous Mode Configuring Promiscuous ModeExit interface submode IPv6, Switches, and Lack of Vacl Capture Configuring Promiscuous ModeUnderstanding Inline Interface Mode Configuring Inline Interface ModeSet span 930, 932, 960, 962 4/1-4 both Creating Inline Interface Pairs Configuring Inline Interface PairsName the inline pair Enable the interfaces assigned to the interface pairDisplay the available interfaces It can monitor traffic see StepVerify that the interfaces are enabled Sensorconfig-int#no inline-interfaces PAIR1 Exit interface configuration submodeVerify the inline interface pair has been deleted Understanding Inline Vlan Pair Mode Configuring Inline Vlan Pair ModeConfiguring Inline Vlan Pairs Been configured Configuring Inline Vlan PairsOL-29168-01 Verify the inline Vlan pair settings Set up the inline Vlan pairSensorconfig-int#no inline-interfaces interfacename Designate an interfaceUnderstanding Vlan Group Mode Configuring Vlan Group ModeTo delete Vlan pairs Delete one Vlan pair Deploying Vlan Groups Configuring Vlan Groups Configuring Inline Vlan Groups None Subinterface-type Specify an interface Set up the Vlan groupAssign the VLANs to this group Assign specific VLANs Verify the Vlan group settings Configure unassigned VLANsAdd a description for the Vlan group Understanding Inline Bypass Mode Configuring Inline Bypass ModeDelete Vlan groups Delete one Vlan group Configuring Bypass Mode Configuring Inline Bypass ModeConfigure bypass mode Configuring Interface Notifications Configuring Interface NotificationsConfiguring CDP Mode Enable CDP mode Enabling CDP ModeSensorconfig-int#cdp-mode forward-cdp-packets Displaying Interface StatisticsSensor# show interfaces Interface Statistics Sensor# show interfaces briefClear the statistics Display the statistics for a specific interfaceSensor# show interfaces Management0/0 Sensor# show interfaces clear Interface StatisticsDisplaying Interface Traffic History To display interface traffic history, follow these steps Displaying Historical Interface StatisticsDisplay the interface traffic history by the hour Display the interface traffic history by the minuteBytes Received Mbps Virtual Sensor Notes and Caveats Configuring Virtual SensorsUnderstanding Virtual Sensors Understanding the Analysis EngineAdvantages and Restrictions of Virtualization Inline TCP Session Tracking Mode Http Advanced Decoding Normalization and Inline TCP Evasion Protection ModeAdding, Editing, and Deleting Virtual Sensors RestrictionsAdding Virtual Sensors Adding a Virtual Sensor Sensorconfig-ana-vir#description virtual sensorAdd a virtual sensor Add a description for this virtual sensorVerify the virtual sensor settings Enable Http advanced decodingAssign an event action rules policy to this virtual sensor Assign a signature definition policy to this virtual sensorExit analysis engine mode Editing or Deleting a Virtual Sensor Editing and Deleting Virtual SensorsEdit the virtual sensor, vs1 Edit the description of this virtual sensorSensorconfig-ana-vir#physical-interface GigabitEthernet0/2 Verify the edited virtual sensor settingsDelete a virtual sensor Sensorconfig-ana# exit Creating a Global Variable Configuring Global VariablesCreate the variable for the maximum number of open IP logs Create the flow depth variableVerify the global variable settings Create the variable for service activitySensor# show statistic analysis-engine OL-29168-01 Understanding Policies Signature Definition Notes and CaveatsWorking With Signature Definition Policies Sensor# list signature-definition-configurationsDelete a signature definition policy Sensor# copy signature-definition sig0 sig1Understanding Signatures Reset a signature definition policy to factory settingsConfirm the signature definition policy has been deleted Understanding Signature Variables Configuring Signature VariablesCreating Signature Variables Adding, Editing, and Deleting Signature Variables Signature Definition Options Configuring SignaturesConfiguring Alert Frequency Specify the signature you want to configure Configuring Alert FrequencyEnter alert frequency submode Specify the summary keyConfiguring Alert Severity Configuring Alert SeverityTo configure the alert severity, follow these steps Assign the alert severityConfiguring the Event Counter Configuring the Event CounterExit signatures submode Enter event counter submode Optional Enable alert intervalConfiguring the Signature Fidelity Rating Configuring Signature Fidelity RatingSpecify the signature fidelity rating for this signature Choose the signature you want to configure Configuring the Status of SignaturesChanging the Signature Status Change the status for this signatureConfiguring Vulnerable OSes Configuring the Vulnerable OSes for a SignatureSpecify the vulnerable OSes for this signature Assigning Actions to Signatures Configure the event action Configuring Event ActionsSpecify the percentage for rate limiting Understanding the AIC Engine Configuring AIC SignaturesExit event action submode AIC Engine and Sensor Performance Configuring the Application PolicyEnable inspection of FTP traffic Configuring the Application PolicyEnable Http application policy enforcement Sensorconfig-sig-app-htt#aic-web-ports 80-80,3128-3128Signature ID Define Request Method AIC Request Method SignaturesSignature ID Signature Description AIC Mime Define Content Type SignaturesSignature ID Signature Description Signature ID Signature Description Signature ID Transfer Encoding Method AIC Transfer Encoding SignaturesSignature ID FTP Command AIC FTP Commands SignaturesCreating an AIC Signature Defining a MIME-Type Policy Signature Define the content typeSpecify the event action Define the signature typeUnderstanding IP Fragment Reassembly Configuring IP Fragment ReassemblySignature ID and Name Description Range Default Action For More Information Configuring the Method for IP Fragment Reassembly Configuring IP Fragment Reassembly ParametersEnter edit default signatures submode Specify the engineUnderstanding TCP Stream Reassembly Configuring TCP Stream ReassemblyConfiguring the IP Fragment Reassembly Method Verify the settingTCP Stream Reassembly Signatures and Configurable Parameters TCP Stream Reassembly Signatures SYN SYN Configuring TCP Stream Reassembly Signatures Configuring the Mode for TCP Stream Reassembly Sensorconfig-sig-str#tcp-3-way-handshake-required true Configuring the TCP Stream Reassembly ParametersSensorconfig-sig-str#tcp-reassembly-mode strict Configuring IP Logging Parameters Configuring IP LoggingSpecify the number of packets you want logged Specify the length of time you want the sensor to logSequence for Creating a Custom Signature Creating Custom SignaturesExample String TCP Engine Signature Creating a String TCP Engine Signature Verify the settings Example Service Http Engine Signature Enter signature description mode Creating a Service Http Engine SignatureSpecify a signature name Specify the alert traits. The valid range is from 0 toExample Meta Engine Signature Configure the Regex parametersExit alert frequency submode Exit Regex submodeMeta Signature Engine Enhancement Defining Signatures Creating Custom Signatures Creating a Meta Engine Signature Example IPv6 Engine Signature Specify the IP version Sensorconfig-sig-sig#engine atomic-ip-advancedSpecify IPv6 Specify the L4 protocolCreating a String XL TCP Engine Signature Example String XL TCP Engine Match Offset SignatureSpecify the String XL TCP engine Sensorconfig-sig-sig-str#specify-exact-match-offset yesSpecify the regex string to search for in the TCP packet Specify an exact match offset for this signatureSpecify a minimum match offset for this signature Example String XL TCP Engine Minimum Match Length Signature Specify a signature ID and subsignature ID for the signature Specify a new Regex string to search for and turn on UTF-8 OL-29168-01 Event Action Rules Notes and Caveats Configuring Event Action RulesUnderstanding Event Action Rules Understanding Security PoliciesSignature Event Action Processor Action filter Alert and Log ActionsDeny Actions Understanding Deny Packet Inline Other ActionsTCP Normalizer Signature Warning Event Action Rules Configuration SequenceWorking With Event Action Rules Policies Working With Event Action Rules PoliciesSensor# copy event-action-rules rules0 rules1 Event Action Variables Reset an event action rules policy to factory settingsDelete an event action rules policy Confirm the event action rules instance has been deletedUnderstanding Event Action Variables When configuring IPv6 addresses, use the following formatIPv4 Addresses IPv6 AddressesAdding, Editing, and Deleting Event Action Variables Sensorconfig-eve#variables variable-ipv4 addressWorking With Event Action Variables Verify that you edited the event action rules variable Verify that you added the event action rules variableDelete an event action rules variable Verify the event action rules variable you deletedCalculating the Risk Rating Configuring Target Value Ratings2illustrates the risk rating formula Understanding Threat RatingAdding, Editing, and Deleting Target Value Ratings Adding, Editing, and Deleting Target Value Ratings Understanding Event Action Overrides Configuring Event Action OverridesConfiguring Event Action Overrides Write an alert to Event Store Log packets from both the attacker and victim IP addressesWrite verbose alerts to Event Store Write events that request an Snmp trap to the Event StoreUnderstanding Event Action Filters Configuring Event Action FiltersConfiguring Event Action Filters OL-29168-01 Configuring Event Action Filters Add any comments you want to use to explain this filter Verify the settings for the filterEdit an existing filter Edit the parameters see Steps 4a through 4lMove a filter to the inactive list Sensorconfig-eve#filters move name1 inactiveVerify that the filter has been moved to the inactive list Understanding Passive OS Fingerprinting Configuring OS IdentificationsPassive OS Fingerprinting Configuration Considerations IP Address Range Set Adding, Editing, Deleting, and Moving Configured OS MapsIOS UnixVerify the settings for the OS map Configuring OS MapsSpecify the host OS type Edit an existing OS map Enable passive OS fingerprintingVerify that you have moved the OS maps Move an OS map to the inactive listDisplaying and Clearing OS Identifications Sensorconfig-eve-os#no configured-os-map name2Delete an OS map Verify that the OS map has been deletedDisplaying and Clearing OS Identifications Configuring General SettingsVerify that the OS IDs have been cleared Sensor# clear os-identification learnedUnderstanding Event Action Aggregation Understanding Event Action SummarizationConfiguring Event Action General Settings Configuring the General SettingsEnable or disable the summarizer. The default is enabled Enter general submodeVerify the settings for general submode Configuring the Denied Attackers ListSensorconfig-eve-gen#global-filters-status enabled disabled Adding a Deny Attacker Entry to the Denied Attackers ListAdding Entries to the Denied Attacker List Monitoring and Clearing the Denied Attackers ListRemove the deny attacker entry from the list Enter yes to remove the deny attacker entry from the listDelete the denied attackers list Displaying and Deleting Denied AttackersDisplaying Events Monitoring EventsClear only the statistics Important to know if the list has been clearedTo display events from the Event Store, follow these steps Displaying EventsSensor# show events Display alerts from the past 45 seconds Sensor# show events error warning 100000 Feb 9Sensor# show events alert past Display events that began 30 seconds in the past Clearing Events from Event StoreEnter yes to clear the events Sensor# show events pastOL-29168-01 Anomaly Detection Notes and Caveats Configuring Anomaly DetectionUnderstanding Worms Understanding Anomaly DetectionAnomaly Detection Modes Anomaly Detection Zones Anomaly Detection Configuration Sequence Signature ID Subsignature ID Name Description Anomaly Detection SignaturesSignature ID Subsignature ID Name Description Enabling Anomaly Detection Enable anomaly detection operational modeWorking With Anomaly Detection Policies Exit analysis engine submodeDelete an anomaly detection policy Working With Anomaly Detection PoliciesSensor# copy anomaly-detection ad0 ad1 Reset an anomaly detection policy to factory settings Configuring Anomaly Detection Operational SettingsSensor# list anomaly-detection-configurations Verify that the anomaly detection instance has been deletedConfiguring Anomaly Detection Operational Settings Configuring the Internal ZoneSpecify the worm timeout Sensorconfig-ano-ign#source-ip-address-rangeConfiguring the Internal Zone Configuring the Internal ZoneEnable the internal zone Configure TCP protocol Configure UDP protocolConfigure the other protocols Configuring TCP Protocol for the Internal ZoneConfiguring Internal Zone TCP Protocol Enable TCP protocolThem and configure your own scanner values Enable the service for that portVerify the TCP configuration settings Set the scanner thresholdConfiguring UDP Protocol for the Internal Zone Enable UDP protocol Configuring the Internal Zone UDP ProtocolVerify the UDP configuration settings Associate a specific port with UDP protocolConfiguring Anomaly Detection Configuring the Internal Zone Configuring the Internal Zone Other Protocols Configuring Other Protocols for the Internal ZoneEnable the other protocols Associate a specific number for the other protocolsVerify the other configuration settings Configuring the Illegal Zone Configuring the Illegal ZoneConfiguring the Illegal Zone Understanding the Illegal ZoneEnable the illegal zone Configuring TCP Protocol for the Illegal ZoneSensorconfig-ano-ill#ip-address-range Configuring the Illegal Zone TCP Protocol Enabled true defaulted Sensorconfig-ano-ill-tcp# Configuring the Illegal Zone UDP Protocol Configuring UDP Protocol for the Illegal ZoneSensorconfig-ano-ill-udp-dst-yes# scanner-threshold Configuring the Illegal Zone Other Protocols Configuring Other Protocols for the Illegal ZoneVerify the other protocols configuration settings Configuring the External Zone Configuring the External ZoneUnderstanding the External Zone Configuring the External Zone Configuring TCP Protocol for the External ZoneEnable the external zone Configuring the External Zone TCP Protocol Sensorconfig-ano-ext-tcp# Configuring the External Zone UDP Protocol Configuring UDP Protocol for the External ZoneSensorconfig-ano-ext-udp-dst-yes# scanner-threshold Configuring Other Protocols for the External Zone To configure other protocols for a zone, follow these steps Configuring the External Zone Other ProtocolsKB and Histograms Configuring Learning Accept ModeExample Histogram Configuring Learning Accept Mode Configuring Learning Accept ModeSensorconfig-ano#learning-accept-mode manual Sensorconfig-ano#learning-accept-mode autoDisplaying KB Files Working With KB FilesDisplay the KB files for all virtual sensors Sensor# show ad-knowledge-base filesDisplay the KB files for a specific virtual sensor Saving and Loading KBs ManuallyManually Saving and Loading KBs Save the current KB file and store it as a new nameCopying, Renaming, and Erasing KBs Rename a KB file Copying, Renaming, and Removing KB FilesRemove a KB file from a specific virtual sensor Comparing Two KBs Displaying the Differences Between Two KBsTo compare two KBs, follow these steps Locate the file you want to compareDisplaying the Thresholds for a KB Sensor# show ad-knowledge-base vs1 files Virtual Sensor vs1 Displaying KB ThresholdsTo display anomaly detection statistics, follow these steps Displaying Anomaly Detection StatisticsSensor# show statistics anomaly-detection vs0 Display the statistics for all virtual sensors Disabling Anomaly DetectionDisable anomaly detection operational mode OL-29168-01 10-1 Global Correlation Notes and CaveatsParticipating in the SensorBase Network Understanding Global Correlation10-2 1shows how we use the data Understanding ReputationType of Data Purpose 10-310-4 Understanding Network Participation10-5 Understanding EfficacyUnderstanding Reputation and Risk Rating Global Correlation Features and Goals10-6 10-7 Global Correlation Requirements10-8 Understanding Global Correlation Sensor Health Metrics10-9 Global Correlation Update ClientSensorconfig-glo#global-correlation-inspection on Configuring Global CorrelationTurn on global correlation inspection Specify the level of global correlation inspectionTurn on reputation filtering Configuring Network ParticipationExit global correlation submode 10-11Turn on network participation Turning on Network ParticipationEnter yes to agree to participate in the SensorBase Network 10-12Disabling Global Correlation Troubleshooting Global Correlation10-13 Disabling Global Correlation Displaying Global Correlation Statistics10-14 10-15 Clear the statistics for global correlation10-16 Understanding External Product Interfaces External Product Interface Notes and Caveats11-1 11-2 Understanding the CSA MC11-3 External Product Interface IssuesAdding External Product Interfaces and Posture ACLs Configuring the CSA MC to Support the IPS Interface11-4 11-5 Adding External Product Interfaces11-6 Sensorconfig-ext-cis-hos#posture-acls insert name1 begin Sensorconfig-ext-cis-hos#allow-unreachable-postures yesEnter the network address the posture ACL will use Choose the action deny or permit the posture ACL will takeExit external product interface submode Troubleshooting External Product Interfaces11-8 12-1 IP Logging Notes and CaveatsUnderstanding IP Logging Configuring Automatic IP Logging12-2 12-3 Configuring Automatic IP LoggingMonitor the IP log status with the iplog-status command Configuring Manual IP Logging12-4 Sensor# iplog vs0 192.0.2.1 durationDisplaying the Contents of IP Logs Display a brief list of all IP logs Stopping Active IP LogsDisabling IP Logging Sessions Stop the IP log sessionStop all IP logging sessions on a virtual sensor Copying IP Log Files to Be ViewedCopying IP Log Files 12-712-8 Copy the IP log to your FTP or SCP server13-1 Packet Display And Capture Notes and CaveatsDisplaying Live Traffic on an Interface Understanding Packet Display and Capture13-2 13-3 Displaying Live Traffic From an InterfaceSensor# packet display GigabitEthernet0/1 Display information about the packet file Capturing Live Traffic on an Interface13-4 Expression ip proto \\tcpView the captured packet file Capturing Live Traffic on an Interface13-5 Sensor# packet capture GigabitEthernet0/1View any information about the packet file Copying the Packet File13-6 Erasing the Packet File View the packet file with Wireshark or TcpdumpErase the packet file Verify that you have erased the packet file13-8 14-1 Blocking Notes and Caveats14-2 Understanding Blocking14-3 Vlan BDestination IP Signature ID Signature Name Protocol Understanding Rate LimitingData IcmpBefore Configuring ARC Understanding Service Policies for Rate LimitingUDP TCP14-6 Supported Devices14-7 Configuring Blocking PropertiesSensorconfig# service network-access Enter network access submodeAllowing the Sensor to Block Itself 14-8Exit network access submode Configure the sensor not to block itselfDisabling Blocking 14-9To disable blocking or rate limiting, follow these steps Blocks on the devices are updatedEnable blocking on the sensor Verify that the setting has been returned to the default14-11 Specifying Maximum Block EntriesSensorconfig-net-gen#default block-max-entries Return to the default value of 250 blocksChange the maximum number of block entries 14-12Specifying the Block Time Time for manual blocks is set when you request the blockSignatures These steps14-14 Enabling ACL Logging14-15 Enabling Writing to NvramDisable writing to Nvram Logging All Blocking Events and ErrorsVerify that writing to Nvram is disabled 14-1614-17 Configuring the Maximum Number of Blocking InterfacesVerify the default setting Return the setting to the defaultSpecify the maximum number of interfaces Verify the number of maximum interfacesConfiguring Addresses Never to Be Blocked Configuring Addresses Never to BlockSensorconfig-net-gen#never-block-hosts For a networkSpecify the password for the user Configuring User ProfilesCreate the user profile name Enter the username for that user profileSpecify the enable password for the user Configuring Blocking and Rate Limiting DevicesHow the Sensor Manages Devices 14-2114-22 Configuring the Sensor to Manage Cisco RoutersSpecify the IP address for the router controlled by the ARC Routers and ACLs14-23 14-24 14-25 Switches and VACLs14-26 Sensorconfig-net-cat#communication telnet ssh-3desSpecify the Vlan number Configuring the Sensor to Manage Cisco FirewallsOptional Add the pre-VACL name Optional Add the post-VACL name14-28 Configuring the Sensor to be a Master Blocking SensorSensorconfig-web# exit Configuring the Master Blocking Sensor14-29 Enter password Sensorconfig# tls trusted-host ip-address 192.0.2.1 portAdd a master blocking sensor entry Specify whether or not the host uses TLS/SSLConfiguring Network Blocking Configuring Host BlockingBlocking a Host End the host blockBlocking a Network Configuring Connection BlockingEnd the network block 14-32Blocking a Connection Obtaining a List of Blocked Hosts and ConnectionsEnd the connection block Blocks are14-34 Understanding Snmp Snmp Notes and Caveats15-1 15-2 Configuring Snmp15-3 Configuring Snmp General ParametersExit notification submode Configuring Snmp Traps15-4 Enable Snmp traps Configuring Snmp TrapsSpecify whether you want detailed Snmp traps Enter the trap community stringSupported Mibs CISCO-ENHANCED-MEMPOOL-MIB CISCO-ENTITY-ALARM-MIBCISCO-CIDS-MIB 15-615-7 15-8 16-1 Displaying the Current Configuration16-2 First Review Cisco Confidential16-3 Displaying the Current Submode Configuration16-4 16-5 16-6 16-7 16-8 Sensorconfig# service health-monitor16-9 16-10 16-11 16-12 16-13 Severity warning defaulted protected entry zone-name csi16-14 16-15 Sensorconfig# service trusted-certificate16-16 Filtering the Current Configuration OutputTo filter the more command, follow these steps Filtering Using the More CommandPress Ctrl-Cto stop the output and return to the CLI prompt 16-17Filtering the Submode Output Filtering the Current Submode Configuration Output16-18 Displaying the Contents of a Logical File 16-20 Displaying the Logical File Contents16-21 16-22 Restoring the Current Configuration From a Backup File Backing Up the Current Configuration to a Remote Server16-23 Erasing the Configuration File Creating and Using a Backup Configuration File16-24 16-25 Press Enter to continue or enter no to stop16-26 17-1 Administrative Tasks for the SensorRecovering the Password Administrative Notes and CaveatsUnderstanding Password Recovery 17-2Using the Grub Menu Recovering the Password for the AppliancePlatform Description Recovery Method 17-3Using Rommon Recovering the Password for the ASA 5500-X IPS SSPEnter the following commands to reset the password Sample Rommon sessionPress Enter to confirm Enter your new password twiceSession to the ASA 5500-X IPS SSP 17-5Using the Asdm Recovering the Password for the ASA 5585-X IPS SSPAsa# hw-module module 1 password-reset 17-617-7 Session to the ASA 5585-X IPS SSPAsa# show module Disabling Password Recovery Using the CLI Disabling Password RecoveryDisabling Password Recovery Using the IDM or IME 17-8Troubleshooting Password Recovery Verifying the State of Password RecoverySensorconfig-hos#show settings include password Clearing the Sensor DatabasesEnter yes to clear the inspectors database Clearing the Sensor Database17-10 Over the past 60 minutes and over the past 72 hours Displaying the Inspection Load of the SensorShow the histogram of the inspection load 17-1117-12 17-13 Configuring Health Status InformationASA 5500-X IPS SSP and Memory Usage Configuring Health StatisticsPlatform Yellow Red Memory Used 17-1417-15 Set the threshold for memory usage Set the number of days since the last signature updateSet the missed packet threshold 17-16Exit health monitoring submode Showing Sensor Overall Health Status17-17 Create the banner login Creating a Banner LoginShow the health and security status of the sensor Enter your messageTerminating CLI Sessions Find the CLI ID number associated with the login sessionTo terminate a CLI session, follow these steps Terminate the CLI session of jsmithModifying Terminal Properties Configuring Events17-20 17-21 17-22 17-23 Clearing Events from the Event StoreDisplaying the System Clock Configuring the System Clock17-24 Sensor# show clock detailClearing the Denied Attackers List Manually Setting the System Clock17-25 17-26 17-27 Displaying Policy ListsDisplay the list of policies for event action rules Displaying StatisticsDisplay the list of policies for signature definition 17-2817-29 Administrative Tasks for the Sensor17-30 Sensor# show statistics authentication Display the statistics for authenticationDisplay the statistics for anomaly detection 17-31Display the statistics for the Event Store Display the statistics for the Event Server17-32 Sensor# show statistics event-server General17-33 Display the statistics for the hostShow statistics host Display the statistics for the ARC Display the statistics for the logging application17-34 Sensor# show statistics logger17-35 17-36 17-37 17-38 Display the statistics for the web serverStatistics web-server Sensor# show statistics logger clear 17-39Varlog Files Displaying Tech Support InformationDisplaying Tech Support Information 17-40View version information Displaying Version Information17-41 Sensor# show versionView configuration information Cancel the output and get back to the CLI prompt17-42 17-43 Diagnosing Network ConnectivityEnter yes to continue the reset Resetting the ApplianceFollowing example shows a successful ping Following example shows an unsuccessful pingStop all applications and power down the appliance Displaying Command HistoryEnter yes to continue with the reset and power down 17-4517-46 Displaying Hardware InventorySensor# show inventory PID IPS-4360-PWR-AC 17-47Display the route of IP packet you are interested Tracing the Route of an IP Packet17-48 InventoryShow the current configuration for ARC submode Displaying Submode SettingsSensor config# service network-access 17-4917-50 17-51 Show the ARC settings in terse mode17-52 18-1 Configuring the ASA 5500-X IPS SSP18-2 Configuration Sequence for the ASA 5500-X IPS SSPObtain the details about the ASA 5500-X IPS Ssps Verifying Initialization for the ASA 5500-X IPS SSPConfirm the information 18-3ASA 5500-X IPS SSP and Virtualization Creating Virtual Sensors for the ASA 5500-X IPS SSPCreating Virtual Sensors 18-418-5 Creating Virtual Sensors18-6 Sensorconfig-ana-vir#physical-interface PortChannel0/018-7 Assigning Virtual Sensors to ContextsAsa# show ips Add three context modes to multiple mode Enter multiple modeAssign virtual sensors to the security contexts 18-8Configure MPF for each context ASA 5500-X IPS SSP and Bypass ModeConfirm the configuration SensorApp FailsASA 5500-X IPS SSP and the Normalizer Engine SensorApp is Reconfigured18-10 ASA 5500-X IPS SSP and Memory Usage ASA 5500-X IPS SSP and Jumbo Packets18-11 18-12 Health and Status Information18-13 Asa-ips#debug module-boot18-14 Early reservations == bootmem 000000000018-15 18-16 18-17 18-18 IRQ 18-19Single ASA in Fail-Close Mode Single ASA in Fail-Open ModeTwo ASAs in Fail-Open Mode ASA 5500-X IPS SSP Failover ScenariosTwo ASAs in Fail-Close Mode New and Modified CommandsConfiguration Examples 18-21Firewall Mode Security Context Multiple Command Mode Routed DefaultsAllocate-ips Single Context SystemRelated Commands Description Command History Release ModificationExamples 18-2318-24 19-1 ASA 5585-XIPS SSP Notes and Caveats19-2 Configuration Sequence for the ASA 5585-X IPS SSPObtain the details about the ASA 5585-X IPS SSP Verifying Initialization for the ASA 5585-X IPS SSP19-3 Asa# show module 1 detailsASA 5585-X IPS SSP and Virtualization Creating Virtual Sensors for the ASA 5585-X IPS SSP19-4 19-5 ASA 5585-X IPS SSP Virtual Sensor Configuration SequenceExample, rules1 Command, for example sig1Virtual sensor that you create 19-619-7 Asaconfig-ctx# Config-url disk0/c2.cfg Asaconfig-ctx#19-8 19-9 ASA 5585-X IPS SSP and the Normalizer Engine ASA 5585-X IPS SSP and Bypass Mode19-10 19-11 ASA 5585-X IPS SSP and Jumbo Packets19-12 Ips-ssp#hardware-module module 1 recover configure19-13 Asa# hw-module module 1 resetModule 1 details 19-14 Ips-ssp#hw-module module 1 recover configureAsaconfig# debug module-boot Traffic Flow Stopped on IPS Switchports19-15 19-16 Failover Scenarios19-17 19-18 Obtaining Cisco IPS Software IPS 7.2 File List20-1 IPS Software Versioning Enter your username and passwordDownloading Cisco IPS Software 20-2Minor Update Major UpdateService Pack Patch ReleaseSignature Engine Update Signature Update20-4 20-5 Recovery and System Image Files20-6 IPS Software Release Examples20-7 Accessing IPS Documentation20-8 Cisco Security Intelligence Operations21-1 Upgrade Notes and Caveats21-2 Upgrades, Downgrades, and System ImagesUpgrading the Sensor Supported FTP and HTTP/HTTPS ServersIPS 7.21E4 Files 21-3Manually Upgrading the Sensor Upgrade Notes and Caveats21-4 Enter the password when prompted Upgrade the sensorSensorconfig# upgrade url/IPS-SSP10-K9-7.2-1-E4.pkg Upgrading the Sensor21-6 Working With Upgrade Files21-7 Upgrading the Recovery PartitionConfiguring Automatic Updates Configuring Automatic UpgradesEnter the server password. The upgrade process begins 21-821-9 21-10 Configuring Automatic UpgradesSpecify the password of the user Specify the username for authenticationExit automatic upgrade submode 21-11Sensor# autoupdatenow Applying an Immediate Update21-12 Sensor# show statistics hostDowngrading the Sensor Recovering the Application Partition21-13 Recovering the Application Partition Image Installing System ImagesRecover the application partition image Sensorconfig# recover application-partitionTftp Servers Connecting an Appliance to a Terminal Server21-15 21-16 Installing the System Image for the IPS 4345 and IPSPCI 21-17If necessary, assign the gateway IP address Assign the Tftp server IP address21-18 Rommon ping serverRommon Installing the System Image for the IPS 4510 and IPS21-19 21-20 21-21 If necessary, assign the Tftp server IP addressPeriodically check the recovery until it is complete Installing the System Image for the ASA 5500-X IPS SSPImage the ASA 5500-X IPS SSP 21-2221-23 Installing the System Image for the ASA 5585-X IPS SSP21-24 To enable debugging of the software installation process Specify the default gateway of the ASA 5585-X IPS SSPAsa# hw-module module 1 recover boot Leave the Vlan ID at21-26 Installing the ASA 5585-X IPS SSP System Image Using RommonRommon #0 set 21-2721-28 21-29 21-30 IPS System Design Understanding the IPS System ArchitectureFigure A-1illustrates the system design for IPS software Figure A-2 System Design for IPS 4500 Series Sensors System ApplicationsAppendix a System Architecture System Applications For detailed information about SDEE, see SDEE, page A-33 Security FeaturesUnderstanding the MainApp MainAppMainApp Responsibilities ARCUnderstanding the Event Store Event StoreTable A-1shows some examples Event Data StructuresStamp Value Meaning IPS Events NotificationAppVlan PEP CtlTransSourceFigure A-3 Attack Response ControllerFigure A-4illustrates the ARC Understanding the ARCARC Features Supported Blocking Devices Maintaining State Across Restarts ACLs and VACLsFwsm Scenario Connection-Based and Unconditional BlockingTo unblock an IP address Blocking with Cisco FirewallsTo clear all blocks No shun ipLogger Blocking with Catalyst SwitchesUnderstanding the AuthenticationApp AuthenticationAppAuthenticating Users Configuring Authentication on the SensorManaging TLS and SSH Trust Relationships Web Server SensorAppUnderstanding the SensorApp Inline, Normalization, and Event Risk Rating Features Packet Flow SensorApp New FeaturesSignature Event Action Processor CollaborationApp Update Components Error Events SwitchAppUser Roles CLICommunications Service AccountIdapi Idconf Cidee Cisco IPS File StructureSummary of Cisco IPS Applications Using the IdapiApplication Description CLIJava applet that provides an Html IPS management interface IDMIME EventsUnderstanding Signature Engines Signature EnginesAppendix B Signature Engines Understanding Signature Engines Appendix B Signature Engines Understanding Signature Engines General Parameters Master EngineParameter Description Value Signature-id Specifies the ID of this signatureSig-name Promiscuous Delta Obsoletes Alert FrequencyVulnerable OS List Event Actions Name Description \NNN AIC EngineTo Match Regular Expression AIC Engine and Sensor Performance Understanding the AIC EngineAIC Engine Parameters Parameter Description Alarm-on-non-http-trafficTable B-6 AIC FTP Engine Parameters Atomic ARP Engine Atomic EngineAtomic IP Advanced Engine Atomic IP Advanced Engine Restrictions IsatapString IPv6 Parameter Description Value OL-29168-01 IPV4 L4 Protocol ICMPv6 Icmp IDL4 Protocol TCP and UDP OL-29168-01 Atomic IP Engine Parameter Description Value Appendix B Signature Engines OL-29168-01 Atomic IPv6 Signatures Atomic IPv6 EngineFixed Engine Table B-11 Fixed TCP Engine Parameters Flood Engine Protocol Specifies which kind of traffic to inspect Meta EngineFlood Net Engine Parameters Name1 Component-list Specifies the Meta engine componentMulti String Engine Normalizer Engine TCP Normalization IP Fragmentation NormalizationIPv6 Fragments ASA IPS Modules and the Normalizer Engine Service Engines Service DNS Engine Understanding the Service EnginesService FTP Engine Service Generic Engine Table B-20 Service Generic Engine Parameters Service H225 Engine Setup SetupASN.1-PER TpktService Http Engine Crlfcrlf Service Ident Engine Service Msrpc Engine Smbcomtransaction Service Mssql Engine Service NTP Engine Service RPC Engine Service P2P EngineParameter Description Value Service SMB Advanced Engine Msrpc Uuid Service Snmp Engine Specify-object-id-Enables Service SSH EngineService TNS Engine State Engine Table B-32lists the parameters specific to the State engine String Engines Table B-33 String Icmp Engine Parameters Table B-35 String UDP Engine String XL Engines Parameter Description Value Unsupported String XL Parameters Sweep Engine Sweep EnginesData Nodes Type Sweep Other TCP Engine Sweep Other TCP Engine Parameters Traffic Anomaly EngineSignature Traffic Icmp Engine Trojan Engines Bug Toolkit TroubleshootingUnderstanding Preventive Maintenance Preventive MaintenanceCreating and Using a Backup Configuration File Sensor# copy current-config backup-config Backing Up the Current Configuration to a Remote Server Creating the Service Account Disaster Recovery Password Recovery ASA 5500 series adaptive Adaptive security appliance CLI Security appliance IPS modules CommandUsing Rommon Password-Reset issued for module ips Recovering the Password for the ASA 5585-X IPS SSP 0123 21E4 Disabling Password Recovery Verifying the State of Password Recovery Time Sources and the Sensor For the procedure for configuring NTP, see Configuring NTP,Synchronizing IPS Clocks with Parent Device Clocks Generate the host statistics Verifying the Sensor is Synchronized with the NTP ServerGenerate the hosts statistics again after a few minutes Advantages and Restrictions of Virtualization TFor More Information To learn more about Worms, see Understanding Worms, When to Disable Anomaly DetectionCommand output Reboot the sensorAnalysis Engine Not Responding Enter show tech-support and save the outputExternal Product Interfaces Issues External Product Interfaces Troubleshooting Tips Troubleshooting the ApplianceTroubleshooting Loose Connections Analysis Engine is Busy Communication ProblemsCannot Access the Sensor CLI Through Telnet or SSH More Sensor# show configuration include access-list Correcting a Misconfigured Access ListMake sure the sensor cabling is correct Duplicate IP Address Shuts Interface DownSensorApp is Not Running SensorApp and AlertingMake sure the IP address is correct AnalysisEngine 20130410110072014 Release Physical Connectivity, SPAN, or Vacl Port Issue Sensor# show interfaces Unable to See AlertsCheck for alerts Make sure you have Produce Alert configuredSensor# show interfaces FastEthernet0/1 Sensor Not Seeing Packets Sensorconfig-int#physical-interfaces GigabitEthernet0/1Sensor# show interfaces GigabitEthernet0/1 Exit the service account Log in to the sensor CLI Cleaning Up a Corrupted SensorApp ConfigurationCheck to see that the interface is up and receiving packets Replace the virtual sensor fileStart the IPS services Troubleshooting BlockingBlocking Sensor# cids startVerifying the ARC is Running Make sure you have the latest software updates If the ARC is not connecting, look for recurring errorsSensor# show events error hhmmss month day year include nac Sensor# show events error 000000 Apr 01 2011 include nacFor More Information Verify the IP address for the managed devices Device Access IssuesStart the manual block of the bogus host IP address Sensorname Sensor Management Time-Based Actions Host BlocksBlocking Not Occurring for a Signature Enabling SSH Connections to the Network DeviceVerifying the Master Blocking Sensor Configuration Exit network access general submode Logging Enable debug logging for all zonesEnabling Debug Logging Exit master zone control Turn on individual zone controlView the zone names Protected entry zone-name nac Exit the logger submode Turn on debugging for a particular zonePress Enter to apply changes or type no to discard them Zone NamesTable C-2lists the debug logger zone names Zone Name DescriptionDirecting cidLog Messages to SysLog TCP Reset Not Occurring for a Signature Upgrading Error Software UpgradesMake sure the correct alarms are being generated Sensor# show events alertIssues With Automatic Update Which Updates to Apply and Their PrerequisitesUpdating a Sensor with the Update Stored on the Sensor Cannot Launch the IDM Loading Java Applet Failed Troubleshooting the IDMClick the Advanced tab Delete the temp files and clear the history in the browser Cannot Launch the IDM-The Analysis Engine BusySignatures Not Producing Alerts Troubleshooting the IMENot Supported Error Message Troubleshooting the ASA 5500-X IPS SSPTime Synchronization on IME and the Sensor Health and Status Information E1000 00000005.0 PCI INT a disabled 303 Appendix C Troubleshooting Usb CRS IRQ Failover Scenerios ASA 5500-X IPS SSP and the Normalizer Engine ASA 5500-X IPS SSP and Jumbo Packets ASA 5500-X IPS SSP and Memory UsageHw-module module 1 reset command Troubleshooting the ASA 5585-X IPS SSPReset issued for module in slot Asa# show Mgmt IP addr 192.0.2.3 Failover Scenarios ASA 5585-X IPS SSP and the Normalizer Engine Traffic Flow Stopped on IPS SwitchportsASA 5585-X IPS SSP and Jumbo Packets Gathering InformationTech Support Information Health and Network Security InformationDisplaying Tech Support Information Understanding the show tech-support CommandSensor# show tech-support page System Status Report Tech Support Command Output= No Version Information Understanding the show version CommandDisplaying Version Information Version 29.1 Platform IPS4360 Serial Number Service aaa Statistics Information Understanding the show statistics CommandDisplaying Statistics Percentage Thread Sec Min Average Inspection Stats Inspector Active Call Create Delete Display the statistics for anomaly detection Sensor# show statistics event-server Sensor# show statistics denied-attackersSensor# show statistics event-store Threat Multicast MTU1500 Metric1 Appendix C Troubleshooting Gathering Information Display the statistics for the notification application Name Current OL-29168-01 Sensor# show statistics web-server listener-443 Interfaces Information Understanding the show interfaces CommandDisplaying Interface Traffic History Interfaces Command OutputAvg Load Peak Load GigabitEthernet0/1 Time Packets Received Bytes Received Mbps Events Information Sensor Events Understanding the show events CommandDisplaying Events Displaying Events 100 Clearing Events CidDump Script101 Enter the following command Uploading and Accessing Files on the Cisco FTP Site102 Usr/cids/idsRoot/bin/cidDumpReason Command CLI Error MessagesURI Error Message Reason Command Packet-file but no packet-file has System that has not been upgradedBeen captured User attempted to downgrade aOperator or viewer user attempted to Initial login User attempted to cancel a CLILog in when the maximum number Administrator user attempted to log Initial loginAppendix D CLI Error Messages Reason/Location CLI Validation Error MessagesInterface and optional sub-interface being Detection configuration file that is currently in useAdded to the virtual sensor entry physical Interface set has already been assigned to anotherOL-29168-01 GL-1 GL-2 To detect worm-infected hostsGL-3 Authoritative private key Certificate for one CA issued by another CAGL-4 GL-5 GL-6 A public outside network Dual In-line Memory ModulesTo the transmit line and reads data from the receive line 802.1q to be usedGL-8 An ITU standard that governs H.245 endpoint control Procedures, and basic data transport methodsGL-9 GL-10 GL-11 GL-12 Detailed information about signatures Proprietary branchesGL-13 GL-14 GL-15 GL-16 Quality and service availabilityGL-17 Unauthorized activity Network devices. Used with the IDS MCAnalysis Engine GL-18GL-19 GL-20 Network asset through its IP address Authorization, and accountingLocal system. Telnet is defined in RFC GL-21GL-22 RFC Through a switch. Also known as security ACLsVersion identifier. Part of the UDI GL-23GL-24 Hosts Payload reassemblyGL-25 GL-26 AIC Http AIC FTPIN-1 IN-2 TACACS+ NATARP IN-3SSP AsdmIN-4 IN-5 RadiusURL Cidee BO2KIN-6 IN-7 ExecIN-8 IN-9 IN-10 IN-11 CSA MCIN-12 TFNIN-13 AIC FTP AIC HttpIN-14 IN-15 Idconf IdapiIN-16 ASA 5500-X IPS SSP ASA 5585-X IPS SSP IdiomIN-17 IN-18 TcpdumpIN-19 IPS SSPLoki SSHIN-20 IN-21 SnmpIN-22 IN-23 IN-24 Sdee RTTHttp A-33 IN-25IN-26 IN-27 IN-28 AICSmtp Cidee Idconf Idiom SdeeIN-29 IN-30 TFN2K TACTLS IN-31IN-32 BO2K Loki TFN2KSensor initialization Sensor setup Version display Upgrade commandSensing process not running Viewer role privilegesIN-34