Cisco SystemsメーカーIPS4510K9の使用説明書/サービス説明書
ページ先へ移動 of 854
Americas Headquarters Cisco System s, Inc . 170 West Tasm an Drive San Jos e, CA 95 134-1706 USA http://www .cisco .com Tel: 408 526-4000 800 553- NETS ( 6387) Fax: 408 527-0883 Cisco Intrusion P re v ention S ystem Sensor CLI Configuration Guide f or IPS 7 .
THE SPECIFICATIONS AND INFORM ATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOU T NOTICE. ALL STATEMENT S, INFORMATI ON, AND RECOMMENDATI ONS IN TH IS MANUAL ARE BELIEVED TO BE ACCURATE BUT A RE PRESEN TED WITHOUT WARRANTY OF ANY KIND, EXPRES S OR IMPLIED.
iii Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 CONTENTS Content s xxiii Audienc e xxiii Organi zation i-xxiii Conv enti ons i-xxv Relate d Document.
Cont ents iv Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 System Con figurat ion Dial og 2-2 Basic Sen sor Setup 2-4 Advanced Setup 2-7 Advanced Setup f or.
Content s v Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Correc ting Time on the Sens or 3-36 Config uring Time on the Sen sor 3-36 Displa ying the S.
Cont ents vi Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Config uring Promiscu ous Mode 4-14 Underst andi ng Promisc uous Mode 4-14 Config uring Promiscu .
Content s vii Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Underst andi ng Polici es 7-1 Working With Si gnat ure Def initi on Poli cies 7-2 Underst .
Cont ents viii Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Example Meta Engine Si gnature 7-46 Example IPv6 Eng ine Signa ture 7-50 Exam ple String XL T C.
Content s ix Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Monitor ing Event s 8-38 Displa ying Ev ents 8-38 Cleari ng E vents f rom E vent St ore 8-4.
Cont ents x Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Displa ying KB Files 9-40 Saving and Loading KBs Manually 9-41 Copyin g, Renaming , and Erasi ng K.
Content s xi Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 CHAPTER 12 Configur ing I P Logg ing 12-1 IP Loggi ng Note s and Caveat s 12-1 Underst andi.
Cont ents xii Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Config uring the Sensor to Manage Cisco Route rs 14-22 Router s and ACLs 14-23 Config uring the .
Content s xiii Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Using th e GRUB Menu 17-3 Using ROMMON 17-4 Recover ing th e Password f or the ASA 5500 -.
Cont ents xiv Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 The ASA 5500- X IPS SSP and Virtua lizati on 18-4 Virtu al Sensor Co nfiguration Sequenc e for A.
Content s xv Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 CHAPTER 21 Upgrading , Downgrading, and Instal ling System Ima ges 21-1 Upgrade Notes and C aveats 21-1 Upgrade s, Do wngrades, and S ystem Images 21-2 Support ed FTP and HTTP/H TTPS Server s 21-3 Upgradi ng t he Sens or 21-3 IPS 7.
Cont ents xvi Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Notifi cation App A-9 CtlTr ansSou rce A-11 Attac k Resp onse Contro ller A-12 Underst andi ng t.
Content s xvii Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Summ ary o f Cis co IPS Appl icatio ns A-3 5 APPENDI X B Signatur e Engines B-1 Underst a.
Cont ents xviii Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Servic e SSH Engine B-58 Servic e TNS Engine B-59 State En gine B-60 Strin g Engin es B-62 Str.
Content s xix Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 When to D isable Anom aly D etec tion C-19 Analysi s Engine Not Respo nding C-20 Troubl es.
Cont ents xx Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Cannot La unch the IDM-Th e Analysi s Engin e Busy C-55 The IDM, Remote Manage r, or Sens ing Int.
Content s xxi Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 cidDump Sc ript C-101 Uploadi ng and Ac cessing F iles on th e Cisco FTP Site C-10 2 APPEN.
Cont ents xxii Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01.
-x xiii Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Preface Published: April 29, 2013, OL-2916 8-01 Contents This do cument d escribes how to c onfigure the sens or using the C isco IPS 7.
-xxi v Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter Organizat ion 5 “Configuring Interfaces” Describes how to configure promiscuous, inline , inl ine VLAN pa ir , and VLAN group interf aces . 6 “Configuring V irtual Sensors” Describes h ow to configure virtual s ensors.
-xxv Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter Convent ions Conven tions This document uses the followi ng con ventions: Note Means r eader ta ke no te . Ti p Means the following information will help you solve a pr oblem .
-xxvi Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter Obtaining Documenta tion and Subm itting a Service Re quest For a complete list of the Cisco ASA 55 00 series do cu mentation a nd whe re to find it, re fer to the following URL: http://www .
CH A P T E R ii-1 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 ii Logging In to the Sensor This chapter explains ho w to log in to the sensor .
ii-2 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter ii Logg ing In to the Sensor Logging I n to the Applianc e The servic e role does not have direct access to the CL I. Service ac count users are logge d directly into a bash shell.
ii-3 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter ii Logging In to the Sensor Connect ing an Applianc e to a Ter minal S erver ***LICENSE NOTICE*** There is no license key installed on the system. Please go to http://www.
ii-4 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter ii Logg ing In to the Sensor Logging In to the ASA 5500-X IPS SSP Cautio n If a connection is drop ped or termina ted by accident, you should reestablish the conn ection an d exit normally to prev e nt unautho rized acce ss to the applia nce.
ii-5 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter ii Logging In to the Sensor Logging In to the ASA 5585-X IPS SSP ***LICENSE NOTICE*** There is no license key installed on this IPS platform. The system will continue to operate with the currently installed signature set.
ii-6 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter ii Logg ing In to the Sensor Logging I n to the Sensor A summary of U.S. laws governing Cisco cryptographic products may be found at: http://www.cisco.
ii-7 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter ii Logging In to the Sensor Logging In to the Senso r ***LICENSE NOTICE*** There is no license key installed on the system. Please go to http://www.
ii-8 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter ii Logg ing In to the Sensor Logging I n to the Sensor.
CH A P T E R 1-1 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 1 Introducing the CLI Configuration Guide This cha pter introdu ces the IPS CLI configurat io.
1-2 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 1 Introduc ing the CLI Configuration Guide Sensor Configu ration Sequence For an alphabetical list of all IPS commands, refer to the Comm and Reference for Cisco Intrusion Pr evention Syste m 7.
1-3 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 1 Introd ucing the CLI Con figuration Guide User Roles For More Informatio n • For the proc edure for logging in to your sensor , see Chapter ii, “Logging In to the Sensor .
1-4 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 1 Introduc ing the CLI Configuration Guide User Roles Administrator This user role has the highest le vel of privil eges.
1-5 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 1 Introd ucing the CLI Con figuration Guide CLI Behavior Note For IPS 5.0 and later , you can no longe r remove the cisco a ccount. Y ou can disabl e it using th e no password cisco command , but you cannot remove it.
1-6 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 1 Introduc ing the CLI Configuration Guide Command L ine Editing Recall • T o recall th e comm ands ente red in a mo de, use th e Up Arrow or Down Arrow keys or press Ctrl-P or Ctrl-N .
1-7 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 1 Introd ucing the CLI Con figuration Guide Comman d Line Edit ing Spaceba r Enables you to se e more output on the te rminal screen. Press the Spacebar when you see the line ---More-- - on the s creen to displa y the next sc reen.
1-8 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 1 Introduc ing the CLI Configuration Guide IPS Command Mod es IPS Command Modes The Cisco IPS CLI ha s the follo wing comm and modes: • pri vileged EXEC—En tered w hen you log i n to the CLI interf ace.
1-9 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 1 Introd ucing the CLI Con figuration Guide Regular Expressi on Syntax The fol lo wing ex amples demons trate the spec ial characters : • a* matche s any number of occurr ences o f the letter a, includin g none.
1-10 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 1 Introduc ing the CLI Configuration Guide Generic CLI Command s T o create a re gular exp ressio.
1-11 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 1 Introd ucing the CLI Con figuration Guide CL I Keyword s CLI Keywords In ge nera l, use the no form o f a command to disable a feature or f unction.
1-12 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 1 Introduc ing the CLI Configuration Guide CLI Keywords.
CH A P T E R 2-1 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 2 Initializing the Sensor This chapter de scribes how to use the setup command to initialize .
2-2 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 2 Initializing the Sensor Underst anding Initializa tion Understandin g Initialization After you insta ll the sensor on your networ k, you mu st use the se tup command to initialize it so that you can comm unicate with it over the network.
2-3 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 2 Initializing t he Sensor System Conf igurati on Dialog Note Y ou only ne ed to set the date and time in the System Configuration Dialog if the syste m is an appliance and is NOT usin g NTP .
2-4 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 2 Initializing the Sensor Basic Sensor Setu p Local Date as YYYY-MM-DD[2013-03-06]: Local Time as HH:MM:SS[]: Participation in the SensorBase Network allows Cisco to collect aggregated statistics about traffic sent to your IPS.
2-5 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 2 Initializing t he Sensor Basic Senso r Setup Step 6 Ente r yes to modify the n etwork access list: a. If you want to de lete an entry , en ter the num ber of the e ntry and pre ss Ent er , or press Ente r to get to the Permit line.
2-6 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 2 Initializing the Sensor Basic Sensor Setu p g. Specify the mo nth you want su mmertim e settings to en d. V a lid entries are januar y , february , ma rch, april, ma y , june, ju ly , august, septemb er , october , november, and decembe r .
2-7 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 2 Initializing t he Sensor Advanced Setup exit summertime-option recurring offset 60 summertime-zo.
2-8 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 2 Initializing the Sensor Advance d Setup Advanced Setup for the A ppliance Note The curr ently sup ported Cisco IPS applianc es are the IPS 4 345, IPS 4360 , IPS 4510, an d IPS 4520.
2-9 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 2 Initializing t he Sensor Advanced Setup [1] Edit Interface Configuration [2] Edit Virtual Sensor Configuration [3] Display configuration Option: Step 8 Ente r 1 to edit the inte rface c onfiguration.
2-10 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 2 Initializing the Sensor Advance d Setup Note At this point, you can con f igur e another inter face, for exam ple, Giga bitEthernet 0/ 1, for inlin e VLAN pair .
2-11 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 2 Initializing t he Sensor Advanced Setup [1] GigabitEthernet0/3 [2] GigabitEthernet0/0 Inline Vl.
2-12 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 2 Initializing the Sensor Advance d Setup standard-time-zone-name UTC exit summertime-option disa.
2-13 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 2 Initializing t he Sensor Advanced Setup Step 29 Reboot the appliance. sensor# reset Warning: Executing this command will stop all applications and reboot the node.
2-14 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 2 Initializing the Sensor Advance d Setup Step 8 Ente r 1 to edit the inte rface c onfiguration. Note Y ou do not ne ed to configure interfaces on the ASA 5500-X IPS SSP .
2-15 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 2 Initializing t he Sensor Advanced Setup Step 16 Ente r 1 to use the existing anomaly- detect ion conf igurati on, ad0.
2-16 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 2 Initializing the Sensor Advance d Setup ftp-timeout 300 no login-banner-text exit time-zone-set.
2-17 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 2 Initializing t he Sensor Advanced Setup For More Informatio n For the procedure for obtaining the most recent IPS software, see O btaining Cisco IPS Software, page 20-1 .
2-18 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 2 Initializing the Sensor Advance d Setup [2] Edit Virtual Sensor Configuration [3] Display configuration Option: Step 10 Ente r 2 to edit the virtual sensor configuration.
2-19 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 2 Initializing t he Sensor Advanced Setup Step 19 Ente r 1 to use the existi ng e vent actio n rules conf iguration, rules0. Note If PortChan nel 0/0 has no t been assig ned to vs0, y ou are prom pted to assign it to the new virtual sensor .
2-20 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 2 Initializing the Sensor Veri fyin g Init iali zati on virtual-sensor newVs description New Sens.
2-21 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 2 Initializing t he Sensor Verifying Initialization T o verify that you initialized your sensor , f ollo w these steps: Step 1 Log in to the sensor .
2-22 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 2 Initializing the Sensor Veri fyin g Init iali zati on service trusted-certificates exit ! -----.
CH A P T E R 3-1 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 3 Setting Up th e Sensor This chap ter cont ains procedur es for the s etting up the senso r .
3-2 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chap ter 3 Se tting U p the Sensor Underst anding Sensor Set up • Y ou ca nnot use the privilege comma nd to give a user servic e privileges.
3-3 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 3 Setting U p the Sensor Changing Network Settings Changing the Hostn ame Note The CLI prom pt of the current session a nd other ex isting sessions will not be updated with the new hostname.
3-4 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chap ter 3 Se tting U p the Sensor Changing Ne twork Settings ftp-timeout: 300 seconds <defaulted> login-banner-text: <defaulted> ----------------------------------------------- sensor(config-hos-net)# Step 7 Exit ne twork settings m ode.
3-5 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 3 Setting U p the Sensor Changing Network Settings ftp-timeout: 300 seconds <defaulted> logi.
3-6 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chap ter 3 Se tting U p the Sensor Changing Ne twork Settings Step 4 V erify that T elnet is enabled. sensor(config-hos-net)# show settings network-settings ----------------------------------------------- host-ip: 192.
3-7 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 3 Setting U p the Sensor Changing Network Settings T o modify the access list, follo w these steps: Step 1 Log in to the se nsor using an acc o unt with administrator pri vileges.
3-8 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chap ter 3 Se tting U p the Sensor Changing Ne twork Settings ----------------------------------------------- host-ip: 192.
3-9 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 3 Setting U p the Sensor Changing Network Settings -----------------------------------------------.
3-10 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chap ter 3 Se tting U p the Sensor Changing Ne twork Settings ----------------------------------------------- host-ip: 192.0.2.1/24,192.0.2.2 default: 192.168.
3-11 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 3 Setting U p the Sensor Changing Network Settings serv er and it must b e reacha ble for automati c update and glob al correlation u pdates to be successful.
3-12 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chap ter 3 Se tting U p the Sensor Changing Ne twork Settings ----------------------------------------------- host-ip: 10.89.147.24/25,10.89.147.126 default: 192.
3-13 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 3 Setting U p the Sensor Changing Network Settings Enabling S SHv1 Fallba ck Note The IPS supports managing bo th SSHv1 and SSHv2.
3-14 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chap ter 3 Se tting U p the Sensor Changing the CLI Session Timeout Changing the CLI Sessio n Timeout Use the c li-inactivity-timeout command in the service authentication submode to change the number of seconds that the CLI w aits before timing out.
3-15 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 3 Setting U p the Sensor Changi ng Web Se rver Se ttings Step 8 Press Enter to a pply the chan ges or enter no to di scard them. Changing Web Se rver Settings Note The de fault web ser ver port is 44 3 if TLS is enabled and 80 if TLS is disa bled.
3-16 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chap ter 3 Se tting U p the Sensor Changing Web Serv er Settings – TLS_DHE_ DSS_WITH_AES_ 256_CBC _SHA .
3-17 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 3 Setting U p the Sensor Changi ng Web Se rver Se ttings If you disable TL S, you receive this message : Warning: TLS protocol support has been disabled.
3-18 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chap ter 3 Se tting U p the Sensor Configuring A uthenticatio n and User Pa rameters Note If you c hange the port or e nable TLS se ttings, you must reset the se nsor to make th e web server uses the new settings.
3-19 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 3 Setting U p the Sensor Confi guring Authentic ation and User Pa ramet ers If you do not specify a pa ssword, the system prompts you for one . Use the password command to ch ange the password for existing users.
3-20 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chap ter 3 Se tting U p the Sensor Configuring A uthenticatio n and User Pa rameters Step 5 T o remo ve a us er , use the no form of t he co mmand .
3-21 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 3 Setting U p the Sensor Confi guring Authentic ation and User Pa ramet ers Y ou ca n also configure the sensor to use local authenticat ion (local fallback) if no RADIUS servers are responding.
3-22 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chap ter 3 Se tting U p the Sensor Configuring A uthenticatio n and User Pa rameters • pri mary- ser ver —Lets you conf igure th e main RADI US server : – server-address —IP addr ess of the RADIUS ser ver .
3-23 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 3 Setting U p the Sensor Confi guring Authentic ation and User Pa ramet ers Note Enablin g RADIUS authe ntication on the sensor does not disconnec t already establishe d connec tions.
3-24 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chap ter 3 Se tting U p the Sensor Configuring A uthenticatio n and User Pa rameters – ips-rol e=admini.
3-25 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 3 Setting U p the Sensor Confi guring Authentic ation and User Pa ramet ers b. Enter th e IP address o f the second RADIUS serv er . sensor(config-aaa-rad-sec)# server-address 10.
3-26 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chap ter 3 Se tting U p the Sensor Configuring A uthenticatio n and User Pa rameters Step 10 Exit AAA mo de.
3-27 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 3 Setting U p the Sensor Confi guring Authentic ation and User Pa ramet ers Statu s Event s As pa.
3-28 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chap ter 3 Se tting U p the Sensor Configuring A uthenticatio n and User Pa rameters Step 7 Exit a uthenti cation mo de. sensor(config-aut)# exit Apply Changes:?[yes]: Step 8 Press Enter to a pply the chan ges or enter no to di scard them.
3-29 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 3 Setting U p the Sensor Confi guring Authentic ation and User Pa ramet ers Step 4 Specify a pas sword when pro mpted. A valid password is 8 to 32 characters long.
3-30 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chap ter 3 Se tting U p the Sensor Configuring A uthenticatio n and User Pa rameters T o change the pass .
3-31 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 3 Setting U p the Sensor Confi guring Authentic ation and User Pa ramet ers Step 3 Change the p ri vile ge le vel fr om vie wer to oper ator .
3-32 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chap ter 3 Se tting U p the Sensor Configuring A uthenticatio n and User Pa rameters 9802 tester operator sensor# Step 4 T o unlock the account of jsmith, reset the password.
3-33 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 3 Setting U p the Sensor Confi guring Authentic ation and User Pa ramet ers Step 7 Set the nu mber of old passwor ds to rem ember fo r each a ccount.
3-34 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chap ter 3 Se tting U p the Sensor Configuring A uthenticatio n and User Pa rameters Note When you appl y.
3-35 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 3 Setting U p the Sensor Co nfiguring Time Step 5 Check yo ur ne w setting. The ac count of t he user jsm ith is no w unlocked as indicated by the lack of parenthesis.
3-36 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chap ter 3 Se tting U p the Sensor Configuring Ti me The ASA IPS Modul es • The ASA 5500-X IPS SSP and ASA 5 585-X IPS SSP auto matically synchronize their clocks with the cloc k in the adapti ve security ap pliance in which they are installe d.
3-37 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 3 Setting U p the Sensor Co nfiguring Time Displaying the System Clock Use the show clock [ detai l ] comm and to d isplay the system cl ock.
3-38 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chap ter 3 Se tting U p the Sensor Configuring Ti me Use the clock set hh:mm [:ss ] month d ay year command to manually set the cloc k on the app liance. Use this command if no o ther ti me sources are a vaila ble.
3-39 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 3 Setting U p the Sensor Co nfiguring Time d. Ent er the wee k of the month you wa nt to start summertime settings. The values are f irst through fifth, or last.
3-40 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chap ter 3 Se tting U p the Sensor Configuring Ti me offset: 60 minutes default: 60 summertime-zone-name:.
3-41 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 3 Setting U p the Sensor Co nfiguring Time c. V erify y our settings.
3-42 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chap ter 3 Se tting U p the Sensor Configuring Ti me sensor(config-hos)# exit Apply Changes:?[yes]: Step 11 Press Enter to a pply the chan ges or enter no to di scard them.
3-43 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 3 Setting U p the Sensor Co nfiguring Time Configuring a Cisco Router to be an NTP Server The sensor requires an au thenticated c onnection w ith an NTP server if it is going to use the NTP server as its time s ource.
3-44 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chap ter 3 Se tting U p the Sensor Configuring Ti me Step 6 Specify the NTP master stratum nu mber to be assi gned to the sensor . The NTP ma ster stratum numb er identif ies the relati ve positio n of the serv er in the NTP hierarch y .
3-45 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 3 Setting U p the Sensor Config uring SSH Step 5 Conf igure authentica ted NTP: a. Enter N TP configuration m ode. sensor(config-hos)# ntp-option enable b.
3-46 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chap ter 3 Se tting U p the Sensor Configuring SSH • Adding A uthorized RSA1 an d RSA2 Keys, page 3 -48.
3-47 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 3 Setting U p the Sensor Config uring SSH Cautio n When yo u use th e ssh host-key comm and, t he SSH s erv er at th e speci fied IP address is c ontacted to obtain the requir ed key o ver the network.
3-48 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chap ter 3 Se tting U p the Sensor Configuring SSH Step 7 Remov e an entry . The host is removed from the SSH kno wn hosts list. sensor(config)# no ssh host-key 10.
3-49 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 3 Setting U p the Sensor Config uring SSH T o add a ke y entry to t he SSHv1 or SSHv2 autho rized ke ys list for the curr ent user , follo w these steps: Step 1 Log in to the CLI.
3-50 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chap ter 3 Se tting U p the Sensor Configuring SSH Use the ssh g enera te-k ey command to change the SSH server host ke y .
3-51 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 3 Setting U p the Sensor Configuring TLS Configuring TLS This section describes TLS on the sens o.
3-52 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chap ter 3 Se tting U p the Sensor Configuring TL S The most con venient option is to permanently trust the i ssuer . However , be fore you a dd the issu er , use out-of-ba nd methods to examine the fingerprint of the certificate.
3-53 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 3 Setting U p the Sensor Configuring TLS Step 4 V erif y that the host was added. sensor(config)# exit sensor# show tls trusted-hosts 10.89.146.110 sensor# Step 5 V ie w the f i ngerprint for a specif ic host.
3-54 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chap ter 3 Se tting U p the Sensor Installing the Li cense Key For More Informatio n For the procedure for u pdating the trusted hosts lists on re mote sensors, se e Adding TL S T r usted Hosts, page 3-52 .
3-55 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 3 Setting U p the Sensor Installing the License Key Service Programs for IP S Products Y ou m ust.
3-56 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chap ter 3 Se tting U p the Sensor Installing the Li cense Key Use t he copy sour ce-url licen se_file_name l icense-k ey comm and to copy the license key to your se nsor .
3-57 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 3 Setting U p the Sensor Installing the License Key Step 5 Log in to the CLI using an acco unt with administrator privileges. Step 6 Copy the license key to the sensor .
3-58 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chap ter 3 Se tting U p the Sensor Installing the Li cense Key For More Informatio n • For more information about getting started using the ASA 5500 -X IPS SSP , refer to the Cisc o IPS Module on the ASA Q uick Start Guide .
3-59 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 3 Setting U p the Sensor Installing the License Key IPS-K9-7.
3-60 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chap ter 3 Se tting U p the Sensor Installing the Li cense Key.
CH A P T E R 4-1 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 4 Configuring Interfaces This ch apter de scribe s ho w to conf igure int erfac es on the sensor .
4-2 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 4 Confi gurin g Interf aces Underst anding Interf aces • The ASA IPS modules (ASA 5500-X IPS SSP a nd ASA 5585-X IPS SSP) do not support inline VLAN pair s.
4-3 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 4 Conf iguring Interfaces Understanding Interfaces • Alternate TCP rese t There ar e restrictions on w hich roles you ca n assign to specific interface s and some interfaces hav e multiple roles.
4-4 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 4 Confi gurin g Interf aces Underst anding Interf aces Sensing In terfaces Sensing inter faces are used by the sensor to analy ze traff ic for secu rity violations.
4-5 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 4 Conf iguring Interfaces Understanding Interfaces Note There is only one sensing interface on th e ASA I PS modules (ASA 5500-X IPS SSP and ASA 5585-X IPS SSP), so you cannot designa te an alternate TCP reset interface.
4-6 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 4 Confi gurin g Interf aces Underst anding Interf aces Cautio n Y ou ca n only assign a sensing inter face as an alte rnate TCP re set interface. Y ou cannot co nfigure the managem ent inte rfac e as a n altern ate TCP rese t interf ace.
4-7 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 4 Conf iguring Interfaces Understanding Interfaces IPS 4345 — GigabitEthernet 0/0 GigabitEtherne.
4-8 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 4 Confi gurin g Interf aces Underst anding Interf aces Interface Con figuration Restric tions The.
4-9 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 4 Conf iguring Interfaces Understanding Interfaces – For Gigabit (cop per or fiber) inter faces, if the spee d is configured for 1 000 Mbps, the only valid duplex setting is auto.
4-10 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 4 Confi gurin g Interf aces Underst anding Interf aces – Y ou ca n only configure interfaces that are capab le of TCP resets as a lternate TCP reset interface s.
4-11 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 4 Conf iguring Interfaces Confi guring Physica l Interfa ces For More Informatio n • For the proc edure f or configuring the physical interface sett ings, see Configuring Physical Interfa ces, page 4-11 .
4-12 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 4 Confi gurin g Interf aces Configuring Ph ysical Interf aces • duplex —Spe cifi es the duple x setting of the i nterface: – auto —Sets the interface to auto negotiate duplex.
4-13 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 4 Conf iguring Interfaces Confi guring Physica l Interfa ces Step 5 Enable the inte rface. Y ou must assigned the interf ace to a virtual sensor and e nable it before it can monitor traf fic.
4-14 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 4 Confi gurin g Interf aces Configuring Pro miscuous Mod e media-type: tx <protected> desc.
4-15 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 4 Conf iguring Interfaces Conf iguring Promi scuous Mode intend ed tar g et f or certa in type s of at tacks, s uch as atom ic attac ks (single -pack et att acks).
4-16 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 4 Confi gurin g Interf aces Configuring I nline Interface Mod e The following configuration uses on e SP AN session to send all of the traf f ic o n any of the specifie d VLANs to all of the specif ied ports.
4-17 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 4 Conf iguring Interfaces Configuring Inline Interface Mode Figure 4-2 illustrates inline interfa.
4-18 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 4 Confi gurin g Interf aces Configuring I nline Interface Mod e Step 3 V erif y that the subinterfa ce mode is “ none” f or both o f the physic al interfaces you are p airing in the inline interface.
4-19 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 4 Conf iguring Interfaces Configuring Inline Interface Mode sensor(config-int)# physical-interfac.
4-20 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 4 Confi gurin g Interf aces Configuring I nline Interface Mod e speed: auto <defaulted> de.
4-21 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 4 Conf iguring Interfaces Configuring Inline VLAN Pair M ode Configuring Inli ne VLAN Pair Mode This section de scribes inline VLAN pair mode and how to configure inline VLA N pairs.
4-22 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 4 Confi gurin g Interf aces Configuring Inl ine VLAN Pair Mode Configuring In line VLAN Pairs Use the phys ical-int erfaces interface_name command in the se rvice interf ace submode to conf igure inline VLAN pairs.
4-23 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 4 Conf iguring Interfaces Configuring Inline VLAN Pair M ode Configuring Inline VLAN Pairs T o configure the inline VLAN pair settin gs on the sensor , follow these steps: Step 1 Log in to the CLI using an acco unt with administrator privileges.
4-24 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 4 Confi gurin g Interf aces Configuring Inl ine VLAN Pair Mode description: <defaulted> ad.
4-25 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 4 Conf iguring Interfaces Configuring Inline VLAN Pair M ode bypass-mode: auto <defaulted> .
4-26 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 4 Confi gurin g Interf aces Configuring VL AN Group Mode ----------------------------------------------- sensor(config-int-phy-inl-sub)# Step 14 T o delete VLAN pairs: a.
4-27 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 4 Conf iguring Interfaces Configuri ng VLAN Group Mode Y ou c an divide each physical in terface or inlin e interface into VLA N group subinterfaces, e ach of which consists of a group of VLA Ns on that interface.
4-28 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 4 Confi gurin g Interf aces Configuring VL AN Group Mode In the seco nd va riatio n, the two ports are co nf igur ed as trunk por ts, so th ey can carry mult iple VLA Ns.
4-29 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 4 Conf iguring Interfaces Configuri ng VLAN Group Mode • subinterface name —D efines the subinterface as a VL AN group : – vlans {range | unassigned} —Specif ies the set of VLANs in the VLAN group.
4-30 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 4 Confi gurin g Interf aces Configuring VL AN Group Mode ---------------------------------------.
4-31 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 4 Conf iguring Interfaces Configuri ng VLAN Group Mode ------------------------------------------.
4-32 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 4 Confi gurin g Interf aces Configuring VL AN Group Mode b.
4-33 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 4 Conf iguring Interfaces Configuring Inline Bypass Mode Step 15 Delete V LAN grou ps: a.
4-34 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 4 Confi gurin g Interf aces Configuring I nline Bypass Mode Cautio n There a re security conse quences whe n you put the sensor in b ypass mode .
4-35 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 4 Conf iguring Interfaces Configuring Interface Notifications Step 4 V erify the settings.
4-36 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 4 Confi gurin g Interf aces Configuring CDP Mo de Step 3 Enter interface submode. sensor(config)# service interface Step 4 Enter inte rface no tifications submod e.
4-37 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 4 Conf iguring Interfaces Config uring CD P Mode User the cdp- mode comma nd in ser vice interface m ode to have the sensor either f orward or drop CD P packets.
4-38 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 4 Confi gurin g Interf aces Configuring CDP Mo de Use the show interfaces [ clear | br ief ] command in EXEC mode to disp lay statistics for all system interf aces.
4-39 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 4 Conf iguring Interfaces Config uring CD P Mode GigabitEthernet0/2 Disabled Down Unpaired N/A GigabitEthernet0/3 Disabled Down Unpaired N/A sensor# Step 4 Display the statistics for a specif ic interface.
4-40 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 4 Confi gurin g Interf aces Displa ying Interf ace Traffi c History Displaying I nterface Traf f.
4-41 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 4 Conf iguring Interfaces Displaying Interface Traffic History Displaying Historical Interface Statistics T o display interface traf fic history , follo w these steps: Step 1 Log in to the CLI.
4-42 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 4 Confi gurin g Interf aces Displa ying Interf ace Traffi c History 0 0 0 0 12:23:37 UTC Tue Mar.
CH A P T E R 5-1 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 5 Configuring Virtual Se nsors This chapter explains the function of the Analysis Engine and how to create, edit, and delete virt ual sensors. It also explains how to assign interfaces to a virtual sensor .
5-2 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chap ter 5 Conf iguri ng Virt ual Sen sors Underst anding the Ana lysis Engine Understandin g the Analysis En gine The Ana lysis Engine pe rforms pa cket analysis and a ler t detection.
5-3 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 5 Config urin g Vi rt ual Sens ors Inli ne TCP Sessi on Tracki ng Mode V irtualization has the follo wing restrictions: • Y ou must assign both sides of asym metric traf fic to t he same virtual sensor .
5-4 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chap ter 5 Conf iguri ng Virt ual Sen sors Normalizatio n and Inline TCP Evasio n Protection Mode • V irtual Sensor— All packets with the sa me session key (AaBb) within a virtual sensor belong to th e same session.
5-5 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 5 Config urin g Vi rt ual Sens ors Adding, E diting, and Deleting Virtual Sensors Adding Virtual S ensors Use the virtual-sensor name command in servic e analy sis engine submode to create a virtual senso r .
5-6 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chap ter 5 Conf iguri ng Virt ual Sen sors Adding, Edi ting, and Dele ting Virtual Sens ors Note For the ASA IPS modules (ASA 550 0-X IPS SSP and ASA 5585-X IPS SSP), normalization is perf ormed by the adapti ve security applia nc e and not the IPS.
5-7 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 5 Config urin g Vi rt ual Sens ors Adding, E diting, and Deleting Virtual Sensors Step 6 Assign an eve nt action rules policy to this v irtual sensor .
5-8 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chap ter 5 Conf iguri ng Virt ual Sen sors Adding, Edi ting, and Dele ting Virtual Sens ors event-action-r.
5-9 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 5 Config urin g Vi rt ual Sens ors Adding, E diting, and Deleting Virtual Sensors Edit ing and Del.
5-10 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chap ter 5 Conf iguri ng Virt ual Sen sors Adding, Edi ting, and Dele ting Virtual Sens ors Step 8 Change the inline TCP session tracking mo de. The de fau lt is virtual sensor mode, which is almost al ways the best option to cho ose.
5-11 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 5 Config urin g Vi rt ual Sens ors Adding, E diting, and Deleting Virtual Sensors Step 15 V erif y the delete d virtual se nsor . Only the default virtual sensor, vs0, is pr esent.
5-12 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chap ter 5 Conf iguri ng Virt ual Sen sors Configuring G lobal Variables Configuring Globa l Variables Us.
5-13 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 5 Config urin g Vi rt ual Sens ors Configuring Global Variables sensor(config-ana)# Step 5 Create the v ariable for servic e acti vity .
5-14 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chap ter 5 Conf iguri ng Virt ual Sen sors Configuring G lobal Variables.
CH A P T E R 7-1 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 7 Defining Signatures This chap ter de scribe s ho w to def ine and create sig natures.
7-2 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 7 Defining Signatur es Working With Si gnature De finition Policies Working With Signature Definition Policies Use the service signatu re-definitio n name co mmand in se rvice si gnatur e defi n ition mode to create a signature def inition policy .
7-3 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 7 Defi ning Signatures Understa nding Si gnatures sensor# Note Y ou cannot delete the default signature def inition policy , sig0. Step 7 Confirm the signature def inition policy has been deleted.
7-4 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 7 Defining Signatur es Configuring Signa ture Variab les The Cisco IPS contains o ver 10,000 b uilt-in default sign atures.
7-5 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 7 Defi ning Signatures Confi guring Signature Variab les Addi ng, Edi ting, and Delet ing Si gnatu.
7-6 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 7 Defining Signatur es Configuring Signa tures Configuri ng Signatures This section describes how .
7-7 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 7 Defi ning Signatures Config uring Signatu res • vulnerable-os —Specifies the list of OS types that ar e vulnerable to this attack signature.
7-8 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 7 Defining Signatur es Configuring Signa tures • specify-global-summary-thr eshold {yes | no } .
7-9 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 7 Defi ning Signatures Config uring Signatu res Step 7 Press Enter to a pply the chan ges or enter no to di scard them.
7-10 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 7 Defining Signatur es Configuring Signa tures engine -------------------------------------------.
7-11 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 7 Defi ning Signatures Config uring Signatu res Step 4 Enter e vent counter submod e. sensor(config-sig-sig)# event-counter Step 5 Specify ho w man y times an e ve nt must occur before an aler t is generat ed.
7-12 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 7 Defining Signatur es Configuring Signa tures Configuring S ignature Fide lity Rating Use t he sig-f ideli ty-r atin g command in signatur e definition submode to configure the signatur e fidelity rati ng for a signa ture.
7-13 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 7 Defi ning Signatures Config uring Signatu res Configuring th e Status of Sig natures Use the status comm and in signature definition submo de to spe cify the status of a specific signa ture.
7-14 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 7 Defining Signatur es Configuring Signa tures Configuring th e Vulnerable OSes for a Sign ature Use the vulnerable-os command in sign ature definition submod e to configure the list of vulnerable OSes for a si gnature.
7-15 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 7 Defi ning Signatures Config uring Signatu res sig-string-info: My Sig Info <defaulted> si.
7-16 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 7 Defining Signatur es Configuring Signa tures – reque st-rate-limit —Sends a rate limit request to th e ARC to perform rate limiti ng.
7-17 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 7 Defi ning Signatures Config uring Signatu res percentage ----------------------------------------------- external-rate-limit-percentage: 50 default: 100 ----------------------------------------------- Step 9 Exit ev ent action subm ode.
7-18 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 7 Defining Signatur es Configuring Signa tures AIC has the fo llo wing categor ies of si gnatur e.
7-19 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 7 Defi ning Signatures Config uring Signatu res The following options ap ply: • ftp-enable {true | false} —Enables protect ion for FTP services.
7-20 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 7 Defining Signatur es Configuring Signa tures ----------------------------------------------- ftp-enable: true default: false ----------------------------------------------- sensor(config-sig-app)# Step 6 Exit signature def i nition submode.
7-21 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 7 Defi ning Signatures Config uring Signatu res For More Informatio n For the proc edure f or enabling signatures, se e Configuring the Status of Signatures, page 7-1 3.
7-22 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 7 Defining Signatur es Configuring Signa tures 12627 0 12627 1 12627 2 Content T y pe imag e/x-po.
7-23 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 7 Defi ning Signatures Config uring Signatu res 12646 0 12646 1 12646 2 Content T ype text/xml He.
7-24 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 7 Defining Signatur es Configuring Signa tures For More Informatio n • For the proc edure f or enabling signatures, se e Configuring the Status of Signatures, page 7-1 3.
7-25 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 7 Defi ning Signatures Config uring Signatu res For More Informatio n For the proc edure f or enabling signatures, se e Configuring the Status of Signatures, page 7-1 3.
7-26 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 7 Defining Signatur es Configuring Signa tures For More Informatio n For the proc edure f or enabling signatures, se e Configuring the Status of Signatures, page 7-1 3.
7-27 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 7 Defi ning Signatures Config uring Signatu res – modify -packet- inline — Modifies pa cket data to remove a mbiguity about wh at the end point might do with th e packet.
7-28 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 7 Defining Signatur es Configuring Signa tures Step 8 Press Enter to a pply the chan ges or enter no to di scard them.
7-29 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 7 Defi ning Signatures Config uring Signatu res For More Informatio n For more information about the Normalizer engine, see Norm alizer E ngine, pa ge B-36 .
7-30 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 7 Defining Signatur es Configuring Signa tures Configuring IP Fragment Reassembly Parameters T o .
7-31 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 7 Defi ning Signatures Config uring Signatu res – solaris —Specifies the Solaris systems. – linux —Specif ies the GNU/Linu x systems. – bsd —Specifies the BSD UNIX systems.
7-32 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 7 Defining Signatur es Configuring Signa tures sensor from crea ting alerts wher e a v alid TCP session has not been e stablished.
7-33 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 7 Defi ning Signatures Config uring Signatu res 1306 0 T CP O ption Other Fires when a TCP option in the range of TCP Option Num ber is seen. All 13 06 signatur es f ire an alert and do not fun ction in promisc uous mode .
7-34 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 7 Defining Signatur es Configuring Signa tures 1309 TCP R eserv ed Flags Set Fires when the reserved bits (including bits used f or ECN ) are se t on the TCP he ader .
7-35 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 7 Defi ning Signatures Config uring Signatu res 1330 7 TC P Drop - Ba d W inScale Option Va l u e Fires when a TC P packet has a bad win do w scal e va lue.
7-36 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 7 Defining Signatur es Configuring Signa tures For More Informatio n For more information about the Normalizer engine, see Norm alizer E ngine, page B-36 .
7-37 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 7 Defi ning Signatures Config uring Signatu res sensor# configure terminal sensor(config)# service signature-definition sig1 Step 3 Specify the TCP stream reassembly sig nature ID and subsign ature ID.
7-38 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 7 Defining Signatur es Configuring Signa tures The following options ap ply: • tcp-3-way-handshake-re quired [true | false] —Specifies that the sensor sho uld only track session s for which the 3-way handshake is completed.
7-39 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 7 Defi ning Signatures Config uring Signatu res Configurin g IP Loggin g Y ou ca n configure a sen sor to genera te an IP sessi on log wh en the sensor de tects an attack .
7-40 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 7 Defining Signatur es Creating Custom Signatures sensor(config-sig-ip)# Step 5 Exit signature def i nition submode.
7-41 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 7 Defi ning Signatures Creating C ustom Si gnatu res Example String TCP En gine Signatu re The String engine is a generic-base d pattern-matc hing inspection engin e for ICMP , TCP , and UDP protocols.
7-42 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 7 Defining Signatur es Creating Custom Signatures • no —Remove s an entry or selection setting. • regex-string —Specifies a reg ular e x press ion to searc h for in a sing le TCP pack et.
7-43 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 7 Defi ning Signatures Creating C ustom Si gnatu res Step 10 Specif y the regex string to sear ch for in the TCP packe t. Y ou can chan ge the e vent action s if needed according to your security policy using the event-action c ommand.
7-44 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 7 Defining Signatur es Creating Custom Signatures Example Service HTTP Engine Sig nature The Serv ice HTTP engi ne is a servi ce-specif ic stri ng-base d pattern-m atching inspection en gine.
7-45 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 7 Defi ning Signatures Creating C ustom Si gnatu res – modify -packet- inline — Modifies pa cket data to remove a mbiguity about wh at the end point might do with th e packet.
7-46 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 7 Defining Signatur es Creating Custom Signatures sensor(config-sig-sig-ale-fir-yes)# summary-threshold 200 Step 9 Exit al ert fre quen cy submod e.
7-47 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 7 Defi ning Signatures Creating C ustom Si gnatu res Meta Si gnatu re Engine En hancement The purpos e of the Meta engi ne is to detect a specified payload from a n attacker and a corr espondin g payload from the victim.
7-48 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 7 Defining Signatur es Creating Custom Signatures • all-not-components-r equire d {true | f alse} —Spe cifies to us e all of the NO T compo nen ts.
7-49 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 7 Defi ning Signatures Creating C ustom Si gnatu res Creat ing a Met a Engi ne Sign ature T o create a signatur e based on the Meta e ngine, follow these steps: Step 1 Log in to the CLI using an account with ad ministrator or o perator privileges.
7-50 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 7 Defining Signatur es Creating Custom Signatures component-sig-id: 1000 component-subsig-id: 0 d.
7-51 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 7 Defi ning Signatures Creating C ustom Si gnatu res The following example Atom ic IP Ad vanced cu stom signatur e prohibits Protocol ID 88 over IPv6.
7-52 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 7 Defining Signatur es Creating Custom Signatures For More Informatio n • For more info rmati on about th e Atomic IP Adva nced e ngine and a list of the pa rameters, se e Atomic IP Advanced Engine, page B -15 .
7-53 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 7 Defi ning Signatures Creating C ustom Si gnatu res Step 5 Specify a name fo r the new signature.
7-54 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 7 Defining Signatur es Creating Custom Signatures Step 16 Specify a minimum ma tch offset for this sign ature.
7-55 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 7 Defi ning Signatures Creating C ustom Si gnatu res Step 18 Exit signature def i nition submode.
7-56 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 7 Defining Signatur es Creating Custom Signatures T o create a cu stom si gnature b ased o n the .
7-57 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 7 Defi ning Signatures Creating C ustom Si gnatu res sensor(config-sig-sig-str-no-yes)# exit sens.
7-58 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 7 Defining Signatur es Creating Custom Signatures.
CH A P T E R 8-1 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 8 Configuring Event Action Rules This ch apter explains ho w to add e vent action r ules policies and how to configure event action rules.
8-2 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 8 Co nfiguring Event Action Rules Underst anding Securit y Policies • Y ou ca nnot delete the event action override for deny-packet-inline be cause it is protec ted.
8-3 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 8 Conf iguring Event Action Rules Signat ure Event Act ion Processor Signature Event Action Proces.
8-4 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 8 Co nfiguring Event Action Rules Event Actions Figur e 8-1 Signat ur e Event Thr ough Signat ur e Event A ction P ro cessor For More Informatio n Fo r more i nfor mati on on ri sk ra ting, see Calculating the Risk Rating, page 8-13 .
8-5 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 8 Conf iguring Event Action Rules Event Acti ons Note There are other e vent actio ns that forc e a produc e-alert. These actio ns use p roduce-aler t as the v ehicl e for perf orming the act ion.
8-6 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 8 Co nfiguring Event Action Rules Event Actions Note Y ou cannot use modi fy-packet-inlin e as an a ction when a dding event action filters or over rid e s.
8-7 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 8 Conf iguring Event Action Rules Event Action R ules Conf igurat ion Sequen ce When a deny -conn ection- inline occurs, the IP S also automatically sends a T CP one-way reset, whic h sho ws up as a TCP one- way rese t sent in the ale rt.
8-8 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 8 Co nfiguring Event Action Rules Working Wit h Event Action Rules Policies 3. Create ov errides t o add ac tions based on the r isk r ating v alue. Ass ign a risk rat ing to each e ven t action type.
8-9 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 8 Conf iguring Event Action Rules Event Action Variab les f.
8-10 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 8 Co nfiguring Event Action Rules Event Action Var iables Understand ing Event Action V ariables Note Global c orrelation in spection and the reputation filtering deny feature s do not support IPv6 address es.
8-11 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 8 Conf iguring Event Action Rules Event Action Variab les T imesaver If you have an IP address sp.
8-12 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 8 Co nfiguring Event Action Rules Event Action Var iables sensor(config-eve)# variables variable-ipv6 ipv6-address 2001:0db8:3c4d:0015:0000:0000:abcd:ef12 Step 5 V erif y that you added the event action rules variable.
8-13 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 8 Conf iguring Event Action Rules Conf igurin g Target Val ue Rati ngs Configuring Targe t Value Ratings Thi s section descri bes what risk rati ng is and ho w to use it to conf igure tar get v alue ratings.
8-14 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 8 Co nfiguring Event Action Rules Configuring Ta rget Value Ratings • T arge t va lue rati ng (TVR)—A wei ght associated with the perc eive d value of the tar get.
8-15 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 8 Conf iguring Event Action Rules Conf igurin g Target Val ue Rati ngs Adding, Editin g, and D eleting Target Value Rating s Note Global c orrelation in spection and the reputation filtering deny features do not support IPv6 address es.
8-16 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 8 Co nfiguring Event Action Rules Configuring Ta rget Value Ratings • ipv6-targe t-address ip_a.
8-17 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 8 Conf iguring Event Action Rules Confi guring Eve nt Acti on Overrides ipv6-target-value (min: 0.
8-18 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 8 Co nfiguring Event Action Rules Configuring Ev ent Action Overrides The following options ap ply: • no overri des —Remov e s an entry or selection setting.
8-19 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 8 Conf iguring Event Action Rules Confi guring Eve nt Acti on Overrides • Log packets fro m both the attacker and victim IP ad dresses. sensor(config-eve)# overrides log-pair-packets sensor(config-eve-ove)# • Write an alert to Event Store.
8-20 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 8 Co nfiguring Event Action Rules Configuring Ev ent Action Filters action-to-add: deny-attacker-.
8-21 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 8 Conf iguring Event Action Rules Confi guring Even t Action Filters Cautio n Event a ction filter s based on sour ce and destination IP a ddresses do not function for the Sweep engine, because the y do not f ilter a s regular signatur es.
8-22 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 8 Co nfiguring Event Action Rules Configuring Ev ent Action Filters • ipv6-attacker-address-ran.
8-23 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 8 Conf iguring Event Action Rules Confi guring Even t Action Filters Configuring Event Action Filters T o configure e vent act ion filters, follo w these steps: Step 1 Log in to the CLI using an acco unt with administrator privileges.
8-24 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 8 Co nfiguring Event Action Rules Configuring Ev ent Action Filters l. Add any comments you want to use to e x plain this f ilter . sensor(config-eve-fil)# user-comment NEW FILTER Step 5 V erify the settings for the f ilter .
8-25 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 8 Conf iguring Event Action Rules Confi guring Even t Action Filters NAME: name1 ----------------.
8-26 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 8 Co nfiguring Event Action Rules Configuring O S Identification s Step 12 Exit ev e nt action rules subm ode. sensor(config-eve)# exit Apply Changes:?[yes]: Step 13 Press Enter to a pply y our change s or en ter no to discard them.
8-27 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 8 Conf iguring Event Action Rules Configuring OS Id entifications There are three sour ces of OS infor mation. Th e sensor ran ks the sources of OS inform ation in the following orde r: 1.
8-28 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 8 Co nfiguring Event Action Rules Configuring O S Identification s Adding, Editin g, Deleting, an.
8-29 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 8 Conf iguring Event Action Rules Configuring OS Id entifications – hp-ux —V ariants of HP-UX.
8-30 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 8 Co nfiguring Event Action Rules Configuring O S Identification s Step 6 Specify the attack rele vance rating range for the IP address. sensor(config-eve-os-con)# exit sensor(config-eve-os)# calc-arr-for-ip-range 192.
8-31 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 8 Conf iguring Event Action Rules Configuring OS Id entifications -------------------------------.
8-32 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 8 Co nfiguring Event Action Rules Configuring G eneral Settings The following options ap ply: • virtual-sensor —(Optional) Specifie s the learned addresse s of the v irtual sensor tha t should be displayed or cleare d.
8-33 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 8 Conf iguring Event Action Rules Config uring General S ettings • Configuring the General Sett.
8-34 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 8 Co nfiguring Event Action Rules Configuring G eneral Settings Configuring th e General Settin g.
8-35 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 8 Conf iguring Event Action Rules Config uring the D enied Att acker s List Step 8 Enable or disa ble any o verrides that you have set up. The default is enabled .
8-36 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 8 Co nfiguring Event Action Rules Configuring t he Denied At tackers Lis t Adding Entries to the .
8-37 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 8 Conf iguring Event Action Rules Config uring the D enied Att acker s List Disp layi ng and De l.
8-38 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 8 Co nfiguring Event Action Rules Moni torin g Even ts Name of current Event-Action-Rules instanc.
8-39 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 8 Conf iguring Event Action Rules M onitoring Eve nts Use the show e vents [{ alert [informationa.
8-40 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 8 Co nfiguring Event Action Rules Moni torin g Even ts evError: eventId=1041472274774840148 sever.
8-41 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 8 Conf iguring Event Action Rules M onitoring Eve nts evIdsAlert: eventId=1109695939102805308 severity=medium vendor=Cisco originator: --MORE-- Step 6 Display events that began 30 se conds in the past.
8-42 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 8 Co nfiguring Event Action Rules Moni torin g Even ts.
CH A P T E R 9-1 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 9 Configuring Anomaly Detection This chapter describes anom aly detection (AD ) and its features and ho w to configure them.
9-2 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 9 Co nfiguring Anomaly Detection Underst anding Securit y Policies connect ions, that is, as scanners , and sends al erts for all traf fic f lo ws.
9-3 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 9 Conf iguring Anoma ly Detection Anomaly Det ection Mo des Anomaly detection identifie s worm-infected hosts b y th eir b eha vior as scan ners . T o spread , a wo rm mu st find ne w hosts.
9-4 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 9 Co nfiguring Anomaly Detection Anomaly Detection Zo nes • Detect mode —For ongoing opera tion, the sensor sho uld remain in detect mode. This is for 24 hours a day , 7 days a week.
9-5 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 9 Conf iguring Anoma ly Detection Anomaly Det ection Con figurat ion Sequence Anomaly Detectio n Configuration Se quence Y ou ca n configure the de tection part of an omaly det e ction.
9-6 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 9 Co nfiguring Anomaly Detection Anomaly Detection Signa tures • For more information on configurin g anomaly de tection signa tures, see Anomaly Detecti o n Signatures, pa ge 9-6 .
9-7 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 9 Conf iguring Anoma ly Detection Anomaly Detecti on Signatures 13002 1 Internal Other Scanner Ide.
9-8 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 9 Co nfiguring Anomaly Detection Enabling Anomaly Det ection For More Informatio n For the proc edure for assigning a ctions to signa tures, see Assign ing Actions to Signatures, page 7- 15 .
9-9 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 9 Conf iguring Anoma ly Detection Working With Anomaly Detection Po licies edit t he values o f the new policy as need ed. Use the list anomaly- detection-conf igurat ions comman d in pri vileged EXEC mode to list the anom aly det ection po licies.
9-10 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 9 Co nfiguring Anomaly Detection Configuring A nomaly Dete ction Operatio nal Settings Step 7 V e rify th at the an omal y detect ion in stan ce has be en dele ted.
9-11 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 9 Conf iguring Anoma ly Detection Configuri ng the Intern al Zone Configuring Anomaly Detection O.
9-12 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 9 Co nfiguring Anomaly Detection Configuring t he Internal Zone Understand ing the Interna l Zone The inter nal zone should re presen t your internal ne twork.
9-13 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 9 Conf iguring Anoma ly Detection Configuri ng the Intern al Zone Step 7 Configure the other protocol s.
9-14 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 9 Co nfiguring Anomaly Detection Configuring t he Internal Zone sensor(config-ano-int-tcp-dst)# Step 5 Enab le th e servic e for th at port. sensor(config-ano-int-tcp-dst)# enabled true Step 6 T o override the scanne r values for that port.
9-15 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 9 Conf iguring Anoma ly Detection Configuri ng the Intern al Zone -------------------------------.
9-16 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 9 Co nfiguring Anomaly Detection Configuring t he Internal Zone • ov errid e-scanner -setti ngs.
9-17 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 9 Conf iguring Anoma ly Detection Configuri ng the Intern al Zone -------------------------------.
9-18 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 9 Co nfiguring Anomaly Detection Configuring t he Internal Zone sensor(config-ano-int-udp)# Confi.
9-19 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 9 Conf iguring Anoma ly Detection Configuri ng the Intern al Zone Step 7 T o a dd a h istogram for th e new scanne r settings.
9-20 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 9 Co nfiguring Anomaly Detection Configuring t he Illegal Zone Configuring the Illegal Zone This .
9-21 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 9 Conf iguring Anoma ly Detection Configuring the Illegal Zone sensor(config-ano-ill)# Step 3 Enable the ille gal zone. sensor(config-ano-ill)# enabled true Step 4 Conf igure the IP addr esses to be included in the il legal zone.
9-22 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 9 Co nfiguring Anomaly Detection Configuring t he Illegal Zone Configuring the Illegal Zone TCP Protocol T o configure TCP protocol for illegal zone, follo w these steps: Step 1 Log in to the CLI using an acco unt with administrator privileges.
9-23 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 9 Conf iguring Anoma ly Detection Configuring the Illegal Zone threshold-histogram (min: 0, max: .
9-24 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 9 Co nfiguring Anomaly Detection Configuring t he Illegal Zone Configuring UD P Protocol for the .
9-25 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 9 Conf iguring Anoma ly Detection Configuring the Illegal Zone Step 8 Set the scanner th reshold. sensor(config-ano-ill-udp-dst-yes)# scanner-threshold 100 Step 9 Configure the default thresholds for all other unspecified ports.
9-26 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 9 Co nfiguring Anomaly Detection Configuring t he Illegal Zone enabled: true <defaulted> --.
9-27 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 9 Conf iguring Anoma ly Detection Configuring the Illegal Zone sensor(config-ano)# illegal-zone sensor(config-ano-ill)# Step 3 Enable the other protoc ols.
9-28 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 9 Co nfiguring Anomaly Detection Configuring t he External Zon e --------------------------------.
9-29 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 9 Conf iguring Anoma ly Detection Config uring the E xterna l Zon e • other —Le ts you configure other pr o tocols besides TCP an d UDP .
9-30 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 9 Co nfiguring Anomaly Detection Configuring t he External Zon e – scanner -threshold —Sets the sc anner th reshold.
9-31 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 9 Conf iguring Anoma ly Detection Config uring the E xterna l Zon e yes -------------------------.
9-32 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 9 Co nfiguring Anomaly Detection Configuring t he External Zon e Conf igur ing UDP Pro tocol f or.
9-33 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 9 Conf iguring Anoma ly Detection Config uring the E xterna l Zon e Step 7 Add a histogram f or the new scann er settings.
9-34 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 9 Co nfiguring Anomaly Detection Configuring t he External Zon e no -----------------------------.
9-35 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 9 Conf iguring Anoma ly Detection Config uring the E xterna l Zon e Confi guri ng th e Exte rnal .
9-36 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 9 Co nfiguring Anomaly Detection Configuring L earning Accep t Mode -----------------------------.
9-37 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 9 Conf iguring Anoma ly Detection Confi guring Learnin g Accept Mo de Note Learn ing acc ept mode uses the se nsor local t ime.
9-38 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 9 Co nfiguring Anomaly Detection Configuring L earning Accep t Mode Conf igur ing Le arni ng Acce.
9-39 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 9 Conf iguring Anoma ly Detection Confi guring Learnin g Accept Mo de Step 3 Specify how the KB is sa ved and loaded: a. Speci fy that the KB is auto matic ally sav ed an d load ed.
9-40 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 9 Co nfiguring Anomaly Detection Working With KB Files For More Informatio n For the proc edures for saving and loa ding anoma ly detection KBs manua lly , see Sa ving a nd Loadi ng KBs Manua lly , page 9-41 .
9-41 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 9 Conf iguring Anoma ly Detection Working With KB File s 2003-Jan-05-10_00_00 84 10:00:00 CDT Sun Jan 05 2003 2003-Jan-06-10_00_00 84 10:00:00 CDT Mon Jan 06 2003 sensor# Step 3 Display the KB files for a specif ic virtual sensor .
9-42 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 9 Co nfiguring Anomaly Detection Working With KB Files Note An error is generated if anomaly detection is not ac ti ve when you en ter this command .
9-43 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 9 Conf iguring Anoma ly Detection Working With KB File s Note If you use HTTPS p rotocol, the remote host m ust be a T LS trusted host.
9-44 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 9 Co nfiguring Anomaly Detection Working With KB Files • For the proc edure for adding T LS trusted hosts, see A dding TL S T rusted H osts, page 3 -52 .
9-45 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 9 Conf iguring Anoma ly Detection Working With KB File s None Thresholds differ more than 10% Ext.
9-46 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 9 Co nfiguring Anomaly Detection Working With KB Files Displaying KB Thresholds T o d isplay the KB thresholds, follow these steps: Step 1 Log in to the CLI.
9-47 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 9 Conf iguring Anoma ly Detection Displaying Anomaly Det ection Stat istics Default Scanner Thres.
9-48 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 9 Co nfiguring Anomaly Detection Disabl ing Anom aly Det ection TCP Protocol UDP Protocol Other Protocol sensor# Step 3 Display the statistics for all virtual sensors.
9-49 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 9 Conf iguring Anoma ly Detection Disabling Anomaly De tection sensor(config)# service analysis-engine sensor(config-ana)# Step 3 Enter the virtual se nsor nam e that conta ins the an omaly de tection policy you want to disable .
9-50 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 9 Co nfiguring Anomaly Detection Disabl ing Anom aly Det ection.
CH A P T E R 10-1 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 10 Configuring Global Correlation This chapter provides information for configuring global correlation.
10-2 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 10 Configurin g Global Correlation Underst anding Globa l Correlation • Global c orrelation inspe ction and the reputation filtering d eny features do not supp ort IPv6 addresse s.
10-3 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 10 Configur ing Global Cor relation Understa nding Rep utati on T ab le 10-1 shows how we use the da ta. When you enable P artial or Full Ne twork P articipati on, the Netw ork Pa rticipation Disclaimer appears.
10-4 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 10 Configurin g Global Correlation Underst anding Netw ork Participatio n Figure 10-1 sho ws the role of t he sensor and the gl obal corre lation serv ers.
10-5 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 10 Configur ing Global Cor relation Understanding Efficacy • Data gathered from the sensor heal.
10-6 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 10 Configurin g Global Correlation Understand ing Reputation and Risk Rating Understandin g Reputation and Risk Rati ng Risk rating i s the concept of t h e probabilit y that a netw ork e vent i s malicious.
10-7 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 10 Configur ing Global Cor relation Global Co rrelat ion Requireme nts Global Correlati on Requir.
10-8 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 10 Configurin g Global Correlation Underst anding Globa l Correlation Sensor Health Metrics • F.
10-9 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 10 Configur ing Global Cor relation Configu ring Glob al Correl ation I nspect ion and Rep utatio.
10-10 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 10 Configurin g Global Correlation Configuring G lobal Correla tion Inspectio n and Reputatio n .
10-11 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 10 Configur ing Global Cor relation Configuring Network Participation Step 5 T urn on reputation filt ering. sensor(config-glo)# reputation-filtering on sensor(config-glo)# Step 6 T est global correlation data, but do not actually deny traf fic.
10-12 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 10 Configurin g Global Correlation Configuring N etwork Particip ation Note Y ou must ac cept the network participation di sclaimer to turn on network participat ion .
10-13 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 10 Configur ing Global Cor relation Troubl eshoo ting Globa l Correlat ion Step 7 Press Enter to a pply y our change s or en ter no to discard them.
10-14 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 10 Configurin g Global Correlation Displa ying Global Correlation Stati stics – full — All data is contributed to the Se nsorBase n etwork.
10-15 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 10 Configur ing Global Cor relation Displaying Gl obal Co rrelati on Stati stics Network Partici.
10-16 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 10 Configurin g Global Correlation Displa ying Global Correlation Stati stics.
CH A P T E R 11-1 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 11 Configuring External Product Interfaces This c hapter explai ns how to configure exter nal pr o duct interfaces.
11-2 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 11 Confi guring Ex ternal Produ ct Interf aces Underst anding the CSA MC Understandin g the CSA MC The CSA MC en forces a secur ity policy on network hosts.
11-3 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 11 Configur ing External Produc t Interfaces Exter nal Produc t Inte rface Is sues Note Y ou ca n only enable two CS A MC interfaces. Cautio n Y ou must ad d the CSA MC as a trusted hos t so the sensor can com municate w ith it.
11-4 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 11 Confi guring Ex ternal Produ ct Interf aces Configuring the CSA MC to Support the IPS Interfa.
11-5 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 11 Configur ing External Produc t Interfaces Ad ding Extern al Pr oduct Inter faces and Postur e ACL s The following options ap ply: • enab led {yes | no} —Enables/disables the receipt of information from the CSA M C.
11-6 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 11 Confi guring Ex ternal Produ ct Interf aces Adding Ex ternal Produ ct Interface s and Posture A CLs sensor(config)# service external-product-interface Step 3 Add the CSA MC interf ace.
11-7 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 11 Configur ing External Produc t Interfaces Ad ding Extern al Pr oduct Inter faces and Postur e ACL s Step 9 (Optional) Al low the host posture infor mation from unr eachable ho sts to be passed from the extern al product to the sensor .
11-8 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 11 Confi guring Ex ternal Produ ct Interf aces Troubles hooting Exter nal Product Interf aces ----------------------------------------------- NAME: name1 ----------------------------------------------- network-address: 192.
CH A P T E R 12-1 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 12 Configuring IP Logg ing This cha pter describ es how to configure IP logging on the sensor .
12-2 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 12 Co nfiguring IP Logging Underst anding IP Lo gging Understandin g IP Logging Y ou ca n manually co nfigure the sensor to capture all IP tr aff ic asso cia ted with a host you specif y by IP address.
12-3 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 12 Configur ing IP Logging Confi guring Manual IP Logging for a Speci fic IP Address Configuring .
12-4 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 12 Co nfiguring IP Logging Configuring M anual IP Lo gging for a Speci fic IP Address • minutes —Specifies the dura tion the logging should be acti ve.
12-5 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 12 Configur ing IP Logging Displaying the Cont ents of IP Logs • T o copy an d view an IP log file, see Copying IP Log Files to Be V iewed, page 1 2-7 .
12-6 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 12 Co nfiguring IP Logging Stopping Active IP Logs Step 3 Display a brief list of all IP logs. sensor# iplog-status brief Log ID VS IP Address1 Status Event ID Start Date 2425 vs0 192.
12-7 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 12 Configur ing IP Logging Copyi ng IP Log Fil es to Be Vi ewed Step 3 Stop all IP log ging sessions on a virtual sensor . sensor# no iplog name vs0 Step 4 V erif y that IP logging has be en stopped.
12-8 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 12 Co nfiguring IP Logging Copying IP Log Files to Be Viewed Packets Captured: 1039438 Log ID: 2342 IP Address: 192.
CH A P T E R 13-1 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 13 Displaying and Ca pturing Live Traffic on an Interface This chapte r des cribe s ho w to displa y , ca pture, c opy , and eras e pac ket fi les.
13-2 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapt er 13 Displaying and Capt uring L ive Traffi c on an Interface Underst anding Packet D isplay and C.
13-3 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 13 Display ing and Capturing L ive Traffic on an Interfa ce Displaying Live Traffic on an Interface Start: yyyy/mm/dd hh:mm:ss zone, End: yyyy/mm/dd hh:mm:ss zone or in-progress.
13-4 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapt er 13 Displaying and Capt uring L ive Traffi c on an Interface Capturing Live Tr affic on an Interface 03:43:05.694402 IP (tos 0x10, ttl 64, id 55469, offset 0, flags [DF], length: 292) 10.
13-5 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 13 Display ing and Capturing L ive Traffic on an Interfa ce Capturing Live Traffic on an In terface The packet captur e comma nd captur es the libp cap out put into a local f ile.
13-6 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapt er 13 Displaying and Capt uring L ive Traffi c on an Interface Copying the Pack et File 03:03:15.218814 802.1d config TOP_CHANGE 8000.00:04:9a:66:35:01.
13-7 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 13 Display ing and Capturing L ive Traffic on an Interfa ce Erasin g the Pa cket File Note The exact form at of the source and destin a tion URLs varies accor ding to the file.
13-8 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapt er 13 Displaying and Capt uring L ive Traffi c on an Interface Erasing the Pac ket File.
CH A P T E R 14-1 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 14 Configuring Attack Response Controller for Blocking and Rate Limiting This chapter pro vides information for setting up th e ARC to perform blocking a nd rate limiting on the sensor .
14-2 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 14 Configuring Attack Re sponse Controller for Blocking and Rate Limiting Underst anding Bl ocking • Do not con fuse block ing with the ab ility of the sensor to dr op packets.
14-3 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 14 Configur ing Attack Res ponse Controlle r for Blockin g and Rate Limiting Unders tanding Bl ocking is configured for VLAN A, but is blocking on a dif f erent security app liance custom er contex t that is configured fo r VLA N B.
14-4 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 14 Configuring Attack Re sponse Controller for Blocking and Rate Limiting Underst anding Rate Li miting • Ho w long you wa nt the bloc ks to last.
14-5 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 14 Configur ing Attack Res ponse Controlle r for Blockin g and Rate Limiting Understandi ng Serv ice Poli cies for Rate L imiting Ti p T o check the stat us of the ARC, typ e show statistics network-access at the sensor# .
14-6 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 14 Configuring Attack Re sponse Controller for Blocking and Rate Limiting Supported Dev ices Befo.
14-7 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 14 Configur ing Attack Res ponse Controlle r for Blockin g and Rate Limiting Config uring Blo cking Proper ties Note W e sup port V A C L blocking on the Supe rvis or Engine and A CL blockin g on the MSFC.
14-8 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 14 Configuring Attack Re sponse Controller for Blocking and Rate Limiting Configuring B locking P.
14-9 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 14 Configur ing Attack Res ponse Controlle r for Blockin g and Rate Limiting Disabling Block ing Step 6 Configure the sensor not to block itself. sensor(config-net-gen)# allow-sensor-block false Step 7 V erify the setting.
14-10 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 14 Configuring Attack Re sponse Controller for Blocking and Rate Limiting Disabl ing Block ing N.
14-11 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 14 Configur ing Attack Res ponse Controlle r for Blockin g and Rate Limiting Disabling Block ing.
14-12 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 14 Configuring Attack Re sponse Controller for Blocking and Rate Limiting Disabl ing Block ing Step 1 Log in to the CLI using an acco unt with administrator privileges.
14-13 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 14 Configur ing Attack Res ponse Controlle r for Blockin g and Rate Limiting Disabling Block ing ----------------------------------------------- ip-address: 192.
14-14 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 14 Configuring Attack Re sponse Controller for Blocking and Rate Limiting Disabl ing Block ing g.
14-15 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 14 Configur ing Attack Res ponse Controlle r for Blockin g and Rate Limiting Disabling Block ing Step 6 Disable ACL logging by using the false keyword.
14-16 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 14 Configuring Attack Re sponse Controller for Blocking and Rate Limiting Disabl ing Block ing g.
14-17 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 14 Configur ing Attack Res ponse Controlle r for Blockin g and Rate Limiting Disabling Block ing Step 4 Disable bl ocking event and err or logging.
14-18 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 14 Configuring Attack Re sponse Controller for Blocking and Rate Limiting Disabl ing Block ing T.
14-19 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 14 Configur ing Attack Res ponse Controlle r for Blockin g and Rate Limiting Disabling Block ing.
14-20 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 14 Configuring Attack Re sponse Controller for Blocking and Rate Limiting Configuring U ser Prof.
14-21 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 14 Configur ing Attack Res ponse Controlle r for Blockin g and Rate Limiting Config uring Blo cking an d Rate Li miting Devi ces Enter password[]: ******** Re-enter password ******** Step 6 Speci fy the en able password for the use r .
14-22 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 14 Configuring Attack Re sponse Controller for Blocking and Rate Limiting Configuring B locking and Rat e Limiting Devic es Note The ARC reads th e lines in the A CL and copies these lin es to the be ginning of the A CL.
14-23 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 14 Configur ing Attack Res ponse Controlle r for Blockin g and Rate Limiting Config uring Blo cking an d Rate Li miting Devi ces Routers and ACLs Note Pre-Block and Post-B lock A CLS do not apply to rate limiting.
14-24 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 14 Configuring Attack Re sponse Controller for Blocking and Rate Limiting Configuring B locking and Rat e Limiting Devic es Step 5 Specify the method us ed to access t he sensor .
14-25 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 14 Configur ing Attack Res ponse Controlle r for Blockin g and Rate Limiting Config uring Blo ck.
14-26 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 14 Configuring Attack Re sponse Controller for Blocking and Rate Limiting Configuring B locking and Rat e Limiting Devic es The Post-Block V A CL is best us ed for additional blocking or p ermitting that you want to occur on the same VLAN.
14-27 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 14 Configur ing Attack Res ponse Controlle r for Blockin g and Rate Limiting Config uring Blo ck.
14-28 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 14 Configuring Attack Re sponse Controller for Blocking and Rate Limiting Configuring t he Senso.
14-29 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 14 Configur ing Attack Res ponse Controlle r for Blockin g and Rate Limiting Confi gurin g the S.
14-30 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 14 Configuring Attack Re sponse Controller for Blocking and Rate Limiting Configuring t he Sensor to be a Ma ster Blocki ng Sensor Exam ple sensor(config)# tls trusted-host ip-address 19 2.
14-31 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 14 Configur ing Attack Res ponse Controlle r for Blockin g and Rate Limiting Configuring Host Blocking Step 13 Press Enter to a pply the chan ges or enter no to di scard them.
14-32 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 14 Configuring Attack Re sponse Controller for Blocking and Rate Limiting Configuring Co nnection Blo cking Use the block network ip-addr ess/ne tmask [ time out minut es ] comm and in p rivile ge d EXE C mode to block a network .
14-33 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 14 Configur ing Attack Res ponse Controlle r for Blockin g and Rate Limiting Obtainin g a List o.
14-34 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 14 Configuring Attack Re sponse Controller for Blocking and Rate Limiting Obtaini ng a List of B.
CH A P T E R 15-1 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 15 Configuring SNMP This chap ter de scribe s ho w to con fig ure SNMP , and contains the fo.
15-2 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chap ter 15 C onfigur ing SNMP Configuring SN MP Y ou ca n configure the sensor to send SNMP trap s. SN MP trap s enab le an a g ent to no tify th e mana geme nt station of significant e ve nts by way of an unsolicited SNMP messag e.
15-3 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 15 Configuring SNMP Configu ring SNMP Configuring SNMP General Parameters T o configure SNMP general par ameters, follo w these steps: Step 1 Log in to the CLI using an acco unt with administrator privileges.
15-4 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chap ter 15 C onfigur ing SNMP Configuring SN MP Traps ----------------------------------------------- --.
15-5 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 15 Configuring SNMP Config uring SNMP Tr aps • trap -des tinat ions —Defines the destinations.
15-6 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chap ter 15 C onfigur ing SNMP Supported M IBS Note The community string appears in the t rap and is useful i f you are rece iving multiple types of traps from multi ple agents.
15-7 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 15 Configuring SNMP Supported MI BS Note MIB II is a vaila ble on the sensor , but we do not support it. W e know that some elements are not correct (for e xample, the pack et count s from the IF MIB on t he sensi ng interf aces) .
15-8 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chap ter 15 C onfigur ing SNMP Supported M IBS.
CH A P T E R FIRST REVIEW — CISCO CONFIDENTIAL 16-1 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 16 Working With Configu r ation Files This chapte r des cribes ho w to use co mmands th at sh ow , cop y , an d er ase the conf iguration f ile.
FIRS T REVIEW—CISCO C ONFIDENTIAL 16-2 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 16 Working Wit h Configur ation Fil es Displa ying the Curre.
FIRS T REVIEW—CISCO C ONFIDENTIAL 16-3 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 16 Worki ng With Configurat ion Files Displayi ng the Current.
FIRS T REVIEW—CISCO C ONFIDENTIAL 16-4 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 16 Working Wit h Configur ation Fil es Displa ying the Curre.
FIRS T REVIEW—CISCO C ONFIDENTIAL 16-5 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 16 Worki ng With Configurat ion Files Displayi ng the Current.
FIRS T REVIEW—CISCO C ONFIDENTIAL 16-6 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 16 Working Wit h Configur ation Fil es Displa ying the Curre.
FIRS T REVIEW—CISCO C ONFIDENTIAL 16-7 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 16 Worki ng With Configurat ion Files Displayi ng the Current.
FIRS T REVIEW—CISCO C ONFIDENTIAL 16-8 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 16 Working Wit h Configur ation Fil es Displa ying the Curre.
FIRS T REVIEW—CISCO C ONFIDENTIAL 16-9 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 16 Worki ng With Configurat ion Files Displayi ng the Current.
FIRS T REVIEW—CISCO C ONFIDENTIAL 16-10 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 16 Working Wit h Configur ation Fil es Displa ying the Current Submode Configuration Step 9 Displa y the curr ent conf iguration of the service h ost subm ode.
FIRS T REVIEW—CISCO C ONFIDENTIAL 16-11 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 16 Worki ng With Configurat ion Files Displayi ng the Curren.
FIRS T REVIEW—CISCO C ONFIDENTIAL 16-12 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 16 Working Wit h Configur ation Fil es Displa ying the Curr.
FIRS T REVIEW—CISCO C ONFIDENTIAL 16-13 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 16 Worki ng With Configurat ion Files Displayi ng the Curren.
FIRS T REVIEW—CISCO C ONFIDENTIAL 16-14 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 16 Working Wit h Configur ation Fil es Displa ying the Current Submode Configuration Step 12 Displa y the curr ent conf iguration fo r the servic e networ k acces s submode .
FIRS T REVIEW—CISCO C ONFIDENTIAL 16-15 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 16 Worki ng With Configurat ion Files Displayi ng the Curren.
FIRS T REVIEW—CISCO C ONFIDENTIAL 16-16 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 16 Working Wit h Configur ation Fil es Filtering the Cu rrent Configura tion Output common-name: 10.
FIRS T REVIEW—CISCO C ONFIDENTIAL 16-17 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 16 Worki ng With Configurat ion Files Filtering the Current .
FIRS T REVIEW—CISCO C ONFIDENTIAL 16-18 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 16 Working Wit h Configur ation Fil es Filtering the Cu rrent Subm ode Configurat ion Output access-list 10.0.
FIRS T REVIEW—CISCO C ONFIDENTIAL 16-19 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 16 Worki ng With Configurat ion Files Displaying t he Conten.
FIRS T REVIEW—CISCO C ONFIDENTIAL 16-20 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 16 Working Wit h Configur ation Fil es Dis play ing the Con.
FIRS T REVIEW—CISCO C ONFIDENTIAL 16-21 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 16 Worki ng With Configurat ion Files Displaying t he Conten.
FIRS T REVIEW—CISCO C ONFIDENTIAL 16-22 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 16 Working Wit h Configur ation Fil es Backing U p and Rest.
FIRS T REVIEW—CISCO C ONFIDENTIAL 16-23 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 16 Worki ng With Configurat ion Files Backing Up and Restor ing the Configu ration Fi le Using a Remote S erver – https:— Source U RL for the we b server .
FIRS T REVIEW—CISCO C ONFIDENTIAL 16-24 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 16 Working Wit h Configur ation Fil es Creating an d Using .
FIRS T REVIEW—CISCO C ONFIDENTIAL 16-25 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 16 Worki ng With Configurat ion Files Erasing the Configuration File User accounts will not be erased. They must be removed manually using the "no username" command.
FIRS T REVIEW—CISCO C ONFIDENTIAL 16-26 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 16 Working Wit h Configur ation Fil es Erasing the Con figu.
CH A P T E R 17-1 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 17 Administrative Tasks for the Sensor This chapter contains procedures th at will help you with th e administ rativ e aspects of your sensor .
17-2 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 17 Administrativ e Tasks for the Sen sor Adminis trative Not es and Cavea ts Administrative Note.
17-3 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 17 Admi nistrative Ta sks for the Sensor Recove ring the Passwor d T ab le 17-1 lists the password r ecov ery me thods acco rding to pla tform.
17-4 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 17 Administrativ e Tasks for the Sen sor Recovering the Pas sword Using ROMMON For the IPS 4345, IPS 4360, IPS 45 10, and IPS 452 0, you ca n use the R O MMON to recover the password.
17-5 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 17 Admi nistrative Ta sks for the Sensor Recove ring the Passwor d T o r eset the password o n th.
17-6 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 17 Administrativ e Tasks for the Sen sor Recovering the Pas sword A summary of U.S. laws governing Cisco cryptographic products may be found at: http://www.
17-7 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 17 Admi nistrative Ta sks for the Sensor Recove ring the Passwor d Step 3 V erify the status of the mo dule. Once th e status reads Up , you c an session to the AS A 5585-X IPS SSP .
17-8 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 17 Administrativ e Tasks for the Sen sor Recovering the Pas sword Using the ASDM T o re set the password in the ASDM, follo w these steps: Step 1 From the ASDM menu bar, choose T oo ls > IPS P assword Reset .
17-9 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 17 Admi nistrative Ta sks for the Sensor Cleari ng the Sen sor Datab ases Step 3 T o disable password recovery , unch eck the Allow Passw ord Recove ry check box .
17-10 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 17 Administrativ e Tasks for the Sen sor Clea rin g th e Se nsor Dat abase s The following options ap ply: • virtual-sensor —Spec ifies the name of a virtual sensor co nfigured on the sensor .
17-11 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 17 Admi nistrative Ta sks for the Sensor Displayin g the Insp ection Load of the Sen sor Display.
17-12 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 17 Administrativ e Tasks for the Sen sor Displa ying the Ins pection Load o f the Sensor 10 ************************************************************ 0.
17-13 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 17 Admi nistrative Ta sks for the Sensor Configuring Health Status Information Inspection Load P.
17-14 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 17 Administrativ e Tasks for the Sen sor Configuring Heal th Status Informat ion • memory-usa.
17-15 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 17 Admi nistrative Ta sks for the Sensor Configuring Health Status Information sensor(config-hea-app)# status red sensor(config-hea-app)# exit sensor(config-hea)# Step 4 Enable the metrics for bypass polic y .
17-16 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 17 Administrativ e Tasks for the Sen sor Configuring Heal th Status Informat ion Step 12 Set the threshold for m emory usage.
17-17 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 17 Admi nistrative Ta sks for the Sensor Showing S ensor Overal l Health Status enable: true def.
17-18 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 17 Administrativ e Tasks for the Sen sor Creating a Bann er Login T o display the ov erall health status of the sen sor , follo w these s teps: Step 1 Log in to the CLI.
17-19 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 17 Admi nistrative Ta sks for the Sensor Terminating CLI Sessions Step 5 Remove the banne r login.
17-20 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 17 Administrativ e Tasks for the Sen sor Modi fying Term ina l Pr oper ties sensor# The user jsmith recei ves the foll owi ng message from the administrator jtaylor .
17-21 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 17 Admi nistrative Ta sks for the Sensor Configur ing Events Displa ying Event s Note The E ven t Stor e has a f ixed size o f 30 MB fo r all p latfo rms.
17-22 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 17 Administrativ e Tasks for the Sen sor Configuring Ev ents Displ aying Ev ents T o d isplay ev ents f rom the Ev ent Stor e, follo w these steps: Step 1 Log in to the CLI.
17-23 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 17 Admi nistrative Ta sks for the Sensor Configur ing Events appInstanceId: 367 time: 2011/03/02.
17-24 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 17 Administrativ e Tasks for the Sen sor Configuring t he System Clock sensor# clear events Warning: Executing this command will remove all events currently stored in the event store.
17-25 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 17 Admi nistrative Ta sks for the Sensor Clear ing th e Deni ed Att acker s List No time source .
17-26 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 17 Administrativ e Tasks for the Sen sor Clearing the D enied Attac kers List Disp layi ng and .
17-27 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 17 Admi nistrative Ta sks for the Sensor Displaying Poli cy Lists Name of current Event-Action-R.
17-28 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 17 Administrativ e Tasks for the Sen sor Displa ying Statis tics Step 3 Display the list of policies for ev ent action rules.
17-29 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 17 Admi nistrative Ta sks for the Sensor Displayi ng Stati stics Thread 5 sec 1 min 5 min 0 1 1 .
17-30 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 17 Administrativ e Tasks for the Sen sor Displa ying Statis tics SigVersion = 645.
17-31 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 17 Admi nistrative Ta sks for the Sensor Displayi ng Stati stics TCPMissedPacketsDueToUpdate = 0.
17-32 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 17 Administrativ e Tasks for the Sen sor Displa ying Statis tics Denied Attackers with percent denied and hit count for each. Denied Attackers with percent denied and hit count for each.
17-33 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 17 Admi nistrative Ta sks for the Sensor Displayi ng Stati stics sensor# Step 8 Display the statistics for global correlation.
17-34 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 17 Administrativ e Tasks for the Sen sor Displa ying Statis tics lastInstallAttempt = N/A nextAttempt = N/A Auxilliary Processors Installed sensor# Step 10 Display the statistics for the logging application.
17-35 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 17 Admi nistrative Ta sks for the Sensor Displayi ng Stati stics NetDevice Type = CAT6000_VACL IP = 192.
17-36 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 17 Administrativ e Tasks for the Sen sor Displa ying Statis tics Step 12 Display the statistics for the notif ication application.
17-37 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 17 Admi nistrative Ta sks for the Sensor Displayi ng Stati stics Total IPv6 Fragment packets pro.
17-38 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 17 Administrativ e Tasks for the Sen sor Displa ying Statis tics Number of complete datagrams r.
17-39 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 17 Admi nistrative Ta sks for the Sensor Displayi ng Stati stics last request method = GET last request URI = cgi-bin/sdee-server last protocol version = HTTP/1.
17-40 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 17 Administrativ e Tasks for the Sen sor Displa ying Tech Su pport Informat ion Displaying T ech Supp ort Informati on Note The show t ech-support command now displays historical interfa ce da ta fo r each inte rface f or the past 72 hours.
17-41 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 17 Admi nistrative Ta sks for the Sensor Displaying Version Information Exam ple T o sen d the tech support output to the file /absolut e/repo rts/sensor 1Repor t.
17-42 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 17 Administrativ e Tasks for the Sen sor Display ing Version Informat ion CollaborationApp V-20.
17-43 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 17 Admi nistrative Ta sks for the Sensor Diagnosing Network Con nectivit y dns-tertiary-server d.
17-44 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 17 Administrativ e Tasks for the Sen sor Resetting the A ppliance T o di agnose basic networ k connec ti vity , follow these steps: Step 1 Log in to the CLI.
17-45 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 17 Admi nistrative Ta sks for the Sensor Displaying C ommand History sensor# Step 4 Stop all app lications and p o wer down the appliance .
17-46 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 17 Administrativ e Tasks for the Sen sor Displa ying Hard ware Invent ory Displaying Hardware Inventory Use the show in ventor y command to display PEP informa tion.
17-47 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 17 Admi nistrative Ta sks for the Sensor Displaying Har dware Invent ory Name: "Chassis&quo.
17-48 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 17 Administrativ e Tasks for the Sen sor Tracing the Rout e of an IP Packet Name: "power s.
17-49 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 17 Admi nistrative Ta sks for the Sensor Displa ying Sub m ode S etti ngs Displaying Submode Setti ngs Use the show settings [ terse ] comman d in any subm ode to view the con tents of the current configuration.
17-50 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 17 Administrativ e Tasks for the Sen sor Displa ying Submod e Settings password: <hidden>.
17-51 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 17 Admi nistrative Ta sks for the Sensor Displa ying Sub m ode S etti ngs ----------------------------------------------- ip-address: 192.
17-52 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 17 Administrativ e Tasks for the Sen sor Displa ying Submod e Settings profile-name: 2admin pro.
CH A P T E R 18-1 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 18 Configuring the AS A 5500-X IPS SS P This chap ter cont ains proc edures that are spec ific to conf iguring the ASA 5500-X IPS SSP .
18-2 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 18 Configuri ng the ASA 5500-X IPS SSP Configuration Seq uence for th e ASA 5500-X IPS SSP • Th.
18-3 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 18 Configuring the ASA 5500-X IPS SSP Verifying Initialization for the ASA 5500-X IPS SSP • Fo .
18-4 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 18 Configuri ng the ASA 5500-X IPS SSP Creating Virtual Sensors for the ASA 5500-X IPS SSP Creati.
18-5 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 18 Configuring the ASA 5500-X IPS SSP Creating Virtua l Sensors for the ASA 5500-X IPS SSP Use the virtual-sensor name command in service a nalys is engin e submode to create virtual sensors on the ASA 5500-X IPS SSP.
18-6 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 18 Configuri ng the ASA 5500-X IPS SSP Creating Virtual Sensors for the ASA 5500-X IPS SSP Step 7 Assign a signature def i nition policy t o this virtual se nsor .
18-7 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 18 Configuring the ASA 5500-X IPS SSP Creating Virtua l Sensors for the ASA 5500-X IPS SSP Assign.
18-8 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 18 Configuri ng the ASA 5500-X IPS SSP Creating Virtual Sensors for the ASA 5500-X IPS SSP Sensor Name Sensor ID ----------- --------- vs0 1 vs1 2 asa# Step 3 Enter c onfiguration mode.
18-9 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 18 Configuring the ASA 5500-X IPS SSP The ASA 5500-X IPS SSP and Bypass Mode Step 7 Conf igure MPF for ea ch conte x t. Note The following example shows cont ext 3 (c 3).
18-10 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 18 Configuri ng the ASA 5500-X IPS SSP The ASA 5500-X I PS SSP and the Normalize r Engine The S .
18-11 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 18 Configuring the ASA 5500-X IPS SSP The ASA 5500-X IPS SS P and Jumbo Pack ets For More Informatio n For detaile d information about the Normalizer engine, see Nor maliz er Eng ine, pa ge B-36 .
18-12 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 18 Configuri ng the ASA 5500-X IPS SSP Health and Sta tus Informatio n Use the follow ing comman.
18-13 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 18 Configuring the ASA 5500-X IPS SSP Health and Status Information Firmware version: N/A Software version: 7.2(1)E4 MAC Address Range: 503d.e59c.7ca0 to 503d.
18-14 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 18 Configuri ng the ASA 5500-X IPS SSP Health and Sta tus Informatio n Mod-ips 251> -NG-1.4.1) ) #56 SMP Tue Dec 6 00:46:11 CST 2011 Mod-ips 252> Command line: ro initfsDev=/dev/hda1 init=loader.
18-15 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 18 Configuring the ASA 5500-X IPS SSP Health and Status Information Mod-ips 313> ACPI: INT_SR.
18-16 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 18 Configuri ng the ASA 5500-X IPS SSP Health and Sta tus Informatio n Mod-ips 369> CPU: L1 I.
18-17 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 18 Configuring the ASA 5500-X IPS SSP Health and Status Information Mod-ips 430> TCP establis.
18-18 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 18 Configuri ng the ASA 5500-X IPS SSP Health and Sta tus Informatio n Mod-ips 493> processor.
18-19 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 18 Configuring the ASA 5500-X IPS SSP Health and Status Information Mod-ips 555> cpuidle: using governor ladder Mod-ips 556> usbcore: registered new interface driver usbhid Mod-ips 557> usbhid: v2.
18-20 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 18 Configuri ng the ASA 5500-X IPS SSP ASA 5500-X IPS SSP Failover Scenarios Mod-ips 616> Creating boot.
18-21 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 18 Configuring the ASA 5500-X IPS SSP New and Modi fied C ommands Two AS As i n Fai l-Clo se Mo .
18-22 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 18 Configuri ng the ASA 5500-X IPS SSP allocate-ips allocat e-ips T o allocate an IPS virtual sensor to a security c ontext if you ha ve the ASA 5500-X IPS SSP installed, use the a lloca te-ip s comm and in context configuration mod e.
18-23 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 18 Configuring the ASA 5500-X IPS SSP allocate-ips Comma nd His tory Usage Guid elines Y o u can assign one or more IPS virtua l sensors to e ach co ntext.
18-24 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 18 Configuri ng the ASA 5500-X IPS SSP allocate-ips.
CH A P T E R 19-1 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 19 Configuring the AS A 5585-X IPS SS P This chap ter cont ains proc edures that are spec ific to conf iguring the ASA 5585-X IPS SSP .
19-2 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 19 Configuri ng the ASA 5585-X IPS SSP Configuration Seq uence for th e ASA 5585-X IPS SSP • The ASA 5585- X IPS SSP has fou r types of ports (console, management, GigabitEthernet, and 10GE).
19-3 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 19 Configuring the ASA 5585-X IPS SSP Verifying Initialization for the ASA 5585-X IPS SSP • For the proced ure for crea ting virtual sensor s, see Crea ting V irtual Sen sors for th e ASA 55 85-X IPS SSP , page 1 9-4 .
19-4 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 19 Configuri ng the ASA 5585-X IPS SSP Creating Virtual Sensors for the ASA 5585-X IPS SSP Creati.
19-5 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 19 Configuring the ASA 5585-X IPS SSP Creating Virtua l Sensors for the ASA 5585-X IPS SSP The AS.
19-6 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 19 Configuri ng the ASA 5585-X IPS SSP Creating Virtual Sensors for the ASA 5585-X IPS SSP Step 3 Add a virtual sensor . sensor(config-ana)# virtual-sensor vs1 sensor(config-ana-vir)# Step 4 Add a description fo r this virtual sensor .
19-7 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 19 Configuring the ASA 5585-X IPS SSP Creating Virtua l Sensors for the ASA 5585-X IPS SSP sensor(config-ana)# exit Apply Changes:?[yes]: sensor(config)# Step 11 Press Enter to a pply the chan ges or enter no to di scard them.
19-8 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 19 Configuri ng the ASA 5585-X IPS SSP Creating Virtual Sensors for the ASA 5585-X IPS SSP • show context [ detail ]—Updated to display informa tion about virtual se nsors.
19-9 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 19 Configuring the ASA 5585-X IPS SSP Creating Virtua l Sensors for the ASA 5585-X IPS SSP asa(co.
19-10 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 19 Configuri ng the ASA 5585-X IPS SSP The ASA 5585-X I PS SSP and the Normalize r Engine The AS.
19-11 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 19 Configuring the ASA 5585-X IPS SSP ASA 5585-X IPS SSP and J umbo Packets The Se nsorAp p Fail.
19-12 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 19 Configuri ng the ASA 5585-X IPS SSP Health and Sta tus Informatio n Use the follow ing comman.
19-13 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 19 Configuring the ASA 5585-X IPS SSP Health and Status Information Software version: 7.2(1)E4 MAC Address Range: 8843.e12f.5414 to 8843.e12f.541f App.
19-14 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 19 Configuri ng the ASA 5585-X IPS SSP Health and Sta tus Informatio n Firmware version: 2.0(7)0 Software version: 7.2(1)E4 MAC Address Range: 5475.
19-15 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 19 Configuring the ASA 5585-X IPS SSP Traf fic Flow Stop ped on IPS Switc hports asa(config)# debug module-boot debug module-boot enabled at level 1 asa(config)# hw-module module 1 recover boot The module in slot 1 will be recovered.
19-16 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 19 Configuri ng the ASA 5585-X IPS SSP Failove r Scenarios Failover Scenarios The following fail.
19-17 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 19 Configuring the ASA 5585-X IPS SSP Failover Scenarios failover failover lan unit secondary failover lan interface folink GigabitEthernet0/7 failover interface ip folink 172.
19-18 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 19 Configuri ng the ASA 5585-X IPS SSP.
CH A P T E R 20-1 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 20 Obta ining Software This chap ter pro vides informat ion on obtaining the latest Cisco IPS software. It contains the following sections: • IPS 7.
20-2 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 20 Obtaining So ftware IPS Software Versioning Downloading Cisco IPS Software T o down load sof twar e on Cisc o.com, follo w these steps: Step 1 Log in to Cisco.
20-3 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 20 Obtaining Software IPS Software Ve rsioning Major Update A major u pdate co ntains new func tionality or a n archite ctural c hange in the pro duct.
20-4 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 20 Obtaining So ftware IPS Software Versioning Figure 20-1 illustrates what each part of the IPS software file represents for major a nd minor updates, service pack s, and patc h releases.
20-5 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 20 Obtaining Software IPS Software Ve rsioning Figure 20-3 illustrates what e ach part of the IPS sof tware file repre sents for signature en gine upda tes.
20-6 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 20 Obtaining So ftware IPS Software Versioning IPS Software Release Ex amples T ab le 20-1 lists platf orm-ind epend ent Cisco IPS so ftware r elease examples.
20-7 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 20 Obtaining Software Acce ssing I PS Docu mentati on T ab le 20-1 describes the platform identifier s used in pla tform-spe cific names. For More Informatio n For instructions on how to access these files on Cisco.
20-8 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 20 Obtaining So ftware Cisco Security Inte lligence Operatio ns • Rele ase an d Gene ral In formati on —Co ntains docu mentation r oadmaps a nd relea se notes.
CH A P T E R 21-1 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 21 Upgrading, Downgrading, a nd Installing System Images This ch apte r descr ibes how to upgr ade, downgrade, an d install syste m images.
21-2 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 21 Upgra ding, Downgr ading, an d Instal ling Syst em Images Upgrades , Downgrad es, and System Ima ges • All user co nfi guration se ttings are lost when you in stall the s ystem imag e.
21-3 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 21 Upgr ading, Downgr ading, and Inst alling System Im ages Support ed FTP an d HTTP/HT TPS Serv ers For More Informatio n • For the procedure for initializing the sensor , see Basic Sensor Setup, page 2-4 .
21-4 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 21 Upgra ding, Downgr ading, an d Instal ling Syst em Images Upgradin g the Sensor Upgr ade Notes.
21-5 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 21 Upgr ading, Downgr ading, and Inst alling System Im ages Upgradi ng the Sen sor Upgrad ing t he Sen sor Note The CLI output is an example of wh at your configuration may look like.
21-6 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 21 Upgra ding, Downgr ading, an d Instal ling Syst em Images Upgradin g the Sensor boot is using 61.2M out of 70.1M bytes of available disk space (92% usage) application-log is using 494.
21-7 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 21 Upgr ading, Downgr ading, and Inst alling System Im ages Upgradi ng the Sen sor T o work with upgrade files, follo w these steps: Step 1 Log in to the se nsor using an acc o unt with administrator pri vileges.
21-8 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 21 Upgra ding, Downgr ading, an d Instal ling Syst em Images Configuring A utomatic Up grades sensor(config)# upgrade ftp :// user@serve r_ipad dress//upgrade_path / IPS-SSP_10-K9-r-1.
21-9 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 21 Upgr ading, Downgr ading, and Inst alling System Im ages Configuring Automatic Upgrade s Y ou .
21-10 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 21 Upgra ding, Downgr ading, an d Instal ling Syst em Images Configuring A utomatic Up grades • user-name user_nam e —Specif ies the us ername for serve r au thenticatio n.
21-11 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 21 Upgr ading, Downgr ading, and Inst alling System Im ages Configuring Automatic Upgrade s Step 4 Specify the username for authentication. sensor(config-hos-ena)# user-name tester Step 5 Specify the password o f the use r .
21-12 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 21 Upgra ding, Downgr ading, an d Instal ling Syst em Images Configuring A utomatic Up grades • For the ou tput of th e show statistics host comm and, se e Displa ying Statistics, page 17 -28 .
21-13 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 21 Upgr ading, Downgr ading, and Inst alling System Im ages Downgradi ng the Sen sor For More Informatio n • For the procedu re for configuring auto matic update, see Configuring Automa tic Updates, page 21-8 .
21-14 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 21 Upgra ding, Downgr ading, an d Instal ling Syst em Images Installing Syst em Images Recoverin.
21-15 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 21 Upgr ading, Downgr ading, and Inst alling System Im ages Installing System Images • Install.
21-16 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 21 Upgra ding, Downgr ading, an d Instal ling Syst em Images Installing Syst em Images Step 2 Configure the line and port on the terminal se rver .
21-17 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 21 Upgr ading, Downgr ading, and Inst alling System Im ages Installing System Images Low Memory: 631 KB High Memory: 2048 MB PCI Device Table.
21-18 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 21 Upgra ding, Downgr ading, an d Instal ling Syst em Images Installing Syst em Images The v ariables ha ve the f ollo wing defi nitions: • Address—L ocal IP addre ss of the IPS 4345.
21-19 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 21 Upgr ading, Downgr ading, and Inst alling System Im ages Installing System Images UNIX Exam ple rommon> IMAGE=system_images/IPS-4345-K9-sys-1.
21-20 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 21 Upgra ding, Downgr ading, an d Instal ling Syst em Images Installing Syst em Images Y ou ca n install the IPS 4510 and IPS 4520 system image by using the R O MMON on the a ppliance to TFTP the sys tem image onto the co mpact flas h de vice.
21-21 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 21 Upgr ading, Downgr ading, and Inst alling System Im ages Installing System Images Step 5 If nece ssary , assign an IP ad dress fo r the Manag ment port on the IPS 4510.
21-22 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 21 Upgra ding, Downgr ading, an d Instal ling Syst em Images Installing Syst em Images Note If the n etwork settings ar e correct, the system downloads an d boots the sp ecified image on the IP S 4 510.
21-23 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 21 Upgr ading, Downgr ading, and Inst alling System Im ages Installing System Images Mod Card Type Model Serial No.
21-24 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 21 Upgra ding, Downgr ading, an d Instal ling Syst em Images Installing Syst em Images Installin.
21-25 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 21 Upgr ading, Downgr ading, and Inst alling System Im ages Installing System Images Exam ple Port IP Address [0.0.0.0]: 10.89.149.231 Step 7 Lea ve the VLAN ID a t 0.
21-26 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 21 Upgra ding, Downgr ading, an d Instal ling Syst em Images Installing Syst em Images Step 11 Session to the ASA 5585-X IPS SSP . Step 12 Ente r cisco three times and your n e w password twice.
21-27 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 21 Upgr ading, Downgr ading, and Inst alling System Im ages Installing System Images Use BREAK or ESC to interrupt boot. Use SPACE to begin boot immediately.
21-28 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 21 Upgra ding, Downgr ading, an d Instal ling Syst em Images Installing Syst em Images Step 9 V erif y that you hav e access to the TFTP server by pi nging it f rom your local E thernet port w ith one o f the follow ing commands.
21-29 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 21 Upgr ading, Downgr ading, and Inst alling System Im ages Installing System Images For More Informatio n • For more information about TFTP servers, see TFTP Servers, page 21-15 .
21-30 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 21 Upgra ding, Downgr ading, an d Instal ling Syst em Images Installing Syst em Images.
A- 1 Cisco In trusi on Preven tion Syst em Sens or CLI Conf iguration Gui de for IP S 7.2 OL-29168-01 APPENDIX A System Architecture This append ix describes the IPS syste m architec ture, and con tai.
A- 2 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x A System Archit ecture IPS System Design Figure A-1 illustrates the system design for IPS software.
A-3 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix A System Archite cture System Appl icati ons Figure A-2 illustrates the system design for IPS sof tware for the IPS 4500 series se nsors.
A- 4 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x A System Archit ecture System Applications The Cisco IPS software incl udes the following applications: • MainApp—Initialize s the system, start s and stops the other applications, conf igures the OS, and perform s upgrad es.
A-5 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix A System Archite cture Securi ty Featu res Y ou interact with the Cisc o IPS in the follo wing w ays: • Conf igure de vice p arame ters Y ou generate the initial configurati on for the sy stem and its features.
A- 6 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x A System Archit ecture MainApp MainApp This section describes the MainApp, and contains the fol.
A-7 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix A System Archite cture MainAp p Note In the C isco IPS, the M ainApp ca n automati cally do wnload signatur e and signature e ngine upda tes from Cis co.
A- 8 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x A System Archit ecture MainApp Ta b l e A - 1 shows some examples: The size of the Event Store allo ws suff icient b uf fering of the IPS ev ents when the sensor is not connected to an IPS event consumer .
A-9 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix A System Archite cture MainAp p Control transactions in volv e the follo wing types of r e.
A-10 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x A System Archit ecture MainApp • T ime (UTC and lo cal time) • Signature nam e • Signat u.
A-11 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix A System Archite cture MainAp p • TCP stream s in embry onic stat e • TCP stream s in.
A-12 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x A System Archit ecture MainApp Figure A-3 shows the transact ionHandlerLoop method in the CtlT ra nsSource.
A-13 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix A System Archite cture MainAp p Understanding the ARC The main respon sibility of the ARC is to block ev ents .
A-14 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x A System Archit ecture MainApp ARC Features The ARC has the follo wing featur es: • Communication through T elnet and SSH 1.
A-15 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix A System Archite cture MainAp p • Maintaining blocking state ac ro ss network de v ice r estarts The ARC reap plies blocks an d removes expired blo cks as need ed whene ver a n etw ork de vice i s shut do wn and resta rted.
A-16 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x A System Archit ecture MainApp • Catalyst 6000 MSFC2 with Cataly st software 5.
A-17 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix A System Archite cture MainAp p The fo llo w ing scenarios demonstrate h o w the AR C maintains state a cross restarts. Scen ario 1 There ar e two blocks in effect when the ARC stops and one of them expires before the ARC re starts.
A-18 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x A System Archit ecture MainApp Cautio n Cisco fire walls do not support conne ction blocki ng of hosts. Whe n a connection block is applied, the fi re wall treats it like an unconditional block.
A-19 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix A System Archite cture MainAp p Blocking with Catalyst Swit ches Catalyst switches w ith a PFC f i lter pac kets using V A CLs. V A CLs f ilter all packe ts between VLANs and withi n a VLAN.
A-20 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x A System Archit ecture MainApp The Logg er can c ontrol what log messag es are genera ted by each application b y controlling the logging se verity for different logging zones.
A-21 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix A System Archite cture MainAp p AuthenticationApp to authenticate the identity of the user .
A-22 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x A System Archit ecture SensorApp Each TLS cl ient has dif ferent pro cedure s for estab lishing this trust.
A-23 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix A System Archite cture SensorA pp Understand ing the Sens orApp The Senso rApp p erforms pack et capture and anal ysis.
A-24 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x A System Archit ecture SensorApp that were quiesce nt during the hold-do wn period will not be f orwarded and will be allo wed to timeout. Those streams that were synchron ized during the hold -down period are allowed to continue.
A-25 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix A System Archite cture SensorA pp • Event risk rat ing Event risk rating help s reduce false positives from the system and g i ves yo u more contr ol ov er what causes an alarm .
A-26 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x A System Archit ecture SensorApp Signature Event Action Proc essor The Signature Event Action P.
A-27 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix A System Archite cture CollaborationApp Figur e A -5 Signatur e Ev ent Thr ough Signatur .
A-28 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x A System Archit ecture CollaborationA pp • Set of rules score weight va lues • Set of IP ad.
A-29 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix A System Archite cture Switch App Cautio n Y ou receive a warning message if you hav e enable d globa l correlation, but you have not configured a DNS or HTTP p roxy server .
A-30 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x A System Archit ecture CLI CLI The CL I provid es the sens or user interfa ce for a ll direc t node acc ess such a s T elnet , SSH, a nd seri al interf ace.
A-31 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix A System Archite cture Commun icati ons Note For IPS 5.0 and later , you can no longe r remove the cisco a ccount. Y ou can disabl e it using th e no password cisco command , but you cannot remove it.
A-32 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x A System Archit ecture Communications IDAPI IPS applic ations u se an i n terpr ocess comm unica tion API called the ID API to handle internal commun ications .
A-33 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix A System Archite cture Commun icati ons IDCONF The Cisco IPS manag es its configuration using XML docu ments. IDCO NF specifies the XML sch ema including the Cisco IPS control transactions.
A-34 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x A System Archit ecture Cisco IPS File Structure CIDEE CIDEE sp ecif ies the exten sions to SDE E that are used b y the Ci sco IPS. The CIDEE standa rd specif ies all possible exten sions that are supp orted by the Cisc o IPS.
A-35 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix A System Archite cture Summar y of Cisco I PS Applicat ions • /usr/cids/idsRoot/b in—Contains the bi nary ex ecutables. • /usr/cids/idsRoot/bin/authe nticatio n—Contains the au thentication application.
A-36 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x A System Archit ecture Summary of Cisc o IPS Applications IDM The Jav a apple t that provides an HTML IPS manageme nt interface. IME The Jav a applet that pr ovides an interface f or viewing and arch iving eve n t s .
B-1 Cisco In trusi on Preven tion Syst em Sens or CLI Conf iguration Gui de for IP S 7.2 OL-29168-01 APPENDIX B Signature Engines This append ix describes the IPS signa ture engines, an d contains the.
B-2 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x B Signat ure Engines Underst anding Signat ure Engines Cisco IPS conta ins the follo wing sign ature engine s: • AIC—Provides tho rough an alysis of web tr aff i c.
B-3 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix B Signature Engines Unders tanding Signatu re Engi nes – HTTP V2— Supports I OS IPS. This sign ature engi ne p rovides a pr otocol decod e engine tuned for IO S IPS.
B-4 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x B Signat ure Engines Master Engin e Note The R ege x acceler ator card i s used for both t he standa rd String engines an d the String XL engines.
B-5 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix B Signature Engines Master Engine alert-se verity Spe cifies t he sev erity of the alert: .
B-6 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x B Signat ure Engines Master Engin e Promiscuous Delta The prom iscuous delta lowers the r isk rating of c ertain aler ts in promiscuo us mode.
B-7 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix B Signature Engines Master Engine Obsoletes The C isco si gnature team uses the ob soletes.
B-8 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x B Signat ure Engines Master Engin e Event Action s The Cisco IPS supports the followi ng ev ent actions. Most of the ev ent act ions belong to each signature engine u nless they are not app rop riat e for that pa rticu lar engin e.
B-9 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix B Signature Engines Regular Expressi on Syntax • deny-attacker-inline (inlin e mode on ly)—Does no t transmit this packet and future pac kets from the attack er addr ess for a specif ied perio d of time.
B-10 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x B Signat ure Engines AIC Engine All repetition operators will match the shortest possible str ing as opposed to other operators that cons ume as much of the string as possi ble thus giving the longest string match.
B-11 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix B Signature Engines AIC Engine Understand ing the AIC En gine AIC provides thorou gh analysis of web traff ic . It provides gran ular control over HTT P sessions to prev ent abuse of th e HTT P protocol.
B-12 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x B Signat ure Engines AIC Engine • FTP traf fic: – FTP comman d auth orizat ion a nd en forcem ent Ta b l e B - 5 lists the p arameter s that are sp ecif ic to the AIC HTTP engine.
B-13 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix B Signature Engines AIC Engine Ta b l e B - 6 lists the p arameter s that are specif ic to the AIC FTP engine. For More Informatio n • For the procedure s for configuring AIC engine signatures, see Configuring AIC Signatures, page 7-17 .
B-14 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x B Signat ure Engines Atomic En gine • For more info rmation o n the paramet ers common to all si gnatur e engi nes, see Master Engine, page B-4 .
B-15 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix B Signature Engines Atomic Engine For More Informatio n For more information on the parameters common to all signature engines, see Mas ter En gine, pa ge B-4 .
B-16 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x B Signat ure Engines Atomic En gine Only the outermost IP tunnel is iden tif ied. When an IPv6 tunne l or IPv6 traff ic inside of an IPv 4 tunnel is detected, a signature f ires an alert.
B-17 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix B Signature Engines Atomic Engine Ta b l e B - 8 lists the p arameter s that are specific to the A tomic IP A dvanced engine.
B-18 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x B Signat ure Engines Atomic En gine specify-max-match-offset {yes | no} Enables maxim um match offset: • max-match -offset—Specifies the maxi mum s tream o f fset the regex-string m ust repo rt for a match t o be valid.
B-19 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix B Signature Engines Atomic Engine spec ify -flow-lab el {yes | no} (Option al) Ena bles inspec tion of t he flow label: • flo w-label—Specif ies the v alue of the flo w label to inspect.
B-20 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x B Signat ure Engines Atomic En gine specify-ipv6-addr-options {yes | no} (Optional) Enables the IPv6 address options: • ipv6-addr-options —Specifies the IPv6 address op tions: – address-w ith-localhost—IP address wi th ::1.
B-21 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix B Signature Engines Atomic Engine spec ify-routing- header { yes | no} (Optional) Enables inspection of the routing head er: • rh-pre s ent —Inspects the routin g header .
B-22 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x B Signat ure Engines Atomic En gine specify-ip-ttl { yes | no} (Optional) Enables inspecti on of the IP time-to-li ve: • ip-ttl—Specif ies the value of the IP TTL to ins pect .
B-23 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix B Signature Engines Atomic Engine spe cify- icmp v6- code {yes | n o} ( Optio nal) Enables inspection of the Laye r 4 I CMPv 6 code : • icmpv6 -code—Sp ecif ies th e v alue of the ICM Pv6 he ader CO DE.
B-24 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x B Signat ure Engines Atomic En gine specify-tcp-mask {yes | no} (Optional) Enables the TCP mask.
B-25 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix B Signature Engines Atomic Engine For More Informatio n • For an example custom I Pv6 signatur e, see Example IPv6 En gine Signatur e, p age 7-50 .
B-26 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x B Signat ure Engines Atomic En gine spe cify- ip-i d {yes | no} (Opti onal ) Enables inspection of the IP identifie r: • ip-id—Specifie s the IP ID to inspect.
B-27 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix B Signature Engines Atomic Engine specify-icmp-id {yes | n o} (Optional) Enables inspection of the Laye r 4 ICMP ID: • icmp-id—Speci fies the v alue of the ICMP header IDEN TIFIER .
B-28 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x B Signat ure Engines Atomic En gine specify-tcp-flags {yes | no} (Optional) Enables TCP flags f.
B-29 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix B Signature Engines Atomic Engine For More Informatio n For more information on the parameters common to all signature engines, see Mas ter En gine, pa ge B-4 .
B-30 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x B Signat ure Engines Fixed Engi ne Each Neigh borhood Discovery type can have one or more Neigh borhood Disc overy options. The Atomic IPv6 engine inspects the length of each option for complianc e with the legal v alues stated in RFC 2461 .
B-31 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix B Signature Engines Fi xed Engine Ta b l e B - 1 1 lists the parameters specif ic to the Fixed TCP engine.
B-32 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x B Signat ure Engines Flood Engi ne Ta b l e B - 1 2 lists the parameters specif ic to the Fixed UDP engine. For More Informatio n • For more info rmation o n the paramet ers common to all si gnatur e engi nes, see Master Engine, page B-4 .
B-33 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix B Signature Engines Meta En gine Ta b l e B - 1 3 lists the parameters specif ic to the Floo d Ho st engine. Flood Ne t Engin e Parame ters Ta b l e B - 1 4 lists the parameters specif ic to the Flood Net engine.
B-34 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x B Signat ure Engines Meta Engine All signature ev ents are hande d of f to the Meta engine by the Signature Event Action Proce ssor . The Signature Event Action Processor ha nds off the e v ent af ter proces sing the minimum hits option.
B-35 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix B Signature Engines Multi String Engine For More Informatio n • For an exa mple of a cus tom Meta engine sign ature, see Example Meta Engine Signa ture, page 7-46 .
B-36 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x B Signat ure Engines Normalizer E ngine For More Informatio n • For more info rmation o n the paramet ers common to all si gnatur e engi nes, see Master Engine, page B-4 .
B-37 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix B Signature Engines Normali zer Eng ine The Normal izer eng ine de als w ith IP frag ment r eass embly and TCP strea m re assem bly .
B-38 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x B Signat ure Engines Normalizer E ngine ASA IPS Modules an d the Norm alizer Engine The majorit.
B-39 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix B Signature Engines Servi ce Engi nes For More Informatio n • For the proce d ure fo r conf iguring I P fragme nt reass embly si gnatur es in the No rmalizer engin e, see Configuring IP Fra gment Re assembly , pa ge 7-28 .
B-40 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x B Signat ure Engines Service Engin es • Serv ice NTP E ngin e, page B-52 • Serv ice P2P Eng.
B-41 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix B Signature Engines Servi ce Engi nes For More Informatio n For more information on the parameters common to all signature engines, see Mas ter En gine, pa ge B-4 .
B-42 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x B Signat ure Engines Service Engin es Ta b l e B - 1 9 lists the parameters that are sp ecif ic to the Service F TP engine.
B-43 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix B Signature Engines Servi ce Engi nes Ta b l e B - 2 0 lists the parameters specif ic to the Servi ce Generic eng ine.
B-44 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x B Signat ure Engines Service Engin es Servi ce H225 Engi ne The Serv ice H2 25 engine ana lyzes H22 5.0 pro tocol, w hic h consists of many subprotocols and is part of the H.
B-45 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix B Signature Engines Servi ce Engi nes Ta b l e B - 2 1 lists parameters specif ic to the Service H225 engine.
B-46 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x B Signat ure Engines Service Engin es For More Informatio n • For more info rmation o n the paramet ers common to all si gnatur e engi nes, see Master Engine, page B-4 .
B-47 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix B Signature Engines Servi ce Engi nes Before an HTTP pa cket can be inspecte d, the data must be deobfusc ated or normalize d to the same representation that the tar get s ystem sees when it processes the data.
B-48 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x B Signat ure Engines Service Engin es For More Informatio n • For an example Serv ice H TTP custom signa ture, see Example Service HT TP Engine Signatur e, page 7-44 .
B-49 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix B Signature Engines Servi ce Engi nes Ta b l e B - 2 3 lists the parameters specif ic to the Service IDENT engine.
B-50 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x B Signat ure Engines Service Engin es Ta b l e B - 2 4 lists the parameters specif ic to the Service MSRPC engine.
B-51 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix B Signature Engines Servi ce Engi nes For More Informatio n • For more info rmation o n the paramet ers common to all si gnatur e engi nes, see Master Engine, page B-4 .
B-52 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x B Signat ure Engines Service Engin es Ta b l e B - 2 5 lists the parameters specif ic to the Service MSSQL engine. For More Informatio n For more information on the parameters common to all signature engines, see Mas ter En gine, pa ge B-4 .
B-53 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix B Signature Engines Servi ce Engi nes For More Informatio n For more information on the parameters common to all signature engines, see Mas ter En gine, pa ge B-4 .
B-54 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x B Signat ure Engines Service Engin es For More Informatio n • For more info rmation o n the paramet ers common to all si gnatur e engi nes, see Master Engine, page B-4 .
B-55 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix B Signature Engines Servi ce Engi nes Service SMB Advan ced En gine Note The SMB engine has been replaced by the SMB Adv an ced engine.
B-56 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x B Signat ure Engines Service Engin es specify-exact-match-of f set {yes | no} (Optional) Enables exact matc h of fset: • ex act-match-of fset—Specifies the e xact stream offset the R egex string mus t report for a matc h to be v alid.
B-57 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix B Signature Engines Servi ce Engi nes For More Informatio n • For more info rmation o n the paramet ers common to all si gnatur e engi nes, see Master Engine, page B-4 .
B-58 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x B Signat ure Engines Service Engin es For More Informatio n For more information on the parameters common to all signature engines, see Mas ter En gine, pa ge B-4 .
B-59 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix B Signature Engines Servi ce Engi nes For More Informatio n For more information on the parameters common to all signature engines, see Mas ter En gine, pa ge B-4 .
B-60 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x B Signat ure Engines State Engine For More Informatio n • For more info rmation o n the paramet ers common to all si gnatur e engi nes, see Master Engine, page B-4 .
B-61 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix B Signature Engines State Engine Ta b l e B - 3 2 lists the parameters specif ic to the State engine. T able B-32 Stat e Engine P aram eter s Parame ter Description V alue state-m achine Specif ies the s tate machine grou ping.
B-62 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x B Signat ure Engines String Engines For More Informatio n For more information on the parameters common to all signature engines, see Mas ter En gine, pa ge B-4 .
B-63 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix B Signature Engines St ring Engi nes Ta b l e B - 3 3 lists the parameters specif ic to the String ICMP engine. Ta b l e B - 3 4 lists the parameters specif ic to the String TCP engine.
B-64 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x B Signat ure Engines String Engines Ta b l e B - 3 5 lists the parameters specif ic to the String UDP engine. For More Informatio n For an ex ample custo m Stri ng e ngine signat ure, see Ex ampl e Strin g TCP Engi ne Signa ture, page 7-4 1 .
B-65 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix B Signature Engines Strin g XL Engi nes String XL Engine s Note The IPS 434 5, IPS 4360, .
B-66 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x B Signat ure Engines String XL Engines no-case Specif ies to treat all al phabetic ch aract ers in the expression as case inse nsitiv e.
B-67 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix B Signature Engines Strin g XL Engi nes Unsu pported String XL Param eters Although you see the end-o ptional and specify- max-strea m-length pa rameters in the String XL engine, the y are disa bled.
B-68 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x B Signat ure Engines Sweep Engines Apply Changes?[yes]: yes Error: string-xl-tcp 60003.0 : Maximum Stream Length is currently not supported. Please don't use this option.
B-69 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix B Signature Engines Sweep Engines per-stream/per-sourc e/per-destination bas is The data node c ontaining the swe ep determines wh en the sweep should expire.
B-70 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x B Signat ure Engines Sweep Engines For More Informatio n For more information on the parameters common to all signature engines, see Mas ter En gine, pa ge B-4 .
B-71 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix B Signature Engines Traffi c Anomaly Engine Swee p Oth er TCP Engin e Par ameter s Ta b l e B - 3 8 lists the parameters specif ic to the Sw eep Other TCP engine .
B-72 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x B Signat ure Engines Traffic Anom aly Engine • log-pair-packets—Sta rts IP logging for packets that contain the attacker and victim a ddress pa ir .
B-73 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix B Signature Engines Traffic ICMP Engine For More Informatio n For more information on the parameters common to all signature engines, see Mas ter En gine, pa ge B-4 .
B-74 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x B Signat ure Engines Trojan Engine s Ta b l e B - 4 0 lists the parameters specif ic to the T raf fic ICMP engine. For More Informatio n For more information on the parameters common to all signature engines, see Mas ter En gine, pa ge B-4 .
C-1 Cisco In trusi on Preven tion Syst em Sens or CLI Conf iguration Gui de for IP S 7.2 OL-29168-01 APPENDIX C Troubleshooting This appe ndix conta ins troub leshooting tips and pro cedur es for sensors an d so ftware.
C-2 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Preventive M aintenance If you ar e a register ed Cisc o.com use r , you can view the Bug T oolkit at this URL: http://tools.cisco.
C-3 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting P reven tive Mainte nance T o bac k up your curr ent configuration, follow these steps: Step 1 Log in to the CLI using an acco unt with administrator privileges.
C-4 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Preventive M aintenance Note Y o u are promp ted for a pa ssword. – scp:—Sour ce or destination URL for the SCP network server .
C-5 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting P reven tive Mainte nance Rest oring the Cu rrent Confi guration From a .
C-6 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Disast er Recovery Note For IPS 5.0 and later , you can no longe r remove the cisco accou nt. Y ou can di sable it using the no password cisco command , but you cannot remove it.
C-7 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting Password Re covery 2. Log in to the sensor with th e default user ID a nd password— ci sco . Note Y ou are prompt ed to chan ge the cisco password.
C-8 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Password Reco very • V erif ying the State of Password Recov ery , page C-.
C-9 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting Password Re covery ------------------------------------------- Use the ^ and v keys to select which entry is highlighted.
C-10 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Password Reco very Recovering the Password for the ASA 5500-X IPS S SP Y ou ca n reset the password to the default ( cisco ) f or the ASA 5500-X IPS SSP using the CLI or the ASDM.
C-11 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting Password Re covery Step 6 Enter yo ur new passwor d twice.
C-12 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Password Reco very Use th e hw-module module slot_numb er password- reset command to reset the password to the default cisc o .
C-13 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting Password Re covery A summary of U.S. laws governing Cisco cryptographic products may be found at: http://www.cisco.com/wwl/export/crypto/tool/stqrg.
C-14 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Password Reco very Step 4 Disable password recovery .
C-15 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting Time Sour ces and the Sensor Time Sources and the Senso r This section .
C-16 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Time Sources and the Sensor Verifying the Sensor is Sync hronized with the NTP Server In IPS, you can not apply an incorre ct NTP configuration, such a s an in valid NTP ke y value or ID, to the sensor .
C-17 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting Advant ages and Res trict ions of V irtuali zation T o ensure the inte grity o f the time sta mp on the ev ent records, you must clear the ev ent archiv e of the older ev e nts by using the clear event s command .
C-18 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Supported M IBs Supported MIBs T o avoid problems with configuring SNMP , be awar e of the MIBs that are supp orted on the sensor .
C-19 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting When to Disable Anomaly Detect ion When to Disable Ano maly Detection I.
C-20 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Analys is Engine Not Responding Analysis Engine No t Respondin g Error Message Output from show sta tistics analysis-engine Error: getAnalysisEngineStatistics : c t-sensorApp.
C-21 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting Troubl esho oting Ext ernal Product Interf aces Troubleshooting External Pro duct Interfaces This section lists issues that c an occur with external produc t interfaces an d provides troublesh ooting tips.
C-22 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Troubles hooting the Appl iance External Produ ct Interfaces Troublesho oti.
C-23 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting Troubl eshoot ing the App liance • Make sure each devi ce is p roper ly seate d . • If a de vice has latche s, mak e sure the y are comp letely clos ed and lock ed.
C-24 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Troubles hooting the Appl iance • Duplicate I P Addr ess Shuts Interface .
C-25 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting Troubl eshoot ing the App liance Step 3 Make sur e the sensor IP addr ess is u nique. If th e manageme nt interface detects that anothe r device on the network h as the sa me IP add ress, it does not come up .
C-26 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Troubles hooting the Appl iance For More Informatio n • For the procedu re for enab ling and disabling T eln et on the sensor , see E nabling and Disabling T eln et, pa ge 3-5 .
C-27 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting Troubl eshoot ing the App liance Duplicate IP Address Shuts Inter face Down If you hav e two newly im aged se nsors with the same IP address tha t come up on the same network at the same time, the interf ace shut s do wn.
C-28 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Troubles hooting the Appl iance Step 4 Make sure the IP address is cor rect.
C-29 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting Troubl eshoot ing the App liance AnalysisEngine V-2013_04_10_11_00_7_2_.
C-30 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Troubles hooting the Appl iance Physical Connectivity, SPAN, or VACL Port Issue If the sensor is not conn ected prope rly , you do not receive any alerts.
C-31 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting Troubl eshoot ing the App liance Step 4 V erify the interface configuration: • Make sure you ha ve the interfaces configured properly .
C-32 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Troubles hooting the Appl iance Step 3 Make sure you have Produce Alert co nfigured.
C-33 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting Troubl eshoot ing the App liance Sensor Not Seeing Packets If the senso r is no t seeing a ny packets on the network, you cou ld have the interfaces se t up incorre ctly .
C-34 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Troubles hooting the Appl iance Step 4 Check to see that the interface is up an d receiving packe ts.
C-35 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting Troubl eshoot ing the App liance Step 8 Start the IPS services. sensor# cids start Step 9 Log in to an account with administrator privi leges.
C-36 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Troubles hooting the Appl iance For More Informatio n • For the procedure to veri fy th at the ARC is r unning , see V e rifying the ARC is Runnin g, page C-36 .
C-37 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting Troubl eshoot ing the App liance Host Certificate Valid from: 17-Apr-2013 to 18-Apr-2015 sensor# Step 3 If the Ma inApp displays Not Runnin g , the ARC has fail ed.
C-38 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Troubles hooting the Appl iance Realm Keys key1.0 Signature Definition: Signature Update S697.0 2013-02-15 OS Version: 2.6.29.
C-39 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting Troubl eshoot ing the App liance Device Access Issues The ARC may not be able to acc ess the de vices it is managing.
C-40 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Troubles hooting the Appl iance profile-name: r7200 block-interfaces (min: .
C-41 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting Troubl eshoot ing the App liance Step 3 Exit gene ral submode. sensor(config-net-gen)# exit sensor(config-net)# exit Apply Changes:? [yes]: Step 4 Press Enter to a pply the chan ges or type no to discard them.
C-42 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Troubles hooting the Appl iance sensor(config-sig-sig)# engine normalizer s.
C-43 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting Troubl eshoot ing the App liance State ShunEnable = true ShunnedAddr Host IP = 122.
C-44 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Troubles hooting the Appl iance Step 9 If the rem ote master bloc king sensor is using T LS for web access , make sure the f orwar ding s ensor is configured a s a TL S host.
C-45 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting Troubl eshoot ing the App liance master-control -----------------------.
C-46 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Troubles hooting the Appl iance <protected entry> zone-name: nac seve.
C-47 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting Troubl eshoot ing the App liance severity: warning <defaulted> ----------------------------------------------- sensor(config-log)# Step 13 T urn on d ebugging for a particula r zone .
C-48 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Troubles hooting the Appl iance Step 15 Press Enter to apply chang es or type no to discard them: For More Informatio n For a list of wha t each zone n ame refers t o, see Zone Names, page C- 48 .
C-49 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting Troubl eshoot ing the App liance Directing cidLog Messages to SysLog It might be useful to direct cidLog messages to syslog.
C-50 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Troubles hooting the Appl iance TCP Rese t Not Occurring for a S ignature N.
C-51 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting Troubl eshoot ing the App liance Step 5 Make sure the corr ect alarms a re being generated .
C-52 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Troubles hooting the Appl iance Or you can use the sys tem image f ile to reimag e the sensor d irectly to th e ver sion you want.
C-53 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting Troubl eshoot ing the App liance T r y the manual upgrade comma nd before attem pting the auto matic update.
C-54 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Troubles hooting the IDM For More Informatio n For the proc edure f or obtaining Cisco IPS software, see Obtaining Cisco IPS Software , page 20-1 .
C-55 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting Troubl eshoo ting the I DM c. Under Jav a Ru ntime Environment, select JRE 1. 3.x from the dr op-down menu. d. Click the Cache tab .
C-56 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Troubles hooting the IME exit summertime-option disabled ntp-option disable.
C-57 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting Troublesho oting the ASA 5500-X IPS SSP Time Syn chronization on IME and the Sensor Sympto m The I ME displ ays No Data A vailab le on the Events dashb oard.
C-58 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Troubleshoot ing the ASA 550 0-X IPS SSP • The ASA 5500-X IPS SSP and Jum.
C-59 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting Troublesho oting the ASA 5500-X IPS SSP Mod-ips 239> e1000 0000:00:05.0: PCI INT A disabled Mod-ips 240> Restarting system.
C-60 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Troubleshoot ing the ASA 550 0-X IPS SSP Mod-ips 298> Normal 0x00100000 .
C-61 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting Troublesho oting the ASA 5500-X IPS SSP Mod-ips 357> Initializing CPU#1 Mod-ips 358> Calibrating delay using timer specific routine.
C-62 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Troubleshoot ing the ASA 550 0-X IPS SSP Mod-ips 415> ACPI: PCI Interrup.
C-63 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting Troublesho oting the ASA 5500-X IPS SSP Mod-ips 478> acpiphp: Slot [.
C-64 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Troubleshoot ing the ASA 550 0-X IPS SSP Mod-ips 541> uhci_hcd: USB Universal Host Controller Interface driver Mod-ips 542> Initializing USB Mass Storage driver.
C-65 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting Troublesho oting the ASA 5500-X IPS SSP Mod-ips 601> Create node: Mod-ips 602> ln: /etc/modprobe.conf: File exists Mod-ips 603> Shutting down network.
C-66 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Troubleshoot ing the ASA 550 0-X IPS SSP Two ASAs in Fail-Open Mode • If .
C-67 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting Troublesho oting the ASA 5500-X IPS SSP • 1311.0 • 1315.0 • 1316.0 • 1317.0 • 1330.0 • 1330.1 • 1330.2 • 1330.
C-68 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Troubleshoot ing the ASA 558 5-X IPS SSP This miscount is a result of header bytes added to th e packet by the ASA before the pa cket is transmitted to the IPS.
C-69 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting Troublesho oting the ASA 5585-X IPS SSP Reset issued for module in slot 1 asa# show module 1 details Getting details from the Service Module, please wait.
C-70 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Troubleshoot ing the ASA 558 5-X IPS SSP Mgmt IP addr: 192.0.2.3 Mgmt Network mask: 255.255.255.0 Mgmt Gateway: 192.0.2.254 Mgmt Access List: 0.
C-71 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting Troublesho oting the ASA 5585-X IPS SSP Slot-1 155> RETRY=20 Slot-1 156> tftp IPS-SSP_10-K9-sys-1.1-a-7.2-1.img@192.
C-72 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Troubleshoot ing the ASA 558 5-X IPS SSP Two ASA 5585-X s in Fail- Close Mo.
C-73 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting Gathering Information • 1305.0 • 1307.0 • 1308.0 • 1309.0 • 1311.0 • 1315.0 • 1316.0 • 1317.0 • 1330.0 • 1330.
C-74 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Gath erin g Info rmat ion • Events Informa tion, page C-97 • cidDump Sc.
C-75 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting Gathering Information Understanding the show tech-support Command Note The /va r/log/messages fi le is now pe rsistent ac ross reboots and the info rmation is displayed in the output of the show tech-support command.
C-76 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Gath erin g Info rmat ion sensor# show tech-support page Step 3 T o s end the output (in HTML format) to a file: a. Enter the follo wing command, follo wed by a v alid destination.
C-77 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting Gathering Information Recovery Partition Version 1.
C-78 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Gath erin g Info rmat ion Version Informatio n The sh ow ve r si on com mand is useful f or obtaining se nsor infor mation.
C-79 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting Gathering Information OS Version: 2.6.29.1 Platform: IPS4360 Serial Number: FCH1504V0CF No license present Sensor up-time is 3 days.
C-80 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Gath erin g Info rmat ion exit ! ------------------------------ service aut.
C-81 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting Gathering Information Statistics Information The show statistics command is us eful for examining the stat e of the sensor services.
C-82 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Gath erin g Info rmat ion Note The clear op tion is not av ailable f or the ana lysis engine , anomaly detection, ho st, network ac cess, or OS identif ication applications.
C-83 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting Gathering Information Statistics for Signature Events Number of SigEven.
C-84 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Gath erin g Info rmat ion SimulatedTcpDeniesDueToGlobalCorrelation = 0 Simu.
C-85 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting Gathering Information Detection - ON Learning - ON Next KB rotation at .
C-86 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Gath erin g Info rmat ion Number of events of each type currently stored St.
C-87 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting Gathering Information Network Statistics = ma0_0 Link encap:Ethernet HWaddr 00:04:23:D5:A1:8D = inet addr:10.89.130.98 Bcast:10.
C-88 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Gath erin g Info rmat ion MaxDeviceInterfaces = 250 NetDevice Type = PIX IP = 10.89.150.171 NATAddr = 0.0.0.0 Communications = ssh-3des NetDevice Type = PIX IP = 192.
C-89 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting Gathering Information Version = 12.2 State = Active NetDevice IP = 192.0.2.10 AclSupport = Uses VACLs Version = 8.4 State = Active BlockedAddr Host IP = 203.
C-90 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Gath erin g Info rmat ion Step 15 Display the statistics for the transacti on server .
C-91 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting Gathering Information Denied Attackers and hit count for each. Denied Attackers with percent denied and hit count for each.
C-92 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Gath erin g Info rmat ion Cumulative Statistics for the TCP Stream Reassemb.
C-93 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting Gathering Information Error Severity = 14 Warning Severity = 1 Timing Severity = 0 Debug Severity = 0 Unknown Severity = 28 TOTAL = 43 Step 19 V erify that the statistic s hav e been clear ed.
C-94 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Gath erin g Info rmat ion Interfaces Command Output The following exampl e .
C-95 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting Gathering Information Note Y ou must have health monitori ng enabled to support th e historic in terface f unction.
C-96 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Gath erin g Info rmat ion GigabitEthernet0/1 Time Packets Received Bytes Re.
C-97 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting Gathering Information 0 0 0 0 12:15:00 UTC Tue Mar 05 2013 0 0 0 0 0 0 .
C-98 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Gath erin g Info rmat ion Sensor Events Ther e are fiv e types of events: .
C-99 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting Gathering Information The following options ap ply: • alert —Displays alerts. Provides notif ication of some su spicious activity that ma y indicat e an attac k is in process or has been attemp ted.
C-100 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Gath erin g Info rmat ion Step 3 Dis play th e bloc k requ ests beg inni ng at 10: 00 a.
C-101 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting Gathering Information originator: hostId: sensor appName: mainApp appI.
C-102 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Gath erin g Info rmat ion Step 3 Enter the follo wing command. /usr/cids/idsRoot/bin/cidDump Step 4 Enter the followi n g command to compress the resu lt ing /u sr/ cid s/ ids Roo t /log/cidDum p.
D- 1 Cisco In trusi on Preven tion Syst em Sens or CLI Conf iguration Gui de for IP S 7.2 OL-29168-01 APPENDIX D CLI Error Messages This appendix lists the CLI error messages and CLI v a lidation error messages.
D- 2 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x D CLI Error Mess ages CLI Error Mes sages The file name <f ile> is not a valid u pgrade file type . Attempt to install the wrong file for your platfor m and version.
D-3 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix D CLI Error Message s CLI Err or Messa ges Packet- file d oes not ex ist. The use r attempte d to cop y or erase the pa cket- file b ut no packet -file h as been ca ptured.
D- 4 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x D CLI Error Mess ages CLI Error Mes sages You do n ot have permissio n to termina te the requested CLI session . An op erator o r viewer user attem pted to terminate a CLI session belonging to another user .
D-5 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix D CLI Error Message s CLI Err or Messa ges 2. This erro r only o ccurs on p latforms that do not support vir tual policies . 3. This erro r only o ccurs on p latforms that do not support vir tual policies .
D- 6 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x D CLI Error Mess ages CLI Validation Er ror Messag es CLI Validation Error Messag es Ta b l e D - 2 describes the validation er ror messages.
D-7 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix D CLI Error Message s CLI Validation Error Messages Interfa ce alr eady assig ned to virtual sensor ‘vs name.
D- 8 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x D CLI Error Mess ages CLI Validation Er ror Messag es.
GL-1 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 GLOSSAR Y Revised: Apr il 25, 2013 Numerals 3DES T riple Data Encryption Standard. A stronger ver sio n of DES, which is the default encryption method for SSH version 1.
Glos sary GL-2 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 ASA 5500-X IPS SSP Intrus ion Pre vention System Secu rity Serv ices Proces sor . The IPS is run ning as a service an d ASA controls sending a nd receiving traffic to and from the IPS.
Glossary GL-3 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 ASDM Adaptive Security Device M anager . A web-ba sed app lication that lets you c onfigure and man age your adap tiv e sec urity device. ASN.
Glos sary GL-4 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 BIOS Basic Input/O utput System. Th e program tha t starts the sensor and c ommunica tes between the devices in the sensor and the system.
Glossary GL-5 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 cidDump A scrip t that captu res a lar ge am ount of information including the IPS processes list, log files, OS information, director y listings, pack ag e in formation, and configuration files.
Glos sary GL-6 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 CSA MC Cisco Secu rity Agent Ma nagement Cen ter . CSA MC recei ves host postu re information from the C SA agents it manages. It also maintains a wat ch list of IP addresses that it has determined should be quarantined fr om the network.
Glossary GL-7 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 DIMM Dual In-line Memory Modules. DMZ demilitarized zone. A separate networ k located in th e neutral zone between a pri v ate (inside) net work and a public (outside) network.
Glos sary GL-8 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 F fail clos ed Blocks traffi c on the device after a hardware failure. fail open Lets traf f ic pass through the d e v ice after a hardware failure.
Glossary GL-9 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 FQDN Fully Qualif ied Domain Name.A doma in name that specifies its e xact loca tion in the tree h ierarch y of the DNS. It specif ies all domain lev els, including th e top-le vel domain, relati ve to the root d omain.
Glos sary GL-10 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 hardwa re bypass A specialized interf ace card that pairs physical inte r faces so that when a.
Glossary GL-11 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 intrusion de tection system IDS. A security serv ice that mo nitors an d analyzes system events to find and provide real-time or near real-ti me warning of atte mpts to access syste m resour ces in an unau thorized manner .
Glos sary GL-12 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 L LACP Link Aggregation Control Protoc ol . LA CP aids in the au tomatic crea tion of EtherChannel links by exchanging LACP packets between LAN por ts.
Glossary GL-13 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 MIB Managem ent Informa tion Base. Da tabase of network mana gement informa tion that is used and maintained by a network m anagem ent protocol, such a s SNMP or CMIP .
Glos sary GL-14 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 network device A device that controls IP traff ic on a network and c an block an attacking host. An exam ple of a network device is a Cisco router or PIX Firewall.
Glossary GL-15 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 P P2P Peer-to-Peer . P2 P networks use n odes that can sim ultaneously fu nction as both c lient and se rver for the purpose of file sharing.
Glos sary GL-16 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 ping packet inter net groper . Often used in IP networks to test the reachability of a netw ork device. It w orks by sending IC MP ec ho req uest pa ckets to th e targ et h ost and listeni ng for e cho respon se replie s.
Glossary GL-17 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 RBCP Rout er Blad e Cont rol Pr otoc ol. RBC P is based on S CP , bu t modif ied spec ific ally fo r the router application. It is designed to run over Ethernet interfaces and use s 802.
Glos sary GL-18 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 RTT round-trip time. A measure of the time delay im posed by a network on a host f rom the sending of a packet until ackno wledgement of the receipt.
Glossary GL-19 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 shar ed sec ret A piece of data kno wn only to th e parti es in volv ed in a secure commun ication. The shared secret ca n be a p assword, a passphrase , a big nu mber, or an arra y of randomly chosen bytes.
Glos sary GL-20 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 SNAP Subnetwork Acce ss Protocol. Internet p rotocol that operates b etween a network entity in the subnetwork a nd a network e ntity in the end sys tem.
Glossary GL-21 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 String eng ine A signature engine that pro vides regular e xpression-based pattern inspection and alert functionality for multiple transpor t protocols, including TCP , UDP , and ICM P .
Glos sary GL-22 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 terminal server A router w ith multiple, lo w speed, asynchrono us por ts that are c onnected to other se rial devices. T erminal servers can be u sed to re motely ma nage n etwork eq uipment, includin g sensors.
Glossary GL-23 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 trusted certifica te Certificate upon which a certificate user relies as be ing valid without the ne ed for validation testing; especial ly a public-ke y certif icat e that is used to pro vide the first public key in a certif ication path.
Glos sary GL-24 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 virtual senso r A logical group ing of sensing interfaces an d the configuration policy for the signa ture engines and alarm f ilters to apply to them.
Glossary GL-25 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Web Server A component of the IPS. W aits for re mote HTTP c lient r equests and calls the appropria te servle t application.
Glos sary GL-26 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01.
IN-1 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 INDEX Numerics 802.1q e ncapsulation f or VLAN groups 4-27 A AAA aut henticat ion configuring 3-23 .
Index IN-2 Cisco Intrusion Prevention System Sensor C LI Configuration Guide for IPS 7.2 OL-29168-01 aler t-seve rity co mmand 7-9 alert severity configur ing 7-9 allocat e-ips command 18-4, 19-4 ASA .
Index IN-3 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 ARC ACLs 14-21, A-14 authenti cation A-15 blocking connec tion-based A-17 response A-13 uncon.
Index IN-4 Cisco Intrusion Prevention System Sensor C LI Configuration Guide for IPS 7.2 OL-29168-01 sw-module m odule slot_number password -reset 18-12 sw-module module slot_number reload 18-12 sw-mo.
Index IN-5 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 para mete rs (ta ble) B-17 restric tions B-16 Atomic I P engine describe d B-25 para mete rs .
Index IN-6 Cisco Intrusion Prevention System Sensor C LI Configuration Guide for IPS 7.2 OL-29168-01 notes and cave ats 14-1 prerequ isites 14-6 properties 14-7 sensor blo ck itself 14-8 show statisti.
Index IN-7 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 supported pro ducts 3-55 clear database co mmand 17-9 clear denie d-att acke rs comman d 8-36.
Index IN-8 Cisco Intrusion Prevention System Sensor C LI Configuration Guide for IPS 7.2 OL-29168-01 clear os-identifica tion 8-31 cli-inactivity-timeout 3-14 cloc k set 3-38, 17-25 copy ad -knowled g.
Index IN-9 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 no service event-ac tion-rules 8-8 no service signature-definition 7-2 no target-va lue 8-15 .
Index IN- 10 Cisco Intrusion Prevention System Sensor C LI Configuration Guide for IPS 7.2 OL-29168-01 worm -timeou t 9-10 compa ring K Bs 9-44 configura tion files backing up 16-24, C-2 mergin g 16-2.
Index IN- 11 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 passwords 3-30 physical interfaces 4-12 privilege 3-30 proxy serve rs 3-11 sensor se quence.
Index IN- 12 Cisco Intrusion Prevention System Sensor C LI Configuration Guide for IPS 7.2 OL-29168-01 host posture events 11-2, 11-4 quarantine d IP address ev ents 11-2 supported IPS inter faces 11-.
Index IN- 13 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 even ts 8-39, 17-22, C-99 global correlation statistics 10-14 health status 17-18, C-74 ins.
Index IN- 14 Cisco Intrusion Prevention System Sensor C LI Configuration Guide for IPS 7.2 OL-29168-01 Service DN S B-40 Service FT P B-41 Serv ice Ge neri c B-42 Service H225 B-44 Service HT TP 7-44,.
Index IN- 15 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 even t types C-98 even t varia bles describe d 8-10 exam ple 8-11 evEr ror A-9 evLogTr ansa.
Index IN- 16 Cisco Intrusion Prevention System Sensor C LI Configuration Guide for IPS 7.2 OL-29168-01 proxy serve rs 3-11 requiremen ts 10-7 risk rati ng 10-6 troubleshooting 10-13, C-18 update clien.
Index IN- 17 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 IDIOM defined A-32 messages A-32 IDM Analysis Engine is busy C-55 certifi cates 3-51 TLS 3-.
Index IN- 18 Cisco Intrusion Prevention System Sensor C LI Configuration Guide for IPS 7.2 OL-29168-01 slot numbers 4-2 support (table) 4-6 TCP re set 4-4 interface st atistics displaying 4-38 interfa.
Index IN- 19 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 types A-9 IPS inte rnal co mmunicat ions A-32 IPS softw are application list A-4 available .
Index IN- 20 Cisco Intrusion Prevention System Sensor C LI Configuration Guide for IPS 7.2 OL-29168-01 list anomaly-detect ion-configurations command 9-9, 17-27 list event-ac tion-rules-configurations.
Index IN- 21 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 MIBs supporte d 15-6, C-18 minor update s described 20-3 modes anomaly de tection de tect 9.
Index IN- 22 Cisco Intrusion Prevention System Sensor C LI Configuration Guide for IPS 7.2 OL-29168-01 NotificationApp alert i nformation A-9 describe d A-4 fu ncti ons A-9 SNMP gets A-9 SNMP traps A-.
Index IN- 23 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 GRUB me nu 17-3, C-8 IPS 4345 17-3, 17-4, C-8, C -9 IPS 4360 17-3, 17-4, C-8, C -9 IPS 4510.
Index IN- 24 Cisco Intrusion Prevention System Sensor C LI Configuration Guide for IPS 7.2 OL-29168-01 SDEE A-33 proxy serve rs configuring 3-11 Q Q.931 proto col describe d B-44 SETUP messages B-44 q.
Index IN- 25 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 rese tti ng th e pass word ASA 5500-X IPS SSP 17-5, C-10 ASA 5585-X IPS SSP 17-6, C-12 rest.
Index IN- 26 Cisco Intrusion Prevention System Sensor C LI Configuration Guide for IPS 7.2 OL-29168-01 Sens or Ke y pane describe d 3-49 sensors access problems C-24 application partition image 21-14 .
Index IN- 27 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 para mete rs (ta ble) B-49 Serv ice MSRP C en gine DCS/R PC pr otoc ol B-49 describe d B-49.
Index IN- 28 Cisco Intrusion Prevention System Sensor C LI Configuration Guide for IPS 7.2 OL-29168-01 show users co mmand 3-31 show version com mand 17-41, C-78 sig-fidelity-ra ting command 7-12, 7-1.
Index IN- 29 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 TCP re set C-50 tuned 7-4 signature upd ate files 20-4 signature variab les adding 7-5 dele.
Index IN- 30 Cisco Intrusion Prevention System Sensor C LI Configuration Guide for IPS 7.2 OL-29168-01 stopping IP logging 12-6 stream-reasse mbly comma nd 7-37 String engine described 7-41, B-62 Stri.
Index IN- 31 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 T tab completion using 1-5 TAC PEP information 17-46 servic e accoun t 3-28, A-31, C-5 show.
Index IN- 32 Cisco Intrusion Prevention System Sensor C LI Configuration Guide for IPS 7.2 OL-29168-01 TLS certifica tes generating 3-53 tls generate- key command 3-53 tls trusted-host co mmand 3-52 t.
Index IN- 33 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 sensing proce ss not running C-28 senso r events C-98 sensor loose co nnectio ns C-22 senso.
Index IN- 34 Cisco Intrusion Prevention System Sensor C LI Configuration Guide for IPS 7.2 OL-29168-01 viewing IP log conten ts 12-5 licens e key stat us 3-54 user information 3-31 virtualization adva.
デバイスCisco Systems IPS4510K9の購入後に(又は購入する前であっても)重要なポイントは、説明書をよく読むことです。その単純な理由はいくつかあります:
Cisco Systems IPS4510K9をまだ購入していないなら、この製品の基本情報を理解する良い機会です。まずは上にある説明書の最初のページをご覧ください。そこにはCisco Systems IPS4510K9の技術情報の概要が記載されているはずです。デバイスがあなたのニーズを満たすかどうかは、ここで確認しましょう。Cisco Systems IPS4510K9の取扱説明書の次のページをよく読むことにより、製品の全機能やその取り扱いに関する情報を知ることができます。Cisco Systems IPS4510K9で得られた情報は、きっとあなたの購入の決断を手助けしてくれることでしょう。
Cisco Systems IPS4510K9を既にお持ちだが、まだ読んでいない場合は、上記の理由によりそれを行うべきです。そうすることにより機能を適切に使用しているか、又はCisco Systems IPS4510K9の不適切な取り扱いによりその寿命を短くする危険を犯していないかどうかを知ることができます。
ですが、ユーザガイドが果たす重要な役割の一つは、Cisco Systems IPS4510K9に関する問題の解決を支援することです。そこにはほとんどの場合、トラブルシューティング、すなわちCisco Systems IPS4510K9デバイスで最もよく起こりうる故障・不良とそれらの対処法についてのアドバイスを見つけることができるはずです。たとえ問題を解決できなかった場合でも、説明書にはカスタマー・サービスセンター又は最寄りのサービスセンターへの問い合わせ先等、次の対処法についての指示があるはずです。
