Cisco Systems IPS4510K9 service manual


A good user manual

The law requires the seller to hand the buyer, together with the product, the user manual for the Cisco Systems IPS4510K9. A missing manual, or incorrect information given to the consumer, is grounds for a complaint that the device does not conform to the contract. The law allows the manual to be provided in a form other than paper, which has become common recently: the Cisco Systems IPS4510K9 manual may be supplied in graphic or electronic form or as a training video for users. The condition is that the form be clear and understandable.

What is a manual?

The word comes from the Latin "instructio", that is, to put in order. Accordingly, the Cisco Systems IPS4510K9 manual contains a description of the steps to follow. The purpose of a manual is to make it easier to start up and use the equipment or to carry out a specific task. A manual is a collection of information about an item or service, a set of hints.

Unfortunately, few users take the time to read the Cisco Systems IPS4510K9 manual, yet a good manual not only reveals a number of additional functions of the purchased device but also helps avoid most breakdowns.

What should an ideal user manual contain?

Above all, the Cisco Systems IPS4510K9 manual should contain:
- information on the technical specifications of the Cisco Systems IPS4510K9
- the manufacturer's name and the year of manufacture of the Cisco Systems IPS4510K9
- rules for operating, configuring and maintaining the Cisco Systems IPS4510K9
- safety marks and certificates confirming compliance with standards

Why don't we read manuals?

Usually for lack of time and out of confidence in the individual functions of the devices we buy. Unfortunately, simply connecting and starting the Cisco Systems IPS4510K9 is not enough. A manual contains a number of separate instructions concerning functionality, safety rules, methods of care (even which products are worth using), possible Cisco Systems IPS4510K9 faults, and ways to solve problems that arise during use. Finally, a manual gives the contact details of the Cisco Systems website in case the suggested solutions prove ineffective. Manuals in the form of engaging animations or videos, which users take in more readily than a brochure, are very popular today. This type of manual lets the user watch the whole video without skipping the specifications and complex technical descriptions of the Cisco Systems IPS4510K9, as often happens with a paper version.

Why is it worth reading the manual?

Above all, it is where we find answers about the construction and capabilities of the Cisco Systems IPS4510K9, the use of individual accessories, and a range of information that lets us make full use of all its functions and conveniences.

After a successful purchase of equipment, it is worth spending a few minutes getting acquainted with every part of the Cisco Systems IPS4510K9 manual. Today manuals are carefully prepared or translated so that they are not only understandable to the user but also fulfil their basic informational and supporting function.

Contents of the manual

  • Page 1

    Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2 Text Part Number: OL-29168-01[...]

  • Page 2

    THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PROD[...]

  • Page 3

    iii Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2 OL-29168-01 CONTENTS Contents xxiii Audience xxiii Organization i-xxiii Conventions i-xxv Related Documentation xxv Obtaining Documentation and Submitting a Service Request i-xxvi CHAPTER ii Logging In to the Sensor ii-1 Logging In Notes and Cavea[...]

  • Page 4

    Contents iv System Configuration Dialog 2-2 Basic Sensor Setup 2-4 Advanced Setup 2-7 Advanced Setup for the Appliance 2-8 Advanced Setup for the ASA 5500-X IPS SSP 2-13 Advanced Setup for the ASA 5585-X IPS SSP 2-17 Verifying Initialization 2-20[...]

  • Page 5

    Contents v Correcting Time on the Sensor 3-36 Configuring Time on the Sensor 3-36 Displaying the System Clock 3-37 Manually Setting the System Clock 3-37 Configuring Recurring Summertime Settings 3-38 Configuring Nonrecurring Summertim[...]

  • Page 6

    Contents vi Configuring Promiscuous Mode 4-14 Understanding Promiscuous Mode 4-14 Configuring Promiscuous Mode 4-15 IPv6, Switches, and Lack of VACL Capture 4-15 Configuring Inline Interface Mode 4-16 Understanding Inline Interface Mode 4-16[...]

  • Page 7

    Contents vii Understanding Policies 7-1 Working With Signature Definition Policies 7-2 Understanding Signatures 7-3 Configuring Signature Variables 7-4 Understanding Signature Variables 7-4 Creating Signature Variables 7-4 Configu[...]

  • Page 8

    Contents viii Example Meta Engine Signature 7-46 Example IPv6 Engine Signature 7-50 Example String XL TCP Engine Match Offset Signature 7-52 Example String XL TCP Engine Minimum Match Length Signature 7-55 CHAPTER 8 Configuring Event Action Ru[...]

  • Page 9

    Contents ix Monitoring Events 8-38 Displaying Events 8-38 Clearing Events from Event Store 8-41 CHAPTER 9 Configuring Anomaly Detection 9-1 Anomaly Detection Notes and Caveats 9-1 Understanding Security Policies 9-2 Understanding Anom[...]

  • Page 10

    Contents x Displaying KB Files 9-40 Saving and Loading KBs Manually 9-41 Copying, Renaming, and Erasing KBs 9-42 Displaying the Differences Between Two KBs 9-44 Displaying the Thresholds for a KB 9-45 Displaying Anomaly Detection Statistics 9-[...]

  • Page 11

    Contents xi CHAPTER 12 Configuring IP Logging 12-1 IP Logging Notes and Caveats 12-1 Understanding IP Logging 12-2 Configuring Automatic IP Logging 12-2 Configuring Manual IP Logging for a Specific IP Address 12-3 Displaying the Contents[...]

  • Page 12

    Contents xii Configuring the Sensor to Manage Cisco Routers 14-22 Routers and ACLs 14-23 Configuring the Sensor to Manage Cisco Routers 14-23 Configuring the Sensor to Manage Catalyst 6500 Series Switches and Cisco 7600 Series Routers 14-25 Switche[...]

  • Page 13

    Contents xiii Using the GRUB Menu 17-3 Using ROMMON 17-4 Recovering the Password for the ASA 5500-X IPS SSP 17-4 Recovering the Password for the ASA 5585-X IPS SSP 17-6 Disabling Password Recovery 17-8 Verifying the State of Password Rec[...]

  • Page 14

    Contents xiv The ASA 5500-X IPS SSP and Virtualization 18-4 Virtual Sensor Configuration Sequence for ASA 5500-X IPS SSP 18-4 Creating Virtual Sensors 18-4 Assigning Virtual Sensors to Adaptive Security Appliance Contexts 18-7 The ASA 5500-X I[...]

  • Page 15

    Contents xv CHAPTER 21 Upgrading, Downgrading, and Installing System Images 21-1 Upgrade Notes and Caveats 21-1 Upgrades, Downgrades, and System Images 21-2 Supported FTP and HTTP/HTTPS Servers 21-3 Upgrading the Sensor 21-3 IPS 7.2(1)E4 F[...]

  • Page 16

    Contents xvi Notification App A-9 CtlTransSource A-11 Attack Response Controller A-12 Understanding the ARC A-13 ARC Features A-14 Supported Blocking Devices A-15 ACLs and VACLs A-16 Maintaining State Across Restarts A-16 Connection-Based [...]

  • Page 17

    Contents xvii Summary of Cisco IPS Applications A-35 APPENDIX B Signature Engines B-1 Understanding Signature Engines B-1 Master Engine B-4 General Parameters B-4 Alert Frequency B-7 Event Actions B-8 Regular Expression Syntax B-9 AIC[...]

  • Page 18

    Contents xviii Service SSH Engine B-58 Service TNS Engine B-59 State Engine B-60 String Engines B-62 String XL Engines B-65 Sweep Engines B-68 Sweep Engine B-68 Sweep Other TCP Engine B-70 Traffic Anomaly Engine B-71 Traffic ICMP Engine B-73 Troj[...]

  • Page 19

    Contents xix When to Disable Anomaly Detection C-19 Analysis Engine Not Responding C-20 Troubleshooting External Product Interfaces C-21 External Product Interfaces Issues C-21 External Product Interfaces Troubleshooting Tips C-22 Tr[...]

  • Page 20

    Contents xx Cannot Launch the IDM-The Analysis Engine Busy C-55 The IDM, Remote Manager, or Sensing Interfaces Cannot Access Sensor C-55 Signatures Not Producing Alerts C-56 Troubleshooting the IME C-56 Time Synchronization on IME and the Sen[...]

  • Page 21

    Contents xxi cidDump Script C-101 Uploading and Accessing Files on the Cisco FTP Site C-102 APPENDIX D CLI Error Messages D-1 CLI Error Messages D-1 CLI Validation Error Messages D-6 GLOSSARY INDEX[...]

  • Page 22

    Contents xxii[...]

  • Page 23

    -xxiii Preface Published: April 29, 2013, OL-29168-01 Contents This document describes how to configure the sensor using the Cisco IPS 7.2 CLI. It contains the following sections: • Audience, page xxiii • Organization, page xxiii • Related Do[...]

  • Page 24

    -xxiv Chapter Organization 5 “Configuring Interfaces” Describes how to configure promiscuous, inline, inline VLAN pair, and VLAN group interfaces. 6 “Configuring Virtual Sensors” Describes how to configure virtual sensors. 7 “Configuring E[...]

  • Page 25

    -xxv Chapter Conventions Conventions This document uses the following conventions: Note Means reader take note. Tip Means the following information will help you solve a problem. Caution Means reader be careful. In this situation, you m[...]

  • Page 26

    -xxvi Chapter Obtaining Documentation and Submitting a Service Request For a complete list of the Cisco ASA 5500 series documentation and where to find it, refer to the following URL: http://www.cisco.com/en/US/docs/security/asa/roadmap/asaroadmap[...]

  • Page 27

    CHAPTER ii-1 ii Logging In to the Sensor This chapter explains how to log in to the sensor. It contains the following sections: • Logging In Notes and Caveats, page ii-1 • Supported User Roles, page ii-1 • Logging In to the Appliance, page [...]

  • Page 28

    ii-2 Chapter ii Logging In to the Sensor Logging In to the Appliance The service role does not have direct access to the CLI. Service account users are logged directly into a bash shell. Use this account for support and troubleshooting purposes only [...]

  • Page 29

    ii-3 Chapter ii Logging In to the Sensor Connecting an Appliance to a Terminal Server ***LICENSE NOTICE*** There is no license key installed on the system. Please go to http://www.cisco.com/go/license to obtain a new license or install a license. sensor# F[...]

  • Page 30

    ii-4 Chapter ii Logging In to the Sensor Logging In to the ASA 5500-X IPS SSP Caution If a connection is dropped or terminated by accident, you should reestablish the connection and exit normally to prevent unauthorized access to the appliance. Logg[...]

  • Page 31

    ii-5 Chapter ii Logging In to the Sensor Logging In to the ASA 5585-X IPS SSP ***LICENSE NOTICE*** There is no license key installed on this IPS platform. The system will continue to operate with the currently installed signature set. A valid license must be o[...]

  • Page 32

    ii-6 Chapter ii Logging In to the Sensor Logging In to the Sensor A summary of U.S. laws governing Cisco cryptographic products may be found at: http://www.cisco.com/wwl/export/crypto/tool/stqrg.html If you require further assistance please contact us by sen[...]

  • Page 33

    ii-7 Chapter ii Logging In to the Sensor Logging In to the Sensor ***LICENSE NOTICE*** There is no license key installed on the system. Please go to http://www.cisco.com/go/license to obtain a new license or install a license. sensor#[...]

  • Page 34

    ii-8 Chapter ii Logging In to the Sensor Logging In to the Sensor[...]

  • Page 35

    CHAPTER 1-1 1 Introducing the CLI Configuration Guide This chapter introduces the IPS CLI configuration guide, and contains the following sections: • Supported IPS Platforms, page 1-1 • Sensor Configuration Sequence, page 1-2 • IPS CLI Con[...]

  • Page 36

    1-2 Chapter 1 Introducing the CLI Configuration Guide Sensor Configuration Sequence For an alphabetical list of all IPS commands, refer to the Command Reference for Cisco Intrusion Prevention System 7.2. For information on locating all IPS 7.2 documents[...]

  • Page 37

    1-3 Chapter 1 Introducing the CLI Configuration Guide User Roles For More Information • For the procedure for logging in to your sensor, see Chapter ii, “Logging In to the Sensor.” • For the procedure for using the setup command to initialize yo[...]

  • Page 38

    1-4 Chapter 1 Introducing the CLI Configuration Guide User Roles Administrator This user role has the highest level of privileges. Administrators have unrestricted view access and can perform the following functions: • Add users and assign passwords [...]

  • Page 39

    1-5 Chapter 1 Introducing the CLI Configuration Guide CLI Behavior Note For IPS 5.0 and later, you can no longer remove the cisco account. You can disable it using the no password cisco command, but you cannot remove it. To use the no password cisco [...]

  • Page 40

    1-6 Chapter 1 Introducing the CLI Configuration Guide Command Line Editing Recall • To recall the commands entered in a mode, use the Up Arrow or Down Arrow keys or press Ctrl-P or Ctrl-N. Note Help and tab complete requests are not reported in the [...]

  • Page 41

    1-7 Chapter 1 Introducing the CLI Configuration Guide Command Line Editing Spacebar Enables you to see more output on the terminal screen. Press the Spacebar when you see the line ---More--- on the screen to display the next screen. Left arrow Mo[...]

  • Page 42

    1-8 Chapter 1 Introducing the CLI Configuration Guide IPS Command Modes IPS Command Modes The Cisco IPS CLI has the following command modes: • privileged EXEC—Entered when you log in to the CLI interface. • global configuration—Entered fr[...]

  • Page 43

    1-9 Chapter 1 Introducing the CLI Configuration Guide Regular Expression Syntax The following examples demonstrate the special characters: • a* matches any number of occurrences of the letter a, including none. • a+ requires that at least one [...]

  • Page 44

    1-10 Chapter 1 Introducing the CLI Configuration Guide Generic CLI Commands To create a regular expression that recalls a previous pattern, you use parentheses to indicate memory of a specific pattern and a backslash (\) followed by a digit to [...]

  • Page 45

    1-11 Chapter 1 Introducing the CLI Configuration Guide CLI Keywords CLI Keywords In general, use the no form of a command to disable a feature or function. Use the command without the keyword no to enable a disabled feature or function. For exampl[...]

  • Page 46

    1-12 Chapter 1 Introducing the CLI Configuration Guide CLI Keywords[...]

  • Page 47

    CHAPTER 2-1 2 Initializing the Sensor This chapter describes how to use the setup command to initialize the sensor, and contains the following sections: • Initializing Notes and Caveats, page 2-1 • Understanding Initialization, page 2-2 • Simpl[...]

  • Page 48

    2-2 Chapter 2 Initializing the Sensor Understanding Initialization Understanding Initialization After you install the sensor on your network, you must use the setup command to initialize it so that you can communicate with it over the network. With t[...]

  • Page 49

    2-3 Chapter 2 Initializing the Sensor System Configuration Dialog Note You only need to set the date and time in the System Configuration Dialog if the system is an appliance and is NOT using NTP. Note The System Configuration Dialog is an interactiv[...]

  • Page 50

    2-4 Chapter 2 Initializing the Sensor Basic Sensor Setup Local Date as YYYY-MM-DD[2013-03-06]: Local Time as HH:MM:SS[]: Participation in the SensorBase Network allows Cisco to collect aggregated statistics about traffic sent to your IPS. SensorBase Network P[...]

  • Page 51

    2-5 Chapter 2 Initializing the Sensor Basic Sensor Setup Step 6 Enter yes to modify the network access list: a. If you want to delete an entry, enter the number of the entry and press Enter, or press Enter to get to the Permit line. b. Enter the I[...]

  • Page 52

    2-6 Chapter 2 Initializing the Sensor Basic Sensor Setup g. Specify the month you want summertime settings to end. Valid entries are january, february, march, april, may, june, july, august, september, october, november, and december. The [...]

  • Page 53

    2-7 Chapter 2 Initializing the Sensor Advanced Setup exit summertime-option recurring offset 60 summertime-zone-name CDT start-summertime month march week-of-month second day-of-week sunday time-of-day 02:00:00 exit end-summertime month november week-of-month[...]

  • Page 54

    2-8 Chapter 2 Initializing the Sensor Advanced Setup Advanced Setup for the Appliance Note The currently supported Cisco IPS appliances are the IPS 4345, IPS 4360, IPS 4510, and IPS 4520. Note Adding new subinterfaces is a two-step process. You firs[...]

  • Page 55

    2-9 Chapter 2 Initializing the Sensor Advanced Setup [1] Edit Interface Configuration [2] Edit Virtual Sensor Configuration [3] Display configuration Option: Step 8 Enter 1 to edit the interface configuration. Note The following options let you create an[...]

  • Page 56

    2-10 Chapter 2 Initializing the Sensor Advanced Setup Note At this point, you can configure another interface, for example, GigabitEthernet 0/1, for inline VLAN pair. Step 14 Press Enter to return to the top-level interface editing menu. [1] Remove[...]

  • Page 57

    2-11 Chapter 2 Initializing the Sensor Advanced Setup [1] GigabitEthernet0/3 [2] GigabitEthernet0/0 Inline Vlan Pair: [3] GigabitEthernet0/0:1 (Vlans: 200, 300) Inline Interface Pair: [4] newPair (GigabitEthernet0/1, GigabitEthernet0/2) Add Interface: Step 21[...]

  • Page 58

    2-12 Chapter 2 Initializing the Sensor Advanced Setup standard-time-zone-name UTC exit summertime-option disabled ntp-option disabled exit service web-server port 342 exit service interface physical-interfaces GigabitEthernet0/0 admin-state enabled subinterfa[...]

  • Page 59

    2-13 Chapter 2 Initializing the Sensor Advanced Setup Step 29 Reboot the appliance. sensor# reset Warning: Executing this command will stop all applications and reboot the node. Continue with reset? []: Step 30 Enter yes to continue the reboot. Step 31 Appl[...]

  • Page 60

    2-14 Chapter 2 Initializing the Sensor Advanced Setup Step 8 Enter 1 to edit the interface configuration. Note You do not need to configure interfaces on the ASA 5500-X IPS SSP. You should ignore the modify interface default VLAN setting. The se pa[...]

  • Page 61

    2-15 Chapter 2 Initializing the Sensor Advanced Setup Step 16 Enter 1 to use the existing anomaly-detection configuration, ad0. Signature Definition Configuration [1] sig0 [2] Create a new signature definition configuration Option[2]: Step 17 Enter 2 to[...]

  • Page 62

    2-16 Chapter 2 Initializing the Sensor Advanced Setup ftp-timeout 300 no login-banner-text exit time-zone-settings offset 0 standard-time-zone-name UTC exit summertime-option disabled ntp-option disabled exit service web-server port 342 exit service analysis-[...]

  • Page 63

    2-17 Chapter 2 Initializing the Sensor Advanced Setup For More Information For the procedure for obtaining the most recent IPS software, see Obtaining Cisco IPS Software, page 20-1. Advanced Setup for the ASA 5585-X IPS SSP To continue with advanced s[...]

  • Page 64

    2-18 Chapter 2 Initializing the Sensor Advanced Setup [2] Edit Virtual Sensor Configuration [3] Display configuration Option: Step 10 Enter 2 to edit the virtual sensor configuration. [1] Remove virtual sensor. [2] Modify "vs0" virtual sensor confi[...]

  • Page 65

    2-19 Chapter 2 Initializing the Sensor Advanced Setup Step 19 Enter 1 to use the existing event action rules configuration, rules0. Note If PortChannel 0/0 has not been assigned to vs0, you are prompted to assign it to the new virtual sensor. Virtu[...]

  • Page 66

    2-20 Chapter 2 Initializing the Sensor Verifying Initialization virtual-sensor newVs description New Sensor signature-definition newSig event-action-rules rules0 anomaly-detection anomaly-detection-name ad0 exit physical-interfaces PortChannel0/0 exit exi[...]

  • Page 67

    2-21 Chapter 2 Initializing the Sensor Verifying Initialization To verify that you initialized your sensor, follow these steps: Step 1 Log in to the sensor. Step 2 View your configuration. sensor# show configuration ! ------------------------------ ! Cu[...]

  • Page 68

    2-22 Chapter 2 Initializing the Sensor Verifying Initialization service trusted-certificates exit ! ------------------------------ service web-server websession-inactivity-timeout 3600 exit ! ------------------------------ service anomaly-detection ad0 ex[...]

  • Page 69

    CHAPTER 3-1 3 Setting Up the Sensor This chapter contains procedures for setting up the sensor, and contains the following sections: • Setup Notes and Caveats, page 3-1 • Understanding Sensor Setup, page 3-2 • Changing Network Setti[...]

  • Page 70

    3-2 Chapter 3 Setting Up the Sensor Understanding Sensor Setup • You cannot use the privilege command to give a user service privileges. If you want to give an existing user service privileges, you must remove that user and then use the userna[...]

  • Страница 71

    3-3 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 3 Setting U p the Sensor Changing Network Settings Changing the Hostn ame Note The CLI prom pt of the current session a nd other ex isting sessions will not be updated with the new hostname. Subsequent CLI login se ssions will re flect the new host[...]

  • Страница 72

    3-4 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chap ter 3 Se tting U p the Sensor Changing Ne twork Settings ftp-timeout: 300 seconds <defaulted> login-banner-text: <defaulted> ----------------------------------------------- sensor(config-hos-net)# Step 7 Exit ne twork settings m ode. senso[...]

  • Страница 73

    3-5 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 3 Setting U p the Sensor Changing Network Settings ftp-timeout: 300 seconds <defaulted> login-banner-text: <defaulted> ----------------------------------------------- Step 5 T o change the info rmatio n back to the default setting, use [...]

  • Страница 74

    3-6 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chap ter 3 Se tting U p the Sensor Changing Ne twork Settings Step 4 V erify that T elnet is enabled. sensor(config-hos-net)# show settings network-settings ----------------------------------------------- host-ip: 192.0.2.1/24,192.0.2.2 default: 192.168.1.[...]

  • Страница 75

    3-7 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 3 Setting U p the Sensor Changing Network Settings T o modify the access list, follo w these steps: Step 1 Log in to the se nsor using an acc o unt with administrator pri vileges. Step 2 Ent er net wo rk set ti ngs mo de. sensor# configure terminal[...]

  • Страница 76

    3-8 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chap ter 3 Se tting U p the Sensor Changing Ne twork Settings ----------------------------------------------- host-ip: 192.168.1.2/24,192.168.1.1 <defaulted> host-name: sensor <defaulted> telnet-option: enabled default: disabled sshv1-fallback:[...]

  • Страница 77

    3-9 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 3 Setting U p the Sensor Changing Network Settings ----------------------------------------------- ftp-timeout: 500 seconds default: 300 login-banner-text: <defaulted> ----------------------------------------------- sensor(config-hos-net)# St[...]

  • Страница 78

    3-10 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chap ter 3 Se tting U p the Sensor Changing Ne twork Settings ----------------------------------------------- host-ip: 192.0.2.1/24,192.0.2.2 default: 192.168.1.2/24,192.168.1.1 host-name: sensor default: sensor telnet-option: enabled default: disabled ss[...]

  • Page 79

    3-11 Changing Network Settings: server and it must be reachable for automatic update and global correlation updates to be successful. You can configure other DNS servers as backup servers. DNS queries are sent to the fir[...]

  • Page 80

    3-12 Changing Network Settings: ----------------------------------------------- host-ip: 10.89.147.24/25,10.89.147.126 default: 192.168.1.2/24,192.168.1.1 host-name: sensor <defaulted> telnet-option: enabled default: di[...]

  • Page 81

    3-13 Changing Network Settings: Enabling SSHv1 Fallback. Note: The IPS supports managing both SSHv1 and SSHv2. The default is SSHv2, but you can configure the sensor to fall back to SSHv1 if the peer client/server does not [...]

  • Page 82

    3-14 Changing the CLI Session Timeout: Use the cli-inactivity-timeout command in the service authentication submode to change the number of seconds that the CLI waits before timing out. Set[...]

  • Page 83

    3-15 Changing Web Server Settings: Step 8 Press Enter to apply the changes or enter no to discard them. Changing Web Server Settings. Note: The default web server port is 443 if TLS is enabled and 80 if TLS is disabled.[...]

  • Page 84

    3-16 Changing Web Server Settings: – TLS_DHE_DSS_WITH_AES_256_CBC_SHA – TLS_RSA_WITH_AES_256_CBC_SHA – TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA – TLS_ECDH_RSA_WITH_AES_256_CBC_SHA – TLS_ECDHE_ECDSA_WITH_AES_2[...]

  • Page 85

    3-17 Changing Web Server Settings: If you disable TLS, you receive this message: Warning: TLS protocol support has been disabled. This change will not take effect until the web server is re-started. Step 5 Change the HTTP s[...]

  • Page 86

    3-18 Configuring Authentication and User Parameters: Note: If you change the port or enable TLS settings, you must reset the sensor to make the web server use the new settings. For More Information • For the procedu[...]

  • Page 87

    3-19 Configuring Authentication and User Parameters: If you do not specify a password, the system prompts you for one. Use the password command to change the password for existing users. Use the privilege command to chan[...]

  • Page 88

    3-20 Configuring Authentication and User Parameters: Step 5 To remove a user, use the no form of the command. sensor# configure terminal sensor(config)# no username jsmith Note: You cannot use this command to remov[...]

  • Page 89

    3-21 Configuring Authentication and User Parameters: You can also configure the sensor to use local authentication (local fallback) if no RADIUS servers are responding. In this case, the sensor authenticates against t[...]

  • Page 90

    3-22 Configuring Authentication and User Parameters: • primary-server —Lets you configure the main RADIUS server: – server-address —IP address of the RADIUS server. – server-port —Port of the RADIUS [...]

  • Page 91

    3-23 Configuring Authentication and User Parameters: Note: Enabling RADIUS authentication on the sensor does not disconnect already established connections. RADIUS authentication is only enforced for new connections [...]

  • Page 92

    3-24 Configuring Authentication and User Parameters: – ips-role=administrator – ips-role=service Note: If the sensor is not configured to use a default user role and the sensor user role information is not in the A[...]

  • Page 93

    3-25 Configuring Authentication and User Parameters: b. Enter the IP address of the second RADIUS server. sensor(config-aaa-rad-sec)# server-address 10.4.5.6 sensor(config-aaa-rad-sec)# c. Enter the RADIUS server port. [...]

  • Page 94

    3-26 Configuring Authentication and User Parameters: Step 10 Exit AAA mode. sensor(config-aaa-rad)# exit sensor(config-aaa)# exit Apply Changes:?[yes]: Step 11 Press Enter to apply the changes or enter no to discard the[...]

  • Page 95

    3-27 Configuring Authentication and User Parameters: Status Events. As part of the packet command restriction option, status events are triggered for the following actions: • When an administrator enables or di[...]

  • Page 96

    3-28 Configuring Authentication and User Parameters: Step 7 Exit authentication mode. sensor(config-aut)# exit Apply Changes:?[yes]: Step 8 Press Enter to apply the changes or enter no to discard them. Creating the S[...]

  • Page 97

    3-29 Configuring Authentication and User Parameters: Step 4 Specify a password when prompted. A valid password is 8 to 32 characters long. All characters except space are allowed. If a service account already exists for [...]

  • Page 98

    3-30 Configuring Authentication and User Parameters: To change the password, follow these steps: Step 1 To change the password for another user or reset the password for a locked account, follow these steps: [...]

  • Page 99

    3-31 Configuring Authentication and User Parameters: Step 3 Change the privilege level from viewer to operator. sensor# configure terminal sensor(config)# privilege user jsmith operator Warning: The privilege change [...]

  • Page 100

    3-32 Configuring Authentication and User Parameters: 9802 tester operator sensor# Step 4 To unlock the account of jsmith, reset the password. sensor# configure terminal sensor(config)# password jsmith Enter New Login Passw[...]

  • Page 101

    3-33 Configuring Authentication and User Parameters: Step 7 Set the number of old passwords to remember for each account. A new password cannot match any of the old passwords of an account. sensor(config-aut-pas)# [...]

  • Page 102

    3-34 Configuring Authentication and User Parameters: Note: When you apply a configuration that contains a non-zero value for attemptLimit, a change is made in the SSH server that may subsequently impact your ability [...]

  • Page 103

    3-35 Configuring Time: Step 5 Check your new setting. The account of the user jsmith is now unlocked, as indicated by the lack of parentheses. sensor# show users all CLI ID User Privilege * 1349 cisco administrator 5824 js[...]

  • Page 104

    3-36 Configuring Time: The ASA IPS Modules. • The ASA 5500-X IPS SSP and ASA 5585-X IPS SSP automatically synchronize their clocks with the clock in the adaptive security appliance in which they are installed. This is[...]

  • Page 105

    3-37 Configuring Time: Displaying the System Clock. Use the show clock [detail] command to display the system clock. You can use the detail option to indicate the clock source (NTP or system) and the current summert[...]

  • Page 106

    3-38 Configuring Time: Use the clock set hh:mm[:ss] month day year command to manually set the clock on the appliance. Use this command if no other time sources are available. The clock set command does not apply to[...]

  • Page 107

    3-39 Configuring Time: d. Enter the week of the month you want to start summertime settings. The values are first through fifth, or last. sensor(config-hos-rec-sta)# week-of-month first e. Verify your settings. sensor(con[...]

  • Page 108

    3-40 Configuring Time: offset: 60 minutes default: 60 summertime-zone-name: CDT start-summertime ----------------------------------------------- month: april default: april week-of-month: first default: first day-of-week: mon[...]

  • Page 109

    3-41 Configuring Time: c. Verify your settings. sensor(config-hos-non-sta)# show settings start-summertime ----------------------------------------------- date: 2004-05-15 time: 12:00:00 --------------------------------------[...]

  • Page 110

    3-42 Configuring Time: sensor(config-hos)# exit Apply Changes:?[yes]: Step 11 Press Enter to apply the changes or enter no to discard them. Configuring Time Zone Settings. Use the time-zone-settings command to configur[...]

  • Page 111

    3-43 Configuring Time: Configuring a Cisco Router to be an NTP Server. The sensor requires an authenticated connection with an NTP server if it is going to use the NTP server as its time source. The sensor supports only th[...]

  • Page 112

    3-44 Configuring Time: Step 6 Specify the NTP master stratum number to be assigned to the sensor. The NTP master stratum number identifies the relative position of the server in the NTP hierarchy. You can choose [...]

  • Page 113

    3-45 Configuring SSH: Step 5 Configure authenticated NTP: a. Enter NTP configuration mode. sensor(config-hos)# ntp-option enable b. Specify the NTP server IP address and key ID. The key ID is a number between 1 and 65535[...]

  • Page 114

    3-46 Configuring SSH: • Adding Authorized RSA1 and RSA2 Keys, page 3-48 • Generating the RSA Server Host Key, page 3-49 Understanding SSH. SSH provides strong authentication and secure communications over [...]

  • Page 115

    3-47 Configuring SSH: Caution: When you use the ssh host-key command, the SSH server at the specified IP address is contacted to obtain the required key over the network. The specified host must be accessible at t[...]

  • Page 116

    3-48 Configuring SSH: Step 7 Remove an entry. The host is removed from the SSH known hosts list. sensor(config)# no ssh host-key 10.16.0.0 Step 8 Verify the host was removed. The IP address no longer appears in the list[...]

  • Page 117

    3-49 Configuring SSH: To add a key entry to the SSHv1 or SSHv2 authorized keys list for the current user, follow these steps: Step 1 Log in to the CLI. Step 2 Add a key to the authorized keys list for the current use[...]

  • Page 118

    3-50 Configuring SSH: Use the ssh generate-key command to change the SSH server host key. The displayed fingerprint matches the one displayed in the remote SSH client in future connections with this sensor if the remote[...]

  • Page 119

    3-51 Configuring TLS: This section describes TLS on the sensor, and contains the following topics: • Understanding TLS, page 3-51 • Adding TLS Trusted Hosts, page 3-52 • Displaying and Generating t[...]

  • Page 120

    3-52 Configuring TLS: The most convenient option is to permanently trust the issuer. However, before you add the issuer, use out-of-band methods to examine the fingerprint of the certificate. This prevents you from [...]

  • Page 121

    3-53 Configuring TLS: Step 4 Verify that the host was added. sensor(config)# exit sensor# show tls trusted-hosts 10.89.146.110 sensor# Step 5 View the fingerprint for a specific host. sensor# show tls trusted-hosts 10.89.[...]

  • Page 122

    3-54 Installing the License Key: For More Information: For the procedure for updating the trusted hosts lists on remote sensors, see Adding TLS Trusted Hosts, page 3-52. Installing the License Key. This section describe[...]

  • Page 123

    3-55 Installing the License Key: Service Programs for IPS Products. You must have a Cisco Services for IPS service contract for any IPS product so that you can download a license key and obtain the latest IPS signature up[...]

  • Page 124

    3-56 Installing the License Key: Use the copy source-url license_file_name license-key command to copy the license key to your sensor. The following options apply: • source-url —The location of the source fil[...]

  • Page 125

    3-57 Installing the License Key: Step 5 Log in to the CLI using an account with administrator privileges. Step 6 Copy the license key to the sensor. sensor# copy scp://user@192.168.1.2/24://tftpboot/dev.lic license-key Passwor[...]

  • Page 126

    3-58 Installing the License Key: For More Information • For more information about getting started using the ASA 5500-X IPS SSP, refer to the Cisco IPS Module on the ASA Quick Start Guide. • For the procedures for[...]

  • Page 127

    3-59 Installing the License Key: IPS-K9-7.2-1-E4 11:17:07 UTC Thu Jan 10 2013 Recovery Partition Version 1.1 - 7.2(1)E4 Host Certificate Valid from: 17-Apr-2013 to 18-Apr-2015 sensor#[...]

  • Page 128

    3-60 Installing the License Key[...]

  • Page 129

    4-1 Chapter 4 Configuring Interfaces: This chapter describes how to configure interfaces on the sensor. You configured the interfaces when you initialized the sensor with the setup command, but if you need to change or add anything to your inter[...]

  • Page 130

    4-2 Understanding Interfaces: • The ASA IPS modules (ASA 5500-X IPS SSP and ASA 5585-X IPS SSP) do not support inline VLAN pairs. • The ASA IPS modules (ASA 5500-X IPS SSP and ASA 5585-X IPS SSP) do not support VLAN[...]

  • Page 131

    4-3 Understanding Interfaces: • Alternate TCP reset. There are restrictions on which roles you can assign to specific interfaces, and some interfaces have multiple roles. You can configure any sensing interface to any[...]

  • Page 132

    4-4 Understanding Interfaces: Sensing Interfaces. Sensing interfaces are used by the sensor to analyze traffic for security violations. A sensor has one or more sensing interfaces depending on the sensor. Sensing [...]

  • Page 133

    4-5 Understanding Interfaces: Note: There is only one sensing interface on the ASA IPS modules (ASA 5500-X IPS SSP and ASA 5585-X IPS SSP), so you cannot designate an alternate TCP reset interface. Table 4-2 lists the al[...]

  • Page 134

    4-6 Understanding Interfaces: Caution: You can only assign a sensing interface as an alternate TCP reset interface. You cannot configure the management interface as an alternate TCP reset interface. Interfa[...]

  • Page 135

    4-7 Understanding Interfaces: IPS 4345 — GigabitEthernet 0/0 GigabitEthernet 0/1 GigabitEthernet 0/2 GigabitEthernet 0/3 GigabitEthernet 0/4 GigabitEthernet 0/5 GigabitEthernet 0/6 GigabitEthernet 0/7 All sensing ports can b[...]

  • Page 136

    4-8 Understanding Interfaces: Interface Configuration Restrictions. The following restrictions apply to configuring interfaces on the sensor: • Physical Interfaces – On the ASA IPS modules (ASA 5500-X IPS SSP and AS[...]

  • Page 137

    4-9 Understanding Interfaces: – For Gigabit (copper or fiber) interfaces, if the speed is configured for 1000 Mbps, the only valid duplex setting is auto. – The command and control interface cannot also serve as a sen[...]

  • Page 138

    4-10 Understanding Interfaces: – You can only configure interfaces that are capable of TCP resets as alternate TCP reset interfaces. Note: There is only one sensing interface on the ASA IPS modules (ASA 5500-X IPS SS[...]

  • Page 139

    4-11 Configuring Physical Interfaces: For More Information • For the procedure for configuring the physical interface settings, see Configuring Physical Interfaces, page 4-11. • For the procedures for creating an[...]

  • Page 140

    4-12 Configuring Physical Interfaces: • duplex —Specifies the duplex setting of the interface: – auto —Sets the interface to auto-negotiate duplex. – full —Sets the interface to full duplex. – half —Se[...]

  • Page 141

    4-13 Configuring Physical Interfaces: Step 5 Enable the interface. You must assign the interface to a virtual sensor and enable it before it can monitor traffic. sensor(config-int-phy)# admin-state enabled Step 6 Add [...]

  • Page 142

    4-14 Configuring Promiscuous Mode: media-type: tx <protected> description: <defaulted> admin-state: disabled <protected> duplex: auto <defaulted> speed: auto <defaulted> alt-tcp-reset-interfac[...]

  • Page 143

    4-15 Configuring Promiscuous Mode: intended target for certain types of attacks, such as atomic attacks (single-packet attacks). The response actions implemented by promiscuous sensor devices are post-even[...]

  • Page 144

    4-16 Configuring Inline Interface Mode: The following configuration uses one SPAN session to send all of the traffic on any of the specified VLANs to all of the specified ports. Each port configuration only allows[...]

  • Page 145

    4-17 Configuring Inline Interface Mode: Figure 4-2 illustrates inline interface pair mode: Figure 4-2 Inline Interface Pair Mode. Configuring Inline Interface Pairs. Use the inline-interfaces name command in the service [...]

  • Page 146

    4-18 Configuring Inline Interface Mode: Step 3 Verify that the subinterface mode is "none" for both of the physical interfaces you are pairing in the inline interface. sensor(config-int)# show settings physical[...]

  • Page 147

    4-19 Configuring Inline Interface Mode: sensor(config-int)# physical-interfaces GigabitEthernet0/0 sensor(config-int-phy)# admin-state enabled sensor(config-int-phy)# exit sensor(config-int)# physical-interfaces GigabitEthernet[...]

  • Page 148

    4-20 Configuring Inline Interface Mode: speed: auto <defaulted> default-vlan: 0 <defaulted> alt-tcp-reset-interface ----------------------------------------------- none -----------------------------------------[...]

  • Страница 149

    4-21 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 4 Conf iguring Interfaces Configuring Inline VLAN Pair M ode Configuring Inli ne VLAN Pair Mode This section de scribes inline VLAN pair mode and how to configure inline VLA N pairs. It contain s the follo wing topics: • Understandin g Inline VL[...]

  • Страница 150

    4-22 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapte r 4 Confi gurin g Interf aces Configuring Inl ine VLAN Pair Mode Configuring In line VLAN Pairs Use the phys ical-int erfaces interface_name command in the se rvice interf ace submode to conf igure inline VLAN pairs. The inte rface name is F a stEt[...]

  • Страница 151

Page 4-23. Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2, OL-29168-01. Chapter 4, Configuring Interfaces: Configuring Inline VLAN Pair Mode

Configuring Inline VLAN Pairs

To configure the inline VLAN pair settings on the sensor, follow these steps:

Step 1 Log in to the CLI using an account with administrator privileges.
S[...]

Page 4-24
    description: <defaulted>
    admin-state: disabled <defaulted>
    duplex: auto <defaulted>
    speed: auto <defaulted>
    alt-tcp-reset-interface
    ---------------------------[...]

Page 4-25
    bypass-mode: auto <defaulted>
    interface-notifications
    -----------------------------------------------
       missed-percentage-threshold: 0 percent <defaulted>
       notification-interval[...]

Page 4-26 (Configuring VLAN Group Mode)
    -----------------------------------------------
sensor(config-int-phy-inl-sub)#

Step 14 To delete VLAN pairs:
a. Delete one VLAN pair.
sensor(config-int-phy-inl-sub)# exit
sensor(config-[...]

Page 4-27

Configuring VLAN Group Mode

You can divide each physical interface or inline interface into VLAN group subinterfaces, each of which consists of a group of VLANs on that interface. Analysis Engine supports multip[...]

Page 4-28
In the second variation, the two ports are configured as trunk ports, so they can carry multiple VLANs. In this configuration, the sensor bridges multiple VLANs between the two[...]

Page 4-29
• subinterface name — Defines the subinterface as a VLAN group:
  – vlans {range | unassigned} — Specifies the set of VLANs in the VLAN group. The value for range is 1 to 4095 in a c[...]

Page 4-30
    -----------------------------------------------
    -----------------------------------------------
    -----------------------------------------------
    <protected entry>
    name: GigabitEthernet[...]

Page 4-31
    -----------------------------------------------
    -----------------------------------------------
    -----------------------------------------------
    command-control: Management0/0 <protected>[...]

Page 4-32
b. Verify the settings.
sensor(config-int-phy-vla-sub)# show settings
    subinterface-number: 1
    -----------------------------------------------
       description: <defaulted>
       vlans
       ----------[...]

Page 4-33 (Configuring Inline Bypass Mode)
Step 15 Delete VLAN groups:
a. Delete one VLAN group.
sensor(config-int-phy-vla-sub)# exit
sensor(config-int-phy-vla)# no subinterface 1
If this VLAN group is the last one on the sensor, [...]
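The VLAN group rules in this section (a range of 1 to 4095, at most one unassigned group, and each VLAN belonging to only one group on an interface) are easy to get wrong once several subinterfaces exist. The following Python is an added example, not code from the guide or the sensor: it parses the range syntax, rejects overlapping groups, and reports which subinterface would inspect a given 802.1Q tag. The class and function names are the example's own, and treating an untagged frame as a member of the unassigned group is an assumption.

```python
"""VLAN group subinterface model for one sensing interface (added example, not Cisco code)."""
from typing import Dict, Optional, Set

VLAN_MIN, VLAN_MAX = 1, 4095


def parse_vlan_range(spec: str) -> Set[int]:
    """Parse the CLI range syntax, e.g. '1-100,200,300-4095', into a set of VLAN IDs."""
    vlans: Set[int] = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            raise ValueError("empty element in VLAN range")
        lo, _, hi = part.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not (VLAN_MIN <= lo_i <= hi_i <= VLAN_MAX):
            raise ValueError(f"VLAN range {part!r} is outside {VLAN_MIN}-{VLAN_MAX}")
        vlans.update(range(lo_i, hi_i + 1))
    return vlans


class VlanGroupInterface:
    """VLAN groups on one physical or inline interface."""

    def __init__(self) -> None:
        self.groups: Dict[int, Set[int]] = {}      # subinterface number -> VLAN IDs
        self.unassigned_group: Optional[int] = None

    def add_group(self, subif: int, spec: str) -> None:
        """Define subinterface `subif` as 'vlans <range>' or 'vlans unassigned'."""
        if subif in self.groups or subif == self.unassigned_group:
            raise ValueError(f"subinterface {subif} already defined")
        if spec == "unassigned":
            if self.unassigned_group is not None:
                raise ValueError("only one unassigned group is allowed per interface")
            self.unassigned_group = subif
            return
        vlans = parse_vlan_range(spec)
        for other, used in self.groups.items():
            clash = vlans & used
            if clash:   # a VLAN may belong to only one group on an interface
                raise ValueError(
                    f"VLAN(s) {sorted(clash)[:5]} already belong to subinterface {other}")
        self.groups[subif] = vlans

    def subinterface_for(self, vlan: Optional[int]) -> Optional[int]:
        """Subinterface that inspects a frame tagged `vlan` (None = untagged, assumed
        to fall into the unassigned group). None means no group claims the frame."""
        if vlan is not None:
            for subif, vlans in self.groups.items():
                if vlan in vlans:
                    return subif
        return self.unassigned_group


def add_group_error(iface: VlanGroupInterface, subif: int, spec: str) -> Optional[str]:
    """Try to add a group; return the validation error text instead of raising."""
    try:
        iface.add_group(subif, spec)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed configuration: two explicit groups plus the catch-all group.
    gi = VlanGroupInterface()
    for n, spec in ((1, "1-100"), (2, "101-200,300"), (3, "unassigned")):
        print(f"subinterface {n} vlans {spec}: {add_group_error(gi, n, spec) or 'ok'}")
    print("VLAN 300 ->", gi.subinterface_for(300))
    print("VLAN 4000 ->", gi.subinterface_for(4000))
    print("overlap:", add_group_error(gi, 4, "50-60"))
```

A frame whose tag no group claims and for which no unassigned group exists is returned as None; on the sensor such traffic is simply not inspected, which is the case to check for after a VLAN group is deleted.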

  • Страница 162

Page 4-34

Configuring Inline Bypass Mode

Caution There are security consequences when you put the sensor in bypass mode. When bypass mode is on, the traffic bypasses the sensor and is not inspected; therefore, the sens[...]

Page 4-35 (Configuring Interface Notifications)
Step 4 Verify the settings.
sensor(config-int)# show settings
    -----------------------------------------------
    bypass-mode: off default: auto
    interface-notifications
    -------------------[...]

Page 4-36 (Configuring CDP Mode)
Step 3 Enter interface submode.
sensor(config)# service interface
Step 4 Enter interface notifications submode.
sensor(config-int)# interface-notifications
Step 5 Specify the idle interface de[...]

Page 4-37

Configuring CDP Mode

Use the cdp-mode command in service interface mode to have the sensor either forward or drop CDP packets. The following option applies:
• cdp-mode {forward-cdp-packets | drop-cdp-pack[...]

Page 4-38
Use the show interfaces [clear | brief] command in EXEC mode to display statistics for all system interfaces. Use the show interfaces {FastEthernet | GigabitEthernet | Management[...]

Page 4-39
GigabitEthernet0/2   Disabled   Down   Unpaired   N/A
GigabitEthernet0/3   Disabled   Down   Unpaired   N/A
sensor#
Step 4 Display the statistics for a specific interface.
sensor# show interfaces Management0/0
MAC[...]

Page 4-40

Displaying Interface Traffic History

Use the show interfaces-history [traffic-by-hour | traffic-by-minute] command in EXEC mode to display historical interface sta[...]

Page 4-41

Displaying Historical Interface Statistics

To display interface traffic history, follow these steps:
Step 1 Log in to the CLI.
Step 2 Display the interface traffic history by the [...]

Page 4-42
(continuation of the show interfaces-history output)
0 0 0 0
12:23:37 UTC Tue Mar 05 2013   0 0 0 0 0 0 0 0
12:22:30 UTC Tue Mar 05 2013   0 0 0 0 0 0 0 0
12:21:31 UTC Tue Mar 05 2013   0 0 0 0 0 0 0 0
12:20:29 UTC Tue Mar 05 2013   0 0 0 [...]

  • Страница 171

Chapter 5 Configuring Virtual Sensors (page 5-1)

This chapter explains the function of the Analysis Engine and how to create, edit, and delete virtual sensors. It also explains how to assign interfaces to a virtual sensor. It contains the following sections: [...]

Page 5-2

Understanding the Analysis Engine

The Analysis Engine performs packet analysis and alert detection. It monitors traffic that flows through specified interfaces. You[...]

Page 5-3 (Inline TCP Session Tracking Mode)
Virtualization has the following restrictions:
• You must assign both sides of asymmetric traffic to the same virtual sensor.
• Using VACL capture or SPAN (promisc[...]

Page 5-4 (Normalization and Inline TCP Evasion Protection Mode)
• Virtual Sensor — All packets with the same session key (AaBb) within a virtual sensor belong to the same session. This is the default and almost alw[...]
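The restriction that both sides of asymmetric traffic must reach the same virtual sensor, and the trade-off between the three inline TCP session tracking modes, come down to what goes into the session key. The Python below is an added example, not Cisco code: it forms the key the way each mode does (the default uses only the AaBb address/port tuple; interface-and-vlan adds the receiving interface and VLAN; vlan-only adds the VLAN) and runs two constructed traffic patterns through each. Packet fields, the mode strings and the function names are the example's own.

```python
"""Inline TCP session tracking modes (added example, not Cisco code)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    interface: str          # receiving sensing interface
    vlan: Optional[int]     # 802.1Q tag, None if untagged
    flags: str = ""         # constructed marker: "S", "SA" or "A"


MODES = ("virtual-sensor", "interface-and-vlan", "vlan-only")


def session_key(pkt: Packet, mode: str) -> Tuple:
    """Key under which the Analysis Engine would file this segment in `mode`."""
    # Direction-independent address/port 4-tuple (the guide's AaBb key), so both
    # halves of one connection land on the same entry.
    ends = tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))
    if mode == "virtual-sensor":
        return ("tcp",) + ends
    if mode == "interface-and-vlan":
        return ("tcp",) + ends + (pkt.interface, pkt.vlan)
    if mode == "vlan-only":
        return ("tcp",) + ends + (pkt.vlan,)
    raise ValueError(f"unknown tracking mode {mode!r}")


class SessionTracker:
    def __init__(self, mode: str) -> None:
        if mode not in MODES:
            raise ValueError(mode)
        self.mode = mode
        self.sessions: Dict[Tuple, List[str]] = {}

    def feed(self, pkt: Packet) -> Tuple:
        key = session_key(pkt, self.mode)
        self.sessions.setdefault(key, []).append(pkt.flags)
        return key


def sessions_seen(packets: Iterable[Packet], mode: str) -> int:
    """How many distinct sessions a packet stream produces under `mode`."""
    tracker = SessionTracker(mode)
    for pkt in packets:
        tracker.feed(pkt)
    return len(tracker.sessions)


def handshake_complete(packets: Iterable[Packet], mode: str) -> bool:
    """True when one session saw SYN, SYN/ACK and ACK; a session split across two
    keys never completes, so the stream is not inspected as one TCP connection."""
    tracker = SessionTracker(mode)
    for pkt in packets:
        tracker.feed(pkt)
    return any({"S", "SA", "A"} <= set(flags) for flags in tracker.sessions.values())


# Constructed traffic. ASYMMETRIC: one connection whose two directions arrive on
# different interfaces and VLANs (asymmetric routing). REUSED_TUPLE: the same
# address/port 4-tuple seen on two VLANs, e.g. overlapping RFC 1918 space behind
# two customer VLANs, which the default mode would merge into one session.
ASYMMETRIC = [
    Packet("10.1.1.5", 40000, "10.2.2.9", 80, "GigabitEthernet0/0", 100, "S"),
    Packet("10.2.2.9", 80, "10.1.1.5", 40000, "GigabitEthernet0/1", 200, "SA"),
    Packet("10.1.1.5", 40000, "10.2.2.9", 80, "GigabitEthernet0/0", 100, "A"),
]
REUSED_TUPLE = [
    Packet("10.1.1.5", 40000, "10.2.2.9", 80, "GigabitEthernet0/0", 100, "S"),
    Packet("10.1.1.5", 40000, "10.2.2.9", 80, "GigabitEthernet0/0", 300, "S"),
]

if __name__ == "__main__":
    for mode in MODES:
        print(f"{mode:20s} asymmetric sessions={sessions_seen(ASYMMETRIC, mode)} "
              f"handshake={handshake_complete(ASYMMETRIC, mode)} "
              f"reused-tuple sessions={sessions_seen(REUSED_TUPLE, mode)}")
```

The output shows the trade-off: the default mode stitches the asymmetric connection back together but cannot tell two VLANs' reused tuples apart, while vlan-only and interface-and-vlan separate the reused tuples but split the asymmetric connection so that its handshake is never seen as complete.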

  • Страница 175

Page 5-5

Adding, Editing, and Deleting Virtual Sensors

Adding Virtual Sensors

Use the virtual-sensor name command in service analysis engine submode to create a virtual sensor. You can create up to four virtual s[...]

Page 5-6
Note For the ASA IPS modules (ASA 5500-X IPS SSP and ASA 5585-X IPS SSP), normalization is performed by the adaptive security appliance and not the IPS.
• in[...]

Page 5-7
Step 6 Assign an event action rules policy to this virtual sensor.
sensor(config-ana-vir-ano)# exit
sensor(config-ana-vir)# event-action-rules rules1
Step 7 Assign[...]

Page 5-8
    event-action-rules: rules1 default: rules0
    anomaly-detection
    -----------------------------------------------
       anomaly-detection-name: ad1 default: ad0
       operational-mo[...]

Page 5-9

Editing and Deleting Virtual Sensors

You can edit the following parameters of a virtual sensor:
• Signature definition policy
• Event action rules polic[...]

Page 5-10
Step 8 Change the inline TCP session tracking mode. The default is virtual sensor mode, which is almost always the best option to choose.
sensor(config-ana-vi[...]

Page 5-11
Step 15 Verify the deleted virtual sensor. Only the default virtual sensor, vs0, is present.
sensor(config-ana)# show settings
    global-parameters
    --------------[...]

Page 5-12

Configuring Global Variables

Use the global-parameters command in service analysis engine submode to create global variables, such as IP logging, service activity, and speci[...]

Page 5-13
sensor(config-ana)#
Step 5 Create the variable for service activity.
sensor(config-ana-glo)# serviceActivity
sensor(config-ana-glo-ser)# enable-serviceactivity 1
sensor(config-ana[...]

Page 5-14 (Configuring Global Variables) [...]

Chapter 7 Defining Signatures (page 7-1)

This chapter describes how to define and create signatures. It contains the following sections:
• Signature Definition Notes and Caveats, page 7-1
• Understanding Policies, page 7-1
• Working With S[...]

Page 7-2

Working With Signature Definition Policies

Use the service signature-definition name command in service signature definition mode to create a signature definition policy.[...]

Page 7-3 (Understanding Signatures)
sensor#
Note You cannot delete the default signature definition policy, sig0.
Step 7 Confirm the signature definition policy has been deleted.
sensor# list signature-definition-configurations
Si[...]

Page 7-4 (Configuring Signature Variables)
The Cisco IPS contains over 10,000 built-in default signatures. You cannot rename or delete signatures from the list of built-in signatures, but you can retire signatures to remove the[...]

Page 7-5

Adding, Editing, and Deleting Signature Variables

To add, edit, and delete signature variables, follow these steps:
Step 1 Log in to the CLI using an account with administrato[...]

Page 7-6

Configuring Signatures

This section describes how to configure signature parameters, and contains the following topics:
• Signature Definition Options, page 7-6
• Configuring Alert Frequen[...]

Page 7-7
• vulnerable-os — Specifies the list of OS types that are vulnerable to this attack signature.
For More Information
• For the procedure for configuring alert frequency, see Configuring Aler[...]

  • Страница 192

Page 7-8
• specify-global-summary-threshold {yes | no} — (Optional) Enables global summary threshold mode:
  – global-summary-threshold — Specifies the threshold number of events to take alert into g[...]
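How summary-threshold, global-summary-threshold and summary-interval interact is easier to see in code than in the option list. The following Python is an added example, not Cisco code: a signature starts an interval in fire-all mode and raises one alert per event; once one summary key exceeds summary-threshold inside the interval it switches to summarize (one summary per key when the interval closes); once all keys together exceed global-summary-threshold it switches to global-summarize (one summary for the interval). The interval bookkeeping, the summary of every key rather than only the noisy one, and the class names are simplifications and assumptions of this example.

```python
"""Alert-frequency summarization model (added example, not Cisco code)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class AlertFrequency:
    summary_interval: float = 15.0        # seconds per summary window
    summary_threshold: int = 120          # per-key events before switching to summarize
    global_summary_threshold: int = 240   # total events before switching to global-summarize
    summary_key: str = "AaBb"             # A/a attacker address/port, B/b victim address/port


@dataclass
class Summarizer:
    cfg: AlertFrequency
    mode: str = "fire-all"
    interval_start: float = 0.0
    counts: Dict[Tuple, int] = field(default_factory=lambda: defaultdict(int))
    alerts: List[str] = field(default_factory=list)

    def _key(self, attacker: str, victim: str, aport: int, vport: int) -> Tuple:
        """Build the summary key from the fields named in summary_key."""
        parts = []
        if "A" in self.cfg.summary_key:
            parts.append(attacker)
        if "a" in self.cfg.summary_key:
            parts.append(aport)
        if "B" in self.cfg.summary_key:
            parts.append(victim)
        if "b" in self.cfg.summary_key:
            parts.append(vport)
        return tuple(parts)

    def _close_interval(self, now: float) -> None:
        """When a summary interval has elapsed, emit the pending summary and reset."""
        if now - self.interval_start < self.cfg.summary_interval:
            return
        if self.mode == "global-summarize":
            self.alerts.append(f"SUMMARY global: {sum(self.counts.values())} events")
        elif self.mode == "summarize":
            for key, n in self.counts.items():
                self.alerts.append(f"SUMMARY {key}: {n} events")
        self.counts = defaultdict(int)
        self.mode = "fire-all"
        self.interval_start = now

    def event(self, now: float, attacker: str, victim: str, aport: int, vport: int) -> str:
        """Feed one signature hit; return the mode that applied to it."""
        self._close_interval(now)
        key = self._key(attacker, victim, aport, vport)
        self.counts[key] += 1
        total = sum(self.counts.values())
        if self.mode != "global-summarize" and total > self.cfg.global_summary_threshold:
            self.mode = "global-summarize"
        elif self.mode == "fire-all" and self.counts[key] > self.cfg.summary_threshold:
            self.mode = "summarize"
        if self.mode == "fire-all":
            self.alerts.append(f"ALERT {key}")
        return self.mode

    def flush(self, now: float) -> List[str]:
        """Force the current interval closed (end of capture) and return all alerts."""
        self._close_interval(now + self.cfg.summary_interval)
        return list(self.alerts)


if __name__ == "__main__":
    # Constructed flood: thresholds lowered so the mode changes are visible.
    s = Summarizer(AlertFrequency(summary_interval=10, summary_threshold=3,
                                  global_summary_threshold=8, summary_key="Ab"))
    for t in range(4):
        print(t, s.event(t, "10.0.0.1", "10.9.9.9", 1000 + t, 80))
    for i in range(5):
        print(4 + i, s.event(4 + i, "10.0.0.2", "10.9.9.9", 2000 + i, 80))
    print("\n".join(s.flush(8)))
```

With summary_key "Ab" the key is attacker address plus victim port, so a scanner rotating source ports still collapses into one key, whereas "AaBb" would give it a fresh key (and a fresh fire-all budget) per source port.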

  • Страница 193

Page 7-9
Step 7 Press Enter to apply the changes or enter no to discard them.

Configuring Alert Severity

Use the alert-severity command in signature definition submode to configure the severity of a[...]

Page 7-10
    engine
    -----------------------------------------------
       atomic-ip
       -----------------------------------------------
          event-action: produce-alert <defaulted>
          fragment-status: any <defaulted>
          sp[...]

Page 7-11
Step 4 Enter event counter submode.
sensor(config-sig-sig)# event-counter
Step 5 Specify how many times an event must occur before an alert is generated.
sensor(config-sig-sig-eve)# event-cou[...]

Page 7-12

Configuring Signature Fidelity Rating

Use the sig-fidelity-rating command in signature definition submode to configure the signature fidelity rating for a signature. The following option [...]

Page 7-13

Configuring the Status of Signatures

Use the status command in signature definition submode to specify the status of a specific signature. The following options apply:
• status — Identifie[...]

Page 7-14

Configuring the Vulnerable OSes for a Signature

Use the vulnerable-os command in signature definition submode to configure the list of vulnerable OSes for a signature. The following options appl[...]

Page 7-15
    sig-string-info: My Sig Info <defaulted>
    sig-comment: Sig Comment <defaulted>
    alert-traits: 0 <defaulted>
    release: custom <defaulted>
    -----------------------------------------[...]

Page 7-16
  – request-rate-limit — Sends a rate limit request to the ARC to perform rate limiting.
  – request-snmp-trap — Sends a request to the Notification Application component of the sensor to perf[...]

Page 7-17
    percentage
    -----------------------------------------------
       external-rate-limit-percentage: 50 default: 100
    -----------------------------------------------
Step 9 Exit event action submode.
sensor(c[...]

Page 7-18
AIC has the following categories of signatures:
• HTTP request method
  – Define request method
  – Recognized request methods
• MIME type
  – Define content type
  – Recognized co[...]

Page 7-19
The following options apply:
• ftp-enable {true | false} — Enables protection for FTP services. Set to true to require the sensor to inspect FTP traffic. The default is false.
• http-polic[...]

Page 7-20
    -----------------------------------------------
       ftp-enable: true default: false
    -----------------------------------------------
sensor(config-sig-app)#
Step 6 Exit signature definition submode.
sens[...]

Page 7-21
For More Information
For the procedure for enabling signatures, see Configuring the Status of Signatures, page 7-13.

AIC MIME Define Content Type Signatures

There are two policies associat[...]

Page 7-22
Signature ID   Subsignature ID   Signature Name
12627          0                 Content Type image/x-portable-graymap Header Check
12627          1                 Content Type image/x-portable-graymap Invalid Message Length
12627          2                 Content Type image/x-portable-graymap Verification F[...]

Page 7-23
12646          0                 Content Type text/xml Header Check
12646          1                 Content Type text/xml Invalid Message Length
12646          2                 Content Type text/xml Verification Failed
12648          0, 1, 2           Content Type video/[...]

Page 7-24
For More Information
• For the procedure for enabling signatures, see Configuring the Status of Signatures, page 7-13.
• For the procedure for creating an AIC signature, see Creating an AI[...]
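Each AIC content-type signature above comes in three subsignatures: Header Check (subsig 0), Invalid Message Length (subsig 1) and Verification Failed (subsig 2). The Python below is an added example, not Cisco code, showing one reasonable reading of those three checks applied to an HTTP response: the declared Content-Type is looked up against the watched types, the body length is compared with Content-Length and a per-type limit, and the body's leading bytes are checked against a magic-number table for the declared type. The magic-number table, the length limits, the sample responses and the function names are all this example's own constructions, not the sensor's definitions.

```python
"""AIC-style MIME content-type checks on an HTTP response (added example, not Cisco code)."""
from typing import Dict, List, Tuple

# Constructed magic-byte table: PGM images start with "P2"/"P5", XML with a
# declaration or a tag. Nothing here is the sensor's own verification data.
MAGIC: Dict[str, Tuple[bytes, ...]] = {
    "image/x-portable-graymap": (b"P2", b"P5"),
    "text/xml": (b"<?xml", b"<"),
}
# Per-type body size this example's policy tolerates (assumption).
MAX_LEN: Dict[str, int] = {"image/x-portable-graymap": 1_000_000, "text/xml": 65_536}

# Signature IDs the guide assigns to the two content types used here.
WATCHED: Dict[str, int] = {"image/x-portable-graymap": 12627, "text/xml": 12646}


def parse_response(raw: bytes) -> Tuple[Dict[str, str], bytes]:
    """Split a raw HTTP response into lower-cased header map and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    return headers, body


def aic_content_type_checks(raw: bytes, watched: Dict[str, int] = WATCHED) -> List[Tuple[int, int, str]]:
    """Return (signature id, subsignature id, reason) for every check that fires."""
    headers, body = parse_response(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    sig = watched.get(ctype)
    if sig is None:
        return []
    fired = [(sig, 0, f"Content-Type {ctype} seen in header")]       # Header Check
    declared = headers.get("content-length")
    if declared is not None and declared.isdigit() and int(declared) != len(body):
        fired.append((sig, 1, f"Content-Length {declared} != body {len(body)}"))
    elif len(body) > MAX_LEN.get(ctype, 1 << 20):
        fired.append((sig, 1, f"body of {len(body)} bytes exceeds limit for {ctype}"))
    if not any(body.lstrip().startswith(m) for m in MAGIC.get(ctype, ())):
        fired.append((sig, 2, f"body does not look like {ctype}"))   # Verification Failed
    return fired


# Constructed responses: a "PGM image" that actually carries a PE executable,
# and a well-formed XML document.
MISLABELLED = (b"HTTP/1.1 200 OK\r\nContent-Type: image/x-portable-graymap\r\n"
               b"Content-Length: 4\r\n\r\nMZ\x90\x00")
GOOD_XML = (b"HTTP/1.1 200 OK\r\nContent-Type: text/xml; charset=utf-8\r\n"
            b"Content-Length: 13\r\n\r\n<?xml v='1'?>")

if __name__ == "__main__":
    for name, resp in (("mislabelled", MISLABELLED), ("good xml", GOOD_XML)):
        for sig, subsig, why in aic_content_type_checks(resp):
            print(f"{name}: {sig}/{subsig} {why}")
```

Subsignature 0 fires for every response of a watched type, which is why the guide treats the "define content type" signatures as policy: retire or set the actions on subsig 0 per type, and leave subsigs 1 and 2 enabled to catch bodies that do not match what the header claims.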

  • Страница 209

Page 7-25
For More Information
For the procedure for enabling signatures, see Configuring the Status of Signatures, page 7-13.

AIC FTP Commands Signatures

Table 7-4 lists the predefined FTP command[...]

Page 7-26
For More Information
For the procedure for enabling signatures, see Configuring the Status of Signatures, page 7-13.

Creating an AIC Signature

Caution A custom signature can affect the perf[...]

Page 7-27
  – modify-packet-inline — Modifies packet data to remove ambiguity about what the end point might do with the packet.
• no — Removes an entry or selection setting.
• signature-type — S[...]

Page 7-28
Step 8 Press Enter to apply the changes or enter no to discard them.

Configuring IP Fragment Reassembly

This section describes IP fragment reassembly, lists the IP fragment reassembly signa[...]

Page 7-29
For More Information
For more information about the Normalizer engine, see Normalizer Engine, page B-36.
1204   IP Fragment Missing Initial Fragment   Fires when the datagram is incomplete and mis[...]

Page 7-30

Configuring IP Fragment Reassembly Parameters

To configure IP fragment reassembly parameters for a specific signature, follow these steps:
Step 1 Log in to the CLI using an account with adm[...]

Page 7-31
  – solaris — Specifies the Solaris systems.
  – linux — Specifies the GNU/Linux systems.
  – bsd — Specifies the BSD UNIX systems.

Configuring the IP Fragment Reassembly Method

To configure th[...]
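The reassembly method matters because overlapping fragments are rebuilt differently by different operating systems, and the sensor must rebuild them the way the protected host will. The Python below is an added example, not Cisco code: a small reassembler keyed on (source, destination, identification, protocol) that completes a datagram when no holes remain, times out stale ones and classifies them the way signature 1204 does (missing initial fragment versus merely incomplete), and resolves overlaps under a selectable policy. The two policies, 'first' (bytes that arrived first win) and 'last' (later fragments overwrite), are a deliberate simplification chosen for this example; they are not the nt, solaris, linux and bsd methods the CLI offers. The fragment builder and all names are the example's own.

```python
"""IP fragment reassembly with the 1204 missing-initial-fragment check (added example, not Cisco code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ident: int
    proto: int
    offset: int        # byte offset (IP fragment offset field * 8)
    more: bool         # MF flag
    data: bytes


@dataclass
class Datagram:
    first_seen: float
    frags: List[Fragment] = field(default_factory=list)
    total_len: Optional[int] = None     # known once the MF=0 fragment arrives


class Reassembler:
    """'first' keeps the bytes that arrived first on overlap, 'last' lets later
    fragments overwrite. Both are simplifications; the per-OS nt/solaris/linux/bsd
    behaviours are not modelled here."""

    def __init__(self, overlap_policy: str = "first", timeout: float = 30.0) -> None:
        if overlap_policy not in ("first", "last"):
            raise ValueError(overlap_policy)
        self.policy = overlap_policy
        self.timeout = timeout
        self.table: Dict[Tuple, Datagram] = {}

    @staticmethod
    def _has_holes(d: Datagram) -> bool:
        pos = 0
        for lo, hi in sorted((f.offset, f.offset + len(f.data)) for f in d.frags):
            if lo > pos:
                return True
            pos = max(pos, hi)
        return d.total_len is None or pos < d.total_len

    def add(self, frag: Fragment, now: float) -> Optional[bytes]:
        """Return the reassembled payload when this fragment completes the datagram."""
        key = (frag.src, frag.dst, frag.ident, frag.proto)
        d = self.table.setdefault(key, Datagram(first_seen=now))
        d.frags.append(frag)
        if not frag.more:
            d.total_len = frag.offset + len(frag.data)
        if d.total_len is not None and not self._has_holes(d):
            del self.table[key]
            return self._rebuild(d)
        return None

    def _rebuild(self, d: Datagram) -> bytes:
        buf, have = bytearray(d.total_len), bytearray(d.total_len)
        for f in d.frags:                       # arrival order drives the policy
            for i, b in enumerate(f.data):
                pos = f.offset + i
                if pos >= d.total_len:
                    break
                if self.policy == "last" or not have[pos]:
                    buf[pos], have[pos] = b, 1
        return bytes(buf)

    def expire(self, now: float) -> List[Tuple[str, Tuple]]:
        """Drop datagrams older than the timeout; tag each '1204' when the offset-0
        fragment never arrived (IP Fragment Missing Initial Fragment), else 'incomplete'."""
        fired = []
        for key, d in list(self.table.items()):
            if now - d.first_seen >= self.timeout:
                missing_initial = all(f.offset != 0 for f in d.frags)
                fired.append(("1204" if missing_initial else "incomplete", key))
                del self.table[key]
        return fired


def frag(offset: int, more: bool, data: bytes, ident: int = 7) -> Fragment:
    """Constructed fragment of one datagram between two fixed hosts, protocol 6."""
    return Fragment("10.0.0.1", "10.0.0.2", ident, 6, offset, more, data)


def overlap_result(policy: str) -> bytes:
    """Three fragments; the second overlaps the last 8 bytes of the first."""
    r = Reassembler(policy)
    r.add(frag(0, True, b"A" * 16), 0.0)
    r.add(frag(8, True, b"X" * 16), 0.0)
    return r.add(frag(24, False, b"ZZ"), 0.0)


if __name__ == "__main__":
    print("first:", overlap_result("first"))
    print("last :", overlap_result("last"))
    r = Reassembler(timeout=5.0)
    r.add(frag(8, False, b"BBBB", ident=9), 0.0)    # tail arrives, head never does
    print("expired:", r.expire(10.0))
```

The two outputs of overlap_result differ in the eight overlapped bytes, which is exactly the gap an attacker exploits when the sensor and the target disagree on the policy; matching the reassembly method to the protected OS closes it.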

  • Страница 216

Page 7-32
[...] sensor from creating alerts where a valid TCP session has not been established. There are known attacks against sensors that try to get the sensor to generate alerts by simply replaying piec[...]

Page 7-33
1306   0   TCP Option Other   Fires when a TCP option in the range of TCP Option Number is seen. All 1306 signatures fire an alert and do not function in promiscuous mode.   TCP Option Number 6-7, 9-[...]

Page 7-34
1309   TCP Reserved Flags Set   Fires when the reserved bits (including bits used for ECN) are set on the TCP header.   TCP Idle Timeout 3600   Modify Packet Inline, Produce Alert   18
1311   TCP Packe[...]

Page 7-35
1330   7   TCP Drop - Bad WinScale Option Value   Fires when a TCP packet has a bad window scale value. Modify Packet Inline sets the value to the closest constraint value.   Modify Packet [...]

Page 7-36
For More Information
For more information about the Normalizer engine, see Normalizer Engine, page B-36.

Configuring TCP Stream Reassembly Signatures

To configure TCP stream reassembly for a[...]

Page 7-37
sensor# configure terminal
sensor(config)# service signature-definition sig1
Step 3 Specify the TCP stream reassembly signature ID and subsignature ID.
sensor(config-sig)# signatures 1313 0
Step 4 [...]

Page 7-38
The following options apply:
• tcp-3-way-handshake-required [true | false] — Specifies that the sensor should only track sessions for which the 3-way handshake is completed. The default is true[...]
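Three of the behaviours described in this section can be shown on raw TCP headers: the tcp-3-way-handshake-required gate that keeps replayed attack fragments from producing alerts, signature 1309 (reserved bits, including the ECN bits, set in the flags field) and signature 1330/7 (a window scale shift above what the option allows, clamped by modify-packet-inline to the closest legal value). The Python below is an added example, not Cisco code. It builds constructed headers, applies the two header checks and the handshake gate, and returns the normalized header. Treating the three reserved bits plus NS, CWR and ECE as the 1309 mask and 14 (the RFC 7323 maximum) as the window scale constraint are this example's assumptions; so are the function names.

```python
"""TCP normalizer checks modelled on signatures 1309, 1330/7 and the
tcp-3-way-handshake-required option (added example, not Cisco code)."""
import struct
from typing import Dict, List, Tuple

FIN, SYN, RST, PSH, ACK, URG, ECE, CWR, NS = (1 << i for i in range(9))
RESERVED_MASK = 0x0E00 | NS | CWR | ECE   # 3 reserved bits plus NS and the ECN bits (1309)
MAX_WSCALE = 14                           # largest shift RFC 7323 allows (1330/7 constraint)


def build_tcp(sport: int, dport: int, seq: int, ack: int, flags: int,
              options: bytes = b"", window: int = 65535) -> bytes:
    """Constructed TCP header without checksum; options padded to a 4-byte boundary."""
    opts = options + b"\x00" * (-len(options) % 4)
    doff = 5 + len(opts) // 4
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (doff << 12) | flags, window, 0, 0) + opts


def flags_of(hdr: bytes) -> int:
    return struct.unpack("!H", hdr[12:14])[0] & 0x1FF


def parse_options(hdr: bytes) -> List[Tuple[int, bytes]]:
    """(kind, value) list, stopping at End-of-Options or a malformed length."""
    doff = (struct.unpack("!H", hdr[12:14])[0] >> 12) * 4
    opts, i, out = hdr[20:doff], 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == 0:
            break
        if kind == 1:                      # NOP
            i += 1
            continue
        ln = opts[i + 1] if i + 1 < len(opts) else 0
        if ln < 2 or i + ln > len(opts):
            break
        out.append((kind, opts[i + 2:i + ln]))
        i += ln
    return out


def normalize(hdr: bytes) -> Tuple[bytes, List[str]]:
    """Apply the two header checks; return the modify-packet-inline result and alerts."""
    buf, alerts = bytearray(hdr), []
    flags16 = struct.unpack("!H", buf[12:14])[0]
    if flags16 & RESERVED_MASK:
        alerts.append("1309 TCP Reserved Flags Set")
        struct.pack_into("!H", buf, 12, flags16 & ~RESERVED_MASK & 0xFFFF)
    doff = (flags16 >> 12) * 4
    i = 20
    while i < doff:
        kind = buf[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        if i + 1 >= doff:
            break
        ln = buf[i + 1]
        if ln < 2 or i + ln > doff:
            break
        if kind == 3 and ln == 3 and buf[i + 2] > MAX_WSCALE:
            alerts.append("1330/7 TCP Drop - Bad WinScale Option Value")
            buf[i + 2] = MAX_WSCALE         # closest constraint value
        i += ln
    return bytes(buf), alerts


class HandshakeGate:
    """With tcp-3-way-handshake-required true, only sessions that completed SYN,
    SYN/ACK, ACK are tracked; stray data segments (replayed attack pieces) are not
    inspected and therefore cannot be used to make the sensor alert."""

    def __init__(self, required: bool = True) -> None:
        self.required = required
        self.state: Dict[Tuple, str] = {}

    def accept(self, src: str, dst: str, hdr: bytes) -> bool:
        sport, dport = struct.unpack("!HH", hdr[:4])
        flags = flags_of(hdr)
        key = tuple(sorted([(src, sport), (dst, dport)]))
        st = self.state.get(key)
        if flags & SYN and not flags & ACK:
            self.state[key] = "syn"
            return True
        if st == "syn" and flags & SYN and flags & ACK:
            self.state[key] = "synack"
            return True
        if st == "synack" and flags & ACK:
            self.state[key] = "established"
            return True
        if st == "established":
            return True
        return not self.required


if __name__ == "__main__":
    bad = build_tcp(40000, 80, 1, 0, SYN | CWR | ECE, b"\x03\x03\x20")
    fixed, alerts = normalize(bad)
    print(alerts, parse_options(fixed), hex(flags_of(fixed)))
    gate = HandshakeGate()
    print("replayed data accepted:",
          gate.accept("10.0.0.1", "10.0.0.2", build_tcp(40000, 80, 1, 0, ACK | PSH)))
```

Note that the 1309 check clears CWR and ECE as well, which is what the guide's "including bits used for ECN" implies; on a network that relies on ECN that is a reason to review the default action for 1309 rather than leave modify-packet-inline on blindly.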

  • Страница 223

Page 7-39

Configuring IP Logging

You can configure a sensor to generate an IP session log when the sensor detects an attack. When IP logging is configured as a response action for a signature and t[...]

Page 7-40 (Creating Custom Signatures)
sensor(config-sig-ip)#
Step 5 Exit signature definition submode.
sensor(config-sig-ip)# exit
sensor(config-sig)# exit
Apply Changes:?[yes]:
Step 6 Press Enter to apply the changes or enter no t[...]

Page 7-41

Example String TCP Engine Signature

The String engine is a generic pattern-matching inspection engine for the ICMP, TCP, and UDP protocols. The String engine uses a regular expressio[...]

Page 7-42
• no — Removes an entry or selection setting.
• regex-string — Specifies a regular expression to search for in a single TCP packet.
• service-ports — Specifies the ports or por[...]

Page 7-43
Step 10 Specify the regex string to search for in the TCP packet. You can change the event actions if needed according to your security policy using the event-action command. The default[...]

Page 7-44

Example Service HTTP Engine Signature

The Service HTTP engine is a service-specific string-based pattern-matching inspection engine. The HTTP protocol is one of the most commonly used in n[...]

Page 7-45
  – modify-packet-inline — Modifies packet data to remove ambiguity about what the end point might do with the packet.
• max-field-sizes — Grouping for maximum field sizes:
  – spe[...]

Page 7-46
sensor(config-sig-sig-ale-fir-yes)# summary-threshold 200
Step 9 Exit alert frequency submode.
sensor(config-sig-sig-ale-fir-yes)# exit
sensor(config-sig-sig-ale-fir)# exit
sensor(config-sig-si[...]

Page 7-47

Meta Signature Engine Enhancement

The purpose of the Meta engine is to detect a specified payload from an attacker and a corresponding payload from the victim. It is also used to inspec[...]

Page 7-48
• all-not-components-required {true | false} — Specifies to use all of the NOT components.
• swap-attacker-victim {true | false} — Swaps the attacker and victim addresses and ports[...]

Page 7-49

Creating a Meta Engine Signature

To create a signature based on the Meta engine, follow these steps:
Step 1 Log in to the CLI using an account with administrator or operator privileges.[...]

Page 7-50
          component-sig-id: 1000
          component-subsig-id: 0 default: 0
          component-count: 1 default: 1
          is-not-component: false <defaulted>
       -----------------------------------------------
       --------------------[...]
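The Meta engine options above (component-sig-id, component-subsig-id, component-count, is-not-component, all-not-components-required, swap-attacker-victim, and the reset interval) describe a correlation rule over alerts from other signatures. The Python below is an added example, not Cisco code, that implements that rule: component alerts are collected per attacker/victim pair inside a window of meta-reset-interval seconds, the meta signature fires once every positive component has reached its count, and NOT components suppress it (all of them must be present when all-not-components-required is true, otherwise any one suffices). Keying only on the address pair, ignoring component order, and applying swap-attacker-victim only to the reported addresses are this example's simplifications; the names are its own.

```python
"""Meta engine correlation over component signature alerts (added example, not Cisco code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Component:
    sig_id: int
    subsig_id: int = 0
    count: int = 1            # component-count
    is_not: bool = False      # is-not-component


@dataclass
class MetaSignature:
    sig_id: int
    components: Tuple[Component, ...]
    meta_reset_interval: float = 60.0
    all_not_components_required: bool = False
    swap_attacker_victim: bool = False


@dataclass
class _Window:
    start: float
    seen: Dict[Tuple[int, int], int] = field(default_factory=dict)


class MetaEngine:
    def __init__(self, sig: MetaSignature) -> None:
        self.sig = sig
        self.windows: Dict[Tuple[str, str], _Window] = {}

    def component_alert(self, now: float, sig_id: int, subsig_id: int,
                        attacker: str, victim: str) -> Optional[Tuple[int, str, str]]:
        """Feed one component alert; return (meta sig id, attacker, victim) when it fires."""
        cid = (sig_id, subsig_id)
        if not any((c.sig_id, c.subsig_id) == cid for c in self.sig.components):
            return None                                    # not a component of this meta
        key = (attacker, victim)
        w = self.windows.get(key)
        if w is None or now - w.start > self.sig.meta_reset_interval:
            w = self.windows[key] = _Window(start=now)     # reset the correlation window
        w.seen[cid] = w.seen.get(cid, 0) + 1

        positives = [c for c in self.sig.components if not c.is_not]
        negatives = [c for c in self.sig.components if c.is_not]
        if not all(w.seen.get((c.sig_id, c.subsig_id), 0) >= c.count for c in positives):
            return None
        if negatives:
            nots_seen = [w.seen.get((c.sig_id, c.subsig_id), 0) >= c.count for c in negatives]
            suppressed = all(nots_seen) if self.sig.all_not_components_required else any(nots_seen)
            if suppressed:
                return None
        del self.windows[key]                              # fire once, then start over
        if self.sig.swap_attacker_victim:
            attacker, victim = victim, attacker
        return (self.sig.sig_id, attacker, victim)


# Constructed meta signature: fire when component 1000 is seen once and 1001 twice
# for the same attacker/victim pair within 30 s, unless 1002 was also seen.
DEMO = MetaSignature(60000, (Component(1000), Component(1001, count=2),
                             Component(1002, is_not=True)), meta_reset_interval=30.0)

if __name__ == "__main__":
    m = MetaEngine(DEMO)
    for t, sig in ((0.0, 1000), (1.0, 1001), (2.0, 1001)):
        print(t, sig, m.component_alert(t, sig, 0, "10.0.0.1", "10.0.0.9"))
```

Because each firing deletes the window, a second burst of the same components from the same pair starts a fresh count, which matches the guide's "reset" wording; a component that arrives after meta-reset-interval seconds of silence also starts fresh and so never correlates with the earlier ones.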

  • Страница 235

Page 7-51
The following example Atomic IP Advanced custom signature prohibits Protocol ID 88 over IPv6. To create a signature based on the Atomic IP Advanced signature engine, follow these steps:[...]

Page 7-52
For More Information
• For more information about the Atomic IP Advanced engine and a list of the parameters, see Atomic IP Advanced Engine, page B-15.
• For more information on the [...]
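"Protocol ID 88 over IPv6" is not a single byte to match: in IPv6 the fixed header's Next Header field may point at a chain of extension headers before the upper-layer protocol, so a signature that matches only the first Next Header byte misses the same protocol behind a Hop-by-Hop or Destination Options header. The Python below is an added example, not Cisco code, of the walk an Atomic IP Advanced style match has to perform. It builds constructed IPv6 packets with and without extension headers and compares the chain-walking match with a naive first-byte match. The packet builder, the addresses and the function names are the example's own.

```python
"""Atomic IP Advanced style upper-layer protocol match over IPv6 (added example, not Cisco code)."""
import struct
from typing import List, Tuple

HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
EXT_WITH_LEN = {HOP_BY_HOP, ROUTING, DEST_OPTS}      # carry a Hdr Ext Len byte
EIGRP = 88                                            # the protocol the guide's example prohibits


def build_ipv6(src: bytes, dst: bytes, chain: List[int], payload: bytes) -> bytes:
    """Constructed IPv6 packet. `chain` lists extension headers in order and ends
    with the upper-layer protocol; each extension header gets a minimal 8-byte body."""
    body = payload
    for k in range(len(chain) - 2, -1, -1):          # append back to front
        ext, nxt = chain[k], chain[k + 1]
        if ext == FRAGMENT:
            body = struct.pack("!BBHI", nxt, 0, 0, 0) + body          # fixed 8 bytes
        elif ext in EXT_WITH_LEN:
            body = bytes([nxt, 0, 1, 4, 0, 0, 0, 0]) + body          # len 0 => 8 bytes, PadN
        else:
            raise ValueError(f"unsupported extension header {ext}")
    fixed = struct.pack("!IHBB", 0x60000000, len(body), chain[0], 64) + src + dst
    return fixed + body


def upper_layer_protocol(pkt: bytes) -> Tuple[int, int]:
    """Walk the extension-header chain; return (protocol, offset of its header).
    Raises ValueError on a non-IPv6 packet, truncation, or an over-long chain."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off = pkt[6], 40
    for _ in range(8):                                # bound the walk
        if nxt == FRAGMENT:
            ln = 8
        elif nxt in EXT_WITH_LEN:
            if off + 2 > len(pkt):
                raise ValueError("truncated extension header")
            ln = (pkt[off + 1] + 1) * 8
        else:
            return nxt, off
        if off + ln > len(pkt):
            raise ValueError("truncated extension header")
        nxt, off = pkt[off], off + ln
    raise ValueError("extension-header chain too long")


def atomic_ip_advanced_match(pkt: bytes, protocol: int = EIGRP) -> bool:
    """True when the packet's real upper-layer protocol is `protocol`."""
    try:
        proto, _ = upper_layer_protocol(pkt)
    except ValueError:
        return False
    return proto == protocol


def naive_match(pkt: bytes, protocol: int = EIGRP) -> bool:
    """The evasion-prone check: look only at the fixed header's Next Header byte."""
    return len(pkt) >= 40 and pkt[6] == protocol


SRC = bytes.fromhex("fe800000000000000000000000000001")   # constructed link-local source
DST = bytes.fromhex("ff020000000000000000000000000010")   # constructed multicast target
DIRECT = build_ipv6(SRC, DST, [EIGRP], b"\x02\x05\x00\x00")
HIDDEN = build_ipv6(SRC, DST, [HOP_BY_HOP, DEST_OPTS, EIGRP], b"\x02\x05\x00\x00")
TCP6 = build_ipv6(SRC, DST, [6], b"\x00" * 20)

if __name__ == "__main__":
    for name, pkt in (("direct", DIRECT), ("hidden", HIDDEN), ("tcp", TCP6)):
        print(f"{name}: chain-walk={atomic_ip_advanced_match(pkt)} naive={naive_match(pkt)}")
```

The chain walk is bounded and refuses truncated headers, which matters for a sensor: an unbounded parser is itself a denial-of-service target.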

  • Страница 237

Page 7-53
Step 5 Specify a name for the new signature. You can also specify additional comments about the signature using the sig-comment command or additional information about the signature using t[...]

Page 7-54
Step 16 Specify a minimum match offset for this signature.
sensor(config-sig-sig-str-no-yes)# exit
sensor(config-sig-sig-str-no)# specify-min-match-offset yes
sensor(config-sig-sig-str-no-yes)# m[...]

Page 7-55
Step 18 Exit signature definition submode.
sensor(config-sig-sig-str)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes:?[yes]:
Step 19 Press Enter to apply the chang[...]

Page 7-56
To create a custom signature based on the String XL TCP engine that searches for a minimum match length with stingy, dot-all, and UTF-8 turned on, follow these steps:
Step 1 Log in to th[...]

Page 7-57
sensor(config-sig-sig-str-no-yes)# exit
sensor(config-sig-sig-str-no)# stingy true
Step 14 Verify the settings:
sensor(config-sig-sig-str-no)# show settings
    no
    ---------------------------------[...]

Page 7-58 (Creating Custom Signatures) [...]
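The String TCP and String XL TCP procedures above set a regex-string, service-ports, a direction, and (for String XL) min-match-length, stingy, dot-all and UTF-8. The Python below is an added example, not Cisco code, that models what those settings do to a match: it filters packets by port and direction, compiles the pattern with dot-all mapped to re.DOTALL and UTF-8 deciding whether the payload is matched as text or raw bytes, drops matches shorter than min-match-length, and stops after the first hit when stingy is on. Treating stingy as one-match-per-packet, matching a single packet rather than the reassembled stream, and the class and field names are this example's assumptions.

```python
"""String / String XL TCP engine matching model (added example, not Cisco code)."""
import re
from dataclasses import dataclass
from typing import List, Set


@dataclass(frozen=True)
class TcpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass
class StringXlSignature:
    sig_id: int
    regex_string: str
    service_ports: Set[int]
    direction: str = "to-service"     # or "from-service"
    min_match_length: int = 0
    dot_all: bool = False             # '.' also matches newline
    utf8: bool = False                # decode payload before matching
    stingy: bool = True               # stop after the first match

    def _pattern(self):
        flags = re.DOTALL if self.dot_all else 0
        if self.utf8:
            return re.compile(self.regex_string, flags)
        return re.compile(self.regex_string.encode("utf-8"), flags)

    def in_scope(self, pkt: TcpPacket) -> bool:
        """service-ports applies to the destination when inspecting traffic to the
        service and to the source when inspecting replies from it."""
        if self.direction == "to-service":
            return pkt.dport in self.service_ports
        if self.direction == "from-service":
            return pkt.sport in self.service_ports
        raise ValueError(f"unknown direction {self.direction!r}")

    def matches(self, pkt: TcpPacket) -> List[str]:
        """Matched text (decoded for display) for every hit this signature reports."""
        if not self.in_scope(pkt):
            return []
        hay = pkt.payload.decode("utf-8", errors="replace") if self.utf8 else pkt.payload
        hits: List[str] = []
        for m in self._pattern().finditer(hay):
            text = m.group(0)
            if len(text) < self.min_match_length:
                continue
            hits.append(text if isinstance(text, str) else text.decode("latin-1"))
            if self.stingy:
                break
        return hits


# Constructed packets: a request whose body parameter sits after the header
# block, and one carrying two parameters on the same line.
REQUEST = TcpPacket("10.0.0.1", 40000, "10.0.0.2", 80,
                    b"POST /a HTTP/1.1\r\nHost: x\r\n\r\ncmd=id")
MULTI = TcpPacket("10.0.0.1", 40000, "10.0.0.2", 80, b"cmd=id&cmd=ls")

if __name__ == "__main__":
    sig = StringXlSignature(60010, r"POST /.*cmd=", {80})
    print("dot-all off:", sig.matches(REQUEST))
    sig.dot_all = True
    print("dot-all on :", sig.matches(REQUEST))
    print("stingy     :", StringXlSignature(60011, r"cmd=\w+", {80}).matches(MULTI))
    print("not stingy :", StringXlSignature(60011, r"cmd=\w+", {80}, stingy=False).matches(MULTI))
```

The dot-all case is the one to remember: without it a pattern that spans the blank line between HTTP headers and body never fires, because '.' stops at the CR/LF, and the signature silently misses the body it was written for.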

  • Страница 243

    8-1, Chapter 8 Configuring Event Action Rules: This chapter explains how to add event action rules policies and how to configure event action rules. It contains the following sections: • Event Action Rules Notes and Caveats, page 8-1 • Understandi[...]

  • Page 244

    8-2, Chapter 8 Configuring Event Action Rules, Understanding Security Policies: • You cannot delete the event action override for deny-packet-inline because it is protected. If you do not want to use that override, set the override-item-status to di[...]

  • Page 245

    8-3, Chapter 8 Configuring Event Action Rules, Signature Event Action Processor: Signature Event Action Processor The Signature Event Action Processor coordinates the data flow from the signature event in the Alarm Channel to processing through the Signat[...]

  • Page 246

    8-4, Chapter 8 Configuring Event Action Rules, Event Actions: Figure 8-1 Signature Event Through Signature Event Action Processor For More Information For more information on risk rating, see Calculating the Risk Rating, page 8-13. Event Actions[...]

  • Page 247

    8-5, Chapter 8 Configuring Event Action Rules, Event Actions: Note There are other event actions that force a produce-alert. These actions use produce-alert as the vehicle for performing the action. Even if produce-alert is not selected or is filte[...]

  • Page 248

    8-6, Chapter 8 Configuring Event Action Rules, Event Actions: Note You cannot use modify-packet-inline as an action when adding event action filters or overrides. Other Actions • request-block-connection—Sends a request to ARC to block this co[...]

  • Page 249

    8-7, Chapter 8 Configuring Event Action Rules, Event Action Rules Configuration Sequence: When a deny-connection-inline occurs, the IPS also automatically sends a TCP one-way reset, which shows up as a TCP one-way reset sent in the alert. When the [...]

  • Page 250

    8-8, Chapter 8 Configuring Event Action Rules, Working With Event Action Rules Policies: 3. Create overrides to add actions based on the risk rating value. Assign a risk rating to each event action type. 4. Create filters. Assign filters to subtract[...]

  • Page 251

    8-9, Chapter 8 Configuring Event Action Rules, Event Action Variables: f. Configure the event action rules OS identification settings. Step 5 Display a list of event action rules policies on the sensor: sensor# list event-action-rules-configurations Even[...]

  • Page 252

    8-10, Chapter 8 Configuring Event Action Rules, Event Action Variables: Understanding Event Action Variables Note Global correlation inspection and the reputation filtering deny features do not support IPv6 addresses. For global correlation inspection, [...]

  • Page 253

    8-11, Chapter 8 Configuring Event Action Rules, Event Action Variables: Timesaver If you have an IP address space that applies to your engineering group and there are no Windows systems in that group, and you are not worried about any Windows-based[...]

  • Page 254

    8-12, Chapter 8 Configuring Event Action Rules, Event Action Variables: sensor(config-eve)# variables variable-ipv6 ipv6-address 2001:0db8:3c4d:0015:0000:0000:abcd:ef12 Step 5 Verify that you added the event action rules variable. sensor(config-eve)# show set[...]

  • Page 255

    8-13, Chapter 8 Configuring Event Action Rules, Configuring Target Value Ratings: Configuring Target Value Ratings This section describes what risk rating is and how to use it to configure target value ratings. This section contains the following top[...]

  • Page 256

    8-14, Chapter 8 Configuring Event Action Rules, Configuring Target Value Ratings: • Target value rating (TVR)—A weight associated with the perceived value of the target. Target value rating is a user-configurable value (zero, low, medium, hig[...]

  • Page 257

    8-15, Chapter 8 Configuring Event Action Rules, Configuring Target Value Ratings: Adding, Editing, and Deleting Target Value Ratings Note Global correlation inspection and the reputation filtering deny features do not support IPv6 addresses. For global[...]

  • Page 258

    8-16, Chapter 8 Configuring Event Action Rules, Configuring Target Value Ratings: • ipv6-target-address ip_address—Specifies the range set of IP address(es) for IPv6 addresses in the following form: <XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX[...]

  • Page 259

    8-17, Chapter 8 Configuring Event Action Rules, Configuring Event Action Overrides: ipv6-target-value (min: 0, max: 5, current: 0) ----------------------------------------------- ----------------------------------------------- Step 10 Exit event action rule[...]

  • Page 260

    8-18, Chapter 8 Configuring Event Action Rules, Configuring Event Action Overrides: The following options apply: • no overrides—Removes an entry or selection setting. • override-item-status {enabled | disabled}—Enables or disables the use of[...]

  • Page 261

    8-19, Chapter 8 Configuring Event Action Rules, Configuring Event Action Overrides: • Log packets from both the attacker and victim IP addresses. sensor(config-eve)# overrides log-pair-packets sensor(config-eve-ove)# • Write an alert to Event Store. sen[...]

  • Page 262

    8-20, Chapter 8 Configuring Event Action Rules, Configuring Event Action Filters: action-to-add: deny-attacker-inline ----------------------------------------------- override-item-status: Enabled <defaulted> risk-rating-range: 95 default: 0-100 ----------[...]

  • Page 263

    8-21, Chapter 8 Configuring Event Action Rules, Configuring Event Action Filters: Caution Event action filters based on source and destination IP addresses do not function for the Sweep engine, because they do not filter as regular signatures. To fi[...]

  • Page 264

    8-22, Chapter 8 Configuring Event Action Rules, Configuring Event Action Filters: • ipv6-attacker-address-range—Specifies the range set of IPv6 attacker address(es) for this item (for example, <XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX>-<XXXX:XX[...]

  • Page 265

    8-23, Chapter 8 Configuring Event Action Rules, Configuring Event Action Filters: Configuring Event Action Filters To configure event action filters, follow these steps: Step 1 Log in to the CLI using an account with administrator privileges. Step 2 Enter[...]

  • Page 266

    8-24, Chapter 8 Configuring Event Action Rules, Configuring Event Action Filters: l. Add any comments you want to use to explain this filter. sensor(config-eve-fil)# user-comment NEW FILTER Step 5 Verify the settings for the filter. sensor(config-eve-fil[...]

  • Page 267

    8-25, Chapter 8 Configuring Event Action Rules, Configuring Event Action Filters: NAME: name1 ----------------------------------------------- signature-id-range: 900-65535 <defaulted> subsignature-id-range: 0-255 <defaulted> attacker-address-range:[...]

  • Page 268

    8-26, Chapter 8 Configuring Event Action Rules, Configuring OS Identifications: Step 12 Exit event action rules submode. sensor(config-eve)# exit Apply Changes:?[yes]: Step 13 Press Enter to apply your changes or enter no to discard them. For More Infor[...]

  • Page 269

    8-27, Chapter 8 Configuring Event Action Rules, Configuring OS Identifications: There are three sources of OS information. The sensor ranks the sources of OS information in the following order: 1. Configured OS maps—OS maps you enter. Configured OS m[...]

  • Page 270

    8-28, Chapter 8 Configuring Event Action Rules, Configuring OS Identifications: Adding, Editing, Deleting, and Moving Configured OS Maps Use the os-identifications command in the service event action rules submode to configure OS host mappings, which ta[...]

  • Page 271

    8-29, Chapter 8 Configuring Event Action Rules, Configuring OS Identifications: – hp-ux—Variants of HP-UX – irix—Variants of IRIX – linux—Variants of Linux – solaris—Variants of Solaris – windows—Variants of Microsoft Window[...]

  • Page 272

    8-30, Chapter 8 Configuring Event Action Rules, Configuring OS Identifications: Step 6 Specify the attack relevance rating range for the IP address. sensor(config-eve-os-con)# exit sensor(config-eve-os)# calc-arr-for-ip-range 192.0.2.1 to 192.0.2.25 Step 7 En[...]

  • Page 273

    8-31, Chapter 8 Configuring Event Action Rules, Configuring OS Identifications: ----------------------------------------------- ----------------------------------------------- ----------------------------------------------- INACTIVE list-contents --------------[...]

  • Page 274

    8-32, Chapter 8 Configuring Event Action Rules, Configuring General Settings: The following options apply: • virtual-sensor—(Optional) Specifies the learned addresses of the virtual sensor that should be displayed or cleared. • ip-address—(Optio[...]

  • Page 275

    8-33, Chapter 8 Configuring Event Action Rules, Configuring General Settings: • Configuring the General Settings, page 8-34 Understanding Event Action Summarization Summarization decreases the volume of alerts sent out from the sensor by providing basic a[...]

  • Page 276

    8-34, Chapter 8 Configuring Event Action Rules, Configuring General Settings: Configuring the General Settings Use the following commands in service event action rules submode to configure general event action rules settings: • global-block-timeout—[...]

  • Page 277

    8-35, Chapter 8 Configuring Event Action Rules, Configuring the Denied Attackers List: Step 8 Enable or disable any overrides that you have set up. The default is enabled. sensor(config-eve-gen)# global-overrides-status {enabled | disabled} Step 9 Enable [...]

  • Page 278

    8-36, Chapter 8 Configuring Event Action Rules, Configuring the Denied Attackers List: Adding Entries to the Denied Attacker List To add a deny attacker entry to the list of denied attackers, follow these steps: Step 1 Log in to the CLI using an accou[...]

  • Page 279

    8-37, Chapter 8 Configuring Event Action Rules, Configuring the Denied Attackers List: Displaying and Deleting Denied Attackers To display the list of denied attackers and delete the list and clear the statistics, follow these steps: Step 1 Log in[...]

  • Page 280

    8-38, Chapter 8 Configuring Event Action Rules, Monitoring Events: Name of current Event-Action-Rules instance = rules0 List of interfaces monitored by this virtual sensor = mypair Denied Address Information Number of Active Denied Attackers = 0 Number of Den[...]

  • Page 281

    8-39, Chapter 8 Configuring Event Action Rules, Monitoring Events: Use the show events [{alert [informational] [low] [medium] [high] [include-traits traits] [exclude-traits traits] [min-threat-rating min-rr] [max-threat-rating max-rr] | err[...]

  • Page 282

    8-40, Chapter 8 Configuring Event Action Rules, Monitoring Events: evError: eventId=1041472274774840148 severity=error vendor=Cisco originator: hostId: sensor2 appName: cidwebserver appInstanceId: 351 time: 2011/01/07 04:41:45 2011/01/07 04:41:45 UTC errorMes[...]

  • Page 283

    8-41, Chapter 8 Configuring Event Action Rules, Monitoring Events: evIdsAlert: eventId=1109695939102805308 severity=medium vendor=Cisco originator: --MORE-- Step 6 Display events that began 30 seconds in the past. sensor# show events past 00:00:30 evStatus: e[...]

  • Page 284

    8-42, Chapter 8 Configuring Event Action Rules, Monitoring Events[...]

  • Page 285

    9-1, Chapter 9 Configuring Anomaly Detection: This chapter describes anomaly detection (AD) and its features and how to configure them. This chapter contains the following topics: • Anomaly Detection Notes and Caveats, page 9-1 • Understanding Sec[...]

  • Page 286

    9-2, Chapter 9 Configuring Anomaly Detection, Understanding Security Policies: connections, that is, as scanners, and sends alerts for all traffic flows. Using asymmetric mode protection with anomaly detection enabled causes excessive resource us[...]

  • Page 287

    9-3, Chapter 9 Configuring Anomaly Detection, Anomaly Detection Modes: Anomaly detection identifies worm-infected hosts by their behavior as scanners. To spread, a worm must find new hosts. It finds them by scanning the Internet or network using [...]

  • Page 288

    9-4, Chapter 9 Configuring Anomaly Detection, Anomaly Detection Zones: • Detect mode—For ongoing operation, the sensor should remain in detect mode. This is for 24 hours a day, 7 days a week. Once a KB is created and replaces the initial KB, anomaly d[...]

  • Page 289

    9-5, Chapter 9 Configuring Anomaly Detection, Anomaly Detection Configuration Sequence: Anomaly Detection Configuration Sequence You can configure the detection part of anomaly detection. You can configure a set of thresholds that override the KB l[...]

  • Page 290

    9-6, Chapter 9 Configuring Anomaly Detection, Anomaly Detection Signatures: • For more information on configuring anomaly detection signatures, see Anomaly Detection Signatures, page 9-6. • For more information on Deny Attacker event actions, see E[...]

  • Page 291

    9-7, Chapter 9 Configuring Anomaly Detection, Anomaly Detection Signatures: 13002 1 Internal Other Scanner Identified a worm attack over an Other protocol in the internal zone; the Other histogram threshold was crossed and a scanner over an Other pr[...]

  • Page 292

    9-8, Chapter 9 Configuring Anomaly Detection, Enabling Anomaly Detection: For More Information For the procedure for assigning actions to signatures, see Assigning Actions to Signatures, page 7-15. Enabling Anomaly Detection To enable anomaly detectio[...]

  • Page 293

    9-9, Chapter 9 Configuring Anomaly Detection, Working With Anomaly Detection Policies: edit the values of the new policy as needed. Use the list anomaly-detection-configurations command in privileged EXEC mode to list the anomaly detection policies.[...]

  • Page 294

    9-10, Chapter 9 Configuring Anomaly Detection, Configuring Anomaly Detection Operational Settings: Step 7 Verify that the anomaly detection instance has been deleted. sensor# list anomaly-detection-configurations Anomaly Detection Instance Size Virt[...]

  • Page 295

    9-11, Chapter 9 Configuring Anomaly Detection, Configuring the Internal Zone: Configuring Anomaly Detection Operational Settings To specify anomaly detection operational settings, follow these steps: Step 1 Log in to the CLI using an account with administ[...]

  • Page 296

    9-12, Chapter 9 Configuring Anomaly Detection, Configuring the Internal Zone: Understanding the Internal Zone The internal zone should represent your internal network. It should receive all the traffic that comes to your IP address range. If the zone [...]

  • Page 297

    9-13, Chapter 9 Configuring Anomaly Detection, Configuring the Internal Zone: Step 7 Configure the other protocols. For More Information • For the procedure for configuring TCP protocol, see Configuring TCP Protocol for the Internal Zone, page 9-13 [...]

  • Page 298

    9-14, Chapter 9 Configuring Anomaly Detection, Configuring the Internal Zone: sensor(config-ano-int-tcp-dst)# Step 5 Enable the service for that port. sensor(config-ano-int-tcp-dst)# enabled true Step 6 To override the scanner values for that port. You c[...]

  • Page 299

    9-15, Chapter 9 Configuring Anomaly Detection, Configuring the Internal Zone: ----------------------------------------------- override-scanner-settings ----------------------------------------------- no ----------------------------------------------- --------[...]

  • Page 300

    9-16, Chapter 9 Configuring Anomaly Detection, Configuring the Internal Zone: • override-scanner-settings {yes | no}—Lets you override the scanner values: – threshold-histogram {low | medium | high} num-source-ips number—Sets values in the thr[...]

  • Page 301

    9-17, Chapter 9 Configuring Anomaly Detection, Configuring the Internal Zone: ----------------------------------------------- override-scanner-settings ----------------------------------------------- yes ----------------------------------------------- scanner[...]

  • Page 302

    9-18, Chapter 9 Configuring Anomaly Detection, Configuring the Internal Zone: sensor(config-ano-int-udp)# Configuring Other Protocols for the Internal Zone Use the other {enabled | protocol number | default-thresholds} command in service anomaly d[...]

  • Page 303

    9-19, Chapter 9 Configuring Anomaly Detection, Configuring the Internal Zone: Step 7 To add a histogram for the new scanner settings. Enter the number of destination IP addresses (low, medium, or high) and the number of source IP addresses you wa[...]

  • Page 304

    9-20, Chapter 9 Configuring Anomaly Detection, Configuring the Illegal Zone: Configuring the Illegal Zone This section describes how to configure the illegal zone, and contains the following topics: • Understanding the Illegal Zone, page 9-20 • Configur[...]

  • Page 305

    9-21, Chapter 9 Configuring Anomaly Detection, Configuring the Illegal Zone: sensor(config-ano-ill)# Step 3 Enable the illegal zone. sensor(config-ano-ill)# enabled true Step 4 Configure the IP addresses to be included in the illegal zone. sensor(config-ano[...]

  • Page 306

    9-22, Chapter 9 Configuring Anomaly Detection, Configuring the Illegal Zone: Configuring the Illegal Zone TCP Protocol To configure TCP protocol for the illegal zone, follow these steps: Step 1 Log in to the CLI using an account with administrator privileges. St[...]

  • Page 307

    9-23, Chapter 9 Configuring Anomaly Detection, Configuring the Illegal Zone: threshold-histogram (min: 0, max: 3, current: 1) ----------------------------------------------- dest-ip-bin: low num-source-ips: 100 ----------------------------------------------- --[...]

  • Page 308

    9-24, Chapter 9 Configuring Anomaly Detection, Configuring the Illegal Zone: Configuring UDP Protocol for the Illegal Zone Use the udp {enabled | dst-port number | default-thresholds} command in service anomaly detection illegal zone submode to enable and[...]

  • Page 309

    9-25, Chapter 9 Configuring Anomaly Detection, Configuring the Illegal Zone: Step 8 Set the scanner threshold. sensor(config-ano-ill-udp-dst-yes)# scanner-threshold 100 Step 9 Configure the default thresholds for all other unspecified ports. sensor(config-ano-[...]

  • Page 310

    9-26, Chapter 9 Configuring Anomaly Detection, Configuring the Illegal Zone: enabled: true <defaulted> ----------------------------------------------- ----------------------------------------------- default-thresholds -------------------------------------[...]

  • Page 311

    9-27, Chapter 9 Configuring Anomaly Detection, Configuring the Illegal Zone: sensor(config-ano)# illegal-zone sensor(config-ano-ill)# Step 3 Enable the other protocols. sensor(config-ano-ill)# other sensor(config-ano-ill-oth)# enabled true Step 4 Associate a [...]

  • Page 312

    9-28, Chapter 9 Configuring Anomaly Detection, Configuring the External Zone: ----------------------------------------------- scanner-threshold: 200 <defaulted> threshold-histogram (min: 0, max: 3, current: 3) --------------------------------------------[...]

  • Page 313

    9-29, Chapter 9 Configuring Anomaly Detection, Configuring the External Zone: • other—Lets you configure other protocols besides TCP and UDP. Configuring the External Zone To configure the external zone, follow these steps: Step 1 Log in to[...]

  • Page 314

    9-30, Chapter 9 Configuring Anomaly Detection, Configuring the External Zone: – scanner-threshold—Sets the scanner threshold. The default is 200. Configuring the External Zone TCP Protocol To configure TCP protocol for the external zone[...]

  • Page 315

    9-31, Chapter 9 Configuring Anomaly Detection, Configuring the External Zone: yes ----------------------------------------------- scanner-threshold: 100 default: 200 threshold-histogram (min: 0, max: 3, current: 1) ------------------------------------------[...]

  • Page 316

    9-32, Chapter 9 Configuring Anomaly Detection, Configuring the External Zone: Configuring UDP Protocol for the External Zone Use the udp {enabled | dst-port number | default-thresholds} command in service anomaly detection external zone submode to[...]

  • Page 317

    9-33, Chapter 9 Configuring Anomaly Detection, Configuring the External Zone: Step 7 Add a histogram for the new scanner settings. Enter the number of destination IP addresses (low, medium, or high) and the number of source IP addresses you want as[...]

  • Page 318

    9-34, Chapter 9 Configuring Anomaly Detection, Configuring the External Zone: no ----------------------------------------------- ----------------------------------------------- ----------------------------------------------- enabled: true <defaulted> ---[...]

  • Page 319

    9-35, Chapter 9 Configuring Anomaly Detection, Configuring the External Zone: Configuring the External Zone Other Protocols To configure other protocols for a zone, follow these steps: Step 1 Log in to the CLI using an account with administrat[...]

  • Page 320

    9-36, Chapter 9 Configuring Anomaly Detection, Configuring Learning Accept Mode: ----------------------------------------------- dest-ip-bin: high num-source-ips: 75 ----------------------------------------------- ----------------------------------------------[...]

  • Page 321

    9-37, Chapter 9 Configuring Anomaly Detection, Configuring Learning Accept Mode: Note Learning accept mode uses the sensor local time. The scanner threshold defines the maximum number of zone IP addresses that a single source IP address can s[...]

  • Page 322

    9-38, Chapter 9 Configuring Anomaly Detection, Configuring Learning Accept Mode: Configuring Learning Accept Mode Use the learning-accept-mode command in service anomaly detection submode to configure whether you want the sensor to create a new KB e[...]

  • Page 323

    9-39, Chapter 9 Configuring Anomaly Detection, Configuring Learning Accept Mode: Step 3 Specify how the KB is saved and loaded: a. Specify that the KB is automatically saved and loaded. Go to Step 4. sensor(config-ano)# learning-accept-mode auto senso[...]

  • Page 324

    9-40, Chapter 9 Configuring Anomaly Detection, Working With KB Files: For More Information For the procedures for saving and loading anomaly detection KBs manually, see Saving and Loading KBs Manually, page 9-41. Working With KB Files This section de[...]

  • Page 325

    9-41, Chapter 9 Configuring Anomaly Detection, Working With KB Files: 2003-Jan-05-10_00_00 84 10:00:00 CDT Sun Jan 05 2003 2003-Jan-06-10_00_00 84 10:00:00 CDT Mon Jan 06 2003 sensor# Step 3 Display the KB files for a specific virtual sensor. sensor# show ad[...]

  • Page 326

    9-42, Chapter 9 Configuring Anomaly Detection, Working With KB Files: Note An error is generated if anomaly detection is not active when you enter this command. You cannot overwrite the initial file. Copying, Renaming, and Erasing KBs Use these commands [...]

  • Page 327

    9-43, Chapter 9 Configuring Anomaly Detection, Working With KB Files: Note If you use HTTPS protocol, the remote host must be a TLS trusted host. Copying, Renaming, and Removing KB Files To copy, rename, and remove KB files, follow these steps: Step 1 Lo[...]

  • Page 328

    9-44 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 9 Co nfiguring Anomaly Detection Working With KB Files • For the proc edure for adding T LS trusted hosts, see A dding TL S T rusted H osts, page 3 -52 . Displaying the Diffe rences Between T wo KBs Use t he show ad-knowledge -base virtual-sens [...]

  • Page 329

    9-45 Chapter 9 Configuring Anomaly Detection Working With KB Files None Thresholds differ more than 10% External Zone None Illegal Zone TCP Services Service = 31 Service = 22 UDP Services None Other Protocols Protocol = 3 Internal Zone None sensor# Displayi[...]

  • Page 330

    9-46 Chapter 9 Configuring Anomaly Detection Working With KB Files Displaying KB Thresholds To display the KB thresholds, follow these steps: Step 1 Log in to the CLI. Step 2 Locate the file for which you want to display thresholds: sensor# show ad-knowled[...]

  • Page 331

    9-47 Chapter 9 Configuring Anomaly Detection Displaying Anomaly Detection Statistics Default Scanner Threshold User Configuration = 200 Threshold Histogram - User Configuration Low = 10 Medium = 3 High = 1 sensor# Step 5 Display thresholds contained in the[...]

  • Page 332

    9-48 Chapter 9 Configuring Anomaly Detection Disabling Anomaly Detection TCP Protocol UDP Protocol Other Protocol sensor# Step 3 Display the statistics for all virtual sensors. sensor# show statistics anomaly-detection Statistics for Virtual Sensor vs0 No [...]

  • Page 333

    9-49 Chapter 9 Configuring Anomaly Detection Disabling Anomaly Detection sensor(config)# service analysis-engine sensor(config-ana)# Step 3 Enter the virtual sensor name that contains the anomaly detection policy you want to disable. sensor(config-ana[...]

  • Page 334

    9-50 Chapter 9 Configuring Anomaly Detection Disabling Anomaly Detection[...]

  • Page 335

    10-1 CHAPTER 10 Configuring Global Correlation This chapter provides information for configuring global correlation. It contains the following sections: • Global Correlation Notes and Caveats, page 10-1 • Understanding Global Correlation, pa[...]

  • Page 336

    10-2 Chapter 10 Configuring Global Correlation Understanding Global Correlation • Global correlation inspection and the reputation filtering deny features do not support IPv6 addresses. For global correlation inspection, the sensor does not rece[...]

  • Page 337

    10-3 Chapter 10 Configuring Global Correlation Understanding Reputation Table 10-1 shows how we use the data. When you enable Partial or Full Network Participation, the Network Participation Disclaimer appears. You must enter yes to par[...]

  • Page 338

    10-4 Chapter 10 Configuring Global Correlation Understanding Network Participation Figure 10-1 shows the role of the sensor and the global correlation servers. Figure 10-1 IPS Management and Global Correlation Server Interaction The global co[...]

  • Page 339

    10-5 Chapter 10 Configuring Global Correlation Understanding Efficacy • Data gathered from the sensor health metrics The statistics for network participation show the hits and misses for alerts, the reputation actions, and the counters of packets th[...]

  • Page 340

    10-6 Chapter 10 Configuring Global Correlation Understanding Reputation and Risk Rating Understanding Reputation and Risk Rating Risk rating is the concept of the probability that a network event is malicious. You assign a numerical quantification[...]

  • Page 341

    10-7 Chapter 10 Configuring Global Correlation Global Correlation Requirements Global Correlation Requirements Global correlation has the following requirements: • Valid license—You must have a valid sensor license for global correlation [...]

  • Page 342

    10-8 Chapter 10 Configuring Global Correlation Understanding Global Correlation Sensor Health Metrics • For information about configuring an HTTP proxy or DNS server to support global correlation, see Configuring the DNS and Proxy Servers for Glob[...]

  • Page 343

    10-9 Chapter 10 Configuring Global Correlation Configuring Global Correlation Inspection and Reputation Filtering Understanding Global Correlation Inspection and Reputation Filtering You can configure the sensor to use updates from the Sensor[...]

  • Page 344

    10-10 Chapter 10 Configuring Global Correlation Configuring Global Correlation Inspection and Reputation Filtering For More Information • For the procedure for configuring global correlation features, see Configuring Global Correlation Inspectio[...]

  • Page 345

    10-11 Chapter 10 Configuring Global Correlation Configuring Network Participation Step 5 Turn on reputation filtering. sensor(config-glo)# reputation-filtering on sensor(config-glo)# Step 6 Test global correlation data, but do not actually deny traffic. [...]

  • Page 346

    10-12 Chapter 10 Configuring Global Correlation Configuring Network Participation Note You must accept the network participation disclaimer to turn on network participation. Turning on Network Participation To turn on network participation, follow t[...]

  • Page 347

    10-13 Chapter 10 Configuring Global Correlation Troubleshooting Global Correlation Step 7 Press Enter to apply your changes or enter no to discard them. For More Information For more information about participating in the SensorBase Network, see Pa[...]

  • Page 348

    10-14 Chapter 10 Configuring Global Correlation Displaying Global Correlation Statistics – full — All data is contributed to the SensorBase network. Disabling Global Correlation To disable global correlation features, follow these steps: Step [...]

  • Page 349

    10-15 Chapter 10 Configuring Global Correlation Displaying Global Correlation Statistics Network Participation: Counters: Total Connection Attempts = 4347 Total Connection Failures = 155 Connection Failures Since Last Success = 0 Connection History: Conn[...]

  • Page 350

    10-16 Chapter 10 Configuring Global Correlation Displaying Global Correlation Statistics[...]

  • Page 351

    11-1 CHAPTER 11 Configuring External Product Interfaces This chapter explains how to configure external product interfaces. It contains the following sections: • External Product Interface Notes and Caveats, page 11-1 • Understanding Externa[...]

  • Page 352

    11-2 Chapter 11 Configuring External Product Interfaces Understanding the CSA MC Understanding the CSA MC The CSA MC enforces a security policy on network hosts. It has two components: • Agents that reside on and protect network hosts. • Managem[...]

  • Page 353

    11-3 Chapter 11 Configuring External Product Interfaces External Product Interface Issues Note You can only enable two CSA MC interfaces. Caution You must add the CSA MC as a trusted host so the sensor can communicate with it. For More Informati[...]

  • Page 354

    11-4 Chapter 11 Configuring External Product Interfaces Configuring the CSA MC to Support the IPS Interface Configuring the CSA MC to Support the IPS Interface Note For more detailed information about host posture events and quarantined IP address eve[...]

  • Page 355

    11-5 Chapter 11 Configuring External Product Interfaces Adding External Product Interfaces and Posture ACLs The following options apply: • enabled {yes | no}—Enables/disables the receipt of information from the CSA MC. • host-posture-setting[...]

  • Page 356

    11-6 Chapter 11 Configuring External Product Interfaces Adding External Product Interfaces and Posture ACLs sensor(config)# service external-product-interface Step 3 Add the CSA MC interface. sensor(config-ext)# cisco-security-agents-mc-settings 209.[...]

  • Page 357

    11-7 Chapter 11 Configuring External Product Interfaces Adding External Product Interfaces and Posture ACLs Step 9 (Optional) Allow the host posture information from unreachable hosts to be passed from the external product to the sensor. sensor(c[...]

  • Page 358

    11-8 Chapter 11 Configuring External Product Interfaces Troubleshooting External Product Interfaces ----------------------------------------------- NAME: name1 ----------------------------------------------- network-address: 192.0.2.0/24 action: permit[...]

  • Page 359

    12-1 CHAPTER 12 Configuring IP Logging This chapter describes how to configure IP logging on the sensor. It contains the following sections: • Understanding IP Logging, page 12-2 • Configuring Automatic IP Logging, page 12-2 • Configuring[...]

  • Page 360

    12-2 Chapter 12 Configuring IP Logging Understanding IP Logging Understanding IP Logging You can manually configure the sensor to capture all IP traffic associated with a host you specify by IP address. You can specify how long you want the IP [...]

  • Page 361

    12-3 Chapter 12 Configuring IP Logging Configuring Manual IP Logging for a Specific IP Address Configuring Automatic IP Logging To configure automatic IP logging parameters, follow these steps: Step 1 Log in to the CLI using an account with administrat[...]

  • Page 362

    12-4 Chapter 12 Configuring IP Logging Configuring Manual IP Logging for a Specific IP Address • minutes—Specifies the duration the logging should be active. The valid range is 1 to 60 minutes. The default is 10 minutes. • numPackets—Specifi[...]

  • Page 363

    12-5 Chapter 12 Configuring IP Logging Displaying the Contents of IP Logs • To copy and view an IP log file, see Copying IP Log Files to Be Viewed, page 12-7. Displaying the Contents of IP Logs Use the iplog-status [log-id log_id] [brief] [rever[...]

  • Page 364

    12-6 Chapter 12 Configuring IP Logging Stopping Active IP Logs Step 3 Display a brief list of all IP logs. sensor# iplog-status brief Log ID VS IP Address1 Status Event ID Start Date 2425 vs0 192.0.2.10 started N/A 2003/07/30 2342 vs0 192.0.2.20 completed 209[...]

  • Page 365

    12-7 Chapter 12 Configuring IP Logging Copying IP Log Files to Be Viewed Step 3 Stop all IP logging sessions on a virtual sensor. sensor# no iplog name vs0 Step 4 Verify that IP logging has been stopped. When the logs are stopped, the status shows t[...]

  • Page 366

    12-8 Chapter 12 Configuring IP Logging Copying IP Log Files to Be Viewed Packets Captured: 1039438 Log ID: 2342 IP Address: 192.0.2.2 Virtual Sensor: vs0 Status: completed Event ID: 209348 Start Time: 2003/07/30 18:24:18 2002/07/30 12:24:18 CST End Time: 2003[...]

  • Page 367

    13-1 CHAPTER 13 Displaying and Capturing Live Traffic on an Interface This chapter describes how to display, capture, copy, and erase packet files. It contains the following sections: • Packet Display And Capture Notes and Caveats, p[...]

  • Page 368

    13-2 Chapter 13 Displaying and Capturing Live Traffic on an Interface Understanding Packet Display and Capture Understanding Packet Display and Capture You can display or capture live traffic from an interface and have the live traffic or a pre[...]

  • Page 369

    13-3 Chapter 13 Displaying and Capturing Live Traffic on an Interface Displaying Live Traffic on an Interface Start: yyyy/mm/dd hh:mm:ss zone, End: yyyy/mm/dd hh:mm:ss zone or in-progress. Where user = the username of user initiating capture, id = the CLI[...]

  • Page 370

    13-4 Chapter 13 Displaying and Capturing Live Traffic on an Interface Capturing Live Traffic on an Interface 03:43:05.694402 IP (tos 0x10, ttl 64, id 55469, offset 0, flags [DF], length: 292) 10.89.147.31.22 > 10.89.147.50.41805: P [tcp sum ok] 1864:21[...]

  • Page 371

    13-5 Chapter 13 Displaying and Capturing Live Traffic on an Interface Capturing Live Traffic on an Interface The packet capture command captures the libpcap output into a local file. Use the packet display packet-file [verbose] [expression ex[...]

  • Page 372

    13-6 Chapter 13 Displaying and Capturing Live Traffic on an Interface Copying the Packet File 03:03:15.218814 802.1d config TOP_CHANGE 8000.00:04:9a:66:35:01.8025 root 8000.00:04:6d:f9:e8:82 pathcost 8 age 2 max 20 hello 2 fdelay 15 03:03:15.546866 IP 64[...]

  • Page 373

    13-7 Chapter 13 Displaying and Capturing Live Traffic on an Interface Erasing the Packet File Note The exact format of the source and destination URLs varies according to the file. – ftp:—Destination URL for an FTP network server. The syntax[...]

  • Page 374

    13-8 Chapter 13 Displaying and Capturing Live Traffic on an Interface Erasing the Packet File[...]

  • Page 375

    14-1 CHAPTER 14 Configuring Attack Response Controller for Blocking and Rate Limiting This chapter provides information for setting up the ARC to perform blocking and rate limiting on the sensor. It contains the following sections: • Blocking Notes and Ca[...]

  • Page 376

    14-2 Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting Understanding Blocking • Do not confuse blocking with the ability of the sensor to drop packets. The sensor can drop packets when the following actions are conf[...]

  • Page 377

    14-3 Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting Understanding Blocking is configured for VLAN A, but is blocking on a different security appliance customer context that is configured for VLAN B. Addresses tha[...]

  • Page 378

    14-4 Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting Understanding Rate Limiting • How long you want the blocks to last. Tip To check the status of the ARC, type show statistics network-access at the sensor#. The o[...]

  • Page 379

    14-5 Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting Understanding Service Policies for Rate Limiting Tip To check the status of the ARC, type show statistics network-access at the sensor#. The output shows the dev[...]

  • Page 380

    14-6 Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting Supported Devices Before you configure the ARC for blocking or rate limiting, make sure you do the following: • Analyze your network topology to understand which[...]

  • Page 381

    14-7 Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting Configuring Blocking Properties Note We support VACL blocking on the Supervisor Engine and ACL blocking on the MSFC. • PIX Firewall with version 6.0 or lat[...]

  • Page 382

    14-8 Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting Configuring Blocking Properties • Enabling Writing to NVRAM, page 14-15 • Logging All Blocking Events and Errors, page 14-16 • Configuring the Maximum Number [...]

  • Page 383

    14-9 Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting Disabling Blocking Step 6 Configure the sensor not to block itself. sensor(config-net-gen)# allow-sensor-block false Step 7 Verify the setting. sensor(config-net-gen)# [...]

  • Page 384

    14-10 Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting Disabling Blocking Note While blocking is disabled, the ARC continues to receive blocks and track the time on active blocks, but will not apply new blocks or remov[...]

  • Page 385

    14-11 Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting Disabling Blocking enable-acl-logging: false <defaulted> allow-sensor-block: false default: false block-enable: true default: true block-max-entries: 100 default:[...]

  • Page 386

    14-12 Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting Disabling Blocking Step 1 Log in to the CLI using an account with administrator privileges. Step 2 Enter network access submode. sensor# configure terminal sensor(con[...]

  • Page 387

    14-13 Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting Disabling Blocking ----------------------------------------------- ip-address: 192.0.2.1 ----------------------------------------------- -------------------------------[...]

  • Page 388

    14-14 Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting Disabling Blocking global-summarization-status: Enabled <defaulted> global-metaevent-status: Enabled <defaulted> global-deny-timeout: 3600 <defaulted> g[...]

  • Page 389

    14-15 Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting Disabling Blocking Step 6 Disable ACL logging by using the false keyword. sensor(config-net-gen)# enable-acl-logging false Step 7 Verify that ACL logging is disabled[...]

  • Page 390

    14-16 Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting Disabling Blocking general ----------------------------------------------- log-all-block-events-and-errors: true <defaulted> enable-nvram-write: true default: false[...]

  • Page 391

    14-17 Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting Disabling Blocking Step 4 Disable blocking event and error logging. sensor(config-net-gen)# log-all-block-events-and-errors false Step 5 Verify that logging is disa[...]

  • Page 392

    14-18 Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting Disabling Blocking To configure the maximum number of blocking interfaces, follow these steps: Step 1 Log in to the CLI using an account with administrator privi[...]

  • Page 393

    14-19 Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting Disabling Blocking Configuring Addresses Never to Block Use the never-block-hosts and the never-block-networks commands in the service network access submode to c[...]

  • Page 394

    14-20 Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting Configuring User Profiles ----------------------------------------------- ----------------------------------------------- never-block-hosts (min: 0, max: 250, current: 2) [...]

  • Page 395

    14-21 Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting Configuring Blocking and Rate Limiting Devices Enter password[]: ******** Re-enter password ******** Step 6 Specify the enable password for the user. sensor(con[...]

  • Page 396

    14-22 Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting Configuring Blocking and Rate Limiting Devices Note The ARC reads the lines in the ACL and copies these lines to the beginning of the ACL. 3. Any active blocks. 4.[...]

  • Page 397

    14-23 Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting Configuring Blocking and Rate Limiting Devices Routers and ACLs Note Pre-Block and Post-Block ACLs do not apply to rate limiting. You create and save Pre-Block [...]

  • Page 398

    14-24 Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting Configuring Blocking and Rate Limiting Devices Step 5 Specify the method used to access the sensor. If unspecified, SSH 3DES is used. sensor(config-net-rou)# communi[...]

  • Page 399

    14-25 Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting Configuring Blocking and Rate Limiting Devices direction: in ----------------------------------------------- pre-acl-name: <defaulted> post-acl-name: <defa[...]

  • Page 400

    14-26 Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting Configuring Blocking and Rate Limiting Devices The Post-Block VACL is best used for additional blocking or permitting that you want to occur on the same VLAN. If you[...]

  • Page 401

    14-27 Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting Configuring Blocking and Rate Limiting Devices Note This changes the IP address in the first line of the ACL from the IP address of the sensor to the NAT a[...]

  • Page 402

    14-28 Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting Configuring the Sensor to be a Master Blocking Sensor Note If you are using 3DES, you must use the command ssh host-key ip_address to accept the key or the ARC can [...]

  • Page 403

    14-29 Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting Configuring the Sensor to be a Master Blocking Sensor If the master blocking sensor requires TLS for web connections, you must configure the ARC of the blocking [...]

  • Page 404

    14-30 Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting Configuring the Sensor to be a Master Blocking Sensor Example sensor(config)# tls trusted-host ip-address 192.0.2.1 port 8080 Certificate MD5 fingerprint is F4:4A:[...]

  • Page 405

    14-31 Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting Configuring Host Blocking Step 13 Press Enter to apply the changes or enter no to discard them. Step 14 On the master blocking sensor, add the block forwarding se[...]

  • Page 406

    14-32 Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting Configuring Connection Blocking Use the block network ip-address/netmask [timeout minutes] command in privileged EXEC mode to block a network. Use the no for[...]

  • Page 407

    14-33 Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting Obtaining a List of Blocked Hosts and Connections Blocking a Connection To block a connection, follow these steps: Step 1 Log in to the CLI using an account wi[...]

  • Page 408

    14-34 Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting Obtaining a List of Blocked Hosts and Connections BlockMinutes = 80 MinutesRemaining = 76[...]

  • Page 409

    15-1 CHAPTER 15 Configuring SNMP This chapter describes how to configure SNMP, and contains the following sections: • SNMP Notes and Caveats, page 15-1 • Understanding SNMP, page 15-1 • Configuring SNMP, page 15-2 • Configuring SNM[...]

  • Page 410

    15-2 Chapter 15 Configuring SNMP Configuring SNMP You can configure the sensor to send SNMP traps. SNMP traps enable an agent to notify the management station of significant events by way of an unsolicited SNMP message. Trap-directed notifi[...]

  • Page 411

    15-3 Chapter 15 Configuring SNMP Configuring SNMP Configuring SNMP General Parameters To configure SNMP general parameters, follow these steps: Step 1 Log in to the CLI using an account with administrator privileges. Step 2 Enter notification submode. s[...]

  • Page 412

    15-4 Chapter 15 Configuring SNMP Configuring SNMP Traps ----------------------------------------------- ----------------------------------------------- error-filter: error|fatal <defaulted> enable-detail-traps: false <defaulted> enable-notifica[...]

  • Page 413

    15-5 Chapter 15 Configuring SNMP Configuring SNMP Traps • trap-destinations—Defines the destinations to send error events and alert events generated from signature actions: – trap-community-name—Specifies the community name used when s[...]

  • Page 414

    15-6 Chapter 15 Configuring SNMP Supported MIBS Note The community string appears in the trap and is useful if you are receiving multiple types of traps from multiple agents. For example, a router or sensor could be sending the traps, and if you [...]

  • Page 415

    15-7 Chapter 15 Configuring SNMP Supported MIBS Note MIB II is available on the sensor, but we do not support it. We know that some elements are not correct (for example, the packet counts from the IF MIB on the sensing interfaces). While you can [...]

  • Страница 416

    15-8 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chap ter 15 C onfigur ing SNMP Supported M IBS[...]

  • Страница 417

    CHAPTER 16 Working With Configuration Files (FIRST REVIEW — CISCO CONFIDENTIAL) 16-1. This chapter describes how to use commands that show, copy, and erase the configuration file. It contains the following sections: • Displaying the Curr[...]

  • Page 418

    16-2 Chapter 16 Working With Configuration Files. Displaying the Current Configuration. physical-interfaces GigabitEthernet0/0 admin-state enabled exit physical-interfaces GigabitEthernet0/1 admin-state enabled exit inli[...]

  • Page 419

    16-3 Chapter 16 Working With Configuration Files. Displaying the Current Submode Configuration. ! ------------------------------ service aaa exit ! ------------------------------ service analysis-engine virtual-sensor vs0[...]

  • Page 420

    16-4 Chapter 16 Working With Configuration Files. Displaying the Current Submode Configuration. action: rotate <defaulted> schedule ----------------------------------------------- periodic-schedule -----------------[...]

  • Page 421

    16-5 Chapter 16 Working With Configuration Files. Displaying the Current Submode Configuration. ----------------------------------------------- ----------------------------------------------- default-thresholds ----------[...]

  • Page 422

    16-6 Chapter 16 Working With Configuration Files. Displaying the Current Submode Configuration. <protected entry> dest-ip-bin: high <defaulted> num-source-ips: 1 <defaulted> -----------------------------[...]

  • Page 423

    16-7 Chapter 16 Working With Configuration Files. Displaying the Current Submode Configuration. scanner-threshold: 100 <defaulted> threshold-histogram (min: 0, max: 3, current: 3) -----------------------------------[...]

  • Page 424

    16-8 Chapter 16 Working With Configuration Files. Displaying the Current Submode Configuration. sensor(config-rul)# show settings variables (min: 0, max: 256, current: 0) ----------------------------------------------- --[...]

  • Page 425

    16-9 Chapter 16 Working With Configuration Files. Displaying the Current Submode Configuration. status: red <defaulted> ----------------------------------------------- bypass-policy ---------------------------------[...]

  • Page 426

    16-10 Chapter 16 Working With Configuration Files. Displaying the Current Submode Configuration. Step 9 Display the current configuration of the service host submode. sensor# configure terminal sensor(config)# servic[...]

  • Page 427

    16-11 Chapter 16 Working With Configuration Files. Displaying the Current Submode Configuration. ----------------------------------------------- ----------------------------------------------- <protected entry> name[...]

  • Page 428

    16-12 Chapter 16 Working With Configuration Files. Displaying the Current Submode Configuration. ----------------------------------------------- none ----------------------------------------------- -----------------------[...]

  • Page 429

    16-13 Chapter 16 Working With Configuration Files. Displaying the Current Submode Configuration. idle-interface-delay: 30 seconds <defaulted> ----------------------------------------------- sensor(config-int)# exit [...]

  • Page 430

    16-14 Chapter 16 Working With Configuration Files. Displaying the Current Submode Configuration. Step 12 Display the current configuration for the service network access submode. sensor# configure terminal sensor([...]

  • Page 431

    16-15 Chapter 16 Working With Configuration Files. Displaying the Current Submode Configuration. enable-notifications: false <defaulted> enable-set-get: false <defaulted> snmp-agent-port: 161 <defaulted>[...]

  • Page 432

    16-16 Chapter 16 Working With Configuration Files. Filtering the Current Configuration Output. common-name: 10.89.130.108 certificate: MIICJDCCAY0CCPbSkgXUchJIMA0GCSqGSIb3DQEBBQUAMFcxCzAJBgNVBAYTA lVTMRwwGgYDVQQKExNDaXNj[...]

  • Page 433

    16-17 Chapter 16 Working With Configuration Files. Filtering the Current Configuration Output. Filtering Using the More Command. To filter the more command, follow these steps: Step 1 Log in to the CLI using an account [...]

  • Page 434

    16-18 Chapter 16 Working With Configuration Files. Filtering the Current Submode Configuration Output. access-list 10.0.0.0/8 access-list 64.0.0.0/8 exit time-zone-settings --MORE-- Note: Press Ctrl-C to stop the output [...]

  • Page 435

    16-19 Chapter 16 Working With Configuration Files. Displaying the Contents of a Logical File. global-summarization-status: Enabled <defaulted> global-metaevent-status: Enabled <defaulted> global-deny-timeout: 3[...]

  • Page 436

    16-20 Chapter 16 Working With Configuration Files. Displaying the Contents of a Logical File. Use the more keyword command to display the contents of a logical file, such as the current system configuration[...]

  • Page 437

    16-21 Chapter 16 Working With Configuration Files. Displaying the Contents of a Logical File. dns-primary-server disabled dns-secondary-server disabled dns-tertiary-server disabled exit exit ! -----------------------------[...]

  • Page 438

    16-22 Chapter 16 Working With Configuration Files. Backing Up and Restoring the Configuration File Using a Remote Server. Note: We recommend copyi[...]

  • Page 439

    16-23 Chapter 16 Working With Configuration Files. Backing Up and Restoring the Configuration File Using a Remote Server. – https:—Source URL for the web server. The syntax for this prefix is: https://[[use[...]

  • Page 440

    16-24 Chapter 16 Working With Configuration Files. Creating and Using a Backup Configuration File. For More Information: • For the procedure for adding the remote host to the SSH known host list, see Adding Hosts [...]

  • Page 441

    16-25 Chapter 16 Working With Configuration Files. Erasing the Configuration File. User accounts will not be erased. They must be removed manually using the "no username" command. Continue? []: Step 2 Press Enter t[...]

  • Page 442

    16-26 Chapter 16 Working With Configuration Files. Erasing the Configuration File[...]

  • Page 443

    CHAPTER 17 Administrative Tasks for the Sensor 17-1. This chapter contains procedures that will help you with the administrative aspects of your sensor. It contains the following sections: • Administrative Notes and Caveats, page 17-2 • Reco[...]

  • Page 444

    17-2 Chapter 17 Administrative Tasks for the Sensor. Administrative Notes and Caveats. The following notes and caveats apply to administrative tasks for the sensor: • Administrators may need to disable the passwo[...]

  • Page 445

    17-3 Chapter 17 Administrative Tasks for the Sensor. Recovering the Password. Table 17-1 lists the password recovery methods according to platform. Recovering the Password for the Appliance. This section describes the two ways to recover the password [...]

  • Page 446

    17-4 Chapter 17 Administrative Tasks for the Sensor. Recovering the Password. Using ROMMON. For the IPS 4345, IPS 4360, IPS 4510, and IPS 4520, you can use the ROMMON to recover the password. To access the ROMMON CLI, reboot the sensor from a termin[...]

  • Page 447

    17-5 Chapter 17 Administrative Tasks for the Sensor. Recovering the Password. To reset the password on the ASA 5500-X IPS SSP, follow these steps: Step 1 Log into the adaptive security appliance and enter the following command: asa# sw-module module[...]

  • Page 448

    17-6 Chapter 17 Administrative Tasks for the Sensor. Recovering the Password. A summary of U.S. laws governing Cisco cryptographic products may be found at: http://www.cisco.com/wwl/export/crypto/tool/stqrg.html If you require further assistance please conta[...]

  • Page 449

    17-7 Chapter 17 Administrative Tasks for the Sensor. Recovering the Password. Step 3 Verify the status of the module. Once the status reads Up, you can session to the ASA 5585-X IPS SSP. asa# show module 1 Mod Card Type Model Serial No. --- ----------[...]

  • Page 450

    17-8 Chapter 17 Administrative Tasks for the Sensor. Recovering the Password. Using the ASDM. To reset the password in the ASDM, follow these steps: Step 1 From the ASDM menu bar, choose Tools > IPS Password Reset. Note: This option does not appear i[...]

  • Page 451

    17-9 Chapter 17 Administrative Tasks for the Sensor. Clearing the Sensor Databases. Step 3 To disable password recovery, uncheck the Allow Password Recovery check box. Verifying the State of Password Recovery. Use the show settings | include password[...]

  • Page 452

    17-10 Chapter 17 Administrative Tasks for the Sensor. Clearing the Sensor Databases. The following options apply: • virtual-sensor—Specifies the name of a virtual sensor configured on the sensor. • all—Clears all nodes, inspectors, and[...]

  • Page 453

    17-11 Chapter 17 Administrative Tasks for the Sensor. Displaying the Inspection Load of the Sensor. Use the show inspection-load command in privileged EXEC mode to display a timestamp and the current inspec[...]

  • Page 454

    17-12 Chapter 17 Administrative Tasks for the Sensor. Displaying the Inspection Load of the Sensor. 10 ************************************************************ 0.........1.........2.........3.........4.........5.........6 Inspection Load Percentage (la[...]

  • Page 455

    17-13 Chapter 17 Administrative Tasks for the Sensor. Configuring Health Status Information. Inspection Load Percentage (last 72 hours) *=maximum #=average sensor# Configuring Health Status Information. Configure the health statistics for the sensor in servi[...]

  • Page 456

    17-14 Chapter 17 Administrative Tasks for the Sensor. Configuring Health Status Information. • memory-usage-policy {enable | disable} {true | false} red-threshold yellow-threshold—Lets you set a threshold percentage for memory usage and whet[...]

  • Page 457

    17-15 Chapter 17 Administrative Tasks for the Sensor. Configuring Health Status Information. sensor(config-hea-app)# status red sensor(config-hea-app)# exit sensor(config-hea)# Step 4 Enable the metrics for bypass policy. sensor(config-hea)# bypass-policy se[...]

  • Page 458

    17-16 Chapter 17 Administrative Tasks for the Sensor. Configuring Health Status Information. Step 12 Set the threshold for memory usage. sensor(config-hea)# memory-usage-policy sensor(config-hea-mem)# enable true sensor(config-hea-mem)# red-threshold 100 s[...]

  • Page 459

    17-17 Chapter 17 Administrative Tasks for the Sensor. Showing Sensor Overall Health Status. enable: true default: true yellow-threshold: 20 percent default: 1 red-threshold: 50 percent default: 6 ----------------------------------------------- memory-usage-p[...]

  • Page 460

    17-18 Chapter 17 Administrative Tasks for the Sensor. Creating a Banner Login. To display the overall health status of the sensor, follow these steps: Step 1 Log in to the CLI. Step 2 Show the health and security status of the sensor. sensor# show he[...]

  • Page 461

    17-19 Chapter 17 Administrative Tasks for the Sensor. Terminating CLI Sessions. Step 5 Remove the banner login. The banner no longer appears at login. sensor(config)# no banner login Terminating CLI Sessions. Caution: You can only clear CLI login session[...]

  • Page 462

    17-20 Chapter 17 Administrative Tasks for the Sensor. Modifying Terminal Properties. sensor# The user jsmith receives the following message from the administrator jtaylor. sensor# *** *** *** Termination request from jtaylor *** Sorry! I need to term[...]

  • Page 463

    17-21 Chapter 17 Administrative Tasks for the Sensor. Configuring Events. Displaying Events. Note: The Event Store has a fixed size of 30 MB for all platforms. Note: Events are displayed as a live feed. To cancel the request, press Ctrl-C. Use[...]

  • Page 464

    17-22 Chapter 17 Administrative Tasks for the Sensor. Configuring Events. Displaying Events. To display events from the Event Store, follow these steps: Step 1 Log in to the CLI. Step 2 Display all events starting now. The feed continues showing [...]

  • Page 465

    17-23 Chapter 17 Administrative Tasks for the Sensor. Configuring Events. appInstanceId: 367 time: 2011/03/02 14:15:59 2011/03/02 14:15:59 UTC signature: description=Nachi Worm ICMP Echo Request id=2156 version=S54 subsigId: 0 sigDetails: Nachi ICMP interface[...]

  • Page 466

    17-24 Chapter 17 Administrative Tasks for the Sensor. Configuring the System Clock. sensor# clear events Warning: Executing this command will remove all events currently stored in the event store. Continue with clear? []: Step 3 Enter yes to clear the even[...]

  • Page 467

    17-25 Chapter 17 Administrative Tasks for the Sensor. Clearing the Denied Attackers List. No time source Summer time starts 03:00:00 UTC Sun Mar 09 2011 Summer time stops 01:00:00 UTC Sun Nov 02 2011 Manually Setting the System Clock. Note: You do not ne[...]

  • Page 468

    17-26 Chapter 17 Administrative Tasks for the Sensor. Clearing the Denied Attackers List. Displaying and Deleting Denied Attackers. To display the list of denied attackers and delete the list and clear the statistics, follow these steps: Step 1 Log[...]

  • Page 469

    17-27 Chapter 17 Administrative Tasks for the Sensor. Displaying Policy Lists. Name of current Event-Action-Rules instance = rules0 List of interfaces monitored by this virtual sensor = mypair Denied Address Information Number of Active Denied Attackers = 0 N[...]

  • Page 470

    17-28 Chapter 17 Administrative Tasks for the Sensor. Displaying Statistics. Step 3 Display the list of policies for event action rules. sensor# list event-action-rules-configurations Event Action Rules Instance Size Virtual Sensor rules0 112 vs0 rules1 14[...]

  • Page 471

    17-29 Chapter 17 Administrative Tasks for the Sensor. Displaying Statistics. Thread 5 sec 1 min 5 min 0 1 1 1 1 1 1 1 2 1 1 1 3 1 1 1 4 1 1 1 5 1 1 1 6 1 1 1 Average 1 1 1 The rate of TCP connections tracked per second = 0 The rate of packets per second = 0 [...]

  • Page 472

    17-30 Chapter 17 Administrative Tasks for the Sensor. Displaying Statistics. SigVersion = 645.0 DatabaseRecordCount = 0 DatabaseVersion = 0 RuleVersion = 0 ReputationFilterVersion = 0 AlertsWithHit = 0 AlertsWithMiss = 0 AlertsWithModifiedRiskRating = 0 Ale[...]

  • Page 473

    17-31 Chapter 17 Administrative Tasks for the Sensor. Displaying Statistics. TCPMissedPacketsDueToUpdate = 0 UDPMissedPacketsDueToUpdate = 0 MemorySize = 1073741824 HostDirectMemSize = 0 MaliciousSiteDenyHitCounts MaliciousSiteDenyHitCountsAUDIT Ethernet Con[...]

  • Page 474

    17-32 Chapter 17 Administrative Tasks for the Sensor. Displaying Statistics. Denied Attackers with percent denied and hit count for each. Denied Attackers with percent denied and hit count for each. Statistics for Virtual Sensor vs1 Denied Attackers with pe[...]

  • Page 475

    17-33 Chapter 17 Administrative Tasks for the Sensor. Displaying Statistics. sensor# Step 8 Display the statistics for global correlation. sensor# show statistics global-correlation Network Participation: Counters: Total Connection Attempts = 0 Total Connect[...]

  • Page 476

    17-34 Chapter 17 Administrative Tasks for the Sensor. Displaying Statistics. lastInstallAttempt = N/A nextAttempt = N/A Auxilliary Processors Installed sensor# Step 10 Display the statistics for the logging application. sensor# show statistics logger The nu[...]

  • Page 477

    17-35 Chapter 17 Administrative Tasks for the Sensor. Displaying Statistics. NetDevice Type = CAT6000_VACL IP = 192.0.2.1 NATAddr = 0.0.0.0 Communications = telnet BlockInterface InterfaceName = 502 InterfacePreBlock = Pre_Acl_Test BlockInterface InterfaceNa[...]

  • Page 478

    17-36 Chapter 17 Administrative Tasks for the Sensor. Displaying Statistics. Step 12 Display the statistics for the notification application. sensor# show statistics notification General Number of SNMP set requests = 0 Number of SNMP get requests = 0 Numbe[...]

  • Page 479

    17-37 Chapter 17 Administrative Tasks for the Sensor. Displaying Statistics. Total IPv6 Fragment packets processed since reset = 0 Total IPv6 Routing Header packets processed since reset = 0 Total IPv6 ICMP packets processed since reset = 0 Total packets tha[...]

  • Page 480

    17-38 Chapter 17 Administrative Tasks for the Sensor. Displaying Statistics. Number of complete datagrams reassembled since last reset = 0 Fragments hitting too many fragments condition since last reset = 0 Number of overlapping fragments since last reset =[...]

  • Page 481

    17-39 Chapter 17 Administrative Tasks for the Sensor. Displaying Statistics. last request method = GET last request URI = cgi-bin/sdee-server last protocol version = HTTP/1.1 session state = processingGetServlet number of server session requests handled = 95[...]

  • Page 482

    17-40 Chapter 17 Administrative Tasks for the Sensor. Displaying Tech Support Information. Note: The show tech-support command now displays historical interface data for each interface for the past 72 hours. Use [...]

  • Page 483

    17-41 Chapter 17 Administrative Tasks for the Sensor. Displaying Version Information. Example: To send the tech support output to the file /absolute/reports/sensor1Report.html: sensor# show tech support dest ftp://csidsuser@10.2.1.2//absolute/reports/se[...]

  • Page 484

    17-42 Chapter 17 Administrative Tasks for the Sensor. Displaying Version Information. CollaborationApp V-2013_04_10_11_00_7_2_0_14 (Release) 2013-04-10T11:05:55-0500 Running CLI V-2013_04_10_11_00_7_2_0_14 (Release) 2013-04-10T11:05:55-0500 Upgrade History:[...]

  • Page 485

    17-43 Chapter 17 Administrative Tasks for the Sensor. Diagnosing Network Connectivity. dns-tertiary-server disabled exit exit ! ------------------------------ service logger exit ! ------------------------------ service network-access exit ! ----------------[...]

  • Page 486

    17-44 Chapter 17 Administrative Tasks for the Sensor. Resetting the Appliance. To diagnose basic network connectivity, follow these steps: Step 1 Log in to the CLI. Step 2 Ping the address you are interested in. The count is the number of echo requ[...]

  • Page 487

    17-45 Chapter 17 Administrative Tasks for the Sensor. Displaying Command History. sensor# Step 4 Stop all applications and power down the appliance. sensor# reset powerdown Warning: Executing this command will stop all applications and power off the node [...]

  • Page 488

    17-46 Chapter 17 Administrative Tasks for the Sensor. Displaying Hardware Inventory. Use the show inventory command to display PEP information. This command displays the UDI information that consists of the PID, the VID, [...]

  • Page 489

    17-47 Chapter 17 Administrative Tasks for the Sensor. Displaying Hardware Inventory. Name: "Chassis", DESCR: "ASA 5585-X" PID: ASA5585 , VID: V02, SN: JMX1552705O Name: "power supply 0", DESCR: "ASA 5585-X AC Power Supply"[...]

  • Page 490

    17-48 Chapter 17 Administrative Tasks for the Sensor. Tracing the Route of an IP Packet. Name: "power supply 2", DESCR: "IPS4360 AC Power Supply " PID: IPS-4360-PWR-AC , VID: 0700A, SN: 25Y1Y9 sensor# show inventory Name: "power supp[...]

  • Page 491

    17-49 Chapter 17 Administrative Tasks for the Sensor. Displaying Submode Settings. Use the show settings [terse] command in any submode to view the contents of the current configuration. To display the current configura[...]

  • Page 492

    17-50 Chapter 17 Administrative Tasks for the Sensor. Displaying Submode Settings. password: <hidden> username: <defaulted> ----------------------------------------------- profile-name: fwsm ----------------------------------------------- enable[...]

  • Page 493

    17-51 Chapter 17 Administrative Tasks for the Sensor. Displaying Submode Settings. ----------------------------------------------- ip-address: 192.0.2.25 ----------------------------------------------- communication: telnet default: ssh-3des nat-address: [...]

  • Page 494

    17-52 Chapter 17 Administrative Tasks for the Sensor. Displaying Submode Settings. profile-name: 2admin profile-name: r7200 profile-name: insidePix profile-name: qatest profile-name: fwsm profile-name: outsidePix profile-name: cat profile-name: rcat profile[...]

  • Page 495

    CHAPTER 18 Configuring the ASA 5500-X IPS SSP 18-1. This chapter contains procedures that are specific to configuring the ASA 5500-X IPS SSP. It contains the following sections: • Notes and Caveats for ASA 5500-X IPS SSP, page 18-1 • Conf[...]

  • Page 496

    18-2 Chapter 18 Configuring the ASA 5500-X IPS SSP. Configuration Sequence for the ASA 5500-X IPS SSP. • The ASA 5500-X IPS SSP (except the ASA 5512-X IPS SSP and the ASA 5515-X IPS SSP) supports the String ICMP XL, String TCP XL, and String UDP XL eng[...]

  • Page 497

    18-3 Chapter 18 Configuring the ASA 5500-X IPS SSP. Verifying Initialization for the ASA 5500-X IPS SSP. • For the procedures for configuring intrusion prevention, see Chapter 8, “Configuring Event Action Rules,” Chapter 7, “Defining Si[...]

  • Page 498

    18-4 Chapter 18 Configuring the ASA 5500-X IPS SSP. Creating Virtual Sensors for the ASA 5500-X IPS SSP. This section describes how to create virtual sensors on the ASA 5500-X IPS SSP, and contains the fo[...]

  • Page 499

    18-5 Chapter 18 Configuring the ASA 5500-X IPS SSP. Creating Virtual Sensors for the ASA 5500-X IPS SSP. Use the virtual-sensor name command in service analysis engine submode to create virtual sensors on the ASA 5500-X IPS SSP. You assign policies (anomaly[...]

  • Page 500

    18-6 Chapter 18 Configuring the ASA 5500-X IPS SSP. Creating Virtual Sensors for the ASA 5500-X IPS SSP. Step 7 Assign a signature definition policy to this virtual sensor. If you do not want to use the default signature definition policy, sig0, you must[...]

  • Page 501

    18-7 Chapter 18 Configuring the ASA 5500-X IPS SSP. Creating Virtual Sensors for the ASA 5500-X IPS SSP. Assigning Virtual Sensors to Adaptive Security Appliance Contexts. After you create virtual sensors on the ASA 5500-X IPS SSP, you must assign the vi[...]

  • Page 502

    18-8 Chapter 18 Configuring the ASA 5500-X IPS SSP. Creating Virtual Sensors for the ASA 5500-X IPS SSP. Sensor Name Sensor ID ----------- --------- vs0 1 vs1 2 asa# Step 3 Enter configuration mode. asa# configure terminal asa(config)# Step 4 Enter multiple m[...]

  • Page 503

    18-9 Chapter 18 Configuring the ASA 5500-X IPS SSP. The ASA 5500-X IPS SSP and Bypass Mode. Step 7 Configure MPF for each context. Note: The following example shows context 3 (c3). asa(config)# context c3 asa/c3(config)# class-map any asa/c3(config-cmap)# m[...]

  • Page 504

    18-10 Chapter 18 Configuring the ASA 5500-X IPS SSP. The ASA 5500-X IPS SSP and the Normalizer Engine. The SensorApp is Reconfigured. The following occurs when the SensorApp is reconfigured: • If set to fail-open, the adaptive security appliance p[...]

  • Page 505

    18-11 Chapter 18 Configuring the ASA 5500-X IPS SSP. The ASA 5500-X IPS SSP and Jumbo Packets. For More Information: For detailed information about the Normalizer engine, see Normalizer Engine, page B-36. The ASA 5500-X IPS SSP and Jumbo Packets. The jumb[...]

  • Page 506

    18-12 Chapter 18 Configuring the ASA 5500-X IPS SSP. Health and Status Information. Use the following commands to reload, shut down, reset, recover the password, and recover the ASA 5500-X IPS SSP directly from the adaptive security appliance: • sw-modu[...]

  • Page 507

    18-13 Chapter 18 Configuring the ASA 5500-X IPS SSP. Health and Status Information. Firmware version: N/A Software version: 7.2(1)E4 MAC Address Range: 503d.e59c.7ca0 to 503d.e59c.7ca0 App. name: IPS App. Status: Up App. Status Desc: Normal Operation App. versio[...]

  • Страница 508

    18-14 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 18 Configuri ng the ASA 5500-X IPS SSP Health and Sta tus Informatio n Mod-ips 251> -NG-1.4.1) ) #56 SMP Tue Dec 6 00:46:11 CST 2011 Mod-ips 252> Command line: ro initfsDev=/dev/hda1 init=loader.run rootrw=/dev/hda2 initfs=runti Mod-ips 253[...]

  • Страница 509

    18-15 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 18 Configuring the ASA 5500-X IPS SSP Health and Status Information Mod-ips 313> ACPI: INT_SRC_OVR (bus 0 bus_irq 5 global_irq 5 high level) Mod-ips 314> ACPI: INT_SRC_OVR (bus 0 bus_irq 9 global_irq 9 high level) Mod-ips 315> ACPI: INT_[...]

  • Страница 510

    18-16 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 18 Configuri ng the ASA 5500-X IPS SSP Health and Sta tus Informatio n Mod-ips 369> CPU: L1 I cache: 32K, L1 D cache: 32K Mod-ips 370> CPU: L2 cache: 4096K Mod-ips 371> CPU 2/0x2 -> Node 0 Mod-ips 372> CPU2: Intel QEMU Virtual CPU [...]

  • Страница 511

    18-17 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 18 Configuring the ASA 5500-X IPS SSP Health and Status Information Mod-ips 430> TCP established hash table entries: 524288 (order: 11, 8388608 bytes) Mod-ips 431> TCP bind hash table entries: 65536 (order: 8, 1048576 bytes) Mod-ips 432>[...]

  • Страница 512

    18-18 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 18 Configuri ng the ASA 5500-X IPS SSP Health and Sta tus Informatio n Mod-ips 493> processor ACPI_CPU:01: registered as cooling_device1 Mod-ips 494> processor ACPI_CPU:02: registered as cooling_device2 Mod-ips 495> processor ACPI_CPU:03[...]

  • Страница 513

    18-19 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 18 Configuring the ASA 5500-X IPS SSP Health and Status Information Mod-ips 555> cpuidle: using governor ladder Mod-ips 556> usbcore: registered new interface driver usbhid Mod-ips 557> usbhid: v2.6:USB HID core driver Mod-ips 558> TC[...]

  • Страница 514

    18-20 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 18 Configuri ng the ASA 5500-X IPS SSP ASA 5500-X IPS SSP Failover Scenarios Mod-ips 616> Creating boot.info[ OK ] Mod-ips 617> Checking for system modifications since last boot[ OK ] Mod-ips 618> Checking model identification[ OK ] Mod-[...]

  • Страница 515

    18-21 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 18 Configuring the ASA 5500-X IPS SSP New and Modi fied C ommands Two AS As i n Fai l-Clo se Mo de • If the ASAs are conf igured in fail-close mode , and if the ASA 5500-X IPS SSP on the acti ve ASA experien ces a configuration c hange or a sig[...]

  • Страница 516

    18-22 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 18 Configuri ng the ASA 5500-X IPS SSP allocate-ips allocat e-ips T o allocate an IPS virtual sensor to a security c ontext if you ha ve the ASA 5500-X IPS SSP installed, use the a lloca te-ip s comm and in context configuration mod e. T o remov [...]

  • Страница 517

    18-23 Cisco Intrusion Prevention System Sensor CLI Configuration Gu ide for IPS 7.2 OL-29168-01 Chapter 18 Configuring the ASA 5500-X IPS SSP allocate-ips Comma nd His tory Usage Guid elines Y o u can assign one or more IPS virtua l sensors to e ach co ntext. Then, when you configure the context to send traf fic to the ASA 5500-X IPS SSP u sing the[...]

  • Страница 518

    18-24 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Chapter 18 Configuri ng the ASA 5500-X IPS SSP allocate-ips[...]

  • Страница 519

Page 19-1, CHAPTER 19 Configuring the ASA 5585-X IPS SSP: This chapter contains procedures that are specific to configuring the ASA 5585-X IPS SSP. It contains the following sections: • ASA 5585-X IPS SSP Notes and Caveats, page 19-1 • Configuratio[...]

Page 19-2, Configuration Sequence for the ASA 5585-X IPS SSP: • The ASA 5585-X IPS SSP has four types of ports (console, management, GigabitEthernet, and 10GE). The console and management ports (on the right front[...]

Page 19-3, Verifying Initialization for the ASA 5585-X IPS SSP: • For the procedure for creating virtual sensors, see Creating Virtual Sensors for the ASA 5585-X IPS SSP, page 19-4. • For the procedures fo[...]

Page 19-4, Creating Virtual Sensors for the ASA 5585-X IPS SSP: This section describes how to create virtual sensors on the ASA 5585-X IPS SSP, and contains the fo[...]

Page 19-5, Creating Virtual Sensors for the ASA 5585-X IPS SSP: The ASA 5585-X IPS SSP Virtual Sensor Configuration Sequence. Follow this sequence to create virtual sensors on the ASA 5585-X IPS SSP, and to assi[...]

Page 19-6, Creating Virtual Sensors for the ASA 5585-X IPS SSP: Step 3 Add a virtual sensor. sensor(config-ana)# virtual-sensor vs1 sensor(config-ana-vir)# Step 4 Add a description for this virtual sensor. sensor(conf[...]

Page 19-7, Creating Virtual Sensors for the ASA 5585-X IPS SSP: sensor(config-ana)# exit Apply Changes:?[yes]: sensor(config)# Step 11 Press Enter to apply the changes or enter no to discard them. For More Informatio[...]

Page 19-8, Creating Virtual Sensors for the ASA 5585-X IPS SSP: • show context [detail]—Updated to display information about virtual sensors. In user context mode, a new line is added to show the mapped names of [...]

Page 19-9, Creating Virtual Sensors for the ASA 5585-X IPS SSP: asa(config-ctx)# all asa(config-ctx)# allocate-in asa(config-ctx)# allocate-interface g0/2 asa(config-ctx)# allocate-interface g0/3 asa(config-ctx)# config-[...]

Page 19-10, The ASA 5585-X IPS SSP and the Normalizer Engine: The majority of the features in the Normalizer engine are not used on the ASA 5585-X IPS SSP, because[...]

Page 19-11, ASA 5585-X IPS SSP and Jumbo Packets: The SensorApp Fails. The following occurs when the SensorApp fails: • If the adaptive security appliance is configured for failover, then the adaptive secur[...]

Page 19-12, Health and Status Information: Use the following commands to reload, shut down, reset, recover the password, and recover the ASA 5585-X IPS SSP directly from the adaptive security appliance: • hw-modu[...]

Page 19-13, Health and Status Information: Software version: 7.2(1)E4 MAC Address Range: 8843.e12f.5414 to 8843.e12f.541f App. name: IPS App. Status: Up App. Status Desc: Normal Operation App. version: 7.2(1)E4 Data plane[...]

Page 19-14, Health and Status Information: Firmware version: 2.0(7)0 Software version: 7.2(1)E4 MAC Address Range: 5475.d029.7f9c to 5475.d029.7fa7 App. name: IPS App. Status: Not Applicable App. Status Desc: Not Appli[...]
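The `show module` excerpts on pages 18-13, 19-13 and 19-14 are what an operator reads to confirm that the IPS application on the SSP is actually up. The following Python is an added example, not code from the Cisco guide: it parses the key/value block of `show module <slot> details` and turns it into a pass/fail check that can be run over captured output (for example from a scheduled collection of `show module`). The two sample outputs are constructed for illustration; the serial numbers and the status values in the degraded sample (`Reload`, `Recover`) are assumptions, not values taken from the guide. The fields it checks (App. name, App. Status, App. Status Desc, App. version, Software version, Data plane Status) are the ones the guide reproduces.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample output in the shape of `show module <slot> details`, using the
# field names the guide reproduces. Serial numbers and the degraded-state values
# are invented for illustration.
SAMPLE_HEALTHY = """\
Getting details from the Service Module, please wait...
ASA 5585-X IPS Security Services Processor-10 with 8GE
Model:              ASA5585-SSP-IPS10
Hardware version:   1.0
Serial Number:      JAF0000EXAMPLE
Firmware version:   2.0(7)0
Software version:   7.2(1)E4
MAC Address Range:  5475.d029.7f9c to 5475.d029.7fa7
App. name:          IPS
App. Status:        Up
App. Status Desc:   Normal Operation
App. version:       7.2(1)E4
Data plane Status:  Up
Status:             Up
"""

SAMPLE_DEGRADED = """\
Getting details from the Service Module, please wait...
ASA 5545 IPS Security Services Processor
Model:              ASA5545-IPS
Hardware version:   N/A
Serial Number:      FCH0000EXAMPLE
Firmware version:   N/A
Software version:   7.1(7)E4
MAC Address Range:  503d.e59c.7ca0 to 503d.e59c.7ca0
App. name:          IPS
App. Status:        Reload
App. Status Desc:   Reload in progress
App. version:       7.1(7)E4
Data plane Status:  Not Applicable
Status:             Recover
"""

# 'Key:   value' lines; keys may contain dots and spaces ("App. Status Desc").
KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z. ]*?):\s+(\S.*?)\s*$")


def parse_module_details(text: str) -> Dict[str, str]:
    """Collect the Key: value lines of `show module <slot> details` into a dict.
    Banner and progress lines that lack that shape are ignored."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields


@dataclass
class HealthReport:
    ok: bool
    findings: List[str] = field(default_factory=list)


def check_ips_module(fields: Dict[str, str], pinned_version: Optional[str] = None) -> HealthReport:
    """ok is True only when the module reports the IPS application fully up.
    pinned_version (e.g. '7.2(1)E4') additionally catches version drift."""
    findings: List[str] = []

    def expect(key: str, want: str) -> None:
        got = fields.get(key, "<missing>")
        if got != want:
            findings.append(f"{key} is {got!r}, expected {want!r}")

    expect("App. name", "IPS")
    expect("App. Status", "Up")
    expect("App. Status Desc", "Normal Operation")
    expect("Data plane Status", "Up")
    expect("Status", "Up")

    sw, app = fields.get("Software version"), fields.get("App. version")
    if sw != app:
        findings.append(f"Software version {sw!r} and App. version {app!r} disagree")
    if pinned_version is not None and sw != pinned_version:
        findings.append(f"Software version {sw!r} differs from pinned {pinned_version!r}")

    return HealthReport(ok=not findings, findings=findings)


if __name__ == "__main__":
    for label, text in (("healthy", SAMPLE_HEALTHY), ("degraded", SAMPLE_DEGRADED)):
        report = check_ips_module(parse_module_details(text), pinned_version="7.2(1)E4")
        print(label, "OK" if report.ok else "FAIL")
        for finding in report.findings:
            print("  -", finding)
```

Pinning the expected version matters during the upgrade and recovery procedures later in this guide: a module that reports `Up` but on the old `Software version` is one that silently did not take the upgrade.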

Page 19-15, Traffic Flow Stopped on IPS Switchports: asa(config)# debug module-boot debug module-boot enabled at level 1 asa(config)# hw-module module 1 recover boot The module in slot 1 will be recovered. This may era[...]

Page 19-16, Failover Scenarios: The following failover scenarios apply to the ASA 5585-X in the event of configuration changes, signature/signature engine updates, service packs, and SensorApp[...]

Page 19-17, Failover Scenarios: failover failover lan unit secondary failover lan interface folink GigabitEthernet0/7 failover interface ip folink 172.27.48.1 255.255.255.0 standby 172.27.48.2[...]

Page 20-1, CHAPTER 20 Obtaining Software: This chapter provides information on obtaining the latest Cisco IPS software. It contains the following sections: • IPS 7.2 File List, page 20-1 • Obtaining Cisco IPS Software, page 20-1 • IPS Software V[...]

Page 20-2, IPS Software Versioning: Downloading Cisco IPS Software. To download software on Cisco.com, follow these steps: Step 1 Log in to Cisco.com. Step 2 From the Support drop-down menu, choose Download Software. Step 3 Und[...]

Page 20-3, IPS Software Versioning: Major Update. A major update contains new functionality or an architectural change in the product. For example, the Cisco IPS 7.2 base version includes everything (except deprecated features)[...]

Page 20-4, IPS Software Versioning: Figure 20-1 illustrates what each part of the IPS software file represents for major and minor updates, service packs, and patch releases. Figure 20-1 IPS Software File Name for Major and Mino[...]

Page 20-5, IPS Software Versioning: Figure 20-3 illustrates what each part of the IPS software file represents for signature engine updates. Figure 20-3 IPS Software File Name for Signature Engine Updates. Recovery and Sys[...]

Page 20-6, IPS Software Versioning: IPS Software Release Examples. Table 20-1 lists platform-independent Cisco IPS software release examples. Table 20-1 Platform-Independent Release Examples. Columns: Release, Target Frequency, Ide[...]

Page 20-7, Accessing IPS Documentation: Table 20-2 describes the platform identifiers used in platform-specific names. For More Information. For instructions on how to access these files on Cisco.com, see Obtaining Cisco IPS Sof[...]
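Pages 20-4 and 20-5 describe the figures that decode an IPS software file name, and the image names the guide itself uses (IPS-SSP_10-K9-r-1.1-a-7.2-1-E4.pkg on page 21-8, IPS-4345-K9-sys-1.1-a-7.2-1-E4.img on page 21-19) follow the recovery/system-image form. The following Python is an added example, not Cisco's code: it decodes those two forms and adds the check the guide asks for on page 21-22 ("Be sure to use the IPS 4510 image"), refusing an image whose platform token does not match the sensor being reimaged. The field meanings (r = recovery partition image, sys = full system image, 1.1 = recovery partition version, a-7.2-1 = application version 7.2(1), E4 = signature engine level) follow Cisco's documented naming convention; `platform_matches`, its normalisation rule and `select_image` are this example's own.

```python
import re
from typing import Iterable, NamedTuple, Optional

# Recovery-partition (-r-) and system-image (-sys-) file names, e.g.
#   IPS-4345-K9-sys-1.1-a-7.2-1-E4.img
#   IPS-SSP_10-K9-r-1.1-a-7.2-1-E4.pkg
# Field meanings follow Cisco's IPS naming convention (see the lead-in).
IMAGE_RE = re.compile(
    r"^IPS-(?P<platform>[A-Za-z0-9_]+)-K9-(?P<kind>r|sys)-(?P<recovery>\d+\.\d+)"
    r"-a-(?P<major>\d+)\.(?P<minor>\d+)-(?P<sp>\d+)-(?P<engine>E\d+)\.(?P<ext>pkg|img)$"
)


class IpsImage(NamedTuple):
    platform: str          # platform token, e.g. '4345' or 'SSP_10'
    kind: str              # 'r' = recovery partition image, 'sys' = full system image
    recovery_version: str  # recovery partition version, e.g. '1.1'
    app_version: str       # application version as the sensor prints it, e.g. '7.2(1)E4'
    engine: str            # signature engine level, e.g. 'E4'
    ext: str


def is_image_name(name: str) -> bool:
    """True for recovery/system image names; signature, engine and service-pack
    packages use other layouts and are deliberately not matched."""
    return IMAGE_RE.match(name) is not None


def parse_image_name(name: str) -> IpsImage:
    """Decode a recovery or system image file name, or raise ValueError."""
    m = IMAGE_RE.match(name)
    if m is None:
        raise ValueError(f"not a recovery/system image file name: {name}")
    app_version = f"{m['major']}.{m['minor']}({m['sp']}){m['engine']}"
    return IpsImage(m["platform"], m["kind"], m["recovery"], app_version, m["engine"], m["ext"])


def _norm(s: str) -> str:
    # Compare platform tokens on letters and digits only, so that 'SSP_10' and
    # 'ASA 5585-X IPS SSP-10' agree. This example's own rule, not the guide's.
    return re.sub(r"[^A-Z0-9]", "", s.upper())


def platform_matches(image: IpsImage, sensor_model: str) -> bool:
    """True when the image's platform token occurs in the sensor's model string,
    e.g. ('4510', 'IPS 4510') -> True, ('4345', 'IPS 4510') -> False."""
    return _norm(image.platform) in _norm(sensor_model)


def select_image(names: Iterable[str], sensor_model: str, kind: str = "sys") -> Optional[IpsImage]:
    """Pick the single image of the requested kind that fits this sensor.
    Returns None when no candidate, or more than one, fits: an ambiguous or
    mismatched choice is exactly what the 'use the right image' note warns about."""
    fits = [
        img for img in (parse_image_name(n) for n in names if is_image_name(n))
        if img.kind == kind and platform_matches(img, sensor_model)
    ]
    return fits[0] if len(fits) == 1 else None


if __name__ == "__main__":
    for name in ("IPS-4345-K9-sys-1.1-a-7.2-1-E4.img", "IPS-SSP_10-K9-r-1.1-a-7.2-1-E4.pkg"):
        print(name, "->", parse_image_name(name))
```

Run it against the directory listing of the TFTP or FTP server before typing the ROMMON `IMAGE=` variable or the `upgrade` command; a None from `select_image` means stop and look rather than guess.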

Page 20-8, Cisco Security Intelligence Operations: • Release and General Information—Contains documentation roadmaps and release notes. • Reference Guides—Contains command references and technical references. [...]

Page 21-1, CHAPTER 21 Upgrading, Downgrading, and Installing System Images: This chapter describes how to upgrade, downgrade, and install system images. It contains the following sections: • Upgrade Notes and Caveats, page 21-1 • Upgrades, Downgr[...]

Page 21-2, Upgrades, Downgrades, and System Images: • All user configuration settings are lost when you install the system image. Before trying to recover the sensor by installing the [...]

Page 21-3, Supported FTP and HTTP/HTTPS Servers: For More Information. • For the procedure for initializing the sensor, see Basic Sensor Setup, page 2-4. • For the procedure for locating s[...]

Page 21-4, Upgrading the Sensor: Upgrade Notes and Caveats. For a list of the upgrade notes and caveats for each IPS version, refer to the Release Notes for your IPS version found at this [...]

Page 21-5, Upgrading the Sensor: Note The CLI output is an example of what your configuration may look like. It will not match exactly due to the optional setup choices, [...]

Page 21-6, Upgrading the Sensor: boot is using 61.2M out of 70.1M bytes of available disk space (92% usage) application-log is using 494.0M out of 513.0M bytes of available disk space (96% usage) M[...]

Page 21-7, Upgrading the Sensor: To work with upgrade files, follow these steps: Step 1 Log in to the sensor using an account with administrator privileges. Step 2 Copy the upgrade file. sen[...]

Page 21-8, Configuring Automatic Upgrades: sensor(config)# upgrade ftp://user@server_ipaddress//upgrade_path/IPS-SSP_10-K9-r-1.1-a-7.2-1-E4.pkg Step 5 Enter the server password. The upgrade[...]

Page 21-9, Configuring Automatic Upgrades: You specify the following information to schedule automatic upgrades: • Server IP address • Path of the directory on the file server where th[...]

Page 21-10, Configuring Automatic Upgrades: • user-name user_name—Specifies the username for server authentication. • user-server {disabled | enabled}—Enables automatic upgrades[...]

Page 21-11, Configuring Automatic Upgrades: Step 4 Specify the username for authentication. sensor(config-hos-ena)# user-name tester Step 5 Specify the password of the user. sensor(config-hos-ena[...]

Page 21-12, Configuring Automatic Upgrades: • For the output of the show statistics host command, see Displaying Statistics, page 17-28. • For the IDM procedure for automatically up[...]

Page 21-13, Downgrading the Sensor: For More Information. • For the procedure for configuring automatic update, see Configuring Automatic Updates, page 21-8. • For the procedure for confi[...]

Page 21-14, Installing System Images: Recovering the Application Partition Image. To recover the application partition image, follow these steps: Step 1 Download the recovery partition imag[...]

Page 21-15, Installing System Images: • Installing the System Image for the IPS 4345 and IPS 4360, page 21-16 • Installing the System Image for the IPS 4510 and IPS 4520, page 21-19 • Insta[...]

Page 21-16, Installing System Images: Step 2 Configure the line and port on the terminal server. In enable mode, enter the following configuration, where # is the line number of the port to be c[...]

Page 21-17, Installing System Images: Low Memory: 631 KB High Memory: 2048 MB PCI Device Table. Bus Dev Func VendID DevID Class Irq 00 00 00 8086 2578 Host Bridge 00 01 00 8086 2579 PCI-to-PCI Bridge[...]

Page 21-18, Installing System Images: The variables have the following definitions: • Address—Local IP address of the IPS 4345. • Server—TFTP server IP address where the applicat[...]

Page 21-19, Installing System Images: UNIX Example. rommon> IMAGE=system_images/IPS-4345-K9-sys-1.1-a-7.2-1-E4.img Note The path is relative to the default tftpboot directory of the UNIX TFTP[...]

Page 21-20, Installing System Images: You can install the IPS 4510 and IPS 4520 system image by using the ROMMON on the appliance to TFTP the system image onto the compact flash device. T[...]

Page 21-21, Installing System Images: Step 5 If necessary, assign an IP address for the Management port on the IPS 4510. rommon> ADDRESS=ip_address Note Use the same IP address that is ass[...]

Page 21-22, Installing System Images: Note If the network settings are correct, the system downloads and boots the specified image on the IPS 4510. Be sure to use the IPS 4510 image. For Mor[...]

Page 21-23, Installing System Images: Mod Card Type Model Serial No. --- -------------------------------------------- ------------------ ----------- 0 Cisco ASA 5545 Appliance with 8 GE ports, 1 ASA5[...]

Page 21-24, Installing System Images: Installing the ASA 5585-X IPS SSP System Image Using the hw-module Command. Note Be sure the TFTP server that you specify can transfer files up to 60 MB in si[...]

Page 21-25, Installing System Images: Example: Port IP Address [0.0.0.0]: 10.89.149.231 Step 7 Leave the VLAN ID at 0. VLAN ID [0]: Step 8 Specify the default gateway of the ASA 5585-X IPS SSP. G[...]

Page 21-26, Installing System Images: Step 11 Session to the ASA 5585-X IPS SSP. Step 12 Enter cisco three times and your new password twice. Step 13 Initialize the ASA 5585-X IPS SSP with the [...]

Page 21-27, Installing System Images: Use BREAK or ESC to interrupt boot. Use SPACE to begin boot immediately. The system enters ROMMON mode. The rommon> prompt appears. Step 4 Check the cur[...]

Page 21-28, Installing System Images: Step 9 Verify that you have access to the TFTP server by pinging it from your local Ethernet port with one of the following commands. rommon> ping [...]

Page 21-29, Installing System Images: For More Information. • For more information about TFTP servers, see TFTP Servers, page 21-15. • For a list of the specific system image files, see IPS [...]

    A- 1 Cisco In trusi on Preven tion Syst em Sens or CLI Conf iguration Gui de for IP S 7.2 OL-29168-01 APPENDIX A System Architecture This append ix describes the IPS syste m architec ture, and con tains the following sections: • IPS System Design, page A-1 • System Applications, page A -3 • •Reco ve ry parti tion—A speci al purpose image [...]

  • Страница 576

    A- 2 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x A System Archit ecture IPS System Design Figure A-1 illustrates the system design for IPS software. Figur e A -1 Sys tem Des ign f or the IPS MainApp CLI ID API CIDS Ethernet SensorApp - Signature Definition - Event Action Rules Master Blocking [...]

  • Страница 577

    A-3 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix A System Archite cture System Appl icati ons Figure A-2 illustrates the system design for IPS sof tware for the IPS 4500 series se nsors. Figur e A -2 Sys tem Design f or IPS 45 00 Seri es Sensors For More Informatio n • For detaile d inf[...]

  • Страница 578

    A- 4 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x A System Archit ecture System Applications The Cisco IPS software incl udes the following applications: • MainApp—Initialize s the system, start s and stops the other applications, conf igures the OS, and perform s upgrad es. It contains th [...]

  • Страница 579

    A-5 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix A System Archite cture Securi ty Featu res Y ou interact with the Cisc o IPS in the follo wing w ays: • Conf igure de vice p arame ters Y ou generate the initial configurati on for the sy stem and its features. This is an infrequent task,[...]

  • Страница 580

    A- 6 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x A System Archit ecture MainApp MainApp This section describes the MainApp, and contains the following topics: • Understandin g the MainApp, pag e A-6 • MainApp Responsibilities, page A-6 • Ev ent Stor e, pag e A-7 • Notif icationApp, pag[...]

  • Страница 581

    A-7 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix A System Archite cture MainAp p Note In the C isco IPS, the M ainApp ca n automati cally do wnload signatur e and signature e ngine upda tes from Cis co. com. • Shut down or reboot the operating system The MainApp responds to the show ver[...]

  • Страница 582

    A- 8 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x A System Archit ecture MainApp Ta b l e A - 1 shows some examples: The size of the Event Store allo ws suff icient b uf fering of the IPS ev ents when the sensor is not connected to an IPS event consumer . Suff icient buf f ering depends on your[...]

  • Страница 583

    A-9 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix A System Archite cture MainAp p Control transactions in volv e the follo wing types of r equests: • Request to update the co nfiguration data of an applica tion instance • Reques t for the d iagnostic data o f an applicat ion instance ?[...]

  • Страница 584

    A-10 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x A System Archit ecture MainApp • T ime (UTC and lo cal time) • Signature nam e • Signat ure ID • Subsignature ID • Participant informat ion • Alarm traits The Notif icationApp sends the follo wing inform ation from the evAler t ev en[...]

  • Страница 585

    A-11 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix A System Archite cture MainAp p • TCP stream s in embry onic stat e • TCP stream s in establi shed state • TCP stream s in closing st ate • TCP streams in system • TCP pa ckets queued for reas sembl y • T otal nodes acti ve •[...]

  • Страница 586

    A-12 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x A System Archit ecture MainApp Figure A-3 shows the transact ionHandlerLoop method in the CtlT ra nsSource. Figur e A -3 CtlT ransSo urce When the tran sactionHa n dlerL oop recei ves a remo tely addr essed tr ansact ion, it tries to for ward th[...]

  • Страница 587

    A-13 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix A System Archite cture MainAp p Understanding the ARC The main respon sibility of the ARC is to block ev ents . When it responds to a block, it either interacts with the devices it is ma naging directly to enable the block or it sends a bl[...]

  • Страница 588

    A-14 Appendix A System Architecture MainApp ARC Features The ARC has the following features: • Communication through Telnet and SSH 1.5 with 3DES (the default) or DES encryption Only the protocol specified in the ARC configuration for that device[...]

  • Page 589

    A-15 Appendix A System Architecture MainApp • Maintaining blocking state across network device restarts The ARC reapplies blocks and removes expired blocks as needed whenever a network device is shut down and restarted. The ARC is n[...]

  • Page 590

    A-16 Appendix A System Architecture MainApp • Catalyst 6000 MSFC2 with Catalyst software 5.4(3) or later and Cisco IOS 12.1(2)E or later on the MSFC2 • Cisco ASA 5500 series models: ASA 5510, ASA 5520, and ASA 5540 • FWSM Note The FWSM cannot bl[...]

  • Page 591

    A-17 Appendix A System Architecture MainApp The following scenarios demonstrate how the ARC maintains state across restarts. Scenario 1 There are two blocks in effect when the ARC stops and one of them expires before the ARC restarts. When t[...]

  • Page 592

    A-18 Appendix A System Architecture MainApp Caution Cisco firewalls do not support connection blocking of hosts. When a connection block is applied, the firewall treats it like an unconditional block. Cisco firewalls also do not support network bl[...]

  • Page 593

    A-19 Appendix A System Architecture MainApp Blocking with Catalyst Switches Catalyst switches with a PFC filter packets using VACLs. VACLs filter all packets between VLANs and within a VLAN. MSFC router ACLs are supported when WAN card[...]

  • Page 594

    A-20 Appendix A System Architecture MainApp The Logger can control what log messages are generated by each application by controlling the logging severity for different logging zones. You would only access the individual-zone-control of the logger[...]

  • Page 595

    A-21 Appendix A System Architecture MainApp AuthenticationApp to authenticate the identity of the user. The control transaction request typically includes the user name and a password, or the identity of the user can be authenticated using a[...]

  • Page 596

    A-22 Appendix A System Architecture SensorApp Each TLS client has different procedures for establishing this trust. The sensor itself includes a TLS client that is used to send control transactions to other sensors and download upgrades and configurat[...]

  • Page 597

    A-23 Appendix A System Architecture SensorApp Understanding the SensorApp The SensorApp performs packet capture and analysis. Policy violations are detected through signatures in the SensorApp and the information about the violations is [...]

  • Page 598

    A-24 Appendix A System Architecture SensorApp that were quiescent during the hold-down period will not be forwarded and will be allowed to timeout. Those streams that were synchronized during the hold-down period are allowed to continue. • Signature[...]

  • Page 599

    A-25 Appendix A System Architecture SensorApp • Event risk rating Event risk rating helps reduce false positives from the system and gives you more control over what causes an alarm. The event risk rating incorporates the following addit[...]

  • Page 600

    A-26 Appendix A System Architecture SensorApp Signature Event Action Processor The Signature Event Action Processor coordinates the data flow from the signature event in the Alarm Channel to processing through the Signature Event Action Override, the[...]

  • Page 601

    A-27 Appendix A System Architecture CollaborationApp Figure A-5 Signature Event Through Signature Event Action Processor CollaborationApp This section describes the CollaborationApp, and contains the following sections: • Understanding [...]

  • Page 602

    A-28 Appendix A System Architecture CollaborationApp • Set of rules score weight values • Set of IP addresses and address ranges, which together with the rules and alerts provide the information needed to calculate reputation scores • List of IP [...]

  • Page 603

    A-29 Appendix A System Architecture SwitchApp Caution You receive a warning message if you have enabled global correlation, but you have not configured a DNS or HTTP proxy server. This warning is a reminder to either disable global correlati[...]

  • Page 604

    A-30 Appendix A System Architecture CLI CLI The CLI provides the sensor user interface for all direct node access such as Telnet, SSH, and serial interface. You configure the sensor applications with the CLI. Direct access to the underlyin[...]

  • Page 605

    A-31 Appendix A System Architecture Communications Note For IPS 5.0 and later, you can no longer remove the cisco account. You can disable it using the no password cisco command, but you cannot remove it. To use the no password cisco command[...]

  • Page 606

    A-32 Appendix A System Architecture Communications IDAPI IPS applications use an interprocess communication API called the IDAPI to handle internal communications. The IDAPI reads and writes event data and provides a mechanism for control t[...]

  • Page 607

    A-33 Appendix A System Architecture Communications IDCONF The Cisco IPS manages its configuration using XML documents. IDCONF specifies the XML schema including the Cisco IPS control transactions. The IDCONF schema does not specify the conten[...]

  • Page 608

    A-34 Appendix A System Architecture Cisco IPS File Structure CIDEE CIDEE specifies the extensions to SDEE that are used by the Cisco IPS. The CIDEE standard specifies all possible extensions that are supported by the Cisco IPS. Specific systems [...]

  • Page 609

    A-35 Appendix A System Architecture Summary of Cisco IPS Applications • /usr/cids/idsRoot/bin—Contains the binary executables. • /usr/cids/idsRoot/bin/authentication—Contains the authentication application. • /usr/cids/idsRoot/bin/ci[...]

  • Page 610

    A-36 Appendix A System Architecture Summary of Cisco IPS Applications IDM The Java applet that provides an HTML IPS management interface. IME The Java applet that provides an interface for viewing and archiving events. Interface App Handles bypa[...]

  • Page 611

    B-1 APPENDIX B Signature Engines This appendix describes the IPS signature engines, and contains the following sections: • Understanding Signature Engines, page B-1 • Master Engine, page B-4 • Regular Expression Syntax, page B-9 • AIC Engi[...]

  • Page 612

    B-2 Appendix B Signature Engines Understanding Signature Engines Cisco IPS contains the following signature engines: • AIC—Provides thorough analysis of web traffic. The AIC engine provides granular control over HTTP sessions to prevent abus[...]

  • Page 613

    B-3 Appendix B Signature Engines Understanding Signature Engines – HTTP V2—Supports IOS IPS. This signature engine provides a protocol decode engine tuned for IOS IPS. If you try to use this engine, you receive an error message. – ID[...]

  • Page 614

    B-4 Appendix B Signature Engines Master Engine Note The Regex accelerator card is used for both the standard String engines and the String XL engines. Most standard String engine signatures can be compiled and analyzed by the Regex accelerator ca[...]

  • Page 615

    B-5 Appendix B Signature Engines Master Engine alert-severity Specifies the severity of the alert: • Dangerous alert • Medium-level alert • Low-level alert • Informational alert high medium low informational (default) sig-fidelity-rat[...]

  • Page 616

    B-6 Appendix B Signature Engines Master Engine Promiscuous Delta The promiscuous delta lowers the risk rating of certain alerts in promiscuous mode. Because the sensor does not know the attributes of the target system and in promiscuous mode cannot[...]

  • Page 617

    B-7 Appendix B Signature Engines Master Engine Obsoletes The Cisco signature team uses the obsoletes field to indicate obsoleted, older signatures that have been replaced by newer, better signatures, and to indicate disabled signatures in an en[...]

  • Page 618

    B-8 Appendix B Signature Engines Master Engine Event Actions The Cisco IPS supports the following event actions. Most of the event actions belong to each signature engine unless they are not appropriate for that particular engine. Alert and Log[...]

  • Page 619

    B-9 Appendix B Signature Engines Regular Expression Syntax • deny-attacker-inline (inline mode only)—Does not transmit this packet and future packets from the attacker address for a specified period of time. Note This is the most severe o[...]

  • Page 620

    B-10 Appendix B Signature Engines AIC Engine All repetition operators will match the shortest possible string as opposed to other operators that consume as much of the string as possible thus giving the longest string match. Table B-4 lists examples[...]

  • Page 621

    B-11 Appendix B Signature Engines AIC Engine Understanding the AIC Engine AIC provides thorough analysis of web traffic. It provides granular control over HTTP sessions to prevent abuse of the HTTP protocol. It allows administrative contro[...]

  • Page 622

    B-12 Appendix B Signature Engines AIC Engine • FTP traffic: – FTP command authorization and enforcement Table B-5 lists the parameters that are specific to the AIC HTTP engine. Table B-5 AIC HTTP Engine Parameters Parameter Descript[...]

  • Page 623

    B-13 Appendix B Signature Engines AIC Engine Table B-6 lists the parameters that are specific to the AIC FTP engine. For More Information • For the procedures for configuring AIC engine signatures, see Configuring AIC Signatures, page 7-17.[...]

  • Page 624

    B-14 Appendix B Signature Engines Atomic Engine • For more information on the parameters common to all signature engines, see Master Engine, page B-4. Atomic Engine The Atomic engine contains signatures for simple, single packet conditions[...]

  • Page 625

    B-15 Appendix B Signature Engines Atomic Engine For More Information For more information on the parameters common to all signature engines, see Master Engine, page B-4. Atomic IP Advanced Engine The Atomic IP Advanced engine parses and inter[...]

  • Page 626

    B-16 Appendix B Signature Engines Atomic Engine Only the outermost IP tunnel is identified. When an IPv6 tunnel or IPv6 traffic inside of an IPv4 tunnel is detected, a signature fires an alert. All of the other IPv6 traffic in embedded tunnels is n[...]

  • Page 627

    B-17 Appendix B Signature Engines Atomic Engine Table B-8 lists the parameters that are specific to the Atomic IP Advanced engine. Table B-8 Atomic IP Advanced Engine Parameters Parameter Description Value Global fragment-status Spe[...]

  • Page 628

    B-18 Appendix B Signature Engines Atomic Engine specify-max-match-offset {yes | no} Enables maximum match offset: • max-match-offset—Specifies the maximum stream offset the regex-string must report for a match to be valid. 0 to 65535 IPv6 speci[...]

  • Page 629

    B-19 Appendix B Signature Engines Atomic Engine specify-flow-label {yes | no} (Optional) Enables inspection of the flow label: • flow-label—Specifies the value of the flow label to inspect. 0 to 1048575 specify-headers-out-of-order {y[...]

  • Page 630

    B-20 Appendix B Signature Engines Atomic Engine specify-ipv6-addr-options {yes | no} (Optional) Enables the IPv6 address options: • ipv6-addr-options—Specifies the IPv6 address options: – address-with-localhost—IP address with ::1. – document[...]

  • Page 631

    B-21 Appendix B Signature Engines Atomic Engine specify-routing-header {yes | no} (Optional) Enables inspection of the routing header: • rh-present—Inspects the routing header. have-rh | no-rh specify-traffic-class {yes | no} (Optiona[...]

  • Page 632

    B-22 Appendix B Signature Engines Atomic Engine specify-ip-ttl {yes | no} (Optional) Enables inspection of the IP time-to-live: • ip-ttl—Specifies the value of the IP TTL to inspect. 0 to 255 specify-ip-version {yes | no} (Optional) Enables inspe[...]

  • Page 633

    B-23 Appendix B Signature Engines Atomic Engine specify-icmpv6-code {yes | no} (Optional) Enables inspection of the Layer 4 ICMPv6 code: • icmpv6-code—Specifies the value of the ICMPv6 header CODE. 0 to 255 specify-icmpv6-id {yes [...]

  • Page 634

    B-24 Appendix B Signature Engines Atomic Engine specify-tcp-mask {yes | no} (Optional) Enables the TCP mask for use: • tcp-mask—Specifies the mask used in TCP flags comparison: – URG bit – ACK bit – PSH bit – RST bit – SYN bit – FI[...]

  • Page 635

    B-25 Appendix B Signature Engines Atomic Engine For More Information • For an example custom IPv6 signature, see Example IPv6 Engine Signature, page 7-50. • For a list of the signature regular expression syntax, see Regular Expression Synta[...]

  • Page 636

    B-26 Appendix B Signature Engines Atomic Engine specify-ip-id {yes | no} (Optional) Enables inspection of the IP identifier: • ip-id—Specifies the IP ID to inspect. 0 to 255 specify-ip-option-inspection {yes | no} (Optional) Enables inspection of[...]

  • Page 637

    B-27 Appendix B Signature Engines Atomic Engine specify-icmp-id {yes | no} (Optional) Enables inspection of the Layer 4 ICMP ID: • icmp-id—Specifies the value of the ICMP header IDENTIFIER. 0 to 65535 specify-icmp-seq {yes | no} (Optional) En[...]

  • Page 638

    B-28 Appendix B Signature Engines Atomic Engine specify-tcp-flags {yes | no} (Optional) Enables TCP flags for use: • tcp-flags—Specifies the TCP flags to match when masked by mask: – URG bit – ACK bit – PSH bit – RST bit – SYN bit – F[...]

  • Page 639

    B-29 Appendix B Signature Engines Atomic Engine For More Information For more information on the parameters common to all signature engines, see Master Engine, page B-4. Atomic IPv6 Engine The Atomic IPv6 engine detects two IOS vulnerabilities tha[...]

  • Page 640

    B-30 Appendix B Signature Engines Fixed Engine Each Neighborhood Discovery type can have one or more Neighborhood Discovery options. The Atomic IPv6 engine inspects the length of each option for compliance with the legal values stated in RFC 2461. Vi[...]

  • Page 641

    B-31 Appendix B Signature Engines Fixed Engine Table B-11 lists the parameters specific to the Fixed TCP engine. specify-icmp-type {yes | no} (Optional) Enables inspection of the Layer 4 ICMP header type: • icmp-type—Specifies the value [...]

  • Page 642

    B-32 Appendix B Signature Engines Flood Engine Table B-12 lists the parameters specific to the Fixed UDP engine. For More Information • For more information on the parameters common to all signature engines, see Master Engine, page B-4. •[...]

  • Page 643

    B-33 Appendix B Signature Engines Meta Engine Table B-13 lists the parameters specific to the Flood Host engine. Flood Net Engine Parameters Table B-14 lists the parameters specific to the Flood Net engine. For More Information For [...]

  • Page 644

    B-34 Appendix B Signature Engines Meta Engine All signature events are handed off to the Meta engine by the Signature Event Action Processor. The Signature Event Action Processor hands off the event after processing the minimum hits option. Summari[...]

  • Page 645

    B-35 Appendix B Signature Engines Multi String Engine For More Information • For an example of a custom Meta engine signature, see Example Meta Engine Signature, page 7-46. • For more information on the parameters common to all signature [...]

  • Page 646

    B-36 Appendix B Signature Engines Normalizer Engine For More Information • For more information on the parameters common to all signature engines, see Master Engine, page B-4. • For a list of the signature regular expression syntax, see Regular[...]

  • Page 647

    B-37 Appendix B Signature Engines Normalizer Engine The Normalizer engine deals with IP fragment reassembly and TCP stream reassembly. With the Normalizer engine you can set limits on system resource usage, for example, the maximum numbe[...]

  • Page 648

    B-38 Appendix B Signature Engines Normalizer Engine ASA IPS Modules and the Normalizer Engine The majority of the features in the Normalizer engine are not used on the ASA 5500-X IPS SSP or ASA 5585-X IPS SSP, because the ASA itself handles the normaliz[...]

  • Page 649

    B-39 Appendix B Signature Engines Service Engines For More Information • For the procedure for configuring IP fragment reassembly signatures in the Normalizer engine, see Configuring IP Fragment Reassembly, page 7-28. • For the pr[...]

  • Page 650

    B-40 Appendix B Signature Engines Service Engines • Service NTP Engine, page B-52 • Service P2P Engine, page B-53 • Service RPC Engine, page B-53 • Service SMB Advanced Engine, page B-55 • Service SNMP Engine, page B-57 • Service SSH [...]

  • Page 651

    B-41 Appendix B Signature Engines Service Engines For More Information For more information on the parameters common to all signature engines, see Master Engine, page B-4. Service FTP Engine The Service FTP engine specializes in FTP port comman[...]

  • Page 652

    B-42 Appendix B Signature Engines Service Engines Table B-19 lists the parameters that are specific to the Service FTP engine. For More Information For more information on the parameters common to all signature engines, see Master Engine, page [...]

  • Page 653

    B-43 Appendix B Signature Engines Service Engines Table B-20 lists the parameters specific to the Service Generic engine. For More Information • For more information on the parameters common to all signature engines, see Master Engin[...]

  • Page 654

    B-44 Appendix B Signature Engines Service Engines Service H225 Engine The Service H225 engine analyzes H225.0 protocol, which consists of many subprotocols and is part of the H.323 suite. H.323 is a collection of protocols and other standar[...]

  • Page 655

    B-45 Appendix B Signature Engines Service Engines Table B-21 lists parameters specific to the Service H225 engine. Table B-21 Service H.225 Engine Parameters Parameter Description Value message-type Specifies the type of H225 messa[...]

  • Page 656

    B-46 Appendix B Signature Engines Service Engines For More Information • For more information on the parameters common to all signature engines, see Master Engine, page B-4. • For a list of the signature regular expression syntax, see Regular E[...]

  • Page 657

    B-47 Appendix B Signature Engines Service Engines Before an HTTP packet can be inspected, the data must be deobfuscated or normalized to the same representation that the target system sees when it processes the data. It is ideal to have a custo[...]

  • Page 658

    B-48 Appendix B Signature Engines Service Engines For More Information • For an example Service HTTP custom signature, see Example Service HTTP Engine Signature, page 7-44. • For more information on the parameters common to all signature eng[...]

  • Page 659

    B-49 Appendix B Signature Engines Service Engines Table B-23 lists the parameters specific to the Service IDENT engine. For More Information For more information on the parameters common to all signature engines, see Master Engine, page B-4[...]

  • Page 660

    B-50 Appendix B Signature Engines Service Engines Table B-24 lists the parameters specific to the Service MSRPC engine. Table B-24 Service MSRPC Engine Parameters Parameter Description Value protocol Enables the protocol of interest for this [...]

  • Page 661

    B-51 Appendix B Signature Engines Service Engines For More Information • For more information on the parameters common to all signature engines, see Master Engine, page B-4. • For a list of the signature regular expression syntax, see Reg[...]

  • Page 662

    B-52 Appendix B Signature Engines Service Engines Table B-25 lists the parameters specific to the Service MSSQL engine. For More Information For more information on the parameters common to all signature engines, see Master Engine, page B-4. Ser[...]

  • Page 663

    B-53 Appendix B Signature Engines Service Engines For More Information For more information on the parameters common to all signature engines, see Master Engine, page B-4. Service P2P Engine P2P networks use nodes that can simultaneously functi[...]

  • Page 664

    B-54 Appendix B Signature Engines Service Engines For More Information • For more information on the parameters common to all signature engines, see Master Engine, page B-4. • For a list of the signature regular expression syntax, see Regular E[...]

  • Page 665

    B-55 Appendix B Signature Engines Service Engines Service SMB Advanced Engine Note The SMB engine has been replaced by the SMB Advanced engine. Even though the SMB engine is still visible in IDM, IME, and the CLI, its signatures have been obsolete[...]

  • Page 666

    B-56 Appendix B Signature Engines Service Engines specify-exact-match-offset {yes | no} (Optional) Enables exact match offset: • exact-match-offset—Specifies the exact stream offset the Regex string must report for a match to be valid. 0 to 6[...]

  • Page 667

    B-57 Appendix B Signature Engines Service Engines For More Information • For more information on the parameters common to all signature engines, see Master Engine, page B-4. • For a list of the signature regular expression syntax, see Reg[...]

  • Page 668

    B-58 Appendix B Signature Engines Service Engines For More Information For more information on the parameters common to all signature engines, see Master Engine, page B-4. Service SSH Engine The Service SSH engine specializes in port 22 SSH traff[...]

  • Page 669

    B-59 Appendix B Signature Engines Service Engines For More Information For more information on the parameters common to all signature engines, see Master Engine, page B-4. Service TNS Engine The Service TNS engine inspects TNS protocol. TNS[...]

  • Page 670

    B-60 Appendix B Signature Engines State Engine For More Information • For more information on the parameters common to all signature engines, see Master Engine, page B-4. • For a list of the signature regular expression syntax, see Regular Expr[...]

  • Page 671

    B-61 Appendix B Signature Engines State Engine Table B-32 lists the parameters specific to the State engine. Table B-32 State Engine Parameters Parameter Description Value state-machine Specifies the state machine grouping. cisco-logi[...]

  • Page 672

    B-62 Appendix B Signature Engines String Engines For More Information For more information on the parameters common to all signature engines, see Master Engine, page B-4. String Engines The String engine is a generic-based pattern-matching inspection [...]

  • Page 673

    B-63 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix B Signature Engines St ring Engi nes Ta b l e B - 3 3 lists the parameters specif ic to the String ICMP engine. Ta b l e B - 3 4 lists the parameters specif ic to the String TCP engine. T able B-33 Str ing ICMP Engine P ara met ers Paramet[...]

  • Page 674

    B-64 Appendix B Signature Engines String Engines Table B-35 lists the parameters specific to the String UDP engine. For More Information For an example custom String engine signature, see Example String TCP Engine Signature, page 7-41. [...]

  • Page 675

    B-65 Appendix B Signature Engines String XL Engines String XL Engines Note The IPS 4345, IPS 4360, IPS 4510, IPS 4520, ASA 5525-X IPS SSP, ASA 5545-X IPS SSP, ASA 5555-X IPS SSP, and ASA 5585-X IPS SSP support the String XL engines and the R[...]

  • Page 676

    B-66 Appendix B Signature Engines String XL Engines no-case Specifies to treat all alphabetic characters in the expression as case insensitive. true | false (default) raw-regex If set to true, min-match-length, max-match-length, min-whole-length, [...]

  • Page 677

    B-67 Appendix B Signature Engines String XL Engines Unsupported String XL Parameters Although you see the end-optional and specify-max-stream-length parameters in the String XL engine, they are disabled. You receive an error message if you[...]

  • Page 678

    B-68 Appendix B Signature Engines Sweep Engines Apply Changes?[yes]: yes Error: string-xl-tcp 60003.0 : Maximum Stream Length is currently not supported. Please don't use this option. The configuration changes failed validation, no changes were applied.[...]

  • Page 679

    B-69 Appendix B Signature Engines Sweep Engines per-stream/per-source/per-destination basis The data node containing the sweep determines when the sweep should expire. The data node stops a sweep when the data node has not seen any traffic for[...]

  • Page 680

    B-70 Appendix B Signature Engines Sweep Engines For More Information For more information on the parameters common to all signature engines, see Master Engine, page B-4. Sweep Other TCP Engine The Sweep Other TCP engine analyzes traffic between tw[...]

  • Page 681

    B-71 Appendix B Signature Engines Traffic Anomaly Engine Sweep Other TCP Engine Parameters Table B-38 lists the parameters specific to the Sweep Other TCP engine. For More Information For more information on the parameters common to all [...]

  • Page 682

    B-72 Appendix B Signature Engines Traffic Anomaly Engine • log-pair-packets—Starts IP logging for packets that contain the attacker and victim address pair. • deny-attacker-service-pair-inline—Blocks the source IP address and the destinatio[...]

  • Page 683

    B-73 Appendix B Signature Engines Traffic ICMP Engine For More Information For more information on the parameters common to all signature engines, see Master Engine, page B-4. Traffic ICMP Engine The Traffic ICMP engine analyzes nonstandar[...]

  • Page 684

    B-74 Appendix B Signature Engines Trojan Engines Table B-40 lists the parameters specific to the Traffic ICMP engine. For More Information For more information on the parameters common to all signature engines, see Master Engine, page B-4. Tro[...]

  • Page 685

    C-1 APPENDIX C Troubleshooting This appendix contains troubleshooting tips and procedures for sensors and software. It contains the following sections: • Bug Toolkit, page C-1 • Preventive Maintenance, page C-2 • Disaster Recovery, [...]

  • Page 686

    C-2 Appendix C Troubleshooting Preventive Maintenance If you are a registered Cisco.com user, you can view the Bug Toolkit at this URL: http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs To become a registered cisco.com [...]

  • Page 687

    C-3 Appendix C Troubleshooting Preventive Maintenance To back up your current configuration, follow these steps: Step 1 Log in to the CLI using an account with administrator privileges. Step 2 Save the current configuration. The current confi[...]

  • Page 688

    C-4 Appendix C Troubleshooting Preventive Maintenance Note You are prompted for a password. – scp:—Source or destination URL for the SCP network server. The syntax for this prefix is: scp://[[username@]location][/relativeDirectory]/filen[...]

  • Page 689

    C-5 Appendix C Troubleshooting Preventive Maintenance Restoring the Current Configuration From a Backup File To restore your current configuration from a backup file, follow these steps: Step 1 Log in to the CLI using an account with admini[...]

  • Page 690

    C-6 Appendix C Troubleshooting Disaster Recovery Note For IPS 5.0 and later, you can no longer remove the cisco account. You can disable it using the no password cisco command, but you cannot remove it. To use the no password cisco command, there m[...]

  • Page 691

    C-7 Appendix C Troubleshooting Password Recovery 2. Log in to the sensor with the default user ID and password—cisco. Note You are prompted to change the cisco password. 3. Initialize the sensor. 4. Upgrade the sensor to the IPS software v[...]

  • Page 692

    C-8 Appendix C Troubleshooting Password Recovery • Verifying the State of Password Recovery, page C-14 • Troubleshooting Password Recovery, page C-14 Understanding Password Recovery Note Administrators may need to disable the passwor[...]

  • Page 693

    C-9 Appendix C Troubleshooting Password Recovery ------------------------------------------- Use the ^ and v keys to select which entry is highlighted. Press enter to boot the selected OS, 'e' to edit the Commands before booting, or 'c&a[...]

  • Page 694

    C-10 Appendix C Troubleshooting Password Recovery Recovering the Password for the ASA 5500-X IPS SSP You can reset the password to the default (cisco) for the ASA 5500-X IPS SSP using the CLI or the ASDM. Resetting the password causes it to reboot.[...]

  • Page 695

    C-11 Appendix C Troubleshooting Password Recovery Step 6 Enter your new password twice. New password: new password Retype new password: new password ***NOTICE*** This product contains cryptographic features and is subject to United States and local c[...]

  • Page 696

    C-12 Appendix C Troubleshooting Password Recovery Use the hw-module module slot_number password-reset command to reset the password to the default cisco. If the module in the specified slot has an IPS version that does not support password recove[...]

  • Page 697

    C-13 Appendix C Troubleshooting Password Recovery A summary of U.S. laws governing Cisco cryptographic products may be found at: http://www.cisco.com/wwl/export/crypto/tool/stqrg.html If you require further assistance please contact us by sending email[...]

  • Page 698

    C-14 Appendix C Troubleshooting Password Recovery Step 4 Disable password recovery. sensor(config-hos)# password-recovery disallowed Disabling Password Recovery Using the IDM or IME To disable password recovery in the IDM or IME, follow these steps: St[...]

  • Page 699

    C-15 Appendix C Troubleshooting Time Sources and the Sensor Time Sources and the Sensor This section describes how to maintain accurate time on the sensor, and contains the following topics: • Time Sources and the Sensor, page C-15 • Synchr[...]

  • Page 700

    C-16 Appendix C Troubleshooting Time Sources and the Sensor Verifying the Sensor is Synchronized with the NTP Server In IPS, you cannot apply an incorrect NTP configuration, such as an invalid NTP key value or ID, to the sensor. If you try to apply [...]

  • Page 701

    C-17 Appendix C Troubleshooting Advantages and Restrictions of Virtualization To ensure the integrity of the time stamp on the event records, you must clear the event archive of the older events by using the clear events command. Note Y[...]

  • Page 702

    C-18 Appendix C Troubleshooting Supported MIBs Supported MIBs To avoid problems with configuring SNMP, be aware of the MIBs that are supported on the sensor. The following private MIBs are supported on the sensor: • CISCO-CIDS-MIB The CISCO-C[...]

  • Page 703

    C-19 Appendix C Troubleshooting When to Disable Anomaly Detection When to Disable Anomaly Detection If you have anomaly detection enabled and you have your sensor configured to see only one direction of traffic, you should disable anomaly detect[...]

  • Page 704

    C-20 Appendix C Troubleshooting Analysis Engine Not Responding Analysis Engine Not Responding Error Message Output from show statistics analysis-engine Error: getAnalysisEngineStatistics : ct-sensorApp.424 not responding, please check system processes [...]

  • Page 705

    C-21 Appendix C Troubleshooting Troubleshooting External Product Interfaces Troubleshooting External Product Interfaces This section lists issues that can occur with external product interfaces and provides troubleshooting tips. For more inform[...]

  • Page 706

    C-22 Appendix C Troubleshooting Troubleshooting the Appliance External Product Interfaces Troubleshooting Tips To troubleshoot external product interfaces, check the following: • Make sure the interface is active by checking the output from t[...]

  • Page 707

    C-23 Appendix C Troubleshooting Troubleshooting the Appliance • Make sure each device is properly seated. • If a device has latches, make sure they are completely closed and locked. • Check any interlock or interconnect indicator[...]

  • Page 708

    C-24 Appendix C Troubleshooting Troubleshooting the Appliance • Duplicate IP Address Shuts Interface Down, page C-27 Cannot Access the Sensor CLI Through Telnet or SSH If you cannot access the sensor CLI through Telnet (if you already have it ena[...]

  • Page 709

    C-25 Appendix C Troubleshooting Troubleshooting the Appliance Step 3 Make sure the sensor IP address is unique. If the management interface detects that another device on the network has the same IP address, it does not come up. sensor# set[...]

  • Page 710

    C-26 Appendix C Troubleshooting Troubleshooting the Appliance For More Information • For the procedure for enabling and disabling Telnet on the sensor, see Enabling and Disabling Telnet, page 3-5. • For the various ways to open a CLI sessi[...]

  • Page 711

    C-27 Appendix C Troubleshooting Troubleshooting the Appliance Duplicate IP Address Shuts Interface Down If you have two newly imaged sensors with the same IP address that come up on the same network at the same time, the interface shuts down.[...]

  • Page 712

    C-28 Appendix C Troubleshooting Troubleshooting the Appliance Step 4 Make sure the IP address is correct. For More Information • To make sure the sensor cabling is correct, refer to the chapter for your sensor in Cisco Intrusion Prevention System[...]

  • Page 713

    C-29 Appendix C Troubleshooting Troubleshooting the Appliance AnalysisEngine V-2013_04_10_11_00_7_2_0_14 (Release) 2013-04-10T11:05:55-0500 Running CollaborationApp V-2013_04_10_11_00_7_2_0_14 (Release) 2013-04-10T11:05:55-0500 Running CLI V-2013_04_[...]

  • Page 714

    C-30 Appendix C Troubleshooting Troubleshooting the Appliance Physical Connectivity, SPAN, or VACL Port Issue If the sensor is not connected properly, you do not receive any alerts. To make sure the sensor is connected properly, follow these steps:[...]

  • Page 715

    C-31 Appendix C Troubleshooting Troubleshooting the Appliance Step 4 Verify the interface configuration: • Make sure you have the interfaces configured properly. • Verify the SPAN and VACL capture port configuration on the Cisco switch. [...]

  • Page 716

    C-32 Appendix C Troubleshooting Troubleshooting the Appliance Step 3 Make sure you have Produce Alert configured. sensor# configure terminal sensor(config)# service signature-definition sig0 sensor(config-sig)# signatures 1300 0 sensor(config-sig-sig[...]

  • Page 717

    C-33 Appendix C Troubleshooting Troubleshooting the Appliance Sensor Not Seeing Packets If the sensor is not seeing any packets on the network, you could have the interfaces set up incorrectly. If the sensor is not seeing packets, follow these[...]

  • Page 718

    C-34 Appendix C Troubleshooting Troubleshooting the Appliance Step 4 Check to see that the interface is up and receiving packets. sensor# show interfaces MAC statistics from interface GigabitEthernet0/1 Media Type = TX Missed Packet Percentage = 0 Inlin[...]

  • Page 719

    C-35 Appendix C Troubleshooting Troubleshooting the Appliance Step 8 Start the IPS services. sensor# cids start Step 9 Log in to an account with administrator privileges. Step 10 Reboot the sensor. sensor# reset Warning: Executing this command will[...]

  • Page 720

    C-36 Appendix C Troubleshooting Troubleshooting the Appliance For More Information • For the procedure to verify that the ARC is running, see Verifying the ARC is Running, page C-36. • For the procedure to verify that the ARC is connecting[...]

  • Page 721

    C-37 Appendix C Troubleshooting Troubleshooting the Appliance Host Certificate Valid from: 17-Apr-2013 to 18-Apr-2015 sensor# Step 3 If the MainApp displays Not Running, the ARC has failed. Contact TAC. For More Information To learn more abo[...]

  • Page 722

    C-38 Appendix C Troubleshooting Troubleshooting the Appliance Realm Keys key1.0 Signature Definition: Signature Update S697.0 2013-02-15 OS Version: 2.6.29.1 Platform: IPS4360 Serial Number: FCH1504V0CF No license present Sensor up-time is 3 days. Using 1[...]

  • Page 723

    C-39 Appendix C Troubleshooting Troubleshooting the Appliance Device Access Issues The ARC may not be able to access the devices it is managing. Make sure you have the correct IP address and username and password for the managed devices a[...]

  • Page 724

    C-40 Appendix C Troubleshooting Troubleshooting the Appliance profile-name: r7200 block-interfaces (min: 0, max: 100, current: 1) ----------------------------------------------- interface-name: fa0/0 direction: in -----------------------------------------[...]

  • Page 725

    C-41 Appendix C Troubleshooting Troubleshooting the Appliance Step 3 Exit general submode. sensor(config-net-gen)# exit sensor(config-net)# exit Apply Changes:? [yes]: Step 4 Press Enter to apply the changes or type no to discard them. Step 5 Tel[...]

  • Page 726

    C-42 Appendix C Troubleshooting Troubleshooting the Appliance sensor(config-sig-sig)# engine normalizer sensor(config-sig-sig-nor)# event-action produce-alert|request-block-host sensor(config-sig-sig-nor)# show settings normalizer ----------------------[...]

  • Page 727

    C-43 Appendix C Troubleshooting Troubleshooting the Appliance State ShunEnable = true ShunnedAddr Host IP = 122.122.122.44 ShunMinutes = 60 MinutesRemaining = 59 Step 3 If the master blocking sensor does not show up in the statistics, you need to a[...]

  • Page 728

    C-44 Appendix C Troubleshooting Troubleshooting the Appliance Step 9 If the remote master blocking sensor is using TLS for web access, make sure the forwarding sensor is configured as a TLS host. sensor# configure terminal sensor(config)# tls tru[...]

  • Page 729

    C-45 Appendix C Troubleshooting Troubleshooting the Appliance master-control ----------------------------------------------- enable-debug: true default: false individual-zone-control: false <defaulted> ------------------------------------------[...]

  • Page 730

    C-46 Appendix C Troubleshooting Troubleshooting the Appliance <protected entry> zone-name: nac severity: warning <defaulted> <protected entry> zone-name: sensorApp severity: warning <defaulted> <protected entry> zone-name: tl[...]

  • Page 731

    C-47 Appendix C Troubleshooting Troubleshooting the Appliance severity: warning <defaulted> ----------------------------------------------- sensor(config-log)# Step 13 Turn on debugging for a particular zone. sensor(config-log)# zone-contro[...]

  • Page 732

    C-48 Appendix C Troubleshooting Troubleshooting the Appliance Step 15 Press Enter to apply changes or type no to discard them: For More Information For a list of what each zone name refers to, see Zone Names, page C-48. Zone Names Table C-2 li[...]

  • Page 733

    C-49 Appendix C Troubleshooting Troubleshooting the Appliance Directing cidLog Messages to SysLog It might be useful to direct cidLog messages to syslog. To direct cidLog messages to syslog, follow these steps: Step 1 Go to the idsRoot/etc/log.con[...]

  • Page 734

    C-50 Appendix C Troubleshooting Troubleshooting the Appliance TCP Reset Not Occurring for a Signature Note There is only one sensing interface on the ASA IPS modules (ASA 5500-X IPS SSP and ASA 5585-X IPS SSP), so you cannot designate an alternate[...]

  • Page 735

    C-51 Appendix C Troubleshooting Troubleshooting the Appliance Step 5 Make sure the correct alarms are being generated. sensor# show events alert evAlert: eventId=1047575239898467370 severity=medium originator: hostId: sj_4250_40 appName: sensorApp[...]

  • Page 736

    C-52 Appendix C Troubleshooting Troubleshooting the Appliance Or you can use the system image file to reimage the sensor directly to the version you want. You can reimage a sensor and avoid the error because the reimage process does not check [...]

  • Page 737

    C-53 Appendix C Troubleshooting Troubleshooting the Appliance Try the manual upgrade command before attempting the automatic update. If it works with the upgrade command and does not work with the automatic update, try the following: • [...]

  • Page 738

    C-54 Appendix C Troubleshooting Troubleshooting the IDM For More Information For the procedure for obtaining Cisco IPS software, see Obtaining Cisco IPS Software, page 20-1. Troubleshooting the IDM Note These procedures also apply to the IPS sectio[...]

  • Page 739

    C-55 Appendix C Troubleshooting Troubleshooting the IDM c. Under Java Runtime Environment, select JRE 1.3.x from the drop-down menu. d. Click the Cache tab. e. Click the Browser tab. f. Deselect all browser check boxes. g. Click Clear Cac[...]

  • Page 740

    C-56 Appendix C Troubleshooting Troubleshooting the IME exit summertime-option disabled ntp-option disabled exit service web-server port 443 exit Step 2 If network devices, such as routers, switches, or firewalls, are between the sensor and the worksta[...]

  • Page 741

    C-57 Appendix C Troubleshooting Troubleshooting the ASA 5500-X IPS SSP Time Synchronization on IME and the Sensor Symptom The IME displays No Data Available on the Events dashboard. A historical query does not return any events; however, e[...]

  • Page 742

    C-58 Appendix C Troubleshooting Troubleshooting the ASA 5500-X IPS SSP • The ASA 5500-X IPS SSP and Jumbo Packets, page C-67 Health and Status Information To see the general health of the ASA 5500-X IPS SSP, use the show module ips details comma[...]

  • Page 743

    C-59 Appendix C Troubleshooting Troubleshooting the ASA 5500-X IPS SSP Mod-ips 239> e1000 0000:00:05.0: PCI INT A disabled Mod-ips 240> Restarting system. Mod-ips 241> machine restart Mod-ips 242> IVSHMEM: addr = 4093640704 size = 67108864 [...]

  • Page 744

    C-60 Appendix C Troubleshooting Troubleshooting the ASA 5500-X IPS SSP Mod-ips 298> Normal 0x00100000 -> 0x00201400 Mod-ips 299> Movable zone start PFN for each node Mod-ips 300> early_node_map[3] active PFN ranges Mod-ips 301> 0: 0x0000000[...]

  • Page 745

    C-61 Appendix C Troubleshooting Troubleshooting the ASA 5500-X IPS SSP Mod-ips 357> Initializing CPU#1 Mod-ips 358> Calibrating delay using timer specific routine.. 5585.16 BogoMIPS (lpj=2792581) Mod-ips 359> CPU: L1 I cache: 32K, L1 D cache: [...]

  • Page 746

    C-62 Appendix C Troubleshooting Troubleshooting the ASA 5500-X IPS SSP Mod-ips 415> ACPI: PCI Interrupt Link [LNKA] (IRQs 5 *10 11) Mod-ips 416> ACPI: PCI Interrupt Link [LNKB] (IRQs 5 *10 11) Mod-ips 417> ACPI: PCI Interrupt Link [LNKC] (IRQs 5 [...]

  • Page 747

    C-63 Appendix C Troubleshooting Troubleshooting the ASA 5500-X IPS SSP Mod-ips 478> acpiphp: Slot [27] registered Mod-ips 479> acpiphp: Slot [28] registered Mod-ips 480> acpiphp: Slot [29] registered Mod-ips 481> acpiphp: Slot [30] register[...]

  • Page 748

    C-64 Appendix C Troubleshooting Troubleshooting the ASA 5500-X IPS SSP Mod-ips 541> uhci_hcd: USB Universal Host Controller Interface driver Mod-ips 542> Initializing USB Mass Storage driver... Mod-ips 543> usbcore: registered new interface drive[...]

  • Page 749

    C-65 Appendix C Troubleshooting Troubleshooting the ASA 5500-X IPS SSP Mod-ips 601> Create node: Mod-ips 602> ln: /etc/modprobe.conf: File exists Mod-ips 603> Shutting down network... ifconfig lo down Mod-ips 604> ifconfig lo down Mod-ips 6[...]

  • Page 750

    C-66 Appendix C Troubleshooting Troubleshooting the ASA 5500-X IPS SSP Two ASAs in Fail-Open Mode • If the ASAs are configured in fail-open mode and if the ASA 5500-X IPS SSP on the active ASA experiences a configuration change or a signature/signa[...]

  • Page 751

    C-67 Appendix C Troubleshooting Troubleshooting the ASA 5500-X IPS SSP • 1311.0 • 1315.0 • 1316.0 • 1317.0 • 1330.0 • 1330.1 • 1330.2 • 1330.9 • 1330.10 • 1330.12 • 1330.14 • 1330.15 • 1330.16 • 1330.17 • 1330.18 The ASA 5[...]

  • Page 752

    C-68 Appendix C Troubleshooting Troubleshooting the ASA 5585-X IPS SSP This miscount is a result of header bytes added to the packet by the ASA before the packet is transmitted to the IPS. For IPv4, 58 bytes of header data are added. For IPv6, 78 byte[...]

  • Page 753

    C-69 Appendix C Troubleshooting Troubleshooting the ASA 5585-X IPS SSP Reset issued for module in slot 1 asa# show module 1 details Getting details from the Service Module, please wait... Unable to read details from slot 1 ASA 5585-X IPS Security Servi[...]

  • Page 754

    C-70 Appendix C Troubleshooting Troubleshooting the ASA 5585-X IPS SSP Mgmt IP addr: 192.0.2.3 Mgmt Network mask: 255.255.255.0 Mgmt Gateway: 192.0.2.254 Mgmt Access List: 0.0.0.0/0 Mgmt web ports: 443 Mgmt TLS enabled: true asa# show module 1 details Get[...]

  • Page 755

    C-71 Appendix C Troubleshooting Troubleshooting the ASA 5585-X IPS SSP Slot-1 155> RETRY=20 Slot-1 156> tftp IPS-SSP_10-K9-sys-1.1-a-7.2-1.img@192.0.2.15 via 192.0.2.254 Slot-1 157> TFTP failure: Packet verify failed after 20 retries Slot-1 15[...]

  • Page 756

    C-72 Appendix C Troubleshooting Troubleshooting the ASA 5585-X IPS SSP Two ASA 5585-Xs in Fail-Close Mode • If the ASAs are configured in fail-close mode, and if the ASA 5585-X IPS SSP on the active ASA experiences a configuration change or a si[...]

  • Page 757

    C-73 Appendix C Troubleshooting Gathering Information • 1305.0 • 1307.0 • 1308.0 • 1309.0 • 1311.0 • 1315.0 • 1316.0 • 1317.0 • 1330.0 • 1330.1 • 1330.2 • 1330.9 • 1330.10 • 1330.12 • 1330.14 • 1330.15 • 1330.16 • 133[...]

  • Page 758

    C-74 Appendix C Troubleshooting Gathering Information • Events Information, page C-97 • cidDump Script, page C-101 • Uploading and Accessing Files on the Cisco FTP Site, page C-102 Health and Network Security Information Caution When the sen[...]

  • Page 759

    C-75 Appendix C Troubleshooting Gathering Information Understanding the show tech-support Command Note The /var/log/messages file is now persistent across reboots and the information is displayed in the output of the show tech-support command. Note[...]

  • Страница 760

    C-76 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Gath erin g Info rmat ion sensor# show tech-support page Step 3 T o s end the output (in HTML format) to a file: a. Enter the follo wing command, follo wed by a v alid destination. The password: prompt a ppears. sensor# show [...]

  • Страница 761

    C-77 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting Gathering Information Recovery Partition Version 1.1 - 7.2(1)E4 Host Certificate Valid from: 17-Apr-2013 to 18-Apr-2015 Output from show interfaces Interface Statistics Total Packets Received = 135259 Total Bytes Received[...]

  • Страница 762

    C-78 Cisco Intrusion Prevention System Se nsor CLI Configuration Guide for IPS 7.2 OL-29168-01 Appendi x C Trouble shooti ng Gath erin g Info rmat ion Version Informatio n The sh ow ve r si on com mand is useful f or obtaining se nsor infor mation. Th is section describ es the sho w vers ion comm and, and co ntains the foll o wing topi cs: • Unde[...]

  • Страница 763

    C-79 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 Append ix C Troubleshooting Gathering Information OS Version: 2.6.29.1 Platform: IPS4360 Serial Number: FCH1504V0CF No license present Sensor up-time is 3 days. Using 14470M out of 15943M bytes of available memory (90% usage) system is using 32.4M o[...]

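The show version fields on pages C-77 and C-79 (host certificate validity window, memory in use, license state, up-time) are the ones worth checking first when a sensor misbehaves: an expired host certificate makes TLS clients such as IDM reject the sensor, memory near capacity precedes inspection trouble, and a sensor with no license cannot take signature updates. The following Python script is an added example, not part of the Cisco guide, that parses those fields out of captured show version text and returns findings. The sample text is constructed from the fragments on those two pages; the 85% memory threshold and the 30-day certificate warning window are this example's assumptions.

```python
"""Health checks over captured `show version` output from a Cisco IPS 7.2
sensor.

Added example, not code from the Cisco guide. SAMPLE_SHOW_VERSION is
constructed from the fields shown on pages C-77 and C-79 of the guide;
the thresholds in check_sensor_health() are this example's assumptions.
"""
import re
from datetime import date, datetime

# Constructed from the show version fragments on pages C-77 and C-79.
SAMPLE_SHOW_VERSION = """\
sensor# show version
OS Version: 2.6.29.1
Platform: IPS4360
Serial Number: FCH1504V0CF
No license present
Sensor up-time is 3 days.
Using 14470M out of 15943M bytes of available memory (90% usage)
Recovery Partition Version 1.1 - 7.2(1)E4
Host Certificate Valid from: 17-Apr-2013 to 18-Apr-2015
"""

_PATTERNS = {
    "os_version": re.compile(r"^OS Version:\s*(\S+)", re.M),
    "platform": re.compile(r"^Platform:\s*(\S+)", re.M),
    "serial": re.compile(r"^Serial Number:\s*(\S+)", re.M),
    "recovery_version": re.compile(r"^Recovery Partition Version\s+(.+?)\s*$", re.M),
}
_MEM_RE = re.compile(r"Using (\d+)M out of (\d+)M bytes of available memory")
_UPTIME_RE = re.compile(r"Sensor up-time is (\d+) days?")
_CERT_RE = re.compile(
    r"Host Certificate Valid from:\s*(\d{2}-[A-Za-z]{3}-\d{4}) to (\d{2}-[A-Za-z]{3}-\d{4})"
)


def _cert_date(text):
    # The sensor prints certificate dates as 17-Apr-2013.
    return datetime.strptime(text, "%d-%b-%Y").date()


def parse_version(text):
    """Extract the fields this example cares about into a dict."""
    info = {}
    for key, rx in _PATTERNS.items():
        m = rx.search(text)
        info[key] = m.group(1) if m else None
    m = _MEM_RE.search(text)
    if m:
        info["mem_used_mb"], info["mem_total_mb"] = int(m.group(1)), int(m.group(2))
        # Integer percent, as the sensor prints it (14470M of 15943M -> 90%).
        info["mem_pct"] = 100 * info["mem_used_mb"] // info["mem_total_mb"]
    m = _UPTIME_RE.search(text)
    info["uptime_days"] = int(m.group(1)) if m else None
    m = _CERT_RE.search(text)
    if m:
        info["cert_not_before"] = _cert_date(m.group(1))
        info["cert_not_after"] = _cert_date(m.group(2))
    info["licensed"] = "No license present" not in text
    return info


def check_sensor_health(text, today=None, mem_threshold=85, cert_warn_days=30):
    """Return a list of findings (strings); an empty list means nothing to act on.

    `today` is an ISO date string (YYYY-MM-DD) so a check can be replayed
    against an old capture; it defaults to the current date.
    """
    today = date.fromisoformat(today) if today else date.today()
    info = parse_version(text)
    findings = []
    if info.get("mem_pct") is not None and info["mem_pct"] >= mem_threshold:
        findings.append(
            f"memory: {info['mem_used_mb']}M of {info['mem_total_mb']}M in use ({info['mem_pct']}%)"
        )
    not_before, not_after = info.get("cert_not_before"), info.get("cert_not_after")
    if not_before and not_after:
        if today < not_before:
            findings.append(f"host certificate not yet valid (valid from {not_before})")
        elif today > not_after:
            findings.append(
                f"host certificate expired on {not_after}; regenerate it, "
                "TLS clients such as IDM will reject the sensor"
            )
        elif (not_after - today).days <= cert_warn_days:
            findings.append(
                f"host certificate expires in {(not_after - today).days} days ({not_after})"
            )
    if not info["licensed"]:
        findings.append("no license present: signature updates cannot be installed")
    return findings


if __name__ == "__main__":
    for finding in check_sensor_health(SAMPLE_SHOW_VERSION, today="2015-04-01"):
        print(finding)
```

Run against a capture taken shortly before the certificate's end date, the script reports all three conditions present in the sample; feed it the output of a real sensor (for example the show version section of a saved show tech-support file) and it returns only what applies.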
• Page 764

C-80 Appendix C Troubleshooting: Gathering Information
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host network-setting[...]

• Page 765

C-81 Appendix C Troubleshooting: Gathering Information
Statistics Information
The show statistics command is useful for examining the state of the sensor services. This section describes the show statistics command, and contains the following t[...]

• Page 766

C-82 Appendix C Troubleshooting: Gathering Information
Note The clear option is not available for the analysis engine, anomaly detection, host, network access, or OS identification applications.
For the IPS 4510 and IPS 4520, at the end of the c[...]

• Page 767

C-83 Appendix C Troubleshooting: Gathering Information
Statistics for Signature Events
Number of SigEvents since reset = 0
Statistics for Actions executed on a SigEvent
Number of Alerts written to the IdsEventStore = 0
Inspection Stats
Inspector active c[...]

• Page 768

C-84 Appendix C Troubleshooting: Gathering Information
SimulatedTcpDeniesDueToGlobalCorrelation = 0
SimulatedTcpDeniesDueToOverride = 0
SimulatedTcpDeniesDueToOverlap = 0
SimulatedTcpDeniesDueToOther = 0
LateStageDenyDueToGlobalCorrelation = 0
LateStageD[...]

• Page 769

C-85 Appendix C Troubleshooting: Gathering Information
Detection - ON
Learning - ON
Next KB rotation at 10:00:00 UTC Sat Jan 18 2008
Internal Zone
TCP Protocol
UDP Protocol
Other Protocol
External Zone
TCP Protocol
UDP Protocol
Other Protocol
Illegal Zon[...]

• Page 770

C-86 Appendix C Troubleshooting: Gathering Information
Number of events of each type currently stored
Status events = 4257
Shun request events = 0
Error events, warning = 669
Error events, error = 8
Error events, fatal = 0
Alert events, informational = 0[...]

• Page 771

C-87 Appendix C Troubleshooting: Gathering Information
Network Statistics
= ma0_0 Link encap:Ethernet HWaddr 00:04:23:D5:A1:8D
= inet addr:10.89.130.98 Bcast:10.89.131.255 Mask:255.255.254.0
= UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
= RX packets[...]

• Page 772

C-88 Appendix C Troubleshooting: Gathering Information
MaxDeviceInterfaces = 250
NetDevice
Type = PIX
IP = 10.89.150.171
NATAddr = 0.0.0.0
Communications = ssh-3des
NetDevice
Type = PIX
IP = 192.0.2.4
NATAddr = 0.0.0.0
Communications = ssh-3des
NetDevice[...]

• Page 773

C-89 Appendix C Troubleshooting: Gathering Information
Version = 12.2
State = Active
NetDevice
IP = 192.0.2.10
AclSupport = Uses VACLs
Version = 8.4
State = Active
BlockedAddr
Host
IP = 203.0.113.1
Vlan =
ActualIp =
BlockMinutes =
Host
IP = 203.0.113.2
V[...]

• Page 774

C-90 Appendix C Troubleshooting: Gathering Information
Step 15 Display the statistics for the transaction server.
sensor# show statistics transaction-server
General
totalControlTransactions = 35
failedControlTransactions = 0
sensor#
Step 16 Display the[...]

• Page 775

C-91 Appendix C Troubleshooting: Gathering Information
Denied Attackers and hit count for each.
Denied Attackers with percent denied and hit count for each.
The Signature Database Statistics.
The Number of each type of node active in the system
Total nod[...]

• Page 776

C-92 Appendix C Troubleshooting: Gathering Information
Cumulative Statistics for the TCP Stream Reassembly Unit since reset
TCP streams that have been tracked since last reset = 0
TCP streams that had a gap in the sequence jumped = 0
TCP streams that was[...]

• Page 777

C-93 Appendix C Troubleshooting: Gathering Information
Error Severity = 14
Warning Severity = 1
Timing Severity = 0
Debug Severity = 0
Unknown Severity = 28
TOTAL = 43
Step 19 Verify that the statistics have been cleared. The statistics now all be[...]

• Page 778

C-94 Appendix C Troubleshooting: Gathering Information
Interfaces Command Output
The following example shows the output from the show interfaces command:
sensor# show interfaces
Interface Statistics
Total Packets Received = 0
Total Bytes Received = [...]

• Page 779

C-95 Appendix C Troubleshooting: Gathering Information
Note You must have health monitoring enabled to support the historic interface function.
Each record has the following details:
• Total packets received
• Total bytes received
• FIFO [...]

• Page 780

C-96 Appendix C Troubleshooting: Gathering Information
GigabitEthernet0/1
Time  Packets Received  Bytes Received  Mbps  MPP  FIFO Overruns  Receive Errors  Avg Load  Peak Load
11:30:31 UTC Tue Mar 05 2013  0  0  0  0  0  0  0  0
10:27:32 UTC Tue Mar 05 2013  0  0  0  0  0  0 [...]

• Page 781

C-97 Appendix C Troubleshooting: Gathering Information
0  0  0  0
12:15:00 UTC Tue Mar 05 2013  0  0  0  0  0  0  0  0
12:13:54 UTC Tue Mar 05 2013  0  0  0  0  0  0  0  0
12:12:49 UTC Tue Mar 05 2013  0  0  0  0  0  0  0  0
12:11:43 UTC Tue Mar 05 2013  0  0  0  0  0  0  0  0
12:10:36 UT[...]

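Non-zero FIFO Overruns or Receive Errors in the interface history above mean frames were lost at the sensing interface before inspection, which is a detection gap rather than a cosmetic counter, and a Peak Load close to 100 says the sensor was running at capacity in that interval. The following Python script is an added example, not part of the Cisco guide, that parses the history table in the column layout shown on page C-96 and flags such records. The sample text is constructed in that layout, its non-zero counters are made up for the demonstration, and the 80% peak-load threshold is this example's assumption.

```python
"""Parse the interface traffic history that `show interfaces` prints when
health monitoring is enabled (column layout from page C-96) and flag
records that point to traffic the sensor did not inspect.

Added example, not code from the Cisco guide. SAMPLE_HISTORY is constructed
in the page's column layout; its non-zero counters are invented.
"""
import re
from dataclasses import dataclass

# Constructed sample in the layout shown on page C-96. The counters on the
# 10:25:10 row are invented to exercise the checks.
SAMPLE_HISTORY = """\
GigabitEthernet0/1
Time                          Packets Received  Bytes Received  Mbps  MPP  FIFO Overruns  Receive Errors  Avg Load  Peak Load
11:30:31 UTC Tue Mar 05 2013  0  0  0  0  0  0  0  0
10:27:32 UTC Tue Mar 05 2013  48211  61390112  5  1  0  0  12  31
10:25:10 UTC Tue Mar 05 2013  910044  1201254000  96  7  143  2  74  93
GigabitEthernet0/2
Time                          Packets Received  Bytes Received  Mbps  MPP  FIFO Overruns  Receive Errors  Avg Load  Peak Load
11:30:31 UTC Tue Mar 05 2013  0  0  0  0  0  0  0  0
"""

# One history row: a timestamp such as "11:30:31 UTC Tue Mar 05 2013"
# followed by the eight integer columns named in the header.
_ROW_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2} UTC \w{3} \w{3} \d{2} \d{4})"
    r"\s+(?P<packets>\d+)\s+(?P<bytes>\d+)\s+(?P<mbps>\d+)\s+(?P<mpp>\d+)"
    r"\s+(?P<fifo>\d+)\s+(?P<rxerr>\d+)\s+(?P<avg>\d+)\s+(?P<peak>\d+)\s*$"
)
# An interface name stands alone on its line, e.g. GigabitEthernet0/1.
_IFACE_RE = re.compile(r"^[A-Za-z][\w/.]*$")


@dataclass
class HistoryRecord:
    interface: str
    time: str
    packets_received: int
    bytes_received: int
    mbps: int
    mpp: int
    fifo_overruns: int
    receive_errors: int
    avg_load: int
    peak_load: int


def parse_history(text):
    """Return one HistoryRecord per data row, tagged with its interface."""
    records = []
    interface = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Time "):
            continue  # blank line or the column header
        m = _ROW_RE.match(line)
        if m and interface:
            records.append(HistoryRecord(
                interface, m["time"], int(m["packets"]), int(m["bytes"]),
                int(m["mbps"]), int(m["mpp"]), int(m["fifo"]),
                int(m["rxerr"]), int(m["avg"]), int(m["peak"])))
        elif _IFACE_RE.match(line):
            interface = line  # start of the next per-interface section
    return records


def find_inspection_gaps(records, peak_load_threshold=80):
    """Return (interface, time, reason) tuples for records where frames were
    lost before inspection or the sensor ran near capacity. The 80% default
    is this example's assumption, not a value from the guide."""
    findings = []
    for r in records:
        if r.fifo_overruns:
            findings.append((r.interface, r.time, f"{r.fifo_overruns} FIFO overruns"))
        if r.receive_errors:
            findings.append((r.interface, r.time, f"{r.receive_errors} receive errors"))
        if r.peak_load >= peak_load_threshold:
            findings.append((r.interface, r.time, f"peak load {r.peak_load}%"))
    return findings


if __name__ == "__main__":
    for iface, when, reason in find_inspection_gaps(parse_history(SAMPLE_HISTORY)):
        print(f"{iface} {when}: {reason}")
```

The parser keys each row to the interface name that precedes its header, so the same function handles the multi-interface output a real sensor prints; paste a saved show interfaces history capture in place of the constructed sample and review every interval the script reports, since those are the windows in which an attack could have crossed the sensor uninspected.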
• Page 782

C-98 Appendix C Troubleshooting: Gathering Information
Sensor Events
There are five types of events:
• evAlert—Intrusion detection alerts
• evError—Application errors
• evStatus—Status changes, such as an IP log being created
• [...]

• Page 783

C-99 Appendix C Troubleshooting: Gathering Information
The following options apply:
• alert—Displays alerts. Provides notification of some suspicious activity that may indicate an attack is in process or has been attempted. Alert events are [...]

• Page 784

C-100 Appendix C Troubleshooting: Gathering Information
Step 3 Display the block requests beginning at 10:00 a.m. on February 9, 2011.
sensor# show events NAC 10:00:00 Feb 9 2011
evShunRqst: eventId=1106837332219222281 vendor=Cisco
originator: [...]

• Page 785

C-101 Appendix C Troubleshooting: Gathering Information
originator:
hostId: sensor
appName: mainApp
appInstanceId: 2215
time: 2011/01/08 02:41:00 2011/01/08 02:41:00 UTC
controlTransaction: command=getVersion successful=true
description: Control transact[...]

• Page 786

C-102 Appendix C Troubleshooting: Gathering Information
Step 3 Enter the following command.
/usr/cids/idsRoot/bin/cidDump
Step 4 Enter the following command to compress the resulting /usr/cids/idsRoot/log/cidDump.html file.
gzip /usr/cids/id[...]

• Page 787

D-1 APPENDIX D CLI Error Messages
This appendix lists the CLI error messages and CLI validation error messages. It contains the following sections:
• CLI Error Messages, page D-1
• CLI Validation Error Messages, page D-6
CLI Error Messa[...]

• Page 788

D-2 Appendix D CLI Error Messages: CLI Error Messages
Error message: The file name <file> is not a valid upgrade file type.
Reason: Attempt to install the wrong file for your platform and version.
Command: upgrade

Error message: idsPackageMgr: digital signature of the update was not valid
Reason: The [...]

Note A failed signature check means the package is not the file Cisco signed, whether it was corrupted in transit or altered. Do not look for a way around the check; obtain the update again from Cisco and repeat the upgrade.

• Page 789

D-3 Appendix D CLI Error Messages: CLI Error Messages
Error message: Packet-file does not exist.
Reason: The user attempted to copy or erase the packet-file but no packet-file has been captured.
Command: copy, erase

Error message: No downgrade available.
Reason: The user attempted to downgr[...]

• Page 790

D-4 Appendix D CLI Error Messages: CLI Error Messages
Error message: You do not have permission to terminate the requested CLI session.
Reason: An operator or viewer user attempted to terminate a CLI session belonging to another user.
Command: clear line

Error message: Invalid CLI ID specified,[...]

• Page 791

D-5 Appendix D CLI Error Messages: CLI Error Messages
2. This error only occurs on platforms that do not support virtual policies.
3. This error only occurs on platforms that do not support virtual policies.[...]

• Page 792

D-6 Appendix D CLI Error Messages: CLI Validation Error Messages
Table D-2 describes the validation error messages.
Table D-2 Validation Error Messages (columns: Error Message, Reason/Location)
Error message: Interface 'name' has no[...]

• Page 793

D-7 Appendix D CLI Error Messages: CLI Validation Error Messages
Error message: Interface already assigned to virtual sensor 'vs name.'
Reason/Location: The interface and optional sub-interface being added to the virtual sensor entry physical interface set has already been as[...]

• Page 794

D-8 Appendix D CLI Error Messages: CLI Validation Error Messages[...]

• Page 795

GL-1 GLOSSARY
Revised: April 25, 2013
Numerals
3DES Triple Data Encryption Standard. A stronger version of DES, which is the default encryption method for SSH version 1.5. Used when establishing an SSH session with the sensor. It can be used whe[...]

Note SSH version 1.5 and 3DES are legacy choices that current SSH clients no longer offer by default. The sensor's sshv1-fallback setting (index: configuring, 3-13) controls whether SSH version 1 sessions are still accepted; disable it unless a legacy client requires it, so that only SSH version 2 is negotiated.

• Page 796

Glossary GL-2
ASA 5500-X IPS SSP Intrusion Prevention System Security Services Processor. The IPS is running as a service and ASA controls sending and receiving traffic to and from the IPS. The IPS services processor monitors and performs real-tim[...]

• Page 797

Glossary GL-3
ASDM Adaptive Security Device Manager. A web-based application that lets you configure and manage your adaptive security device.
ASN.1 Abstract Syntax Notation 1. Standard for data presentation.
aspect version Version infor[...]

• Page 798

Glossary GL-4
BIOS Basic Input/Output System. The program that starts the sensor and communicates between the devices in the sensor and the system.
blackhole Routing term for an area of the internetwork where packets enter, but do not emerge, due[...]

• Page 799

Glossary GL-5
cidDump A script that captures a large amount of information including the IPS processes list, log files, OS information, directory listings, package information, and configuration files.
CIDEE Cisco Intrusion Detection Event Ex[...]

• Page 800

Glossary GL-6
CSA MC Cisco Security Agent Management Center. CSA MC receives host posture information from the CSA agents it manages. It also maintains a watch list of IP addresses that it has determined should be quarantined from the network.
CSM Ci[...]

• Page 801

Glossary GL-7
DIMM Dual In-line Memory Modules.
DMZ demilitarized zone. A separate network located in the neutral zone between a private (inside) network and a public (outside) network.
DNS Domain Name System. An Internet-wide hostname to IP addre[...]

• Page 802

Glossary GL-8
F
fail closed Blocks traffic on the device after a hardware failure.
fail open Lets traffic pass through the device after a hardware failure.
false negative A signature is not fired although offending traffic is present.
false positive N[...]

• Page 803

Glossary GL-9
FQDN Fully Qualified Domain Name. A domain name that specifies its exact location in the tree hierarchy of the DNS. It specifies all domain levels, including the top-level domain, relative to the root domain. A fully qualified do[...]

• Page 804

Glossary GL-10
hardware bypass A specialized interface card that pairs physical interfaces so that when a software error is detected, a bypass mechanism is engaged that directly connects the physical interfaces and allows traffic to flow through [...]

• Page 805

Glossary GL-11
intrusion detection system IDS. A security service that monitors and analyzes system events to find and provide real-time or near real-time warning of attempts to access system resources in an unauthorized manner.
IP address 32-[...]

• Page 806

Glossary GL-12
L
LACP Link Aggregation Control Protocol. LACP aids in the automatic creation of EtherChannel links by exchanging LACP packets between LAN ports. This protocol is defined in IEEE 802.3ad.
LAN Local Area Network. Refers to the Layer 2 netw[...]

• Page 807

Glossary GL-13
MIB Management Information Base. Database of network management information that is used and maintained by a network management protocol, such as SNMP or CMIP. The value of a MIB object can be changed or retrieved using SNMP [...]

• Page 808

Glossary GL-14
network device A device that controls IP traffic on a network and can block an attacking host. An example of a network device is a Cisco router or PIX Firewall.
network participation Networks contributing learned information to the global [...]

• Page 809

Glossary GL-15
P
P2P Peer-to-Peer. P2P networks use nodes that can simultaneously function as both client and server for the purpose of file sharing.
packet Logical grouping of information that includes a header containing control informati[...]

• Page 810

Glossary GL-16
ping packet internet groper. Often used in IP networks to test the reachability of a network device. It works by sending ICMP echo request packets to the target host and listening for echo response replies.
PIX Firewall Private[...]

• Page 811

Glossary GL-17
RBCP Router Blade Control Protocol. RBCP is based on SCP, but modified specifically for the router application. It is designed to run over Ethernet interfaces and uses 802.2 SNAP encapsulation for messages.
reassembly The pu[...]

• Page 812

Glossary GL-18
RTT round-trip time. A measure of the time delay imposed by a network on a host from the sending of a packet until acknowledgement of the receipt.
RU rack unit. A rack is measured in rack units. An RU is equal to 44 mm or 1.75 inches.
S[...]

• Page 813

Glossary GL-19
shared secret A piece of data known only to the parties involved in a secure communication. The shared secret can be a password, a passphrase, a big number, or an array of randomly chosen bytes.
shun command Enables a dynami[...]

• Page 814

Glossary GL-20
SNAP Subnetwork Access Protocol. Internet protocol that operates between a network entity in the subnetwork and a network entity in the end system. SNAP specifies a standard method of encapsulating IP datagrams and ARP messages on IEEE [...]

• Page 815

Glossary GL-21
String engine A signature engine that provides regular expression-based pattern inspection and alert functionality for multiple transport protocols, including TCP, UDP, and ICMP.
subsignature A more granular representation of a g[...]

• Page 816

Glossary GL-22
terminal server A router with multiple, low speed, asynchronous ports that are connected to other serial devices. Terminal servers can be used to remotely manage network equipment, including sensors.
TFN Tribe Flood Network. A co[...]

• Page 817

Glossary GL-23
trusted certificate Certificate upon which a certificate user relies as being valid without the need for validation testing; especially a public-key certificate that is used to provide the first public key in a certification path.[...]

• Page 818

Glossary GL-24
virtual sensor A logical grouping of sensing interfaces and the configuration policy for the signature engines and alarm filters to apply to them. In other words, multiple virtual sensors running on the same appliance, each configure[...]

• Page 819

Glossary GL-25
Web Server A component of the IPS. Waits for remote HTTP client requests and calls the appropriate servlet application.
WHOIS A TCP-based query/response protocol used for querying an official database to determine the owner of a [...]

• Page 820

Glossary GL-26[...]

• Page 821

IN-1 INDEX
Numerics
802.1q encapsulation for VLAN groups 4-27
A
AAA authentication: configuring 3-23
AAA RADIUS: functionality 3-29; limitations 3-29
accessing: IPS software 20-2; service account 3-28, C-5
access-list command 3-6
access list miscon[...]

• Page 822

Index IN-2
alert-severity command 7-9
alert severity: configuring 7-9
allocate-ips command 18-4, 19-4; ASA 5500-X IPS SSP 18-22
allow-sensor-block command 14-8
alternate TCP reset interface: configuration restrictions 4-9; designating 4-5; restrictions 4-3 [...]

• Page 823

Index IN-3
ARC: ACLs 14-21, A-14; authentication A-15; blocking: connection-based A-17, response A-13, unconditional blocking A-17; blocking application 14-2; blocking not occurring for signature C-41; Catalyst switches: VACL commands A-19, VACLs A-16, A-19 [...]

• Page 824

Index IN-4
sw-module module slot_number password-reset 18-12
sw-module module slot_number reload 18-12
sw-module module slot_number reset 18-12
sw-module module slot_number shutdown 18-12
task sequence 18-2
time sources 3-36, C-15
verifying initialization [...]

• Page 825

Index IN-5
parameters (table) B-17; restrictions B-16
Atomic IP engine: described B-25; parameters (table) B-25
Atomic IPv6 engine: described B-29; Neighborhood Discovery protocol B-29; signatures B-29
attack relevance rating: calculating risk r[...]

• Page 826

Index IN-6
notes and caveats 14-1; prerequisites 14-6; properties 14-7; sensor block itself 14-8; show statistics 14-33; supported devices 14-6; types 14-3; user profiles 14-20
blocking not occurring for signature C-41
block network command 14-32
BO describe[...]

• Page 827

Index IN-7
supported products 3-55
clear database command 17-9
clear denied-attackers command 8-36, 17-25
clear events command 3-36, 8-41, 17-23, C-16, C-101
clearing: anomaly detection statistics 9-47; denied attackers statistics 8-37, 17-26; even[...]

• Page 828

Index IN-8
clear os-identification 8-31
cli-inactivity-timeout 3-14
clock set 3-38, 17-25
copy ad-knowledge-base 9-42
copy anomaly-detection 9-8
copy backup-config 16-22, C-3
copy current-config 16-22, C-3
copy event-action-rules 8-8
copy iplog [...]

• Page 829

Index IN-9
no service event-action-rules 8-8
no service signature-definition 7-2
no target-value 8-15
no variables 8-11
os-identifications 8-28
other 9-18, 9-26, 9-34
overrides 8-17
packet capture 13-4
packet-display 13-2
password 3-18, 3-29
permi[...]

• Page 830

Index IN-10
worm-timeout 9-10
comparing KBs 9-44
configuration files: backing up 16-24, C-2; merging 16-24, C-2
configuration restrictions: alternate TCP reset interface 4-9; inline interface pairs 4-9; inline VLAN pairs 4-9; interfaces 4-8; physical interfa[...]

• Page 831

Index IN-11
passwords 3-30
physical interfaces 4-12
privilege 3-30
proxy servers 3-11
sensor sequence 1-2
sensor to block itself 14-8
sensor to use NTP 3-44
signature fidelity rating 7-12, 7-14
sshv1-fallback 3-13
status 7-13
summarizer 8-34
summer[...]

• Page 832

Index IN-12
host posture events 11-2, 11-4; quarantined IP address events 11-2; supported IPS interfaces 11-4
CtlTransSource: described A-4, A-11; illustration A-12
Ctrl-N 1-6
Ctrl-P 1-6
current-config command 16-20
current configuration: back up 16-24,[...]

• Page 833

Index IN-13
events 8-39, 17-22, C-99
global correlation statistics 10-14
health status 17-18, C-74
inspection load 17-11
interface statistics 4-38
interface traffic history 4-41, C-95
IP log contents 12-5
KB files 9-40
KB thresholds 9-46
live tra[...]

• Page 834

Index IN-14
Service DNS B-40
Service FTP B-41
Service Generic B-42
Service H225 B-44
Service HTTP 7-44, B-46
Service IDENT B-48
Service MSRPC B-49
Service MSSQL B-51
Service NTP B-52
Service P2P B-53
Service RPC B-53
Service SMB Advanced B-55
Servi[...]

• Page 835

Index IN-15
event types C-98
event variables: described 8-10; example 8-11
evError A-9
evLogTransaction A-9
evShunRqst A-9
evStatus A-9
examples: ASA failover configuration 18-21, 19-16, C-66, C-72; default anomaly detection configuration 9-4; K[...]

• Page 836

Index IN-16
proxy servers 3-11; requirements 10-7; risk rating 10-6; troubleshooting 10-13, C-18; update client (illustration) 10-9
Global Correlation Update: client described A-28; server described A-28
global-deny-timeout command 8-34
global-filters-[...]

• Page 837

Index IN-17
IDIOM: defined A-32; messages A-32
IDM: Analysis Engine is busy C-55; certificates 3-51; TLS 3-51; will not load C-54
ignore command 9-10
illegal zone: configuring 9-20; configuring other protocols 9-26; configuring TCP 9-22; configuring UDP 9-24; d[...]

• Page 838

Index IN-18
slot numbers 4-2; support (table) 4-6; TCP reset 4-4
interface statistics: displaying 4-38
interface traffic history: displaying 4-41, C-95
internal zone: configuring 9-12; configuring other protocols 9-18; configuring TCP 9-13; configuring UDP 9-16; de[...]

• Page 839

Index IN-19
types A-9
IPS internal communications A-32
IPS software: application list A-4; available files 20-1; configuring device parameters A-5; directory structure A-34; Linux OS A-1; obtaining 20-1; retrieving data A-5; security features A-5; tunin[...]

• Page 840

Index IN-20
list anomaly-detection-configurations command 9-9, 17-27
list event-action-rules-configurations command 8-8, 17-27
list of blocked hosts 14-33
list signature-definition-configurations command 7-2, 17-27
loading KBs 9-41
log-all-block-events-a[...]

• Page 841

Index IN-21
MIBs supported 15-6, C-18
minor updates: described 20-3
modes: anomaly detection detect 9-4; anomaly detection learning accept 9-3; asymmetric 5-4; bypass 4-34; inactive (anomaly detection) 9-4; inline interface pair 4-16; inline TCP trackin[...]

• Page 842

Index IN-22
NotificationApp: alert information A-9; described A-4; functions A-9; SNMP gets A-9; SNMP traps A-9; statistics A-11; system health information A-10
no variables command 8-11
NTP: authenticated 3-2, 3-35, 3-44, C-15; configuring servers 3-43; descri[...]

• Page 843

Index IN-23
GRUB menu 17-3, C-8; IPS 4345 17-3, 17-4, C-8, C-9; IPS 4360 17-3, 17-4, C-8, C-9; IPS 4510 17-3, 17-4, C-8, C-9; IPS 4520 17-3, 17-4, C-8, C-9; platforms 17-2, C-8; ROMMON 17-4, C-9; troubleshooting 17-9, C-14; verifying 17-9, C-14
passwords [...]

• Page 844

Index IN-24
SDEE A-33
proxy servers: configuring 3-11
Q
Q.931 protocol: described B-44; SETUP messages B-44
quarantined IP address events: described 11-2
R
RADIUS authentication: described 3-20; service account 3-29; shared secret 3-24, 3-25
rate limiting[...]

  • Страница 845

    Index IN- 25 Cisco In trusi on Preven tion System Sen sor CLI C onfigur ation Gui de for IPS 7.2 OL-29168-01 rese tti ng th e pass word ASA 5500-X IPS SSP 17-5, C-10 ASA 5585-X IPS SSP 17-6, C-12 restoring the cu rrent configu ration 16-23, C-5 retiring signatures 7-13 risk rati ng Alar m Channel 10-6 calculating 8-13 describe d 8-26 global cor rel[...]

  • Page 846

    Index IN-26
    Sensor Key pane described 3-49
    sensors
      access problems C-24
      application partition image 21-14
      asymmetric traffic and disabling anomaly detection 9-48, C-19
      command and control interfaces (list) 4-3
      configuration sequence 1-2
      configuring to [...]

  • Page 847

    Index IN-27
      parameters (table) B-49
    Service MSRPC engine
      DCS/RPC protocol B-49
      described B-49
      parameters (table) B-50
    Service MSSQL engine
      described B-51
      MSSQL protocol B-51
      parameters (table) B-52
    Service NTP engine
      described B-52
      p[...]

  • Page 848

    Index IN-28
    show users command 3-31
    show version command 17-41, C-78
    sig-fidelity-rating command 7-12, 7-14
    signature definition lists displaying 17-27
    signature definition policies
      copying 7-2
      creating 7-2
      deleting 7-2
      editing 7-2
    signature engines
      AIC [...]

  • Page 849

    Index IN-29
      TCP reset C-50
      tuned 7-4
    signature update files 20-4
    signature variables
      adding 7-5
      deleting 7-5
      described 7-4
      editing 7-5
    SNMP
      configuring
        agent parameters 15-3
        traps 15-5
      described 15-1
      general parameters 15-2
      Get 15-1
      GetNext 15-1[...]

  • Page 850

    Index IN-30
    stopping IP logging 12-6
    stream-reassembly command 7-37
    String engine described 7-41, B-62
    String ICMP engine parameters (table) B-63
    String TCP engine
      parameters 7-41
      parameters (table) B-63
      signature example 7-42
    String TCP XL signatu[...]

  • Page 851

    Index IN-31
    T
    tab completion using 1-5
    TAC
      PEP information 17-46
      service account 3-28, A-31, C-5
      show tech-support command 17-40, C-75
      troubleshooting A-31
    target-value command 8-15
      IPv4 8-15
      IPv6 8-15
    target value rating
      calculating risk rating 8-[...]

  • Page 852

    Index IN-32
    TLS certificates generating 3-53
    tls generate-key command 3-53
    tls trusted-host command 3-52
    trace command 17-48
    tracing IP packet route 17-48
    Traffic Anomaly engine
      described B-71
      protocols B-71
      signatures B-71
    traffic flow notifications[...]

  • Page 853

    Index IN-33
      sensing process not running C-28
      sensor events C-98
      sensor loose connections C-22
      sensor not seeing packets C-33
      sensor software upgrade C-53
      service account 3-28, C-5
      show events command C-97
      show interfaces command C-93
      show s[...]

  • Page 854

    Index IN-34
    viewing
      IP log contents 12-5
      license key status 3-54
      user information 3-31
    virtualization
      advantages 5-2, C-17
      restrictions 5-3, C-17
      supported sensors 5-3, C-17
      traffic capture requirements 5-3, C-17
    virtual-sensor name command 5-5, 18-[...]