Cisco Intrusion Prevention System CLI Configuration Guide for IPS 7.1

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
Preface

Published: March 31, 2011, OL-19892-01
Revised: October 17, 2014

Contents

This document describes how to configure the sensor using the Cisco IPS 7.1 CLI.
Section  Title                          Description
3        “Initializing the Sensor”      Describes how to use the setup command to initialize sensors.
4        “Setting Up the Sensor”        Describes how to use the CLI to configure initial settings on the sensor.
5        “Configuring Interfaces”       Describes how to configure promiscuous, inline, inline VLAN pair, and VLAN group interfaces.
6        “Configuring Virtual Sensors”  Describes how to configure virtual sensors.
Section  Title                                              Description
D        “CLI Error Messages”                               Lists the CLI error messages.
E        “Open Source License Files Used In Cisco IPS 7.1”  Lists the open source license files used by the IPS.
         “Glossary”                                         Contains IPS acronyms and terms.

Conventions

This document uses the following conventions:

Convention  Indication
bold font   Commands and keywords and user-entered text appear in bold font.
Warning  Means reader be warned. In this situation, you might perform an action that could result in bodily injury.

Related Documentation

For more information on Cisco IPS, refer to the following documentation found at this URL:
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/tsd_products_support_series_home.
Chapter 1  Introducing the CLI Configuration Guide

This chapter introduces the IPS CLI configuration guide, and contains the following sections:
• Sensor Configuration Sequence, page 1-1
• IPS CLI Configuration Guide, page 1-1
• User Roles, page 1-3
• CLI Behavior, page 1-5
• Command Line Editing, page 1-6
• IPS Command Modes, page 1-7
• Regular Expression Syntax, page 1-8
• Generic CLI Commands, page 1-10
• CLI Keywords, page 1-10

IPS CLI Configuration Guide

This guide is a task-bas
Sensor Configuration Sequence

4. Create the service account. A service account is needed for special debug situations directed by TAC. Only one user with the role of service is allowed.
5. License the sensor.
6. Perform the other initial tasks, such as adding users and trusted hosts, and so forth.
7. Make changes to the interface configuration if necessary. You configure the interfaces during initialization.
8.
• For the procedures for configuring signatures for intrusion prevention, see Chapter 8, “Defining Signatures.”
• For the procedures for configuring global correlation, see Chapter 10, “Configuring Global Correlation.”
• For the procedure for configuring anomaly detection policies, see Chapter 9, “Configuring Anomaly Detection.
User Roles

Operators

This user role has the second highest level of privileges. Operators have unrestricted view access and can perform the following functions:
• Modify their passwords
• Tune signatures
• Manage routers
• Assign configuration to a virtual sensor

Viewers

This user role has the lowest level of privileges. Viewers can view configuration and event data and can modify their passwords.
CLI Behavior

The following tips help you use the Cisco IPS CLI.

Prompts
• You cannot change the prompt displayed for the CLI commands.
• User interactive prompts occur when the system displays a question and waits for user input. The default input is displayed inside brackets [ ]. To accept the default input, press Enter.

Help
• To display the help for a command, type ? after the command.
Case Sensitivity
• The CLI is not case sensitive, but it does echo back the text in the same case you typed it. For example, if you type:
  sensor# CONF
  and press Tab, the sensor displays:
  sensor# CONFigure

Note  CLI commands are not case sensitive, but values are case sensitive. Remember this when you are creating regular expressions in signatures. A regular expression of “STRING” will not match “string” seen in a packet.
Table 1-1  Command Line Editing (continued)

Keys                  Description
Down Arrow or Ctrl-N  Returns to more recent commands in the history buffer after recalling commands with the Up Arrow or Ctrl-P. Repeat the key sequence to recall successively more recent commands.
Ctrl-A                Moves the cursor to the beginning of the line.
Ctrl-B                Moves the cursor back one character.
Ctrl-D                Deletes the character at the cursor.
Regular Expression Syntax

Note  The syntax in this section applies only to regular expressions used as part of a CLI command. It does not apply to regular expressions used by signatures.

Regular expressions are text patterns that are used for string matching. Regular expressions contain a mix of plain text and special characters to indicate what kind of matching to do.
Table 1-2  Regular Expression Syntax (continued)

Character  Description
[]         Enclosing a set of characters indicates that any of the enclosed characters may match the target character.
\          Allows specifying a character that would otherwise be interpreted as special. \xHH represents the character whose value is the same as the value represented by (HH) hexadecimal digits [0-9A-Fa-f]. The value must be non-zero.
Generic CLI Commands

The following CLI commands are generic to the Cisco IPS.
• configure terminal—Enters global configuration mode. Global configuration commands apply to features that affect the system as a whole rather than just one protocol or interface.
Chapter 2  Logging In to the Sensor

This chapter explains how to log in to the sensor.
Logging In to the Appliance

The service role does not have direct access to the CLI. Service account users are logged directly into a bash shell. Use this account for support and troubleshooting purposes only. Unauthorized modifications are not supported and will require the sensor to be reimaged to guarantee proper operation. You can create only one user with the service role.
If you require further assistance please contact us by sending email to export@cisco.com.
***LICENSE NOTICE***
There is no license key installed on the system.
Please go to http://www.cisco.com/go/license to obtain a new license or install a license.
sensor#

For More Information
• For the procedure for connecting an appliance to a terminal server, see Connecting an Appliance to a Terminal Server, page 2-3.
Caution  If a connection is dropped or terminated by accident, you should reestablish the connection and exit normally to prevent unauthorized access to the appliance.

Logging In to the ASA 5500 AIP SSM

You log in to the ASA 5500 AIP SSM from the adaptive security appliance. To session in to the ASA 5500 AIP SSM from the adaptive security appliance, follow these steps:

Step 1  Log in to the adaptive security appliance.
Step 4  To escape from a session and return to the adaptive security appliance prompt, do one of the following:
• Enter exit.
• Press CTRL-Shift-6-x (represented as CTRL^X).

For More Information
For the procedure for using the setup command to initialize the ASA 5500 AIP SSM, see Advanced Setup for the ASA 5500 AIP SSM, page 3-14.
signature updates.
Please go to http://www.cisco.com/go/license to obtain a new license or install a license.
asa-ips#

Step 4  To escape from a session and return to the adaptive security appliance prompt, do one of the following:
• Enter exit.
• Press CTRL-Shift-6-x (represented as CTRL^X).
***LICENSE NOTICE***
There is no license key installed on the system.
Please go to http://www.cisco.com/go/license to obtain a new license or install a license.
ips-ssp#

Step 4  To escape from a session and return to the adaptive security appliance prompt, do one of the following:
• Enter exit.
• Press CTRL-Shift-6-x (represented as CTRL^X).
Chapter 3  Initializing the Sensor

This chapter describes how to use the setup command to initialize the sensor, and contains the following sections:
• Initializing Notes and Caveats, page 3-1
• Understanding Initialization, page 3-2
• Participating in the SensorBase Network, page 3-2
• Simplified Setup Mode, page 3-3
• System Configuration Dialog, page 3-3
• Basic Sensor Setup, page 3-5
• Advanced Setup, page 3-8
• Verifying Initialization, page 3-25

Initi
Understanding Initialization

After you install the sensor on your network, you must use the setup command to initialize it so that you can communicate with it over the network. You cannot use the IDM or the IME to configure the sensor until you initialize the sensor using the setup command.
When you enable Partial or Full Network Participation, the Network Participation Disclaimer appears. You must click Agree to participate. If you do not have a license installed, you receive a warning telling you that global correlation inspection and reputation filtering are disabled until the sensor is licensed. You can obtain a license at http://www.cisco.com/go/license.
System Configuration Dialog

Note  The System Configuration Dialog is an interactive dialog. The default settings are displayed. Example 3-1 shows a sample System Configuration Dialog.

Example 3-1  Example System Configuration Dialog

--- Basic Setup ---

--- System Configuration Dialog ---
At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
This includes summary data on the Cisco IPS network traffic properties and how this traffic was handled by the Cisco appliances. We do not collect the data content of traffic or other sensitive business or personal information. All data is aggregated and sent via secure HTTP to the Cisco SensorBase Network servers in periodic intervals. All data shared with Cisco will be anonymous and treated as strictly confidential.
For example, 10.0.0.0/8 permits all IP addresses on the 10.0.0.0 network (10.0.0.0-10.255.255.255) and 10.1.1.0/24 permits only the IP addresses on the 10.1.1.0 subnet (10.1.1.0-10.1.1.255). If you want to permit access to a single IP address rather than the entire network, use a 32-bit netmask. For example, 10.1.1.1/32 permits just the 10.1.1.1 address.
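The access-list semantics just described, as an added example that is not part of the original guide and is not Cisco's code: a small Python checker that applies the same CIDR rules to proposed access-list entries, reports the address range each entry permits, tells you whether a given management host would be allowed before you save the setup, and flags entries wider than a /24 (that width threshold is an assumption of this example, not a rule from the guide).

```python
# Added example (not Cisco's code): apply the CIDR semantics the setup dialog
# uses for the management access list, using Python's standard ipaddress module.
import ipaddress


def parse_access_list(entries):
    """Parse 'address/prefix' entries into IPv4Network objects.

    A malformed entry raises ValueError here, before the sensor rejects it.
    strict=False tolerates host bits in the address (10.1.1.1/24 -> 10.1.1.0/24).
    """
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def address_range(entry):
    """Return the first and last address an entry permits, as strings."""
    net = ipaddress.ip_network(entry, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def is_permitted(host, networks):
    """True if any network in the parsed access list contains the host."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in networks)


def broad_entries(networks, max_prefixlen=24):
    """Entries wider than a /24 (the threshold is an assumption of this example)."""
    return [str(net) for net in networks if net.prefixlen < max_prefixlen]


def check_setup(entries, management_hosts):
    """Summarise what a proposed access list would do for the listed hosts."""
    networks = parse_access_list(entries)
    return {
        "permitted": {h: is_permitted(h, networks) for h in management_hosts},
        "broad": broad_entries(networks),
    }


if __name__ == "__main__":
    # Constructed sample: the entries the guide uses as examples, plus two hosts.
    proposed = ["10.0.0.0/8", "10.1.1.0/24", "10.1.1.1/32"]
    for entry in proposed:
        print(entry, "permits", "-".join(address_range(entry)))
    print(check_setup(proposed, ["10.1.1.7", "192.168.1.50"]))
```

Run it with the entries you intend to type at the access-list prompt and the addresses of the hosts you manage the sensor from; a host that comes back False would be locked out once the configuration is saved.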
Step 9
i. Specify the day you want the summertime settings to end. Valid entries are sunday, monday, tuesday, wednesday, thursday, friday, and saturday. The default is sunday.
j. Specify the time you want summertime settings to end. The default is 02:00:00.
k. Specify the DST zone. The zone name is a character string up to 24 characters long in the pattern [A-Za-z0-9()+:,_/-]+$.
l. Specify the summertime offset.
        day-of-week sunday
        time-of-day 02:00:00
      exit
      end-summertime
        month november
        week-of-month first
        day-of-week sunday
        time-of-day 02:00:00
      exit
    exit
    ntp-option enabled
      ntp-keys 1 md5-key 8675309
      ntp-servers 10.10.1.2 key-id 1
    exit
service global-correlation
  network-participation full
exit

[0] Go to the command prompt without saving this config.
[1] Return to setup without saving this config.
[2] Save this configuration and exit setup.
[3]

Step 11
Note  Adding new subinterfaces is a two-step process. You first organize the interfaces when you edit the virtual sensor configuration. You then choose which interfaces and subinterfaces are assigned to which virtual sensors. The interfaces change according to the appliance model, but the prompts are the same for all models.
Note  The following options let you create and delete interfaces. You assign the interfaces to virtual sensors in the virtual sensor configuration. If you are using promiscuous mode for your interfaces and are not subdividing them by VLAN, no additional configuration is necessary.

[1] Remove interface configurations.
[2] Add/Modify Inline Vlan Pairs.
[3] Add/Modify Promiscuous Vlan Groups.
[4] Add/Modify Inline Interface Pairs.
[3] Add/Modify Promiscuous Vlan Groups.
[4] Add/Modify Inline Interface Pairs.
[5] Add/Modify Inline Interface Pair Vlan Groups.
[6] Modify interface default-vlan.
Option:

Step 15  Enter 4 to add an inline interface pair and see these options.
Available Interfaces
GigabitEthernet0/1
GigabitEthernet0/2
GigabitEthernet0/3

Step 16  Enter the pair name, description, and which interfaces you want to pair.
Step 22  Enter 4 to add inline interface pair NewPair.
Step 23  Press Enter to return to the top-level virtual sensor menu.
Virtual Sensor: vs0
Anomaly Detection: ad0
Event Action Rules: rules0
Signature Definitions: sig0
Inline Vlan Pair: GigabitEthernet0/0:1 (Vlans: 200, 300)
Inline Interface Pair: newPair (GigabitEthernet0/1, GigabitEthernet0/2)
[1] Remove virtual sensor.
[2] Modify "vs0" virtual sensor configuration.
[3] Create new virtual sensor.
    admin-state enabled
    subinterface-type inline-vlan-pair
      subinterface 1
        description Created via setup by user asmith
        vlan1 200
        vlan2 300
      exit
    exit
  exit
  physical-interfaces GigabitEthernet0/1
    admin-state enabled
  exit
  physical-interfaces GigabitEthernet0/2
    admin-state enabled
  exit
  physical-interfaces GigabitEthernet0/0
    admin-state enabled
  exit
  inline-interfaces newPair
    description Created via setup by user asmith
    interface1 GigabitEthernet0/1
    interface2 Gigabit
Step 31  Apply the most recent service pack and signature update. You are now ready to configure your appliance for intrusion prevention.

For More Information
For the procedure for obtaining the most recent IPS software, see Obtaining Cisco IPS Software, page 21-1.
[1] Modify interface default-vlan.
Option:

Step 9  Press Enter to return to the top-level interface and virtual sensor configuration menu.
[1] Edit Interface Configuration
[2] Edit Virtual Sensor Configuration
[3] Display configuration
Option:

Step 10  Enter 2 to edit the virtual sensor configuration.
[1] Remove virtual sensor.
[2] Modify "vs0" virtual sensor configuration.
[3] Create new virtual sensor.
Step 18  Enter the signature-definition configuration name, newSig.
Event Action Rules Configuration
[1] rules0
[2] Create a new event action rules configuration
Option[2]:

Step 19  Enter 1 to use the existing event-action-rules configuration, rules0.

Note  If GigabitEthernet 0/1 has not been assigned to vs0, you are prompted to assign it to the new virtual sensor.
    ntp-option disabled
  exit
service web-server
  port 342
exit
service analysis-engine
  virtual-sensor newVs
    description New Sensor
    signature-definition newSig
    event-action-rules rules0
    anomaly-detection
      anomaly-detection-name ad0
    exit
    physical-interfaces GigabitEthernet0/1
  exit
exit
service event-action-rules rules0
  overrides deny-packet-inline
    override-item-status Disabled
    risk-rating-range 90-100
  exit
exit
[0] Go to the command prompt without saving this confi
Advanced Setup for the ASA 5500-X IPS SSP

To continue with advanced setup for the ASA 5500-X IPS SSP, follow these steps:

Step 1  Session in to the IPS using an account with administrator privileges.
asa# session ips
Step 2  Enter the setup command. The System Configuration Dialog is displayed. Press Enter or the spacebar to skip to the menu to access advanced setup.
Step 3  Enter 3 to access advanced setup.
Step 4  Specify the Telnet server status.
Step 10  Enter 2 to edit the virtual sensor configuration.
[1] Remove virtual sensor.
[2] Modify "vs0" virtual sensor configuration.
[3] Create new virtual sensor.
Option:

Step 11  Enter 2 to modify the virtual sensor vs0 configuration.
Virtual Sensor: vs0
Anomaly Detection: ad0
Event Action Rules: rules0
Signature Definitions: sig0
No Interfaces to remove.
Note  If PortChannel 0/0 has not been assigned to vs0, you are prompted to assign it to the new virtual sensor.
Virtual Sensor: newVs
Anomaly Detection: ad0
Event Action Rules: rules0
Signature Definitions: newSig
Monitored: PortChannel0/0
[1] Remove virtual sensor.
[2] Modify "newVs" virtual sensor configuration.
[3] Modify "vs0" virtual sensor configuration.
[4] Create new virtual sensor.
Option:

Step 20
    signature-definition newSig
    event-action-rules rules0
    anomaly-detection
      anomaly-detection-name ad0
    exit
    physical-interfaces PortChannel0/0
  exit
exit
service event-action-rules rules0
  overrides deny-packet-inline
    override-item-status Disabled
    risk-rating-range 90-100
  exit
exit
[0] Go to the command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration and exit setup.
Step 3 Enter 3 to access advanced setup.
Step 4 Specify the Telnet server status. You can disable or enable Telnet services. The default is disabled.
Step 5 Specify the SSHv1 fallback setting. The default is enabled.
Step 6 Specify the web server port. The web server port is the TCP port used by the web server (1 to 65535). The default is 443.
Note The web server is configured to use TLS/SSL encryption by default.
Step 7
Unassigned:
Monitored:
[1] PortChannel0/0
Add Interface:
Step 12 Enter 1 to add PortChannel 0/0 to virtual sensor vs0.
Note Multiple virtual sensors are supported. The adaptive security appliance can direct packets to specific virtual sensors or can send packets to be monitored by a default virtual sensor. The default virtual sensor is the virtual sensor to which you assign PortChannel 0/0.
[4] Create new virtual sensor.
Option:
Step 20 Press Enter to exit the interface and virtual sensor configuration menu.
Modify default threat prevention settings?[no]:
Step 21 Enter yes if you want to modify the default threat prevention settings.
Note The sensor comes with a built-in override to add the deny packet event action to high risk rating alerts. If you do not want this protection, disable automatic threat prevention.
Chapter 3 Initializing the Sensor Verifying Initialization
[1] Return back to the setup without saving this config.
[2] Save this configuration and exit setup.
Step 23 Enter 2 to save the configuration.
Enter your selection[2]: 2
Configuration Saved.
Step 24 Reboot the ASA 5585-X IPS SSP.
ips-ssp# reset
Warning: Executing this command will stop all applications and reboot the node. Continue with reset? []:
Step 25 Enter yes to continue the reboot.
service authentication
permit-packet-logging true
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
network-settings
host-ip 192.168.1.2/24,192.168.1.1
host-name sensor
telnet-option enabled
sshv1-fallback enabled
access-list 0.0.0.
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
exit
! ------------------------------
service anomaly-detection ad0
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service health-monitor
exit
! ------------------------------
service global-correlation
exit
! ------------------------------
service aaa
exit
! ----------------------
CHAPTER 4 Setting Up the Sensor
This chapter contains procedures for setting up the sensor, and contains the following sections:
• Setup Notes and Caveats, page 4-1
• Understanding Sensor Setup, page 4-2
• Changing Network Settings, page 4-2
• Changing the CLI Session Timeout, page 4-13
• Changing Web Server Settings, page 4-14
• Configuring Authentication and User Parameters, page 4-16
• Configuring Time, page 4-34
• Configuring SSH, page 4-44
• Configuring TLS, page 4-50
• In
Chapter 4 Setting Up the Sensor Understanding Sensor Setup
• You cannot use the privilege command to give a user service privileges. If you want to give an existing user service privileges, you must remove that user and then use the username command to create the service account.
• Do not make modifications to the sensor through the service account except under the direction of TAC. If you use the service account to configure the sensor, your configuration is not supported by TAC.
Chapter 4 Setting Up the Sensor Changing Network Settings
Changing the Hostname
Note The CLI prompt of the current session and other existing sessions will not be updated with the new hostname. Subsequent CLI login sessions will reflect the new hostname in the prompt.
Use the host-name host_name command in the service host submode to change the hostname of the sensor after you have run the setup command. The default is sensor.
sensor(config-hos-net)#
Step 7 Exit network settings mode.
sensor(config-hos-net)# exit
sensor(config-hos)# exit
Apply Changes:?[yes]:
Step 8 Press Enter to apply the changes or enter no to discard them.
Changing the IP Address, Netmask, and Gateway
Use the host-ip ip_address/netmask,default_gateway command in the service host submode to change the IP address, netmask, and default gateway after you have run the setup command.
Step 5 To change the information back to the default setting, use the default form of the command.
sensor(config-hos-net)# default host-ip
Step 6 Verify that the host IP is now the default of 192.168.1.2/24,192.168.1.1.
sensor(config-hos-net)# show settings
network-settings
-----------------------------------------------
host-ip: 192.168.1.2/24,192.168.1.
host-ip: 192.0.2.1/24,192.0.2.2 default: 192.168.1.2/24,192.168.1.1
host-name: sensor default: sensor
telnet-option: enabled default: disabled
access-list (min: 0, max: 512, current: 1)
-----------------------------------------------
network-address: 0.0.0.
Step 3 Add an entry to the access list. The netmask for a single host is 32.
sensor(config-hos-net)# access-list 192.0.2.110/32
Step 4 Verify the change you made to the access-list.
sensor(config-hos-net)# show settings
network-settings
-----------------------------------------------
host-ip: 192.168.1.2/24,192.168.1.
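The host-ip and access-list syntax described above can be checked before it is typed into the sensor. The following validator is an added example (not sensor code); the function names are its own, the 512-entry limit and the /32 single-host convention come from this page, and flagging 0.0.0.0/0 as wide-open management access is this example's check.

```python
"""Validator for the sensor's network-settings syntax (added example).

Models the two commands shown on this page:
  host-ip ip_address/netmask,default_gateway   e.g. 192.168.1.2/24,192.168.1.1
  access-list network_address/netmask          e.g. 192.0.2.110/32, max 512 entries
"""
import ipaddress

MAX_ACCESS_LIST_ENTRIES = 512  # "access-list (min: 0, max: 512, ...)" in show settings


def parse_host_ip(value):
    """Parse 'ip/prefix,gateway'; return (IPv4Interface, IPv4Address).

    Raises ValueError when the gateway is not inside the sensor's own subnet,
    because the sensor could never reach such a gateway after the change is applied.
    """
    try:
        iface_text, gw_text = value.split(",", 1)
    except ValueError:
        raise ValueError("expected ip_address/netmask,default_gateway") from None
    iface = ipaddress.IPv4Interface(iface_text)  # validates dotted quad and prefix
    gateway = ipaddress.IPv4Address(gw_text)
    if gateway not in iface.network:
        raise ValueError(f"gateway {gateway} is not in {iface.network}")
    if gateway == iface.ip:
        raise ValueError("gateway must differ from the sensor address")
    return iface, gateway


def check_access_list(entries):
    """Validate access-list entries; return a list of problems (empty means ok).

    Each entry must be a network in CIDR form with all host bits zero (so a
    single host is written /32), entries must be unique, and there may be at
    most 512 of them. 0.0.0.0/0 is reported because it permits management
    access from any source address.
    """
    problems = []
    seen = set()
    if len(entries) > MAX_ACCESS_LIST_ENTRIES:
        problems.append(f"{len(entries)} entries exceeds max {MAX_ACCESS_LIST_ENTRIES}")
    for entry in entries:
        try:
            net = ipaddress.IPv4Network(entry, strict=True)
        except ValueError as exc:
            problems.append(f"{entry}: {exc}")
            continue
        if net in seen:
            problems.append(f"{entry}: duplicate entry")
        seen.add(net)
        if net.prefixlen == 0:
            problems.append(f"{entry}: permits management access from any address")
    return problems
```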
Step 9 Exit network settings mode.
sensor(config-hos-net)# exit
sensor(config-hos)# exit
Apply Changes:?[yes]:
Step 10 Press Enter to apply the changes or enter no to discard them.
Changing the FTP Timeout
Note You can use the FTP client for downloading updates and configuration files from your FTP server.
host-name: sensor default: sensor
telnet-option: enabled default: disabled
access-list (min: 0, max: 512, current: 1)
-----------------------------------------------
network-address: 0.0.0.
Step 5 To remove the login banner text, use the no form of the command.
sensor(config-hos-net)# no login-banner-text
Step 6 Verify the login text has been removed.
sensor(config-hos-net)# show settings
network-settings
-----------------------------------------------
host-ip: 192.0.2.1/24,192.0.2.2 default: 192.168.1.2/24,192.168.1.
• dns-primary-server {enabled | disabled}—Enables a DNS primary server:
– address ip_address—Specifies the IP address of the DNS primary server.
• dns-secondary-server {enabled | disabled}—Enables a DNS secondary server:
– address ip_address—Specifies the IP address of the DNS secondary server.
-----------------------------------------------
dns-tertiary-server
-----------------------------------------------
disabled
-----------------------------------------------
-----------------------------------------------
http-proxy
-----------------------------------------------
proxy-server
-----------------------------------------------
address: 10.10.10.
Chapter 4 Setting Up the Sensor Changing the CLI Session Timeout
network-settings
-----------------------------------------------
host-ip: 10.106.164.52/24,10.106.164.1 default: 192.168.1.2/24,192.168.1.1
host-name: p32-ips4240-52 default: sensor
telnet-option: enabled default: disabled
sshv1-fallback: enabled default: enabled
access-list (min: 0, max: 512, current: 1)
-----------------------------------------------
network-address: 0.0.0.
Chapter 4 Setting Up the Sensor Changing Web Server Settings
Step 5 Change the value back to the default.
sensor(config-aut)# default cli-inactivity-timeout
Step 6 Verify the value has been set back to the default.
Step 3 Change the port number.
sensor(config-web)# port 8080
If you change the port number from the default of 443 to 8080, you receive this message:
Warning: The web server’s listening port number has changed from 443 to 8080. This change will not take effect until the web server is re-started
Step 4 Enable or disable TLS.
Chapter 4 Setting Up the Sensor Configuring Authentication and User Parameters
Note If you change the port or enable TLS settings, you must reset the sensor to make the web server use the new settings.
For More Information
• For the procedure for resetting the appliance, see Resetting the Appliance, page 17-47.
• For the procedure for resetting the ASA 5500 AIP SSM, see Reloading, Shutting Down, Resetting, and Recovering the ASA 5500 AIP SSM, page 18-15.
Caution The username command provides username and password authentication for login purposes only. You cannot use this command to remove a user who is logged in to the system. You cannot use this command to remove yourself from the system. If you do not specify a password, the system prompts you for one. Use the password command to change the password for existing users.
CLI ID    User       Privilege
* 13491   cisco      administrator
          jsmith     operator
          jtaylor    service
          jroberts   viewer
sensor#
Step 5 To remove a user, use the no form of the command.
sensor# configure terminal
sensor(config)# no username jsmith
Note You cannot use this command to remove yourself from the system.
Step 6 Verify that the user has been removed. The user jsmith has been removed.
You can configure a primary RADIUS server and a secondary RADIUS server. The secondary RADIUS server authenticates and authorizes users if the primary RADIUS server is unresponsive. You can also configure the sensor to use local authentication (local fallback) if no RADIUS servers are responding. In this case, the sensor authenticates against the locally configured user accounts.
Caution Do not add multiple Cisco av-pairs with the same key. You should have only one instance of ips-role=value. Make sure the key and the value are correct or the feature may not work as expected. For example, do not use the following configuration:
ips-role= administer
ips-role=ad
– local-fallback {enabled | disabled}—Lets you default to local authentication if the RADIUS servers are not responding.
Configuring Local or RADIUS Authentication
Caution Make sure you have a RADIUS server already configured before you configure RADIUS authentication on the sensor. IPS has been tested with CiscoSecure ACS 4.2 and 5.1 servers. Refer to your RADIUS server documentation for information on how to set up a RADIUS server.
Note Enabling RADIUS authentication on the sensor does not disconnect already established connections.
d. Configure a Cisco av pair. If you do not want to configure a default user role on the sensor that is applied in the absence of a Cisco av pair, you need to configure the Cisco IOS/PIX 6.
e. Enter the secret value that you obtained from the RADIUS server. The shared secret is a piece of data known only to the parties involved in a secure communication.
timeout: 3
-----------------------------------------------
secondary-server
-----------------------------------------------
enabled
-----------------------------------------------
server-address: 10.4.5.
The following options apply:
• permit-packet-logging true—Allows users to execute packet-related commands based on privilege level.
• permit-packet-logging false—Restricts all users from executing any packet-related commands.
AAA RADIUS Users
AAA RADIUS users with the correct av-pair are authorized to execute packet capture/display and IP logging commands. RADIUS users with no av-pair value are restricted.
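The av-pair rules above (exactly one ips-role=value pair, correct key and value, a default role only when no pair is present, and no role when the pair is missing) can be checked on the RADIUS side before a user ever logs in. This checker is an added example, not sensor or ACS code; the role names are those shown in show users on this page, and representing each av-pair as one "key=value" string is this example's assumption.

```python
"""Resolve the IPS role carried in Cisco av-pairs (added example)."""
import re

VALID_ROLES = {"administrator", "operator", "viewer", "service"}
# Strict form: no whitespace around '=', so "ips-role= administer" is rejected.
AV_PAIR_RE = re.compile(r"^(?P<key>[A-Za-z0-9_-]+)=(?P<value>\S+)$")


def resolve_ips_role(av_pairs, default_role=None):
    """Return (role, problems) for one user's list of av-pair strings.

    A single well-formed ips-role pair with a known value yields that role.
    No ips-role pair at all yields default_role (the sensor's configured
    default, or None meaning the user is restricted). A duplicate, malformed
    or unknown ips-role pair yields None plus the reasons, which is what an
    operator wants when a RADIUS login ends up with a lower role than expected.
    """
    problems = []
    roles = []
    for raw in av_pairs:
        m = AV_PAIR_RE.match(raw)
        if not m:
            # Catch the page's bad example "ips-role= administer" (space after '=').
            if raw.replace(" ", "").startswith("ips-role="):
                problems.append(f"malformed ips-role pair: {raw!r}")
            continue  # other attributes are not the sensor's concern here
        if m.group("key") != "ips-role":
            continue
        value = m.group("value")
        if value not in VALID_ROLES:
            problems.append(f"unknown ips-role value: {value!r}")
        roles.append(value)
    if len(roles) > 1:
        problems.append(f"multiple ips-role pairs: {roles}")
    if problems:
        return None, problems
    if not roles:
        return default_role, []
    return roles[0], []


def packet_commands_allowed(role, permit_packet_logging=True):
    """Apply the permit-packet-logging rule from this page to a resolved role.

    permit-packet-logging false blocks everyone; with it true, a RADIUS user
    must have resolved to a role (no av-pair means restricted). Which roles may
    then run which packet commands depends on privilege level and is not modelled.
    """
    return permit_packet_logging and role is not None
```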
sensor(config-aut)#
Step 5 Restrict all users from executing packet capture/display and IP log commands.
sensor(config-aut)# permit-packet-logging false
Step 6 Check your new setting.
Note For IPS 5.0 and later, you can no longer remove the cisco account. You can disable it using the no password cisco command, but you cannot remove it. To use the no password cisco command, there must be another administrator account on the sensor. Removing the cisco account through the service account is not supported.
RADIUS Authentication Functionality and Limitations
The current AAA RADIUS implementation has the following functionality and limitations:
• Authentication with a RADIUS server—However, you cannot change the password of the RADIUS server from the IPS.
• Authorization—You can perform role-based authorization by specifying the IPS role of the user on the RADIUS server.
Changing User Privilege Levels
Note You cannot use the privilege command to give a user service privileges. If you want to give an existing user service privileges, you must remove that user and then use the username command to create the service account. There can only be one person with service privileges.
Use the privilege command to change the privilege level—administrator, operator, viewer—for a user.
Showing User Status
Note All IPS platforms allow ten concurrent login sessions.
Use the show users command to view information about the username and privilege of all users logged in to the sensor, and all user accounts on the sensor regardless of login status. An asterisk (*) indicates the current user. If an account is locked, the username is surrounded by parentheses.
Example
For example, you can set a policy where passwords must have at least 10 characters and no more than 40, and must have a minimum of 2 upper case and 2 numeric characters. Once that policy is set, every password configured for each user account must conform to this password policy.
To set up a password policy, follow these steps:
Step 1 Log in to the sensor using an account with administrator privileges.
Locking User Accounts
Note When you configure account locking, local authentication, as well as RADIUS authentication, is affected. After a specified number of failed attempts to log in locally or in to a RADIUS account, the account is locked locally on the sensor. For local accounts, you can reset the password or use the unlock user username command to unlock the account.
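The password policy from the Example above (10 to 40 characters, at least 2 upper case and 2 numeric) and the lockout behaviour described in Locking User Accounts (lock after a set number of failed attempts, username shown in parentheses, password reset or unlock clears the lock) together describe the local-account state machine. The model below is an added example, not sensor code: the class and method names are its own, the attempt limit of 3 is a constructed value, and PBKDF2 storage is this example's choice, since the page does not describe how the sensor stores passwords.

```python
"""Local-account password policy and lockout model (added example)."""
import hashlib
import hmac
import os

# The example policy given on this page.
POLICY = {"min_len": 10, "max_len": 40, "min_upper": 2, "min_digits": 2}


def password_policy_violations(password, policy=POLICY):
    """Return the list of policy rules a candidate password breaks (empty = ok)."""
    v = []
    if len(password) < policy["min_len"]:
        v.append(f"shorter than {policy['min_len']} characters")
    if len(password) > policy["max_len"]:
        v.append(f"longer than {policy['max_len']} characters")
    if sum(c.isupper() for c in password) < policy["min_upper"]:
        v.append(f"fewer than {policy['min_upper']} upper-case characters")
    if sum(c.isdigit() for c in password) < policy["min_digits"]:
        v.append(f"fewer than {policy['min_digits']} numeric characters")
    return v


class LocalAccounts:
    """Minimal model of the sensor's local user database (constructed)."""

    def __init__(self, attempt_limit=3):
        self.attempt_limit = attempt_limit  # constructed value, not a sensor default
        self._users = {}  # name -> {salt, hash, failures, locked}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, name, password):
        """Create or reset an account; enforces the policy and clears any lock."""
        violations = password_policy_violations(password)
        if violations:
            raise ValueError("; ".join(violations))
        salt = os.urandom(16)
        self._users[name] = {"salt": salt, "hash": self._hash(password, salt),
                             "failures": 0, "locked": False}

    def login(self, name, password):
        """Return True on success; lock the account after attempt_limit failures."""
        rec = self._users.get(name)
        if rec is None or rec["locked"]:
            return False
        if hmac.compare_digest(rec["hash"], self._hash(password, rec["salt"])):
            rec["failures"] = 0
            return True
        rec["failures"] += 1
        if rec["failures"] >= self.attempt_limit:
            rec["locked"] = True
        return False

    def unlock(self, name):
        """Equivalent of unlock user username: clear the lock and the failure count."""
        rec = self._users[name]
        rec["locked"] = False
        rec["failures"] = 0

    def display_name(self, name):
        """Username as show users prints it: locked accounts in parentheses."""
        return f"({name})" if self._users[name]["locked"] else name
```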
sensor(config-aut)# exit
sensor(config)# exit
sensor# show users all
CLI ID    User       Privilege
* 1349    cisco      administrator
  5824    (jsmith)   viewer
  9802    tester     operator
Step 8 To unlock the account of jsmith, reset the password.
Chapter 4 Setting Up the Sensor Configuring Time
Step 5 Check your new setting. The account of the user jsmith is now unlocked, as indicated by the absence of parentheses.
sensor# show users all
CLI ID    User       Privilege
* 1349    cisco      administrator
  5824    jsmith     viewer
  9802    tester     operator
For More Information
For the procedure for locking the user accounts, see Locking User Accounts, page 4-32.
Configuring Time
This section describes the importance of having a reliable time source for the sensor.
The ASA IPS Modules
• The ASA 5500 AIP SSM, ASA 5500-X IPS SSP, and ASA 5585-X IPS SSP automatically synchronize their clocks with the clock in the adaptive security appliance in which they are installed. This is the default.
• Configure them to get their time from an NTP time synchronization source, such as a Cisco router other than the parent router.
Displaying the System Clock
Use the show clock [detail] command to display the system clock. You can use the detail option to indicate the clock source (NTP or system) and the current summertime setting (if any). The system clock keeps an authoritative flag that indicates whether the time is authoritative (believed to be accurate). If the system clock has been set by a timing source, such as NTP, the flag is set. Table 4-1 lists the system clock flags.
• ASA 5500 AIP SSM
• ASA 5500-X IPS SSP
• ASA 5585-X IPS SSP
To manually set the clock on the appliance, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Set the clock manually.
sensor# clock set 13:21 Mar 29 2011
Note The time format is 24-hour time.
Configuring Recurring Summertime Settings
Note Summertime is a term for daylight saving time.
e. Verify your settings.
sensor(config-hos-rec-sta)# show settings
start-summertime
-----------------------------------------------
month: april default: april
week-of-month: first default: first
day-of-week: monday default: sunday
time-of-day: 12:00:00 default: 02:00:00
-----------------------------------------------
sensor(config-hos-rec-sta)#
Step 5 Enter end summertime submode.
week-of-month: first default: first
day-of-week: monday default: sunday
time-of-day: 12:00:00 default: 02:00:00
-----------------------------------------------
end-summertime
-----------------------------------------------
month: october default: october
week-of-month: last default: last
day-of-week: friday default: sunday
time-of-day: 05:15:00 default: 02:00:00
-----------------------------------------------
-----------------------------------------------
Step
-----------------------------------------------
sensor(config-hos-non-sta)#
Step 5 Enter end summertime submode.
sensor(config-hos-non-sta)# exit
sensor(config-hos-non)# end-summertime
Step 6 Configure the end summertime parameters:
a. Enter the date you want to end summertime settings. The format is yyyy-mm-dd.
sensor(config-hos-non-end)# date 2004-10-31
b. Enter the time you want to end summertime settings. The format is hh:mm:ss.
Configuring Time Zone Settings
Use the time-zone-settings command to configure the time zone settings on the sensor, such as the time zone name the sensor displays whenever summertime settings are not in effect and the offset.
To configure the time zone settings on the sensor, follow these steps:
Step 1 Log in to the sensor using an account with administrator privileges.
Step 2 Enter time zone settings submode.
Caution The sensor NTP capability is designed to be compatible with Cisco routers acting as NTP servers. The sensor may work with other NTP servers, but is not tested or supported.
Note Remember the NTP server key ID and key values. You need them along with the NTP server IP address when you configure the sensor to use the NTP server as its time source.
To set up a Cisco router to act as an NTP server, follow these steps:
Step 1 Log in to the router.
Step 6 Specify the NTP master stratum number to be assigned to the sensor. The NTP master stratum number identifies the relative position of the server in the NTP hierarchy. You can choose a number between 1 and 15. It is not important to the sensor which number you choose.
router(config)# ntp master stratum_number
Example
router(config)# ntp master 6
Configuring the Sensor to Use an NTP Time Source
The sensor requires a consistent time source.
Chapter 4 Setting Up the Sensor Configuring SSH
Step 5 Configure authenticated NTP:
a. Enter NTP configuration mode.
sensor(config-hos)# ntp-option enable
b. Specify the NTP server IP address and key ID. The key ID is a number between 1 and 65535. This is the key ID that you already set up on the NTP server.
sensor(config-hos-ena)# ntp-servers ip_address key-id key_ID
Example
sensor(config-hos-ena)# ntp-servers 10.16.0.0 key-id 100
c. Specify the NTP server key value.
• Adding Authorized RSA1 and RSA2 Keys, page 4-47
• Generating a RSA Server Host Key, page 4-48
Understanding SSH
SSH provides strong authentication and secure communications over channels that are not secure. SSH encrypts your connection to the sensor and provides a key so you can validate that you are connecting to the correct sensor. SSH also provides authenticated and encrypted access to other devices that the sensor connects to for blocking.
Caution When you use the ssh host-key ip-address command, the SSH server at the specified IP address is contacted to obtain the required key over the network. The specified host must be accessible at the moment the command is issued.
Step 7 Remove an entry. The host is removed from the SSH known hosts list.
sensor(config)# no ssh host-key 10.16.0.0
Step 8 Verify the host was removed. The IP address no longer appears in the list.
sensor(config)# exit
sensor# show ssh host-keys
Adding Authorized RSA1 and RSA2 Keys
Use the ssh authorized-key command to define public keys for a client allowed to use RSA1 or RSA2 authentication to log in to the local SSH server. The default is RSA2.
To add a key entry to the SSHv1 or SSHv2 authorized keys list for the current user, follow these steps:
Step 1 Log in to the CLI.
Step 2 Add a key to the authorized keys list for the current user.
Note You receive an error message if you try to add a key smaller than the 2048-bit key size and if the measured key length and the input key length do not match.
Use the ssh generate-key command to change the SSH server host key. The displayed fingerprint matches the one displayed in the remote SSH client in future connections with this sensor if the remote client is using SSH.
Note The sensor only supports RSA keys. Peers that communicate with IPS need to support RSA keys; otherwise, the connection is not established.
Chapter 4 Setting Up the Sensor Configuring TLS
Configuring TLS
This section describes TLS on the sensor, and contains the following topics:
• Understanding TLS, page 4-50
• Adding TLS Trusted Hosts, page 4-51
• Enabling Strict TLS Certificate Checks, page 4-52
• Adding and Updating TLS Trusted Root Certificates, page 4-53
• Displaying TLS Trusted Root Certificates, page 4-55
• Displaying and Generating the Server Certificate, page 4-56
Understanding TLS
The Cisco IPS contains a web server th
• Add the issuer identified in the certificate to the list of trusted CAs of the web browser and trust the certificate until it expires. The most convenient option is to permanently trust the issuer. However, before you add the issuer, use out-of-band methods to examine the fingerprint of the certificate. This prevents you from being victimized by an attacker posing as a sensor.
Step 3 Enter yes to accept the fingerprint. The host is added to the TLS trusted host list. The Certificate ID stored for the requested certificate is displayed when the command is successful.
Certificate ID: 10.89.146.110 successfully added to the TLS trusted host table.
sensor(config)#
Step 4 Verify that the host was added.
sensor(config)# exit
sensor# show tls trusted-hosts
10.89.146.110
sensor#
Step 5 View the fingerprint for a specific host.
Step 5 Verify the web server changes.
sensor(config-web)# show settings
enable-tls: true
strict-tls-server-validation: enable default: disable
port: 443
server-id: HTTP/1.
Server's IP Address: 173.39.51.249
Port[22]:
File name: /ws/jsmith-bgl/CertiPostRootCert.cer
Password: ************
SHA1 fingerprint of this certificate is 74:2c:df:15:94:04:9c:bf:17:a2:04:6c:c6:39:bb:38:88:e0:2e:33
Would you like to add this to the TLS trusted certificate store (yes/no)?[yes]:
Step 3 Enter yes to accept the trusted root certificate. The certificate is added to the TLS trusted root certificates list.
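The Understanding TLS text tells you to examine the fingerprint out of band before trusting a host or root certificate, and the prompt above is where the sensor shows it. The helper below is an added example (not sensor code) of that comparison: it extracts the fingerprint from the sensor's prompt text, computes the SHA1 fingerprint of a DER certificate obtained independently, and compares the two in constant time after normalising case and separators. The DER bytes and the prompt transcript used in the test are constructed placeholders, not a real certificate.

```python
"""Out-of-band SHA1 fingerprint check for a TLS trusted host or root
certificate (added example)."""
import hashlib
import hmac
import re

# Matches the line the sensor prints before asking whether to trust the certificate.
FINGERPRINT_RE = re.compile(
    r"SHA1 fingerprint of this certificate is\s+"
    r"((?:[0-9A-Fa-f]{2}:){19}[0-9A-Fa-f]{2})")


def normalize_fingerprint(text):
    """Accept 'aa:bb:..', 'AA BB ..' or bare hex; return 40 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", text).lower()
    if len(digits) != 40:
        raise ValueError("SHA1 fingerprint must be 20 bytes")
    return digits


def sha1_fingerprint(der_bytes):
    """Colon-separated SHA1 over the DER encoding, the form the sensor prints."""
    return ":".join(f"{b:02x}" for b in hashlib.sha1(der_bytes).digest())


def fingerprint_from_prompt(prompt_text):
    """Pull the fingerprint out of the sensor's add-certificate prompt."""
    m = FINGERPRINT_RE.search(prompt_text)
    if not m:
        raise ValueError("no SHA1 fingerprint line found in sensor output")
    return m.group(1)


def fingerprints_match(shown, expected):
    """Constant-time comparison of two fingerprints in any common notation."""
    return hmac.compare_digest(normalize_fingerprint(shown),
                               normalize_fingerprint(expected))


def safe_to_accept(prompt_text, der_bytes):
    """True only when the fingerprint the sensor shows matches the
    fingerprint of the certificate copy obtained out of band."""
    return fingerprints_match(fingerprint_from_prompt(prompt_text),
                              sha1_fingerprint(der_bytes))
```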
Expiration Date: Sat May 21 04:00:00 2022
sensor#
Displaying TLS Trusted Root Certificates
Use the show tls trusted-root-certificates command in privileged EXEC mode to list the current TLS trusted root certificates on the sensor.
To display the TLS trusted root certificates on the sensor, follow these steps:
Step 1 Log in to the CLI.
Chapter 4 Setting Up the Sensor Installing the License Key
Expiration Date: Fri Jan 1 23:59:59 2021
sensor#
Displaying and Generating the Server Certificate
A TLS certificate is generated when the sensor is first started. Use the tls generate-key command to generate a new server self-signed X.509 certificate. The IP address of the sensor is included in the certificate. If you change the sensor IP address, the sensor automatically generates a new certificate.
• Uninstalling the License Key, page 4-61
Understanding the License Key
Although the sensor functions without the license key, you must have a license key to obtain signature updates and use the global correlation features. To obtain a license key, you must have the following:
• Cisco Service for IPS service contract—Contact your reseller, Cisco service or product sales to purchase a contract.
• IPS 4260
• IPS 4270-20
• IPS 4345
• IPS 4360
• IPS 4510
• IPS 4520
When you purchase an ASA 5500 series adaptive security appliance product that does not contain IPS, you must purchase a SMARTnet contract.
Note SMARTnet provides operating system updates, access to Cisco.com, access to TAC, and hardware replacement NBD on site.
ftp://[[username@]location][//absoluteDirectory]/filename
Note You are prompted for a password.
• scp:—Source URL for the SCP network server. The syntax for this prefix is:
scp://[[username@]location][/relativeDirectory]/filename
scp://[[username@]location][//absoluteDirectory]/filename
Note You are prompted for a password. You must add the remote host to the SSH known hosts list.
• http:—Source URL for the web server.
Step 7 Verify the sensor is licensed.
sensor# show version
Application Partition:
Cisco Intrusion Prevention System, Version 7.1(3)E4
Host:
Realm Keys key1.0
Signature Definition:
Signature Update S605.0 2011-10-25
OS Version: 2.6.29.1
Platform: ASA5585-SSP-IPS10
Serial Number: 123456789AB
Licensed, expires: <07-Aug-2013 UTC >
Sensor up-time is 12 days.
Using 4395M out of 5839M bytes of available memory (75% usage)
system is using 26.
Caution You must have the correct IPS device serial number and product identifier (PID) because the license key only functions on the device with that number.
Step 6 Save the license key to a hard-disk drive or a network drive that the client running the IDM or the IME can access.
Step 7 Log in to the IDM or the IME.
Step 8 For the IDM choose Configuration > Sensor Management > Licensing.
sensor#
Step 3 Verify the sensor key has been uninstalled.
sensor# show version
Application Partition:
Cisco Intrusion Prevention System, Version 7.1(5)E4
Host:
Realm Keys key1.0
Signature Definition:
Signature Update S615.0 2012-01-03
OS Version: 2.6.29.1
Platform: IPS-4345-K9
Serial Number: FCH1445V00N
No license present
Sensor up-time is 5 days.
Using 5318M out of 7864M bytes of available memory (67% usage)
system is using 33.6M out of 160.
CHAPTER 5 Configuring Interfaces
This chapter describes how to configure interfaces on the sensor. You configured the interfaces when you initialized the sensor with the setup command, but if you need to change or add anything to your interface configuration, use the following procedures. For more information on configuring interfaces using the setup command, see Chapter 3, “Initializing the Sensor.
Chapter 5 Configuring Interfaces Understanding Interfaces
• You configure the ASA IPS modules (ASA 5500 AIP SSM, ASA 5500-X IPS SSP, and ASA 5585-X IPS SSP) for promiscuous mode from the adaptive security appliance CLI and not from the Cisco IPS CLI.
• You can configure the ASA IPS modules (ASA 5500 AIP SSM, ASA 5500-X IPS SSP, and ASA 5585-X IPS SSP) to operate inline even though they have only one sensing interface.
• Interface Support, page 5-7
• Hardware Bypass Mode, page 5-11
• Interface Configuration Restrictions, page 5-12
• Interface Configuration Sequence, page 5-15
IPS Interfaces
The sensor interfaces are named according to the maximum speed and physical location of the interface. The physical location consists of a port number and a slot number.
Table 5-1 lists the command and control interfaces for each sensor.
For More Information
• For more information on supported interfaces, see Interface Support, page 5-7.
• For more information on interface modes, see Configuring Promiscuous Mode, page 5-20, Configuring Inline Interface Pairs, page 5-21, Understanding Inline VLAN Pair Mode, page 5-25, Understanding VLAN Group Mode, page 5-31, Configuring Inline Bypass Mode, page 5-38.
Table 5-2 Alternate TCP Reset Interfaces (continued)
Sensor | Alternate TCP Reset Interface
ASA 5585-X IPS SSP-20 | None
ASA 5585-X IPS SSP-40 | None
ASA 5585-X IPS SSP-60 | None
IPS 4240 | Any sensing interface
IPS 4255 | Any sensing interface
IPS 4260 | Any sensing interface
IPS 4270-20 | Any sensing interface
IPS 4345 | Any sensing interface
IPS 4360 | Any sensing interface
IPS 4510 | Any sensing interface
IPS 4520 | Any sensing interface
For
Interface Support
Table 5-3 describes the interface support for appliances and modules running Cisco IPS.
Table 5-3 Interface Support (continued)
Base Chassis | Added Interface Cards | Interfaces Supporting Inline VLAN Pairs (Sensing Ports) | Combinations Supporting Inline Interface Pairs | Interfaces Not Supporting Inline (Command and Control Port)
ASA 5585-X IPS SSP-60 | — | PortChannel 0/0 by security context instead of VLAN pair or inline interface pair | PortChannel 0/0 by security context instead of VLAN pair or inline interface pair | Management 0/0
IPS 4240 | — | GigabitEthernet 0/0 GigabitEthernet
Chapter 5 Configuring Interfaces Understanding Interfaces Table 5-3 Interface Support (continued) Base Chassis Added Interface Cards IPS 4270-20 4GE-BP IPS 4270-20 IPS 4270-20 IPS 4345 Interfaces Supporting Inline VLAN Pairs (Sensing Ports) Combinations Supporting Inline Interface Pairs Interfaces Not Supporting Inline (Command and Control Port) Management 0/0 Management 0/14 Slot 1 GigabitEthernet 3/0 GigabitEthernet 3/1 GigabitEthernet 3/2 GigabitEthernet 3/3 3/0<->3/14 3/2<->3/3 Slot 2
Chapter 5 Configuring Interfaces Understanding Interfaces Table 5-3 Interface Support (continued) Base Chassis Added Interface Cards Interfaces Supporting Inline VLAN Pairs (Sensing Ports) IPS 4360 — GigabitEthernet 0/0 GigabitEthernet 0/1 Combinations Supporting Inline Interface Pairs Interfaces Not Supporting Inline (Command and Control Port) All sensing ports can be paired together Management 0/0 Management 0/15 All sensing ports can be paired together Management 0/0 Management 0/1 All s
Note The IPS 4260 supports a mixture of 4GE-BP, 2SX, and 10GE cards. The IPS 4270-20 supports a mixture of 4GE-BP, 2SX, and 10GE cards up to a total of either six cards or sixteen ports, whichever is reached first, but is limited to only two 10GE cards in the mix of cards.
Hardware Bypass Mode
In addition to Cisco IPS software bypass, the IPS 4260 and the IPS 4270-20 also support hardware bypass.
For More Information
For the procedure for configuring inline bypass mode, see Configuring Inline Bypass Mode, page 5-39.
Hardware Bypass Configuration Restrictions
To use the hardware bypass feature on the 4GE bypass interface card, you must pair interfaces to support the hardware design of the card.
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.html#wp1328869
Note A jumbo frame is an Ethernet packet that is larger than the standard maximum of 1518 bytes (including the Layer 2 header and FCS).
The following restrictions apply to configuring interfaces on the sensor:
• Physical Interfaces
– In IPS 7.1, rx/tx flow control is disabled on the IPS 4200 series sensors. This is a change from IPS 7.
– The ASA IPS modules (ASA 5500 AIP SSM, ASA 5500-X IPS SSP, and ASA 5585-X IPS SSP) do not support inline VLAN pairs.
– For the IPS 4510 and IPS 4520, the maximum number of inline VLAN pairs you can create system wide is 150. On all other platforms, the limit is 255 per interface.
• Alternate TCP Reset Interface
– You can only assign the alternate TCP reset interface to a sensing interface.
Chapter 5 Configuring Interfaces Configuring Physical Interfaces
For More Information
• For a list of supported sensor interfaces, see Interface Support, page 5-7.
• For more information on alternate TCP reset, see TCP Reset Interfaces, page 5-5.
• For more information on physical interfaces, see Configuring Physical Interfaces, page 5-15.
Interface Configuration Sequence
Follow these steps to configure interfaces on the sensor:
1.
• alt-tcp-reset-interface—Sends TCP resets out an alternate interface when this interface is used for promiscuous monitoring and the reset action is triggered by a signature firing.
Note You can only assign a sensing interface as an alternate TCP reset interface. You cannot configure the management interface as an alternate TCP reset interface.
Configuring the Physical Interface Settings
To configure the physical interface settings for promiscuous mode on the sensor, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter interface submode.
sensor# configure terminal
sensor(config)# service interface
Step 3 Display the list of available interfaces.
   duplex: full default: auto
   speed: 1000 default: auto
   alt-tcp-reset-interface
   -----------------------------------------------
      interface-name: GigabitEthernet2/0
   -----------------------------------------------
   subinterface-type
   -----------------------------------------------
      none
   -----------------------------------------------
Chapter 5 Configuring Interfaces Configuring Promiscuous Mode
• For the procedure for configuring inline VLAN pairs, see Configuring Inline VLAN Pair Mode, page 5-25.
• For the procedure for adding interfaces to virtual sensors, see Adding, Editing, and Deleting Virtual Sensors, page 6-5.
Chapter 5 Configuring Interfaces Configuring Inline Interface Mode
Configuring Promiscuous Mode
By default, all sensing interfaces are in promiscuous mode. To change an interface from inline mode to promiscuous mode, delete the inline interface that contains that interface from the interface configuration.
IPv6, Switches, and Lack of VACL Capture
VACLs on Catalyst switches do not have IPv6 support.
and payload of the packets for more sophisticated embedded attacks (Layers 3 to 7). This deeper analysis lets the system identify and stop and/or block attacks that would normally pass through a traditional firewall device. In inline interface pair mode, a packet comes in through the first interface of the pair on the sensor and out the second interface of the pair.
• no—Removes an entry or selection setting.
• admin-state {enabled | disabled}—Specifies the administrative link state of the interface, whether the interface is enabled or disabled.
Note On all backplane sensing interfaces on all modules, admin-state is set to enabled and is protected (you cannot change the setting). The admin-state has no effect (and is protected) on the command and control interface.
Step 6 Configure two interfaces into a pair. You must assign the interface to a virtual sensor and enable it before it can monitor traffic (see Step 10).
sensor(config-int-inl)# interface1 GigabitEthernet0/0
sensor(config-int-inl)# interface2 GigabitEthernet0/1
Step 7 Add a description of the interface pair.
   description:
   admin-state: enabled default: disabled
   duplex: auto
   speed: auto
   default-vlan: 0
   alt-tcp-reset-interface
   -----------------------------------------------
      none
   -----------------------------------------------
   subinterface-type
   -----------------------------------------------
      none
   -----------------------------------------------
Chapter 5 Configuring Interfaces Configuring Inline VLAN Pair Mode
Step 14 Exit interface configuration submode.
sensor(config-int)# exit
Apply Changes:?[yes]:
Step 15 Press Enter to apply the changes or enter no to discard them.
For More Information
• For the procedure for configuring inline interface mode for the ASA 5500 AIP SSM, see Sending Traffic to the ASA 5500 AIP SSM, page 18-10.
Inline VLAN pair mode is an active sensing mode where a sensing interface acts as an 802.1q trunk port, and the sensor performs VLAN bridging between pairs of VLANs on the trunk. The sensor inspects the traffic it receives on each VLAN in each pair, and can either forward the packets on the other VLAN in the pair, or drop the packet if an intrusion attempt is detected.
– half—Sets the interface to half duplex.
Note The duplex option is protected on all modules.
• no—Removes an entry or selection setting.
• speed—Specifies the speed setting of the interface:
– auto—Sets the interface to auto negotiate speed.
– 10—Sets the interface to 10 MB (for TX interfaces only).
– 100—Sets the interface to 100 MB (for TX interfaces only).
– 1000—Sets the interface to 1 GB (for Gigabit interfaces only).
   subinterface-type
   -----------------------------------------------
      none
   -----------------------------------------------
-----------------------------------------------
   name: GigabitEthernet0/1
   -----------------------------------------------
   media-type: tx
   description:
   subinterface-type
   -----------------------------------------------
      none
   -----------------------------------------------
-----------------------------------------------
   name: Management0/0
   -----------------------------------------------
   media-type: tx
   description:
   admin-state: disabled
   duplex:
Step 7 Enable the interface. You must assign the interface to a virtual sensor and enable it before it can monitor traffic.
sensor(config-int-phy)# admin-state enabled
Step 8 Add a description of this interface.
sensor(config-int-phy)# description INT1
Step 9 Configure the duplex settings. This option is not available on the ASA IPS modules (ASA 5500 AIP SSM, ASA 5500-X IPS SSP, and ASA 5585-X IPS SSP).
Chapter 5 Configuring Interfaces Configuring VLAN Group Mode
sensor(config-int)# exit
Apply Changes:?[yes]:
Step 16 Press Enter to apply the changes or enter no to discard them.
For More Information
For the procedure for assigning inline interface pairs to a virtual sensor, or deleting the inline interface pair from the virtual sensor to which it is assigned, see Adding, Editing, and Deleting Virtual Sensors, page 6-5.
Packets in the native VLAN of an 802.1q trunk do not normally have 802.1q encapsulation headers to identify the VLAN number to which the packets belong. A default VLAN variable is associated with each physical interface, and you should set this variable to the VLAN number of the native VLAN or to 0. The value 0 indicates that the native VLAN is either unknown or that you do not care whether it is specified.
The following options apply:
• admin-state {enabled | disabled}—Specifies the administrative link state of the interface, whether the interface is enabled or disabled.
Note On all backplane sensing interfaces on all modules, admin-state is set to enabled and is protected (you cannot change the setting). The admin-state has no effect (and is protected) on the command and control interface. It only affects sensing interfaces.
sensor(config)# service interface
sensor(config-int)#
Step 3 Verify whether any inline interfaces exist (the subinterface type should read "none" if no inline interfaces have been configured).
   subinterface-type
   -----------------------------------------------
      none
   -----------------------------------------------
-----------------------------------------------
   name: GigabitEthernet0/3
   -----------------------------------------------
   media-type: tx
   description:
Step 4 If there are inline interfaces that are using this physical interface, remove them.
sensor(config-int)# no inline-interfaces interface_name
Step 5 Display the list of available interfaces.
sensor(config-int)# physical-interfaces ?
GigabitEthernet0/0 GigabitEthernet0/0 physical interface.
GigabitEthernet0/1 GigabitEthernet0/1 physical interface.
GigabitEthernet0/2 GigabitEthernet0/2 physical interface.
d. Verify the settings.
Chapter 5 Configuring Interfaces Configuring Inline Bypass Mode
Step 16 Exit interface submode.
sensor(config-int-phy-vla-sub)# exit
sensor(config-int-phy-vla)# exit
sensor(config-int-phy)# exit
sensor(config-int)# exit
Apply Changes:?[yes]:
Step 17 Press Enter to apply the changes or enter no to discard them.
You can use inline bypass as a diagnostic tool and a failover protection mechanism. Normally, the sensor Analysis Engine performs packet analysis. When inline bypass is activated, the Analysis Engine is bypassed, allowing traffic to flow through the inline interfaces and inline VLAN pairs without inspection.
Chapter 5 Configuring Interfaces Configuring Interface Notifications
Step 5 Exit interface submode.
sensor(config-int)# exit
Apply Changes:?[yes]:
Step 6 Press Enter to apply the changes or enter no to discard them.
For More Information
• For detailed information on the ASA 5500 AIP SSM and bypass mode, see The Adaptive Security Appliance, ASA 5500 AIP SSM, and Bypass Mode, page 18-12.
• For more information on inline bypass mode, see Configuring Inline Bypass Mode, page 5-38.
Chapter 5 Configuring Interfaces Configuring CDP Mode
Step 6 Specify the missed percentage threshold.
sensor(config-int-int)# missed-percentage-threshold 1
Step 7 Specify the notification interval.
sensor(config-int-int)# notification-interval 60
Step 8 Verify the settings.
Chapter 5 Configuring Interfaces Displaying Interface Statistics
sensor(config)# service interface
Step 3 Enable CDP mode.
sensor(config-int)# cdp-mode forward-cdp-packets
Step 4 Verify the settings.
The following options apply:
• clear—(Optional) Clears the diagnostics.
• brief—(Optional) Displays a summary of the usability status information for each interface.
• FastEthernet—Displays statistics for FastEthernet interfaces.
• GigabitEthernet—Displays statistics for GigabitEthernet interfaces.
• Management—Displays statistics for Management interfaces.
Step 4 Display the statistics for a specific interface.
Chapter 5 Configuring Interfaces Displaying Interface Traffic History
Displaying Interface Traffic History
Use the show interfaces-history [traffic-by-hour | traffic-by-minute] command in EXEC mode to display historical interface statistics for all system interfaces. The historical information for each interface is maintained for three days with 60-second granularity.
Displaying Historical Interface Statistics
To display interface traffic history, follow these steps:
Step 1 Log in to the CLI.
Step 2 Display the interface traffic history by the hour.
Step 4 Display the interface traffic history for a specific interface.
Chapter 6 Configuring Virtual Sensors
This chapter explains the function of the Analysis Engine and how to create, edit, and delete virtual sensors. It also explains how to assign interfaces to a virtual sensor.
Chapter 6 Configuring Virtual Sensors Understanding the Analysis Engine
Understanding the Analysis Engine
The Analysis Engine performs packet analysis and alert detection. It monitors traffic that flows through specified interfaces. You create virtual sensors in the Analysis Engine. Each virtual sensor has a unique name with a list of interfaces, inline interface pairs, inline VLAN pairs, and VLAN groups associated with it.
Chapter 6 Configuring Virtual Sensors Inline TCP Session Tracking Mode
Virtualization has the following restrictions:
• You must assign both sides of asymmetric traffic to the same virtual sensor.
• Using VACL capture or SPAN (promiscuous monitoring) is inconsistent with regard to VLAN tagging, which causes problems with VLAN groups.
– When using Cisco IOS software, a VACL capture port or a SPAN target does not always receive tagged packets even if it is configured for trunking.
Chapter 6 Configuring Virtual Sensors Normalization and Inline TCP Evasion Protection Mode
The following inline TCP session tracking modes apply:
• Interface and VLAN—All packets with the same session key (AaBb) in the same VLAN (or inline VLAN pair) and on the same interface belong to the same session. Packets with the same key but on different VLANs are tracked separately.
Chapter 6 Configuring Virtual Sensors Adding, Editing, and Deleting Virtual Sensors
Note Because HTTP advanced decoding requires the Regex card and the String XL engine, it is available only to those platforms that have them. HTTP advanced decoding is supported on the IPS 4345, IPS 4360, IPS 4510, IPS 4520, ASA 5585-X IPS SSP, ASA 5525-X IPS SSP, ASA 5545-X IPS SSP, and ASA 5555-X IPS SSP.
• inline-TCP-evasion-protection-mode—Lets you choose which type of normalization you need for traffic inspection:
– asymmetric—Specifies that the sensor can only see one direction of bidirectional traffic flow. Asymmetric mode protection relaxes the evasion protection at the TCP layer.
Adding a Virtual Sensor
To add a virtual sensor, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter service analysis mode.
sensor# configure terminal
sensor(config)# service analysis-engine
sensor(config-ana)#
Step 3 Add a virtual sensor.
sensor(config-ana)# virtual-sensor vs1
sensor(config-ana-vir)#
Step 4 Add a description for this virtual sensor.
sensor(config-ana-vir)# physical-interface
sensor(config-ana-vir)# logical-interface ?
Step 13 Assign the promiscuous mode interfaces you want to add to this virtual sensor. Repeat this step for all the promiscuous interfaces that you want to assign to this virtual sensor.
For More Information
• For the procedure for creating virtual sensors on the ASA 5500 AIP SSM, see Creating Virtual Sensors for the ASA 5500 AIP SSM, page 18-4.
• For the procedure for creating virtual sensors on the ASA 5500-X IPS SSP, see Creating Virtual Sensors for the ASA 5500-X IPS SSP, page 19-3.
Editing or Deleting a Virtual Sensor
To edit or delete a virtual sensor, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter analysis engine mode.
sensor# configure terminal
sensor(config)# service analysis-engine
sensor(config-ana)#
Step 3 Edit the virtual sensor, vs1.
Step 12 Change the subinterface with the inline VLAN pairs or groups assigned to this virtual sensor. You must have already subdivided any interfaces into VLAN pairs or groups.
sensor(config-ana-vir)# physical-interface GigabitEthernet2/0 subinterface-number subinterface_number
Step 13 Verify the edited virtual sensor settings.
Chapter 6 Configuring Virtual Sensors Configuring Global Variables
-----------------------------------------------
sensor(config-ana)#
Step 16 Exit analysis engine mode.
sensor(config-ana)# exit
sensor(config)#
Apply Changes:?[yes]:
Step 17 Press Enter to apply the changes or enter no to discard them.
For More Information
• For more information on creating and configuring anomaly detection policies, see Working With Anomaly Detection Policies, page 9-9.
To create a global variable, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter service analysis mode.
sensor# configure terminal
sensor(config)# service analysis-engine
sensor(config-ana)#
Step 3 Create the variable for the maximum number of open IP logs.
Chapter 7 Configuring Event Action Rules
This chapter explains how to add event action rules policies and how to configure event action rules.
Chapter 7 Configuring Event Action Rules Understanding Security Policies
• You must preface the event variable with a dollar ($) sign to indicate that you are using a variable rather than a string.
• Connection blocks and network blocks are not supported on adaptive security appliances. Adaptive security appliances only support host blocks with additional connection information.
• You cannot delete the event action override for deny-packet-inline because it is protected.
Chapter 7 Configuring Event Action Rules Signature Event Action Processor
Signature Event Action Processor
The Signature Event Action Processor coordinates the data flow from the signature event in the Alarm Channel to processing through the Signature Event Action Override, the Signature Event Action Filter, and the Signature Event Action Handler.
Figure 7-1 Signature Event Through Signature Event Action Processor (figure; labels: signature event with configured action; event count; consumed signature event; signature event action override: add action based on RR; signature event action filter: subtract action based on signature, address, port, RR, etc.)
Chapter 7 Configuring Event Action Rules Event Actions
Event Actions
The Cisco IPS supports the following event actions. Most of the event actions belong to each signature engine unless they are not appropriate for that particular engine.
Alert and Log Actions
• produce-alert—Writes the event to the Event Store as an alert.
Note The produce-alert action is not automatic when you enable alerts for a signature. To have an alert created in the Event Store, you must select produce-alert.
• deny-attacker-victim-pair-inline (inline only)—Does not transmit this packet and future packets on the attacker/victim address pair for a specified period of time.
• deny-attacker-service-pair-inline (inline only)—Does not transmit this packet and future packets on the attacker address and victim port pair for a specified period of time.
Understanding deny-packet-inline
For signatures that have deny-packet-inline configured as an action or for an event action override that adds deny-packet-inline as an action, the following actions may be taken:
• dropped-packet
• denied-flow
• tcp-one-way-reset-sent
The deny-packet-inline action is represented as a dropped packet action in the alert.
• Configuring reset-tcp-connection alone only resets the TCP connection; the attack packet is not denied from reaching the victim.
• Configuring deny-packet-inline alone only denies the attack packet from reaching the victim. It does not trigger a TCP reset.
For More Information
• For the procedure for configuring denied attackers, see Monitoring and Clearing the Denied Attackers List, page 7-37.
Chapter 7 Configuring Event Action Rules Working With Event Action Rules Policies
Working With Event Action Rules Policies
To create, copy, display, edit, and delete event action rules policies, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Create an event action rules policy.
Chapter 7 Configuring Event Action Rules Event Action Variables
sensor#
Step 8 Reset an event action rules policy to factory settings.
sensor# configure terminal
sensor(config)# default service event-action-rules rules1
sensor(config)#
For More Information
• For the procedure for adding event action rules variables, see Event Action Variables, page 7-10.
• For the procedure for configuring event action rules overrides, see Configuring Event Action Overrides, page 7-17.
Note You must preface the event variable with a dollar ($) sign to indicate that you are using a variable rather than a string.
Some variables cannot be deleted because they are necessary to the signature system. If a variable is protected, you cannot select it to edit it. You receive an error message if you try to delete protected variables. You can edit only one variable at a time.
Use the variables variable_name address ip_address command in service event action rules submode to create an IPv4 event action variable. The IPv4 address can be one address, a range, or ranges separated by a comma. Use the variables variable_name ipv6-address ip_address command in service event action rules submode to create an IPv6 event action variable.
Chapter 7 Configuring Event Action Rules Configuring Target Value Ratings
-----------------------------------------------
   ipv6-address: ::0-FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF default: ::0 FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
-----------------------------------------------
Step 8 Delete an event action rules variable.
sensor(config-eve)# no variables variable-ipv6
Step 9 Verify the event action rules variable you deleted.
The following values are used to calculate the risk rating for a particular event:
• Signature fidelity rating (SFR)—A weight associated with how well this signature might perform in the absence of specific knowledge of the target. The signature fidelity rating is configured per signature and indicates how accurately the signature detects the event or condition it describes.
Understanding Threat Rating
Threat rating is the risk rating lowered by the event actions that have been taken. Nonlogging event actions have a threat rating adjustment. The largest threat rating adjustment from all the event actions taken is subtracted from the risk rating.
The following options apply:
• target-value—Specifies the IPv4 target value rating:
– zerovalue—No value of this target.
– low—Lower value of this target.
– medium—Normal value of this target (default).
– high—Elevated value of this target.
– mission-critical—Extreme value of this target.
• no target-value—Removes the IPv4 target value rating.
Chapter 7 Configuring Event Action Rules Configuring Event Action Overrides
   ipv6-target-value (min: 0, max: 5, current: 2)
   -----------------------------------------------
      ipv6-target-value-setting: mission-critical
      ipv6-target-address: 2001:0db8:3c4d:0015:0000:0000:abcd:ef12 default: ::0FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
   -----------------------------------------------
sensor(config-eve)#
Step 6 To edit a target value rating, change the target value rating setting of the asset.
action is added to the event. For example, if you want any event with a risk rating of 85 or more to generate an SNMP trap, you can set the risk rating range for request-snmp-trap to 85-100. If you do not want to use action overrides, you can disable the entire event action override component.
Note Connection blocks and network blocks are not supported on adaptive security appliances.
• Do not transmit packets on the specified TCP connection.
sensor(config-eve)# overrides deny-connection-inline
sensor(config-eve-ove)#
• Send TCP RST packets to terminate the connection.
sensor(config-eve)# overrides reset-tcp-connection
sensor(config-eve-ove)#
• Request a block of the connection.
sensor(config-eve)# overrides request-block-connection
sensor(config-eve-ove)#
• Request a block of the attacker host.
Chapter 7 Configuring Event Action Rules Configuring Event Action Filters
-----------------------------------------------
Step 7 Edit the risk rating of an event action override.
sensor(config-eve)# overrides deny-attacker-inline
sensor(config-eve-ove)# risk-rating 95-100
Step 8 Verify that you edited the event action override.
Understanding Event Action Filters
Note Global correlation inspection and the reputation filtering deny features do not support IPv6 addresses. For global correlation inspection, the sensor does not receive or process reputation data for IPv6 addresses. The risk rating for IPv6 addresses is not modified for global correlation inspection. Similarly, network participation does not include event data for attacks from IPv6 addresses.
Note You must preface the event variable with a dollar sign ($) to indicate that you are using a variable rather than a string. Otherwise, you receive the Bad source and destination error.
Use the filters {edit | insert | move} name1 [begin | end | inactive | before | after] command in service event action rules submode to set up event action filters.
• signature-id-range—Specifies the range set of signature ID(s) for this item (for example, 1000-2000,3000-3000).
• stop-on-match {true | false}—Specifies whether to continue evaluating filters or stop when this filter item is matched.
• subsignature-id-range—Specifies the range set of subsignature ID(s) for this item (for example, 0-2,5-5).
• user-comment—Lets you add your comments about this filter item.
f. Specify the OS relevance. The default is 0 to 100.
sensor(config-eve-fil)# os-relevance relevant
g. Specify the risk rating range. The default is 0 to 100.
sensor(config-eve-fil)# risk-rating-range 85-100
h. Specify the actions to remove.
sensor(config-eve-fil)# actions-to-remove reset-tcp-connection
i. If you are filtering a deny action, set the percentage of deny actions you want. The default is 100.
sensor(config-eve-fil)# exit
sensor(config-eve)# show settings
   filters (min: 0, max: 4096, current: 5 - 4 active, 1 inactive)
   -----------------------------------------------
      ACTIVE list-contents
      -----------------------------------------------
         NAME: name5
         -----------------------------------------------
            signature-id-range: 900-65535
            subsignature-id-range: 0-255
            attacker-a
Chapter 7 Configuring Event Action Rules Configuring OS Identifications
Step 11 Verify that the filter has been moved to the inactive list.
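The processing order described in this chapter (overrides add actions when the risk rating falls in their range, then the active filter list subtracts actions, honoring stop-on-match and skipping inactive filters) can be modelled in a few lines. The following is an added example written in Python; it is not Cisco's code, and the event, override and filter values are constructed here from the values shown in the steps above.

```python
"""Simplified model of the Signature Event Action Processor described above:
overrides add actions by risk rating range, then filters subtract actions.
Constructed example for illustration; not Cisco's implementation."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple


def parse_range_set(spec: str) -> List[Tuple[int, int]]:
    """Parse a range set in the guide's syntax, e.g. '1000-2000,3000-3000'."""
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        hi = hi or lo                      # a bare value is a single-point range
        lo_i, hi_i = int(lo), int(hi)
        if lo_i > hi_i:
            raise ValueError(f"range set {spec!r}: bad range {part!r}")
        ranges.append((lo_i, hi_i))
    return ranges


def in_range_set(value: int, spec: str) -> bool:
    """True if value falls inside any range of the range set."""
    return any(lo <= value <= hi for lo, hi in parse_range_set(spec))


@dataclass
class SignatureEvent:
    """A signature event leaving the Alarm Channel with its configured actions."""
    signature_id: int
    subsignature_id: int
    risk_rating: int                # 0-100
    actions: Set[str]
    os_relevance: str = "unknown"   # relevant | not-relevant | unknown


@dataclass
class Override:
    """Event action override: add `action` when the RR is in range."""
    action: str
    risk_rating_range: str          # e.g. "85-100"


@dataclass
class Filter:
    """Event action filter item; defaults mirror the show settings output above."""
    name: str
    signature_id_range: str = "900-65535"
    subsignature_id_range: str = "0-255"
    risk_rating_range: str = "0-100"
    os_relevance: Set[str] = field(
        default_factory=lambda: {"relevant", "not-relevant", "unknown"})
    actions_to_remove: Set[str] = field(default_factory=set)
    stop_on_match: bool = False
    active: bool = True             # inactive filters are kept but never evaluated

    def matches(self, ev: SignatureEvent) -> bool:
        return (in_range_set(ev.signature_id, self.signature_id_range)
                and in_range_set(ev.subsignature_id, self.subsignature_id_range)
                and in_range_set(ev.risk_rating, self.risk_rating_range)
                and ev.os_relevance in self.os_relevance)


def apply_overrides(ev: SignatureEvent, overrides: List[Override]) -> Set[str]:
    """Override stage: add every action whose risk rating range contains the RR."""
    added = {ov.action for ov in overrides
             if in_range_set(ev.risk_rating, ov.risk_rating_range)}
    return ev.actions | added


def apply_filters(ev: SignatureEvent, actions: Set[str],
                  filters: List[Filter]) -> Set[str]:
    """Filter stage: walk the active list in order, subtracting actions;
    stop-on-match ends evaluation at the first matching filter that sets it."""
    remaining = set(actions)
    for f in filters:
        if not f.active or not f.matches(ev):
            continue
        remaining -= f.actions_to_remove
        if f.stop_on_match:
            break
    return remaining


def process_event(ev: SignatureEvent, overrides: List[Override],
                  filters: List[Filter]) -> Set[str]:
    """Actions that reach the Signature Event Action Handler."""
    return apply_filters(ev, apply_overrides(ev, overrides), filters)


# Constructed policy using the values that appear in this chapter.
OVERRIDES = [Override("request-snmp-trap", "85-100"),
             Override("deny-attacker-inline", "95-100")]
FILTERS = [
    Filter("name1", signature_id_range="1000-2000,3000-3000",
           actions_to_remove={"deny-attacker-inline"}, stop_on_match=True),
    Filter("name5", risk_rating_range="85-100",
           actions_to_remove={"reset-tcp-connection"}),
    Filter("name2", actions_to_remove={"produce-alert"}, active=False),
]

if __name__ == "__main__":
    ev = SignatureEvent(2004, 0, 96, {"produce-alert", "reset-tcp-connection"})
    print(sorted(process_event(ev, OVERRIDES, FILTERS)))
```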
Chapter 7 Configuring Event Action Rules Configuring OS Identifications The sensor then uses the OS of the target host OS to determine the relevance of the attack to the victim by computing the attack relevance rating component of the risk rating. Based on the relevance of the attack, the sensor may alter the risk rating of the alert for the attack and/or the sensor may filter the alert for the attack.
Passive OS Fingerprinting Configuration Considerations
You do not have to configure passive OS fingerprinting for it to function. IPS provides a default vulnerable OS list for each signature and passive analysis is enabled by default. You can configure the following aspects of passive OS fingerprinting:
• Define OS maps—We recommend configuring OS maps to define the identity of the OS running on critical systems.
• configured-os-map {edit | insert | move} name1 [begin | end | inactive | before | after]—Specifies a collection of administrator-defined mappings of IP addresses to OS IDs (configured OS mappings take precedence over imported and learned OS mappings).
• ip—Specifies the host IP address (or addresses) running the specified OS. The value is an address range, or a comma-separated list of ranges, for example, 10.20.1.0-10.20.1.255,10.20.5.0-10.
Step 3 Create the OS map. Use name1, name2, and so forth to name your OS maps. Use the begin | end | inactive | before | after keywords to specify where you want to insert the OS map.
sensor(config-eve)# os-identification
sensor(config-eve-os)# configured-os-map insert name1 begin
sensor(config-eve-os-con)#
Step 4 Specify the values for this OS map:
a. Specify the host IP address.
sensor(config-eve-os-con)# ip 192.0.2.0-192.0.2.
            os: aix
      -----------------------------------------------
      -----------------------------------------------
         NAME: name1
         -----------------------------------------------
            ip: 192.0.2.0-192.0.2.
   -----------------------------------------------
   -----------------------------------------------
   passive-traffic-analysis: Enabled default: Enabled
   -----------------------------------------------
ips-ssp(config-eve-os)#
Step 16 Exit event action rules submode.
Step 3 Clear the learned OS IDs for a specific IP address on all virtual sensors.
sensor# clear os-identification learned 192.0.2.0
Step 4 Verify that the OS IDs have been cleared.
Configuring General Settings
alerts when that threshold is met. In this example, a hit is a term used to describe an event, which is basically an alert, but it is not sent out of the sensor as an alert until the threshold number of hits has been exceeded. You can choose from the following summarization options:
• fire-all—Fires an alert each time the signature is triggered.
Step 3 Enter general submode.
sensor(config)# general
Step 4 Enable or disable the meta event generator. The default is enabled.
sensor(config-eve-gen)# global-metaevent-status {enabled | disabled}
Step 5 Enable or disable the summarizer. The default is enabled.
sensor(config-eve-gen)# global-summarization-status {enabled | disabled}
Step 6 Configure the denied attackers inline event action:
a.
Configuring the Denied Attackers List
This section describes the denied attackers list and how to add, clear, and monitor the list.
For More Information
For the procedure for clearing denied attackers permanently from the denied attackers list, see Monitoring and Clearing the Denied Attackers List, page 7-37.
Monitoring and Clearing the Denied Attackers List
Use the show statistics denied-attackers command to display the list of denied attackers.
Step 8 Enter yes to clear the list.
Step 9 Verify that you have cleared the list. You can use the show statistics denied-attackers or show statistics virtual-sensor command.
sensor# show statistics denied-attackers
Denied Attackers and hit count for each.
Denied Attackers and hit count for each.
Statistics for Virtual Sensor vs0
   Denied Attackers with percent denied and hit count for each.
Monitoring Events
This section describes how to display and clear events from the Event Store, and contains the following topics:
• Displaying Events, page 7-39
• Clearing Events from Event Store, page 7-42
Displaying Events
Note The Event Store has a fixed size of 30 MB for all platforms.
Note Events are displayed as a live feed. To cancel the request, press Ctrl-C.
Note The show events command continues to display events until a specified event is available. To exit, press Ctrl-C.
Displaying Events
To display events from the Event Store, follow these steps:
Step 1 Log in to the CLI.
Step 2 Display all events starting now. The feed continues showing all events until you press Ctrl-C.
Step 5 Display alerts from the past 45 seconds.
sensor# show events alert past 00:00:45
evIdsAlert: eventId=1109695939102805307 severity=medium vendor=Cisco
  originator:
    hostId: sensor
    appName: sensorApp
    appInstanceId: 367
  time: 2011/03/02 14:15:59 2011/03/02 14:15:59 UTC
  signature: description=Nachi Worm ICMP Echo Request id=2156 version=S54
    subsigId: 0
    sigDetails: Nachi ICMP
  interfaceGroup:
  vlan: 0
  participants:
    attacker:
      addr: locality=OUT 10.
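The show events output above is an indented key/value layout rather than a machine-readable record, so anyone forwarding sensor alerts to a SIEM ends up writing a small parser for it. The following Python is an added example, not Cisco code and not part of this guide: it turns that layout into a tree and extracts the fields an analyst triages on (event ID, severity, signature and subsignature, attacker and target addresses, risk rating). The sample output embedded in it is constructed in the layout shown in Step 5; the 192.0.2.0/24 addresses, the second alert, and the riskRatingValue lines are illustrative values, not captured from a sensor.

```python
import re
from typing import Any, Dict, List, Optional

# Constructed sample in the layout of 'show events alert' output. The values are
# illustrative; the 192.0.2.0/24 addresses are documentation placeholders.
SAMPLE_OUTPUT = """\
evIdsAlert: eventId=1109695939102805307 severity=medium vendor=Cisco
  originator:
    hostId: sensor
    appName: sensorApp
    appInstanceId: 367
  time: 2011/03/02 14:15:59 2011/03/02 14:15:59 UTC
  signature: description=Nachi Worm ICMP Echo Request id=2156 version=S54
    subsigId: 0
    sigDetails: Nachi ICMP
  interfaceGroup:
  vlan: 0
  participants:
    attacker:
      addr: locality=OUT 192.0.2.10
    target:
      addr: locality=IN 192.0.2.20
  riskRatingValue: attackRelevanceRating=relevant targetValueRating=medium 80
evIdsAlert: eventId=1109695939102805308 severity=low vendor=Cisco
  originator:
    hostId: sensor
    appName: sensorApp
    appInstanceId: 367
  time: 2011/03/02 14:16:03 2011/03/02 14:16:03 UTC
  signature: description=Constructed test signature id=60000 version=custom
    subsigId: 1
  participants:
    attacker:
      addr: locality=OUT 192.0.2.11
    target:
      addr: locality=IN 192.0.2.21
  riskRatingValue: 35
"""

Node = Dict[str, Any]   # {"key": str, "text": str, "children": List[Node]}
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_show_events(text: str) -> List[Node]:
    """Turn the indented 'key: text' layout into a tree; returns the top-level nodes."""
    root: Node = {"key": "", "text": "", "children": []}
    stack: List[tuple] = [(-1, root)]          # (indent, node) path from root to the current line
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, rest = raw.strip().partition(":")
        node: Node = {"key": key, "text": rest.strip(), "children": []}
        while stack[-1][0] >= indent:           # pop back to this line's parent
            stack.pop()
        stack[-1][1]["children"].append(node)
        stack.append((indent, node))
    return root["children"]


def _child(node: Optional[Node], key: str) -> Optional[Node]:
    for c in (node["children"] if node else []):
        if c["key"] == key:
            return c
    return None


def _attr(text: str, name: str) -> Optional[str]:
    """Value of a 'name=value' attribute inside a node's text."""
    m = re.search(rf"\b{name}=(\S+)", text)
    return m.group(1) if m else None


def _addr(participants: Optional[Node], role: str) -> Optional[str]:
    addr = _child(_child(participants, role), "addr")
    m = IPV4.search(addr["text"]) if addr else None
    return m.group(1) if m else None


def summarize(alert: Node) -> Dict[str, Any]:
    """Pull the triage fields out of one evIdsAlert node."""
    sig = _child(alert, "signature")
    subsig = _child(sig, "subsigId")
    rr = _child(alert, "riskRatingValue")
    rr_match = re.search(r"(\d+)\s*$", rr["text"]) if rr else None   # rating is the trailing integer
    parts = _child(alert, "participants")
    return {
        "event_id": _attr(alert["text"], "eventId"),
        "severity": _attr(alert["text"], "severity"),
        "sig_id": int(_attr(sig["text"], "id")) if sig else None,
        "subsig_id": int(subsig["text"]) if subsig else None,
        "attacker": _addr(parts, "attacker"),
        "target": _addr(parts, "target"),
        "risk_rating": int(rr_match.group(1)) if rr_match else None,
    }


def parse_alerts(text: str) -> List[Dict[str, Any]]:
    return [summarize(n) for n in parse_show_events(text) if n["key"] == "evIdsAlert"]


def above_risk(alerts: List[Dict[str, Any]], threshold: int) -> List[str]:
    """Event IDs whose risk rating meets the threshold, the same split an event action override keys on."""
    return [a["event_id"] for a in alerts
            if a["risk_rating"] is not None and a["risk_rating"] >= threshold]


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_OUTPUT):
        print(a)
```

The parser keys only on indentation and the first colon of each line, so it tolerates fields it has never seen; the field extraction is deliberately defensive (every lookup may return None) because a truncated feed, such as the one cut off by Ctrl-C, leaves the last record incomplete.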
Clearing Events from Event Store
Use the clear events command to clear the Event Store. To clear events from the Event Store, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Clear the Event Store.
sensor# clear events
Warning: Executing this command will remove all events currently stored in the event store.
Continue with clear? []:
Step 3 Enter yes to clear the events.
CHAPTER 8 Defining Signatures
This chapter describes how to define and create signatures.
Working With Signature Definition Policies
Use the service signature-definition name command in service signature definition mode to create a signature definition policy. The values of this signature definition policy are the same as the default signature definition policy, sig0, until you edit them.
sensor#
Note You cannot delete the default signature definition policy, sig0.
Step 7 Confirm the signature definition policy has been deleted.
sensor# list signature-definition-configurations
Signature Definition    Instance Size    Virtual Sensor
sig0                    255              vs0
temp                    707              N/A
sig1                    141              vs1
sensor#
Step 8 Reset a signature definition policy to factory settings.
Understanding Signatures
The Cisco IPS contains over 10,000 built-in default signatures. You cannot rename or delete signatures from the list of built-in signatures, but you can retire signatures to remove them from the sensing engine. You can later activate retired signatures; however, this process requires the sensing engines to rebuild their configuration, which takes time and could delay the processing of traffic.
Adding, Editing, and Deleting Signature Variables
To add, edit, and delete signature variables, follow these steps:
Step 1 Log in to the CLI using an account with administrator or operator privileges.
Step 2 Enter signature definition submode.
sensor# configure terminal
sensor(config)# service signature-definition sig1
Step 3 Create a signature variable for a group of IP addresses.
sensor(config-sig)# variables IPADD ip-addr-range 10.1.1.
Configuring Signatures
This section describes how to configure signature parameters, and contains the following topics:
• Signature Definition Options, page 8-6
• Configuring Alert Frequency, page 8-7
• Configuring Alert Severity, page 8-9
• Configuring the Event Counter, page 8-10
• Configuring Signature Fidelity Rating, page 8-12
• Configuring the Status of Signatures, page 8-13
• Configuring the Vulnerable OSes for a Signature, page 8-1
• vulnerable-os—Specifies the list of OS types that are vulnerable to this attack signature.
For More Information
• For the procedure for configuring alert frequency, see Configuring Alert Frequency, page 8-7.
• For more information about signature engines, see Appendix B, “Signature Engines.”
• For the procedure for assigning actions, see Assigning Actions to Signatures, page 8-15.
• specify-global-summary-threshold {yes | no}—(Optional) Enables global summary threshold mode:
– global-summary-threshold—Specifies the threshold number of events to take an alert into global summary. The value is 1 to 65535.
Configuring Alert Frequency
To configure the alert frequency parameters of a signature, follow these steps:
Step 1 Log in to the CLI using an account with administrator or operator privileges.
Step 7 Press Enter to apply the changes or enter no to discard them.
Configuring Alert Severity
Use the alert-severity command in signature definition submode to configure the severity of a signature. The following options apply:
• sig_id—Identifies the unique numerical value assigned to this signature. This value lets the sensor identify a particular signature. The value is 1000 to 65000.
         engine
         -----------------------------------------------
            atomic-ip
            -----------------------------------------------
               event-action: produce-alert
               fragment-status: any
               specify-l4-protocol
               -----------------------------------------------
--MORE--
Step 6 Exit signatures submode.
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes:?[yes]:
Step 7 Press Enter to apply the changes or enter no to discard them.
Step 4 Enter event counter submode.
sensor(config-sig-sig)# event-counter
Step 5 Specify how many times an event must occur before an alert is generated.
sensor(config-sig-sig-eve)# event-count 2
Step 6 Specify the storage type on which you want to count events for this signature.
sensor(config-sig-sig-eve)# event-count-key AxBx
Step 7 (Optional) Enable alert interval.
Configuring Signature Fidelity Rating
Use the sig-fidelity-rating command in signature definition submode to configure the signature fidelity rating for a signature. The following option applies:
• sig-fidelity-rating—Identifies the weight associated with how well this signature might perform in the absence of specific knowledge of the target. The valid value is 0 to 100.
Configuring the Status of Signatures
Use the status command in signature definition submode to specify the status of a specific signature. The following options apply:
• status—Identifies whether the signature is enabled, disabled, or retired:
– enabled {true | false}—Enables the signature.
– retired {true | false}—Retires the signature.
– obsoletes signature_ID—Shows the other signatures that have been obsoleted by this signature.
Configuring the Vulnerable OSes for a Signature
Use the vulnerable-os command in signature definition submode to configure the list of vulnerable OSes for a signature.
         alert-traits: 0
         release: custom
         -----------------------------------------------
      vulnerable-os: aix|linux default: general-os
      *---> engine
      -----------------------------------------------
      -----------------------------------------------
      event-counter
      -----------------------------------------------
         event-count: 1
         event-count-key: Axxx
         specify-alert-interval
         -----------------------------------------------
--MORE--
Step
– reset-tcp-connection—Sends TCP resets to hijack and terminate the TCP flow.
– modify-packet-inline—Modifies packet data to remove ambiguity about what the end point might do with the packet.
• event-action-settings—Enables the external-rate-limit-type:
– none—No rate limiting configured.
– percentage—Specifies the rate limit by traffic percentage (external-rate-limit-percentage).
Step 9 Exit event action submode.
sensor(config-sig-sig-nor-eve-per)# exit
sensor(config-sig-sig-nor-eve)# exit
sensor(config-sig-sig-nor)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes:?[yes]:
Step 10 Press Enter to apply the changes or enter no to discard them.
For More Information
For a detailed description of the event actions, see Event Actions, page 7-5.
• MIME type
– Define content type
– Recognized content type
• Define web traffic policy
There is one predefined signature, 12674, that specifies the action to take when noncompliant HTTP traffic is seen. The parameter Alarm on Non HTTP Traffic enables the signature. By default this signature is enabled.
The following options apply:
• ftp-enable {true | false}—Enables protection for FTP services. Set to true to require the sensor to inspect FTP traffic. The default is false.
• http-policy—Enables inspection of HTTP traffic:
– aic-web-ports—Specifies the variable for ports to look for AIC traffic. The valid range is 0 to 65535. A comma-separated list of integer ranges a-b[,c-d] within 0-65535.
   -----------------------------------------------
   ftp-enable: true default: false
   -----------------------------------------------
sensor(config-sig-app)#
Step 6 Exit signature definition submode.
sensor(config-sig-app)# exit
sensor(config-sig)# exit
Apply Changes:?[yes]:
Step 7 Press Enter to apply the changes or enter no to discard them.
Table 8-1 Request Method Signatures (continued)
Signature ID    Define Request Method
12704           Define Request Method REVLABEL
12705           Define Request Method REVLOG
12706           Define Request Method REVADD
12707           Define Request Method REVNUM
12708           Define Request Method SETATTRIBUTE
12709           Define Request Method GETATTRIBUTENAME
12710           Define Request Method GETPROPERTIES
12711           Define Request Method STARTENV
12712           Define Request Method STOPREV
For More
Table 8-2 Define Content Type Signatures (continued)
Signature ID    Signature Description
12627 0         Content Type image/x-portable-graymap Header Check
12627 1         Content Type image/x-portable-graymap Invalid Message Length
12627 2         Content Type image/x-portable-graymap Verification Failed
12628 0         Content Type image/jpeg Header Check
12628 1         Content Type image/jpeg Invalid Message Length
12628 2         Content Type image/jpeg Verification Failed
12629 0 12629
Table 8-2 Define Content Type Signatures (continued)
Signature ID    Signature Description
12646 0         Content Type text/xml Header Check
12646 1         Content Type text/xml Invalid Message Length
12646 2         Content Type text/xml Verification Failed
12648 0         Content Type video/flc Header Check
12648 1         Content Type video/flc Invalid Message Length
12648 2         Content Type video/flc Verification Failed
12649 0 12649 1 12649 2 Content Type video/mpeg Header Check Cont
Table 8-2 Define Content Type Signatures (continued)
Signature ID    Signature Description
12664 0         Content Type application/x-gzip Header Check
12664 1         Content Type application/x-gzip Invalid Message Length
12664 2         Content Type application/x-gzip Verification Failed
12665 0         Content Type application/x-java-archive Header Check
12665 1         Content Type application/x-java-archive Invalid Message Length
12666 0 12666 1 Content Type application/x-java-vm
For More Information
For the procedure for enabling signatures, see Configuring the Status of Signatures, page 8-13.
AIC FTP Commands Signatures
Table 8-4 lists the predefined FTP commands signatures. Enable the signatures that have the predefined FTP command you need.
Table 8-4 FTP Commands Signatures (continued)
Signature ID    FTP Command
12930           Define FTP command stru
12931           Define FTP command syst
12932           Define FTP command type
12933           Define FTP command user
For More Information
For the procedure for enabling signatures, see Configuring the Status of Signatures, page 8-13.
Creating an AIC Signature
Caution A custom signature can affect the performance of your sensor.
– modify-packet-inline—Modifies packet data to remove ambiguity about what the end point might do with the packet.
• no—Removes an entry or selection setting.
• signature-type—Specifies the type of signature desired:
– content-types—Content types.
– define-web-traffic-policy—Defines web traffic policy.
– max-outstanding-requests-overrun—Inspects for a large number of outstanding HTTP requests.
– msg-body-pattern—Message body pattern.
Step 8 Press Enter to apply the changes or enter no to discard them.
Configuring IP Fragment Reassembly
This section describes IP fragment reassembly, lists the IP fragment reassembly signatures with their configurable parameters, describes how to configure these parameters, and describes how to configure the method for IP fragment reassembly.
Table 8-5 IP Fragment Reassembly Signatures (continued)
Signature ID and Name: 1204 IP Fragment Missing Initial Fragment
Description: Fires when the datagram is incomplete and missing the initial fragment.
Configuring IP Fragment Reassembly Parameters
To configure IP fragment reassembly parameters for a specific signature, follow these steps:
Step 1 Log in to the CLI using an account with administrator or operator privileges.
Step 2 Enter signature definition submode.
sensor# configure terminal
sensor(config)# service signature-definition sig1
Step 3 Specify the IP fragment reassembly signature ID and subsignature ID.
– solaris—Specifies the Solaris systems.
– linux—Specifies the GNU/Linux systems.
– bsd—Specifies the BSD UNIX systems.
Configuring the IP Fragment Reassembly Method
To configure the method for IP fragment reassembly, follow these steps:
Step 1 Log in to the CLI using an account with administrator or operator privileges.
Step 2 Enter fragment reassembly submode.
sensor from creating alerts where a valid TCP session has not been established. There are known attacks against sensors that try to get the sensor to generate alerts by simply replaying pieces of an attack. The TCP session reassembly feature helps to mitigate these types of attacks against the sensor. You configure TCP stream reassembly parameters per signature. You can configure the mode for TCP stream reassembly.
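The paragraph above describes why a promiscuous sensor wants to see a completed three-way handshake before it matches signatures against a flow: replayed fragments of an attack with no session behind them would otherwise produce alerts. The Python below is an added example, not Cisco code and not the sensor's implementation: a minimal flow tracker that models the tcp-3-way-handshake-required check. It keeps per-flow handshake state and only hands a segment's payload to inspection once the flow is established (or always, when the requirement is switched off, which is what lets a replay fire). The Segment type and the 192.0.2.0/24 addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed, simplified TCP segment; not the sensor's internal representation.
@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    payload: bytes = b""

FlowKey = Tuple[str, int, str, int]


def _flow_key(seg: Segment) -> FlowKey:
    # Direction-independent key so both halves of a conversation share one state entry.
    a = (seg.src, seg.sport)
    b = (seg.dst, seg.dport)
    return a + b if a <= b else b + a


class StreamTracker:
    """Models the tcp-3-way-handshake-required check for a promiscuous sensor."""

    def __init__(self, handshake_required: bool = True) -> None:
        self.handshake_required = handshake_required
        self._state: Dict[FlowKey, str] = {}   # "syn", "syn-ack" or "established"

    def observe(self, seg: Segment) -> bool:
        """Update flow state; return True if this segment's payload should be inspected."""
        key = _flow_key(seg)
        state = self._state.get(key)
        if seg.syn and not seg.ack:
            self._state[key] = "syn"                 # client SYN opens a new handshake
        elif seg.syn and seg.ack and state == "syn":
            self._state[key] = "syn-ack"             # server replied
        elif seg.ack and not seg.syn and state == "syn-ack":
            self._state[key] = "established"         # client's final ACK completes the handshake
        established = self._state.get(key) == "established"
        if not seg.payload:
            return False                             # nothing to match a signature against
        return established or not self.handshake_required


def run_example() -> Dict[str, bool]:
    """Constructed scenario: a replayed payload with no handshake, then a real session."""
    client, server = ("192.0.2.10", 40000), ("192.0.2.20", 80)
    strict = StreamTracker(handshake_required=True)
    lax = StreamTracker(handshake_required=False)

    replay = Segment(*client, *server, ack=True, payload=b"replayed attack payload")
    results = {
        "replay_without_handshake_strict": strict.observe(replay),   # suppressed
        "replay_without_handshake_lax": lax.observe(replay),         # would be inspected and could alert
    }
    for seg in (
        Segment(*client, *server, syn=True),
        Segment(*server, *client, syn=True, ack=True),
        Segment(*client, *server, ack=True),
    ):
        strict.observe(seg)
    data = Segment(*client, *server, ack=True, payload=b"payload inside a real session")
    results["payload_after_handshake_strict"] = strict.observe(data)   # inspected
    return results


if __name__ == "__main__":
    print(run_example())
```

A real reassembler also tracks sequence numbers, idle timeouts (the TCP Idle Timeout parameter in Table 8-6) and teardown; this model deliberately stops at the handshake gate because that is the part the paragraph is about.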
Table 8-6 TCP Stream Reassembly Signatures (continued)
Signature ID and Name: 1306 0 TCP Option Other
Description: Fires when a TCP option in the range of TCP Option Number is seen. All 1306 signatures fire an alert and do not function in promiscuous mode.
Table 8-6 TCP Stream Reassembly Signatures (continued)
Signature ID and Name: 1307 TCP Window Variation
Parameter With Default Value and Range: TCP Idle Timeout 3600
Default Actions: Deny Connection Inline, Produce Alert (footnote 15)
Description: Fires when the right edge of the recv window for TCP moves to the right (decreases).
Signature ID and Name: 1308 TTL Evasion (footnote 16)
Parameter With Default Value and Range: TCP Idle Timeout 3600
Description: Fires when the TTL seen on one direction of a session is higher than the minimum that has been observed.
Table 8-6 TCP Stream Reassembly Signatures (continued)
Signature ID and Name: 1330 3 TCP Drop - Bad Option List
Parameter With Default Value and Range: —
Default Actions: Deny Packet Inline
Description: Fires when TCP packet has a bad option list.
Signature ID and Name: 1330 4 TCP Drop - Bad Option Length
Parameter With Default Value and Range: —
Default Actions: Deny Packet Inline
Description: Fires when TCP packet has a bad option length.
Signature ID and Name: 1330 16 TCP Drop - PAWS Failed
Parameter With Default Value and Range: —
Default Actions: Deny Packet Inline
Description: Fires when TCP packet fails PAWS check.
Signature ID and Name: 1330 17 TCP Drop - Segment out of State Order
Parameter With Default Value and Range: —
Default Actions: Deny Packet Inline
Description: Fires when TCP packet is not proper for the TCP session state.
20. Modify Packet Inline raises the MSS value to TCP Min MSS. Deny Connection Inline drops the current packet and the TCP session. Deny Packet Inline drops the packet.
21. Modify Packet Inline lowers the MSS value to TCP Max MSS. Deny Connection Inline drops the current packet and the TCP session. Deny Packet Inline drops the packet.
22. Modify Packet Inline has no effect on this signature.
sensor(config-sig-sig-nor)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes:?[yes]:
Step 9 Press Enter to apply the changes or enter no to discard them.
Configuring the Mode for TCP Stream Reassembly
Note The parameters tcp-3-way-handshake-required and tcp-reassembly-mode only impact sensors inspecting traffic in promiscuous mode, not inline mode.
sensor(config-sig-str)#
Step 6 Exit signature definition submode.
sensor(config-sig-str)# exit
sensor(config-sig)# exit
Apply Changes:?[yes]:
Step 7 Press Enter to apply the changes or enter no to discard them.
For More Information
For information on asymmetric inspection options for sensors configured in inline mode, see Inline TCP Session Tracking Mode, page 6-3 and Adding, Editing, and Deleting Virtual Sensors, page 6-5.
Step 3 Specify the IP logging parameters:
a. Specify the maximum number of bytes you want logged.
sensor(config-sig-ip)# ip-log-bytes 200000
b. Specify the number of packets you want logged.
sensor(config-sig-ip)# ip-log-packets 150
c. Specify the length of time you want the sensor to log.
sensor(config-sig-ip)# ip-log-time 60
Step 4 Verify the settings.
Creating Custom Signatures
Sequence for Creating a Custom Signature
Use the following sequence when you create a custom signature:
Step 1 Select a signature engine.
Step 2 Assign the signature identifiers:
• Signature ID
• SubSignature ID
• Signature name
• Alert notes (optional)
• User comments (optional)
Step 3 Assign the engine-specific parameters.
– deny-attacker-service-pair-inline (inline only)—Does not transmit this packet and future packets on the attacker address victim port pair for a specified period of time.
– deny-attacker-victim-pair-inline (inline only)—Does not transmit this packet and future packets on the attacker/victim address pair for a specified period of time.
– deny-connection-inline (inline only)—Does not transmit this packet and future packets on the TCP flow.
Creating a String TCP Engine Signature
To create a signature based on the String TCP engine, follow these steps:
Step 1 Log in to the CLI using an account with administrator or operator privileges.
Step 2 Enter signature definition submode.
sensor# configure terminal
sensor(config)# service signature-definition sig1
Step 3 Specify a signature ID and subsignature ID for the signature. Custom signatures are in the range of 60000 to 65000.
            no
            -----------------------------------------------
         -----------------------------------------------
         regex-string: This-is-my-new-Sig-regex
         service-ports: 23
         direction: to-service default: to-service
         specify-exact-match-offset
         -----------------------------------------------
            no
            -----------------------------------------------
         specify-max-match-offset
         -----------------------------------------------
            no
            ----------------
The following options apply:
• de-obfuscate {true | false}—Applies anti-evasive deobfuscation before searching.
• default—Sets the value back to the system default setting.
• event-action—Specifies the action(s) to perform when an alert is triggered:
– deny-attacker-inline (inline only)—Does not transmit this packet and future packets from the attacker address for a specified period of time.
• swap-attacker-victim {true | false}—Specifies whether the source and destination addresses (and ports) are swapped in the alarm message. The default is false (no swapping).
Creating a Service HTTP Engine Signature
To create a custom signature based on the Service HTTP engine, follow these steps:
Step 1 Log in to the CLI using an account with administrator or operator privileges.
Step 2 Enter signature definition submode.
Step 11 Configure the Regex parameters.
sensor(config-sig-sig)# engine service-http
sensor(config-sig-sig-ser)# regex
sensor(config-sig-sig-ser-reg)# specify-uri-regex yes
sensor(config-sig-sig-ser-reg-yes)# uri-regex [Mm][Yy][Ff][Oo][Oo]
Step 12 Exit Regex submode.
sensor(config-sig-sig-ser-reg-yes)# exit
sensor(config-sig-sig-ser-reg-)# exit
Step 13 Configure the service ports using the signature variable WEBPORTS.
– is-not-component {true | false}—Specifies that the component is a NOT component.
• component-list-in-order {true | false}—Specifies whether the component list must fire in order. For example, if signature 1001 in the m2 component fires before signature 1000 in the m1 component, the Meta signature will not fire.
• all-components-required {true | false}—Specifies to use all components.
– modify-packet-inline—Modifies packet data to remove ambiguity about what the end point might do with the packet.
Note Signature 64000 subsignature 0 will fire when it sees the alerts from signature 1000 subsignature 0 and signature 1001 subsignature 0 on the same source address. The source address selection is a result of the meta key default value of Axxx.
         meta
         -----------------------------------------------
            event-action: produce-alert
            swap-attacker-victim: false
            meta-reset-interval: 60
            component-list (ordered min: 1, max: 32, current: 2 - 2 active, 0 inactive)
            -----------------------------------------------
               ACTIVE list-contents
               -----------------------------------------------
                  NAME: m1
                  -----------------------------------------------
                     component-sig-id: 1000
                     component-subsig-i
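The Meta engine options described above (component-list-in-order, all-components-required, the meta key default of Axxx and the meta-reset-interval of 60 in the settings just shown) are easiest to understand as a small state machine keyed on attacker address. The Python below is an added example, not Cisco code and not the sensor's Meta engine: it correlates component alerts per attacker address exactly as the Note describes for signature 64000 (components m1 = 1000/0 and m2 = 1001/0), enforces ordering when in_order is set, and discards a partial match once the reset interval has elapsed. Its treatment of all-components-required=false (fire on the first component seen) is an assumption for illustration, NOT components are not modelled, and the alert tuples it consumes are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed alert shape: (sig_id, subsig_id, attacker_ip, time_in_seconds).
Alert = Tuple[int, int, str, float]


@dataclass(frozen=True)
class Component:
    name: str          # m1, m2, ...
    sig_id: int        # component-sig-id
    subsig_id: int     # component-subsig-id


@dataclass
class MetaSignature:
    sig_id: int                     # e.g. 64000
    subsig_id: int                  # e.g. 0
    components: List[Component]     # component-list, in configured order
    in_order: bool = True           # component-list-in-order
    all_required: bool = True       # all-components-required (False: fire on first component; assumption)
    reset_interval: float = 60.0    # meta-reset-interval, seconds


class MetaCorrelator:
    """Tracks component alerts per attacker address (meta key Axxx) and fires the meta alert."""

    def __init__(self, meta: MetaSignature) -> None:
        self.meta = meta
        # attacker -> (time of first component seen, indexes of components seen so far)
        self._state: Dict[str, Tuple[float, List[int]]] = {}

    def _component_index(self, sig_id: int, subsig_id: int) -> Optional[int]:
        for i, c in enumerate(self.meta.components):
            if c.sig_id == sig_id and c.subsig_id == subsig_id:
                return i
        return None

    def process(self, alert: Alert) -> Optional[Alert]:
        """Feed one alert; return the meta alert if this one completes it, else None."""
        sig_id, subsig_id, attacker, ts = alert
        idx = self._component_index(sig_id, subsig_id)
        if idx is None:
            return None                          # not a component of this meta signature
        key = attacker                           # Axxx: correlate on attacker address only
        st = self._state.get(key)
        if st is not None and ts - st[0] > self.meta.reset_interval:
            del self._state[key]                 # window expired: partial match is discarded
            st = None
        seen = st[1] if st is not None else []
        if idx in seen:
            return None                          # duplicate component, already counted
        if self.meta.in_order and idx != len(seen):
            return None                          # out of order (m2 before m1) does not count
        if st is None:
            st = (ts, seen)
            self._state[key] = st
        seen.append(idx)
        complete = len(seen) == len(self.meta.components) if self.meta.all_required else True
        if not complete:
            return None
        del self._state[key]
        return (self.meta.sig_id, self.meta.subsig_id, key, ts)


def run_example() -> List[Alert]:
    """Constructed alert stream against the 64000 meta signature from the Note."""
    meta = MetaSignature(64000, 0, [Component("m1", 1000, 0), Component("m2", 1001, 0)])
    corr = MetaCorrelator(meta)
    stream: List[Alert] = [
        (1000, 0, "10.1.1.5", 0.0),     # m1 from .5
        (1001, 0, "10.1.1.6", 5.0),     # m2 from .6 before its m1: ignored (in order)
        (1001, 0, "10.1.1.5", 10.0),    # m2 from .5 completes the meta within 60 s
        (1000, 0, "10.1.1.6", 20.0),    # m1 from .6 starts a window
        (1001, 0, "10.1.1.6", 100.0),   # 80 s later: window reset, m2 alone does not count
        (2156, 0, "10.1.1.6", 101.0),   # unrelated signature
    ]
    fired: List[Alert] = []
    for a in stream:
        result = corr.process(a)
        if result is not None:
            fired.append(result)
    return fired


if __name__ == "__main__":
    print(run_example())
```

Run as a script it prints the single meta alert for 10.1.1.5; the second attacker never completes the pair because its m2 arrives either before its m1 or after the reset interval, which is the behaviour the Note and the component-list-in-order option describe.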
Example IPv6 Engine Signature
Caution A custom signature can affect the performance of your sensor. Test the custom signature against a baseline sensor performance for your network to determine the overall impact of the signature.
The following example Atomic IP Advanced custom signature prohibits Protocol ID 88 over IPv6.
Step 11 Press Enter to apply the changes or enter no to discard them.
For More Information
• For more information about the Atomic IP Advanced engine and a list of the parameters, see Atomic IP Advanced Engine, page B-15.
• For more information on the Atomic engines, see Atomic Engine, page B-14.
Example String XL TCP Engine Match Offset Signature
Caution A custom signature can affect the performance of your sensor.
Step 4 Enter signature description submode.
sensor(config-sig-sig)# sig-description
Step 5 Specify a name for the new signature. You can also specify additional comments about the signature using the sig-comment command or additional information about the signature using the sig-string-info command.
sensor(config-sig-sig-sig)# sig-name This is my new name
Step 6 Exit signature description submode.
sensor(config-sig-sig-str-no-yes)# max-match-offset 30
Step 16 Specify a minimum match offset for this signature.
sensor(config-sig-sig-str-no-yes)# exit
sensor(config-sig-sig-str-no)# specify-min-match-offset yes
sensor(config-sig-sig-str-no-yes)# min-match-offset 20
Step 17 Verify the settings.
   -----------------------------------------------
sensor(config-sig-sig-str)#
Step 18 Exit signature definition submode.
sensor(config-sig-sig-str)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes:?[yes]:
Step 19 Press Enter to apply the changes or enter no to discard them.
For More Information
For detailed information about the String XL signature engine, see String XL Engines, page B-66.
Creating a String XL TCP Engine Signature
The following example demonstrates how to create a custom String XL TCP signature that searches for a minimum match length with stingy, dot all, and UTF-8 turned on.
Step 13 Specify a minimum match length for this signature; this parameter can only be used with stingy.
sensor(config-sig-sig-str-no)# specify-min-match-length yes
sensor(config-sig-sig-str-no-yes)# min-match-length 100
sensor(config-sig-sig-str-no-yes)# exit
sensor(config-sig-sig-str-no)# stingy true
Step 14 Verify the settings.
sensor(config-sig-sig-str-no)# show settings
   no
   -----------------------------------------------
      regex-string: ht+p[\r\].
Step 18 Press Enter to apply the changes or enter no to discard them.
For More Information
For detailed information about the String XL signature engine, see String XL Engines, page B-66.
CHAPTER 9 Configuring Anomaly Detection
This chapter describes anomaly detection (AD) and its features and how to configure them.
Anomaly Detection Notes and Caveats
The following notes and caveats apply to configuring anomaly detection:
• Anomaly detection is disabled by default in IPS 7.1(2)E4 and later. You must enable it to configure or apply an anomaly detection policy. Enabling anomaly detection results in a decrease in performance.
• Anomaly detection assumes it gets traffic from both directions.
as scanners, and sends alerts for all traffic flows. Using asymmetric mode protection with anomaly detection enabled causes excessive resource usage and possible false positives for anomaly detection signatures.
Worms are automated, self-propagating intrusion agents that make copies of themselves and then facilitate their spread. Worms attack a vulnerable host, infect it, and then use it as a base to attack other vulnerable hosts.
Chapter 9 Configuring Anomaly Detection Anomaly Detection Zones Anomaly detection has the following modes: • Learning accept mode—Anomaly detection conducts an initial learning accept mode for the default period of 24 hours. We assume that during this phase no attack is being carried out. Anomaly detection creates an initial baseline, known as a knowledge base (KB), of the network traffic.
Chapter 9 Configuring Anomaly Detection Anomaly Detection Configuration Sequence The external zone is the default zone with the default Internet range of 0.0.0.0-255.255.255.255. By default, the internal and illegal zones contain no IP addresses. Packets that do not match the set of IP addresses in the internal or illegal zone are handled by the external zone. We recommend that you configure the internal zone with the IP address range of your internal network.
Chapter 9 Configuring Anomaly Detection Anomaly Detection Signatures • Configure the 18 anomaly detection worm signatures to have more event actions than just the default produce-alert. For example, configure them to have deny-attacker event actions. For More Information • For the procedures for putting anomaly detection in different modes, see Adding, Editing, and Deleting Virtual Sensors, page 6-5.
Anomaly Detection Signatures
Table 9-1 lists the anomaly detection worm signatures.
Table 9-1 Anomaly Detection Worm Signatures
Signature ID   Subsignature ID   Name                   Description
13000          0                 Internal TCP Scanner   Identified a single scanner over a TCP protocol in the internal zone.
Table 9-1 Anomaly Detection Worm Signatures (continued)
13006          0                 Illegal TCP Scanner    Identified a single scanner over a TCP protocol in the illegal zone.
13006          1                 Illegal TCP Scanner    Identified a worm attack over a TCP protocol in the illegal zone; the TCP histogram threshold was crossed and a scanner over a TCP protocol was identified.
Step 5 Exit analysis engine submode.
sensor(config-ana-vir-ano)# exit
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes:?[yes]:
Step 6 Press Enter to apply your changes or enter no to discard them.
Working With Anomaly Detection Policies
Use the service anomaly-detection name command in service anomaly detection submode to create an anomaly detection policy.
Step 5 Display a list of anomaly detection policies on the sensor.
sensor# list anomaly-detection-configurations
Anomaly Detection       Instance Size   Virtual Sensor
ad0                     255             vs0
temp                    707             N/A
MyAnomaly Detection     255             N/A
ad1                     141             vs1
sensor#
Step 6 Delete an anomaly detection policy.
Configuring Anomaly Detection Operational Settings
The following options apply:
• worm-timeout—Specifies the amount of time in seconds for the worm termination timeout. The range is 120 to 10,000,000 seconds. The default is 600 seconds.
• ignore—Specifies the IP addresses that should be ignored while anomaly detection is processing:
– enabled {true | false}—Enables/disables the list of ignored IP addresses. The default is enabled.
Step 9 Press Enter to apply your changes or enter no to discard them.
Configuring the Internal Zone
To configure the internal zone, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter anomaly detection internal zone submode.
sensor# configure terminal
sensor(config)# service anomaly-detection ad0
sensor(config-ano)# internal-zone
sensor(config-ano-int)#
Step 3 Enable the internal zone.
– scanner-threshold—Sets the scanner threshold. The default is 200.
Configuring Internal Zone TCP Protocol
To configure TCP protocol for the internal zone, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter anomaly detection internal zone submode.
yes
-----------------------------------------------
scanner-threshold: 120 default: 200
threshold-histogram (min: 0, max: 3, current: 1)
-----------------------------------------------
dest-ip-bin: low
num-source-ips: 100
-----------------------------------------------
-----------------------------------------------
enabled: true default: true
-----------------------------------------------
number: 23
enabled: true
-----------------------------------------------
sensor(config-ano-int-tcp)#
Configuring UDP Protocol for the Internal Zone
Use the udp {enabled | dst-port number | default-thresholds} command in service anomaly detection internal zone submode to enable and configure the UDP service. The following options apply:
• enabled {false | true}—Enables/disables UDP protocol.
Step 7 Add a histogram for the new scanner settings. Enter the destination IP address bin (low, medium, or high) and the number of source IP addresses you want associated with this histogram.
sensor(config-ano-int-udp-dst-yes)# threshold-histogram low num-source-ips 100
Step 8 Set the scanner threshold.
no
-----------------------------------------------
-----------------------------------------------
enabled: true
-----------------------------------------------
default-thresholds
-----------------------------------------------
scanner-threshold: 120 default: 200
threshold-histogram (min: 0, max:
Configuring the Internal Zone Other Protocols
To configure other protocols for the internal zone, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter anomaly detection internal zone submode.
sensor# configure terminal
sensor(config)# service anomaly-detection ad0
sensor(config-ano)# internal-zone
sensor(config-ano-int)#
Step 3 Enable the other protocols.
dest-ip-bin: high
num-source-ips: 75
-----------------------------------------------
-----------------------------------------------
enabled: true default: true
-----------------------------------------------
default-thresholds
-----------------------------------------------
scanner-threshold: 200
Configuring the Illegal Zone
Use the illegal-zone {enabled | ip-address-range | tcp | udp | other} command in service anomaly detection submode to enable the illegal zone, add IP addresses to the illegal zone, and specify protocols. The following options apply:
• enabled {false | true}—Enables/disables the zone.
• ip-address-range—Specifies the IP addresses of the subnets in the zone. The valid value is an address range written as first-address-last-address, optionally followed by further ranges separated by commas (...-...[,...-...]).
Configuring TCP Protocol for the Illegal Zone
Use the tcp {enabled | dst-port number | default-thresholds} command in service anomaly detection illegal zone submode to enable and configure the TCP service. The following options apply:
• enabled {false | true}—Enables/disables TCP protocol.
Step 8 Set the scanner threshold.
sensor(config-ano-ill-tcp-dst-yes)# scanner-threshold 100
Step 9 Configure the default thresholds for all other unspecified ports.
enabled: true
-----------------------------------------------
-----------------------------------------------
default-thresholds
-----------------------------------------------
scanner-threshold: 120 default: 200
threshold-histogram (min: 0, max: 3, current: 3)
-----------------------------------------------
dest-ip-bin: low
num-source-ips: 10
dest-ip-bin: medium
num-source
Step 3 Enable UDP protocol.
sensor(config-ano-ill)# udp
sensor(config-ano-ill-udp)# enabled true
Step 4 Associate a specific port with UDP protocol.
sensor(config-ano-ill-udp)# dst-port 20
sensor(config-ano-ill-udp-dst)#
Step 5 Enable the service for that port.
sensor(config-ano-ill-udp-dst)# enabled true
Step 6 Override the scanner values for that port.
no
-----------------------------------------------
-----------------------------------------------
enabled: true
-----------------------------------------------
number: 113
-----------------------------------------------
override-scanner-settings
-----------------------------------------------
no
-----------------------------------------------
Configuring Other Protocols for the Illegal Zone
Use the other {enabled | protocol number | default-thresholds} command in service anomaly detection illegal zone submode to enable and configure the other services. The following options apply:
• enabled {false | true}—Enables/disables other protocols.
Step 8 Set the scanner threshold.
sensor(config-ano-ill-oth-pro-yes)# scanner-threshold 100
Step 9 Configure the default thresholds for all other unspecified ports.
Configuring the External Zone
This section describes how to configure the external zone, and contains the following topics:
• Understanding the External Zone, page 9-29
• Configuring the External Zone, page 9-29
• Configuring TCP Protocol for the External Zone, page 9-30
• Configuring UDP Protocol for the External Zone, page 9-32
• Configuring Other Protocols for the External Zone, page 9-35
Understanding the External Zone
The
Step 6 Configure the other protocols.
For More Information
• For the procedure for configuring TCP protocol, see Configuring TCP Protocol for the External Zone, page 9-30.
• For the procedure for configuring UDP protocol, see Configuring UDP Protocol for the External Zone, page 9-32.
• For the procedure for configuring other protocols, see Configuring Other Protocols for the External Zone, page 9-35.
Step 5 Enable the service for that port.
sensor(config-ano-ext-tcp-dst)# enabled true
Step 6 Override the scanner values for that port. You can use the default scanner values, or you can override them and configure your own scanner values.
sensor(config-ano-ext-tcp-dst)# override-scanner-settings yes
sensor(config-ano-ext-tcp-dst-yes)#
Step 7 Add a histogram for the new scanner settings.
no
-----------------------------------------------
-----------------------------------------------
enabled: true
-----------------------------------------------
number: 567
-----------------------------------------------
override-scanner-settings
-----------------------------------------------
no
-----------------------------------------------
• override-scanner-settings {yes | no}—Lets you override the scanner values:
– threshold-histogram {low | medium | high} num-source-ips number—Sets values in the threshold histogram.
– scanner-threshold—Sets the scanner threshold. The default is 200.
Configuring UDP Protocol for the External Zone
To configure UDP protocol for the external zone, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
override-scanner-settings
-----------------------------------------------
yes
-----------------------------------------------
scanner-threshold: 100 default: 200
threshold-histogram (min: 0, max: 3, current: 1)
-----------------------------------------------
dest-ip-bin: low
num-source-ips: 100
-----------------------------------------------
sensor(config-ano-ext-udp)#
Configuring Other Protocols for the External Zone
Use the other {enabled | protocol number | default-thresholds} command in service anomaly detection external zone submode to enable and configure the other services. The following options apply:
• enabled {false | true}—Enables/disables other protocols.
Step 7 Add a histogram for the new scanner settings. Enter the destination IP address bin (low, medium, or high) and the number of source IP addresses you want associated with this histogram.
sensor(config-ano-ext-oth-pro-yes)# threshold-histogram high num-source-ips 75
Step 8 Set the scanner threshold.
Configuring Learning Accept Mode
This section describes KBs and histograms and how to configure learning accept mode.
Triggering the High Category Histogram Before the Single-Scanner Threshold
Based on the default histogram (nonlearned knowledge base [KB]) values, histogram-based detection can occur before single-scanner detection. Single-scanner detection is based on the scanner threshold settings. The scanner threshold setting is a single number for that port or protocol and zone.
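The zone lookup described under Anomaly Detection Zones and the distinction above between single-scanner detection and histogram detection, modeled in Python as an added example. This is not Cisco code and does not reproduce the sensor's implementation; the destination-IP bin widths (5, 20 and 100 distinct destinations) are an assumption the guide does not state, the scanner-threshold of 200 and num-source-ips values low=10, medium=3, high=1 are the defaults shown in the guide's output, and the traffic is constructed.

```python
from collections import defaultdict
from ipaddress import IPv4Address

# A histogram bin counts how many source IPs reached at least this many distinct
# destination IPs. ASSUMPTION: the page does not state the bin widths; these are
# illustrative values, not Cisco's.
DEST_IP_BINS = {"low": 5, "medium": 20, "high": 100}


def ip_in_ranges(ip, ranges):
    """True if ip falls inside any inclusive (first, last) range."""
    a = int(IPv4Address(ip))
    return any(int(IPv4Address(lo)) <= a <= int(IPv4Address(hi)) for lo, hi in ranges)


def classify_zone(dst_ip, internal, illegal):
    """Internal and illegal zones are explicit ranges; anything else is handled
    by the external zone (default range 0.0.0.0-255.255.255.255)."""
    if ip_in_ranges(dst_ip, internal):
        return "internal"
    if ip_in_ranges(dst_ip, illegal):
        return "illegal"
    return "external"


def scanner_analysis(flows, zone_cfg, internal, illegal):
    """flows: iterable of (src_ip, dst_ip, proto, dst_port) connection attempts.
    zone_cfg: {zone: {"scanner_threshold": int,
                      "histogram": {"low": n, "medium": n, "high": n}}}
    Returns {(zone, proto, port): {...}} with
      scanners          - sources whose distinct-destination count exceeds the
                          zone's single-scanner threshold
      histogram         - number of sources in each bin
      histogram_crossed - some bin reached its configured num-source-ips
      worm_attack       - both at once (the /1 subsignatures in Table 9-1)
    """
    dests = defaultdict(set)
    for src, dst, proto, port in flows:
        dests[(classify_zone(dst, internal, illegal), proto, port, src)].add(dst)
    counts = defaultdict(dict)  # (zone, proto, port) -> {src: distinct destinations}
    for (zone, proto, port, src), d in dests.items():
        counts[(zone, proto, port)][src] = len(d)

    result = {}
    for key, per_src in counts.items():
        cfg = zone_cfg[key[0]]
        scanners = sorted(s for s, n in per_src.items() if n > cfg["scanner_threshold"])
        hist = {b: sum(1 for n in per_src.values() if n >= w) for b, w in DEST_IP_BINS.items()}
        crossed = any(hist[b] >= cfg["histogram"][b] for b in DEST_IP_BINS)
        result[key] = {"scanners": scanners, "histogram": hist,
                       "histogram_crossed": crossed,
                       "worm_attack": bool(scanners) and crossed}
    return result


def demo():
    """Constructed traffic: three hosts each sweep 25 internal addresses on
    TCP/445 (the histogram fires although no single host reaches 200), and one
    host sweeps 201 addresses in the illegal zone (scanner plus histogram)."""
    internal = [("10.0.0.0", "10.255.255.255")]
    illegal = [("192.0.2.0", "192.0.2.255")]
    zone_cfg = {z: {"scanner_threshold": 200,
                    "histogram": {"low": 10, "medium": 3, "high": 1}}
                for z in ("internal", "illegal", "external")}
    flows = [(f"172.16.0.{s}", f"10.1.{s}.{d}", "tcp", 445)
             for s in range(1, 4) for d in range(1, 26)]
    flows += [("172.16.9.9", f"192.0.2.{d}", "tcp", 445) for d in range(1, 202)]
    return scanner_analysis(flows, zone_cfg, internal, illegal)


if __name__ == "__main__":
    for key, r in sorted(demo().items()):
        print(key, r)
```

In the internal zone the three sweeping hosts never cross the single-scanner threshold, yet the medium bin holds three sources, which equals its num-source-ips value, so the histogram condition is met first; this is the ordering the paragraph above describes. The illegal-zone host exceeds the threshold and also fills the high bin, which is the combination the worm-attack subsignatures describe.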
– periodic-schedule {interval} {start-time}—Starts learning accept mode at specific periodic intervals.
The first saving begins after a full interval between configuration time and start time. For example, if the time is now 16:00 and you configure a start time of 16:30 with an interval of one hour, the first KB is saved at 17:30, because there was no full one-hour interval between 16:00 and 16:30.
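The first-save rule above, as an added example in Python (not Cisco code): candidate save times are the start time plus whole intervals, and the first one lying at least a full interval after the configuration time wins. The dates are constructed; the guide's own 16:00/16:30/one-hour case is the default.

```python
from datetime import datetime, time, timedelta


def first_kb_save(now, start_time, interval_hours):
    """Return the first periodic-schedule save time after `now`.

    The guide's rule: a KB is first saved only once a full interval has
    elapsed between configuration time and the scheduled start time, so the
    candidates are start_time + k * interval (k = 0, 1, 2, ...) and the first
    candidate that is at least one full interval after `now` is used."""
    interval = timedelta(hours=interval_hours)
    candidate = datetime.combine(now.date(), start_time)
    while candidate - now < interval:
        candidate += interval
    return candidate


def schedule_example(now_hhmm="16:00", start_hhmm="16:30", interval_hours=1):
    """Convenience wrapper using clock strings on a constructed date."""
    now = datetime(2006, 3, 16, *map(int, now_hhmm.split(":")))
    start = time(*map(int, start_hhmm.split(":")))
    return first_kb_save(now, start, interval_hours).strftime("%Y-%m-%d %H:%M")


if __name__ == "__main__":
    print(schedule_example())                  # the guide's example: 17:30
    print(schedule_example("16:00", "10:00", 24))
```

Note the consequence for the default 24-hour interval: configuring at 16:00 with a 10:00 start time means the next 10:00 is only 18 hours away, so the first KB is saved at 10:00 two days later.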
start-time: 12:00:00 default: 10:00:00
interval: 24 hours default: 24
-----------------------------------------------
Step 7 Exit anomaly detection submode.
sensor(config-ano-aut)# exit
sensor(config-ano)# exit
Apply Changes:?[yes]:
Step 8 Press Enter to apply your changes or enter no to discard them.
Working With KB Files
initial                 84   14:35:38
2006-Mar-16-10_00_00    84
2006-Mar-17-10_00_00    84
2006-Mar-18-10_00_00    84
2006-Mar-19-10_00_00    84
2006-Mar-20-10_00_00    84
2006-Mar-21-10_00_00    84
2006-Mar-22-10_00_00    84
2006-Mar-23-10_00_00    84
2006-Mar-24-10_00_00    84
2006-Mar-25-10_00_00    84
2006-Mar-26-10_00_00    84
2006-Mar-27-10_00_00    84
2003-Jan-02-10_00_00    84
2003-Jan-03-10_00_00    84
2003-Jan-04-10_00_00    84
2003-Jan-05-10_00_00    84
2003-Jan-06-10_00_00    84
sensor#
2006-Mar-18-10_00_00    84   10:00:00 CDT Sat Mar 18 2006
2006-Mar-19-10_00_00    84   10:00:00 CDT Sun Mar 19 2006
2006-Mar-20-10_00_00    84   10:00:00 CDT Mon Mar 20 2006
Step 3 Load the KB file as the current KB file for a specific virtual sensor.
sensor# anomaly-detection vs0 load file 2006-Mar-16-10_00_00
sensor#
Step 4 Save the current KB file and store it as a new name.
• scp:—Source URL for the SCP network server. The syntax for this prefix is:
scp://[[username@]location][/relativeDirectory]/filename
scp://[[username@]location][//absoluteDirectory]/filename
Note You are prompted for a password. You must add the remote host to the SSH known hosts list.
• http:—Source URL for the web server.
Warning: Executing this command will delete all virtual sensor 'vs0' knowledge bases except the file loaded as current and the initial knowledge base.
Continue with erase? [yes]: yes
sensor#
Step 7 Remove all KB files except the file loaded as current and the initial KB file from all virtual sensors.
Step 3 Compare the currently loaded file (the file with the *) with the initial KB for virtual sensor vs0.
• illegal—Displays the thresholds for the illegal zone.
• internal—Displays the thresholds for the internal zone.
• protocol—(Optional) Displays the thresholds for the specified protocol. The default displays information about all protocols.
• tcp—Displays the thresholds for the TCP protocol.
• udp—Displays the thresholds for the UDP protocol.
• other—Displays the thresholds for the other protocols besides TCP or UDP.
High = 1
Other Services
Default Scanner Threshold
User Configuration = 200
Threshold Histogram - User Configuration
Low = 10
Medium = 3
High = 1
sensor#
Step 4 Display thresholds contained in the current KB illegal zone, protocol TCP, and destination port 20.
Displaying Anomaly Detection Statistics
To display anomaly detection statistics, follow these steps:
Step 1 Log in to the CLI.
Step 2 Display the anomaly detection statistics for a specific virtual sensor.
Illegal Zone
TCP Protocol
UDP Protocol
Other Protocol
sensor#
Disabling Anomaly Detection
If you have anomaly detection enabled and your sensor is configured to see only one direction of traffic, you should disable anomaly detection. Otherwise, you will receive many alerts, because anomaly detection sees asymmetric traffic as having incomplete connections, that is, as worm scanners, and fires alerts.
Chapter 10 Configuring Global Correlation
This chapter provides information for configuring global correlation.
Understanding Global Correlation
• Global correlation inspection and the reputation filtering deny features do not support IPv6 addresses. For global correlation inspection, the sensor does not receive or process reputation data for IPv6 addresses. The risk rating for IPv6 addresses is not modified for global correlation inspection. Similarly, network participation does not include event data for attacks from IPv6 addresses.
Understanding Reputation
Table 10-1 shows how we use the data.
Table 10-1 Cisco Network Participation Data Use
Participation Level   Type of Data                                                                   Purpose
Partial               Protocol attributes (TCP maximum segment size and options string, for example)   Tracks potential threats and helps us to understand threat exposure.
                      Attack type (signature fired and risk rating, for example)                       Used to understand current attacks and attack severity.
Understanding Network Participation
Figure 10-1 shows the role of the sensor and the global correlation servers.
Understanding Efficacy
• Data gathered from the sensor health metrics
The statistics for network participation show the hits and misses for alerts, the reputation actions, and the counters of packets that have been denied.
Note Network participation requires a network connection to the Internet.
Understanding Reputation and Risk Rating
Risk rating is the probability that a network event is malicious, expressed as a number. You assign a numerical quantification of the risk associated with a particular event on the network. By default, an alert with an extreme risk rating shuts down traffic.
Global Correlation Requirements
Global correlation has the following requirements:
• Valid license—You must have a valid sensor license for global correlation features to function. You can still configure and display statistics for the global correlation features, but the global correlation databases are cleared and no updates are attempted. Once you install a valid license, the global correlation features are reactivated.
• For information about configuring an HTTP proxy or DNS server to support global correlation, see Configuring the DNS and Proxy Servers for Global Correlation, page 4-10.
Understanding Global Correlation Sensor Health Metrics
For global correlation, the following metrics are added to sensor health monitoring:
• Green indicates that the last update was successful.
Understanding Global Correlation Inspection and Reputation Filtering
You can configure the sensor to use updates from the SensorBase Network to adjust the risk rating. The client determines which updates are available and applicable to the sensor by communicating with the global correlation update server and a file server, which is a two-phase process.
For More Information
• For the procedure for configuring global correlation features, see Configuring Global Correlation Inspection and Reputation Filtering, page 10-10.
• For the procedure to view sensor health metrics, see Showing Sensor Overall Health Status, page 17-20.
• For information on the CollaborationApp, see CollaborationApp, page A-28.
Step 5 Turn on reputation filtering.
sensor(config-glo)# reputation-filtering on
sensor(config-glo)#
Step 6 Test global correlation data, but do not actually deny traffic.
sensor(config-glo)# test-global-correlation on
sensor(config-glo)#
Step 7 Verify the settings.
Configuring Network Participation
Note You must accept the network participation disclaimer to turn on network participation.
Turning on Network Participation
To turn on network participation, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter global correlation submode.
sensor# configure terminal
sensor(config)# service global-correlation
sensor(config-glo)#
Step 3 Turn on network participation.
Step 7 Press Enter to apply your changes or enter no to discard them.
For More Information
For more information about participating in the SensorBase Network, see Participating in the SensorBase Network, page 10-2.
– full—All data is contributed to the SensorBase network.
Disabling Global Correlation
To disable global correlation features, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter global correlation submode.
sensor# configure terminal
sensor(config)# service global-correlation
sensor(config-glo)#
Step 3 Turn off global correlation inspection.
Displaying Global Correlation Statistics
To display and clear global correlation statistics for the sensor, follow these steps:
Step 1 Log in to the CLI.
Step 2 Display the statistics for global correlation.
Update Interval In Seconds = 300
Update Server = update-manifests.ironport.com
Update Server Address = Unknown
Current Versions:
Warnings:
Details:
Last fail log =
sensor#
Chapter 11 Configuring External Product Interfaces
This chapter explains how to configure external product interfaces.
Understanding the CSA MC
The CSA MC enforces a security policy on network hosts. It has two components:
• Agents that reside on and protect network hosts.
• Management Console (MC)—An application that manages agents. It downloads security policy updates to agents and uploads operational information from agents.
The CSA MC receives host posture information from the CSA agents it manages.
External Product Interface Issues
Note You can only enable two CSA MC interfaces.
Caution You must add the CSA MC as a trusted host so the sensor can communicate with it.
For More Information
For the procedure for adding trusted hosts, see Adding TLS Trusted Hosts, page 4-51.
Configuring the CSA MC to Support the IPS Interface
Note For more detailed information about host posture events and quarantined IP address events, refer to Using Management Center for Cisco Security Agents 5.1.
You must configure the CSA MC to send host posture events and quarantined IP address events to the sensor.
Adding External Product Interfaces and Posture ACLs
Use the cisco-security-agents-mc-settings ip-address command in service external product interfaces submode to add the CSA MC as an external product interface. The following options apply:
• enabled {yes | no}—Enables/disables the receipt of information from the CSA MC.
Adding External Product Interfaces
To add external product interfaces, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter external product interfaces submode.
sensor# configure terminal
sensor(config)# service external-product-interface
Step 3 Add the CSA MC interface.
sensor(config-ext)# cisco-security-agents-mc-settings 209.165.200.
Step 8 (Optional) Allow the host posture information to be passed from the external product to the sensor.
sensor(config-ext-cis)# host-posture-settings
sensor(config-ext-cis-hos)# enabled yes
Note If you do not enable the host posture information, the host posture information received from a CSA MC is deleted.
Step 9
Troubleshooting External Product Interfaces
username: jsmith
password:
host-posture-settings
-----------------------------------------------
enabled: yes default: yes
allow-unreachable-postures: yes default: yes
posture-acls (ordered min: 0, max: 10, current: 1 - 1 active, 0 inactive)
-----------------------------------------------
ACTIVE list-contents
-----------------------------------------------
NAME: name1
-----------------------------------------------
For More Information
• For the procedure for adding trusted hosts, see Adding TLS Trusted Hosts, page 4-51.
• For the procedure for displaying events, see Clearing Events from Event Store, page 7-42.
Chapter 12 Configuring IP Logging
This chapter describes how to configure IP logging on the sensor.
Understanding IP Logging
You can manually configure the sensor to capture all IP traffic associated with a host you specify by IP address. You can specify how long you want the IP traffic to be logged, how many packets you want logged, and how many bytes you want logged. The sensor stops logging IP traffic as soon as the first of these limits is reached. You can also have the sensor log IP packets every time a particular signature is fired.
Configuring Automatic IP Logging
To configure automatic IP logging parameters, follow these steps:
Step 1 Log in to the CLI using an account with administrator or operator privileges.
Step 2 Enter signature definition IP log configuration submode.
• numPackets—Specifies the maximum number of packets to log. The valid range is 0 to 4294967295. The default is 1000 packets.
• numBytes—Specifies the maximum number of bytes to log. The valid range is 0 to 4294967295. A value of 0 indicates unlimited bytes.
Note The minutes, numPackets, and numBytes parameters are optional; you do not have to specify all three.
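How the three limits interact (logging stops at whichever limit is reached first), as an added example in Python that is not the sensor's code. It treats numBytes 0 as unlimited, as the guide states; as an assumption of this model only, an absent minutes value and numPackets 0 are also treated as unlimited, and a packet that would push the byte total past numBytes is not logged. The packet sequence is constructed.

```python
def run_iplog(packets, minutes=None, num_packets=1000, num_bytes=0):
    """Apply the IP-log stopping rule to a packet sequence.

    packets: list of (seconds_since_log_start, length_in_bytes).
    Logging stops at the first limit reached. num_bytes=0 means unlimited
    (per the guide). ASSUMPTION of this model: minutes=None and num_packets=0
    also mean unlimited, and a packet that would exceed num_bytes is dropped
    rather than partially logged.
    Returns (logged_packets, reason), where reason names the limit that ended
    logging or is "exhausted" if the input ran out first."""
    logged, total = [], 0
    for ts, length in packets:
        if minutes is not None and ts >= minutes * 60:
            return logged, "minutes"
        if num_packets and len(logged) >= num_packets:
            return logged, "numPackets"
        if num_bytes and total + length > num_bytes:
            return logged, "numBytes"
        logged.append((ts, length))
        total += length
    return logged, "exhausted"


# Constructed sample: ten 1500-byte packets, one second apart.
SAMPLE = [(t, 1500) for t in range(10)]


def demo():
    """Each limit alone, all three together, and the defaults (1000 packets,
    unlimited bytes, no duration)."""
    return {
        "packets_only": run_iplog(SAMPLE, num_packets=5),
        "bytes_only": run_iplog(SAMPLE, num_bytes=4000),
        "minutes_only": run_iplog(SAMPLE, minutes=0.05),   # 3 seconds
        "all_three": run_iplog(SAMPLE, minutes=1, num_packets=5, num_bytes=4000),
        "defaults": run_iplog(SAMPLE),
    }


if __name__ == "__main__":
    for name, (logged, reason) in demo().items():
        print(f"{name}: {len(logged)} packets logged, stopped by {reason}")
```

With all three limits set, the 4000-byte cap ends the log after two 1500-byte packets, well before the five-packet or one-minute limits; this is why a small numBytes silently truncates the evidence you intended to collect.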
Displaying the Contents of IP Logs
Use the iplog-status [log-id log_id] [brief] [reverse] [ | {begin regular_expression | exclude regular_expression | include regular_expression}] command to display the description of the available IP log contents. When the log is created, the status reads added. If and when the first entry is inserted in the log, the status changes to started.
Step 3 Display a brief list of all IP logs.
sensor# iplog-status brief
Log ID   VS    IP Address1   Status      Event ID   Start Date
2425     vs0   192.0.2.10    started     N/A        2003/07/30
2342     vs0   192.0.2.20    completed   209348     2003/07/30
sensor#
Stopping Active IP Logs
Use the no iplog [log-id log_id | name name] command to stop logging for the logs that are in the started state and to remove logs that are in the added state.
Step 3 Stop all IP logging sessions on a virtual sensor.
sensor# no iplog name vs0
Step 4 Verify that IP logging has been stopped. When the logs are stopped, the status shows them as completed.
sensor# iplog-status
Log ID: 1
IP Address 1: 192.0.2.
Copying IP Log Files to Be Viewed
Log ID:          2342
IP Address:      192.0.2.2
Virtual Sensor:  vs0
Status:          completed
Event ID:        209348
Start Time:      2003/07/30 18:24:18 2002/07/30 12:24:18 CST
End Time:        2003/07/30 18:34:18 2002/07/30 12:34:18 CST
sensor#
Step 3 Copy the IP log to your FTP or SCP server.
sensor# copy iplog 2342 ftp://root@209.165.200.225/user/iplog1
Password: ********
Connected to 209.165.200.225 (209.165.200.225).
220 linux.machine.com FTP server (Version wu-2.6.
CH A P T E R 13 Displaying and Capturing Live Traffic on an Interface This chapter describes how to display, capture, copy, and erase packet files.
Chapter 13 Displaying and Capturing Live Traffic on an Interface Understanding Packet Display and Capture Understanding Packet Display and Capture You can display or capture live traffic from an interface and have the live traffic or a previously captured file put directly on the screen. Storage is available for one local file only, subsequent capture requests overwrites an existing file. The size of the storage file varies depending on the platform.
• file-info—Displays information about the stored packet file. File-info displays the following information:

Captured by: user:id, Cmd: cliCmd
Start: yyyy/mm/dd hh:mm:ss zone, End: yyyy/mm/dd hh:mm:ss zone or in-progress

Where user = the username of the user initiating the capture, id = the CLI ID of the user, and cliCmd = the command entered to perform the capture.
03:43:05.694283 IP (tos 0x10, ttl 64, id 55468, 10.89.147.31.22 > 10.89.147.50.41805: P [tcp sum
03:43:05.694402 IP (tos 0x10, ttl 64, id 55469, 10.89.147.31.22 > 10.89.147.50.41805: P [tcp sum
03:43:05.694521 IP (tos 0x10, ttl 64, id 55470, 10.89.147.31.22 > 10.89.147.50.
Capturing Live Traffic on an Interface

The packet capture command captures the libpcap output into a local file. Use the packet display packet-file [verbose] [expression expression] command to view the local file. Use the packet display file-info command to display information about the local file, if any. The following options apply:

• interface_name—Specifies the logical interface name.
03:03:15.218814 802.1d config TOP_CHANGE 8000.00:04:9a:66:35:01.8025 root 8000.00:04:6d:f9:e8:82 pathcost 8 age 2 max 20 hello 2 fdelay 15
03:03:15.546866 IP 64.101.182.244.1978 > 10.89.130.108.23: P 0:2(2) ack 157 win 65535
03:03:15.546923 IP 10.89.130.108.23 > 64.101.182.244.1978: P 157:159(2) ack 2 win 5840
03:03:15.736377 IP 64.101.182.244.1978 > 10.89.130.108.23: . ack 159 win 65533
03:03:17.219612 802.
Note The exact format of the source and destination URLs varies according to the file.

– ftp:—Destination URL for an FTP network server. The syntax for this prefix is:
ftp:[//[username@] location]/relativeDirectory]/filename
ftp:[//[username@]location]//absoluteDirectory]/filename
– scp:—Destination URL for the SCP network server.
CHAPTER 14

Configuring Attack Response Controller for Blocking and Rate Limiting

This chapter provides information for setting up the ARC to perform blocking and rate limiting on the sensor.
Understanding Blocking

• Do not confuse blocking with the ability of the sensor to drop packets. The sensor can drop packets when the following actions are configured for a sensor in inline mode: deny packet inline, deny connection inline, and deny attacker inline.
• The ACLs that ARC makes should never be modified by you or any other system.
is configured for VLAN A, but is blocking on a different security appliance customer context that is configured for VLAN B. Addresses that trigger blocks on VLAN A may refer to a different host on VLAN B.

There are three types of blocks:

• Host block—Blocks all traffic from a given IP address.
• How long you want the blocks to last.

Tip To check the status of the ARC, type show statistics network-access at the sensor# prompt. The output shows the devices you are managing, any active blocks and rate limits, and the status of all devices.

Note Rate limiting and blocking are not supported for IPv6 traffic.
Table 14-1 Rate Limiting Signatures (continued)

Signature ID  Signature Name          Protocol  Destination IP Address Allowed  Data
4002          UDP Flood Host          UDP       Yes                             none
6901          Net Flood ICMP Reply    ICMP      No                              echo-reply
6902          Net Flood ICMP Request  ICMP      No                              echo-request
6903          Net Flood ICMP Any      ICMP      No                              None
6910          Net Flood UDP           UDP       No                              None
6920          Net Flood TCP           TCP       No
Before you configure the ARC for blocking or rate limiting, make sure you do the following:

• Analyze your network topology to understand which devices should be blocked by which sensor, and which addresses should never be blocked.
• Gather the usernames, device passwords, enable passwords, and connection types (Telnet or SSH) needed to log in to each device.
• Know the interface names on the devices.
Note We support VACL blocking on the Supervisor Engine and ACL blocking on the MSFC.

• PIX Firewall with version 6.0 or later (shun command)
– 501
– 506E
– 515E
– 525
– 535
• ASA with version 7.0 or later (shun command)
– ASA 5510
– ASA 5520
– ASA 5540
• FWSM 1.1 or later (shun command)

You configure blocking using either ACLs, VACLs, or the shun command.
• Enabling Writing to NVRAM, page 14-15
• Logging All Blocking Events and Errors, page 14-16
• Configuring the Maximum Number of Blocking Interfaces, page 14-17
• Configuring Addresses Never to Block, page 14-19

Allowing the Sensor to Block Itself

Caution We recommend that you do not permit the sensor to block itself, because it may stop communicating with the blocking device.
Step 6 Configure the sensor not to block itself.

sensor(config-net-gen)# allow-sensor-block false

Step 7 Verify the setting.
Note While blocking is disabled, the ARC continues to receive blocks and track the time on active blocks, but will not apply new blocks or remove blocks from the managed devices. After blocking is reenabled, the blocks on the devices are updated.

To disable blocking or rate limiting, follow these steps:

Step 1 Log in to the CLI using an account with administrator privileges.
enable-acl-logging: false
allow-sensor-block: false default: false
block-enable: true default: true
block-max-entries: 100 default: 250
max-interfaces: 250
master-blocking-sensors (min: 0, max: 100, current: 0)
-----------------------------------------------
-----------------------------------------------
never-block-hosts (min: 0, max: 250, current: 1)
----------------------------------
To change the maximum number of block entries, follow these steps:

Step 1 Log in to the CLI using an account with administrator privileges.

Step 2 Enter network access submode.

sensor# configure terminal
sensor(config)# service network-access
sensor(config-net)#

Step 3 Enter general submode.

sensor(config-net)# general

Step 4 Change the maximum number of block entries.
-----------------------------------------------
never-block-hosts (min: 0, max: 250, current: 1)
-----------------------------------------------
ip-address: 192.0.2.1
-----------------------------------------------
-----------------------------------------------
never-block-networks (min: 0, max: 250, current: 1)
-----------------------------------------------
ip-address: 209.165.200.
global-overrides-status: Enabled
global-filters-status: Enabled
global-summarization-status: Enabled
global-metaevent-status: Enabled
global-deny-timeout: 3600
global-block-timeout: 60 default: 30
max-denied-attackers: 10000
-----------------------------------------------
sensor(config-rul-gen)#

Step 6 Exit event action rules submode.
master-blocking-sensors (min: 0, max: 100, current: 0)
-----------------------------------------------

Step 6 Disable ACL logging by using the false keyword.

sensor(config-net-gen)# enable-acl-logging false

Step 7 Verify that ACL logging is disabled.
Step 5 Verify that writing to NVRAM is enabled.
Step 3 Enter general submode.

sensor(config-net)# general

Step 4 Disable blocking event and error logging.

sensor(config-net-gen)# log-all-block-events-and-errors false

Step 5 Verify that logging is disabled.
The max-interfaces command configures the limit of the sum total of all interfaces and devices. In addition to configuring the limit on the sum total of interfaces and devices, there is a fixed limit on the number of blocking interfaces you can configure per device. Use the show settings command in network access mode to view the specific maximum limits per device.
Step 9 Press Enter to apply the changes or enter no to discard them.

Configuring Addresses Never to Block

Use the never-block-hosts and the never-block-networks commands in the service network access submode to configure hosts and networks that should never be blocked. The following options apply:

• ip_address—Specifies the IP address of the device that should never be blocked.
block-max-entries: 100 default: 250
max-interfaces: 250
master-blocking-sensors (min: 0, max: 100, current: 0)
-----------------------------------------------
-----------------------------------------------
never-block-hosts (min: 0, max: 250, current: 2)
-----------------------------------------------
ip-address: 192.0.2.
Step 4 Enter the username for that user profile.

sensor(config-net-use)# username username

Step 5 Specify the password for the user.

sensor(config-net-use)# password
Enter password[]: ********
Re-enter password ********

Step 6 Specify the enable password for the user.
The ARC uses ACLs on Cisco routers and switches to manage those devices. These ACLs are built as follows:

1. A permit line with the sensor IP address or, if specified, the NAT address of the sensor.

Note If you permit the sensor to be blocked, this line does not appear in the ACL.

2. Pre-Block ACL (if specified). This ACL must already exist on the device.
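As an added illustration, not the ARC's own code, the following Python models the ACL order described above together with the never-block-hosts, never-block-networks and allow-sensor-block settings from the general submode. Placing the active blocks after the Pre-Block ACL and ending with the Post-Block ACL (or a permit ip any any entry when none is configured) is this example's assumption, and all addresses are constructed.

```python
import ipaddress

# Added example, not code from the guide or from the ARC itself. It models the
# ACL order the guide describes (sensor permit line, then the Pre-Block ACL, then
# the blocks) plus the never-block lists and allow-sensor-block. Ending with the
# Post-Block ACL, or "permit ip any any" when none exists, is an assumption.


class NeverBlockPolicy:
    """The never-block lists and the allow-sensor-block flag from the general submode."""

    def __init__(self, sensor_ip, nat_address="0.0.0.0", allow_sensor_block=False,
                 never_block_hosts=(), never_block_networks=()):
        self.sensor_ip = ipaddress.ip_address(sensor_ip)
        # nat-address 0.0.0.0 (the default shown on the page) means "no NAT address",
        # so the permit line then carries the sensor's own address.
        self.permit_ip = ipaddress.ip_address(nat_address)
        if self.permit_ip == ipaddress.ip_address("0.0.0.0"):
            self.permit_ip = self.sensor_ip
        self.allow_sensor_block = allow_sensor_block
        self.hosts = {ipaddress.ip_address(h) for h in never_block_hosts}
        self.networks = [ipaddress.ip_network(n) for n in never_block_networks]

    def permits_block(self, target):
        """True if the policy lets a block for target (host address or CIDR) through."""
        net = ipaddress.ip_network(target, strict=False)
        if net.version != 4:
            return False   # the guide: blocking is not supported for IPv6 traffic
        if not self.allow_sensor_block and self.sensor_ip in net:
            return False   # allow-sensor-block false: never block the sensor itself
        if any(h in net for h in self.hosts):
            return False   # a never-block host falls inside the requested block
        return not any(net.overlaps(n) for n in self.networks)


def block_ace(target):
    """Render a host or network block as a deny entry in extended ACL syntax."""
    net = ipaddress.ip_network(target, strict=False)
    if net.prefixlen == 32:
        return f"deny ip host {net.network_address} any"
    return f"deny ip {net.network_address} {net.hostmask} any"   # wildcard mask


def build_arc_acl(policy, blocks, pre_block_acl=(), post_block_acl=()):
    """Return the ACL lines in the order the guide describes for routers/switches."""
    acl = []
    if not policy.allow_sensor_block:
        acl.append(f"permit ip host {policy.permit_ip} any")   # entry 1 on the page
    acl.extend(pre_block_acl)                                   # entry 2: Pre-Block ACL
    acl.extend(block_ace(b) for b in blocks if policy.permits_block(b))
    acl.extend(post_block_acl if post_block_acl else ["permit ip any any"])
    return acl


if __name__ == "__main__":
    # Constructed values: documentation address ranges, not a real device.
    policy = NeverBlockPolicy("192.0.2.50", never_block_hosts=["192.0.2.1"],
                              never_block_networks=["209.165.200.224/27"])
    requested = ["198.51.100.7", "192.0.2.1", "209.165.200.230",
                 "203.0.113.0/24", "192.0.2.50", "2001:db8::1"]
    for line in build_arc_acl(policy, requested,
                              pre_block_acl=["permit tcp any host 192.0.2.10 eq 22"]):
        print(line)
```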
Configuring the Sensor to Manage Cisco Routers

This section describes how to configure the sensor to manage Cisco routers. It contains the following topics:

• Routers and ACLs, page 14-23
• Configuring the Sensor to Manage Cisco Routers, page 14-23

Routers and ACLs

Note Pre-Block and Post-Block ACLs do not apply to rate limiting.
sensor(config-net)#

Step 3 Specify the IP address for the router controlled by the ARC.

sensor(config-net)# router-devices ip_address

Step 4 Enter the logical device name that you created when you configured the user profile. The ARC accepts anything you enter. It does not check to see if the user profile exists.
Step 11 Verify the settings.

sensor(config-net-rou-blo)# exit
sensor(config-net-rou)# show settings
ip-address: 192.0.2.1
-----------------------------------------------
communication: ssh-3des default: ssh-3des
nat-address: 19.89.149.219 default: 0.0.0.
You create and save Pre-Block and Post-Block VACLs in your switch configuration. These VACLs must be extended IP VACLs, either named or numbered. See your switch documentation for more information on creating VACLs. Enter the names of these VACLs that are already configured on your switch in the Pre-Block VACL and Post-Block VACL fields.
Step 5 Specify the method used to access the sensor. If unspecified, SSH 3DES is used.

sensor(config-net-cat)# communication {telnet | ssh-3des}

Note If you are using 3DES, you must use the command ssh host-key ip_address to accept the key or ARC cannot connect to the device.

Step 6 Specify the sensor NAT address.
sensor(config-net)#

Step 3 Specify the IP address for the firewall controlled by the ARC.

sensor(config-net)# firewall-devices ip_address

Step 4 Enter the user profile name that you created when you configured the user profile. ARC accepts anything you type. It does not check to see if the logical device exists.
Caution Two sensors cannot control blocking or rate limiting on the same device. If this situation is needed, configure one sensor as the master blocking sensor to manage the devices and the other sensors can forward their requests to the master blocking sensor. When you add a master blocking sensor, you reduce the number of blocking devices per sensor.
sensor(config-web)# show settings
enable-tls: true
port: 443
server-id: HTTP/1.1 compliant
sensor(config-web)#

b. On the blocking forwarding sensor, configure it to accept the X.509 certificate of the master blocking sensor.
Note If you set the value to true, you need to use the command tls trusted-host ip-address master_blocking_sensor_ip_address.

Step 12 Exit network access submode.

sensor(config-net-gen-mas)# exit
sensor(config-net-gen)# exit
sensor(config-net)# exit
sensor(config)# exit
Apply Changes:?[yes]:

Step 13 Press Enter to apply the changes or enter no to discard them.
Step 4 End the host block.

sensor# no block host 192.0.2.1
sensor#

Configuring Network Blocking

Note Connection blocks and network blocks are not supported on adaptive security appliances. Adaptive security appliances only support host blocks with additional connection information.

Use the block network ip-address/netmask [timeout minutes] command in privileged EXEC mode to block a network.
Use the block connection source-ip-address destination-ip-address [port port-number] [protocol type] [timeout minutes] command in privileged EXEC mode to block a connection between two IP addresses. Use the no form of the command to remove the connection block. You must have blocking configured before you can set up connection blocks.
IP = 10.1.1.1
NATAddr = 0.0.0.0
Communications = telnet
BlockInterface
InterfaceName = fa0/0
InterfaceDirection = in
State
BlockEnable = true
NetDevice
IP = 10.1.1.1
AclSupport = uses Named ACLs
Version = 12.2
State = Active
BlockedAddr
Host
IP = 192.168.1.
CHAPTER 15

Configuring SNMP

This chapter describes how to configure SNMP, and contains the following sections:

• SNMP Notes and Caveats, page 15-1
• Understanding SNMP, page 15-1
• Configuring SNMP, page 15-2
• Configuring SNMP Traps, page 15-4
• Supported MIBS, page 15-6

SNMP Notes and Caveats

The following notes and caveats apply to SNMP:

• To have the sensor send SNMP traps, you must also select request-snmp-trap as the event action when you configure signatures.
You can configure the sensor to send SNMP traps. SNMP traps enable an agent to notify the management station of significant events by way of an unsolicited SNMP message. Trap-directed notification has the following advantage: if a manager is responsible for a large number of devices, and each device has a large number of objects, it is impractical to poll or request information from every object on every device.
Configuring SNMP General Parameters

To configure SNMP general parameters, follow these steps:

Step 1 Log in to the CLI using an account with administrator privileges.

Step 2 Enter notification submode.

sensor# configure terminal
sensor(config)# service notification
sensor(config-not)#

Step 3 Enable SNMP so that the SNMP management workstation can issue requests to the sensor SNMP agent.
-----------------------------------------------
error-filter: error|fatal
enable-detail-traps: false
enable-notifications: false
enable-set-get: true default: false
snmp-agent-port: 161 default: 161
snmp-agent-protocol: udp default: udp
read-only-community: PUBLIC1 default: public
read-write-community: PRIVATE1 default: private
trap-community-name: public
system-l
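An added review check, not sensor code, that parses the notification submode show settings output in the form shown above and flags the SNMP settings a reviewer would question: community strings left at the well-known public/private values, enable-set-get true (the sensor accepts SNMP set requests), and enable-notifications false (no traps are sent even when request-snmp-trap is selected on signatures). The sample output is constructed from the values shown on this page.

```python
import re

# Added example, not the sensor's own code. Parses "name: value [default: default]"
# lines as printed by "show settings" in the notification submode and reviews them.

SETTING_RX = re.compile(r"^\s*([\w-]+):\s*(\S+)(?:\s+default:\s*(\S+))?\s*$")

# Constructed sample, laid out like the notification submode output on this page.
SAMPLE_NOTIFICATION_SETTINGS = """\
   error-filter: error|fatal
   enable-detail-traps: false
   enable-notifications: false
   enable-set-get: true default: false
   snmp-agent-port: 161 default: 161
   snmp-agent-protocol: udp default: udp
   read-only-community: PUBLIC1 default: public
   read-write-community: PRIVATE1 default: private
   trap-community-name: public
""".splitlines()

WELL_KNOWN_COMMUNITIES = {"public", "private"}


def parse_settings(lines):
    """Map each setting line to name -> (value, default); default is None if absent."""
    settings = {}
    for line in lines:
        m = SETTING_RX.match(line)
        if m:
            settings[m.group(1)] = (m.group(2), m.group(3))
    return settings


def review_snmp(lines):
    """Return a list of findings for the notification settings; empty means clean."""
    s = parse_settings(lines)
    findings = []
    for name in ("read-only-community", "read-write-community", "trap-community-name"):
        value = s.get(name, (None, None))[0]
        if value is not None and value.lower() in WELL_KNOWN_COMMUNITIES:
            findings.append(f"{name} uses the well-known string '{value}'")
    if s.get("enable-set-get", ("false", None))[0] == "true":
        rw = s.get("read-write-community", ("", None))[0]
        findings.append(f"enable-set-get is true: SNMP set requests are accepted "
                        f"with community '{rw}'")
    if s.get("enable-notifications", ("false", None))[0] == "false":
        findings.append("enable-notifications is false: the sensor sends no SNMP traps")
    return findings


if __name__ == "__main__":
    for finding in review_snmp(SAMPLE_NOTIFICATION_SETTINGS):
        print(finding)
```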
– trap-community-name—Specifies the community name used when sending the trap. If no community name is specified, the general trap community name is used.
– trap-port—Specifies the port number to send the SNMP trap to.

Configuring SNMP Traps

To configure SNMP traps, follow these steps:

Step 1 Log in to the CLI using an account with administrator privileges.

Step 2 Enter notification submode.
Note The community string appears in the trap and is useful if you are receiving multiple types of traps from multiple agents. For example, a router or sensor could be sending the traps, and if you put something that identifies the router or sensor specifically in your community string, you can filter the traps based on the community string.

Step 6 Verify the settings.
Note MIB II is available on the sensor, but we do not support it. We know that some elements are not correct (for example, the packet counts from the IF MIB on the sensing interfaces). While you can use elements from MIB II, we do not guarantee that they all provide correct information. We fully support the other listed MIBs and their output is correct.

Note CISCO-PROCESS-MIB is available on the sensor, but we do not support it.
CHAPTER 16

Working With Configuration Files

This chapter describes how to use commands that show, copy, and erase the configuration file.
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
network-settings
host-ip 192.0.2.0/24,192.0.2.17
telnet-option enabled
access-list 0.0.0.
Displaying the Current Submode Configuration

Use the show settings command in a submode to display the current configuration of that submode. To display the current configuration of a submode, follow these steps:

Step 1 Log in to the CLI.

Step 2 Display the current configuration of the service analysis engine submode.
ip-address-range: 0.0.0.
dest-ip-bin: high num-source-ips: 1
-----------------------------------------------
-----------------------------------------------
enabled: true
-----------------------------------------------
-----------------------------------------------
illegal-zone
-----------------------------------------------
enabled: true
ip-address-range: 0.0.0.
scanner-threshold: 100
threshold-histogram (min: 0, max: 3, current: 3)
-----------------------------------------------
dest-ip-bin: low num-source-ips: 10
dest-ip-bin: medium num-source-ips: 1
dest-ip-bin: high num-source-ips: 1
-----------------------------------------------
enabled: true
-----------------------------------------------
other
-----------------------------------------------
protocol-number (min: 0, max: 255, current: 0)
-----------------------------------------------
-----------------------------------------------
default-thresholds
-----------------------------------------------
scanner-threshold: 100
threshold-histogram (min: 0, max: 3, current: 3)
---------
global-metaevent-status: Enabled
global-deny-timeout: 3600
global-block-timeout: 30
max-denied-attackers: 10000
-----------------------------------------------
target-value (min: 0, max: 5, current: 0)
-----------------------------------------------
-----------------------------------------------
sensor(config-rul)# exit
sensor(config)# exit
sensor# exit

Step 6 Display the
enable: true
yellow-threshold: 80 percent
red-threshold: 91 percent
-----------------------------------------------
missed-packet-policy
-----------------------------------------------
enable: true
yellow-threshold: 1 percent
red-threshold: 6 percent
-----------------------------------------------
memory-usage-policy
------------------------------------
network-address: 64.0.0.
-----------------------------------------------
media-type: xl
description:
admin-state: disabled
duplex: auto
speed: auto
alt-tcp-reset-interface
-----------------------------------------------
none
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
subinterface-type
--------
individual-zone-control: false
-----------------------------------------------
zone-control (min: 0, max: 999999999, current: 14)
-----------------------------------------------
zone-name: Cid severity: debug
zone-name: AuthenticationApp severity: warning
zone-name: Cli severity: warning
zone-name: csi s
max-interfaces: 250
rate-limit-max-entries: 250
master-blocking-sensors (min: 0, max: 100, current: 0)
-----------------------------------------------
-----------------------------------------------
never-block-hosts (min: 0, max: 250, current: 0)
-----------------------------------------------
-----------------------------------------------
never-block-networks (min: 0, max: 250, current: 0)
--------
Step 14 Display the current configuration for the signature definition submode.
sensor(config)# exit
sensor#

Step 17 Display the current configuration for the web server submode.

sensor# configure terminal
sensor(config)# service web-server
sensor(config-web)# show settings
enable-tls: true
port: 443
server-id: HTTP/1.
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
exit
! ------------------------------
service interface
exit
! ------------------------------
service logger
master-control
enable-debug true
exit
exit
! ------------------------------
service network-access
general
log-all-block-events-and-errors true
--MORE--

Step 3 Press Ctrl-C to stop the output and return to the CLI prompt.
host-ip 192.0.2.0/24,192.0.2.17
engine atomic-ip

Filtering the Current Submode Configuration Output

Use the show settings | [begin | exclude | include] regular_expression command in the submode you are interested in to search or filter the output of the contents of the submode configuration. The following options apply:

• |—The pipe symbol indicates that an output processing specification follows.
sensor(config-net)# show settings | exclude false
general
-----------------------------------------------
log-all-block-events-and-errors: true default: true
block-enable: true default: true
block-max-entries: 11 default: 250
max-interfaces: 13 default: 250
master-blocking-sensors (min: 0, max: 100, current: 1)
-----------------------------------------------
ipaddress: 192.0.2.
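As an added example, not the sensor's own implementation, the following Python reproduces the begin, include and exclude filter semantics described for show settings, applied to constructed output laid out like the exclude false listing above; it also splits the filter part off a command line such as show settings | exclude false.

```python
import re

# Added example, not sensor code: Cisco-style output filters over "show settings"
# text. Semantics implemented here:
#   begin   - output from the first line matching the regex to the end
#   include - only the lines matching the regex
#   exclude - only the lines that do not match the regex


def filter_output(lines, mode, pattern):
    """Apply one of the begin/include/exclude filters to a list of output lines."""
    rx = re.compile(pattern)
    if mode == "begin":
        for i, line in enumerate(lines):
            if rx.search(line):
                return list(lines[i:])
        return []                      # nothing matched: begin prints nothing
    if mode == "include":
        return [l for l in lines if rx.search(l)]
    if mode == "exclude":
        return [l for l in lines if not rx.search(l)]
    raise ValueError(f"unknown filter mode: {mode}")


def apply_filter_command(command, output_lines):
    """Run the filter part of 'show settings | mode regex' over captured output.
    A command with no pipe returns the output unchanged."""
    _, pipe, tail = command.partition("|")
    if not pipe:
        return list(output_lines)
    mode, _, pattern = tail.strip().partition(" ")
    return filter_output(output_lines, mode, pattern)


# Constructed sample of the network access submode settings, in the layout
# this chapter shows (values are illustrative, not from a real sensor).
SAMPLE_SETTINGS = """\
general
-----------------------------------------------
   log-all-block-events-and-errors: true default: true
   enable-acl-logging: false default: false
   allow-sensor-block: false default: false
   block-enable: true default: true
   block-max-entries: 11 default: 250
   max-interfaces: 13 default: 250
   master-blocking-sensors (min: 0, max: 100, current: 1)
   -----------------------------------------------
      ipaddress: 192.0.2.100
   never-block-hosts (min: 0, max: 250, current: 1)
   -----------------------------------------------
      ip-address: 192.0.2.1
""".splitlines()


if __name__ == "__main__":
    # Same effect as "show settings | exclude false" typed in the submode.
    for line in apply_filter_command("show settings | exclude false", SAMPLE_SETTINGS):
        print(line)
```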
Displaying the Logical File Contents

To display the contents of a logical file, follow these steps:

Step 1 Log in to the CLI using an account with administrator privileges.

Step 2 Display the contents of the current configuration file.

sensor# more current-config
Generating current config:

The current configuration is displayed.
service external-product-interface
exit
! ------------------------------
service health-monitor
exit
! ------------------------------
service global-correlation
exit
! ------------------------------
service analysis-engine
exit
sensor#

For More Information

For the procedure for using the terminal command, see Modifying Terminal Properties, page 17-23.
Note
• If you use FTP or SCP protocol, you are prompted for a password.
• If you use SCP protocol, you must also add the remote host to the SSH known hosts list.

• http:—Source URL for the web server. The syntax for this prefix is:
http://[[username@]location]/directory]/filename
• https:—Source URL for the web server.
Step 4 Enter no to retain the currently configured hostname, IP address, subnet mask, management interface, and access list. We recommend you retain this information to preserve access to your sensor after the rest of the configuration has been restored.

For More Information

• For the procedure for adding the remote host to the SSH known host list, see Adding Hosts to the SSH Known Hosts List, page 4-45.
Erasing the Configuration File

To erase the current configuration and return all settings back to the default, follow these steps:

Step 1 Log in to the CLI using an account with administrator privileges.

sensor# erase current-config
Warning: Removing the current-config file will result in all configuration being reset to default, including system information such as IP address. User accounts will not be erased.
CHAPTER 17

Administrative Tasks for the Sensor

This chapter contains procedures that will help you with the administrative aspects of your sensor.
Administrative Notes and Caveats

The following notes and caveats apply to administrative tasks for the sensor:

• Administrators may need to disable the password recovery feature for security reasons.
• If you try to recover the password on a sensor on which password recovery is disabled, the process proceeds with no errors or warnings; however, the password is not reset.
Recovering the Password

Password recovery implementations vary according to IPS platform requirements. Password recovery is implemented only for the cisco administrative account and is enabled by default. The IPS administrator can then recover user passwords for other accounts using the CLI. The cisco user password reverts to cisco and must be changed after the next login. Table 17-1 lists the password recovery methods according to platform.
Step 3 Choose 2: Cisco IPS Clear Password (cisco). The password is reset to cisco. Log in to the CLI with username cisco and password cisco. You can then change the password.

Using ROMMON

For the IPS 4240, IPS 4255, IPS 4345, IPS 4360, IPS 4510, and IPS 4520, you can use the ROMMON to recover the password. To access the ROMMON CLI, reboot the sensor from a terminal server or direct connection and interrupt the boot process.
Recovering the Password for the ASA 5500 AIP SSM

Note To reset the password, you must have ASA 7.2.2 or later.

You can reset the password to the default (cisco) for the ASA 5500 AIP SSM using the CLI or the ASDM. Resetting the password causes the ASA 5500 AIP SSM to reboot. IPS services are not available during a reboot. Use the hw-module module slot_number password-reset command to reset the password to the default cisco.
--- ------------------------------ ---------------- -------------------------
1   IPS                            Up               7.0(7)E4

Mod  Status              Data Plane Status      Compatibility
---  ------------------  ---------------------  ------------
1    Up                  Up

Step 5 Session to the ASA 5500 AIP SSM.

asa# session 1
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL-^X'.
Step 2 In the IPS Password Reset confirmation dialog box, click OK to reset the password to the default (cisco). A dialog box displays the success or failure of the password reset. If the reset fails, make sure you have the correct ASA and IPS software versions.

Step 3 Click Close to close the dialog box. The sensor reboots.
Connected to module ips. Escape character sequence is 'CTRL-^X'.
Step 5 Enter the default username (cisco) and password (cisco) at the login prompt.
login: cisco
Password: cisco
You are required to change your password immediately (password aged)
Changing password for cisco.
(current) password: cisco
Step 6 Enter your new password twice.
Recovering the Password for the ASA 5585-X IPS SSP
Note To reset the password, you must have ASA 8.2(4.4) or later or ASA 8.4.2 or later. The ASA 5585-X IPS SSP is not supported in ASA 8.3(x).
You can reset the password to the default (cisco) for the ASA 5585-X IPS SSP using the CLI or the ASDM. Resetting the password causes the module to reboot. IPS services are not available during a reboot.
Step 6 Enter your new password twice.
New password: new password
Retype new password: new password
***NOTICE***
This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption.
Password recovery is enabled by default. You can disable password recovery through the CLI, IDM, or IME.

Disabling Password Recovery Using the CLI
To disable password recovery in the CLI, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter global configuration mode.
sensor# configure terminal
Step 3 Enter host mode.
Troubleshooting Password Recovery
When you troubleshoot password recovery, pay attention to the following:
• You cannot determine whether password recovery has been disabled in the sensor configuration from the ROMMON prompt, GRUB menu, switch CLI, or router CLI. If you attempt password recovery, it always appears to succeed. If it has been disabled, the password is not reset to cisco. The only option is to reimage the sensor.
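The following is an added example, not a procedure from the Cisco guide, showing the host-submode session that turns password recovery off and then confirms the setting from the CLI, which is the only place it can be confirmed (ROMMON, GRUB, and the switch or router CLI give no indication, as the troubleshooting note above says). The password-recovery disallowed keyword, the config-hos prompt, and the show settings filter string are assumptions from memory of the IPS host submode and are not taken from this page; lines beginning with "!" are annotations, not commands.

```text
sensor# configure terminal
sensor(config)# service host
! Assumed keyword: refuse the cisco-account reset offered by ROMMON, GRUB and the ASA CLI.
sensor(config-hos)# password-recovery disallowed true
! Confirm the stored value before leaving the submode (assumed filter; the line
! shown by show settings for this setting is not on this page).
sensor(config-hos)# show settings | include password-recovery
sensor(config-hos)# exit
Apply Changes:?[yes]: yes
sensor(config)# exit
```

Once this is applied, a lost administrator password means reimaging the sensor, so keep the admin credentials for the sensor in an escrowed password store before disabling recovery, and treat an unexpected "recovery succeeded" from ROMMON on such a sensor as a sign that someone with console access attempted it.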
Step 4 Clear the packet nodes.
sensor# clear database nodes
Warning: Executing this command will delete database on all virtual sensors
Continue? [yes]:
Step 5 Enter yes to clear the packet nodes database.
Step 6 Clear the alerts database on a specific virtual sensor.
Displaying the Inspection Load of the Sensor
sensor 15:36:42 UTC Mon Jan 30 2012
sensor 08:18:13 PM Friday Jan 15 2011 UTC
Inspection Load Percentage = 65
[Inspection load history graph: vertical axis 0 to 100 percent in steps of 10, horizontal axis in 5-unit ticks; drawn with * and # columns in the original output and not reproduced here]
Note The event retrieval metric keeps track of when the last event was retrieved by an external monitoring application such as the IME. Disable the event retrieval policy if you are not doing external event monitoring.
• global-correlation-policy {enable | disable} {true | false}—Lets you apply this metric to the overall sensor health rating.
Table 17-2 lists the yellow-threshold health values.
Table 17-2 ASA 5500-X IPS SSP Memory Usage Values
Platform            Yellow  Red   Memory Used
ASA 5512-X IPS SSP  85%     91%   28%
ASA 5515-X IPS SSP  88%     92%   14%
ASA 5525-X IPS SSP  88%     92%   14%
ASA 5545-X IPS SSP  93%     96%   13%
ASA 5555-X IPS SSP  95%     98%   17%
Configuring Health Statistics
To configure the health statistics for the sensor, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter service health monitor submode.
sensor# configure terminal
sensor(config)# service health-monitor
sensor(config-hea)#
Step 3 Enable the metrics for application failure status.
sensor(config-hea-int)# enable true
sensor(config-hea-int)# status yellow
sensor(config-hea-int)# exit
sensor(config-hea)#
Step 11 Set the number of days until the license expires.
Showing Sensor Overall Health Status
----------------------------------------------
interface-down-policy
----------------------------------------------
enable: true default: true
status: yellow default: red
----------------------------------------------
inspection-load-policy
----------------------------------------------
enable: true default: true
yellow-threshold: 50 percent default: 80
red-threshold: 100 percent default: 91
----------------------------------
Note The ASA 5500-X IPS SSP and the ASA 5585-X IPS SSP do not support bypass mode. The adaptive security appliance will either fail open, fail close, or fail over depending on the configuration of the adaptive security appliance and the type of activity being done on the IPS.
Use the show health command in privileged EXEC mode to display the overall health status information of the sensor.
Note To use a ? or a carriage return in the message, press Ctrl-V-? or Ctrl-V-Enter. They are represented by ^M.
Example
This message will be displayed on login.
Thank you
login: cisco
Password:****
Step 5 Remove the banner login. The banner no longer appears at login.
sensor(config)# no banner login

Terminating CLI Sessions
Caution You can only clear CLI login sessions with the clear line command.
Step 3 Terminate the CLI session of jsmith.
sensor# clear line cli_id message
Message[]:
Example
sensor# clear line 15689 message
Message{}: Sorry! I need to terminate your session.
sensor#
The user jsmith receives the following message from the administrator jtaylor.
sensor#
***
*** Termination request from jtaylor
*** Sorry! I need to terminate your session.
Configuring Events
This section describes how to display and clear events from the Event Store, and contains the following topics:
• Displaying Events, page 17-24
• Clearing Events from the Event Store, page 17-27

Displaying Events
Note The Event Store has a fixed size of 30 MB for all platforms.
Note Events are displayed as a live feed. To cancel the request, press Ctrl-C.
Note The show events command continues to display events until a specified event is available. To exit, press Ctrl-C.
To display events from the Event Store, follow these steps:
Step 1 Log in to the CLI.
Step 2 Display all events starting now. The feed continues showing all events until you press Ctrl-C.
Step 5 Display alerts from the past 45 seconds.
Clearing Events from the Event Store
Use the clear events command to clear the Event Store. To clear events from the Event Store, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Clear the Event Store.
sensor# clear events
Warning: Executing this command will remove all events currently stored in the event store.
Continue with clear? []:
Step 3 Enter yes to clear the events.
Configuring the System Clock
Step 3 Display the system clock with details. The following example indicates that the sensor is getting its time from NTP and that NTP is configured and synchronized.
sensor# show clock detail
20:09:43 UTC Thu Apr 03 2011
Time source is NTP
Summer time starts 03:00:00 UTC Sun Mar 09 2011
Summer time stops 01:00:00 UTC Sun Nov 02 2011
Step 4 Display the system clock with details.
Clearing the Denied Attackers List
If your sensor is configured to operate in inline mode, the traffic is passing through the sensor. You can configure signatures to deny packets, connections, and attackers while in inline mode, which means that single packets, connections, and specific attackers are denied, that is, not transmitted, when the sensor encounters them. When the signature fires, the attacker is denied and placed in a list.
Statistics for Virtual Sensor vs1
Denied Attackers with percent denied and hit count for each.
Denied Attackers with percent denied and hit count for each.
Displaying Policy Lists
To display a list of policies on the sensor, follow these steps:
Step 1 Log in to the CLI.
Step 2 Display the list of policies for anomaly detection.
sensor# list anomaly-detection-configurations
Anomaly Detection  Size  Virtual Sensor
ad0                255   vs0
temp               707   N/A
MyAD               255   N/A
ad1                141   vs1
sensor#
Step 3 Display the list of policies for event action rules.
Displaying Statistics
Note The Ethernet controller statistics are polled at an interval of 5 seconds from the hardware side. The keepalives are sent or updated at an interval of 10 ms. Because of this, there may be a disparity in the actual count reflected in the total packets transmitted. At times, it is even possible that the total packets transmitted may be less than the keepalive packets transmitted.
[Per-engine signature statistics table; the engine column lists ServiceDnsUdp, ServiceGeneric, ServiceHttp, ServiceNtp, ServiceP2PTCP, ServiceRpcUDP, ServiceRpcTCP, ServiceSMBAdvanced, ServiceSnmp, ServiceTNS, String, SweepUDP, SweepTCP, SweepOtherTcp, TrojanBO2K, TrojanUdp, and the numeric columns were spilled out of alignment in extraction and are not reproduced here]
GlobalCorrelati
SimulatedLateStageDenyDueToOther = 0
AlertHistogram
RiskHistogramEarlyStage
RiskHistogramLateStage
ConfigAggressiveMode = 0
ConfigAuditMode = 0
RegexAccelerationStats
Status = Enabled
DriverVersion = 6.2.
Illegal Zone
TCP Protocol
UDP Protocol
Other Protocol
sensor#
Step 4 Display the statistics for authentication.
sensor# show statistics authentication
General
totalAuthenticationAttempts = 128
failedAuthenticationAttempts = 0
sensor#
Step 5 Display the statistics for the denied attackers in the system.
sensor# show statistics denied-attackers
Denied Attackers and hit count for each.
Denied Attackers and hit count for each.
Cumulative number of each type
Status events = 4257
Shun request events = 0
Error events, warning = 669
Error events, error = 8
Error events, fatal = 0
Alert events, informational
Alert events, low = 0
Alert events, medium = 0
Alert events, high = 0
Alert events, threat rating
[further "Alert events, threat rating" band lines; their ranges and values were cut off in extraction]
Memory Usage
usedBytes = 1889357824
freeBytes = 2210988032
totalBytes = 4100345856
CPU Statistics
Note: CPU Usage statistics are not a good indication of the sensor processin load. The Inspection Load Percentage in the output of 'show inspection-load' should be used instead.
NetDevice
Type = PIX
IP = 192.0.2.5
NATAddr = 0.0.0.0
Communications = telnet
NetDevice
Type = Cisco
IP = 192.0.2.6
NATAddr = 0.0.0.0
Communications = telnet
BlockInterface
InterfaceName = ethernet0/1
InterfaceDirection = out
InterfacePostBlock = Post_Acl_Test
BlockInterface
InterfaceName = ethernet0/1
InterfaceDirection = in
InterfacePreBlock = Pre_Acl_Test
InterfacePostBlock = Post_Acl_Test
NetDevice
Type = CAT6000_VACL
IP = 192.0.2.
ActualIp =
BlockMinutes =
Host
IP = 203.0.113.2
Vlan =
ActualIp =
BlockMinutes =
Host
IP = 203.0.113.4
Vlan =
ActualIp =
BlockMinutes = 60
MinutesRemaining = 24
Network
IP = 203.0.113.9
Mask = 255.255.0.0
BlockMinutes =
sensor#
Step 12 Display the statistics for the notification application.
Statistics for Virtual Sensor vs0
Name of current Signature-Defintion instance = sig0
Name of current Event-Action-Rules instance = rules0
List of interfaces monitored by this virtual sensor =
General Statistics for this Virtual Sensor
Number of seconds since a reset of the statistics = 1151770
MemoryAlloPercent = 23
MemoryUsedPercent = 22
MemoryMaxCapacity = 3500000
MemoryMaxHighUsed = 4193330
MemoryCurrentAllo = 805452
MemoryCurrentUs
Total nodes inserted = 0
TCP nodes keyed on both IP addresses and both ports = 0
UDP nodes keyed on both IP addresses and both ports = 0
IP nodes keyed on both IP addresses = 0
The rate of nodes per second for each time since reset
Nodes per second = 0
TCP nodes keyed on both IP addresses and both ports per second = 0
UDP nodes keyed on both IP addresses and both ports per second = 0
IP nodes keyed on both IP addresses per second = 0
The
Number of FireOnce First Alerts = 0
Number of FireOnce Intermediate Alerts = 0
Number of Summary First Alerts = 0
Number of Summary Intermediate Alerts = 0
Number of Regular Summary Final Alerts = 0
Number of Global Summary Final Alerts = 0
Number of Active SigEventDataNodes = 0
Number of Alerts Output for further processing = 0
--MORE--
Step 17 Display the statistics for the web server.
The number of syslog messages received = 0
The number of events written to the event store by severity
Fatal Severity = 0
Error Severity = 0
Warning Severity = 0
TOTAL = 0
The number of log messages written to the message log by severity
Fatal Severity = 0
Error Severity = 0
Warning Severity = 0
Timing Severity = 0
Debug Severity = 0
Unknown Severity = 0
TOTAL = 0
sensor#

Displaying Tech Support Information
Note
To display tech support information, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 View the output on the screen. The system information appears on the screen, one page at a time.
Displaying Version Information
Platform: ASA5585-SSP-IPS10
Serial Number: 123456789AB
No license present
Sensor up-time is 13 days.
Using 4395M out of 5839M bytes of available memory (75% usage)
system is using 26.2M out of 160.0M bytes of available disk space (16% usage)
application-data is using 69.7M out of 171.6M bytes of available disk space (43% usage)
boot is using 57.3M out of 70.
host-ip 192.168.1.2/24, 192.168.1.1
host-name sensor
telnet-option enabled
access-list 0.0.0.
Diagnosing Network Connectivity
Step 1 Log in to the CLI.
Step 2 Ping the address you are interested in. The count is the number of echo requests to send. If you do not specify a number, 4 requests are sent. The range is 1 to 10,000.
sensor# ping ip_address count
The following example shows a successful ping:
sensor# ping 192.0.2.1 6
PING 192.0.2.1 (192.0.2.1): 56 data
64 bytes from 192.0.2.1: icmp_seq=0
64 bytes from 192.0.2.1: icmp_seq=1
64 bytes from 192.0.2.
Resetting the Appliance
To reset the appliance, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 To stop all applications and reboot the appliance, follow Steps 2 and 3. Otherwise, to power down the appliance, go to Steps 4 and 5.
sensor# reset
Warning: Executing this command will stop all applications and reboot the node.
Continue with reset? []:
Step 3 Enter yes to continue the reset.
Displaying Command History
Step 3 Show the history of the commands you have used in network access mode, for example.
sensor# configure terminal
sensor (config)# service network-access
sensor (config-net)# show history
show settings
show settings terse
show settings | include profile-name|ip-address
exit
show history
sensor (config-net)#

Displaying Hardware Inventory
Use the show inventory command to display PEP information.
PID: IPS-4345-PWR-AC , VID: A0, SN: 003437
sensor#
sensor# show inventory
Name: "Module", DESCR: "IPS 4520- 6 Gig E, 4 10 Gig E SFP+"
PID: IPS-4520-INC-K9 , VID: V01, SN: JAF1547BJTJ
Name: "Chassis", DESCR: "ASA 5585-X"
PID: ASA5585 , VID: V02, SN: JMX1552705O
Name: "power supply 0", DESCR: "ASA 5585-X AC Power Supply"
PID: ASA5585-PWR-AC , VID: V03, SN: POG153700UC
Name: "power supply 1", DESCR: "ASA 5585-X AC Power Supply"
P
PID: IPS-4360 , VID: V01 , SN: FGL162740J6
Name: "RegexAccelerator/0", DESCR: "LCPX8640 (humphrey)"
PID: FCH162077NK , VID: 33554537, SN: LXXXXXYYYY
Name: "power supply 1", DESCR: "IPS4360 AC Power Supply "
PID: IPS-4360-PWR-AC , VID: 0700A, SN: 25Y1Y8
Name: "power supply 2", DESCR: "IPS4360 AC Power Supply "
PID: IPS-4360-PWR-AC , VID: 0700A, SN: 25Y1Y9

Tracing the Route of an IP Packet
Caution There is no command interr
Displaying Submode Settings
Use the show settings [terse] command in any submode to view the contents of the current configuration. To display the current configuration settings for a submode, follow these steps:
Step 1 Log in to the CLI.
Step 2 Show the current configuration for ARC submode.
password:
username:
----------------------------------------------
profile-name: fwsm
----------------------------------------------
enable-password:
password:
username: pix default:
----------------------------------------------
profile-name: outsidePix
----------------------------------------------
enable-password:
password:
username: pix default:
------------------------------
----------------------------------------------
ip-address: 192.0.2.25
----------------------------------------------
communication: telnet default: ssh-3des
nat-address: 0.0.0.
profile-name: 2admin
profile-name: r7200
profile-name: insidePix
profile-name: qatest
profile-name: fwsm
profile-name: outsidePix
profile-name: cat
profile-name: rcat
profile-name: nopass
profile-name: test
profile-name: sshswitch
----------------------------------------------
cat6k-devices (min: 0, max: 250, current: 1)
----------------------------------------------
ip-address: 192.0.2.
Chapter 18 Configuring the ASA 5500 AIP SSM
This chapter contains procedures that are specific to configuring the ASA 5500 AIP SSM.
ASA 5500 AIP SSM Configuration Sequence
• IPS appliances reset both the attacker and victim when the Reset TCP Connection is selected and they reset the victim when Deny Connection Inline is selected. For the ASA IPS modules, TCP resets are sent by the ASA. The ASA resets the server, which in some cases is the attacker and in others the victim. The ASA does not always reset the client.
9. Configure intrusion prevention.
10. Configure global correlation.
11. Configure global correlation.
12. Perform miscellaneous tasks to keep your ASA 5500 AIP SSM running smoothly.
13. Upgrade the IPS software with new signature updates and service packs as they become available.
14. Reimage the ASA 5500 AIP SSM when needed.
Verifying ASA 5500 AIP SSM Initialization
Software version: 7.0(1)E3
MAC Address Range: 0012.d948.fe73 to 0012.d948.fe73
App. name: IPS
App. Status: Up
App. Status Desc:
App. version: 6.2(1)E3
Data plane Status: Up
Status: Up
Mgmt IP addr: 171.69.36.171
Mgmt web ports: 443
Mgmt TLS enabled: true
asa#
Step 3 Confirm the information.

Creating Virtual Sensors for the ASA 5500 AIP SSM
Note Cisco Adaptive Security Appliance Software 7.2.
ASA 5500 AIP SSM Virtual Sensor Configuration Sequence
Follow this sequence to create virtual sensors on the ASA 5500 AIP SSM, and to assign them to adaptive security appliance contexts:
1. Configure up to four virtual sensors.
2. Assign the ASA 5500 AIP SSM sensing interface (GigabitEthernet 0/1) to one of the virtual sensors.
3.
Step 3 Add a virtual sensor.
sensor(config-ana)# virtual-sensor vs1
sensor(config-ana-vir)#
Step 4 Add a description for this virtual sensor.
sensor(config-ana-vir)# description virtual sensor 1
Step 5 Assign an anomaly detection policy and operational mode to this virtual sensor if you have enabled anomaly detection.
sensor(config-ana)# exit
Apply Changes:?[yes]:
sensor(config)#
Step 11 Press Enter to apply the changes or enter no to discard them.
For More Information
• For the procedures for creating and configuring anomaly detection policies, see Working With Anomaly Detection Policies, page 9-9.
• show context [detail]—Updated to display information about virtual sensors. In user context mode, a new line is added to show the mapped names of all virtual sensors that have been allocated to this context. In system mode, two new lines are added to show the real and mapped names of virtual sensors allocated to this context. You can assign multiple virtual sensors to a context.
asa(config-ctx)# allocate-interface g0/2
asa(config-ctx)# allocate-interface g0/3
[two further asa(config-ctx)# command lines were garbled in extraction ("all allocate-in") and are not recoverable]
asa(config-ctx)# config-url disk0:/c3.cfg
WARNING: Could not fetch the URL disk0:/c3.cfg
INFO: Creating context with default config
asa(config-ctx)#
Step 6 Assign virtual sensors to the security contexts.
Sending Traffic to the ASA 5500 AIP SSM
Note This section applies to Cisco Adaptive Security Appliance Software 7.2 or earlier for ASA 5500 AIP SSM.
This section describes how to configure ASA 5500 AIP SSM to receive IPS traffic from the adaptive security appliance (inline or promiscuous mode) if it is running Cisco Adaptive Security Appliance Software 7.2 or earlier.
Step 4 Define an IPS class map to identify the traffic you want to send to ASA 5500 AIP SSM.
asa(config)# class-map class_map_name
Example
asa(config)# class-map ips_class
Note You can create multiple traffic class maps to send multiple traffic classes to ASA 5500 AIP SSM.
Step 5 Specify the traffic in the class map.
Step 12 Verify the settings.
asa# show running-config
Step 13 Exit and save the configuration.
For More Information
For more information on bypass mode, see The Adaptive Security Appliance, ASA 5500 AIP SSM, and Bypass Mode, page 18-12.
The ASA 5500 AIP SSM and the Normalizer Engine
The majority of the features in the Normalizer engine are not used on the ASA 5500 AIP SSM, because the ASA itself handles the normalization. Packets on the ASA IPS modules go through a special path in the Normalizer that only reassembles fragments and puts packets in the right order for the TCP stream.
ASA 5500 AIP SSM Failover Scenarios
Single ASA in Fail-Open Mode
• If the ASA is configured in fail-open mode for the ASA 5500 AIP SSM, and the ASA 5500 AIP SSM experiences a configuration change or signature/signature engine update, traffic is passed through the ASA without being inspected.
The ASA 5500 AIP SSM and the Data Plane
Symptom The ASA 5500 AIP SSM data plane is kept in the Up state while applying signature updates. You can check the ASA 5500 AIP SSM data plane status by using the show module command during signature updates.
Possible Cause Bypass mode is set to off. The issue is seen when updating signatures, and when you use either CSM or IDM to apply signature updates.
New and Modified Commands
• hw-module module slot_number recover [boot | stop | configure]—The recover command displays a set of interactive options for setting or changing the recovery parameters. To change the parameter or keep the existing setting, press Enter.
– hw-module module slot_number recover boot—This command initiates recovery of the ASA 5500 AIP SSM. It is applicable only when the module is in the Up state.
Syntax Description
default (Optional) Sets one sensor per context as the default sensor; if the context configuration does not specify a sensor name, the context uses this default sensor. You can only configure one default sensor per context. If you want to change the default sensor, enter the no allocate-ips sensor_name command to remove the current default sensor before you allocate a new default sensor.
Note You do not need to be in multiple context mode to use virtual sensors; you can be in single mode and use different sensors for different traffic flows.
Examples
The following example assigns sensor1 and sensor2 to context A, and sensor1 and sensor3 to context B. Both contexts map the sensor names to “ips1” and “ips2.
Chapter 19 Configuring the ASA 5500-X IPS SSP
This chapter contains procedures that are specific to configuring the ASA 5500-X IPS SSP.
Configuration Sequence for the ASA 5500-X IPS SSP
• All IPS platforms allow ten concurrent CLI sessions.
• The ASA 5500-X IPS SSP does not support bypass mode. The adaptive security appliance will either fail open, fail close, or fail over depending on the configuration of the adaptive security appliance and the type of activity being done on the IPS.
• For more information on how to obtain Cisco IPS software, see Chapter 21, “Obtaining Software.”
• For the procedure for reimaging the ASA 5500-X IPS SSP, see Installing the System Image for the ASA 5500-X IPS SSP, page 22-31.
Creating Virtual Sensors for the ASA 5500-X IPS SSP
The ASA 5500-X IPS SSP and Virtualization
The ASA 5500-X IPS SSP has one sensing interface, PortChannel 0/0. When you create multiple virtual sensors, you must assign this interface to only one virtual sensor. For the other virtual sensors you do not need to designate an interface.
• description—Provides a description of the virtual sensor.
• event-action-rules—Specifies the name of the event action rules policy.
• signature-definition—Specifies the name of the signature definition policy.
• physical-interfaces—Specifies the name of the physical interface.
• no—Removes an entry or selection.
signature-definition: sig0
event-action-rules: rules0
anomaly-detection
----------------------------------------------
anomaly-detection-name: ad0
operational-mode: inactive
----------------------------------------------
physical-interface (min: 0, max: 999999999, current: 1)
----------------------------------------------
name: PortChannel0/0
---------------------
Note The mapped name is used to hide the real name of the virtual sensor from the context, usually done for reasons of security or convenience to make the context configuration more generic. If no mapped name is used, the real virtual sensor name is used. You cannot reuse a mapped name for two different virtual sensors in a context.
Step 5 Add three context modes to multiple mode.
asa(config)# admin-context admin
Creating context 'admin'... Done. (13)
asa(config)# context admin
asa(config-ctx)# allocate-interface GigabitEthernet0/0.101
asa(config-ctx)# allocate-interface GigabitEthernet0/1.102
asa(config-ctx)# allocate-interface Management0/0
asa(config-ctx)# config-url disk0:/admin.
asa/c3(config)#
Step 8 Confirm the configuration.
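The following is an added example that is not an excerpt from the Cisco guide: it carries the allocate-ips scenario described in Chapter 18 (sensor1 and sensor2 in context A, sensor1 and sensor3 in context B, both mapped to ips1 and ips2) through to the point where a context actually steers traffic to its mapped sensor, using the class-map and policy-map steps from "Sending Traffic to the ASA 5500 AIP SSM" and the mapped-name rule from the note above. Context names, config-url file names and the subinterface names are constructed for the example; the allocate-ips, changeto context, ips inline and service-policy commands are standard ASA syntax I am confident of but which this page shows only in part. Lines beginning with "!" are annotations, not commands.

```text
! System execution space: allocate virtual sensors to two contexts.
! Each context sees only the mapped names ips1/ips2, never the real sensor names.
asa(config)# context A
asa(config-ctx)# allocate-interface GigabitEthernet0/0.101
asa(config-ctx)# allocate-ips sensor1 ips1 default
asa(config-ctx)# allocate-ips sensor2 ips2
asa(config-ctx)# config-url disk0:/a.cfg
asa(config-ctx)# exit
asa(config)# context B
asa(config-ctx)# allocate-interface GigabitEthernet0/0.102
asa(config-ctx)# allocate-ips sensor1 ips1 default
asa(config-ctx)# allocate-ips sensor3 ips2
asa(config-ctx)# config-url disk0:/b.cfg
asa(config-ctx)# exit
! In system mode show context detail lists both the real and the mapped sensor names.
asa(config)# show context detail

! Inside context A: send everything matched by ips_class to the sensor the context knows as ips1.
asa(config)# changeto context A
asa/A(config)# class-map ips_class
asa/A(config-cmap)# match any
asa/A(config-cmap)# exit
asa/A(config)# policy-map ips_policy
asa/A(config-pmap)# class ips_class
! inline + fail-close: if the module stops responding, matched traffic is dropped rather
! than forwarded uninspected. Use fail-open only where availability outranks inspection.
asa/A(config-pmap-c)# ips inline fail-close sensor ips1
asa/A(config-pmap-c)# exit
asa/A(config-pmap)# exit
asa/A(config)# service-policy ips_policy global
asa/A(config)# show running-config policy-map
```

Because context B maps a different real sensor (sensor3) to the same name ips2, the identical policy-map text can be reused across contexts while each context's traffic still reaches its own sensor and its own signature and event-action policies; that is the "generic context configuration" the note refers to. The trade-off to make deliberately is fail-close versus fail-open: the failover scenarios later in this chapter describe what happens to traffic during a signature update or SensorApp restart under each setting.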
ASA 5500-X IPS SSP Default Gateway
To access the Internet from the ASA 5500-X IPS SSP and to manage it from hosts behind other interfaces on the ASA 5500-X, connect the Management 0/0 interface on the ASA 5500-X to a Layer 3 device. Configure the default gateway on the sensor as the Layer 3 device.
The SensorApp is Reconfigured
The following occurs when the SensorApp is reconfigured:
Note
• If set to fail-open, the adaptive security appliance passes traffic without sending it to the ASA IPS module.
• If set to fail-close, the adaptive security appliance stops passing traffic until the ASA IPS module is restarted.
Chapter 19 Configuring the ASA 5500-X IPS SSP The ASA 5500-X IPS SSP and Memory Usage For More Information For detailed information about the Normalizer engine, see Normalizer Engine, page B-37. The ASA 5500-X IPS SSP and Memory Usage For the ASA 5500-X IPS SSP, the memory usage is 93%. The default health thresholds for the sensor are 80% for yellow and 91% for red, so the sensor health will be shown as red on these platforms even for normal operating conditions.
Use the following commands to reload, shut down, reset, recover the password, and recover the ASA 5500-X IPS SSP directly from the adaptive security appliance:

• sw-module module ips reload—Reloads the software on the ASA 5500-X IPS SSP without doing a hardware reset. It is effective only when the module is in the Up state.

Health and Status Information

   Firmware version:   N/A
   Software version:   7.1(3)E4
   MAC Address Range:  503d.e59c.7ca0 to 503d.e59c.7ca0
   App. name:          IPS
   App. Status:        Up
   App. Status Desc:   Normal Operation
   App. version:       7.1(3)E4
   Data Plane Status:  Up
   Status:             Up
   License:            IPS Module Enabled perpetual
   Mgmt IP addr:       192.168.1.2
   Mgmt Network mask:  255.255.255.0
   Mgmt Gateway:       192.168.1.
   Mgmt web ports:
   Mgmt TLS enabled:
asa#
ASA 5500-X IPS SSP Failover Scenarios

The following failover scenarios apply to the ASA 5500-X series in the event of configuration changes, signature/signature engine updates, service packs, and SensorApp crashes on the ASA 5500-X IPS SSP.

   failover
   failover lan unit secondary
   failover lan interface folink GigabitEthernet0/7
   failover interface ip folink 172.27.48.1 255.255.255.0 standby 172.27.48.2

New and Modified Commands

This section describes the new and modified Cisco ASA commands that support the ASA 5500-X IPS SSP and are used to configure it.

mapped_name (Optional) Sets a mapped name as an alias for the sensor name that can be used within the context instead of the actual sensor name. If you do not specify a mapped name, the sensor name is used within the context. For security purposes, you might not want the context administrator to know which sensors are being used by the context. Or you might want to keep the context configuration generic.

Examples

The following example assigns sensor1 and sensor2 to context A, and sensor1 and sensor3 to context B. Both contexts map the sensor names to “ips1” and “ips2.” In context A, sensor1 is set as the default sensor, but in context B no default is set, so the default that is configured on the ASA 5500-X IPS SSP is used.
Chapter 20 Configuring the ASA 5585-X IPS SSP

This chapter contains procedures that are specific to configuring the ASA 5585-X IPS SSP.
Configuration Sequence for the ASA 5585-X IPS SSP

• The ASA 5585-X IPS SSP has four types of ports (console, management, GigabitEthernet, and 10GE). The console and management ports (on the right front panel of the ASA 5585-X IPS SSP) are configured and controlled by IPS software. The GigabitEthernet and 10GE ports (on the left front panel of the ASA 5585-X IPS SSP) are configured and controlled by ASA software rather than IPS software.

9. Configure global correlation.
10. Perform miscellaneous tasks to keep your ASA 5585-X IPS SSP running smoothly.
11. Upgrade the IPS software with new signature updates and service packs as they become available.
12. Reimage the ASA 5585-X IPS SSP when needed.

For More Information
• For the procedure for logging in to the ASA 5585-X IPS SSP, see Chapter 2, “Logging In to the Sensor.

Verifying Initialization for the ASA 5585-X IPS SSP
   App. Status Desc:   Normal Operation
   App. version:       7.1(2)E4
   Data plane Status:  Up
   Status:             Up
   Mgmt IP addr:       192.0.2.3
   Mgmt Network mask:  255.255.255.0
   Mgmt Gateway:       192.0.2.254
   Mgmt Access List:   10.0.0.0/8
   Mgmt Access List:   64.0.0.0/8
   Mgmt web ports:     443
   Mgmt TLS enabled:   true
asa

Step 3 Confirm the information.

Creating Virtual Sensors for the ASA 5585-X IPS SSP

The ASA 5585-X IPS SSP has one sensing interface, PortChannel 0/0. When you create multiple virtual sensors, you must assign this interface to only one virtual sensor. For the other virtual sensors you do not need to designate an interface. After you create virtual sensors, you must map them to a security context on the adaptive security appliance using the allocate-ips command.

• signature-definition—Specifies the name of the signature definition policy.
• physical-interfaces—Specifies the name of the physical interface.
• no—Removes an entry or selection.

Creating Virtual Sensors

To create a virtual sensor on the ASA 5585-X IPS SSP, follow these steps:

Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter service analysis mode.

   anomaly-detection-name: ad1 default: ad0
   operational-mode: learn default: detect
   -----------------------------------------------
   physical-interface (min: 0, max: 999999999, current: 2)
   -----------------------------------------------
      name: PortChannel0/0
      subinterface-number: 0
   -----------------------------------------------
   -----------------------------------------------
   logical-interface (min: 0, max: 999
Note The mapped name hides the real name of the virtual sensor from the context, usually for security or for convenience, so that the context configuration stays generic. If no mapped name is used, the real virtual sensor name is used. You cannot reuse a mapped name for two different virtual sensors in a context.

Step 5 Add three contexts in multiple context mode.

asa(config)# admin-context admin
Creating context 'admin'... Done. (13)
asa(config)# context admin
asa(config-ctx)# allocate-interface GigabitEthernet0/0.101
asa(config-ctx)# allocate-interface GigabitEthernet0/1.102
asa(config-ctx)# allocate-interface Management0/0
asa(config-ctx)# config-url disk0:/admin.

asa/c3(config)#

Step 8 Confirm the configuration.

The ASA 5585-X IPS SSP and the Normalizer Engine
• 1330.18

For More Information

For detailed information about the Normalizer engine, see Normalizer Engine, page B-37.

The ASA 5585-X IPS SSP and Bypass Mode

The ASA 5585-X IPS SSP does not support bypass mode. The adaptive security appliance will either fail open, fail close, or fail over depending on the configuration of the adaptive security appliance and the type of activity being done on the ASA 5585-X IPS SSP.

Reloading, Shutting Down, Resetting, and Recovering the ASA 5585-X IPS SSP

Note You can enter the hw-module commands from privileged EXEC mode or from global configuration mode. You can enter the commands in single routed mode and single transparent mode.
Health and Status Information

To see the general health of the ASA 5585-X IPS SSP, use the show module 1 details command.

asa# show module 1 details
Getting details from the Service Module, please wait...
ASA 5585-X IPS Security Services Processor-20 with 8GE
Model:              ASA5585-SSP-IPS20
Hardware version:   1.0
Serial Number:      ABC1234DEFG
Firmware version:   2.0(1)3
Software version:   7.1(1)E4
MAC Address Range:  8843.e12f.5414 to 8843.e12f.

App. Status:        Not Applicable
App. Status Desc:   Not Applicable
App. version:       7.1(1)E4
Data plane Status:  Not Applicable
Status:             Down

asa# show module 1 details
Getting details from the Service Module, please wait...
Unable to read details from slot 1
ASA 5585-X IPS Security Services Processor-20 with 8GE
Model:              ASA5585-SSP-IPS20
Hardware version:   1.0
Serial Number:      ABC1234DEFG
Firmware version:   2.0(7)0
Software version:   7.
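The show module output above is what an operator reads before and after a reload or recovery, usually by eye. The following Python script is an added example, not code from this guide or from Cisco: it parses the Key: value fields of a show module 1 details capture, classifies the module from the Status and App. Status fields, and flags the details that matter (the ASA failing to query the module, software and application versions that differ, management TLS turned off). The two captures embedded in it are constructed to mirror the output shown above, with placeholder serial numbers and MAC addresses; the treatment of a Status of "Recover" as the reimaging state follows the note in the system image procedures later in this guide.

```python
import re

# Constructed captures modelled on the "show module 1 details" output shown in
# this chapter. Serial numbers and MAC addresses are placeholders.
SAMPLE_UP = """\
asa# show module 1 details
Getting details from the Service Module, please wait...
ASA 5585-X IPS Security Services Processor-20 with 8GE
Model:              ASA5585-SSP-IPS20
Hardware version:   1.0
Serial Number:      ABC1234DEFG
Firmware version:   2.0(1)3
Software version:   7.1(1)E4
MAC Address Range:  8843.e12f.5414 to 8843.e12f.5414
App. name:          IPS
App. Status:        Up
App. Status Desc:   Normal Operation
App. version:       7.1(1)E4
Data plane Status:  Up
Status:             Up
Mgmt IP addr:       192.0.2.3
Mgmt web ports:     443
Mgmt TLS enabled:   true
asa#
"""

SAMPLE_DOWN = """\
asa# show module 1 details
Getting details from the Service Module, please wait...
Unable to read details from slot 1
ASA 5585-X IPS Security Services Processor-20 with 8GE
Model:              ASA5585-SSP-IPS20
Hardware version:   1.0
Serial Number:      ABC1234DEFG
Firmware version:   2.0(7)0
Software version:   7.1(1)E4
App. Status:        Not Applicable
App. Status Desc:   Not Applicable
App. version:       7.1(1)E4
Data plane Status:  Not Applicable
Status:             Down
asa#
"""

# A field line is "Key: value"; keys contain letters, spaces and dots only.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z .]*?):\s*(.*)$")


def parse_module_details(text):
    """Return the 'Key: value' lines of a show module details capture as a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def module_state(fields):
    """Map the Status / App. Status fields to one operator-facing state.

    Status values used in this guide: "Up" (normal operation), "Recover"
    (the ASA is transferring an application image to the module) and "Down".
    """
    status = fields.get("Status", "")
    if status == "Up" and fields.get("App. Status") == "Up":
        return "healthy"
    if status.startswith("Recover"):
        return "reimaging"
    if status == "Down":
        return "down"
    return "degraded"


def check_module(text):
    """Return (state, findings) for one capture; findings is empty when all is well."""
    fields = parse_module_details(text)
    findings = []
    if "Unable to read details" in text:
        findings.append("the ASA could not query the module (not booted or hardware fault)")
    state = module_state(fields)
    desc = fields.get("App. Status Desc", "")
    if desc not in ("", "Normal Operation", "Not Applicable"):
        findings.append("IPS application reports: " + desc)
    sw, app = fields.get("Software version"), fields.get("App. version")
    if sw and app and sw != app:
        findings.append(f"software version {sw} differs from application version {app}")
    tls = fields.get("Mgmt TLS enabled")
    if tls is not None and tls.lower() != "true":
        findings.append("management TLS is disabled; web management would not be TLS-protected")
    return state, findings


if __name__ == "__main__":
    for name, capture in (("up", SAMPLE_UP), ("down", SAMPLE_DOWN)):
        state, findings = check_module(capture)
        print(name, state, findings)
```

Run it against a capture taken with show module 1 details after a sw-module or hw-module recover: a state of "reimaging" means the transfer is still in progress, and a state of "down" together with the "could not query" finding is the case the debug module-boot command in this chapter is meant for.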
If you have problems with reimaging the ASA 5585-X IPS SSP, use the debug module-boot command to see the output as it boots. Make sure you have the correct IP address for the TFTP server and you have the correct file on the TFTP server. Then use the hw-module module 1 recover command again to reimage the module.

ips-ssp# hw-module module 1 recover configure
Image URL [tftp://0.0.0.0/]: tftp://10.10.10.10//IPS-SSP_20-K9-sys-1.
Traffic Flow Stopped on IPS Switchports

Problem Traffic on any port located on the ASA 5585-X IPS SSP (1/x) no longer passes through the adaptive security appliance when the ASA 5585-X IPS SSP is reset or shut down. This affects all traffic through these ports regardless of whether or not the traffic would have been monitored by the IPS.

Failover Scenarios

• If the ASAs are configured in fail-close mode, and the ASA 5585-X IPS SSP on the active ASA experiences a SensorApp crash or a service pack upgrade, failover is triggered and traffic passes through the ASA 5585-X IPS SSP on the ASA that was previously the standby.
Chapter 21 Obtaining Software

This chapter provides information on obtaining the latest Cisco IPS software. It contains the following sections:
• IPS 7.1 File List, page 21-1
• Obtaining Cisco IPS Software, page 21-1
• IPS Software Versioning, page 21-3
• Accessing IPS Documentation, page 21-7
• Cisco Security Intelligence Operations, page 21-7

IPS 7.1 File List

The currently supported IPS 7.1(x) versions are 7.1(1)E4, 7.1(2)E4, 7.1(3)E4, 7.1(4)E4, 7.1(5)E4, 7.1(6)E4, 7.1(7)E4, IPS 7.
Obtaining Cisco IPS Software

Downloading Cisco IPS Software

To download software on Cisco.com, follow these steps:
Step 1 Log in to Cisco.com.
Step 2 From the Support drop-down menu, choose Download Software.
Step 3 Under Select a Software Product Category, choose Security Software.
Step 4 Choose Intrusion Prevention System (IPS).
Step 5 Enter your username and password.

IPS Software Versioning

When you download IPS software images from Cisco.com, you should understand the versioning scheme so that you know which files are base files, which are cumulative, and which are incremental.

Major Update

A major update contains new functionality or an architectural change in the product. For example, the Cisco IPS 7.
Figure 21-1 illustrates what each part of the IPS software file name represents for major and minor updates, service packs, and patch releases.

Figure 21-1 IPS Software File Name for Major and Minor Updates, Service Packs, and Patch Releases

   IPS-identifier-K9-x.y-z[a or p1]-E1.

Recovery and System Image Files

Recovery and system image files contain separate versions for the installer and the underlying application. The installer version contains a major and minor version field. The major version is incremented by one for any major change to the image installer, for example, switching from .tar to rpm or changing kernels.

1. Signature updates include the latest cumulative IPS signatures. Signature engine updates add new engines or engine parameters that are used by new signatures in later signature updates.
2. Service packs include new features and defect fixes.
3. Minor versions include new minor version features and/or minor version functionality.
4. Major versions include new major version functionality or new architecture.
5. Patch releases are for interim fixes.
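To make the versioning scheme above concrete, here is an added Python example (not code from this guide or from Cisco) that splits the file names used in this guide into platform identifier, kind and version, renders the 7.1(3)E4 form that show version and show module print, and decides whether a downloaded file should be fed to the upgrade command on a given module. The regular expressions are assumptions derived from the names IPS-SSP_10-K9-7.1-3-E4.pkg and IPS-4270_20-K9-sys-1.1-a-7.1-3-E4.img that appear in this guide; the "a or p1" slot of Figure 21-1 is modelled as an optional suffix directly after the service pack number, a patch is ordered after its base service pack, and the platform identifier passed in (for example "SSP_10") is assumed to be the same string that appears in the file name.

```python
import re
from dataclasses import dataclass

# Name layouts are assumptions derived from the file names shown in this guide:
#   update / service pack / patch:  IPS-SSP_10-K9-7.1-3-E4.pkg
#   system image:                   IPS-4270_20-K9-sys-1.1-a-7.1-3-E4.img
UPDATE_RE = re.compile(
    r"^IPS-(?P<platform>[A-Za-z0-9_]+)-K9-"
    r"(?P<major>\d+)\.(?P<minor>\d+)-(?P<sp>\d+)(?P<suffix>a|p\d+)?"
    r"-E(?P<engine>\d+)\.pkg$"
)
SYSIMG_RE = re.compile(
    r"^IPS-(?P<platform>[A-Za-z0-9_]+)-K9-sys-"
    r"(?P<inst_major>\d+)\.(?P<inst_minor>\d+)-a-"
    r"(?P<major>\d+)\.(?P<minor>\d+)-(?P<sp>\d+)-E(?P<engine>\d+)\.img$"
)
# Version as printed by show version / show module, e.g. 7.1(3)E4 or 7.1(3p1)E4.
RUNNING_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)(?:p(\d+))?\)E(\d+)$")


@dataclass(frozen=True)
class IpsFile:
    platform: str          # identifier part of the name, e.g. "SSP_10"
    kind: str              # "update", "patch" or "system image"
    version: tuple         # (major, minor, service pack, engine, patch)
    installer: tuple = ()  # (major, minor) of the image installer, system images only

    @property
    def version_string(self):
        major, minor, sp, engine, patch = self.version
        return f"{major}.{minor}({sp}{'p%d' % patch if patch else ''})E{engine}"


def parse_ips_filename(name):
    """Split an IPS software file name into platform, kind and version."""
    m = UPDATE_RE.match(name)
    if m:
        suffix = m.group("suffix") or ""
        patch = int(suffix[1:]) if suffix.startswith("p") else 0
        version = (int(m.group("major")), int(m.group("minor")), int(m.group("sp")),
                   int(m.group("engine")), patch)
        return IpsFile(m.group("platform"), "patch" if patch else "update", version)
    m = SYSIMG_RE.match(name)
    if m:
        version = (int(m.group("major")), int(m.group("minor")), int(m.group("sp")),
                   int(m.group("engine")), 0)
        installer = (int(m.group("inst_major")), int(m.group("inst_minor")))
        return IpsFile(m.group("platform"), "system image", version, installer)
    raise ValueError(f"unrecognised IPS file name: {name!r}")


def parse_running_version(text):
    """Parse the version a sensor reports, e.g. '7.1(3)E4', into the same tuple form."""
    m = RUNNING_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, sp, patch, engine = m.groups()
    return (int(major), int(minor), int(sp), int(engine), int(patch or 0))


def upgrade_applies(filename, running_version, platform):
    """Decide whether the upgrade command should be run with this file on this sensor.

    Returns (ok, reason). System images are excluded because they are installed
    from ROMMON or with hw-module recover, not with the upgrade command.
    """
    f = parse_ips_filename(filename)
    if f.kind == "system image":
        return False, "system images are installed from ROMMON, not with upgrade"
    if f.platform != platform:
        return False, f"file is built for {f.platform}, this module is {platform}"
    running = parse_running_version(running_version)
    if f.version <= running:
        return False, f"{f.version_string} is not newer than {running_version}"
    return True, f"{f.version_string} supersedes {running_version}"


if __name__ == "__main__":
    print(upgrade_applies("IPS-SSP_10-K9-7.1-3-E4.pkg", "7.1(2)E4", "SSP_10"))
    print(upgrade_applies("IPS-4270_20-K9-sys-1.1-a-7.1-3-E4.img", "7.1(2)E4", "4270_20"))
```

The platform check is the one that saves the most trouble: the procedures later in this guide warn, for every platform, to use the image built for that platform, and a name check before the transfer starts is cheaper than a failed recover.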
Accessing IPS Documentation

You can find IPS documentation at this URL: http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/tsd_products_support_series_home.html

Or to access IPS documentation from Cisco.com, follow these steps:
Step 1 Log in to Cisco.com.
Step 2 Click Support.
Step 3 Under Support at the bottom of the page, click Documentation.

Cisco Security Intelligence Operations

Cisco Security Intelligence Operations is also a repository of information for individual signatures, including signature ID, type, structure, and description. You can search for security alerts and signatures at this URL: http://tools.cisco.com/security/center/search.x
Chapter 22 Upgrading, Downgrading, and Installing System Images

This chapter describes how to upgrade, downgrade, and install system images.
Upgrades, Downgrades, and System Images

• During a signature upgrade all signature configurations are retained, both the signature tunings and the custom signatures. During a signature downgrade the current signature configuration is replaced with the old signature configuration, so if the last signature set had custom signatures and/or signature tunings, these are restored during the downgrade.
Supported FTP and HTTP/HTTPS Servers
Upgrading the Sensor

This section explains how to use the upgrade command to upgrade the software on the sensor. It contains the following topics:
• IPS 7.1 Upgrade Files, page 22-4
• Upgrade Notes and Caveats, page 22-4
• Manually Upgrading the Sensor, page 22-4
• Upgrading the Sensor, page 22-5
• Upgrading the Recovery Partition, page 22-7

IPS 7.1 Upgrade Files

The currently supported IPS 7.

Use the upgrade source-url command to apply service pack, signature update, engine update, minor version, major version, or recovery partition file upgrades. The following options apply:
• source-url—Specifies the location of the source file to be copied:
  – ftp:—Source URL for an FTP network server.

The URL points to where the update file is located. For example, to retrieve the update using FTP, enter the following:

sensor(config)# upgrade ftp://username@ip_address//directory/IPS-SSP_10-K9-7.1-3-E4.pkg

Step 5 Enter the password when prompted.
Enter password: ********
Step 6
Step 7 Enter yes to complete the upgrade.

For More Information
• For a list of supported FTP and HTTP/HTTPS servers, see Supported FTP and HTTP/HTTPS Servers, page 22-3.
• For a list of the specific upgrade files, see IPS 7.1 Upgrade Files, page 22-4.
• For the procedure for locating software on Cisco.com and obtaining an account with cryptographic privileges, see Obtaining Cisco IPS Software, page 21-1.

Note This procedure only reimages the recovery partition. The application partition is not modified by this upgrade. To reimage the application partition after the recovery partition, use the recover application-partition command.

For More Information
• For a list of supported FTP and HTTP/HTTPS servers, see Supported FTP and HTTP/HTTPS Servers, page 22-3.

Configuring Automatic Upgrades
• default—Sets the value back to the system default setting.
• directory—Specifies the directory where upgrade files are located on the file server. A leading ‘/’ indicates an absolute path.
• file-copy-protocol—Specifies the file copy protocol used to download files from the file server. The valid values are ftp or scp.

Caution In IPS 7.1(5)E4 and later the default value of the Cisco server IP address has been changed from 198.133.219.25 to 72.163.4.161 in the Auto Update URL configuration. If you have automatic update configured on your sensor, you may need to update firewall rules to allow the sensor to connect to this new IP address.

b. For periodic scheduling (starts upgrades at specific periodic intervals):

sensor(config-hos-ena)# schedule-option periodic-schedule
sensor(config-hos-ena-per)# interval 24
sensor(config-hos-ena-per)# start-time 13:00:00

Step 7 Verify the settings.

Downgrading the Sensor
Note You cannot downgrade the sensor using the recovery partition. To downgrade to an earlier version, you must install the appropriate system image file (.img file).

Use the downgrade command to remove the last applied signature upgrade or signature engine upgrade from the sensor.

Recovering the Application Partition

Warning: Executing this command will stop all applications and re-image the node to version 7.1(x)E4. All configuration changes except for network settings will be reset to default. Continue with recovery? []:

Step 5 Enter yes to continue.
Shutdown begins immediately after you execute the recover command.

Installing System Images
ROMMON

Some Cisco sensors include a preboot CLI called ROMMON, which lets you boot images on sensors where the image on the primary device is missing, corrupt, or otherwise unable to boot the normal application. ROMMON is particularly useful for recovering remote sensors as long as the serial console port is available.

Step 3 Be sure to properly close a terminal session to avoid unauthorized access to the appliance. If a terminal session is not stopped properly, that is, if it does not receive an exit(0) signal from the application that initiated the session, the terminal session can remain open. When terminal sessions are not stopped properly, authentication is not performed on the next session that is opened on the serial port, so whoever next connects to the console inherits the privileges of the session that was left open.
[ROMMON boot output: PCI device table omitted. Its columns are bus, device, function, vendor ID, device ID, device class, and IRQ; the listed devices are Intel (vendor 8086) PCI-to-PCI bridges, an ISA bridge, an IDE controller, a serial bus, audio, several Ethernet controllers, and an Encrypt/Decrypt device (vendor 177D).]
Note Not all values are required to establish network connectivity. The address, server, gateway, and image values are required. If you are not sure of the settings needed for your local environment, contact your system administrator.

Step 5 If necessary, change the interface used for the TFTP download.

Step 11 Enter set and press Enter to verify the network settings.

Note You can use the sync command to store these settings in NVRAM so they are maintained across boots. Otherwise, you must enter this information each time you want to boot an image from ROMMON.

Step 12 Download and install the system image.

Link is UP
MAC Address: 0004.23cc.6047
Use ? for help.
rommon #0>

Step 4 If necessary, change the port used for the TFTP download.

rommon #1> interface name

The port in use is listed just after the platform identification. In the example, port Management 0/0 is being used.

Step 10 Download and install the system image.

rommon> tftp

Note The IPS 4260 reboots once during the reimaging process. Do not remove power from the IPS 4260 during the update process or the upgrade can become corrupted.

For More Information
• For more information about TFTP servers, see TFTP Servers, page 22-14.
• For a list of the specific system image files, see IPS 7.1 Upgrade Files, page 22-4.
Step 4 Check the current network settings.

rommon> set
ROMMON Variable Settings:
  ADDRESS=0.0.0.0
  SERVER=0.0.0.0
  GATEWAY=0.0.0.0
  PORT=Management0/0
  VLAN=untagged
  IMAGE=
  CONFIG=
  LINKTIMEOUT=20
  PKTTIMEOUT=2
  RETRY=20

The variables have the following definitions:
• Address—Specifies the local IP address of the IPS 4270-20.
• Server—Specifies the TFTP server IP address where the application image is stored.

UNIX Example
rommon> IMAGE=/system_images/IPS-4270_20-K9-sys-1.1-a-7.1-3-E4.img

Note The path is relative to the UNIX TFTP server default tftpboot directory. Images located in the default tftpboot directory do not have any directory names or slashes in the IMAGE specification.

Windows Example
rommon> IMAGE=\system_images\IPS-4270_20-K9-sys-1.1-a-7.1-3-E4.
You can install the IPS 4345 and IPS 4360 system image by using the ROMMON on the appliance to TFTP the system image onto the compact flash device. To install the IPS 4345 and IPS 4360 system image, follow these steps:

Step 1 Download the IPS 4345 system image file to the tftp root directory of a TFTP server that is accessible from your IPS 4345.

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.

The system enters ROMMON mode. The rommon> prompt appears.

Step 4 Check the current network settings.

rommon> set
ROMMON Variable Settings:
  ADDRESS=0.0.0.0
  SERVER=0.0.0.0
  GATEWAY=0.0.0.0
  PORT=Management0/0
  VLAN=untagged
  IMAGE=
  CONFIG=

The variables have the following definitions:
• Address—Local IP address of the IPS 4345.

Step 9 Verify that you have access to the TFTP server by pinging it from your local Ethernet port with one of the following commands:
rommon> ping server_ip_address
rommon> ping server

Step 10 If necessary, define the path and filename on the TFTP file server from which you are downloading the image.
rommon> IMAGE=path file_name

Caution Make sure that you enter the IMAGE command in all uppercase.
Installing the System Image for the IPS 4510 and IPS 4520

Note The following procedure references the IPS 4510 but it also applies to the IPS 4520.

You can install the IPS 4510 and IPS 4520 system image by using the ROMMON on the appliance to TFTP the system image onto the compact flash device.

Note Not all values are required to establish network connectivity. The address, server, gateway, and image values are required. If you are not sure of the settings needed for your local environment, contact your system administrator.

Step 5 If necessary, assign an IP address for the Management port on the IPS 4510.
rommon> ADDRESS=ip_address

Note Use the same IP address that is assigned to the IPS 4510.

Step 6

Note If the network settings are correct, the system downloads and boots the specified image on the IPS 4510. Be sure to use the IPS 4510 image.

For More Information
• For more information about TFTP servers, see TFTP Servers, page 22-14.
• For a list of the specific system image files, see IPS 7.1 Upgrade Files, page 22-4.
• For the procedure for locating software on Cisco.
If the ASA 5500 AIP SSM suffers a failure and the module application image cannot run, you can transfer application images from a TFTP server to the module using the adaptive security appliance CLI. The adaptive security appliance can communicate with the module ROMMON application to transfer the image.

Step 9 Execute the recovery.
asa# hw-module module 1 recover boot
This transfers the image from the TFTP server to the ASA 5500 AIP SSM.

Step 10 Periodically check the recovery until it is complete.

Note The status reads Recovery during recovery and reads Up when reimaging is complete.

Installing the System Image for the ASA 5500-X IPS SSP

Note Be sure the TFTP server that you specify can transfer files up to 60 MB in size.

Note The CLI output is an example of what your configuration may look like. It will not match exactly due to the optional setup choices, sensor model, and IPS 7.1 version you have installed.

   1    Up    Up
asa#

Step 8

Note The Status field in the output indicates the operational status of the ASA 5500-X IPS SSP. An ASA 5500-X IPS SSP operating normally shows a status of “Up.” While the adaptive security appliance transfers an application image to the ASA 5500-X IPS SSP, the Status field in the output reads “Recover.
To install the system image, transfer the software image from a TFTP server to the ASA 5585-X IPS SSP using the adaptive security appliance CLI. The adaptive security appliance can communicate with the ROMMON application of the ASA 5585-X IPS SSP to transfer the image.

Step 10 Periodically check the recovery until it is complete.

Note The status reads Recovery during recovery and reads Up when installation is complete.

asa# show module 1 details
Getting details from the Service Module, please wait...
ASA 5585-X IPS Security Services Processor-10 with 8GE
Model:              ASA5585-SSP-IPS40
Hardware version:   1.0
Serial Number:      JAF1350ABSL
Firmware version:   2.0(1)3
Software version:   7.

Installing the ASA 5585-X IPS SSP System Image Using ROMMON

You can install the ASA 5585-X IPS SSP system image by using the ROMMON on the adaptive security appliance to TFTP the system image onto the ASA 5585-X IPS SSP.

  LINKTIMEOUT=20
  PKTTIMEOUT=4
  RETRY=20

The variables have the following definitions:
• Address—Specifies the local IP address of the ASA 5585-X IPS SSP.
• Server—Specifies the TFTP server IP address where the application image is stored.
• Gateway—Specifies the gateway IP address used by the ASA 5585-X IPS SSP.
• Port—Specifies the Ethernet interface used for the ASA 5585-X IPS SSP management.

Caution Make sure that you enter the IMAGE command in all uppercase. You can enter the other ROMMON commands in either lower case or upper case, but the IMAGE command specifically must be all uppercase.

UNIX Example
rommon> IMAGE=/system_images/IPS-SSP_10-K9-sys-1.1-a-7.1-3-E4.img

Note The path is relative to the default tftpboot directory of the UNIX TFTP server.
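The ROMMON procedures in this chapter (for the IPS 4270-20, IPS 4345, IPS 4510 and the ASA 5585-X IPS SSP) all depend on the same handful of variables, and the two mistakes they warn about, an address left at its 0.0.0.0 default and an IMAGE variable typed in lower case, are easy to catch before anything is typed at the rommon> prompt. The following Python script is an added example, not code from this guide or from Cisco: it parses NAME=value lines, whether pasted from the ROMMON set output or from a prepared list of commands, and reports anything that would make the TFTP boot fail. The captures embedded in it are constructed (the addresses are RFC 5737 documentation addresses), and the check that the image name carries the identifier of the module being reimaged is an assumption modelled on this chapter's warnings to use the image built for the platform.

```python
import ipaddress
import re

# Constructed capture modelled on the ROMMON "set" output shown in this chapter,
# with every address still at its 0.0.0.0 default.
DEFAULT_SET_OUTPUT = """\
ROMMON Variable Settings:
  ADDRESS=0.0.0.0
  SERVER=0.0.0.0
  GATEWAY=0.0.0.0
  PORT=Management0/0
  VLAN=untagged
  IMAGE=
  CONFIG=
  LINKTIMEOUT=20
  PKTTIMEOUT=4
  RETRY=20
"""

# Constructed list of assignments an operator prepared to paste at the rommon>
# prompt; the image name is one from this guide, the addresses are documentation
# addresses. Note the lower-case "image=", which ROMMON does not accept.
PREPARED_COMMANDS = """\
ADDRESS=192.0.2.10
SERVER=192.0.2.20
GATEWAY=192.0.2.1
PORT=Management0/0
image=/system_images/IPS-SSP_10-K9-sys-1.1-a-7.1-3-E4.img
"""

VAR_RE = re.compile(r"^\s*([A-Za-z]+)=(.*)$")
REQUIRED = ("ADDRESS", "SERVER", "GATEWAY", "IMAGE")
ADDRESS_VARS = ("ADDRESS", "SERVER", "GATEWAY")


def parse_rommon_vars(text):
    """Return NAME=value lines as a dict, keeping the variable names as typed."""
    found = {}
    for line in text.splitlines():
        m = VAR_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2).strip()
    return found


def check_rommon_vars(text, platform_tag):
    """Return a list of problems; an empty list means the settings look bootable.

    platform_tag is the identifier expected in the image name (e.g. "SSP_10"),
    an assumption modelled on the guide's warning to use the image built for
    the module being reimaged.
    """
    problems = []
    raw = parse_rommon_vars(text)
    # Only IMAGE must be typed in upper case; the other variable names may be
    # typed in either case, so they are normalised without comment.
    for name in raw:
        if name.upper() == "IMAGE" and name != "IMAGE":
            problems.append(f"'{name}=' must be typed as IMAGE= (all upper case)")
    vars_ = {name.upper(): value for name, value in raw.items()}
    for name in REQUIRED:
        if not vars_.get(name):
            problems.append(f"{name} is not set")
    for name in ADDRESS_VARS:
        value = vars_.get(name)
        if not value:
            continue
        try:
            address = ipaddress.ip_address(value)
        except ValueError:
            problems.append(f"{name}={value} is not a valid IP address")
            continue
        if address.is_unspecified:
            problems.append(f"{name} is still the 0.0.0.0 default")
    image = vars_.get("IMAGE", "")
    if image and platform_tag not in image:
        problems.append(f"IMAGE {image} does not look like a {platform_tag} image")
    if "\\" in image:
        # Backslashes are correct only against a Windows TFTP server.
        problems.append("IMAGE uses backslashes; confirm the TFTP server is Windows")
    return problems


if __name__ == "__main__":
    print(check_rommon_vars(DEFAULT_SET_OUTPUT, "SSP_10"))
    print(check_rommon_vars(PREPARED_COMMANDS, "SSP_10"))
```

The script does not replace the ping server step in the procedures, which is the only way to prove the TFTP server is reachable from the module's management port; it only removes the typing mistakes that would otherwise be discovered after the tftp command has already failed.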
Appendix A System Architecture

This appendix describes the IPS system architecture, and contains the following sections:
• IPS System Design, page A-1
• System Applications, page A-3
• User Interaction, page A-5
• Security Features, page A-5
• MainApp, page A-6
• SensorApp, page A-23
• CollaborationApp, page A-28
• SwitchApp, page A-30
• CLI, page A-30
• Communications, page A-32
• Cisco IPS File Structure, page A-35
• Summary of Cisco IPS Applications, page A-36

Understandi
IPS System Design

Figure A-1 illustrates the system design for IPS software.

Figure A-1 illustrates the system design for IPS software for the IPS 4500 series sensors.

System Applications

The Cisco IPS software includes the following applications:
• MainApp—Initializes the system, starts and stops the other applications, configures the OS, and performs upgrades. It contains the following components:
  – ctlTransSource (Control Transaction server)—Allows sensors to send control transactions. This is used to enable the master blocking sensor capability of Attack Response Controller (formerly known as Network Access Controller).

User Interaction

You interact with the Cisco IPS in the following ways:
• Configure device parameters
  You generate the initial configuration for the system and its features. This is an infrequent task, usually done only once. The system has reasonable default values to minimize the number of modifications you must make. You can configure Cisco IPS through the CLI, IDM, IME, CSM, ASDM, or through another application using SDEE.
MainApp

This section describes the MainApp, and contains the following topics:
• Understanding the MainApp, page A-6
• MainApp Responsibilities, page A-6
• Event Store, page A-7
• NotificationApp, page A-9
• CtlTransSource, page A-11
• Attack Response Controller, page A-12
• Logger, page A-19
• InterfaceApp, page A-20
• AuthenticationApp, page A-20
• Web Server, page A-23

Understanding the MainApp

The MainApp includes all IPS components except Se

Note
• In the Cisco IPS, the MainApp can automatically download signature and signature engine updates from Cisco.com.
Table A-1 shows some examples:

Table A-1 IPS Event Examples

IPS Event Type              Intrusion Event Priority   Start Time Stamp Value   Stop Time Stamp Value
status                      —                          0                        Maximum value           Get all status events that are stored.
error, status               —                          0                        65743
status                      —                          65743                    Maximum value           Get status events that were stored at or after time 65743.
intrusion, attack response  low                        0                        Maximum value           Get all intrusion and attack response events with low priority that are stored.
Control transactions involve the following types of requests: • Request to update the configuration data of an application instance • Request for the diagnostic data of an application instance • Request to reset the diagnostic data of an application instance • Request to restart an application instance • Request for ARC, such as a block request Control transactions have the following characteristics: • They always consist of a request followed by a respons
• Time (UTC and local time) • Signature name • Signature ID • Subsignature ID • Participant information • Alarm traits
The NotificationApp sends the following information from the evAlert event in detail mode:
• Originator information • Event ID • Event severity • Time (UTC and local time) • Signature name • Signature ID • Subsignature ID • Version • Summary • Interface group • VLAN • Participant information • Actions • Alarm t
• TCP streams in embryonic state • TCP streams in established state • TCP streams in closing state • TCP streams in system • TCP packets queued for reassembly • Total nodes active • TCP nodes keyed on both IP addresses and both ports • UDP nodes keyed on both IP addresses and both ports • IP nodes keyed on both IP addresses • Sensor memory critical stage • Interface status • Command and control packet statistics • Fail-over state • System u
Figure A-3 shows the transactionHandlerLoop method in the CtlTransSource.
[Figure A-3 CtlTransSource: the CtlTransSource object with its transactionHandlerLoop method, the IDAPI, and the HTTP client]
When the transactionHandlerLoop receives a remotely addressed transaction, it tries to forward the remote control transaction to its remote destination. The transactionHandlerLoop formats the transaction into a control transaction message.
Understanding the ARC
The main responsibility of the ARC is to apply blocks in response to events. When it responds to a block, it either interacts directly with the devices it manages to enable the block, or it sends a block request through the Control Transaction Server to a master blocking sensor. The web server on the master blocking sensor receives the control transaction and passes it to the Control Transaction Server, which passes it to the ARC.
ARC Features
The ARC has the following features:
• Communication through Telnet and SSH 1.5 with 3DES (the default) or DES encryption. Only the protocol specified in the ARC configuration for that device is attempted. If the connection fails for any reason, the ARC attempts to reestablish it. Telnet sends the device credentials in cleartext and single DES offers little confidentiality, so use SSH with 3DES wherever the managed device supports it, and keep the management path on a dedicated network.
• Maintaining blocking state across network device restarts. The ARC reapplies blocks and removes expired blocks as needed whenever a network device is shut down and restarted. The ARC is not affected by simultaneous or overlapping shutdowns and restarts of the ARC. • Authentication and authorization. The ARC can establish a communications session with a network device that uses AAA authentication and authorization including the use of remote TACACS+ servers.
• Catalyst 6000 MSFC2 with Catalyst software 5.4(3) or later and Cisco IOS 12.1(2)E or later on the MSFC2 • Cisco ASA 5500 series models: ASA 5510, ASA 5520, and ASA 5540 • FWSM
Note: The FWSM cannot block in multi-mode admin context.
ACLs and VACLs
If you want to filter packets on an interface or direction that the ARC controls, you can configure the ARC to apply an ACL before any blocks (preblock ACL) and to apply an ACL after any blocks (postblock ACL).
The following scenarios demonstrate how the ARC maintains state across restarts.
Scenario 1
There are two blocks in effect when the ARC stops and one of them expires before the ARC restarts. When the ARC restarts, it first reads the nac.shun.txt file. It then reads the preblock and postblock ACLs or VACLs. The active ACL or VACL is built in the following order: 1. The allow sensor_ip_address command (unless the allow sensor shun command has been configured) 2.
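The restart behaviour above, modelled as an added example (this is not Cisco code and not the ARC's implementation): the persisted block list is read back, any block whose timeout elapsed while the ARC was down is dropped rather than reapplied, and the active ACL is assembled with the sensor allow entry first. The line format of the persisted file and the ACL layout after step 1 (preblock ACL, one deny per live block, postblock ACL) are assumptions made for illustration.

```python
"""Model of how a blocking agent keeps block state across its own restart.
Added example, not Cisco code. The persisted-file line format and the ACL
layout after the sensor allow entry are assumptions for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Block:
    host: str
    started_at: int  # epoch seconds when the block was first applied
    timeout: int     # seconds the block stays in force

    def expires_at(self):
        return self.started_at + self.timeout


def parse_block_state(text):
    """Parse persisted blocks. Assumed line format: 'host started_at timeout'."""
    blocks = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, started, timeout = line.split()
        blocks.append(Block(host, int(started), int(timeout)))
    return blocks


def live_blocks(blocks, now):
    """Keep only blocks whose timeout has not elapsed. Expiry is measured from
    the original start time, not from the restart, so a block that ran out
    while the agent was down is never reapplied."""
    return [b for b in blocks if b.expires_at() > now]


def build_acl(sensor_ip, preblock, blocks, postblock, allow_sensor=True):
    """Assemble the active ACL: sensor allow entry first (unless disabled),
    then the preblock ACL, one deny per live block, then the postblock ACL.
    The order after the sensor entry is an assumption of this example."""
    acl = []
    if allow_sensor:
        acl.append(f"permit ip host {sensor_ip} any")
    acl.extend(preblock)
    acl.extend(f"deny ip host {b.host} any" for b in blocks)
    acl.extend(postblock)
    return acl


def rebuild_after_restart(state_text, now, sensor_ip, preblock, postblock):
    """What the agent does on start-up: read state, drop expired, rebuild."""
    blocks = live_blocks(parse_block_state(state_text), now)
    return build_acl(sensor_ip, preblock, blocks, postblock)


# Constructed state: two blocks were in force when the agent stopped at t=1000.
# The first (60 s timeout) expires at t=1060; the agent comes back at t=1100.
SAMPLE_STATE = """\
# host started_at timeout
203.0.113.10 1000 60
198.51.100.7 1000 3600
"""
SAMPLE_PREBLOCK = ["permit tcp any any eq 443"]
SAMPLE_POSTBLOCK = ["permit ip any any"]

if __name__ == "__main__":
    for entry in rebuild_after_restart(SAMPLE_STATE, 1100, "192.0.2.5",
                                       SAMPLE_PREBLOCK, SAMPLE_POSTBLOCK):
        print(entry)
```

The point to take from the model is that the expiry clock belongs to the block, not to the agent: a restart must never turn a 60-second block into a fresh 60-second block, and must never leave an expired deny entry on the device.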
Caution: Cisco firewalls do not support connection blocking of hosts. When a connection block is applied, the firewall treats it like an unconditional block. Cisco firewalls also do not support network blocking. ARC never tries to apply a network block to a Cisco firewall.
Blocking with Cisco Firewalls
The ARC performs blocks on firewalls using the shun command.
Blocking with Catalyst Switches
Catalyst switches with a PFC filter packets using VACLs. VACLs filter all packets between VLANs and within a VLAN. MSFC router ACLs are supported when WAN cards are installed and you want the sensor to control the interfaces through the MSFC2.
Note: An MSFC2 card is not a required part of a Catalyst switch configuration for blocking with VACLs.
The Logger can control what log messages are generated by each application by controlling the logging severity for different logging zones. You would only access the individual-zone-control of the logger service at the request and supervision of a TAC engineer or developer. For troubleshooting purposes, TAC might request that you turn on debug logging.
IDM or the ASDM, by logging in to the sensor using the default administrative account (cisco). In the CLI, the administrator is prompted to change the password. IPS managers initiate a setEnableAuthenticationTokenStatus control transaction to change the password of an account. Through the CLI or an IPS manager, the administrator configures which authentication method is used, such as username and password or an SSH authorized key.
The IPS web server and SSH server are server endpoints of encrypted communications. They protect their identities with a private key and offer a public key to clients that connect to them. For TLS this public key is included inside an X.509 certificate, which includes other information. Remote systems that connect to the sensor should verify that the public key received during connection establishment is the key they expect.
Web Server
The web server provides SDEE support, which enables the sensor to report security events, receive IDIOM transactions, and serve IP logs. The web server supports HTTP 1.0 and 1.1. Communications with the web server often include sensitive information, such as passwords, that would severely compromise the security of the system if an attacker were able to eavesdrop. For this reason, sensors ship with TLS enabled.
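A client-side check for the point made in the two passages above (verify the sensor's public key; the web server speaks TLS), as an added example that is not part of this guide or of any Cisco client: a script connecting to the sensor's web server pins the sensor's certificate fingerprint instead of relying on chain validation, and refuses to send anything if the presented certificate does not match. The host name, port and fingerprint are placeholders; the DER bytes at the end are a constructed stand-in used only to exercise the comparison.

```python
"""Pinning the sensor's TLS certificate in a client. Added example, not Cisco
code. Host, port and fingerprint are placeholders; SAMPLE_DER is constructed."""
import hashlib
import hmac
import socket
import ssl


def fingerprint(der_cert):
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated hex,
    the form most tools print so it can be compared by eye as well."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(der_cert, expected):
    """Constant-time comparison of the presented certificate against the pin.
    Case and separators in the expected value are ignored."""
    norm = expected.replace(":", "").replace(" ", "").upper()
    return hmac.compare_digest(fingerprint(der_cert).replace(":", ""), norm)


def connect_pinned(host, port, expected_fp, timeout=10.0):
    """Open a TLS connection and keep it only if the peer certificate matches
    the pin. Chain validation is disabled because a sensor's certificate is
    typically self-signed; the pin is what binds the session to the expected
    sensor. Nothing is sent before the check, so a mismatch leaks no data."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if not fingerprint_matches(der, expected_fp):
        tls.close()
        raise ssl.SSLError(
            f"certificate pin mismatch for {host}:{port}: got {fingerprint(der)}")
    return tls


# Constructed stand-in for a DER certificate. A real pin is computed from the
# certificate exported from the sensor over a trusted path (console or CLI).
SAMPLE_DER = b"\x30\x82\x01\x00constructed-not-a-real-certificate"
SAMPLE_PIN = fingerprint(SAMPLE_DER)

if __name__ == "__main__":
    print("pin:", SAMPLE_PIN)
    # connect_pinned("sensor.example.net", 443, SAMPLE_PIN)  # placeholder host
```

Record the pin when the sensor's certificate is first generated and rotate it whenever the sensor regenerates its server certificate; a silently changing fingerprint is exactly the event this check exists to catch.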
– Alert – Block host – Block connection – Generate SNMP trap – Capture trigger packet • Statistics Processor—This processor keeps track of system statistics such as packet counts and packet arrival rates. • Layer 2 Processor—This processor processes layer 2-related events. It also identifies malformed packets and removes them from the processing path.
All packets that are unknown or of no interest to the IPS are forwarded to the paired interface with no analysis. All bridging and routing protocols are forwarded with no participation other than a possible deny due to policy violations. There is no IP stack associated with any interface used for inline (or promiscuous) data processing. The current support for 802.1q packets in promiscuous mode is extended to inline mode.
• Clear Flow state—Lets you clear the database, which causes the sensor to start fresh just as in a restart. • Restart status—Reports periodically the current start and restart stages of the sensor.
Packet Flow
Packets are received by the NIC and placed in the kernel user-mapped memory space by the IPS-shared driver. The packet is prepended by the IPS header.
– Victim port – Risk rating threshold range – Actions to subtract – Sequence identifier (optional) – Stop-or-continue bit – Enable action filter line bit – Victim OS relevance or OS relevance • Signature Event Action Handler—Performs the requested actions. The output from the Signature Event Action Handler is the actions being performed and possibly an evIdsAlert written to the Event Store.
CollaborationApp
This section describes the CollaborationApp, and contains the following sections: • Understanding the CollaborationApp, page A-28 • Update Components, page A-28 • Error Events, page A-29
Understanding the CollaborationApp
The CollaborationApp is a peer of the MainApp and the SensorApp.
The client manifest contains the UDI of the sensor, which includes the serial number of the sensor, and an encrypted shared secret that the server uses to verify the sensor is an authentic Cisco IPS sensor. The server manifest contains a list of update files available for each component. For each update file in the list, the server manifest contains data, such as the update version, type, order, location, file transfer protocol, and so forth.
SwitchApp
The 4500 series sensors have a built-in switch that provides the external monitoring interfaces of the sensor. The SwitchApp is part of the IPS 4500 series design that enables the InterfaceApp and sensor initialization scripts to communicate with and control the switch. Any application that needs to get or set information on the switch must communicate with the SwitchApp.
– Assignment of physical sensing interfaces – Enable or disable control of physical interfaces – Add and delete users and passwords – Generate new SSH host keys and server certificates • Service—Only one user with service privileges can exist on a sensor. The service user cannot log in to the IDM or the IME. The service user logs in to a bash shell rather than the CLI. The service role is a special role that allows you to bypass the CLI if needed.
Communications
This section describes the communications protocols used by the Cisco IPS. It contains the following topics: • IDAPI, page A-32 • IDIOM, page A-33 • IDCONF, page A-33 • SDEE, page A-34 • CIDEE, page A-34
IDAPI
IPS applications use an interprocess communication API called the IDAPI to handle internal communications. The IDAPI reads and writes event data and provides a mechanism for control transactions.
IDIOM
IDIOM is a data format standard that defines the event messages that are reported by the IPS as well as the operational messages that are used to configure and control intrusion detection systems. These messages consist of XML documents that conform to the IDIOM XML schema. IDIOM supports two types of interactions: event and control transaction. Event interactions are used to exchange IPS events such as alerts.
SDEE
The Cisco IPS produces various types of events including intrusion alerts and status events. The IPS communicates events to clients such as management applications using SDEE, a product-independent standard for communicating security device events. SDEE adds extensibility features that are needed for communicating events generated by various types of security devices.
Cisco IPS File Structure
The Cisco IPS has the following directory structure: • /usr/cids/idsRoot—Main installation directory. • /usr/cids/idsRoot/shared—Stores files used during system recovery.
Summary of Cisco IPS Applications
Table A-2 gives a summary of the applications that make up the IPS.
Table A-2 Summary of Applications
AuthenticationApp: Authorizes and authenticates users based on IP address, password, and digital certificates.
Attack Response Controller: An ARC is run on every sensor. Each ARC subscribes to network access events from its local Event Store.
Table A-2 Summary of Applications (continued)
SwitchApp: Part of the IPS 4500 series design that enables the InterfaceApp and sensor initialization scripts to communicate with and control the built-in switch. Any application that needs to get or set information on the switch must communicate with the SwitchApp.
Web Server: Waits for remote HTTP client requests and calls the appropriate servlet application.
Appendix B Signature Engines
This appendix describes the IPS signature engines, and contains the following sections: • Understanding Signature Engines, page B-1 • Master Engine, page B-4 • Regular Expression Syntax, page B-9 • AIC Engine, page B-10 • Atomic Engine, page B-14 • Fixed Engine, page B-30 • Flood Engine, page B-32 • Meta Engine, page B-33 • Multi String Engine, page B-36 • Normalizer Engine, page B-37 • Service Engines, page B-40 • State Engine, page B-61 • Stri
Understanding Signature Engines
Cisco IPS contains the following signature engines: • AIC—Provides thorough analysis of web traffic. The AIC engine provides granular control over HTTP sessions to prevent abuse of the HTTP protocol. It allows administrative control over applications, such as instant messaging and gotomypc, that try to tunnel over specified ports. You can also use AIC to inspect FTP traffic and control the commands being issued.
– HTTP V2—Supports IOS IPS. This signature engine provides a protocol decode engine tuned for IOS IPS. If you try to use this engine, you receive an error message. – IDENT—Inspects IDENT (client and server) traffic. – MSRPC—Inspects MSRPC traffic. – MSSQL—Inspects Microsoft SQL traffic. – NTP—Inspects NTP traffic. – P2P—Inspects P2P traffic. – RPC—Inspects RPC traffic.
Note: The Regex accelerator card is used for both the standard String engines and the String XL engines. Most standard String engine signatures can be compiled and analyzed by the Regex accelerator card without modification. However, there are special circumstances in which the standard String engine signatures cannot be compiled for the Regex accelerator card.
Table B-1 Master Engine Parameters (continued)
alert-severity: Specifies the severity of the alert. Values: high (dangerous alert), medium (medium-level alert), low (low-level alert), informational (informational alert; default).
sig-fidelity-rating: Specifies the rating of the fidelity of this signature. Value: 0 to 100 (default = 100).
promisc-delta: Specifies the delta value used to determine the seriousness of the alert.
Table B-1 Master Engine Parameters (continued)
specify-alert-interval {yes | no}: Enables the alert interval. alert-interval: Specifies the time in seconds before the event count is reset. Value: 2 to 1000.
status: Specifies whether the signature is enabled or disabled, active or retired. Values: enabled {yes | no}, retired {yes | no}.
obsoletes: Indicates that a newer signature has disabled an older signature. No value.
Obsoletes
The Cisco signature team uses the obsoletes field to indicate obsoleted, older signatures that have been replaced by newer, better signatures, and to indicate disabled signatures in an engine when a better instance of that engine is available. For example, some String XL hardware-accelerated signatures now replace equivalent signatures that were defined in the String engine.
Table B-2 Master Engine Alert Frequency Parameters (continued)
specify-global-summary-threshold {yes | no}: Enables global summary threshold mode. global-summary-threshold: Specifies the threshold number of events to take alerts into global summary.
• deny-attacker-inline (inline mode only)—Does not transmit this packet and future packets from the attacker address for a specified period of time.
Note: This is the most severe of the deny actions. It denies the current and future packets from a single attacker address. Each deny address times out X seconds from the first event that caused the deny to start, where X is the number of seconds that you configured.
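A model of the timing rule for deny-attacker-inline, added here as an illustration (not Cisco's implementation): the deny window starts at the first triggering event and later events from the same address do not extend it, so an attacker who keeps sending is released at the same moment as one who went quiet. The packet trace is constructed.

```python
"""Model of deny-attacker-inline timing. Added example, not Cisco code.
The deny lasts deny_seconds from the FIRST triggering event; later events
from the same address do not restart the clock."""


class AttackerDenyTable:
    def __init__(self, deny_seconds):
        self.deny_seconds = deny_seconds
        self._denied = {}  # attacker address -> time the deny started

    def on_event(self, attacker, now):
        """Record a triggering event. Only the first event starts the clock;
        setdefault leaves an existing start time untouched."""
        self._denied.setdefault(attacker, now)

    def should_drop(self, src, now):
        """Inline per-packet decision. Expired entries are removed lazily."""
        started = self._denied.get(src)
        if started is None:
            return False
        if now - started >= self.deny_seconds:
            del self._denied[src]
            return False
        return True

    def denied_until(self, attacker):
        started = self._denied.get(attacker)
        return None if started is None else started + self.deny_seconds


def simulate(trace, deny_seconds):
    """Replay a constructed packet trace of (time, src, triggers_signature)
    tuples and return the per-packet verdicts."""
    table = AttackerDenyTable(deny_seconds)
    verdicts = []
    for t, src, triggers in trace:
        if table.should_drop(src, t):
            verdicts.append((t, src, "drop"))
            continue
        if triggers:
            table.on_event(src, t)
            verdicts.append((t, src, "drop"))  # the triggering packet itself is not transmitted
        else:
            verdicts.append((t, src, "pass"))
    return verdicts


# Constructed trace; deny window is 30 s in the usage below.
SAMPLE_TRACE = [
    (0, "203.0.113.10", True),    # first event: deny starts at t=0
    (5, "203.0.113.10", False),   # dropped: inside the window
    (20, "203.0.113.10", True),   # dropped too, but does NOT reset the window
    (25, "198.51.100.7", False),  # a different host is unaffected
    (31, "203.0.113.10", False),  # 30 s have elapsed since t=0: passes again
]

if __name__ == "__main__":
    for verdict in simulate(SAMPLE_TRACE, 30):
        print(*verdict)
```

Because the window is anchored to the first event, an attacker who sends continuously is not kept out for longer than one who sends once; if that matters for a given signature, the timeout value is the only knob this action offers.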
Table B-3 Signature Regular Expression Syntax (continued)
[a-z] (character range class): Any character listed inclusively in the range.
() (parentheses): Used to limit the scope of other metacharacters.
| (alternation, or): Matches either expression it separates.
^ (caret): The beginning of the line.
\char (escaped character): Matches the literal char, whether or not char is a metacharacter.
Understanding the AIC Engine
AIC provides thorough analysis of web traffic. It provides granular control over HTTP sessions to prevent abuse of the HTTP protocol. It allows administrative control over applications, such as instant messaging and gotomypc, that try to tunnel over specified ports. Inspection and policy checks for P2P and instant messaging are possible if these applications are running over HTTP.
• FTP traffic: FTP command authorization and enforcement
Table B-5 lists the parameters that are specific to the AIC HTTP engine.
Table B-5 AIC HTTP Engine Parameters
signature-type: Specifies the type of AIC signature.
Table B-5 AIC HTTP Engine Parameters (continued)
request-methods: Specifies an AIC signature that allows actions to be associated with HTTP request methods. define-request-method: Specifies get, put, and so forth. recognized-request-methods: Lists the methods recognized by the sensor.
transfer-encodings
For More Information
• For the procedures for configuring AIC engine signatures, see Configuring AIC Signatures, page 8-17. • For an example of a custom AIC signature, see Creating an AIC Signature, page 8-26. • For more information on the parameters common to all signature engines, see Master Engine, page B-4.
Atomic Engine
The Atomic engine contains signatures for simple, single packet conditions that cause alerts to be fired.
Table B-7 Atomic ARP Engine Parameters (continued)
specify-type-of-arp-sig {yes | no}: (Optional) Enables the ARP signature type. type-of-arp-sig: Specifies the type of ARP signatures you want to fire on. Destination Broadcast: Fires an alert for this signature when it sees an ARP destination address of 255.255.255.255.
Only the outermost IP tunnel is identified. When an IPv6 tunnel or IPv6 traffic inside of an IPv4 tunnel is detected, a signature fires an alert. All of the other IPv6 traffic in embedded tunnels is not inspected. The following tunneling methods are supported, but not individually detected.
Table B-8 lists the parameters that are specific to the Atomic IP Advanced engine.
Note: The second number in the ranges must be greater than or equal to the first number.
Table B-8 Atomic IP Advanced Engine Parameters
fragment-status: Specifies whether or not fragments are wanted.
Table B-8 Atomic IP Advanced Engine Parameters (continued)
specify-min-match-offset {yes | no}: Enables minimum match offset. min-match-offset: Specifies the minimum stream offset the regex-string must report for a match to be valid.
Table B-8 Atomic IP Advanced Engine Parameters (continued)
specify-first-next-header {yes | no}: (Optional) Enables inspection of the first next header. first-next-header: Specifies the value of the first next header to inspect. Value: 0 to 255.
specify-flow-label {yes | no}: (Optional) Enables inspection of the flow label. flow-label: Specifies the value of the flow label to inspect.
specify-headers-out-of-order {yes | no}
Table B-8 Atomic IP Advanced Engine Parameters (continued)
specify-ipv6-addr-options {yes | no}: (Optional) Enables the IPv6 address options. ipv6-addr-options: Specifies the IPv6 address options (value: true | false): address-with-localhost (IP address with ::1), documentation-address (IP address with the 2001:db8::/32 prefix), ipv6-addr (IP address), link-local-address (inspects for an IPv6 link-local address).
Table B-8 Atomic IP Advanced Engine Parameters (continued)
specify-traffic-class {yes | no}: (Optional) Enables inspection of the traffic class. traffic-class: Specifies the value of the traffic class to inspect. Value: 0 to 255.
IPv4
specify-ip-addr-options {yes | no}: (Optional) Enables IP address options. ip-addr-options: Specifies the IP address options, such as address-with-localhost.
Table B-8 Atomic IP Advanced Engine Parameters (continued)
specify-ip-version {yes | no}: (Optional) Enables inspection of the IP version. ip-version: Specifies which IP version to inspect. Value: 0 to 16.
L4 Protocol
specify-l4-protocol {yes | no}: (Optional) Enables inspection of the Layer 4 protocol. l4-protocol: Specifies which Layer 4 protocol to inspect.
Table B-8 Atomic IP Advanced Engine Parameters (continued)
specify-icmpv6-id {yes | no}: (Optional) Enables inspection of the Layer 4 ICMPv6 identifier. icmpv6-id: Specifies the value of the ICMPv6 header IDENTIFIER. Value: 0 to 65535.
specify-icmpv6-length {yes | no}: (Optional) Enables inspection of the Layer 4 ICMPv6 length. icmpv6-length: Specifies the value of the ICMPv6 header LENGTH.
Table B-8 Atomic IP Advanced Engine Parameters (continued)
specify-tcp-mask {yes | no}: (Optional) Enables the TCP mask for use. tcp-mask: Specifies the mask used in the TCP flags comparison: URG bit, ACK bit, PSH bit, RST bit, SYN bit, FIN bit. Values: urg, ack, psh, rst, syn, fin.
specify-tcp-flags {yes | no}: (Optional) Enables TCP flags for use. tcp-flags: Specifies the TCP flags to match when masked by the mask: URG bit, ACK bit, PSH
Table B-8 Atomic IP Advanced Engine Parameters (continued)
specify-udp-valid-length {yes | no}: (Optional) Enables inspection of the Layer 4 UDP valid length. udp-valid-length: Specifies the UDP packet lengths that are considered valid and should not be inspected. Value: 0 to 65535.
specify-udp-length-mismatch {yes | no}
Table B-9 Atomic IP Engine Parameters (continued)
specify-ip-id {yes | no}: (Optional) Enables inspection of the IP identifier. ip-id: Specifies the IP ID to inspect. Value: 0 to 65535 (the IP identification field is 16 bits).
specify-ip-option-inspection {yes | no}: (Optional) Enables inspection of the IP options. ip-option-inspection: Specifies the value of the IP option. ip-option: Specifies the IP OPTION code to match. Value: 0 to 255 (the option code is one byte).
Table B-9 Atomic IP Engine Parameters (continued)
specify-icmp-id {yes | no}: (Optional) Enables inspection of the Layer 4 ICMP ID. icmp-id: Specifies the value of the ICMP header IDENTIFIER. Value: 0 to 65535.
specify-icmp-seq {yes | no}: (Optional) Enables inspection of the Layer 4 ICMP sequence. icmp-seq: Specifies the ICMP sequence to inspect.
specify-icmp-type {yes | no}
Table B-9 Atomic IP Engine Parameters (continued)
specify-tcp-flags {yes | no}: (Optional) Enables TCP flags for use. tcp-flags: Specifies the TCP flags to match when masked by the mask: URG bit, ACK bit, PSH bit, RST bit, SYN bit, FIN bit. Values: urg, ack, psh, rst, syn, fin.
specify-tcp-reserved {yes | no}: (Optional) Enables TCP reserved for use. tcp-reserved: Specifies the value of TCP reserved.
Table B-9 Atomic IP Engine Parameters (continued)
specify-udp-valid-length {yes | no}: (Optional) Enables inspection of the Layer 4 UDP valid length. udp-valid-length: Specifies UDP packet lengths that are considered valid and should not be inspected. Value: 0 to 65535.
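Checks of the kind the Atomic IP Advanced and Atomic IP parameters above describe, as an added example (not Cisco's engine code): tcp-flags compared under tcp-mask, ip-version, ip-id, l4-protocol and a UDP length-mismatch check, run over constructed IPv4 packets. The dictionary used to express a signature and the packet builders are assumptions made for illustration; the field offsets are those of the IPv4, TCP and UDP headers.

```python
"""Atomic-IP style single-packet checks over constructed IPv4 packets.
Added example, not Cisco code. The signature dictionary keys mirror the
parameter names in the tables; the packet builders exist only to make
realistic test input."""
import struct

TCP_FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
                 "psh": 0x08, "ack": 0x10, "urg": 0x20}


def parse_ipv4(pkt):
    """Pull out the fields the checks below need from a raw IPv4 packet."""
    version = pkt[0] >> 4
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ip_id = struct.unpack("!HH", pkt[2:6])
    proto = pkt[9]
    payload = pkt[ihl:total_len]
    info = {"version": version, "ip_id": ip_id, "proto": proto,
            "payload_len": len(payload)}
    if proto == 6 and len(payload) >= 14:
        info["tcp_flags"] = payload[13]          # flags byte of the TCP header
    elif proto == 17 and len(payload) >= 8:
        info["udp_len"] = struct.unpack("!H", payload[4:6])[0]
    return info


def flags_to_bits(names):
    return sum(TCP_FLAG_BITS[n] for n in names)


def matches(sig, info):
    """True when every parameter present in sig holds for the parsed packet.
    tcp-flags is compared only on the bits selected by tcp-mask, which is
    what lets a signature say 'SYN set, ACK/RST/FIN clear' and ignore the rest.
    udp-length-mismatch fires when the UDP header's length disagrees with
    the bytes the IP layer actually delivered."""
    if "ip-version" in sig and info["version"] != sig["ip-version"]:
        return False
    if "ip-id" in sig and info["ip_id"] != sig["ip-id"]:
        return False
    if "l4-protocol" in sig and info["proto"] != sig["l4-protocol"]:
        return False
    if "tcp-mask" in sig:
        if "tcp_flags" not in info:
            return False
        mask = flags_to_bits(sig["tcp-mask"])
        want = flags_to_bits(sig.get("tcp-flags", []))
        if info["tcp_flags"] & mask != want & mask:
            return False
    if sig.get("udp-length-mismatch"):
        if "udp_len" not in info or info["udp_len"] == info["payload_len"]:
            return False
    return True


def build_ipv4(proto, ip_id, l4):
    total = 20 + len(l4)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, ip_id, 0, 64, proto, 0,
                      bytes([203, 0, 113, 10]), bytes([198, 51, 100, 7]))
    return hdr + l4


def build_tcp(flags):
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 8192, 0, 0)


def build_udp(claimed_len, payload):
    return struct.pack("!HHHH", 40000, 53, claimed_len, 0) + payload


# Constructed samples.
SYN_ONLY = build_ipv4(6, 0x1234, build_tcp(0x02))
SYN_ACK = build_ipv4(6, 0x1234, build_tcp(0x12))
UDP_OK = build_ipv4(17, 7, build_udp(12, b"abcd"))    # 8-byte header + 4 bytes
UDP_BAD = build_ipv4(17, 7, build_udp(100, b"abcd"))  # claims 100, carries 12

SIG_SYN_SCAN = {"ip-version": 4, "l4-protocol": 6,
                "tcp-mask": ["syn", "ack", "rst", "fin"], "tcp-flags": ["syn"]}
SIG_UDP_MISMATCH = {"l4-protocol": 17, "udp-length-mismatch": True}

if __name__ == "__main__":
    for name, pkt in [("SYN_ONLY", SYN_ONLY), ("SYN_ACK", SYN_ACK),
                      ("UDP_OK", UDP_OK), ("UDP_BAD", UDP_BAD)]:
        info = parse_ipv4(pkt)
        print(name, matches(SIG_SYN_SCAN, info), matches(SIG_UDP_MISMATCH, info))
```

The mask is the part people get wrong when writing custom signatures: a tcp-flags value of syn with no mask matches any packet that has SYN set, including SYN/ACK replies, which is why the scan signature above masks ACK, RST and FIN as well.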
Each Neighbor Discovery type can have one or more Neighbor Discovery options. The Atomic IPv6 engine inspects the length of each option for compliance with the legal values stated in RFC 2461. A violation of the length of an option results in an alert corresponding to the option type where the malformed length was encountered (signatures 1601 to 1605).
Note: The Atomic IPv6 signatures do not have any specific parameters to configure.
Table B-10 Fixed ICMP Engine Parameters (continued)
specify-icmp-type {yes | no}: (Optional) Enables inspection of the Layer 4 ICMP header type. icmp-type: Specifies the value of the ICMP header TYPE. Value: 0 to 65535.
swap-attacker-victim: Swaps the attacker and victim addresses and ports (source and destination) in the alert message and in any actions taken.
Table B-12 lists the parameters specific to the Fixed UDP engine.
Table B-12 Fixed UDP Engine Parameters
direction: Specifies the direction of traffic. Values: from-service (traffic from the service port destined to the client port), to-service (traffic from the client port destined to the service port).
max-payload-inspect-length: Specifies the maximum inspection depth for the signature.
Table B-13 lists the parameters specific to the Flood Host engine.
Table B-13 Flood Host Engine Parameters
protocol: Specifies which kind of traffic to inspect. Values: ICMP, UDP.
rate: Specifies the threshold number of packets per second. Value: 0 to 65535.
icmp-type: Specifies the value for the ICMP header type. Value: 0 to 65535.
dst-ports: Specifies the destination ports when you choose the UDP protocol.
All signature events are handed off to the Meta engine by the Signature Event Action Processor. The Signature Event Action Processor hands off the event after processing the minimum hits option. Summarization and event action are processed after the Meta engine has processed the component events.
Component Signatures and the Meta Engine
Component signatures are not independent signatures; they are pieces of a Meta signature.
Table B-15 lists the parameters specific to the Meta engine.
Table B-15 Meta Engine Parameters
component-list: Specifies the Meta engine component. Value: name. edit: Edits an existing entry. insert: Inserts a new entry into the list; begin places the entry at the beginning of the active list, end places the entry at the end of the active list, inactive places the entry into the inactive list.
For More Information
• For an example of a custom Meta engine signature, see Example Meta Engine Signature, page 8-47. • For more information on the parameters common to all signature engines, see Master Engine, page B-4. • For more information on Signature Event Action Processor, see Signature Event Action Processor, page 7-3.
Multi String Engine
Caution: The Multi String engine can have a significant impact on memory usage.
Table B-16 Multi String Engine Parameters (continued)
port-selection: Specifies the type of TCP or UDP port to inspect. Value: 0 to 65535. both-ports: Specifies both source and destination ports. dest-ports: Specifies a range of destination ports. source-ports: Specifies a range of source ports.
Caution: For signature 3050 Half Open SYN Attack, if you choose modify-packet-inline as the action, you can see as much as 20 to 30% performance degradation while the protection is active. The protection is only active during an actual SYN flood.
IP Fragmentation Normalization
Intentional or unintentional fragmentation of IP datagrams can hide exploits making them difficult or impossible to detect.
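The evasion the IP fragmentation paragraph refers to, as an added example (not the Normalizer's code): overlapping fragments whose bytes disagree. The reassembler flags every conflicting byte and can assemble the datagram under either a first-fragment-wins or last-fragment-wins policy, which shows why an inspector that guesses the wrong policy sees a different request than the target does. Fragments and offsets are constructed.

```python
"""IPv4 fragment reassembly that detects overlapping fragments with
conflicting data. Added example, not Cisco code. A fragment is
(offset_bytes, more_fragments, data), listed in arrival order."""


def reassemble(fragments, policy="first"):
    """Return (payload, conflicts). conflicts lists (position, earlier_byte,
    later_byte) for every byte two fragments disagree on. policy picks which
    fragment's byte survives: 'first' keeps the earlier arrival, 'last' lets a
    later fragment overwrite. payload is None while the datagram is incomplete."""
    seen = {}          # byte position -> value
    conflicts = []
    total_len = None
    for offset, more, data in fragments:
        if offset % 8:
            raise ValueError("fragment offset must be a multiple of 8 bytes")
        for i, byte in enumerate(data):
            pos = offset + i
            if pos in seen and seen[pos] != byte:
                conflicts.append((pos, seen[pos], byte))
                if policy == "last":
                    seen[pos] = byte
            elif pos not in seen:
                seen[pos] = byte
        if not more:                       # last fragment fixes the total length
            total_len = offset + len(data)
    if total_len is None or any(p not in seen for p in range(total_len)):
        return None, conflicts
    return bytes(seen[p] for p in range(total_len)), conflicts


def is_ambiguous(fragments):
    """True when overlapping bytes disagree: what the target reassembles
    depends on its own policy, so the datagram should not be inspected or
    forwarded as if it had one meaning."""
    return bool(reassemble(fragments)[1])


# Constructed fragments. CLEAN is an ordinary split of an HTTP request.
CLEAN = [
    (0, True, b"GET /ind"),
    (8, False, b"ex.html HTTP/1.0\r\n"),
]
# EVASIVE resends offset 8 with different bytes: a first-wins host sees a
# harmless path, a last-wins host sees the traversal.
EVASIVE = [
    (0, True, b"GET /ind"),
    (8, True, b"ex.html "),
    (8, False, b"../../.. HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    for policy in ("first", "last"):
        payload, conflicts = reassemble(EVASIVE, policy)
        print(policy, payload, len(conflicts), "conflicting bytes")
```

A normalizer that drops or rewrites such datagrams removes the ambiguity before the inspection engines see the stream; an inspector that merely picks one policy can be made to see a different datagram than the host it is protecting.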
fragments and puts packets in the right order for the TCP stream. The Normalizer does not do any of the normalization that is done on an inline IPS appliance, because that causes problems in the way the ASA handles the packets. The following Normalizer engine signatures are not supported: • 1300.0 • 1304.0 • 1305.0 • 1307.0 • 1308.0 • 1309.0 • 1311.0 • 1315.0 • 1316.0 • 1317.0 • 1330.0 • 1330.1 • 1330.2 • 1330.9 • 1330.
Table B-17 Normalizer Engine Parameters (continued)
specify-max-small-frags: (Optional) Enables maximum small fragments.
specify-min-fragment-size: (Optional) Enables minimum fragment size.
specify-service-ports: (Optional) Enables service ports.
specify-syn-flood-max-embryonic: (Optional) Enables SYN flood maximum embryonic.
specify-tcp-closed-timeout: (Optional) Enables TCP closed timeout.
• Service SMB Advanced Engine, page B-56 • Service SNMP Engine, page B-58 • Service SSH Engine, page B-59 • Service TNS Engine, page B-60
Understanding the Service Engines
The Service engines analyze Layer 5+ traffic between two hosts. These are one-to-one signatures that track persistent data. The engines analyze the Layer 5+ payload in a manner similar to the live service.
Table B-18 Service DNS Engine Parameters (continued)
specify-query-opcode {yes | no}: (Optional) Enables query opcode. Value: 0 to 65535.
specify-query-record-data-invalid {yes | no}: (Optional) Enables query record data invalid.
specify-query-record-data-len {yes | no}: (Optional) Enables query record data length.
query-src-port-53: Specifies the DNS packet source port 53.
query-type: Specifies the DNS query type (2-byte value). Value: 0 to 65535.
Table B-19 lists the parameters that are specific to the Service FTP engine.
Table B-19 Service FTP Engine Parameters
direction: Specifies the direction of traffic. Values: from-service (traffic from the service port destined to the client port), to-service (traffic from the client port destined to the service port).
ftp-inspection-type
service-ports
Table B-20 lists the parameters specific to the Service Generic engine.
Table B-20 Service Generic Engine Parameters
specify-dst-port {yes | no}: (Optional) Enables the destination port. dst-port: Specifies the destination port of interest for this signature. Value: 0 to 65535.
specify-ip-protocol {yes | no}: (Optional) Enables IP protocol. ip-protocol: Specifies the IP protocol this inspector should examine. Value: 0 to 255.
Service H225 Engine
The Service H225 engine analyzes the H.225.0 protocol, which consists of many subprotocols and is part of the H.323 suite. H.323 is a collection of protocols and other standards that together enable conferencing over packet-based networks. H.225.0 call signaling and status messages are part of the H.323 call setup. Various H.323 entities in a network, such as the gatekeeper and endpoint terminals, run implementations of the H.225.
Table B-21 lists parameters specific to the Service H225 engine.

Table B-21 Service H.225 Engine Parameters
Parameter / Description / Value
message-type: Specifies the type of H225 message to which the signature applies. Value: asn.1-per, setup, tpkt
  • SETUP
  • ASN.1-PER
  • Q.931
  • TPKT
policy-type: Specifies the type of H225 policy to which the signature applies. Value: length, presence, regex
  • Inspects field length.
  • Inspects presence.
Table B-21 Service H.225 Engine Parameters (continued)
Parameter / Description / Value
specify-regex-string {yes | no}: Specifies the regular expression to look for when the policy type is Regex. Value: 0 to 65535
  • regex-string: Specifies a regular expression to search for in a single TCP packet.
Before an HTTP packet can be inspected, the data must be deobfuscated or normalized to the same representation that the target system sees when it processes the data. It is ideal to have a customized decoding technique for each host target type, which involves knowing what operating system and web server version is running on the target. The Service HTTP engine has default deobfuscation behavior for the Microsoft IIS web server.
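The following added example (not code from the guide or from the sensor itself) shows why normalization has to happen before a request regex is applied. It models a target that percent-decodes repeatedly, treats backslash as a path separator, resolves dot segments and ignores case; that model, the normalize_uri and match_signature helpers, and the ADMIN_CONFIG policy pattern are all assumptions made for the illustration, not the sensor's own decoder.

```python
import re
from urllib.parse import unquote

# Assumed normalization model (added example, not the sensor's own decoder):
# percent-decode repeatedly, treat backslash as a path separator, resolve
# "." and ".." segments, and fold case, which is how an IIS-style target
# would interpret the path before serving it.
def normalize_uri(raw: str, max_decode_passes: int = 2) -> str:
    path = raw.split("?", 1)[0]          # query string is left to the caller
    for _ in range(max_decode_passes):   # repeated passes catch double encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue                     # empty and "." segments do not move
        if seg == "..":
            if segments:
                segments.pop()           # ".." backs up one directory
            continue
        segments.append(seg)
    return "/" + "/".join(segments).lower()

# Hypothetical policy signature: requests for a path the site does not expose.
ADMIN_CONFIG = re.compile(r"^/admin/config(/|$)")

def match_signature(raw_uri: str, pattern: "re.Pattern" = ADMIN_CONFIG):
    """Return (matched_raw, matched_normalized) so the effect of
    deobfuscation on the same regex is visible side by side."""
    return (pattern.search(raw_uri) is not None,
            pattern.search(normalize_uri(raw_uri)) is not None)

if __name__ == "__main__":
    # Constructed request URIs; every one reaches the same resource on the target
    for uri in ["/admin/config", "/%61dmin/./config", "/Admin\\config",
                "/a%2564min/config", "/public/../admin/config?x=1"]:
        raw, norm = match_signature(uri)
        print(f"{uri:32} raw={raw!s:5} normalized={norm}")
```

Only the first URI matches the regex as written on the wire; after normalization all five do, which is the representation the IIS target would act on. Encodings the model does not cover (for instance vendor-specific %u escapes) would need an additional decoding pass keyed to the target type, as the guide's point about per-host decoding implies.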
Table B-22 Service HTTP Engine Parameters (continued)
Parameter / Description / Value
specify-request-regex {yes | no}: (Optional) Enables searching the Request field for a specific regular expression. Value: 0 to 65535
  • request-regex: Specifies the regular expression to search in both HTTP URI and HTTP Argument fields.
Table B-23 lists the parameters specific to the Service IDENT engine.

Table B-23 Service IDENT Engine Parameters
Parameter / Description / Value
inspection-type: Specifies the type of inspection to perform. Value: has-newline, has-bad-port, size
has-newline: Inspects payload for a nonterminating new line character. Value: —
has-bad-port: Inspects payload for a bad port.
Table B-24 lists the parameters specific to the Service MSRPC engine.

Table B-24 Service MSRPC Engine Parameters
Parameter / Description / Value
protocol: Enables the protocol of interest for this inspector. Value: tcp, udp
  • type: Specifies UDP or TCP.
specify-flags {yes | no}: Enables the flags to set. Value: concurrent-execution, did-not-execute
  • msrpc-flags: Specifies MSRPC TCP flags.
  • msrpc-tcp-flags-mask: Specifies the MSRPC TCP flags mask.
Table B-24 Service MSRPC Engine Parameters (continued)
Parameter / Description / Value
specify-regex-string {yes | no}: (Optional) Enables using a regular expression string. Value: 0 to 65535
  • specify-exact-match-offset: Enables the exact match offset.
    – exact-match-offset: Specifies the exact stream offset the regular expression string must report for a match to be valid.
Table B-25 lists the parameters specific to the Service MSSQL engine.

Table B-25 Service MSSQL Engine Parameters
Parameter / Description / Value
password-present: Specifies whether or not a password was used in an MS SQL login. Value: true | false
specify-sql-username: (Optional) Enables using an SQL username. Value: sa
  • sql-username: Specifies the username (exact match) of the user logging in to the MS SQL service.
For More Information
For more information on the parameters common to all signature engines, see Master Engine, page B-4.

Service P2P Engine
P2P networks use nodes that can simultaneously function as both client and server for the purpose of file sharing. P2P networks often contain copyrighted material and their use on a corporate network can violate company policy.
Table B-27 Service RPC Engine Parameters (continued)
Parameter / Description / Value
specify-regex-string {yes | no}: (Optional) Enables using a regular expression string. Value: 0 to 65535
  • specify-exact-match-offset: Enables the exact match offset.
    – exact-match-offset: Specifies the exact stream offset the regular expression string must report for a match to be valid.
Service SMB Advanced Engine
Note The SMB engine has been replaced by the SMB Advanced engine. Even though the SMB engine is still visible in IDM, IME, and the CLI, its signatures have been obsoleted; that is, the new signatures have the obsoletes parameter set with the IDs of their corresponding old signatures. Use the new SMB Advanced engine to rewrite any custom signatures that were in the SMB engine.
Table B-28 Service SMB Advanced Engine Parameters (continued)
Parameter / Description / Value
specify-exact-match-offset {yes | no}: (Optional) Enables exact match offset. Value: 0 to 65535
  • exact-match-offset: Specifies the exact stream offset the Regex string must report for a mat
specify-min-match-length {yes | no}: (Optional) Enables minimum match length. Value: 0 to 65535
specify-regex-payload-source {yes | no}: (Optional) Enables payload source inspection.
For More Information
• For more information on the parameters common to all signature engines, see Master Engine, page B-4.
• For a list of the signature regular expression syntax, see Regular Expression Syntax, page B-9.

Service SNMP Engine
The Service SNMP engine inspects all SNMP packets destined for port 161. You can tune SNMP signatures and create custom SNMP signatures based on specific community names and object identifiers.
Table B-29 Service SNMP Engine Parameters (continued)
Parameter / Description / Value
non-snmp-traffic-inspection: Inspects for non-SNMP traffic destined for UDP port 161. Value: —
snmp-inspection {yes | no}: Enables inspection of SNMP traffic. Value: object-id, community-name
  • specify-object-id: Enables inspection of the SNMP object identifier.
    – object-id: Specifies to search for the SNMP object identifier.
1. The second number in the range must be greater than or equal to the first number.

For More Information
For more information on the parameters common to all signature engines, see Master Engine, page B-4.

Service TNS Engine
The Service TNS engine inspects the TNS protocol. TNS provides database applications with a single common interface to all industry-standard network protocols.
Appendix B Signature Engines State Engine

Table B-31 Service TNS Engine Parameters (continued)
Parameter / Description / Value
specify-regex-payload-src {yes | no}: Enables the inspection of TCP or TNS protocol. Value: tcp data, tns data
  • payload-src: Specifies which protocol to inspect:
    – tcp-data: Performs Regex over the data portion of the TCP packet.
    – tns-data: Performs Regex only over the TNS data (with all white space removed).
Table B-32 lists the parameters specific to the State engine.

Table B-32 State Engine Parameters
Parameter / Description / Value
state-machine: Specifies the state machine grouping.
Appendix B Signature Engines String Engines

Table B-32 State Engine Parameters (continued)
Parameter / Description / Value
direction: Specifies the direction of the traffic. Value: from-service, to-service
  • Traffic from service port destined to client port.
  • Traffic from client port destined to service port.
service-ports: Specifies a comma-separated list of ports or port ranges where the target service resides. Value: 0 to 65535 (footnote 1)
Table B-33 lists the parameters specific to the String ICMP engine.

Table B-33 String ICMP Engine Parameters
Parameter / Description / Value
direction: Specifies the direction of the traffic. Value: from-service, to-service
  • Traffic from service port destined to client port.
  • Traffic from client port destined to service port.
icmp-type: Specifies the value of the ICMP header TYPE. Value: 0 to 18 (footnote 1), a-b[,c-d]
regex-string: The Regex pattern to use in the search.
Table B-34 String TCP Engine (continued)
Parameter / Description / Value
specify-min-match-length {yes | no}: (Optional) Enables minimum match length. Value: 0 to 65535
strip-telnet-options: Strips the Telnet option characters from the data before the pattern is searched (footnote 2). Value: true | false
swap-attacker-victim: Swaps the attacker and victim addresses and ports (source and destination) in the alert message and in any actions taken.
Appendix B Signature Engines String XL Engines

For More Information
• For an example custom String engine signature, see Example String TCP Engine Signature, page 8-41.
• For more information on the parameters common to all signature engines, see Master Engine, page B-4.

String XL Engines
Note The IPS 4345, IPS 4360, IPS 4510, IPS 4520, ASA 5525-X IPS SSP, ASA 5545-X IPS SSP, ASA 5555-X IPS SSP, and ASA 5585-X IPS SSP support the String XL engines and the Regex accelerator card.
Table B-36 lists the parameters specific to the String XL engines (TCP, ICMP, and UDP).

Table B-36 String XL Engine Parameters
Parameter / Description / Value
direction: (Required) Direction of the traffic to inspect. Value: from-service, to-service
  • Traffic from service port destined to client port.
  • Traffic from client port destined to service port.
Table B-36 String XL Engine Parameters (continued)
Parameter / Description / Value
specify-max-match-offset {yes | no}: Enables maximum match offset. Value: 0 to 65535
  • maximum-match-offset: Specifies the maximum stream offset in bytes the regular expression string must report for a match to be valid.
Appendix B Signature Engines Sweep Engines

Table B-36 String XL Engine Parameters (continued)
Parameter / Description / Value
strip-telnet-options: Strips the Telnet option characters from the data before the pattern is searched (footnote 2). Value: true | false (default)
swap-attacker-victim: True if address (and ports) source and destination are swapped in the alert message. False for no swap (default). Value: true | false (default)
The alert conditions of the Sweep engine ultimately depend on the count of the unique parameter. The unique parameter is the threshold number of distinct hosts or ports depending on the type of sweep. The unique parameter triggers the alert when more than the unique number of ports or hosts is seen on the address set within the time period. The processing of unique port and host tracking is called counting.
Table B-37 Sweep Engine Parameters (continued)
Parameter / Description / Value
specify-icmp-type {yes | no}: (Optional) Enables the ICMP header type. Value: 0 to 255
  • icmp-type: Specifies the value of the ICMP header TYPE.
specify-port-range {yes | no}: (Optional) Enables using a port range for inspection.
  • port-range: Specifies the UDP port range used in inspection.
fragment-status: Specifies whether fragments are wanted or not.
Appendix B Signature Engines Traffic Anomaly Engine

For More Information
For more information on the parameters common to all signature engines, see Master Engine, page B-4.

Sweep Other TCP Engine
The Sweep Other TCP engine analyzes traffic between two hosts looking for abnormal packets typically used to fingerprint a victim. You can tune the existing signatures or create custom signatures. TCP sweeps must have a TCP flag and mask specified. You can specify multiple entries in the set of TCP flags.
When a scanner is detected but no histogram anomaly occurred, the scanner signature fires for that attacker (scanner) IP address. If the histogram signature is triggered, the attacker addresses that are doing the scanning each trigger the worm signature (instead of the scanner signature). The alert details state which threshold is being used for the worm detection now that the histogram has been triggered.
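The two ideas above, the Sweep engine's counting of distinct hosts against the unique threshold within a time period, and the anomaly detection rule that turns scanner alerts into worm alerts once the histogram threshold is crossed, are shown together in this added example. It is illustration code, not the sensor's implementation: the Flow record, the SweepCounter window logic, the sample traffic and the simplification that a histogram anomaly means the number of scanning sources reached a fixed histogram_threshold are all assumptions made here.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float     # seconds since capture start (constructed field)
    src: str      # attacker (scanner) address
    dst: str      # victim address
    dport: int


class SweepCounter:
    """Tracks distinct destination hosts per source inside a time window
    ('counting'); observe() returns True once the count exceeds `unique`."""

    def __init__(self, unique: int, window: float):
        self.unique = unique
        self.window = window
        self._seen = defaultdict(dict)      # src -> {dst: last seen ts}

    def observe(self, flow: Flow) -> bool:
        seen = self._seen[flow.src]
        seen[flow.dst] = flow.ts
        for dst, ts in list(seen.items()):  # age out hosts outside the window
            if flow.ts - ts > self.window:
                del seen[dst]
        return len(seen) > self.unique      # "more than the unique number"


def detect_scanners(flows, unique: int, window: float) -> set:
    """Sources whose distinct-host count exceeded `unique` within `window`."""
    counter = SweepCounter(unique, window)
    fired = set()
    for flow in sorted(flows, key=lambda f: f.ts):
        if counter.observe(flow):
            fired.add(flow.src)
    return fired


def classify(scanners: set, histogram_threshold: int) -> dict:
    """Assumed simplification of the histogram rule: the anomaly is declared
    when the number of scanning sources reaches histogram_threshold. Without
    it each scanner gets the scanner signature; with it, the worm signature."""
    anomaly = len(scanners) >= histogram_threshold
    name = "worm" if anomaly else "scanner"
    return {src: name for src in sorted(scanners)}


def sample_flows():
    """Constructed traffic, not a real capture."""
    flows = []
    for i in range(7):   # 10.1.1.5 reaches 7 distinct hosts in 7 seconds
        flows.append(Flow(float(i), "10.1.1.5", f"192.0.2.{10 + i}", 445))
    for i in range(7):   # 10.1.1.6 hits the same host repeatedly: no sweep
        flows.append(Flow(float(i), "10.1.1.6", "192.0.2.50", 80))
    for i in range(7):   # 10.1.1.7 reaches 7 hosts, but 10 s apart
        flows.append(Flow(10.0 * i, "10.1.1.7", f"192.0.2.{30 + i}", 445))
    return flows


if __name__ == "__main__":
    scanners = detect_scanners(sample_flows(), unique=5, window=10.0)
    print(classify(scanners, histogram_threshold=2))
```

With unique=5 and a 10 second window only 10.1.1.5 fires; 10.1.1.7 touches as many hosts but never more than two inside any window, which is the difference the time period makes. Widening the window to 100 seconds makes 10.1.1.7 a scanner too, and with two scanners the histogram rule in classify() relabels both as worm alerts.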
Appendix B Signature Engines Traffic ICMP Engine

Table B-39 Anomaly Detection Worm Signatures (continued)
Signature ID / Subsignature ID / Name / Description
13004 / 1 / External UDP Scanner: Identified a worm attack over a UDP protocol in the external zone; the UDP histogram threshold was crossed and a scanner over a UDP protocol was identified.
13005 / 0 / External Other Scanner: Identified a single scanner over an Other protocol in the external zone.
Appendix B Signature Engines Trojan Engines

LOKI is a type of back door Trojan. When the computer is infected, the malicious code creates an ICMP tunnel that can be used to send a small payload in ICMP replies (which may go straight through a firewall if it is not configured to block ICMP). The LOKI signatures look for an imbalance of ICMP echo requests to replies and simple ICMP code and payload discriminators. The DDoS category (excluding TFN2K) targets ICMP-based DDoS agents.
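As an added example of the two discriminators the paragraph names (request-to-reply imbalance and a payload check), the following code counts, per host, the echo requests it sends and the echo replies it receives, and treats a reply whose payload echoes no outstanding request as unmatched. This is illustration code, not the LOKI signatures themselves: the IcmpPacket record, the thresholds max_unmatched and reply_ratio, and the sample packets are assumptions constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass

ECHO_REPLY = 0      # ICMP type values from RFC 792
ECHO_REQUEST = 8


@dataclass(frozen=True)
class IcmpPacket:
    src: str
    dst: str
    icmp_type: int
    payload: bytes


def echo_stats(packets, host: str):
    """Return (requests sent by host, replies received by host, unmatched replies).
    A normal echo reply carries the request's payload verbatim, so a reply whose
    payload matches no outstanding request is a simple payload discriminator."""
    outstanding = Counter()
    requests = replies = unmatched = 0
    for p in packets:
        if p.src == host and p.icmp_type == ECHO_REQUEST:
            outstanding[p.payload] += 1
            requests += 1
        elif p.dst == host and p.icmp_type == ECHO_REPLY:
            replies += 1
            if outstanding[p.payload] > 0:
                outstanding[p.payload] -= 1
            else:
                unmatched += 1
    return requests, replies, unmatched


def looks_like_icmp_tunnel(packets, host: str, max_unmatched: int = 3,
                           reply_ratio: float = 2.0) -> bool:
    """Assumed thresholds (not the sensor's): flag the host when replies
    outnumber its requests by reply_ratio, or when more replies than
    max_unmatched carry payloads the host never sent."""
    requests, replies, unmatched = echo_stats(packets, host)
    imbalance = replies > reply_ratio * max(requests, 1)
    return imbalance or unmatched > max_unmatched


def sample_packets():
    """Constructed packets, not a real capture."""
    pkts = []
    for _ in range(3):   # ordinary ping exchange: each reply echoes its request
        pkts.append(IcmpPacket("10.1.1.8", "198.51.100.1", ECHO_REQUEST, b"abcdefgh"))
        pkts.append(IcmpPacket("198.51.100.1", "10.1.1.8", ECHO_REPLY, b"abcdefgh"))
    # one request, then a stream of replies whose payloads the host never sent
    pkts.append(IcmpPacket("10.1.1.9", "198.51.100.2", ECHO_REQUEST, b"ping"))
    pkts.append(IcmpPacket("198.51.100.2", "10.1.1.9", ECHO_REPLY, b"ping"))
    for i in range(7):
        pkts.append(IcmpPacket("198.51.100.2", "10.1.1.9", ECHO_REPLY, b"chunk%d" % i))
    return pkts


if __name__ == "__main__":
    pkts = sample_packets()
    for host in ("10.1.1.8", "10.1.1.9"):
        print(host, echo_stats(pkts, host), looks_like_icmp_tunnel(pkts, host))
```

The ordinary host shows a 3:3 balance with no unmatched replies; the second host sent one request but received eight replies, seven of them with payloads it never sent, so both discriminators fire. Matching replies to requests by payload rather than only counting them is what keeps a busy but legitimate ping source from being flagged.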
Appendix C Troubleshooting
This appendix contains troubleshooting tips and procedures for sensors and software.
Appendix C Troubleshooting Preventive Maintenance Check out Bug Search Tools & Resources on Cisco.com. For more details on the tool overview and functionalities, check out the help page, located at http://www.cisco.com/web/applicat/cbsshelp/help.
To back up your current configuration, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Save the current configuration. The current configuration is saved in a backup file.
sensor# copy current-config backup-config
Step 3 Display the backup configuration file. The backup configuration file is displayed.
scp://[[username@] location]//absoluteDirectory]/filename
Note
• If you use FTP or SCP protocol, you are prompted for a password.
• If you use SCP protocol, you must also add the remote host to the SSH known hosts list.
• http:—Source URL for the web server. The syntax for this prefix is: http://[[username@]location]/directory]/filename
• https:—Source URL for the web server.
Would you like to replace existing network settings (host-ipaddress/netmask/gateway/access-list) on sensor before proceeding? [no]:
sensor#
Step 4 Enter no to retain the currently configured hostname, IP address, subnet mask, management interface, and access list. We recommend you retain this information to preserve access to your sensor after the rest of the configuration has been restored.
Appendix C Troubleshooting Disaster Recovery

Step 3 Specify the parameters for the service account. The username follows the pattern ^[A-Za-z0-9()+:,_/-]+$, which means the username must start with a letter or number, and can include any letter A to Z (capital or small), any number 0 to 9, - and _, and can contain 1 to 64 characters.
sensor(config)# user username privilege service
Step 4 Specify a password when prompted. A valid password is 8 to 32 characters long.
Appendix C Troubleshooting Password Recovery

6. Update clients to use the new key and certificate of the sensor. Reimaging changes the sensor SSH keys and HTTPS certificate, so you must add the hosts back to the SSH known hosts list.
7. Create previous users.

For More Information
• For the procedure for backing up a configuration file, see Creating and Using a Backup Configuration File, page C-2.
Appendix C Troubleshooting Password Recovery Password recovery implementations vary according to IPS platform requirements. Password recovery is implemented only for the cisco administrative account and is enabled by default. The IPS administrator can then recover user passwords for other accounts using the CLI. The cisco user password reverts to cisco and must be changed after the next login. Table C-1 lists the password recovery methods according to platform.
Step 3 Choose 2: Cisco IPS Clear Password (cisco). The password is reset to cisco. Log in to the CLI with username cisco and password cisco. You can then change the password.

Using ROMMON
For the IPS 4240, IPS 4255, IPS 4345, IPS 4360, IPS 4510, and IPS 4520, you can use the ROMMON to recover the password. To access the ROMMON CLI, reboot the sensor from a terminal server or direct connection and interrupt the boot process.
Recovering the Password for the ASA 5500 AIP SSM
Note To reset the password, you must have ASA 7.2.2 or later.
You can reset the password to the default (cisco) for the ASA 5500 AIP SSM using the CLI or the ASDM. Resetting the password causes it to reboot. IPS services are not available during a reboot. Use the hw-module module slot_number password-reset command to reset the password to the default cisco.
--- ------------------------------ ---------------- -------------------------
  1 IPS                            Up               7.0(7)E4

Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- ------------
  1 Up                 Up

Step 5 Session to the ASA 5500 AIP SSM.
asa# session 1
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL-^X'.
Step 6 Enter the default username (cisco) and password (cisco) at the login prompt.
Step 2 In the IPS Password Reset confirmation dialog box, click OK to reset the password to the default (cisco). A dialog box displays the success or failure of the password reset. If the reset fails, make sure you have the correct ASA and IPS software versions.
Step 3 Click Close to close the dialog box. The sensor reboots.
Connected to module ips. Escape character sequence is 'CTRL-^X'.
Step 5 Enter the default username (cisco) and password (cisco) at the login prompt.
login: cisco
Password: cisco
You are required to change your password immediately (password aged)
Changing password for cisco.
(current) password: cisco
Step 6 Enter your new password twice.
Recovering the Password for the ASA 5585-X IPS SSP
Note To reset the password, you must have ASA 8.2(4.4) or later or ASA 8.4.2 or later. The ASA 5585-X IPS SSP is not supported in ASA 8.3(x).
You can reset the password to the default (cisco) for the ASA 5585-X IPS SSP using the CLI or the ASDM. Resetting the password causes it to reboot. IPS services are not available during a reboot.
Step 6 Enter your new password twice.
New password: new password
Retype new password: new password
***NOTICE***
This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption.
Password recovery is enabled by default. You can disable password recovery through the CLI, IDM, or IME.

Disabling Password Recovery Using the CLI
To disable password recovery in the CLI, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter global configuration mode.
sensor# configure terminal
Step 3 Enter host mode.
sensor(config)# service host
Step 4 Disable password recovery.
Appendix C Troubleshooting Time Sources and the Sensor

Troubleshooting Password Recovery
When you troubleshoot password recovery, pay attention to the following:
• You cannot determine whether password recovery has been disabled in the sensor configuration from the ROMMON prompt, GRUB menu, switch CLI, or router CLI. If you attempt password recovery, it always appears to succeed. If it has been disabled, the password is not reset to cisco. The only option is to reimage the sensor.
The ASA IPS Modules
• The ASA 5500 AIP SSM, ASA 5500-X IPS SSP, and ASA 5585-X IPS SSP automatically synchronize their clocks with the clock in the adaptive security appliance in which they are installed. This is the default.
• Configure them to get their time from an NTP time synchronization source, such as a Cisco router other than the parent router.

For More Information
For the procedure for configuring NTP, see Configuring NTP, page 4-41.
Appendix C Troubleshooting Advantages and Restrictions of Virtualization

   status = Synchronized
Step 4 If the status continues to read Not Synchronized, check with the NTP server administrator to make sure the NTP server is configured correctly.

Correcting Time on the Sensor
If you set the time incorrectly, your stored events will have the incorrect time because they are stamped with the time the event was created. The Event Store time stamp is always based on UTC time.
Appendix C Troubleshooting Supported MIBs

• Persistent store is limited.
Virtualization has the following traffic capture requirements:
• The virtual sensor must receive traffic that has 802.1q headers (other than traffic on the native VLAN of the capture port).
• The sensor must see both directions of traffic in the same VLAN group in the same virtual sensor for any given sensor.
Appendix C Troubleshooting Troubleshooting RADIUS Authentication

Troubleshooting RADIUS Authentication
Symptom Attempt limit configured on the IPS sensor may not be enforced for a RADIUS user.
Conditions Applicable for RADIUS users only. The RADIUS user must have logged in to the sensor at least once after RADIUS authentication is enabled or after the sensor is reset or rebooted.
Appendix C Troubleshooting Analysis Engine Not Responding

sensor(config-ana)#
Step 3 Enter the virtual sensor name that contains the anomaly detection policy you want to disable.
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)#
Step 4 Disable anomaly detection operational mode.
sensor(config-ana-vir)# anomaly-detection
sensor(config-ana-vir-ano)# operational-mode inactive
sensor(config-ana-vir-ano)#
Step 5 Exit analysis engine submode.
Appendix C Troubleshooting Troubleshooting External Product Interfaces

----
MainApp          N-2007_JUN_19_16_45   (Release)   2007-06-19T17:10:20-0500   Running
AnalysisEngine   N-2007_JUN_19_16_45   (Release)   2007-06-19T17:10:20-0500   Not Running
CLI              N-2007_JUN_19_16_45   (Release)   2007-06-19T17:10:20-0500
Step 3 Enter show tech-support and save the output.
Step 4 Reboot the sensor.
Step 5 Enter show version after the sensor has stabilized to see if the issue is resolved.
Appendix C Troubleshooting Troubleshooting the Appliance

• You can configure a maximum of two external product devices.

For More Information
• For more information on working with OS maps and identifications, see Adding, Editing, Deleting, and Moving Configured OS Maps, page 7-28 and Displaying and Clearing OS Identifications, page 7-32.
• For the procedure for adding trusted hosts, see Adding TLS Trusted Hosts, page 4-51.
Tip Before troubleshooting the appliance, check the Caveats section of the Readme for the software version you have installed on your sensor to see if you are dealing with a known issue.

The Appliance and Jumbo Packet Frame Size
For IPS standalone appliances with 1 G and 10 G fixed or add-on interfaces, the maximum jumbo frame size is 9216 bytes.
sensor(config-sig-sig-sta)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes?[yes]:
Error: editConfigDeltaSignatureDefinition : Analysis Engine is busy rebuilding regex tables. This may take a while.
The configuration changes failed validation, no changes were applied.
Would you like to return to edit mode to correct the errors? [yes]: no
No changes were made to the configuration.
Interface Statistics
   Total Packets Received = 0
   Total Bytes Received = 0
   Missed Packet Percentage = 0
   Current Bypass Mode = Auto_off
MAC statistics from interface GigabitEthernet0/1
   Media Type = backplane
   Missed Packet Percentage = 0
   Inline Mode = Unpaired
   Pair Status = N/A
   Link Status = Up
   Link Speed = Auto_1000
   Link Duplex = Auto_Full
   Total Packets Received = 0
   Total Bytes Received = 0
   Total Multicast Packets Received = 0
   Total Broadcast Packets R
access-list 0.0.0.0/0
ftp-timeout 300
no login-banner-text
exit
--MORE--
Step 4 Make sure the management port is connected to an active network connection. If the management port is not connected to an active network connection, the management interface does not come up.
Step 5 Make sure the IP address of the workstation that is trying to connect to the sensor is permitted in the sensor access list.
Correcting a Misconfigured Access List
To correct a misconfigured access list, follow these steps:
Step 1 Log in to the CLI.
Step 2 View your configuration to see the access list.
sensor# show configuration | include access-list
access-list 10.0.0.0/8
access-list 64.0.0.0/8
sensor#
Step 3 Verify that the client IP address is listed in the allowed networks. If it is not, add it.
   Total Bytes Received = 0
   Missed Packet Percentage = 0
   Current Bypass Mode = Auto_off
MAC statistics from interface GigabitEthernet0/1
   Media Type = backplane
   Missed Packet Percentage = 0
   Inline Mode = Unpaired
   Pair Status = N/A
   Link Status = Up
   Link Speed = Auto_1000
   Link Duplex = Auto_Full
   Total Packets Received = 0
   Total Bytes Received = 0
   Total Multicast Packets Received = 0
   Total Broadcast Packets Received = 0
   Total Jumbo Packets Received = 0
   To
The SensorApp and Alerting
This section helps you troubleshoot issues with the SensorApp and alerting.
Recovery Partition Version 1.1 - 7.1(3)E4
Host Certificate Valid from: 16-Nov-2011 to 16-Nov-2013
sensor#
Step 3 If the Analysis Engine is not running, look for any errors connected to it.
   Inline Mode = Unpaired
   Pair Status = N/A
   Link Status = Up
   Link Speed = Auto_1000
   Link Duplex = Auto_Full
   Total Packets Received = 0
   Total Bytes Received = 0
   Total Multicast Packets Received = 0
   Total Broadcast Packets Received = 0
   Total Jumbo Packets Received = 0
   Total Undersize Packets Received = 0
   Total Receive Errors = 0
   Total Receive FIFO Overruns = 0
   Total Packets Transmitted = 0
   Total Bytes Transmitted = 0
   Total Multicast Packets Transmitted =
Unable to See Alerts
If you are not seeing alerts, try the following:
• Make sure the signature is enabled
• Make sure the signature is not retired
• Make sure that you have Produce Alert configured as an action
Note If you choose Produce Alert, but come back later and add another event action and do not add Produce Alert to the new configuration, alerts are not sent to the Event Store.
   Inline Mode = Unpaired
   Pair Status = N/A
   Link Status = Up
   Link Speed = Auto_100
   Link Duplex = Auto_Full
   Total Packets Received = 267581
   Total Bytes Received = 24886471
   Total Multicast Packets Received = 0
   Total Broadcast Packets Received = 0
   Total Jumbo Packets Received = 0
   Total Undersize Packets Received = 0
   Total Receive Errors = 0
   Total Receive FIFO Overruns = 0
   Total Packets Transmitted = 57301
   Total Bytes Transmitted = 3441000
   Total Multicast
   Total Broadcast Packets Received = 0
   Total Jumbo Packets Received = 0
   Total Undersize Packets Received = 0
   Total Receive Errors = 0
   Total Receive FIFO Overruns = 0
   Total Packets Transmitted = 0
   Total Bytes Transmitted = 0
   Total Multicast Packets Transmitted = 0
   Total Broadcast Packets Transmitted = 0
   Total Jumbo Packets Transmitted = 0
   Total Undersize Packets Transmitted = 0
   Total Transmit Errors = 0
   Total Transmit FIFO Overruns =
sensor#
Step 3
   Total Broadcast Packets Transmitted = 0
   Total Jumbo Packets Transmitted = 0
   Total Undersize Packets Transmitted = 0
   Total Transmit Errors = 0
   Total Transmit FIFO Overruns = 0
...

For More Information
For the procedure for installing the sensor properly, refer to your sensor chapter in Cisco Intrusion Prevention System Appliances and Modules Installation Guide for IPS 7.1.
Blocking
This section provides troubleshooting help for blocking and the ARC service. It contains the following topics.
Verifying the ARC is Running
To verify that the ARC is running, use the show version command. If the MainApp is not running, the ARC cannot run. The ARC is part of the MainApp.
To verify that the ARC is running, follow these steps:
Step 1 Log in to the CLI.
Step 2 Verify that the MainApp is running.
sensor# show version
Application Partition:
Cisco Intrusion Prevention System, Version 7.1(3)E4
Host:
   Realm Keys key1.
Verifying ARC Connections are Active
If the State is not Active in the ARC statistics, there is a problem.
To verify that the State is Active in the statistics, follow these steps:
Step 1 Log in to the CLI.
Step 2 Verify that the ARC is connecting. Check the State section of the output to verify that all devices are connecting.
boot is using 57.3M out of 70.5M bytes of available disk space (86% usage)
application-log is using 494.0M out of 513.
Note SSH devices must support SSH 1.5. The sensor does not support SSH 2.0.
To troubleshoot device access issues, follow these steps:
Step 1 Log in to the CLI.
Step 2 Verify the IP address for the managed devices.
   post-acl-name:
   -----------------------------------------------
-----------------------------------------------
   firewall-devices (min: 0, max: 250, current: 0)
   -----------------------------------------------
-----------------------------------------------
sensor(config-net)#
Step 3
Step 4 Manually connect to the device to make sure you have used the cor
Step 5 Telnet to the router and verify that a deny entry for the blocked address exists in the router ACL. Refer to the router documentation for the procedure.
Step 6 Remove the manual block by repeating Steps 1 through 4 except in Step 2 place no in front of the command.
sensor(config-net-gen)# no block-hosts 10.16.0.
edit-default-sigs-only
-----------------------------------------------
default-signatures-only
-----------------------------------------------
specify-service-ports
-----------------------------------------------
no
-----------------------------------------------
-----------------------------------------------
specify-tcp-max-mss
-----------------------------------------------
no
------------------------------------
Step 3 If the master blocking sensor does not show up in the statistics, you need to add it.
Step 4 Initiate a manual block to a bogus host IP address to make sure the master blocking sensor is initiating blocks.
sensor# configure terminal
sensor(config)# service network-access
sensor(config-net)# general
sensor(config-net-gen)# block-hosts 10.16.0.0
Step 5 Exit network access general submode.
Logging
TAC may suggest that you turn on debug logging for troubleshooting purposes. Logger controls which log messages each application generates by controlling the logging severity for different logging zones. By default, debug logging is not turned on. If you enable individual zone control, each zone uses the logging level it is configured for. Otherwise, the same logging level is used for all zones.
enable-debug: true default: false
individual-zone-control: true default: false
sensor(config-log-mas)#
Step 10 Exit master zone control.
sensor(config-log-mas)# exit
Step 11 View the zone names.
Step 12 Change the severity level (debug, timing, warning, or error) for a particular zone.
zone-control (min: 0, max: 999999999, current: 14)
zone-name: AuthenticationApp
severity: warning
zone-name: Cid
severity: debug
zone-name: Cli
severity: warning
zone-name: IdapiCtlTrans
severity: warning
zone-name: IdsEve
Zone Names
Table C-2 lists the debug logger zone names:
Table C-2 Debug Logger Zone Names
Zone Name          Description
AD                 Anomaly Detection zone
AuthenticationApp  Authentication zone
Cid                General logging zone
Cli                CLI zone
IdapiCtlTrans      All control transactions zone
IdsEventStore      Event Store zone
MpInstaller        IDSM-2 master partition installer zone
cmgr               Card Manager service zone (1)
cplane             Control Plane zone (2)
csi                CIDS Servlet Interface (3)
ct
b. Set [drain/main] type=syslog
The following example shows the logging configuration file:
timemode=local
;timemode=utc
[logApp]
;enabled=true
;-------- FIFO parameters -------
fifoName=logAppFifo
fifoSizeInK=240
;-------- logApp zone and drain parameters -------
zoneAndDrainName=logApp
fileName=main.
If the event action is not set to reset, the TCP reset does not occur for a specific signature.
Note TCP Resets are not supported over MPLS links or the following tunnels: GRE, IPv4 in IPv4, IPv6 in IPv4, or IPv4 in IPv6.
To troubleshoot a reset not occurring for a specific signature, follow these steps:
Step 1 Log in to the CLI.
Step 2 Make sure the event action is set to TCP reset.
port: 32771
victim:
addr: locality=OUT 172.16.171.13
port: 23
actions:
tcpResetSent: true
Step 6 Make sure the switch is allowing incoming TCP reset packets from the sensor. Refer to your switch documentation for more information.
Step 7 Make sure the resets are being sent.
root# ./tcpdump -i eth0 src host 172.16.171.19
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: listening on eth0
13:58:03.823929 172.16.171.19.32770 > 172.16.171.
For More Information
• For more information on running the setup command, see Chapter 3, “Initializing the Sensor.”
• For more information on reimaging your sensor, see Chapter 22, “Upgrading, Downgrading, and Installing System Images.”
Which Updates to Apply and Their Prerequisites
You must have the correct service pack and minor and major version of the software.
to download the chosen package from a Cisco file server. The IP address of the Cisco file server may change, but you can find it in the lastDownloadAttempt section of the output of the show statistics host command. Try the manual upgrade command before attempting the automatic update. If it works with the upgrade command and does not work with the automatic update, try the following:
• Determine which IPS software version your sensor has.
Step 8 Upgrade the sensor.
sensor(config)# upgrade scp://service@sensor_ip_address/upgrade/ips_package_file_name
Enter password: *****
Re-enter password: *****
For More Information
For the procedure for obtaining Cisco IPS software, see Obtaining Cisco IPS Software, page 21-1.
Troubleshooting the IDM
This section contains troubleshooting procedures for the IDM.
d. Click the Cache tab.
e. Click Clear.
Step 3 If you have Java Plug-in 1.4.x installed:
a. Click Start > Settings > Control Panel > Java Plug-in 1.4.x.
b. Click the Advanced tab.
c. Under Java Runtime Environment, select JRE 1.3.x from the drop-down menu.
d. Click the Cache tab.
e. Click the Browser tab.
f. Deselect all browser check boxes.
g. Click Clear Cache.
Step 4 Delete the temp files and clear the history in the browser.
Appendix C Troubleshooting Troubleshooting the IME
telnet-option enabled
access-list 0.0.0.0/0
ftp-timeout 300
no login-banner-text
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
service web-server
port 443
exit
Step 2 If network devices, such as routers, switches, or firewalls, are between the sensor and the workstation, make sure these devices are configured to allow the workstation to access the sensor web server port.
• Installation Error, page C-60
Time Synchronization on the IME and the Sensor
Symptom The IME displays No Data Available on the Events dashboard. A historical query does not return any events; however, events are coming in to the IME and they appear in the real-time event viewer.
Possible Cause The time is not synchronized between the sensor and the IME local server. The IME dashboards use a time relative to the IME local time.
Troubleshooting the ASA 5500 AIP SSM
Tip Before troubleshooting the ASA 5500 AIP SSM, check the Caveats section of the Readme for the software version you have installed on your sensor to see if you are dealing with a known issue.
Mod  Status
---  -----------------
0    Up Sys
1    Shutting Down
****************************************************
asa(config)# show module
Mod  Card Type
---  -------------------------------------------
0    ASA 5520 Adaptive Security Appliance
1    ASA 5500 Series Security Services Module-10

Mod  MAC Address Range
---  ---------------------------------
0    000b.fcf8.7bdc to 000b.fcf8.7be0
1    000b.fcf8.0176 to 000b.fcf8.
Platform ASA-SSM-10
GigabitEthernet0/0
Link is UP
MAC Address: 000b.fcf8.0176
ROMMON Variable Settings:
ADDRESS=10.89.150.227
SERVER=10.89.146.1
GATEWAY=10.89.149.254
PORT=GigabitEthernet0/0
VLAN=untagged
IMAGE=IPS-SSM-K9-sys-1.1-a-5.1-0.1.
• If the ASAs are configured in fail-close mode, and if the ASA 5500 AIP SSM on the active ASA experiences a SensorApp crash or a service pack upgrade, failover is triggered and traffic passes through the module that was previously the standby for the ASA 5500 AIP SSM.
• 1311.0
• 1315.0
• 1316.0
• 1317.0
• 1330.0
• 1330.1
• 1330.2
• 1330.9
• 1330.10
• 1330.12
• 1330.14
• 1330.15
• 1330.16
• 1330.17
• 1330.18
The ASA 5500 AIP SSM and Jumbo Packet Frame Size
Refer to the following URL for information about the ASA 5500 AIP SSM jumbo packet frame size: http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.
Appendix C Troubleshooting Troubleshooting the ASA 5500-X IPS SSP
• When TCP-based signatures and reset-tcp-connection (Reset TCP Connection) have NOT been selected
In the case of the ASA IPS module, the TCP reset request is sent to the ASA, and the ASA then sends the TCP reset packets. The ASA sends TCP reset packets to both the attacker and the victim when reset-tcp-connection (Reset TCP Connection) is selected.
• The ASA 5500-X IPS SSP and the Normalizer Engine, page C-75
• The ASA 5500-X IPS SSP and Memory Usage, page C-76
• The ASA 5500-X IPS SSP and Jumbo Packet Frame Size, page C-77
• The ASA 5500-X IPS SSP and Jumbo Packets, page C-77
• TCP Reset Differences Between IPS Appliances and ASA IPS Modules, page C-77
• IPS Reloading Messages, page C-78
• IPS Not Loading, page C-78
Health and Status Information
To see the general healt
asa-ips#
Mod-ips 228> ***
Mod-ips 229> *** EVENT: The module is reloading.
Mod-ips 230> *** TIME: 08:07:36 CST Jan 17 2012
Mod-ips 231> ***
Mod-ips 232>
Mod-ips 233> The system is going down NOW!
Mod-ips 234> Sending SIGTERM to all processes
Mod-ips 235> Sending SIGKILL to all processes
Mod-ips 236> Requesting system reboot
Mod-ips 237> e1000 0000:00:07.0: PCI INT A disabled
Mod-ips 238> e1000 0000:00:06.
Mod-ips 347> Mount-cache hash table entries: 256
Mod-ips 348> CPU: L1 I cache: 32K, L1 D cache: 32K
Mod-ips 349> CPU: L2 cache: 4096K
Mod-ips 350> CPU 0/0x0 -> Node 0
Mod-ips 351> Freeing SMP alternatives: 29k freed
Mod-ips 352> ACPI: Core revision 20081204
Mod-ips 353> Setting APIC routing to flat
Mod-ips 354> ..TIMER: vector=0x30 apic1=0 pin1=0 apic2=-1 pin2=-1
Mod-ips 355> CPU0: Intel QEMU Virtual CPU version 0.12.
Mod-ips 531> ISA IDE ports
Mod-ips 532> ide-gd driver 1.18
Mod-ips 533> hda: max request size: 512KiB
Mod-ips 534> hda: 7815168 sectors (4001 MB) w/256KiB Cache, CHS=7753/255/63
Mod-ips 535> hda: cache flushes supported
Mod-ips 536> hda: hda1 hda2 hda3 hda4
Mod-ips 537> Driver 'sd' needs updating - please use bus_type methods
Mod-ips 538> Driver 'sr' needs updating - please use bus_type methods
Mod-ips 539> ehci_hcd: USB 2.
Single ASA in Fail-Close Mode
• If the ASA is configured in fail-close mode for the ASA 5500-X IPS SSP, and the ASA 5500-X IPS SSP experiences a configuration change or a signature/signature engine update, traffic is stopped from passing through the ASA.
The following Normalizer engine signatures are not supported:
• 1300.0
• 1304.0
• 1305.0
• 1307.0
• 1308.0
• 1309.0
• 1311.0
• 1315.0
• 1316.0
• 1317.0
• 1330.0
• 1330.1
• 1330.2
• 1330.9
• 1330.10
• 1330.12
• 1330.14
• 1330.15
• 1330.16
• 1330.17
• 1330.18
The ASA 5500-X IPS SSP and Memory Usage
For the ASA 5500-X IPS SSP, the memory usage is 93%.
Table C-3 ASA 5500-X IPS SSP Memory Usage Values
Platform            Yellow  Red  Memory Used
ASA 5545-X IPS SSP  93%     96%  13%
ASA 5555-X IPS SSP  95%     98%  17%
The ASA 5500-X IPS SSP and Jumbo Packet Frame Size
Refer to the following URL for information about the ASA 5500-X IPS SSP jumbo packet frame size: http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.
Appendix C Troubleshooting Troubleshooting the ASA 5585-X IPS SSP
IPS Reloading Messages
Symptom ASA syslog messages similar to the following are observed and the root cause of the message is not clear:
%ASA-1-505013: ASA-SSM-10 Module in slot 1, application reloading "IPS", version "7.1(6)E4" Config Change
%ASA-1-505013: ASA5585-SSP-IPS10 Module in slot 1, application reloading "IPS", version "7.
• The ASA 5585-X IPS SSP and the Normalizer Engine, page C-83
• The ASA 5585-X IPS SSP and Jumbo Packet Frame Size, page C-84
• The ASA 5585-X IPS SSP and Jumbo Packets, page C-84
• TCP Reset Differences Between IPS Appliances and ASA IPS Modules, page C-84
• IPS Reloading Messages, page C-85
Health and Status Information
To see the general health of the ASA 5585-X IPS SSP, use the show module 1 details command.
Getting details from the Service Module, please wait...
Unable to read details from slot 1
ASA 5585-X IPS Security Services Processor-20 with 8GE
Model:              ASA5585-SSP-IPS20
Hardware version:   1.0
Serial Number:      ABC1234DEFG
Firmware version:   2.0(7)0
Software version:   7.1(1)E4
MAC Address Range:  5475.d029.7f9c to 5475.d029.7fa7
App. name:          IPS
App. Status:        Not Applicable
App. Status Desc:   Not Applicable
App. version:       7.
App. version:       7.1(1)E4
Data plane Status:  Up
Status:             Up
Mgmt IP addr:       192.0.2.3
Mgmt Network mask:  255.255.255.0
Mgmt Gateway:       192.0.2.254
Mgmt Access List:   0.0.0.0/0
Mgmt web ports:     443
Mgmt TLS enabled:   true
asa#
If you have problems with reimaging the ASA 5585-X IPS SSP, use the debug module-boot command to see the output as it boots.
Slot-1 173> LINKTIMEOUT=20
Slot-1 174> PKTTIMEOUT=4
Slot-1 175> RETRY=20
Slot-1 176> tftp IPS-SSP_10-K9-sys-1.1-a-7.1-0.1.img@192.0.2.15 via 192.0.2.254
Failover Scenarios
The following failover scenarios apply to the ASA 5585-X in the event of configuration changes, signature/signature engine updates, service packs, and SensorApp crashes on the ASA 5585-X IPS SSP.
failover interface ip folink 172.27.48.1 255.255.255.0 standby 172.27.48.2
Use the following configuration for the secondary ASA:
interface GigabitEthernet0/7
description LAN Failover Interface
failover
failover lan unit secondary
failover lan interface folink GigabitEthernet0/7
failover interface ip folink 172.27.48.1 255.255.255.0 standby 172.27.48.
• 1330.9
• 1330.10
• 1330.12
• 1330.14
• 1330.15
• 1330.16
• 1330.17
• 1330.18
The ASA 5585-X IPS SSP and Jumbo Packet Frame Size
Refer to the following URL for information about the ASA 5585-X IPS SSP jumbo packet frame size: http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.
Appendix C Troubleshooting Gathering Information
For More Information
For a detailed description of all the event actions, see Event Actions, page 7-5.
IPS Reloading Messages
Symptom ASA syslog messages similar to the following are observed and the root cause of the message is not clear:
%ASA-1-505013: ASA-SSM-10 Module in slot 1, application reloading "IPS", version "7.1(6)E4" Config Change
%ASA-1-505013: ASA5585-SSP-IPS10 Module in slot 1, application reloading "IPS", version "7.
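The %ASA-1-505013 messages shown for both the ASA 5500-X and the ASA 5585-X IPS SSP are easier to triage when they are grouped per module, because every configuration change reloads the IPS application and, in fail-close mode, stops traffic while it reloads. The following Python is an added example, not code from the Cisco guide: it parses the message format shown above and flags a module that keeps reloading. The syslog timestamp prefix, the unrelated log line and the PLACEHOLDER-REASON text are constructed assumptions; only the "Config Change" reason text comes from the guide.

```python
"""Group and flag ASA "application reloading" messages (%ASA-1-505013).

Added example for the IPS Reloading Messages symptom; it is not part of the
Cisco guide. Sample log lines below are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Message body as printed in the guide:
#   %ASA-1-505013: <card> Module in slot <n>, application reloading "<app>",
#   version "<ver>" <reason>
# The leading "Mon DD YYYY HH:MM:SS: " timestamp is an assumed collector
# prefix (ASA 'logging timestamp' style); drop that group if yours differs.
RELOAD_RE = re.compile(
    r'(?:(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): )?'
    r'%ASA-1-505013: (?P<card>\S+) Module in slot (?P<slot>\d+), '
    r'application reloading "(?P<app>[^"]+)", version "(?P<ver>[^"]+)"'
    r'(?: (?P<reason>.+?))?\s*$'
)


def parse_reload(line):
    """Return the fields of one %ASA-1-505013 message, or None for other lines."""
    m = RELOAD_RE.search(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["slot"] = int(rec["slot"])
    rec["reason"] = rec["reason"] or "unspecified"
    rec["ts"] = (datetime.strptime(rec["ts"], "%b %d %Y %H:%M:%S")
                 if rec["ts"] else None)
    return rec


def summarize_reloads(lines, window=timedelta(minutes=30), max_reloads=2):
    """Count IPS reloads per (card, slot) and per reason, and mark a module as
    flapping when more than max_reloads reloads fall inside any window."""
    by_module = defaultdict(list)
    for line in lines:
        rec = parse_reload(line)
        if rec and rec["app"] == "IPS":
            by_module[(rec["card"], rec["slot"])].append(rec)

    summary = {}
    for key, recs in by_module.items():
        reasons = defaultdict(int)
        for r in recs:
            reasons[r["reason"]] += 1
        times = sorted(r["ts"] for r in recs if r["ts"] is not None)
        flapping = False
        for i, t0 in enumerate(times):
            # reloads that start within `window` of this one (sliding window)
            if sum(1 for t in times[i:] if t - t0 <= window) > max_reloads:
                flapping = True
                break
        summary[key] = {"count": len(recs), "reasons": dict(reasons),
                        "flapping": flapping}
    return summary


# Constructed sample: three reloads of the ASA-SSM-10 in 14 minutes (flapping),
# one unrelated line, and a single reload of an ASA5585-SSP-IPS10.
SAMPLE_LOG = """\
Jan 17 2012 08:07:36: %ASA-1-505013: ASA-SSM-10 Module in slot 1, application reloading "IPS", version "7.1(6)E4" Config Change
Jan 17 2012 08:09:02: %ASA-6-999999: constructed unrelated message, not a reload
Jan 17 2012 08:15:40: %ASA-1-505013: ASA-SSM-10 Module in slot 1, application reloading "IPS", version "7.1(6)E4" Config Change
Jan 17 2012 08:21:11: %ASA-1-505013: ASA-SSM-10 Module in slot 1, application reloading "IPS", version "7.1(6)E4" PLACEHOLDER-REASON
Jan 17 2012 09:30:00: %ASA-1-505013: ASA5585-SSP-IPS10 Module in slot 1, application reloading "IPS", version "7.1(6)E4" Config Change
""".splitlines()

if __name__ == "__main__":
    for (card, slot), info in summarize_reloads(SAMPLE_LOG).items():
        flag = "FLAPPING" if info["flapping"] else "ok"
        print(f"{card} slot {slot}: {info['count']} reload(s) {flag} {info['reasons']}")
```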
Health and Network Security Information
Note When the sensor is first starting, it is normal for certain health metric statuses to be red until the sensor is fully up and running.
Caution The ASA 5500-X IPS SSP and the ASA 5585-X IPS SSP do not support bypass mode.
Understanding the show tech-support Command
The show tech-support command captures all status and configuration information on the sensor and includes the current configuration, version information, and cidDump information. The output can be large, over 1 MB. You can transfer the output to a remote system. For the procedure for copying the output to a remote system, see Displaying Tech Support Information, page C-87.
Displaying Tech Support Information
To display tech support information, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 View the output on the screen.
sensor# show tech-support page
The system information appears on the screen, one page at a time. Press the spacebar to view the next page or press Ctrl-C to return to the prompt.
Step 3 To send the output (in HTML format) to a file:
a.
MainApp           S-2011_NOV_16_00_20_7_1_3_46 (Release)  2011-11-16T00:23:06-0600  Running
AnalysisEngine    S-2011_NOV_16_00_20_7_1_3_46 (Release)  2011-11-16T00:23:06-0600  Running
CollaborationApp  S-2011_NOV_16_00_20_7_1_3_46 (Release)  2011-11-16T00:23:06-0600  Running
CLI               S-2011_NOV_16_00_20_7_1_3_46 (Release)  2011-11-16T00:23:06-0600
Upgrade History:
IPS-K9-7.1-3-E4 00:30:07 UTC Wed Nov 16 2011
Recovery Partition Version 1.1 - 7.
Total Bytes Transmitted = 548558080
Total Multicast Packets Transmitted = 0
Total Broadcast Packets Transmitted = 0
Total Jumbo Packets Transmitted = 0
Total Undersize Packets Transmitted = 0
Total Transmit Errors = 0
Total Transmit FIFO Overruns = 0
MAC statistics from interface Management0/1
Interface function = Reserved for future use
Output from show statistics authentication
General
totalAuthenticationAttempts = 237
failedAuthenticationAttempts = 14
O
Version Information
The show version command is useful for obtaining sensor information. This section describes the show version command, and contains the following topics:
• Understanding the show version Command, page C-91
• Displaying Version Information, page C-91
Understanding the show version Command
The show version command shows the basic sensor information and can indicate where a failure is occurring.
OS Version: 2.6.29.1
Platform: ASA5585-SSP-IPS10
Serial Number: 123456789AB
No license present
Sensor up-time is 13 days.
Using 4395M out of 5839M bytes of available memory (75% usage)
system is using 26.2M out of 160.0M bytes of available disk space (16% usage)
application-data is using 69.7M out of 171.6M bytes of available disk space (43% usage)
boot is using 57.3M out of 70.5M bytes of available disk space (86% usage)
application-log is using 494.
network-settings
host-ip 192.168.1.2/24, 192.168.1.1
host-name sensor
telnet-option enabled
access-list 0.0.0.
Understanding the show statistics Command
The show statistics command provides a snapshot of the state of the sensor services.
Note The Ethernet controller statistics are polled at an interval of 5 seconds from the hardware side. The keepalives are sent or updated at an interval of 10 ms. Because of this, there may be a disparity in the actual count reflected in the total packets transmitted. At times, it is even possible that the total packets transmitted may be less than the keepalive packets transmitted.
ServiceDnsUdp ServiceGeneric ServiceHttp ServiceNtp ServiceP2PTCP ServiceRpcUDP ServiceRpcTCP ServiceSMBAdvanced ServiceSnmp ServiceTNS String SweepUDP SweepTCP SweepOtherTcp TrojanBO2K TrojanUdp
[per-engine counter columns not recoverable from the extracted table]
GlobalCorrelationStats
SwVersion =
SimulatedLateStageDenyDueToOther = 0
AlertHistogram
RiskHistogramEarlyStage
RiskHistogramLateStage
ConfigAggressiveMode = 0
ConfigAuditMode = 0
RegexAccelerationStats
Status = Enabled
DriverVersion = 6.2.
Illegal Zone
TCP Protocol
UDP Protocol
Other Protocol
sensor#
Step 4 Display the statistics for authentication.
sensor# show statistics authentication
General
totalAuthenticationAttempts = 128
failedAuthenticationAttempts = 0
sensor#
Step 5 Display the statistics for the denied attackers in the system.
sensor# show statistics denied-attackers
Denied Attackers and hit count for each.
Denied Attackers and hit count for each.
Cumulative number of each type
Status events = 4257
Shun request events = 0
Error events, warning = 669
Error events, error = 8
Error events, fatal = 0
Alert events, informational
Alert events, low = 0
Alert events, medium = 0
Alert events, high = 0
Alert events, threat rating
Alert events, threat rating
Alert events, threat rating
Alert events, t
Memory Usage
usedBytes = 1889357824
freeBytes = 2210988032
totalBytes = 4100345856
CPU Statistics
Note: CPU Usage statistics are not a good indication of the sensor processin load. The Inspection Load Percentage in the output of 'show inspection-load' should be used instead.
NetDevice
Type = PIX
IP = 192.0.2.5
NATAddr = 0.0.0.0
Communications = telnet
NetDevice
Type = Cisco
IP = 192.0.2.6
NATAddr = 0.0.0.0
Communications = telnet
BlockInterface
InterfaceName = ethernet0/1
InterfaceDirection = out
InterfacePostBlock = Post_Acl_Test
BlockInterface
InterfaceName = ethernet0/1
InterfaceDirection = in
InterfacePreBlock = Pre_Acl_Test
InterfacePostBlock = Post_Acl_Test
NetDevice
Type = CAT6000_VACL
IP = 192.0.2.1
NATAddr = 0.0.0.
ActualIp =
BlockMinutes =
Host
IP = 203.0.113.2
Vlan =
ActualIp =
BlockMinutes =
Host
IP = 203.0.113.4
Vlan =
ActualIp =
BlockMinutes = 60
MinutesRemaining = 24
Network
IP = 203.0.113.9
Mask = 255.255.0.0
BlockMinutes =
sensor#
Step 12 Display the statistics for the notification application.
Statistics for Virtual Sensor vs0
Name of current Signature-Defintion instance = sig0
Name of current Event-Action-Rules instance = rules0
List of interfaces monitored by this virtual sensor =
General Statistics for this Virtual Sensor
Number of seconds since a reset of the statistics = 1151770
MemoryAlloPercent = 23
MemoryUsedPercent = 22
MemoryMaxCapacity = 3500000
MemoryMaxHighUsed = 4193330
MemoryCurrentAllo = 805452
MemoryCurrentUsed = 789047
Processin
Total nodes inserted = 0
TCP nodes keyed on both IP addresses and both ports = 0
UDP nodes keyed on both IP addresses and both ports = 0
IP nodes keyed on both IP addresses = 0
The rate of nodes per second for each time since reset
Nodes per second = 0
TCP nodes keyed on both IP addresses and both ports per second = 0
UDP nodes keyed on both IP addresses and both ports per second = 0
IP nodes keyed on both IP addresses per second = 0
The number of root nod
Number of FireOnce First Alerts = 0
Number of FireOnce Intermediate Alerts = 0
Number of Summary First Alerts = 0
Number of Summary Intermediate Alerts = 0
Number of Regular Summary Final Alerts = 0
Number of Global Summary Final Alerts = 0
Number of Active SigEventDataNodes = 0
Number of Alerts Output for further processing = 0
--MORE--
Step 17 Display the statistics for the web server.
The number of syslog messages received = 0
The number of events written to the event store by severity
Fatal Severity = 0
Error Severity = 0
Warning Severity = 0
TOTAL = 0
The number of log messages written to the message log by severity
Fatal Severity = 0
Error Severity = 0
Warning Severity = 0
Timing Severity = 0
Debug Severity = 0
Unknown Severity = 0
TOTAL = 0
sensor#
Interfaces Information
The show interfaces command is useful for gathering
Link Speed = Auto_1000
Link Duplex = Auto_Full
Total Packets Received = 0
Total Bytes Received = 0
Total Multicast Packets Received = 0
Total Broadcast Packets Received = 0
Total Jumbo Packets Received = 0
Total Undersize Packets Received = 0
Total Receive Errors = 0
Total Receive FIFO Overruns = 0
Total Packets Transmitted = 0
Total Bytes Transmitted = 0
Total Multicast Packets Transmitted = 0
Total Broadcast Packets Transmitted = 0
Total Jumbo Packets Tra
Understanding the show events Command
Note The Event Store has a fixed size of 30 MB for all platforms.
The show events command is useful for troubleshooting event capture issues in which you are not seeing events in Event Viewer or Security Monitor. You can use the show events command to determine which events are being generated on the sensor, to make sure events are being generated and that the fault lies with the monitoring side.
• error—Displays error events. Error events are generated by services when error conditions are encountered. If no level is selected (warning, error, or fatal), all error events are displayed.
• NAC—Displays the ARC (block) requests.
Note The ARC is formerly known as NAC. This name change has not been completely implemented throughout the IDM, the IME, and the CLI for Cisco IPS 7.1.
• status—Displays status events.
evAlertRef: hostId=esendHost 123456789012345678
sensor#
Step 4 Display errors with the warning level starting at 10:00 a.m. on February 9, 2011.
appName: login(pam_unix)
appInstanceId: 2315
time: 2011/01/08 02:41:00 2011/01/08 02:41:00 UTC
syslogMessage:
description: session opened for user cisco by cisco(uid=0)
Clearing Events
Use the clear events command to clear the Event Store. To clear events from the Event Store, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Clear the Event Store.
Uploading and Accessing Files on the Cisco FTP Site
You can upload large files, for example, cidDump.html, the show tech-support command output, and cores, to the ftp-sj server. To upload and access files on the Cisco FTP site, follow these steps:
Step 1 Log in to ftp-sj.cisco.com as anonymous.
Step 2 Change to the /incoming directory.
Step 3 Use the put command to upload the files. Make sure to use the binary transfer type.
Appendix D CLI Error Messages
This appendix lists the CLI error messages and CLI validation error messages. It contains the following sections:
• CLI Error Messages, page D-1
• CLI Validation Error Messages, page D-5
CLI Error Messages
Table D-1 describes CLI error messages.
Table D-1 CLI Error Messages (continued)
Error Message | Reason | Command
The filename is not a valid upgrade file type. | Attempt to install the wrong file for your platform and version. | upgrade
idsPackageMgr: digital signature of the update was not valid | The signature update or service pack upgrade is corrupt. Contact TAC. |
Cannot create a new event-action-rules configuration. | “rules0” is currently the only configuration allowed. |
Table D-1 CLI Error Messages (continued)
Error Message | Reason | Command
Packet-file does not exist. | The user attempted to copy or erase the packet-file but no packet-file has been captured. | copy, erase
No downgrade available. | The user attempted to downgrade a system that has not been upgraded. | downgrade
No packet-file available. | The user attempted to display the file-info or the packet-file but no packet-file exists. |
Table D-1 CLI Error Messages (continued)
Error Message | Reason | Command
Virtual sensor name does not exist. | The user attempted to start or stop an iplog on a non-existent virtual sensor. | iplog
You do not have permission to terminate the requested CLI session. | An operator or viewer user attempted to terminate a CLI session belonging to another user. | clear line
CLI Validation Error Messages
Table D-2 describes the validation error messages.
Table D-2 Validation Error Messages
Error Message | Reason/Location
Interface ‘name’ has not been subdivided. | The physical interface or inline interface ‘name’ subinterface type is none (service interface submode).
Interface ‘name’ subinterface ‘num’ does not exist. |
Table D-2 Validation Error Messages (continued)
Error Message | Reason/Location
Interface already assigned to virtual sensor ‘vsname.’ | The interface and optional sub-interface being added to the virtual sensor entry physical interface set has already been assigned to another virtual sensor entry.
The instance cannot be removed. | Instance assigned to virtual sensor ‘vsname.
Appendix E Open Source License Files Used In Cisco IPS 7.1
Published: November 12, 2010
Revised: September 23, 2011
This document contains the licenses and notices for open source software used in Cisco IPS 7.1(x).
Appendix E Open Source License Files Used In Cisco IPS 7.1 bash 3.2
• KVM inter-VM shared memory module, page E-73
• libpcap 0.9.8, page E-77
• libtecla 1.6.1, page E-78
• Linux-Pam 1.0.1, page E-78
• lm_sensors 3.0.2, page E-79
• module-init-tools 3.2.2 1.0.0.0900084, page E-84
• Ncurses 5.6, page E-88
• net-snmp 5.4.1, page E-89
• NTP 4.2.4p5, page E-93
• openssh 5.1p1, page E-96
• openssl 0.9.8j, page E-102
• pciutils 3.0.1, page E-105
• procps 3.2.
bash 3.2
To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have.
5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License.
NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
busybox 1.13.1
The hypothetical commands ‘show w’ and ‘show c’ should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than ‘show w’ and ‘show c’; they could even be mouse-clicks or menu items--whatever suits your program. You should also get your employer (if you work as a programmer) or your school, if any, to sign a “copyright disclaimer” for the program, if necessary.
For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.
user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole.
6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients’ exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7.
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12.
This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License.
cracklib 2.8.12
Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone’s free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow.
Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.
and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.
SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
curl 7.18.2
Available under license: COPYRIGHT AND PERMISSION NOTICE Copyright (c) 1996 - 2008, Daniel Stenberg,
diffutils 2.8.1
Available under license: GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it.
Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1.
c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it.
8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.
e2fsprogs 1.39
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
The release schedules for this package are flexible, if you give me enough lead time. Theodore Ts’o 15-Mar-2003 GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1.
c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it.
8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.
Expat XML parser 2.0.1
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
expect 5.4.3
Available under license: Written by: Don Libes, NIST, 2/6/90 Design and implementation of this program was paid for by U.S. tax dollars. Therefore it is public domain.
freeradius-server 2.1.8
Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone’s free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow.
Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.
and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.
SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
freeradius-server-src-lib 2.1.8
Available under license: GNU LESSER GENERAL PUBLIC LICENSE Version 2.1, February 1999 Copyright (C) 1991, 1999 Free Software Foundation, Inc. 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. [This is the first released version of the Lesser GPL.
Most GNU software, including some libraries, is covered by the ordinary GNU General Public License. This license, the GNU Lesser General Public License, applies to certain designated libraries, and is quite different from the ordinary General Public License. We use this license for certain libraries in order to permit linking those libraries into non-free programs.
Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it).
This option is useful when you wish to copy part of the code of the Library into a program that is not a library. 4.
c) Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution. d) If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place.
If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances.
glibc 2.9
How to Apply These Terms to Your New Libraries If you develop a new library, and you want it to be of the greatest possible use to the public, we recommend making it free software that everyone can redistribute and change. You can do so by permitting redistribution under these terms (or, alternatively, under the terms of the ordinary General Public License). To apply these terms, attach the following notices to the library.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2.
SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC OR ANY PART THEREOF. In no event will Sun Microsystems, Inc. be liable for any lost revenue or profits or other special, indirect and consequential damages, even if Sun has been advised of the possibility of such damages.
The following license covers the files from Intel’s “Highly Optimized Mathematical Functions for Itanium” collection: Intel License Agreement Copyright (c) 2000, Intel Corporation All rights reserved.
gnupg 1.4.5
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone’s free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow.
Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.
and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.
SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
hotplug 2004_03_29
Available under license: GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it.
Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1.
c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it.
8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.
i2c-tools 3.0.2
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.
b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.
However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License.
NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
ipmiutil 2.3.3
The hypothetical commands ‘show w’ and ‘show c’ should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than ‘show w’ and ‘show c’; they could even be mouse-clicks or menu items--whatever suits your program. You should also get your employer (if you work as a programmer) or your school, if any, to sign a “copyright disclaimer” for the program, if necessary.
iptables 1.4.1
Available under license: GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 675 Mass Ave, Cambridge, MA 02139, USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it.
Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1.
c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it.
8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.
kernel 2.6.29.1
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users.
You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2.
is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.
Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and “any later version”, you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation.
Also add information on how to contact you by electronic and paper mail. If the program is interactive, make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69, Copyright (C) year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type ‘show w’. This is free software, and you are welcome to redistribute it under certain conditions; type ‘show c’ for details.
USER ACKNOWLEDGES AND AGREES THAT USE OF THIS PROGRAM WILL NOT CREATE OR GIVE GROUNDS FOR A LICENSE BY IMPLICATION, ESTOPPEL, OR OTHERWISE IN ANY INTELLECTUAL PROPERTY RIGHTS (PATENT, COPYRIGHT, TRADE SECRET, MASK WORK, OR OTHER PROPRIETARY RIGHT) EMBODIED IN ANY OTHER QLOGIC HARDWARE OR SOFTWARE EITHER SOLELY OR IN COMBINATION WITH THIS PROGRAM.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY, without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See either the GNU General Public License or the BSD-style License below for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc.
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. M. Welsh, 6 July 1996 linux-2.6.29.1/drivers/net/LICENSE.SRC Code in this directory written at the IDA Supercomputing Research Center carries the following copyright and license.
KVM inter-VM shared memory module
Available under license: Nahanni/ivshmem guest-code (C) Cam Macdonell 2009-2011 This code is released under the GNU Public License V2 a copy of which is included below ---------- GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc.
0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License.
It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices.
libpcap 0.9.8
If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program.
libtecla 1.6.1
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. The names of the authors may not be used to endorse or promote products derived from this software without specific prior written permission.
Appendix E Open Source License Files Used In Cisco IPS 7.1 lm_sensors 3.0.2 3. The name of any author may not be used to endorse or promote products derived from this software without their specific prior written permission. ALTERNATIVELY, this product may be distributed under the terms of the GNU Library General Public License (LGPL), in which case the provisions of the GNU LGPL are required INSTEAD OF the above restrictions.
Appendix E Open Source License Files Used In Cisco IPS 7.1 lm_sensors 3.0.2 Also, for each author’s protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors’ reputations.
Appendix E Open Source License Files Used In Cisco IPS 7.1 lm_sensors 3.0.2 separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.
Appendix E Open Source License Files Used In Cisco IPS 7.1 lm_sensors 3.0.2 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License.
module-init-tools 3.2.2 1.0.0.0900084

This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Lesser General Public License instead of this License.

TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License.
If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.

Ncurses 5.6

How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program.
net-snmp 5.4.1

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: • Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

This distribution may include materials developed by third parties. Sun, Sun Microsystems, the Sun logo and Solaris are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries.

Center of Beijing University of Posts and Telecommunications. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: • Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
NTP 4.2.4p5

Available under license: This file is automatically generated from html/copyright.html Copyright Notice Last update: 20:31 UTC Saturday, January 06, 2007 The following copyright notice applies to all files collectively called the Network Time Protocol Version 4 Distribution.
openssh 5.1p1

[However, none of that term is relevant at this point in time. All of these restrictively licensed software components which he talks about have been removed from OpenSSH, i.e.

Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that this copyright notice is retained. THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

Juha Yrjölä Michael Stone Networks Associates Technology, Inc. Solar Designer Todd C. Miller Wayne Schroeder William Jones Darren Tucker Sun Microsystems The SCO Group Daniel Walsh Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1.

Some code is licensed under a 3-term BSD license, to the following copyright holders: Todd C. Miller Theo de Raadt Damien Miller Eric P. Allman The Regents of the University of California Constantin S. Svintsoff Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1.
openssl 0.9.8j

4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org. 5. Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in their names without prior written permission of the OpenSSL Project. 6.

4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: “This product includes software written by Tim Hudson (tjh@cryptsoft.
pciutils 3.0.1

All rights reserved. This package is a DES implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with MIT’s libdes. This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution.

Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation’s software and to any other program whose authors commit to using it.

You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2.

is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and “any later version”, you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation.

Also add information on how to contact you by electronic and paper mail. If the program is interactive, make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69, Copyright (C) year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type ‘show w’. This is free software, and you are welcome to redistribute it under certain conditions; type ‘show c’ for details.
procps 3.2.7

Available under license: GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it.

Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1.

c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it.

This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8.
sysstat 8.1.3

Available under license: GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 675 Mass Ave, Cambridge, MA 02139, USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it.

it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term “modification”.) Each licensee is addressed as “you”. Activities other than copying, distribution and modification are not covered by this License; they are outside its scope.
This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8.
tcpdump 3.9.8 1.0.1.0801182

IN NO EVENT SHALL THE AUTHORS OR DISTRIBUTORS BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THIS SOFTWARE, ITS DOCUMENTATION, OR ANY DERIVATIVES THEREOF, EVEN IF THE AUTHORS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

tipc 1.7.6-bundle

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2.

util-linux 2.12r

Available under license: GNU GENERAL PUBLIC LICENSE Copyright (c) 1989 The Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2.

INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

zlib 1.2.3

Available under license: License attached zlib.h -- interface of the ‘zlib’ general purpose compression library version 1.2.
GLOSSARY Revised: September 1, 2014

Numerals

3DES: Triple Data Encryption Standard. A stronger version of DES, which is the default encryption method for SSH version 1.5. Used when establishing an SSH session with the sensor. It can be used when the sensor is managing a device.

802.x: A set of IEEE standards for the definition of LAN protocols.

A

AAA: authentication, authorization, and accounting. Pronounced “triple a.” The primary and recommended method for access control in Cisco devices.

ASA 5500 AIP SSM: Advanced Inspection and Prevention Security Services Module. The IPS plug-in module in the Cisco ASA 5500 series adaptive security appliance. The ASA 5500 AIP SSM is an IPS services module that monitors and performs real-time analysis of network traffic by looking for anomalies and misuse based on an extensive, embedded signature library.

architecture: The overall structure of a computer or communication system. The architecture influences the capabilities and limitations of the system.

ARP: Address Resolution Protocol. Internet protocol used to map an IP address to a MAC address. Defined in RFC 826.

ASDM: Adaptive Security Device Manager. A web-based application that lets you configure and manage your adaptive security device.

ASN.1: Abstract Syntax Notation 1. Standard for data presentation.

B

backplane: The physical connection between an interface processor or card and the data buses and the power distribution buses inside a chassis.

base version: A software release that must be installed before a follow-up release, such as a service pack or signature update, can be installed. Major and minor updates are base version releases.

benign trigger: A situation in which a signature is fired correctly, but the source of the traffic is nonmalicious.

BIOS: Basic Input/Output System.

C

certificate: Digital representation of user or device attributes, including a public key, that is signed with an authoritative private key.

cidDump: A script that captures a large amount of information including the IPS processes list, log files, OS information, directory listings, package information, and configuration files.

CIDEE: Cisco Intrusion Detection Event Exchange. Specifies the extensions to SDEE that are used by Cisco IPS systems.

cookie: A piece of information sent by a web server to a web browser that the browser is expected to save and send back to the web server whenever the browser makes additional requests of the web server.

CSA MC: Cisco Security Agent Management Center. CSA MC receives host posture information from the CSA agents it manages. It also maintains a watch list of IP addresses that it has determined should be quarantined from the network.

D

DES: Data Encryption Standard. A strong encryption method where the strength lies in a 56-bit key rather than an algorithm.

destination address: Address of a network device that is receiving data.

DIMM: Dual In-line Memory Modules.

DMZ: demilitarized zone. A separate network located in the neutral zone between a private (inside) network and a public (outside) network.

DNS: Domain Name System. An Internet-wide hostname to IP address mapping.

F

fail closed: Blocks traffic on the device after a hardware failure.

fail open: Lets traffic pass through the device after a hardware failure.

false negative: A signature is not fired when offending traffic is detected.

false positive: Normal traffic or a benign action causes a signature to fire.

Fast Ethernet: Any of a number of 100-Mbps Ethernet specifications.

FQDN: Fully Qualified Domain Name. A domain name that specifies its exact location in the tree hierarchy of the DNS. It specifies all domain levels, including the top-level domain, relative to the root domain. A fully qualified domain name is distinguished by this absoluteness in the name space.

FWSM: Firewall Security Module. A module that can be installed in a Catalyst 6500 series switch. It uses the shun command to block. You can configure the FWSM in either single mode or multi-mode.

H

hardware bypass: A specialized interface card that pairs physical interfaces so that when a software error is detected, a bypass mechanism is engaged that directly connects the physical interfaces and allows traffic to flow through the pair. Hardware bypass passes traffic at the network interface and does not pass it to the IPS system.

host block: ARC blocks all traffic from a given IP address.

HTTP: Hypertext Transfer Protocol.

I

InterfaceApp: A component of the IPS. Handles bypass and physical settings and defines paired interfaces. Physical settings are speed, duplex, and administrative state.

intrusion detection system: IDS. A security service that monitors and analyzes system events to find and provide real-time or near real-time warning of attempts to access system resources in an unauthorized manner.

IP address: 32-bit address assigned to hosts using TCP/IP.

K

KB: Knowledge Base. The sets of thresholds learned by Anomaly Detection and used for worm virus detection.

Knowledge Base: See KB.

L

LACP: Link Aggregation Control Protocol. LACP aids in the automatic creation of EtherChannel links by exchanging LACP packets between LAN ports. This protocol is defined in IEEE 802.3ad.

LAN: Local Area Network. Refers to the Layer 2 network domain local to a given host. Packets exchanged between two hosts on the same LAN do not require Layer 3 routing.

M

MD5: Message Digest 5. A one-way hashing algorithm that produces a 128-bit hash. Both MD5 and Secure Hash Algorithm (SHA) are variations on MD4 and strengthen the security of the MD4 hashing algorithm. Cisco uses hashes for authentication within the IPSec framework. Also used for message authentication in SNMP v.2. MD5 verifies the integrity of the communication, authenticates the origin, and checks for timeliness.

N

NBD: Next Business Day. The arrival of replacement hardware according to Cisco service contracts.

Neighborhood Discovery: Protocol for IPv6. IPv6 nodes on the same link use Neighbor Discovery to discover each other’s presence, to determine each other’s link-layer addresses, to find routers, and to maintain reachability information about the paths to active neighbors.

Network Access ID: See NAS-ID.

network device: A device that controls IP traffic on a network and can block an attacking host.

O

OIR: online insertion and removal. Feature that permits you to add, replace, or remove cards without interrupting the system power, entering console commands, or causing other software or interfaces to shut down.

OPS: Outbreak Prevention Service.

P

P2P: Peer-to-Peer. P2P networks use nodes that can simultaneously function as both client and server for the purpose of file sharing.

PER: packed encoding rules. Instead of using a generic style of encoding that encodes all types in a uniform way, PER specializes the encoding based on the data type to generate much more compact representations.

PFC: Policy Feature Card. An optional card on a Catalyst 6000 supervisor engine that supports VACL packet filtering.

PID: Product Identifier. The orderable product identifier that is one of the three parts of the UDI. The UDI is part of the PEP policy.

ping: packet internet groper.

R

RAM: random-access memory. Volatile memory that can be read and written by a microprocessor.

RAS: Registration, Admission, and Status Protocol. Protocol that is used between endpoints and the gatekeeper to perform management functions. RAS signaling function performs registration, admissions, bandwidth changes, status, and disengage procedures between the VoIP gateway and the gatekeeper.

RBCP: Router Blade Control Protocol.

RTP: Real-Time Transport Protocol. Commonly used with IP networks. RTP is designed to provide end-to-end network transport functions for applications transmitting real-time data, such as audio, video, or simulation data, over multicast or unicast network services. RTP provides such services as payload type identification, sequence numbering, timestamping, and delivery monitoring to real-time applications.

RTT: round-trip time.

S

session command: Command used on routers and switches to provide either Telnet or console access to a module in the router or switch.

SFP: Small Form-factor Pluggable. Often refers to a fiber optic transceiver that adapts optical cabling to fiber interfaces. See GBIC for more information.

shared secret: A piece of data known only to the parties involved in a secure communication. The shared secret can be a password, a passphrase, a big number, or an array of randomly chosen bytes.

SN: Serial Number. Part of the UDI. The SN is the serial number of your Cisco product.

SNAP: Subnetwork Access Protocol. Internet protocol that operates between a network entity in the subnetwork and a network entity in the end system. SNAP specifies a standard method of encapsulating IP datagrams and ARP messages on IEEE networks.

subsignature: A more granular representation of a general signature. It typically further defines a broad scope signature.

surface mounting: Refers to attaching rubber feet to the bottom of a sensor when it is installed on a flat surface. The rubber feet allow proper airflow around the sensor and they also absorb vibration so that the hard-disk drive is less impacted.

switch: Network device that filters, forwards, and floods frames based on the destination address of each frame.

T

TFTP: Trivial File Transfer Protocol. Simplified version of FTP that lets files be transferred from one computer to another over a network, usually without the use of client authentication (for example, username and password).

threat rating: TR. A threat rating is a value between 0 and 100 that represents a numerical decrease of the risk rating of an attack based on the response action that depicts the threat of an alert on the monitored network.

U

UDI: Unique Device Identifier. Provides a unique identity for every Cisco product. The UDI is composed of the PID, VID, and SN. The UDI is stored in the Cisco IPS ID PROM.

UDLD: UniDirectional Link Detection. Cisco proprietary protocol that allows devices connected through fiber-optic or copper Ethernet cables connected to LAN ports to monitor the physical configuration of the cables and detect when a unidirectional link exists.

V

virus: Hidden, self-replicating section of computer software, usually malicious logic, that propagates by infecting—that is, inserting a copy of itself into and becoming part of—another program. A virus cannot run by itself; it requires that its host program be run to make the virus active.

virus update: A signature update specifically addressing viruses.

VLAN: Virtual Local Area Network.

W

Wireshark: Wireshark is a free network protocol analyzer for UNIX and Windows. It lets you examine data from a live network or from a capture file on disk. You can interactively browse the capture data, viewing summary and detail information for each packet. Wireshark has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session. For more information, see http://www.wireshark.org.
INDEX
Index editing signatures (table) 7-21 enabling logical IP logging 7-20 described 5-7 physical port numbers slot numbers configuring described 7-4 described 5-9 states viewing described 7200 series router password recovery 3-5 reimaging 13-19 Internal Zone tab user roles 13-15 mode B-36 reimaging 27-17 C-8 27-17 IPS 4270-20 10-49 hardware bypass 10-51 signatures 7-10 installing system image password recovery 10-51 parameters (table) 20-6, C-9 27-14 hardware bypass IP
Index IPS 4345 field descriptions installing system image password recovery reimaging 27-22 20-5, 20-6, C-8, C-9 27-21 IPS 4360 IPS software application list A-4 available files 26-1 configuring device parameters installing system image password recovery reimaging 27-22 20-5, C-8, C-9 27-21 IPS 4510 directory structure Linux OS A-1 obtaining 26-1 retrieving data installing system image password recovery reimaging 27-25 20-5, 20-6, C-8, C-9 IPS 4520 A-35 A-5 tuning signatures A-
Index event variables SPAN ports switches described 8-35, 12-28 field descriptions 7-14 15-9 Known Host RSA Keys pane 7-14 configuring IPv6 Add Target Value Rating dialog box field descriptions user roles 15-8 described 12-22 15-7 15-6 field descriptions 12-21 15-7 IPv6 Edit Target Value Rating dialog box field descriptions user roles 12-22 12-21 IPv6 target value ratings adding Learned OS pane 8-28, 12-22 configuring deleting clearing 8-28, 12-22 21-17 learned OS values IPv6 Ta
Index limitations for concurrent CLI sessions listings UNIX-style loading KBs manifests 24-1 20-23 21-13 local authentication configuring client A-29 server A-29 manually updating sensor 6-23 Logger 20-27 master blocking sensor described A-4, A-19 described functions A-19 not set up properly syslog messages C-46 Master Blocking Sensor pane appliances configuring 24-2 ASA 5500 AIP SSM described 24-4 ASA 5500-X IPS SSP 24-5 ASA 5585-X IPS SSP 24-6 16-25 16-24 field descript
Index IP logging 10-60 N TCP stream reassembly mode described 10-58 NAS-ID 10-38 field descriptions described 10-39 IP fragment reassembly options IP logging options RADIUS authentication options 10-38 types 10-38 B-28 B-28 network blocks modes anomaly detection detect adding 13-4 anomaly detection learning accept asymmetric bypass 13-3 18-7 deleting 18-7 managing 8-4 18-7 Network Blocks pane 7-29 inactive (anomaly detection) 13-4 configuring 18-7 inline interface pair 7-
Index Network Security gadget configuring O 3-9 described Obfuscated Traffic/Attacks reports described 3-8 obsoletes field described never block hosts B-6 obtaining 16-7 networks cryptographic account 16-7 normalization described IPS software 8-4 license key Normalizer engine ASA 5500 AIP SSM 26-1 20-15 sensor license B-37 26-2 20-17 ASA 5500-X IPS SSP B-37 one-way TCP reset described ASA 5585-X IPS SSP B-37 Operation Settings tab described described B-36 IP fragment reasse
Index partitions Peer-to-Peer. See P2P.
Index Q.931 RPC deleting B-43 Rate Limits pane 11-11, B-48 SDEE 18-9 configuring A-34 Signature Wizard described 11-10 18-9 18-7 field descriptions 18-8 raw expression syntax Q described B-63 expert mode Q.
Index IPS 4345 27-21 IPS 4360 27-21 reset not occurring for a signature IPS 4510 27-25 resetting IPS 4520 27-25 sensors user roles 21-20 ASA 5500 AIP SSM removing network security health data last applied ASDM 27-10 signature update 27-10 Rename Knowledge Base dialog box field descriptions 21-14 renaming KBs 21-14 configuring 23-3 customizing 23-3 20-7, 20-11, C-10, C-14 sw-module command 20-9, C-12 resetting the password ASA 5500-X IPS SSP 20-9, C-12 ASA 5585-X IPS SSP C-1
Index reputation score field descriptions 14-5 ROMMON saving KBs ASA 5585-X IPS SSP 27-33 21-13 scheduling automatic upgrades described 27-13 IPS 4240 20-6, 27-14, C-9 described IPS 4255 20-6, 27-14, C-9 HTTP IPS 4260 27-17 protocol IPS 4270-20 21-13 27-9 SDEE A-34 A-34 A-34 server requests 27-19 A-34 IPS 4345 20-6, 27-22, C-9 IPS 4360 27-22, C-9 account locking IPS 4510 20-6, 27-25, C-9 IPS 4520 20-6, 27-25, C-9 information on Cisco Security Intelligence Operations 26-
Index SensorBase Network described corrupted SensorApp configuration network participation participation servers diagnostics reports 1-2, 14-1, 14-2 downgrading 1-2, 14-2 sensor health initializing critical settings metrics status SSH 3-4 no alerts 6-14 NTP time synchronization 20-20 Sensor Information gadget configuring C-36 NTP time source 20-21 C-29 C-34, C-60 not seeing packets 20-20 field descriptions partitions C-33 preventive maintenance 3-2 button functions 15-11 reb
Index certificate parameters (table) displaying 15-16 generating 15-16 described Service IDENT engine described field descriptions DCS/RPC protocol server manifest described A-29 service account described 11-11, B-48 6-18, C-5 described creating C-5 MSSQL protocol RADIUS authentication 6-18 Service DNS engine service packs described B-40 B-40 Service engine described B-39 PASV port spoof B-41 described B-42 B-42 ASN.
Index sessioning in configuration buttons ASA 5500 AIP SSM default 24-4 10-9 ASA 5500-X IPS SSP 24-5 described ASA 5585-X IPS SSP 24-6 field descriptions setting 10-9 10-11 signatures current KB assigning actions 21-13 system clock cloning 6-16 setting up terminal servers tabs 1-14 10-20 10-9 signature definition policies 24-3, 27-13 adding setup 10-8 automatic 25-2 cloning command 6-1, 25-1, 25-4, 25-8, 25-13, 25-17, 25-21 default policy simplified mode sig0 10-8 10
Index Service assigning actions B-39 Service DNS B-40 Service FTP B-41 Service Generic Service H225 B-42 B-43 Service HTTP 11-16, B-46 Service IDENT cloning 10-19 custom 10-2 default 10-2 described 10-1 disabling 10-17 editing B-48 10-20 Service MSRPC 11-11, B-48 enabling Service MSSQL B-50 false positives Service NTP Service P2P retiring B-52 Service RPC Service SMB Advanced Service TNS State String Traffic Anomaly 5-14 5-14 signature threat profiles B-69 applying
Index Signature Wizard protocols supported HTTP/HTTPS servers SPAN port issues 11-10 signature identification specialized 11-11 SNMP C-33 23-2 Specialized Reports described configuring described described 17-1 General Configuration pane field descriptions Get security Set 15-1 private keys 17-2 A-22 public keys CIDEE supported MIBs A-34 IDCONF 17-6, C-20 IDIOM 17-1 A-33 A-33 Traps Configuration pane SDEE field descriptions Startup Wizard user roles 17-4 described A-34 ac
Index State engine supported Cisco Login described platforms for IME B-59 C-89 Statistics pane button functions categories 21-21 described 21-21 using B-67 B-69 B-69 A-30 switches and TCP reset interfaces 11-21, 11-24, B-61 system architecture 11-22 parameters (table) B-61 directory structure A-35 supported platforms String TCP XL signature (example) String UDP engine parameters (table) 10-31, 10-34 B-62 system clock setting A-1 6-16 system components IDAPI A-32 System Configur
Index System Information pane described using TFN2K described 21-22 Trojans 21-23 system information viewing B-72 TFTP servers 21-23 system requirements for IME B-72 maximum file size limitation 1-4 RTT 27-13 27-13 Threat Category tab T described field descriptions TAC contact information service account described 6-18, A-31, C-5 troubleshooting C-82 8-6, 12-3 8-6, 8-26, 8-27, 12-3, 12-20, 12-21 TCP fragmentation described B-36 enabling TCP 13-16 external zone 13-29 field d
Index Top Attackers gadgets configuring described TFN2K Trojans 3-12 BO 3-11 Top Signature Reports described 1-18, 23-2 Top Signatures gadgets configuring described BO2K B-72 LOKI B-72 B-72 troubleshooting 3-13 Top Victim Reports described Analysis Engine busy 1-18, 23-2 Top Victims gadgets described B-72 TFN2K 3-13 configuring B-72 C-59 applying software updates C-55 ARC 3-12 blocking not occurring for signature 3-12 traceroute device tool (IME) 1-4, 2-6, 3-15, 3-16, 22-6 T
Index enabling debug logging external product interfaces gathering information global correlation Trusted Root Certificates pane C-47 configuring 19-10, C-24 described C-80 15-15 15-14 field descriptions 14-11, C-23 IDM 15-15 tuned signatures described cannot access sensor will not load 10-2 tuning C-59 AIC signatures C-58 IME 10-48 IP fragment reassembly signatures installation error IME time synchronization IPS clock time drift 10-20 TCP fragment reassembly signatures C-61 C-2
Index uploading KBs virtual-sensor name command FTP 21-15 virtual sensors SCP 21-15 adding Upload Knowledge Base to Sensor dialog box described 21-15 URLs for Cisco Security Intelligence Operations user-defined reports described user roles authentication users configuring 23-1 6-19 26-8 using C-47 TCP reset interfaces adding (ASA 5500-X IPS SSP) 8-16 adding (ASA 5585-X IPS SSP) 8-16 ASA 5500 AIP SSM 8-18 ASA 5585-X IPS SSP 8-18 8-16 creating (ASA 5585-X IPS SSP) 8-16 8-2, 8-8 ed
Index W watch list rating calculating risk rating described 8-6, 12-3 8-6, 12-3 web server described A-4, A-23 HTTP 1.0 and 1.