Home
/
Cisco
/
4215 - Intrusion Detection Sys Sensor
/
Configuration Manual

Cisco 4215 - Intrusion Detection Sys Sensor, Configuration Manual, Page: 105 / 536

Share

Page: 105 / 536

Cisco 4215 - Intrusion Detection Sys Sensor Configuration Manual Download Page 105

6-7

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0

78-16527-01

Chapter 6 Configuring Event Action Rules

Configuring Target Value Ratings

Configuring Target Value Ratings

You can assign a TVR to your network assets. T he TVR is one of the factors used to calculate the RR
value for each alert. You can assign different TVRs to different targets. Events with a higher RR trigger
more severe signature event actions.

Use the

target-value

[

zero value

|

low

|

medium

|

high

|

mission-critical

]

target-address

ip_address

range

command in service event action rules submode to set TVRs for your network assets. The default

is medium.

To configure TVRs for your network assets, follow these steps:

Step 1

Log in to the CLI using an account with administrator privileges.

Step 2

Enter event action rules submode:

sensor#

configure terminal

sensor(config)#

service event-action-rules rules0

Step 3

Assign the TVR to the network asset:

sensor(config-rul)#

target-value mission-critical target-address 10.89.130.108

Step 4

Check the TVR setting you just configured:

sensor(config-rul)#

show settings

-----------------------------------------------

target-value (min: 0, max: 5, current: 1)

-----------------------------------------------

target-value-setting: mission-critical

target-address: 10.89.130.108 default: 0.0.0.0-255.255.255.255

-----------------------------------------------

sensor(config-rul)#

Step 5

Exit event action rules submode:

sensor(config-rul)#

exit

Apply Changes:?[yes]:

Step 6

Press

Enter

to apply your changes or type

no

to discard them.

Event Action Overrides

This section describes event action overrides, and contains the following topics:

•

About Event Action Overrides, page 6-7

•

Configuring Event Action Overrides, page 6-8

About Event Action Overrides

You can add an event action override to change the actions associated with an event based on the RR of
that event. Event action overrides are a way to add event actions globally without having to configure
each signature individually. Each event action has an associated RR range. If a signature event occurs
and the RR for that event falls within the range for an event action, that action is added to the event. For

«
...
103
104
105
106
107
...
»

Summary of Contents for 4215 - Intrusion Detection Sys Sensor

Page 1: ...Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 527 0883 Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5 0 Customer Order Number DOC 7816527 Text Part Number 78 16527 01 ...

Page 2: ...ENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH ALL FAULTS CISCO AND THE ABOVE NAMED SUPPLIERS DISCLAIM ALL WARRANTIES EXPRESSED OR IMPLIED INCLUDING WITHOUT LIMITATION THOSE OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING USAGE OR TRADE PRACTICE IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT SPECIAL...

Page 3: ...onfiguration Task Flow 1 2 User Roles 1 3 CLI Behavior 1 4 Command Line Editing 1 5 IPS Command Modes 1 6 Regular Expression Syntax 1 7 General CLI Commands 1 9 CLI Keywords 1 9 C H A P T E R 2 Logging In to the Sensor 2 1 Overview 2 1 Supported User Roles 2 1 Logging In to the Appliance 2 2 Setting Up a Terminal Server 2 3 Logging In to IDSM 2 2 4 Logging In to NM CIDS 2 5 Logging In to AIP SSM 2...

Page 4: ...ring Passwords 4 14 Changing User Privilege Levels 4 15 Viewing User Status 4 16 Configuring Account Locking 4 17 Configuring Time 4 18 Time Sources and the Sensor 4 18 Correcting Time on the Sensor 4 20 Configuring Time on the Sensor 4 21 System Clock 4 21 Configuring Summertime Settings 4 22 Configuring Timezones Settings 4 27 Configuring NTP 4 27 Configuring a Cisco Router to be an NTP Server 4...

Page 5: ...iguring Interface Notifications 5 10 C H A P T E R 6 Configuring Event Action Rules 6 1 About Event Action Rules 6 1 Signature Event Action Processor 6 2 Event Actions 6 3 Task List for Configuring Event Action Rules 6 4 Event Action Variables 6 4 About Event Action Variables 6 5 Configuring Event Action Variables 6 5 Calculating the Risk Rating 6 6 Configuring Target Value Ratings 6 7 Event Actio...

Page 6: ...signing Actions to Signatures 7 11 Configuring AIC Signatures 7 12 Overview 7 12 Configuring the Application Policy 7 13 AIC Request Method Signatures 7 15 AIC MIME Define Content Type Signatures 7 16 AIC Transfer Encoding Signatures 7 19 AIC FTP Commands Signatures 7 20 IP Fragment Reassembly 7 22 Overview 7 22 Configuring IP Fragment Reassembly Parameters 7 22 Configuring the Method for IP Fragm...

Page 7: ...10 1 Understanding Blocking 10 1 Blocking Prerequisites 10 3 Supported Blocking Devices 10 3 Configuring Blocking Properties 10 4 Allowing the Sensor to Block Itself 10 4 Disabling Blocking 10 6 Setting Maximum Block Entries 10 8 Setting the Block Time 10 10 Enabling ACL Logging 10 11 Enabling Writing to NVRAM 10 12 Logging All Blocking Events and Errors 10 13 Configuring the Maximum Number of Blo...

Page 8: ... 1 Displaying the Current Submode Configuration 12 3 Filtering the Current Configuration Output 12 9 Filtering the Current Submode Configuration Output 12 11 Displaying the Contents of a Logical File 12 13 Copying and Restoring the Configuration File Using a Remote Server 12 15 Creating and Using a Backup Configuration File 12 17 Erasing the Configuration File 12 17 C H A P T E R 13 Administrative...

Page 9: ...ting and Recovering AIP SSM 14 5 C H A P T E R 15 Configuring IDSM 2 15 1 Configuration Sequence 15 1 Verifying IDSM 2 Installation 15 2 Configuring the Catalyst 6500 Series Switch for Command and Control Access to IDSM 2 15 4 Catalyst Software 15 4 Cisco IOS Software 15 6 Configuring the Catalyst Series 6500 Switch for IDSM 2 in Promiscuous Mode 15 7 Using the TCP Reset Interface 15 7 Configuring...

Page 10: ...o IOS Software 15 29 EXEC Commands 15 30 Configuration Commands 15 31 C H A P T E R 16 Configuring NM CIDS 16 1 Configuration Sequence 16 1 Configuring IDS Sensor Interfaces on the Router 16 2 Establishing NM CIDS Sessions 16 3 Sessioning to NM CIDS 16 4 Telneting to NM CIDS 16 5 Configuring Packet Capture 16 5 Administrative Tasks for NM CIDS 16 7 Shutting Down Reloading and Resetting NM CIDS 16 ...

Page 11: ...he NM CIDS System Image 17 19 Overview 17 19 Installing the NM CIDS System Image 17 20 Upgrading the Bootloader 17 22 Installing the IDSM 2 System Image 17 25 Installing the System Image 17 25 Configuring the Maintenance Partition 17 27 Upgrading the Maintenance Partition 17 35 Installing the AIP SSM System Image 17 36 C H A P T E R 18 Obtaining Software 18 1 Obtaining Cisco IPS Software 18 1 IPS ...

Page 12: ...twork Access Controller A 12 Network Access Controller Features A 13 Supported Blocking Devices A 15 ACLs and VACLs A 16 Maintaining State Across Restarts A 16 Connection Based and Unconditional Blocking A 17 Blocking with Cisco Firewalls A 18 Blocking with Catalyst Switches A 19 LogApp A 19 AuthenticationApp A 20 AuthenticationApp Responsibilities A 20 Authenticating Users A 20 Configuring Authen...

Page 13: ...l Parameters B 3 Alert Frequency B 4 Event Actions B 5 AIC Engine B 6 Overview B 6 AIC Engine Parameters B 7 ATOMIC Engine B 8 ATOMIC ARP Engine B 8 ATOMIC IP Engine B 9 FLOOD Engine B 10 META Engine B 10 NORMALIZER Engine B 11 Overview B 12 NORMALIZER Engine Parameters B 12 SERVICE Engines B 13 SERVICE DNS Engine B 14 SERVICE FTP Engine B 15 SERVICE GENERIC Engine B 16 SERVICE H225 Engine B 16 Ov...

Page 14: ... Engines B 34 A P P E N D I X C Troubleshooting C 1 Preventive Maintenance C 1 Disaster Recovery C 2 Password Recovery C 3 Troubleshooting the 4200 Series Appliance C 3 Communication Problems C 4 Cannot Access the Sensor CLI Through Telnet or SSH C 4 Misconfigured Access List C 6 Duplicate IP Address Shuts Interface Down C 7 SensorApp and Alerting C 8 SensorApp Not Running C 8 Physical Connectivit...

Page 15: ...dating a Sensor with the Update Stored on the Sensor C 33 UNIX Style Directory Listings C 34 Troubleshooting IDM C 34 Increasing the Memory Size of the Java Plug In C 34 Java Plug In on Windows C 35 Java Plug In on Linux and Solaris C 35 Cannot Launch IDM Loading Java Applet Failed C 36 Cannot Launch IDM Analysis Engine Busy C 37 IDM Remote Manager or Sensing Interfaces Cannot Access the Sensor C ...

Page 16: ...Information C 50 Statistics Information C 52 Overview C 52 Displaying Statistics C 53 Interfaces Information C 61 Overview C 61 Interfaces Command Output C 61 Events Information C 62 Sensor Events C 63 Overview C 63 Displaying Events C 63 Clearing Events C 66 cidDump Script C 66 Uploading and Accessing Files on the Cisco FTP Site C 67 G L O S S A R Y I N D E X ...

Page 17: ... intended for administrators who need to do the following Configure the sensor for intrusion prevention using the CLI Secure their network with IPS sensors Prevent intrusion on their networks and monitor subsequent alerts Conventions This document uses the following conventions Convention Indication bold font Commands and keywords and user entered text appear in bold font italic font Document titl...

Page 18: ...ase Notes for Cisco Intrusion Prevention System Cisco Intrusion Prevention System Device Manager Configuration Guide Cisco Intrusion Prevention System Manager Express Configuration Guide Cisco Intrusion Prevention System Command Reference Cisco Intrusion Prevention System Appliance and Modules Installation Guide Installling and Removing Interface Cards in Cisco IPS 4260 and IPS 4270 20 Regulatory ...

Page 19: ... and gathering additional information see the monthly What s New in Cisco Product Documentation which also lists all new and revised Cisco technical documentation at http www cisco com en US docs general whatsnew whatsnew html Subscribe to the What s New in Cisco Product Documentation as a Really Simple Syndication RSS feed and set content to be delivered directly to your desktop using a reader ap...

Page 20: ...xx Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5 0 78 16527 01 Preface Obtaining Documentation and Submitting a Service Request ...

Page 21: ...sk based configuration guide for the IPS 5 0 CLI The term sensor is used throughout this guide to refer to all sensor models unless a procedure refers specifically to the appliance or one of the modules such as IDSM 2 NM CIDS or AIP SSM Refer to the Command Reference for Cisco Intrusion Prevention System 5 0 for an alphabetical list of all IPS commands Refer to the Documentation Roadmap for Cisco ...

Page 22: ...which makes the system vulnerable However you can use the service account to create a new password if the Administrator password is lost Analyze your situation to decide if you want a service account existing on the system 5 License the sensor For the procedure see Obtaining a License Key From Cisco com page 18 6 6 Perform the other initial tasks such as adding users and trusted hosts and so forth...

Page 23: ...rator Operator Viewer and Service The privilege levels for each role are different therefore the menus and available commands vary for each role Administrators This user role has the highest level of privileges Administrators have unrestricted view access and can perform the following functions Add users and assign passwords Enable and disable control of physical interfaces and virtual sensors Ass...

Page 24: ... needed Only a user with Administrator privileges can edit the service account CLI Behavior Follow these tips when using the IPS CLI Prompts You cannot change the prompt displayed for the CLI commands User interactive prompts occur when the system displays a question and waits for user input The default input is displayed inside brackets To accept the default input press Enter Help To display the ...

Page 25: ...the terminal output exceeds the allotted display space To display the remaining output press the Spacebar to display the next page of output or press Enter to display the output one line at a time To clear the current line contents and return to a blank command line press Ctrl C Command Line Editing Table 1 1 describes the command line editing capabilities provided by the CLI Table 1 1 Command Lin...

Page 26: ...rsor to the beginning of the line Ctrl B Moves the cursor back one character Ctrl D Deletes the character at the cursor Ctrl E Moves the cursor to the end of the command line Ctrl F Moves the cursor forward one character Ctrl K Deletes all characters from the cursor to the end of the command line Ctrl L Clears the screen and redisplays the system prompt and command line Ctrl T Transposes the chara...

Page 27: ...y digit To search for a specific special character you must use a backslash before the special character For example the single character regular expression matches a single asterisk The regular expressions defined in this section are similar to a subset of the POSIX Extended Regular Expression definitions In particular and expressions are not supported Also escaped expressions representing single...

Page 28: ... pattern and a backslash followed by a digit to reuse the remembered pattern The digit specifies the occurrence of a parentheses in the regular expression pattern If you have more than one remembered pattern in your regular expression then 1 indicates the first remembered pattern and 2 indicates the second remembered pattern and so on The following regular expression uses parentheses for recall a ...

Page 29: ...y configuration submodes It takes you back to the top level EXEC menu sensor configure terminal sensor config service event action rules rules0 sensor confg rul end sensor exit Exits any configuration mode or closes an active terminal session and terminates the EXEC mode It takes you to the previous menu session sensor configure terminal sensor config service event action rules rules0 sensor confg...

Page 30: ...1 10 Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5 0 78 16527 01 Chapter 1 Introducing the CLI Configuration Guide CLI Keywords ...

Page 31: ... 2 8 Overview The number of concurrent CLI sessions is limited based on the platform IDS 4210 IDS 4215 and NM CIDS are limited to three concurrent CLI session All other platforms allow ten concurrent sessions Supported User Roles You can log in with the following user privileges Administrator Operator Viewer Service The service role does not have direct access to the CLI Service account users are ...

Page 32: ... console port to the sensor For the procedure see Setting Up a Terminal Server page 2 3 Connect a monitor and a keyboard to the sensor Step 2 Type your username and password at the login prompt Note The default username and password are both cisco You are prompted to change them the first time you log in to the appliance You must first enter the UNIX password which is cisco Then you must enter the...

Page 33: ... the console port on the appliance to a port on the terminal server For all other appliances connect the M A S H adapter part number 29 4077 01 to COM1 on the appliance and For RJ 45 connections connect a 180 rollover cable from the M A S H adapter to a port on the terminal server For hydra cable assemblies connect a straight through patch cable from the M A S H adapter to a port on the terminal s...

Page 34: ...uthorized access to the appliance If a terminal session is not stopped properly that is if it does not receive an exit 0 signal from the application that initiated the session the terminal session can remain open When terminal sessions are not stopped properly authentication is not performed on the next session that is opened on the serial port Caution Always exit your session and return to a logi...

Page 35: ...licable laws and regulations If you are unable to comply with U S and local laws return this product immediately A summary of U S laws governing Cisco cryptographic products may be found at http www cisco com wwl export crypto tool stqrg html If you require further assistance please contact us by sending email to export cisco com LICENSE NOTICE There is no license key installed on the system Pleas...

Page 36: ...rst enter the UNIX password which is cisco Then you must enter the new password twice login cisco Password NOTICE This product contains cryptographic features and is subject to United States and local country laws governing import export transfer and use Delivery of Cisco cryptographic products does not imply third party authority to import export distribute or use encryption Importers exporters d...

Page 37: ...irst time you log in to AIP SSM You must first enter the UNIX password which is cisco Then you must enter the new password twice login cisco Password NOTICE This product contains cryptographic features and is subject to United States and local country laws governing import export transfer and use Delivery of Cisco cryptographic products does not imply third party authority to import export distrib...

Page 38: ...ographic features and is subject to United States and local country laws governing import export transfer and use Delivery of Cisco cryptographic products does not imply third party authority to import export distribute or use encryption Importers exporters distributors and users are responsible for compliance with U S and local country laws By using this product you agree to comply with applicabl...

Page 39: ...up command an interactive dialog called the System Configuration Dialog appears on the system console screen The System Configuration Dialog guides you through the configuration process The values shown in brackets next to each prompt are the current values You must go through the entire System Configuration Dialog until you come to the option that you want to change To accept default settings for...

Page 40: ... with administrator privileges Log in to the appliance by using a serial connection or with a monitor and keyboard Note You cannot use a monitor and keyboard with IDS 4215 IPS 4240 or IPS 4255 Session to IDSM 2 For Catalyst software cat6k enable cat6k enable session module_number For Cisco IOS software router session slot slot_number processor 1 Session to NM CIDS router service module IDS Sensor ...

Page 41: ...et 0 standard time zone name UTC exit summertime option disabled ntp option disabled exit service web server port 443 exit Current time Wed May 5 10 25 35 2004 Step 4 Press the spacebar to get to the following question Continue with configuration dialog yes Press the spacebar to show one page at a time Press Enter to show one line at a time Step 5 Type yes to continue Step 6 Specify the hostname T...

Page 42: ...as a 32 bit address written as 4 octets separated by periods where X 0 255 nn specifies the number of bits in the netmask and Y Y Y Y specifies the default gateway as a 32 bit address written as 4 octets separated by periods where Y 0 255 c Repeat Step b until you have added all networks that you want to add to the access list d Press Enter at a blank permit line to proceed to the next step Step 1...

Page 43: ...er october november and december The default is october i Specify the week you want the summertime settings to end Valid entries are first second third fourth fifth and last The default is last j Specify the day you want the summertime settings to end Valid entries are sunday monday tuesday wednesday thursday friday and saturday The default is sunday k Specify the time you want summertime settings...

Page 44: ...me of the second interface in the inline pair interface2 Your configuration appears with the following options 0 Go to the command prompt without saving this config 1 Return back to the setup without saving this config 2 Save this configuration and exit setup Step 16 Type 2 to save the configuration Enter your selection 2 2 Configuration Saved Step 17 Type yes to modify the system date and time No...

Page 45: ...ou should verify that your sensor has been initialized correctly To verify that you initialized your sensor follow these steps Step 1 Log in to the sensor For the procedure see Chapter 2 Logging In to the Sensor Step 2 View your configuration sensor show configuration generating current config Version 5 0 1 Current configuration last modified Thu Aug 12 16 55 33 2004 service analysis engine global...

Page 46: ...hing alt tcp reset interface none exit bypass mode off interface notifications missed percentage threshold 2 exit exit exit exit exit sensor Note You can also use the more current config command to view your configuration Step 3 Display the self signed X 509 certificate needed by TLS sensor show tls fingerprint MD5 C4 BC F2 92 C2 E2 4D EB 92 0F E4 86 53 6A C6 01 SHA1 64 9B AC DE 21 62 0C D3 57 2E ...

Page 47: ...1 Changing Web Server Settings page 4 9 Configuring User Parameters page 4 11 Configuring Time page 4 18 Configuring SSH page 4 30 Configuring TLS page 4 34 Installing the License Key page 4 37 Changing Network Settings After you initialize your sensor you may need to change some of the network settings that you configured when you ran the setup command This section describes how to configure the ...

Page 48: ...ervice host sensor config hos network settings Step 3 Change the sensor hostname sensor config hos net host name firesafe Step 4 Verify the new hostname sensor config hos net show settings network settings host ip 10 89 130 108 23 10 89 130 1 default 10 1 9 201 24 10 1 9 1 host name firesafe default sensor telnet option enabled default disabled access list min 0 max 512 current 1 network address 0...

Page 49: ...ed by periods where X 0 255 nn specifies the number of bits in the netmask and Y Y Y Y specifies the default gateway as a 32 bit address written as 4 octets separated by periods where Y 0 255 To change the sensor IP address netmask and default gateway follow these steps Step 1 Log in to the sensor using an account with administrator privileges Step 2 Enter network settings mode sensor configure te...

Page 50: ...aulted login banner text defaulted sensor config hos net Step 7 Exit network settings mode sensor config hos net exit sensor config hos exit Apply Changes yes Step 8 Press Enter to apply the changes or type no to discard them Enabling and Disabling Telnet Use the telnet option enabled disabled command in the service host submode to enable Telnet for remote access to the sensor The default is disab...

Page 51: ... to connect For the procedure See Changing the Access List page 4 5 Changing the Access List Use the access list ip_address netmask command in the service host submode to configure the access list the list of hosts or networks that you want to have access to your sensor Use the no form of the command to remove an entry from the list The default access list is empty The following hosts must have an...

Page 52: ...lted Step 5 Remove the entry from the access list sensor config hos net no access list 10 89 146 110 32 Step 6 Verify the entry has been removed sensor config hos net show settings network settings host ip 10 1 9 201 24 10 1 9 1 defaulted host name sensor defaulted telnet option enabled default disabled access list min 0 max 512 current 1 network address 10 1 9 0 24 ftp timeout 300 seconds default...

Page 53: ... FTP server The default is 300 seconds Note You can use the FTP client for downloading updates and configuration files from your FTP server To change the FTP timeout follow these steps Step 1 Log in to the sensor using an account with administrator privileges Step 2 Enter network settings mode sensor configure terminal sensor config service host sensor config hos network settings Step 3 Change the...

Page 54: ...nsor config hos exit Apply Changes yes Step 8 Press Enter to apply the changes or type no to discard them Adding a Login Banner Use the login banner text text_message command to add a login banner that the user sees during login There is no default When you want to start a new line in your message press Ctrl V Enter To add a login banner follow these steps Step 1 Log in to the sensor using an acco...

Page 55: ...ig hos net Step 7 Exit network settings mode sensor config hos net exit sensor config hos exit Apply Changes yes Step 8 Press Enter to apply the changes or type no to discard them Changing Web Server Settings After you run the setup command you can change the following web server settings the web server port whether TLS encryption is being used and the HTTP server header message Note The default w...

Page 56: ...r is re started Step 4 Enable or disable TLS sensor config web enable tls true false If you disable TLS you receive the following message Warning TLS protocol support has been disabled This change will not take effect until the web server is re started Step 5 Change the HTTP server header sensor config web server id Nothing to see here Move along Step 6 Verify the web server changes sensor config ...

Page 57: ...form of this command to remove a user from the system This removes the user from CLI and web access Caution The username command provides username and password authentication for login purposes only You cannot use this command to remove a user who is logged in to the system You cannot use this command to remove yourself from the system If you do not specify a password the system prompts you for on...

Page 58: ...space and are allowed For example to add the user tester with a privilege level of administrator and the password testpassword type the following command Note If you do not want to see the password in clear text wait for the password prompt Do not type the password along with the username and privilege sensor config username tester privilege administrator Enter Login Password Re enter Login Passwo...

Page 59: ...sensor using either the recovery partition or a system image file For more information see Chapter 17 Upgrading Downgrading and Installing System Images Creating the Service Account You can create a service account for TAC to use during troubleshooting Although more than one user can have access to the sensor only one user can have service privileges on a sensor The service account is for support ...

Page 60: ...r is displayed and no service account is created Error Only one service account allowed in UserAccount document Step 5 Exit configuration mode sensor config exit sensor When you use the service account to log in to the CLI you receive the following warning WARNING UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED This account is intended to be used for support and troubleshooting purposes o...

Page 61: ...user Note You cannot use the privilege command to give a user service privileges If you want to give an existing user service privileges you must remove that user and then use the username command to create the service account There can only be one person with service privileges For the procedure see Creating the Service Account page 4 13 To change the privilege level for a user follow these steps...

Page 62: ...ged in to the sensor and all user accounts on the sensor regardless of login status An indicates the current user If an account is locked the username is surrounded by parentheses A locked account means that the user failed to enter the correct password after the configured attempts Note The number of concurrent CLI sessions is limited based on platform IDS 4210 IDS 4215 and NM CIDS are limited to...

Page 63: ...nfig service authentication Step 3 Set the number of attempts users will have to log in to accounts sensor config aut attemptLimit 3 Step 4 Check your new setting sensor config aut show settings attemptLimit 3 defaulted 0 sensor config aut Step 5 To set the value back to the system default setting sensor config aut default attemptLimit Step 6 Check that the setting has returned to the default sens...

Page 64: ...page 4 21 Configuring NTP page 4 27 Time Sources and the Sensor The sensor requires a reliable time source All events alerts must have the correct UTC and local time stamp otherwise you cannot correctly analyze the logs after an attack When you initialize the sensor you set up the time zones and summertime settings For more information see Initializing the Sensor page 3 2 Here is a summary of ways...

Page 65: ...you can set up NTP through the CLI IDM or ASDM Note We recommend that you use an NTP time synchronization source For NM CIDS NM CIDS can automatically synchronize its clock with the clock in the router chassis in which it is installed parent router This is the default Note The UTC time is synchronized between the parent router and NM CIDS The time zone and summertime settings are not synchronized ...

Page 66: ...ime synchronization source Correcting Time on the Sensor If you set the time incorrectly your stored events will have the incorrect time because they are stamped with the time the event was created The Event Store time stamp is always based on UTC time If during the original sensor setup you set the time incorrectly by specifying 8 00 p m rather than 8 00 a m when you do correct the error the corr...

Page 67: ...e the show clock detail command to display the system clock You can use the detail option to indicate the clock source NTP or system and the current summertime setting if any The system clock keeps an authoritative flag that indicates whether the time is authoritative believed to be accurate If the system clock has been set by a timing source such as NTP the flag is set To display the system clock...

Page 68: ... a valid outside timing mechanism such as an NTP clock source For the procedure for configuring NTP see Configuring NTP page 4 27 See Time Sources and the Sensor page 4 18 for an explanation of the importance of having a valid time source for the sensor For an explanation of what to do if you set the clock incorrectly see Correcting Time on the Sensor page 4 20 The clock set command does not apply...

Page 69: ...rtime option recurring Step 3 Enter start summertime submode sensor config hos rec start summertime Step 4 Configure the start summertime parameters d Type the day of the week you want to start summertime settings sensor config hos rec sta day of week monday e Type the month you want to start summertime settings sensor config hos rec sta month april f Type the time of day you want to start summert...

Page 70: ...s sensor config hos rec end show settings end summertime month october default october week of month last default last day of week friday default sunday time of day 05 15 00 default 02 00 00 sensor config hos rec end Step 7 Specify the local time zone used during summertime sensor config hos rec end exit sensor config hos rec summertime zone name CDT Step 8 Specify the offset sensor config hos rec...

Page 71: ...p 1 Log in to the sensor using an account with administrator privileges Step 2 Enter summertime non recurring submode sensor configure terminal sensor config service host sensor config hos summertime option non recurring Step 3 Enter start summertime submode sensor config hos non start summertime Step 4 Configure the start summertime parameters a Type the date you want to start summertime settings...

Page 72: ...time 12 00 00 sensor config hos non end Step 7 Specify the local time zone used during summertime sensor config hos non end exit sensor config hos non summertime zone name CDT Step 8 Specify the offset sensor config hos non offset 60 Note Changing the time zone offset requires the sensor to reboot Step 9 Verify your settings sensor config hos non show settings non recurring offset 60 minutes defau...

Page 73: ...default is UTC sensor config hos tim standard time zone name CST Step 4 Configure the offset in minutes The offset is the number of minutes you add to UTC to get the local time The default is 0 sensor config hos tim offset 360 Note Changing the time zone offset requires the sensor to reboot Step 5 Verify your settings sensor config hos tim show settings time zone settings offset 360 minutes defaul...

Page 74: ... Enter configuration mode router configure terminal Step 3 Create the key ID and key value router config ntp authentication key key_ID md5 key_value The key ID can be a number between 1 and 65535 The key value is text numeric or character It is encrypted later Example router config ntp authentication key 100 md5 attack Note The sensor only supports MD5 keys Note Keys may already exist on the route...

Page 75: ...o the CLI using an account with administrator privileges Step 2 Enter configuration mode sensor configure terminal Step 3 Enter service host mode sensor config service host Step 4 Enter NTP configuration mode sensor config hos ntp option enable Step 5 Type the NTP server IP address and key ID sensor config hos ena ntp servers ip_address key id key_ID The key ID is a number between 1 and 65535 This...

Page 76: ...SH SSH provides strong authentication and secure communications over channels that are not secure SSH encrypts your connection to the sensor and provides a key so you can validate that you are connecting to the correct sensor SSH also provides authenticated and encrypted access to other devices that the sensor connects to for blocking SSH authenticates the hosts or networks using one or more of th...

Page 77: ...obtain the required key over the network The specified host must by accessible at the moment the command is issued If the host is unreachable you must use the full form of the command ssh host key ip address key modulus length public exponent public modulus to confirm the fingerprint of the key displayed to protect yourself from accepting an attacker s key Note To modify a key for an IP address th...

Page 78: ...Keys Use the ssh authorized key command to define public keys for a client allowed to use RSA authentication to log in to the local SSH server The following options apply id 1 to 256 character string that uniquely identifies the authorized key You can use numbers _ and but spaces and are not acceptable key modulus length An ASCCI decimal integer in the range 511 2048 public exponent An ASCII decim...

Page 79: ...993932112503147452768378620911189986653716089813147922086044739911341369 642870682319361928148521864094557416306138786468335115835910404940213136954353396163449793 49705016792583146548622146467421997057 sensor config Step 3 Verify that the key was added sensor config exit sensor show ssh authorized keys system1 sensor Step 4 View the key for a specific ID sensor show ssh authorized keys system1 10...

Page 80: ... Display the current SSH server host key sensor show ssh server key 1024 35 137196765426571419509124895787229630062726389801071715581921573847280637533000158590028798 074385824867184332364758899959675370523879609376174812179228415215782949029183962207840731 771645803509837259475421477212459797170806510716077556010753169312675023860474987441651041 217710152766990480431898217878170000647 MD5 93 F5 5...

Page 81: ...e certificate that is returned fails because the sensor issues its own certificate the sensor is its own CA and the sensor is not already in the list of CAs trusted by your browser When you receive an error message from your browser you have three options Disconnect from the site immediately Accept the certificate for the remainder of the web browsing session Add the issuer identified in the certi...

Page 82: ...ed host sensor configure terminal sensor config tls trusted host ip address 10 16 0 0 Certificate MD5 fingerprint is 4F BA 15 67 D3 E6 FB 51 8A C4 57 93 4D F2 83 FE Certificate SHA1 fingerprint is B1 6F F5 DA F3 7A FB FB 93 E9 2D 39 B9 99 08 D4 47 02 F6 12 Would you like to add this to the trusted certificate table for this host yes The MD5 and SHA1 fingerprints appear You are prompted to add the ...

Page 83: ...usted hosts lists on remote IPS sensors using the tls trusted host command For the procedure see Adding TLS Trusted Hosts page 4 35 If the sensor is a master blocking sensor you must update the trusted hosts lists on the remote sensors that are sending block requests to the master blocking sensor To generate a new TLS certificate follow these steps Step 1 Log in to the CLI using an account with ad...

Page 84: ...lowing message if there is no license installed LICENSE NOTICE There is no license key installed on the system Please go to http www cisco com go license to obtain a new license or install a license You will continue to see this message until you have installed a license Go to http www cisco com go license and click IPS Signature Subscription Service to apply for a license Use the copy source url ...

Page 85: ...ress you specified Step 3 Save the license key to a system that has a web server FTP server or SCP server Step 4 Log in to the CLI using an account with administrator privileges Step 5 Copy the license key to the sensor sensor copy scp user 10 89 147 3 tftpboot dev lic license key Password Step 6 Verify the sensor is licensed sensor show version Application Partition Cisco Intrusion Prevention Sys...

Page 86: ...ration Tasks Installing the License Key Upgrade History IDS K9 maj 5 0 1 14 16 00 UTC Thu Mar 04 2004 Recovery Partition Version 1 1 5 0 1 S149 sensor Step 7 Copy your license key from a sensor to a server to keep a backup copy of the license sensor copy license key scp user 10 89 147 3 tftpboot dev lic Password sensor ...

Page 87: ...can monitor traffic Note On appliances the sensing interfaces are disabled by default On modules the sensing interfaces are always enabled and cannot be disabled The sensing interface does not have an IP address assigned to it and is therefore invisible to attackers This lets the sensor monitor the data stream without letting attackers know they are being watched Promiscuous mode is contrasted by ...

Page 88: ... Missed packet percentage threshold exceeded Interface Support Table 5 1 describes the interface support for appliances and modules running IPS 5 0 Table 5 1 Interface Support Base Chassis AddedPCI Cards Interfaces Supporting Inline Possible Port Combinations Interfaces Not Supporting Inline IDS 4210 None N A All IDS 4215 None N A All IDS 4215 4FE FastEthernet0 1 4FE FastEthernet1 0 FastEthernet1 ...

Page 89: ...abitEthernet2 0 GigabitEthernet2 1 2 0 2 1 GigabitEthernet0 0 GigabitEthernet0 1 IDSM 2 port 7 and 8 GigabitEthernet0 7 GigabitEthernet0 8 0 7 0 8 GigabitEthernet0 2 IPS 4240 4 onboard GE GigabitEthernet0 0 GigabitEthernet0 1 GigabitEthernet0 2 GigabitEthernet0 3 0 0 0 1 0 0 0 2 0 0 0 3 0 1 0 2 0 1 0 3 0 2 0 3 Management0 0 IPS 4255 4 onboard GE GigabitEthernet0 0 GigabitEthernet0 1 GigabitEtherne...

Page 90: ...ters and firewalls to respond to an attack While such response actions can prevent some classes of attacks for atomic attacks however the single packet has the chance of reaching the target system before the promiscuous based sensor can apply an ACL modification on a managed device such as a firewall switch or router Understanding TCP Reset You need to designate an alternate TCP reset interface in...

Page 91: ...not supported on modules IDSM 2 NM CIDS and AIP SSM and appliances that only have one sensing interface IDS 4210 IDS 4215 IDS 4235 and IDS 4250 without any additional NIC cards interface name The name of the interface on which TCP resets should be sent when this interface is used for promiscuous monitoring and the reset action is triggered by a signature firing This setting is ignored when this in...

Page 92: ...rface sensor config int physical interfaces Step 4 Enable the interface for promiscuous mode sensor config int physical interfaces GigabitEthernet0 2 Step 5 Enable the interface sensor config int phy admin state enabled The interface must be assigned to the virtual sensor see Assigning Interfaces to the Virtual Sensor page 5 8 and enabled to monitor traffic Step 6 Add a description of this interfa...

Page 93: ...nalyzing the contents and payload of the packets for more sophisticated embedded attacks layers 3 to 7 This deeper analysis lets the system identify and stop and or block attacks that would normally pass through a traditional firewall device In inline mode a packet comes in through the first interface of the pair of the sensor and out the second interface of the pair The packet is sent to the seco...

Page 94: ...sor config int inl interface2 GigabitEthernet0 1 Step 5 Add a description of the interface pair sensor config int inl description PAIR1 Gig0 0 Gig0 1 Step 6 Verify the settings sensor config int inl show settings name PAIR1 description PAIR1 Gig0 0 Gig0 1 default interface1 GigabitEthernet0 0 interface2 GigabitEthernet0 1 Step 7 Exit inline interfaces submode sensor config int inl exit sensor conf...

Page 95: ... tool and a failover protection mechanism You can set the sensor in a mode where all the IPS processing subsystems are bypassed and traffic is permitted to flow between the inline pairs directly The bypass mode ensures that packets continue to flow through the sensor when the sensor s processes are temporarily stopped for upgrades or when the sensor s monitoring processes fail There are three mode...

Page 96: ...with administrator privileges Step 2 Enter interface submode sensor configure terminal sensor config service interface Step 3 Configure bypass mode sensor config int bypass mode off Step 4 Verify the settings sensor config int show settings bypass mode off default auto interface notifications missed percentage threshold 0 percent defaulted notification interval 30 seconds defaulted idle interface ...

Page 97: ... Log in to the CLI using an account with administrator privileges Step 2 Enter global configuration mode sensor configure terminal Step 3 Enter interface submode sensor config service interface Step 4 Enter interface notifications submode sensor config int interface notifications Step 5 Configure the idle interface delay sensor config int int idle interface delay 60 Step 6 Configure the missed per...

Page 98: ...5 12 Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5 0 78 16527 01 Chapter 5 Configuring Interfaces Configuring Interface Notifications ...

Page 99: ...Value Ratings page 6 7 Event Action Overrides page 6 7 Configuring Event Action Overrides page 6 8 Event Action Filters page 6 9 General Settings page 6 14 Event Action Rules Example page 6 19 About Event Action Rules Event action rules are a group of settings you configure for the event action processing component of the sensor These rules dictate the actions the sensor performs when an event occ...

Page 100: ...Signature event action filter SEAF Subtracts actions based on the signature event s SIGID addresses and RR The input to the SEAF is the signature event with actions possibly added by the SEAO Note The SEAF can only subtract actions it cannot add new actions The following parameters apply to the SEAF Signature ID Subsignature ID Attacker address Attacker port Victim address Victim port RR threshold...

Page 101: ...Event count Signature event action override Signature event action filter Signature event summary filter Signature event action handler Table 6 1 Event Actions Event Action Name Description Produce Alert Writes the event to the Event Store as an evIdsAlert Produce Verbose Alert Includes an encoded dump of the offending packet in the evIdsAlert Deny Attacker Inline Does not transmit this packet and...

Page 102: ...n the RR value Assign an RR to each event action type 4 Create filters Assign filters to subtract actions based on the signature s SIGID IP addresses and RR 5 Configure the general settings Specify whether you want to use the summarizer the meta event generator or configure denied attacker parameters Event Action Variables This section describes event action variables and contains the following to...

Page 103: ...9 10 10 10 89 10 23 Timesaver For example if you have an IP address space that applies to your engineering group and there are no Windows systems in that group and you are not worried about any Windows based attacks to that group you could set up a variable to be the engineering group s IP address space You could then use this variable to configure a filter that would ignore all Windows based atta...

Page 104: ...rom the alert severity parameter of the signature Signature Fidelity Rating A weight associated with how well this signature might perform in the absence of specific knowledge of the target SFR is calculated by the signature author on a per signature basis The signature author defines a baseline confidence ranking for the accuracy of the signature in the absence of qualifying intelligence on the t...

Page 105: ...VR to the network asset sensor config rul target value mission critical target address 10 89 130 108 Step 4 Check the TVR setting you just configured sensor config rul show settings target value min 0 max 5 current 1 target value setting mission critical target address 10 89 130 108 default 0 0 0 0 255 255 255 255 sensor config rul Step 5 Exit event action rules submode sensor config rul exit Appl...

Page 106: ...nistrator privileges Step 2 Enter event action rules submode sensor configure terminal sensor config service event action rules rules0 Step 3 To configure how packets are treated for overrides Note The default RR range is 0 to 100 Set it to a different value such as 85 to 100 a To deny packets from the source IP address of the attacker sensor config rul overrides deny attacker inline b To not tran...

Page 107: ...re sensor config rul ove exit sensor config rul overrides produce verbose alert c To write events that request an SNMP trap to the Event Store sensor config rul ove exit sensor config rul overrides request snmp trap Step 7 Exit event action rules submode sensor config rul ove exit sensor config rul Apply Changes yes Step 8 Press Enter to apply your changes or type no to discard them Event Action F...

Page 108: ...Action Variables page 6 5 Note You must preface the variable with a dollar sign to indicate that you are using a variable rather than a string Otherwise you receive the Bad source and destination error Use the filters edit insert move name1 begin end inactive before after command in service event action rules submode to set up event action filters To configure event action filters follow these ste...

Page 109: ...I Configuration Guide for IPS 5 0 78 16527 01 Chapter 6 Configuring Event Action Rules Event Action Filters d Set the victim address range sensor config rul fil victim address range 192 56 10 1 192 56 10 255 The default is 0 0 0 0 to 255 255 255 255 ...

Page 110: ...roduce alert Write evIdsAlert to EventStore produce verbose alert Write evIdsAlert to EventStore with triggerPacket request snmp trap Write evIdsAlert to EventStore with SNMP request in AlarmTraits h Set the status of the filter to either disabled or enabled sensor config rul fil filter item status enable disable The default is enabled i Set the stop on match parameter sensor config rul fil stop o...

Page 111: ... port range 0 65535 defaulted risk rating range 0 100 defaulted actions to remove defaulted filter item status Enabled defaulted stop on match False defaulted user comment defaulted NAME name1 signature id range 900 65535 defaulted subsignature id range 0 255 defaulted attacker address range 0 0 0 0 255 255 255 255 defaulted victim address range 0 0 0 0 255 255 255 255 defaulted attacker port rang...

Page 112: ...defaulted victim address range 0 0 0 0 255 255 255 255 defaulted attacker port range 0 65535 defaulted victim port range 0 65535 defaulted risk rating range 0 100 defaulted actions to remove defaulted filter item status Enabled defaulted stop on match False defaulted user comment defaulted sensor config rul Step 12 Exit event action rules submode sensor config rul exit Apply Changes yes Step 13 Pr...

Page 113: ...lert is created even if you do not select Produce Alert To prevent alerts from being created you must have all alert generating actions filtered out Summarization and event actions are processed after Engine META has processed the component events This lets the sensor watch for suspicious activity transpiring over a series of events Event Action Aggregation Basic aggregation provides two operating...

Page 114: ...ction The valid range is 0 to 10000000 The default is 30 minutes global deny timeout Number of seconds to deny attackers inline The valid range is 0 to 518400 The default is 3600 global filters status enabled disabled Enables or disables the use of the filters The default is enabled global metaevent status enabled disabled Enables or disables the use of the Meta Event Generator The default is enab...

Page 115: ...f minutes to block a host or a connection sensor config rul gen global block timeout 20 The default is 30 minutes Step 8 To enable or disable any overrides that you have set up sensor config rul gen global overrides status enabled disabled The default is enabled Step 9 To enable or disable any filters that you have set up sensor config rul gen global filters status enabled disabled The default is ...

Page 116: ...tatistics show that there are two IP addresses being denied at this time Step 3 Delete the denied attackers list sensor clear denied attackers Warning Executing this command will delete all addresses from the list of attackers currently being denied by the sensor Continue with clear yes Step 4 Type yes to clear the list Step 5 Verify that you have cleared the list sensor show statistics virtual se...

Page 117: ...t to know if the list has been cleared Event Action Rules Example The following example demonstrates how the individual components of your event action rules work together Risk Rating Ranges for Example 1 Produce Alert 1 100 Produce Verbose Alert 90 100 Request SNMP Trap 50 100 Log Pair Packets 90 100 Log Victim Packets 90 100 Log Attacker Packets 90 100 Reset TCP Connection 90 100 Request Block C...

Page 118: ...ons are subtracted If the attacker address is not 30 1 1 1 and the victim address is not 20 1 1 1 If the RR is 50 Produce Alert and Request SNMP Trap are added by the event action override component but Produce Alert is subtracted by the event action filter However the event action policy forces the alert action because Request SNMP Trap is dependent on the evIdsAlert If the RR is 89 Request SNMP ...

Page 119: ...ms may send out numerous ICMP messages which a signature based detection system might interpret as an attempt by an attacker to map out a network segment You can minimize false positives by tuning your signatures To configure a sensor to monitor network traffic for a particular signature you must enable the signature By default the most critical signatures are enabled when you install the signatur...

Page 120: ...variable When you change the value of a variable the variables in all signatures are updated This saves you from having to change the variable repeatedly as you configure signatures Note You must preface the variable with a dollar sign to indicate that you are using a variable rather than a string Some variables cannot be deleted because they are necessary to the signature system If a variable is ...

Page 121: ...iable affects all signatures that have web ports The default is 80 3128 8000 8010 8080 8888 24326 Step 5 Verify the changes sensor config sig show settings variables min 0 max 256 current 2 variable name IPADD ip addr range 10 1 1 1 10 1 1 24 protected entry variable name WEBPORTS web ports 80 3128 8000 default 80 80 3128 3128 8000 8000 8010 8010 80 80 8080 8888 8888 24326 24326 Step 6 Exit signat...

Page 122: ...to determine the seriousness of the alert Caution We do not recommend that you change the promisc delta setting for a signature Promiscuous delta lowers the RR of certain alerts in promiscuous mode Because the sensor does not know the attributes of the target system and in promiscuous mode cannot deny packets it is useful to lower the prioritization of promiscuous alerts based on the lower RR so t...

Page 123: ...n alert only once global summarize Summarizes an alert so that it only fires once regardless of how many attackers or victims summarize Summarize all the alerts summary interval Time in seconds used in each summary alert The value is 1 to 65535 summary key Storage type on which to summarize this signature Axxx Attacker address Axxb Attacker address and victim port AxBx Attacker and victim addresse...

Page 124: ...shold yes global summary threshold 3000 default 120 summary interval 5000 default 15 sensor config sig sig ale fir Step 6 Exit alert frequency submode sensor config sig sig ale fir exit sensor config sig sig ale exit sensor config sig sig exit sensor config sig exit Apply Changes yes Step 7 Press Enter to apply the changes or type no to discard them Configuring Alert Severity Use the alert severit...

Page 125: ...natures 9000 0 Step 4 Assign the alert severity sensor config sig sig alert severity medium Step 5 Verify the settings sensor config sig sig show settings protected entry sig id 9000 subsig id 0 alert severity medium default informational sig fidelity rating 75 defaulted promisc delta 0 defaulted sig description sig name Back Door Probe TCP 12345 defaulted sig string info SYN to TCP 12345 defaulte...

Page 126: ...fore the event count is reset The default is 60 To configure event counter follow these steps Step 1 Log in to the CLI using an account with administrator or operator privileges Step 2 Enter signature definition submode sensor configure terminal sensor config service signature definition sig0 Step 3 Choose the signature for which you want to configure event counter sensor config sig signatures 900...

Page 127: ...lies sig fidelity rating Identifies the weight associated with how well this signature might perform in the absence of specific knowledge of the target The valid value is 0 to 100 To configure the signature fidelity rating for a signature follow these steps Step 1 Log in to the CLI using an account with administrator or operator privileges Step 2 Enter signature definition submode sensor configure...

Page 128: ... apply status Identifies whether the signature is enabled disabled or retired enabled true false Enables the signature retired true false Retires the signature Caution Activating and retiring signatures can take 30 minutes or longer To change the status of a signature follow these steps Step 1 Log in to the CLI using an account with administrator or operator privileges Step 2 Enter signature defin...

Page 129: ...the TCP Flow inline only deny packet inline Does not transmit this packet log attacker packets Starts IP logging of packets containing the attacker address inline only log pair packets Starts IP logging of packets containing the attacker victim address pair log victim packets Starts IP logging of packets containing the victim address request block connection Requests Network Access Controller to b...

Page 130: ... config sig exit Apply Changes yes Step 8 Press Enter to apply the changes or type no to discard them Configuring AIC Signatures This section describes the AIC signatures and how to configure them It contains the following topics Overview page 7 12 Configuring the Application Policy page 7 13 AIC Request Method Signatures page 7 15 AIC MIME Define Content Type Signatures page 7 16 AIC Transfer Enc...

Page 131: ...f signature IDs and descriptions see AIC MIME Define Content Type Signatures page 7 16 For the procedure for creating a custom MIME signature see Example AIC MIME Type Signature page 7 36 Define web traffic policy There is one predefined signature 12674 that specifies the action to take when noncompliant HTTP traffic is seen The command alarm on non http traffic true false enables the signature By...

Page 132: ...s 1 to 16 The default is 10 To configure the application policy follow these steps Step 1 Log in to the CLI using an account with administrator or operator privileges Step 2 Enter application policy submode sensor configure terminal sensor config service signature definition sig0 sensor config sig application policy Step 3 Enable inspection of FTP traffic sensor config sig app ftp enable true Step...

Page 133: ...methods You can expand and modify the signatures define request method Recognized request methods Lists methods that are recognized by the sensor recognized request methods Table 7 1 lists the predefined define request method signatures Enable the signatures that have the predefined method you need For the procedure for enabling signatures see Configuring the Status of Signatures page 7 10 Table 7...

Page 134: ... 12700 Define Request Method UNEDIT 12701 Define Request Method SAVE 12702 Define Request Method LOCK 12703 Define Request Method UNLOCK 12704 Define Request Method REVLABEL 12705 Define Request Method REVLOG 12706 Define Request Method REVADD 12707 Define Request Method REVNUM 12708 Define Request Method SETATTRIBUTE 12709 Define Request Method GETATTRIBUTENAME 12710 Define Request Method GETPROP...

Page 135: ... Type audio basic Verification Failed 12635 0 12635 1 12635 2 Content Type audio mpeg Header Check Content Type audio mpeg Invalid Message Length Content Type audio mpeg Verification Failed 12636 0 12636 1 12636 2 Content Type audio x adpcm Header Check Content Type audio x adpcm Invalid Message Length Content Type audio x adpcm Verification Failed 12637 0 12637 1 12637 2 Content Type audio x aiff...

Page 136: ...i Header Check Content Type video x avi Invalid Message Length 12654 0 12654 1 12654 2 Content Type video x fli Header Check Content Type video x fli Invalid Message Length Content Type video x fli Verification Failed 12655 0 12655 1 12655 2 Content Type video x mng Header Check Content Type video x mng Invalid Message Length Content Type video x mng Verification Failed 12656 0 12656 1 12656 2 Con...

Page 137: ...ion x gzip Invalid Message Length Content Type application x gzip Verification Failed 12665 0 12665 1 Content Type application x java archive Header Check Content Type application x java archive Invalid Message Length 12666 0 12666 1 Content Type application x java vm Header Check Content Type application x java vm Invalid Message Length 12667 0 12667 1 12667 2 Content Type application pdf Header ...

Page 138: ...05 Define FTP command cdup 12906 Define FTP command cwd 12907 Define FTP command dele 12908 Define FTP command help 12909 Define FTP command list 12910 Define FTP command mkd 12911 Define FTP command mode 12912 Define FTP command nlst 12913 Define FTP command noop 12914 Define FTP command pass 12915 Define FTP command pasv 12916 Define FTP command port 12917 Define FTP command pwd 12918 Define FTP...

Page 139: ...em Sensor CLI Configuration Guide for IPS 5 0 78 16527 01 Chapter 7 Defining Signatures Configuring Signatures 12932 Define FTP command type 12933 Define FTP command user Table 4 FTP Commands Signatures continued Signature ID FTP Command ...

Page 140: ...s IP fragment reassembly signatures with the parameters that you can configure for IP fragment reassembly The IP fragment reassembly signatures are part of the NORMALIZER engine To configure IP fragment reassembly parameters follow these steps Step 1 Log in to the CLI using an account with administrator or operator privileges Step 2 Enter signature definition submode sensor configure terminal sens...

Page 141: ...ttings yes max fragments 20000 default 10000 sensor config sig sig nor def yes Step 8 Exit signature definition submode sensor config sig sig nor def yes exit sensor config sig sig nor def exit sensor config sig sig nor exit sensor config sig sig exit sensor config sig exit Apply Changes yes Step 9 Press Enter for apply the changes or type no to discard them Configuring the Method for IP Fragment ...

Page 142: ...ribes TCP stream reassembly and contains the following topics Overview page 7 24 Configuring TCP Stream Reassembly Parameters page 7 24 Configuring the Mode for TCP Stream Reassembly page 7 27 Overview You can configure the sensor to monitor only TCP sessions that have been established by a complete three way handshake You can also configure how long to wait for the handshake to complete and how l...

Page 143: ... TCP Retransmit Data Different None 1311 TCP Packet Exceeds MSS None 1312 TCP MSS Below Minimum tcp min mss 400 1313 TCP MSS Exceed Maximum tcp max mss 1460 1314 TCP SYN Packet with Data None 1330 0 TCP Drop Bad Checksum1 1330 1 TCP Drop Bad TCP Flags 1330 2 TCP Drop Urgent Pointer Without Flag 1330 3 TCP Drop Bad Option List 1330 4 TCP Drop Bad Option Length 1330 5 TCP Drop MSS Option in Non SYN ...

Page 144: ...nor def specify tcp max mss yes sensor config sig sig nor def yes tcp max mss 1380 Note Changing this parameter from the default of 1460 to 1380 helps prevent fragmentation of traffic going through a VPN tunnel Step 7 Verify the settings sensor config sig sig nor def yes show settings yes tcp max mss 1380 default 1460 sensor config sig sig nor def yes Step 8 Exit signature definition submode senso...

Page 145: ...c option disables TCP window evasion checking To configure the TCP stream reassembly parameters follow these steps Step 1 Log in to the CLI using an account with administrator or operator privileges Step 2 Enter TCP stream reassembly submode sensor configure terminal sensor config service signature definition sig0 sensor config sig stream reassembly Step 3 Specify that the sensor should only track...

Page 146: ...he default is 0 ip log time Identifies the duration you want the sensor to log The valid value is 30 to 300 seconds The default is 30 seconds Note When the sensor meets any one of the IP logging conditions it stops IP logging To configure the IP logging parameters follow these steps Step 1 Log in to the CLI using an account with administrator or operator privileges Step 2 Enter IP log submode sens...

Page 147: ...xample STRING TCP Signature page 7 30 Example SERVICE HTTP Signature page 7 32 Example MEG Signature page 7 33 Sequence for Creating a Custom Signature Use the following sequence when you create a custom signature Step 1 Select a signature engine Step 2 Assign the signature identifiers Signature ID SubSignature ID Signature name Alert notes optional User comments optional Step 3 Assign the engine ...

Page 148: ...be greater than or equal to the first number specify exact match offset yes no Enables exact match offset optional specify min match length yes no Enables min match length optional strip telnet options Strips Telnet option characters from data before searching swap attacker victim true false Whether address and ports source and destination are swapped in the alarm message The default is false for ...

Page 149: ...Step 11 Verify the settings sensor config sig sig str show settings string tcp event action produce alert defaulted strip telnet options false defaulted specify min match length no regex string This is my new Sig regex service ports 23 direction to service default to service specify exact match offset no specify max match offset no specify min match offset no swap attacker victim false defaulted s...

Page 150: ... name regex Enables arg name regex optional specify header regex Enables header regex optional specify request regex Enables request regex optional specify uri regex Enables uri regex optional service ports A comma separated list of ports or port ranges where the target service may reside swap attacker victim true false Whether address and ports source and destination are swapped in the alarm mess...

Page 151: ...sig sig ser reg specify uri regex yes sensor config sig sig ser reg yes uri regex Mm Yy Ff Oo Oo Step 11 Exit regex submode sensor config sig sig ser reg yes exit sensor config sig sig ser reg exit Step 12 Configure the service ports using the signature variable WEBPORTS sensor config sig sig ser service ports WEBPORTS Step 13 Exit signature definition submode sensor config sig sig ser exit sensor...

Page 152: ...nly does not transmit this packet and future packets on the TCP Flow deny packet inline Inline mode only does not transmit this packet log attacker packets Starts IP logging of packets containing the attacker address log pair packets Starts IP logging of packets containing the attacker victim address pair log victim packets Starts IP logging of packets containing the victim address request block c...

Page 153: ...g sig met component list insert c1 begin Step 6 Specify the signature ID of the signature on which to match this component sensor config sig sig met com component sig id 2000 Step 7 Exit component list submode sensor config sig sig met com exit Step 8 Insert another MEG signature named c2 at the end of the list sensor config sig sig met component list insert c2 end Step 9 Specify the signature ID ...

Page 154: ... deny attacker inline Does not transmit this packet and future packets from the attacker address for a specified period of time inline only deny connection inline Does not transmit this packet and future packets on the TCP flow inline only deny packet inline Does not transmit this packet inline only log attacker packets Starts IP logging of packets containing the attacker address log pair packets ...

Page 155: ...al sensor config service signature definition sig0 sensor config sig signatures 60001 0 sensor config sig sig engine application policy enforcement http Step 3 Specify the event action sensor config sig sig app event action produce alert log pair packets Step 4 Define the signature type sensor config sig sig app signature type content type define content type Step 5 Define the content type sensor ...

Page 156: ...7 38 Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5 0 78 16527 01 Chapter 7 Defining Signatures Creating Custom Signatures ...

Page 157: ...can also have the sensor log IP packets every time a particular signature is fired You can specify how long you want the sensor to log IP traffic and how many packets and bytes you want logged Caution Turning on IP logging slows down system performance Note You cannot delete or manage IP log files The no iplog command does not delete IP logs it only stops more packets from being recorded for that ...

Page 158: ...eters is reached To reset the parameters use the default keyword To copy and view an IP log file see Copying IP Log Files to Be Viewed page 8 6 Automatic IP logging is configured on a per signature basis or as an event action override The following actions trigger automatic IP logging log attacker packets log victim packets log pair packets For more information see Chapter 6 Configuring Event Acti...

Page 159: ...ip address Logs packets containing the specified source and or destination IP address minutes Duration the logging should be active The valid range is 1 to 60 minutes The default is 10 minutes numPackets Maximum number of packets to log The valid range is 0 to 4294967295 The default is 1000 packets numBytes Maximum number of bytes to log The valid range is 0 to 4294967295 A value of 0 indicates un...

Page 160: ... sensor Note Each alert references IP logs that are created because of that alert If multiple alerts create IP logs for the same IP address only one IP log is created for all the alerts Each alert references the same IP log However the output of the IP log status only shows the event ID of the first alert triggering the IP log Stopping Active IP Logs Use the no iplog log id log id name name comman...

Page 161: ...Event ID 0 Bytes Captured 0 Packets Captured 0 sensor Note Each alert references IP logs that are created because of that alert If multiple alerts create IP logs for the same IP address only one IP log is created for all the alerts Each alert references the same IP log However the output of the IP log status only shows the event ID of the first alert triggering the IP log b Stop the IP log session...

Page 162: ...ou use FTP or SCP protocol you are prompted for a password To copy IP log files to an FTP or SCP server follow these steps Step 1 Log in to the CLI Step 2 Monitor the IP log status with the iplog status command until you see that the status reads completed for the log ID of the log file that you want to copy sensor iplog status Log ID 2425 IP Address 10 1 1 2 Virtual Sensor vs0 Status started Star...

Page 163: ... 0 78 16527 01 Chapter 8 Configuring IP Logging Copying IP Log Files to Be Viewed Step 4 Open the IP log using a sniffer program such as WireShark or TCPDUMP For more information on WireShark go to http www wireshark org For more information on TCPDUMP go to http www tcpdump org ...

Page 164: ...8 8 Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5 0 78 16527 01 Chapter 8 Configuring IP Logging Copying IP Log Files to Be Viewed ...

Page 165: ...ay or capture live traffic from an interface and have the live traffic or a previously captured file put directly on the screen Storage is available for one local file only subsequent capture requests overwrites an existing file The size of the storage file varies depending on the platform A message may be displayed if the maximum file size is reached before the requested packet count is captured ...

Page 166: ... required length to catch whole packets count Maximum number of packets to capture optional The valid range is 1 to 10000 Note If you do not specify this option the capture terminates after the maximum file size is captured verbose Displays the protocol tree for each packet rather than a one line summary optional expression Packet display filter expression This expression is passed directly to TCP...

Page 167: ... tcp sum ok 664 904 240 ack 1 win 8576 nop nop timestamp 44085169 226014949 03 43 05 693628 IP tos 0x10 ttl 64 id 53737 offset 0 flags DF length 52 10 89 147 50 41805 10 89 147 31 22 tcp sum ok 1 1 0 ack 424 win 11704 nop nop timestamp 226014949 44085169 03 43 05 693654 IP tos 0x10 ttl 64 id 53738 offset 0 flags DF length 52 10 89 147 50 41805 10 89 147 31 22 tcp sum ok 1 1 0 ack 664 win 11704 nop...

Page 168: ...ack 1 win 8704 03 42 02 511408 IP tos 0x10 ttl 64 id 27746 offset 0 flags DF length 248 10 89 147 31 22 64 101 182 54 47039 P tcp sum ok 384 592 208 ack 1 win 8704 03 42 02 511545 IP tos 0x10 ttl 64 id 27747 offset 0 flags DF length 240 10 89 147 31 22 64 101 182 54 47039 P tcp sum ok 592 792 200 ack 1 win 8704 Step 4 To display information about the packet file sensor packet display file info Cap...

Page 169: ...the sensor using an account with administrator or operator privileges Step 2 Capture the live traffic on the interface you are interested in for example GigabitEthernet0 1 sensor packet capture GigabitEthernet0 1 Warning This command will cause significant performance degradation tcpdump WARNING ge0_1 no IPv4 address assigned tcpdump listening on ge0_1 link type EN10MB Ethernet capture size 65535 ...

Page 170: ...00 00 04 9a 66 35 01 8025 root 8000 0 0 04 6d f9 e8 82 pathcost 8 age 2 max 20 hello 2 fdelay 15 03 03 25 846552 IP 172 20 12 10 2984 10 89 130 127 445 S 1345848756 134584875 6 0 win 64240 mss 1460 nop nop sackOK 03 03 26 195342 IP 161 44 55 250 2178 10 89 130 65 445 S 3170518052 317051805 2 0 win 65520 mss 1260 nop nop sackOK 03 03 27 222725 802 1d config TOP_CHANGE 8000 00 04 9a 66 35 01 8025 ro...

Page 171: ...packet file to an FTP or SCP server sensor copy packet file scp jbrown 64 101 182 20 work Password packet file 100 1670 0 0KB s 00 00 sensor Step 3 View the packet file with Wireshark or TCP Dump Erasing the Packet File Use the erase packet file command to erase the packet file There is only one packet file It is 16 MB and is over written each time you use the packet capture command To erase the p...

Page 172: ...9 8 Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5 0 78 16527 01 Chapter 9 Displaying and Capturing Live Traffic on an Interface Erasing the Packet File ...

Page 173: ...f Blocked Hosts and Connections page 10 28 Understanding Blocking Network Access Controller the blocking application on the sensor starts and stops blocks on routers switches PIX Firewalls FWSM and ASA Network Access Controller blocks the IP address on the devices it is managing It sends the same block to all the devices it is managing including any other master blocking sensors Network Access Con...

Page 174: ...rmit or deny passage of data packets through interface ports or VLANs Each ACL or VACL contains permit and deny conditions that apply to IP addresses The PIX Firewall FWSM and ASA do not use ACLs or VACLs The built in shun no shun command is used You need the following information for Network Access Controller to manage a device Login user ID if the device is configured with AAA Login password Ena...

Page 175: ...ow the names of the Pre Block ACL or VACL and Post Block ACL or VACL if needed Understand which interfaces should and should not be blocked and in which direction in or out You do not want to accidentally shut down an entire network Supported Blocking Devices By default Network Access Controller supports up to 250 devices in any combination The following devices are supported by Network Access Con...

Page 176: ...e them use the following procedures Allowing the Sensor to Block Itself page 10 4 Disabling Blocking page 10 6 Setting Maximum Block Entries page 10 8 Setting the Block Time page 10 10 Enabling ACL Logging page 10 11 Enabling Writing to NVRAM page 10 12 Logging All Blocking Events and Errors page 10 13 Configuring the Maximum Number of Blocking Interfaces page 10 14 Configuring Addresses Never to ...

Page 177: ...le nvram write false defaulted enable acl logging false defaulted allow sensor block true default false block enable true default true block max entries 100 default 250 max interfaces 250 defaulted master blocking sensors min 0 max 100 current 0 never block hosts min 0 max 250 current 1 ip address 11 11 11 11 never block networks min 0 max 250 current 1 ip address 12 12 0 0 16 block hosts min 0 ma...

Page 178: ... configure something on that device you should disable blocking first You want to avoid a situation in which both you and Network Access Controller could be making a change at the same time on the same device This could cause the device and or Network Access Controller to crash Caution If you disable blocking for maintenance on the devices make sure you enable it after the maintenance is complete ...

Page 179: ...min 0 max 100 current 0 never block hosts min 0 max 250 current 1 ip address 11 11 11 11 never block networks min 0 max 250 current 1 ip address 12 12 0 0 16 block hosts min 0 max 250 current 0 MORE Step 6 Enable blocking on the sensor sensor config net gen block enable true Step 7 Verify that the setting has been returned to the default sensor config net gen show settings general log all block ev...

Page 180: ...hun entries Refer to the documentation for each device to determine its limits before increasing this number Note The number of blocks will not exceed the maximum block entries If the maximum is reached new blocks will not occur until existing blocks time out and are removed To change the maximum number of block entries follow these steps Step 1 Log in to the CLI using an account with administrato...

Page 181: ...s Step 7 Verify the setting sensor config net gen show settings general log all block events and errors true defaulted enable nvram write false defaulted enable acl logging false defaulted allow sensor block false default false block enable true defaulted block max entries 250 defaulted max interfaces 250 defaulted master blocking sensors min 0 max 100 current 0 never block hosts min 0 max 250 cur...

Page 182: ...ensor configure terminal sensor config service event action rules rules0 Step 3 Enter general submode sensor config rul general Step 4 Configure the block time sensor config rul gen global block timeout 60 The value is the time duration of the block event in minutes 0 to 10000000 Step 5 Verify the setting sensor config rul gen show settings general global overrides status Enabled defaulted global ...

Page 183: ...general submode sensor config net general Step 4 Enable ACL logging sensor config net gen enable acl logging true Step 5 Verify that ACL logging is enabled sensor config net gen show settings general log all block events and errors true defaulted enable nvram write false defaulted enable acl logging true default false allow sensor block false defaulted block enable true defaulted block max entries...

Page 184: ... short time without blocking occurs after a router reboot And not enabling NVRAM writing increases the life of the NVRAM and decreases the time for new blocks to be configured To enable writing to NVRAM follow these steps Step 1 Log in to the CLI using an account with administrator privileges Step 2 Enter network access submode sensor configure terminal sensor config service network access Step 3 ...

Page 185: ...e service network access submode to configure the sensor to log events that follow blocks from start to finish For example when a block is added to or removed from a device an event is logged You may not want all of these events and errors to be logged Disabling log all block events and errors suppresses the new events and errors The default is enabled To disable blocking event and error logging f...

Page 186: ... Configuring the Maximum Number of Blocking Interfaces Use the max interfaces command to configure the maximum number of interfaces for performing blocks For example a PIX Firewall counts as one interface A router with one interface counts as one but a router with two interfaces counts as two You can configure up to 250 Catalyst 6K switches 250 routers and 250 firewalls The max interfaces command ...

Page 187: ...ault false allow sensor block false defaulted block enable true defaulted block max entries 250 defaulted max interfaces 250 defaulted master blocking sensors min 0 max 100 current 0 Step 8 Exit network access mode sensor config net gen exit sensor config net exit Apply Changes yes Step 9 Press Enter to apply the changes or type no to discard them Configuring Addresses Never to Block Use the never...

Page 188: ...block hosts 10 16 0 0 For an entire network sensor config net gen never block networks 10 0 0 0 8 Step 5 Verify the settings sensor config net gen show settings general log all block events and errors true defaulted enable nvram write false defaulted enable acl logging false defaulted allow sensor block false default false block enable true default true block max entries 100 default 250 max interf...

Page 189: ...before configuring the blocking device To set up user profiles follow these steps Step 1 Log in to the CLI using an account with administrator privileges Step 2 Enter network access mode sensor configure terminal sensor config service network access sensor config net Step 3 Create the user profile name sensor config net user profiles PROFILE1 Step 4 Type the username for that user profile sensor c...

Page 190: ...es Switches and Cisco 7600 Series Routers page 10 21 Configuring the Sensor to Manage Cisco Firewalls page 10 24 How the Sensor Manages Devices Network Access Controller uses ACLs on Cisco routers and switches to manage those devices These ACLs are built as follows 1 A permit line with the sensor s IP address or if specified the NAT address of the sensor Note If you permit the sensor to be blocked...

Page 191: ...page 10 6 Caution A single sensor can manage multiple devices but you cannot use multiple sensors to control a single device In this case use a master blocking sensor For the procedure see Configuring the Sensor to be a Master Blocking Sensor page 10 25 Configuring the Sensor to Manage Cisco Routers This section describes how to configure the sensor to manage Cisco routers It contains the followin...

Page 192: ... an interface or direction of the router it removes the application of any other ACL to that interface or direction Configuring the Sensor to Manage Cisco Routers To configure a sensor to manage Cisco routers follow these steps Step 1 Log in to the CLI using an account with administrator privileges Step 2 Enter network access submode sensor configure terminal sensor config service network access S...

Page 193: ... name post_acl_name Step 10 Exit network access submode sensor config net rou blo exit sensor config net rou exit sensor config net exit sensor config exit Apply Changes yes Step 11 Press Enter to apply the changes or type no to discard them Configuring the Sensor to Manage Catalyst 6500 Series Switches and Cisco 7600 Series Routers This section describes how to configure the sensor to manage Cisc...

Page 194: ... existing VACL on the VLAN that the sensor will manage the existing VACL can be used as a Post Block VACL If you do not have a Post Block V ACL the sensor inserts a permit ip any any at the end of the new VACL Note The IDSM 2 inserts a permit ip any any capture at the end of the new VACL When the sensor starts up it reads the contents of the two VACLs It creates a third VACL with the following ent...

Page 195: ...ure see Adding Hosts to the Known Hosts List page 4 31 Step 6 Specify the sensor s NAT address sensor config net cat nat address nat_address Note This changes the IP address in the first line of the ACL from the sensor s address to the NAT address This is not a NAT address configured on the device being managed It is the address the sensor is translated to by an intermediate device one that is bet...

Page 196: ... to see if the logical device exists Step 5 Designate the method used to access the sensor sensor config net fir communication telnet ssh des sh 3des If unspecified SSH 3DES is used Note If you are using DES or 3DES you must use the command ssh host key ip_address to accept the key or Network Access Controller cannot connect to the device For the procedure see Adding Hosts to the Known Hosts List ...

Page 197: ...he master blocking sensor is configured to manage the network devices Blocking forwarding sensors are not normally configured to manage other network devices although doing so is permissible Caution Only one sensor should control all blocking interfaces on a device Use the master blocking sensors mbs_ip_address command in the service network access submode to configure a master blocking sensor The...

Page 198: ... blocking sensor host sensor s certificate by logging in to the host sensor and typing the show tls fingerprint command to see that the host certificate s fingerprints match Step 4 Type yes to accept the certificate from the master blocking sensor Step 5 Enter network access mode sensor config service network access Step 6 Enter general submode sensor config net general Step 7 Add a master blockin...

Page 199: ...ou can also view a list of hosts and networks that are being blocked Note Manual blocks in the CLI are actually changes to the configuration so they are permanent You cannot do a timed manual block You cannot use the IPS manager to delete blocks created by the CLI Manual blocks have to be removed in the CLI Caution We recommend that you use manual blocking on a very limited basis if at all To manu...

Page 200: ...ions Use the show statistics command to obtain a list of blocked hosts and blocked connections To obtain a list of blocked hosts and connections follow these steps Step 1 Log in to the CLI Step 2 Check the statistics for Network Access Controller sensor show statistics network access Current Configuration LogAllBlockEventsAndSensors true EnableNvramWrite false EnableAclLogging false AllowSensorBlo...

Page 201: ... for IPS 5 0 78 16527 01 Chapter 10 Configuring Blocking Obtaining a List of Blocked Hosts and Connections BlockedAddr Host IP 192 168 1 1 Vlan ActualIp BlockMinutes 80 MinutesRemaining 76 The Host entry indicates which hosts are being blocked and how long the blocks are ...

Page 202: ...10 30 Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5 0 78 16527 01 Chapter 10 Configuring Blocking Obtaining a List of Blocked Hosts and Connections ...

Page 203: ...tches routers and sensors You can configure the sensor to send SNMP traps SNMP traps enable an agent to notify the management station of significant events by way of an unsolicited SNMP message Trap directed notification has the following advantage if a manager is responsible for a large number of devices and each device has a large number of objects it is impractical to poll or request informatio...

Page 204: ...t option modifies the SNMPv2 MIB sysContact 0 value system location The location of the sensor The system location option modifies the SNMPv2 MIB sysLocation 0 value To configure SNMP general parameters follow these steps Step 1 Log in to the CLI using an account with administrator privileges Step 2 Enter notification submode sensor configure terminal sensor config service notification Step 3 Enab...

Page 205: ...he port or protocol f Select the protocol the sensor SNMP agent will use sensor config not snmp agent protocol udp Note You must reboot the sensor if you change the port or protocol Step 5 Verify the settings sensor config not show settings trap destinations min 0 max 10 current 0 error filter error fatal defaulted enable detail traps false defaulted enable notifications false defaulted enable set...

Page 206: ...s and alert events generated from signature actions trap community name The community name used when sending the trap If no community name is specified the general trap community name is used trap port The port number to send the SNMP trap to To configure SNMP traps follow these steps Step 1 Log in to the CLI using an account with administrator privileges Step 2 Enter notification submode sensor c...

Page 207: ... something that identifies the router or sensor specifically in your community string you can filter the traps based on the community string Step 6 Verify the settings sensor config not tra exit sensor config not show settings trap destinations min 0 max 10 current 1 ip address 10 1 1 1 trap community name AUSTIN_PUBLIC default trap port 161 default 162 error filter warning error fatal default err...

Page 208: ... on the sensor CISCO CIDS MIB CISCO PROCESS MIB CISCO ENHANCED MEMPOOL MIB CISCO ENTITY ALARM MIB You can obtain these private Cisco MIBs under the heading SNMP v2 MIBs at this URL http www cisco com public sw center netmgmt cmtk mibs shtml The management MIB supported on the sensor is the rfc1213 mib 2 You can obtain the mib 2 from any public domain such as http www ietf org rfc rfc1213 txt ...

Page 209: ...gical File page 12 13 Copying and Restoring the Configuration File Using a Remote Server page 12 15 Creating and Using a Backup Configuration File page 12 17 Erasing the Configuration File page 12 17 Displaying the Current Configuration Use the show configuration or the more current config command to display the contents of the current configuration To display the contents of the current configura...

Page 210: ...vice generic specify payload source yes payload source l2 header exit exit exit signatures 12300 0 status enabled true retired true exit exit signatures 1206 0 engine normalizer event action produce alert produce verbose alert deny attacker inline deny conne ction inline deny packet inline log attacker packets log pair packets log victim packets request block connection request block host request ...

Page 211: ... etIJLEeRFh mI2JcmwF2QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAAUI2PLANTOehxvCfwd6UAFXvy8ui fbjqKMC1jrrF f9KGkxmR XZvUaGOS83FYDXlXJvB5Xyxms Y01wGjzKKpxegBoan8OB8o193Ueszdpv z2xYmiEgywCDyVJRsw3hAFMXWMS5XsBUiHtw0btHH0j7ElFZxUjZv12fGz8hlnY exit service web server exit sensor Displaying the Current Submode Configuration Use the show settings command in a submode to display the current configuration of that subm...

Page 212: ... 256 current 0 overrides min 0 max 12 current 0 filters min 0 max 4096 current 0 0 active 0 inactive general global overrides status Enabled defaulted global filters status Enabled defaulted global summarization status Enabled defaulted global metaevent status Enabled defaulted global deny timeout 3600 defaulted global block timeout 30 defaulted max denied attackers 10000 defaulted target value mi...

Page 213: ...play the current configuration of the service interface submode sensor configure terminal sensor config service interface sensor config int show settings physical interfaces min 0 max 999999999 current 2 protected entry name GigabitEthernet0 1 media type backplane protected description defaulted admin state enabled protected duplex auto protected speed auto protected alt tcp reset interface none p...

Page 214: ...ontrol false defaulted zone control min 0 max 999999999 current 14 protected entry zone name Cid severity debug defaulted protected entry zone name AuthenticationApp severity warning defaulted protected entry zone name Cli severity warning defaulted protected entry zone name csi severity warning defaulted protected entry zone name ctlTransSource severity warning defaulted protected entry zone name...

Page 215: ...gging false defaulted allow sensor block false defaulted block enable true defaulted block max entries 250 defaulted max interfaces 250 defaulted master blocking sensors min 0 max 100 current 0 never block hosts min 0 max 250 current 0 never block networks min 0 max 250 current 0 block hosts min 0 max 250 current 0 block networks min 0 max 250 current 0 user profiles min 0 max 250 current 1 profil...

Page 216: ...d only community public defaulted read write community private defaulted trap community name public defaulted system location Unknown defaulted system contact Unknown defaulted sensor config not exit sensor config exit sensor Step 10 Display the current configuration for the signature definitions submode sensor configure terminal sensor config service signature definition sig0 sensor config sig sh...

Page 217: ...EChMTQ2lzY28gU3lzdGVtcywgSW5jLjESMBAGA1UECxMJU1NNLUlQUzIwMRYwFAYDV QQDEw0xMC44OS4xMzAuMTA4MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzldqLFG4MT4bfgh3mJ fP DCilnnaLfzHK9FdnhmWI4FY 9MVvAI7MOhAcuV6HYfyp6n6cYvH Eswzl9uv7H5nouID9St9GI3Yr SUtlIQAJ4QVL2DwWP230x6KdHrYqcj Nmhc7AnnPypjidwGSfF VetIJLEeRFh mI2JcmwF2QIDAQABM A0GCSqGSIb3DQEBBQUAA4GBAAUI2PLANTOehxvCfwd6UAFXvy8uifbjqKMC1jrrF f9KGkxmR XZvUaG OS83FYDXl...

Page 218: ...regular expression option is case sensitive and allows for complex matching requirements To search or filter the output of the contents of the current configuration follow these steps Step 1 Log in to the CLI using an account with administrator privileges Step 2 Search the configuration output beginning with the regular expression ssh for example Note The show configuration begin regular expressio...

Page 219: ...rd time zone name UTC exit exit exit MORE Note Press Ctrl C to stop the output and return to the CLI prompt Step 4 Filter the current configuration so that you include lines that contain a regular expression for example service sensor show configuration include service service analysis engine service authentication service event action rules rules0 service host service interface service logger ser...

Page 220: ... the CLI using an account with administrator privileges Step 2 Search the output of the event action rules settings for the regular expression filters for example sensor configure terminal sensor config service event action rules sensor config rul show settings begin filters filters min 0 max 4096 current 0 0 active 0 inactive general global overrides status Enabled defaulted global filters status...

Page 221: ...d Either the current config or the backup config current config The current running configuration This configuration becomes persistent as the commands are entered backup config The storage location for the configuration backup file Note Operators and viewers can only display the current configuration Only administrators can view hidden fields such as passwords You can disable the more prompt in m...

Page 222: ...ice logger exit service network access user profiles test1 exit cat6k devices 1 1 1 1 communication ssh 3des profile name test1 block vlans 234 pre vacl name aaaa post vacl name bbbb exit exit exit service notification exit service signature definition sig0 signatures 2200 0 engine service generic specify payload source yes payload source l2 header exit exit exit signatures 12300 0 status enabled ...

Page 223: ...RIwEAYDV QQLEwlTU00tSVBTMjAxFjAUBgNVBAMTDTEwLjg5LjEzMC4xMDgwHhcNMDMwMTAzMDE1MjEwWhcNMDUwM TAzMDE1MjEwWjBXMQswCQYDVQQGEwJVUzEcMBoGA1UEChMTQ2lzY28gU3lzdGVtcywgSW5jLjESMBAGA 1UECxMJU1NNLUlQUzIwMRYwFAYDVQQDEw0xMC44OS4xMzAuMTA4MIGfMA0GCSqGSIb3DQEBAQUAA4GNA DCBiQKBgQCzldqLFG4MT4bfgh3mJfP DCilnnaLfzHK9FdnhmWI4FY 9MVvAI7MOhAcuV6HYfyp6n6cY vH Eswzl9uv7H5nouID9St9GI3YrSUtlIQAJ4QVL2DwWP230x6KdHrYqcj Nmhc7Ann...

Page 224: ... filename ftp username location absoluteDirectory filename scp Source or destination URL for the SCP network server The syntax for this prefix is scp username location relativeDirectory filename scp username location absoluteDirectory filename http Source URL for the web server The syntax for this prefix is http username location directory filename https Source URL for the web server The syntax fo...

Page 225: ...te the current configuration file with the backup configuration file To back up your current configuration follow these steps Step 1 Log in to the CLI using an account with administrator privileges Step 2 Save the current configuration sensor copy current config backup config The current configuration is saved in a backup file Step 3 Display the backup configuration file sensor more backup config ...

Page 226: ...ck to the default follow these steps Step 1 Log in to the CLI using an account with administrator privileges sensor erase current config Warning Removing the current config file will result in all configuration being reset to default including system information such as IP address User accounts will not be erased They must be removed manually using the no username command Continue Step 2 Press Ent...

Page 227: ...Displaying Version Information page 13 19 Directing Output to a Serial Connection page 13 21 Diagnosing Network Connectivity page 13 22 Resetting the Appliance page 13 23 Displaying Command History page 13 24 Displaying Hardware Inventory page 13 24 Tracing the Route of an IP Packet page 13 25 Displaying Submode Settings page 13 26 Creating a Banner Login Use the banner login command to create a b...

Page 228: ...mmand to terminate another CLI session If you use the message keyword you can send a message along with the termination request to the receiving user The maximum message length is 2500 characters The following options apply cli id CLI ID number associated with the login session Use the show users command to find the CLI ID number message Message to send to the receiving user Caution You can only c...

Page 229: ...he following message from the administrator jtaylor sensor Termination request from jtaylor Sorry I need to terminate your session Modifying Terminal Properties Use the terminal length screen length command to modify terminal properties for a login session The screen length option lets you set the number of lines that appear on the screen before the more prompt is displayed A value of zero results...

Page 230: ... not specify an event type all events are displayed Note Events are displayed as a live feed until you cancel the request by pressing Ctrl C The following options apply alert Displays alerts Provides notification of some suspicious activity that may indicate an attack is in process or has been attempted If no level is selected informational low medium or high all alert events are displayed include...

Page 231: ...ntil you press Ctrl C Step 3 Display the block requests beginning at 10 00 a m on February 9 2005 sensor show events NAC 10 00 00 Feb 9 2005 evShunRqst eventId 1106837332219222281 vendor Cisco originator deviceName Sensor1 appName NetworkAccessControllerApp appInstance 654 time 2005 02 09 10 33 31 2004 08 09 13 13 31 shunInfo host connectionShun false srcAddr 11 0 0 1 destAddr srcPort destPort pro...

Page 232: ...95939102805308 severity medium vendor Cisco originator MORE Step 6 Display events that began 30 seconds in the past sensor show events past 00 00 30 evStatus eventId 1041526834774829055 vendor Cisco originator hostId sensor appName mainApp appInstanceId 2215 time 2003 01 08 02 41 00 2003 01 08 02 41 00 UTC controlTransaction command getVersion successful true description Control transaction respon...

Page 233: ...cs Displaying the System Clock page 13 7 Manually Setting the Clock page 13 8 Displaying the System Clock Use the show clock detail command to display the system clock You can use the detail option to indicate the clock source NTP or system and the current summertime setting if any The system clock keeps an authoritative flag that indicates whether the time is authoritative believed to be accurate...

Page 234: ...You do not need to set the system clock if your sensor is synchronized by a valid outside timing mechanism such as an NTP clock source For the procedure for configuring NTP see Configuring NTP page 4 27 For an explanation of the importance of having a valid time source for the sensor see Time Sources and the Sensor page 4 18 For an explanation of what to do if you set the clock incorrectly see Cor...

Page 235: ...attackers currently being denied by the sensor Continue with clear yes Step 4 Type yes to clear the list Step 5 Verify that you have cleared the list sensor show statistics virtual sensor Virtual Sensor Statistics Statistics for Virtual Sensor vs0 Name of current Signature Definition instance sig0 Name of current Event Action Rules instance rules0 List of interfaces monitored by this virtual senso...

Page 236: ...r Virtual Sensor vs0 Name of current Signature Definition instance sig0 Name of current Event Action Rules instance rules0 List of interfaces monitored by this virtual sensor fe0_1 General Statistics for this Virtual Sensor Number of seconds since a reset of the statistics 1675 Measure of the level of resource utilization 0 Total packets processed since reset 241 Total IP packets processed since r...

Page 237: ... reset 0 Fragments hitting too many fragments condition since last reset 0 Number of overlapping fragments since last reset 0 Number of Datagrams too big since last reset 0 Number of overwriting fragments since last reset 0 Number of Initial fragment missing since last reset 0 Fragments hitting the max partial dgrams limit since last reset 0 Fragments too small since last reset 0 Too many fragment...

Page 238: ...ets 0 produce alert 0 produce verbose alert 0 request block connection 0 request block host 0 request snmp trap 0 reset tcp connection 0 SigEvent Action Filter Stage Statistics Number of Alerts received to Action Filter Processor 0 Number of Alerts where an action was filtered 0 Number of Filter Line matches 0 Actions Filtered deny attacker inline 0 deny connection inline 0 deny packet inline 0 mo...

Page 239: ...P packets processed since reset 12 Transmitter Statistics Total number of packets transmitted 290 Total number of packets denied 0 Total number of packets reset 0 Fragment Reassembly Unit Statistics Number of fragments currently in FRU 0 Number of datagrams currently in FRU 0 TCP Stream Reassembly Unit Statistics TCP streams currently in the embryonic state 0 TCP streams currently in the establish...

Page 240: ...nts informational 60 Alert events low 1 Alert events medium 60 Alert events high 0 sensor Step 8 Display the statistics for the host sensor show statistics host General Statistics Last Change To Host Config UTC 16 11 05 Thu Feb 10 2005 Command Control Port Device FastEthernet0 0 Network Statistics fe0_0 Link encap Ethernet HWaddr 00 0B 46 53 06 AA inet addr 10 89 149 185 Bcast 10 89 149 255 Mask 2...

Page 241: ... Fatal Severity 0 Error Severity 64 Warning Severity 24 Timing Severity 311 Debug Severity 31522 Unknown Severity 7 TOTAL 31928 sensor Step 10 Display the stat its tics for Network Access Controller sensor show statistics network access Current Configuration LogAllBlockEventsAndSensors true EnableNvramWrite false EnableAclLogging false AllowSensorBlock false BlockMaxEntries 11 MaxDeviceInterfaces ...

Page 242: ...te BlockEnable true NetDevice IP 10 89 150 171 AclSupport Does not use ACLs Version 6 3 State Active Firewall type PIX NetDevice IP 10 89 150 219 AclSupport Does not use ACLs Version 7 0 State Active Firewall type ASA NetDevice IP 10 89 150 250 AclSupport Does not use ACLs Version 2 2 State Active Firewall type FWSM NetDevice IP 10 89 150 158 AclSupport uses Named ACLs Version 12 2 State Active Ne...

Page 243: ...e statistics for the transaction server sensor show statistics transaction server General totalControlTransactions 35 failedControlTransactions 0 sensor Step 14 Display the statistics for the transaction source sensor show statistics transaction source General totalControlTransactions 0 failedControlTransactions 0 sensor Step 15 Display the statistics for Web Server sensor show statistics web serv...

Page 244: ... log by severity Fatal Severity 0 Error Severity 0 Warning Severity 0 Timing Severity 0 Debug Severity 0 Unknown Severity 0 TOTAL 0 sensor The statistics all begin from 0 Displaying Tech Support Information Use the show tech support page password destination url destination url command to display system information on the screen or have it sent to a specific URL You can use the information as a tr...

Page 245: ...lativeDirectory filename or ftp username location absoluteDirectory filename scp Destination URL for the SCP network server The syntax for this prefix is scp username location relativeDirectory filename or scp username location absoluteDirectory filename For example to send the tech support output to the file absolute reports sensor1Report html sensor show tech support dest ftp csidsuser 10 2 1 2 ...

Page 246: ...18T03 13 47 0600 Upgrade History IDS K9 maj 5 0 0 29 S91 0 29 pkg 03 00 00 UTC Mon Feb 16 2004 Recovery Partition Version 1 1 5 0 0 29 S91 0 29 sensor Sample version output for NM CIDS nm cids show version Application Partition Cisco Intrusion Prevention System Version 5 0 0 27 S129 0 OS Version 2 4 26 IDS smp bigphys Platform NM CIDS Serial Number JAD06490681 No license present Sensor up time is ...

Page 247: ...ion rules rules0 exit service host network settings host ip 10 89 147 31 25 10 89 147 126 host name sensor access list 0 0 0 0 0 login banner text This message will be displayed on banner login exit time zone settings MORE Directing Output to a Serial Connection Use the display serial command to direct all output to a serial connection This lets you view system messages on a remote console using t...

Page 248: ...pt is available for this command It must run to completion To diagnose basic network connectivity follow these steps Step 1 Log in to the CLI Step 2 Ping the address you are interested in sensor ping ip address count The count is the number of echo requests to send If you do not specify a number 4 requests are sent The range is 1 to 10 000 Example of a successful ping sensor ping 10 89 146 110 6 P...

Page 249: ... AIP SSM page 14 5 Shut down stopping the applications begins immediately after you execute the command Shutdown can take a while and you can still access CLI commands while it is taking place but the session will be terminated without warning To reset the appliance follow these steps Step 1 Log in to the CLI using an account with administrator privileges Step 2 To stop all applications and reboot...

Page 250: ...mode sensor configure terminal sensor config service network access sensor config net show history show settings show settings terse show settings include profile name ip address exit show history sensor config net Displaying Hardware Inventory Use the show inventory command to display PEP information This command displays the UDI information that consists of the PID the VID and the SN of your sen...

Page 251: ...he valid values are 1 to 256 Caution There is no command interrupt available for this command It must run to completion To trace the route of an IP packet follow these steps Step 1 Log in to the CLI Step 2 Display the route of IP packet you are interested in sensor trace 10 1 1 1 traceroute to 10 1 1 1 10 1 1 1 4 hops max 40 byte packets 1 10 89 130 1 10 89 130 1 0 267 ms 0 262 ms 0 236 ms 2 10 89...

Page 252: ...l log all block events and errors true defaulted enable nvram write false defaulted enable acl logging false defaulted allow sensor block false defaulted block enable true defaulted block max entries 250 defaulted max interfaces 250 default 250 master blocking sensors min 0 max 100 current 0 never block hosts min 0 max 250 current 0 never block networks min 0 max 250 current 0 block hosts min 0 ma...

Page 253: ...den username defaulted profile name rcat enable password hidden password hidden username cisco default profile name nopass enable password hidden password hidden username defaulted profile name test enable password hidden password hidden username pix default profile name sshswitch enable password hidden password hidden username cisco default cat6k devices min 0 max 250 current 1 ip address 10 89 1...

Page 254: ...ile name insidePix ip address 10 89 147 82 communication ssh 3des defaulted nat address 0 0 0 0 defaulted profile name f1 sensor config net Step 3 Show the Network Access Controller settings in terse mode sensor config net show settings terse general log all block events and errors true defaulted enable nvram write false defaulted enable acl logging false defaulted allow sensor block false default...

Page 255: ... max 250 current 2 ip address 10 89 147 10 ip address 10 89 147 82 sensor config net Step 4 You can use the include keyword to show settings in a filtered output for example to show only profile names and IP addresses in the Network Access Controller configuration sensor config net show settings include profile name ip address profile name 2admin profile name r7200 profile name insidePix profile n...

Page 256: ...13 30 Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5 0 78 16527 01 Chapter 13 Administrative Tasks for the Sensor Displaying Submode Settings ...

Page 257: ...2 Initialize AIP SSM Run the setup command to initialize AIP SSM For the procedure see Initializing the Sensor page 3 2 3 Verify the AIP SSM initialization For the procedure see Verifying AIP SSM Initialization page 14 2 4 Configure ASA to send IPS traffic to AIP SSM For the procedure see Sending Traffic to AIP SSM page 14 2 5 Perform other initial tasks such as adding users trusted hosts and so f...

Page 258: ...odule 20 Model AIP SSM 20 Hardware version 0 2 Serial Number P2B000005D0 Firmware version 1 0 10 0 Software version 5 0 0 27 S129 0 Status Up Mgmt IP addr 10 89 149 219 Mgmt web ports 881 Mgmt TLS enabled false hostname Step 3 Confirm the information If you need to change anything for the tasks you need to perform to update AIP SSM settings see Configuration Sequence page 14 1 Sending Traffic to A...

Page 259: ...ther a match or a no match access list Matches an access list any Matches any packet policy map policy_map_name Creates an IPS policy map by associating the traffic class with one or more actions ips inline promiscuous fail close fail open Assigns traffic to AIP SSM inline Places AIP SSM directly in the traffic flow No traffic can continue through ASA without first passing through and being inspec...

Page 260: ...nfig cmap match access list any Step 5 Define the IPS policy map asa config cmap policy map policy_map_name Step 6 Identify the class map from Step 4 to which you want to assign an action asa config pmap class class_map_name Step 7 Assign traffic to AIP SSM asa config pmap c ips inline promiscuous fail close fail open Step 8 Define the IPS service policy asa config pmap c service policy policymap_...

Page 261: ...trator or user contexts hw module module 1 reload This command reloads the software on AIP SSM without doing a hardware reset It is effective only when AIP SSM is in the Up state hw module module 1 shutdown This command shuts down the software on AIP SSM It is effective only when AIP SSM is in Up state hw module module 1 reset This command performs a hardware reset of AIP SSM It is applicable when...

Page 262: ... The essential parameters are the IP address and recovery image TFTP URL location Example asa hw module module 1 recover configure Image URL tftp 1 1 1 1 IPS SSM K9 sys 1 1 a 5 0 0 15 S91 0 15 img Port IP Address 1 1 1 23 VLAN ID 0 Gateway IP Address 0 0 0 0 1 1 1 2 hostname asa show module 1 recover Module 1 recover parameters Boot Recovery Image No Image URL tftp 1 1 1 1 IPS SSM K9 sys 1 1 a 5 0...

Page 263: ...figuring the Catalyst Series 6500 Switch for IDSM 2 in Promiscuous Mode page 15 7 Configuring the Catalyst Series 6500 Switch for IDSM 2 in Inline Mode page 15 16 Administrative Tasks for IDSM 2 page 15 24 Catalyst and Cisco IOS Software Commands page 15 27 Configuration Sequence Perform the following tasks to configure IDSM 2 1 Configure the Catalyst 6500 series switch for command and control acc...

Page 264: ...f the Administrator password is lost Analyze your situation to decide if you want a service account existing on the system 6 Perform the other initial tasks such as adding users trusted hosts and so forth For the procedures see Chapter 4 Initial Configuration Tasks 7 Configure intrusion prevention For the procedures see Chapter 6 Configuring Event Action Rules Chapter 7 Defining Signatures and Cha...

Page 265: ...8 48 port 10 100 mb RJ45 WS X6348 RJ 45 SAL04483QBL 3 48 SFM capable 48 port 10 100 1000mb RJ45 WS X6548 GE TX SAD073906GH 6 16 SFM capable 16 port 1000mb GBIC WS X6516A GBIC SAL0740MMYJ 7 2 Supervisor Engine 720 Active WS SUP720 3BXL SAD08320L2T 9 1 1 port 10 Gigabit Ethernet Module WS X6502 10GE SAD071903BT 10 3 Anomaly Detector Module WS SVC ADM 1 K9 SAD084104JR 11 8 Intrusion Detection System ...

Page 266: ...15 24 Configuring the Catalyst 6500 Series Switch for Command and Control Access to IDSM 2 You must configure the Catalyst 6500 series switch to have command and control access to IDSM 2 This section describes how to configure the switch to have command and control access to IDSM 2 and contains the following topics Catalyst Software page 15 4 Cisco IOS Software page 15 6 Catalyst Software To confi...

Page 267: ...mply with applicable laws and regulations If you are unable to comply with U S and local laws return this product immediately A summary of U S laws governing Cisco cryptographic products may be found at http www cisco com wwl export crypto tool stqrg html If you require further assistance please contact us by sending email to export cisco com LICENSE NOTICE There is no license key installed on the...

Page 268: ...res and is subject to United States and local country laws governing import export transfer and use Delivery of Cisco cryptographic products does not imply third party authority to import export distribute or use encryption Importers exporters distributors and users are responsible for compliance with U S and local country laws By using this product you agree to comply with applicable laws and reg...

Page 269: ...rts Caution If you configure both ports as monitoring ports make sure that they are configured to monitor different traffic Caution You should not configure an IDSM 2 data port as both a SPAN destination port and a VACL capture port because IDSM 2 will not receive traffic This dual configuration SPAN and VACL causes problems on the switch and traffic is not sent properly Note Prior to Catalyst Sof...

Page 270: ...y an Ethernet VLAN as the SPAN source This section describes how to configure SPAN and contains the following topics Catalyst Software page 15 8 Cisco IOS Software page 15 10 Catalyst Software Use the set span command in privileged mode to enable SPAN to IDSM 2 Note IDSM 2 port numbers are 7 or 8 only The following options apply disable Disables port monitoring module port Source module and port n...

Page 271: ...From a VLAN cat6k enable set span 650 13 7 rx Destination Port 13 7 Admin Source VLAN 650 Oper Source Port 11 1 13 1 Direction receive Incoming Packets disabled Learning enabled Multicast enabled Filter Session Number 1 cat6k enable Step 4 Show the SPAN sessions cat6k enable show span Destination Port 13 7 Admin Source VLAN 650 Oper Source Port 11 1 13 1 Direction receive Incoming Packets disabled...

Page 272: ... 3z Port channel Ethernet Channel of interfaces Specify another range of interfaces Specify a range of interfaces both Monitor received and transmitted traffic rx Monitor received traffic only tx Monitor transmitted traffic only intrusion detection module SPAN destination intrusion detection module destination SPAN destination interface or VLAN filter SPAN filter VLAN source SPAN source interface ...

Page 273: ...rom switch port trunks router config monitor session session_number filter vlan vlan_ID Example router config monitor session 1 filter vlan 146 Step 7 Exit configuration mode router config exit Step 8 To show current monitor sessions router show monitor session session_number Example router show monitor session 1 Session 1 Type Local Session Source Ports Both Gi2 23 Destination Ports intrusion det...

Page 274: ...ACL cram ip Sets IP security ACL features ipx Sets IPX security ACL features mac Sets MAC security ACL features map Sets security ACL to VLAN mapping permit Specifies packets to forward deny Specifies packets to reject redirect Specifies packets to redirect to ports before Inserts ACE before a specified ace in editbuffer capture Makes a copy of this flow in capture ports modify Modifies a specifie...

Page 275: ... capture 2 7 Successfully set 2 7 to capture ACL traffic Note For more information on trunk ports and ACLs refer to the appropriate Catalyst 6500 Series Switch Command Reference Cisco IOS Software Use the following commands to configure VACLs to capture IPS traffic on VLANs The following options apply ip access list Named access list extended Extended Access List hardware Enable Hardware Fragment ...

Page 276: ...outer config intrusion detection module module_number data port data_port_number capture allowed vlan capture_vlans Note When the switch is routing traffic you should configure IDSM 2 to monitor all VLANs being routed If you apply the VACL to a FlexWan2 port you need to configure IDSM 2 to monitor all VLANs Step 9 Enable the capture function on IDSM 2 router config intrusion detection module modul...

Page 277: ...s ip ids command on both the client side router interface and server side router interface so that both directions of the connection will be captured To use the mls ip ids command to capture IPS traffic follow these steps Step 1 Log in to the MSFC Step 2 Enter privileged mode cat6k enable Step 3 Enter configuration mode router configure terminal Step 4 Configure an ACL to designate which packets w...

Page 278: ...nterface interface_name Step 5 Specify the capture VLANs router config intrusion detection module module_number data port data_port_number capture allowed vlan capture_vlans Example router config intrusion detection module 4 data port 1 capture allowed vlan 165 Step 6 Apply the ACL created in Step 4 to the interface selected in Step 5 router config if mls ip ids word Caution For IDSM 2 to capture ...

Page 279: ...module_number IDSM 2 will be trunking all VLANs If the IDSM 2 interfaces are configured for inline spanning tree loops will likely be created and a storm will occur A storm is numerous packets looping and never reaching their destination To configure the monitoring ports on IDSM 2 for inline mode follow these steps Step 1 Log in to the console Step 2 Enter privileged mode cat6k enable Step 3 Set t...

Page 280: ...er config exit router exit Step 4 Configure an IOS access port for each interface on each inline VLAN if you have not done so already a Enter global configuration mode router configure terminal b Select the IOS interface to be configured router config interface interface_name c Enter a description so you know what the interface is for router config if description description d Configure the interf...

Page 281: ...t data_port_number state Example router show intrusion detection module 13 data port 1 state Intrusion detection module 13 data port 1 Switchport Enabled Administrative Mode static access Operational Mode static access Administrative Trunking Encapsulation dot1q Operational Trunking Encapsulation native Negotiation of Trunking Off Access Mode VLAN 661 inline vlan 1 Trunking Native Mode VLAN 1 defa...

Page 282: ...d balancing for IDSM 2 is only supported on Cisco IOS software Instructions for configuring EtherChannel load balancing on IDSM 2 for Cisco Catalyst software will be provided when the Catalyst release to support it is available Enabling EtherChanneling Note To configure EtherChannel load balancing on IDSM 2 you must install Cisco IOS 12 2 18 SXE and have Supervisor Engine 720 Cisco IOS only suppor...

Page 283: ...uence router config ext nacl vlan access map vlan_access_map_name sequence_number router config access map match ip address vacl_name router config access map action forward capture Step 7 Apply the VLAN access map to the VLAN s router config access map vlan filter vlan_access_map_name vlan list vlan_list Step 8 For each IDSM 2 add the desired data ports into the desired EtherChannel router config...

Page 284: ... Source XOR Destination IP address IPv6 Source XOR Destination IP address MPLS Label or IP Step 11 Set the VLANs to be captured to the EtherChannel router config intrusion detection port channel channel_number capture allowed vlan vlan_list Step 12 Enable capture to the EtherChannel router config intrusion detection port channel channel_number capture Step 13 Exit global configuration mode router ...

Page 285: ...nel Channel group listing Group 10 Group state L2 Ports 0 Maxports 8 Port channels 1 Max Port channels 1 Protocol cat6k Step 3 To see specific EtherChannel status router show etherchannel 1 summary detail port port channel protocol Example router show etherchannel 1 summary Flags D down P in port channel I stand alone s suspended H Hot standby LACP only R Layer3 S Layer2 U in use f failed to alloc...

Page 286: ...t Trunking VLANs Enabled NONE Pruning VLANs Enabled 2 1001 Vlans allowed on trunk none Vlans allowed and active in management domain none Vlans in spanning tree forwarding state and not pruned none Administrative Capture Mode Disabled Administrative Capture Allowed vlans empty Administrative Tasks for IDSM 2 This section contains procedures that help you with administrative tasks for IDSM 2 It con...

Page 287: ...et in the boot string cat6k enable The set boot device command can either contain cf 1 or hdd 1 Step 4 Reset IDSM 2 For the procedure see Resetting IDSM 2 page 15 26 The full memory test runs Note A full memory test takes more time to complete than a partial memory test Cisco IOS Software Use the hw module module module_number reset mem test full command to enable a full memory test The full memor...

Page 288: ...t IDSM 2 to the application partition or the maintenance partition cat6k enable reset module_number hdd 1 cf 1 Note If you do not specify either the application partition hdd 1 the default or the maintenance partition cf 1 IDSM 2 uses the boot device variable The following example shows the output of the reset command cat6k enable reset 3 2003 Feb 01 00 18 23 SYS 5 MOD_RESET Module 3 reset from co...

Page 289: ...et Warning Device list is not verified Proceed with reload of module confirm reset issued for module 8 router Catalyst and Cisco IOS Software Commands This section lists the Catalyst and Cisco IOS software commands that pertain to IDSM 2 Note For more detailed information on Catalyst and Cisco IOS software commands refer to the command references found on Cisco com For instructions on how to locat...

Page 290: ...ule power module_number up down Enables or disables power to the specified IDSM 2 set port name module_number Configures the name for the specified IDSM 2 port set span Configures port 1 as a SPAN destination port You cannot use port 1 on IDSM 2 as a SPAN source port set trunk Configures trunk ports set vlan Configures VLAN capture ports show config Displays the supervisor engine NVRAM configurati...

Page 291: ...set port disable set port enable set port flowcontrol set port gmrp set port gvrp set port host set port inlinepower set port jumbo set port membership set port negotiation set port protocol set port qos set port rsvp set port security set port speed set port trap set protocolfilter set rgmp set snmp set spantree set udld set vtp Cisco IOS Software This section lists the Cisco IOS software command...

Page 292: ...mber shutdown Shuts down the module so that it can be safely removed from the chassis reload Reloads the entire switch session slot slot_number processor processor_number Logs in to the console of IDSM 2 from the switch console show intrusion detection module module_number data port data_port_number state Displays the state of the specified IDSM 2 data port show intrusion detection module module_n...

Page 293: ...data port data_port_number capture allowed vlan allowed_capture_vlan s Configures the VLAN s for VACL capture intrusion detection module module_number data port data_port_number capture Enables VACL capture for the specified IDSM 2 data port ip access list extended word Creates access lists for use in the VACL maps monitor session session destination interface interface interface number vlan vlan ...

Page 294: ...as an access port switchport mode trunk Sets the interface as a trunk port switchport trunk allowed vlan vlans Sets the allowed VLANs for trunk switchport trunk encapsulation dot1q Sets dot1q as the encapsulation type switchport trunk native vlan vlan Sets the native VLAN for the trunk port VACL configuration submode action forward capture Designates that matched packets should be captured match i...

Page 295: ...ge 16 3 Configuring Packet Capture page 16 5 Administrative Tasks for NM CIDS page 16 7 Supported Cisco IOS Commands page 16 8 Configuration Sequence Perform the following tasks to configure NM CIDS 1 Configure the IDS interfaces on the router For the procedure see Configuring IDS Sensor Interfaces on the Router page 16 2 2 Log in to NM CIDS For the procedure see Establishing NM CIDS Sessions page...

Page 296: ...r the procedures see Installing the NM CIDS System Image page 17 19 Configuring IDS Sensor Interfaces on the Router NM CIDS does not have an external console port Console access to NM CIDS is enabled when you issue the service module ids module slot_number 0 session command on the router or when you initiate a Telnet connection into the router with the port number corresponding to the NM CIDS slot...

Page 297: ...s to the NM CIDS s internal interface to session in to NM CIDS Choose a network that does not overlap with any networks assigned to the other interfaces in the router It does not have to be a real IP address because you will not be using this address to access NM CIDS Step 5 Assign an unnumbered loopback interface to the ids sensor interface Use slot 1 for this example router config interface ids ...

Page 298: ...x The control character is specified as Ctrl or ASCII value 30 hex 1E Caution If you use the disconnect command to leave the session the session remains running The open session can be exploited by someone wanting to take advantage of a connection that is still in place To open and close sessions to NM CIDS follow these steps Step 1 Open a session from the router to NM CIDS router service module i...

Page 299: ...apture You must enable the desired interfaces including subinterfaces on the router for packet monitoring You can select any number of interfaces or subinterfaces to be monitored The packets sent and received on these interfaces are forwarded to NM CIDS for inspection You enable and disable the interfaces through the router CLI Cisco IOS Note If the router is performing encryption the NM CIDS rece...

Page 300: ...sts to the Known Hosts List page 4 31 b Log in to NM CIDS c View the interface statistics to make sure the monitoring interface is up nm cids show interface clear nm cids show interface MAC statistics from interface FastEthernet0 1 Media Type backplane Missed Packet Percentage 0 Inline Mode Unpaired Pair Status N A Link Status Up Link Speed Auto_100 Link Duplex Auto_Full Total Packets Received 23 ...

Page 301: ... Make sure you execute a shutdown command before you remove NM CIDS from the router Failing to do so can lead to the loss of data or the corruption of the hard disk drive reload Performs a graceful halt and reboot of the operating system on NM CIDS router service module ids sensor slot_number 0 reload reset Resets the hardware on NM CIDS Typically this command is used to recover from a shutdown ro...

Page 302: ...ry but the port is always 0 The following options apply Privileged mode EXEC service module ids sensor slot_number 0 reload Reloads the operating system on NM CIDS service module ids sensor slot_number 0 reset Provides a hardware reset to NM CIDS service module ids sensor slot_number 0 session The session command lets you access the IPS console service module ids sensor slot_number 0 shutdown Shut...

Page 303: ...u must reimage the sensor You can use the downgrade command for releases after 5 0 1 You can recover the application partition image on your sensor if it becomes unusable Using the recover command lets you retain your host settings while other settings revert to the factory defaults To install a new system image on the sensor use the recovery upgrade CD ROMMON the bootloader helper file or the mai...

Page 304: ...tes for example IPS K9 sp 5 0 2 pkg Recovery partition updates for example IPS K9 r 1 1 a 5 0 1 pkg Upgrading the sensor changes the software version of the sensor Upgrade Command and Options Use the auto upgrade option enabled command in the service host submode to configure automatic upgrades The following options apply default Sets the value back to the system default setting directory Director...

Page 305: ...c upgrade The valid value is hh mm ss user name Username for authentication on the file server Using the Upgrade Command To upgrade the sensor follow these steps Step 1 Download the major update file IPS K9 maj 6 0 1 pkg to an FTP SCP HTTP or HTTPS server that is accessible from your sensor For the procedure for locating software on Cisco com see Obtaining Cisco IPS Software page 18 1 Note You mus...

Page 306: ...elease 2005 03 04T14 35 11 0600 Upgrade History IDS K9 maj 5 0 1 14 16 00 UTC Thu Mar 04 2004 Recovery Partition Version 1 1 5 0 1 S149 sensor Upgrading the Recovery Partition Use the upgrade command to upgrade the recovery partition with the most recent version so that it is ready if you need to recover the application partition on your sensor Note Recovery partition images are generated for majo...

Page 307: ...pplication partition command For the procedure see Using the Recover Command page 17 9 Configuring Automatic Upgrades This section describes how to configure the sensor to automatically look for upgrades in the upgrade directory It contains the following topics Overview page 17 5 UNIX Style Directory Listings page 17 5 Auto upgrade Command and Options page 17 6 Using the auto upgrade Command page ...

Page 308: ...sh host key command to add the server to the SSH known hosts list so the sensor can communicate with it through SSH For the procedure see Adding Hosts to the Known Hosts List page 4 31 ip address IP address of the file server password User password for authentication on the file server schedule option Schedules when automatic upgrades occur Calendar scheduling starts upgrades at specific times on ...

Page 309: ...c periodic intervals sensor config hos ena schedule option periodic schedule sensor config hos ena per interval 24 sensor config hos ena per start time 13 00 00 Step 4 Specify the IP address of the file server sensor config hos ena per exit sensor config hos ena ip address 10 1 1 1 Step 5 Specify the directory where the upgrade files are located on the file server sensor config hos ena directory t...

Page 310: ...ou cannot use the downgrade command to go from 5 0 to 4 x To revert to 4 x you must reimage the sensor You can use the downgrade command for releases after 5 0 1 To remove the last applied upgrade from the sensor follow these steps Step 1 Log in to the sensor using an account with administrator privileges Step 2 Enter global configuration mode sensor configure terminal Step 3 Downgrade the sensor ...

Page 311: ...ding the recovery partition to the most recent version see Upgrading the Recovery Partition page 17 4 Because you can execute the recover application partition command through a Telnet or SSH connection we recommend using this command to recover sensors that are installed at remote locations Note If the appliance supports it you can also use the recovery upgrade CD to reinstall both the recovery a...

Page 312: ...he recover application partition command remotely you can SSH to the sensor with the default username and password cisco cisco and then initialize the sensor again with the setup command You cannot use Telnet until you initialize the sensor because Telnet is disabled by default If you cannot access the CLI to execute the recover application partition command you can reboot the sensor and select th...

Page 313: ...delivery of the image Be aware that some TFTP servers limit the maximum file size that can be transferred to 32 MB Installing the IDS 4215 System Image You can install the IDS 4215 system image by using the ROMMON on the appliance to TFTP the system image onto the compact flash device Caution Before installing the system image you must first upgrade the IDS 4215 BIOS to version 5 1 7 and the ROMMO...

Page 314: ...mation identified in Step 3 Step 5 If necessary change the port used for the TFTP download rommon interface port_number The port in use is listed just before the rommon prompt In the example port 1 is being used as noted by the text Using 1 i82557 PCI bus 0 dev 14 irq 11 MAC 0000 0001 0001 Note The default port used for TFTP downloads is port 1 which corresponds with the command and control interf...

Page 315: ...BIOS and ROMMON The BIOS ROMMON upgrade utility IDS 4215 bios 5 1 7 rom 1 4 bin upgrades the BIOS of IDS 4215 to version 5 1 7 and the ROMMON to version 1 4 To upgrade the BIOS and ROMMON on IDS 4215 follow these steps Step 1 Download the BIOS ROMMON upgrade utility IDS 4215 bios 5 1 7 rom 1 4 bin to the TFTP root directory of a TFTP server that is accessible from IDS 4215 For the procedure for lo...

Page 316: ...at is assigned to IDS 4215 Step 6 Specify the TFTP server IP address rommon server ip_address Step 7 Specify the gateway IP address rommon gateway ip_address Step 8 Verify that you have access to the TFTP server by pinging it from the local Ethernet port rommon ping server_ip_address rommon ping server Step 9 Specify the filename on the TFTP file server from which you are downloading the image rom...

Page 317: ...our IPS 4240 s Ethernet port Step 2 Boot IPS 4240 The console display resembles the following Booting system please wait CISCO SYSTEMS Embedded BIOS Version 1 0 5 0 09 14 04 12 23 35 90 Low Memory 631 KB High Memory 2048 MB PCI Device Table Bus Dev Func VendID DevID Class Irq 00 00 00 8086 2578 Host Bridge 00 01 00 8086 2579 PCI to PCI Bridge 00 03 00 8086 257B PCI to PCI Bridge 00 1C 00 8086 25AE...

Page 318: ...ings ADDRESS 0 0 0 0 SERVER 0 0 0 0 GATEWAY 0 0 0 0 PORT Management0 0 VLAN untagged IMAGE CONFIG The variables have the following definitions Address Local IP address of IPS 4240 Server TFTP server IP address where the application image is stored Gateway Gateway IP address used by IPS 4240 Port Ethernet interface used for IPS 4240 management VLAN VLAN ID number leave as untagged Image System imag...

Page 319: ...IMAGE path file_name Caution Make sure that you enter the IMAGE command in all uppercase You can enter the other ROMMON commands in either lower case or upper case but the IMAGE command specifically must be all uppercase UNIX example rommon IMAGE system_images IPS 4240 K9 sys 4 1 4 S91 img Note The path is relative to the UNIX TFTP server s default tftpboot directory Images located in the default ...

Page 320: ... You can obtain this information by generating a diagnostics report through IDM Signature updates occur approximately every week or more often if needed The most recent signature update will not be on the recovery upgrade CD that shipped with your appliance Download the most recent signature update and apply it after you have recovered the system image To recover the system image with the recovery...

Page 321: ...tep 8 Install the most recent service pack and signature update For the procedure for locating software on Cisco com see Obtaining Cisco IPS Software page 18 1 Installing the NM CIDS System Image This section describes how to install the NM CIDS system image and contains the following topics Overview page 17 19 Installing the NM CIDS System Image page 17 20 Upgrading the Bootloader page 17 22 Over...

Page 322: ... file when you reboot NM CIDS will be inaccessible and you will have to RMA it Installing the NM CIDS System Image Caution The NM CIDS bootloader must be at 1 0 17 1 before installing the 5 0 system image file For the procedure if needed see Upgrading the Bootloader page 17 22 Note The bootloader has a timeout of 10 minutes which means reimages over slow WAN links will fail To avoid this situation...

Page 323: ...rading the Bootloader page 17 22 Step 11 Configure the bootloader parameters ServicesEngine boot loader config Step 12 You are prompted for each value line by line a Specify the IP address The external fast Ethernet port on NM CIDS This must be a real IP address on your network b Specify the subnet mask The external fast Ethernet port on NM CIDS This must be a real IP address on your network c Spe...

Page 324: ...ion is migrated and the bootloader is upgraded to version 1 0 17 1 For the procedure to use the upgrade command see Upgrading the Sensor page 17 2 If you upgrade your NM CIDS with the upgrade file in the future you will not need to upgrade the bootloader before performing a system upgrade The NM CIDS system image IPS NM CIDS K9 sys 1 1 a 5 0 1 img does not migrate your existing configuration or up...

Page 325: ...der parameters ServicesEngine boot loader config Step 12 You are prompted for each value line by line a Specify the IP address The external fast Ethernet port on NM CIDS This must be a real IP address on your network b Specify the subnet mask The external fast Ethernet port on NM CIDS This must be a real IP address on your network c Specify the TFTP server IP address The IP address of the TFTP ser...

Page 326: ...h a Type 2 b Specify the SSH server username and password c Type the SSH server IP address d Type the full pathname of bootloader image from the root directory Selection 1234rh servicesengine boot 1 0 17 1_dev bin Ready to begin Are you sure y n e Type y to continue The operation was successful You are returned to the main menu with the Selection 1234rh prompt Continue with Step 18 Step 16 Configu...

Page 327: ...ult settings The user account and password are set to cisco You must initialize your NM CIDS with the setup command For the procedure see Initializing the Sensor page 3 2 Installing the IDSM 2 System Image If the IDSM 2 application partition becomes unusable you can reimage it from the maintenance partition After you reimage the application partition of IDSM 2 you must initialize IDSM 2 using the ...

Page 328: ...tion partition file has been downloaded you are asked if you want to proceed Upgrading will wipe out the contents on the hard disk Do you want to proceed installing it y n Step 7 Type y to continue When the application partition file has been installed you are returned to the maintenance partition CLI Step 8 Exit the maintenance partition CLI and return to the switch CLI Step 9 Reboot IDSM 2 to th...

Page 329: ...ed if you want to proceed Upgrading will wipe out the contents on the hard disk Do you want to proceed installing it y n Step 8 Type y to continue When the application partition file has been installed you are returned to the maintenance partition CLI Step 9 Exit the maintenance partition CLI and return to the switch CLI Step 10 Reboot IDSM 2 to the application partition router hw module module mo...

Page 330: ...ote You can change the guest password but we do not recommend it If you forget the maintenance partition guest password and you cannot log in to the IDSM 2 application partition for some reason you will have to RMA IDSM 2 login guest Password cisco Maintenance image version 2 1 2 guest idsm2 localdomain Step 5 View the IDSM 2 maintenance partition host configuration guest idsm2 localdomain show ip...

Page 331: ... s guest idsm2 localdomain Step 9 Verify the image installed on the application partition guest idsm2 localdomain show images Device name Partition Image name Hard disk hdd 1 5 0 1 guest idsm2 localdomain Step 10 Verify the maintenance partition version including the BIOS version guest idsm2 localdomain show version Maintenance image version 2 1 2 mp 2 1 2 bin Thu Nov 18 11 41 36 PST 2004 integ kp...

Page 332: ...r 11 21 22 06 2005 argv1 0 argv2 0 argv3 3 argv4 1 Fri Mar 11 21 22 06 2005 Creating IDS application image file Fri Mar 11 21 22 06 2005 footer XXXXXXXXXXXXXXXX Fri Mar 11 21 22 06 2005 exeoff 0000000000031729 Fri Mar 11 21 22 06 2005 image 0000000029323770 Fri Mar 11 21 22 06 2005 T 29323818 E 31729 I 29323770 Fri Mar 11 21 22 07 2005 partition dev hdc1 Fri Mar 11 21 22 07 2005 startIDSAppUpgrade...

Page 333: ... 146 114 ping statistics 5 packets transmitted 5 packets received 0 packet loss round trip min avg max mdev 0 127 0 182 0 381 0 099 ms guest idsm2 localdomain Step 17 Reset IDSM 2 Note You cannot specify a partition when issuing the reset command from the maintenance partition IDSM 2 boots to whichever partition is specified in the boot device variable If the boot device variable is blank IDSM 2 b...

Page 334: ...e maintenance partition host configuration guest idsm2 localdomain show ip IP address 10 89 149 74 Subnet Mask 255 255 255 128 IP Broadcast 10 255 255 255 DNS Name idsm2 localdomain Default Gateway 10 89 149 126 Nameserver s guest idsm2 localdomain Step 5 Clear the maintenance partition host configuration ip address gateway hostname guest idsm2 localdomain clear ip guest localhost localdomain show...

Page 335: ...r Phoenix Technologies Ltd BIOS Version 4 0 Rel 6 0 9 Total available memory 2012 MB Size of compact flash 61 MB Size of hard disk 19077 MB Daughter Card Info Falcon rev 3 FW ver 2 0 3 0 IDS SRAM 8 MB SDRAM 256 MB guest idsm2 localdomain Step 10 Upgrade the application partition guest idsm2 localdomain upgrade ftp jsmith 10 89 146 11 RELEASES Latest 5 0 1 WS SVC IDSM2 K9 sys 1 1 a 5 0 1 bin gz Dow...

Page 336: ...Mar 11 21 22 07 2005 Required disk size 524288 Kb blocks Fri Mar 11 21 22 07 2005 Available disk size 19535040 Kb blocks Fri Mar 11 21 22 13 2005 Partitions created on dev hdc Fri Mar 11 21 22 13 2005 Device dev hdc verified for OK Fri Mar 11 21 22 19 2005 Created ext2 fileSystem on dev hdc1 Fri Mar 11 21 22 19 2005 Directory mnt hd created Fri Mar 11 21 22 19 2005 Partition dev hdc1 mounted Fri M...

Page 337: ...ain Broadcast message from root Fri Mar 11 22 04 53 2005 The system is going down for system halt NOW Connection to 127 0 0 111 closed by foreign host router Upgrading the Maintenance Partition This section describes how to upgrade the maintenance partition and contains the following topics Catalyst Software page 17 35 Cisco IOS Software page 17 36 Catalyst Software To upgrade the maintenance part...

Page 338: ...on idsm2 config upgrade ftp user ftp_server_IP_address directory_path c6svc mp 2 1 1 bin gz Step 6 Specify the FTP server password Password You are prompted to continue Continue with upgrade Step 7 Type yes to continue Installing the AIP SSM System Image You can reimage the AIP SSM in one of the following ways From ASA using the hw module module 1 recover configure boot command See the following p...

Page 339: ...N ID 0 Step 7 Specify the default gateway of the AIP SSM Gateway IP Address 0 0 0 0 Example Gateway IP Address 0 0 0 0 10 89 149 254 Step 8 Execute the recovery asa hw module module 1 recover boot Step 9 Periodically check the recovery until it is complete Note The status reads Recovery during recovery and reads Up when reimaging is complete asa show module 1 Mod Card Type Model Serial No 0 ASA 55...

Page 340: ...figuration Guide for IPS 5 0 78 16527 01 Chapter 17 Upgrading Downgrading and Installing System Images Installing System Images Step 10 Session to AIP SSM and initialize AIP SSM with the setup command For the procedure see Initializing the Sensor page 3 2 ...

Page 341: ...posted to Cisco com approximately every week more often if needed Service packs are posted to Cisco com as needed Major and minor updates are also posted periodically Check Cisco com regularly for the latest IPS software You must have an account with cryptographic access before you can download software You set this account up the first time you download IPS software from the Download Software sit...

Page 342: ...rm and click Submit The Cisco Systems Inc Encryption Software Usage Handling and Distribution Policy appears Read the policy and click I Accept The Encryption Software Export Distribution Form appears If you previously filled out the Encryption Software Export Distribution Authorization form and read and accepted the Cisco Systems Inc Encryption Software Usage Handling and Distribution Policy thes...

Page 343: ...ure updates since the last major version and the new minor features being released The minor upgrade requires the major version Service packs are cumulative following a base version release minor or major Service packs are used for the release of defect fixes with no new enhancements Service packs contain all service pack fixes since the last base version minor or major and the new defect fixes be...

Page 344: ...not produced for subsequently released service packs Note The maintenance partition image file does not contain a signature designator 5 x Software Release Examples Table 18 1 lists platform independent IDS 5 x software release examples Refer to the readmes that accompany the software files for detailed instructions on how to install the files For instructions on how to access these files on Cisco...

Page 345: ...ires you to use the recover command or the recovery upgrade CD You can reimage your sensor in the following ways For IDS appliances with a CD ROM drive use the recovery upgrade CD For the procedure see Using the Recovery Upgrade CD page 17 18 For all sensors use the recover command For the procedure see Recovering the Application Partition page 17 9 For the IDS 4215 IPS 4240 and IPS 4255 use the R...

Page 346: ...nsed because of problems with your contract you can obtain a 60 day trial license that supports signature updates that require licensing You can obtain a license key from the Cisco com licensing server which is then delivered to the sensor Or you can update the license key from a license key provided in a local file Go to http www cisco com go license and click IPS Signature Subscription Service t...

Page 347: ...255 IPS 4260 IDSM 2 NM CIDS For ASA 5500 series adaptive security appliance products if you purchased one of the following ASA 5500 series adaptive security appliance products that do not contain IPS you must purchase a SMARTnet contract Note SMARTnet provides operating system updates access to Cisco com access to TAC and hardware replacement NBD on site ASA5510 K8 ASA5510 DC K8 ASA5510 SEC BUN K9...

Page 348: ... to IDM using an account with administrator privileges Step 2 Choose Configuration Licensing The Licensing pane displays the status of the current license If you have already installed your license you can click Download to save it if needed Step 3 Obtain a license key by doing one of the following Check the Cisco Connection Online check box to obtain the license from Cisco com IDM contacts the li...

Page 349: ...command to copy the license file to your sensor The following options apply source url The location of the source file to be copied It can be a URL or keyword destination url The location of the destination file to be copied It can be a URL or a keyword license key The subscription license file license_file_name The name of the license file you receive Note You cannot install an older license key ...

Page 350: ...pecified Step 3 Save the license key to a system that has a web server FTP server or SCP server Step 4 Log in to the CLI using an account with administrator privileges Step 5 Copy the license key to the sensor sensor copy scp user 10 89 147 3 tftpboot dev lic license key Password Step 6 Verify the sensor is licensed sensor show version Application Partition Cisco Intrusion Prevention System Versio...

Page 351: ...w signature available to deal with the threat The Cisco Security Center contains a Security News section that lists security articles of interest There are related security tools and links You can access the Cisco Security Center at this URL http tools cisco com MySDN Intelligence home x The Cisco Security Center is also a repository of information for individual signatures including signature ID ...

Page 352: ...e from the drop down list e Choose your company or organization type from the drop down list Step 10 Click Submit You receive e mail notifications of updates when they occur and instructions on how to obtain them Accessing IPS Documentation You can find IPS documentation at this URL http www cisco com en US products hw vpndevc ps4077 tsd_products_support_series_home html Or to access IPS documenta...

Page 353: ...S 5 0 78 16527 01 Chapter 18 Obtaining Software Accessing IPS Documentation Install and Upgrade Contains hardware installation and regulatory guides Configure Contains configuration guides for IPS CLI IDM and IME Troubleshoot and Alerts Contains TAC tech notes and field notices ...

Page 354: ...18 14 Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5 0 78 16527 01 Chapter 18 Obtaining Software Accessing IPS Documentation ...

Page 355: ...w You can install Cisco IPS software on two platforms the appliances and the modules refer to Supported Sensors in Installing Cisco Intrusion Prevention System Appliances and Modules 5 0 for a list of current appliances and modules This section contains the following topics System Design page A 1 IPS 5 0 New Features page A 3 User Interaction page A 4 Security Features page A 5 System Design IPS s...

Page 356: ...ngs are speed duplex and administrative state LogApp Writes all the application s log messages to the log file and the application s error messages to the Event Store Network Access Controller Manages remote network devices firewalls routers and switches to provide blocking capabilities when an alert event has occurred Network Access Controller creates and applies ACLs on the controlled network de...

Page 357: ...mpletely reimage the application partition Network settings are preserved but all other configuration is lost IPS 5 0 New Features Cisco IPS 5 0 contains the following new features Ability to process and analyze traffic inline Former 4 x applications merged into one application The following applications have been merged in to one application with different threads supporting the old functions Mai...

Page 358: ...re that supports PEP PEP is the UDI information that consists of the PID VID and SN of the product Support added to Network Access Controller to control ASA and FWSM Client side IDM GUI The GUI is now a Java applet rather than HTML Limited IPv6 support IPv4 packets tunneled within IPv6 packets will be processed and have policy enforced on the packet However all analysis is done with the IPv4 packe...

Page 359: ...s from the system through the CLI IDM IDS MC ASDM or another application using RDEP or RDEP2 Security Features IPS 5 0 has the following security features Network access is restricted to hosts who are specifically allowed access All remote hosts who attempt to connect through Web Server SSH and SCP or Telnet will be authenticated By default Telnet access is disabled You can choose to enable Telnet...

Page 360: ...lowing applications are now part of MainApp and are responsible for event storage management actions and communication Event Store NotificationApp CtlTransSource Network Access Controller and LogApp These applications contain the following new features SNMP support through NotificationApp Support for SNMP is one of the most significant changes for the management interface of the system Through SNM...

Page 361: ...d a priority of low medium or high a single event query can specify a list of desired event types intrusion event priorities and a time range Table A 1 shows some examples The size of the Event Store allows sufficient buffering of the IPS events when the sensor is not connected to an IPS event consumer Sufficient buffering depends on your requirements and the capabilities of the nodes in use The o...

Page 362: ...cations IPS events have the following characteristics They are spontaneously generated by the application instances configured to do so There is no request from another application instance to generate a particular event They have no specific destination They are stored and then retrieved by one or more application instances Control transactions involve the following types of requests Request to u...

Page 363: ...s Controller log response actions TCP resets IP logging start and stop blocking start and stop trigger packet as status messages NotificationApp NotificationApp allows the sensor to send alerts and system error messages as SNMP traps It subscribes to events in the Event Store and translates them into SNMP MIBs and sends them to destinations through a public domain SNMP agent NotificationApp suppor...

Page 364: ...Event ID Event severity Time UTC and local time Error message NotificationApp supports GETs for the following general health and system information from the sensor Packet loss Packet denies Alarms generated Fragments in FRP Datagrams in FRP TCP streams in embryonic state TCP streams in established state TCP streams in closing state TCP streams in system TCP packets queued for reassembly Total node...

Page 365: ...and password basic authentication When the authentication is successful the requestor is assigned a cookie containing a user authentication that must be presented with each request on that connection The transactionHandlerLoop method in the CtlTransSource serves as a proxy for remote control transaction When a local application initiates a remote control transaction IDAPI initially directs the tra...

Page 366: ...s Network Access Controller which is the IPS application that starts and stops blocks on routers switches and firewalls A block is an entry in a device s configuration or ACL to block incoming and outgoing traffic for a specific host IP address or network address This section contains the following topics About Network Access Controller page A 12 Network Access Controller Features page A 13 Suppor...

Page 367: ...vice it initiates either a Telnet or SSH connection with the device Network Access Controller maintains the connection with each device After the block is initiated Network Access Controller pushes a new set of configurations or ACLs one for each interface direction to each controlled device When a block is completed all configurations or ACLs are updated to remove the block Network Access Control...

Page 368: ...0 25 Specifying blocking interfaces on a network device You can specify the interface and direction where blocking is performed in the Network Access Controller configuration for routers You can specify the interface where blocking is performed in the VACL configuration Note Cisco firewalls do not block based on interface or direction so this configuration is never specified for them Network Acces...

Page 369: ... device Single point of control Network Access Controller does not share control of network devices with administrators or other software If you must update a configuration shut down Network Access Controller until the change is complete You can enable or disable Network Access Controller through the CLI or any IPS manager When Network Access Controller is reenabled it completely reinitializes its...

Page 370: ...s A forever block is a normal block with a timeout value of 1 Network Access Controller only modifies ACLs that it owns It does not modify ACLs that you have defined The ACLs maintained by Network Access Controller have a specific format that should not be used for user defined ACLs The naming convention is IPS_ interface_name _ in out _ 0 1 interface_name corresponds to the name of the blocking i...

Page 371: ...The always block command entries from the configuration 3 Unexpired blocks from nac shun txt 4 The permit IP any any command Connection Based and Unconditional Blocking Network Access Controller supports two types of blocking for hosts and one type of blocking for networks Host blocks are connection based or unconditional Network blocks are always unconditional When a host block is received Networ...

Page 372: ...nnections are not broken but all incoming packets from the blocked host are dropped When Network Access Controller first starts up the active blocks in the firewall are compared to an internal blocking list Any blocks that do not have a corresponding internal list entry are removed For more information see Supported Blocking Devices page 10 3 Network Access Controller supports authentication on a ...

Page 373: ...ists commit security acl all To clear a single VACL clear security acl map acl_name To clear all VACLs clear security acl map all To map a VACL to a VLAN set sec acl acl_name vlans For more information see Supported Blocking Devices page 10 3 LogApp The sensor logs all events alert error status and debug messages in a persistent circular buffer The sensor also generates IP logs The messages and IP...

Page 374: ...the user s accounts privileges keys and certificates To configure which authentication methods are used by AuthenticationApp and other access services on the sensor Authenticating Users You must configure authentication on the sensor to establish appropriate security for user access When you install a sensor an initial cisco account with an expired password is created A user with administrative ac...

Page 375: ... the user is authenticated it launches the IPS CLI In this case the CLI sends a special form of the execAuthenticateUser control transaction to determine the privilege level of the logged in user The CLI then tailors the commands it makes available based on this privilege level Managing TLS and SSH Trust Relationships Encrypted communications over IP networks provide data privacy by making it impo...

Page 376: ...f TLS trusted certificates and SSH known hosts through the commands service trusted certificates and service ssh known hosts X 509 certificates include additional information that can increase the security of the trust relationship however these can lead to confusion For example an X 509 certificate includes a validity period during which the certificate can be trusted Typically this period is a n...

Page 377: ...e IP addresses Each entry in the list expires based on the global deny timer which you can configure in the virtual sensor configuration Signature Event Action Processor SEAP This processor processes event actions It supports the following event actions Reset TCP flow IP log Deny packets Deny flow Deny attacker Alert Block host Block connection Generate SNMP trap Capture trigger packet Event actio...

Page 378: ...wn period are allowed to continue Signature Analysis Processor SAP This processor dispatches packets to the inspectors that are not stream based and that are configured for interest in the packet in process Slave Dispatch Processor SDP A process found only on dual CPU systems Some of the processors call inspectors to perform signature analysis All inspectors can call the alarm channel to produce a...

Page 379: ... Subtracts actions based on the signature event s signature ID addresses and RR The input to the SEAF is the signature event with actions possibly added by the SEAO Note The SEAF can only subtract actions it cannot add new actions The following parameters apply to the SEAF Signature ID Subsignature ID Attacker address Attacker port Victim address Victim port RR threshold range Actions to subtract ...

Page 380: ...de such as deny packet deny flow and deny attacker All packets that are unknown or of no interest to the IPS are forwarded to the paired interface with no analysis All bridging and routing protocols are forwarded with no participation other than a possible deny due to policy violations There is no IP stack associated with any interface used for inline or promiscuous data processing The current sup...

Page 381: ... occur with no false positives and false negatives the state of the two TCP endpoints must be tracked and only the data that is actually processed by the real host endpoints should be passed on Overlaps in a TCP stream can occur but are extremely rare except for TCP segment retransmits Overwrites in the TCP session should not occur If overwrites do occur someone is intentionally trying to elude th...

Page 382: ...or each role Administrators This user role has the highest level of privileges Administrators have unrestricted view access and can perform the following functions Add users and assign passwords Enable and disable control of physical interfaces and virtual sensors Assign physical sensing interfaces to a virtual sensor Modify the list of hosts allowed to connect to the sensor as a configuring or vi...

Page 383: ...4 13 Only one service account is allowed per sensor and only one account is allowed a service role When the service account s password is set or reset the root account s password is set to the same password This allows the service account user to su to root using the same password When the service account is removed the root account s password is locked The service account is not intended to be us...

Page 384: ...en to view the valid tokens that complete the command If there is a trailing space between the token and the you receive an ambiguous command error sensor show c Ambiguous command show c If you enter the token without the space a selection of available tokens for the completion with no help description appears sensor show c clock configuration sensor show c Only commands available in the current m...

Page 385: ...his section describes the communications protocols used by IPS 5 0 It contains the following topics IDAPI page A 31 RDEP2 page A 32 IDIOM page A 34 IDCONF page A 34 SDEE page A 35 CIDEE page A 35 IDAPI IPS applications use an interprocess communication API called IDAPI to handle internal communications IDAPI reads and writes event data and provides a mechanism for control transactions IDAPI is the...

Page 386: ...nts use IP log requests to retrieve IP log data from servers Transaction messages are used to configure and control IPS servers RDEP2 uses the industry standards HTTP TLS and SSL and XML to provide a standardized interface between RDEP2 agents The RDEP2 protocol is a subset of the HTTP 1 1 protocol All RDEP2 messages are legal HTTP 1 1 messages RDEP2 uses HTTP s message formats and message exchang...

Page 387: ... The Control Transaction Server passes the control transaction through IDAPI to the appropriate application waits for the application s response and then returns the result Figure A 7 shows remote applications sending commands to the sensor through RDEP2 Figure A 7 Sending Commands Through RDEP2 119098 REDP2 Client Sensor Event Request Event Event Server Web Server Events Event Request Event HTTP ...

Page 388: ...en different hosts using the RDEP2 protocol are known as remote events and remote control transactions or collectively remote IDIOM messages Note IDIOM for the most part has been superseded by IDCONF SDEE and CIDEE IDCONF IPS 5 0 manages its configuration using XML documents IDCONF specifies the XML schema including IPS 5 0 control transactions The IDCONF schema does not specify the contents of th...

Page 389: ...fies the extensions to SDEE that are used by the Cisco IPS The CIDEE standard specifies all possible extensions that are supported by IPS Specific systems may implement a subset of CIDEE extensions However any extension that is designated as being required MUST be supported by all systems CIDEE specifies the IPS specific security device events as well as the IPS extensions to SDEE s evIdsAlert ele...

Page 390: ...nt Store application usr cids idsRoot var core Stores core files that are created during system crashes usr cids idsRoot var iplogs Stores iplog file data usr cids idsRoot bin Contains the binary executables usr cids idsRoot bin authentication Contains the authentication application usr cids idsRoot bin cidDump Contains the script that gathers data for tech support usr cids idsRoot bin cidwebserve...

Page 391: ...etwork Access Controller is run on every sensor Each Network Access Controller subscribes to network access events from its local Event Store The Network Access Controller configuration contains a list of sensors and the network access devices that its local Network Access Controller controls If a Network Access Controller is configured to send network access events to a master blocking sensor it ...

Page 392: ...plications IDM The Java applet that provides an HTML IPS management interface Web Server Waits for remote HTTP client requests and calls the appropriate servlet application 1 This is a web server servlet 2 This is a web server servlet 3 This is a remote control transaction proxy Table A 2 Summary of Applications continued Application Description ...

Page 393: ...nature Engines A signature engine is a component of the Cisco IPS that is designed to support many signatures in a certain category An engine is composed of a parser and an inspector Each engine has a set of parameters that have allowable ranges or sets of values Note The 5 0 engines support a standardized Regex IPS 5 0 contains the following signature engines AIC Provides deep analysis of web tra...

Page 394: ...ts ICMP and UDP floods directed at hosts and networks There are two FLOOD engines FLOOD HOST and FLOOD NET META Defines events that occur in a related manner within a sliding time interval This engine processes events rather than packets Note The META engine is new for IPS 5 0 NORMALIZER Configures how the IP and TCP normalizer functions and provides configuration for signature events related to t...

Page 395: ...ngine provides structures and methods to the other engines and handles input from configuration and alert output This section describes the MASTER engine and contains the following topics General Parameters page B 3 Alert Frequency page B 4 Event Actions page B 5 General Parameters The following parameters are part of the MASTER engine and apply to all signatures Caution We do not recommend that y...

Page 396: ...ounter Grouping for event count settings event count Number of times an event must occur before an alert is generated 1 to 65535 event count key The storage type on which to count events for this signature Attacker address Attacker and victim addresses Attacker address and victim port Victim address Attacker and victim addresses and ports Axxx AxBx Axxb xxBx AaBb specify alert interval Enables ale...

Page 397: ...dresses back on the network deny connection inline Does not transmit this packet and future packets on the TCP Flow inline only Table B 2 MASTER Engine Alert Frequency Parameters Parameter Description Value alert frequency Summary options for grouping alerts summary mode Mode used for summarization fire all Fires an alert on all events fire once Fires an alert only once global summarize Summarizes...

Page 398: ...ify packet inline Modifies packet contents inline only Note Modify packet inline is a new feature from the inline normalizer It scrubs the packet and corrects irregular issues such as bad checksum out of range values and other RFC violations AIC Engine The AIC engine inspects HTTP web traffic and enforces FTP commands This section describes the AIC engine and its parameters and contains the follow...

Page 399: ...eb ports If traffic is web traffic but not received on the AIC web ports the SERVICE HTTP engine is executed AIC inspection can be on any port if it is configured as an AIC web port and the traffic to be inspected is HTTP traffic Caution The AIC web ports are regular HTTP web ports You can turn on AIC web ports to distinguish which ports should watch for regular HTTP traffic and which ports should...

Page 400: ... look for specific patterns in the message body request methods AIC signature that allows actions to be associated with HTTP request methods define request method such as get put and so forth recognized request methods lists methods recognized by the sensor transfer encodings AIC signature that deals with transfer encodings define transfer encoding associates an action with each method such as com...

Page 401: ...ture when it sees an ARP destination address of 255 255 255 255 Same Source and Destination Fires an alarm for this signature when it sees an ARP destination address with the same source and destination MAC address Source Multicast Fires an alarm for this signature when it sees an ARP source MAC address of 01 00 5e 00 7f specify request inbalance Fires an alert when there are this many more reques...

Page 402: ...t are met Table B 7 FLOOD HOST Engine Parameters Parameter Description Value protocol Which kind of traffic to inspect ICMP UDP rate Threshold number of packets per second 0 to 655351 1 An alert fires when the rate is greater than the packets per second icmp type Specifies the value for the ICMP header type 0 to 65535 dst ports Specifies the destination ports when you choose UDP protocol 0 to 6553...

Page 403: ...s the following topics Overview page B 12 NORMALIZER Engine Parameters page B 12 Table B 9 META Engine Parameters Parameter Description Value meta reset interval Time in seconds to reset the META signature 0 to 3600 component list List of META components edit Edits an existing entry insert Inserts a new entry into the list begin Places the entry at the beginning of the active list end Places the e...

Page 404: ...and false negatives the state of the two TCP endpoints must be tracked and only the data that is actually processed by the real host endpoints should be passed on Overlaps in a TCP stream can occur but are extremely rare except for TCP segment retransmits Overwrites in the TCP session should not occur If overwrites do occur someone is intentionally trying to elude the security policy or the TCP st...

Page 405: ...C Engine page B 21 SERVICE MSSQL Engine page B 22 SERVICE NTP Engine page B 22 SERVICE RPC Engine page B 23 specify max fragments per dgram Optional Enables maximum fragments per datagram specify max last fragments Optional Enables maximum last fragments specify max partial dgrams Optional Enables maximum partial datagrams specify max small frags Optional Enables maximum small fragments specify mi...

Page 406: ...l Protocol of interest for this inspector TCP UDP specify query chaos string Optional Enables the DNS Query Class Chaos String query chaos string specify query class Optional Enables the query class query class DNS Query Class 2 Byte Value 0 to 65535 specify query invalid domain name Optional Enables query invalid domain name query invalid domain name DNS Query Length greater than 255 true false s...

Page 407: ... stream len DNS Packet Length 0 to 65535 specify query type Optional Enables the query type query type DNS Query Type 2 Byte Value 0 to 65535 specify query value Optional Enables the query value query value Query 0 Response 1 true false Table B 11 SERVICE DNS Engine Parameters continued Parameter Description Value Table B 12 SERVICE FTP Engine Parameters Parameter Description Value direction Direc...

Page 408: ...ers should tune SERVICE GENERIC engine signatures Table B 13 lists the parameters specific to the SERVICE GENERIC engine SERVICE H225 Engine This section describes the SERVICE H225 engine and contains the following topics Overview page B 17 SERVICE H255 Engine Parameters page B 17 Table B 13 SERVICE GENERIC Engine Parameters Parameter Description Value specify dst port Optional Enables the destina...

Page 409: ...message uses many of the commonly found fields in the call signaling messages and implementations that are exposed to probable attacks will mostly also fail the security checks for the SETUP messages Therefore it is highly important to check the H 225 0 SETUP message for validity and enforce checks on the perimeter of the network The H225 engine has built in signatures for TPKT validation Q 931 pr...

Page 410: ...r use Only valid for SETUP and Q 931 message types Gives a dotted representation of the field name that this signature applies to field name Field name to inspect 1 to 512 specify invalid packet index Optional Enables invalid packet index for use for specific errors in ASN TPKT and other errors that have fixed mapping invalid packet index Inspection for invalid packet index 0 to 255 specify regex ...

Page 411: ...I equivalent characters It is also known as ASCII normalization Before an HTTP packet can be inspected the data must be deobfuscated or normalized to the same representation that the target system sees when it processes the data It is ideal to have a customized decoding technique for each host target type which involves knowing what operating system and web server version is running on the target ...

Page 412: ...sion header regex Regular Expression to search in the HTTP Header field The Header is defined after the first CRLF and continues until CRLFCRLF specify request regex Optional Enables searching the Request field for a specific regular expression request regex Regular expression to search in both HTTP URI and HTTP Argument fields specify min request match length Enables setting a minimum request mat...

Page 413: ... to allow for fragmentation and reassembly of the MSRPC PDUs This communication channel is the source of recent Windows NT Windows 2000 and Window XP security vulnerabilities The SERVICE MSRPC engine only decodes the DCE and RPC protocol for the most common transaction types SERVICE MSRPC Engine Parameters Table B 17 on page B 22 lists the parameters specific to the SERVICE MSRPC engine Table B 16...

Page 414: ...ngine Parameters Parameter Description Value protocol Protocol of interest for this inspector tcp udp specify operation Optional Enables using MS RPC operation operation MS RPC operation requested Required for SMB_COM_TRANSACTION commands Exact match 0 to 65535 specify regex string Optional Enables using a regular expression string specify exact match offset Enables the exact match offset exact ma...

Page 415: ...ine Parameters Parameter Description Value inspection type Type of inspection to perform inspect ntp packets Inspects NTP packets control opcode Opcode number of an NTP control packet according to RFC1305 Appendix B max control data size Maximum allowed amount of data sent in a control packet mode Mode of operation of the NTP packet per RFC 1305 0 to 65535 is invalid data packet Looks for invalid ...

Page 416: ...specify rpc procedure Optional Enables RPC procedure rpc procedure RPC procedure number for this signature 0 to 1000000 specify rpc program Optional Enables RPC program rpc program RPC program number for this signature 0 to 1000000 1 The second number in the range must be greater than or equal to the first number Table B 20 SERVICE RPC Engine Parameters continued Parameter Description Value Table ...

Page 417: ...hit counting hit count The threshold number of occurrences in scan interval to fire alerts 7 0 to 65535 specify operation Optional Enables MS RPC operation operation MS RPC operation requested Required for SMB_COM_TRANSACTION commands An exact match is required 0 to 65535 specify resource Optional Enables resource resource Specifies that pipe or the SMB filename is used to qualify the alert In ASC...

Page 418: ... message False for no swap default true false 1 The second number in the range must be greater than or equal to the first number 2 An exact match is optional 3 An exact match is optional 4 An exact match is required Currently supporting the 37 0x25 SMB_COM_TRANSACTION command x26amp and the 162 0xA2 SMB_COM_NT_CREATE_ANDX command 5 An exact match is optional 6 An exact match is required Required f...

Page 419: ...nmp traffic inspection Inspects for non SNMP traffic destined for UDP port 161 snmp inspection Inspects SNMP traffic specify community name yes no community name Searches for the SNMP community name that is the SNMP password specify object id yes no object id Searches for the SNMP object identifier community name object id Table B 22 SERVICE SNMP Engine Parameters continued Parameter Description V...

Page 420: ...tate name Name of the state required before the signature fires an alert Abort state to end LPR Format String inspection Format character state State state abort format char start smtp Specifies the state machine for the SMTP protocol state name Name of the state required before the signature fires an alert Abort state to end LPR Format String inspection Mail body state Mail header state SMTP comm...

Page 421: ... For an example custom STRING engine signature see Example STRING TCP Signature page 7 30 STRING ICMP Engine Parameters Table B 25 lists the parameters specific to the STRING ICMP engine specify min match length Optional Enables minimum match length min match length Minimum number of bytes the regular expression string must match 0 to 65535 swap attacker victim True if address and ports source and...

Page 422: ...ue Table B 26 STRING TCP Engine Parameter Description Value direction Direction of the traffic Traffic from service port destined to client port Traffic from client port destined to service port from service to service service ports A comma separated list of ports or port ranges where the target service resides 0 to 655351 a b c d 1 The second number in the range must be greater than or equal to t...

Page 423: ...ion IP address filter parameters in the Sweep engine signatures A unique parameter must be specified for all signatures in the SWEEP engine A limit of 2 through 40 inclusive is enforced on the sweeps 2 is the absolute minimum for a sweep otherwise it is not a sweep of one host or port 40 is a practical maximum that must be enforced so that the sweep does not consume excess memory More realistic va...

Page 424: ...pecify icmp type Optional Enables the ICMP header type icmp type ICMP header TYPE value 0 to 255 specify port range Optional Enables using a port range for inspection port range UDP port range used in inspection 0 to 65535 a b c d fragment status Specifies whether fragments are wanted or not Any fragment status Do not inspect fragments Inspect fragments any no fragments want fragments inverted swe...

Page 425: ...mp Tunnel that can be used to send small payload in ICMP replies which may go straight through a firewall if it is not configured to block ICMP The LOKI signatures look for an imbalance of ICMP echo requests to replies and simple ICMP code and payload discriminators The DDoS category excluding TFN2K targets ICMP based DDoS agents The main tools used here are TFN Tribe Flood Net and Stacheldraht Th...

Page 426: ...aders that have certain cross packet characteristics BO2K also has a stealthy TCP module that was designed to encrypt the BO header and make the cross packet patterns nearly unrecognizable The UDP modes of BO and BO2K are handled by the TROJAN UDP engine The TCP modes are handled by the TROJAN BO2K engine There are no specific parameters to the TROJAN engines except for swap attacker victim in the...

Page 427: ...nce The following actions will help you maintain your sensor Back up a good configuration If your current configuration becomes unusable you can replace it with the backup version For the procedure see Creating and Using a Backup Configuration File page 12 17 Save your backup configuration to a remote system For the procedure see Copying and Restoring the Configuration File Using a Remote Server p...

Page 428: ... FTP or SCP server any time a change has been made For the procedure see Creating and Using a Backup Configuration File page 12 17 Note You should note the specific software version for that configuration You can apply the copied configuration only to a sensor of the same version Note You also need the list of user IDs that have been used on that sensor The list of user IDs and passwords are not s...

Page 429: ...see Adding Hosts to the Known Hosts List page 4 31 7 Create previous users For the procedure see Adding and Removing Users page 4 11 Password Recovery The following password recovery options exist If another Administrator account exists the other Administrator can change the password If a Service account exists you can log in to the service account and switch to user root using the command su root...

Page 430: ...ensor CLI Through Telnet or SSH If you cannot access the sensor CLI through Telnet if you already have it enabled or SSH follow these steps Note For the procedure for enabling and disabling Telnet on the sensor see Enabling and Disabling Telnet page 4 4 Step 1 Log in to the sensor CLI through a console terminal or module session For the various ways to open a CLI session directly on the sensor see...

Page 431: ...435730956 Total Transmit Errors 0 Total Transmit FIFO Overruns 0 sensor The management interface is the interface in the list with the status line Media Type TX If the Link Status is Down go to Step 3 If the Link Status is Up go to Step 5 Step 3 Make sure the sensor s IP address is unique sensor setup System Configuration Dialog At any point you may enter a question mark for help User ctrl c to ab...

Page 432: ...g the Access List page 4 5 Step 7 Make sure the network configuration allows the workstation to connect to the sensor If the sensor is protected behind a firewall and the workstation is in front of the firewall make sure the firewall is configured to allow the workstation to access the sensor Or if the workstation is behind a firewall that is performing network address translation on the workstati...

Page 433: ...me the interface shuts down Linux prevents the command and control interface from activating if it detects an address conflict with another host To verify that the sensor in question does not have an IP address conflict with another host on the network follow these steps Step 1 Log in to the CLI Step 2 Determine whether the interface is up sensor show interfaces Interface Statistics Total Packets ...

Page 434: ... If the output says the command and control interface link status is down there is a hardware issue or an IP address conflict Step 3 Make sure the sensor s cabling is correct Refer to the chapter for your sensor in Installing Cisco Intrusion Prevention System Appliances and Modules 5 0 Step 4 Run the setup command to make sure the IP address is correct For the procedure see Initializing the Sensor...

Page 435: ...ce 62 usage MainApp 2005_Mar_04_14 23 Release 2005 03 04T14 35 11 0600 Running AnalysisEngine 2005_Mar_04_14 23 Release 2005 03 04T14 35 11 0600 Not Running CLI 2005_Mar_04_14 23 Release 2005 03 04T14 35 11 0600 Upgrade History IDS K9 maj 5 0 1 14 16 00 UTC Thu Mar 04 2004 Recovery Partition Version 1 1 5 0 1 S149 sensor Step 3 If the AnalysisEngine is not running look for any errors connected to ...

Page 436: ...rom interface GigabitEthernet0 1 Media Type backplane Missed Packet Percentage 0 Inline Mode Unpaired Pair Status N A Link Status Up Link Speed Auto_1000 Link Duplex Auto_Full Total Packets Received 0 Total Bytes Received 0 Total Multicast Packets Received 0 Total Broadcast Packets Received 0 Total Jumbo Packets Received 0 Total Undersize Packets Received 0 Total Receive Errors 0 Total Receive FIF...

Page 437: ... that the interfaces are up and that the packet count is increasing sensor show interfaces Unable to See Alerts If you are not seeing alerts try the following Make sure the signature is enabled Make sure the signature is not retired Make sure that you have Produce Alert configured as an action Note If you choose Produce Alert but come back later and add another event action and do not add Produce ...

Page 438: ..._100 Link Duplex Auto_Full Total Packets Received 267581 Total Bytes Received 24886471 Total Multicast Packets Received 0 Total Broadcast Packets Received 0 Total Jumbo Packets Received 0 Total Undersize Packets Received 0 Total Receive Errors 0 Total Receive FIFO Overruns 0 Total Packets Transmitted 57301 Total Bytes Transmitted 3441000 Total Multicast Packets Transmitted 0 Total Broadcast Packet...

Page 439: ...ved 0 Total Undersize Packets Received 0 Total Receive Errors 0 Total Receive FIFO Overruns 0 Total Packets Transmitted 0 Total Bytes Transmitted 0 Total Multicast Packets Transmitted 0 Total Broadcast Packets Transmitted 0 Total Jumbo Packets Transmitted 0 Total Undersize Packets Transmitted 0 Total Transmit Errors 0 Total Transmit FIFO Overruns 0 sensor Step 3 If the interfaces are not up do the...

Page 440: ...FO Overruns 0 Total Packets Transmitted 0 Total Bytes Transmitted 0 Total Multicast Packets Transmitted 0 Total Broadcast Packets Transmitted 0 Total Jumbo Packets Transmitted 0 Total Undersize Packets Transmitted 0 Total Transmit Errors 0 Total Transmit FIFO Overruns 0 Cleaning Up a Corrupted SensorApp Configuration If the SensorApp configuration has become corrupted and SensorApp cannot run you ...

Page 441: ...ubleshooting Blocking page C 15 Verifying Network Access Controller is Running page C 16 Verifying Network Access Controller Connections are Active page C 17 Device Access Issues page C 18 Verifying the Interfaces and Directions on the Network Device page C 19 Enabling SSH Connections to the Network Device page C 20 Blocking Not Occurring for a Signature page C 21 Verifying the Master Blocking Sen...

Page 442: ...inApp Step 1 Log in to the CLI Step 2 Verify that MainApp is running sensor show version Application Partition Cisco Intrusion Prevention System Version 5 0 1 1 S152 0 OS Version 2 4 26 IDS smp bigphys Platform IPS 4255 K9 Serial Number JAB0815R017 No license present Sensor up time is 3 days Using 734863360 out of 3974291456 bytes of available memory 18 usage system is using 17 3M out of 29 0M byt...

Page 443: ...TAddr 0 0 0 0 Communications telnet BlockInterface InterfaceName fa0 0 InterfaceDirection in State BlockEnable true NetDevice IP 10 89 147 54 AclSupport uses Named ACLs Version 12 2 State Active sensor Step 3 If Network Access Controller is not connecting look for recurring errors sensor show events error hh mm ss month day year include nac Example sensor show events error 00 00 00 Apr 01 2005 inc...

Page 444: ...the devices it is managing Make sure the you have the correct IP address and username and password for the managed devices and the correct interface and direction configured Note SSH devices must support SSH 1 5 The sensor does not support SSH 2 0 To troubleshoot device access issues follow these steps Step 1 Log in to the CLI Step 2 Verify the IP address for the managed devices sensor configure t...

Page 445: ... sure you have used the correct username password and enable password and to ensure that the device is reachable from the sensor a Log in to the service account b Telnet or SSH to the network device to verify the configuration c Make sure you can reach the device d Verify the username and password Step 4 Verify that each interface and direction on each network device is correct For the procedure s...

Page 446: ...s or type no to discard them Step 5 Telnet to the router and verify that a deny entry for the blocked address exists in the router s ACL Refer to the router documentation for the procedure Step 6 Remove the manual block by repeating Steps 1 through 4 except in Step 2 place no in front of the command sensor config net gen no block hosts 10 16 0 0 Enabling SSH Connections to the Network Device If yo...

Page 447: ... event action is set to block the host Note If you want to receive alerts you must always add produce alert any time you configure the event actions sensor config sig signatures 1300 0 sensor config sig sig engine normalizer sensor config sig sig nor event action produce alert request block host sensor config sig sig nor show settings normalizer event action produce alert request block host defaul...

Page 448: ...Entries 250 MasterBlockingSensor SensorIp 10 89 149 46 SensorPort 443 UseTls 1 State ShunEnable true ShunnedAddr Host IP 122 122 122 44 ShunMinutes 60 MinutesRemaining 59 Step 2 If the master blocking sensor does not show up in the statistics you need to add it For the procedure see Configuring the Sensor to be a Master Blocking Sensor page 10 25 Step 3 Initiate a manual block to a bogus host IP a...

Page 449: ...re terminal sensor config tls trust ip master_blocking_sensor_ip_address Logging TAC may suggest that you turn on debug logging for troubleshooting purposes LogApp controls what log messages are generated by each application by controlling the logging severity for different logging zones By default debug logging is not turned on If you enable individual zone control each zone uses the level of log...

Page 450: ...ntrol enable debug true default false individual zone control false defaulted sensor config log mas Step 9 To turn on individual zone control sensor config log mas individual zone control true sensor config log mas show settings master control enable debug true default false individual zone control true default false sensor config log mas Step 10 Exit master zone control sensor config log mas exit...

Page 451: ...ed protected entry zone name tls severity warning defaulted sensor config log For a list of what each zone name refers to see Zone Names page C 27 Step 12 Change the severity level debug timing warning or error for a particular zone sensor config log zone control IdsEventStore severity error sensor config log show settings master control enable debug true default false individual zone control true...

Page 452: ...13 Turn on debugging for a particular zone sensor config log zone control nac severity debug sensor config log show settings master control enable debug true default false individual zone control true default false zone control min 0 max 999999999 current 14 protected entry zone name AuthenticationApp severity warning defaulted protected entry zone name Cid severity debug defaulted protected entry...

Page 453: ...ype no to discard them Zone Names Table C 1 lists the debug logger zone names Table C 1 Debug Logger Zone Names Zone Name Description AuthenticationApp Authentication zone Cid General logging zone Cli CLI zone IdapiCtlTrans All control transactions zone IdsEventStore Event Store zone MpInstaller IDSM 2 master partition installer zone cmgr Card Manager service zone1 1 The Card Manager service is us...

Page 454: ...mple shows the logging configuration file timemode local timemode utc logApp enabled true FIFO parameters fifoName logAppFifo fifoSizeInK 240 logApp zone and drain parameters zoneAndDrainName logApp fileName main log fileMaxSizeInK 500 zone Cid severity warning drain main zone IdsEventStore severity debug drain main drain main type syslog The syslog output is sent to the syslog facility local6 wit...

Page 455: ...itter 11 22 33 44 CHU_AUDIO 1 8 u 36 64 1 0 536 0 069 0 001 LOCAL 0 73 78 73 84 5 l 35 64 1 0 000 0 000 0 001 ind assID status conf reach auth condition last_event cnt 1 10372 f014 yes yes ok reject reachable 1 2 10373 9014 yes yes none reject reachable 1 status Not Synchronized Step 3 Generate the hosts statistics again after a few minutes sensor show statistics host NTP Statistics remote refid s...

Page 456: ...mode sensor config sig sig ato exit sensor config sig sig exit sensor config sig exit Apply Changes yes Step 4 Press Enter to apply the changes or type no to discard them Step 5 Make sure the correct alarms are being generated sensor show events alert evAlert eventId 1047575239898467370 severity medium originator hostId sj_4250_40 appName sensorApp appInstanceId 1004 signature sigId 20000 sigName ...

Page 457: ...ge C 33 UNIX Style Directory Listings page C 34 IDS 4235 and IDS 4250 Hang During A Software Upgrade If the BIOS of IDS 4235 and IDS 4250 is at A03 you must upgrade it to A04 before applying the most recent IPS software otherwise the appliances hang during the software upgrade process For the procedure for upgrading the BIOS refer to Upgrading the BIOS in Installing Cisco Intrusion Prevention Syst...

Page 458: ...em Images Look at the tcpDump output for errors coming back from the FTP server Make sure the sensor is in the correct directory The directory must be specified correctly This has caused issues with Windows FTP servers Sometimes an extra or even two are needed in front of the directory name To verify this use the same FTP commands you see in the tcpDump output through your own FTP connection Make ...

Page 459: ...ctly what you see on Downloads on Cisco com This includes capitalization Some Windows FTP servers allow access to the file with the incorrect capitalization but the sensor ultimately rejects the file because the name has changed If necessary run tcpDump on automatic update You can compare the successful manual update with the unsuccessful automatic update and troubleshoot from there Updating a Sen...

Page 460: ...ubleshooting procedures for IDM Note These procedures also apply to the IPS section of ASDM This section contains the following topics Increasing the Memory Size of the Java Plug In page C 34 Cannot Launch IDM Loading Java Applet Failed page C 36 Cannot Launch IDM Analysis Engine Busy page C 37 IDM Remote Manager or Sensing Interfaces Cannot Access the Sensor page C 37 Signatures Not Producing Ale...

Page 461: ...If you have Java Plug in 1 5 installed a Click Java The Java Control Panel appears b Click the Java tab c Click View under Java Applet Runtime Settings The Java Runtime Settings Panel appears d Type Xmx256m in the Java Runtime Parameters field and then click OK e Click OK and exit the Java Control Panel Java Plug In on Linux and Solaris To change the settings of Java Plug in 1 4 2 or 1 5 on Linux ...

Page 462: ...can occur if multiple Java Plug ins 1 4 x and or 1 3 x are installed on the machine on which you are launching the IDM Recommended Action Clear the Java cache and remove temp files and clear history in the browser you are using The result is that neither of these plug ins will be used by default and each applet should use the correct plug in To clear the cache follow these steps Step 1 Close all b...

Page 463: ...ger or sensing interfaces cannot access the sensor but you can access the sensor s CLI using SSH or Telnet if enabled follow these steps Note For the procedure for enabling and disabling Telnet on the sensor see Enabling and Disabling Telnet page 4 4 Step 1 Make sure the network configuration allows access to the web server port that is configured on the sensor sensor setup System Configuration Di...

Page 464: ...re actually replacing the list of event actions every time you configure it so make sure you choose Produce Alert every time you configure event actions For example if you choose Produce Alert but later add another event action and do not add Produce Alert to the new configuration alerts will not be sent to the Event Store To make sure you are getting alerts use statistics for the virtual sensor a...

Page 465: ...image IDSM 2 with the 4 1 4 application partition image you must apply the 4 1 4b patch For more information see CSCef12198 SensorApp either crashes or takes 99 of the CPU when IP logging is enabled for stream based signatures 1300 series See CSCed32093 for the workaround IDSM 2 appears to lock up and remote access is prohibited SSH Telnet IDM Event Server Control Transaction Server and IP log Ser...

Page 466: ... yes ok 15 1 1 Multilayer Switch Feature WS F6K MSFC no ok 2 2 48 10 100BaseTX Ethernet WS X6248 RJ 45 no ok 3 3 48 10 100 1000BaseT Ethernet WS X6548 GE TX no ok 4 4 16 1000BaseX Ethernet WS X6516A GBIC no ok 6 6 8 Intrusion Detection Mod WS SVC IDSM2 yes ok Mod Module Name Serial Num 1 SAD041308AN 15 SAD04120BRB 2 SAD03475400 3 SAD073906RC 4 SAL0751QYN0 6 SAD062004LV Mod MAC Address es Hw Fw Sw ...

Page 467: ...ROC Ok 3 000d 29f6 7a80 to 000d 29f6 7aaf 5 0 7 2 1 8 5 0 46 ROC Ok 5 0003 fead 651a to 0003 fead 6521 4 0 7 2 1 5 0 1 1 Ok 6 000d ed23 1658 to 000d ed23 1667 1 0 7 2 1 8 5 0 46 ROC Ok 7 0011 21a1 1398 to 0011 21a1 139b 4 0 8 1 3 12 2 PIKESPE Ok 9 000d 29c1 41bc to 000d 29c1 41bc 1 3 Unknown Unknown PwrDown 11 00e0 b0ff 3340 to 00e0 b0ff 3347 0 102 7 2 0 67 5 0 1 1 Ok 13 0003 feab c850 to 0003 fea...

Page 468: ... If IDSM 2 still does not come online make sure the hardware and operating system are ok router show test module_number Step 6 If the port status reads fail make sure IDSM 2 is firmly connected in the switch Step 7 If the hdd status reads fail you must reimage the application partition For the procedure see Installing the IDSM 2 System Image page 17 25 Cannot Communicate With IDSM 2 Command and Co...

Page 469: ... intrusion detection module 5 management port state Intrusion detection module 5 management port Switchport Enabled Administrative Mode dynamic desirable Operational Mode static access Administrative Trunking Encapsulation negotiate Operational Trunking Encapsulation native Negotiation of Trunking On Access Mode VLAN 1 default Trunking Native Mode VLAN 1 default Trunking VLANs Enabled ALL Pruning ...

Page 470: ...approximately in the center of the mother board If you are facing the module faceplate the RJ 45 port on the right is the serial console port Step 2 Connect a straight through cable to the right port on IDSM 2 and then connect the other end of the cable to a terminal server port Step 3 Configure the terminal server port to be 19200 baud 8 bits no parity You can now log directly in to IDSM 2 Note C...

Page 471: ...show module Mod Card Type Model Serial No 0 ASA 5520 Adaptive Security Appliance ASA5520 P2A00000014 1 ASA 5500 Series Security Services Module 10 AIP SSM 10 P2A0000067U Mod MAC Address Range Hw Version Fw Version Sw Version 0 000b fcf8 7bdc to 000b fcf8 7be0 0 2 1 0 10 0 7 0 1 1 000b fcf8 0176 to 000b fcf8 0176 0 2 1 0 10 0 5 1 0 1 S153 0 Mod Status 0 Up Sys 1 Up asa config If you have problems w...

Page 472: ...Version 1 0 10 0 0 Fri Mar 25 23 02 10 PST 2005 Slot 1 161 Platform AIP SSM 10 Slot 1 162 GigabitEthernet0 0 Slot 1 163 Link is UP Slot 1 164 MAC Address 000b fcf8 0176 Slot 1 165 ROMMON Variable Settings Slot 1 166 ADDRESS 10 89 150 227 Slot 1 167 SERVER 10 89 146 1 Slot 1 168 GATEWAY 10 89 149 254 Slot 1 169 PORT GigabitEthernet0 0 Slot 1 170 VLAN untagged Slot 1 171 IMAGE IPS SSM K9 sys 1 1 a 5...

Page 473: ...n the show tech support command before contacting TAC Displaying Tech Support Information Use the show tech support page password destination url destination url command to display system information on the screen or have it sent to a specific URL You can use the information as a troubleshooting tool with TAC The following parameters are optional page Displays the output one page of information at...

Page 474: ...port output to the file absolute reports sensor1Report html sensor show tech support dest ftp csidsuser 10 2 1 2 absolute reports sensor1Report html The password prompt appears b Type the password for this user account The Generating report message is displayed Tech Support Command Output The following is an example of the show tech support command output Note This output example shows the first p...

Page 475: ...0286 Total Multicast Packets Received 20 Total Receive Errors 0 Total Receive FIFO Overruns 0 Total Packets Transmitted 239437 Total Bytes Transmitted 107163351 Total Transmit Errors 0 Total Transmit FIFO Overruns 0 Output from show statistics networkAccess Current Configuration LogAllBlockEventsAndSensors true EnableNvramWrite false EnableAclLogging false AllowSensorBlock true BlockMaxEntries 250...

Page 476: ...ow version command to display version information for all installed operating system packages signature packages and IPS processes running on the system To view the configuration for the entire system use the more current config command To display the version and configuration follow these steps Step 1 Log in to the CLI Step 2 View version information sensor show version The following examples sho...

Page 477: ...f 29 0M bytes of available disk space 59 usage application data is using 31 1M out of 166 8M bytes of available disk space 20 usage boot is using 39 5M out of 68 6M bytes of available disk space 61 usage application log is using 529 6M out of 2 8G bytes of available disk space 20 usage MainApp 2005_Feb_09_03 00 Release 2005 02 09T03 22 27 0600 Running AnalysisEngine 2005_Feb_09_03 00 Release 2005 ...

Page 478: ...e zone settings MORE Statistics Information The show statistics command is useful for examining the state of the sensor s services This section describes the show statistics command and contains the following topics Overview page C 52 Displaying Statistics page C 53 Overview The show statistics command provides a snapshot of the state of the sensor s services The following services provide statist...

Page 479: ...utilization 0 Total packets processed since reset 241 Total IP packets processed since reset 12 Total packets that were not IP processed since reset 229 Total TCP packets processed since reset 0 Total UDP packets processed since reset 0 Total ICMP packets processed since reset 12 Total packets that were not TCP UDP or ICMP processed since reset 0 Total ARP packets processed since reset 0 Total ISL...

Page 480: ...nts per dgram limit since last reset 0 Number of datagram reassembly timeout since last reset 0 Too many fragments claiming to be the last since last reset 0 Fragments with bad fragment flags since last reset 0 TCP Normalizer stage statistics Packets Input 0 Packets Modified 0 Dropped packets from queue 0 Dropped packets due to deny connection 0 Current Streams 0 Current Streams Closed 0 Current S...

Page 481: ...line 0 modify packet inline 0 log attacker packets 0 log pair packets 0 log victim packets 0 produce alert 0 produce verbose alert 0 request block connection 0 request block host 0 request snmp trap 0 reset tcp connection 0 SigEvent Action Handling Stage Statistics Number of Alerts received to Action Handling Processor 491 Number of Alerts where produceAlert was forced 0 Number of Alerts where pro...

Page 482: ... TCP Stream Reassembly Unit Statistics TCP streams currently in the embryonic state 0 TCP streams currently in the established state 0 TCP streams currently in the closing state 0 TCP streams currently in the system 0 TCP Packets currently queued for reassembly 0 The Signature Database Statistics Total nodes active 0 TCP nodes keyed on both IP addresses and both ports 0 UDP nodes keyed on both IP ...

Page 483: ...istics host General Statistics Last Change To Host Config UTC 16 11 05 Thu Feb 10 2005 Command Control Port Device FastEthernet0 0 Network Statistics fe0_0 Link encap Ethernet HWaddr 00 0B 46 53 06 AA inet addr 10 89 149 185 Bcast 10 89 149 255 Mask 255 255 255 128 UP BROADCAST RUNNING MULTICAST MTU 1500 Metric 1 RX packets 1001522 errors 0 dropped 0 overruns 0 frame 0 TX packets 469569 errors 0 d...

Page 484: ...isplay the statistics for Network Access Controller sensor show statistics network access Current Configuration LogAllBlockEventsAndSensors true EnableNvramWrite false EnableAclLogging false AllowSensorBlock false BlockMaxEntries 11 MaxDeviceInterfaces 250 NetDevice Type PIX IP 10 89 150 171 NATAddr 0 0 0 0 Communications ssh 3des NetDevice Type PIX IP 10 89 150 219 NATAddr 0 0 0 0 Communications ...

Page 485: ...7 0 State Active Firewall type ASA NetDevice IP 10 89 150 250 AclSupport Does not use ACLs Version 2 2 State Active Firewall type FWSM NetDevice IP 10 89 150 158 AclSupport uses Named ACLs Version 12 2 State Active NetDevice IP 10 89 150 138 AclSupport Uses VACLs Version 8 4 State Active BlockedAddr Host IP 22 33 4 5 Vlan ActualIp BlockMinutes Host IP 21 21 12 12 Vlan ActualIp BlockMinutes Host IP...

Page 486: ...trolTransactions 0 sensor Step 15 Display the statistics for Web Server sensor show statistics web server listener 443 number of server session requests handled 61 number of server session requests rejected 0 total HTTP requests handled 35 maximum number of session objects allowed 40 number of idle allocated session objects 10 number of busy allocated session objects 0 crypto library version 6 0 3...

Page 487: ...rfaces This section describes the show interfaces command and contains the following topics Overview page C 61 Interfaces Command Output page C 61 Overview You can learn the following information from the show interfaces command Whether the interface is up or down Whether or not packets are being seen and on which interfaces Whether or not packets are being dropped by SensorApp Whether or not ther...

Page 488: ...tal Broadcast Packets Transmitted 0 Total Jumbo Packets Transmitted 0 Total Undersize Packets Transmitted 0 Total Transmit Errors 0 Total Transmit FIFO Overruns 0 MAC statistics from interface GigabitEthernet0 0 Media Type TX Link Status Up Link Speed Auto_100 Link Duplex Auto_Full Total Packets Received 2211296 Total Bytes Received 157577635 Total Multicast Packets Received 20 Total Receive Error...

Page 489: ...show events cr alert Display local system alerts error Display error events hh mm ss Display start time log Display log events nac Display NAC shun events past Display events starting in the past specified time status Display status events Output modifiers Displaying Events Use the show events alert informational low medium high include traits traits exclude traits traits error warning error fatal...

Page 490: ...re follow these steps Step 1 Log in to the CLI Step 2 Display all events starting now sensor show events evError eventId 1041472274774840147 severity warning vendor Cisco originator hostId sensor2 appName cidwebserver appInstanceId 12075 time 2003 01 07 04 41 45 2003 01 07 04 41 45 UTC errorMessage name errWarning received fatal alert certificate_unknown evError eventId 1041472274774840148 severit...

Page 491: ...tId sensor appName sensorApp appInstanceId 367 time 2005 03 02 14 15 59 2005 03 02 14 15 59 UTC signature description Nachi Worm ICMP Echo Request id 2156 version S54 subsigId 0 sigDetails Nachi ICMP interfaceGroup vlan 0 participants attacker addr locality OUT 10 89 228 202 target addr locality OUT 10 89 150 185 riskRatingValue 70 interface fe0_1 protocol icmp evIdsAlert eventId 11096959391028053...

Page 492: ...t If you do not have access to IDM or the CLI you can run the underlying script cidDump from the Service account by logging in as root and running usr cids idsRoot bin cidDump The cidDump file s path is usr cids idsRoot htdocs private cidDump html cidDump is a script that captures a large amount of information including the IPS processes list log files OS information directory listings package inf...

Page 493: ...dDump html the show tech support command output and cores to the ftp sj server To upload and access files on the Cisco FTP site follow these steps Step 1 Log in to ftp sj cisco com as anonymous Step 2 Change to the incoming directory Step 3 Use the put command to upload the files Make sure to use the binary transfer type Step 4 To access uploaded files log in to an ECS supported host Step 5 Change...

Page 494: ...C 68 Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5 0 78 16527 01 Appendix C Troubleshooting Gathering Information ...

Page 495: ...e ACLs are identified by number or by name ACLs can be standard enhanced or extended You can configure the sensor to manage ACLs action The sensor s response to an event An action only happens if the event is not filtered Possible actions include TCP reset block host block connection IP logging and capturing the alert trigger packet active ACL The ACL created and maintained by Network Access Contr...

Page 496: ...ddress Resolution Protocol Internet protocol used to map an IP address to a MAC address Defined in RFC 826 ASA Adaptive Security Appliance The ASA combines firewall VPN concentrator and intrusion prevention software functionality into one software image You can configure ASA in single mode or multi mode ASDM Adaptive Security Device Manager A web based application that lets you configure and manag...

Page 497: ...lic key that is signed with an authoritative private key cidDump A script that captures a large amount of information including the IPS processes list log files OS information directory listings package information and configuration files CIDEE Cisco Intrusion Detection Event Exchange Specifies the extensions to SDEE that are used by Cisco IPS systems The CIDEE standard specifies all possible exte...

Page 498: ...erver whenever the browser makes additional requests of the web server CTR Cisco Threat Response See Threat Response D Database Processor See DBP datagram Logical grouping of information sent as a network layer unit over a transmission medium without prior establishment of a virtual circuit IP datagrams are the primary information units in the Internet The terms cell frame message packet and segme...

Page 499: ...a to alter the appearance of the data making it incomprehensible to those who are not authorized to see the information engine A component of the sensor designed to support many signatures in a certain category Each engine has parameters that can be used to create signatures or tune existing signatures enterprise network Large and diverse network connecting most major points in a company or other ...

Page 500: ...ss of breaking a packet into smaller units when transmitting over a network medium that cannot support the original size of the packet Fragment Reassembly Processor See FRP FRP Fragment Reassembly Processor Reassembles fragmented IP datagrams It is also responsible for normalization of IP fragments when the sensor is in inline mode FTP File Transfer Protocol Application protocol part of the TCP IP...

Page 501: ...Service attack that sends a host more ICMP echo request ping packets than the protocol implementation can handle IDAPI Intrusion Detection Application Programming Interface Provides a simple interface between IPS architecture applications IDAPI reads and writes event data and provides a mechanism for control transactions IDCONF Intrusion Detection Configuration A data format standard that defines ...

Page 502: ...occurs when an attacker outside your network pretends to be a trusted user either by using an IP address that is within the range of IP addresses for your network or by using an authorized external IP address that you trust and to which you want to provide access to specified resources on your network Should an attacker get access to your IPSec security parameters that attacker can masquerade as t...

Page 503: ...d on the META engine The META engine takes alerts as input rather than packets META engine Defines events that occur in a related manner within a sliding time interval This engine processes events rather than packets MIB Management Information Base Database of network management information that is used and maintained by a network management protocol such as SNMP or CMIP The value of a MIB object ...

Page 504: ... element on the command and control network For example an appliance an IDSM 2 or a router NORMALIZER engine Configures how the IP and TCP normalizer functions and provides configuration for signature events related to the IP and TCP normalizer NSDB Network Security Database A database of security information that explains the signatures the IPS uses along with the vulnerabilities on which these s...

Page 505: ...nd packet PEP Cisco Product Evolution Program PEP is the UDI information that consists of the PID the VID and the SN of your sensor PEP provides hardware version and serial number visibility through electronic query product labels and shipping items PER packed encoding rules Instead of using a generic style of encoding that encodes all types in a uniform way PER specializes the encoding based on t...

Page 506: ... at the destination after it has been fragmented either at the source or at an intermediate node recovery partition image An IPS image file that includes the full application image and installer used for recovery on sensors RDEP2 Remote Data Exchange Protocol version 2 The published specification for remote data exchange over the command and control network using HTTP and TLS regex See regular exp...

Page 507: ...ices SDP Slave Dispatch Processor Secure Shell Protocol Protocol that provides a secure remote connection to a router through a Transmission Control Protocol TCP application SEAF signature event action filter Subtracts actions based on the signature event s signature ID addresses and RR The input to the SEAF is the signature event with actions possibly added by the SEAO SEAH signature event action...

Page 508: ...the router or switch shun command Enables a dynamic response to an attacking host by preventing new connections and disallowing packets from any existing connection It is used by Network Access Controller when blocking with a PIX Firewall Signature Analysis Processor See SAP signature A signature distills network information and compares it against a rule set that indicates typical intrusion activ...

Page 509: ... and accessing relational databases SRAM Type of RAM that retains its contents for as long as power is supplied SRAM does not require constant refreshing like DRAM SRP Stream Reassembly Processor Reorders TCP streams to ensure the arrival order of the packets at the various stream based inspectors It is also responsible for normalization of the TCP stream The normalizer engine lets you enable or d...

Page 510: ...interface on which the packets are monitored but on the IDS 4250 XL and IDSM 2 the sensing interfaces cannot be used for sending TCP resets On the IDS 4250 XL the TCP reset interface is the onboard 10 100 100 TX interface which is normally used on the IDS 4250 TX appliance when the XL card is not present On the IDSM 2 the TCP reset interface is designated as port 1 with Catalyst software and is no...

Page 511: ...not directly available Such characteristics include the identities and locations of the source s and destination s and the presence amount frequency and duration of occurrence TRAFFIC ICMP engine Analyzes traffic from nonstandard protocols such as TFN2K LOKI and DDOS Transaction Server A component of the IPS Transaction Source A component of the IPS trap Message sent by an SNMP agent to an NMS a c...

Page 512: ...ts host program be run to make the virus active virus update A signature update specifically addressing viruses VLAN Virtual Local Area Network Group of devices on one or more LANs that are configured using management software so that they can communicate as if they were attached to the same wire when in fact they are located on a number of different LAN segments Because VLANs are based on logical...

Page 513: ...rom a capture file on disk You can interactively browse the capture data viewing summary and detail information for each packet Wireshark has several powerful features including a rich display filter language and the ability to view the reconstructed stream of a TCP session For more information see http www wireshark org worm A computer program that can run independently can propagate a complete w...

Page 514: ...Glossary GL 20 Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5 0 78 16527 01 ...

Page 515: ...described 7 12 features B 6 AIP SSM commands 14 5 configuration tasks 14 1 hw module module 1 recover 14 5 hw module module 1 reset 14 5 hw module module 1 shutdown 14 5 inline mode 14 2 inspecting IPS traffic 14 3 logging in 2 7 modes 14 2 promiscuous mode 14 2 recovering C 45 resetting C 45 sending traffic 14 2 session command 2 7 show module command 14 2 task sequence 14 1 time sources 4 20 ver...

Page 516: ...back door Trojan BO2K B 34 backing up configuration 12 17 current configuration 12 16 BackOrifice protocol B 34 backup config command 12 13 banner login command 13 1 block enable command 10 6 block hosts command 10 27 blocking addresses never to block 10 15 block time 10 10 described 10 1 10 3 disabling 10 6 list of blocked hosts 10 28 managing PIX Firewalls 10 24 managing routers 10 20 managing s...

Page 517: ...cisco default password 2 2 default username 2 2 Cisco com accessing software 18 1 account 18 6 Active Update Bulletins 18 11 18 12 cryptographic access 18 6 downloading software 18 1 downloading software updates 18 6 software downloads 18 1 Cisco IOS software configuration commands 15 31 EXEC commands 15 30 IDSM 2 command and control access 15 6 configuring VACLs 15 13 enabling full memory tests 1...

Page 518: ... 13 1 block enable 10 6 block hosts 10 27 block networks 10 27 bypass option 5 10 class map 14 2 clear denied attackers 6 18 13 8 clear events 4 20 13 7 C 66 clear line 13 2 clock set 4 22 13 8 copy backup config 12 15 copy current config 12 15 copy iplog 8 6 copy license key 4 38 18 9 copy packet file 9 6 current config 12 13 debug module boot C 45 display serial 13 21 downgrade 17 8 enable acl l...

Page 519: ...settings 12 3 12 11 13 26 show statistics 10 28 13 10 C 53 show statistics virtual sensor 13 10 C 53 show tech support 13 18 C 47 show users 4 16 show version 13 19 C 50 sig fidelity rating 7 9 snmp agent port 11 2 snmp agent protocol 11 2 ssh authorized key 4 32 ssh generate key 4 34 ssh host key 4 31 status 7 10 stream reassembly 7 27 summertime option non recurring 4 25 summertime option recurr...

Page 520: ...ever to block 10 16 NTP servers 4 28 NVRAM write 10 12 packet capture NM CIDS 16 5 passwords 4 14 physical interfaces 5 9 privilege 4 15 promiscuous mode 5 6 sensor to block itself 10 4 sensor to use NTP 4 29 SFR 7 9 signature fidelity rating 7 9 signature variables 7 3 status 7 10 summarizer 6 16 summertime non recurring 4 25 recurring 4 23 task sequence sensor 1 2 TCP stream reassembly 7 27 teln...

Page 521: ...ng network connectivity 13 22 directing output to serial port 13 22 disabling blocking 10 6 EtherChanneling 15 22 signatures 7 10 disaster recovery C 2 displaying contents of logical file 12 13 current configuration 12 1 current submode configuration 12 3 events 13 5 C 64 live traffic 9 3 PEP information 13 24 statistics 13 10 C 53 submode settings 13 26 system clock 4 21 13 7 tech support informa...

Page 522: ... table 6 3 event counter command 7 8 Event Store clearing events 4 20 data structures A 8 described A 2 examples A 7 responsibilities A 7 timestamp A 7 event types C 63 event variables describing 6 5 example 6 5 F files Cisco IPS 18 1 filtering current configuration 12 10 submode configuration 12 12 filters command 6 10 FLOOD HOST engine parameters table B 10 FLOOD NET engine parameters table B 10...

Page 523: ...4 RDEP2 A 34 XML A 34 IDIOM defined A 34 messages A 34 IDM certificates 4 34 error message Analysis Engine is busy C 37 Java Plug in C 34 memory C 34 TLS SSL 4 35 will not load clear Java cache C 36 IDS 4215 BIOS upgrade 17 13 installing system image 17 11 reimaging 17 11 ROMMON 17 9 ROMMON upgrade 17 13 upgrading BIOS 17 13 ROMMON 17 13 IDSM 2 administrative tasks 15 24 capturing IPS traffic desc...

Page 524: ...5 8 supported supervisor engine commands 15 28 TCP reset port 15 7 15 12 time sources 4 19 unsupported supervisor engine commands 15 29 upgrading maintenance partition Catalyst software 17 35 maintenance partition Cisco IOS software 17 36 VACLs configuring 15 11 described 15 11 verifying installation 15 2 initialization verifying 3 7 verifying AIP SSM 14 2 initializing the sensor 3 1 3 2 inline in...

Page 525: ...plication list A 2 available files 18 1 configuring device parameters A 4 directory structure A 36 Linux OS A 1 new features A 3 obtaining 18 1 platform dependent release examples 18 5 retrieving data A 5 security features A 5 tuning signatures A 5 updating A 5 user interaction A 4 versioning scheme 18 2 J Java Plug in Linux C 35 Solaris C 35 Windows C 35 K keywords default 1 9 no 1 9 L license ke...

Page 526: ...10 25 MASTER engine alert frequency B 4 alert frequency parameters table B 4 defined B 3 general parameters table B 4 promiscuous delta B 3 universal parameters B 3 max block entries command 10 8 max denied attackers command 6 16 MBS not set up properly C 22 memory IDM C 34 merging configuration files 12 17 META engine described B 10 parameters table B 11 MIBS supported 11 6 mls ip ids command 15 ...

Page 527: ...rks command 10 15 NM CIDS bootloader file 17 22 overview 17 22 checking IPS software status 16 7 configuration tasks 16 1 configuring ids sensor interfaces 16 2 packet capture 16 5 configuring interfaces 16 2 logging in 2 5 packet monitoring described 16 5 rebooting 16 7 reimaging 17 20 reimaging described 17 19 reload command 16 7 reset command 16 7 session command 16 2 shutdown command 16 7 supp...

Page 528: ...sical connectivity issues C 10 physical interface command 5 8 physical interfaces command 5 4 physical interfaces configuration 5 9 ping command 13 22 policy map command 14 2 Post Block ACLs 10 18 10 19 Pre Block ACLs 10 18 10 19 prerequisites for blocking 10 3 privilege command 4 11 4 15 configuring 4 15 promiscuous mode configuring 5 6 described 5 1 EtherChanneling 15 20 understanding 5 4 prompt...

Page 529: ...mapper B 23 RR calculating 6 6 described A 3 example 6 20 RSA authentication and authorized keys 4 32 RTT described 17 11 TFTP limitation 17 11 S scheduling automatic upgrades 17 7 SDEE defined A 35 HTTP A 35 protocol A 35 Server requests A 35 SEAF described 6 2 A 25 parameters 6 2 A 25 SEAO described 6 2 A 25 SEAP alarm channel 6 2 A 25 components 6 2 A 25 described A 23 flow of signature events ...

Page 530: ... B 14 SERVICE FTP engine described B 15 parameters table B 15 SERVICE GENERIC engine described B 16 parameters table B 16 SERVICE HTTP engine described B 19 parameters table B 19 signature 7 32 SERVICE IDENT engine described B 20 parameters table B 21 SERVICE MSRPC engine DCS RPC protocol B 21 described B 21 SERVICE MSSQL engine described B 22 MS SQL protocol B 22 parameters table B 22 SERVICE NTP...

Page 531: ...w version command 13 19 C 50 sig fidelity rating command 7 9 signature engines AIC B 7 ATOMIC B 8 ATOMIC ARP B 8 ATOMIC IP B 9 defined B 1 event actions B 5 FLOOD B 10 FLOOD HOST B 10 FLOOD NET B 10 H225 B 17 list B 1 META B 10 NORMALIZER B 12 SERVICE DNS B 14 SERVICE FTP B 15 SERVICE GENERIC B 16 SERVICE HTTP B 19 SERVICE IDENT B 20 SERVICE MSRPC B 21 SERVICE MSSQL B 22 SERVICE NTP engine B 22 SE...

Page 532: ...logging 8 4 stream reassembly command 7 27 STRING ICMP engine parameters table B 29 STRING TCP engine options 7 30 parameters table B 30 signature example 7 30 STRING UDP engine parameters table B 31 STRING engine described B 29 submode configuration filtering output 12 12 searching output 12 12 summarization described 6 15 Engine META 6 15 Fire All 6 15 Fire Once 6 16 Global Summarization 6 16 Su...

Page 533: ...le size limitation 17 11 RTT 17 11 time correction on sensors 4 20 time sources AIP SSM 4 20 appliances 4 18 IDSM 2 4 19 NM CIDS 4 19 time zone settings command 4 27 configuring 4 27 TLS certificate generation 4 37 certificates 4 34 described 4 34 handshaking 4 35 tls generate key command 4 37 tls trusted host command 4 36 trace command 13 25 IP packet route 13 25 TRAFFIC ICMP engine DDOS B 33 des...

Page 534: ... C 22 NTP C 29 physical connectivity issues C 10 preventive maintenance C 1 reset not occurring for a signature C 29 sensor events C 63 sensor not seeing packets C 13 sensor process not running C 8 service account 4 13 show events command C 62 show interfaces command C 61 show statistics command C 52 show tech support command C 47 show tech support command output C 48 show version command C 50 sof...

Page 535: ...logging C 23 TCP reset interface 5 4 V VACLs described 10 2 IDSM 2 15 11 Post Block 10 22 Pre Block 10 22 variables command 6 5 7 2 verifying EtherChanneling 15 23 IDSM 2 installation 15 2 sensor initialization 3 7 sensor setup 3 7 Viewer privileges 1 3 A 28 viewing user information 4 16 virtual sensor and assigning the interfaces 5 9 W Web Server described A 2 A 22 HTTP 1 0 and 1 1 support A 22 p...

Page 536: ...Index IN 22 Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5 0 78 16527 01 ...

Reviews:

No comments