Cisco Systems Home Security System IPS4510K9, IPS4510K9 User manual

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Cisco Intrusion Prevention System Sensor
CLI Configuration Guide for IPS 7.2
Text Part Number: OL-29168-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public
domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this
URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership
relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the
document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2
© 2013 Cisco Systems, Inc. All rights reserved.
iii
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2
OL-29168-01
CONTENTS

Contents    xxiii
Audience    xxiii
Organization    xxiii
Conventions    xxv
Related Documentation    xxv
Obtaining Documentation and Submitting a Service Request    xxvi

CHAPTER ii    Logging In to the Sensor    ii-1
Logging In Notes and Caveats    ii-1
Supported User Roles    ii-1
Logging In to the Appliance    ii-2
Connecting an Appliance to a Terminal Server    ii-3
Logging In to the ASA 5500-X IPS SSP    ii-4
Logging In to the ASA 5585-X IPS SSP    ii-5
Logging In to the Sensor    ii-6

CHAPTER 1    Introducing the CLI Configuration Guide    1-1
Supported IPS Platforms    1-1
IPS CLI Configuration Guide    1-1
Sensor Configuration Sequence    1-2
User Roles    1-3
CLI Behavior    1-5
Command Line Editing    1-6
IPS Command Modes    1-8
Regular Expression Syntax    1-8
Generic CLI Commands    1-10
CLI Keywords    1-11

CHAPTER 2    Initializing the Sensor    2-1
Initializing Notes and Caveats    2-1
Understanding Initialization    2-2
Simplified Setup Mode    2-2
System Configuration Dialog    2-2
Basic Sensor Setup    2-4
Advanced Setup    2-7
Advanced Setup for the Appliance    2-8
Advanced Setup for the ASA 5500-X IPS SSP    2-13
Advanced Setup for the ASA 5585-X IPS SSP    2-17
Verifying Initialization    2-20

CHAPTER 3    Setting Up the Sensor    3-1
Setup Notes and Caveats    3-1
Understanding Sensor Setup    3-2
Changing Network Settings    3-2
Changing the Hostname    3-3
Changing the IP Address, Netmask, and Gateway    3-4
Enabling and Disabling Telnet    3-5
Changing the Access List    3-6
Changing the FTP Timeout    3-8
Adding a Login Banner    3-9
Configuring the DNS and Proxy Servers for Global Correlation and Automatic Update    3-10
Enabling SSHv1 Fallback    3-13
Changing the CLI Session Timeout    3-14
Changing Web Server Settings    3-15
Configuring Authentication and User Parameters    3-18
Adding and Removing Users    3-18
Configuring Authentication    3-20
Configuring Packet Command Restriction    3-26
Creating the Service Account    3-28
The Service Account and RADIUS Authentication    3-29
RADIUS Authentication Functionality and Limitations    3-29
Configuring Passwords    3-29
Changing User Privilege Levels    3-30
Showing User Status    3-31
Configuring the Password Policy    3-32
Locking User Accounts    3-33
Unlocking User Accounts    3-34
Configuring Time    3-35
Time Sources and the Sensor    3-35
Synchronizing IPS Module System Clocks with the Parent Device System Clock    3-36
Correcting Time on the Sensor    3-36
Configuring Time on the Sensor    3-36
Displaying the System Clock    3-37
Manually Setting the System Clock    3-37
Configuring Recurring Summertime Settings    3-38
Configuring Nonrecurring Summertime Settings    3-40
Configuring Time Zones Settings    3-42
Configuring NTP    3-42
Configuring a Cisco Router to be an NTP Server    3-43
Configuring the Sensor to Use an NTP Time Source    3-44
Configuring SSH    3-45
Understanding SSH    3-46
Adding Hosts to the SSH Known Hosts List    3-46
Adding Authorized RSA1 and RSA2 Keys    3-48
Generating the RSA Server Host Key    3-49
Configuring TLS    3-51
Understanding TLS    3-51
Adding TLS Trusted Hosts    3-52
Displaying and Generating the Server Certificate    3-53
Installing the License Key    3-54
Understanding the License Key    3-54
Service Programs for IPS Products    3-55
Obtaining and Installing the License Key    3-55
Licensing the ASA 5500-X IPS SSP    3-57
Uninstalling the License Key    3-58

CHAPTER 4    Configuring Interfaces    4-1
Interface Notes and Caveats    4-1
Understanding Interfaces    4-2
IPS Interfaces    4-2
Command and Control Interface    4-3
Sensing Interfaces    4-4
TCP Reset Interfaces    4-4
Understanding Alternate TCP Reset Interfaces    4-4
Designating the Alternate TCP Reset Interface    4-5
Interface Support    4-6
Interface Configuration Restrictions    4-8
Interface Configuration Sequence    4-10
Configuring Physical Interfaces    4-11
Configuring Promiscuous Mode    4-14
Understanding Promiscuous Mode    4-14
Configuring Promiscuous Mode    4-15
IPv6, Switches, and Lack of VACL Capture    4-15
Configuring Inline Interface Mode    4-16
Understanding Inline Interface Mode    4-16
Configuring Inline Interface Pairs    4-17
Configuring Inline VLAN Pair Mode    4-21
Understanding Inline VLAN Pair Mode    4-21
Configuring Inline VLAN Pairs    4-22
Configuring VLAN Group Mode    4-26
Understanding VLAN Group Mode    4-26
Deploying VLAN Groups    4-27
Configuring VLAN Groups    4-28
Configuring Inline Bypass Mode    4-33
Understanding Inline Bypass Mode    4-33
Configuring Inline Bypass Mode    4-34
Configuring Interface Notifications    4-35
Configuring CDP Mode    4-36
Displaying Interface Statistics    4-37
Displaying Interface Traffic History    4-40

CHAPTER 5    Configuring Virtual Sensors    5-1
Virtual Sensor Notes and Caveats    5-1
Understanding the Analysis Engine    5-2
Understanding Virtual Sensors    5-2
Advantages and Restrictions of Virtualization    5-2
Inline TCP Session Tracking Mode    5-3
Normalization and Inline TCP Evasion Protection Mode    5-4
HTTP Advanced Decoding    5-4
Adding, Editing, and Deleting Virtual Sensors    5-4
Adding Virtual Sensors    5-5
Editing and Deleting Virtual Sensors    5-9
Configuring Global Variables    5-12

CHAPTER 7    Defining Signatures    7-1
Signature Definition Notes and Caveats    7-1
Understanding Policies    7-1
Working With Signature Definition Policies    7-2
Understanding Signatures    7-3
Configuring Signature Variables    7-4
Understanding Signature Variables    7-4
Creating Signature Variables    7-4
Configuring Signatures    7-6
Signature Definition Options    7-6
Configuring Alert Frequency    7-7
Configuring Alert Severity    7-9
Configuring the Event Counter    7-10
Configuring Signature Fidelity Rating    7-12
Configuring the Status of Signatures    7-13
Configuring the Vulnerable OSes for a Signature    7-14
Assigning Actions to Signatures    7-15
Configuring AIC Signatures    7-17
Understanding the AIC Engine    7-17
AIC Engine and Sensor Performance    7-18
Configuring the Application Policy    7-18
AIC Request Method Signatures    7-20
AIC MIME Define Content Type Signatures    7-21
AIC Transfer Encoding Signatures    7-24
AIC FTP Commands Signatures    7-25
Creating an AIC Signature    7-26
Configuring IP Fragment Reassembly    7-28
Understanding IP Fragment Reassembly    7-28
IP Fragment Reassembly Signatures and Configurable Parameters    7-28
Configuring IP Fragment Reassembly Parameters    7-30
Configuring the Method for IP Fragment Reassembly    7-30
Configuring TCP Stream Reassembly    7-31
Understanding TCP Stream Reassembly    7-31
TCP Stream Reassembly Signatures and Configurable Parameters    7-32
Configuring TCP Stream Reassembly Signatures    7-36
Configuring the Mode for TCP Stream Reassembly    7-37
Configuring IP Logging    7-39
Creating Custom Signatures    7-40
Sequence for Creating a Custom Signature    7-40
Example String TCP Engine Signature    7-41
Example Service HTTP Engine Signature    7-44
Example Meta Engine Signature    7-46
Example IPv6 Engine Signature    7-50
Example String XL TCP Engine Match Offset Signature    7-52
Example String XL TCP Engine Minimum Match Length Signature    7-55

CHAPTER 8    Configuring Event Action Rules    8-1
Event Action Rules Notes and Caveats    8-1
Understanding Security Policies    8-2
Understanding Event Action Rules    8-2
Signature Event Action Processor    8-3
Event Actions    8-4
Event Action Rules Configuration Sequence    8-7
Working With Event Action Rules Policies    8-8
Event Action Variables    8-9
Understanding Event Action Variables    8-10
Adding, Editing, and Deleting Event Action Variables    8-11
Configuring Target Value Ratings    8-13
Calculating the Risk Rating    8-13
Understanding Threat Rating    8-14
Adding, Editing, and Deleting Target Value Ratings    8-15
Configuring Event Action Overrides    8-17
Understanding Event Action Overrides    8-17
Adding, Editing, Enabling, and Disabling Event Action Overrides    8-17
Configuring Event Action Filters    8-20
Understanding Event Action Filters    8-20
Configuring Event Action Filters    8-21
Configuring OS Identifications    8-26
Understanding Passive OS Fingerprinting    8-26
Passive OS Fingerprinting Configuration Considerations    8-27
Adding, Editing, Deleting, and Moving Configured OS Maps    8-28
Displaying and Clearing OS Identifications    8-31
Configuring General Settings    8-32
Understanding Event Action Summarization    8-33
Understanding Event Action Aggregation    8-33
Configuring the General Settings    8-34
Configuring the Denied Attackers List    8-35
Adding a Deny Attacker Entry to the Denied Attackers List    8-35
Monitoring and Clearing the Denied Attackers List    8-36
Monitoring Events    8-38
Displaying Events    8-38
Clearing Events from Event Store    8-41

CHAPTER 9    Configuring Anomaly Detection    9-1
Anomaly Detection Notes and Caveats    9-1
Understanding Security Policies    9-2
Understanding Anomaly Detection    9-2
Understanding Worms    9-2
Anomaly Detection Modes    9-3
Anomaly Detection Zones    9-4
Anomaly Detection Configuration Sequence    9-5
Anomaly Detection Signatures    9-6
Enabling Anomaly Detection    9-8
Working With Anomaly Detection Policies    9-8
Configuring Anomaly Detection Operational Settings    9-10
Configuring the Internal Zone    9-11
Understanding the Internal Zone    9-12
Configuring the Internal Zone    9-12
Configuring TCP Protocol for the Internal Zone    9-13
Configuring UDP Protocol for the Internal Zone    9-15
Configuring Other Protocols for the Internal Zone    9-18
Configuring the Illegal Zone    9-20
Understanding the Illegal Zone    9-20
Configuring the Illegal Zone    9-20
Configuring TCP Protocol for the Illegal Zone    9-21
Configuring UDP Protocol for the Illegal Zone    9-24
Configuring Other Protocols for the Illegal Zone    9-26
Configuring the External Zone    9-28
Understanding the External Zone    9-28
Configuring the External Zone    9-28
Configuring TCP Protocol for the External Zone    9-29
Configuring UDP Protocol for the External Zone    9-32
Configuring Other Protocols for the External Zone    9-34
Configuring Learning Accept Mode    9-36
The KB and Histograms    9-36
Configuring Learning Accept Mode    9-38
Working With KB Files    9-40
Displaying KB Files    9-40
Saving and Loading KBs Manually    9-41
Copying, Renaming, and Erasing KBs    9-42
Displaying the Differences Between Two KBs    9-44
Displaying the Thresholds for a KB    9-45
Displaying Anomaly Detection Statistics    9-47
Disabling Anomaly Detection    9-48

CHAPTER 10    Configuring Global Correlation    10-1
Global Correlation Notes and Caveats    10-1
Understanding Global Correlation    10-2
Participating in the SensorBase Network    10-2
Understanding Reputation    10-3
Understanding Network Participation    10-4
Understanding Efficacy    10-5
Understanding Reputation and Risk Rating    10-6
Global Correlation Features and Goals    10-6
Global Correlation Requirements    10-7
Understanding Global Correlation Sensor Health Metrics    10-8
Configuring Global Correlation Inspection and Reputation Filtering    10-8
Understanding Global Correlation Inspection and Reputation Filtering    10-9
Configuring Global Correlation Inspection and Reputation Filtering    10-10
Configuring Network Participation    10-11
Troubleshooting Global Correlation    10-13
Disabling Global Correlation    10-13
Displaying Global Correlation Statistics    10-14

CHAPTER 11    Configuring External Product Interfaces    11-1
External Product Interface Notes and Caveats    11-1
Understanding External Product Interfaces    11-1
Understanding the CSA MC    11-2
External Product Interface Issues    11-3
Configuring the CSA MC to Support the IPS Interface    11-4
Adding External Product Interfaces and Posture ACLs    11-4
Troubleshooting External Product Interfaces    11-8

CHAPTER 12    Configuring IP Logging    12-1
IP Logging Notes and Caveats    12-1
Understanding IP Logging    12-2
Configuring Automatic IP Logging    12-2
Configuring Manual IP Logging for a Specific IP Address    12-3
Displaying the Contents of IP Logs    12-5
Stopping Active IP Logs    12-6
Copying IP Log Files to Be Viewed    12-7

CHAPTER 13    Displaying and Capturing Live Traffic on an Interface    13-1
Packet Display and Capture Notes and Caveats    13-1
Understanding Packet Display and Capture    13-2
Displaying Live Traffic on an Interface    13-2
Capturing Live Traffic on an Interface    13-4
Copying the Packet File    13-6
Erasing the Packet File    13-7

CHAPTER 14    Configuring Attack Response Controller for Blocking and Rate Limiting    14-1
Blocking Notes and Caveats    14-1
Understanding Blocking    14-2
Understanding Rate Limiting    14-4
Understanding Service Policies for Rate Limiting    14-5
Before Configuring ARC    14-5
Supported Devices    14-6
Configuring Blocking Properties    14-7
Allowing the Sensor to Block Itself    14-8
Disabling Blocking    14-9
Specifying Maximum Block Entries    14-11
Specifying the Block Time    14-13
Enabling ACL Logging    14-14
Enabling Writing to NVRAM    14-15
Logging All Blocking Events and Errors    14-16
Configuring the Maximum Number of Blocking Interfaces    14-17
Configuring Addresses Never to Block    14-19
Configuring User Profiles    14-20
Configuring Blocking and Rate Limiting Devices    14-21
How the Sensor Manages Devices    14-21
Configuring the Sensor to Manage Cisco Routers    14-22
Routers and ACLs    14-23
Configuring the Sensor to Manage Cisco Routers    14-23
Configuring the Sensor to Manage Catalyst 6500 Series Switches and Cisco 7600 Series Routers    14-25
Switches and VACLs    14-25
Configuring the Sensor to Manage Catalyst 6500 Series Switches and Cisco 7600 Series Routers    14-26
Configuring the Sensor to Manage Cisco Firewalls    14-27
Configuring the Sensor to be a Master Blocking Sensor    14-28
Configuring Host Blocking    14-31
Configuring Network Blocking    14-31
Configuring Connection Blocking    14-32
Obtaining a List of Blocked Hosts and Connections    14-33

CHAPTER 15    Configuring SNMP    15-1
SNMP Notes and Caveats    15-1
Understanding SNMP    15-1
Configuring SNMP    15-2
Configuring SNMP Traps    15-4
Supported MIBs    15-6

CHAPTER 16    Working With Configuration Files    16-1
Displaying the Current Configuration    16-1
Displaying the Current Submode Configuration    16-3
Filtering the Current Configuration Output    16-16
Filtering the Current Submode Configuration Output    16-18
Displaying the Contents of a Logical File    16-19
Backing Up and Restoring the Configuration File Using a Remote Server    16-22
Creating and Using a Backup Configuration File    16-24
Erasing the Configuration File    16-24

CHAPTER 17    Administrative Tasks for the Sensor    17-1
Administrative Notes and Caveats    17-2
Recovering the Password    17-2
Understanding Password Recovery    17-2
Recovering the Password for the Appliance    17-3
Using the GRUB Menu    17-3
Using ROMMON    17-4
Recovering the Password for the ASA 5500-X IPS SSP    17-4
Recovering the Password for the ASA 5585-X IPS SSP    17-6
Disabling Password Recovery    17-8
Verifying the State of Password Recovery    17-9
Troubleshooting Password Recovery    17-9
Clearing the Sensor Databases    17-9
Displaying the Inspection Load of the Sensor    17-11
Configuring Health Status Information    17-13
Showing Sensor Overall Health Status    17-17
Creating a Banner Login    17-18
Terminating CLI Sessions    17-19
Modifying Terminal Properties    17-20
Configuring Events    17-20
Displaying Events    17-21
Clearing Events from the Event Store    17-23
Configuring the System Clock    17-24
Displaying the System Clock    17-24
Manually Setting the System Clock    17-25
Clearing the Denied Attackers List    17-25
Displaying Policy Lists    17-27
Displaying Statistics    17-28
Displaying Tech Support Information    17-40
Displaying Version Information    17-41
Diagnosing Network Connectivity    17-43
Resetting the Appliance    17-44
Displaying Command History    17-45
Displaying Hardware Inventory    17-46
Tracing the Route of an IP Packet    17-48
Displaying Submode Settings    17-49

CHAPTER 18    Configuring the ASA 5500-X IPS SSP    18-1
Notes and Caveats for ASA 5500-X IPS SSP    18-1
Configuration Sequence for the ASA 5500-X IPS SSP    18-2
Verifying Initialization for the ASA 5500-X IPS SSP    18-3
Creating Virtual Sensors for the ASA 5500-X IPS SSP    18-4
The ASA 5500-X IPS SSP and Virtualization    18-4
Virtual Sensor Configuration Sequence for ASA 5500-X IPS SSP    18-4
Creating Virtual Sensors    18-4
Assigning Virtual Sensors to Adaptive Security Appliance Contexts    18-7
The ASA 5500-X IPS SSP and Bypass Mode    18-9
The ASA 5500-X IPS SSP and the Normalizer Engine    18-10
The ASA 5500-X IPS SSP and Jumbo Packets    18-11
The ASA 5500-X IPS SSP and Memory Usage    18-11
Reloading, Shutting Down, Resetting, and Recovering the ASA 5500-X IPS SSP    18-11
Health and Status Information    18-12
ASA 5500-X IPS SSP Failover Scenarios    18-20
New and Modified Commands    18-21

CHAPTER 19    Configuring the ASA 5585-X IPS SSP    19-1
ASA 5585-X IPS SSP Notes and Caveats    19-1
Configuration Sequence for the ASA 5585-X IPS SSP    19-2
Verifying Initialization for the ASA 5585-X IPS SSP    19-3
Creating Virtual Sensors for the ASA 5585-X IPS SSP    19-4
The ASA 5585-X IPS SSP and Virtualization    19-4
The ASA 5585-X IPS SSP Virtual Sensor Configuration Sequence    19-5
Creating Virtual Sensors    19-5
Assigning Virtual Sensors to Adaptive Security Appliance Contexts    19-7
The ASA 5585-X IPS SSP and the Normalizer Engine    19-10
The ASA 5585-X IPS SSP and Bypass Mode    19-10
ASA 5585-X IPS SSP and Jumbo Packets    19-11
Reloading, Shutting Down, Resetting, and Recovering the ASA 5585-X IPS SSP    19-11
Health and Status Information    19-12
Traffic Flow Stopped on IPS Switchports    19-15
Failover Scenarios    19-16

CHAPTER 20    Obtaining Software    20-1
IPS 7.2 File List    20-1
Obtaining Cisco IPS Software    20-1
IPS Software Versioning    20-2
IPS Software Release Examples    20-6
Accessing IPS Documentation    20-7
Cisco Security Intelligence Operations    20-8

CHAPTER 21    Upgrading, Downgrading, and Installing System Images    21-1
Upgrade Notes and Caveats    21-1
Upgrades, Downgrades, and System Images    21-2
Supported FTP and HTTP/HTTPS Servers    21-3
Upgrading the Sensor    21-3
IPS 7.2(1)E4 Files    21-3
Upgrade Notes and Caveats    21-4
Manually Upgrading the Sensor    21-4
Working With Upgrade Files    21-6
Upgrading the Recovery Partition    21-7
Configuring Automatic Upgrades    21-8
Configuring Automatic Updates    21-8
Applying an Immediate Update    21-12
Downgrading the Sensor    21-13
Recovering the Application Partition    21-13
Installing System Images    21-14
ROMMON    21-15
TFTP Servers    21-15
Connecting an Appliance to a Terminal Server    21-15
Installing the System Image for the IPS 4345 and IPS 4360    21-16
Installing the System Image for the IPS 4510 and IPS 4520    21-19
Installing the System Image for the ASA 5500-X IPS SSP    21-22
Installing the System Image for the ASA 5585-X IPS SSP    21-23
Installing the ASA 5585-X IPS SSP System Image Using the hw-module Command    21-24
Installing the ASA 5585-X IPS SSP System Image Using ROMMON    21-26

APPENDIX A    System Architecture    A-1
Understanding the IPS System Architecture    A-1
IPS System Design    A-1
System Applications    A-3
Security Features    A-5
MainApp    A-6
Understanding the MainApp    A-6
MainApp Responsibilities    A-6
Event Store    A-7
Understanding the Event Store    A-7
Event Data Structures    A-8
IPS Events    A-9
NotificationApp    A-9
CtlTransSource    A-11
Attack Response Controller    A-12
Understanding the ARC    A-13
ARC Features    A-14
Supported Blocking Devices    A-15
ACLs and VACLs    A-16
Maintaining State Across Restarts    A-16
Connection-Based and Unconditional Blocking    A-17
Blocking with Cisco Firewalls    A-18
Blocking with Catalyst Switches    A-19
Logger    A-19
AuthenticationApp    A-20
Understanding the AuthenticationApp    A-20
Authenticating Users    A-20
Configuring Authentication on the Sensor    A-20
Managing TLS and SSH Trust Relationships    A-21
Web Server    A-22
SensorApp    A-22
Understanding the SensorApp    A-23
Inline, Normalization, and Event Risk Rating Features    A-24
SensorApp New Features    A-25
Packet Flow    A-25
Signature Event Action Processor    A-26
CollaborationApp    A-27
Understanding the CollaborationApp    A-27
Update Components    A-28
Error Events    A-29
SwitchApp    A-29
CLI    A-30
User Roles    A-30
Service Account    A-31
Communications    A-31
IDAPI    A-32
IDIOM    A-32
IDCONF    A-33
SDEE    A-33
CIDEE    A-34
Cisco IPS File Structure    A-34
Summary of Cisco IPS Applications    A-35

APPENDIX B    Signature Engines    B-1
Understanding Signature Engines    B-1
Master Engine    B-4
General Parameters    B-4
Alert Frequency    B-7
Event Actions    B-8
Regular Expression Syntax    B-9
AIC Engine    B-10
Understanding the AIC Engine    B-11
AIC Engine and Sensor Performance    B-11
AIC Engine Parameters    B-11
Atomic Engine    B-14
Atomic ARP Engine    B-14
Atomic IP Advanced Engine    B-15
Atomic IP Engine    B-25
Atomic IPv6 Engine    B-29
Fixed Engine    B-30
Flood Engine    B-32
Meta Engine    B-33
Multi String Engine    B-35
Normalizer Engine    B-36
Service Engines    B-39
Understanding the Service Engines    B-40
Service DNS Engine    B-40
Service FTP Engine    B-41
Service Generic Engine    B-42
Service H225 Engine    B-44
Service HTTP Engine    B-46
Service IDENT Engine    B-48
Service MSRPC Engine    B-49
Service MSSQL Engine    B-51
Service NTP Engine    B-52
Service P2P Engine    B-53
Service RPC Engine    B-53
Service SMB Advanced Engine    B-55
Service SNMP Engine    B-57
Service SSH Engine    B-58
Service TNS Engine    B-59
State Engine    B-60
String Engines    B-62
String XL Engines    B-65
Sweep Engines    B-68
Sweep Engine    B-68
Sweep Other TCP Engine    B-70
Traffic Anomaly Engine    B-71
Traffic ICMP Engine    B-73
Trojan Engines    B-74

APPENDIX C    Troubleshooting    C-1
Bug Toolkit    C-1
Preventive Maintenance    C-2
Understanding Preventive Maintenance    C-2
Creating and Using a Backup Configuration File    C-2
Backing Up and Restoring the Configuration File Using a Remote Server    C-3
Creating the Service Account    C-5
Disaster Recovery    C-6
Password Recovery    C-7
Understanding Password Recovery    C-8
Recovering the Password for the Appliance    C-8
Using the GRUB Menu    C-8
Using ROMMON    C-9
Recovering the Password for the ASA 5500-X IPS SSP    C-10
Recovering the Password for the ASA 5585-X IPS SSP    C-11
Disabling Password Recovery    C-13
Verifying the State of Password Recovery    C-14
Troubleshooting Password Recovery    C-14
Time Sources and the Sensor    C-15
Time Sources and the Sensor    C-15
Synchronizing IPS Clocks with Parent Device Clocks    C-15
Verifying the Sensor is Synchronized with the NTP Server    C-16
Correcting Time on the Sensor    C-16
Advantages and Restrictions of Virtualization    C-17
Supported MIBs    C-18
Troubleshooting Global Correlation    C-18
When to Disable Anomaly Detection    C-19
Analysis Engine Not Responding    C-20
Troubleshooting External Product Interfaces    C-21
External Product Interfaces Issues    C-21
External Product Interfaces Troubleshooting Tips    C-22
Troubleshooting the Appliance    C-22
Troubleshooting Loose Connections    C-22
The Analysis Engine is Busy    C-23
Communication Problems    C-23
Cannot Access the Sensor CLI Through Telnet or SSH    C-24
Correcting a Misconfigured Access List    C-26
Duplicate IP Address Shuts Interface Down    C-27
The SensorApp and Alerting    C-28
The SensorApp is Not Running    C-28
Physical Connectivity, SPAN, or VACL Port Issue    C-30
Unable to See Alerts    C-31
Sensor Not Seeing Packets    C-33
Cleaning Up a Corrupted SensorApp Configuration    C-34
Blocking    C-35
Troubleshooting Blocking    C-35
Verifying the ARC is Running    C-36
Verifying ARC Connections are Active    C-37
Device Access Issues    C-39
Verifying the Interfaces and Directions on the Network Device    C-40
Enabling SSH Connections to the Network Device    C-41
Blocking Not Occurring for a Signature    C-41
Verifying the Master Blocking Sensor Configuration    C-42
Logging    C-44
Enabling Debug Logging    C-44
Zone Names    C-48
Directing cidLog Messages to SysLog    C-49
TCP Reset Not Occurring for a Signature    C-50
Software Upgrades    C-51
Upgrading Error    C-51
Which Updates to Apply and Their Prerequisites    C-52
Issues With Automatic Update    C-52
Updating a Sensor with the Update Stored on the Sensor    C-53
Troubleshooting the IDM    C-54
Cannot Launch the IDM - Loading Java Applet Failed    C-54
Cannot Launch the IDM - The Analysis Engine Busy    C-55
The IDM, Remote Manager, or Sensing Interfaces Cannot Access Sensor    C-55
Signatures Not Producing Alerts    C-56
Troubleshooting the IME    C-56
Time Synchronization on IME and the Sensor    C-57
Not Supported Error Message    C-57
Troubleshooting the ASA 5500-X IPS SSP    C-57
Health and Status Information    C-58
Failover Scenarios    C-65
The ASA 5500-X IPS SSP and the Normalizer Engine    C-66
The ASA 5500-X IPS SSP and Memory Usage    C-67
The ASA 5500-X IPS SSP and Jumbo Packets    C-67
Troubleshooting the ASA 5585-X IPS SSP    C-68
Health and Status Information    C-68
Failover Scenarios    C-71
Traffic Flow Stopped on IPS Switchports    C-72
The ASA 5585-X IPS SSP and the Normalizer Engine    C-72
The ASA 5585-X IPS SSP and Jumbo Packets    C-73
Gathering Information    C-73
Health and Network Security Information    C-74
Tech Support Information    C-74
Understanding the show tech-support Command    C-75
Displaying Tech Support Information    C-75
Tech Support Command Output    C-76
Version Information    C-78
Understanding the show version Command    C-78
Displaying Version Information    C-78
Statistics Information    C-81
Understanding the show statistics Command    C-81
Displaying Statistics    C-81
Interfaces Information    C-93
Understanding the show interfaces Command    C-93
Interfaces Command Output    C-94
Displaying Interface Traffic History    C-94
Events Information    C-97
Sensor Events    C-98
Understanding the show events Command    C-98
Displaying Events    C-98
Clearing Events    C-101