Cisco Systems Home Security System IPS4510K9 User Manual

Cisco Intrusion Prevention System Sensor

CLI Configuration Guide for IPS 7.2

Americas Headquarters

Cisco Systems, Inc.

170 West Tasman Drive

San Jose, CA 95134-1706

USA

http://www.cisco.com

Tel: 408 526-4000

800 553-NETS (6387)

Fax: 408 527-0883

Text Part Number: OL-29168-01

Download from Www.Somanuals.com. All Manuals Search And Download.

C O N T E N T S

Contents xxiii

Audience xxiii

Organization i-xxiii

Conventions i-xxv

Related Documentation

For a complete list of the Cisco IPS 7.2 documentation and where to find it, refer to the following URL:

http://www.cisco.com/en/US/docs/security/ips/7.2/roadmap/roadmap7_2.html

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

-xxv

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter

Obtaining Documentation and Submitting a Service Request

For a complete list of the Cisco ASA 5500 series documentation and where to find it, refer to the

following URL:

http://www.cisco.com/en/US/docs/security/asa/roadmap/asaroadmap.html

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional

information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and

revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed

and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free

service and Cisco currently supports RSS Version 2.0.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

-xxvi

Download from Www.Somanuals.com. All Manuals Search And Download.

C H A P T E R

Logging In to the Sensor

This chapter explains how to log in to the sensor. It contains the following sections:

•

Logging In Notes and Caveats, page ii-1

Supported User Roles, page ii-1

Logging In to the Appliance, page ii-2

Connecting an Appliance to a Terminal Server, page ii-3

Logging In to the ASA 5500-X IPS SS P , p age ii-4

Logging In to the ASA 5585-X IPS SS P , p age ii-5

Logging In to the Sensor, page ii-6

Logging In Notes and Caveats

The following notes and caveats apply to logging in to the sensor:

•

All IPS platforms allow ten concurrent log in sessions.

The service role is a special role that allows you to bypass the CLI if needed. Only a user with

administrator privileges can edit the service account.

•

You must initialize the appliance (run the setup command) from the console. After networking is

configured, SSH and Telnet are available. You can log in to the appliance from a console port.

You log in to the ASA 5500-X IPS SSP and ASA 5585-X IPS SSP from the adaptive security

appliance.

Supported User Roles

You can log in with the following user privileges:

Administrator

Operator

•

Viewer

Service

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

ii-1

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter ii Logging In to the Sensor

Logging In to the Appliance

The service role does not have direct access to the CLI. Service account users are logged directly into a

bash shell. Use this account for support and troubleshooting purposes only. Unauthorized modifications

are not supported and will require the sensor to be reimaged to guarantee proper operation. You can

create only one user with the service role.

When you log in to the service account, you receive the following warning:

******************************** WARNING *****************************************

UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.

This account is intended to be used for support and troubleshooting purposes only.

Unauthorized modifications are not supported and will require this device to be re-imaged

to guarantee proper operation.

**********************************************************************************

Note

The service role is a special role that allows you to bypass the CLI if needed. Only a user with

administrator privileges can edit the service account.

For More Information

•

For the procedure for creating the service account, see Creating the Service Account, page 3-28.

For the procedures for adding and deleting users, see Configuring Authentication and User

Parameters, page 3-18.

Logging In to the Appliance

Note

You can log in to the appliance from a console port. The currently supported Cisco IPS appliances are

the IPS 4345, IPS 4360, IPS 4510, and IPS 4520.

To log in to the appliance, follow these steps:

Step 1

Step 2

Connect a console port to the sensor to log in to the appliance.

Enter your username and password at the login prompt.

Note

The default username and password are both cisco. You are prompted to change them the first

time you log in to the appliance.You must first enter the UNIX password, which is cisco. Then

you must enter the new password twice.

Password:

***NOTICE***

This product contains cryptographic features and is subject to United States and local

country laws governing import, export, transfer and use. Delivery of Cisco cryptographic

products does not imply third-party authority to import, export, distribute or use

encryption. Importers, exporters, distributors and users are responsible for compliance

with U.S. and local country laws. By using this product you agree to comply with

applicable laws and regulations. If you are unable to comply with U.S. and local laws,

return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to [email protected].

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

ii-2

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter ii Logging In to the Sensor

Connecting an Appliance to a Terminal Server

***LICENSE NOTICE***

There is no license key installed on the system.

Please go to http://www.cisco.com/go/license to obtain a new license or install a license.

sensor#

For More Information

•

For the procedure for connecting an appliance to a terminal server, see Connecting an Appliance to

a Terminal Server, page ii-3.

•

For the procedure for using the setup command to initialize the appliance, see Basic Sensor Setup,

page 2-4.

Connecting an Appliance to a Terminal Server

A terminal server is a router with multiple, low speed, asynchronous ports that are connected to other

serial devices. You can use terminal servers to remotely manage network equipment, including

appliances. To set up a Cisco terminal server with RJ-45 or hydra cable assembly connections, follow

these steps:

Step 1

Step 2

Connect to a terminal server using one of the following methods:

•

For terminal servers with RJ-45 connections, connect a rollover cable from the console port on the

appliance to a port on the terminal server.

•

For hydra cable assemblies, connect a straight-through patch cable from the console port on the

appliance to a port on the terminal server.

Configure the line and port on the terminal server. In enable mode, enter the following configuration,

where # is the line number of the port to be configured.

config t

line #

transport input all

stopbits 1

flowcontrol hardware

speed 9600

exit

wr mem

Step 3

Be sure to properly close a terminal session to avoid unauthorized access to the appliance. If a terminal

session is not stopped properly, that is, if it does not receive an exit(0) signal from the application that

initiated the session, the terminal session can remain open. When terminal sessions are not stopped

properly, authentication is not performed on the next session that is opened on the serial port.

Caution

Always exit your session and return to a login prompt before terminating the application used to establish

the connection.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

ii-3

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter ii Logging In to the Sensor

Logging In to the ASA 5500-X IPS SSP

Caution

If a connection is dropped or terminated by accident, you should reestablish the connection and exit

normally to prevent unauthorized access to the appliance.

Logging In to the ASA 5500-X IPS SSP

You log in to the ASA 5500-X IPS SSP from the adaptive security appliance.

To session in to the ASA 5500-X IPS SSP from the adaptive security appliance, follow these steps:

Step 1

Note

If the adaptive security appliance is operating in multi-mode, use the change system command

to get to the system level prompt before continuing.

Step 2

Step 3

Session to the IPS. You have 60 seconds to log in before the session times out.

asa# session ips

Opening command session with slot 1.

Connected to slot 1. Escape character sequence is 'CTRL-^X'.

Enter your username and password at the login prompt.

Note

The default username and password are both cisco. You are prompted to change them the first

time you log in to the module. You must first enter the UNIX password, which is cisco. Then

you must enter the new password twice.

Password:

***NOTICE***

This product contains cryptographic features and is subject to United States and local

country laws governing import, export, transfer and use. Delivery of Cisco cryptographic

products does not imply third-party authority to import, export, distribute or use

encryption. Importers, exporters, distributors and users are responsible for compliance

with U.S. and local country laws. By using this product you agree to comply with

applicable laws and regulations. If you are unable to comply with U.S. and local laws,

return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to [email protected].

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

ii-4

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter ii Logging In to the Sensor

Logging In to the ASA 5585-X IPS SSP

***LICENSE NOTICE***

There is no license key installed on this IPS platform.

The system will continue to operate with the currently installed

signature set. A valid license must be obtained in order to apply

signature updates. Please go to http://www.cisco.com/go/license

to obtain a new license or install a license.

asa-ips#

Step 4

To escape from a session and return to the adaptive security appliance prompt, do one of the following:

•

Enter exit.

Press CTRL-Shift-6-x (represented as CTRL^X).

For More Information

For the procedure for using the setup command to initialize the ASA 5500-X IPS SSP, see Advanced

Setup for the ASA 5500-X IPS SS P , p age 2-13.

Logging In to the ASA 5585-X IPS SSP

You log in to the ASA 5585-X IPS SSP from the adaptive security appliance.

To session in to the ASA 5585-X IPS SSP from the adaptive security appliance, follow these steps:

Step 1

Note

If the adaptive security appliance is operating in multi-mode, use the change system command

to get to the system level prompt before continuing.

Step 2

Step 3

Session to the ASA 5585-X IPS SSP. You have 60 seconds to log in before the session times out.

asa# session 1

Opening command session with slot 1.

Connected to slot 1. Escape character sequence is 'CTRL-^X'.

Enter your username and password at the login prompt.

Note

The default username and password are both cisco. You are prompted to change them the first

time you log in to the module. You must first enter the UNIX password, which is cisco. Then

you must enter the new password twice.

Password:

***NOTICE***

This product contains cryptographic features and is subject to United States and local

country laws governing import, export, transfer and use. Delivery of Cisco cryptographic

products does not imply third-party authority to import, export, distribute or use

encryption. Importers, exporters, distributors and users are responsible for compliance

with U.S. and local country laws. By using this product you agree to comply with

applicable laws and regulations. If you are unable to comply with U.S. and local laws,

return this product immediately.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

ii-5

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter ii Logging In to the Sensor

Logging In to the Sensor

A summary of U.S. laws governing Cisco cryptographic products may be found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to [email protected].

***LICENSE NOTICE***

There is no license key installed on the system.

Please go to http://www.cisco.com/go/license to obtain a new license or install a license.

ips-ssp#

Step 4

To escape from a session and return to the adaptive security appliance prompt, do one of the following:

•

Enter exit.

Press CTRL-Shift-6-x (represented as CTRL^X).

For More Information

For the procedure for using the setup command to initialize the ASA 5585-X IPS SSP, see Advanced

Setup for the ASA 5585-X IPS SS P , p age 2-17.

Logging In to the Sensor

Note

After you have initialized the sensor using the setup command and enabled Telnet, you can use SSH or

Telnet to log in to the sensor.

To log in to the sensor using Telnet or SSH, follow these steps:

Step 1

Step 2

To log in to the sensor over the network using SSH or Telnet.

ssh sensor_ip_address

telnet sensor_ip_address

Enter your username and password at the login prompt.

Password: ******

***NOTICE***

This product contains cryptographic features and is subject to United States and local

country laws governing import, export, transfer and use. Delivery of Cisco cryptographic

products does not imply third-party authority to import, export, distribute or use

encryption. Importers, exporters, distributors and users are responsible for compliance

with U.S. and local country laws. By using this product you agree to comply with

applicable law s and regulations. If you are unable to comply with U.S. and local laws,

return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to [email protected].

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

ii-6

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter ii Logging In to the Sensor

Logging In to the Sensor

***LICENSE NOTICE***

There is no license key installed on the system.

Please go to http://www.cisco.com/go/license to obtain a new license or install a license.

sensor#

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

ii-7

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter ii Logging In to the Sensor

Logging In to the Sensor

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

ii-8

Download from Www.Somanuals.com. All Manuals Search And Download.

C H A P T E R

Introducing the CLI Configuration Guide

This chapter introduces the IPS CLI configuration guide, and contains the following sections:

•

Supported IPS Platforms, page 1-1

Sensor Configuration Sequence, page 1-2

IPS CLI Configuration Guide, page 1-1

User Roles, page 1-3

CLI Behavior, page 1-5

Command Line Editing, page 1-6

IPS Command Modes, page 1-8

Regular Expression Syntax, page 1-8

Generic CLI Commands, page 1-10

CLI Keywords, page 1-11

Supported IPS Platforms

IPS 7.2(1)E4 supports the following IPS platforms:

IPS 4345

IPS 4360

•

IPS 4510

IPS 4520

ASA 5500-X IPS SSP

ASA 5585-X IPS SSP

IPS CLI Configuration Guide

This guide is a task-based configuration guide for the Cisco IPS 7.2 CLI. The term “sensor” is used

throughout this guide to refer to all sensor models, unless a procedure refers to a specific appliance or

to one of the modules, then the specific model name is used.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

1-1

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 1 Introducing the CLI Configuration Guide

Sensor Configuration Sequence

For an alphabetical list of all IPS commands, refer to the Command Reference for Cisco Intrusion

Prevention System 7.2. For information on locating all IPS 7.2 documents on Cisco.com, refer to the

Documentation Roadmap for Cisco Intrusion Prevention System 7.2.

You can also use an IPS manager to configure your sensor. For information on how to access

documentation that describes how to use IPS managers, refer to the Documentation Roadmap for Cisco

Intrusion Prevention System 7.2.

Sensor Configuration Sequence

Perform the following tasks to configure the sensor:

1. Log in to the sensor.

2. Initialize the sensor by running the setup command.

3. Verify the sensor initialization.

4. Create the service account. A service account is needed for special debug situations directed by

TAC.

Note

Only one user with the role of service is allowed.

5. License the sensor.

6. Perform the other initial tasks, such as adding users and trusted hosts, and so forth.

7. Make changes to the interface configuration if necessary. You configure the interfaces during

initialization.

8. Add or delete virtual sensors as necessary. You configure the virtual sensors during initialization.

9. Configure event action rules.

10. Configure the signatures for intrusion prevention.

11. Configure the sensor for global correlation.

12. Configure anomaly detection if needed. You can run anomaly detection using the default values or

you can tailor it to suit your network needs.

Note

Anomaly detection is disabled by default. You must enable it to configure or apply an

anomaly detection policy. Enabling anomaly detection results in a decrease in performance.

13. Set up any external product interfaces if needed. The CSA MC is the only external product

supported by the Cisco IPS.

14. Configure IP logging if needed.

15. Configure blocking if needed.

16. Configure SNMP if needed.

17. Perform miscellaneous tasks to keep your sensor running smoothly.

18. Upgrade the IPS software with new signature updates and service packs.

19. Reimage the application partition when needed.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

1-2

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 1 Introducing the CLI Configuration Guide

User Roles

For More Information

•

For the procedure for logging in to your sensor, see Chapter ii, “Logging In to the Sensor.”

For the procedure for using the setup command to initialize your sensor, see Chapter 2, “Initializing

the Sensor.”

•

For the procedure for verifying sensor initialization, see V e rifying Initialization, page 2-20.

For the procedure for obtaining and installing the license key, see Installing the License Key,

page 3-54.

•

For the procedures for setting up your sensor, see Chapter 3, “Setting Up the Sensor.”

For the procedure for creating the service account, see Creating the Service Account, page 3-28.

For the procedures for configuring interfaces on your sensor, see Chapter 4, “Configuring

Interfaces.”

•

For the procedures for configuring virtual sensors on your sensor, see Chapter 5, “Configuring

Virtual Sensors.”

For the procedures for configuring event action rules policies, see Chapter 8, “Configuring Event

Action Rules.”

For the procedures for configuring signatures for intrusion prevention, see Chapter 7, “Defining

Signatures.”

For the procedures for configuring global correlation, see Chapter 10, “Configuring Global

Correlation.”

For the procedure for configuring anomaly detection policies, see Chapter 9, “Configuring Anomaly

Detection.”

For the procedure for setting up external product interfaces, see Chapter 11, “Configuring External

Product Interfaces.”

•

For the procedures for configuring IP logging, see Chapter 12, “Configuring IP Logging.”

For the procedures for configuring blocking on your sensor, see Chapter 14, “Configuring Attack

Response Controller for Blocking and Rate Limiting.”

•

For the procedures for configuring SNMP on your sensor, see Chapter 15, “Configuring SNM P .”

For the administrative procedures, see Chapter 17, “Administrative Tasks for the Sensor.”

For more information on how to obtain Cisco IPS software, see Chapter 20, “Obtaining Software.”

For the procedures for installing system images, see Chapter 21, “Upgrading, Downgrading, and

Installing System Images.”

•

For the procedures specific to the ASA 5500-X IPS SSP, see Chapter 18, “Configuring the ASA

5500-X IPS SS P .”

For the procedures specific to the ASA 5585-X IPS SSP, see Chapter 19, “Configuring the ASA

5585-X IPS SS P .”

User Roles

The Cisco CLI permits multiple users to log in at the same time. You can create and remove users from

the local sensor. You can modify only one user account at a time. Each user is associated with a role that

controls what that user can and cannot modify. The CLI supports four user roles: administrator, operator,

viewer, and service. The privilege levels for each role are different; therefore, the menus and available

commands vary for each role.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

1-3

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 1 Introducing the CLI Configuration Guide

User Roles

Administrator

This user role has the highest level of privileges. Administrators have unrestricted view access and can

perform the following functions:

•

Add users and assign passwords

Enable and disable control of physical interfaces and virtual sensors

Assign physical sensing interfaces to a virtual sensor

Modify the list of hosts allowed to connect to the sensor as a configuring or viewing agent

Modify sensor address configuration

Tune signatures

Assign configuration to a virtual sensor

Manage routers

Operators

This user role has the second highest level of privileges. Operators have unrestricted view access and can

perform the following functions:

•

Modify their passwords

Tune signatures

Manage routers

Assign configuration to a virtual sensor

Viewers

This user role has the lowest level of privileges. Viewers can view configuration and event data and can

modify their passwords.

Tip

Monitoring applications only require viewer access to the sensor. You can use the CLI to set up a user

account with viewer privileges and then configure the event viewer to use this account to connect to the

sensor.

Service

This user role does not have direct access to the CLI. Service account users are logged directly into a

bash shell. Use this account for support and troubleshooting purposes only. Unauthorized modifications

are not supported and require the device to be reimaged to guarantee proper operation. You can create

only one user with the service role. In the service account you can also switch to user root by executing

su-. The root password is synchronized to the service account password. Some troubleshooting

procedures may require you to execute commands as the root user.

When you log in to the service account, you receive the following warning:

******************************* WARNING *****************************************

UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.

This account is intended to be used for support and troubleshooting purposes only.

Unauthorized modifications are not supported and will require this device to be re-imaged

to guarantee proper operation.

*********************************************************************************

Note

The service role is a special role that allows you to bypass the CLI if needed. Only a user with

administrator privileges can edit the service account.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

1-4

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 1 Introducing the CLI Configuration Guide

CLI Behavior

Note

For IPS 5.0 and later, you can no longer remove the cisco account. You can disable it using the no

password cisco command, but you cannot remove it. To use the no password cisco command, there

must be another administrator account on the sensor. Removing the cisco account through the service

account is not supported. If you remove the cisco account through the service account, the sensor most

likely will not boot up, so to recover the sensor you must reinstall the sensor system image.

CLI Behavior

The following tips help you use the Cisco IPS CLI.

Prompts

•

You cannot change the prompt displayed for the CLI commands.

User interactive prompts occur when the system displays a question and waits for user input. The

default input is displayed inside brackets [ ]. To accept the default input, press Enter.

Help

•

To display the help for a command, type ? after the command.

The following example demonstrates the ? function:

sensor# configure ?

terminal

Configure from the terminal

sensor# configure

Note

When the prompt returns from displaying help, the command previously entered is displayed

without the ?.

•

You can type ? after an incomplete token to view the valid tokens that complete the command. If

there is a trailing space between the token and the ?, you receive an ambiguous command error:

sensor# show c ?

% Ambiguous command: “show c”

If you enter the token without the space, a selection of available tokens for the completion (with no

help description) appears:

sensor# show c?

clock configuration

sensor# show c

•

Only commands available in the current mode are displayed by help.

Tab Completion

•

Only commands available in the current mode are displayed by tab complete and help.

If you are unsure of the complete syntax for a command, you can type a portion of the command and

press Tab to complete the command.

•

If multiple commands match for tab completion, nothing is displayed.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

1-5

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 1 Introducing the CLI Configuration Guide

Command Line Editing

Recall

•

To recall the commands entered in a mode, use the Up Arrow or Down Arrow keys or press Ctrl-P

or Ctrl-N.

Note

Help and tab complete requests are not reported in the recall list.

•

A blank prompt indicates the end of the recall list.

Case Sensitivity

The CLI is not case sensitive, but it does echo back the text in the same case you typed it. For

•

example, if you type:

sensor# CONF

and press Tab, the sensor displays:

sensor# CONFigure

Note

CLI commands are not case sensitive, but values are case sensitive. Remember this when you

are creating regular expressions in signatures. A regular expression of “STRING” will not

match “string” seen in a packet.

Display Options

•

—More— is an interactive prompt that indicates that the terminal output exceeds the allotted display

space. To display the remaining output, press the spacebar to display the next page of output or

press Enter to display the output one line at a time.

•

To clear the current line contents and return to a blank command line, press Ctrl-C.

For More Information

For more information on CLI command regular expression syntax, see Regular Expression Syntax,

page 1-8.

Command Line Editing

Table 1-1 describes the command line editing capabilities provided by the Cisco IPS CLI.

Table 1-1

Command Line Editing

Keys

Description

Tab

Completes a partial command name entry. When you type a unique set of characters and

press Tab, the system completes the command name. If you type a set of characters that

could indicate more than one command, the system beeps to indicate an error. Type a

question mark (?) immediately following the partial command (no space). The system

provides a list of commands that begin with that string.

Backspace Erases the character to the left of the cursor.

Enter

At the command line, pressing Enter processes a command. At the ---More--- prompt

on a terminal screen, pressing Enter scrolls down a line.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

1-6

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 1 Introducing the CLI Configuration Guide

Command Line Editing

Table 1-1

Command Line Editing (continued)

Description

Keys

Spacebar

Enables you to see more output on the terminal screen. Press the Spacebar when you see

the line ---More---on the screen to display the next screen.

Left arrow Moves the cursor one character to the left. When you type a command that extends

beyond a single line, you can press the Left Arrow key repeatedly to scroll back toward

the system prompt and verify the beginning of the command entry.

Right arrow Moves the cursor one character to the right.

Up Arrow

or Ctrl-P

Recalls commands in the history buffer, beginning with the most recent command.

Repeat the key sequence to recall successively older commands.

Down

Arrow or

Ctrl-N

Returns to more recent commands in the history buffer after recalling commands with

the Up Arrow or Ctrl-P. Repeat the key sequence to recall successively more recent

commands.

Ctrl-A

Ctrl-B

Ctrl-D

Ctrl-E

Ctrl-F

Ctrl-K

Ctrl-L

Ctrl-T

Ctrl-U

Ctrl-V

Moves the cursor to the beginning of the line.

Moves the cursor back one character.

Deletes the character at the cursor.

Moves the cursor to the end of the command line.

Moves the cursor forward one character.

Deletes all characters from the cursor to the end of the command line.

Clears the screen and redisplays the system prompt and command line

Transposes the character to the left of the cursor with the character located at the cursor.

Deletes all characters from the cursor to the beginning of the command line.

Inserts a code to indicate to the system that the keystroke immediately following should

be treated as a command entry, not as an editing key.

Ctrl-W

Ctrl-Y

Deletes the word to the left of the cursor.

Recalls the most recent entry in the delete buffer. The delete buffer contains the last ten

items you deleted or cut.

Ctrl-Z

Esc-B

Esc-C

Esc-D

Esc-F

Esc-L

Esc-U

Ends configuration mode and returns you to the EXEC prompt.

Moves the cursor back one word.

Capitalizes the word at the cursor.

Deletes from the cursor to the end of the word.

Moves the cursor forward one word.

Changes the word at the cursor to lowercase.

Capitalizes from the cursor to the end of the word.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

1-7

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 1 Introducing the CLI Configuration Guide

IPS Command Modes

The Cisco IPS CLI has the following command modes:

•

privileged EXEC—Entered when you log in to the CLI interface.

global configuration—Entered from privileged EXEC mode by entering configure terminal. The

command prompt is sensor(config)#.

•

service mode configuration—Entered from global configuration mode by entering service

service-name. The command prompt is sensor(config-ser)#, where ser is the first three

characters of the service name.

multi-instance service mode—Entered from global configuration mode by entering service

service-name log-instance-name. The command prompt is sensor(config-log)#where log is the

first three characters of the log instance name. The only multi-instance services in the system are

anomaly detection, signature definition, and event action rules.

Regular Expression Syntax

Note

The syntax in this section applies only to regular expressions used as part of a CLI command. It does not

apply to regular expressions used by signatures.

Regular expressions are text patterns that are used for string matching. Regular expressions contain a

mix of plain text and special characters to indicate what kind of matching to do. For example, if you are

looking for a numeric digit, the regular expression to search for is “[0-9]”. The brackets indicate that the

character being compared should match any one of the characters enclosed within the bracket. The dash

(-) between 0 and 9 indicates that it is a range from 0 to 9. Therefore, this regular expression will match

any character from 0 to 9, that is, any digit.

To search for a specific special character, you must use a backslash before the special character. For

example, the single character regular expression “\*” matches a single asterisk.

The regular expressions defined in this section are similar to a subset of the POSIX Extended Regular

Expression definitions. In particular, “[..]”, “[==]”, and “[::]” expressions are not supported. Also,

escaped expressions representing single characters are supported. A character can be represented as its

hexadecimal value, for example, \x61 equals ‘a,’ so \x61 is an escaped expression representing the

character ‘a.’

The regular expressions are case sensitive. To match “STRING” or “string” use the following regular

expression: “[Ss][Tt][Rr][Ii][Nn][Gg].”

Table 1-2 lists the special characters.

Table 1-2

Regular Expression Syntax

Character

Description

Beginning of the string. The expression “^A” will match an “A” only at the beginning

of the string.

Immediately following the left-bracket ([). Excludes the remaining characters within

brackets from matching the target string. The expression “[^0-9]” indicates that the

target character should not be a digit.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

1-8

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 1 Introducing the CLI Configuration Guide

Regular Expression Syntax

Table 1-2

Regular Expression Syntax (continued)

Description

Character

Matches the end of the string. The expression “abc$” matches the sub-string “abc”

only if it is at the end of the string.

Allows the expression on either side to match the target string. The expression “a|b”

matches “a” as well as “b.”

Matches any character.

Indicates that the character to the left of the asterisk in the expression should match 0

or more times.

Similar to * but there should be at least one match of the character to the left of the +

Matches the character to its left 0 or 1 times.

()

Affects the order of pattern evaluation and also serves as a tagged expression that can

be used when replacing the matched sub-string with another expression.

[]

Enclosing a set of characters indicates that any of the enclosed characters may match

the target character.

Allows specifying a character that would otherwise be interpreted as special.

\xHH represents the character whose value is the same as the value represented by

(HH) hexadecimal digits [0-9A-Fa-f]. The value must be non-zero.

BEL is the same as \x07, BS is \x08, FF is \x0C, LF is \x0A, CR is \x0D, TAB is \x09,

and VT is \x0B.

For any other character ‘c’, ‘\c’ is the same as ‘c’ except that it is never interpreted as

special

The following examples demonstrate the special characters:

•

a* matches any number of occurrences of the letter a, including none.

a+ requires that at least one letter a be in the string to be matched.

ba?b matches the string bb or bab.

\** matches any number of asterisks (*).

To use multipliers with multiple-character patterns, you enclose the pattern in parentheses.

•

(ab)* matches any number of the multiple-character string ab.

([A-Za-z][0-9])+ matches one or more instances of alphanumeric pairs, but not none (that is, an

empty string is not a match).

The order for matches using multipliers (*, +, or ?) is to put the longest construct first. Nested constructs

are matched from outside to inside. Concatenated constructs are matched beginning at the left side of the

construct. Thus, the regular expression matches A9b3, but not 9Ab3 because the letters are specified

before the numbers.

You can also use parentheses around a single- or multiple-character pattern to instruct the software to

remember a pattern for use elsewhere in the regular expression.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

1-9

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 1 Introducing the CLI Configuration Guide

Generic CLI Commands

To create a regular expression that recalls a previous pattern, you use parentheses to indicate memory of

a specific pattern and a backslash (\) followed by a digit to reuse the remembered pattern. The digit

specifies the occurrence of a parentheses in the regular expression pattern. If you have more than one

remembered pattern in your regular expression, \1 indicates the first remembered pattern, and \2

indicates the second remembered pattern, and so on.

The following regular expression uses parentheses for recall:

•

a(.)bc(.)\1\2 matches an a followed by any character, followed by bc followed by any character,

followed by the first any character again, followed by the second any character again.

For example, the regular expression can match aZbcTZT. The software remembers that the first

character is Z and the second character is T and then uses Z and T again later in the regular

expression.

Generic CLI Commands

The following CLI commands are generic to the Cisco IPS.

•

configure terminal—Enters global configuration mode.

Global configuration commands apply to features that affect the system as a whole rather than just

one protocol or interface.

sensor# configure terminal

sensor(config)#

•

service—Takes you to the following configuration submodes: analysis-engine, anomaly-detection,

authentication, event-action-rules, external-product-interfaces, global-correlation, health-monitor,

host, interface, logger, network-access, notification, signature-definition, ssh-known-hosts,

trusted-certificates, and web-server.

Note

The anomaly-detection, event-action-rules, and signature-definition submodes are multiple

instance services. One predefined instance is allowed for each. For anomaly-detection, the

predefined instance name is ad0. For event-action-rules, the predefined instance name is

rules0. For signature-definition, the predefined instance name is sig0. You can create

additional instances.

sensor# configure terminal

sensor(config)# service event-action-rules rules0

sensor(config-rul)#

•

end—Exits configuration mode or any configuration submodes. It takes you back to the top-level

EXEC menu.

sensor# configure terminal

sensor(config)# end

sensor#

exit—Exits any configuration mode or closes an active terminal session and terminates the EXEC

mode. It takes you to the previous menu session.

sensor# configure terminal

sensor(config)# service event-action-rules rules0

sensor(config-rul)# exit

sensor(config)# exit

sensor#

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

1-10

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 1 Introducing the CLI Configuration Guide

CLI Keywords

In general, use the no form of a command to disable a feature or function. Use the command without the

keyword no to enable a disabled feature or function. For example, the command ssh host-key ip_address

adds an entry to the known hosts table, the command no ssh host-key ip_address removes the entry from

the known hosts table. Refer to the individual commands for a complete description of what the no form

of that command does.

Service configuration commands can also have a default form. Use the default form of the command to

return the command setting to its default. This keyword applies to the service submenu commands used

for application configuration. Entering ^defaultwith the command resets the parameter to the default

value. You can only use the default keyword with commands that specify a default value in the

configuration files.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

1-11

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 1 Introducing the CLI Configuration Guide

CLI Keywords

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

1-12

Download from Www.Somanuals.com. All Manuals Search And Download.

C H A P T E R

Initializing the Sensor

This chapter describes how to use the setup command to initialize the sensor, and contains the following

sections:

•

Initializing Notes and Caveats, page 2-1

Understanding Initialization, page 2-2

Simplified Setup Mode, page 2-2

System Configuration Dialog, page 2-2

Basic Sensor Setup, page 2-4

Advanced Setup, page 2-7

V e rifying Initialization, page 2-20

Initializing Notes and Caveats

The following notes and caveats apply to initializing the sensor:

•

You must be administrator to use the setup command.

You must have a valid sensor license for automatic signature updates and global correlation features

to function. You can still configure and display statistics for the global correlation features, but the

global correlation databases are cleared and no updates are attempted. Once you install a valid

license, the global correlation features are reactivated.

•

The currently supported Cisco IPS appliances are the IPS 4345, IPS 4360, IPS 4510, and IPS 4520.

You do not need to configure interfaces on the ASA IPS modules (ASA 5500-X IPS SSP and

ASA 5585-X IPS SSP). You should ignore the modify interface default VLAN setting in setup. The

separation of traffic across virtual sensors is configured differently for the ASA IPS modules than

for other sensors.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

2-1

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 2 Initializing the Sensor

Understanding Initialization

After you install the sensor on your network, you must use the setup command to initialize it so that you

can communicate with it over the network.

With the setup command, you configure basic sensor settings, including the hostname, IP interfaces,

access control lists, global correlation servers, and time settings. You can continue using advanced setup

in the CLI to enable Telnet, configure the web server, enable SSHv1 fallback, and assign and enable

virtual sensors and interfaces, or you can use the Startup Wizard in the IDM or IME. After you configure

the sensor with the setup command, you can change the network settings in the IDM or IME.

Note

You must be administrator to use the setup command.

Simplified Setup Mode

The sensor automatically calls the setup command when you connect to the sensor using a console cable

and the sensor basic network settings have not yet been configured. The sensor does not call automatic

setup under the following conditions:

•

When initialization has already been successfully completed.

If you have recovered or downgraded the sensor.

If you have set the host configuration to default after successfully configuring the sensor using

automatic setup.

When you enter the setup command, an interactive dialog called the System Configuration Dialog

appears on the system console screen. The System Configuration Dialog guides you through the

configuration process. The values shown in brackets next to each prompt are the default values last set.

System Configuration Dialog

When you enter the setup command, an interactive dialog called the System Configuration Dialog

appears on the system console screen. The System Configuration Dialog guides you through the

configuration process. The values shown in brackets next to each prompt are the current values.

You must go through the entire System Configuration Dialog until you come to the option that you want

to change. To accept default settings for items that you do not want to change, press Enter.

To return to the EXEC prompt without making changes and without going through the entire System

Configuration Dialog, press Ctrl-C. The System Configuration Dialog also provides help text for each

prompt. To access the help text, enter ^?at a prompt.

When you complete your changes, the System Configuration Dialog shows you the configuration that

you created during the setup session. It also asks you if you want to use this configuration. If you enter

yes, the configuration is saved. If you enter no, the configuration is not saved and the process begins

again. There is no default for this prompt; you must enter either ^yesor no.

You can configure daylight savings time either in recurring mode or date mode. If you choose recurring

mode, the start and end days are based on week, day, month, and time. If you choose date mode, the start

and end days are based on month, day, year, and time. Choosing disable turns off daylight savings time.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

2-2

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 2 Initializing the Sensor

System Configuration Dialog

Note

You only need to set the date and time in the System Configuration Dialog if the system is an appliance

and is NOT using NTP.

The System Configuration Dialog is an interactive dialog. The default settings are displayed.

Example 2-1 shows a sample System Configuration Dialog.

Example 2-1 Example System Configuration Dialog

--- Basic Setup ---

--- System Configuration Dialog ---

At any point you may enter a question mark '?' for help.

User ctrl-c to abort configuration dialog at any prompt.

Default settings are in square brackets '[]'.

Current time: Wed Mar 6 00:07:23 2013

Setup Configuration last modified:

Enter host name[sensor]:

Enter IP interface[192.168.1.2/24,192.168.1.1]:

Modify current access list?[no]:

Current access list entries:

[1] 0.0.0.0/0

Delete:

Permit:

Use DNS server for Auto-Updates from www.cisco.com and Global Correlation?[no]:

DNS server IP address[171.68.226.120]:

Use HTTP proxy server for Auto-Updates from www.cisco.com and Global Correlation?[no]:

HTTP proxy server IP address:

HTTP proxy server Port number:

Modify system clock settings?[no]:

Modify summer time settings?[no]:

Use USA SummerTime Defaults?[yes]:

Recurring, Date or Disable?[Recurring]:

Start Month[march]:

Start Week[second]:

Start Day[sunday]:

Start Time[02:00:00]:

End Month[november]:

End Week[first]:

End Day[sunday]:

End Time[02:00:00]:

DST Zone[]:

Offset[60]:

Modify system timezone?[no]:

Timezone[UTC]:

UTC Offset[0]:

Use NTP?[no]:

NTP Server IP Address[]:

Use NTP Authentication?[no]:

NTP Key ID[]:

NTP Key Value[]:

Modify system date and time?[no]:

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

2-3

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 2 Initializing the Sensor

Basic Sensor Setup

Local Date as YYYY-MM-DD[2013-03-06]:

Local Time as HH:MM:SS[]:

Participation in the SensorBase Network allows Cisco to collect aggregated statistics

about traffic sent to your IPS.

SensorBase Network Participation level?[off]:

If you agree to participate in the SensorBase Network, Cisco will collect aggregated

statistics about traffic sent to your IPS.

This includes summary data on the Cisco IPS network traffic properties and how this

traffic was handled by the Cisco appliances. We do not collect the data content of

traffic or other sensitive business or personal information. All data is aggregated and

sent via secure HTTP to the Cisco SensorBase Network servers in periodic intervals. All

data shared with Cisco will be anonymous and treated as strictly confidential.

The table below describes how the data will be used by Cisco.

Participation Level = "Partial":

* Type of Data: Protocol Attributes (e.g. TCP max segment size and

options string)

Purpose: Track potential threats and understand threat exposure

* Type of Data: Attack Type (e.g. Signature Fired and Risk Rating)

Purpose: Used to understand current attacks and attack severity

* Type of Data: Connecting IP Address and port

Purpose: Identifies attack source

* Type of Data: Summary IPS performance (CPU utilization memory usage,

inline vs. promiscuous, etc)

Purpose: Tracks product efficacy

Participation Level = "Full" additionally includes:

* Type of Data: Victim IP Address and port

Purpose: Detect threat behavioral patterns

Do you agree to participate in the SensorBase Network?[no]:

Basic Sensor Setup

You can perform basic sensor setup using the setup command, and then finish setting up the sensor using

the CLI, IDM, or IME.

To perform basic sensor setup using the setup command, follow these steps:

Step 1

Step 2

Note

Both the default username and password are cisco.

The first time you log in to the sensor you are prompted to change the default password. Passwords must

be at least eight characters long and be strong, that is, not be a dictionary word. After you change the

password, basic setup begins.

Step 3

Step 4

Enter the setupcommand. The System Configuration Dialog is displayed.

Specify the hostname. The hostname is a case-sensitive character string up to 64 characters. Numbers,

“_” and “-” are valid, but spaces are not acceptable. The default is sensor.

Step 5

Specify the IP interface. The IP interface is in the form of IP Address/Netmask,Gateway:

X.X.X.X/nn,Y.Y.Y.Y, where X.X.X.X specifies the sensor IP address as a 32-bit address written as 4 octets

separated by periods, nn specifies the number of bits in the netmask, and Y.Y.Y.Y specifies the default

gateway as a 32-bit address written as 4 octets separated by periods.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

2-4

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 2 Initializing the Sensor

Basic Sensor Setup

Step 6

Enter yesto modify the network access list:

a. If you want to delete an entry, enter the number of the entry and press Enter, or press Enter to get

to the Permit line.

b. Enter the IP address and netmask of the network you want to add to the access list.

Note

For example, 10.0.0.0/8 permits all IP addresses on the 10.0.0.0 network

(10.0.0.0-10.255.255.255) and 10.1.1.0/24 permits only the IP addresses on the 10.1.1.0

subnet (10.1.1.0-10.1.1.255). If you want to permit access to a single IP address than the

entire network, use a 32-bit netmask. For example, 10.1.1.1/32 permits just the 10.1.1.1

address.

c. Repeat Step b until you have added all networks that you want to add to the access list, and then

press Enter at a blank permit line to go to the next step.

Step 7

You must configure a DNS server or an HTTP proxy server for automatic updates from www.cisco.com

and global correlation to operate:

a. Enter yesto add a DNS server, and then enter the DNS server IP address.

b. Enter yes to add an HTTP proxy server, and then enter the HTTP proxy server IP address and port

number.

Caution

Step 8

You must have a valid sensor license for automatic signature updates and global correlation features to

function. You can still configure and display statistics for the global correlation features, but the global

correlation databases are cleared and no updates are attempted. Once you install a valid license, the

global correlation features are reactivated.

Enter yesto modify the system clock settings:

a. Enter yesto modify summertime settings.

Note

Summertime is also known as DST. If your location does not use Summertime, go to Step m.

b. Enter yesto choose the USA summertime defaults, or enter noand choose recurring, date, or disable

to specify how you want to configure summertime settings. The default is recurring.

c. If you chose recurring, specify the month you want to start summertime settings. Valid entries are

january, february, march, april, may, june, july, august, september, october, november, and

december. The default is march.

d. Specify the week you want to start summertime settings. Valid entries are first, second, third, fourth,

fifth, and last. The default is second.

e. Specify the day you want to start summertime settings. Valid entries are sunday, monday, tuesday,

wednesday, thursday, friday, and saturday. The default is sunday.

f. Specify the time you want to start summertime settings. The default is 02:00:00.

Note

The default recurring summertime parameters are correct for time zones in the United States.

The default values specify a start time of 2:00 a.m. on the second Sunday in March, and a

stop time of 2:00 a.m. on the first Sunday in November. The default summertime offset is 60

minutes.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

2-5

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 2 Initializing the Sensor

Basic Sensor Setup

g. Specify the month you want summertime settings to end. Valid entries are january, february, march,

april, may, june, july, august, september, october, november, and december. The default is november.

h. Specify the week you want the summertime settings to end. Valid entries are first, second, third,

fourth, fifth, and last. The default is first.

i. Specify the day you want the summertime settings to end. Valid entries are sunday, monday, tuesday,

wednesday, thursday, friday, and saturday. The default is sunday.

j. Specify the time you want summertime settings to end. The default is 02:00:00.

k. Specify the DST zone. The zone name is a character string up to 24 characters long in the pattern

[A-Za-z0-9()+:,_/-]+$.

l. Specify the summertime offset. Specify the summertime offset from UTC in minutes (negative

numbers represent time zones west of the Prime Meridian). The default is 60.

m. Enter yesto modify the system time zone.

n. Specify the standard time zone name. The zone name is a character string up to 24 characters long.

o. Specify the standard time zone offset. Specify the standard time zone offset from UTC in minutes

(negative numbers represent time zones west of the Prime Meridian). The default is 0.

p. Enter yesif you want to use NTP. To use authenticated NTP, you need the NTP server IP address,

the NTP key ID, and the NTP key value. If you do not have those at this time, you can configure

NTP later. Otherwise, you can choose unauthenticated NTP.

Step 9

Enter off, partial, or full to participate in the SensorBase Network Participation:

•

Off—No data is contributed to the SensorBase Network.

Partial—Data is contributed to the SensorBase Network, but data considered potentially sensitive is

filtered out and never sent.

•

Full—All data is contributed to the SensorBase Network except the attacker/victim IP addresses that

you exclude.

The SensorBase Network Participation disclaimer appears. It explains what is involved in participating

in the SensorBase Network.

Step 10 Enter yesto participate in the SensorBase Network.

The following configuration was entered.

service host

network-settings

host-ip 192.168.1.2/24, 192.168.1.1

host-name sensor

telnet-option disabled

sshv1-fallback disabled

access-list 10.0.0.0/8

ftp-timeout 300

no login-banner-text

dns-primary-server enabled

address 171.68.226.120

exit

dns-secondary-server disabled

dns-tertiary-server disabled

http-proxy proxy-server

address 128.107.241.170

port 8080

exit

time-zone-settings

offset -360

standard-time-zone-name CST

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

2-6

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 2 Initializing the Sensor

Advanced Setup

exit

summertime-option recurring

offset 60

summertime-zone-name CDT

start-summertime

month march

week-of-month second

day-of-week sunday

time-of-day 02:00:00

exit

end-summertime

month november

week-of-month first

day-of-week sunday

time-of-day 02:00:00

exit

ntp-option enabled

ntp-keys 1 md5-key 8675309

ntp-servers 10.10.1.2 key-id 1

exit

service global-correlation

network-participation full

exit

[0] Go to the command prompt without saving this config.

[1] Return to setup without saving this config.

[2] Save this configuration and exit setup.

[3] Continue to Advanced setup.

Step 11 Enter

to save the configuration (or

to continue with advanced setup using the CLI).

Enter your selection[2]: 2

Configuration Saved.

Step 12 If you changed the time setting, enter yes to reboot the sensor.

For More Information

For the procedure for obtaining the most recent IPS software, see Obtaining Cisco IPS Software,

page 20-1.

Advanced Setup

This section describes how to continue with advanced setup in the CLI for the sensor. It contains the

following sections:

•

Advanced Setup for the Appliance, page 2-8

Advanced Setup for the ASA 5500-X IPS SS P , p age 2-13

Advanced Setup for the ASA 5585-X IPS SS P , p age 2-17

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

2-7

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 2 Initializing the Sensor

Advanced Setup

Advanced Setup for the Appliance

Note

The currently supported Cisco IPS appliances are the IPS 4345, IPS 4360, IPS 4510, and IPS 4520.

Note

Adding new subinterfaces is a two-step process. You first organize the interfaces when you edit the

virtual sensor configuration. You then choose which interfaces and subinterfaces are assigned to which

virtual sensors.

The interfaces change according to the appliance model, but the prompts are the same for all models.

To continue with advanced setup for the appliance, follow these steps:

Step 1

Step 2

Enter the setupcommand. The System Configuration Dialog is displayed. Press Enter or the spacebar

to skip to the menu to access advanced setup.

Step 3

Step 4

Step 5

Step 6

Enter

to access advanced setup.

Specify the Telnet server status. The default is disabled.

Specify the SSHv1 fallback setting. The default is disabled.

Specify the web server port. The web server port is the TCP port used by the web server (1 to 65535).

The default is 443.

Note

The web server is configured to use TLS/SSL encryption by default. Setting the port to 80 does

not disable the encryption.

Step 7

Enter yesto modify the interface and virtual sensor configuration and to see the current interface

configuration.

Current interface configuration

Command control: Management0/0

Unassigned:

Promiscuous:

GigabitEthernet0/0

GigabitEthernet0/1

GigabitEthernet0/2

GigabitEthernet0/3

Virtual Sensor: vs0

Anomaly Detection: ad0

Event Action Rules: rules0

Signature Definitions: sig0

Virtual Sensor: vs1

Anomaly Detection: ad0

Event Action Rules: rules0

Signature Definitions: sig0

Virtual Sensor: vs2

Anomaly Detection: ad0

Event Action Rules: rules0

Signature Definitions: sig0

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

2-8

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 2 Initializing the Sensor

Advanced Setup

[1] Edit Interface Configuration

[2] Edit Virtual Sensor Configuration

[3] Display configuration

Option:

Step 8

Enter

to edit the interface configuration.

Note

The following options let you create and delete interfaces. You assign the interfaces to virtual

sensors in the virtual sensor configuration. If you are using promiscuous mode for your

interfaces and are not subdividing them by VLAN, no additional configuration is necessary.

[1] Remove interface configurations.

[2] Add/Modify Inline Vlan Pairs.

[3] Add/Modify Promiscuous Vlan Groups.

[4] Add/Modify Inline Interface Pairs.

[5] Add/Modify Inline Interface Pair Vlan Groups.

[6] Modify interface default-vlan.

Option:

Step 9

Enter

to add inline VLAN pairs and display the list of available interfaces.

Caution

The new VLAN pair is not automatically added to a virtual sensor.

Available Interfaces

[1] GigabitEthernet0/0

[2] GigabitEthernet0/1

[3] GigabitEthernet0/2

[4] GigabitEthernet0/3

Option:

Step 10 Enter

to add an inline VLAN pair to GigabitEthernet 0/0, for example.

Inline Vlan Pairs for GigabitEthernet0/0

None

Step 11 Enter a subinterface number and description.

Subinterface Number:

Description[Created via setup by user asmith]:

Step 12 Enter numbers for VLAN 1 and 2.

Vlan1[]: 200

Vlan2[]: 300

Step 13 Press Enter to return to the available interfaces menu.

Note

Entering a carriage return at a prompt without a value returns you to the previous menu.

[1] GigabitEthernet0/0

[2] GigabitEthernet0/1

[3] GigabitEthernet0/2

[4] GigabitEthernet0/3

Option:

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

2-9

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 2 Initializing the Sensor

Advanced Setup

Note

At this point, you can configure another interface, for example, GigabitEthernet 0/1, for inline

VLAN pair.

Step 14 Press Enter to return to the top-level interface editing menu.

[1] Remove interface configurations.

[2] Add/Modify Inline Vlan Pairs.

[3] Add/Modify Promiscuous Vlan Groups.

[4] Add/Modify Inline Interface Pairs.

[5] Add/Modify Inline Interface Pair Vlan Groups.

[6] Modify interface default-vlan.

Option:

Step 15 Enter

to add an inline interface pair and see these options.

Available Interfaces

GigabitEthernet0/1

GigabitEthernet0/2

GigabitEthernet0/3

Step 16 Enter the pair name, description, and which interfaces you want to pair.

Pair name: newPair

Description[Created via setup by user asmith:

Interface1[]: GigabitEthernet0/1

Interface2[]: GigabitEthernet0/2

Pair name:

Step 17 Press Enter to return to the top-level interface editing menu.

[1] Remove interface configurations.

[2] Add/Modify Inline Vlan Pairs.

[3] Add/Modify Promiscuous Vlan Groups.

[4] Add/Modify Inline Interface Pairs.

[5] Add/Modify Inline Interface Pair Vlan Groups.

[6] Modify interface default-vlan.

Option:

Step 18 Press Enter to return to the top-level editing menu.

[1] Edit Interface Configuration

[2] Edit Virtual Sensor Configuration

[3] Display configuration

Option:

Step 19 Enter

to edit the virtual sensor configuration.

[1] Remove virtual sensor.

[2] Modify "vs0" virtual sensor configuration.

[3] Create new virtual sensor.

Option:

Step 20 Enter

to modify the virtual sensor configuration, vs0.

Virtual Sensor: vs0

Anomaly Detection: ad0

Event Action Rules: rules0

Signature Definitions: sig0

No Interfaces to remove.

Unassigned:

Promiscuous:

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

2-10

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 2 Initializing the Sensor

Advanced Setup

[1] GigabitEthernet0/3

[2] GigabitEthernet0/0

Inline Vlan Pair:

[3] GigabitEthernet0/0:1 (Vlans: 200, 300)

Inline Interface Pair:

[4] newPair (GigabitEthernet0/1, GigabitEthernet0/2)

Add Interface:

Step 21 Enter

Step 22 Enter

to add inline VLAN pair GigabitEthernet0/0:1.

to add inline interface pair NewPair.

Step 23 Press Enter to return to the top-level virtual sensor menu.

Virtual Sensor: vs0

Anomaly Detection: ad0

Event Action Rules: rules0

Signature Definitions: sig0

Inline Vlan Pair:

GigabitEthernet0/0:1 (Vlans: 200, 300)

Inline Interface Pair:

newPair (GigabitEthernet0/1, GigabitEthernet0/2)

[1] Remove virtual sensor.

[2] Modify "vs0" virtual sensor configuration.

[3] Create new virtual sensor.

Option: GigabitEthernet0/1, GigabitEthernet0/2)

Add Interface:

Step 24 Press Enter to return to the top-level interface and virtual sensor configuration menu.

[1] Edit Interface Configuration

[2] Edit Virtual Sensor Configuration

[3] Display configuration

Option:

Step 25 Enter yesif you want to modify the default threat prevention settings.

Note

The sensor comes with a built-in override to add the deny packet event action to high risk rating

alerts. If you do not want this protection, disable automatic threat prevention.

Virtual sensor newVs is configured to prevent high risk threats in inline mode. (Risk

Rating 90-100)

Virtual sensor vs0 is configured to prevent high risk threats in inline mode.(Risk Rating

90-100)

Do you want to disable automatic threat prevention on all virtual sensors?[no]:

Step 26 Enter yesto disable automatic threat prevention on all virtual sensors.

Step 27 Press Enter to exit the interface and virtual sensor configuration.

The following configuration was entered.

service host

network-settings

host-ip 192.168.1.2/24,192.168.1.1

host-name sensor

telnet-option disabled

sshv1-fallback disabled

ftp-timeout 300

no login-banner-text

exit

time-zone-settings

offset 0

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

2-11

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 2 Initializing the Sensor

Advanced Setup

standard-time-zone-name UTC

exit

summertime-option disabled

ntp-option disabled

exit

service web-server

port 342

exit

service interface

physical-interfaces GigabitEthernet0/0

admin-state enabled

subinterface-type inline-vlan-pair

subinterface 1

description Created via setup by user asmith

vlan1 200

vlan2 300

exit

physical-interfaces GigabitEthernet0/1

admin-state enabled

exit

physical-interfaces GigabitEthernet0/2

admin-state enabled

exit

physical-interfaces GigabitEthernet0/0

admin-state enabled

exit

inline-interfaces newPair

description Created via setup by user asmith

interface1 GigabitEthernet0/1

interface2 GigabitEthernet0/2

exit

service analysis-engine

virtual-sensor newVs

description Created via setup by user cisco

signature-definition newSig

event-action-rules rules0

anomaly-detection

anomaly-detection-name ad0

operational-mode inactive

exit

physical-interface GigabitEthernet0/0

exit

virtual-sensor vs0

physical-interface GigabitEthernet0/0 subinterface-number 1

logical-interface newPair

service event-action-rules rules0

overrides deny-packet-inline

override-item-status Disabled

risk-rating-range 90-100

exit

[0] Go to the command prompt without saving this config.

[1] Return back to the setup without saving this config.

[2] Save this configuration and exit setup.

Step 28 Enter

to save the configuration.

Enter your selection[2]: 2

Configuration Saved.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

2-12

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 2 Initializing the Sensor

Advanced Setup

Step 29 Reboot the appliance.

sensor# reset

Warning: Executing this command will stop all applications and reboot the node.

Continue with reset? []:

Step 30 Enter yesto continue the reboot.

Step 31 Apply the most recent service pack and signature update. You are now ready to configure your appliance

for intrusion prevention.

For More Information

For the procedure for obtaining the most recent IPS software, see Obtaining Cisco IPS Software,

page 20-1.

Advanced Setup for the ASA 5500-X IPS SSP

To continue with advanced setup for the ASA 5500-X IPS SSP, follow these steps:

Step 1

Step 2

Session in to the IPS using an account with administrator privileges.

asa# session ips

Enter the setupcommand. The System Configuration Dialog is displayed. Press Enter or the spacebar

to skip to the menu to access advanced setup.

Step 3

Step 4

Step 5

Step 6

Enter

to access advanced setup.

Specify the Telnet server status. You can disable or enable Telnet services. The default is disabled.

Specify the SSHv1 fallback setting. The default is disabled.

Specify the web server port. The web server port is the TCP port used by the web server (1 to 65535).

The default is 443.

Note

The web server is configured to use TLS/SSL encryption by default. Setting the port to 80 does

not disable the encryption.

Step 7

Enter yesto modify the interface and virtual sensor configuration.

Current interface configuration

Command control: Management0/0

Unassigned:

Monitored:

PortChannel 0/0

Virtual Sensor: vs0

Anomaly Detection: ad0

Event Action Rules: rules0

Signature Definitions: sig0

[1] Edit Interface Configuration

[2] Edit Virtual Sensor Configuration

[3] Display configuration

Option:

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

2-13

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 2 Initializing the Sensor

Advanced Setup

Step 8

Enter

to edit the interface configuration.

Note

You do not need to configure interfaces on the ASA 5500-X IPS SSP. You should ignore the

modify interface default VLAN setting. The separation of traffic across virtual sensors is

configured differently for the ASA 5500-X IPS SSP than for other sensors.

[1] Modify interface default-vlan.

Option:

Step 9

Press Enter to return to the top-level interface and virtual sensor configuration menu.

[1] Edit Interface Configuration

[2] Edit Virtual Sensor Configuration

[3] Display configuration

Option:

Step 10 Enter

to edit the virtual sensor configuration.

[1] Remove virtual sensor.

[2] Modify "vs0" virtual sensor configuration.

[3] Create new virtual sensor.

Option:

Step 11 Enter

to modify the virtual sensor vs0 configuration.

Virtual Sensor: vs0

Anomaly Detection: ad0

Event Action Rules: rules0

Signature Definitions: sig0

No Interfaces to remove.

Unassigned:

Monitored:

[1] PortChannel 0/0

Add Interface:

Step 12 Enter

to add PortChannel 0/0 to virtual sensor vs0.

Note

Multiple virtual sensors are supported. The adaptive security appliance can direct packets to

specific virtual sensors or can send packets to be monitored by a default virtual sensor. The

default virtual sensor is the virtual sensor to which you assign PortChannel 0/0. We recommend

that you assign PortChannel 0/0 to vs0, but you can assign it to another virtual sensor if you want

to.

Step 13 Press Enter to return to the main virtual sensor menu.

Step 14 Enter to create a virtual sensor.

Name[]:

Step 15 Enter a name and description for your virtual sensor.

Name[]: newVs

Description[Created via setup by user cisco]: New Sensor

Anomaly Detection Configuration

[1] ad0

[2] Create a new anomaly detection configuration

Option[2]:

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

2-14

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 2 Initializing the Sensor

Advanced Setup

Step 16 Enter

to use the existing anomaly-detection configuration, ad0.

Signature Definition Configuration

[1] sig0

[2] Create a new signature definition configuration

Option[2]:

Step 17 Enter

to create a signature-definition configuration file.

Step 18 Enter the signature-definition configuration name, newSig.

Event Action Rules Configuration

[1] rules0

[2] Create a new event action rules configuration

Option[2]:

Step 19 Enter

to use the existing event-action-rules configuration, rules0.

Note

If PortChannel 0/0 has not been assigned to vs0, you are prompted to assign it to the new virtual

sensor.

Virtual Sensor: newVs

Anomaly Detection: ad0

Event Action Rules: rules0

Signature Definitions: newSig

Monitored:

PortChannel0/0

[1] Remove virtual sensor.

[2] Modify "newVs" virtual sensor configuration.

[3] Modify "vs0" virtual sensor configuration.

[4] Create new virtual sensor.

Option:

Step 20 Press Enter to exit the interface and virtual sensor configuration menu.

Modify default threat prevention settings?[no]:

Step 21 Enter yesif you want to modify the default threat prevention settings.

Note

The sensor comes with a built-in override to add the deny packet event action to high risk rating

alerts. If you do not want this protection, disable automatic threat prevention.

Virtual sensor newVs is configured to prevent high risk threats in inline mode. (Risk

Rating 90-100)

Virtual sensor vs0 is configured to prevent high risk threats in inline mode.(Risk Rating

90-100)

Do you want to disable automatic threat prevention on all virtual sensors?[no]:

Step 22 Enter yesto disable automatic threat prevention on all virtual sensors.

The following configuration was entered.

service host

network-settings

host-ip 192.168.1.2/24,192.168.1.1

host-name asa-ips

telnet-option disabled

sshv1-fallback disabled

access-list 10.0.0.0/8

access-list 64.0.0.0/8

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

2-15

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 2 Initializing the Sensor

Advanced Setup

ftp-timeout 300

no login-banner-text

exit

time-zone-settings

offset 0

standard-time-zone-name UTC

exit

summertime-option disabled

ntp-option disabled

exit

service web-server

port 342

exit

service analysis-engine

virtual-sensor newVs

description New Sensor

signature-definition newSig

event-action-rules rules0

anomaly-detection

anomaly-detection-name ad0

exit

physical-interfaces PortChannel0/0

exit

service event-action-rules rules0

overrides deny-packet-inline

override-item-status Disabled

risk-rating-range 90-100

exit

[0] Go to the command prompt without saving this config.

[1] Return back to the setup without saving this config.

[2] Save this configuration and exit setup.

Step 23 Enter

to save the configuration.

Enter your selection[2]: 2

Configuration Saved.

Step 24 Reboot the ASA 5500-X IPS SSP.

asa-ips# reset

Warning: Executing this command will stop all applications and reboot the node.

Continue with reset? []:

Step 25 Enter yesto continue the reboot.

Step 26 After reboot, log in to the sensor, and display the self-signed X.509 certificate (needed by TLS).

asa-ips# show tls fingerprint

SHA1: 64:9B:AC:DE:21:62:0C:D3:57:2E:9B:E5:3D:04:8F:A7:FD:CD:6F:27

Step 27 Write down the certificate fingerprints. You need the fingerprints to check the authenticity of the

certificate when using HTTPS to connect to this ASA 5500-X IPS SSP with a web browser.

Step 28 Apply the most recent service pack and signature update. You are now ready to configure the

ASA 5500-X IPS SSP for intrusion prevention.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

2-16

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 2 Initializing the Sensor

Advanced Setup

For More Information

For the procedure for obtaining the most recent IPS software, see Obtaining Cisco IPS Software,

page 20-1.

Advanced Setup for the ASA 5585-X IPS SSP

To continue with advanced setup for the ASA 5585-X IPS SSP, follow these steps:

Step 1

Step 2

Session in to the ASA 5585-X IPS SSP using an account with administrator privileges.

asa# session 1

Enter the setupcommand. The System Configuration Dialog is displayed. Press Enter or the spacebar

to skip to the menu to access advanced setup.

Step 3

Step 4

Step 5

Step 6

Enter

to access advanced setup.

Specify the Telnet server status. You can disable or enable Telnet services. The default is disabled.

Specify the SSHv1 fallback setting. The default is disabled.

Specify the web server port. The web server port is the TCP port used by the web server (1 to 65535).

The default is 443.

Note

The web server is configured to use TLS/SSL encryption by default. Setting the port to 80 does

not disable the encryption.

Step 7

Enter yesto modify the interface and virtual sensor configuration.

Current interface configuration

Command control: Management0/0

Unassigned:

Monitored:

PortChannel0/0

Virtual Sensor: vs0

Anomaly Detection: ad0

Event Action Rules: rules0

Signature Definitions: sig0

[1] Edit Interface Configuration

[2] Edit Virtual Sensor Configuration

[3] Display configuration

Option:

Step 8

Enter

to edit the interface configuration.

Note

You do not need to configure interfaces on the ASA 5585-X IPS SSP. You should ignore the

modify interface default VLAN setting. The separation of traffic across virtual sensors is

configured differently for the ASA 5585-X IPS SSP than for other sensors.

[1] Modify interface default-vlan.

Option:

Step 9

Press Enter to return to the top-level interface and virtual sensor configuration menu.

[1] Edit Interface Configuration

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

2-17

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 2 Initializing the Sensor

Advanced Setup

[2] Edit Virtual Sensor Configuration

[3] Display configuration

Option:

Step 10 Enter

to edit the virtual sensor configuration.

[1] Remove virtual sensor.

[2] Modify "vs0" virtual sensor configuration.

[3] Create new virtual sensor.

Option:

Step 11 Enter

to modify the virtual sensor vs0 configuration.

Virtual Sensor: vs0

Anomaly Detection: ad0

Event Action Rules: rules0

Signature Definitions: sig0

No Interfaces to remove.

Unassigned:

Monitored:

[1] PortChannel0/0

Add Interface:

Step 12 Enter

to add PortChannel 0/0 to virtual sensor vs0.

Note

Multiple virtual sensors are supported. The adaptive security appliance can direct packets to

specific virtual sensors or can send packets to be monitored by a default virtual sensor. The

default virtual sensor is the virtual sensor to which you assign PortChannel 0/0. We recommend

that you assign PortChannel 0/0 to vs0, but you can assign it to another virtual sensor if you want

to.

Step 13 Press Enter to return to the main virtual sensor menu.

Step 14 Enter to create a virtual sensor.

Name[]:

Step 15 Enter a name and description for your virtual sensor.

Name[]: newVs

Description[Created via setup by user cisco]: New Sensor

Anomaly Detection Configuration

[1] ad0

[2] Create a new anomaly detection configuration

Option[2]:

Step 16 Enter

to use the existing anomaly-detection configuration, ad0.

Signature Definition Configuration

[1] sig0

[2] Create a new signature definition configuration

Option[2]:

Step 17 Enter

to create a signature-definition configuration file.

Step 18 Enter the signature-definition configuration name, newSig.

Event Action Rules Configuration

[1] rules0

[2] Create a new event action rules configuration

Option[2]:

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

2-18

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 2 Initializing the Sensor

Advanced Setup

Step 19 Enter

to use the existing event action rules configuration, rules0.

Note

If PortChannel 0/0 has not been assigned to vs0, you are prompted to assign it to the new virtual

sensor.

Virtual Sensor: newVs

Anomaly Detection: ad0

Event Action Rules: rules0

Signature Definitions: newSig

Monitored:

PortChannel0/0

[1] Remove virtual sensor.

[2] Modify "newVs" virtual sensor configuration.

[3] Modify "vs0" virtual sensor configuration.

[4] Create new virtual sensor.

Option:

Step 20 Press Enter to exit the interface and virtual sensor configuration menu.

Modify default threat prevention settings?[no]:

Step 21 Enter yesif you want to modify the default threat prevention settings.

Note

The sensor comes with a built-in override to add the deny packet event action to high risk rating

alerts. If you do not want this protection, disable automatic threat prevention.

Virtual sensor newVs is configured to prevent high risk threats in inline mode. (Risk

Rating 90-100)

Virtual sensor vs0 is configured to prevent high risk threats in inline mode.(Risk Rating

90-100)

Do you want to disable automatic threat prevention on all virtual sensors?[no]:

Step 22 Enter yesto disable automatic threat prevention on all virtual sensors.

The following configuration was entered.

service host

network-settings

host-ip 10.1.9.201/24,10.1.9.1

host-name ips-ssm

telnet-option disabled

sshv1-fallback disabled

access-list 10.0.0.0/8

access-list 64.0.0.0/8

ftp-timeout 300

no login-banner-text

exit

time-zone-settings

offset 0

standard-time-zone-name UTC

exit

summertime-option disabled

ntp-option disabled

exit

service web-server

port 342

exit

service analysis-engine

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

2-19

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 2 Initializing the Sensor

Verifying Initialization

virtual-sensor newVs

description New Sensor

signature-definition newSig

event-action-rules rules0

anomaly-detection

anomaly-detection-name ad0

exit

physical-interfaces PortChannel0/0

exit

service event-action-rules rules0

overrides deny-packet-inline

override-item-status Disabled

risk-rating-range 90-100

exit

[0] Go to the command prompt without saving this config.

[1] Return back to the setup without saving this config.

[2] Save this configuration and exit setup.

Step 23 Enter

to save the configuration.

Enter your selection[2]: 2

Configuration Saved.

Step 24 Reboot the ASA 5585-X IPS SSP.

ips-ssp# reset

Warning: Executing this command will stop all applications and reboot the node.

Continue with reset? []:

Step 25 Enter yesto continue the reboot.

Step 26 After reboot, log in to the sensor, and display the self-signed X.509 certificate (needed by TLS).

ips-ssp# show tls fingerprint

SHA1: 64:9B:AC:DE:21:62:0C:D3:57:2E:9B:E5:3D:04:8F:A7:FD:CD:6F:27

Step 27 Write down the certificate fingerprints. You need the fingerprints to check the authenticity of the

certificate when using HTTPS to connect to this ASA 5585-X IPS SSP with a web browser.

Step 28 Apply the most recent service pack and signature update. You are now ready to configure your

ASA 5585-X IPS SSP for intrusion prevention.

For More Information

For the procedure for obtaining the most recent IPS software, see Obtaining Cisco IPS Software,

page 20-1.

Verifying Initialization

Note

The CLI output is an example of what your configuration may look like. It will not match exactly due to

the optional setup choices, sensor model, and IPS version you have installed.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

2-20

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 2 Initializing the Sensor

Verifying Initialization

To verify that you initialized your sensor, follow these steps:

Step 1

Step 2

View your configuration.

sensor# show configuration

! ------------------------------

! Current configuration last modified Fri Apr 19 19:01:05 2013

! ------------------------------

! Version 7.2(1)

! Host:

Realm Keys

! Signature Definition:

Signature Update

key1.0

S697.0

2013-02-15

! ------------------------------

service interface

physical-interfaces GigabitEthernet0/0

admin-state enabled

exit

physical-interfaces GigabitEthernet0/1

admin-state enabled

exit

inline-interfaces pair0

interface1 GigabitEthernet0/0

interface2 GigabitEthernet0/1

exit

bypass-mode auto

exit

! ------------------------------

service authentication

exit

! ------------------------------

service event-action-rules rules0

exit

! ------------------------------

service host

network-settings

host-ip 10.106.133.159/23,10.106.132.1

host-name q4360-159

telnet-option enabled

access-list 0.0.0.0/0

dns-primary-server disabled

dns-secondary-server disabled

dns-tertiary-server disabled

exit

! ------------------------------

service logger

exit

! ------------------------------

service network-access

exit

! ------------------------------

service notification

exit

! ------------------------------

service signature-definition sig0

exit

! ------------------------------

service ssh-known-hosts

exit

! ------------------------------

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

2-21

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 2 Initializing the Sensor

Verifying Initialization

service trusted-certificates

exit

! ------------------------------

service web-server

websession-inactivity-timeout 3600

exit

! ------------------------------

service anomaly-detection ad0

exit

! ------------------------------

service external-product-interface

exit

! ------------------------------

service health-monitor

exit

! ------------------------------

service global-correlation

exit

! ------------------------------

service aaa

exit

! ------------------------------

service analysis-engine

virtual-sensor vs0

logical-interface pair0

exit

sensor#

Note

You can also use the more current-config command to view your configuration.

Step 3

Step 4

Display the self-signed X.509 certificate (needed by TLS).

sensor# show tls fingerprint

SHA1: 64:9B:AC:DE:21:62:0C:D3:57:2E:9B:E5:3D:04:8F:A7:FD:CD:6F:27

Write down the certificate fingerprints. You need the fingerprints to check the authenticity of the

certificate when connecting to this sensor with a web browser.

For More Information

For the procedure for logging in to the sensor, see Chapter ii, “Logging In to the Sensor.”

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

2-22

Download from Www.Somanuals.com. All Manuals Search And Download.

C H A P T E R

Setting Up the Sensor

This chapter contains procedures for the setting up the sensor, and contains the following sections:

•

Setup Notes and Caveats, page 3-1

Understanding Sensor Setup, page 3-2

Changing Network Settings, page 3-2

Changing the CLI Session Timeout, page 3-14

Changing Web Server Settings, page 3-15

Configuring Authentication and User Parameters, page 3-18

Configuring Time, page 3-35

Configuring SSH, page 3-45

Configuring TLS, page 3-51

Installing the License Key, page 3-54

Setup Notes and Caveats

The following notes and caveats apply to setting up the sensor:

•

By default SSHv2 is enabled and SSHv1 is disabled.

When updating the hostname, the CLI prompt of the current session and other existing sessions is

not updated with the new hostname immediately. Subsequent CLI login sessions reflect the new

hostname in the prompt.

•

Telnet is not a secure access service and therefore is disabled by default on the sensor. However,

SSH is always running on the sensor and it is a secure service.

For automatic and global correlation updates to function, you must have either a DNS server or an

HTTP proxy server configured at all times.

DNS resolution is supported for accessing the global correlation update server as well as

www.cisco.com for automatic updates.

•

The default web server port is 443 if TLS is enabled and 80 if TLS is disabled.

The username command provides username and password authentication for login purposes only.

You cannot use this command to remove a user who is logged in to the system. You cannot use this

command to remove yourself from the system.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-1

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Understanding Sensor Setup

•

You cannot use the privilege command to give a user service privileges. If you want to give an

existing user service privileges, you must remove that user and then use the username command to

create the service account.

Do not make modifications to the sensor through the service account except under the direction of

TAC. If you use the service account to configure the sensor, your configuration is not supported by

TAC. Adding services to the operating system through the service account affects proper

performance and functioning of the other IPS services. TAC does not support a sensor on which

additional services have been added.

•

You should carefully consider whether you want to create a service account. The service account

provides shell access to the system, which makes the system vulnerable. However, you can use the

service account to create a password if the administrator password is lost. Analyze your situation to

decide if you want a service account existing on the system.

•

Administrators may need to disable the password recovery feature for security reasons.

We recommend that you use an NTP server to regulate time on your sensor. You can use

authenticated or unauthenticated NTP. For authenticated NTP, you must obtain the NTP server IP

address, NTP server key ID, and the key value from the NTP server. You can set up NTP during

initialization or you can configure NTP through the CLI, IDM, IME, or ASDM.

•

In addition to a valid Cisco.com username and password, you must also have a Cisco Services for

IPS service contract before you can apply for a license key.

Understanding Sensor Setup

Setting up the sensor involves such tasks as changing sensor initialization information, adding and

deleting users, configuring time and setting up NTP, creating a service account, configuring SSH and

TLS, and installing the license key. You configured most of these settings when you initialized the sensor

using the setup command.

For More Information

For more information on using the setup command to initialize the sensor, see Chapter 2, “Initializing

the Sensor.”

Changing Network Settings

After you initialize your sensor, you may need to change some of the network settings that you

configured when you ran the setup command. This section describes how to change network settings,

and contains the following topics:

•

Changing the Hostname, page 3-3

Changing the IP Address, Netmask, and Gateway, page 3-4

Enabling and Disabling Telnet, page 3-5

Changing the Access List, page 3-6

Changing the FTP Timeout, page 3-8

Adding a Login Banner, page 3-9

Configuring the DNS and Proxy Servers for Global Correlation and Automatic Update, page 3-10

Enabling SSHv1 Fallback, page 3-13

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-2

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Changing Network Settings

Changing the Hostname

Note

The CLI prompt of the current session and other existing sessions will not be updated with the new

hostname. Subsequent CLI login sessions will reflect the new hostname in the prompt.

Use the host-name host_name command in the service host submode to change the hostname of the

sensor after you have run the setup command. The default is sensor.

To change the sensor hostname, follow these steps:

Step 1

Step 2

Enter network settings submode.

sensor# configure terminal

sensor(config)# service host

sensor(config-hos)# network-settings

Step 3

Step 4

Change the sensor hostname.

sensor(config-hos-net)# host-name firesafe

Verify the new hostname.

sensor(config-hos-net)# show settings

network-settings

-----------------------------------------------

host-ip: 192.0.2.1/24,192.0.2.2 default:

192.168.1.2/24,192.168.1.1

host-name: firesafe default: sensor

telnet-option: enabled default: disabled

sshv1-fallback: disabled default: disabled

access-list (min: 0, max: 512, current: 1)

-----------------------------------------------

network-address: 0.0.0.0/0

-----------------------------------------------

ftp-timeout: 300 seconds <defaulted>

-----------------------------------------------

sensor(config-hos-net)#

Step 5

Step 6

To change the hostname back to the default setting, use the default form of the command.

sensor(config-hos-net)# default host-name

Verify the change to the default hostname sensor.

sensor(config-hos-net)# show settings

network-settings

-----------------------------------------------

host-ip: 192.0.2.1/24,192.0.2.2 default:

192.168.1.2/24,192.168.1.1

host-name: sensor <defaulted>

telnet-option: enabled default: disabled

sshv1-fallback: disabled default: disabled

access-list (min: 0, max: 512, current: 1)

-----------------------------------------------

network-address: 0.0.0.0/0

-----------------------------------------------

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-3

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Changing Network Settings

ftp-timeout: 300 seconds <defaulted>

-----------------------------------------------

sensor(config-hos-net)#

Step 7

Step 8

Exit network settings mode.

sensor(config-hos-net)# exit

sensor(config-hos)# exit

Apply Changes:?[yes]:

Press Enter to apply the changes or enter no to discard them.

Changing the IP Address, Netmask, and Gateway

Use the host-ip ip_address/netmask,default_gateway command in the service host submode to change

the IP address, netmask, and default gateway after you have run the setup command. The default is

192.168.1.2/24,192.168.1.1.

The host-ip is in the form of IP Address/Netmask/Gateway: X.X.X.X/nn,Y.Y.Y.Y, where X.X.X.X

specifies the sensor IP address as a 32-bit address written as 4 octets separated by periods where X =

0-255, nn specifies the number of bits in the netmask, and Y.Y.Y.Y specifies the default gateway as a

32-bit address written as 4 octets separated by periods where Y = 0-255.

To change the sensor IP address, netmask, and default gateway, follow these steps:

Step 1

Step 2

Enter network settings mode.

sensor# configure terminal

sensor(config)# service host

sensor(config-hos)# network-settings

Step 3

Change the sensor IP address, netmask, and default gateway.

sensor(config-hos-net)# host-ip 192.0.2.1/24,192.0.2.2

Note

The default gateway must be in the same subnet as the IP address of the sensor or the sensor

generates an error and does not accept the configuration change.

Step 4

Verify the new information.

sensor(config-hos-net)# show settings

network-settings

-----------------------------------------------

host-ip: 192.0.2.1/24,192.0.2.2

default: 192.168.1.2/24,192.168.1.1

host-name: sensor default: sensor

telnet-option: enabled default: disabled

sshv1-fallback: disabled default: disabled

access-list (min: 0, max: 512, current: 1)

-----------------------------------------------

network-address: 0.0.0.0/0

-----------------------------------------------

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-4

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Changing Network Settings

ftp-timeout: 300 seconds <defaulted>

-----------------------------------------------

Step 5

Step 6

To change the information back to the default setting, use the default form of the command.

sensor(config-hos-net)# default host-ip

Verify that the host IP is now the default of 192.168.1.2/24,192.168.1.1.

sensor(config-hos-net)# show settings

network-settings

-----------------------------------------------

host-ip: 192.168.1.2/24,192.168.1.1 <defaulted>

host-name: sensor default: sensor

telnet-option: enabled default: disabled

sshv1-fallback: disabled default: disabled

access-list (min: 0, max: 512, current: 1)

-----------------------------------------------

network-address: 0.0.0.0/0

-----------------------------------------------

ftp-timeout: 300 seconds <defaulted>

-----------------------------------------------

sensor(config-hos-net)#

Step 7

Step 8

Exit network settings mode.

sensor(config-hos-net)# exit

sensor(config-hos)# exit

Apply Changes:?[yes]:

Press Enter to apply the changes or enter no to discard them.

Enabling and Disabling Telnet

Caution

Telnet is not a secure access service and therefore is disabled by default. However, SSH is always

running on the sensor and it is a secure service.

Use the telnet-option {enabled | disabled} command in the service host submode to enable Telnet for

remote access to the sensor. The default is disabled.

To enable or disable Telnet services, follow these steps:

Step 1

Step 2

Enter network settings mode.

sensor# configure terminal

sensor(config)# service host

sensor(config-hos)# network-settings

Step 3

Enable Telnet services.

sensor(config-hos-net)# telnet-option enabled

sensor(config-hos-net)#

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-5

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Changing Network Settings

Step 4

Verify that Telnet is enabled.

sensor(config-hos-net)# show settings

network-settings

-----------------------------------------------

host-ip: 192.0.2.1/24,192.0.2.2

default: 192.168.1.2/24,192.168.1.1

host-name: sensor default: sensor

telnet-option: enabled default: disabled

sshv1-fallback: disabled default: disabled

access-list (min: 0, max: 512, current: 1)

-----------------------------------------------

network-address: 0.0.0.0/0

-----------------------------------------------

ftp-timeout: 300 seconds <defaulted>

-----------------------------------------------

sensor(config-hos-net)#

Step 5

Exit network settings mode.

sensor(config-hos-net)# exit

sensor(config-hos)# exit

Apply Changes:?[yes]:

Step 6

Note

Press Enter to apply the changes or enter no to discard them.

To Telnet to the sensor, you must enable Telnet and configure the access list to allow the Telnet clients

to connect.

For More Information

For the procedure for configuring the access list, see Changing the Access List, page 3-6.

Changing the Access List

Use the access-list ip_address/netmask command in the service host submode to configure the access

list, the list of hosts or networks that you want to have access to your sensor. Use the no form of the

command to remove an entry from the list. The default access list is empty.

The following hosts must have an entry in the access list:

•

Hosts that need to Telnet to your sensor.

Hosts that need to use SSH with your sensor.

Hosts, such as the IDM and the IME, that need to access your sensor from a web browser.

Management stations, such as the CSM, that need access to your sensor.

If your sensor is a master blocking sensor, the IP addresses of the blocking forwarding sensors must

have an entry in the list.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-6

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Changing Network Settings

To modify the access list, follow these steps:

Step 1

Step 2

Enter network settings mode.

sensor# configure terminal

sensor(config)# service host

sensor(config-hos)# network-settings

Step 3

Step 4

Add an entry to the access list. The netmask for a single host is 32.

sensor(config-hos-net)# access-list 192.0.2.110/32

Verify the change you made to the access-list.

sensor(config-hos-net)# show settings

network-settings

-----------------------------------------------

host-ip: 192.168.1.2/24,192.168.1.1 <defaulted>

host-name: sensor <defaulted>

telnet-option: enabled default: disabled

sshv1-fallback: disabled default: disabled

access-list (min: 0, max: 512, current: 2)

-----------------------------------------------

network-address: 10.1.9.0/24

-----------------------------------------------

network-address: 192.0.2.110/32

-----------------------------------------------

ftp-timeout: 300 seconds <defaulted>

-----------------------------------------------

Step 5

Step 6

Remove the entry from the access list.

sensor(config-hos-net)# no access-list 192.0.2.110/32

Verify that the host is no longer in the list.

sensor(config-hos-net)# show settings

network-settings

-----------------------------------------------

host-ip: 192.168.1.2/24,192.168.1.1 <defaulted>

host-name: sensor <defaulted>

telnet-option: enabled default: disabled

sshv1-fallback: disabled default: disabled

access-list (min: 0, max: 512, current: 1)

-----------------------------------------------

network-address: 10.1.9.0/24

-----------------------------------------------

ftp-timeout: 300 seconds <defaulted>

-----------------------------------------------

sensor(config-hos-net)#

Step 7

Step 8

Change the value back to the default.

sensor(config-hos-net)# default access-list

Verify the value has been set back to the default.

sensor(config-hos-net)# show settings

network-settings

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-7

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Changing Network Settings

-----------------------------------------------

host-ip: 192.168.1.2/24,192.168.1.1 <defaulted>

host-name: sensor <defaulted>

telnet-option: enabled default: disabled

sshv1-fallback: disabled default: disabled

access-list (min: 0, max: 512, current: 0)

-----------------------------------------------

ftp-timeout: 300 seconds <defaulted>

-----------------------------------------------

sensor(config-hos-net)#

Step 9

Exit network settings mode.

sensor(config-hos-net)# exit

sensor(config-hos)# exit

Apply Changes:?[yes]:

Step 10 Press Enter to apply the changes or enter no to discard them.

Changing the FTP Timeout

Note

You can use the FTP client for downloading updates and configuration files from your FTP server.

Use the ftp-timeout command in the service host submode to change the number of seconds that the FTP

client waits before timing out when the sensor is communicating with an FTP server. The default is 300

seconds.

To change the FTP timeout, follow these steps:

Step 1

Step 2

Enter network settings mode.

sensor# configure terminal

sensor(config)# service host

sensor(config-hos)# network-settings

Step 3

Step 4

Change the number of seconds of the FTP timeout.

sensor(config-hos-net)# ftp-timeout 500

Verify the FTP timeout change.

sensor(config-hos-net)# show settings

network-settings

-----------------------------------------------

host-ip: 192.0.2.1/24,192.0.2.2

default: 192.168.1.2/24,192.168.1.1

host-name: sensor default: sensor

telnet-option: enabled default: disabled

sshv1-fallback: disabled default: disabled

access-list (min: 0, max: 512, current: 1)

-----------------------------------------------

network-address: 0.0.0.0/0

-----------------------------------------------

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-8

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Changing Network Settings

-----------------------------------------------

ftp-timeout: 500 seconds default: 300

-----------------------------------------------

sensor(config-hos-net)#

Step 5

Step 6

Change the value back to the default.

sensor(config-hos-net)# default ftp-timeout

Verify the value has been set back to the default.

sensor(config-hos-net)# show settings

network-settings

-----------------------------------------------

host-ip: 192.0.2.1/24,192.0.2.2

default: 192.168.1.2/24,192.168.1.1

host-name: sensor default: sensor

telnet-option: enabled default: disabled

sshv1-fallback: disabled default: disabled

access-list (min: 0, max: 512, current: 1)

-----------------------------------------------

network-address: 0.0.0.0/0

-----------------------------------------------

ftp-timeout: 300 seconds <defaulted>

-----------------------------------------------

sensor(config-hos-net)#

Step 7

Step 8

Exit network settings mode.

sensor(config-hos-net)# exit

sensor(config-hos)# exit

Apply Changes:?[yes]:

Press Enter to apply the changes or enter no to discard them.

Adding a Login Banner

Use the login-banner-text text_message command to add a login banner that the user sees during login.

There is no default. When you want to start a new line in your message, press Ctrl-V Enter.

To add a login banner, follow these steps:

Step 1

Step 2

Enter network settings mode.

sensor# configure terminal

sensor(config)# service host

sensor(config-hos)# network-settings

Step 3

Step 4

Add the banner login text.

sensor(config-hos-net)# login-banner-text This is the banner login text message.

Verify the banner login text message.

sensor(config-hos-net)# show settings

network-settings

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-9

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Changing Network Settings

-----------------------------------------------

host-ip: 192.0.2.1/24,192.0.2.2

default: 192.168.1.2/24,192.168.1.1

host-name: sensor default: sensor

telnet-option: enabled default: disabled

sshv1-fallback: disabled default: disabled

access-list (min: 0, max: 512, current: 1)

-----------------------------------------------

network-address: 0.0.0.0/0

-----------------------------------------------

ftp-timeout: 300 seconds <defaulted>

-----------------------------------------------

sensor(config-hos-net)#

Step 5

Step 6

To remove the login banner text, use the no form of the command.

sensor(config-hos-net)# no login-banner-text

Verify the login text has been removed.

sensor(config-hos-net)# show settings

network-settings

-----------------------------------------------

host-ip: 192.0.2.1/24,192.0.2.2

default: 192.168.1.2/24,192.168.1.1

host-name: sensor default: sensor

telnet-option: enabled default: disabled

sshv1-fallback: disabled default: disabled

access-list (min: 0, max: 512, current: 1)

-----------------------------------------------

network-address: 0.0.0.0/0

-----------------------------------------------

ftp-timeout: 300 seconds <defaulted>

-----------------------------------------------

sensor(config-hos-net)#

Step 7

Step 8

Exit network settings mode.

sensor(config-hos-net)# exit

sensor(config-hos)# exit

Apply Changes:?[yes]:

Press Enter to apply the changes or enter no to discard them.

Configuring the DNS and Proxy Servers for Global Correlation and Automatic

Update

Use the http-proxy, dns-primary-server, dns-secondary-server, and dns-tertiary-server commands

in network-settings submode to configure servers to support the automatic update and global correlation

features.

You must configure either an HTTP proxy server or DNS server to support automatic update and global

correlation. You may need a proxy server to download automatic update and global correlation updates

if you use proxy in your network. If you are using a DNS server, you must configure at least one DNS

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-10

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Changing Network Settings

server and it must be reachable for automatic update and global correlation updates to be successful. You

can configure other DNS servers as backup servers. DNS queries are sent to the first server in the list. If

it is unreachable, DNS queries are sent to the next configured DNS server.

Caution

For automatic and global correlation updates to function, you must have either a DNS server or an HTTP

proxy server configured at all times.

DNS resolution is supported for accessing the global correlation update server as well as www.cisco.com

for automatic updates.

The following options apply:

•

http-proxy {no-proxy | proxy-sensor}—Configures the HTTP proxy server:

–

address ip_address —Specifies the IP address of the HTTP proxy server.

port port_number —Specifies the port number of the HTTP proxy server.

•

dns-primary-server {enabled | disabled}—Enables a DNS primary server:

address ip_address —Specifies the IP address of the DNS primary server.

dns-secondary-server {enabled | disabled}—Enables a DNS secondary server:

address ip_address —Specifies the IP address of the DNS secondary server.

dns-tertiary-server {enabled | disabled}—Enables the DNS tertiary server:

address ip_address —Specifies the IP address of the DNS tertiary server.

–

Configuring DNS and Proxy Servers for Automatic Update and Global Correlation

To configure DNS and proxy servers to support automatic update and global correlation, follow these

steps:

Step 1

Step 2

Enter network settings submode.

sensor# configure terminal

sensor(config)# service host

sensor(config-hos)# network-settings

Step 3

Enable a proxy or DNS server to support global correlation:

a. Enable a proxy server.

sensor(config-hos-net)# http-proxy proxy-server

sensor(config-hos-net-pro)# address 10.10.10.1

sensor(config-hos-net-pro)# port 65

sensor(config-hos-net-pro)#

b. Enable a DNS server.

sensor(config-hos-net)# dns-primary-server enabled

sensor(config-hos-net-ena)# address 10.10.10.1

sensor(config-hos-net-ena)#

Step 4

Verify the settings.

sensor(config-hos-net)# show settings

network-settings

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-11

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Changing Network Settings

-----------------------------------------------

host-ip: 10.89.147.24/25,10.89.147.126 default: 192.168.1.2/24,192.168.1.1

host-name: sensor <defaulted>

telnet-option: enabled default: disabled

sshv1-fallback: disabled default: disabled

access-list (min: 0, max: 512, current: 1)

-----------------------------------------------

network-address: 0.0.0.0/0

-----------------------------------------------

ftp-timeout: 300 seconds <defaulted>

dns-primary-server

-----------------------------------------------

enabled

-----------------------------------------------

address: 10.10.10.1

-----------------------------------------------

dns-secondary-server

-----------------------------------------------

disabled

-----------------------------------------------

dns-tertiary-server

-----------------------------------------------

disabled

-----------------------------------------------

http-proxy

-----------------------------------------------

proxy-server

-----------------------------------------------

address: 10.10.10.1

port: 65

-----------------------------------------------

sensor(config-hos-net)#

Step 5

Step 6

Exit network settings mode.

sensor(config-hos-net)# exit

sensor(config-hos)# exit

Apply Changes:?[yes]:

Press Enter to apply the changes or enter no to discard them.

For More Information

•

For the procedure for configuring automatic update, see Configuring Automatic Upgrades,

page 21-8.

•

For more information on global correlation features, see Chapter 10, “Configuring Global

Correlation.”

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-12

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Changing Network Settings

Enabling SSHv1 Fallback

Note

The IPS supports managing both SSHv1 and SSHv2. The default is SSHv2, but you can configure the

sensor to fallback to SSHv1 if the peer client/server does not support SSHv2

Use the sshv1-fallback {enabled | disabled} command in the service host submode to enable the sensor

to fall back to SSH protocol version 1. Fallback to SSHv1 is provided in case the peer client/server does

not support SSHv2. SSHv2 is the default SSH version.

To enable or disable SSHv1 fallback, follow these steps:

Step 1

Step 2

Enter network settings mode.

sensor# configure terminal

sensor(config)# service host

sensor(config-hos)# network-settings

Step 3

Step 4

Enable Telnet services.

sensor(config-hos-net)# sshv1-fallback enabled

sensor(config-hos-net)#

Verify that SSHv1 fallback is enabled.

sensor(config-hos-net)# show settings

network-settings

-----------------------------------------------

host-ip: 10.106.164.52/24,10.106.164.1 default: 192.168.1.2/24,192.168.1.1

host-name: p32-ips4240-52 default: sensor

telnet-option: enabled default: disabled

sshv1-fallback: enabled default: disabled

access-list (min: 0, max: 512, current: 1)

-----------------------------------------------

network-address: 0.0.0.0/0

-----------------------------------------------

ftp-timeout: 300 seconds <defaulted>

sensor(config-hos-net)#

Step 5

Step 6

Exit network settings mode.

sensor(config-hos-net)# exit

sensor(config-hos)# exit

Apply Changes:?[yes]:

Press Enter to apply the changes or enter no to discard them.

For More Information

For more information about configuring SSH, see Configuring SSH, page 3-45.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-13

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Changing the CLI Session Timeout

Use the cli-inactivity-timeout command in the service authentication submode to change the number of

seconds that the CLI waits before timing out. Setting the CLI session timeout increases the security of a

CLI session. The default is 0 seconds, which means that it is an unlimited value and thus will never time

out. The valid range is 0 to 100,000 minutes.

To change the CLI session timeout, follow these steps:

Step 1

Step 2

Enter authentication mode.

sensor# configure terminal

sensor(config)# service authentication

Step 3

Step 4

Change the number of seconds of the CLI session timeout.

sensor(config-aut)# cli-inactivity-timeout 5000

Verify the CLI session timeout change.

sensor(config-aut)# show settings

attemptLimit: 0 <defaulted>

password-strength

-----------------------------------------------

size: 8-64 <defaulted>

digits-min: 0 <defaulted>

uppercase-min: 0 <defaulted>

lowercase-min: 0 <defaulted>

other-min: 0 <defaulted>

number-old-passwords: 0 <defaulted>

-----------------------------------------------

permit-packet-logging: true <defaulted>

cli-inactivity-timeout: 5000 default: 0

sensor(config-aut)#

Step 5

Step 6

Change the value back to the default.

sensor(config-aut)# default cli-inactivity-timeout

Verify the value has been set back to the default.

sensor(config-aut)# show settings

attemptLimit: 0 <defaulted>

password-strength

-----------------------------------------------

size: 8-64 <defaulted>

digits-min: 0 <defaulted>

uppercase-min: 0 <defaulted>

lowercase-min: 0 <defaulted>

other-min: 0 <defaulted>

number-old-passwords: 0 <defaulted>

-----------------------------------------------

permit-packet-logging: true <defaulted>

cli-inactivity-timeout: 0 <defaulted>

sensor(config-aut)#

Step 7

Exit authentication mode.

sensor(config-aut)# exit

Apply Changes:?[yes]:

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-14

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Changing Web Server Settings

Step 8

Press Enter to apply the changes or enter no to discard them.

Changing Web Server Settings

Note

The default web server port is 443 if TLS is enabled and 80 if TLS is disabled.

After you run the setup command, you can change the following web server settings: the web server port,

whether TLS encryption is being used, the HTTP server header message, restriction of TLS client

ciphers, web session inactivity timeout, and logging of web session inactivity timeouts.

HTTP is the protocol that web clients use to make requests from web servers. The HTTP specification

requires a server to identify itself in each response. Attackers sometimes exploit this protocol feature to

perform reconnaissance. If the IPS web server identified itself by providing a predictable response, an

attacker might learn that an IPS sensor is present.

We recommend that you not reveal to attackers that you have an IPS sensor. Change the server-id to

anything that does not reveal any information, especially if your web server is available to the Internet.

For example, if you forward a port through a firewall so you can monitor a sensor remotely, you need to

set the server-id.

The following options apply:

•

enable-tls {false | true}—Enables encryption (TLSv1) on the system. The default is enabled.

enable-websession-inactivity-timeout-logging {false | true}—Enables logging for web session

inactivity timeouts. The default is disabled.

•

port port_number—Specifies the port on which the web server listens for connections. The valid

range is 1 to 65535. The default is 443.

server-id server_id—Specifies the textual message the web server returns in the HTTP Server

header. The default is HTTP/1.1 compliant configurable-service.

tls-client-ciphers-restriction {false | true}—Enables the client to use only restricted mode ciphers;

disabling allows all ciphers. The default is enabled. When IPS acts as a TLS client, you can

configure restriciton on the TLS ciphers.

Note

Changes take place for the next sessions only. The current web session is not affected.

When enabled, the client can use the following restricted ciphers:

–

TLS_RSA_WITH_AES_128_CBC_SHA

TLS_RSA_WITH_AES_256_CBC_SHA

TLS_DHE_RSA_WITH_AES_128_CBC_SHA

TLS_DHE_RSA_WITH_AES_256_CBC_SHA

When disabled, the client can use the following ciphers:

–

TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

TLS_DHE_RSA_WITH_AES_256_CBC_SHA

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-15

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Changing Web Server Settings

–

TLS_DHE_DSS_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_AES_256_CBC_SHA

–

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

TLS_ECDH_RSA_WITH_AES_256_CBC_SHA

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA

TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA

TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA

TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA

TLS_RSA_WITH_3DES_EDE_CBC_SHA

TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

TLS_DHE_DSS_WITH_AES_128_CBC_SHA256

TLS_DHE_RSA_WITH_AES_128_CBC_SHA

TLS_DHE_DSS_WITH_AES_128_CBC_SHA

TLS_RSA_WITH_AES_128_CBC_SHA

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

TLS_ECDH_RSA_WITH_AES_128_CBC_SHA

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA

•

websession-inactivity-timeout seconds—Specifies the duration in seconds at which inactive web

sessions time out. The valid range is 600 to 3600 seconds. The default is 3600 seconds.

To change the web server settings, follow these steps:

Step 1

Step 2

Enter web server mode.

sensor# configure terminal

sensor(config)# service web-server

Step 3

Change the port number.

sensor(config-web)# port 8080

If you change the port number from the default of 443 to 8080, you receive this message:

Warning: The web server’s listening port number has changed from 443 to 8080. This change

will not take effect until the web server is re-started

Step 4

Enable TLS.

sensor(config-web)# enable-tls true

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-16

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Changing Web Server Settings

If you disable TLS, you receive this message:

Warning: TLS protocol support has been disabled. This change will not take effect until

the web server is re-started.

Step 5

Step 6

Step 7

Step 8

Step 9

Change the HTTP server header.

sensor(config-web)# server-id Nothing to see here. Move along.

Specify the web session inactivity timeout.

sensor(config-web)# websession-inactivity-timeout 800

Turn on logging for web session inactivity timeouts.

sensor(config-web)# enable-websession-inactivity-timeout-logging true

Turn on TLS client ciphers restriction.

sensor(config-web)# tls-client-ciphers-restriction enable

Verify the web server changes.

sensor(config-web)# show settings

enable-tls: true default: true

port: 8080 default: 443

server-id: Nothing to see here. Move along. default: HTTP/1.1 compliant

configurable-service (min: 0, max: 99, current: 0)

-----------------------------------------------

websession-inactivity-timeout: 800 default: 3600

enable-websession-inactivity-timeout-logging: true default: false

tls-client-ciphers-restriction: enable default: enable

sensor(config-web)#

Step 10 To revert to the defaults, use the default form of the commands.

sensor(config-web)# default port

sensor(config-web)# default enable-tls

sensor(config-web)# default server-id

Step 11 Verify the defaults have been replaced.

sensor(config-web)# show settings

enable-tls: true <defaulted>

port: 443 <defaulted>

server-id: HTTP/1.1 compliant <defaulted>

configurable-service (min: 0, max: 99, current: 0)

-----------------------------------------------

websession-inactivity-timeout: 3600 <defaulted>

enable-websession-inactivity-timeout-logging: false <defaulted>

tls-client-ciphers-restriction: enable <defaulted>

sensor(config-web)#

Step 12 Exit web server submode.

sensor(config-web)# exit

Apply Changes:?[yes]:

Step 13 Press Enter to apply the changes or enter no to discard them.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-17

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Configuring Authentication and User Parameters

Note

If you change the port or enable TLS settings, you must reset the sensor to make the web server uses the

new settings.

For More Information

•

For the procedure for enabling SSHv1 fallback, see Enabling SSHv1 Fallback, page 3-13.

For the procedure for resetting the appliance, see Resetting the Appliance, page 17-44.

For the procedure for resetting the ASA 5500-X IPS SSP, see Reloading, Shutting Down, Resetting,

and Recovering the ASA 5500-X IPS SS P , p age 18-11.

•

For the procedure for resetting the ASA 5585-X IPS SSP, see Reloading, Shutting Down, Resetting,

and Recovering the ASA 5585-X IPS SS P , p age 19-11.

Configuring Authentication and User Parameters

The following section explains how to create users, configure RADIUS authentication, create the service

account, configure passwords, specify privilege level, view a list of users, configure password policy,

and lock and unlock user accounts. It contains the following topics:

•

Adding and Removing Users, page 3-18

Configuring Authentication, page 3-20

Configuring Packet Command Restriction, page 3-26

Creating the Service Account, page 3-28

The Service Account and RADIUS Authentication, page 3-29

RADIUS Authentication Functionality and Limitations, page 3-29

Configuring Passwords, page 3-29

Changing User Privilege Levels, page 3-30

Showing User Status, page 3-31

Configuring the Password Policy, page 3-32

Locking User Accounts, page 3-33

Unlocking User Accounts, page 3-34

Adding and Removing Users

Use the username command to create users on the local system. You can add a new user, set the privilege

level—administrator, operator, viewer—and set the password for the new user. Use the no form of this

command to remove a user from the system. This removes the user from CLI and web access.

Caution

The username command provides username and password authentication for login purposes only. You

cannot use this command to remove a user who is logged in to the system. You cannot use this command

to remove yourself from the system.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-18

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Configuring Authentication and User Parameters

If you do not specify a password, the system prompts you for one. Use the password command to change

the password for existing users. Use the privilege command to change the privilege for existing users.

The username follows the pattern ^[A-Za-z0-9()+:,_/-]+$, which means the username must start with a

letter or number, and can include any letter A to Z (capital or small), any number 0 to 9, - and _, and can

contain 1 to 64 characters. A valid password is 8 to 32 characters long. All characters except space are

allowed.

You receive the following error messages if you do not create a valid password:

•

Error: setEnableAuthenticationTokenStatus : The password is too short.

Error: setEnableAuthenticationTokenStatus : Failure setting the account’s password:

it does not contain enough DIFFERENT characters

Note

You cannot use the privilege command to give a user service privileges. If you want to give an existing

user service privileges, you must remove that user and then use the username command to create the

service account.

To add and remove users, follow these steps:

Step 1

Step 2

Enter configuration mode.

sensor# configure terminal

Step 3

Specify the parameters for the user.

sensor(config)# username username password password privilege

administrator/operator/viewer

For example, to add the user “tester” with a privilege level of administrator and the password

“testpassword,” enter the following command:

Note

If you do not want to see the password in clear text, wait for the password prompt. Do not enter

the password along with the username and privilege.

sensor(config)# username tester privilege administrator

Enter Login Password: ************

Re-enter Login Password: ************

sensor(config)#

Note

If you do not specify a privilege level for the user, the user is assigned the default viewer

privilege.

Step 4

Verify that the user has been added. A list of users is displayed.

sensor(config)# exit

sensor# show users all

CLI ID

13491

User

cisco

jsmith

jtaylor

jroberts

Privilege

administrator

operator

service

viewer

sensor#

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-19

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Configuring Authentication and User Parameters

Step 5

To remove a user, use the no form of the command.

sensor# configure terminal

sensor(config)# no username jsmith

Note

You cannot use this command to remove yourself from the system.

Step 6

Verify that the user has been removed. The user jsmithhas been removed.

sensor(config)# exit

sensor# show users all

CLI ID

13491

User

cisco

jtaylor

jroberts

Privilege

administrator

service

viewer

sensor#

For More Information

•

For the procedure for creating the service account, see Creating the Service Account, page 3-28.

For the procedure for configuring local or RADIUS authentication, see Configuring Authentication,

page 3-20.

Configuring Authentication

Caution

Make sure you have a RADIUS server already configured before you configure RADIUS authentication

on the sensor. IPS has been tested with CiscoSecure ACS 4.2 and 5.1 servers. Refer to your RADIUS

server documentation for information on how to set up a RADIUS server.

You can create and remove users from the local sensor. You can only modify one user account at a time.

Each user is associated with a role that controls what that user can and cannot modify. The requirements

that must be used for user passwords are set with the password command.

Users are authenticated through AAA either locally or through RADIUS servers. Local authentication

is enabled by default. You must configure RADIUS authentication before it is active.

You must specify the user role that is authenticated through RADIUS either by configuring the user role

on the RADIUS server or specifying a default user role. The username and password are sent in an

authentication request to the configured RADIUS server. The response of the server determines whether

the login is authenticated.

Note

If the sensor is not configured to use a default user role and the sensor user role information in not in the

Accept Message of the CiscoSecure ACS server, the sensor rejects RADIUS authentication even if the

CiscoSecure ACS server accepts the username and password.

You can configure a primary RADIUS server and a secondary RADIUS server. The secondary RADIUS

server authenticates and authorizes users if the primary RADIUS server is unresponsive.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-20

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Configuring Authentication and User Parameters

You can also configure the sensor to use local authentication (local fallback) if no RADIUS servers are

responding. In this case, the sensor authenticates against the locally configured user accounts. The

sensor will only use local authentication if the RADIUS servers are not available, not if the RADIUS

server rejects the authentication requests of the user. You can also configure how users connected

through the console port are authenticated—through local user accounts, through RADIUS first and if

that fails through local user accounts, or through RADIUS alone.

To configure a RADIUS server, you must have the IP address, port, and shared secret of the RADIUS

server. You must also either have the NAS-ID of the RADIUS server, or have the RADIUS server

configured to authenticate clients without a NAS-ID or with the default IPS NAS-ID of cisco-ips.

Note

Enabling RADIUS authentication on the sensor does not disconnect already established connections.

RADIUS authentication is only enforced for new connections to the sensor. Existing CLI, IDM, and IME

connections remain established with the login credentials used prior to configuring RADIUS

authentication. To force disconnection of these established connections, you must reset the sensor after

RADIUS is configured.

RADIUS Authentication Options

Use the aaa command in service aaa submode to configure either local authentication or authentication

using a RADIUS server.

The following options apply:

•

local—Lets you specify local authentication. To continue to create users, use the password

command.

•

radius—Lets you specify RADIUS as the method of authentication:

–

nas-id—Identifies the service requesting authentication. The value can be no nas-id, cisco-ips,

or a NAS-ID already configured on the RADIUS server. The default is cisco-ips.

–

default-user-role—Lets you assign a default user role on the sensor that is only applied when

there is NOT a Cisco av pair specifying the user role. The value can be unspecified, viewer,

operator, or administrator. Service cannot be the default user role. The default is unspecified.

If you do not want to configure a default user role on the sensor that is applied in the absence

of a Cisco av pair, you need to configure the Cisco IOS/PIX 6.x RADIUS Attributes [009\001]

cisco-av-pair under the group or user profile with one of the following options:

ips-role=viewer, ips-role=operator, ips-role=administrator, ips-role=service, or

ips-role=unspecified. The default is ips-role=unspecified.

Note

If the sensor is not configured to use a default user role and the sensor user role

information in not in the Accept Message of the CiscoSecure ACS server, the sensor

rejects RADIUS authentication even if the CiscoSecure ACS server accepts the

username and password.

Note

The default user role is used only when the user has not been configured with a specific

role on the ACS server. Local users are always configured with a specific role so the

default user role will never apply to locally authenticated users.

–

local-fallback {enabled | disabled}—Lets you default to local authentication if the RADIUS

servers are not responding. The default is enabled.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-21

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Configuring Authentication and User Parameters

•

primary-server—Lets you configure the main RADIUS server:

–

server-address—IP address of the RADIUS server.

server-port—Port of the RADIUS server. If not specified, the default RADIUS port is used.

timeout (seconds)—Specifies the number of seconds the sensor waits for a response from a

RADIUS server before it considers the server to be unresponsive.

–

shared-secret—The secret value configured on the RADIUS server. You must obtain the secret

value of the RADIUS server to enter with the shared-secret command.

Note

You must have the same secret value configured on both the RADIUS server and the IPS

sensor so that the server can authenticate the requests of the client and the client can

authenticate the responses of the server.

•

secondary-server {enabled | disabled}— (Optional) Lets you configure a secondary RADIUS

server:

–

server-address—IP address of the RADIUS server.

server-port—Port of the RADIUS server. If not specified, the default RADIUS port is used.

timeout (seconds)—Specifies the number of seconds the sensor waits for a response from a

RADIUS server before it considers the server to be unresponsive.

–

shared-secret—The secret value configured on the RADIUS server. You must obtain the secret

value of the RADIUS server to enter with the shared-secret command.

Note

You must have the same secret value configured on both the RADIUS server and the IPS

sensor so that the server can authenticate the requests of the client and the client can

authenticate the responses of the server.

•

console-authentication—Lets you choose how users connected through the console port are

authenticated:

–

local—Users connected through the console port are authenticated through local user accounts.

radius-and-local—Users connected through the console port are authenticated through

RADIUS first. If RADIUS fails, local authentication is attempted. This is the default.

–

radius—Users connected through the console port are authenticated by RADIUS. If you also

have local-fallback enabled, users can also be authenticated through the local user accounts.

Configuring Local or RADIUS Authentication

Caution

Make sure you have a RADIUS server already configured before you configure RADIUS authentication

on the sensor. IPS has been tested with CiscoSecure ACS 4.2 and 5.1 servers. Refer to your RADIUS

server documentation for information on how to set up a RADIUS server.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-22

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Configuring Authentication and User Parameters

Note

Enabling RADIUS authentication on the sensor does not disconnect already established connections.

RADIUS authentication is only enforced for new connections to the sensor. Existing CLI, IDM, and IME

connections remain established with the login credentials used prior to configuring RADIUS

authentication. To force disconnection of these established connections, you must reset the sensor after

RADIUS is configured.

To configure local or RADIUS AAA authentication on the sensor, follow these steps:

Step 1

Step 2

Enter configuration mode.

sensor# configure terminal

Step 3

Step 4

Enter AAA submode.

sensor(config)# service aaa

sensor(config-aaa)#

Configure local authentication. To continue to create users on the local system, enter yesto save your

configuration, and use the username command in configure terminal mode. To configure AAA RADIUS

authentication, go to Step 5.

sensor(config-aaa)# aaa local

sensor(config-aaa)# exit

Apply Changes?[yes]:yes

Step 5

Configure AAA RADIUS authentication:

a. Enter RADIUS authentication submode.

sensor(config-aaa)# aaa radius

sensor(config-aaa-rad)#

b. Enter the Network Access ID. The NAS-ID is an identifier that clients send to servers to

communicate the type of service they are attempting to authenticate. The value can be no nas-id,

cisco-ips, or a NAS-ID already configured on the RADIUS server. The default is cisco-ips.

sensor(config-aaa-rad)# nas-id cisco-ips

sensor(config-aaa-rad)#

c. (Optional) Configure a default user role if you are not configuring a Cisco av pair. You can configure

a default user role on the sensor that is only applied when there is NOT a Cisco av pair specifying

the user role. The values are unspecified, viewer, operator, or administrator. The default is

unspecified.

sensor(config-aaa-rad)# default-user-role operator

sensor(config-aaa-rad)#

Note

Service cannot be the default role.

d. Configure a Cisco av pair. If you do not want to configure a default user role on the sensor that is

applied in the absence of a Cisco av pair, you need to configure the Cisco IOS/PIX 6.x RADIUS

Attributes [009\001] cisco-av-pair under the group or user profile with one of the following options:

–

ips-role=viewer

ips-role=operator

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-23

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Configuring Authentication and User Parameters

–

ips-role=administrator

ips-role=service

Note

If the sensor is not configured to use a default user role and the sensor user role

information in not in the Accept Message of the CiscoSecure ACS server, the sensor

rejects RADIUS authentication even if the CiscoSecure ACS server accepts the

username and password.

Note

The default user role is used only when the user has not been configured with a specific

role on the ACS server. Local users are always configured with a specific role so the

default user role will never apply to locally authenticated users.

e. Configure the sensor to switch over to local authentication if the RADIUS server becomes

unresponsive.

sensor(config-aaa-rad)# local-fallback enabled

sensor(config-aaa-rad)#

Step 6

Configure the primary RADIUS server:

a. Enter primary server submode.

sensor(config-aaa-rad)# primary-server

sensor(config-aaa-rad-pri)#

b. Enter the RADIUS server IP address.

sensor(config-aaa-rad-pri)# server-address 10.1.2.3

sensor(config-aaa-rad-pri)#

c. Enter the RADIUS server port. If not specified, the default RADIUS port is used.

sensor(config-aaa-rad-pri)# server-port 1812

sensor(config-aaa-rad-pri)#

d. Enter the amount of time in seconds you want to wait for the RADIUS server to respond.

sensor(config-aaa-rad-pri)# time-out 5

sensor(config-aaa-rad-pri)#

e. Enter the secret value that you obtained from the RADIUS server. The shared secret is a piece of

data known only to the parties involved in a secure communication.

sensor(config-aaa-rad-pri)# shared-secret kkkk

sensor(config-aaa-rad-pri)#

Note

You must have the same secret value configured on both the RADIUS server and the IPS

sensor so that the server can authenticate the requests of the client and the client can

authenticate the responses of the server.

Step 7

(Optional) Enable a secondary RADIUS server to perform authentication in case the primary RADIUS

server is not responsive:

a. Enter secondary server submode.

sensor(config-aaa-rad)# secondary-server enabled

sensor(config-aaa-rad-sec)#

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-24

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Configuring Authentication and User Parameters

b. Enter the IP address of the second RADIUS server.

sensor(config-aaa-rad-sec)# server-address 10.4.5.6

sensor(config-aaa-rad-sec)#

c. Enter the RADIUS server port. If not specified, the default RADIUS port is used.

sensor(config-aaa-rad-sec)# server-port 1812

sensor(config-aaa-rad-sec)#

d. Enter the amount of time in seconds you want to wait for the RADIUS server to respond.

sensor(config-aaa-rad-sec)# time-out 8

sensor(config-aaa-rad-sec)#

e. Enter the secret value you obtained for this RADIUS server. The shared secret is a piece of data

known only to the parties involved in a secure communication.

sensor(config-aaa-rad-sec)# shared-secret yyyyy

sensor(config-aaa-rad-sec)#

Note

You must have the same secret value configured on both the RADIUS server and the IPS

sensor so that the server can authenticate the requests of the client and the client can

authenticate the responses of the server.

Step 8

Step 9

Specify the type of console authentication.

sensor(config-aaa-rad)# console-authentication radius-and-local

sensor(config-aaa-rad)#

You can choose local, local and RADIUS, or RADIUS.

Verify the settings:

sensor(config-aaa-rad)# show settings

radius

-----------------------------------------------

primary-server

-----------------------------------------------

server-address: 10.1.2.3

server-port: 1812 <defaulted>

shared-secret: kkkk

timeout: 3 <defaulted>

-----------------------------------------------

secondary-server

-----------------------------------------------

enabled

-----------------------------------------------

server-address: 10.4.5.6

server-port: 1816 default: 1812

shared-secret: yyyyy

timeout: 8 default: 3

-----------------------------------------------

nas-id: cisco-ips default: cisco-ips

local-fallback: enabled default: enabled

console-authentication: radius-and-local <defaulted>

default-user-role: operator default: unspecified

-----------------------------------------------

sensor(config-aaa-rad)#

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-25

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Configuring Authentication and User Parameters

Step 10 Exit AAA mode.

sensor(config-aaa-rad)# exit

sensor(config-aaa)# exit

Apply Changes:?[yes]:

Step 11 Press Enter to apply the changes or enter no to discard them.

For More Information

•

For the procedure for adding and removing users, see Adding and Removing Users, page 3-18.

For the procedure for configuring passwords, see Configuring Passwords, page 3-29.

For the procedure for specifying password requirements, see Configuring the Password Policy,

page 3-32.

•

For detailed information on RADIUS and the service account, see The Service Account and

RADIUS Authentication, page 3-29.

Configuring Packet Command Restriction

Use the permit-packet-logging command to restrict the use of packet capture-related

commands—packet capture/display and IP logging—for local and AAA RADIUS users. The default is

to permit packet capture/display and IP log commands. Local users with the correct permissions can use

the packet capture/display and IP log commands. AAA RADIUS users with the correct av-pair can use

the packet capture/display and IP log commands.

Note

IP log actions configured for signatures are not impacted by the packet command restriction feature.

When you modify the packet command restriction option, you receive the following warning:

Modified packet settings would take effect only for new sessions, existing sessions will

continue with previous settings.

The following options apply:

•

permit-packet-logging true—Allows users to execute packet-related commands based on privilege

level.

•

permit-packet-logging false—Restricts all users from executing any packet-related commands.

AAA RADIUS Users

AAA RADIUS users with the correct av-pair are authorized to execute packet capture/display and IP

logging commands. RADIUS users with no av-pair value are restricted. The correct av-pair,

permit-packet-logging=true, allows users to execute packet-related commands based on privilege

level. This av-pair is in addition to the authentication role related av-pair:

•

ips-role=viewer

ips-role=operator

ips-role=administrator

ips-role=service

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-26

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Configuring Authentication and User Parameters

Status Events

As part of the packet command restriction option, status events are triggered for the following actions:

•

When an administrator enables or disables the packet command restriction.

When an authorized user executes any of the restricted commands.

When an unauthorized user executes any of the restricted commands.

To permit or restrict packet command restrictions, follow these steps:

Step 1

Step 2

Enter authentication submode.

sensor# configure terminal

sensor(config)# service authentication

sensor(config-aut)#

Step 3

Allow AAA RADIUS users with the correct av-pair (permit-packet-logging=true) and local users with

the correct privilege levels to execute all packet capture/display and IP log commands.

sensor(config-aut)# permit-packet-logging true

Note

Existing CLI sessions are not affected by the changes made in restriction settings.

Step 4

Check your new setting.

sensor(config-aut)# show settings

attemptLimit: 0 <defaulted>

password-strength

-----------------------------------------------

size: 8-64 <defaulted>

digits-min: 0 <defaulted>

uppercase-min: 0 <defaulted>

lowercase-min: 0 <defaulted>

other-min: 0 <defaulted>

number-old-passwords: 0 <defaulted>

-----------------------------------------------

permit-packet-logging: true default: true

cli-inactivity-timeout: 0 <defaulted>

sensor(config-aut)#

Step 5

Step 6

Restrict all users from executing packet capture/display and IP log commands.

sensor(config-aut)# permit-packet-logging false

Check your new setting.

sensor(config-aut)# show settings

attemptLimit: 0 <defaulted>

password-strength

-----------------------------------------------

size: 8-64 <defaulted>

digits-min: 0 <defaulted>

uppercase-min: 0 <defaulted>

lowercase-min: 0 <defaulted>

other-min: 0 <defaulted>

number-old-passwords: 0 <defaulted>

-----------------------------------------------

permit-packet-logging: false default: true

cli-inactivity-timeout: 0 <defaulted>

sensor(config-aut)#

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-27

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Configuring Authentication and User Parameters

Step 7

Step 8

Exit authentication mode.

sensor(config-aut)# exit

Apply Changes:?[yes]:

Press Enter to apply the changes or enter no to discard them.

Creating the Service Account

You can create a service account for TAC to use during troubleshooting. Although more than one user

can have access to the sensor, only one user can have service privileges on a sensor. The service account

is for support purposes only.

The root user password is synchronized to the service account password when the service account is

created. To gain root access you must log in with the service account and switch to user root with the

su - root command.

Caution

Do not make modifications to the sensor through the service account except under the direction of TAC.

If you use the service account to configure the sensor, your configuration is not supported by TAC.

Adding services to the operating system through the service account affects proper performance and

functioning of the other IPS services. TAC does not support a sensor on which additional services have

been added.

Caution

You should carefully consider whether you want to create a service account. The service account

provides shell access to the system, which makes the system vulnerable. However, you can use the

service account to create a password if the administrator password is lost. Analyze your situation to

decide if you want a service account existing on the system.

Note

For IPS 5.0 and later, you can no longer remove the cisco account. You can disable it using the no

password cisco command, but you cannot remove it. To use the no password cisco command, there

must be another administrator account on the sensor. Removing the cisco account through the service

account is not supported. If you remove the cisco account through the service account, the sensor most

likely will not boot up, so to recover the sensor you must reinstall the sensor system image.

To create the service account, follow these steps:

Step 1

Step 2

Enter configuration mode.

sensor# configure terminal

Step 3

Specify the parameters for the service account. The username follows the pattern

^[A-Za-z0-9()+:,_/-]+$, which means the username must start with a letter or number, and can include

any letter A to Z (capital or small), any number 0 to 9, - and _, and can contain 1 to 64 characters.

sensor(config)# user username privilege service

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-28

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Configuring Authentication and User Parameters

Step 4

Step 5

Specify a password when prompted. A valid password is 8 to 32 characters long. All characters except

space are allowed. If a service account already exists for this sensor, the following error is displayed and

no service account is created.

Error: Only one service account may exist

Exit configuration mode.

sensor(config)# exit

sensor#

When you use the service account to log in to the CLI, you receive this warning.

************************ WARNING *******************************************************

UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. This account is intended to be

used for support and troubleshooting purposes only. Unauthorized modifications are not

supported and will require this device to be reimaged to guarantee proper operation.

****************************************************************************************

The Service Account and RADIUS Authentication

If you are using RADIUS authentication and want to create and use a service account, you must create

the service account both on your sensor and on the RADIUS server. You must use local authentication

to access the service account on the sensor. The service account must be created manually as a local

account on the sensor. Then when you configure RADIUS authentication, the service account must also

be configured manually on the RADIUS server with the accept message set to ip-role=service.

When you log in to the service account, you are authenticated against both the sensor account and the

RADIUS server account. By whatever method you use to access the service account—serial console

port, direct monitor/keyboard (for sensors that support it), or a network connection, such as SSH or

Telnet—you have to log in using local authentication.

RADIUS Authentication Functionality and Limitations

The current AAA RADIUS implementation has the following functionality and limitations:

•

Authentication with a RADIUS server—However, you cannot change the password of the RADIUS

server from the IPS.

Authorization—You can perform role-based authorization by specifying the IPS role of the user on

the RADIUS server.

Accounting—The login attempts of the user and the configuration changes are logged as events

locally on the IPS. However, these account messages are not communicated to the RADIUS server.

Configuring Passwords

Use the password command to update the password on the local sensor. You can also use this command

to change the password for an existing user or to reset the password for a locked account. A valid

password is 8 to 32 characters long. All characters except space are allowed.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-29

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Configuring Authentication and User Parameters

To change the password, follow these steps:

Step 1

To change the password for another user or reset the password for a locked account, follow these steps:

a. Log in to the CLI using an account with administrator privileges.

b. Enter configuration mode.

sensor# configure terminal

c. Change the password for a specific user. This example modifies the password for the user “tester.”

sensor(config)# password tester

Enter New Login Password: ******

Re-enter New Login Password: ******

Step 2

To change your password, follow these steps:

a. Log in to the CLI.

b. Enter configuration mode.

sensor# configure terminal

c. Change your password.

sensor(config)# password

Enter Old Login Password:************

Enter New Login Password: ************

Re-enter New Login Password: ************

For More Information

For the procedures for recovering sensor passwords, see Recovering the Password, page 17-2.

Changing User Privilege Levels

Note

You cannot use the privilege command to give a user service privileges. If you want to give an existing

user service privileges, you must remove that user and then use the username command to create the

service account. There can only be one person with service privileges.

Use the privilege command to change the privilege level—administrator, operator, viewer—for a user.

To change the privilege level for a user, follow these steps:

Step 1

Step 2

Verify the current privilege of the user jsmith.

sensor# show users all

CLI ID

13491

User

cisco

jsmith

operator

service

viewer

Privilege

administrator

viewer

operator

service

viewer

sensor#

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-30

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Configuring Authentication and User Parameters

Step 3

Step 4

Change the privilege level from viewer to operator.

sensor# configure terminal

sensor(config)# privilege user jsmith operator

Warning: The privilege change does not apply to current CLI sessions. It will be applied

to subsequent logins.

sensor(config)#

Verify that the privilege of the user has been changed. The privilege of the user jsmithhas been changed

from viewer to operator.

sensor(config)# exit

sensor# show users all

CLI ID

13491

User

cisco

jsmith

operator

service

viewer

Privilege

administrator

operator

service

viewer

sensor#

Step 5

Display your current level of privilege.

sensor# show privilege

Current privilege level is administrator

For More Information

For the procedure for creating the service account, see Creating the Service Account, page 3-28.

Showing User Status

Note

All IPS platforms allow ten concurrent log in sessions.

Use the show users command to view information about the username and privilege of all users logged

in to the sensor, and all user accounts on the sensor regardless of login status. An asterisk (*) indicates

the current user. If an account is locked, the username is surrounded by parentheses. A locked account

means that the user failed to enter the correct password after the configured attempts.

To show user information, follow these steps:

Step 1

Step 2

Verify the users logged in to the sensor.

sensor# show users

CLI ID

13491

User

cisco

Privilege

administrator

sensor#

Step 3

Verify all users. The account of the user jsmith is locked.

sensor# show users all

CLI ID

13491

5824

User

cisco

(jsmith)

Privilege

administrator

viewer

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-31

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Configuring Authentication and User Parameters

9802

sensor#

tester

operator

Step 4

To unlock the account of jsmith, reset the password.

sensor# configure terminal

sensor(config)# password jsmith

Enter New Login Password: ******

Re-enter New Login Password: ******

Configuring the Password Policy

As sensor administrator, you can configure how passwords are created. All user-created passwords must

conform to the policy that you set up. You can set login attempts and the size and minimum characters

requirements for a password. The minimum password length is eight characters. If you forget your

password, there are various ways to recover the password depending on your sensor platform.

Caution

If the password policy includes minimum numbers of character sets, such as upper case or number

characters, the sum of the minimum number of required character sets cannot exceed the minimum

password size. For example, you cannot set a minimum password size of eight and also require that

passwords must contain at least five lowercase and five uppercase characters.

Example

For example, you can set a policy where passwords must have at least 10 characters and no more than

40, and must have a minimum of 2 upper case and 2 numeric characters. Once that policy is set, every

password configured for each user account must conform to this password policy.

To set up a password policy, follow these steps:

Step 1

Step 2

Enter password strength authentication submode.

sensor# configure terminal

sensor(config)# service authentication

sensor(config-aut)# password-strength

Step 3

Step 4

Set the minimum number of numeric digits that must be in a password. The range is 0 to 64.

sensor(config-aut-pas)# digits-min 6

Set the minimum number of nonalphanumeric printable characters that must be in a password. The range

is 0 to 64.

sensor(config-aut-pas)# other-min 3

Step 5

Step 6

Set the minimum number of uppercase alphabet characters that must be in a password. The range is 0 to

64.

sensor(config-aut-pas)# uppercase-min 3

Set the minimum number of lower-case alphabet characters that must be in a password.

sensor(config-aut-pas)# lowercase-min 3

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-32

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Configuring Authentication and User Parameters

Step 7

Step 8

Set the number of old passwords to remember for each account. A new password cannot match any of

the old passwords of an account.

sensor(config-aut-pas)# number-old-passwords 3

Check your new setting.

sensor(config-aut-pas)# show settings

password-strength

-----------------------------------------------

size: 8-64 <defaulted>

digits-min: 6 default: 0

uppercase-min: 3 default: 0

lowercase-min: 3 default: 0

other-min: 3 default: 0

number-old-passwords: 3 default: 0

-----------------------------------------------

sensor(config-aut-pas)#

For More Information

For the procedures for recovering sensor passwords, see Recovering the Password, page 17-2.

Locking User Accounts

Use the attemptLimit number command in authentication submode to lock accounts so that users cannot

keep trying to log in after a certain number of failed attempts. The default is 0, which indicates unlimited

authentication attempts. For security purposes, you should change this number.

To configure account locking, follow these steps:

Step 1

Step 2

Enter service authentication submode.

sensor# configure terminal

sensor(config)# service authentication

Step 3

Step 4

Set the number of attempts users will have to log in to accounts.

sensor(config-aut)# attemptLimit 3

Check your new setting.

sensor(config-aut)# show settings

attemptLimit: 3 defaulted: 0

sensor(config-aut)#

Step 5

Step 6

Set the value back to the system default setting.

sensor(config-aut)# default attemptLimit

Check that the setting has returned to the default.

sensor(config-aut)# show settings

attemptLimit: 0 <defaulted>

sensor(config-aut)#

Step 7

Check to see if any users have locked accounts. The account of the user jsmithis locked as indicated by

the parentheses.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-33

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Configuring Authentication and User Parameters

Note

When you apply a configuration that contains a non-zero value for attemptLimit, a change is

made in the SSH server that may subsequently impact your ability to connect with the sensor.

When attemptLimit is non-zero, the SSH server requires the client to support challenge-response

authentication. If you experience problems after your SSH client connects but before it prompts

for a password, you need to enable challenge-response authentication. Refer to the

documentation for your SSH client for instructions.

sensor(config-aut)# exit

sensor(config)# exit

sensor# show users all

CLI ID

1349

5824

User

cisco

(jsmith)

tester

Privilege

administrator

viewer

9802

operator

Step 8

To unlock the account of jsmith, reset the password.

sensor# configure terminal

sensor(config)# password jsmith

Enter New Login Password: ******

Re-enter New Login Password: ******

For More Information

For the procedure for unlocking the user accounts, see Unlocking User Accounts, page 3-34.

Unlocking User Accounts

Use the unlock user username command in global configuration mode to unlock accounts for users who

have been locked out after a specified number of failed attempts.

To configure account unlocking, follow these steps:

Step 1

Step 2

Check to see if any users have locked accounts. The account of the user jsmith is locked as indicated by

the parentheses.

sensor# show users all

CLI ID

1349

5824

User

cisco

(jsmith)

tester

Privilege

administrator

viewer

9802

operator

Step 3

Step 4

Enter global configuration mode.

sensor# configure terminal

sensor(config)#

Unlock the account.

sensor(config)# unlock user jsmith

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-34

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Configuring Time

Step 5

Check your new setting. The account of the user jsmith is now unlocked as indicated by the lack of

parenthesis.

sensor# show users all

CLI ID

1349

5824

User

Privilege

administrator

viewer

cisco

jsmith

tester

9802

operator

For More Information

For the procedure for locking the user accounts, see Locking User Accounts, page 3-33.

Configuring Time

This section describes the importance of having a reliable time source for the sensor. It contains the

following topics:

•

Time Sources and the Sensor, page 3-35

Synchronizing IPS Module System Clocks with the Parent Device System Clock, page 3-36

Correcting Time on the Sensor, page 3-36

Configuring Time on the Sensor, page 3-36

Configuring NT P , p age 3-42

Time Sources and the Sensor

Note

We recommend that you use an NTP server to regulate time on your sensor. You can use authenticated

or unauthenticated NTP. For authenticated NTP, you must obtain the NTP server IP address, NTP server

key ID, and the key value from the NTP server. You can set up NTP during initialization or you can

configure NTP through the CLI, IDM, IME, or ASDM.

The sensor requires a reliable time source. All events (alerts) must have the correct UTC and local time

stamp, otherwise, you cannot correctly analyze the logs after an attack. When you initialize the sensor,

you set up the time zones and summertime settings. This section provides a summary of the various ways

to set the time on sensors.

The IPS Standalone Appliances

•

Use the clock set command to set the time. This is the default.

Configure the appliance to get its time from an NTP time synchronization source.

Note

The currently supported Cisco IPS appliances are the IPS 4345, IPS 4360, IPS 4510, and

IPS 4520.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-35

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Configuring Time

The ASA IPS Modules

•

The ASA 5500-X IPS SSP and ASA 5585-X IPS SSP automatically synchronize their clocks with

the clock in the adaptive security appliance in which they are installed. This is the default.

•

Configure them to get their time from an NTP time synchronization source, such as a Cisco router

other than the parent router.

Synchronizing IPS Module System Clocks with the Parent Device System Clock

The ASAIPS modules (ASA 5500 AIP SSM, ASA 5500-X IPS SSP, ASA 5585-X IPS SSP) synchronize

their clocks to the parent chassis clock (switch, router, or adaptive security appliance) each time the IPS

boots up and any time the parent chassis clock is set. The IPS clock and parent chassis clock tend to drift

apart over time. The difference can be as much as several seconds per day. To avoid this problem, make

sure that both the IPS clock and the parent clock are synchronized to an external NTP server. If only the

IPS clock or only the parent chassis clock is synchronized to an NTP server, the time drift occurs.

Correcting Time on the Sensor

If you set the time incorrectly, your stored events will have the incorrect time because they are stamped

with the time the event was created. The Event Store time stamp is always based on UTC time. If during

the original sensor setup, you set the time incorrectly by specifying 8:00 p.m. rather than 8:00 a.m.,

when you do correct the error, the corrected time will be set backwards. New events might have times

older than old events.

For example, if during the initial setup, you configure the sensor as central time with daylight saving

time enabled and the local time is 8:04 p.m., the time is displayed as 20:04:37 CDT and has an offset

from UTC of -5 hours (01:04:37 UTC, the next day). A week later at 9:00 a.m., you discover the error:

the clock shows 21:00:23 CDT. You then change the time to 9:00 a.m. and now the clock shows

09:01:33 CDT. Because the offset from UTC has not changed, it requires that the UTC time now be

14:01:33 UTC, which creates the time stamp problem.

To ensure the integrity of the time stamp on the event records, you must clear the event archive of the

older events by using the clear events command.

Note

You cannot remove individual events.

Configuring Time on the Sensor

This section describes how to configure time on the sensor so that your events are time-stamped

correctly. It contains the following topics:

•

Displaying the System Clock, page 3-37

Manually Setting the System Clock, page 3-37

Configuring Recurring Summertime Settings, page 3-38

Configuring Nonrecurring Summertime Settings, page 3-40

Configuring Time Zones Settings, page 3-42

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-36

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Configuring Time

Displaying the System Clock

Use the show clock [detail] command to display the system clock. You can use the detail option to

indicate the clock source (NTP or system) and the current summertime setting (if any). The system clock

keeps an authoritative flag that indicates whether the time is authoritative (believed to be accurate). If

the system clock has been set by a timing source, such as NTP, the flag is set.

Table 3-1 lists the system clock flags.

Table 3-1

System Clock Flags

Symbol

Description

Time is not authoritative.

Time is authoritative.

(blank)

Time is authoritative, but NTP is not synchronized.

To display the system clock, follow these steps:

Step 1

Step 2

Display the system clock.

sensor# show clock

*19:04:52 UTC Thu Apr 03 2008

Step 3

Display the system clock with details. The following example indicates that the sensor is getting its time

from NTP and that is configured and synchronized.

sensor# show clock detail

20:09:43 UTC Thu Apr 03 2011

Time source is NTP

Summer time starts 03:00:00 UTC Sun Mar 09 2011

Summer time stops 01:00:00 UTC Sun Nov 02 2011

Step 4

Display the system clock with details. The following example indicates that no time source is configured.

sensor# show clock detail

*20:09:43 UTC Thu Apr 03 2011

No time source

Summer time starts 03:00:00 UTC Sun Mar 09 2011

Summer time stops 01:00:00 UTC Sun Nov 02 2011

Manually Setting the System Clock

Note

You do not need to set the system clock if your sensor is synchronized by a valid outside timing

mechanism such as an NTP clock source.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-37

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Configuring Time

Use the clock set hh:mm [:ss] month day year command to manually set the clock on the appliance. Use

this command if no other time sources are available. The clock set command does not apply to the

following platforms, because they get their time from the adaptive security appliance in which they are

installed:

•

ASA 5500-X IPS SSP

ASA 5585-X IPS SSP

To manually set the clock on the appliance, follow these steps:

Step 1

Step 2

Set the clock manually.

sensor# clock set 13:21 Mar 29 2011

Note

The time format is 24-hour time.

Configuring Recurring Summertime Settings

Note

Summertime is a term for daylight saving time.

Use the summertime-option recurring command to configure the sensor to switch to summertime

settings on a recurring basis. The default is recurring.

To configure the sensor to switch to summertime settings on a recurring basis, follow these steps:

Step 1

Step 2

Enter summertime recurring submode.

sensor# configure terminal

sensor(config)# service host

sensor(config-hos)# summertime-option recurring

Step 3

Step 4

Enter start summertime submode.

sensor(config-hos-rec)# start-summertime

Configure the start summertime parameters:

a. Enter the day of the week you want to start summertime settings.

sensor(config-hos-rec-sta)# day-of-week monday

b. Enter the month you want to start summertime settings.

sensor(config-hos-rec-sta)# month april

c. Enter the time of day you want to start summertime settings. The format is hh:mm:ss.

sensor(config-hos-rec-sta)# time-of-day 12:00:00

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-38

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Configuring Time

d. Enter the week of the month you want to start summertime settings. The values are first through

fifth, or last.

sensor(config-hos-rec-sta)# week-of-month first

e. Verify your settings.

sensor(config-hos-rec-sta)# show settings

start-summertime

-----------------------------------------------

month: april default: april

week-of-month: first default: first

day-of-week: monday default: sunday

time-of-day: 12:00:00 default: 02:00:00

-----------------------------------------------

sensor(config-hos-rec-sta)#

Step 5

Step 6

Enter end summertime submode.

sensor(config-hos-rec-sta)# exit

sensor(config-hos-rec)# end-summertime

Configure the end summertime parameters:

a. Enter the day of the week you want to end summertime settings.

sensor(config-hos-rec-end)# day-of-week friday

b. Enter the month you want to end summertime settings.

sensor(config-hos-rec-end)# month october

c. Enter the time of day you want to end summertime settings. The format is hh:mm:ss.

sensor(config-hos-rec-end)# time-of-day 05:15:00

d. Enter the week of the month you want to end summertime settings. The values are first through fifth,

or last.

sensor(config-hos-rec-end)# week-of-month last

e. Verify your settings.

sensor(config-hos-rec-end)# show settings

end-summertime

-----------------------------------------------

month: october default: october

week-of-month: last default: last

day-of-week: friday default: sunday

time-of-day: 05:15:00 default: 02:00:00

-----------------------------------------------

sensor(config-hos-rec-end)#

Step 7

Specify the local time zone used during summertime.

sensor(config-hos-rec-end)# exit

sensor(config-hos-rec)# summertime-zone-name CDT

Step 8

Step 9

Specify the offset.

sensor(config-hos-rec)# offset 60

Verify your settings.

sensor(config-hos-rec)# show settings

recurring

-----------------------------------------------

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-39

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Configuring Time

offset: 60 minutes default: 60

summertime-zone-name: CDT

start-summertime

-----------------------------------------------

month: april default: april

week-of-month: first default: first

day-of-week: monday default: sunday

time-of-day: 12:00:00 default: 02:00:00

-----------------------------------------------

end-summertime

-----------------------------------------------

month: october default: october

week-of-month: last default: last

day-of-week: friday default: sunday

time-of-day: 05:15:00 default: 02:00:00

-----------------------------------------------

Step 10 Exit recurring summertime submode.

sensor(config-hos-rec)# exit

sensor(config-hos)# exit

Apply Changes:?[yes]:

Step 11 Press Enter to apply the changes or enter no to discard them.

Configuring Nonrecurring Summertime Settings

Note

Summertime is a term for daylight saving time.

Use the summertime-option non-recurring command to configure the sensor to switch to summer time

settings on a one-time basis. The default is recurring.

To configure the sensor to switch to summertime settings on a one-time basis, follow these steps:

Step 1

Step 2

Enter summertime non-recurring submode.

sensor# configure terminal

sensor(config)# service host

sensor(config-hos)# summertime-option non-recurring

Step 3

Step 4

Enter start summertime submode.

sensor(config-hos-non)# start-summertime

Configure the start summertime parameters:

a. Enter the date you want to start summertime settings. The format is yyyy-mm-dd.

sensor(config-hos-non-sta)# date 2004-05-15

b. Enter the time you want to start summertime settings. The format is hh:mm:ss.

sensor(config-hos-non-sta)# time 12:00:00

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-40

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Configuring Time

c. Verify your settings.

sensor(config-hos-non-sta)# show settings

start-summertime

-----------------------------------------------

date: 2004-05-15

time: 12:00:00

-----------------------------------------------

sensor(config-hos-non-sta)#

Step 5

Step 6

Enter end summertime submode.

sensor(config-hos-non-sta)# exit

sensor(config-hos-non)# end-summertime

Configure the end summertime parameters:

a. Enter the date you want to end summertime settings. The format is yyyy-mm-dd.

sensor(config-hos-non-end)# date 2004-10-31

b. Enter the time you want to end summertime settings. The format is hh:mm:ss.

sensor(config-hos-non-end)# time 12:00:00

c. Verify your settings.

sensor(config-hos-non-end)# show settings

end-summertime

-----------------------------------------------

date: 2004-10-31

time: 12:00:00

-----------------------------------------------

sensor(config-hos-non-end)#

Step 7

Specify the local time zone used during summertime.

sensor(config-hos-non-end)# exit

sensor(config-hos-non)# summertime-zone-name CDT

Step 8

Step 9

Specify the offset.

sensor(config-hos-non)# offset 60

Verify your settings.

sensor(config-hos-non)# show settings

non-recurring

-----------------------------------------------

offset: 60 minutes default: 60

summertime-zone-name: CDT

start-summertime

-----------------------------------------------

date: 2004-05-15

time: 12:00:00

-----------------------------------------------

end-summertime

-----------------------------------------------

date: 2004-10-31

time: 12:00:00

-----------------------------------------------

sensor(config-hos-non)#

Step 10 Exit non-recurring summertime submode.

sensor(config-hos-non)# exit

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-41

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Configuring Time

sensor(config-hos)# exit

Apply Changes:?[yes]:

Step 11 Press Enter to apply the changes or enter no to discard them.

Configuring Time Zones Settings

Use the time-zone-settings command to configure the time zone settings on the sensor, such as the time

zone name the sensor displays whenever summertime settings are not in effect and the offset.

To configure the time zone settings on the sensor, follow these steps:

Step 1

Step 2

Enter time zone settings submode.

sensor# configure terminal

sensor(config)# service host

sensor(config-hos)# time-zone-settings

Step 3

Step 4

Step 5

Configure the time zone name that is displayed whenever summertime settings are not in effect. The

default is UTC.

sensor(config-hos-tim)# standard-time-zone-name CST

Configure the offset in minutes. The offset is the number of minutes you add to UTC to get the local

time. The default is 0.

sensor(config-hos-tim)# offset -360

Verify your settings.

sensor(config-hos-tim)# show settings

time-zone-settings

-----------------------------------------------

offset: -360 minutes default: 0

standard-time-zone-name: CST default: UTC

-----------------------------------------------

sensor(config-hos-tim)#

Step 6

Step 7

Exit time zone settings submode.

sensor(config-hos-tim)# exit

sensor(config-hos)# exit

Apply Changes:?[yes]:

Press Enter to apply the changes or enter no to discard them.

Configuring NTP

This section describes how to configure a Cisco router to be an NTP server and how to configure the

sensor to use an NTP server as its time source. It contains the following topics:

•

Configuring a Cisco Router to be an NTP Server, page 3-43

Configuring the Sensor to Use an NTP Time Source, page 3-44

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-42

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Configuring Time

Configuring a Cisco Router to be an NTP Server

The sensor requires an authenticated connection with an NTP server if it is going to use the NTP server

as its time source. The sensor supports only the MD5 hash algorithm for key encryption. Use the

following procedure to activate a Cisco router to act as an NTP server and use its internal clock as the

time source.

Caution

Note

The sensor NTP capability is designed to be compatible with Cisco routers acting as NTP servers. The

sensor may work with other NTP servers, but is not tested or supported.

Remember the NTP server key ID and key values. You need them along with the NTP server IP address

when you configure the sensor to use the NTP server as its time source.

To set up a Cisco router to act as an NTP server, follow these steps:

Step 1

Step 2

Enter configuration mode.

router# configure terminal

Step 3

Create the key ID and key value. The key ID can be a number between 1 and 65535. The key value is

text (numeric or character). It is encrypted later.

router(config)# ntp authentication-key key_ID md5 key_value

Example

router(config)# ntp authentication-key 100 md5 attack

Note

The sensor only supports MD5 keys.

Keys may already exist on the router. Use the show running configuration command to check

for other keys. You can use those values for the trusted key in Step 4.

Step 4

Step 5

Designate the key you just created in Step 3 as the trusted key (or use an existing key). The trusted key

ID is the same number as the key ID in Step 3.

router(config)# ntp trusted-key key_ID

Example

router(config)# ntp trusted-key 100

Specify the interface on the router with which the sensor will communicate.

router(config)# ntp source interface_name

Example

router(config)# ntp source FastEthernet 1/0

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-43

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Configuring Time

Step 6

Specify the NTP master stratum number to be assigned to the sensor. The NTP master stratum number

identifies the relative position of the server in the NTP hierarchy. You can choose a number between 1

and 15. It is not important to the sensor which number you choose.

router(config)# ntp master stratum_number

Example

router(config)# ntp master 6

Configuring the Sensor to Use an NTP Time Source

The sensor requires a consistent time source. We recommend that you use an NTP server. Use the

following procedure to configure the sensor to use the NTP server as its time source. You can use

authenticated or unauthenticated NTP.

Note

For authenticated NTP, you must obtain the NTP server IP address, NTP server key ID, and the key value

from the NTP server.

Caution

The sensor NTP capability is designed to be compatible with Cisco routers acting as NTP servers. The

sensor may work with other NTP servers, but is not tested or supported.

To configure the sensor to use an NTP server as its time source, follow these steps:

Step 1

Step 2

Enter configuration mode.

sensor# configure terminal

Step 3

Step 4

Enter service host mode.

sensor(config)# service host

Configure unauthenticated NTP:

a. Enter NTP configuration mode.

sensor(config-hos)# ntp-option enabled-ntp-unauthenticated

b. Specify the NTP server IP address.

sensor(config-hos-ena)# ntp-server ip_address

c. Verify the unauthenticated NTP settings.

sensor(config-hos-ena)# show settings

enabled-ntp-unauthenticated

-----------------------------------------------

ntp-server: 10.89.147.45

-----------------------------------------------

sensor(config-hos-ena)#

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-44

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Configuring SSH

Step 5

Configure authenticated NTP:

a. Enter NTP configuration mode.

sensor(config-hos)# ntp-option enable

b. Specify the NTP server IP address and key ID. The key ID is a number between 1 and 65535. This

is the key ID that you already set up on the NTP server.

sensor(config-hos-ena)# ntp-servers ip_address key-id key_ID

Example

sensor(config-hos-ena)# ntp-servers 10.16.0.0 key-id 100

c. Specify the key value NTP server. The key value is text (numeric or character). This is the key value

that you already set up on the NTP server.

sensor(config-hos-ena)# ntp-keys key_ID md5-key key_value

Example

sensor(config-hos-ena)# ntp-keys 100 md5-key attack

d. Verify the NTP settings.

sensor(config-hos-ena)# show settings

enabled

-----------------------------------------------

ntp-keys (min: 1, max: 1, current: 1)

-----------------------------------------------

key-id: 100

-----------------------------------------------

md5-key: attack

-----------------------------------------------

ntp-servers (min: 1, max: 1, current: 1)

-----------------------------------------------

ip-address: 10.16.0.0

key-id: 100

-----------------------------------------------

sensor(config-hos-ena)#

Step 6

Step 7

Exit NTP configuration mode.

sensor(config-hos-ena)# exit

sensor(config-hos)# exit

Apply Changes:?[yes]

Press Enter to apply the changes or enter no to discard them.

Configuring SSH

This section describes SSH on the sensor, and contains the following topics:

•

Understanding SSH, page 3-46

Adding Hosts to the SSH Known Hosts List, page 3-46

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-45

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Configuring SSH

•

Adding Authorized RSA1 and RSA2 Keys, page 3-48

Generating the RSA Server Host Key, page 3-49

Understanding SSH

SSH provides strong authentication and secure communications over channels that are not secure. SSH

encrypts your connection to the sensor and provides a key so you can validate that you are connecting

to the correct sensor. SSH also provides authenticated and encrypted access to other devices that the

sensor connects to for blocking. The IPS supports managing both SSHv1 and SSHv2. The default is

SSHv2, but you can configure the sensor to fallback to SSHv1 if the peer client/server does not support

SSHv2.

SSH authenticates the hosts or networks using one or both of the following:

•

Password

User RSA public key

Note

SSH never sends passwords in clear text.

SSH protects against the following:

•

IP spoofing—A remote host sends out packets pretending to come from another trusted host.

Note

SSH even protects against a spoofer on the local network who can pretend he is your router

to the outside.

•

IP source routing—A host pretends an IP packet comes from another trusted host.

DNS spoofing—An attacker forges name server records.

Interception of clear text passwords and other data by intermediate hosts.

Manipulation of data by those in control of intermediate hosts.

Attacks based on listening to X authentication data and spoofed connection to the X11 server.

Adding Hosts to the SSH Known Hosts List

You must add hosts to the SSH known hosts list so that the sensor can recognize the hosts that it can

communicate with through SSH. These hosts are SSH servers that the sensor needs to connect to for

upgrades and file copying, and other hosts, such as Cisco routers, firewalls, and switches that the sensor

will connect to for blocking.

For SSHv1, use the ssh host-key ip-address rsa1-key [key-modulus-length public-exponent

public-modulus] command to add an entry to the known hosts list. If you do not know the values for the

modulus, exponent, and length, the system displays the bubble babble for the requested IP address. You

can then choose to add the key to the list. To modify a key for an IP address, the entry must be removed

and recreated. Use the no form of the command to remove the entry.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-46

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Configuring SSH

Caution

When you use the ssh host-key command, the SSH server at the specified IP address is contacted to

obtain the required key over the network. The specified host must be accessible at the moment the

command is issued. If the host is unreachable, you must use the full form of the command, ssh host-key

ip-address rsa1-key [key-modulus-length public-exponent public-modulus], to confirm the fingerprint

of the key displayed to protect yourself from accepting the key of an attacker.

For SSHv2, use the ssh host-key ip-address rsa-key key command to add an entry to the known hosts

list.

The following options apply:

•

ip address—Specifies the IP address to add to the system.

rsa-key—Specifies the RSA (SSHv2) key details.

–

key—Specifies the Base64 encoded public key.

•

rsa1-key—Specifies the RSA1 (SSHv1) key details:

–

key-modulus-length—Specifies an ASCCI decimal integer in the range[511, 2048].

public-exponent—Specifies an ASCII decimal integer in the range [3, 2^32].

public-modulus—Specifies an ASCII decimal integer, x, such that (2^(key-modulus-length-1))

< x < (2^(key-modulus-length)).

To add a host to the SSH known hosts list, follow these steps:

Step 1

Step 2

Enter configuration mode.

sensor# configure terminal

Step 3

Add an entry to the known hosts list.

sensor(config)# ssh host-key 10.16.0.0

Bubble Babble is xucis-hehon-kizog-nedeg-zunom-kolyn-syzec-zasyk-symuf-rykum-sexyx

Would you like to add this to the known hosts table for this host?[yes]

The Bubble Babble appears. You are prompted to add it to the known hosts list.

If the host is not accessible when the command is issued, this message appears.

Error: getHostSshKey : Failed to fetch RSA key

Step 4

Step 5

Enter yes to have the fingerprint added to the known hosts list.

Verify that the host was added.

sensor(config)# exit

sensor# show ssh host-keys

10.89.146.110

Step 6

View the key for a specific IP address.

sensor# show ssh host-keys 10.16.0.0

1024 35

139306213541835240385332922253968814685684523520064131997839905113640120217816869696708721

704631322844292073851730565044879082670677554157937058485203995572114631296604552161309712

601068614812749969593513740598331393154884988302302182922353335152653860589163651944997842

874583627883277460138506084043415861927

Bubble Babble: xebiz-vykyk-fekuh-rukuh-cabaz-paret-gosym-serum-korus-fypop-huxyx

sensor#

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-47

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Configuring SSH

Step 7

Step 8

Remove an entry. The host is removed from the SSH known hosts list.

sensor(config)# no ssh host-key 10.16.0.0

Verify the host was removed. The IP address no longer appears in the list.

sensor(config)# exit

sensor# show ssh host-keys

Adding Authorized RSA1 and RSA2 Keys

Use the ssh authorized-key command to define public keys for a client allowed to use RSA1 or RSA2

authentication to log in to the local SSH server. The default is RSA2. You can configure the sensor to

fall back to RSA1. To modify an authorized key, you must remove and recreate the entry. Use the no

form of the command to remove the entry. Users can only create and remove their own keys.

The following options apply:

•

id—Specifies a 1 to 256-character string that uniquely identifies the authorized key. You can use

numbers, “_,” and “-,” but spaces and “?” are not accepted.

•

rsa-pubkey—Specifies the RSA (SSHv2) key details.

–

pubkey—Specifies the Base64 encoded public key.

•

rsa1-pubkey—Specifies the RSA1 (SSHv1) key details:

–

key-modulus-length—Specifies an ASCCI decimal integer in the range[511, 2048].

public-exponent—Specifies an ASCII decimal integer in the range [3, 2^32].

public-modulus—Specifies an ASCII decimal integer, x, such that (2^(key-modulus-length-1))

< x < (2^(key-modulus-length)).

Each user who can log in to the sensor has a list of authorized public keys. An SSH client with access to

any of the corresponding RSA private keys can log in to the sensor as the user without entering a

password.

For SSHv1, use an RSA key generation tool on the client where the private key is going to reside. Then,

display the generated public key as a set of three numbers (modulus length, public exponent, public

modulus) and enter those numbers as parameters for the ssh authorized-key command. For SSHv2, you

just need the ID and the public key.

Note

You configure your own list of SSH authorized keys. An administrator cannot manage the list of SSH

authorized keys for other users on the sensor.

An SSH authorized key provides better security than passwords if the private key is adequately

safeguarded. The best practice is to create the private key on the same host where it will be used and

store it with a pass phrase on a local file system. To minimize password or pass phrase prompts, use a

key agent.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-48

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Configuring SSH

To add a key entry to the SSHv1 or SSHv2 authorized keys list for the current user, follow these steps:

Step 1

Step 2

Add a key to the authorized keys list for the current user.

Note

You recieve an error message if you try to add a key less than the 2048-bit key size and if the

measured key length and input key length do not match.

For SSHv1:

sensor# configure terminal

sensor(config)# ssh authorized-key mhs rsa1-pubkey 512 34 8777777777777

sensor(config)#

For SSHv2:

sensor# configure terminal

sensor(config)# ssh authorized-key phs rsa-pubkey AAAAAAAAAAslkfjslkfjsjfs

Step 3

Step 4

Enter yesto add the key to the authorized key list.

Verify that the key was added.

sensor(config)# exit

sensor# show ssh authorized-keys

mhs

phs

sensor#

Step 5

View the key for a specific ID.

sensor# show ssh authorized-keys mhs

512 34 8777777777777

sensor#

Step 6

Step 7

Step 8

Remove an entry from the list of SSH authorized keys.

sensor# configure terminal

sensor(config)# no ssh authorized-key mhs rsa1-key

Verify the entry was removed.

sensor(config)# exit

sensor# show ssh authorized-keys

If you enter the former ID, you receive an error message.

sensor# show ssh authorized-keys mhs

Error: Requested id does not exist for the current user.

sensor#

Generating the RSA Server Host Key

The server uses the SSHv1 or SSHv2 host key to prove its identity. Clients know they have contacted the

correct server when they see a known key. The sensor generates an SSHv1 or SSHv2 host key the first

time it starts up.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-49

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Configuring SSH

Use the ssh generate-key command to change the SSH server host key. The displayed fingerprint

matches the one displayed in the remote SSH client in future connections with this sensor if the remote

client is using SSH.

Note

The sensor only supports RSA keys. Peers that communicate with IPS need to support RSA keys;

otherwise, the connection is not established.

To generate a new SSH server host key, follow these steps:

Step 1

Step 2

Generate the new server host key.

sensor# ssh generate-key

RSA1 Bubble Babble: xucor-gidyg-comym-zipib-pilyk-vucal-pekyd-hipuc-tuven-gigyr-fixyx

RSA Bubble Babble: xucot-sapaf-sufiz-duriv-rigud-kezol-tupif-buvih-zokap-sohoz-kixox

sensor#

Caution

Step 3

The new key replaces the existing key, which requires you to update the known hosts tables on remote

systems with the new host key so that future connections succeed. You can update the known hosts tables

on remote systems using the ssh host-key command.

Display the current SSH server host key. The sensor displays the RSA1 (SSHv1) and the RSA (SSHv2)

keys.

sensor# show ssh server-key

RSA1 Key: 2048 65537 21281522654207836691935756443555553045267729811163188158123

19221105282706971156372834395971442406711584211050336190060471149429624658777668

77772213935517164097668879617982452141055538222385354775671320871325156194364534

01964293900473562985740703815287014221909604447874565966052932190994239169399973

09451774745322103150629685832787333113245586019053499876586171642882215702812368

29552879443164044336379548314607826859130457872422419997317349512539506437629934

62410481738789963850532157078406908293224279442047344280835594921181229802312694

953678513524852911662327237984274983550808940893737598517019547234622411280871

RSA1 Bubble Babble: xucor-gidyg-comym-zipib-pilyk-vucal-pekyd-hipuc-tuven-gigyr-fixyx

RSA Key: AAAAB3NzaC1yc2EAAAADAQABAAABAQC/zpG5nXqlAfc/aNzgQweipp9tjAqd1Xr5tuCJa+m

ccscEPHc25zUKLQG+8HkvieG2Pf11Y7mZk2POJICjXSV5izFczaFnZhBBUS+QOMH0nsk+S6F9Cujmz99

/OseRwQK16o2o2ds9otNfctAhVgex86SX5cWI0dyAYU1ZpwZCpK5sKxTtgzUkOEOSFPcHthf1DJvJfuj

1rWSJ/VAUHH4T5aomZ4m/is8jTp+nog5O5tDt6huqWYZt6MNTRoXTq0UgDgGOlueoGM6Sqk0nCwUlsBG

TNaEoJbN0elRk+qNnSGo4FQYLVCryMZYi6GOxZVxwPST3IGuEHTunAw6aUnRl

RSA Bubble Babble: xucot-sapaf-sufiz-duriv-rigud-kezol-tupif-buvih-zokap-sohoz-kixox

sensor#

For More Information

For the procedure for updating the known hosts table, see Adding Hosts to the SSH Known Hosts List,

page 3-46.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-50

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Configuring TLS

This section describes TLS on the sensor, and contains the following topics:

•

Understanding TLS, page 3-51

Adding TLS Trusted Hosts, page 3-52

Displaying and Generating the Server Certificate, page 3-53

Understanding TLS

The Cisco IPS contains a web server that is running the IDM. Management stations connect to this web

server. Blocking forwarding sensors also connect to the web server of the master blocking sensor. To

provide security, this web server uses an encryption protocol known as TLS, which is closely related to

SSL protocol. When you enter a URL into the web browser that starts with https://ip_address, the

web browser responds by using either TLS or SSL protocol to negotiate an encrypted session with the

host.

Caution

Note

The web browser initially rejects the certificate presented by the IDM because it does not trust the

certificate authority (CA).

The IDM is enabled by default to use TLS and SSL.We highly recommend that you use TLS and SSL.

The process of negotiating an encrypted session in TLS is called “handshaking,” because it involves a

number of coordinated exchanges between client and server. The server sends its certificate to the client.

The client performs the following three-part test on this certificate:

1. Is the issuer identified in the certificate trusted?

Every web browser ships with a list of trusted third-party CAs. If the issuer identified in the

certificate is among the list of CAs trusted by your browser, the first test is passed.

2. Is the date within the range of dates during which the certificate is considered valid?

Each certificate contains a Validity field, which is a pair of dates. If the date falls within this range

of dates, the second test is passed.

3. Does the common name of the subject identified in the certificate match the URL hostname?

The URL hostname is compared with the subject common name. If they match, the third test is

passed.

When you direct your web browser to connect with the IDM, the certificate that is returned fails because

the sensor issues its own certificate (the sensor is its own CA) and the sensor is not already in the list of

CAs trusted by your browser.

When you receive an error message from your browser, you have three options:

•

Disconnect from the site immediately.

Accept the certificate for the remainder of the web browsing session.

Add the issuer identified in the certificate to the list of trusted CAs of the web browser and trust the

certificate until it expires.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-51

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Configuring TLS

The most convenient option is to permanently trust the issuer. However, before you add the issuer, use

out-of-band methods to examine the fingerprint of the certificate. This prevents you from being

victimized by an attacker posing as a sensor. Confirm that the fingerprint of the certificate appearing in

your web browser is the same as the one on your sensor.

Caution

If you change the organization name or hostname of the sensor, a new certificate is generated the next

time the sensor is rebooted. The next time your web browser connects to the IDM, you will receive the

manual override dialog boxes. You must perform the certificate fingerprint validation again for Internet

Explorer and Firefox.

Adding TLS Trusted Hosts

In certain situations, the sensor uses TLS/SSL to protect a session it establishes with a remote web

server. For these sessions to be secure from man-in-the-middle attacks you must establish trust of the

TLS certificates of the remote web servers. A copy of the TLS certificate of each trusted remote host is

stored in the trusted hosts list.

Use the tls trusted-host ip-address ip-address [port port] command to add a trusted host to the trusted

hosts list. This command retrieves the TLS certificate from the specified host/port and displays its

fingerprint. You can accept or reject the fingerprint based on information retrieved directly from the host

you are requesting to add. The default port is 443.

Each certificate is stored with an identifier field (id). For the IP address and default port, the identifier

field is ipaddress. For the IP address and specified port, the identifier field is ipaddress:port.

Caution

TLS at the specified IP address is contacted to obtain the required fingerprint over the network. The

specified host must by accessible at the moment the command is issued. Use an alternate method to

confirm the fingerprint to protect yourself from accepting a certificate of an attacker.

To add a trusted host to the trusted hosts list, follow these steps:

Step 1

Step 2

Add the trusted host.

sensor# configure terminal

sensor(config)# tls trusted-host ip-address 10.16.0.0

Certificate SHA1 fingerprint is B1:6F:F5:DA:F3:7A:FB:FB:93:E9:2D:39:B9:99:08:D4:

47:02:F6:12

Would you like to add this to the trusted certificate table for this host?[yes]:

The SHA1 fingerprints appear. You are prompted to add the trusted host.

If the connection cannot be established, the transaction fails.

sensor(config)# tls trusted-host ip-address 10.89.146.110 port 8000

Error: getHostCertificate : socket connect failed [4,111]

Step 3

Enter yes to accept the fingerprint. The host is added to the TLS trusted host list. The Certificate ID

stored for the requested certificate is displayed when the command is successful.

Certificate ID: 10.89.146.110 successfully added to the TLS trusted host table.

sensor(config)#

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-52

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Configuring TLS

Step 4

Step 5

Verify that the host was added.

sensor(config)# exit

sensor# show tls trusted-hosts

10.89.146.110

sensor#

View the fingerprint for a specific host.

sensor# show tls trusted-hosts 10.89.146.110

SHA1: B1:6F:F5:DA:F3:7A:FB:FB:93:E9:2D:39:B9:99:08:D4:47:02:F6:12

sensor#

Step 6

Step 7

Remove an entry from the trusted hosts list.

sensor# configure terminal

sensor(config)# no tls trusted-host 10.89.146.110

Verify the entry was removed from the trusted host list. The IP address no longer appears in the list.

sensor(config)# exit

sensor# show tls trusted-hosts

No entries

Displaying and Generating the Server Certificate

A TLS certificate is generated when the sensor is first started. Use the tls generate-key command to

generate a new server self-signed X.509 certificate. The IP address of the sensor is included in the

certificate. If you change the sensor IP address, the sensor automatically generates a new certificate.

Caution

The new certificate replaces the existing certificate, which requires you to update the trusted hosts lists

on remote systems with the new certificate so that future connections succeed. You can update the trusted

hosts lists on remote IPS sensors using the tls trusted-host command. If the sensor is a master blocking

sensor, you must update the trusted hosts lists on the remote sensors that are sending block requests to

the master blocking sensor.

To generate a new TLS certificate, follow these steps:

Step 1

Step 2

Generate the new certificate.

sensor# tls generate-key

SHA1 fingerprint is 4A:2B:79:A0:82:8B:65:3A:83:B5:D9:50:C0:8E:F6:C6:B0:30:47:BB

sensor#

Step 3

Verify that the key was generated.

sensor# show tls fingerprint

SHA1: 4A:2B:79:A0:82:8B:65:3A:83:B5:D9:50:C0:8E:F6:C6:B0:30:47:BB

sensor#

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-53

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Installing the License Key

For More Information

For the procedure for updating the trusted hosts lists on remote sensors, see Adding TLS Trusted Hosts,

page 3-52.

Installing the License Key

This section describes the IPS license key and how to install it. It contains the following topics:

•

Understanding the License Key, page 3-54

Service Programs for IPS Products, page 3-55

Obtaining and Installing the License Key, page 3-55

Licensing the ASA 5500-X IPS SS P , p age 3-57

Uninstalling the License Key, page 3-58

Understanding the License Key

Although the sensor functions without the license key, you must have a license key to obtain signature

updates and use the global correlation features. To obtain a license key, you must have the following:

•

Cisco Service for IPS service contract—Contact your reseller, Cisco service or product sales to

purchase a contract.

•

Your IPS device serial number—To find the IPS device serial number in the IDM or the IME, for

the IDM choose Configuration > Sensor Management > Licensing, and for the IME choose

Configuration > sensor_name > Sensor Management > Licensing, or in the CLI use the show

version command.

•

Valid Cisco.com username and password.

Trial license keys are also available. If you cannot get your sensor licensed because of problems with

your contract, you can obtain a 60-day trial license that supports signature updates that require licensing.

You can obtain a license key from the Cisco.com licensing server, which is then delivered to the sensor.

Or, you can update the license key from a license key provided in a local file. Go to

http://www.cisco.com/go/license and click IPS Signature Subscription Service to apply for a license

key.

You can view the status of the license key in these places:

•

The IDM Home window Licensing section on the Health tab

The IDM Licensing pane (Configuration > Licensing)

The IME Home page in the Device Details section on the Licensing tab

License Notice at CLI login

Whenever you start the IDM, the IME, or the CLI, you are informed of your license status—whether you

have a trial, invalid, or expired license key. With no license key, an invalid license key, or an expired

license key, you can continue to use the IDM, the IME, and the CLI, but you cannot download signature

updates.

If you already have a valid license on the sensor, you can click Download on the License pane to

download a copy of your license key to the computer that the IDM or the IME is running on and save it

to a local file. You can then replace a lost or corrupted license, or reinstall your license after you have

reimaged the sensor.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-54

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Installing the License Key

Service Programs for IPS Products

You must have a Cisco Services for IPS service contract for any IPS product so that you can download

a license key and obtain the latest IPS signature updates. If you have a direct relationship with Cisco

Systems, contact your account manager or service account manager to purchase the Cisco Services for

IPS service contract. If you do not have a direct relationship with Cisco Systems, you can purchase the

service account from a one-tier or two-tier partner.

When you purchase the following IPS products you must also purchase a Cisco Services for IPS service

contract:

•

IPS 4345

IPS 4345-DC

IPS 4360

IPS 4510

IPS 4520

When you purchase an ASA 5500 series adaptive security appliance product that does not contain IPS,

you must purchase a SMARTnet contract.

Note

SMARTnet provides operating system updates, access to Cisco.com, access to TAC, and hardware

replacement NBD on site.

When you purchase an ASA 5500 series adaptive security appliance product that ships with an IPS

module installed, or if you purchase one to add to your ASA 5500 series adaptive security appliance

product, you must purchase the Cisco Services for IPS service contract.

Cisco Services for IPS provides IPS signature updates, operating system updates, access to Cisco.com,

access to TAC, and hardware replacement NBD on site.

For example, if you purchase an ASA 5585-X and then later want to add IPS and purchase an

ASA-IPS10-K9, you must now purchase the Cisco Services for IPS service contract. After you have the

Cisco Services for IPS service contract, you must also have your product serial number to apply for the

license key.

Caution

If you ever send your product for RMA, the serial number changes. You must then get a new license key

for the new serial number.

Obtaining and Installing the License Key

Note

You cannot install an older license key over a newer license key.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-55

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Installing the License Key

Use the copy source-url license_file_name license-key command to copy the license key to your sensor.

The following options apply:

•

source-url—The location of the source file to be copied. It can be a URL or keyword.

destination-url—The location of the destination file to be copied. It can be a URL or a keyword.

license-key—The subscription license file.

license_file_name—The name of the license file you receive.

The exact format of the source and destination URLs varies according to the file. Here are the valid

types:

•

ftp:—Source or destination URL for an FTP network server. The syntax for this prefix is:

ftp://[[username@]location][/relativeDirectory]/filename

ftp://[[username@]location][//absoluteDirectory]/filename

scp:—Source or destination URL for the SCP network server. The syntax for this prefix is:

scp://[[username@]location][/relativeDirectory]/filename

scp://[[username@]location][//absoluteDirectory]/filename

Note

If you use FTP or SCP protocol, you are prompted for a password. If you use SCP protocol,

you must add the remote host to the SSH known hosts list.

•

http:—Source URL for the Web server. The syntax for this prefix is:

http://[[username@]location][/directory]/filename

https:—Source URL for the Web server. The syntax for this prefix is:

https://[[username@]location][/directory]/filename

Note

If you use HTTPS protocol, the remote host must be a TLS trusted host.

Installing the License Key

To install the license key, follow these steps:

Step 1

Step 2

Apply for the license key at this URL: www.cisco.com/go/license.

Note

In addition to a valid Cisco.com username and password, you must also have a Cisco Services

for IPS service contract before you can apply for a license key.

Step 3

Fill in the required fields. Your Cisco IPS Signature Subscription Service license key will be sent by

email to the e-mail address you specified.

Note

You must have the correct IPS device serial number and product identifier (PID) because the

license key only functions on the device with that number.

Step 4

Save the license key to a system that has a Web server, FTP server, or SCP server.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-56

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Installing the License Key

Step 5

Step 6

Copy the license key to the sensor.

sensor# copy scp://[email protected]/24://tftpboot/dev.lic license-key

Password: *******

Step 7

Verify the sensor is licensed.

sensor# show version

Application Partition:

Cisco Intrusion Prevention System, Version 7.2(1)E4

Host:

Realm Keys

Signature Definition:

Signature Update

OS Version:

key1.0

S697.0

2.6.29.1

IPS4360

2013-02-15

Platform:

Serial Number:

No license present

FCH1504V0CF

Sensor up-time is 3 days.

Using 14470M out of 15943M bytes of available memory (90% usage)

system is using 32.4M out of 160.0M bytes of available disk space (20% usage)

application-data is using 87.1M out of 376.1M bytes of available disk space (24% usage)

boot is using 61.2M out of 70.1M bytes of available disk space (92% usage)

application-log is using 494.0M out of 513.0M bytes of available disk space (96% usage)

MainApp

Running

AnalysisEngine

Running

CollaborationApp

Running

V-2013_04_10_11_00_7_2_1

(Release)

2013-04-10T11:05:55-0500

CLI

Upgrade History:

IPS-K9-7.2-1-E4

11:17:07 UTC Thu Jan 10 2013

Recovery Partition Version 1.1 - 7.2(1)E4

Host Certificate Valid from: 17-Apr-2013 to 18-Apr-2015

sensor#

Licensing the ASA 5500-X IPS SSP

For the ASA 5500-X series adaptive security appliances with the IPS SSP, the ASA requires the IPS

Module license. To view your current ASA licenses, in ASDM choose Home > Device Dashboard >

Device Information > Device License. For more information about ASA licenses, refer to the licensing

chapter in the configuration guide. After you obtain the ASA IPS Module license, you can obtain and

install the IPS license key.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-57

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Installing the License Key

For More Information

•

For more information about getting started using the ASA 5500-X IPS SSP, refer to the Cisco IPS

Module on the ASA Quick Start Guide.

•

For the procedures for obtaining and installing the IPS License key, see Obtaining and Installing the

License Key.

Uninstalling the License Key

Use the erase license-key command to uninstall the license key on your sensor. This allows you to delete

an installed license key from a sensor without restarting the sensor or logging into the sensor using the

service account.

To uninstall the license key, follow these steps:

Step 1

Step 2

Uninstall the license key on the sensor.

sensor# erase license-key

Warning: Executing this command will remove the license key installed on the sensor.

You must have a valid license key installed on the sensor to apply the Signature Updates

and use the Global Correlation features.

Continue? []: yes

sensor#

Step 3

Verify the sensor key has been uninstalled.

sensor# show version

Application Partition:

Cisco Intrusion Prevention System, Version 7.2(1)E4

Host:

Realm Keys

Signature Definition:

Signature Update

OS Version:

key1.0

S697.0

2.6.29.1

IPS4360

2013-02-15

Platform:

Serial Number:

No license present

FCH1504V0CF

Sensor up-time is 3 days.

Using 14470M out of 15943M bytes of available memory (90% usage)

system is using 32.4M out of 160.0M bytes of available disk space (20% usage)

application-data is using 87.1M out of 376.1M bytes of available disk space (24% usage)

boot is using 61.2M out of 70.1M bytes of available disk space (92% usage)

application-log is using 494.0M out of 513.0M bytes of available disk space (96% usage)

MainApp

Running

AnalysisEngine

Running

CollaborationApp

Running

V-2013_04_10_11_00_7_2_1

(Release)

2013-04-10T11:05:55-0500

CLI

Upgrade History:

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-58

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Installing the License Key

IPS-K9-7.2-1-E4

11:17:07 UTC Thu Jan 10 2013

Recovery Partition Version 1.1 - 7.2(1)E4

Host Certificate Valid from: 17-Apr-2013 to 18-Apr-2015

sensor#

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-59

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 3 Setting Up the Sensor

Installing the License Key

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

3-60

Download from Www.Somanuals.com. All Manuals Search And Download.

C H A P T E R

Configuring Interfaces

This chapter describes how to configure interfaces on the sensor. You configured the interfaces when you

initialized the sensor with the setup command, but if you need to change or add anything to your

interface configuration, use the following procedures. For more information on configuring interfaces

using the setup command, see Chapter 2, “Initializing the Sensor.”

This chapter contains the following sections:

•

Understanding Interfaces, page 4-2

Configuring Physical Interfaces, page 4-11

Configuring Promiscuous Mode, page 4-14

Configuring Inline Interface Mode, page 4-16

Configuring Inline VLAN Pair Mode, page 4-21

Configuring VLAN Group Mode, page 4-26

Configuring Inline Bypass Mode, page 4-33

Configuring Interface Notifications, page 4-35

Configuring CDP Mode, page 4-36

Displaying Interface Statistics, page 4-37

Displaying Interface Traffic History, page 4-40

Interface Notes and Caveats

The following notes and caveats apply to configuring interfaces on the sensor:

•

On appliances, all sensing interfaces are disabled by default. You must enable them to use them. On

modules, the sensing interfaces are permanently enabled.

There is only one sensing interface on the ASA IPS modules (ASA 5500-X IPS SSP and

ASA 5585-X IPS SSP), so you cannot designate an alternate TCP reset interface.

You can only assign a sensing interface as an alternate TCP reset interface. You cannot configure

the management interface as an alternate TCP reset interface.

You configure the ASA IPS modules (ASA 5500-X IPS SSP and ASA 5585-X IPS SSP) for

promiscuous mode from the adaptive security appliance CLI and not from the Cisco IPS CLI.

You can configure the ASA IPS modules (ASA 5500-X IPS SSP and ASA 5585-X IPS SSP) to

operate inline even though they have only one sensing interface.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

4-1

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 4 Configuring Interfaces

Understanding Interfaces

•

The ASA IPS modules (ASA 5500-X IPS SSP and ASA 5585-X IPS SSP) do not support inline

VLAN pairs.

The ASA IPS modules (ASA 5500-X IPS SSP and ASA 5585-X IPS SSP) do not support VLAN

groups mode.

There are security consequences when you put the sensor in bypass mode. When bypass mode is on,

the traffic bypasses the sensor and is not inspected; therefore, the sensor cannot prevent malicious

attacks.

•

As with signature updates, when the sensor applies a global correlation update, it may trigger

bypass. Whether or not bypass is triggered depends on the traffic load of the sensor and the size of

the signature/global correlation update. If bypass mode is turned off, an inline sensor stops passing

traffic while the update is being applied.

The ASA 5500-X IPS SSP and the ASA 5585-X IPS SSP do not support bypass mode. The adaptive

security appliance will either fail open, fail close, or fail over depending on the configuration of the

adaptive security appliance and the type of activity being done on the IPS.

•

The show interface command output for the IPS 4510 and IPS 4520 does not include the total

undersize packets or total transmit FIFO overruns.

When the IPS 4510 and IPS 4520 are configured in VLAN pairs, the packet display command does

not work without the VLAN option if the expression keyword is also used.

On the IPS 4510 and IPS 4520, no interface-related configurations are allowed when the SensorApp

is down.

Understanding Interfaces

This section describes the IPS interfaces and modes, and contains the following topics:

IPS Interfaces, page 4-2

Command and Control Interface, page 4-3

•

Sensing Interfaces, page 4-4

TCP Reset Interfaces, page 4-4

Interface Support, page 4-6

Interface Configuration Restrictions, page 4-8

Interface Configuration Sequence, page 4-10

IPS Interfaces

The sensor interfaces are named according to the maximum speed and physical location of the interface.

The physical location consists of a port number and a slot number. All interfaces that are built-in on the

sensor motherboard are in slot 0, and the interface card expansion slots are numbered beginning with

slot 1 for the bottom slot with the slot numbers increasing from bottom to top. Each physical interface

can be divided in to VLAN group subinterfaces, each of which consists of a group of VLANs on that

interface.

There are three interface roles:

•

Command and control

Sensing

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

4-2

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 4 Configuring Interfaces

Understanding Interfaces

•

Alternate TCP reset

There are restrictions on which roles you can assign to specific interfaces and some interfaces have

multiple roles. You can configure any sensing interface to any other sensing interface as its TCP reset

interface. The TCP reset interface can also serve as an IDS (promiscuous) sensing interface at the same

time. The following restrictions apply:

•

The TCP reset interface that is assigned to a sensing interface has no effect in inline interface or

inline VLAN pair mode, because TCP resets are always sent on the sensing interfaces in those

modes.

Note

There is only one sensing interface on the ASA IPS modules (ASA 5500-X IPS SSP and

ASA 5585-X IPS SSP), so you cannot designate an alternate TCP reset interface.

Caution

On the IPS 4510 and IPS 4520, no interface-related configurations are allowed when the SensorApp is

down.

Command and Control Interface

The command and control interface has an IP address and is used for configuring the sensor. It receives

security and status events from the sensor and queries the sensor for statistics. The command and control

interface is permanently enabled. It is permanently mapped to a specific physical interface, which

depends on the specific model of sensor. You cannot use the command and control interface as either a

sensing or alternate TCP reset interface.

Table 4-1 lists the command and control interfaces for each sensor.

Table 4-1

Command and Control Interfaces

Sensor

Command and Control Interface

Management 0/0

ASA 5512-X IPS SSP

ASA 5515-X IPS SSP

ASA 5525-X IPS SSP

ASA 5545-X IPS SSP

ASA 5555-X IPS SSP

ASA 5585-X IPS SSP-10

ASA 5585-X IPS SSP-20

ASA 5585-X IPS SSP-40

ASA 5585-X IPS SSP-60

IPS 4345

Management 0/0

Management 0/0¹

IPS 4345-DC

IPS 4360

IPS 4510

IPS 4520

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

4-3

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 4 Configuring Interfaces

Understanding Interfaces

1. The 4500 series sensors have two management ports, Management 0/0 and

Management 0/1, but Management 0/1 is reserved for future use.

Sensing Interfaces

Sensing interfaces are used by the sensor to analyze traffic for security violations. A sensor has one or

more sensing interfaces depending on the sensor. Sensing interfaces can operate individually in

promiscuous mode or you can pair them to create inline interfaces.

Note

On appliances, all sensing interfaces are disabled by default. You must enable them to use them. On

modules, the sensing interfaces are permanently enabled.

Some appliances support optional interface cards that add sensing interfaces to the sensor. You must

insert or remove these optional cards while the sensor is powered off. The sensor detects the addition or

removal of a supported interface card. If you remove an optional interface card, some of the interface

configuration is deleted, such as the speed, duplex, description string, enabled/disabled state of the

interface, and any inline interface pairings. These settings are restored to their default settings when the

card is reinstalled. However, the assignment of promiscuous and inline interfaces to the Analysis Engine

is not deleted from the Analysis Engine configuration, but is ignored until those cards are reinserted and

you create the inline interface pairs again.

For More Information

•

For more information on supported interfaces, see Interface Support, page 4-6.

For more information on interface modes, see Configuring Promiscuous Mode, page 4-14,

Configuring Inline Interface Mode, page 4-16, Configuring Inline VLAN Pair Mode, page 4-21,

Configuring VLAN Group Mode, page 4-26, Configuring Inline Bypass Mode, page 4-33.

TCP Reset Interfaces

This section explains the TCP reset interfaces and when to use them. It contains the following topics:

•

Understanding Alternate TCP Reset Interfaces, page 4-4

Designating the Alternate TCP Reset Interface, page 4-5

Understanding Alternate TCP Reset Interfaces

You can configure sensors to send TCP reset packets to try to reset a network connection between an

attacker host and its intended target host. In some installations when the interface is operating in

promiscuous mode, the sensor may not be able to send the TCP reset packets over the same sensing

interface on which the attack was detected. In such cases, you can associate the sensing interface with

an alternate TCP reset interface and any TCP resets that would otherwise be sent on the sensing interface

when it is operating in promiscuous mode are instead sent out on the associated alternate TCP reset

interface.

If a sensing interface is associated with an alternate TCP reset interface, that association applies when

the sensor is configured for promiscuous mode but is ignored when the sensing interface is configured

for inline mode. any sensing interface can serve as the alternate TCP reset interface for another sensing

interface.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

4-4

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 4 Configuring Interfaces

Understanding Interfaces

Note

There is only one sensing interface on the ASA IPS modules (ASA 5500-X IPS SSP and

ASA 5585-X IPS SSP), so you cannot designate an alternate TCP reset interface.

Table 4-2 lists the alternate TCP reset interfaces.

Table 4-2

Alternate TCP Reset Interfaces

Sensor

Alternate TCP Reset Interface

None

ASA 5512-X IPS SSP

ASA 5515-X IPS SSP

ASA 5525-X IPS SSP

ASA 5545-X IPS SSP

ASA 5555-X IPS SSP

ASA 5585-X IPS SSP-10

ASA 5585-X IPS SSP-20

ASA 5585-X IPS SSP-40

ASA 5585-X IPS SSP-60

IPS 4345

None

Any sensing interface

IPS 4345-DC

IPS 4360

IPS 4510

IPS 4520

For More Information

For more information on choosing the alternate TCP interface, see Designating the Alternate TCP Reset

Interface, page 4-5.

Designating the Alternate TCP Reset Interface

Note

There is only one sensing interface on the ASA IPS modules (ASA 5500-X IPS SSP and

ASA 5585-X IPS SSP), so you cannot designate an alternate TCP reset interface.

You need to designate an alternate TCP reset interface in the following situations:

•

When a switch is being monitored with either SPAN or VACL capture and the switch does not accept

incoming packets on the SPAN or VACL capture port.

When a switch is being monitored with either SPAN or VACL capture for multiple VLANs, and the

switch does not accept incoming packets with 802.1q headers. The TCP resets need 802.1q headers

to tell which VLAN the resets should be sent on.

•

When a network tap is used for monitoring a connection. Taps do not permit incoming traffic from

the sensor.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

4-5

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 4 Configuring Interfaces

Understanding Interfaces

Caution

You can only assign a sensing interface as an alternate TCP reset interface. You cannot configure the

management interface as an alternate TCP reset interface.

Interface Support

Table 4-3 describes the interface support for appliances and modules running Cisco IPS.

Table 4-3

Interface Support

Interfaces Not

Supporting Inline

(Command and Control

Port)

Added

Interfaces Supporting

Interface Inline VLAN Pairs

Cards

Combinations Supporting

Inline Interface Pairs

Base Chassis

(Sensing Ports)

ASA 5512-X IPS SSP

—

PortChannel 0/0 by security PortChannel 0/0 by security Management 0/0

context instead of VLAN context instead of VLAN

pair or inline interface pair pair or inline interface pair

ASA 5515-X IPS SSP

ASA 5525-X IPS SSP

ASA 5545-X IPS SSP

ASA 5555-X IPS SSP

ASA 5585-X IPS SSP-10

ASA 5585-X IPS SSP-20

ASA 5585-X IPS SSP-40

ASA 5585-X IPS SSP-60

—

PortChannel 0/0 by security PortChannel 0/0 by security Management 0/0

context instead of VLAN

pair or inline interface pair pair or inline interface pair

PortChannel 0/0 by security PortChannel 0/0 by security Management 0/0

context instead of VLAN

pair or inline interface pair pair or inline interface pair

PortChannel 0/0 by security PortChannel 0/0 by security Management 0/0

context instead of VLAN

pair or inline interface pair pair or inline interface pair

PortChannel 0/0 by security PortChannel 0/0 by security Management 0/0

context instead of VLAN

pair or inline interface pair pair or inline interface pair

PortChannel 0/0 by security PortChannel 0/0 by security Management 0/0

context instead of VLAN

pair or inline interface pair pair or inline interface pair

PortChannel 0/0 by security PortChannel 0/0 by security Management 0/0

context instead of VLAN

pair or inline interface pair pair or inline interface pair

PortChannel 0/0 by security PortChannel 0/0 by security Management 0/0

context instead of VLAN

pair or inline interface pair pair or inline interface pair

PortChannel 0/0 by security PortChannel 0/0 by security Management 0/0

context instead of VLAN

pair or inline interface pair pair or inline interface pair

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

4-6

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 4 Configuring Interfaces

Understanding Interfaces

Table 4-3

Interface Support (continued)

Interfaces Not

Supporting Inline

(Command and Control

Port)

Added

Interfaces Supporting

Interface Inline VLAN Pairs

Cards

Combinations Supporting

Inline Interface Pairs

Base Chassis

(Sensing Ports)

IPS 4345

—

GigabitEthernet 0/0

GigabitEthernet 0/1

GigabitEthernet 0/2

GigabitEthernet 0/3

GigabitEthernet 0/4

GigabitEthernet 0/5

Gigabitethernet 0/6

GigabitEthernet 0/7

GigabitEthernet 0/0

GigabitEthernet 0/1

GigabitEthernet 0/2

GigabitEthernet 0/3

GigabitEthernet 0/4

GigabitEthernet 0/5

Gigabitethernet 0/6

GigabitEthernet 0/7

GigabitEthernet 0/0

GigabitEthernet 0/1

GigabitEthernet 0/2

GigabitEthernet 0/3

GigabitEthernet 0/4

GigabitEthernet 0/5

GigabitEthernet 0/6

GigabitEthernet 0/7

All sensing ports can be

paired together

Management 0/0

Management 0/1¹

IPS 4345-DC

—

All sensing ports can be

paired together

Management 0/0

Management 0/1¹

IPS 4360

—

All sensing ports can be

paired together

Management 0/0

Management 0/1¹

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

4-7

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 4 Configuring Interfaces

Understanding Interfaces

Table 4-3

Interface Support (continued)

Interfaces Not

Supporting Inline

(Command and Control

Port)

Added

Interfaces Supporting

Interface Inline VLAN Pairs

Cards

Combinations Supporting

Inline Interface Pairs

Base Chassis

(Sensing Ports)

IPS 4510

—

GigabitEthernet 0/0

GigabitEthernet 0/1

GigabitEthernet 0/2

GigabitEthernet 0/3

GigabitEthernet 0/4

GigabitEthernet 0/5

TenGigabitEthernet 0/6

TenGigabitEthernet 0/7

TenGigabitEthernet 0/8

TenGigabitEthernet 0/9

GigabitEthernet 0/0

GigabitEthernet 0/1

GigabitEthernet 0/2

GigabitEthernet 0/3

GigabitEthernet 0/4

GigabitEthernet 0/5

TenGigabitEthernet 0/6

TenGigabitEthernet 0/7

TenGigabitEthernet 0/8

TenGigabitEthernet 0/9

All sensing ports can be

paired together

Management 0/0

Management 0/1²

IPS 4520

—TX

All sensing ports can be

paired together

Management 0/0

Management 0/1²

1. Does not currently support hardware bypass.

2. Reserved for future use.

Interface Configuration Restrictions

The following restrictions apply to configuring interfaces on the sensor:

•

Physical Interfaces

–

On the ASA IPS modules (ASA 5500-X IPS SSP and ASA 5585-X IPS SSP) all backplane

interfaces have fixed speed, duplex, and state settings. These settings are protected in the default

configuration on all backplane interfaces.

–

For nonbackplane FastEthernet interfaces the valid speed settings are 10 Mbps, 100 Mbps, and

auto. Valid duplex settings are full, half, and auto.

For Gigabit copper interfaces (1000-TX on the IPS 4345, IPS 4360, IPS 4510, and IPS 4520),

valid speed settings are 10 Mbps, 100 Mbps, 1000 Mbps, and auto. Valid duplex settings are

full, half, and auto.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

4-8

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 4 Configuring Interfaces

Understanding Interfaces

–

For Gigabit (copper or fiber) interfaces, if the speed is configured for 1000 Mbps, the only valid

duplex setting is auto.

The command and control interface cannot also serve as a sensing interface.

•

Inline Interface Pairs

–

Inline interface pairs can contain any combination of sensing interfaces regardless of the

physical interface type (copper versus fiber), speed, or duplex settings of the interface.

However, pairing interfaces of different media type, speeds, and duplex settings may not be

fully tested or supported.

–

The command and control interface cannot be a member of an inline interface pair.

You cannot pair a physical interface with itself in an inline interface pair.

A physical interface can be a member of only one inline interface pair.

You can only configure bypass mode and create inline interface pairs on sensor platforms that

support inline mode.

–

A physical interface cannot be a member of an inline interface pair unless the subinterface mode

of the physical interface is none.

Note

You can configure the ASA IPS modules (ASA 5500-X IPS SSP and

ASA 5585-X IPS SSP) to operate inline even though they have only one sensing

interface.

•

Inline VLAN Pairs

–

You cannot pair a VLAN with itself.

You cannot use the default VLAN as one of the paired VLANs in an inline VLAN pair.

For a given sensing interface, a VLAN can be a member of only one inline VLAN pair.

However, a given VLAN can be a member of an inline VLAN pair on more than one sensing

interface.

–

The order in which you specify the VLANs in an inline VLAN pair is not significant.

A sensing interface in Inline VLAN Pair mode can have from 1 to 255 inline VLAN pairs.

Note

The ASA IPS modules (ASA 5500-X IPS SSP and ASA 5585-X IPS SSP) do not

support inline VLAN pairs.

•

Alternate TCP Reset Interface

–

You can only assign the alternate TCP reset interface to a sensing interface. You cannot

configure the command and control interface as an alternate TCP reset interface. The alternate

TCP reset interface option is set to none as the default and is protected for all interfaces except

the sensing interfaces.

–

You can assign the same physical interface as an alternate TCP reset interface for multiple

sensing interfaces.

–

A physical interface can serve as both a sensing interface and an alternate TCP reset interface.

The command and control interface cannot serve as the alternate TCP reset interface for a

sensing interface.

–

A sensing interface cannot serve as its own alternate TCP reset interface.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

4-9

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 4 Configuring Interfaces

Understanding Interfaces

–

You can only configure interfaces that are capable of TCP resets as alternate TCP reset

interfaces.

Note

There is only one sensing interface on the ASA IPS modules (ASA 5500-X IPS SSP and

ASA 5585-X IPS SSP), so you cannot designate an alternate TCP reset interface.

•

VLAN Groups

–

You can configure any single interface for promiscuous, inline interface pair, or inline VLAN

pair mode, but no combination of these modes is allowed.

–

You cannot add a VLAN to more than one group on each interface.

You cannot add a VLAN group to multiple virtual sensors.

An interface can have no more than 255 user-defined VLAN groups.

When you pair a physical interface, you cannot subdivide it; you can subdivide the pair.

You can use a VLAN on multiple interfaces; however, you receive a warning for this

configuration.

–

You can assign a virtual sensor to any combination of one or more physical interfaces and inline

VLAN pairs, subdivided or not.

–

You can subdivide both physical and logical interfaces into VLAN groups.

The CLI, IDM, and IME prompt you to remove any dangling references. You can leave the

dangling references and continue editing the configuration.

–

The CLI, IDM, and IME do not allow configuration changes in Analysis Engine that conflict

with the interface configuration.

The CLI allows configuration changes in the interface configuration that cause conflicts in the

Analysis Engine configuration. The IDM and IME do not allow changes in the interface

configuration that cause conflicts in the Analysis Engine configuration.

Note

The ASA IPS modules (ASA 5500-X IPS SSP and ASA 5585-X IPS SSP) do not

support VLAN groups mode.

For More Information

•

For a list of supported sensor interfaces, see Interface Support, page 4-6.

For more information on alternate TCP reset, see TCP Reset Interfaces, page 4-4.

For more information on physical interfaces, see Configuring Physical Interfaces, page 4-11.

Interface Configuration Sequence

Follow these steps to configure interfaces on the sensor:

1. Configure the physical interface settings (speed, duplex, and so forth) and enable the interfaces.

2. Create or delete inline interfaces, inline VLAN subinterfaces, and VLAN groups, and set the inline

bypass mode.

3. Assign the physical, subinterfaces, and inline interfaces to the virtual sensor.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

4-10

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 4 Configuring Interfaces

Configuring Physical Interfaces

For More Information

•

For the procedure for configuring the physical interface settings, see Configuring Physical

Interfaces, page 4-11.

•

For the procedures for creating and deleting different kinds of interfaces, see Configuring Inline

Interface Mode, page 4-16, Configuring Inline VLAN Pair Mode, page 4-21, Configuring VLAN

Group Mode, page 4-26, and Configuring Inline Bypass Mode, page 4-33.

•

For the procedure for configuring virtual sensors, see Adding, Editing, and Deleting Virtual Sensors,

page 5-4.

Configuring Physical Interfaces

Use the physical-interfaces interface_name command in the service interface submode to configure

promiscuous interfaces. The interface name is FastEthernet, GigabitEthernet, or PortChannel.

Note

You configure the ASA IPS modules (ASA 5500-X IPS SSP and ASA 5585-X IPS SSP) for

promiscuous mode from the adaptive security appliance CLI and not from the Cisco IPS CLI.

The following options apply:

•

admin-state {enabled | disabled}—Specifies the administrative link state of the interface, whether

the interface is enabled or disabled.

Note

On all backplane sensing interfaces on all modules, admin-state is set to enabled and is

protected (you cannot change the setting). The admin-state has no effect (and is protected)

on the command and control interface. It only affects sensing interfaces. The command and

control interface does not need to be enabled because it cannot be monitored.

•

alt-tcp-reset-interface—Sends TCP resets out an alternate interface when this interface is used for

promiscuous monitoring and the reset action is triggered by a signature firing.

Note

You can only assign a sensing interface as an alternate TCP reset interface. You cannot

configure the management interface as an alternate TCP reset interface.

Note

There is only one sensing interface on the ASA IPS modules (ASA 5500-X IPS SSP and

ASA 5585-X IPS SSP), so you cannot designate an alternate TCP reset interface.

–

interface_name—Specifies the name of the interface on which TCP resets should be sent when

this interface is used for promiscuous monitoring and the reset action is triggered by a signature

firing. This setting is ignored when this interface is a member of an inline interface.

–

none —Disables the use of an alternate TCP reset interface. TCP resets triggered by the reset

action when in promiscuous mode will be sent out of this interface instead.

•

default—Sets the value back to the system default setting.

description—Specifies your description of the promiscuous interface.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

4-11

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 4 Configuring Interfaces

Configuring Physical Interfaces

•

duplex—Specifies the duplex setting of the interface:

–

auto—Sets the interface to auto negotiate duplex.

full—Sets the interface to full duplex.

half—Sets the interface to half duplex.

Note

The duplex option is protected on all modules.

For TenGigabit SFP+ ports, the permitted values are auto and full.

•

no—Removes an entry or selection setting.

speed—Specifies the speed setting of the interface:

–

auto—Sets the interface to auto negotiate speed.

10—Sets the interface to 10 MB (for TX interfaces only).

100—Sets the interface to 100 MB (for TX interfaces only).

1000—Sets the interface to 1 GB (for Gigabit interfaces only).

Note

The speed option is protected on all modules.

For TenGigabit SFP+ ports with a 10 Gb connector, the permitted values are auto and

10000, and for TenGigabit SFP+ ports with a 1 Gb connector, the permitted value is

auto.

Configuring the Physical Interface Settings

To configure the physical interface settings for promiscuous mode on the sensor, follow these steps:

Step 1

Step 2

Enter interface submode.

sensor# configure terminal

sensor(config)# service interface

Step 3

Display the list of available interfaces.

sensor(config-int)# physical-interfaces ?

GigabitEthernet0/0

GigabitEthernet0/1

GigabitEthernet0/2

GigabitEthernet0/3

Management0/0

GigabitEthernet0/0 physical interface.

GigabitEthernet0/1 physical interface.

GigabitEthernet0/2 physical interface.

GigabitEthernet0/3 physical interface.

Management0/0 physical interface.

sensor(config-int)# physical-interfaces

Step 4

Specify the interface for promiscuous mode.

sensor(config-int)# physical-interfaces GigabitEthernet0/2

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

4-12

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 4 Configuring Interfaces

Configuring Physical Interfaces

Step 5

Enable the interface. You must assigned the interface to a virtual sensor and enable it before it can

monitor traffic.

sensor(config-int-phy)# admin-state enabled

Step 6

Step 7

Add a description of this interface.

sensor(config-int-phy)# description INT1

Specify the duplex settings. This option is not available on the ASA IPS modules (ASA 5500-X IPS SSP

and ASA 5585-X IPS SSP).

sensor(config-int-phy)# duplex full

Step 8

Step 9

Specify the speed. This option is not available on the ASA IPS modules (ASA 5500-X IPS SSP and

ASA 5585-X IPS SSP).

sensor(config-int-phy)# speed 1000

Enable TCP resets for this interface if desired. This option is not available on the ASA IPS modules

(ASA 5500-X IPS SSP and ASA 5585-X IPS SSP).

sensor(config-int-phy)# alt-tcp-reset-interface interface-name GigabitEthernet2/0

Step 10 Repeat Steps 4 through 9 for any other interfaces you want to designate as promiscuous interfaces.

Step 11 Verify the settings.

Note

Make sure the subinterface-typeis none, the default. You use the subinterface-type command

to configure inline VLAN pairs.

sensor(config-int-phy)# show settings

-----------------------------------------------

media-type: tx <protected>

description: INT1 default:

admin-state: enabled default: disabled

duplex: full default: auto

speed: 1000 default: auto

alt-tcp-reset-interface

-----------------------------------------------

interface-name: GigabitEthernet2/0

-----------------------------------------------

subinterface-type

-----------------------------------------------

none

-----------------------------------------------

sensor(config-int-phy)#

Step 12 Remove TCP resets from an interface.

sensor(config-int-phy)# alt-tcp-reset-interface none

Step 13 Verify the settings.

sensor(config-int-phy)# show settings

-----------------------------------------------

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

4-13

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 4 Configuring Interfaces

Configuring Promiscuous Mode

media-type: tx <protected>

description: <defaulted>

admin-state: disabled <protected>

duplex: auto <defaulted>

speed: auto <defaulted>

alt-tcp-reset-interface

-----------------------------------------------

none

-----------------------------------------------

sensor(config-int-phy)#

Step 14 Exit interface submode.

sensor(config-int-phy)# exit

sensor(config-int)# exit

Apply Changes:?[yes]:

Step 15 Press Enter to apply the changes or enter no to discard them.

For More Information

•

For a list of possible interfaces for your sensor, see Interface Support, page 4-6.

For the procedure for sending traffic to the ASA 5500-X IPS SSP, see Creating Virtual Sensors for

the ASA 5500-X IPS SS P , p age 18-4.

•

For the procedure for sending traffic to the ASA 5585-X IPS SSP, see Creating Virtual Sensors for

the ASA 5585-X IPS SS P , p age 19-4.

For more information on the alternate TCP reset interface, see Understanding Alternate TCP Reset

Interfaces, page 4-4 and Designating the Alternate TCP Reset Interface, page 4-5.

For the procedure for configuring inline VLAN pairs, see Configuring Inline VLAN Pairs,

page 4-22.

For the procedure for adding interfaces to virtual sensors, see Adding, Editing, and Deleting Virtual

Sensors, page 5-4.

Configuring Promiscuous Mode

This section describes promiscuous mode on the sensor, and contains the following topics:

Understanding Promiscuous Mode, page 4-14

Configuring Promiscuous Mode, page 4-15

IPv6, Switches, and Lack of V A C L Capture, page 4-15

•

Understanding Promiscuous Mode

In promiscuous mode, packets do not flow through the sensor. The sensor analyzes a copy of the

monitored traffic rather than the actual forwarded packet. The advantage of operating in promiscuous

mode is that the sensor does not affect the packet flow with the forwarded traffic. The disadvantage of

operating in promiscuous mode, however, is the sensor cannot stop malicious traffic from reaching its

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

4-14

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 4 Configuring Interfaces

Configuring Promiscuous Mode

intended target for certain types of attacks, such as atomic attacks (single-packet attacks). The response

actions implemented by promiscuous sensor devices are post-event responses and often require

assistance from other networking devices, for example, routers and firewalls, to respond to an attack.

While such response actions can prevent some classes of attacks, in atomic attacks the single packet has

the chance of reaching the target system before the promiscuous-based sensor can apply an ACL

modification on a managed device (such as a firewall, switch, or router).

By default, all sensing interfaces are in promiscuous mode. To change an interface from inline interface

mode to promiscuous mode, delete any inline interface that contains that interface and delete any inline

VLAN pair subinterfaces of that interface from the interface configuration.

Figure 4-1 illustrates promiscuous mode:

Figure 4-1

Promiscuous Mode

Switch

VLAN A

Router

Host

Span port sending

copies of VLAN A traffic

Sensor

Configuring Promiscuous Mode

By default, all sensing interfaces are in promiscuous mode. To change an interface from inline mode to

promiscuous mode, delete the inline interface that contains that interface from the interface

configuration.

IPv6, Switches, and Lack of VACL Capture

VACLs on Catalyst switches do not have IPv6 support. The most common method for copying traffic to

a sensor configured in promiscuous mode is to use VACL capture. If you want to have IPv6 support, you

can use SPAN ports.

However, you can only configure up to two monitor sessions on a switch unless you use the following

configuration:

•

Monitor session

Multiple trunks to one or more sensors

Restrict per trunk port which VLANs are allowed to perform monitoring of many VLANs to more

than two different sensors or virtual sensors within one IPS

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

4-15

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 4 Configuring Interfaces

Configuring Inline Interface Mode

The following configuration uses one SPAN session to send all of the traffic on any of the specified

VLANs to all of the specified ports. Each port configuration only allows a particular VLAN or VLANs

to pass. Thus you can send data from different VLANs to different sensors or virtual sensors all with one

SPAN configuration line:

clear trunk 4/1-4 1-4094

set trunk 4/1 on dot1q 930

set trunk 4/2 on dot1q 932

set trunk 4/3 on dot1q 960

set trunk 4/4 on dot1q 962

set span 930, 932, 960, 962 4/1-4 both

Note

The SPAN/Monitor configuration is valuable when you want to assign different IPS policies per VLAN

or when you have more bandwidth to monitor than one interface can handle.

Configuring Inline Interface Mode

This section describes inline mode on the sensor, and contains the following topics:

Understanding Inline Interface Mode, page 4-16

Configuring Inline Interface Pairs, page 4-17

•

Understanding Inline Interface Mode

Operating in inline interface pair mode puts the IPS directly into the traffic flow and affects

packet-forwarding rates making them slower by adding latency. This allows the sensor to stop attacks by

dropping malicious traffic before it reaches the intended target, thus providing a protective service. Not

only is the inline device processing information on Layers 3 and 4, but it is also analyzing the contents

and payload of the packets for more sophisticated embedded attacks (Layers 3 to 7). This deeper analysis

lets the system identify and stop and/or block attacks that would normally pass through a traditional

firewall device.

In inline interface pair mode, a packet comes in through the first interface of the pair on the sensor and

out the second interface of the pair. The packet is sent to the second interface of the pair unless that

packet is being denied or modified by a signature.

Note

You can configure the ASA IPS modules (ASA 5500-X IPS SSP and ASA 5585-X IPS SSP) to operate

inline even though they have only one sensing interface.

If the paired interfaces are connected to the same switch, you should configure them on the switch as

access ports with different access VLANs for the two ports. Otherwise, traffic does not flow through the

inline interface.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

4-16

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 4 Configuring Interfaces

Configuring Inline Interface Mode

Figure 4-2 illustrates inline interface pair mode:

Figure 4-2 Inline Interface Pair Mode

Traffic passes

through interface pair

VLAN A

Switch

Router

Sensor

Host

Configuring Inline Interface Pairs

Use the inline-interfaces name command in the service interface submode to create inline interface

pairs.

Note

You can configure the ASA IPS modules (ASA 5500-X IPS SSP and ASA 5585-X IPS SSP) to operate

inline even though they have only one sensing interface.

The following options apply:

•

inline-interfaces name—Specifies the name of the logical inline interface pair.

default—Sets the value back to the system default setting.

description—Specifies your description of the inline interface pair.

interface1 interface_name—Specifies the first interface in the inline interface pair.

interface2 interface_name—Specifies the second interface in the inline interface pair.

no—Removes an entry or selection setting.

admin-state {enabled | disabled}—Specifies the administrative link state of the interface, whether

the interface is enabled or disabled.

Note

On all backplane sensing interfaces on all modules, admin-state is set to enabled and is

protected (you cannot change the setting). The admin-state has no effect (and is protected)

on the command and control interface. It only affects sensing interfaces. The command and

control interface does not need to be enabled because it cannot be monitored.

Creating Inline Interface Pairs

To create inline interface pairs, follow these steps:

Step 1

Step 2

Enter interface submode.

sensor# configure terminal

sensor(config)# service interface

sensor(config-int)#

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

4-17

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 4 Configuring Interfaces

Configuring Inline Interface Mode

Step 3

Verify that the subinterface mode is “none” for both of the physical interfaces you are pairing in the

inline interface.

sensor(config-int)# show settings

physical-interfaces (min: 0, max: 999999999, current: 2)

-----------------------------------------------

-----------------------------------------------

media-type: tx <protected>

description: <defaulted>

admin-state: disabled <protected>

duplex: auto <defaulted>

speed: auto <defaulted>

alt-tcp-reset-interface

-----------------------------------------------

none

-----------------------------------------------

subinterface-type

-----------------------------------------------

none

-----------------------------------------------

Step 4

Step 5

Name the inline pair.

sensor(config-int)# inline-interfaces PAIR1

Display the available interfaces.

sensor(config-int)# interface1 ?

GigabitEthernet0/0

GigabitEthernet0/1

GigabitEthernet0/2

GigabitEthernet0/3

Management0/0

GigabitEthernet0/0 physical interface.

GigabitEthernet0/1 physical interface.

GigabitEthernet0/2 physical interface.

GigabitEthernet0/3 physical interface.

Management0/0 physical interface.

Step 6

Step 7

Configure two interfaces into a pair. You must assign the interface to a virtual sensor and enable it before

it can monitor traffic (see Step 10).

sensor(config-int-inl)# interface1 GigabitEthernet0/0

sensor(config-int-inl)# interface2 GigabitEthernet0/1

Add a description of the interface pair.

sensor(config-int-inl)# description PAIR1 Gig0/0 and Gig0/1

Step 8

Step 9

Repeat Steps 4 through 7 for any other interfaces that you want to configure into inline interface pairs.

Verify the settings.

sensor(config-int-inl)# show settings

-----------------------------------------------

description: PAIR1 Gig0/0 & Gig0/1 default:

interface1: GigabitEthernet0/0

interface2: GigabitEthernet0/1

-----------------------------------------------

Step 10 Enable the interfaces assigned to the interface pair.

sensor(config-int)# exit

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

4-18

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 4 Configuring Interfaces

Configuring Inline Interface Mode

sensor(config-int)# physical-interfaces GigabitEthernet0/0

sensor(config-int-phy)# admin-state enabled

sensor(config-int-phy)# exit

sensor(config-int)# physical-interfaces GigabitEthernet0/1

sensor(config-int-phy)# admin-state enabled

sensor(config-int-phy)# exit

sensor(config-int)#

Step 11 Verify that the interfaces are enabled.

sensor(config-int)# show settings

physical-interfaces (min: 0, max: 999999999, current: 5)

-----------------------------------------------

-----------------------------------------------

media-type: tx <protected>

description: <defaulted>

admin-state: enabled default: disabled

duplex: auto <defaulted>

speed: auto <defaulted>

default-vlan: 0 <defaulted>

alt-tcp-reset-interface

-----------------------------------------------

none

-----------------------------------------------

subinterface-type

-----------------------------------------------

none

-----------------------------------------------

-----------------------------------------------

media-type: tx <protected>

description: <defaulted>

admin-state: enabled default: disabled

duplex: auto <defaulted>

speed: auto <defaulted>

default-vlan: 0 <defaulted>

alt-tcp-reset-interface

-----------------------------------------------

none

-----------------------------------------------

subinterface-type

-----------------------------------------------

none

-----------------------------------------------

-----------------------------------------------

media-type: tx <protected>

description: <defaulted>

admin-state: disabled <defaulted>

duplex: auto <defaulted>

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

4-19

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 4 Configuring Interfaces

Configuring Inline Interface Mode

speed: auto <defaulted>

default-vlan: 0 <defaulted>

alt-tcp-reset-interface

-----------------------------------------------

none

-----------------------------------------------

subinterface-type

-----------------------------------------------

none

-----------------------------------------------

-----------------------------------------------

media-type: tx <protected>

--MORE--

Step 12 Delete an inline interface pair and return the interfaces to promiscuous mode. You must also delete the

inline interface pair from the virtual sensor to which it is assigned.

sensor(config-int)# no inline-interfaces PAIR1

Step 13 Verify the inline interface pair has been deleted.

sensor(config-int)# show settings

-----------------------------------------------

command-control: Management0/0 <protected>

inline-interfaces (min: 0, max: 999999999, current: 0)

-----------------------------------------------

bypass-mode: auto <defaulted>

interface-notifications

-----------------------------------------------

Step 14 Exit interface configuration submode.

sensor(config-int)# exit

Apply Changes:?[yes]:

Step 15 Press Enter to apply the changes or enter no to discard them.

For More Information

•

For the procedure for configuring inline interface mode for the ASA 5500-X IPS SSP, see Assigning

Virtual Sensors to Adaptive Security Appliance Contexts, page 18-7.

For the procedure for configuring inline interface mode for the ASA 5585-X IPS SSP, see Assigning

Virtual Sensors to Adaptive Security Appliance Contexts, page 19-7.

For the procedure for assigning inline interface pairs to a virtual sensor, or deleting the inline

interface pair from the virtual sensor to which it is assigned, see Adding, Editing, and Deleting

Virtual Sensors, page 5-4.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

4-20

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 4 Configuring Interfaces

Configuring Inline VLAN Pair Mode

This section describes inline VLAN pair mode and how to configure inline VLAN pairs. It contains the

following topics:

•

Understanding Inline VLAN Pair Mode, page 4-21

Configuring Inline VLAN Pairs, page 4-22

Understanding Inline VLAN Pair Mode

Note

The ASAIPS modules (ASA 5500-X IPS SSP and ASA 5585-X IPS SSP) do not support inline VLAN

pairs.

You can associate VLANs in pairs on a physical interface. This is known as inline VLAN pair mode.

Packets received on one of the paired VLANs are analyzed and then forwarded to the other VLAN in the

pair.

Inline VLAN pair mode is an active sensing mode where a sensing interface acts as an 802.1q trunk port,

and the sensor performs VLAN bridging between pairs of VLANs on the trunk. The sensor inspects the

traffic it receives on each VLAN in each pair, and can either forward the packets on the other VLAN in

the pair, or drop the packet if an intrusion attempt is detected. You can configure an IPS sensor to

simultaneously bridge up to 255 VLAN pairs on each sensing interface. The sensor replaces the

VLAN ID field in the 802.1q header of each received packet with the ID of the egress VLAN on which

the sensor forwards the packet. The sensor drops all packets received on any VLANs that are not

assigned to inline VLAN pairs.

Note

You cannot use the default VLAN as one of the paired VLANs in an inline VLAN pair.

Figure 4-3 illustrates inline VLAN pair mode:

Figure 4-3

Inline VLAN Pair Mode

Switch

VLAN B VLAN A

Router

Host

Trunk port carrying

VLAN A and B

Pairing VLAN A and B

Sensor

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

4-21

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 4 Configuring Interfaces

Configuring Inline VLAN Pair Mode

Configuring Inline VLAN Pairs

Use the physical-interfaces interface_name command in the service interface submode to configure

inline VLAN pairs. The interface name is FastEthernet or GigabitEthernet.

The following options apply:

•

admin-state {enabled | disabled}—Specifies the administrative link state of the interface, whether

the interface is enabled or disabled.

Note

On all backplane sensing interfaces on all modules, admin-state is set to enabled and is

protected (you cannot change the setting). The admin-state has no effect (and is protected)

on the command and control interface. It only affects sensing interfaces. The command and

control interface does not need to be enabled because it cannot be monitored.

•

default—Sets the value back to the system default setting.

description—Specifies the description of the interface.

duplex—Specifies the duplex setting of the interface:

–

auto—Sets the interface to auto negotiate duplex.

full—Sets the interface to full duplex.

half—Sets the interface to half duplex.

Note

The duplex option is protected on all modules.

•

no—Removes an entry or selection setting.

speed—Specifies the speed setting of the interface:

–

auto—Sets the interface to auto negotiate speed.

10—Sets the interface to 10 MB (for TX interfaces only).

100—Sets the interface to 100 MB (for TX interfaces only).

1000—Sets the interface to 1 GB (for Gigabit interfaces only).

Note

The speed option is protected on all modules.

•

subinterface-type—Specifies that the interface is a subinterface and what type of subinterface is

defined.

–

inline-vlan-pair—Lets you define the subinterface as an inline VLAN pair.

none—No subinterfaces defined.

subinterface name—Defines the subinterface as an inline VLAN pair:

–

vlan1—Specifies the first VLAN in the inline VLAN pair.

vlan2—Specifies the second VLAN in the inline VLAN pair.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

4-22

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 4 Configuring Interfaces

Configuring Inline VLAN Pair Mode

Configuring Inline VLAN Pairs

To configure the inline VLAN pair settings on the sensor, follow these steps:

Step 1

Step 2

Enter interface submode.

sensor# configure terminal

sensor(config)# service interface

sensor(config-int)#

Step 3

Verify if any inline interfaces exist (the subinterface type should read “none” if no inline interfaces have

been configured).

sensor(config-int)# show settings

physical-interfaces (min: 0, max: 999999999, current: 5)

-----------------------------------------------

-----------------------------------------------

media-type: tx <protected>

description: <defaulted>

admin-state: disabled <defaulted>

duplex: auto <defaulted>

speed: auto <defaulted>

alt-tcp-reset-interface

-----------------------------------------------

none

-----------------------------------------------

subinterface-type

-----------------------------------------------

none

-----------------------------------------------

-----------------------------------------------

media-type: tx <protected>

description: <defaulted>

admin-state: disabled <defaulted>

duplex: auto <defaulted>

speed: auto <defaulted>

alt-tcp-reset-interface

-----------------------------------------------

none

-----------------------------------------------

subinterface-type

-----------------------------------------------

none

-----------------------------------------------

-----------------------------------------------

media-type: tx <protected>

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

4-23

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 4 Configuring Interfaces

Configuring Inline VLAN Pair Mode

description: <defaulted>

admin-state: disabled <defaulted>

duplex: auto <defaulted>

speed: auto <defaulted>

alt-tcp-reset-interface

-----------------------------------------------

none

-----------------------------------------------

subinterface-type

-----------------------------------------------

none

-----------------------------------------------

-----------------------------------------------

media-type: tx <protected>

description: <defaulted>

admin-state: disabled <defaulted>

duplex: auto <defaulted>

speed: auto <defaulted>

alt-tcp-reset-interface

-----------------------------------------------

none

-----------------------------------------------

subinterface-type

-----------------------------------------------

none

-----------------------------------------------

-----------------------------------------------

media-type: tx <protected>

description: <defaulted>

admin-state: disabled <protected>

duplex: auto <defaulted>

speed: auto <defaulted>

alt-tcp-reset-interface

-----------------------------------------------

none

-----------------------------------------------

subinterface-type

-----------------------------------------------

none

-----------------------------------------------

command-control: Management0/0 <protected>

inline-interfaces (min: 0, max: 999999999, current: 0)

-----------------------------------------------

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

4-24

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 4 Configuring Interfaces

Configuring Inline VLAN Pair Mode

bypass-mode: auto <defaulted>

interface-notifications

-----------------------------------------------

missed-percentage-threshold: 0 percent <defaulted>

notification-interval: 30 seconds <defaulted>

idle-interface-delay: 30 seconds <defaulted>

-----------------------------------------------

sensor(config-int)#

Step 4

Step 5

If there are inline interfaces that are using this physical interface, remove them. You must also delete the

inline interface from the virtual sensor to which it is assigned.

sensor(config-int)# no inline-interfaces interface_name

Display the list of available interfaces.

sensor(config-int)# physical-interfaces ?

GigabitEthernet0/0

GigabitEthernet0/1

GigabitEthernet0/2

GigabitEthernet0/3

Management0/0

GigabitEthernet0/0 physical interface.

GigabitEthernet0/1 physical interface.

GigabitEthernet0/2 physical interface.

GigabitEthernet0/3 physical interface.

Management0/0 physical interface.

sensor(config-int)# physical-interfaces

Step 6

Step 7

Designate an interface.

sensor(config-int)# physical-interfaces GigabitEthernet0/2

Enable the interface. You must assign the interface to a virtual sensor and enable it before it can monitor

traffic.

sensor(config-int-phy)# admin-state enabled

Step 8

Step 9

Add a description of this interface.

sensor(config-int-phy)# description INT1

Configure the duplex settings. This option is not available on the ASA IPS modules

(ASA 5500-X IPS SSP and ASA 5585-X IPS SSP).

sensor(config-int-phy)# duplex full

Step 10 Configure the speed. This option is not available on the ASA IPS modules (ASA 5500-X IPS SSP and

ASA 5585-X IPS SSP).

sensor(config-int-phy)# speed 1000

Step 11 Set up the inline VLAN pair.

sensor(config-int-phy)# subinterface-type inline-vlan-pair

sensor(config-int-phy-inl)# subinterface 1

sensor(config-int-phy-inl-sub)# vlan1 52

sensor(config-int-phy-inl-sub)# vlan2 53

Step 12 Add a description for the inline VLAN pair.

sensor(config-int-phy-inl-sub)# description INT1 vlans 52 and 53

Step 13 Verify the inline VLAN pair settings.

sensor(config-int-phy-inl-sub)# show settings

subinterface-number: 1

-----------------------------------------------

description: INT1 vlans 52 and 53 default:

vlan1: 52

vlan2: 53

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

4-25

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 4 Configuring Interfaces

Configuring VLAN Group Mode

-----------------------------------------------

sensor(config-int-phy-inl-sub)#

Step 14 To delete VLAN pairs:

a. Delete one VLAN pair.

sensor(config-int-phy-inl-sub)# exit

sensor(config-int-phy-inl)# no subinterface 1

If this VLAN pair is the last one on the sensor, you receive the following error message:

Error: This "subinterface-type" contains less than the required number of

"subinterface" entries. Please add entry(s) to reach the minimum required entries or

select a different "subinterface-type".

Go to Step b to remove the last VLAN pair.

b. Delete all VLAN pairs.

sensor(config-int-phy-inl-sub)# exit

sensor(config-int-phy-inl)# exit

sensor(config-int-phy)# subinterface-type none

Step 15 Exit interface submode. You must also delete the interface from the virtual sensor to which it is assigned.

sensor(config-int-phy-inl-sub)# exit

sensor(config-int-phy-inl)# exit

sensor(config-int-phy)# exit

sensor(config-int)# exit

Apply Changes:?[yes]:

Step 16 Press Enter to apply the changes or enter no to discard them.

For More Information

For the procedure for assigning inline interface pairs to a virtual sensor, or deleting the inline interface

pair from the virtual sensor to which it is assigned, see Adding, Editing, and Deleting Virtual Sensors,

page 5-4.

Configuring VLAN Group Mode

This section describes VLAN Group mode and how to configure VLAN groups. It contains the following

topics:

•

Understanding VLAN Group Mode, page 4-26

Deploying VLAN Groups, page 4-27

Configuring VLAN Groups, page 4-28

Understanding VLAN Group Mode

Note

The ASAIPS modules (ASA 5500-X IPS SSP and ASA 5585-X IPS SSP) do not support VLAN groups

mode.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

4-26

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 4 Configuring Interfaces

Configuring VLAN Group Mode

You can divide each physical interface or inline interface into VLAN group subinterfaces, each of which

consists of a group of VLANs on that interface. Analysis Engine supports multiple virtual sensors, each

of which can monitor one or more of these interfaces. This lets you apply multiple policies to the same

sensor. The advantage is that now you can use a sensor with only a few interfaces as if it had many

interfaces.

Note

You cannot divide physical interfaces that are in inline VLAN pairs into VLAN groups.

VLAN group subinterfaces associate a set of VLANs with a physical or inline interface. No VLAN can

be a member of more than one VLAN group subinterface. Each VLAN group subinterface is identified

by a number between 1 and 255. Subinterface 0 is a reserved subinterface number used to represent the

entire unvirtualized physical or logical interface. You cannot create, delete, or modify subinterface 0 and

no statistics are reported for it.

An unassigned VLAN group is maintained that contains all VLANs that are not specifically assigned to

another VLAN group. You cannot directly specify the VLANs that are in the unassigned group. When a

VLAN is added to or deleted from another VLAN group subinterface, the unassigned group is updated.

Packets in the native VLAN of an 802.1q trunk do not normally have 802.1q encapsulation headers to

identify the VLAN number to which the packets belong. A default VLAN variable is associated with

each physical interface and you should set this variable to the VLAN number of the native VLAN or to 0.

The value 0 indicates that the native VLAN is either unknown or you do not care if it is specified. If the

default VLAN setting is 0, the following occurs:

•

Any alerts triggered by packets without 802.1q encapsulation have a VLAN value of 0 reported in

the alert.

•

Non-802.1q encapsulated traffic is associated with the unassigned VLAN group and it is not

possible to assign the native VLAN to any other VLAN group.

Note

You can configure a port on a switch as either an access port or a trunk port. On an access port, all traffic

is in a single VLAN is called the access VLAN. On a trunk port, multiple VLANs can be carried over

the port, and each packet has a special header attached called the 802.1q header that contains the VLAN

ID. This header is commonly referred as the VLAN tag. However, a trunk port has a special VLAN called

the native VLAN. Packets in the native VLAN do not have the 802.1q headers attached.

Deploying VLAN Groups

Because a VLAN group of an inline pair does not translate the VLAN ID, an inline paired interface must

exist between two switches to use VLAN groups on a logical interface. For an appliance, you can connect

the two pairs to the same switch, make them access ports, and then set the access VLANs for the two

ports differently. In this configuration, the sensor connects between two VLANs, because each of the

two ports is in access mode and carries only one VLAN. In this case the two ports must be in different

VLANs, and the sensor bridges the two VLANs, monitoring any traffic that flows between the two

VLANs.

You can also connect appliances between two switches. There are two variations. In the first variation,

the two ports are configured as access ports, so they carry a single VLAN. In this way, the sensor bridges

a single VLAN between the two switches.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

4-27

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 4 Configuring Interfaces

Configuring VLAN Group Mode

In the second variation, the two ports are configured as trunk ports, so they can carry multiple VLANs.

In this configuration, the sensor bridges multiple VLANs between the two switches. Because multiple

VLANs are carried over the inline interface pair, the VLANs can be divided into groups and each group

can be assigned to a virtual sensor.

Configuring VLAN Groups

Use the physical-interfaces interface_name command in the service interface submode to configure

inline VLAN groups. The interface name is FastEthernet or GigabitEthernet.

The following options apply:

•

admin-state {enabled | disabled}—Specifies the administrative link state of the interface, whether

the interface is enabled or disabled.

Note

On all backplane sensing interfaces on all modules, admin-state is set to enabled and is

protected (you cannot change the setting). The admin-state has no effect (and is protected)

on the command and control interface. It only affects sensing interfaces. The command and

control interface does not need to be enabled because it cannot be monitored.

•

default—Sets the value back to the system default setting.

description—Specifies the description of the interface.

duplex—Specifies the duplex setting of the interface:

–

auto—Sets the interface to auto negotiate duplex.

full—Sets the interface to full duplex.

half—Sets the interface to half duplex.

Note

The duplex option is protected on all modules.

•

no—Removes an entry or selection setting.

speed—Specifies the speed setting of the interface:

–

auto—Sets the interface to auto negotiate speed.

10—Sets the interface to 10 MB (for TX interfaces only).

100—Sets the interface to 100 MB (for TX interfaces only).

1000—Sets the interface to 1 GB (for Gigabit interfaces only).

Note

The speed option is protected on all modules.

•

subinterface-type—Specifies that the interface is a subinterface and what type of subinterface is

defined.

–

vlan-group—Lets you define the subinterface as a VLAN group.

none—Speechifies that no subinterfaces are defined.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

4-28

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 4 Configuring Interfaces

Configuring VLAN Group Mode

•

subinterface name—Defines the subinterface as a VLAN group:

–

vlans {range | unassigned}—Specifies the set of VLANs in the VLAN group. The value for

range is 1 to 4095 in a comma-separated pattern of individual VLAN IDs or ranges:

1,5-8,10-15. There are no spaces between the entries.

Configuring Inline VLAN Groups

To configure the inline VLAN group settings on the sensor, follow these steps:

Step 1

Step 2

Enter interface submode.

sensor# configure terminal

sensor(config)# service interface

sensor(config-int)#

Step 3

Verify if any inline interfaces exist (the subinterface type should read “none” if no inline interfaces have

been configured).

sensor(config-int)# show settings

physical-interfaces (min: 0, max: 999999999, current: 5)

-----------------------------------------------

-----------------------------------------------

media-type: tx <protected>

description: <defaulted>

admin-state: disabled <defaulted>

duplex: auto <defaulted>

speed: auto <defaulted>

alt-tcp-reset-interface

-----------------------------------------------

none

-----------------------------------------------

subinterface-type

-----------------------------------------------

none

-----------------------------------------------

-----------------------------------------------

media-type: tx <protected>

description: <defaulted>

admin-state: disabled <defaulted>

duplex: auto <defaulted>

speed: auto <defaulted>

alt-tcp-reset-interface

-----------------------------------------------

none

-----------------------------------------------

subinterface-type

-----------------------------------------------

none

-----------------------------------------------

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

4-29

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 4 Configuring Interfaces

Configuring VLAN Group Mode

-----------------------------------------------

-----------------------------------------------

media-type: tx <protected>

description: <defaulted>

admin-state: disabled <defaulted>

duplex: auto <defaulted>

speed: auto <defaulted>

alt-tcp-reset-interface

-----------------------------------------------

none

-----------------------------------------------

subinterface-type

-----------------------------------------------

none

-----------------------------------------------

-----------------------------------------------

media-type: tx <protected>

description: <defaulted>

admin-state: disabled <defaulted>

duplex: auto <defaulted>

speed: auto <defaulted>

alt-tcp-reset-interface

-----------------------------------------------

none

-----------------------------------------------

subinterface-type

-----------------------------------------------

none

-----------------------------------------------

-----------------------------------------------

media-type: tx <protected>

description: <defaulted>

admin-state: disabled <protected>

duplex: auto <defaulted>

speed: auto <defaulted>

alt-tcp-reset-interface

-----------------------------------------------

none

-----------------------------------------------

subinterface-type

-----------------------------------------------

none

-----------------------------------------------

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

4-30

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 4 Configuring Interfaces

Configuring VLAN Group Mode

-----------------------------------------------

command-control: Management0/0 <protected>

inline-interfaces (min: 0, max: 999999999, current: 0)

-----------------------------------------------

bypass-mode: auto <defaulted>

interface-notifications

-----------------------------------------------

missed-percentage-threshold: 0 percent <defaulted>

notification-interval: 30 seconds <defaulted>

idle-interface-delay: 30 seconds <defaulted>

-----------------------------------------------

sensor(config-int)#

Step 4

Step 5

If there are inline interfaces that are using this physical interface, remove them.

sensor(config-int)# no inline-interfaces interface_name

Display the list of available interfaces.

sensor(config-int)# physical-interfaces ?

GigabitEthernet0/0

GigabitEthernet0/1

GigabitEthernet0/2

GigabitEthernet0/3

Management0/0

GigabitEthernet0/0 physical interface.

GigabitEthernet0/1 physical interface.

GigabitEthernet0/2 physical interface.

GigabitEthernet0/3 physical interface.

Management0/0 physical interface.

sensor(config-int)# physical-interfaces

Step 6

Step 7

Specify an interface.

sensor(config-int)# physical-interfaces GigabitEthernet0/2

Enable the interface. You must also assign the interface to a virtual sensor and enable it before it can

monitor traffic.

sensor(config-int-phy)# admin-state enabled

Step 8

Step 9

Add a description of this interface.

sensor(config-int-phy)# description INT1

Specify the duplex settings. This option is not available on the ASA IPS modules (ASA 5500-X IPS SSP

and ASA 5585-X IPS SSP).

sensor(config-int-phy)# duplex full

Step 10 Specify the speed. This option is not available on the ASA IPS modules (ASA 5500-X IPS SSP and

ASA 5585-X IPS SSP).

sensor(config-int-phy)# speed 1000

Step 11 Set up the VLAN group.

sensor(config-int-phy)# subinterface-type vlan-group

sensor(config-int-phy-vla)# subinterface 1

Step 12 Assign the VLANs to this group:

a. Assign specific VLANs.

sensor(config-int-phy-vla-sub)# vlans range 1,5-8,10-15

sensor(config-int-phy-vla-sub)#

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

4-31

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 4 Configuring Interfaces

Configuring VLAN Group Mode

b. Verify the settings.

sensor(config-int-phy-vla-sub)# show settings

subinterface-number: 1

-----------------------------------------------

description: <defaulted>

vlans

-----------------------------------------------

range: 1,5-8,10-15

-----------------------------------------------

sensor(config-int-phy-vla-sub)#

c. Configure unassigned VLANs.

sensor(config-int-phy-vla-sub)# vlans unassigned

sensor(config-int-phy-vla-sub)#

d. Verify the settings.

sensor(config-int-phy-vla-sub)# show settings

subinterface-number: 1

-----------------------------------------------

description: <defaulted>

vlans

-----------------------------------------------

unassigned

-----------------------------------------------

sensor(config-int-phy-vla-sub)#

Note

Assigning the unassigned VLANs to a separate virtual sensor allows you to specify a policy

for all VLANs that you have not specifically assigned to other groups. For example, you can

group your important internal VLANs in one group and apply a stringent security policy to

that group. You can group the other less important unassigned VLANs into another group,

and apply the default security policy to that group, so that only very serious alerts are

reported.

Step 13 Add a description for the VLAN group.

sensor(config-int-phy-inl-sub)# description INT1 vlans 52 and 53

Step 14 Verify the VLAN group settings.

sensor(config-int-phy-vla-sub)# show settings

subinterface-number: 1

-----------------------------------------------

description: GROUP1 default:

vlans

-----------------------------------------------

unassigned

-----------------------------------------------

sensor(config-int-phy-vla-sub)#

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

4-32

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 4 Configuring Interfaces

Configuring Inline Bypass Mode

Step 15 Delete VLAN groups:

a. Delete one VLAN group.

sensor(config-int-phy-vla-sub)# exit

sensor(config-int-phy-vla)# no subinterface 1

If this VLAN group is the last one on the sensor, you receive an error message.

Error: This "subinterface-type" contains less than the required number of

"subinterface" entries. Please add entry(s) to reach the minimum required entries or

select a different "subinterface-type".

Go to Step b to remove the last VLAN group.

b. Delete all VLAN groups. You must also delete the VLAN group from the virtual sensor to which it

is assigned.

sensor(config-int-phy-vla-sub)# exit

sensor(config-int-phy-vla)# exit

sensor(config-int-phy)# subinterface-type none

Step 16 Exit interface submode.

sensor(config-int-phy-vla-sub)# exit

sensor(config-int-phy-vla)# exit

sensor(config-int-phy)# exit

sensor(config-int)# exit

Apply Changes:?[yes]:

Step 17 Press Enter to apply the changes or enter no to discard them.

For More Information

For the procedure for assigning inline interface pairs to a virtual sensor, or deleting the inline interface

pair from the virtual sensor to which it is assigned, see Adding, Editing, and Deleting Virtual Sensors,

page 5-4.

Configuring Inline Bypass Mode

This section describes inline bypass mode for sensors configured as inline interface and inline VLAN

pairs, and contains the following topics:

•

Understanding Inline Bypass Mode, page 4-33

Configuring Inline Bypass Mode, page 4-34

Understanding Inline Bypass Mode

Note

The ASA 5500-X IPS SSP and the ASA 5585-X IPS SSP do not support bypass mode. The adaptive

security appliance will either fail open, fail close, or fail over depending on the configuration of the

adaptive security appliance and the type of activity being done on the IPS.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

4-33

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 4 Configuring Interfaces

Configuring Inline Bypass Mode

Caution

There are security consequences when you put the sensor in bypass mode. When bypass mode is on, the

traffic bypasses the sensor and is not inspected; therefore, the sensor cannot prevent malicious attacks.

As with signature updates, when the sensor applies a global correlation update, it may trigger bypass.

Whether or not bypass is triggered depends on the traffic load of the sensor and the size of the

signature/global correlation update. If bypass mode is turned off, an inline sensor stops passing traffic

while the update is being applied.

You can use inline bypass as a diagnostic tool and a failover protection mechanism. Normally, the sensor

Analysis Engine performs packet analysis. When inline bypass is activated, the Analysis Engine is

bypassed, allowing traffic to flow through the inline interfaces and inline VLAN pairs without

inspection. Inline bypass ensures that packets continue to flow through the sensor when the sensor

processes are temporarily stopped for upgrades or when the sensor monitoring processes fail. There are

three modes: on, off, and automatic. By default, bypass mode is set to automatic.

The inline bypass functionality is implemented in software, so it only functions when the operating

system is running. If the sensor is powered off or shut down, inline bypass does not work—traffic does

not flow through the sensor.

For IPS 4510 and IPS 4520, when the SensorApp is not running or if bypass mode is on, the following

occurs:

•

The output from the packet capture/display command does not show any packets.

The show interface and show interface interface_name commands do not show VLAN statistics.

Configuring Inline Bypass Mode

Use the bypass-mode command in the service interface submode to configure bypass mode. The

following options apply:

•

off—Turns off inline bypassing. Packet inspection is performed on inline data traffic. However,

inline traffic is interrupted if the Analysis Engine is stopped.

on—Turns on inline bypassing. No packet inspection is performed on the traffic. Inline traffic

continues to flow even if the Analysis Engine is stopped.

auto—Turns on automatic bypassing. The sensor automatically begins bypassing inline packet

inspection if the Analysis Engine stops processing packets. This prevents data interruption on inline

interfaces. This is the default.

Configuring Bypass Mode

To configure bypass mode, follow these steps:

Step 1

Step 2

Enter interface submode.

sensor# configure terminal

sensor(config)# service interface

Step 3

Configure bypass mode.

sensor(config-int)# bypass-mode off

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

4-34

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 4 Configuring Interfaces

Configuring Interface Notifications

Step 4

Verify the settings.

sensor(config-int)# show settings

-----------------------------------------------

bypass-mode: off default: auto

interface-notifications

-----------------------------------------------

missed-percentage-threshold: 0 percent <defaulted>

notification-interval: 30 seconds <defaulted>

idle-interface-delay: 30 seconds <defaulted>

-----------------------------------------------

sensor(config-int)#

Step 5

Step 6

Exit interface submode.

sensor(config-int)# exit

Apply Changes:?[yes]:

Press Enter to apply the changes or enter no to discard them.

For More Information

For more information on inline bypass mode, see Configuring Inline Bypass Mode, page 4-33.

Configuring Interface Notifications

You can configure the sensor to monitor the flow of packets across an interface and send notification if

that flow changes (starts/stops) during a specified interval. You can configure the missed packet

threshold within a specific notification interval and also configure the interface idle delay before a status

event is reported.

Use the interface-notifications command in the service interface submode to configure traffic

notifications.

The following options apply:

•

default—Sets the value back to the system default setting.

idle-interface-delay—Specifies the number of seconds an interface must be idle before sending a

notification. The valid range is 5 to 3600. The default is 30 seconds.

•

missed-percentage-threshold—Specifies the percentage of packets that must be missed during a

specified interval before notification will be sent. The valid range is 0 to 100. The default is 0.

notification-interval—Specifies the interval to check for missed packet percentage. The valid range

is 5 to 3600. The default is 30 seconds

Configuring Interface Notifications

To configure the interface notification settings, follow these steps:

Step 1

Step 2

Enter global configuration mode.

sensor# configure terminal

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

4-35

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 4 Configuring Interfaces

Configuring CDP Mode

Step 3

Step 4

Step 5

Step 6

Step 7

Step 8

Enter interface submode.

sensor(config)# service interface

Enter interface notifications submode.

sensor(config-int)# interface-notifications

Specify the idle interface delay.

sensor(config-int-int)# idle-interface-delay 60

Specify the missed percentage threshold.

sensor(config-int-int)# missed-percentage-threshold 1

Specify the notification interval.

sensor(config-int-int)# notification-interval 60

Verify the settings.

sensor(config-int-int)# show settings

interface-notifications

-----------------------------------------------

missed-percentage-threshold: 1 percent default: 0

notification-interval: 60 seconds default: 30

idle-interface-delay: 60 seconds default: 30

-----------------------------------------------

sensor(config-int-int)#

Step 9

Exit interface notifications submode.

sensor(config-int-int)# exit

sensor(config-int)# exit

Apply Changes:?[yes]:

Step 10 Press Enter to apply the changes or enter no to discard them.

Configuring CDP Mode

Note

The ASA 5500-X IPS SSP and the ASA 5585-X IPS SSP do not support CDP mode.

You can configure the sensor to enable or disable the forwarding of CDP packets. This action applies

globally to all interfaces.

Cisco Discovery Protocol is a media- and protocol-independent device-discovery protocol that runs on

all Cisco-manufactured equipment, including routers, access servers, bridges, and switches. Using CDP,

a device can advertise its existence to other devices and receive information about other devices on the

same LAN or on the remote side of a WAN. CDP runs on all media that support SNAP, including LANs,

Frame Relay, and ATM media.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

4-36

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 4 Configuring Interfaces

Configuring CDP Mode

User the cdp-mode command in service interface mode to have the sensor either forward or drop CDP

packets.

The following option applies:

•

cdp-mode {forward-cdp-packets | drop-cdp-packets}—Configures the sensor to either forward

CDP packets or drop CDP packets. The default is drop-cdp-packets.

Enabling CDP Mode

To configure CDP mode, follow these steps:

Step 1

Step 2

Enter interface submode.

sensor# configure terminal

sensor(config)# service interface

Step 3

Step 4

Enable CDP mode.

sensor(config-int)# cdp-mode forward-cdp-packets

Verify the settings.

sensor(config-int)# show settings

-----------------------------------------------

bypass-mode: auto <defaulted>

interface-notifications

-----------------------------------------------

missed-percentage-threshold: 0 percent <defaulted>

notification-interval: 30 seconds <defaulted>

idle-interface-delay: 30 seconds <defaulted>

-----------------------------------------------

cdp-mode: forward-cdp-packets default: drop-cdp-packets

sensor(config-int)#

Displaying Interface Statistics

Note

The show interface command output for the IPS 4510 and IPS 4520 does not include the total undersize

packets or total transmit FIFO overruns.

Note

When the IPS 4510 and IPS 4520 are in bypass mode, VLAN statistics in the show interface and packet

display/capture command output do not show any packets.

The jumbo packet count in the show interface command output from the lines Total Jumbo Packets

Received and Total Jumbo Packets Transmitted for ASA IPS modules may be larger than expected

due to some packets that were almost jumbo size on the wire being counted as jumbo size by the IPS.

This miscount is a result of header bytes added to the packet by the ASA before the packet is transmitted

to the IPS. For IPv4, 58 bytes of header data are added. For IPv6, 78 bytes of header data are added. The

ASA removes the added IPS header before the packet leaves the ASA.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

4-37

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 4 Configuring Interfaces

Configuring CDP Mode

Use the show interfaces [clear | brief] command in EXEC mode to display statistics for all system

interfaces. Use the show interfaces {FastEthernet | GigabitEthernet | Management | PortChannel}

[slot/port] command to display statistics for specific interfaces.

The following options apply:

•

clear—(Optional) Clears the diagnostics.

brief—(Optional) Displays a summary of the usability status information for each interface.

FastEthernet—Displays statistics for FastEthernet interfaces.

GigabitEthernet—Displays statistics for GigabitEthernet interfaces.

Management—Displays statistics for Management interfaces.

Note

Only platforms with external ports marked Management support this keyword.

•

PortChannel—Displays statistics for PortChannel interfaces

slot/port—Displays statistics for the specific slot/port of the interface.

To display interface statistics, follow these steps:

Step 1

Step 2

Display statistics for all interfaces.

sensor# show interfaces

Interface Statistics

Total Packets Received = 0

Total Bytes Received = 0

Missed Packet Percentage = 0

Current Bypass Mode = Auto_off

MAC statistics from interface GigabitEthernet0/0

Statistics From Subinterface 12

Vlans in this group = 12

Total Packets Received On This Vlan Group = 0

Total Bytes Received On This Vlan Group = 0

Total Packets Transmitted On This Vlan Group = 0

Total Bytes Transmitted On This Vlan Group = 0

Statistics From Subinterface 16

Vlans in this group = 10

Total Packets Received On This Vlan Group = 0

Total Bytes Received On This Vlan Group = 0

Total Packets Transmitted On This Vlan Group = 0

Total Bytes Transmitted On This Vlan Group = 0

Statistics From Subinterface 25

Vlans in this group = 11

Total Packets Received On This Vlan Group = 0

Total Bytes Received On This Vlan Group = 0

Total Packets Transmitted On This Vlan Group = 0

Total Bytes Transmitted On This Vlan Group = 0

--MORE--

Step 3

Show a brief summary of the interfaces. The * indicates that the interface is the command and control

interface.

sensor# show interfaces brief

Interface

GigabitEthernet0/0

Management0/0

Sensing State

Disabled

Link

Down

Inline Mode

Unpaired

Pair Status

N/A

GigabitEthernet0/1

Disabled

Down

Unpaired

N/A

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

4-38

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 4 Configuring Interfaces

Configuring CDP Mode

GigabitEthernet0/2

GigabitEthernet0/3

sensor#

Disabled

Down

Unpaired

N/A

Step 4

Display the statistics for a specific interface.

sensor# show interfaces Management0/0

MAC statistics from interface Management0/0

Interface function = Command-control interface

Description =

Media Type = TX

Default Vlan = 0

Link Status = Up

Link Speed = Auto_100

Link Duplex = Auto_Full

Total Packets Received = 4305909

Total Bytes Received = 280475712

Total Multicast Packets Received = 0

Total Receive Errors = 0

Total Receive FIFO Overruns = 0

Total Packets Transmitted = 973627

Total Bytes Transmitted = 437632618

Total Transmit Errors = 0

Total Transmit FIFO Overruns = 0

sensor#

Step 5

Clear the statistics.

sensor# show interfaces clear

Interface Statistics

Total Packets Received = 0

Total Bytes Received = 0

Missed Packet Percentage = 0

Current Bypass Mode = Auto_off

MAC statistics from interface GigabitEthernet0/0

Statistics From Subinterface 12

Vlans in this group = 12

Total Packets Received On This Vlan Group = 0

Total Bytes Received On This Vlan Group = 0

Total Packets Transmitted On This Vlan Group = 0

Total Bytes Transmitted On This Vlan Group = 0

Statistics From Subinterface 16

Vlans in this group = 10

Total Packets Received On This Vlan Group = 0

Total Bytes Received On This Vlan Group = 0

Total Packets Transmitted On This Vlan Group = 0

Total Bytes Transmitted On This Vlan Group = 0

Statistics From Subinterface 25

Vlans in this group = 11

Total Packets Received On This Vlan Group = 0

Total Bytes Received On This Vlan Group = 0

Total Packets Transmitted On This Vlan Group = 0

Total Bytes Transmitted On This Vlan Group = 0

--MORE--

For More Information

For information on slot and port numbers and which platforms have a Management port, refer to Cisco

Intrusion Prevention System Appliances and Modules Installation Guide for IPS 7.2.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

4-39

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 4 Configuring Interfaces

Displaying Interface Traffic History

Use the show interfaces-history [traffic-by-hour | traffic-by-minute] command in EXEC mode to

display historical interfaces statistics for all system interfaces. The historical information for each

interface is maintained for three days with 60 seconds granularity. Use the show interfaces-history

{FastEthernet | GigabitEthernet | Management | PortChannel} [traffic-by-hour |

traffic-by-minute] command to display statistics for specific interfaces.

Note

You must have health monitoring enabled to support the historic interface function.

Each record has the following details:

•

Total packets received

Total bytes received

FIFO overruns

Receive errors

Received Mbps

Missed packet percentage

Average load

Peak load

Note

Historical data for each interface for the past 72 hours is also included in the show tech-support

command.

The following options apply:

•

traffic-by-hour—Displays interface traffic history by the hour.

traffic-by-minute—Displays interface traffic history by the minute.

past—Displays historical interface traffic information.

HH:MM—Specifies the amount of time to go back in the past to begin the traffic display. The range

for HH is 0 to 72. The range for MM is 0 to 59. The minimum value is 00:01 and the maximum value

is 72:00.

•

FastEthernet—Displays statistics for FastEthernet interfaces.

GigabitEthernet—Displays statistics for GigabitEthernet interfaces.

Management—Displays statistics for Management interfaces.

Note

Only platforms with external ports marked Management support this keyword.

•

PortChannel—Displays statistics for PortChannel interfaces.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

4-40

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 4 Configuring Interfaces

Displaying Interface Traffic History

Displaying Historical Interface Statistics

To display interface traffic history, follow these steps:

Step 1

Step 2

Display the interface traffic history by the hour.

sensor# show interfaces-history traffic-by-hour past 02:15

GigabitEthernet0/0

Time

FIFO Overruns

11:30:31 UTC Tue Mar 05 2013

10:27:32 UTC Tue Mar 05 2013

Packets Received

Bytes Received

Mbps

MPP

Receive Errors

Avg Load

Peak Load

GigabitEthernet0/1

Time

Packets Received

Bytes Received

Mbps

MPP

FIFO Overruns

Receive Errors

Avg Load

Peak Load

11:30:31 UTC Tue Mar 05 2013

10:27:32 UTC Tue Mar 05 2013

GigabitEthernet0/2

Time

Packets Received

Bytes Received

Mbps

MPP

FIFO Overruns

Receive Errors

Avg Load

Peak Load

11:30:31 UTC Tue Mar 05 2013

10:27:32 UTC Tue Mar 05 2013

GigabitEthernet0/3

Time

Packets Received

Bytes Received

Mbps

MPP

FIFO Overruns

Receive Errors

Avg Load

Peak Load

11:30:31 UTC Tue Mar 05 2013

10:27:32 UTC Tue Mar 05 2013

Management0/0

Time

FIFO Overruns

11:30:31 UTC Tue Mar 05 2013

Packets Received

Avg Load

31071600

Bytes Received

3240924703

Mbps

MPP

Receive Errors

Peak Load

10:27:32 UTC Tue Mar 05 2013

30859941

3216904786

--MORE--

Step 3

Display the interface traffic history by the minute.

sensor# show interfaces-history traffic-by-minute past 00:45

GigabitEthernet0/0

Time

FIFO Overruns

12:27:49 UTC Tue Mar 05 2013

12:26:45 UTC Tue Mar 05 2013

12:25:48 UTC Tue Mar 05 2013

Packets Received

Bytes Received

Mbps

MPP

Receive Errors

Avg Load

Peak Load

12:24:42 UTC Tue Mar 05 2013

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

4-41

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 4 Configuring Interfaces

Displaying Interface Traffic History

12:23:37 UTC Tue Mar 05 2013

12:22:30 UTC Tue Mar 05 2013

12:21:31 UTC Tue Mar 05 2013

12:20:29 UTC Tue Mar 05 2013

12:19:25 UTC Tue Mar 05 2013

12:18:18 UTC Tue Mar 05 2013

12:17:12 UTC Tue Mar 05 2013

12:16:07 UTC Tue Mar 05 2013

12:15:00 UTC Tue Mar 05 2013

12:13:54 UTC Tue Mar 05 2013

12:12:49 UTC Tue Mar 05 2013

12:11:43 UTC Tue Mar 05 2013

12:10:36 UTC Tue Mar 05 2013

12:09:30 UTC Tue Mar 05 2013

12:08:24 UTC Tue Mar 05 2013

12:07:25 UTC Tue Mar 05 2013

12:06:23 UTC Tue Mar 05 2013

12:05:25 UTC Tue Mar 05 2013

sensor#

Step 4

Display the interface traffic history for a specific interface.

sensor# show interfaces-history GigabitEthernet0/0 traffic-by-minute past 00:05

GigabitEthernet0/0

Time

FIFO Overruns

13:34:38 UTC Thu Mar 07 2013

13:33:35 UTC Thu Mar 07 2013

13:32:32 UTC Thu Mar 07 2013

13:31:27 UTC Thu Mar 07 2013

13:30:25 UTC Thu Mar 07 2013

Packets Received

Receive Errors Avg Load Peak Load

Bytes Received

Mbps

MPP

sensor#

For More Information

For information on enabling health monitoring, see Configuring Health Status Information, page 17-13.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

4-42

Download from Www.Somanuals.com. All Manuals Search And Download.

C H A P T E R

Configuring Virtual Sensors

This chapter explains the function of the Analysis Engine and how to create, edit, and delete virtual

sensors. It also explains how to assign interfaces to a virtual sensor. It contains the following sections:

•

Virtual Sensor Notes and Caveats, page 5-1

Understanding the Analysis Engine, page 5-2

Understanding Virtual Sensors, page 5-2

Advantages and Restrictions of Virtualization, page 5-2

Inline TCP Session Tracking Mode, page 5-3

Normalization and Inline TCP Evasion Protection Mode, page 5-4

HTTP Advanced Decoding, page 5-4

Adding, Editing, and Deleting Virtual Sensors, page 5-4

Configuring Global V a riables, page 5-12

Virtual Sensor Notes and Caveats

The following notes and caveats apply to configuring the virtual sensor:

•

The Cisco IPS does not support more than four virtual sensors. You cannot delete the default virtual

sensor vs0.

The ASA IPS modules (ASA 5500-X IPS SSP and ASA 5585-X IPS SSP) do not support the inline

TCP session tracking mode.

For the ASA IPS modules (ASA 5500-X IPS SSP and ASA 5585-X IPS SSP), normalization is

performed by the adaptive security appliance and not the IPS.

Anomaly detection is disabled by default. You must enable it to configure or apply an anomaly

detection policy. Enabling anomaly detection results in a decrease in performance.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

5-1

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 5 Configuring Virtual Sensors

Understanding the Analysis Engine

The Analysis Engine performs packet analysis and alert detection. It monitors traffic that flows through

specified interfaces.

You create virtual sensors in the Analysis Engine. Each virtual sensor has a unique name with a list of

interfaces, inline interface pairs, inline VLAN pairs, and VLAN groups associated with it. To avoid

definition ordering issues, no conflicts or overlaps are allowed in assignments. You assign interfaces,

inline interface pairs, inline VLAN pairs, and VLAN groups to a specific virtual sensor so that no packet

is processed by more than one virtual sensor. Each virtual sensor is also associated with a specifically

named signature definition, event action rules, and anomaly detection configuration. Packets from

interfaces, inline interface pairs, inline VLAN pairs, and VLAN groups that are not assigned to any

virtual sensor are disposed of according to the inline bypass configuration.

Note

The Cisco IPS does not support more than four virtual sensors. You cannot delete the default virtual

sensor vs0.

Understanding Virtual Sensors

The sensor can receive data inputs from one or many monitored data streams. These monitored data

streams can either be physical interface ports or virtual interface ports. For example, a single sensor can

monitor traffic from in front of the firewall, from behind the firewall, or from in front of and behind the

firewall concurrently. And a single sensor can monitor one or more data streams. In this situation a single

sensor policy or configuration is applied to all monitored data streams.

A virtual sensor is a collection of data that is defined by a set of configuration policies. The virtual sensor

is applied to a set of packets as defined by interface component.

A virtual sensor can monitor multiple segments, and you can apply a different policy or configuration

for each virtual sensor within a single physical sensor. You can set up a different policy per monitored

segment under analysis. You can also apply the same policy instance, for example, sig0, rules0, or ad0,

to different virtual sensors. You can assign interfaces, inline interface pairs, inline VLAN pairs, and

VLAN groups to a virtual sensor.

Note

The default virtual sensor is vs0. You cannot delete the default virtual sensor. The interface list, the

anomaly detection operational mode, the inline TCP session tracking mode, and the virtual sensor

description are the only configuration features you can change for the default virtual sensor. You cannot

change the signature definition, event action rules, or anomaly detection policies.

Advantages and Restrictions of Virtualization

Virtualization has the following advantages:

•

You can apply different configurations to different sets of traffic.

You can monitor two networks with overlapping IP spaces with one sensor.

You can monitor both inside and outside of a firewall or NAT device.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

5-2

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 5 Configuring Virtual Sensors

Inline TCP Session Tracking Mode

Virtualization has the following restrictions:

•

You must assign both sides of asymmetric traffic to the same virtual sensor.

Using VACL capture or SPAN (promiscuous monitoring) is inconsistent with regard to VLAN

tagging, which causes problems with VLAN groups.

–

When using Cisco IOS software, a VACL capture port or a SPAN target does not always receive

tagged packets even if it is configured for trunking.

–

When using the MSFC, fast path switching of learned routes changes the behavior of VACL

captures and SPAN.

•

Persistent store is limited.

Virtualization has the following traffic capture requirements:

•

The virtual sensor must receive traffic that has 802.1q headers (other than traffic on the native VLAN

of the capture port).

•

The sensor must see both directions of traffic in the same VLAN group in the same virtual sensor

for any given sensor.

The following sensors support virtualization:

•

ASA 5500-X IPS SSP

ASA 5585-X IPS SSP

IPS 4345

IPS 4345-DC

IPS 4360

IPS 4510

IPS 4520

Inline TCP Session Tracking Mode

Note

The ASA IPS modules (ASA 5500-X IPS SSP and ASA 5585-X IPS SSP) do not support the inline TCP

session tracking mode.

When you choose to modify packets inline, if the packets from a stream are seen twice by the Normalizer

engine, it cannot properly track the stream state and often the stream is dropped. This situation occurs

most often when a stream is routed through multiple VLANs or interfaces that are being monitored by

the IPS. A further complication in this situation is the necessity of allowing asymmetric traffic to merge

for proper tracking of streams when the traffic for either direction is received from different VLANs or

interfaces. To deal with this situation, you can set the mode so that streams are perceived as unique if

they are received on separate interfaces and/or VLANs (or the subinterface for VLAN pairs).

The following inline TCP session tracking modes apply:

•

Interface and VLAN—All packets with the same session key (AaBb) in the same VLAN (or inline

VLAN pair) and on the same interface belong to the same session. Packets with the same key but on

different VLANs are tracked separately.

•

VLAN Only—All packets with the same session key (AaBb) in the same VLAN (or inline VLAN

pair) regardless of the interface belong to the same session. Packets with the same key but on

different VLANs are tracked separately.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

5-3

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 5 Configuring Virtual Sensors

Normalization and Inline TCP Evasion Protection Mode

•

Virtual Sensor—All packets with the same session key (AaBb) within a virtual sensor belong to the

same session. This is the default and almost always the best option to choose.

Normalization and Inline TCP Evasion Protection Mode

Note

For the ASA IPS modules (ASA 5500-X IPS SSP and ASA 5585-X IPS SSP), normalization is

performed by the adaptive security appliance and not the IPS.

Normalization only applies when the sensor is operating in inline mode. The default is strict evasion

protection, which is full enforcement of TCP state and sequence tracking. The Normalizer enforces

duplicate packets, changed packets, out-of-order packets, and so forth, which helps prevent attackers

from evading the IPS.

Asymmetric mode disables most of the Normalizer checks. Use asymmetric mode only when the entire

stream cannot be inspected, because in this situation, attackers can now evade the IPS.

HTTP Advanced Decoding

HTTP advanced decoding facilitates analysis of encoded HTTP return web traffic by using on-the-fly

decoding. Changes to HTTP advanced decoding take effect immediately and only affect the new traffic

flows.

Restrictions

The following restrictions apply when you enable HTTP advanced decoding:

•

Although HTTP advanced decoding does not fire any new signatures, drop packets, or modify

traffic, it allows existing signatures to match on content that was previously not detectable because

of encodings.

•

HTTP advanced decoding only acts on return web response traffic.

Caution

Note

Enabling HTTP advanced decoding severely impacts system performance.

Because HTTP advanced decoding requires the Regex card and the String XL engine, it is available only

to those platforms that have them. HTTP advanced decoding is supported on the IPS 4345, IPS 4360,

IPS 4510, IPS 4520, ASA 5585-X IPS SSP, ASA 5525-X IPS SSP, ASA 5545-X IPS SSP, and

ASA 5555-X IPS SSP.

Adding, Editing, and Deleting Virtual Sensors

This section describes how to add, edit, and delete virtual sensors, and contains the following topics:

Adding Virtual Sensors, page 5-5

Editing and Deleting Virtual Sensors, page 5-9

•

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

5-4

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 5 Configuring Virtual Sensors

Adding, Editing, and Deleting Virtual Sensors

Adding Virtual Sensors

Use the virtual-sensor name command in service analysis engine submode to create a virtual sensor.

You can create up to four virtual sensors. You assign policies (anomaly detection, event action rules, and

signature definition) to the virtual sensor. Then you assign interfaces (promiscuous, inline interface

pairs, inline VLAN pairs, and VLAN groups) to the virtual sensor. You must configure the inline

interface pairs and VLAN pairs before you can assign them to a virtual sensor.

Note

Anomaly detection is disabled by default. You must enable it to configure or apply an anomaly detection

policy. Enabling anomaly detection results in a decrease in performance.

The following options apply:

•

http-advanced-decoding {true | false}—Enables deeper inspection of HTTP traffic. The default is

disabled.

Note

Enabling HTTP advanced decoding severely impacts system performance.

HTTP advanced decoding is supported on the IPS 4345, IPS 4360, IPS 4510, IPS 4520,

ASA 5585-X IPS SSP, ASA 5525-X IPS SSP, ASA 5545-X IPS SSP, and

ASA 5555-X IPS SSP.

•

anomaly-detection—Specifies the anomaly detection parameters:

–

anomaly-detection-name name—Specifies the name of the anomaly detection policy.

operational-mode—Specifies the anomaly detection mode (inactive, learn, detect).

•

description—Description of the virtual sensor.

event-action-rules—Specifies the name of the event action rules policy.

inline-TCP-evasion-protection-mode—Lets you choose which type of normalization you need for

traffic inspection:

–

asymmetric —Specifies that the sensor can only see one direction of bidirectional traffic flow.

Asymmetric mode protection relaxes the evasion protection at the TCP layer.

Note

Asymmetric mode lets the sensor synchronize state with the flow and maintain

inspection for those engines that do not require both directions. Asymmetric mode

lowers security because full protection requires both sides of traffic to be seen.

–

strict—Specifies that if a packet is missed for any reason, all packets after the missed packet

are not processed. Strict evasion protection provides full enforcement of TCP state and

sequence tracking.

Note

Any out-of-order packets or missed packets can produce Normalizer engine signatures

1300 or 1330 firings, which try to correct the situation, but can result in denied

connections.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

5-5

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 5 Configuring Virtual Sensors

Adding, Editing, and Deleting Virtual Sensors

Note

For the ASA IPS modules (ASA 5500-X IPS SSP and ASA 5585-X IPS SSP),

normalization is performed by the adaptive security appliance and not the IPS.

•

inline-TCP-session-tracking-mode—Enables an advanced method used to identify duplicate TCP

sessions in inline traffic. The default is virtual sensor, which is almost always the best choice.

–

virtual-sensor —Specifies that all packets with the same session key (AaBb) within a virtual

sensor belong to the same session.

–

interface-and-vlan—Specifies that all packets with the same session key (AaBb) in the same

VLAN (or inline VLAN pair) and on the same interface belong to the same session. Packets with

the same key but on different VLANs or interfaces are tracked independently.

–

vlan-only—Specifies that all packets with the same session key (AaBb) in the same VLAN (or

inline VLAN pair) regardless of the interface belong to the same session. Packets with the same

key but on different VLANs are tracked independently.

Note

The ASA IPS modules (ASA 5500-X IPS SSP and ASA 5585-X IPS SSP) do not

support the inline TCP session tracking mode.

•

signature-definition—Specifies the name of the signature definition policy.

logical-interfaces—Specifies the name of the logical interfaces (inline interface pairs).

physical-interfaces—Specifies the name of the physical interfaces (promiscuous, inline VLAN

pairs, and VLAN groups):

–

subinterface-number—Specifies the physical subinterface number. If the subinterface-type is

none, the value of 0 indicates the entire interface is assigned in promiscuous mode.

•

no—Removes an entry or selection.

Adding a Virtual Sensor

To add a virtual sensor, follow these steps:

Step 1

Step 2

Enter service analysis mode.

sensor# configure terminal

sensor(config)# service analysis-engine

sensor(config-ana)#

Step 3

Add a virtual sensor.

sensor(config-ana)# virtual-sensor vs1

sensor(config-ana-vir)#

Step 4

Step 5

Add a description for this virtual sensor.

sensor(config-ana-vir)# description virtual sensor 1

Assign an anomaly detection policy and operational mode to this virtual sensor.

sensor(config-ana-vir)# anomaly-detection

sensor(config-ana-vir-ano)# anomaly-detection-name ad1

sensor(config-ana-vir-ano)# operational-mode learn

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

5-6

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 5 Configuring Virtual Sensors

Adding, Editing, and Deleting Virtual Sensors

Step 6

Assign an event action rules policy to this virtual sensor.

sensor(config-ana-vir-ano)# exit

sensor(config-ana-vir)# event-action-rules rules1

Step 7

Step 8

Assign a signature definition policy to this virtual sensor.

sensor(config-ana-vir)# signature-definition sig1

Enable HTTP advanced decoding.

sensor(config-ana-vir)# http-advanced-decoding true

Caution

Step 9

Enabling HTTP advanced decoding severely impacts system performance.

Assign the inline TCP session tracking mode. The default is virtual sensor mode, which is almost always

the best option to choose.

sensor(config-ana-vir)# inline-TCP-session-tracking-mode virtual-sensor

Step 10 Assign the inline TCP evasion protection mode. The default is strict mode, which is almost always the

best option to choose.

sensor(config-ana-vir)# inline-TCP-evasion-protection-mode strict

Step 11 Enable HTTP advanced decoding.

sensor(config-ana-vir)# http-advanced-decoding true

Step 12 Display the list of available interfaces.

sensor(config-ana-vir)# physical-interface ?

GigabitEthernet0/0

GigabitEthernet0/1

GigabitEthernet2/0

GigabitEthernet2/1

GigabitEthernet0/0 physical interface.

GigabitEthernet0/1 physical interface.

GigabitEthernet0/2 physical interface.

GigabitEthernet0/3 physical interface.

sensor(config-ana-vir)# physical-interface

sensor(config-ana-vir)# logical-interface ?

Step 13 Assign the promiscuous mode interfaces you want to add to this virtual sensor. Repeat this step for all

the promiscuous interfaces that you want to assign to this virtual sensor.

sensor(config-ana-vir)# physical-interface GigabitEthernet0/3

Step 14 Assign the inline interface pairs you want to add to this virtual sensor. You must have already paired the

interfaces.

sensor(config-ana-vir)# logical-interface inline_interface_pair_name

Step 15 Assign the subinterfaces of the inline VLAN pairs or groups you want to add to this virtual sensor. You

must have already subdivided any interfaces into VLAN pairs or groups.

sensor(config-ana-vir)# physical-interface GigabitEthernet2/0 subinterface-number

subinterface_number

Step 16 Verify the virtual sensor settings.

sensor(config-ana-vir)# show settings

-----------------------------------------------

description: virtual sensor 1 default:

signature-definition: sig1 default: sig0

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

5-7

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 5 Configuring Virtual Sensors

Adding, Editing, and Deleting Virtual Sensors

event-action-rules: rules1 default: rules0

anomaly-detection

-----------------------------------------------

anomaly-detection-name: ad1 default: ad0

operational-mode: learn default: detect

-----------------------------------------------

physical-interface (min: 0, max: 999999999, current: 2)

-----------------------------------------------

subinterface-number: 0 <defaulted>

-----------------------------------------------

inline-TCP-session-tracking-mode: virtual-sensor default: virtual-sensor

-----------------------------------------------

logical-interface (min: 0, max: 999999999, current: 0)

-----------------------------------------------

sensor(config-ana-vir)#

Step 17 Exit analysis engine mode.

sensor(config-ana-vir)# exit

sensor(config-ana)# exit

sensor(config)#

Apply Changes:?[yes]:

Step 18 Press Enter to apply the changes or enter no to discard them.

For More Information

•

For the procedure for creating virtual sensors on the ASA 5500-X IPS SSP, see Creating Virtual

Sensors for the ASA 5500-X IPS SS P , p age 18-4.

For the procedure for creating virtual sensors on the ASA 5585-X IPS SSP, see Creating Virtual

Sensors for the ASA 5585-X IPS SS P , p age 19-4.

For more information on creating and configuring anomaly detection policies, see Working With

Anomaly Detection Policies, page 9-8.

For more information on creating and configuring event action rules policies, see W o rking With

Event Action Rules Policies, page 8-8.

For more information on creating and configuring signature definition policies, see Working With

Signature Definition Policies, page 7-2.

For more information about normalization, see Normalization and Inline TCP Evasion Protection

Mode, page 5-4.

For more information about inline TCP session tracking mode, see Inline TCP Session Tracking

Mode, page 5-3.

For the procedure for pairing inline interfaces, see Configuring Inline Interface Pairs, page 4-17.

Repeat Step 11 for all the inline interface pairs that you want to assign to this virtual sensor.

For the procedure for pairing and grouping inline VLANs, see Configuring Inline VLAN Pairs,

page 4-22 and Configuring VLAN Groups, page 4-28. Repeat Step 12 for all inline VLAN pairs or

VLAN groups that you want to assign to this virtual sensor.

•

For the procedure for enabling anomaly detection, see Enabling Anomaly Detection, page 9-8.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

5-8

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 5 Configuring Virtual Sensors

Adding, Editing, and Deleting Virtual Sensors

Editing and Deleting Virtual Sensors

You can edit the following parameters of a virtual sensor:

Signature definition policy

Event action rules policy

Anomaly detection policy

•

Note

Anomaly detection is disabled by default. You must enable it to configure or apply an

anomaly detection policy. Enabling anomaly detection results in a decrease in performance.

•

Anomaly detection operational mode

Inline TCP session tracking mode

Note

The ASA IPS modules (ASA 5500-X IPS SSP and ASA 5585-X IPS SSP) do not support

the inline TCP session tracking mode.

•

Description

Interfaces assigned

Editing or Deleting a Virtual Sensor

To edit or delete a virtual sensor, follow these steps:

Step 1

Step 2

Enter analysis engine mode.

sensor# configure terminal

sensor(config)# service analysis-engine

sensor(config-ana)#

Step 3

Edit the virtual sensor, vs1.

sensor(config-ana)# virtual-sensor vs1

sensor(config-ana-vir)#

Step 4

Step 5

Edit the description of this virtual sensor.

sensor(config-ana-vir)# description virtual sensor A

Change the anomaly detection policy and operational mode assigned to this virtual sensor.

sensor(config-ana-vir)# anomaly-detection

sensor(config-ana-vir-ano)# anomaly-detection-name ad0

sensor(config-ana-vir-ano)# operational-mode learn

Step 6

Step 7

Change the event action rules policy assigned to this virtual sensor.

sensor(config-ana-vir-ano)# exit

sensor(config-ana-vir)# event-action-rules rules0

Change the signature definition policy assigned to this virtual sensor.

sensor(config-ana-vir)# signature-definition sig0

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

5-9

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 5 Configuring Virtual Sensors

Adding, Editing, and Deleting Virtual Sensors

Step 8

Step 9

Change the inline TCP session tracking mode. The default is virtual sensor mode, which is almost always

the best option to choose.

sensor(config-ana-vir)# inline-TCP-session-tracking-mode interface-and-vlan

Display the list of available interfaces.

sensor(config-ana-vir)# physical-interface ?

GigabitEthernet0/0

GigabitEthernet0/1

GigabitEthernet2/0

GigabitEthernet2/1

GigabitEthernet0/0 physical interface.

GigabitEthernet0/1 physical interface.

GigabitEthernet0/2 physical interface.

GigabitEthernet0/3 physical interface.

sensor(config-ana-vir)# physical-interface

sensor(config-ana-vir)# logical-interface ?

Step 10 Change the promiscuous mode interfaces assigned to this virtual sensor.

sensor(config-ana-vir)# physical-interface GigabitEthernet0/2

Step 11 Change the inline interface pairs assigned to this virtual sensor. You must have already paired the

interfaces.

sensor(config-ana-vir)# logical-interface inline_interface_pair_name

Step 12 Change the subinterface with the inline VLAN pairs or groups assigned to this virtual sensor. You must

have already subdivided any interfaces into VLAN pairs or groups.

sensor(config-ana-vir)# physical-interface GigabitEthernet2/0 subinterface-number

subinterface_number

Step 13 Verify the edited virtual sensor settings.

ssensor(config-ana-vir)# show settings

-----------------------------------------------

description: virtual sensor 1 default:

signature-definition: sig1 default: sig0

event-action-rules: rules1 default: rules0

anomaly-detection

-----------------------------------------------

anomaly-detection-name: ad1 default: ad0

operational-mode: learn default: detect

-----------------------------------------------

physical-interface (min: 0, max: 999999999, current: 2)

-----------------------------------------------

subinterface-number: 0 <defaulted>

-----------------------------------------------

inline-TCP-session-tracking-mode: interface-and-vlan default: virtual-sensor

-----------------------------------------------

logical-interface (min: 0, max: 999999999, current: 0)

-----------------------------------------------

sensor(config-ana-vir)#

Step 14 Delete a virtual sensor.

sensor(config-ana-vir)# exit

sensor(config-ana)# no virtual-sensor vs1

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

5-10

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 5 Configuring Virtual Sensors

Adding, Editing, and Deleting Virtual Sensors

Step 15 Verify the deleted virtual sensor. Only the default virtual sensor, vs0, is present.

sensor(config-ana)# show settings

global-parameters

-----------------------------------------------

ip-logging

-----------------------------------------------

max-open-iplog-files: 20 <defaulted>

-----------------------------------------------

virtual-sensor (min: 1, max: 255, current: 2)

-----------------------------------------------

-----------------------------------------------

description: default virtual sensor <defaulted>

signature-definition: sig0 <protected>

event-action-rules: rules0 <protected>

anomaly-detection

-----------------------------------------------

anomaly-detection-name: ad0 <protected>

operational-mode: detect <defaulted>

-----------------------------------------------

physical-interface (min: 0, max: 999999999, current: 0)

-----------------------------------------------

logical-interface (min: 0, max: 999999999, current: 0)

-----------------------------------------------

sensor(config-ana)#

Step 16 Exit analysis engine mode.

sensor(config-ana)# exit

sensor(config)#

Apply Changes:?[yes]:

Step 17 Press Enter to apply the changes or enter no to discard them.

For More Information

•

For more information on creating and configuring anomaly detection policies, see Working With

Anomaly Detection Policies, page 9-8.

For more information on creating and configuring event action rules policies, see W o rking With

Event Action Rules Policies, page 8-8.

For more information on creating and configuring signature definition policies, see Working With

Signature Definition Policies, page 7-2.

For the procedure for pairing inline interfaces, see Configuring Inline Interface Pairs, page 4-17.

Repeat Step 11 for all the inline interface pairs that you want to assign to this virtual sensor.

For the procedure for pairing and grouping inline VLANs, see Configuring Inline VLAN Pairs,

page 4-22 and Configuring VLAN Groups, page 4-28. Repeat Step 12 for all inline VLAN pairs or

VLAN groups that you want to assign to this virtual sensor.

•

For the procedure for enabling anomaly detection, see Enabling Anomaly Detection, page 9-8.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

5-11

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 5 Configuring Virtual Sensors

Configuring Global Variables

Use the global-parameters command in service analysis engine submode to create global variables,

such as IP logging, service activity, and specifying the flow depth. Flow depth is used for String,

Multi-String, Service HTTP, and State engines. It does not apply to the XL String engine and the

platforms that support it.

Note

The IPS 4345, IPS 4360, IPS 4510, IPS 4520, ASA 5525-X IPS SSP, ASA 5545-X IPS SSP,

ASA 5555-X IPS SSP, and ASA 5585-X IPS SSP support the String XL engines and the Regex

accelerator card.

The following options apply:

•

ip-logging—Enables global IP logging parameters.

–

max-open-iplog-files—Specifies the maximum number of concurrently open log files. The

range is 20 to 100. The default is 20.

serviceActivity—Lets you gather information about service activities for diagnostic purposes. The

details are more granular and have port level details.

Note

Enabling service activity impacts system performance. Enable service activity collection

temporarily for diagnostic purposes only. You must reboot the sensor after you enable

service activity for the change to take affect.

–

enable-serviceactivity [1 | 0]—Set to 1 to enable, set to 0 to disable. The default is disabled.

serviceActivityLimit limit—Sets the limit for how many services you want to enable. The valid

range is from 10 to 65536. The default is 15.

•

specify-flow-depth—Lets you specify the inspection depth of the flow. Flow depth is the number

of bytes inspected in a flow. The new value applies for new flows only. The valid range is from 0 to

429496296. The default is 0, which is infinitive.

Creating a Global Variable

To create a global variable, follow these steps:

Step 1

Step 2

Enter service analysis mode.

sensor# configure terminal

sensor(config)# service analysis-engine

sensor(config-ana)#

Step 3

Step 4

Create the variable for the maximum number of open IP logs.

sensor(config-ana)# global-parameters

sensor(config-ana-glo)# ip-logging

sensor(config-ana-glo-ip)# max-open-iplog-files 50

sensor(config-ana-glo-ip)# exit

sensor(config-ana-glo)#

Create the flow depth variable.

sensor(config-ana-glo)# specify-flow-depth 500

sensor(config-ana-glo)# exit

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

5-12

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 5 Configuring Virtual Sensors

Configuring Global Variables

sensor(config-ana)#

Step 5

Step 6

Create the variable for service activity.

sensor(config-ana-glo)# serviceActivity

sensor(config-ana-glo-ser)# enable-serviceactivity 1

sensor(config-ana-glo-ser)# serviceActivityLimit 15

sensor(config-ana-glo-ser)# exit

sensor(config-ana-glo)#

Verify the global variable settings.

sensor(config-ana-glo)# show settings

global-parameters

-----------------------------------------------

specify-flow-depth: 500 default: 0

serviceActivity

-----------------------------------------------

enable-serviceactivity: 1 default: 0

serviceActivityLimit: 25 default: 15

-----------------------------------------------

ip-logging

-----------------------------------------------

max-open-iplog-files: 50 default: 20

-----------------------------------------------

sensor(config-ana-glo)#

Step 7

Exit analysis engine mode.

sensor(config-ana)# exit

sensor(config)#

Apply Changes:?[yes]:

Step 8

Step 9

Press Enter to apply the changes or enter no to discard them.

After you reboot the sensor so that service activity is effective, you can view the details.

sensor# show statistic analysis-engine

Analysis Engine Statistics

Number of seconds since service started = 354

Processing Load Percentage

Thread

5 sec

1 min

5 min

Average

For More Information

For detailed information about String, Multi-String, Service HTTP, and State engines, see Appendix B,

“Signature Engines.”

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

5-13

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 5 Configuring Virtual Sensors

Configuring Global Variables

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

5-14

Download from Www.Somanuals.com. All Manuals Search And Download.

C H A P T E R

Defining Signatures

This chapter describes how to define and create signatures. It contains the following sections:

•

Signature Definition Notes and Caveats, page 7-1

Understanding Policies, page 7-1

W o rking With Signature Definition Policies, page 7-2

Understanding Signatures, page 7-3

Configuring Signature V a riables, page 7-4

Configuring Signatures, page 7-6

Creating Custom Signatures, page 7-40

Signature Definition Notes and Caveats

The following notes and caveats apply to defining signatures:

•

You must preface signature variables with a dollar ($) sign to indicate that you are using a variable

rather than a string.

•

We recommend that you do NOT change the promiscuous delta setting for a signature.

The parameters tcp-3-way-handshake-required and tcp-reassembly-mode only impact sensors

inspecting traffic in promiscuous mode, not inline mode. To configure asymmetric options for

sensors inspecting inline traffic, use the inline-TCP-evasion-protection-mode parameter.

•

A custom signature can affect the performance of your sensor. Test the custom signature against a

baseline sensor performance for your network to determine the overall impact of the signature.

Understanding Policies

You can create multiple security policies and apply them to individual virtual sensors. A security policy

is made up of a signature definition policy, an event action rules policy, and an anomaly detection policy.

Cisco IPS contains a default signature definition policy called sig0, a default event action rules policy

called rules0, and a default anomaly detection policy called ad0. You can assign the default policies to

a virtual sensor or you can create new policies. The use of multiple security policies lets you create

security policies based on different requirements and then apply these customized policies per VLAN or

physical interface.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-1

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Working With Signature Definition Policies

Use the service signature-definition name command in service signature definition mode to create a

signature definition policy. The values of this signature definition policy are the same as the default

signature definition policy, sig0, until you edit them.

Or you can use the copy signature-definition source_destination command in privileged EXEC mode

to make a copy of an existing policy and then edit the values of the new policy as needed.

Use the list signature-definition-configurations command in privileged EXEC mode to list the

signature definition policies.

Use the no service signature-definition name command in global configuration mode to delete a

signature definition policy. Use the default service signature-definition name command in global

configuration mode to reset the signature definition policy to factory settings.

Creating, Copying, Editing, and Deleting Signature Definition Policies

To create, copy, edit, and delete signature definition policies, follow these steps:

Step 1

Step 2

Create a signature definition policy.

sensor# configure terminal

sensor(config)# service signature-definition MySig

Editing new instance MySig.

sensor(config-sig)# exit

Apply Changes?[yes]: yes

sensor(config)# exit

Step 3

Or copy an existing signature definition policy to a new signature definition policy.

sensor# copy signature-definition sig0 sig1

sensor#

Note

You receive an error if the policy already exists or if there is not enough space available for the

new policy.

Step 4

Step 5

Accept the default signature definition policy values or edit the following parameters:

a. Add signature definition variables.

b. Configure the general signature options.

Display a list of signature definition policies on the sensor.

sensor# list signature-definition-configurations

Signature Definition

Instance

sig0

temp

MySig

sig1

Size

255

707

255

141

Virtual Sensor

vs0

N/A

vs1

sensor#

Step 6

Delete a signature definition policy.

sensor# configure terminal

sensor(config)# no service signature-definition MySig

sensor(config)# exit

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-2

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Understanding Signatures

sensor#

Note

You cannot delete the default signature definition policy, sig0.

Step 7

Confirm the signature definition policy has been deleted.

sensor# list signature-definition-configurations

Signature Definition

Instance

sig0

temp

Size

255

707

141

Virtual Sensor

vs0

N/A

vs1

sig1

sensor#

Step 8

Reset a signature definition policy to factory settings.

sensor# configure terminal

sensor(config)# default service signature-definition sig1

sensor(config)#

For More Information

•

For the procedure for adding signature variables, see Configuring Signature V a riables, page 7-4.

For the procedure for configuring the general settings, see Configuring Signatures, page 7-6.

Understanding Signatures

Attacks or other misuses of network resources can be defined as network intrusions. Sensors that use a

signature-based technology can detect network intrusions. A signature is a set of rules that your sensor

uses to detect typical intrusive activity, such as DoS attacks. As sensors scan network packets, they use

signatures to detect known attacks and respond with actions that you define.

The sensor compares the list of signatures with network activity. When a match is found, the sensor takes

an action, such as logging the event or sending an alert. Sensors let you modify existing signatures and

define new ones.

Signature-based intrusion detection can produce false positives because certain normal network activity

can be misinterpreted as malicious activity. For example, some network applications or operating

systems may send out numerous ICMP messages, which a signature-based detection system might

interpret as an attempt by an attacker to map out a network segment. You can minimize false positives

by tuning your signatures.

To configure a sensor to monitor network traffic for a particular signature, you must enable the signature.

By default, the most critical signatures are enabled when you install the signature update. When an attack

is detected that matches an enabled signature, the sensor generates an alert, which is stored in the Event

Store of the sensor. The alerts, as well as other events, may be retrieved from the Event Store by

web-based clients. By default the sensor logs all Informational alerts or higher.

Some signatures have subsignatures, that is, the signature is divided into subcategories. When you

configure a subsignature, changes made to the parameters of one subsignature apply only to that

subsignature. For example, if you edit signature 3050 subsignature 1 and change the severity, the severity

change applies to only subsignature 1 and not to 3050 2, 3050 3, and 3050 4.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-3

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Configuring Signature Variables

The Cisco IPS contains over 10,000 built-in default signatures. You cannot rename or delete signatures

from the list of built-in signatures, but you can retire signatures to remove them from the sensing engine.

You can later activate retired signatures; however, this process requires the sensing engines to rebuild

their configuration, which takes time and could delay the processing of traffic. You can tune built-in

signatures by adjusting several signature parameters. Built-in signatures that have been modified are

called tuned signatures.

Note

We recommend that you retire any signatures that you are not using. This improves sensor performance.

You can create signatures, which are called custom signatures. Custom signature IDs begin at 60000.

You can configure them for several things, such as matching of strings on UDP connections, tracking of

network floods, and scans. Each signature is created using a signature engine specifically designed for

the type of traffic being monitored.

Configuring Signature Variables

This section describes signature variables, and contains the following topics:

Understanding Signature V a riables, page 7-4

Creating Signature V a riables, page 7-4

•

Understanding Signature Variables

When you want to use the same value within multiple signatures, use a variable. When you change the

value of a variable, that variable is updated in all signatures in which it appears. This saves you from

having to change the variable repeatedly as you configure signatures.

Note

You must preface signature variables with a dollar ($) sign to indicate that you are using a variable rather

than a string.

Some variables cannot be deleted because they are necessary to the signature system. If a variable is

protected, you cannot select it to edit it. You receive an error message if you try to delete protected

variables. You can edit only one variable at a time.

Creating Signature Variables

Use the variables command in the signature definition submode to create signature variables.

The following options apply:

•

variable_name—Identifies the name assigned to this variable. A valid name can only contain

numbers or letters. You can also use a hyphen (-) or underscore (_).

ip-addr-range—Specifies the system-defined variable for grouping IP addresses. The valid values

are: A.B.C.D-A.B.C.D[,A.B.C.D-A.B.C.D]

web-ports—Specifies the system-defined variable for ports to look for HTTP traffic. To designate

multiple port numbers for a single variable, place a comma between the entries. For example, 80,

3128, 8000, 8010, 8080, 8888, 24326.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-4

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Configuring Signature Variables

Adding, Editing, and Deleting Signature Variables

To add, edit, and delete signature variables, follow these steps:

Step 1

Step 2

Enter signature definition submode.

sensor# configure terminal

sensor(config)# service signature-definition sig1

Step 3

Step 4

Create a signature variable for a group of IP addresses.

sensor(config-sig)# variables IPADD ip-addr-range 10.1.1.1-10.1.1.24

Edit the signature variable for web ports. WEBPORTS has a predefined set of ports where web servers

are running, but you can edit the value. This variable affects all signatures that have web ports. The

default is 80, 3128, 8000, 8010, 8080, 8888, 24326.

sensor(config-sig)# variables WEBPORTS web-ports 80,3128,8000

Step 5

Verify the changes.

sensor(config-sig)# show settings

variables (min: 0, max: 256, current: 2)

-----------------------------------------------

variable-name: IPADD

-----------------------------------------------

ip-addr-range: 10.1.1.1-10.1.1.24

-----------------------------------------------

variable-name: WEBPORTS

-----------------------------------------------

web-ports: 80,3128,8000 default: 80-80,3128-3128,8000-8000,8010-8010,80

80-8080,8888-8888,24326-24326

-----------------------------------------------

Step 6

Step 7

Delete a variable.

sensor(config-sig)# no variables IPADD

Verify the variable has been deleted.

sensor(config-sig)# show settings

variables (min: 0, max: 256, current: 1)

-----------------------------------------------

variable-name: WEBPORTS

-----------------------------------------------

web-ports: 80,3128,8000 default: 80-80,3128-3128,8000-8000,8010-8010,80

80-8080,8888-8888,24326-24326

-----------------------------------------------

Step 8

Step 9

Exit signature definition submode.

sensor(config-sig)# exit

Apply Changes:?[yes]:

Press Enter to apply the changes or enter no to discard them.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-5

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Configuring Signatures

This section describes how to configure signature parameters, and contains the following topics:

•

Signature Definition Options, page 7-6

Configuring Alert Frequency, page 7-7

Configuring Alert Severity, page 7-9

Configuring the Event Counter, page 7-10

Configuring Signature Fidelity Rating, page 7-12

Configuring the Status of Signatures, page 7-13

Configuring the Vulnerable OSes for a Signature, page 7-14

Assigning Actions to Signatures, page 7-15

Configuring AIC Signatures, page 7-17

Configuring IP Fragment Reassembly, page 7-28

Configuring TCP Stream Reassembly, page 7-31

Configuring IP Logging, page 7-39

Signature Definition Options

The following options apply to configuring the general parameters of a specific signature:

•

alert-frequency—Sets the summary options for grouping alerts.

alert-severity—Sets the severity of the alert.

engine—Specifies the signature engine. You can assign actions when you are in the engine

submode.

•

event-counter—Sets the event count.

promisc-delta—Specifies the delta value used to determine the seriousness of the alert.

Caution

We recommend that you do NOT change the promiscuous delta setting for a signature.

Promiscuous delta lowers the risk rating of certain alerts in promiscuous mode. Because the sensor

does not know the attributes of the target system and in promiscuous mode cannot deny packets, it

is useful to lower the prioritization of promiscuous alerts (based on the lower risk rating) so the

administrator can focus on investigating higher risk rating alerts.

In inline mode, the sensor can deny the offending packets and they never reach the target host, so it

does not matter if the target was vulnerable. The attack was not allowed on the network and so we

do not subtract from the risk rating value.

Signatures that are not service, OS, or application specific have 0 for the promiscuous delta. If the

signature is specific to an OS, service, or application, it has a promiscuous delta of 5, 10, or 15

calculated from 5 points for each category.

•

sig-description—Your description of the signature.

sig-fidelity-rating—Specifies the rating of the fidelity of signature.

status—Sets the status of the signature to enabled or retired.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-6

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Configuring Signatures

•

vulnerable-os—Specifies the list of OS types that are vulnerable to this attack signature.

For More Information

•

For the procedure for configuring alert frequency, see Configuring Alert Frequency, page 7-7.

For more information about signature engines, see Appendix B, “Signature Engines.”

For the procedure for assigning actions, see Assigning Actions to Signatures, page 7-15.

For the procedure for configuring event counts, see Configuring the Event Counter, page 7-10.

For the procedure for configuring the signature fidelity rating, see Configuring Signature Fidelity

Rating, page 7-12.

•

For the procedure for enabling and disabling signatures, see Configuring the Status of Signatures,

page 7-13.

For the procedure for configuring vulnerable OSes, see Configuring the Vulnerable OSes for a

Signature, page 7-14.

Configuring Alert Frequency

Use the alert-frequency command in signature definition submode to configure the alert frequency for

a signature. The alert-frequency command specifies how often the sensor alerts you when this signature

is firing.

The following options apply:

•

sig_id—Identifies the unique numerical value assigned to this signature. This value lets the sensor

identify a particular signature. The value is 1000 to 65000.

subsig_id—Identifies the unique numerical value assigned to this subsignature. A subsignature ID

is used to identify a more granular version of a broad signature. The value is 0 to 255.

summary-mode—Specifies the way you want the sensor to group the alerts:

–

fire-all—Fires an alert on all events.

fire-once—Fires an alert only once.

global-summarize—Summarizes an alert so that it only fires once regardless of how many

attackers or victims.

–

summarize—Summarize all the alerts.

•

specify-summary-threshold {yes | no}—Enables summary threshold mode:

–

summary-threshold—Specifies the minimum number of hits the sensor must receive before

sending a summary alert for this signature. The value is 0 to 65535.

–

summary-interval—Specifies the time in seconds used in each summary alert. The value is 1

to 1000.

summary-key—Specifies the storage type on which to summarize this signature:

–

Axxx—Attacker address.

Axxb—Attacker address and victim port.

AxBx—Attacker and victim addresses.

AaBb—Attacker and victim addresses and ports.

xxBx—Victim address.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-7

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Configuring Signatures

•

specify-global-summary-threshold {yes | no}—(Optional) Enables global summary threshold

mode:

–

global-summary-threshold—Specifies the threshold number of events to take alert in to global

summary. The value is 1 to 65535.

Configuring Alert Frequency

To configure the alert frequency parameters of a signature, follow these steps:

Step 1

Step 2

Enter signature definition submode.

sensor# configure terminal

sensor(config)# service signature-definition sig1

Step 3

Step 4

Step 5

Specify the signature you want to configure.

sensor(config-sig)# signatures 9000 0

Enter alert frequency submode.

sensor(config-sig-sig)# alert-frequency

Specify the alert frequency of this signature:

a. Configure the summary mode to, for example, fire once.

sensor(config-sig-sig-ale)# summary-mode fire-once

sensor(config-sig-sig-ale-fir)# specify-global-summary-threshold yes

sensor(config-sig-sig-ale-fir-yes)# global-summary-threshold 3000

sensor(config-sig-sig-ale-fir-yes)# summary-interval 5000

b. Specify the summary key.

sensor(config-sig-sig-ale-fir-yes)# exit

sensor(config-sig-sig-ale-fir)# summary-key AxBx

c. Verify the settings.

sensor(config-sig-sig-ale-fir)# show settings

fire-once

-----------------------------------------------

summary-key: AxBx default: Axxx

specify-global-summary-threshold

-----------------------------------------------

yes

-----------------------------------------------

global-summary-threshold: 3000 default: 120

summary-interval: 5000 default: 15

-----------------------------------------------

sensor(config-sig-sig-ale-fir)#

Step 6

Exit alert-frequency submode.

sensor(config-sig-sig-ale-fir)# exit

sensor(config-sig-sig-ale)# exit

sensor(config-sig-sig)# exit

sensor(config-sig)# exit

Apply Changes:?[yes]:

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-8

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Configuring Signatures

Step 7

Press Enter to apply the changes or enter no to discard them.

Configuring Alert Severity

Use the alert-severity command in signature definition submode to configure the severity of a signature.

The following options apply:

•

sig_id—Identifies the unique numerical value assigned to this signature. This value lets the sensor

identify a particular signature. The value is 1000 to 65000.

subsig_id—Identifies the unique numerical value assigned to this subsignature. A subsignature ID

is used to identify a more granular version of a broad signature. The value is 0 to 255.

alert-severity—Specifies the severity of the alert:

–

high —Dangerous alert.

medium—Medium level alert (default).

low—Low level alert.

informational—Informational alert.

Configuring Alert Severity

To configure the alert severity, follow these steps:

Step 1

Step 2

Enter signature definition submode.

sensor# configure terminal

sensor(config)# service signature-definition sig1

Step 3

Step 4

Step 5

Specify the signature you want to configure.

sensor(config-sig)# signatures 9000 0

Assign the alert severity.

sensor(config-sig-sig)# alert-severity medium

Verify the settings.

sensor(config-sig-sig)# show settings

sig-id: 9000

subsig-id: 0

-----------------------------------------------

alert-severity: medium default: medium

sig-fidelity-rating: 75 <defaulted>

promisc-delta: 0 <defaulted>

sig-description

-----------------------------------------------

sig-name: Back Door Probe (TCP 12345) <defaulted>

sig-string-info: SYN to TCP 12345 <defaulted>

sig-comment: <defaulted>

alert-traits: 0 <defaulted>

release: 40 <defaulted>

-----------------------------------------------

vulnerable-os: general-os <defaulted>

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-9

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Configuring Signatures

engine

-----------------------------------------------

atomic-ip

-----------------------------------------------

event-action: produce-alert <defaulted>

fragment-status: any <defaulted>

specify-l4-protocol

-----------------------------------------------

--MORE--

Step 6

Step 7

Exit signatures submode.

sensor(config-sig-sig)# exit

sensor(config-sig)# exit

Apply Changes:?[yes]:

Press Enter to apply the changes or enter no to discard them.

Configuring the Event Counter

Use the event-counter command in signature definition submode to configure how the sensor counts

events. For example, you can specify that you want the sensor to send an alert only if the same signature

fires 5 times for the same address set.

The following options apply:

•

event-count—Specifies the number of times an event must occur before an alert is generated. The

valid range is 1 to 65535. The default is 1.

•

event-count-key—Specifies the storage type on which to count events for this signature:

–

Axxx—Attacker address

AxBx—Attacker and victim addresses

Axxb—Attacker address and victim port

xxBx—Victim address

AaBb—Attacker and victim addresses and ports

•

specify-alert-interval [yes | no]—Enables alert interval:

alert-interval—Specifies the time in seconds before the event count is reset. The default is 60.

–

Configuring the Event Counter

To configure event counter, follow these steps:

Step 1

Step 2

Enter signature definition submode.

sensor# configure terminal

sensor(config)# service signature-definition sig1

Step 3

Specify the signature for which you want to configure event counter.

sensor(config-sig)# signatures 9000 0

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-10

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Configuring Signatures

Step 4

Step 5

Step 6

Step 7

Step 8

Step 9

Enter event counter submode.

sensor(config-sig-sig)# event-counter

Specify how many times an event must occur before an alert is generated.

sensor(config-sig-sig-eve)# event-count 2

Specify the storage type on which you want to count events for this signature.

sensor(config-sig-sig-eve)# event-count-key AxBx

(Optional) Enable alert interval.

sensor(config-sig-sig-eve)# specify-alert-interval yes

(Optional) Specify the amount of time in seconds before the event count should be reset.

sensor(config-sig-sig-eve-yes)# alert-interval 30

Verify the settings.

sensor(config-sig-sig-eve-yes)# exit

sensor(config-sig-sig-eve)# show settings

event-counter

-----------------------------------------------

event-count: 2 default: 1

event-count-key: AxBx default: Axxx

specify-alert-interval

-----------------------------------------------

yes

-----------------------------------------------

alert-interval: 30 default: 60

-----------------------------------------------

sensor(config-sig-sig-eve)#

Step 10 Exit signatures submode.

sensor(config-sig-sig-eve)# exit

sensor(config-sig-sig)# exit

sensor(config-sig)# exit

Apply Changes:?[yes]:

Step 11 Press Enter to apply the changes or enter no to discard them.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-11

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Configuring Signatures

Configuring Signature Fidelity Rating

Use the sig-fidelity-rating command in signature definition submode to configure the signature fidelity

rating for a signature.

The following option applies:

•

sig-fidelity-rating—Identifies the weight associated with how well this signature might perform in

the absence of specific knowledge of the target. The valid value is 0 to 100.

Configuring the Signature Fidelity Rating

To configure the signature fidelity rating for a signature, follow these steps:

Step 1

Step 2

Enter signature definition submode.

sensor# configure terminal

sensor(config)# service signature-definition sig0

Step 3

Step 4

Step 5

Specify the signature you want to configure.

sensor(config-sig)# signatures 12000 0

Specify the signature fidelity rating for this signature.

sensor(config-sig-sig)# sig-fidelity-rating 50

Verify the settings.

sensor(config-sig-sig)# show settings

sig-id: 12000

subsig-id: 0

-----------------------------------------------

alert-severity: low <defaulted>

sig-fidelity-rating: 50 default: 85

promisc-delta: 15 <defaulted>

sig-description

-----------------------------------------------

sig-name: Gator Spyware Beacon <defaulted>

sig-string-info: /download/ User-Agent: Gator <defaulted>

sig-comment: <defaulted>

alert-traits: 0 <defaulted>

release: 71 <defaulted>

-----------------------------------------------

Step 6

Step 7

Exit signatures submode.

sensor(config-sig-sig)# exit

sensor(config-sig)# exit

Apply Changes:?[yes]:

Press Enter to apply the changes or enter no to discard them.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-12

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Configuring Signatures

Configuring the Status of Signatures

Use the status command in signature definition submode to specify the status of a specific signature.

The following options apply:

•

status—Identifies whether the signature is enabled, disabled, or retired:

–

enabled {true | false}—Enables the signature.

retired {true | false}—Retires the signature.

obsoletes signature_ID—Shows the other signatures that have been obsoleted by this signature.

Caution

Activating and retiring signatures can take 30 minutes or longer.

Changing the Signature Status

To change the status of a signature, follow these steps:

Step 1

Step 2

Enter signature definition submode.

sensor# configure terminal

sensor(config)# service signature-definition sig1

Step 3

Step 4

Choose the signature you want to configure.

sensor(config-sig)# signatures 12000 0

Change the status for this signature.

sensor(config-sig-sig)# status

sensor(config-sig-sig-sta)# enabled true

Step 5

Verify the settings.

sensor(config-sig-sig-sta)# show settings

status

-----------------------------------------------

enabled: true default: false

retired: false <defaulted>

-----------------------------------------------

sensor(config-sig-sig-sta)#

Step 6

Step 7

Exit signatures submode.

sensor(config-sig-sig-sta)# exit

sensor(config-sig-sig)# exit

sensor(config-sig)# exit

Apply Changes:?[yes]:

Press Enter to apply the changes or enter no to discard them.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-13

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Configuring Signatures

Configuring the Vulnerable OSes for a Signature

Use the vulnerable-os command in signature definition submode to configure the list of vulnerable OSes

for a signature.

The following options apply:

•

general-os—Specifies all OS types

ios—Specifies the variants of Cisco IOS

mac-os—Specifies the variants of Macintosh OS

netware—Specifies Netware

other—Specifies any other OS

unix—Specifies the variants of UNIX

aix—Specifies the variants of AIX

bsd—Specifies the variants of BSD

hp-ux—Specifies the variants of HP-UX

irix—Specifies the variants of IRIX

linux—Specifies the variants of Linux

solaris—Specifies the variants of Solaris

windows—Specifies the variants of Microsoft Windows

windows-nt-2k-xp—Specifies the variants of Microsoft NT, 2000, and XP

win-nt—Specifies the specific variants of Windows NT

Configuring Vulnerable OSes

To configure the vulnerable OSes for a signature, follow these steps:

Step 1

Step 2

Enter signature definition submode.

sensor# configure terminal

sensor(config)# service signature-definition sig1

Step 3

Step 4

Step 5

Specify the signature you want to configure.

sensor(config-sig)# signatures 6000 0

Specify the vulnerable OSes for this signature.

sensor(config-sig-sig)# vulnerable-os linux|aix

Verify the settings.

sensor(config-sig-sig)# show settings

sig-id: 60000

subsig-id: 0

-----------------------------------------------

alert-severity: medium <defaulted>

sig-fidelity-rating: 75 <defaulted>

promisc-delta: 0 <defaulted>

sig-description

-----------------------------------------------

sig-name: My Sig <defaulted>

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-14

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Configuring Signatures

sig-string-info: My Sig Info <defaulted>

sig-comment: Sig Comment <defaulted>

alert-traits: 0 <defaulted>

release: custom <defaulted>

-----------------------------------------------

vulnerable-os: aix|linux default: general-os

*---> engine

-----------------------------------------------

event-counter

-----------------------------------------------

event-count: 1 <defaulted>

event-count-key: Axxx <defaulted>

specify-alert-interval

-----------------------------------------------

--MORE--

Step 6

Step 7

Exit signatures submode.

sensor(config-sig-sig)# exit

sensor(config-sig)# exit

Apply Changes:?[yes]:

Press Enter to apply the changes or enter no to discard them.

Assigning Actions to Signatures

Use the event-action command in signature definition submode to configure the actions the sensor takes

when the signature fires.

The following options apply:

•

event-action—Specifies the type of event action the sensor should perform:

–

deny-attacker-inline (inline only)—Does not transmit this packet and future packets from the

attacker address for a specified period of time.

deny-attacker-service-pair-inline (inline only)—Does not transmit this packet and future

packets on the attacker address victim port pair for a specified period of time.

deny-attacker-victim-pair-inline (inline only)—Does not transmit this packet and future

packets on the attacker/victim address pair for a specified period of time.

deny-connection-inline (inline only)—Does not transmit this packet and future packets on the

TCP flow.

–

deny-packet-inline (inline only)—Does not transmit this packet.

log-attacker-packets—Starts IP logging of packets containing the attacker address.

log-pair-packets—Starts IP logging of packets containing the attacker-victim address pair.

log-victim-packets—Starts IP logging of packets containing the victim address.

produce-alert —Writes the event to the Event Store as an alert.

produce-verbose-alert—Includes an encoded dump (possibly truncated) of the offending

packet in the alert.

–

request-block-connection—Sends a request to the ARC to block this connection.

request-block-host—Sends a request to the ARC to block this attacker host.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-15

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Configuring Signatures

–

request-rate-limit—Sends a rate limit request to the ARC to perform rate limiting.

request-snmp-trap—Sends a request to the Notification Application component of the sensor

to perform SNMP notification.

–

reset-tcp-connection—Sends TCP resets to hijack and terminate the TCP flow.

modify-packet-inline— Modifies packet data to remove ambiguity about what the end point

might do with the packet.

–

•

event-action-settings—Enables the external-rate-limit-type:

–

none—No rate limiting configured.

percentage—Specifies the rate limit by traffic percentage (external-rate-limit-percentage).

Configuring Event Actions

To configure event actions and event action settings for a signature, follow these steps:

Step 1

Step 2

Enter signature definition mode.

sensor# configure terminal

sensor(config)# service signature-definition sig0

sensor(config-sig)#

Step 3

Step 4

Step 5

Specify the signature you want to configure.

sensor(config-sig)# signatures 1200 0

Specify the signature engine (for signature 1200 it is the Normalizer engine).

sensor(config-sig-sig)# engine normalizer

Configure the event action.

sensor(config-sig-sig-nor)# event-action produce-alert|request-snmp-trap

Note

Each time you configure the event actions for a signature, you overwrite the previous

configuration. For example, if you always want to produce an alert when the signature is fired,

you must configure it along with the other event actions you want. Use the | symbol to add more

than one event action, for example, product-alert|deny-packet-inline|request-snmp-trap.

Step 6

Verify the settings.

sensor(config-sig-sig-nor)# show settings

normalizer

-----------------------------------------------

event-action: produce-alert|request-snmp-trap default:

produce-alert|deny-packet-inline

Step 7

Step 8

Specify the percentage for rate limiting.

sensor(config-sig-sig-nor)# event-action-settings

sensor(config-sig-sig-nor-eve)# external-rate-limit-type percentage

sensor(config-sig-sig-nor-eve-per)# external-rate-limit-percentage 50

Verify the settings.

sensor(config-sig-sig-nor-eve-per)# show settings

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-16

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Configuring Signatures

percentage

-----------------------------------------------

external-rate-limit-percentage: 50 default: 100

-----------------------------------------------

Step 9

Exit event action submode.

sensor(config-sig-sig-nor-eve-per)# exit

sensor(config-sig-sig-nor-eve)# exit

sensor(config-sig-sig-nor)# exit

sensor(config-sig-sig)# exit

sensor(config-sig)# exit

Apply Changes:?[yes]:

Step 10 Press Enter to apply the changes or enter no to discard them.

For More Information

For a detailed description of event actions, see Event Actions, page 8-4.

Configuring AIC Signatures

This section describes the Application Inspection and Control (AIC) signatures and how to configure

them. It contains the following topics:

•

Understanding the AIC Engine, page 7-17

AIC Engine and Sensor Performance, page 7-18

Configuring the Application Policy, page 7-18

AIC Request Method Signatures, page 7-20

AIC MIME Define Content Type Signatures, page 7-21

AIC Transfer Encoding Signatures, page 7-24

AIC FTP Commands Signatures, page 7-25

Creating an AIC Signature, page 7-26

Understanding the AIC Engine

AIC provides thorough analysis of web traffic. It provides granular control over HTTP sessions to

prevent abuse of the HTTP protocol. It allows administrative control over applications, such as instant

messaging and gotomypc, that try to tunnel over specified ports. Inspection and policy checks for P2P

and instant messaging are possible if these applications are running over HTTP. AIC also provides a way

to inspect FTP traffic and control the commands being issued. You can enable or disable the predefined

signatures or you can create policies through custom signatures.

Note

The AIC engines run when HTTP traffic is received on AIC web ports. If traffic is web traffic, but not

received on the AIC web ports, the Service HTTP engine is executed. AIC inspection can be on any port

if it is configured as an AIC web port and the traffic to be inspected is HTTP traffic.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-17

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Configuring Signatures

AIC has the following categories of signatures:

•

HTTP request method

–

Define request method

Recognized request methods

MIME type

–

Define content type

Recognized content type

Define web traffic policy

There is one predefined signature, 12674, that specifies the action to take when noncompliant HTTP

traffic is seen. The parameter Alarm on Non HTTP Traffic enables the signature. By default this

signature is enabled.

•

Transfer encodings

–

Associate an action with each method

List methods recognized by the sensor

Specify which actions need to be taken when a chunked encoding error is seen

FTP commands

Associates an action with an FTP command.

–

For More Information

•

For a list of signature IDs and descriptions for these signatures, see AIC Request Method Signatures,

page 7-20, AIC MIME Define Content Type Signatures, page 7-21, AIC Transfer Encoding

Signatures, page 7-24, and AIC FTP Commands Signatures, page 7-25.

•

For the procedure for creating a custom MIME signature, see Creating an AIC Signature, page 7-26.

AIC Engine and Sensor Performance

Application policy enforcement is a unique sensor feature. Rather than being based on traditional IPS

technologies that inspect for exploits, vulnerabilities, and anomalies, AIC policy enforcement is

designed to enforce HTTP and FTP service policies. The inspection work required for this policy

enforcement is extreme compared with traditional IPS inspection work. A large performance penalty is

associated with using this feature. When AIC is enabled, the overall bandwidth capacity of the sensor is

reduced.

AIC policy enforcement is disabled in the IPS default configuration. If you want to activate AIC policy

enforcement, we highly recommend that you carefully choose the exact policies of interest and disable

those you do not need. Also, if your sensor is near its maximum inspection load capacity, we recommend

that you not use this feature since it can oversubscribe the sensor. We recommend that you use the

adaptive security appliance firewall to handle this type of policy enforcement.

Configuring the Application Policy

Use the application-policy command in signature definition submode to enable the web AIC feature.

You can configure the sensor to provide Layer 4 to Layer 7 packet inspection to prevent malicious

attacks related to web and FTP services.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-18

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Configuring Signatures

The following options apply:

•

ftp-enable {true | false}—Enables protection for FTP services. Set to true to require the sensor to

inspect FTP traffic. The default is false.

•

http-policy—Enables inspection of HTTP traffic:

–

aic-web-ports—Specifies the variable for ports to look for AIC traffic. The valid range is 0 to

65535. A comma-separated list of integer ranges a-b[,c-d] within 0-65535. The second number

in the range must be greater than or equal to the first number. The default is

80-80,3128-3128,8000-8000,8010-8010,8080-8080,8888-8888,24326-24326.

–

http-enable [true | false]—Enables protection for web services. Set to true to require the sensor

to inspect HTTP traffic for compliance with the RFC. The default is false.

max-outstanding-http-requests-per-connection—Specifies the maximum allowed HTTP

requests per connection. The valid value is 1 to 16. The default is 10.

Configuring the Application Policy

To configure the application policy, follow these steps:

Step 1

Step 2

Enter application policy submode.

sensor# configure terminal

sensor(config)# service signature-definition sig1

sensor(config-sig)# application-policy

Step 3

Step 4

Enable inspection of FTP traffic.

sensor(config-sig-app)# ftp-enable true

Configure the HTTP application policy:

a. Enter HTTP application policy submode.

sensor(config-sig-app)# http-policy

b. Enable HTTP application policy enforcement.

sensor(config-sig-app-htt)# http-enable true

c. Specify the number of outstanding HTTP requests per connection that can be outstanding without

having received a response from the server.

sensor(config-sig-app-htt)# max-outstanding-http-requests-per-connection 5

d. Edit the AIC ports.

sensor(config-sig-app-htt)# aic-web-ports 80-80,3128-3128

Step 5

Verify your settings.

sensor(config-sig-app-htt)# exit

sensor(config-sig-app)# show settings

application-policy

-----------------------------------------------

http-policy

-----------------------------------------------

http-enable: true default: false

max-outstanding-http-requests-per-connection: 5 default: 10

aic-web-ports: 80-80,3128-3128 default: 80-80,3128-3128,8000-8000,8010-

8010,8080-8080,8888-8888,24326-24326

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-19

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Configuring Signatures

-----------------------------------------------

ftp-enable: true default: false

-----------------------------------------------

sensor(config-sig-app)#

Step 6

Step 7

Exit signature definition submode.

sensor(config-sig-app)# exit

sensor(config-sig)# exit

Apply Changes:?[yes]:

Press Enter to apply the changes or enter no to discard them.

AIC Request Method Signatures

The HTTP request method has two categories of signatures:

•

Define request method—Allows actions to be associated with request methods. You can expand and

modify the signatures (Define Request Method).

•

Recognized request methods—Lists methods that are recognized by the sensor (Recognized Request

Methods).

Table 7-1 lists the predefined define request method signatures. Enable the signatures that have the

predefined method you need.

Table 7-1

Request Method Signatures

Signature ID

12676

12677

12678

12679

12680

12681

12682

12683

12685

12695

12696

12697

12698

12699

12700

12701

12702

12703

Define Request Method

Request Method Not Recognized

Define Request Method PUT

Define Request Method CONNECT

Define Request Method DELETE

Define Request Method GET

Define Request Method HEAD

Define Request Method OPTIONS

Define Request Method POST

Define Request Method TRACE

Define Request Method INDEX

Define Request Method MOVE

Define Request Method MKDIR

Define Request Method COPY

Define Request Method EDIT

Define Request Method UNEDIT

Define Request Method SAVE

Define Request Method LOCK

Define Request Method UNLOCK

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-20

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Configuring Signatures

Table 7-1

Request Method Signatures (continued)

Signature ID

12704

Define Request Method

Define Request Method REVLABEL

Define Request Method REVLOG

Define Request Method REVADD

Define Request Method REVNUM

Define Request Method SETATTRIBUTE

Define Request Method GETATTRIBUTENAME

Define Request Method GETPROPERTIES

Define Request Method STARTENV

Define Request Method STOPREV

12705

12706

12707

12708

12709

12710

12711

12712

For More Information

For the procedure for enabling signatures, see Configuring the Status of Signatures, page 7-13.

AIC MIME Define Content Type Signatures

There are two policies associated with MIME types:

•

Define content type—Associates specific actions for the following cases (Define Content Type):

–

Deny a specific MIME type, such as an image/jpeg

Message size violation

MIME-type mentioned in header and body do not match

•

Recognized content type (Recognized Content Type)

Table 7-2 lists the predefined define content type signatures. Enable the signatures that have the

predefined content type you need. You can also create custom define content type signatures.

Table 7-2

Define Content Type Signatures

Signature ID

12621

Signature Description

Content Type image/gif Invalid Message Length

Content Type image/png Verification Failed

12622 2

12623 0

12623 1

12623 2

Content Type image/tiff Header Check

Content Type image/tiff Invalid Message Length

Content Type image/tiff Verification Failed

12624 0

12624 1

12624 2

Content Type image/x-3ds Header Check

Content Type image/x-3ds Invalid Message Length

Content Type image/x-3ds Verification Failed

12626 0

12626 1

12626 2

Content Type image/x-portable-bitmap Header Check

Content Type image/x-portable-bitmap Invalid Message Length

Content Type image/x-portable-bitmap Verification Failed

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-21

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Configuring Signatures

Table 7-2

Define Content Type Signatures (continued)

Signature ID

Signature Description

12627 0

12627 1

12627 2

Content Type image/x-portable-graymap Header Check

Content Type image/x-portable-graymap Invalid Message Length

Content Type image/x-portable-graymap Verification Failed

12628 0

12628 1

12628 2

Content Type image/jpeg Header Check

Content Type image/jpeg Invalid Message Length

Content Type image/jpeg Verification Failed

12629 0

12629 1

Content Type image/cgf Header Check

Content Type image/cgf Invalid Message Length

12631 0

12631 1

Content Type image/x-xpm Header Check

Content Type image/x-xpm Invalid Message Length

12633 0

12633 1

12633 2

Content Type audio/midi Header Check

Content Type audio/midi Invalid Message Length

Content Type audio/midi Verification Failed

12634 0

12634 1

12634 2

Content Type audio/basic Header Check

Content Type audio/basic Invalid Message Length

Content Type audio/basic Verification Failed

12635 0

12635 1

12635 2

Content Type audio/mpeg Header Check

Content Type audio/mpeg Invalid Message Length

Content Type audio/mpeg Verification Failed

12636 0

12636 1

12636 2

Content Type audio/x-adpcm Header Check

Content Type audio/x-adpcm Invalid Message Length

Content Type audio/x-adpcm Verification Failed

12637 0

12637 1

12637 2

Content Type audio/x-aiff Header Check

Content Type audio/x-aiff Invalid Message Length

Content Type audio/x-aiff Verification Failed

12638 0

12638 1

12638 2

Content Type audio/x-ogg Header Check

Content Type audio/x-ogg Invalid Message Length

Content Type audio/x-ogg Verification Failed

12639 0

12639 1

12639 2

Content Type audio/x-wav Header Check

Content Type audio/x-wav Invalid Message Length

Content Type audio/x-wav Verification Failed

12641 0

12641 1

12641 2

Content Type text/html Header Check

Content Type text/html Invalid Message Length

Content Type text/html Verification Failed

12642 0

12642 1

Content Type text/css Header Check

Content Type text/css Invalid Message Length

12643 0

12643 1

Content Type text/plain Header Check

Content Type text/plain Invalid Message Length

12644 0

12644 1

Content Type text/richtext Header Check

Content Type text/richtext Invalid Message Length

12645 0

12645 1

12645 2

Content Type text/sgml Header Check

Content Type text/sgml Invalid Message Length

Content Type text/sgml Verification Failed

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-22

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Configuring Signatures

Table 7-2

Define Content Type Signatures (continued)

Signature ID

Signature Description

12646 0

12646 1

12646 2

Content Type text/xml Header Check

Content Type text/xml Invalid Message Length

Content Type text/xml Verification Failed

12648 0

12648 1

12648 2

Content Type video/flc Header Check

Content Type video/flc Invalid Message Length

Content Type video/flc Verification Failed

12649 0

12649 1

12649 2

Content Type video/mpeg Header Check

Content Type video/mpeg Invalid Message Length

Content Type video/mpeg Verification Failed

12650 0

12650 1

Content Type text/xmcd Header Check

Content Type text/xmcd Invalid Message Length

12651 0

12651 1

12651 2

Content Type video/quicktime Header Check

Content Type video/quicktime Invalid Message Length

Content Type video/quicktime Verification Failed

12652 0

12652 1

Content Type video/sgi Header Check

Content Type video/sgi Verification Failed

12653 0

12653 1

Content Type video/x-avi Header Check

Content Type video/x-avi Invalid Message Length

12654 0

12654 1

12654 2

Content Type video/x-fli Header Check

Content Type video/x-fli Invalid Message Length

Content Type video/x-fli Verification Failed

12655 0

12655 1

12655 2

Content Type video/x-mng Header Check

Content Type video/x-mng Invalid Message Length

Content Type video/x-mng Verification Failed

12656 0

12656 1

12656 2

Content Type application/x-msvideo Header Check

Content Type application/x-msvideo Invalid Message Length

Content Type application/x-msvideo Verification Failed

12658 0

12658 1

Content Type application/ms-word Header Check

Content Type application/ms-word Invalid Message Length

12659 0

12659 1

Content Type application/octet-stream Header Check

Content Type application/octet-stream Invalid Message Length

12660 0

12660 1

12660 2

Content Type application/postscript Header Check

Content Type application/postscript Invalid Message Length

Content Type application/postscript Verification Failed

12661 0

12661 1

Content Type application/vnd.ms-excel Header Check

Content Type application/vnd.ms-excel Invalid Message Length

12662 0

12662 1

Content Type application/vnd.ms-powerpoint Header Check

Content Type application/vnd.ms-powerpoint Invalid Message Length

12663 0

12663 1

12663 2

Content Type application/zip Header Check

Content Type application/zip Invalid Message Length

Content Type application/zip Verification Failed

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-23

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Configuring Signatures

Table 7-2

Define Content Type Signatures (continued)

Signature ID

Signature Description

12664 0

12664 1

12664 2

Content Type application/x-gzip Header Check

Content Type application/x-gzip Invalid Message Length

Content Type application/x-gzip Verification Failed

12665 0

12665 1

Content Type application/x-java-archive Header Check

Content Type application/x-java-archive Invalid Message Length

12666 0

12666 1

Content Type application/x-java-vm Header Check

Content Type application/x-java-vm Invalid Message Length

12667 0

12667 1

12667 2

Content Type application/pdf Header Check

Content Type application/pdf Invalid Message Length

Content Type application/pdf Verification Failed

12668 0

12668 1

Content Type unknown Header Check

Content Type unknown Invalid Message Length

12669 0

12669 1

Content Type image/x-bitmap Header Check

Content Type image/x-bitmap Invalid Message Length

12673 0

Recognized content type

For More Information

•

For the procedure for enabling signatures, see Configuring the Status of Signatures, page 7-13.

For the procedure for creating an ACI signature, see Creating an AIC Signature, page 7-26.

AIC Transfer Encoding Signatures

There are three policies associated with transfer encoding:

•

Associate an action with each method (Define Transfer Encoding)

List methods recognized by the sensor (Recognized Transfer Encodings)

Specify which actions need to be taken when a chunked encoding error is seen (Chunked Transfer

Encoding Error)

Table 7-3 lists the predefined transfer encoding signatures. Enable the signatures that have the

predefined transfer encoding method you need.

Table 7-3

Transfer Encoding Signatures

Signature ID

12686

Transfer Encoding Method

Recognized Transfer Encoding

Define Transfer Encoding Deflate

Define Transfer Encoding Identity

Define Transfer Encoding Compress

Define Transfer Encoding GZIP

Define Transfer Encoding Chunked

Chunked Transfer Encoding Error

12687

12688

12689

12690

12693

12694

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-24

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Configuring Signatures

For More Information

For the procedure for enabling signatures, see Configuring the Status of Signatures, page 7-13.

AIC FTP Commands Signatures

Table 7-4 lists the predefined FTP commands signatures. Enable the signatures that have the predefined

FTP command you need.

Table 7-4

FTP Commands Signatures

Signature ID

12900

12901

12902

12903

12904

12905

12906

12907

12908

12909

12910

12911

12912

12913

12914

12915

12916

12917

12918

12919

12920

12921

12922

12923

12924

12925

12926

12927

12928

12929

FTP Command

Unrecognized FTP command

Define FTP command abor

Define FTP command acct

Define FTP command allo

Define FTP command appe

Define FTP command cdup

Define FTP command cwd

Define FTP command dele

Define FTP command help

Define FTP command list

Define FTP command mkd

Define FTP command mode

Define FTP command nlst

Define FTP command noop

Define FTP command pass

Define FTP command pasv

Define FTP command port

Define FTP command pwd

Define FTP command quit

Define FTP command rein

Define FTP command rest

Define FTP command retr

Define FTP command rmd

Define FTP command rnfr

Define FTP command rnto

Define FTP command site

Define FTP command smnt

Define FTP command stat

Define FTP command stor

Define FTP command stou

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-25

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Configuring Signatures

Table 7-4

FTP Commands Signatures (continued)

Signature ID

12930

FTP Command

Define FTP command stru

Define FTP command syst

Define FTP command type

Define FTP command user

12931

12932

12933

For More Information

For the procedure for enabling signatures, see Configuring the Status of Signatures, page 7-13.

Creating an AIC Signature

Caution

A custom signature can affect the performance of your sensor. Test the custom signature against a

baseline sensor performance for your network to determine the overall impact of the signature.

The following example demonstrates how to create a MIME-type signature based on the AIC engine.

The following options apply:

•

event-action—Specifies the action(s) to perform when alert is triggered:

–

deny-attacker-inline (inline only)—Does not transmit this packet and future packets from the

attacker address for a specified period of time.

deny-attacker-service-pair-inline (inline only)—Does not transmit this packet and future

packets on the attacker address victim port pair for a specified period of time.

deny-attacker-victim-pair-inline (inline only)—Does not transmit this packet and future

packets on the attacker/victim address pair for a specified period of time.

deny-connection-inline (inline only)—Does not transmit this packet and future packets on the

TCP flow.

–

deny-packet-inline (inline only)—Does not transmit this packet.

log-attacker-packets—Starts IP logging of packets containing the attacker address.

log-pair-packets—Starts IP logging of packets containing the attacker-victim address pair.

log-victim-packets—Starts IP logging of packets containing the victim address.

produce-alert —Writes the event to the Event Store as an alert.

produce-verbose-alert—Includes an encoded dump (possibly truncated) of the offending

packet in the alert.

–

request-block-connection—Sends a request to the ARC to block this connection.

request-block-host—Sends a request to the ARC to block this attacker host.

request-rate-limit—Sends a rate limit request to the ARC to perform rate limiting.

request-snmp-trap—Sends a request to the Notification Application component of the sensor

to perform SNMP notification.

–

reset-tcp-connection—Sends TCP resets to hijack and terminate the TCP flow.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-26

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Configuring Signatures

–

modify-packet-inline— Modifies packet data to remove ambiguity about what the end point

might do with the packet.

•

no—Removes an entry or selection setting

signature-type—Specifies the type of signature desired:

–

content-types—Content-types.

define-web-traffic-policy—Defines web traffic policy.

max-outstanding-requests-overrun—Inspects for large number of outstanding HTTP

requests.

–

msg-body-pattern—Message body pattern.

request-methods—Signature types that deal with request methods.

transfer-encodings—Signature types that deal with transfer encodings.

Defining a MIME-Type Policy Signature

To define a MIME-type policy signature, follow these steps:

Step 1

Step 2

Enter application policy enforcement submode.

sensor# configure terminal

sensor(config)# service signature-definition sig1

sensor(config-sig)# signatures 60001 0

sensor(config-sig-sig)# engine application-policy-enforcement-http

Step 3

Step 4

Step 5

Step 6

Specify the event action.

sensor(config-sig-sig-app)# event-action produce-alert|log-pair-packets

Define the signature type.

sensor(config-sig-sig-app)# signature-type content-type define-content-type

Define the content type.

sensor(config-sig-sig-app-def)# name MyContent

Verify your settings.

sensor(config-sig-sig-app-def)# show settings

-> define-content-type

-----------------------------------------------

*---> content-type-details

-----------------------------------------------

sensor(config-sig-sig-app-def)#

Step 7

Exit signatures submode.

sensor(config-sig-sig-app-def)# exit

sensor(config-sig-sig-app)# exit

sensor(config-sig-sig)# exit

sensor(config-sig)# exit

Apply Changes:?[yes]:

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-27

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Configuring Signatures

Step 8

Press Enter to apply the changes or enter no to discard them.

Configuring IP Fragment Reassembly

This section describes IP fragment reassembly, lists the IP fragment reassembly signatures with the

configurable parameters, describes how to configure these parameters, and how to configure the method

for IP fragment reassembly. It contains the following topics:

•

Understanding IP Fragment Reassembly, page 7-28

IP Fragment Reassembly Signatures and Configurable Parameters, page 7-28

Configuring IP Fragment Reassembly Parameters, page 7-30

Configuring the Method for IP Fragment Reassembly, page 7-30

Understanding IP Fragment Reassembly

You can configure the sensor to reassemble a datagram that has been fragmented over multiple packets.

You can specify boundaries that the sensor uses to determine how many datagram fragments it

reassembles and how long to wait for more fragments of a datagram. The goal is to ensure that the sensor

does not allocate all its resources to datagrams that cannot be completely reassembled, either because

the sensor missed some frame transmissions or because an attack has been launched that is based on

generating random fragmented datagrams.

Note

You configure the IP fragment reassembly per signature.

IP Fragment Reassembly Signatures and Configurable Parameters

Table 7-5 lists IP fragment reassembly signatures with the parameters that you can configure for IP

fragment reassembly. The IP fragment reassembly signatures are part of the Normalizer engine.

Table 7-5

IP Fragment Reassembly Signatures

Parameter With Default Value

and Range

Signature ID and Name

Description

Default Action

1200 IP Fragmentation

Buffer Full

Fires when the total number of

fragments in the system exceeds the (0-42000)

Specify Max Fragments 10000 Deny Packet Inline

Produce Alert¹

threshold set by Max Fragments.

1201 IP Fragment Overlap Fires when the fragments queued for

a datagram overlap each other.

—

Deny Packet Inline

Produce Alert¹

1202 IP Fragment Overrun Fires when the fragment data (offset Specify Max Datagram Size

Deny Packet Inline

Produce Alert³

- Datagram Too Long

and size) exceeds the threshold set

with Max Datagram Size.

65536 (2000-65536)

1203 IP Fragment

Overwrite - Data is

Overwritten

Fires when the fragments queued for

a datagram overlap each other and

the overlapping data is different.⁴

—

Deny Packet Inline

Produce Alert⁵

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-28

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Configuring Signatures

Table 7-5

IP Fragment Reassembly Signatures (continued)

Parameter With Default Value

and Range

Signature ID and Name

Description

Default Action

1204 IP Fragment Missing Fires when the datagram is

—

Deny Packet Inline

Produce Alert⁶

Initial Fragment

incomplete and missing the initial

fragment.

1205 IP Fragment Too

Many Datagrams

Fires when the total number of partial Specify Max Partial Datagrams Deny Packet Inline

datagrams in the system exceeds the 1000 (0-10000)

threshold set by Max Partial

Produce Alert⁷

Datagrams.

1206 IP Fragment Too

Small

Fires when there are more than Max Specify Max Small Frags 2

Deny Packet Inline

Produce Alert⁹

Small Frags of a size less than Min

(8-1500)

Fragment Size in one datagram.⁸

Specify Min Fragment Size 400

(1-8)

1207 IP Fragment Too

Many Fragments in a

Datagram

Fires when there are more than Max Specify Max Fragments per

Deny Packet Inline

Produce Alert⁶

Fragments per Datagram in one

datagram.

Datagram 170 (0-8192)

1208 IP Fragment

Incomplete Datagram

Fires when all of the fragments for a Specify Fragment Reassembly Deny Packet Inline

datagram have not arrived during the Timeout 60 (0-360)

Produce Alert⁶

Fragment Reassembly Timeout.¹⁰

1225 Fragment Flags

Invalid

Fires when a bad combination of

fragment flags is detected.

—

1. Modify Packet Inline and Deny Connection Inline have no effect on this signature. Deny Packet Inline drops the packets and all associated fragments for

this datagram. If you disable this signature, the default values are still used and packets are dropped (inline mode) or not analyzed (promiscuous mode)

and no alert is sent.

2. This signature does not fire when the datagram is an exact duplicate. Exact duplicates are dropped in inline mode regardless of the settings. Modify Packet

Inline removes the overlapped data from all but one fragment so there is no ambiguity about how the endpoint treats the datagram. Deny Connection

Inline has no effect on this signature. Deny Packet Inline drops the packet and all associated fragments for this datagram.

3. Modify Packet Inline and Deny Connection Inline have no effect on this signature. Deny Packet Inline drops the packet and all associated fragments for

this datagram. Regardless of the actions set the datagram is not processed by the IPS if the datagram is larger than the Max Datagram size.

4. This is a very unusual event.

5. Modify Packet Inline removes the overlapped data from all but one fragment so there is no ambiguity about how the endpoint treats the datagram. Deny

Connection Inline has no effect on this signature. Deny Packet Inline drops the packets and all associated fragments for this datagram.

6. IPS does not inspect a datagram missing the first fragments regardless of the settings. Modify Packet Inline and Deny Connection Inline have no effect

on this signature. Deny Packet Inline drops the packet and all associated fragments for this datagram.

7. Modify Packet Inline and Deny Connection Inline have no effect on this signature. Deny Packet Inline drops the packet and all associated fragments for

this datagram.

8. IPS does not inspect the datagram if this signature is on and the number of small fragments is exceeded.

9. Modify Packet Inline and Deny Connection Inline have no effect on this signature. Deny Packet Inline drops the packet and all associated fragments for

this datagram.

10. The timer starts when the packet for the datagram arrives.

11. Modify Packet Inline modifies the flags to a valid combination. Deny Connection Inline has no effect on this signature. Deny Packet Inline drops the

packet and all associated fragments for this datagram.

For More Information

For more information about the Normalizer engine, see Normalizer Engine, page B-36.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-29

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Configuring Signatures

Configuring IP Fragment Reassembly Parameters

To configure IP fragment reassembly parameters for a specific signature, follow these steps:

Step 1

Step 2

Enter signature definition submode.

sensor# configure terminal

sensor(config)# service signature-definition sig1

Step 3

Step 4

Step 5

Step 6

Specify the IP fragment reassembly signature ID and subsignature ID.

sensor(config-sig)# signatures 1200 0

Specify the engine.

sensor(config-sig-sig)# engine normalizer

Enter edit default signatures submode.

sensor(config-sig-sig-nor)# edit-default-sigs-only default-signatures-only

Enable and change the default setting (if desired) of any of the IP fragment reassembly parameter for

signature 1200, for example, specifying the maximum fragments.

sensor(config-sig-sig-nor-def)# specify-max-fragments yes

sensor(config-sig-sig-nor-def-yes)# max-fragments 20000

Step 7

Step 8

Step 9

Verify the settings.

sensor(config-sig-sig-nor-def-yes)# show settings

yes

-----------------------------------------------

max-fragments: 20000 default: 10000

-----------------------------------------------

sensor(config-sig-sig-nor-def-yes)#

Exit signature definition submode.

sensor(config-sig-sig-nor-def-yes)# exit

sensor(config-sig-sig-nor-def)# exit

sensor(config-sig-sig-nor)# exit

sensor(config-sig-sig)# exit

sensor(config-sig)# exit

Apply Changes:?[yes]:

Press Enter for apply the changes or enter no to discard them.

Configuring the Method for IP Fragment Reassembly

Use the fragment-reassembly command in the signature definition submode to configure the method

the sensor will use to reassemble fragments. You can configure this option if your sensor is operating in

promiscuous mode. If your sensor is operating in line mode, the method is NT only.

The following options apply:

•

ip-reassemble-mode—Identifies the method the sensor uses to reassemble the fragments based on

the operating system:

–

nt—Specifies the Windows systems (default).

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-30

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Configuring Signatures

–

solaris—Specifies the Solaris systems.

linux—Specifies the GNU/Linux systems.

bsd—Specifies the BSD UNIX systems.

Configuring the IP Fragment Reassembly Method

To configure the method for IP fragment reassembly, follow these steps:

Step 1

Step 2

Enter fragment reassembly submode.

sensor# configure terminal

sensor(config)# service signature-definition sig1

sensor(config-sig)# fragment-reassembly

Step 3

Step 4

Configure the operating system you want the sensor to use to reassemble IP fragments.

sensor(config-sig-fra)# ip-reassemble-mode linux

Verify the setting.

sensor(config-sig-fra)# show settings

fragment-reassembly

-----------------------------------------------

ip-reassemble-mode: linux default: nt

-----------------------------------------------

sensor(config-sig-fra)#

Step 5

Step 6

Exit signature definition submode.

sensor(config-sig-fra)# exit

sensor(config-sig)# exit

Apply Changes:?[yes]:

Press Enter to apply the changes or enter no to discard them.

Configuring TCP Stream Reassembly

This section describes TCP stream reassembly, lists the TCP stream reassembly signatures with the

configurable parameters, describes how to configure TCP stream signatures, and how to configure the

mode for TCP stream reassembly. It contains the following topics:

•

Understanding TCP Stream Reassembly, page 7-31

TCP Stream Reassembly Signatures and Configurable Parameters, page 7-32

Configuring TCP Stream Reassembly Signatures, page 7-36

Configuring the Mode for TCP Stream Reassembly, page 7-37

Understanding TCP Stream Reassembly

You can configure the sensor to monitor only TCP sessions that have been established by a complete

three-way handshake. You can also configure how long to wait for the handshake to complete, and how

long to keep monitoring a connection where no more packets have been seen. The goal is to prevent the

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-31

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Configuring Signatures

sensor from creating alerts where a valid TCP session has not been established. There are known attacks

against sensors that try to get the sensor to generate alerts by simply replaying pieces of an attack. The

TCP session reassembly feature helps to mitigate these types of attacks against the sensor.

You configure TCP stream reassembly parameters per signature. You can configure the mode for TCP

stream reassembly.

TCP Stream Reassembly Signatures and Configurable Parameters

Table 7-6 lists TCP stream reassembly signatures with the parameters that you can configure for TCP

stream reassembly. TCP stream reassembly signatures are part of the Normalizer engine.

Table 7-6

TCP Stream Reassembly Signatures

Parameter With

Default Value and

Range

Signature ID and Name

Description

Default Actions

1301 TCP Session Inactivity Timeout¹

Fires when a TCP session has TCP Idle Timeout

—

been idle for a TCP Idle

Timeout.

3600 (15-3600)

1302 TCP Session Embryonic Timeout³

1303 TCP Session Closing Timeout⁵

Fires when a TCP session has TCP Embryonic

—

not completes the three-way

handshake in TCP embryonic

timeout seconds.

Timeout 15

(3-300)

Fires when a TCP session has TCP Closed Timeout

not closed completely in TCP 5 (1-60)

Closed Timeout seconds after

—

the first FIN.

1304 TCP Session Packet Queue Overflow This signature allows for

setting the internal TCP Max

TCP Max Queue 32

(0-128)

—

Queue size value for the

TCP Idle Timeout

Normalizer engine. As a result 3600

it does not function in

promiscuous mode. By default

this signature does not fire an

alert. If a custom alert event is

associated with this signature

and if the queue size is

exceeded, an alert fires.

Note

The IPS signature team

discourages modifying

this value.

1305 TCP Urg Flag Set⁸

Fires when the TCP urgent flag TCP Idle Timeout

is seen 3600

Modify Packet Inline⁹

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-32

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Configuring Signatures

Table 7-6

TCP Stream Reassembly Signatures (continued)

Parameter With

Default Value and

Range

Signature ID and Name

Description

Default Actions

1306 0 TCP Option Other

Fires when a TCP option in the TCP Option Number Modify Packet Inline

range of TCP Option Number is 6-7,9-255

Produce Alert¹⁰

seen. All 1306 signatures fire

(Integer Range Allow

an alert and do not function in Multiple 0-255

promiscuous mode.

constraints)

TCP Idle Timeout

3600

1306 1 TCP SACK Allowed Option

1306 2 TCP SACK Data Option

1306 3 TCP Timestamp Option

1306 4 TCP Window Scale Option

1306 5 TCP MSS Option

Fires when a TCP selective

ACK allowed option is seen.

All 1306 signatures fire an alert

and do not function in

TCP Idle Timeout

3600

Modify Packet Inline¹¹

Modify Packet Inline¹²

Modify Packet Inline¹³

Modify Packet Inline¹⁴

promiscuous mode.

Fires when a TCP selective

ACK data option is seen. All

1306 signatures fire an alert and

do not function in promiscuous

mode.

TCP Idle Timeout

3600

Fires when a TCP timestamp

option is seen. All 1306

signatures fire an alert and do

not function in promiscuous

mode.

TCP Idle Timeout

3600

Fires when a TCP window scale TCP Idle Timeout

option is seen. All 1306

signatures fire an alert and do

not function in promiscuous

mode.

3600

Fires when a TCP MSS option TCP Idle Timeout

is detected. All 1306 signatures 3600

fire an alert and do not function

Modify Packet Inline

in promiscuous mode.

1306 6 TCP option data after EOL option Fires when the TCP option list TCP Idle Timeout

has data after the EOL option. 3600

All 1306 signatures fire an alert

and do not function in

promiscuous mode.

1307 TCP Window Variation

1308 TTL Evasion¹⁶

Fires when the right edge of the TCP Idle Timeout

recv window for TCP moves to 3600

the right (decreases).

Deny Connection Inline

Produce Alert¹⁵

Fires when the TTL seen on one TCP Idle Timeout

direction of a session is higher 3600

than the minimum that has been

observed.

Modify Packet Inline¹⁷

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-33

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Configuring Signatures

Table 7-6

TCP Stream Reassembly Signatures (continued)

Parameter With

Default Value and

Range

Signature ID and Name

Description

Default Actions

1309 TCP Reserved Flags Set

Fires when the reserved bits

(including bits used for ECN) 3600

are set on the TCP header.

TCP Idle Timeout

Modify Packet Inline

Produce Alert¹⁸

1311 TCP Packet Exceeds MSS

1312 TCP MSS Below Minimum

1313 TCP Max MSS

Fires when a packet exceeds the TCP Idle Timeout

Produce Alert¹⁹

MSS that was exchanged

during the three-way

handshake.

3600

Fires when the MSS value in a TCP Min MSS 400

packet containing a SYN flag is (0-16000)

Modify Packet Inline²⁰

less that TCP Min MSS.

TCP Idle Timeout

3600

Fires when the MSS value in a TCP Max MSS1460 Modify Packet Inline

packet containing a SYN flag

exceed TCP Max MSS

(0-16000)

disabled²¹

1314 TCP Data SYN

Fires when TCP payload is sent

in the SYN packet.

—

Deny Packet Inline

disabled²²

1315 ACK Without TCP Stream

Fires when an ACK packet is

sent that does not belong to a

stream.

Produce Alert

disabled²³

1317 Zero Window Probe

Fires when a zero window

probe packet is detected.

Modify Packet Inline Modify Packet Inline

removes data from the

Zero Window Probe

packet.

1330²⁴0 TCP Drop - Bad Checksum

1330 1 TCP Drop - Bad TCP Flags

Fires when TCP packet has bad Modify Packet Inline Deny Packet Inline

checksum.

corrects the

checksum.

Fires when TCP packet has bad

flag combination.

—

Deny Packet Inline

1330 2 TCP Drop - Urgent Pointer With

No Flag

Fires when TCP packet has a

URG pointer and no URG flag. clears the pointer.

Modify Packet Inline Modify Packet Inline

disabled

1330 3 TCP Drop - Bad Option List

Fires when TCP packet has a

bad option list.

—

Deny Packet Inline

1330 4 TCP Drop - Bad Option Length

Fires when TCP packet has a

bad option length.

—

Deny Packet Inline

1330 5 TCP Drop - MSS Option Without Fires when TCP MSS option is Modify Packet Inline Modify Packet Inline

SYN

seen in packet without the SYN clears the MSS

flag set. option.

1330 6 TCP Drop - WinScale Option

Without SYN

Fires when TCP window scale Modify Packet Inline Modify Packet Inline

option is seen in packet without clears the window

the SYN flag set.

scale option.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-34

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Configuring Signatures

Table 7-6

TCP Stream Reassembly Signatures (continued)

Parameter With

Default Value and

Range

Signature ID and Name

Description

Default Actions

1330 7 TCP Drop - Bad WinScale Option Fires when a TCP packet has a Modify Packet Inline Modify Packet Inline

Value

bad window scale value.

sets the value to the

closest constraint

value.

1330 8 TCP Drop - SACK Allow Without Fires when the TCP SACK

Modify Packet Inline Modify Packet Inline

clears the SACK

allowed option.

SYN

allowed option is seen in a

packet without the SYN flags

set.

1330 9 TCP Drop - Data in SYN|ACK

1330 10 TCP Drop - Data Past FIN

Fires when TCP packet with

SYN and ACK flags set also

contains data.

—

Deny Packet Inline

Fires when TCP data is

sequenced after FIN.

—

Deny Packet Inline

1330 11 TCP Drop - Timestamp not

Allowed

Fires when TCP packet has

timestamp option when

timestamp option is not

allowed.

1330 12 TCP Drop - Segment Out of Order Fires when TCP segment is out

of order and cannot be queued.

—

Deny Packet Inline

1330 13 TCP Drop - Invalid TCP Packet Fires when TCP packet has

invalid header.

1330 14 TCP Drop - RST or SYN in

window

Fires when TCP packet with

RST or SYN flag was sent in

the sequence window but was

not the next sequence.

1330 15 TCP Drop - Segment Already

ACKed

Fires when TCP packet

sequence is already ACKed by

peer (excluding keepalives).

—

Deny Packet Inline

1330 16 TCP Drop - PAWS Failed

Fires when TCP packet fails

PAWS check.

—

Deny Packet Inline

1330 17 TCP Drop - Segment out of State Fires when TCP packet is not

Order

proper for the TCP session

state.

1330 18 TCP Drop - Segment out of

Window

Fires when TCP packet

sequence number is outside of

allowed window.

—

Deny Packet Inline

3050 Half Open SYN Attack

syn-flood-max-embry

onic 5000

3250 TCP Hijack

max-old-ack 200

max-old-ack 100

3251 TCP Hijack Simplex Mode

1. The timer is reset to 0 after each packet on the TCP session. by default, this signature does not produce an alert. You can choose to produce alerts for

expiring TCP connections if desired. A statistic of total number of expired flows is updated any time a flow expires.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-35

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Configuring Signatures

2. Modify Packet Inline, Deny Connection Inline, and Deny Packet Inline have no effect on this signature.

3. The timer starts with the first SYN packet and is not reset. State for the session is reset and any subsequent packets for this flow appear to be out of order

(unless it is a SYN).

4. Modify Packet Inline, Deny Connection Inline, and Deny Packet Inline have no effect on this signature.

5. The timer starts with the first FIN packet and is not reset. State for the session is reset and any subsequent packets for this flow appear to be out of order

(unless it is a SYN).

6. Modify Packet Inline, Deny Connection Inline, and Deny Packet Inline have no effect on this signature.

7. Modify Packet Inline and Deny Packet Inline have no effect on this signature. Deny Connection Inline drops the current packet and the TCP session.

8. Phrak 57 describes a way to evade security policy using URG pointers. You can normalize the packet when it is in inline mode with this signature.

9. Modify Packet Inline strips the URG flag and zeros the URG pointer from the packet. Deny Connection Inline drops the current packet and the TCP

session. Deny Packet Inline drops the packet.

10. Modify Packet Inline strips the selected option(s) from the packet. Deny Connection Inline drops the current packet and the TCP session. Deny Packet

Inline drops the packet.

11. Modify Packet Inline strips the selected ACK allowed option from the packet. Deny Connection Inline drops the current packet and the TCP session. Deny

Packet Inline drops the packet.

12. Modify Packet Inline strips the selected ACK allowed option from the packet. Deny Connection Inline drops the current packet and the TCP session. Deny

Packet Inline drops the packet.

13. Modify Packet Inline strips the timestamp option from the packet. Deny Connection Inline drops the current packet and the TCP session. Deny Packet

Inline drops the packet.

14. Modify Packet Inline strips the window scale option from the packet. Deny Connection Inline drops the current packet and the TCP session. Deny Packet

Inline drops the packet.

15. Modify Packet Inline has no effect on this signature. Deny Connection Inline drops the current packet and the TCP connection. Deny Packet Inline drops

the packet.

16. This signature is used to cause TTLs to monotonically decrease for each direction on a session. For example, if TTL 45 is the lowest TTL seen from A to

B, then all future packets from A to B will have a maximum of 45 if Modify Packet Inline is set. Each new low TTL becomes the new maximum for packets

on that session.

17. Modify Packet Inline ensures that the IP TTL monotonically decreases. Deny Connection Inline drops the current packet and the TCP session. Deny Packet

Inline drops the packet.

18. Modify Packet Inline clears all reserved TCP flags. Deny Connection Inline drops the current packet and the TCP session. Deny Packet Inline drops the

packet.

19. Modify Packet Inline has no effect on this signature. Deny Connection Inline drops the current packet and the TCP connection. Deny Packet Inline drops

the packet.

20. 2.4.21-15.EL.cisco.1 Modify Packet Inline raises the MSS value to TCP Min MSS. Deny Connection Inline drops the current packet and the TCP session.

Deny Packet Inline drops the packet 2.4.21-15.EL.cisco.1.

21. Modify Packet Inline lowers the MSS value to TCP Max MSS. Deny Connection Inline drops the current packet and the TCP session. Deny Packet Inline

drops the packet 2.4.21-15.EL.cisco.1.

22. Modify Packet Inline has no effect on this signature. Deny Connection Inline drops the current packet and the TCP session. Deny Packet Inline drops the

packet.

23. Modify Packet Inline, Deny Connection Inline, and Deny Packet Inline have no effect on this signature. By default, the 1330 signatures drop packets for

which this signature sends alerts.

24. These subsignatures represent the reasons why the Normalizer might drop a TCP packet. By default these subsignatures drop packets. These subsignatures

let you permit packets that fail the checks in the Normalizer through the IPS. The drop reasons have an entry in the TCP statistics. By default these

subsignatures do not produce an alert.

For More Information

For more information about the Normalizer engine, see Normalizer Engine, page B-36.

Configuring TCP Stream Reassembly Signatures

To configure TCP stream reassembly for a specific signature, follow these steps:

Step 1

Step 2

Enter signature definition submode.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-36

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Configuring Signatures

sensor# configure terminal

sensor(config)# service signature-definition sig1

Step 3

Step 4

Step 5

Step 6

Specify the TCP stream reassembly signature ID and subsignature ID.

sensor(config-sig)# signatures 1313 0

Specify the engine.

sensor(config-sig-sig)# engine normalizer

Enter edit default signatures submode.

sensor(config-sig-sig-nor)# edit-default-sigs-only default-signatures-only

Enable and change the default setting (if desired) of the maximum MSS parameter for signature 1313.

sensor(config-sig-sig-nor-def)# specify-tcp-max-mss yes

sensor(config-sig-sig-nor-def-yes)# tcp-max-mss 1380

Note

Changing this parameter from the default of 1460 to 1380 helps prevent fragmentation of traffic

going through a VPN tunnel.

Step 7

Step 8

Step 9

Verify the settings.

sensor(config-sig-sig-nor-def-yes)# show settings

yes

-----------------------------------------------

tcp-max-mss: 1380 default: 1460

-----------------------------------------------

sensor(config-sig-sig-nor-def-yes)#

Exit signature definition submode.

sensor(config-sig-sig-nor-def-yes)# exit

sensor(config-sig-sig-nor-def)# exit

sensor(config-sig-sig-nor)# exit

sensor(config-sig-sig)# exit

sensor(config-sig)# exit

Apply Changes:?[yes]:

Press Enter for apply the changes or enter no to discard them.

Configuring the Mode for TCP Stream Reassembly

Use the stream-reassembly command in the signature definition submode to configure the mode that

the sensor will use to reassemble TCP sessions.

Note

The parameters tcp-3-way-handshake-required and tcp-reassembly-mode only impact sensors

inspecting traffic in promiscuous mode, not inline mode. To configure asymmetric options for sensors

inspecting inline traffic, use the inline-TCP-evasion-protection-mode parameter.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-37

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Configuring Signatures

The following options apply:

•

tcp-3-way-handshake-required [true | false]—Specifies that the sensor should only track sessions

for which the 3-way handshake is completed. The default is true.

•

tcp-reassembly-mode—Specifies the mode the sensor should use to reassemble TCP sessions:

–

strict—Only allows the next expected in the sequence (default).

loose—Allows gaps in the sequence.

asym—Allows asymmetric traffic to be reassembled.

Caution

The asymmetric option disables TCP window evasion checking.

Configuring the TCP Stream Reassembly Parameters

To configure the TCP stream reassembly parameters, follow these steps:

Step 1

Step 2

Enter TCP stream reassembly submode.

sensor# configure terminal

sensor(config)# service signature-definition sig1

sensor(config-sig)# stream-reassembly

Step 3

Step 4

Step 5

Specify that the sensor should only track session for which the 3-way handshake is completed.

sensor(config-sig-str)# tcp-3-way-handshake-required true

Specify the mode the sensor should use to reassemble TCP sessions.

sensor(config-sig-str)# tcp-reassembly-mode strict

Verify the settings.

sensor(config-sig-str)# show settings

stream-reassembly

-----------------------------------------------

tcp-3-way-handshake-required: true default: true

tcp-reassembly-mode: strict default: strict

-----------------------------------------------

sensor(config-sig-str)#

Step 6

Step 7

Exit signature definition submode.

sensor(config-sig-str)# exit

sensor(config-sig)# exit

Apply Changes:?[yes]:

Press Enter to apply the changes or enter no to discard them.

For More Information

For information on asymmetric inspection options for sensors configured in inline mode, see Inline TCP

Session Tracking Mode, page 5-3 and Adding, Editing, and Deleting Virtual Sensors, page 5-4.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-38

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Configuring Signatures

Configuring IP Logging

You can configure a sensor to generate an IP session log when the sensor detects an attack. When IP

logging is configured as a response action for a signature and the signature is triggered, all packets to

and from the source address of the alert are logged for a specified period of time.

Note

IP logging allows a maximum limit of 20 concurrent IP log files. Once the limit of 20 is reached, you

receive the following message in main.log: Cid/W errWarnIpLogProcessor::addIpLog: Ran out of

file descriptors.

Use the ip-log command in the signature definition submode to configure IP logging.

The following options apply:

•

ip-log-bytes—Identifies the maximum number of bytes you want logged. The valid value is 0 to

2147483647. The default is 0.

ip-log-packets—Identifies the number of packets you want logged. The valid value is 0 to 65535.

The default is 0.

ip-log-time—Identifies the duration you want the sensor to log. The valid value is 30 to 300

seconds. The default is 30 seconds.

Note

When the sensor meets any one of the IP logging conditions, it stops IP logging.

Configuring IP Logging Parameters

To configure the IP logging parameters, follow these steps:

Step 1

Step 2

Enter IP log submode.

sensor# configure terminal

sensor(config)# service signature-definition sig1

sensor(config-sig)# ip-log

Step 3

Specify the IP logging parameters:

a. Specify the maximum number of bytes you want logged.

sensor(config-sig-ip)# ip-log-bytes 200000

b. Specify the number of packets you want logged.

sensor(config-sig-ip)# ip-log-packets 150

c. Specify the length of time you want the sensor to log.

sensor(config-sig-ip)# ip-log-time 60

Step 4

Verify the settings.

sensor(config-sig-ip)# show settings

ip-log

-----------------------------------------------

ip-log-packets: 150 default: 0

ip-log-time: 60 default: 30

ip-log-bytes: 200000 default: 0

-----------------------------------------------

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-39

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Creating Custom Signatures

sensor(config-sig-ip)#

Step 5

Step 6

Exit signature definition submode.

sensor(config-sig-ip)# exit

sensor(config-sig)# exit

Apply Changes:?[yes]:

Press Enter to apply the changes or enter no to discard them.

Creating Custom Signatures

This section describes how to create custom signatures and contains the following topics:

•

Sequence for Creating a Custom Signature, page 7-40

Example String TCP Engine Signature, page 7-41

Example Service HTTP Engine Signature, page 7-44

Example Meta Engine Signature, page 7-46

Example IPv6 Engine Signature, page 7-50

Example String XL TCP Engine Match Offset Signature, page 7-52

Example String XL TCP Engine Minimum Match Length Signature, page 7-55

Sequence for Creating a Custom Signature

Use the following sequence when you create a custom signature:

Step 1

Step 2

Select a signature engine.

Assign the signature identifiers:

•

Signature ID

SubSignature ID

Signature name

Alert notes (optional)

User comments (optional)

Step 3

Step 4

Assign the engine-specific parameters. The parameters differ for each signature engine, although there

is a group of master parameters that applies to each engine.

Assign the alert response:

•

Signature fidelity rating

Severity of the alert

Step 5

Step 6

Assign the alert behavior.

Apply the changes.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-40

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Creating Custom Signatures

Example String TCP Engine Signature

The String engine is a generic-based pattern-matching inspection engine for ICMP, TCP, and UDP

protocols. The String engine uses a regular expression engine that can combine multiple patterns into a

single pattern-matching table allowing for a single search through the data. There are three String

engines: String ICMP, String TCP, and String UDP.

Caution

Note

A custom signature can affect the performance of your sensor. Test the custom signature against a

baseline sensor performance for your network to determine the overall impact of the signature.

This procedure also applies to String UDP and ICMP signatures.

The following options apply:

•

default—Sets the value back to the system default setting.

direction—Specifies the direction of the traffic:

–

from-service—Traffic from service port destined to client port.

to-service—Traffic from client port destined to service port.

•

event-action—Specifies the action(s) to perform when alert is triggered:

–

deny-attacker-inline (inline only)—Does not transmit this packet and future packets from the

attacker address for a specified period of time.

deny-attacker-service-pair-inline (inline only)—Does not transmit this packet and future

packets on the attacker address victim port pair for a specified period of time.

deny-attacker-victim-pair-inline (inline only)—Does not transmit this packet and future

packets on the attacker/victim address pair for a specified period of time.

deny-connection-inline (inline only)—Does not transmit this packet and future packets on the

TCP flow.

–

deny-packet-inline (inline only)—Does not transmit this packet.

log-attacker-packets—Starts IP logging of packets containing the attacker address.

log-pair-packets—Starts IP logging of packets containing the attacker-victim address pair.

log-victim-packets—Starts IP logging of packets containing the victim address.

produce-alert —Writes the event to the Event Store as an alert.

produce-verbose-alert—Includes an encoded dump (possibly truncated) of the offending

packet in the alert.

–

request-block-connection—Sends a request to the ARC to block this connection.

request-block-host—Sends a request to the ARC to block this attacker host.

request-rate-limit—Sends a rate limit request to the ARC to perform rate limiting.

request-snmp-trap—Sends a request to the Notification Application component of the sensor

to perform SNMP notification.

–

reset-tcp-connection—Sends TCP resets to hijack and terminate the TCP flow.

modify-packet-inline— Modifies packet data to remove ambiguity about what the end point

might do with the packet.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-41

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Creating Custom Signatures

•

no—Removes an entry or selection setting.

regex-string —Specifies a regular expression to search for in a single TCP packet.

service-ports—Specifies the ports or port ranges where the target service may reside. The valid

range is 0 to 65535. It is a separated list of integer ranges a-b[,c-d] within 0 to 65535. The second

number in the range must be greater than or equal to the first number.

•

specify-exact-match-offset {yes | no}—(Optional) Enables exact match offset:

–

exact-match-offset—Specifies the exact stream offset the regular expression string must report

for a match to be valid. The value is 0 to 65535.

specify-min-match-length {yes | no}—(Optional) Enables minimum match length:

–

min-match-length—Specifies the minimum number of bytes the regular expression string must

match. The value is 0 to 65535.

•

strip-telnet-options {true | false}—Strips the Telnet option characters from the data before the

pattern is searched.

swap-attacker-victim {true | false}—Swaps the attacker and victim addresses and ports (source

and destination) in the alert message and in any actions taken. The default is false.

Creating a String TCP Engine Signature

To create a signature based on the String TCP engine, follow these steps:

Step 1

Step 2

Enter signature definition submode.

sensor# configure terminal

sensor(config)# service signature-definition sig1

Step 3

Specify a signature ID and subsignature ID for the signature. Custom signatures are in the range of 60000

to 65000.

sensor(config-sig)# signatures 60025 0

Step 4

Step 5

Enter signature description submode.

sensor(config-sig-sig)# sig-description

Specify a name for the new signature. You can also specify a additional comments about the sig using

the sig-comment command or additional information about the signature using the sig-string-info

command.

sensor(config-sig-sig-sig)# sig-name This is my new name

Step 6

Step 7

Step 8

Step 9

Exit signature description submode.

sensor(config-sig-sig-sig)# exit

Specify the string TCP engine.

sensor(config-sig-sig)# engine string-tcp

Specify the service ports.

sensor(config-sig-sig-str)# service-ports 23

Specify the direction.

sensor(config-sig-sig-str)# direction to-service

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-42

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Creating Custom Signatures

Step 10 Specify the regex string to search for in the TCP packet. You can change the event actions if needed

according to your security policy using the event-action command. The default event action is

produce-alert.

sensor(config-sig-sig-str)# regex-string This-is-my-new-Sig-regex

Step 11 You can modify the following optional parameters for this custom String TCP signature:

•

specify-exact-match-offset

specify-min-match-length

strip-telnet-options

swap-attacker-victim.

Step 12 Verify the settings.

sensor(config-sig-sig-str)# show settings

string-tcp

-----------------------------------------------

event-action: produce-alert <defaulted>

strip-telnet-options: false <defaulted>

specify-min-match-length

-----------------------------------------------

regex-string: This-is-my-new-Sig-regex

service-ports: 23

direction: to-service default: to-service

specify-exact-match-offset

-----------------------------------------------

specify-max-match-offset

-----------------------------------------------

specify-min-match-offset

-----------------------------------------------

swap-attacker-victim: false <defaulted>

-----------------------------------------------

sensor(config-sig-sig-str)#

Step 13 Exit signature definition submode.

sensor(config-sig-sig-str)# exit

sensor(config-sig-sig)# exit

sensor(config-sig)# exit

Apply Changes:?[yes]:

Step 14 Press Enter to apply the changes or enter no to discard them.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-43

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Creating Custom Signatures

Example Service HTTP Engine Signature

The Service HTTP engine is a service-specific string-based pattern-matching inspection engine. The

HTTP protocol is one of the most commonly used in networks of today. In addition, it requires the most

amount of preprocessing time and has the most number of signatures requiring inspection making it

critical to the overall performance of the system.

The Service HTTP engine uses a Regex library that can combine multiple patterns into a single

pattern-matching table allowing a single search through the data. This engine searches traffic directed

only to web services, or HTTP requests. You cannot inspect return traffic with this engine. You can

specify separate web ports of interest in each signature in this engine.

HTTP deobfuscation is the process of decoding an HTTP message by normalizing encoded characters

to ASCII equivalent characters. It is also known as ASCII normalization.

Before an HTTP packet can be inspected, the data must be deobfuscated or normalized to the same

representation that the target system sees when it processes the data. It is ideal to have a customized

decoding technique for each host target type, which involves knowing what operating system and web

server version is running on the target. The Service HTTP engine has default deobfuscation behavior for

the Microsoft IIS web server.

The following options apply:

•

de-obfuscate {true | false}—Applies anti-evasive deobfuscation before searching.

default—Sets the value back to the system default setting.

event-action —Specifies the action(s) to perform when alert is triggered:

–

deny-attacker-inline (inline only)—Does not transmit this packet and future packets from the

attacker address for a specified period of time.

deny-attacker-service-pair-inline (inline only)—Does not transmit this packet and future

packets on the attacker address victim port pair for a specified period of time.

deny-attacker-victim-pair-inline (inline only)—Does not transmit this packet and future

packets on the attacker/victim address pair for a specified period of time.

deny-connection-inline (inline only)—Does not transmit this packet and future packets on the

TCP flow.

–

deny-packet-inline (inline only)—Does not transmit this packet.

log-attacker-packets—Starts IP logging of packets containing the attacker address.

log-pair-packets—Starts IP logging of packets containing the attacker-victim address pair.

log-victim-packets—Starts IP logging of packets containing the victim address.

produce-alert —Writes the event to the Event Store as an alert.

produce-verbose-alert—Includes an encoded dump (possibly truncated) of the offending

packet in the alert.

–

request-block-connection—Sends a request to the ARC to block this connection.

request-block-host—Sends a request to the ARC to block this attacker host.

request-rate-limit—Sends a rate limit request to the ARC to perform rate limiting.

request-snmp-trap—Sends a request to the Notification Application component of the sensor

to perform SNMP notification.

–

reset-tcp-connection—Sends TCP resets to hijack and terminate the TCP flow.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-44

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Creating Custom Signatures

–

modify-packet-inline— Modifies packet data to remove ambiguity about what the end point

might do with the packet.

•

max-field-sizes —Grouping for maximum field sizes:

–

specify-max-arg-field-length {yes | no}—Enables max-arg-field-length (optional).

specify-max-header-field-length {yes | no}—Enables max-header-field-length (optional).

specify-max-request-length {yes | no}—Enables max-request-length (optional).

specify-max-uri-field-length {yes | no}—Enables max-uri-field-length (optional).

•

no—Removes an entry or selection setting.

regex—Regular expression grouping:

–

specify-arg-name-regex—Enables arg-name-regex (optional).

specify-header-regex —Enables header-regex (optional).

specify-request-regex—Enables request-regex (optional).

specify-uri-regex—Enables uri-regex (optional).

•

service-ports —A comma-separated list of ports or port ranges where the target service may reside.

swap-attacker-victim {true | false}—Whether address (and ports) source and destination are

swapped in the alarm message. The default is false for no swapping.

Creating a Service HTTP Engine Signature

To create a custom signature based on the Service HTTP engine, follow these steps:

Step 1

Step 2

Enter signature definition submode.

sensor# configure terminal

sensor(config)# service signature-definition sig1

Step 3

Specify a signature ID and a subsignature ID for the signature. Custom signatures are in the range of

60000 to 65000.

sensor(config-sig)# signatures 63000 0

Step 4

Step 5

Step 6

Step 7

Step 8

Enter signature description mode.

sensor(config-sig-sig)# sig-description

Specify a signature name.

sensor(config-sig-sig-sig)# sig-name myWebSig

Specify the alert traits. The valid range is from 0 to 65535.

sensor(config-sig-sig-sig)# alert-traits 2

Exit signature description submode.

sensor(config-sig-sig-sig)# exit

Specify the alert frequency.

sensor(config-sig-sig)# alert-frequency

sensor(config-sig-sig-ale)# summary-mode fire-all

sensor(config-sig-sig-ale-fir)# summary-key Axxx

sensor(config-sig-sig-ale-fir)# specify-summary-threshold yes

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-45

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Creating Custom Signatures

sensor(config-sig-sig-ale-fir-yes)# summary-threshold 200

Step 9

Exit alert frequency submode.

sensor(config-sig-sig-ale-fir-yes)# exit

sensor(config-sig-sig-ale-fir)# exit

sensor(config-sig-sig-ale)# exit

Step 10 Configure the signature to apply anti-evasive deobfuscation before searching:

sensor(config-sig-sig)# engine service-http

sensor(config-sig-sig-ser)# de-obfuscate true

Step 11 Configure the Regex parameters.

sensor(config-sig-sig)# engine service-http

sensor(config-sig-sig-ser)# regex

sensor(config-sig-sig-ser-reg)# specify-uri-regex yes

sensor(config-sig-sig-ser-reg-yes)# uri-regex [Mm][Yy][Ff][Oo][Oo]

Step 12 Exit Regex submode.

sensor(config-sig-sig-ser-reg-yes)# exit

sensor(config-sig-sig-ser-reg-)# exit

Step 13 Configure the service ports using the signature variable WEBPORTS.

sensor(config-sig-sig-ser)# service-ports $WEBPORTS

Step 14 Exit signature definition submode.

sensor(config-sig-sig-ser)# exit

sensor(config-sig-sig)# exit

sensor(config-sig)# exit

Apply Changes:?[yes]:

Step 15 Press Enter to apply the changes or enter no to discard them.

Example Meta Engine Signature

Caution

A large number of Meta engine signatures could adversely affect overall sensor performance.

The Meta engine defines events that occur in a related manner within a sliding time interval. This engine

processes events rather than packets. As signature events are generated, the Meta engine inspects them

to determine if they match any or several Meta definitions. The Meta engine generates a signature event

after all requirements for the event are met.

All signature events are handed off to the Meta engine by the Signature Event Action Processor. The

Signature Event Action Processor hands off the event after processing the minimum hits option.

Summarization and event action are processed after the Meta engine has processed the component

events.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-46

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Creating Custom Signatures

Meta Signature Engine Enhancement

The purpose of the Meta engine is to detect a specified payload from an attacker and a corresponding

payload from the victim. It is also used to inspect streams at different offsets. The Meta engine supports

the AND and OR logical operators. ANDNOT capability has been added to the Meta engine. This clause

is a negative clause used to complement the existing positive clause-based signatures. The previous

signature format had the following form:

IF (A and B and C) then Alarm; alternatively, IF (A or B or C) then Alarm is also

supported; where A, B, and C are meta component signatures.

The addition of the negative clause allows for the following logic:

IF (A and/or B) AND NOT (C and/or D) then Alarm.

The (C and/or D) is the negative clause and is satisfied if (C and D) [alternatively (C or D)] do not occur

before the Meta Reset Interval time expires.

A component of the positive clause must occur before the negative clause(s) to establish the Meta

tracking state. The Meta engine cannot track the lack of past behavior. The state of the negative clause

is evaluated when the Meta Reset Interval time expires.

Caution

A custom signature can affect the performance of your sensor. Test the custom signature against a

baseline sensor performance for your network to determine the overall impact of the signature.

The Meta engine is different from other engines in that it takes alerts as input where most engines take

packets as input.

The following options apply:

•

component-list name1—Specifies the list of Meta components:

–

edit—Edits an existing entry in the list.

insert —Inserts a new entry into the list.

move—Moves an entry in the list.

begin—Places the entry at the beginning of the active list.

end—Places the entry at the end of the active list.

inactive—Places the entry into the inactive list.

before—Places the entry before the specified entry.

after—Places the entry after the specified entry.

component-count—Specifies the number of times component must fire before this component

is satisfied.

–

component-sig-id—Specifies the signature ID of the signature to match this component on.

component-subsig-id—Specifies the subsignature ID of the signature to match this component

on.

–

is-not-component {true | false}—Specifies that the component is a NOT component.

•

component-list-in-order {true | false}—Specifies whether to have the component list fire in order.

For example, if signature 1001 in the m2 component fires before signature 1000 in the m1

component, the Meta signature will not fire.

all-components-required {true | false}—Specifies to use all components. This option works with

the all-not-components-required option, if you have NOT components configured as required, the

Meta signature will not fire.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-47

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Creating Custom Signatures

•

all-not-components-required {true | false}—Specifies to use all of the NOT components.

swap-attacker-victim {true | false}—Swaps the attacker and victim addresses and ports (source

and destination) in the alert message and in any actions taken.

•

meta-reset-interval—Specifies the time in seconds to reset the Meta signature. The valid range is

0 to 3600 seconds. The default is 60 seconds.

meta-key—Specifies the storage type for the Meta signature:

–

AaBb—Attacker and victim addresses and ports.

AxBx—Attacker and victim addresses.

Axxx—Attacker address.

xxBx—Victim address.

•

unique-victim-ports—Specifies the number of unique victims ports required per Meta signature.

The valid range is 1 to 256.

event-action—Specifies the action(s) to perform when an alert is triggered:

–

deny-attacker-inline (inline only)—Does not transmit this packet and future packets from the

attacker address for a specified period of time.

deny-attacker-service-pair-inline (inline only)—Does not transmit this packet and future

packets on the attacker address victim port pair for a specified period of time.

deny-attacker-victim-pair-inline (inline only)—Does not transmit this packet and future

packets on the attacker/victim address pair for a specified period of time.

deny-connection-inline (inline only)—Does not transmit this packet and future packets on the

TCP flow.

–

deny-packet-inline (inline only)—Does not transmit this packet.

log-attacker-packets—Starts IP logging of packets containing the attacker address.

log-pair-packets—Starts IP logging of packets containing the attacker-victim address pair.

log-victim-packets—Starts IP logging of packets containing the victim address.

produce-alert —Writes the event to the Event Store as an alert.

produce-verbose-alert—Includes an encoded dump (possibly truncated) of the offending

packet in the alert.

–

request-block-connection—Sends a request to the ARC to block this connection.

request-block-host—Sends a request to the ARC to block this attacker host.

request-rate-limit—Sends a rate limit request to the ARC to perform rate limiting.

request-snmp-trap—Sends a request to the Notification Application component of the sensor

to perform SNMP notification.

–

reset-tcp-connection—Sends TCP resets to hijack and terminate the TCP flow.

modify-packet-inline— Modifies packet data to remove ambiguity about what the end point

might do with the packet.

Note

Signature 64000 subsignature 0 will fire when it sees the alerts from signature 1000 subsignature 0 and

signature 1001 subsignature 0 on the same source address. The source address selection is a result of the

meta key default value of Axxx. You can change the behavior by changing the meta key setting to xxBx

(destination address) for example.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-48

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Creating Custom Signatures

Creating a Meta Engine Signature

To create a signature based on the Meta engine, follow these steps:

Step 1

Step 2

Enter signature definition submode.

sensor# configure terminal

sensor(config)# service signature-definition sig1

Step 3

Specify a signature ID and a subsignature ID for the signature. Custom signatures are in the range of

60000 to 65000.

sensor(config-sig)# signatures 64000 0

Step 4

Step 5

Step 6

Step 7

Step 8

Step 9

Specify the signature engine.

sensor(config-sig-sig)# engine meta

Insert a signature (named m1) at the beginning of the list.

sensor(config-sig-sig-met)# component-list insert m1 begin

Specify the signature ID of the signature on which to match this component.

sensor(config-sig-sig-met-com)# component-sig-id 1000

Exit component list submode.

sensor(config-sig-sig-met-com)# exit

Insert another signature (named m2) at the end of the list.

sensor(config-sig-sig-met)# component-list insert m2 end

Specify the signature ID of the signature on which to match this component.

sensor(config-sig-sig-met-com)# component-sig-id 1001

Step 10 Configure the component list not to fire in order.

sensor(config-sig-sig-met-com)# component-list-in-order false

Step 11 Specify to use all components you have created.

sensor(config-sig-sig-met-com)# all-components-required true

Step 12 Specify not to use all of the NOT components.

sensor(config-sig-sig-met-com)# all-not-components-required false

Step 13 Verify the settings.

sensor(config-sig-sig-met-com)# exit

sensor-128(config-sig-sig-met)# show settings

meta

-----------------------------------------------

event-action: produce-alert <defaulted>

swap-attacker-victim: false <defaulted>

meta-reset-interval: 60 <defaulted>

component-list (ordered min: 1, max: 32, current: 2 - 2 active, 0 inactive)

-----------------------------------------------

ACTIVE list-contents

-----------------------------------------------

NAME: m1

-----------------------------------------------

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-49

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Creating Custom Signatures

component-sig-id: 1000

component-subsig-id: 0 default: 0

component-count: 1 default: 1

is-not-component: false <defaulted>

-----------------------------------------------

NAME: m2

-----------------------------------------------

component-sig-id: 1001

component-subsig-id: 0 <defaulted>

component-count: 1 <defaulted>

is-not-component: true default: false

-----------------------------------------------

meta-key

-----------------------------------------------

Axxx

-----------------------------------------------

unique-victims: 1 <defaulted>

-----------------------------------------------

component-list-in-order: false default: false

all-components-required: true default: true

all-nots-required: false default: false

-----------------------------------------------

sensor(config-sig-sig-met)#

Step 14 Exit signature definition submode.

sensor(config-sig-sig-met)# exit

sensor(config-sig-sig)# exit

sensor(config-sig)# exit

Apply Changes:?[yes]:

Step 15 Press Enter to apply the changes or enter no to discard them.

For More Information

•

For more information on Signature Event Action Processor, see Signature Event Action Processor,

page 8-3.

•

For more information on the Meta engine, see Meta Engine, page B-33.

Example IPv6 Engine Signature

Caution

A custom signature can affect the performance of your sensor. Test the custom signature against a

baseline sensor performance for your network to determine the overall impact of the signature.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-50

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Creating Custom Signatures

The following example Atomic IP Advanced custom signature prohibits Protocol ID 88 over IPv6.

To create a signature based on the Atomic IP Advanced signature engine, follow these steps:

Step 1

Step 2

Enter signature definition submode.

sensor# configure terminal

sensor(config)# service signature-definition sig0

Step 3

Specify a signature ID and a subsignature ID for the signature. Custom signatures are in the range of

60000 to 65000.

sensor(config-sig)# signatures 60000 0

Step 4

Step 5

Step 6

Step 7

Specify the signature engine.

sensor(config-sig-sig)# engine atomic-ip-advanced

Specify the IP version.

sensor(config-sig-sig-ato)# specify-ip-version yes

Specify IPv6.

sensor(config-sig-sig-ato-yes)# version ipv6

Specify the L4 protocol.

sensor(config-sig-sig-ato-yes-ipv)# exit

sensor(config-sig-sig-ato-yes)# exit

sensor(config-sig-sig-ato)# specify-l4-protocol yes

Step 8

Step 9

Specify protocol ID 88.

sensor(config-sig-sig-ato-yes)# l4-protocol other-protocol

sensor(config-sig-sig-ato-yes-oth)# other-ip-protocol-id 88

Verify the settings.

sensor(config-sig-sig-ato-yes-oth)# show settings

other-protocol

-----------------------------------------------

other-ip-protocol-id: 88

-----------------------------------------------

sensor(config-sig-sig-ato-yes-oth)#

Step 10 Exit signature definition submode.

sensor(config-sig-sig-ato-yes-oth)# exit

sensor(config-sig-sig-ato-yes)# exit

sensor(config-sig-sig-ato)# exit

sensor(config-sig-sig)# exit

sensor(config-sig)# exit

Apply Changes?[yes]:

Step 11 Press Enter to apply the changes or enter no to discard them.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-51

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Creating Custom Signatures

For More Information

•

For more information about the Atomic IP Advanced engine and a list of the parameters, see Atomic

IP Advanced Engine, page B-15.

•

For more information on the Atomic engines, see Atomic Engine, page B-14.

Example String XL TCP Engine Match Offset Signature

Caution

A custom signature can affect the performance of your sensor. Test the custom signature against a

baseline sensor performance for your network to determine the overall impact of the signature.

Note

This procedure also applies to String XLUDP and String XL ICMP signatures, with the exception of the

parameter service-ports, which does not apply to String XL ICMP signatures.

The following example demonstrates how to create a custom String XL TCP signature that searches for

exact, maximum, or minimum offsets. You can modify the following optional match offset parameters

for this custom String XL TCP signature:

•

specify-exact-match-offset {yes |no}—Enables exact match offset:

–

exact-match-offset—Specifies the exact stream offset in bytes the regular expression string

must report for a match to be valid. The value is 0 to 65535.

specify-max-match-offset {yes |no}—Enables maximum match length:

–

max-match-offset—Specifies the maximum stream offset in bytes the regular expression string

must report for a match to be valid. The value is 0 to 65535.

specify-min-match-offset {yes |no}—Enables minimum match offset:

–

min-match-offset—Specifies the minimum stream offset in bytes the regular expression string

must report for a match to be valid. The value is 0 to 65535.

Creating a String XL TCP Engine Signature

To create a custom signature based on the String XL TCP engine that searches for matches, follow these

steps:

Step 1

Step 2

Enter signature definition submode.

sensor# configure terminal

sensor(config)# service signature-definition sig1

Step 3

Step 4

Specify a signature ID and subsignature ID for the signature. Custom signatures are in the range of 60000

to 65000.

sensor(config-sig)# signatures 60003 0

Enter signature description submode.

sensor(config-sig-sig)# sig-description

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-52

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Creating Custom Signatures

Step 5

Specify a name for the new signature. You can also specify a additional comments about the sig using

the sig-comment command or additional information about the signature using the sig-string-info

command.

sensor(config-sig-sig-sig)# sig-name This is my new name

Step 6

Step 7

Step 8

Step 9

Exit signature description submode.

sensor(config-sig-sig-sig)# exit

Specify the String XL TCP engine.

sensor(config-sig-sig)# engine string-xl-tcp

Specify the service ports.

sensor(config-sig-sig-str)# service-ports 80

Specify the direction.

sensor(config-sig-sig-str)# direction to-service

Step 10 Change the event actions if needed according to your security policy by using the event-action

command. The default event action is produce-alert.

Step 11 Make sure raw regex is turned off:

sensor(config-sig-sig-str)# specify-raw-regex-string no

Note

Raw Regex is regular expression syntax used for raw mode processing. It is expert mode only

and targeted for use by the Cisco IPS signature development team or only those who are under

supervision by the Cisco IPS signature development team. You can configure a String XL

signature in either regular Regex or raw Regex.

Step 12 Specify the regex string to search for in the TCP packet.

sensor(config-sig-sig-str-no)# regex-string tcpstring

Step 13 Exit raw regex mode to configure optional String XL TCP parameters.

sensor(config-sig-sig-str-no)# exit

sensor(config-sig-sig-str)#

Step 14 Specify an exact match offset for this signature.

sensor(config-sig-sig-str)# specify-exact-match-offset yes

sensor(config-sig-sig-str-yes)# exact-match-offset 20

Note

If you have exact match offset set to yes, you cannot configure maximum or minimum match

offset. If you have exact match offset set to no, you can configure both maximum and minimum

match offset at the same time.

Step 15 Turn off exact match offset and specify a maximum match offset for this signature.

sensor(config-sig-sig-str-yes)# exit

sensor(config-sig-sig-str)# specify-exact-match-offset no

sensor(config-sig-sig-str-no)# specify-max-match-offset yes

sensor(config-sig-sig-str-no-yes)# max-match-offset 30

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-53

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Creating Custom Signatures

Step 16 Specify a minimum match offset for this signature.

sensor(config-sig-sig-str-no-yes)# exit

sensor(config-sig-sig-str-no)# specify-min-match-offset yes

sensor(config-sig-sig-str-no-yes)# min-match-offset 20

Step 17 Verify the settings.

sensor(config-sig-sig-str-no-yes)# exit

sensor(config-sig-sig-str-no)# exit

sensor(config-sig-sig-str)# show settings

string-xl-tcp

-----------------------------------------------

event-action: produce-alert <defaulted>

strip-telnet-options: false <defaulted>

direction: to-service default: to-service

service-ports: 80

specify-max-stream-length

-----------------------------------------------

specify-raw-regex-string

-----------------------------------------------

regex-string: tcpstring

dot-all: false <defaulted>

end-optional: false <defaulted>

no-case: false <defaulted>

stingy: false <defaulted>

utf8: false <defaulted>

specify-min-match-length

-----------------------------------------------

swap-attacker-victim: false <defaulted>

specify-exact-match-offset

-----------------------------------------------

specify-max-match-offset

-----------------------------------------------

yes

-----------------------------------------------

max-match-offset: 30

-----------------------------------------------

specify-min-match-offset

-----------------------------------------------

yes

-----------------------------------------------

min-match-offset: 20

-----------------------------------------------

sensor(config-sig-sig-str)#

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-54

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Creating Custom Signatures

Step 18 Exit signature definition submode.

sensor(config-sig-sig-str)# exit

sensor(config-sig-sig)# exit

sensor(config-sig)# exit

Apply Changes:?[yes]:

Step 19 Press Enter to apply the changes or enter no to discard them.

For More Information

For detailed information about the String XL signature engine, see String XL Engines, page B-65.

Example String XL TCP Engine Minimum Match Length Signature

Caution

A custom signature can affect the performance of your sensor. Test the custom signature against a

baseline sensor performance for your network to determine the overall impact of the signature.

Note

This procedure also applies to String XL UDP and String XL ICMP signatures, with the exception of the

parameter service-ports, which does not apply to String XL ICMP signatures.

You can modify the following optional parameters to work with a specific Regex string:

•

dot-all true {true | false}—If set to true, matches [\x00-\xFF] including \n; if set to false, matches

anything in the range [\x00-\xFF] except \n. The default is false.

•

specify-min-match-length {yes | no}—Enables minimum match length:

–

min-match-length—Specifies the maximum number of bytes the regular expression string

must match for the pattern to be considered a hit. The value is 0 to 65535.

•

stingy {true | false}—If set to true, specifies to stop looking for larger matches after the first

completed match. The default is false.

Note

Stingy can only be used with min-match-length; otherwise, it is ignored.

utf8 {true | false}—If set to true, treats all legal UTF-8 byte sequences in the expression as a single

character. The default is false.

Creating a String XL TCP Engine Signature

The following example demonstrates how to create a custom String XL TCP signature that searches for

minimum match length with stingy, dot all, and UTF-8 turned on.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-55

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Creating Custom Signatures

To create a custom signature based on the String XL TCP engine that searches for minimum match length

with stingy, dot all, and UTF-8 turned on, follow these steps:

Step 1

Step 2

Enter signature definition submode.

sensor# configure terminal

sensor(config)# service signature-definition sig1

Step 3

Specify a signature ID and subsignature ID for the signature.

sensor(config-sig)# signatures 60004 0

Custom signatures are in the range of 60000 to 65000.

Step 4

Step 5

Enter signature description submode.

sensor(config-sig-sig)# sig-description

Specify a name for the new signature. You can also specify a additional comments about the sig using

the sig-comment command or additional information about the signature using the sig-string-info

command.

sensor(config-sig-sig-sig)# sig-name This is my new name

Step 6

Step 7

Step 8

Step 9

Exit signature description submode.

sensor(config-sig-sig-sig)# exit

Specify the String XL TCP engine.

sensor(config-sig-sig)# engine string-xl-tcp

Specify the service ports.

sensor(config-sig-sig-str)# service-ports 80

Specify the direction.

sensor(config-sig-sig-str)# direction to-service

Step 10 Change the event actions if needed according to your security policy by using the event-action

command. The default event action is produce-alert.

Step 11 Make sure raw regex is turned off:

sensor(config-sig-sig-str)# specify-raw-regex-string no

Note

Raw Regex is regular expression syntax used for raw mode processing. It is expert mode only

and targeted for use by the Cisco IPS signature development team or only those who are under

supervision by the Cisco IPS signature development team. You can configure a String XL

signature in either regular Regex or raw Regex.

Step 12 Specify the regex string to search for in the TCP packet with dot all turned on.

sensor(config-sig-sig-str-no)# regex-string ht+p[\r].

sensor(config-sig-sig-str-no)# dot-all true

Step 13 Specify a minimum match length for this signature that can only be used with stingy.

sensor(config-sig-sig-str-no)# specify-min-match-length yes

sensor(config-sig-sig-str-no-yes)# min-match-length 100

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-56

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Creating Custom Signatures

sensor(config-sig-sig-str-no-yes)# exit

sensor(config-sig-sig-str-no)# stingy true

Step 14 Verify the settings:

sensor(config-sig-sig-str-no)# show settings

-----------------------------------------------

regex-string: ht+p[\r\].

dot-all: true default: false

end-optional: false <defaulted>

no-case: false <defaulted>

stingy: true default: false

utf8: false <defaulted>

specify-min-match-length

-----------------------------------------------

yes

-----------------------------------------------

min-match-length: 100

-----------------------------------------------

sensor(config-sig-sig-str-no)#

Step 15 Specify a new Regex string to search for and turn on UTF-8.

sensor(config-sig-sig-str-no)# regex-string \x5c\x31\x30\x2e\x30[\x00-\xff]+\

x2e\x31\x5c\x74\x65\x6d\x70

sensor(config-sig-sig-str-no)# utf8 true

Step 16 Verify the settings:

sensor(config-sig-sig-str-no)# show settings

-----------------------------------------------

regex-string: \x5c\x31\x30\x2e\x30[\x00-\xff]+\x2e\x31\x5c\x74\x65\x6d\x70

dot-all: true default: false

end-optional: false <defaulted>

no-case: false <defaulted>

stingy: true default: false

utf8: true default: false

specify-min-match-length

-----------------------------------------------

yes

-----------------------------------------------

min-match-length: 100

-----------------------------------------------

Step 17 Exit signature definition submode.

sensor(config-sig-sig-str-no)# exit

sensor(config-sig-sig-str)# exit

sensor(config-sig-sig)# exit

sensor(config-sig)# exit

Apply Changes:?[yes]:

Step 18 Press Enter to apply the changes or enter no to discard them.

For More Information

For detailed information about the String XL signature engine, see String XL Engines, page B-65.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-57

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 7 Defining Signatures

Creating Custom Signatures

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

7-58

Download from Www.Somanuals.com. All Manuals Search And Download.

C H A P T E R

Configuring Event Action Rules

This chapter explains how to add event action rules policies and how to configure event action rules. It

contains the following sections:

•

Event Action Rules Notes and Caveats, page 8-1

Understanding Security Policies, page 8-2

Understanding Event Action Rules, page 8-2

W o rking With Event Action Rules Policies, page 8-8

Event Action V a riables, page 8-9

Configuring Target V a lue Ratings, page 8-13

Configuring Event Action Overrides, page 8-17

Configuring Event Action Filters, page 8-20

Configuring OS Identifications, page 8-26

Configuring General Settings, page 8-32

Configuring the Denied Attackers List, page 8-35

Monitoring Events, page 8-38

Event Action Rules Notes and Caveats

The following notes and caveats apply to configuring event action rules:

•

Rate limiting and blocking are not supported for IPv6 traffic. If a signature is configured with a

block or rate limit event action and is triggered by IPv6 traffic, an alert is generated but the action

is not carried out.

•

Global correlation inspection and the reputation filtering deny features do not support IPv6

addresses. For global correlation inspection, the sensor does not receive or process reputation data

for IPv6 addresses. The risk rating for IPv6 addresses is not modified for global correlation

inspection. Similarly, network participation does not include event data for attacks from IPv6

addresses. And finally, IPv6 addresses do not appear in the deny list.

•

You must preface the event variable with a dollar ($) sign to indicate that you are using a variable

rather than a string.

Connection blocks and network blocks are not supported on adaptive security appliances. Adaptive

security appliances only support host blocks with additional connection information.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

8-1

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 8 Configuring Event Action Rules

Understanding Security Policies

•

You cannot delete the event action override for deny-packet-inline because it is protected. If you do

not want to use that override, set the override-item-status to disabled for that entry.

Passive OS fingerprinting is enabled by default and the IPS contains a default vulnerable OS list for

each signature.

Understanding Security Policies

You can create multiple security policies and apply them to individual virtual sensors. A security policy

is made up of a signature definition policy, an event action rules policy, and an anomaly detection policy.

Cisco IPS contains a default signature definition policy called sig0, a default event action rules policy

called rules0, and a default anomaly detection policy called ad0. You can assign the default policies to

a virtual sensor or you can create new policies. The use of multiple security policies lets you create

security policies based on different requirements and then apply these customized policies per VLAN or

physical interface.

Understanding Event Action Rules

Event action rules are a group of settings you configure for the event action processing component of the

sensor. These rules dictate the actions the sensor performs when an event occurs. The event action

processing component is responsible for the following functions:

•

Calculating the risk rating

Adding event action overrides

Filtering event action

Executing the resulting event action

Summarizing and aggregating events

Maintaining a list of denied attackers

Note

Rate limiting and blocking are not supported for IPv6 traffic. If a signature is configured with a block or

rate limit event action and is triggered by IPv6 traffic, an alert is generated but the action is not carried

out.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

8-2

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 8 Configuring Event Action Rules

Signature Event Action Processor

The Signature Event Action Processor coordinates the data flow from the signature event in the Alarm

Channel to processing through the Signature Event Action Override, the Signature Event Action Filter,

and the Signature Event Action Handler. It consists of the following components:

•

Alarm Channel—The unit that represents the area to communicate signature events from the

SensorApp inspection path to signature event handling.

•

Signature Event Action Override—Adds actions based on the risk rating value. Signature Event

Action Override applies to all signatures that fall in the range of the configured risk rating threshold.

Each Signature Event Action Override is independent and has a separate configuration value for

each action type.

•

Signature Event Action Filter—Subtracts actions based on the signature ID, addresses, and risk

rating of the signature event. The input to the Signature Event Action Filter is the signature event

with actions possibly added by the Signature Event Action Override.

Note

The Signature Event Action Filter can only subtract actions, it cannot add new actions.

The following parameters apply to the Signature Event Action Filter:

–

Signature ID

Subsignature ID

Attacker address

Attacker port

Victim address

Victim port

Risk rating threshold range

Actions to subtract

Sequence identifier (optional)

Stop-or-continue bit

Enable action filter line bit

Victim OS relevance or OS relevance

•

Signature Event Action Handler—Performs the requested actions. The output from the Signature

Event Action Handler is the actions being performed and possibly an evIdsAlert written to the Event

Store.

Figure 8-1 on page 8-4 illustrates the logical flow of the signature event through the Signature Event

Action Processor and the operations performed on the action for this event. It starts with the signature

event with configured action received in the Alarm Channel and flows top to bottom as the signature

event passes through the functional components of the Signature Event Action Processor.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

8-3

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 8 Configuring Event Action Rules

Event Actions

Figure 8-1

Signature Event Through Signature Event Action Processor

Signature event with

configured action

Signature event

Event count

Consumed

signature event

Signature event

action override

Add action based on RR

Signature event

action filter

Subtract action based on

signature, address, port, RR, etc.

Signature event

summary filter

Subtract action based on

current summary mode

Signature event

action handler

Perform action

For More Information

For more information on risk rating, see Calculating the Risk Rating, page 8-13.

Event Actions

The IPS has the following event actions:

Alert and Log Actions

produce-alert—Writes the event to the Event Store as an alert.

•

Note

The produce-alert action is not automatic when you enable alerts for a signature. To have an

alert created in the Event Store, you must select produce-alert. If you add a second action,

you must include produce-alert if you want an alert sent to the Event Store. Also, every time

you configure the event actions, a new list is created and it replaces the old list. Make sure

you include all the event actions you need for each signature.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

8-4

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 8 Configuring Event Action Rules

Event Actions

Note

There are other event actions that force a produce-alert. These actions use produce-alert as

the vehicle for performing the action. Even if produce-alert is not selected or is filtered, the

alert is still produced. The actions are the following: produce-verbose-alert,

request-snmp-trap, log-attacker-packets, log-victim-packets, and log-pair-packets.

Note

A produce-alert event action is added for an event when global correlation has increased the

risk rating of an event, and has added either the deny-packet-inline or deny-attacker-inline

event action.

•

produce-verbose-alert—Includes an encoded dump of the offending packet in the alert. This action

causes an alert to be written to the Event Store, even if produce-alert is not selected.

log-attacker-packets—Starts IP logging on packets that contain the attacker address and sends an

alert. This action causes an alert to be written to the Event Store, even if produce-alert is not

selected.

•

log-victim-packets—Starts IP logging on packets that contain the victim address and sends an alert.

This action causes an alert to be written to the Event Store, even if produce-alert is not selected.

log-pair-packets—Starts IP logging on packets that contain the attacker/victim address pair. This

action causes an alert to be written to the Event Store, even if produce-alert is not selected.

request-snmp-trap—Sends a request to the Notification Application component of the sensor to

perform SNMP notification. This action causes an alert to be written to the Event Store, even if

produce-alert is not selected. You must have SNMP configured on the sensor to implement this

action.

Deny Actions

•

deny-packet-inline (inline only)—Terminates the packet.

Note

You cannot delete the event action override for deny-packet-inline because it is protected. If

you do not want to use that override, set the override-item-status to disabled for that entry.

•

deny-connection-inline (inline only)—Terminates the current packet and future packets on this TCP

flow.

deny-attacker-victim-pair-inline (inline only)—Does not transmit this packet and future packets on

the attacker/victim address pair for a specified period of time.

deny-attacker-service-pair-inline (inline only)—Does not transmit this packet and future packets on

the attacker address victim port pair for a specified period of time.

deny-attacker-inline (inline only)—Terminates the current packet and future packets from this

attacker address for a specified period of time.

The sensor maintains a list of attackers being denied by the system. To remove an entry from the

denied attacker list, you can view the list of attackers and clear the entire list, or you can wait for

the timer to expire. The timer is a sliding timer for each entry. Therefore, if attacker A is being

denied, but issues another attack, the timer for attacker A is reset and attacker A remains in the

denied attacker list until the timer expires. If the denied attacker list is at capacity and cannot add a

new entry, the packet is still denied.

•

modify-packet-inline (inline only)—Modifies packet data to remove ambiguity about what the end

point might do with the packet.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

8-5

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 8 Configuring Event Action Rules

Event Actions

Note

You cannot use modify-packet-inline as an action when adding event action filters or

overrides.

Other Actions

•

request-block-connection—Sends a request to ARC to block this connection. You must have

blocking devices configured to implement this action.

Note

Connection blocks and network blocks are not supported on adaptive security appliances.

Adaptive security appliances only support host blocks with additional connection

information.

Note

IPv6 does not support request-block-connection.

•

request-block-host—Sends a request to ARC to block this attacker host. You must have blocking

devices configured to implement this action.

Note

IPv6 does not support request-block-host.

request-rate-limit—Sends a rate limit request to ARC to perform rate limiting. You must have rate

limiting devices configured to implement this action.

Note

The request-rate-limit action applies to a select set of signatures.

Note

IPv6 does not support request-rate-limit.

•

reset-tcp-connection—Sends TCP resets to hijack and terminate the TCP flow. The

reset-tcp-connection action only works on TCP signatures that analyze a single connection. It does

not work for sweeps or floods.

Understanding Deny Packet Inline

For signatures that have deny-packet-inline configured as an action or for an event action override that

adds deny-packet-inline as an action, the following actions may be taken:

•

dropped-packet

denied-flow

tcp-one-way-reset-sent

The deny-packet-inline action is represented as a dropped packet action in the alert. When a

deny-packet-inline occurs for a TCP connection, it is automatically upgraded to a

deny-connection-inline action and seen as a denied flow in the alert. If the IPS denies just one packet,

the TCP continues to try to send that same packet again and again, so the IPS denies the entire connection

to ensure it never succeeds with the resends.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

8-6

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 8 Configuring Event Action Rules

Event Action Rules Configuration Sequence

When a deny-connection-inline occurs, the IPS also automatically sends a TCP one-way reset, which

shows up as a TCP one-way reset sent in the alert. When the IPS denies the connection, it leaves an open

connection on both the client (generally the attacker) and the server (generally the victim). Too many

open connections can result in resource problems on the victim. So the IPS sends a TCP reset to the

victim to close the connection on the victim side (usually the server), which conserves the resources of

the victim. It also prevents a failover that would otherwise allow the connection to fail over to a different

network path and reach the victim. The IPS leaves the attacker side open and denies all traffic from it.

TCP Reset Differences Between IPS Appliances and ASA IPS Modules

The IPS appliance sends TCP reset packets to both the attacker and victim when reset-tcp-connection is

selected. The IPS appliance sends a TCP reset packet only to the victim under the following

circumstances:

•

When a deny-packet-inline or deny-connection-inline is selected

When TCP-based signatures and reset-tcp-connection have NOT been selected

In the case of the ASA IPS modules, the TCP reset request is sent to the ASA, and then the ASA sends

the TCP reset packets. The ASA sends TCP reset packets to both the attacker and victim when the

reset-tcp-connection is selected. When deny-packet-inline or deny-connection-inline is selected, the

ASA sends the TCP reset packet to either the attacker or victim depending on the configuration of the

signature. Signatures configured to swap the attacker and victim when reporting the alert can cause the

ASA to send the TCP reset packet to the attacker.

TCP Normalizer Signature Warning

You receive the following warning if you disable a default-enabled TCP Normalizer signature or remove

a default-enabled modify packet inline, deny packet inline, or deny connection inline action:

Use caution when disabling, retiring, or changing the event action settings of a <Sig ID>

TCP Normalizer signature for a sensor operating in IPS mode. The TCP Normalizer signature

default values are essential for proper operation of the sensor.

If the sensor is seeing duplicate packets, consider assigning the traffic to multiple

virtual sensors. If you are having problems with asymmetric or out-of-order TCP packets,

consider changing the normalizer mode from strict evasion protection to asymmetric mode

protection. Contact Cisco TAC if you require further assistance.

For More Information

•

For procedure for configuring denied attackers, see Monitoring and Clearing the Denied Attackers

List, page 8-36.

For the procedure for configuring the general settings, see Configuring the General Settings,

page 8-34.

For the procedures for configuring blocking devices, see Chapter 14, “Configuring Attack Response

Controller for Blocking and Rate Limiting.”

For the procedures for configuring SNMP, see Chapter 15, “Configuring SNM P .”

Event Action Rules Configuration Sequence

Follow these steps when configuring the event action rules component of the IPS:

1. Create any variables that you want to use in event action filters.

2. Create target value ratings. Assign target value ratings to your network assets so that you can

calculate the risk rating.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

8-7

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 8 Configuring Event Action Rules

Working With Event Action Rules Policies

3. Create overrides to add actions based on the risk rating value. Assign a risk rating to each event

action type.

4. Create filters. Assign filters to subtract actions based on the ID, IP addresses, and risk rating of the

signature.

5. Create OS mappings. OS mappings are used for the attack relevance rating in the calculation of the

risk rating for an alert.

6. Configure the general settings. Specify whether you want to use the summarizer, the meta event

generator, or configure denied attacker parameters.

Working With Event Action Rules Policies

Use the service event-action-rules name command in service event action rules submode to create an

event action rules policy. The values of this event action rules policy are the same as the default event

action rules policy, rules0, until you edit them. Or you can use the copy event-action-rules

source_destination command in privileged EXEC mode to make a copy of an existing policy and then

edit the values of the new policy as needed. Use the list event-action-rules-configurations command

in privileged EXEC mode to list the event action rules policies. Use the no service event-action-rules

name command in global configuration mode to delete an event action rules policy. Use the default

service event-action-rules name command in global configuration mode to reset the event action rules

policy to factory settings.

Working With Event Action Rules Policies

To create, copy, display, edit, and delete event action rules policies, follow these steps:

Step 1

Step 2

Create an event action rules policy.

sensor# configure terminal

sensor(config)# service event-action-rules MyRules

sensor(config-eve)# exit

Apply Changes?[yes]: yes

sensor(config)# exit

sensor#

Step 3

Copy an existing event action rules policy to a new event action rules policy.

sensor# copy event-action-rules rules0 rules1

sensor#

Note

You receive an error if the policy already exists or if there is not enough space available for the

new policy.

Step 4

Accept the default event action rules policy values or edit the following parameters.

a. Add event action rules variables.

b. Configure event action rules overrides.

c. Configure event action rules filters.

d. Configure the event action rules general settings.

e. Configure the event action rules target value rating.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

8-8

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 8 Configuring Event Action Rules

Event Action Variables

f. Configure the event action rules OS identification settings.

Step 5

Display a list of event action rules policies on the sensor:

sensor# list event-action-rules-configurations

Event Action Rules

Instance

rules0

temp

MyRules

rules1

Size

255

707

255

141

Virtual Sensor

vs0

N/A

vs1

sensor#

Step 6

Delete an event action rules policy.

sensor(config)# no service event-action-rules MyRules

sensor(config)#

Note

You cannot delete the default event action rules policy, rules0.

Step 7

Confirm the event action rules instance has been deleted.

sensor# list event-action-rules-configurations

Event Action Rules

Instance

rules0

rules1

Size

112

142

Virtual Sensor

vs0

N/A

sensor#

Step 8

Reset an event action rules policy to factory settings.

sensor# configure terminal

sensor(config)# default service event-action-rules rules1

sensor(config)#

For More Information

•

For the procedure for adding event action rules variables, see Event Action V a riables, page 8-9.

For the procedure for configuring event action rules overrides, see Configuring Event Action

Overrides, page 8-17.

•

For the procedure for configuring event action rules filters, see Configuring Event Action Filters,

page 8-20.

•

For the procedure for configuring the general settings, see Configuring General Settings, page 8-32.

For the procedure for configuring event action rules target value ratings, see Configuring Target

V a lue Ratings, page 8-13.

•

For the procedure for configuring OS maps, see Configuring OS Identifications, page 8-26.

Event Action Variables

This section describes event action variables, and contains the following topics:

•

Understanding Event Action V a riables, page 8-10

Adding, Editing, and Deleting Event Action V a riables, page 8-11

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

8-9

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 8 Configuring Event Action Rules

Event Action Variables

Understanding Event Action Variables

Note

Global correlation inspection and the reputation filtering deny features do not support IPv6 addresses.

For global correlation inspection, the sensor does not receive or process reputation data for IPv6

addresses. The risk rating for IPv6 addresses is not modified for global correlation inspection. Similarly,

network participation does not include event data for attacks from IPv6 addresses. And finally, IPv6

addresses do not appear in the deny list.

Note

Rate limiting and blocking are not supported for IPv6 traffic. If a signature is configured with a block or

rate limit event action and is triggered by IPv6 traffic, an alert is generated but the action is not carried

out.

You can create event variables and then use those variables in event action filters. When you want to use

the same value within multiple filters, use a variable. When you change the value of the variable, any

filter that uses that variable is updated with the new value.

Note

You must preface the event variable with a dollar ($) sign to indicate that you are using a variable rather

than a string.

Some variables cannot be deleted because they are necessary to the signature system. If a variable is

protected, you cannot select it to edit it. You receive an error message if you try to delete protected

variables. You can edit only one variable at a time.

IPv4 Addresses

When configuring IPv4 addresses, specify the full IP address or ranges or set of ranges:

•

192.0.2.3-192.0.2.26

10.90.1.1

192.56.10.1-192.56.10.255

10.1.1.1-10.2.255.255, 192.0.2.3-192.0.2.26

IPv6 Addresses

When configuring IPv6 addresses, use the following format:

<XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX>-<XXXX:XXXX:XXXX:XXXX:XX

XX:XXXX:XXXX:XXXX>[,<XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX>-<XXX

X:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX>]

Note

IPv6 addresses are 128 bits represented in hexadecimal and divided into eight 16-bit groups

separated by colons. You can skip the leading zeros and you can represent the zeroed groups in

the middle with a double colon (::). You must start the address with the 2001:db8 prefix.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

8-10

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 8 Configuring Event Action Rules

Event Action Variables

Timesaver

If you have an IP address space that applies to your engineering group and there are no Windows systems

in that group, and you are not worried about any Windows-based attacks to that group, you could set up

a variable to be the IP address space of the engineering group. You could then use this variable to

configure a filter that would ignore all Windows-based attacks for this group.

Adding, Editing, and Deleting Event Action Variables

Note

Global correlation inspection and the reputation filtering deny features do not support IPv6 addresses.

For global correlation inspection, the sensor does not receive or process reputation data for IPv6

addresses. The risk rating for IPv6 addresses is not modified for global correlation inspection. Similarly,

network participation does not include event data for attacks from IPv6 addresses. And finally, IPv6

addresses do not appear in the deny list.

Note

Rate limiting and blocking are not supported for IPv6 traffic. If a signature is configured with a block or

rate limit event action and is triggered by IPv6 traffic, an alert is generated but the action is not carried

out.

Use the variables variable_name address ip_address command in service event action rules submode

to create an IPv4 event action variable. The IPv4 address can be one address, a range, or ranges separated

by a comma. Use the variables variable_name ipv6-address ip_address command in service event

action rules submode to create an IPv6 event action variable. Use the no variables variable_name

command in service event action rules submode to delete an event action variable.

Note

IPv6 addresses are 128 bits represented in hexadecimal and divided into eight 16-bit groups separated

by colons. You can skip the leading zeros and you can represent the zeroed groups in the middle with a

double colon (::). You must start the address with the 2001:db8 prefix.

Working With Event Action Variables

To add, delete, and edit event action variables, follow these steps:

Step 1

Step 2

Enter event action rules submode.

sensor# configure terminal

sensor(config)# service event-action-rules rules0

Step 3

Step 4

Add an IPv4 event action rules variable. The valid values for address are A.B.C.D-A.B.C.D

[,A.B.C.D-A.B.C.D].

sensor(config-eve)# variables variable-ipv4 address 192.0.2.3

Add an IPv6 event action rules variable. The valid form for ipv6-address is:

<XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX>-<XXXX:XXXX:XXXX:XXXX:XX

XX:XXXX:XXXX:XXXX>[,<XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX>-<XXX

X:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX>]

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

8-11

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 8 Configuring Event Action Rules

Event Action Variables

sensor(config-eve)# variables variable-ipv6 ipv6-address

2001:0db8:3c4d:0015:0000:0000:abcd:ef12

Step 5

Verify that you added the event action rules variable.

sensor(config-eve)# show settings

variables (min: 0, max: 256, current: 2)

-----------------------------------------------

variableName: variable-ipv6

-----------------------------------------------

ipv6-address: 2001:0db8:3c4d:0015:0000:0000:abcd:ef12 default: ::0-FFFF

:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF

-----------------------------------------------

variableName: variable-ipv4

-----------------------------------------------

address: 192.0.2.3 default: 0.0.0.0-255.255.255.255

-----------------------------------------------

Step 6

Step 7

To edit an event action rules variable, change the IPv6 address to a range.

sensor(config-eve)# variables variable-ipv6 ipv6-address

::0-FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF

Verify that you edited the event action rules variable.

sensor(config-eve)# show settings

variables (min: 0, max: 256, current: 2)

-----------------------------------------------

variableName: variable-ipv6

-----------------------------------------------

ipv6-address: ::0-FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF default: ::0

FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF

-----------------------------------------------

Step 8

Step 9

Delete an event action rules variable.

sensor(config-eve)# no variables variable-ipv6

Verify the event action rules variable you deleted.

sensor(config-eve)# show settings

variables (min: 0, max: 256, current: 1)

-----------------------------------------------

variableName: variableipv4

-----------------------------------------------

address: 192.0.2.3 default: 0.0.0.0-255.255.255.255

-----------------------------------------------

Step 10 Exit event action rules submode.

sensor(config-eve)# exit

Apply Changes:?[yes]:

Step 11 Press Enter to apply your changes or enter no to discard them.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

8-12

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 8 Configuring Event Action Rules

Configuring Target Value Ratings

This section describes what risk rating is and how to use it to configure target value ratings. This section

contains the following topics:

•

Calculating the Risk Rating, page 8-13

Understanding Threat Rating, page 8-14

Adding, Editing, and Deleting Target V a lue Ratings, page 8-15

Calculating the Risk Rating

A risk rating (RR) is a value between 0 and 100 that represents a numerical quantification of the risk

associated with a particular event on the network. The calculation takes into account the value of the

network asset being attacked (for example, a particular server), so it is configured on a per-signature

basis using the attack severity rating and the signature fidelity rating, and on a per-server basis using the

target value rating. The risk rating is calculated from several components, some of which are configured,

some collected, and some derived.

Note

The risk rating is associated with alerts not signatures.

Risk ratings let you prioritize alerts that need your attention. These risk rating factors take into

consideration the severity of the attack if it succeeds, the fidelity of the signature, the reputation score

of the attacker from the global correlation data, and the overall value of the target host to you. The risk

rating is reported in the evIdsAlert.

The following values are used to calculate the risk rating for a particular event:

•

Signature fidelity rating (SFR)—A weight associated with how well this signature might perform in

the absence of specific knowledge of the target. The signature fidelity rating is configured per

signature and indicates how accurately the signature detects the event or condition it describes.

Signature fidelity rating is calculated by the signature author on a per-signature basis. The signature

author defines a baseline confidence ranking for the accuracy of the signature in the absence of

qualifying intelligence on the target. It represents the confidence that the detected behavior would

produce the intended effect on the target platform if the packet under analysis were allowed to be

delivered. For example, a signature that is written with very specific rules (specific regular

expression) has a higher signature fidelity rating than a signature that is written with generic rules.

Note

The signature fidelity rating does not indicate how bad the detected event may be.

•

Attack severity rating (ASR)—A weight associated with the severity of a successful exploit of the

vulnerability. The attack severity rating is derived from the alert severity parameter (informational,

low, medium, or high) of the signature. The attack severity rating is configured per signature and

indicates how dangerous the event detected is.

Note

The attack severity rating does not indicate how accurately the event is detected.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

8-13

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 8 Configuring Event Action Rules

Configuring Target Value Ratings

•

Target value rating (TVR)—A weight associated with the perceived value of the target.

Target value rating is a user-configurable value (zero, low, medium, high, or mission critical) that

identifies the importance of a network asset (through its IP address). You can develop a security

policy that is more stringent for valuable corporate resources and looser for less important resources.

For example, you could assign a target value rating to the company web server that is higher than

the target value rating you assign to a desktop node. In this example, attacks against the company

web server have a higher risk rating than attacks against the desktop node. Target value rating is

configured in the event action rules policy.

•

Attack relevance rating (ARR)—A weight associated with the relevancy of the targeted operating

system. Attack relevancy rating is a derived value (relevant, unknown, or not relevant), which is

determined at alert time. The relevant operating systems are configured per signature.

Promiscuous delta (PD)—A weight associated with the promiscuous delta, which can be subtracted

from the overall risk rating in promiscuous mode. Promiscuous delta is in the range of 0 to 30 and

is configured per signature.

Note

If the trigger packet is not inline, the promiscuous delta is subtracted from the rating.

•

Watch list rating (WLR)—A weight associated with the CSA MC watch list in the range of 0 to 100

(CSA MC only uses the range 0 to 35). If the attacker for the alert is found on the watch list, the

watch list rating for that attacker is added to the rating.

Figure 8-2 illustrates the risk rating formula:

Figure 8-2

Risk Rating Formula

ASR TVR SFR

RR =

+ ARR - PD + WLR

10000

Understanding Threat Rating

Threat rating is risk rating that has been lowered by event actions that have been taken. Nonlogging event

actions have a threat rating adjustment. The largest threat rating from all the event actions taken is

subtracted from the risk rating. The event actions have the following threat ratings:

•

deny-attacker-inline—45

deny-attacker-victim-pair-inline—40

deny-attacker-service-pair-inline—40

deny-connection-inline—35

deny-packet-inline—35

modify-packet-inline—35

request-block-host—20

request-block-connection—20

reset-tcp-connection—20

request-rate-limit—20

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

8-14

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 8 Configuring Event Action Rules

Configuring Target Value Ratings

Adding, Editing, and Deleting Target Value Ratings

Note

Global correlation inspection and the reputation filtering deny features do not support IPv6 addresses.

For global correlation inspection, the sensor does not receive or process reputation data for IPv6

addresses. The risk rating for IPv6 addresses is not modified for global correlation inspection. Similarly,

network participation does not include event data for attacks from IPv6 addresses. And finally, IPv6

addresses do not appear in the deny list.

Note

Rate limiting and blocking are not supported for IPv6 traffic. If a signature is configured with a block or

rate limit event action and is triggered by IPv6 traffic, an alert is generated but the action is not carried

out.

You can assign a target value rating to your network assets. The target value rating is one of the factors

used to calculate the risk rating value for each alert. You can assign different target value ratings to

different targets. Events with a higher risk rating trigger more severe signature event actions.

For IPv4 address, use the target-value {zerovalue | low | medium | high | mission-critical}

target-address ip_address command in service event action rules submode to add target value ratings

for your network assets. The default is medium. Use the no target-value {zerovalue | low | medium |

high | mission-critical} command in service event action rules submode to delete target value ratings.

For IPv6 addresses, use the ipv6-target-value {zerovalue | low | medium | high | mission-critical}

ipv6-target-address ip_address command in service event action rules submode to add target value

ratings for your network assets. The default is medium. Use the no ipv6-target-value {zerovalue | low

| medium | high | mission-critical} command in service event action rules submode to delete target

value ratings.

The following options apply:

•

target-value—Specifies the IPv4 target value rating:

–

zerovalue—No value of this target.

low—Lower value of this target.

medium—Normal value of this target (default).

high—Elevated value of this target.

mission-critical—Extreme value of this target.

•

no target-value—Removes the IPv4 target value rating.

target-address ip_address—Specifies the range set of IP address(es) for IPv4 addresses in the

following form: <A.B.C.D>-<A.B.C.D>[,<A.B.C.D>-<A.B.C.D>]

•

ipv6-target-value—Specifies the IPv6 target value rating:

–

zerovalue—No value of this target.

low—Lower value of this target.

medium—Normal value of this target (default).

high—Elevated value of this target.

mission-critical—Extreme value of this target.

•

no ipv6-target-value—Removes the IPv6 target value rating.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

8-15

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 8 Configuring Event Action Rules

Configuring Target Value Ratings

•

ipv6-target-address ip_address—Specifies the range set of IP address(es) for IPv6 addresses in the

following form:

<XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX>-<XXXX:XXXX:XXXX:XXXX:

XXXX:XXXX:XXXX:XXXX>[,<XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX>-

<XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX>]

Adding, Editing, and Deleting Target Value Ratings

To add, edit, and delete target value ratings for your network assets, follow these steps:

Step 1

Step 2

Enter event action rules submode.

sensor# configure terminal

sensor(config)# service event-action-rules rules1

Step 3

Step 4

Assign an IPv4 target value rating to the network asset.

sensor(config-eve)# target-value mission-critical target-address 192.0.2.0

Assign an IPv6 target value rating to the network asset.

sensor(config-eve)# ipv6-target-value mission-critical ipv6-target-address

2001:0db8:3c4d:0015:0000:0000:abcd:ef12

Step 5

Verify that you added the target value rating.

sensor(config-eve)# show settings

-----------------------------------------------

target-value (min: 0, max: 5, current: 1)

-----------------------------------------------

target-value-setting: mission-critical

target-address: 192.0.2.0 default: 0.0.0.0-255.255.255.255

-----------------------------------------------

ipv6-target-value (min: 0, max: 5, current: 2)

-----------------------------------------------

ipv6-target-value-setting: mission-critical

ipv6-target-address: 2001:0db8:3c4d:0015:0000:0000:abcd:ef12 default: ::0-

FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF

-----------------------------------------------

sensor(config-eve)#

Step 6

Step 7

To edit a target value rating, change the target value rating setting of the asset.

sensor(config-eve)# target-value low target-address 192.0.2.0

Verify that you edited the target value rating.

sensor(config-eve)# show settings

-----------------------------------------------

target-value (min: 0, max: 5, current: 1)

-----------------------------------------------

target-value-setting: low

target-address: 192.0.2.0 default: 0.0.0.0-255.255.255.255

-----------------------------------------------

Step 8

Step 9

Delete the target value rating.

sensor(config-eve)# no ipv6-target-value mission-critical

Verify that you deleted the target value rating.

sensor(config-eve)# show settings

-----------------------------------------------

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

8-16

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 8 Configuring Event Action Rules

Configuring Event Action Overrides

ipv6-target-value (min: 0, max: 5, current: 0)

-----------------------------------------------

Step 10 Exit event action rules submode.

sensor(config-rul)# exit

Apply Changes:?[yes]:

Step 11 Press Enter to apply your changes or enter no to discard them.

Configuring Event Action Overrides

This section describes event action overrides, and contains the following topics:

•

Understanding Event Action Overrides, page 8-17

Adding, Editing, Enabling, and Disabling Event Action Overrides, page 8-17

Understanding Event Action Overrides

You can add an event action override to change the actions associated with an event based on the risk

rating of that event. Event action overrides are a way to add event actions globally without having to

configure each signature individually. Each event action has an associated risk rating range. If a

signature event occurs and the risk rating for that event falls within the range for an event action, that

action is added to the event. For example, if you want any event with a risk rating of 85 or more to

generate an SNMP trap, you can set the risk rating range for request-snmp-trap to 85-100. If you do not

want to use action overrides, you can disable the entire event action override component.

Note

Connection blocks and network blocks are not supported on adaptive security appliances. Adaptive

security appliances only support host blocks with additional connection information.

Adding, Editing, Enabling, and Disabling Event Action Overrides

Use the overrides {request-block-connection | request-block-host | deny-attacker-inline |

deny-packet-inline | deny-attacker-service-pair-inline | deny-attacker-victim-pair-inline |

deny-connection-inline | log-attacker-packets | log-victim-packets | log-pair-packets |

reset-tcp-connection | produce-alert | produce-verbose-alert | request-rate-limit |

request-snmp-trap} command in service event action rules submode to configure the parameters of

event action overrides. Use the no overrides command in service event action rules submode to delete

the parameters of event action overrides.

Configure the override event actions, then the risk rating range, then enable or disable the override.

Note

You cannot delete the event action override for deny-packet-inline because it is protected. If you do not

want to use that override, set the override-item-status to disabled for that entry.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

8-17

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 8 Configuring Event Action Rules

Configuring Event Action Overrides

The following options apply:

•

no overrides—Removes an entry or selection setting.

override-item-status {enabled | disabled}—Enables or disables the use of this override item. The

default is enabled.

•

risk-rating-range—Specifies the range of risk rating values for this override item. The default is 0

to 100.

show—Displays system settings and/or history information.

Configuring Event Action Overrides

To add event action overrides, follow these steps:

Step 1

Step 2

Enter event action rules submode.

sensor# configure terminal

sensor(config)# service event-action-rules rules0

sensor(config-eve)#

Step 3

Assign the action for the override:

•

Deny packets from the source IP address of the attacker.

sensor(config-eve)# overrides deny-attacker-inline

sensor(config-eve-ove)#

Do not transmit the single packet causing the alert.

sensor(config-eve)# overrides deny-packet-inline

sensor(config-eve-ove)#

Do not transmit packets on the specified TCP connection.

sensor(config-eve)# overrides deny-connection-inline

sensor(config-eve-ove)#

Send TCP RST packets to terminate the connection.

sensor(config-eve)# overrides reset-tcp-connection

sensor(config-eve-ove)#

Request a block of the connection.

sensor(config-eve)# overrides request-block-connection

sensor(config-eve-ove)#

Request a block of the attacker host.

sensor(config-eve)# overrides request-block-host

sensor(config-eve-ove)#

Log the packets from the attacker IP address.

sensor(config-eve)# overrides log-attacker-packets

sensor(config-eve-ove)#

Log the packets from the victim IP address.

sensor(config-eve)# overrides log-victim-packets

sensor(config-eve-ove)#

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

8-18

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 8 Configuring Event Action Rules

Configuring Event Action Overrides

•

Log packets from both the attacker and victim IP addresses.

sensor(config-eve)# overrides log-pair-packets

sensor(config-eve-ove)#

Write an alert to Event Store.

sensor(config-eve)# overrides produce-alert

sensor(config-eve-ove)#

Write verbose alerts to Event Store.

sensor(config-eve)# overrides produce-verbose-alert

sensor(config-eve-ove)#

Write events that request an SNMP trap to the Event Store.

sensor(config-eve)# overrides request-snmp-trap

sensor(config-eve-ove)#

Step 4

Configure the risk rating for this override item. The default risk rating range is 0 to 100. Set it to a

different value, such as 85 to 100.

sensor(config-eve-ove)# risk-rating-range 85-100

Step 5

Step 6

Enable or disable the use of this override item. The default is enabled.

sensor(config-eve-ove)# override-item-status {enabled | disabled}

Verify the settings.

sensor(config-eve-ove)# exit

sensor(config-eve)# show settings

action-to-add: deny-attacker-inline

-----------------------------------------------

override-item-status: Enabled default: Enabled

risk-rating-range: 85-100 default: 0-100

-----------------------------------------------

Step 7

Step 8

Edit the risk rating of an event action override.

sensor(config-eve)# overrides deny-attacker-inline

sensor(config-eve-ove)# risk-rating 95-100

Verify that you edited the event action override.

sensor(config-eve-ove)# exit

sensor(config-eve)# show settings

-----------------------------------------------

overrides (min: 0, max: 14, current: 1)

-----------------------------------------------

override-item-status: Enabled <defaulted>

risk-rating-range: 95-100 default: 0-100

-----------------------------------------------

Step 9

Delete the event action override.

sensor(config-eve)# no overrides deny-attacker-inline

sensor(config-eve-ove)#

Step 10 Verify that you deleted the event action override.

sensor(config-eve-ove)# exit

sensor(config-eve)# show settings

overrides (min: 0, max: 14, current: 1)

-----------------------------------------------

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

8-19

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 8 Configuring Event Action Rules

Configuring Event Action Filters

action-to-add: deny-attacker-inline

-----------------------------------------------

override-item-status: Enabled <defaulted>

risk-rating-range: 95 default: 0-100

-----------------------------------------------

override-item-status: Enabled <defaulted>

risk-rating-range: 90-100 <defaulted>

-----------------------------------------------

Step 11 Exit event action rules submode.

sensor(config-eve)# exit

Apply Changes:?[yes]:

Step 12 Press Enter to apply your changes or enter no to discard them.

For More Information

For a detailed description of all the event actions, see Event Actions, page 8-4.

Configuring Event Action Filters

This section describes event action filters, and contains the following topics:

•

Understanding Event Action Filters, page 8-20

Configuring Event Action Filters, page 8-21

Understanding Event Action Filters

Note

Global correlation inspection and the reputation filtering deny features do not support IPv6 addresses.

For global correlation inspection, the sensor does not receive or process reputation data for IPv6

addresses. The risk rating for IPv6 addresses is not modified for global correlation inspection. Similarly,

network participation does not include event data for attacks from IPv6 addresses. And finally, IPv6

addresses do not appear in the deny list.

Rate limiting and blocking are not supported for IPv6 traffic. If a signature is configured with a block or

rate limit event action and is triggered by IPv6 traffic, an alert is generated but the action is not carried

out.

Event action filters are processed as an ordered list and you can move filters up or down in the list. Filters

let the sensor perform certain actions in response to the event without requiring the sensor to perform all

actions or remove the entire event. Filters work by removing actions from an event. A filter that removes

all actions from an event effectively consumes the event.

Note

When filtering sweep signatures, we recommend that you do not filter the destination addresses. If there

are multiple destination addresses, only the last address is used for matching the filter.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

8-20

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 8 Configuring Event Action Rules

Configuring Event Action Filters

Caution

Event action filters based on source and destination IP addresses do not function for the Sweep engine,

because they do not filter as regular signatures. To filter source and destination IP addresses in sweep

alerts, use the source and destination IP address filter parameters in the Sweep engine signatures.

Configuring Event Action Filters

Note

Global correlation inspection and the reputation filtering deny features do not support IPv6 addresses.

For global correlation inspection, the sensor does not receive or process reputation data for IPv6

addresses. The risk rating for IPv6 addresses is not modified for global correlation inspection. Similarly,

network participation does not include event data for attacks from IPv6 addresses. And finally, IPv6

addresses do not appear in the deny list.

Note

Rate limiting and blocking are not supported for IPv6 traffic. If a signature is configured with a block or

rate limit event action and is triggered by IPv6 traffic, an alert is generated but the action is not carried

out.

You can configure event action filters to remove specific actions from an event or to discard an entire

event and prevent further processing by the sensor. You can use event action variables that you defined

to group addresses for your filters.

Note

You must preface the event variable with a dollar sign ($) to indicate that you are using a variable rather

than a string. Otherwise, you receive the Bad source and destinationerror.

Use the filters {edit | insert | move] name1 [begin | end | inactive | before | after} command in service

event action rules submode to set up event action filters.

The following options apply:

•

actions-to-remove—Specifies the event actions to remove for this filter item.

attacker-address-range—Specifies the range set of IPv4 attacker address(es) for this item (for

example, 192.0.2.0-192.0.2.254,192.3.2.0-192.3.2.254).

Note

The second IP address in the range must be greater then or equal to the first IP address. If

you do not specify an attacker address range, all IPv4 attacker addresses are matched.

•

attacker-port-range—Specifies the range set of attacker port(s) for this item (for example,

147-147,8000-10000).

•

default—Sets the value back to the system default setting.

deny-attacker-percentage—Specifies the percentage of packets to deny for deny attacker features.

The valid range is 0 to 100. The default is 100.

•

filter-item-status {enabled | disabled}—Enables or disables the use of this filter item.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

8-21

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 8 Configuring Event Action Rules

Configuring Event Action Filters

•

ipv6-attacker-address-range—Specifies the range set of IPv6 attacker address(es) for this item

(for example,

<XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX>-<XXXX:XXXX:XXXX:XXXX:

XXXX:XXXX:XXXX:XXXX>[,<XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX>-

<XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX>].

Note

The second IPv6 address in the range must be greater than or equal to the first IPv6 address.

If you do not specify an IPv6 attacker address range, all IPv6 attacker addresses are matched.

•

ipv6-victim-address-range—Specifies the range set of victim address(es) for this item (for

example,

<XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX>-<XXXX:XXXX:XXXX:XXXX:

XXXX:XXXX:XXXX:XXXX>[,<XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX>-

<XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX>].

Note

The second IPv6 address in the range must be greater than or equal to the first IPv6 address.

If you do not specify an IPv6 victim address range, all IPv6 victim addresses are matched.

•

no—Removes an entry or selection setting.

os-relevance—Specifies the event OS relevance for this filter:

–

relevant—Specifies that the event is relevant to the target OS.

not-relevant—Specifies that the event is not relevant to the target OS.

unknown—It is unknown whether the event is relevant to the target OS.

•

risk-rating-range—Specifies the range of risk rating values for this filter item.

signature-id-range—Specifies the range set of signature ID(s) for this item (for example,

1000-2000,3000-3000).

•

stop-on-match {true | false}—Specifies to continue evaluating filters or stop when this filter item

is matched.

subsignature-id-range—Specifies the range set of subsignature ID(s) for this item (for example,

0-2,5-5).

•

user-comment —Lets you add your comments about this filter item.

victim-address-range—Specifies the range set of victim address(es) for this item (for example,

10.20.1.0-10.20.1.255,10.20.5.0-10.20.5.255).

Note

The second IP address in the range must be greater then or equal to the first IP address. If

you do not specify a victim address range, all IPv4 attacker addresses are matched.

•

victim-port-range—Specifies the range set of victim port(s) for this item (for example,

147-147,8000-10000).

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

8-22

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 8 Configuring Event Action Rules

Configuring Event Action Filters

To configure event action filters, follow these steps:

Step 1

Step 2

Enter event action rules submode.

sensor# configure terminal

sensor(config)# service event-action-rules rules1

sensor(config-eve)#

Step 3

Step 4

Create the filter name. Use name1, name2, and so forth to name your event action filters. Use the begin

| end | inactive | before | after keywords to specify where you want to insert the filter.

sensor(config-eve)# filters insert name1 begin

Specify the values for this filter:

a. Specify the signature ID range. The default is 900 to 65535.

sensor(config-eve-fil)# signature-id-range 1000-1005

b. Specify the subsignature ID range. The default is 0 to 255.

sensor(config-eve-fil)# subsignature-id-range 1-5

c. Specify the attacker address range for IPv4 or IPv6.

sensor(config-eve-fil)# attacker-address-range 192.0.2.3-192.0.2.26

sensor(config-eve-fil)# ipv6-attacker-address-range

2001:0db8:3c4d:0015:0000:0000:abcd:ef12

d. Specify the victim address range for IPv4 or IPv6.

sensor(config-eve-fil)# victim-address-range 192.56.10.1-192.56.10.255

sensor(config-eve-fil)# ipv6-victim-address-range ::0-FFFF:FFFF:FFFF:FFFF:FFFF:

FFFF:FFFF:FFFF

e. Specify the victim port range. The default is 0 to 65535.

sensor(config-eve-fil)# victim-port-range 0-434

f. Specify the OS relevance. The default is 0 to 100.

sensor(config-eve-fil)# os-relevance relevant

g. Specify the risk rating range.The default is 0 to 100.

sensor(config-eve-fil)# risk-rating-range 85-100

h. Specify the actions to remove.

sensor(config-eve-fil)# actions-to-remove reset-tcp-connection

i. If you are filtering a deny action, set the percentage of deny actions you want. The default is 100.

sensor(config-eve-fil)# deny-attacker-percentage 90

j. Specify the status of the filter to either disabled or enabled. The default is enabled.

sensor(config-eve-fil)# filter-item-status {enabled | disabled}

k. Specify the stop on match parameter. True tells the sensor to stop processing filters if this item

matches. False tells the sensor to continue processing filters even if this item matches.

sensor(config-eve-fil)# stop-on-match {true | false}

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

8-23

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 8 Configuring Event Action Rules

Configuring Event Action Filters

l. Add any comments you want to use to explain this filter.

sensor(config-eve-fil)# user-comment NEW FILTER

Step 5

Verify the settings for the filter.

sensor(config-eve-fil)# show settings

NAME: name1

-----------------------------------------------

signature-id-range: 1000-10005 default: 900-65535

subsignature-id-range: 1-5 default: 0-255

attacker-address-range: 192.0.2.3-192.0.2.26 default: 0.0.0.0-255.255.255.255

victim-address-range: 192.56.10.1-192.56.10.255 default: 0.0.0.0-255.255.255.255

ipv6-attacker-address-range: 2001:0db8:3c4d:0015:0000:0000:abcd:ef12 default:

::0-FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF

ipv6-victim-address-range: ::0-FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF default:

::0-FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF

attacker-port-range: 0-65535 <defaulted>

victim-port-range: 1-343 default: 0-65535

risk-rating-range: 85-100 default: 0-100

actions-to-remove: reset-tcp-connection default:

deny-attacker-percentage: 90 default: 100

filter-item-status: Enabled default: Enabled

stop-on-match: True default: False

user-comment: NEW FILTER default:

os-relevance: relevant default: relevant|not-relevant|unknown

------------------------------------------------

senor(config-eve-fil)#

Step 6

Edit an existing filter.

sensor(config-eve)# filters edit name1

Step 7

Step 8

Edit the parameters (see Steps 4a through 4l).

Move a filter up or down in the filter list.

sensor(config-eve-fil)# exit

sensor(config-eve)# filters move name5 before name1

Step 9

Verify that you have moved the filters.

sensor(config-eve-fil)# exit

sensor(config-eve)# show settings

-----------------------------------------------

filters (min: 0, max: 4096, current: 5 - 4 active, 1 inactive)

-----------------------------------------------

ACTIVE list-contents

-----------------------------------------------

NAME: name5

-----------------------------------------------

signature-id-range: 900-65535 <defaulted>

subsignature-id-range: 0-255 <defaulted>

attacker-address-range: 0.0.0.0-255.255.255.255 <defaulted>

victim-address-range: 0.0.0.0-255.255.255.255 <defaulted>

attacker-port-range: 0-65535 <defaulted>

victim-port-range: 0-65535 <defaulted>

risk-rating-range: 0-100 <defaulted>

actions-to-remove: <defaulted>

filter-item-status: Enabled <defaulted>

stop-on-match: False <defaulted>

user-comment: <defaulted>

-----------------------------------------------

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

8-24

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 8 Configuring Event Action Rules

Configuring Event Action Filters

NAME: name1

-----------------------------------------------

signature-id-range: 900-65535 <defaulted>

subsignature-id-range: 0-255 <defaulted>

attacker-address-range: 0.0.0.0-255.255.255.255 <defaulted>

victim-address-range: 0.0.0.0-255.255.255.255 <defaulted>

attacker-port-range: 0-65535 <defaulted>

victim-port-range: 0-65535 <defaulted>

risk-rating-range: 0-100 <defaulted>

actions-to-remove: <defaulted>

filter-item-status: Enabled <defaulted>

stop-on-match: False <defaulted>

user-comment: <defaulted>

-----------------------------------------------

NAME: name2

-----------------------------------------------

signature-id-range: 900-65535 <defaulted>

subsignature-id-range: 0-255 <defaulted>

attacker-address-range: 0.0.0.0-255.255.255.255 <defaulted>

victim-address-range: 0.0.0.0-255.255.255.255 <defaulted>

attacker-port-range: 0-65535 <defaulted>

victim-port-range: 0-65535 <defaulted>

risk-rating-range: 0-100 <defaulted>

actions-to-remove: <defaulted>

filter-item-status: Enabled <defaulted>

stop-on-match: False <defaulted>

user-comment: <defaulted>

-----------------------------------------------

INACTIVE list-contents

-----------------------------------------------

sensor(config-eve)#

Step 10 Move a filter to the inactive list.

sensor(config-eve)# filters move name1 inactive

Step 11 Verify that the filter has been moved to the inactive list.

sensor(config-eve-fil)# exit

sensor(config-eve)# show settings

-----------------------------------------------

INACTIVE list-contents

-----------------------------------------------

NAME: name1

-----------------------------------------------

signature-id-range: 900-65535 <defaulted>

subsignature-id-range: 0-255 <defaulted>

attacker-address-range: 0.0.0.0-255.255.255.255 <defaulted>

victim-address-range: 0.0.0.0-255.255.255.255 <defaulted>

attacker-port-range: 0-65535 <defaulted>

victim-port-range: 0-65535 <defaulted>

risk-rating-range: 0-100 <defaulted>

actions-to-remove: <defaulted>

filter-item-status: Enabled <defaulted>

stop-on-match: False <defaulted>

user-comment: <defaulted>

-----------------------------------------------

sensor(config-eve)#

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

8-25

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 8 Configuring Event Action Rules

Configuring OS Identifications

Step 12 Exit event action rules submode.

sensor(config-eve)# exit

Apply Changes:?[yes]:

Step 13 Press Enter to apply your changes or enter no to discard them.

For More Information

For the procedure for configuring event action variables, see Adding, Editing, and Deleting Event Action

V a riables, page 8-11.

Configuring OS Identifications

This section describes OS identifications and how to configure OS maps, and contains the following

topics:

•

Understanding Passive OS Fingerprinting, page 8-26

Passive OS Fingerprinting Configuration Considerations, page 8-27

Adding, Editing, Deleting, and Moving Configured OS Maps, page 8-28

Displaying and Clearing OS Identifications, page 8-31

Understanding Passive OS Fingerprinting

Passive OS fingerprinting lets the sensor determine the OS that hosts are running. The sensor analyzes

network traffic between hosts and stores the OS of these hosts with their IP addresses. The sensor

inspects TCP SYN and SYNACK packets exchanged on the network to determine the OS type.

The sensor then uses the OS of the target host OS to determine the relevance of the attack to the victim

by computing the attack relevance rating component of the risk rating. Based on the relevance of the

attack, the sensor may alter the risk rating of the alert for the attack and/or the sensor may filter the alert

for the attack. You can then use the risk rating to reduce the number of false positive alerts (a benefit in

IDS mode) or definitively drop suspicious packets (a benefit in IPS mode). Passive OS fingerprinting

also enhances the alert output by reporting the victim OS, the source of the OS identification, and the

relevance to the victim OS in the alert.

Passive OS fingerprinting consists of three components:

•

Passive OS learning—Passive OS learning occurs as the sensor observes traffic on the network.

Based on the characteristics of TCP SYN and SYNACK packets, the sensor makes a determination

of the OS running on the host of the source IP address.

•

User-configurable OS identification—You can configure OS host maps, which take precedence over

learned OS maps.

Computation of attack relevance rating and risk rating—The sensor uses OS information to

determine the relevance of the attack signature to the targeted host. The attack relevance is the attack

relevance rating component of the risk rating value for the attack alert. The sensor uses the OS type

reported in the host posture information imported from the CSA MC to compute the attack relevance

rating.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

8-26

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 8 Configuring Event Action Rules

Configuring OS Identifications

There are three sources of OS information. The sensor ranks the sources of OS information in the

following order:

1. Configured OS maps—OS maps you enter. Configured OS maps reside in the event action rules

policy and can apply to one or many virtual sensors.

Note

You can specify multiple operating systems for the same IP address. The last one in the list

is the operating system that is matched.

2. Imported OS maps—OS maps imported from an external data source. Imported OS maps are global

and apply to all virtual sensors.

Note

Currently the CSA MC is the only external data source.

3. Learned OS maps—OS maps observed by the sensor through the fingerprinting of TCP packets with

the SYN control bit set. Learned OS maps are local to the virtual sensor that sees the traffic.

When the sensor needs to determine the OS for a target IP address, it consults the configured OS maps.

If the target IP address is not in the configured OS maps, the sensor looks in the imported OS maps. If

the target IP address is not in the imported OS maps, the sensor looks in the learned OS maps. If it cannot

find it there, the sensor treats the OS of the target IP address as unknown.

Note

Passive OS fingerprinting is enabled by default and the IPS contains a default vulnerable OS list for each

signature.

Passive OS Fingerprinting Configuration Considerations

You do not have to configure passive OS fingerprinting for it to function. IPS provides a default

vulnerable OS list for each signature and passive analysis is enabled by default.

You can configure the following aspects of passive OS fingerprinting:

•

Define OS maps—We recommend configuring OS maps to define the identity of the OS running on

critical systems. It is best to configure OS maps when the OS and IP address of the critical systems

are unlikely to change.

•

Limit the attack relevance rating calculation to a specific IP address range—This limits the attack

relevance rating calculations to IP addresses on the protected network.

Import OS maps—Importing OS maps provides a mechanism for accelerating the learning rate and

fidelity of the OS identifications made through passive analysis. If you have an external product

interface, such as the CSA MC, you can import OS identifications from it.

•

Define event action rules filters using the OS relevance value of the target—This provides a way to

filter alerts solely on OS relevance.

•

Disable passive analysis—Stops the sensor from learning new OS maps.

Edit signature vulnerable OS lists—The vulnerable OS list specifies what OS types are vulnerable

to each signature. The default, general-os, applies to all signatures that do not specify a vulnerable

OS list.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

8-27

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 8 Configuring Event Action Rules

Configuring OS Identifications

Adding, Editing, Deleting, and Moving Configured OS Maps

Use the os-identifications command in the service event action rules submode to configure OS host

mappings, which take precedence over learned OS mappings. You can add, edit, and delete configured

OS maps. You can move them up and down in the list to change the order in which the sensor computes

the attack relevance rating and risk rating for that particular IP address and OS type combination.

You can also move them up and down in the list to change the order in which the sensor resolves the OS

associated with a particular IP address. Configured OS mappings allow for ranges, so for network

192.168.1.0/24 an administrator might define the following(Table 8-1):

Table 8-1

Example Configured OS Mapping

IP Address Range Set

192.168.1.1

IOS

192.168.1.2-192.168.1.10,192.168.1.25

192.168.1.1-192.168.1.255

UNIX

Windows

More specific mappings should be at the beginning of the list. Overlap in the IP address range sets is

allowed, but the entry closest to the beginning of the list takes precedence.

The following options apply:

•

calc-arr-for-ip-range—Calculates the attack relevance rating for victims in this range. The value is

<A.B.C.D>-<A.B.C.D>[,<A.B.C.D>-<A.B.C.D>], for example,

10.20.1.0-10.20.1.255,10.20.5.0-10.20.5.255).

Note

The second IP address in the range must be greater than or equal to the first IP address.

•

configured-os-map {edit | insert | move] name1[begin | end | inactive | before | after}—Specifies

a collection of administrator-defined mappings of IP addresses to OS IDs (configured OS mappings

take precedence over imported and learned OS mappings).

ip—Specifies the host IP address (or addresses) running the specified OS. The value is

<A.B.C.D>-<A.B.C.D>[,<A.B.C.D>-<A.B.C.D>], for example,

10.20.1.0-10.20.1.255,10.20.5.0-10.20.5.255.

Note

The second IP address in the range must be greater than or equal to the first IP address.

•

os—Specifies the OS type the host (or hosts) is running:

–

general-os—All OS types

ios—Variants of Cisco IOS

mac-os—Variants of the Apple System OS prior to OS X

netware—Netware

other —Any Other OS

unix—Variants of UNIX

aix—Variants of AIX

bsd—Variants of BSD

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

8-28

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 8 Configuring Event Action Rules

Configuring OS Identifications

–

hp-ux—Variants of HP-UX

irix—Variants of IRIX

linux—Variants of Linux

solaris—Variants of Solaris

windows—Variants of Microsoft Windows

windows-nt-2k-xp—Variants of NT, 2000, and XP

win-nt—Specific variants of Windows NT

unknown—Unknown OS

•

default—Sets the value back to the system default setting.

no—Removes an entry or selection setting.

passive-traffic-analysis {enabled | disabled}—Enables/disables passive OS fingerprinting

analysis.

Configuring OS Maps

To configure OS maps, follow these steps:

Step 1

Step 2

Enter event action rules submode.

sensor# configure terminal

sensor(config)# service event-action-rules rules1

sensor(config-eve)#

Step 3

Step 4

Create the OS map. Use name1, name2, and so forth to name your OS maps. Use the begin | end |

inactive | before | after keywords to specify where you want to insert the filter.

sensor(config-eve)# os-identification

sensor(config-eve-os)# configured-os-map insert name1 begin

sensor(config-eve-os-con)#

Specify the values for this OS map:

a. Specify the host IP address.

sensor(config-eve-os-con)# ip 192.0.2.0-192.0.2.255

b. Specify the host OS type.

sensor(config-eve-os-con)# os unix

Caution

Step 5

You can specify multiple operating systems for the same IP address. The last one in the list is the

operating system that is matched.

Verify the settings for the OS map.

sensor(config-eve-os-con)# show settings

NAME: name1

-----------------------------------------------

ip: 192.0.2.0-192.0.2.255 default:

os: unix

-----------------------------------------------

sensor(config-eve-os-con)#

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

8-29

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 8 Configuring Event Action Rules

Configuring OS Identifications

Step 6

Specify the attack relevance rating range for the IP address.

sensor(config-eve-os-con)# exit

sensor(config-eve-os)# calc-arr-for-ip-range 192.0.2.1 to 192.0.2.25

Step 7

Step 8

Enable passive OS fingerprinting.

sensor(config-eve-os)# passive-traffic-analysis enabled

Edit an existing OS map.

sensor(config-eve-os)# configured-os-map edit name1

sensor(config-eve-os-con)#

Step 9

Edit the parameters (see Steps 4 through 7).

Step 10 Move an OS map up or down in the OS maps list.

sensor(config-eve-os-con)# exit

sensor(config-eve-os)# configured-os-map move name5 before name1

Step 11 Verify that you have moved the OS maps.

sensor(config-eve-os)# show settings

os-identification

-----------------------------------------------

calc-arr-for-ip-range: 192.0.2.1-192.0.2.25 default: 0.0.0.0-255.255.255.255

configured-os-map (ordered min: 0, max: 50, current: 2 - 2 active, 0 inactive)

-----------------------------------------------

ACTIVE list-contents

-----------------------------------------------

NAME: name2

-----------------------------------------------

ip: 192.0.2.33 default:

os: aix

-----------------------------------------------

NAME: name1

-----------------------------------------------

ip: 192.0.2.0-192.0.2.255 default:

os: unix

-----------------------------------------------

passive-traffic-analysis: Enabled default: Enabled

-----------------------------------------------

ips-ssp(config-eve-os)#

Step 12 Move an OS map to the inactive list.

sensor(config-eve-os)# configured-os-map move name1 inactive

Step 13 Verify that the filter has been moved to the inactive list.

sensor(config-eve-os)# show settings

os-identification

-----------------------------------------------

calc-arr-for-ip-range: 192.0.2.33 default: 0.0.0.0-255.255.255.255

configured-os-map (ordered min: 0, max: 50, current: 2 - 1 active, 1 inactive)

-----------------------------------------------

ACTIVE list-contents

-----------------------------------------------

NAME: name2

-----------------------------------------------

ip: 192.0.2.33 default:

os: aix

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

8-30

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 8 Configuring Event Action Rules

Configuring OS Identifications

-----------------------------------------------

INACTIVE list-contents

-----------------------------------------------

NAME: name1

-----------------------------------------------

ip: 192.0.2.0-192.0.2.255 default:

os: unix

-----------------------------------------------

passive-traffic-analysis: Enabled default: Enabled

--MORE--#

Step 14 Delete an OS map.

sensor(config-eve-os)# no configured-os-map name2

Step 15 Verify that the OS map has been deleted.

sensor(config-eve-os)# show settings

os-identification

-----------------------------------------------

calc-arr-for-ip-range: 192.0.2.33 default: 0.0.0.0-255.255.255.255

configured-os-map (ordered min: 0, max: 50, current: 1 - 0 active, 1 inactive)

-----------------------------------------------

INACTIVE list-contents

-----------------------------------------------

NAME: name1

-----------------------------------------------

ip: 192.0.2.0-192.0.2.255 default:

os: unix

-----------------------------------------------

passive-traffic-analysis: Enabled default: Enabled

-----------------------------------------------

ips-ssp(config-eve-os)#

Step 16 Exit event action rules submode.

sensor(config-eve-os)# exit

sensor(config-eve)# exit

Apply Changes:?[yes]:

Step 17 Press Enter to apply your changes or enter no to discard them.

Displaying and Clearing OS Identifications

Use the show os-identification [virtual-sensor] learned [ip-address] command in EXEC mode to

display OS IDs associated with IP addresses that were learned by the sensor through passive analysis.

Use the clear os-identification [virtual-sensor] learned [ip-address] command in EXEC mode to delete

OS IDs associated with IP addresses that were learned by the sensor through passive analysis.

When you specify an IP address, only the OS identification for the specified IP address is displayed or

cleared. If you specify a virtual sensor, only the OS identifications for the specified sensor is displayed

or cleared. If you specify an IP address without a virtual sensor, the IP address is displayed or cleared

on all virtual sensors.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

8-31

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 8 Configuring Event Action Rules

Configuring General Settings

The following options apply:

•

virtual-sensor—(Optional) Specifies the learned addresses of the virtual sensor that should be

displayed or cleared.

•

ip-address—(Optional) Specifies the IP address to query or clear. The sensor displays or clears the

OS ID mapped to the specified IP address.

Displaying and Clearing OS Identifications

To display and clear OS IDs, follow these steps:

Step 1

Step 2

Note

An account with viewer privileges can display OS IDs.

Display the learned OS IDs associated with a specific IP address.

sensor# show os-identification learned 192.0.2.0

Virtual Sensor vs0:

10.1.1.12 windows

sensor# show os-identification learned

Virtual Sensor vs0:

10.1.1.12 windows

Virtual Sensor vs1:

10.1.0.1

10.1.0.2

10.1.0.3

unix

windows

sensor#

Step 3

Step 4

Clear the learned OS IDs for a specific IP address on all virtual sensors.

sensor# clear os-identification learned 192.0.2.0

Verify that the OS IDs have been cleared.

sensor# show statistics os-identification

Statistics for Virtual Sensor vs0

OS Identification

Configured

Imported

Learned

Statistics for Virtual Sensor vs1

OS Identification

Configured

Imported

Learned

sensor#

Configuring General Settings

This section describes the general settings, and contains the following topics:

•

Understanding Event Action Summarization, page 8-33

Understanding Event Action Aggregation, page 8-33

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

8-32

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 8 Configuring Event Action Rules

Configuring General Settings

•

Configuring the General Settings, page 8-34

Understanding Event Action Summarization

Summarization decreases the volume of alerts sent out from the sensor by providing basic aggregation

of events into a single alert. Special parameters are specified for each signature and they influence the

handling of the alerts. Each signature is created with defaults that reflect a preferred normal behavior.

However, you can tune each signature to change this default behavior within the constraints for each

engine type.

The nonalert-generating actions (deny, block, TCP reset) go through the filters for each signature event

unsummarized. The alert-generating actions are not performed on these summarized alerts; instead the

actions are applied to the one summary alert and then put through the filters.

If you select one of the other alert-generating actions and do not have it filtered out, the alert is created

even if you do not select produce-alert. To prevent alerts from being created, you must have all

alert-generating actions filtered out.

Summarization and event actions are processed after the Meta engine has processed the component

events. This lets the sensor watch for suspicious activity transpiring over a series of events.

Understanding Event Action Aggregation

Basic aggregation provides two operating modes. The simple mode involves configuring a threshold

number of hits for a signature that must be met before the alert is sent. A more advanced mode is

timed-interval counting. In this mode, the sensor tracks the number of hits per second and only sends

alerts when that threshold is met. In this example, a hit is a term used to describe an event, which is

basically an alert, but it is not sent out of the sensor as an alert until the threshold number of hits has

been exceeded.

You can choose from the following summarization options:

•

fire-all—Fires an alert each time the signature is triggered. If the threshold is set for summarization,

alerts are fired for each execution until summarization occurs. After summarization starts, only one

alert every summary interval fires for each address set. Alerts for other address sets are either all

seen or separately summarized. The signature reverts to fire all mode after a period of no alerts for

that signature.

•

summary—Fires an alert the first time a signature is triggered, and then additional alerts for that

signature are summarized for the duration of the summary interval. Only one alert every summary

interval should fire for each address set. If the global summary threshold is reached, the signature

goes into global summarization mode.

•

global-summarization—Fires an alert for every summary interval. Signatures can be preconfigured

for global summarization.

fire-once—Fires an alert for each address set. You can upgrade this mode to global summarization

mode.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

8-33

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 8 Configuring Event Action Rules

Configuring General Settings

Configuring the General Settings

Use the following commands in service event action rules submode to configure general event action

rules settings:

•

global-block-timeout —Specifies the number of minutes to block a host or connection. The valid

range is 0 to 10000000. The default is 30 minutes.

global-deny-timeout—Specifies the number of seconds to deny attackers inline. The valid range is

0 to 518400. The default is 3600.

global-filters-status {enabled | disabled}—Enables or disables the use of the filters. The default is

enabled.

global-metaevent-status {enabled | disabled}—Enables or disables the use of the Meta Event

Generator. The default is enabled.

global-overrides-status {enabled | disabled}—Enables or disables the use of the overrides. The

default is enabled.

global-summarization-status {enabled | disabled}—Enables or disables the use of the

summarizer. The default is enabled.

max-denied-attackers—Limits the number of denied attackers possible in the system at any one

time. The valid range is 0 to 100000000. The default is 10000.

Configuring Event Action General Settings

To configure event action general settings, follow these steps:

Step 1

Step 2

Enter event action rules submode.

sensor# configure terminal

sensor(config)# service event-action-rules rules0

Step 3

Step 4

Step 5

Step 6

Enter general submode.

sensor(config)# general

Enable or disable the meta event generator. The default is enabled.

sensor(config-eve-gen)# global-metaevent-status {enabled | disabled}

Enable or disable the summarizer. The default is enabled.

sensor(config-eve-gen)# global-summarization-status {enabled | disabled}

Configure the denied attackers inline event action:

a. Limit the number of denied attackers in the system at any given time. The default is 1000.

sensor(config-eve-gen)# max-denied-attackers 100

b. Configure the amount of seconds to deny attackers in the system. The default is 3600 seconds.

sensor(config-eve-gen)# global-deny-timeout 1000

Step 7

Configure the number of minutes to block a host or a connection. The default is 30 minutes.

sensor(config-eve-gen)# global-block-timeout 20

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

8-34

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 8 Configuring Event Action Rules

Configuring the Denied Attackers List

Step 8

Step 9

Enable or disable any overrides that you have set up. The default is enabled.

sensor(config-eve-gen)# global-overrides-status {enabled | disabled}

Enable or disable any filters that you have set up. The default is enabled.

sensor(config-eve-gen)# global-filters-status {enabled | disabled}

Step 10 Verify the settings for general submode.

sensor(config-eve-gen)# show settings

general

-----------------------------------------------

global-overrides-status: Enabled default: Enabled

global-filters-status: Enabled default: Enabled

global-summarization-status: Enabled default: Enabled

global-metaevent-status: Enabled default: Enabled

global-deny-timeout: 1000 default: 3600

global-block-timeout: 20 default: 30

max-denied-attackers: 100 default: 10000

-----------------------------------------------

sensor(config-eve-gen)#

Step 11 Exit event action rules submode.

sensor(config-eve-gen)# exit

sensor(config-eve)# exit

Apply Changes:?[yes]:

Step 12 Press Enter to apply your changes or enter no to discard them.

Configuring the Denied Attackers List

This section describes the denied attackers list and how to add, clear, and monitor the list. It contains the

following topics:

•

Adding a Deny Attacker Entry to the Denied Attackers List, page 8-35

Monitoring and Clearing the Denied Attackers List, page 8-36

Adding a Deny Attacker Entry to the Denied Attackers List

Use the deny attacker [virtual-sensor name] [ip-address attacker-ip-address] | victim

victim-ip-address | port port-number] command to add a single deny attacker entry to the list of denied

attackers. Use the no form of the command to delete the deny attacker entry from the list.

The following options apply:

•

name—(Optional) Specifies the name of the virtual sensor to which the deny attackers entry should

be added.

•

attacker-ip-address—Specifies the attacker IP address.

victim-ip-address—(Optional) Specifies the victim IP address.

port-number—(Optional) Specifies the victim port number. The valid range is 0 to 65535.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

8-35

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 8 Configuring Event Action Rules

Configuring the Denied Attackers List

Adding Entries to the Denied Attacker List

To add a deny attacker entry to the list of denied attackers, follow these steps:

Step 1

Step 2

Add a deny attacker entry with an IP address of 192.0.2.0.

sensor# deny attacker ip-address 192.0.2.0

Warning: Executing this command will add deny attacker address on all virtual sensors.

Continue? [yes]:

Step 3

Step 4

Enter yesto add this deny attacker entry for all virtual sensors.

Add a deny attacker entry to a specific virtual sensor.

sensor# deny attacker virtual-sensor vs0 ip-address 192.0.2.0

Step 5

Remove the deny attacker entry from the list.

sensor# no deny attacker ip-address 10.1.1.1

Warning: Executing this command will delete this address from the list of attackers being

denied by all virtual sensors.

Continue? [yes]:

Step 6

Enter yesto remove the deny attacker entry from the list.

Note

To immediately stop denying attackers, you must use the clear denied-attackers command to

clear the denied attackers list.

For More Information

For the procedure for clearing denied attackers permanently from the denied attackers list, see

Monitoring and Clearing the Denied Attackers List, page 8-36.

Monitoring and Clearing the Denied Attackers List

Use the show statistics denied-attackers command to display the list of denied attackers. Use the clear

denied-attackers [virtual_sensor] [ip-address ip_address] command to delete the denied attackers list

and clear the virtual sensor statistics.

If your sensor is configured to operate in inline mode, the traffic is passing through the sensor. You can

configure signatures to deny packets, connections, and attackers while in inline mode, which means that

single packets, connections, and specific attackers are denied, that is, not transmitted, when the sensor

encounters them. When the signature fires, the attacker is denied and placed in a list. As part of sensor

administration, you may want to delete the list or clear the statistics in the list.

The following options apply:

•

virtual_sensor—(Optional) Specifies the virtual sensor whose denied attackers list should be

cleared.

•

ip_address—(Optional) Specifies the IP address to clear.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

8-36

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 8 Configuring Event Action Rules

Configuring the Denied Attackers List

Displaying and Deleting Denied Attackers

To display the list of denied attackers and delete the list and clear the statistics, follow these steps:

Step 1

Step 2

Display the list of denied IP addresses. The statistics show that there are two IP addresses being denied

at this time.

sensor# show statistics denied-attackers

Denied Attackers and hit count for each.

10.20.4.2 = 9

10.20.5.2 = 5

Step 3

Delete the denied attackers list.

sensor# clear denied-attackers

Warning: Executing this command will delete all addresses from the list of attackers

currently being denied by the sensor.

Continue with clear? [yes]:

Step 4

Step 5

Enter yesto clear the list.

Delete the denied attackers list for a specific virtual sensor.

sensor# clear denied-attackers vs0

Warning: Executing this command will delete all addresses from the list of attackers being

denied by virtual sensor vs0.

Continue with clear? [yes]:

Step 6

Step 7

Enter yesto clear the list.

Remove a specific IP address from the denied attackers list for a specific virtual sensor.

sensor# clear denied-attackers vs0 ip-address 192.0.2.0

Warning: Executing this command will delete ip address 192.0.2.0 from the list of

attackers being denied by virtual sensor vs0.

Continue with clear? [yes]:

Step 8

Step 9

Enter yesto clear the list.

Verify that you have cleared the list. You can use the show statistics denied-attackers or show statistics

virtual-sensor command.

sensor# show statistics denied-attackers

Denied Attackers and hit count for each.

Statistics for Virtual Sensor vs0

Denied Attackers with percent denied and hit count for each.

Statistics for Virtual Sensor vs1

Denied Attackers with percent denied and hit count for each.

sensor#

sensor# show statistics virtual-sensor

Virtual Sensor Statistics

Statistics for Virtual Sensor vs0

Name of current Signature-Definition instance = sig0

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

8-37

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 8 Configuring Event Action Rules

Monitoring Events

Name of current Event-Action-Rules instance = rules0

List of interfaces monitored by this virtual sensor = mypair

Denied Address Information

Number of Active Denied Attackers = 0

Number of Denied Attackers Inserted = 2

Number of Denied Attackers Total Hits = 287

Number of times max-denied-attackers limited creation of new entry = 0

Number of exec Clear commands during uptime = 1

Denied Attackers and hit count for each.

Step 10 Clear only the statistics.

sensor# show statistics virtual-sensor clear

Step 11 Verify that you have cleared the statistics. The statistics have all been cleared except for the Number of

Active Denied Attackersand Number of exec Clear commands during uptimecategories. It is

important to know if the list has been cleared.

sensor# show statistics virtual-sensor

Virtual Sensor Statistics

Statistics for Virtual Sensor vs0

Name of current Signature-Definition instance = sig0

Name of current Event-Action-Rules instance = rules0

List of interfaces monitored by this virtual sensor = mypair

Denied Address Information

Number of Active Denied Attackers = 2

Number of Denied Attackers Inserted = 0

Number of Denied Attackers Total Hits = 0

Number of times max-denied-attackers limited creation of new entry = 0

Number of exec Clear commands during uptime = 1

Denied Attackers and hit count for each.

10.20.2.5 = 0

10.20.5.2 = 0

Monitoring Events

This section describes how to display and clear events from the Event Store, and contains the following

topics:

•

Displaying Events, page 8-38

Clearing Events from Event Store, page 8-41

Displaying Events

Note

The Event Store has a fixed size of 30 MB for all platforms.

Note

Events are displayed as a live feed. To cancel the request, press Ctrl-C.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

8-38

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 8 Configuring Event Action Rules

Monitoring Events

Use the show events [{alert [informational] [low] [medium] [high] [include-traits traits]

[exclude-traits traits] [min-threat-rating min-rr] [max-threat-rating max-rr] | error [warning]

[error] [fatal] | NAC | status}] [hh:mm:ss [month day [year]] | past hh:mm:ss] command to display

events from Event Store. Events are displayed beginning at the start time. If you do not specify a start

time, events are displayed beginning at the current time. If you do not specify an event type, all events

are displayed.

The following options apply:

•

alert—Displays alerts. Provides notification of some suspicious activity that may indicate an attack

is in process or has been attempted. Alert events are generated by the Analysis Engine whenever a

signature is triggered by network activity. If no level is selected (informational, low, medium, or

high), all alert events are displayed.

•

include-traits—Displays alerts that have the specified traits.

exclude-traits—Does not display alerts that have the specified traits.

traits—Specifies the trait bit position in decimal (0 to 15).

min-threat-rating—Displays events with a threat rating above or equal to this value. The default is

0. The valid range is 0 to 100.

•

max-threat-rating—Displays events with a threat rating below or equal to this value. The default

is 100. The valid range is 0 to 100.

error—Displays error events. Error events are generated by services when error conditions are

encountered. If no level is selected (warning, error, or fatal), all error events are displayed.

NAC—Displays the ARC (block) requests.

Note

The ARC is formerly known as NAC. This name change has not been completely

implemented throughout the IDM, the IME, and the CLI.

•

status—Displays status events.

past—Displays events starting in the past for the specified hours, minutes, and seconds.

hh:mm:ss—Specifies the hours, minutes, and seconds in the past to begin the display.

Note

The show events command continues to display events until a specified event is available. To exit, press

Ctrl-C.

Displaying Events

To display events from the Event Store, follow these steps:

Step 1

Step 2

Display all events starting now. The feed continues showing all events until you press Ctrl-C.

sensor# show events

evError: eventId=1041472274774840147 severity=warning vendor=Cisco

originator:

hostId: sensor2

appName: cidwebserver

appInstanceId: 12075

time: 2011/01/07 04:41:45 2011/01/07 04:41:45 UTC

errorMessage: name=errWarning received fatal alert: certificate_unknown

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

8-39

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 8 Configuring Event Action Rules

Monitoring Events

evError: eventId=1041472274774840148 severity=error vendor=Cisco

originator:

hostId: sensor2

appName: cidwebserver

appInstanceId: 351

time: 2011/01/07 04:41:45 2011/01/07 04:41:45 UTC

errorMessage: name=errTransport WebSession::sessionTask(6) TLS connection exce

ption: handshake incomplete.

Step 3

Display the block requests beginning at 10:00 a.m. on February 9, 2011.

sensor# show events NAC 10:00:00 Feb 9 2011

evShunRqst: eventId=1106837332219222281 vendor=Cisco

originator:

deviceName: Sensor1

appName: NetworkAccessControllerApp

appInstance: 654

time: 2011/02/09 10:33:31 2011/08/09 13:13:31

shunInfo:

host: connectionShun=false

srcAddr: 11.0.0.1

destAddr:

srcPort:

destPort:

protocol: numericType=0 other

timeoutMinutes: 40

evAlertRef: hostId=esendHost 123456789012345678

sensor#

Step 4

Display errors with the warning level starting at 10:00 a.m. on February 9, 2011.

sensor# show events error warning 10:00:00 Feb 9 2011

evError: eventId=1041472274774840197 severity=warning vendor=Cisco

originator:

hostId: sensor

appName: cidwebserver

appInstanceId: 12160

time: 2011/01/07 04:49:25 2011/01/07 04:49:25 UTC

errorMessage: name=errWarning received fatal alert: certificate_unknown

Step 5

Display alerts from the past 45 seconds.

sensor# show events alert past 00:00:45

evIdsAlert: eventId=1109695939102805307 severity=medium vendor=Cisco

originator:

hostId: sensor

appName: sensorApp

appInstanceId: 367

time: 2011/03/02 14:15:59 2011/03/02 14:15:59 UTC

signature: description=Nachi Worm ICMP Echo Request id=2156 version=S54

subsigId: 0

sigDetails: Nachi ICMP

interfaceGroup:

vlan: 0

participants:

attacker:

addr: locality=OUT 10.89.228.202

target:

addr: locality=OUT 10.89.150.185

riskRatingValue: 70

interface: fe0_1

protocol: icmp

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

8-40

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 8 Configuring Event Action Rules

Monitoring Events

evIdsAlert: eventId=1109695939102805308 severity=medium vendor=Cisco

originator:

--MORE--

Step 6

Display events that began 30 seconds in the past.

sensor# show events past 00:00:30

evStatus: eventId=1041526834774829055 vendor=Cisco

originator:

hostId: sensor

appName: mainApp

appInstanceId: 2215

time: 2011/01/08 02:41:00 2011/01/08 02:41:00 UTC

controlTransaction: command=getVersion successful=true

description: Control transaction response.

requestor:

user: cids

application:

hostId: 64.101.182.101

appName: -cidcli

appInstanceId: 2316

evStatus: eventId=1041526834774829056 vendor=Cisco

originator:

hostId: sensor

appName: login(pam_unix)

appInstanceId: 2315

time: 2011/01/08 02:41:00 2011/01/08 02:41:00 UTC

syslogMessage:

description: session opened for user cisco by cisco(uid=0)

Clearing Events from Event Store

Use the clear events command to clear the Event Store.

To clear events from the Event Store, follow these steps:

Step 1

Step 2

Clear the Event Store.

sensor# clear events

Warning: Executing this command will remove all events currently stored in the event

store.

Continue with clear? []:

Step 3

Enter yesto clear the events.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

8-41

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 8 Configuring Event Action Rules

Monitoring Events

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

8-42

Download from Www.Somanuals.com. All Manuals Search And Download.

C H A P T E R

Configuring Anomaly Detection

This chapter describes anomaly detection (AD) and its features and how to configure them. This chapter

contains the following topics:

•

Anomaly Detection Notes and Caveats, page 9-1

Understanding Security Policies, page 9-2

Understanding Anomaly Detection, page 9-2

Understanding Worms, page 9-2

Anomaly Detection Modes, page 9-3

Anomaly Detection Zones, page 9-4

Anomaly Detection Configuration Sequence, page 9-5

Anomaly Detection Signatures, page 9-6

Enabling Anomaly Detection, page 9-8

W o rking With Anomaly Detection Policies, page 9-8

Configuring Anomaly Detection Operational Settings, page 9-10

Configuring the Internal Zone, page 9-11

Configuring the Illegal Zone, page 9-20

Configuring the External Zone, page 9-28

Configuring Learning Accept Mode, page 9-36

W o rking With KB Files, page 9-40

Displaying Anomaly Detection Statistics, page 9-47

Disabling Anomaly Detection, page 9-48

Anomaly Detection Notes and Caveats

The following notes and caveats apply to configuring anomaly detection:

•

Anomaly detection is disabled by default. You must enable it to configure or apply an anomaly

detection policy. Enabling anomaly detection results in a decrease in performance.

•

Anomaly detection assumes it gets traffic from both directions. If the sensor is configured to see

only one direction of traffic, you should turn off anomaly detection. Otherwise, when anomaly

detection is running in an asymmetric environment, it identifies all traffic as having incomplete

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

9-1

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 9 Configuring Anomaly Detection

Understanding Security Policies

connections, that is, as scanners, and sends alerts for all traffic flows. Using asymmetric mode

protection with anomaly detection enabled causes excessive resource usage and possible false

positives for anomaly detection signatures.

Understanding Security Policies

You can create multiple security policies and apply them to individual virtual sensors. A security policy

is made up of a signature definition policy, an event action rules policy, and an anomaly detection policy.

Cisco IPS contains a default signature definition policy called sig0, a default event action rules policy

called rules0, and a default anomaly detection policy called ad0. You can assign the default policies to

a virtual sensor or you can create new policies. The use of multiple security policies lets you create

security policies based on different requirements and then apply these customized policies per VLAN or

physical interface.

Understanding Anomaly Detection

The anomaly detection component of the sensor detects worm-infected hosts. This enables the sensor to

be less dependent on signature updates for protection again worms and scanners, such as Code Red and

SQL Slammer and so forth. The anomaly detection component lets the sensor learn normal activity and

send alerts or take dynamic response actions for behavior that deviates from what it has learned as

normal behavior.

Note

Anomaly detection does not detect email-based worms, such as Nimda.

Anomaly detection detects the following two situations:

•

When the network starts on the path of becoming congested by worm traffic.

When a single worm-infected source enters the network and starts scanning for other vulnerable

hosts.

Understanding Worms

Caution

Anomaly detection assumes it gets traffic from both directions. If the sensor is configured to see only

one direction of traffic, you should turn off anomaly detection. Otherwise, when anomaly detection is

running in an asymmetric environment, it identifies all traffic as having incomplete connections, that is,

as scanners, and sends alerts for all traffic flows. Using asymmetric mode protection with anomaly

detection enabled causes excessive resource usage and possible false positives for anomaly detection

signatures.

Worms are automated, self-propagating, intrusion agents that make copies of themselves and then

facilitate their spread. Worms attack a vulnerable host, infect it, and then use it as a base to attack other

vulnerable hosts. They search for other hosts by using a form of network inspection, typically a scan,

and then propagate to the next target. A scanning worm locates vulnerable hosts by generating a list of

IP addresses to probe, and then contacts the hosts. Code Red worm, Sasser worm, Blaster worm, and the

Slammer worm are examples of worms that spread in this manner.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

9-2

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 9 Configuring Anomaly Detection

Anomaly Detection Modes

Anomaly detection identifies worm-infected hosts by their behavior as scanners. To spread, a worm must

find new hosts. It finds them by scanning the Internet or network using TCP, UDP, and other protocols

to generate unsuccessful attempts to access different destination IP addresses. A scanner is defined as a

source IP address that generates events on the same destination port (in TCP and UDP) for too many

destination IP addresses.

The events that are important for TCP protocol are nonestablished connections, such as a SYN packet

that does not have its SYN-ACK response for a given amount of time. A worm-infected host that scans

using TCP protocol generates nonestablished connections on the same destination port for an anomalous

number of IP addresses.

The events that are important for UDP protocol are unidirectional connections, such as a UDP

connection where all packets are going only in one direction. A worm-infected host that scans using UDP

protocol generates UDP packets but does not receive UDP packets on the same quad within a timeout

period on the same destination port for multiple destination IP addresses.

The events that are important for other protocols, such as ICMP, are from a source IP address to many

different destination IP addresses, that is, packets that are received in only one direction.

Caution

If a worm has a list of IP addresses it should infect and does not have to use scanning to spread itself (for

example, it uses passive mapping—listening to the network as opposed to active scanning), it is not

detected by the anomaly detection worm policies. Worms that receive a mailing list from probing files

within the infected host and email this list are also not detected, because no Layer 3/Layer 4 anomaly is

generated.

For More Information

For the procedure for turning off anomaly detection, see Disabling Anomaly Detection, page 9-48.

Anomaly Detection Modes

If you have anomaly detection enabled, it initially conducts a “peacetime” learning process when the

most normal state of the network is reflected. Anomaly detection then derives a set of policy thresholds

that best fit the normal network.

Anomaly detection has the following modes:

•

Learning accept mode—Anomaly detection conducts an initial learning accept mode for the default

period of 24 hours. We assume that during this phase no attack is being carried out. Anomaly

detection creates an initial baseline, known as a knowledge base (KB), of the network traffic. The

default interval value for periodic schedule is 24 hours and the default action is rotate, meaning that

a new KB is saved and loaded, and then replaces the initial KB after 24 hours.

Note

Anomaly detection does not detect attacks when working with the initial KB, which is

empty. After the default of 24 hours, a KB is saved and loaded and now anomaly detection

also detects attacks.

Note

Depending on your network complexity, you may want to have anomaly detection in

learning accept mode for longer than the default 24 hours.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

9-3

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 9 Configuring Anomaly Detection

Anomaly Detection Zones

•

Detect mode—For ongoing operation, the sensor should remain in detect mode. This is for 24 hours

a day, 7 days a week. Once a KB is created and replaces the initial KB, anomaly detection detects

attacks based on it. It looks at the network traffic flows that violate thresholds in the KB and sends

alerts. As anomaly detection looks for anomalies, it also records gradual changes to the KB that do

not violate the thresholds and thus creates a new KB. The new KB is periodically saved and takes

the place of the old one thus maintaining an up-to-date KB.

•

Inactive mode—You can turn anomaly detection off by putting it in inactive mode. Under certain

circumstances, anomaly detection should be in inactive mode, for example, if the sensor is running

in an asymmetric environment. Because anomaly detection assumes it gets traffic from both

directions, if the sensor is configured to see only one direction of traffic, anomaly detection

identifies all traffic as having incomplete connections, that is, as scanners, and sends alerts for all

traffic flows. Having anomaly detection running also lowers performance.

Example

The following example summarizes the default anomaly detection configuration. If you add a virtual

sensor at 11:00 pm and do not change the default anomaly detection configuration, anomaly detection

begins working with the initial KB and only performs learning. Although it is in detect mode, it cannot

detect attacks until it has gathered information for 24 hours and replaced the initial KB. At the first start

time (10:00 am by default), and the first interval (24 hours by default), the learning results are saved to

a new KB and this KB is loaded and replaces the initial KB. Because the anomaly detection is in detect

mode by default, now that anomaly detection has a new KB, the anomaly detection begins to detect

attacks.

For More Information

•

For the procedures for putting anomaly detection in different modes, see Adding, Editing, and

Deleting Virtual Sensors, page 5-4.

•

For more information about how worms operate, see Understanding Worms, page 9-2.

Anomaly Detection Zones

By subdividing the network into zones, you can achieve a lower false negative rate. A zone is a set of

destination IP addresses. There are three zones, internal, illegal, and external, each with its own

thresholds.

The external zone is the default zone with the default Internet range of 0.0.0.0-255.255.255.255. By

default, the internal and illegal zones contain no IP addresses. Packets that do not match the set of IP

addresses in the internal or illegal zone are handled by the external zone.

We recommend that you configure the internal zone with the IP address range of your internal network.

If you configure it in this way, the internal zone is all the traffic that comes to your IP address range, and

the external zone is all the traffic that goes to the Internet.

You can configure the illegal zone with IP address ranges that should never be seen in normal traffic, for

example, unallocated IP addresses or part of your internal IP address range that is unoccupied. An illegal

zone can be very helpful for accurate detection, because we do not expect any legal traffic to reach this

zone. This allows very low thresholds, which in turn can lead to very quick worm virus detection.

For More Information

For the procedures for configuring zones, see Configuring the Internal Zone, page 9-11, Configuring the

Illegal Zone, page 9-20, and Configuring the External Zone, page 9-28.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

9-4

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 9 Configuring Anomaly Detection

Anomaly Detection Configuration Sequence

You can configure the detection part of anomaly detection. You can configure a set of thresholds that

override the KB learned thresholds. However, anomaly detection continues learning regardless of how

you configure the detection. You can also import, export, and load a KB and you can view a KB for data.

Follow this sequence when configuring anomaly detection:

1. Create an anomaly detection policy to add to the virtual sensors. Or you can use the default anomaly

detection policy, ad0.

2. Add the anomaly detection policy to your virtual sensors.

3. Enable anomaly detection.

4. Configure the anomaly detection zones and protocols.

5. For the first 24 hours anomaly detection performs learning to create a populated KB. The initial KB

is empty and during the default 24 hours, anomaly detection collects data to use to populate the KB.

If you want the learning period to be longer than the default period of 24 hours, you must manually

set the mode to learning accept.

6. Let the sensor run in learning accept mode for at least 24 hours (the default). You should let the

sensor run in learning accept mode for at least 24 hours so it can gather information on the normal

state of the network for the initial KB. However, you should change the amount of time for learning

accept mode according to the complexity of your network. After the time period, the sensor saves

the initial KB as a baseline of the normal activity of your network.

Note

We recommend leaving the sensor in learning accept mode for at least 24 hours, but letting

the sensor run in learning accept mode for longer, even up to a week, is better.

7. If you manually set anomaly detection to learning accept mode, switch back to detect mode.

8. Configure the anomaly detection parameters:

•

Configure the worm timeout and which source and destination IP addresses should be bypassed

by anomaly detection. After this timeout, the scanner threshold returns to the configured value.

Decide whether you want to enable automatic KB updates when anomaly detection is in detect

mode.

Configure the 18 anomaly detection worm signatures to have more event actions than just the

default produce-alert. For example, configure them to have deny-attacker event actions.

For More Information

•

For the procedures for putting anomaly detection in different modes, see Adding, Editing, and

Deleting Virtual Sensors, page 5-4.

For the procedure for configuring a new anomaly detection policy, see Working With Anomaly

Detection Policies, page 9-8.

For more information on configuring zones, see Configuring the Internal Zone, page 9-11,

Configuring the Illegal Zone, page 9-20, and Configuring the External Zone, page 9-28.

•

For more information on anomaly detection modes, see Anomaly Detection Modes, page 9-3.

For more information about configuring learning accept mode, see Configuring Learning Accept

Mode, page 9-36.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

9-5

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 9 Configuring Anomaly Detection

Anomaly Detection Signatures

•

For more information on configuring anomaly detection signatures, see Anomaly Detection

Signatures, page 9-6.

For more information on Deny Attacker event actions, see Event Actions, page 8-4.

Anomaly Detection Signatures

The Traffic Anomaly engine contains nine anomaly detection signatures covering three protocols (TCP,

UDP, and other). Each signature has two subsignatures, one for the scanner and the other for the

worm-infected host (or a scanner under worm attack). When anomaly detection discovers an anomaly, it

triggers an alert for these signatures. All anomaly detection signatures are enabled by default and the

alert severity for each one is set to high.

When a scanner is detected but no histogram anomaly occurred, the scanner signature fires for that

attacker (scanner) IP address. If the histogram signature is triggered, the attacker addresses that are doing

the scanning each trigger the worm signature (instead of the scanner signature). The alert details state

which threshold is being used for the worm detection now that the histogram has been triggered. From

that point on, all scanners are detected as worm-infected hosts.

The following anomaly detection event actions are possible:

•

produce-alert—Writes the event to the Event Store.

deny-attacker-inline—(Inline only) Does not transmit this packet and future packets originating

from the attacker address for a specified period of time.

•

log-attacker-packets—Starts IP logging for packets that contain the attacker address.

deny-attacker-service-pair-inline—Blocks the source IP address and the destination port.

request-snmp-trapRequest—Sends a request to NotificationApp to perform SNMP notification.

request-block-host—Sends a request to ARC to block this host (the attacker).

Table 9-1 lists the anomaly detection worm signatures.

Table 9-1 Anomaly Detection Worm Signatures

Signature ID Subsignature ID Name

Description

13000

Internal TCP Scanner Identified a single scanner over a TCP

protocol in the internal zone.

13000

Internal TCP Scanner Identified a worm attack over a TCP

protocol in the internal zone; the TCP

histogram threshold was crossed and a

scanner over a TCP protocol was

identified.

13001

Internal UDP Scanner Identified a single scanner over a UDP

protocol in the internal zone.

Internal UDP Scanner Identified a worm attack over a UDP

protocol in the internal zone; the UDP

histogram threshold was crossed and a

scanner over a UDP protocol was

identified.

13002

Internal Other Scanner Identified a single scanner over an Other

protocol in the internal zone.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

9-6

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 9 Configuring Anomaly Detection

Anomaly Detection Signatures

Table 9-1

Anomaly Detection Worm Signatures (continued)

Description

Signature ID Subsignature ID Name

13002

Internal Other Scanner Identified a worm attack over an Other

protocol in the internal zone; the Other

histogram threshold was crossed and a

scanner over an Other protocol was

identified.

13003

External TCP Scanner Identified a single scanner over a TCP

protocol in the external zone.

External TCP Scanner Identified a worm attack over a TCP

protocol in the external zone; the TCP

histogram threshold was crossed and a

scanner over a TCP protocol was

identified.

13004

External UDP Scanner Identified a single scanner over a UDP

protocol in the external zone.

External UDP Scanner Identified a worm attack over a UDP

protocol in the external zone; the UDP

histogram threshold was crossed and a

scanner over a UDP protocol was

identified.

13005

External Other Scanner Identified a single scanner over an Other

protocol in the external zone.

External Other Scanner Identified a worm attack over an Other

protocol in the external zone; the Other

histogram threshold was crossed and a

scanner over an Other protocol was

identified.

13006

Illegal TCP Scanner

Identified a single scanner over a TCP

protocol in the illegal zone.

Illegal TCP Scanner

Identified a worm attack over a TCP

protocol in the illegal zone; the TCP

histogram threshold was crossed and a

scanner over a TCP protocol was

identified.

13007

Illegal UDP Scanner

Identified a single scanner over a UDP

protocol in the illegal zone.

Identified a worm attack over a UDP

protocol in the illegal zone; the UDP

histogram threshold was crossed and a

scanner over a UDP protocol was

identified.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

9-7

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 9 Configuring Anomaly Detection

Enabling Anomaly Detection

Table 9-1

Anomaly Detection Worm Signatures (continued)

Description

Signature ID Subsignature ID Name

13008

Illegal Other Scanner

Identified a single scanner over an Other

protocol in the illegal zone.

Illegal Other Scanner

Identified a worm attack over an Other

protocol in the illegal zone; the Other

histogram threshold was crossed and a

scanner over an Other protocol was

identified.

For More Information

For the procedure for assigning actions to signatures, see Assigning Actions to Signatures, page 7-15.

Enabling Anomaly Detection

To enable anomaly detection, follow these steps:

Step 1

Step 2

Enter analysis engine submode.

sensor# configure terminal

sensor(config)# service analysis-engine

sensor(config-ana)#

Step 3

Step 4

Enter the virtual sensor name that contains the anomaly detection policy you want to enable.

sensor(config-ana)# virtual-sensor vs0

sensor(config-ana-vir)#

Enable anomaly detection operational mode.

sensor(config-ana-vir)# anomaly-detection

sensor(config-ana-vir-ano)# operational-mode detect

sensor(config-ana-vir-ano)#

Step 5

Step 6

Exit analysis engine submode.

sensor(config-ana-vir-ano)# exit

sensor(config-ana-vir)# exit

sensor(config-ana-)# exit

Apply Changes:?[yes]:

Press Enter to apply your changes or enter no to discard them.

Working With Anomaly Detection Policies

Use the service anomaly-detection name command in service anomaly detection submode to create an

anomaly detection policy. The values of this anomaly detection policy are the same as the default

anomaly detection policy, ad0, until you edit them. Or you can use the copy anomaly-detection

source_destination command in privileged EXEC mode to make a copy of an existing policy and then

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

9-8

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 9 Configuring Anomaly Detection

Working With Anomaly Detection Policies

edit the values of the new policy as needed. Use the list anomaly-detection-configurations command

in privileged EXEC mode to list the anomaly detection policies. Use the no service anomaly-detection

name command in global configuration mode to delete an anomaly detection policy. Use the default

service anomaly-detection name command in global configuration mode to reset the anomaly detection

policy to factory settings.

Working With Anomaly Detection Policies

To create, copy, display, edit, and delete anomaly detection policies, follow these steps:

Step 1

Step 2

Create an anomaly detection policy.

sensor# configure terminal

sensor(config)# service anomaly-detection MyAnomaly Detection

Editing new instance MyAnomaly Detection.

sensor(config-ano)# exit

Apply Changes?[yes]: yes

sensor(config)# exit

sensor#

Step 3

Or copy an existing anomaly detection policy to a new anomaly detection policy.

sensor# copy anomaly-detection ad0 ad1

sensor#

Note

You receive an error if the policy already exists or if there is not enough space available for the

new policy.

Step 4

Step 5

Accept the default anomaly detection policy values or edit the following parameters:

a. Configure the operational settings.

b. Configure the zones.

c. Configure learning accept mode.

d. Learn how to work with KBs.

Display a list of anomaly detection policies on the sensor.

sensor# list anomaly-detection-configurations

Anomaly Detection

Instance

ad0

temp

Size

255

707

Virtual Sensor

vs0

N/A

MyAnomaly Detection

255

N/A

ad1

141

vs1

sensor#

Step 6

Delete an anomaly detection policy.

sensor# configure terminal

sensor(config)# no service anomaly-detection MyAnomaly Detection

sensor(config)# exit

sensor#

Note

You cannot delete the default anomaly detection policy, ad0.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

9-9

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 9 Configuring Anomaly Detection

Configuring Anomaly Detection Operational Settings

Step 7

Verify that the anomaly detection instance has been deleted.

sensor# list anomaly-detection-configurations

Anomaly Detection

Instance

ad0

ad1

Size

204

141

Virtual Sensor

vs0

N/A

sensor#

Step 8

Reset an anomaly detection policy to factory settings.

sensor# configure terminal

sensor(config)# default service anomaly-detection ad1

sensor(config)#

For More Information

•

For the procedure for configuring operational settings, see Configuring Anomaly Detection

Operational Settings, page 9-10.

For the procedures for configuring anomaly detection zones, see Configuring the Internal Zone,

page 9-11, Configuring the Illegal Zone, page 9-20, and Configuring the External Zone, page 9-28.

For the procedure for configuring learning accept mode, see Configuring Learning Accept Mode,

page 9-38.

For the procedure for working with KBs, see Working With KB Files, page 9-40.

Configuring Anomaly Detection Operational Settings

Use the worm-timeout command in service anomaly detection submode to set the worm detection

timeout. After this timeout, the scanner threshold returns to the configured value. Use the ignore

command in service anomaly detection submode to configure source and destination IP addresses that

you want the sensor to ignore when anomaly detection is gathering information for a KB. Anomaly

detection does not track these source and destination IP addresses and the KB thresholds are not affected

by these IP addresses.

The following options apply:

•

worm-timeout—Specifies the amount of time in seconds for the worm termination timeout. The

range is 120 to 10,000,000 seconds. The default is 600 seconds.

•

ignore—Specifies the IP addresses that should be ignored while anomaly detection is processing:

–

enabled {true | false}—Enables/disables the list of ignored IP addresses. The default is

enabled.

source-ip-address-range—Specifies the source IP addresses that you want anomaly detection

to ignore during processing.

dest-ip-address-range—Specifies the destination IP addresses that you want anomaly

detection to ignore during processing.

Note

IP addresses are in the form of <A.B.C.D>-<A.B.C.D>[,<A.B.C.D>-<A.B.C.D>].

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

9-10

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 9 Configuring Anomaly Detection

Configuring the Internal Zone

Configuring Anomaly Detection Operational Settings

To specify anomaly detection operational settings, follow these steps:

Step 1

Step 2

Enter anomaly detection submode.

sensor# configure terminal

sensor(config)# service anomaly-detection ad1

Step 3

Step 4

Specify the worm timeout.

sensor(config-ano)# worm-timeout 800

Verify the setting.

sensor(config-ano)# show settings

worm-timeout: 800 seconds default: 600

Step 5

Specify the destination IP addresses that you want to be ignored while anomaly detection is processing.

sensor(config-ano)# ignore

sensor(config-ano-ign)# dest-ip-address-range 10.10.5.5,10.10.2.1-10.10.2.30

Step 6

Step 7

Specify the source IP addresses that you want to be ignored while anomaly detection is processing.

sensor(config-ano-ign)# source-ip-address-range 10.20.30.108-10.20.30.191

Verify the settings.

sensor(config-ano-ign)# show settings

ignore

-----------------------------------------------

enabled: true default: true

source-ip-address-range: 10.20.30.108-10.20.30.191 default: 0.0.0.0

dest-ip-address-range: 10.10.5.5,10.10.2.1-10.10.2.30 default: 0.0.0.0

-----------------------------------------------

sensor(config-ano-ign)#

Step 8

Step 9

Exit anomaly detection submode.

sensor(config-ano-ign)# exit

sensor(config-ano)# exit

Apply Changes:?[yes]:

Press Enter to apply your changes or enter no to discard them.

Configuring the Internal Zone

This section describes how to configure the internal zone, and contains the following topics:

•

Understanding the Internal Zone, page 9-12

Configuring the Internal Zone, page 9-12

Configuring TCP Protocol for the Internal Zone, page 9-13

Configuring UDP Protocol for the Internal Zone, page 9-15

Configuring Other Protocols for the Internal Zone, page 9-18

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

9-11

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 9 Configuring Anomaly Detection

Configuring the Internal Zone

Understanding the Internal Zone

The internal zone should represent your internal network. It should receive all the traffic that comes to

your IP address range. If the zone is disabled, packets to this zone are ignored. By default the zone is

enabled. You then add the IP addresses that belong to this zone. If you do not configure IP addresses for

all zones, all packets are sent to the default zone, the external zone.

You can enable or disable TCP, UDP, and other protocols for the internal zone. You can configure a

destination port for the TCP and UDP protocols and a protocol number for the other protocols. You can

either use the default thresholds or override the scanner settings and add your own thresholds and

histograms.

Configuring the Internal Zone

Use the internal-zone {enabled | ip-address-range | tcp | udp |other} command in service

anomaly-detection submode to enable the internal zone, add IP addresses to the internal zone, and

specify protocols.

The following options apply:

•

enabled {false | true}—Enables/disables the zone.

ip-address-range—Specifies the IP addresses of the subnets in the zone. The valid value is

<A.B.C.D>-<A.B.C.D>[,<A.B.C.D>-<A.B.C.D>].

Note

The second IP address in the range must be greater than or equal to the first IP address.

•

tcp—Lets you configure TCP protocol.

udp—Lets you configure UDP protocol.

other—Lets you configure other protocols besides TCP and UDP.

Configuring the Internal Zone

To configure the internal zone, follow these steps:

Step 1

Step 2

Enter anomaly detection internal zone submode.

sensor# configure terminal

sensor(config)# service anomaly-detection ad0

sensor(config-ano)# internal-zone

sensor(config-ano-int)#

Step 3

Step 4

Enable the internal zone.

sensor(config-ano-int)# enabled true

Configure the IP addresses to be included in the internal zone.

sensor(config-ano-int)# ip-address-range 192.0.2.72-192.0.2.108

Step 5

Step 6

Configure TCP protocol.

Configure UDP protocol.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

9-12

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 9 Configuring Anomaly Detection

Configuring the Internal Zone

Step 7

Configure the other protocols.

For More Information

•

For the procedure for configuring TCP protocol, see Configuring TCP Protocol for the Internal

Zone, page 9-13.

For the procedure for configuring UDP protocol, see Configuring UDP Protocol for the Internal

Zone, page 9-15.

For the procedure for configuring other protocols, see Configuring Other Protocols for the Internal

Zone, page 9-18.

Configuring TCP Protocol for the Internal Zone

Use the tcp {enabled | dst-port number | default-thresholds} command in service anomaly detection

internal zone submode to enable and configure the TCP service.

The following options apply:

•

enabled {false | true}—Enables/disables TCP protocol.

default-thresholds—Defines thresholds to be used for all ports not specified in the destination port

map:

–

threshold-histogram {low | medium | high} num-source-ips number—Sets values in the

threshold histogram.

–

scanner-threshold—Sets the scanner threshold. The default is 200.

•

dst-port number—Defines thresholds for specific destination ports. The valid values are 0 to 65535.

enabled {true | false}—Enables/disables the service.

override-scanner-settings {yes | no}—Lets you override the scanner values:

–

threshold-histogram {low | medium | high} num-source-ips number—Sets values in the

threshold histogram.

–

scanner-threshold—Sets the scanner threshold. The default is 200.

Configuring Internal Zone TCP Protocol

To configure TCP protocol for the internal zone, follow these steps:

Step 1

Step 2

Enter anomaly detection internal zone submode.

sensor# configure terminal

sensor(config)# service anomaly-detection ad0

sensor(config-ano)# internal-zone

sensor(config-ano-int)#

Step 3

Step 4

Enable TCP protocol.

sensor(config-ano-int)# tcp

sensor(config-ano-int-tcp)# enabled true

Associate a specific port with TCP protocol.

sensor(config-ano-int-tcp)# dst-port 20

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

9-13

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 9 Configuring Anomaly Detection

Configuring the Internal Zone

sensor(config-ano-int-tcp-dst)#

Step 5

Step 6

Enable the service for that port.

sensor(config-ano-int-tcp-dst)# enabled true

To override the scanner values for that port. You can use the default scanner values, or you can override

them and configure your own scanner values.

sensor(config-ano-int-tcp-dst)# override-scanner-settings yes

sensor(config-ano-int-tcp-dst-yes)#

Step 7

To add a histogram for the new scanner settings. Enter the number of destination IP addresses (low,

medium, or high) and the number of source IP addresses you want associated with this histogram.

sensor(config-ano-int-tcp-dst-yes)# threshold-histogram low num-source-ips 100

Step 8

Step 9

Set the scanner threshold.

sensor(config-ano-int-tcp-dst-yes)# scanner-threshold 100

Configure the default thresholds for all other unspecified ports.

sensor(config-ano-int-tcp-dst-yes)# exit

sensor(config-ano-int-tcp-dst)# exit

sensor(config-ano-int-tcp)# exit

sensor(config-ano-int-tcp)# default-thresholds

sensor(config-ano-int-tcp-def)# default-thresholds

sensor(config-ano-int-tcp-def)# threshold-histogram medium num-source-ips 120

sensor(config-ano-int-tcp-def)# scanner-threshold 120

Step 10 Verify the TCP configuration settings.

sensor(config-ano-int-tcp)# show settings

tcp

-----------------------------------------------

dst-port (min: 0, max: 65535, current: 4)

-----------------------------------------------

number: 20

-----------------------------------------------

override-scanner-settings

-----------------------------------------------

yes

-----------------------------------------------

scanner-threshold: 120 default: 200

threshold-histogram (min: 0, max: 3, current: 1)

-----------------------------------------------

dest-ip-bin: low

num-source-ips: 100

-----------------------------------------------

enabled: true default: true

-----------------------------------------------

number: 23

-----------------------------------------------

override-scanner-settings

-----------------------------------------------

enabled: true <defaulted>

-----------------------------------------------

number: 113

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

9-14

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 9 Configuring Anomaly Detection

Configuring the Internal Zone

-----------------------------------------------

override-scanner-settings

-----------------------------------------------

enabled: true <defaulted>

-----------------------------------------------

number: 567

-----------------------------------------------

override-scanner-settings

-----------------------------------------------

enabled: true <defaulted>

-----------------------------------------------

default-thresholds

-----------------------------------------------

scanner-threshold: 120 default: 200

threshold-histogram (min: 0, max: 3, current: 3)

-----------------------------------------------

dest-ip-bin: low <defaulted>

num-source-ips: 10 <defaulted>

dest-ip-bin: medium

num-source-ips: 120 default: 1

dest-ip-bin: high <defaulted>

num-source-ips: 1 <defaulted>

-----------------------------------------------

enabled: true <defaulted>

-----------------------------------------------

sensor(config-ano-int-tcp)#

Configuring UDP Protocol for the Internal Zone

Use the udp {enabled | dst-port number | default-thresholds} command in service anomaly detection

internal zone submode to enable and configure the UDP service.

The following options apply:

•

enabled {false | true}—Enables/disables UDP protocol.

default-thresholds—Defines thresholds to be used for all ports not specified in the destination port

map:

–

threshold-histogram {low | medium | high} num-source-ips number—Sets values in the

threshold histogram.

–

scanner-threshold—Sets the scanner threshold. The default is 200.

•

dst-port number—Defines thresholds for specific destination ports. The valid values are 0 to 65535.

enabled {true | false}—Enables/disables the service.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

9-15

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 9 Configuring Anomaly Detection

Configuring the Internal Zone

•

override-scanner-settings {yes | no}—Lets you override the scanner values:

–

threshold-histogram {low | medium | high} num-source-ips number—Sets values in the

threshold histogram.

–

scanner-threshold—Sets the scanner threshold. The default is 200.

Configuring the Internal Zone UDP Protocol

To configure UDP protocol for a zone, follow these steps:

Step 1

Step 2

Enter anomaly detection internal zone submode.

sensor# configure terminal

sensor(config)# service anomaly-detection ad0

sensor(config-ano)# internal-zone

sensor(config-ano-int)#

Step 3

Step 4

Enable UDP protocol.

sensor(config-ano-int)# udp

sensor(config-ano-int-udp)# enabled true

Associate a specific port with UDP protocol.

sensor(config-ano-int-udp)# dst-port 20

sensor(config-ano-int-udp-dst)#

Step 5

Step 6

Enable the service for that port.

sensor(config-ano-int-udp-dst)# enabled true

To override the scanner values for that port. You can use the default scanner values, or you can override

them and configure your own scanner values.

sensor(config-ano-int-udp-dst)# override-scanner-settings yes

sensor(config-ano-int-udp-dst-yes)#

Step 7

To add a histogram for the new scanner settings. Enter the number of destination IP addresses (low,

medium, or high) and the number of source IP addresses you want associated with this histogram.

sensor(config-ano-int-udp-dst-yes)# threshold-histogram low num-source-ips 100

Step 8

Step 9

Set the scanner threshold.

sensor(config-ano-int-udp-dst-yes)# scanner-threshold 100

Configure the default thresholds for all other unspecified ports.

sensor(config-ano-int-udp-dst-yes)# exit

sensor(config-ano-int-udp-dst)# exit

sensor(config-ano-int-udp)# default-thresholds

sensor(config-ano-int-udp-def)# default-thresholds

sensor(config-ano-int-udp-def)# threshold-histogram medium num-source-ips 120

sensor(config-ano-int-udp-def)# scanner-threshold 120

Step 10 Verify the UDP configuration settings.

sensor(config-ano-int-udp)# show settings

udp

-----------------------------------------------

dst-port (min: 0, max: 65535, current: 4)

-----------------------------------------------

number: 20

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

9-16

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 9 Configuring Anomaly Detection

Configuring the Internal Zone

-----------------------------------------------

override-scanner-settings

-----------------------------------------------

yes

-----------------------------------------------

scanner-threshold: 100 default: 200

threshold-histogram (min: 0, max: 3, current: 1)

-----------------------------------------------

dest-ip-bin: low

num-source-ips: 100

-----------------------------------------------

enabled: true default: true

-----------------------------------------------

number: 23

-----------------------------------------------

override-scanner-settings

-----------------------------------------------

enabled: true <defaulted>

-----------------------------------------------

number: 113

-----------------------------------------------

override-scanner-settings

-----------------------------------------------

enabled: true <defaulted>

-----------------------------------------------

number: 567

-----------------------------------------------

override-scanner-settings

-----------------------------------------------

enabled: true <defaulted>

-----------------------------------------------

default-thresholds

-----------------------------------------------

scanner-threshold: 120 default: 200

threshold-histogram (min: 0, max: 3, current: 3)

-----------------------------------------------

dest-ip-bin: low <defaulted>

num-source-ips: 10 <defaulted>

dest-ip-bin: medium

num-source-ips: 120 default: 1

dest-ip-bin: high <defaulted>

num-source-ips: 1 <defaulted>

-----------------------------------------------

enabled: true <defaulted>

-----------------------------------------------

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

9-17

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 9 Configuring Anomaly Detection

Configuring the Internal Zone

sensor(config-ano-int-udp)#

Configuring Other Protocols for the Internal Zone

Use the other {enabled | protocol number | default-thresholds} command in service anomaly detection

internal zone submode to enable and configure the other services.

The following options apply:

•

enabled {false | true}—Enables/disables other protocols.

default-thresholds—Defines thresholds to be used for all ports not specified in the destination port

map:

–

threshold-histogram {low | medium | high} num-source-ips number—Sets values in the

threshold histogram.

–

scanner-threshold—Sets the scanner threshold. The default is 200.

•

protocol-number number—Defines thresholds for specific protocols. The valid values are 0 to 255.

enabled {true | false}—Enables/disables the service.

override-scanner-settings {yes | no}—Lets you override the scanner values:

–

threshold-histogram {low | medium | high} num-source-ips number—Sets values in the

threshold histogram.

–

scanner-threshold—Sets the scanner threshold. The default is 200.

Configuring the Internal Zone Other Protocols

To configure other protocols for a zone, follow these steps:

Step 1

Step 2

Enter anomaly detection internal zone submode.

sensor# configure terminal

sensor(config)# service anomaly-detection ad0

sensor(config-ano)# internal-zone

sensor(config-ano-int)#

Step 3

Step 4

Enable the other protocols.

sensor(config-ano-int)# other

sensor(config-ano-int-oth)# enabled true

Associate a specific number for the other protocols.

sensor(config-ano-int-oth)# protocol-number 5

sensor(config-ano-int-oth-pro)#

Step 5

Step 6

Enable the service for that port.

sensor(config-ano-int-oth-pro)# enabled true

To override the scanner values for that protocol. You can use the default scanner values, or you can

override them and configure your own scanner values.

sensor(config-ano-int-oth-pro)# override-scanner-settings yes

sensor(config-ano-int-oth-pro-yes)#

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

9-18

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 9 Configuring Anomaly Detection

Configuring the Internal Zone

Step 7

To add a histogram for the new scanner settings. Enter the number of destination IP addresses (low,

medium, or high) and the number of source IP addresses you want associated with this histogram.

sensor(config-ano-int-oth-pro-yes)# threshold-histogram high num-source-ips 75

Step 8

Step 9

Set the scanner threshold.

sensor(config-ano-int-oth-pro-yes)# scanner-threshold 100

Configure the default thresholds for all other unspecified ports.

sensor(config-ano-int-oth-pro-yes)# exit

sensor(config-ano-int-oth-pro)# exit

sensor(config-ano-int-oth)# default-thresholds

sensor(config-ano-int-oth-def)# default-thresholds

sensor(config-ano-int-oth-def)# threshold-histogram medium num-source-ips 120

sensor(config-ano-int-oth-def)# scanner-threshold 120

Step 10 Verify the other configuration settings.

sensor(config-ano-int-oth)# show settings

other

-----------------------------------------------

protocol-number (min: 0, max: 255, current: 1)

-----------------------------------------------

number: 5

-----------------------------------------------

override-scanner-settings

-----------------------------------------------

yes

-----------------------------------------------

scanner-threshold: 95 default: 200

threshold-histogram (min: 0, max: 3, current: 1)

-----------------------------------------------

dest-ip-bin: high

num-source-ips: 75

-----------------------------------------------

enabled: true default: true

-----------------------------------------------

default-thresholds

-----------------------------------------------

scanner-threshold: 200 <defaulted>

threshold-histogram (min: 0, max: 3, current: 3)

-----------------------------------------------

dest-ip-bin: low <defaulted>

num-source-ips: 10 <defaulted>

dest-ip-bin: medium <defaulted>

num-source-ips: 1 <defaulted>

dest-ip-bin: high <defaulted>

num-source-ips: 1 <defaulted>

-----------------------------------------------

enabled: true default: true

-----------------------------------------------

sensor(config-ano-int-oth)#

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

9-19

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 9 Configuring Anomaly Detection

Configuring the Illegal Zone

This section describes how to configure the illegal zone, and contains the following topics:

•

Understanding the Illegal Zone, page 9-20

Configuring the Illegal Zone, page 9-20

Configuring TCP Protocol for the Illegal Zone, page 9-21

Configuring UDP Protocol for the Illegal Zone, page 9-24

Configuring Other Protocols for the Illegal Zone, page 9-26

Understanding the Illegal Zone

The illegal zone should represent IP address ranges that should never be seen in normal traffic, for

example, unallocated IP addresses or part of your internal IP address range that is unoccupied. You then

add the IP addresses that belong to this zone. If you do not configure IP addresses for all zones, all

packets are sent to the default zone, the external zone.

You can enable or disable TCP, UDP, and other protocols for the internal zone. You can configure a

destination port for the TCP and UDP protocols and a protocol number for the other protocols. You can

either use the default thresholds or override the scanner settings and add your own thresholds and

histograms.

Configuring the Illegal Zone

Use the illegal-zone {enabled | ip-address-range | tcp | udp |other} command in service anomaly

detection submode to enable the illegal zone, add IP addresses to the illegal zone, and specify protocols.

The following options apply:

•

enabled {false | true}—Enables/disables the zone.

ip-address-range—Specifies the IP addresses of the subnets in the zone. The valid value is

<A.B.C.D>-<A.B.C.D>[,<A.B.C.D>-<A.B.C.D>].

Note

The second IP address in the range must be greater than or equal to the first IP address.

•

tcp—Lets you configure TCP protocol.

udp—Lets you configure UDP protocol.

other—Lets you configure other protocols besides TCP and UDP.

Configuring the Illegal Zone

To configure the illegal zone, follow these steps:

Step 1

Step 2

Enter anomaly detection illegal zone submode.

sensor# configure terminal

sensor(config)# service anomaly-detection ad0

sensor(config-ano)# illegal-zone

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

9-20

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 9 Configuring Anomaly Detection

Configuring the Illegal Zone

sensor(config-ano-ill)#

Step 3

Step 4

Enable the illegal zone.

sensor(config-ano-ill)# enabled true

Configure the IP addresses to be included in the illegal zone.

sensor(config-ano-ill)# ip-address-range 192.0.2.72-192.0.2.108

Step 5

Step 6

Step 7

Configure TCP protocol.

Configure UDP protocol.

Configure the other protocols.

For More Information

•

For the procedure for configuring TCP protocol, see Configuring TCP Protocol for the Illegal Zone,

page 9-21.

For the procedure for the UDP protocol, see Configuring UDP Protocol for the Illegal Zone,

page 9-24.

For the procedure for configuring other protocols, see Configuring Other Protocols for the Illegal

Zone, page 9-26.

Configuring TCP Protocol for the Illegal Zone

Use the tcp {enabled | dst-port number | default-thresholds} command in service anomaly detection

illegal zone submode to enable and configure the TCP service.

The following options apply:

•

enabled {false | true}—Enables/disables TCP protocol.

default-thresholds—Defines thresholds to be used for all ports not specified in the destination port

map:

–

threshold-histogram {low | medium | high} num-source-ips number—Sets values in the

threshold histogram.

–

scanner-threshold—Sets the scanner threshold. The default is 200.

•

dst-port number—Defines thresholds for specific destination ports. The valid values are 0 to 65535.

enabled {true | false}—Enables/disables the service.

override-scanner-settings {yes | no}—Lets you override the scanner values:

–

threshold-histogram {low | medium | high} num-source-ips number—Sets values in the

threshold histogram.

–

scanner-threshold—Sets the scanner threshold. The default is 200.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

9-21

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 9 Configuring Anomaly Detection

Configuring the Illegal Zone

Configuring the Illegal Zone TCP Protocol

To configure TCP protocol for illegal zone, follow these steps:

Step 1

Step 2

Enter anomaly detection illegal zone submode.

sensor# configure terminal

sensor(config)# service anomaly-detection ad0

sensor(config-ano)# illegal-zone

sensor(config-ano-ill)#

Step 3

Step 4

Enable TCP protocol.

sensor(config-ano-ill)# tcp

sensor(config-ano-ill-tcp)# enabled true

Associate a specific port with TCP protocol.

sensor(config-ano-ill-tcp)# dst-port 20

sensor(config-ano-ill-tcp-dst)#

Step 5

Step 6

Enable the service for that port.

sensor(config-ano-ill-tcp-dst)# enabled true

Override the scanner values for that port. You can use the default scanner values, or you can override

them and configure your own scanner values.

sensor(config-ano-ill-tcp-dst)# override-scanner-settings yes

sensor(config-ano-ill-tcp-dst-yes)#

Step 7

Add a histogram for the new scanner settings. Enter the number of destination IP addresses (low,

medium, or high) and the number of source IP addresses you want associated with this histogram.

sensor(config-ano-ill-tcp-dst-yes)# threshold-histogram low num-source-ips 100

Step 8

Step 9

Set the scanner threshold.

sensor(config-ano-ill-tcp-dst-yes)# scanner-threshold 100

Configure the default thresholds for all other unspecified ports.

sensor(config-ano-ill-tcp-dst-yes)# exit

sensor(config-ano-ill-tcp-dst)# exit

sensor(config-ano-ill-tcp)# exit

sensor(config-ano-ill-tcp)# default-thresholds

sensor(config-ano-ill-tcp-def)# default-thresholds

sensor(config-ano-ill-tcp-def)# threshold-histogram medium num-source-ips 120

sensor(config-ano-ill-tcp-def)# scanner-threshold 120

Step 10 Verify the TCP configuration settings.

sensor(config-ano-ill-tcp)# show settings

tcp

-----------------------------------------------

dst-port (min: 0, max: 65535, current: 4)

-----------------------------------------------

number: 20

-----------------------------------------------

override-scanner-settings

-----------------------------------------------

yes

-----------------------------------------------

scanner-threshold: 100 default: 200

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

9-22

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 9 Configuring Anomaly Detection

Configuring the Illegal Zone

threshold-histogram (min: 0, max: 3, current: 1)

-----------------------------------------------

dest-ip-bin: low

num-source-ips: 100

-----------------------------------------------

enabled: true default: true

-----------------------------------------------

number: 23

-----------------------------------------------

override-scanner-settings

-----------------------------------------------

enabled: true <defaulted>

-----------------------------------------------

number: 113

-----------------------------------------------

override-scanner-settings

-----------------------------------------------

enabled: true <defaulted>

-----------------------------------------------

number: 567

-----------------------------------------------

override-scanner-settings

-----------------------------------------------

enabled: true <defaulted>

-----------------------------------------------

default-thresholds

-----------------------------------------------

scanner-threshold: 120 default: 200

threshold-histogram (min: 0, max: 3, current: 3)

-----------------------------------------------

dest-ip-bin: low <defaulted>

num-source-ips: 10 <defaulted>

dest-ip-bin: medium

num-source-ips: 120 default: 1

dest-ip-bin: high <defaulted>

num-source-ips: 1 <defaulted>

-----------------------------------------------

enabled: true <defaulted>

-----------------------------------------------

sensor(config-ano-ill-tcp)#

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

9-23

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 9 Configuring Anomaly Detection

Configuring the Illegal Zone

Configuring UDP Protocol for the Illegal Zone

Use the udp {enabled | dst-port number | default-thresholds} command in service anomaly detection

illegal zone submode to enable and configure the UDP service.

The following options apply:

•

enabled {false | true}—Enables/disables UDP protocol.

default-thresholds—Defines thresholds to be used for all ports not specified in the destination port

map:

–

threshold-histogram {low | medium | high} num-source-ips number—Sets values in the

threshold histogram.

–

scanner-threshold—Sets the scanner threshold. The default is 200.

•

dst-port number—Defines thresholds for specific destination ports. The valid values are 0 to 65535.

enabled {true | false}—Enables/disables the service.

override-scanner-settings {yes | no}—Lets you override the scanner values:

–

threshold-histogram {low | medium | high} num-source-ips number—Sets values in the

threshold histogram.

–

scanner-threshold—Sets the scanner threshold. The default is 200.

Configuring the Illegal Zone UDP Protocol

To configure UDP protocol for a zone, follow these steps:

Step 1

Step 2

Enter anomaly detection illegal zone submode.

sensor# configure terminal

sensor(config)# service anomaly-detection ad0

sensor(config-ano)# illegal-zone

sensor(config-ano-ill)#

Step 3

Step 4

Enable UDP protocol.

sensor(config-ano-ill)# udp

sensor(config-ano-ill-udp)# enabled true

Associate a specific port with UDP protocol.

sensor(config-ano-ill-udp)# dst-port 20

sensor(config-ano-ill-udp-dst)#

Step 5

Step 6

Enable the service for that port.

sensor(config-ano-ill-udp-dst)# enabled true

Override the scanner values for that port. You can use the default scanner values, or you can override

them and configure your own scanner values.

sensor(config-ano-ill-udp-dst)# override-scanner-settings yes

sensor(config-ano-ill-udp-dst-yes)#

Step 7

Add a histogram for the new scanner settings. Enter the number of destination IP addresses (low,

medium, or high) and the number of source IP addresses you want associated with this histogram.

sensor(config-ano-ill-udp-dst-yes)# threshold-histogram low num-source-ips 100

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

9-24

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 9 Configuring Anomaly Detection

Configuring the Illegal Zone

Step 8

Step 9

Set the scanner threshold.

sensor(config-ano-ill-udp-dst-yes)# scanner-threshold 100

Configure the default thresholds for all other unspecified ports.

sensor(config-ano-ill-udp-dst-yes)# exit

sensor(config-ano-ill-udp-dst)# exit

sensor(config-ano-ill-udp)# exit

sensor(config-ano-ill-udp)# default-thresholds

sensor(config-ano-ill-udp-def)# default-thresholds

sensor(config-ano-ill-udp-def)# threshold-histogram medium num-source-ips 120

sensor(config-ano-ill-udp-def)# scanner-threshold 120

Step 10 Verify the UDP configuration settings.

sensor(config-ano-ill-udp)# show settings

udp

-----------------------------------------------

dst-port (min: 0, max: 65535, current: 4)

-----------------------------------------------

number: 20

-----------------------------------------------

override-scanner-settings

-----------------------------------------------

yes

-----------------------------------------------

scanner-threshold: 100 default: 200

threshold-histogram (min: 0, max: 3, current: 1)

-----------------------------------------------

dest-ip-bin: low

num-source-ips: 100

-----------------------------------------------

enabled: true default: true

-----------------------------------------------

number: 23

-----------------------------------------------

override-scanner-settings

-----------------------------------------------

enabled: true <defaulted>

-----------------------------------------------

number: 113

-----------------------------------------------

override-scanner-settings

-----------------------------------------------

enabled: true <defaulted>

-----------------------------------------------

number: 567

-----------------------------------------------

override-scanner-settings

-----------------------------------------------

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

9-25

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 9 Configuring Anomaly Detection

Configuring the Illegal Zone

enabled: true <defaulted>

-----------------------------------------------

default-thresholds

-----------------------------------------------

scanner-threshold: 120 default: 200

threshold-histogram (min: 0, max: 3, current: 3)

-----------------------------------------------

dest-ip-bin: low <defaulted>

num-source-ips: 10 <defaulted>

dest-ip-bin: medium

num-source-ips: 120 default: 1

dest-ip-bin: high <defaulted>

num-source-ips: 1 <defaulted>

-----------------------------------------------

enabled: true <defaulted>

-----------------------------------------------

sensor(config-ano-ill-udp)#

Configuring Other Protocols for the Illegal Zone

Use the other {enabled | protocol number | default-thresholds} command in service anomaly detection

illegal zone submode to enable and configure the other services.

The following options apply:

•

enabled {false | true}—Enables/disables other protocols.

default-thresholds—Defines thresholds to be used for all ports not specified in the destination port

map:

–

threshold-histogram {low | medium | high} num-source-ips number—Sets values in the

threshold histogram.

–

scanner-threshold—Sets the scanner threshold. The default is 200.

•

protocol-number number—Defines thresholds for specific protocols. The valid values are 0 to 255.

enabled {true | false}—Enables/disables the service.

override-scanner-settings {yes | no}—Lets you override the scanner values:

–

threshold-histogram {low | medium | high} num-source-ips number—Sets values in the

threshold histogram.

–

scanner-threshold—Sets the scanner threshold. The default is 200.

Configuring the Illegal Zone Other Protocols

To configure other protocols for a zone, follow these steps:

Step 1

Step 2

Enter anomaly detection illegal zone submode.

sensor# configure terminal

sensor(config)# service anomaly-detection ad0

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

9-26

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 9 Configuring Anomaly Detection

Configuring the Illegal Zone

sensor(config-ano)# illegal-zone

sensor(config-ano-ill)#

Step 3

Step 4

Enable the other protocols.

sensor(config-ano-ill)# other

sensor(config-ano-ill-oth)# enabled true

Associate a specific number for the other protocols.

sensor(config-ano-ill-oth)# protocol-number 5

sensor(config-ano-ill-oth-pro)#

Step 5

Step 6

Enable the service for that port.

sensor(config-ano-ill-oth-pro)# enabled true

Override the scanner values for that protocol. You can use the default scanner values, or you can override

them and configure your own scanner values.

sensor(config-ano-ill-oth-pro)# override-scanner-settings yes

sensor(config-ano-ill-oth-pro-yes)#

Step 7

Add a histogram for the new scanner settings. Enter the number of destination IP addresses (low,

medium, or high) and the number of source IP addresses you want associated with this histogram.

sensor(config-ano-ill-oth-pro-yes)# threshold-histogram high num-source-ips 75

Step 8

Step 9

Set the scanner threshold.

sensor(config-ano-ill-oth-pro-yes)# scanner-threshold 100

Configure the default thresholds for all other unspecified ports.

sensor(config-ano-ill-oth-pro-yes)# exit

sensor(config-ano-ill-oth-pro)# exit

sensor(config-ano-ill-oth)# default-thresholds

sensor(config-ano-ill-oth-def)# default-thresholds

sensor(config-ano-ill-oth-def)# threshold-histogram medium num-source-ips 120

sensor(config-ano-ill-oth-def)# scanner-threshold 120

Step 10 Verify the other protocols configuration settings.

sensor(config-ano-ill-oth)# show settings

other

-----------------------------------------------

protocol-number (min: 0, max: 255, current: 1)

-----------------------------------------------

number: 5

-----------------------------------------------

override-scanner-settings

-----------------------------------------------

yes

-----------------------------------------------

scanner-threshold: 95 default: 200

threshold-histogram (min: 0, max: 3, current: 1)

-----------------------------------------------

dest-ip-bin: high

num-source-ips: 75

-----------------------------------------------

enabled: true default: true

-----------------------------------------------

default-thresholds

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

9-27

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 9 Configuring Anomaly Detection

Configuring the External Zone

-----------------------------------------------

scanner-threshold: 200 <defaulted>

threshold-histogram (min: 0, max: 3, current: 3)

-----------------------------------------------

dest-ip-bin: low <defaulted>

num-source-ips: 10 <defaulted>

dest-ip-bin: medium <defaulted>

num-source-ips: 1 <defaulted>

dest-ip-bin: high <defaulted>

num-source-ips: 1 <defaulted>

-----------------------------------------------

enabled: true default: true

-----------------------------------------------

sensor(config-ano-ill-oth)#

Configuring the External Zone

This section describes how to configure the external zone, and contains the following topics:

•

Understanding the External Zone, page 9-28

Configuring the External Zone, page 9-28

Configuring TCP Protocol for the External Zone, page 9-29

Configuring UDP Protocol for the External Zone, page 9-32

Configuring Other Protocols for the External Zone, page 9-34

Understanding the External Zone

The external zone is the default zone with the default Internet range of 0.0.0.0-255.255.255.255. By

default, the internal and illegal zones contain no IP addresses. Packets that do not match the set of IP

addresses in the internal or illegal zone are handled by the external zone.

You can enable or disable TCP, UDP, and other protocols for the external zone. You can configure a

destination port for the TCP and UDP protocols and a protocol number for the other protocols. You can

either use the default thresholds or override the scanner settings and add your own thresholds and

histograms.

Configuring the External Zone

Use the external-zone {enabled | tcp | udp |other} command in service anomaly detection submode to

enable the external zone and specify protocols.

The following options apply:

•

enabled {false | true}—Enables/disables the zone.

tcp—Lets you configure TCP protocol.

udp—Lets you configure UDP protocol.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

9-28

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 9 Configuring Anomaly Detection

Configuring the External Zone

•

other—Lets you configure other protocols besides TCP and UDP.

Configuring the External Zone

To configure the external zone, follow these steps:

Step 1

Step 2

Enter anomaly detection external zone submode.

sensor# configure terminal

sensor(config)# service anomaly-detection ad0

sensor(config-ano)# external-zone

sensor(config-ano-ext)#

Step 3

Enable the external zone.

sensor(config-ano-ext)# enabled true

Step 4

Step 5

Step 6

Configure TCP protocol.

Configure UDP protocol.

Configure the other protocols.

For More Information

•

For the procedure for configuring TCP protocol, see Configuring TCP Protocol for the External

Zone, page 9-29.

For the procedure for configuring UDP protocol, see Configuring UDP Protocol for the External

Zone, page 9-32.

For the procedure for configuring other protocols, see Configuring Other Protocols for the External

Zone, page 9-34.

Configuring TCP Protocol for the External Zone

Use the tcp {enabled | dst-port number | default-thresholds} command in service anomaly detection

external zone submode to enable and configure the TCP service.

The following options apply:

•

enabled {false | true}—Enables/disables TCP protocol.

default-thresholds—Defines thresholds to be used for all ports not specified in the destination port

map:

–

threshold-histogram {low | medium | high} num-source-ips number—Sets values in the

threshold histogram.

–

scanner-threshold—Sets the scanner threshold. The default is 200.

•

dst-port number—Defines thresholds for specific destination ports. The valid values are 0 to 65535.

enabled {true | false}—Enables/disables the service.

override-scanner-settings {yes | no}—Lets you override the scanner values:

–

threshold-histogram {low | medium | high} num-source-ips number—Sets values in the

threshold histogram.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

9-29

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 9 Configuring Anomaly Detection

Configuring the External Zone

–

scanner-threshold—Sets the scanner threshold. The default is 200.

Configuring the External Zone TCP Protocol

To configure TCP protocol for the external zone, follow these steps:

Step 1

Step 2

Enter anomaly detection external zone submode.

sensor# configure terminal

sensor(config)# service anomaly-detection ad0

sensor(config-ano)# external-zone

sensor(config-ano-ext)#

Step 3

Step 4

Enable TCP protocol.

sensor(config-ano-ext)# tcp

sensor(config-ano-ext-tcp)# enabled true

Associate a specific port with TCP protocol.

sensor(config-ano-ext-tcp)# dst-port 20

sensor(config-ano-ext-tcp-dst)#

Step 5

Step 6

Enable the service for that port.

sensor(config-ano-ext-tcp-dst)# enabled true

Override the scanner values for that port. You can use the default scanner values, or you can override

them and configure your own scanner values.

sensor(config-ano-ext-tcp-dst)# override-scanner-settings yes

sensor(config-ano-ext-tcp-dst-yes)#

Step 7

Add a histogram for the new scanner settings. Enter the number of destination IP addresses (low,

medium, or high) and the number of source IP addresses you want associated with this histogram.

sensor(config-ano-ext-tcp-dst-yes)# threshold-histogram low num-source-ips 100

Step 8

Step 9

Set the scanner threshold.

sensor(config-ano-ext-tcp-dst-yes)# scanner-threshold 100

Configure the default thresholds for all other unspecified ports.

sensor(config-ano-ext-tcp-dst-yes)# exit

sensor(config-ano-ext-tcp-dst)# exit

sensor(config-ano-ext-tcp)# exit

sensor(config-ano-ext-tcp)# default-thresholds

sensor(config-ano-ext-tcp-def)# default-thresholds

sensor(config-ano-ext-tcp-def)# threshold-histogram medium num-source-ips 120

sensor(config-ano-ext-tcp-def)# scanner-threshold 120

Step 10 Verify the TCP configuration settings.

sensor(config-ano-ext-tcp)# show settings

tcp

-----------------------------------------------

dst-port (min: 0, max: 65535, current: 4)

-----------------------------------------------

number: 20

-----------------------------------------------

override-scanner-settings

-----------------------------------------------

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

9-30

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 9 Configuring Anomaly Detection

Configuring the External Zone

yes

-----------------------------------------------

scanner-threshold: 100 default: 200

threshold-histogram (min: 0, max: 3, current: 1)

-----------------------------------------------

dest-ip-bin: low

num-source-ips: 100

-----------------------------------------------

enabled: true default: true

-----------------------------------------------

number: 23

-----------------------------------------------

override-scanner-settings

-----------------------------------------------

enabled: true <defaulted>

-----------------------------------------------

number: 113

-----------------------------------------------

override-scanner-settings

-----------------------------------------------

enabled: true <defaulted>

-----------------------------------------------

number: 567

-----------------------------------------------

override-scanner-settings

-----------------------------------------------

enabled: true <defaulted>

-----------------------------------------------

default-thresholds

-----------------------------------------------

scanner-threshold: 120 default: 200

threshold-histogram (min: 0, max: 3, current: 3)

-----------------------------------------------

dest-ip-bin: low <defaulted>

num-source-ips: 10 <defaulted>

dest-ip-bin: medium

num-source-ips: 120 default: 1

dest-ip-bin: high <defaulted>

num-source-ips: 1 <defaulted>

-----------------------------------------------

enabled: true <defaulted>

-----------------------------------------------

sensor(config-ano-ext-tcp)#

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

9-31

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 9 Configuring Anomaly Detection

Configuring the External Zone

Configuring UDP Protocol for the External Zone

Use the udp {enabled | dst-port number | default-thresholds} command in service anomaly detection

external zone submode to enable and configure the UDP service.

The following options apply:

•

enabled {false | true}—Enables/disables UDP protocol.

default-thresholds—Defines thresholds to be used for all ports not specified in the destination port

map:

–

threshold-histogram {low | medium | high} num-source-ips number—Sets values in the

threshold histogram.

–

scanner-threshold—Sets the scanner threshold. The default is 200.

•

dst-port number—Defines thresholds for specific destination ports. The valid values are 0 to 65535.

enabled {true | false}—Enables/disables the service.

override-scanner-settings {yes | no}—Lets you override the scanner values:

–

threshold-histogram {low | medium | high} num-source-ips number—Sets values in the

threshold histogram.

–

scanner-threshold—Sets the scanner threshold. The default is 200.

Configuring the External Zone UDP Protocol

To configure UDP protocol for a zone, follow these steps:

Step 1

Step 2

Enter anomaly detection external zone submode.

sensor# configure terminal

sensor(config)# service anomaly-detection ad0

sensor(config-ano)# external-zone

sensor(config-ano-ext)#

Step 3

Step 4

Enable UDP protocol.

sensor(config-ano-ext)# udp

sensor(config-ano-ext-udp)# enabled true

Associate a specific port with UDP protocol.

sensor(config-ano-ext-udp)# dst-port 20

sensor(config-ano-ext-udp-dst)#

Step 5

Step 6

Enable the service for that port.

sensor(config-ano-ext-udp-dst)# enabled true

Override the scanner values for that port. You can use the default scanner values, or you can override

them and configure your own scanner values.

sensor(config-ano-ext-udp-dst)# override-scanner-settings yes

sensor(config-ano-ext-udp-dst-yes)#

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

9-32

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 9 Configuring Anomaly Detection

Configuring the External Zone

Step 7

Add a histogram for the new scanner settings. Enter the number of destination IP addresses (low,

medium, or high) and the number of source IP addresses you want associated with this histogram.

sensor(config-ano-ext-udp-dst-yes)# threshold-histogram low num-source-ips 100

Step 8

Step 9

Set the scanner threshold.

sensor(config-ano-ext-udp-dst-yes)# scanner-threshold 100

Configure the default thresholds for all other unspecified ports.

sensor(config-ano-ext-udp-dst-yes)# exit

sensor(config-ano-ext-udp-dst)# exit

sensor(config-ano-ext-udp)# default-thresholds

sensor(config-ano-ext-udp-def)# default-thresholds

sensor(config-ano-ext-udp-def)# threshold-histogram medium num-source-ips 120

sensor(config-ano-ext-udp-def)# scanner-threshold 120

Step 10 Verify the UDP configuration settings.

sensor(config-ano-ext-udp)# show settings

udp

-----------------------------------------------

dst-port (min: 0, max: 65535, current: 4)

-----------------------------------------------

number: 20

-----------------------------------------------

override-scanner-settings

-----------------------------------------------

yes

-----------------------------------------------

scanner-threshold: 100 default: 200

threshold-histogram (min: 0, max: 3, current: 1)

-----------------------------------------------

dest-ip-bin: low

num-source-ips: 100

-----------------------------------------------

enabled: true default: true

-----------------------------------------------

number: 23

-----------------------------------------------

override-scanner-settings

-----------------------------------------------

enabled: true <defaulted>

-----------------------------------------------

number: 113

-----------------------------------------------

override-scanner-settings

-----------------------------------------------

enabled: true <defaulted>

-----------------------------------------------

number: 567

-----------------------------------------------

override-scanner-settings

-----------------------------------------------

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

9-33

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 9 Configuring Anomaly Detection

Configuring the External Zone

-----------------------------------------------

enabled: true <defaulted>

-----------------------------------------------

default-thresholds

-----------------------------------------------

scanner-threshold: 120 default: 200

threshold-histogram (min: 0, max: 3, current: 3)

-----------------------------------------------

dest-ip-bin: low <defaulted>

num-source-ips: 10 <defaulted>

dest-ip-bin: medium

num-source-ips: 120 default: 1

dest-ip-bin: high <defaulted>

num-source-ips: 1 <defaulted>

-----------------------------------------------

enabled: true <defaulted>

-----------------------------------------------

sensor(config-ano-ext-udp)#

Configuring Other Protocols for the External Zone

Use the other {enabled | protocol number | default-thresholds} command in service anomaly detection

external zone submode to enable and configure the other services.

The following options apply:

•

enabled {false | true}—Enables/disables other protocols.

default-thresholds—Defines thresholds to be used for all ports not specified in the destination port

map:

–

threshold-histogram {low | medium | high} num-source-ips number—Sets values in the

threshold histogram.

–

scanner-threshold—Sets the scanner threshold. The default is 200.

•

protocol-number number—Defines thresholds for specific protocols. The valid values are 0 to 255.

enabled {true | false}—Enables/disables the service.

override-scanner-settings {yes | no}—Lets you override the scanner values:

–

threshold-histogram {low | medium | high} num-source-ips number—Sets values in the

threshold histogram.

–

scanner-threshold—Sets the scanner threshold. The default is 200.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

9-34

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 9 Configuring Anomaly Detection

Configuring the External Zone

Configuring the External Zone Other Protocols

To configure other protocols for a zone, follow these steps:

Step 1

Step 2

Enter anomaly detection external zone submode.

sensor# configure terminal

sensor(config)# service anomaly-detection ad0

sensor(config-ano)# external-zone

sensor(config-ano-ext)#

Step 3

Step 4

Enable the other protocols.

sensor(config-ano-ext)# other

sensor(config-ano-ext-oth)# enabled true

Associate a specific number for the other protocols.

sensor(config-ano-ext-oth)# protocol-number 5

sensor(config-ano-ext-oth-pro)#

Step 5

Step 6

Enable the service for that port.

sensor(config-ano-ext-oth-pro)# enabled true

Override the scanner values for that protocol. You can use the default scanner values, or you can override

them and configure your own scanner values.

sensor(config-ano-ext-oth-pro)# override-scanner-settings yes

sensor(config-ano-ext-oth-pro-yes)#

Step 7

Add a histogram for the new scanner settings. Enter the number of destination IP addresses (low,

medium, or high) and the number of source IP addresses you want associated with this histogram.

sensor(config-ano-ext-oth-pro-yes)# threshold-histogram high num-source-ips 75

Step 8

Step 9

Set the scanner threshold.

sensor(config-ano-ext-oth-pro-yes)# scanner-threshold 100

Configure the default thresholds for all other unspecified ports.

sensor(config-ano-ext-oth-pro-yes)# exit

sensor(config-ano-ext-oth-pro)# exit

sensor(config-ano-ext-oth)# default-thresholds

sensor(config-ano-ext-oth-def)# default-thresholds

sensor(config-ano-ext-oth-def)# threshold-histogram medium num-source-ips 120

sensor(config-ano-ext-oth-def)# scanner-threshold 120

Step 10 Verify the other protocols configuration settings.

sensor(config-ano-ext-oth)# show settings

other

-----------------------------------------------

protocol-number (min: 0, max: 255, current: 1)

-----------------------------------------------

number: 5

-----------------------------------------------

override-scanner-settings

-----------------------------------------------

yes

-----------------------------------------------

scanner-threshold: 95 default: 200

threshold-histogram (min: 0, max: 3, current: 1)

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

9-35

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 9 Configuring Anomaly Detection

Configuring Learning Accept Mode

-----------------------------------------------

dest-ip-bin: high

num-source-ips: 75

-----------------------------------------------

enabled: true default: true

-----------------------------------------------

default-thresholds

-----------------------------------------------

scanner-threshold: 200 <defaulted>

threshold-histogram (min: 0, max: 3, current: 3)

-----------------------------------------------

dest-ip-bin: low <defaulted>

num-source-ips: 10 <defaulted>

dest-ip-bin: medium <defaulted>

num-source-ips: 1 <defaulted>

dest-ip-bin: high <defaulted>

num-source-ips: 1 <defaulted>

-----------------------------------------------

enabled: true default: true

-----------------------------------------------

sensor(config-ano-ext-oth)#

Configuring Learning Accept Mode

This section describes KBs and histograms and how to configure learning accept mode. It contains the

following topics:

•

The KB and Histograms, page 9-36

Configuring Learning Accept Mode, page 9-38

The KB and Histograms

The KB has a tree structure, and contains the following information:

KB name

Zone name

•

Protocol

Service

The KB holds a scanner threshold and a histogram for each service. If you have learning accept mode

set to auto and the action set to rotate, a new KB is created every 24 hours and used in the next 24 hours.

If you have learning accept mode set to auto and the action is set to save only, a new KB is created, but

the current KB is used. If you do not have learning accept mode set to auto, no KB is created.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

9-36

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 9 Configuring Anomaly Detection

Configuring Learning Accept Mode

Note

Learning accept mode uses the sensor local time.

The scanner threshold defines the maximum number of zone IP addresses that a single source IP address

can scan. The histogram threshold defines the maximum number of source IP addresses that can scan

more than the specified numbers of zone IP addresses.

Anomaly detection identifies a worm attack when there is a deviation from the histogram that it has

learned when no attack was in progress (that is, when the number of source IP addresses that

concurrently scan more than the defined zone destination IP address is exceeded). For example, if the

scanning threshold is 300 and the histogram for port 445, if anomaly detection identifies a scanner that

scans 350 zone destination IP addresses, it produces an action indicating that a mass scanner was

detected. However, this scanner does not yet verify that a worm attack is in progress. Table 9-2 describes

this example.

Table 9-2

Example Histogram

Number of source IP addresses

Number of destination IP addresses

100

When anomaly detection identifies six concurrent source IP addresses that scan more than 20 zone

destination IP addresses on port 445, it produces an action with an unspecified source IP address that

indicates anomaly detection has identified a worm attack on port 445. The dynamic filter threshold, 20,

specifies the new internal scanning threshold and causes anomaly detection to lower the threshold

definition of a scanner so that anomaly detection produces additional dynamic filters for each source IP

address that scans more than the new scanning threshold (20).

You can override what the KB learned per anomaly detection policy and per zone. If you understand your

network traffic, you may want to use overrides to limit false positives.

Triggering the High Category Histogram Before the Single-Scanner Threshold

Based on the default histogram (nonlearned knowledge base [KB]) values, histogram-based detection

can occur before single-scanner detection.

Single scanner detection is based on the scanner threshold settings. The scanner threshold setting is a

single number for that port or protocol and zone. Any single IP address scanning more than that number

of hosts of that port or protocol in that zone is alerted as a scanner.

There is a histogram for that port or protocol and zone that tracks how many systems normally scan a

smaller number of hosts (10 hosts, 20 hosts, or 100 hosts). When more than that normal number of

scanners are seen, then a worm is declared and all IPs scanning more than the associated number of hosts

are alerted on as being a worm scanner.

Note

An IP source address can be alerted on as being a worm scanner without ever reaching the scanner

threshold. The scanner threshold is used to detect single systems scanning a large number of hosts and

is tracked separately from the algorithms for detecting worms.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

9-37

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 9 Configuring Anomaly Detection

Configuring Learning Accept Mode

Use the learning-accept-mode command in service anomaly detection submode to configure whether

you want the sensor to create a new KB every so many hours. You can configure whether the KB is

created and loaded (rotate) or saved (save only). You can schedule how often and when the KB is loaded

or saved.

The new updated KB file name is the current date and time, YYYY-Mon-dd-hh_mm_ss, where Mon is the

three-letter abbreviation of the month.

Note

Anomaly detection learning accept mode uses the sensor local time.

The following options apply:

•

learning-accept-mode—Specifies if and when the KB is saved and loaded:

–

auto— Configures the sensor to automatically accept the KB.

manual—Does not save the KB.

Note

You can save and load the KB using the anomaly-detection {load | save} commands.

action—Specifies whether to rotate or save the KB:

–

save-only—Saves the new KB. You can examine it and decide whether to load it into anomaly

detection.

Note

You can load the KB using the anomaly-detection load command.

rotate—Saves the new KB and loads it as the current KB according to the schedule you define.

•

schedule— Configures a schedule to accept the KB:

–

calendar-schedule {days-of-week} {times-of-day}—Starts learning accept mode at specific

times on specific days.

–

periodic-schedule {interval} {start-time}—Starts learning accept mode at specific periodic

intervals.

Configuring Learning Accept Mode

The first saving begins after a full interval between configuration time and start time. For example, if the

time is now 16:00 and you configure start time at 16:30 with an interval of one hour, the first KB is saved

at 17:30, because there was no one-hour interval between 16:00 and 16:30.

To configure learning accept mode, follow these steps:

Step 1

Step 2

Enter anomaly detection submode.

sensor# configure terminal

sensor(config)# service anomaly-detection ad1

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

9-38

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 9 Configuring Anomaly Detection

Configuring Learning Accept Mode

Step 3

Specify how the KB is saved and loaded:

a. Specify that the KB is automatically saved and loaded. Go to Step 4.

sensor(config-ano)# learning-accept-mode auto

sensor(config-ano-aut)#

b. Specify that the KB is going to be manually saved and loaded. Go to Step 6.

sensor(config-ano)# learning-accept-mode manual

sensor(config-ano-man)#

Step 4

Specify how you want the KB automatically accepted:

a. Save the KB so that you can inspect it and decide whether to load it. Go to Step 6.

sensor(config-ano-aut)# action save-only

b. Have the KB saved and loaded as the current KB according to the schedule you define. Continue

with Step 5.

sensor(config-ano-aut)# action rotate

Step 5

Schedule the automatic KB saves and loads:

•

Calendar schedule—With this schedule the KB is saved and loaded every Monday at midnight.

sensor(config-ano-aut)# schedule calendar-schedule

sensor(config-ano-aut-cal)# days-of-week monday

sensor(config-ano-aut-cal)# times-of-day time 24:00:00

•

Periodic schedule—With this schedule the KB is saved and loaded every 24 hours at midnight.

sensor(config-ano-aut)# schedule periodic-schedule

sensor(config-ano-aut-per)# start-time 24:00:00

sensor(config-ano-aut-per)# interval 24

Step 6

Verify the settings.

sensor(config-ano-aut-per)# exit

sensor(config-ano-aut)# show settings

auto

-----------------------------------------------

action: rotate default: rotate

schedule

-----------------------------------------------

periodic-schedule

-----------------------------------------------

start-time: 12:00:00 default: 10:00:00

interval: 24 hours default: 24

-----------------------------------------------

Step 7

Step 8

Exit anomaly detection submode.

sensor(config-ano-aut)# exit

sensor(config-ano)# exit

Apply Changes:?[yes]:

Press Enter to apply your changes or enter no to discard them.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

9-39

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 9 Configuring Anomaly Detection

Working With KB Files

For More Information

For the procedures for saving and loading anomaly detection KBs manually, see Saving and Loading

KBs Manually, page 9-41.

Working With KB Files

This section describes how to display, load, save, copy, rename and delete KB files. It also provides the

procedures for comparing two KB files and for displaying the thresholds of a KB file. It contains the

following topics:

•

Displaying KB Files, page 9-40

Saving and Loading KBs Manually, page 9-41

Copying, Renaming, and Erasing KBs, page 9-42

Displaying the Differences Between Two KBs, page 9-44

Displaying the Thresholds for a KB, page 9-45

Displaying KB Files

Use the show ad-knowledge-base [virtual-sensor] files command in privileged EXEC mode to display

the available KB files for a virtual sensor.

Note

The * before the file name indicates that this KB file is the currently loaded KB file.

To display KB files, follow these steps:

Step 1

Step 2

Display the KB files for all virtual sensors.

sensor# show ad-knowledge-base files

Virtual Sensor vs0

Filename

initial

2003-Jan-28-10_00_01

Size

Created

04:27:07 CDT Wed Jan 29 2003

Virtual Sensor vs1

Filename

Size

Created

initial

14:35:38 CDT Tue Mar 14 2006

10:00:00 CDT Thu Mar 16 2006

10:00:00 CDT Fri Mar 17 2006

10:00:00 CDT Sat Mar 18 2006

10:00:00 CDT Sun Mar 19 2006

10:00:00 CDT Mon Mar 20 2006

10:00:00 CDT Tue Mar 21 2006

10:00:00 CDT Wed Mar 22 2006

10:00:00 CDT Thu Mar 23 2006

10:00:00 CDT Fri Mar 24 2006

10:00:00 CDT Sat Mar 25 2006

10:00:00 CDT Sun Mar 26 2006

10:00:00 CDT Mon Mar 27 2006

10:00:00 CDT Thu Jan 02 2003

10:00:00 CDT Fri Jan 03 2003

10:00:00 CDT Sat Jan 04 2003

2006-Mar-16-10_00_00

2006-Mar-17-10_00_00

2006-Mar-18-10_00_00

2006-Mar-19-10_00_00

2006-Mar-20-10_00_00

2006-Mar-21-10_00_00

2006-Mar-22-10_00_00

2006-Mar-23-10_00_00

2006-Mar-24-10_00_00

2006-Mar-25-10_00_00

2006-Mar-26-10_00_00

2006-Mar-27-10_00_00

2003-Jan-02-10_00_00

2003-Jan-03-10_00_00

2003-Jan-04-10_00_00

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

9-40

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 9 Configuring Anomaly Detection

Working With KB Files

2003-Jan-05-10_00_00

2003-Jan-06-10_00_00

sensor#

10:00:00 CDT Sun Jan 05 2003

10:00:00 CDT Mon Jan 06 2003

Step 3

Display the KB files for a specific virtual sensor.

sensor# show ad-knowledge-base vs0 files

Virtual Sensor vs0

Filename

initial

Size

Created

10:24:58 CDT Tue Mar 14 2006

10:00:00 CDT Thu Mar 16 2006

10:00:00 CDT Fri Mar 17 2006

10:00:00 CDT Sat Mar 18 2006

10:00:00 CDT Sun Mar 19 2006

10:00:00 CDT Mon Mar 20 2006

2006-Mar-16-10_00_00

2006-Mar-17-10_00_00

2006-Mar-18-10_00_00

2006-Mar-19-10_00_00

2006-Mar-20-10_00_00

Saving and Loading KBs Manually

Use these commands in privileged EXEC mode to manually save and load KBs.

The following options apply:

•

show ad-knowledge-base virtual-sensor files—Displays the available KB files per virtual sensor.

anomaly-detection virtual-sensor load {initial | file name}—Sets the KB file as the current KB for

the specified virtual sensor. If AD is active, the file is loaded as the current KB.

•

anomaly-detection virtual-sensor save [new-name]—Retrieves the current KB file and saves it

locally.

Manually Saving and Loading KBs

To manually save and load a KB, follow these steps:

Step 1

Step 2

Locate the KB you want to load.

sensor# show ad-knowledge-base vs0 files

Virtual Sensor vs0

Filename

initial

Size

Created

10:24:58 CDT Tue Mar 14 2006

10:00:00 CDT Thu Mar 16 2006

10:00:00 CDT Fri Mar 17 2006

10:00:00 CDT Sat Mar 18 2006

10:00:00 CDT Sun Mar 19 2006

10:00:00 CDT Mon Mar 20 2006

2006-Mar-16-10_00_00

2006-Mar-17-10_00_00

2006-Mar-18-10_00_00

2006-Mar-19-10_00_00

2006-Mar-20-10_00_00

Step 3

Step 4

Load the KB file as the current KB file for a specific virtual sensor.

sensor# anomaly-detection vs0 load file 2006-Mar-16-10_00_00

sensor#

Save the current KB file and store it as a new name.

sensor# anomaly-detection vs0 save my-KB

sensor#

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

9-41

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 9 Configuring Anomaly Detection

Working With KB Files

Note

An error is generated if anomaly detection is not active when you enter this command. You

cannot overwrite the initial file.

Copying, Renaming, and Erasing KBs

Use these commands in privileged EXEC mode to manually copy, rename, and erase KB files.

The following options apply:

•

copy ad-knowledge-base virtual-sensor {current | initial | file name} destination-url—Copies the

KB file (current, initial, or the file name you enter) to a specified destination URL.

Note

Copying a file to a name that already exists overwrites it.

•

copy ad-knowledge-base virtual-sensor source-url new-name—Copies a KB with a new file name

to the source URL you specify.

Note

You cannot use the current keyword as a new-name. A new current KB file is created with

the load command.

•

rename ad-knowledge-base virtual-sensor {current | file name} new-name—Renames an existing

KB file.

erase ad-knowledge-base [virtual-sensor [name]]—Removes all KB files from a virtual sensor, or

just one KB file if you use the name option.

You cannot erase the initial KB file or the KB file loaded as the current KB.The exact format of the

source and destination URLs varies according to the file. Here are the valid types:

•

ftp:—Source or destination URL for an FTP network server. The syntax for this prefix is:

ftp:[//[username@] location]/relativeDirectory]/filename

ftp:[//[username@]location]//absoluteDirectory]/filename

•

scp:—Source or destination URL for the SCP network server. The syntax for this prefix is:

scp:[//[username@] location]/relativeDirectory]/filename

scp:[//[username@] location]//absoluteDirectory]/filename

Note

If you use FTP or SCP protocol, you are prompted for a password. If you use SCP protocol,

you must add the remote host to the SSH known hosts list.

•

http:—Source URL for the web server. The syntax for this prefix is:

http:[[/[username@]location]/directory]/filename

https:—Source URL for the web server. The syntax for this prefix is:

https:[[/[username@]location]/directory]/filename

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

9-42

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 9 Configuring Anomaly Detection

Working With KB Files

Note

If you use HTTPS protocol, the remote host must be a TLS trusted host.

Copying, Renaming, and Removing KB Files

To copy, rename, and remove KB files, follow these steps:

Step 1

Step 2

Locate the KB file you want to copy.

sensor# show ad-knowledge-base vs0 files

Virtual Sensor vs0

Filename

initial

Size

Created

10:24:58 CDT Tue Mar 14 2006

10:00:00 CDT Thu Mar 16 2006

10:00:00 CDT Fri Mar 17 2006

10:00:00 CDT Sat Mar 18 2006

10:00:00 CDT Sun Mar 19 2006

10:00:00 CDT Mon Mar 20 2006

2006-Mar-16-10_00_00

2006-Mar-17-10_00_00

2006-Mar-18-10_00_00

2006-Mar-19-10_00_00

2006-Mar-20-10_00_00

Step 3

Copy the KB file to a user on a computer with the IP address 10.1.1.1.

sensor# copy ad-knowledge-base vs0 file 2006-Mar-16-10_00_00

scp://[email protected]/AD/my-KB

password: ********

sensor#

Step 4

Step 5

Step 6

Rename a KB file.

sensor# rename ad-knowledge-base vs0 2006-Mar-16-10_00_00 My-KB

sensor#

Remove a KB file from a specific virtual sensor.

sensor# erase ad-knowledge-base vs0 2006-Mar-16-10_00_00

sensor#

Remove all KB files except the file loaded as current and the initial KB file from a virtual sensor.

sensor# erase ad-knowledge-base vs0

Warning: Executing this command will delete all virtual sensor 'vs0' knowledge bases

except the file loaded as current and the initial knowledge base.

Continue with erase? [yes]: yes

sensor#

Step 7

Remove all KB files except the file loaded as current and the initial KB file from all virtual sensors.

sensor# erase ad-knowledge-base

Warning: Executing this command will delete all virtual sensor knowledge bases except the

file loaded as current and the initial knowledge base.

Continue with erase? [yes]: yes

sensor#

For More Information

•

For the procedure for creating a new KB using the load command, see Saving and Loading KBs

Manually, page 9-41.

•

For the procedure for adding hosts to the SSH known hosts list, see Adding Hosts to the SSH Known

Hosts List, page 3-46.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

9-43

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 9 Configuring Anomaly Detection

Working With KB Files

•

For the procedure for adding TLS trusted hosts, see Adding TLS Trusted Hosts, page 3-52.

Displaying the Differences Between Two KBs

Use the show ad-knowledge-base virtual-sensor diff {current | initial | file name1}{current | initial |

file name2} [diff-percentage] command in privileged EXEC mode to display the differences between

two KBs.

The following options apply:

•

virtual-sensor—Specifies the name of the virtual sensor that contains the KB files you want to

compare.

•

name1—Specifies the name of the first existing KB file to compare.

name2—Specifies the name of the second existing KB file to compare.

current—Specifies the currently loaded KB.

initial—Specifies the initial KB.

file—Specifies the name of an existing KB file.

diff-percentage—(Optional) Displays the services where the thresholds differ more than the

specified percentage. The valid values are 1 to 100. The default is 10%.

Comparing Two KBs

To compare two KBs, follow these steps:

Step 1

Step 2

Locate the file you want to compare.

sensor# show ad-knowledge-base vs0 files

Virtual Sensor vs0

Filename

initial

2006-Jun-28-10_00_01

Size

Created

04:27:07 CDT Wed Jan 29 2003

04:27:07 CDT Thu Jun 29 2006

sensor#

Step 3

Compare the currently loaded file (the file with the *) with the initial KB for virtual sensor vs0.

sensor# show ad-knowledge-base vs0 diff initial file 2006-Jun-28-10_00_01

Initial Only Services/Protocols

External Zone

TCP Services

Service = 30

Service = 20

UDP Services

None

Other Protocols

Protocol = 1

Illegal Zone

None

Internal Zone

None

2006-Jun-28-10_00_01 Only Services/Protocols

External Zone

None

Illegal Zone

None

Internal Zone

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

9-44

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 9 Configuring Anomaly Detection

Working With KB Files

None

Thresholds differ more than 10%

External Zone

None

Illegal Zone

TCP Services

Service = 31

Service = 22

UDP Services

None

Other Protocols

Protocol = 3

Internal Zone

None

sensor#

Displaying the Thresholds for a KB

Use the show ad-knowledge-base virtual-sensor thresholds {current | initial | file name} [zone

{external | illegal | internal]} {[protocol {tcp | udp}] [dst-port port] | [protocol other] [number

protocol-number]} command in privileged EXEC mode to display the thresholds in a KB.

The following options apply:

•

virtual-sensor—Specifies the name of the virtual sensor that contains the KB files you want to

compare.

•

name—Specifies the name of the existing KB file.

current—Specifies the currently loaded KB.

initial—Specifies the initial KB.

file—Specifies the name of an existing KB file.

zone—(Optional) Displays the thresholds for the specified zone. The default displays information

for all zones.

•

external—Displays the thresholds for the external zone.

illegal—Displays the thresholds for the illegal zone.

internal—Displays the thresholds for the internal zone.

protocol—(Optional) Displays the thresholds for the specified protocol. The default displays

information about all protocols.

•

tcp—Displays the thresholds for the TCP protocol.

udp—Displays the thresholds for the UDP protocol.

other—Displays the thresholds for the other protocols besides TCP or UDP.

dst-port—(Optional) Displays thresholds for the specified port. The default displays information

about all TCP and/or UDP ports.

•

port—Specifies the port number. The valid values are 0 to 65535.

number—(Optional) Displays thresholds for the specified other protocol number. The default

displays information for all other protocols.

•

protocol-number—Specifies the protocol number. The valid values are 0 to 255.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

9-45

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 9 Configuring Anomaly Detection

Working With KB Files

Displaying KB Thresholds

To display the KB thresholds, follow these steps:

Step 1

Step 2

Locate the file for which you want to display thresholds:

sensor# show ad-knowledge-base vs1 files

Virtual Sensor vs1

Filename

initial

Size

Created

10:24:58 CDT Tue Mar 14 2006

10:00:00 CDT Thu Mar 16 2006

10:00:00 CDT Fri Mar 17 2006

10:00:00 CDT Sat Mar 18 2006

10:00:00 CDT Sun Mar 19 2006

10:00:00 CDT Mon Mar 27 2006

05:00:00 CDT Mon Apr 24 2006

05:00:00 CDT Tue Apr 25 2006

2006-Mar-16-10_00_00

2006-Mar-17-10_00_00

2006-Mar-18-10_00_00

2006-Mar-19-10_00_00

2006-Mar-27-10_00_00

2006-Apr-24-05_00_00

2006-Apr-25-05_00_00

Step 3

Display thresholds contained in a specific file for the illegal zone.

sensor# show ad-knowledge-base vs0 thresholds file 2006-Nov-11-10_00_00 zone illegal

AD Thresholds

Creation Date = 2006-Nov-11-10_00_00

KB = 2006-Nov-11-10_00_00

Illegal Zone

TCP Services

Default

Scanner Threshold

User Configuration = 200

Threshold Histogram - User Configuration

Low = 10

Medium = 3

High = 1

UDP Services

Default

Scanner Threshold

User Configuration = 200

Threshold Histogram - User Configuration

Low = 10

Medium = 3

High = 1

Other Services

Default

Scanner Threshold

User Configuration = 200

Threshold Histogram - User Configuration

Low = 10

Medium = 3

High = 1

sensor#

Step 4

Display thresholds contained in the current KB illegal zone, protocol TCP, and destination port 20.

sensor# show ad-knowledge-base vs0 thresholds current zone illegal protocol tcp dst-port

AD Thresholds

Creation Date = 2006-Nov-14-10_00_00

KB = 2006-Nov-14-10_00_00

Illegal Zone

TCP Services

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

9-46

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 9 Configuring Anomaly Detection

Displaying Anomaly Detection Statistics

Default

Scanner Threshold

User Configuration = 200

Threshold Histogram - User Configuration

Low = 10

Medium = 3

High = 1

sensor#

Step 5

Display thresholds contained in the current KB illegal zone, and protocol other.

sensor# show ad-knowledge-base vs0 thresholds current zone illegal protocol other

AD Thresholds

Creation Date = 2006-Nov-14-10_00_00

KB = 2006-Nov-14-10_00_00

Illegal Zone

Other Services

Default

Scanner Threshold

User Configuration = 200

Threshold Histogram - User Configuration

Low = 10

Medium = 3

High = 1

sensor#

Displaying Anomaly Detection Statistics

Use the show statistics anomaly-detection [virtual-sensor-name] command in privileged EXEC mode

to display the statistics for anomaly detection. You can see if an attack is in progress (Attack in

progress or No attack). You can also see when the next KB will be saved (Next KB rotation at

10:00:00 UTC Wed Apr 26 2006).

Note

The clear command is not available for anomaly detection statistics.

To display anomaly detection statistics, follow these steps:

Step 1

Step 2

Display the anomaly detection statistics for a specific virtual sensor.

sensor# show statistics anomaly-detection vs0

Statistics for Virtual Sensor vs0

No attack

Detection - ON

Learning - ON

Next KB rotation at 10:00:00 UTC Wed Apr 26 2006

Internal Zone

TCP Protocol

UDP Protocol

Other Protocol

External Zone

TCP Protocol

UDP Protocol

Other Protocol

Illegal Zone

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

9-47

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 9 Configuring Anomaly Detection

Disabling Anomaly Detection

TCP Protocol

UDP Protocol

Other Protocol

sensor#

Step 3

Display the statistics for all virtual sensors.

sensor# show statistics anomaly-detection

Statistics for Virtual Sensor vs0

No attack

Detection - ON

Learning - ON

Next KB rotation at 10:00:01 UTC Wed Jun 29 2006

Internal Zone

TCP Protocol

UDP Protocol

Other Protocol

External Zone

TCP Protocol

UDP Protocol

Other Protocol

Illegal Zone

TCP Protocol

UDP Protocol

Other Protocol

Statistics for Virtual Sensor vs1

No attack

Detection - ON

Learning - ON

Next KB rotation at 10:00:00 UTC Wed Jul 29 2006

Internal Zone

TCP Protocol

UDP Protocol

Other Protocol

External Zone

TCP Protocol

UDP Protocol

Other Protocol

Illegal Zone

TCP Protocol

UDP Protocol

Other Protocol

sensor#

Disabling Anomaly Detection

If you have anomaly detection enabled and you have your sensor configured to see only one direction of

traffic, you should disable anomaly detection. Otherwise, you will receive many alerts, because anomaly

detection sees asymmetric traffic as having incomplete connections, that is, like worm scanners, and fires

alerts.

To disable anomaly detection, follow these steps:

Step 1

Step 2

Enter analysis engine submode.

sensor# configure terminal

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

9-48

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 9 Configuring Anomaly Detection

Disabling Anomaly Detection

sensor(config)# service analysis-engine

sensor(config-ana)#

Step 3

Step 4

Enter the virtual sensor name that contains the anomaly detection policy you want to disable.

sensor(config-ana)# virtual-sensor vs0

sensor(config-ana-vir)#

Disable anomaly detection operational mode.

sensor(config-ana-vir)# anomaly-detection

sensor(config-ana-vir-ano)# operational-mode inactive

sensor(config-ana-vir-ano)#

Step 5

Step 6

Exit analysis engine submode.

sensor(config-ana-vir-ano)# exit

sensor(config-ana-vir)# exit

sensor(config-ana-)# exit

Apply Changes:?[yes]:

Press Enter to apply your changes or enter no to discard them.

For More Information

For more information about how worms operate, see Understanding Worms, page 9-2.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

9-49

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 9 Configuring Anomaly Detection

Disabling Anomaly Detection

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

9-50

Download from Www.Somanuals.com. All Manuals Search And Download.

C H A P T E R

Configuring Global Correlation

This chapter provides information for configuring global correlation. It contains the following sections:

•

Global Correlation Notes and Caveats, page 10-1

Understanding Global Correlation, page 10-2

Participating in the SensorBase Network, page 10-2

Understanding Reputation, page 10-3

Understanding Network Participation, page 10-4

Understanding Efficacy, page 10-5

Understanding Reputation and Risk Rating, page 10-6

Global Correlation Features and Goals, page 10-6

Global Correlation Requirements, page 10-7

Understanding Global Correlation Sensor Health Metrics, page 10-8

Configuring Global Correlation Inspection and Reputation Filtering, page 10-8

Configuring Network Participation, page 10-11

Troubleshooting Global Correlation, page 10-13

Disabling Global Correlation, page 10-13

Displaying Global Correlation Statistics, page 10-14

Global Correlation Notes and Caveats

The following notes and caveats apply to configuring global correlation:

•

The global correlation features are supported in IPS 7.0 and later.

As with signature updates, when the sensor applies a global correlation update, it may trigger

bypass. Whether or not bypass is triggered depends on the traffic load of the sensor and the size of

the signature/global correlation update. If bypass mode is turned off, an inline sensor stops passing

traffic while the update is being applied.

•

Network participation requires a network connection to the Internet.

Valid license—You must have a valid sensor license for automatic signature updates and global

correlation features to function. You can still configure and display statistics for the global

correlation features, but the global correlation databases are cleared and no updates are attempted.

Once you install a valid license, the global correlation features are reactivated.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

10-1

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 10 Configuring Global Correlation

Understanding Global Correlation

•

Global correlation inspection and the reputation filtering deny features do not support IPv6

addresses. For global correlation inspection, the sensor does not receive or process reputation data

for IPv6 addresses. The risk rating for IPv6 addresses is not modified for global correlation

inspection. Similarly, network participation does not include event data for attacks from IPv6

addresses. And finally, IPv6 addresses do not appear in the deny list.

•

The sensor must operate in inline mode so that the global correlation features can increase efficacy

by being able to use the inline deny actions.

For global correlation to function, you must have either a DNS server or an HTTP proxy server

configured at all times.

Understanding Global Correlation

You can configure global correlation so that your sensors are aware of network devices with a reputation

for malicious activity, and can take action against them. Participating IPS devices in a centralized Cisco

threat database, the SensorBase Network, receive and absorb global correlation updates. The reputation

information contained in the global correlation updates is factored in to the analysis of network traffic,

which increases IPS efficacy, since traffic is denied or allowed based on the reputation of the source IP

address. The participating IPS devices send data back to the Cisco SensorBase Network, which results

in a feedback loop that keeps the updates current and global.

You can configure the sensor to participate in the global correlation updates and/or in sending telemetry

data or you can turn both services off. You can view reputation scores in events and see the reputation

score of the attacker. You can also view statistics from the reputation filter.

Participating in the SensorBase Network

The Cisco IPS contains a security capability, Cisco Global Correlation, which uses the immense security

intelligence that we have amassed over the years. At regular intervals, the Cisco IPS receives threat

updates from the Cisco SensorBase Network, which contain detailed information about known threats

on the Internet, including serial attackers, Botnet harvesters, Malware outbreaks, and dark nets. The IPS

uses this information to filter out the worst attackers before they have a chance to attack critical assets.

It then incorporates the global threat data in to its system to detect and prevent malicious activity even

earlier.

If you agree to participate in the SensorBase Network, Cisco will collect aggregated statistics about

traffic sent to your IPS. This includes summary data on the Cisco IPS network traffic properties and how

this traffic was handled by the Cisco appliances. We do not collect the data content of traffic or other

confidential business or personal information. All data is aggregated and sent by secure HTTP to the

Cisco SensorBase Network servers in periodic intervals. All data shared with Cisco will be anonymous

and treated as strictly confidential.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

10-2

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 10 Configuring Global Correlation

Understanding Reputation

Table 10-1 shows how we use the data.

Table 10-1 Cisco Network Participation Data Use

Participation Level Type of Data

Partial Protocol attributes

(TCP maximum segment size and understand threat exposure.

Purpose

Tracks potential threats and helps us to

options string, for example)

Attack type

Used to understand current attacks and

(signature fired and risk rating, for attack severity.

example)

Connecting IP address and port

Identifies attack source.

Summary IPS performance

(CPU utilization, memory usage,

inline vs. promiscuous, for

example)

Tracks product efficacy.

Full

Victim IP address and port

Detects threat behavioral patterns.

When you enable Partial or Full Network Participation, the Network Participation Disclaimer appears.

You must enter yes to participate. If you do not have a license installed, you receive a warning telling

you that global correlation inspection and reputation filtering are disabled until the sensor is licensed.

You can obtain a license at http://www.cisco.com/go/license.

For More Information

For information on how to obtain and install a sensor license, see Installing the License Key, page 3-54.

Understanding Reputation

Similar to human social interaction, reputation is an opinion toward a device on the Internet. It enables

the installed base of IPS sensors in the field to collaborate using the existing network infrastructure. A

network device with reputation is most likely either malicious or infected. You can view reputation

information and statistics in the IDM, IME, or the CLI.

The IPS sensor collaborates with the global correlation servers (also known as reputation servers) to

improve the efficacy of the sensor.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

10-3

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 10 Configuring Global Correlation

Understanding Network Participation

Figure 10-1 shows the role of the sensor and the global correlation servers.

Figure 10-1 IPS Management and Global Correlation Server Interaction

Cisco IPS

Sensor

Application

Events

Config

Event

Manager

Reputation

Telemetry

Database

Query

Management Tools

Reputation

Client

(CLI/IDM/IME/

CSM/MARS)

Support

Cisco Data Clients

(CA-Sig, Sec-Analysis)

Reputation

Server(s)

Reputation

Database

The global correlation servers provide information to the sensor about certain IP addresses that may

identify malicious or infected hosts. The sensor uses this information to determine which actions, if any,

to perform when potentially harmful traffic is received from a host with known reputation. Because the

global correlation database changes rapidly, the sensor must periodically download global correlation

updates from the global correlation servers.

Caution

As with signature updates, when the sensor applies a global correlation update, it may trigger bypass.

Whether or not bypass is triggered depends on the traffic load of the sensor and the size of the

signature/global correlation update. If bypass mode is turned off, an inline sensor stops passing traffic

while the update is being applied.

For More Information

For more information about viewing global correlation statistics, see Displaying Statistics, page 17-28.

Understanding Network Participation

Network participation lets us collect nearly real-time data from sensors around the world. Sensors

installed at customer sites can send data to the SensorBase Network. These data feed in to the global

correlation database to increase reputation fidelity. Communication between sensors and the SensorBase

Network involves an HTTPS request and response over TCP/IP. Network participation gathers the

following data:

•

Signature ID

Attacker IP address

Attacker port

Maximum segment size

Victim IP address

Victim port

Signature version

TCP options string

Reputation score

Risk rating

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

10-4

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 10 Configuring Global Correlation

Understanding Efficacy

•

Data gathered from the sensor health metrics

The statistics for network participation show the hits and misses for alerts, the reputation actions, and

the counters of packets that have been denied.

Note

Network participation requires a network connection to the Internet.

There are three modes for network participation:

•

Off—The network participation server does not collect data, track statistics, or try to contact the

Cisco SensorBase Network.

•

Partial Participation—The network participation server collects data, tracks statistics, and

communicates with the SensorBase Network. Data considered to be potentially sensitive is filtered

out and never sent.

•

Full Participation—The network participation server collects data, tracks statistics, and

communicates with the SensorBase Network. All data collected is sent except the IP addresses that

you exclude from the network participation data.

Caution

As with signature updates, when the sensor applies a global correlation update, it may trigger bypass.

Whether or not bypass is triggered depends on the traffic load of the sensor and the size of the

signature/global correlation update. If bypass mode is turned off, an inline sensor stops passing traffic

while the update is being applied.

For More Information

•

For more information on network participation, see Configuring Network Participation, page 10-11.

For more information on bypass mode, see Configuring Inline Bypass Mode, page 4-33.

Understanding Efficacy

Obtaining data from participating IPS clients and using that in conjunction with the existing corpus of

threat knowledge improves the efficacy of the IPS. We measure efficacy based on the following:

•

False positives as a percentage of actionable events

False negatives as a percentage of threats that do not result in actionable events

Actionable events as a percentage of all events

The IPS signature team uses the data to improve signature fidelity and the IPS engineering team uses the

data to better understand the various types of sensor deployment.

For More Information

For more information about reputation and risk rating, see Understanding Reputation and Risk Rating,

page 10-6.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

10-5

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 10 Configuring Global Correlation

Understanding Reputation and Risk Rating

Risk rating is the concept of the probability that a network event is malicious. You assign a numerical

quantification of the risk associated with a particular event on the network. By default, an alert with an

extreme risk rating shuts down traffic. Reputation indicates the probability that a particular attacker IP

address will initiate malicious behavior based on its known past activity. A certain score is computed for

this reputation by the Alarm Channel and added to risk rating, thus improving the efficacy of the IPS.

When the attacker has a bad reputation score, an incremental risk is added to the risk rating to make it

more aggressive.

The Alarm Channel handles signature events from the data path. The alert processing units have multiple

aggregation techniques, action overrides, action filters, attacker reputation, and per-action custom

handling methods. We use the large reputation data from the reputation participation client to score

attackers in the Alarm Channel and then use this score to influence the risk rating and actions of the alert.

For More Information

•

For a detailed description of risk rating, see Calculating the Risk Rating, page 8-13.

For a detailed description of threat rating, see Understanding Threat Rating, page 8-14.

For a detailed description of event action filters, see Configuring Event Action Filters, page 8-20.

For a detailed description of the Alarm Channel, see Understanding the SensorApp, page A-23.

For a detailed description of event action aggregation, see Understanding Event Action Aggregation,

page 8-33.

Global Correlation Features and Goals

There are three main features of global correlation:

•

Global Correlation Inspection—We use the global correlation reputation knowledge of attackers to

influence alert handling and deny actions when attackers with a bad score are seen on the sensor.

Reputation Filtering—Applies automatic deny actions to packets from known malicious sites.

Network Reputation—Sensor sends alert and TCP fingerprint data to the SensorBase Network.

•

Global correlation has the following goals:

•

Dealing intelligently with alerts thus improving efficacy.

Improving protection against known malicious sites.

Sharing telemetry data with the SensorBase Network to improve visibility of alerts and sensor

actions on a global scale.

•

Simplifying configuration settings.

Automatic handling of the uploads and downloads of the information.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

10-6

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 10 Configuring Global Correlation

Global Correlation Requirements

Global correlation has the following requirements:

•

Valid license—You must have a valid sensor license for global correlation features to function. You

can still configure and display statistics for the global correlation features, but the global correlation

databases are cleared and no updates are attempted. Once you install a valid license, the global

correlation features are reactivated.

•

Network Participation disclaimer—You must agree to the disclaimer to participate.

External connectivity for the sensor and a DNS server—The global correlation features of Cisco IPS

require the sensor to connect to the Cisco SensorBase Network. Domain name resolution is also

required for these features to function. You can either configure the sensor to connect through an

HTTP proxy server that has a DNS client running on it, or you can assign an Internet routeable

address to the management interface of the sensor and configure the sensor to use a DNS server. In

Cisco IPS the HTTP proxy and DNS servers are used only by the global correlation features.

•

If you are connecting through an HTTP proxy, make sure you have the following configuration:

–

The proxy must allow HTTP requests from the IPS systems to http://updates.ironport.com/ibrs/

on port 80.

The proxy must allow HTTPS requests from the IPS systems to update-manifests.ironport.com

on port 443.

The firewall must allow access from the proxy to the internet (any destination address) on ports

80 and 443.

•

If you are NOT connecting through the HTTP proxy:

–

The firewall must allow access from each IPS to the Internet (any destination address) on ports

80 and 443.

Note

The IPS does not support the use of authenticated proxies.

•

Sensors deployed in an environment with a slow command and control connection will be slow to

download global correlation updates.

No IPv6 address support—Global correlation inspection and the reputation filtering deny features

do not support IPv6 addresses. For global correlation inspection, the sensor does not receive or

process reputation data for IPv6 addresses. The risk rating for IPv6 addresses is not modified for

global correlation inspection. Similarly, network participation does not include event data for

attacks from IPv6 addresses. And finally, IPv6 addresses do not appear in the deny list.

•

Sensor in inline mode—The sensor must operate in inline mode so that the global correlation

features can increase efficacy by being able to use the inline deny actions.

•

Sensor that supports the global correlation features

IPS version that supports the global correlation features

For More Information

•

For information on how to obtain and install a sensor license, see Installing the License Key,

page 3-54.

•

For information about the Network Participation disclaimer, see Participating in the SensorBase

Network, page 10-2.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

10-7

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 10 Configuring Global Correlation

Understanding Global Correlation Sensor Health Metrics

•

For information about configuring an HTTP proxy or DNS server to support global correlation, see

Configuring the DNS and Proxy Servers for Global Correlation and Automatic Update, page 3-10.

Understanding Global Correlation Sensor Health Metrics

For global correlation, the following metrics are added to sensor health monitoring:

•

Green indicates that the last update was successful.

Yellow indicates that there has not been a successful update within the past day (86,400 seconds).

Red indicates that there has not been a successful update within the last three days (259,200

seconds).

For network participation, the following metrics are added to sensor health monitoring:

•

Green indicates that the last connection was successful.

Yellow indicates that less than 6 connections failed in a row.

Red indicates that more than 6 connections failed in a row.

Use the health-monitor command in service submode to configure the health statistics for the sensor.

Use the show health command to see the results of the health-monitor command.

Global correlation health status defaults to red and changes to green after a successful global correlation

update. Successful global correlation updates require a DNS server or an HTTP proxy server. If the

sensor is deployed in an environment where a DNS or HTTP proxy server is not available, you can

address the red global correlation health and overall sensor health status by disabling global correlation

and configuring sensor health status not to include global correlation health status.

For More Information

•

For more information about the sensor health metrics and how to enable/disable Global Correlation

health status, see Configuring Health Status Information, page 17-13.

For the procedure to view sensor health metrics, see Showing Sensor Overall Health Status,

page 17-17.

For information about configuring an HTTP proxy or DNS server to support global correlation, see

Configuring the DNS and Proxy Servers for Global Correlation and Automatic Update, page 3-10.

For the procedure to disable global correlation, see Configuring Global Correlation Inspection and

Reputation Filtering, page 10-10.

Configuring Global Correlation Inspection and Reputation

Filtering

This section describes global correlation inspection and reputation filtering, and how to configure them.

It contains the following topics:

•

Understanding Global Correlation Inspection and Reputation Filtering, page 10-9

Configuring Global Correlation Inspection and Reputation Filtering, page 10-10

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

10-8

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 10 Configuring Global Correlation

Configuring Global Correlation Inspection and Reputation Filtering

Understanding Global Correlation Inspection and Reputation Filtering

You can configure the sensor to use updates from the SensorBase Network to adjust the risk rating. The

client determines which updates are available and applicable to the sensor by communicating with the

global correlation update server and a file server, which is a two-phase process. In the first phase the

sensor sends a client manifest to the global correlation update sever via an HTTPS POST request. The

server then returns the server manifest document in the HTTPS response. In the next phase the sensor

identifies the updates that are available and how to obtain them from a file server. The sensor downloads

the encrypted update files via HTTP from the file server using the information in the server manifest.

The integrity of these update files has been verified by comparing its MD5 hash with the hash value

specified in the server manifest.

Figure 10-2 demonstrates how the global correlation update client obtains the files.

Figure 10-2

Global Correlation Update Client

Client Manifest

Server Manifest

Global

Correlation

Update Server

Global

Correlation

Client

Update Files

File

Server

Caution

You must have a valid sensor license for global correlation features to function. You can still configure

and display statistics for the global correlation features, but the global correlation databases are cleared

and no updates are attempted. Once you install a valid license, the global correlation features are

reactivated.

Once you configure global correlation, updates are automatic and happen at regular intervals,

approximately every five minutes by default, but this interval may be modified by the global correlation

server. The sensor gets a full update and then applies an incremental update periodically.

You configure an HTTP proxy or a DNS server in the service network-setting submode. If you turn on

global correlation, you can choose how aggressively you want the deny actions to be enforced against

malicious hosts. You can then enable reputation filtering to deny access to known malicious hosts. If you

only want a report of what could have happened, you can enable test-global-correlation. This puts the

sensor in audit mode, and actions the sensor would have performed are generated in the events.

Use the show health command in privileged EXEC mode to display the overall health status information

of the sensor. The health status categories are rated by red and green with red being critical.

Caution

As with signature updates, when the sensor applies a global correlation update, it may trigger bypass.

Whether or not bypass is triggered depends on the traffic load of the sensor and the size of the

signature/global correlation update. If bypass mode is turned off, an inline sensor stops passing traffic

while the update is being applied.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

10-9

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 10 Configuring Global Correlation

Configuring Global Correlation Inspection and Reputation Filtering

For More Information

•

For the procedure for configuring global correlation features, see Configuring Global Correlation

Inspection and Reputation Filtering, page 10-10.

•

For the procedure to view sensor health metrics, see Showing Sensor Overall Health Status,

page 17-17.

•

For information on the CollaborationApp, see CollaborationApp, page A-27.

For more information on bypass mode, see Configuring Inline Bypass Mode, page 4-33.

Configuring Global Correlation Inspection and Reputation Filtering

Caution

For automatic and global correlation updates to function, you must have either a DNS server or an HTTP

proxy server configured at all times.

The following options apply:

•

global-correlation-inspection {on | off}—Turns global correlation inspection on or off. When

turned on, the sensor uses updates from the SensorBase network to adjust the risk rating. The default

is on.

•

global-correlation-inspection-influence {permissive | standard | aggressive}—Lets you choose

the level of global correlation inspection. The default is standard.

–

permissive—Global correlation data has little influence in the decision to deny traffic.

standard—Global correlation moderately influences the decision to deny traffic.

aggressive—Global correlation data heavily influences the decision to deny traffic.

•

reputation-filtering {on | off}—Turns reputation filtering on or off. When turned on, the sensor

denies access to malicious hosts that are listed in the global correlation database. The default is on.

test-global-correlation {on | off}—Enables reporting of deny actions that are affected by global

correlation. Allows you to test the global correlation features without actually denying any hosts.

The default is off.

Configuring Global Correlation

To configure global correlation features, follow these steps:

Step 1

Step 2

Enter global correlation submode.

sensor# configure terminal

sensor(config)# service global-correlation

sensor(config-glo)#

Step 3

Step 4

Turn on global correlation inspection.

sensor(config-glo)# global-correlation-inspection on

sensor(config-glo)#

Specify the level of global correlation inspection.

sensor(config-glo)# global-correlation-inspection-influence aggressive

sensor(config-glo)#

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

10-10

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 10 Configuring Global Correlation

Configuring Network Participation

Step 5

Step 6

Step 7

Turn on reputation filtering.

sensor(config-glo)# reputation-filtering on

sensor(config-glo)#

Test global correlation data, but do not actually deny traffic.

sensor(config-glo)# test-global-correlation on

sensor(config-glo)#

Verify the settings.

sensor(config-glo)# show settings

global-correlation-inspection: on default: on

global-correlation-inspection-influence: aggressive default: standard

reputation-filtering: on default: on

test-global-correlation: on default: off

sensor(config-glo)#

Step 8

Step 9

Exit global correlation submode.

sensor(config-glo)# exit

Apply Changes:?[yes]:

Press Enter to apply your changes or enter no to discard them.

For More Information

•

For information about configuring a proxy or DNS server to support global correlation, see

Configuring the DNS and Proxy Servers for Global Correlation and Automatic Update, page 3-10.

For information on how to obtain and install a sensor license, see Installing the License Key,

page 3-54.

For more information about the sensor health metrics, see Showing Sensor Overall Health Status,

page 17-17.

Configuring Network Participation

You can configure the sensor to send data to the SensorBase Network. You can configure the sensor to

fully participate and send all data to the SensorBase Network. Or you can configure the sensor to collect

the data but to omit potentially sensitive data, such as the destination IP address of trigger packets.

Note

Configuring the sensor for partial network participation limits a third party from extracting

reconnaissance information about your internal network from the global correlation database.

The following option applies:

•

network-participation—Sets the level of network participation. The default is off.

–

off—No data is contributed to the SensorBase network.

partial—Data is contributed to the SensorBase network but potentially sensitive information is

withheld.

–

full—All data is contributed to the SensorBase network.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

10-11

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 10 Configuring Global Correlation

Configuring Network Participation

Note

You must accept the network participation disclaimer to turn on network participation.

Turning on Network Participation

To turn on network participation, follow these steps:

Step 1

Step 2

Enter global correlation submode.

sensor# configure terminal

sensor(config)# service global-correlation

sensor(config-glo)#

Step 3

Step 4

Turn on network participation.

sensor(config-glo)# network-participation [full | partial]

sensor(config-glo)# exit

Enter yesto agree to participate in the SensorBase Network.

If you agree to participate in the SensorBase Network, Cisco will collect aggregated

statistics about traffic sent to your IPS. This includes summary data on the Cisco IPS

network traffic properties and how this traffic was handled by the Cisco appliances. We do

not collect the data content of traffic or other sensitive business or personal

information. All data is aggregated and sent via secure HTTP to the Cisco SensorBase

Network servers in periodic intervals. All data shared with Cisco will be anonymous and

treated as strictly confidential.

The table below describes how the data will be used by Cisco.

Participation Level = "Partial":

* Type of Data: Protocol Attributes (e.g. TCP max segment size and

options string)

Purpose: Track potential threats and understand threat exposure

* Type of Data: Attack Type (e.g. Signature Fired and Risk Rating)

Purpose: Used to understand current attacks and attack severity

* Type of Data: Connecting IP Address and port

Purpose: Identifies attack source

* Type of Data: Summary IPS performance (CPU utilization memory usage,

inline vs. promiscuous, etc)

Purpose: Tracks product efficacy

Participation Level = "Full" additionally includes:

* Type of Data: Victim IP Address and port

Purpose: Detect threat behavioral patterns

Do you agree to participate in the SensorBase Network?[no]:

Step 5

Verify the settings.

sensor(config-glo)# show settings

network-participation: full default: off

global-correlation-inspection: on default: on

global-correlation-inspection-influence: aggressive default: standard

reputation-filtering: on default: on

test-global-correlation: on default: off

sensor(config-glo)#

Step 6

Exit global correlation submode.

sensor(config-glo)# exit

Apply Changes:?[yes]:

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

10-12

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 10 Configuring Global Correlation

Troubleshooting Global Correlation

Step 7

Press Enter to apply your changes or enter no to discard them.

For More Information

For more information about participating in the SensorBase Network, see Participating in the

SensorBase Network, page 10-2.

Troubleshooting Global Correlation

Make sure you observe the following when configuring global correlation:

•

Because global correlation updates occur through the sensor management interface, firewalls must

allow port 443/80 traffic.

You must have an HTTP proxy server or a DNS server configured to allow global correlation

features to function.

If you have an HTTP proxy server configured, the proxy must allow port 443/80 traffic from IPS

systems.

•

You must have a valid IPS license to allow global correlation features to function.

Global correlation features only contain external IP addresses, so if you position a sensor in an

internal lab, you may never receive global correlation information.

•

Make sure your sensor supports the global correlation features.

Make sure your IPS version supports the global correlation features.

For More Information

•

For the procedure for configuring a DNS or HTTP proxy server, see Configuring the DNS and Proxy

Servers for Global Correlation and Automatic Update, page 3-10.

•

For the procedure for obtaining an IPS license, see Installing the License Key, page 3-54.

Disabling Global Correlation

If your sensor is deployed in an environment where a DNS server or HTTP proxy server is not available,

you may want to disable global correlation so that global correlation health does not appear as red in the

overall sensor health, thus indicating a problem. You can also configure sensor health to exclude global

correlation status.

The following options apply:

•

global-correlation-inspection {on | off}—Turns global correlation inspection on or off. When

turned on, the sensor uses updates from the SensorBase network to adjust the risk rating. The default

is on.

•

reputation-filtering {on | off}—Turns reputation filtering on or off. When turned on, the sensor

denies access to malicious hosts that are listed in the global correlation database. The default is on.

network-participation—Sets the level of network participation. The default is off.

–

off—No data is contributed to the SensorBase network.

partial—Data is contributed to the SensorBase network but potentially sensitive information is

withheld.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

10-13

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 10 Configuring Global Correlation

Displaying Global Correlation Statistics

–

full—All data is contributed to the SensorBase network.

Disabling Global Correlation

To disable global correlation features, follow these steps:

Step 1

Step 2

Enter global correlation submode.

sensor# configure terminal

sensor(config)# service global-correlation

sensor(config-glo)#

Step 3

Step 4

Step 5

Step 6

Turn off global correlation inspection.

sensor(config-glo)# global-correlation-inspection off

sensor(config-glo)#

Turn off reputation filtering.

sensor(config-glo)# reputation-filtering off

sensor(config-glo)#

Turn off network participation.

sensor(config-glo)# network-participation off

sensor(config-glo)# exit

Verify the settings.

sensor(config-glo)# show settings

network-participation: full default: off

global-correlation-inspection: on default: off

reputation-filtering: on default: off

sensor(config-glo)#

Step 7

Step 8

Exit global correlation submode.

sensor(config-glo)# exit

Apply Changes:?[yes]:

Press Enter to apply your changes or enter no to discard them.

Displaying Global Correlation Statistics

Use the show statistics global-correlation command to display global correlation statistics. Use the

show statistics global-correlation [name | clear] command to display statistics for these components for

all virtual sensors. If you provide the virtual sensor name, the statistics for that virtual sensor only are

displayed.

To display and clear global correlation statistics for the sensor, follow these steps:

Step 1

Step 2

Display the statistics for global correlation.

sensor# show statistics global-correlation

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

10-14

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 10 Configuring Global Correlation

Displaying Global Correlation Statistics

Network Participation:

Counters:

Total Connection Attempts = 4347

Total Connection Failures = 155

Connection Failures Since Last Success = 0

Connection History:

Connection Attempt on June 17 2012, at 21:57:19 UTC = Successful

Connection Attempt on June 17 2012, at 21:54:18 UTC = Successful

Connection Attempt on June 17 2012, at 21:51:17 UTC = Successful

Connection Attempt on June 17 2012, at 21:48:17 UTC = Successful

Connection Attempt on June 17 2012, at 21:45:16 UTC = Successful

Updates:

Status Of Last Update Attempt = Disabled

Time Since Last Successful Update = never

Counters:

Update Failures Since Last Success = 0

Total Update Attempts = 0

Total Update Failures = 0

Update Interval In Seconds = 300

Update Server = update-manifests.ironport.com

Update Server Address = Unknown

Current Versions:

Warnings:

Details:

Last fail log =

sensor#

Step 3

Clear the statistics for global correlation:

sensor# show statistics global-correlation clear

Network Participation:

Counters:

Total Connection Attempts = 0

Total Connection Failures = 0

Connection Failures Since Last Success = 0

Connection History:

Connection Attempt on June 17 2012, at 22:03:20 UTC = Successful

Connection Attempt on June 17 2012, at 22:00:19 UTC = Successful

Connection Attempt on June 17 2012, at 21:57:19 UTC = Successful

Connection Attempt on June 17 2012, at 21:54:18 UTC = Successful

Connection Attempt on June 17 2012, at 21:51:17 UTC = Successful

Updates:

Status Of Last Update Attempt = Disabled

Time Since Last Successful Update = never

Counters:

Update Failures Since Last Success = 0

Total Update Attempts = 0

Total Update Failures = 0

Update Interval In Seconds = 300

Update Server = update-manifests.ironport.com

Update Server Address = Unknown

Current Versions:

Warnings:

Details:

Last fail log =

sensor#

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

10-15

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 10 Configuring Global Correlation

Displaying Global Correlation Statistics

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

10-16

Download from Www.Somanuals.com. All Manuals Search And Download.

C H A P T E R

Configuring External Product Interfaces

This chapter explains how to configure external product interfaces. It contains the following sections:

•

External Product Interface Notes and Caveats, page 11-1

Understanding External Product Interfaces, page 11-1

Understanding the CSA MC, page 11-2

External Product Interface Issues, page 11-3

Configuring the CSA MC to Support the IPS Interface, page 11-4

Adding External Product Interfaces and Posture ACLs, page 11-4

Troubleshooting External Product Interfaces, page 11-8

External Product Interface Notes and Caveats

The following notes and caveats apply to external product interfaces:

•

In Cisco IPS, you can only add interfaces to the CSA MC.

You can only enable two CSA MC interfaces.

You must add the CSA MC as a trusted host so the sensor can communicate with it.

Understanding External Product Interfaces

Note

In Cisco IPS, you can only add interfaces to the CSA MC.

The external product interface is designed to receive and process information from external security and

management products. These external security and management products collect information that can be

used to automatically enhance the sensor configuration information. For example, the types of

information that can be received from external products include host profiles (the host OS configuration,

application configuration, and security posture) and IP addresses that have been identified as causing

malicious network activity.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

11-1

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 11 Configuring External Product Interfaces

Understanding the CSA MC

The CSA MC enforces a security policy on network hosts. It has two components:

•

Agents that reside on and protect network hosts.

Management Console (MC)—An application that manages agents. It downloads security policy

updates to agents and uploads operational information from agents.

The CSA MC receives host posture information from the CSA agents it manages. It also maintains a

watch list of IP addresses that it has determined should be quarantined from the network. The CSA MC

sends two types of events to the sensor—host posture events and quarantined IP address events.

Host posture events (called imported OS identifications in IPS) contain the following information:

•

Unique host ID assigned by the CSA MC

CSA agent status

Host system hostname

Set of IP addresses enabled on the host

CSA software version

CSA polling status

CSA test mode status

NAC posture

For example, when an OS-specific signature fires whose target is running that OS, the attack is highly

relevant and the response should be greater. If the target OS is different, then the attack is less relevant

and the response may be less critical. The signature attack relevance rating is adjusted for this host.

The quarantined host events (called the watch list in IPS) contain the following information:

•

IP address

Reason for the quarantine

Protocol associated with a rule violation (TCP, UDP, or ICMP)

Indicator of whether a rule-based violation was associated with an established session or a UDP

packet.

For example, if a signature fires that lists one of these hosts as the attacker, it is presumed to be that much

more serious. The risk rating is increased for this host. The magnitude of the increase depends on what

caused the host to be quarantined.

The sensor uses the information from these events to determine the risk rating increase based on the

information in the event and the risk rating configuration settings for host postures and quarantined IP

addresses.

Note

The host posture and watch list IP address information is not associated with a virtual sensor, but is

treated as global information.

Secure communications between the CSA MC and the IPS sensor are maintained through SSL/TLS. The

sensor initiates SSL/TLS communications with the CSA MC. This communication is mutually

authenticated. The CSA MC authenticates by providing X.509 certificates. The sensor uses

username/password authentication.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

11-2

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 11 Configuring External Product Interfaces

External Product Interface Issues

Note

You can only enable two CSA MC interfaces.

Caution

You must add the CSA MC as a trusted host so the sensor can communicate with it.

For More Information

For the procedure for adding trusted hosts, see Adding TLS Trusted Hosts, page 3-52.

External Product Interface Issues

When the external product interface receives host posture and quarantine events, the following issues

can arise:

•

The sensor can store only a certain number of host records:

–

If the number of records exceeds 10,000, subsequent records are dropped.

If the 10,000 limit is reached and then it drops to below 9900, new records are no longer

dropped.

•

Hosts can change an IP address or appear to use another host IP address, for example, because of

DHCP lease expiration or movement in a wireless network. In the case of an IP address conflict, the

sensor presumes the most recent host posture event to be the most accurate.

•

A network can include overlapping IP address ranges in different VLANs, but host postures do not

include VLAN ID information. You can configure the sensor to ignore specified address ranges.

A host can be unreachable from the CSA MC because it is behind a firewall. You can exclude

unreachable hosts.

The CSA MC event server allows up to ten open subscriptions by default. You can change this value.

You must have an administrative account and password to open subscriptions.

•

CSA data is not virtualized; it is treated globally by the sensor.

Host posture OS and IP addresses are integrated into passive OS fingerprinting storage. You can

view them as imported OS profiles.

•

You cannot see the quarantined hosts.

The sensor must recognize each CSA MC host X.509 certificate. You must add them as a trusted

host.

•

You can configure a maximum of two external product devices.

For More Information

•

For more information on working with OS maps and identifications, see Adding, Editing, Deleting,

and Moving Configured OS Maps, page 8-28 and Displaying and Clearing OS Identifications,

page 8-31.

For the procedure for adding trusted hosts, see Adding TLS Trusted Hosts, page 3-52.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

11-3

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 11 Configuring External Product Interfaces

Configuring the CSA MC to Support the IPS Interface

Note

For more detailed information about host posture events and quarantined IP address events, refer to

Using Management Center for Cisco Security Agents 5.1.

You must configure the CSA MC to send host posture events and quarantined IP address events to the

sensor. To configure the CSA MC to support IPS interfaces, follow these steps:

Step 1

Step 2

Choose Events > Status Summary.

In the Network Status section, click No beside Host history collection enabled, and then click Enable

in the popup window.

Note

Host history collection is enabled globally for the system. This feature is disabled by default

because the MC log file tends to fill quickly when it is turned on.

Step 3

Step 4

Step 5

Choose Systems > Groups to create a new group (with no hosts) to use in conjunction with

administrator account you will next create.

Choose Maintenance > Administrators > Account Management to create a new CSA MC

administrator account to provide IPS access to the MC system.

Create a new administrator account with the role of Monitor. This maintains the security of the MC by

not allowing this new account to have configure privileges.

Note

Remember the username and password for this administrator account because you need them to

configure external product interfaces on the sensor.

Step 6

Step 7

Choose Maintenance > Administrators > Access Control to further limit this administrator account.

In the Access Control window, select the administrator you created and select the group you created.

Note

When you save this configuration, you further limit the MC access of this new administrator

account with the purpose of maintaining security on the CSA MC.

Adding External Product Interfaces and Posture ACLs

Caution

In the Cisco IPS, the only external product interfaces you can add are CSA MC interfaces. The Cisco

IPS supports two CSA MC interfaces.

Use the cisco-security-agents-mc-settings ip-address command in service external product interfaces

submode to add the CSA MC as an external product interface.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

11-4

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 11 Configuring External Product Interfaces

Adding External Product Interfaces and Posture ACLs

The following options apply:

•

enabled {yes | no}—Enables/disables the receipt of information from the CSA MC.

host-posture-settings—Specifies how host postures received from the CSA MC are handled:

–

allow-unreachable-postures {yes | no}—Allows postures for hosts that are not reachable by

the CSA MC.

A host is not reachable if the CSA MC cannot establish a connection with the host on any IP

addresses in the posture of the host. This option is useful in filtering the postures whose IP

addresses may not be visible to the IPS or may be duplicated across the network. This filter is

most applicable in network topologies where hosts that are not reachable by the CSA MC are

also not reachable by the IPS, for example if the IPS and the CSA MC are on the same network

segment.

–

enabled {yes | no}—Enables/disables receipt of host postures from the CSA MC.

posture-acls {edit | insert | move} name1 {begin | end | inactive | before | after}—Specifies

the list of permitted or denied posture addresses. This command provides a mechanism for

filtering postures that have IP addresses that may not be visible to the IPS or may be duplicated

across the network.

–

action {permit | deny}—Specifies the permit or deny postures that match the specified network

address.

network-address address—Specifies the network address, in the form x.x.x.x/nn, for postures

to be permitted or denied.

•

password—Specifies the password used to log in to the CSA MC.

port —Specifies the TCP port to connect to on the CSA MC. The valid range is 1 to 65535. The

default is 443.

•

username —Specifies the username used to log in to the CSA MC.

watchlist-address-settings—Specifies how watch listed addresses received from the CSA MC are

handled:

–

enabled {yes | no}—Enables/disables receipt of watch list addresses from the CSA MC.

manual-rr-increase—Specifies the number added to an event RR because the attacker has been

manually watch-listed by the CSA MC. The valid range is 0 to 35. The default is 25.

–

packet-rr-increase—Specifies the number added to an event risk rating because the attacker

has been watch listed by the CSA MC because of a sessionless packet-based policy violation.

The valid range is 0 to 35. The default is 10.

session-rr-increase—Specifies the number added to an event risk rating because the attacker

has been watch-listed by the CSA MC because of a session-based policy violation. The valid

range is 0 to 35. The default is 25.

Note

Make sure you add the external product as a trusted host so the sensor can communicate with it.

Adding External Product Interfaces

To add external product interfaces, follow these steps:

Step 1

Step 2

Enter external product interfaces submode.

sensor# configure terminal

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

11-5

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 11 Configuring External Product Interfaces

Adding External Product Interfaces and Posture ACLs

sensor(config)# service external-product-interface

Step 3

Add the CSA MC interface.

sensor(config-ext)# cisco-security-agents-mc-settings 209.165.200.225

sensor(config-ext-cis)#

Step 4

Step 5

Step 6

Enable receipt of information from the CSA MC.

sensor(config-ext-cis)# enabled yes

Change the default port setting.

sensor(config-ext-cis)# port 80

Configure the login settings:

a. Enter the username.

sensor(config-ext-cis)# username jsmith

b. Enter and confirm the password.

sensor(config-ext-cis)# password

Enter password[]: *******

Re-enter password: *******

sensor(config-ext-cis)#

Note

Steps 7 through 10 are optional. If you do not perform Steps 7 though 10, the default values

are used to receive all the CSA MC information with no filters applied.

Step 7

(Optional) Configure the watch list settings:

a. Allow the watch list information to be passed from the external product to the sensor.

sensor(config-ext-cis-wat)# enabled yes

Note

If you do not enable the watch list, the watch list information received from a CSA MC is

deleted.

b. Change the percentage of the manual watch list RR from the default of 25.

sensor(config-ext-cis-wat)# manual-rr-increase 30

c. Change the percentage of the session-based watch list RR from the default of 25.

sensor(config-ext-cis-wat)# session-rr-increase 30

d. Change the percentage of the packet-based watch list RR from the default of 10.

sensor(config-ext-cis-wat)# packet-rr-increase 20

Step 8

(Optional) Allow the host posture information to be passed from the external product to the sensor.

sensor(config-ext-cis)# host-posture-settings

sensor(config-ext-cis-hos)# enabled yes

Note

If you do not enable the host posture information, the host posture information received from a

CSA MC is deleted.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

11-6

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 11 Configuring External Product Interfaces

Adding External Product Interfaces and Posture ACLs

Step 9

(Optional) Allow the host posture information from unreachable hosts to be passed from the external

product to the sensor.

sensor(config-ext-cis-hos)# allow-unreachable-postures yes

Note

A host is not reachable if the CSA MC cannot establish a connection with the host on any of the

IP addresses in the host’s posture. This option is useful in filtering the postures whose IP

addresses may not be visible to the IPS or may be duplicated across the network. This filter is

most applicable in network topologies where hosts that are not reachable by the CSA MC are

also not reachable by the IPS, for example if the IPS and the CSA MC are on the same network

segment.

Step 10 Configure a posture ACL:

a. Add the posture ACL into the ACL list.

sensor(config-ext-cis-hos)# posture-acls insert name1 begin

sensor(config-ext-cis-hos-pos)#

Note

Posture ACLs are network address ranges for which host postures are allowed or denied. Use

posture ACLs to filter postures that have IP addresses that may not be visible to the IPS or

may be duplicated across the network.

b. Enter the network address the posture ACL will use.

sensor(config-ext-cis-hos-pos)# network-address 192.0.2.0/24

c. Choose the action (deny or permit) the posture ACL will take.

sensor(config-ext-cis-hos-pos)# action permit

Step 11 Verify the settings.

sensor(config-ext-cis-hos-pos)# exit

sensor(config-ext-cis-hos)# exit

sensor(config-ext-cis)# exit

sensor(config-ext)# show settings

cisco-security-agents-mc-settings (min: 0, max: 2, current: 1)

-----------------------------------------------

ip-address: 209.165.200.225

-----------------------------------------------

interface-type: extended-sdee <protected>

enabled: yes default: yes

url: /csamc50/sdee-server <protected>

port: 80 default: 443

use-ssl

-----------------------------------------------

always-yes: yes <protected>

-----------------------------------------------

username: jsmith

password: <hidden>

host-posture-settings

-----------------------------------------------

enabled: yes default: yes

allow-unreachable-postures: yes default: yes

posture-acls (ordered min: 0, max: 10, current: 1 - 1 active, 0 inactive)

-----------------------------------------------

ACTIVE list-contents

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

11-7

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 11 Configuring External Product Interfaces

Troubleshooting External Product Interfaces

-----------------------------------------------

NAME: name1

-----------------------------------------------

network-address: 192.0.2.0/24

action: permit

-----------------------------------------------

watchlist-address-settings

-----------------------------------------------

enabled: yes default: yes

manual-rr-increase: 30 default: 25

session-rr-increase: 30 default: 25

packet-rr-increase: 20 default: 10

-----------------------------------------------

sensor(config-ext)#

Step 12 Exit external product interface submode.

sensor(config-ext)# exit

Apply Changes:?[yes]:

Step 13 Press Enter to apply the changes or enter no to discard them.

For More Information

For the procedure for adding trusted hosts, see Adding TLS Trusted Hosts, page 3-52.

Troubleshooting External Product Interfaces

To troubleshoot external product interfaces, check the following:

•

Make sure the interface is active by checking the output from the show statistics

external-product-interface command.

Make sure you have added the CSA MC IP address to the trusted hosts. If you forgot to add it, add

it, wait a few minutes and then check again.

Confirm subscription login information by opening and closing a subscription on the CSA MC using

the browser.

Check the Event Store for the CSA MC subscription errors.

For More Information

•

For the procedure for adding trusted hosts, see Adding TLS Trusted Hosts, page 3-52.

For the procedure for displaying events, see Clearing Events from Event Store, page 8-41.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

11-8

Download from Www.Somanuals.com. All Manuals Search And Download.

C H A P T E R

Configuring IP Logging

This chapter describes how to configure IP logging on the sensor. It contains the following sections:

•

Understanding IP Logging, page 12-2

Configuring Automatic IP Logging, page 12-2

Configuring Manual IP Logging for a Specific IP Address, page 12-3

Displaying the Contents of IP Logs, page 12-5

Stopping Active IP Logs, page 12-6

Copying IP Log Files to Be Viewed, page 12-7

IP Logging Notes and Caveats

The following notes and caveats apply to IP logging:

•

Enabling IP logging slows down system performance.

IP logging allows a maximum limit of 20 concurrent IP log files. Once the limit of 20 is reached,

you receive the following message in main.log: Cid/W errWarnIpLogProcessor::addIpLog: Ran

out of file descriptors.

•

You cannot delete or manage IP log files. The no iplog command does not delete IP logs, it only

stops more packets from being recorded for that IP log. IP logs are stored in a circular buffer that is

never filled because new IP logs overwrite old ones.

•

You can configure IP logging restrictions using the permit-packet-logging true | false command.

On IPS sensors with multiple processors, packets may be captured out of order in the IP logs and by

the packet command. Because the packets are not processed using a single processor, the packets

can become out of sync when received from multiple processors.

For More Information

For detailed information about the packet-related command restrictions, see Configuring Packet

Command Restriction, page 3-26.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

12-1

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 12 Configuring IP Logging

Understanding IP Logging

You can manually configure the sensor to capture all IP traffic associated with a host you specify by IP

address. You can specify how long you want the IP traffic to be logged, how many packets you want

logged, and how many bytes you want logged. The sensor stops logging IP traffic at the first parameter

you specify.

You can also have the sensor log IP packets every time a particular signature is fired. You can specify

how long you want the sensor to log IP traffic and how many packets and bytes you want logged.

You can copy the IP logs from the sensor and have them analyzed by a tool that can read packet files in

a libpcap format, such as Wireshark or TCPDUMP.

Note

Each alert references IP logs that are created because of that alert. If multiple alerts create IP logs for

the same IP address, only one IP log is created for all the alerts. Each alert references the same IP log.

However, the output of the IP log status only shows the event ID of the first alert triggering the IP log.

IP logging allows a maximum limit of 20 concurrent IP log files. Once the limit of 20 is reached, you

receive the following message in main.log: Cid/W errWarnIpLogProcessor::addIpLog: Ran out of

file descriptors.

Configuring Automatic IP Logging

Use the ip-log-packets number, ip-log-time number, and ip-log-bytes number commands to configure

automatic IP logging parameters on the sensor.

The following options apply:

•

ip-log-packets—Identifies the number of packets you want logged. The valid value is 0 to 65535.

The default is 0.

ip-log-time—Identifies the duration you want the sensor to log packets. The valid value is 0 to

65535 minutes. The default is 30 minutes.

ip-log-bytes —Identifies the maximum number of bytes you want logged. The valid value is 0 to

2147483647. The default is 0.

default—Resets the parameters.

Note

An automatic IP log continues capturing packets until one of these parameters is reached.

Automatic IP logging is configured on a per signature basis or as an event action override. The following

actions trigger automatic IP logging:

•

log-attacker-packets

log-victim-packets

log-pair-packets

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

12-2

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 12 Configuring IP Logging

Configuring Manual IP Logging for a Specific IP Address

Configuring Automatic IP Logging

To configure automatic IP logging parameters, follow these steps:

Step 1

Step 2

Enter signature definition IP log configuration submode.

sensor# configure terminal

sensor(config)# service signature-definition sig0

sensor(config-sig)# ip-log

Step 3

Step 4

Step 5

Step 6

Specify the number of packets you want the sensor to log.

sensor(config-sig-ip)# ip-log-packets 200

Specify the duration you want the sensor to log packets.

sensor(config-sig-ip)# ip-log-time 60

Specify the number of bytes you want logged.

sensor(config-sig-ip)# ip-log-bytes 5024

Verify the settings.

sensor(config-sig-ip)# show settings

ip-log

-----------------------------------------------

ip-log-packets: 200 default: 0

ip-log-time: 60 default: 30

ip-log-bytes: 5024 default: 0

-----------------------------------------------

sensor(config-sig-ip)#

Step 7

Step 8

Exit IP logging submode.

sensor(config-sig-ip)# exit

sensor(config-sig)# exit

Apply Changes?:[yes]:

Press Enter to apply the changes or type no to discard the changes.

For More Information

•

To copy and view an IP log file, see Copying IP Log Files to Be Viewed, page 12-7.

For more information on event actions, see Assigning Actions to Signatures, page 7-15 and

Configuring Event Action Overrides, page 8-17.

Configuring Manual IP Logging for a Specific IP Address

Use the iplog name ip_address [duration minutes] [packets numPackets] [bytes numBytes] command

to log IP packets manually on a virtual sensor for a specific IP address.

The following options apply:

•

name—Specifies the virtual sensor on which to begin and end logging.

ip_address—Logs packets containing the specified source and/or destination IP address.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

12-3

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 12 Configuring IP Logging

Configuring Manual IP Logging for a Specific IP Address

•

minutes—Specifies the duration the logging should be active. The valid range is 1 to 60 minutes.

The default is 10 minutes.

numPackets—Specifies the maximum number of packets to log. The valid range is 0 to 4294967295.

The default is 1000 packets.

numBytes—Specifies the maximum number of bytes to log. The valid range is 0 to 4294967295. A

value of 0 indicates unlimited bytes.

Note

The minutes, numPackets, and numBytes parameters are optional, you do not have to specify all three.

However, if you include more than one parameter, the sensor continues logging only until the first

threshold is reached. For example, if you set the duration to 5 minutes and the number of packets to 1000,

the sensor stops logging after the 1000th packet is captured, even if only 2 minutes have passed.

Configuring Manual IP Logging

To manually log packets on a virtual sensor for a specific IP address, follow these steps:

Step 1

Step 2

Start IP logging for a specific IP address.

sensor# iplog vs0 192.0.2.1 duration 5

Logging started for virtual sensor vs0, IP address 192.0.2.1, Log ID 1

Warning: IP Logging will affect system performance.

sensor#

The example shows the sensor logging all IP packets for 5 minutes to and from the IP address 192.0.2.1.

Note

Make note of the Log ID for future reference.

Step 3

Monitor the IP log status with the iplog-status command.

sensor# iplog-status

Log ID:

IP Address 1:

Virtual Sensor:

Status:

192.0.2.1

vs0

added

Event ID:

Bytes Captured:

Packets Captured:

sensor

Note

Each alert references IP logs that are created because of that alert. If multiple alerts create IP

logs for the same IP address, only one IP log is created for all the alerts. Each alert references

the same IP log. However, the output of the IP log status only shows the event ID of the first alert

triggering the IP log.

For More Information

•

To stop logging IP packets for a specific IP address, see Stopping Active IP Logs, page 12-6.

To log IP packets as an event associated with a signature, see Configuring Automatic IP Logging,

page 12-2.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

12-4

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 12 Configuring IP Logging

Displaying the Contents of IP Logs

•

To copy and view an IP log file, see Copying IP Log Files to Be Viewed, page 12-7.

Displaying the Contents of IP Logs

Use the iplog-status [log-id log_id] [brief] [reverse] [ | {begin regular_expression | exclude

regular_expression | include regular_expression }] command to display the description of the available

IP log contents.

When the log is created, the status reads added. If and when the first entry is inserted in the log, the status

changes to started. When the log is completed, because it reaches the packet count limit, for example,

the status changes to completed.

The following options apply:

•

log_id—(Optional) Specifies the log ID of the file for which you want to see the status.

brief—(Optional) Displays a summary of IP log status information for each log.

reverse—(Optional) Displays the list in reverse chronological order (newest log first).

|—(Optional) Indicates that an output processing specification follows.

regular_expression—Specifies any regular expression found in the IP log status output.

begin—Searches the output of the more command and displays the output from the first instance of

a specified string.

•

exclude—Filters the IP log status output so that it excludes lines that contain a particular regular

expression.

include—Filters the IP log status output so that it includes lines that contain a particular regular

expression.

Displaying IP Logs

To view the contents of IP logs, follow these steps:

Step 1

Step 2

Display the status of all IP logs.

sensor# iplog-status

Log ID:

2425

IP Address 1:

Virtual Sensor:

Status:

192.0.2.1

vs0

started

Start Time:

Packets Captured:

2003/07/30 18:24:18 2002/07/30 12:24:18 CST

1039438

Log ID:

2342

IP Address 1:

IP Address 2:

Virtual Sensor:

Status:

192.0.2.10

192.0.2.20

vs0

completed

Event ID:

209348

Start Time:

End Time:

2003/07/30 18:24:18 2002/07/30 12:24:18 CST

2003/07/30 18:34:18 2002/07/30 12:34:18 CST

sensor#

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

12-5

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 12 Configuring IP Logging

Stopping Active IP Logs

Step 3

Display a brief list of all IP logs.

sensor# iplog-status brief

Log ID

2425

2342

vs0

IP Address1

192.0.2.10

192.0.2.20

Status

started

completed

Event ID

N/A

209348

Start Date

2003/07/30

sensor#

Stopping Active IP Logs

Use the no iplog [log-id log_id | name name] command to stop logging for the logs that are in the

startedstate and to remove logs that are in the addedstate. The no iplog command does not remove or

delete the IP log. It only signals to the sensor to stop capturing additional packets on that IP log.

Note

Using the no iplog command on an added state IP log stops the IP log. The added state means that the

IP log is still empty (no packets). Stopping it when there are no packets means you are stopping an empty

IP log. An empty log is removed when it is stopped.

The following options apply:

•

log_id—Specifies the log ID of the logging session to stop. Use the iplog-status command to find

the log ID.

•

name—Specifies the virtual sensor on which to begin or end logging.

Disabling IP Logging Sessions

To disable one or all IP logging sessions, follow these steps:

Step 1

Step 2

Stop a particular IP logging session:

a. Find the log ID of the session you want to stop.

sensor# iplog-status

Log ID:

IP Address 1:

Virtual Sensor:

Status:

192.0.2.1

vs0

added

Event ID:

Bytes Captured:

Packets Captured:

sensor#

Note

Each alert references IP logs that are created because of that alert. If multiple alerts create

IP logs for the same IP address, only one IP log is created for all the alerts. Each alert

references the same IP log. However, the output of the IP log status only shows the event ID

of the first alert triggering the IP log.

b. Stop the IP log session.

sensor# no iplog log-id 137857512

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

12-6

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 12 Configuring IP Logging

Copying IP Log Files to Be Viewed

Step 3

Step 4

Stop all IP logging sessions on a virtual sensor.

sensor# no iplog name vs0

Verify that IP logging has been stopped. When the logs are stopped, the status shows them as completed.

sensor# iplog-status

Log ID:

IP Address 1:

Virtual Sensor:

Status:

192.0.2.1

vs0

completed

Event ID:

Bytes Captured:

Packets Captured:

sensor#

Copying IP Log Files to Be Viewed

Use the copy iplog log_id destination_url command to copy IP log files to an FTP or SCP server so that

you can view them with a sniffing tool such as Ethereal or TCPDUMP.

The following options apply:

•

log_id—Specifies the log ID of the logging session. You can retrieve the log ID using the

iplog-status command.

destination_url—Specifies the location of the destination file to be copied. It can be a URL or a

keyword.

The exact format of the source and destination URLs varies according to the file. Here are the valid

types:

•

ftp:—Destination URL for an FTP network server. The syntax for this prefix is:

ftp:[//[username@] location]/relativeDirectory]/filename

ftp:[//[username@]location]//absoluteDirectory]/filename

•

scp:—Destination URL for the SCP network server. The syntax for this prefix is:

scp:[//[username@] location]/relativeDirectory]/filename

scp:[//[username@] location]//absoluteDirectory]/filename

When you use FTP or SCP protocol, you are prompted for a password.

Copying IP Log Files

To copy IP log files to an FTP or SCP server, follow these steps:

Step 1

Step 2

Monitor the IP log status with the iplog-status command until you see that the status reads completed

for the log ID of the log file that you want to copy.

sensor# iplog-status

Log ID:

2425

IP Address:

Virtual Sensor:

Status:

192.0.2.1

vs0

started

Start Time:

2003/07/30 18:24:18 2002/07/30 12:24:18 CST

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

12-7

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 12 Configuring IP Logging

Copying IP Log Files to Be Viewed

Packets Captured:

1039438

Log ID:

2342

IP Address:

Virtual Sensor:

Status:

192.0.2.2

vs0

completed

Event ID:

Start Time:

End Time:

sensor#

209348

2003/07/30 18:24:18 2002/07/30 12:24:18 CST

2003/07/30 18:34:18 2002/07/30 12:34:18 CST

Step 3

Copy the IP log to your FTP or SCP server.

sensor# copy iplog 2342 ftp://[email protected]/user/iplog1

Password: ******** Connected to 209.165.200.225 (209.165.200.225). 220 linux.machine.com

FTP server (Version wu-2.6.0(1) Mon Feb 28 10:30 :36 EST 2000) ready. ftp> user (username)

root 331 Password required for root. Password:230 User root logged in. ftp> 200 Type set

to I. ftp> put iplog.8518.tmp iplog1 local: iplog.8518.tmp remote: iplog1 227 Entering

Passive Mode (2,4,6,8,179,125) 150 Opening BINARY mode data connection for iplog1. 226

Transfer complete. 30650 bytes sent in 0.00246 secs (1.2e+04 Kbytes/sec) ftp>

Step 4

Open the IP log using a sniffer program such as Wireshark or TCPDUMP. For more information on

Wireshark, go to http://www.wireshark.org. For more information on TCPDUMP, go to

http://www.tcpdump.org/.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

12-8

Download from Www.Somanuals.com. All Manuals Search And Download.

C H A P T E R

Displaying and Capturing Live Traffic on an

Interface

This chapter describes how to display, capture, copy, and erase packet files. It contains the following

sections:

•

Packet Display And Capture Notes and Caveats, page 13-1

Understanding Packet Display and Capture, page 13-2

Displaying Live Traffic on an Interface, page 13-2

Capturing Live Traffic on an Interface, page 13-4

Copying the Packet File, page 13-6

Erasing the Packet File, page 13-7

Packet Display And Capture Notes and Caveats

The following notes and caveats apply to capturing packet files:

•

Although capturing live traffic off the interface does not disrupt any of the functionality of the

sensor, it does cause significant performance degradation.

Changing the interface configuration results in abnormal termination of any packet command

running on that interface.

You can configure packet capture/display restrictions using the permit-packet-logging true | false

command.

On IPS sensors with multiple processors, packets may be captured out of order in the IP logs and by

the packet command. Because the packets are not processed using a single processor, the packets

can become out of sync when received from multiple processors.

•

When the IPS 4510 and IPS 4520 are configured in VLAN pairs, the packet display command does

not work without the VLAN option if the expression keyword is also used.

For More Information

For detailed information about the packet-related command restrictions, see Configuring Packet

Command Restriction, page 3-26.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

13-1

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 13 Displaying and Capturing Live Traffic on an Interface

Understanding Packet Display and Capture

You can display or capture live traffic from an interface and have the live traffic or a previously captured

file put directly on the screen. Storage is available for one local file only, subsequent capture requests

overwrites an existing file. The size of the storage file varies depending on the platform. A message may

be displayed if the maximum file size is reached before the requested packet count is captured.

Displaying Live Traffic on an Interface

Use the packet display interface_name [snaplen length] [count count] [verbose] [expression

expression] command to display live traffic from an interface directly on your screen. Use the packet

display iplog id [verbose] [expression expression] to display IP logs.

Note

To terminate the live display, press Ctrl-C.

The following options apply:

•

interface_name—Specifies the interface name, interface type (GigabitEthernet, FastEthernet,

Management, PortChannel) followed by slot/port. You can only use an interface name that exists in

the system.

snaplen—(Optional) Specifies the maximum number of bytes captured for each packet. The valid

range is 68 to 1600. The default is 0. A value of 0 means use the required length to catch whole

packets.

count—(Optional) Specifies the maximum number of packets to capture. The valid range is 1 to

10000.

Note

If you do not specify this option, the capture terminates after the maximum file size is

captured.

•

verbose—(Optional) Displays the protocol tree for each packet rather than a one-line summary.

expression—Specifies the packet-display filter expression. This expression is passed directly to

TCPDUMP and must meet the TCPDUMP expression syntax.

Note

The expression syntax is described in the TCPDUMP man page.

If you use the expression option when monitoring packets with VLAN headers, the

expression does not match properly unless vlan and is added to the beginning of the

expression. For example, packet display iplog 926299444 verbose expression icmp Will

NOT show ICMP packets; packet display iplog 926299444 verbose expression vlan and

icmp WILL show ICMP packets. It is often necessary to use expression vlan and on the IPS

appliance interfaces connected to trunk ports.

•

file-info—Displays information about the stored packet file. File-info displays the following

information:

Captured by: user:id, Cmd: cliCmd

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

13-2

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 13 Displaying and Capturing Live Traffic on an Interface

Displaying Live Traffic on an Interface

Start: yyyy/mm/dd hh:mm:ss zone, End: yyyy/mm/dd hh:mm:ss zone or in-progress.

Where user = the username of user initiating capture, id = the CLI ID of the user, and cliCmd = the

command entered to perform the capture.

Caution

Executing the packet display command causes significant performance degradation.

Displaying Live Traffic From an Interface

To configure the sensor to display live traffic from an interface on the screen, follow these steps:

Step 1

Step 2

Display the live traffic on the interface you are interested in, for example, GigabitEthernet0/1.

sensor# packet display GigabitEthernet0/1

Warning: This command will cause significant performance degradation

tcpdump: listening on ge0_1, link-type EN10MB (Ethernet), capture size 65535 bytes

03:43:05.691883 IP (tos 0x10, ttl 64, id 55460, offset 0, flags [DF], length: 100)

10.89.147.31.22 > 10.89.147.50.41805: P [tcp sum ok] 4233955485:4233955533(48) ack

1495691730 win 8576 <nop,nop,timestamp 44085169 226014949>

03:43:05.691975 IP (tos 0x10, ttl 64, id 55461, offset 0, flags [DF], length: 164)

10.89.147.31.22 > 10.89.147.50.41805: P [tcp sum ok] 48:160(112) ack 1 win 8576

<nop,nop,timestamp 44085169 226014949>

03:43:05.691998 IP (tos 0x10, ttl 64, id 53735, offset 0, flags [DF], length: 52)

10.89.147.50.41805 > 10.89.147.31.22: . [tcp sum ok] 1:1(0) ack 48 win 11704

<nop,nop,timestamp 226014949 44085169>

03:43:05.693165 IP (tos 0x10, ttl 64, id 53736, offset 0, flags [DF], length: 52)

10.89.147.50.41805 > 10.89.147.31.22: . [tcp sum ok] 1:1(0) ack 160 win 11704

<nop,nop,timestamp 226014949 44085169>

03:43:05.693351 IP (tos 0x10, ttl 64, id 55462, offset 0, flags [DF], length: 316)

10.89.147.31.22 > 10.89.147.50.41805: P [tcp sum ok] 160:424(264) ack 1 win 8576

<nop,nop,timestamp 44085169 226014949>

03:43:05.693493 IP (tos 0x10, ttl 64, id 55463, offset 0, flags [DF], length: 292)

10.89.147.31.22 > 10.89.147.50.41805: P [tcp sum ok] 424:664(240) ack 1 win 8576

<nop,nop,timestamp 44085169 226014949>

03:43:05.693612 IP (tos 0x10, ttl 64, id 55464, offset 0, flags [DF], length: 292)

10.89.147.31.22 > 10.89.147.50.41805: P [tcp sum ok] 664:904(240) ack 1 win 8576

<nop,nop,timestamp 44085169 226014949>

03:43:05.693628 IP (tos 0x10, ttl 64, id 53737, offset 0, flags [DF], length: 52)

10.89.147.50.41805 > 10.89.147.31.22: . [tcp sum ok] 1:1(0) ack 424 win 11704

<nop,nop,timestamp 226014949 44085169>

03:43:05.693654 IP (tos 0x10, ttl 64, id 53738, offset 0, flags [DF], length: 52)

10.89.147.50.41805 > 10.89.147.31.22: . [tcp sum ok] 1:1(0) ack 664 win 11704

<nop,nop,timestamp 226014949 44085169>

03:43:05.693926 IP (tos 0x10, ttl 64, id 55465, offset 0, flags [DF], length: 292)

10.89.147.31.22 > 10.89.147.50.41805: P [tcp sum ok] 904:1144(240) ack 1 win 8576

<nop,nop,timestamp 44085169 226014949>

03:43:05.694043 IP (tos 0x10, ttl 64, id 55466, offset 0, flags [DF], length: 292)

10.89.147.31.22 > 10.89.147.50.41805: P [tcp sum ok] 1144:1384(240) ack 1 win 8576

<nop,nop,timestamp 44085169 226014949>

03:43:05.694163 IP (tos 0x10, ttl 64, id 55467, offset 0, flags [DF], length: 292)

10.89.147.31.22 > 10.89.147.50.41805: P [tcp sum ok] 1384:1624(240) ack 1 win 8576

<nop,nop,timestamp 44085169 226014949>

03:43:05.694209 IP (tos 0x10, ttl 64, id 53739, offset 0, flags [DF], length: 52)

10.89.147.50.41805 > 10.89.147.31.22: . [tcp sum ok] 1:1(0) ack 1384 win 11704

<nop,nop,timestamp 226014950 44085169>

03:43:05.694283 IP (tos 0x10, ttl 64, id 55468, offset 0, flags [DF], length: 292)

10.89.147.31.22 > 10.89.147.50.41805: P [tcp sum ok] 1624:1864(240) ack 1 win 8576

<nop,nop,timestamp 44085169 226014950>

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

13-3

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 13 Displaying and Capturing Live Traffic on an Interface

Capturing Live Traffic on an Interface

03:43:05.694402 IP (tos 0x10, ttl 64, id 55469, offset 0, flags [DF], length: 292)

10.89.147.31.22 > 10.89.147.50.41805: P [tcp sum ok] 1864:2104(240) ack 1 win 8576

<nop,nop,timestamp 44085169 226014950>

03:43:05.694521 IP (tos 0x10, ttl 64, id 55470, offset 0, flags [DF], length: 292)

10.89.147.31.22 > 10.89.147.50.41805: P [tcp sum ok] 2104:2344(240) ack 1 win 8576

<nop,nop,timestamp 44085169 226014950>

03:43:05.694690 IP (tos 0x10, ttl 64, id 53740, offset 0, flags [DF], length: 52)

10.89.147.50.41805 > 10.89.147.31.22: . [tcp sum ok] 1:1(0) ack 2344 win 11704

<nop,nop,timestamp 226014950 44085169>

03:43:05.694808 IP (tos 0x10, ttl 64, id 55471, offset 0, flags [DF], length: 300)

10.89.147.31.22 > 10.89.147.50.41805: P [tcp sum ok] 2344:2592(248) ack 1 win 8576

<nop,nop,timestamp 44085169 226014950>

Step 3

You can use the expression option to limit what you display, for example, only TCP packets.

Note

As described in the TCPDUMP man page, the protocol identifiers tcp, udp, and icmp are also

keywords and must be escaped by using two back slashes (\\).

sensor# packet display GigabitEthernet0/1 verbose expression ip proto \\tcp

Warning: This command will cause significant performance degradation

tcpdump: listening on ge0_1, link-type EN10MB (Ethernet), capture size 65535 bytes

03:42:02.509738 IP (tos 0x10, ttl 64, id 27743, offset 0, flags [DF], length: 88)

10.89.147.31.22 > 64.101.182.54.47039: P [tcp sum ok] 3449098782:3449098830(48) ack

3009767154 win 8704

03:42:02.509834 IP (tos 0x10, ttl 64, id 27744, offset 0, flags [DF], length: 152)

10.89.147.31.22 > 64.101.182.54.47039: P [tcp sum ok] 48:160(112) ack 1 win 8704

03:42:02.510248 IP (tos 0x0, ttl 252, id 55922, offset 0, flags [none], length: 40)

64.101.182.54.47039 > 10.89.147.31.22: . [tcp sum ok] 1:1(0) ack 160 win 8760

03:42:02.511262 IP (tos 0x10, ttl 64, id 27745, offset 0, flags [DF], length: 264)

10.89.147.31.22 > 64.101.182.54.47039: P [tcp sum ok] 160:384(224) ack 1 win 8704

03:42:02.511408 IP (tos 0x10, ttl 64, id 27746, offset 0, flags [DF], length: 248)

10.89.147.31.22 > 64.101.182.54.47039: P [tcp sum ok] 384:592(208) ack 1 win 8704

03:42:02.511545 IP (tos 0x10, ttl 64, id 27747, offset 0, flags [DF], length: 240)

10.89.147.31.22 > 64.101.182.54.47039: P [tcp sum ok] 592:792(200) ack 1 win 8704

Step 4

Display information about the packet file.

sensor# packet display file-info

Captured by: cisco:25579, Cmd: packet capture GigabitEthernet0/1

Start: 2003/02/03 02:56:48 UTC, End: 2003/02/03 02:56:51 UTC

sensor#

Capturing Live Traffic on an Interface

Use the packet capture interface_name [snaplen length] [count count] [expression expression]

command to capture live traffic on an interface. Only one user can use the packet capture command at

a time. A second user request results in an error message containing information about the user currently

executing the capture.

Caution

Executing the packet capture command causes significant performance degradation.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

13-4

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 13 Displaying and Capturing Live Traffic on an Interface

Capturing Live Traffic on an Interface

The packet capture command captures the libpcap output into a local file. Use the packet display

packet-file [verbose] [expression expression] command to view the local file. Use the packet display

file-info to display information about the local file, if any.

The following options apply:

•

interface_name—Specifies the logical interface name. You can only use an interface name that

exists in the system.

snaplen—Specifies the maximum number of bytes captured for each packet (optional). The valid

range is 68 to 1600. The default is 0.

count—Specifies the maximum number of packets to capture (optional). The valid range is 1 to

10000.

Note

If you do not specify this option, the capture terminates after the maximum file size is

captured.

•

expression—Specifies the packet-capture filter expression. This expression is passed directly to

TCPDUMP and must meet the TCPDUMP expression syntax.

file-info—Displays information about the stored packet file.

File-info displays the following information:

Captured by: user:id, Cmd: cliCmd

Start: yyyy/mm/dd hh:mm:ss zone, End: yyyy/mm/dd hh:mm:ss zone or in-progress

Where user = username of user initiating capture, id = CLI ID of the user, and cliCmd = command

entered to perform the capture.

•

verbose—Displays the protocol tree for each packet rather than a one-line summary. This parameter

is optional.

Capturing Live Traffic on an Interface

To configure the sensor to capture live traffic on an interface, follow these steps:

Step 1

Step 2

Capture the live traffic on the interface you are interested in, for example, GigabitEthernet0/1.

sensor# packet capture GigabitEthernet0/1

Warning: This command will cause significant performance degradation

tcpdump: WARNING: ge0_1: no IPv4 address assigned

tcpdump: listening on ge0_1, link-type EN10MB (Ethernet), capture size 65535 bytes

125 packets captured

126 packets received by filter

0 packets dropped by kernel

Step 3

View the captured packet file.

sensor# packet display packet-file

reading from file /usr/cids/idsRoot/var/packet-file, link-type EN10MB (Ethernet)

03:03:13.216768 802.1d config TOP_CHANGE 8000.00:04:9a:66:35:01.8025 root 8000.0

0:04:6d:f9:e8:82 pathcost 8 age 2 max 20 hello 2 fdelay 15

03:03:13.232881 IP 64.101.182.244.1978 > 10.89.130.108.23: . ack 3266153791 win

64328

03:03:13.232895 IP 10.89.130.108.23 > 64.101.182.244.1978: P 1:157(156) ack 0 wi

n 5840

03:03:13.433136 IP 64.101.182.244.1978 > 10.89.130.108.23: . ack 157 win 65535

03:03:13.518335 IP 10.89.130.134.42342 > 255.255.255.255.42342: UDP, length: 76

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

13-5

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 13 Displaying and Capturing Live Traffic on an Interface

Copying the Packet File

03:03:15.218814 802.1d config TOP_CHANGE 8000.00:04:9a:66:35:01.8025 root 8000.0

0:04:6d:f9:e8:82 pathcost 8 age 2 max 20 hello 2 fdelay 15

03:03:15.546866 IP 64.101.182.244.1978 > 10.89.130.108.23: P 0:2(2) ack 157 win

65535

03:03:15.546923 IP 10.89.130.108.23 > 64.101.182.244.1978: P 157:159(2) ack 2 wi

n 5840

03:03:15.736377 IP 64.101.182.244.1978 > 10.89.130.108.23: . ack 159 win 65533

03:03:17.219612 802.1d config TOP_CHANGE 8000.00:04:9a:66:35:01.8025 root 8000.0

0:04:6d:f9:e8:82 pathcost 8 age 2 max 20 hello 2 fdelay 15

03:03:19.218535 802.1d config TOP_CHANGE 8000.00:04:9a:66:35:01.8025 root 8000.0

0:04:6d:f9:e8:82 pathcost 8 age 2 max 20 hello 2 fdelay 15

03:03:19.843658 IP 64.101.182.143.3262 > 10.89.130.23.445: P 3749577803:37495778

56(53) ack 3040953472 win 64407

03:03:20.174835 IP 161.44.55.250.1720 > 10.89.130.60.445: S 3147454533:314745453

3(0) win 65520 <mss 1260,nop,nop,sackOK>

03:03:21.219958 802.1d config TOP_CHANGE 8000.00:04:9a:66:35:01.8025 root 8000.0

0:04:6d:f9:e8:82 pathcost 8 age 2 max 20 hello 2 fdelay 15

03:03:21.508907 IP 161.44.55.250.1809 > 10.89.130.61.445: S 3152179859:315217985

9(0) win 65520 <mss 1260,nop,nop,sackOK>

03:03:23.221004 802.1d config TOP_CHANGE 8000.00:04:9a:66:35:01.8025 root 8000.0

0:04:6d:f9:e8:82 pathcost 8 age 2 max 20 hello 2 fdelay 15

03:03:23.688099 IP 161.44.55.250.1975 > 10.89.130.63.445: S 3160484670:316048467

0(0) win 65520 <mss 1260,nop,nop,sackOK>

03:03:25.219054 802.1d config TOP_CHANGE 8000.00:04:9a:66:35:01.8025 root 8000.0

0:04:6d:f9:e8:82 pathcost 8 age 2 max 20 hello 2 fdelay 15

03:03:25.846552 IP 172.20.12.10.2984 > 10.89.130.127.445: S 1345848756:134584875

6(0) win 64240 <mss 1460,nop,nop,sackOK>

03:03:26.195342 IP 161.44.55.250.2178 > 10.89.130.65.445: S 3170518052:317051805

2(0) win 65520 <mss 1260,nop,nop,sackOK>

03:03:27.222725 802.1d config TOP_CHANGE 8000.00:04:9a:66:35:01.8025 root 8000.0

0:04:6d:f9:e8:82 pathcost 8 age 2 max 20 hello 2 fdelay 15

03:03:27.299178 IP 161.44.55.250.2269 > 10.89.130.66.445: S 3174717959:317471795

9(0) win 65520 <mss 1260,nop,nop,sackOK>

03:03:27.308798 arp who-has 161.44.55.250 tell 10.89.130.66

03:03:28.383028 IP 161.44.55.250.2349 > 10.89.130.67.445: S 3178636061:317863606

1(0) win 65520 <mss 1260,nop,nop,sackOK>

--MORE--

Step 4

View any information about the packet file.

sensor# packet display file-info

Captured by: cisco:8874, Cmd: packet capture GigabitEthernet0/1

Start: 2003/01/07 00:12:50 UTC, End: 2003/01/07 00:15:30 UTC

sensor#

Copying the Packet File

Use the copy packet-file destination_url command to copy the packet file to an FTP or SCP server for

saving or further analysis with another tool, such as Wireshark or TCPDUMP.

The following options apply:

•

packet-file—Specifies the locally stored libpcap file that you captured using the packet capture

command.

destination_url—Specifies the location of the destination file to be copied. It can be a URL or a

keyword.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

13-6

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 13 Displaying and Capturing Live Traffic on an Interface

Erasing the Packet File

Note

The exact format of the source and destination URLs varies according to the file.

ftp:—Destination URL for an FTP network server. The syntax for this prefix is:

–

ftp:[//[username@] location]/relativeDirectory]/filename

ftp:[//[username@]location]//absoluteDirectory]/filename

scp:—Destination URL for the SCP network server. The syntax for this prefix is:

scp:[//[username@] location]/relativeDirectory]/filename

scp:[//[username@] location]//absoluteDirectory]/filename

–

Note

When you use FTP or SCP protocol, you are prompted for a password.

To copy packets files to an FTP or SCP server, follow these steps:

Step 1

Step 2

Copy the packet-file to an FTP or SCP server.

sensor# copy packet-file scp://[email protected]/work/

Password: *********

packet-file

sensor#

100% 1670

0.0KB/s

00:00

Step 3

View the packet file with Wireshark or TCPDUMP.

Erasing the Packet File

Use the erase packet-file command to erase the packet file. There is only one packet file. It is 16 MB

and is over-written each time you use the packet capture command. To erase the packet file, follow

these steps:

Step 1

Display information about the current captured packet file.

sensor# packet display file-info

Captured by: cisco:1514, Cmd: packet capture GigabitEthernet0/1

Start: 2005/02/15 03:55:00 CST, End: 2005/02/15 03:55:05 CST

sensor#

Step 2

Step 3

Erase the packet file.

sensor# erase packet-file

sensor#

Verify that you have erased the packet file.

sensor# packet display file-info

No packet-file available.

sensor#

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

13-7

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 13 Displaying and Capturing Live Traffic on an Interface

Erasing the Packet File

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

13-8

Download from Www.Somanuals.com. All Manuals Search And Download.

C H A P T E R

Configuring Attack Response Controller for

Blocking and Rate Limiting

This chapter provides information for setting up the ARC to perform blocking and rate limiting on the

sensor. It the following sections:

•

Blocking Notes and Caveats, page 14-1

Understanding Blocking, page 14-2

Understanding Rate Limiting, page 14-4

Understanding Service Policies for Rate Limiting, page 14-5

Before Configuring ARC, page 14-5

Supported Devices, page 14-6

Configuring Blocking Properties, page 14-7

Configuring User Profiles, page 14-20

Configuring Blocking and Rate Limiting Devices, page 14-21

Configuring the Sensor to be a Master Blocking Sensor, page 14-28

Configuring Host Blocking, page 14-31

Configuring Network Blocking, page 14-31

Configuring Connection Blocking, page 14-32

Obtaining a List of Blocked Hosts and Connections, page 14-33

Blocking Notes and Caveats

The following notes and caveats apply to blocking:

•

The ARC is formerly known as Network Access Controller. Although the name has been changed,

the IDM, the IME, and the CLI contain references to Network Access Controller, nac, and

network-access.

•

Blocking is not supported on the FWSM in multiple mode admin context.

Connection blocks and network blocks are not supported on adaptive security appliances. Adaptive

security appliances only support host blocks with additional connection information.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

14-1

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting

Understanding Blocking

•

Do not confuse blocking with the ability of the sensor to drop packets. The sensor can drop packets

when the following actions are configured for a sensor in inline mode: deny packet inline, deny

connection inline, and deny attacker inline.

•

The ACLs that ARC makes should never be modified by you or any other system. These ACLs are

temporary and new ACLs are constantly being created by the sensor. The only modifications that

you can make are to the Pre- and Post-Block ACLs.

Rate limiting and blocking are not supported for IPv6 traffic. If a signature is configured with a

block or rate limit event action and is triggered by IPv6 traffic, an alert is generated but the action

is not carried out.

Two sensors cannot control blocking or rate limiting on the same device. If this situation is needed,

configure one sensor as the master blocking sensor to manage the devices and the other sensors can

forward their requests to the master blocking sensor.

•

Pre-Block and Post-Block ACLS do not apply to rate limiting.

When you add a master blocking sensor, you reduce the number of blocking devices per sensor. For

example, if you want to block on 10 security appliances and 10 routers with one blocking

interface/direction each, you can assign 10 to the sensor and assign the other 10 to a master blocking

sensor.

•

While blocking is disabled, the ARC continues to receive blocks and track the time on active blocks,

but will not apply new blocks or remove blocks from the managed devices. After blocking is

reenabled, the blocks on the devices are updated.

We recommend that you do not permit the sensor to block itself, because it may stop communicating

with the blocking device. You can configure this option if you can ensure that if the sensor creates

a rule to block its own IP address, it will not prevent the sensor from accessing the blocking device.

You MUST create a user profile before configuring the blocking device.

Understanding Blocking

The ARC is responsible for managing network devices in response to suspicious events by blocking

access from attacking hosts and networks. The ARC blocks the IP address on the devices it is managing.

It sends the same block to all the devices it is managing, including any other master blocking sensors.

The ARC monitors the time for the block and removes the block after the time has expired.

The ARC completes the action response for a new block in no more than 7 seconds. In most cases, it

completes the action response in less time. To meet this performance goal, you should not configure the

sensor to perform blocks at too high a rate or to manage too many blocking devices and interfaces. We

recommend that the maximum number of blocks not exceed 250 and the maximum number of blocking

items not exceed 10. To calculate the maximum number of blocking items, a security appliance counts

as one blocking item per blocking context. A router counts as one blocking item per blocking

interface/direction. A switch running Catalyst software counts as one blocking item per blocking VLAN.

If the recommended limits are exceeded, the ARC may not apply blocks in a timely manner or may not

be able to apply blocks at all.

Caution

Blocking is not supported on the FWSM in multiple mode admin context.

For security appliances configured in multi-mode, Cisco IPS does not include VLAN information in the

block request. Therefore you must make sure the IP addresses being blocked are correct for each security

appliance. For example, the sensor is monitoring packets on a security appliance customer context that

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

14-2

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting

Understanding Blocking

is configured for VLAN A, but is blocking on a different security appliance customer context that is

configured for VLAN B. Addresses that trigger blocks on VLAN A may refer to a different host on

VLAN B.

There are three types of blocks:

•

Host block—Blocks all traffic from a given IP address.

Connection block—Blocks traffic from a given source IP address to a given destination IP address

and destination port. Multiple connection blocks from the same source IP address to either a

different destination IP address or destination port automatically switch the block from a connection

block to a host block.

•

Network block—Blocks all traffic from a given network. You can initiate host and connection blocks

manually or automatically when a signature is triggered. You can only initiate network blocks

manually.

Note

Connection blocks and network blocks are not supported on adaptive security appliances. Adaptive

security appliances only support host blocks with additional connection information.

Caution

Do not confuse blocking with the ability of the sensor to drop packets. The sensor can drop packets when

the following actions are configured for a sensor in inline mode: deny packet inline, deny connection

inline, and deny attacker inline.

For automatic blocks, you must configure request-block-host or request-block-connection as the event

action for particular signatures, and add them to any event action overrides you have configured, so that

the SensorApp sends a block request to the ARC when the signature is triggered. When the ARC receives

the block request from the SensorApp, it updates the device configurations to block the host or

connection.

On Cisco routers and Catalyst 6500 series switches, ARC creates blocks by applying ACLs or VACLs.

ACLs and VACLs permit or deny passage of data packets through interface directions or VLANs. Each

ACL or VACL contains permit and deny conditions that apply to IP addresses. The security appliances

do not use ACLs or VACLs. The built-in shun and no shun command is used.

Caution

The ACLs that ARC makes should never be modified by you or any other system. These ACLs are

temporary and new ACLs are constantly being created by the sensor. The only modifications that you

can make are to the Pre- and Post-Block ACLs.

You need the following information for the ARC to manage a device:

•

Enable password (not needed if the user has enable privileges).

Interfaces to be managed (for example, ethernet0, vlan100).

Any existing ACL or VACL information you want applied at the beginning (Pre-Block ACL or

VACL) or end (Post-Block ACL or VACL) of the ACL or VACL that will be created. This does not

apply to the security appliances because they do not use ACLs to block.

•

Whether you are using Telnet or SSH to communicate with the device.

IP addresses (host or range of hosts) you never want blocked.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

14-3

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting

Understanding Rate Limiting

•

How long you want the blocks to last.

Tip

To check the status of the ARC, type show statistics network-access at the sensor#. The output shows

the devices you are managing, any active blocks and rate limits, and the status of all devices..

Note

Rate limiting and blocking are not supported for IPv6 traffic. If a signature is configured with a block or

rate limit event action and is triggered by IPv6 traffic, an alert is generated but the action is not carried

out.

For More Information

•

For the procedure to add request-block-host or request-block-connection event actions to a

signature, see Assigning Actions to Signatures, page 7-15.

•

For the procedure for configuring overrides that add the request-block-host or

request-block-connection event actions to alerts of a specific risk rating, see Adding, Editing,

Enabling, and Disabling Event Action Overrides, page 8-17.

•

For more information on Pre- and Post-Block ACLs, see How the Sensor Manages Devices,

page 14-21.

Understanding Rate Limiting

The ARC is responsible for rate limiting traffic in protected networks. Rate limiting lets sensors restrict

the rate of specified traffic classes on network devices. Rate limit responses are supported for the Host

Flood and Net Flood engines, and the TCP half-open SYN signature. The ARC can configure rate limits

on network devices running Cisco IOS 12.3 or later. Master blocking sensors can also forward rate limit

requests to blocking forwarding sensors.

To add a rate limit, you specify the following:

•

Source address and/or destination address for any rate limit

Source port and/or destination port for rate limits with TCP or UDP protocol

You can also tune rate limiting signatures. You must also set the action to request-rate-limit and set the

percentage for these signatures.

Note

Rate limiting and blocking are not supported for IPv6 traffic. If a signature is configured with a block or

rate limit event action and is triggered by IPv6 traffic, an alert is generated but the action is not carried

out.

Table 14-1 lists the supported rate limiting signatures and parameters.

Table 14-1

Rate Limiting Signatures

Destination IP

Address Allowed Data

Signature ID

2152

Signature Name

Protocol

ICMP

ICMP Flood Host

ICMP Smurf Attack

Yes

echo-request

echo-reply

2153

ICMP

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

14-4

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting

Understanding Service Policies for Rate Limiting

Table 14-1

Rate Limiting Signatures (continued)

Destination IP

Address Allowed Data

Signature ID

4002

Signature Name

Protocol

UDP Flood Host

UDP

ICMP

UDP

TCP

Yes

none

6901

Net Flood ICMP Reply

Net Flood ICMP Request

Net Flood ICMP Any

Net Flood UDP

echo-reply

echo-request

None

6902

6903

6910

None

6920

Net Flood TCP

None

3050

TCP HalfOpenSyn

TCP

halfOpenSyn

Tip

To check the status of the ARC, type show statistics network-access at the sensor#. The output shows

the devices you are managing, any active blocks and rate limits, and the status of all devices..

For More Information

•

For the procedure for configuring rate limiting on a router, see Configuring Blocking and Rate

Limiting Devices, page 14-21.

•

For the procedure for configuring a sensor to be a master blocking sensor, see Configuring the

Sensor to be a Master Blocking Sensor, page 14-28.

Understanding Service Policies for Rate Limiting

You must not apply a service policy to an interface/direction that is configured for rate limiting. If you

do so, the rate limit action will fail. Before configuring rate limits, confirm that there is no service policy

on the interface/direction, and remove it if one exists. The ARC does not remove the existing rate limit

unless it is one that the ARC had previously added.

Rate limits use ACLs, but not in the same way as blocks. Rate limits use acls and class-map entries to

identify traffic, and policy-map and service-policy entries to police the traffic.

Before Configuring ARC

Caution

Two sensors cannot control blocking or rate limiting on the same device. If this situation is needed,

configure one sensor as the master blocking sensor to manage the devices and the other sensors can

forward their requests to the master blocking sensor.

Note

When you add a master blocking sensor, you reduce the number of blocking devices per sensor. For

example, if you want to block on 10 security appliances and 10 routers with one blocking

interface/direction each, you can assign 10 to the sensor and assign the other 10 to a master blocking

sensor.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

14-5

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting

Supported Devices

Before you configure the ARC for blocking or rate limiting, make sure you do the following:

•

Analyze your network topology to understand which devices should be blocked by which sensor,

and which addresses should never be blocked.

•

Gather the usernames, device passwords, enable passwords, and connections types (Telnet or SSH)

needed to log in to each device.

•

Know the interface names on the devices.

Know the names of the Pre-Block ACL or VACL and the Post-Block ACL or VACL if needed.

Understand which interfaces should and should not be blocked and in which direction (in or out).

You do not want to accidentally shut down an entire network.

For More Information

For the procedure for configuring the master blocking sensor, see Configuring the Sensor to be a Master

Blocking Sensor, page 14-28.

Supported Devices

Caution

If the recommended limits are exceeded, the ARC may not apply blocks in a timely manner or may not

be able to apply blocks at all.

By default, the ARC supports up to 250 devices in any combination. The following devices are supported

for blocking by the ARC:

•

Cisco series routers using Cisco IOS 11.2 or later (ACLs):

–

Cisco 1600 series router

Cisco 1700 series router

Cisco 2500 series router

Cisco 2600 series router

Cisco 2800 series router

Cisco 3600 series router

Cisco 3800 series router

Cisco 7200 series router

Cisco 7500 series router

•

Catalyst 5000 switches with RSM with IOS 11.2(9)P or later (ACLs)

Catalyst 6500 switches and 7600 routers with IOS 12.1(13)E or later (ACLs)

Catalyst 6500 switches 7600 routers with Catalyst software version 7.5(1) or later (VACLs)

–

Supervisor Engine 1A with PFC

Supervisor Engine 1A with MSFC1

Supervisor Engine 1A with MFSC2

Supervisor Engine 2 with MSFC2

Supervisor Engine 720 with MSFC3

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

14-6

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting

Configuring Blocking Properties

Note

We support VACL blocking on the Supervisor Engine and ACL blocking on the MSFC.

•

PIX Firewall with version 6.0 or later (shun command)

–

501

506E

515E

525

535

•

ASA with version 7.0 or later (shun command)

–

ASA 5510

ASA 5520

ASA 5540

FWSM 1.1 or later (shun command)

You configure blocking using either ACLs, VACLS, or the shun command. All firewall and ASA models

support the shun command.

The following devices are supported for rate limiting by the ARC:

•

Cisco series routers using Cisco IOS 12.3 or later:

–

Cisco 1700 series router

Cisco 2500 series router

Cisco 2600 series router

Cisco 2800 series router

Cisco 3600 series router

Cisco 3800 series router

Cisco 7200 series router

Cisco 7500 series router

Caution

The ARC cannot perform rate limits on 7500 routers with VIP. The ARC reports the error but cannot rate

limit.

Configuring Blocking Properties

You can change the default blocking properties. It is best to use the default properties, but if you need to

change them, use the following procedures:

•

Allowing the Sensor to Block Itself, page 14-8

Disabling Blocking, page 14-9

Specifying Maximum Block Entries, page 14-11

Specifying the Block Time, page 14-13

Enabling ACL Logging, page 14-14

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

14-7

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting

Configuring Blocking Properties

•

Enabling Writing to NVRAM, page 14-15

Logging All Blocking Events and Errors, page 14-16

Configuring the Maximum Number of Blocking Interfaces, page 14-17

Configuring Addresses Never to Block, page 14-19

Allowing the Sensor to Block Itself

Caution

We recommend that you do not permit the sensor to block itself, because it may stop communicating

with the blocking device. You can configure this option if you can ensure that if the sensor creates a rule

to block its own IP address, it will not prevent the sensor from accessing the blocking device.

Use the allow-sensor-block {true | false} command in the service network access submode to configure

the sensor to block itself. To allow the sensor to block itself, follow these steps:

Step 1

Step 2

Enter network access submode.

sensor# configure terminal

sensor(config)# service network-access

Step 3

Step 4

Step 5

Enter general submode.

sensor(config-net)# general

Configure the sensor to block itself. By default, this value is false.

sensor(config-net-gen)# allow-sensor-block true

Verify the settings.

sensor(config-net-gen)# show settings

general

-----------------------------------------------

log-all-block-events-and-errors: true <defaulted>

enable-nvram-write: false <defaulted>

enable-acl-logging: false <defaulted>

allow-sensor-block: true default: false

block-enable: true default: true

block-max-entries: 100 default: 250

max-interfaces: 250 <defaulted>

master-blocking-sensors (min: 0, max: 100, current: 0)

-----------------------------------------------

never-block-hosts (min: 0, max: 250, current: 1)

-----------------------------------------------

ip-address: 192.0.2.1

-----------------------------------------------

never-block-networks (min: 0, max: 250, current: 1)

-----------------------------------------------

ip-address: 209.165.200.224/27

-----------------------------------------------

block-hosts (min: 0, max: 250, current: 0)

-----------------------------------------------

--MORE--

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

14-8

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting

Disabling Blocking

Step 6

Step 7

Configure the sensor not to block itself.

sensor(config-net-gen)# allow-sensor-block false

Verify the setting.

sensor(config-net-gen)# show settings

general

-----------------------------------------------

log-all-block-events-and-errors: true <defaulted>

enable-nvram-write: false <defaulted>

enable-acl-logging: false <defaulted>

allow-sensor-block: false default: false

block-enable: true default: true

block-max-entries: 100 default: 250

max-interfaces: 250 <defaulted>

master-blocking-sensors (min: 0, max: 100, current: 0)

-----------------------------------------------

never-block-hosts (min: 0, max: 250, current: 1)

-----------------------------------------------

ip-address: 192.0.2.1

-----------------------------------------------

never-block-networks (min: 0, max: 250, current: 1)

-----------------------------------------------

ip-address: 209.165.200.224/27

-----------------------------------------------

block-hosts (min: 0, max: 250, current: 0)

-----------------------------------------------

--MORE--

Step 8

Step 9

Exit network access submode.

sensor(config-net-gen)# exit

sensor(config-net)# exit

Apply Changes:?[yes]:

Press Enter to apply the changes or enter no to discard them.

Disabling Blocking

Note

For blocking to operate, you must set up devices to do the blocking.

Use the block-enable {true | false} command in the service network access submode to enable or disable

blocking on the sensor. By default, blocking is enabled on the sensor. If the ARC is managing a device

and you need to manually configure something on that device, you should disable blocking first. You

want to avoid a situation in which both you and the ARC could be making a change at the same time on

the same device. This could cause the device and/or the ARC to crash.

Caution

If you disable blocking for maintenance on the devices, make sure you enable it after the maintenance

is complete or the network will be vulnerable to attacks that would otherwise be blocked

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

14-9

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting

Disabling Blocking

Note

While blocking is disabled, the ARC continues to receive blocks and track the time on active blocks, but

will not apply new blocks or remove blocks from the managed devices. After blocking is reenabled, the

blocks on the devices are updated.

To disable blocking or rate limiting, follow these steps:

Step 1

Step 2

Enter network access submode.

sensor# configure terminal

sensor(config)# service network-access

sensor(config-net)#

Step 3

Step 4

Step 5

Enter general submode.

sensor(config-net)# general

Disable blocking on the sensor. By default, this value is set to true.

sensor(config-net-gen)# block-enable false

Verify the settings.

sensor(config-net-gen)# show settings

general

-----------------------------------------------

log-all-block-events-and-errors: true <defaulted>

enable-nvram-write: false <defaulted>

enable-acl-logging: false <defaulted>

allow-sensor-block: false default: false

block-enable: false default: true

block-max-entries: 100 default: 250

max-interfaces: 250 <defaulted>

master-blocking-sensors (min: 0, max: 100, current: 0)

-----------------------------------------------

never-block-hosts (min: 0, max: 250, current: 1)

-----------------------------------------------

ip-address: 192.0.2.1

-----------------------------------------------

never-block-networks (min: 0, max: 250, current: 1)

-----------------------------------------------

ip-address: 209.165.200.224/27

-----------------------------------------------

block-hosts (min: 0, max: 250, current: 0)

-----------------------------------------------

--MORE--

Step 6

Step 7

Enable blocking on the sensor.

sensor(config-net-gen)# block-enable true

Verify that the setting has been returned to the default.

sensor(config-net-gen)# show settings

general

-----------------------------------------------

log-all-block-events-and-errors: true <defaulted>

enable-nvram-write: false <defaulted>

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

14-10

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting

Disabling Blocking

enable-acl-logging: false <defaulted>

allow-sensor-block: false default: false

block-enable: true default: true

block-max-entries: 100 default: 250

max-interfaces: 250 <defaulted>

master-blocking-sensors (min: 0, max: 100, current: 0)

-----------------------------------------------

never-block-hosts (min: 0, max: 250, current: 1)

-----------------------------------------------

ip-address: 192.0.2.1

-----------------------------------------------

never-block-networks (min: 0, max: 250, current: 1)

-----------------------------------------------

ip-address: 209.165.200.224/27

-----------------------------------------------

block-hosts (min: 0, max: 250, current: 0)

-----------------------------------------------

--MORE--

Step 8

Step 9

Exit network access submode.

sensor(config-net-gen)# exit

sensor(config-net)# exit

Apply Changes:?[yes]:

Press Enter to apply the changes or enter no to discard them.

For More Information

•

For the procedure for configuring the sensor to manage Cisco routers, see Configuring the Sensor

to Manage Cisco Routers, page 14-22.

•

For the procedure for configuring the sensor to manage Cisco routers and switches, seeConfiguring

the Sensor to Manage Catalyst 6500 Series Switches and Cisco 7600 Series Routers, page 14-25.

Specifying Maximum Block Entries

Caution

We do not recommend setting the maximum block entries higher than 250. Some devices have problems

with larger numbers of ACL or shun entries. Refer to the documentation for each device to determine its

limits before increasing this number.

Note

The number of blocks will not exceed the maximum block entries. If the maximum is reached, new

blocks will not occur until existing blocks time out and are removed.

Use the block-max-entries command in the service network access submode to configure the maximum

block entries. You can set how many blocks are to be maintained simultaneously (1 to 65535). The

default value is 250. To change the maximum number of block entries, follow these steps:

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

14-11

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting

Disabling Blocking

Step 1

Step 2

Enter network access submode.

sensor# configure terminal

sensor(config)# service network-access

sensor(config-net)#

Step 3

Step 4

Step 5

Enter general submode.

sensor(config-net)# general

Change the maximum number of block entries.

sensor(config-net-gen)# block-max-entries 100

Verify the setting.

sensor(config-net-gen)# show settings

general

-----------------------------------------------

log-all-block-events-and-errors: true <defaulted>

enable-nvram-write: false <defaulted>

enable-acl-logging: false <defaulted>

allow-sensor-block: false default: false

block-enable: true <defaulted>

block-max-entries: 100 default: 250

max-interfaces: 250 <defaulted>

master-blocking-sensors (min: 0, max: 100, current: 0)

-----------------------------------------------

never-block-hosts (min: 0, max: 250, current: 1)

-----------------------------------------------

ip-address: 192.0.2.1

-----------------------------------------------

never-block-networks (min: 0, max: 250, current: 1)

-----------------------------------------------

ip-address: 209.165.200.224/27

-----------------------------------------------

block-hosts (min: 0, max: 250, current: 0)

-----------------------------------------------

--MORE--

Step 6

Step 7

Return to the default value of 250 blocks.

sensor(config-net-gen)# default block-max-entries

Verify the setting.

sensor(config-net-gen)# show settings

general

-----------------------------------------------

log-all-block-events-and-errors: true <defaulted>

enable-nvram-write: false <defaulted>

enable-acl-logging: false <defaulted>

allow-sensor-block: false default: false

block-enable: true <defaulted>

block-max-entries: 250 <defaulted>

max-interfaces: 250 <defaulted>

master-blocking-sensors (min: 0, max: 100, current: 0

-----------------------------------------------

never-block-hosts (min: 0, max: 250, current: 1)

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

14-12

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting

Disabling Blocking

-----------------------------------------------

ip-address: 192.0.2.1

-----------------------------------------------

never-block-networks (min: 0, max: 250, current: 1)

-----------------------------------------------

ip-address: 209.165.200.224/27

-----------------------------------------------

block-hosts (min: 0, max: 250, current: 0)

-----------------------------------------------

--MORE--

Step 8

Step 9

Exit network access submode.

sensor(config-net-gen)# exit

sensor(config-net)# exit

Apply Changes:?[yes]:

Press Enter to apply the changes or enter no to discard them.

Specifying the Block Time

Note

If you change the default block time, you are changing a signature parameter, which affects all

signatures.

Note

The time for manual blocks is set when you request the block.

Use the global-block-timeout command in the service event action rules submode to change the amount

of time an automatic block lasts. The default is 30 minutes. To change the default block time, follow

these steps:

Step 1

Step 2

Enter event action rules submode.

sensor# configure terminal

sensor(config)# service event-action-rules rules0

sensor(config-rul)#

Step 3

Step 4

Step 5

Enter general submode.

sensor(config-rul)# general

Specify the block time. The value is the time duration of the block event in minutes (0 to 10000000).

sensor(config-rul-gen)# global-block-timeout 60

Verify the setting.

sensor(config-rul-gen)# show settings

general

-----------------------------------------------

global-overrides-status: Enabled <defaulted>

global-filters-status: Enabled <defaulted>

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

14-13

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting

Disabling Blocking

global-summarization-status: Enabled <defaulted>

global-metaevent-status: Enabled <defaulted>

global-deny-timeout: 3600 <defaulted>

global-block-timeout: 60 default: 30

max-denied-attackers: 10000 <defaulted>

-----------------------------------------------

sensor(config-rul-gen)#

Step 6

Step 7

Exit event action rules submode.

sensor(config-rul-gen)# exit

sensor(config-rul)# exit

Apply Changes:?[yes]:

Press Enter to apply the changes or enter no to discard them.

Note

There is a time delay while the signatures are updated.

Enabling ACL Logging

Use the enable-acl-logging {true | false} command in the service network access submode to enable

ACL logging, which causes ARC to append the log parameter to block entries in the ACL or VACL. This

causes the device to generate syslog events when packets are filtered. Enable ACL logging only applies

to routers and switches. The default is disabled.

To enable ACL logging, follow these steps:

Step 1

Step 2

Enter network access submode:

sensor# configure terminal

sensor(config)# service network-access

sensor(config-net)#

Step 3

Step 4

Step 5

Enter general submode.

sensor(config-net)# general

Enable ACL logging.

sensor(config-net-gen)# enable-acl-logging true

Verify that ACL logging is enabled.

sensor(config-net-gen)# show settings

general

-----------------------------------------------

log-all-block-events-and-errors: true <defaulted>

enable-nvram-write: false <defaulted>

enable-acl-logging: true default: false

allow-sensor-block: false <defaulted>

block-enable: true <defaulted>

block-max-entries: 250 <defaulted>

max-interfaces: 250 <defaulted>

master-blocking-sensors (min: 0, max: 100, current: 0)

-----------------------------------------------

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

14-14

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting

Disabling Blocking

Step 6

Step 7

Disable ACL logging by using the false keyword.

sensor(config-net-gen)# enable-acl-logging false

Verify that ACL logging is disabled.

sensor(config-net-gen)# show settings

general

-----------------------------------------------

log-all-block-events-and-errors: true <defaulted>

enable-nvram-write: false <defaulted>

enable-acl-logging: false default: false

allow-sensor-block: false <defaulted>

block-enable: true <defaulted>

block-max-entries: 250 <defaulted>

max-interfaces: 250 <defaulted>

master-blocking-sensors (min: 0, max: 100, current: 0)

-----------------------------------------------

Step 8

Step 9

Exit network access mode.

sensor(config-net-gen)# exit

sensor(config-net)# exit

Apply Changes:?[yes]:

Press Enter to apply the changes or enter no to discard them.

Enabling Writing to NVRAM

Use the enable-nvram-write {true | false} command to configure the sensor to have the router write to

NVRAM when ARC first connects. If enable-nvram-write is enabled, NVRAM is written each time the

ACLs are updated. The default is disabled.

Enabling NVRAM writing ensures that all changes for blocking are written to NVRAM. If the router is

rebooted, the correct blocks will still be active. If NVRAM writing is disabled, a short time without

blocking occurs after a router reboot. And not enabling NVRAM writing increases the life of the

NVRAM and decreases the time for new blocks to be configured.

To enable writing to NVRAM, follow these steps:

Step 1

Step 2

Enter network access submode.

sensor# configure terminal

sensor(config)# service network-access

sensor(config-net)#

Step 3

Step 4

Step 5

Enter general submode.

sensor(config-net)# general

Enable writing to NVRAM.

sensor(config-net-gen)# enable-nvram-write true

Verify that writing to NVRAM is enabled.

sensor(config-net-gen)# show settings

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

14-15

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting

Disabling Blocking

general

-----------------------------------------------

log-all-block-events-and-errors: true <defaulted>

enable-nvram-write: true default: false

enable-acl-logging: false default: false

allow-sensor-block: false <defaulted>

block-enable: true <defaulted>

block-max-entries: 250 <defaulted>

max-interfaces: 250 <defaulted>

master-blocking-sensors (min: 0, max: 100, current: 0)

-----------------------------------------------

Step 6

Step 7

Disable writing to NVRAM.

sensor(config-net-gen)# enable-nvram-write false

Verify that writing to NVRAM is disabled.

sensor(config-net-gen)# show settings

general

-----------------------------------------------

log-all-block-events-and-errors: true <defaulted>

enable-nvram-write: false default: false

enable-acl-logging: false default: false

allow-sensor-block: false <defaulted>

block-enable: true <defaulted>

block-max-entries: 250 <defaulted>

max-interfaces: 250 <defaulted>

master-blocking-sensors (min: 0, max: 100, current: 0)

-----------------------------------------------

Step 8

Step 9

Exit network access submode.

sensor(config-net-gen)# exit

sensor(config-net)# exit

Apply Changes:?[yes]:

Press Enter to apply the changes or enter no to discard them.

Logging All Blocking Events and Errors

Use the log-all-block-events-and-errors {true | false} command in the service network access submode

to configure the sensor to log events that follow blocks from start to finish. For example, when a block

is added to or removed from a device, an event is logged. You may not want all these events and errors

to be logged. Disabling log-all-block-events-and-errors suppresses the new events and errors. The

default is enabled.

To disable blocking event and error logging, follow these steps:

Step 1

Step 2

Enter network access mode.

sensor# configure terminal

sensor(config)# service network-access

sensor(config-net)#

Step 3

Enter general submode.

sensor(config-net)# general

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

14-16

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting

Disabling Blocking

Step 4

Step 5

Disable blocking event and error logging.

sensor(config-net-gen)# log-all-block-events-and-errors false

Verify that logging is disabled.

sensor(config-net-gen)# show settings

general

-----------------------------------------------

log-all-block-events-and-errors: false default: true

enable-nvram-write: false default: false

enable-acl-logging: false default: false

allow-sensor-block: false <defaulted>

block-enable: true <defaulted>

block-max-entries: 250 <defaulted>

max-interfaces: 250 <defaulted>

master-blocking-sensors (min: 0, max: 100, current: 0)

-----------------------------------------------

Step 6

Step 7

Enable blocking event and error logging.

sensor(config-net-gen)# log-all-block-events-and-errors true

Verify that logging is enabled.

sensor(config-net-gen)# show settings

general

-----------------------------------------------

log-all-block-events-and-errors: true default: true

enable-nvram-write: false default: false

enable-acl-logging: false default: false

allow-sensor-block: false <defaulted>

block-enable: true <defaulted>

block-max-entries: 250 <defaulted>

max-interfaces: 250 <defaulted>

master-blocking-sensors (min: 0, max: 100, current: 0)

-----------------------------------------------

Step 8

Step 9

Exit network access mode.

sensor(config-net-gen)# exit

sensor(config-net)# exit

Apply Changes:?[yes]:

Press Enter to apply the changes or type no to discard them.

Configuring the Maximum Number of Blocking Interfaces

Use the max-interfaces command to configure the maximum number of interfaces for performing

blocks. For example, a PIX Firewall counts as one interface. A router with one interface counts as one,

but a router with two interfaces counts as two. At most you can configure 250 blocking interfaces on a

router, switch, or firewall. You can configure up to 250 Catalyst 6K switches, 250 routers, and 250

firewalls.

The max-interfaces command configures the limit of the sum total of all interfaces and devices. In

addition to configuring the limit on the sum total of interfaces and devices, there is a fixed limit on the

number of blocking interfaces you can configure per device. Use the show settings command in network

access mode to view the specific maximum limits per device.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

14-17

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting

Disabling Blocking

To configure the maximum number of blocking interfaces, follow these steps:

Step 1

Step 2

Enter network access mode.

sensor# configure terminal

sensor(config)# service network-access

sensor(config-net)#

Step 3

Step 4

Step 5

Enter general submode.

sensor(config-net)# general

Specify the maximum number of interfaces.

sensor(config-net-gen)# max-interfaces 50

Verify the number of maximum interfaces.

sensor(config-net-gen)# show settings

general

-----------------------------------------------

log-all-block-events-and-errors: true default: true

enable-nvram-write: false default: false

enable-acl-logging: false default: false

allow-sensor-block: false <defaulted>

block-enable: true <defaulted>

block-max-entries: 250 <defaulted>

max-interfaces: 50 default: 250

master-blocking-sensors (min: 0, max: 100, current: 0)

-----------------------------------------------

Step 6

Step 7

Return the setting to the default of 250.

sensor(config-net-gen)# default max-interfaces

Verify the default setting.

sensor(config-net-gen)# show settings

general

-----------------------------------------------

log-all-block-events-and-errors: true default: true

enable-nvram-write: false default: false

enable-acl-logging: false default: false

allow-sensor-block: false <defaulted>

block-enable: true <defaulted>

block-max-entries: 250 <defaulted>

max-interfaces: 250 <defaulted>

master-blocking-sensors (min: 0, max: 100, current: 0)

----------------------------------------------

Step 8

Step 9

Exit network access mode.

sensor(config-net-gen)# exit

sensor(config-net)# exit

Apply Changes:?[yes]:

Press Enter to apply the changes or enter no to discard them.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

14-18

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting

Disabling Blocking

Configuring Addresses Never to Block

Use the never-block-hosts and the never-block-networks commands in the service network access

submode to configure hosts and network that should never be blocked.

The following options apply:

•

ip_address—Specifies the IP address of the device that should never be blocked.

ip_address/netmask—Specifies the IP address of the network that should never be blocked. The

format is A.B.C.D/nn.

You must tune your sensor to identify hosts and networks that should never be blocked, not even

manually, because you may have a trusted network device whose normal, expected behavior appears to

be an attack. Such a device should never be blocked, and trusted, internal networks should never be

blocked. You can specify a single host or an entire network.

Note

The never-block-hosts and the never-block-networks commands apply only to the Request Block Host

and Request Block Connection event actions. It does not apply to the Deny Attacker Inline, Deny

Connection Inline, or Deny Packet Inline event actions. Use event action rules to filter out the hosts that

you do not want blocked, denied, or dropped.

Configuring Addresses Never to Be Blocked

To set up addresses never to be blocked by blocking devices, follow these steps:

Step 1

Step 2

Enter network access submode.

sensor# configure terminal

sensor(config)# service network-access

sensor(config-net)#

Step 3

Step 4

Enter general submode.

sensor(config-net)# general

Specify the address that should never be blocked:

•

For a single host

sensor(config-net-gen)# never-block-hosts 192.0.2.1

For a network

sensor(config-net-gen)# never-block-networks 209.165.200.224/27

Step 5

Verify the settings.

sensor(config-net-gen)# show settings

general

-----------------------------------------------

log-all-block-events-and-errors: true <defaulted>

enable-nvram-write: false <defaulted>

enable-acl-logging: false <defaulted>

allow-sensor-block: false default: false

block-enable: true default: true

block-max-entries: 100 default: 250

max-interfaces: 250 <defaulted>

master-blocking-sensors (min: 0, max: 100, current: 0)

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

14-19

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting

Configuring User Profiles

-----------------------------------------------

never-block-hosts (min: 0, max: 250, current: 2)

-----------------------------------------------

ip-address: 192.0.2.1

-----------------------------------------------

never-block-networks (min: 0, max: 250, current: 2)

-----------------------------------------------

ip-address: 209.165.200.224/27

--MORE--

Step 6

Step 7

Exit network access submode.

sensor(config-net-gen)# exit

sensor(config-net)# exit

Apply Changes:?[yes]:

Press Enter to apply the changes or enter no to discard them.

For More Information

For the procedure for configuring event action filters, see Configuring Event Action Filters, page 8-21.

Configuring User Profiles

Note

If the username or password is not needed to log in to the device, do not set a value for it.

Note

You MUST create a user profile before configuring the blocking device.

Use the user-profiles profile_name command in the service network access submode to set up user

profiles for the other devices that the senor will manage. The user profiles contain userid, password, and

enable password information. For example, routers that all share the same passwords and usernames can

be under one user profile. To set up user profiles, follow these steps:

Step 1

Step 2

Enter network access mode.

sensor# configure terminal

sensor(config)# service network-access

sensor(config-net)#

Step 3

Step 4

Step 5

Create the user profile name.

sensor(config-net)# user-profiles PROFILE1

Enter the username for that user profile.

sensor(config-net-use)# username username

Specify the password for the user.

sensor(config-net-use)# password

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

14-20

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting

Configuring Blocking and Rate Limiting Devices

Enter password[]: ********

Re-enter password ********

Step 6

Step 7

Specify the enable password for the user.

sensor(config-net-use)# enable-password

Enter enable-password[]: ********

Re-enter enable-password ********

Verify the settings.

sensor(config-net-use)# show settings

profile-name: PROFILE1

-----------------------------------------------

enable-password: <hidden>

password: <hidden>

username: jsmith default:

-----------------------------------------------

sensor(config-net-use)#

Step 8

Step 9

Exit network access submode.

sensor(config-net-use)# exit

sensor(config-net)# exit

Apply Changes:?[yes]:

Press Enter to apply the changes or enter no to discard them.

Configuring Blocking and Rate Limiting Devices

This section describes how to configure devices that the sensor uses to perform blocking or rate limiting.

It contains the following topics:

•

How the Sensor Manages Devices, page 14-21

Configuring the Sensor to Manage Cisco Routers, page 14-22

Configuring the Sensor to Manage Catalyst 6500 Series Switches and Cisco 7600 Series Routers,

page 14-25

•

Configuring the Sensor to Manage Cisco Firewalls, page 14-27

How the Sensor Manages Devices

Note

ACLs do not apply to rate limiting devices.

The ARC uses ACLs on Cisco routers and switches to manage those devices. These ACLs are built as

follows:

1. A permit line with the sensor IP address or, if specified, the NAT address of the sensor.

Note

If you permit the sensor to be blocked, this line does not appear in the ACL.

2. Pre-Block ACL (if specified). This ACL must already exist on the device.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

14-21

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting

Configuring Blocking and Rate Limiting Devices

Note

The ARC reads the lines in the ACL and copies these lines to the beginning of the ACL.

3. Any active blocks.

4. Either specify a Post-Block ACL, which must already exist on the device, or specify permit ip any

any (do not use if a Post-Block ACL is specified). The ARC reads the lines in the ACL and copies

these lines to the end of the ACL.

Note

Make sure the last line in the ACL is permit ip any any if you want all unmatched packets

to be permitted.

The ARC uses two ACLs to manage devices. Only one is active at any one time. It uses the offline ACL

name to build the new ACL, then applies it to the interface. The ARC then reverses the process on the

next cycle.

Caution

The ACLs that the ARC makes should never be modified by you or any other system. These ACLs are

temporary and new ACLs are constantly being created by the sensor. The only modifications that you

can make are to the Pre- and Post-Block ACLs.

If you need to modify the Pre-Block or Post-Block ACL, do the following:

1. Disable blocking on the sensor.

2. Make the changes to the configuration of the device.

3. Reenable blocking on the sensor.

When blocking is reenabled, the sensor reads the new device configuration.

Caution

A single sensor can manage multiple devices, but you cannot use multiple sensors to control a single

device. In this case, use a master blocking sensor.

For More Information

•

For the procedure for enabling blocking, see Configuring Blocking Properties, page 14-7.

For the procedure for configuring the sensor to be a master blocking sensor, see Configuring the

Sensor to be a Master Blocking Sensor, page 14-28.

Configuring the Sensor to Manage Cisco Routers

This section describes how to configure the sensor to manage Cisco routers. It contains the following

topics:

•

Routers and ACLs, page 14-23

Configuring the Sensor to Manage Cisco Routers, page 14-23

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

14-22

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting

Configuring Blocking and Rate Limiting Devices

Routers and ACLs

Note

Pre-Block and Post-Block ACLS do not apply to rate limiting.

You create and save Pre-Block and Post-Block ACLs in your router configuration. These ACLs must be

extended IP ACLs, either named or numbered. See your router documentation for more information on

creating ACLs. Enter the names of these ACLs that are already configured on your router in the

Pre-Block ACL and Post-Block ACL fields.

The Pre-Block ACL is mainly used for permitting what you do not want the sensor to ever block. When

a packet is checked against the ACL, the first line that gets matched determines the action. If the first

line matched is a permit line from the Pre-Block ACL, the packet is permitted even though there may be

a deny line (from an automatic block) listed later in the ACL. The Pre-Block ACL can override the deny

lines resulting from the blocks.

The Post-Block ACL is best used for additional blocking or permitting that you want to occur on the

same interface or direction. If you have an existing ACL on the interface or direction that the sensor will

manage, that existing ACL can be used as a Post-Block ACL. If you do not have a Post-Block ACL, the

sensor inserts permit ip any any at the end of the new ACL.

When the sensor starts up, it reads the contents of the two ACLs. It creates a third ACL with the

following entries:

•

A permit line for the sensor IP address

Copies of all configuration lines of the Pre-Block ACL

A deny line for each address being blocked by the sensor

Copies of all configuration lines of the Post-Block ACL

The sensor applies the new ACL to the interface and direction that you designate.

Note

When the new ACL is applied to an interface or direction of the router, it removes the application of any

other ACL to that interface or direction.

Configuring the Sensor to Manage Cisco Routers

To configure a sensor to manage a Cisco router to perform blocking and rate limiting, follow these steps:

Step 1

Step 2

Enter network access submode.

sensor# configure terminal

sensor(config)# service network-access

sensor(config-net)#

Step 3

Step 4

Specify the IP address for the router controlled by the ARC.

sensor(config-net)# router-devices ip_address

Enter the logical device name that you created when you configured the user profile. The ARC accepts

anything you enter. It does not check to see if the user profile exists.

sensor(config-net-rou)# profile-name user_profile_name

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

14-23

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting

Configuring Blocking and Rate Limiting Devices

Step 5

Specify the method used to access the sensor. If unspecified, SSH 3DES is used.

sensor(config-net-rou)# communication {telnet | ssh-3des}

Note

If you are using 3DES, you must use the command ssh host-key ip_address to accept the key or

ARC cannot connect to the device.

Step 6

Specify the sensor NAT address.

sensor(config-net-rou)# nat-address nat_address

Note

This changes the IP address in the first line of the ACL from the address of the sensor to the NAT

address. This is not a NAT address configured on the device being managed. It is the address the

sensor is translated to by an intermediate device, one that is between the sensor and the device

being managed.

Step 7

Specify whether the router will perform blocking, rate limiting, or both.

Note

The default is blocking. You do not have to configure response capabilities if you want the router

to perform blocking only.

a. Rate limiting only

sensor(config-net-rou)# response-capabilities rate-limit

b. Both blocking and rate limiting

sensor(config-net-rou)# response-capabilities block|rate-limit

Step 8

Specify the interface name and direction.

sensor(config-net-rou)# block-interfaces interface_name {in | out}

Caution

Step 9

The name of the interface must either be the complete name of the interface or an abbreviation that the

router recognizes with the interface command.

(Optional) Add the pre-ACL name (blocking only).

sensor(config-net-rou-blo)# pre-acl-name pre_acl_name

Step 10 (Optional) Add the post-ACL name (blocking only).

sensor(config-net-rou-blo)# post-acl-name post_acl_name

Step 11 Verify the settings.

sensor(config-net-rou-blo)# exit

sensor(config-net-rou)# show settings

ip-address: 192.0.2.1

-----------------------------------------------

communication: ssh-3des default: ssh-3des

nat-address: 19.89.149.219 default: 0.0.0.0

profile-name: PROFILE1

block-interfaces (min: 0, max: 100, current: 1)

-----------------------------------------------

interface-name: GigabitEthernet0/1

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

14-24

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting

Configuring Blocking and Rate Limiting Devices

direction: in

-----------------------------------------------

pre-acl-name: <defaulted>

post-acl-name: <defaulted>

-----------------------------------------------

response-capabilities: block|rate-limit default: block

-----------------------------------------------

sensor(config-net-rou)#

Step 12 Exit network access submode.

sensor(config-net-rou)# exit

sensor(config-net)# exit

sensor(config)# exit

Apply Changes:?[yes]:

Step 13 Press Enter to apply the changes or enter no to discard them.

For More Information

•

For the procedure for configuring user profiles, see Configuring User Profiles, page 14-20.

For the procedure for adding a device to the known hosts list, see Adding Hosts to the SSH Known

Hosts List, page 3-46.

Configuring the Sensor to Manage Catalyst 6500 Series Switches and Cisco

7600 Series Routers

This section describes how to configure the sensor to manage Cisco switches. It contains the following

topics:

•

Switches and V ACLs, page 14-25

Configuring the Sensor to Manage Catalyst 6500 Series Switches and Cisco 7600 Series Routers,

page 14-26

Switches and VACLs

You can configure the ARC to block using VACLs on the switch itself when running Cisco Catalyst

software, or to block using router ACLs on the MSFC or on the switch itself when running Cisco IOS

software. This section describes blocking using VACLs. You cannot configure switches that use VACLs

to perform rate limiting. You must configure the blocking interfaces on the Catalyst 6500 series switch

and specify the VLAN of traffic you want blocked.

You create and save Pre-Block and Post-Block VACLs in your switch configuration. These VACLs must

be extended IP VACLs, either named or numbered. See your switch documentation for more information

on creating VACLs. Enter the names of these VACLs that are already configured on your switch in the

Pre-Block VACL and Post-Block VACL fields.

The Pre-Block VACL is used mainly for permitting what you do not want the sensor to ever block. When

a packet is checked against the VACL, the first line that gets matched determines the action. If the first

line matched is a permit line from the Pre-Block VACL, the packet is permitted even though there may

be a deny line (from an automatic block) listed later in the VACL. The Pre-Block VACL can override the

deny lines resulting from the blocks.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

14-25

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting

Configuring Blocking and Rate Limiting Devices

The Post-Block VACL is best used for additional blocking or permitting that you want to occur on the

same VLAN. If you have an existing VACL on the VLAN that the sensor will manage, the existing VACL

can be used as a Post-Block VACL. If you do not have a Post-Block V ACL, the sensor inserts permit

ip any any at the end of the new VACL.

When the sensor starts up, it reads the contents of the two VACLs. It creates a third VACL with the

following entries:

•

A permit line for the sensor IP address

Copies of all configuration lines of the Pre-Block VACL

A deny line for each address being blocked by the sensor

Copies of all configuration lines of the Post-Block VACL

The sensor applies the new VACL to the VLAN that you designate.

Note

When the new VACL is applied to a VLAN of the switch, it removes the application of any other VACL

to that VLAN.

For More Information

For the procedure for configuring blocking using router ACLs, see Configuring Blocking and Rate

Limiting Devices, page 14-21.

Configuring the Sensor to Manage Catalyst 6500 Series Switches and Cisco 7600 Series Routers

To configure the sensor to manage Catalyst 6500 series switches and Cisco 7600 series routers, follow

these steps:

Step 1

Step 2

Enter network access submode.

sensor# configure terminal

sensor(config)# service network-access

sensor(config-net)#

Step 3

Step 4

Specify the IP address for the router controlled by the ARC.

sensor(config-net)# cat6k-devices ip_address

Enter the user profile name that you created when you configured the user profile. The ARC accepts

anything you type. It does not accept it, check to see if the logical device exists.

sensor(config-net-cat)# profile-name user_profile_name

Step 5

Specify the method used to access the sensor. If unspecified, SSH 3DES is used.

sensor(config-net-cat)# communication {telnet | ssh-3des}

Note

If you are using 3DES, you must use the command ssh host-key ip_address to accept the key or

ARC cannot connect to the device.

Step 6

Specify the sensor NAT address.

sensor(config-net-cat)# nat-address nat_address

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

14-26

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting

Configuring Blocking and Rate Limiting Devices

Note

This changes the IP address in the first line of the ACL from the IP address of the sensor to the

NAT address. This is not a NAT address configured on the device being managed. It is the

address the sensor is translated to by an intermediate device, one that is between the sensor and

the device being managed.

Step 7

Step 8

Step 9

Specify the VLAN number.

sensor(config-net-cat)# block-vlans vlan_number

(Optional) Add the pre-VACL name.

sensor(config-net-cat-blo)# pre-vacl-name pre_vacl_name

(Optional) Add the post-VACL name.

sensor(config-net-cat-blo)# post-vacl-name post_vacl_name

Step 10 Exit network access submode.

sensor(config-net-cat-blo)# exit

sensor(config-net-cat)# exit

sensor(config-net)# exit

sensor(config)# exit

Apply Changes:?[yes]:

Step 11 Press Enter to apply the changes or enter no to discard them.

For More Information

•

For the procedure for configuring user profiles, see Configuring User Profiles, page 14-20.

For the procedure for adding a device to the known hosts list, see Adding Hosts to the SSH Known

Hosts List, page 3-46.

Configuring the Sensor to Manage Cisco Firewalls

To configure the sensor to manage Cisco firewalls, follow these steps:

Step 1

Step 2

Enter network access submode.

sensor# configure terminal

sensor(config)# service network-access

sensor(config-net)#

Step 3

Step 4

Specify the IP address for the firewall controlled by the ARC.

sensor(config-net)# firewall-devices ip_address

Enter the user profile name that you created when you configured the user profile. ARC accepts anything

you type. It does not check to see if the logical device exists.

sensor(config-net-fir)# profile-name user_profile_name

Step 5

Specify the method used to access the sensor. If unspecified, SSH 3DES is used.

sensor(config-net-fir)# communication {telnet | ssh-3des}

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

14-27

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting

Configuring the Sensor to be a Master Blocking Sensor

Note

If you are using 3DES, you must use the command ssh host-key ip_address to accept the key or

the ARC cannot connect to the device.

Step 6

Specify the sensor NAT address.

sensor(config-net-fir)# nat-address nat_address

Note

This changes the IP address in the first line of the ACL from the IP address of the sensor to the

NAT address. This is not a NAT address configured on the device being managed. It is the

address the sensor is translated to by an intermediate device, one that is between the sensor and

the device being managed.

Step 7

Step 8

Exit network access submode.

sensor(config-net-fir)# exit

sensor(config-net)# exit

sensor(config)# exit

Apply Changes:?[yes]:

Press Enter to apply the changes or enter no to discard them.

For More Information

•

For the procedure for configuring user profiles, see Configuring User Profiles, page 14-20.

For the procedure for adding a device to the known hosts list, see Adding Hosts to the SSH Known

Hosts List, page 3-46.

Configuring the Sensor to be a Master Blocking Sensor

Multiple sensors (blocking forwarding sensors) can forward blocking requests to a specified master

blocking sensor, which controls one or more devices. The master blocking sensor is the ARC running on

a sensor that controls blocking on one or more devices on behalf of one or more other sensors. The ARC

on a master blocking sensor controls blocking on devices at the request of the ARCs running on other

sensors. Master blocking sensors can also forward rate limits.

Caution

Two sensors cannot control blocking or rate limiting on the same device. If this situation is needed,

configure one sensor as the master blocking sensor to manage the devices and the other sensors can

forward their requests to the master blocking sensor.

When you add a master blocking sensor, you reduce the number of blocking devices per sensor. For

example, if you want to block on 10 firewalls and 10 routers with one blocking interface/direction each,

you can assign 10 to the sensor and assign the other 10 to a master blocking sensor.

On the blocking forwarding sensor, identify which remote host serves as the master blocking sensor; on

the master blocking sensor you must add the blocking forwarding sensors to its access list.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

14-28

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting

Configuring the Sensor to be a Master Blocking Sensor

If the master blocking sensor requires TLS for web connections, you must configure the ARC of the

blocking forwarding sensor to accept the X.509 certificate of the master blocking sensor remote host.

Sensors by default have TLS enabled, but you can change this option.

Note

Typically the master blocking sensor is configured to manage the network devices. Blocking forwarding

sensors are not normally configured to manage other network devices, although doing so is permissible.

Even if you have no devices configured for blocking or rate limiting, a sensor that is configured for

blocking or rate limiting can forward blocking and rate limiting requests to a master blocking sensor.

When a signature fires that has blocking or rate limit requests configured as event actions, the sensor

forwards the block or rate limit request to the master blocking sensor, which then performs the block or

rate limit.

Caution

Only one sensor should control all blocking interfaces on a device.

Use the master-blocking-sensors master_blocking_sensor_ip_address command in the service

network access submode to configure a master blocking sensor.

The following options apply:

•

master_blocking_sensor_ip_address—Specifies the IP address of sensor for forward block requests.

password—Specifies the account password of sensor for forward block requests.

port—Specifies the port of sensor for forward block requests.

tls {true | false} —Set to true if the remote sensor requires TLS; otherwise, set to false.

username—Specifies the account name of sensor for forward block requests.

Configuring the Master Blocking Sensor

To configure ARC on a sensor to forward blocks to a master blocking sensor, follow these steps:

Step 1

Step 2

the blocking forwarding sensor.

Enter configuration mode on both sensors.

sensor# configure terminal

Step 3

Configure TLS if necessary:

a. On the master blocking sensor, check to see if it requires TLS and what port number is used. If

enable-tlsis true, go to Step b.

sensor(config)# service web-server

sensor(config-web)# show settings

enable-tls: true <defaulted>

port: 443 <defaulted>

server-id: HTTP/1.1 compliant <defaulted>

sensor(config-web)#

b. On the blocking forwarding sensor, configure it to accept the X.509 certificate of the master

blocking sensor.

sensor(config-web)# exit

sensor(config)# tls trusted-host ip-address master_blocking_sensor_ip_address port

port_number

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

14-29

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting

Configuring the Sensor to be a Master Blocking Sensor

Example

sensor(config)# tls trusted-host ip-address 192.0.2.1 port 8080

Certificate MD5 fingerprint is

F4:4A:14:BA:84:F4:51:D0:A4:E2:15:38:7E:77:96:D8Certificate SHA1 fingerprint is

84:09:B6:85:C5:43:60:5B:37:1E:6D:31:6A:30:5F:7E:4D:4D:E8:B2

Would you like to add this to the trusted certificate table for this host?[yes]:

Note

You are prompted to accept the certificate based on the certificate fingerprint. Sensors

provide only self-signed certificates (instead of certificates signed by a recognized

certificate authority). You can verify the master blocking sensor host sensor certificate by

logging in to the host sensor and typing the show tls fingerprint command to see that the

fingerprints of the host certificate match.

Step 4

Step 5

Enter yesto accept the certificate from the master blocking sensor.

Enter network access mode.

sensor(config)# service network-access

Step 6

Step 7

Step 8

Step 9

Enter general submode.

sensor(config-net)# general

Add a master blocking sensor entry.

sensor(config-net-gen)# master-blocking-sensors master_blocking_sensor_ip_address

Specify the username for an administrative account on the master blocking sensor host.

sensor(config-net-gen-mas)# username username

Specify the password for the user.

sensor(config-net-gen-mas)# password

Enter password []: *****

Re-enter mbs-password []: *****

sensor(config-net-gen-mas)#

Step 10 Specify the port number for the host HTTP communications. The default is 80/443 if not specified.

sensor(config-net-gen-mas)# port port_number

Step 11 Specify whether or not the host uses TLS/SSL.

sensor(config-net-gen-mas)# tls {true | false}

sensor(config-net-gen-mas)

Note

If you set the value to true, you need to use the command tls trusted-host ip-address

master_blocking_sensor_ip_address.

Step 12 Exit network access submode.

sensor(config-net-gen-mas)# exit

sensor(config-net-gen)# exit

sensor(config-net)# exit

sensor(config)# exit

Apply Changes:?[yes]:

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

14-30

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting

Configuring Host Blocking

Step 13 Press Enter to apply the changes or enter no to discard them.

Step 14 On the master blocking sensor, add the block forwarding sensor IP address to the access list.

For More Information

For the procedure for adding the blocking forward sensor IP address to the access list, see Changing the

Access List, page 3-6.

Configuring Host Blocking

Note

Connection blocks and network blocks are not supported on adaptive security appliances. Adaptive

security appliances only support host blocks with additional connection information.

Use the block host ip-address [timeout minutes] command in privileged EXEC mode to block a host.

Use the no form of the command to remove a block on a host. You must have blocking configured before

you can set up host blocks. You can also view a list of hosts that are being blocked. If you do not

configure the amount of time for the host block, it is permanent.

The following options apply:

•

ip-address—Specifies the IP address of the host to be blocked.

minutes—(Optional) Specifies the duration of the host block in minutes. The valid range is 0 to

70560 minutes.

Blocking a Host

To block a host, follow these steps:

Step 1

Step 2

Configure the host block for 15 minutes, for example. The host block ends in 15 minutes.

sensor# block host 192.0.2.1 timeout 15

Step 3

Step 4

Start a host block. The host block lasts until you remove it.

sensor# block host 192.0.2.1

End the host block.

sensor# no block host 192.0.2.1

sensor#

Configuring Network Blocking

Note

Connection blocks and network blocks are not supported on adaptive security appliances. Adaptive

security appliances only support host blocks with additional connection information.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

14-31

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting

Configuring Connection Blocking

Use the block network ip-address/netmask [timeout minutes] command in privileged EXEC mode to

block a network. Use the no form of the command to remove a block on a network. You must have

blocking configured before you can set up network blocks. You can also view a list of networks that are

being blocked. If you do not configure the amount of time for the network block, it is permanent.

The following options apply:

•

ip-address/netmask—Specifies the network subnet to be blocked in X.X.X.X/nn format, where

X.X.X.X specifies the sensor IP address as a 32-bit address written as 4 octets separated by periods

where X = 0-255, and nn specifies the number of bits (1032) in the netmask.

•

minutes—(Optional) Specifies the duration of the network block in minutes. The valid range is 0 to

70560 minutes.

Blocking a Network

To block a network, follow these steps:

Step 1

Step 2

Configure the network block for 15 minutes, for example. The network block ends in 15 minutes.

sensor# block network 192.0.2.0/24 timeout 15

Step 3

Step 4

Start a network block. The network block lasts until you remove it.

sensor# block network 192.0.2.0/24

End the network block.

sensor# no block network 192.0.2.0/24

sensor#

Configuring Connection Blocking

Note

Connection blocks and network blocks are not supported on adaptive security appliances. Adaptive

security appliances only support host blocks with additional connection information.

Use the block connection source-ip-address destination-ip-address [port port-number] [protocol type]

[timeout minutes] command in privileged EXEC mode to block a connection between two IP addresses.

Use the no form of the command to remove the connection block. You must have blocking configured

before you can set up connection blocks. You can also view a list of connections that are being blocked.

If you do not configure the amount of time for the connection block, it is permanent.

The following options apply:

•

source-ip-address—Specifies the source IP address in a connection block.

destination-ip-address—Specifies the destination IP address in a connection block.

port-number—(Optional) Specifies the destination port number. The valid range is 0 to 65535.

type—(Optional) Specifies the protocol type. The valid types are tcp or udp.

minutes—(Optional) Specifies the duration of the connection block in minutes. The valid range is 0

to 70560 minutes.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

14-32

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting

Obtaining a List of Blocked Hosts and Connections

Blocking a Connection

To block a connection, follow these steps:

Step 1

Step 2

Configure the connection block between a source IP address and a destination IP address specifying the

port, protocol, and time, for example. The connection block ends in 30 minutes.

sensor# block connection 10.0.0.0 172.16.0.0 port 80 protocol tcp timeout 30

Step 3

Step 4

Start a connection block. The connection block lasts until you remove it.

sensor# block connection 10.0.0.0 172.16.0.0

End the connection block.

sensor# no block connection 10.0.0.0

sensor#

Obtaining a List of Blocked Hosts and Connections

Use the show statistics command to obtain a list of blocked hosts and blocked connections. To obtain a

list of blocked hosts and connections, follow these steps:

Step 1

Step 2

Check the statistics for the ARC. The Hostentry indicates which hosts are being blocked and how long

the blocks are.

sensor# show statistics network-access

Current Configuration

LogAllBlockEventsAndSensors = true

EnableNvramWrite = false

EnableAclLogging = false

AllowSensorBlock = false

BlockMaxEntries = 250

MaxDeviceInterfaces = 250

NetDevice

Type = Cisco

IP = 10.1.1.1

NATAddr = 0.0.0.0

Communications = telnet

BlockInterface

InterfaceName = fa0/0

InterfaceDirection = in

State

BlockEnable = true

NetDevice

IP = 10.1.1.1

AclSupport = uses Named ACLs

Version = 12.2

State = Active

BlockedAddr

Host

IP = 192.168.1.1

Vlan =

ActualIp =

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

14-33

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting

Obtaining a List of Blocked Hosts and Connections

BlockMinutes = 80

MinutesRemaining = 76

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

14-34

Download from Www.Somanuals.com. All Manuals Search And Download.

C H A P T E R

Configuring SNMP

This chapter describes how to configure SNMP, and contains the following sections:

•

SNMP Notes and Caveats, page 15-1

Understanding SNM P , p age 15-1

Configuring SNM P , p age 15-2

Configuring SNMP Traps, page 15-4

Supported MIBS, page 15-6

SNMP Notes and Caveats

The following notes and caveats apply to SNMP:

•

To have the sensor send SNMP traps, you must also select request-snmp-trap as the event action

when you configure signatures.

•

MIB II is available on the sensor, but we do not support it. We know that some elements are not

correct (for example, the packet counts from the IF MIB on the sensing interfaces). While you can

use elements from MIB II, we do not guarantee that they all provide correct information. We fully

support the other listed MIBs and their output is correct.

•

CISCO-PROCESS-MIB is available on the sensor, but we do not support it. We know that some

elements are not available. While you can use elements from CISCO-PROCESS-MIB, we do not

guarantee that they all provide correct information. We fully support the other listed MIBs and their

output is correct.

Understanding SNMP

SNMP is an application layer protocol that facilitates the exchange of management information between

network devices. SNMP enables network administrators to manage network performance, find and solve

network problems, and plan for network growth.

SNMP is a simple request/response protocol. The network-management system issues a request, and

managed devices return responses. This behavior is implemented by using one of four protocol

operations: Get, GetNext, Set, and Trap.

You can configure the sensor for monitoring by SNMP. SNMP defines a standard way for network

management stations to monitor the health and status of many types of devices, including switches,

routers, and sensors.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

15-1

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 15 Configuring SNMP

Configuring SNMP

You can configure the sensor to send SNMP traps. SNMP traps enable an agent to notify the management

station of significant events by way of an unsolicited SNMP message.

Trap-directed notification has the following advantage—if a manager is responsible for a large number

of devices, and each device has a large number of objects, it is impractical to poll or request information

from every object on every device. The solution is for each agent on the managed device to notify the

manager without solicitation. It does this by sending a message known as a trap of the event.

After receiving the event, the manager displays it and can take an action based on the event. For instance,

the manager can poll the agent directly, or poll other associated device agents to get a better

understanding of the event.

Note

Trap-directed notification results in substantial savings of network and agent resources by eliminating

frivolous SNMP requests. However, it is not possible to totally eliminate SNMP polling. SNMP requests

are required for discovery and topology changes. In addition, a managed device agent cannot send a trap

if the device has had a catastrophic outage.

Configuring SNMP

Caution

To have the sensor send SNMP traps, you must also select request-snmp-trap as the event action when

you configure signatures.

Configure general SNMP parameters in the service notification submode.

The following options apply:

•

default—Sets the value back to the system default setting.

enable-set-get {true | false}—Enables the gets and sets of object identifiers (OIDs).

no—Removes an entry or selection setting.

read-only-community—Specifies the read-only community name for the SNMP agent. The default

is public.

•

read-write-community—Specifies the read-write community name for the SNMP agent. The

default is private.

snmp-agent-port—Specifies the port the SNMP agent will listen on. The default SNMP port

number is 161.

snmp-agent-protocol—Specifies the protocol the SNMP agent will communicate with. The default

protocol is UDP.

system-contact—Specifies the contact information for this sensor. The system-contact option

modifies the SNMPv2-MIB::sysContact.0 value.

system-location—Specifies the location of the sensor. The system-location option modifies the

SNMPv2-MIB::sysLocation.0 value.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

15-2

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 15 Configuring SNMP

Configuring SNMP

Configuring SNMP General Parameters

To configure SNMP general parameters, follow these steps:

Step 1

Step 2

Enter notification submode.

sensor# configure terminal

sensor(config)# service notification

sensor(config-not)#

Step 3

Step 4

Enable SNMP so that the SNMP management workstation can issue requests to the sensor SNMP agent.

sensor(config-not)# enable-set-get true

Specify the SNMP agent parameters. These values configure the community name on the sensor SNMP

agent. A community name is a plain-text password mechanism that is used to weakly authenticate SNMP

queries.

a. Assign the read-only community string. The read-only community name specifies the password for

queries to the SNMP agent.

sensor(config-not)# read-only-community PUBLIC1

b. Assign the read-write community string. The read-write community name specifies the password for

sets to the SNMP agent.

sensor(config-not)# read-write-community PRIVATE1

Note

The management workstation sends SNMP requests to the sensor SNMP agent, which

resides on the sensor. If the management workstation issues a request and the community

string does not match what is on the senor, the sensor rejects it.

c. Assign the sensor contact user ID.

sensor(config-not)# system-contact BUSINESS

d. Enter the location of the sensor.

sensor(config-not)# system-location AUSTIN

e. Enter the port of the sensor SNMP agent.

sensor(config-not)# snmp-agent-port 161

Note

You must reboot the sensor if you change the port or protocol.

f. Specify the protocol the sensor SNMP agent will use.

sensor(config-not)# snmp-agent-protocol udp

Note

You must reboot the sensor if you change the port or protocol.

Step 5

Verify the settings.

sensor(config-not)# show settings

trap-destinations (min: 0, max: 10, current: 0)

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

15-3

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 15 Configuring SNMP

Configuring SNMP Traps

-----------------------------------------------

error-filter: error|fatal <defaulted>

enable-detail-traps: false <defaulted>

enable-notifications: false <defaulted>

enable-set-get: true default: false

snmp-agent-port: 161 default: 161

snmp-agent-protocol: udp default: udp

read-only-community: PUBLIC1 default: public

read-write-community: PRIVATE1 default: private

trap-community-name: public <defaulted>

system-location: AUSTIN default: Unknown

system-contact: BUSINESS default: Unknown

sensor(config-not)#

Step 6

Step 7

Exit notification submode.

sensor(config-not)# exit

Apply Changes:?[yes]:

Press Enter to apply the changes or enter no to discard them.

For More Information

For the procedure for assigning actions to signatures, see Assigning Actions to Signatures, page 7-15.

Configuring SNMP Traps

Caution

To have the sensor send SNMP traps, you must also select request-snmp-trap as the event action when

you configure signatures.

Configure the SNMP traps in the service notification submode.

The following options apply:

•

enable-detail-traps {true | false}—Enables the sending of detailed traps with no size limit.

Otherwise traps are sent in sparse mode (less than 484 bytes).

•

enable-health-traps {true | false} —Enables the sending of both heartbeat and health metric

change traps.

Note

To receive sensor health information through SNMP traps, you must have the sensor health

metrics enabled. Use the heartbeat-events enable command in service health monitor

submode to enable sensor health metrics.

•

enable-notifications {true | false}—Enables event notifications.

error-filter {warning | error | fatal}—Determines which errors generate an SNMP trap. An SNMP

trap is generated for every evError event that matches the filter. The default is error and fatal.

•

trap-community-name—Specifies the community name used when sending traps if no name is

specified when defining the trap destinations.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

15-4

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 15 Configuring SNMP

Configuring SNMP Traps

•

trap-destinations—Defines the destinations to send error events and alert events generated from

signature actions:

–

trap-community-name—Specifies the community name used when sending the trap. If no

community name is specified the general trap community name is used.

–

trap-port—Specifies the port number to send the SNMP trap to.

Configuring SNMP Traps

To configure SNMP traps, follow these steps:

Step 1

Step 2

Enter notification submode.

sensor# configure terminal

sensor(config)# service notification

sensor(config-not)#

Step 3

Step 4

Enable SNMP traps.

sensor(config-not)# enable-notifications true

Specify the parameters for the SNMP trap:

a. Specify the error events you want to be notified about through SNMP traps.

sensor(config-not)# error-filter {error | warning | fatal}

Note

The error-filter [error | warning | fatal] command includes error, warning, and fatal traps.

It filters in (not filters out) the traps based on severity.

b. Specify whether you want detailed SNMP traps.

sensor(config-not)# enable-detail-traps true

c. Specify whether you want health traps (heartbeat and health metric change traps).

sensor(config-not)# enable-health-traps true

Note

Make sure heartbeat and sensor health metrics are enabled.

d. Enter the community string to be included in the detailed traps.

sensor(config-not)# trap-community-name TRAP1

Step 5

Specify the parameters for the SNMP trap destinations so the sensor knows which management

workstations to send them to:

a. Enter the IP address of the SNMP management station.

sensor(config-not)# trap-destinations 10.0.0.0

b. Enter the UDP port of the SNMP management station. The default is 162

sensor(config-not-tra)# trap-port 162

c. Enter the trap community string.

sensor(config-not-tra)# trap-community-name AUSTIN_PUBLI

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

15-5

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 15 Configuring SNMP

Supported MIBS

Note

The community string appears in the trap and is useful if you are receiving multiple types of

traps from multiple agents. For example, a router or sensor could be sending the traps, and

if you put something that identifies the router or sensor specifically in your community

string, you can filter the traps based on the community string.

Step 6

Verify the settings.

sensor(config-not-tra)# exit

sensor(config-not)# show settings

trap-destinations (min: 0, max: 10, current: 1)

-----------------------------------------------

ip-address: 10.1.1.1

-----------------------------------------------

trap-community-name: AUSTIN_PUBLIC default:

trap-port: 161 default: 162

-----------------------------------------------

error-filter: warning|error|fatal default: error|fatal

enable-detail-traps: true default: false

enable-health-traps: true default: false

enable-notifications: true default: false

enable-set-get: true default: false

snmp-agent-port: 161 default: 161

snmp-agent-protocol: udp default: udp

read-only-community: PUBLIC1 default: public

read-write-community: PRIVATE1 default: private

trap-community-name: PUBLIC1 default: public

system-location: AUSTIN default: Unknown

system-contact: BUSINESS default: Unknown

sensor(config-not)#

Step 7

Step 8

Exit notification submode.

sensor(config-not)# exit

Apply Changes:?[yes]:

Press Enter to apply the changes or enter no to discard them.

For More Information

For the procedure for assigning actions to signatures, see Assigning Actions to Signatures, page 7-15.

Supported MIBS

The following private MIBs are supported on the sensor:

•

CISCO-CIDS-MIB

The CISCO-CIDS-MIB has been updated to include SNMP health data.

CISCO-ENHANCED-MEMPOOL-MIB

CISCO-ENTITY-ALARM-MIB

•

You can obtain these private Cisco MIBs under the heading SNMP v2 MIBs at this URL:

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

15-6

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 15 Configuring SNMP

Supported MIBS

Note

MIB II is available on the sensor, but we do not support it. We know that some elements are not correct

(for example, the packet counts from the IF MIB on the sensing interfaces). While you can use elements

from MIB II, we do not guarantee that they all provide correct information. We fully support the other

listed MIBs and their output is correct.

CISCO-PROCESS-MIB is available on the sensor, but we do not support it. We know that some elements

are not available. While you can use elements from CISCO-PROCESS-MIB, we do not guarantee that

they all provide correct information. We fully support the other listed MIBs and their output is correct.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

15-7

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 15 Configuring SNMP

Supported MIBS

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

15-8

Download from Www.Somanuals.com. All Manuals Search And Download.

FIRST REVIEW—CISCO CONFIDENTIAL

C H A P T E R

Working With Configuration Files

This chapter describes how to use commands that show, copy, and erase the configuration file. It contains

the following sections:

•

Displaying the Current Configuration, page 16-1

Displaying the Current Submode Configuration, page 16-3

Filtering the Current Configuration Output, page 16-16

Filtering the Current Submode Configuration Output, page 16-18

Displaying the Contents of a Logical File, page 16-19

Backing Up and Restoring the Configuration File Using a Remote Server, page 16-22

Creating and Using a Backup Configuration File, page 16-24

Erasing the Configuration File, page 16-24

Displaying the Current Configuration

Note

The CLI output is an example of what your configuration may look like. It will not match exactly due to

the optional setup choices, sensor model, and IPS version you have installed.

Use the show configuration or the more current-config command to display the contents of the current

configuration.

To display the contents of the current configuration, follow these steps:

Step 1

Step 2

Display the current configuration.

sensor# show configuration

! ------------------------------

! Current configuration last modified Fri Apr 19 19:01:05 2013

! ------------------------------

! Version 7.2(1)

! Host:

Realm Keys

! Signature Definition:

Signature Update

key1.0

S697.0

2013-02-15

! ------------------------------

service interface

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

16-1

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 16 Working With Configuration Files

Displaying the Current Configuration

FIRST REVIEW—CISCO CONFIDENTIAL

physical-interfaces GigabitEthernet0/0

admin-state enabled

exit

physical-interfaces GigabitEthernet0/1

admin-state enabled

exit

inline-interfaces pair0

interface1 GigabitEthernet0/0

interface2 GigabitEthernet0/1

exit

bypass-mode auto

exit

! ------------------------------

service authentication

exit

! ------------------------------

service event-action-rules rules0

exit

! ------------------------------

service host

network-settings

host-ip 10.106.133.159/23,10.106.132.1

host-name q4360-159

telnet-option enabled

access-list 0.0.0.0/0

dns-primary-server disabled

dns-secondary-server disabled

dns-tertiary-server disabled

exit

! ------------------------------

service logger

exit

! ------------------------------

service network-access

exit

! ------------------------------

service notification

exit

! ------------------------------

service signature-definition sig0

exit

! ------------------------------

service ssh-known-hosts

exit

! ------------------------------

service trusted-certificates

exit

! ------------------------------

service web-server

websession-inactivity-timeout 3600

exit

! ------------------------------

service anomaly-detection ad0

exit

! ------------------------------

service external-product-interface

exit

! ------------------------------

service health-monitor

exit

! ------------------------------

service global-correlation

exit

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

16-2

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 16 Working With Configuration Files

Displaying the Current Submode Configuration

FIRST REVIEW—CISCO CONFIDENTIAL

! ------------------------------

service aaa

exit

! ------------------------------

service analysis-engine

virtual-sensor vs0

logical-interface pair0

exit

sensor#

Displaying the Current Submode Configuration

Use the show settings command in a submode to display the current configuration of that submode.

To display the current configuration of a submode, follow these steps:

Step 1

Step 2

Display the current configuration of the service analysis engine submode.

sensor# configure terminal

sensor(config)# service analysis-engine

sensor(config-ana)# show settings

global-parameters

-----------------------------------------------

ip-logging

-----------------------------------------------

max-open-iplog-files: 20 <defaulted>

-----------------------------------------------

virtual-sensor (min: 1, max: 255, current: 1)

-----------------------------------------------

-----------------------------------------------

description: default virtual sensor <defaulted>

signature-definition: sig0 <protected>

event-action-rules: rules0 <protected>

physical-interface (min: 0, max: 999999999, current: 0)

-----------------------------------------------

logical-interface (min: 0, max: 999999999, current: 0)

-----------------------------------------------

sensor(config-ana)# exit

sensor(config)# exit

sensor#

Step 3

Display the current configuration of the service anomaly detection submode.

sensor(config)# service anomaly-detection ad0

sensor(config-ano)# show settings

worm-timeout: 600 seconds <defaulted>

learning-accept-mode

-----------------------------------------------

auto

-----------------------------------------------

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

16-3

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 16 Working With Configuration Files

Displaying the Current Submode Configuration

FIRST REVIEW—CISCO CONFIDENTIAL

action: rotate <defaulted>

schedule

-----------------------------------------------

periodic-schedule

-----------------------------------------------

start-time: 10:00:00 <defaulted>

interval: 24 hours <defaulted>

-----------------------------------------------

internal-zone

-----------------------------------------------

enabled: true <defaulted>

ip-address-range: 0.0.0.0 <defaulted>

tcp

-----------------------------------------------

dst-port (min: 0, max: 65535, current: 0)

-----------------------------------------------

default-thresholds

-----------------------------------------------

scanner-threshold: 100 <defaulted>

threshold-histogram (min: 0, max: 3, current: 3)

-----------------------------------------------

dest-ip-bin: low <defaulted>

num-source-ips: 10 <defaulted>

dest-ip-bin: medium <defaulted>

num-source-ips: 1 <defaulted>

dest-ip-bin: high <defaulted>

num-source-ips: 1 <defaulted>

-----------------------------------------------

enabled: true <defaulted>

-----------------------------------------------

udp

-----------------------------------------------

dst-port (min: 0, max: 65535, current: 0)

-----------------------------------------------

default-thresholds

-----------------------------------------------

scanner-threshold: 100 <defaulted>

threshold-histogram (min: 0, max: 3, current: 3)

-----------------------------------------------

dest-ip-bin: low <defaulted>

num-source-ips: 10 <defaulted>

dest-ip-bin: medium <defaulted>

num-source-ips: 1 <defaulted>

dest-ip-bin: high <defaulted>

num-source-ips: 1 <defaulted>

-----------------------------------------------

enabled: true <defaulted>

-----------------------------------------------

other

-----------------------------------------------

protocol-number (min: 0, max: 255, current: 0)

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

16-4

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 16 Working With Configuration Files

Displaying the Current Submode Configuration

FIRST REVIEW—CISCO CONFIDENTIAL

-----------------------------------------------

default-thresholds

-----------------------------------------------

scanner-threshold: 100 <defaulted>

threshold-histogram (min: 0, max: 3, current: 3)

-----------------------------------------------

dest-ip-bin: low <defaulted>

num-source-ips: 10 <defaulted>

dest-ip-bin: medium <defaulted>

num-source-ips: 1 <defaulted>

dest-ip-bin: high <defaulted>

num-source-ips: 1 <defaulted>

-----------------------------------------------

enabled: true <defaulted>

-----------------------------------------------

illegal-zone

-----------------------------------------------

enabled: true <defaulted>

ip-address-range: 0.0.0.0 <defaulted>

tcp

-----------------------------------------------

dst-port (min: 0, max: 65535, current: 0)

-----------------------------------------------

default-thresholds

-----------------------------------------------

scanner-threshold: 100 <defaulted>

threshold-histogram (min: 0, max: 3, current: 3)

-----------------------------------------------

dest-ip-bin: low <defaulted>

num-source-ips: 10 <defaulted>

dest-ip-bin: medium <defaulted>

num-source-ips: 1 <defaulted>

dest-ip-bin: high <defaulted>

num-source-ips: 1 <defaulted>

-----------------------------------------------

enabled: true <defaulted>

-----------------------------------------------

udp

-----------------------------------------------

dst-port (min: 0, max: 65535, current: 0)

-----------------------------------------------

default-thresholds

-----------------------------------------------

scanner-threshold: 100 <defaulted>

threshold-histogram (min: 0, max: 3, current: 3)

-----------------------------------------------

dest-ip-bin: low <defaulted>

num-source-ips: 10 <defaulted>

dest-ip-bin: medium <defaulted>

num-source-ips: 1 <defaulted>

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

16-5

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 16 Working With Configuration Files

Displaying the Current Submode Configuration

FIRST REVIEW—CISCO CONFIDENTIAL

dest-ip-bin: high <defaulted>

num-source-ips: 1 <defaulted>

-----------------------------------------------

enabled: true <defaulted>

-----------------------------------------------

other

-----------------------------------------------

protocol-number (min: 0, max: 255, current: 0)

-----------------------------------------------

default-thresholds

-----------------------------------------------

scanner-threshold: 100 <defaulted>

threshold-histogram (min: 0, max: 3, current: 3)

-----------------------------------------------

dest-ip-bin: low <defaulted>

num-source-ips: 10 <defaulted>

dest-ip-bin: medium <defaulted>

num-source-ips: 1 <defaulted>

dest-ip-bin: high <defaulted>

num-source-ips: 1 <defaulted>

-----------------------------------------------

enabled: true <defaulted>

-----------------------------------------------

external-zone

-----------------------------------------------

enabled: true <defaulted>

tcp

-----------------------------------------------

dst-port (min: 0, max: 65535, current: 0)

-----------------------------------------------

default-thresholds

-----------------------------------------------

scanner-threshold: 100 <defaulted>

threshold-histogram (min: 0, max: 3, current: 3)

-----------------------------------------------

dest-ip-bin: low <defaulted>

num-source-ips: 10 <defaulted>

dest-ip-bin: medium <defaulted>

num-source-ips: 1 <defaulted>

dest-ip-bin: high <defaulted>

num-source-ips: 1 <defaulted>

-----------------------------------------------

enabled: true <defaulted>

-----------------------------------------------

udp

-----------------------------------------------

dst-port (min: 0, max: 65535, current: 0)

-----------------------------------------------

default-thresholds

-----------------------------------------------

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

16-6

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 16 Working With Configuration Files

Displaying the Current Submode Configuration

FIRST REVIEW—CISCO CONFIDENTIAL

scanner-threshold: 100 <defaulted>

threshold-histogram (min: 0, max: 3, current: 3)

-----------------------------------------------

dest-ip-bin: low <defaulted>

num-source-ips: 10 <defaulted>

dest-ip-bin: medium <defaulted>

num-source-ips: 1 <defaulted>

dest-ip-bin: high <defaulted>

num-source-ips: 1 <defaulted>

-----------------------------------------------

enabled: true <defaulted>

-----------------------------------------------

other

-----------------------------------------------

protocol-number (min: 0, max: 255, current: 0)

-----------------------------------------------

default-thresholds

-----------------------------------------------

scanner-threshold: 100 <defaulted>

threshold-histogram (min: 0, max: 3, current: 3)

-----------------------------------------------

dest-ip-bin: low <defaulted>

num-source-ips: 10 <defaulted>

dest-ip-bin: medium <defaulted>

num-source-ips: 1 <defaulted>

dest-ip-bin: high <defaulted>

num-source-ips: 1 <defaulted>

-----------------------------------------------

enabled: true <defaulted>

-----------------------------------------------

ignore

-----------------------------------------------

enabled: true <defaulted>

source-ip-address-range: 0.0.0.0 <defaulted>

dest-ip-address-range: 0.0.0.0 <defaulted>

-----------------------------------------------

sensor(config-ano)# exit

sensor(config)# exit

sensor# exit

Step 4

Display the current configuration of the service authentication submode.

sensor# configure terminal

sensor(config)# service authentication

sensor(config-aut)# show settings

attemptLimit: 0 <defaulted>

sensor(config-aut)# exit

sensor(config)# exit

sensor#

Step 5

Display the current configuration of the service event action rules submode.

sensor# configure terminal

sensor(config)# service event-action-rules rules0

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

16-7

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 16 Working With Configuration Files

Displaying the Current Submode Configuration

FIRST REVIEW—CISCO CONFIDENTIAL

sensor(config-rul)# show settings

variables (min: 0, max: 256, current: 0)

-----------------------------------------------

overrides (min: 0, max: 12, current: 0)

-----------------------------------------------

filters (min: 0, max: 4096, current: 0 - 0 active, 0 inactive)

-----------------------------------------------

general

-----------------------------------------------

global-overrides-status: Enabled <defaulted>

global-filters-status: Enabled <defaulted>

global-summarization-status: Enabled <defaulted>

global-metaevent-status: Enabled <defaulted>

global-deny-timeout: 3600 <defaulted>

global-block-timeout: 30 <defaulted>

max-denied-attackers: 10000 <defaulted>

-----------------------------------------------

target-value (min: 0, max: 5, current: 0)

-----------------------------------------------

sensor(config-rul)# exit

sensor(config)# exit

sensor# exit

Step 6

Display the current configuration of the external product interface submode.

sensor(config)# service external-product-interface

sensor(config-ext)# show settings

cisco-security-agents-mc-settings (min: 0, max: 2, current: 0)

-----------------------------------------------

sensor(config-ext)# exit

sensor(config)# exit

sensor#

Step 7

Display the current configuration of the service global-correlation submode.

sensor# configure terminal

sensor(config)# service global-correlation

sensor(config-glo)# show settings

network-participation: off <defaulted>

global-correlation-inspection: on <defaulted>

global-correlation-inspection-influence: standard <defaulted>

reputation-filtering: on <defaulted>

test-global-correlation: off <defaulted>

sensor(config-glo)# exit

sensor(config)# exit

sensor# exit

Step 8

Display the current configuration of the service health-monitor submode.

sensor# configure terminal

sensor(config)# service health-monitor

sensor(config-hea)# show settings

enable-monitoring: true <defaulted>

persist-security-status: 5 minutes <defaulted>

heartbeat-events

-----------------------------------------------

enable: 300 seconds <defaulted>

-----------------------------------------------

application-failure-policy

-----------------------------------------------

enable: true <defaulted>

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

16-8

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 16 Working With Configuration Files

Displaying the Current Submode Configuration

FIRST REVIEW—CISCO CONFIDENTIAL

status: red <defaulted>

-----------------------------------------------

bypass-policy

-----------------------------------------------

enable: true <defaulted>

status: red <defaulted>

-----------------------------------------------

interface-down-policy

-----------------------------------------------

enable: true <defaulted>

status: red <defaulted>

-----------------------------------------------

inspection-load-policy

-----------------------------------------------

enable: true <defaulted>

yellow-threshold: 80 percent <defaulted>

red-threshold: 91 percent <defaulted>

-----------------------------------------------

missed-packet-policy

-----------------------------------------------

enable: true <defaulted>

yellow-threshold: 1 percent <defaulted>

red-threshold: 6 percent <defaulted>

-----------------------------------------------

memory-usage-policy

-----------------------------------------------

enable: false <defaulted>

yellow-threshold: 80 percent <defaulted>

red-threshold: 91 percent <defaulted>

-----------------------------------------------

signature-update-policy

-----------------------------------------------

enable: true <defaulted>

yellow-threshold: 30 days <defaulted>

red-threshold: 60 days <defaulted>

-----------------------------------------------

license-expiration-policy

-----------------------------------------------

enable: true <defaulted>

yellow-threshold: 30 days <defaulted>

red-threshold: 0 days <defaulted>

-----------------------------------------------

event-retrieval-policy

-----------------------------------------------

enable: true <defaulted>

yellow-threshold: 300 seconds <defaulted>

red-threshold: 600 seconds <defaulted>

-----------------------------------------------

global-correlation-policy

-----------------------------------------------

enable: true <defaulted>

yellow-threshold: 86400 seconds <protected>

red-threshold: 259200 seconds <protected>

-----------------------------------------------

network-participation-policy

-----------------------------------------------

enable: false <defaulted>

yellow-threshold: 1 connection failures <protected>

red-threshold: 6 connection failures <protected>

-----------------------------------------------

sensor(config-hea)# exit

sensor(config)# exit

sensor# exit

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

16-9

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 16 Working With Configuration Files

Displaying the Current Submode Configuration

FIRST REVIEW—CISCO CONFIDENTIAL

Step 9

Display the current configuration of the service host submode.

sensor# configure terminal

sensor(config)# service host

sensor(config-hos)# show settings

network-settings

-----------------------------------------------

host-ip: 192.0.2.0/24,192.0.2.17 default: 192.168.1.2/24,192.168.1.1

host-name: sensor default: sensor

telnet-option: enabled default: disabled

access-list (min: 0, max: 512, current: 2)

-----------------------------------------------

network-address: 10.0.0.0/8

-----------------------------------------------

network-address: 64.0.0.0/8

-----------------------------------------------

ftp-timeout: 300 seconds <defaulted>

-----------------------------------------------

time-zone-settings

-----------------------------------------------

offset: 0 minutes default: 0

standard-time-zone-name: UTC default: UTC

-----------------------------------------------

ntp-option

-----------------------------------------------

disabled

-----------------------------------------------

summertime-option

-----------------------------------------------

disabled

-----------------------------------------------

auto-upgrade-option

-----------------------------------------------

disabled

-----------------------------------------------

crypto

-----------------------------------------------

key (min: 0, max: 10, current: 2)

-----------------------------------------------

type

-----------------------------------------------

rsa-pubkey

-----------------------------------------------

length: 2048 <defaulted>

exponent: 65537 <defaulted>

modulus: 24442189989357747083874855335232628843599968934198559648

63019947387841151932503911172668940194754549155390407658020393330611891292508300

85940304031186014499632568812428068058089581614196337399623060624990057049103055

90153955935086060008679776808073640186063435723252375575293126304558068704301863

80562114437439289069456670922074995827390284761610591515752008405140243673083189

77822469964934598367010389389888297490802884118543730076293589703535912161993319

47093130298688830012547215572646349623539468838641064915313947806852904082351955

13217273138099965383039716130153270715220046567107828128924197692417332033911704

3 <defaulted>

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

16-10

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 16 Working With Configuration Files

Displaying the Current Submode Configuration

FIRST REVIEW—CISCO CONFIDENTIAL

-----------------------------------------------

type

-----------------------------------------------

rsa-pubkey

-----------------------------------------------

length: 2048 <defaulted>

exponent: 65537 <defaulted>

modulus: 21765561422573021314159855351418723031625093380777053696

63817289527060570932551065489818190713745672148260527030060667208366606603802679

30439066724143390626495479300550101618179584637287052936465692146572612651375969

20354521585644221602944203520804404212975401970895119903756769601133853673296766

45289795777973491984056587045214514820063366950731346400044308491594626434706999

47608668822814014830063399534204647069509052443439525363706527255224510771122235

80181150460544783251498481432705991010069844368525754878413669427639752950801767

99905309235232456295580086724203297914095984224328444391582223138423799100838191

9 <defaulted>

-----------------------------------------------

sensor(config-hos)# exit

sensor(config)# exit

sensor#

Step 10 Display the current configuration of the service interface submode.

sensor# configure terminal

sensor(config)# service interface

sensor(config-int)# show settings

physical-interfaces (min: 0, max: 999999999, current: 4)

-----------------------------------------------

-----------------------------------------------

media-type: tx <protected>

description: <defaulted>

admin-state: disabled <defaulted>

duplex: auto <defaulted>

speed: auto <defaulted>

alt-tcp-reset-interface

-----------------------------------------------

none

-----------------------------------------------

subinterface-type

-----------------------------------------------

none

-----------------------------------------------

-----------------------------------------------

media-type: tx <protected>

description: <defaulted>

admin-state: disabled <protected>

duplex: auto <defaulted>

speed: auto <defaulted>

alt-tcp-reset-interface

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

16-11

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 16 Working With Configuration Files

Displaying the Current Submode Configuration

FIRST REVIEW—CISCO CONFIDENTIAL

-----------------------------------------------

none

-----------------------------------------------

subinterface-type

-----------------------------------------------

none

-----------------------------------------------

-----------------------------------------------

media-type: xl <protected>

description: <defaulted>

admin-state: disabled <defaulted>

duplex: auto <defaulted>

speed: auto <defaulted>

alt-tcp-reset-interface

-----------------------------------------------

none

-----------------------------------------------

subinterface-type

-----------------------------------------------

none

-----------------------------------------------

-----------------------------------------------

media-type: xl <protected>

description: <defaulted>

admin-state: disabled <defaulted>

duplex: auto <defaulted>

speed: auto <defaulted>

alt-tcp-reset-interface

-----------------------------------------------

none

-----------------------------------------------

subinterface-type

-----------------------------------------------

none

-----------------------------------------------

command-control: GigabitEthernet0/1 <protected>

inline-interfaces (min: 0, max: 999999999, current: 0)

-----------------------------------------------

bypass-mode: auto <defaulted>

interface-notifications

-----------------------------------------------

missed-percentage-threshold: 0 percent <defaulted>

notification-interval: 30 seconds <defaulted>

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

16-12

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 16 Working With Configuration Files

Displaying the Current Submode Configuration

FIRST REVIEW—CISCO CONFIDENTIAL

idle-interface-delay: 30 seconds <defaulted>

-----------------------------------------------

sensor(config-int)# exit

sensor(config)# exit

sensor#

Step 11 Display the current configuration for the service logger submode.

sensor# configure terminal

sensor(config)# service logger

sensor(config-log)# show settings

master-control

-----------------------------------------------

enable-debug: false <defaulted>

individual-zone-control: false <defaulted>

-----------------------------------------------

zone-control (min: 0, max: 999999999, current: 14)

-----------------------------------------------

zone-name: Cid

severity: debug <defaulted>

zone-name: AuthenticationApp

severity: warning <defaulted>

zone-name: Cli

severity: warning <defaulted>

zone-name: csi

severity: warning <defaulted>

zone-name: ctlTransSource

severity: warning <defaulted>

zone-name: IdapiCtlTrans

severity: warning <defaulted>

zone-name: IdsEventStore

severity: warning <defaulted>

zone-name: MpInstaller

severity: warning <defaulted>

zone-name: nac

severity: warning <defaulted>

zone-name: sensorApp

severity: warning <defaulted>

zone-name: tls

severity: warning <defaulted>

zone-name: intfc

severity: warning <defaulted>

zone-name: cmgr

severity: warning <defaulted>

zone-name: cplane

severity: warning <defaulted>

-----------------------------------------------

sensor(config-log)# exit

sensor(config)# exit

sensor#

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

16-13

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 16 Working With Configuration Files

Displaying the Current Submode Configuration

FIRST REVIEW—CISCO CONFIDENTIAL

Step 12 Display the current configuration for the service network access submode.

sensor# configure terminal

sensor(config)# service network-access

sensor(config-net)# show settings

general

-----------------------------------------------

log-all-block-events-and-errors: true <defaulted>

enable-nvram-write: false <defaulted>

enable-acl-logging: false <defaulted>

allow-sensor-block: false <defaulted>

block-enable: true <defaulted>

block-max-entries: 250 <defaulted>

max-interfaces: 250 <defaulted>

rate-limit-max-entries: 250 <defaulted>

master-blocking-sensors (min: 0, max: 100, current: 0)

-----------------------------------------------

never-block-hosts (min: 0, max: 250, current: 0)

-----------------------------------------------

never-block-networks (min: 0, max: 250, current: 0)

-----------------------------------------------

block-hosts (min: 0, max: 250, current: 0)

-----------------------------------------------

block-networks (min: 0, max: 250, current: 0)

-----------------------------------------------

user-profiles (min: 0, max: 250, current: 1)

-----------------------------------------------

profile-name: test

-----------------------------------------------

enable-password: <hidden>

password: <hidden>

username: <defaulted>

-----------------------------------------------

cat6k-devices (min: 0, max: 250, current: 0)

-----------------------------------------------

router-devices (min: 0, max: 250, current: 0)

-----------------------------------------------

firewall-devices (min: 0, max: 250, current: 0)

-----------------------------------------------

sensor(config-net)# exit

sensor(config)# exit

sensor#

Step 13 Display the current configuration for the notification submode.

sensor# configure terminal

sensor(config)# service notification

sensor(config-not)# show settings

trap-destinations (min: 0, max: 10, current: 0)

-----------------------------------------------

error-filter: error|fatal <defaulted>

enable-detail-traps: false <defaulted>

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

16-14

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 16 Working With Configuration Files

Displaying the Current Submode Configuration

FIRST REVIEW—CISCO CONFIDENTIAL

enable-notifications: false <defaulted>

enable-set-get: false <defaulted>

snmp-agent-port: 161 <defaulted>

snmp-agent-protocol: udp <defaulted>

read-only-community: public <defaulted>

read-write-community: private <defaulted>

trap-community-name: public <defaulted>

system-location: Unknown <defaulted>

system-contact: Unknown <defaulted>

sensor(config-not)# exit

sensor(config)# exit

sensor#

Step 14 Display the current configuration for the signature definition submode.

sensor# configure terminal

sensor(config)# service signature-definition sig0

sensor(config-sig)# show settings

variables (min: 0, max: 256, current: 1)

-----------------------------------------------

variable-name: WEBPORTS

-----------------------------------------------

web-ports: 80-80,3128-3128,8000-8000,8010-8010,8080-8080,8888-8888,2432

6-24326 <defaulted>

-----------------------------------------------

application-policy

-----------------------------------------------

http-policy

-----------------------------------------------

http-enable: false <defaulted>

max-outstanding-http-requests-per-connection: 10 <defaulted>

aic-web-ports: 80-80,3128-3128,8000-8000,8010-8010,8080-8080,8888-8888,

24326-24326 <defaulted>

-----------------------------------------------

ftp-enable: false <defaulted>

-----------------------------------------------

fragment-reassembly

-----------------------------------------------

ip-reassemble-mode: nt <defaulted>

-----------------------------------------------

stream-reassembly

-----------------------------------------------

--MORE--

Step 15 Display the current configuration for the SSH known hosts submode.

sensor# configure terminal

sensor(config)# service ssh-known-hosts

sensor(config-ssh)# show settings

rsa1-keys (min: 0, max: 500, current: 0)

-----------------------------------------------

sensor(config-ssh)# exit

sensor(config)# exit

sensor#

Step 16 Display the current configuration for the trusted certificates submode.

sensor# configure terminal

sensor(config)# service trusted-certificate

sensor(config-tru)# show settings

trusted-certificates (min: 0, max: 500, current: 1)

-----------------------------------------------

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

16-15

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 16 Working With Configuration Files

Filtering the Current Configuration Output

FIRST REVIEW—CISCO CONFIDENTIAL

common-name: 10.89.130.108

certificate: MIICJDCCAY0CCPbSkgXUchJIMA0GCSqGSIb3DQEBBQUAMFcxCzAJBgNVBAYTA

lVTMRwwGgYDVQQKExNDaXNjbyBTeXN0ZW1zLCBJbmMuMRIwEAYDVQQLEwlTU00tSVBTMjAxFjAUBgNVB

AMTDTEwLjg5LjEzMC4xMDgwHhcNMDMwMTAzMDE1MjEwWhcNMDUwMTAzMDE1MjEwWjBXMQswCQYDVQQGE

wJVUzEcMBoGA1UEChMTQ2lzY28gU3lzdGVtcywgSW5jLjESMBAGA1UECxMJU1NNLUlQUzIwMRYwFAYDV

QQDEw0xMC44OS4xMzAuMTA4MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzldqLFG4MT4bfgh3mJ

fP/DCilnnaLfzHK9FdnhmWI4FY+9MVvAI7MOhAcuV6HYfyp6n6cYvH+Eswzl9uv7H5nouID9St9GI3Yr

SUtlIQAJ4QVL2DwWP230x6KdHrYqcj+Nmhc7AnnPypjidwGSfF+VetIJLEeRFh/mI2JcmwF2QIDAQABM

A0GCSqGSIb3DQEBBQUAA4GBAAUI2PLANTOehxvCfwd6UAFXvy8uifbjqKMC1jrrF+f9KGkxmR+XZvUaG

OS83FYDXlXJvB5Xyxms+Y01wGjzKKpxegBoan8OB8o193Ueszdpvz2xYmiEgywCDyVJRsw3hAFMXWMS5

XsBUiHtw0btHH0j7ElFZxUjZv12fGz8hlnY

-----------------------------------------------

sensor(config-tru)# exit

sensor(config)# exit

sensor#

Step 17 Display the current configuration for the web server submode.

sensor# configure terminal

sensor(config)# service web-server

sensor(config-web)# show settings

enable-tls: true <defaulted>

port: 443 <defaulted>

server-id: HTTP/1.1 compliant <defaulted>

sensor(config-web)# exit

sensor(config)# exit

sensor#

Filtering the Current Configuration Output

Use the more keyword | [begin | exclude | include] regular-expression command to search the output of

the more command.

The following options apply:

•

keyword—Specifies either the current-config or the backup-config:

–

current-config—Specifies the current running configuration. This configuration becomes

persistent as the commands are entered.

–

backup-config—Specifies the storage location for the configuration backup file.

•

|—The pipe symbol indicates that an output processing specification follows.

begin—Begins unfiltered output of the more command with the first line that contains the regular

expression specified.

•

exclude—Excludes lines in the output of the more command that contain a particular regular

expression.

include—Includes only the lines in the output of the more command that contain the regular

expression you specify.

regular-expression—Specifies any regular expression found in the more command output.

Note

The regular-expression option is case sensitive and allows for complex matching

requirements.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

16-16

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 16 Working With Configuration Files

Filtering the Current Configuration Output

FIRST REVIEW—CISCO CONFIDENTIAL

Filtering Using the More Command

To filter the more command, follow these steps:

Step 1

Step 2

Filter the current-config output beginning with the regular expression “ip,” for example.

sensor# more current-config | begin ip

generating current config:

host-ip 192.0.2.0/24,192.0.2.17

host-name sensor

telnet-option enabled

access-list 10.0.0.0/8

access-list 64.0.0.0/8

exit

time-zone-settings

offset 0

standard-time-zone-name UTC

exit

! ------------------------------

service interface

exit

! ------------------------------

service logger

master-control

enable-debug true

exit

! ------------------------------

service network-access

general

log-all-block-events-and-errors true

--MORE--

Note

Press Ctrl-C to stop the output and return to the CLI prompt.

Step 3

Exclude the regular expression “ip” from the current-config output.

sensor# more current-config | exclude ip

generating current config:

! ------------------------------

! Version 7.0(1)

! Current configuration last modified Fri Feb 11 15:10:57 2009

! ------------------------------

service analysis-engine

virtual-sensor vs0

physical-interface FastEthernet0/1

exit

! ------------------------------

service authentication

exit

! ------------------------------

service event-action-rules rules0

exit

! ------------------------------

service host

network-settings

host-name sensor

telnet-option enabled

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

16-17

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 16 Working With Configuration Files

Filtering the Current Submode Configuration Output

FIRST REVIEW—CISCO CONFIDENTIAL

access-list 10.0.0.0/8

access-list 64.0.0.0/8

exit

time-zone-settings

--MORE--

Note

Press Ctrl-C to stop the output and return to the CLI prompt.

Step 4

Include the regular expression “ip” in the current-config output.

sensor# more current-config | include ip

generating current config:

host-ip 192.0.2.0/24,192.0.2.17

engine atomic-ip

Filtering the Current Submode Configuration Output

Use the show settings | [begin | exclude | include] regular_expression command in the submode you

are interested in to search or filter the output of the contents of the submode configuration.

The following options apply:

•

|—The pipe symbol indicates that an output processing specification follows.

begin—Begins unfiltered output of the show settings command with the first line that contains the

regular expression specified.

•

exclude—Excludes lines in the output of the show settings command that contain a particular

regular expression.

include—Includes only the lines in the output of the show settings command that contain the

regular expression you specify.

regular_expression—Specifies any regular expression found in the show settings command output.

Note

The regular_expression option is case sensitive and allows for complex matching

requirements.

Filtering the Submode Output

To search or filter the output of the contents of the submode configuration, follow these steps:

Step 1

Step 2

Search the output of the event action rules settings for the regular expression, “filters,” for example.

sensor# configure terminal

sensor(config)# service event-action-rules

sensor(config-rul)# show settings | begin filters

filters (min: 0, max: 4096, current: 0 - 0 active, 0 inactive)

-----------------------------------------------

general

-----------------------------------------------

global-overrides-status: Enabled <defaulted>

global-filters-status: Enabled <defaulted>

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

16-18

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 16 Working With Configuration Files

Displaying the Contents of a Logical File

FIRST REVIEW—CISCO CONFIDENTIAL

global-summarization-status: Enabled <defaulted>

global-metaevent-status: Enabled <defaulted>

global-deny-timeout: 3600 <defaulted>

global-block-timeout: 15 default: 30

max-denied-attackers: 10000 <defaulted>

-----------------------------------------------

target-value (min: 0, max: 5, current: 0)

-----------------------------------------------

sensor(config-rul)#

Step 3

Filter the output of the network access settings to exclude the regular expression.

sensor# configure terminal

sensor(config)# service network-access

sensor(config-net)# show settings | exclude false

general

-----------------------------------------------

log-all-block-events-and-errors: true default: true

block-enable: true default: true

block-max-entries: 11 default: 250

max-interfaces: 13 default: 250

master-blocking-sensors (min: 0, max: 100, current: 1)

-----------------------------------------------

ipaddress: 192.0.2.0

-----------------------------------------------

password: <hidden>

port: 443 default: 443

tls: true default: true

username: cisco default:

-----------------------------------------------

never-block-hosts (min: 0, max: 250, current: 1)

-----------------------------------------------

ip-address: 10.89.146.112

-----------------------------------------------

never-block-networks (min: 0, max: 250, current: 1)

-----------------------------------------------

ip-address: 88.88.88.0/24

--MORE--

Step 4

Filter the output of the host settings to include the regular expression “ip.”

sensor# configure terminal

sensor(config)# service host

sensor(config-hos)# show settings | include ip

host-ip: 192.0.2.0/24,192.0.2.17 default: 192.168.1.2/24,192.168.1.1

sensor(config-hos)#

Displaying the Contents of a Logical File

Note

Operators and viewers can only display the current configuration. Only administrators can view hidden

fields such as passwords.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

16-19

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 16 Working With Configuration Files

Displaying the Contents of a Logical File

FIRST REVIEW—CISCO CONFIDENTIAL

Use the more keyword command to display the contents of a logical file, such as the current system

configuration or the saved backup system configuration.

The following options apply:

•

keyword—Specifies either the current-config or the backup-config:

–

current-config—Specifies the current running configuration. This configuration becomes

persistent as the commands are entered.

–

backup-config—Specifies the storage location for the configuration backup file.

You can disable the more prompt in more current-config or more backup-config by setting the terminal

length to zero using the terminal length 0 command. The more command then displays the entire file

content without pausing.

Displaying the Logical File Contents

To display the contents of a logical file, follow these steps:

Step 1

Step 2

Display the contents of the current configuration file.

sensor# more current-config

Generating current config:

The current configuration is displayed.

! ------------------------------

! Current configuration last modified Fri Apr 19 19:01:05 2013

! ------------------------------

! Version 7.2(1)

! Host:

Realm Keys

! Signature Definition:

Signature Update

key1.0

S697.0

2013-02-15

! ------------------------------

service interface

physical-interfaces GigabitEthernet0/0

admin-state enabled

exit

physical-interfaces GigabitEthernet0/1

admin-state enabled

exit

inline-interfaces pair0

interface1 GigabitEthernet0/0

interface2 GigabitEthernet0/1

exit

bypass-mode auto

exit

! ------------------------------

service authentication

exit

! ------------------------------

service event-action-rules rules0

exit

! ------------------------------

service host

network-settings

host-ip 10.106.133.159/23,10.106.132.1

host-name q4360-159

telnet-option enabled

access-list 0.0.0.0/0

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

16-20

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 16 Working With Configuration Files

Displaying the Contents of a Logical File

FIRST REVIEW—CISCO CONFIDENTIAL

dns-primary-server disabled

dns-secondary-server disabled

dns-tertiary-server disabled

exit

! ------------------------------

service logger

exit

! ------------------------------

service network-access

exit

! ------------------------------

service notification

exit

! ------------------------------

service signature-definition sig0

exit

! ------------------------------

service ssh-known-hosts

exit

! ------------------------------

service trusted-certificates

exit

! ------------------------------

service web-server

websession-inactivity-timeout 3600

exit

! ------------------------------

service anomaly-detection ad0

exit

! ------------------------------

service external-product-interface

exit

! ------------------------------

service health-monitor

exit

! ------------------------------

service global-correlation

exit

! ------------------------------

service aaa

exit

! ------------------------------

service analysis-engine

virtual-sensor vs0

logical-interface pair0

exit

sensor#

For More Information

For the procedure for using the terminal command, see Modifying Terminal Properties, page 17-20.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

16-21

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 16 Working With Configuration Files

Backing Up and Restoring the Configuration File Using a Remote Server

FIRST REVIEW—CISCO CONFIDENTIAL

Backing Up and Restoring the Configuration File Using a Remote

Server

Note

We recommend copying the current configuration file to a remote server before upgrading.

Use the copy [/erase] source_url destination_url keyword command to copy the configuration file to a

remote server. You can then restore the current configuration from the remote server. You are prompted

to back up the current configuration first.

The following options apply:

•

/erase—Erases the destination file before copying.

This keyword only applies to the current-config; the backup-config is always overwritten. If this

keyword is specified for destination current-config, the source configuration is applied to the system

default configuration. If it is not specified for the destination current-config, the source

configuration is merged with the current-config.

•

source_url—The location of the source file to be copied. It can be a URL or keyword.

destination_url—The location of the destination file to be copied. It can be a URL or a keyword.

current-config—The current running configuration. The configuration becomes persistent as the

commands are entered.

•

backup-config—The storage location for the configuration backup.

The exact format of the source and destination URLs varies according to the file. Here are the valid

types:

–

ftp:—Source or destination URL for an FTP network server. The syntax for this prefix is:

ftp://[[username@]location][/relativeDirectory]/filename

ftp://[[username@]location][//absoluteDirectory]/filename

Note

You are prompted for a password.

scp:—Source or destination URL for the SCP network server. The syntax for this prefix is:

scp://[[username@]location][/relativeDirectory]/filename

scp://[[username@]location][//absoluteDirectory]/filename

Note

You are prompted for a password. You must add the remote host to the SSH known hosts

list.

–

http:—Source URL for the web server. The syntax for this prefix is:

http://[[username@]location][/directory]/filename

Note

The directory specification should be an absolute path to the desired file.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

16-22

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 16 Working With Configuration Files

Backing Up and Restoring the Configuration File Using a Remote Server

FIRST REVIEW—CISCO CONFIDENTIAL

–

https:—Source URL for the web server. The syntax for this prefix is:

https://[[username@]location][/directory]/filename

Note

The directory specification should be an absolute path to the desired file. The remote

host must be a TLS trusted host.

Caution

Copying a configuration file from another sensor may result in errors if the sensing interfaces and virtual

sensors are not configured the same.

Backing Up the Current Configuration to a Remote Server

To back up your current configuration to a remote server, follow these steps:

Step 1

Step 2

Back up the current configuration to the remote server.

sensor# copy current-config scp://[email protected]//configuration/cfg current-config

Password: ********

Warning: Copying over the current configuration may leave the box in an unstable state.

Would you like to copy current-config to backup-config before proceeding? [yes]:

Step 3

Enter yesto copy the current configuration to a backup configuration.

cfg

100% |************************************************| 36124

00:00

Restoring the Current Configuration From a Backup File

To restore your current configuration from a backup file, follow these steps:

Step 1

Step 2

Back up the current configuration to the remote server.

sensor# copy scp://[email protected]//configuration/cfg current-config

Password: ********

Warning: Copying over the current configuration may leave the box in an unstable state.

Would you like to copy current-config to backup-config before proceeding? [yes]:

Step 3

Enter yesto copy the current configuration to a backup configuration.

cfg

100% |************************************************| 36124

00:00

Warning: Replacing existing network-settings may leave the box in an unstable state.

Would you like to replace existing network settings

(host-ipaddress/netmask/gateway/access-list) on sensor before proceeding? [no]:

sensor#

Step 4

Enter no to retain the currently configured hostname, IP address, subnet mask, management interface,

and access list. We recommend you retain this information to preserve access to your sensor after the

rest of the configuration has been restored.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

16-23

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 16 Working With Configuration Files

Creating and Using a Backup Configuration File

FIRST REVIEW—CISCO CONFIDENTIAL

For More Information

•

For the procedure for adding the remote host to the SSH known host list, see Adding Hosts to the

SSH Known Hosts List, page 3-46.

•

For the procedure for adding the remote host to the TLS trusted hosts list, see Adding TLS Trusted

Hosts, page 3-52.

Creating and Using a Backup Configuration File

To protect your configuration, you can back up the current configuration and then display it to confirm

that is the configuration you want to save. If you need to restore this configuration, you can merge the

backup configuration file with the current configuration or overwrite the current configuration file with

the backup configuration file.

To back up your current configuration, follow these steps:

Step 1

Step 2

Save the current configuration. The current configuration is saved in a backup file.

sensor# copy current-config backup-config

Step 3

Step 4

Display the backup configuration file. The backup configuration file is displayed.

sensor# more backup-config

You can either merge the backup configuration with the current configuration, or you can overwrite the

current configuration:

•

Merge the backup configuration into the current configuration.

sensor# copy backup-config current-config

•

Overwrite the current configuration with the backup configuration.

sensor# copy /erase backup-config current-config

Erasing the Configuration File

Use the erase {backup-config | current-config} command to delete a logical file. The following options

apply:

•

current-config—The current running configuration. The configuration becomes persistent as the

commands are entered.

•

backup-config—The storage location for the configuration backup.

To erase the current configuration and return all settings back to the default, follow these steps:

Step 1

sensor# erase current-config

Warning: Removing the current-config file will result in all configuration being reset to

default, including system information such as IP address.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

16-24

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 16 Working With Configuration Files

Erasing the Configuration File

FIRST REVIEW—CISCO CONFIDENTIAL

User accounts will not be erased. They must be removed manually using the "no username"

command.

Continue? []:

Step 2

Press Enter to continue or enter no to stop.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

16-25

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 16 Working With Configuration Files

Erasing the Configuration File

FIRST REVIEW—CISCO CONFIDENTIAL

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

16-26

Download from Www.Somanuals.com. All Manuals Search And Download.

C H A P T E R

Administrative Tasks for the Sensor

This chapter contains procedures that will help you with the administrative aspects of your sensor. It

contains the following sections:

•

Administrative Notes and Caveats, page 17-2

Recovering the Password, page 17-2

Clearing the Sensor Databases, page 17-9

Displaying the Inspection Load of the Sensor, page 17-11

Configuring Health Status Information, page 17-13

Showing Sensor Overall Health Status, page 17-17

Creating a Banner Login, page 17-18

Terminating CLI Sessions, page 17-19

Modifying Terminal Properties, page 17-20

Configuring Events, page 17-20

Configuring the System Clock, page 17-24

Clearing the Denied Attackers List, page 17-25

Displaying Policy Lists, page 17-27

Displaying Statistics, page 17-28

Displaying Tech Support Information, page 17-40

Displaying V e rsion Information, page 17-41

Diagnosing Network Connectivity, page 17-43

Resetting the Appliance, page 17-44

Displaying Command History, page 17-45

Displaying Hardware Inventory, page 17-46

Tracing the Route of an IP Packet, page 17-48

Displaying Submode Settings, page 17-49

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-1

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Administrative Notes and Caveats

The following notes and caveats apply to administrative tasks for the sensor:

•

Administrators may need to disable the password recovery feature for security reasons.

If you try to recover the password on a sensor on which password recovery is disabled, the process

proceeds with no errors or warnings; however, the password is not reset. If you cannot log in to the

sensor because you have forgotten the password, and password recovery is set to disabled, you must

reimage your sensor.

•

We do not recommend that you use clear database command unless under the direction of TAC or

in some testing conditions when you need to clear accumulated state information and start with a

clean database.

The ASA 5500-X IPS SSP and the ASA 5585-X IPS SSP do not support bypass mode. The adaptive

security appliance will either fail open, fail close, or fail over depending on the configuration of the

adaptive security appliance and the type of activity being done on the IPS.

•

When the sensor is first starting, it is normal for certain health metric statuses to be red until the

sensor is fully up and running.

You do not need to set the system clock if your sensor is synchronized by a valid outside timing

mechanism such as an NTP clock source.

The show inventory command does not apply to the ASA 5500-X IPS SSP and

ASA 5585-X IPS SSP.

Recovering the Password

This section describes how to recover the password for the various IPS platforms. It contains the

following topics:

•

Understanding Password Recovery, page 17-2

Recovering the Password for the Appliance, page 17-3

Recovering the Password for the ASA 5500-X IPS SS P , p age 17-4

Recovering the Password for the ASA 5585-X IPS SS P , p age 17-6

Disabling Password Recovery, page 17-8

V e rifying the State of Password Recovery, page 17-9

Troubleshooting Password Recovery, page 17-9

Understanding Password Recovery

Note

Administrators may need to disable the password recovery feature for security reasons.

Password recovery implementations vary according to IPS platform requirements. Password recovery is

implemented only for the cisco administrative account and is enabled by default. The IPS administrator

can then recover user passwords for other accounts using the CLI. The cisco user password reverts to

cisco and must be changed after the next login.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-2

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Recovering the Password

Table 17-1 lists the password recovery methods according to platform.

Table 17-1

Password Recovery Methods According to Platform

Platform

Description

Recovery Method

4300 series sensors

4500 series sensors

Standalone IPS appliances

GRUB prompt or ROMMON

ASA 5500-X IPS SSP

ASA 5585-X IPS SSP

ASA 5500 series adaptive security

appliance IPS modules

Adaptive security appliance CLI

command

Recovering the Password for the Appliance

This section describes the two ways to recover the password for appliances. It contains the following

topics:

•

Using the GRUB Menu, page 17-3

Using ROMMON, page 17-4

Using the GRUB Menu

Note

You must have a terminal server or direct serial connection to the appliance to use the GRUB menu to

recover the password.

For the IPS 4355, IPS 4360, IPS 4510, and IPS 4520 appliances, the password recovery is found in the

GRUB menu, which appears during bootup. When the GRUB menu appears, press any key to pause the

boot process.

To recover the password on appliances, follow these steps:

Step 1

Reboot the appliance to see the GRUB menu.

GNU GRUB version 0.94 (632K lower / 523264K upper memory)

-------------------------------------------

0: Cisco IPS

1: Cisco IPS Recovery

2: Cisco IPS Clear Password (cisco)

-------------------------------------------

Use the ^ and v keys to select which entry is highlighted.

Press enter to boot the selected OS, 'e' to edit the

Commands before booting, or 'c' for a command-line.

Highlighted entry is 0:

Step 2

Step 3

Press any key to pause the boot process.

Choose 2: Cisco IPS Clear Password (cisco). The password is reset to cisco. Log in to the CLI with

username cisco and password cisco. You can then change the password.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-3

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Recovering the Password

Using ROMMON

For the IPS 4345, IPS 4360, IPS 4510, and IPS 4520, you can use the ROMMON to recover the

password. To access the ROMMON CLI, reboot the sensor from a terminal server or direct connection

and interrupt the boot process.

To recover the password using the ROMMON CLI, follow these steps:

Step 1

Step 2

Reboot the appliance.

To interrupt the boot process, press ESC or Control-R (terminal server) or send a BREAK command

(direct connection). The boot code either pauses for 10 seconds or displays something similar to one of

the following:

•

Evaluating boot options

Use BREAK or ESC to interrupt boot

Step 3

Enter the following commands to reset the password:

confreg 0x7

boot

Sample ROMMON session:

Booting system, please wait...

CISCO SYSTEMS

Embedded BIOS Version 1.0(11)2 01/25/06 13:21:26.17

...

Evaluating BIOS Options...

Launch BIOS Extension to setup ROMMON

Cisco Systems ROMMON Version (1.0(11)2) #0: Thu Jan 26 10:43:08 PST 2006

Platform IPS-4360-K9

Use BREAK or ESC to interrupt boot.

Use SPACE to begin boot immediately.

Boot interrupted.

Management0/0

Link is UP

MAC Address:000b.fcfa.d155

Use ? for help.

rommon #0> confreg 0x7

Update Config Register (0x7) in NVRAM...

rommon #1> boot

Recovering the Password for the ASA 5500-X IPS SSP

You can reset the password to the default (cisco) for the ASA 5500-X IPS SSP using the CLI or the

ASDM. Resetting the password causes it to reboot. IPS services are not available during a reboot.

Note

To reset the password, you must have ASA 8.6.1 or later.

Use the sw-module module ips password-reset command to reset the password to the default cisco. If

the module in the specified slot has an IPS version that does not support password recovery, the

following error message is displayed:

ERROR: the module in slot <n> does not support password recovery.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-4

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Recovering the Password

To reset the password on the ASA 5500-X IPS SSP, follow these steps:

Step 1

Log into the adaptive security appliance and enter the following command:

asa# sw-module module ips password-reset

Reset the password on module ips? [confirm]

Step 2

Step 3

Press Enter to confirm.

Password-Reset issued for module ips.

Verify the status of the module. Once the status reads Up, you can session to the ASA 5500-X IPS SSP.

asa# show module ips

Mod Card Type

Model

Serial No.

--- -------------------------------------------- ------------------ -----------

ips ASA 5555-X IPS Security Services Processor

Mod MAC Address Range Hw Version

ASA5555-IPS

FCH151070GR

Fw Version

Sw Version

--- --------------------------------- ------------ ------------ ---------------

ips 503d.e59c.7c4c to 503d.e59c.7c4c N/A N/A 7.2(1)E4

Mod SSM Application Name

Status

SSM Application Version

--- ------------------------------ ---------------- --------------------------

ips IPS

7.2(1)E4

Compatibility

Mod Status

Data Plane Status

--- ------------------ --------------------- -------------

ips Up

Mod License Name

License Status Time Remaining

--- -------------- --------------- ---------------

ips IPS Module Enabled 210 days

Step 4

Step 5

Session to the ASA 5500-X IPS SSP.

asa# session ips

Opening command session with module ips.

Connected to module ips. Escape character sequence is 'CTRL-^X'.

Enter the default username (cisco) and password (cisco) at the login prompt.

Password: cisco

You are required to change your password immediately (password aged)

Changing password for cisco.

(current) password: cisco

Step 6

Enter your new password twice.

New password: new password

Retype new password: new password

***NOTICE***

This product contains cryptographic features and is subject to United States and local

country laws governing import, export, transfer and use. Delivery of Cisco cryptographic

products does not imply third-party authority to import, export, distribute or use

encryption. Importers, exporters, distributors and users are responsible for compliance

with U.S. and local country laws. By using this product you agree to comply with

applicable laws and regulations. If you are unable to comply with U.S. and local laws,

return this product immediately.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-5

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Recovering the Password

A summary of U.S. laws governing Cisco cryptographic products may be found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to [email protected].

***LICENSE NOTICE***

There is no license key installed on this IPS platform. The system will continue to

operate with the currently installed signature set. A valid license must be obtained in

order to apply signature updates. Please go to http://www.cisco.com/go/license to obtain a

new license or install a license.

asa-ssp#

Using the ASDM

To reset the password in the ASDM, follow these steps:

Step 1

From the ASDM menu bar, choose Tools > IPS Password Reset.

Note

This option does not appear in the menu if there is no IPS present.

Step 2

Step 3

In the IPS Password Reset confirmation dialog box, click OK to reset the password to the default (cisco).

A dialog box displays the success or failure of the password reset. If the reset fails, make sure you have

the correct ASA and IPS software versions.

Click Close to close the dialog box. The sensor reboots.

Recovering the Password for the ASA 5585-X IPS SSP

Note

To reset the password, you must have ASA 8.2.(4.4) or later or ASA 8.4.2 or later. The

ASA 5585-X IPS SSP is not supported in ASA 8.3(x).

You can reset the password to the default (cisco) for the ASA 5585-X IPS SSP using the CLI or the

ASDM. Resetting the password causes it to reboot. IPS services are not available during a reboot.

Use the hw-module module slot_number password-reset command to reset the password to the default

cisco. If the module in the specified slot has an IPS version that does not support password recovery, the

following error message is displayed:

ERROR: the module in slot <n> does not support password recovery.

To reset the password on the ASA 5585-X IPS SSP, follow these steps:

Step 1

Step 2

Log into the adaptive security appliance and enter the following command:

asa# hw-module module 1 password-reset

Reset the password on module in slot 1? [confirm]

Press Enter to confirm.

Password-Reset issued for slot 1.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-6

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Recovering the Password

Step 3

Verify the status of the module. Once the status reads Up, you can session to the ASA 5585-X IPS SSP.

asa# show module 1

Mod Card Type

Model

Serial No.

--- -------------------------------------------- ------------------ -----------

1 ASA 5585-X IPS Security Services Processor-4 ASA5585-SSP-IPS40 JAF1436ABSG

Mod MAC Address Range

--- --------------------------------- ------------ ------------ ---------------

1 5475.d029.8c74 to 5475.d029.8c7f 0.1 2.0(12)3 7.2(1)E4

Hw Version

Fw Version

Sw Version

Mod SSM Application Name

Status

SSM Application Version

--- ------------------------------ ---------------- --------------------------

1 IPS

7.2(1)E4

Compatibility

Mod Status

Data Plane Status

--- ------------------ --------------------- -------------

1 Up Up

Step 4

Step 5

Session to the ASA 5585-X IPS SSP.

asa# session 1

Opening command session with slot 1.

Connected to slot 1. Escape character sequence is 'CTRL-^X'.

Enter the default username (cisco) and password (cisco) at the login prompt.

Password: cisco

You are required to change your password immediately (password aged)

Changing password for cisco.

(current) password: cisco

Step 6

Enter your new password twice.

New password: new password

Retype new password: new password

***NOTICE***

This product contains cryptographic features and is subject to United States and local

country laws governing import, export, transfer and use. Delivery of Cisco cryptographic

products does not imply third-party authority to import, export, distribute or use

encryption. Importers, exporters, distributors and users are responsible for compliance

with U.S. and local country laws. By using this product you agree to comply with

applicable laws and regulations. If you are unable to comply with U.S. and local laws,

return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to [email protected].

***LICENSE NOTICE***

There is no license key installed on this IPS platform. The system will continue to

operate with the currently installed signature set. A valid license must be obtained in

order to apply signature updates. Please go to http://www.cisco.com/go/license to obtain a

new license or install a license.

ips_ssp#

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-7

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Recovering the Password

Using the ASDM

To reset the password in the ASDM, follow these steps:

Step 1

From the ASDM menu bar, choose Tools > IPS Password Reset.

Note

This option does not appear in the menu if there is no IPS present.

Step 2

Step 3

In the IPS Password Reset confirmation dialog box, click OK to reset the password to the default (cisco).

A dialog box displays the success or failure of the password reset. If the reset fails, make sure you have

the correct ASA and IPS software versions.

Click Close to close the dialog box. The sensor reboots.

Disabling Password Recovery

Caution

If you try to recover the password on a sensor on which password recovery is disabled, the process

proceeds with no errors or warnings; however, the password is not reset. If you cannot log in to the sensor

because you have forgotten the password, and password recovery is set to disabled, you must reimage

your sensor.

Password recovery is enabled by default. You can disable password recovery through the CLI, IDM, or

IME.

Disabling Password Recovery Using the CLI

To disable password recovery in the CLI, follow these steps:

Step 1

Step 2

Enter global configuration mode.

sensor# configure terminal

Step 3

Step 4

Enter host mode.

sensor(config)# service host

Disable password recovery.

sensor(config-hos)# password-recovery disallowed

Disabling Password Recovery Using the IDM or IME

To disable password recovery in the IDM or IME, follow these steps:

Step 1

Step 2

Choose Configuration > sensor_name > Sensor Setup > Network.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-8

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Clearing the Sensor Databases

Step 3

To disable password recovery, uncheck the Allow Password Recovery check box.

Verifying the State of Password Recovery

Use the show settings | include password command to verify whether password recovery is enabled.

To verify whether password recovery is enabled, follow these steps:

Step 1

Step 2

Enter service host submode.

sensor# configure terminal

sensor (config)# service host

sensor (config-hos)#

Step 3

Verify the state of password recovery by using the include keyword to show settings in a filtered output.

sensor(config-hos)# show settings | include password

password-recovery: allowed <defaulted>

sensor(config-hos)#

Troubleshooting Password Recovery

When you troubleshoot password recovery, pay attention to the following:

•

You cannot determine whether password recovery has been disabled in the sensor configuration

from the ROMMON prompt, GRUB menu, switch CLI, or router CLI. If you attempt password

recovery, it always appears to succeed. If it has been disabled, the password is not reset to cisco. The

only option is to reimage the sensor.

You can disable password recovery in the host configuration. For the platforms that use external

mechanisms, such as ROMMON, although you can run commands to clear the password, if

password recovery is disabled in the IPS, the IPS detects that password recovery is not allowed and

rejects the external request.

To check the state of password recovery, use the show settings | include password command.

Clearing the Sensor Databases

Caution

We do not recommend that you use clear database command unless under the direction of TAC or in

some testing conditions when you need to clear accumulated state information and start with a clean

database.

Use the clear database [virtual-sensor] all | nodes | alerts | inspectors command in privileged EXEC

mode to clear specific parts of the sensor database. The clear database command is useful for

troubleshooting and testing.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-9

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Clearing the Sensor Databases

The following options apply:

•

virtual-sensor—Specifies the name of a virtual sensor configured on the sensor.

all— Clears all nodes, inspectors, and alerts databases.

Caution

This command causes summary alerts to be discarded.

•

nodes—Clears the overall packet database elements, including the packet nodes, TCP session

information, and inspector lists.

alerts—Clears the alert database including the alerts nodes, Meta inspector information, summary

state, and event count structures.

inspectors—Clears the inspector lists in the nodes. Inspector lists represent the packet work and

observations collected during the time the sensor is running.

Clearing the Sensor Database

To clear the sensor database, follow these steps:

Step 1

Step 2

Clear the entire sensor database.

sensor# clear database all

Warning: Executing this command will delete database on all virtual sensors

Continue? [yes]:

Step 3

Step 4

Enter yesto clear all the databases on the sensor.

Clear the packet nodes.

sensor# clear database nodes

Warning: Executing this command will delete database on all virtual sensors

Continue? [yes]:

Step 5

Step 6

Enter yesto clear the packet nodes database.

Clear the alerts database on a specific virtual sensor.

sensor# clear database vs0 alerts

Warning: Executing this command will delete database on all virtual sensors

Continue? [yes]:

Step 7

Step 8

Enter yesto clear the alerts database.

Clear inspector lists on the sensor.

sensor# clear database inspectors

Warning: Executing this command will delete database on all virtual sensors

Continue? [yes]:

Step 9

Enter yesto clear the inspectors database.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-10

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Displaying the Inspection Load of the Sensor

Use the show inspection-load command in privileged EXEC mode to display a timestamp and the

current inspection load of the sensor. Use the history option to display a histogram of the inspection load

over the past 60 minutes and over the past 72 hours.

Use this command to determine the load on the sensor instead of the CPU Usage information from the

show statistics host command. The inspection load is a more accurate representation of the processing

level of the sensor. The calculation of the inspection load has also been enhanced to provide a more

accurate calculation of the sensor load at lower traffic levels.

Note

The Processing Load category in the show statistics virtual-sensor output has been renamed to

Inspection Load and shows the same value seen in the show inspection load command.

The show inspection-load command is not currently supported for the IPS 4500 series sensors.

To display the inspection load of the sensor, follow these steps:

Step 1

Step 2

Show the current inspection load with a timestamp of the sensor.

sensor# show inspection-load

sensor 08:18:13 PM Friday Jan 15 2011 UTC

Inspection Load Percentage = 1

Step 3

Show the histogram of the inspection load:

sensor# show inspection-load history

sensor 15:36:42 UTC Mon Jan 30 2012

sensor 08:18:13 PM Friday Jan 15 2011 UTC

Inspection Load Percentage = 65

100

70 * *

60 * * *** * ****** ** * * * * * * ** ** *

50 * * *** * ****** ** * * * * * * ** ** *

40 * *** ********************* * * * * ** * * * * * ***********

30 ********************************* ************ *************

20 ************************************************************

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-11

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Displaying the Inspection Load of the Sensor

10 ************************************************************

0.........1.........2.........3.........4.........5.........6

Inspection Load Percentage (last 6 minutes at 10 second intervals)

100

60 * * *** * ****** ** * * * * * * ** ** *

50 * * *** * ****** ** * * * * * * ** ** *

40 * *** *********####******** * * * * ** * * * * * ***********

30 ####**###*###*######**##****#*#*# *********#*# #*##****#####

20 ############################################################

10 ############################################################

0....5....1....1....2....2....3....3....4....4....5....5....6

Inspection Load Percentage (last 60 minutes) *=maximum #=average

100

60 * * *** * ****** ** * * * * * * ** ** * * * *** *

50 * * *** * ****** ** * * * * * * ** ** * * * *** *

40 * *** ********************* * * * * ** * * * * * *********** * * ***

30 ******###**#**######**##****#*#*# *********#*# #*##****##**# #*#*###

20 #####################################################################

10 #####################################################################

0....5....1....1....2....2....3....3....4....4....5....5....6....6....7.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-12

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Configuring Health Status Information

Inspection Load Percentage (last 72 hours) *=maximum #=average

sensor#

Configuring Health Status Information

Configure the health statistics for the sensor in service health monitor submode. Use the show health

command to see the results. The health status categories are rated by red and green with red being

critical.

The following options apply:

•

application-failure-policy {enable | disable} {true | false} status {green | yellow | red}—Lets you

choose to have an application failure applied to the overall sensor health rating.

•

bypass-policy {enable | disable} {true | false} status {green | yellow | red}—Lets you choose to

know if bypass mode is active and have that apply to the overall sensor health rating.

Note

The ASA 5500-X IPS SSP and the ASA 5585-X IPS SSP do not support bypass mode. The

adaptive security appliance will either fail open, fail close, or fail over depending on the

configuration of the adaptive security appliance and the type of activity being done on the

IPS.

•

enable-monitoring {true | false}—Lets you choose to monitor sensor health and security.

event-retrieval-policy {enable | disable} {true | false} red-threshold yellow-threshold

seconds—Lets you set a threshold for when the last event was retrieved and have that apply to the

overall sensor health rating. The health status is degraded to red or yellow when that threshold is

met. The range for the threshold is 0 to 4294967295 seconds.

Note

The event retrieval metric keeps track of when the last event was retrieved by an external

monitoring application such as the IME. Disable event retrieval policy if you are not doing

external event monitoring.

•

global-correlation-policy {enable | disable} {true | false}—Lets you apply this metric to the

overall sensor health rating.

heartbeat-events {enable | disable} seconds—Lets you enable heartbeat events to be emitted at the

specified interval in seconds and have that apply to the overall sensor health rating. The range for

the interval is 15 to 86400 seconds.

•

inspection-load-policy {enable | disable} {true | false} red-threshold yellow-threshold

seconds—Lets you set the threshold for inspection load. The health status is degraded to red or

yellow when that threshold is met. The range is 0 to 100.

interface-down-policy {enable | disable} {true | false} status {green | yellow | red}—Lets you

choose to know if one or more enabled interfaces are down and have that apply to the overall sensor

health rating.

license-expiration-policy {enable | disable} {true | false} red-threshold yellow-threshold—Lets

you set a threshold for when the license expires and whether this metric is applied to the overall

sensor health rating. The range for the threshold is 0 to 4294967295 seconds.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-13

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Configuring Health Status Information

•

memory-usage-policy {enable | disable} {true | false} red-threshold yellow-threshold—Lets you

set a threshold percentage for memory usage and whether this metric is applied to the overall sensor

health rating. The range is 0 to 100. The default for red is 91% and the default for yellow is 80%.

missed-packet-policy {enable | disable} {true | false} red-threshold yellow-threshold—Lets you

set a threshold percentage for missed packets and whether this metric is applied to the overall sensor

health rating.

•

network-participation-policy {enable | disable} {true | false}—Lets you apply this metric to the

overall sensor health rating.

persist-security-status—Lets you set the number of minutes that a lower security persists following

the occurrence of the latest event to lower the security status.

signature-update-policy {enable | disable} {true | false} red-threshold yellow-threshold—Lets

you set a threshold for the number of days elapsed since the last signature update and whether this

metric is applied to the overall sensor health rating. The range for the threshold is 0 to 4294967295

seconds

ASA 5500-X IPS SSP and Memory Usage

For the ASA 5500-X IPS SSP, the memory usage is 93%. The default health thresholds for the sensor

are 80% for yellow and 91% for red, so the sensor health will be shown as red on these platforms even

for normal operating conditions. You can tune the threshold percentage for memory usage so that it reads

more accurately for these platforms by configuring the memory-usage-policy option in the sensor health

metrics.

Note

Make sure you have the memory-usage-policy option in the sensor health metrics enabled.

Table 17-2 lists the yellow-threshold and red-threshold health values.

Table 17-2

ASA 5500-X IPS SSP Memory Usage Values

Platform

Yellow

85%

88%

93%

95%

Red

Memory Used

28%

ASA 5512-X IPS SSP

ASA 5515-X IPS SSP

ASA 5525-X IPS SSP

ASA 5545-X IPS SSP

ASA 5555-X IPS SSP

91%

92%

96%

98%

14%

13%

17%

Configuring Health Statistics

To configure the health statistics for the sensor, follow these steps:

Step 1

Step 2

Enter service health monitor submode.

sensor# configure terminal

sensor(config)# service health-monitor

sensor(config-hea)#

Step 3

Enable the metrics for application failure status.

sensor(config-hea)# application-failure-policy

sensor(config-hea-app)# enable true

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-14

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Configuring Health Status Information

sensor(config-hea-app)# status red

sensor(config-hea-app)# exit

sensor(config-hea)#

Step 4

Enable the metrics for bypass policy.

sensor(config-hea)# bypass-policy

sensor(config-hea-byp)# enable true

sensor(config-hea-byp)# status yellow

sensor(config-hea-byp)# exit

sensor(config-hea)#

Step 5

Step 6

Enable the metrics for sensor health and security monitoring.

sensor(config-hea)# enable-monitoring true

sensor(config-hea)#

Set the event retrieval thresholds for event retrieval metrics.

sensor(config-hea)# event-retrieval-policy

sensor(config-hea-eve)# enable true

sensor(config-hea-eve)# red-threshold 100000

sensor(config-hea-eve)# yellow-threshold 100

sensor(config-hea-eve)# exit

sensor(config-hea)#

Step 7

Enable health metrics for global correlation.

sensor(config-hea)# global-correlation-policy

sensor(config-hea-glo)# enable true

sensor(config-hea-glo)# exit

sensor(config-hea)#

Step 8

Step 9

Enable the metrics for heartbeat events to be emitted at the specified interval of seconds.

sensor(config-hea)# heartbeat-events enable 20000

sensor(config-hea)#

Set the inspection load threshold.

sensor(config-hea)# inspection-load-policy

sensor(config-hea-ins)# enable true

sensor(config-hea-ins)# red-threshold 100

sensor(config-hea-ins)# yellow-threshold 50

sensor(config-hea-ins)# exit

sensor(config-hea)#

Step 10 Enable the interface down policy.

sensor(config-hea)# interface-down-policy

sensor(config-hea-int)# enable true

sensor(config-hea-int)# status yellow

sensor(config-hea-int)# exit

sensor(config-hea)#

Step 11 Set the number of days until the license expires.

sensor(config-hea)# license-expiration-policy

sensor(config-hea-lic)# enable true

sensor(config-hea-lic)# red-threshold 400000

sensor(config-hea-lic)# yellow-threshold 200000

sensor(config-hea-lic)# exit

sensor(config-hea)#

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-15

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Configuring Health Status Information

Step 12 Set the threshold for memory usage.

sensor(config-hea)# memory-usage-policy

sensor(config-hea-mem)# enable true

sensor(config-hea-mem)# red-threshold 100

sensor(config-hea-mem)# yellow-threshold 50

sensor(config-hea-mem)# exit

sensor(config-hea)#

Step 13 Set the missed packet threshold.

sensor(config-hea)# missed-packet-policy

sensor(config-hea-mis)# enable true

sensor(config-hea-mis)# red-threshold 50

sensor(config-hea-mis)# yellow-threshold 20

sensor(config-hea-mis)# exit

sensor(config-hea)#

Step 14 Set the number of minutes that a lower security persists following the occurrence of the latest event to

lower the security status.

sensor(config-hea)# persist-security-status 10

sensor(config-hea)#

Step 15 Set the number of days since the last signature update.

sensor(config-hea)# signature-update-policy

sensor(config-hea-sig)# enable true

sensor(config-hea-sig)# red-threshold 30000

sensor(config-hea-sig)# yellow-threshold 10000

sensor(config-hea-sig)# exit

sensor(config-hea)#

Step 16 Verify your settings.

sensor(config-hea)# show settings

enable-monitoring: true default: true

persist-security-status: 10 minutes default: 5

heartbeat-events

-----------------------------------------------

enable: 20000 seconds default: 300

-----------------------------------------------

application-failure-policy

-----------------------------------------------

enable: true default: true

status: red default: red

-----------------------------------------------

bypass-policy

-----------------------------------------------

enable: true default: true

status: yellow default: red

-----------------------------------------------

interface-down-policy

-----------------------------------------------

enable: true default: true

status: yellow default: red

-----------------------------------------------

inspection-load-policy

-----------------------------------------------

enable: true default: true

yellow-threshold: 50 percent default: 80

red-threshold: 100 percent default: 91

-----------------------------------------------

missed-packet-policy

-----------------------------------------------

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-16

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Showing Sensor Overall Health Status

enable: true default: true

yellow-threshold: 20 percent default: 1

red-threshold: 50 percent default: 6

-----------------------------------------------

memory-usage-policy

-----------------------------------------------

enable: true default: false

yellow-threshold: 50 percent default: 80

red-threshold: 100 percent default: 91

-----------------------------------------------

signature-update-policy

-----------------------------------------------

enable: true default: true

yellow-threshold: 10000 days default: 30

red-threshold: 30000 days default: 60

-----------------------------------------------

license-expiration-policy

-----------------------------------------------

enable: true default: true

yellow-threshold: 200000 days default: 30

red-threshold: 400000 days default: 0

-----------------------------------------------

event-retrieval-policy

-----------------------------------------------

enable: true <defaulted>

yellow-threshold: 100000 seconds default: 300

red-threshold: 100 seconds default: 600

-----------------------------------------------

sensor(config-hea)#

Step 17 Exit health monitoring submode.

sensor(config-hea)# exit

Apply Changes:?[yes]:

Step 18 Press Enter to apply the changes or enter no to discard them.

Showing Sensor Overall Health Status

Caution

When the sensor is first starting, it is normal for certain health metric statuses to be red until the sensor

is fully up and running.

Note

The ASA 5500-X IPS SSP and the ASA 5585-X IPS SSP do not support bypass mode. The adaptive

security appliance will either fail open, fail close, or fail over depending on the configuration of the

adaptive security appliance and the type of activity being done on the IPS.

Use the show health command in privileged EXEC mode to display the overall health status information

of the sensor. The health status categories are rated by red and green with red being critical.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-17

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Creating a Banner Login

To display the overall health status of the sensor, follow these steps:

Step 1

Step 2

Show the health and security status of the sensor.

sensor# show health

Overall Health Status

Red

Health Status for Failed Applications

Health Status for Signature Updates

Health Status for License Key Expiration

Health Status for Running in Bypass Mode

Health Status for Interfaces Being Down

Health Status for the Inspection Load

Health Status for the Time Since Last Event Retrieval

Health Status for the Number of Missed Packets

Health Status for the Memory Usage

Health Status for Global Correlation

Health Status for Network Participation

Green

Red

Green

Red

Green

Not Enabled

Red

Not Enabled

Security Status for Virtual Sensor vs0

sensor#

Green

Creating a Banner Login

Use the banner login command to create a banner login that will be displayed before the user and

password login prompts. The maximum message length is 2500 characters. Use the no banner login

command to remove the banner.

To create a banner login, follow these steps:

Step 1

Step 2

Enter global configuration mode.

sensor# configure terminal

Step 3

Step 4

Create the banner login.

sensor(config)# banner login

Banner[]:

Enter your message.

Banner[]: This message will be displayed on banner login. ^M Thank you

sensor(config)#

Note

To use a ? or a carriage return in the message, press Ctrl-V-? or Ctrl-V-Enter. They are

represented by ^M.

Example

This message will be displayed on login.

Thank you

Password:****

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-18

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Terminating CLI Sessions

Step 5

Remove the banner login. The banner no longer appears at login.

sensor(config)# no banner login

Terminating CLI Sessions

Caution

You can only clear CLI login sessions with the clear line command. You cannot clear service logins with

this command.

Use the clear line cli_id [message] command to terminate another CLI session. If you use the message

keyword, you can send a message along with the termination request to the receiving user. The maximum

message length is 2500 characters.

The following options apply:

•

cli_id—Specifies the CLI ID number associated with the login session. Use the show users

command to find the CLI ID number.

•

message—Specifies the message to send to the receiving user.

If an administrator tries to log in when the maximum sessions have been reached, the following message

appears:

Error: The maximum allowed CLI sessions are currently open, would you like to terminate

one of the open sessions? [no]

If an operator or viewer tries to log in when the maximum sessions are open, the following message

appears:

Error: The maximum allowed CLI sessions are currently open, please try again later.

To terminate a CLI session, follow these steps:

Step 1

Step 2

Note

Operator and viewer can only clear lines with the same username as the current login.

Find the CLI ID number associated with the login session.

sensor# show users

CLI ID

13533

15689

20098

User

Privilege

jtaylor administrator

jsmith operator

viewer viewer

Step 3

Terminate the CLI session of jsmith.

sensor# clear line cli_id message

Message[]:

Example

sensor# clear line 15689 message

Message{}: Sorry! I need to terminate your session.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-19

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Modifying Terminal Properties

sensor#

The user jsmith receives the following message from the administrator jtaylor.

sensor#

***

*** Termination request from jtaylor

***

Sorry! I need to terminate your session.

Modifying Terminal Properties

Note

You are not required to specify the screen length for some types of terminal sessions because the

specified screen length can be learned by some remote hosts.

Use the terminal [length] screen _length command to modify terminal properties for a login session.

The screen_ length option lets you set the number of lines that appear on the screen before the --more--

prompt is displayed. A value of zero results in no pause in the output. The default value is 24 lines.

To modify the terminal properties, follow these steps:

Step 1

Step 2

To have no pause between multi-screen outputs, use 0 for the screen length value.

sensor# terminal length 0

Note

The screen length values are not saved between login sessions.

Step 3

To have the CLI pause and display the --more--prompt every 10 lines, use 10 for the screen length value.

sensor# terminal length 10

Configuring Events

This section describes how to display and clear events from the Event Store, and contains the following

topics:

•

Displaying Events, page 17-21

Clearing Events from the Event Store, page 17-23

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-20

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Configuring Events

Displaying Events

Note

The Event Store has a fixed size of 30 MB for all platforms.

Note

Events are displayed as a live feed. To cancel the request, press Ctrl-C.

Use the show events [{alert [informational] [low] [medium] [high] [include-traits traits]

[exclude-traits traits] [min-threat-rating min-rr] [max-threat-rating max-rr] | error [warning]

[error] [fatal] | NAC | status}] [hh:mm:ss [month day [year]] | past hh:mm:ss] command to display

events from Event Store. Events are displayed beginning at the start time. If you do not specify a start

time, events are displayed beginning at the current time. If you do not specify an event type, all events

are displayed.

The following options apply:

•

alert—Displays alerts. Provides notification of some suspicious activity that may indicate an attack

is in process or has been attempted. Alert events are generated by the Analysis Engine whenever a

signature is triggered by network activity. If no level is selected (informational, low, medium, or

high), all alert events are displayed.

•

include-traits—Displays alerts that have the specified traits.

exclude-traits—Does not display alerts that have the specified traits.

traits—Specifies the trait bit position in decimal (0 to 15).

min-threat-rating—Displays events with a threat rating above or equal to this value. The default is

0. The valid range is 0 to 100.

•

max-threat-rating—Displays events with a threat rating below or equal to this value. The default

is 100. The valid range is 0 to 100.

error—Displays error events. Error events are generated by services when error conditions are

encountered. If no level is selected (warning, error, or fatal), all error events are displayed.

NAC—Displays the ARC (block) requests.

Note

The ARC is formerly known as NAC. This name change has not been completely

implemented throughout the IDM, the IME, and the CLI.

•

status—Displays status events.

past—Displays events starting in the past for the specified hours, minutes, and seconds.

hh:mm:ss—Specifies the hours, minutes, and seconds in the past to begin the display.

Note

The show events command continues to display events until a specified event is available. To exit, press

Ctrl-C.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-21

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Configuring Events

Displaying Events

To display events from the Event Store, follow these steps:

Step 1

Step 2

Display all events starting now. The feed continues showing all events until you press Ctrl-C.

sensor# show events

evError: eventId=1041472274774840147 severity=warning vendor=Cisco

originator:

hostId: sensor2

appName: cidwebserver

appInstanceId: 12075

time: 2011/01/07 04:41:45 2011/01/07 04:41:45 UTC

errorMessage: name=errWarning received fatal alert: certificate_unknown

evError: eventId=1041472274774840148 severity=error vendor=Cisco

originator:

hostId: sensor2

appName: cidwebserver

appInstanceId: 351

time: 2011/01/07 04:41:45 2011/01/07 04:41:45 UTC

errorMessage: name=errTransport WebSession::sessionTask(6) TLS connection exce

ption: handshake incomplete.

Step 3

Display the block requests beginning at 10:00 a.m. on February 9, 2011.

sensor# show events NAC 10:00:00 Feb 9 2011

evShunRqst: eventId=1106837332219222281 vendor=Cisco

originator:

deviceName: Sensor1

appName: NetworkAccessControllerApp

appInstance: 654

time: 2011/02/09 10:33:31 2011/08/09 13:13:31

shunInfo:

host: connectionShun=false

srcAddr: 11.0.0.1

destAddr:

srcPort:

destPort:

protocol: numericType=0 other

timeoutMinutes: 40

evAlertRef: hostId=esendHost 123456789012345678

sensor#

Step 4

Display errors with the warning level starting at 10:00 a.m. on February 9, 2011.

sensor# show events error warning 10:00:00 Feb 9 2011

evError: eventId=1041472274774840197 severity=warning vendor=Cisco

originator:

hostId: sensor

appName: cidwebserver

appInstanceId: 12160

time: 2011/01/07 04:49:25 2011/01/07 04:49:25 UTC

errorMessage: name=errWarning received fatal alert: certificate_unknown

Step 5

Display alerts from the past 45 seconds.

sensor# show events alert past 00:00:45

evIdsAlert: eventId=1109695939102805307 severity=medium vendor=Cisco

originator:

hostId: sensor

appName: sensorApp

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-22

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Configuring Events

appInstanceId: 367

time: 2011/03/02 14:15:59 2011/03/02 14:15:59 UTC

signature: description=Nachi Worm ICMP Echo Request id=2156 version=S54

subsigId: 0

sigDetails: Nachi ICMP

interfaceGroup:

vlan: 0

participants:

attacker:

addr: locality=OUT 10.89.228.202

target:

addr: locality=OUT 10.89.150.185

riskRatingValue: 70

interface: fe0_1

protocol: icmp

evIdsAlert: eventId=1109695939102805308 severity=medium vendor=Cisco

originator:

--MORE--

Step 6

Display events that began 30 seconds in the past.

sensor# show events past 00:00:30

evStatus: eventId=1041526834774829055 vendor=Cisco

originator:

hostId: sensor

appName: mainApp

appInstanceId: 2215

time: 2011/01/08 02:41:00 2011/01/08 02:41:00 UTC

controlTransaction: command=getVersion successful=true

description: Control transaction response.

requestor:

user: cids

application:

hostId: 64.101.182.101

appName: -cidcli

appInstanceId: 2316

evStatus: eventId=1041526834774829056 vendor=Cisco

originator:

hostId: sensor

appName: login(pam_unix)

appInstanceId: 2315

time: 2011/01/08 02:41:00 2011/01/08 02:41:00 UTC

syslogMessage:

description: session opened for user cisco by cisco(uid=0)

Clearing Events from the Event Store

Use the clear events command to clear the Event Store.

To clear events from the Event Store, follow these steps:

Step 1

Step 2

Clear the Event Store.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-23

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Configuring the System Clock

sensor# clear events

Warning: Executing this command will remove all events currently stored in the event

store.

Continue with clear? []:

Step 3

Enter yesto clear the events.

Configuring the System Clock

This section explains how to display and manually set the system clock. It contains the following topics:

Displaying the System Clock, page 17-24

Manually Setting the System Clock, page 17-25

•

Displaying the System Clock

Use the show clock [detail] command to display the system clock. You can use the detail option to

indicate the clock source (NTP or system) and the current summertime setting (if any). The system clock

keeps an authoritative flag that indicates whether the time is authoritative (believed to be accurate). If

the system clock has been set by a timing source, such as NTP, the flag is set.

Table 17-3 lists the system clock flags.

Table 17-3

System Clock Flags

Symbol

Description

Time is not authoritative.

Time is authoritative.

(blank)

Time is authoritative, but NTP is not synchronized.

To display the system clock, follow these steps:

Step 1

Step 2

Display the system clock.

sensor# show clock

*19:04:52 UTC Thu Apr 03 2008

Step 3

Display the system clock with details. The following example indicates that the sensor is getting its time

from NTP and that is configured and synchronized.

sensor# show clock detail

20:09:43 UTC Thu Apr 03 2011

Time source is NTP

Summer time starts 03:00:00 UTC Sun Mar 09 2011

Summer time stops 01:00:00 UTC Sun Nov 02 2011

Step 4

Display the system clock with details. The following example indicates that no time source is configured.

sensor# show clock detail

*20:09:43 UTC Thu Apr 03 2011

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-24

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Clearing the Denied Attackers List

No time source

Summer time starts 03:00:00 UTC Sun Mar 09 2011

Summer time stops 01:00:00 UTC Sun Nov 02 2011

Manually Setting the System Clock

Note

You do not need to set the system clock if your sensor is synchronized by a valid outside timing

mechanism such as an NTP clock source.

Use the clock set hh:mm [:ss] month day year command to manually set the clock on the appliance. Use

this command if no other time sources are available. The clock set command does not apply to the

following platforms, because they get their time from the adaptive security appliance in which they are

installed:

•

ASA 5500-X IPS SSP

ASA 5585-X IPS SSP

To manually set the clock on the appliance, follow these steps:

Step 1

Step 2

Set the clock manually.

sensor# clock set 13:21 Mar 29 2011

Note

The time format is 24-hour time.

Clearing the Denied Attackers List

Use the show statistics denied-attackers command to display the list of denied attackers. Use the clear

denied-attackers [virtual_sensor] [ip-address ip_address] command to delete the denied attackers list

and clear the virtual sensor statistics.

If your sensor is configured to operate in inline mode, the traffic is passing through the sensor. You can

configure signatures to deny packets, connections, and attackers while in inline mode, which means that

single packets, connections, and specific attackers are denied, that is, not transmitted, when the sensor

encounters them. When the signature fires, the attacker is denied and placed in a list. As part of sensor

administration, you may want to delete the list or clear the statistics in the list.

The following options apply:

•

virtual_sensor—(Optional) Specifies the virtual sensor whose denied attackers list should be

cleared.

•

ip_address—(Optional) Specifies the IP address to clear.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-25

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Clearing the Denied Attackers List

Displaying and Deleting Denied Attackers

To display the list of denied attackers and delete the list and clear the statistics, follow these steps:

Step 1

Step 2

Display the list of denied IP addresses. The statistics show that there are two IP addresses being denied

at this time.

sensor# show statistics denied-attackers

Denied Attackers and hit count for each.

10.20.4.2 = 9

10.20.5.2 = 5

Step 3

Delete the denied attackers list.

sensor# clear denied-attackers

Warning: Executing this command will delete all addresses from the list of attackers

currently being denied by the sensor.

Continue with clear? [yes]:

Step 4

Step 5

Enter yesto clear the list.

Delete the denied attackers list for a specific virtual sensor.

sensor# clear denied-attackers vs0

Warning: Executing this command will delete all addresses from the list of attackers being

denied by virtual sensor vs0.

Continue with clear? [yes]:

Step 6

Step 7

Enter yesto clear the list.

Remove a specific IP address from the denied attackers list for a specific virtual sensor.

sensor# clear denied-attackers vs0 ip-address 192.0.2.0

Warning: Executing this command will delete ip address 192.0.2.0 from the list of

attackers being denied by virtual sensor vs0.

Continue with clear? [yes]:

Step 8

Step 9

Enter yesto clear the list.

Verify that you have cleared the list. You can use the show statistics denied-attackers or show statistics

virtual-sensor command.

sensor# show statistics denied-attackers

Denied Attackers and hit count for each.

Statistics for Virtual Sensor vs0

Denied Attackers with percent denied and hit count for each.

Statistics for Virtual Sensor vs1

Denied Attackers with percent denied and hit count for each.

sensor#

sensor# show statistics virtual-sensor

Virtual Sensor Statistics

Statistics for Virtual Sensor vs0

Name of current Signature-Definition instance = sig0

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-26

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Displaying Policy Lists

Name of current Event-Action-Rules instance = rules0

List of interfaces monitored by this virtual sensor = mypair

Denied Address Information

Number of Active Denied Attackers = 0

Number of Denied Attackers Inserted = 2

Number of Denied Attackers Total Hits = 287

Number of times max-denied-attackers limited creation of new entry = 0

Number of exec Clear commands during uptime = 1

Denied Attackers and hit count for each.

Step 10 Clear only the statistics.

sensor# show statistics virtual-sensor clear

Step 11 Verify that you have cleared the statistics. The statistics have all been cleared except for the Number of

Active Denied Attackersand Number of exec Clear commands during uptimecategories. It is

important to know if the list has been cleared.

sensor# show statistics virtual-sensor

Virtual Sensor Statistics

Statistics for Virtual Sensor vs0

Name of current Signature-Definition instance = sig0

Name of current Event-Action-Rules instance = rules0

List of interfaces monitored by this virtual sensor = mypair

Denied Address Information

Number of Active Denied Attackers = 2

Number of Denied Attackers Inserted = 0

Number of Denied Attackers Total Hits = 0

Number of times max-denied-attackers limited creation of new entry = 0

Number of exec Clear commands during uptime = 1

Denied Attackers and hit count for each.

10.20.2.5 = 0

10.20.5.2 = 0

Displaying Policy Lists

Use the list {anomaly-detection-configurations | event-action-rules-configurations |

signature-definition-configurations} in EXEC mode to display the list of policies for these

components. The file size is in bytes. A virtual sensor with N/A indicates that the policy is not assigned

to a virtual sensor.

To display a list of policies on the sensor, follow these steps:

Step 1

Step 2

Display the list of policies for anomaly detection.

sensor# list anomaly-detection-configurations

Anomaly Detection

Instance

ad0

temp

MyAD

ad1

Size

255

707

255

141

Virtual Sensor

vs0

N/A

vs1

sensor#

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-27

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Displaying Statistics

Step 3

Display the list of policies for event action rules.

sensor# list event-action-rules-configurations

Event Action Rules

Instance

rules0

rules1

Size

112

141

Virtual Sensor

vs0

vs1

sensor#

Step 4

Display the list of policies for signature definition.

sensor# list signature-definition-configurations

Signature Definition

Instance

sig0

sig1

Size

336

141

Virtual Sensor

vs0

vs1

N/A

sig2

sensor#

Displaying Statistics

Use the show statistics [analysis-engine | anomaly-detection | authentication | denied-attackers |

web-server] [clear] command to display statistics for each sensor application.

Use the show statistics {anomaly-detection | denied-attackers | os-identification | virtual-sensor}

[name | clear] command to display statistics for these components for all virtual sensors. If you provide

the virtual sensor name, the statistics for that virtual sensor only are displayed.

Note

The clear option is not available for the analysis engine, anomaly detection, host, network access, or OS

identification applications.

For the IPS 4510 and IPS 4520, at the end of the command output, there are extra details for the Ethernet

controller statistics, such as the total number of packets received at the Ethernet controller, the total

number of packets dropped at the Ethernet controller under high load conditions, and the total packets

transmitted including the customer traffic packets and the internal keepalive packet count.

Note

The Ethernet controller statistics are polled at an interval of 5 seconds from the hardware side. The

keepalives are sent or updated at an interval of 10 ms. Because of this, there may be a disparity in the

actual count reflected in the total packets transmitted. At times, it is even possible that the total packets

transmitted may be less that the keepalive packets transmitted.

To display statistics for the sensor, follow these steps:

Step 1

Step 2

Display the statistics for the Analysis Engine.

sensor# show statistics analysis-engine

Analysis Engine Statistics

Number of seconds since service started = 431157

Processing Load Percentage

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-28

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Displaying Statistics

Thread

5 sec

1 min

5 min

Average

The rate of TCP connections tracked per second = 0

The rate of packets per second = 0

The rate of bytes per second = 0

Receiver Statistics

Total number of packets processed since reset = 0

Total number of IP packets processed since reset = 0

Transmitter Statistics

Total number of packets transmitted = 133698

Total number of packets denied = 203

Total number of packets reset = 3

Fragment Reassembly Unit Statistics

Number of fragments currently in FRU = 0

Number of datagrams currently in FRU = 0

TCP Stream Reassembly Unit Statistics

TCP streams currently in the embryonic state = 0

TCP streams currently in the established state = 0

TCP streams currently in the closing state = 0

TCP streams currently in the system = 0

TCP Packets currently queued for reassembly = 0

The Signature Database Statistics.

Total nodes active = 0

TCP nodes keyed on both IP addresses and both ports = 0

UDP nodes keyed on both IP addresses and both ports = 0

IP nodes keyed on both IP addresses = 0

Statistics for Signature Events

Number of SigEvents since reset = 0

Statistics for Actions executed on a SigEvent

Number of Alerts written to the IdsEventStore = 0

Inspection Stats

Inspector

AtomicAdvanced

Fixed

MSRPC_TCP

MSRPC_UDP

MultiString

ServiceDnsUdp

ServiceGeneric

ServiceHttp

ServiceNtp

ServiceP2PTCP

ServiceRpcUDP

ServiceRpcTCP

ServiceSMBAdvanced

ServiceSnmp

ServiceTNS

String

active

call

2312

1659

1808

145

1841

2016

create

delete

loadPct

1606

1575

3176

1606

1575

3176

3682

1841

130

139

1841

225

1808

576

288

261

1808

1555

SweepUDP

SweepTCP

SweepOtherTcp

TrojanBO2K

TrojanUdp

1555

GlobalCorrelationStats

SwVersion = 7.2(1)E4

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-29

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Displaying Statistics

SigVersion = 645.0

DatabaseRecordCount = 0

DatabaseVersion = 0

RuleVersion = 0

ReputationFilterVersion = 0

AlertsWithHit = 0

AlertsWithMiss = 0

AlertsWithModifiedRiskRating = 0

AlertsWithGlobalCorrelationDenyAttacker = 0

AlertsWithGlobalCorrelationDenyPacket = 0

AlertsWithGlobalCorrelationOtherAction = 0

AlertsWithAuditRepDenies = 0

ReputationForcedAlerts = 0

EventStoreInsertTotal = 0

EventStoreInsertWithHit = 0

EventStoreInsertWithMiss = 0

EventStoreDenyFromGlobalCorrelation = 0

EventStoreDenyFromOverride = 0

EventStoreDenyFromOverlap = 0

EventStoreDenyFromOther = 0

ReputationFilterDataSize = 0

ReputationFilterPacketsInput = 0

ReputationFilterRuleMatch = 0

DenyFilterHitsNormal = 0

DenyFilterHitsGlobalCorrelation = 0

SimulatedReputationFilterPacketsInput = 0

SimulatedReputationFilterRuleMatch = 0

SimulatedDenyFilterInsert = 0

SimulatedDenyFilterPacketsInput = 0

SimulatedDenyFilterRuleMatch = 0

TcpDeniesDueToGlobalCorrelation = 0

TcpDeniesDueToOverride = 0

TcpDeniesDueToOverlap = 0

TcpDeniesDueToOther = 0

SimulatedTcpDeniesDueToGlobalCorrelation = 0

SimulatedTcpDeniesDueToOverride = 0

SimulatedTcpDeniesDueToOverlap = 0

SimulatedTcpDeniesDueToOther = 0

LateStageDenyDueToGlobalCorrelation = 0

LateStageDenyDueToOverride = 0

LateStageDenyDueToOverlap = 0

LateStageDenyDueToOther = 0

SimulatedLateStageDenyDueToGlobalCorrelation = 0

SimulatedLateStageDenyDueToOverride = 0

SimulatedLateStageDenyDueToOverlap = 0

SimulatedLateStageDenyDueToOther = 0

AlertHistogram

RiskHistogramEarlyStage

RiskHistogramLateStage

ConfigAggressiveMode = 0

ConfigAuditMode = 0

RegexAccelerationStats

Status = Enabled

DriverVersion = 6.2.1

Devices = 1

Agents = 12

Flows = 7

Channels = 0

SubmittedJobs = 4968

CompletedJobs = 4968

SubmittedBytes = 72258005

CompletedBytes = 168

TCPFlowsWithoutLCB = 0

UDPFlowsWithoutLCB = 0

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-30

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Displaying Statistics

TCPMissedPacketsDueToUpdate = 0

UDPMissedPacketsDueToUpdate = 0

MemorySize = 1073741824

HostDirectMemSize = 0

MaliciousSiteDenyHitCounts

MaliciousSiteDenyHitCountsAUDIT

Ethernet Controller Statistics

Total Packets Received = 0

Total Received Packets Dropped = 0

Total Packets Transmitted = 13643"

sensor#

Step 3

Display the statistics for anomaly detection.

sensor# show statistics anomaly-detection

Statistics for Virtual Sensor vs0

No attack

Detection - ON

Learning - ON

Next KB rotation at 10:00:01 UTC Sat Jan 18 2008

Internal Zone

TCP Protocol

UDP Protocol

Other Protocol

External Zone

TCP Protocol

UDP Protocol

Other Protocol

Illegal Zone

TCP Protocol

UDP Protocol

Other Protocol

Statistics for Virtual Sensor vs1

No attack

Detection - ON

Learning - ON

Next KB rotation at 10:00:00 UTC Sat Jan 18 2008

Internal Zone

TCP Protocol

UDP Protocol

Other Protocol

External Zone

TCP Protocol

UDP Protocol

Other Protocol

Illegal Zone

TCP Protocol

UDP Protocol

Other Protocol

sensor#

Step 4

Step 5

Display the statistics for authentication.

sensor# show statistics authentication

General

totalAuthenticationAttempts = 128

failedAuthenticationAttempts = 0

sensor#

Display the statistics for the denied attackers in the system.

sensor# show statistics denied-attackers

Denied Attackers and hit count for each.

Statistics for Virtual Sensor vs0

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-31

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Displaying Statistics

Denied Attackers with percent denied and hit count for each.

Statistics for Virtual Sensor vs1

Denied Attackers with percent denied and hit count for each.

sensor#

Step 6

Display the statistics for the Event Server.

sensor# show statistics event-server

General

openSubscriptions = 0

blockedSubscriptions = 0

Subscriptions

sensor#

Step 7

Display the statistics for the Event Store.

sensor# show statistics event-store

EEvent store statistics

General information about the event store

The current number of open subscriptions = 2

The number of events lost by subscriptions and queries = 0

The number of filtered events not written to the event store = 850763

The number of queries issued = 0

The number of times the event store circular buffer has wrapped = 0

Number of events of each type currently stored

Status events = 4257

Shun request events = 0

Error events, warning = 669

Error events, error = 8

Error events, fatal = 0

Alert events, informational = 0

Alert events, low = 0

Alert events, medium = 0

Alert events, high = 0

Alert events, threat rating 0-20 = 0

Alert events, threat rating 21-40 = 0

Alert events, threat rating 41-60 = 0

Alert events, threat rating 61-80 = 0

Alert events, threat rating 81-100 = 0

Cumulative number of each type of event

Status events = 4257

Shun request events = 0

Error events, warning = 669

Error events, error = 8

Error events, fatal = 0

Alert events, informational = 0

Alert events, low = 0

Alert events, medium = 0

Alert events, high = 0

Alert events, threat rating 0-20 = 0

Alert events, threat rating 21-40 = 0

Alert events, threat rating 41-60 = 0

Alert events, threat rating 61-80 = 0

Alert events, threat rating 81-100 = 0

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-32

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Displaying Statistics

sensor#

Step 8

Display the statistics for global correlation.

sensor# show statistics global-correlation

Network Participation:

Counters:

Total Connection Attempts = 0

Total Connection Failures = 0

Connection Failures Since Last Success = 0

Connection History:

Updates:

Status Of Last Update Attempt = Disabled

Time Since Last Successful Update = never

Counters:

Update Failures Since Last Success = 0

Total Update Attempts = 0

Total Update Failures = 0

Update Interval In Seconds = 300

Update Server = update-manifests.ironport.com

Update Server Address = Unknown

Current Versions:

Warnings:

Unlicensed = Global correlation inspection and reputation filtering have been

disabled because the sensor is unlicensed.

Action Required = Obtain a new license from http://www.cisco.com/go/license.

sensor#

Step 9

Display the statistics for the host.

sensor# show statistics host

General Statistics

Last Change To Host Config (UTC) = 25-Jan-2012 02:59:18

Command Control Port Device = Management0/0

Network Statistics

= ma0_0

Link encap:Ethernet HWaddr 00:04:23:D5:A1:8D

inet addr:10.89.130.98 Bcast:10.89.131.255 Mask:255.255.254.0

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:1688325 errors:0 dropped:0 overruns:0 frame:0

TX packets:38546 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:1000

RX bytes:133194316 (127.0 MiB) TX bytes:5515034 (5.2 MiB)

Base address:0xcc80 Memory:fcee0000-fcf00000

NTP Statistics

status = Not applicable

Memory Usage

usedBytes = 1889357824

freeBytes = 2210988032

totalBytes = 4100345856

CPU Statistics

Note: CPU Usage statistics are not a good indication of the sensor processin load. The

Inspection Load Percentage in the output of 'show inspection-load' should be used instead.

Usage over last 5 seconds = 0

Usage over last minute = 2

Usage over last 5 minutes = 2

Usage over last 5 seconds = 0

Usage over last minute = 1

Usage over last 5 minutes = 1

Memory Statistics

Memory usage (bytes) = 1889357824

Memory free (bytes) = 2210988032

Auto Update Statistics

lastDirectoryReadAttempt = N/A

lastDownloadAttempt = N/A

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-33

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Displaying Statistics

lastInstallAttempt = N/A

nextAttempt = N/A

Auxilliary Processors Installed

sensor#

Step 10 Display the statistics for the logging application.

sensor# show statistics logger

The number of Log interprocessor FIFO overruns = 0

The number of syslog messages received = 11

The number of <evError> events written to the event store by severity

Fatal Severity = 0

Error Severity = 64

Warning Severity = 35

TOTAL = 99

The number of log messages written to the message log by severity

Fatal Severity = 0

Error Severity = 64

Warning Severity = 24

Timing Severity = 311

Debug Severity = 31522

Unknown Severity = 7

TOTAL = 31928

sensor#

Step 11 Display the statistics for the ARC.

sensor# show statistics network-access

Current Configuration

LogAllBlockEventsAndSensors = true

EnableNvramWrite = false

EnableAclLogging = false

AllowSensorBlock = false

BlockMaxEntries = 11

MaxDeviceInterfaces = 250

NetDevice

Type = PIX

IP = 10.89.150.171

NATAddr = 0.0.0.0

Communications = ssh-3des

NetDevice

Type = PIX

IP = 192.0.2.4

NATAddr = 0.0.0.0

Communications = ssh-3des

NetDevice

Type = PIX

IP = 192.0.2.5

NATAddr = 0.0.0.0

Communications = telnet

NetDevice

Type = Cisco

IP = 192.0.2.6

NATAddr = 0.0.0.0

Communications = telnet

BlockInterface

InterfaceName = ethernet0/1

InterfaceDirection = out

InterfacePostBlock = Post_Acl_Test

BlockInterface

InterfaceName = ethernet0/1

InterfaceDirection = in

InterfacePreBlock = Pre_Acl_Test

InterfacePostBlock = Post_Acl_Test

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-34

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Displaying Statistics

NetDevice

Type = CAT6000_VACL

IP = 192.0.2.1

NATAddr = 0.0.0.0

Communications = telnet

BlockInterface

InterfaceName = 502

InterfacePreBlock = Pre_Acl_Test

BlockInterface

InterfaceName = 507

InterfacePostBlock = Post_Acl_Test

State

BlockEnable = true

NetDevice

IP = 192.0.2.3

AclSupport = Does not use ACLs

Version = 6.3

State = Active

Firewall-type = PIX

NetDevice

IP = 192.0.2.7

AclSupport = Does not use ACLs

Version = 7.0

State = Active

Firewall-type = ASA

NetDevice

IP = 102.0.2.8

AclSupport = Does not use ACLs

Version = 2.2

State = Active

Firewall-type = FWSM

NetDevice

IP = 192.0.2.9

AclSupport = uses Named ACLs

Version = 12.2

State = Active

NetDevice

IP = 192.0.2.10

AclSupport = Uses VACLs

Version = 8.4

State = Active

BlockedAddr

Host

IP = 203.0.113.1

Vlan =

ActualIp =

BlockMinutes =

Host

IP = 203.0.113.2

Vlan =

ActualIp =

BlockMinutes =

Host

IP = 203.0.113.4

Vlan =

ActualIp =

BlockMinutes = 60

MinutesRemaining = 24

Network

IP = 203.0.113.9

Mask = 255.255.0.0

BlockMinutes =

sensor#

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-35

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Displaying Statistics

Step 12 Display the statistics for the notification application.

sensor# show statistics notification

General

Number of SNMP set requests = 0

Number of SNMP get requests = 0

Number of error traps sent = 0

Number of alert traps sent = 0

sensor#

Step 13 Display the statistics for OS identification.

sensor# show statistics os-identification

Statistics for Virtual Sensor vs0

OS Identification

Configured

Imported

Learned

sensor#

Step 14 Display the statistics for the SDEE server.

sensor# show statistics sdee-server

General

Open Subscriptions = 1

Blocked Subscriptions = 1

Maximum Available Subscriptions = 5

Maximum Events Per Retrieval = 500

Subscriptions

sub-4-d074914f

State = Read Pending

Last Read Time = 23:54:16 UTC Wed Nov 30 2011

Last Read Time (nanoseconds) = 1322697256078549000

sensor#

Step 15 Display the statistics for the transaction server.

sensor# show statistics transaction-server

General

totalControlTransactions = 35

failedControlTransactions = 0

sensor#

Step 16 Display the statistics for a virtual sensor.

sensor# show statistics virtual-sensor vs0

Statistics for Virtual Sensor vs0

Name of current Signature-Defintion instance = sig0

Name of current Event-Action-Rules instance = rules0

List of interfaces monitored by this virtual sensor =

General Statistics for this Virtual Sensor

Number of seconds since a reset of the statistics = 1151770

MemoryAlloPercent = 23

MemoryUsedPercent = 22

MemoryMaxCapacity = 3500000

MemoryMaxHighUsed = 4193330

MemoryCurrentAllo = 805452

MemoryCurrentUsed = 789047

Processing Load Percentage = 1

Total packets processed since reset = 0

Total IP packets processed since reset = 0

Total IPv4 packets processed since reset = 0

Total IPv6 packets processed since reset = 0

Total IPv6 AH packets processed since reset = 0

Total IPv6 ESP packets processed since reset = 0

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-36

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Displaying Statistics

Total IPv6 Fragment packets processed since reset = 0

Total IPv6 Routing Header packets processed since reset = 0

Total IPv6 ICMP packets processed since reset = 0

Total packets that were not IP processed since reset = 0

Total TCP packets processed since reset = 0

Total UDP packets processed since reset = 0

Total ICMP packets processed since reset = 0

Total packets that were not TCP, UDP, or ICMP processed since reset = 0

Total ARP packets processed since reset = 0

Total ISL encapsulated packets processed since reset = 0

Total 802.1q encapsulated packets processed since reset = 0

Total GRE Packets processed since reset = 0

Total GRE Fragment Packets processed since reset = 0

Total GRE Packets skipped since reset = 0

Total GRE Packets with Bad Header skipped since reset = 0

Total IpIp Packets with Bad Header skipped since reset = 0

Total Encapsulated Tunnel Packets with Bad Header skipped since reset = 0

Total packets with bad IP checksums processed since reset = 0

Total packets with bad layer 4 checksums processed since reset = 0

Total cross queue TCP packets processed since reset = 0

Total cross queue UDP packets processed since reset = 0

Packets dropped due to regex resources unavailable since reset = 0

Total number of bytes processed since reset = 0

The rate of packets per second since reset = 0

The rate of bytes per second since reset = 0

The average bytes per packet since reset = 0

Denied Address Information

Number of Active Denied Attackers = 0

Number of Denied Attackers Inserted = 0

Number of Denied Attacker Victim Pairs Inserted = 0

Number of Denied Attacker Service Pairs Inserted = 0

Number of Denied Attackers Total Hits = 0

Number of times max-denied-attackers limited creation of new entry = 0

Number of exec Clear commands during uptime = 0

Denied Attackers and hit count for each.

Denied Attackers with percent denied and hit count for each.

The Signature Database Statistics.

The Number of each type of node active in the system

Total nodes active = 0

TCP nodes keyed on both IP addresses and both ports = 0

UDP nodes keyed on both IP addresses and both ports = 0

IP nodes keyed on both IP addresses = 0

The number of each type of node inserted since reset

Total nodes inserted = 0

TCP nodes keyed on both IP addresses and both ports = 0

UDP nodes keyed on both IP addresses and both ports = 0

IP nodes keyed on both IP addresses = 0

The rate of nodes per second for each time since reset

Nodes per second = 0

TCP nodes keyed on both IP addresses and both ports per second = 0

UDP nodes keyed on both IP addresses and both ports per second = 0

IP nodes keyed on both IP addresses per second = 0

The number of root nodes forced to expire because of memory constraints

TCP nodes keyed on both IP addresses and both ports = 0

Packets dropped because they would exceed Database insertion rate limits = 0

Fragment Reassembly Unit Statistics for this Virtual Sensor

Number of fragments currently in FRU = 0

Number of datagrams currently in FRU = 0

Number of fragments received since reset = 0

Number of fragments forwarded since reset = 0

Number of fragments dropped since last reset = 0

Number of fragments modified since last reset = 0

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-37

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Displaying Statistics

Number of complete datagrams reassembled since last reset = 0

Fragments hitting too many fragments condition since last reset = 0

Number of overlapping fragments since last reset = 0

Number of Datagrams too big since last reset = 0

Number of overwriting fragments since last reset = 0

Number of Inital fragment missing since last reset = 0

Fragments hitting the max partial dgrams limit since last reset = 0

Fragments too small since last reset = 0

Too many fragments per dgram limit since last reset = 0

Number of datagram reassembly timeout since last reset = 0

Too many fragments claiming to be the last since last reset = 0

Fragments with bad fragment flags since last reset = 0

TCP Normalizer stage statistics

Packets Input = 0

Packets Modified = 0

Dropped packets from queue = 0

Dropped packets due to deny-connection = 0

Duplicate Packets = 0

Current Streams = 0

Current Streams Closed = 0

Current Streams Closing = 0

Current Streams Embryonic = 0

Current Streams Established = 0

Current Streams Denied = 0

Total SendAck Limited Packets = 0

Total SendAck Limited Streams = 0

Total SendAck Packets Sent = 0

Statistics for the TCP Stream Reassembly Unit

Current Statistics for the TCP Stream Reassembly Unit

TCP streams currently in the embryonic state = 0

TCP streams currently in the established state = 0

TCP streams currently in the closing state = 0

TCP streams currently in the system = 0

TCP Packets currently queued for reassembly = 0

Cumulative Statistics for the TCP Stream Reassembly Unit since reset

TCP streams that have been tracked since last reset = 0

TCP streams that had a gap in the sequence jumped = 0

TCP streams that was abandoned due to a gap in the sequence = 0

TCP packets that arrived out of sequence order for their stream = 0

TCP packets that arrived out of state order for their stream = 0

The rate of TCP connections tracked per second since reset = 0

SigEvent Preliminary Stage Statistics

Number of Alerts received = 0

Number of Alerts Consumed by AlertInterval = 0

Number of Alerts Consumed by Event Count = 0

Number of FireOnce First Alerts = 0

Number of FireOnce Intermediate Alerts = 0

Number of Summary First Alerts = 0

Number of Summary Intermediate Alerts = 0

Number of Regular Summary Final Alerts = 0

Number of Global Summary Final Alerts = 0

Number of Active SigEventDataNodes = 0

Number of Alerts Output for further processing = 0

--MORE--

Step 17 Display the statistics for the web server.

sensor# show statistics web-server

listener-443

session-11

remote host = 64.101.182.167

session is persistent = no

number of requests serviced on current connection = 1

last status code = 200

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-38

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Displaying Statistics

last request method = GET

last request URI = cgi-bin/sdee-server

last protocol version = HTTP/1.1

session state = processingGetServlet

number of server session requests handled = 957134

number of server session requests rejected = 0

total HTTP requests handled = 365871

maximum number of session objects allowed = 40

number of idle allocated session objects = 12

number of busy allocated session objects = 1

summarized log messages

number of TCP socket failure messages logged = 0

number of TLS socket failure messages logged = 0

number of TLS protocol failure messages logged = 0

number of TLS connection failure messages logged = 595015

number of TLS crypto warning messages logged = 0

number of TLS expired certificate warning messages logged = 0

number of receipt of TLS fatal alert message messages logged = 594969

crypto library version = 6.2.1.0

sensor#

Step 18 Clear the statistics for an application, for example, the logging application. The statistics are retrieved

and cleared.

sensor# show statistics logger clear

The number of Log interprocessor FIFO overruns = 0

The number of syslog messages received = 141

The number of <evError> events written to the event store by severity

Fatal Severity = 0

Error Severity = 14

Warning Severity = 142

TOTAL = 156

The number of log messages written to the message log by severity

Fatal Severity = 0

Error Severity = 14

Warning Severity = 1

Timing Severity = 0

Debug Severity = 0

Unknown Severity = 28

TOTAL = 43

Step 19 Verify that the statistics have been cleared. The statistics now all begin from 0.

sensor# show statistics logger

The number of Log interprocessor FIFO overruns = 0

The number of syslog messages received = 0

The number of <evError> events written to the event store by severity

Fatal Severity = 0

Error Severity = 0

Warning Severity = 0

TOTAL = 0

The number of log messages written to the message log by severity

Fatal Severity = 0

Error Severity = 0

Warning Severity = 0

Timing Severity = 0

Debug Severity = 0

Unknown Severity = 0

TOTAL = 0

sensor#

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-39

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Displaying Tech Support Information

Note

The show tech-support command now displays historical interface data for each interface for the past

72 hours.

Use the show tech-support [page] [destination-url destination_url] command to display system

information on the screen or have it sent to a specific URL. You can use the information as a

troubleshooting tool with TAC.

The following parameters are optional:

•

page—Displays the output, one page of information at a time. Press Enter to display the next line

of output or use the spacebar to display the next page of information.

•

destination-url—Indicates the information should be formatted as HTML and sent to the

destination that follows this command. If you use this keyword, the output is not displayed on the

screen.

•

destination_url—Indicates the information should be formatted as HTML.The URL specifies where

the information should be sent. If you do not use this keyword, the information is displayed on the

screen.

You can specify the following destination types:

–

ftp:—Destination URL for FTP network server. The syntax for this prefix is:

ftp:[[//username@location]/relativeDirectory]/filename or

ftp:[[//username@location]//absoluteDirectory]/filename.

–

scp:—Destination URL for the SCP network server. The syntax for this prefix is:

scp:[[//username@]location]/relativeDirectory]/filename or

scp:[[//username@]location]//absoluteDirectory]/filename.

Varlog Files

The /var/log/messages file has the latest logs. A new softlink called varlog has been created under the

/usr/cids/idsRoot/log folder that points to the /var/log/messages file. Old logs are stored in varlog.1 and

varlog.2 files. The maximum size of these varlog files is 200 KB. Once they cross the size limit the

content is rotated. The content of varlog, varlog.1, and varlog.2 is displayed in the output of the show

tech-support command. The log messages (/usr/cids/idsRoot/varlog files) persist only across sensor

reboots. The old logs are lost during software upgrades.

Displaying Tech Support Information

To display tech support information, follow these steps:

Step 1

Step 2

View the output on the screen. The system information appears on the screen, one page at a time. Press

the spacebar to view the next page or press Ctrl-C to return to the prompt

sensor# show tech-support page

Step 3

To send the output (in HTML format) to a file:

a. Enter the following command, followed by a valid destination. The password: prompt appears.

sensor# show tech-support destination-url destination_url

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-40

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Displaying Version Information

Example

To send the tech support output to the file /absolute/reports/sensor1Report.html:

sensor# show tech support dest

ftp://[email protected]//absolute/reports/sensor1Report.html

b. Enter the password for this user account. The Generating report: message is displayed.

Displaying Version Information

Use the show version command to display version information for all installed operating system

packages, signature packages, and IPS processes running on the system. To view the configuration for

the entire system, use the more current-config command.

Note

The CLI output is an example of what your configuration may look like. It will not match exactly due to

the optional setup choices, sensor model, and IPS version you have installed.

For the IPS 4500 series sensors, the show version command output contains an extra application called

the SwitchApp.

To display the version and configuration, follow these steps:

Step 1

Step 2

View version information.

sensor# show version

Application Partition:

Cisco Intrusion Prevention System, Version 7.2(1)E4

Host:

Realm Keys

Signature Definition:

Signature Update

OS Version:

key1.0

S697.0

2.6.29.1

IPS4360

2013-02-15

Platform:

Serial Number:

No license present

FCH1504V0CF

Sensor up-time is 3 days.

Using 14470M out of 15943M bytes of available memory (90% usage)

system is using 32.4M out of 160.0M bytes of available disk space (20% usage)

application-data is using 87.1M out of 376.1M bytes of available disk space (24%

usage)

boot is using 61.2M out of 70.1M bytes of available disk space (92% usage)

application-log is using 494.0M out of 513.0M bytes of available disk space (96%

usage)

MainApp

Running

AnalysisEngine

Running

V-2013_04_10_11_00_7_2_0_14

(Release)

2013-04-10T11:05:55-0500

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-41

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Displaying Version Information

CollaborationApp

Running

CLI

V-2013_04_10_11_00_7_2_0_14

(Release)

2013-04-10T11:05:55-0500

Upgrade History:

IPS-K9-7.2-1-E4

11:17:07 UTC Thu Jan 10 2013

Recovery Partition Version 1.1 - 7.2(1)E4

Host Certificate Valid from: 17-Apr-2013 to 18-Apr-2015

sensor#

Note

If the —-MORE-—prompt is displayed, press the spacebar to see more information or Ctrl-C to

cancel the output and get back to the CLI prompt.

Step 3

View configuration information.

Note

You can use the more current-config or show configuration commands.

sensor# more current-config

! ------------------------------

! Current configuration last modified Fri Apr 19 19:01:05 2013

! ------------------------------

! Version 7.2(1)

! Host:

Realm Keys

! Signature Definition:

Signature Update

key1.0

S697.0

2013-02-15

! ------------------------------

service interface

physical-interfaces GigabitEthernet0/0

admin-state enabled

exit

physical-interfaces GigabitEthernet0/1

admin-state enabled

exit

inline-interfaces pair0

interface1 GigabitEthernet0/0

interface2 GigabitEthernet0/1

exit

bypass-mode auto

exit

! ------------------------------

service authentication

exit

! ------------------------------

service event-action-rules rules0

exit

! ------------------------------

service host

network-settings

host-ip 10.106.133.159/23,10.106.132.1

host-name q4360-159

telnet-option enabled

access-list 0.0.0.0/0

dns-primary-server disabled

dns-secondary-server disabled

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-42

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Diagnosing Network Connectivity

dns-tertiary-server disabled

exit

! ------------------------------

service logger

exit

! ------------------------------

service network-access

exit

! ------------------------------

service notification

exit

! ------------------------------

service signature-definition sig0

exit

! ------------------------------

service ssh-known-hosts

exit

! ------------------------------

service trusted-certificates

exit

! ------------------------------

service web-server

websession-inactivity-timeout 3600

exit

! ------------------------------

service anomaly-detection ad0

exit

! ------------------------------

service external-product-interface

exit

! ------------------------------

service health-monitor

exit

! ------------------------------

service global-correlation

exit

! ------------------------------

service aaa

exit

! ------------------------------

service analysis-engine

virtual-sensor vs0

logical-interface pair0

exit

sensor#

Diagnosing Network Connectivity

Caution

No command interrupt is available for this command. It must run to completion.

Use the ping ip_address [count] command to diagnose basic network connectivity.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-43

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Resetting the Appliance

To diagnose basic network connectivity, follow these steps:

Step 1

Step 2

Ping the address you are interested in. The count is the number of echo requests to send. If you do not

specify a number, 4 requests are sent. The range is 1 to 10,000.

sensor# ping ip_address count

The following example shows a successful ping:

sensor# ping 192.0.2.1 6

PING 192.0.2.1 (192.0.2.1): 56 data bytes

64 bytes from 192.0.2.1: icmp_seq=0 ttl=61 time=0.3 ms

64 bytes from 192.0.2.1: icmp_seq=1 ttl=61 time=0.1 ms

64 bytes from 192.0.2.1: icmp_seq=2 ttl=61 time=0.1 ms

64 bytes from 192.0.2.1: icmp_seq=3 ttl=61 time=0.2 ms

64 bytes from 192.0.2.1: icmp_seq=4 ttl=61 time=0.2 ms

64 bytes from 192.0.2.1: icmp_seq=5 ttl=61 time=0.2 ms

--- 192.0.2.1 ping statistics ---

6 packets transmitted, 6 packets received, 0% packet loss

round-trip min/avg/max = 0.1/0.1/0.3 ms

The following example shows an unsuccessful ping:

sensor# ping 172.16.0.0 3

PING 172.16.0.0 (172.16.0.0): 56 data bytes

--- 172.16.0.0 ping statistics ---

3 packets transmitted, 0 packets received, 100% packet loss

sensor#

Resetting the Appliance

Use the reset [powerdown] command to shut down the applications running on the appliance and to

reboot the appliance. You can include the powerdown option to power off the appliance, if possible, or

to have the appliance left in a state where the power can be turned off.

Shutdown (stopping the applications) begins immediately after you execute the command. Shutdown can

take a while, and you can still access CLI commands while it is taking place, but the session is terminated

without warning.

To reset the appliance, follow these steps:

Step 1

Step 2

To stop all applications and reboot the appliance, follow these Steps 2 and 3. Otherwise, to power down

the appliance, go to Steps 4 and 5.

sensor# reset

Warning: Executing this command will stop all applications and reboot the node.

Continue with reset? []:

Step 3

Enter yes to continue the reset.

sensor# yes

Request Succeeded.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-44

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Displaying Command History

sensor#

Step 4

Step 5

Stop all applications and power down the appliance.

sensor# reset powerdown

Warning: Executing this command will stop all applications and power off the node if

possible. If the node can not be powered off it will be left in a state that is safe to

manually power down.

Continue with reset? []:

Enter yes to continue with the reset and power down.

sensor# yes

Request Succeeded.

sensor#

For More Information

To reset the ASA IPS modules, see the following individual procedures:

•

Reloading, Shutting Down, Resetting, and Recovering the ASA 5500-X IPS SS P , p age 18-11

Reloading, Shutting Down, Resetting, and Recovering the ASA 5585-X IPS SS P , p age 19-11

Displaying Command History

Use the show history command to obtain a list of the commands you have entered in the current menu.

The maximum number of commands in the list is 50.

To obtain a list of the commands you have used recently, follow these steps:

Step 1

Step 2

Show the history of the commands you have used in EXEC mode, for example.

sensor# show history

clear line

configure terminal

show history

Step 3

Show the history of the commands you have used in network access mode, for example.

sensor# configure terminal

sensor (config)# service network-access

sensor (config-net)# show history

show settings

show settings terse

show settings | include profile-name|ip-address

exit

show history

sensor (config-net)#

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-45

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Displaying Hardware Inventory

Use the show inventory command to display PEP information. This command displays the UDI

information that consists of the PID, the VID, and the SN of your sensor. If your sensor supports

SFP/SFP+ modules and Regex accelerator cards, they are also displayed. PEP information provides an

easy way to obtain the hardware version and serial number through the CLI.

Note

The show inventory command now displays the FRUable components of the 4300 series sensors.

To display PEP information, follow these steps:

Step 1

Step 2

Display the PEP information. You can use this information when dealing with TAC.

sensor# show inventory

Name: "Chassis", DESCR: "IPS 4360 with SW, 8 GE data + 1 GE mgmt"

PID: IPS-4360

, VID: V00, SN: FCH1504V04T

Name: "RegexAccelerator/0", DESCR: "LCPX8640 (humphrey)"

PID: PREAKNESS 2G

sensor#

, VID: 335, SN: LXXXXXYYYY

sensor# show inventory

Name: "Chassis", DESCR: "IPS 4255 Intrusion Prevention Sensor"

PID: IPS-4255-K9, VID: V01 , SN: JAB0815R017

Name: "Power Supply", DESCR: ""

PID: ASA-180W-PWR-AC, VID: V01 , SN: 123456789AB

sensor#

sensor# show inventory

Name: "Module", DESCR: "ASA 5500 Series Security Services Module-20"

PID: ASA-SSM-20, VID: V01 , SN: JAB0815R036

sensor#

sensor# show inventory

Name: "Chassis", DESCR: "IPS 4240 Appliance Sensor"

PID: IPS-4240-K9, VID: V01 , SN: P3000000653

sensor#

sensor# show inventory

Name: "Chassis", DESCR: "IPS 4345 Intrusion Protection System"

PID: IPS4345

, VID: V00, SN: FCH1445V00N

Name: "RegexAccelerator/0", DESCR: "LCPX8640 (humphrey)"

PID: FCH1442705J

sensor#

, VID: 335, SN: LXXXXXYYYY

sensor# show inventory

Name: "Module", DESCR: "IPS 4520- 6 Gig E, 4 10 Gig E SFP+"

PID: IPS-4520-INC-K9 , VID: V01, SN: JAF1547BJTJ

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-46

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Displaying Hardware Inventory

Name: "Chassis", DESCR: "ASA 5585-X"

PID: ASA5585 , VID: V02, SN: JMX1552705O

Name: "power supply 0", DESCR: "ASA 5585-X AC Power Supply"

PID: ASA5585-PWR-AC , VID: V03, SN: POG153700UC

Name: "power supply 1", DESCR: "ASA 5585-X AC Power Supply"

PID: ASA5585-PWR-AC , VID: V03, SN: POG153700SY

Name: "RegexAccelerator/0", DESCR: "LCPX5110 (LCPX5110)"

PID: LCPX5110 , VID: 335, SN: SL14200225

Name: "RegexAccelerator/1", DESCR: "LCPX5110 (LCPX5110)"

PID: LCPX5110 , VID: 335, SN: SL14200242

Name: "TenGigabitEthernet0/0", DESCR: "10G Based-SR"

PID: SFP-10G-SR , VID: V03, SN: AGD152740NV

Name: "TenGigabitEthernet0/1", DESCR: "10G Based-SR"

PID: SFP-10G-SR , VID: V03, SN: AGD152741JT

Name: "TenGigabitEthernet0/2", DESCR: "10G Based-CX-1-5 Passive"

PID: SFP-H10GB-CU5M , VID: V02, SN: MOC15210458

Name: "TenGigabitEthernet0/3", DESCR: "10G Based-CX-1-5 Passive"

PID: SFP-H10GB-CU5M

, VID: V02, SN: MOC15210458

sensor# show inventory

Name: "Module", DESCR: "IPS 4510- 6 Gig E, 4 10 Gig E SFP+"

PID: IPS-4510-INC-K9 , VID: V01, SN: JAF1546CECE

Name: "Chassis", DESCR: "ASA 5585-X"

PID: ASA5585

, VID: V02, SN: JMX1552705F

Name: "power supply 0", DESCR: "ASA 5585-X AC Power Supply"

PID: ASA5585-PWR-AC

, VID: V03, SN: POG1540001Z

Name: "power supply 1", DESCR: "ASA 5585-X AC Power Supply"

PID: ASA5585-PWR-AC , VID: V03, SN: POG1540000B

Name: "RegexAccelerator/0", DESCR: "LCPX5110 (LCPX5110)"

PID: LCPX5110 , VID: 335, SN: SL14200223

Name: "TenGigabitEthernet0/0", DESCR: "10G Based-SR"

PID: SFP-10G-SR , VID: V03, SN: AGD152740KZ

Name: "TenGigabitEthernet0/1", DESCR: "10G Based-SR"

PID: SFP-10G-SR , VID: V03, SN: AGD15264272

Name: "TenGigabitEthernet0/2", DESCR: "1000Based-SX"

PID: FTLF8519P2BCL-CS , VID: 000, SN: FNS110210C1

sensor# show inventory

Name: "Chassis", DESCR: "IPS 4360 with SW, 8 GE Data + 1 GE Mgmt"

PID: IPS-4360

, VID: V01 , SN: FGL162740J6

Name: "RegexAccelerator/0", DESCR: "LCPX8640 (humphrey)"

PID: FCH162077NK , VID: 33554537, SN: LXXXXXYYYY

Name: "power supply 1", DESCR: "IPS4360 AC Power Supply "

PID: IPS-4360-PWR-AC , VID: 0700A, SN: 25Y1Y8

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-47

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Tracing the Route of an IP Packet

Name: "power supply 2", DESCR: "IPS4360 AC Power Supply "

PID: IPS-4360-PWR-AC , VID: 0700A, SN: 25Y1Y9

sensor# show inventory

Name: "power supply 1", DESCR: "IPS-4345-K9 AC Power Supply "

PID: IPS-4345-PWR-AC , VID: A1, SN: 000783

Tracing the Route of an IP Packet

Caution

There is no command interrupt available for this command. It must run to completion.

Use the trace ip_address count command to display the route an IP packet takes to a destination. The

ip_address option is the address of the system to trace the route to. The count option lets you define how

many hops you want to take. The default is 4. The valid values are 1 to 256.

To trace the route of an IP packet, follow these steps:

Step 1

Step 2

Display the route of IP packet you are interested in.

sensor# trace 10.0.0.1

traceroute to 10.0.0.1 (10.0.0.1), 4 hops max, 40 byte packets

1 192.0.2.2 (192.0.2.2) 0.267 ms 0.262 ms 0.236 ms

2 192.0.2.12 (192.0.2.12) 0.24 ms * 0.399 ms

3 * 192.0.2.12 (192.0.2.12) 0.424 ms *

4 192.0.2.12 (192.0.2.12) 0.408 ms * 0.406 ms

sensor#

Step 3

To configure the route to take more hops than the default of 4, use the count option.

sensor# trace 10.0.0.1 8

traceroute to 10.0.0.1 (10.0.0.1), 8 hops max, 40 byte packets

1 192.0.2.2 (192.0.2.2) 0.35 ms 0.261 ms 0.238 ms

2 192.0.2.12 (192.0.2.12) 0.36 ms * 0.344 ms

3 * 192.0.2.12 (192.0.2.12) 0.465 ms *

4 192.0.2.12 (192.0.2.12) 0.319 ms * 0.442 ms

5 * 192.0.2.12 (192.0.2.12) 0.304 ms *

6 192.0.2.12 (192.0.2.12) 0.527 ms * 0.402 ms

7 * 192.0.2.12 (192.0.2.12) 0.39 ms *

8 192.0.2.12 (192.0.2.12) 0.37 ms * 0.486 ms

sensor#

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-48

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Displaying Submode Settings

Use the show settings [terse] command in any submode to view the contents of the current

configuration.

To display the current configuration settings for a submode, follow these steps:

Step 1

Step 2

Show the current configuration for ARC submode.

sensor# configure terminal

sensor (config)# service network-access

sensor (config-net)# show settings

general

-----------------------------------------------

log-all-block-events-and-errors: true <defaulted>

enable-nvram-write: false <defaulted>

enable-acl-logging: false <defaulted>

allow-sensor-block: false <defaulted>

block-enable: true <defaulted>

block-max-entries: 250 <defaulted>

max-interfaces: 250 default: 250

master-blocking-sensors (min: 0, max: 100, current: 0)

-----------------------------------------------

never-block-hosts (min: 0, max: 250, current: 0)

-----------------------------------------------

never-block-networks (min: 0, max: 250, current: 0)

-----------------------------------------------

block-hosts (min: 0, max: 250, current: 0)

-----------------------------------------------

block-networks (min: 0, max: 250, current: 0)

-----------------------------------------------

user-profiles (min: 0, max: 250, current: 11)

-----------------------------------------------

profile-name: 2admin

-----------------------------------------------

enable-password: <hidden>

password: <hidden>

username: pix default:

-----------------------------------------------

profile-name: r7200

-----------------------------------------------

enable-password: <hidden>

password: <hidden>

username: netrangr default:

-----------------------------------------------

profile-name: insidePix

-----------------------------------------------

enable-password: <hidden>

password: <hidden>

username: <defaulted>

-----------------------------------------------

profile-name: qatest

-----------------------------------------------

enable-password: <hidden>

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-49

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Displaying Submode Settings

password: <hidden>

username: <defaulted>

-----------------------------------------------

profile-name: fwsm

-----------------------------------------------

enable-password: <hidden>

password: <hidden>

username: pix default:

-----------------------------------------------

profile-name: outsidePix

-----------------------------------------------

enable-password: <hidden>

password: <hidden>

username: pix default:

-----------------------------------------------

profile-name: cat

-----------------------------------------------

enable-password: <hidden>

password: <hidden>

username: <defaulted>

-----------------------------------------------

profile-name: rcat

-----------------------------------------------

enable-password: <hidden>

password: <hidden>

username: cisco default:

-----------------------------------------------

profile-name: nopass

-----------------------------------------------

enable-password: <hidden>

password: <hidden>

username: <defaulted>

-----------------------------------------------

profile-name: test

-----------------------------------------------

enable-password: <hidden>

password: <hidden>

username: pix default:

-----------------------------------------------

profile-name: sshswitch

-----------------------------------------------

enable-password: <hidden>

password: <hidden>

username: cisco default:

-----------------------------------------------

cat6k-devices (min: 0, max: 250, current: 1)

-----------------------------------------------

ip-address: 192.0.2.12

-----------------------------------------------

communication: telnet default: ssh-3des

nat-address: 0.0.0.0 <defaulted>

profile-name: cat

block-vlans (min: 0, max: 100, current: 1)

-----------------------------------------------

vlan: 1

-----------------------------------------------

pre-vacl-name: <defaulted>

post-vacl-name: <defaulted>

-----------------------------------------------

router-devices (min: 0, max: 250, current: 1)

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-50

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Displaying Submode Settings

-----------------------------------------------

ip-address: 192.0.2.25

-----------------------------------------------

communication: telnet default: ssh-3des

nat-address: 0.0.0.0 <defaulted>

profile-name: r7200

block-interfaces (min: 0, max: 100, current: 1)

-----------------------------------------------

interface-name: fa0/0

direction: in

-----------------------------------------------

pre-acl-name: <defaulted>

post-acl-name: <defaulted>

-----------------------------------------------

firewall-devices (min: 0, max: 250, current: 2)

-----------------------------------------------

ip-address: 192.0.2.30

-----------------------------------------------

communication: telnet default: ssh-3des

nat-address: 0.0.0.0 <defaulted>

profile-name: insidePix

-----------------------------------------------

ip-address: 192.0.2.3

-----------------------------------------------

communication: ssh-3des <defaulted>

nat-address: 0.0.0.0 <defaulted>

profile-name: f1

-----------------------------------------------

sensor (config-net)#

Step 3

Show the ARC settings in terse mode.

sensor(config-net)# show settings terse

general

-----------------------------------------------

log-all-block-events-and-errors: true <defaulted>

enable-nvram-write: false <defaulted>

enable-acl-logging: false <defaulted>

allow-sensor-block: false <defaulted>

block-enable: true <defaulted>

block-max-entries: 250 <defaulted>

max-interfaces: 250 default: 250

master-blocking-sensors (min: 0, max: 100, current: 0)

-----------------------------------------------

never-block-hosts (min: 0, max: 250, current: 0)

-----------------------------------------------

never-block-networks (min: 0, max: 250, current: 0)

-----------------------------------------------

block-hosts (min: 0, max: 250, current: 0)

-----------------------------------------------

block-networks (min: 0, max: 250, current: 0)

-----------------------------------------------

user-profiles (min: 0, max: 250, current: 11)

-----------------------------------------------

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-51

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 17 Administrative Tasks for the Sensor

Displaying Submode Settings

profile-name: 2admin

profile-name: r7200

profile-name: insidePix

profile-name: qatest

profile-name: fwsm

profile-name: outsidePix

profile-name: cat

profile-name: rcat

profile-name: nopass

profile-name: test

profile-name: sshswitch

-----------------------------------------------

cat6k-devices (min: 0, max: 250, current: 1)

-----------------------------------------------

ip-address: 192.0.2.12

-----------------------------------------------

router-devices (min: 0, max: 250, current: 1)

-----------------------------------------------

ip-address: 192.0.2.25

-----------------------------------------------

firewall-devices (min: 0, max: 250, current: 2)

-----------------------------------------------

ip-address: 192.0.2.30

ip-address: 192.0.2.3

-----------------------------------------------

sensor(config-net)#

Step 4

You can use the include keyword to show settings in a filtered output, for example, to show only profile

names and IP addresses in the ARC configuration.

sensor(config-net)# show settings | include profile-name|ip-address

profile-name: 2admin

profile-name: r7200

profile-name: insidePix

profile-name: qatest

profile-name: fwsm

profile-name: outsidePix

profile-name: cat

profile-name: rcat

profile-name: nopass

profile-name: test

profile-name: sshswitch

ip-address: 192.0.2.12

profile-name: cat

ip-address: 192.0.2.25

profile-name: r7200

ip-address: 192.0.2.30

profile-name: insidePix

ip-address: 192.0.2.3

profile-name: test

sensor(config-net)#

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

17-52

Download from Www.Somanuals.com. All Manuals Search And Download.

C H A P T E R

Configuring the ASA 5500-X IPS SSP

This chapter contains procedures that are specific to configuring the ASA 5500-X IPS SSP. It contains

the following sections:

•

Notes and Caveats for ASA 5500-X IPS SS P , p age 18-1

Configuration Sequence for the ASA 5500-X IPS SS P , p age 18-2

V e rifying Initialization for the ASA 5500-X IPS SS P , p age 18-3

Creating Virtual Sensors for the ASA 5500-X IPS SS P , p age 18-4

The ASA 5500-X IPS SSP and Bypass Mode, page 18-9

The ASA 5500-X IPS SSP and the Normalizer Engine, page 18-10

The ASA 5500-X IPS SSP and Memory Usage, page 18-11

The ASA 5500-X IPS SSP and Jumbo Packets, page 18-11

Reloading, Shutting Down, Resetting, and Recovering the ASA 5500-X IPS SS P , p age 18-11

Health and Status Information, page 18-12

ASA 5500-X IPS SSP Failover Scenarios, page 18-20

New and Modified Commands, page 18-21

Notes and Caveats for ASA 5500-X IPS SSP

The following notes and caveats apply to configuring the ASA 5500-X IPS SSP:

•

The ASA 5500-X IPS SSP is supported in ASA 8.6.1 and later.

For the ASA 5500-X IPS SSP, normalization is performed by the adaptive security appliance and

not the IPS.

•

The ASA 5500-X IPS SSP does not support the inline TCP session tracking mode.

The ASA 5500-X IPS SSP does not support CDP mode.

Anomaly detection is disabled by default.

All IPS platforms allow ten concurrent CLI sessions.

The ASA 5500-X IPS SSP does not support bypass mode. The adaptive security appliance will

either fail open, fail close, or fail over depending on the configuration of the adaptive security

appliance and the type of activity being done on the IPS.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

18-1

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 18 Configuring the ASA 5500-X IPS SSP

Configuration Sequence for the ASA 5500-X IPS SSP

•

The ASA 5500-X IPS SSP (except the ASA 5512-X IPS SSP and the ASA 5515-X IPS SSP)

supports the String ICMP XL, String TCP XL, and String UDP XL engines. These engines provide

optimized operation for these platforms.

TCP Reset Differences Between IPS Appliances and ASA IPS Modules

The IPS appliance sends TCP reset packets to both the attacker and victim when reset-tcp-connection is

selected. The IPS appliance sends a TCP reset packet only to the victim under the following

circumstances:

•

When a deny-packet-inline or deny-connection-inline is selected

When TCP-based signatures and reset-tcp-connection have NOT been selected

In the case of the ASA IPS modules, the TCP reset request is sent to the ASA, and then the ASA sends

the TCP reset packets. The ASA sends TCP reset packets to both the attacker and victim when the

reset-tcp-connection is selected. When deny-packet-inline or deny-connection-inline is selected, the

ASA sends the TCP reset packet to either the attacker or victim depending on the configuration of the

signature. Signatures configured to swap the attacker and victim when reporting the alert can cause the

ASA to send the TCP reset packet to the attacker.

Configuration Sequence for the ASA 5500-X IPS SSP

Perform the following tasks to configure the ASA 5500-X IPS SSP:

1. Obtain and install the current IPS software if your software is not up to date.

2. Obtain and install the license key.

3. Log (session) in to the ASA 5500-X IPS SSP.

4. Run the setup command to initialize the ASA 5500-X IPS SSP.

5. Verify initialization for the ASA 5500-X IPS SSP.

6. Configure the adaptive security appliance to send IPS traffic to the ASA 5500-X IPS SSP.

7. Perform other initial tasks, such as adding users, trusted hosts, and so forth.

8. Configure intrusion prevention.

9. Configure global correlation.

10. Perform miscellaneous tasks to keep your ASA 5500-X IPS SSP running smoothly.

11. Upgrade the IPS software with new signature updates and service packs as they become available.

12. Reimage the ASA 5500-X IPS SSP when needed.

For More Information

•

For the procedure for logging in to the ASA 5500-X IPS SSP, see Chapter ii, “Logging In to the

Sensor.”

For the procedure for running the setup command, see Advanced Setup for the ASA 5500-X IPS

SS P , p age 2-13.

For the procedure for verifying initialization for the ASA 5500-X IPS SSP, see V e rifying

Initialization for the ASA 5500-X IPS SS P , p age 18-3.

For the procedure for creating virtual sensors, see Creating Virtual Sensors for the ASA 5500-X IPS

SS P , p age 18-4.

For the procedures for setting up the ASA 5500-X IPS SSP, see Chapter 3, “Setting Up the Sensor.”

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

18-2

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 18 Configuring the ASA 5500-X IPS SSP

Verifying Initialization for the ASA 5500-X IPS SSP

•

For the procedures for configuring intrusion prevention, see Chapter 8, “Configuring Event Action

Rules,” Chapter 7, “Defining Signatures,” Chapter 9, “Configuring Anomaly Detection,”and

Chapter 14, “Configuring Attack Response Controller for Blocking and Rate Limiting.”

•

For the procedures for configuring global correlation, see Chapter 10, “Configuring Global

Correlation.”

For the procedures for keeping your ASA 5500-X IPS SSP running smoothly, see Chapter 17,

“Administrative Tasks for the Sensor.”

•

For more information on how to obtain Cisco IPS software, see Chapter 20, “Obtaining Software.”

For the procedure for reimaging the ASA 5500-X IPS SSP, see Installing the System Image for the

ASA 5500-X IPS SS P , p age 21-22.

Verifying Initialization for the ASA 5500-X IPS SSP

You can use the show module slot details command to verify that you have initialized the

ASA 5500-X IPS SSP and to verify that you have the correct software version.

To verify initialization, follow these steps:

Step 1

Step 2

Obtain the details about the ASA 5500-X IPS SSPS.

asa# show module ips details

Getting details from the Service Module, please wait...

Card Type:

ASA 5555-X IPS Security Services Processor

Model:

ASA5555-IPS

N/A

FCH151070GW

N/A

Hardware version:

Serial Number:

Firmware version:

Software version:

7.2(1)E4

MAC Address Range: 503d.e59c.7ca0 to 503d.e59c.7ca0

App. name:

IPS

App. Status:

App. Status Desc:

App. version:

Normal Operation

7.2(1)E4

Data Plane Status: Up

Status:

License:

Mgmt IP addr:

IPS Module Enabled perpetual

192.0.2.2

Mgmt Network mask: 255.255.255.0

Mgmt Gateway:

Mgmt Access List:

Mgmt web ports:

Mgmt TLS enabled:

asa#

192.0.2.254

0.0.0.0/0

443

true

Step 3

Confirm the information.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

18-3

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 18 Configuring the ASA 5500-X IPS SSP

Creating Virtual Sensors for the ASA 5500-X IPS SSP

This section describes how to create virtual sensors on the ASA 5500-X IPS SSP, and contains the

following topics:

•

The ASA 5500-X IPS SSP and Virtualization, page 18-4

Virtual Sensor Configuration Sequence for ASA 5500-X IPS SS P , p age 18-4

Creating Virtual Sensors, page 18-4

Assigning Virtual Sensors to Adaptive Security Appliance Contexts, page 18-7

The ASA 5500-X IPS SSP and Virtualization

The ASA 5500-X IPS SSP has one sensing interface, PortChannel 0/0. When you create multiple virtual

sensors, you must assign this interface to only one virtual sensor. For the other virtual sensors you do

not need to designate an interface.

After you create virtual sensors, you must map them to a security context on the adaptive security

appliance using the allocate-ips command. You can map many security contexts to many virtual sensors.

Note

The allocate-ips command does not apply to single mode. In this mode, the adaptive security appliance

accepts any virtual sensor named in a policy-map command.

The allocate-ips command adds a new entry to the security context database. A warning is issued if the

specified virtual sensor does not exist; however, the configuration is allowed. The configuration is

checked again when the service-policy command is processed. If the virtual sensor is not valid, the

fail-open policy is enforced.

Virtual Sensor Configuration Sequence for ASA 5500-X IPS SSP

Follow this sequence to create virtual sensors on the ASA 5500-X IPS SSP, and to assign them to

adaptive security appliance contexts:

1. Configure up to four virtual sensors.

2. Assign the ASA 5500-X IPS SSP sensing interface (PortChannel 0/0) to one of the virtual sensors.

3. (Optional) Assign virtual sensors to different contexts on the adaptive security appliance.

4. Use MPF to direct traffic to the targeted virtual sensor.

Creating Virtual Sensors

Note

You can create four virtual sensors.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

18-4

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 18 Configuring the ASA 5500-X IPS SSP

Creating Virtual Sensors for the ASA 5500-X IPS SSP

Use the virtual-sensor name command in service analysis engine submode to create virtual sensors on

the ASA 5500-X IPS SSP. You assign policies (anomaly detection, event action rules, and signature

definition) to the virtual sensor. You can use the default policies, ad0, rules0, or sig0, or you can create

new policies.Then you assign the sensing interface, PortChannel 0/0 for the ASA 5500-X IPS SSP to

one virtual sensor.

The following options apply:

•

anomaly-detection—Specifies the anomaly detection parameters:

–

anomaly-detection-name name—Specifies the name of the anomaly detection policy.

operational-mode—Specifies the anomaly detection mode (inactive, learn, detect).

Note

Anomaly detection is disabled by default. You must enable it to configure or apply an

anomaly detection policy. Enabling anomaly detection results in a decrease in

performance.

•

description—Provides a description of the virtual sensor.

event-action-rules—Specifies the name of the event action rules policy.

signature-definition—Specifies the name of the signature definition policy.

physical-interfaces—Specifies the name of the physical interface.

no—Removes an entry or selection.

Creating Virtual Sensors

To create a virtual sensor on the ASA 5500-X IPS SSP, follow these steps:

Step 1

Step 2

Enter service analysis mode.

sensor# configure terminal

sensor(config)# service analysis-engine

sensor(config-ana)#

Step 3

Add a virtual sensor.

sensor(config-ana)# virtual-sensor vs1

sensor(config-ana-vir)#

Step 4

Step 5

Add a description for this virtual sensor.

sensor(config-ana-vir)# description virtual sensor 1

Assign an anomaly detection policy and operational mode to this virtual sensor if you have enabled

anomaly detection. If you do not want to use the default anomaly detection policy, ad0, you must create

a new one using the service anomaly-detection name command, for example, ad1.

sensor(config-ana-vir)# anomaly-detection

sensor(config-ana-vir-ano)# anomaly-detection-name ad0

sensor(config-ana-vir-ano)# operational-mode learn

Step 6

Assign an event action rules policy to this virtual sensor. If you do not want to use the default event action

rules policy, rules0, you must create a new one using the service event-action-rules name command, for

example, rules1

sensor(config-ana-vir-ano)# exit

sensor(config-ana-vir)# event-action-rules rules0

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

18-5

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 18 Configuring the ASA 5500-X IPS SSP

Creating Virtual Sensors for the ASA 5500-X IPS SSP

Step 7

Step 8

Step 9

Assign a signature definition policy to this virtual sensor. If you do not want to use the default signature

definition policy, sig0, you must create a new one using the service signature-definition name

command, for example sig1.

sensor(config-ana-vir)# signature-definition sig0

Assign the interface to one virtual sensor. By default the sensing interface is already assigned to the

default virtual sensor, vs0. You must remove it from the default virtual sensor to assign it to another

virtual sensor that you create.

sensor(config-ana-vir)# physical-interface PortChannel0/0

Verify the virtual sensor settings.

sensor(config-ana-vir)# show settings

-----------------------------------------------

description: virtual sensor 1 default:

signature-definition: sig0 <protected>

event-action-rules: rules0 <protected>

anomaly-detection

-----------------------------------------------

anomaly-detection-name: ad0 <protected>

operational-mode: inactive <defaulted>

-----------------------------------------------

physical-interface (min: 0, max: 999999999, current: 1)

-----------------------------------------------

-----------------------------------------------

inline-TCP-evasion-protection-mode: strict <defaulted>

-----------------------------------------------

sensor(config-ana-vir)#

Step 10 Exit analysis engine mode.

sensor(config-ana-vir)# exit

sensor(config-ana)# exit

Apply Changes:?[yes]:

sensor(config)#

Step 11 Press Enter to apply the changes or enter no to discard them.

For More Information

•

For the procedure for enabling anomaly detection, see Enabling Anomaly Detection, page 9-8.

For the procedures for creating and configuring anomaly detection policies, see Working With

Anomaly Detection Policies, page 9-8.

•

For the procedure for creating and configuring event action rules policies, see W o rking With Event

Action Rules Policies, page 8-8.

For the procedure for creating and configuring signature definitions, Working With Signature

Definition Policies, page 7-2.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

18-6

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 18 Configuring the ASA 5500-X IPS SSP

Creating Virtual Sensors for the ASA 5500-X IPS SSP

Assigning Virtual Sensors to Adaptive Security Appliance Contexts

After you create virtual sensors on the ASA 5500-X IPS SSP, you must assign the virtual sensors to a

security context on the adaptive security appliance.

The following options apply:

•

[no] allocate-ips sensor_name [mapped_name] [default]—Allocates a virtual sensor to a security

context. Supported modes are multiple mode, system context, and context submode.

Note

You cannot allocate the same virtual sensor twice in a context.

–

sensor_name—Specifies the name of the virtual sensor configured on the

ASA 5500-X IPS SSP. You receive a warning message if the name is not valid.

–

mapped_name—Specifies the name by which the security context knows the virtual sensor.

Note

The mapped name is used to hide the real name of the virtual sensor from the context,

usually done for reasons of security or convenience to make the context configuration

more generic. If no mapped name is used, the real virtual sensor name is used. You

cannot reuse a mapped name for two different virtual sensors in a context.

–

no—De-allocates the sensor, looks through the policy map configurations, and deletes any IPS

subcommand that refers to it.

default—Specifies this virtual sensor as the default. All legacy IPS configurations that do not

specify a virtual sensor are mapped to this virtual sensor.

Caution

You can only configure one default virtual sensor per context. You must turn off the default flag of an

existing default virtual sensor before you can designate another virtual sensor as the default.

–

clear configure allocate-ips—Removes the configuration.

allocate-ips?—Displays the list of configured virtual sensors.

•

show context [detail]—Updated to display information about virtual sensors. In user context mode,

a new line is added to show the mapped names of all virtual sensors that have been allocated to this

context. In system mode, two new lines are added to show the real and mapped names of virtual

sensors allocated to this context.

You can assign multiple virtual sensors to a context. Multiple contexts can share one virtual sensor, and

when sharing, the contexts can have different mapped names (aliases) for the same virtual sensor. The

following procedure demonstrates how to add three security contexts in multiple mode and how to assign

virtual sensors to these security contexts.

Assigning Virtual Sensors to Contexts

To assign virtual sensors to adaptive security appliance contexts in multiple mode for the

ASA 5500-X IPS SSP, follow these steps:

Step 1

Step 2

Display the list of available virtual sensors.

asa# show ips

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

18-7

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 18 Configuring the ASA 5500-X IPS SSP

Creating Virtual Sensors for the ASA 5500-X IPS SSP

Sensor Name

-----------

vs0

Sensor ID

---------

vs1

asa#

Step 3

Step 4

Enter configuration mode.

asa# configure terminal

asa(config)#

Enter multiple mode.

asa(config)# mode multiple

WARNING: This command will change the behavior of the device

WARNING: This command will initiate a Reboot

Proceed with change mode? [confirm] yes

asa(config)#

Step 5

Add three context modes to multiple mode.

asa(config)# admin-context admin

Creating context 'admin'... Done. (13)

asa(config)# context admin

asa(config-ctx)#

allocate-interface GigabitEthernet0/0.101

allocate-interface GigabitEthernet0/1.102

allocate-interface Management0/0

config-url disk0:/admin.cfg

Cryptochecksum (changed): 0c34dc67 f413ad74 e297464a db211681

INFO: Context admin was created with URL disk0:/admin.cfg

INFO: Admin context will take some time to come up .... please wait.

asa(config-ctx)#

asa(config-ctx)# context c2

Creating context 'c2'... Done. (14)

asa(config-ctx)#

allocate-interface GigabitEthernet0/0.103

allocate-interface GigabitEthernet0/1.104

config-url disk0:/c2.cfg

WARNING: Could not fetch the URL disk0:/c2.cfg

INFO: Creating context with default config

asa(config-ctx)#

asa(config-ctx)# context c3

Creating context 'c3'... Done. (15)

asa(config-ctx)# all

asa(config-ctx)# allocate-in

asa(config-ctx)# allocate-interface g0/2

asa(config-ctx)# allocate-interface g0/3

asa(config-ctx)#

config-url disk0:/c3.cfg

WARNING: Could not fetch the URL disk0:/c3.cfg

INFO: Creating context with default config

asa(config-ctx)#

Step 6

Assign virtual sensors to the security contexts.

asa(config)# context admin

asa(config-ctx)#

allocate-ips vs0 adminvs0

asa(config-ctx)# exit

asa(config)# context c2

asa(config-ctx)#

allocate-ips vs1 c2vs1

asa(config)# context c3

asa(config-ctx)# allocate-ips vs0 c3vs0

asa(config-ctx)# allocate-ips vs1 c3vs1

asa(config-ctx)#

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

18-8

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 18 Configuring the ASA 5500-X IPS SSP

The ASA 5500-X IPS SSP and Bypass Mode

Step 7

Configure MPF for each context.

Note

The following example shows context 3 (c3).

asa(config)# context c3

asa/c3(config)# class-map any

asa/c3(config-cmap)# match access-list any

asa/c3(config-cmap)# exit

asa/c3(config)# policy-map ips_out

asa/c3(config-pmap)# class any

asa/c3(config-pmap-c)# ips promiscuous fail-close sensor c3vs1

asa/c3(config-pmap-c)# policy-map ips_in

asa/c3(config-pmap)# class any

asa/c3(config-pmap-c)# ips inline fail-open sensor c3vs0

asa/c3(config-pmap-c)# service-policy ips_out interface outside

asa/c3(config)# service-policy ips_in interface inside

asa/c3(config)#

Step 8

Confirm the configuration.

asa/c3(config)# exit

asa(config)# show ips detail

Sensor Name

-----------

vs0

Sensor ID

---------

Allocated To

------------

admin

Mapped Name

-----------

adminvs0

c3vs0

vs1

c2vs1

c3vs1

asa(config)#

The ASA 5500-X IPS SSP and Bypass Mode

The ASA 5500-X IPS SSP does not support bypass mode. The adaptive security appliance will either

fail open, fail close, or fail over depending on the configuration of the adaptive security appliance and

the type of activity being done on the ASA 5500-X IPS SSP.

The SensorApp Fails

The following occurs when the SensorApp fails:

•

If the adaptive security appliance is configured for failover, then the adaptive security appliance fails

over.

•

If the adaptive security appliance is not configured for failover or failover is not possible:

–

If set to fail-open, the adaptive security appliance passes traffic without sending it to the

ASA IPS module.

–

If set to fail-close, the adaptive security appliance stops passing traffic until the ASA IPS

module is restarted.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

18-9

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 18 Configuring the ASA 5500-X IPS SSP

The ASA 5500-X IPS SSP and the Normalizer Engine

The SensorApp is Reconfigured

The following occurs when the SensorApp is reconfigured:

•

If set to fail-open, the adaptive security appliance passes traffic without sending it to the ASA IPS

module.

•

If set to fail-close, the adaptive security appliance stops passing traffic until the ASA IPS module is

restarted.

Note

The adaptive security appliance does not fail over unless the reconfiguration is not completed.

The ASA 5500-X IPS SSP and the Normalizer Engine

The majority of the features in the Normalizer engine are not used on the ASA 5500-X IPS SSP, because

the ASA itself handles the normalization. Packets on the ASA IPS modules go through a special path in

the Normalizer that only reassembles fragments and puts packets in the right order for the TCP stream.

The Normalizer does not do any of the normalization that is done on an inline IPS appliance, because

that causes problems in the way the ASA handles the packets.

The following Normalizer engine signatures are not supported:

•

1300.0

1304.0

1305.0

1307.0

1308.0

1309.0

1311.0

1315.0

1316.0

1317.0

1330.0

1330.1

1330.2

1330.9

1330.10

1330.12

1330.14

1330.15

1330.16

1330.17

1330.18

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

18-10

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 18 Configuring the ASA 5500-X IPS SSP

The ASA 5500-X IPS SSP and Jumbo Packets

For More Information

For detailed information about the Normalizer engine, see Normalizer Engine, page B-36.

The ASA 5500-X IPS SSP and Jumbo Packets

The jumbo packet count in the show interface command output from the lines Total Jumbo Packets

Received and Total Jumbo Packets Transmitted for ASA IPS modules may be larger than expected

due to some packets that were almost jumbo size on the wire being counted as jumbo size by the IPS.

This miscount is a result of header bytes added to the packet by the ASA before the packet is transmitted

to the IPS. For IPv4, 58 bytes of header data are added. For IPv6, 78 bytes of header data are added. The

ASA removes the added IPS header before the packet leaves the ASA.

The ASA 5500-X IPS SSP and Memory Usage

For the ASA 5500-X IPS SSP, the memory usage is 93%. The default health thresholds for the sensor

are 80% for yellow and 91% for red, so the sensor health will be shown as red on these platforms even

for normal operating conditions. You can tune the threshold percentage for memory usage so that it reads

more accurately for these platforms by configuring the memory-usage-policy option in the sensor health

metrics.

Note

Make sure you have the memory-usage-policy option in the sensor health metrics enabled.

Table 18-1 lists the yellow-threshold and the red-threshold health values.

Table 18-1

ASA 5500-X IPS SSP Memory Usage Values

Platform

Yellow

85%

88%

93%

95%

Red

Memory Used

28%

ASA 5512-X IPS SSP

ASA 5515-X IPS SSP

ASA 5525-X IPS SSP

ASA 5545-X IPS SSP

ASA 5555-X IPS SSP

91%

92%

96%

98%

14%

13%

17%

Reloading, Shutting Down, Resetting, and Recovering the

ASA 5500-X IPS SSP

Note

You can enter the sw-module commands from privileged EXEC mode or from global configuration

mode. You can enter the commands in single routed mode and single transparent mode. For adaptive

security appliances operating in multi-mode (routed or transparent multi-mode) you can only execute the

sw-module commands from the system context (not from administrator or user contexts).

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

18-11

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 18 Configuring the ASA 5500-X IPS SSP

Health and Status Information

Use the following commands to reload, shut down, reset, recover the password, and recover the

ASA 5500-X IPS SSP directly from the adaptive security appliance:

•

sw-module module ips reload—This command reloads the software on the ASA 5500-X IPS SSP

without doing a hardware reset. It is effective only when the module is in the Up state.

sw-module module ips shutdown—This command shuts down the software on the

ASA 5500-X IPS SSP. It is effective only when the module is in Up state.

sw-module module ips reset—This command performs a hardware reset of the

ASA 5500-X IPS SSP. It is applicable when the module is in the Up/Down/Unresponsive/Recover

states.

•

sw-module module ips password-reset—This command restores the cisco CLI account password

on the ASA 5500-X IPS SSP to the default cisco.

sw-module module ips recover image disk0:/image name—This command starts the reimage

process by setting the image location and name. You must first copy the IPS image to the ASA to

disk0:/.

•

sw-module module ips recover boot—This command reimages the ASA 5500-X IPS SSP. It is

applicable only when the module is in the Up state.

sw-module module ips recover stop—This command stops the reimage of the ASA 5500-X IPS

SSP. It is applicable only when the module is in the Recover state.

Caution

If the ASA 5500-X IPS SSP recovery needs to be stopped, you must issue the sw-module module ips

recover stop command within 30 to 45 seconds after starting the recovery. Waiting any longer can lead

to unexpected consequences. For example, the module may come up in the Unresponsive state.

–

sw-module module ips recover configure—Use this command to configure parameters for the

ASA 5500-X IPS SSP recovery. The essential parameters are the IP address and recovery image

TFTP URL location.

Example

asa-ips# sw-module module ips recover configure image

disk0:/IPS-SSP_5555-K9-sys-1.1-a-7.2-1-E4.aip

Image URL [tftp://192.0.2.1/IPS-5545-K9-sys-1.1-a-7.2-1-E4.aip]:

Port IP Address [192.0.2.226]:

VLAN ID [0]:

Gateway IP Address [192.0.2.254]:

For More Information

For the procedure for recovering the ASA 5500-X IPS SSP system image, see Installing the System

Image for the ASA 5500-X IPS SS P , p age 21-22.

Health and Status Information

To see the general health of the ASA 5500-X IPS SSP, use the show module ips details command.

asa# show module ips details

Getting details from the Service Module, please wait...

Card Type:

IPS 5555 Intrusion Prevention System

Model:

Hardware version:

Serial Number:

IPS5555

N/A

FCH1504V0CW

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

18-12

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 18 Configuring the ASA 5500-X IPS SSP

Health and Status Information

Firmware version:

Software version:

N/A

7.2(1)E4

MAC Address Range: 503d.e59c.7ca0 to 503d.e59c.7ca0

App. name:

IPS

App. Status:

App. Status Desc:

App. version:

Normal Operation

7.2(1)E4

Data Plane Status: Up

Status:

License:

Mgmt IP addr:

IPS Module Enabled perpetual

192.168.1.2

Mgmt Network mask: 255.255.255.0

Mgmt Gateway:

Mgmt web ports:

Mgmt TLS enabled:

asa#

192.168.1.1

443

true

The output shows that the ASA 5500-X IPS SSP is up. If the status reads Down, you can reset it using the

sw-module module 1 reset command.

If you have problems with reimaging the ASA 5500-X IPS SSP, use the debug module-boot command

to see the output as it boots. Make sure you have the correct IP address for the TFTP server and you have

the correct file on the TFTP server. Then use the sw-module module ips recover command again to

reimage the module.

asa-ips# sw-module module ips recover configure image

disk0:/IPS-SSP_5555-K9-sys-1.1-a-7.2-1-E4.aip

Image URL [tftp://192.0.2.1/IPS-5545-K9-sys-1.1-a-7.2-1-E4.aip]:

Port IP Address [192.0.2.226]:

VLAN ID [0]:

Gateway IP Address [192.0.2.254]:

asa-ips# debug module-boot

debug module-boot enabled at level 1

asa-ips# sw-module module ips reload

Reload module ips? [confirm]

Reload issued for module ips.

asa-ips# Mod-ips 228> ***

Mod-ips 229> *** EVENT: The module is reloading.

Mod-ips 230> *** TIME: 08:07:36 CST Jan 17 2012

Mod-ips 231> ***

Mod-ips 232> Mod-ips 233> The system is going down NOW!

Mod-ips 234> Sending SIGTERM to all processes

Mod-ips 235> Sending SIGKILL to all processes

Mod-ips 236> Requesting system reboot

Mod-ips 237> e1000 0000:00:07.0: PCI INT A disabled

Mod-ips 238> e1000 0000:00:06.0: PCI INT A disabled

Mod-ips 239> e1000 0000:00:05.0: PCI INT A disabled

Mod-ips 240> Restarting system.

Mod-ips 241> machine restart

Mod-ips 242> IVSHMEM: addr = 4093640704 size = 67108864

Mod-ips 243>

Booting 'Cisco IPS'

Mod-ips 244> root (hd0,0)

Mod-ips 245> Filesystem type is ext2fs, partition type 0x83

Mod-ips 246> kernel /ips-2.6.ld ro initfsDev=/dev/hda1 init=loader.run rootrw=/dev/hda2

init

Mod-ips 247> fs=runtime-image.cpio.bz2 hda=nodma console=ttyS0 plat=saleen htlblow=1

hugepag

Mod-ips 248> es=3223

Mod-ips 249>

[Linux-bzImage, setup=0x2c00, size=0x2bad80]

Mod-ips 250> Linux version 2.6.29.1 (ipsbuild@seti-teambuilder-a) (gcc version 4.3.2

(crosstool

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

18-13

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 18 Configuring the ASA 5500-X IPS SSP

Health and Status Information

Mod-ips 251> -NG-1.4.1) ) #56 SMP Tue Dec 6 00:46:11 CST 2011

Mod-ips 252> Command line: ro initfsDev=/dev/hda1 init=loader.run rootrw=/dev/hda2

initfs=runti

Mod-ips 253> me-image.cpio.bz2 hda=nodma console=ttyS0 plat=saleen htlblow=1

hugepages=3223

Mod-ips 254> KERNEL supported cpus:

Mod-ips 255>

Mod-ips 256>

Mod-ips 257>

Intel GenuineIntel

AMD AuthenticAMD

Centaur CentaurHauls

Mod-ips 258> BIOS-provided physical RAM map:

Mod-ips 259> BIOS-e820: 0000000000000000 - 000000000009f400 (usable)

Mod-ips 260> BIOS-e820: 000000000009f400 - 00000000000a0000 (reserved)

Mod-ips 261> BIOS-e820: 00000000000f0000 - 0000000000100000 (reserved)

Mod-ips 262> BIOS-e820: 0000000000100000 - 00000000dfffd000 (usable)

Mod-ips 263> BIOS-e820: 00000000dfffd000 - 00000000e0000000 (reserved)

Mod-ips 264> BIOS-e820: 00000000fffbc000 - 0000000100000000 (reserved)

Mod-ips 265> BIOS-e820: 0000000100000000 - 0000000201400000 (usable)

Mod-ips 266> DMI 2.4 present.

Mod-ips 267> last_pfn = 0x201400 max_arch_pfn = 0x100000000

Mod-ips 268> last_pfn = 0xdfffd max_arch_pfn = 0x100000000

Mod-ips 269> init_memory_mapping: 0000000000000000-00000000dfffd000

Mod-ips 270> last_map_addr: dfffd000 end: dfffd000

Mod-ips 271> init_memory_mapping: 0000000100000000-0000000201400000

Mod-ips 272> last_map_addr: 201400000 end: 201400000

Mod-ips 273> ACPI: RSDP 000F88D0, 0014 (r0 BOCHS )

Mod-ips 274> ACPI: RSDT DFFFDD00, 0034 (r1 BOCHS BXPCRSDT

Mod-ips 275> ACPI: FACP DFFFFD90, 0074 (r1 BOCHS BXPCFACP

1 BXPC

Mod-ips 276> FADT: X_PM1a_EVT_BLK.bit_width (16) does not match PM1_EVT_LEN (4)

Mod-ips 277> ACPI: DSDT DFFFDF10, 1E22 (r1

Mod-ips 278> ACPI: FACS DFFFFD40, 0040

BXPC

BXDSDT

1 INTL 20090123)

Mod-ips 279> ACPI: SSDT DFFFDE90, 0079 (r1 BOCHS BXPCSSDT

Mod-ips 280> ACPI: APIC DFFFDD80, 0090 (r1 BOCHS BXPCAPIC

Mod-ips 281> ACPI: HPET DFFFDD40, 0038 (r1 BOCHS BXPCHPET

Mod-ips 282> No NUMA configuration found

1 BXPC

Mod-ips 283> Faking a node at 0000000000000000-0000000201400000

Mod-ips 284> Bootmem setup node 0 0000000000000000-0000000201400000

Mod-ips 285>

Mod-ips 286>

NODE_DATA [0000000000011000 - 000000000001ffff]

bootmap [0000000000020000 - 000000000006027f] pages 41

Mod-ips 287> (6 early reservations) ==> bootmem [0000000000 - 0201400000]

Mod-ips 288>

Mod-ips 289>

Mod-ips 290>

Mod-ips 291>

Mod-ips 292>

Mod-ips 293>

#0 [0000000000 - 0000001000]

#1 [0000006000 - 0000008000]

#2 [0000200000 - 0000d55754]

#3 [000009f400 - 0000100000]

#4 [0000008000 - 000000c000]

#5 [000000c000 - 0000011000]

BIOS data page ==> [0000000000 - 0000001000]

TRAMPOLINE ==> [0000006000 - 0000008000]

TEXT DATA BSS ==> [0000200000 - 0000d55754]

BIOS reserved ==> [000009f400 - 0000100000]

PGTABLE ==> [0000008000 - 000000c000]

PGTABLE ==> [000000c000 - 0000011000]

Mod-ips 294> found SMP MP-table at [ffff8800000f8920] 000f8920

Mod-ips 295> Zone PFN ranges:

Mod-ips 296>

Mod-ips 297>

Mod-ips 298>

DMA

DMA32

Normal

0x00000000 -> 0x00001000

0x00001000 -> 0x00100000

0x00100000 -> 0x00201400

Mod-ips 299> Movable zone start PFN for each node

Mod-ips 300> early_node_map[3] active PFN ranges

Mod-ips 301>

Mod-ips 302>

Mod-ips 303>

0: 0x00000000 -> 0x0000009f

0: 0x00000100 -> 0x000dfffd

0: 0x00100000 -> 0x00201400

Mod-ips 304> ACPI: PM-Timer IO Port: 0xb008

Mod-ips 305> ACPI: LAPIC (acpi_id[0x00] lapic_id[0x00] enabled)

Mod-ips 306> ACPI: LAPIC (acpi_id[0x01] lapic_id[0x01] enabled)

Mod-ips 307> ACPI: LAPIC (acpi_id[0x02] lapic_id[0x02] enabled)

Mod-ips 308> ACPI: LAPIC (acpi_id[0x03] lapic_id[0x03] enabled)

Mod-ips 309> ACPI: LAPIC (acpi_id[0x04] lapic_id[0x04] enabled)

Mod-ips 310> ACPI: LAPIC (acpi_id[0x05] lapic_id[0x05] enabled)

Mod-ips 311> ACPI: IOAPIC (id[0x06] address[0xfec00000] gsi_base[0])

Mod-ips 312> IOAPIC[0]: apic_id 6, version 0, address 0xfec00000, GSI 0-23

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

18-14

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 18 Configuring the ASA 5500-X IPS SSP

Health and Status Information

Mod-ips 313> ACPI: INT_SRC_OVR (bus 0 bus_irq 5 global_irq 5 high level)

Mod-ips 314> ACPI: INT_SRC_OVR (bus 0 bus_irq 9 global_irq 9 high level)

Mod-ips 315> ACPI: INT_SRC_OVR (bus 0 bus_irq 10 global_irq 10 high level)

Mod-ips 316> ACPI: INT_SRC_OVR (bus 0 bus_irq 11 global_irq 11 high level)

Mod-ips 317> Using ACPI (MADT) for SMP configuration information

Mod-ips 318> ACPI: HPET id: 0x8086a201 base: 0xfed00000

Mod-ips 319> SMP: Allowing 6 CPUs, 0 hotplug CPUs

Mod-ips 320> Allocating PCI resources starting at e2000000 (gap: e0000000:1ffbc000)

Mod-ips 321> NR_CPUS:32 nr_cpumask_bits:32 nr_cpu_ids:6 nr_node_ids:1

Mod-ips 322> PERCPU: Allocating 49152 bytes of per cpu data

Mod-ips 323> Built 1 zonelists in Zone order, mobility grouping on. Total pages: 1939347

Mod-ips 324> Policy zone: Normal

Mod-ips 325> Kernel command line: ro initfsDev=/dev/hda1 init=loader.run rootrw=/dev/hda2

initf

Mod-ips 326> s=runtime-image.cpio.bz2 hda=nodma console=ttyS0 plat=saleen htlblow=1

hugepages=3

Mod-ips 327> 223

Mod-ips 328> hugetlb_lowmem_setup: Allocated 2097152 huge pages (size=0x200000) from

lowmem are

Mod-ips 329> a at 0xffff88002ee00000 phys addr 0x000000002ee00000

Mod-ips 330> Initializing CPU#0

Mod-ips 331> PID hash table entries: 4096 (order: 12, 32768 bytes)

Mod-ips 332> Fast TSC calibration using PIT

Mod-ips 333> Detected 2792.965 MHz processor.

Mod-ips 334> Console: colour VGA+ 80x25

Mod-ips 335> console [ttyS0] enabled

Mod-ips 336> Checking aperture...

Mod-ips 337> No AGP bridge found

Mod-ips 338> PCI-DMA: Using software bounce buffering for IO (SWIOTLB)

Mod-ips 339> Placing 64MB software IO TLB between ffff880020000000 - ffff880024000000

Mod-ips 340> software IO TLB at phys 0x20000000 - 0x24000000

Mod-ips 341> Memory: 7693472k/8409088k available (3164k kernel code, 524688k absent,

190928k re

Mod-ips 342> served, 1511k data, 1032k init)

Mod-ips 343> Calibrating delay loop (skipped), value calculated using timer frequency..

5585.93

Mod-ips 344> BogoMIPS (lpj=2792965)

Mod-ips 345> Dentry cache hash table entries: 1048576 (order: 11, 8388608 bytes)

Mod-ips 346> Inode-cache hash table entries: 524288 (order: 10, 4194304 bytes)

Mod-ips 347> Mount-cache hash table entries: 256

Mod-ips 348> CPU: L1 I cache: 32K, L1 D cache: 32K

Mod-ips 349> CPU: L2 cache: 4096K

Mod-ips 350> CPU 0/0x0 -> Node 0

Mod-ips 351> Freeing SMP alternatives: 29k freed

Mod-ips 352> ACPI: Core revision 20081204

Mod-ips 353> Setting APIC routing to flat

Mod-ips 354> ..TIMER: vector=0x30 apic1=0 pin1=0 apic2=-1 pin2=-1

Mod-ips 355> CPU0: Intel QEMU Virtual CPU version 0.12.5 stepping 03

Mod-ips 356> Booting processor 1 APIC 0x1 ip 0x6000

Mod-ips 357> Initializing CPU#1

Mod-ips 358> Calibrating delay using timer specific routine.. 5585.16 BogoMIPS

(lpj=2792581)

Mod-ips 359> CPU: L1 I cache: 32K, L1 D cache: 32K

Mod-ips 360> CPU: L2 cache: 4096K

Mod-ips 361> CPU 1/0x1 -> Node 0

Mod-ips 362> CPU1: Intel QEMU Virtual CPU version 0.12.5 stepping 03

Mod-ips 363> checking TSC synchronization [CPU#0 -> CPU#1]:

Mod-ips 364> Measured 1453783140569731 cycles TSC warp between CPUs, turning off TSC

clock.

Mod-ips 365> Marking TSC unstable due to check_tsc_sync_source failed

Mod-ips 366> Booting processor 2 APIC 0x2 ip 0x6000

Mod-ips 367> Initializing CPU#2

Mod-ips 368> Calibrating delay using timer specific routine.. 5580.51 BogoMIPS

(lpj=2790259)

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

18-15

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 18 Configuring the ASA 5500-X IPS SSP

Health and Status Information

Mod-ips 369> CPU: L1 I cache: 32K, L1 D cache: 32K

Mod-ips 370> CPU: L2 cache: 4096K

Mod-ips 371> CPU 2/0x2 -> Node 0

Mod-ips 372> CPU2: Intel QEMU Virtual CPU version 0.12.5 stepping 03

Mod-ips 373> Booting processor 3 APIC 0x3 ip 0x6000

Mod-ips 374> Initializing CPU#3

Mod-ips 375> Calibrating delay using timer specific routine.. 5585.18 BogoMIPS

(lpj=2792594)

Mod-ips 376> CPU: L1 I cache: 32K, L1 D cache: 32K

Mod-ips 377> CPU: L2 cache: 4096K

Mod-ips 378> CPU 3/0x3 -> Node 0

Mod-ips 379> CPU3: Intel QEMU Virtual CPU version 0.12.5 stepping 03

Mod-ips 380> Booting processor 4 APIC 0x4 ip 0x6000

Mod-ips 381> Initializing CPU#4

Mod-ips 382> Calibrating delay using timer specific routine.. 5585.15 BogoMIPS

(lpj=2792579)

Mod-ips 383> CPU: L1 I cache: 32K, L1 D cache: 32K

Mod-ips 384> CPU: L2 cache: 4096K

Mod-ips 385> CPU 4/0x4 -> Node 0

Mod-ips 386> CPU4: Intel QEMU Virtual CPU version 0.12.5 stepping 03

Mod-ips 387> Booting processor 5 APIC 0x5 ip 0x6000

Mod-ips 388> Initializing CPU#5

Mod-ips 389> Calibrating delay using timer specific routine.. 5585.21 BogoMIPS

(lpj=2792609)

Mod-ips 390> CPU: L1 I cache: 32K, L1 D cache: 32K

Mod-ips 391> CPU: L2 cache: 4096K

Mod-ips 392> CPU 5/0x5 -> Node 0

Mod-ips 393> CPU5: Intel QEMU Virtual CPU version 0.12.5 stepping 03

Mod-ips 394> Brought up 6 CPUs

Mod-ips 395> Total of 6 processors activated (33507.17 BogoMIPS).

Mod-ips 396> net_namespace: 1312 bytes

Mod-ips 397> Booting paravirtualized kernel on bare hardware

Mod-ips 398> NET: Registered protocol family 16

Mod-ips 399> ACPI: bus type pci registered

Mod-ips 400> dca service started, version 1.8

Mod-ips 401> PCI: Using configuration type 1 for base access

Mod-ips 402> mtrr: your CPUs had inconsistent variable MTRR settings

Mod-ips 403> mtrr: your CPUs had inconsistent MTRRdefType settings

Mod-ips 404> mtrr: probably your BIOS does not setup all CPUs.

Mod-ips 405> mtrr: corrected configuration.

Mod-ips 406> bio: create slab <bio-0> at 0

Mod-ips 407> ACPI: Interpreter enabled

Mod-ips 408> ACPI: (supports S0 S5)

Mod-ips 409> ACPI: Using IOAPIC for interrupt routing

Mod-ips 410> ACPI: No dock devices found.

Mod-ips 411> ACPI: PCI Root Bridge [PCI0] (0000:00)

Mod-ips 412> pci 0000:00:01.3: quirk: region b000-b03f claimed by PIIX4 ACPI

Mod-ips 413> pci 0000:00:01.3: quirk: region b100-b10f claimed by PIIX4 SMB

Mod-ips 414> IVSHMEM: addr = 4093640704 size = 67108864

Mod-ips 415> ACPI: PCI Interrupt Link [LNKA] (IRQs 5 *10 11)

Mod-ips 416> ACPI: PCI Interrupt Link [LNKB] (IRQs 5 *10 11)

Mod-ips 417> ACPI: PCI Interrupt Link [LNKC] (IRQs 5 10 *11)

Mod-ips 418> ACPI: PCI Interrupt Link [LNKD] (IRQs 5 10 *11)

Mod-ips 419> SCSI subsystem initialized

Mod-ips 420> usbcore: registered new interface driver usbfs

Mod-ips 421> usbcore: registered new interface driver hub

Mod-ips 422> usbcore: registered new device driver usb

Mod-ips 423> PCI: Using ACPI for IRQ routing

Mod-ips 424> pnp: PnP ACPI init

Mod-ips 425> ACPI: bus type pnp registered

Mod-ips 426> pnp: PnP ACPI: found 9 devices

Mod-ips 427> ACPI: ACPI bus type pnp unregistered

Mod-ips 428> NET: Registered protocol family 2

Mod-ips 429> IP route cache hash table entries: 262144 (order: 9, 2097152 bytes)

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

18-16

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 18 Configuring the ASA 5500-X IPS SSP

Health and Status Information

Mod-ips 430> TCP established hash table entries: 524288 (order: 11, 8388608 bytes)

Mod-ips 431> TCP bind hash table entries: 65536 (order: 8, 1048576 bytes)

Mod-ips 432> TCP: Hash tables configured (established 524288 bind 65536)

Mod-ips 433> TCP reno registered

Mod-ips 434> NET: Registered protocol family 1

Mod-ips 435> Adding htlb page ffff88002ee00000 phys 000000002ee00000 page ffffe20000a41000

Mod-ips 436> HugeTLB registered 2 MB page size, pre-allocated 3223 pages

Mod-ips 437> report_hugepages: Using 1 pages from low memory at ffff88002ee00000 HugeTLB

Mod-ips 438> msgmni has been set to 15026

Mod-ips 439> alg: No test for stdrng (krng)

Mod-ips 440> io scheduler noop registered

Mod-ips 441> io scheduler anticipatory registered

Mod-ips 442> io scheduler deadline registered

Mod-ips 443> io scheduler cfq registered (default)

Mod-ips 444> pci 0000:00:00.0: Limiting direct PCI/PCI transfers

Mod-ips 445> pci 0000:00:01.0: PIIX3: Enabling Passive Release

Mod-ips 446> pci 0000:00:01.0: Activating ISA DMA hang workarounds

Mod-ips 447> pci_hotplug: PCI Hot Plug PCI Core version: 0.5

Mod-ips 448> pciehp: PCI Express Hot Plug Controller Driver version: 0.4

Mod-ips 449> acpiphp: ACPI Hot Plug PCI Controller Driver version: 0.5

Mod-ips 450> acpiphp_glue: can't get bus number, assuming 0

Mod-ips 451> decode_hpp: Could not get hotplug parameters. Use defaults

Mod-ips 452> acpiphp: Slot [1] registered

Mod-ips 453> acpiphp: Slot [2] registered

Mod-ips 454> acpiphp: Slot [3] registered

Mod-ips 455> acpiphp: Slot [4] registered

Mod-ips 456> acpiphp: Slot [5] registered

Mod-ips 457> acpiphp: Slot [6] registered

Mod-ips 458> acpiphp: Slot [7] registered

Mod-ips 459> acpiphp: Slot [8] registered

Mod-ips 460> acpiphp: Slot [9] registered

Mod-ips 461> acpiphp: Slot [10] registered

Mod-ips 462> acpiphp: Slot [11] registered

Mod-ips 463> acpiphp: Slot [12] registered

Mod-ips 464> acpiphp: Slot [13] registered

Mod-ips 465> acpiphp: Slot [14] registered

Mod-ips 466> acpiphp: Slot [15] registered

Mod-ips 467> acpiphp: Slot [16] registered

Mod-ips 468> acpiphp: Slot [17] registered

Mod-ips 469> acpiphp: Slot [18] registered

Mod-ips 470> acpiphp: Slot [19] registered

Mod-ips 471> acpiphp: Slot [20] registered

Mod-ips 472> acpiphp: Slot [21] registered

Mod-ips 473> acpiphp: Slot [22] registered

Mod-ips 474> acpiphp: Slot [23] registered

Mod-ips 475> acpiphp: Slot [24] registered

Mod-ips 476> acpiphp: Slot [25] registered

Mod-ips 477> acpiphp: Slot [26] registered

Mod-ips 478> acpiphp: Slot [27] registered

Mod-ips 479> acpiphp: Slot [28] registered

Mod-ips 480> acpiphp: Slot [29] registered

Mod-ips 481> acpiphp: Slot [30] registered

Mod-ips 482> acpiphp: Slot [31] registered

Mod-ips 483> shpchp: Standard Hot Plug PCI Controller Driver version: 0.4

Mod-ips 484> fakephp: Fake PCI Hot Plug Controller Driver

Mod-ips 485> fakephp: pci_hp_register failed with error -16

Mod-ips 486> fakephp: pci_hp_register failed with error -16

Mod-ips 487> fakephp: pci_hp_register failed with error -16

Mod-ips 488> fakephp: pci_hp_register failed with error -16

Mod-ips 489> fakephp: pci_hp_register failed with error -16

Mod-ips 490> fakephp: pci_hp_register failed with error -16

Mod-ips 491> fakephp: pci_hp_register failed with error -16

Mod-ips 492> processor ACPI_CPU:00: registered as cooling_device0

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

18-17

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 18 Configuring the ASA 5500-X IPS SSP

Health and Status Information

Mod-ips 493> processor ACPI_CPU:01: registered as cooling_device1

Mod-ips 494> processor ACPI_CPU:02: registered as cooling_device2

Mod-ips 495> processor ACPI_CPU:03: registered as cooling_device3

Mod-ips 496> processor ACPI_CPU:04: registered as cooling_device4

Mod-ips 497> processor ACPI_CPU:05: registered as cooling_device5

Mod-ips 498> hpet_acpi_add: no address or irqs in _CRS

Mod-ips 499> Non-volatile memory driver v1.3

Mod-ips 500> Linux agpgart interface v0.103

Mod-ips 501> ipmi message handler version 39.2

Mod-ips 502> ipmi device interface

Mod-ips 503> IPMI System Interface driver.

Mod-ips 504> ipmi_si: Unable to find any System Interface(s)

Mod-ips 505> IPMI SMB Interface driver

Mod-ips 506> IPMI Watchdog: driver initialized

Mod-ips 508> Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled

Mod-ips 509> ?serial8250: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A

Mod-ips 510> serial8250: ttyS1 at I/O 0x2f8 (irq = 3) is a 16550A

Mod-ips 511> 00:06: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A

Mod-ips 512> 00:07: ttyS1 at I/O 0x2f8 (irq = 3) is a 16550A

Mod-ips 513> brd: module loaded

Mod-ips 514> loop: module loaded

Mod-ips 515> lpc: version 0.1 (Nov 10 2011)

Mod-ips 516> tun: Universal TUN/TAP device driver, 1.6

Mod-ips 518> Uniform Multi-Platform E-IDE driver

Mod-ips 519> piix 0000:00:01.1: IDE controller (0x8086:0x7010 rev 0x00)

Mod-ips 520> piix 0000:00:01.1: not 100native mode: will probe irqs later

Mod-ips 521>

Mod-ips 522>

ide0: BM-DMA at 0xc000-0xc007

ide1: BM-DMA at 0xc008-0xc00f

Mod-ips 523> hda: QEMU HARDDISK, ATA DISK drive

Mod-ips 524> Clocksource tsc unstable (delta = 2851415955127 ns)

Mod-ips 525> hda: MWDMA2 mode selected

Mod-ips 526> hdc: QEMU DVD-ROM, ATAPI CD/DVD-ROM drive

Mod-ips 527> hdc: MWDMA2 mode selected

Mod-ips 528> ide0 at 0x1f0-0x1f7,0x3f6 on irq 14

Mod-ips 529> ide1 at 0x170-0x177,0x376 on irq 15

Mod-ips 530> ide_generic: please use "probe_mask=0x3f" module parameter for probing all

legacy

Mod-ips 531> ISA IDE ports

Mod-ips 532> ide-gd driver 1.18

Mod-ips 533> hda: max request size: 512KiB

Mod-ips 534> hda: 7815168 sectors (4001 MB) w/256KiB Cache, CHS=7753/255/63

Mod-ips 535> hda: cache flushes supported

Mod-ips 536> hda: hda1 hda2 hda3 hda4

Mod-ips 537> Driver 'sd' needs updating - please use bus_type methods

Mod-ips 538> Driver 'sr' needs updating - please use bus_type methods

Mod-ips 539> ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver

Mod-ips 540> ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver

Mod-ips 541> uhci_hcd: USB Universal Host Controller Interface driver

Mod-ips 542> Initializing USB Mass Storage driver...

Mod-ips 543> usbcore: registered new interface driver usb-storage

Mod-ips 544> USB Mass Storage support registered.

Mod-ips 545> PNP: PS/2 Controller [PNP0303:KBD,PNP0f13:MOU] at 0x60,0x64 irq 1,12

Mod-ips 546> serio: i8042 KBD port at 0x60,0x64 irq 1

Mod-ips 547> serio: i8042 AUX port at 0x60,0x64 irq 12

Mod-ips 548> mice: PS/2 mouse device common for all mice

Mod-ips 549> rtc_cmos 00:01: rtc core: registered rtc_cmos as rtc0

Mod-ips 550> rtc0: alarms up to one day, 114 bytes nvram

Mod-ips 551> input: AT Translated Set 2 keyboard as /class/input/input0

Mod-ips 552> i2c /dev entries driver

Mod-ips 553> piix4_smbus 0000:00:01.3: SMBus Host Controller at 0xb100, revision 0

Mod-ips 554> device-mapper: ioctl: 4.14.0-ioctl (2008-04-23) initialised:

[email protected]

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

OL-29168-01

18-18

Download from Www.Somanuals.com. All Manuals Search And Download.

Chapter 18 Configuring the ASA 5500-X IPS SSP

Health and Status Information

Mod-ips 555> cpuidle: using governor ladder

Mod-ips 556> usbcore: registered new interface driver usbhid

Mod-ips 557> usbhid: v2.6:USB HID core driver

Mod-ips 558> TCP cubic registered

Mod-ips 559> IPv6: Loaded, but is disabled by default. IPv6 may be enabled on individual

interf

Mod-ips 560> aces.

Mod-ips 561> NET: Registered protocol family 10

Mod-ips 562> NET: Registered protocol family 17

Mod-ips 563> NET: Registered protocol family 5

Mod-ips 564> rtc_cmos 00:01: setting system clock to 2012-01-17 14:06:34 UTC (1326809194)

Mod-ips 565> Freeing unused kernel memory: 1032k freed

Mod-ips 566> Write protecting the kernel read-only data: 4272k

Mod-ips 567> Loader init started...

Mod-ips 568> kjournald starting. Commit interval 5 seconds

Mod-ips 569> EXT3-fs: mounted filesystem with ordered data mode.

Mod-ips 570> input: ImExPS/2 Generic Explorer Mouse as /class/input/input1

Mod-ips 571> 51216 blocks

Mod-ips 572> Checking rootrw fs: corrected filesystem

Mod-ips 573> kjournald starting. Commit interval 5 seconds

Mod-ips 574> EXT3 FS on hda2, internal journal

Mod-ips 575> EXT3-fs: mounted filesystem with ordered data mode.

Mod-ips 576> mkdir: cannot create directory '/lib/modules': File exists

Mod-ips 577> init started: BusyBox v1.13.1 (2011-11-01 07:21:34 CDT)

Mod-ips 578> starting pid 678, tty '': '/etc/init.d/rc.init'

Mod-ips 579> Checking system fs: no errors

Mod-ips 580> kjournald starting. Commit interval 5 seconds

Mod-ips 581> EXT3-fs: mounted filesystem with ordered data mode.

Mod-ips 582> /etc/init.d/rc.init: line 102: /proc/sys/vm/bdflush: No such file or