Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
Preface

Published: April 29, 2013, OL-29168-01

Contents

This document describes how to configure the sensor using the Cisco IPS 7.2 CLI. It contains the following sections:
• Audience, page xxiii
• Organization, page xxiii
• Related Documentation, page xxv
• Obtaining Documentation and Submitting a Service Request, page xxvi

Audience

This guide is intended for administrators who need to do the following:
• Configure the sensor for intrusion prevention using the CLI.
Organization

Chapter | Section Title | Description
5 | “Configuring Interfaces” | Describes how to configure promiscuous, inline, inline VLAN pair, and VLAN group interfaces.
6 | “Configuring Virtual Sensors” | Describes how to configure virtual sensors.
7 | “Configuring Event Action Rules” | Describes how to configure event action rules policies on the sensor.
8 | “Defining Signatures” | Describes how to add, clone, and edit signatures.
Conventions

This document uses the following conventions:
Convention | Indication
bold font | Commands and keywords and user-entered text appear in bold font.
italic font | Document titles, new or emphasized terms, and arguments for which you supply values are in italic font.
[ ] | Elements in square brackets are optional.
{x | y | z} | Required alternative keywords are grouped in braces and separated by vertical bars.
Obtaining Documentation and Submitting a Service Request

For a complete list of the Cisco ASA 5500 series documentation and where to find it, refer to the following URL: http://www.cisco.com/en/US/docs/security/asa/roadmap/asaroadmap.
Chapter ii Logging In to the Sensor

This chapter explains how to log in to the sensor.
Logging In to the Appliance

The service role does not have direct access to the CLI. Service account users are logged directly into a bash shell. Use this account for support and troubleshooting purposes only. Unauthorized modifications are not supported and will require the sensor to be reimaged to guarantee proper operation. You can create only one user with the service role.
***LICENSE NOTICE***
There is no license key installed on the system.
Please go to http://www.cisco.com/go/license to obtain a new license or install a license.
sensor#

For More Information
• For the procedure for connecting an appliance to a terminal server, see Connecting an Appliance to a Terminal Server, page ii-3.
Caution If a connection is dropped or terminated by accident, you should reestablish the connection and exit normally to prevent unauthorized access to the appliance.

Logging In to the ASA 5500-X IPS SSP

You log in to the ASA 5500-X IPS SSP from the adaptive security appliance. To session in to the ASA 5500-X IPS SSP from the adaptive security appliance, follow these steps:
Step 1 Log in to the adaptive security appliance.
***LICENSE NOTICE***
There is no license key installed on this IPS platform.
The system will continue to operate with the currently installed signature set.
A valid license must be obtained in order to apply signature updates.
Please go to http://www.cisco.com/go/license to obtain a new license or install a license.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to export@cisco.com.

***LICENSE NOTICE***
There is no license key installed on the system.
Please go to http://www.cisco.com/go/license to obtain a new license or install a license.
Chapter 1 Introducing the CLI Configuration Guide

This chapter introduces the IPS CLI configuration guide, and contains the following sections:
• Supported IPS Platforms, page 1-1
• Sensor Configuration Sequence, page 1-2
• IPS CLI Configuration Guide, page 1-1
• User Roles, page 1-3
• CLI Behavior, page 1-5
• Command Line Editing, page 1-6
• IPS Command Modes, page 1-8
• Regular Expression Syntax, page 1-8
• Generic CLI Commands, page 1-10
• CLI Keywords, page 1-11

Supported IPS
For an alphabetical list of all IPS commands, refer to the Command Reference for Cisco Intrusion Prevention System 7.2. For information on locating all IPS 7.2 documents on Cisco.com, refer to the Documentation Roadmap for Cisco Intrusion Prevention System 7.2. You can also use an IPS manager to configure your sensor.
For More Information
• For the procedure for logging in to your sensor, see Chapter ii, “Logging In to the Sensor.”
• For the procedure for using the setup command to initialize your sensor, see Chapter 2, “Initializing the Sensor.”
• For the procedure for verifying sensor initialization, see Verifying Initialization, page 2-20.
• For the procedure for obtaining and installing the license key, see Installing the License Key, page 3-54.
User Roles

Administrator
This user role has the highest level of privileges.
Note For IPS 5.0 and later, you can no longer remove the cisco account. You can disable it using the no password cisco command, but you cannot remove it. To use the no password cisco command, there must be another administrator account on the sensor. Removing the cisco account through the service account is not supported.
Command Line Editing

Recall
• To recall the commands entered in a mode, use the Up Arrow or Down Arrow keys or press Ctrl-P or Ctrl-N.
Note Help and tab complete requests are not reported in the recall list.
• A blank prompt indicates the end of the recall list.

Case Sensitivity
• The CLI is not case sensitive, but it does echo back the text in the same case you typed it.
Table 1-1 Command Line Editing (continued)
Keys | Description
Spacebar | Enables you to see more output on the terminal screen. Press the Spacebar when you see the line ---More--- on the screen to display the next screen.
Left arrow | Moves the cursor one character to the left.
IPS Command Modes

The Cisco IPS CLI has the following command modes:
• privileged EXEC—Entered when you log in to the CLI interface.
• global configuration—Entered from privileged EXEC mode by entering configure terminal. The command prompt is sensor(config)#.
• service mode configuration—Entered from global configuration mode by entering service service-name.
Table 1-2 Regular Expression Syntax (continued)
Character | Description
$ | Matches the end of the string. The expression “abc$” matches the sub-string “abc” only if it is at the end of the string.
| | Allows the expression on either side to match the target string. The expression “a|b” matches “a” as well as “b.”
. | Matches any character.
To create a regular expression that recalls a previous pattern, you use parentheses to indicate memory of a specific pattern and a backslash (\) followed by a digit to reuse the remembered pattern. The digit specifies which parenthesized group in the pattern is reused, counted in order of occurrence.
CLI Keywords

In general, use the no form of a command to disable a feature or function. Use the command without the keyword no to enable a disabled feature or function. For example, the command ssh host-key ip_address adds an entry to the known hosts table, and the command no ssh host-key ip_address removes the entry from the known hosts table. Refer to the individual commands for a complete description of what the no form of that command does.
Chapter 2 Initializing the Sensor

This chapter describes how to use the setup command to initialize the sensor, and contains the following sections:
• Initializing Notes and Caveats, page 2-1
• Understanding Initialization, page 2-2
• Simplified Setup Mode, page 2-2
• System Configuration Dialog, page 2-2
• Basic Sensor Setup, page 2-4
• Advanced Setup, page 2-7
• Verifying Initialization, page 2-20

Initializing Notes and Caveats

The following notes and caveats apply to initializing the
Understanding Initialization

After you install the sensor on your network, you must use the setup command to initialize it so that you can communicate with it over the network. With the setup command, you configure basic sensor settings, including the hostname, IP interfaces, access control lists, global correlation servers, and time settings.
Note You only need to set the date and time in the System Configuration Dialog if the system is an appliance and is NOT using NTP.

Note The System Configuration Dialog is an interactive dialog. The default settings are displayed. Example 2-1 shows a sample System Configuration Dialog.

Example 2-1 Example System Configuration Dialog
--- Basic Setup ---
--- System Configuration Dialog ---
At any point you may enter a question mark '?' for help.
Local Date as YYYY-MM-DD[2013-03-06]:
Local Time as HH:MM:SS[]:
Participation in the SensorBase Network allows Cisco to collect aggregated statistics about traffic sent to your IPS.
SensorBase Network Participation level?[off]:
If you agree to participate in the SensorBase Network, Cisco will collect aggregated statistics about traffic sent to your IPS.
Step 6 Enter yes to modify the network access list:
a. If you want to delete an entry, enter the number of the entry and press Enter, or press Enter to get to the Permit line.
b. Enter the IP address and netmask of the network you want to add to the access list.
Note For example, 10.0.0.0/8 permits all IP addresses on the 10.0.0.0 network (10.0.0.0-10.255.255.255) and 10.1.1.0/24 permits only the IP addresses on the 10.
Step 9
g. Specify the month you want summertime settings to end. Valid entries are january, february, march, april, may, june, july, august, september, october, november, and december. The default is november.
h. Specify the week you want the summertime settings to end. Valid entries are first, second, third, fourth, fifth, and last. The default is first.
i. Specify the day you want the summertime settings to end.
exit
summertime-option recurring
offset 60
summertime-zone-name CDT
start-summertime
month march
week-of-month second
day-of-week sunday
time-of-day 02:00:00
exit
end-summertime
month november
week-of-month first
day-of-week sunday
time-of-day 02:00:00
exit
exit
ntp-option enabled
ntp-keys 1 md5-key 8675309
ntp-servers 10.10.1.
Advanced Setup for the Appliance

Note The currently supported Cisco IPS appliances are the IPS 4345, IPS 4360, IPS 4510, and IPS 4520.

Note Adding new subinterfaces is a two-step process. You first organize the interfaces when you edit the virtual sensor configuration. You then choose which interfaces and subinterfaces are assigned to which virtual sensors.
[1] Edit Interface Configuration
[2] Edit Virtual Sensor Configuration
[3] Display configuration
Option:
Step 8 Enter 1 to edit the interface configuration.
Note The following options let you create and delete interfaces. You assign the interfaces to virtual sensors in the virtual sensor configuration. If you are using promiscuous mode for your interfaces and are not subdividing them by VLAN, no additional configuration is necessary.
Note At this point, you can configure another interface, for example, GigabitEthernet 0/1, for inline VLAN pair.
Step 14 Press Enter to return to the top-level interface editing menu.
[1] Remove interface configurations.
[2] Add/Modify Inline Vlan Pairs.
[3] Add/Modify Promiscuous Vlan Groups.
[4] Add/Modify Inline Interface Pairs.
[5] Add/Modify Inline Interface Pair Vlan Groups.
[6] Modify interface default-vlan.
[1] GigabitEthernet0/3
[2] GigabitEthernet0/0
Inline Vlan Pair:
[3] GigabitEthernet0/0:1 (Vlans: 200, 300)
Inline Interface Pair:
[4] newPair (GigabitEthernet0/1, GigabitEthernet0/2)
Add Interface:
Step 21 Enter 3 to add inline VLAN pair GigabitEthernet0/0:1.
Step 22 Enter 4 to add inline interface pair NewPair.
Step 23 Press Enter to return to the top-level virtual sensor menu.
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
service web-server
port 342
exit
service interface
physical-interfaces GigabitEthernet0/0
admin-state enabled
subinterface-type inline-vlan-pair
subinterface 1
description Created via setup by user asmith
vlan1 200
vlan2 300
exit
exit
exit
physical-interfaces GigabitEthernet0/1
admin-state enabled
exit
physical-interfaces GigabitEthernet0/2
admin-state enabled
exit
physica
Step 29 Reboot the appliance.
sensor# reset
Warning: Executing this command will stop all applications and reboot the node.
Continue with reset? []:
Step 30 Enter yes to continue the reboot.
Step 31 Apply the most recent service pack and signature update. You are now ready to configure your appliance for intrusion prevention.
Step 8 Enter 1 to edit the interface configuration.
Note You do not need to configure interfaces on the ASA 5500-X IPS SSP. You should ignore the modify interface default VLAN setting. The separation of traffic across virtual sensors is configured differently for the ASA 5500-X IPS SSP than for other sensors.
[1] Modify interface default-vlan.
Option:
Step 9 Press Enter to return to the top-level interface and virtual sensor configuration menu.
Step 16 Enter 1 to use the existing anomaly-detection configuration, ad0.
Signature Definition Configuration
[1] sig0
[2] Create a new signature definition configuration
Option[2]:
Step 17 Enter 2 to create a signature-definition configuration file.
Step 18 Enter the signature-definition configuration name, newSig.
ftp-timeout 300
no login-banner-text
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
service web-server
port 342
exit
service analysis-engine
virtual-sensor newVs
description New Sensor
signature-definition newSig
event-action-rules rules0
anomaly-detection
anomaly-detection-name ad0
exit
physical-interfaces PortChannel0/0
exit
exit
service event-action-rules rules0
overrides deny-packet
For More Information
For the procedure for obtaining the most recent IPS software, see Obtaining Cisco IPS Software, page 20-1.

Advanced Setup for the ASA 5585-X IPS SSP

To continue with advanced setup for the ASA 5585-X IPS SSP, follow these steps:
Step 1 Session in to the ASA 5585-X IPS SSP using an account with administrator privileges.
asa# session 1
Step 2 Enter the setup command. The System Configuration Dialog is displayed.
[2] Edit Virtual Sensor Configuration
[3] Display configuration
Option:
Step 10 Enter 2 to edit the virtual sensor configuration.
[1] Remove virtual sensor.
[2] Modify "vs0" virtual sensor configuration.
[3] Create new virtual sensor.
Option:
Step 11 Enter 2 to modify the virtual sensor vs0 configuration.
Virtual Sensor: vs0
Anomaly Detection: ad0
Event Action Rules: rules0
Signature Definitions: sig0
No Interfaces to remove.
Step 19 Enter 1 to use the existing event action rules configuration, rules0.
Note If PortChannel 0/0 has not been assigned to vs0, you are prompted to assign it to the new virtual sensor.
Virtual Sensor: newVs
Anomaly Detection: ad0
Event Action Rules: rules0
Signature Definitions: newSig
Monitored: PortChannel0/0
[1] Remove virtual sensor.
[2] Modify "newVs" virtual sensor configuration.
[3] Modify
[4] Create
Option:
Step 20
virtual-sensor newVs
description New Sensor
signature-definition newSig
event-action-rules rules0
anomaly-detection
anomaly-detection-name ad0
exit
physical-interfaces PortChannel0/0
exit
exit
service event-action-rules rules0
overrides deny-packet-inline
override-item-status Disabled
risk-rating-range 90-100
exit
exit
[0] Go to the command prompt without saving this config.
[1] Return back to the setup without saving this config.
Verifying Initialization

To verify that you initialized your sensor, follow these steps:
Step 1 Log in to the sensor.
Step 2 View your configuration.
sensor# show configuration
! ------------------------------
! Current configuration last modified Fri Apr 19 19:01:05 2013
! ------------------------------
! Version 7.2(1)
! Host:
!   Realm Keys key1.0
! Signature Definition:
!   Signature Update S697.
service trusted-certificates
exit
! ------------------------------
service web-server
websession-inactivity-timeout 3600
exit
! ------------------------------
service anomaly-detection ad0
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service health-monitor
exit
! ------------------------------
service global-correlation
exit
! ------------------------------
service aaa
exit
! -----------------
Chapter 3 Setting Up the Sensor

This chapter contains procedures for setting up the sensor, and contains the following sections:
• Setup Notes and Caveats, page 3-1
• Understanding Sensor Setup, page 3-2
• Changing Network Settings, page 3-2
• Changing the CLI Session Timeout, page 3-14
• Changing Web Server Settings, page 3-15
• Configuring Authentication and User Parameters, page 3-18
• Configuring Time, page 3-35
• Configuring SSH, page 3-45
• Configuring TLS, page 3-51
• In
• You cannot use the privilege command to give a user service privileges. If you want to give an existing user service privileges, you must remove that user and then use the username command to create the service account.
• Do not make modifications to the sensor through the service account except under the direction of TAC. If you use the service account to configure the sensor, your configuration is not supported by TAC.
Changing the Hostname

Note The CLI prompt of the current session and other existing sessions will not be updated with the new hostname. Subsequent CLI login sessions will reflect the new hostname in the prompt.

Use the host-name host_name command in the service host submode to change the hostname of the sensor after you have run the setup command. The default is sensor.
ftp-timeout: 300 seconds
login-banner-text:
-----------------------------------------------
sensor(config-hos-net)#
Step 7 Exit network settings mode.
sensor(config-hos-net)# exit
sensor(config-hos)# exit
Apply Changes:?[yes]:
Step 8 Press Enter to apply the changes or enter no to discard them.
ftp-timeout: 300 seconds
login-banner-text:
-----------------------------------------------
Step 5 To change the information back to the default setting, use the default form of the command.
sensor(config-hos-net)# default host-ip
Step 6 Verify that the host IP is now the default of 192.168.1.2/24,192.168.1.1.
Step 4 Verify that Telnet is enabled.
sensor(config-hos-net)# show settings
network-settings
-----------------------------------------------
host-ip: 192.0.2.1/24,192.0.2.2 default: 192.168.1.2/24,192.168.1.1
host-name: sensor default: sensor
telnet-option: enabled default: disabled
sshv1-fallback: disabled default: disabled
access-list (min: 0, max: 512, current: 1)
-----------------------------------------------
network-address: 0.0.0.
To modify the access list, follow these steps:
Step 1 Log in to the sensor using an account with administrator privileges.
Step 2 Enter network settings mode.
sensor# configure terminal
sensor(config)# service host
sensor(config-hos)# network-settings
Step 3 Add an entry to the access list. The netmask for a single host is 32.
sensor(config-hos-net)# access-list 192.0.2.110/32
Step 4 Verify the change you made to the access-list.
-----------------------------------------------
host-ip: 192.168.1.2/24,192.168.1.
-----------------------------------------------
ftp-timeout: 500 seconds default: 300
login-banner-text:
-----------------------------------------------
sensor(config-hos-net)#
Step 5 Change the value back to the default.
sensor(config-hos-net)# default ftp-timeout
Step 6 Verify the value has been set back to the default.
sensor(config-hos-net)# show settings
network-settings
-----------------------------------------------
host-ip: 192.0.
----------------------------------------------host-ip: 192.0.2.1/24,192.0.2.2 default: 192.168.1.2/24,192.168.1.1 host-name: sensor default: sensor telnet-option: enabled default: disabled sshv1-fallback: disabled default: disabled access-list (min: 0, max: 512, current: 1) ----------------------------------------------network-address: 0.0.0.
server and it must be reachable for automatic update and global correlation updates to be successful. You can configure other DNS servers as backup servers. DNS queries are sent to the first server in the list. If it is unreachable, DNS queries are sent to the next configured DNS server. Caution For automatic and global correlation updates to function, you must have either a DNS server or an HTTP proxy server configured at all times.
----------------------------------------------host-ip: 10.89.147.24/25,10.89.147.126 default: 192.168.1.2/24,192.168.1.1 host-name: sensor telnet-option: enabled default: disabled sshv1-fallback: disabled default: disabled access-list (min: 0, max: 512, current: 1) ----------------------------------------------network-address: 0.0.0.
Enabling SSHv1 Fallback Note The IPS supports managing both SSHv1 and SSHv2. The default is SSHv2, but you can configure the sensor to fall back to SSHv1 if the peer client/server does not support SSHv2. Use the sshv1-fallback {enabled | disabled} command in the service host submode to enable the sensor to fall back to SSH protocol version 1. Fallback to SSHv1 is provided in case the peer client/server does not support SSHv2.
Changing the CLI Session Timeout Use the cli-inactivity-timeout command in the service authentication submode to change the number of seconds that the CLI waits before timing out. Setting the CLI session timeout increases the security of a CLI session. The default is 0 seconds, which means that it is an unlimited value and thus will never time out. The valid range is 0 to 100,000 minutes.
Step 8 Press Enter to apply the changes or enter no to discard them. Changing Web Server Settings Note The default web server port is 443 if TLS is enabled and 80 if TLS is disabled.
– TLS_DHE_DSS_WITH_AES_256_CBC_SHA – TLS_RSA_WITH_AES_256_CBC_SHA – TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA – TLS_ECDH_RSA_WITH_AES_256_CBC_SHA – TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA – TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA – TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA – TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA – TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA – TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA – TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA – TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA – TLS_
If you disable TLS, you receive this message: Warning: TLS protocol support has been disabled. This change will not take effect until the web server is re-started. Step 5 Change the HTTP server header. sensor(config-web)# server-id Nothing to see here. Move along. Step 6 Specify the web session inactivity timeout. sensor(config-web)# websession-inactivity-timeout 800 Step 7 Turn on logging for web session inactivity timeouts.
Note If you change the port or enable TLS settings, you must reset the sensor so that the web server uses the new settings. For More Information • For the procedure for enabling SSHv1 fallback, see Enabling SSHv1 Fallback, page 3-13. • For the procedure for resetting the appliance, see Resetting the Appliance, page 17-44.
If you do not specify a password, the system prompts you for one. Use the password command to change the password for existing users. Use the privilege command to change the privilege for existing users.
Step 5 To remove a user, use the no form of the command. sensor# configure terminal sensor(config)# no username jsmith Note You cannot use this command to remove yourself from the system. Step 6 Verify that the user has been removed. sensor(config)# exit sensor# show users all CLI ID User * 13491 cisco jtaylor jroberts sensor# The user jsmith has been removed.
You can also configure the sensor to use local authentication (local fallback) if no RADIUS servers are responding. In this case, the sensor authenticates against the locally configured user accounts. The sensor will only use local authentication if the RADIUS servers are not available, not if the RADIUS server rejects the authentication requests of the user.
• primary-server—Lets you configure the main RADIUS server: – server-address—IP address of the RADIUS server. – server-port—Port of the RADIUS server. If not specified, the default RADIUS port is used. – timeout (seconds)—Specifies the number of seconds the sensor waits for a response from a RADIUS server before it considers the server to be unresponsive. – shared-secret—The secret value configured on the RADIUS server.
Note Enabling RADIUS authentication on the sensor does not disconnect already established connections. RADIUS authentication is only enforced for new connections to the sensor. Existing CLI, IDM, and IME connections remain established with the login credentials used prior to configuring RADIUS authentication. To force disconnection of these established connections, you must reset the sensor after RADIUS is configured.
– ips-role=administrator – ips-role=service e. Note If the sensor is not configured to use a default user role and the sensor user role information is not in the Accept Message of the CiscoSecure ACS server, the sensor rejects RADIUS authentication even if the CiscoSecure ACS server accepts the username and password.
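The following is an added example, not Cisco code, that models the login decision rules this section states: servers are tried in order, a timeout moves on to the next server, an explicit reject is final, local fallback applies only when every server is unresponsive, and an Accept without an ips-role attribute is usable only if a default user role is configured. The server replies, the local user table and the function names are constructed for the example.

```python
"""Model of the RADIUS login decision rules described in this section.

Added example, not Cisco code: the server replies and the local user table
are constructed stand-ins, and the names below are this example's own.
"""
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ACCEPT, REJECT, TIMEOUT = "accept", "reject", "timeout"
# User roles the guide names for the ips-role attribute and local accounts.
VALID_ROLES = {"administrator", "operator", "viewer", "service"}


@dataclass
class RadiusReply:
    """One server's answer to an Access-Request (constructed for the example)."""
    status: str                     # ACCEPT, REJECT or TIMEOUT
    ips_role: Optional[str] = None  # value of the ips-role attribute, if present


def authenticate(username: str, password: str,
                 replies: List[RadiusReply],
                 local_users: Dict[str, Tuple[str, str]],
                 local_fallback: bool = True,
                 default_role: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """Return ("accepted", role) or ("rejected", None) for one login attempt.

    replies      -- answers from the configured servers, primary server first;
                    TIMEOUT means the server did not answer within its timeout
    local_users  -- constructed local account table {username: (password, role)}
    """
    for reply in replies:
        if reply.status == TIMEOUT:
            continue                # unresponsive: fall through to the next server
        if reply.status == REJECT:
            # An explicit reject is final: local fallback is never consulted.
            return ("rejected", None)
        # ACCEPT: the role must come from the Accept message or the default role.
        role = reply.ips_role or default_role
        if role not in VALID_ROLES:
            return ("rejected", None)
        return ("accepted", role)

    # Every server was unresponsive; local accounts are used only if enabled.
    if not local_fallback:
        return ("rejected", None)
    entry = local_users.get(username)
    if entry is None:
        return ("rejected", None)
    stored_password, role = entry
    if not hmac.compare_digest(stored_password.encode(), password.encode()):
        return ("rejected", None)
    return ("accepted", role)


if __name__ == "__main__":
    local = {"cisco": ("constructed-pw", "administrator")}
    both_down = [RadiusReply(TIMEOUT), RadiusReply(TIMEOUT)]
    print(authenticate("cisco", "constructed-pw", both_down, local))
```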
b. Enter the IP address of the second RADIUS server. sensor(config-aaa-rad-sec)# server-address 10.4.5.6 sensor(config-aaa-rad-sec)# c. Enter the RADIUS server port. If not specified, the default RADIUS port is used. sensor(config-aaa-rad-sec)# server-port 1812 sensor(config-aaa-rad-sec)# d. Enter the amount of time in seconds you want to wait for the RADIUS server to respond.
Step 10 Exit AAA mode. sensor(config-aaa-rad)# exit sensor(config-aaa)# exit Apply Changes:?[yes]: Step 11 Press Enter to apply the changes or enter no to discard them. For More Information • For the procedure for adding and removing users, see Adding and Removing Users, page 3-18. • For the procedure for configuring passwords, see Configuring Passwords, page 3-29.
Status Events As part of the packet command restriction option, status events are triggered for the following actions: • When an administrator enables or disables the packet command restriction. • When an authorized user executes any of the restricted commands. • When an unauthorized user executes any of the restricted commands.
Step 7 Exit authentication mode. sensor(config-aut)# exit Apply Changes:?[yes]: Step 8 Press Enter to apply the changes or enter no to discard them. Creating the Service Account You can create a service account for TAC to use during troubleshooting. Although more than one user can have access to the sensor, only one user can have service privileges on a sensor. The service account is for support purposes only.
Step 4 Specify a password when prompted. A valid password is 8 to 32 characters long. All characters except space are allowed. If a service account already exists for this sensor, the following error is displayed and no service account is created. Error: Only one service account may exist Step 5 Exit configuration mode.
To change the password, follow these steps: Step 1 To change the password for another user or reset the password for a locked account, follow these steps: a. Log in to the CLI using an account with administrator privileges. b. Enter configuration mode. sensor# configure terminal c. Change the password for a specific user. This example modifies the password for the user “tester.
Step 3 Change the privilege level from viewer to operator. sensor# configure terminal sensor(config)# privilege user jsmith operator Warning: The privilege change does not apply to current CLI sessions. It will be applied to subsequent logins. sensor(config)# Step 4 Verify that the privilege of the user has been changed. The privilege of the user jsmith has been changed from viewer to operator.
9802 tester operator sensor# Step 4 To unlock the account of jsmith, reset the password. sensor# configure terminal sensor(config)# password jsmith Enter New Login Password: ****** Re-enter New Login Password: ****** Configuring the Password Policy As sensor administrator, you can configure how passwords are created. All user-created passwords must conform to the policy that you set up.
Step 7 Set the number of old passwords to remember for each account. A new password cannot match any of the old passwords of an account. sensor(config-aut-pas)# number-old-passwords 3 Step 8 Check your new setting.
Note When you apply a configuration that contains a non-zero value for attemptLimit, a change is made in the SSH server that may subsequently impact your ability to connect with the sensor. When attemptLimit is non-zero, the SSH server requires the client to support challenge-response authentication.
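As an added example, not Cisco code, the class below models a local account under the password policy and lockout behaviour this section describes: a new password must not match any of the remembered old passwords (number-old-passwords), the account locks after attemptLimit failed logins, a locked account is displayed in parentheses, and an administrator password reset unlocks it. The concrete policy values (8 to 32 characters, no space, number-old-passwords 3, attemptLimit 3) and the class and method names are assumptions of the example.

```python
"""Local account password policy and lockout, modelled on this section.

Added example, not Cisco code. The policy values are assumptions for the
example (8 to 32 characters, no spaces, number-old-passwords 3,
attemptLimit 3); the class and method names are this example's own.
"""
import hashlib
import hmac
import os
from typing import List, Tuple


class PolicyViolation(ValueError):
    """Raised when a new password does not satisfy the configured policy."""


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the remembered history holds no reusable plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class Account:
    def __init__(self, username: str, password: str, role: str,
                 number_old_passwords: int = 3, attempt_limit: int = 3):
        self.username = username
        self.role = role
        self.number_old_passwords = number_old_passwords
        self.attempt_limit = attempt_limit        # 0 means never lock
        self.failed_attempts = 0
        self.locked = False
        self.history: List[Tuple[bytes, bytes]] = []   # (salt, hash), newest last
        self._set(password)

    def _set(self, password: str) -> None:
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        # Keep the current password plus the configured number of old ones.
        self.history = self.history[-(self.number_old_passwords + 1):]

    def _matches(self, password: str, entry: Tuple[bytes, bytes]) -> bool:
        salt, digest = entry
        return hmac.compare_digest(_hash(password, salt), digest)

    def change_password(self, new_password: str) -> None:
        """Apply the policy, then set the password and clear any lock."""
        if not 8 <= len(new_password) <= 32:
            raise PolicyViolation("password must be 8 to 32 characters")
        if " " in new_password:
            raise PolicyViolation("space is not allowed in a password")
        if any(self._matches(new_password, e) for e in self.history):
            raise PolicyViolation("password matches a remembered old password")
        self._set(new_password)
        # Resetting the password (as the administrator does) unlocks the account.
        self.locked = False
        self.failed_attempts = 0

    def login(self, password: str) -> bool:
        if self.locked:
            return False
        if self._matches(password, self.history[-1]):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.attempt_limit and self.failed_attempts >= self.attempt_limit:
            self.locked = True
        return False

    def display_name(self) -> str:
        """Locked accounts are shown in parentheses, as in show users all."""
        return f"({self.username})" if self.locked else self.username
```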
Step 5 Check your new setting. The account of the user jsmith is now unlocked, as indicated by the absence of parentheses. sensor# show users all CLI ID User Privilege * 1349 cisco administrator 5824 jsmith viewer 9802 tester operator For More Information For the procedure for locking the user accounts, see Locking User Accounts, page 3-33. Configuring Time This section describes the importance of having a reliable time source for the sensor.
The ASA IPS Modules • The ASA 5500-X IPS SSP and ASA 5585-X IPS SSP automatically synchronize their clocks with the clock in the adaptive security appliance in which they are installed. This is the default. • Configure them to get their time from an NTP time synchronization source, such as a Cisco router other than the parent router.
Displaying the System Clock Use the show clock [detail] command to display the system clock. You can use the detail option to indicate the clock source (NTP or system) and the current summertime setting (if any). The system clock keeps an authoritative flag that indicates whether the time is authoritative (believed to be accurate). If the system clock has been set by a timing source, such as NTP, the flag is set. Table 3-1 lists the system clock flags.
Use the clock set hh:mm [:ss] month day year command to manually set the clock on the appliance. Use this command if no other time sources are available.
d. Enter the week of the month you want to start summertime settings. The values are first through fifth, or last. sensor(config-hos-rec-sta)# week-of-month first e. Verify your settings.
offset: 60 minutes default: 60 summertime-zone-name: CDT start-summertime ----------------------------------------------month: april default: april week-of-month: first default: first day-of-week: monday default: sunday time-of-day: 12:00:00 default: 02:00:00 ----------------------------------------------end-summertime ----------------------------------------------month: october default: october week-of-month: last default: last day-of-week: friday default
c. Verify your settings. sensor(config-hos-non-sta)# show settings start-summertime ----------------------------------------------date: 2004-05-15 time: 12:00:00 ----------------------------------------------sensor(config-hos-non-sta)# Step 5 Enter end summertime submode. sensor(config-hos-non-sta)# exit sensor(config-hos-non)# end-summertime Step 6 Configure the end summertime parameters: a. Enter the date you want to end summertime settings.
sensor(config-hos)# exit Apply Changes:?[yes]: Step 11 Press Enter to apply the changes or enter no to discard them. Configuring Time Zones Settings Use the time-zone-settings command to configure the time zone settings on the sensor, such as the time zone name the sensor displays whenever summertime settings are not in effect and the offset.
Configuring a Cisco Router to be an NTP Server The sensor requires an authenticated connection with an NTP server if it is going to use the NTP server as its time source. The sensor supports only the MD5 hash algorithm for key encryption. Use the following procedure to activate a Cisco router to act as an NTP server and use its internal clock as the time source.
Step 6 Specify the NTP master stratum number to be assigned to the sensor. The NTP master stratum number identifies the relative position of the server in the NTP hierarchy. You can choose a number between 1 and 15. It is not important to the sensor which number you choose. router(config)# ntp master stratum_number Example router(config)# ntp master 6 Configuring the Sensor to Use an NTP Time Source The sensor requires a consistent time source.
Step 5 Configure authenticated NTP: a. Enter NTP configuration mode. sensor(config-hos)# ntp-option enable b. Specify the NTP server IP address and key ID. The key ID is a number between 1 and 65535. This is the key ID that you already set up on the NTP server. sensor(config-hos-ena)# ntp-servers ip_address key-id key_ID Example sensor(config-hos-ena)# ntp-servers 10.16.0.0 key-id 100 c. Specify the key value for the NTP server.
• Adding Authorized RSA1 and RSA2 Keys, page 3-48 • Generating the RSA Server Host Key, page 3-49 Understanding SSH SSH provides strong authentication and secure communications over channels that are not secure. SSH encrypts your connection to the sensor and provides a key so you can validate that you are connecting to the correct sensor. SSH also provides authenticated and encrypted access to other devices that the sensor connects to for blocking.
Caution When you use the ssh host-key command, the SSH server at the specified IP address is contacted to obtain the required key over the network. The specified host must be accessible at the moment the command is issued.
Step 7 Remove an entry. The host is removed from the SSH known hosts list. sensor(config)# no ssh host-key 10.16.0.0 Step 8 Verify the host was removed. The IP address no longer appears in the list. sensor(config)# exit sensor# show ssh host-keys Adding Authorized RSA1 and RSA2 Keys Use the ssh authorized-key command to define public keys for a client allowed to use RSA1 or RSA2 authentication to log in to the local SSH server. The default is RSA2.
To add a key entry to the SSHv1 or SSHv2 authorized keys list for the current user, follow these steps: Step 1 Log in to the CLI. Step 2 Add a key to the authorized keys list for the current user. Note You receive an error message if you try to add a key smaller than the 2048-bit key size or if the measured key length and the input key length do not match.
Use the ssh generate-key command to change the SSH server host key. The displayed fingerprint matches the one displayed in the remote SSH client in future connections with this sensor if the remote client is using SSH. Note The sensor only supports RSA keys. Peers that communicate with IPS need to support RSA keys; otherwise, the connection is not established.
Configuring TLS This section describes TLS on the sensor, and contains the following topics: • Understanding TLS, page 3-51 • Adding TLS Trusted Hosts, page 3-52 • Displaying and Generating the Server Certificate, page 3-53 Understanding TLS The Cisco IPS contains a web server that is running the IDM. Management stations connect to this web server. Blocking forwarding sensors also connect to the web server of the master blocking sensor.
The most convenient option is to permanently trust the issuer. However, before you add the issuer, use out-of-band methods to examine the fingerprint of the certificate. This prevents you from being victimized by an attacker posing as a sensor. Confirm that the fingerprint of the certificate appearing in your web browser is the same as the one on your sensor.
Step 4 Verify that the host was added. sensor(config)# exit sensor# show tls trusted-hosts 10.89.146.110 sensor# Step 5 View the fingerprint for a specific host. sensor# show tls trusted-hosts 10.89.146.110 SHA1: B1:6F:F5:DA:F3:7A:FB:FB:93:E9:2D:39:B9:99:08:D4:47:02:F6:12 sensor# Step 6 Remove an entry from the trusted hosts list. sensor# configure terminal sensor(config)# no tls trusted-host 10.89.146.
For More Information For the procedure for updating the trusted hosts lists on remote sensors, see Adding TLS Trusted Hosts, page 3-52. Installing the License Key This section describes the IPS license key and how to install it.
Service Programs for IPS Products You must have a Cisco Services for IPS service contract for any IPS product so that you can download a license key and obtain the latest IPS signature updates. If you have a direct relationship with Cisco Systems, contact your account manager or service account manager to purchase the Cisco Services for IPS service contract.
Use the copy source-url license_file_name license-key command to copy the license key to your sensor. The following options apply: • source-url—The location of the source file to be copied. It can be a URL or keyword. • destination-url—The location of the destination file to be copied. It can be a URL or a keyword. • license-key—The subscription license file. • license_file_name—The name of the license file you receive.
Step 5 Log in to the CLI using an account with administrator privileges. Step 6 Copy the license key to the sensor. sensor# copy scp://user@192.168.1.2/24://tftpboot/dev.lic license-key Password: ******* Step 7 Verify the sensor is licensed. sensor# show version Application Partition: Cisco Intrusion Prevention System, Version 7.2(1)E4 Host: Realm Keys key1.0 Signature Definition: Signature Update S697.0 2013-02-15 OS Version: 2.6.29.
For More Information • For more information about getting started using the ASA 5500-X IPS SSP, refer to the Cisco IPS Module on the ASA Quick Start Guide. • For the procedures for obtaining and installing the IPS License key, see Obtaining and Installing the License Key. Uninstalling the License Key Use the erase license-key command to uninstall the license key on your sensor.
IPS-K9-7.2-1-E4 11:17:07 UTC Thu Jan 10 2013 Recovery Partition Version 1.1 - 7.2(1)E4 Host Certificate Valid from: 17-Apr-2013 to 18-Apr-2015 sensor#
Chapter 4 Configuring Interfaces This chapter describes how to configure interfaces on the sensor. You configured the interfaces when you initialized the sensor with the setup command, but if you need to change or add anything to your interface configuration, use the following procedures. For more information on configuring interfaces using the setup command, see Chapter 2, “Initializing the Sensor.
• The ASA IPS modules (ASA 5500-X IPS SSP and ASA 5585-X IPS SSP) do not support inline VLAN pairs. • The ASA IPS modules (ASA 5500-X IPS SSP and ASA 5585-X IPS SSP) do not support VLAN groups mode. • There are security consequences when you put the sensor in bypass mode. When bypass mode is on, the traffic bypasses the sensor and is not inspected; therefore, the sensor cannot prevent malicious attacks.
• Alternate TCP reset There are restrictions on which roles you can assign to specific interfaces and some interfaces have multiple roles. You can configure any sensing interface to any other sensing interface as its TCP reset interface. The TCP reset interface can also serve as an IDS (promiscuous) sensing interface at the same time.
1. The 4500 series sensors have two management ports, Management 0/0 and Management 0/1, but Management 0/1 is reserved for future use. Sensing Interfaces Sensing interfaces are used by the sensor to analyze traffic for security violations. A sensor has one or more sensing interfaces depending on the sensor. Sensing interfaces can operate individually in promiscuous mode or you can pair them to create inline interfaces.
Note There is only one sensing interface on the ASA IPS modules (ASA 5500-X IPS SSP and ASA 5585-X IPS SSP), so you cannot designate an alternate TCP reset interface. Table 4-2 lists the alternate TCP reset interfaces.
Caution You can only assign a sensing interface as an alternate TCP reset interface. You cannot configure the management interface as an alternate TCP reset interface. Interface Support Table 4-3 describes the interface support for appliances and modules running Cisco IPS.
Table 4-3 Interface Support (continued) Base Chassis Added Interface Cards Interfaces Supporting Inline VLAN Pairs (Sensing Ports) IPS 4345 — GigabitEthernet 0/0 GigabitEthernet 0/1 Combinations Supporting Inline Interface Pairs Interfaces Not Supporting Inline (Command and Control Port) All sensing ports can be paired together Management 0/0 Management 0/11 All sensing ports can be paired together Management 0/0 Management 0/11 All s
Table 4-3 Interface Support (continued) Base Chassis Added Interface Cards Interfaces Supporting Inline VLAN Pairs (Sensing Ports) IPS 4510 — GigabitEthernet 0/0 GigabitEthernet 0/1 Combinations Supporting Inline Interface Pairs Interfaces Not Supporting Inline (Command and Control Port) All sensing ports can be paired together Management 0/0 Management 0/12 All sensing ports can be paired together Management 0/0 Management 0/12 Giga
– For Gigabit (copper or fiber) interfaces, if the speed is configured for 1000 Mbps, the only valid duplex setting is auto. – The command and control interface cannot also serve as a sensing interface. • Inline Interface Pairs – Inline interface pairs can contain any combination of sensing interfaces regardless of the physical interface type (copper versus fiber), speed, or duplex settings of the interface.
– You can only configure interfaces that are capable of TCP resets as alternate TCP reset interfaces. Note • There is only one sensing interface on the ASA IPS modules (ASA 5500-X IPS SSP and ASA 5585-X IPS SSP), so you cannot designate an alternate TCP reset interface. VLAN Groups – You can configure any single interface for promiscuous, inline interface pair, or inline VLAN pair mode, but no combination of these modes is allowed.
For More Information • For the procedure for configuring the physical interface settings, see Configuring Physical Interfaces, page 4-11. • For the procedures for creating and deleting different kinds of interfaces, see Configuring Inline Interface Mode, page 4-16, Configuring Inline VLAN Pair Mode, page 4-21, Configuring VLAN Group Mode, page 4-26, and Configuring Inline Bypass Mode, page 4-33.
• duplex—Specifies the duplex setting of the interface: – auto—Sets the interface to auto negotiate duplex. – full—Sets the interface to full duplex. – half—Sets the interface to half duplex. Note The duplex option is protected on all modules. Note For TenGigabit SFP+ ports, the permitted values are auto and full. • no—Removes an entry or selection setting.
Step 5 Enable the interface. You must assign the interface to a virtual sensor and enable it before it can monitor traffic. sensor(config-int-phy)# admin-state enabled Step 6 Add a description of this interface. sensor(config-int-phy)# description INT1 Step 7 Specify the duplex settings. This option is not available on the ASA IPS modules (ASA 5500-X IPS SSP and ASA 5585-X IPS SSP).
media-type: tx description: admin-state: disabled duplex: auto speed: auto alt-tcp-reset-interface ----------------------------------------------none ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------sensor(config-int-phy)# Step 14 Exit interface subm
intended target for certain types of attacks, such as atomic attacks (single-packet attacks). The response actions implemented by promiscuous sensor devices are post-event responses and often require assistance from other networking devices, for example, routers and firewalls, to respond to an attack.
The following configuration uses one SPAN session to send all of the traffic on any of the specified VLANs to all of the specified ports. Each port configuration only allows a particular VLAN or VLANs to pass.
Figure 4-2 illustrates inline interface pair mode: Figure 4-2 Inline Interface Pair Mode [figure: traffic passes through the sensor's interface pair between a router and a switch, with a host on VLAN A] Configuring Inline Interface Pairs Use the inline-interfaces name command in the service interface submode to create inline interface pairs.
Step 3 Verify that the subinterface mode is “none” for both of the physical interfaces you are pairing in the inline interface.
sensor(config-int)# physical-interfaces GigabitEthernet0/0 sensor(config-int-phy)# admin-state enabled sensor(config-int-phy)# exit sensor(config-int)# physical-interfaces GigabitEthernet0/1 sensor(config-int-phy)# admin-state enabled sensor(config-int-phy)# exit sensor(config-int)# Step 11 Verify that the interfaces are enabled.
speed: auto default-vlan: 0 alt-tcp-reset-interface ----------------------------------------------none ------------------------------------------------------------------------------------------------------------------------------------------subinterface-type ----------------------------------------------none ------------------------------------------------------------------------------------------------------------
Configuring Inline VLAN Pair Mode This section describes inline VLAN pair mode and how to configure inline VLAN pairs. It contains the following topics: • Understanding Inline VLAN Pair Mode, page 4-21 • Configuring Inline VLAN Pairs, page 4-22 Understanding Inline VLAN Pair Mode Note The ASA IPS modules (ASA 5500-X IPS SSP and ASA 5585-X IPS SSP) do not support inline VLAN pairs.
Configuring Inline VLAN Pairs Use the physical-interfaces interface_name command in the service interface submode to configure inline VLAN pairs. The interface name is FastEthernet or GigabitEthernet. The following options apply: • admin-state {enabled | disabled}—Specifies the administrative link state of the interface, whether the interface is enabled or disabled.
Configuring Inline VLAN Pairs To configure the inline VLAN pair settings on the sensor, follow these steps: Step 1 Log in to the CLI using an account with administrator privileges. Step 2 Enter interface submode. sensor# configure terminal sensor(config)# service interface sensor(config-int)# Step 3 Verify if any inline interfaces exist (the subinterface type should read “none” if no inline interfaces have been configured).
description: admin-state: disabled duplex: auto speed: auto alt-tcp-reset-interface ----------------------------------------------none ------------------------------------------------------------------------------------------------------------------------------------------subinterface-type ----------------------------------------------none ----------------------------------------------------
bypass-mode: auto interface-notifications ----------------------------------------------missed-percentage-threshold: 0 percent notification-interval: 30 seconds idle-interface-delay: 30 seconds ----------------------------------------------sensor(config-int)# Step 4 If there are inline interfaces that are using this physical interface, remove them.
----------------------------------------------sensor(config-int-phy-inl-sub)# Step 14 To delete VLAN pairs: a. Delete one VLAN pair. sensor(config-int-phy-inl-sub)# exit sensor(config-int-phy-inl)# no subinterface 1 If this VLAN pair is the last one on the sensor, you receive the following error message: Error: This "subinterface-type" contains less than the required number of "subinterface" entries.
Configuring VLAN Group Mode
You can divide each physical interface or inline interface into VLAN group subinterfaces, each of which consists of a group of VLANs on that interface. Analysis Engine supports multiple virtual sensors, each of which can monitor one or more of these interfaces. This lets you apply multiple policies to the same sensor. The advantage is that you can use a sensor with only a few interfaces as if it had many interfaces.
In the second variation, the two ports are configured as trunk ports, so they can carry multiple VLANs. In this configuration, the sensor bridges multiple VLANs between the two switches. Because multiple VLANs are carried over the inline interface pair, the VLANs can be divided into groups and each group can be assigned to a virtual sensor.
• subinterface name—Defines the subinterface as a VLAN group:
– vlans {range | unassigned}—Specifies the set of VLANs in the VLAN group. The value for range is 1 to 4095 in a comma-separated pattern of individual VLAN IDs or ranges, for example 1,5-8,10-15. There are no spaces between the entries.
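The vlans range syntax above is easy to get wrong by hand (a stray space, a descending range, an ID above 4095), and the CLI only tells you after you have typed it. The following Python is an added example, not code from the guide or the sensor: it parses the documented syntax, formats a set of IDs back into it, and resolves the VLAN groups of one physical interface, including the unassigned group. Rejecting overlapping groups and allowing a single unassigned group per interface are assumptions made for this check, not statements from the guide.

```python
"""Parser and consistency check for the IPS 'vlans' syntax used by VLAN group
subinterfaces: VLAN IDs 1 to 4095, comma-separated single IDs or a-b ranges
with no spaces (for example 1,5-8,10-15), or the keyword 'unassigned'.

Added example, not code from the Cisco guide. The sensor CLI performs its
own validation; this reproduces the documented rules so a change can be
checked before it is typed. Treating overlapping groups on one interface as
an error and allowing a single 'unassigned' group per interface are this
example's assumptions.
"""
import re
from typing import Dict, Set

VLAN_MIN, VLAN_MAX = 1, 4095
_TOKEN = re.compile(r"^(\d+)(?:-(\d+))?$")


def parse_vlan_range(spec: str) -> Set[int]:
    """Return the set of VLAN IDs denoted by spec, or raise ValueError."""
    if re.search(r"\s", spec):
        raise ValueError("no whitespace is allowed in a vlans range")
    vlans: Set[int] = set()
    for token in spec.split(","):
        m = _TOKEN.match(token)
        if not m:
            raise ValueError(f"bad entry {token!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi < lo:
            raise ValueError(f"descending range {token!r}")
        if lo < VLAN_MIN or hi > VLAN_MAX:
            raise ValueError(f"VLAN ID outside {VLAN_MIN}-{VLAN_MAX} in {token!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def format_vlan_range(vlans: Set[int]) -> str:
    """Inverse of parse_vlan_range: collapse consecutive IDs back to a-b entries."""
    ids = sorted(vlans)
    out, i = [], 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1
        out.append(str(ids[i]) if i == j else f"{ids[i]}-{ids[j]}")
        i = j + 1
    return ",".join(out)


def assign_vlan_groups(groups: Dict[int, str]) -> Dict[int, Set[int]]:
    """Resolve the vlans spec of every subinterface on one physical interface.

    Explicit groups must not overlap (assumption); the optional 'unassigned'
    group receives every VLAN that no explicit group claims.
    """
    resolved: Dict[int, Set[int]] = {}
    claimed: Set[int] = set()
    unassigned_sub = None
    for sub, spec in groups.items():
        if spec == "unassigned":
            if unassigned_sub is not None:
                raise ValueError("only one 'unassigned' group per interface (assumption)")
            unassigned_sub = sub
            continue
        vlans = parse_vlan_range(spec)
        overlap = vlans & claimed
        if overlap:
            raise ValueError(f"subinterface {sub} overlaps VLANs {format_vlan_range(overlap)}")
        claimed |= vlans
        resolved[sub] = vlans
    if unassigned_sub is not None:
        resolved[unassigned_sub] = set(range(VLAN_MIN, VLAN_MAX + 1)) - claimed
    return resolved


if __name__ == "__main__":
    # Constructed plan for one interface: two explicit groups plus the rest.
    plan = {1: "1,5-8,10-15", 2: "100-200", 3: "unassigned"}
    for sub, vlans in assign_vlan_groups(plan).items():
        print(f"subinterface {sub}: {len(vlans)} VLANs, e.g. {format_vlan_range(vlans)[:40]}")
```

Run the plan through assign_vlan_groups before committing it on the sensor; a ValueError names the offending subinterface and the VLANs it collides with.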
-----------------------------------------------
name: GigabitEthernet0/2
-----------------------------------------------
media-type: tx
description:
admin-state: disabled
duplex: auto
speed: auto
alt-tcp-reset-interface
-----------------------------------------------
none
-----------------------------------------------
command-control: Management0/0
inline-interfaces (min: 0, max: 999999999, current: 0)
-----------------------------------------------
-----------------------------------------------
bypass-mode: auto
interface-notifications
-----------------------------------------------
missed-percentage-thr
b. Verify the settings.
sensor(config-int-phy-vla-sub)# show settings
subinterface-number: 1
-----------------------------------------------
description:
vlans
-----------------------------------------------
range: 1,5-8,10-15
-----------------------------------------------
-----------------------------------------------
sensor(config-int-phy-vla-sub)#
c. Configure unassigned VLANs.
Step 15 Delete VLAN groups:
a. Delete one VLAN group.
sensor(config-int-phy-vla-sub)# exit
sensor(config-int-phy-vla)# no subinterface 1
If this VLAN group is the last one on the sensor, you receive an error message.
Error: This "subinterface-type" contains less than the required number of "subinterface" entries. Please add entry(s) to reach the minimum required entries or select a different "subinterface-type".
Configuring Inline Bypass Mode
Caution There are security consequences when you put the sensor in bypass mode. When bypass mode is on, traffic bypasses the sensor and is not inspected; therefore, the sensor cannot prevent malicious attacks.
Caution As with signature updates, when the sensor applies a global correlation update, it may trigger bypass.
Configuring Interface Notifications
Step 4 Verify the settings.
Step 3 Enter interface submode.
sensor(config)# service interface
Step 4 Enter interface notifications submode.
sensor(config-int)# interface-notifications
Step 5 Specify the idle interface delay.
sensor(config-int-int)# idle-interface-delay 60
Step 6 Specify the missed percentage threshold.
sensor(config-int-int)# missed-percentage-threshold 1
Step 7 Specify the notification interval.
Configuring CDP Mode
Use the cdp-mode command in service interface mode to have the sensor either forward or drop CDP packets. The following option applies:
• cdp-mode {forward-cdp-packets | drop-cdp-packets}—Configures the sensor to either forward CDP packets or drop CDP packets. The default is drop-cdp-packets.
Enabling CDP Mode
To configure CDP mode, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Use the show interfaces [clear | brief] command in EXEC mode to display statistics for all system interfaces. Use the show interfaces {FastEthernet | GigabitEthernet | Management | PortChannel} [slot/port] command to display statistics for specific interfaces. The following options apply:
• clear—(Optional) Clears the diagnostics.
• brief—(Optional) Displays a summary of the usability status information for each interface.
GigabitEthernet0/2   Disabled   Down   Unpaired   N/A
GigabitEthernet0/3   Disabled   Down   Unpaired   N/A
sensor#
Step 4 Display the statistics for a specific interface.
Displaying Interface Traffic History
Use the show interfaces-history [traffic-by-hour | traffic-by-minute] command in EXEC mode to display historical interface statistics for all system interfaces. The historical information for each interface is maintained for three days with 60-second granularity.
Displaying Historical Interface Statistics
To display interface traffic history, follow these steps:
Step 1 Log in to the CLI.
Step 2 Display the interface traffic history by the hour.
[Sample output: one row per minute, timestamps 12:05:25 through 12:23:37 UTC on a Tuesday in March (year not recoverable from the page), every counter 0.]
sensor#
Step 4
CHAPTER 5 Configuring Virtual Sensors
This chapter explains the function of the Analysis Engine and how to create, edit, and delete virtual sensors. It also explains how to assign interfaces to a virtual sensor.
Understanding the Analysis Engine
The Analysis Engine performs packet analysis and alert detection. It monitors traffic that flows through specified interfaces. You create virtual sensors in the Analysis Engine. Each virtual sensor has a unique name with a list of interfaces, inline interface pairs, inline VLAN pairs, and VLAN groups associated with it.
Virtualization has the following restrictions:
• You must assign both sides of asymmetric traffic to the same virtual sensor.
• Using VACL capture or SPAN (promiscuous monitoring) is inconsistent with regard to VLAN tagging, which causes problems with VLAN groups.
– When using Cisco IOS software, a VACL capture port or a SPAN target does not always receive tagged packets even if it is configured for trunking.
Inline TCP Session Tracking Mode
• Virtual Sensor—All packets with the same session key (AaBb) within a virtual sensor belong to the same session. This is the default and almost always the best option to choose.
Normalization and Inline TCP Evasion Protection Mode
Note For the ASA IPS modules (ASA 5500-X IPS SSP and ASA 5585-X IPS SSP), normalization is performed by the adaptive security appliance and not the IPS.
Adding, Editing, and Deleting Virtual Sensors
Adding Virtual Sensors
Use the virtual-sensor name command in service analysis engine submode to create a virtual sensor. You can create up to four virtual sensors. You assign policies (anomaly detection, event action rules, and signature definition) to the virtual sensor. Then you assign interfaces (promiscuous, inline interface pairs, inline VLAN pairs, and VLAN groups) to the virtual sensor.
Note For the ASA IPS modules (ASA 5500-X IPS SSP and ASA 5585-X IPS SSP), normalization is performed by the adaptive security appliance and not the IPS.
• inline-TCP-session-tracking-mode—Enables an advanced method used to identify duplicate TCP sessions in inline traffic. The default is virtual sensor, which is almost always the best choice.
Step 6 Assign an event action rules policy to this virtual sensor.
sensor(config-ana-vir-ano)# exit
sensor(config-ana-vir)# event-action-rules rules1
Step 7 Assign a signature definition policy to this virtual sensor.
sensor(config-ana-vir)# signature-definition sig1
Step 8 Enable HTTP advanced decoding.
event-action-rules: rules1 default: rules0
anomaly-detection
-----------------------------------------------
anomaly-detection-name: ad1 default: ad0
operational-mode: learn default: detect
-----------------------------------------------
physical-interface (min: 0, max: 999999999, current: 2)
-----------------------------------------------
name: GigabitEthernet0/3
subinterface-number: 0
-----------------------------
Editing and Deleting Virtual Sensors
You can edit the following parameters of a virtual sensor:
• Signature definition policy
• Event action rules policy
• Anomaly detection policy
Note Anomaly detection is disabled by default. You must enable it to configure or apply an anomaly detection policy. Enabling anomaly detection results in a decrease in performance.
Step 8 Change the inline TCP session tracking mode. The default is virtual sensor mode, which is almost always the best option to choose.
sensor(config-ana-vir)# inline-TCP-session-tracking-mode interface-and-vlan
Step 9 Display the list of available interfaces.
Step 15 Verify the deleted virtual sensor. Only the default virtual sensor, vs0, is present.
Configuring Global Variables
Use the global-parameters command in service analysis engine submode to create global variables, such as IP logging, service activity, and specifying the flow depth. Flow depth is used for String, Multi-String, Service HTTP, and State engines. It does not apply to the XL String engine and the platforms that support it.
sensor(config-ana)#
Step 5 Create the variable for service activity.
sensor(config-ana-glo)# serviceActivity
sensor(config-ana-glo-ser)# enable-serviceactivity 1
sensor(config-ana-glo-ser)# serviceActivityLimit 15
sensor(config-ana-glo-ser)# exit
sensor(config-ana-glo)#
Step 6 Verify the global variable settings.
CHAPTER 7 Defining Signatures
This chapter describes how to define and create signatures.
Working With Signature Definition Policies
Use the service signature-definition name command in service signature definition mode to create a signature definition policy. The values of this signature definition policy are the same as the default signature definition policy, sig0, until you edit them.
sensor#
Note You cannot delete the default signature definition policy, sig0.
Step 7 Confirm the signature definition policy has been deleted.
sensor# list signature-definition-configurations
Signature Definition
Instance   Size   Virtual Sensor
sig0       255    vs0
temp       707    N/A
sig1       141    vs1
sensor#
Step 8 Reset a signature definition policy to factory settings.
Understanding Signatures
The Cisco IPS contains over 10,000 built-in default signatures. You cannot rename or delete signatures from the list of built-in signatures, but you can retire signatures to remove them from the sensing engine. You can later activate retired signatures; however, this process requires the sensing engines to rebuild their configuration, which takes time and could delay the processing of traffic.
Configuring Signature Variables
Adding, Editing, and Deleting Signature Variables
To add, edit, and delete signature variables, follow these steps:
Step 1 Log in to the CLI using an account with administrator or operator privileges.
Step 2 Enter signature definition submode.
sensor# configure terminal
sensor(config)# service signature-definition sig1
Step 3 Create a signature variable for a group of IP addresses.
sensor(config-sig)# variables IPADD ip-addr-range 10.1.1.
Configuring Signatures
This section describes how to configure signature parameters, and contains the following topics:
• Signature Definition Options, page 7-6
• Configuring Alert Frequency, page 7-7
• Configuring Alert Severity, page 7-9
• Configuring the Event Counter, page 7-10
• Configuring Signature Fidelity Rating, page 7-12
• Configuring the Status of Signatures, page 7-13
• Configuring the Vulnerable OSes for a Signature, page 7-1
• vulnerable-os—Specifies the list of OS types that are vulnerable to this attack signature.
For More Information
• For the procedure for configuring alert frequency, see Configuring Alert Frequency, page 7-7.
• For more information about signature engines, see Appendix B, "Signature Engines."
• For the procedure for assigning actions, see Assigning Actions to Signatures, page 7-15.
• specify-global-summary-threshold {yes | no}—(Optional) Enables global summary threshold mode:
– global-summary-threshold—Specifies the number of alerts at which the signature moves into global summary mode. The value is 1 to 65535.
Configuring Alert Frequency
To configure the alert frequency parameters of a signature, follow these steps:
Step 1 Log in to the CLI using an account with administrator or operator privileges.
Step 7 Press Enter to apply the changes or enter no to discard them.
Configuring Alert Severity
Use the alert-severity command in signature definition submode to configure the severity of a signature. The following options apply:
• sig_id—Identifies the unique numerical value assigned to this signature. This value lets the sensor identify a particular signature. The value is 1000 to 65000.
engine
-----------------------------------------------
atomic-ip
-----------------------------------------------
event-action: produce-alert
fragment-status: any
specify-l4-protocol
--MORE--
Step 6 Exit signatures submode.
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes:?[yes]:
Step 7 Press Enter to apply the changes or enter no to discard them.
Step 4 Enter event counter submode.
sensor(config-sig-sig)# event-counter
Step 5 Specify how many times an event must occur before an alert is generated.
sensor(config-sig-sig-eve)# event-count 2
Step 6 Specify the storage type on which you want to count events for this signature.
sensor(config-sig-sig-eve)# event-count-key AxBx
Step 7 (Optional) Enable alert interval.
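Steps 4 through 7 above choose how many hits it takes and which addresses the count is keyed on. The following Python is an added example, not the sensor's code, that models that counter so the difference between event-count-key values can be seen on constructed events: AxBx keys on attacker and victim addresses, AaBb on the full address and port 4-tuple, and in each of the four positions the letter (A, a, B, b) selects that field while x ignores it. How the sensor restarts the count when alert-interval expires is an assumption of this model.

```python
"""Model of the per-signature event counter (event-count, event-count-key,
alert-interval) from the event-counter submode.

Added example, not code from the Cisco guide or the sensor. The key
templates follow the documented event-count-key values: each of the four
positions selects attacker address (A), attacker port (a), victim address (B)
or victim port (b), and 'x' ignores that field, so AxBx counts per
attacker/victim address pair and AaBb per full 4-tuple. The reset behaviour
when alert-interval elapses is modelled as "start counting again"; treat the
exact sensor timing as an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    """One candidate hit for a signature (constructed sample data)."""
    t: float            # seconds
    attacker_ip: str
    attacker_port: int
    victim_ip: str
    victim_port: int


_POSITIONS = "AaBb"   # letter allowed at each position of an event-count-key


def event_key(key_type: str, ev: Event) -> Tuple:
    """Project an event onto the fields selected by an event-count-key such as AxBx."""
    if len(key_type) != 4 or any(c not in (p, "x") for c, p in zip(key_type, _POSITIONS)):
        raise ValueError(f"bad event-count-key {key_type!r}")
    fields = (ev.attacker_ip, ev.attacker_port, ev.victim_ip, ev.victim_port)
    return tuple(f if c != "x" else None for c, f in zip(key_type, fields))


@dataclass
class EventCounter:
    event_count: int = 1
    event_count_key: str = "Axxx"
    alert_interval: Optional[int] = None     # seconds; None means the count never expires
    _state: Dict[Tuple, Tuple[float, int]] = field(default_factory=dict)  # key -> (first_t, n)

    def observe(self, ev: Event) -> bool:
        """Feed one event; return True when this event makes the signature alert."""
        key = event_key(self.event_count_key, ev)
        first_t, n = self._state.get(key, (ev.t, 0))
        if self.alert_interval is not None and ev.t - first_t > self.alert_interval:
            first_t, n = ev.t, 0            # window expired without reaching the count
        n += 1
        if n >= self.event_count:
            self._state.pop(key, None)      # alert, then start a fresh count for this key
            return True
        self._state[key] = (first_t, n)
        return False


def alerting_events(counter: EventCounter, events: List[Event]) -> List[int]:
    """Return the indices of the events that produced an alert."""
    return [i for i, ev in enumerate(events) if counter.observe(ev)]


# Constructed sample: one attacker hitting two victims from changing source ports.
SAMPLE = [
    Event(0.0, "10.1.1.5", 40000, "192.0.2.10", 80),
    Event(1.0, "10.1.1.5", 40001, "192.0.2.11", 80),
    Event(2.0, "10.1.1.5", 40002, "192.0.2.10", 80),
    Event(3.0, "10.1.1.5", 40003, "192.0.2.11", 80),
]

if __name__ == "__main__":
    for key in ("Axxx", "AxBx", "AaBb"):
        print(key, alerting_events(EventCounter(2, key), SAMPLE))
```

With event-count 2, Axxx alerts on the second and fourth event (everything from 10.1.1.5 is one bucket), AxBx alerts once per victim, and AaBb never alerts because every event has a different source port; that last case is why a per-flow key is a poor choice for counting a scan.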
Configuring Signature Fidelity Rating
Use the sig-fidelity-rating command in signature definition submode to configure the signature fidelity rating for a signature. The following option applies:
• sig-fidelity-rating—Identifies the weight associated with how well this signature might perform in the absence of specific knowledge of the target. The valid value is 0 to 100.
Configuring the Status of Signatures
Use the status command in signature definition submode to specify the status of a specific signature. The following options apply:
• status—Identifies whether the signature is enabled, disabled, or retired:
– enabled {true | false}—Enables the signature.
– retired {true | false}—Retires the signature.
– obsoletes signature_ID—Shows the other signatures that have been obsoleted by this signature.
Configuring the Vulnerable OSes for a Signature
Use the vulnerable-os command in signature definition submode to configure the list of vulnerable OSes for a signature.
sig-string-info: My Sig Info
sig-comment: Sig Comment
alert-traits: 0
release: custom
-----------------------------------------------
vulnerable-os: aix|linux default: general-os
*---> engine
-----------------------------------------------
event-counter
-----------------------------------------------
event-count: 1
event-count-key: Axxx
specif
– request-rate-limit—Sends a rate limit request to the ARC to perform rate limiting.
– request-snmp-trap—Sends a request to the Notification Application component of the sensor to perform SNMP notification.
– reset-tcp-connection—Sends TCP resets to hijack and terminate the TCP flow.
– modify-packet-inline—Modifies packet data to remove ambiguity about what the end point might do with the packet.
percentage
-----------------------------------------------
external-rate-limit-percentage: 50 default: 100
-----------------------------------------------
Step 9 Exit event action submode.
sensor(config-sig-sig-nor-eve-per)# exit
sensor(config-sig-sig-nor-eve)# exit
sensor(config-sig-sig-nor)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes:?[yes]:
Step 10 Press Enter to apply the changes or enter no to discard them.
AIC has the following categories of signatures:
• HTTP request method
– Define request method
– Recognized request methods
• MIME type
– Define content type
– Recognized content type
• Define web traffic policy
There is one predefined signature, 12674, that specifies the action to take when noncompliant HTTP traffic is seen. The parameter Alarm on Non HTTP Traffic enables the signature. By default this signature is enabled.
The following options apply:
• ftp-enable {true | false}—Enables protection for FTP services. Set to true to require the sensor to inspect FTP traffic. The default is false.
• http-policy—Enables inspection of HTTP traffic:
– aic-web-ports—Specifies the variable for ports to look for AIC traffic. The value is a comma-separated list of integer ranges a-b[,c-d] within 0 to 65535.
-----------------------------------------------
ftp-enable: true default: false
-----------------------------------------------
sensor(config-sig-app)#
Step 6 Exit signature definition submode.
sensor(config-sig-app)# exit
sensor(config-sig)# exit
Apply Changes:?[yes]:
Step 7 Press Enter to apply the changes or enter no to discard them.
Table 7-1 Request Method Signatures (continued)
Signature ID   Define Request Method
12704          REVLABEL
12705          REVLOG
12706          REVADD
12707          REVNUM
12708          SETATTRIBUTE
12709          GETATTRIBUTENAME
12710          GETPROPERTIES
12711          STARTENV
12712          STOPREV
For More
Table 7-2 Define Content Type Signatures (continued)
Signature ID   Signature Description
12627 0        Content Type image/x-portable-graymap Header Check
12627 1        Content Type image/x-portable-graymap Invalid Message Length
12627 2        Content Type image/x-portable-graymap Verification Failed
12628 0        Content Type image/jpeg Header Check
12628 1        Content Type image/jpeg Invalid Message Length
12628 2        Content Type image/jpeg Verification Failed
12629 0
12629
Table 7-2 Define Content Type Signatures (continued)
Signature ID   Signature Description
12646 0        Content Type text/xml Header Check
12646 1        Content Type text/xml Invalid Message Length
12646 2        Content Type text/xml Verification Failed
12648 0        Content Type video/flc Header Check
12648 1        Content Type video/flc Invalid Message Length
12648 2        Content Type video/flc Verification Failed
12649 0        Content Type video/mpeg Header Check
12649 1        Cont
12649 2
Table 7-2 Define Content Type Signatures (continued)
Signature ID   Signature Description
12664 0        Content Type application/x-gzip Header Check
12664 1        Content Type application/x-gzip Invalid Message Length
12664 2        Content Type application/x-gzip Verification Failed
12665 0        Content Type application/x-java-archive Header Check
12665 1        Content Type application/x-java-archive Invalid Message Length
12666 0        Content Type application/x-java-vm
12666 1
For More Information
For the procedure for enabling signatures, see Configuring the Status of Signatures, page 7-13.
AIC FTP Commands Signatures
Table 7-4 lists the predefined FTP commands signatures. Enable the signatures that have the predefined FTP command you need.
Table 7-4 FTP Commands Signatures (continued)
Signature ID   FTP Command
12930          Define FTP command stru
12931          Define FTP command syst
12932          Define FTP command type
12933          Define FTP command user
For More Information
For the procedure for enabling signatures, see Configuring the Status of Signatures, page 7-13.
Creating an AIC Signature
Caution A custom signature can affect the performance of your sensor.
– modify-packet-inline—Modifies packet data to remove ambiguity about what the end point might do with the packet.
• no—Removes an entry or selection setting.
• signature-type—Specifies the type of signature desired:
– content-types—Content-types.
– define-web-traffic-policy—Defines web traffic policy.
– max-outstanding-requests-overrun—Inspects for large number of outstanding HTTP requests.
– msg-body-pattern—Message body pattern.
Step 8 Press Enter to apply the changes or enter no to discard them.
Configuring IP Fragment Reassembly
This section describes IP fragment reassembly, lists the IP fragment reassembly signatures with the configurable parameters, describes how to configure these parameters, and how to configure the method for IP fragment reassembly.
Table 7-5 IP Fragment Reassembly Signatures (continued)
Signature ID and Name: 1204 IP Fragment Missing Initial Fragment
Description: Fires when the datagram is incomplete and missing the initial fragment.
Configuring IP Fragment Reassembly Parameters
To configure IP fragment reassembly parameters for a specific signature, follow these steps:
Step 1 Log in to the CLI using an account with administrator or operator privileges.
Step 2 Enter signature definition submode.
sensor# configure terminal
sensor(config)# service signature-definition sig1
Step 3 Specify the IP fragment reassembly signature ID and subsignature ID.
– solaris—Specifies the Solaris systems.
– linux—Specifies the GNU/Linux systems.
– bsd—Specifies the BSD UNIX systems.
Configuring the IP Fragment Reassembly Method
To configure the method for IP fragment reassembly, follow these steps:
Step 1 Log in to the CLI using an account with administrator or operator privileges.
Step 2 Enter fragment reassembly submode.
sensor from creating alerts where a valid TCP session has not been established. There are known attacks against sensors that try to get the sensor to generate alerts by simply replaying pieces of an attack. The TCP session reassembly feature helps to mitigate these types of attacks against the sensor. You configure TCP stream reassembly parameters per signature. You can configure the mode for TCP stream reassembly.
Table 7-6 TCP Stream Reassembly Signatures (continued)
Signature ID and Name: 1306 0 TCP Option Other
Description: Fires when a TCP option in the range of TCP Option Number is seen. All 1306 signatures fire an alert and do not function in promiscuous mode.
Signature ID and Name: 1306 1 TCP SACK Allowed Option
Parameter With Default Value and Range: TCP Idle Timeout 3600
Description: Fires when a TCP selective ACK allowed option is seen.
Signature ID and Name: 1309 TCP Reserved Flags Set
Parameter With Default Value and Range: TCP Idle Timeout 3600
Default Actions: Modify Packet Inline, Produce Alert [18]
Description: Fires when the reserved bits (including bits used for ECN) are set on the TCP header.
Signature ID and Name: 1330 7 TCP Drop - Bad WinScale Option Value
Description: Fires when a TCP packet has a bad window scale value. Modify Packet Inline sets the value to the closest constraint value.
2. Modify Packet Inline, Deny Connection Inline, and Deny Packet Inline have no effect on this signature.
3. The timer starts with the first SYN packet and is not reset. State for the session is reset and any subsequent packets for this flow appear to be out of order (unless it is a SYN).
4. Modify Packet Inline, Deny Connection Inline, and Deny Packet Inline have no effect on this signature.
5.
sensor# configure terminal
sensor(config)# service signature-definition sig1
Step 3 Specify the TCP stream reassembly signature ID and subsignature ID.
sensor(config-sig)# signatures 1313 0
Step 4 Specify the engine.
sensor(config-sig-sig)# engine normalizer
Step 5 Enter edit default signatures submode.
The following options apply:
• tcp-3-way-handshake-required {true | false}—Specifies that the sensor should only track sessions for which the 3-way handshake is completed. The default is true.
• tcp-reassembly-mode—Specifies the mode the sensor should use to reassemble TCP sessions:
– strict—Only allows the next expected segment in the sequence (default).
– loose—Allows gaps in the sequence.
– asym—Allows asymmetric traffic to be reassembled.
Configuring IP Logging
You can configure a sensor to generate an IP session log when the sensor detects an attack. When IP logging is configured as a response action for a signature and the signature is triggered, all packets to and from the source address of the alert are logged for a specified period of time.
Note IP logging allows a maximum of 20 concurrent IP log files.
sensor(config-sig-ip)#
Step 5 Exit signature definition submode.
sensor(config-sig-ip)# exit
sensor(config-sig)# exit
Apply Changes:?[yes]:
Step 6 Press Enter to apply the changes or enter no to discard them.
Creating Custom Signatures
Example String TCP Engine Signature
The String engine is a generic pattern-matching inspection engine for the ICMP, TCP, and UDP protocols. The String engine uses a regular expression engine that can combine multiple patterns into a single pattern-matching table, allowing for a single search through the data. There are three String engines: String ICMP, String TCP, and String UDP.
• no—Removes an entry or selection setting.
• regex-string—Specifies a regular expression to search for in a single TCP packet.
• service-ports—Specifies the ports or port ranges where the target service may reside. The valid range is 0 to 65535. It is a comma-separated list of integer ranges a-b[,c-d] within 0 to 65535. The second number in the range must be greater than or equal to the first number.
Step 10 Specify the regex string to search for in the TCP packet. You can change the event actions if needed according to your security policy using the event-action command. The default event action is produce-alert.
Example Service HTTP Engine Signature
The Service HTTP engine is a service-specific string-based pattern-matching inspection engine. HTTP is one of the most commonly used protocols in networks today. It also requires the most preprocessing time and has the largest number of signatures requiring inspection, which makes it critical to the overall performance of the system.
– modify-packet-inline—Modifies packet data to remove ambiguity about what the end point might do with the packet.
• max-field-sizes—Grouping for maximum field sizes:
– specify-max-arg-field-length {yes | no}—(Optional) Enables max-arg-field-length.
– specify-max-header-field-length {yes | no}—(Optional) Enables max-header-field-length.
– specify-max-request-length {yes | no}—(Optional) Enables max-request-length.
sensor(config-sig-sig-ale-fir-yes)# summary-threshold 200
Step 9 Exit alert frequency submode.
sensor(config-sig-sig-ale-fir-yes)# exit
sensor(config-sig-sig-ale-fir)# exit
sensor(config-sig-sig-ale)# exit
Step 10 Configure the signature to apply anti-evasive deobfuscation before searching:
sensor(config-sig-sig)# engine service-http
sensor(config-sig-sig-ser)# de-obfuscate true
Step 11 Configure the Regex parameters.
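Step 10 above turns on deobfuscation before the regex search. The following Python is an added example, not the sensor's implementation, showing why that matters: the same regex-string is run against a set of constructed request URIs both raw and after normalization. The normalization steps (bounded repeated percent-decoding, backslash to slash, dot-segment removal, empty-segment collapsing) are this example's assumptions about what anti-evasive deobfuscation covers, and the URIs and regex are constructed sample data.

```python
"""Effect of 'de-obfuscate true' on a Service HTTP signature: the same
regex-string is run against the request URI raw and after anti-evasive
normalization.

Added example, not the sensor's code. The normalization steps (repeated
percent-decoding to undo double encoding, backslash-to-slash, removal of
'.' and '..' path segments, collapsing of empty segments) are this example's
assumptions about what the engine's deobfuscation covers; the request
URIs and the regex are constructed sample data.
"""
import re
from typing import List
from urllib.parse import unquote

MAX_DECODE_PASSES = 3   # bound the work an attacker can force with nested encoding


def deobfuscate_uri(uri: str) -> str:
    """Normalize an HTTP request URI before pattern matching."""
    decoded, prev = uri, None
    for _ in range(MAX_DECODE_PASSES):
        if decoded == prev:
            break                       # stable: nothing left to decode
        prev, decoded = decoded, unquote(decoded)
    path, sep, query = decoded.partition("?")
    segments: List[str] = []
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue                    # '//' and '/./' add nothing
        if seg == "..":
            if segments:
                segments.pop()          # '/..' steps back, never above the root
            continue
        segments.append(seg)
    return "/" + "/".join(segments) + sep + query


def matches(regex: str, uri: str, de_obfuscate: bool) -> bool:
    """Apply one regex-string the way the signature would, with or without deobfuscation."""
    target = deobfuscate_uri(uri) if de_obfuscate else uri
    return re.search(regex, target) is not None


# Constructed requests that all reach /etc/passwd through a traversal.
SAMPLE_URIS = [
    "/cgi-bin/../../etc/passwd",                    # plain
    "/cgi-bin/..%2f..%2fetc%2fpasswd",              # encoded slashes
    "/cgi-bin/../../%65tc/passwd",                  # encoded letter in the target
    "/cgi-bin/%252e%252e/%252e%252e/etc//passwd",   # double-encoded dots, doubled slash
    "/cgi-bin\\..\\..\\etc\\passwd",                 # backslash separators
]
REGEX = r"etc/passwd"


def misses_without_deobfuscation(regex: str, uris: List[str]) -> List[str]:
    """URIs the signature only catches once de-obfuscate is true."""
    return [u for u in uris if matches(regex, u, True) and not matches(regex, u, False)]


if __name__ == "__main__":
    for u in SAMPLE_URIS:
        print(f"{u:48} raw={matches(REGEX, u, False)!s:5} deobf={matches(REGEX, u, True)}")
```

Only the plain form matches the raw URI; the other four slip past a regex applied to the undecoded bytes and are caught only after normalization, which is the evasion class the de-obfuscate parameter exists for.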
Chapter 7 Defining Signatures Creating Custom Signatures Meta Signature Engine Enhancement The purpose of the Meta engine is to detect a specified payload from an attacker and a corresponding payload from the victim. It is also used to inspect streams at different offsets. The Meta engine supports the AND and OR logical operators. ANDNOT capability has been added to the Meta engine. This clause is a negative clause used to complement the existing positive clause-based signatures.
Chapter 7 Defining Signatures Creating Custom Signatures • all-not-components-required {true | false}—Specifies to use all of the NOT components. • swap-attacker-victim {true | false}—Swaps the attacker and victim addresses and ports (source and destination) in the alert message and in any actions taken. • meta-reset-interval—Specifies the time in seconds to reset the Meta signature. The valid range is 0 to 3600 seconds. The default is 60 seconds.
Chapter 7 Defining Signatures Creating Custom Signatures Creating a Meta Engine Signature To create a signature based on the Meta engine, follow these steps: Step 1 Log in to the CLI using an account with administrator or operator privileges. Step 2 Enter signature definition submode. sensor# configure terminal sensor(config)# service signature-definition sig1 Step 3 Specify a signature ID and a subsignature ID for the signature. Custom signatures are in the range of 60000 to 65000.
component-sig-id: 1000
component-subsig-id: 0 default: 0
component-count: 1 default: 1
is-not-component: false
-----------------------------------------------
NAME: m2
-----------------------------------------------
component-sig-id: 1001
component-subsig-id: 0
component-count: 1
is-not-component: true default: false
-----------------------------------------------

The following example Atomic IP Advanced custom signature prohibits Protocol ID 88 over IPv6. To create a signature based on the Atomic IP Advanced signature engine, follow these steps:
Step 1 Log in to the CLI using an account with administrator or operator privileges.
Step 2 Enter signature definition submode.

For More Information
• For more information about the Atomic IP Advanced engine and a list of the parameters, see Atomic IP Advanced Engine, page B-15.
• For more information on the Atomic engines, see Atomic Engine, page B-14.

Example String XL TCP Engine Match Offset Signature
Caution A custom signature can affect the performance of your sensor.

Step 5 Specify a name for the new signature. You can also add comments about the signature using the sig-comment command, or additional information about the signature using the sig-string-info command.
sensor(config-sig-sig-sig)# sig-name This is my new name
Step 6 Exit signature description submode.
sensor(config-sig-sig-sig)# exit
Step 7 Specify the String XL TCP engine.

Step 16 Specify a minimum match offset for this signature.
sensor(config-sig-sig-str-no-yes)# exit
sensor(config-sig-sig-str-no)# specify-min-match-offset yes
sensor(config-sig-sig-str-no-yes)# min-match-offset 20
Step 17 Verify the settings.

Step 18 Exit signature definition submode.
sensor(config-sig-sig-str)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes:?[yes]:
Step 19 Press Enter to apply the changes or enter no to discard them.
For More Information
For detailed information about the String XL signature engine, see String XL Engines, page B-65.

To create a custom signature based on the String XL TCP engine that searches for a minimum match length with stingy, dot all, and UTF-8 turned on, follow these steps:
Step 1 Log in to the CLI using an account with administrator or operator privileges.
Step 2 Enter signature definition submode.
sensor# configure terminal
sensor(config)# service signature-definition sig1
Step 3 Specify a signature ID and subsignature ID for the signature.

sensor(config-sig-sig-str-no-yes)# exit
sensor(config-sig-sig-str-no)# stingy true
Step 14 Verify the settings:
sensor(config-sig-sig-str-no)# show settings
no
-----------------------------------------------
regex-string: ht+p[\r\].
Chapter 8 Configuring Event Action Rules
This chapter explains how to add event action rules policies and how to configure event action rules.

• You cannot delete the event action override for deny-packet-inline because it is protected. If you do not want to use that override, set the override-item-status to disabled for that entry.
• Passive OS fingerprinting is enabled by default, and the IPS contains a default vulnerable OS list for each signature.

Understanding Security Policies
You can create multiple security policies and apply them to individual virtual sensors.

Signature Event Action Processor
The Signature Event Action Processor coordinates the data flow from the signature event in the Alarm Channel through the Signature Event Action Override, the Signature Event Action Filter, and the Signature Event Action Handler.

Figure 8-1 Signature Event Through Signature Event Action Processor
[Figure: a signature event enters the Signature Event Action Processor; the signature event action override adds actions based on the risk rating (RR); the signature event action filter subtracts actions based on signature, address, port, RR, and so on; the result is a consumed signature event with its configured actions and event count.]

Note There are other event actions that force a produce-alert. These actions use produce-alert as the vehicle for performing the action, so even if produce-alert is not selected or is filtered, the alert is still produced. The actions are: produce-verbose-alert, request-snmp-trap, log-attacker-packets, log-victim-packets, and log-pair-packets.

Note You cannot use modify-packet-inline as an action when adding event action filters or overrides.

Other Actions
• request-block-connection—Sends a request to ARC to block this connection. You must have blocking devices configured to implement this action.
Note Connection blocks and network blocks are not supported on adaptive security appliances. Adaptive security appliances only support host blocks with additional connection information.

When a deny-connection-inline occurs, the IPS also automatically sends a TCP one-way reset, which shows up as a TCP one-way reset sent in the alert. When the IPS denies the connection, it leaves an open connection on both the client (generally the attacker) and the server (generally the victim). Too many open connections can result in resource problems on the victim.

3. Create overrides to add actions based on the risk rating value. Assign a risk rating to each event action type.
4. Create filters. Assign filters to subtract actions based on the signature ID, IP addresses, and risk rating.
5. Create OS mappings. OS mappings are used for the attack relevance rating in the calculation of the risk rating for an alert.
6. Configure the general settings.
f. Configure the event action rules OS identification settings.
Step 5 Display a list of event action rules policies on the sensor:
sensor# list event-action-rules-configurations
Event Action Rules   Instance Size   Virtual Sensor
rules0               255             vs0
temp                 707             N/A
MyRules              255             N/A
rules1               141             vs1
sensor#
Step 6 Delete an event action rules policy.

Understanding Event Action Variables
Note Global correlation inspection and the reputation filtering deny features do not support IPv6 addresses. For global correlation inspection, the sensor does not receive or process reputation data for IPv6 addresses, and the risk rating for IPv6 addresses is not modified by global correlation inspection. Similarly, network participation does not include event data for attacks from IPv6 addresses.

Timesaver If you have an IP address space that applies to your engineering group, there are no Windows systems in that group, and you are not worried about Windows-based attacks against that group, you could set up a variable for the IP address space of the engineering group. You could then use this variable to configure a filter that ignores all Windows-based attacks for this group.

sensor(config-eve)# variables variable-ipv6 ipv6-address 2001:0db8:3c4d:0015:0000:0000:abcd:ef12
Step 5 Verify that you added the event action rules variable.

Configuring Target Value Ratings
This section describes what the risk rating is and how to use it to configure target value ratings.

• Target value rating (TVR)—A weight associated with the perceived value of the target. The target value rating is a user-configurable value (zero, low, medium, high, or mission critical) that identifies the importance of a network asset (through its IP address). You can develop a security policy that is more stringent for valuable corporate resources and looser for less important resources.

Adding, Editing, and Deleting Target Value Ratings
Note Global correlation inspection and the reputation filtering deny features do not support IPv6 addresses. For global correlation inspection, the sensor does not receive or process reputation data for IPv6 addresses, and the risk rating for IPv6 addresses is not modified by global correlation inspection.

• ipv6-target-address ip_address—Specifies the range set of IPv6 addresses in the following form: -[,]

Adding, Editing, and Deleting Target Value Ratings
To add, edit, and delete target value ratings for your network assets, follow these steps:
Ste
ipv6-target-value (min: 0, max: 5, current: 0)
-----------------------------------------------
Step 10 Exit event action rules submode.
sensor(config-rul)# exit
Apply Changes:?[yes]:
Step 11 Press Enter to apply your changes or enter no to discard them.

The following options apply:
• no overrides—Removes an entry or selection setting.
• override-item-status {enabled | disabled}—Enables or disables the use of this override item. The default is enabled.
• risk-rating-range—Specifies the range of risk rating values for this override item. The default is 0 to 100.
• show—Displays system settings and/or history information.

• Log packets from both the attacker and victim IP addresses.
sensor(config-eve)# overrides log-pair-packets
sensor(config-eve-ove)#
• Write an alert to the Event Store.
sensor(config-eve)# overrides produce-alert
sensor(config-eve-ove)#
• Write verbose alerts to the Event Store.
sensor(config-eve)# overrides produce-verbose-alert
sensor(config-eve-ove)#
• Write events that request an SNMP trap to the Event Store.

action-to-add: deny-attacker-inline
-----------------------------------------------
override-item-status: Enabled
risk-rating-range: 95 default: 0-100
-----------------------------------------------
override-item-status: Enabled
risk-rating-range: 90-100
-----------------------------------------------
Step 11 Exit event action rules submode.

Caution Event action filters based on source and destination IP addresses do not function for the Sweep engine, because sweep signatures are not filtered like regular signatures. To filter source and destination IP addresses in sweep alerts, use the source and destination IP address filter parameters in the Sweep engine signatures.

• ipv6-attacker-address-range—Specifies the range set of IPv6 attacker address(es) for this item (for example, -[,]).
Note The second IPv6 address in the range must be greater than or equal to the first IPv6 address.

Configuring Event Action Filters
To configure event action filters, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter event action rules submode.
sensor# configure terminal
sensor(config)# service event-action-rules rules1
sensor(config-eve)#
Step 3 Create the filter name. Use name1, name2, and so forth to name your event action filters.

l. Add any comments you want to use to explain this filter.
sensor(config-eve-fil)# user-comment NEW FILTER
Step 5 Verify the settings for the filter.
sensor(config-eve-fil)# show settings
NAME: name1
-----------------------------------------------
signature-id-range: 1000-10005 default: 900-65535
subsignature-id-range: 1-5 default: 0-255
attacker-address-range: 192.0.2.3-192.0.2.26 default: 0.0.0.0-255.255.255.

NAME: name1
-----------------------------------------------
signature-id-range: 900-65535
subsignature-id-range: 0-255
attacker-address-range: 0.0.0.0-255.255.255.255
victim-address-range: 0.0.0.0-255.255.255.

Step 12 Exit event action rules submode.
sensor(config-eve)# exit
Apply Changes:?[yes]:
Step 13 Press Enter to apply your changes or enter no to discard them.
For More Information
For the procedure for configuring event action variables, see Adding, Editing, and Deleting Event Action Variables, page 8-11.
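The override-then-filter flow this chapter describes (overrides add actions by risk rating, filters subtract them by signature ID, addresses and risk rating, and the alert-forcing actions listed in the Note above still produce an alert even when produce-alert is filtered), as an added Python model that is not Cisco IPS code. The Override, Filter and SigEvent classes, the actions_to_remove field name and the sample policy values (taken from the show settings output above) are constructed for this illustration.

```python
"""Model of the Signature Event Action Processor flow: overrides add actions
based on risk rating, filters subtract actions, and a few actions force
produce-alert. Added example, not Cisco IPS code; the data model and the
sample policy below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address

# Actions that use produce-alert as their vehicle: if one of them survives
# filtering, the alert is produced even when produce-alert itself was removed.
ALERT_FORCING_ACTIONS = frozenset({
    "produce-verbose-alert", "request-snmp-trap", "log-attacker-packets",
    "log-victim-packets", "log-pair-packets"})

# Not usable as an action in filters or overrides (see the Note above).
DISALLOWED_IN_RULES = frozenset({"modify-packet-inline"})


@dataclass
class Override:
    action_to_add: str
    risk_rating_range: tuple = (0, 100)      # CLI default is 0-100
    override_item_status: str = "enabled"


@dataclass
class Filter:
    name: str
    actions_to_remove: frozenset              # assumed field name (not shown on this page)
    signature_id_range: tuple = (900, 65535)
    subsignature_id_range: tuple = (0, 255)
    attacker_address_range: tuple = ("0.0.0.0", "255.255.255.255")
    victim_address_range: tuple = ("0.0.0.0", "255.255.255.255")
    risk_rating_range: tuple = (0, 100)
    filter_item_status: str = "enabled"


@dataclass
class SigEvent:
    sig_id: int
    subsig_id: int
    attacker: str
    victim: str
    risk_rating: int
    actions: frozenset        # actions configured on the signature itself


def _in_range(value, rng):
    return rng[0] <= value <= rng[1]


def _ip_in_range(ip, rng):
    return ip_address(rng[0]) <= ip_address(ip) <= ip_address(rng[1])


def validate_action(action):
    """Reject actions the CLI does not accept in filters or overrides."""
    if action in DISALLOWED_IN_RULES:
        raise ValueError(f"{action} cannot be used in filters or overrides")
    return action


def apply_overrides(ev, overrides, global_overrides_status="enabled"):
    """Add each enabled override's action when the event RR is in its range."""
    actions = set(ev.actions)
    if global_overrides_status != "enabled":
        return actions
    for o in overrides:
        if (o.override_item_status == "enabled"
                and _in_range(ev.risk_rating, o.risk_rating_range)):
            actions.add(validate_action(o.action_to_add))
    return actions


def filter_matches(f, ev):
    """A filter applies only when every one of its criteria matches the event."""
    return (_in_range(ev.sig_id, f.signature_id_range)
            and _in_range(ev.subsig_id, f.subsignature_id_range)
            and _ip_in_range(ev.attacker, f.attacker_address_range)
            and _ip_in_range(ev.victim, f.victim_address_range)
            and _in_range(ev.risk_rating, f.risk_rating_range))


def apply_filters(ev, actions, filters, global_filters_status="enabled"):
    """Subtract the actions named by matching filters, then put produce-alert
    back if any alert-forcing action survived."""
    actions = set(actions)
    if global_filters_status == "enabled":
        for f in filters:
            if f.filter_item_status == "enabled" and filter_matches(f, ev):
                actions -= {validate_action(a) for a in f.actions_to_remove}
    if actions & ALERT_FORCING_ACTIONS:
        actions.add("produce-alert")
    return actions


def process_event(ev, overrides, filters, overrides_status="enabled",
                  filters_status="enabled"):
    """Override stage, then filter stage, in the order of Figure 8-1."""
    added = apply_overrides(ev, overrides, overrides_status)
    return apply_filters(ev, added, filters, filters_status)


def sample_policy():
    """Constructed policy using the values from the show settings output above:
    one deny-attacker-inline override for RR 90-100 and the filter name1."""
    overrides = [Override("deny-attacker-inline", (90, 100))]
    filters = [Filter("name1", frozenset({"produce-alert"}),
                      signature_id_range=(1000, 10005),
                      subsignature_id_range=(1, 5),
                      attacker_address_range=("192.0.2.3", "192.0.2.26"))]
    return overrides, filters
```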
There are three sources of OS information. The sensor ranks the sources of OS information in the following order:
1. Configured OS maps—OS maps you enter. Configured OS maps reside in the event action rules policy and can apply to one or many virtual sensors.
2. Imported OS maps—OS maps imported from an external data source. Imported OS maps are global and apply to all virtual sensors.
3.

Adding, Editing, Deleting, and Moving Configured OS Maps
Use the os-identifications command in service event action rules submode to configure OS host mappings, which take precedence over learned OS mappings. You can add, edit, and delete configured OS maps.

– hp-ux—Variants of HP-UX
– irix—Variants of IRIX
– linux—Variants of Linux
– solaris—Variants of Solaris
– windows—Variants of Microsoft Windows
– windows-nt-2k-xp—Variants of Windows NT, 2000, and XP
– win-nt—Specific variants of Windows NT
– unknown—Unknown OS
• default—Sets the value back to the system default setting.
• no—Removes an entry or selection setting.

Step 6 Specify the attack relevance rating range for the IP address.
sensor(config-eve-os-con)# exit
sensor(config-eve-os)# calc-arr-for-ip-range 192.0.2.1 to 192.0.2.25
Step 7 Enable passive OS fingerprinting.
sensor(config-eve-os)# passive-traffic-analysis enabled
Step 8 Edit an existing OS map.
sensor(config-eve-os)# configured-os-map edit name1
sensor(config-eve-os-con)#
Step 9 Edit the parameters (see Steps 4 through 7).

-----------------------------------------------
INACTIVE list-contents
-----------------------------------------------
NAME: name1
-----------------------------------------------
ip: 192.0.2.0-192.0.2.

The following options apply:
• virtual-sensor—(Optional) Specifies the virtual sensor whose learned addresses should be displayed or cleared.
• ip-address—(Optional) Specifies the IP address to query or clear. The sensor displays or clears the OS ID mapped to the specified IP address.

• Configuring the General Settings, page 8-34

Understanding Event Action Summarization
Summarization decreases the volume of alerts sent out from the sensor by aggregating events into a single alert. Special parameters are specified for each signature, and they influence the handling of the alerts. Each signature is created with defaults that reflect a preferred normal behavior.
Configuring the General Settings
Use the following commands in service event action rules submode to configure general event action rules settings:
• global-block-timeout—Specifies the number of minutes to block a host or connection. The valid range is 0 to 10000000. The default is 30 minutes.
• global-deny-timeout—Specifies the number of seconds to deny attackers inline. The valid range is 0 to 518400. The default is 3600.

Step 8 Enable or disable any overrides that you have set up. The default is enabled.
sensor(config-eve-gen)# global-overrides-status {enabled | disabled}
Step 9 Enable or disable any filters that you have set up. The default is enabled.
sensor(config-eve-gen)# global-filters-status {enabled | disabled}
Step 10 Verify the settings for general submode.

Adding Entries to the Denied Attacker List
To add a deny attacker entry to the list of denied attackers, follow these steps:
Step 1 Log in to the CLI using an account with administrator or operator privileges.
Step 2 Add a deny attacker entry with an IP address of 192.0.2.0.
sensor# deny attacker ip-address 192.0.2.0
Warning: Executing this command will add deny attacker address on all virtual sensors.

Displaying and Deleting Denied Attackers
To display the list of denied attackers, delete the list, and clear the statistics, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Display the list of denied IP addresses. The statistics show that there are two IP addresses being denied at this time.

Name of current Event-Action-Rules instance = rules0
List of interfaces monitored by this virtual sensor = mypair
Denied Address Information
Number of Active Denied Attackers = 0
Number of Denied Attackers Inserted = 2
Number of Denied Attackers Total Hits = 287
Number of times max-denied-attackers limited creation of new entry = 0
Number of exec Clear commands during uptime = 1
Denied Attackers and hit count for each.

Use the show events [{alert [informational] [low] [medium] [high] [include-traits traits] [exclude-traits traits] [min-threat-rating min-rr] [max-threat-rating max-rr] | error [warning] [error] [fatal] | NAC | status}] [hh:mm:ss [month day [year]] | past hh:mm:ss] command to display events from the Event Store. Events are displayed beginning at the start time. If you do not specify a start time, events are displayed beginning at the current time.

evError: eventId=1041472274774840148 severity=error vendor=Cisco
  originator:
    hostId: sensor2
    appName: cidwebserver
    appInstanceId: 351
  time: 2011/01/07 04:41:45 2011/01/07 04:41:45 UTC
  errorMessage: name=errTransport WebSession::sessionTask(6) TLS connection exception: handshake incomplete.
Step 3 Display the block requests beginning at 10:00 a.m. on February 9, 2011.

evIdsAlert: eventId=1109695939102805308 severity=medium vendor=Cisco
  originator:
--MORE--
Step 6 Display events that began 30 seconds in the past.
sensor# show events past 00:00:30
evStatus: eventId=1041526834774829055 vendor=Cisco
  originator:
    hostId: sensor
    appName: mainApp
    appInstanceId: 2215
  time: 2011/01/08 02:41:00 2011/01/08 02:41:00 UTC
  controlTransaction: command=getVersion successful=true
    description: Control transaction response.
Chapter 9 Configuring Anomaly Detection
This chapter describes anomaly detection (AD) and its features and how to configure them.

connections, that is, as scanners, and sends alerts for all traffic flows. Using asymmetric mode protection with anomaly detection enabled causes excessive resource usage and possible false positives for anomaly detection signatures.

Understanding Security Policies
You can create multiple security policies and apply them to individual virtual sensors.

Anomaly detection identifies worm-infected hosts by their behavior as scanners. To spread, a worm must find new hosts. It finds them by scanning the Internet or the network using TCP, UDP, and other protocols, generating unsuccessful attempts to access different destination IP addresses. A scanner is defined as a source IP address that generates events on the same destination port (in TCP and UDP) for too many destination IP addresses.

• Detect mode—For ongoing operation, the sensor should remain in detect mode, 24 hours a day, 7 days a week. Once a KB is created and replaces the initial KB, anomaly detection detects attacks based on it. It looks at the network traffic flows that violate thresholds in the KB and sends alerts.

Anomaly Detection Configuration Sequence
You can configure the detection part of anomaly detection. You can configure a set of thresholds that override the thresholds learned in the KB. However, anomaly detection continues learning regardless of how you configure the detection. You can also import, export, and load a KB, and you can view a KB for data. Follow this sequence when configuring anomaly detection:
1.

• For more information on configuring anomaly detection signatures, see Anomaly Detection Signatures, page 9-6.
• For more information on Deny Attacker event actions, see Event Actions, page 8-4.

Anomaly Detection Signatures
The Traffic Anomaly engine contains nine anomaly detection signatures covering three protocols (TCP, UDP, and other).

Table 9-1 Anomaly Detection Worm Signatures (continued)
Signature ID | Subsignature ID | Name | Description
13002 | 1 | Internal Other Scanner | Identified a worm attack over an Other protocol in the internal zone; the Other histogram threshold was crossed and a scanner over an Other protocol was identified.
13003 | 0 | External TCP Scanner | Identified a single scanner over a TCP protocol in the external zone.

Table 9-1 Anomaly Detection Worm Signatures (continued)
Signature ID | Subsignature ID | Name | Description
13008 | 0 | Illegal Other Scanner | Identified a single scanner over an Other protocol in the illegal zone.
13008 | 1 | Illegal Other Scanner | Identified a worm attack over an Other protocol in the illegal zone; the Other histogram threshold was crossed and a scanner over an Other protocol was identified.
edit the values of the new policy as needed. Use the list anomaly-detection-configurations command in privileged EXEC mode to list the anomaly detection policies. Use the no service anomaly-detection name command in global configuration mode to delete an anomaly detection policy. Use the default service anomaly-detection name command in global configuration mode to reset the anomaly detection policy to factory settings.

Step 7 Verify that the anomaly detection instance has been deleted.
sensor# list anomaly-detection-configurations
Anomaly Detection   Instance Size   Virtual Sensor
ad0                 204             vs0
ad1                 141             N/A
sensor#
Step 8 Reset an anomaly detection policy to factory settings.

Configuring Anomaly Detection Operational Settings
To specify anomaly detection operational settings, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter anomaly detection submode.
sensor# configure terminal
sensor(config)# service anomaly-detection ad1
Step 3 Specify the worm timeout.
sensor(config-ano)# worm-timeout 800
Step 4 Verify the setting.

Understanding the Internal Zone
The internal zone should represent your internal network. It should receive all the traffic that comes to your IP address range. If the zone is disabled, packets to this zone are ignored. By default the zone is enabled. You then add the IP addresses that belong to this zone. If you do not configure IP addresses for all zones, all packets are sent to the default zone, the external zone.

Step 7 Configure the other protocols.
For More Information
• For the procedure for configuring TCP protocol, see Configuring TCP Protocol for the Internal Zone, page 9-13.
• For the procedure for configuring UDP protocol, see Configuring UDP Protocol for the Internal Zone, page 9-15.
• For the procedure for configuring other protocols, see Configuring Other Protocols for the Internal Zone, page 9-18.

sensor(config-ano-int-tcp-dst)#
Step 5 Enable the service for that port.
sensor(config-ano-int-tcp-dst)# enabled true
Step 6 Override the scanner values for that port. You can use the default scanner values, or you can override them and configure your own scanner values.
sensor(config-ano-int-tcp-dst)# override-scanner-settings yes
sensor(config-ano-int-tcp-dst-yes)#
Step 7 Add a histogram for the new scanner settings.

-----------------------------------------------
override-scanner-settings
-----------------------------------------------
no
-----------------------------------------------
-----------------------------------------------
enabled: true
-----------------------------------------------
number: 567
-----------------------------------------------
override-scanner-settings
-----------------------------------------------

• override-scanner-settings {yes | no}—Lets you override the scanner values:
– threshold-histogram {low | medium | high} num-source-ips number—Sets values in the threshold histogram.
– scanner-threshold—Sets the scanner threshold. The default is 200.

Configuring the Internal Zone UDP Protocol
To configure UDP protocol for a zone, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.

-----------------------------------------------
override-scanner-settings
-----------------------------------------------
yes
-----------------------------------------------
scanner-threshold: 100 default: 200
threshold-histogram (min: 0, max: 3, current: 1)
-----------------------------------------------
dest-ip-bin: low
num-source-ips: 100
-----------------------------------------------

sensor(config-ano-int-udp)#

Configuring Other Protocols for the Internal Zone
Use the other {enabled | protocol number | default-thresholds} command in service anomaly detection internal zone submode to enable and configure the other services. The following options apply:
• enabled {false | true}—Enables or disables other protocols.

Step 7 Add a histogram for the new scanner settings. Enter the number of destination IP addresses (low, medium, or high) and the number of source IP addresses you want associated with this histogram.
sensor(config-ano-int-oth-pro-yes)# threshold-histogram high num-source-ips 75
Step 8 Set the scanner threshold.
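The scanner definition given earlier in this chapter (a source IP that reaches too many destination IPs on one destination port) together with the scanner-threshold and threshold-histogram settings configured in the steps above, as an added Python example that is not Cisco IPS code. The number of destination IPs that places a source in each dest-ip-bin (5, 20, 100) is an assumption, since this page names the bins but not their counts, and the sample flows are constructed.

```python
"""Scanner and threshold-histogram logic as this chapter describes it.
Added example, not Cisco IPS code: the destination count per histogram bin
and the sample flows are assumptions constructed for illustration."""
from collections import defaultdict

# Assumed number of distinct destination IPs that places a source in each
# dest-ip-bin (the page names the bins low/medium/high but not the counts).
DEST_IP_BINS = {"low": 5, "medium": 20, "high": 100}


def distinct_destinations(flows):
    """Map (protocol, dst_port, src_ip) -> set of destination IPs contacted.
    A flow is a (protocol, src_ip, dst_ip, dst_port) tuple; for 'other'
    protocols the last field is the protocol number."""
    dests = defaultdict(set)
    for proto, src, dst, port in flows:
        dests[(proto, port, src)].add(dst)
    return dests


def find_scanners(flows, scanner_threshold=200):
    """Sources that contacted more than scanner-threshold distinct destination
    IPs on a single destination port (the CLI default scanner-threshold is 200)."""
    return sorted(key for key, d in distinct_destinations(flows).items()
                  if len(d) > scanner_threshold)


def histogram(flows, proto, port):
    """For each bin, the number of source IPs that reached at least that many
    destinations on proto/port, which is what the KB learns per port."""
    counts = [len(d) for (p, pt, _), d in distinct_destinations(flows).items()
              if p == proto and pt == port]
    return {b: sum(1 for c in counts if c >= n) for b, n in DEST_IP_BINS.items()}


def worm_detected(flows, proto, port, threshold_histogram):
    """threshold_histogram maps dest-ip-bin -> num-source-ips, as set with
    'threshold-histogram <bin> num-source-ips <n>'. The threshold is crossed
    when more sources than configured fall into a bin (comparison assumed)."""
    h = histogram(flows, proto, port)
    return any(h[b] > n for b, n in threshold_histogram.items())


def sample_flows():
    """Constructed traffic: one source sweeping 250 hosts on tcp/445, twelve
    sources touching six hosts each on tcp/445, and one normal DNS client."""
    flows = [("tcp", "192.0.2.1", f"10.1.{i // 256}.{i % 256}", 445)
             for i in range(250)]
    for s in range(12):
        flows += [("tcp", f"192.0.2.{100 + s}", f"10.2.0.{d}", 445)
                  for d in range(6)]
    flows += [("udp", "192.0.2.200", f"10.3.0.{d}", 53) for d in range(3)]
    return flows


if __name__ == "__main__":
    f = sample_flows()
    print("scanners:", find_scanners(f))
    print("tcp/445 histogram:", histogram(f, "tcp", 445))
    # num-source-ips values as in the show settings output: low 10, medium 1, high 1
    print("worm:", worm_detected(f, "tcp", 445, {"low": 10, "medium": 1, "high": 1}))
```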
Chapter 9 Configuring Anomaly Detection Configuring the Illegal Zone Configuring the Illegal Zone This section describes how to configure the illegal zone, and contains the following topics: • Understanding the Illegal Zone, page 9-20 • Configuring the Illegal Zone, page 9-20 • Configuring TCP Protocol for the Illegal Zone, page 9-21 • Configuring UDP Protocol for the Illegal Zone, page 9-24 • Configuring Other Protocols for the Illegal Zone, page 9-26 Understanding the Illegal Zone The illegal
Chapter 9 Configuring Anomaly Detection Configuring the Illegal Zone sensor(config-ano-ill)# Step 3 Enable the illegal zone. sensor(config-ano-ill)# enabled true Step 4 Configure the IP addresses to be included in the illegal zone. sensor(config-ano-ill)# ip-address-range 192.0.2.72-192.0.2.108 Step 5 Configure TCP protocol. Step 6 Configure UDP protocol. Step 7 Configure the other protocols.
Chapter 9 Configuring Anomaly Detection Configuring the Illegal Zone Configuring the Illegal Zone TCP Protocol To configure TCP protocol for illegal zone, follow these steps: Step 1 Log in to the CLI using an account with administrator privileges. Step 2 Enter anomaly detection illegal zone submode. sensor# configure terminal sensor(config)# service anomaly-detection ad0 sensor(config-ano)# illegal-zone sensor(config-ano-ill)# Step 3 Enable TCP protocol.
Chapter 9 Configuring Anomaly Detection Configuring the Illegal Zone threshold-histogram (min: 0, max: 3, current: 1) ----------------------------------------------dest-ip-bin: low num-source-ips: 100 ------------------------------------------------------------------------------------------------------------------------------------------enabled: true default: true ----------------------------------------------number: 23 ----------------------------------------------override-scanner-settings --------------
Chapter 9 Configuring Anomaly Detection Configuring the Illegal Zone Configuring UDP Protocol for the Illegal Zone Use the udp {enabled | dst-port number | default-thresholds} command in service anomaly detection illegal zone submode to enable and configure the UDP service. The following options apply: • enabled {false | true}—Enables/disables UDP protocol.
Chapter 9 Configuring Anomaly Detection Configuring the Illegal Zone Step 8 Set the scanner threshold. sensor(config-ano-ill-udp-dst-yes)# scanner-threshold 100 Step 9 Configure the default thresholds for all other unspecified ports.
Chapter 9 Configuring Anomaly Detection Configuring the Illegal Zone enabled: true --------------------------------------------------------------------------------------------default-thresholds ----------------------------------------------scanner-threshold: 120 default: 200 threshold-histogram (min: 0, max: 3, current: 3) ---------------------------------------------- dest-ip-bin: low num-source-ips: 10 dest-ip-bin: medium num-source
sensor(config-ano)# illegal-zone
sensor(config-ano-ill)#
Step 3 Enable the other protocols.
sensor(config-ano-ill)# other
sensor(config-ano-ill-oth)# enabled true
Step 4 Associate a specific number for the other protocols.
sensor(config-ano-ill-oth)# protocol-number 5
sensor(config-ano-ill-oth-pro)#
Step 5 Enable the service for that port.
-----------------------------------------------
scanner-threshold: 200
threshold-histogram (min: 0, max: 3, current: 3)
-----------------------------------------------
dest-ip-bin: low
num-source-ips: 10
dest-ip-bin: medium
num-source-ips: 1
dest-ip-bin: high
num-source-ips: 1
-----------------------------------------------
• other—Lets you configure other protocols besides TCP and UDP.

Configuring the External Zone

To configure the external zone, follow these steps:

Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter anomaly detection external zone submode.
– scanner-threshold—Sets the scanner threshold. The default is 200.

Configuring the External Zone TCP Protocol

To configure the TCP protocol for the external zone, follow these steps:

Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter anomaly detection external zone submode.
yes
-----------------------------------------------
scanner-threshold: 100 default: 200
threshold-histogram (min: 0, max: 3, current: 1)
-----------------------------------------------
dest-ip-bin: low
num-source-ips: 100
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
enabled: true default: true
-----------------------------------------------
number: 23
Configuring UDP Protocol for the External Zone

Use the udp {enabled | dst-port number | default-thresholds} command in service anomaly detection external zone submode to enable and configure the UDP service. The following options apply:
• enabled {false | true}—Enables/disables UDP protocol.
Step 7 Add a histogram for the new scanner settings. Enter the number of destination IP addresses (low, medium, or high) and the number of source IP addresses you want associated with this histogram.
sensor(config-ano-ext-udp-dst-yes)# threshold-histogram low num-source-ips 100
Step 8 Set the scanner threshold.
no
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
enabled: true
-----------------------------------------------
-----------------------------------------------
default-thresholds
-----------------------------------------------
scanner-threshold: 120 default: 200
threshold-histogram (min: 0, max: 3, current: 3)
-----------------------------------------------
Configuring the External Zone Other Protocols

To configure other protocols for a zone, follow these steps:

Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter anomaly detection external zone submode.
sensor# configure terminal
sensor(config)# service anomaly-detection ad0
sensor(config-ano)# external-zone
sensor(config-ano-ext)#
Step 3 Enable the other protocols.
-----------------------------------------------
dest-ip-bin: high
num-source-ips: 75
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
enabled: true default: true
-----------------------------------------------
-----------------------------------------------
default-thresholds
-----------------------------------------------
scanner-threshold: 200
Note Learning accept mode uses the sensor local time.

The scanner threshold defines the maximum number of zone IP addresses that a single source IP address can scan. The histogram threshold defines the maximum number of source IP addresses that can scan more than the specified number of zone IP addresses.
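The two thresholds above are easy to confuse, so here is a small model of how they are evaluated against observed flows. This is an added example, not code from the Cisco IPS guide or the sensor itself: the dest-ip-bin sizes (low, medium, high) and the sample flows are constructed assumptions, and the histogram values mirror the `threshold-histogram low num-source-ips 100` form of the CLI command used earlier in this chapter.

```python
"""Model of the anomaly detection scanner and histogram thresholds.

Added worked example; this is not code from the Cisco IPS guide or the
sensor. It models the two thresholds defined in the text: the scanner
threshold (most zone IPs a single source may scan) and the histogram
threshold (most source IPs allowed to scan more than a bin's number of
zone IPs). The dest-ip-bin sizes and the sample flows are constructed
assumptions for this example.
"""
from collections import defaultdict

# ASSUMPTION: the number of zone destination IPs each histogram bin stands for.
DEST_IP_BINS = {"low": 5, "medium": 20, "high": 100}


def distinct_destinations(flows):
    """Map each source IP to the set of distinct zone IPs it touched."""
    dests = defaultdict(set)
    for src, dst in flows:
        dests[src].add(dst)
    return dests


def scanner_violations(flows, scanner_threshold):
    """Sources that scanned more zone IPs than the scanner threshold allows."""
    dests = distinct_destinations(flows)
    return sorted(src for src, d in dests.items() if len(d) > scanner_threshold)


def histogram_violations(flows, histogram):
    """Bins where more sources scan past the bin's dest-IP count than allowed.

    histogram maps dest-ip-bin -> num-source-ips, mirroring
    'threshold-histogram low num-source-ips 100' on the sensor CLI.
    Returns {bin: number_of_scanning_sources} for each violated bin.
    """
    dests = distinct_destinations(flows)
    violated = {}
    for bin_name, num_source_ips in histogram.items():
        min_dests = DEST_IP_BINS[bin_name]
        scanners = sum(1 for d in dests.values() if len(d) > min_dests)
        if scanners > num_source_ips:
            violated[bin_name] = scanners
    return violated


def sample_flows():
    """Constructed (source, zone destination) pairs; not captured traffic."""
    flows = []
    # twelve hosts that each touch six zone addresses (past the 'low' bin)
    for s in range(12):
        for d in range(6):
            flows.append((f"10.0.0.{s + 1}", f"192.0.2.{d + 1}"))
    # one host that sweeps 150 zone addresses
    for d in range(150):
        flows.append(("10.0.1.99", f"198.51.100.{d + 1}"))
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    print("scanner threshold 120 exceeded by:", scanner_violations(flows, 120))
    print("histogram violations:",
          histogram_violations(flows, {"low": 10, "medium": 3, "high": 1}))
```

With the sample flows, only the sweeping host trips a scanner threshold of 120, while the histogram for the low bin (10 sources allowed past 5 zone IPs) is violated because thirteen sources exceed it; that is the difference between the per-source check and the population-level check.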
Configuring Learning Accept Mode

Use the learning-accept-mode command in service anomaly detection submode to configure whether you want the sensor to create a new KB every so many hours. You can configure whether the KB is created and loaded (rotate) or only saved (save only). You can schedule how often and when the KB is loaded or saved.
Step 3 Specify how the KB is saved and loaded:
a. Specify that the KB is automatically saved and loaded. Go to Step 4.
sensor(config-ano)# learning-accept-mode auto
sensor(config-ano-aut)#
b. Specify that the KB is going to be manually saved and loaded. Go to Step 6.
sensor(config-ano)# learning-accept-mode manual
sensor(config-ano-man)#
Step 4 Specify how you want the KB automatically accepted:
a.
For More Information
For the procedures for saving and loading anomaly detection KBs manually, see Saving and Loading KBs Manually, page 9-41.

Working With KB Files

This section describes how to display, load, save, copy, rename, and delete KB files. It also provides the procedures for comparing two KB files and for displaying the thresholds of a KB file.
2003-Jan-05-10_00_00    84    10:00:00 CDT Sun Jan 05 2003
2003-Jan-06-10_00_00    84    10:00:00 CDT Mon Jan 06 2003
sensor#
Step 3 Display the KB files for a specific virtual sensor.
Note An error is generated if anomaly detection is not active when you enter this command. You cannot overwrite the initial file.

Copying, Renaming, and Erasing KBs

Use these commands in privileged EXEC mode to manually copy, rename, and erase KB files.
Note If you use the HTTPS protocol, the remote host must be a TLS trusted host.

Copying, Renaming, and Removing KB Files

To copy, rename, and remove KB files, follow these steps:

Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Locate the KB file you want to copy.
• For the procedure for adding TLS trusted hosts, see Adding TLS Trusted Hosts, page 3-52.

Displaying the Differences Between Two KBs

Use the show ad-knowledge-base virtual-sensor diff {current | initial | file name1} {current | initial | file name2} [diff-percentage] command in privileged EXEC mode to display the differences between two KBs.
None
Thresholds differ more than 10%
External Zone
None
Illegal Zone
TCP Services
Service = 31
Service = 22
UDP Services
None
Other Protocols
Protocol = 3
Internal Zone
None
sensor#

Displaying the Thresholds for a KB

Use the show ad-knowledge-base virtual-sensor thresholds {current | initial | file name} [zone {external | illegal | internal}] {[protocol {tcp | udp}] [dst-port port] | [protocol other] [number protocol-number]} command in privil
Displaying KB Thresholds

To display the KB thresholds, follow these steps:

Step 1 Log in to the CLI.
Default Scanner Threshold
User Configuration = 200
Threshold Histogram - User Configuration
Low = 10
Medium = 3
High = 1
sensor#
Step 5 Display thresholds contained in the current KB illegal zone, and protocol other.
TCP Protocol
UDP Protocol
Other Protocol
sensor#
Step 3 Display the statistics for all virtual sensors.
sensor(config)# service analysis-engine
sensor(config-ana)#
Step 3 Enter the virtual sensor name that contains the anomaly detection policy you want to disable.
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)#
Step 4 Disable anomaly detection operational mode.
sensor(config-ana-vir)# anomaly-detection
sensor(config-ana-vir-ano)# operational-mode inactive
sensor(config-ana-vir-ano)#
Step 5 Exit analysis engine submode.
Chapter 10 Configuring Global Correlation

This chapter provides information for configuring global correlation.
• Global correlation inspection and the reputation filtering deny features do not support IPv6 addresses. For global correlation inspection, the sensor does not receive or process reputation data for IPv6 addresses. The risk rating for IPv6 addresses is not modified for global correlation inspection. Similarly, network participation does not include event data for attacks from IPv6 addresses.
Table 10-1 shows how we use the data.

Table 10-1 Cisco Network Participation Data Use
Participation Level | Type of Data | Purpose
Partial | Protocol attributes (TCP maximum segment size and options string, for example) | Tracks potential threats and helps us to understand threat exposure.
Partial | Attack type (signature fired and risk rating, for | Used to understand current attacks and attack severity.
Figure 10-1 shows the role of the sensor and the global correlation servers.
• Data gathered from the sensor health metrics
The statistics for network participation show the hits and misses for alerts, the reputation actions, and the counters of packets that have been denied.

Note Network participation requires a network connection to the Internet.
Understanding Reputation and Risk Rating

Risk rating expresses the probability that a network event is malicious as a number. You assign a numerical quantification of the risk associated with a particular event on the network. By default, an alert with an extreme risk rating shuts down traffic.
Global Correlation Requirements

Global correlation has the following requirements:
• Valid license—You must have a valid sensor license for global correlation features to function. You can still configure and display statistics for the global correlation features, but the global correlation databases are cleared and no updates are attempted. Once you install a valid license, the global correlation features are reactivated.
• For information about configuring an HTTP proxy or DNS server to support global correlation, see Configuring the DNS and Proxy Servers for Global Correlation and Automatic Update, page 3-10.

Understanding Global Correlation Sensor Health Metrics

For global correlation, the following metrics are added to sensor health monitoring:
• Green indicates that the last update was successful.
Understanding Global Correlation Inspection and Reputation Filtering

You can configure the sensor to use updates from the SensorBase Network to adjust the risk rating. The client determines which updates are available and applicable to the sensor by communicating with the global correlation update server and a file server, which is a two-phase process.
For More Information
• For the procedure for configuring global correlation features, see Configuring Global Correlation Inspection and Reputation Filtering, page 10-10.
• For the procedure to view sensor health metrics, see Showing Sensor Overall Health Status, page 17-17.
• For information on the CollaborationApp, see CollaborationApp, page A-27.
Step 5 Turn on reputation filtering.
sensor(config-glo)# reputation-filtering on
sensor(config-glo)#
Step 6 Test global correlation data, but do not actually deny traffic.
sensor(config-glo)# test-global-correlation on
sensor(config-glo)#
Step 7 Verify the settings.
Note You must accept the network participation disclaimer to turn on network participation.

Turning on Network Participation

To turn on network participation, follow these steps:

Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter global correlation submode.
sensor# configure terminal
sensor(config)# service global-correlation
sensor(config-glo)#
Step 3 Turn on network participation.
Step 7 Press Enter to apply your changes or enter no to discard them.

For More Information
For more information about participating in the SensorBase Network, see Participating in the SensorBase Network, page 10-2.
– full—All data is contributed to the SensorBase Network.

Disabling Global Correlation

To disable global correlation features, follow these steps:

Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter global correlation submode.
sensor# configure terminal
sensor(config)# service global-correlation
sensor(config-glo)#
Step 3 Turn off global correlation inspection.
Network Participation:
   Counters:
      Total Connection Attempts = 4347
      Total Connection Failures = 155
      Connection Failures Since Last Success = 0
   Connection History:
      Connection Attempt on June 17 2012, at 21:57:19
      Connection Attempt on June 17 2012, at 21:54:18
      Connection Attempt on June 17 2012, at 21:51:17
      Connection Attempt on June 17 2012, at 21:48:17
      Connection Attempt on June 17 2012, at 21:45:16
   Updates:
      Status Of Last Up
Chapter 11 Configuring External Product Interfaces

This chapter explains how to configure external product interfaces.
Understanding the CSA MC

The CSA MC enforces a security policy on network hosts. It has two components:
• Agents that reside on and protect network hosts.
• Management Console (MC)—An application that manages agents. It downloads security policy updates to agents and uploads operational information from agents.
The CSA MC receives host posture information from the CSA agents it manages.
Note You can only enable two CSA MC interfaces.

Caution You must add the CSA MC as a trusted host so the sensor can communicate with it.

For More Information
For the procedure for adding trusted hosts, see Adding TLS Trusted Hosts, page 3-52.
Configuring the CSA MC to Support the IPS Interface

Note For more detailed information about host posture events and quarantined IP address events, refer to Using Management Center for Cisco Security Agents 5.1.

You must configure the CSA MC to send host posture events and quarantined IP address events to the sensor.
The following options apply:
• enabled {yes | no}—Enables/disables the receipt of information from the CSA MC.
• host-posture-settings—Specifies how host postures received from the CSA MC are handled:
– allow-unreachable-postures {yes | no}—Allows postures for hosts that are not reachable by the CSA MC.
sensor(config)# service external-product-interface
Step 3 Add the CSA MC interface.
sensor(config-ext)# cisco-security-agents-mc-settings 209.165.200.225
sensor(config-ext-cis)#
Step 4 Enable receipt of information from the CSA MC.
sensor(config-ext-cis)# enabled yes
Step 5 Change the default port setting.
sensor(config-ext-cis)# port 80
Step 6 Configure the login settings:
a.
Step 9 (Optional) Allow the host posture information from unreachable hosts to be passed from the external product to the sensor.
sensor(config-ext-cis-hos)# allow-unreachable-postures yes

Note A host is not reachable if the CSA MC cannot establish a connection with the host on any of the IP addresses in the host's posture.

Step 10
-----------------------------------------------
NAME: name1
-----------------------------------------------
network-address: 192.0.2.
Chapter 12 Configuring IP Logging

This chapter describes how to configure IP logging on the sensor.
Understanding IP Logging

You can manually configure the sensor to capture all IP traffic associated with a host you specify by IP address. You can specify how long you want the IP traffic to be logged, how many packets you want logged, and how many bytes you want logged. The sensor stops logging IP traffic as soon as the first of these limits is reached. You can also have the sensor log IP packets every time a particular signature is fired.
Configuring Automatic IP Logging

To configure automatic IP logging parameters, follow these steps:

Step 1 Log in to the CLI using an account with administrator or operator privileges.
Step 2 Enter signature definition IP log configuration submode.
• minutes—Specifies the duration the logging should be active. The valid range is 1 to 60 minutes. The default is 10 minutes.
• numPackets—Specifies the maximum number of packets to log. The valid range is 0 to 4294967295. The default is 1000 packets.
• numBytes—Specifies the maximum number of bytes to log. The valid range is 0 to 4294967295. A value of 0 indicates unlimited bytes.
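The three limits interact: whichever of duration, packet count or byte count is reached first ends the log, as the Understanding IP Logging section states. The following model makes that ordering explicit. It is an added example, not sensor code; the defaults (10 minutes, 1000 packets, 0 bytes meaning unlimited) come from the option list above, while treating a packet limit of 0 as unlimited, the `IpLogSession` class, the `run_log` helper and the sample packet lists are assumptions of the example.

```python
"""Model of the manual IP logging limits described above.

Added worked example, not sensor code. A log stops at whichever of the
three limits is reached first: duration (minutes), packet count
(numPackets) or byte count (numBytes). Defaults follow the text:
10 minutes, 1000 packets, 0 bytes = unlimited. Treating 0 packets as
unlimited as well is an assumption of this example.
"""
from dataclasses import dataclass


@dataclass
class IpLogSession:
    """One manual IP log for a host; status moves added -> started -> completed."""
    ip_address: str
    minutes: int = 10          # default duration from the option list
    num_packets: int = 1000    # default packet limit from the option list
    num_bytes: int = 0         # 0 means unlimited bytes
    packets: int = 0
    bytes_logged: int = 0
    status: str = "added"      # status shown by iplog-status when created
    stop_reason: str = ""

    def start(self):
        self.status = "started"

    def log_packet(self, size, elapsed_seconds):
        """Account for one packet; return False once the log has stopped."""
        if self.status != "started":
            return False
        # duration is checked first: a packet after the window is never logged
        if elapsed_seconds >= self.minutes * 60:
            return self._stop("duration")
        self.packets += 1
        self.bytes_logged += size
        if self.num_packets and self.packets >= self.num_packets:
            return self._stop("packets")
        if self.num_bytes and self.bytes_logged >= self.num_bytes:
            return self._stop("bytes")
        return True

    def _stop(self, reason):
        self.status = "completed"   # status shown once the log has stopped
        self.stop_reason = reason
        return False


def run_log(session, packets):
    """Feed (size, elapsed_seconds) pairs; return (stop_reason, packets_logged)."""
    session.start()
    for size, elapsed in packets:
        if not session.log_packet(size, elapsed):
            break
    return session.stop_reason, session.packets


if __name__ == "__main__":
    # constructed traffic: three 1000-byte packets against a 1500-byte cap
    print(run_log(IpLogSession("192.0.2.10", num_bytes=1500),
                  [(1000, 1), (1000, 2), (1000, 3)]))
```

A practical consequence the model shows: with the default byte limit of 0 a log of a busy host is bounded only by the 1000-packet default, so the packet and minute values, not the byte value, decide how much disk the log consumes.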
• To copy and view an IP log file, see Copying IP Log Files to Be Viewed, page 12-7.

Displaying the Contents of IP Logs

Use the iplog-status [log-id log_id] [brief] [reverse] [ | {begin regular_expression | exclude regular_expression | include regular_expression}] command to display the description of the available IP log contents. When the log is created, the status reads added.
Step 3 Display a brief list of all IP logs.
sensor# iplog-status brief
Log ID  VS   IP Address1  Status     Event ID  Start Date
2425    vs0  192.0.2.10   started    N/A       2003/07/30
2342    vs0  192.0.2.20   completed  209348    2003/07/30
sensor#

Stopping Active IP Logs

Use the no iplog [log-id log_id | name name] command to stop logging for the logs that are in the started state and to remove logs that are in the added state.
Step 3 Stop all IP logging sessions on a virtual sensor.
sensor# no iplog name vs0
Step 4 Verify that IP logging has been stopped. When the logs are stopped, the status shows them as completed.
sensor# iplog-status
Log ID: 1
IP Address 1: 192.0.2.
Packets Captured: 1039438
Log ID: 2342
IP Address: 192.0.2.2
Virtual Sensor: vs0
Status: completed
Event ID: 209348
Start Time: 2003/07/30 18:24:18 2002/07/30 12:24:18 CST
End Time: 2003/07/30 18:34:18 2002/07/30 12:34:18 CST
sensor#
Step 3 Copy the IP log to your FTP or SCP server.
sensor# copy iplog 2342 ftp://root@209.165.200.225/user/iplog1
Password: ********
Connected to 209.165.200.225 (209.165.200.225).
220 linux.machine.
Chapter 13 Displaying and Capturing Live Traffic on an Interface

This chapter describes how to display, capture, copy, and erase packet files.
Understanding Packet Display and Capture

You can display or capture live traffic from an interface and have the live traffic or a previously captured file put directly on the screen. Storage is available for one local file only; each subsequent capture request overwrites the existing file. The size of the storage file varies depending on the platform.
Start: yyyy/mm/dd hh:mm:ss zone, End: yyyy/mm/dd hh:mm:ss zone or in-progress.
Where user = the username of the user initiating the capture, id = the CLI ID of the user, and cliCmd = the command entered to perform the capture.

Caution Executing the packet display command causes significant performance degradation.
03:43:05.694402 IP (tos 0x10, ttl 64, id 55469, 10.89.147.31.22 > 10.89.147.50.41805: P [tcp sum
03:43:05.694521 IP (tos 0x10, ttl 64, id 55470, 10.89.147.31.22 > 10.89.147.50.41805: P [tcp sum
03:43:05.694690 IP (tos 0x10, ttl 64, id 53740, 10.89.147.50.41805 > 10.89.147.31.22: .
The packet capture command captures the libpcap output into a local file. Use the packet display packet-file [verbose] [expression expression] command to view the local file. Use the packet display file-info command to display information about the local file, if any. The following options apply:
• interface_name—Specifies the logical interface name.
03:03:15.218814 802.1d config TOP_CHANGE 8000.00:04:9a:66:35:01.8025 root 8000.00:04:6d:f9:e8:82 pathcost 8 age 2 max 20 hello 2 fdelay 15
03:03:15.546866 IP 64.101.182.244.1978 > 10.89.130.108.23: P 0:2(2) ack 157 win 65535
03:03:15.546923 IP 10.89.130.108.23 > 64.101.182.244.1978: P 157:159(2) ack 2 win 5840
03:03:15.736377 IP 64.101.182.244.1978 > 10.89.130.108.23: . ack 159 win 65533
03:03:17.219612 802.
Note The exact format of the source and destination URLs varies according to the file.

– ftp:—Destination URL for an FTP network server. The syntax for this prefix is:
ftp:[//[username@] location]/relativeDirectory]/filename
ftp:[//[username@]location]//absoluteDirectory]/filename
– scp:—Destination URL for the SCP network server.
Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting

This chapter provides information for setting up the ARC to perform blocking and rate limiting on the sensor.
• Do not confuse blocking with the ability of the sensor to drop packets. The sensor can drop packets when the following actions are configured for a sensor in inline mode: deny packet inline, deny connection inline, and deny attacker inline.
• The ACLs that the ARC makes should never be modified by you or any other system.
is configured for VLAN A, but is blocking on a different security appliance customer context that is configured for VLAN B. Addresses that trigger blocks on VLAN A may refer to a different host on VLAN B.

There are three types of blocks:
• Host block—Blocks all traffic from a given IP address.
• How long you want the blocks to last.

Tip To check the status of the ARC, type show statistics network-access at the sensor# prompt. The output shows the devices you are managing, any active blocks and rate limits, and the status of all devices.

Note Rate limiting and blocking are not supported for IPv6 traffic.
Table 14-1 Rate Limiting Signatures (continued)
Signature ID | Signature Name | Protocol | Destination IP Address Allowed | Data
4002 | UDP Flood Host | UDP | Yes | none
6901 | Net Flood ICMP Reply | ICMP | No | echo-reply
6902 | Net Flood ICMP Request | ICMP | No | echo-request
6903 | Net Flood ICMP Any | ICMP | No | None
6910 | Net Flood UDP | UDP | No | None
6920 | Net Flood TCP | TCP | No |
Before you configure the ARC for blocking or rate limiting, make sure you do the following:
• Analyze your network topology to understand which devices should be blocked by which sensor, and which addresses should never be blocked.
• Gather the usernames, device passwords, enable passwords, and connection types (Telnet or SSH) needed to log in to each device.
• Know the interface names on the devices.
Note We support VACL blocking on the Supervisor Engine and ACL blocking on the MSFC.

• PIX Firewall with version 6.0 or later (shun command)
– 501
– 506E
– 515E
– 525
– 535
• ASA with version 7.0 or later (shun command)
– ASA 5510
– ASA 5520
– ASA 5540
• FWSM 1.1 or later (shun command)

You configure blocking using either ACLs, VACLs, or the shun command.
• Enabling Writing to NVRAM, page 14-15
• Logging All Blocking Events and Errors, page 14-16
• Configuring the Maximum Number of Blocking Interfaces, page 14-17
• Configuring Addresses Never to Block, page 14-19

Allowing the Sensor to Block Itself

Caution We recommend that you do not permit the sensor to block itself, because it may stop communicating with the blocking device.
Step 6 Configure the sensor not to block itself.
sensor(config-net-gen)# allow-sensor-block false
Step 7 Verify the setting.
Note While blocking is disabled, the ARC continues to receive blocks and track the time on active blocks, but will not apply new blocks or remove blocks from the managed devices. After blocking is reenabled, the blocks on the devices are updated.

To disable blocking or rate limiting, follow these steps:

Step 1 Log in to the CLI using an account with administrator privileges.
enable-acl-logging: false
allow-sensor-block: false default: false
block-enable: true default: true
block-max-entries: 100 default: 250
max-interfaces: 250
master-blocking-sensors (min: 0, max: 100, current: 0)
-----------------------------------------------
-----------------------------------------------
never-block-hosts (min: 0, max: 250, current: 1)
-----------------------------------------------
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter network access submode.
sensor# configure terminal
sensor(config)# service network-access
sensor(config-net)#
Step 3 Enter general submode.
sensor(config-net)# general
Step 4 Change the maximum number of block entries.
sensor(config-net-gen)# block-max-entries 100
Step 5 Verify the setting.
-----------------------------------------------
ip-address: 192.0.2.1
-----------------------------------------------
-----------------------------------------------
never-block-networks (min: 0, max: 250, current: 1)
-----------------------------------------------
ip-address: 209.165.200.
global-summarization-status: Enabled
global-metaevent-status: Enabled
global-deny-timeout: 3600
global-block-timeout: 60 default: 30
max-denied-attackers: 10000
-----------------------------------------------
sensor(config-rul-gen)#
Step 6 Exit event action rules submode.
Step 6 Disable ACL logging by using the false keyword.
sensor(config-net-gen)# enable-acl-logging false
Step 7 Verify that ACL logging is disabled.
general
-----------------------------------------------
log-all-block-events-and-errors: true
enable-nvram-write: true default: false
enable-acl-logging: false default: false
allow-sensor-block: false
block-enable: true
block-max-entries: 250
max-interfaces: 250
master-blocking-sensors (min: 0, max: 100, current: 0)
-----------------------------------------------
Step 4 Disable blocking event and error logging.
sensor(config-net-gen)# log-all-block-events-and-errors false
Step 5 Verify that logging is disabled.
To configure the maximum number of blocking interfaces, follow these steps:

Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter network access mode.
sensor# configure terminal
sensor(config)# service network-access
sensor(config-net)#
Step 3 Enter general submode.
sensor(config-net)# general
Step 4 Specify the maximum number of interfaces.
Configuring Addresses Never to Block

Use the never-block-hosts and never-block-networks commands in service network access submode to configure hosts and networks that should never be blocked. The following options apply:
• ip_address—Specifies the IP address of the device that should never be blocked.
• ip_address/netmask—Specifies the IP address of the network that should never be blocked.
-----------------------------------------------
-----------------------------------------------
never-block-hosts (min: 0, max: 250, current: 2)
-----------------------------------------------
ip-address: 192.0.2.
Enter password[]: ********
Re-enter password ********
Step 6 Specify the enable password for the user.
sensor(config-net-use)# enable-password
Enter enable-password[]: ********
Re-enter enable-password ********
Step 7 Verify the settings.
Note The ARC reads the lines in the ACL and copies these lines to the beginning of the ACL.
3. Any active blocks.
4. Either specify a Post-Block ACL, which must already exist on the device, or specify permit ip any any (do not use if a Post-Block ACL is specified). The ARC reads the lines in the ACL and copies these lines to the end of the ACL.
Routers and ACLs

Note Pre-Block and Post-Block ACLs do not apply to rate limiting.

You create and save Pre-Block and Post-Block ACLs in your router configuration. These ACLs must be extended IP ACLs, either named or numbered. See your router documentation for more information on creating ACLs.
Step 5 Specify the method used to access the sensor. If unspecified, SSH 3DES is used.
sensor(config-net-rou)# communication {telnet | ssh-3des}

Note If you are using 3DES, you must use the command ssh host-key ip_address to accept the key or ARC cannot connect to the device.

Step 6 Specify the sensor NAT address.
direction: in
-----------------------------------------------
pre-acl-name:
post-acl-name:
-----------------------------------------------
-----------------------------------------------
response-capabilities: block|rate-limit default: block
-----------------------------------------------
sensor(config-net-rou)#
Step 12 Exit network access submode.
The Post-Block VACL is best used for additional blocking or permitting that you want to occur on the same VLAN. If you have an existing VACL on the VLAN that the sensor will manage, the existing VACL can be used as a Post-Block VACL. If you do not have a Post-Block VACL, the sensor inserts permit ip any any at the end of the new VACL.
Note This changes the IP address in the first line of the ACL from the IP address of the sensor to the NAT address. This is not a NAT address configured on the device being managed. It is the address the sensor is translated to by an intermediate device, one that is between the sensor and the device being managed.

Step 7 Specify the VLAN number.
Note If you are using 3DES, you must use the command ssh host-key ip_address to accept the key or the ARC cannot connect to the device.

Step 6 Specify the sensor NAT address.
sensor(config-net-fir)# nat-address nat_address

Note This changes the IP address in the first line of the ACL from the IP address of the sensor to the NAT address.

Step 7
If the master blocking sensor requires TLS for web connections, you must configure the ARC of the blocking forwarding sensor to accept the X.509 certificate of the master blocking sensor remote host. Sensors by default have TLS enabled, but you can change this option.

Note Typically the master blocking sensor is configured to manage the network devices.
Example
sensor(config)# tls trusted-host ip-address 192.0.2.
Step 13 Press Enter to apply the changes or enter no to discard them.
Step 14 On the master blocking sensor, add the block forwarding sensor IP address to the access list.

For More Information
For the procedure for adding the blocking forward sensor IP address to the access list, see Changing the Access List, page 3-6.
Use the block network ip-address/netmask [timeout minutes] command in privileged EXEC mode to block a network. Use the no form of the command to remove a block on a network. You must have blocking configured before you can set up network blocks. You can also view a list of networks that are being blocked. If you do not configure the amount of time for the network block, it is permanent.
Blocking a Connection

To block a connection, follow these steps:
Step 1 Log in to the CLI using an account with administrator or operator privileges.
Step 2 Configure the connection block between a source IP address and a destination IP address specifying the port, protocol, and time, for example. The connection block ends in 30 minutes.
sensor# block connection 10.0.0.
BlockMinutes = 80
MinutesRemaining = 76
CHAPTER 15 Configuring SNMP

This chapter describes how to configure SNMP, and contains the following sections:
• SNMP Notes and Caveats, page 15-1
• Understanding SNMP, page 15-1
• Configuring SNMP, page 15-2
• Configuring SNMP Traps, page 15-4
• Supported MIBS, page 15-6

SNMP Notes and Caveats

The following notes and caveats apply to SNMP:
• To have the sensor send SNMP traps, you must also select request-snmp-trap as the event action when you configure signatures.
You can configure the sensor to send SNMP traps. SNMP traps enable an agent to notify the management station of significant events by way of an unsolicited SNMP message. Trap-directed notification has the following advantage: if a manager is responsible for a large number of devices, and each device has a large number of objects, it is impractical to poll or request information from every object on every device.
Configuring SNMP General Parameters

To configure SNMP general parameters, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter notification submode.
sensor# configure terminal
sensor(config)# service notification
sensor(config-not)#
Step 3 Enable SNMP so that the SNMP management workstation can issue requests to the sensor SNMP agent.
-----------------------------------------------
error-filter: error|fatal
enable-detail-traps: false
enable-notifications: false
enable-set-get: true default: false
snmp-agent-port: 161 default: 161
snmp-agent-protocol: udp default: udp
read-only-community: PUBLIC1 default: public
read-write-community: PRIVATE1 default: private
trap-community-name: public
system-l
• trap-destinations—Defines the destinations to send error events and alert events generated from signature actions:
– trap-community-name—Specifies the community name used when sending the trap. If no community name is specified the general trap community name is used.
– trap-port—Specifies the port number to send the SNMP trap to.
Note The community string appears in the trap and is useful if you are receiving multiple types of traps from multiple agents. For example, a router or sensor could be sending the traps, and if you put something that identifies the router or sensor specifically in your community string, you can filter the traps based on the community string.

Step 6 Verify the settings.
Note MIB II is available on the sensor, but we do not support it. We know that some elements are not correct (for example, the packet counts from the IF MIB on the sensing interfaces). While you can use elements from MIB II, we do not guarantee that they all provide correct information. We fully support the other listed MIBs and their output is correct.

Note CISCO-PROCESS-MIB is available on the sensor, but we do not support it.
FIRST REVIEW—CISCO CONFIDENTIAL

CHAPTER 16 Working With Configuration Files

This chapter describes how to use commands that show, copy, and erase the configuration file.
physical-interfaces GigabitEthernet0/0
admin-state enabled
exit
physical-interfaces GigabitEthernet0/1
admin-state enabled
exit
inline-interfaces pair0
interface1 GigabitEthernet0/0
interface2 GigabitEthernet0/1
exit
bypass-mode auto
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
! ------------------------------
service aaa
exit
! ------------------------------
service analysis-engine
virtual-sensor vs0
logical-interface pair0
exit
exit
sensor#

Displaying the Current Submode Configuration

Use the show settings command in a submode to display the current configuration of that submode.
action: rotate
schedule
-----------------------------------------------
periodic-schedule
-----------------------------------------------
start-time: 10:00:00
interval: 24 hours
-----------------------------------------------
-----------------------------------------------
default-thresholds
-----------------------------------------------
scanner-threshold: 100
threshold-histogram (min: 0, max: 3, current: 3)
-----------------------------------------------
dest-ip-bin: low
num-source-ips: 10
dest-i
dest-ip-bin: high
num-source-ips: 1
-----------------------------------------------
enabled: true
-----------------------------------------------
other
-----------------------------------------------
protocol-number (min: 0, max: 255, current: 0)
-----------------------------------------------
scanner-threshold: 100
threshold-histogram (min: 0, max: 3, current: 3)
-----------------------------------------------
dest-ip-bin: low
num-source-ips: 10
dest-ip-bin: medium
num-source-ips: 1
dest-ip-bin: high
num-source-ips: 1
-----------------------------------------------
sensor(config-rul)# show settings
variables (min: 0, max: 256, current: 0)
-----------------------------------------------
overrides (min: 0, max: 12, current: 0)
-----------------------------------------------
filters (min: 0, max: 4096, current: 0 - 0 active, 0 inactive)
-----------------------------------------------
status: red
-----------------------------------------------
bypass-policy
-----------------------------------------------
enable: true
status: red
-----------------------------------------------
interface-down-policy
-----------------------------------------------
enable: true
status: red
-----------------------------------------------
i
Step 9 Display the current configuration of the service host submode.
sensor# configure terminal
sensor(config)# service host
sensor(config-hos)# show settings
network-settings
-----------------------------------------------
host-ip: 192.0.2.0/24,192.0.2.17 default: 192.168.1.2/24,192.168.1.
-----------------------------------------------
name: realm-trend.
-----------------------------------------------
none
-----------------------------------------------
-----------------------------------------------
subinterface-type
-----------------------------------------------
none
-----------------------------------------------
idle-interface-delay: 30 seconds
-----------------------------------------------
sensor(config-int)# exit
sensor(config)# exit
sensor#
Step 11 Display the current configuration for the service logger submode.
Step 12 Display the current configuration for the service network access submode.
enable-notifications: false
enable-set-get: false
snmp-agent-port: 161
snmp-agent-protocol: udp
read-only-community: public
read-write-community: private
trap-community-name: public
system-location: Unknown
system-contact: Unknown
sensor(config-not)# exit
sensor(config)# exit
sens
common-name: 10.89.130.
Filtering Using the More Command

To filter the more command, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Filter the current-config output beginning with the regular expression "ip," for example.
sensor# more current-config | begin ip
generating current config:
host-ip 192.0.2.0/24,192.0.2.
access-list 10.0.0.0/8
access-list 64.0.0.0/8
exit
time-zone-settings
--MORE--

Note Press Ctrl-C to stop the output and return to the CLI prompt.

Step 4 Include the regular expression "ip" in the current-config output.
sensor# more current-config | include ip
generating current config:
host-ip 192.0.2.0/24,192.0.2.
global-summarization-status: Enabled
global-metaevent-status: Enabled
global-deny-timeout: 3600
global-block-timeout: 15 default: 30
max-denied-attackers: 10000
-----------------------------------------------
target-value (min: 0, max: 5, current: 0)
-----------------------------------------------
sen
Use the more keyword command to display the contents of a logical file, such as the current system configuration or the saved backup system configuration. The following options apply:
• keyword—Specifies either the current-config or the backup-config:
– current-config—Specifies the current running configuration. This configuration becomes persistent as the commands are entered.
dns-primary-server disabled
dns-secondary-server disabled
dns-tertiary-server disabled
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
exit
! ------------------------------
service signature-definition sig0
exit
! ------------------------------
service ssh-known-hosts
exi
Backing Up and Restoring the Configuration File Using a Remote Server

Note We recommend copying the current configuration file to a remote server before upgrading.

Use the copy [/erase] source_url destination_url keyword command to copy the configuration file to a remote server. You can then restore the current configuration from the remote server.
– https:—Source URL for the web server. The syntax for this prefix is:
https://[[username@]location][/directory]/filename

Note The directory specification should be an absolute path to the desired file.

Caution The remote host must be a TLS trusted host.
For More Information
• For the procedure for adding the remote host to the SSH known host list, see Adding Hosts to the SSH Known Hosts List, page 3-46.
• For the procedure for adding the remote host to the TLS trusted hosts list, see Adding TLS Trusted Hosts, page 3-52.
User accounts will not be erased. They must be removed manually using the "no username" command.
Continue? []:
Step 2 Press Enter to continue or enter no to stop.
CHAPTER 17 Administrative Tasks for the Sensor

This chapter contains procedures that will help you with the administrative aspects of your sensor.
Administrative Notes and Caveats

The following notes and caveats apply to administrative tasks for the sensor:
• Administrators may need to disable the password recovery feature for security reasons.
• If you try to recover the password on a sensor on which password recovery is disabled, the process proceeds with no errors or warnings; however, the password is not reset.
Table 17-1 lists the password recovery methods according to platform.
Using ROMMON

For the IPS 4345, IPS 4360, IPS 4510, and IPS 4520, you can use the ROMMON to recover the password. To access the ROMMON CLI, reboot the sensor from a terminal server or direct connection and interrupt the boot process. To recover the password using the ROMMON CLI, follow these steps:
Step 1 Reboot the appliance.
To reset the password on the ASA 5500-X IPS SSP, follow these steps:
Step 1 Log into the adaptive security appliance and enter the following command:
asa# sw-module module ips password-reset
Reset the password on module ips? [confirm]
Step 2 Press Enter to confirm.
Password-Reset issued for module ips.
Step 3 Verify the status of the module. Once the status reads Up, you can session to the ASA 5500-X IPS SSP.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to export@cisco.com.
***LICENSE NOTICE***
There is no license key installed on this IPS platform.
The system will continue to operate with the currently installed signature set.
Step 3 Verify the status of the module. Once the status reads Up, you can session to the ASA 5585-X IPS SSP.
asa# show module 1
Mod Card Type Model Serial No.
Using the ASDM

To reset the password in the ASDM, follow these steps:
Step 1 From the ASDM menu bar, choose Tools > IPS Password Reset.

Note This option does not appear in the menu if there is no IPS present.

Step 2 In the IPS Password Reset confirmation dialog box, click OK to reset the password to the default (cisco). A dialog box displays the success or failure of the password reset.
Step 3 To disable password recovery, uncheck the Allow Password Recovery check box.

Verifying the State of Password Recovery

Use the show settings | include password command to verify whether password recovery is enabled. To verify whether password recovery is enabled, follow these steps:
Step 1 Log in to the CLI.
Step 2 Enter service host submode.
The following options apply:
• virtual-sensor—Specifies the name of a virtual sensor configured on the sensor.
• all—Clears all nodes, inspectors, and alerts databases.
• nodes—Clears the overall packet database elements, including the packet nodes, TCP session information, and inspector lists.

Caution This command causes summary alerts to be discarded.
Displaying the Inspection Load of the Sensor

Use the show inspection-load command in privileged EXEC mode to display a timestamp and the current inspection load of the sensor. Use the history option to display a histogram of the inspection load over the past 60 minutes and over the past 72 hours.
10 ************************************************************
   0.........1.........2.........3.........4.........5.........
Inspection Load Percentage (last 72 hours) *=maximum #=average
sensor#

Configuring Health Status Information

Configure the health statistics for the sensor in service health monitor submode. Use the show health command to see the results. The health status categories are rated by red and green with red being critical.
• memory-usage-policy {enable | disable} {true | false} red-threshold yellow-threshold—Lets you set a threshold percentage for memory usage and whether this metric is applied to the overall sensor health rating. The range is 0 to 100. The default for red is 91% and the default for yellow is 80%.
sensor(config-hea-app)# status red
sensor(config-hea-app)# exit
sensor(config-hea)#
Step 4 Enable the metrics for bypass policy.
sensor(config-hea)# bypass-policy
sensor(config-hea-byp)# enable true
sensor(config-hea-byp)# status yellow
sensor(config-hea-byp)# exit
sensor(config-hea)#
Step 5 Enable the metrics for sensor health and security monitoring.
Step 12 Set the threshold for memory usage.
sensor(config-hea)# memory-usage-policy
sensor(config-hea-mem)# enable true
sensor(config-hea-mem)# red-threshold 100
sensor(config-hea-mem)# yellow-threshold 50
sensor(config-hea-mem)# exit
sensor(config-hea)#
Step 13 Set the missed packet threshold.
enable: true default: true
yellow-threshold: 20 percent default: 1
red-threshold: 50 percent default: 6
-----------------------------------------------
memory-usage-policy
-----------------------------------------------
enable: true default: false
yellow-threshold: 50 percent default: 80
red-threshold: 100 percent default: 91
-----------------------------------------------
signature-update-policy
-----------------------------------------------
To display the overall health status of the sensor, follow these steps:
Step 1 Log in to the CLI.
Step 2 Show the health and security status of the sensor.
Step 5 Remove the banner login. The banner no longer appears at login.
sensor(config)# no banner login

Terminating CLI Sessions

Caution You can only clear CLI login sessions with the clear line command. You cannot clear service logins with this command.

Use the clear line cli_id [message] command to terminate another CLI session.
sensor#
The user jsmith receives the following message from the administrator jtaylor.
sensor#
***
***
*** Termination request from jtaylor
*** Sorry! I need to terminate your session.

Modifying Terminal Properties

Note You are not required to specify the screen length for some types of terminal sessions because the specified screen length can be learned by some remote hosts.
Displaying Events

Note The Event Store has a fixed size of 30 MB for all platforms.

Note Events are displayed as a live feed. To cancel the request, press Ctrl-C.
To display events from the Event Store, follow these steps:
Step 1 Log in to the CLI.
Step 2 Display all events starting now. The feed continues showing all events until you press Ctrl-C.
appInstanceId: 367
time: 2011/03/02 14:15:59 2011/03/02 14:15:59 UTC
signature: description=Nachi Worm ICMP Echo Request id=2156 version=S54
subsigId: 0
sigDetails: Nachi ICMP
interfaceGroup:
vlan: 0
participants:
attacker:
addr: locality=OUT 10.89.228.202
target:
addr: locality=OUT 10.89.150.
sensor# clear events
Warning: Executing this command will remove all events currently stored in the event store.
Continue with clear? []:
Step 3 Enter yes to clear the events.

Configuring the System Clock

This section explains how to display and manually set the system clock.
No time source
Summer time starts 03:00:00 UTC Sun Mar 09 2011
Summer time stops 01:00:00 UTC Sun Nov 02 2011

Manually Setting the System Clock

Note You do not need to set the system clock if your sensor is synchronized by a valid outside timing mechanism such as an NTP clock source.

Use the clock set hh:mm [:ss] month day year command to manually set the clock on the appliance.
Displaying and Deleting Denied Attackers

To display the list of denied attackers and delete the list and clear the statistics, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Display the list of denied IP addresses. The statistics show that there are two IP addresses being denied at this time.
Name of current Event-Action-Rules instance = rules0
List of interfaces monitored by this virtual sensor = mypair
Denied Address Information
Number of Active Denied Attackers = 0
Number of Denied Attackers Inserted = 2
Number of Denied Attackers Total Hits = 287
Number of times max-denied-attackers limited creation of new entry = 0
Number of exec Clear commands during uptime = 1
Denied Attackers and hit count for each.
Step 3 Display the list of policies for event action rules.
sensor# list event-action-rules-configurations
Event Action Rules
Instance   Size   Virtual Sensor
rules0     112    vs0
rules1     141    vs1
sensor#
Step 4 Display the list of policies for signature definition.
Thread   0  1  2  3  4  5  6  Average
5 sec    1  1  1  1  1  1  1  1
1 min    1  1  1  1  1  1  1  1
5 min    1  1  1  1  1  1  1  1
The rate of TCP connections tracked per second = 0
The rate of packets per second = 0
The rate of bytes per second = 0
Receiver Statistics
Total number of packets processed since reset = 0
Total number of IP packets processed since reset = 0
Transmitter Statistics
Total number of packets transmitted = 133698
Total number of packets denied =
SigVersion = 645.
TCPMissedPacketsDueToUpdate = 0
UDPMissedPacketsDueToUpdate = 0
MemorySize = 1073741824
HostDirectMemSize = 0
MaliciousSiteDenyHitCounts
MaliciousSiteDenyHitCountsAUDIT
Ethernet Controller Statistics
Total Packets Received = 0
Total Received Packets Dropped = 0
Total Packets Transmitted = 13643
sensor#
Step 3 Display the statistics for anomaly detection.
Denied Attackers with percent denied and hit count for each.
Denied Attackers with percent denied and hit count for each.
Statistics for Virtual Sensor vs1
Denied Attackers with percent denied and hit count for each.
Denied Attackers with percent denied and hit count for each.
sensor#
Step 6 Display the statistics for the Event Server.
sensor#
Step 8 Display the statistics for global correlation.
lastInstallAttempt = N/A
nextAttempt = N/A
Auxilliary Processors Installed
sensor#
Step 10 Display the statistics for the logging application.
NetDevice
Type = CAT6000_VACL
IP = 192.0.2.1
NATAddr = 0.0.0.0
Communications = telnet
BlockInterface
InterfaceName = 502
InterfacePreBlock = Pre_Acl_Test
BlockInterface
InterfaceName = 507
InterfacePostBlock = Post_Acl_Test
State
BlockEnable = true
NetDevice
IP = 192.0.2.3
AclSupport = Does not use ACLs
Version = 6.3
State = Active
Firewall-type = PIX
NetDevice
IP = 192.0.2.7
AclSupport = Does not use ACLs
Version = 7.
Step 12 Display the statistics for the notification application.
sensor# show statistics notification
General
Number of SNMP set requests = 0
Number of SNMP get requests = 0
Number of error traps sent = 0
Number of alert traps sent = 0
sensor#
Step 13 Display the statistics for OS identification.
Total IPv6 Fragment packets processed since reset = 0
Total IPv6 Routing Header packets processed since reset = 0
Total IPv6 ICMP packets processed since reset = 0
Total packets that were not IP processed since reset = 0
Total TCP packets processed since reset = 0
Total UDP packets processed since reset = 0
Total ICMP packets processed since reset = 0
Total packets that were not TCP, UDP, or ICMP processed since reset = 0
Total ARP packe
Number of complete datagrams reassembled since last reset = 0
Fragments hitting too many fragments condition since last reset = 0
Number of overlapping fragments since last reset = 0
Number of Datagrams too big since last reset = 0
Number of overwriting fragments since last reset = 0
Number of Inital fragment missing since last reset = 0
Fragments hitting the max partial dgrams limit since last reset = 0
Fragments too small since last r
last request method = GET
last request URI = cgi-bin/sdee-server
last protocol version = HTTP/1.
Displaying Tech Support Information
Note The show tech-support command now displays historical interface data for each interface for the past 72 hours.
Use the show tech-support [page] [destination-url destination_url] command to display system information on the screen or have it sent to a specific URL. You can use the information as a troubleshooting tool with TAC.
Example
To send the tech support output to the file /absolute/reports/sensor1Report.html:
sensor# show tech support dest ftp://csidsuser@10.2.1.2//absolute/reports/sensor1Report.html
b. Enter the password for this user account. The Generating report: message is displayed.
Displaying Version Information
CollaborationApp Running V-2013_04_10_11_00_7_2_0_14 (Release) 2013-04-10T11:05:55-0500
CLI V-2013_04_10_11_00_7_2_0_14 (Release) 2013-04-10T11:05:55-0500
Upgrade History:
IPS-K9-7.2-1-E4 11:17:07 UTC Thu Jan 10 2013
Recovery Partition Version 1.1 - 7.
dns-tertiary-server disabled
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
exit
! ------------------------------
service signature-definition sig0
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
To diagnose basic network connectivity, follow these steps:
Step 1 Log in to the CLI.
Step 2 Ping the address you are interested in. The count is the number of echo requests to send. If you do not specify a number, 4 requests are sent. The range is 1 to 10,000.
sensor# ping ip_address count
The following example shows a successful ping:
sensor# ping 192.0.2.1 6
PING 192.0.2.1 (192.0.2.1): 56 data
64 bytes from 192.0.2.
sensor#
Step 4 Stop all applications and power down the appliance.
sensor# reset powerdown
Warning: Executing this command will stop all applications and power off the node if possible. If the node can not be powered off it will be left in a state that is safe to manually power down.
Continue with reset? []:
Step 5 Enter yes to continue with the reset and power down.
sensor# yes
Request Succeeded.
Displaying Hardware Inventory
Use the show inventory command to display PEP information. This command displays the UDI information that consists of the PID, the VID, and the SN of your sensor. If your sensor supports SFP/SFP+ modules and Regex accelerator cards, they are also displayed. PEP information provides an easy way to obtain the hardware version and serial number through the CLI.
Name: "Chassis", DESCR: "ASA 5585-X"
PID: ASA5585 , VID: V02, SN: JMX1552705O
Name: "power supply 0", DESCR: "ASA 5585-X AC Power Supply"
PID: ASA5585-PWR-AC , VID: V03, SN: POG153700UC
Name: "power supply 1", DESCR: "ASA 5585-X AC Power Supply"
PID: ASA5585-PWR-AC , VID: V03, SN: POG153700SY
Name: "RegexAccelerator/0", DESCR: "LCPX5110 (LCPX5110)"
PID: LCPX5110 , VID: 335, SN: SL14200225
Name: "RegexAccelerator/1", DESCR: "LCPX5
Name: "power supply 2", DESCR: "IPS4360 AC Power Supply "
PID: IPS-4360-PWR-AC , VID: 0700A, SN: 25Y1Y9
sensor# show inventory
Name: "power supply 1", DESCR: "IPS-4345-K9 AC Power Supply "
PID: IPS-4345-PWR-AC , VID: A1, SN: 000783
Tracing the Route of an IP Packet
Caution There is no command interrupt available for this command. It must run to completion.
Displaying Submode Settings
Use the show settings [terse] command in any submode to view the contents of the current configuration. To display the current configuration settings for a submode, follow these steps:
Step 1 Log in to the CLI.
Step 2 Show the current configuration for ARC submode.
password:
username:
-----------------------------------------------
profile-name: fwsm
-----------------------------------------------
enable-password:
password:
username: pix default:
-----------------------------------------------
profile-name: outsidePix
-----------------------------------------------
enable-password:
password:
username: pix default:
-----------------------------
-----------------------------------------------
ip-address: 192.0.2.25
-----------------------------------------------
communication: telnet default: ssh-3des
nat-address: 0.0.0.
profile-name: 2admin
profile-name: r7200
profile-name: insidePix
profile-name: qatest
profile-name: fwsm
profile-name: outsidePix
profile-name: cat
profile-name: rcat
profile-name: nopass
profile-name: test
profile-name: sshswitch
-----------------------------------------------
cat6k-devices (min: 0, max: 250, current: 1)
-----------------------------------------------
ip-address: 192.0.2.
Chapter 18 Configuring the ASA 5500-X IPS SSP
This chapter contains procedures that are specific to configuring the ASA 5500-X IPS SSP.
• The ASA 5500-X IPS SSP (except the ASA 5512-X IPS SSP and the ASA 5515-X IPS SSP) supports the String ICMP XL, String TCP XL, and String UDP XL engines. These engines provide optimized operation for these platforms.
TCP Reset Differences Between IPS Appliances and ASA IPS Modules
The IPS appliance sends TCP reset packets to both the attacker and victim when reset-tcp-connection is selected.
• For the procedures for configuring intrusion prevention, see Chapter 8, “Configuring Event Action Rules,” Chapter 7, “Defining Signatures,” Chapter 9, “Configuring Anomaly Detection,” and Chapter 14, “Configuring Attack Response Controller for Blocking and Rate Limiting.”
• For the procedures for configuring global correlation, see Chapter 10, “Configuring Global Correlation.
Creating Virtual Sensors for the ASA 5500-X IPS SSP
This section describes how to create virtual sensors on the ASA 5500-X IPS SSP, and contains the following topics:
• The ASA 5500-X IPS SSP and Virtualization, page 18-4
• Virtual Sensor Configuration Sequence for ASA 5500-X IPS SSP, page 18-4
• Creating Virtual Sensors, page 18-4
• Assigning Virtual Sensors to Adaptive Security Appliance Contexts, p
Use the virtual-sensor name command in service analysis engine submode to create virtual sensors on the ASA 5500-X IPS SSP. You assign policies (anomaly detection, event action rules, and signature definition) to the virtual sensor. You can use the default policies, ad0, rules0, or sig0, or you can create new policies.
Step 7 Assign a signature definition policy to this virtual sensor. If you do not want to use the default signature definition policy, sig0, you must create a new one using the service signature-definition name command, for example sig1.
sensor(config-ana-vir)# signature-definition sig0
Step 8 Assign the interface to one virtual sensor.
Assigning Virtual Sensors to Adaptive Security Appliance Contexts
After you create virtual sensors on the ASA 5500-X IPS SSP, you must assign the virtual sensors to a security context on the adaptive security appliance. The following options apply:
• [no] allocate-ips sensor_name [mapped_name] [default]—Allocates a virtual sensor to a security context.
Sensor Name   Sensor ID
-----------   ---------
vs0           1
vs1           2
asa#
Step 3 Enter configuration mode.
asa# configure terminal
asa(config)#
Step 4 Enter multiple mode.
asa(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm] yes
asa(config)#
Step 5 Add three context modes to multiple mode.
Step 7 Configure MPF for each context.
Note The following example shows context 3 (c3).
The SensorApp is Reconfigured
The following occurs when the SensorApp is reconfigured:
• If set to fail-open, the adaptive security appliance passes traffic without sending it to the ASA IPS module.
• If set to fail-close, the adaptive security appliance stops passing traffic until the ASA IPS module is restarted.
For More Information
For detailed information about the Normalizer engine, see Normalizer Engine, page B-36.
Use the following commands to reload, shut down, reset, recover the password, and recover the ASA 5500-X IPS SSP directly from the adaptive security appliance:
• sw-module module ips reload—This command reloads the software on the ASA 5500-X IPS SSP without doing a hardware reset. It is effective only when the module is in the Up state.
Firmware version: N/A
Software version: 7.2(1)E4
MAC Address Range: 503d.e59c.7ca0 to 503d.e59c.7ca0
App. name: IPS
App. Status: Up
App. Status Desc: Normal Operation
App. version: 7.2(1)E4
Data Plane Status: Up
Status: Up
License: IPS Module Enabled perpetual
Mgmt IP addr: 192.168.1.2
Mgmt Network mask: 255.255.255.0
Mgmt Gateway: 192.168.1.
Mgmt web ports:
Mgmt TLS enabled:
asa#
Mod-ips 251> -NG-1.4.1) ) #56 SMP Tue Dec 6 00:46:11 CST 2011
Mod-ips 252> Command line: ro initfsDev=/dev/hda1 init=loader.run rootrw=/dev/hda2 initfs=runti
Mod-ips 253> me-image.cpio.
Mod-ips 313> ACPI: INT_SRC_OVR (bus 0 bus_irq 5 global_irq 5 high level)
Mod-ips 314> ACPI: INT_SRC_OVR (bus 0 bus_irq 9 global_irq 9 high level)
Mod-ips 315> ACPI: INT_SRC_OVR (bus 0 bus_irq 10 global_irq 10 high level)
Mod-ips 316> ACPI: INT_SRC_OVR (bus 0 bus_irq 11 global_irq 11 high level)
Mod-ips 317> Using ACPI (MADT) for SMP configuration information
Mod-ips 318> ACPI: HPET id: 0x8086a201 base: 0xfed00000
Mod-ips 319> SMP:
Mod-ips 369> CPU: L1 I cache: 32K, L1 D cache: 32K
Mod-ips 370> CPU: L2 cache: 4096K
Mod-ips 371> CPU 2/0x2 -> Node 0
Mod-ips 372> CPU2: Intel QEMU Virtual CPU version 0.12.5 stepping 03
Mod-ips 373> Booting processor 3 APIC 0x3 ip 0x6000
Mod-ips 374> Initializing CPU#3
Mod-ips 375> Calibrating delay using timer specific routine.. 5585.
Mod-ips 493> processor ACPI_CPU:01: registered as cooling_device1
Mod-ips 494> processor ACPI_CPU:02: registered as cooling_device2
Mod-ips 495> processor ACPI_CPU:03: registered as cooling_device3
Mod-ips 496> processor ACPI_CPU:04: registered as cooling_device4
Mod-ips 497> processor ACPI_CPU:05: registered as cooling_device5
Mod-ips 498> hpet_acpi_add: no address or irqs in _CRS
Mod-ips 499> Non-volatile memory driver v1.
Two ASAs in Fail-Close Mode
• If the ASAs are configured in fail-close mode, and if the ASA 5500-X IPS SSP on the active ASA experiences a configuration change or a signature/signature engine update, traffic is stopped from passing through the active ASA. No failover is triggered.
allocate-ips
To allocate an IPS virtual sensor to a security context if you have the ASA 5500-X IPS SSP installed, use the allocate-ips command in context configuration mode. To remove a virtual sensor from a context, use the no form of this command.
Command History
Release   Modification
8.0(2)    This command was introduced.
Usage Guidelines
You can assign one or more IPS virtual sensors to each context. Then, when you configure the context to send traffic to the ASA 5500-X IPS SSP using the ips command, you can specify a sensor that is assigned to the context; you cannot specify a sensor that you did not assign to the context.
Chapter 19 Configuring the ASA 5585-X IPS SSP
This chapter contains procedures that are specific to configuring the ASA 5585-X IPS SSP.
• The ASA 5585-X IPS SSP has four types of ports (console, management, GigabitEthernet, and 10GE). The console and management ports (on the right front panel of the ASA 5585-X IPS SSP) are configured and controlled by IPS software. The GigabitEthernet and 10GE ports (on the left front panel of the ASA 5585-X IPS SSP) are configured and controlled by ASA software rather than IPS software.
• For the procedure for creating virtual sensors, see Creating Virtual Sensors for the ASA 5585-X IPS SSP, page 19-4.
• For the procedures for setting up the ASA 5585-X IPS SSP, see Chapter 3, “Setting Up the Sensor.
Creating Virtual Sensors for the ASA 5585-X IPS SSP
This section describes how to create virtual sensors on the ASA 5585-X IPS SSP, and contains the following topics:
• The ASA 5585-X IPS SSP and Virtualization, page 19-4
• The ASA 5585-X IPS SSP Virtual Sensor Configuration Sequence, page 19-5
• Creating Virtual Sensors, page 19-5
• Assigning Virtual Sensors to Adaptive Security Appliance Contexts, p
The ASA 5585-X IPS SSP Virtual Sensor Configuration Sequence
Follow this sequence to create virtual sensors on the ASA 5585-X IPS SSP, and to assign them to adaptive security appliance contexts:
1. Configure up to four virtual sensors.
2. Assign the ASA 5585-X IPS SSP sensing interface (PortChannel 0/0) to one of the virtual sensors.
3.
Step 3 Add a virtual sensor.
sensor(config-ana)# virtual-sensor vs1
sensor(config-ana-vir)#
Step 4 Add a description for this virtual sensor.
sensor(config-ana-vir)# description virtual sensor 1
Step 5 Assign an anomaly detection policy and operational mode to this virtual sensor if you have enabled anomaly detection.
sensor(config-ana)# exit
Apply Changes:?[yes]:
sensor(config)#
Step 11 Press Enter to apply the changes or enter no to discard them.
For More Information
• For the procedures for creating and configuring anomaly detection policies, see Working With Anomaly Detection Policies, page 9-8.
• show context [detail]—Updated to display information about virtual sensors. In user context mode, a new line is added to show the mapped names of all virtual sensors that have been allocated to this context. In system mode, two new lines are added to show the real and mapped names of virtual sensors allocated to this context. You can assign multiple virtual sensors to a context.
asa(config-ctx)# all
asa(config-ctx)# allocate-in
asa(config-ctx)# allocate-interface g0/2
asa(config-ctx)# allocate-interface g0/3
asa(config-ctx)# config-url disk0:/c3.cfg
WARNING: Could not fetch the URL disk0:/c3.cfg
INFO: Creating context with default config
asa(config-ctx)#
Step 6 Assign virtual sensors to the security contexts.
The ASA 5585-X IPS SSP and the Normalizer Engine
The majority of the features in the Normalizer engine are not used on the ASA 5585-X IPS SSP, because the ASA itself handles the normalization. Packets on the ASA IPS modules go through a special path in the Normalizer that only reassembles fragments and puts packets in the right order for the TCP stream.
The SensorApp Fails
The following occurs when the SensorApp fails:
• If the adaptive security appliance is configured for failover, then the adaptive security appliance fails over.
• If the adaptive security appliance is not configured for failover or failover is not possible:
– If set to fail-open, the adaptive security appliance passes traffic without sending it to the ASA IPS module.
Use the following commands to reload, shut down, reset, recover the password, and recover the ASA 5585-X IPS SSP directly from the adaptive security appliance:
• hw-module module slot_number reload—This command reloads the software on the ASA 5585-X IPS SSP without doing a hardware reset. It is effective only when the module is in the Up state.
Software version: 7.2(1)E4
MAC Address Range: 8843.e12f.5414 to 8843.e12f.541f
App. name: IPS
App. Status: Up
App. Status Desc: Normal Operation
App. version: 7.2(1)E4
Data plane Status: Up
Status: Up
Mgmt IP addr: 192.0.2.3
Mgmt Network mask: 255.255.255.0
Mgmt Gateway: 192.0.2.254
Mgmt Access List: 10.0.0.0/8
Mgmt Access List: 64.0.0.
Mgmt web ports:
Mgmt TLS enabled
asa
Firmware version: 2.0(7)0
Software version: 7.2(1)E4
MAC Address Range: 5475.d029.7f9c to 5475.d029.7fa7
App. name: IPS
App. Status: Not Applicable
App. Status Desc: Not Applicable
App. version: 7.2(1)E4
Data plane Status: Not Applicable
Status: Init
asa# show module 1 details
Getting details from the Service Module, please wait...
asa(config)# debug module-boot
debug module-boot enabled at level 1
asa(config)# hw-module module 1 recover boot
The module in slot 1 will be recovered. This may erase all configuration and all data on that device and attempt to download a new image for it.
Recover module in slot 1? [confirm]
Recover issued for module in slot 1
asa(config)#
Slot-1 140> Cisco Systems ROMMON Version (1.
Failover Scenarios
The following failover scenarios apply to the ASA 5585-X in the event of configuration changes, signature/signature engine updates, service packs, and SensorApp crashes on the ASA 5585-X IPS SSP.
failover
failover lan unit secondary
failover lan interface folink GigabitEthernet0/7
failover interface ip folink 172.27.48.1 255.255.255.0 standby 172.27.48.2
Chapter 20 Obtaining Software
This chapter provides information on obtaining the latest Cisco IPS software. It contains the following sections:
• IPS 7.2 File List, page 20-1
• Obtaining Cisco IPS Software, page 20-1
• IPS Software Versioning, page 20-2
• Accessing IPS Documentation, page 20-7
• Cisco Security Intelligence Operations, page 20-8
IPS 7.2 File List
The currently supported IPS 7.2(x) version is 7.2(1)E4.
Downloading Cisco IPS Software
To download software on Cisco.com, follow these steps:
Step 1 Log in to Cisco.com.
Step 2 From the Support drop-down menu, choose Download Software.
Step 3 Under Select a Software Product Category, choose Security Software.
Step 4 Choose Intrusion Prevention System (IPS).
Step 5 Enter your username and password.
Major Update
A major update contains new functionality or an architectural change in the product. For example, the Cisco IPS 7.2 base version includes everything (except deprecated features) since the previous major release (the minor update features, service pack fixes, and signature updates) plus any new changes. Major update 7.2(1) requires 5.1(6) and later. With each major update there are corresponding system and recovery packages.
Note The 7.
Figure 20-1 illustrates what each part of the IPS software file represents for major and minor updates, service packs, and patch releases.
Figure 20-1 IPS Software File Name for Major and Minor Updates, Service Packs, and Patch Releases
IPS-identifier-K9-x.y-z[a or p1]-E1.
Figure 20-3 illustrates what each part of the IPS software file represents for signature engine updates.
Figure 20-3 IPS Software File Name for Signature Engine Updates
IPS-identifier-[engine]-[E]-req-x.y-z.
IPS Software Release Examples
Table 20-1 lists platform-independent Cisco IPS software release examples.
Table 20-1 Platform-Independent Release Examples
Release                     Target Frequency     Example Identifier   Version Example   Example Filename
Signature update(1)         Weekly               sig                  S552              IPS-identifier-sig-S552-req-E4.pkg
Signature engine update(2)  As needed            engine               E4                IPS-identifier-engine-E4-req-7.2-2.pkg
Service packs(3)            Every three months   —                    7.
Table 20-2 describes the platform identifiers used in platform-specific names.
Table 20-2 Platform Identifiers
Sensor Family       Identifier
ASA 5500-X series   SSP_5512, SSP_5515, SSP_5525, SSP_5545, SSP_5555
ASA 5585-X series   SSP_10, SSP_20, SSP_40, SSP_60
IPS 4345 series     4345
IPS 4360 series     4360
IPS 4510 series     4510
IPS 4520 series     4520
For More Information
For instructions on how to access these files on Cisco.
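As an added example (not from this guide), the following Python parser classifies IPS package filenames using the forms shown in Figure 20-1, Figure 20-3, Table 20-1 and the copy/upgrade examples in Chapter 21, and checks a package's platform identifier against Table 20-2 before it is staged for upgrade. The regular expressions are an assumption derived from those example filenames, not Cisco's published specification.

```python
"""Parse Cisco IPS 7.2 package filenames and check them against a sensor platform.

Assumption: the patterns below are derived from the filenames this guide shows
(Figure 20-1, Figure 20-3, Table 20-1, and the copy/upgrade examples); they are
not Cisco's own naming specification.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Platform identifiers from Table 20-2.
PLATFORM_IDENTIFIERS = frozenset({
    "SSP_5512", "SSP_5515", "SSP_5525", "SSP_5545", "SSP_5555",  # ASA 5500-X series
    "SSP_10", "SSP_20", "SSP_40", "SSP_60",                      # ASA 5585-X series
    "4345", "4360", "4510", "4520",                              # IPS 43xx / 45xx series
})


@dataclass(frozen=True)
class IpsPackage:
    kind: str                 # signature-update | engine-update | system-image | recovery-image | update
    platform: Optional[str]   # identifier from Table 20-2, or None for a platform-independent file
    version: Optional[str]    # IPS version carried by the file, e.g. "7.2-1"
    engine: Optional[str]     # signature engine level carried by the file, e.g. "E4"
    signature: Optional[str]  # signature level, e.g. "S552"
    requires: Optional[str]   # the "req-" prerequisite (engine level or IPS version)


# x.y-z with the optional "a" or "p1" suffix shown in Figure 20-1.
_VER = r"\d+\.\d+-\d+(?:[a-z]|p\d+)?"

# Order matters: the K9-sys and K9-r forms must be tried before the plain K9 update form.
_PATTERNS = (
    # IPS-identifier-sig-S552-req-E4.pkg (Table 20-1, signature update)
    ("signature-update",
     re.compile(r"^IPS-(?P<platform>[^-]+)-sig-(?P<signature>S\d+)-req-(?P<requires>E\d+)\.pkg$")),
    # IPS-identifier-engine-E4-req-7.2-2.pkg (Table 20-1, signature engine update)
    ("engine-update",
     re.compile(rf"^IPS-(?P<platform>[^-]+)-engine-(?P<engine>E\d+)-req-(?P<requires>{_VER})\.pkg$")),
    # IPS-4520-K9-sys-1.1-a-7.2-1-E4.img (system image, Working With Upgrade Files)
    ("system-image",
     re.compile(rf"^IPS-(?P<platform>[^-]+)-K9-sys-\d+\.\d+-a-(?P<version>{_VER})-(?P<engine>E\d+)\.img$")),
    # IPS-SSP_10-K9-r-1.1-a-7.2-1-E4.pkg (recovery partition image)
    ("recovery-image",
     re.compile(rf"^IPS-(?P<platform>[^-]+)-K9-r-\d+\.\d+-a-(?P<version>{_VER})-(?P<engine>E\d+)\.pkg$")),
    # IPS-identifier-K9-x.y-z[a or p1]-E1 (Figure 20-1); no identifier when platform-independent
    ("update",
     re.compile(rf"^IPS-(?:(?P<platform>[^-]+)-)?K9-(?P<version>{_VER})-(?P<engine>E\d+)\.pkg$")),
)


def parse_ips_filename(filename: str) -> Optional[IpsPackage]:
    """Return the parsed package, or None when the name matches none of the known forms."""
    for kind, pattern in _PATTERNS:
        m = pattern.match(filename)
        if m:
            g = m.groupdict()
            return IpsPackage(kind=kind, platform=g.get("platform"), version=g.get("version"),
                              engine=g.get("engine"), signature=g.get("signature"),
                              requires=g.get("requires"))
    return None


def applies_to(filename: str, platform: str) -> bool:
    """True when the file is platform-independent or carries this sensor's identifier.

    A file that does not parse, or that names another platform, is rejected; this is
    the check worth running before `copy ... upgrade-file` or `upgrade` is issued.
    """
    if platform not in PLATFORM_IDENTIFIERS:
        raise ValueError(f"unknown platform identifier: {platform}")
    pkg = parse_ips_filename(filename)
    if pkg is None:
        return False
    return pkg.platform is None or pkg.platform == platform


if __name__ == "__main__":
    # Constructed sample names: Table 20-1 placeholders with "identifier" replaced by 4345,
    # plus the real filenames quoted in Chapter 21 and the upgrade history.
    for name in ("IPS-4345-sig-S552-req-E4.pkg", "IPS-4345-engine-E4-req-7.2-2.pkg",
                 "IPS-4520-K9-sys-1.1-a-7.2-1-E4.img", "IPS-SSP_10-K9-r-1.1-a-7.2-1-E4.pkg",
                 "IPS-K9-7.2-1-E4.pkg", "IPS-9999-K9-7.2-1-E4.pkg"):
        print(f"{name}: {parse_ips_filename(name)} -> applies to SSP_10: {applies_to(name, 'SSP_10')}")
```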
• Release and General Information—Contains documentation roadmaps and release notes.
• Reference Guides—Contains command references and technical references.
• Design—Contains design guide and design tech notes.
• Install and Upgrade—Contains hardware installation and regulatory guides.
• Configure—Contains configuration guides for IPS CLI, IDM, and IME.
• Troubleshoot and Alerts—Contains TAC tech notes and field notices.
Chapter 21 Upgrading, Downgrading, and Installing System Images
This chapter describes how to upgrade, downgrade, and install system images.
• All user configuration settings are lost when you install the system image. Before trying to recover the sensor by installing the system image, try to recover by using the recover application-partition command or by selecting the recovery partition during sensor bootup.
For More Information
• For the procedure for accessing downloads on Cisco.com, see Obtaining Cisco IPS Software, page 20-1.
For More Information
• For the procedure for initializing the sensor, see Basic Sensor Setup, page 2-4.
• For the procedure for locating software on Cisco.com, see Obtaining Cisco IPS Software, page 20-1.
Supported FTP and HTTP/HTTPS Servers
The following FTP servers are supported for IPS software updates:
• WU-FTPD 2.6.2 (Linux)
• Solaris 2.8
• Sambar 6.0 (Windows 2000)
• Serv-U 5.
Upgrade Notes and Caveats
For a list of the upgrade notes and caveats for each IPS version, refer to the Release Notes for your IPS version found at this URL: http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/prod_release_notes_list.html
Manually Upgrading the Sensor
Caution You must log in to Cisco.com using an account with cryptographic privileges to download software.
Upgrading the Sensor
Note The CLI output is an example of what your configuration may look like. It will not match exactly due to the optional setup choices, sensor model, and IPS version you have installed.
To upgrade the sensor, follow these steps:
Step 1 Download the appropriate file to an FTP, SCP, HTTP, or HTTPS server that is accessible from your sensor.
boot is using 61.2M out of 70.1M bytes of available disk space (92% usage)
application-log is using 494.0M out of 513.
To work with upgrade files, follow these steps:
Step 1 Log in to the sensor using an account with administrator privileges.
Step 2 Copy the upgrade file.
sensor# copy scp://jsmith@10.106.132.245//tftpboot/jsmith/IPS-4520-K9-sys-1.1-a-7.2-1-E4.img upgrade-file
Password: *********
IPS-4520-K9-sys-1.1-a-7.2-1-E4.img 43MB 1.1MB/s 00:38
Step 3 Display the list of upgrade files.
sensor(config)# upgrade ftp://user@server_ipaddress//upgrade_path/IPS-SSP_10-K9-r-1.1-a-7.2-1-E4.pkg
Step 5 Enter the server password. The upgrade process begins.
Note This procedure only reimages the recovery partition. The application partition is not modified by this upgrade. To reimage the application partition after the recovery partition, use the recover application-partition command.
You specify the following information to schedule automatic upgrades:
• Server IP address
• Path of the directory on the file server where the sensor checks for upgrade files
• File copy protocol (SCP or FTP)
• Username and password
• Upgrade schedule
You must download the software upgrade from Cisco.com and copy it to the upgrade directory before the sensor can poll for automatic upgrades.
• user-name user_name—Specifies the username for server authentication.
• user-server {disabled | enabled}—Enables automatic upgrades from a user-defined server.
Configuring Automatic Upgrades
If you get an unauthorized error message while configuring an automatic update, make sure you have the correct ports open on any firewalls between the sensor and Cisco.com.
Step 4 Specify the username for authentication.
sensor(config-hos-ena)# user-name tester
Step 5 Specify the password of the user.
sensor(config-hos-ena)# password
Enter password[]: ******
Re-enter password: ******
Step 6 Specify the scheduling:
a.
• For the output of the show statistics host command, see Displaying Statistics, page 17-28.
• For the IDM procedure for automatically upgrading the sensor, refer to Configuring Automatic Update. For the IME procedure, refer to Configuring Automatic Update.
• For more information about copying, displaying, and erasing upgrade files, see Working With Upgrade Files, page 21-6.
For More Information
• For the procedure for configuring automatic update, see Configuring Automatic Updates, page 21-8.
• For the procedure for configuring DNS and HTTP proxy servers, see Configuring the DNS and Proxy Servers for Global Correlation and Automatic Update, page 3-10.
Installing System Images
Recovering the Application Partition Image
To recover the application partition image, follow these steps:
Step 1 Download the recovery partition image file to an FTP, HTTP, or HTTPS server that is accessible from your sensor.
Step 2 Log in to the CLI using an account with administrator privileges.
Step 3 Enter configuration mode.
sensor# configure terminal
Step 4 Recover the application partition image.
• Installing the System Image for the IPS 4345 and IPS 4360, page 21-16
• Installing the System Image for the IPS 4510 and IPS 4520, page 21-19
• Installing the System Image for the ASA 5500-X IPS SSP, page 21-22
• Installing the System Image for the ASA 5585-X IPS SSP, page 21-23
ROMMON
Some Cisco sensors include a preboot CLI called ROMMON, which lets you boot images on sensors where the image on the primary
Step 2 Configure the line and port on the terminal server. In enable mode, enter the following configuration, where # is the line number of the port to be configured.
config t
line #
login
transport input all
stopbits 1
flowcontrol hardware
speed 9600
exit
exit
wr mem
Step 3 Be sure to properly close a terminal session to avoid unauthorized access to the appliance.
Low Memory: 631 KB
High Memory: 2048 MB
PCI Device Table.
The variables have the following definitions:
• Address—Local IP address of the IPS 4345.
• Server—TFTP server IP address where the application image is stored.
• Gateway—Gateway IP address used by the IPS 4345.
• Port—Ethernet interface used for the IPS 4345 management.
• VLAN—VLAN ID number (leave as untagged).
• Image—System image file/path name.
• Config—Unused by these platforms.
UNIX Example
rommon> IMAGE=system_images/IPS-4345-K9-sys-1.1-a-7.2-1-E4.img
Note The path is relative to the default tftpboot directory of the UNIX TFTP server. Images located in the default tftpboot directory do not have any directory names or slashes in the IMAGE specification.
Windows Example
rommon> IMAGE=system_images/IPS-4345-K9-sys-1.1-a-7.2-1-E4.
You can install the IPS 4510 and IPS 4520 system image by using the ROMMON on the appliance to TFTP the system image onto the compact flash device. To install the IPS 4510 system image, follow these steps:
Step 1 Download the IPS 4510 system image file to the tftp root directory of a TFTP server that is accessible from your IPS 4510.
Step 5 If necessary, assign an IP address for the Management port on the IPS 4510.
rommon> ADDRESS=ip_address
Note Use the same IP address that is assigned to the IPS 4510.
Step 6 If necessary, assign the TFTP server IP address.
rommon> SERVER=ip_address
Step 7 If necessary, assign the gateway IP address.
Note If the network settings are correct, the system downloads and boots the specified image on the IPS 4510. Be sure to use the IPS 4510 image.
For More Information
• For more information about TFTP servers, see TFTP Servers, page 21-15.
• For a list of the specific system image files, see IPS 7.2(1)E4 Files, page 21-3.
• For the procedure for locating software on Cisco.
Mod  Card Type                                       Model     Serial No.
---  ----------------------------------------------  --------  ----------
  0  Cisco ASA 5545 Appliance with 8 GE ports, 1     ASA5545
  1  IPS 5545 Intrusion Protection System            IPS5545

Mod  MAC Address Range                 Hw Version  Fw Version
---  --------------------------------  ----------  ----------
  0  503d.e59c.6dc1 to 503d.e59c.6dca  1.0         N/A
ips  503d.e59c.6dcb to 503d.e59c.6dcb  N/A
Installing the ASA 5585-X IPS SSP System Image Using the hw-module Command
Note Be sure the TFTP server that you specify can transfer files up to 60 MB in size.
Note This process can take approximately 15 minutes to complete, depending on your network and the size of the image.
Note The CLI output is an example of what your configuration may look like.
Example
Port IP Address [0.0.0.0]: 10.89.149.231
Step 7 Leave the VLAN ID at 0.
VLAN ID [0]:
Step 8 Specify the default gateway of the ASA 5585-X IPS SSP.
Gateway IP Address [0.0.0.0]:
Example
Gateway IP Address [0.0.0.0]: 10.89.149.254
Step 9 Execute the recovery. This transfers the software image from the TFTP server to the ASA 5585-X IPS SSP and restarts it.
Step 11 Session to the ASA 5585-X IPS SSP.
Step 12 Enter cisco three times and your new password twice.
Step 13 Initialize the ASA 5585-X IPS SSP with the setup command.
For More Information
• For more information about TFTP servers, see TFTP Servers, page 21-15.
• For a list of the specific system image files, see IPS 7.2(1)E4 Files, page 21-3.
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
The system enters ROMMON mode. The rommon> prompt appears.
Step 4 Check the current network settings.
rommon #0> set
ROMMON Variable Settings:
ADDRESS=0.0.0.0
SERVER=0.0.0.0
GATEWAY=0.0.0.
Step 9 Verify that you have access to the TFTP server by pinging it from your local Ethernet port with one of the following commands.
rommon> ping server_ip_address
rommon> ping server
Step 10 If necessary, define the path and filename on the TFTP file server from which you are downloading the image.
rommon> IMAGE=path/file_name
Caution Make sure that you enter the IMAGE command in all uppercase.
For More Information
• For more information about TFTP servers, see TFTP Servers, page 21-15.
• For a list of the specific system image files, see IPS 7.2(1)E4 Files, page 21-3.
• For the procedure for initializing ASA 5585-X IPS SSP, see Advanced Setup for the ASA 5585-X IPS SSP, page 2-17.
Appendix A
System Architecture
This appendix describes the IPS system architecture, and contains the following sections:
• IPS System Design, page A-1
• System Applications, page A-3
• Recovery partition—A special purpose image used for recovery of the sensor. Booting into the recovery partition enables you to completely reimage the application partition. Network settings are preserved, but all other configuration is lost.
IPS System Design
Figure A-1 illustrates the system design for IPS software.
System Applications
Figure A-2 illustrates the system design for IPS software for the IPS 4500 series sensors.
The Cisco IPS software includes the following applications:
• MainApp—Initializes the system, starts and stops the other applications, configures the OS, and performs upgrades. It contains the following components:
– ctlTransSource (Control Transaction server)—Allows sensors to send control transactions. This is used to enable the master blocking sensor capability of Attack Response Controller (formerly known as Network Access Controller).
You interact with the Cisco IPS in the following ways:
• Configure device parameters
You generate the initial configuration for the system and its features. This is an infrequent task, usually done only once. The system has reasonable default values to minimize the number of modifications you must make. You can configure Cisco IPS through the CLI, IDM, IME, CSM, ASDM, or through another application using SDEE.
MainApp
This section describes the MainApp, and contains the following topics:
• Understanding the MainApp, page A-6
• MainApp Responsibilities, page A-6
• Event Store, page A-7
• NotificationApp, page A-9
• CtlTransSource, page A-11
• Attack Response Controller, page A-12
• Logger, page A-19
• AuthenticationApp, page A-20
• Web Server, page A-22
Understanding the MainApp
The MainApp includes all IPS components except SensorApp and the CLI.
Note In the Cisco IPS, the MainApp can automatically download signature and signature engine updates from Cisco.com.
Table A-1 shows some examples:
Table A-1 IPS Event Examples
IPS Event Type              Intrusion Event Priority  Start Time Stamp Value  Stop Time Stamp Value  Meaning
status                      —                         0                       Maximum value          Get all status events that are stored.
error, status               —                         0                       65743
status                      —                         65743                   Maximum value          Get status events that were stored at or after time 65743.
intrusion, attack response  low                       0                       Maximum value          Get all intrusion and attack response events with low priority that are stored.
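A toy model of the Event Store query semantics summarised in Table A-1, added here as an illustration (it is not Cisco's code). Each query names the event types wanted, an optional priority filter for intrusion and attack response events, and an inclusive start/stop time-stamp window; the stored events, their time stamps and the "Maximum value" sentinel are constructed.

```python
"""Added example, not Cisco's code: Event Store queries as in Table A-1.
Events, time stamps and the MAX_VALUE sentinel are constructed values."""
from dataclasses import dataclass
from typing import Optional

MAX_VALUE = 2**64 - 1  # stands in for the "Maximum value" stop time stamp


@dataclass(frozen=True)
class Event:
    kind: str                       # "status", "error", "intrusion", "attack response"
    timestamp: int                  # constructed stamp; real sensors use UTC time
    priority: Optional[str] = None  # only intrusion/attack response events carry one


# Constructed sample store; stamps chosen around the 65743 used in Table A-1.
SAMPLE_STORE = [
    Event("status", 100),
    Event("error", 65000),
    Event("status", 65743),
    Event("intrusion", 65800, "low"),
    Event("intrusion", 65900, "high"),
    Event("attack response", 70000, "low"),
    Event("status", 80000),
]


def query(store, types, start, stop=MAX_VALUE, priority=None):
    """Return events whose type is in `types`, whose time stamp lies in
    [start, stop] inclusive, and (when given) whose priority matches.
    A priority filter never matches status or error events, because they
    carry no priority."""
    wanted = set(types)
    return [
        e for e in store
        if e.kind in wanted
        and start <= e.timestamp <= stop
        and (priority is None or e.priority == priority)
    ]


def table_a1_examples(store=SAMPLE_STORE):
    """The four queries of Table A-1 run against the constructed store."""
    return {
        "all status": query(store, ["status"], 0),
        "error and status up to 65743": query(store, ["error", "status"], 0, 65743),
        "status at or after 65743": query(store, ["status"], 65743),
        "low priority intrusion/attack response":
            query(store, ["intrusion", "attack response"], 0, priority="low"),
    }
```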
Control transactions involve the following types of requests:
• Request to update the configuration data of an application instance
• Request for the diagnostic data of an application instance
• Request to reset the diagnostic data of an application instance
• Request to restart an application instance
• Request for ARC, such as a block request
Control transactions have the following characteristics:
• They always consist of a request followed by a respons
• Time (UTC and local time)
• Signature name
• Signature ID
• Subsignature ID
• Participant information
• Alarm traits
The NotificationApp sends the following information from the evAlert event in detail mode:
• Originator information
• Event ID
• Event severity
• Time (UTC and local time)
• Signature name
• Signature ID
• Subsignature ID
• Version
• Summary
• Interface group
• VLAN
• Participant information
• Actions
• Alarm t
• TCP streams in embryonic state
• TCP streams in established state
• TCP streams in closing state
• TCP streams in system
• TCP packets queued for reassembly
• Total nodes active
• TCP nodes keyed on both IP addresses and both ports
• UDP nodes keyed on both IP addresses and both ports
• IP nodes keyed on both IP addresses
• Sensor memory critical stage
• Interface status
• Command and control packet statistics
• Fail-over state
• System u
Figure A-3 shows the transactionHandlerLoop method in the CtlTransSource.
Figure A-3 CtlTransSource (diagram: CtlTransSource class with CtlTransSource and transactionHandlerLoop methods; IDAPI; HTTP Client)
When the transactionHandlerLoop receives a remotely addressed transaction, it tries to forward the remote control transaction to its remote destination. The transactionHandlerLoop formats the transaction into a control transaction message.
Understanding the ARC
The main responsibility of the ARC is to block events. When it responds to a block, it either interacts with the devices it is managing directly to enable the block or it sends a block request through the Control Transaction Server to a master blocking sensor. The web server on the master blocking sensor receives the control transaction and passes it to the Control Transaction Server, which passes it to the ARC.
ARC Features
The ARC has the following features:
• Communication through Telnet and SSH 1.5 with 3DES (the default) or DES encryption
Only the protocol specified in the ARC configuration for that device is attempted. If the connection fails for any reason, the ARC attempts to reestablish it.
• Maintaining blocking state across network device restarts
The ARC reapplies blocks and removes expired blocks as needed whenever a network device is shut down and restarted. The ARC is not affected by simultaneous or overlapping shutdowns and restarts of the ARC.
• Authentication and authorization
The ARC can establish a communications session with a network device that uses AAA authentication and authorization including the use of remote TACACS+ servers.
• Catalyst 6000 MSFC2 with Catalyst software 5.4(3) or later and Cisco IOS 12.1(2)E or later on the MSFC2
• Cisco ASA 5500 series models: ASA 5510, ASA 5520, and ASA 5540
• FWSM
Note The FWSM cannot block in multi-mode admin context.
ACLs and VACLs
If you want to filter packets on an interface or direction that the ARC controls, you can configure the ARC to apply an ACL before any blocks (preblock ACL) and to apply an ACL after any blocks (postblock ACL).
The following scenarios demonstrate how the ARC maintains state across restarts.
Scenario 1
There are two blocks in effect when the ARC stops and one of them expires before the ARC restarts. When the ARC restarts, it first reads the nac.shun.txt file. It then reads the preblock and postblock ACLs or VACLs. The active ACL or VACL is built in the following order:
1. The allow sensor_ip_address command (unless the allow sensor shun command has been configured)
2.
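A toy model of Scenario 1, added as an illustration (not Cisco's code): the ARC replays its persisted block list at restart, drops the block whose timeout elapsed while it was down, and assembles the active ACL. The page lists only the first item of the build order, so the rest is assumed from the ACLs and VACLs description: sensor allow entry, then preblock ACL, then block entries, then postblock ACL; the entry syntax, addresses and times are constructed.

```python
"""Added example, not Cisco's code: rebuilding the ARC's active ACL after a
restart (Scenario 1). Block order after the sensor allow entry is assumed
from the preblock/postblock description; all values are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Block:
    address: str   # host to block (constructed documentation addresses)
    started: int   # seconds since epoch when the block was applied
    timeout: int   # block duration in seconds

    def expired(self, now):
        return now >= self.started + self.timeout


def rebuild_active_acl(sensor_ip, persisted_blocks, preblock, postblock,
                       now, allow_sensor_shun=False):
    """Return the ordered ACL entries the ARC reapplies at restart.
    persisted_blocks stands in for the contents of nac.shun.txt."""
    acl = []
    if not allow_sensor_shun:
        # "allow sensor_ip_address" entry, omitted when allow sensor shun is set
        acl.append(f"permit ip host {sensor_ip} any")   # constructed IOS-style form
    acl.extend(preblock)                                 # preblock ACL, before any blocks
    for b in persisted_blocks:
        if b.expired(now):
            continue                                     # expired while down: not reapplied
        acl.append(f"deny ip host {b.address} any")
    acl.extend(postblock)                                # postblock ACL, after all blocks
    return acl


def scenario_1(now=1_000_600):
    """Two blocks in effect when the ARC stopped; one expired before restart."""
    persisted = [
        Block("192.0.2.10", started=1_000_000, timeout=300),   # expired at 1_000_300
        Block("192.0.2.20", started=1_000_500, timeout=1800),  # still active at `now`
    ]
    return rebuild_active_acl(
        sensor_ip="198.51.100.5",
        persisted_blocks=persisted,
        preblock=["permit udp any any eq ntp"],
        postblock=["deny ip any any"],
        now=now,
    )
```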
Caution Cisco firewalls do not support connection blocking of hosts. When a connection block is applied, the firewall treats it like an unconditional block. Cisco firewalls also do not support network blocking. ARC never tries to apply a network block to a Cisco firewall.
Blocking with Cisco Firewalls
The ARC performs blocks on firewalls using the shun command.
Blocking with Catalyst Switches
Catalyst switches with a PFC filter packets using VACLs. VACLs filter all packets between VLANs and within a VLAN. MSFC router ACLs are supported when WAN cards are installed and you want the sensor to control the interfaces through the MSFC2.
Note An MSFC2 card is not a required part of a Catalyst switch configuration for blocking with VACLs.
The Logger can control what log messages are generated by each application by controlling the logging severity for different logging zones. You would only access the individual-zone-control of the logger service at the request and supervision of a TAC engineer or developer. For troubleshooting purposes, TAC might request that you turn on debug logging.
AuthenticationApp to authenticate the identity of the user. The control transaction request typically includes the username and a password, or the identity of the user can be authenticated using an SSH authorized key. The AuthenticationApp responds to the execAuthenticateUser control transaction request by attempting to authenticate the identity of the user.
Each TLS client has different procedures for establishing this trust. The sensor itself includes a TLS client that is used to send control transactions to other sensors and download upgrades and configuration files from other TLS web servers. Use the tls trusted-host command to establish trust of the TLS servers with which the sensor communicates.
SensorApp
Understanding the SensorApp
The SensorApp performs packet capture and analysis. Policy violations are detected through signatures in the SensorApp and the information about the violations is forwarded to the Event Store in the form of an alert. Packets flow through a pipeline of processors fed by a producer designed to collect packets from the network interfaces on the sensor.
that were quiescent during the hold-down period will not be forwarded and will be allowed to timeout. Those streams that were synchronized during the hold-down period are allowed to continue.
• Signature Analysis Processor—This processor dispatches packets to the inspectors that are not stream-based and that are configured for interest in the packet in process.
• Slave Dispatch Processor—A process found only on dual CPU systems.
• Event risk rating
Event risk rating helps reduce false positives from the system and gives you more control over what causes an alarm.
Signature Event Action Processor
The Signature Event Action Processor coordinates the data flow from the signature event in the Alarm Channel to processing through the Signature Event Action Override, the Signature Event Action Filter, and the Signature Event Action Handler. It consists of the following components:
• Alarm Channel—The unit that represents the area to communicate signature events from the SensorApp inspection path to signature event handling.
Figure A-5 Signature Event Through Signature Event Action Processor (diagram: signature event with configured action; event count; consumed signature event; signature event; signature event action override adds an action based on RR; signature event action filter subtracts an action based on signature, address, port, RR, etc.)
• Set of rules score weight values
• Set of IP addresses and address ranges, which together with the rules and alerts provide the information needed to calculate reputation scores
• List of IP addresses and address ranges for which traffic should always be denied
• Network participation configuration, which allows the server to control the rate at which sensors send telemetry data to the server
The sensor sends collaboration information to the Netwo
Caution You receive a warning message if you have enabled global correlation, but you have not configured a DNS or HTTP proxy server. This warning is a reminder to either disable global correlation or add a DNS or HTTP proxy server.
For More Information
For the procedure for adding a DNS or proxy server to support global correlation, see Changing Network Settings, page 3-2.
Error Events
Whenever a global correlation update fails, an evError event is generated.
CLI
The CLI provides the sensor user interface for all direct node access such as Telnet, SSH, and serial interface. You configure the sensor applications with the CLI. Direct access to the underlying OS is allowed through the service role. This section describes the IPS CLI, and contains the following topics:
• User Roles, page A-30
• Service Account, page A-31
User Roles
Caution You should carefully consider whether you want to create a service account.
Note For IPS 5.0 and later, you can no longer remove the cisco account. You can disable it using the no password cisco command, but you cannot remove it. To use the no password cisco command, there must be another administrator account on the sensor. Removing the cisco account through the service account is not supported.
Communications
IDAPI
IPS applications use an interprocess communication API called the IDAPI to handle internal communications. The IDAPI reads and writes event data and provides a mechanism for control transactions. The IDAPI is the interface through which all the applications communicate. The SensorApp captures and analyzes the network traffic on its interfaces. When a signature is matched, the SensorApp generates an alert, which is stored in the Event Store.
IDCONF
The Cisco IPS manages its configuration using XML documents. IDCONF specifies the XML schema including the Cisco IPS control transactions. The IDCONF schema does not specify the contents of the configuration documents, but rather the framework and building blocks from which the configuration documents are developed.
CIDEE
CIDEE specifies the extensions to SDEE that are used by the Cisco IPS. The CIDEE standard specifies all possible extensions that are supported by the Cisco IPS. Specific systems may implement a subset of CIDEE extensions. However, any extension that is designated as being required MUST be supported by all systems. CIDEE specifies the Cisco IPS-specific security device events and the IPS extensions to the SDEE evIdsAlert element.
• /usr/cids/idsRoot/bin—Contains the binary executables.
• /usr/cids/idsRoot/bin/authentication—Contains the authentication application.
• /usr/cids/idsRoot/bin/cidDump—Contains the script that gathers data for tech support.
• /usr/cids/idsRoot/bin/cidwebserver—Contains the web server application.
• /usr/cids/idsRoot/bin/cidcli—Contains the CLI application.
• /usr/cids/idsRoot/bin/nac—Contains the ARC application.
Table A-2 Summary of Applications (continued)
Application   Description
IDM           The Java applet that provides an HTML IPS management interface.
IME           The Java applet that provides an interface for viewing and archiving events.
InterfaceApp  Handles bypass and physical settings and defines paired interfaces. Physical settings are speed, duplex, and administrative state.
Appendix B
Signature Engines
This appendix describes the IPS signature engines, and contains the following sections:
• Understanding Signature Engines, page B-1
• Master Engine, page B-4
• Regular Expression Syntax, page B-9
• AIC Engine, page B-10
• Atomic Engine, page B-14
• Fixed Engine, page B-30
• Flood Engine, page B-32
• Meta Engine, page B-33
• Multi String Engine, page B-35
• Normalizer Engine, page B-36
• Service Engines, page B-39
• State Engine, page B-60
• Stri
Understanding Signature Engines
Cisco IPS contains the following signature engines:
• AIC—Provides thorough analysis of web traffic. The AIC engine provides granular control over HTTP sessions to prevent abuse of the HTTP protocol. It allows administrative control over applications, such as instant messaging and gotomypc, that try to tunnel over specified ports. You can also use AIC to inspect FTP traffic and control the commands being issued.
– HTTP V2—Supports IOS IPS. This signature engine provides a protocol decode engine tuned for IOS IPS. If you try to use this engine, you receive an error message.
– IDENT—Inspects IDENT (client and server) traffic.
– MSRPC—Inspects MSRPC traffic.
– MSSQL—Inspects Microsoft SQL traffic.
– NTP—Inspects NTP traffic.
– P2P—Inspects P2P traffic.
– RPC—Inspects RPC traffic.
Note The Regex accelerator card is used for both the standard String engines and the String XL engines. Most standard String engine signatures can be compiled and analyzed by the Regex accelerator card without modification. However, there are special circumstances in which the standard String engine signatures cannot be compiled for the Regex accelerator card.
Table B-1 Master Engine Parameters (continued)
• alert-severity (high | medium | low | informational (default))—Specifies the severity of the alert:
  – high—Dangerous alert
  – medium—Medium-level alert
  – low—Low-level alert
  – informational (default)—Informational alert
• sig-fidelity-rating (0 to 100, default = 100)—Specifies the rating of the fidelity of this signature.
• promisc-delta—Specifies the delta value used to determine the seriousness of the alert.
Table B-1 Master Engine Parameters (continued)
• specify-alert-interval {yes | no}—Enables the alert interval:
  – alert-interval (2 to 1000)—Specifies the time in seconds before the event count is reset.
• status (enabled | retired {yes | no})—Specifies whether the signature is enabled or disabled, active or retired.
• obsoletes—Indicates that a newer signature has disabled an older signature.
Obsoletes
The Cisco signature team uses the obsoletes field to indicate obsoleted, older signatures that have been replaced by newer, better signatures, and to indicate disabled signatures in an engine when a better instance of that engine is available. For example, some String XL hardware-accelerated signatures now replace equivalent signatures that were defined in the String engine.
Table B-2 Master Engine Alert Frequency Parameters (continued)
• specify-global-summary-threshold {yes | no}—Enables global summary threshold mode:
  – global-summary-threshold—Specifies the threshold number of events to take alerts into global summary.
• deny-attacker-inline (inline mode only)—Does not transmit this packet and future packets from the attacker address for a specified period of time.
Note This is the most severe of the deny actions. It denies the current and future packets from a single attacker address. Each deny address times out for X seconds from the first event that caused the deny to start, where X is the amount of seconds that you configured.
Table B-3 Signature Regular Expression Syntax (continued)
Metacharacter  Name                     Description
[^abc]         Negated character class  Any character not listed.
[a-z]          Character range class    Any character listed inclusively in the range.
()             Parenthesis              Used to limit the scope of other metacharacters.
|              Alternation, or          Matches either expression it separates.
^              Caret                    The beginning of the line.
AIC Engine
Understanding the AIC Engine
AIC provides thorough analysis of web traffic. It provides granular control over HTTP sessions to prevent abuse of the HTTP protocol. It allows administrative control over applications, such as instant messaging and gotomypc, that try to tunnel over specified ports. Inspection and policy checks for P2P and instant messaging are possible if these applications are running over HTTP.
• FTP traffic:
– FTP command authorization and enforcement
Table B-5 lists the parameters that are specific to the AIC HTTP engine.
Table B-5 AIC HTTP Engine Parameters
• signature-type—Specifies the type of AIC signature.
Table B-5 AIC HTTP Engine Parameters (continued)
• request-methods—Specifies an AIC signature that allows actions to be associated with HTTP request methods:
  – define-request-method—Specifies get, put, and so forth.
  – recognized-request-methods—Lists methods recognized by the sensor.
• transfer-encodings—
• For more information on the parameters common to all signature engines, see Master Engine, page B-4.
Atomic Engine
The Atomic engine contains signatures for simple, single packet conditions that cause alerts to be fired.
Table B-7 Atomic ARP Engine Parameters (continued)
• specify-type-of-arp-sig {yes | no}—(Optional) Enables the ARP signature type:
  – type-of-arp-sig—Specifies the type of ARP signatures you want to fire on:
    – Destination Broadcast—Fires an alert for this signature when it sees an ARP destination address of 255.255.255.255.
Only the outermost IP tunnel is identified. When an IPv6 tunnel or IPv6 traffic inside of an IPv4 tunnel is detected, a signature fires an alert. All of the other IPv6 traffic in embedded tunnels is not inspected. The following tunneling methods are supported, but not individually detected.
Table B-8 lists the parameters that are specific to the Atomic IP Advanced engine.
Table B-8 Atomic IP Advanced Engine Parameters
• fragment-status—Specifies whether or not fragments are wanted.
Table B-8 Atomic IP Advanced Engine Parameters (continued)
• specify-max-match-offset {yes | no}—Enables maximum match offset:
  – max-match-offset (0 to 65535)—Specifies the maximum stream offset the regex-string must report for a match to be valid.
Table B-8 Atomic IP Advanced Engine Parameters (continued)
• specify-flow-label {yes | no}—(Optional) Enables inspection of the flow label:
  – flow-label (0 to 1048575)—Specifies the value of the flow label to inspect.
• specify-headers-out-of-order {yes | no}—(Optional) Enables inspection of out-of-order headers:
  – headers-out-of-order—Inspects headers that are out of order.
Table B-8 Atomic IP Advanced Engine Parameters (continued)
• specify-ipv6-addr-options {yes | no}—(Optional) Enables the IPv6 address options:
  – ipv6-addr-options (true | false)—Specifies the IPv6 address options:
    – address-with-localhost—IP address with ::1.
    – documentation-address—IP address with 2001:db8::/32 prefix.
    – ipv6-addr—IP address.
    – link-local-address—Inspects for an IPv6 link local address.
Table B-8 Atomic IP Advanced Engine Parameters (continued)
• specify-routing-header {yes | no}—(Optional) Enables inspection of the routing header:
  – rh-present (have-rh | no-rh)—Inspects the routing header.
• specify-traffic-class {yes | no}—(Optional) Enables inspection of the traffic class:
  – traffic-class (0 to 255)—Specifies the value of the traffic class to inspect.
Table B-8 Atomic IP Advanced Engine Parameters (continued)
• specify-ip-ttl {yes | no}—(Optional) Enables inspection of the IP time-to-live:
  – ip-ttl (0 to 255)—Specifies the value of the IP TTL to inspect.
• specify-ip-version {yes | no}—(Optional) Enables inspection of the IP version:
  – ip-version (0 to 16)—Specifies which IP version to inspect.
Table B-8 Atomic IP Advanced Engine Parameters (continued)
• specify-icmpv6-code {yes | no}—(Optional) Enables inspection of the Layer 4 ICMPv6 code.
• specify-icmpv6-id {yes | no}
• specify-icmpv6-length {yes | no}
• specify-icmpv6-option-type {yes | no}
• specify-icmpv6-option-length {yes | no}
• specify-icmpv6-seq {yes | no}:
  – icmpv6-seq (0 to 65535)—Specifies the value of the ICMPv6 header SEQUENCE.
Table B-8 Atomic IP Advanced Engine Parameters (continued)
• specify-tcp-mask {yes | no}—(Optional) Enables the TCP mask for use:
  – tcp-mask (urg | ack | psh | rst | syn | fin)—Specifies the mask used in TCP flags comparison:
    – URG bit
    – ACK bit
    – PSH bit
    – RST bit
    – SYN bit
    – FIN bit
• specify-tcp-flags {yes | no}—(Optional) Enables TCP flags for use:
  – tcp-flags—Specifies the TCP flags to match when masked by mask:
    – URG bit
    – ACK bi
Table B-8 Atomic IP Advanced Engine Parameters (continued)
• specify-udp-valid-length {yes | no}—(Optional) Enables inspection of the Layer 4 UDP valid length:
  – udp-valid-length (0 to 65535)—Specifies the UDP packet lengths that are considered valid and should not be inspected.
• specify-udp-length-mismatch {yes | no}
Table B-9 Atomic IP Engine Parameters (continued)
specify-ip-id {yes | no}
    (Optional) Enables inspection of the IP identifier:
    • ip-id—Specifies the IP ID to inspect.
    Value: 0 to 255
specify-ip-option-inspection {yes | no}
    (Optional) Enables inspection of the IP options:
    • ip-option-inspection—Specifies the value of the IP option:
      – ip-option—Specifies the IP OPTION code to match.
    Value: 0 to 65535
Table B-9 Atomic IP Engine Parameters (continued)
specify-icmp-id {yes | no}
    (Optional) Enables inspection of the Layer 4 ICMP ID:
    • icmp-id—Specifies the value of the ICMP header IDENTIFIER.
    Value: 0 to 65535
specify-icmp-seq {yes | no}
    (Optional) Enables inspection of the Layer 4 ICMP sequence:
    • icmp-seq—Specifies the ICMP sequence to inspect.
specify-icmp-type {yes | no}
Table B-9 Atomic IP Engine Parameters (continued)
specify-tcp-flags {yes | no}
    (Optional) Enables TCP flags for use:
    • tcp-flags—Specifies the TCP flags to match when masked by mask:
      – URG bit
      – ACK bit
      – PSH bit
      – RST bit
      – SYN bit
      – FIN bit
    Value: urg, ack, psh, rst, syn, fin
specify-tcp-reserved {yes | no}
    (Optional) Enables TCP reserved for use:
    • tcp-reserved—Specifies the value of TCP reserved.
Table B-9 Atomic IP Engine Parameters (continued)
specify-udp-valid-length {yes | no}
    (Optional) Enables inspection of the Layer 4 UDP valid length:
    • udp-valid-length—Specifies UDP packet lengths that are considered valid and should not be inspected.
    Value: 0 to 65535
Fixed Engine
Each Neighborhood Discovery type can have one or more Neighborhood Discovery options. The Atomic IPv6 engine inspects the length of each option for compliance with the legal values stated in RFC 2461. A violation of the length of an option results in an alert corresponding to the option type where the malformed length was encountered (signatures 1601 to 1605).
Note The Atomic IPv6 signatures do not have any specific parameters to configure.
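The length check the paragraph describes can be written down directly from RFC 2461 section 4.6: every Neighbor Discovery option is a TLV whose length field counts 8-octet units and must not be zero, and two option types (Prefix Information, MTU) have fixed lengths. The following is an added example, not code from the Cisco guide: it frames the option block of an ND message and reports the first option whose length is illegal, in the same spirit as signatures 1601 to 1605. The per-type signature ID mapping, the ICMPv6 sample packets and the reason strings are constructed for the example; the guide only states that signatures 1601 to 1605 correspond to option types.

```python
import struct

# RFC 2461 Neighbor Discovery option types (section 4.6).
SOURCE_LINK_LAYER_ADDR = 1
TARGET_LINK_LAYER_ADDR = 2
PREFIX_INFORMATION = 3
REDIRECTED_HEADER = 4
MTU = 5

# Options whose length (in 8-octet units) RFC 2461 fixes outright.
FIXED_OPTION_LENGTH = {PREFIX_INFORMATION: 4, MTU: 1}

# Bytes of fixed ND message header preceding the options, by ICMPv6 type
# (RS=133, RA=134, NS=135, NA=136, Redirect=137).
ND_HEADER_LEN = {133: 8, 134: 16, 135: 24, 136: 24, 137: 40}

# Constructed for this example: option type -> signature ID. The guide only
# says signatures 1601 to 1605 correspond to the option type with the bad length.
ASSUMED_SIG_ID = {1: 1601, 2: 1602, 3: 1603, 4: 1604, 5: 1605}


def check_nd_options(options: bytes) -> list:
    """Return length-violation alerts for an ND option block.

    Parsing stops at the first violation: once one TLV length is wrong the
    position of every later option is unknown.
    """
    alerts = []
    off = 0
    while off < len(options):
        if len(options) - off < 2:
            alerts.append({"sig": None, "type": None, "offset": off,
                           "reason": "truncated option header"})
            break
        opt_type, opt_len = struct.unpack_from("!BB", options, off)
        alert = {"sig": ASSUMED_SIG_ID.get(opt_type), "type": opt_type, "offset": off}
        if opt_len == 0:
            alert["reason"] = "option length 0 (RFC 2461 4.6: must be non-zero)"
        elif opt_type in FIXED_OPTION_LENGTH and opt_len != FIXED_OPTION_LENGTH[opt_type]:
            alert["reason"] = (f"option length {opt_len}, RFC 2461 requires "
                               f"{FIXED_OPTION_LENGTH[opt_type]}")
        elif off + opt_len * 8 > len(options):
            alert["reason"] = f"option length {opt_len * 8} bytes runs past end of packet"
        else:
            off += opt_len * 8      # well-formed option, step to the next TLV
            continue
        alerts.append(alert)
        break
    return alerts


def inspect_icmpv6(payload: bytes) -> list:
    """Inspect a raw ICMPv6 payload; only ND message types carry options."""
    if not payload:
        return []
    hdr = ND_HEADER_LEN.get(payload[0])
    if hdr is None or len(payload) < hdr:
        return []                     # not an ND message, or too short to hold options
    return check_nd_options(payload[hdr:])


# Constructed sample packets (checksums left as zero; they are not inspected here).
# Neighbor Solicitation: 24-byte header, then one source link-layer option
# (type 1, length 1 = 8 bytes total).
NS_HEADER = bytes([135, 0, 0, 0]) + bytes(4) + bytes(16)
GOOD_NS = NS_HEADER + bytes([1, 1]) + bytes.fromhex("001122334455")
ZERO_LEN_NS = NS_HEADER + bytes([1, 0]) + bytes.fromhex("001122334455")
# Router Advertisement: 16-byte header, MTU option with length 2 (must be 1).
RA_HEADER = bytes([134, 0, 0, 0]) + bytes(12)
BAD_MTU_RA = RA_HEADER + bytes([5, 2]) + bytes(14)

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_NS), ("zero-len", ZERO_LEN_NS), ("bad-mtu", BAD_MTU_RA)):
        print(name, inspect_icmpv6(pkt))
```

Stopping at the first bad length matters in practice: a zero-length option would otherwise make the loop spin on the same offset, and a length that overruns the packet would read past the buffer in a native implementation.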
Table B-10 Fixed ICMP Engine Parameters (continued)
specify-icmp-type {yes | no}
    (Optional) Enables inspection of the Layer 4 ICMP header type:
    • icmp-type—Specifies the value of the ICMP header TYPE.
    Value: 0 to 65535
swap-attacker-victim
    Swaps the attacker and victim addresses and ports (source and destination) in the alert message and in any actions taken.
Flood Engine
Table B-12 lists the parameters specific to the Fixed UDP engine.
Table B-12 Fixed UDP Engine Parameters
direction
    Specifies the direction of traffic:
    • Traffic from service port destined to client port.
    • Traffic from client port destined to service port.
    Value: from-service, to-service
max-payload-inspect-length
    Specifies the maximum inspection depth for the signature.
Table B-13 lists the parameters specific to the Flood Host engine.
Table B-13 Flood Host Engine Parameters
protocol
    Specifies which kind of traffic to inspect.
    Value: ICMP, UDP
rate
    Specifies the threshold number of packets per second.
    Value: 0 to 65535 (footnote 1)
icmp-type
    Specifies the value for the ICMP header type.
    Value: 0 to 65535
dst-ports
    Specifies the destination ports when you choose UDP protocol.
Meta Engine
All signature events are handed off to the Meta engine by the Signature Event Action Processor. The Signature Event Action Processor hands off the event after processing the minimum hits option. Summarization and event action are processed after the Meta engine has processed the component events. Table B-15 lists the parameters specific to the Meta engine.
Table B-15 Meta Engine Parameters (continued)
meta-key
    Specifies the storage type for the Meta signature:
    • Attacker address (Axxx)
    • Attacker and victim addresses (AxBx)
    • Attacker and victim addresses and ports (AaBb)
    • Victim address (xxBx)
    Value: Axxx, AxBx, AaBb, xxBx
unique-victim-ports
    Specifies the number of unique victim ports required per Meta signature.
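The storage key decides which component events are grouped into one data node before the Meta signature can fire, and unique-victim-ports adds a second condition on that node. The following is an added example, not code from the Cisco guide: a small correlator that groups component signature events by the four meta-key choices from Table B-15 and fires once every component has been seen and enough distinct victim ports are present. The event record layout, the `window_seconds` reset and the requirement that all components fire (regardless of order) are simplifications assumed for this example, not documented engine behaviour.

```python
from typing import Callable, Dict, Optional, Tuple

# meta-key -> function selecting the event fields that form the storage key.
META_KEY_SELECTORS: Dict[str, Callable[[dict], Tuple]] = {
    "Axxx": lambda e: (e["attacker"],),
    "AxBx": lambda e: (e["attacker"], e["victim"]),
    "AaBb": lambda e: (e["attacker"], e["attacker_port"], e["victim"], e["victim_port"]),
    "xxBx": lambda e: (e["victim"],),
}


class MetaSignature:
    """Fires when all component signatures are seen under one storage key."""

    def __init__(self, sig_id: int, component_sigs, meta_key: str = "AxBx",
                 unique_victim_ports: int = 1, window_seconds: float = 60.0):
        if meta_key not in META_KEY_SELECTORS:
            raise ValueError(f"unknown meta-key {meta_key!r}")
        self.sig_id = sig_id
        self.components = frozenset(component_sigs)
        self.select = META_KEY_SELECTORS[meta_key]
        self.unique_victim_ports = unique_victim_ports
        self.window = window_seconds          # assumed reset window for a data node
        self.state: Dict[Tuple, dict] = {}    # storage key -> data node

    def on_event(self, event: dict) -> Optional[dict]:
        if event["sig_id"] not in self.components:
            return None                       # not one of our component events
        key = self.select(event)
        node = self.state.get(key)
        if node is None or event["time"] - node["first"] > self.window:
            node = self.state[key] = {"first": event["time"], "seen": set(), "ports": set()}
        node["seen"].add(event["sig_id"])
        node["ports"].add(event["victim_port"])
        if node["seen"] == self.components and len(node["ports"]) >= self.unique_victim_ports:
            del self.state[key]               # fire once, then start over for this key
            return {"sig_id": self.sig_id, "key": key,
                    "components": sorted(node["seen"]), "victim_ports": sorted(node["ports"])}
        return None


def ev(t, sig, attacker, victim, victim_port, attacker_port=40000) -> dict:
    """Build a constructed component event record for the example."""
    return {"time": t, "sig_id": sig, "attacker": attacker, "attacker_port": attacker_port,
            "victim": victim, "victim_port": victim_port}


# Constructed sample: two component signatures from one attacker to one victim.
SAMPLE = [ev(0, 2000, "198.51.100.7", "192.0.2.10", 80),
          ev(5, 2001, "198.51.100.7", "192.0.2.10", 443)]

if __name__ == "__main__":
    meta = MetaSignature(9000, [2000, 2001], meta_key="AxBx")
    for e in SAMPLE:
        print(e["sig_id"], "->", meta.on_event(e))
```

With xxBx the attacker address is not part of the key, so component events from two different sources against the same victim land in one data node; with AaBb they only correlate when the ports match too, which is the narrowest grouping.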
Multi String Engine
Table B-16 Multi String Engine Parameters (continued)
regex-component
    Specifies the list of Regex components:
    • regex-string—Specifies the string to search for.
    • spacing-type—Specifies the type of spacing required from the match before or from the beginning of the stream/packet if it is the first entry in the list.
    Value: list (1 to 16 items)
port-selection
Normalizer Engine
The Normalizer engine deals with IP fragment reassembly and TCP stream reassembly. With the Normalizer engine you can set limits on system resource usage, for example, the maximum number of fragments the sensor tries to track at the same time. Sensors in promiscuous mode report alerts on violations. Sensors in inline mode perform the action specified in the event action parameter, such as produce-alert, deny-packet-inline, and modify-packet-inline.
ASA IPS Modules and the Normalizer Engine
The majority of the features in the Normalizer engine are not used on the ASA 5500-X IPS SSP or ASA 5585-X IPS SSP, because the ASA itself handles the normalization. Packets on the ASA IPS modules go through a special path in the Normalizer that only reassembles fragments and puts packets in the right order for the TCP stream.
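The two ideas in the Normalizer description above, reassembly plus a resource limit with a mode-dependent response, fit in a short simulation. The following is an added example, not code from the Cisco guide or the sensor's implementation: an IP fragment tracker that reassembles datagrams in any arrival order, refuses to track more than a fixed number of partial datagrams or fragments per datagram, and answers a violation with produce-alert in promiscuous mode or deny-packet-inline in inline mode. Fragment offsets are given in bytes rather than IP's 8-octet units, and the limit names echo the Table B-17 parameters only loosely; both are simplifications for the example.

```python
from typing import Dict, Optional, Tuple


class PartialDatagram:
    """Fragments of one datagram, keyed by byte offset, plus its total length once known."""

    def __init__(self):
        self.pieces: Dict[int, bytes] = {}
        self.total_len: Optional[int] = None   # set when the last fragment (MF=0) arrives

    def is_complete(self) -> bool:
        if self.total_len is None:
            return False
        covered = 0
        for off in sorted(self.pieces):        # fragments must tile [0, total_len) exactly
            if off != covered:
                return False
            covered = off + len(self.pieces[off])
        return covered == self.total_len

    def data(self) -> bytes:
        return b"".join(self.pieces[off] for off in sorted(self.pieces))


class FragmentNormalizer:
    def __init__(self, max_partial_dgrams: int = 2, max_fragments_per_dgram: int = 4,
                 inline: bool = False):
        self.max_partial_dgrams = max_partial_dgrams
        self.max_fragments_per_dgram = max_fragments_per_dgram
        self.inline = inline
        self.partial: Dict[Tuple, PartialDatagram] = {}   # (src, dst, ip-id) -> datagram

    def _violation(self, limit: str, key: Tuple) -> dict:
        # Promiscuous sensors can only report; inline sensors can drop the packet.
        action = "deny-packet-inline" if self.inline else "produce-alert"
        return {"event": "alert", "limit": limit, "action": action, "key": key}

    def add_fragment(self, src: str, dst: str, ident: int, offset: int,
                     more_fragments: bool, payload: bytes) -> dict:
        key = (src, dst, ident)
        dgram = self.partial.get(key)
        if dgram is None:
            if len(self.partial) >= self.max_partial_dgrams:
                return self._violation("max-partial-dgrams", key)
            dgram = self.partial[key] = PartialDatagram()
        if len(dgram.pieces) >= self.max_fragments_per_dgram:
            del self.partial[key]              # stop tracking a datagram that exceeds the limit
            return self._violation("max-fragments-per-dgram", key)
        dgram.pieces[offset] = payload
        if not more_fragments:
            dgram.total_len = offset + len(payload)
        if dgram.is_complete():
            del self.partial[key]
            return {"event": "reassembled", "key": key, "data": dgram.data()}
        return {"event": "pending", "key": key}


if __name__ == "__main__":
    # Constructed sample: one datagram split in two, delivered last fragment first.
    n = FragmentNormalizer()
    print(n.add_fragment("192.0.2.1", "192.0.2.2", 1, 6, False, b"world"))
    print(n.add_fragment("192.0.2.1", "192.0.2.2", 1, 0, True, b"hello "))
```

The per-datagram limit is what keeps an endless stream of fragments with more-fragments set from consuming memory: once the cap is hit the state is discarded rather than grown.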
Table B-17 Normalizer Engine Parameters (continued)
specify-max-fragments-per-dgram
    (Optional) Enables maximum fragments per datagram.
specify-max-last-fragments
    (Optional) Enables maximum last fragments.
specify-max-partial-dgrams
    (Optional) Enables maximum partial datagrams.
specify-max-small-frags
    (Optional) Enables maximum small fragments.
specify-min-fragment-size
    (Optional) Enables minimum fragment size.
Service Engines
• Service NTP Engine, page B-52
• Service P2P Engine, page B-53
• Service RPC Engine, page B-53
• Service SMB Advanced Engine, page B-55
• Service SNMP Engine, page B-57
• Service SSH Engine, page B-58
• Service TNS Engine, page B-59
Understanding the Service Engines
The Service engines analyze Layer 5+ traffic between two hosts. These are one-to-one signatures that track persistent data.
Table B-18 Service DNS Engine Parameters (continued)
specify-query-jump-count-exceeded {yes | no}
    (Optional) Enables query jump count exceeded:
    Value: no | yes
specify-query-opcode {yes | no}
    (Optional) Enables query opcode:
specify-query-record-data-invalid {yes | no}
    • query-record-data-len—Specifies the DNS Response Record Data Length.
    • query-src-port-53—Specifies the DNS packet source port 53.
Table B-19 lists the parameters that are specific to the Service FTP engine.
Table B-19 Service FTP Engine Parameters
direction
    Specifies the direction of traffic:
    • Traffic from service port destined to client port.
    • Traffic from client port destined to service port.
    Value: from-service, to-service
ftp-inspection-type
service-ports
Table B-20 lists the parameters specific to the Service Generic engine.
Table B-20 Service Generic Engine Parameters
specify-dst-port {yes | no}
    (Optional) Enables the destination port:
    • dst-port—Specifies the destination port of interest for this signature.
    Value: 0 to 65535
specify-ip-protocol {yes | no}
    (Optional) Enables IP protocol:
    • ip-protocol—Specifies the IP protocol this inspector should examine.
    Value: 0 to 255
Service H225 Engine
The Service H225 engine analyzes the H225.0 protocol, which consists of many subprotocols and is part of the H.323 suite. H.323 is a collection of protocols and other standards that together enable conferencing over packet-based networks. H.225.0 call signaling and status messages are part of the H.323 call setup. Various H.323 entities in a network, such as the gatekeeper and endpoint terminals, run implementations of the H.225.
Table B-21 lists parameters specific to the Service H225 engine.
Table B-21 Service H.225 Engine Parameters
message-type
    Specifies the type of H225 message to which the signature applies:
    • SETUP
    • ASN.1-PER
    • Q.931
    • TPKT
    Value: asn.1-per
policy-type
    Specifies the type of H225 policy to which the signature applies:
    • Inspects field length.
    • Inspects presence.
    • Inspects regular expressions.
Table B-21 Service H.225 Engine Parameters (continued)
specify-regex-string {yes | no}
    Specifies the regular expression to look for when the policy type is Regex:
    • regex-string—Specifies a regular expression to search for in a single TCP packet.
    Value: string, 0 to 65535
Before an HTTP packet can be inspected, the data must be deobfuscated or normalized to the same representation that the target system sees when it processes the data. It is ideal to have a customized decoding technique for each host target type, which involves knowing what operating system and web server version is running on the target. The Service HTTP engine has default deobfuscation behavior for the Microsoft IIS web server.
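The reason normalization has to happen before matching is easiest to see with a request URI that the server decodes but a raw-bytes regex does not. The following is an added example, not code from the Cisco guide and not a description of the engine's actual decoder: it percent-decodes a URI, optionally applies two behaviours commonly attributed to IIS (a second decode pass for double-encoded sequences, and folding of backslashes and letter case), collapses redundant path separators, and then runs a constructed traversal regex against both the raw and the normalized form. The `iis` flag, the regex and the sample URIs are all assumptions for this example.

```python
import re
from urllib.parse import unquote


def normalize_uri(raw: str, iis: bool = False) -> str:
    """Reduce a request URI to roughly what the target server would act on.

    Note that '..' segments are deliberately left in place: resolving them
    would hide exactly the thing a traversal signature needs to see.
    """
    uri = unquote(raw)                       # first percent-decode pass
    if iis:
        uri = unquote(uri)                   # double-encoded sequences such as %252e
        uri = uri.replace("\\", "/").lower() # backslash and case are not significant on IIS
    uri = re.sub(r"/+", "/", uri)            # collapse repeated slashes
    while "/./" in uri:                      # drop self-referencing segments
        uri = uri.replace("/./", "/")
    return uri


# Constructed signature for the example: a parent-directory segment in the path.
TRAVERSAL = re.compile(r"\.\./")


def inspect_request(raw_uri: str, pattern=TRAVERSAL, iis: bool = False) -> dict:
    """Match the pattern before and after normalization so the difference is visible."""
    normalized = normalize_uri(raw_uri, iis)
    return {
        "raw_match": bool(pattern.search(raw_uri)),
        "normalized": normalized,
        "match": bool(pattern.search(normalized)),
    }


# Constructed sample request URIs.
SAMPLES = [
    "/app/%2e%2e%2f%2e%2e%2fetc%2fpasswd",   # single percent-encoding
    "/app/%252e%252e%252fetc",               # double percent-encoding
    "/App\\..\\Cfg",                         # backslash separators, mixed case
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(inspect_request(uri), inspect_request(uri, iis=True))
```

The second sample is the one that shows why target-specific decoding matters: without the extra IIS pass the normalized URI still contains `%2e%2e`, and a signature written for the decoded form never fires.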
Table B-22 Service HTTP Engine Parameters (continued)
specify-request-regex {yes | no}
    (Optional) Enables searching the Request field for a specific regular expression:
    • request-regex—Specifies the regular expression to search in both HTTP URI and HTTP Argument fields.
    Value: 0 to 65535
Table B-23 lists the parameters specific to the Service IDENT engine.
Table B-23 Service IDENT Engine Parameters
inspection-type
    Specifies the type of inspection to perform.
    Value: has-newline, has-bad-port, size
has-newline
    Inspects payload for a nonterminating new line character.
    Value: —
has-bad-port
    Inspects payload for a bad port.
Table B-24 lists the parameters specific to the Service MSRPC engine.
Table B-24 Service MSRPC Engine Parameters
protocol
    Enables the protocol of interest for this inspector:
    • type—Specifies UDP or TCP.
    Value: tcp, udp
specify-flags {yes | no}
    Enables the flags to set:
    • msrpc-flags—Specifies MSRPC TCP flags.
    • msrpc-tcp-flags-mask—Specifies the MSRPC TCP flags mask.
    Value: concurrent-execution, did-not-execute
Table B-24 Service MSRPC Engine Parameters (continued)
specify-regex-string {yes | no}
    (Optional) Enables using a regular expression string:
    • specify-exact-match-offset—Enables the exact match offset:
      – exact-match-offset—Specifies the exact stream offset the regular expression string must report for a match to be valid.
    Value: 0 to 65535
Table B-25 lists the parameters specific to the Service MSSQL engine.
Table B-25 Service MSSQL Engine Parameters
password-present
    Specifies whether or not a password was used in an MS SQL login.
    Value: true | false
specify-sql-username
    (Optional) Enables using an SQL username:
    • sql-username—Specifies the username (exact match) of user logging in to MS SQL service.
    Value: sa
For More Information
For more information on the parameters common to all signature engines, see Master Engine, page B-4.
Service P2P Engine
P2P networks use nodes that can simultaneously function as both client and server for the purpose of file sharing. P2P networks often contain copyrighted material and their use on a corporate network can violate company policy.
Table B-27 Service RPC Engine Parameters (continued)
specify-regex-string {yes | no}
    (Optional) Enables using a regular expression string:
    • specify-exact-match-offset—Enables the exact match offset:
      – exact-match-offset—Specifies the exact stream offset the regular expression string must report for a match to be valid.
    Value: 0 to 65535
Service SMB Advanced Engine
Note The SMB engine has been replaced by the SMB Advanced engine. Even though the SMB engine is still visible in IDM, IME, and the CLI, its signatures have been obsoleted; that is, the new signatures have the obsoletes parameter set with the IDs of their corresponding old signatures. Use the new SMB Advanced engine to rewrite any custom signatures that were in the SMB engine.
Table B-28 Service SMB Advanced Engine Parameters (continued)
specify-exact-match-offset {yes | no}
    (Optional) Enables exact match offset:
    • exact-match-offset—Specifies the exact stream offset the Regex string must report for a ma
    Value: 0 to 65535
specify-min-match-length {yes | no}
    (Optional) Enables minimum match length:
    Value: 0 to 65535
specify-regex-payload-source {yes | no}
    (Optional) Enables payload source inspection:
For More Information
• For more information on the parameters common to all signature engines, see Master Engine, page B-4.
• For a list of the signature regular expression syntax, see Regular Expression Syntax, page B-9.
Service SNMP Engine
The Service SNMP engine inspects all SNMP packets destined for port 161. You can tune SNMP signatures and create custom SNMP signatures based on specific community names and object identifiers.
Table B-29 Service SNMP Engine Parameters (continued)
non-snmp-traffic-inspection
    Inspects for non-SNMP traffic destined for UDP port 161.
    Value: —
snmp-inspection {yes | no}
    Enables inspection of SNMP traffic:
    • specify-object-id—Enables inspection of the SNMP Object identifier:
      – object-id—Specifies to search for the SNMP object identifier.
    Value: object-id, community-name
1. The second number in the range must be greater than or equal to the first number.
For More Information
For more information on the parameters common to all signature engines, see Master Engine, page B-4.
Service TNS Engine
The Service TNS engine inspects the TNS protocol. TNS provides database applications with a single common interface to all industry-standard network protocols.
State Engine
Table B-31 Service TNS Engine Parameters (continued)
specify-regex-payload-src {yes | no}
    Enables the inspection of TCP or TNS protocol:
    • payload-src—Specifies which protocol to inspect:
      – tcp-data—Performs Regex over the data portion of the TCP packet.
      – tns-data—Performs Regex only over the TNS data (with all white space removed).
    Value: tcp data, tns data
Table B-32 lists the parameters specific to the State engine.
Table B-32 State Engine Parameters
state-machine
    Specifies the state machine grouping.
String Engines
Table B-32 State Engine Parameters (continued)
direction
    Specifies the direction of the traffic:
    • Traffic from service port destined to client port.
    • Traffic from client port destined to service port.
    Value: from-service, to-service
service-ports
    Specifies a comma-separated list of ports or port ranges where the target service resides.
    Value: 0 to 65535 (footnote 1)
Table B-33 lists the parameters specific to the String ICMP engine.
Table B-33 String ICMP Engine Parameters
direction
    Specifies the direction of the traffic:
    • Traffic from service port destined to client port.
    • Traffic from client port destined to service port.
    Value: from-service, to-service
icmp-type
    Specifies the value of the ICMP header TYPE.
    Value: 0 to 18 (footnote 1), a-b[,c-d]
regex-string
    The Regex pattern to use in the search.
Table B-34 String TCP Engine (continued)
specify-min-matchlength {yes | no}
    (Optional) Enables minimum match length:
    Value: 0 to 65535
strip-telnet-options
    Strips the Telnet option characters from the data before the pattern is searched. (footnote 2)
    Value: true | false
swap-attacker-victim
    Swaps the attacker and victim addresses and ports (source and destination) in the alert message and in any actions taken.
String XL Engines
Note The IPS 4345, IPS 4360, IPS 4510, IPS 4520, ASA 5525-X IPS SSP, ASA 5545-X IPS SSP, ASA 5555-X IPS SSP, and ASA 5585-X IPS SSP support the String XL engines and the Regex accelerator card.
The String XL engines do the same thing as the other String engines—provide a matching capability of one string per signature—but they use a different Regex syntax. The String TCP XL engine is stream-based and uses cross-packet inspection (XPI).
Table B-36 String XL Engine Parameters (continued)
no-case
    Specifies to treat all alphabetic characters in the expression as case insensitive.
    Value: true | false (default)
raw-regex
    If set to true, min-match-length, max-match-length, min-whole-length, max-whole-length, dot-all, utf8, no-case, stingy, and end-optional are not used to reformat the regular expression string.
Table B-36 String XL Engine Parameters (continued)
specify-min-matchlength {yes | no}
    Enables minimum match length:
    • min-match-length—Specifies the minimum number of bytes the regular expression string must match for the pattern to be considered a hit.
    Value: 0 to 65535
specify-max-streamlength {yes | no}
    Enables maximum stream length:
    Note
Sweep Engines
Apply Changes?[yes]: yes
Error: string-xl-tcp 60003.0 : Maximum Stream Length is currently not supported. Please don't use this option.
The configuration changes failed validation, no changes were applied.
per-stream/per-source/per-destination basis. The data node containing the sweep determines when the sweep should expire. The data node stops a sweep when the data node has not seen any traffic for x number of seconds (depending on the protocol). There are several adaptive timeouts for the data nodes. The data node expires after 30 seconds of idle time on the address set after all of the contained objects have been removed.
Table B-37 Sweep Engine Parameters (continued)
storage-key
    Specifies the type of address key used to store persistent data:
    • Attacker address (Axxx)
    • Attacker and victim addresses (AxBx)
    • Attacker address and victim port (Axxb)
    Value: Axxx, AxBx, Axxb
suppress-reverse
    Does not fire when a sweep has fired in the reverse direction on this address set.
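Put together, the three Sweep engine details on this page (a data node per storage key, a 30-second idle expiry, and suppress-reverse) make a compact detector. The following is an added example, not code from the Cisco guide: it keeps one data node per storage key in the Axxx, AxBx or Axxb form of Table B-37, counts the distinct ports (AxBx) or distinct victim hosts (Axxx, Axxb) seen under that key, fires once the count reaches a threshold, drops nodes that have been idle longer than the timeout, and honours suppress-reverse for the AxBx case. The threshold name `unique`, the choice of what each key counts, and the sample traffic are assumptions made for the example.

```python
from typing import Dict, Optional, Set, Tuple


class SweepTracker:
    def __init__(self, unique: int, storage_key: str = "AxBx",
                 idle_timeout: float = 30.0, suppress_reverse: bool = True):
        if storage_key not in ("Axxx", "AxBx", "Axxb"):
            raise ValueError(f"unknown storage-key {storage_key!r}")
        self.unique = unique
        self.storage_key = storage_key
        self.idle_timeout = idle_timeout          # the page gives 30 s idle expiry
        self.suppress_reverse = suppress_reverse
        self.nodes: Dict[Tuple, dict] = {}        # storage key -> data node
        self.fired: Set[Tuple] = set()            # keys whose sweep has already fired

    def _key(self, src: str, dst: str, dport: int) -> Tuple:
        if self.storage_key == "Axxx":
            return (src,)
        if self.storage_key == "AxBx":
            return (src, dst)
        return (src, dport)                       # Axxb

    def _counted_item(self, dst: str, dport: int):
        # AxBx tracks one attacker/victim pair, so distinct ports are the sweep;
        # Axxx and Axxb track an attacker across victims, so distinct hosts are.
        return dport if self.storage_key == "AxBx" else dst

    def _expire(self, now: float) -> None:
        stale = [k for k, n in self.nodes.items() if now - n["last"] > self.idle_timeout]
        for k in stale:
            del self.nodes[k]
            self.fired.discard(k)                 # an expired node may fire again later

    def observe(self, ts: float, src: str, dst: str, dport: int) -> Optional[dict]:
        self._expire(ts)
        key = self._key(src, dst, dport)
        node = self.nodes.setdefault(key, {"items": set(), "last": ts})
        node["items"].add(self._counted_item(dst, dport))
        node["last"] = ts
        if key in self.fired or len(node["items"]) < self.unique:
            return None
        if self.suppress_reverse and self.storage_key == "AxBx" and (dst, src) in self.fired:
            return None                           # reverse direction already fired on this pair
        self.fired.add(key)
        return {"sig": "sweep", "storage_key": self.storage_key,
                "key": key, "unique": len(node["items"])}


if __name__ == "__main__":
    # Constructed sample: one source touching five ports on one host.
    t = SweepTracker(unique=5)
    for i, port in enumerate((21, 22, 23, 25, 80)):
        print(port, t.observe(float(i), "198.51.100.7", "192.0.2.10", port))
```

The expiry step is what keeps the tracker bounded: without it every source ever seen would stay resident, and the suppress-reverse check depends on the fired set being cleared together with the node it belongs to.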
Traffic Anomaly Engine
Sweep Other TCP Engine Parameters
Table B-38 lists the parameters specific to the Sweep Other TCP engine.
Table B-38 Sweep Other TCP Engine Parameters
specify-port-range {yes | no}
    (Optional) Enables using a port range for inspection:
    • port-range—Specifies the UDP port range used in inspection.
    Value: 0 to 65535, a-b[,c-d]
set-tcp-flags
    Lets you set TCP flags to match.
• log-pair-packets—Starts IP logging for packets that contain the attacker and victim address pair.
• deny-attacker-service-pair-inline—Blocks the source IP address and the destination port.
• request-snmp-trap—Sends a request to NotificationApp to perform SNMP notification.
• request-block-host—Sends a request to ARC to block this host (the attacker).
Table B-39 lists the anomaly detection worm signatures.
Traffic ICMP Engine
Table B-39 Anomaly Detection Worm Signatures (continued)
Signature ID 13006, Subsignature ID 0, Illegal TCP Scanner
    Identified a single scanner over a TCP protocol in the illegal zone.
Signature ID 13006, Subsignature ID 1, Illegal TCP Scanner
    Identified a worm attack over a TCP protocol in the illegal zone; the TCP histogram threshold was crossed and a scanner over a TCP protocol was identified.
Trojan Engines
Table B-40 lists the parameters specific to the Traffic ICMP engine.
Table B-40 Traffic ICMP Engine Parameters
parameter-tunable-sig
    Specifies whether this signature has configurable parameters.
Appendix C Troubleshooting
This appendix contains troubleshooting tips and procedures for sensors and software.
Preventive Maintenance
If you are a registered Cisco.com user, you can view the Bug Toolkit at this URL:
http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs
To become a registered Cisco.com user, go to this URL:
http://tools.cisco.com/RPF/register/register.
To back up your current configuration, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Save the current configuration. The current configuration is saved in a backup file.
sensor# copy current-config backup-config
Step 3 Display the backup configuration file. The backup configuration file is displayed.
Note You are prompted for a password.
– scp:—Source or destination URL for the SCP network server. The syntax for this prefix is:
scp://[[username@]location][/relativeDirectory]/filename
scp://[[username@]location][//absoluteDirectory]/filename
Note You are prompted for a password. You must add the remote host to the SSH known hosts list.
– http:—Source URL for the web server.
Restoring the Current Configuration From a Backup File
To restore your current configuration from a backup file, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Back up the current configuration to the remote server.
sensor# copy scp://user@192.0.2.0//configuration/cfg current-config
Password: ********
Warning: Copying over the current configuration may leave the box in an unstable state.
Disaster Recovery
Note For IPS 5.0 and later, you can no longer remove the cisco account. You can disable it using the no password cisco command, but you cannot remove it. To use the no password cisco command, there must be another administrator account on the sensor. Removing the cisco account through the service account is not supported.
2. Log in to the sensor with the default user ID and password—cisco.
Note You are prompted to change the cisco password.
3. Initialize the sensor.
4. Upgrade the sensor to the IPS software version it had when the configuration was last saved and copied.
Warning Trying to copy the saved configuration without getting the sensor back to the same IPS software version it had before the disaster can cause configuration errors.
5.
Password Recovery
• Verifying the State of Password Recovery, page C-14
• Troubleshooting Password Recovery, page C-14
Understanding Password Recovery
Note Administrators may need to disable the password recovery feature for security reasons.
Password recovery implementations vary according to IPS platform requirements. Password recovery is implemented only for the cisco administrative account and is enabled by default.
-------------------------------------------
Use the ^ and v keys to select which entry is highlighted.
Press enter to boot the selected OS, 'e' to edit the
Commands before booting, or 'c' for a command-line.
Highlighted entry is 0:
Step 2 Press any key to pause the boot process.
Step 3 Choose 2: Cisco IPS Clear Password (cisco). The password is reset to cisco. Log in to the CLI with username cisco and password cisco. You can then change the password.
Recovering the Password for the ASA 5500-X IPS SSP
You can reset the password to the default (cisco) for the ASA 5500-X IPS SSP using the CLI or the ASDM. Resetting the password causes it to reboot. IPS services are not available during a reboot.
Note To reset the password, you must have ASA 8.6.1 or later.
Use the sw-module module ips password-reset command to reset the password to the default cisco.
Step 6 Enter your new password twice.
New password: new password
Retype new password: new password
***NOTICE***
This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption.
Use the hw-module module slot_number password-reset command to reset the password to the default cisco. If the module in the specified slot has an IPS version that does not support password recovery, the following error message is displayed:
ERROR: the module in slot <slot> does not support password recovery.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to export@cisco.com.
***LICENSE NOTICE***
There is no license key installed on this IPS platform. The system will continue to operate with the currently installed signature set. A valid license must be obtained in order to apply signature updates.
Step 4 Disable password recovery.
sensor(config-hos)# password-recovery disallowed
Disabling Password Recovery Using the IDM or IME
To disable password recovery in the IDM or IME, follow these steps:
Step 1 Log in to the IDM or IME using an account with administrator privileges.
Step 2 Choose Configuration > sensor_name > Sensor Setup > Network.
Step 3 To disable password recovery, uncheck the Allow Password Recovery check box.
Time Sources and the Sensor
This section describes how to maintain accurate time on the sensor, and contains the following topics:
• Time Sources and the Sensor, page C-15
• Synchronizing IPS Clocks with Parent Device Clocks, page C-15
• Verifying the Sensor is Synchronized with the NTP Server, page C-16
• Correcting Time on the Sensor, page C-16
Time Sources and the Sensor
Note We recommend that you use an NTP server to regulate time on your
Verifying the Sensor is Synchronized with the NTP Server
In IPS, you cannot apply an incorrect NTP configuration, such as an invalid NTP key value or ID, to the sensor. If you try to apply an incorrect configuration, you receive an error message. To verify the NTP configuration, use the show statistics host command to gather sensor statistics.
Advantages and Restrictions of Virtualization
To ensure the integrity of the time stamp on the event records, you must clear the event archive of the older events by using the clear events command.
Note You cannot remove individual events.
For More Information
For the procedure for clearing events, see Clearing Events, page C-101.
Supported MIBs
To avoid problems with configuring SNMP, be aware of the MIBs that are supported on the sensor. The following private MIBs are supported on the sensor:
• CISCO-CIDS-MIB (the CISCO-CIDS-MIB has been updated to include SNMP health data)
• CISCO-ENHANCED-MEMPOOL-MIB
• CISCO-ENTITY-ALARM-MIB
You can obtain these private Cisco MIBs under the heading SNMP v2 MIBs at this URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.
When to Disable Anomaly Detection
If you have anomaly detection enabled and you have your sensor configured to see only one direction of traffic, you should disable anomaly detection. Otherwise, you will receive many alerts, because anomaly detection sees asymmetric traffic as having incomplete connections, that is, like worm scanners, and fires alerts.
Analysis Engine Not Responding
Error Message Output from show statistics analysis-engine:
Error: getAnalysisEngineStatistics : ct-sensorApp.424 not responding, please check system processes - The connect to the specified Io::ClientPipe failed.
Error Message Output from show statistics anomaly-detection:
Error: getAnomalyDetectionStatistics : ct-sensorApp.
Troubleshooting External Product Interfaces
This section lists issues that can occur with external product interfaces and provides troubleshooting tips. For more information on external product interfaces, see Chapter 11, “Configuring External Product Interfaces.”
Troubleshooting the Appliance
External Product Interfaces Troubleshooting Tips
To troubleshoot external product interfaces, check the following:
• Make sure the interface is active by checking the output from the show statistics external-product-interface command in the CLI, or choose Monitoring > Sensor Monitoring > Support Information > Statistics in the IDM and check the Interface state line in the response, or choose Configuration > sensor_name > Sensor Monitoring > Suppor
• Make sure each device is properly seated.
• If a device has latches, make sure they are completely closed and locked.
• Check any interlock or interconnect indicators that indicate a component is not connected properly.
• If problems continue, remove and reinstall each device, checking the connectors and sockets for bent pins or other damage.
• Duplicate IP Address Shuts Interface Down, page C-27
Cannot Access the Sensor CLI Through Telnet or SSH
If you cannot access the sensor CLI through Telnet (if you already have it enabled) or SSH, follow these steps:
Step 1 Log in to the sensor CLI through a console, terminal, or module session.
Step 2 Make sure that the sensor management interface is enabled.
Step 3 Make sure the sensor IP address is unique. If the management interface detects that another device on the network has the same IP address, it does not come up.
sensor# setup
--- System Configuration Dialog ---
At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
Current Configuration:
service host
network-settings
host-ip 192.168.1.
For More Information
• For the procedure for enabling and disabling Telnet on the sensor, see Enabling and Disabling Telnet, page 3-5.
• For the various ways to open a CLI session directly on the sensor, see Chapter ii, “Logging In to the Sensor.”
• For the procedure for changing the IP address, see Changing the IP Address, Netmask, and Gateway, page 3-4.
Duplicate IP Address Shuts Interface Down
If you have two newly imaged sensors with the same IP address that come up on the same network at the same time, the interface shuts down. Linux prevents the command and control interface from activating if it detects an address conflict with another host.
Step 4 Make sure the IP address is correct.

For More Information
• To make sure the sensor cabling is correct, refer to the chapter for your sensor in Cisco Intrusion Prevention System Appliances and Modules Installation Guide for IPS 7.2.
• For the procedure for making sure the IP address is correct, see Changing Network Settings, page 3-2.

The SensorApp and Alerting

This section helps you troubleshoot issues with the SensorApp and alerting.
AnalysisEngine     V-2013_04_10_11_00_7_2_0_14   (Release)   2013-04-10T11:05:55-0500   Running
CollaborationApp   V-2013_04_10_11_00_7_2_0_14   (Release)   2013-04-10T11:05:55-0500   Running
CLI                V-2013_04_10_11_00_7_2_0_14   (Release)   2013-04-10T11:05:55-0500

Upgrade History:
  IPS-K9-7.2-1-E4   11:17:07 UTC Thu Jan 10 2013

Recovery Partition Version 1.1 - 7.
Physical Connectivity, SPAN, or VACL Port Issue

If the sensor is not connected properly, you do not receive any alerts. To make sure the sensor is connected properly, follow these steps:

Step 1 Log in to the CLI.
Step 2 Make sure the interfaces are up and that the packet count is increasing.
Step 4 Verify the interface configuration:
• Make sure you have the interfaces configured properly.
• Verify the SPAN and VACL capture port configuration on the Cisco switch. Refer to your switch documentation for the procedure.
Step 5 Verify again that the interfaces are up and that the packet count is increasing.
Step 3 Make sure you have Produce Alert configured.
Sensor Not Seeing Packets

If the sensor is not seeing any packets on the network, you could have the interfaces set up incorrectly. If the sensor is not seeing packets, follow these steps:

Step 1 Log in to the CLI.
Step 2 Make sure the interfaces are up and receiving packets.
Step 4 Check to see that the interface is up and receiving packets.
Step 8 Start the IPS services.
sensor# cids start
Step 9 Log in to an account with administrator privileges.
Step 10 Reboot the sensor.
sensor# reset
Warning: Executing this command will stop all applications and reboot the node.
Continue with reset? [yes]:yes
Request Succeeded.
sensor#

For More Information
To learn more about IPS system architecture, see Appendix A, “System Architecture.”
For More Information
• For the procedure to verify that the ARC is running, see Verifying the ARC is Running, page C-36.
• For the procedure to verify that the ARC is connecting, see Verifying ARC Connections are Active, page C-37.
• For the procedure to verify that the Event Action is set to Block Host, see Blocking Not Occurring for a Signature, page C-41.
Host Certificate Valid from: 17-Apr-2013 to 18-Apr-2015
sensor#

Step 3 If the MainApp displays Not Running, the ARC has failed. Contact TAC.

For More Information
To learn more about IPS system architecture, see Appendix A, “System Architecture.”

Verifying ARC Connections are Active

If the State is not Active in the ARC statistics, there is a problem.
Realm Keys          key1.0
Signature Definition:
    Signature Update    S697.0    2013-02-15
OS Version:             2.6.29.1
Platform:               IPS4360
Serial Number:          FCH1504V0CF
No license present
Sensor up-time is 3 days.
Using 14470M out of 15943M bytes of available memory (90% usage)
system is using 32.4M out of 160.0M bytes of available disk space (20% usage)
application-data is using 87.1M out of 376.1M bytes of available disk space (24% usage)
boot is using 61.2M out of 70.
Device Access Issues

The ARC may not be able to access the devices it is managing. Make sure you have the correct IP address, username, and password for the managed devices, and the correct interface and direction configured.

Note SSH devices must support SSH 1.5. The sensor does not support SSH 2.0.

To troubleshoot device access issues, follow these steps:

Step 1 Log in to the CLI.
Step 2 Verify the IP address for the managed devices.
   profile-name: r7200
   block-interfaces (min: 0, max: 100, current: 1)
   -----------------------------------------------
      interface-name: fa0/0
      direction: in
      -----------------------------------------------
         pre-acl-name:
         post-acl-name:
      -----------------------------------------------
   -----------------------------------------------
   firewall-devices (m
Step 3 Exit general submode.
sensor(config-net-gen)# exit
sensor(config-net)# exit
Apply Changes:? [yes]:
Step 4 Press Enter to apply the changes or type
Step 5 Telnet to the router and verify that a deny entry for the blocked address exists in the router ACL. Refer to the router documentation for the procedure.
Step 6 Remove the manual block by repeating Steps 1 through 4 except in Step 2 place no in front of the command.
sensor(config-sig-sig)# engine normalizer
sensor(config-sig-sig-nor)# event-action produce-alert|request-block-host
sensor(config-sig-sig-nor)# show settings
   normalizer
   -----------------------------------------------
      event-action: produce-alert|request-block-host default: produce-alert|deny-connection-inline
      edit-default-sigs-only
      -----------------------------------------------
         default-signatures-only
         -----------------------------------------------
            spec
   State
      ShunEnable = true
      ShunnedAddr
         Host
            IP = 122.122.122.44
            ShunMinutes = 60
            MinutesRemaining = 59
Step 3 If the master blocking sensor does not show up in the statistics, you need to add it.
Step 4 Initiate a manual block to a bogus host IP address to make sure the master blocking sensor is initiating blocks.
sensor# configure terminal
sensor(config)# service network-access
sensor(config-net)# general
sensor(config-net-gen)# block-hosts 10.16.
Step 9 If the remote master blocking sensor is using TLS for web access, make sure the forwarding sensor is configured as a TLS host.
sensor# configure terminal
sensor(config)# tls trust ip master_blocking_sensor_ip_address

For More Information
For the procedure to configure the sensor to be a master blocking sensor, see Configuring the Sensor to be a Master Blocking Sensor, page 14-28.
   master-control
   -----------------------------------------------
      enable-debug: true default: false
      individual-zone-control: false
   -----------------------------------------------
sensor(config-log-mas)#
Step 9 Turn on individual zone control.
      zone-name: nac
      severity: warning
      zone-name: sensorApp
      severity: warning
      zone-name: tls
      severity: warning
   -----------------------------------------------
sensor(config-log)#
Step 12 Change the severity level (debug, timing, warning, or error) for a particular zone.
      severity: warning
   -----------------------------------------------
sensor(config-log)#
Step 13 Turn on debugging for a particular zone.
Step 15 Press Enter to apply changes or type no to discard them:

For More Information
For a list of what each zone name refers to, see Zone Names, page C-48.
Directing cidLog Messages to SysLog

It might be useful to direct cidLog messages to syslog. To direct cidLog messages to syslog, follow these steps:

Step 1 Go to the idsRoot/etc/log.conf file.
Step 2 Make the following changes:
a. Set [logApp] enabled=false
   Comment out the enabled=true because enabled=false is the default.
b.
TCP Reset Not Occurring for a Signature

Note There is only one sensing interface on the ASA IPS modules (ASA 5500-X IPS SSP and ASA 5585-X IPS SSP), so you cannot designate an alternate TCP reset interface.

If you do not have the event action set to reset, the TCP reset does not occur for a specific signature.

Note TCP Resets are not supported over MPLS links or the following tunnels: GRE, IPv4 in IPv4, IPv6 in IPv4, or IPv4 in IPv6.
Step 5 Make sure the correct alarms are being generated.
sensor# show events alert
evAlert: eventId=1047575239898467370 severity=medium
  originator:
    hostId: sj_4250_40
    appName: sensorApp
    appInstanceId: 1004
  signature: sigId=20000 sigName=STRING.TCP subSigId=0 version=Unknown
  addr: locality=OUT 172.16.171.19
  port: 32771
  victim:
    addr: locality=OUT 172.16.171.
Or you can use the system image file to reimage the sensor directly to the version you want. You can reimage a sensor and avoid the error because the reimage process does not check to see if the Analysis Engine is running.

Caution Reimaging using the system image file restores all configuration defaults.

For More Information
• For more information on running the setup command, see Chapter 2, “Initializing the Sensor.”
Try the manual upgrade command before attempting the automatic update. If it works with the upgrade command and does not work with the automatic update, try the following:
• Determine which IPS software version your sensor has.
• Make sure the passwords are configured for automatic update. Make sure they match the same passwords used for manual update.
For More Information
For the procedure for obtaining Cisco IPS software, see Obtaining Cisco IPS Software, page 20-1.

Troubleshooting the IDM

Note These procedures also apply to the IPS section of the ASDM.

Note After you upgrade any IPS software on your sensor, you must restart the IDM to see the latest software features.

This section contains troubleshooting procedures for the IDM.
c. Under Java Runtime Environment, select JRE 1.3.x from the drop-down menu.
d. Click the Cache tab.
e. Click the Browser tab.
f. Deselect all browser check boxes.
g. Click Clear Cache.
Step 4 Delete the temp files and clear the history in the browser.

Cannot Launch the IDM-The Analysis Engine Busy Error Message

Error connecting to sensor. Failed to load sensor-errNotAvailable-Analysis Engine is busy. Exiting IDM.
Troubleshooting the IME

exit
summertime-option
disabled
ntp-option
disabled
exit
service web-server
port 443
exit
Step 2 If network devices, such as routers, switches, or firewalls, are between the sensor and the workstation, make sure these devices are configured to allow the workstation to access the sensor web server port. All remote management communication is performed by the sensor web server.
Time Synchronization on IME and the Sensor

Symptom The IME displays No Data Available on the Events dashboard. A historical query does not return any events; however, events are coming in to the IME and they appear in the real-time event viewer.

Possible Cause The time is not synchronized between the sensor and the IME local server. The IME dashboards use a time relative to the IME local time.
Troubleshooting the ASA 5500-X IPS SSP

• The ASA 5500-X IPS SSP and Jumbo Packets, page C-67

Health and Status Information

To see the general health of the ASA 5500-X IPS SSP, use the show module ips details command.

asa# show module ips details
Getting details from the Service Module, please wait...

Card Type:
Model:
Hardware version:
Serial Number:
Firmware version:
Software version:
MAC Address Range:
App. name:
App. Status:
App. Status Desc:
App.
Mod-ips 239> e1000 0000:00:05.0: PCI INT A disabled
Mod-ips 240> Restarting system.
Mod-ips 241> machine restart
Mod-ips 242> IVSHMEM: addr = 4093640704 size = 67108864
Mod-ips 243> Booting 'Cisco IPS'
Mod-ips 244> root (hd0,0)
Mod-ips 245> Filesystem type is ext2fs, partition type 0x83
Mod-ips 246> kernel /ips-2.6.ld ro initfsDev=/dev/hda1 init=loader.run rootrw=/dev/hda2 init
Mod-ips 247> fs=runtime-image.cpio.
Mod-ips 357> Initializing CPU#1
Mod-ips 358> Calibrating delay using timer specific routine.. 5585.16 BogoMIPS (lpj=2792581)
Mod-ips 359> CPU: L1 I cache: 32K, L1 D cache: 32K
Mod-ips 360> CPU: L2 cache: 4096K
Mod-ips 361> CPU 1/0x1 -> Node 0
Mod-ips 362> CPU1: Intel QEMU Virtual CPU version 0.12.
Mod-ips 541> uhci_hcd: USB Universal Host Controller Interface driver
Mod-ips 542> Initializing USB Mass Storage driver...
Mod-ips 543> usbcore: registered new interface driver usb-storage
Mod-ips 544> USB Mass Storage support registered.
Two ASAs in Fail-Open Mode

• If the ASAs are configured in fail-open mode and if the ASA 5500-X IPS SSP on the active ASA experiences a configuration change or a signature/signature engine update, traffic is still passed through the active ASA without being inspected. Failover is not triggered.
• 1311.0
• 1315.0
• 1316.0
• 1317.0
• 1330.0
• 1330.1
• 1330.2
• 1330.9
• 1330.10
• 1330.12
• 1330.14
• 1330.15
• 1330.16
• 1330.17
• 1330.18

The ASA 5500-X IPS SSP and Memory Usage

For the ASA 5500-X IPS SSP, the memory usage is 93%. The default health thresholds for the sensor are 80% for yellow and 91% for red, so the sensor health will be shown as red on these platforms even for normal operating conditions.
Troubleshooting the ASA 5585-X IPS SSP

This miscount is a result of header bytes added to the packet by the ASA before the packet is transmitted to the IPS. For IPv4, 58 bytes of header data are added. For IPv6, 78 bytes of header data are added. The ASA removes the added IPS header before the packet leaves the ASA.
Reset issued for module in slot 1
asa# show module 1 details
Getting details from the Service Module, please wait...
Unable to read details from slot 1
ASA 5585-X IPS Security Services Processor-20 with 8GE
Model:              ASA5585-SSP-IPS20
Hardware version:   1.0
Serial Number:      ABC1234DEFG
Firmware version:   2.0(7)0
Software version:   7.2(1)E4
MAC Address Range:  5475.d029.7f9c to 5475.d029.7fa7
App. name:          IPS
App. Status:        Not Applicable
App.
Mgmt IP addr:       192.0.2.3
Mgmt Network mask:  255.255.255.0
Mgmt Gateway:       192.0.2.254
Mgmt Access List:   0.0.0.0/0
Mgmt web ports:     443
Mgmt TLS enabled:   true

asa# show module 1 details
Getting details from the Service Module, please wait...
ASA 5585-X IPS Security Services Processor-20 with 8GE
Model:              ASA5585-SSP-IPS20
Hardware version:   1.0
Serial Number:      ABC1234DEFG
Firmware version:   2.0(7)0
Software version:   7.2(1)E4
MAC Address Range:  5475.
(Slot-1 155> through Slot-1 176> console output; only the final lines are recoverable:)
Slot-1 ...> RETRY=20
Slot-1 ...> tftp IPS-SSP_10-K9-sys-1.1-a-7.2-1.img@192.0.2.15 via 192.0.2.254
Slot-1 ...> TFTP failure: Packet verify failed after 20 retries
Slot-1 ...> Rebooting due to Autoboot error ...
Slot-1 ...> Rebooting....
Two ASA 5585-Xs in Fail-Close Mode

• If the ASAs are configured in fail-close mode, and if the ASA 5585-X IPS SSP on the active ASA experiences a configuration change or a signature/signature engine update, traffic is stopped from passing through the active ASA. No failover is triggered.
Gathering Information

• 1305.0
• 1307.0
• 1308.0
• 1309.0
• 1311.0
• 1315.0
• 1316.0
• 1317.0
• 1330.0
• 1330.1
• 1330.2
• 1330.9
• 1330.10
• 1330.12
• 1330.14
• 1330.15
• 1330.16
• 1330.17
• 1330.
• Events Information, page C-97
• cidDump Script, page C-101
• Uploading and Accessing Files on the Cisco FTP Site, page C-102

Health and Network Security Information

Caution When the sensor is first starting, it is normal for certain health metric statuses to be red until the sensor is fully up and running.

Note The ASA 5500-X IPS SSP and the ASA 5585-X IPS SSP do not support bypass mode.
Understanding the show tech-support Command

Note The /var/log/messages file is now persistent across reboots and the information is displayed in the output of the show tech-support command.

Note The show tech-support command now displays historical interface data for each interface for the past 72 hours.
sensor# show tech-support page
Step 3 To send the output (in HTML format) to a file:
a. Enter the following command, followed by a valid destination. The password: prompt appears.
sensor# show tech-support destination-url destination_url
Example
To send the tech support output to the file /absolute/reports/sensor1Report.html:
sensor# show tech support dest ftp://csidsuser@10.2.1.2//absolute/reports/sensor1Report.html
b.
Version Information

The show version command is useful for obtaining sensor information. This section describes the show version command, and contains the following topics:
• Understanding the show version Command, page C-78
• Displaying Version Information, page C-78

Understanding the show version Command

The show version command shows the basic sensor information and can indicate where a failure is occurring.
OS Version:             2.6.29.1
Platform:               IPS4360
Serial Number:          FCH1504V0CF
No license present
Sensor up-time is 3 days.
Using 14470M out of 15943M bytes of available memory (90% usage)
system is using 32.4M out of 160.0M bytes of available disk space (20% usage)
application-data is using 87.1M out of 376.1M bytes of available disk space (24% usage)
boot is using 61.2M out of 70.1M bytes of available disk space (92% usage)
application-log is using 494.0M out of 513.
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
network-settings
host-ip 10.106.133.159/23,10.106.132.1
host-name sensor
telnet-option enabled
access-list 0.0.0.
Statistics Information

The show statistics command is useful for examining the state of the sensor services. This section describes the show statistics command, and contains the following topics:
• Understanding the show statistics Command, page C-81
• Displaying Statistics, page C-81

Understanding the show statistics Command

The show statistics command provides a snapshot of the state of the sensor services.
Note The clear option is not available for the analysis engine, anomaly detection, host, network access, or OS identification applications.
   Statistics for Signature Events
      Number of SigEvents since reset = 0
   Statistics for Actions executed on a SigEvent
      Number of Alerts written to the IdsEventStore = 0
   Inspection Stats
      Inspector        active   call   create   delete
      AtomicAdvanced   0        2312   4        4
      Fixed            0        1659   1606     1606
      MSRPC_TCP        0        20     4        4
      MSRPC_UDP        0        1808   1575     1575
      MultiString      0        145    10       10
      ServiceDnsUdp    0        1841   3        3
      ServiceGeneric   0        2016   14       14
      ServiceHttp      0        2      2        2
      ServiceNtp       0        3682   3176     3176
      ServiceP2PTCP    0        21     9        9
      S
      SimulatedTcpDeniesDueToGlobalCorrelation = 0
      SimulatedTcpDeniesDueToOverride = 0
      SimulatedTcpDeniesDueToOverlap = 0
      SimulatedTcpDeniesDueToOther = 0
      LateStageDenyDueToGlobalCorrelation = 0
      LateStageDenyDueToOverride = 0
      LateStageDenyDueToOverlap = 0
      LateStageDenyDueToOther = 0
      SimulatedLateStageDenyDueToGlobalCorrelation = 0
      SimulatedLateStageDenyDueToOverride = 0
      SimulatedLateStageDenyDueToOverlap = 0
      SimulatedLateStageDenyDueToOther = 0
   AlertHistogram
      Ri
Detection - ON
Learning - ON
Next KB rotation at 10:00:00 UTC Sat Jan 18 2008
Internal Zone
   TCP Protocol
   UDP Protocol
   Other Protocol
External Zone
   TCP Protocol
   UDP Protocol
   Other Protocol
Illegal Zone
   TCP Protocol
   UDP Protocol
   Other Protocol
sensor#
Step 4 Display the statistics for authentication.
Number of events of each type currently stored
   Status events = 4257
   Shun request events = 0
   Error events, warning = 669
   Error events, error = 8
   Error events, fatal = 0
   Alert events, informational = 0
   Alert events, low = 0
   Alert events, medium = 0
   Alert events, high = 0
   Alert events, threat rating 0-20 = 0
   Alert events, threat rating 21-40 = 0
   Alert events, threat rating 41-60 = 0
   Alert events, threat rating 61-80 = 0
   Alert events, threat rating 81-100 = 0
Network Statistics
 = ma0_0     Link encap:Ethernet  HWaddr 00:04:23:D5:A1:8D
 =           inet addr:10.89.130.98  Bcast:10.89.131.255  Mask:255.255.254.0
 =           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
 =           RX packets:1688325 errors:0 dropped:0 overruns:0 frame:0
 =           TX packets:38546 errors:0 dropped:0 overruns:0 carrier:0
 =           collisions:0 txqueuelen:1000
 =           RX bytes:133194316 (127.0 MiB)  TX bytes:5515034 (5.
   MaxDeviceInterfaces = 250
   NetDevice
      Type = PIX
      IP = 10.89.150.171
      NATAddr = 0.0.0.0
      Communications = ssh-3des
   NetDevice
      Type = PIX
      IP = 192.0.2.4
      NATAddr = 0.0.0.0
      Communications = ssh-3des
   NetDevice
      Type = PIX
      IP = 192.0.2.5
      NATAddr = 0.0.0.0
      Communications = telnet
   NetDevice
      Type = Cisco
      IP = 192.0.2.6
      NATAddr = 0.0.0.
      Version = 12.2
      State = Active
   NetDevice
      IP = 192.0.2.10
      AclSupport = Uses VACLs
      Version = 8.4
      State = Active
   BlockedAddr
      Host
         IP = 203.0.113.1
         Vlan =
         ActualIp =
         BlockMinutes =
      Host
         IP = 203.0.113.2
         Vlan =
         ActualIp =
         BlockMinutes =
      Host
         IP = 203.0.113.4
         Vlan =
         ActualIp =
         BlockMinutes = 60
         MinutesRemaining = 24
      Network
         IP = 203.0.113.9
         Mask = 255.255.0.0
         BlockMinutes =
sensor#
Step 12 Display the statistics for the notification application.
Step 15 Display the statistics for the transaction server.
sensor# show statistics transaction-server
General
   totalControlTransactions = 35
   failedControlTransactions = 0
sensor#
Step 16 Display the statistics for a virtual sensor.
   Denied Attackers and hit count for each.
   Denied Attackers with percent denied and hit count for each.
   The Signature Database Statistics.
   Cumulative Statistics for the TCP Stream Reassembly Unit since reset
      TCP streams that have been tracked since last reset = 0
      TCP streams that had a gap in the sequence jumped = 0
      TCP streams that was abandoned due to a gap in the sequence = 0
      TCP packets that arrived out of sequence order for their stream = 0
      TCP packets that arrived out of state order for their stream = 0
      The rate of TCP connections tracked per second since reset = 0
   SigEvent Preliminary
   Error Severity = 14
   Warning Severity = 1
   Timing Severity = 0
   Debug Severity = 0
   Unknown Severity = 28
   TOTAL = 43
Step 19 Verify that the statistics have been cleared. The statistics now all begin from 0.
Interfaces Command Output

The following example shows the output from the show interfaces command:

sensor# show interfaces
Interface Statistics
   Total Packets Received = 0
   Total Bytes Received = 0
   Missed Packet Percentage = 0
   Current Bypass Mode = Auto_off
MAC statistics from interface GigabitEthernet0/1
   Media Type = backplane
   Missed Packet Percentage = 0
   Inline Mode = Unpaired
   Pair Status = N/A
   Link Status = Up
   Link Speed = Auto_1000
   Link Duplex = Auto_Ful
Note You must have health monitoring enabled to support the historic interface function.

Each record has the following details:
• Total packets received
• Total bytes received
• FIFO overruns
• Receive errors
• Received Mbps
• Missed packet percentage
• Average load
• Peak load

Note Historical data for each interface for the past 72 hours is also included in the show tech-support command.
GigabitEthernet0/1
Time                           Packets Received   Bytes Received   FIFO Overruns   Receive Errors   Avg Load   Peak Load
11:30:31 UTC Tue Mar 05 2013   0                  0                0               0                0          0
10:27:32 UTC Tue Mar 05 2013   0                  0                0               0                0          0
GigabitEthernet0/2
Time                           Packets Received   Bytes Received   FIFO Overruns   Receive Errors   Avg Load   Peak Load
11:30:31 UTC Tue Mar 05 2013   0                  0                0               0                0          0
10:27:32 UTC Tue Mar 05 2013   0                  0                0               0                0          0
GigabitEthernet0/3
Time                           Packets Received   Bytes Received   FIFO Overruns   Receive Errors   Avg
12:15:00 UTC Tue Mar 05 2013   0   0   0   0   0   0
12:13:54 UTC Tue Mar 05 2013   0   0   0   0   0   0
12:12:49 UTC Tue Mar 05 2013   0   0   0   0   0   0
12:11:43 UTC Tue Mar 05 2013   0   0   0   0   0   0
12:10:36 UTC Tue Mar 05 2013   0   0   0   0   0   0
12:09:30 UTC Tue Mar 05 2013   0   0   0   0   0   0
12:08:24 UTC Tue Mar 05 2013   0   0   0   0   0   0
12:07:25 UTC Tue Mar 05 2013   0   0   0   0   0   0
12:06:23 UTC Tue Mar 05 2013   0   0   0   0   0   0
12:05:25 UTC Tue Mar 05 2013   0   0   0   0   0   0
sensor#
Step 4
Sensor Events

There are five types of events:
• evAlert—Intrusion detection alerts
• evError—Application errors
• evStatus—Status changes, such as an IP log being created
• evLogTransaction—Record of control transactions processed by each sensor application
• evShunRqst—Block requests

Events remain in the Event Store until they are overwritten by newer events.
The following options apply:
• alert—Displays alerts. Provides notification of some suspicious activity that may indicate an attack is in process or has been attempted. Alert events are generated by the Analysis Engine whenever a signature is triggered by network activity. If no level is selected (informational, low, medium, or high), all alert events are displayed.
• include-traits—Displays alerts that have the specified traits.
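The five event types and the severity filter of show events alert, as an added example that is not part of this guide or of the Cisco IPS software: a small parser for the show events record layout (each record starts with an evXxx: token followed by key=value fields) that counts records per type and applies the informational/low/medium/high floor. The sample output, host name, addresses and eventIds are constructed.

```python
"""Parse 'show events' output from a Cisco IPS sensor and summarize it.

Added example, not Cisco code. The sample below is constructed to follow
the evAlert / evLogTransaction / evShunRqst layout shown in the guide.
"""
import re
from collections import Counter

# The five Event Store types listed in the guide.
EVENT_TYPES = ("evAlert", "evError", "evStatus", "evLogTransaction", "evShunRqst")

# Levels accepted by 'show events alert <level>', lowest to highest.
SEVERITY_ORDER = ("informational", "low", "medium", "high")

# Constructed sample output (hostnames, addresses and eventIds are made up).
SAMPLE_OUTPUT = """\
sensor# show events
evAlert: eventId=1047575239898467370 severity=medium
  originator:
    hostId: sensor1
    appName: sensorApp
    appInstanceId: 1004
  signature: sigId=20000 sigName=STRING.TCP subSigId=0 version=Unknown
  addr: locality=OUT 192.0.2.10
  port: 32771
  victim:
    addr: locality=OUT 192.0.2.20
    port: 23
evAlert: eventId=1047575239898467371 severity=high
  originator:
    hostId: sensor1
    appName: sensorApp
    appInstanceId: 1004
  signature: sigId=20001 sigName=STRING.UDP subSigId=0 version=Unknown
  addr: locality=OUT 192.0.2.11
  victim:
    addr: locality=OUT 192.0.2.20
evStatus: eventId=1047575239898467372 vendor=Cisco
  originator:
    hostId: sensor1
    appName: mainApp
    appInstanceId: 2215
  time: 2013/04/10 11:06:02 2013/04/10 11:06:02 UTC
evLogTransaction: eventId=1047575239898467373 successful=true
  originator:
    hostId: sensor1
    appName: mainApp
    appInstanceId: 2215
  controlTransaction: command=getVersion successful=true
    description: Control transaction response.
evShunRqst: eventId=1106837332219222281 vendor=Cisco
  originator:
    deviceName: sensor1
    appName: NetworkAccessControllerApp
    appInstance: 654
  shunInfo:
    host: connectionShun=false
      srcAddr: 192.0.2.99
"""

# A record starts with an event-type token such as 'evAlert:'.  A word
# boundary rather than a line anchor is used so the same code also works on
# output that has been flattened onto one line (as in a copied transcript).
EVENT_START = re.compile(r"\b(ev[A-Z]\w*):")
FIELD = re.compile(r"(\w+)=(\S+)")


def split_events(text):
    """Yield (event_type, raw_record_text) for each record in the output."""
    starts = [(m.start(), m.group(1)) for m in EVENT_START.finditer(text)]
    for i, (pos, etype) in enumerate(starts):
        end = starts[i + 1][0] if i + 1 < len(starts) else len(text)
        yield etype, text[pos:end]


def parse_events(text):
    """Return one dict per record: its type plus every key=value field.

    A key that repeats inside a record (locality appears for both attacker
    and victim) keeps its last value, so rely only on record-level keys
    such as eventId, severity, sigId and sigName.
    """
    events = []
    for etype, body in split_events(text):
        if etype not in EVENT_TYPES:
            continue  # not one of the five Event Store types; skip it
        record = {"type": etype}
        record.update(FIELD.findall(body))
        events.append(record)
    return events


def count_by_type(events):
    """Histogram of event types, like the 'Number of events of each type' block."""
    return Counter(e["type"] for e in events)


def alerts_at_or_above(events, level=None):
    """Mirror 'show events alert [level]': evAlert records only, and only
    those whose severity is at least `level`; None returns every alert."""
    alerts = [e for e in events if e["type"] == "evAlert"]
    if level is None:
        return alerts
    floor = SEVERITY_ORDER.index(level)  # ValueError on an unknown level
    return [a for a in alerts
            if a.get("severity") in SEVERITY_ORDER
            and SEVERITY_ORDER.index(a["severity"]) >= floor]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_OUTPUT)
    print(dict(count_by_type(evs)))
    for a in alerts_at_or_above(evs, "medium"):
        print(a["severity"], a["sigId"], a["sigName"], a["eventId"])
```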
Step 3 Display the block requests beginning at 10:00 a.m. on February 9, 2011.
sensor# show events NAC 10:00:00 Feb 9 2011
evShunRqst: eventId=1106837332219222281 vendor=Cisco
  originator:
    deviceName: Sensor1
    appName: NetworkAccessControllerApp
    appInstance: 654
  time: 2011/02/09 10:33:31 2011/08/09 13:13:31
  shunInfo:
    host: connectionShun=false
      srcAddr: 11.0.0.
  originator:
    hostId: sensor
    appName: mainApp
    appInstanceId: 2215
  time: 2011/01/08 02:41:00 2011/01/08 02:41:00 UTC
  controlTransaction: command=getVersion successful=true
    description: Control transaction response.
    requestor:
      user: cids
      application:
        hostId: 64.101.182.
Step 3 Enter the following command.
/usr/cids/idsRoot/bin/cidDump
Step 4 Enter the following command to compress the resulting /usr/cids/idsRoot/log/cidDump.html file.
gzip /usr/cids/idsRoot/log/cidDump.html
Step 5 Send the resulting HTML file to TAC or the IPS developers in case of a problem.

For More Information
For the procedure for putting a file on the Cisco FTP site, see Uploading and Accessing Files on the Cisco FTP Site, page C-102.
Appendix D
CLI Error Messages

This appendix lists the CLI error messages and CLI validation error messages. It contains the following sections:
• CLI Error Messages, page D-1
• CLI Validation Error Messages, page D-6

CLI Error Messages

Table D-1 describes CLI error messages.
Table D-1 CLI Error Messages (continued)

Error Message: The filename is not a valid upgrade file type.
Reason: Attempt to install the wrong file for your platform and version.
Command: upgrade

Error Message: idsPackageMgr: digital signature of the update was not valid
Reason: The signature update or service pack upgrade is corrupt. Contact TAC.

Error Message: Cannot create a new event-action-rules configuration.
Reason: “rules0” is currently the only configuration allowed.
Table D-1 CLI Error Messages (continued)

Error Message: Packet-file does not exist.
Reason: The user attempted to copy or erase the packet-file but no packet-file has been captured.
Command: copy, erase

Error Message: No downgrade available.
Reason: The user attempted to downgrade a system that has not been upgraded.
Command: downgrade

Error Message: No packet-file available.
Reason: The user attempted to display the file-info or the packet-file but no packet-file exists.
Table D-1 CLI Error Messages (continued)

Error Message: You do not have permission to terminate the requested CLI session.
Reason: An operator or viewer user attempted to terminate a CLI session belonging to another user.
Command: clear line

Error Message: Invalid CLI ID specified, use the 'show users all' command to view the valid CLI session IDs.
Reason: The user attempted to cancel a CLI session that does not exist.
Appendix D CLI Error Messages CLI Error Messages 2. This error only occurs on platforms that do not support virtual policies. 3. This error only occurs on platforms that do not support virtual policies. Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.
CLI Validation Error Messages
Table D-2 describes the validation error messages.

Table D-2 Validation Error Messages

Error Message: Interface ‘name’ has not been subdivided.
Reason/Location: The physical interface or inline interface name subinterface type is none (service interface submode).

Error Message: Interface ‘name’ subinterface ‘num’ does not exist.

Error Message: Interface already assigned to virtual sensor ‘vsname.’
Reason/Location: The interface and optional sub-interface being added to the virtual sensor entry physical interface set has already been assigned to another virtual sensor entry.

Error Message: The instance cannot be removed. Instance assigned to virtual sensor ‘vsname.
GLOSSARY
Revised: April 25, 2013

Numerals
3DES: Triple Data Encryption Standard. A stronger version of DES, which is the default encryption method for SSH version 1.5. Used when establishing an SSH session with the sensor. It can be used when the sensor is managing a device.
802.x: A set of IEEE standards for the definition of LAN protocols.

A
AAA: authentication, authorization, and accounting. Pronounced “triple a.” The primary and recommended method for access control in Cisco devices.
ASA 5500-X IPS SSP: Intrusion Prevention System Security Services Processor. The IPS runs as a service, and the ASA controls sending and receiving traffic to and from the IPS. The IPS services processor monitors and performs real-time analysis of network traffic by looking for anomalies and misuse based on an extensive, embedded signature library.
ASDM: Adaptive Security Device Manager. A web-based application that lets you configure and manage your adaptive security device.
ASN.1: Abstract Syntax Notation 1. Standard for data presentation.
aspect version: Version information associated with a group of IDIOM default configuration settings. For example, Cisco Systems publishes the standard set of attack signatures as a collection of default settings with the S aspect.
B
BIOS: Basic Input/Output System. The program that starts the sensor and communicates between the devices in the sensor and the system.
blackhole: Routing term for an area of the internetwork where packets enter, but do not emerge, due to adverse conditions or poor system configuration within a portion of the network.
block: The ability of the sensor to direct a network device to deny entry to all packets from a specified network host or network.

C
cidDump: A script that captures a large amount of information including the IPS processes list, log files, OS information, directory listings, package information, and configuration files.
CIDEE: Cisco Intrusion Detection Event Exchange. Specifies the extensions to SDEE that are used by Cisco IPS systems. The CIDEE standard specifies all possible extensions that may be supported by Cisco IPS systems.
CIDS header: The header that is attached to each packet in the IPS system.
CSA MC: Cisco Security Agent Management Center. CSA MC receives host posture information from the CSA agents it manages. It also maintains a watch list of IP addresses that it has determined should be quarantined from the network.
CSM: Cisco Security Manager, the provisioning component of the Cisco Self-Defending Networks solution. CS-Manager is fully integrated with CS-MARS.
CS-MARS: Cisco Security Monitoring, Analysis and Reporting System.

D
DIMM: Dual In-line Memory Modules.
DMZ: demilitarized zone. A separate network located in the neutral zone between a private (inside) network and a public (outside) network.
DNS: Domain Name System. An Internet-wide hostname to IP address mapping. DNS enables you to convert human-readable names into the IP addresses needed for network packets.
DoS: Denial of Service. An attack whose goal is just to disrupt the operation of a specific system or network.
DRAM: dynamic random-access memory.
F
fail closed: Blocks traffic on the device after a hardware failure.
fail open: Lets traffic pass through the device after a hardware failure.
false negative: A signature is not fired when offending traffic is detected.
false positive: Normal traffic or a benign action causes a signature to fire.
Fast Ethernet: Any of a number of 100-Mbps Ethernet specifications.
FQDN: Fully Qualified Domain Name. A domain name that specifies its exact location in the tree hierarchy of the DNS. It specifies all domain levels, including the top-level domain, relative to the root domain. A fully qualified domain name is distinguished by this absoluteness in the name space.
FWSM: Firewall Security Module. A module that can be installed in a Catalyst 6500 series switch. It uses the shun command to block. You can configure the FWSM in either single mode or multi-mode.
H
hardware bypass: A specialized interface card that pairs physical interfaces so that when a software error is detected, a bypass mechanism is engaged that directly connects the physical interfaces and allows traffic to flow through the pair. Hardware bypass passes traffic at the network interface and does not pass it to the IPS system.
host block: ARC blocks all traffic from a given IP address.
HTTP: Hypertext Transfer Protocol.

I
intrusion detection system: IDS. A security service that monitors and analyzes system events to find and provide real-time or near real-time warning of attempts to access system resources in an unauthorized manner.
IP address: 32-bit address assigned to hosts using TCP/IP. An IP address belongs to one of five classes (A, B, C, D, or E) and is written as 4 octets separated by periods (dotted decimal format).
L
LACP: Link Aggregation Control Protocol. LACP aids in the automatic creation of EtherChannel links by exchanging LACP packets between LAN ports. This protocol is defined in IEEE 802.3ad.
LAN: Local Area Network. Refers to the Layer 2 network domain local to a given host. Packets exchanged between two hosts on the same LAN do not require Layer 3 routing.
Layer 2 Processor: A processor in the IPS. Processes layer 2-related events.

M
MIB: Management Information Base. Database of network management information that is used and maintained by a network management protocol, such as SNMP or CMIP. The value of a MIB object can be changed or retrieved using SNMP or CMIP commands, usually through a GUI network management system. MIB objects are organized in a tree structure that includes public (standard) and private (proprietary) branches.
MIME: Multipurpose Internet Mail Extension.

N
network device: A device that controls IP traffic on a network and can block an attacking host. An example of a network device is a Cisco router or PIX Firewall.
network participation: Networks contributing learned information to the global correlation database.
network participation client: The software component of CollaborationApp that sends data to the SensorBase Network.
never block address: Hosts and networks you have identified that should never be blocked.
P
P2P: Peer-to-Peer. P2P networks use nodes that can simultaneously function as both client and server for the purpose of file sharing.
packet: Logical grouping of information that includes a header containing control information and (usually) user data. Packets most often are used to refer to network layer units of data.
ping: packet internet groper. Often used in IP networks to test the reachability of a network device. It works by sending ICMP echo request packets to the target host and listening for echo response replies.
PIX Firewall: Private Internet Exchange Firewall. A Cisco network security device that can be programmed to block/enable addresses and ports between networks.
PKI: Public Key Infrastructure. Authentication of HTTP clients using the clients' X.509 certificates.
R
RBCP: Router Blade Control Protocol. RBCP is based on SCP, but modified specifically for the router application. It is designed to run over Ethernet interfaces and uses 802.2 SNAP encapsulation for messages.
reassembly: The putting back together of an IP datagram at the destination after it has been fragmented either at the source or at an intermediate node.
recovery package: An IPS package file that includes the full application image and installer used for recovery on sensors.
RTT: round-trip time. A measure of the time delay imposed by a network on a host from the sending of a packet until acknowledgement of the receipt.
RU: rack unit. A rack is measured in rack units. An RU is equal to 44 mm or 1.75 inches.

S
SCP: Switch Configuration Protocol. Cisco control protocol that runs directly over the Ethernet.
SCEP: Simple Certificate Enrollment Protocol. The Cisco Systems PKI communication protocol that leverages existing technology by using PKCS#7 and PKCS#10.
shared secret: A piece of data known only to the parties involved in a secure communication. The shared secret can be a password, a passphrase, a big number, or an array of randomly chosen bytes.
shun command: Enables a dynamic response to an attacking host by preventing new connections and disallowing packets from any existing connection. It is used by ARC when blocking with a PIX Firewall.
Signature Analysis Processor: A processor in the IPS.
SNAP: Subnetwork Access Protocol. Internet protocol that operates between a network entity in the subnetwork and a network entity in the end system. SNAP specifies a standard method of encapsulating IP datagrams and ARP messages on IEEE networks. The SNAP entity in the end system makes use of the services of the subnetwork and performs three key functions: data transfer, connection management, and QoS selection.
sniffing interface: See sensing interface.
SNMP: Simple Network Management Protocol.
String engine: A signature engine that provides regular expression-based pattern inspection and alert functionality for multiple transport protocols, including TCP, UDP, and ICMP.
subsignature: A more granular representation of a general signature. It typically further defines a broad scope signature.
surface mounting: Refers to attaching rubber feet to the bottom of a sensor when it is installed on a flat surface.
T
terminal server: A router with multiple, low speed, asynchronous ports that are connected to other serial devices. Terminal servers can be used to remotely manage network equipment, including sensors.
TFN: Tribe Flood Network. A common type of DoS attack that can take advantage of forged or rapidly changing source IP addresses to allow attackers to thwart efforts to locate or filter the attacks.
TFN2K: Tribe Flood Network 2000.
trusted certificate: Certificate upon which a certificate user relies as being valid without the need for validation testing; especially a public-key certificate that is used to provide the first public key in a certification path.
trusted key: Public key upon which a user relies; especially a public key that can be used as the first public key in a certification path.
tune: Adjusting signature parameters to modify an existing signature.

U
UDI: Unique Device Identifier.
V
virtual sensor: A logical grouping of sensing interfaces and the configuration policy for the signature engines and alarm filters to apply to them. In other words, multiple virtual sensors can run on the same appliance, each configured with different signature behavior and traffic feeds.
virtualized sensing interface: A virtualized interface that has been divided into subinterfaces, each of which consists of a group of VLANs.

W
Web Server: A component of the IPS. Waits for remote HTTP client requests and calls the appropriate servlet application.
WHOIS: A TCP-based query/response protocol used for querying an official database to determine the owner of a domain name or an IP address.
Wireshark: Wireshark is a free network protocol analyzer for UNIX and Windows. It lets you examine data from a live network or from a capture file on disk.