Index
Numerics
4GE bypass interface card
configuration restrictions 4-10
described 4-10
802.1q encapsulation
VLAN groups 4-13
A
accessing IPS software 18-2
access list
misconfiguration C-26
necessary hosts 2-3
ACLs
adding 2-3
described 11-3
Post-Block 11-17, 11-18
Pre-Block 11-17, 11-18
Active Host Blocks pane
configuring 15-7
described 15-6
field descriptions 15-6
user roles 15-6
ad0 pane
default 9-9
described 9-9
tabs 9-9
Add ACL Entry dialog box field descriptions 2-4
Add Active Host Block dialog box field descriptions 15-7
Add Allowed Host dialog box
field descriptions 3-5
user roles 3-4
Add Authorized Key dialog box
field descriptions 10-3
user roles 10-2
Add Blocking Device dialog box
field descriptions 11-15
user roles 11-14
Add Cat 6K Blocking Device Interface dialog box
field descriptions 11-22
user roles 11-21
Add Configured OS Map dialog box field descriptions 6-21, 8-22
Add Destination Port dialog box field descriptions 9-16, 9-17, 9-23, 9-24, 9-30, 9-31
Add Device Login Profile dialog box
field descriptions 11-12
user roles 11-12
Add Event Action Filter dialog box
field descriptions 6-13, 8-15
user roles 6-13, 8-15
Add Event Action Override dialog box
field descriptions 6-10, 8-13
user roles 6-10, 8-12
Add Event Variable dialog box
field descriptions 6-24, 8-25
user roles 6-23, 6-25, 8-25
Add External Product Interface dialog box
field descriptions 13-6
user roles 13-5
Add Histogram dialog box field descriptions 9-16, 9-17, 9-23, 9-24, 9-30, 9-31
adding
ACLs 2-3
active host blocks 15-7
a host never to be blocked 11-11
anomaly detection policies 9-9
CSA MC interfaces 13-7
denied attackers 15-5
event action filters 6-14, 8-16
event action overrides 8-13
event action rules policies 8-11
event variables 6-24, 8-26
external product interfaces 13-7
network blocks 15-9
OS maps 6-21, 8-23
risk categories 6-26, 8-28
signature definition policies 5-2
signatures 5-12
signature variables 5-25
target value rating 6-17, 8-19
virtual sensors 2-12, 6-10
Add Inline VLAN Pair dialog box field descriptions 2-10, 4-20
Add Interface Pair dialog box field descriptions 4-18
Add IP Logging dialog box field descriptions 15-13
Add Known Host Key dialog box
field descriptions 10-5
user roles 10-4
Add Master Blocking Sensor dialog box
field descriptions 11-25
user roles 11-24
Add Network Block dialog box field descriptions 15-9
Add Never Block Address dialog box
field descriptions 11-10
user roles 11-7
Add Policy dialog box field descriptions 5-2, 8-11, 9-8
Add Posture ACL dialog box field descriptions 13-7
Add Protocol Number dialog box field descriptions 9-18, 9-25, 9-32
Add Rate Limit dialog box
field descriptions 15-11
user role 15-10
Address Resolution Protocol see ARP
Add Risk Level dialog box field descriptions 6-26, 8-28
Add Router Blocking Device Interface dialog box
field descriptions 11-19
user roles 11-16
Add Signature dialog box field descriptions 5-7
Add Signature Variable dialog box
field descriptions 5-24
user roles 5-24
Add SNMP Trap Destination dialog box field descriptions 12-4
Add Target Value Rating dialog box
field descriptions 6-17, 8-19
user roles 6-16, 8-18
Add Trusted Host dialog box
field descriptions 10-10
user roles 10-9
Add User dialog box
field descriptions 3-16
user roles 3-16
Add Virtual Sensor dialog box
described 2-12, 6-9
field descriptions 2-12, 6-9
Add VLAN Group dialog box field descriptions 4-23
Advanced Alert Behavior Wizard
Alert Dynamic Response Fire All window field descriptions 7-26
Alert Dynamic Response Fire Once window field descriptions 7-27
Alert Dynamic Response Summary window field descriptions 7-27
Alert Summarization window field descriptions 7-26
Event Count and Interval window field descriptions 7-25
Global Summarization window field descriptions 7-28
AIC engine
AIC FTP B-11
AIC HTTP B-11
described B-11
features B-11
signature categories 5-28
signatures (example) 5-36
AIC FTP engine parameters (table) B-12
AIC HTTP engine parameters (table) B-11
AIC policy configuration 5-35
AIC policy enforcement
default configuration 5-29, B-11
described 5-29, B-10
sensor oversubscription 5-29, B-11
AIM-IPS
initializing 16-12
installing system image 19-21
logging in 17-4
session command 17-4
sessioning 17-3, 17-4
setup command 16-12
time sources 3-7, C-16
AIP SSM
Deny Connection Inline 8-10
Deny Packet Inline 8-10
password recovery 14-6, C-10
Reset TCP Connection 8-10
resetting the password 14-7, C-11
TCP reset packets 8-10
AIP-SSM
bypass mode 4-25
Deny Connection Inline C-70
Deny Packet Inline C-70
initializing 16-15
installing system image 19-25
logging in 17-6
Normalizer engine B-23, C-69
recovering C-67
reimaging 19-24
Reset TCP Connection C-70
resetting C-66
session command 17-6
setup command 16-15
TCP reset packets C-70
time sources C-17
Alarm Channel described 8-6, A-26
alert and log actions (list) 8-7
alert behavior normal 7-25
alert frequency
aggregation 5-18
configuring 5-19
controlling 5-18
modes B-6
Allowed Hosts/Networks pane
configuring 3-5
described 3-4
field descriptions 3-5
alternate TCP reset interface configuration restrictions 4-8
Analysis Engine
described 6-2
error messages C-23
IDM exits C-56
virtual sensors 6-2
anomaly detection
asymmetric environment 9-2, 9-35
caution 9-2, 9-35
configuration sequence 9-4
default configuration (example) 9-4
described 9-2
detect mode 9-3
disabling C-20
event actions 9-6, B-50
inactive mode 9-3
learning process 9-3
limiting false positives 9-12, 15-16
protocols 9-2
signatures 9-6
signatures (table) 9-6, B-50
turning off 9-35
worm attacks 9-12, 15-16
worms 9-2
zones 9-4
Anomaly Detection pane
button functions 15-16
field descriptions 15-16
overview 15-15
user roles 15-15
anomaly detection policies
ad0 9-8
adding 9-9
cloning 9-9
default policy 9-8
deleting 9-9
user roles 9-8
Anomaly Detections pane
described 9-8
field descriptions 9-8
user roles 9-8
appliances
application partition image 19-11
GRUB menu 14-4, C-8
initializing 16-7
logging in 17-1
password recovery 14-4, C-8
terminal servers
described 17-2, 19-13
setting up 17-2, 19-13
time sources 3-7, C-16
upgrading recovery partition 19-5
Application Inspection and Control see AIC
application partition
described A-3
image recovery 19-11
application policy enforcement
described 5-29, B-10
disabled (default) 5-29
applications and XML format A-2
applying software updates C-53
ARC
ACLs 11-18, A-13
authentication A-14
blocking
application 11-2
connection-based A-16
not occurring for signature C-42
unconditional blocking A-16
block response A-13
Catalyst 6000 series switch
VACL commands A-18
VACLs A-18
Catalyst switches
VACLs A-15
VLANs A-15
checking status 11-3, 11-4
described A-3
design 11-2
device access issues C-39
enabling SSH C-42
features A-13
firewalls
AAA A-17
connection blocking A-17
NAT A-18
network blocking A-17
postblock ACL A-15
preblock ACL A-15
shun command A-17
TACACS+ A-18
formerly Network Access Controller 11-1, 11-3
functions 11-2
illustration A-12
inactive state C-38
interfaces A-13
maintaining states A-16
managed devices 11-7
master blocking sensors A-13
maximum blocks 11-2
misconfigured MBS C-43
nac.shun.txt file A-16
NAT addressing A-14
number of blocks A-14
postblock ACL A-15
preblock ACL A-15
prerequisites 11-5
rate limiting 11-4
responsibilities A-12
single point of control A-14
SSH A-13
supported devices 11-5, A-15
Telnet A-13
troubleshooting C-36
VACLs A-13
verifying device interfaces C-41
verifying status C-37
ARP
Layer 2 signatures B-13
protocol B-13
ARP spoof tools
dsniff B-13
ettercap B-13
ASDM
resetting passwords 14-8, C-12
Assign Actions dialog box
button functions 5-9
field descriptions 5-9
assigning actions to signatures 5-16
asymmetric environment and anomaly detection 9-2, 9-35
asymmetric traffic and disabling anomaly detection C-20
Atomic ARP engine
described B-13
parameters (table) B-13
Atomic IP engine
described 7-14, B-13
parameters (table) B-13
Atomic IPv6 engine
described B-14
Neighborhood Discovery protocol B-14
signatures B-14
signatures (table) B-15
attack relevance rating
calculating risk rating 6-5, 8-3
described 6-5, 6-18, 8-3, 8-20
Attack Response Controller
described A-3
formerly known as Network Access Controller A-3
See ARC
attack severity rating
calculating risk rating 6-5, 8-3
described 6-5, 8-3
authenticated NTP 3-6, 3-13, C-16
AuthenticationApp
authenticating users A-20
described A-3
login attempt limit A-20
method A-20
responsibilities A-20
secure communications A-21
sensor configuration A-20
Authorized Keys pane
configuring 10-3
described 10-2
field descriptions 10-2
RSA authentication 10-2
RSA key generation tool 10-3
Auto/Cisco.com Update pane
configuring 14-19
field descriptions 14-18
automatic setup 16-1
automatic updates
Cisco.com 14-17
servers
FTP 14-17
SCP 14-17
troubleshooting C-53
automatic upgrade
information required 19-6
autonegotiation and hardware bypass 4-11
Auto Update and UNIX-style directory listings 14-17
Auto Update pane
button functions 14-18
described 14-17
field descriptions 14-18
user roles 14-17
auto-upgrade-option command 19-6
B
backing up
configuration C-3
current configuration C-4, C-5
BackOrifice. See BO.
BackOrifice 2000. See BO2K.
basic setup 16-3
blocking
described 11-2
disabling 11-8
master blocking sensor 11-24
necessary information 11-3
not occurring for signature C-42
prerequisites 11-5
supported devices 11-5
types 11-2
Blocking Devices pane
configuring 11-15
described 11-14
field descriptions 11-14
ssh host-key command 11-15
Blocking Properties pane
adding a host never to be blocked 11-11
configuring 11-9
described 11-7
field descriptions 11-8
BO
described B-52
Trojans B-52
BO2K
described B-52
Trojans B-52
Bug Toolkit
described C-1
URL C-1
bypass mode
AIP-SSM 4-25
described 4-24
Bypass pane field descriptions 4-25
C
calculating risk rating
attack relevance rating 6-5, 8-3
attack severity rating 6-5, 8-3
promiscuous delta 6-5, 8-3
signature fidelity rating 6-5, 8-3
target value rating 6-5, 8-3
watch list rating 6-5, 8-3
cannot access sensor C-24
Cat 6K Blocking Device Interfaces pane
configuring 11-23
described 11-21
field descriptions 11-22
CDP described 4-27
CDP Mode pane
configuring 4-28
field descriptions 4-28
certificates
displaying 10-11
Firefox 1-6
generating 10-11
IDM 1-5, 10-8
Internet Explorer 1-6
changing Microsoft IIS to UNIX-style directory listings 14-18
cidDump and obtaining information C-93
CIDEE
defined A-33
example A-34
IPS extensions A-33
protocol A-33
supported IPS events A-34
cisco
default password 17-1
default username 17-1
Cisco.com
accessing software 18-2
downloading software 18-1
IPS software 18-1, 18-3
software downloads 18-1
Cisco IOS and rate limiting 11-4
Cisco IPS 6.1 files 19-3
Cisco IPS software new features A-3
Cisco Security Intelligence Operations
described 18-9
URL 18-9
Cisco Services for IPS
service contract 1-8, 14-12
supported products 1-8, 14-12
clear events command 3-11, 3-15, 15-4, C-18, C-93
Clear Flow States pane described 15-26
clearing
events 3-15, 15-4, C-93
flow states 15-27
statistics C-79
clear password command 14-6, 14-8, C-10, C-13
CLI described A-3, A-27
clock set command 3-15
Clone Event Action Rules dialog box field descriptions 8-11
Clone Policy dialog box field descriptions 5-2, 9-8
Clone Signature dialog box field descriptions 5-7
cloning
anomaly detection policies 9-9
event action rules policies 8-11
signature definition policies 5-2
signatures 5-14
command and control interface
described 4-2
list 4-2
commands
auto-upgrade-option 19-6
clear events 3-11, 3-15, 15-4, C-18, C-93
clear password 14-6, 14-8, C-10, C-13
clock set 3-15
copy backup-config C-3
copy current-config C-3
debug module-boot C-67
downgrade 19-10
hw-module module 1 reset C-66
hw-module module slot_number password-reset 14-6, C-11
session 17-4, 17-9
setup 3-1, 16-1, 16-3, 16-7, 16-12, 16-15, 16-20, 16-24
show events C-90
show health C-71
show module 1 details C-66
show settings 14-11, C-15
show statistics C-78
show statistics virtual-sensor C-23, C-78
show tech-support C-72
show version C-76
upgrade 19-3, 19-5
Compare Knowledge Bases dialog box field descriptions 15-19
comparing KBs 15-19, 15-20
configuration files
backing up C-3
merging C-3
configuration restrictions
alternate TCP reset interface 4-8
inline interface pairs 4-8
inline VLAN pairs 4-8
interfaces 4-8
physical interfaces 4-8
VLAN groups 4-9
Configured OS Map dialog box user roles 6-20, 8-20
Configure Summertime dialog box field descriptions 2-4, 3-9
configuring
active host blocks 15-7
AIC policy parameters 5-35
allowed hosts 3-5
allowed networks 3-5
application policy 5-36
authorized keys 10-3
automatic upgrades 19-8
blocking devices 11-15
blocking properties 11-9
Cat 6K blocking device interfaces 11-23
CDP Mode 4-28
CSA MC for IPS interfaces 13-4
device login profiles 11-13
event action filters 6-14, 8-16
events 15-3
event variables 6-24, 8-26
external zone 9-32
general settings 6-29, 8-30
illegal zone 9-25
inline VLAN pairs 2-10
interface pairs 4-18
interfaces 4-16
internal zone 9-18
IP fragment reassembly signatures 5-40
IP logging 15-14
known host keys 10-6
learning accept mode 9-13
maintenance partition
IDSM-2 (Catalyst software) 19-29
IDSM-2 (Cisco IOS software) 19-33
master blocking sensor 11-25
network blocks 15-9
network settings 3-3
NTP servers 3-12
operation settings 9-10
OS maps 6-21, 8-23
rate limiting 15-11
rate limiting devices 11-15
risk categories 6-26, 8-28
router blocking device interfaces 11-20
Sensor Setup window 2-4
sensor to use NTP 3-13
SNMP 12-3
SNMP traps 12-5
target value rating 6-17, 8-19
TCP fragment reassembly parameters 5-47
time 3-10
traffic flow notifications 4-27
trusted hosts 10-10
upgrades 19-4
users 3-18
VLAN groups 4-23
VLAN pairs 4-21
control transactions
characteristics A-8
request types A-8
cookies and IDM 1-5
copy backup-config command C-3
copy current-config command C-3
correcting time on the sensor 3-11, C-18
creating
custom signatures
not using signature engines 7-3
Service HTTP 7-16
String TCP 7-21
using signature engines 7-1
Post-Block VACLs 11-21
Pre-Block VACLs 11-21
service account C-6
cryptographic account
Encryption Software Export Distribution Authorization from 18-2
obtaining 18-2
cryptographic features and IDM 1-1
cryptographic products and IDM 1-1
CSA MC
adding interfaces 13-7
configuring IPS interfaces 13-4
host posture events 13-1, 13-3
quarantined IP address events 13-1
supporting IPS interfaces 13-3
CtlTransSource
described A-2, A-11
illustration A-11
current configuration backup C-3
current KB settings 15-21
custom signatures described 5-5
Custom Signature Wizard
Alert Response window field descriptions 7-25
Atomic IP Engine Parameters window field descriptions 7-14
described 7-1
ICMP Traffic Type window field descriptions 7-13
Inspect Data window field descriptions 7-13
MSRPC Engine Parameters window field descriptions 7-12
no signature engine sequence 7-3
protocols 7-11
Protocol Type window field descriptions 7-11
Service HTTP Engine Parameters window field descriptions 7-15
Service RPC Engine Parameters window field descriptions 7-18
Service Type window field descriptions 7-13
signature engine sequence 7-1
signature identification 7-11
Signature Identification window field descriptions 7-12
State Engine Parameters window field descriptions 7-19
String ICMP Engine Parameters window field descriptions 7-20
String TCP Engine Parameters window field descriptions 7-20
String UDP Engine Parameters window field descriptions 7-23
Sweep Engine Parameters window field descriptions 7-24
TCP Sweep Type window field descriptions 7-14
TCP Traffic Type window field descriptions 7-13
UDP Sweep Type window field descriptions 7-13
UDP Traffic Type window field descriptions 7-13
Welcome window field descriptions 7-11
D
data structures (examples) A-7
DDoS
protocols B-52
Stacheldraht B-52
TFN B-52
debug logging enabling C-45
debug-module-boot command C-67
default
KB filename 9-11
password 17-1
policies (ad0) 9-8
policies (rules0) 8-11
policies (sig0) 5-2
username 17-1
virtual sensor (vs0) 6-2
defaults restoring 14-23
deleting
anomaly detection policies 9-9
event action filters 6-14, 8-16
event action overrides 8-13
event action rules policies 8-11
event variables 6-24, 8-26
imported OS values 15-26
KBs 15-22
learned OS values 15-25
OS maps 6-21, 8-23
risk categories 6-26, 8-28
signature definition policies 5-2
signature variables 5-25
target value rating 6-17, 8-19
virtual sensors 6-10
Denial of Service. See DoS.
denied attackers
adding 15-5
clearing list 15-5
hit count 15-4
resetting hit counts 15-5
Denied Attackers pane
described 15-4
field descriptions 15-5
user roles 15-4
using 15-5
deny actions (list) 8-8
Deny Packet Inline described 8-9, B-8
detect mode and anomaly detection 9-3
device access issues C-39
Device Login Profiles pane
configuring 11-13
described 11-12
field descriptions 11-12
devices 11-15
Diagnostics Report pane
button functions 15-29
described 15-29
user roles 15-29
using 15-29
diagnostics reports 15-29
Differences between knowledge bases KB_Name and KB_Name window field descriptions 15-19
disabling
anomaly detection C-20
blocking 11-8
interfaces 4-16
password recovery 14-10, C-14
disaster recovery C-6
displaying
events C-91
health status C-72
password recovery setting 14-11, C-15
statistics C-79
tech support information C-73
version C-76
Distributed Denial of Service see DDoS
DoS tools stick B-6
downgrade command 19-10
downgrading sensors 19-10
downloading
KBs 15-23
software 18-1
Download Knowledge Base From Sensor dialog box
described 15-23
field descriptions 15-23
duplicate IP addresses C-27
E
Edit Actions dialog box field descriptions 5-9
Edit Allowed Host dialog box
field descriptions 3-5
user roles 3-4
Edit Authorized Key dialog box
field descriptions 10-3
user roles 10-2
Edit Blocking Device dialog box
field descriptions 11-15
user roles 11-14
Edit Cat 6K Blocking Device Interface dialog box
field descriptions 11-22
user roles 11-21
Edit Configured OS Map dialog box field descriptions 6-21, 8-22
Edit Destination Port dialog box field descriptions 9-16, 9-17, 9-23, 9-24, 9-30, 9-31
Edit Device Login Profile dialog box
field descriptions 11-12
user roles 11-12
Edit Event Action Filter dialog box
field descriptions 6-13, 8-15
user roles 6-13, 8-15
Edit Event Action Override dialog box
field descriptions 6-10, 8-13
user roles 6-10, 8-12
Edit Event Variable dialog box
field descriptions 6-24, 8-25
user roles 6-23, 6-25, 8-25
Edit External Product Interface dialog box
field descriptions 13-6
user roles 13-5
Edit Histogram dialog box field descriptions 9-16, 9-17, 9-23, 9-24, 9-30, 9-31
editing
event action filters 6-14, 8-16
event action overrides 8-13
event variables 6-24, 8-26
interfaces 4-17
OS maps 6-21, 8-23
risk categories 6-26, 8-28
signatures 5-15
signature variables 5-25
target value rating 6-17, 8-19
virtual sensors 6-10
Edit Inline VLAN Pair dialog box field descriptions 2-10, 4-20
Edit Interface dialog box field descriptions 4-15
Edit Interface Pair dialog box field descriptions 4-18
Edit IP Logging dialog box field descriptions 15-13
Edit Known Host Key dialog box
field descriptions 10-5
user roles 10-4
Edit Master Blocking Sensor dialog box
field descriptions 11-25
user roles 11-24
Edit Never Block Address dialog box
field descriptions 11-10
user roles 11-7
Edit Posture ACL dialog box field descriptions 13-7
Edit Protocol Number dialog box field descriptions 9-18, 9-25, 9-32
Edit Risk Level dialog box field descriptions 6-26, 8-28
Edit Router Blocking Device Interface dialog box
field descriptions 11-19
user roles 11-16
Edit Signature dialog box field descriptions 5-7
Edit Signature Variable dialog box
field descriptions 5-24
user roles 5-24
Edit SNMP Trap Destination dialog box field descriptions 12-4
Edit Target Value Rating dialog box
field descriptions 6-17, 8-19
user roles 6-16, 8-18
Edit User dialog box
field descriptions 3-16
user roles 3-16
Edit Virtual Sensor dialog box
field descriptions 6-9
user roles 6-9
Edit VLAN Group dialog box field descriptions 4-23
enabling
debug logging C-45
event action filters 6-14, 8-16
event action overrides 8-13
interfaces 4-16
Encryption Software Export Distribution Authorization form
cryptographic account 18-2
described 18-2
evAlert A-8
event action filters
adding 6-14, 8-16
configuring 6-14, 8-16
deleting 6-14, 8-16
described 6-12, 8-4
editing 6-14, 8-16
enabling 6-14, 8-16
Event Action Filters tab
button functions 8-15
configuring 6-14, 8-16
described 6-13, 8-15
field descriptions 6-13, 8-15
event action overrides
adding 8-13
deleting 8-13
described 6-4, 8-4
editing 8-13
enabling 8-13
Event Action Overrides tab
described 8-12
field descriptions 8-13
event action rules
functions 8-2
understanding 8-2
Event Action Rules (rules0) pane described 8-12
Event Action Rules pane
described 8-11
field descriptions 8-11
user roles 8-10, 8-11
event action rules policies
adding 8-11
cloning 8-11
deleting 8-11
event action rules variables 8-15
events
configuring display 15-3
displaying C-91
host posture 13-2
quarantined IP address 13-2
Events pane
configuring 15-3
described 15-2
field descriptions 15-2
Event Store
clearing events 3-11, C-18
data structures A-7
described A-2
examples A-7
responsibilities A-7
timestamp A-7
event types C-89
event variables
adding 6-24, 8-26
configuring 6-24, 8-26
deleting 6-24, 8-26
editing 6-24, 8-26
example 6-23, 8-25
Event Variables tab
configuring 6-24, 8-26
described 6-23, 8-25
field descriptions 6-23, 8-25
Event Viewer window field descriptions 15-3
evError A-8
evLogTransaction A-8
evShunRqst A-8
evStatus A-8
examples
ASA failover configuration C-68
external product interfaces
adding 13-7
described 13-1
issues 13-3, C-21
troubleshooting 13-10, C-22
trusted hosts 13-5
External Product Interfaces pane
described 13-5
field descriptions 13-5
external zone
configuring 9-32
protocols 9-29
External Zone tab
described 9-29
tabs 9-29
F
fail-over testing 4-10
false positives described 5-4
files
Cisco IPS 6.1 19-3
IDSM2 password recovery 14-9, C-13
Firefox
certificates 1-6
validating CAs 1-6
Fixed engine described B-15
Fixed ICMP engine parameters (table) B-16
Fixed TCP engine parameters (table) B-17
Fixed UDP engine parameters (table) B-18
Flood engine described B-18
Flood Host engine parameters (table) B-19
Flood Net engine parameters (table) B-19
flow states clearing 15-27
FTP servers supported 14-17, 19-2
G
gadgets and the IDM home pane 1-2
general settings
configuring 6-29, 8-30
described 6-27, 8-29
General tab
configuring 6-29, 8-30
described 6-27, 8-29, 9-15, 9-22
enabling zones 9-15, 9-22
field descriptions 6-28, 8-30
user roles 6-27, 8-29
generating diagnostics reports 15-29
Global Variables pane field description 14-16
GRUB menu password recovery 14-4, C-8
H
H.225.0 protocol B-28
H.323 protocol B-28
hardware bypass
autonegotiation 4-11
configuration restrictions 4-10
fail-over 4-10
IPS 4270-20 4-10
supported configurations 4-10
with software bypass 4-10
health status display C-72
Home pane
device information 1-2
gadgets 1-2
health information 1-2
interface status 1-2
licensing information 1-2
system resources usage 1-2
updating 1-2
host posture events
CSA MC 13-3
described 13-2
HTTP/HTTPS servers supported 14-17, 19-2
HTTP deobfuscation
ASCII normalization 7-15, B-31
described 7-15, B-31
hw-module module 1 reset command C-66
hw-module module slot_number password-reset command 14-6, C-11
I
icons
signature configuration 5-7, 5-14, 5-15, 5-18, 5-21, 5-35, 5-36, 5-39, 5-40, 5-46, 5-47, 5-48, 7-7, 7-17, 7-22
IDAPI
communications A-3, A-30
described A-3
functions A-30
illustration A-30
responsibilities A-30
IDCONF
described A-32
example A-32
RDEP2 A-32
XML A-32
IDIOM
defined A-32
messages A-32
IDM
advisory 1-1
Analysis Engine is busy C-56
certificates 1-5, 10-8
cookies 1-5
cryptographic features 1-1
cryptographic products 1-1
described 1-2, 1-4
GUI 1-2
logging in 1-4
Signature Wizard unsupported signature engines 7-2
supported platforms 1-3
system requirements 1-3
TLS 1-5, 10-8
user interface 1-2
web browsers 1-2, 1-4
will not load C-55
IDSM-2
command and control port C-63
configuring
maintenance partition (Catalyst software) 19-29
maintenance partition (Cisco IOS software) 19-33
initializing 16-20
installing
system image (Catalyst software) 19-27
system image (Cisco IOS software) 19-28
logging in 17-7
reimaging 19-26
setup command 16-20
supported configurations C-60
time sources 3-7, C-16
upgrading
maintenance partition (Catalyst software) 19-37
maintenance partition (Cisco IOS software) 19-37
IDSM2
password recovery 14-9, C-13
password recovery image file 14-9, C-13
TCP reset port C-65
illegal zone configuration 9-25
Illegal Zone tab
described 9-22
user roles 9-22
IME time synchronization problems C-58
Imported OS pane
clearing 15-26
described 15-26
field descriptions 15-26
imported OS values
clearing 15-26
deleting 15-26
inactive mode and anomaly detection 9-3
initializing
AIM-IPS 16-12
AIP-SSM 16-15
appliances 16-7
IDSM-2 16-20
NME-IPS 16-24
sensors 3-1, 16-1, 16-3
verifying 16-27
inline interface pair mode described 4-12
inline interface pairs configuration restrictions 4-8
Inline Interface Pair window
described 2-8
Startup Wizard 2-8
inline VLAN pair mode
described 4-12
supported sensors 4-12
inline VLAN pairs
configuration restrictions 4-8
configuring 2-10
Inline VLAN Pairs window
described 2-9
field descriptions 2-9
Startup Wizard 2-9
installer major version 18-5
installer minor version 18-5
installing
sensor license 1-10, 14-14
system image
AIP-SSM 19-25
IDSM-2 (Catalyst software) 19-27
IDSM-2 (Cisco IOS software) 19-28
IPS-4240 19-14
IPS-4255 19-14
IPS-4260 19-17
IPS 4270-20 19-19
NME-IPS 19-38
InterfaceApp
described A-2, A-19
interactions A-19
NIC drivers A-19
interface pairs
configuring 4-18
described 4-18
Interface Pairs pane
configuring 4-18
described 4-18
field descriptions 4-18
interfaces
alternate TCP reset 4-2
command and control 4-2
configuration restrictions 4-8
configuring 4-16
described 2-7, 4-1
disabling 4-16
editing 4-17
enabling 4-16
logical 2-7
physical 2-7
port numbers 4-1
sensing 4-2, 4-3
slot numbers 4-1
support (table) 4-4
TCP reset 4-6
VLAN groups 4-2
Interface Selection window
described 2-8
Startup Wizard 2-8
Interfaces pane
configuring 4-16
described 4-15
field descriptions 4-15
Interface Summary window described 2-6
internal zone configuration 9-18
Internal Zone tab
described 9-15
user roles 9-14
Internet Explorer and validating certificates 1-6
IP fragmentation described B-22
IP fragment reassembly
configuring 5-39
described 5-37
mode 5-39
parameters (table) 5-38
signatures 5-40
signatures (example) 5-40
signatures (table) 5-38
IP logging
described 5-48, 15-12
event actions 15-13
system performance 15-13
IP Logging pane
configuring 15-14
described 15-13
field descriptions 15-13
user roles 15-13
IP Logging Variables pane described 14-16
IP logs
circular buffer 15-12
Ethereal 15-13
states 15-12
TCP Dump 15-13
viewing 15-14
IPS
external communications A-30
internal communications A-30
IPS-4240
installing system image 19-14
password recovery 14-5, C-9
reimaging 19-14
IPS-4255
installing system image 19-14
password recovery 14-5, C-9
reimaging 19-14
IPS-4260
installing system image 19-17
reimaging 19-17
IPS 4270-20
hardware bypass 4-10
installing system image 19-19
reimaging 19-19
IPS appliances
Deny Connection Inline 8-10, C-70
Deny Packet Inline 8-10, C-70
Reset TCP Connection 8-10, C-70
TCP reset packets 8-10, C-70
IPS applications
summary A-35
table A-35
XML format A-2
IPS data
types A-8
XML document A-8
IPS events
evAlert A-8
evError A-8
evLogTransaction A-8
evShunRqst A-8
evStatus A-8
listed A-8
types A-8
IPS modules
time synchronization 3-8, C-17
unsupported features 2-7
IPS Policies pane
described 6-7
field descriptions 6-8
IPS software
application list A-2
available files 18-1, 18-3
configuring device parameters A-4
directory structure A-34
Linux OS A-1
obtaining 18-1, 18-3
platform-dependent release examples 18-7
retrieving data A-4
security features A-5
tuning signatures A-4
updating A-4
user interaction A-4
IPS software file names
major updates (illustration) 18-4
minor updates (illustration) 18-4
patch releases (illustration) 18-4
service packs (illustration) 18-4
IPv6 described B-14
K
KBs
comparing 15-20
default filename 9-11
deleting 15-22
described 9-3
downloading 15-23
histogram 9-12, 15-15
initial baseline 9-3
learning accept mode 9-11
loading 15-21
monitoring 15-18
renaming 15-22
saving 15-22
scanner threshold 9-12, 15-15
tree structure 9-12, 15-15
uploading 15-24
Knowledge Base. See KB.
Known Host Keys pane
configuring 10-6
described 10-5
field descriptions 10-5
L
Learned OS pane
clearing 15-25
described 15-25
field descriptions 15-25
learned OS values
clearing 15-25
deleting 15-25
learning accept mode
configuring 9-13
user roles 9-11
Learning Accept Mode tab
described 9-11
field descriptions 9-13
user roles 9-11
license files
BSD license D-3
expat license D-12
GNU Lesser license D-22
GNU license D-17
license key
status 1-8, 14-12
trial 1-8, 14-12
licensing
described 1-8, 14-12
IPS device serial number 1-8, 14-12
Licensing pane
button functions 1-9
configuring 1-10, 14-14
described 1-8, 14-12
field descriptions 1-9, 14-13
user roles 1-7, 14-11
limitations on concurrent CLI sessions 17-1
listings UNIX-style 14-17
loading KBs 15-21
LogApp described A-2
Logger
described A-19
functions A-19
syslog messages A-19
logging in
AIM-IPS 17-4
AIP-SSM 17-6
appliances 17-1
IDM 1-4
IDSM-2 17-7
NME-IPS 17-9
sensors
SSH 17-10
Telnet 17-10
terminal servers 17-2, 19-13
LOKI
described B-52
protocol B-52
loose connections on sensors C-22
M
MainApp
components A-5
described A-2, A-5
host statistics A-6
responsibilities A-6
show version command A-6
maintenance partition
configuring
IDSM-2 (Catalyst software) 19-29
IDSM-2 (Cisco IOS software) 19-33
described A-3
major updates described 18-3
managing rate limiting 15-11
manual block to bogus host C-42
master blocking sensor
described 11-24
not set up properly C-43
Master Blocking Sensor pane
configuring 11-25
described 11-24
field descriptions 11-25
Master engine
alert frequency B-6
alert frequency parameters (table) B-6
described B-3
event actions B-7
general parameters (table) B-3
universal parameters B-3
master engine parameters
obsoletes B-5
promiscuous delta B-5
vulnerable OSes B-6
merging configuration files C-3
Meta engine
described 5-21, B-19
parameters (table) B-20
Signature Event Action Processor 5-21, B-19
Meta Event Generator described 6-27, 8-29
MIBs supported 12-6, C-19
minor updates described 18-3
Miscellaneous tab
button functions 5-27
configuring
application policy 5-35
IP fragment reassembly mode 5-39
IP logging 5-48
TCP stream reassembly mode 5-46
described 5-26
field descriptions 5-27
user roles 5-26
modes
anomaly detection detect 9-3
anomaly detection inactive 9-3
bypass 4-24
inline interface pair 4-12
inline VLAN pair mode 4-12
promiscuous 4-11
VLAN Groups 4-13
modify packets inline modes 6-3
monitoring
events 15-3
KBs 15-18
moving OS maps 6-21, 8-23
Multi String engine
described B-20
parameters (table) B-21
Regex B-20
MySDN described 5-5
N
Neighborhood Discovery
options B-14
types B-14
Network Blocks pane
configuring 15-9
described 15-8
field descriptions 15-9
user roles 15-8
Network pane
configuring 3-3
described 3-2
field descriptions 3-2
TLS/SSL 3-3
user roles 3-2
network security health data resetting 15-28
Network Timing Protocol. See NTP.
never block
hosts 11-7
networks 11-7
NME-IPS
initializing 16-24
installing system image 19-38
logging in 17-9
reimaging 19-38
session command 17-9
sessioning 17-8, 17-9
setup command 16-24
time sources 3-7, C-16
Normalizer engine
described B-22
IP fragment reassembly B-22
parameters (table) B-24
TCP stream reassembly B-22
Normalizer mode described 6-4
NotificationApp
alert information A-9
described A-3
functions A-9
SNMP gets A-9
SNMP traps A-9
statistics A-10
system health information A-10
NTP
authenticated 3-6, 3-13, C-16
configuring servers 3-12
described 3-6, C-16
incorrect configuration 3-8, C-17
sensor time source 3-12, 3-13
time synchronization 3-6, C-16
unauthenticated 3-6, 3-13, C-16
O
obsoletes field described B-5
obtaining
cryptographic account 18-2
IPS software 18-1
one-way TCP reset described 6-28, 8-29
operation settings
configuring 9-10
user roles 9-10
Operation Settings tab
described 9-10
field descriptions 9-10
user roles 9-10
OS Identifications tab
described 6-20, 8-20
field descriptions 6-20, 8-22
OS maps
adding 6-21, 8-23
configuring 6-21, 8-23
deleting 6-21, 8-23
editing 6-21, 8-23
moving 6-21, 8-23
other actions (list) 8-9
Other Protocols tab
described 9-17, 9-24, 9-31
enabling other protocols 9-17
external zone 9-31
field descriptions 9-17, 9-31
illegal zone 9-24
P
P2P networks described B-35
partitions
application A-3
maintenance A-3
recovery A-3
passive OS fingerprinting
components 6-18, 8-21
configuring 6-19, 8-22
described 6-18, 8-20
password policy caution 14-2, 14-3
password recovery
AIP-SSM 14-6, C-10
appliances 14-4, C-8
CLI 14-10, C-14
described 14-3, C-8
disabling 14-10, C-14
GRUB menu 14-4, C-8
IDSM-2 14-9, C-13
IPS-4240 14-5, C-9
IPS-4255 14-5, C-9
platforms 14-3, C-8
ROMMON 14-5, C-9
troubleshooting 14-11, C-15
verifying 14-11, C-15
password requirements configuration 14-2
Passwords pane
described 14-1
field descriptions 14-2
patch releases described 18-4
peacetime learning and anomaly detection 9-3
Peer-to-Peer. See P2P.
physical connectivity issues C-30
physical interfaces configuration restrictions 4-8
platforms and concurrent CLI sessions 17-1
policies and platform limitations 5-2, 9-8
Post-Block ACLs 11-17, 11-18
Pre-Block ACLs 11-17, 11-18
prerequisites for blocking 11-5
promiscuous delta
calculating risk rating 6-5, 8-3
described 6-5, 8-3, B-5
promiscuous mode
described 4-11
packet flow 4-11
protocols
ARP B-13
CIDEE A-33
Custom Signature Wizard 7-11
DCE 7-12, B-33
DDoS B-52
H.323 B-28
H225.0 B-28
IDAPI A-30
IDCONF A-32
IDIOM A-32
IPv6 B-14
LOKI B-52
MSSQL B-35
Neighborhood Discovery B-14
Q.931 B-29
RDEP2 A-30
RPC 7-12, B-33
SDEE A-33
Q
Q.931 protocol
described B-29
SETUP messages B-29
quarantined IP address events described 13-2
R
rate limiting
ACLs 11-5
configuring 15-11
described 11-4
managing 15-11
percentages 15-10
routers 11-4
service policies 11-5
supported signatures 11-4
Rate Limits pane
described 15-10
field descriptions 15-10
RDEP2
functions A-30
messages A-30
responsibilities A-31
RDEP event server deprecated A-22
rebooting the sensor 14-23
Reboot Sensor pane
configuring 14-23
described 14-23
user roles 14-23
recover command 19-11
recovering
AIP-SSM C-67
application partition image 19-11
recovery partition
described A-3
upgrading 19-5
Regular Expression. See Regex.
regular expression syntax signatures B-8
reimaging
AIP-SSM 19-24
appliances 19-11
described 19-1
IDSM-2 19-26
IPS-4240 19-14
IPS-4255 19-14
IPS-4260 19-17
IPS 4270-20 19-19
NME-IPS 19-38
sensors 18-8, 19-1
removing
last applied
service pack 19-10
signature update 19-10
renaming KBs 15-22
Reset Network Security Health pane described 15-28
reset not occurring for a signature C-50
resetting
AIP-SSM C-66
network security health data 15-28
passwords
AIP-SSM 14-7, C-11
ASDM 14-8, C-12
hw-module command 14-6, C-11
Restore Default Interface dialog box field descriptions 2-8
Restore Defaults pane
configuring 14-23
described 14-23
user roles 14-23
restoring
current configuration C-4, C-5
defaults 14-23
retiring signatures 5-12
retrieving events through RDEP2 (illustration) A-31
risk categories
adding 6-26, 8-28
configuring 6-26, 8-28
deleting 6-26, 8-28
editing 6-26, 8-28
Risk Category tab
configuring 6-26, 8-28
described 6-25, 8-27
field descriptions 6-26, 8-27
risk rating
calculating 6-4, 8-2
described 6-18, 8-20
ROMMON
described 19-12
IPS-4240 19-14
IPS-4255 19-14
IPS-4260 19-17
IPS-4270 19-17
IPS 4270-20 19-19
password recovery 14-5, C-9
remote sensors 19-12
serial console port 19-12
TFTP 19-13
round-trip time. See RTT.
Router Blocking Device Interfaces pane
configuring 11-20
described 11-17
field descriptions 11-19
RPC portmapper 7-18, B-36
RTT
described 19-13
TFTP limitation 19-13
S
Save Knowledge Base dialog box
described 15-21
field descriptions 15-21
saving KBs 15-22
scheduling automatic upgrades 19-8
SDEE
described A-33
HTTP A-33
protocol A-33
server requests A-33
security
information on Cisco Security Intelligence Operations 18-9
security and SSH 10-1
security information MySDN 5-5
security policies described 5-1, 6-1, 8-1, 9-1
sending commands through RDEP2 (illustration) A-31
sensing interfaces
described 4-3
interface cards 4-3
modes 4-3
sensor
blocking itself 11-7
not seeing packets C-33
process not running C-28
SensorApp
6.1 new features A-25
Alarm Channel A-24
Analysis Engine A-24
described A-3
event action filtering A-25
inline packet processing A-24
IP normalization A-24
packet flow A-25
processors A-22
responsibilities A-22
risk rating A-25
Signature Event Action Processor A-23
TCP normalization A-24
Sensor Health pane
described 14-15
field descriptions 14-15
Sensor Key pane
button functions 10-7
described 10-7
field descriptions 10-7
sensor SSH key
displaying 10-7
generating 10-7
user roles 10-7
sensors
access problems C-24
asymmetric traffic and disabling anomaly detection C-20
configuring to use NTP 3-13
corrupted SensorApp configuration C-35
diagnostics reports 15-29
disaster recovery C-6
downgrading 19-10
incorrect NTP configuration 3-8, C-17
initializing 3-1, 16-1, 16-3
interface support 4-4
IP address conflicts C-27
license 1-10, 14-14
logging in
SSH 17-10
Telnet 17-10
loose connections C-22
misconfigured access lists C-26
no alerts C-32, C-57
not seeing packets C-33
NTP time source 3-13
NTP time synchronization 3-6, C-16
partitions A-3
physical connectivity C-30
preventive maintenance C-2
rebooting 14-23
recovering the system image 18-8
reimaging 18-8, 19-1
restoring defaults 14-23
sensing process not running C-28
setting up 3-1
setup command 3-1, 16-1, 16-3, 16-7
shutting down 14-24
statistics 15-30
system images 18-8
system information 15-31
time sources 3-6, C-16
troubleshooting software upgrades C-54
updating 14-19, 14-21
using NTP time source 3-12
Sensor Setup window
described 2-2
Startup Wizard 2-2
Server Certificate pane
button functions 10-11
certificate
displaying 10-11
generating 10-11
described 10-11
field descriptions 10-11
user roles 10-11
service account
creating C-6
described 3-17, A-29, C-5
TAC A-29
troubleshooting A-29
Service DNS engine
described B-25
parameters (table) B-25
Service engine
described B-24
Layer 5 traffic B-24
Service FTP engine
described B-26
parameters (table) B-27
PASV port spoof B-26
Service Generic engine
described B-27
parameters (table) B-28
Service H225 engine
ASN.1PER validation B-29
described B-28
features B-29
parameters (table) B-30
TPKT validation B-29
Service HTTP engine
custom signature 7-16
described 7-15, B-31
example signature 7-16
parameters (table) B-31
Service IDENT engine
described B-33
parameters (table) B-33
service-module ids-sensor slot/port session command 17-3, 17-8
Service MSRPC engine
DCE/RPC protocol 7-12, B-33
described 7-12, B-33
parameters (table) B-34
Service MSSQL engine
described B-35
MSSQL protocol B-35
parameters (table) B-35
Service NTP engine
described B-35
parameters (table) B-35
Service P2P engine
described B-35, B-36
service packs described 18-3
service role A-28
Service RPC engine
described 7-18, B-36
parameters (table) 7-18, B-36
RPC portmapper 7-18, B-36
Service SMB Advanced engine
described B-37
parameters (table) B-38
Service SNMP engine
described B-39
parameters (table) B-40
Service SSH engine
described B-40
parameters (table) B-40
Service TNS engine
described B-41
parameters (table) B-41
session command 17-4, 17-9
AIM-IPS 17-4
AIP-SSM 17-6
IDSM-2 17-7
NME-IPS 17-9
sessioning
AIM-IPS 17-4
AIP-SSM 17-6
IDSM-2 17-7
NME-IPS 17-9
setting
current KB 15-21
system clock 3-15
setting up
sensors 3-1
terminal servers 17-2, 19-13
setup
automatic 16-1
simplified mode 16-1
setup command 3-1, 16-1, 16-3, 16-7, 16-12, 16-15, 16-20, 16-24
show events command C-89, C-90
show health command C-71
show interfaces command C-88
show module 1 details command C-66
show settings command 14-11, C-15
show statistics command C-78
show statistics virtual-sensor command C-23, C-78
show tech-support command
described C-72
output C-73
show version command C-75, C-76
Shut Down Sensor pane
configuring 14-24
described 14-24
user roles 14-24
shutting down the sensor 14-24
sig0 pane
default 5-3
described 5-3
field descriptions 5-6
signatures
assigning actions 5-16
cloning 5-14
disabling 5-12
enabling 5-12
retiring 5-12
tuning 5-15
tabs 5-3
signature/virus update files described 18-4
signature definition policies
adding 5-2
cloning 5-2
default policy 5-2
deleting 5-2
sig0 5-2
Signature Definitions pane
described 5-2
field descriptions 5-2
signature engines
AIC B-10
Atomic B-12
Atomic ARP B-13
Atomic IP 7-14, B-13
Atomic IPv6 B-14
creating custom signatures 7-1
described B-1
event actions B-7
Fixed B-15
Flood B-18
Flood Host B-19
Flood Net B-19
list B-2
Master B-3
Meta 5-21, B-19
Multi String B-20
Normalizer B-22
Regex
patterns B-9
syntax B-8
Service B-24
Service DNS B-25
Service FTP B-26
Service Generic B-27
Service H225 B-28
Service HTTP 7-15, B-31
Service IDENT B-33
Service MSRPC 7-12, B-33
Service MSSQL B-35
Service NTP B-35
Service P2P B-35, B-36
Service RPC 7-18, B-36
Service SMB Advanced B-37
Service SNMP B-39
Service SSH B-40
Service TNS B-41
State 7-19, B-42
String 7-20, 7-23, B-44
supported by IDM 7-2
Sweep 7-24, B-47
Sweep Other TCP B-49
Traffic Anomaly B-50
Traffic ICMP B-52
Trojan B-52
signature engine update files described 18-5
Signature Event Action Filter
described 8-6, A-26
parameters 8-6, A-26
Signature Event Action Handler described 8-6, A-26
Signature Event Action Override described 8-6, A-26
Signature Event Action Processor
alarm channel 8-6, A-26
components 8-6, A-26
described 8-6, A-23, A-26
illustration 8-6, A-26
logical flow of events 8-6, A-26
signature fidelity rating
calculating risk rating 6-5, 8-3
described 6-5, 8-3
signatures
adding 5-12
alert frequency 5-19
assigning actions 5-16
cloning 5-14
custom 5-5
default 5-4
described 5-4
disabling 5-12
editing 5-15
enabling 5-12
false positives 5-4
no TCP reset C-50
rate limits 11-4
retiring 5-12
subsignatures 5-4
tuned 5-4
tuning 5-15
signature update installation time 14-18
signature variables
adding 5-25
deleting 5-25
described 5-24
editing 5-25
Signature Variables tab
configuring 5-25
field descriptions 5-24
Signature Wizard
alert behavior 7-25
supported signature engines 7-2
SNMP
configuring 12-3
described 12-1
Get 12-1
GetNext 12-1
Set 12-1
supported MIBs 12-6, C-19
Trap 12-1
SNMP General Configuration pane
configuring 12-3
described 12-2
field descriptions 12-2
user roles 12-2
SNMP traps
configuring 12-5
described 12-1
SNMP Traps Configuration pane
button functions 12-4
configuring 12-5
described 12-4
field descriptions 12-4
software architecture
ARC (illustration) A-12
IDAPI (illustration) A-30
RDEP2 (illustration) A-31
software bypass
supported configurations 4-10
with hardware bypass 4-10
software downloads Cisco.com 18-1
software file names
recovery (illustration) 18-6
signature/virus updates (illustration) 18-5
signature engine updates (illustration) 18-5
system image (illustration) 18-6
software release examples
platform-dependent 18-7
platform identifiers 18-7
platform-independent 18-6
software updates
supported FTP servers 14-17, 19-2
supported HTTP/HTTPS servers 14-17, 19-2
SPAN port issues C-30
SSH
security 10-1
understanding 10-1
SSH Server
private keys A-21
public keys A-21
standards
CIDEE A-33
IDIOM A-32
SDEE A-33
Startup Wizard
access list 2-3
adding virtual sensors 2-12
Add Virtual Sensor dialog box 2-12
described 2-1
Inline Interface Pair window
described 2-8
field descriptions 2-9
Inline VLAN Pairs window
configuring 2-10
described 2-9
Interface Selection window 2-8
Interface Summary window 2-6
Sensor Setup window
configuring 2-4
described 2-2
field descriptions 2-2
Traffic Inspection Mode window 2-8
Virtual Sensors window
described 2-11
field descriptions 2-11
State engine
Cisco Login 7-19, B-42
described 7-19, B-42
LPR Format String 7-19, B-42
parameters (table) B-43
SMTP 7-19, B-42
statistics display 15-30
Statistics pane
button functions 15-30, 15-31
categories 15-30
described 15-30
using 15-30
String engine described 7-20, 7-23, B-44
String ICMP engine parameters (table) B-45
String TCP engine
custom signature 7-21
example signature 7-21
parameters (table) B-45
String UDP engine parameters (table) B-46
subinterface 0 described 4-13
subsignatures described 5-4
summarization
described 6-6, 8-5
Fire All 6-7, 8-5
Fire Once 6-7, 8-5
Global Summarization 6-7, 8-5
Meta engine 6-6, 8-5
Summary 6-7, 8-5
Summarizer described 6-27, 8-29
Summary pane
button functions 4-14
described 4-14
field descriptions 2-7, 4-14
supported
configurations (IDSM-2) C-60
FTP servers 14-17, 19-2
HTTP/HTTPS servers 14-17, 19-2
IPS interfaces (CSA MC) 13-3
platforms (IDM) 1-3
Sweep engine
described 7-24, B-47
parameters (table) B-48, B-49
Sweep Other TCP engine described B-49
switch commands for troubleshooting C-60
system architecture
directory structure A-34
supported platforms A-1
system clock setting 3-15
System Configuration Dialog
described 16-2
example 16-2
system design (illustration) A-2
system image
installing
AIM-IPS 19-21
AIP-SSM 19-25
IDSM-2 (Catalyst software) 19-27
IDSM-2 (Cisco IOS software) 19-28
IPS-4240 19-14
IPS-4255 19-14
IPS-4260 19-17
IPS 4270-20 19-19
NME-IPS 19-38
system information display 15-31
System Information pane
described 15-30
using 15-31
system requirements for IDM 1-3
T
TAC
service account 3-17, A-29, C-5
show tech-support command C-72
target value rating
adding 6-17, 8-19
calculating risk rating 6-5, 8-3
configuring 6-17, 8-19
deleting 6-17, 8-19
described 6-5, 6-16, 8-3, 8-18
editing 6-17, 8-19
Target Value Rating tab
configuring 6-17, 8-19
field descriptions 6-16, 8-18
TCP fragmentation described B-22
TCP Protocol tab
described 9-15, 9-22, 9-29
enabling TCP 9-15
external zone 9-29
field descriptions 9-15
illegal zone 9-22
TCP reset interfaces
conditions 4-7
described 4-6
list 4-7
TCP resets
IDSM-2 port C-65
not occurring C-50
TCP stream reassembly
described 5-41
mode 5-46
parameters (table) 5-41
signatures (table) 5-41
terminal server setup 17-2, 19-13
testing fail-over 4-10
TFN2K
described B-52
Trojans B-52
TFTP servers
maximum file size limitation 19-13
RTT 19-13
threat rating described 6-6, 8-4
Thresholds for KB Name window
described 15-17
field descriptions 15-18
filtering information 15-17
time
correction on the sensor 3-11, C-18
sensor 3-6
Time pane
configuring 3-10
described 3-6
field descriptions 3-9
user roles 3-6
time sources
AIM-IPS 3-7, C-16
AIP-SSM C-17
appliances 3-7, C-16
IDSM-2 3-7, C-16
NME-IPS 3-7, C-16
time synchronization and IPS modules 3-8, C-17
TLS
handshaking 1-6, 10-8
IDM 1-5, 10-8
understanding 3-3
Traffic Anomaly engine
described B-50
protocols B-50
signatures B-50
traffic flow notifications
configuring 4-27
described 4-26
Traffic Flow Notifications pane
configuring 4-27
field descriptions 4-26
Traffic ICMP engine
DDoS B-52
described B-52
LOKI B-52
parameters (table) B-52
TFN2K B-52
Traffic Inspection Mode window described 2-8
trial license key 1-8, 14-12
Tribe Flood Network. See TFN.
Tribe Flood Network 2000. See TFN2K.
Trojan engine
BO2K B-52
described B-52
TFN2K B-52
Trojans
BO B-52
BO2K B-52
LOKI B-52
TFN2K B-52
troubleshooting C-1
AIP-SSM
commands C-66
debugging C-67
failover scenarios C-68
recovering C-67
reset C-66
Analysis Engine busy C-56
applying software updates C-53
ARC
blocking not occurring for signature C-42
device access issues C-39
enabling SSH C-42
inactive state C-38
misconfigured MBS C-43
verifying device interfaces C-41
automatic updates C-53
cannot access sensor C-24
cidDump C-93
cidLog messages to syslog C-49
communication C-24
corrupted SensorApp configuration C-35
debug logger zone names (table) C-49
debug logging C-45
disaster recovery C-6
duplicate sensor IP addresses C-27
enabling debug logging C-45
external product interfaces 13-10, C-22
gathering information C-71
IDM cannot access sensor C-56
IDM will not load C-55
IDSM-2
command and control port C-63
diagnosing problems C-59
not online C-62, C-63
serial cable C-65
status indicator C-61
switch commands C-60
IME and time synchronization problems C-58
IPS modules time drift 3-8, C-17
manual block to bogus host C-42
misconfigured access list C-26
no alerts C-32, C-57
NTP C-50
password recovery 14-11, C-15
physical connectivity issues C-30
preventive maintenance C-2
reset not occurring for a signature C-50
sensing process not running C-28
sensor events C-89
sensor loose connections C-22
sensor not seeing packets C-33
sensor software upgrade C-54
service account 3-17, C-5
show events command C-89
show interfaces command C-88
show statistics command C-78
show tech-support command C-72, C-73
show version command C-75
software upgrades C-52
SPAN port issue C-30
upgrading from 5.x to 6.0 C-52
verifying ARC status C-37
Trusted Hosts pane
configuring 10-10
described 10-9
field descriptions 10-10
tuned signatures described 5-4
tuning
AIC signatures 5-36
IP fragment reassembly signatures 5-40
signatures 5-15
turning off anomaly detection 9-35
U
UDP Protocol tab
described 9-16, 9-23, 9-30
enabling UDP 9-16
external zone 9-30
field descriptions 9-30
illegal zone 9-23
unassigned VLAN groups described 4-13
unauthenticated NTP 3-6, 3-13, C-16
understanding
SSH 10-1
time on the sensor C-16
UNIX-style directory listings 14-17
Update Sensor pane
configuring 14-21
described 14-21
field descriptions 14-21
user roles 14-21
updating
Cisco.com 14-21
FTP server 14-21
Home pane 1-2
sensors 14-21
upgrade command 19-3, 19-5
upgrading
from 5.x to 6.0 18-8, C-52
maintenance partition
IDSM-2 (Catalyst software) 19-37
IDSM-2 (Cisco IOS software) 19-37
minimum required version 18-8
recovery partition 19-5, 19-11
uploading KBs
FTP 15-24
SCP 15-24
Upload Knowledge Base to Sensor dialog box
described 15-24
field descriptions 15-24
URLs for Cisco Security Intelligence Operations 18-9
Users pane
button functions 3-16
configuring 3-18
field descriptions 3-16
user roles A-28
using
debug logging C-45
TCP reset interfaces 4-7
V
VACLs
described 11-3
Post-Block 11-21
Pre-Block 11-21
verifying
password recovery 14-11, C-15
sensor initialization 16-27
sensor setup 16-27
viewing
IP logs 15-14
statistics 15-30
system information 15-31
virtual sensors
adding 2-12, 6-10
default virtual sensor 6-2, 6-7
deleting 6-10
described 6-2, 6-7
editing 6-10
stream segregation 6-3
Virtual Sensors window described 2-11
VLAN groups
802.1q encapsulation 4-13
configuration restrictions 4-9
configuring 4-23
deploying 4-22
described 4-13
switches 4-22
VLAN Groups pane
configuring 4-23
described 4-22
field descriptions 4-23
VLAN IDs 4-22
VLAN Pairs pane
configuring 4-21
described 4-19
field descriptions 4-20
vulnerable OSes field
described B-6
W
watch list rating
calculating risk rating 6-5, 8-3
described 6-5, 8-3
Web Server
described A-3, A-22
HTTP 1.0 and 1.1 support A-22
private keys A-21
public keys A-21
RDEP2 support A-22
worm attacks and histograms 9-12, 15-16
worms
Blaster 9-2
Code Red 9-2
described 9-2
Nimda 9-2
protocols 9-2
Sasser 9-2
scanners 9-2
Slammer 9-2
SQL Slammer 9-2
Z
zones
external 9-4
illegal 9-4
internal 9-4