Cisco Systems IPS4510K9 User Manual

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Text Part Number: OL-29168-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2 © 2013 Cisco Systems, Inc. All rights reserved.
CONTENTS

Preface
  Audience
  Organization
  Conventions
  Related Documentation
  Obtaining Documentation and Submitting a Service Request

Logging In to the Sensor
  Logging In Notes and Caveats
  Supported User Roles
  Logging In to the Appliance
  Connecting an Appliance to a Terminal Server
  Logging In to the ASA 5500-X IPS SSP
  Logging In to the ASA 5585-X IPS SSP

CHAPTER 1  Introducing the CLI Configuration Guide
  Supported IPS Platforms
  IPS CLI Configuration Guide
  Sensor Configuration Sequence
  User Roles
  CLI Behavior
    Command Line Editing
    IPS Command Modes
    Regular Expression Syntax
    Generic CLI Commands
    CLI Keywords

CHAPTER 2  Initializing the Sensor
  Initializing Notes and Caveats
  Understanding Initialization
  Simplified Setup Mode
  System Configuration Dialog
  Basic Sensor Setup
  Advanced Setup
    Advanced Setup for the Appliance
    Advanced Setup for the ASA 5500-X IPS SSP
    Advanced Setup for the ASA 5585-X IPS SSP
  Verifying Initialization

CHAPTER 3  Setting Up the Sensor
  Setup Notes and Caveats
  Understanding Sensor Setup
  Changing Network Settings
    Changing the Hostname
    Changing the IP Address, Netmask, and Gateway
    Enabling and Disabling Telnet
    Changing the Access List
    Changing the FTP Timeout
    Adding a Login Banner
    Configuring the DNS and Proxy Servers for Global Correlation and Automatic Update
    Enabling SSHv1 Fallback
  Changing the CLI Session Timeout
  Changing Web Server Settings
  Configuring Authentication and User Parameters
    Adding and Removing Users
    Configuring Authentication
    Configuring Packet Command Restriction
    Creating the Service Account
    The Service Account and RADIUS Authentication
    RADIUS Authentication Functionality and Limitations
    Configuring Passwords
    Changing User Privilege Levels
    Showing User Status
    Configuring the Password Policy
    Locking User Accounts
    Unlocking User Accounts
  Configuring Time
    Time Sources and the Sensor
    Synchronizing IPS Module System Clocks with the Parent Device System Clock
    Correcting Time on the Sensor
    Configuring Time on the Sensor
      Displaying the System Clock
      Manually Setting the System Clock
      Configuring Recurring Summertime Settings
      Configuring Nonrecurring Summertime Settings
      Configuring Time Zones Settings
    Configuring NTP
      Configuring a Cisco Router to be an NTP Server
      Configuring the Sensor to Use an NTP Time Source
  Configuring SSH
    Understanding SSH
    Adding Hosts to the SSH Known Hosts List
    Adding Authorized RSA1 and RSA2 Keys
    Generating the RSA Server Host Key
  Configuring TLS
    Understanding TLS
    Adding TLS Trusted Hosts
    Displaying and Generating the Server Certificate
  Installing the License Key
    Understanding the License Key
    Service Programs for IPS Products
    Obtaining and Installing the License Key
    Licensing the ASA 5500-X IPS SSP
    Uninstalling the License Key

CHAPTER 4  Configuring Interfaces
  Interface Notes and Caveats
  Understanding Interfaces
    IPS Interfaces
    Command and Control Interface
    Sensing Interfaces
    TCP Reset Interfaces
    Understanding Alternate TCP Reset Interfaces
    Designating the Alternate TCP Reset Interface
    Interface Support
    Interface Configuration Restrictions
    Interface Configuration Sequence
  Configuring Physical Interfaces
  Configuring Promiscuous Mode
    Understanding Promiscuous Mode
    Configuring Promiscuous Mode
    IPv6, Switches, and Lack of VACL Capture
  Configuring Inline Interface Mode
    Understanding Inline Interface Mode
    Configuring Inline Interface Pairs
  Configuring Inline VLAN Pair Mode
    Understanding Inline VLAN Pair Mode
    Configuring Inline VLAN Pairs
  Configuring VLAN Group Mode
    Understanding VLAN Group Mode
    Deploying VLAN Groups
    Configuring VLAN Groups
  Configuring Inline Bypass Mode
    Understanding Inline Bypass Mode
    Configuring Inline Bypass Mode
  Configuring Interface Notifications
  Configuring CDP Mode
  Displaying Interface Statistics
  Displaying Interface Traffic History

CHAPTER 5  Configuring Virtual Sensors
  Virtual Sensor Notes and Caveats
  Understanding the Analysis Engine
  Understanding Virtual Sensors
  Advantages and Restrictions of Virtualization
  Inline TCP Session Tracking Mode
  Normalization and Inline TCP Evasion Protection Mode
  HTTP Advanced Decoding
  Adding, Editing, and Deleting Virtual Sensors
    Adding Virtual Sensors
    Editing and Deleting Virtual Sensors
  Configuring Global Variables

CHAPTER 7  Defining Signatures
  Signature Definition Notes and Caveats
  Understanding Policies
  Working With Signature Definition Policies
  Understanding Signatures
  Configuring Signature Variables
    Understanding Signature Variables
    Creating Signature Variables
  Configuring Signatures
    Signature Definition Options
    Configuring Alert Frequency
    Configuring Alert Severity
    Configuring the Event Counter
    Configuring Signature Fidelity Rating
    Configuring the Status of Signatures
    Configuring the Vulnerable OSes for a Signature
    Assigning Actions to Signatures
    Configuring AIC Signatures
      Understanding the AIC Engine
      AIC Engine and Sensor Performance
      Configuring the Application Policy
      AIC Request Method Signatures
      AIC MIME Define Content Type Signatures
      AIC Transfer Encoding Signatures
      AIC FTP Commands Signatures
      Creating an AIC Signature
    Configuring IP Fragment Reassembly
      Understanding IP Fragment Reassembly
      IP Fragment Reassembly Signatures and Configurable Parameters
      Configuring IP Fragment Reassembly Parameters
      Configuring the Method for IP Fragment Reassembly
    Configuring TCP Stream Reassembly
      Understanding TCP Stream Reassembly
      TCP Stream Reassembly Signatures and Configurable Parameters
      Configuring TCP Stream Reassembly Signatures
      Configuring the Mode for TCP Stream Reassembly
    Configuring IP Logging
  Creating Custom Signatures
    Sequence for Creating a Custom Signature
    Example String TCP Engine Signature
    Example Service HTTP Engine Signature
    Example Meta Engine Signature
    Example IPv6 Engine Signature
    Example String XL TCP Engine Match Offset Signature
    Example String XL TCP Engine Minimum Match Length Signature

CHAPTER 8  Configuring Event Action Rules
  Event Action Rules Notes and Caveats
  Understanding Security Policies
  Understanding Event Action Rules
    Signature Event Action Processor
    Event Actions
    Event Action Rules Configuration Sequence
  Working With Event Action Rules Policies
  Event Action Variables
    Understanding Event Action Variables
    Adding, Editing, and Deleting Event Action Variables
  Configuring Target Value Ratings
    Calculating the Risk Rating
    Understanding Threat Rating
    Adding, Editing, and Deleting Target Value Ratings
  Configuring Event Action Overrides
    Understanding Event Action Overrides
    Adding, Editing, Enabling, and Disabling Event Action Overrides
  Configuring Event Action Filters
    Understanding Event Action Filters
    Configuring Event Action Filters
  Configuring OS Identifications
    Understanding Passive OS Fingerprinting
    Passive OS Fingerprinting Configuration Considerations
    Adding, Editing, Deleting, and Moving Configured OS Maps
    Displaying and Clearing OS Identifications
  Configuring General Settings
    Understanding Event Action Summarization
    Understanding Event Action Aggregation
    Configuring the General Settings
  Configuring the Denied Attackers List
    Adding a Deny Attacker Entry to the Denied Attackers List
    Monitoring and Clearing the Denied Attackers List
  Monitoring Events
    Displaying Events
    Clearing Events from Event Store

CHAPTER 9  Configuring Anomaly Detection
  Anomaly Detection Notes and Caveats
  Understanding Security Policies
  Understanding Anomaly Detection
    Understanding Worms
    Anomaly Detection Modes
    Anomaly Detection Zones
    Anomaly Detection Configuration Sequence
    Anomaly Detection Signatures
  Enabling Anomaly Detection
  Working With Anomaly Detection Policies
  Configuring Anomaly Detection Operational Settings
  Configuring the Internal Zone
    Understanding the Internal Zone
    Configuring the Internal Zone
    Configuring TCP Protocol for the Internal Zone
    Configuring UDP Protocol for the Internal Zone
    Configuring Other Protocols for the Internal Zone
  Configuring the Illegal Zone
    Understanding the Illegal Zone
    Configuring the Illegal Zone
    Configuring TCP Protocol for the Illegal Zone
    Configuring UDP Protocol for the Illegal Zone
    Configuring Other Protocols for the Illegal Zone
  Configuring the External Zone
    Understanding the External Zone
    Configuring the External Zone
    Configuring TCP Protocol for the External Zone
    Configuring UDP Protocol for the External Zone
    Configuring Other Protocols for the External Zone
  Configuring Learning Accept Mode
    The KB and Histograms
    Configuring Learning Accept Mode
  Working With KB Files
    Displaying KB Files
    Saving and Loading KBs Manually
    Copying, Renaming, and Erasing KBs
    Displaying the Differences Between Two KBs
    Displaying the Thresholds for a KB
  Displaying Anomaly Detection Statistics
  Disabling Anomaly Detection

CHAPTER 10  Configuring Global Correlation
  Global Correlation Notes and Caveats
  Understanding Global Correlation
  Participating in the SensorBase Network
    Understanding Reputation
    Understanding Network Participation
    Understanding Efficacy
  Understanding Reputation and Risk Rating
  Global Correlation Features and Goals
  Global Correlation Requirements
  Understanding Global Correlation Sensor Health Metrics
  Configuring Global Correlation Inspection and Reputation Filtering
    Understanding Global Correlation Inspection and Reputation Filtering
    Configuring Global Correlation Inspection and Reputation Filtering
  Configuring Network Participation
  Troubleshooting Global Correlation
  Disabling Global Correlation
  Displaying Global Correlation Statistics

CHAPTER 11  Configuring External Product Interfaces
  External Product Interface Notes and Caveats
  Understanding External Product Interfaces
  Understanding the CSA MC
  External Product Interface Issues
  Configuring the CSA MC to Support the IPS Interface
  Adding External Product Interfaces and Posture ACLs
  Troubleshooting External Product Interfaces

CHAPTER 12  Configuring IP Logging
  IP Logging Notes and Caveats
  Understanding IP Logging
  Configuring Automatic IP Logging
  Configuring Manual IP Logging for a Specific IP Address
  Displaying the Contents of IP Logs
  Stopping Active IP Logs
  Copying IP Log Files to Be Viewed

CHAPTER 13  Displaying and Capturing Live Traffic on an Interface
  Packet Display And Capture Notes and Caveats
  Understanding Packet Display and Capture
  Displaying Live Traffic on an Interface
  Capturing Live Traffic on an Interface
  Copying the Packet File
  Erasing the Packet File

CHAPTER 14  Configuring Attack Response Controller for Blocking and Rate Limiting
  Blocking Notes and Caveats
  Understanding Blocking
  Understanding Rate Limiting
  Understanding Service Policies for Rate Limiting
  Before Configuring ARC
  Supported Devices
  Configuring Blocking Properties
    Allowing the Sensor to Block Itself
    Disabling Blocking
    Specifying Maximum Block Entries
    Specifying the Block Time
    Enabling ACL Logging
    Enabling Writing to NVRAM
    Logging All Blocking Events and Errors
    Configuring the Maximum Number of Blocking Interfaces
    Configuring Addresses Never to Block
  Configuring User Profiles
  Configuring Blocking and Rate Limiting Devices
    How the Sensor Manages Devices
    Configuring the Sensor to Manage Cisco Routers
      Routers and ACLs
      Configuring the Sensor to Manage Cisco Routers
    Configuring the Sensor to Manage Catalyst 6500 Series Switches and Cisco 7600 Series Routers
      Switches and VACLs
      Configuring the Sensor to Manage Catalyst 6500 Series Switches and Cisco 7600 Series Routers
    Configuring the Sensor to Manage Cisco Firewalls
  Configuring the Sensor to be a Master Blocking Sensor
  Configuring Host Blocking
  Configuring Network Blocking
  Configuring Connection Blocking
  Obtaining a List of Blocked Hosts and Connections

CHAPTER 15  Configuring SNMP
  SNMP Notes and Caveats
  Understanding SNMP
  Configuring SNMP
  Configuring SNMP Traps
  Supported MIBS

CHAPTER 16  Working With Configuration Files
  Displaying the Current Configuration
  Displaying the Current Submode Configuration
  Filtering the Current Configuration Output
  Filtering the Current Submode Configuration Output
  Displaying the Contents of a Logical File
  Backing Up and Restoring the Configuration File Using a Remote Server
  Creating and Using a Backup Configuration File
  Erasing the Configuration File

CHAPTER 17  Administrative Tasks for the Sensor
  Administrative Notes and Caveats
  Recovering the Password
    Understanding Password Recovery
    Recovering the Password for the Appliance
      Using the GRUB Menu
      Using ROMMON
    Recovering the Password for the ASA 5500-X IPS SSP
    Recovering the Password for the ASA 5585-X IPS SSP
    Disabling Password Recovery
    Verifying the State of Password Recovery
    Troubleshooting Password Recovery
  Clearing the Sensor Databases
  Displaying the Inspection Load of the Sensor
  Configuring Health Status Information
  Showing Sensor Overall Health Status
  Creating a Banner Login
  Terminating CLI Sessions
  Modifying Terminal Properties
  Configuring Events
    Displaying Events
    Clearing Events from the Event Store
  Configuring the System Clock
    Displaying the System Clock
    Manually Setting the System Clock
  Clearing the Denied Attackers List
  Displaying Policy Lists
  Displaying Statistics
  Displaying Tech Support Information
  Displaying Version Information
  Diagnosing Network Connectivity
  Resetting the Appliance
  Displaying Command History
  Displaying Hardware Inventory
  Tracing the Route of an IP Packet
  Displaying Submode Settings

CHAPTER 18  Configuring the ASA 5500-X IPS SSP
  Notes and Caveats for ASA 5500-X IPS SSP
  Configuration Sequence for the ASA 5500-X IPS SSP
  Verifying Initialization for the ASA 5500-X IPS SSP
  Creating Virtual Sensors for the ASA 5500-X IPS SSP
    The ASA 5500-X IPS SSP and Virtualization
    Virtual Sensor Configuration Sequence for ASA 5500-X IPS SSP
    Creating Virtual Sensors
    Assigning Virtual Sensors to Adaptive Security Appliance Contexts
  The ASA 5500-X IPS SSP and Bypass Mode
  The ASA 5500-X IPS SSP and the Normalizer Engine
  The ASA 5500-X IPS SSP and Jumbo Packets
  The ASA 5500-X IPS SSP and Memory Usage
  Reloading, Shutting Down, Resetting, and Recovering the ASA 5500-X IPS SSP
  Health and Status Information
  ASA 5500-X IPS SSP Failover Scenarios
  New and Modified Commands

CHAPTER 19  Configuring the ASA 5585-X IPS SSP
  ASA 5585-X IPS SSP Notes and Caveats
  Configuration Sequence for the ASA 5585-X IPS SSP
  Verifying Initialization for the ASA 5585-X IPS SSP
  Creating Virtual Sensors for the ASA 5585-X IPS SSP
    The ASA 5585-X IPS SSP and Virtualization
    The ASA 5585-X IPS SSP Virtual Sensor Configuration Sequence
    Creating Virtual Sensors
    Assigning Virtual Sensors to Adaptive Security Appliance Contexts
  The ASA 5585-X IPS SSP and the Normalizer Engine
  The ASA 5585-X IPS SSP and Bypass Mode
  ASA 5585-X IPS SSP and Jumbo Packets
  Reloading, Shutting Down, Resetting, and Recovering the ASA 5585-X IPS SSP
  Health and Status Information
  Traffic Flow Stopped on IPS Switchports
  Failover Scenarios

CHAPTER 20  Obtaining Software
  IPS 7.2 File List
  Obtaining Cisco IPS Software
  IPS Software Versioning
  IPS Software Release Examples
  Accessing IPS Documentation
  Cisco Security Intelligence Operations

CHAPTER 21  Upgrading, Downgrading, and Installing System Images
  Upgrade Notes and Caveats
  Upgrades, Downgrades, and System Images
  Supported FTP and HTTP/HTTPS Servers
  Upgrading the Sensor
    IPS 7.2(1)E4 Files
    Upgrade Notes and Caveats
    Manually Upgrading the Sensor
    Working With Upgrade Files
    Upgrading the Recovery Partition
  Configuring Automatic Upgrades
    Configuring Automatic Updates
    Applying an Immediate Update
  Downgrading the Sensor
  Recovering the Application Partition
  Installing System Images
    ROMMON
    TFTP Servers
    Connecting an Appliance to a Terminal Server
    Installing the System Image for the IPS 4345 and IPS 4360
    Installing the System Image for the IPS 4510 and IPS 4520
    Installing the System Image for the ASA 5500-X IPS SSP
    Installing the System Image for the ASA 5585-X IPS SSP
      Installing the ASA 5585-X IPS SSP System Image Using the hw-module Command
      Installing the ASA 5585-X IPS SSP System Image Using ROMMON

APPENDIX A  System Architecture
  Understanding the IPS System Architecture
    IPS System Design
    System Applications
    Security Features
  MainApp
    Understanding the MainApp
    MainApp Responsibilities
    Event Store
      Understanding the Event Store
      Event Data Structures
      IPS Events
    NotificationApp
    CtlTransSource
    Attack Response Controller
      Understanding the ARC
      ARC Features
      Supported Blocking Devices
      ACLs and VACLs
      Maintaining State Across Restarts
      Connection-Based and Unconditional Blocking
      Blocking with Cisco Firewalls
      Blocking with Catalyst Switches
    Logger
    AuthenticationApp
      Understanding the AuthenticationApp
      Authenticating Users
      Configuring Authentication on the Sensor
      Managing TLS and SSH Trust Relationships
    Web Server
  SensorApp
    Understanding the SensorApp
    Inline, Normalization, and Event Risk Rating Features
    SensorApp New Features
    Packet Flow
    Signature Event Action Processor
  CollaborationApp
    Understanding the CollaborationApp
    Update Components
    Error Events
  SwitchApp
  CLI
    User Roles
    Service Account
  Communications
    IDAPI
    IDIOM
    IDCONF
    SDEE
    CIDEE
  Cisco IPS File Structure
  Summary of Cisco IPS Applications

APPENDIX B  Signature Engines
  Understanding Signature Engines
  Master Engine
    General Parameters
    Alert Frequency
    Event Actions
  Regular Expression Syntax
  AIC Engine
    Understanding the AIC Engine
    AIC Engine and Sensor Performance
    AIC Engine Parameters
  Atomic Engine
    Atomic ARP Engine
    Atomic IP Advanced Engine
    Atomic IP Engine
    Atomic IPv6 Engine
  Fixed Engine
  Flood Engine
  Meta Engine
  Multi String Engine
  Normalizer Engine
  Service Engines
    Understanding the Service Engines
    Service DNS Engine
    Service FTP Engine
    Service Generic Engine
    Service H225 Engine
    Service HTTP Engine
    Service IDENT Engine
    Service MSRPC Engine
    Service MSSQL Engine
    Service NTP Engine
    Service P2P Engine
    Service RPC Engine
    Service SMB Advanced Engine
    Service SNMP Engine
    Service SSH Engine
    Service TNS Engine
  State Engine
  String Engines
  String XL Engines
  Sweep Engines
    Sweep Engine
    Sweep Other TCP Engine
  Traffic Anomaly Engine
  Traffic ICMP Engine
  Trojan Engines

APPENDIX C  Troubleshooting
  Bug Toolkit
  Preventive Maintenance
    Understanding Preventive Maintenance
    Creating and Using a Backup Configuration File
    Backing Up and Restoring the Configuration File Using a Remote Server
    Creating the Service Account
  Disaster Recovery
  Password Recovery
    Understanding Password Recovery
    Recovering the Password for the Appliance
      Using the GRUB Menu
      Using ROMMON
    Recovering the Password for the ASA 5500-X IPS SSP
    Recovering the Password for the ASA 5585-X IPS SSP
    Disabling Password Recovery
    Verifying the State of Password Recovery
    Troubleshooting Password Recovery
  Time Sources and the Sensor
    Time Sources and the Sensor
    Synchronizing IPS Clocks with Parent Device Clocks
    Verifying the Sensor is Synchronized with the NTP Server
    Correcting Time on the Sensor
  Advantages and Restrictions of Virtualization
  Supported MIBs
  Troubleshooting Global Correlation
  When to Disable Anomaly Detection
  Analysis Engine Not Responding
  Troubleshooting External Product Interfaces
    External Product Interfaces Issues
    External Product Interfaces Troubleshooting Tips
  Troubleshooting the Appliance
    Troubleshooting Loose Connections
    The Analysis Engine is Busy
    Communication Problems
      Cannot Access the Sensor CLI Through Telnet or SSH
      Correcting a Misconfigured Access List
      Duplicate IP Address Shuts Interface Down
    The SensorApp and Alerting
      The SensorApp is Not Running
      Physical Connectivity, SPAN, or VACL Port Issue
      Unable to See Alerts
      Sensor Not Seeing Packets
      Cleaning Up a Corrupted SensorApp Configuration
    Blocking
      Troubleshooting Blocking
      Verifying the ARC is Running
      Verifying ARC Connections are Active
      Device Access Issues
      Verifying the Interfaces and Directions on the Network Device
      Enabling SSH Connections to the Network Device
      Blocking Not Occurring for a Signature
      Verifying the Master Blocking Sensor Configuration
    Logging
      Enabling Debug Logging
      Zone Names
      Directing cidLog Messages to SysLog
    TCP Reset Not Occurring for a Signature
    Software Upgrades
      Upgrading Error
      Which Updates to Apply and Their Prerequisites
      Issues With Automatic Update
      Updating a Sensor with the Update Stored on the Sensor
  Troubleshooting the IDM
    Cannot Launch the IDM - Loading Java Applet Failed
    Cannot Launch the IDM - The Analysis Engine Busy
    The IDM, Remote Manager, or Sensing Interfaces Cannot Access Sensor
    Signatures Not Producing Alerts
  Troubleshooting the IME
    Time Synchronization on IME and the Sensor
    Not Supported Error Message
  Troubleshooting the ASA 5500-X IPS SSP
    Health and Status Information
    Failover Scenarios
    The ASA 5500-X IPS SSP and the Normalizer Engine
    The ASA 5500-X IPS SSP and Memory Usage
    The ASA 5500-X IPS SSP and Jumbo Packets
  Troubleshooting the ASA 5585-X IPS SSP
    Health and Status Information
    Failover Scenarios
    Traffic Flow Stopped on IPS Switchports
    The ASA 5585-X IPS SSP and the Normalizer Engine
    The ASA 5585-X IPS SSP and Jumbo Packets
  Gathering Information
    Health and Network Security Information
    Tech Support Information
      Understanding the show tech-support Command
      Displaying Tech Support Information
      Tech Support Command Output
    Version Information
      Understanding the show version Command
      Displaying Version Information
    Statistics Information
      Understanding the show statistics Command
      Displaying Statistics
    Interfaces Information
      Understanding the show interfaces Command
      Interfaces Command Output
      Displaying Interface Traffic History
    Events Information
      Sensor Events
      Understanding the show events Command
      Displaying Events
      Clearing Events
    cidDump Script
    Uploading and Accessing Files on the Cisco FTP Site

APPENDIX D  CLI Error Messages
  CLI Error Messages
  CLI Validation Error Messages

GLOSSARY

INDEX

Preface

Published: April 29, 2013, OL-29168-01

This document describes how to configure the sensor using the Cisco IPS 7.2 CLI. It contains the following sections:

  Audience, page xxiii
  Organization, page xxiii
  Related Documentation, page xxv
  Obtaining Documentation and Submitting a Service Request, page xxvi

Audience

This guide is intended for administrators who need to do the following:

  Configure the sensor for intrusion prevention using the CLI.
  Secure their network with IPS sensors.
  Prevent intrusion on their networks and monitor subsequent alerts.

Organization

This guide includes the following sections:

Chapter  Section Title                                                               Description
-------  --------------------------------------------------------------------------  -----------------------------------------------------------------------------------------------------------------------
1        "Introducing the CLI Configuration Guide"                                   Describes the purpose of the CLI Configuration Guide.
2        "Logging In to the Sensor"                                                  Describes how to log in to the various sensors.
3        "Initializing the Sensor"                                                   Describes how to use the setup command to initialize sensors.
4        "Setting Up the Sensor"                                                     Describes how to use the CLI to configure initial settings on the sensor.
5        "Configuring Interfaces"                                                    Describes how to configure promiscuous, inline, inline VLAN pair, and VLAN group interfaces.
6        "Configuring Virtual Sensors"                                               Describes how to configure virtual sensors.
7        "Configuring Event Action Rules"                                            Describes how to configure event action rules policies on the sensor.
8        "Defining Signatures"                                                       Describes how to add, clone, and edit signatures.
9        "Configuring Anomaly Detection"                                             Describes how to configure anomaly detection policies on the sensor.
10       "Configuring Global Correlation"                                            Describes how to configure global correlation features on the sensor.
11       "Configuring External Product Interfaces"                                   Describes how to configure external product interfaces for CSA MC.
12       "Configuring IP Logging"                                                    Describes how to configure IP logging on the sensor.
13       "Displaying and Capturing Live Traffic on an Interface"                     Describes how to display and capture live traffic on sensor interfaces.
14       "Configuring Attack Response Controller for Blocking and Rate Limiting"     Describes how to configure blocking and rate limiting on Cisco routers and switches, and how to configure a master blocking sensor.
15       "Configuring SNMP"                                                          Describes how to configure SNMP on the sensor.
16       "Working With Configuration Files"                                          Describes how to use configuration files on the sensor.
17       "Administrative Tasks for the Sensor"                                       Describes various administrative procedures to help you keep your sensor working and up to date.
18       "Configuring the ASA 5500-X IPS SSP"                                        Describes how to configure the ASA 5500-X IPS SSP.
19       "Configuring the ASA 5585-X IPS SSP"                                        Describes how to configure the ASA 5585-X IPS SSP.
20       "Obtaining Software"                                                        Describes where to go to get the latest IPS software and describes the naming conventions.
21       "Upgrading, Downgrading, and Installing System Images"                      Describes how to upgrade sensors and reimage the various sensors.
A        "System Architecture"                                                       Describes the IPS system architecture.
B        "Signature Engines"                                                         Describes the IPS signature engines and their parameters.
C        "Troubleshooting"                                                           Contains troubleshooting tips for IPS hardware and software.
D        "CLI Error Messages"                                                        Lists the CLI error messages.
E        "Open Source License Files Used In Cisco IPS 7.2"                           Lists the open source license files used by the IPS.
         "Glossary"                                                                  Contains IPS acronyms and terms.

Conventions

This document uses the following conventions:
Convention Indication
bold font Commands and keywords and user-entered text appear in bold font.
italic font Document titles, new or emphasized terms, and arguments for which you supply values are in italic font.
[ ] Elements in square brackets are optional.
{x | y | z} Required alternative keywords are grouped in braces and separated by vertical bars.
[x | y | z] Optional alternative keywords are grouped in brackets and separated by vertical bars.
string A nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks.
courier font Terminal sessions and information the system displays appear in courier font.
< > Nonprinting characters such as passwords are in angle brackets.
[ ] Default responses to system prompts are in square brackets.
!, # An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.

Note Means reader take note.
Tip Means the following information will help you solve a problem.
Caution Means reader be careful. In this situation, you might perform an action that could result in equipment damage or loss of data.
Timesaver Means the described action saves time. You can save time by performing the action described in the paragraph.
Warning Means reader be warned. In this situation, you might perform an action that could result in bodily injury.

Related Documentation

For a complete list of the Cisco IPS 7.2 documentation and where to find it, refer to the following URL:
http://www.cisco.com/en/US/docs/security/ips/7.2/roadmap/roadmap7_2.html
For a complete list of the Cisco ASA 5500 series documentation and where to find it, refer to the following URL:
http://www.cisco.com/en/US/docs/security/asa/roadmap/asaroadmap.html

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.

Chapter ii
Logging In to the Sensor

This chapter explains how to log in to the sensor. It contains the following sections:
Logging In Notes and Caveats, page ii-1
Supported User Roles, page ii-1
Logging In to the Appliance, page ii-2
Connecting an Appliance to a Terminal Server, page ii-3
Logging In to the ASA 5500-X IPS SSP, page ii-4
Logging In to the ASA 5585-X IPS SSP, page ii-5
Logging In to the Sensor, page ii-6

Logging In Notes and Caveats

The following notes and caveats apply to logging in to the sensor:
All IPS platforms allow ten concurrent login sessions.
The service role is a special role that allows you to bypass the CLI if needed. Only a user with administrator privileges can edit the service account.
You must initialize the appliance (run the setup command) from the console. After networking is configured, SSH and Telnet are available; Telnet sends credentials in cleartext, so use SSH for remote administration. You can log in to the appliance from a console port.
You log in to the ASA 5500-X IPS SSP and ASA 5585-X IPS SSP from the adaptive security appliance.

Supported User Roles

You can log in with the following user privileges:
Administrator
Operator
Viewer
Service

The service role does not have direct access to the CLI. Service account users are logged directly into a bash shell. Use this account for support and troubleshooting purposes only. Unauthorized modifications are not supported and will require the sensor to be reimaged to guarantee proper operation. You can create only one user with the service role.
When you log in to the service account, you receive the following warning:
******************************** WARNING *****************************************
UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
This account is intended to be used for support and troubleshooting purposes only. Unauthorized modifications are not supported and will require this device to be re-imaged to guarantee proper operation.
**********************************************************************************
Note The service role is a special role that allows you to bypass the CLI if needed. Only a user with administrator privileges can edit the service account.
For More Information
For the procedure for creating the service account, see Creating the Service Account, page 3-28.
For the procedures for adding and deleting users, see Configuring Authentication and User Parameters, page 3-18.
Logging In to the Appliance

You can log in to the appliance from a console port. The currently supported Cisco IPS appliances are the IPS 4345, IPS 4360, IPS 4510, and IPS 4520.
To log in to the appliance, follow these steps:
Step 1 Connect a console port to the sensor to log in to the appliance.
Step 2 Enter your username and password at the login prompt.
Note The default username and password are both cisco. You are prompted to change them the first time you log in to the appliance. You must first enter the UNIX password, which is cisco, and then enter the new password twice.
login: cisco
Password:
***NOTICE*** This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at: http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to export@cisco.com.
***LICENSE NOTICE*** There is no license key installed on the system. Please go to http://www.cisco.com/go/license to obtain a new license or install a license.
sensor#
For More Information
For the procedure for connecting an appliance to a terminal server, see Connecting an Appliance to a Terminal Server, page ii-3.
For the procedure for using the setup command to initialize the appliance, see Basic Sensor Setup, page 2-4.
Connecting an Appliance to a Terminal Server

A terminal server is a router with multiple, low speed, asynchronous ports that are connected to other serial devices. You can use terminal servers to remotely manage network equipment, including appliances. To set up a Cisco terminal server with RJ-45 or hydra cable assembly connections, follow these steps:
Step 1 Connect to a terminal server using one of the following methods:
For terminal servers with RJ-45 connections, connect a rollover cable from the console port on the appliance to a port on the terminal server.
For hydra cable assemblies, connect a straight-through patch cable from the console port on the appliance to a port on the terminal server.
Step 2 Configure the line and port on the terminal server. In enable mode, enter the following configuration, where # is the line number of the port to be configured.
config t
line #
 login
 transport input all
 stopbits 1
 flowcontrol hardware
 speed 9600
exit
exit
wr mem
The login keyword enables password checking on the line, so a line password (or an AAA login method) must also be configured for the connection to be accepted. transport input all accepts every inbound protocol the terminal server supports, including Telnet; where the terminal server is reachable from untrusted networks, restrict the line to SSH.
Step 3 Be sure to properly close a terminal session to avoid unauthorized access to the appliance.
Caution If a terminal session is not stopped properly, that is, if it does not receive an exit(0) signal from the application that initiated the session, the terminal session can remain open. When terminal sessions are not stopped properly, authentication is not performed on the next session that is opened on the serial port. Always exit your session and return to a login prompt before terminating the application used to establish the connection.
Caution If a connection is dropped or terminated by accident, you should reestablish the connection and exit normally to prevent unauthorized access to the appliance.
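The terminal-server line configuration above is the point at which the appliance console becomes reachable over the network, so it is worth auditing before it goes into service. The following Python script is an added example and is not part of the Cisco guide or of the IPS software: it parses a constructed IOS-style running-config (line 1 reproduces the configuration given above; lines 2 and 3 are assumed variants written for this example) and flags async lines that have no login command, a login keyword with no line password or AAA method list, or a transport input other than ssh or none. The sample config, the finding texts and the hardening choices are assumptions of this example, not statements from the guide.

```python
"""Audit terminal-server line configuration for weak console-access settings.

Added example, not from the Cisco IPS guide. Parses a constructed
IOS-style running-config and reports per-line findings.
"""
import re
from dataclasses import dataclass, field

# Constructed sample. Line 1 is the configuration from the guide;
# line 2 is an assumed hardened variant; line 3 is an assumed weak variant.
SAMPLE_CONFIG = """\
!
line 1
 login
 transport input all
 stopbits 1
 flowcontrol hardware
 speed 9600
!
line 2
 password 7 REDACTED
 login
 transport input ssh
 stopbits 1
 flowcontrol hardware
 speed 9600
!
line 3
 transport input telnet
 speed 9600
!
end
"""

# Inbound transports that do not expose the console over a cleartext protocol.
SAFE_TRANSPORTS = {"ssh", "none"}


@dataclass
class LineBlock:
    name: str                      # text after "line ", e.g. "1" or "1 16"
    commands: list = field(default_factory=list)


def parse_line_blocks(config: str) -> list[LineBlock]:
    """Return every 'line ...' block with its indented sub-commands."""
    blocks, current = [], None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = LineBlock(raw[5:].strip())
            blocks.append(current)
        elif raw.startswith(" ") and current is not None:
            current.commands.append(raw.strip())
        else:
            current = None         # '!' or a top-level command ends the block
    return blocks


def audit_line(block: LineBlock) -> list[str]:
    """Flag settings on one line that weaken console access control."""
    cmds = block.commands
    findings = []
    # "login", "login local", "login authentication <list>" all enable checking.
    login_cmds = [c for c in cmds if c == "login" or c.startswith("login ")]
    has_password = any(c.startswith("password ") for c in cmds)
    if not login_cmds:
        findings.append("no login command: line is unauthenticated")
    elif "login" in login_cmds and not has_password:
        findings.append("login without a line password: no credential to check")
    for c in cmds:
        m = re.match(r"transport input (.+)", c)
        if m and m.group(1) not in SAFE_TRANSPORTS:
            findings.append(f"transport input {m.group(1)}: allows non-SSH inbound protocols")
    return findings


def audit_config(config: str) -> dict[str, list[str]]:
    """Map each line block name to its list of findings (empty list means OK)."""
    return {b.name: audit_line(b) for b in parse_line_blocks(config)}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"line {name}: {'OK' if not findings else '; '.join(findings)}")
```

Run it against a saved show running-config from the terminal server instead of SAMPLE_CONFIG; any line that fronts an appliance console should come back with an empty finding list.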
Logging In to the ASA 5500-X IPS SSP

You log in to the ASA 5500-X IPS SSP from the adaptive security appliance.
To session in to the ASA 5500-X IPS SSP from the adaptive security appliance, follow these steps:
Step 1 Log in to the adaptive security appliance.
Note If the adaptive security appliance is operating in multi-mode, use the change system command to get to the system level prompt before continuing.
Step 2 Session to the IPS. You have 60 seconds to log in before the session times out.
asa# session ips
Opening command session with slot 1.
Connected to slot 1.
Escape character sequence is 'CTRL-^X'.
Step 3 Enter your username and password at the login prompt.
Note The default username and password are both cisco. You are prompted to change them the first time you log in to the module. You must first enter the UNIX password, which is cisco, and then enter the new password twice.
login: cisco
Password:
***NOTICE*** This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at: http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to export@cisco.com.