Cisco IPS 7.1 User Manual

Cisco Intrusion Prevention System CLI Configuration Guide for IPS 7.1

Americas Headquarters
Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000
800 553-NETS (6387)
Text Part Number: OL-19892-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
Cisco Intrusion Prevention System CLI Configuration Guide for IPS 7.1 © 2011-2013 Cisco Systems, Inc. All rights reserved.

CONTENTS

Preface xxxi
Contents xxxi
Audience xxxi
Organization xxxii
Conventions xxxiii
Related Documentation xxxiv
Obtaining Documentation, Using the Cisco Bug Search Tool, and Submitting a Service Request xxxv
CHAPTER 1 Getting Started 1-1
Introducing the IME 1-1
Advisory 1-2
Participating in the SensorBase Network 1-2
IME Home Pane 1-3
System Requirements 1-4
IME Demo Mode 1-7
Installing the IME and Migrating Data In to the IME 1-8
Creating and Changing the IME Password 1-9
Recovering the IME Password 1-10
Configuring General Options 1-11
Configuring the Data Archive 1-12
Configuring Email Setup 1-14
Configuring Email Notification 1-15
Configuring Reports 1-17
Installation Error 1-20
OL-19891-01
CHAPTER 2 Configuring Device Lists 2-1
Device List Pane 2-1
Device List Pane Field Definitions 2-2
Add and Edit Device List Dialog Boxes Field Definitions 2-3
Adding, Editing, and Deleting Devices 2-4
Cisco Intrusion Prevention System Manager Express Configuration Guide for IPS 7.1
Starting, Stopping, and Displaying Device, Event, Health, and Global Correlation Connection Status 2-5
Using Tools for Devices 2-6
CHAPTER 3 Configuring Dashboards 3-1
Understanding Dashboards 3-1
Adding and Deleting Dashboards 3-1
IME Gadgets 3-2
Sensor Information Gadget 3-2
Sensor Health Gadget 3-3
Licensing Gadget 3-5
Interface Status Gadget 3-5
Global Correlation Reports Gadget 3-6
Global Correlation Health Gadget 3-7
Network Security Gadget 3-8
Top Applications Gadget 3-9
Memory & Load Gadget 3-10
RSS Feed Gadget 3-11
Top Attackers Gadget 3-11
Top Victims Gadget 3-12
Top Signatures Gadget 3-13
Attacks Over Time Gadget 3-13
Working With a Single Event for Individual Top Attacker and Victim IP Addresses 3-14
Working With a Single Event for a Top Signature 3-15
Configuring Filters 3-16
Manage Filter Rules Dialog Box Field Definitions 3-18
Add and Edit Filter Dialog Boxes Field Definitions 3-19
CHAPTER 4 Configuring RSS Feeds 4-1
Understanding RSS Feeds 4-1
Configuring RSS Feeds 4-1
CHAPTER 5 Using the Startup Wizard 5-1
Startup Wizard Introduction Window 5-1
Setting up the Sensor 5-2
Sensor Setup Window 5-2
Add and Edit ACL Entry Dialog Boxes 5-3
Configure Summertime Dialog Box 5-4
Configuring Sensor Settings 5-4
Configuring Interfaces 5-7
Interface Summary Window 5-7
Restore Defaults to an Interface Dialog Box 5-8
Traffic Inspection Mode Window 5-8
Interface Selection Window 5-9
Inline Interface Pair Window 5-9
Inline VLAN Pairs Window 5-9
Add and Edit Inline VLAN Pair Entry Dialog Boxes 5-10
Configuring Inline VLAN Pairs 5-10
Configuring Virtual Sensors 5-11
Virtual Sensors Window 5-11
Add Virtual Sensor Dialog Box 5-12
Adding a Virtual Sensor 5-13
Applying Signature Threat Profiles 5-14
Configuring Auto Update 5-16
CHAPTER 6 Setting Up the Sensor 6-1
Understanding Sensor Setup 6-1
Configuring Network Settings 6-1
Network Pane 6-2
Network Pane Field Definitions 6-2
Configuring Network Settings 6-3
Configuring Allowed Hosts/Networks 6-5
Allowed Hosts/Networks Pane 6-5
Allowed Hosts/Network Pane and Add and Edit Allowed Host Dialog Boxes Field Definitions 6-6
Configuring Allowed Hosts and Networks 6-6
Configuring Time 6-7
Time Pane 6-7
Time Pane Field Definitions 6-7
Configure Summertime Dialog Box Field Definitions 6-8
Configuring Time on the Sensor 6-9
Time Sources and the Sensor 6-10
Synchronizing IPS Module System Clocks with Parent Device System Clocks 6-11
Verifying the Sensor is Synchronized with the NTP Server 6-11
Correcting Time on the Sensor 6-12
Configuring NTP 6-12
Configuring a Cisco Router to be an NTP Server 6-13
Configuring the Sensor to Use an NTP Time Source 6-14
Manually Setting the System Clock 6-15
Clearing Events 6-16
Configuring Authentication 6-16
Understanding User Roles 6-17
Understanding the Service Account 6-18
The Service Account and RADIUS Authentication 6-18
RADIUS Authentication Functionality and Limitations 6-19
Authentication Pane 6-19
Authentication Pane Field Definitions 6-20
Add and Edit User Dialog Boxes Field Definitions 6-22
Adding, Editing, Deleting Users, and Creating Accounts 6-22
Locking User Accounts 6-25
Unlocking User Accounts 6-26
CHAPTER 7 Configuring Interfaces 7-1
Sensor Interfaces 7-1
Understanding Interfaces 7-1
Command and Control Interface 7-2
Sensing Interfaces 7-3
Interface Support 7-4
TCP Reset Interfaces 7-8
Understanding Alternate TCP Reset Interfaces 7-8
Designating the Alternate TCP Reset Interface 7-9
Hardware Bypass Mode 7-9
Hardware Bypass Card 7-10
Hardware Bypass Configuration Restrictions 7-10
Interface Configuration Restrictions 7-11
Understanding Interface Modes 7-13
Promiscuous Mode 7-14
IPv6, Switches, and Lack of VACL Capture 7-14
Inline Interface Mode 7-15
Inline VLAN Pair Mode 7-16
VLAN Groups Mode 7-17
Interface Configuration Summary 7-18
Configuring Interfaces 7-18
Interfaces Pane 7-18
Interfaces Pane Field Definitions 7-19
Enabling and Disabling Interfaces 7-20
Edit Interface Dialog Box Field Definitions 7-20
Editing Interfaces 7-21
Configuring Inline Interface Pairs 7-22
Interface Pairs Pane 7-22
Interface Pairs Pane Field Definitions 7-22
Add and Edit Interface Pair Dialog Boxes Field Definitions 7-22
Configuring Inline Interface Pairs 7-23
Configuring Inline VLAN Pairs 7-23
VLAN Pairs Pane 7-23
VLAN Pairs Pane Field Definitions 7-24
Add and Edit VLAN Pair Dialog Boxes Field Definitions 7-24
Configuring Inline VLAN Pairs 7-25
Configuring VLAN Groups 7-25
VLAN Groups Pane 7-26
Deploying VLAN Groups 7-26
VLAN Groups Pane Field Definitions 7-27
Add and Edit VLAN Group Dialog Boxes Field Definitions 7-27
Configuring VLAN Groups 7-27
Configuring Bypass Mode 7-28
Bypass Pane 7-28
Bypass Pane Field Definitions 7-29
Adaptive Security Appliance, ASA 5500 AIP SSM, and Bypass Mode 7-30
Configuring Traffic Flow Notifications 7-30
Configuring CDP Mode 7-31
CHAPTER 8 Configuring Policies 8-1
Understanding Security Policies 8-1
IPS Policies Components 8-1
Understanding Analysis Engine 8-2
Understanding the Virtual Sensor 8-2
Advantages and Restrictions of Virtualization 8-3
Inline TCP Session Tracking Mode 8-3
Understanding Normalizer Mode 8-4
Understanding HTTP Advanced Decoding 8-4
Understanding Event Action Overrides 8-5
Calculating the Risk Rating 8-5
Understanding Threat Rating 8-6
Event Action Summarization 8-7
Event Action Aggregation 8-7
Configuring IPS Policies 8-8
IPS Policies Pane 8-8
IPS Policies Pane Field Definitions 8-9
Add and Edit Virtual Sensor Dialog Boxes Field Definitions 8-10
Add and Edit Event Action Override Dialog Boxes Field Definitions 8-12
Adding, Editing, and Deleting Virtual Sensors 8-13
The ASA 5500 AIP SSM, ASA 5500-X IPS SSP, ASA 5585-X IPS SSP, and Virtual Sensors 8-15
Understanding the ASA IPS Modules and Virtual Sensors 8-15
Configuration Sequence for the ASA IPS Modules 8-15
Creating Virtual Sensors on the ASA 5585-X IPS SSP and ASA IPS Modules 8-16
Assigning Virtual Sensors to Adaptive Security Appliance Contexts 8-18
Configuring Event Action Filters 8-20
Understanding Event Action Filters 8-20
Event Action Filters Tab 8-21
Event Action Filters Tab Field Definitions 8-21
Add and Edit Event Action Filter Dialog Boxes Field Definitions 8-22
Adding, Editing, Deleting, Enabling, Disabling, and Moving Event Action Filters 8-23
Configuring IPv4 Target Value Rating 8-25
IPv4 Target Value Rating Tab 8-26
IPv4 Target Value Rating Tab Field Definitions 8-26
Add and Edit Target Value Rating Dialog Boxes Field Definitions 8-26
Adding, Editing, and Deleting IPv4 Target Value Ratings 8-26
Configuring IPv6 Target Value Rating 8-27
IPv6 Target Value Rating Tab 8-27
IPv6 Target Value Rating Tab Field Definitions 8-27
Add and Edit Target Value Rating Dialog Boxes Field Definitions 8-28
Adding, Editing, and Deleting IPv6 Target Value Ratings 8-28
Configuring OS Identifications 8-29
Understanding Passive OS Fingerprinting 8-30
Configuring Passive OS Fingerprinting 8-31
OS Identifications Tab 8-31
OS Identifications Tab Field Definitions 8-32
Add and Edit Configured OS Map Dialog Boxes Field Definitions 8-32
Adding, Editing, Deleting, and Moving Configured OS Maps 8-33
Configuring Event Variables 8-34
Event Variables Tab 8-34
Event Variables Tab Field Definitions 8-35
Add and Edit Event Variable Dialog Boxes Field Definitions 8-35
Adding, Editing, and Deleting Event Variables 8-36
Configuring Risk Category 8-37
Risk Category Tab 8-37
Risk Category Tab Field Definitions 8-38
Add and Edit Risk Level Dialog Boxes Field Definitions 8-38
Adding, Editing, and Deleting Risk Categories 8-38
Configuring Threat Category 8-39
Configuring General Settings 8-40
General Tab 8-40
General Tab Field Definitions 8-41
Configuring the General Settings 8-41
CHAPTER 9 Configuring Shared Policies and Group Policies 9-1
Configuring Shared Policies 9-1
Understanding Shared Policies 9-1
Add Policy Field Definitions 9-2
Adding and Deleting Shared Policies 9-3
Deploying Shared Policies 9-3
Configuring Policy Groups 9-4
CHAPTER 10 Defining Signatures 10-1
Understanding Security Policies 10-1
Understanding Signatures 10-1
Event Actions 10-2
Signature Engines 10-4
Configuring Signature Definition Policies 10-7
Signature Definitions Pane 10-7
Signature Definitions Pane Field Definitions 10-8
Add and Clone Policy Dialog Boxes Field Definitions 10-8
Adding, Cloning, and Deleting Signature Policies 10-8
sig0 Pane 10-9
MySDN 10-10
Configuring Signatures 10-11
Sig0 Pane Field Definitions 10-11
Add, Clone, and Edit Signatures Dialog Boxes Field Definitions 10-12
Edit Actions Dialog Box Field Definitions 10-14
Enabling, Disabling, and Retiring Signatures 10-17
Adding Signatures 10-17
Cloning Signatures 10-19
Tuning Signatures 10-20
Assigning Actions to Signatures 10-21
Configuring Alert Frequency 10-23
Example Meta Engine Signature 10-25
Example Atomic IP Advanced Engine Signature 10-28
Example String XL TCP Match Offset Signature 10-30
Example String XL TCP Engine Minimum Match Length Signature 10-33
Configuring Signature Variables 10-36
Signature Variables Tab 10-36
Signature Variables Field Definitions 10-36
Adding, Editing, and Deleting Signature Variables 10-37
Configuring Miscellaneous Settings 10-38
Miscellaneous Tab 10-38
Miscellaneous Tab Field Definitions 10-39
Configuring Application Policy Signatures 10-40
Understanding AIC Signatures 10-40
AIC Engine and Sensor Performance 10-41
AIC Request Method Signatures 10-42
AIC MIME Define Content Type Signatures 10-43
AIC Transfer Encoding Signatures 10-46
AIC FTP Commands Signatures 10-46
Configuring Application Policy 10-47
Tuning an AIC Signature 10-48
Configuring IP Fragment Reassembly Signatures 10-49
Understanding IP Fragment Reassembly Signatures 10-49
IP Fragment Reassembly Signatures and Configurable Parameters 10-50
Configuring the IP Fragment Reassembly Mode 10-51
Tuning an IP Fragment Reassembly Signature 10-51
Configuring TCP Stream Reassembly Signatures 10-52
Understanding TCP Stream Reassembly Signatures 10-52
TCP Stream Reassembly Signatures and Configurable Parameters 10-53
Configuring the TCP Stream Reassembly Mode 10-58
Tuning a TCP Stream Reassembly Signature 10-59
Configuring IP Logging 10-60
CHAPTER 11 Using the Custom Signature Wizard 11-1
Understanding the Custom Signature Wizard 11-1
Using a Signature Engine 11-1
Signature Engines Not Supported for the Custom Signature Wizard 11-2
Not Using a Signature Engine 11-4
Creating Custom Signatures 11-4
Custom Signature Wizard Field Definitions 11-9
Welcome Window 11-10
Protocol Type Window 11-10
Signature Identification Window 11-11
Service MSRPC Engine Parameters Window 11-11
ICMP Traffic Type Window 11-12
Inspect Data Window 11-12
UDP Traffic Type Window 11-12
UDP Sweep Type Window 11-12
TCP Traffic Type Window 11-12
Service Type Window 11-13
TCP Sweep Type Window 11-13
Atomic IP Engine Parameters Window 11-13
Example Atomic IP Advanced Engine Signature 11-14
Service HTTP Engine Parameters Window 11-16
Example Service HTTP Engine Signature 11-17
Service RPC Engine Parameters Window 11-19
State Engine Parameters Window 11-20
String ICMP Engine Parameters Window 11-21
String TCP Engine Parameters Window 11-21
Example String TCP Engine Signature 11-22
String UDP Engine Parameters Window 11-24
Sweep Engine Parameters Window 11-24
Alert Response Window 11-26
Alert Behavior Window 11-26
Event Count and Interval Window 11-26
Alert Summarization Window 11-27
Alert Dynamic Response Fire All Window 11-27
Alert Dynamic Response Fire Once Window 11-28
Alert Dynamic Response Summary Window 11-28
Global Summarization Window 11-29
CHAPTER 12 Configuring Event Action Rules 12-1
Understanding Security Policies 12-1
Event Action Rules Components 12-2
Understanding Event Action Rules 12-2
Calculating the Risk Rating 12-2
Understanding Threat Rating 12-4
Understanding Event Action Overrides 12-4
Understanding Event Action Filters 12-4
Event Action Summarization 12-5
Event Action Aggregation 12-5
Signature Event Action Processor 12-6
Event Actions 12-8
Configuring Event Action Rules Policies 12-11
Event Action Rules Pane 12-11
Event Action Rules Pane Field Definitions 12-12
Add and Clone Policy Dialog Boxes Field Definitions 12-12
Adding, Cloning, and Deleting Event Action Rules Policies 12-12
rules0 Pane 12-13
Configuring Event Action Overrides 12-13
Event Action Overrides Tab 12-13
Event Action Overrides Tab Field Definitions 12-13
Add and Edit Event Action Override Dialog Boxes Field Definitions 12-13
Adding, Editing, Deleting, Enabling, and Disabling Event Action Overrides 12-14
Configuring Event Action Filters 12-15
Event Action Filters Tab 12-15
Event Action Filters Tab Field Definitions 12-15
Add and Edit Event Action Filter Dialog Boxes Field Definitions 12-16
Adding, Editing, Deleting, Enabling, Disabling, and Moving Event Action Filters 12-17
Configuring IPv4 Target Value Rating 12-19
IPv4 Target Value Rating Tab 12-20
IPv4 Target Value Rating Tab Field Definitions 12-20
Add and Edit Target Value Rating Dialog Boxes Field Definitions 12-20
Adding, Editing, and Deleting IPv4 Target Value Ratings 12-20
Configuring IPv6 Target Value Rating 12-21
IPv6 Target Value Rating Tab 12-21
IPv6 Target Value Rating Tab Field Definitions 12-21
Add and Edit IPv6 Target Value Rating Dialog Boxes Field Definitions 12-22
Adding, Editing, and Deleting IPv6 Target Value Ratings 12-22
Configuring OS Identifications 12-23
OS Identifications Tab 12-23
Understanding Passive OS Fingerprinting 12-24
Configuring Passive OS Fingerprinting 12-25
OS Identifications Tab Field Definitions 12-25
Add and Edit Configured OS Map Dialog Boxes Field Definitions 12-26
Adding, Editing, Deleting, and Moving Configured OS Maps 12-27
Configuring Event Variables 12-28
Event Variables Tab 12-28
Event Variables Tab Field Definitions 12-29
Add and Edit Event Variable Dialog Boxes Field Definitions 12-29
Adding, Editing, and Deleting Event Variables 12-29
Configuring Risk Category 12-31
Risk Category Tab 12-31
Risk Category Tab Field Definitions 12-31
Add and Edit Risk Level Dialog Boxes Field Definitions 12-31
Adding, Editing, and Deleting Risk Categories 12-32
Configuring Threat Category 12-32
Configuring General Settings 12-33
General Tab 12-33
General Tab Field Definitions 12-34
Configuring the General Settings 12-34
CHAPTER 13 Configuring Anomaly Detection 13-1
Understanding Security Policies 13-1
Anomaly Detection Components 13-2
Understanding Anomaly Detection 13-2
Worms 13-2
Anomaly Detection Modes 13-3
Enabling Anomaly Detection 13-4
Anomaly Detection Zones 13-5
Anomaly Detection Configuration Sequence 13-5
Anomaly Detection Signatures 13-7
Configuring Anomaly Detections Policies 13-9
Anomaly Detections Pane 13-9
Anomaly Detections Pane Field Definitions 13-9
Add and Clone Policy Dialog Boxes Field Definitions 13-9
Adding, Cloning, and Deleting Anomaly Detection Policies 13-10
ad0 Pane 13-10
Configuring Operation Settings 13-11
Operation Settings Tab 13-11
Operation Settings Tab Field Definitions 13-11
Configuring Anomaly Detection Operation Settings 13-11
Configuring Learning Accept Mode 13-12
Learning Accept Mode Tab 13-12
The KB and Histograms 13-12
Learning Accept Mode Tab Field Definitions 13-14
Add and Edit Start Time Dialog Boxes Field Definitions 13-14
Configuring Learning Accept Mode 13-14
Configuring the Internal Zone 13-15
Internal Zone Tab 13-15
General Tab 13-16
TCP Protocol Tab 13-16
Add and Edit Destination Port Dialog Boxes Field Definitions 13-17
Add and Edit Histogram Dialog Boxes Field Definitions 13-17
UDP Protocol Tab 13-17
Other Protocols Tab 13-18
Add and Edit Protocol Number Dialog Boxes Field Definitions 13-18
Configuring the Internal Zone 13-19
Configuring the Illegal Zone 13-22
Illegal Zone Tab 13-22
General Tab 13-23
TCP Protocol Tab 13-23
Add and Edit Destination Port Dialog Boxes Field Definitions 13-23
Add and Edit Histogram Dialog Boxes Field Definitions 13-24
UDP Protocol Tab 13-24
Other Protocols Tab 13-25
Add and Edit Protocol Number Dialog Boxes Field Definitions 13-25
Configuring the Illegal Zone 13-25
Configuring the External Zone 13-29
External Zone Tab 13-29
TCP Protocol Tab 13-29
Add and Edit Destination Port Dialog Boxes Field Definitions 13-30
Add and Edit Histogram Dialog Boxes Field Definitions 13-30
UDP Protocol Tab 13-31
Other Protocols Tab 13-31
Add and Edit Protocol Number Dialog Boxes Field Definitions 13-32
Configuring the External Zone 13-32
Disabling Anomaly Detection 13-35
CHAPTER 14 Configuring Global Correlation 14-1
Understanding Global Correlation 14-1
Participating in the SensorBase Network 14-2
Understanding Reputation 14-2
Understanding Network Participation 14-3
Understanding Efficacy 14-4
Reputation and Risk Rating 14-5
Global Correlation Features and Goals 14-5
Global Correlation Requirements 14-6
Understanding Global Correlation Sensor Health Metrics 14-7
Configuring Global Correlation Inspection and Reputation Filtering 14-7
Inspection/Reputation Pane 14-8
Inspection/Reputation Pane Field Definitions 14-9
Configuring Global Correlation Inspection and Reputation Filtering 14-9
Configuring Network Participation 14-10
Network Participation Pane 14-10
Network Participation Pane Field Definitions 14-10
Configuring Network Participation 14-11
Troubleshooting Global Correlation 14-11
Disabling Global Correlation 14-12
CHAPTER 15 Configuring SSH and Certificates 15-1
Understanding SSH 15-1
Configuring Authorized RSA Keys 15-2
Authorized RSA Keys Pane 15-2
Authorized RSA Keys Pane Field Definitions 15-2
Add and Edit Authorized RSA Key Dialog Boxes Field Definitions 15-3
Defining Authorized RSA Keys 15-3
Configuring Authorized RSA1 Keys 15-4
Authorized RSA1 Keys Pane 15-4
Authorized RSA1 Keys Pane Field Definitions 15-4
Add and Edit Authorized RSA1 Key Dialog Boxes Field Definitions 15-5
Defining Authorized RSA1 Keys 15-5
Configuring Known Host RSA Keys 15-6
Known Host RSA Keys Pane 15-6
Known Host RSA Keys Pane Field Definitions 15-7
Add and Edit Known Host RSA Key Dialog Boxes Field Definitions 15-7
Defining Known RSA Host Keys 15-7
Configuring Known Host RSA1 Keys 15-8
Known Host RSA1 Keys Pane 15-8
Known Host RSA1 Keys Pane Field Definitions 15-9
Add and Edit Known Host RSA1 Key Dialog Boxes Field Definitions 15-9
Defining Known Host RSA1 Keys 15-9
Generating the Sensor Key 15-10
Understanding Certificates 15-11
Configuring Trusted Hosts 15-12
Trusted Hosts Pane 15-13
Trusted Hosts Pane Field Definitions 15-13
Add Trusted Host Dialog Box Field Definitions 15-13
Adding Trusted Hosts 15-13
Adding Trusted Root Certificates 15-14
Trusted Root Certificates Pane 15-14
Trusted Root Certificates Field Definitions 15-15
Add and Update Trusted Root Certificates Dialog Box Field Definitions 15-15
Adding and Updating Trusted Root Certificates 15-15
Generating the Server Certificate 15-16
CHAPTER 16 Configuring Attack Response Controller for Blocking and Rate Limiting 16-1
ARC Components 16-1
Understanding Blocking 16-2
Understanding Rate Limiting 16-4
Understanding Service Policies for Rate Limiting 16-5
Before Configuring the ARC 16-5
Supported Devices 16-5
Configuring Blocking Properties 16-7
Blocking Properties Pane 16-7
Understanding Blocking Properties 16-7
Blocking Properties Pane Field Definitions 16-8
Configuring Blocking Properties 16-9
Add and Edit Never Block Address Dialog Boxes Field Definitions 16-10
Adding, Editing, and Deleting IP Addresses Never to be Blocked 16-11
Configuring Device Login Profiles 16-11
Device Login Profiles Pane 16-12
Device Login Profiles Pane Field Definitions 16-12
Add and Edit Device Login Profile Dialog Boxes Field Definitions 16-12
Configuring Device Login Profiles 16-13
Configuring Blocking Devices 16-14
Blocking Device Pane 16-14
Blocking Devices Pane Field Definitions 16-14
Add and Edit Blocking Device Dialog Boxes Field Definitions 16-15
Adding, Editing, and Deleting Blocking and Rate Limiting Devices 16-15
Configuring Router Blocking Device Interfaces 16-17
Router Blocking Device Interfaces Pane 16-17
Understanding Router Blocking Device Interfaces 16-17
How the Sensor Manages Devices 16-18
Router Blocking Device Interfaces Pane Field Definitions 16-19
Add and Edit Router Blocking Device Interface Dialog Boxes Field Definitions 16-19
Configuring the Router Blocking and Rate Limiting Device Interfaces 16-20
Configuring Cat 6K Blocking Device Interfaces 16-21
Cat 6K Blocking Device Interfaces Pane 16-21
Understanding Cat 6K Blocking Device Interfaces 16-21
Cat 6K Blocking Device Interfaces Pane Field Definitions 16-22
Add and Edit Cat 6K Blocking Device Interface Dialog Boxes Field Definitions 16-22
Configuring Cat 6K Blocking Device Interfaces 16-23
Configuring the Master Blocking Sensor 16-24
Master Blocking Sensor Pane 16-24
Understanding the Master Blocking Sensor 16-24
Master Blocking Sensor Pane Field Definitions 16-25
Add and Edit Master Blocking Sensor Dialog Boxes Field Definitions 16-25
Configuring the Master Blocking Sensor 16-25
CHAPTER 17 Configuring SNMP 17-1
Understanding SNMP 17-1
Configuring General Configuration 17-2
General Configuration Pane 17-2
General Configuration Pane Field Definitions 17-2
Configuring General Parameters 17-3
Configuring SNMP Traps 17-3
Traps Configuration Pane 17-4
Traps Configuration Pane Field Definitions 17-4
Add and Edit SNMP Trap Destination Dialog Boxes Field Definitions 17-5
Configuring SNMP Traps 17-5
Supported MIBs 17-6
CHAPTER 18 Managing Time-Based Actions 18-1
Configuring and Monitoring Denied Attackers 18-1
Denied Attackers Pane 18-1
Denied Attackers Pane Field Definitions 18-2
Monitoring the Denied Attackers List and Adding Denied Attackers 18-2
Configuring Host Blocks 18-3
Host Blocks Pane 18-3
Host Block Pane Field Definitions 18-3
Add Host Block Dialog Box Field Definitions 18-4
Adding, Deleting, and Managing Host Blocks 18-4
Configuring Network Blocks 18-5
Network Blocks Pane 18-6
Network Blocks Pane Field Definitions 18-6
Add Network Block Dialog Box Field Definitions 18-6
Adding, Deleting, and Managing Network Blocks 18-6
Configuring Rate Limits 18-7
Rate Limits Pane 18-7
Rate Limits Pane Field Definitions 18-8
Add Rate Limit Dialog Box Field Definitions 18-8
Adding, Deleting, and Managing Rate Limiting 18-9
Configuring IP Logging 18-10
Understanding IP Logging 18-10
IP Logging Pane 18-11
IP Logging Pane Field Definitions 18-11
Add and Edit IP Logging Dialog Boxes Field Definitions 18-11
Configuring IP Logging 18-12
CHAPTER 19 Configuring External Product Interfaces 19-1
Understanding External Product Interfaces 19-1
Understanding CSA MC 19-1
External Product Interface Issues 19-3
Configuring the CSA MC to Support IPS Interfaces 19-3
Configuring External Product Interfaces 19-4
External Product Interfaces Pane 19-4
External Product Interfaces Pane Field Definitions 19-5
Add and Edit External Product Interface Dialog Boxes Field Definitions 19-6
Add and Edit Posture ACL Dialog Boxes Field Definitions 19-7
Adding, Editing, and Deleting External Product Interfaces and Posture ACLs 19-7
Troubleshooting External Product Interfaces 19-10
CHAPTER 20 Managing the Sensor 20-1
Configuring Passwords 20-1
Passwords Pane 20-1
Passwords Pane Field Definitions 20-2
Configuring Password Requirements 20-2
Configuring Packet Logging 20-3
Recovering the Password 20-4
Understanding Password Recovery 20-4
Recovering the Appliance Password 20-5
Using the GRUB Menu 20-5
Using ROMMON 20-6
Recovering the ASA 5500 AIP SSM Password 20-7
Recovering the ASA 5500-X IPS SSP Password 20-9
Recovering the ASA 5585-X IPS SSP Password 20-11
Disabling Password Recovery 20-13
Troubleshooting Password Recovery 20-14
Verifying the State of Password Recovery 20-14
Configuring Licensing 20-14
Licensing Pane 20-15
Understanding Licensing 20-15
Service Programs for IPS Products 20-16
Licensing Pane Field Definitions 20-16
Obtaining and Installing the License Key 20-17
Obtaining a New License Key for the IPS 4270-20 20-18
Licensing the ASA 5500-X IPS SSP 20-18
Uninstalling the License Key 20-19
Configuring Sensor Health 20-20
Configuring IP Logging Variables 20-21
Configuring Automatic Update 20-22
Auto/Cisco.com Update Pane 20-22
Supported FTP and HTTP Servers 20-23
UNIX-Style Directory Listings 20-23
Signature Updates and Installation Time 20-23
Auto/Cisco.com Update Pane Field Definitions 20-24
Configuring Auto Update 20-25
Manually Updating the Sensor 20-26
Update Sensor Pane 20-26
Update Sensor Pane Field Definitions 20-27
Updating the Sensor 20-27
Restoring Defaults 20-29
Rebooting the Sensor 20-29
Shutting Down the Sensor 20-30
CHAPTER 21 Monitoring the Sensor 21-1
Monitoring Events 21-1
Events Pane 21-1
Events Pane Field Definitions 21-2
Event Viewer Pane Field Definitions 21-3
Configuring Event Display 21-3
Clearing Event Store 21-4
Displaying Inspection Load Statistics 21-4
Displaying Interface Statistics 21-5
Monitoring Anomaly Detection KBs 21-7
Anomaly Detection Pane 21-7
Understanding KBs 21-8
Anomaly Detection Pane Field Definitions 21-8
Showing Thresholds 21-9
Threshold for KB_Name Window 21-9
Thresholds for KB_Name Window Field Definitions 21-10
Monitoring the KB Thresholds 21-10
Comparing KBs 21-11
Compare Knowledge Base Dialog Box 21-11
Differences between knowledge bases KB_Name and KB_Name Window 21-11
Difference Thresholds between knowledge bases KB_Name and KB_Name Window 21-11
Comparing KBs 21-12
Saving the Current KB 21-12
Save Knowledge Base Dialog Box 21-13
Loading a KB 21-13
Saving a KB 21-13
Deleting a KB 21-14
Renaming a KB 21-14
Downloading a KB 21-15
Uploading a KB 21-15
Configuring OS Identifications 21-16
Configuring Learned Operating Systems 21-16
Configuring Imported Operating Systems 21-17
Clearing Flow States 21-18
Clear Flow States Pane 21-18
Clear Flow States Pane Field Definitions 21-19
Clearing Flow States 21-19
Resetting Network Security Health 21-20
Generating a Diagnostics Report 21-20
Viewing Statistics 21-21
Viewing System Information 21-22
CHAPTER 22 Configuring Event Monitoring 22-1
Understanding Event Monitoring 22-1
Group By, Color Rules, Fields, and General Tabs 22-2
Understanding Filters 22-2
Filter Tab and Add Filter Dialog Box Field Definitions 22-3
Working With Event Views 22-4
Working With a Single Event 22-5
Configuring Filters for Event Views 22-6
CHAPTER 23 Configuring and Generating Reports 23-1
Understanding IME Reporting 23-1
Configuring and Generating Reports 23-3
CHAPTER 24 Logging In to the Sensor 24-1
Supported User Roles 24-1
Logging In to the Appliance 24-2
Connecting an Appliance to a Terminal Server 24-3
Logging In to the ASA 5500 AIP SSM 24-4
Logging In to the ASA 5500-X IPS SSP 24-5
Logging In to the ASA 5585-X IPS SSP 24-6
Logging In to the Sensor 24-7
25 Initializing the Sensor 25-1
Understanding Initialization 25-1
Simplified Setup Mode 25-2
System Configuration Dialog 25-2
Basic Sensor Setup 25-4
Advanced Setup 25-7
Appliance Advanced Setup 25-7
ASA 5500 AIP SSM Advanced Setup 25-13
ASA 5500-X IPS SSP Advanced Setup 25-17
ASA 5585-X IPS SSP Advanced Setup 25-20
Verifying Initialization 25-24
26 Obtaining Software 26-1
IPS 7.1 File List 26-1
Obtaining Cisco IPS Software 26-1
IPS Software Versioning 26-3
Software Release Examples 26-5
Accessing IPS Documentation 26-7
Cisco Security Intelligence Operations 26-7
27 Upgrading, Downgrading, and Installing System Images 27-1
Understanding Upgrades, Downgrades, and System Images 27-1
Supported FTP and HTTP/HTTPS Servers 27-2
Upgrading the Sensor 27-2
IPS 7.1 Upgrade Files 27-3
Upgrade Notes and Caveats 27-3
Manually Upgrading the Sensor 27-3
Upgrading the Recovery Partition 27-6
Configuring Automatic Upgrades 27-7
Understanding Automatic Upgrades 27-7
Automatically Upgrading the Sensor 27-7
Downgrading the Sensor 27-10
Recovering the Application Partition 27-11
Installing System Images 27-12
ROMMON 27-13
TFTP Servers 27-13
Connecting an Appliance to a Terminal Server 27-13
Installing the IPS 4240 and IPS 4255 System Image 27-14
Installing the IPS 4260 System Image 27-17
Installing the IPS 4270-20 System Image 27-19
Installing the IPS 4345 and IPS 4360 System Image 27-21
Installing the IPS 4510 and IPS 4520 System Image 27-25
Installing the ASA 5500 AIP SSM System Image 27-27
Installing the ASA 5500-X IPS SSP Image 27-29
Installing the ASA 5585-X IPS SSP System Image 27-31
Installing the ASA 5585-X IPS SSP System Image Using the hw-module Command 27-31
Installing the ASA 5585-X IPS SSP System Image Using ROMMON 27-33
A System Architecture A-1
Purpose of Cisco IPS A-1
System Design A-1
System Applications A-4
User Interaction A-5
Security Features A-5
MainApp A-6
Understanding the MainApp A-6
MainApp Responsibilities A-6
Event Store A-7
Understanding the Event Store A-7
Event Data Structures A-8
IPS Events A-9
NotificationApp A-9
CtlTransSource A-11
Attack Response Controller A-12
Understanding the ARC A-13
ARC Features A-14
Supported Blocking Devices A-15
ACLs and VACLs A-16
Maintaining State Across Restarts A-16
Connection-Based and Unconditional Blocking A-17
Blocking with Cisco Firewalls A-18
Blocking with Catalyst Switches A-19
Logger A-19
InterfaceApp A-20
AuthenticationApp A-20
Understanding the AuthenticationApp A-20
Authenticating Users A-20
Configuring Authentication on the Sensor A-21
Managing TLS and SSH Trust Relationships A-21
Web Server A-23
SensorApp A-23
Understanding the SensorApp A-23
Inline, Normalization, and Event Risk Rating Features A-24
SensorApp New Features A-25
Packet Flow A-26
Signature Event Action Processor A-26
CollaborationApp A-28
Understanding the CollaborationApp A-28
Update Components A-28
Error Events A-29
SwitchApp A-30
CLI A-30
Understanding the CLI A-30
User Roles A-30
Service Account A-31
Communications A-32
IDAPI A-32
IDIOM A-33
IDCONF A-33
SDEE A-34
CIDEE A-34
Cisco IPS File Structure A-35
Summary of Cisco IPS Applications A-36
B Signature Engines B-1
Understanding Signature Engines B-1
Master Engine B-4
General Parameters B-4
Alert Frequency B-7
Event Actions B-8
Regular Expression Syntax B-9
AIC Engine B-10
Understanding the AIC Engine B-10
AIC Engine and Sensor Performance B-11
AIC Engine Parameters B-11
Atomic Engine B-13
Atomic ARP Engine B-13
Atomic IP Advanced Engine B-14
Atomic IP Engine B-24
Atomic IPv6 Engine B-27
Fixed Engine B-28
Flood Engine B-31
Meta Engine B-32
Multi String Engine B-34
Normalizer Engine B-36
Service Engines B-39
Understanding the Service Engines B-39
Service DNS Engine B-39
Service FTP Engine B-41
Service Generic Engine B-42
Service H225 Engine B-43
Service HTTP Engine B-46
Service IDENT Engine B-48
Service MSRPC Engine B-48
Service MSSQL Engine B-50
Service NTP Engine B-51
Service P2P B-52
Service RPC Engine B-52
Service SMB Advanced Engine B-54
Service SNMP Engine B-56
Service SSH Engine B-57
Service TNS Engine B-57
State Engine B-59
String Engines B-61
String XL Engines B-63
Sweep Engines B-66
Sweep Engine B-66
Sweep Other TCP Engine B-69
Traffic Anomaly Engine B-69
Traffic ICMP Engine B-72
Trojan Engines B-72
C Troubleshooting C-1
Cisco Bug Search C-1
Preventive Maintenance C-2
Understanding Preventive Maintenance C-2
Creating and Using a Backup Configuration File C-2
Backing Up and Restoring the Configuration File Using a Remote Server C-3
Creating the Service Account C-5
Disaster Recovery C-6
Password Recovery C-7
Understanding Password Recovery C-7
Recovering the Appliance Password C-8
Using the GRUB Menu C-8
Using ROMMON C-9
Recovering the ASA 5500 AIP SSM Password C-10
Recovering the ASA 5500-X IPS SSP Password C-12
Recovering the ASA 5585-X IPS SSP Password C-14
Disabling Password Recovery C-15
Verifying the State of Password Recovery C-16
Troubleshooting Password Recovery C-17
Time Sources and the Sensor C-17
Time Sources and the Sensor C-17
Synchronizing IPS Module Clocks with Parent Device Clocks C-18
Verifying the Sensor is Synchronized with the NTP Server C-18
Correcting Time on the Sensor C-19
Advantages and Restrictions of Virtualization C-19
Supported MIBs C-20
When to Disable Anomaly Detection C-21
The Analysis Engine is Not Responding C-22
Troubleshooting RADIUS Authentication C-23
Troubleshooting Global Correlation C-23
Troubleshooting External Product Interfaces C-23
External Product Interfaces Issues C-24
External Product Interfaces Troubleshooting Tips C-24
Troubleshooting the Appliance C-25
The Appliance and Jumbo Packet Frame Size C-25
Troubleshooting Loose Connections C-25
The Analysis Engine is Busy C-26
Connecting the IPS 4240 to a Cisco 7200 Series Router C-26
Communication Problems C-27
Cannot Access the Sensor CLI Through Telnet or SSH C-27
Correcting a Misconfigured Access List C-29
Duplicate IP Address Shuts Interface Down C-30
The SensorApp and Alerting C-31
The SensorApp Not Running C-31
Physical Connectivity, SPAN, or VACL Port Issue C-33
Unable to See Alerts C-34
Sensor Not Seeing Packets C-36
Cleaning Up a Corrupted SensorApp Configuration C-37
Blocking C-38
Troubleshooting Blocking C-38
Verifying the ARC is Running C-39
Verifying ARC Connections are Active C-40
Device Access Issues C-42
Verifying the Interfaces and Directions on the Network Device C-43
Enabling SSH Connections to the Network Device C-44
Blocking Not Occurring for a Signature C-45
Verifying the Master Blocking Sensor Configuration C-46
Logging C-47
Understanding Debug Logging C-47
Enabling Debug Logging C-47
Zone Names C-51
Directing cidLog Messages to SysLog C-52
TCP Reset Not Occurring for a Signature C-53
Software Upgrades C-55
Upgrading C-55
Which Updates to Apply and Their Prerequisites C-55
Issues With Automatic Update C-56
Updating a Sensor with the Update Stored on the Sensor C-57
Troubleshooting the IDM C-57
Cannot Launch the IDM - Loading Java Applet Failed C-58
Cannot Launch the IDM - the Analysis Engine Busy C-59
The IDM, Remote Manager, or Sensing Interfaces Cannot Access Sensor C-59
Signatures Not Producing Alerts C-60
Troubleshooting the IME C-60
Time Synchronization on the IME and the Sensor C-61
Not Supported Error Message C-61
Installation Error C-61
Troubleshooting the ASA 5500 AIP SSM C-62
Failover Scenarios C-62
The ASA 5500 AIP SSM and the Data Plane C-63
Health and Status Information C-63
The ASA 5500 AIP SSM and the Normalizer Engine C-65
The ASA 5500 AIP SSM and Jumbo Packet Frame Size C-66
The ASA 5500 AIP SSM and Jumbo Packets C-66
TCP Reset Differences Between IPS Appliances and ASA IPS Modules C-67
IPS Reloading Messages C-67
Troubleshooting the ASA 5500-X IPS SSP C-67
Failover Scenarios C-68
Health and Status Information C-69
The ASA 5500-X IPS SSP and the Normalizer Engine C-70
The ASA 5500-X IPS SSP and Memory Usage C-71
The ASA 5500-X IPS SSP and Jumbo Packet Frame Size C-71
The ASA 5500-X IPS SSP and Jumbo Packets C-72
TCP Reset Differences Between IPS Appliances and ASA IPS Modules C-72
IPS Reloading Messages C-72
IPS Not Loading C-73
Troubleshooting the ASA 5585-X IPS SSP C-73
Failover Scenarios C-73
Traffic Flow Stopped on IPS Switchports C-75
Health and Status Information C-75
The ASA 5585-X IPS SSP and the Normalizer Engine C-78
The ASA 5585-X IPS SSP and Jumbo Packet Frame Size C-79
The ASA 5585-X IPS SSP and Jumbo Packets C-79
TCP Reset Differences Between IPS Appliances and ASA IPS Modules C-79
IPS Reloading Messages C-79
Gathering Information C-80
Understanding Information Gathering C-80
Health and Network Security Information C-80
Tech Support Information C-81
Understanding the show tech-support Command C-81
Displaying Tech Support Information C-82
Tech Support Command Output C-83
Version Information C-85
Understanding the show version Command C-85
Displaying Version Information C-86
Statistics Information C-88
Understanding the show statistics Command C-88
Displaying Statistics C-89
Interfaces Information C-100
Understanding the show interfaces Command C-100
Interfaces Command Output C-101
Events Information C-101
Sensor Events C-102
Understanding the show events Command C-102
Displaying Events C-102
Clearing Events C-105
cidDump Script C-105
Uploading and Accessing Files on the Cisco FTP Site C-106
D Open Source License Files Used In Cisco IPS 7.1 D-1
Contents D-1
bash 3.2 D-2
busybox 1.13.1 D-7
cracklib 2.8.12 D-13
curl 7.18.2 1 D-18
diffutils 2.8.1 D-19
e2fsprogs 1.39 D-23
Expat XML parser 2.0.1 D-28
expect 5.4.3 D-29
freeradius-server 2.1.8 D-29
freeradius-server-src-lib 2.1.8 D-34
glibc 2.9 D-40
gnupg 1.4.5 D-44
hotplug 2004_03_29 D-49
i2c-tools 3.0.2 D-53
ipmiutil 2.3.3 D-58
iptables 1.4.1 D-59
kernel 2.6.29.1 D-63
KVM inter-VM shared memory module D-73
libpcap 0.9.8 D-77
libtecla 1.6.1 D-78
Linux-Pam 1.0.1 D-78
lm_sensors 3.0.2 D-79
module-init-tools 3.2.2 1.0.0.0900084 D-84
Ncurses 5.6 D-88
net-snmp 5.4.1 D-89
NTP 4.2.4p5 D-93
openssh 5.1p1 D-96
openssl 0.9.8j D-102
pciutils 3.0.1 D-105
procps 3.2.7 D-111
sysfsutils 2.1.0 D-115
sysstat 8.1.3 D-116
tcl 8.4.9 D-120
tcpdump 3.9.8 1.0.1.0801182 D-121
tipc 1.7.6-bundle D-121
util-linux 2.12r D-123
zlib 1.2.3 D-124
GLOSSARY
INDEX

Preface

Published: March 31, 2011, OL-19892-01
Revised: October 17, 2014

Contents

This document describes how to configure the sensor using the Cisco IPS 7.1 CLI. It contains the following sections:
Audience, page xxv
Organization, page xxv
Conventions, page xxvii
Related Documentation, page xxviii
Obtaining Documentation, Using the Cisco Bug Search Tool, and Submitting a Service Request, page xxviii

Audience

This guide is intended for administrators who need to do the following:
Configure the sensor for intrusion prevention using the CLI.
Secure their network with IPS sensors.
Prevent intrusion on their networks and monitor subsequent alerts.

Organization

This guide includes the following sections:
Section Title Description
1 “Introducing the CLI Configuration Guide” Describes the purpose of the CLI Configuration Guide.
2 “Logging In to the Sensor” Describes how to log in to the various sensors.
3 “Initializing the Sensor” Describes how to use the setup command to initialize sensors.
4 “Setting Up the Sensor” Describes how to use the CLI to configure initial settings on the sensor.
5 “Configuring Interfaces” Describes how to configure promiscuous, inline, inline VLAN pair, and VLAN group interfaces.
6 “Configuring Virtual Sensors” Describes how to configure virtual sensors.
7 “Configuring Event Action Rules” Describes how to configure event action rules policies on the sensor.
8 “Defining Signatures” Describes how to add, clone, and edit signatures.
9 “Configuring Anomaly Detection” Describes how to configure anomaly detection policies on the sensor.
10 “Configuring Global Correlation” Describes how to configure global correlation features on the sensor.
11 “Configuring External Product Interfaces” Describes how to configure external product interfaces for CSA MC.
12 “Configuring IP Logging” Describes how to configure IP logging on the sensor.
13 “Displaying and Capturing Live Traffic on an Interface” Describes how to display and capture live traffic on sensor interfaces.
14 “Configuring Attack Response Controller for Blocking and Rate Limiting” Describes how to configure blocking and rate limiting on Cisco routers and switches, and how to configure a master blocking sensor.
15 “Configuring SNMP” Describes how to configure SNMP on the sensor.
16 “Working With Configuration Files” Describes how to use configuration files on the sensor.
17 “Administrative Tasks for the Sensor” Describes various administrative procedures to help you keep your sensor working and up to date.
19 “Configuring the ASA 5500 AIP SSM” Describes how to configure the ASA 5500 AIP SSM.
20 “Configuring the ASA 5500-X IPS SSP” Describes how to configure the ASA 5500-X IPS SSP.
21 “Configuring the ASA 5585-X IPS SSP” Describes how to configure the ASA 5585-X IPS SSP.
22 “Obtaining Software” Describes where to go to get the latest IPS software and describes the naming conventions.
23 “Upgrading, Downgrading, and Installing System Images” Describes how to upgrade sensors and reimage the various sensors.
A “System Architecture” Describes the IPS system architecture.
B “Signature Engines” Describes the IPS signature engines and their parameters.
C “Troubleshooting” Contains troubleshooting tips for IPS hardware and software.
D “CLI Error Messages” Lists the CLI error messages.
E “Open Source License Files Used In Cisco IPS 7.1” Lists the open source license files used by the IPS.
“Glossary” Contains IPS acronyms and terms.

Conventions

This document uses the following conventions:
Convention Indication
bold font Commands and keywords and user-entered text appear in bold font.
italic font Document titles, new or emphasized terms, and arguments for which you supply values are in italic font.
[ ] Elements in square brackets are optional.
{x | y | z} Required alternative keywords are grouped in braces and separated by vertical bars.
[x | y | z] Optional alternative keywords are grouped in brackets and separated by vertical bars.
string A nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks.
courier font Terminal sessions and information the system displays appear in courier font.
< > Nonprinting characters such as passwords are in angle brackets.
[ ] Default responses to system prompts are in square brackets.
!, # An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.
Timesaver Means the described action saves time. You can save time by performing the action described in the paragraph.
Note Means reader take note.
Tip Means the following information will help you solve a problem.
Caution Means reader be careful. In this situation, you might perform an action that could result in equipment damage or loss of data.
Warning Means reader be warned. In this situation, you might perform an action that could result in bodily injury.

Related Documentation

For more information on Cisco IPS, refer to the following documentation found at this URL:
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/tsd_products_support_series_home.html
Documentation Roadmap for Cisco Intrusion Prevention System
Release Notes for Cisco Intrusion Prevention System
Cisco Intrusion Prevention System Device Manager Configuration Guide
Cisco Intrusion Prevention System Manager Express Configuration Guide
Cisco Intrusion Prevention System Command Reference
Cisco Intrusion Prevention System Appliance and Module Installation Guide
Installing and Removing Interface Cards in Cisco IPS-4260 and IPS 4270-20
Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4300 Series Appliance Sensor
Regulatory Compliance and Safety Information for the Cisco ASA 5500-X Series Appliances and the Cisco Intrusion Prevention System 4300 Series Appliances
Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4500 Series Sensor Appliance

Obtaining Documentation, Using the Cisco Bug Search Tool, and Submitting a Service Request

For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What’s New in Cisco Product Documentation at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html.
Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and have the content delivered directly to your desktop using a reader application. The RSS feeds are a free service.
CHAPTER 1

Introducing the CLI Configuration Guide

This chapter introduces the IPS CLI configuration guide, and contains the following sections:
Sensor Configuration Sequence, page 1-1
IPS CLI Configuration Guide, page 1-1
User Roles, page 1-3
CLI Behavior, page 1-5
Command Line Editing, page 1-6
IPS Command Modes, page 1-7
Regular Expression Syntax, page 1-8
Generic CLI Commands, page 1-10
CLI Keywords, page 1-10

IPS CLI Configuration Guide

This guide is a task-based configuration guide for the Cisco IPS 7.1 CLI. The term “sensor” is used throughout this guide to refer to all sensor models, unless a procedure refers to a specific appliance or module, in which case the specific model name is used.
For an alphabetical list of all IPS commands, refer to the Command Reference for Cisco Intrusion Prevention System 7.1. For information on locating all IPS 7.1 documents on Cisco.com, refer to the Documentation Roadmap for Cisco Intrusion Prevention System 7.1.
You can also use an IPS manager to configure your sensor. For information on how to access documentation that describes how to use IPS managers, refer to the Documentation Roadmap for Cisco Intrusion Prevention System 7.1.

Sensor Configuration Sequence

Perform the following tasks to configure the sensor:
1. Log in to the sensor.
2. Initialize the sensor by running the setup command.
3. Verify the sensor initialization.
4. Create the service account. A service account is needed for special debug situations directed by TAC. Only one user with the role of service is allowed.
5. License the sensor.
6. Perform the other initial tasks, such as adding users and trusted hosts, and so forth.
7. Make changes to the interface configuration if necessary. You configure the interfaces during initialization.
8. Add or delete virtual sensors as necessary. You configure the virtual sensors during initialization.
9. Configure event action rules.
10. Configure the signatures for intrusion prevention.
11. Configure the sensor for global correlation.
12. Configure anomaly detection if needed. You can run anomaly detection using the default values or you can tailor it to suit your network needs.
Note Anomaly detection is disabled by default in IPS 7.1(2)E4 and later. You must enable it to configure or apply an anomaly detection policy. Enabling anomaly detection results in a decrease in performance.
13. Set up any external product interfaces if needed. The CSA MC is the only external product supported by the Cisco IPS.
14. Configure IP logging if needed.
15. Configure blocking if needed.
16. Configure SNMP if needed.
17. Perform miscellaneous tasks to keep your sensor running smoothly.
18. Upgrade the IPS software with new signature updates and service packs.
19. Reimage the application partition when needed.
For More Information
For the procedure for logging in to your sensor, see Chapter 2, “Logging In to the Sensor.”
For the procedure for using the setup command to initialize your sensor, see Chapter 3, “Initializing the Sensor.”
For the procedure for verifying sensor initialization, see Verifying Initialization, page 3-25.
For the procedure for obtaining and installing the license key, see Installing the License Key, page 4-56.
For the procedures for setting up your sensor, see Chapter 4, “Setting Up the Sensor.”
For the procedure for creating the service account, see Creating the Service Account, page 4-26.
For the procedures for configuring interfaces on your sensor, see Chapter 5, “Configuring Interfaces.”
For the procedures for configuring virtual sensors on your sensor, see Chapter 6, “Configuring Virtual Sensors.”
For the procedures for configuring event action rules policies, see Chapter 7, “Configuring Event Action Rules.”
For the procedures for configuring signatures for intrusion prevention, see Chapter 8, “Defining Signatures.”
For the procedures for configuring global correlation, see Chapter 10, “Configuring Global Correlation.”
For the procedure for configuring anomaly detection policies, see Chapter 9, “Configuring Anomaly Detection.”
For the procedure for setting up external product interfaces, see Chapter 11, “Configuring External Product Interfaces.”
For the procedures for configuring IP logging, see Chapter 12, “Configuring IP Logging.”
For the procedures for configuring blocking on your sensor, see Chapter 14, “Configuring Attack Response Controller for Blocking and Rate Limiting.”
For the procedures for configuring SNMP on your sensor, see Chapter 15, “Configuring SNMP.”
For the administrative procedures, see Chapter 17, “Administrative Tasks for the Sensor.”
For more information on how to obtain Cisco IPS software, see Chapter 21, “Obtaining Software.”
For the procedures for installing system images, see Chapter 22, “Upgrading, Downgrading, and Installing System Images.”
For procedures specific to the ASA 5500 AIP SSM, see Chapter 18, “Configuring the ASA 5500 AIP SSM.”
For the procedures specific to the ASA 5500-X IPS SSP, see Chapter 19, “Configuring the ASA 5500-X IPS SSP.”
For the procedures specific to the ASA 5585-X IPS SSP, see Chapter 20, “Configuring the ASA 5585-X IPS SSP.”

User Roles

The Cisco CLI permits multiple users to log in at the same time. You can create and remove users from the local sensor. You can modify only one user account at a time. Each user is associated with a role that controls what that user can and cannot modify. The CLI supports four user roles: administrator, operator, viewer, and service. The privilege levels for each role are different; therefore, the menus and available commands vary for each role.
Administrator
This user role has the highest level of privileges. Administrators have unrestricted view access and can perform the following functions:
Add users and assign passwords
Enable and disable control of physical interfaces and virtual sensors
Assign physical sensing interfaces to a virtual sensor
Modify the list of hosts allowed to connect to the sensor as a configuring or viewing agent
Modify sensor address configuration
Tune signatures
Assign configuration to a virtual sensor
Manage routers
Operators
This user role has the second highest level of privileges. Operators have unrestricted view access and can perform the following functions:
Modify their passwords
Tune signatures
Manage routers
Assign configuration to a virtual sensor
Viewers
This user role has the lowest level of privileges. Viewers can view configuration and event data and can modify their passwords.
Tip Monitoring applications only require viewer access to the sensor. You can use the CLI to set up a user account with viewer privileges and then configure the event viewer to use this account to connect to the sensor.
Service
This user role does not have direct access to the CLI. Service account users are logged directly into a bash shell. Use this account for support and troubleshooting purposes only. Unauthorized modifications are not supported and require the device to be reimaged to guarantee proper operation. You can create only one user with the service role. In the service account you can also switch to user root by executing su -. The root password is synchronized to the service account password. Some troubleshooting procedures may require you to execute commands as the root user.
When you log in to the service account, you receive the following warning:
******************************* WARNING ***************************************** UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. This account is intended to be used for support and troubleshooting purposes only. Unauthorized modifications are not supported and will require this device to be re-imaged to guarantee proper operation. *********************************************************************************
Note The service role is a special role that allows you to bypass the CLI if needed. Only a user with administrator privileges can edit the service account.
Note For IPS 5.0 and later, you can no longer remove the cisco account. You can disable it using the no password cisco command, but you cannot remove it. To use the no password cisco command, there must be another administrator account on the sensor. Removing the cisco account through the service account is not supported. If you remove the cisco account through the service account, the sensor most likely will not boot up, so to recover the sensor you must reinstall the sensor system image.

CLI Behavior

The following tips help you use the Cisco IPS CLI.
Prompts
You cannot change the prompt displayed for the CLI commands.
User interactive prompts occur when the system displays a question and waits for user input. The default input is displayed inside brackets [ ]. To accept the default input, press Enter.
Help
To display the help for a command, type ? after the command.
The following example demonstrates the ? function:
sensor# configure ?
terminal Configure from the terminal
sensor# configure
Note When the prompt returns from displaying help, the command previously entered is displayed without the ?.
You can type ? after an incomplete token to view the valid tokens that complete the command. If there is a trailing space between the token and the ?, you receive an ambiguous command error:
sensor# show c ?
% Ambiguous command: “show c”
If you enter the token without the space, a selection of available tokens for the completion (with no help description) appears:
sensor# show c?
clock configuration
sensor# show c
Only commands available in the current mode are displayed by help.
Tab Completion
Only commands available in the current mode are displayed by tab complete and help.
If you are unsure of the complete syntax for a command, you can type a portion of the command and press Tab to complete the command.
If multiple commands match for tab completion, nothing is displayed.
Recall
To recall the commands entered in a mode, use the Up Arrow or Down Arrow keys or press Ctrl-P or Ctrl-N.
Note Help and tab complete requests are not reported in the recall list.
A blank prompt indicates the end of the recall list.

Case Sensitivity
The CLI is not case sensitive, but it does echo back the text in the same case you typed it. For example, if you type:
sensor# CONF
and press Tab, the sensor displays:
sensor# CONFigure
Note CLI commands are not case sensitive, but values are case sensitive. Remember this when you are creating regular expressions in signatures. A regular expression of “STRING” will not match “string” seen in a packet.
Display Options
---More--- is an interactive prompt that indicates that the terminal output exceeds the allotted display space. To display the remaining output, press the spacebar to display the next page of output or press Enter to display the output one line at a time.
To clear the current line contents and return to a blank command line, press Ctrl-C.
For More Information
For more information on CLI command regular expression syntax, see Regular Expression Syntax, page 1-8.

Command Line Editing

Table 1-1 describes the command line editing capabilities provided by the Cisco IPS CLI.
Table 1-1 Command Line Editing
Keys Description
Tab Completes a partial command name entry. When you type a unique set of characters and press Tab, the system completes the command name. If you type a set of characters that could indicate more than one command, the system beeps to indicate an error. Type a question mark (?) immediately following the partial command (no space). The system provides a list of commands that begin with that string.
Backspace Erases the character to the left of the cursor.
Enter At the command line, pressing Enter processes a command. At the ---More--- prompt on a terminal screen, pressing Enter scrolls down a line.
Spacebar Enables you to see more output on the terminal screen. Press the Spacebar when you see the line ---More--- on the screen to display the next screen.
Left arrow Moves the cursor one character to the left. When you type a command that extends beyond a single line, you can press the Left Arrow key repeatedly to scroll back toward the system prompt and verify the beginning of the command entry.
Right arrow Moves the cursor one character to the right.
Up Arrow or Ctrl-P Recalls commands in the history buffer, beginning with the most recent command. Repeat the key sequence to recall successively older commands.
Down Arrow or Ctrl-N Returns to more recent commands in the history buffer after recalling commands with the Up Arrow or Ctrl-P. Repeat the key sequence to recall successively more recent commands.
Ctrl-A Moves the cursor to the beginning of the line.
Ctrl-B Moves the cursor back one character.
Ctrl-D Deletes the character at the cursor.
Ctrl-E Moves the cursor to the end of the command line.
Ctrl-F Moves the cursor forward one character.
Ctrl-K Deletes all characters from the cursor to the end of the command line.
Ctrl-L Clears the screen and redisplays the system prompt and command line
Ctrl-T Transposes the character to the left of the cursor with the character located at the cursor.
Ctrl-U Deletes all characters from the cursor to the beginning of the command line.
Ctrl-V Inserts a code to indicate to the system that the keystroke immediately following should
be treated as a command entry, not as an editing key.
Ctrl-W Deletes the word to the left of the cursor.
Ctrl-Y Recalls the most recent entry in the delete buffer. The delete buffer contains the last ten
items you deleted or cut.
Ctrl-Z Ends configuration mode and returns you to the EXEC prompt.
Esc-B Moves the cursor back one word.
Esc-C Capitalizes the word at the cursor.
Esc-D Deletes from the cursor to the end of the word.
Esc-F Moves the cursor forward one word.
Esc-L Changes the word at the cursor to lowercase.
Esc-U Capitalizes from the cursor to the end of the word.

IPS Command Modes
The Cisco IPS CLI has the following command modes:
privileged EXEC—Entered when you log in to the CLI interface.
global configuration—Entered from privileged EXEC mode by entering configure terminal. The command prompt is sensor(config)#.
service mode configuration—Entered from global configuration mode by entering service service-name. The command prompt is sensor(config-ser)#, where ser is the first three characters of the service name.
multi-instance service mode—Entered from global configuration mode by entering service service-name component-instance-name. The command prompt is sensor(config-com)#, where com is the first three characters of the component instance name. The only multi-instance services in the system are anomaly detection, signature definition, and event action rules.

Regular Expression Syntax
Note The syntax in this section applies only to regular expressions used as part of a CLI command. It does not apply to regular expressions used by signatures.
Regular expressions are text patterns that are used for string matching. Regular expressions contain a mix of plain text and special characters to indicate what kind of matching to do. For example, if you are looking for a numeric digit, the regular expression to search for is “[0-9]”. The brackets indicate that the character being compared should match any one of the characters enclosed within the bracket. The dash (-) between 0 and 9 indicates that it is a range from 0 to 9. Therefore, this regular expression will match any character from 0 to 9, that is, any digit.
To search for a specific special character, you must use a backslash before the special character. For example, the single character regular expression “\*” matches a single asterisk.
The regular expressions defined in this section are similar to a subset of the POSIX Extended Regular Expression definitions. In particular, “[..]”, “[==]”, and “[::]” expressions are not supported. Also, escaped expressions representing single characters are supported. A character can be represented as its hexadecimal value, for example, \x61 equals ‘a,’ so \x61 is an escaped expression representing the character ‘a.’
The regular expressions are case sensitive. To match “STRING” or “string” use the following regular expression: “[Ss][Tt][Rr][Ii][Nn][Gg].”
Table 1-2 lists the special characters.
Table 1-2 Regular Expression Syntax
Character Description
^: Beginning of the string. The expression “^A” will match an “A” only at the beginning of the string.
^: Immediately following the left-bracket ([), excludes the remaining characters within brackets from matching the target string. The expression “[^0-9]” indicates that the target character should not be a digit.
$: Matches the end of the string. The expression “abc$” matches the sub-string “abc” only if it is at the end of the string.
|: Allows the expression on either side to match the target string. The expression “a|b” matches “a” as well as “b.”
.: Matches any character.
*: Indicates that the character to the left of the asterisk in the expression should match 0 or more times.
+: Similar to * but there should be at least one match of the character to the left of the + sign in the expression.
?: Matches the character to its left 0 or 1 times.
(): Affects the order of pattern evaluation and also serves as a tagged expression that can be used when replacing the matched sub-string with another expression.
[]: Enclosing a set of characters indicates that any of the enclosed characters may match the target character.
\: Allows specifying a character that would otherwise be interpreted as special. \xHH represents the character whose value is the same as the value represented by the two hexadecimal digits HH [0-9A-Fa-f]. The value must be non-zero. BEL is the same as \x07, BS is \x08, FF is \x0C, LF is \x0A, CR is \x0D, TAB is \x09, and VT is \x0B. For any other character ‘c’, ‘\c’ is the same as ‘c’ except that it is never interpreted as special.
The following examples demonstrate the special characters:
a* matches any number of occurrences of the letter a, including none.
a+ requires that at least one letter a be in the string to be matched.
ba?b matches the string bb or bab.
\** matches any number of asterisks (*).
To use multipliers with multiple-character patterns, you enclose the pattern in parentheses.
(ab)* matches any number of the multiple-character string ab.
([A-Za-z][0-9])+ matches one or more instances of alphanumeric pairs, but not none (that is, an empty string is not a match).
The order for matches using multipliers (*, +, or ?) is to put the longest construct first. Nested constructs are matched from outside to inside. Concatenated constructs are matched beginning at the left side of the construct. Thus, the regular expression ([A-Za-z][0-9])+ matches A9b3, but not 9Ab3, because the letters are specified before the numbers.
You can also use parentheses around a single- or multiple-character pattern to instruct the software to remember a pattern for use elsewhere in the regular expression.
To create a regular expression that recalls a previous pattern, you use parentheses to indicate memory of a specific pattern and a backslash (\) followed by a digit to reuse the remembered pattern. The digit specifies the occurrence of a parentheses in the regular expression pattern. If you have more than one remembered pattern in your regular expression, \1 indicates the first remembered pattern, and \2 indicates the second remembered pattern, and so on.
The following regular expression uses parentheses for recall:
a(.)bc(.)\1\2 matches an a followed by any character, followed by bc followed by any character, followed by the first any character again, followed by the second any character again.
For example, the regular expression can match aZbcTZT. The software remembers that the first character is Z and the second character is T and then uses Z and T again later in the regular expression.
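The subset in Table 1-2 and the examples above, as an added Python translator (my example, not code from the guide or from Cisco) that maps an IPS CLI regular expression onto Python's re module so a pattern can be checked offline before it is used in a CLI command. It assumes that only the constructs the table lists are special and that a pattern without ^ or $ may match anywhere in the target string.

```python
import re
import string

# Added example, not code from the Cisco guide: a translator from the IPS CLI
# regular-expression subset described in Table 1-2 to Python's re module.
# Assumptions (mine, not the guide's): only the constructs in Table 1-2 are
# special, and a pattern without ^ or $ may match anywhere in the target string.

# POSIX bracket forms the guide says are not supported: [..], [==], [::]
_UNSUPPORTED_BRACKETS = ("[.", "[=", "[:")


def ips_regex_to_python(pattern: str) -> str:
    """Translate an IPS CLI regex into an equivalent Python re pattern.

    Raises ValueError for anything outside the documented subset: the POSIX
    bracket forms above, a \\x escape without exactly two hex digits, \\x00
    (the value must be non-zero), and an unterminated [ ... ] set.
    """
    out = []
    i = 0
    n = len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\":
            if i + 1 >= n:
                raise ValueError("pattern ends with a lone backslash")
            nxt = pattern[i + 1]
            if nxt == "x":
                hh = pattern[i + 2:i + 4]
                if len(hh) != 2 or any(h not in string.hexdigits for h in hh):
                    raise ValueError(f"\\x needs two hex digits at offset {i}")
                value = int(hh, 16)
                if value == 0:
                    raise ValueError("\\x00 is not allowed: the value must be non-zero")
                out.append(re.escape(chr(value)))    # \x61 is the character 'a'
                i += 4
            elif nxt.isdigit():
                out.append("\\" + nxt)               # \1, \2 ... recall a tagged () group
                i += 2
            else:
                out.append(re.escape(nxt))           # \c is c, never special (\* is one asterisk)
                i += 2
        elif c == "[":
            j = i + 1
            if j < n and pattern[j] == "^":
                j += 1                               # [^...] excludes the listed characters
            if j < n and pattern[j] == "]":
                j += 1                               # a ] first in the set is literal
            end = pattern.find("]", j)
            if end == -1:
                raise ValueError("unterminated bracket expression")
            body = pattern[i + 1:end]
            for tok in _UNSUPPORTED_BRACKETS:
                if tok in body:
                    raise ValueError(f"{tok}...] bracket expressions are not supported")
            # a backslash inside [] is an ordinary character in this subset
            out.append("[" + body.replace("\\", "\\\\") + "]")
            i = end + 1
        elif c in "^$|.*+?()":
            out.append(c)                            # the special characters of Table 1-2
            i += 1
        else:
            out.append(re.escape(c))                 # everything else, including { }, is literal
            i += 1
    return "".join(out)


def is_valid_ips_regex(pattern: str) -> bool:
    """True if PATTERN stays within the documented subset."""
    try:
        ips_regex_to_python(pattern)
    except ValueError:
        return False
    return True


def ips_match(pattern: str, text: str, whole: bool = False) -> bool:
    """True if TEXT matches the IPS CLI regex PATTERN.

    By default this is a substring search, as the guide's "abc$" example
    implies; whole=True requires the entire string to match, which is how the
    guide's "([A-Za-z][0-9])+ does not match 9Ab3" statement must be read
    (as a substring search the pair b3 inside 9Ab3 would still match).
    """
    compiled = re.compile(ips_regex_to_python(pattern))
    return bool(compiled.fullmatch(text) if whole else compiled.search(text))


if __name__ == "__main__":
    for pat, txt, whole in [("a(.)bc(.)\\1\\2", "aZbcTZT", False),
                            ("([A-Za-z][0-9])+", "A9b3", True),
                            ("([A-Za-z][0-9])+", "9Ab3", True),
                            ("[Ss][Tt][Rr][Ii][Nn][Gg]", "string", False),
                            ("\\x61+", "caaat", False)]:
        print(f"{pat!r} vs {txt!r} (whole={whole}): {ips_match(pat, txt, whole)}")
```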

Generic CLI Commands
The following CLI commands are generic to the Cisco IPS.
configure terminal—Enters global configuration mode. Global configuration commands apply to features that affect the system as a whole rather than just one protocol or interface.
sensor# configure terminal
sensor(config)#
service—Takes you to the following configuration submodes: analysis-engine, anomaly-detection, authentication, event-action-rules, external-product-interfaces, health-monitor, host, interface, logger, network-access, notification, signature-definition, ssh-known-hosts, trusted-certificates, and web-server.
Note The anomaly-detection, event-action-rules, and signature-definition submodes are multiple instance services. One predefined instance is allowed for each. For anomaly-detection, the predefined instance name is ad0. For event-action-rules, the predefined instance name is rules0. For signature-definition, the predefined instance name is sig0. You can create additional instances.
sensor# configure terminal
sensor(config)# service event-action-rules rules0
sensor(config-rul)#
end—Exits configuration mode or any configuration submodes. It takes you back to the top-level EXEC menu.
sensor# configure terminal
sensor(config)# end
sensor#
exit—Exits any configuration mode or closes an active terminal session and terminates the EXEC mode. It takes you to the previous menu session.
sensor# configure terminal
sensor(config)# service event-action-rules rules0
sensor(config-rul)# exit
sensor(config)# exit
sensor#

CLI Keywords

In general, use the no form of a command to disable a feature or function. Use the command without the keyword no to enable a disabled feature or function. For example, the command ssh host-key ip_address adds an entry to the known hosts table, and the command no ssh host-key ip_address removes the entry from the known hosts table. Refer to the individual commands for a complete description of what the no form of that command does.
Service configuration commands can also have a default form. Use the default form of the command to return the command setting to its default. This keyword applies to the service submenu commands used for application configuration. Entering default with the command resets the parameter to the default value. You can only use the default keyword with commands that specify a default value in the configuration files.

CHAPTER 2
Logging In to the Sensor

This chapter explains how to log in to the sensor. It contains the following sections:
Logging In Notes and Caveats, page 2-1
Supported User Roles, page 2-1
Logging In to the Appliance, page 2-2
Connecting an Appliance to a Terminal Server, page 2-3
Logging In to the ASA 5500 AIP SSM, page 2-4
Logging In to the ASA 5500-X IPS SSP, page 2-5
Logging In to the ASA 5585-X IPS SSP, page 2-6
Logging In to the Sensor, page 2-7

Logging In Notes and Caveats

The following notes and caveats apply to logging in to the sensor:
All IPS platforms allow ten concurrent login sessions.
The service role is a special role that allows you to bypass the CLI if needed. Only a user with administrator privileges can edit the service account.
You must initialize the appliance (run the setup command) from the console. After networking is configured, SSH and Telnet are available. You can log in to the appliance from a console port.
You log in to the ASA 5500 AIP SSM, ASA 5500-X IPS SSP, and ASA 5585-X IPS SSP from the adaptive security appliance.

Supported User Roles

You can log in with the following user privileges:
Administrator
Operator
Viewer
Service
The service role does not have direct access to the CLI. Service account users are logged directly into a bash shell. Use this account for support and troubleshooting purposes only. Unauthorized modifications are not supported and will require the sensor to be reimaged to guarantee proper operation. You can create only one user with the service role.
When you log in to the service account, you receive the following warning:
******************************** WARNING *****************************************
UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
This account is intended to be used for support and troubleshooting purposes only. Unauthorized modifications are not supported and will require this device to be re-imaged to guarantee proper operation.
**********************************************************************************
Note The service role is a special role that allows you to bypass the CLI if needed. Only a user with administrator privileges can edit the service account.
For More Information
For the procedure for creating the service account, see Creating the Service Account, page 4-26.
For the procedures for adding and deleting users, see Configuring Authentication and User Parameters, page 4-16.
Logging In to the Appliance
Note You can log in to the appliance from a console port. The currently supported Cisco IPS appliances are the IPS 4240, IPS 4255, and IPS 4260 [IPS 7.1(5) and later], IPS 4270-20 [IPS 7.1(3) and later], IPS 4345 and IPS 4360 [IPS 7.1(3) and later], and IPS 4510 and IPS 4520 [IPS 7.1(4) and later].
To log in to the appliance, follow these steps:
Step 1 Connect a console port to the sensor to log in to the appliance.
Step 2 Enter your username and password at the login prompt.
Note The default username and password are both cisco. You are prompted to change them the first time you log in to the appliance. You must first enter the UNIX password, which is cisco. Then you must enter the new password twice.
login: cisco
Password:
***NOTICE***
This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to export@cisco.com.
***LICENSE NOTICE***
There is no license key installed on the system. Please go to http://www.cisco.com/go/license to obtain a new license or install a license.
sensor#
For More Information
For the procedure for connecting an appliance to a terminal server, see Connecting an Appliance to a Terminal Server, page 2-3.
For the procedure for using the setup command to initialize the appliance, see Basic Sensor Setup, page 3-5.
Connecting an Appliance to a Terminal Server
A terminal server is a router with multiple, low speed, asynchronous ports that are connected to other serial devices. You can use terminal servers to remotely manage network equipment, including appliances. To set up a Cisco terminal server with RJ-45 or hydra cable assembly connections, follow these steps:
Step 1 Connect to a terminal server using one of the following methods:
For terminal servers with RJ-45 connections, connect a rollover cable from the console port on the appliance to a port on the terminal server.
For hydra cable assemblies, connect a straight-through patch cable from the console port on the appliance to a port on the terminal server.
Step 2 Configure the line and port on the terminal server. In enable mode, enter the following configuration, where # is the line number of the port to be configured.
config t
line #
login
transport input all
stopbits 1
flowcontrol hardware
speed 9600
exit
exit
wr mem
Step 3 Be sure to properly close a terminal session to avoid unauthorized access to the appliance. If a terminal session is not stopped properly, that is, if it does not receive an exit(0) signal from the application that initiated the session, the terminal session can remain open. When terminal sessions are not stopped properly, authentication is not performed on the next session that is opened on the serial port.
Caution Always exit your session and return to a login prompt before terminating the application used to establish the connection.
Caution If a connection is dropped or terminated by accident, you should reestablish the connection and exit normally to prevent unauthorized access to the appliance.
Logging In to the ASA 5500 AIP SSM
You log in to the ASA 5500 AIP SSM from the adaptive security appliance.
To session in to the ASA 5500 AIP SSM from the adaptive security appliance, follow these steps:
Step 1 Log in to the adaptive security appliance.
Note If the adaptive security appliance is operating in multi-mode, use the change system command to get to the system level prompt before continuing.
Step 2 Session to the ASA 5500 AIP SSM. You have 60 seconds to log in before the session times out.
asa# session 1
Opening command session with slot 1.
Connected to slot 1.
Escape character sequence is 'CTRL-^X'.
Step 3 Enter your username and password at the login prompt.
Note The default username and password are both cisco. You are prompted to change them the first time you log in to the module. You must first enter the UNIX password, which is cisco. Then you must enter the new password twice.
login: cisco
Password:
***NOTICE***
This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to export@cisco.com.
***LICENSE NOTICE***
There is no license key installed on the system. Please go to http://www.cisco.com/go/license to obtain a new license or install a license.
aip-ssm#
Step 4 To escape from a session and return to the adaptive security appliance prompt, do one of the following:
Enter exit.
Press CTRL-Shift-6-x (represented as CTRL^X).
For More Information
For the procedure for using the setup command to initialize the ASA 5500 AIP SSM, see Advanced Setup for the ASA 5500 AIP SSM, page 3-14.

Logging In to the ASA 5500-X IPS SSP

You log in to the ASA 5500-X IPS SSP from the adaptive security appliance.
To session in to the ASA 5500-X IPS SSP from the adaptive security appliance, follow these steps:
Step 1 Log in to the adaptive security appliance.
Note If the adaptive security appliance is operating in multi-mode, use the change system command to get to the system level prompt before continuing.
Step 2 Session to the IPS. You have 60 seconds to log in before the session times out.
asa# session ips
Opening command session with slot 1.
Connected to slot 1.
Escape character sequence is 'CTRL-^X'.
Step 3 Enter your username and password at the login prompt.
Note The default username and password are both cisco. You are prompted to change them the first time you log in to the module. You must first enter the UNIX password, which is cisco. Then you must enter the new password twice.
login: cisco
Password:
***NOTICE***
This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to export@cisco.com.
***LICENSE NOTICE***
There is no license key installed on this IPS platform. The system will continue to operate with the currently installed signature set. A valid license must be obtained in order to apply signature updates. Please go to http://www.cisco.com/go/license to obtain a new license or install a license.
asa-ips#
Step 4 To escape from a session and return to the adaptive security appliance prompt, do one of the following:
Enter exit.
Press CTRL-Shift-6-x (represented as CTRL^X).
For More Information
For the procedure for using the setup command to initialize the ASA 5500-X IPS SSP, see Advanced Setup for the ASA 5500-X IPS SSP, page 3-18.
Logging In to the ASA 5585-X IPS SSP
You log in to the ASA 5585-X IPS SSP from the adaptive security appliance.
To session in to the ASA 5585-X IPS SSP from the adaptive security appliance, follow these steps:
Step 1 Log in to the adaptive security appliance.
Note If the adaptive security appliance is operating in multi-mode, use the change system command to get to the system level prompt before continuing.
Step 2 Session to the ASA 5585-X IPS SSP. You have 60 seconds to log in before the session times out.
asa# session 1
Opening command session with slot 1.
Connected to slot 1.
Escape character sequence is 'CTRL-^X'.
Step 3 Enter your username and password at the login prompt.
Note The default username and password are both cisco. You are prompted to change them the first time you log in to the module. You must first enter the UNIX password, which is cisco. Then you must enter the new password twice.
login: cisco
Password:
***NOTICE***
This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to export@cisco.com.
***LICENSE NOTICE***
There is no license key installed on the system. Please go to http://www.cisco.com/go/license to obtain a new license or install a license.
ips-ssp#
Step 4 To escape from a session and return to the adaptive security appliance prompt, do one of the following:
Enter exit.
Press CTRL-Shift-6-x (represented as CTRL^X).
For More Information
For the procedure for using the setup command to initialize the ASA 5585-X IPS SSP, see Advanced Setup for the ASA 5585-X IPS SSP, page 3-21.

Logging In to the Sensor

Note After you have initialized the sensor using the setup command and enabled Telnet, you can use SSH or Telnet to log in to the sensor.
To log in to the sensor using Telnet or SSH, follow these steps:
Step 1 Log in to the sensor over the network using SSH or Telnet:
ssh sensor_ip_address
telnet sensor_ip_address
Step 2 Enter your username and password at the login prompt.
login: ******
Password: ******
***NOTICE***
This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to export@cisco.com.
***LICENSE NOTICE***
There is no license key installed on the system. Please go to http://www.cisco.com/go/license to obtain a new license or install a license.
sensor#
CHAPTER 3
Initializing the Sensor

This chapter describes how to use the setup command to initialize the sensor, and contains the following sections:
Initializing Notes and Caveats, page 3-1
Understanding Initialization, page 3-2
Participating in the SensorBase Network, page 3-2
Simplified Setup Mode, page 3-3
System Configuration Dialog, page 3-3
Basic Sensor Setup, page 3-5
Advanced Setup, page 3-8
Verifying Initialization, page 3-25

Initializing Notes and Caveats

The following notes and caveats apply to initializing the sensor:
You must be administrator to use the setup command.
You must have a valid sensor license for global correlation features to function. You can still
configure and display statistics for the global correlation features, but the global correlation databases are cleared and no updates are attempted. Once you install a valid license, the global correlation features are reactivated.
The currently supported Cisco IPS appliances are the IPS 4240, IPS 4255, and IPS 4260 [IPS 7.1(5)
and later], IPS 4270-20 [IPS 7.1(3) and later], IPS 4345 and IPS 4360 [IPS 7.1(3) and later], and IPS 4510 and IPS 4520 [IPS 7.1(4) and later].
You do not need to configure interfaces on the ASA IPS modules (ASA 5500 AIP SSM,
ASA 5500-X IPS SSP, and ASA 5585-X IPS SSP). You should ignore the modify interface default VLAN setting in setup. The separation of traffic across virtual sensors is configured differently for the ASA IPS modules than for other sensors.

Understanding Initialization
After you install the sensor on your network, you must use the setup command to initialize it so that you can communicate with it over the network. You cannot use the IDM or the IME to configure the sensor until you initialize the sensor using the setup command.
With the setup command, you configure basic sensor settings, including the hostname, IP interfaces, access control lists, global correlation servers, and time settings. You can continue using advanced setup in the CLI to enable Telnet, configure the web server, and assign and enable virtual sensors and interfaces, or you can use the Startup Wizard in the IDM or the IME. After you configure the sensor with the setup command, you can change the network settings in the IDM or the IME.
Note You must be administrator to use the setup command.

Participating in the SensorBase Network

The Cisco IPS contains a security capability, Cisco Global Correlation, which uses the immense security intelligence that we have amassed over the years. At regular intervals, the Cisco IPS receives threat updates from the Cisco SensorBase Network, which contain detailed information about known threats on the Internet, including serial attackers, Botnet harvesters, Malware outbreaks, and dark nets. The IPS uses this information to filter out the worst attackers before they have a chance to attack critical assets. It then incorporates the global threat data in to its system to detect and prevent malicious activity even earlier.
If you agree to participate in the SensorBase Network, Cisco will collect aggregated statistics about traffic sent to your IPS. This includes summary data on the Cisco IPS network traffic properties and how this traffic was handled by the Cisco appliances. We do not collect the data content of traffic or other confidential business or personal information. All data is aggregated and sent by secure HTTP to the Cisco SensorBase Network servers in periodic intervals. All data shared with Cisco will be anonymous and treated as strictly confidential.
Table 3-1 shows how we use the data.
Table 3-1 Cisco Network Participation Data Use
Participation Level | Type of Data | Purpose
Partial | Protocol attributes (TCP maximum segment size and options string, for example) | Tracks potential threats and helps us to understand threat exposure.
Partial | Attack type (signature fired and risk rating, for example) | Used to understand current attacks and attack severity.
Partial | Connecting IP address and port | Identifies attack source.
Partial | Summary IPS performance (CPU utilization, memory usage, inline vs. promiscuous, for example) | Tracks product efficacy.
Full | Victim IP address and port | Detects threat behavioral patterns.
When you enable Partial or Full Network Participation, the Network Participation Disclaimer appears. You must click Agree to participate. If you do not have a license installed, you receive a warning telling you that global correlation inspection and reputation filtering are disabled until the sensor is licensed. You can obtain a license at http://www.cisco.com/go/license.
For More Information
For more information about global correlation, see Chapter 10, “Configuring Global Correlation.”
For the procedure for obtaining a sensor license, see Installing the License Key, page 4-56.

Simplified Setup Mode

The sensor automatically calls the setup command when you connect to the sensor using a console cable and the sensor basic network settings have not yet been configured. The sensor does not call automatic setup under the following conditions:
When initialization has already been successfully completed.
If you have recovered or downgraded the sensor.
If you have set the host configuration to default after successfully configuring the sensor using
automatic setup.
When you enter the setup command, an interactive dialog called the System Configuration Dialog appears on the system console screen. The System Configuration Dialog guides you through the configuration process. The values shown in brackets next to each prompt are the default values last set.

System Configuration Dialog

When you enter the setup command, an interactive dialog called the System Configuration Dialog appears on the system console screen. The System Configuration Dialog guides you through the configuration process. The values shown in brackets next to each prompt are the current values.
You must go through the entire System Configuration Dialog until you come to the option that you want to change. To accept default settings for items that you do not want to change, press Enter.
To return to the EXEC prompt without making changes and without going through the entire System Configuration Dialog, press Ctrl-C. The System Configuration Dialog also provides help text for each prompt. To access the help text, enter ? at a prompt.
When you complete your changes, the System Configuration Dialog shows you the configuration that you created during the setup session. It also asks you if you want to use this configuration. If you enter yes, the configuration is saved. If you enter no, the configuration is not saved and the process begins again. There is no default for this prompt; you must enter either yes or no.
You can configure daylight savings time either in recurring mode or date mode. If you choose recurring mode, the start and end days are based on week, day, month, and time. If you choose date mode, the start and end days are based on month, day, year, and time. Choosing disable turns off daylight savings time.
Note You only need to set the date and time in the System Configuration Dialog if the system is an appliance and is NOT using NTP.
Note The System Configuration Dialog is an interactive dialog. The default settings are displayed.
Example 3-1 shows a sample System Configuration Dialog.
Example 3-1 Example System Configuration Dialog
--- Basic Setup ---

--- System Configuration Dialog ---

At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.

Current time: Wed Nov 11 21:19:51 2009

Setup Configuration last modified:

Enter host name[sensor]:
Enter IP interface[192.168.1.2/24,192.168.1.1]:
Modify current access list?[no]:
Current access list entries:
  [1] 0.0.0.0/0
Delete:
Permit:
Use DNS server for Global Correlation?[no]:
DNS server IP address[171.68.226.120]:
Use HTTP proxy server for Global Correlation?[no]:
HTTP proxy server IP address[128.107.241.169]:
HTTP proxy server Port number[8080]:
Modify system clock settings?[no]: yes
Modify summer time settings?[no]: yes
Use USA SummerTime Defaults?[yes]: no
Recurring, Date or Disable?[Recurring]:
Start Month[march]:
Start Week[second]:
Start Day[sunday]:
Start Time[02:00:00]:
End Month[november]:
End Week[first]:
End Day[sunday]:
End Time[02:00:00]:
DST Zone[]:
Offset[60]:
Modify system timezone?[no]:
Timezone[UTC]:
UTC Offset[0]:
Use NTP?[no]: yes
NTP Server IP Address[]:
Use NTP Authentication?[no]: yes
NTP Key ID[]: 1
NTP Key Value[]: 8675309
Participation in the SensorBase Network allows Cisco to collect aggregated statistics about traffic sent to your IPS.
SensorBase Network Participation level?[off]: full

If you agree to participate in the SensorBase Network, Cisco will collect aggregated statistics about traffic sent to your IPS. This includes summary data on the Cisco IPS network traffic properties and how this traffic was handled by the Cisco appliances. We do not collect the data content of traffic or other sensitive business or personal information. All data is aggregated and sent via secure HTTP to the Cisco SensorBase Network servers in periodic intervals. All data shared with Cisco will be anonymous and treated as strictly confidential. The table below describes how the data will be used by Cisco.

Participation Level = "Partial":
  * Type of Data: Protocol Attributes (e.g. TCP max segment size and options string)
    Purpose: Track potential threats and understand threat exposure
  * Type of Data: Attack Type (e.g. Signature Fired and Risk Rating)
    Purpose: Used to understand current attacks and attack severity
  * Type of Data: Connecting IP Address and port
    Purpose: Identifies attack source
  * Type of Data: Summary IPS performance (CPU utilization memory usage, inline vs. promiscuous, etc)
    Purpose: Tracks product efficacy

Participation Level = "Full" additionally includes:
  * Type of Data: Victim IP Address and port
    Purpose: Detect threat behavioral patterns

Do you agree to participate in the SensorBase Network?[no]:

Basic Sensor Setup

Basic Sensor Setup
You can perform basic sensor setup using the setup command, and then finish setting up the sensor using the CLI, IDM, or IME. To perform basic sensor setup using the setup command, follow these steps:
Step 1 Log in to the sensor using an account with administrator privileges.
Note Both the default username and password are cisco.
Step 2 The first time you log in to the sensor you are prompted to change the default password. Passwords must be at least eight characters long and be strong, that is, not be a dictionary word. After you change the password, basic setup begins.
Step 3 Enter the setup command. The System Configuration Dialog is displayed.
Step 4 Specify the hostname. The hostname is a case-sensitive character string up to 64 characters. Numbers, “_” and “-” are valid, but spaces are not acceptable. The default is sensor.
Step 5 Specify the IP interface. The IP interface is in the form of IP Address/Netmask,Gateway: X.X.X.X/nn,Y.Y.Y.Y, where X.X.X.X specifies the sensor IP address as a 32-bit address written as 4 octets separated by periods, nn specifies the number of bits in the netmask, and Y.Y.Y.Y specifies the default gateway as a 32-bit address written as 4 octets separated by periods.
Step 6 Enter yes to modify the network access list:
a. If you want to delete an entry, enter the number of the entry and press Enter, or press Enter to get to the Permit line.
b. Enter the IP address and netmask of the network you want to add to the access list.
Note For example, 10.0.0.0/8 permits all IP addresses on the 10.0.0.0 network (10.0.0.0-10.255.255.255) and 10.1.1.0/24 permits only the IP addresses on the 10.1.1.0 subnet (10.1.1.0-10.1.1.255). If you want to permit access to a single IP address rather than the entire network, use a 32-bit netmask. For example, 10.1.1.1/32 permits just the 10.1.1.1 address.
c. Repeat Step b until you have added all networks that you want to add to the access list, and then press Enter at a blank permit line to go to the next step.
Step 7 You must configure a DNS server or an HTTP proxy server for global correlation to operate:
a. Enter yes to add a DNS server, and then enter the DNS server IP address.
b. Enter yes to add an HTTP proxy server, and then enter the HTTP proxy server IP address and port number.
Caution You must have a valid sensor license for global correlation features to function. You can still configure and display statistics for the global correlation features, but the global correlation databases are cleared and no updates are attempted. Once you install a valid license, the global correlation features are reactivated.
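The hostname, IP-interface and access-list rules in Steps 4 through 6 are easy to get wrong at the console, and the access list the dialog starts with ([1] 0.0.0.0/0 in Example 3-1) permits management access from any address. The following Python script is added here as an illustration; it is not part of the Cisco guide or of the IPS software. It validates those three inputs offline with the rules the steps give: the hostname character set and length, the X.X.X.X/nn,Y.Y.Y.Y interface form (plus a sanity check, not stated in the guide, that the gateway lies on the sensor's subnet), and which source addresses an access list actually permits, including a check for the wide-open default. Function and variable names are my own.

```python
import ipaddress
import re

# Step 4: case-sensitive, up to 64 characters; letters, digits, "_" and "-"; no spaces.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def valid_hostname(name: str) -> bool:
    """True if the hostname satisfies the setup dialog's rule."""
    return HOSTNAME_RE.fullmatch(name) is not None


def parse_ip_interface(spec: str):
    """Parse the Step 5 form 'X.X.X.X/nn,Y.Y.Y.Y' into (sensor IP, network, gateway).

    The gateway-on-subnet check is an extra sanity check added here; the guide
    only describes the syntax.
    """
    parts = [p.strip() for p in spec.split(",")]
    if len(parts) != 2:
        raise ValueError("expected 'IP/prefix,gateway', got %r" % spec)
    iface = ipaddress.IPv4Interface(parts[0])      # host bits are allowed here
    gateway = ipaddress.IPv4Address(parts[1])
    if gateway not in iface.network:
        raise ValueError(f"gateway {gateway} is not on {iface.network}")
    return iface.ip, iface.network, gateway


def parse_access_list(entries):
    """Step 6: each entry is network/prefix; strict=True rejects host bits such as 10.1.1.1/24."""
    return [ipaddress.IPv4Network(e, strict=True) for e in entries]


def permitted(acl, source: str) -> bool:
    """True if any access-list entry covers the source address."""
    ip = ipaddress.IPv4Address(source)
    return any(ip in net for net in acl)


def describe(acl):
    """Spell out the address range each entry permits, as the Step 6 note does."""
    return [f"{net} permits {net[0]}-{net[-1]} ({net.num_addresses} addresses)" for net in acl]


def open_to_any(acl) -> bool:
    """True if an entry is the 0.0.0.0/0 default shown by the dialog (every source permitted)."""
    return any(net.prefixlen == 0 for net in acl)


if __name__ == "__main__":
    # Sample values taken from the dialog and from the Step 6 note.
    print(parse_ip_interface("192.168.1.2/24,192.168.1.1"))
    acl = parse_access_list(["10.0.0.0/8", "10.1.1.0/24", "10.1.1.1/32"])
    for line in describe(acl):
        print(line)
    print("default access list open to any source:", open_to_any(parse_access_list(["0.0.0.0/0"])))
```

Run it before typing the values at the console, or feed it the entries from an existing sensor's access list to confirm that nothing broader than intended is permitted.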
Step 8 Enter yes to modify the system clock settings:
a. Enter yes to modify summertime settings.
Note Summertime is also known as DST. If your location does not use Summertime, go to Step m.
b. Enter yes to choose the USA summertime defaults, or enter no and choose recurring, date, or disable to specify how you want to configure summertime settings. The default is recurring.
c. If you chose recurring, specify the month you want to start summertime settings. Valid entries are january, february, march, april, may, june, july, august, september, october, november, and december. The default is march.
d. Specify the week you want to start summertime settings. Valid entries are first, second, third, fourth, fifth, and last. The default is second.
e. Specify the day you want to start summertime settings. Valid entries are sunday, monday, tuesday, wednesday, thursday, friday, and saturday. The default is sunday.
f. Specify the time you want to start summertime settings. The default is 02:00:00.
Note The default recurring summertime parameters are correct for time zones in the United States. The default values specify a start time of 2:00 a.m. on the second Sunday in March, and a stop time of 2:00 a.m. on the first Sunday in November. The default summertime offset is 60 minutes.
g. Specify the month you want summertime settings to end. Valid entries are january, february, march, april, may, june, july, august, september, october, november, and december. The default is november.
h. Specify the week you want the summertime settings to end. Valid entries are first, second, third, fourth, fifth, and last. The default is first.
i. Specify the day you want the summertime settings to end. Valid entries are sunday, monday, tuesday, wednesday, thursday, friday, and saturday. The default is sunday.
j. Specify the time you want summertime settings to end. The default is 02:00:00.
k. Specify the DST zone. The zone name is a character string up to 24 characters long in the pattern [A-Za-z0-9()+:,_/-]+$.
l. Specify the summertime offset. Specify the summertime offset from UTC in minutes (negative numbers represent time zones west of the Prime Meridian). The default is 60.
m. Enter yes to modify the system time zone.
n. Specify the standard time zone name. The zone name is a character string up to 24 characters long.
o. Specify the standard time zone offset. Specify the standard time zone offset from UTC in minutes (negative numbers represent time zones west of the Prime Meridian). The default is 0.
p. Enter yes if you want to use NTP. To use authenticated NTP, you need the NTP server IP address, the NTP key ID, and the NTP key value. If you do not have those at this time, you can configure NTP later. Otherwise, you can choose unauthenticated NTP. Note that the key value you enter is echoed in clear text in the configuration summary that setup displays before saving (the ntp-keys line in the sample configuration in this section).
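Step 8 leaves the operator to work out what a recurring rule resolves to in a given year, and a wrong week or day shifts every timestamp in the sensor's event log by an hour for weeks. The following Python script is added here as an illustration; it is not part of the Cisco guide or of the IPS software. It resolves a recurring summertime rule (start/end month, week-of-month, day-of-week, time, in the vocabulary the dialog accepts) to concrete dates, and computes the UTC offset for a local timestamp, using the CST/CDT values from the sample configuration in this section (standard offset -360, summertime offset 60). It also handles the "last" week, a "fifth" week that does not exist in a given year, and a southern-hemisphere rule whose summer spans the new year, none of which the guide discusses. Class and function names are my own.

```python
from datetime import date, datetime, time, timedelta, timezone

# Vocabulary exactly as the setup dialog accepts it (Step 8c-e and 8g-i).
MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
DAYS = ["sunday", "monday", "tuesday", "wednesday", "thursday", "friday", "saturday"]
WEEKS = {"first": 1, "second": 2, "third": 3, "fourth": 4, "fifth": 5, "last": None}


def nth_weekday(year: int, month: str, week: str, day: str) -> date:
    """Date of e.g. the 'second' 'sunday' in 'march' of the given year.

    'last' resolves to the final such weekday; 'fifth' raises ValueError in a month
    that has only four of that weekday, because the rule would silently not fire.
    """
    m = MONTHS.index(month) + 1
    # Python's weekday() counts Monday=0..Sunday=6; the dialog's list starts at sunday.
    want = (DAYS.index(day) - 1) % 7
    first = date(year, m, 1)
    d = first + timedelta(days=(want - first.weekday()) % 7)   # first such weekday
    if week == "last":
        while (d + timedelta(days=7)).month == m:
            d += timedelta(days=7)
        return d
    d += timedelta(weeks=WEEKS[week] - 1)
    if d.month != m:
        raise ValueError(f"{month} {year} has no {week} {day}")
    return d


class RecurringSummertime:
    """Recurring-mode rule as entered in Step 8: start/end are (month, week, day, 'HH:MM:SS')."""

    def __init__(self, standard_offset_min: int, summertime_offset_min: int, start, end):
        self.std = standard_offset_min      # Step 8o: minutes from UTC, negative west of Greenwich
        self.dst = summertime_offset_min    # Step 8l: default 60
        self.start, self.end = start, end

    def _boundary(self, year: int, rule) -> datetime:
        month, week, day, hms = rule
        return datetime.combine(nth_weekday(year, month, week, day), time.fromisoformat(hms))

    def in_effect(self, local: datetime) -> bool:
        """Wall-clock comparison; the repeated hour at the end transition counts as summer time."""
        s, e = self._boundary(local.year, self.start), self._boundary(local.year, self.end)
        if s < e:                        # northern hemisphere: summer lies inside the year
            return s <= local < e
        return not (e <= local < s)      # southern hemisphere: summer spans the new year

    def utc_offset_minutes(self, local: datetime) -> int:
        return self.std + (self.dst if self.in_effect(local) else 0)

    def to_utc(self, local: datetime) -> datetime:
        off = timezone(timedelta(minutes=self.utc_offset_minutes(local)))
        return local.replace(tzinfo=off).astimezone(timezone.utc)


def offset_at(rule: RecurringSummertime, local_iso: str) -> int:
    """UTC offset in minutes for an ISO-8601 local wall-clock timestamp."""
    return rule.utc_offset_minutes(datetime.fromisoformat(local_iso))


def utc_iso_at(rule: RecurringSummertime, local_iso: str) -> str:
    """The same local timestamp expressed in UTC."""
    return rule.to_utc(datetime.fromisoformat(local_iso)).isoformat()


# The US defaults from Step 8 with the CST/CDT offsets from the sample configuration.
CST_CDT = RecurringSummertime(
    standard_offset_min=-360, summertime_offset_min=60,
    start=("march", "second", "sunday", "02:00:00"),
    end=("november", "first", "sunday", "02:00:00"),
)

if __name__ == "__main__":
    for y in (2009, 2010):
        print(y, nth_weekday(y, "march", "second", "sunday"), nth_weekday(y, "november", "first", "sunday"))
    # The "Current time" shown in Example 3-1 falls after the first Sunday in November: standard time.
    print(offset_at(CST_CDT, "2009-11-11T21:19:51"))
```

When checking a sensor whose events look an hour off, compare what this resolves for the current year against the rule in its time-zone-settings and summertime-option configuration before touching NTP.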
Step 9 Enter off, partial, or full to participate in the SensorBase Network Participation:
Off—No data is contributed to the SensorBase Network.
Partial—Data is contributed to the SensorBase Network, but data considered potentially sensitive is filtered out and never sent.
Full—All data is contributed to the SensorBase Network except the attacker/victim IP addresses that you exclude.
The SensorBase Network Participation disclaimer appears. It explains what is involved in participating in the SensorBase Network.
Step 10 Enter yes to participate in the SensorBase Network.
The following configuration was entered.

service host
  network-settings
  host-ip 192.168.1.2/24,192.168.1.1
  host-name sensor
  telnet-option disabled
  sshv1-fallback enabled
  access-list 10.0.0.0/8
  ftp-timeout 300
  no login-banner-text
  dns-primary-server enabled
  address 171.68.226.120
  exit
  dns-secondary-server disabled
  dns-tertiary-server disabled
  http-proxy proxy-server
  address 128.107.241.170
  port 8080
  exit
  time-zone-settings
  offset -360
  standard-time-zone-name CST
  exit
  summertime-option recurring
  offset 60
  summertime-zone-name CDT
  start-summertime
  month march
  week-of-month second
  day-of-week sunday
  time-of-day 02:00:00
  exit
  end-summertime
  month november
  week-of-month first
  day-of-week sunday
  time-of-day 02:00:00
  exit
  exit
  ntp-option enabled
  ntp-keys 1 md5-key 8675309
  ntp-servers 10.10.1.2 key-id 1
  exit
service global-correlation
  network-participation full
  exit

[0] Go to the command prompt without saving this config.
[1] Return to setup without saving this config.
[2] Save this configuration and exit setup.
[3] Continue to Advanced setup.
Step 11 Enter 2 to save the configuration (or 3 to continue with advanced setup using the CLI).
Enter your selection[2]: 2
Configuration Saved.
Step 12 If you changed the time setting, enter yes to reboot the sensor.
For More Information
For the procedure for obtaining the most recent IPS software, see Obtaining Cisco IPS Software, page 21-1.
Advanced Setup
This section describes how to continue with Advanced Setup in the CLI for the various Cisco IPS platforms. It contains the following sections:
Advanced Setup for the Appliance, page 3-8
Advanced Setup for the ASA 5500 AIP SSM, page 3-14
Advanced Setup for the ASA 5500-X IPS SSP, page 3-18
Advanced Setup for the ASA 5585-X IPS SSP, page 3-21

Advanced Setup for the Appliance

Note The currently supported Cisco IPS appliances are the IPS 4240, IPS 4255, and IPS 4260 [IPS 7.1(5) and later], IPS 4270-20 [IPS 7.1(3) and later], IPS 4345 and IPS 4360 [IPS 7.1(3) and later], and IPS 4510 and IPS 4520 [IPS 7.1(4) and later].
Note Adding new subinterfaces is a two-step process. You first organize the interfaces when you edit the virtual sensor configuration. You then choose which interfaces and subinterfaces are assigned to which virtual sensors.
The interfaces change according to the appliance model, but the prompts are the same for all models. To continue with advanced setup for the appliance, follow these steps:
Step 1 Log in to the appliance using an account with administrator privileges.
Step 2 Enter the setup command. The System Configuration Dialog is displayed. Press Enter or the spacebar to skip to the menu to access advanced setup.
Step 3 Enter 3 to access advanced setup.
Step 4 Specify the Telnet server status. The default is disabled.
Step 5 Specify the SSHv1 fallback setting. The default is enabled.
Step 6 Specify the web server port. The web server port is the TCP port used by the web server (1 to 65535). The default is 443.
Note The web server is configured to use TLS/SSL encryption by default. Setting the port to 80 does not disable the encryption.
Step 7 Enter yes to modify the interface and virtual sensor configuration and to see the current interface configuration.
Current interface configuration
Command control: Management0/0
Unassigned:
  Promiscuous:
    GigabitEthernet0/0
    GigabitEthernet0/1
    GigabitEthernet0/2
    GigabitEthernet0/3
Virtual Sensor: vs0
  Anomaly Detection: ad0
  Event Action Rules: rules0
  Signature Definitions: sig0
Virtual Sensor: vs1
  Anomaly Detection: ad0
  Event Action Rules: rules0
  Signature Definitions: sig0
Virtual Sensor: vs2
  Anomaly Detection: ad0
  Event Action Rules: rules0
  Signature Definitions: sig0
[1] Edit Interface Configuration
[2] Edit Virtual Sensor Configuration
[3] Display configuration
Option:
Step 8 Enter 1 to edit the interface configuration.
Note The following options let you create and delete interfaces. You assign the interfaces to virtual sensors in the virtual sensor configuration. If you are using promiscuous mode for your interfaces and are not subdividing them by VLAN, no additional configuration is necessary.
[1] Remove interface configurations.
[2] Add/Modify Inline Vlan Pairs.
[3] Add/Modify Promiscuous Vlan Groups.
[4] Add/Modify Inline Interface Pairs.
[5] Add/Modify Inline Interface Pair Vlan Groups.
[6] Modify interface default-vlan.
Option:
Step 9 Enter 2 to add inline VLAN pairs and display the list of available interfaces.
Caution The new VLAN pair is not automatically added to a virtual sensor.
Available Interfaces
[1] GigabitEthernet0/0
[2] GigabitEthernet0/1
[3] GigabitEthernet0/2
[4] GigabitEthernet0/3
Option:
Step 10 Enter 1 to add an inline VLAN pair to GigabitEthernet 0/0, for example.
Inline Vlan Pairs for GigabitEthernet0/0 None
Step 11 Enter a subinterface number and description.
Subinterface Number:
Description[Created via setup by user asmith]:
Step 12 Enter numbers for VLAN 1 and 2.
Vlan1[]: 200
Vlan2[]: 300
Step 13 Press Enter to return to the available interfaces menu.
Note Entering a carriage return at a prompt without a value returns you to the previous menu.
[1] GigabitEthernet0/0
[2] GigabitEthernet0/1
[3] GigabitEthernet0/2
[4] GigabitEthernet0/3
Option:
Note At this point, you can configure another interface, for example, GigabitEthernet 0/1, for inline VLAN pair.
Step 14 Press Enter to return to the top-level interface editing menu.
[1] Remove interface configurations.
[2] Add/Modify Inline Vlan Pairs.
[3] Add/Modify Promiscuous Vlan Groups.
[4] Add/Modify Inline Interface Pairs.
[5] Add/Modify Inline Interface Pair Vlan Groups.
[6] Modify interface default-vlan.
Option:
Step 15 Enter 4 to add an inline interface pair and see these options.
Available Interfaces
GigabitEthernet0/1
GigabitEthernet0/2
GigabitEthernet0/3
Step 16 Enter the pair name, description, and which interfaces you want to pair.
Pair name: newPair
Description[Created via setup by user asmith]:
Interface1[]: GigabitEthernet0/1
Interface2[]: GigabitEthernet0/2
Pair name:
Step 17 Press Enter to return to the top-level interface editing menu.
[1] Remove interface configurations.
[2] Add/Modify Inline Vlan Pairs.
[3] Add/Modify Promiscuous Vlan Groups.
[4] Add/Modify Inline Interface Pairs.
[5] Add/Modify Inline Interface Pair Vlan Groups.
[6] Modify interface default-vlan.
Option:
Step 18 Press Enter to return to the top-level editing menu.
[1] Edit Interface Configuration
[2] Edit Virtual Sensor Configuration
[3] Display configuration
Option:
Step 19 Enter 2 to edit the virtual sensor configuration.
[1] Remove virtual sensor.
[2] Modify "vs0" virtual sensor configuration.
[3] Create new virtual sensor.
Option:
Step 20 Enter 2 to modify the virtual sensor configuration, vs0.
Virtual Sensor: vs0
  Anomaly Detection: ad0
  Event Action Rules: rules0
  Signature Definitions: sig0
No Interfaces to remove.
Unassigned:
  Promiscuous:
    [1] GigabitEthernet0/3
    [2] GigabitEthernet0/0
  Inline Vlan Pair:
    [3] GigabitEthernet0/0:1 (Vlans: 200, 300)
  Inline Interface Pair:
    [4] newPair (GigabitEthernet0/1, GigabitEthernet0/2)
Add Interface:
Step 21 Enter 3 to add inline VLAN pair GigabitEthernet0/0:1.
Step 22 Enter 4 to add inline interface pair newPair.
Step 23 Press Enter to return to the top-level virtual sensor menu.
Virtual Sensor: vs0
  Anomaly Detection: ad0
  Event Action Rules: rules0
  Signature Definitions: sig0
  Inline Vlan Pair:
    GigabitEthernet0/0:1 (Vlans: 200, 300)
  Inline Interface Pair:
    newPair (GigabitEthernet0/1, GigabitEthernet0/2)
[1] Remove virtual sensor.
[2] Modify "vs0" virtual sensor configuration.
[3] Create new virtual sensor.
Option:
Step 24 Press Enter to return to the top-level interface and virtual sensor configuration menu.
[1] Edit Interface Configuration
[2] Edit Virtual Sensor Configuration
[3] Display configuration
Option:
Step 25 Enter yes if you want to modify the default threat prevention settings.
Note The sensor comes with a built-in override to add the deny packet event action to high risk rating alerts. If you do not want this protection, disable automatic threat prevention.
Virtual sensor newVs is configured to prevent high risk threats in inline mode. (Risk Rating 90-100)
Virtual sensor vs0 is configured to prevent high risk threats in inline mode. (Risk Rating 90-100)
Do you want to disable automatic threat prevention on all virtual sensors?[no]:
Step 26 Enter yes to disable automatic threat prevention on all virtual sensors.
Step 27 Press Enter to exit the interface and virtual sensor configuration.
The following configuration was entered.

service host
  network-settings
  host-ip 192.168.1.2/24,192.168.1.1
  host-name sensor
  telnet-option disabled
  sshv1-fallback enabled
  ftp-timeout 300
  no login-banner-text
  exit
  time-zone-settings
  offset 0
  standard-time-zone-name UTC
  exit
  summertime-option disabled
  ntp-option disabled
  exit
service web-server
  port 342
  exit
service interface
  physical-interfaces GigabitEthernet0/0
  admin-state enabled
  subinterface-type inline-vlan-pair
  subinterface 1
  description Created via setup by user asmith
  vlan1 200
  vlan2 300
  exit
  exit
  exit
  physical-interfaces GigabitEthernet0/1
  admin-state enabled
  exit
  physical-interfaces GigabitEthernet0/2
  admin-state enabled
  exit
  physical-interfaces GigabitEthernet0/0
  admin-state enabled
  exit
  inline-interfaces newPair
  description Created via setup by user asmith
  interface1 GigabitEthernet0/1
  interface2 GigabitEthernet0/2
  exit
  exit
service analysis-engine
  virtual-sensor newVs
  description Created via setup by user cisco
  signature-definition newSig
  event-action-rules rules0
  anomaly-detection
  anomaly-detection-name ad0
  operational-mode inactive
  exit
  physical-interface GigabitEthernet0/0
  exit
  virtual-sensor vs0
  physical-interface GigabitEthernet0/0 subinterface-number 1
  logical-interface newPair
service event-action-rules rules0
  overrides deny-packet-inline
  override-item-status Disabled
  risk-rating-range 90-100
  exit
  exit

[0] Go to the command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration and exit setup.
Step 28 Enter 2 to save the configuration.
Enter your selection[2]: 2
Configuration Saved.
Step 29 Reboot the appliance.
sensor# reset
Warning: Executing this command will stop all applications and reboot the node.
Continue with reset? []:
Step 30 Enter yes to continue the reboot.
Step 31 Apply the most recent service pack and signature update. You are now ready to configure your appliance for intrusion prevention.
For More Information
For the procedure for obtaining the most recent IPS software, see Obtaining Cisco IPS Software, page 21-1.

Advanced Setup for the ASA 5500 AIP SSM

To continue with advanced setup for the ASA 5500 AIP SSM, follow these steps:
Step 1 Session in to the ASA 5500 AIP SSM using an account with administrator privileges.
asa# session 1
Step 2 Enter the setup command. The System Configuration Dialog is displayed. Press Enter or the spacebar to skip to the menu to access advanced setup.
Step 3 Enter 3 to access advanced setup.
Step 4 Specify the Telnet server status. You can disable or enable Telnet services. The default is disabled.
Step 5 Specify the SSHv1 fallback setting. The default is enabled.
Step 6 Specify the web server port. The web server port is the TCP port used by the web server (1 to 65535). The default is 443.
Note The web server is configured to use TLS/SSL encryption by default. Setting the port to 80 does not disable the encryption.
Step 7 Enter yes to modify the interface and virtual sensor configuration.
Current interface configuration
Command control: Management0/0
Unassigned:
  Monitored:
    GigabitEthernet0/1
Virtual Sensor: vs0
  Anomaly Detection: ad0
  Event Action Rules: rules0
  Signature Definitions: sig0
[1] Edit Interface Configuration
[2] Edit Virtual Sensor Configuration
[3] Display configuration
Option:
Step 8 Enter 1 to edit the interface configuration.
Note You do not need to configure interfaces on the ASA 5500 AIP SSM. You should ignore the modify interface default VLAN setting. The separation of traffic across virtual sensors is configured differently for the ASA 5500 AIP SSM than for other sensors.
[1] Modify interface default-vlan.
Option:
Step 9 Press Enter to return to the top-level interface and virtual sensor configuration menu.
[1] Edit Interface Configuration
[2] Edit Virtual Sensor Configuration
[3] Display configuration
Option:
Step 10 Enter 2 to edit the virtual sensor configuration.
[1] Remove virtual sensor.
[2] Modify "vs0" virtual sensor configuration.
[3] Create new virtual sensor.
Option:
Step 11 Enter 2 to modify the virtual sensor vs0 configuration.
Virtual Sensor: vs0
  Anomaly Detection: ad0
  Event Action Rules: rules0
  Signature Definitions: sig0
No Interfaces to remove.
Unassigned:
  Monitored:
    [1] GigabitEthernet0/1
Add Interface:
Step 12 Enter 1 to add GigabitEthernet 0/1 to virtual sensor vs0.
Note Multiple virtual sensors are supported. The adaptive security appliance can direct packets to specific virtual sensors or can send packets to be monitored by a default virtual sensor. The default virtual sensor is the virtual sensor to which you assign GigabitEthernet 0/1. We recommend that you assign GigabitEthernet 0/1 to vs0, but you can assign it to another virtual sensor if you want to.
Step 13 Press Enter to return to the main virtual sensor menu.
Step 14 Enter 3 to create a virtual sensor.
Name[]:
Step 15 Enter a name and description for your virtual sensor.
Name[]: newVs
Description[Created via setup by user cisco]: New Sensor
Anomaly Detection Configuration
[1] ad0
[2] Create a new anomaly detection configuration
Option[2]:
Step 16 Enter 1 to use the existing anomaly detection configuration, ad0.
Signature Definition Configuration
[1] sig0
[2] Create a new signature definition configuration
Option[2]:
Step 17 Enter 2 to create a signature-definition configuration file.
Step 18 Enter the signature-definition configuration name, newSig.
Event Action Rules Configuration
[1] rules0
[2] Create a new event action rules configuration
Option[2]:
Step 19 Enter 1 to use the existing event-action-rules configuration, rules0.
Note If GigabitEthernet 0/1 has not been assigned to vs0, you are prompted to assign it to the new virtual sensor.
Virtual Sensor: newVs
  Anomaly Detection: ad0
  Event Action Rules: rules0
  Signature Definitions: newSig
  Monitored: GigabitEthernet0/1
[1] Remove virtual sensor.
[2] Modify "newVs" virtual sensor configuration.
[3] Modify "vs0" virtual sensor configuration.
[4] Create new virtual sensor.
Option:
Step 20 Press Enter to exit the interface and virtual sensor configuration menu.
Modify default threat prevention settings?[no]:
Step 21 Enter yes if you want to modify the default threat prevention settings.
Note The sensor comes with a built-in override to add the deny packet event action to high risk rating alerts. If you do not want this protection, disable automatic threat prevention.
Virtual sensor newVs is configured to prevent high risk threats in inline mode. (Risk Rating 90-100)
Virtual sensor vs0 is configured to prevent high risk threats in inline mode. (Risk Rating 90-100)
Do you want to disable automatic threat prevention on all virtual sensors?[no]:
Step 22 Enter yes to disable automatic threat prevention on all virtual sensors.
The following configuration was entered.
service host
  network-settings
  host-ip 10.1.9.201/24,10.1.9.1
  host-name aip-ssm
  telnet-option disabled
  sshv1-fallback enabled
  access-list 10.0.0.0/8
  access-list 64.0.0.0/8
  ftp-timeout 300
  no login-banner-text
  exit
  time-zone-settings
  offset 0
  standard-time-zone-name UTC
  exit
  summertime-option disabled
  ntp-option disabled
  exit
service web-server
  port 342
  exit
service analysis-engine
  virtual-sensor newVs
  description New Sensor
  signature-definition newSig
  event-action-rules rules0
  anomaly-detection
  anomaly-detection-name ad0
  exit
  physical-interfaces GigabitEthernet0/1
  exit
  exit
service event-action-rules rules0
  overrides deny-packet-inline
  override-item-status Disabled
  risk-rating-range 90-100
  exit
  exit

[0] Go to the command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration and exit setup.
Step 23 Enter 2 to save the configuration.
Enter your selection[2]: 2
Configuration Saved.
Step 24 Reboot the ASA 5500 AIP SSM.
aip-ssm# reset
Warning: Executing this command will stop all applications and reboot the node.
Continue with reset? []:
Step 25 Enter yes to continue the reboot.
Step 26 After reboot, log in to the sensor, and display the self-signed X.509 certificate (needed by TLS).
aip-ssm# show tls fingerprint
MD5: C4:BC:F2:92:C2:E2:4D:EB:92:0F:E4:86:53:6A:C6:01
SHA1: 64:9B:AC:DE:21:62:0C:D3:57:2E:9B:E5:3D:04:8F:A7:FD:CD:6F:27
Step 27 Write down the certificate fingerprints. You need the fingerprints to check the authenticity of the certificate when using HTTPS to connect to this ASA 5500 AIP SSM with a web browser.
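The comparison Step 27 asks for can be scripted rather than read off a browser dialog. The following Python script is added here as an illustration; it is not part of the Cisco guide or of the IPS software. It parses the fingerprints as printed by show tls fingerprint in Step 26, retrieves the certificate the sensor's web server presents, hashes the DER bytes the same way, and compares the SHA1 values in constant time. The TLS connection deliberately skips chain validation because the certificate is self-signed: the fingerprint recorded at the console is the only trust anchor, so the comparison, not the handshake, decides whether the session is trusted. Function names are my own, and the management address is supplied on the command line.

```python
import hashlib
import hmac
import re
import socket
import ssl
import sys

# Console output exactly as printed in Step 26; this is the out-of-band reference.
RECORDED = """aip-ssm# show tls fingerprint
MD5: C4:BC:F2:92:C2:E2:4D:EB:92:0F:E4:86:53:6A:C6:01
SHA1: 64:9B:AC:DE:21:62:0C:D3:57:2E:9B:E5:3D:04:8F:A7:FD:CD:6F:27
"""

_LINE = re.compile(r"^(MD5|SHA1):\s*([0-9A-Fa-f:]+)\s*$", re.MULTILINE)


def normalize(fp: str) -> str:
    """Drop separators and case so fingerprints copied from different tools compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def colonize(hexdigits: str) -> str:
    """Render hex digits in the colon-separated form the sensor prints."""
    return ":".join(hexdigits[i:i + 2] for i in range(0, len(hexdigits), 2))


def parse_show_tls_fingerprint(text: str) -> dict:
    """Return {'MD5': ..., 'SHA1': ...} from the console output, in canonical form."""
    return {algo: colonize(normalize(fp)) for algo, fp in _LINE.findall(text)}


def fingerprints(cert_der: bytes) -> dict:
    """MD5 and SHA1 over the DER-encoded certificate, the digests the sensor prints."""
    return {
        "MD5": colonize(hashlib.md5(cert_der).hexdigest().upper()),
        "SHA1": colonize(hashlib.sha1(cert_der).hexdigest().upper()),
    }


def fingerprint_matches(recorded: str, presented: str) -> bool:
    """Constant-time comparison of two fingerprints written in any separator or case style."""
    return hmac.compare_digest(normalize(recorded), normalize(presented))


def fetch_server_cert_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the leaf certificate without validating it; the caller validates by fingerprint."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def verify_sensor(host: str, recorded_text: str, port: int = 443) -> bool:
    """True only if the presented certificate's SHA1 equals the fingerprint recorded at the console."""
    recorded = parse_show_tls_fingerprint(recorded_text)
    presented = fingerprints(fetch_server_cert_der(host, port))
    return fingerprint_matches(recorded["SHA1"], presented["SHA1"])


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: verify_sensor.py <sensor-management-address> [port]")
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print("certificate matches console fingerprint:", verify_sensor(host, RECORDED, port))
```

Re-run this whenever the sensor is re-imaged or its certificate regenerated, and replace RECORDED with the new console output at that point; a mismatch on an unchanged sensor is the condition Step 27 exists to catch.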
Step 28 Apply the most recent service pack and signature update. You are now ready to configure your ASA 5500 AIP SSM for intrusion prevention.
For More Information
For the procedure for obtaining the most recent IPS software, see Obtaining Cisco IPS Software, page 21-1.

Advanced Setup for the ASA 5500-X IPS SSP

To continue with advanced setup for the ASA 5500-X IPS SSP, follow these steps:
Step 1 Session in to the IPS using an account with administrator privileges.
asa# session ips
Step 2 Enter the setup command. The System Configuration Dialog is displayed. Press Enter or the spacebar to skip to the menu to access advanced setup.
Step 3 Enter 3 to access advanced setup.
Step 4 Specify the Telnet server status. You can disable or enable Telnet services. The default is disabled.
Step 5 Specify the SSHv1 fallback setting. The default is enabled.
Step 6 Specify the web server port. The web server port is the TCP port used by the web server (1 to 65535). The default is 443.
Note The web server is configured to use TLS/SSL encryption by default. Setting the port to 80 does not disable the encryption.
Step 7 Enter yes to modify the interface and virtual sensor configuration.
Current interface configuration
Command control: Management0/0
Unassigned:
  Monitored:
    PortChannel 0/0
Virtual Sensor: vs0
  Anomaly Detection: ad0
  Event Action Rules: rules0
  Signature Definitions: sig0
[1] Edit Interface Configuration
[2] Edit Virtual Sensor Configuration
[3] Display configuration
Option:
Step 8 Enter 1 to edit the interface configuration.
Note You do not need to configure interfaces on the ASA 5500-X IPS SSP. You should ignore the modify interface default VLAN setting. The separation of traffic across virtual sensors is configured differently for the ASA 5500-X IPS SSP than for other sensors.
[1] Modify interface default-vlan.
Option:
Step 9 Press Enter to return to the top-level interface and virtual sensor configuration menu.
[1] Edit Interface Configuration
[2] Edit Virtual Sensor Configuration
[3] Display configuration
Option:
Step 10 Enter 2 to edit the virtual sensor configuration.
[1] Remove virtual sensor.
[2] Modify "vs0" virtual sensor configuration.
[3] Create new virtual sensor.
Option:
Step 11 Enter 2 to modify the virtual sensor vs0 configuration.
Virtual Sensor: vs0
  Anomaly Detection: ad0
  Event Action Rules: rules0
  Signature Definitions: sig0
No Interfaces to remove.
Unassigned:
  Monitored:
    [1] PortChannel 0/0
Add Interface:
Step 12 Enter 1 to add PortChannel 0/0 to virtual sensor vs0.
Note Multiple virtual sensors are supported. The adaptive security appliance can direct packets to specific virtual sensors or can send packets to be monitored by a default virtual sensor. The default virtual sensor is the virtual sensor to which you assign PortChannel 0/0. We recommend that you assign PortChannel 0/0 to vs0, but you can assign it to another virtual sensor if you want to.
Step 13 Press Enter to return to the main virtual sensor menu.
Step 14 Enter 3 to create a virtual sensor.
Name[]:
Step 15 Enter a name and description for your virtual sensor.
Name[]: newVs
Description[Created via setup by user cisco]: New Sensor
Anomaly Detection Configuration
  [1] ad0
  [2] Create a new anomaly detection configuration
Option[2]:
Step 16 Enter 1 to use the existing anomaly-detection configuration, ad0.
Signature Definition Configuration
  [1] sig0
  [2] Create a new signature definition configuration
Option[2]:
Step 17 Enter 2 to create a signature-definition configuration file.
Step 18 Enter the signature-definition configuration name, newSig.
Event Action Rules Configuration
  [1] rules0
  [2] Create a new event action rules configuration
Option[2]:
Step 19 Enter 1 to use the existing event-action-rules configuration, rules0.
Note If PortChannel 0/0 has not been assigned to vs0, you are prompted to assign it to the new virtual
sensor.
Virtual Sensor: newVs
  Anomaly Detection: ad0
  Event Action Rules: rules0
  Signature Definitions: newSig
  Monitored: PortChannel0/0

  [1] Remove virtual sensor.
  [2] Modify "newVs" virtual sensor configuration.
  [3] Modify "vs0" virtual sensor configuration.
  [4] Create new virtual sensor.
Option:
Step 20 Press Enter to exit the interface and virtual sensor configuration menu.
Modify default threat prevention settings?[no]:
Step 21 Enter yes if you want to modify the default threat prevention settings.
Note The sensor comes with a built-in override to add the deny packet event action to high risk rating
alerts. If you do not want this protection, disable automatic threat prevention.
Virtual sensor newVs is configured to prevent high risk threats in inline mode. (Risk Rating 90-100)
Virtual sensor vs0 is configured to prevent high risk threats in inline mode. (Risk Rating 90-100)
Do you want to disable automatic threat prevention on all virtual sensors?[no]:
Step 22 Enter yes to disable automatic threat prevention on all virtual sensors.
The following configuration was entered.
service host
  network-settings
    host-ip 192.168.1.2/24,192.168.1.1
    host-name asa-ips
    telnet-option disabled
    sshv1-fallback enabled
    access-list 10.0.0.0/8
    access-list 64.0.0.0/8
    ftp-timeout 300
    no login-banner-text
  exit
  time-zone-settings
    offset 0
    standard-time-zone-name UTC
  exit
  summertime-option disabled
  ntp-option disabled
exit
service web-server
  port 342
exit
service analysis-engine
  virtual-sensor newVs
    description New Sensor
    signature-definition newSig
    event-action-rules rules0
    anomaly-detection
      anomaly-detection-name ad0
    exit
    physical-interfaces PortChannel0/0
  exit
exit
service event-action-rules rules0
  overrides deny-packet-inline
    override-item-status Disabled
    risk-rating-range 90-100
  exit
exit
  [0] Go to the command prompt without saving this config.
  [1] Return back to the setup without saving this config.
  [2] Save this configuration and exit setup.
Step 23 Enter 2 to save the configuration.
Enter your selection[2]: 2
Configuration Saved.
Step 24 Reboot the ASA 5500-X IPS SSP.
asa-ips# reset
Warning: Executing this command will stop all applications and reboot the node.
Continue with reset? []:
Step 25 Enter yes to continue the reboot.
Step 26 After reboot, log in to the sensor, and display the self-signed X.509 certificate (needed by TLS).
asa-ips# show tls fingerprint
MD5: C4:BC:F2:92:C2:E2:4D:EB:92:0F:E4:86:53:6A:C6:01
SHA1: 64:9B:AC:DE:21:62:0C:D3:57:2E:9B:E5:3D:04:8F:A7:FD:CD:6F:27
Step 27 Write down the certificate fingerprints. You need the fingerprints to check the authenticity of the
certificate when using HTTPS to connect to this ASA 5500-X IPS SSP with a web browser.
Step 28 Apply the most recent service pack and signature update. You are now ready to configure the
ASA 5500-X IPS SSP for intrusion prevention.
For More Information
For the procedure for obtaining the most recent IPS software, see Obtaining Cisco IPS Software,
page 21-1.

Advanced Setup for the ASA 5585-X IPS SSP

To continue with advanced setup for the ASA 5585-X IPS SSP, follow these steps:
Step 1 Session in to the ASA 5585-X IPS SSP using an account with administrator privileges.
asa# session 1
Step 2 Enter the setup command. The System Configuration Dialog is displayed. Press Enter or the spacebar
to skip to the menu to access advanced setup.
Step 3 Enter 3 to access advanced setup.
Step 4 Specify the Telnet server status. You can disable or enable Telnet services. The default is disabled.
Step 5 Specify the SSHv1 fallback setting. The default is enabled.
Step 6 Specify the web server port. The web server port is the TCP port used by the web server (1 to 65535).
The default is 443.
Note The web server is configured to use TLS/SSL encryption by default. Setting the port to 80 does
not disable the encryption.
Step 7 Enter yes to modify the interface and virtual sensor configuration.
Current interface configuration
  Command control: Management0/0
  Unassigned:
  Monitored:
    PortChannel0/0
  Virtual Sensor: vs0
    Anomaly Detection: ad0
    Event Action Rules: rules0
    Signature Definitions: sig0

  [1] Edit Interface Configuration
  [2] Edit Virtual Sensor Configuration
  [3] Display configuration
Option:
Step 8 Enter 1 to edit the interface configuration.
Note You do not need to configure interfaces on the ASA 5585-X IPS SSP. You should ignore the
modify interface default VLAN setting. The separation of traffic across virtual sensors is configured differently for the ASA 5585-X IPS SSP than for other sensors.
  [1] Modify interface default-vlan.
Option:
Step 9 Press Enter to return to the top-level interface and virtual sensor configuration menu.
  [1] Edit Interface Configuration
  [2] Edit Virtual Sensor Configuration
  [3] Display configuration
Option:
Step 10 Enter 2 to edit the virtual sensor configuration.
  [1] Remove virtual sensor.
  [2] Modify "vs0" virtual sensor configuration.
  [3] Create new virtual sensor.
Option:
Step 11 Enter 2 to modify the virtual sensor vs0 configuration.
Virtual Sensor: vs0
  Anomaly Detection: ad0
  Event Action Rules: rules0
  Signature Definitions: sig0
  No Interfaces to remove.
  Unassigned:
  Monitored:
    [1] PortChannel0/0
Add Interface:
Step 12 Enter 1 to add PortChannel 0/0 to virtual sensor vs0.
Note Multiple virtual sensors are supported. The adaptive security appliance can direct packets to
specific virtual sensors or can send packets to be monitored by a default virtual sensor. The default virtual sensor is the virtual sensor to which you assign PortChannel 0/0. We recommend that you assign PortChannel 0/0 to vs0, but you can assign it to another virtual sensor if you want to.
Step 13 Press Enter to return to the main virtual sensor menu.
Step 14 Enter 3 to create a virtual sensor.
Name[]:
Step 15 Enter a name and description for your virtual sensor.
Name[]: newVs
Description[Created via setup by user cisco]: New Sensor
Anomaly Detection Configuration
  [1] ad0
  [2] Create a new anomaly detection configuration
Option[2]:
Step 16 Enter 1 to use the existing anomaly-detection configuration, ad0.
Signature Definition Configuration
  [1] sig0
  [2] Create a new signature definition configuration
Option[2]:
Step 17 Enter 2 to create a signature-definition configuration file.
Step 18 Enter the signature-definition configuration name, newSig.
Event Action Rules Configuration
  [1] rules0
  [2] Create a new event action rules configuration
Option[2]:
Step 19 Enter 1 to use the existing event action rules configuration, rules0.
Note If PortChannel 0/0 has not been assigned to vs0, you are prompted to assign it to the new virtual
sensor.
Virtual Sensor: newVs
  Anomaly Detection: ad0
  Event Action Rules: rules0
  Signature Definitions: newSig
  Monitored: PortChannel0/0

  [1] Remove virtual sensor.
  [2] Modify "newVs" virtual sensor configuration.
  [3] Modify "vs0" virtual sensor configuration.
  [4] Create new virtual sensor.
Option:
Step 20 Press Enter to exit the interface and virtual sensor configuration menu.
Modify default threat prevention settings?[no]:
Step 21 Enter yes if you want to modify the default threat prevention settings.
Note The sensor comes with a built-in override to add the deny packet event action to high risk rating
alerts. If you do not want this protection, disable automatic threat prevention.
Virtual sensor newVs is configured to prevent high risk threats in inline mode. (Risk Rating 90-100)
Virtual sensor vs0 is configured to prevent high risk threats in inline mode. (Risk Rating 90-100)
Do you want to disable automatic threat prevention on all virtual sensors?[no]:
Step 22 Enter yes to disable automatic threat prevention on all virtual sensors.
The following configuration was entered.
service host
  network-settings
    host-ip 10.1.9.201/24,10.1.9.1
    host-name ips-ssm
    telnet-option disabled
    sshv1-fallback enabled
    access-list 10.0.0.0/8
    access-list 64.0.0.0/8
    ftp-timeout 300
    no login-banner-text
  exit
  time-zone-settings
    offset 0
    standard-time-zone-name UTC
  exit
  summertime-option disabled
  ntp-option disabled
exit
service web-server
  port 342
exit
service analysis-engine
  virtual-sensor newVs
    description New Sensor
    signature-definition newSig
    event-action-rules rules0
    anomaly-detection
      anomaly-detection-name ad0
    exit
    physical-interfaces PortChannel0/0
  exit
exit
service event-action-rules rules0
  overrides deny-packet-inline
    override-item-status Disabled
    risk-rating-range 90-100
  exit
exit
  [0] Go to the command prompt without saving this config.
  [1] Return back to the setup without saving this config.
  [2] Save this configuration and exit setup.
Step 23 Enter 2 to save the configuration.
Enter your selection[2]: 2
Configuration Saved.
Step 24 Reboot the ASA 5585-X IPS SSP.
ips-ssp# reset
Warning: Executing this command will stop all applications and reboot the node.
Continue with reset? []:
Step 25 Enter yes to continue the reboot.
Step 26 After reboot, log in to the sensor, and display the self-signed X.509 certificate (needed by TLS).
ips-ssp# show tls fingerprint
MD5: C4:BC:F2:92:C2:E2:4D:EB:92:0F:E4:86:53:6A:C6:01
SHA1: 64:9B:AC:DE:21:62:0C:D3:57:2E:9B:E5:3D:04:8F:A7:FD:CD:6F:27
Step 27 Write down the certificate fingerprints. You need the fingerprints to check the authenticity of the
certificate when using HTTPS to connect to this ASA 5585-X IPS SSP with a web browser.
Step 28 Apply the most recent service pack and signature update. You are now ready to configure your
ASA 5585-X IPS SSP for intrusion prevention.

For More Information
For the procedure for obtaining the most recent IPS software, see Obtaining Cisco IPS Software,
page 21-1.

Verifying Initialization

Note The CLI output is an example of what your configuration may look like. It will not match exactly due to
the optional setup choices, sensor model, and IPS 7.1 version you have installed.
To verify that you initialized your sensor, follow these steps:
Step 1 Log in to the sensor.
Step 2 View your configuration.
sensor# show configuration
! ------------------------------
! Current configuration last modified Tue Nov 01 10:40:39 2011
! ------------------------------
! Version 7.1(3)
! Host:
!   Realm Keys          key1.0
! Signature Definition:
!   Signature Update    S581.0   2011-07-11
! ------------------------------
service interface
exit
! ------------------------------
service authentication
permit-packet-logging true
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
network-settings
host-ip 192.168.1.2/24,192.168.1.1
host-name sensor
telnet-option enabled
sshv1-fallback enabled
access-list 0.0.0.0/0
dns-primary-server disabled
dns-secondary-server disabled
dns-tertiary-server disabled
exit
time-zone-settings
offset -360
standard-time-zone-name GMT-06:00
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
exit
! ------------------------------
service signature-definition sig0
signatures 2000 0
alert-frequency
summary-mode fire-all
exit
exit
status
enabled true
exit
exit
signatures 2004 0
alert-frequency
summary-mode fire-all
exit
exit
status
enabled true
exit
exit
exit
! ------------------------------
service ssh-known-hosts
rsa1-keys 10.89.146.1
length 1024
exponent 35
modulus 12783094292288326767015615132168773328115097561020607196221632570955980269998149478748431202060218539250569954487820368372742332963486465122675278103455023820741470819765804773674487613727040180067491475301153544560864727358878607802092320356564916540239189319280544503100030493898641274232894037971186901542 7
exit
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
exit
! ------------------------------
service anomaly-detection ad0
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service health-monitor
exit
! ------------------------------
service global-correlation
exit
! ------------------------------
service aaa
exit
! ------------------------------
service analysis-engine
exit
sensor#
Note You can also use the more current-config command to view your configuration.
Step 3 Display the self-signed X.509 certificate (needed by TLS).
sensor# show tls fingerprint
MD5: C4:BC:F2:92:C2:E2:4D:EB:92:0F:E4:86:53:6A:C6:01
SHA1: 64:9B:AC:DE:21:62:0C:D3:57:2E:9B:E5:3D:04:8F:A7:FD:CD:6F:27
Step 4 Write down the certificate fingerprints. You need the fingerprints to check the authenticity of the
certificate when connecting to this sensor with a web browser.
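Steps 3 and 4 above, like Steps 26 and 27 of the two advanced setup procedures, have you record the MD5 and SHA1 fingerprints printed by show tls fingerprint and check them before trusting the sensor's self-signed certificate over HTTPS. The following Python is an added example and not part of the Cisco guide: it recomputes the fingerprints from a certificate's DER bytes in the same colon-separated form and compares them with the recorded values; the hostname, port and sample bytes are constructed assumptions.

```python
"""Pin a sensor's self-signed TLS certificate by its recorded fingerprints.

Added example, not from the Cisco IPS guide. The sensor prints MD5 and SHA1
fingerprints; the operator writes them down at setup and later checks that the
certificate presented over HTTPS hashes to the same values.
"""
import hashlib
import hmac
import socket
import ssl


def fingerprint(der: bytes, algorithm: str) -> str:
    """Return the digest of a DER-encoded certificate as colon-separated
    upper-case hex, the form `show tls fingerprint` prints."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints(der: bytes) -> dict:
    """Both fingerprints the sensor CLI reports."""
    return {"MD5": fingerprint(der, "md5"), "SHA1": fingerprint(der, "sha1")}


def matches_recorded(der: bytes, recorded: dict) -> bool:
    """Compare computed fingerprints with the values written down at setup.

    Every algorithm the operator recorded must match; an empty record or an
    algorithm the sensor does not print counts as a mismatch, and the string
    comparison is constant-time. Case and stray spaces in the recorded value
    are tolerated, since it was copied by hand.
    """
    if not recorded:
        return False
    computed = fingerprints(der)
    for algorithm, value in recorded.items():
        want = value.replace(" ", "").upper()
        got = computed.get(algorithm.upper())
        if got is None or not hmac.compare_digest(got, want):
            return False
    return True


def fetch_der_certificate(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Retrieve the sensor's certificate without chain validation, which is the
    only option for a self-signed certificate before it has been pinned.
    Needs network access to the sensor; not exercised offline."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Constructed stand-in for DER bytes; a live check would instead call
    # fetch_der_certificate("192.0.2.1", 443) against the sensor's host-ip.
    sample = b"constructed-der-certificate-bytes"
    recorded = fingerprints(sample)  # what the operator wrote down at setup
    print(matches_recorded(sample, recorded))    # same certificate
    print(matches_recorded(b"other", recorded))  # a different certificate
```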
For More Information
For the procedure for logging in to the sensor, see Chapter 2, “Logging In to the Sensor.”
CHAPTER 4

Setting Up the Sensor

This chapter contains procedures for setting up the sensor, and contains the following sections:
Setup Notes and Caveats, page 4-1
Understanding Sensor Setup, page 4-2
Changing Network Settings, page 4-2
Changing the CLI Session Timeout, page 4-13
Changing Web Server Settings, page 4-14
Configuring Authentication and User Parameters, page 4-16
Configuring Time, page 4-34
Configuring SSH, page 4-44
Configuring TLS, page 4-50
Installing the License Key, page 4-56

Setup Notes and Caveats

The following notes and caveats apply to setting up the sensor:
By default SSHv1 fallback is enabled.
When updating the hostname, the CLI prompt of the current session and other existing sessions is
not updated with the new hostname immediately. Subsequent CLI login sessions reflect the new hostname in the prompt.
Telnet is not a secure access service and therefore is disabled by default on the sensor. However,
SSH is always running on the sensor and it is a secure service.
For global correlation to function, you must have either a DNS server or an HTTP proxy server
configured at all times.
DNS resolution is supported only for accessing the global correlation update server.
The default web server port is 443 if TLS is enabled and 80 if TLS is disabled.
The username command provides username and password authentication for login purposes only.
You cannot use this command to remove a user who is logged in to the system. You cannot use this command to remove yourself from the system.
You cannot use the privilege command to give a user service privileges. If you want to give an existing user service privileges, you must remove that user and then use the username command to create the service account.
Do not make modifications to the sensor through the service account except under the direction of TAC. If you use the service account to configure the sensor, your configuration is not supported by TAC. Adding services to the operating system through the service account affects proper performance and functioning of the other IPS services. TAC does not support a sensor on which additional services have been added.
You should carefully consider whether you want to create a service account. The service account provides shell access to the system, which makes the system vulnerable. However, you can use the service account to create a password if the administrator password is lost. Analyze your situation to decide if you want a service account existing on the system.
Administrators may need to disable the password recovery feature for security reasons.
We recommend that you use an NTP server to regulate time on your sensor. You can use authenticated or unauthenticated NTP. For authenticated NTP, you must obtain the NTP server IP address, NTP server key ID, and the key value from the NTP server. You can set up NTP during initialization or you can configure NTP through the CLI, IDM, IME, or ASDM.
In addition to a valid Cisco.com username and password, you must also have a Cisco Services for IPS service contract before you can apply for a license key.

Understanding Sensor Setup

Setting up the sensor involves such tasks as changing sensor initialization information, adding and deleting users, configuring time and setting up NTP, creating a service account, configuring SSH and TLS, and installing the license key. You configured most of these settings when you initialized the sensor using the setup command.
For More Information
For more information on using the setup command to initialize the sensor, see Chapter 3, “Initializing
the Sensor.”

Changing Network Settings

After you initialize your sensor, you may need to change some of the network settings that you configured when you ran the setup command. This section describes how to change network settings, and contains the following topics:
Changing the Hostname, page 4-3
Changing the IP Address, Netmask, and Gateway, page 4-4
Enabling and Disabling Telnet, page 4-5
Changing the Access List, page 4-6
Changing the FTP Timeout, page 4-8
Adding a Login Banner, page 4-9
Configuring the DNS and Proxy Servers for Global Correlation, page 4-10
Enabling SSHv1 Fallback, page 4-12

Changing the Hostname

Note The CLI prompt of the current session and other existing sessions will not be updated with the new
hostname. Subsequent CLI login sessions will reflect the new hostname in the prompt.
Use the host-name host_name command in the service host submode to change the hostname of the sensor after you have run the setup command. The default is sensor. To change the sensor hostname, follow these steps:
Step 1 Log in to the sensor using an account with administrator privileges.
Step 2 Enter network settings submode.
sensor# configure terminal
sensor(config)# service host
sensor(config-hos)# network-settings
Step 3 Change the sensor hostname.
sensor(config-hos-net)# host-name firesafe
Step 4 Verify the new hostname.
sensor(config-hos-net)# show settings network-settings
   -----------------------------------------------
      host-ip: 192.0.2.1/24,192.0.2.2 default: 192.168.1.2/24,192.168.1.1
      host-name: firesafe default: sensor
      telnet-option: enabled default: disabled
      access-list (min: 0, max: 512, current: 1)
      -----------------------------------------------
         network-address: 0.0.0.0/0
         -----------------------------------------------
      -----------------------------------------------
      ftp-timeout: 300 seconds <defaulted>
      login-banner-text: <defaulted>
   -----------------------------------------------
sensor(config-hos-net)#
Step 5 To change the hostname back to the default setting, use the default form of the command.
sensor(config-hos-net)# default host-name
Step 6 Verify the change to the default hostname sensor.
sensor(config-hos-net)# show settings network-settings
   -----------------------------------------------
      host-ip: 192.0.2.1/24,192.0.2.2 default: 192.168.1.2/24,192.168.1.1
      host-name: sensor <defaulted>
      telnet-option: enabled default: disabled
      access-list (min: 0, max: 512, current: 1)
      -----------------------------------------------
         network-address: 0.0.0.0/0
         -----------------------------------------------
      -----------------------------------------------
      ftp-timeout: 300 seconds <defaulted>
      login-banner-text: <defaulted>
   -----------------------------------------------
sensor(config-hos-net)#
Step 7 Exit network settings mode.
sensor(config-hos-net)# exit
sensor(config-hos)# exit
Apply Changes:?[yes]:
Step 8 Press Enter to apply the changes or enter no to discard them.

Changing the IP Address, Netmask, and Gateway

Use the host-ip ip_address/netmask,default_gateway command in the service host submode to change the IP address, netmask, and default gateway after you have run the setup command. The default is
192.168.1.2/24,192.168.1.1.
The host-ip is in the form of IP Address/Netmask/Gateway: X.X.X.X/nn,Y.Y.Y.Y, where X.X.X.X specifies the sensor IP address as a 32-bit address written as 4 octets separated by periods where X = 0-255, nn specifies the number of bits in the netmask, and Y.Y.Y.Y specifies the default gateway as a 32-bit address written as 4 octets separated by periods where Y = 0-255.
To change the sensor IP address, netmask, and default gateway, follow these steps:
Step 1 Log in to the sensor using an account with administrator privileges.
Step 2 Enter network settings mode.
sensor# configure terminal
sensor(config)# service host
sensor(config-hos)# network-settings
Step 3 Change the sensor IP address, netmask, and default gateway.
sensor(config-hos-net)# host-ip 192.0.2.1/24,192.0.2.2
Note The default gateway must be in the same subnet as the IP address of the sensor or the sensor
generates an error and does not accept the configuration change.
Step 4 Verify the new information.
sensor(config-hos-net)# show settings network-settings
   -----------------------------------------------
      host-ip: 192.0.2.1/24,192.0.2.2 default: 192.168.1.2/24,192.168.1.1
      host-name: sensor default: sensor
      telnet-option: enabled default: disabled
      access-list (min: 0, max: 512, current: 1)
      -----------------------------------------------
         network-address: 0.0.0.0/0
         -----------------------------------------------
      -----------------------------------------------
      ftp-timeout: 300 seconds <defaulted>
      login-banner-text: <defaulted>
   -----------------------------------------------
Step 5 To change the information back to the default setting, use the default form of the command.
sensor(config-hos-net)# default host-ip
Step 6 Verify that the host IP is now the default of 192.168.1.2/24,192.168.1.1.
sensor(config-hos-net)# show settings network-settings
   -----------------------------------------------
      host-ip: 192.168.1.2/24,192.168.1.1 <defaulted>
      host-name: sensor default: sensor
      telnet-option: enabled default: disabled
      access-list (min: 0, max: 512, current: 1)
      -----------------------------------------------
         network-address: 0.0.0.0/0
         -----------------------------------------------
      -----------------------------------------------
      ftp-timeout: 300 seconds <defaulted>
      login-banner-text: <defaulted>
   -----------------------------------------------
sensor(config-hos-net)#
Step 7 Exit network settings mode.
sensor(config-hos-net)# exit
sensor(config-hos)# exit
Apply Changes:?[yes]:
Step 8 Press Enter to apply the changes or enter no to discard them.

Enabling and Disabling Telnet

Caution Telnet is not a secure access service and therefore is disabled by default. However, SSH is always
running on the sensor and it is a secure service.
Use the telnet-option {enabled | disabled} command in the service host submode to enable Telnet for remote access to the sensor. The default is disabled. To enable or disable Telnet services, follow these steps:
Step 1 Log in to the sensor using an account with administrator privileges.
Step 2 Enter network settings mode.
sensor# configure terminal
sensor(config)# service host
sensor(config-hos)# network-settings
Step 3 Enable Telnet services.
sensor(config-hos-net)# telnet-option enabled
sensor(config-hos-net)#
Step 4 Verify that Telnet is enabled.
sensor(config-hos-net)# show settings network-settings
   -----------------------------------------------
      host-ip: 192.0.2.1/24,192.0.2.2 default: 192.168.1.2/24,192.168.1.1
      host-name: sensor default: sensor
      telnet-option: enabled default: disabled
      access-list (min: 0, max: 512, current: 1)
      -----------------------------------------------
         network-address: 0.0.0.0/0
         -----------------------------------------------
      -----------------------------------------------
      ftp-timeout: 300 seconds <defaulted>
      login-banner-text: <defaulted>
   -----------------------------------------------
sensor(config-hos-net)#
Step 5 Exit network settings mode.
sensor(config-hos-net)# exit
sensor(config-hos)# exit
Apply Changes:?[yes]:
Step 6 Press Enter to apply the changes or enter no to discard them.
Note To Telnet to the sensor, you must enable Telnet and configure the access list to allow the Telnet clients
to connect.
For More Information
For the procedure for configuring the access list, see Changing the Access List, page 4-6.

Changing the Access List

Use the access-list ip_address/netmask command in the service host submode to configure the access list, the list of hosts or networks that you want to have access to your sensor. Use the no form of the command to remove an entry from the list. The default access list is empty.
The following hosts must have an entry in the access list:
Hosts that need to Telnet to your sensor.
Hosts that need to use SSH with your sensor.
Hosts, such as the IDM and the IME, that need to access your sensor from a web browser.
Management stations, such as the CSM, that need access to your sensor.
If your sensor is a master blocking sensor, the IP addresses of the blocking forwarding sensors must
have an entry in the list.
To modify the access list, follow these steps:
Step 1 Log in to the sensor using an account with administrator privileges.
Step 2 Enter network settings mode.
sensor# configure terminal
sensor(config)# service host
sensor(config-hos)# network-settings
Step 3 Add an entry to the access list. The netmask for a single host is 32.
sensor(config-hos-net)# access-list 192.0.2.110/32
Step 4 Verify the change you made to the access-list.
sensor(config-hos-net)# show settings network-settings
   -----------------------------------------------
      host-ip: 192.168.1.2/24,192.168.1.1 <defaulted>
      host-name: sensor <defaulted>
      telnet-option: enabled default: disabled
      access-list (min: 0, max: 512, current: 2)
      -----------------------------------------------
         network-address: 10.1.9.0/24
         -----------------------------------------------
         network-address: 192.0.2.110/32
         -----------------------------------------------
      -----------------------------------------------
      ftp-timeout: 300 seconds <defaulted>
      login-banner-text: <defaulted>
   -----------------------------------------------
Step 5 Remove the entry from the access list.
sensor(config-hos-net)# no access-list 192.0.2.110/32
Step 6 Verify that the host is no longer in the list.
sensor(config-hos-net)# show settings network-settings
   -----------------------------------------------
      host-ip: 192.168.1.2/24,192.168.1.1 <defaulted>
      host-name: sensor <defaulted>
      telnet-option: enabled default: disabled
      access-list (min: 0, max: 512, current: 1)
      -----------------------------------------------
         network-address: 10.1.9.0/24
         -----------------------------------------------
      -----------------------------------------------
      ftp-timeout: 300 seconds <defaulted>
      login-banner-text: <defaulted>
   -----------------------------------------------
sensor(config-hos-net)#
Step 7 Change the value back to the default.
sensor(config-hos-net)# default access-list
Step 8 Verify the value has been set back to the default.
sensor(config-hos-net)# show settings network-settings
   -----------------------------------------------
      host-ip: 192.168.1.2/24,192.168.1.1 <defaulted>
      host-name: sensor <defaulted>
      telnet-option: enabled default: disabled
      access-list (min: 0, max: 512, current: 0)
      -----------------------------------------------
      -----------------------------------------------
      ftp-timeout: 300 seconds <defaulted>
      login-banner-text: <defaulted>
   -----------------------------------------------
sensor(config-hos-net)#
Step 9 Exit network settings mode.
sensor(config-hos-net)# exit
sensor(config-hos)# exit
Apply Changes:?[yes]:
Step 10 Press Enter to apply the changes or enter no to discard them.
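The host-ip format and the same-subnet gateway rule described under Changing the IP Address, Netmask, and Gateway, together with the access-list requirements in this section, can both be checked against the output of show settings network-settings before changes are applied. The following Python is an added example, not code from the Cisco guide: the sample output and the management host addresses are constructed for illustration, and the parser assumes the key: value layout shown in this chapter.

```python
"""Audit a sensor's network settings from `show settings network-settings`.

Added example, not from the Cisco IPS guide. It parses the setting lines the
guide shows (host-ip, host-name, telnet-option, access-list entries,
ftp-timeout), checks that the default gateway lies inside the sensor's own
subnet (the condition the sensor enforces on host-ip), and checks that each
management host that needs Telnet, SSH or HTTPS access is covered by an
access-list entry.
"""
import ipaddress
import re

# Constructed sample, laid out like the show settings output in the guide.
SAMPLE_OUTPUT = """\
   -----------------------------------------------
      host-ip: 192.0.2.1/24,192.0.2.2 default: 192.168.1.2/24,192.168.1.1
      host-name: firesafe default: sensor
      telnet-option: enabled default: disabled
      access-list (min: 0, max: 512, current: 2)
      -----------------------------------------------
         network-address: 10.1.9.0/24
         -----------------------------------------------
         network-address: 192.0.2.110/32
         -----------------------------------------------
      -----------------------------------------------
      ftp-timeout: 300 seconds <defaulted>
      login-banner-text: <defaulted>
   -----------------------------------------------
"""

# Constructed: hosts that must reach the sensor over Telnet, SSH or HTTPS.
MANAGEMENT_HOSTS = ["10.1.9.77", "203.0.113.5"]


def parse_host_ip(value):
    """Split 'X.X.X.X/nn,Y.Y.Y.Y' into the sensor interface and its gateway."""
    addr_mask, _, gateway = value.partition(",")
    if not gateway:
        raise ValueError("host-ip must be ip/netmask,gateway: %r" % value)
    return ipaddress.ip_interface(addr_mask), ipaddress.ip_address(gateway)


def parse_network_settings(text):
    """Return the current (non-default) values from the show settings output.

    Lines look like 'key: value default: x' or 'key: value <defaulted>';
    the current value is everything before the default marker.
    """
    settings = {"access-list": []}
    for line in text.splitlines():
        m = re.match(r"^([a-z-]+):\s+(.*)$", line.strip())
        if not m:
            continue  # separator rows and the 'access-list (min: ...)' header
        key, rest = m.groups()
        current = re.split(r"\s*default:|\s*<defaulted>", rest, maxsplit=1)[0].strip()
        if key == "network-address":
            settings["access-list"].append(ipaddress.ip_network(current, strict=False))
        elif key == "host-ip":
            settings["host-ip"] = parse_host_ip(current)
        elif key == "ftp-timeout":
            settings["ftp-timeout"] = int(current.split()[0])  # "300 seconds"
        else:
            settings[key] = current
    return settings


def gateway_in_subnet(settings):
    """The sensor rejects a gateway outside its own subnet; check it up front."""
    iface, gateway = settings["host-ip"]
    return gateway in iface.network


def permitted(settings, host):
    """True if some access-list entry covers the host (a /32 entry is one host)."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in settings["access-list"])


def audit(text, management_hosts):
    """Collect the findings an operator would want to act on before applying."""
    s = parse_network_settings(text)
    findings = []
    if not gateway_in_subnet(s):
        findings.append("default gateway is not in the sensor's subnet")
    if s.get("telnet-option") == "enabled":
        findings.append("telnet-option is enabled; SSH is always available")
    for host in management_hosts:
        if not permitted(s, host):
            findings.append("no access-list entry covers management host %s" % host)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_OUTPUT, MANAGEMENT_HOSTS):
        print("-", finding)
```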

Changing the FTP Timeout

Note You can use the FTP client for downloading updates and configuration files from your FTP server.
Use the ftp-timeout command in the service host submode to change the number of seconds that the FTP client waits before timing out when the sensor is communicating with an FTP server. The default is 300 seconds. To change the FTP timeout, follow these steps:
Step 1 Log in to the sensor using an account with administrator privileges.
Step 2 Enter network settings mode.
sensor# configure terminal
sensor(config)# service host
sensor(config-hos)# network-settings
Step 3 Change the number of seconds of the FTP timeout.
sensor(config-hos-net)# ftp-timeout 500
Step 4 Verify the FTP timeout change.
sensor(config-hos-net)# show settings network-settings
   -----------------------------------------------
      host-ip: 192.0.2.1/24,192.0.2.2 default: 192.168.1.2/24,192.168.1.1
      host-name: sensor default: sensor
      telnet-option: enabled default: disabled
      access-list (min: 0, max: 512, current: 1)
      -----------------------------------------------
         network-address: 0.0.0.0/0
         -----------------------------------------------
      -----------------------------------------------
      ftp-timeout: 500 seconds default: 300
      login-banner-text: <defaulted>
   -----------------------------------------------
sensor(config-hos-net)#
Step 5 Change the value back to the default.
sensor(config-hos-net)# default ftp-timeout
Step 6 Verify the value has been set back to the default.
sensor(config-hos-net)# show settings
   network-settings
   -----------------------------------------------
      host-ip: 192.0.2.1/24,192.0.2.2 default: 192.168.1.2/24,192.168.1.1
      host-name: sensor default: sensor
      telnet-option: enabled default: disabled
      access-list (min: 0, max: 512, current: 1)
      -----------------------------------------------
         network-address: 0.0.0.0/0
      -----------------------------------------------
      ftp-timeout: 300 seconds <defaulted>
      login-banner-text: <defaulted>
   -----------------------------------------------
sensor(config-hos-net)#
Step 7 Exit network settings mode.
sensor(config-hos-net)# exit
sensor(config-hos)# exit
Apply Changes:?[yes]:
Step 8 Press Enter to apply the changes or enter no to discard them.

Adding a Login Banner

Use the login-banner-text text_message command to add a login banner that the user sees during login. There is no default. When you want to start a new line in your message, press Ctrl-V Enter.
To add a login banner, follow these steps:
Step 1 Log in to the sensor using an account with administrator privileges.
Step 2 Enter network settings mode.
sensor# configure terminal
sensor(config)# service host
sensor(config-hos)# network-settings
Step 3 Add the banner login text.
sensor(config-hos-net)# login-banner-text This is the banner login text message.
Step 4 Verify the banner login text message.
sensor(config-hos-net)# show settings
   network-settings
   -----------------------------------------------
      host-ip: 192.0.2.1/24,192.0.2.2 default: 192.168.1.2/24,192.168.1.1
      host-name: sensor default: sensor
      telnet-option: enabled default: disabled
      access-list (min: 0, max: 512, current: 1)
      -----------------------------------------------
         network-address: 0.0.0.0/0
      -----------------------------------------------
      ftp-timeout: 300 seconds <defaulted>
      login-banner-text: This is the banner login text message. default:
   -----------------------------------------------
sensor(config-hos-net)#
Step 5 To remove the login banner text, use the no form of the command.
sensor(config-hos-net)# no login-banner-text
Step 6 Verify the login text has been removed.
sensor(config-hos-net)# show settings
   network-settings
   -----------------------------------------------
      host-ip: 192.0.2.1/24,192.0.2.2 default: 192.168.1.2/24,192.168.1.1
      host-name: sensor default: sensor
      telnet-option: enabled default: disabled
      access-list (min: 0, max: 512, current: 1)
      -----------------------------------------------
         network-address: 0.0.0.0/0
      -----------------------------------------------
      ftp-timeout: 300 seconds <defaulted>
      login-banner-text: default:
   -----------------------------------------------
sensor(config-hos-net)#
Step 7 Exit network settings mode.
sensor(config-hos-net)# exit
sensor(config-hos)# exit
Apply Changes:?[yes]:
Step 8 Press Enter to apply the changes or enter no to discard them.

Configuring the DNS and Proxy Servers for Global Correlation

Use the http-proxy, dns-primary-server, dns-secondary-server, and dns-tertiary-server commands in network-settings submode to configure servers to support the global correlation features.
You must configure either an HTTP proxy server or a DNS server to support global correlation. You may need a proxy server to download global correlation updates if your network uses a proxy. If you are using a DNS server, you must configure at least one DNS server and it must be reachable for global correlation updates to succeed. You can configure other DNS servers as backup servers. DNS queries are sent to the first server in the list. If it is unreachable, DNS queries are sent to the next configured DNS server.
Caution For global correlation to function, you must have either a DNS server or an HTTP proxy server configured at all times.
Caution DNS resolution is supported only for accessing the global correlation update server.
The following options apply:
http-proxy {no-proxy | proxy-server}—Configures the HTTP proxy server:
address ip_address —Specifies the IP address of the HTTP proxy server.
port port_number —Specifies the port number of the HTTP proxy server.
dns-primary-server {enabled | disabled}—Enables a DNS primary server:
address ip_address —Specifies the IP address of the DNS primary server.
dns-secondary-server {enabled | disabled}—Enables a DNS secondary server:
address ip_address —Specifies the IP address of the DNS secondary server.
dns-tertiary-server {enabled | disabled}—Enables the DNS tertiary server:
address ip_address —Specifies the IP address of the DNS tertiary server.
Configuring DNS and Proxy Servers for Global Correlation
To configure DNS and proxy servers to support global correlation, follow these steps:
Step 1 Log in to the sensor using an account with administrator privileges.
Step 2 Enter network settings submode.
sensor# configure terminal
sensor(config)# service host
sensor(config-hos)# network-settings
Step 3 Enable a proxy or DNS server to support global correlation:
a. Enable a proxy server.
sensor(config-hos-net)# http-proxy proxy-server
sensor(config-hos-net-pro)# address 10.10.10.1
sensor(config-hos-net-pro)# port 65
sensor(config-hos-net-pro)#
b. Enable a DNS server.
sensor(config-hos-net)# dns-primary-server enabled
sensor(config-hos-net-ena)# address 10.10.10.1
sensor(config-hos-net-ena)#
Step 4 Verify the settings.
sensor(config-hos-net)# show settings
   network-settings
   -----------------------------------------------
      host-ip: 10.89.147.24/25,10.89.147.126 default: 192.168.1.2/24,192.168.1.1
      host-name: sensor <defaulted>
      telnet-option: enabled default: disabled
      access-list (min: 0, max: 512, current: 1)
      -----------------------------------------------
         network-address: 0.0.0.0/0
      -----------------------------------------------
      ftp-timeout: 300 seconds <defaulted>
      login-banner-text: <defaulted>
      dns-primary-server
      -----------------------------------------------
         enabled
         -----------------------------------------------
            address: 10.10.10.1
         -----------------------------------------------
      -----------------------------------------------
      dns-secondary-server
      -----------------------------------------------
         disabled
         -----------------------------------------------
         -----------------------------------------------
      -----------------------------------------------
      dns-tertiary-server
      -----------------------------------------------
         disabled
         -----------------------------------------------
         -----------------------------------------------
      -----------------------------------------------
      http-proxy
      -----------------------------------------------
         proxy-server
         -----------------------------------------------
            address: 10.10.10.1
            port: 65
         -----------------------------------------------
      -----------------------------------------------
   -----------------------------------------------
sensor(config-hos-net)#
Step 5 Exit network settings mode.
sensor(config-hos-net)# exit
sensor(config-hos)# exit
Apply Changes:?[yes]:
Step 6 Press Enter to apply the changes or enter no to discard them.
For More Information
For more information on global correlation features, see Chapter 10, “Configuring Global Correlation.”

Enabling SSHv1 Fallback

Note The IPS supports a management connection through both SSHv1 and SSHv2 (SSHv2 is supported in IPS 7.1(8)E4). In 7.1(8)E4 and later, support for both SSHv1 and SSHv2 is enabled by default.
Use the sshv1-fallback {enabled | disabled} command in the service host submode to enable or disable falling back to SSH protocol version 1. Fallback to SSHv1 is provided in case the peer client or server does not support SSHv2.
To enable or disable SSHv1 fallback, follow these steps:
Step 1 Log in to the sensor using an account with administrator privileges.
Step 2 Enter network settings mode.
sensor# configure terminal
sensor(config)# service host
sensor(config-hos)# network-settings
Step 3 Enable SSHv1 fallback.
sensor(config-hos-net)# sshv1-fallback enabled
sensor(config-hos-net)#
Step 4 Verify that SSHv1 fallback is enabled.
sensor(config-hos-net)# show settings
   network-settings
   -----------------------------------------------
      host-ip: 10.106.164.52/24,10.106.164.1 default: 192.168.1.2/24,192.168.1.1
      host-name: p32-ips4240-52 default: sensor
      telnet-option: enabled default: disabled
      sshv1-fallback: enabled default: enabled
      access-list (min: 0, max: 512, current: 1)
      -----------------------------------------------
         network-address: 0.0.0.0/0
      -----------------------------------------------
      ftp-timeout: 300 seconds <defaulted>
      login-banner-text: mmmm default:
sensor(config-hos-net)#
Step 5 Exit network settings mode.
sensor(config-hos-net)# exit
sensor(config-hos)# exit
Apply Changes:?[yes]:
Step 6 Press Enter to apply the changes or enter no to discard them.
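As an added example (not from the Cisco guide), the following Python parses the identification string an SSH server sends first and reports whether it announces protocol 1 compatibility: RFC 4253 has a server that also accepts SSH-1 clients identify itself as SSH-1.99, while a server without that compatibility announces SSH-2.0. The banners are constructed sample input, and pairing sshv1-fallback enabled with a 1.99 announcement is an assumption about the sensor, not something the guide states.

```python
"""Classify an SSH server identification string for protocol-1 compatibility.

Added example for this section; not part of the Cisco guide or the IPS software.
RFC 4253 section 4.2: the server sends "SSH-protoversion-softwareversion[ SP comments] CR LF",
possibly preceded by other lines that do not start with "SSH-".
RFC 4253 section 5.1: a server that also supports protocol 1.x announces protoversion 1.99.
Assumption: a sensor with sshv1-fallback enabled announces 1.99; with it disabled, 2.0.
"""
import re
from typing import NamedTuple

IDENT_RE = re.compile(rb"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$")


class SshIdent(NamedTuple):
    protoversion: str
    software: str
    comments: str
    accepts_v1: bool   # True if an SSH-1 client could still negotiate with this server


def parse_ident(stream: bytes) -> SshIdent:
    """Parse the identification string out of the first bytes a server sends.

    Lines before the identification string (RFC 4253 allows them) are skipped.
    Raises ValueError when no well-formed identification string is present.
    """
    for line in stream.splitlines():      # handles CR LF and bare LF
        if not line.startswith(b"SSH-"):
            continue
        m = IDENT_RE.match(line)
        if not m:
            raise ValueError(f"malformed identification string: {line!r}")
        proto = m["proto"].decode("ascii")
        # 1.99 = compatibility mode (protocol 1 and 2); a plain 1.x server is protocol-1 only.
        accepts_v1 = proto.startswith("1.")
        return SshIdent(
            proto,
            m["software"].decode("ascii", "replace"),
            (m["comments"] or b"").decode("ascii", "replace"),
            accepts_v1,
        )
    raise ValueError("no SSH identification string found")


def fallback_matches_config(stream: bytes, sshv1_fallback_enabled: bool) -> bool:
    """Configuration-drift check: does the announced version agree with the
    sshv1-fallback setting (1.99 expected when enabled, 2.0 when disabled)?"""
    expected = "1.99" if sshv1_fallback_enabled else "2.0"
    return parse_ident(stream).protoversion == expected


if __name__ == "__main__":
    # Constructed sample banners, not captures from a sensor.
    for banner in (b"SSH-1.99-OpenSSH_5.3\r\n",
                   b"Authorized access only\r\nSSH-2.0-OpenSSH_5.3 hardened\r\n"):
        ident = parse_ident(banner)
        print(ident.protoversion, ident.software, "accepts SSH-1" if ident.accepts_v1 else "SSH-2 only")
```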

Changing the CLI Session Timeout

Use the cli-inactivity-timeout command in the service authentication submode to change the number of seconds that the CLI waits before timing out an idle session. Setting the CLI session timeout increases the security of a CLI session. The default is 0 seconds, which means the timeout is unlimited and the session never times out. The valid range is 0 to 100,000 minutes. This command is supported in IPS 7.1(3)E4 and later.
To change the CLI session timeout, follow these steps:
Step 1 Log in to the sensor using an account with administrator privileges.
Step 2 Enter authentication mode.
sensor# configure terminal
sensor(config)# service authentication
Step 3 Change the number of seconds of the CLI session timeout.
sensor(config-aut)# cli-inactivity-timeout 5000
Step 4 Verify the CLI session timeout change.
sensor(config-aut)# show settings
   attemptLimit: 0 <defaulted>
   password-strength
   -----------------------------------------------
      size: 8-64 <defaulted>
      digits-min: 0 <defaulted>
      uppercase-min: 0 <defaulted>
      lowercase-min: 0 <defaulted>
      other-min: 0 <defaulted>
      number-old-passwords: 0 <defaulted>
   -----------------------------------------------
   permit-packet-logging: true <defaulted>
   cli-inactivity-timeout: 5000 default: 0
sensor(config-aut)#
Step 5 Change the value back to the default.
sensor(config-aut)# default cli-inactivity-timeout
Step 6 Verify the value has been set back to the default.
sensor(config-aut)# show settings
   attemptLimit: 0 <defaulted>
   password-strength
   -----------------------------------------------
      size: 8-64 <defaulted>
      digits-min: 0 <defaulted>
      uppercase-min: 0 <defaulted>
      lowercase-min: 0 <defaulted>
      other-min: 0 <defaulted>
      number-old-passwords: 0 <defaulted>
   -----------------------------------------------
   permit-packet-logging: true <defaulted>
   cli-inactivity-timeout: 0 <defaulted>
sensor(config-aut)#
Step 7 Exit authentication mode.
sensor(config-aut)# exit
Apply Changes:?[yes]:

Changing Web Server Settings

Note The default web server port is 443 if TLS is enabled and 80 if TLS is disabled.
After you run the setup command, you can change the following web server settings: the web server port, whether TLS encryption is being used, and the HTTP server header message.
HTTP is the protocol that web clients use to make requests from web servers. The HTTP specification requires a server to identify itself in each response. Attackers sometimes exploit this protocol feature to perform reconnaissance. If the IPS web server identified itself by providing a predictable response, an attacker might learn that an IPS sensor is present.
We recommend that you not reveal to attackers that you have an IPS sensor. Change the server-id to anything that does not reveal any information, especially if your web server is available to the Internet. For example, if you forward a port through a firewall so you can monitor a sensor remotely, you need to set the server-id.
To change the web server settings, follow these steps:
Step 1 Log in to the sensor using an account with administrator privileges.
Step 2 Enter web server mode.
sensor# configure terminal
sensor(config)# service web-server
Step 3 Change the port number.
sensor(config-web)# port 8080
If you change the port number from the default of 443 to 8080, you receive this message:
Warning: The web server’s listening port number has changed from 443 to 8080. This change will not take effect until the web server is re-started
Step 4 Enable or disable TLS.
sensor(config-web)# enable-tls {true | false}
If you disable TLS, you receive this message:
Warning: TLS protocol support has been disabled. This change will not take effect until the web server is re-started.
Step 5 Change the HTTP server header.
sensor(config-web)# server-id Nothing to see here. Move along.
Step 6 Verify the web server changes.
sensor(config-web)# show settings
   enable-tls: true default: true
   port: 8001 default: 443
   server-id: Nothing to see here. Move along. default: HTTP/1.1 compliant
sensor(config-web)#
Step 7 To revert to the defaults, use the default form of the commands.
sensor(config-web)# default port
sensor(config-web)# default enable-tls
sensor(config-web)# default server-id
Step 8 Verify the defaults have been replaced.
sensor(config-web)# show settings
   enable-tls: true <defaulted>
   port: 443 <defaulted>
   server-id: HTTP/1.1 compliant <defaulted>
   configurable-service (min: 0, max: 99, current: 1)
   -----------------------------------------------
      <protected entry>
      service-name: rdep-event-server
      -----------------------------------------------
         enabled: true default: false
         file-name: event-server <protected>
      -----------------------------------------------
   -----------------------------------------------
sensor(config-web)#
Step 9 Exit web server submode.
sensor(config-web)# exit
Apply Changes:?[yes]:
Step 10 Press Enter to apply the changes or enter no to discard them.
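An added example (not from the Cisco guide) of checking a sensor's HTTP response for the fingerprint the text warns about: it parses the response headers and flags a Server header that still carries the default server-id shown above, HTTP/1.1 compliant, which every sensor left at the default announces. The responses are constructed sample input.

```python
"""Flag an HTTP response whose Server header still carries the IPS default server-id.

Added example for this section; not code from the Cisco guide or the IPS software.
The default value "HTTP/1.1 compliant" is taken from the guide's show settings output.
Because every sensor left at the default sends the same string, the header is as
recognizable as a product name, which is why the guide tells you to change server-id.
"""
from typing import Dict

IPS_DEFAULT_SERVER_ID = "HTTP/1.1 compliant"   # default server-id per the guide


def parse_response_headers(raw: bytes) -> Dict[str, str]:
    """Return lower-cased header name -> value for a raw HTTP/1.x response.

    Folded continuation lines (obs-fold) are joined onto the previous header, repeated
    headers are joined with ", " so a second Server header is not silently dropped, and
    anything after the blank line (the body) is ignored.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status_line, header_lines = lines[0], lines[1:]
    if not status_line.startswith("HTTP/"):
        raise ValueError(f"not an HTTP response: {status_line!r}")
    headers: Dict[str, str] = {}
    last = None
    for line in header_lines:
        if not line:
            continue
        if line[:1] in (" ", "\t") and last:          # continuation of the previous header
            headers[last] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        last = name.strip().lower()
        value = value.strip()
        headers[last] = f"{headers[last]}, {value}" if last in headers else value
    return headers


def assess_server_header(raw: bytes) -> str:
    """Classify the Server header of a response.

    'absent'      - no Server header at all
    'ips-default' - the guide's default server-id, i.e. the sensor is still recognizable
    'custom'      - an operator-chosen value (what the guide recommends)
    """
    server = parse_response_headers(raw).get("server")
    if server is None:
        return "absent"
    if server.strip() == IPS_DEFAULT_SERVER_ID:
        return "ips-default"
    return "custom"


if __name__ == "__main__":
    # Constructed sample responses, not captures from a sensor.
    samples = {
        "default":  b"HTTP/1.1 200 OK\r\nServer: HTTP/1.1 compliant\r\nContent-Length: 0\r\n\r\n",
        "changed":  b"HTTP/1.1 200 OK\r\nServer: Nothing to see here. Move along.\r\n\r\nbody",
    }
    for label, resp in samples.items():
        print(label, "->", assess_server_header(resp))
```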
Note If you change the port or enable TLS settings, you must reset the sensor to make the web server use the new settings.
For More Information
For the procedure for resetting the appliance, see Resetting the Appliance, page 17-47.
For the procedure for resetting the ASA 5500 AIP SSM, see Reloading, Shutting Down, Resetting, and Recovering the ASA 5500 AIP SSM, page 18-15.
For the procedure for resetting the ASA 5500-X IPS SSP, see Reloading, Shutting Down, Resetting, and Recovering the ASA 5500-X IPS SSP, page 19-12.
For the procedure for resetting the ASA 5585-X IPS SSP, see Reloading, Shutting Down, Resetting, and Recovering the ASA 5585-X IPS SSP, page 20-12.
Configuring Authentication and User Parameters
The following section explains how to create users, configure RADIUS authentication, create the service account, configure passwords, specify privilege level, view a list of users, configure password policy, and lock and unlock user accounts. It contains the following topics:
Adding and Removing Users, page 4-16
Configuring Authentication, page 4-18
Configuring Packet Command Restriction, page 4-24
Creating the Service Account, page 4-26
The Service Account and RADIUS Authentication, page 4-27
RADIUS Authentication Functionality and Limitations, page 4-28
Configuring Passwords, page 4-28
Changing User Privilege Levels, page 4-29
Showing User Status, page 4-30
Configuring the Password Policy, page 4-30
Locking User Accounts, page 4-32
Unlocking User Accounts, page 4-33

Adding and Removing Users

Use the username command to create users on the local system. You can add a new user, set the privilege level—administrator, operator, viewer—and set the password for the new user. Use the no form of this command to remove a user from the system. This removes the user from CLI and web access.
Caution The username command provides username and password authentication for login purposes only. You cannot use this command to remove a user who is logged in to the system. You cannot use this command to remove yourself from the system.
If you do not specify a password, the system prompts you for one. Use the password command to change the password for existing users. Use the privilege command to change the privilege for existing users.
The username follows the pattern ^[A-Za-z0-9()+:,_/-]+$, which means the username must start with a letter or number, and can include any letter A to Z (capital or small), any number 0 to 9, - and _, and can contain 1 to 64 characters. A valid password is 8 to 32 characters long. All characters except space are allowed.
You receive the following error messages if you do not create a valid password:
Error: setEnableAuthenticationTokenStatus : The password is too short.
Error: setEnableAuthenticationTokenStatus : Failure setting the account’s password: it does not contain enough DIFFERENT characters
Note You cannot use the privilege command to give a user service privileges. If you want to give an existing user service privileges, you must remove that user and then use the username command to create the service account.
To add and remove users, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter configuration mode.
sensor# configure terminal
Step 3 Specify the parameters for the user.
sensor(config)# username username password password privilege administrator/operator/viewer
For example, to add the user “tester” with a privilege level of administrator and the password “testpassword,” enter the following command:
Note If you do not want to see the password in clear text, wait for the password prompt. Do not enter the password along with the username and privilege.
sensor(config)# username tester privilege administrator
Enter Login Password: ************
Re-enter Login Password: ************
sensor(config)#
Note If you do not specify a privilege level for the user, the user is assigned the default viewer privilege.
Step 4 Verify that the user has been added. A list of users is displayed.
sensor(config)# exit
sensor# show users all
    CLI ID   User       Privilege
*   13491    cisco      administrator
             jsmith     operator
             jtaylor    service
             jroberts   viewer
sensor#
Step 5 To remove a user, use the no form of the command.
sensor# configure terminal
sensor(config)# no username jsmith
Note You cannot use this command to remove yourself from the system.
Step 6 Verify that the user has been removed. The user jsmith has been removed.
sensor(config)# exit
sensor# show users all
    CLI ID   User       Privilege
*   13491    cisco      administrator
             jtaylor    service
             jroberts   viewer
sensor#
For More Information
For the procedure for creating the service account, see Creating the Service Account, page 4-26.
For the procedure for configuring local or RADIUS authentication, see Configuring Authentication, page 4-18.

Configuring Authentication

Caution Make sure you have a RADIUS server already configured before you configure RADIUS authentication on the sensor. IPS has been tested with CiscoSecure ACS 4.2 and 5.1 servers. Refer to your RADIUS server documentation for information on how to set up a RADIUS server.
You can create and remove users from the local sensor. You can only modify one user account at a time. Each user is associated with a role that controls what that user can and cannot modify. The requirements that must be used for user passwords are set with the password command.
Users are authenticated through AAA either locally or through RADIUS servers. Local authentication is enabled by default. You must configure RADIUS authentication before it is active.
You must specify the user role that is authenticated through RADIUS either by configuring the user role on the RADIUS server or specifying a default user role. The username and password are sent in an authentication request to the configured RADIUS server. The response of the server determines whether the login is authenticated.
Note If the sensor is not configured to use a default user role and the sensor user role information is not in the Accept Message of the CiscoSecure ACS server, the sensor rejects RADIUS authentication even if the CiscoSecure ACS server accepts the username and password.
You can configure a primary RADIUS server and a secondary RADIUS server. The secondary RADIUS server authenticates and authorizes users if the primary RADIUS server is unresponsive.
You can also configure the sensor to use local authentication (local fallback) if no RADIUS servers are responding. In this case, the sensor authenticates against the locally configured user accounts. The sensor will only use local authentication if the RADIUS servers are not available, not if the RADIUS server rejects the authentication requests of the user. You can also configure how users connected through the console port are authenticated—through local user accounts, through RADIUS first and if that fails through local user accounts, or through RADIUS alone.
To configure a RADIUS server, you must have the IP address, port, and shared secret of the RADIUS server. You must also either have the NAS-ID of the RADIUS server, or have the RADIUS server configured to authenticate clients without a NAS-ID or with the default IPS NAS-ID of cisco-ips.
Note Enabling RADIUS authentication on the sensor does not disconnect already established connections.
RADIUS authentication is only enforced for new connections to the sensor. Existing CLI, IDM, and IME connections remain established with the login credentials used prior to configuring RADIUS authentication. To force disconnection of these established connections, you must reset the sensor after RADIUS is configured.
RADIUS Authentication Options
Use the aaa command in service aaa submode to configure either local authentication or authentication using a RADIUS server. The following options apply:
local—Lets you specify local authentication. To continue to create users, use the password command.
radius—Lets you specify RADIUS as the method of authentication:
nas-id—Identifies the service requesting authentication. The value can be no nas-id, cisco-ips, or a NAS-ID already configured on the RADIUS server. The default is cisco-ips.
default-user-role—Lets you assign a default user role on the sensor that is only applied when there is NOT a Cisco av pair specifying the user role. The value can be unspecified, viewer, operator, or administrator. Service cannot be the default user role. The default is unspecified.
If you do not want to configure a default user role on the sensor that is applied in the absence of a Cisco av pair, you need to configure the Cisco IOS/PIX 6.x RADIUS Attributes [009\001] cisco-av-pair under the group or user profile with one of the following options:
ips-role=viewer, ips-role=operator, ips-role=administrator, ips-role=service, or ips-role=unspecified. The default is ips-role=unspecified.
Note If the sensor is not configured to use a default user role and the sensor user role information is not in the Accept Message of the CiscoSecure ACS server, the sensor rejects RADIUS authentication even if the CiscoSecure ACS server accepts the username and password.
Note The default user role is used only when the user has not been configured with a specific role on the ACS server. Local users are always configured with a specific role so the default user role will never apply to locally authenticated users.
Caution Do not add multiple Cisco av-pairs with the same key. You should have only one instance of ips-role=value. Make sure the key and the value are correct or the feature may not work as expected. For example, do not use the following configuration:
ips-role= administer
ips-role=ad
local-fallback {enabled | disabled}—Lets you default to local authentication if the RADIUS servers are not responding. The default is enabled.
primary-server—Lets you configure the main RADIUS server:
server-address—IP address of the RADIUS server.
server-port—Port of the RADIUS server. If not specified, the default RADIUS port is used.
timeout (seconds)—Specifies the number of seconds the sensor waits for a response from a RADIUS server before it considers the server to be unresponsive.
shared-secret—The secret value configured on the RADIUS server. You must obtain the secret value of the RADIUS server to enter with the shared-secret command.
Note You must have the same secret value configured on both the RADIUS server and the IPS sensor so that the server can authenticate the requests of the client and the client can authenticate the responses of the server.
secondary-server {enabled | disabled}—(Optional) Lets you configure a secondary RADIUS server:
server-address—IP address of the RADIUS server.
server-port—Port of the RADIUS server. If not specified, the default RADIUS port is used.
timeout (seconds)—Specifies the number of seconds the sensor waits for a response from a RADIUS server before it considers the server to be unresponsive.
shared-secret—The secret value configured on the RADIUS server. You must obtain the secret value of the RADIUS server to enter with the shared-secret command.
Note You must have the same secret value configured on both the RADIUS server and the IPS sensor so that the server can authenticate the requests of the client and the client can authenticate the responses of the server.
console-authentication—Lets you choose how users connected through the console port are authenticated:
local—Users connected through the console port are authenticated through local user accounts.
radius-and-local—Users connected through the console port are authenticated through RADIUS first. If RADIUS fails, local authentication is attempted. This is the default.
radius—Users connected through the console port are authenticated by RADIUS. If you also have local-fallback enabled, users can also be authenticated through the local user accounts.
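An added example (not code from the Cisco guide or the IPS) that models the authorization rules above as decision functions: the role comes from the ips-role av-pair, default-user-role applies only when no pair is present, the login is rejected when that default is unspecified, and local fallback applies only when the RADIUS servers are unresponsive, never on a reject. The av-pair lists and server outcomes are constructed input, and treating "If RADIUS fails" for radius-and-local console logins as covering both a reject and no response is my reading, not the guide's wording.

```python
"""Model of the sensor's RADIUS role and fallback rules described in this section.

Added example; not code from the Cisco guide or the IPS software. Values that the guide
states: the av-pair key is ips-role, valid roles are viewer/operator/administrator/service
(or unspecified), default-user-role may not be service, local-fallback applies only when
servers do not respond. Assumption: for console radius-and-local, "RADIUS fails" is taken
to mean either a reject or no response.
"""
from typing import Optional, Sequence

ROLES = ("viewer", "operator", "administrator", "service")
DEFAULT_ROLE_CHOICES = ("unspecified", "viewer", "operator", "administrator")  # no service


def role_from_av_pairs(av_pairs: Sequence[str]) -> Optional[str]:
    """Return the ips-role carried in the cisco-av-pair attributes, or None if absent.

    Raises ValueError for more than one ips-role pair or for a malformed or unknown
    value (the guide's "ips-role= administer" / "ips-role=ad" example fails here).
    """
    found = []
    for pair in av_pairs:
        key, sep, value = pair.partition("=")
        if not sep or key.strip() != "ips-role":
            continue                       # unrelated av-pair, e.g. shell:priv-lvl=15
        if value != value.strip() or value not in ROLES + ("unspecified",):
            raise ValueError(f"malformed ips-role av-pair: {pair!r}")
        found.append(value)
    if len(found) > 1:
        raise ValueError(f"multiple ips-role av-pairs: {found}")
    if not found or found[0] == "unspecified":
        return None
    return found[0]


def resolve_role(accept_av_pairs: Sequence[str], default_user_role: str) -> Optional[str]:
    """Role granted after an Access-Accept, or None when the sensor must reject the login."""
    if default_user_role not in DEFAULT_ROLE_CHOICES:
        raise ValueError(f"invalid default-user-role: {default_user_role!r}")
    role = role_from_av_pairs(accept_av_pairs)
    if role is not None:
        return role                        # an explicit av-pair always wins over the default
    return None if default_user_role == "unspecified" else default_user_role


def authenticate(radius_outcomes: Sequence[Optional[bool]], local_ok: bool,
                 local_fallback: bool = True, console: bool = False,
                 console_authentication: str = "radius-and-local") -> str:
    """Decide which store authenticates a login: 'radius', 'local' or 'rejected'.

    radius_outcomes holds one entry per configured server in order (primary, secondary):
    True = Access-Accept, False = Access-Reject, None = timed out / unresponsive.
    local_ok says whether the local account would accept the credentials.
    """
    if console and console_authentication == "local":
        return "local" if local_ok else "rejected"
    for outcome in radius_outcomes:
        if outcome is None:
            continue                       # unresponsive: try the next server
        if outcome:
            return "radius"
        # Access-Reject: local fallback does NOT apply. Assumption: the console
        # radius-and-local mode still tries local here ("if RADIUS fails").
        if console and console_authentication == "radius-and-local":
            return "local" if local_ok else "rejected"
        return "rejected"
    # Every server was unresponsive.
    if local_fallback or (console and console_authentication == "radius-and-local"):
        return "local" if local_ok else "rejected"
    return "rejected"
```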