Cisco Intrusion Prevention System CLI
Configuration Guide for IPS 7.1
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-19892-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public
domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this
URL: www.cisco.com/go/trademarks . Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership
relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the
document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
Cisco Intrusion Prevention System CLI Configuration Guide for IPS 7.1
© 2011-2013 Cisco Systems, Inc. All rights reserved.
CONTENTS
Preface xxxi
Contents xxxi
Audience xxxi
Organization xxxii
Conventions xxxiii
Related Documentation xxxiv
Obtaining Documentation, Using the Cisco Bug Search Tool, and Submitting a Service Request xxxv
CHAPTER 1 Getting Started 1-1
Introducing the IME 1-1
Advisory 1-2
Participating in the SensorBase Network 1-2
IME Home Pane 1-3
System Requirements 1-4
IME Demo Mode 1-7
Installing the IME and Migrating Data In to the IME 1-8
Creating and Changing the IME Password 1-9
Recovering the IME Password 1-10
Configuring General Options 1-11
Configuring the Data Archive 1-12
Configuring Email Setup 1-14
Configuring Email Notification 1-15
Configuring Reports 1-17
Installation Error 1-20
OL-19891-01
CHAPTER 2 Configuring Device Lists 2-1
Device List Pane 2-1
Device List Pane Field Definitions 2-2
Add and Edit Device List Dialog Boxes Field Definitions 2-3
Adding, Editing, and Deleting Devices 2-4
Cisco Intrusion Prevention System Manager Express Configuration Guide for IPS 7.1
Starting, Stopping, and Displaying Device, Event, Health, and Global Correlation Connection Status 2-5
Using Tools for Devices 2-6
CHAPTER 3 Configuring Dashboards 3-1
Understanding Dashboards 3-1
Adding and Deleting Dashboards 3-1
IME Gadgets 3-2
Sensor Information Gadget 3-2
Sensor Health Gadget 3-3
Licensing Gadget 3-5
Interface Status Gadget 3-5
Global Correlation Reports Gadget 3-6
Global Correlation Health Gadget 3-7
Network Security Gadget 3-8
Top Applications Gadget 3-9
Memory & Load Gadget 3-10
RSS Feed Gadget 3-11
Top Attackers Gadget 3-11
Top Victims Gadget 3-12
Top Signatures Gadget 3-13
Attacks Over Time Gadget 3-13
Working With a Single Event for Individual Top Attacker and Victim IP Addresses 3-14
Working With a Single Event for a Top Signature 3-15
Configuring Filters 3-16
Manage Filter Rules Dialog Box Field Definitions 3-18
Add and Edit Filter Dialog Boxes Field Definitions 3-19
CHAPTER 4 Configuring RSS Feeds 4-1
Understanding RSS Feeds 4-1
Configuring RSS Feeds 4-1
CHAPTER 5 Using the Startup Wizard 5-1
Startup Wizard Introduction Window 5-1
Setting up the Sensor 5-2
Sensor Setup Window 5-2
Add and Edit ACL Entry Dialog Boxes 5-3
Configure Summertime Dialog Box 5-4
Configuring Sensor Settings 5-4
Configuring Interfaces 5-7
Interface Summary Window 5-7
Restore Defaults to an Interface Dialog Box 5-8
Traffic Inspection Mode Window 5-8
Interface Selection Window 5-9
Inline Interface Pair Window 5-9
Inline VLAN Pairs Window 5-9
Add and Edit Inline VLAN Pair Entry Dialog Boxes 5-10
Configuring Inline VLAN Pairs 5-10
Configuring Virtual Sensors 5-11
Virtual Sensors Window 5-11
Add Virtual Sensor Dialog Box 5-12
Adding a Virtual Sensor 5-13
Applying Signature Threat Profiles 5-14
Configuring Auto Update 5-16
CHAPTER 6 Setting Up the Sensor 6-1
Understanding Sensor Setup 6-1
Configuring Network Settings 6-1
Network Pane 6-2
Network Pane Field Definitions 6-2
Configuring Network Settings 6-3
Configuring Allowed Hosts/Networks 6-5
Allowed Hosts/Networks Pane 6-5
Allowed Hosts/Network Pane and Add and Edit Allowed Host Dialog Boxes Field Definitions 6-6
Configuring Allowed Hosts and Networks 6-6
Configuring Time 6-7
Time Pane 6-7
Time Pane Field Definitions 6-7
Configure Summertime Dialog Box Field Definitions 6-8
Configuring Time on the Sensor 6-9
Time Sources and the Sensor 6-10
Synchronizing IPS Module System Clocks with Parent Device System Clocks 6-11
Verifying the Sensor is Synchronized with the NTP Server 6-11
Correcting Time on the Sensor 6-12
Configuring NTP 6-12
Configuring a Cisco Router to be an NTP Server 6-13
Configuring the Sensor to Use an NTP Time Source 6-14
Manually Setting the System Clock 6-15
Clearing Events 6-16
Configuring Authentication 6-16
Understanding User Roles 6-17
Understanding the Service Account 6-18
The Service Account and RADIUS Authentication 6-18
RADIUS Authentication Functionality and Limitations 6-19
Authentication Pane 6-19
Authentication Pane Field Definitions 6-20
Add and Edit User Dialog Boxes Field Definitions 6-22
Adding, Editing, Deleting Users, and Creating Accounts 6-22
Locking User Accounts 6-25
Unlocking User Accounts 6-26
CHAPTER 7 Configuring Interfaces 7-1
Sensor Interfaces 7-1
Understanding Interfaces 7-1
Command and Control Interface 7-2
Sensing Interfaces 7-3
Interface Support 7-4
TCP Reset Interfaces 7-8
Understanding Alternate TCP Reset Interfaces 7-8
Designating the Alternate TCP Reset Interface 7-9
Hardware Bypass Mode 7-9
Hardware Bypass Card 7-10
Hardware Bypass Configuration Restrictions 7-10
Interface Configuration Restrictions 7-11
Understanding Interface Modes 7-13
Promiscuous Mode 7-14
IPv6, Switches, and Lack of VACL Capture 7-14
Inline Interface Mode 7-15
Inline VLAN Pair Mode 7-16
VLAN Groups Mode 7-17
Interface Configuration Summary 7-18
Configuring Interfaces 7-18
Interfaces Pane 7-18
Interfaces Pane Field Definitions 7-19
Enabling and Disabling Interfaces 7-20
Edit Interface Dialog Box Field Definitions 7-20
Editing Interfaces 7-21
Configuring Inline Interface Pairs 7-22
Interface Pairs Pane 7-22
Interface Pairs Pane Field Definitions 7-22
Add and Edit Interface Pair Dialog Boxes Field Definitions 7-22
Configuring Inline Interface Pairs 7-23
Configuring Inline VLAN Pairs 7-23
VLAN Pairs Pane 7-23
VLAN Pairs Pane Field Definitions 7-24
Add and Edit VLAN Pair Dialog Boxes Field Definitions 7-24
Configuring Inline VLAN Pairs 7-25
Configuring VLAN Groups 7-25
VLAN Groups Pane 7-26
Deploying VLAN Groups 7-26
VLAN Groups Pane Field Definitions 7-27
Add and Edit VLAN Group Dialog Boxes Field Definitions 7-27
Configuring VLAN Groups 7-27
Configuring Bypass Mode 7-28
Bypass Pane 7-28
Bypass Pane Field Definitions 7-29
Adaptive Security Appliance, ASA 5500 AIP SSM, and Bypass Mode 7-30
Configuring Traffic Flow Notifications 7-30
Configuring CDP Mode 7-31
CHAPTER 8 Configuring Policies 8-1
Understanding Security Policies 8-1
IPS Policies Components 8-1
Understanding Analysis Engine 8-2
Understanding the Virtual Sensor 8-2
Advantages and Restrictions of Virtualization 8-3
Inline TCP Session Tracking Mode 8-3
Understanding Normalizer Mode 8-4
Understanding HTTP Advanced Decoding 8-4
Understanding Event Action Overrides 8-5
Calculating the Risk Rating 8-5
Understanding Threat Rating 8-6
Event Action Summarization 8-7
Event Action Aggregation 8-7
Configuring IPS Policies 8-8
IPS Policies Pane 8-8
IPS Policies Pane Field Definitions 8-9
Add and Edit Virtual Sensor Dialog Boxes Field Definitions 8-10
Add and Edit Event Action Override Dialog Boxes Field Definitions 8-12
Adding, Editing, and Deleting Virtual Sensors 8-13
The ASA 5500 AIP SSM, ASA 5500-X IPS SSP, ASA 5585-X IPS SSP, and Virtual Sensors 8-15
Understanding the ASA IPS Modules and Virtual Sensors 8-15
Configuration Sequence for the ASA IPS Modules 8-15
Creating Virtual Sensors on the ASA 5585-X IPS SSP and ASA IPS Modules 8-16
Assigning Virtual Sensors to Adaptive Security Appliance Contexts 8-18
Configuring Event Action Filters 8-20
Understanding Event Action Filters 8-20
Event Action Filters Tab 8-21
Event Action Filters Tab Field Definitions 8-21
Add and Edit Event Action Filter Dialog Boxes Field Definitions 8-22
Adding, Editing, Deleting, Enabling, Disabling, and Moving Event Action Filters 8-23
Configuring IPv4 Target Value Rating 8-25
IPv4 Target Value Rating Tab 8-26
IPv4 Target Value Rating Tab Field Definitions 8-26
Add and Edit Target Value Rating Dialog Boxes Field Definitions 8-26
Adding, Editing, and Deleting IPv4 Target Value Ratings 8-26
Configuring IPv6 Target Value Rating 8-27
IPv6 Target Value Rating Tab 8-27
IPv6 Target Value Rating Tab Field Definitions 8-27
Add and Edit Target Value Rating Dialog Boxes Field Definitions 8-28
Adding, Editing, and Deleting IPv6 Target Value Ratings 8-28
Configuring OS Identifications 8-29
Understanding Passive OS Fingerprinting 8-30
Configuring Passive OS Fingerprinting 8-31
OS Identifications Tab 8-31
OS Identifications Tab Field Definitions 8-32
Add and Edit Configured OS Map Dialog Boxes Field Definitions 8-32
Adding, Editing, Deleting, and Moving Configured OS Maps 8-33
Configuring Event Variables 8-34
Event Variables Tab 8-34
Event Variables Tab Field Definitions 8-35
Add and Edit Event Variable Dialog Boxes Field Definitions 8-35
Adding, Editing, and Deleting Event Variables 8-36
Configuring Risk Category 8-37
Risk Category Tab 8-37
Risk Category Tab Field Definitions 8-38
Add and Edit Risk Level Dialog Boxes Field Definitions 8-38
Adding, Editing, and Deleting Risk Categories 8-38
Configuring Threat Category 8-39
Configuring General Settings 8-40
General Tab 8-40
General Tab Field Definitions 8-41
Configuring the General Settings 8-41
CHAPTER 9 Configuring Shared Policies and Group Policies 9-1
Configuring Shared Policies 9-1
Understanding Shared Policies 9-1
Add Policy Field Definitions 9-2
Adding and Deleting Shared Policies 9-3
Deploying Shared Policies 9-3
Configuring Policy Groups 9-4
CHAPTER 10 Defining Signatures 10-1
Understanding Security Policies 10-1
Understanding Signatures 10-1
Event Actions 10-2
Signature Engines 10-4
Configuring Signature Definition Policies 10-7
Signature Definitions Pane 10-7
Signature Definitions Pane Field Definitions 10-8
Add and Clone Policy Dialog Boxes Field Definitions 10-8
Adding, Cloning, and Deleting Signature Policies 10-8
sig0 Pane 10-9
MySDN 10-10
Configuring Signatures 10-11
Sig0 Pane Field Definitions 10-11
Add, Clone, and Edit Signatures Dialog Boxes Field Definitions 10-12
Edit Actions Dialog Box Field Definitions 10-14
Enabling, Disabling, and Retiring Signatures 10-17
Adding Signatures 10-17
Cloning Signatures 10-19
Tuning Signatures 10-20
Assigning Actions to Signatures 10-21
Configuring Alert Frequency 10-23
Example Meta Engine Signature 10-25
Example Atomic IP Advanced Engine Signature 10-28
Example String XL TCP Match Offset Signature 10-30
Example String XL TCP Engine Minimum Match Length Signature 10-33
Configuring Signature Variables 10-36
Signature Variables Tab 10-36
Signature Variables Field Definitions 10-36
Adding, Editing, and Deleting Signature Variables 10-37
Configuring Miscellaneous Settings 10-38
Miscellaneous Tab 10-38
Miscellaneous Tab Field Definitions 10-39
Configuring Application Policy Signatures 10-40
Understanding AIC Signatures 10-40
AIC Engine and Sensor Performance 10-41
AIC Request Method Signatures 10-42
AIC MIME Define Content Type Signatures 10-43
AIC Transfer Encoding Signatures 10-46
AIC FTP Commands Signatures 10-46
Configuring Application Policy 10-47
Tuning an AIC Signature 10-48
Configuring IP Fragment Reassembly Signatures 10-49
Understanding IP Fragment Reassembly Signatures 10-49
IP Fragment Reassembly Signatures and Configurable Parameters 10-50
Configuring the IP Fragment Reassembly Mode 10-51
Tuning an IP Fragment Reassembly Signature 10-51
Configuring TCP Stream Reassembly Signatures 10-52
Understanding TCP Stream Reassembly Signatures 10-52
TCP Stream Reassembly Signatures and Configurable Parameters 10-53
Configuring the TCP Stream Reassembly Mode 10-58
Tuning a TCP Stream Reassembly Signature 10-59
Configuring IP Logging 10-60
CHAPTER 11 Using the Custom Signature Wizard 11-1
Understanding the Custom Signature Wizard 11-1
Using a Signature Engine 11-1
Signature Engines Not Supported for the Custom Signature Wizard 11-2
Not Using a Signature Engine 11-4
Creating Custom Signatures 11-4
Custom Signature Wizard Field Definitions 11-9
Welcome Window 11-10
Protocol Type Window 11-10
Signature Identification Window 11-11
Service MSRPC Engine Parameters Window 11-11
ICMP Traffic Type Window 11-12
Inspect Data Window 11-12
UDP Traffic Type Window 11-12
UDP Sweep Type Window 11-12
TCP Traffic Type Window 11-12
Service Type Window 11-13
TCP Sweep Type Window 11-13
Atomic IP Engine Parameters Window 11-13
Example Atomic IP Advanced Engine Signature 11-14
Service HTTP Engine Parameters Window 11-16
Example Service HTTP Engine Signature 11-17
Service RPC Engine Parameters Window 11-19
State Engine Parameters Window 11-20
String ICMP Engine Parameters Window 11-21
String TCP Engine Parameters Window 11-21
Example String TCP Engine Signature 11-22
String UDP Engine Parameters Window 11-24
Sweep Engine Parameters Window 11-24
Alert Response Window 11-26
Alert Behavior Window 11-26
Event Count and Interval Window 11-26
Alert Summarization Window 11-27
Alert Dynamic Response Fire All Window 11-27
Alert Dynamic Response Fire Once Window 11-28
Alert Dynamic Response Summary Window 11-28
Global Summarization Window 11-29
CHAPTER 12 Configuring Event Action Rules 12-1
Understanding Security Policies 12-1
Event Action Rules Components 12-2
Understanding Event Action Rules 12-2
Calculating the Risk Rating 12-2
Understanding Threat Rating 12-4
Understanding Event Action Overrides 12-4
Understanding Event Action Filters 12-4
Event Action Summarization 12-5
Event Action Aggregation 12-5
Signature Event Action Processor 12-6
Event Actions 12-8
Configuring Event Action Rules Policies 12-11
Event Action Rules Pane 12-11
Event Action Rules Pane Field Definitions 12-12
Add and Clone Policy Dialog Boxes Field Definitions 12-12
Adding, Cloning, and Deleting Event Action Rules Policies 12-12
rules0 Pane 12-13
Configuring Event Action Overrides 12-13
Event Action Overrides Tab 12-13
Event Action Overrides Tab Field Definitions 12-13
Add and Edit Event Action Override Dialog Boxes Field Definitions 12-13
Adding, Editing, Deleting, Enabling, and Disabling Event Action Overrides 12-14
Configuring Event Action Filters 12-15
Event Action Filters Tab 12-15
Event Action Filters Tab Field Definitions 12-15
Add and Edit Event Action Filter Dialog Boxes Field Definitions 12-16
Adding, Editing, Deleting, Enabling, Disabling, and Moving Event Action Filters 12-17
Configuring IPv4 Target Value Rating 12-19
IPv4 Target Value Rating Tab 12-20
IPv4 Target Value Rating Tab Field Definitions 12-20
Add and Edit Target Value Rating Dialog Boxes Field Definitions 12-20
Adding, Editing, and Deleting IPv4 Target Value Ratings 12-20
Configuring IPv6 Target Value Rating 12-21
IPv6 Target Value Rating Tab 12-21
IPv6 Target Value Rating Tab Field Definitions 12-21
Add and Edit IPv6 Target Value Rating Dialog Boxes Field Definitions 12-22
Adding, Editing, and Deleting IPv6 Target Value Ratings 12-22
Configuring OS Identifications 12-23
OS Identifications Tab 12-23
Understanding Passive OS Fingerprinting 12-24
Configuring Passive OS Fingerprinting 12-25
OS Identifications Tab Field Definitions 12-25
Add and Edit Configured OS Map Dialog Boxes Field Definitions 12-26
Adding, Editing, Deleting, and Moving Configured OS Maps 12-27
Configuring Event Variables 12-28
Event Variables Tab 12-28
Event Variables Tab Field Definitions 12-29
Add and Edit Event Variable Dialog Boxes Field Definitions 12-29
Adding, Editing, and Deleting Event Variables 12-29
Configuring Risk Category 12-31
Risk Category Tab 12-31
Risk Category Tab Field Definitions 12-31
Add and Edit Risk Level Dialog Boxes Field Definitions 12-31
Adding, Editing, and Deleting Risk Categories 12-32
Configuring Threat Category 12-32
Configuring General Settings 12-33
General Tab 12-33
General Tab Field Definitions 12-34
Configuring the General Settings 12-34
CHAPTER 13 Configuring Anomaly Detection 13-1
Understanding Security Policies 13-1
Anomaly Detection Components 13-2
Understanding Anomaly Detection 13-2
Worms 13-2
Anomaly Detection Modes 13-3
Enabling Anomaly Detection 13-4
Anomaly Detection Zones 13-5
Anomaly Detection Configuration Sequence 13-5
Anomaly Detection Signatures 13-7
Configuring Anomaly Detections Policies 13-9
Anomaly Detections Pane 13-9
Anomaly Detections Pane Field Definitions 13-9
Add and Clone Policy Dialog Boxes Field Definitions 13-9
Adding, Cloning, and Deleting Anomaly Detection Policies 13-10
ad0 Pane 13-10
Configuring Operation Settings 13-11
Operation Settings Tab 13-11
Operating Settings Tab Field Definitions 13-11
Configuring Anomaly Detection Operation Settings 13-11
Configuring Learning Accept Mode 13-12
Learning Accept Mode Tab 13-12
The KB and Histograms 13-12
Learning Accept Mode Tab Field Definitions 13-14
Add and Edit Start Time Dialog Boxes Field Definitions 13-14
Configuring Learning Accept Mode 13-14
Configuring the Internal Zone 13-15
Internal Zone Tab 13-15
General Tab 13-16
TCP Protocol Tab 13-16
Add and Edit Destination Port Dialog Boxes Field Definitions 13-17
Add and Edit Histogram Dialog Boxes Field Definitions 13-17
UDP Protocol Tab 13-17
Other Protocols Tab 13-18
Add and Edit Protocol Number Dialog Boxes Field Definitions 13-18
Configuring the Internal Zone 13-19
Configuring the Illegal Zone 13-22
Illegal Zone Tab 13-22
General Tab 13-23
TCP Protocol Tab 13-23
Add and Edit Destination Port Dialog Boxes Field Definitions 13-23
Add and Edit Histogram Dialog Boxes Field Definitions 13-24
UDP Protocol Tab 13-24
Other Protocols Tab 13-25
Add and Edit Protocol Number Dialog Boxes Field Definitions 13-25
Configuring the Illegal Zone 13-25
Configuring the External Zone 13-29
External Zone Tab 13-29
TCP Protocol Tab 13-29
Add and Edit Destination Port Dialog Boxes Field Definitions 13-30
Add and Edit Histogram Dialog Boxes Field Definitions 13-30
UDP Protocol Tab 13-31
Other Protocols Tab 13-31
Add and Edit Protocol Number Dialog Boxes Field Definitions 13-32
Configuring the External Zone 13-32
Disabling Anomaly Detection 13-35
CHAPTER 14 Configuring Global Correlation 14-1
Understanding Global Correlation 14-1
Participating in the SensorBase Network 14-2
Understanding Reputation 14-2
Understanding Network Participation 14-3
Understanding Efficacy 14-4
Reputation and Risk Rating 14-5
Global Correlation Features and Goals 14-5
Global Correlation Requirements 14-6
Understanding Global Correlation Sensor Health Metrics 14-7
Configuring Global Correlation Inspection and Reputation Filtering 14-7
Inspection/Reputation Pane 14-8
Inspection/Reputation Pane Field Definitions 14-9
Configuring Global Correlation Inspection and Reputation Filtering 14-9
Configuring Network Participation 14-10
Network Participation Pane 14-10
Network Participation Pane Field Definitions 14-10
Configuring Network Participation 14-11
Troubleshooting Global Correlation 14-11
Disabling Global Correlation 14-12
CHAPTER 15 Configuring SSH and Certificates 15-1
Understanding SSH 15-1
Configuring Authorized RSA Keys 15-2
Authorized RSA Keys Pane 15-2
Authorized RSA Keys Pane Field Definitions 15-2
Add and Edit Authorized RSA Key Dialog Boxes Field Definitions 15-3
Defining Authorized RSA Keys 15-3
Configuring Authorized RSA1 Keys 15-4
Authorized RSA1 Keys Pane 15-4
Authorized RSA1 Keys Pane Field Definitions 15-4
Add and Edit Authorized RSA1 Key Dialog Boxes Field Definitions 15-5
Defining Authorized RSA1 Keys 15-5
Configuring Known Host RSA Keys 15-6
Known Host RSA Keys Pane 15-6
Known Host RSA Keys Pane Field Definitions 15-7
Add and Edit Known Host RSA Key Dialog Boxes Field Definitions 15-7
Defining Known RSA Host Keys 15-7
Configuring Known Host RSA1 Keys 15-8
Known Host RSA1 Keys Pane 15-8
Known Host RSA1 Keys Pane Field Definitions 15-9
Add and Edit Known Host RSA1 Key Dialog Boxes Field Definitions 15-9
Defining Known Host RSA1 Keys 15-9
Generating the Sensor Key 15-10
Understanding Certificates 15-11
Configuring Trusted Hosts 15-12
Trusted Hosts Pane 15-13
Trusted Hosts Pane Field Definitions 15-13
Add Trusted Host Dialog Box Field Definitions 15-13
Adding Trusted Hosts 15-13
Adding Trusted Root Certificates 15-14
Trusted Root Certificates Pane 15-14
Trusted Root Certificates Field Definitions 15-15
Add and Update Trusted Root Certificates Dialog Box Field Definitions 15-15
Adding and Updating Trusted Root Certificates 15-15
Generating the Server Certificate 15-16
CHAPTER 16 Configuring Attack Response Controller for Blocking and Rate Limiting 16-1
ARC Components 16-1
Understanding Blocking 16-2
Understanding Rate Limiting 16-4
Understanding Service Policies for Rate Limiting 16-5
Before Configuring the ARC 16-5
Supported Devices 16-5
Configuring Blocking Properties 16-7
Blocking Properties Pane 16-7
Understanding Blocking Properties 16-7
Blocking Properties Pane Field Definitions 16-8
Configuring Blocking Properties 16-9
Add and Edit Never Block Address Dialog Boxes Field Definitions 16-10
Adding, Editing, and Deleting IP Addresses Never to be Blocked 16-11
Configuring Device Login Profiles 16-11
Device Login Profiles Pane 16-12
Device Login Profiles Pane Field Definitions 16-12
Add and Edit Device Login Profile Dialog Boxes Field Definitions 16-12
Configuring Device Login Profiles 16-13
Configuring Blocking Devices 16-14
Blocking Device Pane 16-14
Blocking Devices Pane Field Definitions 16-14
Add and Edit Blocking Device Dialog Boxes Field Definitions 16-15
Adding, Editing, and Deleting Blocking and Rate Limiting Devices 16-15
Configuring Router Blocking Device Interfaces 16-17
Router Blocking Device Interfaces Pane 16-17
Understanding Router Blocking Device Interfaces 16-17
How the Sensor Manages Devices 16-18
Router Blocking Device Interfaces Pane Field Definitions 16-19
Add and Edit Router Blocking Device Interface Dialog Boxes Field Definitions 16-19
Configuring the Router Blocking and Rate Limiting Device Interfaces 16-20
Configuring Cat 6K Blocking Device Interfaces 16-21
Cat 6K Blocking Device Interfaces Pane 16-21
Understanding Cat 6K Blocking Device Interfaces 16-21
Cat 6K Blocking Device Interfaces Pane Field Definitions 16-22
Add and Edit Cat 6K Blocking Device Interface Dialog Boxes Field Definitions 16-22
Configuring Cat 6K Blocking Device Interfaces 16-23
Configuring the Master Blocking Sensor 16-24
Master Blocking Sensor Pane 16-24
Understanding the Master Blocking Sensor 16-24
Master Blocking Sensor Pane Field Definitions 16-25
Add and Edit Master Blocking Sensor Dialog Boxes Field Definitions 16-25
Configuring the Master Blocking Sensor 16-25
CHAPTER 17 Configuring SNMP 17-1
Understanding SNMP 17-1
Configuring General Configuration 17-2
General Configuration Pane 17-2
General Configuration Pane Field Definitions 17-2
Configuring General Parameters 17-3
Configuring SNMP Traps 17-3
Traps Configuration Pane 17-4
Traps Configuration Pane Field Definitions 17-4
Add and Edit SNMP Trap Destination Dialog Boxes Field Definitions 17-5
Configuring SNMP Traps 17-5
Supported MIBs 17-6
CHAPTER 18 Managing Time-Based Actions 18-1
Configuring and Monitoring Denied Attackers 18-1
Denied Attackers Pane 18-1
Denied Attackers Pane Field Definitions 18-2
Monitoring the Denied Attackers List and Adding Denied Attackers 18-2
Configuring Host Blocks 18-3
Host Blocks Pane 18-3
Host Block Pane Field Definitions 18-3
Add Host Block Dialog Box Field Definitions 18-4
Adding, Deleting, and Managing Host Blocks 18-4
Configuring Network Blocks 18-5
Network Blocks Pane 18-6
Network Blocks Pane Field Definitions 18-6
Add Network Block Dialog Box Field Definitions 18-6
Adding, Deleting, and Managing Network Blocks 18-6
Configuring Rate Limits 18-7
Rate Limits Pane 18-7
Rate Limits Pane Field Definitions 18-8
Add Rate Limit Dialog Box Field Definitions 18-8
Adding, Deleting, and Managing Rate Limiting 18-9
Configuring IP Logging 18-10
Understanding IP Logging 18-10
IP Logging Pane 18-11
IP Logging Pane Field Definitions 18-11
Add and Edit IP Logging Dialog Boxes Field Definitions 18-11
Configuring IP Logging 18-12
CHAPTER 19 Configuring External Product Interfaces 19-1
Understanding External Product Interfaces 19-1
Understanding CSA MC 19-1
External Product Interface Issues 19-3
Configuring the CSA MC to Support IPS Interfaces 19-3
Configuring External Product Interfaces 19-4
External Product Interfaces Pane 19-4
External Product Interfaces Pane Field Definitions 19-5
Add and Edit External Product Interface Dialog Boxes Field Definitions 19-6
Add and Edit Posture ACL Dialog Boxes Field Definitions 19-7
Adding, Editing, and Deleting External Product Interfaces and Posture ACLs 19-7
Troubleshooting External Product Interfaces 19-10
CHAPTER 20 Managing the Sensor 20-1
Configuring Passwords 20-1
Passwords Pane 20-1
Passwords Pane Field Definitions 20-2
Configuring Password Requirements 20-2
Configuring Packet Logging 20-3
Recovering the Password 20-4
Understanding Password Recovery 20-4
Recovering the Appliance Password 20-5
Using the GRUB Menu 20-5
Using ROMMON 20-6
Recovering the ASA 5500 AIP SSM Password 20-7
Recovering the ASA 5500-X IPS SSP Password 20-9
Recovering the ASA 5585-X IPS SSP Password 20-11
Disabling Password Recovery 20-13
Troubleshooting Password Recovery 20-14
Verifying the State of Password Recovery 20-14
Configuring Licensing 20-14
Licensing Pane 20-15
Understanding Licensing 20-15
Service Programs for IPS Products 20-16
Licensing Pane Field Definitions 20-16
Obtaining and Installing the License Key 20-17
Obtaining a New License Key for the IPS 4270-20 20-18
Licensing the ASA 5500-X IPS SSP 20-18
Uninstalling the License Key 20-19
Configuring Sensor Health 20-20
Configuring IP Logging Variables 20-21
Configuring Automatic Update 20-22
Auto/Cisco.com Update Pane 20-22
Supported FTP and HTTP Servers 20-23
UNIX-Style Directory Listings 20-23
Signature Updates and Installation Time 20-23
Auto/Cisco.com Update Pane Field Definitions 20-24
Configuring Auto Update 20-25
Manually Updating the Sensor 20-26
Update Sensor Pane 20-26
Update Sensor Pane Field Definitions 20-27
Updating the Sensor 20-27
Restoring Defaults 20-29
Rebooting the Sensor 20-29
Shutting Down the Sensor 20-30
CHAPTER 21 Monitoring the Sensor 21-1
Monitoring Events 21-1
Events Pane 21-1
Events Pane Field Definitions 21-2
Event Viewer Pane Field Definitions 21-3
Configuring Event Display 21-3
Clearing Event Store 21-4
Displaying Inspection Load Statistics 21-4
Displaying Interface Statistics 21-5
Monitoring Anomaly Detection KBs 21-7
Anomaly Detection Pane 21-7
Understanding KBs 21-8
Anomaly Detection Pane Field Definitions 21-8
Showing Thresholds 21-9
Threshold for KB_Name Window 21-9
Thresholds for KB_Name Window Field Definitions 21-10
Monitoring the KB Thresholds 21-10
Comparing KBs 21-11
Compare Knowledge Base Dialog Box 21-11
Differences between knowledge bases KB_Name and KB_Name Window 21-11
Difference Thresholds between knowledge bases KB_Name and KB_Name Window 21-11
Comparing KBs 21-12
Saving the Current KB 21-12
Save Knowledge Base Dialog Box 21-13
Loading a KB 21-13
Saving a KB 21-13
Deleting a KB 21-14
Renaming a KB 21-14
Downloading a KB 21-15
Uploading a KB 21-15
Configuring OS Identifications 21-16
Configuring Learned Operating Systems 21-16
Configuring Imported Operating Systems 21-17
Clearing Flow States 21-18
Clear Flow States Pane 21-18
Clear Flow States Pane Field Definitions 21-19
Clearing Flow States 21-19
Resetting Network Security Health 21-20
Generating a Diagnostics Report 21-20
Viewing Statistics 21-21
Viewing System Information 21-22
CHAPTER 22 Configuring Event Monitoring 22-1
Understanding Event Monitoring 22-1
Group By, Color Rules, Fields, and General Tabs 22-2
Understanding Filters 22-2
Filter Tab and Add Filter Dialog Box Field Definitions 22-3
Working With Event Views 22-4
Working With a Single Event 22-5
Configuring Filters for Event Views 22-6
CHAPTER 23 Configuring and Generating Reports 23-1
Understanding IME Reporting 23-1
Configuring and Generating Reports 23-3
CHAPTER 24 Logging In to the Sensor 24-1
Supported User Roles 24-1
Logging In to the Appliance 24-2
Connecting an Appliance to a Terminal Server 24-3
CHAPTER
OL-19891-01
Logging In to the ASA 5500 AIP SSM 24-4
Logging In to the ASA 5500-X IPS SSP 24-5
Logging In to the ASA 5585-X IPS SSP 24-6
Logging In to the Sensor 24-7
CHAPTER 25 Initializing the Sensor 25-1
Understanding Initialization 25-1
Simplified Setup Mode 25-2
System Configuration Dialog 25-2
Basic Sensor Setup 25-4
Advanced Setup 25-7
Appliance Advanced Setup 25-7
ASA 5500 AIP SSM Advanced Setup 25-13
ASA 5500-X IPS SSP Advanced Setup 25-17
ASA 5585-X IPS SSP Advanced Setup 25-20
Verifying Initialization 25-24
CHAPTER 26 Obtaining Software 26-1
IPS 7.1 File List 26-1
Obtaining Cisco IPS Software 26-1
IPS Software Versioning 26-3
Software Release Examples 26-5
Accessing IPS Documentation 26-7
Cisco Security Intelligence Operations 26-7
CHAPTER 27 Upgrading, Downgrading, and Installing System Images 27-1
Understanding Upgrades, Downgrades, and System Images 27-1
Supported FTP and HTTP/HTTPS Servers 27-2
Upgrading the Sensor 27-2
IPS 7.1 Upgrade Files 27-3
Upgrade Notes and Caveats 27-3
Manually Upgrading the Sensor 27-3
Upgrading the Recovery Partition 27-6
Configuring Automatic Upgrades 27-7
Understanding Automatic Upgrades 27-7
Automatically Upgrading the Sensor 27-7
Downgrading the Sensor 27-10
Recovering the Application Partition 27-11
Installing System Images 27-12
ROMMON 27-13
TFTP Servers 27-13
Connecting an Appliance to a Terminal Server 27-13
Installing the IPS 4240 and IPS 4255 System Image 27-14
Installing the IPS 4260 System Image 27-17
Installing the IPS 4270-20 System Image 27-19
Installing the IPS 4345 and IPS 4360 System Image 27-21
Installing the IPS 4510 and IPS 4520 System Image 27-25
Installing the ASA 5500 AIP SSM System Image 27-27
Installing the ASA 5500-X IPS SSP Image 27-29
Installing the ASA 5585-X IPS SSP System Image 27-31
Installing the ASA 5585-X IPS SSP System Image Using the hw-module Command 27-31
Installing the ASA 5585-X IPS SSP System Image Using ROMMON 27-33
APPENDIX A System Architecture A-1
Purpose of Cisco IPS A-1
System Design A-1
System Applications A-4
User Interaction A-5
Security Features A-5
MainApp A-6
Understanding the MainApp A-6
MainApp Responsibilities A-6
Event Store A-7
Understanding the Event Store A-7
Event Data Structures A-8
IPS Events A-9
NotificationApp A-9
CtlTransSource A-11
Attack Response Controller A-12
Understanding the ARC A-13
ARC Features A-14
Supported Blocking Devices A-15
ACLs and VACLs A-16
Maintaining State Across Restarts A-16
Connection-Based and Unconditional Blocking A-17
Blocking with Cisco Firewalls A-18
Blocking with Catalyst Switches A-19
Logger A-19
InterfaceApp A-20
AuthenticationApp A-20
Understanding the AuthenticationApp A-20
Authenticating Users A-20
Configuring Authentication on the Sensor A-21
Managing TLS and SSH Trust Relationships A-21
Web Server A-23
SensorApp A-23
Understanding the SensorApp A-23
Inline, Normalization, and Event Risk Rating Features A-24
SensorApp New Features A-25
Packet Flow A-26
Signature Event Action Processor A-26
CollaborationApp A-28
Understanding the CollaborationApp A-28
Update Components A-28
Error Events A-29
SwitchApp A-30
CLI A-30
Understanding the CLI A-30
User Roles A-30
Service Account A-31
Communications A-32
IDAPI A-32
IDIOM A-33
IDCONF A-33
SDEE A-34
CIDEE A-34
Cisco IPS File Structure A-35
Summary of Cisco IPS Applications A-36
APPENDIX B Signature Engines B-1
Understanding Signature Engines B-1
Master Engine B-4
General Parameters B-4
Alert Frequency B-7
Event Actions B-8
Regular Expression Syntax B-9
AIC Engine B-10
Understanding the AIC Engine B-10
AIC Engine and Sensor Performance B-11
AIC Engine Parameters B-11
Atomic Engine B-13
Atomic ARP Engine B-13
Atomic IP Advanced Engine B-14
Atomic IP Engine B-24
Atomic IPv6 Engine B-27
Fixed Engine B-28
Flood Engine B-31
Meta Engine B-32
Multi String Engine B-34
Normalizer Engine B-36
Service Engines B-39
Understanding the Service Engines B-39
Service DNS Engine B-39
Service FTP Engine B-41
Service Generic Engine B-42
Service H225 Engine B-43
Service HTTP Engine B-46
Service IDENT Engine B-48
Service MSRPC Engine B-48
Service MSSQL Engine B-50
Service NTP Engine B-51
Service P2P B-52
Service RPC Engine B-52
Service SMB Advanced Engine B-54
Service SNMP Engine B-56
Service SSH Engine B-57
Service TNS Engine B-57
State Engine B-59
String Engines B-61
String XL Engines B-63
Sweep Engines B-66
Sweep Engine B-66
Sweep Other TCP Engine B-69
Traffic Anomaly Engine B-69
Traffic ICMP Engine B-72
Trojan Engines B-72
APPENDIX C Troubleshooting C-1
Cisco Bug Search C-1
Preventive Maintenance C-2
Understanding Preventive Maintenance C-2
Creating and Using a Backup Configuration File C-2
Backing Up and Restoring the Configuration File Using a Remote Server C-3
Creating the Service Account C-5
Disaster Recovery C-6
Password Recovery C-7
Understanding Password Recovery C-7
Recovering the Appliance Password C-8
Using the GRUB Menu C-8
Using ROMMON C-9
Recovering the ASA 5500 AIP SSM Password C-10
Recovering the ASA 5500-X IPS SSP Password C-12
Recovering the ASA 5585-X IPS SSP Password C-14
Disabling Password Recovery C-15
Verifying the State of Password Recovery C-16
Troubleshooting Password Recovery C-17
Time Sources and the Sensor C-17
Time Sources and the Sensor C-17
Synchronizing IPS Module Clocks with Parent Device Clocks C-18
Verifying the Sensor is Synchronized with the NTP Server C-18
Correcting Time on the Sensor C-19
Advantages and Restrictions of Virtualization C-19
Supported MIBs C-20
When to Disable Anomaly Detection C-21
The Analysis Engine is Not Responding C-22
Troubleshooting RADIUS Authentication C-23
Troubleshooting Global Correlation C-23
Troubleshooting External Product Interfaces C-23
External Product Interfaces Issues C-24
External Product Interfaces Troubleshooting Tips C-24
Troubleshooting the Appliance C-25
The Appliance and Jumbo Packet Frame Size C-25
Troubleshooting Loose Connections C-25
The Analysis Engine is Busy C-26
Connecting the IPS 4240 to a Cisco 7200 Series Router C-26
Communication Problems C-27
Cannot Access the Sensor CLI Through Telnet or SSH C-27
Correcting a Misconfigured Access List C-29
Duplicate IP Address Shuts Interface Down C-30
The SensorApp and Alerting C-31
The SensorApp Not Running C-31
Physical Connectivity, SPAN, or VACL Port Issue C-33
Unable to See Alerts C-34
Sensor Not Seeing Packets C-36
Cleaning Up a Corrupted SensorApp Configuration C-37
Blocking C-38
Troubleshooting Blocking C-38
Verifying the ARC is Running C-39
Verifying ARC Connections are Active C-40
Device Access Issues C-42
Verifying the Interfaces and Directions on the Network Device C-43
Enabling SSH Connections to the Network Device C-44
Blocking Not Occurring for a Signature C-45
Verifying the Master Blocking Sensor Configuration C-46
Logging C-47
Understanding Debug Logging C-47
Enabling Debug Logging C-47
Zone Names C-51
Directing cidLog Messages to SysLog C-52
TCP Reset Not Occurring for a Signature C-53
Software Upgrades C-55
Upgrading C-55
Which Updates to Apply and Their Prerequisites C-55
Issues With Automatic Update C-56
Updating a Sensor with the Update Stored on the Sensor C-57
Troubleshooting the IDM C-57
Cannot Launch the IDM - Loading Java Applet Failed C-58
Cannot Launch the IDM - the Analysis Engine Busy C-59
The IDM, Remote Manager, or Sensing Interfaces Cannot Access Sensor C-59
Signatures Not Producing Alerts C-60
Troubleshooting the IME C-60
Time Synchronization on the IME and the Sensor C-61
Not Supported Error Message C-61
Installation Error C-61
Troubleshooting the ASA 5500 AIP SSM C-62
Failover Scenarios C-62
The ASA 5500 AIP SSM and the Data Plane C-63
Health and Status Information C-63
The ASA 5500 AIP SSM and the Normalizer Engine C-65
The ASA 5500 AIP SSM and Jumbo Packet Frame Size C-66
The ASA 5500 AIP SSM and Jumbo Packets C-66
TCP Reset Differences Between IPS Appliances and ASA IPS Modules C-67
IPS Reloading Messages C-67
Troubleshooting the ASA 5500-X IPS SSP C-67
Failover Scenarios C-68
Health and Status Information C-69
The ASA 5500-X IPS SSP and the Normalizer Engine C-70
The ASA 5500-X IPS SSP and Memory Usage C-71
The ASA 5500-X IPS SSP and Jumbo Packet Frame Size C-71
The ASA 5500-X IPS SSP and Jumbo Packets C-72
TCP Reset Differences Between IPS Appliances and ASA IPS Modules C-72
IPS Reloading Messages C-72
IPS Not Loading C-73
Troubleshooting the ASA 5585-X IPS SSP C-73
Failover Scenarios C-73
Traffic Flow Stopped on IPS Switchports C-75
Health and Status Information C-75
The ASA 5585-X IPS SSP and the Normalizer Engine C-78
The ASA 5585-X IPS SSP and Jumbo Packet Frame Size C-79
The ASA 5585-X IPS SSP and Jumbo Packets C-79
TCP Reset Differences Between IPS Appliances and ASA IPS Modules C-79
IPS Reloading Messages C-79
Gathering Information C-80
Understanding Information Gathering C-80
Health and Network Security Information C-80
Tech Support Information C-81
Understanding the show tech-support Command C-81
Displaying Tech Support Information C-82
Tech Support Command Output C-83
Version Information C-85
Understanding the show version Command C-85
Displaying Version Information C-86
Statistics Information C-88
Understanding the show statistics Command C-88
Displaying Statistics C-89
Interfaces Information C-100
Understanding the show interfaces Command C-100
Interfaces Command Output C-101
Events Information C-101
Sensor Events C-102
Understanding the show events Command C-102
Displaying Events C-102
Clearing Events C-105
cidDump Script C-105
Uploading and Accessing Files on the Cisco FTP Site C-106
APPENDIX D Open Source License Files Used In Cisco IPS 7.1 D-1
Contents D-1
bash 3.2 D-2
busybox 1.13.1 D-7
cracklib 2.8.12 D-13
curl 7.18.2 1 D-18
diffutils 2.8.1 D-19
e2fsprogs 1.39 D-23
Expat XML parser 2.0.1 D-28
expect 5.4.3 D-29
freeradius-server 2.1.8 D-29
freeradius-server-src-lib 2.1.8 D-34
glibc 2.9 D-40
gnupg 1.4.5 D-44
hotplug 2004_03_29 D-49
i2c-tools 3.0.2 D-53
ipmiutil 2.3.3 D-58
iptables 1.4.1 D-59
kernel 2.6.29.1 D-63
KVM inter-VM shared memory module D-73
libpcap 0.9.8 D-77
libtecla 1.6.1 D-78
Linux-Pam 1.0.1 D-78
lm_sensors 3.0.2 D-79
module-init-tools 3.2.2 1.0.0.0900084 D-84
Ncurses 5.6 D-88
net-snmp 5.4.1 D-89
NTP 4.2.4p5 D-93
openssh 5.1p1 D-96
openssl 0.9.8j D-102
pciutils 3.0.1 D-105
procps 3.2.7 D-111
sysfsutils 2.1.0 D-115
sysstat 8.1.3 D-116
tcl 8.4.9 D-120
tcpdump 3.9.8 1.0.1.0801182 D-121
tipc 1.7.6-bundle D-121
util-linux 2.12r D-123
zlib 1.2.3 D-124
GLOSSARY
INDEX