Loading...
Cisco Intrusion Prevention System CLI Configuration Guide for IPS 7.1
Americas Headquarters
Cisco Systems, Inc. 170 West Tasman Drive
San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000
800 553-NETS (6387) Fax: 408 527-0883
Text Part Number: OL-19892-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
Cisco Intrusion Prevention System CLI Configuration Guide for IPS 7.1 © 2011-2013 Cisco Systems, Inc. All rights reserved.
|
|
|
|
|
|
|
|
C O N T E N T S |
|||
|
|
Preface xxxi |
|
|
|
|
|
|
|
|
|
|
|
Contents |
xxxi |
|
|
|
|
|
|
|
|
|
|
Audience |
xxxi |
|
|
|
|
|
|
|
|
|
|
Organization |
xxxii |
|
|
|
|
|
|
||
|
|
Conventions |
xxxiii |
|
|
|
|
|
|
||
|
|
Related Documentation |
xxxiv |
|
|
|
|
|
|||
|
|
Obtaining Documentation, Using the Cisco Bug Search Tool, and Submitting a Service |
|||||||||
|
|
Request |
xxxv |
|
|
|
|
|
|
|
|
|
Getting Started |
1-1 |
|
|
|
|
|
|
|
||
C H A P T E R 1 |
|
|
|
|
|
|
|
||||
|
|
Introducing the IME |
1-1 |
|
|
|
|
|
|||
|
|
Advisory |
1-2 |
|
|
|
|
|
|
|
|
|
|
Participating in the SensorBase Network |
1-2 |
|
|
|
|||||
|
|
IME Home Pane |
1-3 |
|
|
|
|
|
|
||
|
|
System Requirements |
1-4 |
|
|
|
|
|
|||
|
|
IME Demo Mode |
1-7 |
|
|
|
|
|
|
||
|
|
Installing the IME and Migrating Data In to the IME 1-8 |
|||||||||
|
|
Creating and Changing the IME Password |
1-9 |
|
|
|
|||||
|
|
Recovering the IME Password |
1-10 |
|
|
|
|
||||
|
|
Configuring General Options |
1-11 |
|
|
|
|
||||
|
|
Configuring the Data Archive |
1-12 |
|
|
|
|
||||
|
|
Configuring Email Setup 1-14 |
|
|
|
|
|
||||
|
|
Configuring Email Notification |
1-15 |
|
|
|
|
||||
|
|
Configuring Reports |
1-17 |
|
|
|
|
|
|||
|
|
Installation Error |
1-20 |
|
|
|
|
|
|||
|
Configuring Device Lists |
2-1 |
|
|
|
|
|
||||
C H A P T E R 2 |
|
|
|
|
|
||||||
|
|
Device List Pane |
2-1 |
|
|
|
|
|
|
||
|
|
Device List Pane Field Definitions 2-2 |
|
|
|
|
|||||
|
|
Add and Edit Device List Dialog Boxes Field Definitions 2-3 |
|||||||||
|
|
Adding, Editing, and Deleting Devices 2-4 |
|||||||||
|
|
|
Cisco Intrusion Prevention System Manager Express Configuration Guide for IPS 7.1 |
|
|
|
|||||
|
|
|
|
||||||||
|
OL-19891-01 |
|
|
|
|
|
|
|
|
iii |
|
|
|
|
|
|
|
|
|
|
|
||
Contents
Starting, Stopping, and Displaying Device, Event, Health, and Global Correlation Connection Status 2-5
|
Using Tools for Devices |
|
2-6 |
|
|
|
Configuring Dashboards |
3-1 |
|
|
|
C H A P T E R 3 |
|
|
|||
|
Understanding Dashboards |
3-1 |
|
||
|
Adding and Deleting Dashboards 3-1 |
|
|||
|
IME Gadgets 3-2 |
|
|
|
|
|
Sensor Information Gadget |
3-2 |
|
||
|
Sensor Health Gadget |
3-3 |
|
|
|
|
Licensing Gadget |
3-5 |
|
|
|
|
Interface Status Gadget |
3-5 |
|
||
|
Global Correlation Reports Gadget |
3-6 |
|||
|
Global Correlation Health Gadget |
3-7 |
|||
|
Network Security Gadget |
3-8 |
|
||
|
Top Applications Gadget |
3-9 |
|
||
|
Memory & Load Gadget |
3-10 |
|
||
|
RSS Feed Gadget |
3-11 |
|
|
|
|
Top Attackers Gadget |
3-11 |
|
||
|
Top Victims Gadget |
|
3-12 |
|
|
|
Top Signatures Gadget |
3-13 |
|
||
|
|
|
|
Attacks Over Time Gadget 3-13 |
|
|
|
||
|
|
|
|
Working With a Single Event for Individual Top Attacker and Victim IP Addresses 3-14 |
|||||
|
|
|
|
Working With a Single Event for a Top Signature |
3-15 |
|
|||
|
|
|
|
Configuring Filters |
3-16 |
|
|
|
|
|
|
|
|
Manage Filter Rules Dialog Box Field Definitions |
3-18 |
|
|||
|
|
|
|
Add and Edit Filter Dialog Boxes Field Definitions |
3-19 |
|
|||
|
|
Configuring RSS Feeds |
4-1 |
|
|
|
|||
C H A P T E R 4 |
|
|
|
|
|||||
|
|
|
|
Understanding RSS Feeds |
4-1 |
|
|
|
|
|
|
|
|
Configuring RSS Feeds |
4-1 |
|
|
|
|
|
|
Using the Startup Wizard |
5-1 |
|
|
|
|||
C H A P T E R 5 |
|
|
|
|
|||||
|
|
|
|
Startup Wizard Introduction Window |
5-1 |
|
|
||
|
|
|
|
Setting up the Sensor |
5-2 |
|
|
|
|
|
|
|
|
Sensor Setup Window |
5-2 |
|
|
|
|
|
|
|
|
Add and Edit ACL Entry Dialog Boxes 5-3 |
|
|
|||
|
|
|
|
Configure Summertime Dialog Box |
5-4 |
|
|
||
|
|
|
Cisco Intrusion Prevention System Manager Express Configuration Guide for IPS 7.1 |
||||||
|
|
|
|||||||
|
iv |
|
|
|
|
|
|
OL-19891-01 |
|
|
|
|
|
|
|
|
|
||
Contents
Configuring Sensor Settings |
5-4 |
Configuring Interfaces 5-7 |
|
Interface Summary Window |
5-7 |
Restore Defaults to an Interface Dialog Box 5-8 |
|
Traffic Inspection Mode Window 5-8 |
|
Interface Selection Window |
5-9 |
Inline Interface Pair Window |
5-9 |
Inline VLAN Pairs Window |
5-9 |
|
Add and Edit Inline VLAN Pair Entry Dialog Boxes |
5-10 |
|||||
|
Configuring Inline VLAN Pairs |
5-10 |
|
||||
|
Configuring Virtual Sensors |
5-11 |
|
|
|
||
|
Virtual Sensors Window |
5-11 |
|
|
|||
|
Add Virtual Sensor Dialog Box |
5-12 |
|
||||
|
Adding a Virtual Sensor |
5-13 |
|
|
|
||
|
Applying Signature Threat Profiles |
|
5-14 |
|
|||
|
Configuring Auto Update 5-16 |
|
|
|
|||
|
Setting Up the Sensor |
6-1 |
|
|
|
|
|
C H A P T E R 6 |
|
|
|
|
|||
|
Understanding Sensor Setup |
6-1 |
|
|
|
||
|
Configuring Network Settings |
6-1 |
|
|
|||
|
Network Pane |
6-2 |
|
|
|
|
|
|
Network Pane Field Definitions |
6-2 |
|
||||
|
Configuring Network Settings |
|
6-3 |
|
|||
|
Configuring Allowed Hosts/Networks 6-5 |
|
|||||
|
Allowed Hosts/Networks Pane |
|
6-5 |
|
|||
|
Allowed Hosts/Network Pane and Add and Edit Allowed Host Dialog Boxes Field |
||||||
|
Definitions |
6-6 |
|
|
|
|
|
|
Configuring Allowed Hosts and Networks 6-6 |
|
|||||
|
Configuring Time |
6-7 |
|
|
|
|
|
|
Time Pane |
6-7 |
|
|
|
|
|
|
Time Pane Field Definitions |
6-7 |
|
||||
|
Configure Summertime Dialog Box Field Definitions |
6-8 |
|||||
|
Configuring Time on the Sensor |
6-9 |
|
||||
|
Time Sources and the Sensor |
6-10 |
|
||||
|
Synchronizing IPS Module System Clocks with Parent Device System Clocks 6-11 |
||||||
|
Verifying the Sensor is Synchronized with the NTP Server 6-11 |
||||||
|
Correcting Time on the Sensor |
|
6-12 |
|
|||
|
Configuring NTP 6-12 |
|
|
|
|
||
|
Configuring a Cisco Router to be an NTP Server |
6-13 |
|
|
|
|
Cisco Intrusion Prevention System Manager Express Configuration Guide for IPS 7.1 |
|
|
|
|
|
|||||
|
OL-19891-01 |
|
|
v |
|
|
|
|
|
||
Contents
|
|
|
|
Configuring the Sensor to Use an NTP Time Source |
6-14 |
|
||||||
|
|
|
|
Manually Setting the System Clock |
6-15 |
|
|
|
||||
|
|
|
|
Clearing Events |
6-16 |
|
|
|
|
|
|
|
|
|
|
|
Configuring Authentication |
6-16 |
|
|
|
|
|||
|
|
|
|
Understanding User Roles |
6-17 |
|
|
|
|
|||
|
|
|
|
Understanding the Service Account |
6-18 |
|
|
|
||||
|
|
|
|
The Service Account and RADIUS Authentication |
6-18 |
|
|
|||||
|
|
|
|
RADIUS Authentication Functionality and Limitations |
6-19 |
|
||||||
|
|
|
|
Authentication Pane |
6-19 |
|
|
|
|
|
||
|
|
|
|
Authentication Pane Field Definitions 6-20 |
|
|
|
|||||
|
|
|
|
Add and Edit User Dialog Boxes Field Definitions |
6-22 |
|
|
|||||
|
|
|
|
Adding, Editing, Deleting Users, and Creating Accounts |
6-22 |
|
||||||
|
|
|
|
Locking User Accounts |
6-25 |
|
|
|
|
|||
|
|
|
|
Unlocking User Accounts |
6-26 |
|
|
|
|
|||
|
|
Configuring Interfaces |
7-1 |
|
|
|
|
|
|
|||
C H A P T E R 7 |
|
|
|
|
|
|
|
|||||
|
|
|
|
Sensor Interfaces 7-1 |
|
|
|
|
|
|
|
|
|
|
|
|
Understanding Interfaces |
7-1 |
|
|
|
|
|||
|
|
|
|
Command and Control Interface 7-2 |
|
|
|
|||||
|
|
|
|
Sensing Interfaces |
|
7-3 |
|
|
|
|
|
|
|
|
|
|
Interface Support |
7-4 |
|
|
|
|
|
|
|
|
|
|
|
TCP Reset Interfaces |
7-8 |
|
|
|
|
|
||
|
|
|
|
Understanding Alternate TCP Reset Interfaces |
7-8 |
|
|
|||||
|
|
|
|
Designating the Alternate TCP Reset Interface |
7-9 |
|
|
|||||
|
|
|
|
Hardware Bypass Mode |
7-9 |
|
|
|
|
|
||
|
|
|
|
Hardware Bypass Card |
7-10 |
|
|
|
|
|||
|
|
|
|
Hardware Bypass Configuration Restrictions |
7-10 |
|
|
|||||
|
|
|
|
Interface Configuration Restrictions |
7-11 |
|
|
|
||||
|
|
|
|
Understanding Interface Modes |
7-13 |
|
|
|
|
|||
|
|
|
|
Promiscuous Mode |
7-14 |
|
|
|
|
|
|
|
|
|
|
|
IPv6, Switches, and Lack of VACL Capture 7-14 |
|
|
|
|||||
|
|
|
|
Inline Interface Mode 7-15 |
|
|
|
|
|
|||
|
|
|
|
Inline VLAN Pair Mode |
7-16 |
|
|
|
|
|||
|
|
|
|
VLAN Groups Mode |
7-17 |
|
|
|
|
|
||
|
|
|
|
Interface Configuration Summary |
7-18 |
|
|
|
||||
|
|
|
|
Configuring Interfaces |
7-18 |
|
|
|
|
|
|
|
|
|
|
|
Interfaces Pane |
7-18 |
|
|
|
|
|
|
|
|
|
|
|
Interfaces Pane Field Definitions |
7-19 |
|
|
|
||||
|
|
|
|
Enabling and Disabling Interfaces |
7-20 |
|
|
|
||||
|
|
|
Cisco Intrusion Prevention System Manager Express Configuration Guide for IPS 7.1 |
|
|
|
||||||
|
|
|
|
|
|
|||||||
|
vi |
|
|
|
|
|
|
|
|
|
OL-19891-01 |
|
|
|
|
|
|
|
|
|
|
|
|
||
Contents
|
Edit Interface Dialog Box Field Definitions |
7-20 |
|
||||||||
|
Editing Interfaces |
7-21 |
|
|
|
|
|
|
|
||
|
Configuring Inline Interface Pairs |
7-22 |
|
|
|
||||||
|
Interface Pairs Pane |
|
7-22 |
|
|
|
|
|
|
||
|
Interface Pairs Pane Field Definitions |
7-22 |
|
|
|||||||
|
Add and Edit Interface Pair Dialog Boxes Field Definitions |
7-22 |
|||||||||
|
Configuring Inline Interface Pairs |
|
7-23 |
|
|
|
|||||
|
Configuring Inline VLAN Pairs |
7-23 |
|
|
|
|
|
||||
|
VLAN Pairs Pane |
7-23 |
|
|
|
|
|
|
|
||
|
VLAN Pairs Pane Field Definitions |
7-24 |
|
|
|||||||
|
Add and Edit VLAN Pair Dialog Boxes Field Definitions |
7-24 |
|||||||||
|
Configuring Inline VLAN Pairs |
7-25 |
|
|
|
||||||
|
Configuring VLAN Groups |
7-25 |
|
|
|
|
|
|
|||
|
VLAN Groups Pane |
|
7-26 |
|
|
|
|
|
|
||
|
Deploying VLAN Groups |
7-26 |
|
|
|
|
|
||||
|
VLAN Groups Pane Field Definitions |
7-27 |
|
|
|||||||
|
Add and Edit VLAN Group Dialog Boxes Field Definitions |
7-27 |
|||||||||
|
Configuring VLAN Groups |
7-27 |
|
|
|
|
|
||||
|
Configuring Bypass Mode |
7-28 |
|
|
|
|
|
|
|||
|
Bypass Pane |
7-28 |
|
|
|
|
|
|
|
|
|
|
Bypass Pane Field Definitions |
7-29 |
|
|
|
||||||
|
Adaptive Security Appliance, ASA 5500 AIP SSM, and Bypass Mode 7-30 |
||||||||||
|
Configuring Traffic Flow Notifications |
7-30 |
|
|
|||||||
|
Configuring CDP Mode |
|
7-31 |
|
|
|
|
|
|
||
|
Configuring Policies |
8-1 |
|
|
|
|
|
|
|
|
|
C H A P T E R 8 |
|
|
|
|
|
|
|
|
|
||
|
Understanding Security Policies |
8-1 |
|
|
|
|
|
||||
|
IPS Policies Components |
8-1 |
|
|
|
|
|
|
|||
|
Understanding Analysis Engine |
8-2 |
|
|
|
||||||
|
Understanding the Virtual Sensor |
|
8-2 |
|
|
|
|||||
|
Advantages and Restrictions of Virtualization |
8-3 |
|
||||||||
|
Inline TCP Session Tracking Mode |
8-3 |
|
|
|||||||
|
Understanding Normalizer Mode |
|
8-4 |
|
|
|
|||||
|
Understanding HTTP Advanced Decoding |
8-4 |
|
||||||||
|
Understanding Event Action Overrides |
8-5 |
|
|
|||||||
|
Calculating the Risk Rating |
8-5 |
|
|
|
|
|
||||
|
Understanding Threat Rating |
8-6 |
|
|
|
|
|||||
|
Event Action Summarization |
8-7 |
|
|
|
|
|||||
|
Event Action Aggregation |
8-7 |
|
|
|
|
Cisco Intrusion Prevention System Manager Express Configuration Guide for IPS 7.1 |
|
|
|
|
|
|||||
|
OL-19891-01 |
|
|
vii |
|
|
|
|
|
||
Contents
|
|
|
Configuring IPS Policies |
8-8 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
IPS Policies Pane 8-8 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
IPS Policies Pane Field Definitions |
8-9 |
|
|
|
|
|
|
|
|
|||
|
|
|
Add and Edit Virtual Sensor Dialog Boxes Field Definitions |
8-10 |
|
|
|
||||||||
|
|
|
Add and Edit Event Action Override Dialog Boxes Field Definitions |
8-12 |
|
|
|||||||||
|
|
|
Adding, Editing, and Deleting Virtual Sensors |
8-13 |
|
|
|
|
|
||||||
|
|
|
The ASA 5500 AIP SSM, ASA 5500-X IPS SSP, ASA 5585-X IPS SSP, and Virtual |
||||||||||||
|
|
|
Sensors 8-15 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Understanding the ASA IPS Modules and Virtual Sensors |
8-15 |
|
|
|
||||||||
|
|
|
Configuration Sequence for the ASA IPS Modules |
8-15 |
|
|
|
|
|||||||
|
|
|
Creating Virtual Sensors on the ASA 5585-X IPS SSP and ASA IPS Modules |
8-16 |
|
||||||||||
|
|
|
Assigning Virtual Sensors to Adaptive Security Appliance Contexts 8-18 |
|
|
||||||||||
|
|
|
Configuring Event Action Filters |
8-20 |
|
|
|
|
|
|
|
|
|
||
|
|
|
Understanding Event Action Filters |
8-20 |
|
|
|
|
|
|
|
||||
|
|
|
Event Action Filters Tab |
8-21 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Event Action Filters Tab Field Definitions |
8-21 |
|
|
|
|
|
|
|||||
|
|
|
Add and Edit Event Action Filter Dialog Boxes Field Definitions 8-22 |
|
|
||||||||||
|
|
|
Adding, Editing, Deleting, Enabling, Disabling, and Moving Event Action Filters |
8-23 |
|
||||||||||
|
|
|
Configuring IPv4 Target Value Rating |
8-25 |
|
|
|
|
|
|
|
||||
|
|
|
IPv4 Target Value Rating Tab |
8-26 |
|
|
|
|
|
|
|
|
|
||
|
|
|
IPv4 Target Value Rating Tab Field Definitions |
8-26 |
|
|
|
|
|
||||||
|
|
|
Add and Edit Target Value Rating Dialog Boxes Field Definitions |
8-26 |
|
|
|||||||||
|
|
|
Adding, Editing, and Deleting IPv4 Target Value Ratings |
8-26 |
|
|
|
||||||||
|
|
|
Configuring IPv6 Target Value Rating |
8-27 |
|
|
|
|
|
|
|
||||
|
|
|
IPv6 Target Value Rating Tab |
8-27 |
|
|
|
|
|
|
|
|
|
||
|
|
|
IPv6 Target Value Rating Tab Field Definitions |
8-27 |
|
|
|
|
|
||||||
|
|
|
Add and Edit Target Value Rating Dialog Boxes Field Definitions |
8-28 |
|
|
|||||||||
|
|
|
Adding, Editing, and Deleting IPv6 Target Value Ratings |
8-28 |
|
|
|
||||||||
|
|
|
Configuring OS Identifications |
8-29 |
|
|
|
|
|
|
|
|
|
||
|
|
|
Understanding Passive OS Fingerprinting |
8-30 |
|
|
|
|
|
|
|||||
|
|
|
Configuring Passive OS Fingerprinting |
8-31 |
|
|
|
|
|
|
|||||
|
|
|
OS Identifications Tab |
8-31 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
OS Identifications Tab Field Definitions |
|
8-32 |
|
|
|
|
|
|
||||
|
|
|
Add and Edit Configured OS Map Dialog Boxes Field Definitions |
8-32 |
|
|
|||||||||
|
|
|
Adding, Editing, Deleting, and Moving Configured OS Maps |
8-33 |
|
|
|
||||||||
|
|
|
Configuring Event Variables |
8-34 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Event Variables Tab |
8-34 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Event Variables Tab Field Definitions |
8-35 |
|
|
|
|
|
|
|||||
|
|
|
Add and Edit Event Variable Dialog Boxes Field Definitions |
8-35 |
|
|
|
||||||||
|
|
|
Cisco Intrusion Prevention System Manager Express Configuration Guide for IPS 7.1 |
|
|
|
|
|
|||||||
|
|
|
|
|
|
|
|
||||||||
|
viii |
|
|
|
|
|
|
|
|
|
|
|
OL-19891-01 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||
Contents
|
Adding, Editing, and Deleting Event Variables |
8-36 |
|||||
|
Configuring Risk Category |
8-37 |
|
|
|
||
|
Risk Category Tab |
8-37 |
|
|
|
|
|
|
Risk Category Tab Field Definitions |
8-38 |
|
||||
|
Add and Edit Risk Level Dialog Boxes Field Definitions 8-38 |
||||||
|
Adding, Editing, and Deleting Risk Categories |
8-38 |
|||||
|
Configuring Threat Category |
8-39 |
|
|
|||
|
Configuring General Settings |
8-40 |
|
|
|||
|
General Tab |
8-40 |
|
|
|
|
|
|
General Tab Field Definitions |
8-41 |
|
|
|||
|
Configuring the General Settings 8-41 |
|
|||||
|
Configuring Shared Policies and Group Policies 9-1 |
|
|||||
C H A P T E R 9 |
|
||||||
|
Configuring Shared Policies |
9-1 |
|
|
|
||
|
Understanding Shared Policies |
9-1 |
|
|
|||
|
Add Policy Field Definitions |
9-2 |
|
|
|||
|
Adding and Deleting Shared Policies |
9-3 |
|
||||
|
Deploying Shared Policies 9-3 |
|
|
||||
|
Configuring Policy Groups |
9-4 |
|
|
|
||
|
Defining Signatures |
10-1 |
|
|
|
|
|
C H A P T E R 10 |
|
|
|
|
|
||
|
Understanding Security Policies |
10-1 |
|
|
|||
|
Understanding Signatures |
10-1 |
|
|
|
||
|
Event Actions |
10-2 |
|
|
|
|
|
Signature Engines 10-4
Configuring Signature Definition Policies 10-7
Signature Definitions Pane 10-7
Signature Definitions Pane Field Definitions 10-8
Add and Clone Policy Dialog Boxes Field Definitions 10-8
Adding, Cloning, and Deleting Signature Policies 10-8
|
sig0 Pane |
10-9 |
|
|
|
|
|
|
MySDN |
10-10 |
|
|
|
|
|
|
Configuring Signatures |
10-11 |
|
|
|
|
|
|
Sig0 Pane Field Definitions 10-11 |
|
|
|
|
||
|
Add, Clone, and Edit Signatures Dialog Boxes Field Definitions 10-12 |
||||||
|
Edit Actions Dialog Box Field Definitions |
10-14 |
|
|
|
||
|
Enabling, Disabling, and Retiring Signatures |
10-17 |
|
|
|
||
|
Adding Signatures |
10-17 |
|
|
|
|
|
|
|
Cisco Intrusion Prevention System Manager Express Configuration Guide for IPS 7.1 |
|
|
|
||
|
|
|
|||||
|
OL-19891-01 |
|
|
|
|
ix |
|
|
|
|
|
|
|
||
Contents
|
|
|
|
|
Cloning Signatures |
10-19 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Tuning Signatures |
10-20 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Assigning Actions to Signatures |
10-21 |
|
|
|
|
|
|
|||
|
|
|
|
|
Configuring Alert Frequency |
10-23 |
|
|
|
|
|
|
|
||
|
|
|
|
|
Example Meta Engine Signature 10-25 |
|
|
|
|
|
|
||||
|
|
|
|
|
Example Atomic IP Advanced Engine Signature |
10-28 |
|
|
|
||||||
|
|
|
|
|
Example String XL TCP Match Offset Signature |
10-30 |
|
|
|
||||||
|
|
|
|
|
Example String XL TCP Engine Minimum Match Length Signature |
10-33 |
|
||||||||
|
|
|
|
|
Configuring Signature Variables 10-36 |
|
|
|
|
|
|
|
|||
|
|
|
|
|
Signature Variables Tab |
10-36 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Signature Variables Field Definitions |
10-36 |
|
|
|
|
|
||||
|
|
|
|
|
Adding, Editing, and Deleting Signature Variables |
|
10-37 |
|
|
|
|||||
|
|
|
|
|
Configuring Miscellaneous Settings |
10-38 |
|
|
|
|
|
|
|||
|
|
|
|
|
Miscellaneous Tab |
10-38 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Miscellaneous Tab Field Definitions |
10-39 |
|
|
|
|
|
||||
|
|
|
|
|
Configuring Application Policy Signatures |
10-40 |
|
|
|
|
|
||||
|
|
|
|
|
Understanding AIC Signatures |
10-40 |
|
|
|
|
|
|
|||
|
|
|
|
|
AIC Engine and Sensor Performance |
10-41 |
|
|
|
|
|
||||
|
|
|
|
|
AIC Request Method Signatures |
10-42 |
|
|
|
|
|
||||
|
|
|
|
|
AIC MIME Define Content Type Signatures |
10-43 |
|
|
|
||||||
|
|
|
|
|
AIC Transfer Encoding Signatures 10-46 |
|
|
|
|
|
|||||
|
|
|
|
|
AIC FTP Commands Signatures |
10-46 |
|
|
|
|
|
||||
|
|
|
|
|
Configuring Application Policy |
10-47 |
|
|
|
|
|
|
|||
|
|
|
|
|
Tuning an AIC Signature |
10-48 |
|
|
|
|
|
|
|
||
|
|
|
|
|
Configuring IP Fragment Reassembly Signatures |
|
10-49 |
|
|
|
|||||
|
|
|
|
|
Understanding IP Fragment Reassembly Signatures |
10-49 |
|
|
|||||||
|
|
|
|
|
IP Fragment Reassembly Signatures and Configurable Parameters |
10-50 |
|
||||||||
|
|
|
|
|
Configuring the IP Fragment Reassembly Mode |
10-51 |
|
|
|||||||
|
|
|
|
|
Tuning an IP Fragment Reassembly Signature |
|
10-51 |
|
|
|
|||||
|
|
|
|
|
Configuring TCP Stream Reassembly Signatures |
10-52 |
|
|
|
||||||
|
|
|
|
|
Understanding TCP Stream Reassembly Signatures |
10-52 |
|
|
|||||||
|
|
|
|
|
TCP Stream Reassembly Signatures and Configurable Parameters |
10-53 |
|
||||||||
|
|
|
|
|
Configuring the TCP Stream Reassembly Mode |
10-58 |
|
|
|||||||
|
|
|
|
|
Tuning a TCP Stream Reassembly Signature |
10-59 |
|
|
|
||||||
|
|
|
|
|
Configuring IP Logging |
10-60 |
|
|
|
|
|
|
|
|
|
|
|
Using the Custom Signature Wizard |
11-1 |
|
|
|
|
|
|
|
|||||
C H A P T E R 11 |
|
|
|
|
|
|
|
|
|||||||
|
|
|
|
|
Understanding the Custom Signature Wizard |
11-1 |
|
|
|
|
|
||||
|
|
|
|
|
Using a Signature Engine |
11-1 |
|
|
|
|
|
|
|
|
|
|
|
|
|
Cisco Intrusion Prevention System Manager Express Configuration Guide for IPS 7.1 |
|
|
|
|
|
||||||
|
|
|
|
|
|
|
|
|
|||||||
|
x |
|
|
|
|
|
|
|
|
|
|
|
|
OL-19891-01 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||
Contents
Signature Engines Not Supported for the Custom Signature Wizard 11-2 |
|
Not Using a Signature Engine |
11-4 |
Creating Custom Signatures |
11-4 |
Custom Signature Wizard Field Definitions |
11-9 |
||||
Welcome Window 11-10 |
|
|
|
|
|
Protocol Type Window |
11-10 |
|
|
|
|
Signature Identification Window |
11-11 |
|
|
||
Service MSRPC Engine Parameters Window |
11-11 |
||||
ICMP Traffic Type Window |
11-12 |
|
|
||
Inspect Data Window |
11-12 |
|
|
|
|
UDP Traffic Type Window |
11-12 |
|
|
|
|
UDP Sweep Type Window |
11-12 |
|
|
|
|
TCP Traffic Type Window |
11-12 |
|
|
|
|
Service Type Window |
11-13 |
|
|
|
|
TCP Sweep Type Window |
11-13 |
|
|
|
|
Atomic IP Engine Parameters Window |
11-13 |
||||
Example Atomic IP Advanced Engine Signature 11-14 |
|||||
Service HTTP Engine Parameters Window |
11-16 |
||||
Example Service HTTP Engine Signature |
11-17 |
||||
Service RPC Engine Parameters Window |
11-19 |
||||
State Engine Parameters Window |
11-20 |
|
|
||
String ICMP Engine Parameters Window |
11-21 |
||||
String TCP Engine Parameters Window |
11-21 |
||||
Example String TCP Engine Signature |
11-22 |
||||
String UDP Engine Parameters Window |
11-24 |
||||
Sweep Engine Parameters Window |
11-24 |
|
|||
Alert Response Window |
11-26 |
|
|
|
|
Alert Behavior Window |
11-26 |
|
|
|
|
|
|
Event Count and Interval Window 11-26 |
|
|
|
|
||
|
|
Alert Summarization Window |
11-27 |
|
|
|
|
|
|
|
Alert Dynamic Response Fire All Window |
11-27 |
|
|
|
||
|
|
Alert Dynamic Response Fire Once Window |
11-28 |
|
|
|
||
|
|
Alert Dynamic Response Summary Window |
11-28 |
|
|
|
||
|
|
Global Summarization Window |
11-29 |
|
|
|
|
|
|
Configuring Event Action Rules |
12-1 |
|
|
|
|
|
|
C H A P T E R 12 |
|
|
|
|
|
|||
|
|
Understanding Security Policies |
12-1 |
|
|
|
|
|
|
|
Event Action Rules Components |
12-2 |
|
|
|
|
|
|
|
Understanding Event Action Rules |
12-2 |
|
|
|
|
|
|
|
Cisco Intrusion Prevention System Manager Express Configuration Guide for IPS 7.1 |
|
|
|
|||
|
|
|
||||||
|
OL-19891-01 |
|
|
|
|
|
xi |
|
|
|
|
|
|
|
|
||
Contents
|
|
|
Calculating the Risk Rating |
|
12-2 |
|
|
|
|
|
|
|
|
|
|
|
Understanding Threat Rating |
12-4 |
|
|
|
|
|
|
|
|
|
|
|
|
Understanding Event Action Overrides |
12-4 |
|
|
|
|
|
||||
|
|
|
Understanding Event Action Filters |
12-4 |
|
|
|
|
|
|
|||
|
|
|
Event Action Summarization |
12-5 |
|
|
|
|
|
|
|
|
|
|
|
|
Event Action Aggregation |
12-5 |
|
|
|
|
|
|
|
|
|
|
|
|
Signature Event Action Processor |
12-6 |
|
|
|
|
|
|
|
||
|
|
|
Event Actions 12-8 |
|
|
|
|
|
|
|
|
|
|
|
|
|
Configuring Event Action Rules Policies |
12-11 |
|
|
|
|
|
||||
|
|
|
Event Action Rules Pane |
12-11 |
|
|
|
|
|
|
|
|
|
|
|
|
Event Action Rules Pane Field Definitions |
12-12 |
|
|
|
|
|||||
|
|
|
Add and Clone Policy Dialog Boxes Field Definitions 12-12 |
|
|
|
|||||||
|
|
|
Adding, Cloning, and Deleting Event Action Rules Policies |
12-12 |
|
|
|
||||||
|
|
|
rules0 Pane 12-13 |
|
|
|
|
|
|
|
|
|
|
|
|
|
Configuring Event Action Overrides 12-13 |
|
|
|
|
|
|
|
|||
|
|
|
Event Action Overrides Tab |
12-13 |
|
|
|
|
|
|
|
|
|
|
|
|
Event Action Overrides Tab Field Definitions |
12-13 |
|
|
|
|
|||||
|
|
|
Add and Edit Event Action Override Dialog Boxes Field Definitions |
12-13 |
|
||||||||
|
|
|
Adding, Editing, Deleting, Enabling, and Disabling Event Action Overrides 12-14 |
||||||||||
|
|
|
Configuring Event Action Filters |
12-15 |
|
|
|
|
|
|
|
|
|
|
|
|
Event Action Filters Tab |
12-15 |
|
|
|
|
|
|
|
|
|
|
|
|
Event Action Filters Tab Field Definitions |
12-15 |
|
|
|
|
|||||
|
|
|
Add and Edit Event Action Filter Dialog Boxes Field Definitions |
12-16 |
|
||||||||
|
|
|
Adding, Editing, Deleting, Enabling, Disabling, and Moving Event Action Filters 12-17 |
||||||||||
|
|
|
Configuring IPv4 Target Value Rating |
12-19 |
|
|
|
|
|
|
|||
|
|
|
IPv4 Target Value Rating Tab |
12-20 |
|
|
|
|
|
|
|
||
|
|
|
IPv4 Target Value Rating Tab Field Definitions |
12-20 |
|
|
|
|
|||||
|
|
|
Add and Edit Target Value Rating Dialog Boxes Field Definitions |
12-20 |
|
||||||||
|
|
|
Adding, Editing, and Deleting IPv4 Target Value Ratings |
12-20 |
|
|
|
||||||
|
|
|
Configuring IPv6 Target Value Rating |
12-21 |
|
|
|
|
|
|
|||
|
|
|
IPv6 Target Value Rating Tab |
12-21 |
|
|
|
|
|
|
|
||
|
|
|
IPv6 Target Value Rating Tab Field Definitions |
12-21 |
|
|
|
|
|||||
|
|
|
Add and Edit IPv6 Target Value Rating Dialog Boxes Field Definitions |
12-22 |
|
||||||||
|
|
|
Adding, Editing, and Deleting IPv6 Target Value Ratings |
12-22 |
|
|
|
||||||
|
|
|
Configuring OS Identifications |
12-23 |
|
|
|
|
|
|
|
|
|
|
|
|
OS Identifications Tab 12-23 |
|
|
|
|
|
|
|
|
|
|
|
|
|
Understanding Passive OS Fingerprinting |
|
12-24 |
|
|
|
|
||||
|
|
|
Configuring Passive OS Fingerprinting |
12-25 |
|
|
|
|
|
||||
|
|
|
OS Identifications Tab Field Definitions |
|
12-25 |
|
|
|
|
|
|||
|
|
|
Cisco Intrusion Prevention System Manager Express Configuration Guide for IPS 7.1 |
|
|
|
|
||||||
|
|
|
|
|
|
|
|||||||
|
xii |
|
|
|
|
|
|
|
|
|
|
OL-19891-01 |
|
|
|
|
|
|
|
|
|
|
|
|
|
||
Contents
|
|
Add and Edit Configured OS Map Dialog Boxes Field Definitions 12-26 |
||||||||||||
|
|
Adding, Editing, Deleting, and Moving Configured OS Maps |
12-27 |
|
|
|
||||||||
|
|
Configuring Event Variables |
12-28 |
|
|
|
|
|
|
|
|
|||
|
|
Event Variables Tab |
12-28 |
|
|
|
|
|
|
|
|
|
||
|
|
Event Variables Tab Field Definitions |
12-29 |
|
|
|
|
|
|
|||||
|
|
Add and Edit Event Variable Dialog Boxes Field Definitions |
12-29 |
|
|
|
||||||||
|
|
Adding, Editing, and Deleting Event Variables |
12-29 |
|
|
|
|
|
||||||
|
|
Configuring Risk Category |
12-31 |
|
|
|
|
|
|
|
|
|
||
|
|
Risk Category Tab 12-31 |
|
|
|
|
|
|
|
|
|
|
||
|
|
Risk Category Tab Field Definitions |
12-31 |
|
|
|
|
|
|
|||||
|
|
Add and Edit Risk Level Dialog Boxes Field Definitions |
12-31 |
|
|
|
||||||||
|
|
Adding, Editing, and Deleting Risk Categories |
12-32 |
|
|
|
|
|
||||||
|
|
Configuring Threat Category |
12-32 |
|
|
|
|
|
|
|
|
|||
|
|
Configuring General Settings |
12-33 |
|
|
|
|
|
|
|
|
|||
|
|
General Tab 12-33 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
General Tab Field Definitions |
12-34 |
|
|
|
|
|
|
|
|
|||
|
|
Configuring the General Settings 12-34 |
|
|
|
|
|
|
|
|||||
|
Configuring Anomaly Detection |
13-1 |
|
|
|
|
|
|
|
|
||||
C H A P T E R 13 |
|
|
|
|
|
|
|
|
||||||
|
|
Understanding Security Policies |
13-1 |
|
|
|
|
|
|
|
|
|||
|
|
Anomaly Detection Components |
13-2 |
|
|
|
|
|
|
|
|
|||
|
|
Understanding Anomaly Detection |
13-2 |
|
|
|
|
|
|
|||||
|
|
Worms |
13-2 |
|
|
|
|
|
|
|
|
|
|
|
|
|
Anomaly Detection Modes |
13-3 |
|
|
|
|
|
|
|
|
|||
|
|
Enabling Anomaly Detection |
13-4 |
|
|
|
|
|
|
|
|
|||
|
|
Anomaly Detection Zones |
13-5 |
|
|
|
|
|
|
|
|
|||
|
|
Anomaly Detection Configuration Sequence |
13-5 |
|
|
|
|
|
||||||
|
|
Anomaly Detection Signatures |
13-7 |
|
|
|
|
|
|
|
|
|||
|
|
Configuring Anomaly Detections Policies |
|
13-9 |
|
|
|
|
|
|
||||
|
|
Anomaly Detections Pane |
13-9 |
|
|
|
|
|
|
|
|
|||
|
|
Anomaly Detections Pane Field Definitions |
13-9 |
|
|
|
|
|
||||||
|
|
Add and Clone Policy Dialog Boxes Field Definitions |
13-9 |
|
|
|
|
|||||||
|
|
Adding, Cloning, and Deleting Anomaly Detection Policies |
13-10 |
|
|
|
||||||||
|
|
ad0 Pane |
13-10 |
|
|
|
|
|
|
|
|
|
|
|
|
|
Configuring Operation Settings |
13-11 |
|
|
|
|
|
|
|
|
|||
|
|
Operation Settings Tab |
13-11 |
|
|
|
|
|
|
|
|
|
||
|
|
Operating Settings Tab Field Definitions |
13-11 |
|
|
|
|
|
||||||
|
|
Configuring Anomaly Detection Operation Settings 13-11 |
|
|
|
|
||||||||
|
|
|
Cisco Intrusion Prevention System Manager Express Configuration Guide for IPS 7.1 |
|
|
|
||||||||
|
|
|
|
|||||||||||
|
OL-19891-01 |
|
|
|
|
|
|
|
|
|
|
|
xiii |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||
Contents
|
Configuring Learning Accept Mode |
13-12 |
|
|
||||
|
Learning Accept Mode Tab |
13-12 |
|
|
||||
|
The KB and Histograms |
13-12 |
|
|
|
|||
|
Learning Accept Mode Tab Field Definitions 13-14 |
|
|
|||||
|
Add and Edit Start Time Dialog Boxes Field Definitions |
13-14 |
|
|||||
|
Configuring Learning Accept Mode 13-14 |
|
|
|||||
|
Configuring the Internal Zone |
|
13-15 |
|
|
|||
|
Internal Zone Tab |
13-15 |
|
|
|
|
|
|
|
General Tab |
13-16 |
|
|
|
|
|
|
|
TCP Protocol Tab |
13-16 |
|
|
|
|
|
|
|
Add and Edit Destination Port Dialog Boxes Field Definitions |
13-17 |
||||||
|
Add and Edit Histogram Dialog Boxes Field Definitions |
13-17 |
|
|||||
|
UDP Protocol Tab |
13-17 |
|
|
|
|
|
|
|
Other Protocols Tab |
13-18 |
|
|
|
|
||
|
Add and Edit Protocol Number Dialog Boxes Field Definitions |
13-18 |
||||||
|
Configuring the Internal Zone |
13-19 |
|
|
||||
|
Configuring the Illegal Zone |
13-22 |
|
|
|
|||
|
Illegal Zone Tab 13-22 |
|
|
|
|
|
||
|
General Tab |
13-23 |
|
|
|
|
|
|
|
TCP Protocol Tab |
13-23 |
|
|
|
|
|
|
|
Add and Edit Destination Port Dialog Boxes Field Definitions |
13-23 |
||||||
|
Add and Edit Histogram Dialog Boxes Field Definitions |
13-24 |
|
|||||
|
UDP Protocol Tab |
13-24 |
|
|
|
|
|
|
|
Other Protocols Tab |
13-25 |
|
|
|
|
||
|
Add and Edit Protocol Number Dialog Boxes Field Definitions |
13-25 |
||||||
|
Configuring the Illegal Zone |
13-25 |
|
|
||||
|
Configuring the External Zone |
|
13-29 |
|
|
|||
|
External Zone Tab |
13-29 |
|
|
|
|
|
|
|
TCP Protocol Tab |
13-29 |
|
|
|
|
|
|
|
Add and Edit Destination Port Dialog Boxes Field Definitions |
13-30 |
||||||
|
Add and Edit Histogram Dialog Boxes Field Definitions |
13-30 |
|
|||||
|
UDP Protocol Tab |
13-31 |
|
|
|
|
|
|
|
Other Protocols Tab |
13-31 |
|
|
|
|
||
|
Add and Edit Protocol Number Dialog Boxes Field Definitions |
13-32 |
||||||
|
Configuring the External Zone |
13-32 |
|
|
||||
|
Disabling Anomaly Detection |
|
13-35 |
|
|
|||
|
Configuring Global Correlation |
|
14-1 |
|
|
|
||
C H A P T E R 14 |
|
|
|
|
||||
|
|
|
Understanding Global Correlation |
14-1 |
|
|
|
|
Cisco Intrusion Prevention System Manager Express Configuration Guide for IPS 7.1 |
||
|
|
|
|||
|
xiv |
|
|
OL-19891-01 |
|
|
|
|
|
||
Contents
|
|
Participating in the SensorBase Network 14-2 |
|
|
|
|
|
||||
|
|
Understanding Reputation |
14-2 |
|
|
|
|
|
|
|
|
|
|
Understanding Network Participation |
|
14-3 |
|
|
|
|
|
||
|
|
Understanding Efficacy 14-4 |
|
|
|
|
|
|
|
|
|
|
|
Reputation and Risk Rating |
14-5 |
|
|
|
|
|
|
|
|
|
|
Global Correlation Features and Goals |
14-5 |
|
|
|
|
|
|||
|
|
Global Correlation Requirements |
14-6 |
|
|
|
|
|
|||
|
|
Understanding Global Correlation Sensor Health Metrics 14-7 |
|
|
|
|
|||||
|
|
Configuring Global Correlation Inspection and Reputation Filtering 14-7 |
|
|
|
|
|||||
|
|
Inspection/Reputation Pane |
14-8 |
|
|
|
|
|
|
||
|
|
Inspection/Reputation Pane Field Definitions |
14-9 |
|
|
|
|
||||
|
|
Configuring Global Correlation Inspection and Reputation Filtering |
14-9 |
|
|
|
|||||
|
|
Configuring Network Participation |
14-10 |
|
|
|
|
|
|||
|
|
Network Participation Pane |
14-10 |
|
|
|
|
|
|||
|
|
Network Participation Pane Field Definitions |
14-10 |
|
|
|
|
||||
|
|
Configuring Network Participation |
14-11 |
|
|
|
|
|
|||
|
|
Troubleshooting Global Correlation |
|
14-11 |
|
|
|
|
|
||
|
|
Disabling Global Correlation |
14-12 |
|
|
|
|
|
|
|
|
|
Configuring SSH and Certificates |
15-1 |
|
|
|
|
|
|
|||
C H A P T E R 15 |
|
|
|
|
|
|
|||||
|
|
Understanding SSH 15-1 |
|
|
|
|
|
|
|
|
|
|
|
Configuring Authorized RSA Keys |
15-2 |
|
|
|
|
|
|||
|
|
Authorized RSA Keys Pane |
15-2 |
|
|
|
|
|
|
||
|
|
Authorized RSA Keys Pane Field Definitions |
15-2 |
|
|
|
|
||||
|
|
Add and Edit Authorized RSA Key Dialog Boxes Field Definitions |
15-3 |
|
|
|
|||||
|
|
Defining Authorized RSA Keys |
|
15-3 |
|
|
|
|
|
||
|
|
Configuring Authorized RSA1 Keys |
|
15-4 |
|
|
|
|
|
||
|
|
Authorized RSA1 Keys Pane |
15-4 |
|
|
|
|
|
|||
|
|
Authorized RSA1 Keys Pane Field Definitions |
15-4 |
|
|
|
|
||||
|
|
Add and Edit Authorized RSA1 Key Dialog Boxes Field Definitions |
15-5 |
|
|
|
|||||
|
|
Defining Authorized RSA1 Keys |
|
15-5 |
|
|
|
|
|
||
|
|
Configuring Known Host RSA Keys |
|
15-6 |
|
|
|
|
|
||
|
|
Known Host RSA Keys Pane |
15-6 |
|
|
|
|
|
|||
|
|
Known Host RSA Keys Pane Field Definitions |
15-7 |
|
|
|
|
||||
|
|
Add and Edit Known Host RSA Key Dialog Boxes Field Definitions |
15-7 |
|
|
|
|||||
|
|
Defining Known RSA Host Keys |
|
15-7 |
|
|
|
|
|
||
|
|
Configuring Known Host RSA1 Keys |
15-8 |
|
|
|
|
|
|||
|
|
Known Host RSA1 Keys Pane |
|
15-8 |
|
|
|
|
|
||
|
|
Cisco Intrusion Prevention System Manager Express Configuration Guide for IPS 7.1 |
|
|
|
||||||
|
|
|
|||||||||
|
OL-19891-01 |
|
|
|
|
|
|
|
|
xv |
|
|
|
|
|
|
|
|
|
|
|
||
Contents
Known Host RSA1 Keys Pane Field Definitions 15-9 |
|
Add and Edit Known Host RSA1 Key Dialog Boxes Field Definitions 15-9 |
|
Defining Known Host RSA1 Keys 15-9 |
|
Generating the Sensor Key |
15-10 |
Understanding Certificates |
15-11 |
Configuring Trusted Hosts |
15-12 |
|
|
|
|
|
Trusted Hosts Pane |
15-13 |
|
|
|
|
|
|
|
|
|
|
|
|
Trusted Hosts Pane Field Definitions |
15-13 |
|
|
|
|
|||
|
|
|
|
|
Add Trusted Host Dialog Box Field Definitions |
15-13 |
|
|
|||||
|
|
|
|
|
Adding Trusted Hosts |
15-13 |
|
|
|
|
|
|
|
|
|
|
|
|
Adding Trusted Root Certificates |
15-14 |
|
|
|
|
|
||
|
|
|
|
|
Trusted Root Certificates Pane |
15-14 |
|
|
|
|
|||
|
|
|
|
|
Trusted Root Certificates Field Definitions |
15-15 |
|
|
|||||
|
|
|
|
|
Add and Update Trusted Root Certificates Dialog Box Field Definitions 15-15 |
||||||||
|
|
|
|
|
Adding and Updating Trusted Root Certificates |
15-15 |
|
|
|||||
|
|
|
|
|
Generating the Server Certificate |
15-16 |
|
|
|
|
|
||
|
|
Configuring Attack Response Controller for Blocking and Rate Limiting |
16-1 |
|
|||||||||
C H A P T E R 16 |
|
|
|||||||||||
|
|
|
|
|
ARC Components 16-1 |
|
|
|
|
|
|
|
|
|
|
|
|
|
Understanding Blocking |
16-2 |
|
|
|
|
|
|
|
|
|
|
|
|
Understanding Rate Limiting |
16-4 |
|
|
|
|
|
||
|
|
|
|
|
Understanding Service Policies for Rate Limiting |
16-5 |
|
|
|||||
|
|
|
|
|
Before Configuring the ARC |
16-5 |
|
|
|
|
|
||
|
|
|
|
|
Supported Devices 16-5 |
|
|
|
|
|
|
|
|
|
|
|
|
|
Configuring Blocking Properties |
16-7 |
|
|
|
|
|
||
|
|
|
|
|
Blocking Properties Pane |
16-7 |
|
|
|
|
|
||
|
|
|
|
|
Understanding Blocking Properties |
16-7 |
|
|
|
|
|||
|
|
|
|
|
Blocking Properties Pane Field Definitions |
16-8 |
|
|
|
||||
|
|
|
|
|
Configuring Blocking Properties 16-9 |
|
|
|
|
||||
|
|
|
|
|
Add and Edit Never Block Address Dialog Boxes Field Definitions |
16-10 |
|
||||||
|
|
|
|
|
Adding, Editing, and Deleting IP Addresses Never to be Blocked 16-11 |
||||||||
|
|
|
|
|
Configuring Device Login Profiles |
16-11 |
|
|
|
|
|||
|
|
|
|
|
Device Login Profiles Pane |
16-12 |
|
|
|
|
|
||
|
|
|
|
|
Device Login Profiles Pane Field Definitions |
16-12 |
|
|
|||||
|
|
|
|
|
Add and Edit Device Login Profile Dialog Boxes Field Definitions |
16-12 |
|
||||||
|
|
|
|
|
Configuring Device Login Profiles |
16-13 |
|
|
|
|
|||
|
|
|
|
|
Configuring Blocking Devices |
16-14 |
|
|
|
|
|
||
|
|
|
|
|
Blocking Device Pane |
16-14 |
|
|
|
|
|
|
|
|
|
|
|
|
Blocking Devices Pane Field Definitions 16-14 |
|
|
|
|||||
|
|
|
|
Cisco Intrusion Prevention System Manager Express Configuration Guide for IPS 7.1 |
|
|
|
||||||
|
|
|
|
|
|
|
|||||||
|
xvi |
|
|
|
|
|
|
|
|
|
|
OL-19891-01 |
|
|
|
|
|
|
|
|
|
|
|
|
|
||
Contents
|
|
Add and Edit Blocking Device Dialog Boxes Field Definitions 16-15 |
|
|
||||||||||
|
|
Adding, Editing, and Deleting Blocking and Rate Limiting Devices |
16-15 |
|
|
|
||||||||
|
|
Configuring Router Blocking Device Interfaces |
16-17 |
|
|
|
|
|
||||||
|
|
Router Blocking Device Interfaces Pane 16-17 |
|
|
|
|
|
|
|
|||||
|
|
Understanding Router Blocking Device Interfaces |
16-17 |
|
|
|
|
|
||||||
|
|
How the Sensor Manages Devices |
16-18 |
|
|
|
|
|
|
|
|
|||
|
|
Router Blocking Device Interfaces Pane Field Definitions |
16-19 |
|
|
|
|
|||||||
|
|
Add and Edit Router Blocking Device Interface Dialog Boxes Field Definitions |
16-19 |
|
||||||||||
|
|
Configuring the Router Blocking and Rate Limiting Device Interfaces |
16-20 |
|
|
|
||||||||
|
|
Configuring Cat 6K Blocking Device Interfaces 16-21 |
|
|
|
|
|
|||||||
|
|
Cat 6K Blocking Device Interfaces Pane |
16-21 |
|
|
|
|
|
|
|
||||
|
|
Understanding Cat 6K Blocking Device Interfaces |
16-21 |
|
|
|
|
|
||||||
|
|
Cat 6K Blocking Device Interfaces Pane Field Definitions |
16-22 |
|
|
|
|
|||||||
|
|
Add and Edit Cat 6K Blocking Device Interface Dialog Boxes Field Definitions |
16-22 |
|
||||||||||
|
|
Configuring Cat 6K Blocking Device Interfaces |
|
16-23 |
|
|
|
|
|
|||||
|
|
Configuring the Master Blocking Sensor 16-24 |
|
|
|
|
|
|
|
|||||
|
|
Master Blocking Sensor Pane |
16-24 |
|
|
|
|
|
|
|
|
|||
|
|
Understanding the Master Blocking Sensor |
16-24 |
|
|
|
|
|
|
|||||
|
|
Master Blocking Sensor Pane Field Definitions |
16-25 |
|
|
|
|
|
||||||
|
|
Add and Edit Master Blocking Sensor Dialog Boxes Field Definitions |
16-25 |
|
|
|
||||||||
|
|
Configuring the Master Blocking Sensor |
16-25 |
|
|
|
|
|
|
|
||||
|
Configuring SNMP |
17-1 |
|
|
|
|
|
|
|
|
|
|
|
|
C H A P T E R 17 |
|
|
|
|
|
|
|
|
|
|
|
|||
|
|
Understanding SNMP 17-1 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Configuring General Configuration |
17-2 |
|
|
|
|
|
|
|
|
|||
|
|
General Configuration Pane |
17-2 |
|
|
|
|
|
|
|
|
|||
|
|
General Configuration Pane Field Definitions |
17-2 |
|
|
|
|
|
||||||
|
|
Configuring General Parameters |
17-3 |
|
|
|
|
|
|
|
|
|||
|
|
Configuring SNMP Traps 17-3 |
|
|
|
|
|
|
|
|
|
|
||
|
|
Traps Configuration Pane |
17-4 |
|
|
|
|
|
|
|
|
|
||
|
|
Traps Configuration Pane Field Definitions |
17-4 |
|
|
|
|
|
|
|||||
|
|
Add and Edit SNMP Trap Destination Dialog Boxes Field Definitions |
17-5 |
|
|
|
||||||||
|
|
Configuring SNMP Traps |
17-5 |
|
|
|
|
|
|
|
|
|
||
|
|
Supported MIBs |
17-6 |
|
|
|
|
|
|
|
|
|
|
|
|
Managing Time-Based Actions |
18-1 |
|
|
|
|
|
|
|
|
|
|||
C H A P T E R 18 |
|
|
|
|
|
|
|
|
|
|||||
|
|
Configuring and Monitoring Denied Attackers |
18-1 |
|
|
|
|
|
|
|||||
|
|
Denied Attackers Pane |
18-1 |
|
|
|
|
|
|
|
|
|
|
|
|
|
Denied Attackers Pane Field Definitions |
18-2 |
|
|
|
|
|
|
|
||||
|
|
Cisco Intrusion Prevention System Manager Express Configuration Guide for IPS 7.1 |
|
|
|
|||||||||
|
|
|
|
|
||||||||||
|
OL-19891-01 |
|
|
|
|
|
|
|
|
|
|
|
xvii |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||
Contents
|
|
|
|
|
Monitoring the Denied Attackers List and Adding Denied Attackers 18-2 |
|||||||||
|
|
|
|
|
Configuring Host Blocks |
18-3 |
|
|
|
|
|
|
||
|
|
|
|
|
Host Blocks Pane |
18-3 |
|
|
|
|
|
|
|
|
|
|
|
|
|
Host Block Pane Field Definitions |
18-3 |
|
|
|
|
|
|||
|
|
|
|
|
Add Host Block Dialog Box Field Definitions |
18-4 |
|
|
||||||
|
|
|
|
|
Adding, Deleting, and Managing Host Blocks |
18-4 |
|
|
||||||
|
|
|
|
|
Configuring Network Blocks |
18-5 |
|
|
|
|
|
|
||
|
|
|
|
|
Network Blocks Pane |
18-6 |
|
|
|
|
|
|
||
|
|
|
|
|
Network Blocks Pane Field Definitions |
18-6 |
|
|
|
|
||||
|
|
|
|
|
Add Network Block Dialog Box Field Definitions |
18-6 |
|
|
||||||
|
|
|
|
|
Adding, Deleting, and Managing Network Blocks |
18-6 |
|
|
||||||
|
|
|
|
|
Configuring Rate Limits |
18-7 |
|
|
|
|
|
|
||
|
|
|
|
|
Rate Limits Pane |
18-7 |
|
|
|
|
|
|
|
|
|
|
|
|
|
Rate Limits Pane Field Definitions |
18-8 |
|
|
|
|
|
|||
|
|
|
|
|
Add Rate Limit Dialog Box Field Definitions |
18-8 |
|
|
||||||
|
|
|
|
|
Adding, Deleting, and Managing Rate Limiting |
|
18-9 |
|
|
|||||
|
|
|
|
|
Configuring IP Logging |
18-10 |
|
|
|
|
|
|
||
|
|
|
|
|
Understanding IP Logging |
18-10 |
|
|
|
|
|
|
||
|
|
|
|
|
IP Logging Pane |
18-11 |
|
|
|
|
|
|
|
|
|
|
|
|
|
IP Logging Pane Field Definitions |
18-11 |
|
|
|
|
||||
|
|
|
|
|
Add and Edit IP Logging Dialog Boxes Field Definitions |
18-11 |
|
|||||||
|
|
|
|
|
Configuring IP Logging |
18-12 |
|
|
|
|
|
|
||
|
|
Configuring External Product Interfaces |
19-1 |
|
|
|
|
|||||||
C H A P T E R 19 |
|
|
|
|
|
|||||||||
|
|
|
|
|
Understanding External Product Interfaces |
19-1 |
|
|
|
|
||||
|
|
|
|
|
Understanding CSA MC |
19-1 |
|
|
|
|
|
|
||
|
|
|
|
|
External Product Interface Issues 19-3 |
|
|
|
|
|
|
|||
|
|
|
|
|
Configuring the CSA MC to Support IPS Interfaces |
|
19-3 |
|
|
|||||
|
|
|
|
|
Configuring External Product Interfaces |
19-4 |
|
|
|
|
||||
|
|
|
|
|
External Product Interfaces Pane 19-4 |
|
|
|
|
|
||||
|
|
|
|
|
External Product Interfaces Pane Field Definitions |
19-5 |
|
|
||||||
|
|
|
|
|
Add and Edit External Product Interface Dialog Boxes Field Definitions 19-6 |
|||||||||
|
|
|
|
|
Add and Edit Posture ACL Dialog Boxes Field Definitions |
19-7 |
|
|||||||
|
|
|
|
|
Adding, Editing, and Deleting External Product Interfaces and Posture ACLs 19-7 |
|||||||||
|
|
|
|
|
Troubleshooting External Product Interfaces |
19-10 |
|
|
|
|
||||
|
|
Managing the Sensor 20-1 |
|
|
|
|
|
|
|
|
||||
C H A P T E R 20 |
|
|
|
|
|
|
|
|
|
|||||
|
|
|
|
|
Configuring Passwords |
|
20-1 |
|
|
|
|
|
|
|
|
|
|
|
Cisco Intrusion Prevention System Manager Express Configuration Guide for IPS 7.1 |
|
|
|
|||||||
|
|
|
|
|
|
|
||||||||
|
xviii |
|
|
|
|
|
|
|
|
|
|
|
OL-19891-01 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||
Contents
|
Passwords Pane |
20-1 |
|
|
|
|
|
|
|
|
|
|
|
Passwords Pane Field Definitions |
20-2 |
|
|
|
|
|
|||||
|
Configuring Password Requirements |
20-2 |
|
|
|
|
||||||
|
Configuring Packet Logging |
20-3 |
|
|
|
|
|
|
|
|||
|
Recovering the Password |
20-4 |
|
|
|
|
|
|
|
|
||
|
Understanding Password Recovery |
|
20-4 |
|
|
|
|
|
||||
|
Recovering the Appliance Password |
20-5 |
|
|
|
|
|
|||||
|
Using the GRUB Menu |
20-5 |
|
|
|
|
|
|
|
|||
|
Using ROMMON |
20-6 |
|
|
|
|
|
|
|
|
||
|
Recovering the ASA 5500 AIP SSM Password |
20-7 |
|
|
|
|||||||
|
Recovering the ASA 5500-X IPS SSP Password |
20-9 |
|
|
|
|||||||
|
Recovering the ASA 5585-X IPS SSP Password |
20-11 |
|
|
|
|||||||
|
Disabling Password Recovery |
20-13 |
|
|
|
|
|
|||||
|
Troubleshooting Password Recovery |
20-14 |
|
|
|
|
||||||
|
Verifying the State of Password Recovery |
20-14 |
|
|
|
|
||||||
|
Configuring Licensing 20-14 |
|
|
|
|
|
|
|
|
|
||
|
Licensing Pane |
20-15 |
|
|
|
|
|
|
|
|
|
|
|
Understanding Licensing |
20-15 |
|
|
|
|
|
|
|
|||
|
Service Programs for IPS Products |
|
20-16 |
|
|
|
|
|
||||
|
Licensing Pane Field Definitions |
20-16 |
|
|
|
|
|
|||||
|
Obtaining and Installing the License Key |
20-17 |
|
|
|
|
||||||
|
Obtaining a New License Key for the IPS 4270-20 20-18 |
|||||||||||
|
Licensing the ASA 5500-X IPS SSP |
20-18 |
|
|
|
|
||||||
|
Uninstalling the License Key |
20-19 |
|
|
|
|
|
|
||||
|
Configuring Sensor Health |
20-20 |
|
|
|
|
|
|
|
|||
|
Configuring IP Logging Variables |
20-21 |
|
|
|
|
|
|||||
|
Configuring Automatic Update |
|
20-22 |
|
|
|
|
|
|
|
||
|
Auto/Cisco.com Update Pane |
20-22 |
|
|
|
|
|
|
||||
|
Supported FTP and HTTP Servers |
20-23 |
|
|
|
|
|
|||||
|
UNIX-Style Directory Listings 20-23 |
|
|
|
|
|
||||||
|
Signature Updates and Installation Time |
20-23 |
|
|
|
|
||||||
|
Auto/Cisco.com Update Pane Field Definitions |
20-24 |
|
|
|
|||||||
|
Configuring Auto Update |
20-25 |
|
|
|
|
|
|
|
|||
|
Manually Updating the Sensor |
20-26 |
|
|
|
|
|
|
|
|||
|
Update Sensor Pane |
20-26 |
|
|
|
|
|
|
|
|
||
|
Update Sensor Pane Field Definitions |
20-27 |
|
|
|
|
||||||
|
Updating the Sensor |
20-27 |
|
|
|
|
|
|
|
|
||
|
Restoring Defaults |
20-29 |
|
|
|
|
|
|
|
|
|
|
|
Rebooting the Sensor |
20-29 |
|
|
|
|
|
|
|
|
|
|
|
Cisco Intrusion Prevention System Manager Express Configuration Guide for IPS 7.1 |
|
|
|
||||||||
|
||||||||||||
|
OL-19891-01 |
|
|
|
|
|
|
|
|
|
xix |
|
|
|
|
|
|
|
|
|
|
|
|
||
Contents
|
Shutting Down the Sensor |
20-30 |
|
|
|
Monitoring the Sensor |
21-1 |
|
|
C H A P T E R 21 |
|
|
||
|
Monitoring Events |
21-1 |
|
|
|
Events Pane 21-1 |
|
|
|
|
Events Pane Field Definitions |
21-2 |
||
|
Event Viewer Pane Field Definitions 21-3 |
|||
|
Configuring Event Display |
21-3 |
||
|
Clearing Event Store |
21-4 |
|
|
|
|
|
Displaying Inspection Load Statistics |
21-4 |
|
|
|
|||
|
|
|
Displaying Interface Statistics |
21-5 |
|
|
|
|
||
|
|
|
Monitoring Anomaly Detection KBs |
21-7 |
|
|
|
|||
|
|
|
Anomaly Detection Pane |
21-7 |
|
|
|
|
||
|
|
|
Understanding KBs |
21-8 |
|
|
|
|
||
|
|
|
Anomaly Detection Pane Field Definitions |
21-8 |
|
|||||
|
|
|
Showing Thresholds |
21-9 |
|
|
|
|
||
|
|
|
Threshold for KB_Name Window |
21-9 |
|
|||||
|
|
|
Thresholds for KB_Name Window Field Definitions 21-10 |
|||||||
|
|
|
Monitoring the KB Thresholds |
21-10 |
|
|
||||
|
|
|
Comparing KBs |
21-11 |
|
|
|
|
|
|
|
|
|
Compare Knowledge Base Dialog Box |
21-11 |
|
|||||
|
|
|
Differences between knowledge bases KB_Name and KB_Name Window 21-11 |
|||||||
|
|
|
Difference Thresholds between knowledge bases KB_Name and KB_Name |
|||||||
|
|
|
Window 21-11 |
|
|
|
|
|
|
|
|
|
|
Comparing KBs |
21-12 |
|
|
|
|
||
|
|
|
Saving the Current KB |
21-12 |
|
|
|
|
||
|
|
|
Save Knowledge Base Dialog Box |
21-13 |
|
|||||
|
|
|
Loading a KB |
|
21-13 |
|
|
|
|
|
|
|
|
Saving a KB |
21-13 |
|
|
|
|
|
|
|
|
|
Deleting a KB |
|
21-14 |
|
|
|
|
|
|
|
|
Renaming a KB |
21-14 |
|
|
|
|
||
|
|
|
Downloading a KB |
21-15 |
|
|
|
|
||
|
|
|
Uploading a KB |
21-15 |
|
|
|
|
||
|
|
|
Configuring OS Identifications 21-16 |
|
|
|
|
|||
|
|
|
Configuring Learned Operating Systems |
|
21-16 |
|
||||
|
|
|
Configuring Imported Operating Systems |
21-17 |
|
|||||
|
|
|
Clearing Flow States |
21-18 |
|
|
|
|
|
|
|
|
|
Clear Flow States Pane |
21-18 |
|
|
|
|
||
|
|
|
Clear Flow States Pane Field Definitions |
|
21-19 |
|
||||
|
|
|
Cisco Intrusion Prevention System Manager Express Configuration Guide for IPS 7.1 |
|||||||
|
|
|
||||||||
|
xx |
|
|
|
|
|
|
|
OL-19891-01 |
|
|
|
|
|
|
|
|
|
|
||
Contents
Clearing Flow States 21-19 |
|
Resetting Network Security Health |
21-20 |
Generating a Diagnostics Report |
21-20 |
Viewing Statistics 21-21 |
|
|
Viewing System Information |
21-22 |
|
|
|
||
|
Configuring Event Monitoring |
22-1 |
|
|
|
||
C H A P T E R 22 |
|
|
|
||||
|
Understanding Event Monitoring 22-1 |
|
|
||||
|
Group By, Color Rules, Fields, and General Tabs |
22-2 |
|||||
|
Understanding Filters |
22-2 |
|
|
|
|
|
|
Filter Tab and Add Filter Dialog Box Field Definitions 22-3 |
||||||
|
Working With Event Views |
22-4 |
|
|
|
||
|
Working With a Single Event |
22-5 |
|
|
|
||
|
Configuring Filters for Event Views |
22-6 |
|
||||
|
Configuring and Generating Reports |
23-1 |
|
||||
C H A P T E R 23 |
|
||||||
|
Understanding IME Reporting |
23-1 |
|
|
|
||
|
Configuring and Generating Reports |
23-3 |
|
||||
|
Logging In to the Sensor |
24-1 |
|
|
|
|
|
C H A P T E R 24 |
|
|
|
|
|||
|
Supported User Roles |
24-1 |
|
|
|
|
|
|
Logging In to the Appliance |
24-2 |
|
|
|
||
|
Connecting an Appliance to a Terminal Server |
24-3 |
|||||
|
Logging In to the ASA 5500 AIP SSM |
24-4 |
|
||||
|
Logging In to the ASA 5500-X IPS SSP |
24-5 |
|
||||
|
Logging In to the ASA 5585-X IPS SSP |
24-6 |
|
||||
|
Logging In to the Sensor |
24-7 |
|
|
|
||
|
Initializing the Sensor |
25-1 |
|
|
|
|
|
C H A P T E R 25 |
|
|
|
|
|||
|
Understanding Initialization |
25-1 |
|
|
|
||
|
Simplified Setup Mode |
25-2 |
|
|
|
|
|
|
System Configuration Dialog |
25-2 |
|
|
|
||
|
Basic Sensor Setup |
25-4 |
|
|
|
|
|
|
Advanced Setup |
25-7 |
|
|
|
|
|
|
Appliance Advanced Setup 25-7 |
|
|
|
|
|
ASA 5500 AIP SSM Advanced Setup |
25-13 |
|
|
|
|
Cisco Intrusion Prevention System Manager Express Configuration Guide for IPS 7.1 |
|
|
|
|
|
|||||
|
OL-19891-01 |
|
|
xxi |
|
|
|
|
|
||
Contents
|
ASA 5500-X IPS SSP Advanced Setup |
25-17 |
|
|||||
|
ASA 5585-X IPS SSP Advanced Setup |
25-20 |
|
|||||
|
Verifying Initialization |
25-24 |
|
|
|
|
|
|
|
Obtaining Software |
26-1 |
|
|
|
|
|
|
C H A P T E R 26 |
|
|
|
|
|
|
||
|
IPS 7.1 File List |
26-1 |
|
|
|
|
|
|
|
Obtaining Cisco IPS Software |
26-1 |
|
|
|
|
||
|
IPS Software Versioning |
26-3 |
|
|
|
|
|
|
|
Software Release Examples 26-5 |
|
|
|
|
|||
|
Accessing IPS Documentation |
26-7 |
|
|
|
|
||
|
Cisco Security Intelligence Operations |
26-7 |
|
|
||||
|
Upgrading, Downgrading, and Installing System Images |
27-1 |
||||||
C H A P T E R 27 |
||||||||
|
Understanding Upgrades, Downgrades, and System Images 27-1 |
|||||||
|
Supported FTP and HTTP/HTTPS Servers |
27-2 |
|
|||||
|
Upgrading the Sensor 27-2 |
|
|
|
|
|
||
|
IPS 7.1 Upgrade Files |
27-3 |
|
|
|
|
|
|
|
Upgrade Notes and Caveats |
27-3 |
|
|
|
|
||
|
Manually Upgrading the Sensor |
27-3 |
|
|
|
|||
|
Upgrading the Recovery Partition |
27-6 |
|
|
||||
|
Configuring Automatic Upgrades 27-7 |
|
|
|
||||
|
Understanding Automatic Upgrades 27-7 |
|
|
|||||
|
Automatically Upgrading the Sensor |
27-7 |
|
|
||||
|
Downgrading the Sensor |
27-10 |
|
|
|
|
|
|
|
Recovering the Application Partition |
27-11 |
|
|
||||
|
Installing System Images |
27-12 |
|
|
|
|
|
|
|
ROMMON |
27-13 |
|
|
|
|
|
|
|
TFTP Servers |
27-13 |
|
|
|
|
|
|
|
Connecting an Appliance to a Terminal Server 27-13 |
|||||||
|
Installing the IPS 4240 and IPS 4255 System Image |
27-14 |
||||||
|
Installing the IPS 4260 System Image |
27-17 |
|
|||||
|
Installing the IPS 4270-20 System Image |
27-19 |
|
|||||
|
Installing the IPS 4345 and IPS 4360 System Image |
27-21 |
||||||
|
Installing the IPS 4510 and IPS 4520 System Image |
27-25 |
||||||
|
Installing the ASA 5500 AIP SSM System Image |
27-27 |
||||||
|
Installing the ASA 5500-X IPS SSP Image |
27-29 |
|
|||||
|
|
|
Installing the ASA 5585-X IPS SSP System Image |
27-31 |
|
|
|
|
Cisco Intrusion Prevention System Manager Express Configuration Guide for IPS 7.1 |
|
|
|
|
|
|
|
|
|
xxii |
|
|
OL-19891-01 |
|
|
|
|
|
Contents
Installing the ASA 5585-X IPS SSP System Image Using the hw-module
Command
Installing the ASA 5585-X IPS SSP System Image Using ROMMON
A P P E N D I X A |
System Architecture |
A-1 |
|
|
Purpose of Cisco IPS |
A-1 |
|
|
System Design |
A-1 |
|
|
System Applications |
A-4 |
|
|
User Interaction |
A-5 |
|
|
Security Features |
A-5 |
|
|
MainApp A-6 |
|
|
|
Understanding the MainApp |
A-6 |
|
|
|
|
|
|
||||||
|
MainApp Responsibilities |
A-6 |
|
|
|
|
|
|
|
|||||
|
Event Store |
A-7 |
|
|
|
|
|
|
|
|
|
|
||
|
Understanding the Event Store |
A-7 |
|
|
|
|
|
|||||||
|
Event Data Structures |
A-8 |
|
|
|
|
|
|
|
|||||
|
IPS Events |
A-9 |
|
|
|
|
|
|
|
|
|
|||
|
NotificationApp |
A-9 |
|
|
|
|
|
|
|
|
|
|||
|
CtlTransSource |
A-11 |
|
|
|
|
|
|
|
|
|
|||
|
Attack Response Controller |
A-12 |
|
|
|
|
|
|
||||||
|
Understanding the ARC |
A-13 |
|
|
|
|
|
|
||||||
|
ARC Features |
A-14 |
|
|
|
|
|
|
|
|
|
|||
|
Supported Blocking Devices |
A-15 |
|
|
|
|
|
|||||||
|
ACLs and VACLs |
A-16 |
|
|
|
|
|
|
|
|||||
|
Maintaining State Across Restarts A-16 |
|
|
|
|
|
||||||||
|
Connection-Based and Unconditional Blocking |
A-17 |
||||||||||||
|
Blocking with Cisco Firewalls |
A-18 |
|
|
|
|
|
|||||||
|
Blocking with Catalyst Switches |
A-19 |
|
|
|
|
|
|||||||
|
Logger |
A-19 |
|
|
|
|
|
|
|
|
|
|
|
|
|
InterfaceApp |
|
A-20 |
|
|
|
|
|
|
|
|
|
||
|
AuthenticationApp |
A-20 |
|
|
|
|
|
|
|
|
||||
|
Understanding the AuthenticationApp A-20 |
|
|
|
|
|||||||||
|
Authenticating Users |
A-20 |
|
|
|
|
|
|
|
|||||
|
Configuring Authentication on the Sensor |
A-21 |
|
|
|
|
||||||||
|
Managing TLS and SSH Trust Relationships |
A-21 |
||||||||||||
|
Web Server |
A-23 |
|
|
|
|
|
|
|
|
|
|
||
|
SensorApp |
A-23 |
|
|
|
|
|
|
|
|
|
|
|
|
|
Understanding the SensorApp |
A-23 |
|
|
|
|
|
|
||||||
|
Inline, Normalization, and Event Risk Rating Features |
A-24 |
||||||||||||
|
|
Cisco Intrusion Prevention System Manager Express Configuration Guide for IPS 7.1 |
|
|
|
|||||||||
|
|
|
||||||||||||
|
OL-19891-01 |
|
|
|
|
|
|
|
|
|
|
|
xxiii |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||
Contents
SensorApp New Features A-25
Packet Flow |
A-26 |
|
Signature Event Action Processor A-26 |
||
CollaborationApp |
A-28 |
|
Understanding the CollaborationApp A-28 |
||
Update Components |
A-28 |
|
Error Events |
A-29 |
|
SwitchApp A-30 |
|
|
CLI A-30 |
|
|
Understanding the CLI |
A-30 |
|
User Roles |
A-30 |
|
Service Account A-31
Communications A-32
IDAPI A-32
IDIOM A-33
IDCONF A-33
SDEE A-34
CIDEE A-34
|
|
|
|
|
Cisco IPS File Structure |
A-35 |
|
|
|||
|
|
|
|
|
Summary of Cisco IPS Applications A-36 |
||||||
|
|
Signature Engines |
B-1 |
|
|
|
|
||||
A P P E N D I X B |
|
|
|
|
|
||||||
|
|
|
|
|
Understanding Signature Engines |
B-1 |
|||||
|
|
|
|
|
Master Engine |
B-4 |
|
|
|
|
|
|
|
|
|
|
General Parameters |
B-4 |
|
|
|
||
|
|
|
|
|
Alert Frequency |
B-7 |
|
|
|
||
|
|
|
|
|
Event Actions |
B-8 |
|
|
|
|
|
|
|
|
|
|
Regular Expression Syntax |
B-9 |
|
|
|||
|
|
|
|
|
AIC Engine B-10 |
|
|
|
|
|
|
|
|
|
|
|
Understanding the AIC Engine |
B-10 |
|||||
|
|
|
|
|
AIC Engine and Sensor Performance B-11 |
||||||
|
|
|
|
|
AIC Engine Parameters |
B-11 |
|
|
|||
|
|
|
|
|
Atomic Engine |
B-13 |
|
|
|
|
|
|
|
|
|
|
Atomic ARP Engine |
B-13 |
|
|
|||
|
|
|
|
|
Atomic IP Advanced Engine |
B-14 |
|||||
|
|
|
|
|
Atomic IP Engine |
B-24 |
|
|
|
||
|
|
|
|
|
Atomic IPv6 Engine |
B-27 |
|
|
|||
|
|
|
|
|
Fixed Engine |
B-28 |
|
|
|
|
|
|
|
|
|
Cisco Intrusion Prevention System Manager Express Configuration Guide for IPS 7.1 |
|||||||
|
|
|
|
||||||||
|
xxiv |
|
|
|
|
|
|
|
|
OL-19891-01 |
|
|
|
|
|
|
|
|
|
|
|
||
Contents
|
|
Flood Engine |
B-31 |
|
|
|
|
|
|
|
|
|
|
Meta Engine |
B-32 |
|
|
|
|
|
|
|
|
|
|
Multi String Engine |
B-34 |
|
|
|
|
|
|
||
|
|
Normalizer Engine |
|
B-36 |
|
|
|
|
|
|
|
|
|
Service Engines |
B-39 |
|
|
|
|
|
|
||
|
|
Understanding the Service Engines B-39 |
|||||||||
|
|
Service DNS Engine |
B-39 |
|
|
|
|
||||
|
|
Service FTP Engine |
B-41 |
|
|
|
|
||||
|
|
Service Generic Engine |
B-42 |
|
|
|
|
||||
|
|
Service H225 Engine |
B-43 |
|
|
|
|
||||
|
|
Service HTTP Engine |
B-46 |
|
|
|
|
||||
|
|
Service IDENT Engine |
B-48 |
|
|
|
|
||||
|
|
Service MSRPC Engine |
B-48 |
|
|
|
|
||||
|
|
Service MSSQL Engine |
B-50 |
|
|
|
|
||||
|
|
Service NTP Engine |
B-51 |
|
|
|
|
||||
|
|
Service P2P |
B-52 |
|
|
|
|
|
|
||
|
|
Service RPC Engine |
B-52 |
|
|
|
|
||||
|
|
Service SMB Advanced Engine |
B-54 |
||||||||
|
|
Service SNMP Engine |
B-56 |
|
|
|
|
||||
|
|
Service SSH Engine |
B-57 |
|
|
|
|
||||
|
|
Service TNS Engine |
B-57 |
|
|
|
|
||||
|
|
State Engine |
B-59 |
|
|
|
|
|
|
|
|
|
|
String Engines |
B-61 |
|
|
|
|
|
|
||
|
|
String XL Engines |
|
B-63 |
|
|
|
|
|
|
|
|
|
Sweep Engines |
B-66 |
|
|
|
|
|
|
||
|
|
Sweep Engine |
|
B-66 |
|
|
|
|
|
|
|
|
|
Sweep Other TCP Engine |
B-69 |
||||||||
|
|
Traffic Anomaly Engine |
B-69 |
|
|
|
|
||||
|
|
Traffic ICMP Engine |
B-72 |
|
|
|
|
|
|||
|
|
Trojan Engines |
B-72 |
|
|
|
|
|
|
||
|
Troubleshooting |
C-1 |
|
|
|
|
|
|
|
||
A P P E N D I X C |
|
|
|
|
|
|
|
||||
|
|
Cisco Bug Search |
C-1 |
|
|
|
|
|
|
||
|
|
Preventive Maintenance |
C-2 |
|
|
|
|
|
|||
|
|
Understanding Preventive Maintenance C-2 |
|||||||||
|
|
Creating and Using a Backup Configuration File C-2 |
|||||||||
|
|
Backing Up and Restoring the Configuration File Using a Remote Server C-3 |
|||||||||
|
|
Creating the Service Account |
C-5 |
||||||||
|
|
Cisco Intrusion Prevention System Manager Express Configuration Guide for IPS 7.1 |
|
|
|
||||||
|
|
|
|||||||||
|
OL-19891-01 |
|
|
|
|
|
|
|
|
xxv |
|
|
|
|
|
|
|
|
|
|
|
||
Contents
Disaster Recovery |
C-6 |
|
|
|
|
Password Recovery |
C-7 |
|
|
|
|
Understanding Password Recovery |
C-7 |
|
|||
Recovering the Appliance Password |
C-8 |
|
|||
Using the GRUB Menu |
C-8 |
|
|
||
Using ROMMON |
C-9 |
|
|
|
|
Recovering the ASA 5500 AIP SSM Password |
C-10 |
||||
Recovering the ASA 5500-X IPS SSP Password |
C-12 |
||||
Recovering the ASA 5585-X IPS SSP Password |
C-14 |
||||
Disabling Password Recovery |
C-15 |
|
|
||
Verifying the State of Password Recovery C-16 |
|
||||
Troubleshooting Password Recovery |
C-17 |
|
|||
Time Sources and the Sensor |
C-17 |
|
|
||
Time Sources and the Sensor |
C-17 |
|
|
||
Synchronizing IPS Module Clocks with Parent Device Clocks C-18
Verifying the Sensor is Synchronized with the NTP Server
Correcting Time on the Sensor
|
|
|
Advantages and Restrictions of Virtualization |
C-19 |
|
|
|
||||
|
|
|
Supported MIBs C-20 |
|
|
|
|
|
|
|
|
|
|
|
When to Disable Anomaly Detection |
C-21 |
|
|
|
|
|
||
|
|
|
The Analysis Engine is Not Responding |
C-22 |
|
|
|
|
|
||
|
|
|
Troubleshooting RADIUS Authentication C-23 |
|
|
|
|
||||
|
|
|
Troubleshooting Global Correlation |
C-23 |
|
|
|
|
|
||
|
|
|
Troubleshooting External Product Interfaces |
C-23 |
|
|
|
||||
|
|
|
External Product Interfaces Issues |
|
C-24 |
|
|
|
|
|
|
|
|
|
External Product Interfaces Troubleshooting Tips |
C-24 |
|
|
|||||
|
|
|
Troubleshooting the Appliance |
C-25 |
|
|
|
|
|
|
|
|
|
|
The Appliance and Jumbo Packet Frame Size |
C-25 |
|
|
|||||
|
|
|
Troubleshooting Loose Connections |
C-25 |
|
|
|
|
|||
|
|
|
The Analysis Engine is Busy |
C-26 |
|
|
|
|
|
|
|
|
|
|
Connecting the IPS 4240 to a Cisco 7200 Series Router |
C-26 |
|||||||
|
|
|
Communication Problems |
C-27 |
|
|
|
|
|
|
|
|
|
|
Cannot Access the Sensor CLI Through Telnet or SSH C-27 |
||||||||
|
|
|
Correcting a Misconfigured Access List |
C-29 |
|
|
|||||
|
|
|
Duplicate IP Address Shuts Interface Down |
C-30 |
|
|
|||||
|
|
|
The SensorApp and Alerting |
C-31 |
|
|
|
|
|
|
|
|
|
|
The SensorApp Not Running |
|
C-31 |
|
|
|
|
|
|
|
|
|
Physical Connectivity, SPAN, or VACL Port Issue |
C-33 |
|||||||
|
|
|
Unable to See Alerts C-34 |
|
|
|
|
|
|
|
|
|
|
|
Cisco Intrusion Prevention System Manager Express Configuration Guide for IPS 7.1 |
|
|
|
|||||
|
|
|
|
|
|
||||||
|
xxvi |
|
|
|
|
|
|
|
|
OL-19891-01 |
|
|
|
|
|
|
|
|
|
|
|
||
Contents
|
Sensor Not Seeing Packets |
C-36 |
|
|
|
|
|
|
|
||||
|
Cleaning Up a Corrupted SensorApp Configuration |
C-37 |
|
|
|
|
|||||||
|
Blocking |
C-38 |
|
|
|
|
|
|
|
|
|
|
|
|
Troubleshooting Blocking |
C-38 |
|
|
|
|
|
|
|
|
|||
|
Verifying the ARC is Running |
C-39 |
|
|
|
|
|
|
|
||||
|
Verifying ARC Connections are Active |
C-40 |
|
|
|
|
|
|
|||||
|
Device Access Issues C-42 |
|
|
|
|
|
|
|
|
||||
|
Verifying the Interfaces and Directions on the Network Device C-43 |
|
|
|
|
||||||||
|
Enabling SSH Connections to the Network Device |
|
C-44 |
|
|
|
|
||||||
|
Blocking Not Occurring for a Signature |
C-45 |
|
|
|
|
|
|
|||||
|
Verifying the Master Blocking Sensor Configuration |
C-46 |
|
|
|
|
|||||||
|
Logging |
C-47 |
|
|
|
|
|
|
|
|
|
|
|
|
Understanding Debug Logging |
C-47 |
|
|
|
|
|
|
|
||||
|
Enabling Debug Logging |
C-47 |
|
|
|
|
|
|
|
|
|||
|
Zone Names |
C-51 |
|
|
|
|
|
|
|
|
|
||
|
Directing cidLog Messages to SysLog |
C-52 |
|
|
|
|
|
|
|||||
|
TCP Reset Not Occurring for a Signature C-53 |
|
|
|
|
|
|
||||||
|
Software Upgrades |
|
C-55 |
|
|
|
|
|
|
|
|
|
|
|
Upgrading C-55 |
|
|
|
|
|
|
|
|
|
|||
|
Which Updates to Apply and Their Prerequisites |
C-55 |
|
|
|
|
|||||||
|
Issues With Automatic Update |
C-56 |
|
|
|
|
|
|
|
||||
|
Updating a Sensor with the Update Stored on the Sensor C-57 |
|
|
|
|
||||||||
|
Troubleshooting the IDM |
C-57 |
|
|
|
|
|
|
|
|
|
||
|
Cannot Launch the IDM - Loading Java Applet Failed |
|
C-58 |
|
|
|
|
||||||
|
Cannot Launch the IDM - the Analysis Engine Busy |
C-59 |
|
|
|
|
|||||||
|
The IDM, Remote Manager, or Sensing Interfaces Cannot Access Sensor |
C-59 |
|||||||||||
|
Signatures Not Producing Alerts |
C-60 |
|
|
|
|
|
|
|
||||
|
Troubleshooting the IME |
C-60 |
|
|
|
|
|
|
|
|
|
||
|
Time Synchronization on the IME and the Sensor C-61 |
|
|
|
|
|
|||||||
|
Not Supported Error Message |
C-61 |
|
|
|
|
|
|
|
|
|||
|
Installation Error |
C-61 |
|
|
|
|
|
|
|
|
|
||
|
Troubleshooting the ASA 5500 AIP SSM |
C-62 |
|
|
|
|
|
|
|
||||
|
Failover Scenarios |
|
C-62 |
|
|
|
|
|
|
|
|
|
|
|
The ASA 5500 AIP SSM and the Data Plane |
C-63 |
|
|
|
|
|
|
|||||
|
Health and Status Information |
C-63 |
|
|
|
|
|
|
|
|
|||
|
The ASA 5500 AIP SSM and the Normalizer Engine |
C-65 |
|
|
|
|
|||||||
|
The ASA 5500 AIP SSM and Jumbo Packet Frame Size |
C-66 |
|
|
|
|
|||||||
|
The ASA 5500 AIP SSM and Jumbo Packets |
C-66 |
|
|
|
|
|
|
|||||
|
TCP Reset Differences Between IPS Appliances and ASA IPS Modules |
C-67 |
|||||||||||
|
|
Cisco Intrusion Prevention System Manager Express Configuration Guide for IPS 7.1 |
|
|
|
||||||||
|
|
|
|||||||||||
|
OL-19891-01 |
|
|
|
|
|
|
|
|
|
|
xxvii |
|
|
|
|
|
|
|
|
|
|
|
|
|
||
Contents
|
|
|
IPS Reloading Messages |
C-67 |
|
|
|
|
|
|
|
|
||
|
|
|
Troubleshooting the ASA 5500-X IPS SSP |
|
C-67 |
|
|
|
|
|
||||
|
|
|
Failover Scenarios |
C-68 |
|
|
|
|
|
|
|
|
|
|
|
|
|
Health and Status Information |
C-69 |
|
|
|
|
|
|
|
|||
|
|
|
The ASA 5500-X IPS SSP and the Normalizer Engine |
C-70 |
|
|
||||||||
|
|
|
The ASA 5500-X IPS SSP and Memory Usage |
C-71 |
|
|
|
|||||||
|
|
|
The ASA 5500-X IPS SSP and Jumbo Packet Frame Size |
C-71 |
|
|
||||||||
|
|
|
The ASA 5500-X IPS SSP and Jumbo Packets |
C-72 |
|
|
|
|||||||
|
|
|
TCP Reset Differences Between IPS Appliances and ASA IPS Modules |
C-72 |
||||||||||
|
|
|
IPS Reloading Messages |
C-72 |
|
|
|
|
|
|
|
|
||
|
|
|
IPS Not Loading C-73 |
|
|
|
|
|
|
|
|
|
||
|
|
|
Troubleshooting the ASA 5585-X IPS SSP |
|
C-73 |
|
|
|
|
|
||||
|
|
|
Failover Sceneries |
C-73 |
|
|
|
|
|
|
|
|
|
|
|
|
|
Traffic Flow Stopped on IPS Switchports |
C-75 |
|
|
|
|
|
|||||
|
|
|
Health and Status Information |
C-75 |
|
|
|
|
|
|
|
|||
|
|
|
The ASA 5585-X IPS SSP and the Normalizer Engine |
C-78 |
|
|
||||||||
|
|
|
The ASA 5585-X IPS SSP and Jumbo Packet Frame Size |
C-79 |
|
|
||||||||
|
|
|
The ASA 5585-X IPS SSP and Jumbo Packets |
C-79 |
|
|
|
|||||||
|
|
|
TCP Reset Differences Between IPS Appliances and ASA IPS Modules |
C-79 |
||||||||||
|
|
|
IPS Reloading Messages |
C-79 |
|
|
|
|
|
|
|
|
||
|
|
|
Gathering Information |
C-80 |
|
|
|
|
|
|
|
|
|
|
|
|
|
Understanding Information Gathering |
C-80 |
|
|
|
|
|
|||||
|
|
|
Health and Network Security Information |
C-80 |
|
|
|
|
|
|||||
|
|
|
Tech Support Information |
C-81 |
|
|
|
|
|
|
|
|||
|
|
|
Understanding the show tech-support Command |
C-81 |
|
|
||||||||
|
|
|
Displaying Tech Support Information |
C-82 |
|
|
|
|
|
|||||
|
|
|
Tech Support Command Output |
C-83 |
|
|
|
|
|
|||||
|
|
|
Version Information |
|
C-85 |
|
|
|
|
|
|
|
|
|
|
|
|
Understanding the show version Command |
C-85 |
|
|
|
|||||||
|
|
|
Displaying Version Information |
C-86 |
|
|
|
|
|
|||||
|
|
|
Statistics Information |
C-88 |
|
|
|
|
|
|
|
|
||
|
|
|
Understanding the show statistics Command |
C-88 |
|
|
|
|||||||
|
|
|
Displaying Statistics |
C-89 |
|
|
|
|
|
|
|
|
||
|
|
|
Interfaces Information |
C-100 |
|
|
|
|
|
|
|
|
||
|
|
|
Understanding the show interfaces Command |
C-100 |
|
|
||||||||
|
|
|
Interfaces Command Output |
C-101 |
|
|
|
|
|
|
||||
|
|
|
Events Information |
|
C-101 |
|
|
|
|
|
|
|
|
|
|
|
|
Sensor Events |
C-102 |
|
|
|
|
|
|
|
|
|
|
|
|
|
Understanding the show events Command |
C-102 |
|
|
|
|||||||
|
|
|
Cisco Intrusion Prevention System Manager Express Configuration Guide for IPS 7.1 |
|
|
|
|
|||||||
|
|
|
|
|
|
|
||||||||
|
xxviii |
|
|
|
|
|
|
|
|
|
|
|
OL-19891-01 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||
Contents
|
|
Displaying Events C-102 |
|
|
|
|
|||||
|
|
Clearing Events |
C-105 |
|
|
|
|
||||
|
|
cidDump Script |
C-105 |
|
|
|
|
||||
|
|
Uploading and Accessing Files on the Cisco FTP Site C-106 |
|||||||||
|
Open Source License Files Used In Cisco IPS 7.1 D-1 |
||||||||||
A P P E N D I X D |
|||||||||||
|
|
Contents |
D-1 |
|
|
|
|
|
|
|
|
|
|
bash 3.2 |
D-2 |
|
|
|
|
|
|
|
|
|
|
busybox 1.13.1 |
D-7 |
|
|
|
|
|
|
||
|
|
cracklib 2.8.12 |
|
D-13 |
|
|
|
|
|
|
|
|
|
curl 7.18.2 1 |
D-18 |
|
|
|
|
|
|
||
|
|
diffutils 2.8.1 |
D-19 |
|
|
|
|
|
|
||
|
|
e2fsprogs 1.39 |
|
D-23 |
|
|
|
|
|
|
|
|
|
Expat XML parser 2.0.1 |
D-28 |
|
|
|
|
||||
|
|
expect 5.4.3 |
D-29 |
|
|
|
|
|
|
||
|
|
freeradius-server 2.1.8 |
|
D-29 |
|
|
|
|
|||
|
|
freeradius-server-src-lib 2.1.8 D-34 |
|
|
|
|
|||||
|
|
glibc 2.9 |
D-40 |
|
|
|
|
|
|
|
|
|
|
gnupg 1.4.5 |
D-44 |
|
|
|
|
|
|
||
|
|
hotplug 2004_03_29 |
D-49 |
|
|
|
|
||||
|
|
i2c-tools 3.0.2 |
|
D-53 |
|
|
|
|
|
|
|
|
|
ipmiutil 2.3.3 |
D-58 |
|
|
|
|
|
|
||
|
|
iptables 1.4.1 |
D-59 |
|
|
|
|
|
|
||
|
|
kernel 2.6.29.1 |
D-63 |
|
|
|
|
|
|
||
|
|
KVM inter-VM shared memory module |
D-73 |
||||||||
|
|
libpcap 0.9.8 |
D-77 |
|
|
|
|
|
|
||
|
|
libtecla 1.6.1 |
D-78 |
|
|
|
|
|
|
||
|
|
Linux-Pam 1.0.1 |
D-78 |
|
|
|
|
|
|||
|
|
lm_sensors 3.0.2 |
D-79 |
|
|
|
|
|
|||
|
|
module-init-tools 3.2.2 1.0.0.0900084 |
D-84 |
||||||||
|
|
Ncurses 5.6 |
D-88 |
|
|
|
|
|
|
||
|
|
net-snmp 5.4.1 |
|
D-89 |
|
|
|
|
|
|
|
|
|
NTP 4.2.4p5 |
D-93 |
|
|
|
|
|
|
||
|
|
openssh 5.1p1 |
|
D-96 |
|
|
|
|
|
|
|
|
|
openssl 0.9.8j |
|
D-102 |
|
|
|
|
|
|
|
|
|
pciutils 3.0.1 |
D-105 |
|
|
|
|
|
|
||
|
|
|
Cisco Intrusion Prevention System Manager Express Configuration Guide for IPS 7.1 |
|
|
|
|||||
|
|
|
|
||||||||
|
OL-19891-01 |
|
|
|
|
|
|
|
|
xxix |
|
|
|
|
|
|
|
|
|
|
|
||
Contents
procps 3.2.7 |
D-111 |
sysfsutils 2.1.0 |
D-115 |
sysstat 8.1.3 |
D-116 |
tcl 8.4.9 D-120
tcpdump 3.9.8 1.0.1.0801182 D-121
tipc 1.7.6-bundle |
D-121 |
util-linux 2.12r |
D-123 |
zlib 1.2.3 D-124 |
|
G L O S S A R Y
I N D E X
Cisco Intrusion Prevention System Manager Express Configuration Guide for IPS 7.1
|
xxx |
OL-19891-01 |
|
|
|
Loading...