Краткое содержание страницы № 1
Cisco Intrusion Prevention System Sensor
CLI Configuration Guide for IPS 7.2
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-29168-01���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������
Краткое содержание страницы № 2
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE
Краткое содержание страницы № 3
CONTENTS Contents xxiii Audience xxiii Organization i-xxiii Conventions i-xxv Related Documentation xxv Obtaining Documentation and Submitting a Service Request i-xxvi CHAPTER ii Logging In to the Sensor ii-1 Logging In Notes and Caveats ii-1 Supported User Roles ii-1 Logging In to the Appliance ii-2 Connecting an Appliance to a Terminal Server ii-3 Logging In to the ASA 5500-X IPS SSP ii-4 Logging In to the ASA 5585-X IPS SSP ii-5 Logging In to the Sensor ii-6 CHAPTER 1 Introducing the CLI Co
Краткое содержание страницы № 4
Contents System Configuration Dialog 2-2 Basic Sensor Setup 2-4 Advanced Setup 2-7 Advanced Setup for the Appliance 2-8 Advanced Setup for the ASA 5500-X IPS SSP 2-13 Advanced Setup for the ASA 5585-X IPS SSP 2-17 Verifying Initialization 2-20 CHAPTER 3 Setting Up the Sensor 3-1 Setup Notes and Caveats 3-1 Understanding Sensor Setup 3-2 Changing Network Settings 3-2 Changing the Hostname 3-3 Changing the IP Address, Netmask, and Gateway 3-4 Enabling and Disabling Telnet 3-5 Changing the Acces
Краткое содержание страницы № 5
Contents Correcting Time on the Sensor 3-36 Configuring Time on the Sensor 3-36 Displaying the System Clock 3-37 Manually Setting the System Clock 3-37 Configuring Recurring Summertime Settings 3-38 Configuring Nonrecurring Summertime Settings 3-40 Configuring Time Zones Settings 3-42 Configuring NTP 3-42 Configuring a Cisco Router to be an NTP Server 3-43 Configuring the Sensor to Use an NTP Time Source 3-44 Configuring SSH 3-45 Understanding SSH 3-46 Adding Hosts to the SSH Known Hosts List
Краткое содержание страницы № 6
Contents Configuring Promiscuous Mode 4-14 Understanding Promiscuous Mode 4-14 Configuring Promiscuous Mode 4-15 IPv6, Switches, and Lack of VACL Capture 4-15 Configuring Inline Interface Mode 4-16 Understanding Inline Interface Mode 4-16 Configuring Inline Interface Pairs 4-17 Configuring Inline VLAN Pair Mode 4-21 Understanding Inline VLAN Pair Mode 4-21 Configuring Inline VLAN Pairs 4-22 Configuring VLAN Group Mode 4-26 Understanding VLAN Group Mode 4-26 Deploying VLAN Groups 4-27 Configur
Краткое содержание страницы № 7
Contents Understanding Policies 7-1 Working With Signature Definition Policies 7-2 Understanding Signatures 7-3 Configuring Signature Variables 7-4 Understanding Signature Variables 7-4 Creating Signature Variables 7-4 Configuring Signatures 7-6 Signature Definition Options 7-6 Configuring Alert Frequency 7-7 Configuring Alert Severity 7-9 Configuring the Event Counter 7-10 Configuring Signature Fidelity Rating 7-12 Configuring the Status of Signatures 7-13 Configuring the Vulnerable OSes for
Краткое содержание страницы № 8
Contents Example Meta Engine Signature 7-46 Example IPv6 Engine Signature 7-50 Example String XL TCP Engine Match Offset Signature 7-52 Example String XL TCP Engine Minimum Match Length Signature 7-55 CHAPTER 8 Configuring Event Action Rules 8-1 Event Action Rules Notes and Caveats 8-1 Understanding Security Policies 8-2 Understanding Event Action Rules 8-2 Signature Event Action Processor 8-3 Event Actions 8-4 Event Action Rules Configuration Sequence 8-7 Working With Event Action Rules Poli
Краткое содержание страницы № 9
Contents Monitoring Events 8-38 Displaying Events 8-38 Clearing Events from Event Store 8-41 CHAPTER 9 Configuring Anomaly Detection 9-1 Anomaly Detection Notes and Caveats 9-1 Understanding Security Policies 9-2 Understanding Anomaly Detection 9-2 Understanding Worms 9-2 Anomaly Detection Modes 9-3 Anomaly Detection Zones 9-4 Anomaly Detection Configuration Sequence 9-5 Anomaly Detection Signatures 9-6 Enabling Anomaly Detection 9-8 Working With Anomaly Detection Policies 9-8 Configuring Ano
Краткое содержание страницы № 10
Contents Displaying KB Files 9-40 Saving and Loading KBs Manually 9-41 Copying, Renaming, and Erasing KBs 9-42 Displaying the Differences Between Two KBs 9-44 Displaying the Thresholds for a KB 9-45 Displaying Anomaly Detection Statistics 9-47 Disabling Anomaly Detection 9-48 CHAPTER 10 Configuring Global Correlation 10-1 Global Correlation Notes and Caveats 10-1 Understanding Global Correlation 10-2 Participating in the SensorBase Network 10-2 Understanding Reputation 10-3 Understanding Netw
Краткое содержание страницы № 11
Contents CHAPTER 12 Configuring IP Logging 12-1 IP Logging Notes and Caveats 12-1 Understanding IP Logging 12-2 Configuring Automatic IP Logging 12-2 Configuring Manual IP Logging for a Specific IP Address 12-3 Displaying the Contents of IP Logs 12-5 Stopping Active IP Logs 12-6 Copying IP Log Files to Be Viewed 12-7 CHAPTER 13 Displaying and Capturing Live Traffic on an Interface 13-1 Packet Display And Capture Notes and Caveats 13-1 Understanding Packet Display and Capture 13-2 Displaying L
Краткое содержание страницы № 12
Contents Configuring the Sensor to Manage Cisco Routers 14-22 Routers and ACLs 14-23 Configuring the Sensor to Manage Cisco Routers 14-23 Configuring the Sensor to Manage Catalyst 6500 Series Switches and Cisco 7600 Series Routers 14-25 Switches and VACLs 14-25 Configuring the Sensor to Manage Catalyst 6500 Series Switches and Cisco 7600 Series Routers 14-26 Configuring the Sensor to Manage Cisco Firewalls 14-27 Configuring the Sensor to be a Master Blocking Sensor 14-28 Configuring Host Bl
Краткое содержание страницы № 13
Contents Using the GRUB Menu 17-3 Using ROMMON 17-4 Recovering the Password for the ASA 5500-X IPS SSP 17-4 Recovering the Password for the ASA 5585-X IPS SSP 17-6 Disabling Password Recovery 17-8 Verifying the State of Password Recovery 17-9 Troubleshooting Password Recovery 17-9 Clearing the Sensor Databases 17-9 Displaying the Inspection Load of the Sensor 17-11 Configuring Health Status Information 17-13 Showing Sensor Overall Health Status 17-17 Creating a Banner Login 17-18 Terminating
Краткое содержание страницы № 14
Contents The ASA 5500-X IPS SSP and Virtualization 18-4 Virtual Sensor Configuration Sequence for ASA 5500-X IPS SSP 18-4 Creating Virtual Sensors 18-4 Assigning Virtual Sensors to Adaptive Security Appliance Contexts 18-7 The ASA 5500-X IPS SSP and Bypass Mode 18-9 The ASA 5500-X IPS SSP and the Normalizer Engine 18-10 The ASA 5500-X IPS SSP and Jumbo Packets 18-11 The ASA 5500-X IPS SSP and Memory Usage 18-11 Reloading, Shutting Down, Resetting, and Recovering the ASA 5500-X IPS SSP 18-11 H
Краткое содержание страницы № 15
Contents CHAPTER 21 Upgrading, Downgrading, and Installing System Images 21-1 Upgrade Notes and Caveats 21-1 Upgrades, Downgrades, and System Images 21-2 Supported FTP and HTTP/HTTPS Servers 21-3 Upgrading the Sensor 21-3 IPS 7.2(1)E4 Files 21-3 Upgrade Notes and Caveats 21-4 Manually Upgrading the Sensor 21-4 Working With Upgrade Files 21-6 Upgrading the Recovery Partition 21-7 Configuring Automatic Upgrades 21-8 Configuring Automatic Updates 21-8 Applying an Immediate Update 21-12 Downgradi
Краткое содержание страницы № 16
Contents NotificationApp A-9 CtlTransSource A-11 Attack Response Controller A-12 Understanding the ARC A-13 ARC Features A-14 Supported Blocking Devices A-15 ACLs and VACLs A-16 Maintaining State Across Restarts A-16 Connection-Based and Unconditional Blocking A-17 Blocking with Cisco Firewalls A-18 Blocking with Catalyst Switches A-19 Logger A-19 AuthenticationApp A-20 Understanding the AuthenticationApp A-20 Authenticating Users A-20 Configuring Authentication on the Sensor A-20 Managing TL
Краткое содержание страницы № 17
Contents Summary of Cisco IPS Applications A-35 APPENDIX B Signature Engines B-1 Understanding Signature Engines B-1 Master Engine B-4 General Parameters B-4 Alert Frequency B-7 Event Actions B-8 Regular Expression Syntax B-9 AIC Engine B-10 Understanding the AIC Engine B-11 AIC Engine and Sensor Performance B-11 AIC Engine Parameters B-11 Atomic Engine B-14 Atomic ARP Engine B-14 Atomic IP Advanced Engine B-15 Atomic IP Engine B-25 Atomic IPv6 Engine B-29 Fixed Engine B-30 Flood Engine B-32
Краткое содержание страницы № 18
Contents Service SSH Engine B-58 Service TNS Engine B-59 State Engine B-60 String Engines B-62 String XL Engines B-65 Sweep Engines B-68 Sweep Engine B-68 Sweep Other TCP Engine B-70 Traffic Anomaly Engine B-71 Traffic ICMP Engine B-73 Trojan Engines B-74 APPENDIX C Troubleshooting C-1 Bug Toolkit C-1 Preventive Maintenance C-2 Understanding Preventive Maintenance C-2 Creating and Using a Backup Configuration File C-2 Backing Up and Restoring the Configuration File Using a Remote Server C-3 C
Краткое содержание страницы № 19
Contents When to Disable Anomaly Detection C-19 Analysis Engine Not Responding C-20 Troubleshooting External Product Interfaces C-21 External Product Interfaces Issues C-21 External Product Interfaces Troubleshooting Tips C-22 Troubleshooting the Appliance C-22 Troubleshooting Loose Connections C-22 The Analysis Engine is Busy C-23 Communication Problems C-23 Cannot Access the Sensor CLI Through Telnet or SSH C-24 Correcting a Misconfigured Access List C-26 Duplicate IP Address Shuts Interfac
Краткое содержание страницы № 20
Contents Cannot Launch the IDM-The Analysis Engine Busy C-55 The IDM, Remote Manager, or Sensing Interfaces Cannot Access Sensor C-55 Signatures Not Producing Alerts C-56 Troubleshooting the IME C-56 Time Synchronization on IME and the Sensor C-57 Not Supported Error Message C-57 Troubleshooting the ASA 5500-X IPS SSP C-57 Health and Status Information C-58 Failover Scenerios C-65 The ASA 5500-X IPS SSP and the Normalizer Engine C-66 The ASA 5500-X IPS SSP and Memory Usage C-67 The ASA 5500-X
