
OL-19983-01

Appendix M IPS User Interface Reference

The following topics describe the pages available for configuring policies for IPS sensors (appliances, switch modules, and network modules) and IOS IPS devices (Cisco IOS routers with IPS-enabled images and Cisco Integrated Services Routers):

• Signature Policies, page M-1

• Anomaly Detection Page, page M-49

• Global Correlation Policies, page M-58

• Event Action Policies, page M-59

• Interfaces Page, page M-70

• Platform Policies, page M-79

• Virtual Sensors Page, page M-100

• General Settings Page, page M-103

• Interface Rules Page, page M-105

Signature Policies

The pages that you access from the Signatures folder in Device View enable you to configure signatures and their settings.

These topics describe the main pages available from the Signatures folder:

• Signatures Page, page M-1

• Settings Page, page M-48

Signatures Page

Use the Signatures page to display the signature summary table, in which you can edit and delete IPS signatures. The primary function of this page is to tune the active signature set in a policy by enabling or disabling signatures. You can also use this page to unload signatures from the engine. In the signature summary table, you also can add a custom signature and access the Cisco NSDB.

M-1 User Guide for Cisco Security Manager 3.3


Navigation Path

• (Device view) Select IPS > Signatures > Signatures from the Policy selector.

• (Policy view) Select Intrusion Prevention System > Signatures > Signatures from the Policy Type selector. Right-click Signatures to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

• Edit Signature Dialog Box, page M-3

• Row Shortcut Menu, page M-5

• Actions Shortcut Menu, page M-7

• Edit Actions Dialog Box, page M-8

• Accessing the Cisco NSDB, page M-9

Field Reference

Table M-1 Signature Summary Table

Element Description

ID Signature ID. Identifies the unique numerical value assigned to this signature. This value lets the sensor identify a particular signature. Clicking on the link in the ID column triggers a browser window that opens to the entry in MySDN for that signature. This column is visible by default.

Sub Subsignature ID. Identifies the unique numerical value assigned to this subsignature. A Subsignature ID is used to identify a more granular version of a broad signature. This column is visible by default.

Name Identifies the name assigned to the signature. This column is visible by default.

Action Identifies the actions the sensor takes when this signature fires.

Any changes made using Action will affect all of the rows selected. This column is visible by default.

Severity Identifies the severity level that the signature reports: High, Informational, Low, Medium.

Any changes made using Severity will affect all of the rows selected. This column is visible by default.

Fidelity Identifies the weight associated with how well this signature might perform in the absence of specific knowledge of the target.

Any changes made using Fidelity affect all of the rows selected. This column is visible by default.

Source Displays the lowest policy in the inheritance hierarchy that overrides the settings for a signature. This column is visible by default.

Enabled Identifies whether or not the signature is enabled in this policy. A signature must be enabled for the sensor to protect against the traffic specified by the signature.

Possible values are:

• true. The signature is enabled in this policy.

• false. The signature is disabled in this policy.

Base Risk Rating Displays the base risk rating value of each signature.

Retired Identifies whether or not the signature is retired. A retired signature is removed from the signature engine.

Obsolete Identifies whether or not the signature is obsolete. An obsolete signature is removed from the signature engine. It cannot be re-activated. This column is visible by default and it is read only.

Engine Identifies the engine that parses and inspects the traffic specified by this signature. This column is visible by default.

View Update Level button Click this button to open the Update Level dialog box for the current device.

Export to File button Click this button to export the signature summary for the current device to a comma-separated values (CSV) file. You are prompted to select the folder on the Security Manager server and to specify a file name.

Add button Opens the Add Custom Signature dialog box.

Edit button Opens the Edit Signature dialog box. If more than one row is selected, the Edit row option is disabled.

Delete button Removes the selected signature(s) from the table. The Delete button is enabled only when the set of selected rows contains only custom signatures.

Edit Signature Dialog Box

Use the Edit Signature dialog box if you want the source of the signature settings to be anything other than the default policy. The default policy cannot be edited, so if you want to change the signature settings, you will have to override them in the local policy for the device. You can do this by selecting Local from the Source Policy dropdown list. After you change the source policy to Local, the controls are enabled.

Navigation Path

(Device view) Select IPS > Signatures > Signatures from the Policy selector. Click the Edit button to open the Edit Signature dialog box.

Related Topics

• Edit Actions Dialog Box, page M-8

• Edit Signature Parameters Dialog Box, page M-10

• Engine Options, page M-13

Field Reference

Table M-2 Edit Signature Dialog Box

Menu Command Description

Source Policy Values are Default or Local. For a newly added device, the source of the signature settings is the Default policy. Because this policy cannot be edited, if you want to change the values of these settings, you must override them in the local policy for the device; you do that by selecting Local.

Inheritance Mandatory When selected, forces any policy that inherits from that policy to use the signature settings defined.

Enabled check box Specifies that the signature is enabled.

Severity Identifies the severity level that the signature will report: High, Informational, Low, Medium.

Fidelity Rating Identifies the weight associated with how well this signature might perform in the absence of specific knowledge of the target.

Actions Identifies the actions the sensor will take when this signature fires. For a complete list of actions, see the Edit Actions Dialog Box, page M-8.

Base Risk Rating Sets the base risk rating value of the signature. The base risk rating is calculated by multiplying the fidelity rating by the severity factor and dividing the product by 100 (Fidelity Rating x Severity Factor / 100).

Severity Factor has the following values:

• Severity Factor = 100 if the signature’s severity level is high

• Severity Factor = 75 if signature’s severity level is medium

• Severity Factor = 50 if signature’s severity level is low

• Severity Factor = 25 if signature’s severity level is informational

Engine Identifies the engine that parses and inspects the traffic specified by this signature.

Retired Identifies whether or not the signature is retired. A retired signature is removed from the signature engine. You can activate a retired signature to place it back in the signature engine. This column is visible by default.

Timesaver Use the retired column to unload disabled signatures on your IOS-IPS device to achieve the most favorable memory consumption of that device.

Obsolete Identifies whether or not the signature is obsolete. An obsolete signature is removed from the signature engine. It cannot be re-activated.

Restore Defaults button Reverts to default values as defined by Cisco.

Edit Parameters button Opens the Edit Signature Parameters dialog box.

M-4User Guide for Cisco Security Manager 3.3

OL-19983-01

Page 5: IPS User Interface Reference - Cisco · IPS User Interface Reference - Cisco ... m-1

Appendix M IPS User Interface ReferenceSignature Policies

Row Shortcut Menu

In the Signature Summary table, you can access a shortcut menu that enables you to add and edit signatures. This shortcut menu is available for all columns except Actions, Severity, and Fidelity.

Navigation Path

• (Device view) Select IPS > Signatures > Signatures from the Policy selector. Right-click a cell in a column other than Actions, Severity, or Fidelity.

Related Topics

• Actions Shortcut Menu, page M-7

• Edit Actions Dialog Box, page M-8

• Accessing the Cisco NSDB, page M-9

Field Reference

Table M-3 Row Shortcut Menu Options

Menu Command Description

Add button Opens the Add Custom Signature dialog box.

Edit button Opens the Edit Signature dialog box. If more than one row is selected, the Edit row option is disabled.

Delete button Removes the selected signature(s) from the table. The Delete button is enabled only when the set of selected rows contains only custom signatures.

Clone Opens the Add Custom Signature dialog box with the properties of the selected signature shown. This enables you to create a custom signature with the settings that the selected signature has.

Enable/Disable Places the signature in the enabled or disabled state, respectively. Disabled signatures appear with crosshatching over them.

Show Events Enables navigation to MARS to view the realtime or historical events detected by the selected signature.

Add Custom Signature Dialog Box

Use the Add Custom Signature dialog box to create a custom signature. In the Add Custom Signature dialog box, you enter a name and then select an existing engine from a dropdown list. The signature ID and subsignature ID will be assigned by Security Manager. After you finish selecting the remaining parameters, the new signature is added to the Signatures page in the appropriate numerical location, and it is selected.

Navigation Path

(Device view) Select IPS > Signatures > Signatures from the Policy selector. Click the Add button to open the Add Custom Signature dialog box.

Related Topics

• Edit Signature Parameters Dialog Box, page M-10

• Engine Options, page M-13

Field Reference

Table M-4 Add Custom Signatures Dialog Box

Menu Command Description

Name Name of the signature.

Engine Specifies the engine to use for this signature. See Engine Options, page M-13.

Actions Identifies the actions the sensor will take when this signature fires. For a complete list of actions, see the Edit Actions Dialog Box, page M-8.

Enabled check box Specifies that the signature is enabled.

Severity Identifies the severity level that the signature will report: High, Informational, Low, Medium.

Fidelity Rating Identifies the weight associated with how well this signature might perform in the absence of specific knowledge of the target.

Risk Rating Sets the base risk rating value of the signature. The base risk rating is calculated by multiplying the fidelity rating by the severity factor and dividing the product by 100 (Fidelity Rating x Severity Factor / 100).

Severity Factor has the following values:

• Severity Factor = 100 if the signature’s severity level is high

• Severity Factor = 75 if signature’s severity level is medium

• Severity Factor = 50 if signature’s severity level is low

• Severity Factor = 25 if signature’s severity level is informational

Edit Parameters button Opens the Edit Signature Parameters dialog box. See Edit Signature Parameters Dialog Box, page M-10.

Update Level Dialog Box

Displays the delta between the update packages applied in Security Manager and those deployed on the IPS device.

Differences between applied and deployed can occur when:

• the device is updated outside of Security Manager

• an update is applied to the policy in Security Manager but not yet published to the device

• during initial Security Manager deployment before the devices are under Security Manager control

Navigation Path

(Device view) Select IPS > Signatures > Signatures from the Policy selector. Click the View Update Level button to open the Update Level for... dialog box.


Field Reference

Table M-5 Update Level for Dialog Box

Menu Command Description

Applied Level This column displays the patch level that is applied to this device in Security Manager.

Deployed Level This column displays the patch level that is currently running on the selected device.

Major Update Identifies the major update level.

Minor Update Identifies the minor update level.

Service Pack Identifies the service pack level.

Patch Identifies the patch level.

Engine Identifies the engine level.

Signature Update Identifies the signature update level.

Note This field is the only field on this page that applies to the IOS IPS devices; all of the other fields are exclusive to IPS devices.

Revert button If you mistakenly modify Applied Level, allows you to discard that new Applied Level; clicking Revert syncs the Applied Level to the Deployed Level.

Tip A warning dialog appears before performing Revert. Also, a warning dialog appears asking you to submit the activity.

Actions Shortcut Menu

In the Signature Summary table, you can access a shortcut menu that enables you to add and remove actions. This shortcut menu is available only for the Actions column.

Navigation Path

• (Device view) Select IPS > Signatures > Signatures from the Policy selector. Right-click a cell in the Actions column.

Related Topics

• Row Shortcut Menu, page M-5

• Edit Actions Dialog Box, page M-8

• Accessing the Cisco NSDB, page M-9

Field Reference

Table M-6 Actions Shortcut Menu Options

Menu Command Description

Add to Actions Adds an action to the current list of actions for the selected signature.

Delete from Actions Deletes an action from the current list of actions for the selected signature.


Replace Actions With Replace the current set of actions for the selected signature with the single action selected.

Edit Actions Opens the Edit Actions dialog box.

Edit Actions Dialog Box

Use the Edit Actions dialog box to select an action that is not on the Add to Actions or Replace Actions with menus, or if you want to select more than one action.

Note When you open the Edit Actions dialog box, the list of actions that you see varies. The list of actions depends upon whether you (1) right-click in only one signature row in the Actions column or (2) select more than one signature row before right-clicking in the Actions column. If you right-click in only one signature row in the Actions column, the list of actions is that of the engine for that signature. If you select more than one signature row before right-clicking in the Actions column, the list of actions is that which is available for each affected engine. (It is the list of common actions, not the union of actions.)

Navigation Path

• (Device view) Select IPS > Signatures > Signatures from the Policy selector. Right-click a cell in the Actions column. Select Edit Actions from the shortcut menu.

Related Topics

• Row Shortcut Menu, page M-5

• Actions Shortcut Menu, page M-7

• Accessing the Cisco NSDB, page M-9

Field Reference

Table M-7 Edit Actions Dialog Box

Menu Command Description

Deny Attacker Inline Terminates the current packet and future packets from this attacker address for a specified period of time.

Deny Attacker/Service Pair Inline Does not transmit this packet and future packets on the attacker address victim port pair for a specified period of time.

Deny Attacker/Victim Pair Inline Does not transmit this packet and future packets on the attacker/victim address pair for a specified period of time.

Deny Connection Inline Terminates the current packet and future packets on this TCP flow.

Deny Packet Inline Terminates the packet.

Log Attacker Packets Starts IP logging on packets that contain the attacker address and sends an alert. This action causes an alert to be written to the Event Store, even if Produce Alert is not selected.


Log Pair Packets Starts IP Logging on packets that contain the attacker/victim address pair. This action causes an alert to be written to the Event Store, even if Produce Alert is not selected.

Log Victim Packets Starts IP Logging on packets that contain the victim address and sends an alert. This action causes an alert to be written to the Event Store, even if Produce Alert is not selected.

Modify Packet Inline Modifies packet data to remove ambiguity about what the endpoint might do with the packet.

Produce Alert Writes the event to the Event Store as an alert.

Produce Verbose Alert Includes an encoded dump of the offending packet in the alert. This action causes an alert to be written to the Event Store, even if Produce Alert is not selected.

Request Block Connection Sends a request to block this connection. You must have blocking devices configured to implement this action.

Request Block Host Sends a request to block this attacker host. You must have blocking devices configured to implement this action.

Request Rate Limit Sends a rate limit request to perform rate limiting. You must have rate limiting devices configured to implement this action.

Request SNMP Trap Sends a request to the sensor to perform SNMP notification. This action causes an alert to be written even if Produce Alert is not selected. You must have SNMP configured on the sensor to implement this action.

Reset TCP Connection Sends TCP resets to hijack and terminate the TCP flow. Reset TCP Connection only works on TCP signatures that analyze a single connection. It does not work for sweeps or floods.

Edit Fidelity Dialog Box

Use the Edit Fidelity dialog box to make changes in the Fidelity Rating for a particular signature. The Fidelity Rating, or Signature Fidelity Rating (SFR), identifies the weight associated with how well this signature might perform in the absence of specific knowledge of the target. This rating can be any number from 0 to 100, with 100 indicating the most confidence in the signature.

Accessing the Cisco NSDB

The Cisco Network Security Database (NSDB) can be accessed, or invoked, through the user interface of Security Manager.

The NSDB is a database of security information that explains the signatures the IPS uses along with the vulnerabilities on which these signatures are based. The NSDB contains a description for each attack signature that the sensor can detect.

Some signatures in IPS 5.x and later and IOS IPS have special characteristics: Built-in signatures cannot be added, deleted, or renamed, because they are provided with IPS itself. (“Built-in” means all signatures other than those that you create.) The information for built-in signatures, such as their names and IDs, appears as it does in the NSDB.

Tip For a particular signature in the NSDB, the “Release Version” refers to the version of IPS that the signature first appeared in, or was last modified in. The “Release Version” appears in the bottom left-hand corner of the header information when you are looking at a particular signature.

Edit Signature Parameters Dialog Box

Use the Edit Signature Parameters dialog box to edit (also called tune) the built-in micro-engine parameters for a particular signature. Different engines have different parameters, so the appearance of the Edit Signature Parameters dialog box will vary.

Navigation Path

• (Device view) Select IPS > Signatures > Signatures from the Policy selector. Right-click the row containing the signature that you want to edit, and then click Edit Row in the shortcut menu that appears. Finally, click Edit Parameters.

Related Topics

• Add Custom Signature Dialog Box, page M-5

• Edit Signature Dialog Box, page M-3

• Engine Options, page M-13

Field Reference

Table M-8 Edit Signature Parameters Dialog Box

Primary and Secondary Elements Description

Signature Definition —

Signature ID Identifies the unique numerical value assigned to this signature. This value lets the sensor identify a particular signature.

The value is 1000 to 65000.

SubSignature ID Identifies the unique numerical value assigned to this subsignature. The subsignature ID identifies a more granular version of a broad signature.

The value is 0 to 255.

Promiscuous Delta check box Lets you determine the seriousness of the alert.

Sig Description Lets you specify the following attributes that help you distinguish this signature from other signatures:

• Alert Notes

• User Comments

• Alarm Traits

• Release

Alert Notes Add alert notes in this field.

User Comments Add your comments about this signature in this field.

Alarm Traits Add the alarm trait in this field. The value is 0 to 65535. The default is 0.


Release The release in which the signature was most recently updated.

Engine Lets you choose the engine that parses and inspects the traffic specified by this signature. For the list of possible values, see Engine Options, page M-13.

Fragment Status Specifies whether fragments are wanted or not:

• Any fragment status.

• Do not inspect fragments.

• Inspect fragments.

Regex String —

Service Ports A comma-separated list of ports or port ranges where the target service resides.

Direction Direction of traffic:

• Traffic from service port destined to client port.

• Traffic from client port destined to service port.

Specify Exact Match Offset (Optional) Enables exact match offset:

• Specify Max Match Offset/Specify Min Match Offset—The exact stream offset the regular expression string must report for a match to be valid.

Swap Attacker Victim Yes if the source and destination addresses (and ports) are swapped in the alert message. No (the default) for no swap.

Event Counter Lets you configure how the sensor counts events. For example, you can specify that you want the sensor to send an alert only if the same signature fires 5 times for the same address set:

• Event Count

• Event Count Key

• Specify Alert Interval

Event Count The number of times an event must occur before an alert is generated. The value is 1 to 65535. The default is 1.

Event Count Key The storage type used to count events for this signature. Choose attacker address, attacker address and victim port, attacker and victim addresses, attacker and victim addresses and ports, or victim address. The default is attacker address.

Specify Alert Interval Specifies the time in seconds before the event count is reset. Choose Yes or No from the drop-down list and then specify the amount of time.


Alert Frequency Lets you configure how often the sensor alerts you when this signature is firing. Specify the following parameters for this signature:

• Summary Mode

• Summary Interval

• Summary Key

• Specify Global Summary Threshold

Summary Mode The mode of alert summarization. Choose Fire All, Fire Once, Global Summarize, or Summarize.

Note When multiple contexts from the adaptive security appliance are contained in one virtual sensor, the summary alerts contain the context name of the last context that was summarized. Thus, the summary is the result of all alerts of this type from all contexts that are being summarized.

Summary Interval The time in seconds used in each summary alert. The value is 1 to 65535. The default is 15.

Summary Key The storage type used to summarize alerts. Choose Attacker address, Attacker address and victim port, Attacker and victim addresses, Attacker and victim addresses and ports, or Victim address. The default is Attacker address.

Specify Global Summary Threshold

Lets you specify the threshold number of events to take the alert into global summary. Choose Yes or No and then specify the threshold number of events.

Status Lets you enable or disable a signature, or retire or unretire a signature:

• Enabled—Lets you choose whether the signature is enabled or disabled. The default is yes (enabled).

• Retired—Lets you choose whether the signature is retired or not. The default is no (not retired).

Obsoletes Lists the signatures that are obsoleted by this signature.

Vulnerable OS List Identifies the list of operating systems that this attack targets.

MARS Category Identifies the category in Cisco Security MARS to which this signature belongs. This metadata is used to color the events generated in such a way as to provide MARS with the data that it needs to process this signature relative to the event categories that it studies.

Expand All Expands all categories and subcategories.

Collapse All Collapses all fields to the category.
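The Event Counter parameters in the table above (Event Count, Event Count Key, Specify Alert Interval) decide whether a firing signature actually raises an alert. The following Python model is an added example, not Cisco's code; the constructed events and the two assumptions it makes (a key's count restarts once the alert interval has elapsed, and resets after an alert is generated) are labelled in the comments.

```python
"""Illustrative model of the Event Counter parameters of an IPS signature.

Added example, not Cisco's implementation. Assumptions: the count for a key
restarts when the alert interval has elapsed since the first counted event,
and the count resets to zero once an alert has been generated.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Event Count Key choices named on the page, mapped to the packet fields
# (attacker = source, victim = destination) that make up the storage key.
EVENT_COUNT_KEYS = {
    "attacker address": ("src",),
    "attacker address and victim port": ("src", "dport"),
    "attacker and victim addresses": ("src", "dst"),
    "attacker and victim addresses and ports": ("src", "sport", "dst", "dport"),
    "victim address": ("dst",),
}


@dataclass
class SigEvent:
    """One firing of a signature (constructed sample input, not sensor output)."""
    t: float       # seconds since an arbitrary epoch
    src: str       # attacker address
    sport: int     # attacker port
    dst: str       # victim address
    dport: int     # victim port


@dataclass
class EventCounter:
    event_count: int = 1                     # page: 1 to 65535, default 1
    event_count_key: str = "attacker address"
    alert_interval: Optional[float] = None   # seconds; None = Specify Alert Interval: No
    _state: Dict[Tuple, Tuple[int, float]] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if not 1 <= self.event_count <= 65535:
            raise ValueError("Event Count must be 1 to 65535")
        if self.event_count_key not in EVENT_COUNT_KEYS:
            raise ValueError("unknown Event Count Key: %r" % self.event_count_key)

    def key_for(self, ev: SigEvent) -> Tuple:
        """Storage key under which this event is counted."""
        return tuple(getattr(ev, f) for f in EVENT_COUNT_KEYS[self.event_count_key])

    def fire(self, ev: SigEvent) -> bool:
        """Record one firing; return True when an alert should be generated."""
        k = self.key_for(ev)
        count, window_start = self._state.get(k, (0, ev.t))
        # Alert interval elapsed: discard the stale count and start a new window (assumption).
        if self.alert_interval is not None and ev.t - window_start >= self.alert_interval:
            count, window_start = 0, ev.t
        count += 1
        if count >= self.event_count:
            self._state[k] = (0, ev.t)       # alert generated; start counting again (assumption)
            return True
        self._state[k] = (count, window_start)
        return False


def run_sample() -> Tuple[list, list]:
    """Constructed traffic: one source touches three hosts, a second source one host.

    Returns per-event alert decisions for two tunings of the same signature
    (Event Count 3) that differ only in Event Count Key.
    """
    events = [
        SigEvent(0.0, "10.0.0.5", 40001, "192.0.2.10", 22),
        SigEvent(1.0, "10.0.0.5", 40002, "192.0.2.11", 22),
        SigEvent(2.0, "10.0.0.5", 40003, "192.0.2.12", 22),
        SigEvent(2.5, "10.0.0.9", 50001, "192.0.2.10", 22),
    ]
    by_attacker = EventCounter(event_count=3, event_count_key="attacker address")
    by_pair = EventCounter(event_count=3, event_count_key="attacker and victim addresses")
    return ([by_attacker.fire(e) for e in events], [by_pair.fire(e) for e in events])


def interval_sample() -> Tuple[bool, bool, bool]:
    """Event Count 2 with a 10-second Alert Interval: hits 30 s apart do not add up."""
    c = EventCounter(event_count=2, alert_interval=10.0)
    first = c.fire(SigEvent(0.0, "10.0.0.5", 40001, "192.0.2.10", 80))
    late = c.fire(SigEvent(30.0, "10.0.0.5", 40002, "192.0.2.10", 80))   # window restarted
    third = c.fire(SigEvent(31.0, "10.0.0.5", 40003, "192.0.2.10", 80))  # 2 hits within 10 s
    return first, late, third


if __name__ == "__main__":
    print(run_sample())       # ([False, False, True, False], [False, False, False, False])
    print(interval_sample())  # (False, False, True)
```

Keyed on attacker address the third probe alerts, while keyed on the attacker/victim address pair the same traffic never reaches the count, which is the trade-off the Event Count Key setting controls.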


Engine Options

The following list identifies the engine options for IOS IPS and IPS that you can specify in the Engine field of the Edit Signature Parameters dialog box:

• AIC FTP—Inspects FTP traffic and lets you control the commands being issued.

• AIC HTTP—Provides granular control over HTTP sessions to prevent abuse of the HTTP protocol.

• Atomic ARP—Inspects Layer-2 ARP protocol. The Atomic ARP engine is different because most engines are based on Layer-3-IP.

• atomic-ip—Inspects IP protocol packets and associated Layer-4 transport protocols. For option detail, see Atomic IP Engine Options, page M-14

• Atomic IPv6—Detects IOS vulnerabilities that are stimulated by malformed IPv6 traffic.

• Flood Host—Detects ICMP and UDP floods directed at hosts.

• Flood Net—Detects ICMP and UDP floods directed at networks.

• Meta—Defines events that occur in a related manner within a sliding time interval. This engine processes events rather than packets.

• multi-string—Defines signatures that inspect Layer 4 transport protocol (ICMP, TCP, and UDP) payloads using multiple string matches for one signature. You can specify a series of regular expression patterns that must be matched to fire the signature. For option detail, see Multi-String Engine Options, page M-17

• normalizer—Configures how the IP and TCP normalizer functions and provides configuration for signature events related to the IP and TCP normalizer. Allows you to enforce RFC compliance. For option detail, see Normalizer Engine Options, page M-18

• service-dns—Inspects DNS (TCP and UDP) traffic. For option detail, see Service DNS Engine Options, page M-20

• service-ftp—Inspects FTP traffic. For option detail, see Service FTP Engine Options, page M-22

• Service Generic—Decodes custom service and payload.

• Service Generic Advanced—Generically analyzes network protocols.

• Service H225—Inspects VoIP traffic.

• service-http—Inspects HTTP traffic. The WEBPORTS variable defines inspection port for HTTP traffic. For option detail, see HTTP Service Engine Options, page M-27

• Service IDENT—Inspects IDENT (client and server) traffic.

• Service MSRPC—Inspects MSRPC traffic.

• Service MSSQL—Inspects Microsoft SQL traffic.

• Service NTP—Inspects NTP traffic.

• service-rpc—Inspects RPC traffic. For option detail, see RPC Service Engine Options, page M-31

• Service SMB—Inspects SMB traffic.

• Service SMB Advanced—Processes Microsoft SMB and Microsoft RPC over SMB packets.

• Service SNMP—Inspects SNMP traffic.

• Service SSH—Inspects SSH traffic.

• Service TNS—Inspects TNS traffic.


• state—Stateful searches of strings in protocols such as SMTP. For option detail, see STATE Engine Options, page M-39

• string-icmp—Searches on Regex strings based on ICMP protocol. For option detail, see String ICMP Engine Options, page M-41

• string-tcp—Searches on Regex strings based on TCP protocol. For option detail, see String TCP Engine Options, page M-42

• string-udp—Searches on Regex strings based on UDP protocol. For option detail, see String UDP Engine Options, page M-43

• Sweep—Analyzes sweeps of ports, hosts, and services, from a single host (ICMP and TCP), from destination ports (TCP and UDP), and multiple ports with RPC requests between two nodes.

• Sweep Other TCP—Analyzes TCP flag combinations from reconnaissance scans that are trying to get information about a single host. The signatures look for flags A, B, and C. When all three are seen, an alert is fired.

• Traffic ICMP—Analyzes nonstandard protocols, such as TFN2K, LOKI, and DDOS. There are only two signatures with configurable parameters.

• Traffic Anomaly—Analyzes TCP, UDP, and other traffic for worm-infested hosts.

• Trojan Bo2k—Analyzes traffic from the nonstandard protocol BO2K. There are no user-configurable parameters in this engine.

• Trojan Tfn2k—Analyzes traffic from the nonstandard protocol TFN2K. There are no user-configurable parameters in this engine.

• Trojan UDP—Analyzes traffic from the UDP protocol. There are no user-configurable parameters in this engine.

Atomic IP Engine Options

Table M-9 on page M-14 lists the parameters that are specific to the Atomic IP engine.

Table M-9 Atomic IP Engine Parameters (Parameter: Description)

Fragment Status: Specifies whether or not fragments are wanted.

Specify Layer 4 Protocol: Specifies the Layer 4 protocol.

Specify IP Payload Length: Specifies the IP datagram payload length.

Specify IP Header Length: Specifies the IP datagram header length.

Specify IP Type of Service: Specifies the IP type of service (ToS) value.

Specify IP Time-to-Live: Specifies the IP time to live (TTL).

Specify IP Version: Specifies the IP protocol version.

Specify IP Identifier: Specifies the IP identifier.

Specify IP Total Length: Specifies the IP datagram total length.

Specify IP Option Inspection: Specifies IP options inspection.

Specify IP Addr Options: Specifies IP addresses.


Meta Engine Options

Table M-10 on page M-15 lists the parameters specific to the Meta engine.

Table M-10 Meta Engine Parameters (Parameter: Description. Value)

meta-reset-interval: Time in seconds to reset the META signature. Value: 0 to 3600.

component-list: List of Meta components. Value: name1.
• edit—Edits an existing entry.
• insert—Inserts a new entry into the list:
– begin—Places the entry at the beginning of the active list.
– end—Places the entry at the end of the active list.
– inactive—Places the entry into the inactive list.
– before—Places the entry before the specified entry.
– after—Places the entry after the specified entry.
• move—Moves an entry in the list.

meta-key: Storage type for the Meta signature. Value: Axxx (attacker address) | AxBx (attacker and victim addresses) | AaBb (attacker and victim addresses and ports) | xxBx (victim address).

unique-victim-ports: Number of unique victim ports required per Meta signature. Value: 1 to 256.

component-list-in-order: Whether to fire the component list in order. Value: true | false.


MSRPC Service Engine Options

Table M-11 on page M-16 lists the parameters specific to the Service MSRPC engine.

Table M-11 Service MSRPC Engine Parameters (Parameter: Description. Value)

protocol: Protocol of interest for this inspector. Value: tcp | udp.

specify-operation: (Optional) Enables matching on the MSRPC operation. Value: 0 to 65535.
• operation—MSRPC operation requested. Required for SMB_COM_TRANSACTION commands. Exact match.

specify-regex-string: (Optional) Enables using a regular expression string. Value: 0 to 65535 (for the offset and length fields).
• specify-exact-match-offset—Enables the exact match offset:
– exact-match-offset—The exact stream offset the regular expression string must report for a match to be valid.
• specify-min-match-length—Enables the minimum match length:
– min-match-length—Minimum number of bytes the regular expression string must match.

specify-uuid: (Optional) Enables matching on the MSRPC UUID. Value: a 32-character hexadecimal string, for example 000001a000000000c000000000000046.
• uuid—MSRPC UUID field.

MSSQL Service Engine Options

The Service MSSQL engine inspects the protocol used by Microsoft SQL Server.

There is one MSSQL signature. It fires an alert when it detects an attempt to log in to an MSSQL server with the default sa account.

You can add custom signatures based on MSSQL protocol values, such as the login username and whether a password was used.

Table M-12 on page M-17 lists the parameters specific to the Service MSSQL engine.


Table M-12 Service MSSQL Engine Parameters (Parameter: Description. Value)

password-present: Whether or not a password was used in an MS SQL login. Value: true | false.

specify-sql-username: (Optional) Enables matching on an SQL username. Value: sa (for example).
• sql-username—Username (exact match) of the user logging in to the MS SQL service.

Multi-String Engine Options

The Multi String engine lets you define signatures that inspect Layer 4 transport protocol (ICMP, TCP, and UDP) payloads using multiple string matches for one signature. You can specify a series of regular expression patterns that must be matched to fire the signature. For example, you can define a signature that looks for regex 1 followed by regex 2 on a UDP service. For UDP and TCP you can specify port numbers and direction. You can specify a single source port, a single destination port, or both ports. The string matching takes place in both directions.

Use the Multi String engine when you need to specify more than one regex pattern. Otherwise, you can use the String ICMP, String TCP, or String UDP engine to specify a single regex pattern for one of those protocols.

Table M-13 on page M-17 lists the parameters specific to the Multi String engine.
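Before the parameter table, here is an added example (not from the guide and not the sensor's own code) of the matching rule the Multi String engine applies: each regex component must match after the previous one, separated by exactly or at least the configured spacing (measured from the start of the stream for the first component), and all of them must fall inside the Inspect Length. The names RegexComponent and multi_string_match and the TFTP payloads are constructed for this illustration; Python's re module stands in for the sensor's regex engine, whose dialect differs.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Illustrative names (RegexComponent, multi_string_match): not the sensor's own API.


@dataclass(frozen=True)
class RegexComponent:
    regex: bytes        # Regex String
    spacing_type: str   # Spacing Type: "exact" or "minimum"
    spacing: int        # Exact Spacing or Minimum Spacing, in bytes


def multi_string_match(data: bytes, components: List[RegexComponent],
                       inspect_length: Optional[int] = None) -> Optional[List[Tuple[int, int]]]:
    """Apply the Regex Component list, in order, to one stream or packet.

    Each component must match after the previous match ended (after offset 0 for
    the first one), separated by exactly `spacing` bytes ("exact") or by at
    least `spacing` bytes ("minimum"). Returns the (start, end) span of every
    component when all of them matched inside the first `inspect_length` bytes,
    otherwise None, meaning the signature does not fire.
    """
    if not 1 <= len(components) <= 16:
        raise ValueError("Regex Component list holds 1 to 16 items")
    window = data if inspect_length is None else data[:inspect_length]
    previous_end = 0
    spans: List[Tuple[int, int]] = []
    for comp in components:
        pattern = re.compile(comp.regex, re.DOTALL)
        start_at = previous_end + comp.spacing
        if start_at > len(window):
            return None
        if comp.spacing_type == "exact":
            match = pattern.match(window, start_at)    # anchored exactly at start_at
        elif comp.spacing_type == "minimum":
            match = pattern.search(window, start_at)   # anywhere at or after start_at
        else:
            raise ValueError("spacing_type must be 'exact' or 'minimum'")
        if match is None or match.end() == match.start():
            return None
        spans.append((match.start(), match.end()))
        previous_end = match.end()
    return spans


# Constructed sample: a TFTP read request (opcode 0x0001) whose file name carries a
# directory traversal. The signature wants the opcode at offset 0 exactly and
# "../" anywhere after it.
TFTP_TRAVERSAL_SIG = [
    RegexComponent(rb"\x00\x01", "exact", 0),
    RegexComponent(rb"\.\./", "minimum", 0),
]
SAMPLE_RRQ_TRAVERSAL = b"\x00\x01../../etc/passwd\x00octet\x00"
SAMPLE_RRQ_BENIGN = b"\x00\x01boot/pxelinux.cfg\x00octet\x00"

if __name__ == "__main__":
    print(multi_string_match(SAMPLE_RRQ_TRAVERSAL, TFTP_TRAVERSAL_SIG))   # [(0, 2), (2, 5)]
    print(multi_string_match(SAMPLE_RRQ_BENIGN, TFTP_TRAVERSAL_SIG))      # None
```

Setting inspect_length smaller than the offset of the last required match, or giving the first component a non-zero exact spacing, makes the same payload stop matching, which is how the spacing and Inspect Length parameters narrow a signature and keep its memory cost down.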

Table M-13 Multi String Engine Parameters (Parameter: Description. Value)

Inspect Length: Length of the stream or packet that must contain all offending strings for the signature to fire. Value: 0 to 4294967295.

Protocol: Layer 4 protocol selection. Value: Icmp | Tcp | Udp.

Regex Component: List of regex components (1 to 16 items).
• Regex String—The string to search for.
• Spacing Type—Type of spacing required from the previous match, or from the beginning of the stream/packet if it is the first entry in the list. Value: exact | minimum.

Port Selection: Type of TCP or UDP port to inspect. Displayed only if TCP or UDP is selected in the Protocol field. Value: Both Ports | Destination | Source.


Source Ports: Specifies a range of source ports. Value: 0 to 65535.

Note: Port matching is performed bidirectionally for both the client-to-server and server-to-client traffic flow directions. For example, if the source-ports value is 80, in a client-to-server traffic flow direction, inspection occurs if the client port is 80. In a server-to-client traffic flow direction, inspection occurs if the server port is 80.

Note: The second number in the range must be greater than or equal to the first number.

Dest Ports: Specifies a range of destination ports. Value: 0 to 65535.

Exact Spacing: Exact number of bytes that must be between this regex string and the one before, or from the beginning of the stream/packet if it is the first entry in the list. Value: 0 to 4294967296.

Minimum Spacing: Minimum number of bytes that must be between this regex string and the one before, or from the beginning of the stream/packet if it is the first entry in the list. Value: 0 to 4294967296.

Swap Attacker Victim: Yes if the source and destination address (and ports) are swapped in the alert message. No for no swap (default). Value: Yes | No.

Caution The Multi String engine can have a significant impact on memory usage.

Normalizer Engine Options

Table M-14 on page M-18 lists the parameters that are specific to the Normalizer engine.

Table M-14 Normalizer Engine Parameters (Parameter: Description)

Edit defaults

Specify Service Ports: (Optional) Enables service ports.


Specify TCP Max MSS: (Optional) Enables the TCP maximum MSS.

Specify TCP Min MSS: (Optional) Enables the TCP minimum MSS.

Specify TCP Option Number: (Optional) Enables the TCP option number.

Specify TCP Max Queue: (Optional) Enables the TCP maximum queue.

Specify TCP Closed Timeout: (Optional) Enables the TCP closed timeout.

Specify TCP Embryonic Timeout: (Optional) Enables the TCP embryonic timeout.

Specify TCP Idle Timeout: (Optional) Enables the TCP idle timeout.

Specify Fragment Reassembly Timeout: (Optional) Enables the fragment reassembly timeout.

Specify Max Fragments per Datagram: (Optional) Enables the maximum fragments per datagram.

Specify Max Small Frags: (Optional) Enables the maximum small fragments.

Specify Min Fragment Size: (Optional) Enables the minimum fragment size.

Specify Max Partial Datagrams: (Optional) Enables the maximum partial datagrams.

Specify Max Datagram Size: (Optional) Enables the maximum datagram size.

Specify Max Fragments: (Optional) Enables the maximum fragments.

Specify Max Last Fragments: (Optional) Enables the maximum last fragments.

Specify Hijack Max Old Ack: (Optional) Enables hijack-max-old-ack.

Specify SYN Flood Max Embryonic: (Optional) Enables the SYN flood maximum embryonic.

Atomic ARP Engine Options

The Atomic ARP engine defines basic Layer 2 ARP signatures and provides more advanced detection of the ARP spoof tools dsniff and ettercap.

Table M-15 on page M-19 lists the parameters that are specific to the Atomic ARP engine.
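Before the parameter table, an added example (not from the guide and not the sensor's own code) of what the Atomic ARP checks look like over raw ARP packets: the stateless conditions (broadcast or multicast sender MAC, identical sender and target MAC, a given operation code) and the two stateful ones, a MAC that keeps changing for one IP (the dsniff/ettercap poisoning pattern behind specify-mac-flip) and requests for an IP that far outnumber its replies (specify-request-imbalance). The names build_arp, parse_arp and AtomicArpInspector, the 10.0.0.0/24 frames, and the decision to read the guide's "source address of 255.255.255.255" as the hardware broadcast address are this example's assumptions.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address
from typing import Dict, List, Optional

# Illustrative names (build_arp, parse_arp, AtomicArpInspector): not the sensor's API.
BROADCAST = "ff:ff:ff:ff:ff:ff"
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa (28 bytes)


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Ethernet/IPv4 ARP body; op 1 = request, 2 = reply."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, mac_bytes(sha), IPv4Address(spa).packed,
                       mac_bytes(tha), IPv4Address(tpa).packed)


def parse_arp(pkt: bytes) -> Dict[str, object]:
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, pkt[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sha": mac_str(sha), "spa": str(IPv4Address(spa)),
            "tha": mac_str(tha), "tpa": str(IPv4Address(tpa))}


class AtomicArpInspector:
    """Stateless checks from specify-type-of-arp-sig and specify-arp-operation, plus
    the two stateful ones (specify-mac-flip, specify-request-imbalance) tracked per IP."""

    def __init__(self, mac_flip: Optional[int] = None, request_imbalance: Optional[int] = None,
                 arp_operation: Optional[int] = None):
        self.mac_flip, self.request_imbalance, self.arp_operation = mac_flip, request_imbalance, arp_operation
        self.known_mac: Dict[str, str] = {}      # sender IP -> last sender MAC seen for it
        self.flips = defaultdict(int)            # sender IP -> how often that MAC has changed
        self.requests = defaultdict(int)         # target IP -> requests asking for it
        self.replies = defaultdict(int)          # sender IP -> replies it has given

    def inspect(self, pkt: bytes) -> List[str]:
        a = parse_arp(pkt)
        sha, tha, spa, tpa = a["sha"], a["tha"], a["spa"], a["tpa"]
        findings: List[str] = []
        if sha == BROADCAST:
            findings.append("source-broadcast")
        if tha == BROADCAST:
            findings.append("destination-broadcast")
        if sha == tha:
            findings.append("same-source-and-destination")
        if sha.startswith("01:00:5e:") and int(sha[9:11], 16) <= 0x7F:
            findings.append("source-multicast")
        if self.arp_operation is not None and a["op"] == self.arp_operation:
            findings.append("arp-operation")
        # poisoning: the same IP keeps showing up with a new MAC
        last = self.known_mac.get(spa)
        if last is not None and last != sha:
            self.flips[spa] += 1
            if self.mac_flip is not None and self.flips[spa] > self.mac_flip:
                findings.append("mac-flip")
        self.known_mac[spa] = sha
        # scanning, or a host that never answers: requests for an IP outnumber its replies
        ip = None
        if a["op"] == 1:
            self.requests[tpa] += 1
            ip = tpa
        elif a["op"] == 2:
            self.replies[spa] += 1
            ip = spa
        if (ip is not None and self.request_imbalance is not None
                and self.requests[ip] - self.replies[ip] > self.request_imbalance):
            findings.append("request-imbalance")
        return findings


# Constructed frames on 10.0.0.0/24: a normal exchange, then 10.0.0.2 changing MAC twice,
# then a broadcast sender, a multicast sender and a frame with identical MACs.
SAMPLE_FRAMES = [
    build_arp(1, "00:11:22:33:44:55", "10.0.0.1", "00:00:00:00:00:00", "10.0.0.2"),
    build_arp(2, "00:aa:bb:cc:dd:01", "10.0.0.2", "00:11:22:33:44:55", "10.0.0.1"),
    build_arp(2, "00:aa:bb:cc:dd:02", "10.0.0.2", "00:11:22:33:44:55", "10.0.0.1"),
    build_arp(2, "00:aa:bb:cc:dd:03", "10.0.0.2", "00:11:22:33:44:55", "10.0.0.1"),
    build_arp(1, "ff:ff:ff:ff:ff:ff", "10.0.0.3", "00:00:00:00:00:00", "10.0.0.4"),
    build_arp(1, "01:00:5e:00:00:01", "10.0.0.5", "00:00:00:00:00:00", "10.0.0.4"),
    build_arp(1, "00:11:22:33:44:55", "10.0.0.1", "00:11:22:33:44:55", "10.0.0.6"),
]
UNANSWERED = [build_arp(1, "00:11:22:33:44:55", "10.0.0.1", "00:00:00:00:00:00", "10.0.0.9")] * 5


def run_inspector(frames: List[bytes], **kw) -> List[List[str]]:
    inspector = AtomicArpInspector(**kw)
    return [inspector.inspect(f) for f in frames]
```

With mac_flip=1 the third MAC seen for 10.0.0.2 raises mac-flip; with request_imbalance=3 the fourth unanswered request for 10.0.0.9 raises request-imbalance. The counters here grow without bound; a real sensor ages them out, which is what the alert-interval style timeouts elsewhere in this appendix are for.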

Table M-15 Atomic ARP Engine Parameters (Parameter: Description)

specify-mac-flip: Fires an alert when the MAC address changes more than this many times for this IP address.


specify-type-of-arp-sig: Specifies the type of ARP signatures you want to fire on:
• Source Broadcast (default)—Fires an alarm for this signature when it sees an ARP source address of 255.255.255.255.
• Destination Broadcast—Fires an alarm for this signature when it sees an ARP destination address of 255.255.255.255.
• Same Source and Destination—Fires an alarm for this signature when it sees an ARP packet with the same source and destination MAC address.
• Source Multicast—Fires an alarm for this signature when it sees an ARP source MAC address of 01:00:5e:(00-7f).

specify-request-imbalance: Fires an alert when there are this many more requests than replies on the IP address.

specify-arp-operation: The ARP operation code for this signature.

Service DNS Engine Options

The Service DNS engine specializes in advanced DNS decode, which includes anti-evasive techniques such as following multiple jumps. It has many parameters, such as lengths, opcodes, strings, and so forth. The Service DNS engine is a biprotocol inspector operating on both TCP and UDP port 53. It uses the stream for TCP and the quad for UDP.

Table M-16 on page M-20 lists the parameters specific to the Service DNS engine.
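Before the parameter table, an added example (not from the guide and not the sensor's own code) of the decode the Service DNS parameters are built on: a name decoder that follows compression pointers and stops when the jump count is exceeded (a pointer that points at itself would otherwise loop forever), rejects a wire-format name longer than 255 octets, and a question-section parser that also flags a query with source port 53. The names read_name, inspect_dns, build_query, the MAX_JUMPS ceiling of 8 and the sample packets are constructed for this illustration.

```python
import struct
from typing import Dict, List, Tuple

# Illustrative names (read_name, inspect_dns, build_query): not the sensor's API.
MAX_JUMPS = 8   # assumed ceiling on compression pointers followed for one name


class DnsDecodeError(Exception):
    """Carries the name of the Service DNS parameter the malformed input corresponds to."""

    def __init__(self, code: str, detail: str):
        super().__init__(detail)
        self.code = code


def read_name(msg: bytes, offset: int, max_jumps: int = MAX_JUMPS) -> Tuple[str, int, int]:
    """Decode a possibly compressed DNS name starting at `offset`.

    Returns (name, offset just past the name in the original stream, pointers
    followed). A pointer chain or loop longer than `max_jumps` is the "jump
    count exceeded" condition; a wire-format name longer than 255 octets is the
    "invalid domain name" condition.
    """
    labels: List[str] = []
    pos, jumps, wire_len, end = offset, 0, 0, None
    while True:
        if pos >= len(msg):
            raise DnsDecodeError("query-record-data-invalid", "name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                          # 11xxxxxx: compression pointer
            if pos + 1 >= len(msg):
                raise DnsDecodeError("query-record-data-invalid", "truncated pointer")
            jumps += 1
            if jumps > max_jumps:
                raise DnsDecodeError("query-jump-count-exceeded", f"{jumps} pointers followed")
            if end is None:
                end = pos + 2                               # the name occupies two bytes here
            pos = ((length & 0x3F) << 8) | msg[pos + 1]
            continue
        if length & 0xC0:
            raise DnsDecodeError("query-invalid-domain-name", "unsupported label type")
        pos += 1
        if length == 0:                                     # root label ends the name
            break
        wire_len += length + 1
        if wire_len + 1 > 255:                              # +1 for the terminating root label
            raise DnsDecodeError("query-invalid-domain-name", "wire length greater than 255")
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels), (pos if end is None else end), jumps


def inspect_dns(packet: bytes, src_port: int) -> Dict:
    """Parse the header and question section and list the findings, named after
    the Service DNS parameters they correspond to."""
    if len(packet) < 12:
        return {"questions": [], "findings": ["truncated-header"]}
    _txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    qr, opcode = flags >> 15, (flags >> 11) & 0xF
    findings, questions, pos = [], [], 12
    if qr == 0 and src_port == 53:                          # queries should come from an ephemeral port
        findings.append("query-src-port-53")
    for _ in range(qdcount):
        try:
            name, pos, _jumps = read_name(packet, pos)
        except DnsDecodeError as exc:
            findings.append(exc.code)
            break
        if pos + 4 > len(packet):
            findings.append("query-record-data-invalid")
            break
        qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
        pos += 4
        questions.append((name, qtype, qclass))
    return {"qr": qr, "opcode": opcode, "questions": questions, "findings": findings}


def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"


def build_query(name_wire: bytes, qtype: int = 1, qclass: int = 1) -> bytes:
    """Standard query header (QR=0, RD=1, one question) followed by the question."""
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + name_wire + struct.pack("!HH", qtype, qclass)


# Constructed samples: a normal A query, a pointer that points at itself, a name that is
# too long, and a legitimately compressed name ("www" + pointer to "example.com" at offset 12).
QUERY_OK = build_query(encode_name("www.example.com"))
QUERY_LOOP = build_query(b"\xc0\x0c")
QUERY_LONG = build_query(encode_name(".".join(["a" * 63] * 5)))
COMPRESSED = build_query(encode_name("example.com")) + b"\x03www\xc0\x0c"
```

The jump limit is what turns a pointer loop from a hang into an alert; the length check catches names that no resolver could have produced. Both are cheap to evaluate on every question, which is why they sit in the decoder rather than in a signature regex.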

Table M-16 Service DNS Engine Parameters (Parameter: Description. Value)

Protocol: Protocol of interest for this inspector. Value: TCP | UDP.

Specify Query Type: (Optional) Enables the query type. Value: 0 to 65535.
• Query Type—DNS query type (2-byte value).

Specify Query Opcode: (Optional) Enables the query opcode. Value: 0 to 65535.
• Query Opcode—DNS query opcode (1-byte value).

Specify Query Record Data Length: (Optional) Enables the query record data length. Value: 0 to 65535.
• Query Record Data Length—DNS response record data length.


Specify Query Record Data Invalid: (Optional) Enables query record data invalid. Value: Yes | No.
• Query Record Data Invalid—DNS record data incomplete.

Specify Query Src Port 53: (Optional) Enables the query source port 53 check. Value: Yes | No.
• Query Src Port 53—DNS packet source port is 53.

Specify Query Value: (Optional) Enables the query value. Value: Yes | No.
• Query Value—Query (0) or response (1).

Specify Query Stream Length: (Optional) Enables the query stream length. Value: 0 to 65535.
• Query Stream Length—DNS packet length.

Specify Query Jump Count Exceeded: (Optional) Enables query jump count exceeded. Value: Yes | No.
• Query Jump Count Exceeded—DNS compression counter.

Specify Query Invalid Domain Name: (Optional) Enables query invalid domain name. Value: Yes | No.
• Query Invalid Domain Name—DNS query length greater than 255.

Specify Query Class: (Optional) Enables the query class. Value: 0 to 65535.
• Query Class—DNS query class (2-byte value).

Specify Query Chaos String: (Optional) Enables the DNS query class Chaos string. Value: query-chaos-string.

Flood Engine Options

The Flood engine defines signatures that watch for any host or network sending multiple packets to a single host or network. For example, you can create a signature that fires when 150 or more packets per second (of the specified type) are found going to the victim host.

There are two types of Flood engines: Flood Host and Flood Net.

Table M-17 on page M-22 lists the parameters specific to the Flood Host engine.
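Before the parameter tables, an added example (not from the guide and not the sensor's own code) of the rate logic behind both Flood engines: Flood Host counts the selected packets (by protocol, ICMP type and, for UDP, destination ports in the a-b[,c-d] syntax) per victim per second and fires at or above the rate; Flood Net counts per second across all destinations and uses peaks, gap and sampling-interval. The guide does not spell out how those three interact, so the reading used here (a second at or above the rate is a peak; peaks inside one sampling interval and no more than gap seconds apart form a run; the signature fires when the run exceeds the allowed peaks) is an assumption, as are the names Packet, flood_host_alerts, flood_net_alerts and the constructed traffic.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Illustrative names (Packet, flood_host_alerts, flood_net_alerts): not the sensor's API.


@dataclass(frozen=True)
class Packet:
    ts: float                       # arrival time in seconds
    proto: str                      # "icmp", "tcp" or "udp"
    src: str
    dst: str
    icmp_type: Optional[int] = None
    dst_port: Optional[int] = None


def parse_port_ranges(spec: str) -> List[Tuple[int, int]]:
    """Parse the guide's a-b[,c-d] port syntax; the upper bound may not be below the lower."""
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo_i, hi_i = int(lo), (int(hi) if hi else int(lo))
        if not 0 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port range {part!r}")
        ranges.append((lo_i, hi_i))
    return ranges


def _selected(p: Packet, proto: str, icmp_type: Optional[int], ranges) -> bool:
    if p.proto != proto:
        return False
    if proto == "icmp" and icmp_type is not None and p.icmp_type != icmp_type:
        return False
    if proto == "udp" and ranges and not any(lo <= p.dst_port <= hi for lo, hi in ranges):
        return False
    return True


def flood_host_alerts(packets: List[Packet], proto: str, rate: int,
                      icmp_type: Optional[int] = None, dst_ports: Optional[str] = None):
    """Flood Host: one alert per (second, victim) that received at least `rate` selected packets."""
    ranges = parse_port_ranges(dst_ports) if dst_ports else None
    counts = defaultdict(int)
    for p in packets:
        if _selected(p, proto, icmp_type, ranges):
            counts[(int(p.ts), p.dst)] += 1
    return sorted((sec, dst, n) for (sec, dst), n in counts.items() if n >= rate)


def flood_net_alerts(packets: List[Packet], proto: str, rate: int, peaks: int, gap: int,
                     sampling_interval: int, icmp_type: Optional[int] = None):
    """Flood Net (interpretation assumed, see lead-in): count selected packets per second
    across all destinations and fire when a run of peaks grows beyond `peaks`."""
    per_sec = defaultdict(int)
    for p in packets:
        if _selected(p, proto, icmp_type, None):
            per_sec[int(p.ts)] += 1
    alerts, run = [], []
    for sec in sorted(s for s, n in per_sec.items() if n >= rate):
        if run and (sec - run[-1] > gap or sec // sampling_interval != run[0] // sampling_interval):
            run = []                                     # too long a gap or a new sampling window
        run.append(sec)
        if len(run) == peaks + 1:
            alerts.append((run[0], sec, len(run)))
    return alerts


def _burst(sec: int, n: int, dst: str, proto: str = "icmp",
           icmp_type: Optional[int] = 8, dst_port: Optional[int] = None) -> List[Packet]:
    """n packets spread inside one second from rotating 203.0.113.0/24 sources (constructed)."""
    return [Packet(sec + i / n, proto, f"203.0.113.{i % 250 + 1}", dst, icmp_type, dst_port)
            for i in range(n)]


# Constructed traffic: an echo-request flood on 10.0.0.5, a trickle to 10.0.0.6, a UDP/53
# flood on 10.0.0.9, and four consecutive seconds at the Flood Net rate.
SAMPLE = (_burst(100, 200, "10.0.0.5") + _burst(100, 20, "10.0.0.6")
          + _burst(101, 160, "10.0.0.9", "udp", None, 53))
FLOOD_NET_SAMPLE = sum((_burst(s, 150, f"10.0.0.{s % 10 + 1}") for s in (200, 201, 202, 203)), [])
```

Per-second buckets keyed by victim are enough for Flood Host; the sensor's version adds aging so that the table does not grow with every destination ever seen.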


Table M-17 Flood Host Engine Parameters (Parameter: Description. Value)

protocol: Which kind of traffic to inspect. Value: ICMP | UDP.

rate: Threshold number of packets per second. Value: 0 to 65535.

icmp-type: Specifies the value for the ICMP header type. Value: 0 to 65535.

dst-ports: Specifies the destination ports when you choose the UDP protocol. Value: 0 to 65535, given as a-b[,c-d].

src-ports: Specifies the source ports when you choose the UDP protocol. Value: 0 to 65535, given as a-b[,c-d].

Flood Net Engine Parameters

Table M-18 on page M-22 lists the parameters specific to the Flood Net engine.

Table M-18 Flood Net Engine Parameters (Parameter: Description. Value)

gap: Gap of time allowed (in seconds) for a flood signature. Value: 0 to 65535.

peaks: Number of allowed peaks of flood traffic. Value: 0 to 65535.

protocol: Which kind of traffic to inspect. Value: ICMP | TCP | UDP.

rate: Threshold number of packets per second. Value: 0 to 65535.

sampling-interval: Interval used for sampling traffic. Value: 1 to 3600.

icmp-type: Specifies the value for the ICMP header type. Value: 0 to 65535.

Service FTP Engine Options

The Service FTP engine specializes in FTP PORT command decode, trapping invalid PORT commands and the PASV port spoof. It fills in the gaps when the String engine is not appropriate for detection. The parameters are Boolean and map to the various error trap conditions in the PORT command decode. The Service FTP engine runs on TCP ports 20 and 21. Port 20 is for data, and the Service FTP engine does not do any inspection on it. It inspects the control transactions on port 21.

Table M-19 on page M-23 lists the parameters that are specific to the Service FTP engine.
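Before the parameter table, an added example (not from the guide and not the sensor's own code) of the three trap conditions on the FTP control channel: a PORT command whose h1,h2,h3,h4 address is not the client's own (the FTP bounce case), a PORT command whose p1,p2 port is privileged or out of range, and a 227 reply whose address is not the server's (the PASV port spoof). The names inspect_to_service, inspect_from_service and inspect_session, the choice of 1024 as the lowest acceptable data port, and the sample session between 192.0.2.10 and 198.51.100.5 are this example's assumptions.

```python
import re
from typing import List, Tuple

# Illustrative names (decode_host_port, inspect_*): not the sensor's API.
PORT_CMD = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)
PASV_REPLY = re.compile(r"^227\b.*?(\d{1,3}(?:,\d{1,3}){5})")


def decode_host_port(spec: str) -> Tuple[str, int, bool, bool]:
    """Split h1,h2,h3,h4,p1,p2 into (address, port, address_ok, port_ok)."""
    n = [int(x) for x in spec.split(",")]
    address = ".".join(str(o) for o in n[:4])
    port = (n[4] << 8) | n[5]
    address_ok = all(o <= 255 for o in n[:4])
    port_ok = all(o <= 255 for o in n[4:]) and port >= 1024   # ephemeral range assumed
    return address, port, address_ok, port_ok


def inspect_to_service(line: str, client_ip: str) -> List[str]:
    """Client-to-server control line: a PORT command must name the client itself."""
    m = PORT_CMD.match(line.strip())
    if not m:
        return []
    address, _port, address_ok, port_ok = decode_host_port(m.group(1))
    findings = []
    if not address_ok or address != client_ip:
        findings.append("invalid-address-in-port-command")   # bounce: data connection to a third host
    if not port_ok:
        findings.append("invalid-port-in-port-command")      # privileged or out-of-range data port
    return findings


def inspect_from_service(line: str, server_ip: str) -> List[str]:
    """Server-to-client control line: a 227 reply must name the server itself."""
    m = PASV_REPLY.match(line.strip())
    if not m:
        return []
    address, _port, address_ok, _port_ok = decode_host_port(m.group(1))
    return [] if address_ok and address == server_ip else ["pasv-port-spoof"]


def inspect_session(lines: List[Tuple[str, str]], client_ip: str, server_ip: str):
    """lines: (direction, text) with direction "to-service" or "from-service";
    returns (line index, finding) pairs."""
    alerts = []
    for idx, (direction, text) in enumerate(lines):
        if direction == "to-service":
            found = inspect_to_service(text, client_ip)
        else:
            found = inspect_from_service(text, server_ip)
        alerts.extend((idx, f) for f in found)
    return alerts


# Constructed control-channel exchange (client 192.0.2.10, server 198.51.100.5).
SESSION = [
    ("to-service", "USER anonymous"),
    ("to-service", "PORT 192,0,2,10,4,1"),                               # 192.0.2.10:1025, fine
    ("to-service", "PORT 198,51,100,99,0,25"),                           # third host, port 25
    ("from-service", "227 Entering Passive Mode (198,51,100,5,200,10)"),  # server's own address
    ("from-service", "227 Entering Passive Mode (203,0,113,7,200,10)"),   # redirected elsewhere
]
```

Only the control channel is parsed, matching the guide's note that port 20 data traffic is not inspected. EPRT and EPSV (RFC 2428) carry the same information in a different syntax and would need their own patterns.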


Table M-19 Service FTP Engine Parameters (Parameter: Description. Value)

Direction: Direction of traffic. Value: From Service | To Service.
• From Service—Traffic from the service port destined to the client port.
• To Service—Traffic from the client port destined to the service port.

Service Ports: A comma-separated list of ports or port ranges where the target service resides. Value: 0 to 65535.

Note: The second number in the range must be greater than or equal to the first number.

Swap Attacker Victim: Yes if the source and destination address (and ports) are swapped in the alert message. No for no swap (default). Value: Yes | No.

FTP Inspection Type: Type of inspection to perform. Value: Invalid Address in PORT Command | Invalid Port in PORT Command | PASV Port Spoof.
• Invalid Address in PORT Command—Looks for an invalid address in the FTP PORT command.
• Invalid Port in PORT Command—Looks for an invalid port in the FTP PORT command.
• PASV Port Spoof—Looks for the PASV port spoof.

General Options for All Engines

The following parameters are part of the Master engine and apply to all signatures.

Table M-20 on page M-23 lists the general Master engine parameters.

Table M-20 Master Engine General Parameters (Parameter: Description. Value)

Alert Severity: Severity of the alert. Value: high (dangerous alert) | medium (medium-level alert) | low (low-level alert) | informational (informational alert).

Engine: Specifies the engine the signature belongs to.

Event Counter: Grouping for event count settings.


Event Count: Number of times an event must occur before an alert is generated. Value: 1 to 65535.

Event Count Key: The storage type on which to count events for this signature. Value: Axxx (attacker address) | AxBx (attacker and victim addresses) | Axxb (attacker address and victim port) | xxBx (victim address) | AaBb (attacker and victim addresses and ports).

Specify Alert Interval: Enables the alert interval. Value: yes | no.

Alert Interval: Time in seconds before the event count is reset. Value: 2 to 1000.

promisc-delta: Delta value used to determine the seriousness of the alert. Value: 0 to 30.

sig-fidelity-rating: Rating of the fidelity of this signature. Value: 0 to 100.

sig-description: Grouping for your description of the signature.

sig-name: Name of the signature. Value: sig-name.

sig-string-info: Additional information about this signature that will be included in the alert message. Value: sig-string-info.

sig-comment: Comments about this signature. Value: sig-comment.

Alert Traits: Traits you want to document about this signature. Value: 0 to 65535.

Release: The release in which the signature was most recently updated. Value: release.

Status: Whether the signature is enabled or disabled, active or retired. Value: enabled | retired.

Generic Service Engine Options

The Service Generic engine allows programmatic signatures to be issued in a config-file-only signature update. It has a simple machine and assembly language that is defined in the configuration file. It runs the machine code (distilled from the assembly language) through its virtual machine, which processes the instructions, pulls the important pieces of information out of the packet, and runs them through the comparisons and operations specified in the machine code.


It is intended as a rapid signature response engine to supplement the String and State engines.

Note You cannot use the Service Generic engine to create custom signatures.

Caution Due to the proprietary nature of this complex language, we do not recommend that you edit the Service Generic engine signature parameters other than severity and event action.

Table M-21 on page M-25 lists the parameters specific to the Service Generic engine.

Table M-21 Service Generic Engine Parameters (Parameter: Description. Value)

specify-dst-port: (Optional) Enables the destination port. Value: 0 to 65535.
• dst-port—Destination port of interest for this signature.

specify-ip-protocol: (Optional) Enables the IP protocol. Value: 0 to 255.
• ip-protocol—The IP protocol this inspector should examine.

specify-payload-source: (Optional) Enables payload source inspection. Value: icmp-data | l2-header | l3-header | l4-header | tcp-data | udp-data.
• payload-source—Which part of the packet to inspect: ICMP data, Layer 2 headers, Layer 3 headers, Layer 4 headers, TCP data, or UDP data.

specify-src-port: (Optional) Enables the source port. Value: 0 to 65535.
• src-port—Source port of interest for this signature.


H225 Service Engine Options

Table M-22 on page M-26 lists the parameters specific to the Service H225 engine.

Table M-22 Service H.225 Engine Parameters (Parameter: Description. Value)

message-type: Type of H225 message to which the signature applies: SETUP, ASN.1-PER, Q.931, or TPKT. Value: asn.1-per | q.931 | setup | tpkt.

policy-type: Type of H225 policy to which the signature applies. Value: length | presence | regex | validate | value.
• length—Inspects field length.
• presence—Inspects presence. If certain fields are present in the message, an alert is sent.
• regex—Inspects regular expressions.
• validate—Inspects field validations.
• value—Inspects values.
Regex and presence are not valid for TPKT signatures.

specify-field-name: (Optional) Enables the field name for use. Only valid for SETUP and Q.931 message types. Gives a dotted representation of the field name that this signature applies to. Value: 1 to 512.
• field-name—Field name to inspect.

specify-invalid-packet-index: (Optional) Enables the invalid packet index for use for specific errors in ASN, TPKT, and other errors that have a fixed mapping. Value: 0 to 255.
• invalid-packet-index—Inspection for the invalid packet index.


specify-regex-string: The regular expression to look for when the policy type is regex. This is never set for TPKT signatures. Value: regex-string, specify-min-match-length.
• regex-string—A regular expression to search for in a single TCP packet.
• specify-min-match-length—(Optional) Enables the minimum match length for use: the minimum length of the regex match required to constitute a match. This is never set for TPKT signatures.

specify-value-range: Valid for the length or value policy types. Not valid for other policy types. Value: 0 to 65535, given as a-b.
• value-range—Range of values.

HTTP Service Engine Options

Table M-23 on page M-27 lists the parameters specific to the Service HTTP engine.
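Before the parameter table, an added example (not from the guide and not the sensor's own code) of the field model the Service HTTP parameters refer to: the request is carved into URI, arguments (after the ? plus the entity body up to Content-Length) and header (after the first CRLF up to CRLFCRLF), the URI and argument fields are deobfuscated, and then the maximum field lengths and the URI, argument, header and request regexes are applied. The guide defines the URI field as everything after the method up to the first CRLF; splitting the request line on spaces as well, the two-pass percent decoding, joining query and body with "&", and the names deobfuscate, split_http_request and inspect_http_request are this example's choices. The requests are constructed.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote, unquote_plus

# Illustrative names (deobfuscate, split_http_request, inspect_http_request): not the sensor's API.


def deobfuscate(text: str, decoder=unquote, passes: int = 2) -> str:
    """Undo URL-level evasion before matching: percent-decode (repeated up to `passes`
    times so double encoding such as %255c is unwrapped), turn backslashes into
    slashes and drop self-referencing path segments. The pass count and the exact
    set of transformations are assumptions, not the sensor's documented behaviour."""
    for _ in range(passes):
        decoded = decoder(text)
        if decoded == text:
            break
        text = decoded
    text = text.replace("\\", "/")
    while "/./" in text:
        text = text.replace("/./", "/")
    return text


def split_http_request(raw: bytes) -> Dict[str, object]:
    """Carve one request into URI (request target before any '?'), arguments (query
    plus entity body up to Content-Length) and header (first CRLF to CRLFCRLF)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header = head.partition(b"\r\n")
    parts = request_line.decode("latin-1").split(" ", 2)
    target = parts[1] if len(parts) > 1 else ""
    uri, _, query = target.partition("?")
    header_text = header.decode("latin-1")
    m = re.search(r"(?im)^content-length:[ \t]*(\d+)", header_text)
    entity = body[:int(m.group(1))].decode("latin-1") if m else ""
    args = "&".join(part for part in (query, entity) if part)   # joining with '&' is an assumption
    return {"method": parts[0], "uri": uri, "args": args, "header": header_text,
            "request_length": len(raw)}


def inspect_http_request(raw: bytes, *, de_obfuscate: bool = True,
                         max_uri: Optional[int] = None, max_arg: Optional[int] = None,
                         max_header: Optional[int] = None, max_request: Optional[int] = None,
                         uri_regex: Optional[str] = None, arg_regex: Optional[str] = None,
                         header_regex: Optional[str] = None,
                         request_regex: Optional[str] = None) -> List[str]:
    """Apply the length limits and regexes to the (optionally deobfuscated) fields and
    return the names of the parameters that matched, in a fixed order."""
    fields = split_http_request(raw)
    uri = deobfuscate(fields["uri"], unquote) if de_obfuscate else fields["uri"]
    # form encoding: '+' is a space in the argument field, so unquote_plus is used there
    args = deobfuscate(fields["args"], unquote_plus) if de_obfuscate else fields["args"]
    header = fields["header"]
    findings: List[str] = []
    for tag, value, limit in (("max-uri-field-length", uri, max_uri),
                              ("max-arg-field-length", args, max_arg),
                              ("max-header-field-length", header, max_header)):
        if limit is not None and len(value) > limit:
            findings.append(tag)
    if max_request is not None and fields["request_length"] > max_request:
        findings.append("max-request-length")
    for tag, pattern, haystacks in (("uri-regex", uri_regex, (uri,)),
                                    ("arg-regex", arg_regex, (args,)),
                                    ("header-regex", header_regex, (header,)),
                                    ("request-regex", request_regex, (uri, args))):
        if pattern and any(re.search(pattern, h) for h in haystacks):
            findings.append(tag)
    return findings


# Constructed requests: a benign GET, a double-encoded traversal to cmd.exe, a form POST
# with an injection attempt in the body, and an oversized URI.
REQ_BENIGN = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
REQ_EVASIVE = (b"GET /cgi-bin/..%255c..%255cwinnt/system32/c%6dd.exe?/c+dir HTTP/1.1\r\n"
               b"Host: www.example.com\r\n\r\n")
REQ_POST = (b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 26\r\n\r\n"
            b"user=admin&pass=%27+OR+1=1")
REQ_LONG = b"GET /" + b"A" * 600 + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
```

Running the evasive request with de_obfuscate off shows why the De Obfuscate parameter matters: neither the URI regex nor the argument regex sees anything to match until the percent encoding is undone.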

Table M-23 Service HTTP Engine Parameters (Parameter: Description. Value)

De Obfuscate: Applies anti-evasive deobfuscation before searching. Value: Yes | No.

Max Field Sizes: Maximum field sizes grouping.

Specify Max URI Field Length: (Optional) Enables the maximum URI field length. Value: 0 to 65535.
• Max URI Field Length—Maximum length of the URI field.

Specify Max Arg Field Length: (Optional) Enables the maximum argument field length. Value: 0 to 65535.
• Max Arg Field Length—Maximum length of the arguments field.


Specify Max Header Field Length: (Optional) Enables the maximum header field length. Value: 0 to 65535.
• Max Header Field Length—Maximum length of the header field.

Specify Max Request Length: (Optional) Enables the maximum request length. Value: 0 to 65535.
• Max Request Length—Maximum length of the request field.

Regex: Regular expression grouping.

Specify URI Regex: (Optional) Regular expression to search for in the HTTP URI field. The URI field is defined to be after the HTTP method (GET, for example) and before the first CRLF. The regular expression is protected, which means you cannot change the value. Value: [/\\][a-zA-Z][a-zA-Z][a-zA-Z][a-zA-Z][a-zA-Z][a-zA-Z][a-zA-Z][.]jpeg

Specify Arg Name Regex: (Optional) Enables searching the Arguments field for a specific regular expression.
• Arg Name Regex—Regular expression to search for in the HTTP Arguments field (after the ? and in the entity body as defined by Content-Length).

Specify Header Regex: (Optional) Enables searching the Header field for a specific regular expression.
• Header Regex—Regular expression to search for in the HTTP Header field. The Header is defined after the first CRLF and continues until CRLFCRLF.


Specify Request Regex: (Optional) Enables searching the Request field for a specific regular expression. Value: 0 to 65535 (for the minimum match length).
• Request Regex—Regular expression to search for in both the HTTP URI and HTTP Argument fields.
• Specify Min Request Match Length—Enables setting a minimum request match length.

Service Ports: A comma-separated list of ports or port ranges where the target service resides. Value: 0 to 65535.

Note: The second number in the range must be greater than or equal to the first number.

Swap Attacker Victim: Yes if the source and destination address (and ports) are swapped in the alert message. No for no swap (default). Value: Yes | No.

Alert Frequency Options

The purpose of the summary parameter is to reduce the volume of alerts written to the Event Store, to counter IDS DoS tools such as stick. There are four modes: Fire All, Fire Once, Summarize, and Global Summarize. The summary mode changes dynamically to adapt to the current alert volume. For example, you can configure the signature to Fire All, but after a certain threshold is reached, it starts summarizing.
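Before the parameter table, an added example (not from the guide and not the sensor's own code) that serves two passages: the Master engine event counter from General Options for All Engines (Event Count, Event Count Key, Alert Interval) and the alert frequency modes described above (fire-all, fire-once, summarize, global-summarize with summary-threshold, global-summary-threshold, summary-interval and summary-key). The key codes are the guide's (A attacker address, a attacker port, B victim address, b victim port, x ignored). The guide does not state exactly when escalation happens or when a summary is emitted, so the rules used here (escalate to summarize once one summary key exceeds summary-threshold inside an interval, to global-summarize once the total exceeds global-summary-threshold, emit summaries and fall back to the configured mode at the end of each summary-interval) are an interpretation, as are the names Event, EventCounter, AlertSummarizer and the constructed event lists.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Illustrative names (Event, key_for, EventCounter, AlertSummarizer): not the sensor's API.


@dataclass(frozen=True)
class Event:
    ts: float
    attacker: str
    attacker_port: int
    victim: str
    victim_port: int


def key_for(ev: Event, key_type: str) -> Tuple:
    """Map the guide's key codes (Axxx, AxBx, Axxb, xxBx, AaBb) to the tuple events are grouped by."""
    fields = {"A": ev.attacker, "a": ev.attacker_port, "B": ev.victim, "b": ev.victim_port}
    return tuple(fields[c] for c in key_type if c != "x")


class EventCounter:
    """Event Count / Event Count Key / Alert Interval: an alert is produced once `event_count`
    events share a key within `alert_interval` seconds (or at any time when no interval is
    set); the count for that key then starts over."""

    def __init__(self, event_count: int, key_type: str = "AxBx", alert_interval: Optional[float] = None):
        self.event_count, self.key_type, self.alert_interval = event_count, key_type, alert_interval
        self.state: Dict[Tuple, Tuple[int, float]] = {}   # key -> (count, window start)

    def process(self, ev: Event) -> Optional[Tuple]:
        key = key_for(ev, self.key_type)
        count, start = self.state.get(key, (0, ev.ts))
        if self.alert_interval is not None and ev.ts - start > self.alert_interval:
            count, start = 0, ev.ts                       # window expired: start counting again
        count += 1
        if count >= self.event_count:
            self.state[key] = (0, ev.ts)
            return key                                    # alert for this key
        self.state[key] = (count, start)
        return None


class AlertSummarizer:
    """Alert Frequency modes with threshold-driven escalation (interpretation, see lead-in)."""

    def __init__(self, summary_mode: str = "fire-all", summary_key: str = "AxBx",
                 summary_interval: float = 30, summary_threshold: Optional[int] = None,
                 global_summary_threshold: Optional[int] = None):
        self.base_mode = self.mode = summary_mode
        self.summary_key, self.summary_interval = summary_key, summary_interval
        self.summary_threshold, self.global_summary_threshold = summary_threshold, global_summary_threshold
        self.interval_start: Optional[float] = None
        self.per_key, self.total, self.fired, self.output = Counter(), 0, set(), []

    def _flush(self, now: float) -> None:
        """End of a summary interval: emit the summary alerts, drop back to the base mode."""
        if self.mode == "global-summarize":
            self.output.append(("global-summary", self.total))
        elif self.mode == "summarize":
            for key, n in sorted(self.per_key.items()):
                self.output.append(("summary", key, n))
        self.mode, self.interval_start, self.total = self.base_mode, now, 0
        self.per_key.clear()
        self.fired.clear()

    def process(self, ev: Event) -> None:
        if self.interval_start is None:
            self.interval_start = ev.ts
        elif ev.ts - self.interval_start >= self.summary_interval:
            self._flush(ev.ts)
        key = key_for(ev, self.summary_key)
        self.per_key[key] += 1
        self.total += 1
        if self.global_summary_threshold and self.total > self.global_summary_threshold:
            self.mode = "global-summarize"
        elif (self.summary_threshold and self.mode in ("fire-all", "fire-once")
              and self.per_key[key] > self.summary_threshold):
            self.mode = "summarize"
        if self.mode == "fire-all" or (self.mode == "fire-once" and key not in self.fired):
            self.fired.add(key)
            self.output.append(("alert", key))

    def finish(self, now: float) -> List[Tuple]:
        self._flush(now)
        return self.output


def ev(ts: float, attacker: str, victim: str = "10.0.0.200") -> Event:
    return Event(ts, attacker, 40000, victim, 80)


# Constructed traffic: one attacker against two victims, then a stick-style burst of attackers.
COUNT_EVENTS = [ev(0, "198.51.100.7", "10.0.0.1"), ev(2, "198.51.100.7", "10.0.0.2"),
                ev(5, "198.51.100.7", "10.0.0.1"), ev(30, "198.51.100.7", "10.0.0.1"),
                ev(31, "198.51.100.7", "10.0.0.1")]
STICK_EVENTS = [ev(0, "10.0.0.1"), ev(1, "10.0.0.1"), ev(2, "10.0.0.1"), ev(3, "10.0.0.2"),
                ev(4, "10.0.0.3"), ev(5, "10.0.0.2"), ev(6, "10.0.0.4"), ev(40, "10.0.0.5")]


def run_counter(events: List[Event], **kw) -> List[float]:
    counter = EventCounter(**kw)
    return [e.ts for e in events if counter.process(e) is not None]


def run_summarizer(events: List[Event], **kw) -> List[Tuple]:
    s = AlertSummarizer(**kw)
    for e in events:
        s.process(e)
    return s.finish(events[-1].ts + 1)
```

The same five events produce an alert with key Axxx and none with AxBx, which is the practical meaning of the Event Count Key: choose it by what the signature is counting (one source probing many hosts versus one source hammering one host). On the burst, fire-all produces two individual alerts, then the summary threshold switches the signature to summarizing and the global threshold collapses the rest into one global summary, which is the behaviour the paragraph above describes against stick.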

Table M-24 MASTER Engine Alert Frequency Parameters (Parameter: Description. Value)

alert-frequency: Summary options for grouping alerts.

summary-mode: Mode used for summarization. Value: fire-all | fire-once | summarize | global-summarize.
• fire-all—Fires an alert on all events.
• fire-once—Fires an alert only once.
• global-summarize—Summarizes an alert so that it only fires once regardless of how many attackers or victims.
• summarize—Summarizes alerts.

specify-summary-threshold: (Optional) Enables the summary threshold. Value: yes | no.


summary-threshold: Threshold number of alerts to send the signature into summary mode. Value: 0 to 65535.

specify-global-summary-threshold: Enables the global summary threshold. Value: yes | no.

global-summary-threshold: Threshold number of events to take alerts into global summary. Value: 1 to 65535.

summary-interval: Time in seconds used in each summary alert. Value: 1 to 1000.

summary-key: The storage type on which to summarize this signature. Value: Axxx (attacker address) | AxBx (attacker and victim addresses) | Axxb (attacker address and victim port) | xxBx (victim address) | AaBb (attacker and victim addresses and ports).

NTP Service Engine Options

The Service NTP engine inspects the NTP protocol. There is one NTP signature, the NTPd readvar overflow signature, which fires an alert if a readvar command is seen with NTP data that is too large for the NTP service to capture.

You can tune this signature and create custom signatures based on NTP protocol values, such as the mode and size of control packets.

Table M-25 on page M-30 lists the parameters specific to the Service NTP engine.

Table M-25 Service NTP Engine Parameters (Parameter: Description. Value)

inspection-type: Type of inspection to perform.


inspect-ntp-packets: Inspects NTP packets. Value: 0 to 65535.
• control-opcode—Opcode number of an NTP control packet according to RFC 1305, Appendix B.
• max-control-data-size—Maximum allowed amount of data sent in a control packet.
• mode—Mode of operation of the NTP packet per RFC 1305.

is-invalid-data-packet: Looks for invalid NTP data packets. Checks the structure of the NTP data packet to make sure it is the correct size. Value: true | false.

is-non-ntp-traffic: Checks for non-NTP packets on an NTP port. Value: true | false.

RPC Service Engine Options

Table M-26 on page M-31 lists the parameters specific to the Service RPC engine.

Table M-26 Service RPC Engine Parameters (Parameter: Description. Value)

Direction: Direction of traffic. Value: From Service | To Service.
• From Service—Traffic from the service port destined to the client port.
• To Service—Traffic from the client port destined to the service port.

Protocol: Protocol of interest. Value: TCP | UDP.

Service Ports: A comma-separated list of ports or port ranges where the target service resides. Value: 0 to 65535.

Note: The second number in the range must be greater than or equal to the first number.

Specify Regex String: Enables the regex fields (Specify Exact Match Offset, Regex String, Specify Min Match Length). Value: Yes | No.


Specify Exact Match Offset: (Optional) Enables the exact match offset. Value: 0 to 65535.
• Exact Match Offset—The exact stream offset the regular expression string must report for a match to be valid.

Regex String: The string to search for.

Specify Min Match Length: (Optional) Enables the minimum match length. Value: 0 to 65535.
• Min Match Length—Minimum number of bytes the regular expression string must match.

Specify Port Map Program: (Optional) Enables the portmapper program. Value: 0 to 9999999999.
• Port Map Program—The program number sent to the portmapper for this signature.

Specify RPC Program: (Optional) Enables the RPC program. Value: 0 to 1000000.
• RPC Program—RPC program number for this signature.

Specify Spoof Src: (Optional) Enables the spoofed source address check. Value: true | false.
• Spoof Src—Fires an alert when the source address is 127.0.0.1.

Specify RPC Max Length: (Optional) Enables the RPC maximum length. Value: 0 to 65535.
• RPC Max Length—Maximum allowed length of the entire RPC message. Lengths longer than what you specify fire an alert.

Specify RPC Procedure: (Optional) Enables the RPC procedure. Value: 0 to 1000000.
• RPC Procedure—RPC procedure number for this signature.


SMB Advanced Engine Options

Table M-27 on page M-33 lists the parameters specific to the Service SMB Advanced engine.

Table M-27 Service SMB Advanced Engine Parameters

Parameter Description Value

service-ports A comma-separated list of ports or port ranges where the target service resides.

0 to 65535 a-b[,c-d]

specify-command (Optional) Enables SMB commands:

• command—SMB command value; exact match required; defines the SMB packet type.

0 to 255

specify-direction (Optional) Enables traffic direction:

• direction—Lets you specify the direction of traffic:

– from-service—Traffic from service port destined to client port.

– to-service—Traffic from client port destined to service port.

from-service to-service

specify-operation (Optional) Enables MSRPC over SMB:

• msrpc-over-smb-operation—Required for SMB_COM_TRANSACTION commands, exact match required.

0 to 65535

specify-regex-string (Optional) Enables searching for regex strings:

• regex-string—A regular expression to search for in a single TCP packet.

specify-exact-match-offset (Optional) Enables exact match offset:

• exact-match-offset—The exact stream offset the Regex string must report a match to be valid.


specify-min-match-length (Optional) Enables minimum match length:

• min-match-length—Minimum number of bytes the Regex string must match.

specify-payload-source (Optional) Enables payload source:

• payload-source—Payload source inspection.

specify-scan-interval (Optional) Enables scan interval:

• scan-interval—The interval in seconds used to calculate alert rates.

1 to 131071

specify-tcp-flags (Optional) Enables TCP flags:

• msrpc-tcp-flags

• msrpc-tcp-flags-mask

• concurrent execution

• did not execute

• first fragment

• last fragment

• maybe

• object UUID

• pending cancel

• reserved

specify-type (Optional) Enables type of MSRPC over SMB packet:

• type—Type field of MSRPC over SMB packet

• 0 = Request

• 2 = Response

• 11 = Bind

• 12 = Bind Ack

specify-uuid (Optional) Enables MSRPC over UUID:

• uuid—MSRPC UUID field

32-character string composed of hexadecimal characters 0-9, a-f, A-F.

specify-hit-count (Optional) Enables hit counting:

• hit-count—The threshold number of occurrences in scan-interval to fire alerts.

1 to 65535

swap-attacker-victim True if address (and ports) source and destination are swapped in the alert message. False for no swap (default).

true | false


SMB Engine Options

The Service SMB engine inspects SMB packets. You can tune SMB signatures and create custom SMB signatures based on SMB control transaction exchanges and SMB NT_Create_AndX exchanges.

Table M-28 on page M-35 lists the parameters specific to the Service SMB engine.

Table M-28 Service SMB Engine Parameters

Parameter Description Value

service-ports A comma-separated list of ports or port ranges where the target service resides.

0 to 65535 a-b[,c-d]

specify-allocation-hint (Optional) Enables MSRPC allocation hint:

• allocation-hint—MSRPC Allocation Hint, which is used in SMB_COM_TRANSACTION command parsing.

0 to 42949677295

specify-byte-count (Optional) Enables byte count:

• byte-count—Byte count from SMB_COM_TRANSACTION structure.

0 to 65535

specify-command (Optional) Enables SMB commands:

• command—SMB command value.

0 to 255

specify-direction (Optional) Enables traffic direction:

• direction—Lets you specify the direction of traffic:

– from-service—Traffic from service port destined to client port.

– to-service—Traffic from client port destined to service port.

from-service to-service

specify-file-id (Optional) Enables using a transaction file ID:

• file-id—Transaction File ID.

• This parameter may limit a signature to a specific exploit instance and its use should be carefully considered.

0 to 65535


specify-function (Optional) Enables named pipe function:

• function—Named Pipe function.

0 to 65535

specify-hit-count (Optional) Enables hit counting:

• hit-count—The threshold number of occurrences in scan-interval to fire alerts.

0 to 65535

specify-operation (Optional) Enables MSRPC operation:

• operation—MSRPC operation requested. Required for SMB_COM_TRANSACTION commands. An exact match is required.

0 to 65535

specify-resource (Optional) Enables resource:

• resource—Specifies the pipe or SMB filename, in ASCII format, that is used to qualify the alert. An exact match is required.

resource

specify-scan-interval (Optional) Enables scan interval:

• scan-interval—The interval in seconds used to calculate alert rates.

0 to 131071

specify-set-count (Optional) Enables counting setup words:

• set-count—Number of Setup words.

0 to 255

specify-type (Optional) Enables searching for the Type field of an MSRPC packet:

• type—Type Field of MSRPC packet. 0 = Request; 2 = Response; 11 = Bind; 12 = Bind Ack

0 to 255


specify-word-count (Optional) Enables word counting for command parameters:

• word-count—Word count for the SMB_COM_TRANSACTION command parameters.

0 to 255

swap-attacker-victim True if address (and ports) source and destination are swapped in the alert message. False for no swap (default).

true | false

SNMP Engine Options

The Service SNMP engine inspects all SNMP packets destined for port 161. You can tune SNMP signatures and create custom SNMP signatures based on specific community names and object identifiers.

Instead of using string comparison or regular expression operations to match the community name and object identifier, all comparisons are made using the integers to speed up the protocol decode and reduce storage requirements.

Table M-29 on page M-37 lists the parameters specific to the Service SNMP engine.

Table M-29 Service SNMP Engine Parameters

Parameter Description Value

inspection-type Type of inspection to perform. —

brute-force-inspection Inspects for brute force attempts:

• brute-force-count—The number of unique SNMP community names that constitute a brute force attempt.

0 to 65535

invalid-packet-inspection Inspects for SNMP protocol violations.

non-snmp-traffic-inspection Inspects for non-SNMP traffic destined for UDP port 161.


snmp-inspection Inspects SNMP traffic:

• specify-community-name [yes | no]:

– community-name—Searches for the SNMP community name, that is, the SNMP password.

• specify-object-id [yes | no]:

– object-id—Searches for the SNMP object identifier.

community-name

object-id

SSH Engine Options

The Service SSH engine specializes in port 22 SSH traffic. Because all but the setup of an SSH session is encrypted, the engine only looks at the fields in the setup. There are two default signatures for SSH. You can tune these signatures, but you cannot create custom signatures.

Table M-30 on page M-38 lists the parameters specific to the Service SSH engine.

Table M-30 Service SSH Engine Parameters

Parameter Description Value

length-type Inspects for one of the following SSH length types:

• key-length—Length of the SSH key to inspect for:

– length—Keys larger than this fire the RSAREF overflow.

• user-length—User length SSH inspection:

– length—Keys larger than this fire the RSAREF overflow.

0 to 65535

service-ports A comma-separated list of ports or port ranges where the target service resides.

0 to 65535 a-b[,c-d]

specify-packet-depth (Optional) Enables packet depth:

• packet-depth—Number of packets to watch before determining the session key was missed.

0 to 65535


STATE Engine Options

Table M-31 on page M-39 lists the parameters specific to the State engine.

Table M-31 State Engine Parameters

Parameter Description Value

State Machine State machine grouping. —

Cisco Login Specifies the state machine for Cisco login:

• state-name—Name of the state required before the signature fires an alert:

– Cisco device state

– Control-C state

– Password prompt state

– Start state

cisco-device control-c pass-prompt start

LPR Format String Specifies the state machine to inspect for the LPR format string vulnerability:

• state-name—Name of the state required before the signature fires an alert:

– Abort state to end LPR Format String inspection

– Format character state

– Start state

abort format-char start

Specify Min Match Length (Optional) Enables minimum match length:

• Min Match Length—Minimum number of bytes the regular expression string must match.

0 to 65535

Note The second number in the range must be greater than or equal to the first number.


SMTP Specifies the state machine for the SMTP protocol:

• State Name—Name of the state required before the signature fires an alert:

– Abort state to end LPR Format String inspection

– Mail body state

– Mail header state

– SMTP commands state

– Start state

abort mail-body mail-header smtp-commands start

Regex String The string to search for. —

Direction Direction of the traffic:

• Traffic from service port destined to client port.

• Traffic from client port destined to service port.

From Service To Service

Service Ports A comma-separated list of ports or port ranges where the target service resides.

0 to 65535

Swap Attacker Victim Yes if address (and ports) source and destination are swapped in the alert message. No for no swap (default).

Yes | No

Specify Exact Match Offset (Optional) Enables exact match offset:

• Specify Max Match Offset/Specify Min Match Offset—The exact stream offset the regular expression string must report for a match to be valid.

0 to 65535


String ICMP Engine Options

Table M-32 on page M-41 lists the parameters specific to the String ICMP engine.

Table M-32 String ICMP Engine Parameters

Parameter Description Value

Specify Min Match Length (Optional) Enables minimum match length:

• Min Match Length—Minimum number of bytes the regular expression string must match.

0 to 65535

Regex String The string to search for. —

Direction Direction of the traffic:

• Traffic from service port destined to client port.

• Traffic from client port destined to service port.

From Service To Service

ICMP Type ICMP header TYPE value. 0 to 18

Note The second number in the range must be greater than or equal to the first number.

Swap Attacker Victim Yes if address (and ports) source and destination are swapped in the alert message. No for no swap (default).

Yes | No

Specify Exact Match Offset (Optional) Enables exact match offset:

• Specify Max Match Offset/Specify Min Match Offset—The exact stream offset the regular expression string must report for a match to be valid.

0 to 65535


String TCP Engine Options

Table M-33 on page M-42 lists the parameters specific to the String TCP engine.

Table M-33 String TCP Engine Parameters

Parameter Description Value

Strip Telnet Options Strips the Telnet option characters from the data before the pattern is searched.

Note This parameter is primarily used as an IPS anti-evasion tool.

Yes | No

Specify Min Match Length (Optional) Enables minimum match length:

• Min Match Length—Minimum number of bytes the regular expression string must match.

0 to 65535

Regex String The string to search for. —

Service Ports A comma-separated list of ports or port ranges where the target service resides.

0 to 65535

Note The second number in the range must be greater than or equal to the first number.

Direction Direction of the traffic:

• Traffic from service port destined to client port.

• Traffic from client port destined to service port.

From Service To Service

Specify Exact Match Offset (Optional) Enables exact match offset:

• Specify Max Match Offset/Specify Min Match Offset—The exact stream offset the regular expression string must report for a match to be valid.

0 to 65535

Swap Attacker Victim Yes if address (and ports) source and destination are swapped in the alert message. No for no swap (default).

Yes | No
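The following Python example is added here to show how the string-engine parameters interact when a payload is inspected; it is not part of the Cisco Security Manager documentation or product code. Strip Telnet Options removes IAC negotiation bytes before the search, Regex String is applied, Exact Match Offset is read as the stream offset at which the match must end (an assumption about the engine's convention, which this page does not spell out), and Min Match Length rejects matches shorter than the given byte count. Python's re module stands in for the sensor's own regex engine, and the payloads are constructed, not captured traffic. The same regex parameters appear in the RPC, SMB, State, String ICMP/UDP and TNS tables, so this one example serves them all.

```python
import re

# Telnet protocol bytes (RFC 854) needed to strip option negotiation.
IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254

# Constructed sample: a Telnet client typing "root" with option negotiation
# (IAC DO/WILL <opt>) interleaved into the data stream. Not captured traffic.
TELNET_SAMPLE = (bytes([IAC, DO, 1, IAC, WILL, 3]) + b"ro"
                 + bytes([IAC, DO, 24]) + b"ot\r\n")


def strip_telnet_options(data: bytes) -> bytes:
    """Remove Telnet IAC command sequences so the pattern search sees only the
    user data. This is what the Strip Telnet Options parameter enables: without
    it, negotiation bytes inserted mid-word defeat a literal regex."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
        elif i + 1 >= n:
            break                      # truncated IAC at end of buffer: drop it
        elif data[i + 1] == IAC:
            out.append(IAC)            # IAC IAC is an escaped 0xFF data byte
            i += 2
        elif data[i + 1] in (WILL, WONT, DO, DONT):
            i += 3                     # IAC <cmd> <option>
        elif data[i + 1] == SB:
            end = data.find(bytes([IAC, SE]), i + 2)   # subnegotiation ends at IAC SE
            i = n if end < 0 else end + 2
        else:
            i += 2                     # other two-byte commands (NOP, GA, ...)
    return bytes(out)


def string_engine_match(payload: bytes, regex: bytes, *, exact_match_offset=None,
                        min_match_length=None, strip_telnet=False) -> bool:
    """Return True when a string-engine signature with these parameters would
    fire on the payload. Offsets are byte positions into the inspected stream."""
    if strip_telnet:
        payload = strip_telnet_options(payload)
    for m in re.finditer(regex, payload):
        # Exact Match Offset: assumed here to mean the offset at which the match
        # ends; a match ending anywhere else is rejected.
        if exact_match_offset is not None and m.end() != exact_match_offset:
            continue
        # Min Match Length: the matched span must be at least this many bytes.
        if min_match_length is not None and m.end() - m.start() < min_match_length:
            continue
        return True
    return False
```

Run against TELNET_SAMPLE, the literal pattern `root` misses unless Telnet options are stripped first, which is the evasion the Strip Telnet Options note refers to; the offset and length checks then narrow where and how much of the stream a match may cover.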


String UDP Engine Options

Table M-34 on page M-43 lists the parameters specific to the String UDP engine.

Table M-34 String UDP Engine Parameters

Parameter Description Value

Specify Min Match Length (Optional) Enables minimum match length:

• Min Match Length—Minimum number of bytes the regular expression string must match.

0 to 65535

Regex String The string to search for. —

Service Ports A comma-separated list of ports or port ranges where the target service resides.

0 to 65535

Note The second number in the range must be greater than or equal to the first number.

Direction Direction of the traffic:

• Traffic from service port destined to client port.

• Traffic from client port destined to service port.

From Service To Service

Swap Attacker Victim Yes if address (and ports) source and destination are swapped in the alert message. No for no swap (default).

Yes | No

Specify Exact Match Offset (Optional) Enables exact match offset:

• Specify Max Match Offset/Specify Min Match Offset—The exact stream offset the regular expression string must report for a match to be valid.

0 to 65535

Sweep Other TCP Engine Options

Table M-35 on page M-43 lists the parameters specific to the Sweep Other TCP engine.

Table M-35 Sweep Other TCP Engine Parameters

Parameter Description Value

specify-port-range (Optional) Enables using a port range for inspection:

• port-range—UDP port range used in inspection.

0 to 65535 a-b[,c-d]


set-tcp-flags Lets you set TCP flags to match:

• tcp-flags—TCP flags used in this inspection:

– URG bit

– ACK bit

– PSH bit

– RST bit

– SYN bit

– FIN bit

urg ack psh rst syn fin

Sweep Engine Options

Table M-36 on page M-44 lists the parameters specific to the Sweep engine.

Table M-36 Sweep Engine Parameters

Parameter Description Value

protocol Protocol of interest for this inspector.

icmp udp tcp

specify-icmp-type (Optional) Enables the ICMP header type:

• icmp-type—ICMP header TYPE value.

0 to 255

specify-port-range (Optional) Enables using a port range for inspection:

• port-range—UDP port range used in inspection.

0 to 65535 a-b[,c-d]

fragment-status Specifies whether fragments are wanted or not:

• Any fragment status.

• Do not inspect fragments.

• Inspect fragments.

any no-fragments want-fragments

inverted-sweep Uses source port instead of destination port for unique counting.

true | false


mask Mask used in TCP flags comparison:

• URG bit

• ACK bit

• PSH bit

• RST bit

• SYN bit

• FIN bit

urg ack psh rst syn fin

storage-key Type of address key used to store persistent data:

• Attacker address

• Attacker and victim addresses

• Attacker address and victim port

Axxx AxBx Axxb

suppress-reverse Does not fire when a sweep has fired in the reverse direction on this address set.

true | false

swap-attacker-victim True if address (and ports) source and destination are swapped in the alert message. False for no swap (default).

true | false

tcp-flags TCP flags to match when masked by mask:

• URG bit

• ACK bit

• PSH bit

• RST bit

• SYN bit

• FIN bit

urg ack psh rst syn fin

unique Threshold number of unique port connections between the two hosts.

0 to 65535
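As an added illustration (example code written for this page, not Cisco's implementation), the following Python sketch applies the Sweep engine parameters from Table M-36 to a constructed sequence of TCP connection attempts: tcp-flags and mask select which packets count, storage-key decides how per-attacker state is partitioned, inverted-sweep switches the counted port from destination to source, unique is the threshold that fires the alert, and suppress-reverse silences an alert when the reverse direction has already fired. Which element is counted as "unique" under each storage key (victim address plus port for Axxx, port for AxBx, victim address for Axxb) is my reading of the table, not something the page states.

```python
from dataclasses import dataclass, field

# TCP flag bits, matching the urg/ack/psh/rst/syn/fin values in the table.
URG, ACK, PSH, RST, SYN, FIN = 0x20, 0x10, 0x08, 0x04, 0x02, 0x01


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int


@dataclass
class SweepDetector:
    """Counts unique ports (or hosts) per storage key and fires at the threshold."""
    unique: int                      # threshold number of unique items
    storage_key: str = "AxBx"        # Axxx | AxBx | Axxb
    inverted_sweep: bool = False     # count source port instead of destination port
    suppress_reverse: bool = False   # stay quiet if the reverse direction already fired
    tcp_flags: int = SYN             # flags that must be set ...
    mask: int = SYN | ACK            # ... within the bits selected by the mask
    _seen: dict = field(default_factory=dict)
    _fired_keys: set = field(default_factory=set)
    _fired_pairs: set = field(default_factory=set)

    def observe(self, pkt: Packet) -> bool:
        """Feed one packet; return True if this packet triggers the alert."""
        if (pkt.flags & self.mask) != self.tcp_flags:
            return False
        port = pkt.sport if self.inverted_sweep else pkt.dport
        # Assumed mapping of storage-key to (state partition, counted item).
        if self.storage_key == "Axxx":      # attacker address only
            key, item = (pkt.src,), (pkt.dst, port)
        elif self.storage_key == "AxBx":    # attacker and victim addresses
            key, item = (pkt.src, pkt.dst), port
        elif self.storage_key == "Axxb":    # attacker address and victim port
            key, item = (pkt.src, port), pkt.dst
        else:
            raise ValueError(f"unknown storage-key {self.storage_key!r}")
        bucket = self._seen.setdefault(key, set())
        bucket.add(item)
        if len(bucket) < self.unique or key in self._fired_keys:
            return False
        if self.suppress_reverse and (pkt.dst, pkt.src) in self._fired_pairs:
            return False
        self._fired_keys.add(key)
        self._fired_pairs.add((pkt.src, pkt.dst))
        return True


def run(detector: SweepDetector, packets) -> list:
    """Return the indices of the packets on which the detector fired."""
    return [i for i, p in enumerate(packets) if detector.observe(p)]


# Constructed sample (not captured traffic): 10.0.0.5 probes five distinct ports
# on 10.0.0.9. The SYN/ACK reply at index 1 is excluded by the mask and the
# repeated port 23 at index 4 must not advance the unique count.
A, B = "10.0.0.5", "10.0.0.9"
PORTSWEEP = [
    Packet(A, B, 40000, 21, SYN),
    Packet(B, A, 21, 40000, SYN | ACK),
    Packet(A, B, 40001, 22, SYN),
    Packet(A, B, 40002, 23, SYN),
    Packet(A, B, 40003, 23, SYN),
    Packet(A, B, 40004, 25, SYN),
    Packet(A, B, 40005, 80, SYN),
]

# After being swept, B probes A in return; suppress-reverse decides whether
# that second sweep produces its own alert.
REVERSE = PORTSWEEP + [Packet(B, A, 50000 + p, p, SYN) for p in (21, 22, 23)]
```

The default tcp_flags/mask pair (SYN set, ACK clear within the SYN|ACK mask) counts only connection attempts, so the victim's SYN/ACK answers never inflate the count; changing storage_key to Axxb with a single victim never reaches the threshold, which is the practical difference between a port sweep and a host sweep key.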


TNS Service Engine Options

Table M-37 on page M-46 lists the parameters specific to the Service TNS engine.

Table M-37 Service TNS Engine Parameters

Parameter Description Value

type Specifies the TNS frame value type:

• 1—Connect

• 2—Accept

• 4—Refuse

• 5—Redirect

• 6—Data

• 11—Resend

• 12—Marker

1 2 4 5 6 11 12

specify-regex-string (Optional) Enables using a regular expression string:

• specify-exact-match-offset—Enables the exact match offset:

– exact-match-offset—The exact stream offset the regular expression string must report for a match to be valid.

• specify-min-match-length—Enables the minimum match length:

– min-match-length—Minimum number of bytes the regular expression string must match.

0 to 65535

specify-regex-payload Specifies which protocol to inspect:

• TCP data—Performs Regex over the data portion of the TCP packet.

• TNS data—Performs Regex only over the TNS data (with all white space removed).

TCP TNS


Traffic ICMP Engine Options

The Traffic ICMP engine analyzes nonstandard protocols, such as TFN2K, LOKI, and DDoS. There are only two signatures (based on the LOKI protocol) with user-configurable parameters.

TFN2K is the newer version of the TFN. It is a DDoS agent that is used to control coordinated attacks by infected computers (zombies) to target a single computer (or domain) with bogus traffic floods from hundreds or thousands of unknown attacking hosts. TFN2K sends randomized packet header information, but it has two discriminators that can be used to define signatures. One is whether the L3 checksum is incorrect and the other is whether the character 64 ‘A’ is found at the end of the payload. TFN2K can run on any port and can communicate with ICMP, TCP, UDP, or a combination of these protocols.

LOKI is a type of back door Trojan. When the computer is infected, the malicious code creates an ICMP tunnel that can be used to send a small payload in ICMP replies (which may go straight through a firewall if it is not configured to block ICMP). The LOKI signatures look for an imbalance of ICMP echo requests to replies and simple ICMP code and payload discriminators.

The DDoS category (excluding TFN2K) targets ICMP-based DDoS agents. The main tools used here are TFN and Stacheldraht. They are similar in operation to TFN2K, but rely on ICMP only and have fixed commands: integers and strings.
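To make the LOKI request/reply discriminator concrete, here is an added Python example (written for this page, not Cisco's code) of the imbalance check that the reply-ratio and want-request parameters of Table M-38 describe: echo requests and echo replies are counted per host pair, and an alert fires once replies exceed requests by reply-ratio, provided that, when want-request is true, at least one request has been seen. The sample packets are constructed, and keying the counters on the unordered host pair is my assumption.

```python
ECHO_REPLY, ECHO_REQUEST = 0, 8   # ICMP type values


class IcmpReplyRatioDetector:
    """Per host pair, track echo requests against echo replies and fire on imbalance."""

    def __init__(self, reply_ratio: int, want_request: bool = True):
        self.reply_ratio = reply_ratio      # how many more replies than requests trigger the alert
        self.want_request = want_request    # require an ECHO REQUEST before firing
        self._counts = {}                   # (host, host) sorted -> [requests, replies]

    def observe(self, src: str, dst: str, icmp_type: int) -> bool:
        key = tuple(sorted((src, dst)))     # assumption: one counter per unordered host pair
        counts = self._counts.setdefault(key, [0, 0])
        if icmp_type == ECHO_REQUEST:
            counts[0] += 1
            return False
        if icmp_type != ECHO_REPLY:
            return False                    # other ICMP types play no part in this check
        counts[1] += 1
        if self.want_request and counts[0] == 0:
            return False                    # want-request: no request has been seen yet
        return counts[1] - counts[0] >= self.reply_ratio


def fired_indices(detector: IcmpReplyRatioDetector, packets) -> list:
    """Return the indices of (src, dst, icmp_type) tuples on which the alert fired."""
    return [i for i, (s, d, t) in enumerate(packets) if detector.observe(s, d, t)]


# Constructed sample: one legitimate request followed by a stream of replies,
# the shape a reply-carried covert channel produces.
A, B = "192.0.2.10", "192.0.2.20"
LOKI_LIKE = [(A, B, ECHO_REQUEST)] + [(B, A, ECHO_REPLY)] * 5

# Constructed sample: replies with no request at all.
REPLIES_ONLY = [("192.0.2.30", "192.0.2.40", ECHO_REPLY)] * 3
```

With reply-ratio 3 the LOKI_LIKE stream fires on the fourth reply and stays in alarm afterwards, while REPLIES_ONLY is silent as long as want-request is true; setting want-request to false trades that safeguard for detection of a tunnel that never sends a request.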

Table M-38 on page M-47 lists the parameters specific to the Traffic ICMP engine.

Table M-38 TRAFFIC ICMP Engine Parameters

Parameter Description Value

parameter-tunable-sig Whether this signature has configurable parameters.

yes | no

inspection-type Type of inspection to perform:

• Inspects for original LOKI traffic.

• Inspects for modified LOKI traffic.

is-loki is-mod-loki

reply-ratio Imbalance of replies to requests. The alert fires when there are this many more replies than requests.

0 to 65535

want-request Requires an ECHO REQUEST be seen before firing the alert.

true | false

Edit Signature Parameter—Component List Dialog Box

Use the Edit Signature Parameter—Component List dialog box to edit the component list for the meta engine.

Navigation Path

• (Device view) Select IPS > Signatures > Signatures from the Policy selector. Right-click a row containing a signature that uses the meta engine, and then click Edit Row in the shortcut menu that appears. Click Edit Parameters. In the Edit Signature Parameters dialog box, click List in the Value column.


Add Signature Parameter—List Entry Dialog Box

Use the Add Signature Parameter—List Entry dialog box to add components of the meta engine.

Edit Signature Parameter—List Entry Dialog Box

Use the Edit Signature Parameter—List Entry dialog box to edit components of the meta engine.

Obsoletes Dialog Box

Use the Obsoletes dialog box to identify obsolete signatures associated with a particular signature.

Add an Entry Dialog Box

Use the Add an Entry dialog box to add obsolete signatures associated with a particular signature.

Settings Page

Use the Settings page to define application policy (enable HTTP, maximum number of HTTP Requests, AIC web ports, and enable FTP), fragment reassembly policy, stream reassembly policy, and IP logging policy. These settings result in policies that can be shared but not inherited. When a new IPS device is added, it has a local policy that contains the default settings for all signatures.

Navigation Path

• (Device view) Select IPS > Signatures > Settings from the Policy selector.

• (Policy view) Select IPS > Signatures > Signature Settings from the Policy Type selector. Right-click Signature Settings to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

• Signature Policies, page M-1

• Accessing the Cisco NSDB, page M-9

Field Reference

Table M-39 Settings Page

Element Description

Enable HTTP Enables protection for web services. Select Yes to require the sensor to inspect HTTP traffic for compliance with the RFC.

Max HTTP Requests Specifies the maximum number of outstanding HTTP requests per connection.

AIC Web Ports Specifies the variable for ports to look for AIC traffic.

Enable FTP Enables protection for FTP services. Select Yes to require the sensor to inspect FTP traffic.

IP Reassembly Mode Identifies the method the sensor uses to reassemble the fragments, based on the operating system.


TCP Handshake Required Specifies that the sensor should only track sessions for which the three-way handshake is completed.

TCP Reassembly Mode Specifies the mode the sensor should use to reassemble TCP sessions with the following options:

• Asymmetric—May only be seeing one direction of bidirectional traffic flow.

Note Asymmetric mode lets the sensor synchronize state with the flow and maintain inspection for those engines that do not require both directions. Asymmetric mode lowers security because full protection requires both sides of traffic to be seen.

• Loose—Use in environments where packets might be dropped.

• Strict—If a packet is missed for any reason, all packets after the missed packet are not processed.

Max IP Log Packets Identifies the number of packets you want logged.

IP Log Time Identifies the duration you want the sensor to log. A valid value is 1 to 60 seconds. The default is 30 seconds.

Max IP Log Bytes Identifies the maximum number of bytes you want logged.

Anomaly Detection Page

Use the Anomaly Detection page to configure anomaly detection. The anomaly detection policy can be shared but not inherited.

The following tabs are available on the Anomaly Detection page:

• Anomaly Detection Page > Operation Settings Tab, page M-50

• Anomaly Detection Page > Learning Accept Mode Tab, page M-50

• Anomaly Detection Page > Internal Zone, External Zone, and Illegal Zone Tabs, page M-52

Navigation Path

• (Device view) Select IPS > Anomaly Detection from the Policy selector.

Related Topics

• Configuring Anomaly Detection, page 12-13

• Explaining Anomaly Detection, page 12-13

• Worm Viruses, page 12-13

• Learning Mode, page 12-14

• Anomaly Detection Zones, page 12-15


Anomaly Detection Page > Operation Settings Tab

Use the Operation Settings tab of the Anomaly Detection page to configure the worm timeout and the IP addresses that will be ignored during anomaly detection processing.

Navigation Path

(Device view) Select IPS > Anomaly Detection from the Policy selector. Click Operation Settings.

Related Topics

• Configuring Anomaly Detection, page 12-13

• Explaining Anomaly Detection, page 12-13

• Worm Viruses, page 12-13

• Learning Mode, page 12-14

• Anomaly Detection Zones, page 12-15

• Anomaly Detection Page > Learning Accept Mode Tab, page M-50

• Anomaly Detection Page > Internal Zone, External Zone, and Illegal Zone Tabs, page M-52

Field Reference

Table M-40 Operation Settings Tab

Element Description

Worm Timeout The number of seconds you want to wait for a worm termination to time out. The range is 120 to 10,000,000 seconds. The default is 600 seconds.

Enabled Ignored Addresses When selected, enables the lists of ignored source IP addresses and destination IP addresses. You must select the Enabled check box or none of the lists of ignored IP addresses you enter will be enabled.

Source Addresses to Ignore The source IP address(es), or range(s) of source IP addresses, that you want the anomaly detection module to ignore. The valid form is 10.10.5.5,10.10.2.1-10.10.2.30.

Destination Addresses to Ignore The destination IP address(es), or range(s) of destination IP addresses, that you want the anomaly detection module to ignore. The valid form is 10.10.5.5,10.10.2.1-10.10.2.30.

Anomaly Detection Page > Learning Accept Mode Tab

Use the Learning Accept Mode tab of the Anomaly Detection page to specify if and when the learning knowledge base in the anomaly detection module will be saved or loaded.

Navigation Path

(Device view) Select IPS > Anomaly Detection from the Policy selector. Click Learning Accept Mode.

Related Topics

• Configuring Anomaly Detection, page 12-13

• Explaining Anomaly Detection, page 12-13


• Worm Viruses, page 12-13

• Learning Mode, page 12-14

• Anomaly Detection Zones, page 12-15

• Anomaly Detection Page > Operation Settings Tab, page M-50

• Anomaly Detection Page > Internal Zone, External Zone, and Illegal Zone Tabs, page M-52

Field Reference

Table M-41 Learning Accept Mode Tab

Element Description

Automatically accept learning knowledge base

When selected, the anomaly detection module updates the knowledge base. When deselected, the anomaly detection module does not create a knowledge base. When you choose to automatically accept the learning knowledge base, you can specify the action, such as to only save the learned thresholds or to rotate (save and load) the learned thresholds automatically. You can also specify the time schedules upon which snapshots of the learning knowledge base will be taken and loaded. If you choose “Periodic Schedule,” you need to specify the start time, which is the time to start the first learning knowledge base snapshot, and also the learning interval, which is the number of hours to wait between automatically performing learning knowledge base snapshots.

Action Specifies whether to rotate or save the knowledge base:

• Save Only—Creates a new knowledge base. You can examine it and decide whether to load it into the anomaly detection module.

• Rotate—Creates a new knowledge base and loads it according to the schedule you choose.

Schedule Allows you to choose Calendar Schedule or Periodic Schedule:

• Periodic Schedule—Allows you to configure the first learning snapshot time of day and the interval of the subsequent snapshots.

• Calendar Schedule—Allows you to configure the days and times of the day for the knowledge base to be created.

The default schedule is the periodic schedule in 24-hour format.

Times of Day Appears when you select Calendar from the Schedule list. Allows you to configure the days and times of the day for the knowledge base to be created. The valid format is hh:mm:ss.

Days of the Week Appears when you select Periodic from the Schedule list. Allows you to configure the days of the week you want to configure.

Start Time Appears when you select Calendar from the Schedule list. Specifies the time that you want the new knowledge base to start. The valid format is hh:mm:ss.

Learning Interval in hours Appears when you select Periodic from the Schedule list. Specifies the time, in hours, that you want the anomaly detection module to learn from the network before creating a new knowledge base.


Times Of Day Dialog Box

Use the Times Of Day dialog box when using the Calendar Schedule selection, not the Periodic Schedule selection, on the Learning Accept Mode tab of the Anomaly Detection page. The Times Of Day dialog box appears as either Add Times Of Day or Modify Times Of Day.

In the Add appearance of the Times Of Day dialog box, add the clock hour times of day that you want anomaly detection to accept the learning knowledge base.

In the Modify appearance of the Times Of Day dialog box, modify the clock hour times of day that you want anomaly detection to accept the learning knowledge base.

Days Of Week Dialog Box

Use the Days of Week dialog box when using the Calendar Schedule selection, not the Periodic Schedule selection, on the Learning Accept Mode tab of the Anomaly Detection page. The Days Of Week dialog box appears as either Add Days Of Week or Modify Days Of Week.

In the Add appearance of the Days Of Week dialog box, add the days of the week that you want anomaly detection to accept the learning knowledge base.

In the Modify appearance of the Days Of Week dialog box, modify the days of the week that you want anomaly detection to accept the learning knowledge base.

Anomaly Detection Page > Internal Zone, External Zone, and Illegal Zone Tabs

The Anomaly Detection module divides the network into three zones, each represented by its own tab. Each zone has its own designated set of IP addresses:

• Internal Zone Tab. The internal zone represents your internal network: the address ranges you own, which should receive all the traffic destined for them.

• External Zone Tab. The external zone is the default zone, with the default Internet range of 0.0.0.0-255.255.255.255. By default, the internal and illegal zones contain no IP addresses, and packets whose addresses do not match the address set of the internal or illegal zone are handled by the external zone.

• Illegal Zone Tab. The illegal zone represents IP address ranges that should never be seen in normal traffic, for example, unallocated IP addresses or an unoccupied part of your internal IP address range.

The following tabs are available on each of the zone tabs:

• General Sub-Tab, page M-53

• TCP Protocol Sub-Tab, page M-53

• UDP Protocol Sub-Tab, page M-56

• Other Protocols Sub-Tab, page M-56

Navigation Path

(Device view) Select IPS > Anomaly Detection from the Policy selector. Click the Internal Zone, External Zone, or Illegal Zone tab.


Related Topics

• Configuring Anomaly Detection, page 12-13

• Explaining Anomaly Detection, page 12-13

• Worm Viruses, page 12-13

• Learning Mode, page 12-14

• Anomaly Detection Zones, page 12-15

• Anomaly Detection Page > Operation Settings Tab, page M-50

• Anomaly Detection Page > Learning Accept Mode Tab, page M-50

General Sub-Tab

Use the General sub-tab to enable the selected zone. On the Internal and External Zone tabs, you can also identify the service subnets of the zone.

Field Reference

Table M-42 General Sub-Tab

Enable this zone check box: If checked, enables the selected zone.

Service Subnets: (Visible on the Internal and External Zone tabs only.) Lets you enter the subnets that belong to the selected zone as a comma-separated list of addresses and address ranges. The valid format is 10.10.5.5,10.10.2.1-10.10.2.30.

TCP Protocol Sub-Tab

Use the TCP Protocol sub-tab to enter TCP destination port maps and to configure threshold histogram properties.

Related Topics

• Dest Port Map Dialog Box, page M-54

• Histogram Dialog Box, page M-54

Field Reference

Table M-43 TCP Protocol Sub-Tab

Enabled check box: If checked, enables anomaly detection for TCP traffic in the selected zone.

Destination Port Map: Lists the TCP destination ports (services) configured for the zone. Use the Add and Edit buttons to open the Dest Port Map dialog box, in which you enable each port and, optionally, override the zone's scanner settings with a threshold and histograms of your own.

Scanner Threshold: Lets you set the scanner threshold that applies to TCP services in the zone that do not override it. The valid range is 5 to 1000. The default is 200.

Threshold Histogram: Displays the histograms that you added for the zone's TCP traffic.

• Number of Destination IP Addresses: Displays the number of destination IP addresses that you added.

• Number of Source IP Addresses: Displays the number of source IP addresses that you added.

Dest Port Map Dialog Box

Use the Dest Port Map dialog box to add or modify destination ports for the selected protocol. The Dest Port Map dialog box appears as either Add Dest Port Map or Modify Dest Port Map.

Field Reference

Table M-44 Destination Port Dialog Box

Destination Port Number: Lets you enter the destination port number. The valid range is 0 to 65535.

Enabled check box: If checked, enables the service.

Override Scanner Settings check box: If checked, overrides the default scanner settings for this service and lets you add, edit, delete, and select all histograms.

Scanner Threshold: Lets you set the scanner threshold for this service. The valid range is 5 to 1000. The default is 200.

Threshold Histogram: Displays the histograms that you added for this service.

• Number of Destination IP Addresses: Displays the number of destination IP addresses that you added.

• Number of Source IP Addresses: Displays the number of source IP addresses that you added.

Histogram Dialog Box

Use the Histogram dialog box to define a threshold histogram of your own for a service, instead of using the default histograms, or to modify a histogram that you previously defined for the selected protocol.

The knowledge base has a tree structure and contains the following information:

• Knowledge base name

• Zone name

• Protocol

• Service

The knowledge base holds a scanner threshold and a histogram for each service. If learning accept mode is set to auto and the action is set to rotate, a new knowledge base is created every 24 hours and used for the following 24 hours. If learning accept mode is set to auto and the action is set to save only, a new knowledge base is created, but the current knowledge base stays in use. If learning accept mode is not set to auto, no knowledge base is created. For more information, see Anomaly Detection Page > Learning Accept Mode Tab, page M-50.

Note Anomaly detection learning mode uses the sensor local time.

The scanner threshold defines the maximum number of zone IP addresses that a single source IP address may scan. The histogram threshold defines the maximum number of source IP addresses that may each scan more than a specified number of zone IP addresses.

Anomaly detection identifies a worm attack when traffic deviates from the histogram it learned while no attack was in progress, that is, when more source IP addresses than the learned maximum concurrently scan more than a given number of zone destination IP addresses. For example, suppose the scanner threshold is 300 and the histogram for port 445 is the one in Table M-45 on page M-55. If anomaly detection identifies a single source that scans 350 zone destination IP addresses, it produces an action indicating that a mass scanner was detected. By itself, that does not establish that a worm attack is in progress.

When anomaly detection then identifies six concurrent source IP addresses that each scan more than 50 zone destination IP addresses on port 445, it produces an action with an unspecified source IP address, indicating that it has identified a worm attack on port 445. The dynamic filter threshold, 50, becomes the new internal scanning threshold: anomaly detection lowers its definition of a scanner so that it produces an additional dynamic filter for each source IP address that scans more than the new threshold (50).

You can override what the knowledge base learned per anomaly detection policy and per zone. If you understand your network traffic, you may want to use overrides to limit false positives.
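The following is an added example, not Cisco Security Manager or sensor code, that applies the two rules above (the scanner threshold and the histogram) to constructed flow records for one zone and port, using the example histogram from Table M-45 on page M-55, and that classifies destinations into the internal, illegal, and external zones described earlier on this page. Three choices are assumptions of the example rather than statements from the page: the zones are written as CIDR networks instead of the product's range-set syntax, the illegal zone is checked before the internal zone so that an unoccupied slice of the internal range can be marked illegal, and when several histogram buckets are exceeded the lowest one becomes the new scanning threshold.

```python
"""Scanner-threshold and histogram checks for one anomaly-detection zone.

Added example, not Cisco Security Manager or sensor code. The zone
definitions, flow records and learned histogram are constructed; the
histogram buckets (5, 20, 100 destinations) and source counts (10, 5, 2)
are the ones in the page's example histogram (Table M-45).
"""
import ipaddress
from collections import defaultdict

# Zone membership, checked in order. Assumption: zones are written as CIDR
# networks here instead of the product's "a.b.c.d,a.b.c.e-a.b.c.f" syntax,
# and the illegal zone is checked first so that an unoccupied slice of the
# internal range can be declared illegal. Anything else is external.
ZONES = [
    ("illegal", [ipaddress.ip_network("10.10.250.0/24")]),
    ("internal", [ipaddress.ip_network("10.10.0.0/16")]),
]


def zone_of(ip):
    """Return 'illegal', 'internal' or 'external' for a destination address."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES:
        if any(addr in net for net in nets):
            return name
    return "external"


# Learned knowledge-base entry for one service (TCP/445, internal zone).
# bucket -> maximum number of sources that may each scan MORE THAN `bucket`
# zone destinations before the histogram is considered exceeded.
HISTOGRAM_TCP_445 = {5: 10, 20: 5, 100: 2}
SCANNER_THRESHOLD = 300   # the page's example; the product default is 200 (range 5 to 1000)


def count_destinations(flows, zone, port):
    """Number of distinct `zone` destinations each source contacted on `port`."""
    dests = defaultdict(set)
    for src, dst, dport in flows:
        if dport == port and zone_of(dst) == zone:
            dests[src].add(dst)
    return {src: len(d) for src, d in dests.items()}


def evaluate(flows, zone, port, histogram, scanner_threshold=SCANNER_THRESHOLD):
    """Apply the scanner-threshold rule and the histogram rule to one zone/port.

    Returns (mass_scanners, worm_bucket, dynamic_filters):
      mass_scanners    sources that scanned more zone destinations than the
                       scanner threshold (a scanner alert, not yet a worm)
      worm_bucket      the histogram bucket whose source count was exceeded,
                       or None if the traffic fits the learned histogram
      dynamic_filters  once a worm is declared, every source that scanned more
                       destinations than the lowered (bucket) threshold
    Assumption: if several buckets are exceeded, the lowest one becomes the
    new scanning threshold, which catches the most sources.
    """
    counts = count_destinations(flows, zone, port)
    mass_scanners = sorted(src for src, n in counts.items() if n > scanner_threshold)
    exceeded = sorted(
        bucket for bucket, max_sources in histogram.items()
        if sum(1 for n in counts.values() if n > bucket) > max_sources
    )
    worm_bucket = exceeded[0] if exceeded else None
    dynamic_filters = []
    if worm_bucket is not None:
        dynamic_filters = sorted(src for src, n in counts.items() if n > worm_bucket)
    return mass_scanners, worm_bucket, dynamic_filters


def build_sample_flows():
    """Constructed (source, destination, destination port) records, not captured traffic."""
    first = int(ipaddress.ip_address("10.10.1.0"))
    hosts = [str(ipaddress.ip_address(first + i)) for i in range(1, 351)]
    flows = [("198.51.100.9", h, 445) for h in hosts]                # one mass scanner: 350 hosts
    for i in range(1, 7):                                             # six worm-like sources: 60 hosts each
        flows += [(f"203.0.113.{i}", h, 445) for h in hosts[:60]]
    flows += [("203.0.113.50", h, 445) for h in hosts[:3]]            # an ordinary client: 3 hosts
    flows.append(("203.0.113.50", "10.10.250.7", 445))                # one packet into the illegal zone
    flows += [("203.0.113.50", h, 80) for h in hosts[:2]]             # a different service
    return flows


SAMPLE_FLOWS = build_sample_flows()

if __name__ == "__main__":
    for zone in ("internal", "illegal", "external"):
        print(zone, evaluate(SAMPLE_FLOWS, zone, 445, HISTOGRAM_TCP_445))
```

On the constructed traffic the single source touching 350 internal hosts trips the scanner threshold on its own, while the six sources touching 60 hosts each are individually below it; only the histogram rule (more than 5 sources each scanning more than 20 destinations) declares the worm, after which the lowered threshold of 20 also sweeps up the mass scanner as a dynamic filter.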

Related Topics

• Learning Mode, page 12-14

• TCP Protocol Sub-Tab, page M-53

• UDP Protocol Sub-Tab, page M-56

• Other Protocols Sub-Tab, page M-56

• Dest Port Map Dialog Box, page M-54

• Protocol Map Dialog Box, page M-57

Field Reference

Table M-45 Example Histogram

Number of source IP addresses       10    5    2
Number of destination IP addresses   5   20  100

Each column pairs a destination count with the maximum number of source IP addresses that may each scan more than that many zone destinations: up to 10 sources may scan more than 5 destinations, up to 5 may scan more than 20, and up to 2 may scan more than 100.

Table M-46 Histogram Dialog Box

Number of Destination IP Addresses: Lets you select a high, medium, or low number of destination IP addresses. Low is 5 destination IP addresses, medium is 20, and high is 100.

Number of Source IP Addresses: Lets you enter the number of source IP addresses. The valid range is 0 to 4096.

UDP Protocol Sub-Tab

Use the UDP Protocol sub-tab of a zone tab to enter UDP destination port maps and to configure threshold histogram properties.

Related Topics

• Dest Port Map Dialog Box, page M-54

• Histogram Dialog Box, page M-54

Field Reference

Table M-47 UDP Protocol Sub-Tab

Enabled check box: If checked, enables anomaly detection for UDP traffic in the selected zone.

Destination Port Map: Lists the UDP destination ports (services) configured for the zone. Use the Add and Edit buttons to open the Dest Port Map dialog box, in which you enable each port and, optionally, override the zone's scanner settings with a threshold and histograms of your own.

Scanner Threshold: Lets you set the scanner threshold that applies to UDP services in the zone that do not override it. The valid range is 5 to 1000. The default is 200.

Threshold Histogram: Displays the histograms that you added for the zone's UDP traffic.

• Number of Destination IP Addresses: Displays the number of destination IP addresses that you added.

• Number of Source IP Addresses: Displays the number of source IP addresses that you added.

Other Protocols Sub-Tab

Use the Other Protocols sub-tab of a zone tab to enter protocol number maps for protocols other than TCP and UDP and to configure threshold histogram properties.

Related Topics

• Protocol Map Dialog Box, page M-57

• Histogram Dialog Box, page M-54

Field Reference

Table M-48 Other Protocol Sub-Tab

Enabled check box: If checked, enables anomaly detection for protocols other than TCP and UDP in the selected zone.

Protocol Number Map: Lists the IP protocol numbers configured for the zone. Use the Add and Edit buttons to open the Protocol Map dialog box, in which you enable each protocol and, optionally, override the zone's scanner settings with a threshold and histograms of your own.

Scanner Threshold: Lets you set the scanner threshold that applies to other protocols in the zone that do not override it. The valid range is 5 to 1000. The default is 200.

Threshold Histogram: Displays the histograms that you added for the zone's traffic in other protocols.

• Number of Destination IP Addresses: Displays the number of destination IP addresses that you added.

• Number of Source IP Addresses: Displays the number of source IP addresses that you added.

Protocol Map Dialog Box

Use the Protocol Map dialog box to specify protocols other than TCP and UDP. You can either use the default thresholds or override the scanner settings and add your own thresholds and histograms. The Protocol Map dialog box appears as either Add Protocol Map or Modify Protocol Map.

Related Topics

• Other Protocols Sub-Tab, page M-56

• Histogram Dialog Box, page M-54

Field Reference

Table M-49 Protocol Map Dialog Box

Protocol Number: Lets you enter the IP protocol number. The valid range is 0 to 255.

Enabled check box: If checked, enables the service.

Override Scanner Settings check box: If checked, overrides the default scanner settings for this protocol and lets you add, edit, delete, and select all histograms.

Scanner Threshold: Lets you set the scanner threshold for this protocol. The valid range is 5 to 1000. The default is 200.

Threshold Histogram: Displays the histograms that you added for this protocol.

• Number of Destination IP Addresses: Displays the number of destination IP addresses that you added.

• Number of Source IP Addresses: Displays the number of source IP addresses that you added.


Global Correlation Policies

The pages that you access from the Global Correlation folder in Device View enable you to configure Inspection/Reputation and Network Participation.

Global Correlation policies are not available on sensors running a version of Cisco IPS software earlier than 7.0.

Note AIP-SSC-5 supports only IPS 6.2; therefore, it does not support Global Correlation policies.

These topics describe the main pages available from the Global Correlation folder:

• Inspection/Reputation Page, page M-58

• Network Participation Page, page M-59

Inspection/Reputation Page

Use the Inspection/Reputation page to configure Global Correlation inspection and reputation.

Navigation Path

• (Device view) Select IPS > Global Correlation > Inspection/Reputation from the Policy selector.

• (Policy view) Select IPS > Global Correlation > Inspection/Reputation from the Policy Type selector.

Related Topics

• Network Participation Page, page M-59

Field Reference

Table M-50 Global Correlation Table

Global Correlation Inspection: If checked, enables Global Correlation inspection and reputation. Global Correlation inspection and reputation is turned off by default. You must accept the disclaimer to participate in Global Correlation inspection and reputation.

Global Correlation Influence: Identifies how aggressively the sensor uses Global Correlation reputation information to initiate deny actions:

• Permissive: Has the least aggressive effect on deny actions.

• Standard: Has a moderately aggressive effect on deny actions.

• Aggressive: Has a very aggressive effect on deny actions.

Reputation Filtering: If selected, the sensor denies access to known malicious hosts based on their reputation and maintains a list of the attackers it is denying.

Test Global Correlation: If checked, reputation filtering does not actually deny access to known malicious hosts; the sensor only generates a report of what would have happened.


Network Participation Page

Use the Network Participation page to set one of three modes for Network Participation.

Navigation Path

• (Device view) Select IPS > Global Correlation > Network Participation from the Policy selector.

• (Policy view) Select IPS > Global Correlation > Network Participation from the Policy Type selector.

Related Topics

• Inspection/Reputation Page, page M-58

Field Reference

Table M-51 Network Participation Table

Network Participation: Identifies how you want to configure Network Participation:

• Off: No data is contributed to the SensorBase network.

• Partial: Data is contributed to the SensorBase network, but potentially sensitive information is withheld.

Note Configuring the sensor for partial network participation limits what a third party could learn about your internal network by extracting reconnaissance information from the Global Correlation database.

• Full: All data is contributed to the SensorBase network.

Event Action Policies

The pages that you access from the Event Actions folder in the Policy selector in Device View enable you to configure event actions and related settings.

These topics describe the main pages available from the Event Actions folder:

• Event Action Filters Page, page M-59

• Event Action Overrides Page, page M-63

• Network Information Page, page M-65

• Event Actions > Settings Page, page M-68

Event Action Filters Page

Use the Event Action Filters page to remove specific actions from an event or to discard an entire event and prevent further processing by the sensor.

Navigation Path

(Device view) Select IPS > Event Actions > Event Action Filters from the Policy selector.


Related Topics

• Event Action Policies, page M-59

• Filter Item Dialog Box, page M-60
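The following is an added example, not Security Manager or sensor code, of how the event action overrides and event action filters described in this section combine on one alert. Overrides add an action when the event's risk rating falls within their range; filters are then walked in table order, each matching filter subtracts its actions, and a filter with Stop on Match ends the walk. The match-field defaults (signatures 900-65535, subsignatures 0-255, all addresses and ports, RR 0-100, any OS relevance) and the Active and Enabled semantics are the ones documented for the Filter Item dialog box (Table M-53). The events, the policy, the action names, and signature ID 60001 are placeholders constructed for illustration, and the assumption that overrides run before filters is this example's, not a statement from the page.

```python
"""Event action overrides and filters applied to one alert.
Added example, not Cisco code: events, policy and action names are constructed;
the filter defaults are those the Filter Item dialog box documents. Assumption:
overrides (adding actions by risk rating) run before filters (subtracting them).
"""
import ipaddress
from dataclasses import dataclass

ALL_ADDRESSES = "0.0.0.0-255.255.255.255"
ANY_OS_RELEVANCE = frozenset({"relevant", "not-relevant", "unknown"})

def in_range(value, spec, conv=int):
    """True if value lies within 'lo-hi', or equals 'lo' when no '-' is given."""
    lo, _, hi = spec.partition("-")
    return conv(lo) <= value <= conv(hi or lo)

@dataclass
class Event:
    sig_id: int
    subsig_id: int
    attacker: str
    attacker_port: int
    victim: str
    victim_port: int
    risk_rating: int
    os_relevance: str    # "relevant", "not-relevant" or "unknown"
    actions: set         # actions the signature itself produced

@dataclass
class Filter:
    name: str
    actions_to_subtract: frozenset
    sig_ids: str = "900-65535"
    subsig_ids: str = "0-255"
    attacker: str = ALL_ADDRESSES
    attacker_ports: str = "0-65535"
    victim: str = ALL_ADDRESSES
    victim_ports: str = "0-65535"
    risk_rating: str = "0-100"
    os_relevance: frozenset = ANY_OS_RELEVANCE
    stop_on_match: bool = False
    enabled: bool = True
    active: bool = False  # dialog default: a new filter is not yet in the list

def apply_overrides(event, overrides):
    """overrides: (action, rr_min, rr_max) rows; each adds its action when the RR is in range."""
    for action, rr_min, rr_max in overrides:
        if rr_min <= event.risk_rating <= rr_max:
            event.actions.add(action)
    return event

def matches(f, e):
    """Every filter field must match; each field defaults to 'anything'."""
    ip = ipaddress.IPv4Address
    return (in_range(e.sig_id, f.sig_ids) and in_range(e.subsig_id, f.subsig_ids)
            and in_range(ip(e.attacker), f.attacker, ip) and in_range(e.attacker_port, f.attacker_ports)
            and in_range(ip(e.victim), f.victim, ip) and in_range(e.victim_port, f.victim_ports)
            and in_range(e.risk_rating, f.risk_rating) and e.os_relevance in f.os_relevance)

def apply_filters(event, filters):
    """Walk the table in order; the first match with Stop on Match ends the walk.
    Returns (remaining actions, names of filters that matched). An inactive filter is
    not in the list and an active but disabled one has no effect, so both are skipped.
    """
    matched = []
    for f in filters:
        if f.active and f.enabled and matches(f, event):
            matched.append(f.name)
            event.actions -= f.actions_to_subtract
            if f.stop_on_match:
                break
    return event.actions, matched

def process(event, overrides, filters):
    return apply_filters(apply_overrides(event, overrides), filters)

# Constructed policy: two RR-based overrides and an ordered filter table.
OVERRIDES = [("deny-packet-inline", 90, 100), ("deny-attacker-inline", 95, 100)]
FILTERS = [
    # Authorised vulnerability scanner: never block it; Stop keeps later filters out of the way.
    Filter("authorised-scanner", frozenset({"deny-packet-inline", "deny-attacker-inline"}),
           attacker="198.51.100.0-198.51.100.255", stop_on_match=True, active=True),
    # Victim OS not affected: keep the alert, but do not drop the packet.
    Filter("os-not-relevant", frozenset({"deny-packet-inline"}),
           os_relevance=frozenset({"not-relevant"}), active=True),
    # Low-risk noise: discard the event entirely.
    Filter("drop-low-risk", frozenset({"produce-alert", "deny-packet-inline"}),
           risk_rating="0-40", active=True),
    Filter("staged", frozenset({"produce-alert"})),  # not active: never consulted
]

def make_event(attacker, rr, os_relevance="not-relevant"):
    """Constructed alert; 60001 is an illustrative signature ID, not a real one."""
    return Event(60001, 0, attacker, 40000, "10.10.5.5", 445, rr, os_relevance, {"produce-alert"})

if __name__ == "__main__":
    print(process(make_event("198.51.100.9", 92), OVERRIDES, FILTERS))
    print(process(make_event("203.0.113.7", 96), OVERRIDES, FILTERS))
```

Swapping the first two filters shows why order matters: the OS filter then matches first and the scanner exception second, and because only the scanner exception carries Stop, both are recorded as matches.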

Field Reference

Table M-52 Event Action Filters Page

Name: Identifies the filter by unique name.

IDs: Identifies the signature ID (or range of IDs) that the filter matches.

Subs: Identifies the subsignature ID (or range of IDs) that the filter matches.

Attackers: Identifies the IP address (or range) of the attacking host that triggers the filter.

Attack Ports: Identifies the port (or range) used by the attacking host that triggers the filter.

Victims: Identifies the IP address (or range) of the victim host that triggers the filter.

Victim Ports: Identifies the port (or range) targeted by the attacking host that triggers the filter.

Actions: Indicates the actions removed from the event when the filter is triggered.

RR: Indicates the risk rating range that triggers this event action filter. For detailed information on risk rating, see Calculating the Risk Rating in Installing and Using Cisco Intrusion Prevention System Device Manager 6.0.

Stop: Identifies whether or not an event that matches this filter is processed against the remaining filters in the event action filters list.

Active: Identifies whether the filter is in the filter list.

Export to File button: Click this button to export the event action filters summary for the current device to a comma-separated values (CSV) file. You are prompted to select the folder on the Security Manager server and to specify a file name.

Up Row button: Moves the selected row up in the table. Filters are evaluated in table order on a first-match basis: if the conditions of an event match those defined for a filter, and that filter has the Stop field set to Yes, the filter is applied and no further filters are considered. Order the more restrictive filters before the general ones.

Down Row button: Moves the selected row down in the table.

Add button: Opens the Add Filter Item dialog box.

Edit button: Opens the Edit Filter Item dialog box.

Delete button: Removes the selected row from the event action filters table.

Filter Item Dialog Box

Use the Filter Item dialog box to add items to a filter, remove items from a filter, and otherwise define the filter. Also use the Filter Item dialog box to edit items in an existing filter.


The Filter Item dialog box appears as either Add Filter Item or Edit Filter Item. In the Add appearance, define a new filter by adding items to it, removing items from it, and setting its properties. In the Edit appearance, edit the items of an existing filter.

Navigation Path

(Device view) Select IPS > Event Actions > Event Action Filters from the Policy selector. Click the Add button or the Edit button to open the Filter Item dialog box.

Related Topics

• Event Action Policies, page M-59

• Event Action Filters Page, page M-59

Field Reference

Table M-53 Filter Item Dialog Box

Enabled: When selected, indicates that the filter is enabled. The default value is checked (enabled). If a filter is active but not enabled, it is still included in the ordering list and is processed, but it has no effect.

Active: When selected, indicates that the filter has been placed in the filter list and takes effect when events are filtered. The default value is unchecked (not active). If a filter is not active, it is not included in the ordering of the filters at all and is never processed.

Name: Lets you name the filter you are adding. Filters need names so that you can move them around in the list and move them to the inactive list if needed. The following characters are valid in filter names: a-z, A-Z, 0-9, - (hyphen), . (dot or period), : (colon), and _ (underscore).

Signature IDs: Identifies the unique numerical value assigned to the signature. This value lets the sensor identify a particular signature. You can also enter a range of signatures. The default value is the range 900-65535.

SubSignature ID: Identifies the unique numerical value assigned to the subsignature. The subSig ID identifies a more granular version of a broad signature. You can also enter a range of subSig IDs. The default value is the range 0-255.

Attacker Address: Identifies the IP address of the host that sent the offending packet. You can also enter a range of addresses. The default value is the range of all addresses (0.0.0.0-255.255.255.255).


Attacker Port: Identifies the port used by the attacking host. This is the port from which the offending packet originated. You can also enter a range of ports. The default value is the range of all ports (0-65535).

Victim Address: Identifies the IP address of the host that received the offending packet. You can also enter a range of addresses. The default value is the range of all addresses (0.0.0.0-255.255.255.255).

Victim Port: Identifies the port targeted by the attacking host. This is the port to which the offending packet was sent. You can also enter a range of ports. Valid values are 0-65535; the default value is the range of all ports (0-65535).

Risk Rating Min. and Max.: Indicates the risk rating (RR) range, between 0 and 100, that triggers this event action filter. The default value is the complete range (0-100). If an event occurs with an RR that falls within the minimum-maximum range you configure here, the event is processed against the rules of this event filter.

OS Relevance: Indicates whether the alert is relevant to the OS that has been identified for the victim. Possible values include one or more of the following: Not Relevant, Relevant, Unknown. Hold CTRL or SHIFT while clicking the items to select multiple values.

Note OS Relevance applies only to IPS 6.x devices. For IOS IPS devices this field is read-only and cannot be edited, and for IPS 5.x devices it is blank.

Comments: Displays the user comments associated with this filter.


Actions to Subtract: Indicates the actions that are removed from the event when the event meets the criteria of the event action filter. You can select one or more actions in this list box; all selected actions are removed from the event. Hold CTRL or SHIFT while clicking the items to select multiple values. For more information about the possible actions, see Edit Actions Dialog Box, page M-8.

For IOS IPS devices, the possible values are restricted to:

• Deny Attacker Inline: Blocks the attacker's source IP address completely. No connection can be established from the attacker to the router until the shun time expires (this time is set by the user).

• Deny Connection Inline: Blocks the offending TCP flow from the attacker. Other connections from the attacker to the router can still be established.

• Deny Packet Inline: Discards the packet without sending a reset. Cisco recommends using "drop and reset" in conjunction with an alarm.

• Produce Alert: Sends a notification about the attack through syslog or SDEE.

• Reset TCP Connection: Effective for TCP-based connections; sends a reset to both the source and destination addresses. For example, in the case of a half-open SYN attack, Cisco IOS IPS can reset the TCP connections.

% to Deny: Indicates the percentage of packets to deny for deny attacker features. Valid values range between 1 and 100%.

Note For IOS IPS devices, this field is read only and cannot be edited.

Stop on Match check box: Determines whether or not an event that matches this filter is processed against the remaining filters in the event action filters list. If unchecked (No), the remaining filters are processed for a match until a filter with the Stop flag set is encountered. If checked (Yes), no further filters are processed: the actions specified by this filter are removed and the remaining actions are performed.

Event Action Overrides Page

Use the Event Action Overrides page to view a summary of the event action overrides, which act globally (rather than per signature) to override, or change, the actions associated with an event based on the risk rating of that event.

Navigation Path

(Device view) Select IPS > Event Actions > Event Action Overrides from the Policy selector.


Related Topics

• Event Action Override Dialog Box, page M-64

• Edit Actions Dialog Box, page M-8

Field Reference

Table M-54 Event Action Overrides Page

Action: Specifies the event action that is added to an event if the conditions of this event action override are satisfied.

Range: Indicates the risk rating range, between 0 and 100, defined for this override. If an event occurs with a risk rating that falls within the minimum-maximum range defined, the override's action is added to the list of actions performed when that event is triggered.

Enabled: Indicates whether or not the override is enabled.

Export to File button: Click this button to export the event action overrides summary for the current device to a comma-separated values (CSV) file. You are prompted to select the folder on the Security Manager server and to specify a file name.

Add button: Opens the Add Event Action Override dialog box.

Edit button: Opens the Edit Event Action Override dialog box.

Delete button: Removes the selected event action override row from the table.

Event Action Override Dialog Box

Use the Event Action Override dialog box to add or edit an event action override, which acts globally (rather than per signature) to change the actions associated with an event based on the risk rating of that event.

The Event Action Override dialog box appears as either Add Event Action Override or Edit Event Action Override. In the Add appearance, add an event action override. In the Edit appearance, edit an existing event action override.

Navigation Path

(Device view) Select IPS > Event Actions > Event Action Overrides from the Policy selector. Click the Add button or the Edit button to open the Event Action Override dialog box.

Related Topics

• Event Action Policies, page M-59

• Event Action Overrides Page, page M-63

• Edit Actions Dialog Box, page M-8


Field Reference

Table M-55 Event Action Override Dialog Box

Event Action: Specifies the event action that is added to an event if the conditions of this event action override are satisfied.

Enabled: Indicates whether or not the override is enabled.

Risk Rating: Indicates the risk rating range, between 0 and 100, that triggers this event action override. If an event occurs with a risk rating that falls within the minimum-maximum range you configure here, the event action is added to that event.

Network Information Page

Use the Network Information page to enable or disable passive operating system fingerprinting (POSFP), to limit Attack Relevance Rating (ARR) computation to specific IP addresses, and to define fixed OS mappings.

Target Value Ratings Tab

Use the Target Value Ratings tab to view a summary of Target Value Ratings (TVRs). A TVR is a weight that expresses the perceived value of a target; you assign it to your network assets by IP address. The TVR is one of the factors used to calculate the risk rating (RR) of each alert, and events with a higher RR trigger more severe signature event actions. By assigning different TVRs to different targets, you can develop a security policy that is strict for valuable corporate resources and lenient for less important ones.

Navigation Path

(Device view) Select IPS > Event Actions > Network Information from the Policy selector. Click the Target Value Ratings tab.

Related Topics

• Event Action Policies, page M-59

• Target Value Rating Dialog Box, page M-66

Field Reference

Table M-56 Target Value Tab

Value: Indicates the perceived value selected for this target.

Targets: Identifies the targets associated with the selected value.

Add button: Opens the Add Target Value Rating dialog box.

Edit button: Opens the Edit Target Value Rating dialog box.

Delete button: Removes the selected Target Value Rating from the table.


Target Value Rating Dialog Box

Use the Target Value Rating dialog box to add a TVR to one or more IP addresses. Also, use the Target Value Rating dialog box to edit a TVR that has already been assigned.

The Target Value Rating dialog box appears as either Add Target Value Rating or Edit Target Value Rating. In the Add appearance of the Target Value Rating dialog box, add a TVR. In the Edit appearance of the Target Value Rating dialog box, edit a TVR.

Navigation Path

(Device view) Select IPS > Event Actions > Network Information from the Policy selector. Click the Target Value Ratings tab. Click the Add button or the Edit button to open the Target Value Rating dialog box.

Related Topics

• Event Action Policies, page M-59

• Network Information Page, page M-65

• Target Value Ratings Tab, page M-65

Field Reference

Table M-57 Target Value Rating Dialog Box

Value: Identifies the value assigned to this network asset. The value can be High, Low, Medium, Mission Critical, or No Value.

target-addresses: Identifies the IP address(es) of the network asset(s) you want to prioritize with this TVR.

OS Identification Tab

Use the OS Identification tab to configure OS host mappings, which take precedence over learned OS mappings. On the OS Identification tab you can add, edit, and delete configured OS maps, and you can move them up and down in the list to change the order in which the sensor resolves the OS associated with a particular IP address, and therefore the ARR and RR it computes for that IP address and OS type combination.

Note OS Identification applies to IPS 6.x sensors only, not earlier versions.

Configured OS mappings allow for ranges, so for network 192.168.1.0/24 an administrator might define the following:

IP Address Range Set                       OS
192.168.1.1                                IOS
192.168.1.2-192.168.1.10,192.168.1.25      UNIX
192.168.1.1-192.168.1.255                  Windows

More specific mappings should be at the beginning of the list. Overlap in the IP address range sets is allowed, but the entry closest to the beginning of the list takes precedence.

In the IP address range fields described here, do not use 0.0.0.0-255.255.255.255, because it causes problems with TVR. Use 0.0.0.1-255.255.255.255 instead. For more information, refer to CSCsr19163 in the Bug Toolkit.
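The following is an added example, not Cisco code, that resolves an address against the three mappings above in table order, rejects the 0.0.0.0 range that the caution warns about, and flags rows that an earlier, broader row makes unreachable. The lookups and the shadowing check are constructed for illustration; the page itself documents only the first-match precedence and the 0.0.0.0 caution.

```python
"""Configured OS mapping lookup with first-match precedence.

Added example, not Cisco code. The three mappings are the ones in the table
above; the lookups and the ordering check are constructed for illustration.
"""
import ipaddress

ZERO = ipaddress.IPv4Address("0.0.0.0")


def parse_range_set(text):
    """Parse '192.168.1.2-192.168.1.10,192.168.1.25' into (low, high) address pairs."""
    ranges = []
    for item in text.split(","):
        low, _, high = item.strip().partition("-")
        lo = ipaddress.IPv4Address(low)
        hi = ipaddress.IPv4Address(high) if high else lo
        if lo > hi:
            raise ValueError(f"range {item!r} runs backwards")
        if lo == ZERO:
            # The page's caution: 0.0.0.0-255.255.255.255 breaks TVR; start at 0.0.0.1.
            raise ValueError(f"range {item!r} must start at 0.0.0.1, not 0.0.0.0")
        ranges.append((lo, hi))
    return ranges


def compile_maps(entries):
    """Parse (range set, OS) rows, keeping table order: the row nearest the top wins."""
    return [(parse_range_set(text), os_name) for text, os_name in entries]


def resolve_os(ip, compiled):
    """Return the configured OS for ip, or None to fall back on passive fingerprinting."""
    addr = ipaddress.IPv4Address(ip)
    for ranges, os_name in compiled:
        if any(lo <= addr <= hi for lo, hi in ranges):
            return os_name
    return None


def merge(intervals):
    """Merge overlapping or adjacent (low, high) address intervals."""
    merged = []
    for lo, hi in sorted(intervals):
        if merged and int(lo) <= int(merged[-1][1]) + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def shadowed_rows(compiled):
    """Indexes of rows that can never match because earlier rows cover all their addresses."""
    shadowed, covered = [], []
    for index, (ranges, _) in enumerate(compiled):
        if all(any(c_lo <= lo and hi <= c_hi for c_lo, c_hi in covered) for lo, hi in ranges):
            shadowed.append(index)
        covered = merge(covered + ranges)
    return shadowed


# The page's example for 192.168.1.0/24, most specific first.
OS_MAPS = [
    ("192.168.1.1", "IOS"),
    ("192.168.1.2-192.168.1.10,192.168.1.25", "UNIX"),
    ("192.168.1.1-192.168.1.255", "Windows"),
]

if __name__ == "__main__":
    table = compile_maps(OS_MAPS)
    for ip in ("192.168.1.1", "192.168.1.7", "192.168.1.25", "192.168.1.100", "10.0.0.1"):
        print(ip, resolve_os(ip, table))
    # Putting the broad Windows row first makes the two specific rows unreachable.
    print("shadowed:", shadowed_rows(compile_maps(list(reversed(OS_MAPS)))))
```

With the rows in the order shown on the page, 192.168.1.1 resolves to IOS even though it also falls inside the Windows range; with the Windows row moved to the top, the IOS and UNIX rows are reported as shadowed because no address can reach them.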

Navigation Path

(Device view) Select IPS > Event Actions > Network Information from the Policy selector. Click the OS Identification Tab tab.

Related Topics

• Event Action Policies, page M-59

• Network Information Page, page M-65

• OS Map Dialog Box, page M-67

Field Reference

Table M-58 OS Identification Tab

Element Description

Enable Passive OS Fingerprinting When checked, lets the sensor perform passive OS analysis.

Restricted to these IP Addresses Lets you configure the mapping of OS type to a specific IP address and have the sensor calculate the ARR for that IP address.

IP Addresses Identifies the IP addresses associated with the selected OS type.

OS Type Identifies the operating system(s) associated with the IP addresses.

Up Row button Moves the selected row up in the table.

Down Row button Moves the selected row down in the table.

Add button Opens the Add OS Map dialog box.

Edit button Opens the Edit OS Map dialog box.

Delete button Removes the selected OS Map from the table.

OS Map Dialog Box

Use the OS Map dialog box to map a host, identified by its IP address, to an OS type, or to change an existing mapping.

The OS Map dialog box appears as either Add OS Map or Edit OS Map. In the Add appearance of the OS Map dialog box, add an OS Map. In the Edit appearance of the OS Map dialog box, edit an OS Map.

Navigation Path

(Device view) Select IPS > Event Actions > Network Information from the Policy selector. Click the OS Identification tab. Click the Add button or the Edit button to open the OS Map dialog box.

Related Topics

• Event Action Policies, page M-59

• Network Information Page, page M-65

• OS Identification Tab, page M-66

Field Reference

Table M-59 OS Map Dialog Box

Element Description

IP Addresses Identifies the IP address of the selected device.

OS Type Identifies the operating system type(s) associated with the selected IP addresses. Select one or more of the following values:

• General OS

• IOS

• Mac OS

• Netware

• Other

• UNIX

• AIX

• BSD

• HP-UX

• IRIX

• Linux

• Solaris

• Windows

• Windows NT/2K/XP

• WinNT

• Unknown OS

Hold CTRL or SHIFT while clicking on the items to select multiple values.

Event Actions > Settings Page

Use the Event Actions > Settings page to define Event Actions. An event action is the sensor's response to an event.

Navigation Path

(Device view) Select IPS > Event Actions > Settings from the Policy selector.

Related Topics

• Event Actions > Settings Page, page M-68

Field Reference

Table M-60 Settings Page

Element Description

Enable Event Action Override check box

When selected, enables override rules as defined on the Event Action Overrides page. You can add an event action override to change the actions associated with an event based on specific details about that event.

Enable Event Action Filters check box

When selected, enables the filter rules as defined on the Event Action Filters page. You can configure event action filters to remove specific actions from an event or to discard an entire event and prevent further processing by the sensor.

Enable Event Action Summarizer check box

When selected, enables the Summarizer component. The Summarizer groups events into a single alert, thus decreasing the number of alerts the sensor sends out.

By default, the Summarizer is enabled. If you disable it, all signatures are set to Fire All with no summarization. If you configure individual signatures to summarize, this configuration is ignored when the Summarizer is not enabled.

Enable Meta Event Generator check box

When selected, enables the Meta Event Generator. The Meta Event Generator processes the component events, which lets the sensor watch for suspicious activity transpiring over a series of events.

By default, the Meta Event Generator is enabled. If you disable the Meta Event Generator, all Meta engine signatures are disabled.

Enable Threat Rating Adjustment check box

When selected, enables threat rating adjustment, which derives the threat rating from the risk rating by accounting for the response actions the sensor took. If disabled, the threat rating equals the risk rating.

The Threat Rating feature (new in Cisco IPS Sensor Software Version 6.0) provides a single view of the threat environment of the network. Threat Rating reduces the alarms and events you need to review by letting you filter for only those events with a high Threat Rating value. The Threat Rating value is derived as follows:

• Dynamic adjustment of the event Risk Rating based on whether a response action was applied

• If a response action was applied, the Risk Rating is reduced (Threat Rating < Risk Rating)

• If no response action was applied, the Risk Rating remains unchanged (Threat Rating = Risk Rating)

The result is a single value by which the threat risk is determined.

Deny Attacker Duration in seconds

Number of seconds to deny the attacker inline.

The valid range is 0 to 518400. The default is 3600.

Block Attack Duration in minutes

Number of minutes to block a host or connection.

The valid range is 0 to 10000000. The default is 30.

Maximum Number of Denied Attackers

Limits the number of denied attackers possible in the system at any one time.

The valid range is 0 to 100000000. The default is 10000.

Enable One Way TCP Reset When selected, enables one way TCP reset. Available only in inline mode.

Tip In inline mode, all packets entering or leaving the network must pass through the sensor.

Interfaces Page

The following tabs are available on the Interfaces page:

• Physical Interfaces Tab, page M-70

• Inline Pairs Tab, page M-73

• VLAN Pairs Tab, page M-74

• VLAN Groups Tab, page M-76

• Summary Tab, page M-78

Physical Interfaces Tab

The Physical Interfaces tab lists the existing physical interfaces on your sensor and their associated settings. The sensor detects the interfaces and populates the interfaces list in the Interfaces pane.

To configure the sensor to monitor traffic, you must enable the interface. When you initialized the sensor using the setup command (using the command line interface in Cisco IPS), you assigned the interface or the inline pair to a virtual sensor, and enabled the interface or inline pair. If you need to change your interface settings, you can do so in the Physical Interfaces tab. To assign an interface to a virtual sensor, select the Virtual Sensors policy, click the Add/Edit button, and use the dialog box to assign an available interface to the virtual sensor.

Navigation Path

(Device view) Select IPS > Interfaces from the Policy selector. Click the Physical Interfaces tab.

Related Topics

• Interfaces Page, page M-70

Field Reference

Table M-61 Physical Interfaces Tab

Element Description

Interface Name Name of the interface.

The values are FastEthernet or GigabitEthernet for all interfaces.

Media Type Indicates the media type.

The media type options are the following:

• TX—Copper media

• SX—Fiber media

• XL—Network accelerator card

• Backplane interface—An internal interface that connects the module to the parent chassis’ backplane

Description Lets you provide a description of the interface.

Enabled Whether or not the interface is enabled.

Duplex Indicates the duplex setting of the interface.

The duplex type options are the following:

• Auto—Sets the interface to auto negotiate duplex

• Full—Sets the interface to full duplex

• Half—Sets the interface to half duplex

Speed Indicates the speed setting of the interface.

The speed type options are the following:

• Auto—Sets the interface to auto negotiate speed

• 10 MB—Sets the interface to 10 MB (for TX interfaces only)

• 100 MB—Sets the interface to 100 MB (for TX interfaces only)

• 1000—Sets the interface to 1 GB (for gigabit interfaces only)

Specify Interface for TCP Reset

If selected, sends TCP resets on an alternate interface when this interface is used for promiscuous monitoring and the reset action is triggered by a signature firing.

Bypass Mode A global setting that specifies the bypass mode setting for all interfaces on this device. Values are:

• Off (Always inspect inline traffic)

• On (Never inspect inline traffic)

• Auto (Bypass inspection when analysis engine is stopped)

CDP Mode A global setting, but one that applies only to inline interfaces (both inline-interface and inline-vlan-pair). Values are:

• Forward CDP packets (enable forwarding of Cisco Discovery Protocol packets)

• Drop CDP packets (disable forwarding of Cisco Discovery Protocol packets)


Modify Physical Interface Map Dialog Box

Use the Modify Physical Interface Map dialog box to change the configuration of the physical interfaces of a sensor.

Navigation Path

(Device view) Select IPS > Interfaces from the Policy selector. Click the Physical Interfaces tab. Click the Edit button to open the Modify Physical Interfaces dialog box. The fields in Table M-62 on page M-72 may be modified.

Related Topics

• Interfaces Page, page M-70

Field Reference

Table M-62 Modify Physical Interfaces Dialog Box

Element Description

Description Lets you provide a description of the interface.

Enabled Specify whether or not the interface is enabled.

Duplex Select the duplex setting of the interface.

The duplex type options are the following:

• Auto—Sets the interface to auto negotiate duplex.

• Full—Sets the interface to full duplex.

• Half—Sets the interface to half duplex.

Speed Select the speed setting of the interface.

The speed type options are the following:

• Auto—Sets the interface to auto negotiate speed.

• 10 MB—Sets the interface to 10 MB (for TX interfaces only).

• 100 MB—Sets the interface to 100 MB (for TX interfaces only).

• 1000—Sets the interface to 1 GB (for gigabit interfaces only).

Default VLAN Specify the VLAN ID associated with native (untagged) traffic, or 0 if it is unknown or you do not care which VLAN it is.

Specify Interface for TCP Reset

If selected, sends TCP resets on an alternate interface when this interface is used for promiscuous monitoring and the reset action is triggered by a signature firing.

interface-name Select the interface that sends the TCP reset.


Inline Pairs Tab

Use the Inline Pairs tab to see the existing inline pairs configured on the IPS.

Navigation Path

(Device view) Select IPS > Interfaces from the Policy selector. Click the Inline Pairs tab.

Related Topics

• Interfaces Page, page M-70

• Physical Interfaces Tab, page M-70

Field Reference

Table M-63 Inline Pairs Tab

Element Description

Name The name you give this inline interface pair.

Interface A The first interface in the pair. The interface must be defined on the Physical Interfaces tab.

Interface B The second interface in the pair. The interface must be defined on the Physical Interfaces tab.

Description Lets you add a description of this interface pair.

Bypass Mode A global setting that specifies the bypass mode setting for all interfaces on this device. Values are:

• Off (Always inspect inline traffic)

• On (Never inspect inline traffic)

• Auto (Bypass inspection when analysis engine is stopped)

CDP Mode A global setting, but one that applies only to inline interfaces (both inline-interface and inline-vlan-pair). Values are:

• Forward CDP packets (enable forwarding of Cisco Discovery Protocol packets)

• Drop CDP packets (disable forwarding of Cisco Discovery Protocol packets)

Interface Pair Dialog Box

You can pair interfaces on your sensor if your sensor is capable of inline monitoring. Use the Interface Pair dialog box to add an inline pair of interfaces to a sensor, or to edit an inline pair of interfaces that has already been added to a sensor.

The Interface Pair dialog box appears as either Add Interface Pair or Edit Interface Pair. In the Add appearance of the Interface Pair dialog box, add an inline pair of interfaces to a sensor. In the Edit appearance of the Interface Pair dialog box, edit an inline pair of interfaces that has already been added to a sensor.

You cannot delete an inline pair while an inline VLAN group is defined on it. First delete the inline VLAN group from the VLAN Groups tab, and then delete the inline pair.

Navigation Path

(Device view) Select IPS > Interfaces from the Policy selector. Click the Inline Pairs tab. Click the Add button or the Edit button to open the Interface Pair dialog box.

Related Topics

• Interfaces Page, page M-70

• Inline Pairs Tab, page M-73

• Physical Interfaces Tab, page M-70

Field Reference

Table M-64 Interface Pair Dialog Box

Element Description

Inline Interface Name Enter the name of this inline interface pair. Must be less than 32 alphanumeric and/or underscore characters.

Interface A Select the first interface in the pair. The interface must be defined on the Physical Interfaces tab.

Interface B Select the second interface in the pair. The interface must be defined on the Physical Interfaces tab.

Description Lets you add a description of this interface pair.

VLAN Pairs Tab

Use the VLAN Pairs tab to view a summary of the existing inline VLAN pairs for each physical interface. Click Add to create an inline VLAN pair.

Note You cannot create an inline VLAN pair for an interface that has already been paired with another interface or for an interface that is in promiscuous mode and assigned to a virtual sensor.

To create an inline VLAN pair for an interface that is in promiscuous mode, you must remove the interface from the virtual sensor and then create the inline VLAN pair. If the interface is already paired or in promiscuous mode, you receive an error message when you try to create an inline VLAN pair.

Note If your sensor does not support inline VLAN pairs, the VLAN Pairs pane is not displayed. AIP-SSM and NM-CIDS do not support inline VLAN pairs.

Navigation Path

(Device view) Select IPS > Interfaces from the Policy selector. Click the VLAN Pairs tab.

Related Topics

• Interfaces Page, page M-70

Field Reference

Table M-65 VLAN Pairs Tab

Element Description

Interface Name Select the name of the inline VLAN pair.

Subinterface Number Subinterface number of the inline VLAN pair.

The value is 1 to 255.

Description Lets you provide a description of the inline VLAN pair.

VLAN A Displays the VLAN ID for the first VLAN.

The value is 1 to 4095.

VLAN B Displays the VLAN ID for the second VLAN.

The value is 1 to 4095.

Bypass Mode A global setting that specifies the bypass mode setting for all interfaces on this device. Values are:

• Off (Always inspect inline traffic)

• On (Never inspect inline traffic)

• Auto (Bypass inspection when analysis engine is stopped)

CDP Mode A global setting, but one that applies only to inline interfaces (both inline-interface and inline-vlan-pair). Values are:

• Forward CDP packets (enable forwarding of Cisco Discovery Protocol packets)

• Drop CDP packets (disable forwarding of Cisco Discovery Protocol packets)

VLAN Pair Dialog Box

Use the VLAN Pair dialog box to add a pair of VLANs to a sensor, or to edit a pair of VLANs previously added to a sensor.

The VLAN Pair dialog box appears as either Add VLAN Pair or Edit VLAN Pair. In the Add appearance of the VLAN Pair dialog box, add a VLAN pair for a physical interface. In the Edit appearance of the VLAN Pair dialog box, edit a VLAN pair that has already been added to a physical interface.

Note You cannot pair a VLAN with itself.

Note The subinterface number and the VLAN numbers should be unique to each physical interface.

Navigation Path

(Device view) Select IPS > Interfaces from the Policy selector. Click the VLAN Pairs tab. Click the Add button or the Edit button to open the VLAN Pair dialog box.

Related Topics

• Interfaces Page, page M-70

Field Reference

Table M-66 VLAN Pair Dialog Box

Element Description

Physical Interface Select the physical interface to which this VLAN pair is assigned.

Subinterface Number Specify the subinterface number of the inline VLAN pair.

The value is 1 to 255.

Description Lets you provide a description of the inline VLAN pair.

VLAN A Specify the VLAN number for the first VLAN.

The value is 1 to 4095.

VLAN B Specify the VLAN number for the second VLAN.

The value is 1 to 4095.

VLAN Groups Tab

In the VLAN Groups tab you can add, edit, or delete VLAN groups that you defined in the sensor interface configuration. A VLAN group consists of a group of VLAN IDs that exist on an interface. There are two types of VLAN groups: promiscuous and inline. Promiscuous VLAN groups are created on a promiscuous interface. Inline VLAN groups are created on an existing interface pair. Each VLAN group consists of at least one VLAN ID. You can have up to 255 VLAN groups per interface (logical or physical). Each group can contain any number of VLAN IDs. You then assign each VLAN group to a single virtual sensor (a group cannot be assigned to more than one virtual sensor). You can assign different VLAN groups on the same sensor to different virtual sensors.

After you assign the VLAN IDs to the VLAN group, you must assign the VLAN group to a virtual sensor.

Navigation Path

(Device view) Select IPS > Interfaces from the Policy selector. Click the VLAN Groups tab.

Related Topics

• Interfaces Page, page M-70

Field Reference

Table M-67 VLAN Groups Tab

Element Description

Name The physical or logical interface name of the VLAN group.

Subinterface Number Subinterface number of the VLAN group.

The value is 1 to 255.

Description Lets you provide a description of the VLAN group.

VLANs Displays the range of VLAN IDs belonging to the VLAN group.

Each VLAN ID is a number between 1 and 4095.

Bypass Mode A global setting that specifies the bypass mode setting for all interfaces on this device. Values are:

• Off (Always inspect inline traffic)

• On (Never inspect inline traffic)

• Auto (Bypass inspection when analysis engine is stopped)

CDP Mode A global setting, but one that applies only to inline interfaces (both inline-interface and inline-vlan-pair). Values are:

• Forward CDP packets (enable forwarding of Cisco Discovery Protocol packets)

• Drop CDP packets (disable forwarding of Cisco Discovery Protocol packets)

VLAN Group Map Dialog Box

Use the VLAN Group Map dialog box to add a group of VLANs to a sensor, or to edit a group of VLANs previously added to a sensor.

The VLAN Group Map dialog box appears as either Add VLAN Group Map or Edit VLAN Group Map. In the Add appearance of the VLAN Group Map dialog box, add a group of VLANs to a sensor. In the Edit appearance of the VLAN Group Map dialog box, edit a group of VLANs that has already been added to a sensor.

Note The subinterface number and VLAN IDs should be unique on each physical interface and inline pair.

Navigation Path

(Device view) Select IPS > Interfaces from the Policy selector. Click the VLAN Groups tab. Click the Add button or the Edit button to open the VLAN Group Map dialog box.

Related Topics

• Interfaces Page, page M-70

Field Reference

Table M-68 VLAN Group Map Dialog Box

Element Description

Physical and Logical Interfaces Select the physical or logical interface name of the VLAN group.

Subinterface Number Specify the subinterface number of the VLAN group.

The value is 1 to 255.

Description Lets you provide a description of the VLAN group.

All Unassigned VLAN IDs Selects all VLAN IDs that are not a member of another VLAN group definition.

Range of Free VLAN IDs Specify the range of VLAN IDs belonging to the VLAN group. The format is dashed pairs of lower-upper IDs, separated by commas. For example, 23-44, 91-144.

Summary Tab

Use the Summary tab on the Interfaces page to see a summary of how you have configured the sensing interfaces: the interfaces you have configured for promiscuous mode, the interfaces you have configured as inline pairs, and the interfaces you have configured as inline VLAN pairs.

The content of this page changes when you change your interface configuration.

Caution You can configure any single physical interface to run in promiscuous mode, inline pair mode, inline VLAN pair mode, promiscuous VLAN group, or inline VLAN group, but you cannot configure an interface in a combination of these modes.

Navigation Path

(Device view) Select IPS > Interfaces from the Policy selector. Click the Summary tab.

Related Topics

• Interfaces Page, page M-70

• Physical Interfaces Tab, page M-70

• Inline Pairs Tab, page M-73

• VLAN Pairs Tab, page M-74

• VLAN Groups Tab, page M-76

Field Reference
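The constraints stated in the VLAN Pairs, VLAN Group Map and Summary tab descriptions above, checked in one place before an interface policy is deployed. This is an added example, not Security Manager or sensor code: the configuration dict layout, the function names and the sample configuration are this example's own, and it treats VLAN groups as subdivisions of an interface or inline pair rather than as a separate interface mode. It parses the "23-44, 91-144" range format, enforces the 1 to 255 and 1 to 4095 limits, rejects a VLAN paired with itself, detects subinterface numbers or VLAN IDs reused on the same physical interface or inline pair, reports a physical interface used in more than one mode, and computes what All Unassigned VLAN IDs would select.

```python
"""Consistency checks for the sensing-interface rules stated on the VLAN Pairs,
VLAN Groups and Summary tabs. Added example, not Security Manager or sensor
code; the config dict layout, the function names and the sample config are this
example's own.
"""

VLAN_MIN, VLAN_MAX = 1, 4095
SUBIF_MIN, SUBIF_MAX = 1, 255


def parse_vlan_ranges(spec):
    """'23-44, 91-144' -> {23, ..., 44, 91, ..., 144}; a single ID is accepted too."""
    vlans = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo, sep, hi = item.partition("-")
        lo, hi = int(lo), (int(hi) if sep else int(lo))
        if not VLAN_MIN <= lo <= hi <= VLAN_MAX:
            raise ValueError(f"bad VLAN range {item!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def validate(config):
    """Return a list of problem strings; an empty list means the config is consistent.

    config keys: "promiscuous": [iface, ...]
                 "inline_pairs": {pair_name: (ifaceA, ifaceB)}
                 "vlan_pairs": [(iface, subif, vlanA, vlanB), ...]
                 "vlan_groups": [(iface_or_pair_name, subif, range_spec), ...]
    """
    problems = []
    modes = {}       # physical interface -> set of modes it is used in
    per_owner = {}   # iface or pair name -> (subif numbers used, VLAN IDs used)

    def use(iface, mode):
        modes.setdefault(iface, set()).add(mode)

    def claim(owner, subif, vlans, what):
        subifs, ids = per_owner.setdefault(owner, (set(), set()))
        if not SUBIF_MIN <= subif <= SUBIF_MAX:
            problems.append(f"{what} {owner}.{subif}: subinterface number outside 1-255")
        elif subif in subifs:
            problems.append(f"{what} {owner}.{subif}: subinterface number already used")
        subifs.add(subif)
        dup = vlans & ids
        if dup:
            problems.append(f"{what} {owner}.{subif}: VLAN IDs {sorted(dup)} already assigned")
        ids.update(vlans)

    for iface in config.get("promiscuous", []):
        use(iface, "promiscuous")
    for name, (a, b) in config.get("inline_pairs", {}).items():
        if a == b:
            problems.append(f"inline pair {name}: interface paired with itself")
        use(a, "inline-pair")
        use(b, "inline-pair")
    for iface, subif, a, b in config.get("vlan_pairs", []):
        use(iface, "inline-vlan-pair")
        if a == b:
            problems.append(f"VLAN pair {iface}.{subif}: VLAN {a} paired with itself")
        for v in (a, b):
            if not VLAN_MIN <= v <= VLAN_MAX:
                problems.append(f"VLAN pair {iface}.{subif}: VLAN {v} outside 1-4095")
        claim(iface, subif, {a, b}, "VLAN pair")
    for owner, subif, spec in config.get("vlan_groups", []):
        try:
            claim(owner, subif, parse_vlan_ranges(spec), "VLAN group")
        except ValueError as exc:
            problems.append(f"VLAN group {owner}.{subif}: {exc}")
    for iface, used in sorted(modes.items()):
        if len(used) > 1:
            problems.append(f"{iface}: used in more than one mode {sorted(used)}")
    return problems


def unassigned_vlans(config, owner):
    """What 'All Unassigned VLAN IDs' would select on owner: IDs in no other group there."""
    taken = set()
    for o, _, spec in config.get("vlan_groups", []):
        if o == owner:
            taken |= parse_vlan_ranges(spec)
    return set(range(VLAN_MIN, VLAN_MAX + 1)) - taken


SAMPLE_CONFIG = {  # constructed for this example, not taken from a real sensor
    "promiscuous": ["GigabitEthernet0/0"],
    "inline_pairs": {"pair0": ("GigabitEthernet0/1", "GigabitEthernet0/2")},
    "vlan_pairs": [
        ("GigabitEthernet0/3", 1, 10, 20),
        ("GigabitEthernet0/3", 2, 30, 30),   # VLAN paired with itself
        ("GigabitEthernet0/0", 1, 40, 50),   # interface is already promiscuous
    ],
    "vlan_groups": [
        ("pair0", 1, "23-44, 91-144"),
        ("pair0", 2, "100-110"),             # overlaps subinterface 1 on the same pair
        ("GigabitEthernet0/4", 1, "1-4095"),
    ],
}

if __name__ == "__main__":
    for line in validate(SAMPLE_CONFIG):
        print(line)
```

The sample configuration trips three of the rules: the self-paired VLAN 30, the VLAN group on pair0 that reuses IDs 100 to 110 from the other group on the same pair, and GigabitEthernet0/0 appearing both as a promiscuous interface and in an inline VLAN pair. Security Manager reports the first two when you click OK in the dialog boxes; the third is the case the Note on the VLAN Pairs tab says produces an error only when you try to create the pair.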

Table M-69 Summary Tab

Element Description

Name Name of the interface.

The values are FastEthernet or GigabitEthernet for promiscuous interfaces.

Subinterface Number Subinterface number of the inline VLAN pair or VLAN group.

The value is 1 to 255.

Inline Interface Name The name of this inline interface pair.

Mode Identifies whether the interface is promiscuous, inline, promiscuous VLAN group, or inline VLAN group and whether there are VLAN pairs.

VLAN A Displays the VLAN ID for the first VLAN.

The value is 1 to 4095.

VLAN B Displays the VLAN ID for the second VLAN.

The value is 1 to 4095.

VLANs Range Displays the range of VLAN IDs belonging to the VLAN group.

Each VLAN ID is a number between 1 and 4095.

Bypass Mode A global setting that specifies the bypass mode setting for all interfaces on this device. Values are:

• Off (Always inspect inline traffic)

• On (Never inspect inline traffic)

• Auto (Bypass inspection when analysis engine is stopped)

CDP Mode A global setting, but one that applies only to inline interfaces (both inline-interface and inline-vlan-pair). Values are:

• Forward CDP packets (enable forwarding of Cisco Discovery Protocol packets)

• Drop CDP packets (disable forwarding of Cisco Discovery Protocol packets)

Platform Policies

The pages that you access from the Platform Policies folder from the Policies selector in Device View enable you to configure device administration, logging, and security.

These topics describe the folder and main pages available from the Platform Policies folder:

• Device Admin Policies, page M-79

• Logging Page, page M-88

• Security Policies, page M-89

Device Admin Policies

The pages that you access from the Device Admin folder from the Policies selector in Device View enable you to configure device access and server access.

These topics describe the folders available from the Device Admin Policies folder:

• Device Access Policies, page M-79

• Server Access Policies, page M-84

Device Access Policies

The pages that you access from the Device Access folder from the Policies Selector in Device View enable you to identify allowed hosts and configure SNMP.

Allowed Hosts Page

Use the Allowed Hosts page to view a summary of the hosts that are allowed to connect to a sensor. By default, all hosts on your network can connect to a sensor to configure it and receive alarm data from it. However, you can identify the hosts that are allowed to connect to a sensor, and no other hosts will be allowed to connect. Keep the list to the Security Manager server and any other management hosts: an entry as wide as the 64.0.0.0/8 shown in the field reference lets every address in that range reach the sensor's management interface.

Note If your Security Manager server is not an allowed host, then you are not able to connect to your IPS sensors and manage them.

Navigation Path

(Device view) Select Platform > Device Admin > Device Access > Allowed Hosts from the Policy selector.

Field Reference

Table M-70 Allowed Hosts Page

Element Description

Network address Identifies the allowed host in prefix notation: <IP network>/subnet mask. For example, 64.0.0.0/8.

Add button Opens the Add Access List dialog box.

Edit button Opens the Modify Access List dialog box.

Delete button Deletes the selected allowed host.

Access List Dialog Box

The Access List dialog box appears as either the Add Access List dialog box or the Modify Access List dialog box. Use the Add Access List dialog box to identify the hosts that you want to be able to connect to a sensor. Use the Modify Access List dialog box to change an existing list of hosts that you want to be able to connect to a sensor.

Navigation Path

(Device view) Select Platform > Device Admin > Device Access > Allowed Hosts from the Policy selector. Click the Add button or the Edit button.

Field Reference

Table M-71 Access List Dialog Box

Element Description

Network address Identifies the allowed host in prefix notation: <IP network>/subnet mask. For example, 64.0.0.0/8.

Select... button Opens the Available Networks/Hosts dialog box.
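A pre-push review of an Allowed Hosts list, as an added example that is not Security Manager code. It parses entries in the <IP network>/subnet mask notation the field reference uses, confirms that the Security Manager server which will push the policy is still covered (the lock-out the Note above warns about), rejects entries with host bits set rather than silently widening them, and flags entries wider than a list of management hosts should need. The function names, the width threshold and the sample lists are this example's own.

```python
"""Pre-push review of an IPS Allowed Hosts list.

Added example, not Security Manager code. Function names, the /24 threshold and
the sample lists below are this example's own assumptions.
"""
import ipaddress


def review_allowed_hosts(entries, manager_ip, min_prefixlen=24):
    """Return a list of findings; an empty list means the list is safe to push.

    min_prefixlen is this example's threshold: anything wider than a /24 is
    reported as too broad for a list that is meant to name management hosts.
    """
    findings, nets = [], []
    for entry in entries:
        try:
            # strict=True (the default) rejects entries with host bits set,
            # e.g. 10.20.30.40/24, instead of quietly turning them into a /24.
            nets.append(ipaddress.ip_network(entry.strip()))
        except ValueError as exc:
            findings.append(f"{entry!r}: {exc}")

    manager = ipaddress.ip_address(manager_ip)
    if not any(manager in net for net in nets):
        findings.append(
            f"management server {manager} is not an allowed host; "
            "pushing this list would lock Security Manager out of the sensor"
        )

    for net in nets:
        if net.prefixlen < min_prefixlen:
            findings.append(
                f"{net} admits {net.num_addresses} addresses; "
                "narrow it to the management hosts that need access"
            )
    return findings


# Constructed sample lists for this example; 10.20.30.40 plays the Security Manager server.
BROAD_LIST = ["64.0.0.0/8", "10.20.30.40/32"]       # the /8 from the page's example
TIGHT_LIST = ["10.20.30.40/32", "10.20.30.41/32"]   # manager plus one jump host

if __name__ == "__main__":
    for name, entries in (("broad", BROAD_LIST), ("tight", TIGHT_LIST)):
        print(name, review_allowed_hosts(entries, "10.20.30.40") or ["ok"])
```

Run it against the list you are about to deploy with the IP address Security Manager uses to reach the sensor; an empty result means the push cannot lock you out and no entry is wider than your threshold.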

SNMP Page

Use the SNMP page to configure Simple Network Management Protocol (SNMP). Security Manager does not use SNMP to manage sensors, but the sensors support SNMP and therefore require a means of configuration in Security Manager.

SNMP configuration has three parts:

• General Configuration—Enables you to configure general SNMP parameters and apply them to sensors.

• Traps Configuration—Enables you to configure traps and apply them to sensors.

• Traps Destination—Enables you to identify recipients that the traps should be sent to.

General Configuration Tab

Use the General Configuration tab on the SNMP page to configure general SNMP parameters and apply them to sensors.

Navigation Path

(Device view) Select Platform > Device Admin > Device Access > SNMP from the Policy selector. The General Configuration tab is active by default.

Field Reference

Table M-72 SNMP > General Configuration Tab

Element Description

Enable SNMP Gets/Sets Allows you to enable the sensor to respond to get and set queries. If this field is disabled, the sensor does not respond to the query.

Read-Only Community String

Sets the read-only community string of the sensor to a string you specify. When a sensor receives an SNMP get request with the specified read-only community string, it responds. This string gives access to all SNMP get requests.

Read-Write Community String

Sets the read-write community string of the sensor to a string you specify. When a sensor receives an SNMP get request, or an SNMP set request, with the specified read-write community string, it responds. This string gives access to all SNMP get requests and set requests, so treat it as a credential: choose a value that cannot be guessed, and leave Enable SNMP Gets/Sets cleared unless you need the sensor to answer SNMP queries at all.

Sensor Contact The network administrator who is responsible for this sensor.

Sensor Location The physical location of the sensor appliance or other hardware used as a sensing device.

Sensor Agent Port Instructs a sensor to run the SNMP agent on the specified port. Valid port numbers range from 1 to 65535.

Snmp Agent Protocol Instructs a sensor to run SNMP on top of a particular transport protocol. The options available are TCP (Transmission Control Protocol) and UDP (User Datagram Protocol).

Select... button Opens the Port Lists Selector dialog box.


SNMP Trap Configuration Tab

Use the SNMP Trap Configuration tab on the SNMP page to configure traps, apply them to sensors, and identify the recipients to which the traps should be sent.

Navigation Path

(Device view) Select Platform > Device Admin > Device Access > SNMP from the Policy selector. Click the SNMP Trap Configuration tab.

Field Reference

Table M-73 SNMP > SNMP Trap Configuration Tab

Element | Description
Enable Notifications | Allows you to enable the sensor to notify interested parties whenever a specific type of event occurs in a sensor. When you select this check box, the sensor is instructed to perform notification. (You can also use the Trap Destinations function to configure interested parties.) If the Enable Notifications check box is not selected, the sensor does not respond to the query.
Error Filter | Use this set of filters to specify the level of notifications that are enabled. The three levels of notification are Fatal, Error, and Warning. When you select one or more of these filters, you enable the sensor to send notification of events that correspond to the levels selected.
Enable Detail Traps | When selected, this check box enables the sensor to send the detailed traps for all alerts.
Default Trap Community String | All traps that are sent carry a community string. A destination accepts every trap whose community string is identical to its own and discards all others. This value is the default community string, but the default can be overridden at any destination.
Trap Destinations | A summary table of the trap destinations that you have configured, listing the IP Address, Trap Community String, and Trap Port of each.
Add button | Opens the Add Snmp Trap Communication dialog box.
Edit button | Opens the Modify Snmp Trap Communication dialog box.
Delete button | Deletes the selected allowed host.

Snmp Trap Communication Dialog Box

The Snmp Trap Communication dialog box appears as either the Add Snmp Trap Communication dialog box or the Modify Snmp Trap Communication dialog box. Use the Add form of this dialog box to add an Snmp trap. Use the Modify form of this dialog box to modify an Snmp trap that you added earlier.


Navigation Path

(Device view) Select Platform > Device Admin > Device Access > SNMP from the Policy selector. Click the SNMP Trap Configuration tab. Click the Add button or the Edit button.

Field Reference

Table M-74 Add Snmp Trap Communication Dialog Box

Element | Description
Ip Address | Identifies the trap destination in prefix notation: <IP network>/subnet mask. For example, 64.0.0.0/8. One of the three items that define a trap.
Select... button | Opens the Available Networks/Hosts dialog box.
Trap Community String | The community string of the trap. (All traps that are sent carry a community string.) One of the three items that define a trap.
Trap Port | The port used by the trap. One of the three items that define a trap.
Select... button | Opens the Port Lists Selector dialog box.

Password Requirements Page

Use the Password Requirements page to configure how passwords are created for Cisco IPS sensors managed by Cisco Security Manager. All user-created sensor passwords must conform to the policy that you set on the Password Requirements page.

Navigation Path

• (Device view) Select Platform > Device Admin > Device Access > Password Requirements from the Policy selector.

• (Policy view) Select IPS > Platform > Device Admin > Password Requirements from the Policy Type selector. Right-click Password Requirements to create a policy, or select an existing policy from the Shared Policy selector.

Field Reference

Table M-75 Password Requirements Page

Element | Description
Attempt Limit | Lets you lock accounts so that users cannot keep trying to log in after a certain number of failed attempts. The default is 0, which indicates unlimited authentication attempts. For security purposes, you should change this number.
Size Range | The minimum and maximum allowed size for a password. The valid range is 6 to 64 characters.
Minimum Digit Characters | Minimum number of numeric digits that must be in a password.
Minimum Upper Case Characters | Minimum number of uppercase alphabet characters that must be in a password.
Minimum Lower Case Characters | Minimum number of lowercase alphabet characters that must be in a password.


Caution If the password policy includes minimum numbers of character sets, such as uppercase or number characters, the sum of the minimum number of required character sets cannot exceed the minimum password size. For example, you cannot set a minimum password size of eight and also require that passwords must contain at least five lowercase and five uppercase characters.

Server Access Policies

The pages that you access from the Server Access folder from the Policy Selector in Device View enable you to configure server access.

These topics describe the pages available from the Server Access folder:

• External Product Interface Page, page M-84

• NTP Page, page M-86

• DNS Page, page M-87

• HTTP Proxy Page, page M-88

External Product Interface Page

Use the External Product Interface page to configure the way that Security Manager works with external products.

Note Management Center for Cisco Security Agents is the only external product for which interfaces can be configured for IPS in Security Manager.

Navigation Path

(Device view) Select Platform > Device Admin > Server Access > External Product Interface from the Policy selector.

Management Center for Cisco Security Agents Tab

Use the Management Center for Cisco Security Agents tab to configure the way that Security Manager works with Management Center for Cisco Security Agents.

Note Only two interfaces can be configured for Management Center for Cisco Security Agents.

Table M-75 Password Requirements Page (Continued)

Element | Description
Minimum Other Characters | Minimum number of non-alphanumeric printable characters that must be in a password.
Number of Historical Passwords | Number of historical passwords you want the sensor to remember for each account. Any attempt to change the password of an account fails if the new password matches any of the remembered passwords. When this value is 0, no previous passwords are remembered.
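The Password Requirements settings in Table M-75, including the Caution that the summed character-set minimums cannot exceed the minimum password size, as an added example that is not code from Cisco Security Manager: a Python checker with hypothetical names (PasswordPolicy, policy_errors, check_password, account_locked) that validates a policy and tests candidate passwords against it. It assumes the Attempt Limit is compared against a running count of failed logins and that any printable non-alphanumeric character counts as an "other" character.

```python
from dataclasses import dataclass

SIZE_RANGE_LIMITS = (6, 64)   # valid values for the Size Range fields


@dataclass
class PasswordPolicy:
    """Hypothetical model of the Password Requirements page fields."""
    attempt_limit: int = 0      # 0 = unlimited authentication attempts
    min_size: int = 8
    max_size: int = 64
    min_digits: int = 0
    min_upper: int = 0
    min_lower: int = 0
    min_other: int = 0          # non-alphanumeric printable characters
    history_depth: int = 0      # 0 = no previous passwords remembered


def policy_errors(policy):
    """Reasons the policy itself cannot be applied (empty list if consistent)."""
    errors = []
    lo, hi = SIZE_RANGE_LIMITS
    if not (lo <= policy.min_size <= policy.max_size <= hi):
        errors.append("Size Range must satisfy %d <= min <= max <= %d" % (lo, hi))
    # The Caution: the summed per-class minimums cannot exceed the minimum
    # password size (e.g. min size 8 with 5 upper + 5 lower is rejected).
    required = (policy.min_digits + policy.min_upper
                + policy.min_lower + policy.min_other)
    if required > policy.min_size:
        errors.append("character-set minimums (%d) exceed minimum size (%d)"
                      % (required, policy.min_size))
    return errors


def account_locked(policy, failed_attempts):
    """Attempt Limit: lock the account once failed logins reach the limit.

    Assumption: a limit of 0 never locks, matching 'unlimited attempts'.
    """
    return policy.attempt_limit > 0 and failed_attempts >= policy.attempt_limit


def check_password(policy, candidate, history):
    """Reasons a new password violates the policy (empty list if acceptable).

    history holds the account's previous passwords, oldest first; only the
    last history_depth entries count (Number of Historical Passwords).
    """
    reasons = []
    if not policy.min_size <= len(candidate) <= policy.max_size:
        reasons.append("length %d outside %d-%d"
                       % (len(candidate), policy.min_size, policy.max_size))
    counts = {
        "digit": sum(c.isdigit() for c in candidate),
        "uppercase": sum(c.isupper() for c in candidate),
        "lowercase": sum(c.islower() for c in candidate),
        # Assumption: "other" = printable and neither a letter nor a digit.
        "other": sum((not c.isalnum()) and c.isprintable() for c in candidate),
    }
    minimums = {
        "digit": policy.min_digits, "uppercase": policy.min_upper,
        "lowercase": policy.min_lower, "other": policy.min_other,
    }
    for kind, needed in minimums.items():
        if counts[kind] < needed:
            reasons.append("needs at least %d %s character(s), has %d"
                           % (needed, kind, counts[kind]))
    remembered = history[-policy.history_depth:] if policy.history_depth > 0 else []
    if candidate in remembered:
        reasons.append("matches one of the last %d passwords" % policy.history_depth)
    return reasons
```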


Navigation Path

(Device view) Select Platform > Device Admin > Server Access > External Product Interface from the Policy selector. The Management Center for Cisco Security Agents tab is active by default.

Field Reference

Table M-76 External Product Interface > Management Center for Cisco Security Agents Tab

Element | Description
IP Address | The IP address of the external product.
Interface Type | Identifies the physical interface type, that is, copper or fiber.
Enable | Specifies whether an agent is enabled to notify the management station of significant events by way of an unsolicited SNMP message.
URL | The URL of the external product.
Port | Specifies the port being used for communications.
Username | A valid user name for authentication to the external product.
Add button | Opens the Add External Product Interface dialog box.
Edit button | Opens the Edit External Product Interface dialog box.
Delete button | Deletes the selected External Product Interface.

External Product Interface Dialog Box

Use the External Product Interface dialog box to add or modify interfaces between Management Center for Cisco Security Agents and Security Manager. This dialog box appears in two forms: Add and Edit.

Also use the External Product Interface dialog box to add or modify Posture ACLs.

Navigation Path

(Device view) Select Platform > Device Admin > Server Access > External Product Interface from the Policy selector. The Management Center for Cisco Security Agents tab is active by default. Click the Add button or the Modify button.

Field Reference

Table M-77 External Product Interface Dialog Box

Element | Description
External Product’s IP Address | The IP address of the external product.
Select... button | Opens the Available Networks/Hosts dialog box.
Interface Type | Identifies the physical interface type, that is, copper or fiber.
Enable receipt of information | Specifies whether an agent is enabled to notify the management station of significant events by way of an unsolicited SNMP message.
SDEE URL | The URL of the external product.
Port | Specifies the port being used for communications.
Select... button | Opens the Port Lists Selector dialog box.


Table M-77 External Product Interface Dialog Box (Continued)

Element | Description
User name | A valid user name for authentication to the external product. A value in this field is mandatory.
Password | A valid password for authentication to the external product. A value in this field is mandatory.
Enable receipt of host postures | When checked, allows the host posture information to be passed from the external product to the sensor.
Allow unreachable hosts’ postures | When checked, allows the host posture information from unreachable hosts to be passed from the external product to the sensor.
Add button | Opens the Add Posture Acl dialog box.
Edit button | Opens the Modify Access List dialog box.
Delete button | Deletes the selected allowed host.
Manual Watch List RR Increase | Identifies the risk rating (RR) increase for the manual watch list. The default is 25, and the valid range is 0 to 35.
Session-based Watch List RR Increase | Identifies the risk rating increase for the session-based watch list. The default is 25, and the valid range is 0 to 35.
Packet-based Watch List RR Increase | Identifies the risk rating increase for the packet-based watch list. The default is 10, and the valid range is 0 to 35.

Posture Acl Dialog Box

Host Posture ACLs indicate how host postures received from Management Center for Cisco Security Agents should be handled.

Navigation Path

(Device view) Select Platform > Device Admin > Server Access > External Product Interface from the Policy selector. The Management Center for Cisco Security Agents tab is active by default. Click the Add button to open the Add External Product Interface dialog box. Click the Add button or the Edit button to open the Posture Acl dialog box.

Field Reference

Table M-78 Posture Acl Dialog Box

Element | Description
Network Address | Network address of the posture ACL.
Select... button | Opens the Available Networks/Hosts dialog box.
Action | Action (deny or permit) the posture ACL will take.

NTP Page

Use the NTP page to identify a Network Time Protocol (NTP) server to use with a sensor. NTP server time can be used with a sensor that you manage with Security Manager.


Navigation Path

(Device view) Select Platform > Device Admin > Server Access > NTP from the Policy selector. The Network Time Protocol page appears.

Field Reference

Table M-79 NTP Page

Element | Description
NTP Server IP Address | The IP address of the NTP server.
Select button | Opens the Available Networks/Hosts dialog box.
Authenticated NTP check box | When selected, indicates that the NTP server is authenticated and enables the Key and Key ID fields.
Key | The key value of the NTP server. Not required when configuring an NTP server: unauthenticated servers can be used, and an NTP server IP address with no Key or Key ID is interpreted to mean that the server is unauthenticated. The key is an MD5 type of key (either numeric or character); it is the key that was used to set up the NTP server. Enabled only when the Authenticated NTP check box is selected.
Key ID | The key ID value of the NTP server. Not required when configuring an NTP server: unauthenticated servers can be used, and an NTP server IP address with no Key or Key ID is interpreted to mean that the server is unauthenticated. Enabled only when the Authenticated NTP check box is selected.

DNS Page

Use the DNS page to identify a Domain Name System (DNS) server to use with Collaboration policies.

Collaboration policies are not available on sensors running a version of Cisco IPS software earlier than 7.0.

Navigation Path

(Device view) Select Platform > Device Admin > Server Access > DNS from the Policy selector. The Domain Name Server page appears.

Field Reference

Table M-80 Domain Name Server Page

Element | Description
Name Server 1 | The IP address of the primary DNS server used in Collaboration policies.
Select... button | Opens the Available Networks/Hosts dialog box.
Name Server 2 | The IP address of the secondary DNS server used in Collaboration policies.
Name Server 3 | The IP address of the tertiary DNS server used in Collaboration policies.


HTTP Proxy Page

Use the HTTP Proxy page to identify a proxy server and port to use with Collaboration policies.

Collaboration policies are not available on sensors running a version of Cisco IPS software earlier than 7.0.

You may need a proxy server to download Global Correlation updates if your network requires outbound connections to go through a proxy.

Navigation Path

(Device view) Select Platform > Device Admin > Server Access > HTTP Proxy from the Policy selector. The HTTP Proxy page appears.

Field Reference

Table M-81 HTTP Proxy Page

Element | Description
HTTP Proxy Server | The IP address of the proxy server used in Collaboration policies.
HTTP Proxy Port | The HTTP port number for the proxy server used in Collaboration policies.

Logging Page

Use the Logging page to configure traffic flow notifications and Analysis Engine global variables.

Navigation Path

(Device view) Select Platform > Logging from the Policy selector.

Interface Notifications Tab

Use the Interface Notifications tab to configure traffic flow notifications.

Navigation Path

(Device view) Select Platform > Logging from the Policy selector. The Interface Notifications tab is active by default.

Field Reference

Table M-82 Logging > Interface Notifications Tab

Element | Description
Missed Packets Threshold | The percentage of missed packets that must occur before you receive a notification. The default value is 0, and the valid range is 0 through 100.
Notification Interval | The length of time in seconds over which the percentage of missed packets is checked. The default value is 30, and the valid range is 5 to 3600.


Table M-82 Logging > Interface Notifications Tab (Continued)

Element | Description
Interface Idle Threshold | The length of time in seconds that an interface may be idle (not receiving packets) before you are notified. The default value is 30, and the valid range is 5 to 3600.

Analysis Engine Tab

Use the Analysis Engine tab to configure the Analysis Engine global variables.

Navigation Path

(Device view) Select Platform > Logging from the Policy selector. Click the Analysis Engine tab.

Field Reference

Table M-83 Logging > Analysis Engine Tab

Element | Description
Maximum Open IP Log Files | The maximum number of IP log files that may be open at one time. The valid range is from 20 to 100. The default is 20.

Security Policies

The pages that you access from the Security folder in Device View help you configure blocking properties.

This topic describes the main page available from the Security folder:

• Blocking Page, page M-89

Blocking Page

Use the Blocking page to configure sensor blocking properties. You can configure sensors to block attacks; you also can manage other devices to block attacks.

The following tabs are available on the Blocking page:

• Blocking Page > General Tab, page M-90

• Blocking Page > User Profiles Tab, page M-91

• Blocking Page > Master Blocking Sensors Tab, page M-92

• Blocking Page > Router Tab, page M-94

• Blocking Page > Firewall Tab, page M-96

• Blocking Page > Catalyst 6K Tab, page M-97

• Blocking Page > Never Block Hosts and Networks Tab, page M-99

Navigation Path

(Device view) Select Platform > Security > Blocking from the Policy selector.


Related Topic

• Configuring Blocking, page 16-9

Blocking Page > General Tab

Use the General tab of the Blocking Properties page to configure the basic settings required to enable blocking and rate limiting.

Navigation Path

(Device view) Select Platform > Security > Blocking from the Policy selector. Click the General tab.

Related Topic

• Configuring Blocking, page 16-9

Field Reference

Table M-84 General Tab

Element | Description
Log All Block Events and Errors | When selected, configures the sensor to log events that follow blocks from start to finish and any error messages that occur. When a block is added to or removed from a device, an event is logged. You may not want all these events and errors to be logged; disabling this option suppresses new events and errors. The default is enabled. Note: Log All Block Events and Errors also applies to rate limiting.
Enable NVRAM Write | When selected, configures the sensor to have the router write to non-volatile RAM (NVRAM) when Attack Response Control (ARC) first connects. If enabled, NVRAM is written each time the ACLs are updated. The default is disabled. Enabling NVRAM writing ensures that all changes for blocking and rate limiting are written to NVRAM, so if the router is rebooted, the correct blocks and rate limits are still active. If NVRAM writing is disabled, a short time without blocking or rate limiting occurs after a router reboot. Not enabling NVRAM writing increases the life of the NVRAM and decreases the time for new blocks and rate limits to be configured.
Enable ACL Logging | When selected, causes ARC to append the log parameter to block entries in the access control list (ACL) or VLAN ACL (VACL). This causes the device to generate syslog events when packets are filtered. This option only applies to routers and switches. The default is disabled.
Allow Sensor IP address to be Blocked | When selected, specifies that the sensor IP address can be blocked. The default is disabled.
Enable Blocking | When selected, enables blocking of hosts. The default is enabled. Note: When you enable blocking, you also enable rate limiting. When you disable blocking, you also disable rate limiting, which means that ARC cannot add new or remove existing blocks or rate limits. Even if you do not enable blocking, you can configure all other blocking settings.


Blocking Page > User Profiles Tab

Use the User Profiles tab of the Blocking page to define connection credential information to the blocking devices. After you populate this table, you can choose one of the profiles from it when you define blocking devices.

Navigation Path

(Device view) Select Platform > Security > Blocking from the Policy selector. Click the User Profiles tab.

Related Topic

• Configuring Blocking, page 16-9.

Field Reference

Table M-84 General Tab (Continued)

Element | Description
Max Blocks | The maximum number of entries to block. The valid range is 1 to 65535. The default is 250.
Max Interfaces | Configures the maximum number of interfaces for performing blocks. For example, a PIX 500 series security appliance counts as one interface. A router with one interface counts as one, but a router with two interfaces counts as two. The maximum number of interfaces is 250 per device. The default is 250. Note: You use Max Interfaces to set an upper limit on the number of devices and interfaces that ARC can manage. The total number of blocking devices (not including master blocking sensors) cannot exceed this value. The total number of blocking items also cannot exceed this value, where a blocking item is one security appliance context, one router blocking interface/direction, or one Catalyst Software switch blocking VLAN. In addition, the following maximum limits are fixed and you cannot change them: 100 interfaces per device, 250 security appliances, 250 routers, 250 Catalyst Software switches, and 100 master blocking sensors.
Max Ratelimits | Maximum number of rate limit entries. The maximum number of rate limits must be equal to or less than the maximum number of blocking entries; if you configure more rate limit entries than block entries, you receive an error. The valid range is 1 to 32767. The default value is 250.

Table M-85 User Profiles Tab

Element | Description
Profile Name | Name of the profile.


Table M-85 User Profiles Tab (Continued)

Element | Description
Enable Password | (Optional) Enable password used on the blocking device. The enable password is found only in the Add User Profile dialog box. Note: If a password exists, it is displayed with a fixed number of asterisks.
Password | (Optional) Login password used to log in to the blocking device. Found only in the Add User Profile dialog box. Note: If a password exists, it is displayed with a fixed number of asterisks.
Username | (Optional) Username used to log in to the blocking device.
Add button | Opens the Add User Profile dialog box.
Edit button | Opens the Modify User Profile dialog box.
Delete button | Removes the selected user profile from the table.

User Profile Dialog Box

Use the User Profile dialog box to add or modify a user profile that you can use when you define blocking devices.

Navigation Path

(Device view) Select Platform > Security > Blocking from the Policy selector. Click the User Profiles tab. Select a row. Click the Add button or the Modify button.

Field Reference

Table M-86 User Profile Dialog Box

Element | Description
Profile Name | Name of the profile.
Enable Password | (Optional) Enable password used on the blocking device. Note: If a password exists, it is displayed with a fixed number of asterisks.
Password | (Optional) Login password used to log in to the blocking device. Note: If a password exists, it is displayed with a fixed number of asterisks.
Username | (Optional) Username used to log in to the blocking device.

Blocking Page > Master Blocking Sensors Tab

Use the Master Blocking Sensors tab of the Blocking Properties page to configure a master blocking sensor. The master blocking sensor must have one blocking device assigned.

Navigation Path

(Device view) Select Platform > Security > Blocking from the Policy selector. Click the Master Blocking Sensors tab.


Related Topic

• Configuring Blocking, page 16-9.

Field Reference

Table M-87 Master Blocking Sensors Tab

Element | Description
IP Address | IP address of the master blocking sensor. You receive a warning if the IP address already exists. Security Manager allows you to specify the IP address in either of two ways: by entering it manually or by choosing an existing sensor that is known to Security Manager.
Username | Username used to log in to the blocking device.
Password | The login password used to log in to the master blocking sensor.
Port | (Optional) Port on which to connect on the master blocking sensor. The default is 443.
TLS | Whether or not to use transport layer security (TLS).
Username | (Optional) Username used to log in to the blocking device.
Add button | Opens the Add Master Blocking Sensor dialog box.
Edit button | Opens the Modify Master Blocking Sensor dialog box.
Delete button | Removes the selected Master Blocking Sensor from the table.

Master Blocking Sensor Dialog Box

Use the Master Blocking Sensor dialog box to add a master blocking sensor or to modify the properties of a master blocking sensor that you added previously.

Navigation Path

(Device view) Select Platform > Security > Blocking from the Policy selector. Click the Master Blocking Sensors tab. Click the Add button to add a master blocking sensor. Select a row and click the Modify button to modify a master blocking sensor.

Related Topic

• Blocking Page > Master Blocking Sensors Tab, page M-92

Field Reference

Table M-88 Master Blocking Sensor Dialog Box

Element | Description
IP Address | The IP address of the master blocking sensor. You receive a warning if the IP address already exists. Security Manager allows you to specify the IP address in either of two ways: by entering it manually or by choosing an existing sensor that is known to Security Manager.
Username | Username used to log in to the blocking device.
Password | The login password used to log in to the master blocking sensor.


Table M-88 Master Blocking Sensor Dialog Box (Continued)

Element | Description
Port | (Optional) The port on which to connect on the master blocking sensor. The default is 443.
TLS | Specifies whether or not to use TLS.

Blocking Page > Router Tab

Use the Router tab to configure an IOS router to be used as a blocking device.

Navigation Path

(Device view) Select Platform > Security > Blocking from the Policy selector. Click the Router tab.

Related Topic

• Configuring Blocking, page 16-9.

Field Reference

Table M-89 Router Tab

Element | Description
IP Address | The IP address of the router. You receive a warning if the IP address already exists. Security Manager allows you to specify the IP address in either of two ways: by entering it manually or by choosing an existing router that is known to Security Manager.
Communication Type | SSH DES, SSH 3DES, or Telnet.
NAT Address | The network address translation (NAT) address, if any, to the router.
Profile Name | The name of the profile as specified in the Add User Profile dialog box or the Modify User Profile dialog box.
Response Capabilities | Indicates whether the device uses blocking, rate limiting, or both.
Add button | Opens the Add Router Device dialog box.
Edit button | Opens the Modify Router Device dialog box.
Delete button | Removes the selected Router Device from the table.

Router Device Dialog Box

The Router Device dialog box appears in two forms, the Add Router Device dialog box and the Modify Router Device dialog box. Use the Router Device dialog box to add an IOS router to be used as a blocking device, or to modify the properties of an IOS router that you previously added as a blocking device.

Navigation Path

(Device view) Select Platform > Security > Blocking from the Policy selector. Click the Router tab. Click the Add button or the Modify button.


Field Reference

Table M-90 Router Tab > Router Device Dialog Box

Element | Description
IP Address | The IP address of the router. You receive a warning if the IP address already exists. Security Manager allows you to specify the IP address in either of two ways: by entering it manually or by choosing an existing router that is known to Security Manager.
Select... button | Opens the Networks/Hosts Selector dialog box.
Communication Type | SSH DES, SSH 3DES, or Telnet.
NAT Address | The NAT address, if any, to the router.
Select... button | Opens the Networks/Hosts Selector dialog box.
Profile Name | The name of the profile as specified in the Add User Profile dialog box or the Modify User Profile dialog box.
Interfaces and directions where blocks will be applied | Lists the block interfaces on the router in tabular format, with the columns Interface Name, Direction, Pre-ACL Name, and Post-ACL Name.
Response Capabilities | Indicates whether the device uses blocking, rate limiting, or both.
Add button | Opens the Add Router Block Interface dialog box.
Edit button | Opens the Modify Router Block Interface dialog box.
Delete button | Removes the selected router block interface from the table.

Router Block Interface Dialog Box

Use the Router Block Interface dialog box to add a block interface (the interface on the IOS router that the sensor uses for blocking) to an IOS router that is used as a blocking device, or to modify a block interface that you previously added.

Navigation Path

(Device view) Select Platform > Security > Blocking from the Policy selector. Click the Router tab. Click the Add button or the Modify button. In the Add Router Device dialog box, click the Add button or the Modify button.

Field Reference

Table M-91 Router Block Interface Dialog Box

Element | Description
Interface Name | The name, assigned by the user, of the router interface used for blocking.
Direction | The direction of traffic across the router interface, in or out.
Pre Acl Name | The pre-ACL name assigned by the user.


Table M-91 Router Block Interface Dialog Box (Continued)

Element | Description
Post Acl Name | The post-ACL name assigned by the user.

Blocking Page > Firewall Tab

Use the Firewall tab to configure a firewall to be used as a blocking device.

Navigation Path

(Device view) Select Platform > Security > Blocking from the Policy selector. Click the Firewall tab.

Related Topic

• Configuring Blocking, page 16-9.

Field Reference

Table M-92 Firewall Tab

Element | Description
IP Address | The IP address of the firewall. You receive a warning if the IP address already exists. Security Manager allows you to specify the IP address in either of two ways: by entering it manually or by choosing an existing firewall that is known to Security Manager.
Communication Type | SSH DES, SSH 3DES, or Telnet.
NAT Address | The NAT address, if any, to the firewall.
Profile Name | The name of the profile as specified in the Add User Profile dialog box or the Modify User Profile dialog box.
Add button | Opens the Add Firewall Device dialog box.
Edit button | Opens the Modify Firewall Device dialog box.
Delete button | Removes the selected firewall device from the table.

Firewall Device Dialog Box

The Firewall Device dialog box appears in two forms, Add and Modify. Use the Firewall Device dialog box to identify a firewall to be used as a blocking device and configure it, or to modify the configuration of a firewall previously identified as a blocking device.

Navigation Path

(Device view) Select Platform > Security > Blocking from the Policy selector. Click the Firewall tab. Click the Add button or the Modify button.


Field Reference

Table M-93 Firewall Tab > Firewall Device Dialog Box

Element | Description
IP Address | The IP address of the firewall. You receive a warning if the IP address already exists. Security Manager allows you to specify the IP address in either of two ways: by entering it manually or by choosing an existing firewall that is known to Security Manager.
Select... button | Opens the Networks/Hosts Selector dialog box.
Communication Type | SSH DES, SSH 3DES, or Telnet.
NAT Address | The NAT address, if any, to the firewall.
Select... button | Opens the Networks/Hosts Selector dialog box.
Profile Name | The name of the profile as specified in the Add User Profile dialog box or the Modify User Profile dialog box.

Blocking Page > Catalyst 6K Tab

Use the Catalyst 6K tab to configure a Catalyst 6000 series switch to be used as a blocking device.

Navigation Path

(Device view) Select Platform > Security > Blocking from the Policy selector. Click the Catalyst 6K tab.

Related Topic

• Configuring Blocking, page 16-9.

Field Reference

Table M-94 Catalyst 6K Tab

Element | Description
IP Address | The IP address of the switch. You receive a warning if the IP address already exists. Security Manager allows you to specify the IP address in either of two ways: by entering it manually or by choosing an existing switch that is known to Security Manager.
Communication Type | SSH DES, SSH 3DES, or Telnet.
NAT Address | The NAT address, if any, to the switch.
Profile Name | The name of the profile as specified in the Add User Profile dialog box or the Modify User Profile dialog box.
Add button | Opens the Add Cat6k Device dialog box.
Edit button | Opens the Modify Cat6k Device dialog box.
Delete button | Removes the selected Cat6k device from the table.


Cat6k Device Dialog Box

The Cat6k Device dialog box appears in two forms, Add and Modify. Use the Cat6k Device dialog box to identify a Catalyst 6000 series switch to be used as a blocking device and configure it. Also, use the Cat6k Device dialog box to modify the configuration of a Catalyst 6000 series switch previously identified as a blocking device.

Navigation Path

(Device view) Select Platform > Security > Blocking from the Policy selector. Click the Catalyst 6K tab. Click the Add button or the Modify button.

Field Reference

Cat6k Block Vlan Dialog Box

The Cat6k Block Vlan dialog box appears in two forms, Add and Modify. Use the Add form to identify and configure the VLANs to be used with a Catalyst 6000 series switch that acts as a blocking device. Use the Modify form to change the configuration of VLANs previously identified for use with such a switch.

Navigation Path

(Device view) Select Platform > Security > Blocking from the Policy selector. Click the Catalyst 6K tab. Click the Add button or the Modify button. On the Add Cat6k Device dialog box, click the Add button or the Modify button.

Table M-95 Catalyst 6K Tab > Cat6k Device Dialog Box

Element Description

IP Address The IP address of the switch. You receive a warning if the IP address already exists. Security Manager allows you to specify the IP address in either of two ways: by entering it manually or by choosing an existing switch that is known to Security Manager.

Select... button Opens the Networks/Hosts Selector dialog box.

Communication Type SSH DES, SSH 3DES, or Telnet.

NAT Address The NAT address, if any, to the switch.

Select... button Opens the Networks/Hosts Selector dialog box.

Profile Name The name of the profile as specified in the Add User Profile dialog box or the Modify User Profile dialog box.

Vlans where blocks will be applied Identifies the VLANs on the Catalyst 6000 Series switch where blocks will be applied.

Add button Opens the Add Cat6k Block Vlan dialog box.

Edit button Opens the Modify Cat6k Block Vlan dialog box.

Delete button Removes the selected Cat6k Block Vlan from the table.


Field Reference

Blocking Page > Never Block Hosts and Networks Tab

Use the Never Block Hosts and Networks tab to identify hosts and networks that should never be blocked.

Navigation Path

(Device view) Select Platform > Security > Blocking from the Policy selector. Click the Never Block Hosts and Networks tab.

Related Topic

• Configuring Blocking, page 16-9.

Field Reference

Never Block Host Dialog Box

Use the Never Block Host dialog box to add a trusted host to the list of those that should never be blocked. Also, use the Never Block Host dialog box to modify the list of hosts that should never be blocked.

Navigation Path

(Device view) Select Platform > Security > Blocking from the Policy selector. Click the Never Block Hosts and Networks tab. In the Never Block Hosts area, click the Add button or the Modify button.

Table M-96 Add Cat6k Block Vlan Dialog Box

Element Description

Vlan Identifies the VLANs on the Catalyst 6000 Series switch where blocks will be applied.

Pre VACL name The pre-VACL name assigned by the user.

Post VACL name The post-VACL name assigned by the user.

Table M-97 Never Block Hosts and Networks Tab

Element Description

Never Block Hosts The IP address of the trusted hosts that should never be blocked.

Add button Opens the Add Never Block Host dialog box.

Edit button Opens the Modify Never Block Host dialog box.

Delete button Removes the selected Never Block Host from the table.

Never Block Networks The network address of the trusted networks that should never be blocked.

Add button Opens the Add Never Block Network dialog box.

Edit button Opens the Modify Never Block Network dialog box.

Delete button Removes the selected Never Block Network from the table.


Field Reference

Never Block Networks Dialog Box

Use the Never Block Networks dialog box to add a trusted network to the list of those that should never be blocked. Also, use the Never Block Network dialog box to modify the list of networks that should never be blocked.

Navigation Path

(Device view) Select Platform > Security > Blocking from the Policy selector. Click the Never Block Hosts and Networks tab. In the Never Block Networks area, click the Add button or the Modify button.

Field Reference

IPS Updates Page

Use the IPS Updates page to perform some of the tasks associated with keeping your sensors up to date with regard to signatures, patches, service packs, and other updates. For more information, refer to IPS Updates Page, page A-17.

Virtual Sensors Page

Use the Virtual Sensors page to create and name virtual sensors on your Cisco IPS devices. The process of creating and naming virtual sensors on your Cisco IPS devices is sometimes called “virtualization.” The Virtual Sensors policy cannot be inherited or shared.

Note A Cisco IPS sensor monitors traffic that traverses (1) interfaces, (2) interface pairs, or (3) VLAN pairs assigned to a virtual sensor.

To create a virtual sensor, you need to assign signature policies, event action policies, and anomaly detection policies. To complete the virtualization process, you need to apply these policies to the virtual sensor.

You can assign one or more of the following types of interfaces to a virtual sensor:

• Promiscuous Interface

Table M-98 Add Never Block Hosts Dialog Box

Element Description

IP Address The IP address of the trusted host that should never be blocked.

Select... button Opens the Networks/Hosts Selector dialog box.

Table M-99 Add Never Block Networks Dialog Box

Element Description

IP Address The IP address of the trusted network that should never be blocked.

Select... button Opens the Networks/Hosts Selector dialog box.


• Inline Interface Pair

• Inline VLAN Pair

• Promiscuous VLAN Group

• Inline VLAN Group

A Promiscuous VLAN Group is a VLAN group assigned to a subinterface on an interface. The interface cannot already be used for an inline interface pair or an inline VLAN pair. There can be many promiscuous VLAN groups on the same promiscuous interface, but the VLANs assigned to them cannot overlap. Once a VLAN group is assigned to a promiscuous interface, that interface is no longer a plain promiscuous interface and can be used only for promiscuous VLAN groups.

An Inline VLAN Group is a VLAN group assigned to a subinterface of an existing inline interface pair. There can be many inline VLAN groups on the same inline interface pair, but the VLANs assigned to them cannot overlap. Once a VLAN group is assigned to an inline interface pair, that pair is no longer a plain inline interface pair and can be used only for inline VLAN groups.

VLAN groups cannot be assigned to Inline VLAN Pairs.
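The assignment constraints in the three paragraphs above, checked in code. This is an added example and not Security Manager code; the tuple-based representation of assignments, the interface names and the VLAN numbers are assumptions made for the example.

```python
"""Check virtual sensor interface assignments against the VLAN-group rules.

Added example, not Cisco code; the tuple representation is an assumption:
  ("promiscuous", iface)                       plain promiscuous interface
  ("inline_pair", iface_a, iface_b)            plain use of a defined pair
  ("inline_vlan_pair", iface, vlan_a, vlan_b)  inline VLAN pair on iface
  ("promiscuous_vlan_group", iface, frozenset(vlans))
  ("inline_vlan_group", (iface_a, iface_b), frozenset(vlans))
"""
from itertools import combinations

def _overlaps(where, groups):
    """VLAN groups on one interface or pair must not share VLAN numbers."""
    return [f"{where}: VLAN groups overlap on VLANs {sorted(g1 & g2)}"
            for g1, g2 in combinations(groups, 2) if g1 & g2]

def validate_assignments(assignments, defined_inline_pairs):
    """Return the list of rule violations; an empty list means consistent."""
    errors = []
    inline_members = {i for pair in defined_inline_pairs for i in pair}
    inline_vlan_pair_ifaces, plain_promisc, plain_pairs = set(), set(), set()
    promisc_groups, inline_groups = {}, {}
    for a in assignments:
        kind = a[0]
        if kind == "promiscuous":
            plain_promisc.add(a[1])
        elif kind == "inline_pair":
            plain_pairs.add((a[1], a[2]))
        elif kind == "inline_vlan_pair":
            inline_vlan_pair_ifaces.add(a[1])
        elif kind == "promiscuous_vlan_group":
            promisc_groups.setdefault(a[1], []).append(a[2])
        elif kind == "inline_vlan_group":
            inline_groups.setdefault(a[1], []).append(a[2])
    for iface, groups in promisc_groups.items():
        # The interface may not already be part of an inline pair or carry an inline VLAN pair.
        if iface in inline_members or iface in inline_vlan_pair_ifaces:
            errors.append(f"{iface}: promiscuous VLAN group on an interface used inline")
        # Once it hosts VLAN groups it is no longer a plain promiscuous interface.
        if iface in plain_promisc:
            errors.append(f"{iface}: plain promiscuous use conflicts with VLAN groups")
        errors.extend(_overlaps(iface, groups))
    for pair, groups in inline_groups.items():
        # Inline VLAN groups need an existing inline interface pair, which then
        # can no longer be used as a plain inline interface pair.
        if pair not in defined_inline_pairs:
            errors.append(f"{pair}: inline VLAN group needs a defined inline interface pair")
        if pair in plain_pairs:
            errors.append(f"{pair}: plain inline pair use conflicts with VLAN groups")
        errors.extend(_overlaps(f"pair {pair}", groups))
    return errors

# Constructed sample data; interface names and VLAN numbers are placeholders.
DEFINED_INLINE_PAIRS = {("GigabitEthernet0/0", "GigabitEthernet0/1")}
GOOD = [
    ("promiscuous_vlan_group", "GigabitEthernet0/2", frozenset({10, 20})),
    ("promiscuous_vlan_group", "GigabitEthernet0/2", frozenset({30, 40})),
    ("inline_vlan_group", ("GigabitEthernet0/0", "GigabitEthernet0/1"), frozenset({100})),
]
BAD = [
    ("promiscuous", "GigabitEthernet0/2"),                                   # plain + groups
    ("promiscuous_vlan_group", "GigabitEthernet0/2", frozenset({10, 20})),
    ("promiscuous_vlan_group", "GigabitEthernet0/2", frozenset({20, 30})),  # overlap on 20
    ("promiscuous_vlan_group", "GigabitEthernet0/0", frozenset({5})),       # inline member
    ("inline_pair", "GigabitEthernet0/0", "GigabitEthernet0/1"),           # plain + group
    ("inline_vlan_group", ("GigabitEthernet0/0", "GigabitEthernet0/1"), frozenset({100})),
    ("inline_vlan_group", ("GigabitEthernet0/3", "GigabitEthernet0/4"), frozenset({7})),  # undefined pair
]
```

Running `validate_assignments(GOOD, DEFINED_INLINE_PAIRS)` returns an empty list, while the BAD set produces one violation per commented line.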

Navigation Path

(Device view) Select IPS > Virtual Sensors from the Policy selector.

Related Topics

• Signature Policies, page M-1

• Event Action Policies, page M-59

• Anomaly Detection Page, page M-49

Field Reference

Table M-100 Virtual Sensors Table

Element Description

Name The name of the virtual sensor. The default virtual sensor is “vs0.”

Assignment The interfaces or interface pairs that belong to this virtual sensor.

Anomaly Detection Mode The mode (detect, inactive, learn) that anomaly detection is operating in.

Inline TCP Session Tracking Mode Interface and VLAN, VLAN only, or Virtual Sensor.

Normalizer Mode Allows the choice of strict evasion protection mode or asymmetric mode.

Description The description of the virtual sensor.

Add button Opens the Add Virtual Sensor dialog box.

Edit button Opens the Edit Virtual Sensor dialog box.

Delete button Removes the selected virtual sensor(s) from the table. The Delete button is enabled only when one or more virtual sensors other than the default virtual sensor (vs0) are present, because vs0 cannot be deleted.


Add Virtual Sensor Dialog Box

Use the Add Virtual Sensor dialog box to add a virtual sensor.

Navigation Path

(Device view) Select IPS > Virtual Sensors from the Policy selector. Click the Add button.

Related Topics

• Virtual Sensors Page, page M-100

• Understanding Normalizer Mode, page 16-13

Field Reference

Edit Virtual Sensor Dialog Box

Use the Edit Virtual Sensor dialog box to modify the policies assigned to a virtual sensor.

Navigation Path

(Device view) Select IPS > Virtual Sensors from the Policy selector. Select a row. Click the Edit button.

Related Topics

• Virtual Sensors Page, page M-100

• Understanding Normalizer Mode, page 16-13

Table M-101 Add Virtual Sensor Dialog Box

Element Description

Virtual Sensor Name The name of the virtual sensor. The default virtual sensor is “vs0.” The virtual sensor name must contain fewer than 64 characters and must not use spaces.

Assignments The interfaces or interface pairs that belong to this virtual sensor.

Anomaly Detect The mode (detect, inactive, learn) that anomaly detection is operating in.

Inline TCP Session Interface and VLAN, VLAN only, or Virtual Sensor.

Normalizer Mode Allows the choice of strict evasion protection mode or asymmetric mode.

Description The description of the virtual sensor.


Field Reference

General Settings Page

The General Settings page applies to IOS IPS devices. Use the General Settings page to specify the global settings used for IPS properties defined for a particular router.

Navigation Path

(Device view) Select IPS > General Settings from the Policy selector.

Related Topics

• Interface Rules Page, page M-105

Field Reference

Table M-102 Edit Virtual Sensor Dialog Box

Element Description

Virtual Sensor Name The name of the virtual sensor. The default virtual sensor is “vs0.” You cannot edit the virtual sensor name.

Tip If you find that the name of a virtual sensor is unacceptable, you can delete that virtual sensor and add a new virtual sensor with a name that is acceptable.

The maximum number of characters allowed in the name of the virtual sensor is 64, and blank spaces are not allowed.

Assignments The interfaces or interface pairs that belong to this virtual sensor.

Anomaly Detect The mode (detect, inactive, learn) that anomaly detection is operating in.

Inline TCP Session Interface and VLAN, VLAN only, or Virtual Sensor.

Normalizer Mode Allows the choice of strict evasion protection mode or asymmetric mode.

Description The description of the virtual sensor.

Table M-103 General Settings Page

Element Description

Block Traffic when IPS engine is unavailable check box If selected, this option specifies that all traffic should be denied if the IPS engine is unavailable. Otherwise, traffic is allowed to pass in accordance with the other rules in place on the router.


Apply Deny Action On This option is applicable if signature actions are configured to “denyAttackerInline” or “denyFlowInline.” By default, Cisco IPS applies ACLs to the interfaces from which attack traffic came, and not to Cisco IPS interfaces. Enabling this option causes Cisco IPS to apply the ACLs directly to the Cisco IPS interfaces, and not to the interfaces that originally received the attack traffic. If the router is not performing load balancing, do not enable this setting. If the router is performing load balancing, we recommend that you enable this setting.

Select one of the following values:

• Ingress Interface. Specifies that the deny action should be enforced by the interface attached to the network from which the traffic originated.

• IPS enabled interface. Specifies that the deny action should be enforced by the interface on which the triggered IPS rule is applied.

SDEE Properties

Maximum Subscriptions Identifies the maximum number of concurrent SDEE subscriptions allowed, in the range of 1-3. An SDEE subscription is a live feed of SDEE events.

The default value is 1.

Maximum Alerts Identifies the maximum number of SDEE alerts that you want the router to store, in the range of 10-2000. Storing more alerts uses more router memory.

The default value is 200.

Maximum Messages Identifies the maximum number of SDEE messages that you want the router to store, in the range of 10-500. Storing more messages uses more router memory.

The default value is 200.

IPS Config Location Properties


Interface Rules Page

Cisco IPS rules specify the interface or interfaces, and the direction of traffic relative to those interfaces, that Cisco IPS is to examine. Additionally, an interface rule may define a subset of the IP traffic to be examined by assigning an ACL that selects or filters IP traffic.

The Interface Rules page summarizes the rules currently applied, and it allows you to add rules that define which traffic flows through the router should be inspected using the defined signature policy.

Navigation Path

(Device view) Select IPS > Interface Rules from the Policy selector.

Related Topics

• General Settings Page, page M-103

• Add IPS Rule Dialog Box, page M-106

• Adding Pair Dialog Box, page M-107

IPS Config Location Identifies the location in which the router saves IOS IPS-specific configuration files. These files are updated automatically every time the IOS IPS configuration is changed or updated from Security Manager. When the router reboots, the IOS IPS configuration is retrieved and restored from these files.

To specify a location on the router, enter the directory in which you want to store the configuration information.

Note If the router has a LEFS-based file system, you will be unable to create a directory in router memory. In this case, flash: is used as the config location.

To specify a location on a remote system, specify the protocol and path of the URL needed to reach the location. For example, if you want to save the config files to an HTTP server, then enter http://172.27.108.5/ips-cfg.

The other supported protocols for saving the IOS IPS configuration files are http://, https://, ftp://, rcp://, scp://, and tftp://.

Max retries If a configuration location is specified in the IPS Config Location field, specify how many times the router is to attempt to contact the remote system.

The default value is 1.

Timeout seconds between retries If a configuration location is specified in the IPS Config Location field, specify how long the router is to wait before attempting to contact the configuration location again.

The default value is 0.


Field Reference

Add IPS Rule Dialog Box

Use the Add IPS Rule dialog box to specify the traffic flows to be inspected using the active signature policy.

Navigation Path

(Device view) Select IPS > Interface Rules from the Policy selector. Click the Add button.

Related Topics

• Signatures Page, page M-1

• General Settings Page, page M-103

• Interface Rules Page, page M-105

• Adding Pair Dialog Box, page M-107

Field Reference

Table M-104 Interface Rules Page

Element Description

Enable IPS check box When selected, enables the deployment of IOS IPS configuration to the device. If Enable IPS is unchecked, IPS rules are removed from all the router interfaces, which disables IPS. Also, no signature or event action policy will be deployed.

No. Identifies the rule number. The ordering has no effect on traffic monitoring.

Rule Name Identifies the IPS rule name.

ACL Name Identifies the ACL, and thereby the traffic flow, to be inspected using the signature policy.

Interface (Direction) Identifies the interfaces and directions to which the IPS rule applies.

Add button Opens the Add IPS Rule dialog box.

Edit button Opens the Edit IPS Rule dialog box. If more than one row is selected, the Edit row option is disabled.

Delete button Removes the selected rule(s) from the table.

Table M-105 Add IPS Rule Dialog Box

Element Description

Rule Name Identifies a unique name for this IPS rule. IPS rule names are not case sensitive: you cannot use a rule name that contains the same characters as a previously defined name but in a different case. For example, MYRULE and MyRule are the same name.


Adding Pair Dialog Box

Use the Adding Pair dialog box to identify the traffic flows, based on an interface and traffic direction pair, that the selected IPS rule inspects.

Navigation Path

(Device view) Select IPS > Interface Rules from the Policy selector. Click the Add button to open the Add IPS Rule dialog box. Then, click the Add button in the Add IPS Rule dialog box itself.

Related Topics

• General Settings Page, page M-103

• Interface Rules Page, page M-105

• Add IPS Rule Dialog Box, page M-106

ACL Name Specifies an ACL name. Click Select either to select a predefined ACL object or to create a new one. The ACL determines which traffic the IPS rule monitors, according to the ACEs defined: permit entries cause the matching traffic to be monitored by the IPS rule, and deny entries cause the matching traffic to be ignored by the IPS rule. When no ACL is defined, all traffic in the configured direction is monitored.

Tip All ACLs have an implicit deny all as the last entry. Remember to always specify the traffic to be monitored as a permit entry when using ACLs.

Select button Allows you to select from existing ACLs or define a new one. The selected value populates the ACL Name field.

Add button Opens the Adding Pair dialog box.

Edit button Opens the Editing Pair dialog box. If more than one row is selected, the Edit row option is disabled.

Delete button Deletes the selected rule(s) from the table.


Field Reference

Table M-106 Adding Pair Dialog Box

Element Description

Direction Identifies whether the rule is to be applied to inbound traffic or outbound traffic. If you select both, the rule applies to traffic flowing in both directions.

Select one of the following values:

• In. Specifies that this IPS rule should be applied to inbound traffic on the selected interface.

• Out. Specifies that this IPS rule should be applied to outbound traffic on the selected interface.

• Both. Specifies that this rule should be applied to both inbound and outbound traffic on the selected interface.

Interfaces Identifies the interfaces on which to apply this Cisco IPS rule. Click Select either to select a predefined interface or to create a new one.

Select button Displays the list of interfaces defined for this router. You can select one or more of the interfaces to populate the Interfaces field.
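The traffic-selection semantics of the ACL Name field (Table M-105) and the Direction field (Table M-106), worked through in code: which packets an interface rule hands to the signature engine, and why a deny-only ACL inspects nothing. This is an added example and not Cisco code; the interface names, addresses and rule names are constructed placeholders.

```python
"""Model of how an IOS IPS interface rule selects traffic for inspection.

Added example, not Cisco code. It follows the semantics the Interface
Rules reference gives: a rule is bound to (interface, direction) pairs,
an optional ACL narrows the flow, permit ACEs select traffic, deny ACEs
exclude it, every ACL ends with an implicit deny, a rule without an ACL
inspects everything on its pairs, and rule names are case-insensitive.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Set, Tuple

@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network

@dataclass
class IpsRule:
    name: str
    pairs: Set[Tuple[str, str]]        # (interface, "in" | "out" | "both")
    acl: Optional[List[Ace]] = None    # None: no ACL, inspect all traffic

    def covers(self, interface: str, direction: str) -> bool:
        """True if the rule is applied to this interface in this direction."""
        return any(i == interface and d in (direction, "both") for i, d in self.pairs)

def acl_selects(acl: List[Ace], src: IPv4Address, dst: IPv4Address) -> bool:
    """First-match evaluation; falling off the end is the implicit deny."""
    for ace in acl:
        if src in ace.src and dst in ace.dst:
            return ace.action == "permit"
    return False

def inspected_by(rules, interface, direction, src, dst) -> List[str]:
    """Names of the rules that hand this packet to the signature engine."""
    src, dst = IPv4Address(src), IPv4Address(dst)
    return [r.name for r in rules
            if r.covers(interface, direction)
            and (r.acl is None or acl_selects(r.acl, src, dst))]

def name_conflicts(rules, candidate: str) -> bool:
    """Rule names that differ only in case count as the same name."""
    return any(r.name.lower() == candidate.lower() for r in rules)

# Constructed sample configuration; interface names and addresses are
# placeholders chosen for the example.
ANY = IPv4Network("0.0.0.0/0")
LAN = IPv4Network("10.0.0.0/24")
MGMT = IPv4Network("10.0.0.0/29")      # management hosts inside the LAN
SAMPLE_RULES = [
    IpsRule("WAN-IN", {("GigabitEthernet0/0", "in")}),          # no ACL
    IpsRule("LAN-BOTH", {("GigabitEthernet0/1", "both")},
            acl=[Ace("deny", MGMT, ANY), Ace("permit", LAN, ANY)]),
    # Deny-only ACL: with the implicit deny nothing is ever inspected,
    # which is the mistake the Tip on the ACL Name field warns about.
    IpsRule("DMZ-OUT", {("GigabitEthernet0/2", "out")},
            acl=[Ace("deny", IPv4Network("203.0.113.0/24"), ANY)]),
]

if __name__ == "__main__":
    print(inspected_by(SAMPLE_RULES, "GigabitEthernet0/1", "in",
                       "10.0.0.50", "198.51.100.7"))   # ['LAN-BOTH']
```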
