
Managing Cisco IPS Sensors


Overview

This lesson provides information on how to monitor the health and welfare of your sensor. There are a variety of tools that you can use to examine the status of your Cisco Intrusion Prevention System (IPS) sensors, including the command-line interface (CLI), the Cisco IPS Device Manager (IDM), the Cisco Security Manager, and Simple Network Management Protocol (SNMP).

Objectives

Upon completing this lesson, you will be able to use the CLI and the Cisco IDM to verify sensor configuration. This ability includes being able to meet these objectives:

Explain the various CLI commands used for sensor monitoring

Describe the Cisco IDM as a tool to perform sensor monitoring

Describe Cisco Security Manager as a tool to perform sensor monitoring

Describe SNMP as a tool to perform sensor monitoring


Using the CLI to Monitor the Sensor

This topic explains how to use the CLI to display information about your sensor.

The sensor CLI contains a number of commands that enable you to obtain valuable information about your sensor and can be very useful for troubleshooting. These commands can provide the following information:

Cisco Product Evolution Program (PEP) information

Service statistics

Interface statistics

Details about traffic traversing an interface

Technical support information


Cisco devices, including intrusion prevention sensors, have a Unique Device Identifier (UDI) that enables you to easily and efficiently manage certified hardware versions within your network. These are characteristics of the UDI:

It is guaranteed to be unique for all Cisco devices.

It can be retrieved via the CLI or an SNMP MIB.

Methods of retrieving it are platform independent.

It includes product version traceability.

It is a deliverable of Cisco PEP, a new architecture baseline for all Cisco products.

It is made up of the following three values:

Product identifier (PID): This indicates a product that can be ordered by a customer. These items are used by the customer, sales, customer service, Global Product Services, and manufacturing to transact an order for a certain product. The naming convention is alphanumeric.

Version identifier (VID): This indicates the version of a product identifier. The naming convention is a three-character field comprising the letter v followed by a two-character number starting at 00 and incrementing until the product version reaches 99. The v character may be uppercase or lowercase, for example, v03 or V21.

SN: This is the product serial number.

The UDI provides the following benefits:


Gives you the ability to electronically inventory Cisco products accurately and reliably

Simplifies product identification

Provides consistent product identification across products

The show inventory command can be used to display Cisco PEP UDI information. The output of this command varies depending on the sensor platform. The following is an example of show inventory command output:

sensor# show inventory
NAME: "Chassis", DESCR: "Chasis-4240"
PID: 4240-515E , VID: V04, SN: 639156

You can retrieve Cisco PEP information from a Cisco IPS sensor only if the Cisco PEP information is stored in the sensor. This information is currently stored only in the Cisco IPS 4240 and 4255 Sensors. Therefore, the show inventory command is currently available only on these sensors.
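The UDI rules above (a VID of the letter v plus a two-digit number, an alphanumeric PID, and a serial number that is unique across devices) can be checked mechanically when you collect show inventory output from several sensors. The following is an added example, not Cisco code: it parses the NAME/DESCR and PID/VID/SN lines in the format shown above, validates each UDI against those rules, and merges the results into an inventory keyed by serial number, flagging any serial reported twice. The sample for SENSOR_A is the lesson's own output; SENSOR_B, its PID and serial, the hyphen allowance in the PID check and the host labels are constructed for the example.

```python
"""Build a hardware inventory from Cisco IPS `show inventory` output.

Added example, not Cisco code. It parses the PEP/UDI lines shown in the lesson
(NAME/DESCR and PID/VID/SN) and checks each UDI against the rules the lesson
gives: the VID is the letter v (either case) plus a two-digit number 00-99,
the PID is alphanumeric, and the UDI (serial number here) must be unique.
"""
import re

# Sample output copied from the lesson.
SENSOR_A = '''sensor# show inventory
NAME: "Chassis", DESCR: "Chasis-4240"
PID: 4240-515E , VID: V04, SN: 639156
'''

# Constructed second sensor (placeholder PID and serial, not real values).
SENSOR_B = '''sensor2# show inventory
NAME: "Chassis", DESCR: "Chassis-4255"
PID: 4255-CONSTRUCTED , VID: v01, SN: CONSTRUCTED01
'''

NAME_RE = re.compile(r'NAME:\s*"([^"]*)",\s*DESCR:\s*"([^"]*)"')
UDI_RE = re.compile(r'PID:\s*(?P<pid>\S+)\s*,\s*VID:\s*(?P<vid>\S+)\s*,\s*SN:\s*(?P<sn>\S+)')
VID_RE = re.compile(r'^[vV]\d{2}$')          # v00 .. V99, per the lesson
PID_RE = re.compile(r'^[A-Za-z0-9-]+$')      # alphanumeric; hyphen allowed (assumption)


def parse_inventory(output):
    """Return one dict (name, descr, pid, vid, sn) per inventory item."""
    items, name, descr = [], None, None
    for line in output.splitlines():
        m = NAME_RE.search(line)
        if m:
            name, descr = m.groups()
            continue
        m = UDI_RE.search(line)
        if m:
            items.append({"name": name, "descr": descr, **m.groupdict()})
            name, descr = None, None
    return items


def check_udi(item):
    """Return a list of rule violations for one UDI (empty means well formed)."""
    problems = []
    if not PID_RE.match(item["pid"]):
        problems.append(f"PID {item['pid']!r} is not alphanumeric")
    if not VID_RE.match(item["vid"]):
        problems.append(f"VID {item['vid']!r} is not of the form v00-v99")
    if not item["sn"]:
        problems.append("serial number is empty")
    return problems


def build_inventory(outputs):
    """Merge per-host outputs into {serial: item}; report malformed or duplicate UDIs.

    `outputs` maps a host label to that host's `show inventory` text.
    """
    inventory, problems = {}, []
    for host, text in outputs.items():
        for item in parse_inventory(text):
            problems.extend(f"{host}: {p}" for p in check_udi(item))
            sn = item["sn"]
            if sn in inventory:
                problems.append(f"{host}: serial {sn} already reported by {inventory[sn]['host']}")
            else:
                inventory[sn] = {"host": host, **item}
    return inventory, problems


if __name__ == "__main__":
    inv, issues = build_inventory({"sensor-a": SENSOR_A, "sensor-b": SENSOR_B})
    for sn, item in inv.items():
        print(f"{sn:>16}  {item['pid']:<20} {item['vid']}  ({item['host']})")
    print("problems:", issues or "none")
```

A duplicate serial in the merged inventory is worth investigating, since the lesson states the UDI is guaranteed unique: it usually means the same sensor was polled under two labels, or a report was copied rather than collected.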

Statistics provide a snapshot of the current internal state of sensor services; therefore, they can be very useful for troubleshooting. You can use the show statistics command to display statistics. The statistics content is specific to the service that provides it.

The syntax for the show statistics command is as follows:

show statistics {analysis-engine | authentication | denied-attackers | event-server | event-store | host | logger | network-access | notification | sdee-server | transaction-source | virtual-sensor [name] | web-server} [clear]


You can use the show interfaces command to display statistics for all sensor interfaces. You can display statistics simultaneously for all interfaces or for all interfaces of a specified type. You can also display statistics for a specific interface. The clear option clears statistics that can be reset.

The syntax for the show interfaces command is as follows:

show interfaces {fastethernet | gigabitethernet | management} [slot/port]

show interfaces [clear]


The following example shows how to display statistics for a specific Fast Ethernet interface:

Sensor1# show interfaces FastEthernet0/1
MAC statistics from interface FastEthernet0/1
   Media Type = TX
   Missed Packet Percentage = 0
   Inline Mode = Paired with interface FastEthernet1/0
   Pair Status = Up
   Link Status = Up
   Link Speed = Auto_10
   Link Duplex = Auto_Half
   Total Packets Received = 9513
   Total Bytes Received = 863646
   Total Multicast Packets Received = 0
   Total Broadcast Packets Received = 0
   Total Jumbo Packets Received = 0
   Total Undersize Packets Received = 0
   Total Receive Errors = 0
   Total Receive FIFO Overruns = 0
   Total Packets Transmitted = 9872
   Total Bytes Transmitted = 994518
   Total Multicast Packets Transmitted = 0
   Total Broadcast Packets Transmitted = 0
   Total Jumbo Packets Transmitted = 0
   Total Undersize Packets Transmitted = 0
   Total Transmit Errors = 0
   Total Transmit FIFO Overruns = 0
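Reading this output by eye works for one interface; for a sensor checked on a schedule it helps to turn it into findings. The following is an added example, not Cisco code: it parses the "key = value" block in the format above and reports the conditions an operator would want to know about, namely a link or inline pair that is not Up, a non-zero missed packet percentage (traffic the sensor could not inspect), and any non-zero error or FIFO overrun counter. SAMPLE_HEALTHY is a subset of the lesson's output; SAMPLE_DEGRADED, the missed_pct_limit parameter and the function names are constructed for the example.

```python
"""Health findings from Cisco IPS `show interfaces` output.

Added example (not Cisco code): parses the "key = value" statistics block
shown in the lesson and lists conditions worth an operator's attention.
"""
import re

# Output as printed in the lesson (healthy interface, abridged).
SAMPLE_HEALTHY = """Sensor1# show interfaces FastEthernet0/1
MAC statistics from interface FastEthernet0/1
   Media Type = TX
   Missed Packet Percentage = 0
   Inline Mode = Paired with interface FastEthernet1/0
   Pair Status = Up
   Link Status = Up
   Link Speed = Auto_10
   Link Duplex = Auto_Half
   Total Packets Received = 9513
   Total Bytes Received = 863646
   Total Receive Errors = 0
   Total Receive FIFO Overruns = 0
   Total Packets Transmitted = 9872
   Total Bytes Transmitted = 994518
   Total Transmit Errors = 0
   Total Transmit FIFO Overruns = 0
"""

# Constructed sample (not from the lesson) showing a degraded interface.
SAMPLE_DEGRADED = """Sensor1# show interfaces FastEthernet0/1
MAC statistics from interface FastEthernet0/1
   Media Type = TX
   Missed Packet Percentage = 12
   Inline Mode = Paired with interface FastEthernet1/0
   Pair Status = Down
   Link Status = Up
   Total Packets Received = 9513
   Total Receive Errors = 0
   Total Receive FIFO Overruns = 37
   Total Transmit Errors = 0
"""

HEADER_RE = re.compile(r"^MAC statistics from interface (\S+)")
KV_RE = re.compile(r"^\s*([^=]+?)\s*=\s*(.*\S)\s*$")


def parse_show_interfaces(text):
    """Return {interface_name: {statistic: value}}; integer counters become ints."""
    stats, current = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            current = m.group(1)
            stats[current] = {}
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            key, value = m.group(1), m.group(2)
            stats[current][key] = int(value) if re.fullmatch(r"-?\d+", value) else value
    return stats


def interface_findings(stats, missed_pct_limit=0):
    """Return human-readable findings; an empty list means nothing to report."""
    findings = []
    for name, s in stats.items():
        if s.get("Link Status") != "Up":
            findings.append(f"{name}: link status is {s.get('Link Status', 'unknown')}")
        if "Pair Status" in s and s["Pair Status"] != "Up":
            findings.append(f"{name}: inline pair status is {s['Pair Status']}")
        missed = s.get("Missed Packet Percentage", 0)
        if isinstance(missed, int) and missed > missed_pct_limit:
            findings.append(f"{name}: missed packet percentage is {missed}")
        # Any error or overrun counter above zero is reported by name.
        for key, value in s.items():
            if isinstance(value, int) and value > 0 and ("Errors" in key or "FIFO Overruns" in key):
                findings.append(f"{name}: {key} = {value}")
    return findings


if __name__ == "__main__":
    for label, sample in (("healthy", SAMPLE_HEALTHY), ("degraded", SAMPLE_DEGRADED)):
        found = interface_findings(parse_show_interfaces(sample))
        print(label, "->", found or ["no findings"])
```

Because the counters are cumulative, a non-zero error count only tells you something has happened since the last clear; running show interfaces clear after recording a baseline, and then comparing successive snapshots, separates old history from current trouble.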


To display operating system IDs associated with the IP addresses learned by the sensor through passive analysis, use the show os-identification command in privileged EXEC mode. The syntax for the show os-identification command is show os-identification [name] learned [ip-address].

Note You must be an administrator, operator, or viewer to run this command.

If you specify the name of a virtual sensor, only the operating system IDs for the specified virtual sensor are displayed; otherwise, the learned operating system IDs for all virtual sensors are displayed. If you specify an IP address without a virtual sensor, the output displays all virtual sensors containing the requested IP address.

The following example displays the operating system ID for a specific IP address:


sensor# show os-identification learned 10.1.1.12
Virtual Sensor vs0:
  10.1.1.12   windows

The following example displays the operating system ID for all of the virtual sensors:

sensor# show os-identification learned
Virtual Sensor vs0:
  10.1.1.12   windows
Virtual Sensor vs1:
  10.1.0.1    unix
  10.1.0.2    windows
  10.1.0.3    windows

Use the show ad-knowledge-base command to display the anomaly detection knowledge base files available for a virtual sensor. The syntax for the command is show ad-knowledge-base virtual-sensor files.

Note You must be an administrator, operator, or viewer to run this command.


The following example displays the knowledge base files available for all of the virtual sensors. The file 2007-Mar-16-10_00_00 is the current knowledge base file loaded for virtual sensor vs0.

sensor# show ad-knowledge-base files
Virtual Sensor vs0
  Filename                Size  Created
  initial                   84  04:27:07 CDT Wed Jan 28 2007
* 2006-Jan-29-10_00_01      84  04:27:07 CDT Wed Jan 29 2007
  2006-Mar-17-10_00_00      84  10:00:00 CDT Fri Mar 17 2007
  2006-Mar-18-10_00_00      84  10:00:00 CDT Sat Mar 18 2007


The asterisk (*) before the filename indicates that the knowledge base file is currently loaded. A current knowledge base always exists (after installation it is the initial knowledge base). The asterisk marks the knowledge base that anomaly detection is using, or, if anomaly detection is not currently active, the one that is loaded for it.

If you do not provide the name of the virtual sensor, the knowledge base files are displayed for all of the virtual sensors.

Note The initial knowledge base has factory-configured thresholds.

The show tech-support command captures all status and configuration information on the sensor. The command allows the information to be transferred to a remote system. The output includes HTML-linked output from the following commands and can be very large:

show interfaces

show statistics network-access

cidDump

The cidDump command captures a large amount of information, including the process list, log files, operating system information, directory listings, package information, and configuration files. This information is needed by developers to troubleshoot problems.

The syntax for the show tech-support command is as follows:

show tech-support [page] [password] [destination-url destination-url]

The exact format of the destination URL varies according to the file. You can select a filename, but it must be terminated by .html.

You can specify the following destination types:

ftp: This is the destination URL for the FTP network server. The syntax for this prefix is as follows: ftp:[[//username@location]/relativeDirectory]/filename or ftp:[[//username@location]//absoluteDirectory]/filename

scp: This is the destination URL for the SCP network server. The syntax for this prefix is as follows: scp:[[//username@]location]/relativeDirectory]/filename or scp:[[//username@]location]//absoluteDirectory]/filename


Using the Cisco IDM to Monitor the Sensor

This topic explains how to use the Cisco IDM to run a diagnostics report and view statistics and system information.

You can obtain diagnostics information about your sensors for troubleshooting purposes by running a diagnostics report. Complete the following steps to run a diagnostics report.

Caution After you start the diagnostics process, do not click any other options in the Cisco IDM or leave the Diagnostics panel. This process must run to completion before you attempt to perform any other tasks for the sensor.

Step 1 Click Monitoring and choose Support Information > Diagnostics Report. The Diagnostics Report panel is displayed.

Step 2 Click Generate Report. The diagnostics process begins and may continue for several minutes. When the process is complete, a report is generated and the display is refreshed with the updated report.

Note To save the report as a file, view the report in your browser and choose File > Save As.


The Statistics panel shows statistics for the following:

Analysis Engine

Event Server

Event Store

Host

Interface Configuration

Logger

Network Access

Notification

Transaction Server

Transaction Source

Web Server

To display statistics for your sensor, complete the following steps:

Step 1 Click Monitoring and choose Support Information > Statistics. The Statistics page is displayed.

Step 2 To update statistics as they change, click Refresh. Refresh displays the latest information about the sensor applications.


The System Information panel displays the following information:

Cisco Technical Assistance Center (TAC) contact information

Type of sensor

Software version

Status of applications

Upgrades installed

Cisco PEP information

Complete the following steps to view system information:

Step 1 Click Monitoring and choose Support Information > System Information.

Step 2 The System Information panel displays information about the system.

Step 3 Click Refresh. The panel refreshes and displays new information.


Monitoring Using Cisco Security Manager

This topic describes how to use Cisco Security Manager to monitor a Cisco IPS sensor.

Cisco Security Manager is a powerful but very easy-to-use solution to centrally provision all aspects of device configurations and security policies for Cisco firewalls, Cisco virtual private networks (VPNs), and Cisco IPS sensors. The solution is effective for managing even small networks consisting of fewer than 10 devices, but also scales to efficiently manage large-scale networks composed of thousands of devices. Scalability is achieved through intelligent policy-based management techniques that can simplify administration.

Note Cisco Security Manager Version 3.1 or later is required to install or configure Cisco IPS Sensor Software Version 6.0.


You can configure the sensor for monitoring by SNMP, an application layer protocol that facilitates the exchange of management information among network devices. SNMP enables you to manage network performance, find and solve network problems, and plan for network growth.

SNMP is a simple request-and-response protocol. An SNMP network management system (NMS) issues a request, and managed devices return responses. This behavior is implemented using one of the following protocol operations: Get, GetNext, Set, and Trap. Cisco IPS Sensor Software Version 6.0 currently implements the Get and Set SNMP operations. The Get operation is used by the NMS to retrieve information from an agent. The Set operation is used by the manager to set the values of object instances within an agent.

Complete the following steps to configure the sensor so that it can be monitored by SNMP:

Step 1 Click Configuration and choose SNMP > SNMP General Configuration. The SNMP General Configuration panel is displayed.

Step 2 Check the Enable SNMP Gets/Sets check box to enable SNMP so that the SNMP NMS can issue requests to the sensor SNMP agent.

Step 3 Complete the following substeps to configure the SNMP Agent Parameters, which are the values that the NMS can request from the sensor SNMP agent.

1. Enter the read-only community string in the Read-Only Community String field. This entry identifies the community string for read-only access.


2. Enter the read-write community string in the Read-Write Community String field. This entry identifies the community string for read and write access.

Note The management workstation sends SNMP requests to the sensor SNMP agent, which resides on the sensor. If the management workstation issues a request and the community string does not match what is on the sensor, the sensor rejects it.

3. Enter the sensor contact user ID in the Sensor Contact field. The sensor contact identifies the point of contact for the sensor.

4. Enter the location of the sensor in the Sensor Location field.

5. Enter the sensor port for its SNMP agent in the Sensor Agent Port field. This entry identifies the sensor IP port. The default SNMP port number is 161.

6. From the Sensor Agent Protocol drop-down menu, choose the protocol that the sensor SNMP agent will use. The Sensor Agent Protocol identifies the sensor protocol. The default protocol is User Datagram Protocol (UDP).

Note If you want to undo your changes, click Reset. Reset refreshes the panel by replacing any edits that you made with the previously configured value.
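The values entered in substeps 1 through 6 decide who can read from and who can write to the sensor: the read-only string grants Get, the read-write string grants Set, and a request whose community string does not match is rejected. The following is an added example, not Cisco code, that reviews a set of those panel values before they are applied. The field names mirror the panel, but the dictionary keys, the list of well-known default community strings, the minimum-length policy and the treatment of a blank read-write string as "no write access configured" are this example's assumptions; the two configurations it checks are constructed.

```python
"""Review of SNMP General Configuration values from the Cisco IDM panel.

Added example, not Cisco code. Keys mirror the panel fields described in the
lesson; the thresholds and default-string list are assumptions of this example.
"""

WELL_KNOWN_DEFAULTS = {"public", "private"}  # assumption: commonly shipped defaults
MIN_COMMUNITY_LEN = 8                        # assumption: local policy minimum

# Constructed configurations (not from the lesson).
WEAK_CONFIG = {
    "enable_gets_sets": True,
    "read_only_community": "public",
    "read_write_community": "public",
    "sensor_contact": "admin",
    "sensor_location": "closet",
    "agent_port": 161,
    "agent_protocol": "UDP",
}
HARDENED_CONFIG = {
    "enable_gets_sets": True,
    "read_only_community": "ro-constructed-example-9f2x",
    "read_write_community": "",          # assumption: blank means no Set access
    "sensor_contact": "noc@example.com",
    "sensor_location": "DC1 rack 4",
    "agent_port": 161,
    "agent_protocol": "UDP",
}


def review_snmp_config(cfg):
    """Return a list of (severity, message) tuples; an empty list means no concerns."""
    findings = []
    if not cfg.get("enable_gets_sets", False):
        return findings  # agent does not answer requests; nothing is exposed
    ro = cfg.get("read_only_community", "")
    rw = cfg.get("read_write_community", "")
    for label, community in (("read-only", ro), ("read-write", rw)):
        if not community:
            continue
        if community.lower() in WELL_KNOWN_DEFAULTS:
            findings.append(("high", f"{label} community string is a well-known default"))
        elif len(community) < MIN_COMMUNITY_LEN:
            findings.append(("medium", f"{label} community string is shorter than "
                                       f"{MIN_COMMUNITY_LEN} characters"))
    if rw:
        if rw == ro:
            # The agent matches the string to an access level, so an identical
            # string gives every read-only client Set access as well.
            findings.append(("high", "read-write string equals read-only string: "
                                     "every read-only client can issue Set"))
        else:
            findings.append(("info", "read-write community configured: the NMS can "
                                     "issue Set operations; confirm it needs write access"))
    if cfg.get("agent_port", 161) != 161:
        findings.append(("info", f"agent listens on non-default port {cfg['agent_port']}"))
    if cfg.get("agent_protocol", "UDP").upper() != "UDP":
        findings.append(("info", f"agent protocol is {cfg['agent_protocol']}, not the default UDP"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label)
        for severity, message in review_snmp_config(cfg) or [("ok", "no concerns")]:
            print(f"  [{severity}] {message}")
```

The review runs on the values you intend to enter, so it fits naturally before Step 4 (Apply); the same function can be run again against the values read back from the panel to confirm what was saved.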

Step 4 Click Apply to apply your changes and save the revised configuration.

Summary

This topic summarizes the key points that were discussed in this lesson.