Cisco IDS Easy Configuration
Contents
I. IDS basics
II. IDSM installation and packet capture
III. IDM (IDS Device Manager) configuration
IV. IEV (IDS Event Viewer)
V. Troubleshooting
I. IPS/IDS
I.I IDS types by detection method

A. Signature-based IDS
A signature (misuse) based IDS captures packets and compares them against a signature database of known attacks, worms and viruses. Example: a string match on an HTTP request that asks for cmd.exe (GET .../cmd.exe) fires the cmd.exe signature.
Signature-based IDS terms
False positive: a packet that is not an attack matches a signature rule and raises an event.
False negative: an attack packet is not detected, typically because the signature has not been updated yet or the packet was lost during capture (packet loss on the sensing interface).
False positives are reduced by tuning. How much tuning is needed depends on the quality of the vendor's signatures; signatures can also be customized.
Signature-based IDS: characteristics
1. Known attacks are detected reliably.
2. A new attack is only detected once a signature update for it has been installed.
3. Signatures must be tuned before the IDS is usable.
4. Signature quality determines IDS quality; the market-leading IDS vendors compete on their signature sets.
B. Policy-based IDS
A policy-based IDS captures packets and raises an alarm/event when a packet violates the configured policy, for example IPX traffic on a segment where only IP is permitted. The policy, not a signature database, decides what counts as an event, so the IDS is tuned per site.
Policy-based IDS: characteristics
1. Detection is defined by configuration rather than by a signature database.
2. Low false positive rate, because the policy is very focused.
3. Like signatures, the policy needs tuning.
A policy-based IDS fits a segment with a narrow, well-known traffic profile where the attack surface can be focused on (e.g. a DMZ zone).
C. Anomaly-based IDS
An anomaly-based IDS alerts on traffic that deviates from the expected profile, e.g. UDP flooding or impossible IP packets (header combinations that cannot occur in normal traffic). Models are statistical (traffic rates measured against a learned baseline) or non-statistical (protocol behaviour rules).
Anomaly-based IDS: characteristics
No signature is needed, so attacks without a signature can be detected. It works best on a focused segment (e.g. a DMZ zone) where normal traffic is well defined, and it needs good reporting, because an anomaly alert has to be interpreted before it is acted on.
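The three detection methods in I.I, run side by side over a few constructed packet records. This is an added example for these slides, not Cisco IDS code: the packets, the custom signature ID (20001, in the 20000+ user range), the policy and the flood threshold are all made up. It also shows the false positive discussed under signature-based IDS, and how tuning the signature removes it.

```python
"""Signature-, policy- and anomaly-based detection over constructed packets.
Added illustration for the slides; packets, signature, policy and
threshold are assumed values, not a real capture or a real Cisco signature."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp", "icmp", "ipx", ...
    dport: int = 0
    payload: bytes = b""


# Constructed sample traffic: a cmd.exe exploit attempt, a benign page whose
# URL merely contains "cmd.exe", an IPX frame on an IP-only segment, and a
# burst of 250 UDP datagrams from one host.
SAMPLE = [
    Packet("10.0.0.5", "10.0.1.80", "tcp", 80,
           b"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0"),
    Packet("10.0.0.6", "10.0.1.80", "tcp", 80,
           b"GET /kb/how-to-lock-down-cmd.exe.html HTTP/1.0"),
    Packet("10.0.0.9", "10.0.1.1", "ipx"),
] + [Packet("10.0.0.7", "10.0.1.53", "udp", 53, b"\x00" * 40) for _ in range(250)]

# A. Signature (misuse) based: match payloads against a signature DB.
# ID 20001 is an assumed custom-range ID; the name is made up.
BUILTIN_SIGS = {20001: (re.compile(rb"cmd\.exe"), "cmd.exe string match")}
# Tuned variant: only the path Windows actually executes, so the KB page
# no longer fires (the false positive is gone, the true positive stays).
TUNED_SIGS = {20001: (re.compile(rb"system32/cmd\.exe(\?|\s|$)"),
                      "cmd.exe string match (tuned)")}


def signature_detect(packets, sigs=BUILTIN_SIGS):
    """Return (sig_id, name, src) for every packet a signature matches."""
    hits = []
    for p in packets:
        for sid, (pattern, name) in sigs.items():
            if pattern.search(p.payload):
                hits.append((sid, name, p.src))
    return hits


# B. Policy based: no attack knowledge, only "what is allowed here".
ALLOWED_PROTOS = {"tcp", "udp", "icmp"}


def policy_detect(packets, allowed=ALLOWED_PROTOS):
    """Return (proto, src) for packets whose protocol violates the policy."""
    return [(p.proto, p.src) for p in packets if p.proto not in allowed]


# C. Anomaly based (statistical): per-source UDP rate far above baseline.
UDP_FLOOD_THRESHOLD = 200   # datagrams per window, assumed


def anomaly_detect(packets, threshold=UDP_FLOOD_THRESHOLD):
    """Return (src, count) for sources exceeding the UDP datagram threshold."""
    counts = Counter(p.src for p in packets if p.proto == "udp")
    return [(src, n) for src, n in counts.items() if n > threshold]


if __name__ == "__main__":
    print("signature (built-in):", signature_detect(SAMPLE))
    print("signature (tuned):   ", signature_detect(SAMPLE, TUNED_SIGS))
    print("policy:              ", policy_detect(SAMPLE))
    print("anomaly:             ", anomaly_detect(SAMPLE))
```

The built-in string signature fires twice, once on the attack and once on the harmless KB page (the false positive); the tuned pattern fires only on the attack. The policy check needs no attack knowledge at all, and the anomaly check would also catch a UDP flood for which no signature exists.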
I.II IDS types by response

A. Passive IDS
On an event the sensor raises an alarm to the event management server, which logs it and produces reports. The traffic itself is not touched.
B. Active IDS
On an event the sensor raises an alarm to the event management server and additionally acts on the traffic (reset, block).
C. Passive IDS vs Active IDS, IDS vs IPS
An IPS is inline and processes traffic on an ASIC-based engine; an active IDS sits out of band and reacts after detection:
Connection reset: the sensor sends a TCP reset (RST) to both ends of the session. This works for TCP only; UDP and ICMP have no connection to reset.
IP blocking (shunning): the sensor pushes an ACL to a router, switch or firewall, which covers TCP, UDP and ICMP.
An IPS does this inline in hardware; an active IDS is an IDS with these responses added.
I.III Network IDS vs Host IDS
II. IPS/IDS
II.I IDSM (Intrusion Detection System Module) overview

A. The IDSM is a Catalyst 6500/7600 service module attached to the 720 Gbps switching fabric.

B. IDSM interfaces
Port 1: TCP reset interface (1 Gbps), used to send the TCP resets described in I.II.
Port 2: command and control port (management IP).
Ports 7 and 8: sensing interfaces (1 Gbps each), the packet capture interfaces.
II.II IDSM configuration steps
1. Assign the IDSM command and control port to a VLAN.
2. Run IDSM setup: IP address and the management ACL (which hosts may reach the IDSM).
3. Feed packets to the sensing ports with SPAN or VACL capture on the 7600/6500 backbone.
4. Tune with IDM or VMS.
II.II A. Verifying the module
  6500#show module <IDSM slot>
  Mod Ports Card Type                      Model              Serial No.
  --- ----- ------------------------------ ------------------ -----------
  <slot>  8 Intrusion Detection System     WS-SVC-IDSM-2      SAD0700DZ...

  Mod MAC addresses                       Hw    Fw        Sw          Status
  --- ----------------------------------- ----- --------- ----------- -------
  <slot> <MAC range>                      <Hw>  <Fw>      <Sw>        Ok

  Mod Sub-Module               Model           Serial          Hw   Status
  --- ------------------------ --------------- --------------- ---- -------
  <slot> IDS accelerator board WS-SVC-IDSUPG   0347339A...     <Hw> Ok

  Mod Online Diag Status
  --- -------------------
  <slot> Pass
Check: 1. the IDSM serial number, 2. the software/signature version (Sw column), 3. the module status (Ok), 4. the online diagnostic result (Pass).
II.II B. Assigning the command and control port (port 2) to the management VLAN
The management VLAN carries the IDSM IP address; the sensing ports 7 and 8 and the reset port 1 are configured separately.
Native IOS:
  intrusion-detection module 5 management-port access-vlan <vlan>
Hybrid OS (CatOS):
  set vlan <vlan> 5/2
II.II C. Opening a console session to the IDSM from the 7600/6500
Native IOS:
  6500#session slot <IDSM slot> processor 1      (e.g. session slot 5 processor 1)
Hybrid OS (CatOS):
  6500#session <IDSM slot>                       (e.g. session 5)
Native or Hybrid, over the internal network:
  6500#telnet 127.0.0.<IDSM slot + 10>           (e.g. telnet 127.0.0.15 for slot 5)
Tip (Native IOS): define an alias so the module is reached with one word
  6500#conf t
  6500(config)#alias exec idsm session slot <IDSM slot> processor 1
  6500#idsm
II.II C. Logging in to the IDSM
  6500#session slot <IDSM slot> processor 1
  The default escape character is Ctrl-^, then x.
  You can also type 'exit' at the remote prompt to end the session
  Trying 127.0.0.<IDSM slot + 10> ... Open

  login: cisco
  Password:
Enter the IDSM user ID and password (default user cisco; the password is the one set for the sensor, not the switch password).
  ***NOTICE***
  This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.
  A summary of U.S. laws governing Cisco cryptographic products may be found at: http://www.cisco.com/wwl/export/crypto
  If you require further assistance please contact us by sending email to export@cisco.com.
  sensor#
The prompt shows the sensor host name (sensor by default).
II.II D. CLI (command line interface) setup
  sensor#setup
  At any point you may enter a question mark '?' for help.
  Use ctrl-c to abort configuration dialog at any prompt.
  Default settings are in square brackets '[]'.
Setup first displays the current configuration:
  networkparams
  ipaddress <current ip>
  defaultgateway <current gateway>
  hostname sensor
  accesslist ipaddress <permitted network> netmask <netmask>
  exit
  timeparams
  summertimeparams
  active-selection none
  exit
  exit
  service webserver
  general
  ports 443
  exit
  exit
  Current time: Wed Jan 7 9:07:45 2004
  Setup Configuration last modified: Wed Jan 7 9:06:08 2004
II.II D. CLI setup, continued
  Continue with configuration dialog?[yes]:
  Enter host name[sensor]: IDSM                      ## sensor host name
  Enter IP address[<current ip>]: <sensor ip>        ## sensor IP address
  Enter netmask[255.255.255.0]: 255.255.255.0        ## sensor netmask
  Enter default gateway[<current gateway>]: <gateway>
  Enter telnet-server status[disabled]:              ## enable/disable the Telnet service; leave it disabled and use SSH/SSL
  Enter web-server port[443]:                        ## SSL port used by IDM
  Modify current access list?[no]: yes
  Current access list entries:
    [1] <network> 255.255.255.0
  Delete:
  Permit: <management host or network> <netmask>     ## only these addresses may reach the IDSM management port
  Permit:
II.II D. CLI setup, finishing
  Modify system clock settings?[no]:
  The following configuration was entered.
  networkparams
  ipaddress <sensor ip>
  netmask 255.255.255.0
  defaultgateway <gateway>
  hostname IDSM
  accesslist ipaddress <management network> netmask <netmask>
  exit
  timeparams
  summertimeparams
  active-selection none
  exit
  exit
  service webserver
  general
  ports 443
  exit
Setup shows the new configuration and asks what to do with it:
  [0] Go to the command prompt without saving this config.
  [1] Return back to the setup without saving this config.
  [2] Save this configuration and exit setup.
  Enter your selection[2]: 2
II.II E. Feeding packets to the IDSM with SPAN
The line cards on the 720 Gbps fabric carry the monitored VLANs (e.g. VLAN 999); SPAN copies their traffic to the sensing interface (port 7 or 8 of the module).
Native IOS:
  monitor session 1 source vlan <vlan>,...,999 rx
  ## copy received traffic of the listed VLANs
  monitor session 1 destination intrusion-detection-module 5 data-port 1
  ## deliver the copy to the module 5 sensing interface;
  ## data-port 1 is IDSM port 7, data-port 2 is IDSM port 8
Hybrid OS (CatOS):
  set span <vlan>,...,999 5/7 rx
  ## mirror the VLANs to IDSM port 7, which becomes the SPAN destination port
II.II F. Feeding packets with VLAN ACL (VACL) capture
SPAN (port mirroring) sessions are a scarce resource on a 6500 and the IDS competes for them with other tools, so on a busy switch VACL capture is preferred: a VLAN ACL marks matching packets with the capture bit and the switch forwards a copy to the capture port (the IDSM data port) while forwarding the original normally.
Steps: 1. an access list that permits all IP (the capture filter), 2. a VLAN access map with action forward capture, 3. apply the map to the VLANs, 4. enable capture on the IDSM data port.
II.II F. VACL capture, Native IOS
1. Access list
  access-list 199 permit ip any any
  ## every IP packet is a capture candidate; narrow this rule to capture less
2. VLAN access map
  vlan access-map idsm
   match ip address 199
   action forward capture
  ## packets matching ACL 199 are forwarded normally and also marked for capture
3. Apply the map to the VLANs
  vlan filter idsm vlan-list <vlan>,...,999
  ## the idsm access map now applies to the listed VLANs
4. Capture on the IDSM data port
  intrusion-detection module 5 data-port 1 capture
  intrusion-detection module 5 data-port 1 capture allowed-vlan <vlan>,...,999
  ## module 5 data port 1 receives the captured packets, restricted to the listed VLANs
II.II F. VACL capture, Hybrid OS (CatOS)
1. Security ACL and commit
  set security acl ip IDSM permit ip any any capture
  commit security acl IDSM
  ## a CatOS security ACL only takes effect after commit
2. Map the ACL to the VLANs
  set security acl map IDSM <vlan>,...,999
3. Capture port
  set security acl capture-ports 5/7
  ## IDSM module 5 port 7 receives the captured packets
To remove the capture ACL: clear security acl IDSM, then commit security acl IDSM.
II.II G. Capturing traffic from a remote switch (RSPAN)
Traffic on an access switch can be carried over the trunk to the IDS on the core switch through an RSPAN VLAN (here VLAN 90). Both switches must be in the same VTP domain (Yellow in the slide) so the RSPAN VLAN exists on both.
Hybrid OS (CatOS):
  access switch: set rspan source <source ports> 90 rx
  core switch:   set rspan destination <IDS port> 90
Native IOS, core switch:
  monitor session 8 source remote vlan 90
  monitor session 8 destination interface <IDS port>
On the access switch the source ports are mirrored into RSPAN VLAN 90 in the same way (CatOS command above).
II.II H. Feeding packets with mls ip ids (IOS Firewall feature)
When the MSFC runs the IOS Firewall feature set, packets can be captured per VLAN interface with mls ip ids instead of a VACL.
Native IOS:
1. Access list
  ip access-list extended IDS-Capture
   permit ip any any
  ## every IP packet is a capture candidate; narrow the rule to capture less
2. Apply to the VLAN interfaces
  interface vlan <n>
   mls ip ids IDS-Capture
  interface vlan <m>
   mls ip ids IDS-Capture
3. Capture on the IDSM data port
  intrusion-detection module 5 data-port 1 capture
  intrusion-detection module 5 data-port 1 capture allowed-vlan <n>,<m>
  ## only the listed VLANs are delivered to the sensing port
II.II H. mls ip ids, Hybrid OS (CatOS supervisor with MSFC)
1. Access list, on the MSFC
  ip access-list extended IDS-Capture
   permit ip any any
2. VLAN interfaces, on the MSFC
  interface vlan <n>
   mls ip ids IDS-Capture
  interface vlan <m>
   mls ip ids IDS-Capture
3. Capture port, on the supervisor
  set security acl capture-ports 5/7
  ## IDSM module 5 port 7 receives the captured packets of the listed VLANs
III. IDM (IDS Device Manager)
III.I Logging in over SSL
Open https://<IDSM management IP> in a browser; this is the SSL (Secure Socket Layer) web server on the command and control port, port 443 as set in setup. Log in with user cisco (default) and the password set in setup. Change the default credentials after the first login.
III.II IDM menu
Device: sensor setup (network and IP, Telnet/SSH service, allowed hosts, user accounts).
Configuration: sensing engine (interfaces, alarm channel, signatures, IP fragment and TCP stream reassembly, IP logging), blocking, auto update, restore default settings.
Monitoring: IP logging, event display, sensing interface and engine statistics.
Administration: signature and service pack upgrade, IP logging, manual blocking, system reset.
III.III IDM Device menu
A. Sensor setup > Network
1. Host name: the IDSM host name.
2. IP address: the IDSM IP address.
3. Netmask.
4. Default route: the gateway.
5. Enable TLS/SSL: enable the SSL web server.
6. Web server port: TCP port 443.
## These are the same values entered during IDSM setup.
B. Sensor setup > Allowed hosts
The IP list of hosts and networks that may manage the IDSM through IDM (the same access list as in setup). 1. and 2.: the current list; 3. Add: add an IP address or network.
C. Sensor setup > Time
1. Time zone.
2. UTC offset in minutes (e.g. 540 for UTC+9); the IDSM keeps time in UTC and applies the offset for display.
3. NTP: server IP, key and key ID.
D. Sensor setup > Users
1. The IDSM user list used by IDM. 2. Add a user.
3. User name and password.
4. Role:
  Viewer: view events and configuration.
  Operator: view events, change configuration, tune signatures.
  Administrator: everything.
  Service: no IDM access, CLI/shell only (used for support).
III.IV IDM Configuration menu
A. Sensing engine > Interfaces
1. Reset interface: the interface that sends TCP resets (IDSM port 1).
2. Command and control interface (IDSM port 2).
3. Sensing interfaces 7 and 8: select the interface that receives the captured packets and check Enable. Only an enabled sensing interface is monitored by the IDSM.
A. Sensing engine > Interface group (virtual sensor)
On this IDSM version the sensing interfaces are grouped into a virtual sensor: check the select box for the group and click Enable. The interface group is the unit to which signatures and event actions apply.
A. Sensing engine > Signatures (signature groups)
Enabling a top-level category enables the signatures under it, and disabling the category disables them. A signature is active only when both its category and the signature itself are enabled.
A. Sensing engine > Signatures (signature list)
Signatures can be listed as All Signatures or per category. Columns: Sig ID (click to edit), SubSig ID, signature name, event actions (Log, Reset, ShunHost, ShunConnection), severity level (High, Medium, Low, Information), and type (Built-in or Tuned).
A. Sensing engine > Signature engines by layer (signature ID series)
Layer 2: ARP engine (7000 series).
Layer 3: ICMP engine (type, code, sequence, ID; 2000 series), IP options engine (1000 series), IP header/fragment engines.
Layer 4: TCP engine (flags, ports, single-packet regex; 3000 series), UDP engine (port, direction, data length; 4000 series).
Flood engines: ICMP flood, UDP flood, net flood (6900 series).
Service engines: DNS (6000 series), FTP, TACACS overflow (3530), HTTP decoding (5000 series), client/server, MS-SQL (3700), NTP (4056), RPC, SMB (Server Message Block) decoding, SMTP, SNMP traffic inspection (4500), SSH header decoding (3600), syslog, Telnet/Cisco, LPR.
String search engines: ICMP, TCP and UDP string search.
Sweep engines: ICMP sweep, TCP sweep, TCP/UDP sweep, NMAP sweep/scan (3045, 3046), host port sweep.
Traffic pattern engines: ICMP traffic pattern (6300, 6500); Trojan/DDoS traffic: Back Orifice/BO2K (3990 series, 4053, 4055 for UDP), TFN2K (6507).
A. Sensing engine > Signature groups by attack type
Attack: adware/spyware engine, code attack engine, data buffer overflow engine (5300 series), DoS, reconnaissance (sweeps and scans), viruses/worms/trojans.
By L2/L3/L4 protocol: ARP attack engine, Layer 2 to 4 protocol attack engines, protocol-associated engine, IP attack engine, TCP/UDP engines.
By OS: Cisco IOS, Mac OS, Novell NetWare, Unix, Windows.
A. Sensing engine > Signature groups by release and by service
Releases: signatures listed by the signature release version that introduced them, with their event actions.
Service: signatures listed by the network service they protect.
A. Sensing engine > Editing a signature (example: Nachi worm)
1. Open the Attack group, sub-group Viruses/Worms/Trojans.
2. Select the Nachi Worm signature.
3. Click Edit.
4. Set the event actions:
  Log: IP logging of the offending host.
  Reset: the IDS resets the TCP session.
  ShunHost: the IDSM blocks the host on the blocking device.
  ShunConnection: the IDSM blocks only that connection.
5. Click Save Changes to commit the signature configuration.
A. Sensing engine > Signature Wizard (custom signatures)
The Signature Wizard adds a custom signature to the signature DB step by step. Custom signature IDs start at 20000. Example: alert on TCP SYN packets from a given source network.
1. Signature type: packet signature, TCP packet.
2. Signature ID: 20000; signature name. Click Next.
3. TCP flags (the SYN of the TCP three-way handshake): SYN flag True, ACK flag False.
4. Source IP address range: the monitored source network (e.g. a /8).
5. Severity: Information / Low / Medium / High.
6. Event action on the IDSM: Log / Reset / ShunHost / ShunConnection.
A. Sensing engine > IP fragment reassembly and TCP stream reassembly
The sensor reassembles IP fragments and TCP segments before inspection, because an attack can be split across fragments or segments. Reassembly is done the way the target OS does it; select the OS model (NT, Solaris, Linux, BSD) and the fragment timeout.
B. Blocking
TCP reset: the IDS sends a TCP reset from its reset interface to both ends of the session. Only TCP has flags to reset; UDP and ICMP cannot be reset. Resets are generated by the sensor's processor.
Shunning (blocking): the sensor configures a blocking device:
  Internet router: router ACL (RACL) on an interface.
  FWSM / PIX: PIX shun.
  Catalyst 6500 Hybrid OS: VACL.
  Catalyst 6500 Native OS, Catalyst 4500/4000/3750/3550/2950: RACL/PACL.
TCP reset plus blocking on the interface facing the attacker (e.g. the Internet router's outside interface) protects the sensor's network.
B. Blocking > General
Check the box to enable blocking on the sensor. Settings: maximum number of block entries (the ACL size the sensor will push) and the block duration, 30 minutes by default: a blocked address is released again after 30 minutes.
B. Blocking > Never Block Addresses
Addresses the sensor must never block, e.g. management hosts or the server farm. Add them with the Never Block menu button; a block request for one of these addresses is ignored.
B. Blocking > Logical Devices
A logical device holds the credentials the sensor uses to log in to a blocking device: device name, user name and password (plus enable password where needed). Add it with the Logical Device menu button.
B. Blocking > Blocking Devices
1. Blocking device IP address.
2. Logical device name (from the previous step).
3. Device type:
  Cisco router, or Catalyst Native OS 6500 / 4500/4000/3750/3550/2950 (ACL on an interface).
  Catalyst 6500/7600 Hybrid OS (VACL).
  PIX / FWSM (shun).
4. Communication: Telnet or SSH.
B. Blocking > Blocking Device Interfaces
1. Blocking device IP address.
2. Interface name on which the sensor applies the ACL (as listed by show ip interface brief).
3. Direction: inbound or outbound filtering.
4. Optional pre-block and post-block ACLs. The sensor generates an extended ACL on that interface containing the never-block permits and a deny per blocked host or connection.
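To make the blocking slides concrete, here is an added example (not the Cisco IDS implementation) that keeps a block list with the 30-minute default expiry, refuses to block anything inside the never-block addresses, and renders the extended ACL the sensor pushes to the blocking device interface. The maximum entry count, the ACL name and every address are assumed.

```python
"""Blocking (shunning) ACL generation modelled on the IDM Blocking slides.
Added example, not the Cisco IDS implementation; limits, ACL name and
addresses are assumed values."""
from datetime import datetime, timedelta
from ipaddress import ip_network

BLOCK_MINUTES = 30          # IDM default block duration
MAX_BLOCK_ENTRIES = 100     # assumed maximum number of block entries
EXAMPLE_NOW = datetime(2004, 1, 7, 9, 0)   # constructed reference time


def minutes_after(t, minutes):
    """Helper for expiry arithmetic."""
    return t + timedelta(minutes=minutes)


def _ace_target(net):
    """ACL operand for a network object: 'host a.b.c.d' or 'network wildcard'."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def block(blocks, target, now, never_block, minutes=BLOCK_MINUTES):
    """Add a host or network block. Returns the expiry time, or None when
    the target overlaps a never-block address (e.g. the server farm)."""
    net = ip_network(target, strict=False)
    if any(net.overlaps(ip_network(n, strict=False)) for n in never_block):
        return None
    expiry = minutes_after(now, minutes)
    blocks.append((net, expiry))
    return expiry


def build_block_acl(name, blocks, never_block, now, pre=(), post=(),
                    max_entries=MAX_BLOCK_ENTRIES):
    """Render the ACL pushed to the blocking interface: pre-block ACEs,
    never-block permits, a deny per active block, post-block ACEs, then
    permit any. Blocks whose 30 minutes have passed are dropped."""
    active = [(net, exp) for net, exp in blocks if exp > now]
    if len(active) > max_entries:
        raise ValueError(f"{len(active)} blocks exceed the entry limit {max_entries}")
    lines = [f"ip access-list extended {name}"]
    lines += [f" {ace}" for ace in pre]
    for n in never_block:                       # never-block permits come first
        lines.append(f" permit ip {_ace_target(ip_network(n, strict=False))} any")
    for net, _ in active:
        lines.append(f" deny ip {_ace_target(net)} any")
    lines += [f" {ace}" for ace in post]
    lines.append(" permit ip any any")          # everything else flows
    return lines


if __name__ == "__main__":
    never = ["10.0.1.0/24"]                      # assumed server farm
    blocks = []
    block(blocks, "192.0.2.77", EXAMPLE_NOW, never)        # attacker host
    block(blocks, "198.51.100.0/24", EXAMPLE_NOW, never)   # attacker network
    print(block(blocks, "10.0.1.9", EXAMPLE_NOW, never))   # None: never-block wins
    print("\n".join(build_block_acl("IDS_Serial0_in", blocks, never,
                                    minutes_after(EXAMPLE_NOW, 5))))
```

Order matters: the never-block permits precede the denies, so a deny can never override them, and the final permit keeps the interface open for everyone not blocked. Rendering the ACL again after the expiry time silently drops the released hosts, which is exactly what the sensor does when it refreshes the device.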
C. Auto update
1. Cisco publishes signature updates at the IDS Signature Center on the Internet (IDS Update, http://www.cisco.com/pcgi-bin/lm/show_form.pl?7486734804609375597&3668_4); an e-mail notification carries the download URL.
2. Download the signature file to an FTP or SCP server inside the network.
3. The IDSM fetches new signatures from that server according to the auto update schedule. A signature update does not require a reboot.
C. Auto update > Settings
1. Server IP address (the FTP/SCP server).
2. Server directory holding the update files.
3. User ID.
4. Password.
5. File copy protocol: FTP or SCP.
6. Schedule (start time and interval).
7. Apply.
D. Restore Defaults
Apply to Sensor resets the configuration to factory defaults. Back up the configuration first; the network settings from setup are also affected.
III.IV Monitoring menu
A. Web server / Blocking status
Shows the IDSM SSL web server configuration and the blocking state: ShunMaxEntries (maximum number of ACL entries), NetDevice (the blocking devices), NeverShun (the never-block addresses) and Shun Enable State = Active when blocking is enabled.
B. Command and control interface
IP address and Rx/Tx counters of the command and control port, plus memory, swap and hard disk usage.
C. Events / sensing interface
Event counters per category, and packet capture counters per sensing interface. A captured packet count of 0 means the sensing interface is receiving nothing; check the SPAN/VACL configuration.
D. Virtual sensor
Shows the sensing interface group, CPU load, total packet numbers (use Refresh), and the fragment reassembly and TCP stream reassembly statistics. A CPU at 100% or growing reassembly queues means the sensor is overloaded.
III.V Administration menu
A. Diagnostics and system information
Diagnostics generates a report (configuration, version, interfaces, dump); click View Result to read it.
System information shows the signature version and the versions of the Main Application, Analysis Engine and web server, plus IDS system status.
B. Update (signature and service pack upgrade)
FTP signature/engine upgrade:
  ftp://username@location/relativedirectory/filename
  e.g. ftp://anonymous@<server>/ids/ids-sig-4.-4-s9.rpm.pkg
SCP signature/engine upgrade:
  scp://username@location/relativedirectory/filename
  e.g. scp://ids@<server>/ids/ids-sig-4.-4-s9.rpm.pkg
CLI upgrade:
  sensor#config t
  sensor(config)#upgrade ftp://anonymous@<server>//ids/ids-sig-4.-3-s64.rpm.pkg
  Password:
  Warning: Executing this command will apply a signature update to the application partition.
  Continue with upgrade? : yes
  Broadcast message from root (Wed Jan 7 9:05:37 2004):
  Applying update IDS-sig-4.-3-S64. This may take several minutes.
  Please do not reboot the sensor during this update.
  Broadcast message from root (Wed Jan 7 9:06:06 2004):
  Update complete.
  sensorapp is restarting
  This may take several minutes.
C. Manual blocking > Host
1. Blocking device and ACL: the current ACL entries; Minutes Remaining shows the time left for each entry. Add creates an entry, Delete removes a blocked host from the ACL.
2. Blocking host: IP address.
3. Extended ACL fields: source IP and port, destination IP and port.
4. Protocol.
5. Block type: block the host, or shun only the connection.
6. Blocking time in minutes.
C. Manual blocking > Network
1. Network address and mask to block manually. 2. Block. 3. Blocking time in minutes.
D. Reset
Reboot (system reset) or power down the IDSM.
IV. IEV (IDS Event Viewer)
IV.I Requirements
Platform: Windows NT 4 Service Pack 6, Windows 2000, Windows XP (with current service packs).
Software installed with IEV: Java Runtime 1.3.x, MySQL server 3.23.
Hardware: Pentium III 800 MHz, 256 MB RAM, 500 MB hard disk.
IV.II Adding a device (Device > New Device)
1. IDS sensor IP address.
2. Sensor host name.
3. User name (an IDS user account).
4. Password.
5. Web server port (SSL port).
6. http or https.
7. Event start time: which events to pull; check the security levels to receive (check Information as well if informational events are wanted).
Once added, the IDSM appears in the device list and IEV starts pulling its events.
IV.III IEV menus
A. Main menu: New View (event filter), New Device, Event Graph, Refresh, Event Viewer, Application settings (Ethereal), Data Source, Import/Export.
B. New View
1. Data source. 2. Event grouping: by signature, source/destination address, sensor or security level. 3. View columns: the columns to display and the sort order.
C. Import/Export
Import a log file of events; export IEV events as CSV or tab-separated text.
D. Data Source Information
Shows the DB tables holding the events; a table can be purged here.
E. Application Settings
1. HTML browser used to open IDM (e.g. explorer.exe).
2. Ethereal, used to view IP log dump data.
3. NSDB (Network Signature Database) location; updated with IEV upgrades.
F. Preferences > Refresh
Console display refresh time: with Auto Refresh on, the IEV console refreshes at this interval; otherwise use Refresh from the menu.
G. Preferences > Event archive
Events are moved from the live table to an archive file daily at the configured time. Configurable: the maximum live table size (number of events) and the maximum number of archived files.
H. Event Graph
1. Real-time graph, bar graph or area graph. 2. Security level. 3. Colour per level. 4. Alarm counts over the selected period.
I. Dashboard
Event dashboard columns: signature name, Sig ID, security level, device, time (UTC or local), source/destination address and port, event ID, trigger string (the sensing interface). Every column can be sorted.
J. to Q. View menu
Views group events by source/destination address, by sensor, by security level or by signature group. Each view shows signature count, source and destination address counts, sensor, security level and total events, all sortable. Double-clicking a row drills down to the events behind it, which are read from the DB for that signature, sensor or level.
R. Filter menu (event filter)
Filter events by security level (e.g. hide Information), by source or destination address, by signature, by sensor, by time, and by event status.
V. IDSM troubleshooting (FAQ)
1. No packets are captured.
2. IDM cannot be reached.
3. The IDSM does not boot or its image must be reloaded.
V-I. Packet capture issue
1. Re-check the SPAN or VACL capture configuration for Native/Hybrid OS in II.II E and F.
2. Check the data port state on the 7600/6500:
  6500#sh intrusion-detection module 5 data-port 1 state
  Intrusion-detection module 5 data-port 1 :
  Switchport: Enabled
  Administrative Mode: trunk
  Operational Mode: down
  Administrative Trunking Encapsulation: dot1q
  Negotiation of Trunking: Off
  Access Mode VLAN: 1 (default)
  Trunking Native Mode VLAN: 1 (default)
  Trunking VLANs Enabled: NONE
  Pruning VLANs Enabled: 2-1001
  Vlans allowed on trunk:none
  Vlans allowed and active in management domain:none
  Vlans in spanning tree forwarding state and not pruned: none
  Administrative Capture Mode: Disabled
  Administrative Capture Allowed-vlans: 999
Here capture allowed-vlan 999 is configured but capture mode is Disabled and no VLAN is active on the trunk: VACL capture is not switched on for this data port.
2. (continued) Check whether the switch is sending anything to the data port:
  6500#sh intrusion-detection module 5 data-port 1 traffic
  Intrusion-detection module 5 data-port 1 :
  Specified interface is up line protocol is down (monitoring)
  Hardware is C6k 1000Mb 802.3, address is <MAC> (bia <MAC>)
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 4/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Unknown duplex, Unknown Speed, media type is unknown media type
  output flow-control is unsupported, input flow-control is unsupported
  Last input never, output 07:5:34, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 5865000 bits/sec, 976 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     30696078 packets output, 7083479776 bytes, 0 underruns
     0 output errors, 0 collisions, 37 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
"line protocol is down (monitoring)" is normal for a SPAN destination. The output counters are the switch's view: packets output is what is delivered to the IDSM sensing port, so a non-zero and growing output rate means traffic reaches the module and the problem is on the sensor side.
3. In IDM check that the sensing interface is Enabled (Configuration > Sensing Engine > Interfaces), then look at Monitoring > Statistics > AnalysisEngine: the packet counter of the sensing interface must increase.
4. Check the IDSM sensing interface hardware with the online diagnostics:
  6500#sh diagnostic module 5
  Current Online Diagnostic Level = Minimal
  Online Diagnostic Result for Module 5 : PASS
  Online Diagnostic Level when Module came up = Minimal
  Test Results: (. = Pass, F = Fail, U = Unknown)
  1. TestPortASICLoopback :
     Port 1 2 3 4
     ----------------
          . . . .
  2. TestPCLoopback :
     Port 1 2 3 4
     ----------------
          . . . .
  3. TestNetflowInlineRewrite :
     Port 1 2 3 4
     ----------------
          U U U U
Ports 3 and 4 of the test correspond to the sensing interfaces and must pass. On Hybrid OS use show port 5/7 and 5/8: the ports must be trunks and not faulty.
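The checks in steps 2 to 4 are easy to get wrong by eye, so here is an added example (not Cisco code) that parses the state and traffic output of the data port and reports the same findings: capture not enabled, no VLANs on the trunk, and whether the switch is delivering any packets to the sensing port. The two sample outputs are constructed after the ones shown above; with SPAN instead of VACL capture, pass vacl_capture=False, because a SPAN destination is expected to show Capture Mode Disabled.

```python
"""Sanity-check the switch side of IDSM packet capture from
'show intrusion-detection module <slot> data-port <n> state' and
'... data-port <n> traffic' output. Added example for these slides,
not Cisco code; the sample outputs are constructed."""
import re

# Constructed sample: capture allowed-vlan 999 configured, but capture mode
# is disabled and nothing is on the trunk (the symptom in the slide).
SAMPLE_STATE = """\
Intrusion-detection module 5 data-port 1 :
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: NONE
Pruning VLANs Enabled: 2-1001
Vlans allowed on trunk:none
Vlans allowed and active in management domain:none
Vlans in spanning tree forwarding state and not pruned: none
Administrative Capture Mode: Disabled
Administrative Capture Allowed-vlans: 999
"""

# Constructed sample: the switch is sending traffic to the sensing port.
SAMPLE_TRAFFIC = """\
Intrusion-detection module 5 data-port 1 :
Specified interface is up line protocol is down (monitoring)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 5865000 bits/sec, 976 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     30696078 packets output, 7083479776 bytes, 0 underruns
"""


def parse_state(text):
    """Turn the 'key: value' lines of the state output into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields


def check_capture_state(fields, vacl_capture=True):
    """Return problem codes for a data port that should receive traffic.
    For VACL capture the port must be a capture-enabled trunk; for SPAN
    only the switchport check applies."""
    problems = []
    if fields.get("Switchport") != "Enabled":
        problems.append("switchport_disabled")
    if vacl_capture:
        if fields.get("Administrative Capture Mode") != "Enabled":
            problems.append("capture_disabled")   # missing 'data-port N capture'
        if fields.get("Trunking VLANs Enabled", "").upper() in ("", "NONE"):
            problems.append("no_trunk_vlans")     # nothing can reach the port
        allowed = fields.get("Administrative Capture Allowed-vlans", "")
        if not allowed or allowed.lower() == "none":
            problems.append("no_allowed_vlans")   # missing 'capture allowed-vlan'
    return problems


def parse_traffic(text):
    """Return (packets_output_total, output_packets_per_sec). 'output' is the
    switch sending to the IDSM, i.e. what the sensing interface receives."""
    total = re.search(r"(\d+) packets output", text)
    rate = re.search(r"output rate \d+ bits/sec, (\d+) packets/sec", text)
    return (int(total.group(1)) if total else 0,
            int(rate.group(1)) if rate else 0)


def diagnose(state_text, traffic_text, vacl_capture=True):
    """Configuration problems first, then whether any packets are delivered."""
    problems = check_capture_state(parse_state(state_text), vacl_capture)
    total, pps = parse_traffic(traffic_text)
    if total == 0:
        problems.append("no_packets_to_sensor")
    return problems, total, pps


if __name__ == "__main__":
    print(diagnose(SAMPLE_STATE, SAMPLE_TRAFFIC))
    print(diagnose(SAMPLE_STATE, SAMPLE_TRAFFIC, vacl_capture=False))
```

For the sample, VACL mode reports capture_disabled and no_trunk_vlans while the traffic counters show 30,696,078 packets delivered: that combination means a SPAN session is feeding the port, not the VACL, which is why diagnosing the same output with vacl_capture=False reports nothing.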
V-II. IDM cannot be reached
Check that the command and control port (port 2) is in the management VLAN (II.II B):
Native IOS:
  intrusion-detection module 5 management-port access-vlan <vlan>
Hybrid OS (CatOS):
  set vlan <vlan> 5/2
Then check the sensor's own access list (setup or IDM Allowed Hosts): the management station must be permitted.
V-III. IDSM does not boot / image reload
1. The IDSM has a maintenance partition (MP) and an application partition (AP).
Native IOS:
  hw-module module <slot> reset cf:1     ## boot the maintenance partition
  hw-module module <slot> reset          ## boot the application partition
Hybrid OS (CatOS):
  reset <slot> cf:1                      ## boot the maintenance partition
  reset <slot>                           ## boot the application partition
The MP is used to upgrade the AP image and to set the network configuration needed for that; the flash partitions (cf:1 ... cf:5) hold the MP, the network configuration, the crash dump area and the application partition IDS image and configuration.
2. Reloading the application partition image from the maintenance partition
  root@localhost.localdomain#ip address <idsm ip> 255.255.255.0
  root@localhost.localdomain#ip gateway <gateway>
  root@localhost.localdomain#ip broadcast <broadcast>
  root@localhost.localdomain#upgrade ftp://anonymous@<ftp server>//idsm/ws-svc-idsm-k9-a-4.--s47.bin.gz
  Downloading the image. This may take several minutes...
  Password for anonymous@<ftp server>:
  ftp://anonymous@<ftp server>//idsm/ws-svc-idsm-k9-a-4.--s47.bin.gz (6559K)
  /tmp/upgrade.gz [########################] 6559K 64.68K/s
  66856 bytes transferred in 4.86 sec (64.67k/sec)
  Upgrade file ftp://anonymous@<ftp server>//idsm/ws-svc-idsm-k9-a-4.--s47.bin.gz is downloaded.
  Upgrading will wipe out the contents on the hard disk.
  Do you want to proceed installing it [y N]: y
  Proceeding with upgrade. Please do not interrupt.
  If the upgrade is interrupted or fails, boot into Maintenance image again and restart upgrade.
  Creating IDS application image file...
  Initializing the hard disk...
  Applying the image, this process may take several minutes...
  Performing post install, please wait...
  Application image upgrade complete. You can boot the image now.
Note: the upgrade wipes the hard disk, so the sensor configuration, signatures and service packs must be re-applied afterwards.
3. After the application image has been reloaded from the MP, boot the application partition, run setup again (II.II D), then install the service pack; the sensor reboots after the service pack. Finally install the signature file:
  sensor(config)# upgrade ftp://anonymous@<ftp server>//ids/ids-k9-sp-4.-4-s9.rpm.pkg
  Password:
  Warning: Executing this command will apply a signature update to the application partition.
  Continue with upgrade? : yes
The update messages and the sensorapp restart are the same as shown in III.V B; do not reboot the sensor until "Update complete." appears.