Cisco IDS-4230-FE Installation Guide

Cisco IDS-4230-FE - Intrusion Detection System Fast Ethernet Sensor Manual

Cisco IDS-4230-FE manual content summary:

  • Cisco IDS-4230-FE | Installation Guide - Page 1
    Detection System Appliance and Module Installation and Configuration Guide Version 4.1 Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Customer Order Number: DOC-7815597
  • Cisco IDS-4230-FE | Installation Guide - Page 2
    in accordance with the instruction manual, may cause harmful Cisco's installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications
  • Cisco IDS-4230-FE | Installation Guide - Page 3
    Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Empowering
  • Cisco IDS-4230-FE | Installation Guide - Page 4
  • Cisco IDS-4230-FE | Installation Guide - Page 5
    Cisco Technical Support Website xxi Submitting a Service Request xxii Definitions of Service Request Severity xxii Obtaining Additional Publications and Information xxiii Introducing the Sensor 1-9 Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version
  • Cisco IDS-4230-FE | Installation Guide - Page 6
    System Network Module 1-12 Introducing the Cisco Catalyst 6500 Series Intrusion Detection System Services Module 1-14 Supported Sensors 1-16 Setting the Time on Sensors 1-18 Installation Preparation 1-20 Working in an ESD Environment 1-21 Installing the IDS-4210 2-1 Front Panel Features and
  • Cisco IDS-4230-FE | Installation Guide - Page 7
    Keyboards and Monitors 4-4 Upgrading the IDS-4220-E and IDS-4230-FE to 4.x Software 4-5 Installing the IDS-4220 and IDS-4230 4-6 Installing the IDS-4235 and IDS-4250 5-1 Front-Panel Features and Indicators 5-2 Back-Panel Features and Indicators 5-4 Specifications 5-5 Installing Spare Hard-Disk
  • Cisco IDS-4230-FE | Installation Guide - Page 8
    5-36 Installing the IPS-4240 and IPS-4255 6-1 Front and Back Panel Features 6-2 Specifications 6-5 Accessories 6-6 Rack Mounting 6-7 Installing the IPS-4240 and IPS-4255 6-9
  • Cisco IDS-4230-FE | Installation Guide - Page 9
    Module Panels 7-14 Installing the IDSM-2 8-1 Specifications 8-1 Software and Hardware Requirements 8-2 Supported IDSM-2 Configurations 8-3 Using the TCP Reset Interface 8-4 Front Panel Description 8-4 Installation and Removal Instructions 8-5 Required Tools 8-6 Slot Assignments 8-6 Installing the
  • Cisco IDS-4230-FE | Installation Guide - Page 10
    Applying for a Cisco.com Account with Cryptographic Access 9-11 IDS Bulletin 9-12 Configuring the Sensor Using the CLI 10-1 Sensor Initial Configuration Tasks 10-2 Initializing the Sensor 10-2 Assigning and Enabling the Sensing Interface 10-9 Sensing Interfaces 10-11 Creating the Service Account 10
  • Cisco IDS-4230-FE | Installation Guide - Page 11
    to be a Master Blocking Sensor 10-73 Obtaining a List of Blocked Hosts and Connections 10-75 How to Set up Manual Blocking and How to Unblock 10-76 NM-CIDS Configuration Tasks 10-77 Configuring Cisco IDS Interfaces on the Router 10-78 Establishing Cisco IDS Console Sessions 10-80 Using the Session
  • Cisco IDS-4230-FE | Installation Guide - Page 12
    83 Setting Up Packet Capture 10-84 Checking the Status of the Cisco IDS Software 10-85 Supported Cisco IOS Commands 10-86 IDSM-2 Configuration Tasks 10-87 Configuring the 10-127
  • Cisco IDS-4230-FE | Installation Guide - Page 13
    A-12 Authenticating Users A-12 Configuring Authentication on the Sensor A-13 Managing TLS and SSH Trust Relationships A-14 LogApp Service Account A-31 CLI Behavior A-32 Regular Expression Syntax A-34
  • Cisco IDS-4230-FE | Installation Guide - Page 14
    to See Alerts B-14 Sensor Not Seeing Packets B-15 Cleaning Up a Corrupted SensorApp Configuration B-16 Running SensorApp in Single CPU Mode B-17 Bad Memory on the IDS-4250-XL B-18
  • Cisco IDS-4230-FE | Installation Guide - Page 15
    on the Sensor B-43 Troubleshooting the IDSM-2 B-44 Diagnosing IDSM-2 Problems B-44 Switch Commands for Troubleshooting B-46 Status LED Off B-46 Status LED On But IDSM-2 Does Not Come Online B-48
  • Cisco IDS-4230-FE | Installation Guide - Page 16
    support Command B-52 show tech-support Command B-53 Displaying Tech Support Information B-53 show tech-support B-65 show events Command B-66 Sensor Events B-67 show events Command B-67 Cisco FTP Site B-71
  • Cisco IDS-4230-FE | Installation Guide - Page 17
    and Information, page xxiii Audience This guide is intended for audiences who need to do the following: • Install appliances and modules. • Secure their network with sensors. • Detect intrusion on their networks and monitor subsequent alarms.
  • Cisco IDS-4230-FE | Installation Guide - Page 18
    . Notes contain helpful suggestions or references to material not covered in the guide. Caution Means reader be careful. In this situation, you might do this device.
  • Cisco IDS-4230-FE | Installation Guide - Page 19
    Intrusion Detection System (IDS) Hardware and Software Version 4.1 Documentation Guide • Quick Start Guide for the Cisco Intrusion Detection System Version 4.1 • Regulatory Compliance and Safety Information for the Cisco Intrusion Detection System 4200 Series Appliance Sensor • Installing and Using
  • Cisco IDS-4230-FE | Installation Guide - Page 20
    Documentation Feedback Preface You can access the Cisco website at this URL: http://www.cisco.com You can access international Cisco websites at this URL: http://www.cisco.com/public/countries_languages.shtml Ordering Documentation You can find instructions for ordering documentation at this URL:
  • Cisco IDS-4230-FE | Installation Guide - Page 21
    . If you do not hold a valid Cisco service contract, contact your reseller. Cisco Technical Support Website The Cisco Technical Support Website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24
  • Cisco IDS-4230-FE | Installation Guide - Page 22
    service request is assigned to a Cisco TAC engineer. The TAC Service Request Tool is located at this URL: http://www.cisco.com/techsupport/servicerequest For S1 or S2 service are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during
  • Cisco IDS-4230-FE | Installation Guide - Page 23
    , reference guides, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL: http://www.cisco.com/go/marketplace/ • The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product
  • Cisco IDS-4230-FE | Installation Guide - Page 24
    URL: http://www.cisco.com/ipj • World-class networking training is available from Cisco. You can view current offerings at this URL: http://www.cisco.com/en/US/learning/index.html
  • Cisco IDS-4230-FE | Installation Guide - Page 25
    sensor. In this guide, the term "sensor" refers to all models unless specifically noted otherwise. See Supported Sensors, page 1-16, for a complete list of supported sensors , page 1-8
  • Cisco IDS-4230-FE | Installation Guide - Page 26
    system. See Supported Sensors, page 1-16, for a list of supported appliances. You can use the Command Line Interface (CLI), IDS Device Manager, or Management Center for IDS Sensors to configure the appliance. Refer to your IDS manager documentation. To access IDS documentation on Cisco.com, refer
  • Cisco IDS-4230-FE | Installation Guide - Page 27
    IDS manager workstation or network devices (typically a Cisco router). Because this interface is visible on the network, you should use encryption (SSH or TLS, see Managing TLS and SSH Trust Relationships) to maintain data privacy. Secure associated with a TCP-based service. If selected as an action on non-TCP-based services (for example UDP or ICMP), no action is taken.
  • Cisco IDS-4230-FE | Installation Guide - Page 28
    1 Introducing the Sensor Note ACLs may the size and type of network interface cards), and how many IDS managers are needed. The appliance monitors all traffic across a on page 1-5.
  • Cisco IDS-4230-FE | Installation Guide - Page 29
    Sensor have defined policies on the use and security of this type of connection, there is specific research and development or other engineering information and should be given additional protection.
  • Cisco IDS-4230-FE | Installation Guide - Page 30
    to the network. An internal attacker taking advantage of vulnerabilities in network services would remain undetected by the external appliance (see Figure 1-2 on page 1-7).
  • Cisco IDS-4230-FE | Installation Guide - Page 31
    Figure 1-2 Appliance in Front of a Firewall (figure labels: Hostile network, ISP router, Outermost router, Monitoring interface, Firewall, Protected network, Appliances) IDS 1-3 on page 1-8).
  • Cisco IDS-4230-FE | Installation Guide - Page 32
    Chapter 1 Introducing the Sensor Figure 1-3 Appliance services on the router if available, otherwise, enable Telnet. • Add the router to the device management list of the appliance (via the IDS manager).
  • Cisco IDS-4230-FE | Installation Guide - Page 33
    Introducing the Sensor Appliances • Configure appliance that is not part of the normal operation of the Cisco IDS. Setting Up a Terminal Server A terminal server is a including appliances.
  • Cisco IDS-4230-FE | Installation Guide - Page 34
    for all other supported appliances, to direct all output to the terminal server, log in to the IDS CLI and type the following commands:
        sensor# configure terminal
        sensor(config)# display-serial
  • Cisco IDS-4230-FE | Installation Guide - Page 35
    Sensor Appliances Output is directed to the serial port. Use the no display-serial command to redirect output to the keyboard/monitor. Note You can set up a terminal server and use the IDS appliance.
  • Cisco IDS-4230-FE | Installation Guide - Page 36
    Requirements, page 7-2, for a list of supported routers. Only one NM-CIDS is supported per router. Figure 1-4 on page 1-13 shows the IDS router in a branch office environment.
  • Cisco IDS-4230-FE | Installation Guide - Page 37
    Figure 1-4 NM-CIDS in the Branch Office (figure labels: Router, HQ, Hacker A, outside, Modules 26xx/36xx/37/NG, Untrusted network, IDS network module, Branch) the attack.
  • Cisco IDS-4230-FE | Installation Guide - Page 38
    the CLI or through one of these IDS managers-IDS Device Manager or Management Center for IDS Sensors. For instructions on accessing IDS documentation on Cisco.com, refer to Cisco Intrusion Detection System (IDS) Hardware and Software Version 4.1 Documentation Guide that shipped with your NM-CIDS
  • Cisco IDS-4230-FE | Installation Guide - Page 39
    the Sensor Modules traffic is either copied to the IDSM-2 based on security VLAN access control lists (VACLs) in the switch or IDS manager, where they are logged or displayed on a graphical user interface.
  • Cisco IDS-4230-FE | Installation Guide - Page 40
    unsupported platforms. Table 1-1 Supported Sensors
        Model Name   Part Number
        Appliances
        IDS-4210     IDS-4210, IDS-4210-K9, IDS-4210-NFR
        IDS-4215     IDS-4215-K9, IDS-4215-4FE-K9
        IDS-4220     IDS-4220-E
        IDS-4230     IDS-4230-FE
        IDS-4235     IDS-4235-K9
        IDS-4250     IDS-4250-TX-K9, IDS-4250-SX-K9, IDS-4250-XL-K9
        IPS-4240     IPS
  • Cisco IDS-4230-FE | Installation Guide - Page 41
    not supported in this document: • NRS-2E • NRS-2E-DM • NRS-2FE • NRS-2FE-DM • NRS-TR • NRS-TR-DM • NRS-SFDDI • NRS-SFDDI-DM • NRS-DFDDI • NRS-DFDDI-DM • IDS-4220-TR • IDS-4230-SFDDI • IDS-4230-DFDDI
  • Cisco IDS-4230-FE | Installation Guide - Page 42
    the IDSM, is a legacy model and is not supported in this document. Note The IDS-4210 and IDS-4220-E require memory upgrades to support the latest IDS software. See Upgrading the Memory, page 2-3, for more information. Setting the Time on Sensors The sensor requires a reliable time source. All events
  • Cisco IDS-4230-FE | Installation Guide - Page 43
    source. See Configuring a Cisco Router to be an NTP Server, page 10-22. You will need the NTP server IP address, the NTP key ID, and the NTP key value. You can configure the IDSM-2 to use NTP during initialization or you can set up NTP later. See Configuring the Sensor to
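    The NTP step above needs an authenticated time source on the router before the sensor is initialized. The following Cisco IOS configuration is an added example written for this page, not the manual's own procedure from page 10-22; the key ID (1), key value (s3ns0r-ntp-key), the sensor address (10.1.1.20) and the upstream NTP server (192.0.2.10) are assumed values for illustration.

```text
! Added example, not from the Cisco guide. Assumed values: key ID 1,
! key value s3ns0r-ntp-key, sensor at 10.1.1.20, upstream NTP at 192.0.2.10.
router# configure terminal
! 1. Shared key the sensor must present. IOS NTP keys are MD5 only; the key
!    authenticates the time source to the sensor, it does not encrypt the exchange.
router(config)# ntp authentication-key 1 md5 s3ns0r-ntp-key
router(config)# ntp authenticate
router(config)# ntp trusted-key 1
! 2. Sync the router itself from an upstream source (assumed) and fall back to
!    serving stratum-3 time if that source is lost, instead of free-running silently.
router(config)# ntp server 192.0.2.10
router(config)# ntp master 3
! 3. Allow only the sensor to use this router as a time server.
router(config)# access-list 10 permit 10.1.1.20
router(config)# ntp access-group serve-only 10
router(config)# end
! 4. Verify before initializing the sensor: status must report "Clock is synchronized".
router# show ntp status
router# show ntp associations
```

    On the sensor, supply the router's address, key ID 1 and the key value when the initialization prompts for NTP, or configure them later. The reason for the key: without authentication, any host that can reach the sensor's command and control interface can answer as the time server and shift the sensor clock, which corrupts the event timestamps you later rely on for alert correlation and forensics.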
  • Cisco IDS-4230-FE | Installation Guide - Page 44
    with the location of IDS documentation on Cisco.com, read the Cisco Intrusion Detection System (IDS) Hardware and Software Version 4.1 Documentation Guide that shipped with your sensor. Obtain the Release Notes for the Cisco Intrusion Detection System Version 4.1 from Cisco.com and completely read
  • Cisco IDS-4230-FE | Installation Guide - Page 45
    ESD workbench or static dissipative mat. To remove and replace components in a sensor, follow these steps: Step 1 Remove all static-generating items from your work of the chassis.
  • Cisco IDS-4230-FE | Installation Guide - Page 46
    (Figure: PIX-515 rear panel; labels: 10/100 ETHERNET 0/0, FAILOVER, CONSOLE) Chapter 1 Introducing the Sensor Copper foil Step 4 Connect the work surface to the chassis using a ready to install it.
  • Cisco IDS-4230-FE | Installation Guide - Page 47
    IDS-4210 before July 2003, you must upgrade the memory to 256 MB to install Cisco IDS 4.1. See Upgrading the Memory, page 2-3 for more information. If you purchase an IDS page 2-1 • Upgrading the Memory, page 2-3 • Installing the IDS-4210, page 2-5 • Installing the Accessories, page 2-8 Front Panel
  • Cisco IDS-4230-FE | Installation Guide - Page 48
    and Indicators Figure 2-1 Front Panel Features (figure labels: System fault indicator, Power indicator, LAN 1 activity/link) occurs on this channel.
  • Cisco IDS-4230-FE | Installation Guide - Page 49
    Upgrading the Memory Upgrading the Memory The IDS-4210, IDS-4210-K9, IDS-4210-NFR, and IDS-4220-E sensors must have 512 MB RAM to support Cisco IDS 4.1 software. If you are upgrading an existing IDS-4210, IDS-4210-K9, IDS-4210-NFR, or IDS-4220-E sensor to version 4.1, you must insert additional
  • Cisco IDS-4230-FE | Installation Guide - Page 50
    and sliding the cover straight back. Note IDS-4210 sensors have a single screw on the front cover. IDS-4220 sensors have three screws spaced evenly across the front the socket.
  • Cisco IDS-4230-FE | Installation Guide - Page 51
    and Safety Information for the Cisco Intrusion Detection System 4200 Series Appliance Sensor and follow proper safety procedures when performing these steps. Note If you purchased an IDS-4210 before July 2003, you must upgrade the memory to 256 MB to install Cisco IDS 4.1. See Upgrading the Memory
  • Cisco IDS-4230-FE | Installation Guide - Page 52
    in to a power source (a UPS is recommended). Note When you first plug an IDS-4210 into a power source, it powers on momentarily and then powers off leaving with the appliance.
  • Cisco IDS-4230-FE | Installation Guide - Page 53
    page 1-9 for the instructions for setting up a Sensor, page 10-2, for the procedure. Upgrade your appliance to the latest Cisco IDS software. See Obtaining Cisco IDS Software, page 9-1, for the procedure.
  • Cisco IDS-4230-FE | Installation Guide - Page 54
    Chapter 2 Installing the IDS-4210 Step 9 Assign a bezel, and center or front mounting brackets for your IDS-4210. This section contains the following topics: • Accessories Package items are shipped in the accessories package for the IDS-4210: • Cisco IDS-4210 bezel • Power cable • Network patch
  • Cisco IDS-4230-FE | Installation Guide - Page 55
    and software - Cisco IDS recovery/upgrade CD - Cisco Documentation CD - Cisco Intrusion Detection System (IDS) Hardware and Software Version 4.1 Documentation Guide - Regulatory Compliance and Safety Information for the Cisco Intrusion Detection System 4200 Series Appliance Sensor Installing and
  • Cisco IDS-4230-FE | Installation Guide - Page 56
    2 Installing the IDS-4210 Step 3 Locate (figure labels: LVD ONLY, DRIVE 0, DRIVE 1) Step 4 Step 5 Step 6 Secure the bracket to the appliance chassis using two screws (see Figure 2-2). Repeat
  • Cisco IDS-4230-FE | Installation Guide - Page 57
    the IDS-4210 Installing the Accessories Step 7 Secure the a two-post, open-frame relay rack: • Two chassis support brackets • Two rack-mounting brackets • Six screws • #2 Phillips
  • Cisco IDS-4230-FE | Installation Guide - Page 58
    10,000 cycles of opening and closing. Higher cycles or frequency will lower the load rating. The chassis support brackets are meant to support the weight of only one appliance.
  • Cisco IDS-4230-FE | Installation Guide - Page 59
    the rack to fasten the appliance's front flanges to the rack. Note When you are done, the appliance should not slide on the channel bar.
  • Cisco IDS-4230-FE | Installation Guide - Page 60
  • Cisco IDS-4230-FE | Installation Guide - Page 61
    3-2 • Specifications, page 3-4 • Accessories, page 3-5 • Surface Mounting, page 3-6 • Rack Mounting, page 3-7 • Installing the IDS-4215, page 3-9 • Removing and Replacing the Chassis Cover, page 3-12
  • Cisco IDS-4230-FE | Installation Guide - Page 62
    IDS-4215. Figure 3-1 IDS-4215 Front Panel Features (figure labels: CISCO IDS-4215 Intrusion Detection Sensor, POWER, ACT, NETWORK) Table 3-1 describes the front panel indicators on the IDS .
  • Cisco IDS-4230-FE | Installation Guide - Page 63
    indicators per port. Figure 3-3 shows the back panel indicators. Figure 3-3 IDS-4215 Indicators (figure labels: 100Mbps ACT LINK, 100Mbps ACT LINK, 10/100 ETHERNET) port.
  • Cisco IDS-4230-FE | Installation Guide - Page 64
    in 10-Mbps mode. Specifications Table 3-3 lists the specifications for the IDS-4215. Table 3-3 IDS-4215 Specifications Dimensions and Weight Height , full power usage (65W)
  • Cisco IDS-4230-FE | Installation Guide - Page 65
    Chapter 3 Installing the IDS-4215 Accessories Table 3-3 IDS-4215 Specifications (continued) Environment Temperature Relative humidity Altitude Shock Vibration 1071 SAVE THESE INSTRUCTIONS
  • Cisco IDS-4230-FE | Installation Guide - Page 66
    not rack mounting the IDS-4215, you must attach the rubber feet to the bottom of the IDS-4215 as shown in Figure 3-4 on page 3-7. The rubber feet are shipped in the accessories kit.
  • Cisco IDS-4230-FE | Installation Guide - Page 67
    4215 when it is on a flat surface. The rubber feet allow proper airflow around the IDS-4215 and they also absorb vibration so that the hard-disk drive is less impacted. Rack Mounting Warning To prevent bodily injury when mounting or servicing this unit in a rack, you must take special precautions
  • Cisco IDS-4230-FE | Installation Guide - Page 68
    , install the stabilizers before mounting or servicing the unit in the rack. If you are installing the 4FE card in the IDS-4215, do not install the mounting to the equipment rack.
  • Cisco IDS-4230-FE | Installation Guide - Page 69
    should be allowed to install, replace, or service this equipment. Statement 1030 Caution Be sure to read the safety warnings in the Regulatory Compliance and Safety Information for the Cisco Intrusion Detection System 4200 Series Appliance Sensor and follow proper safety procedures when performing
  • Cisco IDS-4230-FE | Installation Guide - Page 70
    -4215 Chapter 3 Installing the IDS-4215 To install the IDS-4215 on your network, follow these steps: Step 1 Step 2 Step 3 01 and DB-25 connector adapter PN 29-0810-01).
  • Cisco IDS-4230-FE | Installation Guide - Page 71
    on the terminal server. See Setting Up a Terminal Server, page 1-9, for the instructions for setting up a terminal server. Step 4 Step 5 Connect the RJ-45 the Sensor, page 10-2, for the procedure. Upgrade your appliance to the most recent Cisco IDS software. See Obtaining Cisco IDS Software,
  • Cisco IDS-4230-FE | Installation Guide - Page 72
    Removing and Replacing the Chassis Cover Chapter 3 Installing the IDS-4215 Note The interfaces are disabled by default. You be removed to de-energize the unit. Statement 1028
  • Cisco IDS-4230-FE | Installation Guide - Page 73
    Regulatory Compliance and Safety Information for the Cisco Intrusion Detection System 4200 Series Appliance Sensor and follow proper safety procedures when removing and replacing the chassis cover. This section describes how to remove and replace the IDS-4215 chassis cover. This section contains
  • Cisco IDS-4230-FE | Installation Guide - Page 74
    unit facing you, push the top panel back one inch. (figure labels: POWER, ACT, NETWORK, CISCO IDS-4215 Intrusion Detection Sensor) Step 8 Pull the top panel up and put it in a safe place.
  • Cisco IDS-4230-FE | Installation Guide - Page 75
    -4215 Removing and Replacing the Chassis Cover (figure labels: POWER, ACT, NETWORK, CISCO IDS-4215 Intrusion Detection Sensor) Replacing the Chassis Cover Caution Do not operate the IDS-4215 without the chassis cover installed. The chassis cover protects the internal components, prevents electrical shorts
  • Cisco IDS-4230-FE | Installation Guide - Page 76
    back panel tabs fit under the top panel. (figure labels: POWER, ACT, NETWORK, CISCO IDS-4215 Intrusion Detection Sensor) Step 5 Fasten the top panel with the screws you set aside earlier.
  • Cisco IDS-4230-FE | Installation Guide - Page 77
    qualified personnel should be allowed to install, replace, or service this equipment. Statement 1030 Caution Only use the replacement IDE hard-disk drive from Cisco. We cannot guarantee that other hard-disk drives will operate properly with the IDS. Caution Be sure to read the safety warnings in
  • Cisco IDS-4230-FE | Installation Guide - Page 78
    down message before continuing with Step 3. Note You can also power down the sensor using IDM or IDS MC. Step 3 Step 4 Step 5 Step 6 Step 7 Power off the -disk drive carrier.
  • Cisco IDS-4230-FE | Installation Guide - Page 79
    Chapter 3 Installing the IDS-4215 Removing and Replacing the IDE Hard-Disk Drive (figure label: Hard drive) Step 8 -disk drive side to side until it is completely free of the connector.
  • Cisco IDS-4230-FE | Installation Guide - Page 80
    To replace the hard-disk drive in the IDS-4215, follow these steps: Step 1 Step 2 Place the appliance in an ESD-controlled environment. See Working in an ESD Environment, page 1-21, for more information. Align the hard-disk drive connector with the two guide pins on the riser card. Hard drive
  • Cisco IDS-4230-FE | Installation Guide - Page 81
    the IDS-4215, follow these steps: Step 1 Step 2 Log in to the CLI. Prepare the appliance to be powered off:
        sensor# reset powerdown
    Wait for the power down message before continuing with Step 3.
  • Cisco IDS-4230-FE | Installation Guide - Page 82
    and Replacing the Compact Flash Device Chapter 3 Installing the IDS-4215 Note You can also power down the sensor using IDM or IDS MC. Step 3 Step 4 Step 5 Step 6 riser card.
  • Cisco IDS-4230-FE | Installation Guide - Page 83
    Replacing the Compact Flash Device To replace the compact flash device in the IDS-4215, follow these steps: Step 1 Step 2 Place the appliance in an on the riser card.
  • Cisco IDS-4230-FE | Installation Guide - Page 84
    and Replacing the Compact Flash Device Chapter 3 Installing the IDS-4215 (figure label: Compact Flash memory card) Step 3 Step 4 Step the Chassis Cover, page 3-15, for the procedure.
  • Cisco IDS-4230-FE | Installation Guide - Page 85
    should be allowed to install, replace, or service this equipment. Statement 1030 Caution Be sure to read the safety warnings in the Regulatory Compliance and Safety Information for the Cisco Intrusion Detection System 4200 Series Appliance Sensor and follow proper safety procedures when installing
  • Cisco IDS-4230-FE | Installation Guide - Page 86
    Removing and Installing the 4FE Card Chapter 3 Installing the IDS-4215 Step 6 Step 7 Step 8 Step 9 See Working in an ESD Environment plate and tighten the two captive screws.
  • Cisco IDS-4230-FE | Installation Guide - Page 87
    recommend that you install the 4FE card in the bottom slot. We do not support installation of the 4FE card in the top slot. Note Only one 4FE card is supported on the IDS-4215.
  • Cisco IDS-4230-FE | Installation Guide - Page 88
    IDS-4215 To install a 4FE card in the IDS-4215, follow these steps: Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Step 7 Prepare the appliance to be powered off: sensor lower slot.
  • Cisco IDS-4230-FE | Installation Guide - Page 89
    Chapter 3 Installing the IDS-4215 Removing and Installing the 4FE Card Note When you insert a 4FE card on the 4FE card goes through the slot on the back cover plate.
  • Cisco IDS-4230-FE | Installation Guide - Page 90
    and Installing the 4FE Card Chapter 3 Installing the IDS-4215 Step 10 Step 11 Tighten the single and Enabling the Sensing Interface, page 10-9, for the procedure.
  • Cisco IDS-4230-FE | Installation Guide - Page 91
    , page 4-2 • Recommended Keyboards and Monitors, page 4-4 • Upgrading the IDS-4220-E and IDS-4230-FE to 4.x Software, page 4-5 • Installing the IDS-4220 and IDS-4230, page 4-6
  • Cisco IDS-4230-FE | Installation Guide - Page 92
    system is idle or powered off. Figure 4-2 on page 4-3 shows the back panel features (the onboard NIC and the SMC9432FTX network card indicators) of the IDS-4220 and IDS-4230.
  • Cisco IDS-4230-FE | Installation Guide - Page 93
… of the onboard NIC (the monitoring port) indicators for the IDS-4220 and IDS-4230. Table 4-2 On-board NIC Indicators (columns: Indicator, Color (Orange, Green), Status) … status indicators.
  • Cisco IDS-4230-FE | Installation Guide - Page 94
… keyboards and monitors have been tested with the IDS-4220 and IDS-4230: • Keyboards: KeyTronic E03601QUS201-C; KeyTronic LT DESIGNER • Monitors: MaxTech XT-7800; Dell D1025HT
  • Cisco IDS-4230-FE | Installation Guide - Page 95
… Interface: int0 … Keyboard … Monitor … Caution: If the cables on the IDS-4220-E or IDS-4230-FE are not swapped, you may not be able to connect to your appliance through the network.
  • Cisco IDS-4230-FE | Installation Guide - Page 96
Note: The PCI-based card that was used as the sensing interface for the IDS-4220-E and the IDS-4230-FE does not support the monitoring of dot1q trunk packets and the tracking of the 993 Dropped Packet alarm. The …
  • Cisco IDS-4230-FE | Installation Guide - Page 97
Step 3 Use the dual serial … See Setting Up a Terminal Server, page 1-9, for the instructions for setting up a terminal server.
  • Cisco IDS-4230-FE | Installation Guide - Page 98
Step … See Initializing the Sensor, page 10-2, for the procedure. Upgrade your appliance to the most recent Cisco IDS software. See Obtaining Cisco IDS Software …
  • Cisco IDS-4230-FE | Installation Guide - Page 99
… average packet size of 445 bytes, system running Cisco IDS 4.1 sensor software. The Cisco IDS-4250 supports a 500-Mbps speed and can be used to … installing optional PCI cards.
  • Cisco IDS-4230-FE | Installation Guide - Page 100
… 595 bytes, system running Cisco IDS 4.1 sensor software. This chapter describes the IDS-4235 and IDS-4250 and how to … • Specifications, page 5-5 • Installing Spare Hard-Disk Drives, page 5-6 • Upgrading the BIOS, page 5-7 • Using the TCP Reset Interface, page 5-8 • Installing the IDS-4235 and IDS …
  • Cisco IDS-4230-FE | Installation Guide - Page 101
… connecting a monitor and a PS/2 connector for connecting a keyboard. Table 5-1 on page 5-4 describes the appearance of the front panel indicators for the IDS-4235 and IDS-4250.
  • Cisco IDS-4230-FE | Installation Guide - Page 102
Table 5-1 … flashes when the system needs attention due to a problem with power supplies, fans, system temperature, or … supported per chassis.
  • Cisco IDS-4230-FE | Installation Guide - Page 103
… Keyboard connector, System status indicator connector, System identification button. Specifications: Table 5-2 on page 5-6 lists the IDS-4235 and IDS-4250 specifications.
  • Cisco IDS-4230-FE | Installation Guide - Page 104
Table 5-2 IDS-4235 and IDS-4250 Specifications: Dimensions and Weight, Height … See … Appliance, page 10-110, for the procedure.
  • Cisco IDS-4230-FE | Installation Guide - Page 105
… downloaded BIOS update file, BIOS_A04.exe, on the Windows system to generate the BIOS update diskette. Insert the newly created BIOS update diskette in your IDS-4235 or IDS-4250.
  • Cisco IDS-4230-FE | Installation Guide - Page 106
… will be started again. Using the TCP Reset Interface: The IDS-4250-XL has a TCP reset interface, INT0. The IDS-4250-XL has a specific TCP reset interface because it cannot send TCP resets on its monitoring ports. If you have reset problems with the IDS-4250-XL, try the following: • Make sure the TCP …
  • Cisco IDS-4230-FE | Installation Guide - Page 107
… safety warnings in the Regulatory Compliance and Safety Information for the Cisco Intrusion Detection System 4200 Series Appliance Sensor and follow proper safety procedures when performing these steps. To install the IDS-4235 and IDS-4250 on your network, follow these steps: Step 1 … Step 2 … Step …
  • Cisco IDS-4230-FE | Installation Guide - Page 108
… See Setting Up a Terminal Server, page 1-9, for the instructions for setting up a terminal server. Step 4 Attach the …
  • Cisco IDS-4230-FE | Installation Guide - Page 109
… See Initializing the Sensor, page 10-2, for the procedure. Upgrade your appliance to the most recent Cisco IDS software. See Obtaining Cisco IDS Software, … Rack Installation, page 5-34
  • Cisco IDS-4230-FE | Installation Guide - Page 110
… and software: - Cisco IDS recovery/upgrade CD - Cisco Documentation CD - Cisco Intrusion Detection System (IDS) Hardware and Software Version 4.1 Documentation Guide - Regulatory Compliance and Safety Information for the Cisco Intrusion Detection System 4200 Series Appliance Sensor. Installing and …
  • Cisco IDS-4230-FE | Installation Guide - Page 111
… Compliance and Safety Information for the Cisco Intrusion Detection System 4200 Series Appliance Sensor and follow proper safety procedures when performing the following steps.
  • Cisco IDS-4230-FE | Installation Guide - Page 112
… down message before continuing with Step 3. Note: You can also power down the sensor from IDM or IDS MC. Step 3 Power off the … Step 4 … Step 5 … Step 6 … Step 7 … (see Figure 5-4 on page 5-15).
  • Cisco IDS-4230-FE | Installation Guide - Page 113
Installing the Accessories. Warning: The connectors on the Power … (see Figure 5-4). Figure 5-4 Power Supply and Power-Supply Cooling Fan
  • Cisco IDS-4230-FE | Installation Guide - Page 114
… (four-port 10/100BASE-TX fast Ethernet sensing interface, part number IDS-4FE-INT=). You can install the 4FE card in the lower PCI slot in the IDS-4235 and IDS-4250 series appliances.
  • Cisco IDS-4230-FE | Installation Guide - Page 115
… and Safety Information for the Cisco Intrusion Detection System 4200 Series Appliance Sensor and follow proper safety procedures when performing the following steps. Note: None of the PCI cards are supported as a command and control interface. Caution: The IDS-4250 supports only one of the …
  • Cisco IDS-4230-FE | Installation Guide - Page 116
… that the card pops securely into place. Caution: Be sure to support the riser card while … riser card or main board. Caution: The IDS-4250 supports only one of the following cards in a …
  • Cisco IDS-4230-FE | Installation Guide - Page 117
… problem is not seen again. Note: You will not experience this problem if you order the IDS-4250 sensor … from IDM or IDS MC. Step 3 Power off the appliance. Step 4 Remove the fiber connections from the XL card.
  • Cisco IDS-4230-FE | Installation Guide - Page 118
… failure. Or you can order a spare drive (part number IDS-SCSI=), apply your configuration, and ship the drive to … for the Cisco Intrusion Detection System 4200 Series Appliance Sensor and follow …
  • Cisco IDS-4230-FE | Installation Guide - Page 119
… down the sensor from IDM or IDS MC. Step 3 Power off the appliance by pressing the power button. Step 4 Remove the front bezel. See Installing and Removing the Bezel, page 5-12, for the procedure.
  • Cisco IDS-4230-FE | Installation Guide - Page 120
… power down message before continuing with Step 3. Note: You can also power down the sensor from IDM or IDS MC. Step 3 … Step 4 … Step 5 … Step 6 … Step 7 … Step 8 … Step … more information.
  • Cisco IDS-4230-FE | Installation Guide - Page 121
… install your appliance in a four-post rack (part number IDS-RAIL-4=). Caution: Do not install rack kit components designed for another … Phillips screws • Releasable tie wraps
  • Cisco IDS-4230-FE | Installation Guide - Page 122
Installing the Slide Assemblies: The … to secure the slide assembly to the front vertical rail (see Figure 5-6 on page 5-25).
  • Cisco IDS-4230-FE | Installation Guide - Page 123
… back of the cabinet, pull back on the mounting-bracket flange until the mounting holes align with their respective holes on the back vertical rail.
  • Cisco IDS-4230-FE | Installation Guide - Page 124
Steps 7 through 9: … Install three 10-32 x 0.5-inch flange-head Phillips screws in the mounting flange's holes to secure the slide … (see Figure 5-7 on page 5-27).
  • Cisco IDS-4230-FE | Installation Guide - Page 125
The appliance release latch moves … assemblies. Figure 5-7 Installing the Appliance in the Rack
  • Cisco IDS-4230-FE | Installation Guide - Page 126
… latch clicks when locked. Step 4 Install a stop block on the latch on the end of the opposite slide assembly (see Figure 5-8 on page 5-29).
  • Cisco IDS-4230-FE | Installation Guide - Page 127
Note: The stop block prevents the backward travel of the cable-management arm and supports the … on page 5-30).
  • Cisco IDS-4230-FE | Installation Guide - Page 128
Step 6 Open the wire covers on … Step 7 Connect the power cords to their receptacles on the back panel.
  • Cisco IDS-4230-FE | Installation Guide - Page 129
Note: Although the strain-relief can … (see Figure 5-10). Figure 5-10 Power Cord Strain Relief
  • Cisco IDS-4230-FE | Installation Guide - Page 130
… see Installing the IDS-4235 and IDS-4250, page 5-9. Route the power and I/O cables through the cable-management arm, using four loosely secured releasable tie-wraps … the cables.
  • Cisco IDS-4230-FE | Installation Guide - Page 131
Figure 5-11 Routing Cables. Step 3 Secure the cables to the cable-management arm: a. After connecting the cables to the appliance, unscrew the thumbscrews that secure the front of the appliance to the front vertical …
  • Cisco IDS-4230-FE | Installation Guide - Page 132
You can install the two-post rack kit (part number IDS-RAIL-2=) in a center-mount or flush-mount configuration. The two-post kit incorporates slide assemblies that enable the appliance to be pulled out of the rack for servicing. You must properly secure the two-post, open-frame relay rack to the …
  • Cisco IDS-4230-FE | Installation Guide - Page 133
• Marking the Rack, page 5-35 • Installing … space for each appliance you install in the two-post rack.
  • Cisco IDS-4230-FE | Installation Guide - Page 134
To mark the rack, follow these steps: … shipped with brackets configured for center-mount installation.
  • Cisco IDS-4230-FE | Installation Guide - Page 135
… push the back bracket forward against the vertical two-post rack, and secure the front and rear center-mounting brackets to the rack with two … rack.
  • Cisco IDS-4230-FE | Installation Guide - Page 136
Figure 5-12 Slide Assemblies for Center-Mount Configuration
  • Cisco IDS-4230-FE | Installation Guide - Page 137
… mounting flange faces forward (see Figure 5-13 on page 5-40). Secure each front center-mount bracket (by its nuts and shoulder washers) … bracket.
  • Cisco IDS-4230-FE | Installation Guide - Page 138
Figure 5-13 Rotating the … the back of the vertical two-post rack and secure it to the two-post rail with two 12-24 x 0.5-inch pan …
  • Cisco IDS-4230-FE | Installation Guide - Page 139
Figure 5-14 Installing the Slide Assemblies for Flush-Mount Configuration
  • Cisco IDS-4230-FE | Installation Guide - Page 141
… system running Cisco IDS 4.1 sensor software. … IDS-4250-TX. There are four 10/100/1000 copper sniffing interfaces. Note: The IDS-4250-SX and the IDS-4250-XL are not being replaced by the IPS-4255 at this time.
  • Cisco IDS-4230-FE | Installation Guide - Page 142
… per second, average packet size of 445 bytes, system running Cisco IDS 4.1 sensor software. The 600-Mbps performance is traffic combined from all four sniffing interfaces. Note: The IPS-4240 and the IPS-4255 do not support redundant power supplies. This chapter describes the IPS-4240 and the …
  • Cisco IDS-4230-FE | Installation Guide - Page 143
Figure 6-1 IPS-4240 Front Panel Features (indicators: Power, Status, Flash). Table 6-1 describes the front … being accessed.
  • Cisco IDS-4230-FE | Installation Guide - Page 144
… built-in Ethernet ports, which have two indicators per port. Figure 6-3 Ethernet Port Indicators (MGMT, USB1, USB2; LINK and SPD indicators on ports 0 through 3)
  • Cisco IDS-4230-FE | Installation Guide - Page 145
… Mbps, 1000 Mbps. Specifications: Table 6-3 lists the specifications for the IPS-4240 and IPS-4255. Table 6-3 IPS-4240/IPS-4255 Specifications: Dimensions and … power usage (65 W)
  • Cisco IDS-4230-FE | Installation Guide - Page 146
Table 6-3 IPS-4240/IPS-4255 Specifications (continued): Environment, Temperature … INSTRUCTIONS. Warning: Only trained and qualified personnel should be allowed to install, replace, or service this equipment. Statement 1030
  • Cisco IDS-4230-FE | Installation Guide - Page 147
… to the appliance using the supplied screws. You can attach the brackets to the holes near the front of the appliance. (Figure: Cisco IPS 4240 series Intrusion Prevention Sensor)
  • Cisco IDS-4230-FE | Installation Guide - Page 148
… purposes when you are servicing the system. You can … Step 3 To remove the appliance from the rack, remove the screws that attach the appliance to the rack, and then remove the appliance.
  • Cisco IDS-4230-FE | Installation Guide - Page 149
… should be allowed to install, replace, or service this equipment. Statement 1030. Caution: Be sure to read the safety warnings in the Regulatory Compliance and Safety Information for the Cisco Intrusion Detection System 4200 Series Appliance Sensor and follow proper safety procedures when performing …
  • Cisco IDS-4230-FE | Installation Guide - Page 150
… on the terminal server. See Setting Up a Terminal Server, page 1-9, for the instructions for setting up a terminal server. Step 5 Connect the RJ-45 connector to … the cables.
  • Cisco IDS-4230-FE | Installation Guide - Page 151
… See Initializing the Sensor, page 10-2, for the procedure. Upgrade your appliance with the most recent Cisco IDS software. See Obtaining Cisco IDS Software, … on your appliance.
  • Cisco IDS-4230-FE | Installation Guide - Page 153
… to as the Cisco IDS network module. This chapter contains the following sections: • Specifications, page 7-1 • Software and Hardware Requirements, page 7-2 • Front Panel Features, page 7-5 • Installation and Removal Instructions, page 7-6. Specifications: Table 7-1 lists the specifications for the …
  • Cisco IDS-4230-FE | Installation Guide - Page 154
… IDS and Cisco IDS 4.1 simultaneously. The NM-CIDS supports the following feature sets: • IOS IP/FW/IDS • IOS IP/FW/IDS PLUS IPSEC 56 • IOS IP/FW/IDS PLUS IPSEC 3DES • IOS IP/IPX/AT/DEC/FW/IDS PLUS • IOS ENTERPRISE/FW/IDS PLUS IPSEC 56 • IOS ENTERPRISE/FW/IDS PLUS IPSEC 3DES • IOS Advanced Security …
  • Cisco IDS-4230-FE | Installation Guide - Page 155
Router support for the NM-CIDS: Cisco 2600 series: No; Cisco 2600XM series: Yes; Cisco 2691: Yes; Cisco 3620: No; Cisco 3631: No; Cisco 3640, Cisco 3640A: No; Cisco 3660: Yes; Cisco 3725: Yes; Cisco 3745: Yes. Note: The supported Cisco series routers support only one NM-CIDS per chassis. Table 7-3 lists the hardware specifications for the NM …
  • Cisco IDS-4230-FE | Installation Guide - Page 156
… side. • Console access to the module from the router. • External FE interface, which provides a command and control interface. Figure 7-1 shows the … (front panel labels: IDS, Disk, Flash Memory, NM-CIDS, Fast Ethernet 0)
  • Cisco IDS-4230-FE | Installation Guide - Page 157
Indicator descriptions (LINK, PWR, …): activity on the fast ethernet connection; activity on the IDS hard-disk drive; NM-CIDS has passed self-test and is … CIDS. Interfaces: The router-side fast ethernet interface is known as interface IDS-Sensor. This interface name appears in the show interface and show controller …
  • Cisco IDS-4230-FE | Installation Guide - Page 158
… Cisco IDS Interfaces on the Router, page 10-78, for the procedure for assigning the IP address to gain access to the console and for setting up a loopback address. Installation and Removal Instructions: … session preservation. Note: Cisco 2600, 3600, and 3700 series routers support only one NM-CIDS …
  • Cisco IDS-4230-FE | Installation Guide - Page 159
… • Removing the NM-CIDS, page 7-11 • Blank Network Module Panels, page 7-14. Required Tools: You need the following tools and equipment to install an NM-CIDS in a Cisco … Using OIR Support, page 7-10
  • Cisco IDS-4230-FE | Installation Guide - Page 160
… circuit breaker on the panel board that services the DC circuit, switch the circuit … place until you feel its edge connector mate securely with the connector on the motherboard. Fasten …
  • Cisco IDS-4230-FE | Installation Guide - Page 161
… See Initializing the Sensor, page 10-2, for the procedure. Upgrade your NM-CIDS to the latest Cisco IDS software. See Obtaining Cisco IDS Software, …
  • Cisco IDS-4230-FE | Installation Guide - Page 162
Installing an NM-CIDS Using OIR Support: To install the NM-CIDS using OIR support, follow these steps: Step 1 Align the NM-CIDS with the guides … its edge connector mate securely with the connector on …
  • Cisco IDS-4230-FE | Installation Guide - Page 163
… See Initializing the Sensor, page 10-2, for the procedure. Upgrade your NM-CIDS to the latest Cisco IDS software. See Obtaining Cisco IDS Software, … OIR Support, page 7-13
  • Cisco IDS-4230-FE | Installation Guide - Page 164
… Prepare the NM-CIDS to be powered off by entering: Router# service-module IDS-Sensor slot_number/0 shutdown (sample output: Trying 10.10.10.1, 2129 ... Open). Wait … the procedure).
  • Cisco IDS-4230-FE | Installation Guide - Page 165
… and Cisco 3700 series routers support OIR with similar modules only. If you remove an NM-CIDS, install another NM-CIDS in its place. To remove an NM-CIDS with OIR support, follow these steps: Step 1 Prepare the NM-CIDS to be powered off by entering: Router# service-module IDS-Sensor … Step 2 … Step 3 …
  • Cisco IDS-4230-FE | Installation Guide - Page 166
Note: Either install a replacement NM-CIDS (see Installing an NM-CIDS Using OIR Support, page 7-10 … Panel
  • Cisco IDS-4230-FE | Installation Guide - Page 167
… Requirements, page 8-2 • Supported IDSM-2 Configurations, page 8-3 • Front Panel Description, page 8-4 • Installation and Removal Instructions, page 8-5. Specifications: Table 8-1 lists the specifications for the IDSM-2. Table 8-1 IDSM-2 Specifications: Dimensions (H x W x D), Weight …
  • Cisco IDS-4230-FE | Installation Guide - Page 168
Table 8-1 IDSM-2 Specifications (continued): … Cisco IOS software release 12.2(14)SX1 with supervisor engine 720 • Cisco IDS software release 4.0 or later • Any Catalyst 6500 series switch chassis or 7600 router
  • Cisco IDS-4230-FE | Installation Guide - Page 169
… VACLs. Caution: The Supervisor 1A with PFC2 combination is not supported. Supervisor 2 alone (without PFC2 or MSFC2) is not supported by Catalyst software or Cisco IOS software.
  • Cisco IDS-4230-FE | Installation Guide - Page 170
… port 1. The IDSM-2 has a specific TCP reset interface because it cannot send TCP resets on its sensing ports. If you have reset problems with the IDSM-2, try the … is off.
  • Cisco IDS-4230-FE | Installation Guide - Page 171
… result in data loss. Installation and Removal Instructions: All Catalyst 6500 series switches support hot swapping, which lets you install, … page 8-7 • Removing the IDSM-2, page 8-13
  • Cisco IDS-4230-FE | Installation Guide - Page 172
Required Tools. Note: You must have at least one supervisor engine running in the Catalyst 6500 series switch with the IDSM-2. Refer to the Catalyst 6500 Series Switch Installation Guide … to install, replace, or service this equipment. Statement 1030. Slot …
  • Cisco IDS-4230-FE | Installation Guide - Page 173
Step 3 Remove the installation screws (use a screwdriver, if necessary) that secure the filler plate to the desired slot. Step 4 Remove the filler plate by prying it out carefully.
  • Cisco IDS-4230-FE | Installation Guide - Page 174
(Figure: chassis slots 1 through 9, FAN LED, WS-X6K-SUP1) … and place your other hand under the IDSM-2 carrier to support it.
  • Cisco IDS-4230-FE | Installation Guide - Page 175
Caution: Do not touch the printed circuit boards or … on both ejector levers engage the chassis sides.
  • Cisco IDS-4230-FE | Installation Guide - Page 176
(Figure: WS-SVC-IDSM2 front panel, STATUS, INTRUSION DETECTION MODULE) … Initialize the IDSM-2. See Initializing the Sensor, page 10-2, for the procedure.
  • Cisco IDS-4230-FE | Installation Guide - Page 177
Steps 12 through 15: … Configure the switch for command and control access to the IDSM-2. See Configuring the Catalyst 6500 Series Switch for Command and Control Access to the IDSM-2, page 10-88. Upgrade your IDSM-2 to the most recent Cisco IDS software. See Obtaining Cisco …
  • Cisco IDS-4230-FE | Installation Guide - Page 178
(Sample show module output, fragment) … -63 0.301 4B4LZ0XA 3.0(7)S82; Mod 9: MAC addresses 00-03-fe-aa-c0-d8 to 00-03-fe-aa-c0-df, Hw 0.102, Fw 7.2(1), Sw 4.1(4)S91; Sub-module: IDS 2 accelerator board, WS-SVC-IDSUPG, Hw 2.0, Status Ok
  • Cisco IDS-4230-FE | Installation Guide - Page 179
(Sample show module output, continued) Mod / Online Diag Status: 1 Pass; 2 Pass; 5 Pass; 6 Not Supported; 7 Not Supported … be allowed to install, replace, or service this equipment. Statement 1030. Caution: Before …
  • Cisco IDS-4230-FE | Installation Guide - Page 180
… Cisco IOS software, type: hw-module module module_number shutdown • Shut down the IDSM-2 through IDM or IDS MC … , and perform the instructions for restoring the application … support it.
  • Cisco IDS-4230-FE | Installation Guide - Page 181
Caution: Do not touch the printed circuit boards or connector pins. Step 6 Carefully pull the IDSM-2 straight out of the slot, keeping your other hand under the carrier to guide it. Note: Keep the IDSM-2 at a 90-degree …
  • Cisco IDS-4230-FE | Installation Guide - Page 183
Obtaining Cisco IDS Software: You can find IDS Event Viewer, signature updates, service pack updates, BIOS upgrades, Readmes, and other software updates at Downloads on Cisco.com. Note: You must be logged in to Cisco.com to access Downloads. Periodic signature updates, which also contain Network Security …
  • Cisco IDS-4230-FE | Installation Guide - Page 184
Step 1 through Step 7: Go to Cisco.com. Log in to Cisco.com. Select Technical Support > Downloads. Under Software Products & Downloads, click Cisco Secure Software. Under Cisco Secure Software, click Cisco Intrusion Detection System (IDS). On the Software Center (Downloads) page, locate your sensor, and then under …
  • Cisco IDS-4230-FE | Installation Guide - Page 185
    which software version is installed on your sensor by using the show version command. Figure 9-1 on page 9-4 illustrates what each part of the IDS software file represents:
  • Cisco IDS-4230-FE | Installation Guide - Page 186
    Service Pack Level Signature Level IDS-sig-4.0-2-S44.rpm.pkg-Signature Update IDS-K9-sp-4.0-2-S42.rpm.pkg-Service Pack Update IDS-K9-min-4.1-1-S50.rpm.pkg-Minor Version Update IDS released.
  • Cisco IDS-4230-FE | Installation Guide - Page 187
    • System image files (IDS-4215, IPS-4240, IPS-4255 only)-Full IDS application and recovery image used for reimaging an entire sensor. • Recovery partition image subsequently released service packs.
  • Cisco IDS-4230-FE | Installation Guide - Page 188
    install the files. See Obtaining Cisco IDS Software, page 9-1, for instructions on how to access these files on Cisco.com. Table 9-1 Platform-Independent Release Examples Release Signature update1 Service pack2 Minor version3 Major version4 Supported Target Frequency Identifier Platform Example
  • Cisco IDS-4230-FE | Installation Guide - Page 189
    CD7 IDS-4210 IDS-4220 IDS-4230 IDS-4235 IDS-4250 IDS-42XX-K9-cd-1.1-a-4.0-1-S29.iso 1. The system image includes the combined recovery and application image used to reimage an entire sensor. 2. The application partition image includes the full image for the application partition.
  • Cisco IDS-4230-FE | Installation Guide - Page 190
    You must replace your IDSM (WS-X6381) with the IDSM-2 (WS-SVC-IDSM2-K9), which supports version 4.x. The upgrade from Cisco IDS software version 4.0 to 4.1 is available as a download from Cisco.com. See Obtaining Cisco IDS Software, page 9-1, for the procedure for accessing the Software Center on
  • Cisco IDS-4230-FE | Installation Guide - Page 191
    your sensor and the sensor is unusable after it reboots, you must recover the system image of your sensor. Upgrading a sensor from any Cisco IDS version diagnostics report through IDM.
  • Cisco IDS-4230-FE | Installation Guide - Page 192
    the Network Security Database ( boot options. IDS-4220/4230 customers: Sniffing and DISK 1 WILL BE LOST) - To recover the Cisco IDS 4.0 Application using a serial connection, type: s <
  • Cisco IDS-4230-FE | Installation Guide - Page 193
    command to initialize the appliance. See Initializing the Sensor, page 10-2, for the procedure. Install the most recent service pack and signature update. See Obtaining Cisco IDS Software, page 9-1, for the procedure. Applying for a Cisco.com Account with Cryptographic Access To download software
  • Cisco IDS-4230-FE | Installation Guide - Page 194
    not receive notification. IDS Bulletin You can subscribe to Cisco IDS Active Update Bulletin on Cisco.com to receive e-mails when signature updates and service pack updates occur.
  • Cisco IDS-4230-FE | Installation Guide - Page 195
    following URL: http://www.cisco.com/offer/newsletter/123668_4/ Fill out the required information, as follows: a. Would you like to receive IDS Active Update Bulletin? Select instructions on how to obtain them.
  • Cisco IDS-4230-FE | Installation Guide - Page 196
    IDS Bulletin Chapter 9 Obtaining Software
  • Cisco IDS-4230-FE | Installation Guide - Page 197
    Cisco Intrusion Detection System (IDS) Hardware and Software Version 4.1 Documentation Guide that shipped with your sensor for information on how to access IDS documentation. Note When procedures apply to all IDS sensors, the term "sensor" is used. When a procedure applies to a specific appliance
  • Cisco IDS-4230-FE | Installation Guide - Page 198
    the procedure. Note For support reasons, you should set up the service account after initializing the sensor. See Creating the Service Account, page 10-12, for the procedure.
  • Cisco IDS-4230-FE | Installation Guide - Page 199
    : Console> enable Console> (enable) session module_number • For Cisco IOS software, type the following: Router# session slot slot_number processor 1 b. Session in to the NM-CIDS by typing the following: Router# service-module IDS-Sensor slot_number/port_number session c. Log in to the appliance by
  • Cisco IDS-4230-FE | Installation Guide - Page 200
    hostname sensor telnetOption disabled accessList ipAddress 10.0.0.0 netmask 255.0.0.0 exit timeParams summerTimeParams active-selection none exit exit service webServer time.
  • Cisco IDS-4230-FE | Installation Guide - Page 201
    sensor. The default is 10.1.9.1. Specify the Telnet server status. You can disable or enable Telnet services connect to IDS Device Manager in the format https://sensor ip address:
  • Cisco IDS-4230-FE | Installation Guide - Page 202
    the NTP key ID, and the NTP key value. If you do not have those at this time, you can configure NTP later. See Configuring the Sensor to Use an summertime offset is 60 minutes.
  • Cisco IDS-4230-FE | Installation Guide - Page 203
    Chapter 10 Configuring the Sensor Using the CLI Sensor Initial Configuration Tasks h. Specify the month you the configuration. Enter your selection[2]: 2 Configuration Saved.
  • Cisco IDS-4230-FE | Installation Guide - Page 204
    :E4:6E:FE:22:78:B0:33:0F:5A:F2:4A:13:59 Step 19 Step 20 Step 21 Write down the certificate fingerprints. You will need these to check the authenticity of the certificate when connecting to this sensor with a web browser. Apply the most recent signature update. See Obtaining Cisco IDS Software
  • Cisco IDS-4230-FE | Installation Guide - Page 205
    group, 0, is supported. Depending on the configuration of your sensor, you may need to assign the sensing interface to interface group 0 and enable the interface. Review the following guidelines: • If you purchased a new sensor that shipped with Cisco IDS version 4.1: - The sensor detects the
  • Cisco IDS-4230-FE | Installation Guide - Page 206
    Cisco IDS 4.1 boots. The sensor detects that the command and control interface is an invalid interface for interface group 0. You must use the IDS CLI or other IDS name.
  • Cisco IDS-4230-FE | Installation Guide - Page 207
    mode: sensor(config-ifs)# exit sensor(config)# exit sensor# Note Enabling or disabling the interface group enables or disables all sensing interfaces contained in the group. Sensing Interfaces Table 10-1 on page 10-12 lists the sensing interfaces for each IDS platform.
  • Cisco IDS-4230-FE | Installation Guide - Page 208
    system through the service account affects proper performance and functioning of the other IDS services. TAC does not support a sensor on which additional services have been added.
  • Cisco IDS-4230-FE | Installation Guide - Page 209
    Exit configuration mode: sensor(config)# exit sensor# When you use the service account to log in to the CLI, you receive the following warning: WARNING UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. This account is intended to be used for support and troubleshooting purposes only
  • Cisco IDS-4230-FE | Installation Guide - Page 210
    c. SSH or Telnet to the NM-CIDS: ssh ip_address service-module IDS-Sensor slot_number/0 session telnet ip_address service-module IDS-Sensor slot_number/0 session
  • Cisco IDS-4230-FE | Installation Guide - Page 211
    for a specific user: sensor(config)# password tester Enter New Login Password: ****** Re-enter New Login Password: ****** Note This example modifies the password for the user "tester."
  • Cisco IDS-4230-FE | Installation Guide - Page 212
    to create the service account. See "Creating the Service Account" section on page 10-12. To add a user, follow these steps: Step 1 Step 2 Log in to the CLI using an account with administrator privileges. Enter configuration mode: sensor# configure terminal
  • Cisco IDS-4230-FE | Installation Guide - Page 213
    . To remove a user, follow these steps: Step 1 Step 2 Log in to the CLI using an account with administrator privileges. Enter configuration mode: sensor# configure terminal
  • Cisco IDS-4230-FE | Installation Guide - Page 214
    Enter Service host mode: sensor(config)# service host Enter configuration mode for network parameters: sensor(config-Host)# networkParams Specify the allowed host: sensor(config-Host-net)# accessList ipAddress ip_address The IP address is now in the list of trusted hosts.
  • Cisco IDS-4230-FE | Installation Guide - Page 215
    (config)# ssh host-key ip_address For example, to add the remote host 10.16.0.0 to the SSH known hosts list, type the following command: sensor(config)# ssh host-key 10.16.0.0
  • Cisco IDS-4230-FE | Installation Guide - Page 216
    : rsa1Keys (min: 0, max: 500, current: 0) Exit service mode for SSH known hosts: sensor(config-SshKnownHosts)# exit You are prompted to apply the changes: Apply Changes:?[yes]:
  • Cisco IDS-4230-FE | Installation Guide - Page 217
    terminal Enter service host mode: sensor(config)# service host Enter time configuration parameters mode: sensor(config-Host)# timeParams Type the NTP server's IP address: sensor(config-Host-tim)# ntp ipAddress ip_address For example: sensor(config-Host-tim)# ntp ipAddress 10.16.0.0
  • Cisco IDS-4230-FE | Installation Guide - Page 218
    ID: sensor(config-Host-tim-ntp)# keyId key_ID The key ID is a number between 1 and 65535. This is the key ID that you already set up on the NTP server. See Step 3 of Configuring a Cisco sensor supports only the MD5 hash algorithm for key encryption. Use the following procedure to activate a Cisco
  • Cisco IDS-4230-FE | Installation Guide - Page 219
    -key key-ID The trusted key ID is the same number as the key ID in Step 3. For example: router(config)# ntp trusted-key 100 Type the interface on the router that the sensor will communicate with:
  • Cisco IDS-4230-FE | Installation Guide - Page 220
    to the sensor: router(config • Displaying Tech Support Information, page 10 IDS processes running on the system. To view the configuration for the entire system, use the more current-config command.
  • Cisco IDS-4230-FE | Installation Guide - Page 221
    : sensor# show version Application Partition: Cisco Systems Intrusion Detection Sensor, Version 4.1(3)S61 OS Version 2.4.18-5smpbigphys Platform: IDS-4235 Sensor up CLI prompt.
  • Cisco IDS-4230-FE | Installation Guide - Page 222
    information (similar to the following) appears: sensor# more current-config service Authentication general methods method Local exit exit exit service Host networkParams
  • Cisco IDS-4230-FE | Installation Guide - Page 223
    10 Configuring the Sensor Using the CLI Sensor Administrative Tasks ipAddress keyId 2 keyValue test exit exit exit service Logger masterControl enable-debug false exit zoneControl --MORE--
  • Cisco IDS-4230-FE | Installation Guide - Page 224
    in a backup file. Display the backup configuration file: sensor# more backup-config The backup configuration file is displayed. specific time or of a specific severity, and you can delete all events.
  • Cisco IDS-4230-FE | Installation Guide - Page 225
    the event. New events are displayed as they occur. Display events from a specific time: sensor# show events hh:mm month day year For example, show events 14:00 began in the past:
  • Cisco IDS-4230-FE | Installation Guide - Page 226
    all applications and reboot the appliance, follow these steps; otherwise, to power down the appliance, skip to Step 3. a. Reset the appliance: sensor# reset A warning appears:
  • Cisco IDS-4230-FE | Installation Guide - Page 227
    to a specific URL to use as a troubleshooting tool with TAC. To display tech support information, follow these steps: Step 1 Step 2 Log in to the CLI using an account with administrator privileges. View the optional parameters for the show tech-support command: sensor# show tech-support ?
  • Cisco IDS-4230-FE | Installation Guide - Page 228
    . • scp:-Destination URL for the Secure Copy Protocol (SCP) network server. The sensor# show tech support dest ftp://[email protected]//absolute/reports/sensor1Report.html The password: prompt appears.
  • Cisco IDS-4230-FE | Installation Guide - Page 229
    statistics. Step 3 Show the statistics of the service you are interested in: sensor# show statistics {Authentication | EventServer | EventStore | by subscriptions and queries = 0
  • Cisco IDS-4230-FE | Installation Guide - Page 230
    clear option is not available for Host or NetworkAccess statistics. sensor# show statistics EventStore clear Event store statistics General information about counters are reset.
  • Cisco IDS-4230-FE | Installation Guide - Page 231
    Signatures This section describes how to configure signatures on the sensor. This section contains the following topics: • Configuring Alarm Channel represents a variable.
  • Cisco IDS-4230-FE | Installation Guide - Page 232
    value for that variable. For example, to set the value of system variable SIG1 to 2001-2006, type the following command: sensor(config-acc-virtualAlarm-sys)# SIG1 2001-2006
  • Cisco IDS-4230-FE | Installation Guide - Page 233
    is displayed. Exit alarm channel configuration mode: sensor(config-acc)# exit sensor(config)# Configuring Alarm Channel Event Filters The have entered represents a variable.
  • Cisco IDS-4230-FE | Installation Guide - Page 234
    sensor# configure terminal Enter alarm channel configuration mode: sensor(config)# service alarm-channel-configuration virtualAlarm Enter tune alarm channel submode: sensor IDs of
  • Cisco IDS-4230-FE | Installation Guide - Page 235
    terminal Enter service virtual sensor configuration mode: sensor(config)# service virtual-sensor-configuration virtualSensor Enter tune micro-engines mode: sensor(config-vsc)# tune-micro-engines
  • Cisco IDS-4230-FE | Installation Guide - Page 236
    service (client and server) alarms. SERVICE.MSSQL Microsoft (R) SQL service inspection engine SERVICE.NTP Network Time Protocol based signature engine SERVICE.RPC RPC SERVICE analysis engine
  • Cisco IDS-4230-FE | Installation Guide - Page 237
    the parameters for that specific signature engine: sensor(config-vsc-virtualSensor-SER)# show settings SERVICE.NTP version: 4.0 signatures (min: 0, max: 1000, current: 1
  • Cisco IDS-4230-FE | Installation Guide - Page 238
    but you cannot add or delete variables. You cannot change the name or type of a variable. Only one virtual sensor is supported; therefore, you cannot select the virtual sensor.
  • Cisco IDS-4230-FE | Installation Guide - Page 239
    number of fragments the system will queue from the default value (10000) to 5000, type the following command: sensor(config-vsc-virtualSensor-sys)# IPReassembleMaxFrags 5000
  • Cisco IDS-4230-FE | Installation Guide - Page 240
    as IPReassembleMaxFrags: 10000 . Exit system variable mode: sensor(config-vsc-virtualSensor-sys)# exit sensor(config-vsc-virtualSensor)# exit Apply Changes?:[yes]:
  • Cisco IDS-4230-FE | Installation Guide - Page 241
    signature. Note Refer to the IDS Event Viewer documentation for more sensor# configure terminal Enter virtual sensor configuration mode: sensor(config)# service virtual-sensor-configuration virtualSensor
  • Cisco IDS-4230-FE | Installation Guide - Page 242
    signature engines by typing a question mark (?) at the sensor(config-vsc-virtualSensor)# prompt. Step 6 For example, to tune a simple UDP packet alarm, > ShortUDPLength:
  • Cisco IDS-4230-FE | Installation Guide - Page 243
    Chapter 10 Configuring the Sensor Using the CLI Sensor Configuration Tasks SigComment: SigName: Back Door (UDP 2140) SigStringInfo : 30 WantFrag
  • Cisco IDS-4230-FE | Installation Guide - Page 244
    specific signature: sensor(config-vsc-virtualSensor-ATO)# signature SIGID signature ID For example, to tune signature ID 9019, type the following command: sensor( submode
  • Cisco IDS-4230-FE | Installation Guide - Page 245
    example, to change the destination port for signature ID 9019 from the default 2140 to 2139, type the following command: sensor(config-vsc-virtualSensor-ATO-sig)# dstport 2139
  • Cisco IDS-4230-FE | Installation Guide - Page 246
    virtual sensor configuration mode: sensor(config-vsc)# exit sensor(config)# IP Logging You can manually configure the sensor to sensor stops logging IP traffic at the first parameter you specify.
  • Cisco IDS-4230-FE | Installation Guide - Page 247
    56. To manually log packets for a specific IP address specific IP address: sensor# iplog group-id ip-address [duration minutes] [packets numPackets] [bytes numBytes] Note There is only one interface group, 0.
  • Cisco IDS-4230-FE | Installation Guide - Page 248
    to specify all three. However, if you include more than one parameter, the sensor continues logging only until the first threshold is reached. For example, if you set 263 Log ID: 137857513
  • Cisco IDS-4230-FE | Installation Guide - Page 249
    packets for a specific signature, follow these sensor(config-vsc-virtualSensor)# prompt. For example, to tune a simple UDP packet alarm, type the following command: sensor(config-vsc-virtualSensor)# ATOMIC.UDP
  • Cisco IDS-4230-FE | Installation Guide - Page 250
    following command to configure the parameters for a specific signature and subsignature: sensor(config-vsc-virtualSensor-ATO)# signature SIGID signature ID SubSig SubSig ID For example, to tune signature ID 9019, type the following command: sensor(config-vsc-virtualSensor-ATO)# signature sigID 9019
  • Cisco IDS-4230-FE | Installation Guide - Page 251
    log ID of the session you want to disable by using the iplog-status command: sensor# iplog-status Log ID: 137857512 sensor# no iplog 137857512 To disable all IP logging sessions: sensor# no iplog sensor#
  • Cisco IDS-4230-FE | Installation Guide - Page 252
    the status reads completed for the log ID of the log file that you want to copy: sensor# iplog-status Log ID: 137857506 IP Address: 10.16.0.0 Group http://www.tcpdump.org/.
  • Cisco IDS-4230-FE | Installation Guide - Page 253
    75 • How to Set up Manual Blocking and How to Unblock, page 10-76 Understanding Blocking NAC, the blocking application on the sensor, starts and stops blocks on routers to a host block.
  • Cisco IDS-4230-FE | Installation Guide - Page 254
    the Sensor Using the CLI On Cisco routers need the following information for NAC to manage a device: • Login user ID • Login password • Enable password (not needed if the user has enable , type show statistics networkAccess at the sensor#. The output shows the devices you are managing, any active blocks,
  • Cisco IDS-4230-FE | Installation Guide - Page 255
    The NAC service supports up to 250 devices in any combination. The following devices are supported by NAC: • Cisco series routers using Cisco IOS 11.2 or later (ACLs): - Cisco 1600 series router - Cisco 1700 series router - Cisco 2500 series router - Cisco 2600 series router - Cisco 3600 series
  • Cisco IDS-4230-FE | Installation Guide - Page 256
    10 Configuring the Sensor Using the CLI VACLS, or the shun command. All PIX Firewall models support the shun command. Configuring Blocking Properties You can change procedures. This section contains the following topics: • Allowing the Sensor to Block Itself, page 10-61 • Disabling Blocking, page 10
  • Cisco IDS-4230-FE | Installation Guide - Page 257
    )# exit sensor(config-NetworkAccess)# exit Apply Changes:?[yes]: Type yes to apply changes. Note To reverse this procedure, follow the steps but change the value in Step 5 from true to false.
  • Cisco IDS-4230-FE | Installation Guide - Page 258
    )# exit sensor(config-NetworkAccess)# exit Apply Changes:?[yes]: Type yes to apply changes. Note To enable blocking, follow the steps but change the value in Step 5 from false to true.
  • Cisco IDS-4230-FE | Installation Guide - Page 259
    -gen)# shun-max-entries value Exit general submode: sensor(config-NetworkAccess-gen)# exit sensor(config-NetworkAccess)# exit Apply Changes:?[yes]: Type yes to apply changes.
  • Cisco IDS-4230-FE | Installation Guide - Page 260
    of the shun event in minutes (0-4294967295). Exit shun event submode: sensor(config-vsc-VirtualSensor-Shu)# exit sensor(config-vsc-VirtualSensor)# exit Apply Changes:?[yes]:
  • Cisco IDS-4230-FE | Installation Guide - Page 261
    . Enter configuration mode: sensor# configure terminal Enter network access mode: sensor(config)# service networkAccess Enter general submode: sensor(config-NetworkAccess)# general
  • Cisco IDS-4230-FE | Installation Guide - Page 262
    to the CLI using an account with administrator privileges. Enter configuration mode: sensor# configure terminal Enter Network Access mode: sensor(config)# service networkAccess
  • Cisco IDS-4230-FE | Installation Guide - Page 263
    as follows: 1. A permit line with the sensor's IP address, or if specified, the NAT address Note If you permit the sensor to be blocked, this line does not appear in the ACL.
  • Cisco IDS-4230-FE | Installation Guide - Page 264
    a sensor to manage a Cisco router, follow these steps: Step 1 Step 2 Log in to the CLI using an account with administrator privileges. Enter configuration mode: sensor# configure terminal
  • Cisco IDS-4230-FE | Installation Guide - Page 265
    access mode: sensor(config)# service networkAccess Set the IP address for the router controlled by NAC: sensor(config-NetworkAccess)# sensor(config-NetworkAccess-rou-shu)# post-acl-name post_shun_acl_name
  • Cisco IDS-4230-FE | Installation Guide - Page 266
    logical device exists. Designate the method used to access the sensor: sensor(config-NetworkAccess-cat)# communication telnet/ssh-des/ssh-3des If unspecified, SSH 3DES is used.
  • Cisco IDS-4230-FE | Installation Guide - Page 267
    cat)# exit sensor(config-NetworkAccess)# exit sensor(config)# exit Apply Changes:?[yes]: Note You receive an error if the logical device name does not exist. Step 11 Type yes to apply changes.
  • Cisco IDS-4230-FE | Installation Guide - Page 268
    configure the sensor to manage a Cisco PIX Firewall, follow these steps: Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Log in to the CLI using an account with administrator privileges. Enter configuration mode: sensor# configure terminal Enter network access mode: sensor(config)# service networkAccess
  • Cisco IDS-4230-FE | Installation Guide - Page 269
    Blocking forwarding sensors are not normally configured to manage network devices, although doing so is permissible. Caution Only one sensor should control all blocking interfaces on a device.
  • Cisco IDS-4230-FE | Installation Guide - Page 270
    -mas)# mbs-username username Specify the password for the user: sensor(config-networkAccess-gen-mas)# mbs-password Enter mbs-password []: ***** Re-enter mbs-password []: *****
  • Cisco IDS-4230-FE | Installation Guide - Page 271
    for NAC: sensor# show statistics networkAccess Current Configuration AllowSensorShun = false ShunMaxEntries = 250 NetDevice Type = Cisco IP = 10.89.150.160 NATAddr = 0.0.0.0 Communications = telnet
  • Cisco IDS-4230-FE | Installation Guide - Page 272
    the Sensor Using the IDS MC to delete blocks created by the CLI. Manual blocks have to be removed in the CLI. Caution We recommend that you use manual blocking on a very limited basis, if at all.
  • Cisco IDS-4230-FE | Installation Guide - Page 273
    terminal Enter network access mode: sensor(config)# service networkAccess Enter general mode: sensor (config-NetworkAccess)# general Start the manual block for a host IP address: sensor (config-NetworkAccess-gen)# shun-hosts ip-address ip_address Note You must end the manual block in the CLI or it
  • Cisco IDS-4230-FE | Installation Guide - Page 274
    -85 • Supported Cisco IOS Commands, page 10-86 Configuring Cisco IDS Interfaces on the Router The NM-CIDS differs from a standalone appliance because it does not have an external console port. Console access to the NM-CIDS is enabled when you issue the command service-module ids-module slot_number
  • Cisco IDS-4230-FE | Installation Guide - Page 275
    . Router(config)# interface ids-sensor 1/0 Router(config-if)# ip unnumbered loopback 0 Activate the port: Router(config-if)# no shutdown Exit configuration mode: Router(config-if)# end
  • Cisco IDS-4230-FE | Installation Guide - Page 276
    to establish a session in the NM-CIDS (in slot 1 in this example): Router# service-module ids-sensor 1/0 session A Telnet session is initiated: Trying 10.16.0.0, 2033 ... Open
  • Cisco IDS-4230-FE | Installation Guide - Page 277
    the session, the session remains running. The open session can be exploited by someone wanting to take advantage of a connection that is still in place.
  • Cisco IDS-4230-FE | Installation Guide - Page 278
    Step 3 Step 4 Step 5 Exit the session: sensor# exit Suspend and close the session to the NM the loopback 0 interface in Configuring Cisco IDS Interfaces on the Router, page 10
  • Cisco IDS-4230-FE | Installation Guide - Page 279
    Cisco IOS provides the following commands to control the NM-CIDS: shutdown, reload, and reset: • shutdown-Brings the operating system down gracefully: Router# service-module ids-sensor
  • Cisco IDS-4230-FE | Installation Guide - Page 280
    Configuration Tasks Chapter 10 Configuring the Sensor Using the CLI Setting Up Packet ids-service-module monitoring Note Use the command no ids-service-module monitoring to turn off monitoring.
  • Cisco IDS-4230-FE | Installation Guide - Page 281
    Cisco IDS Software To check the status of the Cisco IDS software running on the router: Router# service-module ids-sensor slot_number/0 status Something similar to the following output appears: Router# service-module ids-sensor 1/0 status Service Module is Cisco IDS-Sensor1/0 Service Module supports
  • Cisco IDS-4230-FE | Installation Guide - Page 282
    Detection System Network Module Software version: 4.1(1)S42(0.3) Model: NM-CIDS Memory: 254676 KB Supported Cisco IOS Commands The following Cisco IOS command is new to support the NM-CIDS: service-module ids-sensor slot_number/0 The slot number can vary, but the port is always 0. These options are
  • Cisco IDS-4230-FE | Installation Guide - Page 283
    now remove the NM-CIDS. - Router# service-module ids-sensor slot_number/0 status Provides information on the status of the Cisco IDS software. • Configure interfaces mode Router(config-if)# ids-service-module monitoring You can enable IDS monitoring on a specified interface (or subinterface). Both
  • Cisco IDS-4230-FE | Installation Guide - Page 284
    more information. 6. Configure intrusion detection. See Sensor Configuration Tasks, page 10-35, and IDS manager documentation. See the Cisco Intrusion Detection System (IDS) Hardware and Software Version 4.1 Documentation Guide that shipped with your IDSM-2 for instructions on how to locate these
  • Cisco IDS-4230-FE | Installation Guide - Page 285
    IDSM-2 Configuration Tasks This section contains the following topics: • Catalyst Software, page 10-89 • Cisco IOS mode: Router# configure terminal
  • Cisco IDS-4230-FE | Installation Guide - Page 286
    Step 3 Step IDS traffic. The section contains the following topics: • Catalyst Software, page 10-91 • Cisco IOS Software, page 10-91
  • Cisco IDS-4230-FE | Installation Guide - Page 287
    Configuring the Sensor Using the vlans...] Note Use the filter keyword and variable to monitor traffic on specific VLANs on source trunk ports. Step 4 Step 5 Enable SPAN to Series Switch Command Reference for more information on SPAN. Cisco IOS Software To enable SPAN on the IDSM-2, follow these
  • Cisco IDS-4230-FE | Installation Guide - Page 288
    Step 3 IDS traffic. This section contains the following topics: • Catalyst Software, page 10-93 • Cisco IOS Software, page 10-94
  • Cisco IDS-4230-FE | Installation Guide - Page 289
    and trunk all VLANs on which a security ACL has been applied with the capture feature. If you want to monitor traffic from specific VLANs only, you need to clear the any any
  • Cisco IDS-4230-FE | Installation Guide - Page 290
    Note Refer to Catalyst 6500 Series Switch Command Reference for more information on trunk ports and ACLs. Cisco IOS Software To set VACLs to capture IDS }
  • Cisco IDS-4230-FE | Installation Guide - Page 291
    IDSM-2 Configuration Tasks Step 6 Step 7 Step action forward capture . . . ip access-list extended MATCHALL permit ip any any
  • Cisco IDS-4230-FE | Installation Guide - Page 292
    Using the mls ip ids Command for Capturing IDS Traffic This section describes how to use the mls ip ids command to capture IDS traffic. This section contains the following topics: • Catalyst Software, page 10-96 • Cisco IOS Software, page 10-97
  • Cisco IDS-4230-FE | Installation Guide - Page 293
    mls ip ids command to capture IDS traffic, follow these steps: Step 1 Step 2 Step 3 Log in to the console. Enter privileged mode: Router> enable Enter configuration mode: Router# configure terminal
  • Cisco IDS-4230-FE | Installation Guide - Page 294
    Step 4 Step 5 Step 6 Configure an references found on Cisco.com. See the Cisco Intrusion Detection System (IDS) Hardware and Software Version 4.1 Documentation Guide that shipped with your IDSM-2 for instructions on how to
  • Cisco IDS-4230-FE | Installation Guide - Page 295
    IDSM-2 Configuration Tasks • Cisco IOS Software Commands, page 10-106 12 minutes.
  • Cisco IDS-4230-FE | Installation Guide - Page 296
    To enable a full memory test, follow these steps: device command can either contain cf:1 or hdd:1.
  • Cisco IDS-4230-FE | Installation Guide - Page 297
    IDSM-2 Configuration Tasks Step 3 Step 4 The following partition: Console> (enable) reset module_number [hdd:1/cf:1]
  • Cisco IDS-4230-FE | Installation Guide - Page 298
    Note the instructions for restoring the application partition. See Reimaging the IDSM-2, page 10-124, for the procedure. Cisco IOS
  • Cisco IDS-4230-FE | Installation Guide - Page 299
    6500 Series Command References found on Cisco.com. This section contains the following topics: • Supported Supervisor Engine Commands, page 10-103 • Unsupported Supervisor Engine Commands, page 10-105 Supported Supervisor Engine Commands The IDSM-2 also supports the following supervisor engine CLI
  • Cisco IDS-4230-FE | Installation Guide - Page 300
    • set port name module_number Configures the name for the 2) and the BIOS and CMOS boot results.
  • Cisco IDS-4230-FE | Installation Guide - Page 301
    port protocol • set port qos • set port rsvp • set port security • set port speed • set port trap • set protocolfilter • set rgmp • set snmp • set spantree • set udld • set vtp
  • Cisco IDS-4230-FE | Installation Guide - Page 302
    IOS software commands, refer to the command references found on Cisco.com. See the Cisco Intrusion Detection System (IDS) Hardware and Software Version 4.1 Documentation Guide that shipped with your sensor for instructions on how to locate these documents. This section contains the following topics
  • Cisco IDS-4230-FE | Installation Guide - Page 303
    IDSM-2 Configuration Tasks • session slot slot_number processor • show vlan access-map Displays all current VLAN access maps.
  • Cisco IDS-4230-FE | Installation Guide - Page 304
    Configuration id rx | tx | both] Sets the sources for a SPAN session. - no power enable module slot_number Shuts down the IDSM-2 and removes power.
  • Cisco IDS-4230-FE | Installation Guide - Page 305
    IDSM-2 Configuration Tasks - power enable module slot_number {1-199 | 1300-2699 | acl_name} Specifies filtering in the VACL.
  • Cisco IDS-4230-FE | Installation Guide - Page 306
    sensor again. See Initializing the Sensor, page 10-2, for the procedure. After you initialize your sensor, upgrade your sensor with the most recent signature updates and service packs. See Obtaining Cisco IDS system image on the IDS-4215, IPS-4240, -112 • Installing the IDS-4215 System Image, page
  • Cisco IDS-4230-FE | Installation Guide - Page 307
    the original factory image from the recovery partition. You must now initialize the appliance with the setup command. See Initializing the Sensor, page 10-2, for the procedure.
  • Cisco IDS-4230-FE | Installation Guide - Page 308
    to an SCP or FTP server. See Obtaining Cisco IDS Software, page 9-1, for instructions on how to access the Software Center on Cisco.com. Log in to the sensor CLI. Enter configuration mode: sensor# configure terminal Upgrade the recovery partition: sensor(config)# upgrade scp://user@server_ipaddress
  • Cisco IDS-4230-FE | Installation Guide - Page 309
    the file IDS-4215-bios-5.1.7-rom-1.4.bin available for download at the following URL: http://www.cisco.com/cgi-bin/tablebuild.pl/ids-software/network/tftp/
  • Cisco IDS-4230-FE | Installation Guide - Page 310
    recover the sensor by IDS-4215 0: i8255X @ PCI(bus:0 dev:13 irq:11) 1: i8255X @ PCI(bus:0 dev:14 irq:11) Using 1: i82557 @ PCI(bus:0 dev:14 irq:11), MAC: 0000.c0ff.ee01 Use ? for help. rommon>
  • Cisco IDS-4230-FE | Installation Guide - Page 311
    IP address for the local port on the IDS-4215: rommon> ip_address Note Select an unused IP address on the sensor's local network that can access the TFTP /filename>
  • Cisco IDS-4230-FE | Installation Guide - Page 312
    For example, for UNIX: rommon> file /tftpboot/IDS-4215-K9-sys-4.1-4-S91a.img For example, for Windows: rommon> file C:\\IDS /tftp/
  • Cisco IDS-4230-FE | Installation Guide - Page 313
    IDS-4240. The file is available for download at the following URL: http://www.cisco sensor • Server-TFTP server IP address where the application image is stored • Gateway-Gateway IP address used by the sensor
  • Cisco IDS-4230-FE | Installation Guide - Page 314
    an IP address for the local port on the IDS-4240: rommon> ip_address Note Select an unused IP address on the sensor's local network that can access the TFTP server.
  • Cisco IDS-4230-FE | Installation Guide - Page 315
    specified IMAGE on the sensor. Be sure to use a valid sensor image. Reimaging the NM Cisco.com. See Obtaining Cisco IDS Software, page 9-1, for the procedure for accessing the Software Center on Cisco.com.
  • Cisco IDS-4230-FE | Installation Guide - Page 316
    not see this prompt, try Ctrl-6 x. Reset the NM-CIDS: Router# service-module ids-sensor slot_number/0 reset You are prompted to confirm the reset command. Press Enter to .
  • Cisco IDS-4230-FE | Installation Guide - Page 317
    Reimaging Appliances and problems. When the TFTP load actually begins, a spinning character is displayed to indicate packets arriving from the TFTP server.
  • Cisco IDS-4230-FE | Installation Guide - Page 318
    is launched: Cisco Systems, Inc. Services engine helper secure shell server IP address. d. Type the full pathname of recovery image: full pathname of recovery image: /path /NM-CIDS-K9-a-4.1-1-S42.bin
  • Cisco IDS-4230-FE | Installation Guide - Page 319
    Reimaging Appliances and Modules e. Type y to continue: Ready S42.bin d. Type y to continue. Ready to begin Are you sure? y/n
  • Cisco IDS-4230-FE | Installation Guide - Page 320
    Sensor [1234rh]: r About to exit and reset Services Engine. Are you sure? [y/N] Step 16 Type y to the setup command. See Initializing the Sensor, page 10-2. Reimaging the IDSM-2 setup command. See Initializing the Sensor, page 10-2, for the Catalyst software and Cisco IOS software. This
  • Cisco IDS-4230-FE | Installation Guide - Page 321
    Center on Cisco.com and copy it to an FTP server. See Obtaining Cisco IDS Software, page 9-1, for instructions on how to access the Software Center on Cisco.com. Log switch CLI.
  • Cisco IDS-4230-FE | Installation Guide - Page 322
    4 Step 5 Step 6 Step 7 Obtain the application partition file from Software Center on Cisco.com and copy it to an FTP server. See Obtaining Cisco IDS Software, page 9-1, for instructions on how to access the Software Center on Cisco.com. Log in to the switch CLI. Boot the IDSM-2 to the maintenance
  • Cisco IDS-4230-FE | Installation Guide - Page 323
    Initialize the IDSM-2. See Initializing the Sensor, page 10-2, for the procedure. Cisco IDS Software, page 9-1, for instructions on how to access the Software Center on Cisco.com. Log in to the IDSM-2 CLI.
  • Cisco IDS-4230-FE | Installation Guide - Page 324
    Step 3 Step 4 Step 5 Enter configuration mode: sensor# configure terminal Reimage the maintenance partition: sensor on Cisco.com and copy it to an SCP or FTP server. See Obtaining Cisco IDS Software, page 9-1, for instructions on how to access the Software Center on Cisco.com.
  • Cisco IDS-4230-FE | Installation Guide - Page 325
    Step 6 Step 7 Specify the FTP server password: Password: ******** You are prompted to continue: Continue with upgrade? : Type yes to continue. Reimaging Appliances and Modules
  • Cisco IDS-4230-FE | Installation Guide - Page 326
  • Cisco IDS-4230-FE | Installation Guide - Page 327
    System Overview You can install Cisco IDS software on two platforms: the appliances and the modules (see Supported Sensors, page 1-16, for a New Features in Version 4.x, page A-6
  • Cisco IDS-4230-FE | Installation Guide - Page 328
    [Figure residue: IDS 4.x component diagram. Recoverable labels: Sensor (IDAPI); EventServer/CT Server/IDM Web Server reached over RDEP (HTTP/SSL); NotificationApp sending SNMP traps to an SNMP server; Master Blocking Sensor; IEV/MDC and browsers as clients.]
  • Cisco IDS-4230-FE | Installation Guide - Page 329
    such as Security Monitor. - Transaction server-Allows external management applications such as the IDS MC to send control transactions to the sensor. - IP log server-Used to serve IP logs to external systems.
  • Cisco IDS-4230-FE | Installation Guide - Page 330
    with their current status. sensor# show version Application Partition: Cisco Systems Intrusion Detection Sensor, Version 4.1(3)S61 OS Version 2.4.18-5smpbigphys Platform: IDS-4235
  • Cisco IDS-4230-FE | Installation Guide - Page 331
    monitors network traffic. After initially installing the IDS on the network, you can tune it until it is operating efficiently and only producing information you think is useful.
  • Cisco IDS-4230-FE | Installation Guide - Page 332
    new features appear in the IDS 4.x system architecture: • XML documents replace tokens and configuration files. Sensor configuration, control, log, and event information are communicated and stored in XML documents as directed by the IDIOM specification. • RDEP replaces postoffice protocol. RDEP
  • Cisco IDS-4230-FE | Installation Guide - Page 333
    to support more sensors - Provides better support for large scale sensor deployment and management • Version 4.x has the following security enhancements: - The CLI replaces the OS shell access. - Multi-user support with multi-level permissions (administrator, operator, viewer, service) replaces
  • Cisco IDS-4230-FE | Installation Guide - Page 334
    and IDAPI. 4. Open status event subscription. 5. Start the IDS applications (the order is specified in the static configuration). 6. Wait transaction requests, and service them as received.
  • Cisco IDS-4230-FE | Installation Guide - Page 335
    itself and all IDS components and applications down in the following sequence: 1. Deregister control transaction requests. 2. Stop the update scheduler. 3. Open evStatus event subscription.
  • Cisco IDS-4230-FE | Installation Guide - Page 336
    of each installed upgrade • Platform version (for example, IDS-4240, WS-SVC-IDSM2) • Version of sensor build on the other partition MainApp also gathers the host statistics.
  • Cisco IDS-4230-FE | Installation Guide - Page 337
    different signature behavior and traffic feeds, at this time IDS 4.x only supports one virtual sensor. Note The legacy application is packetd. • Kernel ranges or sets of values.
  • Cisco IDS-4230-FE | Installation Guide - Page 338
    which authentication methods are used by AuthenticationApp and other access services on the sensor This section contains the following topics: • Authenticating Users, if the
  • Cisco IDS-4230-FE | Installation Guide - Page 339
    on the sensor to establish appropriate security for user access. When you install a sensor, an initial cisco account with an expired password is created. A user with administrative access to the sensor accesses the sensor through the CLI or an IDS manager by logging in to the sensor using the
  • Cisco IDS-4230-FE | Installation Guide - Page 340
    IDS supports two encryption protocols, SSH and TLS, and AuthenticationApp helps manage trust when the sensor an sensor through the Microsoft Internet Explorer (MSIE) web browser, a security warning
  • Cisco IDS-4230-FE | Installation Guide - Page 341
    IP address and trust the new certificate. By using the SSH known hosts and TLS trusted certificates services in AuthenticationApp, you can operate sensors at a high level of security. LogApp The sensor logs all events (alert, error, status, and debug messages) in a persistent, circular buffer. The
  • Cisco IDS-4230-FE | Installation Guide - Page 342
    tech support command service at the request and supervision of a TAC engineer or developer. For troubleshooting specific host IP address or network address. Note The legacy application is managed.
  • Cisco IDS-4230-FE | Installation Guide - Page 343
    NAC application. The NAC application on the master blocking sensor then interacts with the devices it is managing to enable the block. Figure A-2 illustrates the NAC application.
  • Cisco IDS-4230-FE | Installation Guide - Page 344
    [Figure A-2 residue: NAC application. Recoverable labels: CT Source, CT Response, Master Blocking Sensor, Routers/PIX Firewalls, Block CT.] Block manually through the CLI, IDM, or the IDS MC • A block configured permanently against a host or network address
  • Cisco IDS-4230-FE | Installation Guide - Page 345
    ACL or after any blocks by specifying a postblock ACL. The Catalyst 6000 VACL device types can have a preblock and postblock VACL specified for each interface
  • Cisco IDS-4230-FE | Installation Guide - Page 346
    and Catalyst 6000 MSFC2 network devices are supported in the same way as Cisco routers. See ACLs and VACLs, page A-22, for more information. • Forwarding blocks to a list of remote sensors NAC can forward blocks to a list of remote sensors, so that multiple sensors can in effect collectively control
  • Cisco IDS-4230-FE | Installation Guide - Page 347
    Two types of blocking: NAC supports host blocks and network blocks. Network Address Translation (NAT) address for the sensor: if you specify a NAT address, it is used instead of the local IP address when the sensor address is filtered from blocks on that device. NAC is configured through the IDS CLI or any IDS manager. When NAC
  • Cisco IDS-4230-FE | Installation Guide - Page 348
    active blocks at a time. Although NAC can support up to 65535 blocks, we recommend that defined. The ACLs maintained by NAC have a specific format that should not be used by user-defined
  • Cisco IDS-4230-FE | Installation Guide - Page 349
    time is not changed while NAC is not running. Caution Do not make manual changes to the nac.shun.txt file. The following scenarios demonstrate how following order: 1. The allow sensor_ip_address command (unless the allow sensor shun command has been configured) 2. Preblock ACL 3. The always block
  • Cisco IDS-4230-FE | Installation Guide - Page 350
    The allow sensor_ip_address command (unless the allow sensor shun command has been configured) 2. The always -Based and Unconditional Blocking NAC supports two types of blocking for
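    The ordering rules above decide what the ACL that NAC writes to a router looks like, and getting them wrong is how a sensor blocks its own management path. The function below is an added example, not code from the Cisco guide or from NAC itself: it assembles the entries in the order the guide lists for a Cisco router, a permit for the sensor's own address (omitted when allow sensor shun is configured), then the preblock ACL, then the always-block entries. The remaining steps are assumptions modelled on the guide's description of preblock and postblock ACLs: active blocks follow the always-block entries, the postblock ACL comes last, and a trailing `permit ip any any` is appended only when no postblock ACL exists. Skipping a block that covers the sensor's own address mirrors the statement that the sensor address is filtered from blocks on that device; the `BlockingDevice` shape, the `ShunMaxEntries` cap and the sample addresses are constructed for the example.

```python
"""Assemble a NAC-style blocking ACL in the documented order (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Iterable, List


@dataclass
class BlockingDevice:
    """Per-device settings NAC needs when it rewrites the ACL (assumed shape)."""
    sensor_ip: str                       # address NAC protects from being blocked
    allow_sensor_shun: bool = False      # `allow sensor shun` configured?
    preblock_acl: List[str] = field(default_factory=list)   # user ACEs applied first
    postblock_acl: List[str] = field(default_factory=list)  # user ACEs applied last
    max_entries: int = 250               # ShunMaxEntries (shipped default)


def deny_entry(target: str) -> str:
    """Render a host or network block as a Cisco IOS extended-ACL deny line."""
    net = ipaddress.ip_network(target, strict=False)
    if net.num_addresses == 1:
        return f"deny ip host {net.network_address} any"
    # IOS ACLs take a wildcard mask, which is the inverse of the netmask.
    return f"deny ip {net.network_address} {net.hostmask} any"


def build_nac_acl(dev: BlockingDevice, always_block: Iterable[str],
                  active_blocks: Iterable[str]) -> List[str]:
    """Return the ACL lines in NAC order (steps 4 and 5 are assumptions)."""
    acl: List[str] = []
    # 1. Permit the sensor itself unless `allow sensor shun` is configured.
    if not dev.allow_sensor_shun:
        acl.append(f"permit ip host {dev.sensor_ip} any")
    # 2. Preblock ACL entries, verbatim.
    acl.extend(dev.preblock_acl)
    # 3. Always-block entries, then (assumed) 4. active blocks.
    sensor = ipaddress.ip_address(dev.sensor_ip)
    blocks: List[str] = []
    for target in list(always_block) + list(active_blocks):
        net = ipaddress.ip_network(target, strict=False)
        if sensor in net and not dev.allow_sensor_shun:
            continue                       # sensor address is filtered from blocks
        if len(blocks) >= dev.max_entries:
            break                          # honour ShunMaxEntries
        entry = deny_entry(target)
        if entry not in blocks:
            blocks.append(entry)
    acl.extend(blocks)
    # 5. (assumed) Postblock ACL, or a trailing permit-all when none is set.
    acl.extend(dev.postblock_acl or ["permit ip any any"])
    return acl


if __name__ == "__main__":
    router = BlockingDevice("10.89.150.5", preblock_acl=["permit udp any any eq 53"])
    for line in build_nac_acl(router, ["192.0.2.0/24"], ["198.51.100.7", "10.89.150.5"]):
        print(line)
```

    The second block target in the sample is the sensor's own address; with the default `allow_sensor_shun=False` it is dropped, which is the behaviour to confirm on a real device before enabling blocking, because with `allow sensor shun` set the same request produces a deny line for the sensor.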
  • Cisco IDS-4230-FE | Installation Guide - Page 351
    Firewall treats it like an unconditional block. The PIX Firewall also does not support network blocking. NAC never tries to apply a network block to a PIX the PIX configuration.
  • Cisco IDS-4230-FE | Installation Guide - Page 352
    not perform manual blocks or information. The PIX Firewall and AAA NAC supports authentication on the PIX Firewall using local sensor on the inside interface or do not configure the sensor to block.
  • Cisco IDS-4230-FE | Installation Guide - Page 353
    supported when WAN cards are installed and you want the sensor security acl map all • To map a VACL to a VLAN: set sec acl {aclname} {vlans} See Configuring Blocking Devices, page 10-67, for more information.
  • Cisco IDS-4230-FE | Installation Guide - Page 354
    RDEP control transaction request to the HTTP server on the remote node. The remote HTTP server handles the remote control transaction and returns the
  • Cisco IDS-4230-FE | Installation Guide - Page 355
    exit event is signaled. WebServer The WebServer provides configuration support for IDM. It also provides IDS RDEP, which enables the sensor to report security events, receive IDIOM transactions, and serve IP logs. The WebServer supports HTTP 1.0 and 1.1. The communications with the WebServer often
  • Cisco IDS-4230-FE | Installation Guide - Page 356
    privileges. Operators can perform all viewing and some administrative operations on a sensor including the following: - Modify their passwords - Tune signatures - Manage routers
  • Cisco IDS-4230-FE | Installation Guide - Page 357
    of TAC are supported. Cisco Systems does not support the addition and/or running of an additional service to the operating system through the service account, because it affects proper performance and proper functioning of the other IDS services. TAC does not support a sensor on which additional
  • Cisco IDS-4230-FE | Installation Guide - Page 358
    Architecture CLI Behavior The IDS CLI has the following . sensor# configure ? terminal Configure from the terminal sensor# configure sensor(config)# ip n? name-server nat sensor(
  • Cisco IDS-4230-FE | Installation Guide - Page 359
    example, if you type: sensor# CONF and press Tab, the sensor displays: sensor# CONFigure Display Options • the interface. Refer to the Cisco Intrusion Detection System Command Reference Version default value in the configuration files, such as service and tune-micro-engines, can have a default
  • Cisco IDS-4230-FE | Installation Guide - Page 360
    that is, any digit. To search for a specific special character, you must use a backslash before not supported. Also, escaped expressions representing single characters are supported. •
  • Cisco IDS-4230-FE | Installation Guide - Page 361
    beginning at the left side of the construct. Thus, the regular expression matches A9b3, but not 9Ab3 because the letters are specified before the numbers.
  • Cisco IDS-4230-FE | Installation Guide - Page 362
    a single- or multiple-character pattern to instruct the software to remember a pattern for use elsewhere in the regular expression. To create a regular expression that recalls a previous pattern, you use parentheses to indicate memory of a specific pattern and a backslash (\) followed by a digit
  • Cisco IDS-4230-FE | Installation Guide - Page 363
    when the sensor is not connected to an IDS event consumer. Sufficient buffering depends on your requirements and the capabilities of the nodes in use. The oldest events in the circular buffer are replaced by the newest events.
  • Cisco IDS-4230-FE | Installation Guide - Page 364
    to by other IDS applications. IDS events have the following characteristics: • They are spontaneously generated by the application instances configured to do so. There is no request from another application instance to generate a particular event. • They have no specific destination. They are
  • Cisco IDS-4230-FE | Installation Guide - Page 365
    to another application instance (the responder). IDS data is represented in XML format as the control transactions processed by each sensor application. • evShunRqst-Shun request page A-41
  • Cisco IDS-4230-FE | Installation Guide - Page 366
    application whenever an IDS signature is triggered =1066276939791336085 severity=informational originator: hostId: sensor appName: sensorApp appInstanceId: 3627 time specific to a single application.
  • Cisco IDS-4230-FE | Installation Guide - Page 367
    identifier. • loginAction-A login action, such as a user logging in or logging out, has occurred. Error Events Error events are generated by an IDS application when the application detects an error or warning condition. The evError event contains error code and a textual description of the error
  • Cisco IDS-4230-FE | Installation Guide - Page 368
    cisco by (uid=0) Log Events Log events provide notification anytime control transactions are processed by sensor 1077226078696330135 successful=true originator: hostId: sensor appName: mainApp appInstanceId: 1048 time Events NAC communicates with other IDS applications through IDIOM control
  • Cisco IDS-4230-FE | Installation Guide - Page 369
    event: Note You can configure these actions through the CLI, IDM, or IDS MC. • IP logging-Provides the ability to capture raw unaltered packets related TCP protocol are ignored. Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1 78-15597-02 A-43
  • Cisco IDS-4230-FE | Installation Guide - Page 370
    system and get only packets from a specific time inside the log. If you supply sensor. You must reimage the sensor if you want to remove all log files. Note The IDS Sensor Directory Structure, page A-48 A-44 Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide
  • Cisco IDS-4230-FE | Installation Guide - Page 371
    IDS manager to specify which hosts are allowed to access the sensor through the network. Sensors time persistent connection) or both. Communications are secured by TLS or SSL. Note The following legacy Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1
  • Cisco IDS-4230-FE | Installation Guide - Page 372
    IDAPI IDIOM supports two types of interactions: event and control transaction. Event interactions are used to exchange IDS events such and receive events and control transactions. IDAPI provides the following services: • Control transactions - Initiates the control transaction. - Waits
  • Cisco IDS-4230-FE | Installation Guide - Page 373
    RDEP IEV, IDS-MC, Third Party Event Management Applications RDEP Client Sensor EventStore Event Request Event HTTP GET Events IDAPI Event Request Event WebServer EventServer 119098 Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1 78
  • Cisco IDS-4230-FE | Installation Guide - Page 374
    sensor is running. • /usr/cids/idsRoot/var/updates-Stores files and logs for update installations. • /usr/cids/idsRoot/var/virtualSensor-Stores files used by SensorApp to analyze regular expressions. A-48 Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide
  • Cisco IDS-4230-FE | Installation Guide - Page 375
    cidDump-Contains the script that gathers data for tech support. • /usr/cids/idsRoot/bin/cidwebserver-Contains the sensor. Summary of Applications Table A-2 gives a summary of the applications that make up IDS. Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide
  • Cisco IDS-4230-FE | Installation Guide - Page 376
    to send network access events to a master blocking sensor, it initiates a network access control transaction to control transactions are also used by IDS managers to issue occasional network Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1 78-15597
  • Cisco IDS-4230-FE | Installation Guide - Page 377
    known as managed in the legacy IDS. 4. SensorApp is formerly known as packetd in the legacy IDS. 5. This is a WebServer servlet. 6. This is a remote control transaction proxy. Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1 78-15597-02 A-51
  • Cisco IDS-4230-FE | Installation Guide - Page 378
    Summary of Applications Appendix A Intrusion Detection System Architecture A-52 Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1 78-15597-02
  • Cisco IDS-4230-FE | Installation Guide - Page 379
    sensor: • Create a service account. You can use the service account when you need to work with the TAC to troubleshoot your sensor. See Creating the Service for the procedure. Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1 78-15597-02 B-1
  • Cisco IDS-4230-FE | Installation Guide - Page 380
    a note of the user IDs. Note You should note the specific software version for that configuration. You can push the copied configuration only to a sensor of the same version. Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1 B-2 78-15597-02
  • Cisco IDS-4230-FE | Installation Guide - Page 381
    setup command. See Initializing the Sensor, page 10-2, for the procedure. 4. Upgrade the sensor to the IDS software version it had when the configuration was last saved and copied. See Obtaining Cisco IDS Software, page 9-1, for more information on obtaining IDS software versions and how to install
  • Cisco IDS-4230-FE | Installation Guide - Page 382
    33 • TCP Reset, page B-37 • Software Upgrade, page B-39 Communication This section helps you troubleshoot communication problems with the 4200 series sensor. This section contains the following topics: • Cannot Access the Sensor Through the IDM or Telnet and/or SSH, page B-5 • IDM Cannot Access the
  • Cisco IDS-4230-FE | Installation Guide - Page 383
    , switch, and/or the firewall are configured to interface with the sensor. sensor# setup -- System Configuration Dialog -At any point you may enter a question mark '?' for help. Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1 78-15597-02 B-5
  • Cisco IDS-4230-FE | Installation Guide - Page 384
    Appliance Appendix B Troubleshooting Step 4 exit service webServer general ports 443 exit exit The network configuration is correct. Verify that the sensor does activating if it detects an address conflict with another host. sensor# show interfaces command-control is up Internet address is 10.
  • Cisco IDS-4230-FE | Installation Guide - Page 385
    Telnet and web server ports are open in the firewall. sensor# configure terminal sensor(config)# service WebServer sensor(config-WebServer)# show settings general enable-tls: true ports: 443 server-id: HTTP/1.1 compliant
  • Cisco IDS-4230-FE | Installation Guide - Page 386
    B Troubleshooting Step 2 Verify that the Web server is still running: a. Use the show version command to check the status of the WebServer: sensor# show version Application Partition: Cisco Systems Intrusion Detection Sensor, Version 4.1(3)S61 OS Version 2.4.18-5smpbigphys Platform: IDS-4235 Sensor
  • Cisco IDS-4230-FE | Installation Guide - Page 387
    running on the sensor, reboots the appliance, and restarts all the applications. Step 4 If the Web server is still running, verify that the firewall has an open port for the sensor. Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1 78-15597
  • Cisco IDS-4230-FE | Installation Guide - Page 388
    If it is not, add it: sensor# configure terminal sensor(config)# service Host sensor(config-Host)# networkParams sensor(config-Host-net)# accessList ipAddress value another host. B-10 Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1 78-15597-02
  • Cisco IDS-4230-FE | Installation Guide - Page 389
    correct. Refer to the chapter for your sensor in this hardware guide. Run the setup command to make sure the IP address is correct. See Initializing the Sensor, page 10-2, for the procedure. SensorApp and Alerting This section helps you troubleshoot issues with SensorApp and alerting. This section
  • Cisco IDS-4230-FE | Installation Guide - Page 390
    updates: sensor# show version Upgrade History: * IDS-K9-min-4.1-1-S47 12:00:00 UTC Thu Jun 30 2005 IDS-K9-sp-4.1-3-S61.rpm.pkg 14:14:55 UTC Fri Feb 20 2004 Recovery Partition Version 1.2 - 4.1(1)S47 If you do not have the latest software updates, download them from Cisco.com. See Obtaining Cisco IDS
  • Cisco IDS-4230-FE | Installation Guide - Page 391
    Appendix B Troubleshooting Troubleshooting the 4200 Series Appliance To make sure the sensor is connected properly, follow these steps: Note If you have an IDS-4230 or IDS-4220, make sure you have swapped the interfaces. See Upgrading the IDS-4220-E and IDS-4230-FE to 4.x Software, page 4-5, for
  • Cisco IDS-4230-FE | Installation Guide - Page 392
    sensor# configure terminal b. Enter virtual sensor mode: sensor(config)# service virtual-sensor-configuration virtualSensor c. Make sure the signature is enabled: sensor(config-vsc)# tune-micro-engines sensor Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide
  • Cisco IDS-4230-FE | Installation Guide - Page 393
    : Step 1 Step 2 Log in to the CLI. Make sure the interfaces are up and receiving packets: sensor# show interfaces sensing Sensing int0 is down Hardware is eth0, TX Reset port Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1 78-15597-02 B-15
  • Cisco IDS-4230-FE | Installation Guide - Page 394
    and restart SensorApp. To delete SensorApp, follow these steps: Step 1 Step 2 Step 3 Log in to the service account. Su to root. Stop the IDS applications: /etc/init.d/cids stop B-16 Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1 78-15597-02
  • Cisco IDS-4230-FE | Installation Guide - Page 395
    Troubleshooting the 4200 Series Appliance Step 4 Step 5 Step 6 Step 7 Step 8 Replace the virtual sensor file: cp /usr/cids/idsRoot/etc/defVirtualSensorConfig.xml /usr/cids/idsRoot/etc/VS-Config/virtualSensor.xml Remove the cache files: rm /usr/cids/idsRoot/var/virtualSensor/*.pmz Exit the service
  • Cisco IDS-4230-FE | Installation Guide - Page 396
    IDS-4250-XL Step 3 Some IDS-4250-XLs were shipped with faulty DIMMs on the XL cards. The faulty DIMMs cause the sensor statistics networkAccess command. To troubleshoot NAC, follow these steps Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1 78-15597
  • Cisco IDS-4230-FE | Installation Guide - Page 397
    -5smpbigphys Platform: IDS-4235 Sensor up-time is 20 days. Using 214319104 out of 921522176 bytes of available memory (23% usage) Using 596M out of 15G bytes of available disk space (5% usage) Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1 78
  • Cisco IDS-4230-FE | Installation Guide - Page 398
    Troubleshooting 13-0500 Upgrade History: * IDS-K9-min-4.1-1-S47 12:00:00 UTC Thu Jun 30 2005 IDS-K9-sp-4.1-3-S61.rpm.pkg 14 verify that all devices are connecting. sensor# show statistics networkAccess Current Configuration Communications = telnet NetDevice Type = Cisco IP = 5.5.5.5 NATAddr =
  • Cisco IDS-4230-FE | Installation Guide - Page 399
    : sensor# show version Upgrade History: * IDS-K9-min-4.1-1-S47 12:00:00 UTC Thu Jun 30 2005 IDS-K9-sp-4.1-3-S61.rpm.pkg 14:14:55 UTC Fri Feb 20 2004 Recovery Partition Version 1.2 - 4.1(1)S47 If you do not have the latest software updates, download them from Cisco.com. See Obtaining Cisco IDS
  • Cisco IDS-4230-FE | Installation Guide - Page 400
    interface/direction configured. To troubleshoot device access issues, follow these steps: Step 1 Step 2 Step 3 Step 4 Log in to the CLI. Enter configuration mode: sensor# configure terminal Enter service configuration mode for NetworkAccess: sensor(config)# service NetworkAccess Verify the IP
  • Cisco IDS-4230-FE | Installation Guide - Page 401
    by selecting Administration > Manual Blocking > Host Manual Blocks. To initiate a manual block to a bogus host, follow these steps: Step 1 Enter configuration mode: sensor# configure terminal Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1 78
  • Cisco IDS-4230-FE | Installation Guide - Page 402
    the 4200 Series Appliance Appendix B Troubleshooting Step 2 Step 3 Step 4 Step 5 Step 6 Step 7 Enter the NAC's service configuration mode: sensor(config)# service NetworkAccess Enter general NAC configuration mode: sensor(config-NetworkAccess)# general Start the manual block of the bogus host IP
  • Cisco IDS-4230-FE | Installation Guide - Page 403
    specific signature, follow these steps: Step 1 Step 2 Step 3 Step 4 Log in to the CLI. Enter configuration mode: sensor# configure terminal Enter virtual sensor mode: sensor(config)# service virtual-sensor Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide
  • Cisco IDS-4230-FE | Installation Guide - Page 404
    terminal b. Enter the NAC's service configuration mode: sensor(config)# service NetworkAccess c. Enter general NAC configuration mode: sensor(config-NetworkAccess)# general B-26 Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1 78-15597-02
  • Cisco IDS-4230-FE | Installation Guide - Page 405
    Appendix B Troubleshooting Troubleshooting the 4200 Series Appliance Step 4 Step 5 d. Start the manual block for a bogus host IP address: sensor(config-NetworkAccess-gen)# shun-hosts ip-address 10.16.0.0 e. Exit and accept changes: sensor(config-NetworkAccess-gen-shu)# exit sensor(config-
  • Cisco IDS-4230-FE | Installation Guide - Page 406
    cidLog Messages to SysLog, page B-31 Enabling Debug Logging Caution Enabling debug logging seriously affects performance and should only be done when instructed by TAC. B-28 Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1 78-15597-02
  • Cisco IDS-4230-FE | Installation Guide - Page 407
    , exit the vi editor, and exit the service account. Log in to the CLI as administrator. Enter configuration mode: sensor# configure terminal Step 8 Enter service logger mode: sensor(config)# service logger Step 9 Enter master-control submode: sensor(config-Logger)# masterControl Step 10 Turn
  • Cisco IDS-4230-FE | Installation Guide - Page 408
    a specific zone, for example, the EventStore: sensor(config-Logger)# zoneControl zoneName IdsEventStore Step 15 Turn on debugging for the EventStore: sensor(config-Logger-zon)# severity debug B-30 Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version
  • Cisco IDS-4230-FE | Installation Guide - Page 409
    Appendix B Troubleshooting Troubleshooting the 4200 Series Appliance Step 16 Exit the submode for the individual zone: sensor(config-Logger-zon)# exit sensor(config-Logger)# exit Step 17 Type yes to apply the changes: Apply Changes:?[yes]: yes sensor(config)# Zone Names Table B-1 lists the
  • Cisco IDS-4230-FE | Installation Guide - Page 410
    the 4200 Series Appliance Appendix B Troubleshooting To direct cidLog messages to syslog, follow these steps: Step 1 Step 2 // warning LOG_ERR, // error LOG_CRIT // fatal B-32 Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1 78-15597-02
  • Cisco IDS-4230-FE | Installation Guide - Page 411
    following topics: • Verifying that the Sensor is Synchronized with the NTP Server, page B-34 • NTP Server Connectivity Problem, page B-35 • NTP Reconfiguration Defect, page B-35 Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1 78-15597-02 B-33
  • Cisco IDS-4230-FE | Installation Guide - Page 412
    the 4200 Series Appliance Appendix B Troubleshooting Verifying that the Sensor is Synchronized with the NTP Server To verify that the sensor is synchronized with the NTP server, follow these steps: Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Step 7 Log in to the service account. Check to see if
  • Cisco IDS-4230-FE | Installation Guide - Page 413
    with connectivity and the NTP server. To look for problems with connectivity to the NTP server, follow these steps: Step 1 Step 2 Step 3 Step 4 Step 5 Log in to the sensor service account. Su to root using the service account password: bash-2.05a$ su root Password: Type the following command
  • Cisco IDS-4230-FE | Installation Guide - Page 414
    of the service account. Log in to the sensor CLI. Enter configuration mode: sensor# configure terminal Enter service Host mode: sensor(config)# service Host Enter time parameters submode: sensor(config-Host)# timeParams Set up NTP (NTP server IP address, key ID, and key value): sensor(config-Host
  • Cisco IDS-4230-FE | Installation Guide - Page 415
    To troubleshoot a reset not occurring for a specific signature, follow these steps: Step 1 Step 2 Log in to the CLI. Make sure the EventAction is set to reset: a. Enter configuration mode: sensor# configure terminal b. Enter virtual sensor mode: sensor(config)# service virtual-sensor-configuration
  • Cisco IDS-4230-FE | Installation Guide - Page 416
    Appliance Appendix B Troubleshooting Step 3 Step sure the switch is allowing incoming TCP reset packet from the sensor. Refer to your switch documentation for the procedure. Make sure Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1 78-15597-02
  • Cisco IDS-4230-FE | Installation Guide - Page 417
    B Troubleshooting Troubleshooting the 4200 Series Appliance Using the TCP Reset Interface The IDS-4250-XL has a TCP reset interface-INT0. The IDS-4250-XL has a specific TCP reset interface because it cannot send TCP resets on its monitoring ports. If you have reset problems with the IDS-4250
  • Cisco IDS-4230-FE | Installation Guide - Page 418
    the BIOS. Refer to Obtaining Cisco IDS Software, page 9-1, for the procedure for applying the latest IDS software. Which Updates to Apply and in Which Order You must have the correct service pack and minor/major version of the software. If you are having trouble with applying new software, make
  • Cisco IDS-4230-FE | Installation Guide - Page 419
    use custom prompts. If you modify the FTP prompts to give security warnings, for example, this causes a problem, because the sensor is expecting a hard-coded list of responses. Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1 78-15597-02 B-41
  • Cisco IDS-4230-FE | Installation Guide - Page 420
    IDS software version your sensor has (see Displaying the Current Version, page B-57, for the procedure). Version 4.0(1) has a known problem with automatic update. Upgrade manually B-42 Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1 78-15597-02
  • Cisco IDS-4230-FE | Installation Guide - Page 421
    Step 3 Step 4 Step 5 Step 6 Step 7 Step 8 Log in to the service account. Obtain the update package file from Cisco.com. Refer to Obtaining Cisco IDS Software, page 9-1, for the procedure. FTP or SCP the update file to the sensor's /usr/cids/idsRoot/var directory. Set the file permissions: chmod 644
  • Cisco IDS-4230-FE | Installation Guide - Page 422
    as the 4200 series sensors. You can use the same troubleshooting tools as outlined in Troubleshooting the 4200 Series Appliance, page B-4. This section pertains specifically to troubleshooting the IDSM-2. This section contains the following topics: • Diagnosing IDSM-2 Problems, page B-44 • Switch
  • Cisco IDS-4230-FE | Installation Guide - Page 423
    the switch. Determine if the IDSM-2 responds to pings and if you can log in through the service account. If you can log in, obtain a cidDump and any core files and contact TAC. Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1 78-15597-02 B-45
  • Cisco IDS-4230-FE | Installation Guide - Page 424
    you troubleshoot the IDSM-2: • show module (Cisco Catalyst Software and Cisco IOS Software) • show version (Cisco Catalyst Software and Cisco IOS Software) • show port (Cisco Catalyst Software) • show trunk (Cisco Catalyst Software) • show span (Cisco Catalyst Software) • show security acl (Cisco
  • Cisco IDS-4230-FE | Installation Guide - Page 425
    Appendix B Troubleshooting Troubleshooting the IDSM-2 Mod Module-Name fe-aa-c0-df 0.102 7.2(1) 4.1(4)S91 Mod Sub-Type Sub-Model Sub-Serial Sub-Hw Sub-Sw 1 L3 Switching Engine II WS-F6K-PFC2 SAD044302BP 1.0 9 IDS 2 accelerator board WS-SVC-IDSUPG . 2.0 console> (enable) For Cisco
  • Cisco IDS-4230-FE | Installation Guide - Page 426
    IDS 2 accelerator board WS-SVC-IDSUPG . 2.0 Ok Mod Online Diag Status 1 Pass 2 Pass 5 Pass 6 Not Supported 7 Not Supported online, try the following troubleshooting tips: • Reset the Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1 78-15597-02
  • Cisco IDS-4230-FE | Installation Guide - Page 427
    Appendix B Troubleshooting Troubleshooting the IDSM-2 Step 2 Step 3 Step 4 Step 5 Step 6 Step 7 Make sure , mask, and gateway settings are correct: router# show configuration Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1 78-15597-02 B-49
  • Cisco IDS-4230-FE | Installation Guide - Page 428
    the IDSM-2 Appendix B Troubleshooting Step 4 Make sure the command and control port is in the correct VLAN: For Catalyst Encapsulation: native Negotiation of Trunking: On B-50 Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1 78-15597-02
  • Cisco IDS-4230-FE | Installation Guide - Page 429
    B Troubleshooting Troubleshooting the IDSM-2 has a specific TCP reset interface because it cannot send TCP resets on its sensing ports. If you have reset problems with the IDSM-2, Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1 78-15597-02 B-51
  • Cisco IDS-4230-FE | Installation Guide - Page 430
    to gather information and diagnose the state of the sensor when problems occur. You can use the show tech-support command to gather all the sensor's information, or you can use the other individual commands listed in this section for specific information. This section contains the following topics
  • Cisco IDS-4230-FE | Installation Guide - Page 431
    : sensor# show tech-support ? The following parameters are optional: • page-Displays the output, one page of information at a time. • password-Leaves passwords and other security information in the output. Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide
  • Cisco IDS-4230-FE | Installation Guide - Page 432
    Troubleshooting :-Destination URL for the Secure Copy Protocol (SCP) sensor# show tech support dest ftp://[email protected]//absolute/reports/sensor1Report.html The password: prompt appears. b. Type the password for this user account. The Generating report: message is displayed. B-54 Cisco
  • Cisco IDS-4230-FE | Installation Guide - Page 433
    lists the information for the Authentication, Host, and Logger services. sensor# show tech-support page IDS 4.1 System Status Report !! Warning output may contain Passwords exit exit exit Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1 78-
  • Cisco IDS-4230-FE | Installation Guide - Page 434
    Gathering Information Appendix B Troubleshooting service Logger masterControl enable-debug false exit zoneControl version Command The show version command is useful for establishing the general health of the sensor. This section contains the following topics: • show version Command, page B-57 •
  • Cisco IDS-4230-FE | Installation Guide - Page 435
    -5smpbigphys Platform: IDS-4235 Sensor up-time is 20 days. Using 214319104 out of 921522176 bytes of available memory (23% usage) Using 596M out of 15G bytes of available disk space (5% usage) Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1 78
  • Cisco IDS-4230-FE | Installation Guide - Page 436
    Troubleshooting * IDS-K9-min-4.1-1-S47 12:00:00 UTC Thu Jun 30 2005 IDS-K9 Cisco Systems Intrusion Detection Sensor, Version 4.1(0.3)S42(0.3) OS Version 2.4.18-5 Platform: NM-CIDS Sensor Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1 78-15597-02
  • Cisco IDS-4230-FE | Installation Guide - Page 437
    Appendix B Troubleshooting Upgrade History: No upgrades installed Gathering Information Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1 78-15597-02 B-59
  • Cisco IDS-4230-FE | Installation Guide - Page 438
    B Troubleshooting show sensor# more current-config Configuration information (similar to the following) appears: service Authentication general attemptLimit 0 methods method Local exit exit exit service Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide
  • Cisco IDS-4230-FE | Installation Guide - Page 439
    B Troubleshooting ipAddress 10 sensor's services. Use the show statistics ? command to list the following services that provide the statistics: • Authentication • EventServer • EventStore • Host • Logger Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide
  • Cisco IDS-4230-FE | Installation Guide - Page 440
    B Troubleshooting • NetworkAccess • TransactionSource • TransactionServer • WebServer Note You can get the same information from IDS Device Manager by selecting Monitoring > Statistics. Displaying Statistics You can use the show statistics command to display the statistics of the service you
  • Cisco IDS-4230-FE | Installation Guide - Page 441
    Troubleshooting show statistics command output for the EventStore service: sensor# show statistics EventStore Event store statistics General command output for the Logger service: Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1 78-15597-02
  • Cisco IDS-4230-FE | Installation Guide - Page 442
    Gathering Information Appendix B Troubleshooting sensor# show statistics Logger The number of Log interprocessor FIFO overruns = 0 the interfaces that can result in packet drops B-64 Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1 78-15597-02
  • Cisco IDS-4230-FE | Installation Guide - Page 443
    Troubleshooting sensor# configure terminal sensor(config)# interface sensing int0 sensor(config-ifs)# no shutdown sensor(config-ifd)# exit sensor(config)# exit sensor dropped. Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1 78-15597-02 B-65
  • Cisco IDS-4230-FE | Installation Guide - Page 444
    Information Appendix B Troubleshooting show events Command You can use the show events command to view the alerts generated by SensorApp and errors generated by an application. B-66 Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1 78
  • Cisco IDS-4230-FE | Installation Guide - Page 445
    troubleshooting event capture issues in which you are not seeing events in IDS Event Viewer or Security Monitor. You can use the show events command to determine which events are being generated on the sensor the parameters for the show events command: sensor# show events alert Display local
  • Cisco IDS-4230-FE | Installation Guide - Page 446
    shunInfo to view the shun information, including source address, for the event. New events are displayed as they occur. Display events from a specific time: sensor# show events hh:mm month day year For example, show events 14:00 September 2 2002 displays all events since 2:00 p.m. September 2, 2002
  • Cisco IDS-4230-FE | Installation Guide - Page 447
    Appendix B Troubleshooting Gathering Information Note Time is specified in 24-hour format. You can use single digit numbers for the date. Step 4 Step 5 Step 6 Events from the specified time are displayed. Show events that began in the past: sensor# show events past hh:mm:ss The following example
  • Cisco IDS-4230-FE | Installation Guide - Page 448
    , follow these steps: Step 1 Step 2 Step 3 Log in to the sensor service account. Su to root using the service account password. Type cidDump /usr/cids/idsRoot/bin/cidDump. B-70 Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1 78-15597-02
  • Cisco IDS-4230-FE | Installation Guide - Page 449
    Appendix B Troubleshooting Gathering Information Step 4 Step 5 Compress the resulting /usr/cids/idsRoot/log/cidDump.html file: gzip /usr/cids/idsRoot/log/cidDump.html Send the resulting HTML file to TAC or the IDS developers in case of a problem. See Uploading a File to the Cisco FTP Site for the
  • Cisco IDS-4230-FE | Installation Guide - Page 450
    Appendix B Troubleshooting

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
Tel:
408 526-4000
800 553-NETS (6387)
Fax:
408 526-4100
Cisco Intrusion Detection System
Appliance and Module Installation
and Configuration Guide
Version 4.1
Customer Order Number: DOC-7815597=
Text Part Number: 78-15597-02