
IPS

Implementing Cisco
Intrusion Prevention
Systems
Version 6.0

Lab Guide
EPWS: 06.08.07

The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.

DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED AS IS. CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN
CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF
THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED
WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR
PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This learning product may contain early release
content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above.


IPS

Lab Guide
Overview
This guide presents the instructions and other information concerning the lab activities for this
course. You can find the solutions in the activity Answer Key.

Outline
This guide includes these activities:

Lab 2-1: Install and Configure a Cisco IPS Sensor from the CLI

Lab 2-2: Use the Cisco IDM to Perform a Basic Sensor Configuration

Lab 3-1: Working with Signatures and Alerts

Lab 3-2: Customizing Signatures

Lab 4-1: Tune a Cisco IPS Sensor Using the Cisco IDM

Lab 4-2: Monitor and Manage Alarms

Lab 4-3: Configure a Virtual Sensor (Optional)

Lab 4-4: Configure Anomaly Detection and POSFP

Lab 6-1: Maintain Sensors and Verify System Configuration

Answer Key


Lab 2-1: Install and Configure a Cisco IPS Sensor from the CLI

Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will initialize a sensor appliance. After completing this activity, you will be
able to meet these objectives:

Log into the sensor and run the initialization wizard

Test the ability to use SSH to connect to the sensor from an authorized host

Navigate the sensor CLI

Create a standard login banner to serve as a warning to intruders

Back up and restore the current configuration

Display sensor events

Visual Objective
The figure illustrates what you will accomplish in this activity.

Visual Objective for Lab 2-1: Install and Configure a Cisco IPS Sensor from the CLI

[Figure: pod network diagram; only the labels survive extraction. Devices shown, as far as the labels allow: a Web/FTP server (.50) and the backbone router RBB (.150) on 172.26.26.0; pod routers prP and prQ on 172.30.P.0 / 172.30.Q.0 and 172.16.P.0 / 172.16.Q.0; routerP and routerQ; sensorP and sensorQ (.4 on 10.0.P.0 and 10.0.Q.0); RTS; Student PC 10.0.P.12 and Student PC 10.0.Q.12. Interface labels e0/0 and e0/1 and host offsets .1, .2, .4 and .100 appear on the links.]

2007 Cisco Systems, Inc. All rights reserved.
Implementing Cisco Intrusion Prevention Systems (IPS) v6.0


Task 1: Initializing the Sensor


This task involves configuring the following: sensor hostname, IP address for the sensor
command and control interface, default route, Telnet server status, web server port, allowed
hosts, and sensor time.

Activity Procedure
Complete these steps:
Step 1

Access the terminal server as directed by your instructor.

Step 2

Access the sensor via its console port as directed by your instructor.

Step 3

Log into the CLI:


sensor login: cisco
Password: iattacku2

Note

It is possible that the sensor password has not been reset. In that case, log into the sensor
as cisco with a password of cisco. You will then be prompted to change the password.
Change the password to iattacku2.

Step 4

Enter the setup command and press Enter. The System Configuration Dialog is
displayed.
sensor# setup
--- System Configuration Dialog ---
At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.

Current Configuration:
service host
network-settings
host-ip 10.1.9.201/24,10.1.9.1
host-name sensor
telnet-option disabled
ftp-timeout 300
no login-banner-text
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled

exit
service web-server
port 443
exit
service event-action-rules rules0
overrides
override-item-status Enabled
risk-rating-range 90-100
exit
exit
Current time: Thu Feb 22 09:39:39 2007
Setup Configuration last modified: Thu Feb 22 09:37:20 2007
Continue with configuration dialog?[yes]:
Step 5

Press Enter when prompted to continue with the configuration dialog:


Continue with configuration dialog? [yes]: <Enter>

Step 6

Assign a name to the sensor:


Enter host name[sensor]: sensorP

(where P = pod number)


Step 7

Specify an IP address, netmask, and default gateway for the sensor command and
control interface:
Enter IP interface[10.1.9.201/24,10.1.9.1]:10.0.P.4/24,10.0.P.2

(where P = pod number)


Step 8

Press Enter to accept the default setting for Telnet services:


Enter telnet-server status[disabled]: <Enter>

Step 9

Press Enter to accept the default web server port:


Enter web-server port[443]: <Enter>

Step 10

Enter yes when prompted to modify the current ACL:


Modify current access list? [no] yes
Current access list entries:
No entries
Permit:

Step 11

Enter the IP address of your student PC:


Permit: 10.0.P.12/32
Permit:


(where P = pod number)


Step 12

Enter your peer pod network address:


Permit: 10.0.Q.0/24
Permit:

(where Q = peer pod number)


Press Enter again:
Permit: <Enter>
Step 13

Press Enter to answer no when prompted to modify system clock settings:


Modify system clock settings?[no]: <Enter>

Step 14

Press Enter to answer no when prompted to modify the virtual sensor configuration, and
press Enter again to answer no when prompted to modify the default threat prevention
settings:

Modify interface/virtual sensor configuration?[no]: <Enter>
Modify default threat prevention settings?[no]: <Enter>
The following configuration was entered.

service host
network-settings
host-ip 10.0.P.4/24,10.0.P.2
host-name sensorP
telnet-option disabled
access-list 10.0.P.12/32
access-list 10.0.Q.0/24

(where P = pod number and Q = peer pod number)


ftp-timeout 300
no login-banner-text
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
service web-server
port 443
exit
service event-action-rules rules0
overrides
override-item-status Enabled

risk-rating-range 90-100
exit
exit
[0] Go to the command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration and exit setup.

Enter your selection[2]:

Press Enter to select Save this configuration and exit setup:

Enter your selection[2]: <Enter>
Configuration Saved.
*10:08:43 UTC Thu Feb 22 2007
Modify system date and time?[no]:
Step 15

Enter yes to modify the system date and time:


Modify system date and time?[no]: yes

Step 16

Enter the current date in the following format: YYYY-MM-DD


Local Date[]: <YYYY-MM-DD>

Step 17

Use 24-hour time to enter the current time in the following format: hh:mm:ss.
Local Time[]: <hh:mm:ss>
sensor#

Step 18

Reboot the sensor:


sensor# reset
Warning: Executing this command will stop all applications and
reboot the node.
Continue with reset? []:

Step 19

Enter yes to continue rebooting the sensor:


Warning: Executing this command will stop all applications and
reboot the node.
Continue with reset? [] : yes

Step 20

Minimize the terminal window.

Activity Verification
You have completed this task when you attain these results:

You have entered the specified values at each setup interactive prompt.

The sensor reboots and presents you with the login prompt.


Task 2: Testing the Initial Configuration


In this task, you will verify that the sensor can only be accessed by hosts listed in its allowed
hosts list.

Activity Procedure
Complete these steps:
Step 1

Complete the following substeps to establish an SSH session to your sensor at IP
address 10.0.P.4:

(where P = pod number)

1. Double-click the Tera Term icon on your desktop. The Tera Term: New Connection window opens.
2. Enter the IP address of your sensor, 10.0.P.4, in the Host field.
3. Click the SSH radio button.
4. Click OK. The Security Warning window opens.
5. Click Yes. The SSH Authentication window opens.
6. Enter cisco in the Username field.
7. Enter iattacku2 in the Passphrase field.
8. Click OK. The sensor CLI is displayed in the Tera Term window.
Step 2
Close the Tera Term window.
Step 3

Attempt to establish an SSH session to your peer pod sensor. Although your peer is
allowed access to your sensor, you should be unable to establish the connection at
this point. This is because the sensors are installed to run inline in your pod, and
inline mode is not yet configured.

Step 4

Close the Tera Term window.

Activity Verification
You have completed this task when you can establish an SSH session to your own sensor from
your student PC, and your attempt to reach your peer pod sensor fails for the reason given in
Step 3.


Task 3: Navigating the CLI


This task involves navigating the sensor CLI.

Activity Procedure
Complete these steps:
Step 1

Log back into the sensor using the username cisco and the password iattacku2.

Step 2

Display the command options available in the first level of the CLI, the privileged
EXEC mode:

Note

Some of the more notable commands are bolded to assist you in familiarizing yourself with
the CLI.

sensorP# ?
anomaly-detection   Perform an action on the anomaly detection application.
clear               Clear system settings or devices.
clock               Set system clock settings.
configure           Enter configuration mode.
copy                Copy iplog, license key or configuration files.
erase               Erase a logical file.
-----------Output Omitted--------------------

Step 3

Enter the second level of the CLI, configuration mode:


sensorP# configure terminal
sensorP(config)#

(where P = pod number)


Step 4

Display the command options available in configuration mode:

sensorP(config)# ?
banner      Define a login banner.
default     Reset settings back to default.
downgrade   Remove the last applied upgrade.
end         Exit configuration mode and return to exec mode.
exit        Exit configuration mode and return to exec mode.
no          Remove configuration.
password    Modify current user password on the local sensor.
-----------Output Omitted--------------------


Step 5

Display the services that can be configured via the CLI:


sensorP(config)# service ?
analysis-engine      Enter configuration mode for global analysis engine options.
anomaly-detection    Enter configuration mode for anomaly-detection
authentication       Enter configuration mode for user authentication options.
event-action-rules   Enter configuration mode for the event action rules.
-----------Output Omitted--------------------

Step 6

Enter configuration mode for the Analysis Engine:


sensorP(config)# service analysis-engine
sensorP(config-ana)#

(where P = pod number)


Step 7

Display the commands available from the service analysis engine mode:

sensorP(config-ana)# ?
default             Set the value back to the system default setting.
exit                Exit service configuration mode.
global-parameters   Platform-wide configuration parameters.
no                  Remove an entry or selection setting.
show                Display system settings and/or history information.
virtual-sensor      Map of virtual sensor definitions.

Step 8

Exit configuration mode for the Analysis Engine:

sensorP(config-ana)# exit
sensorP(config)#

(where P = pod number)


Step 9
Enter configuration mode for event action rules:
sensorP(config)#service event-action-rules rules0
sensorP(config-eve)#

(where P = pod number)


Step 10

Display the commands available from the event action rules configuration mode:

sensorP(config-eve)# ?
default             Set the value back to the system default setting.
exit                Exit service configuration mode.
filters             Collection of sigevent action filter items
general             General settings for VirtualAlarm features
no                  Remove an entry or selection setting.
os-identification   OS Identification settings
overrides           Collection of sigevent action override items
show                Display system settings and/or history information.
target-value        Collection of Risk Rating Target Value definitions
variables           User and system defined variables

Step 11

Exit the event action rules configuration mode:

sensorP(config-eve)# exit
sensorP(config)#

(where P = pod number)


Step 12

Enter host configuration mode:


sensorP(config)# service host
sensorP(config-hos)#

(where P = pod number)


Step 13

Display the commands available from the host configuration mode:


sensorP(config-hos)# ?
auto-upgrade-option   Select whether to enable automatic upgrades.
crypto                Configure cryptographic settings.
default               Set the value back to the system default setting.
exit                  Exit service configuration mode.
network-settings      Configure network settings.
ntp-option            Select whether to synchronize the sensor's clock to an NTP time server.
password-recovery     Option to allow password recovery.
show                  Display system settings and/or history information.
summertime-option     Select whether summertime (Daylight Savings Time) begins and ends at the
                      same time every year (recurring), or just this year (non-recurring), or
                      summertime is disabled.
time-zone-settings    Configure time zone settings.

Step 14

Exit host configuration mode:


sensorP(config-hos)#exit
sensorP(config)#

(where P = pod number)


Step 15
Enter interface configuration mode:
sensorP(config)#service interface
sensorP(config-int)#

(where P = pod number)


Step 16

Display the commands that are available from the interface configuration mode:

sensorP(config-int)# ?
bypass-mode               The system-wide inline bypass mode. Inline bypass, when activated,
                          bypasses the analysis engine so traffic will continue to flow when
                          the analysis engine is stopped. However no IDS analysis will be
                          performed on the traffic.
default                   Set the value back to the system default setting.
exit                      Exit service configuration mode.
inline-interfaces         List of logical interfaces defined by inlining two physical interfaces.
interface-notifications   Parameters to configure interface notifications.
no                        Remove an entry or selection setting.
physical-interfaces       List of physical interfaces.
show                      Display system settings and/or history information.

Step 17

Exit interface configuration mode:

sensorP(config-int)# exit
sensorP(config)#

(where P = pod number)


Step 18

Enter signature definition mode:


sensorP(config)# service signature-definition sig0
sensorP(config-sig)#

(where P = pod number)


Step 19

Display the commands that are available from signature definition mode:

sensorP(config-sig)# ?
application-policy    Application Policy Enforcement Parameters
default               Set the value back to the system default setting.
exit                  Exit service configuration mode.
fragment-reassembly   IP Fragment reassembly configuration
ip-log                IP log configuration
no                    Remove an entry or selection setting.
show                  Display system settings and/or history information.
signatures            Signature definitions
stream-reassembly     TCP stream assembly configuration
variables
Step 20

Display the configuration options and settings for a specific signature by completing
the following substeps:
1. Enter configuration mode for signature 12505, subsignature 3 (H225: SETUP
fixed signature 1):
sensorP(config-sig)# signatures 12505 3
sensorP(config-sig-sig)#

(where P = pod number)


2. Display the configuration options:

sensorP(config-sig-sig)# ?
alert-frequency         Summary options for grouping alerts
alert-severity          Severity of the alert
default                 Set the value back to the system default setting.
engine                  Select an engine
event-counter           Event count settings
exit                    Exit signatures configuration submode
promisc-delta           Delta value used to determine seriousness of the alert
show                    Display system settings and/or history information.
sig-description         Description of signature
sig-fidelity-rating     Rating of the fidelity of signature
specify-mars-category   This is the MARS category text.
status                  Enabled, Retired grouping
3. Display the settings for signature 12505, subsignature 3:

sensorP(config-sig-sig)# show settings
   <protected entry>
   sig-id: 12505
   subsig-id: 3
   -----------------------------------------------
      alert-severity: low <defaulted>
      sig-fidelity-rating: 81 <defaulted>
      promisc-delta: 0 <defaulted>
      sig-description
      -----------------------------------------------
         sig-name: H225 : SETUP fixed signature 1 <defaulted>
         sig-string-info: SETUP signature <defaulted>
         sig-comment: empty <defaulted>
         alert-traits: 0 <defaulted>
         release: S149 <defaulted>
      -----------------------------------------------
      engine
      -----------------------------------------------
         service-h225
         -----------------------------------------------
            event-action: produce-alert <defaulted>
            specify-field-name
            -----------------------------------------------
               no
            -----------------------------------------------
            message-type: setup <defaulted>
            policy-type: validate <defaulted>
            specify-value-range
            -----------------------------------------------
               no
            -----------------------------------------------
            specify-regex-string
            -----------------------------------------------
               no
            -----------------------------------------------
            specify-invalid-packet-index
            -----------------------------------------------
               yes
               -----------------------------------------------
                  invalid-packet-index: 3 <defaulted>
               -----------------------------------------------
            -----------------------------------------------
            swap-attacker-victim: false <defaulted>
         -----------------------------------------------
      -----------------------------------------------
      event-counter
      -----------------------------------------------
         event-count: 1 <defaulted>
         event-count-key: Axxx <defaulted>
         specify-alert-interval
         -----------------------------------------------
            no
         -----------------------------------------------
      -----------------------------------------------
      alert-frequency
      -----------------------------------------------
         summary-mode
         -----------------------------------------------
            fire-once
            -----------------------------------------------
               summary-key: AaBb <defaulted>
               specify-global-summary-threshold
               -----------------------------------------------
                  no
               -----------------------------------------------
            -----------------------------------------------
         -----------------------------------------------
      -----------------------------------------------
      status
      -----------------------------------------------
         enabled: true <defaulted>
         retired: false <defaulted>
         obsoletes (min: 0, max: 65535, current: 0)
         -----------------------------------------------
         -----------------------------------------------
      -----------------------------------------------
      vulnerable-os: general-os <defaulted>
      specify-mars-category
      -----------------------------------------------
         yes
         -----------------------------------------------
            mars-category: Info/Misc <protected>
         -----------------------------------------------
      -----------------------------------------------
   -----------------------------------------------

4. Enter configuration mode for the signature engine:

sensorP(config-sig-sig)# engine service-h225
sensorP(config-sig-sig-ser)#

(where P = pod number)

5. Display the configurable parameters:

sensorP(config-sig-sig-ser)# ?
default              Set the value back to the system default setting
event-action         What action(s) to perform when alert is triggered
exit                 Exit service-h225 configuration submode
message-type         Type of H225 message
no                   Remove an entry or selection setting.
policy-type          H225 Policy type
show                 Display system settings and/or history information
specify-field-name   Field-name is an optional parameter. Use specify-field-name yes to enable
-----------Output Omitted--------------------

Step 21

Exit configuration mode for the signature engine:


sensorP(config-sig-sig-ser)# exit
sensorP(config-sig-sig)#

(where P = pod number)


Step 22
Exit configuration mode for signature 12505, subsignature 3:
sensorP(config-sig-sig)# exit
sensorP(config-sig)#

(where P = pod number)


Step 23
Exit signature definition mode:
sensorP(config-sig)# exit
sensorP(config)#

(where P = pod number)

Activity Verification
You have completed this task when you have accessed each specified mode and familiarized
yourself with the options available within the mode.


Task 4: Creating a Login Banner


This task involves creating the following login banner as a warning to intruders:
AUTHORIZED ACCESS ONLY!
This system is the property of Cisco Systems.
Disconnect IMMEDIATELY if you are not an authorized user.

Activity Procedure
Complete these steps:
Step 1

Enter the banner login command to begin creating the login banner:
sensorP(config)# banner login
Banner[]:

(where P = pod number)


Step 2

Enter the first line of your message:

Banner[]: AUTHORIZED ACCESS ONLY!

Caution

Do not press Enter after entering this line.

Step 3

Press Ctrl-V to insert a carriage return in the message.

Step 4

Press Enter.

Note

The following characters are inserted at the end of the line of text each time you press Ctrl-V
and then press Enter: ^M

Step 5

Enter the second line of your message:


This system is the property of Cisco Systems.

Step 6

Press Ctrl-V to insert a carriage return in the message.

Step 7

Press Enter.

Step 8

Enter the third line of your message:


Disconnect IMMEDIATELY if you are not an authorized user.

Step 9

Press Enter.
sensorP(config)#

(where P = pod number)


Step 10
Exit global configuration mode:
sensorP(config)# exit
sensorP#

(where P = pod number)


Step 11

Exit privileged EXEC mode:

sensorP# exit
AUTHORIZED ACCESS ONLY!
This system is the property of Cisco Systems.
Disconnect IMMEDIATELY if you are not an authorized user.
sensorP login:

(where P = pod number)

Activity Verification
You have completed this task when your login banner is displayed before the sensor login
prompt.

Task 5: Back Up and Restore the Current Configuration


This task involves backing up and restoring a sensor configuration.

Activity Procedure
Complete these steps:
Step 1

Back up your current configuration:


sensorP# copy current-config backup-config

(where P = pod number)


Step 2

Display the backed-up configuration file and observe your allowed hosts:
sensorP# more backup-config
! ------------------------------
! Current configuration last modified Fri Feb 23 13:20:11 2007
! ------------------------------
! Version 6.0(1)
! Host:
!     Realm Keys          key1.0
! Signature Definition:
!     Signature Update    S263.0   2006-12-18
!     Virus Update        V1.2     2007-11-24
! ------------------------------
service interface
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
network-settings
host-ip 10.0.P.4/24,10.0.P.2
host-name sensorP
telnet-option disabled
access-list 10.0.P.12/32
access-list 10.0.Q.0/24
login-banner-text AUTHORIZED ACCESS ONLY!
This system is the property of Cisco Systems.
Disconnect IMMEDIATELY if you are not an authorized user.
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
exit
! ------------------------------
service signature-definition sig0
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
exit
! ------------------------------
service anomaly-detection ad0
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service analysis-engine
exit

(where P = pod number and Q = peer pod number)
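The allowed-hosts check that Task 1 configures, Task 2 tests by hand and this task exposes in the backup file can also be reviewed offline against a saved configuration. The following Python script is an added example written for this edition of the lab guide; it is not Cisco code and is not part of the original lab. It assumes the service host block has the plain-text layout shown in the more backup-config output above, and the embedded sample configuration is constructed with P=1 and Q=2 substituted. The findings it raises (for example, flagging any allowed-hosts entry broader than /24) are this script's own thresholds, not a Cisco recommendation.

```python
"""Audit the management-plane settings in a Cisco IPS 6.0 configuration dump."""
import ipaddress

# Constructed sample modelled on the `more backup-config` output shown in
# Task 5 of this lab, with P=1 and Q=2 substituted. Not captured from a sensor.
SAMPLE_CONFIG = """\
! ------------------------------
! Version 6.0(1)
! ------------------------------
service host
network-settings
host-ip 10.0.1.4/24,10.0.1.2
host-name sensor1
telnet-option disabled
access-list 10.0.1.12/32
access-list 10.0.2.0/24
login-banner-text AUTHORIZED ACCESS ONLY!
This system is the property of Cisco Systems.
Disconnect IMMEDIATELY if you are not an authorized user.
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
exit
! ------------------------------
service web-server
exit
"""


def parse_host_settings(config_text):
    """Return the network-settings of the 'service host' block as a dict."""
    settings = {"host_ip": None, "gateway": None, "telnet": None,
                "access_list": [], "banner": False}
    in_host = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("service "):
            # A new top-level service block starts; only 'service host' matters here.
            in_host = (line == "service host")
            continue
        if not in_host or not line:
            continue
        if line.startswith("host-ip "):
            # Format is host-ip <addr>/<prefix>,<gateway>
            addr, gw = line.split(None, 1)[1].split(",")
            settings["host_ip"] = ipaddress.ip_interface(addr)
            settings["gateway"] = ipaddress.ip_address(gw)
        elif line.startswith("telnet-option "):
            settings["telnet"] = line.split()[1]
        elif line.startswith("access-list "):
            # Each access-list line is one allowed-hosts entry (host/32 or network/prefix).
            settings["access_list"].append(
                ipaddress.ip_network(line.split()[1], strict=False))
        elif line.startswith("login-banner-text"):
            settings["banner"] = True
    return settings


def is_management_allowed(access_list, source_ip):
    """True if source_ip falls inside any allowed-hosts entry (the SSH/HTTPS gate)."""
    src = ipaddress.ip_address(source_ip)
    return any(src in net for net in access_list)


def audit(settings, max_prefix_width=24):
    """Return a list of findings; an empty list means the host settings pass.

    The /24 width limit is this script's own threshold (an assumption), chosen
    because the lab permits one host (/32) and one peer network (/24).
    """
    findings = []
    if settings["telnet"] != "disabled":
        findings.append("telnet-option is not disabled; management would be cleartext")
    if not settings["access_list"]:
        findings.append("allowed-hosts list is empty; no management station is listed")
    for net in settings["access_list"]:
        if net.prefixlen < max_prefix_width:
            findings.append(f"allowed-hosts entry {net} is broader than /{max_prefix_width}")
    host_ip, gateway = settings["host_ip"], settings["gateway"]
    if host_ip is not None and gateway not in host_ip.network:
        findings.append(f"gateway {gateway} is outside {host_ip.network}")
    if not settings["banner"]:
        findings.append("no login-banner-text configured")
    return findings


if __name__ == "__main__":
    s = parse_host_settings(SAMPLE_CONFIG)
    for ip in ("10.0.1.12", "10.0.2.12", "10.0.3.12"):
        verdict = "allowed" if is_management_allowed(s["access_list"], ip) else "denied"
        print(f"{ip}: {verdict}")
    print("findings:", audit(s) or "none")
```

Run as a script, it reports that the pod's own student PC (10.0.1.12) and a host in the peer pod (10.0.2.12) pass the allowed-hosts check while a host in any other pod (10.0.3.12) does not, and prints no findings for the sample. Note that this reproduces only the address check; it cannot account for the inline-path condition described in Task 2, Step 3, which blocks the peer connection even though the address is permitted.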
Step 3

Enter configuration mode:


sensorP# configure terminal
sensorP(config)#

(where P = pod number)


Step 4
Enter host configuration mode:
sensorP(config)# service host
sensorP(config-hos)#

(where P = pod number)


Step 5
Display the settings for the host service:
sensorP(config-hos)# show settings
   network-settings
   -----------------------------------------------
      host-ip: 10.0.P.4/24,10.0.P.2 default: 10.1.9.201/24,10.1.9.1
      host-name: sensorP default: sensor
      telnet-option: disabled default: disabled
      access-list (min: 0, max: 512, current: 2)
      -----------------------------------------------
         network-address: 10.0.P.12/32
         -----------------------------------------------
         network-address: 10.0.Q.0/24
         -----------------------------------------------
      -----------------------------------------------
      ftp-timeout: 300 seconds <defaulted>
      .
      .
      .

(where P = pod number, and Q = peer pod number)


Step 6
Enter the network settings configuration mode:
sensorP(config-hos)# network-settings
sensorP(config-hos-net)#

(where P = pod number)


Step 7
Add an entry to your allowed hosts list:
sensorP(config-hos-net)# access-list 10.10.10.10/32

(where P = pod number)


Step 8
Exit the network settings configuration mode:
sensorP(config-hos-net)#exit

sensorP(config-hos)#

(where P = pod number)


Step 9
Exit host configuration mode:
sensorP(config-hos)#exit
Apply Changes:?[yes]:

(where P = pod number)


Step 10
Press Enter to apply your changes:
Apply Changes:?[yes]: <Enter>
sensorP(config)#

(where P = pod number)


Step 11
Exit configuration mode:
sensorP(config)# exit
sensorP#

(where P = pod number)


Step 12
Display the current configuration of the sensor and notice the access list entries:
sensorP# more current-config
! ------------------------------
! Current configuration last modified Fri Feb 23 13:33:42 2007
! ------------------------------
! Version 6.0(1)
! Host:
!     Realm Keys          key1.0
! Signature Definition:
!     Signature Update    S263.0   2006-12-18
!     Virus Update        V1.2     2007-11-24
! ------------------------------
service interface
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
network-settings
host-ip 10.0.P.4/24,10.0.P.2
host-name sensorP
telnet-option disabled


access-list 10.0.P.12/32
access-list 10.0.Q.0/24
access-list 10.10.10.10/32
login-banner-text AUTHORIZED ACCESS ONLY!
This system is the property of Cisco Systems.
Disconnect IMMEDIATELY if you are not an authorized user.
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
exit
! ------------------------------
service signature-definition sig0
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
exit
! ------------------------------
service anomaly-detection ad0
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service analysis-engine
exit

Step 13
Overwrite the current configuration with the backup configuration:
sensorP# copy /erase backup-config current-config

(where P = pod number)


Step 14
View the ACLs in your current configuration again to verify that the running
configuration has been overwritten and the allowed host you just added no longer
appears in the list:
sensorP# show configuration | include access-list
access-list 10.0.P.12/32
access-list 10.0.Q.0/24

(where P = pod number)
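As an added example that is not part of the lab guide, the following Python script parses the access-list entries of a service host block, checks whether a management station is allowed, and diffs two configurations the way Steps 12 through 14 compare current-config with backup-config by eye. The configuration text is constructed here with pod number P=1 and peer pod Q=2 assumed.

```python
"""Added example (not from the Cisco lab guide): work with the allowed-hosts
access-list of a Cisco IPS 6.0 'service host' configuration block."""
import ipaddress
import re

# Constructed sample: the 'service host' block of 'more current-config' after
# Step 7 added 10.10.10.10/32 (pod number P=1 and peer pod Q=2 assumed).
CURRENT_CONFIG = """\
service host
network-settings
host-ip 10.0.1.4/24,10.0.1.2
host-name sensor1
telnet-option disabled
access-list 10.0.1.12/32
access-list 10.0.2.0/24
access-list 10.10.10.10/32
login-banner-text AUTHORIZED ACCESS ONLY!
exit
exit
"""

# Constructed sample: the same block as saved in backup-config before Step 7.
BACKUP_CONFIG = """\
service host
network-settings
host-ip 10.0.1.4/24,10.0.1.2
host-name sensor1
telnet-option disabled
access-list 10.0.1.12/32
access-list 10.0.2.0/24
exit
exit
"""

ACL_RE = re.compile(r"^\s*access-list\s+(\d+\.\d+\.\d+\.\d+/\d+)\s*$")


def parse_access_list(config_text):
    """Return the access-list entries as IPv4 networks, in configuration order.
    strict=False tolerates an entry written with host bits set, e.g. 10.0.1.12/24."""
    entries = []
    for line in config_text.splitlines():
        m = ACL_RE.match(line)
        if m:
            entries.append(ipaddress.ip_network(m.group(1), strict=False))
    return entries


def is_allowed(host, config_text):
    """True if 'host' matches any allowed-hosts entry; this list governs which
    stations may reach the sensor for management (SSH and the IDM over HTTPS)."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in parse_access_list(config_text))


def diff_access_lists(before_text, after_text):
    """Return (added, removed) entries between two configurations, which is the
    comparison Step 14 makes with 'show configuration | include access-list'."""
    before = set(parse_access_list(before_text))
    after = set(parse_access_list(after_text))
    return sorted(after - before), sorted(before - after)


if __name__ == "__main__":
    added, _ = diff_access_lists(BACKUP_CONFIG, CURRENT_CONFIG)
    print("Step 7 added:", [str(n) for n in added])
    _, removed = diff_access_lists(CURRENT_CONFIG, BACKUP_CONFIG)
    print("restoring backup-config removes:", [str(n) for n in removed])
    for host in ("10.0.1.12", "10.0.2.12", "10.10.10.10", "172.26.26.50"):
        print(host, "allowed after restore:", is_allowed(host, BACKUP_CONFIG))
```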

Activity Verification
You have completed this task when you verify that the allowed host you added in this task is
removed when you restore the original configuration from backup.

Task 6: Display Sensor Events


This task involves using the sensor CLI to view events generated by the sensor.

Activity Procedure
Complete these steps:
Step 1
Display all events that occurred since 8:00 a.m. today.

Note
The following command and its output are an example. The command that you enter
should contain the current date and produce output that is similar to the example. You can
press Ctrl-C at any time to return to the CLI prompt.

sensorP# show events 8:00 feb 22 2007


evError: eventId=1111046219743472019 severity=error vendor=Cisco
originator:
hostId: sensor
appName: sensorApp
appInstanceId: 362
time: 2007/02/22 09:57:34 2007/02/22 09:57:34 UTC
errorMessage: name=errUnacceptableValue Sub-Struct Validation ... missing Parameter: variable-name

evStatus: eventId=1111046219743472022 vendor=Cisco
originator:
hostId: sensor
appName: mainApp
appInstanceId: 288
time: 2007/02/22 09:57:35 2007/02/22 09:57:35 UTC
controlTransaction: command=getVersion successful=true
description: Control transaction response.
requestor:
user: cisco
application:
hostId: UNKNOWN
appName: -cidcli
appInstanceId: 365
.
.
.

(where P = pod number)


Step 2
Display only the status events that have occurred since 8:00 this morning.

Note
The following command and its output are an example. The command that you enter
should contain the current date and produce output that is similar to the example. You can
press Ctrl-C at any time to return to the CLI prompt.

sensorP# show events status 8:00 feb 22 2007


evStatus: eventId=1111046219743472006 vendor=Cisco
originator:
hostId: sensor
appName: authentication
appInstanceId: 288
time: 2007/02/22 09:57:08 2007/02/22 09:57:08 UTC
certificatesChanged:
description: A new self-signed X.509 certificate was generated for 10.1.9.201.
The new certificate MD5 fingerprint is 66:4E:28:8D:15:EB:CD:C2:92:6C:A2:17:1B:C0:A6:70,
and the SHA1 fingerprint is 9D:C6:9A:D0:4B:5B:79:82:1E:2E:91:15:D5:6E:CD:17:57:06:FF:F5.

(where P = pod number)


Step 3

Delete events from the Event Store:


sensorP# clear events
Warning: Executing this command will remove all events
currently stored in the Event Store.
Continue with clear? :

(where P = pod number)


Step 4

When asked if you want to continue with the clear events command, enter yes.
Warning: Executing this command will remove all events
currently stored in the Event Store.
Continue with clear? : yes
sensorP#

(where P = pod number)


Step 5

Verify that events have been cleared from the Event Store by again displaying all
events that have occurred since 8:00 a.m. this morning:
sensorP# show events 8:00 april 1 2007 (insert your date)

(where P = pod number)


Note
The sensor might appear to be stalled at this point because there should be no events to
display.

Step 6
Enter Ctrl-C to return to the CLI prompt.
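The show events output viewed in this task has a regular shape: a record header such as evError or evStatus followed by indented key/value lines. As an added example that is not part of the lab guide, this Python script parses such text and filters it the way the CLI arguments do (a start time, optionally narrowed to status or error records); the sample text is constructed after the Step 1 and Step 2 output, with two-space indentation assumed.

```python
"""Added example (not from the Cisco lab guide): parse the text the sensor CLI
prints for 'show events' and filter it the way 'show events [status] hh:mm
month day year' does. The sample is constructed after the Step 1 and Step 2
output, with the two-space indentation the CLI uses (assumed here)."""
import re
from datetime import datetime

# Constructed sample output of 'show events' (three records).
SAMPLE = """\
evError: eventId=1111046219743472019 severity=error vendor=Cisco
  originator:
    hostId: sensor
    appName: sensorApp
    appInstanceId: 362
  time: 2007/02/22 09:57:34 2007/02/22 09:57:34 UTC
  errorMessage: name=errUnacceptableValue Sub-Struct Validation ... missing Parameter: variable-name

evStatus: eventId=1111046219743472022 vendor=Cisco
  originator:
    hostId: sensor
    appName: mainApp
    appInstanceId: 288
  time: 2007/02/22 09:57:35 2007/02/22 09:57:35 UTC
  controlTransaction: command=getVersion successful=true
    description: Control transaction response.
    requestor:
      user: cisco
      application:
        hostId: UNKNOWN
        appName: -cidcli
        appInstanceId: 365

evStatus: eventId=1111046219743472006 vendor=Cisco
  originator:
    hostId: sensor
    appName: authentication
    appInstanceId: 288
  time: 2007/02/22 09:57:08 2007/02/22 09:57:08 UTC
  certificatesChanged:
    description: A new self-signed X.509 certificate was generated for 10.1.9.201.
"""

TIME_RE = re.compile(r"(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) UTC$")  # the UTC stamp

def _node(value):
    """'a=b c=d' becomes a dict, an empty value opens a section, else a string leaf."""
    if not value:
        return {}
    tokens = value.split()
    if all("=" in t for t in tokens):
        return dict(t.split("=", 1) for t in tokens)
    return value

def parse_events(text):
    """Turn the indented CLI text into a list of nested dicts, one per record."""
    events, stack = [], []  # stack: (indent, dict) of sections still open
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        node = _node(value.strip())
        while stack and stack[-1][0] >= indent:  # close sections at this depth or deeper
            stack.pop()
        if not stack:  # column 0 starts a new record such as evError or evStatus
            event = {"type": key.strip()}
            if isinstance(node, dict):
                event.update(node)
            events.append(event)
            stack.append((indent, event))
            continue
        stack[-1][1][key.strip()] = node
        if isinstance(node, dict):
            stack.append((indent, node))
    return events

def event_time(event):
    """UTC timestamp of a record as a datetime, or None if it carries no time."""
    m = TIME_RE.search(event.get("time", ""))
    return datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S") if m else None

def parse_cli_time(spec):
    """Parse the CLI start time, e.g. '8:00 feb 22 2007' or '8:00 april 1 2007'."""
    for fmt in ("%H:%M %b %d %Y", "%H:%M %B %d %Y"):
        try:
            return datetime.strptime(spec, fmt)
        except ValueError:
            pass
    raise ValueError("unrecognised time specification: " + spec)

def show_events(events, since_spec, kind=None):
    """Records at or after the start time; kind='status' or 'error' narrows the
    record type like the keyword in 'show events status 8:00 feb 22 2007'."""
    since = parse_cli_time(since_spec)
    wanted = None if kind is None else "ev" + kind.capitalize()
    return [e for e in events
            if (wanted is None or e["type"] == wanted)
            and event_time(e) is not None and event_time(e) >= since]
```

After clear events the same filter over an empty Event Store returns nothing, which is why the CLI appears stalled in Step 5.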

Activity Verification
You have completed this task when you attain these results:

You have observed sensor events via the sensor CLI.

You have cleared all events from the Event Store and verified that there are no longer any
events in the Event Store.


Lab 2-2: Use the Cisco IDM to Perform a Basic Sensor Configuration
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will launch and navigate the Cisco IDM and use it to perform basic
administrative and configuration tasks. After completing this activity, you will be able to meet
these objectives:

Launch the Cisco IDM

Verify network settings

Generate a new SSH key pair

View sensor events

Add another student to the allowed hosts

Create additional user accounts

Enable two sensing interfaces

Create an interface pair

Assign the interface pair to the first virtual sensor

Configure the sensor in various bypass modes and test its functionality

Reboot a Cisco IPS 4200 Series Sensor

Visual Objective
The figure illustrates what you will accomplish in this activity.

Visual Objective for Lab 2-2: Use the Cisco IDM to Perform a Basic Sensor Configuration (figure): the topology shows the Web/FTP superserver (172.26.26.50) on network 172.26.26.0 connected to the RBB router, and for each pod the routers prP and routerP, the networks 172.30.P.0, 172.16.P.0 and 10.0.P.0, sensorP at 10.0.P.4, the RTS, and the student PC at 10.0.P.12; the peer pod Q is laid out the same way with sensorQ and student PC 10.0.Q.12.

Task 1: Launching and Logging into the Cisco IDM


This task involves launching and logging into the Cisco IDM.

Activity Procedure
Complete these steps:
Step 1

Launch your web browser and specify the sensor as the location. To do this, enter
the following URL in the address field of your web browser:
https://10.0.P.4

(where P = pod number)


Step 2
When the Security Alert window opens, click Yes. The Enter Network Password
window opens.
Step 3

Enter cisco in the Username text box.

Step 4

Enter iattacku2 in the Password text box.

Step 5

Click OK.

Step 6

The Warning Security window opens asking if you want to accept the certificate
from your sensor 10.0.P.4.

Step 7

Click Yes.

Step 8

Another Warning Security window opens asking if you want to trust the signed
applet distributed by Cisco Systems.

Step 9

Click Yes.

Step 10

Wait while the Cisco IDM loads the current configuration from the sensor.

Activity Verification
You have completed this task when you are logged into the Cisco IDM GUI.

Task 2: Navigating the Cisco IDM


In this task, you will verify network settings, verify interface configuration, and display the
server certificate of the sensor to get familiar with the Cisco IDM.

Activity Procedure
Complete these steps:
Step 1

Verify that the Configuration radio button is selected.

Step 2

Verify the network settings of the sensor in the Network panel.

Step 3

Choose Sensor Setup > Certificates > Server Certificate. The server certificate is
displayed in the Server Certificate panel.

Activity Verification
You have completed this task when you have verified the network settings of the sensor and
displayed its server certificate.

Task 3: Configuring SSH Communications


This task involves configuring SSH secure communications.

Activity Procedure
Step 1
Complete the following substeps to generate a new SSH sensor key:
1. Choose Configuration > Sensor Setup > SSH > Sensor Key. The Sensor Key panel displays the SSH
sensor key.
2. Click Generate Key. The Warning window opens.
3. Click OK. The Information window opens, informing you that the key was successfully generated.
4. Click OK.
Step 2
Complete the following substeps to verify that the security warning is displayed
again when you attempt to connect to the sensor using SSH:
1. Double-click the Tera Term icon on your desktop. The Tera Term: New Connection
window opens.
2. Enter the IP address of your sensor, 10.0.P.4, in the Host field.
(where P = pod number)
3. Click the SSH radio button.
4. Click OK. A new Security Warning window opens.
5. Click Yes.
6. Enter cisco in the Username field.
7. Enter iattacku2 in the Passphrase field.
8. Click OK. The sensor CLI is displayed in the Tera Term window.
9. Close the Tera Term window.
10. Click Disconnect. The Tera Term and Security Warning windows close.

Note
If you are unable to establish an SSH session after generating a new SSH sensor key, reboot the sensor or the
computer or both. Then repeat Step 2.

Activity Verification
You have completed this task when you have successfully generated a new SSH sensor key and
successfully reconnected to the sensor via SSH.

Task 4: Use the Cisco IDM to View Sensor Events


This task involves using the Cisco IDM to view sensor events resulting from configuration
changes.

Activity Procedure
Step 1
Complete the following substeps to make a configuration change:
1. Choose Configuration > Sensor Setup > Allowed Hosts. The Allowed Hosts panel is displayed.
2. Choose your peer network, 10.0.Q.0, from the allowed hosts list.
(where Q = peer pod number)
3. Click Edit. The Edit Allowed Host window opens.
4. Change the IP address to 10.0.Q.12.
(where Q = peer pod number)
5. Choose 255.255.255.255 from the Network Mask drop-down menu to change the network mask.
6. Click OK. The edited IP address is displayed in the allowed hosts list.
7. Click Apply.
Step 2
Complete the following substeps to configure the event display and view events
resulting from the configuration change:
1. Choose Monitoring > Events. The Events panel is displayed.
2. Check the Show Status Events check box.
3. Verify that the Show Past Events radio button is selected.
4. Verify that 1 is displayed in the Show Past Events field and that hours is selected from the drop-down menu.
5. Click View. The Event Viewer window opens.
6. Click the Refresh button in the Event Viewer. The Refresh Events window opens.
7. If prompted, click Yes. A status event, editConfigDeltaHost, is displayed in the Events column.
8. Choose the editConfigDeltaHost event.

Note
You may need to click Next several times to locate the editConfigDeltaHost entry.

9. Click Details. The Details For window opens. Notice that the following information about the configuration
change is displayed:
Name of user who made the change (cisco)

IP address of the host from which the change was initiated (10.0.P.12)

Subsystem that was configured (MainApp)
Step 3

Click Close to close the Details For window.

Step 4

Click Close to close the Event Viewer window.

Activity Verification
You have completed this task when you have displayed a status event in the Cisco IDM Event
Viewer window.

Task 5: Configuring Allowed Hosts


This task involves using the Cisco IDM to add another student PC to your allowed hosts list.

Activity Procedure
Complete these steps:
Step 1

Choose Configuration > Sensor Setup > Allowed Hosts. The Allowed Hosts panel
is displayed.

Step 2

Click Add. The Add Allowed Host window opens.

Step 3

Choose another pod to act as your secondary peer, then enter the address of its student
PC, 10.0.S.12, in the IP Address field.

(where S = secondary peer pod number)

Step 4

Choose 255.255.255.255 from the Network Mask drop-down menu.

Step 5

Click OK. The IP address is displayed in the allowed hosts list.

Step 6

Click Add again. The Add Allowed Host window opens.

Step 7

Enter 172.30.Q.0 in the IP Address field.

(where Q = peer pod number)


Step 8
Choose 255.255.255.0 from the Network Mask drop-down menu.

Step 9

Click OK. The IP address is displayed in the allowed hosts list.

Step 10

Click Apply to apply your changes to the sensor.


Activity Verification
You have completed this task when the new host address and network address are displayed in
the Allowed Hosts panel.

Task 6: Creating User Accounts


This task involves creating an additional user account.

Activity Procedure
Step 1

Complete the following substeps to create user accounts:

1. Choose Configuration > Sensor Setup > Users. The Users panel is displayed.
2. Click Add. The Add User window opens.
3. Enter admin in the Username field.
4. Choose Administrator from the User Role drop-down menu.
5. Enter adminpass in the Password field.
6. Enter adminpass again in the Confirm Password field.
7. Click OK. The user admin is displayed in the Users panel.
8. Click Add. The Add User window opens.
9. Enter oper in the Username field.
10. Choose Operator from the User Role drop-down menu.
11. Enter operpass in the Password field.
12. Enter operpass again in the Confirm Password field.
13. Click OK. The user oper is displayed in the Users panel.
14. Click Add. The Add User window opens.
15. Enter serv in the Username field.
16. Choose Service from the User Role drop-down menu.
17. Enter servpass in the Password field.
18. Enter servpass again in the Confirm Password field.
19. Click OK. The user serv is displayed in the Users panel.
20. Click Apply.
Complete the following substeps to test the user accounts:
1. Access the terminal server as directed by your instructor.
2. Access the sensor via its console port as directed by your instructor.
3. Log into the CLI:
sensor login: cisco
Password: iattacku2

4. Display the user accounts that you created:


sensorP# show users all
    CLI ID   User    Privilege
    2082     cisco   administrator
             admin   administrator
             oper    operator
             serv    service
sensorP#

(where P = pod number)


5. Exit privileged EXEC mode:

sensorP# exit
sensorP login:

(where P = pod number)


1. Log in with the operator account, oper:
Sensor login: oper
Password: operpass
***NOTICE***
This product contains cryptographic features and is
subject to United States and local country laws
governing import, export, transfer and use. Delivery
of Cisco cryptographic products does not imply third-party
authority to import, export, distribute or use
encryption. Importers, exporters, distributors and
users are responsible for compliance with U.S. and
local country laws. By using this product you agree to
comply with applicable laws and regulations. If you
are unable to comply with U.S. and local laws, return
this product immediately.

A summary of U.S. laws governing Cisco cryptographic
products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by
sending email to
export@cisco.com.

***LICENSE NOTICE***
There is no license key installed on the IDS-4215.
The system will continue to operate with the currently
installed signature set. A valid license must be
obtained in order to apply signature updates. Please
go to http://www.cisco.com/go/license to obtain a new
license or to install a license.
sensorP#

(where P = pod number)


2. Enter configuration mode:
sensorP# configure terminal
sensorP(config)#

(where P = pod number)


3. Attempt to add a host to the sensor allowed host list:
sensorP(config)# service host
sensorP(config-hos)# network-settings
^
% Invalid input detected at '^' marker

sensorP(config-hos)#

(where P = pod number)


4. Exit host configuration mode:
sensorP(config-hos)#exit
sensorP(config)#

(where P = pod number)


5. Attempt to add a user:
sensorP(config)# username bob
^
% Invalid input detected at '^' marker

sensorP(config)#

(where P = pod number)


6. Log out of the operator account:
sensorP(config)# exit
sensorP# exit
sensorP login:

(where P = pod number)

Activity Verification
You have completed this task when you attain these results:

The show users all command output displays the following user accounts:
cisco (administrator)

admin (administrator)

oper (operator)

serv (service)

You verify that a user with operator privileges cannot modify the allowed host list of the
sensor or create user accounts.

Task 7: Enabling the Sensing Interfaces


This task involves using the Cisco IDM to enable the sensor sensing interfaces.

Activity Procedure
Complete these steps:
Step 1

Choose Configuration > Interface Configuration > Interfaces. The Interfaces
panel is displayed.

Step 2

Choose FastEthernet0/1 (or GigabitEthernet 0/0) from the interface list.

Step 3

Click Enable.

Step 4

Choose FastEthernet1/0 (or GigabitEthernet 0/1) from the interfaces list.

Step 5

Click Enable.

Step 6

Verify that Yes is displayed in the Enabled column for both interfaces.

Step 7

Click Apply to apply your changes to the sensor.


Activity Verification
You have completed this task when the Enabled column of the Interfaces panel displays Yes for
FastEthernet0/1 and FastEthernet1/0.

Task 8: Creating an Interface Pair


This task involves using the Cisco IDM to create an interface pair.

Activity Procedure
Complete these steps:
Step 1

Choose Configuration > Interface Configuration > Interface Pairs. The Interface
Pairs panel is displayed.

Step 2

Click Add. The Add Interface Pair window opens.

Step 3

Enter MyPair in the Interface Pair Name field.

Step 4

Choose FastEthernet0/1 (or GigabitEthernet 0/0) from the Select Two Interfaces
list.

Step 5

Hold down the shift key and choose FastEthernet1/0 (GigabitEthernet 0/1) from the
Select Two Interfaces list.

Step 6

Click OK. The interface pair is displayed in the Interface Pairs panel.

Step 7

Click Apply to apply your changes to the sensor.

Activity Verification
You have completed this task when the interface pair MyPair is displayed in the Interface Pairs
panel.

Task 9: Assigning the Interface Pair to the Virtual Sensor


This task involves using the Cisco IDM to assign the interface pair to the virtual sensor.

Activity Procedure
Complete these steps:

Step 1

Choose Configuration > Analysis Engine > Virtual Sensor. The Virtual Sensor
panel is displayed.

Step 2

Click Edit. The Edit Virtual Sensor window opens.

Step 3

Choose MyPair (FastEthernet0/1<->FastEthernet1/0) from the Available
Interfaces (or Pairs) list.

Step 4

Click Assign. The interface pair now has Yes under the Assigned column.

Step 5

Click OK. The interface pair is displayed in the Assigned Interfaces (or Interface
Pairs) column of the Virtual Sensor panel.

Step 6

Click Apply to apply your changes to the sensor.


Activity Verification
You have completed this task when the interface pair MyPair is displayed in the Assigned
Interfaces (or Interface Pairs) column of the Virtual Sensor panel.

Task 10: Configuring Bypass Mode


This task involves changing the bypass mode of the sensor and testing its functionality.

Activity Procedure
Step 1
Complete the following substeps to connect to your sensor CLI:
1. Double-click the Tera Term icon on your desktop.
2. Enter your sensor IP address, 10.0.P.4, in the Host field.
3. Click the SSH radio button.
4. Click OK.
5. If the security warning is displayed, click Continue.
6. Enter cisco in the Username field.
7. Enter iattacku2 in the Passphrase field.
8. Click OK. The sensor CLI is displayed.
Step 2
Display real-time events:
sensorP# show events

(where P = pod number)


Step 3

Open a Windows command prompt and start a continuous ping from your student
PC to the superserver:
C:\>ping 172.26.26.50 -t

Open another Windows command prompt and establish an FTP session to the superserver.
C:\>ftp 172.26.26.50
Connected to 172.26.26.50.
220 2KQ Microsoft FTP Service (Version 5.0).
User (172.26.26.50:(none)):
Step 4

Enter an invalid password three times to trigger the FTP authorization failure
signature by completing the following substeps:
1. Attempt to log in with the username administrator and an invalid password:
User (172.26.26.50:(none)): administrator
331 Password required for user.
Password: badpass
530 User administrator cannot log in.
Login failed.
ftp>

2. Make another login attempt:


ftp> user administrator
331 Password required for user.
Password: badpass2
530 User administrator cannot log in.
Login failed.
2007 Cisco Systems, Inc.

Lab Guide

The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.

33

ftp>

3. Make a third login attempt:


ftp> user administrator
331 Password required for user.
Password: badpass3
530 User administrator cannot log in.
Login failed.
Step 5

Verify that the alert for the FTP authorization failure signature is displayed in the
CLI.

Step 6
Complete the following substeps to configure bypass mode:
1. Choose Configuration > Interface Configuration > Bypass. The Bypass panel
is displayed.
2. Choose On (Never Inspect Inline Traffic) from the Bypass Mode drop-down
menu.
3. Click Apply. The Bypass window opens.
4. Click OK. The Warning window opens.
5. Click OK.

Step 7
Verify that traffic is still flowing through the sensor by verifying that the continuous
ping is still working.

Step 8
Establish an FTP session to the superserver:
C:\>ftp 172.26.26.50
Connected to 172.26.26.50.
220 2KQ Microsoft FTP Service (Version 5.0).
User (172.26.26.50:(none)):

(where Q = peer pod number)


Step 9
Attempt to trigger the FTP authorization failure signature again to verify that the
sensor is no longer inspecting traffic by completing the following substeps:
1. Attempt to log in with the username administrator and an invalid password:
User (172.26.26.50:(none)): administrator
331 Password required for user.
Password: badpass
530 User administrator cannot log in.
Login failed.
ftp>

2. Make another login attempt:


ftp> user administrator
331 Password required for user.
Password: badpass2
530 User administrator cannot log in.
Login failed.
ftp>

3. Make a third login attempt:


ftp> user administrator
331 Password required for user.
Password: badpass3
530 User administrator cannot log in.
Login failed.
Step 10

View the CLI to verify that traffic was not inspected by the sensor, and therefore, the
FTP authorization failure signature did not fire to generate an alert.

Step 11

Complete the following substeps to set the bypass mode back to Auto:
1. Choose Configuration > Interface Configuration > Bypass. The Bypass panel is displayed.
2. Choose Auto (Bypass Inspection When Analysis Engine Is Stopped) from the
Bypass Mode drop-down menu.
3. Click Apply. The Bypass window opens.
4. Click OK.
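As an added example that is not part of the lab guide, the following Python script models what this task demonstrates: a detector that counts failed FTP logins per session and fires once the threshold is reached, and an inline interface pair whose bypass mode decides whether that detector sees the traffic at all. The transcript, the threshold of three failures, the alert fields and the Off-mode behaviour with a stopped analysis engine are assumptions made for the illustration.

```python
"""Added example (not from the Cisco lab guide): a small model of the FTP
authorization failure signature and of the sensor bypass mode, run over a
constructed transcript of the Task 10 FTP session."""

FAILED_LOGIN_THRESHOLD = 3  # assumption: three 530 replies in one session fire the alert

CLIENT, SERVER = "10.0.1.12", "172.26.26.50"  # student PC (P=1 assumed) and superserver


def build_session(failed_logins, client=CLIENT, server=SERVER):
    """Constructed transcript as (source, destination, FTP line) records: the
    banner, then USER/331/PASS/530 for each failed login, passwords masked."""
    records = [(server, client, "220 2K1 Microsoft FTP Service (Version 5.0).")]
    for _ in range(failed_logins):
        records += [
            (client, server, "USER administrator"),
            (server, client, "331 Password required for user."),
            (client, server, "PASS ********"),
            (server, client, "530 User administrator cannot log in."),
        ]
    return records


SESSION = build_session(3)  # the three bad passwords of Step 4


def ftp_auth_failures(records, threshold=FAILED_LOGIN_THRESHOLD):
    """Count 530 replies per session and emit one alert each time the threshold
    is reached. A session is the unordered address pair; the attacker is the
    host that receives the 530 replies, i.e. the FTP client."""
    failures, alerts = {}, []
    for src, dst, line in records:
        if not line.startswith("530"):
            continue
        session = frozenset((src, dst))
        failures[session] = failures.get(session, 0) + 1
        if failures[session] == threshold:
            alerts.append({"signature": "FTP Authorization Failure",
                           "attacker": dst, "victim": src, "failures": threshold})
            failures[session] = 0  # start a fresh count for the next alert
    return alerts


def inspect_inline(records, bypass_mode, analysis_engine_running=True):
    """Model of an inline interface pair; returns (forwarded records, alerts).

    'on'   never inspects inline traffic: everything passes, no alerts (Step 6)
    'auto' inspects while the analysis engine runs, otherwise passes traffic
           uninspected (Step 11)
    'off'  always inspects; with the engine stopped, traffic does not pass
           (assumed here from the meaning of disabling bypass)
    """
    if bypass_mode == "on":
        return list(records), []
    if bypass_mode in ("auto", "off"):
        if analysis_engine_running:
            return list(records), ftp_auth_failures(records)
        return (list(records), []) if bypass_mode == "auto" else ([], [])
    raise ValueError("bypass mode must be 'on', 'auto' or 'off'")


if __name__ == "__main__":
    for mode in ("auto", "on"):
        forwarded, alerts = inspect_inline(SESSION, mode)
        print(mode, "forwarded", len(forwarded), "records, alerts:", alerts)
```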

Activity Verification
You have completed this task when you attain these results:

You verify that traffic is not inspected when bypass mode is set to On.

You verify that traffic is inspected when bypass mode is set to Auto.

Task 11: Using the Cisco IDM to Reboot the Sensor


This task involves rebooting the sensor.

Activity Procedure
Complete these steps:
Step 1

Choose Configuration > Reboot Sensor. The Reboot Sensor panel is displayed.

Step 2

Click Reboot Sensor. The Reboot Sensor window opens.

Step 3

Click OK. Wait for approximately 90 seconds.

Q1) Was the continuous ping interrupted by the sensor rebooting? __________

Q2) Why? ____________________________________________________

Step 4

Terminate the continuous ping.

Activity Verification
You have completed this task when you have rebooted the sensor via the Cisco IDM.


Lab 3-1: Working with Signatures and Alerts


Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will manipulate built-in signatures and test their implementation.
After completing this activity, you will be able to meet these objectives:

Manipulate built-in signatures parameters using the principles learned

Deny and then remove an attacker from the denied hosts list

Generate more events and examine the generated alerts

Use Ethereal to examine IP logs captured by the sensor

Visual Objective
The figure illustrates what you will accomplish in this activity.

Visual Objective for Lab 3-1: Working with Signatures and Alerts (figure): the topology shows the Web/FTP superserver (172.26.26.50) on network 172.26.26.0 connected to the RBB router, and for each pod the routers prP and routerP, the networks 172.30.P.0, 172.16.P.0 and 10.0.P.0, sensorP at 10.0.P.4, the RTS, and the student PC at 10.0.P.12; the peer pod Q is laid out the same way with sensorQ and student PC 10.0.Q.12.


Task 1: Modify Parameters of Built-in Signatures


This task involves using the Cisco IDM to enable built-in signatures and configure signature
actions.

Activity Procedure
Complete these steps:
Step 1

Complete the following substeps to log into the Cisco IDM:

1. Launch your web browser and specify the sensor as the location. To do this, enter the following URL in the Address field of your web browser:
https://10.0.P.4
(where P = pod number)
2. When the Security Alert window opens, click Yes. The Enter Network Password window opens.
3. Enter cisco in the Username text box.
4. Enter iattacku2 in the Password text box.
5. Click OK. The Warning Security window opens asking if you want to accept the certificate from your sensor 10.0.P.4.
6. Click Yes. Another Warning Security window opens asking if you want to trust the signed applet distributed by Cisco Systems.
7. Click OK. Wait while Cisco IDM loads the current configuration from the sensor.

Step 2

From your student PC, ping the superserver. The ping should succeed.
C:\>ping 172.26.26.50

Step 3

Complete the following substeps to configure a built-in signature:

1. Choose Configuration > Policies > Signature Definitions > sig0 > Signature Configuration. The Signature Configuration panel is displayed.
2. Choose Sig ID from the Select By drop-down menu.
3. Enter 2004 in the Enter Sig ID field.
4. Click Find. Signature 2004, ICMP echo request, is displayed.
5. Choose signature 2004.
6. Click Enable.
7. Click Actions. The Assign Actions window opens.
8. Check the Deny Packet Inline check box, and verify that the Produce Alert check box is also selected.
9. Click OK. The new configuration is displayed in the Signature Configuration panel.
10. Click Apply.
Step 4

Complete the following substeps to test your configuration:

1. From your student PC, ping the superserver. The ping should now fail.
C:\>ping 172.26.26.50
2. Choose Monitoring > Events. The Events panel is displayed.
3. Verify that the Show Past Events radio button is selected.
4. Enter 5 in the Show Past Events field.
5. Choose Minutes from the Show Past Events drop-down menu.
6. Click View. The Event Viewer window opens.
7. Click Refresh. The Refresh Events window opens.
8. Click Yes. The alert generated by the ICMP echo request signature is displayed.
9. Choose the signature.
10. Click Details. The Details For window opens. Notice the following information about the ICMP echo request:

Attacker Address: 10.0.P.12

Action: Dropped packet

Value Rating: Medium

Relevance Rating: Relevant

Step 5

Click Close. The Details For window closes.

Step 6

Click Close in the Event Viewer window. The Event Viewer closes.

Step 7

Complete the following substeps to modify the actions for signature 2004:

1. Choose Configuration > Policies > Signature Definitions > sig0 > Signature Configuration. The Signature Configuration panel is displayed.
2. Choose the 2004 signature.
3. Click Actions. The Assign Actions window opens.
4. Uncheck the Deny Packet Inline check box.
5. Check the Deny Attacker Inline check box.
6. Click OK.
7. Click Apply.
Step 8

Complete the following substeps to test your configuration:

1. Use Telnet to connect to your perimeter router. Telnet should be successful.
C:\>telnet 172.16.P.1
2. From your perimeter router, ping your student PC. The ping should fail.
prP# ping 10.0.P.12
(where P = pod number)

Q1) What is the status of your Telnet session? ___________________________
Q2) Why? __________________________________________________

3. Choose Monitoring > Events. The Events panel is displayed.
4. Click View. The Event Viewer window opens.
5. Click Refresh.
6. Choose the new alert.
7. Click Details. The Details For window opens. Notice that the action is deniedAttacker.
Step 9
Click Close. The Details For window closes.
Step 10

Click Close in the Event Viewer window. The Event Viewer closes.

Activity Verification
You have completed this task when signature 2004, ICMP Echo Request, produces an alert and
takes the specified actions.

Task 2: Displaying and Clearing Denied Attackers


This task involves using the Cisco IDM to view and clear the denied attackers list.

Activity Procedure
Complete these steps:
Step 1

Choose Monitoring > Denied Attackers. The Denied Attackers panel displays the IP address of your peer perimeter router.

Step 2

Verify that the IP address of your perimeter router is selected.

Step 3

Click Clear List. The Clear All Denied Attackers Entries window opens asking if
you are sure you want to remove all IP addresses from the denied attackers list.

Step 4

Click Yes. The IP address of the perimeter router of your peer is removed from the
Denied Attackers panel.

Step 5

Complete the following substeps to change the action for signature 2004 back to Produce Alert only:

1. Choose Configuration > Policies > Signature Definitions > sig0 > Signature Configuration. The Signature Configuration panel is displayed.
2. Choose the 2004 signature.
3. Click Actions. The Assign Actions window opens.
4. Uncheck the Deny Attacker Inline check box.
5. Click OK.
6. Click Apply.

Step 6

From your perimeter router, ping your student PC. The pings should now succeed.
prP# ping 10.0.P.12
(where P = pod number)

Activity Verification
You have completed this task when you have removed the IP address of the perimeter router of
your peer from the denied attackers list.

Task 3: Generating and Examining More Alerts


This task involves using the Cisco IDM to view alerts generated by the sensor.

Activity Procedure
Step 1

Complete the following substeps to configure the Cisco IDM events display:

1. Choose Monitoring > Events. The Events panel is displayed.
2. Verify that the Informational, Low, Medium, and High check boxes under Show Alert Events are checked.
3. Click the Show Events from the Following Time Range radio button.
4. In the Start Time (UTC) area, click the From radio button and use the drop-down menus to specify the current date and the current time.
5. Click View. The Event Viewer window opens.

Step 2

Complete the following substeps to generate additional alerts:

1. Open the IPSfiles folder on your desktop.
2. Double-click BluesPortScan.exe. The Blues Port Scanner window opens.
3. Enter 172.26.26.50, the IP address of the superserver, in the Start field.
4. Verify that TCP is selected from the protocol list.
5. Deselect Anti Flood and Ping Check.
6. Click Start Scan.
Step 3
Click Refresh in the Cisco IDM Event Viewer window periodically to view alerts
generated by the sensor. You should see Signature 3002, TCP SYN Port Sweep.
Step 4

Complete the following substeps to generate additional alerts:

1. Choose UDP from the Blues Port Scanner protocol list.
2. Click Start Scan.
3. Minimize the Blues Port Scanner window.

Step 5

Click Refresh in the Cisco IDM Event Viewer window periodically to view alerts generated by the sensor. You should see alerts generated by the following signatures:

2157: ICMP Hard Error DoS

4003: Nmap UDP Port Sweep

4619: Invalid DHCP Packet

4508: Non SNMP Traffic

Step 6

Choose each signature and examine its severity level and other parameters.

Activity Verification
You have completed this task when you attain these results:
The Cisco IDM Event Viewer window displays alerts generated by the following signatures:

3002: TCP SYN Port Sweep

4003: Nmap UDP Port Sweep

4619: Invalid DHCP Packet

2157: ICMP Hard Error DoS

4508: Non SNMP Traffic

You have examined the severity levels and risk ratings for the alerts generated by the following
signatures:


3002: TCP SYN Port Sweep

4003: Nmap UDP Port Sweep

4619: Invalid DHCP Packet

2157: ICMP Hard Error DoS

4508: Non SNMP Traffic


Lab 3-2: Customizing Signatures


Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will use the Cisco IDM to tune and create signatures to meet the
requirements of a given security policy. After completing this activity, you will be able to meet
these objectives:

Use the Cisco IDM to modify multiple settings on a signature and then verify the
modifications

Restore previously modified signature settings to their defaults and then verify the restoration

Use the Cisco IDM to modify multiple settings in the FTP authorization failure signature
and then verify the modifications

Enable the sensor application policy enforcement and test AIC HTTP signatures

Use the sensor meta event generator for event correlation

Create a custom signature by using the Cisco IDM signature wizard while specifying the
signature engine

Use the Cisco IDM to delete the custom signature just created in one of the pods

Create a custom signature by using the Cisco IDM signature wizard without specifying the
signature engine

Visual Objective
The figure illustrates what you will accomplish in this activity.

Figure: Visual Objective for Lab 3-2: Customizing Signatures. Network diagram showing the Web/FTP superserver (172.26.26.50), the RBB backbone router, the perimeter routers prP and prQ, sensorP and sensorQ, routerP and routerQ, and the student PCs 10.0.P.12 and 10.0.Q.12.

Task 1: Tuning a Signature Using the Cisco IDM


This task involves modifying and testing the following parameters for signature 2004, ICMP
echo request:

Alert severity parameter

Alert frequency parameters

Event counter parameters

Activity Procedure
Step 1

Complete the following substeps to tune a built-in signature:

1. Choose Configuration > Policies > Signature Definitions > sig0 > Signature Configuration. The Signature Configuration panel is displayed.
2. Choose Sig ID from the Select By drop-down menu.
3. Enter 2004 in the Enter Sig ID field.
4. Click Find. Signature 2004 is displayed in the Signature Configuration panel.
5. Choose signature 2004.
6. Click Edit. The Edit Signature window opens.
7. Click the Alert Severity field.
8. Choose Medium from the Alert Severity drop-down menu.
9. Scroll down to the Alert Frequency parameters.
10. If necessary, click the Alert Frequency icon to expand the Alert Frequency parameters.
11. Click the Summary Mode field.
12. Choose Fire All from the Summary Mode drop-down menu.
13. Click OK. The Signature Configuration panel is displayed.
14. Click Apply.

Step 2

Complete the following substeps to test the tuned signature:

1. Open a Windows command prompt and ping your perimeter router:
C:\>ping 172.16.P.1
2. Choose Monitoring > Events. The Events panel is displayed.
3. Verify that the Informational, Low, Medium, and High check boxes under Show Alert Events are checked.
4. Choose Show Past Events.
5. Specify that you want to see the events of the past 5 minutes.
6. Click View. The Event Viewer window opens.
7. Verify that four alerts were generated when you pinged your perimeter router.
Step 3

Configure the 2004 signature to fire only when ICMP echo requests are coming from your inside host by completing the following substeps:

1. Choose Configuration > Policies > Signature Definitions > sig0 > Signature Configuration. The Signature Configuration panel is displayed.
2. Choose Sig ID from the Select By drop-down menu.
3. Enter 2004 in the Enter Sig ID field.
4. Click Find. Signature 2004 is displayed in the Signature Configuration panel.
5. Choose signature 2004.
6. Click Edit. The Edit Signature window opens.
7. Click the Specify IP Addr Options field and choose Yes from the drop-down menu.
8. Choose IP Addresses from the IP Address Options drop-down menu.
9. Choose Yes from the Specify Source IP Addresses drop-down menu.
10. Enter 10.0.P.12 in the Source IP Address Range field.
(where P = pod number)
11. Click OK. The Signature Configuration panel is displayed.
12. Click Apply.

Step 4

Complete the following substeps to test the changes that you made to your tuned signature:

1. Open a Windows command prompt and use Telnet to connect to your perimeter router:
C:\>telnet 172.16.P.1
(where P = pod number)
2. From the perimeter router, ping your inside host, 10.0.P.12. Have your peer also ping your inside host from their perimeter router:
prP>ping 10.0.P.12
(where P = pod number)

Step 5

1. Open a second Windows command prompt and ping your perimeter router:
C:\>ping 172.16.P.1
(where P = pod number)
2. Choose Monitoring > Events. The Events panel is displayed.
3. Verify that the Informational, Low, Medium, and High check boxes under Show Alert Events are checked.
4. Choose Show Past Events.
5. Specify that you want to see the events of the past 5 minutes.
6. Click View. The Event Viewer window opens.
7. Verify that four alerts were generated when you executed a ping to your perimeter router but that no alerts were generated when you executed a ping to your inside host from your perimeter router or peer pod.
8. Close the Telnet window.
Step 6

Complete the following substeps to tune the signature event counter parameters:

1. Verify that signature 2004 is selected in the Signature Configuration panel.
2. Click Edit. The Edit Signature window opens.
3. If necessary, click the Event Counter field to expand the Event Counter parameters.
4. Click the Event Count field.
5. Enter 6 in the Event Count field.
6. Click OK. The Signature Configuration panel is displayed.
7. Click Apply.

Step 7

Complete the following substeps to test the Event Count setting:

1. Open a Windows command prompt and ping your perimeter router once:
C:\>ping 172.16.P.1
(where P = pod number)
2. Choose Monitoring > Events. The Events panel is displayed.
3. Verify that the Informational, Low, Medium, and High check boxes under Show Alert Events are checked.
4. Choose Show Past Events.
5. Specify that you want to see the events of the past 5 minutes.
6. Click View. The Event Viewer window opens.
7. Verify that no alerts were generated when you pinged your perimeter router.
8. Now ping the perimeter router three (3) times.
C:\>ping 172.16.P.1
(where P = pod number)
9. Choose Monitoring > Events. The Events panel is displayed.
10. Verify that the Informational, Low, Medium, and High check boxes under Show Alert Events are checked.
11. Choose Show Past Events.
12. Specify that you want to see the events of the past 5 minutes.
13. Click View. The Event Viewer window opens.
14. Verify that two alerts were generated when you pinged your perimeter router this time.
Step 8

Complete the following substeps to configure an alert interval for signature 2004:

1. Verify that signature 2004 is selected in the Signature Configuration panel.
2. Click Edit. The Edit Signature window opens.
3. Click the Specify Alert Interval value and choose Yes from the drop-down menu.
4. Verify that 60 is displayed in the Alert Interval field.
5. Click OK. The Signature Configuration panel is displayed.
6. Click Apply.

Step 9

Complete the following substeps to test the alert interval:

1. From your student PC, ping your perimeter router, 172.16.P.1.
C:\>ping 172.16.P.1
(where P = pod number)
2. Choose Monitoring > Events. The Events panel is displayed.
3. Verify that the Informational, Low, Medium, and High check boxes under Show Alert Events are checked.
4. Choose Show Past Events.
5. Specify that you want to see the events of the past 5 minutes.
6. Click View. The Event Viewer window opens.
7. Verify that no alerts were generated when you pinged your perimeter router.
8. Wait at least 60 seconds.
9. Ping your perimeter router again two more times.
C:\>ping 172.16.P.1
(where P = pod number)
10. Click Refresh. The second round of pings should have generated one alert.
11. Wait at least 60 seconds.
12. From your student PC, ping your perimeter router again once.
C:\>ping 172.16.P.1
(where P = pod number)
13. Click Refresh. Verify that no alerts were generated by the ping.
Step 10

Complete the following substeps to tune the 2004 signature alert frequency parameters:

1. Verify that the 2004 signature is selected in the Signature Configuration panel.
2. Click Edit. The Edit Signature window opens.
3. Scroll down to the Alert Frequency parameters.
4. Choose Yes from the Specify Summary Threshold drop-down menu.
5. Click the Summary Threshold field.
6. Enter 6 in the Summary Threshold field.
7. Click the Summary Interval field.
8. Enter 60 in the Summary Interval field.
9. Click OK. The Signature Configuration panel is displayed.
10. Click Apply.

Step 11

Complete the following substeps to test the alert frequency parameters:

1. Open a Windows command prompt and start a continuous ping to your perimeter router:
C:\>ping 172.16.P.1 -t
(where P = pod number)
2. Choose Monitoring > Events. The Events panel is displayed.
3. Verify that the Informational, Low, Medium, and High check boxes under Show Alert Events are checked.
4. Choose Show Past Events.
5. Specify that you want to see the events of the past 5 minutes.
6. Click View. The Event Viewer window opens.
7. Verify that your sensor sends a summary alert to the Event Store by clicking Details.

Q1) On which ping alert was it found? _______________________

Q2) Why? _____________________________________________________________

Step 12

Stop the continuous ping.

Step 13

Complete the following substeps to configure a global summary threshold for signature 2004:

1. Verify that signature 2004 is selected in the Signature Configuration panel.
2. Click Edit. The Edit Signature window opens.
3. Scroll down to the Alert Frequency parameters.
4. Choose Yes from the Specify Global Summary Threshold drop-down menu.
5. Click the Global Summary Threshold field.
6. Enter 9 in the Global Summary Threshold field.
7. Click OK. The Signature Configuration panel is displayed.
8. Click Apply.

Step 14

Complete the following substeps to test the alert frequency parameters:

1. Open a Windows command prompt and start a continuous ping to your perimeter router:
C:\>ping 172.16.P.1 -t
(where P = pod number)
2. Choose Monitoring > Events. The Events panel is displayed.
3. Verify that the Informational, Low, Medium, and High check boxes under Show Alert Events are checked.
4. Choose Show Past Events.
5. Specify that you want to see the events of the past 5 minutes.
6. Click View. The Event Viewer window opens.
7. Verify that your sensor sends a global summary alert to the Event Store by clicking Details.

Q1) On which ping alert was it found? _______________________

Q2) Why? _____________________________________________________________

Step 15

Stop the continuous ping.

Step 16

Close the Windows Command Prompt window.

Activity Verification
You have completed this task when you attain these results:

Your sensor generates alerts for signature 2004 only when ICMP echo requests are from
your student PC.

Your sensor generates only one alert for the 2004 signature every 60 seconds.

After your sensor generates six alerts in 60 seconds for signature 2004, it automatically
begins summarizing the alerts for the specified address set.

After your sensor generates nine alerts in 60 seconds for signature 2004, it automatically
begins globally summarizing the alerts for that signature.
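The way the parameters tuned in this task interact can be replayed offline. The following is an added example, not part of the lab guide and not Cisco code: a simplified Python model of Specify Source IP Addresses, Event Count, Alert Interval, Summary Threshold with Summary Interval, and Global Summary Threshold for signature 2004, run over constructed ping sequences shaped like Steps 7, 9, 11 and 14. Pod number 1 is assumed for the addresses, and the semantics are taken from the lab text and parameter descriptions, not from the sensor's implementation.

```python
"""
Simplified model (added here; not Cisco code) of how the signature 2004
parameters tuned in this task interact: Specify Source IP Addresses,
Event Count, Alert Interval, Summary Threshold/Summary Interval and
Global Summary Threshold.  Times are in seconds.  The semantics follow
the lab text and parameter descriptions, not the sensor implementation.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class SigParams:
    source_ips: Optional[frozenset] = None          # None: fire on any source
    event_count: int = 1                            # events per attacker before an alert
    alert_interval: Optional[float] = None          # seconds until the event count resets
    summary_threshold: Optional[int] = None         # alerts per address set per interval
    global_summary_threshold: Optional[int] = None  # alerts per interval, all address sets
    summary_interval: float = 60.0


class SignatureModel:
    def __init__(self, params: SigParams):
        self.p = params
        self.counts = {}     # attacker -> (events counted, time the count started)
        self.alerts = []     # emitted alerts: (time, attacker, kind, count)
        self._new_interval(0.0)

    def _new_interval(self, t):
        self.interval_start = t
        self.per_addr = {}         # attacker -> regular alerts in this interval
        self.total = 0             # regular alerts in this interval, all attackers
        self.addr_suppressed = {}  # attacker -> alerts folded into its summary
        self.global_suppressed = 0

    def event(self, t, attacker):
        """Feed one ICMP echo request seen at time t from attacker."""
        if self.p.source_ips is not None and attacker not in self.p.source_ips:
            return                         # outside the Source IP Address Range
        n, start = self.counts.get(attacker, (0, t))
        if self.p.alert_interval is not None and t - start >= self.p.alert_interval:
            n, start = 0, t                # Alert Interval expired: count starts over
        n += 1
        if n < self.p.event_count:
            self.counts[attacker] = (n, start)
            return                         # Event Count not yet reached
        self.counts[attacker] = (0, start)
        self._alert(t, attacker)

    def _alert(self, t, attacker):
        if t - self.interval_start >= self.p.summary_interval:
            self.flush()                   # previous interval is over: send its summaries
            self._new_interval(t)
        gst, st = self.p.global_summary_threshold, self.p.summary_threshold
        if gst is not None and self.total >= gst:
            self.global_suppressed += 1    # global summary mode for the signature
        elif st is not None and self.per_addr.get(attacker, 0) >= st:
            self.addr_suppressed[attacker] = self.addr_suppressed.get(attacker, 0) + 1
        else:
            self.per_addr[attacker] = self.per_addr.get(attacker, 0) + 1
            self.total += 1
            self.alerts.append((t, attacker, "alert", 1))

    def flush(self):
        """Emit the summary alerts owed for the current summary interval."""
        end = self.interval_start + self.p.summary_interval
        folded = self.global_suppressed + sum(self.addr_suppressed.values())
        if self.global_suppressed:
            self.alerts.append((end, "*", "global-summary", folded))
        else:
            for a, n in sorted(self.addr_suppressed.items()):
                self.alerts.append((end, a, "summary", n))
        self.addr_suppressed, self.global_suppressed = {}, 0


def windows_ping(t0, src, n_pings=1, gap=5.0):
    """Constructed traffic: each Windows 'ping' sends four echo requests, 1 s apart."""
    return [(t0 + i * gap + j, src) for i in range(n_pings) for j in range(4)]


def run(params, events):
    """Replay (time, attacker) events through the model and return all alerts."""
    m = SignatureModel(params)
    for t, src in sorted(events):
        m.event(t, src)
    m.flush()
    return m.alerts


if __name__ == "__main__":
    pc = "10.0.1.12"                       # student PC, pod 1 assumed
    # Step 7: Event Count 6, one ping then three more -> 0 then 2 alerts
    print(run(SigParams(event_count=6), windows_ping(0, pc) + windows_ping(10, pc, 3)))
    # Step 9: Alert Interval 60 -> the lone ping after 60 s of silence never reaches 6
    print(run(SigParams(event_count=6, alert_interval=60),
              windows_ping(0, pc) + windows_ping(140, pc) + windows_ping(64, pc, 2)))
```

Changing the Summary Threshold or Global Summary Threshold values in SigParams and replaying the same ping sequences shows at which alert the model switches to summarizing, which is the question Steps 11 and 14 ask.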


Task 2: Restoring Default Signature Settings Using the Cisco IDM
This task involves restoring the default configuration to signature 2004, ICMP echo request.

Activity Procedure
Step 1

Complete the following substeps to restore the default settings to signature 2004:

1. Maximize the Cisco IDM window.
2. Choose the 2004 signature.
3. Click Restore Defaults. The Enabled column display changes from Yes to No.
4. Click Apply.

Step 2

Minimize the Cisco IDM window.

1. Open a Windows command prompt and ping your perimeter router:
C:\>ping 172.16.P.1
(where P = pod number)
2. Choose Monitoring > Events. The Events panel is displayed.
3. Verify that the Informational, Low, Medium, and High check boxes under Show Alert Events are checked.
4. Choose Show Past Events.
5. Specify that you want to see the events of the past 5 minutes.
6. Click View. The Event Viewer window opens.
7. Verify that your sensor sent no alert to the Event Store.

Q1) Why? ____________________________________________________________

Step 3

Close the Windows command window.

Activity Verification
You have completed this task when your sensor no longer generates alerts for signature 2004.


Task 3: Tuning the FTP Authorization Failure Signature


This task involves tuning the FTP authorization failure signature to behave as follows when it
detects unauthorized FTP login attempts:

Trigger a high-severity alarm

Generate one alert for each address set

Deny the connection inline

Activity Procedure
Step 1

Complete the following substeps to tune the FTP authorization failure signature:

1. In the Cisco IDM window, choose Configuration > Policies > Signature Definitions > sig0 > Signature Configuration. The Signature Configuration panel is displayed.
2. Choose Other Services from the Select By drop-down menu.
3. Choose FTP from the Select Service drop-down menu. The Service FTP signatures are displayed.
4. Use the scroll bar to locate signature 6250, FTP authorization failure.
5. Choose the signature.
6. Click Edit. The Edit Signature window opens.
7. Click the Alert Severity field.
8. Choose High from the Alert Severity drop-down menu.
9. If necessary, click the Engine icon to expand the String TCP engine-specific parameters.
10. Click the Event Action field.
11. Choose Deny Connection Inline and Produce Alert from the Event Action list.

Note

Hold down the Ctrl key while choosing Produce Alert from the Event Action list. Holding down the Ctrl key enables you to choose more than one action at a time.

12. Scroll down to the Alert Frequency parameters.
13. Click the Summary Mode field.
14. Choose Fire Once from the Summary Mode drop-down menu.
15. Click OK. The Edit Signature window closes, displaying the Signature Configuration panel.
16. Click Apply to save your changes.
Step 2

Complete the following substeps to test the parameters that you configured for the FTP authorization failure signature:

1. Open a Windows command prompt.
2. Establish an FTP session to the superserver.
c:\>ftp 172.26.26.50
Connected to 172.26.26.50.
220 2KQ Microsoft FTP Service (Version 5.0).
User (172.26.26.50:(none)):
3. Enter an invalid password three times as shown in the following example:
User (172.26.26.50:(none)): baduser
331 Password required for user.
Password: badpass
530 User administrator cannot log in.
Login failed.
ftp>
ftp> user baduser
331 Password required for user.
Password: badpass2
530 User administrator cannot log in.
Login failed.
ftp>
ftp> user baduser
331 Password required for user.
Password: badpass3
Connection closed by remote host.

Note

You may not see the Connection closed by remote host message immediately.

Step 3

Complete the following substeps to verify the configuration of the FTP authorization failure signature:

1. Choose Monitoring > Events. The Events panel is displayed.
2. Verify that the Informational, Low, Medium, and High check boxes under Show Alert Events are checked.
3. Choose Show Past Events.
4. Specify that you want to see the events of the past 5 minutes.
5. Click View. The Event Viewer window opens.
6. Locate the FTP Authorization Failure alert in the Event Store and click Details.
7. Verify that the severity is now High.
8. Verify that the packet was dropped.
9. Verify that the flow was denied.
10. Verify that only one alert was sent.
Step 4
Close the Windows Command Prompt window.

Activity Verification
You have completed this task when you attain these results:

Your sensor generates one high-severity alert each time that it detects three failed FTP
login attempts from a different student PC.

The sensor denies the FTP connection after any peer makes three unsuccessful attempts to
log into your FTP server.

Task 4: Testing the AIC HTTP Engine Signatures


This task involves enabling the sensor application policy enforcement feature and testing AIC
HTTP signatures.

Activity Procedure
Step 1

Open a web browser.

Step 2

Enter the IP address of the superserver in the Address field:
http://172.26.26.50

Step 3

When the default web page for the superserver is displayed, verify that it displays
the following:

The message Welcome to the SuperServer

Images of two Cisco devices

Two Cisco logo images

Step 4

Close the browser.

Step 5

Complete the following substeps to enable the sensor application policy enforcement feature:

1. In the Cisco IDM, choose Configuration > Policies > Signature Definitions > sig0 > Miscellaneous. The Miscellaneous panel is displayed.
2. If necessary, click the Application Policy icon to expand the Application Policy options.
3. If necessary, click the HTTP Policy icon to expand the HTTP Policy options.
4. Click the Enable HTTP field.
5. Choose Yes from the Enable HTTP drop-down menu.
6. Click Apply.
Step 6

Complete the following substeps to enable an AIC HTTP signature:

1. Choose Configuration > Policies > Signature Definitions > sig0 > Signature Configuration. The Signature Configuration panel is displayed.
2. Choose Engine from the Select By drop-down menu.
3. Choose AIC HTTP from the Select Engine drop-down menu. The AIC HTTP signatures are displayed.
4. Choose signature 12621, subsignature 0 (Content Type image/gif Header Check).
5. Click Edit. The Edit Signatures window opens.
6. If necessary, click the Engine icon to expand the engine-specific parameters for the AIC HTTP engine.
7. Examine the default settings for the signature. Do not change them. If you accidentally change a setting while examining it, click the corresponding icon. When the icon turns green, the setting is returned to the default.
8. Click Cancel. The Signature Configuration panel is displayed.
9. With the signature still selected, click Enable.
10. Click Apply.
Step 7

Complete the following substeps to test the signature:

1. Open a web browser.
2. Choose Tools > Internet Options. The Internet Options window opens.
3. Click Delete Cookies. The Delete Cookies window opens.
4. Click OK.
5. Click Delete Files. The Delete Files window opens.
6. Check the Delete All Offline Content check box.
7. Click OK.
8. Click Clear History. The Internet Options window opens.
9. Click Yes.
10. Click OK.
11. Close the browser window.
12. Reopen the browser window.
13. Access the default web page of the superserver by entering the following in the Address field:
http://172.26.26.50
14. When the default web page for the superserver is displayed, verify that it displays only the following. The Cisco logo images, which are .gif files, should not be displayed:

The message Welcome to the SuperServer

Images of two Cisco devices

15. Close the browser.
16. Choose Monitoring > Events to verify that your sensor generated an alert for signature 12621.
Step 8

Complete the following substeps to familiarize yourself with signature 12673, subsignature 0 (recognized content type):

1. Maximize the Cisco IDM window.
2. Return to the AIC HTTP signatures display in the Signature Configuration panel.
3. Choose signature 12673, subsignature 0 (recognized content type).
4. Click Edit. The Edit Signatures window opens.
5. If necessary, click the Engine icon to expand the engine-specific parameters for the AIC HTTP engine.
6. Examine the following parameters, but do not change their settings:

Event Action

Signature Type

Content Types

Enforce Accept Content Types

Recognized Content Types

7. Click Cancel. The Signature Configuration panel is displayed.


Step 9
Attempt to pull a bitmap image from the superserver by entering the following in a
browser window. The attempt should fail.
http://172.26.26.50/Bitmap.bmp
Step 10
Pull a JPEG image from the superserver by entering the following in a browser
window. The image should be displayed in your browser window.
http://172.26.26.50/NETSENSOR.jpg
Step 11
Choose Monitoring > Events to verify that the attempt to retrieve the .bmp image
triggered signature 12673.

Activity Verification
You have completed this task when your sensor denies .bmp files and generates an alert when a
.bmp file is requested via HTTP.

Task 5: Creating a Meta Event


This task involves using the sensor meta event generator for event correlation.

Activity Procedure
Complete these steps:
Step 1

Attack the superserver by entering the following in your browser:


http://172.26.26.50/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\

Step 2

Choose Monitoring > Events to verify that signatures 5081 and 5114 were generated.

Step 3

Complete the following substeps to create a custom meta signature that fires when
signatures 5081 and 5114 fire from the same attacker within 60 seconds:

1. Choose Configuration > Event Action Rules > rules0 > General Settings.
The General Settings panel is displayed.
2. Verify that the Use Meta Event Generator check box is checked.
3. Choose Configuration > Policies > Signature Definitions > sig0 > Signature Configuration. The Signature
Configuration panel is displayed.
4. Click Add. The Add Signature window opens.
5. Accept the default signature ID.
6. Accept the default subsignature ID.
7. Choose High from the Alert Severity drop-down menu.
8. Click the Sig Fidelity Rating field, and enter 95 in the Sig Fidelity Rating field.
9. If necessary, click the Sig Description icon to expand the Signature Description parameters.
10. Click the Signature Name field.
11. Enter NIMDA in the Signature Name field.
12. Choose Meta from the Engine drop-down menu.
13. Click the Event Action field.
14. Choose Deny Packet Inline and Produce Alert from the Event Action list.
Note

Hold down the Ctrl key while you choose the Deny Packet Inline and Produce Alert
actions from the Event Action list.

15. Click the Component List pencil field. The Component List window opens.
16. Click Add. The Add List Entry window opens.
17. Enter Sig1 in the Entry Key field.
18. Enter the signature ID for the first component signature, 5114, in the Component Sig ID field.
19. Click the Component SubSig ID field.
20. Enter 1, the subsignature ID for the first component signature, in the Component SubSig ID field.
21. Click OK. The entry key is displayed in the Inactive Entries list of the Component List window.
22. Choose Sig1 from the Inactive Entries list.
23. Click Active. The entry key moves to the selected entries list.
24. Click Add again. The Add List Entry window opens.
25. Enter Sig2 in the Entry Key field.
26. Enter the signature ID for the second component signature, 5081, in the Component Sig ID field.
27. Click OK. The entry key is displayed in the Inactive Entries list of the Component List window.
28. Choose Sig2 from the Inactive Entries list.
29. Click Active. The entry key moves to the selected entries list.
30. Click OK. The Add Signature window is displayed.
31. Click OK. The Signature Configuration panel is displayed.
32. Click Apply.
Step 4
Complete the following substeps to keep the sensor from generating alerts for the
component signatures:
1. Choose Sig ID from the Select By drop-down menu.
2. Enter 5114 in the Enter Sig ID field.
3. Click Find. The 5114 signatures are displayed in the Signature Configuration panel.
4. Choose signature 5114, sub-signature 1.
5. Click Actions. The Assign Actions window opens.
6. Deselect Produce Alert.
7. Click OK. The Signature Configuration panel is displayed.
8. Enter 5081 in the Enter Sig ID field.
9. Click Find. The 5081 signature is displayed in the Signature Configuration panel.
10. Choose the signature.
11. Click Actions. The Assign Actions window opens.
12. Uncheck the Produce Alert check box.
13. Click OK. The Signature Configuration panel is displayed.
14. Click Apply.
Step 5
Complete the following substeps to test your configuration:
1. Enter the following in your browser to attack the superserver:
http://172.26.26.50/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
2. Choose Monitoring > Events to verify that signatures 5081 and 5114 were not generated and that there was
an alert for the new NIMDA signature.

Activity Verification
You have completed this task when your sensor generates only one meta event when signature
5114, subsignature 1, and signature 5081 fire.
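The correlation the Meta engine performs in this task can be modelled directly. The following Python is an added example written for this guide, not Cisco code and not how the sensor is implemented internally: it replays a constructed alert stream and emits one NIMDA meta alert when signature 5114 (subsignature 1) and signature 5081 fire from the same attacker within 60 seconds. The Alert class, the META_SIGNATURE dictionary and the sample addresses (pod number 1 substituted for P) are assumptions made for the example.

```python
"""Meta-engine style correlation of component alerts (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    time: float       # seconds
    sig_id: int
    subsig_id: int
    attacker: str
    victim: str


# The meta signature built in Task 5: both component signatures, from the
# same attacker, within 60 seconds. Hypothetical field names; the sensor's
# internal representation is not on the page.
META_SIGNATURE = {
    "name": "NIMDA",
    "components": {(5114, 1), (5081, 0)},
    "key": "attacker",
    "window": 60.0,
}


def correlate(alerts, meta=META_SIGNATURE):
    """Return (meta_alerts, other_alerts).

    Component alerts are consumed by the correlator and never emitted on
    their own, mirroring Step 4 of the task where Produce Alert is removed
    from signatures 5114/1 and 5081.
    """
    components = meta["components"]
    window = meta["window"]
    partial = defaultdict(dict)   # attacker -> {component: time last seen}
    meta_alerts, other_alerts = [], []
    for a in sorted(alerts, key=lambda x: x.time):
        comp = (a.sig_id, a.subsig_id)
        if comp not in components:
            other_alerts.append(a)
            continue
        bucket = partial[getattr(a, meta["key"])]
        # Forget component hits that fell outside the correlation window.
        for stale in [c for c, t in bucket.items() if a.time - t > window]:
            del bucket[stale]
        bucket[comp] = a.time
        if set(bucket) == components:
            meta_alerts.append({
                "name": meta["name"],
                "attacker": a.attacker,
                "victim": a.victim,
                "time": a.time,
                "components": sorted(bucket),
            })
            bucket.clear()   # start a fresh correlation for this attacker
    return meta_alerts, other_alerts


# Constructed alert stream (pod number 1 substituted for P):
SAMPLE_ALERTS = [
    # One Unicode traversal request from the student PC: both components fire.
    Alert(0.0, 5114, 1, "10.0.1.12", "172.26.26.50"),
    Alert(0.2, 5081, 0, "10.0.1.12", "172.26.26.50"),
    # A different attacker triggers only one component: no meta event.
    Alert(5.0, 5081, 0, "10.0.2.12", "172.26.26.50"),
    # An unrelated alert passes through untouched.
    Alert(7.0, 2004, 0, "10.0.1.12", "172.26.26.50"),
    # Same attacker again, but the components are 70 s apart: no meta event.
    Alert(100.0, 5114, 1, "10.0.1.12", "172.26.26.50"),
    Alert(170.0, 5081, 0, "10.0.1.12", "172.26.26.50"),
]


def run_sample():
    return correlate(SAMPLE_ALERTS)


if __name__ == "__main__":
    metas, others = run_sample()
    for m in metas:
        print("META ", m)
    for o in others:
        print("ALERT", o)
```

Running the script prints exactly one META line; the second pair from 10.0.1.12 is dropped because the 5114 hit has aged out of the 60-second window by the time 5081 arrives, which is the same reason the sensor reports nothing for slow, spread-out probes.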

Task 6: Creating a Custom Signature by Specifying the Signature Engine
This task involves creating a custom signature that is triggered by SYN packets destined for
port 23.

Activity Procedure
Step 1

Complete the following substeps to create the custom signature:

1. Choose Configuration > Policies > Signature Definitions > sig0 > Custom Signature Wizard. The Custom
Signature Wizard panel is displayed.
2. Click Start the Wizard. The Welcome panel is displayed.
3. Click the Yes radio button.
4. Choose Atomic IP from the Select Engine drop-down menu.
5. Click Next. The Signature Identification panel is displayed.
6. Accept the default signature ID.
7. Accept the default subsignature ID.
8. Enter the name SYN23 in the Signature Name field.
9. Click Next. The Engine Specific Parameters panel is displayed.
10. Click the Event Action field.
11. Choose Deny Packet Inline in addition to Produce Alert from the Event Action list.
Note

Hold down the Ctrl key while you choose Produce Alert and Deny Packet Inline from the
Event Action list.

12. If necessary, click the Specify Layer 4 Protocol icon to expand the protocol parameters.
13. Choose Yes from the Specify Layer 4 Protocol drop-down menu.
14. Choose TCP Protocol from the Layer 4 Protocol drop-down menu.
15. Choose SYN from the TCP Flags list.
16. Choose Syn and Ack from the TCP mask list.
Note

Hold down the Ctrl key while you choose Syn and Ack from the TCP mask list.

17. Choose Yes from the Specify Destination Port Range drop-down menu.
18. Enter 23 in the Destination Port Range field.
19. Click Next. The Alert Response panel is displayed.
20. Enter 90 in the Signature Fidelity Rating field.
21. Choose High from the Severity of the Alert drop-down menu.
22. Click Next. The Alert Behavior panel is displayed.
23. Click Finish. The Create Custom Signature window opens.
24. Click Yes.
Step 2
Complete the following substeps to test the custom signature:
1. Open the Windows command line.
2. Send a SYN packet to your perimeter router by entering the following:
C:\>telnet 172.16.P.1
(where P = pod number)
Note

You should not be able to connect.

3. Choose Monitoring > Events to verify that you triggered your custom
signature.

Activity Verification
You have completed this task when sending a SYN packet to port 23 triggers your custom
signature.
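To make the TCP Flags and TCP Mask choice in Step 1 concrete, here is an added Python example (not Cisco code; the packet headers are constructed with struct) that applies the same rule the Atomic IP engine describes: only the bits in the mask are examined, and those bits must equal the configured flags. The SYN23 dictionary, the helper names and the port numbers are assumptions made for the example.

```python
"""Atomic IP style TCP flag/mask matching for the SYN23 signature (constructed example)."""
import struct

# TCP flag bits, in the layout of the flags byte of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# The signature as configured in Task 6. Hypothetical dictionary layout; in the
# wizard these are the TCP Flags, TCP Mask and Destination Port Range fields.
SYN23 = {
    "name": "SYN23",
    "tcp_flags": SYN,         # bits that must be set...
    "tcp_mask": SYN | ACK,    # ...among these examined bits (so ACK must be clear)
    "dst_ports": (23, 23),    # inclusive destination port range
}


def build_tcp_header(sport, dport, flags, seq=0, ack=0):
    """Build a minimal 20-byte TCP header (no options) for test traffic."""
    data_offset = 5 << 4    # 5 32-bit words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset, flags, 8192, 0, 0)


def parse_tcp_header(data):
    """Parse source port, destination port and flags from a raw TCP header."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, _off, flags, _win, _csum, _urg = \
        struct.unpack("!HHIIBBHHH", data[:20])
    return {"sport": sport, "dport": dport, "flags": flags}


def matches(sig, header):
    """Destination port must be in range and (flags & mask) must equal tcp_flags."""
    lo, hi = sig["dst_ports"]
    if not lo <= header["dport"] <= hi:
        return False
    return (header["flags"] & sig["tcp_mask"]) == sig["tcp_flags"]


def classify(raw_segments):
    """Return a True/False match result for each raw TCP header."""
    return [matches(SYN23, parse_tcp_header(seg)) for seg in raw_segments]


# Constructed traffic:
SAMPLES = [
    build_tcp_header(40000, 23, SYN),         # Telnet connection attempt: fires
    build_tcp_header(23, 40000, SYN | ACK),   # server's reply: wrong port and ACK set
    build_tcp_header(40001, 23, SYN | ACK),   # SYN-ACK toward port 23: ACK is in the mask, no match
    build_tcp_header(40002, 80, SYN),         # SYN to HTTP: outside the port range
    build_tcp_header(40003, 23, SYN | PSH),   # PSH is not in the mask, so this still fires
]

if __name__ == "__main__":
    for seg, hit in zip(SAMPLES, classify(SAMPLES)):
        h = parse_tcp_header(seg)
        print(f"{h['sport']}->{h['dport']} flags=0x{h['flags']:02x} match={hit}")
```

The third sample is the one worth remembering: because Ack was added to the mask, a SYN-ACK that happens to be addressed to port 23 does not match, whereas leaving Ack out of the mask would make the signature fire on both halves of a handshake.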

Task 7: Deleting a Custom Signature Using the Cisco IDM


This task involves deleting a custom signature.

Activity Procedure
Step 1

Choose Configuration > Policies > Signature Definitions > sig0 > Signature
Configuration. The Signature Configuration panel is displayed.

Step 2

Choose Sig Name from the Select By drop-down menu.

Step 3

Enter SYN23 in the Enter Sig Name field.

Step 4

Click Find. The SYN23 signature is displayed in the Signature Configuration panel.

Step 5

Choose the signature.

Step 6

Click Delete. The Delete Custom Signature window opens.

Step 7

Click Yes. The Signature Configuration panel is displayed.

Step 8

Click Apply.

Activity Verification
You have completed this task when the Apply button is grayed out, and the SYN23 signature is
no longer displayed in the Signature Configuration panel.

Task 8: Creating a Custom Signature Without Specifying the Signature Engine
This task involves creating a custom string match signature that fires when it detects the string
Confidential and initially sends an alert to the Event Store every time the signature fires. The
signature then limits the number of alerts by dynamically changing its response as follows:

Sends one summary alert when the alert rate exceeds two alerts in 60 seconds for the same
victim address

Sends one global summary alert if the alert rate exceeds four alerts in a 60-second interval

Activity Procedure
Step 1

Complete the following substeps to create the custom signature:

1. Choose Configuration > Policies > Signature Definitions > sig0 > Custom
Signature Wizard. The Custom Signature Wizard panel is displayed.
2. Click Start the Wizard. The Welcome panel is displayed.
3. Click the No radio button to create a custom signature without using a Signature Engine.
4. Click Next. The Protocol Type panel is displayed.
5. From the Protocol Type panel, choose TCP as the protocol to inspect.
6. Click Next. The TCP Traffic Type panel is displayed.
7. Click the Single TCP Connection radio button.
8. Click Next. The Service Type panel is displayed.
9. Click the Other radio button.
10. Click Next. The Signature Identification panel is displayed.
11. Accept the default signature ID.
12. Accept the default subsignature ID.
13. Enter the name Confidential in the Signature Name field.
14. Click Next. The Engine Specific Parameters panel is displayed.
15. Click the Event Action field.
16. Choose Deny Connection Inline and Produce Alert from the Event Action list.
Tip

Hold down the Ctrl key while you choose Deny Connection Inline and Produce Alert from
the Event Action list.

17. Enter [Cc][Oo][Nn][Ff][Ii][Dd][Ee][Nn][Tt][Ii][Aa][Ll] in the Regex String field.
18. Enter 23 in the Service Ports field.
19. Verify that To Service is displayed in the Direction field.
20. Click Next. The Alert Response panel is displayed.
21. Enter 90 in the Signature Fidelity Rating field.
22. Choose Medium from the Severity of the Alert drop-down menu.
23. Click Next. The Alert Behavior panel is displayed.
24. Click Advanced. The Event Count and Interval panel is displayed.
25. Verify that 1 is displayed in the Event Count field.
26. Choose Victim Address from the Event Count Key drop-down menu.
27. Click Next. The Alert Summarization panel is displayed.
28. Click the Alert Every Time the Signature Fires radio button.
29. Click Next. The Alert Dynamic Response panel is displayed.
30. Choose Victim Address from the Summary Key drop-down menu.
31. Check the Use Dynamic Summarization check box.
32. Enter 2 in the Summary Threshold field.
33. Enter 60 in the Summary Interval (seconds) field.
34. Check the Specify Global Summary Threshold check box.
35. Enter 4 in the Global Summary Threshold field.
36. Click Finish. The Alert Behavior panel is displayed.
37. Click Finish. The Create Custom Signature window opens.
38. Click Yes.
Step 2
Complete the following substeps to test the custom signature:
1. Open five Windows command prompt windows.
2. From one of the Windows command prompts, use Telnet to connect to IP
address 172.16.P.1:
C:\>telnet 172.16.P.1
(where P = pod number)
3. Enter confidential at the password prompt. The Telnet session should close because entering confidential
triggers the string match signature.
4. Repeat Substep 2 and Substep 3 from each of the Windows command prompts. When finished, you have
triggered your custom signature five times, from five different windows.
5. Choose Monitoring > Events to verify that your custom signature triggered the alerts as desired.

Activity Verification
You have completed this task when you attain these results:

When you use Telnet to connect to IP address 172.16.P.1 (where P = pod number), your custom
signature triggers an alert and denies the connection.

After the alert rate exceeds two alerts in 60 seconds for the same victim address, the sensor
begins summarizing alerts.

When the alert rate exceeds four alerts in the 60-second interval, the sensor begins global
summarization.
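The alert behaviour this task configures (Fire All, then per-victim summarization, then global summarization) is easy to misread, so the added Python below, an example written for this guide and not the sensor's own logic, replays five Telnet logins that type confidential against one victim. The regex is the page's own; DynamicSummarizer, its method names, the 10-second spacing and the pod number 1 substituted for P are assumptions, and the state machine is a simplified model of the sensor's summarization rather than a copy of it.

```python
"""String match plus dynamic alert summarization for the Confidential signature (constructed example)."""
import re
from collections import defaultdict, deque

# The regex from the wizard, used verbatim. Python's re module accepts the
# same character-class syntax, so no translation is needed.
CONFIDENTIAL_RE = re.compile(r"[Cc][Oo][Nn][Ff][Ii][Dd][Ee][Nn][Tt][Ii][Aa][Ll]")


def string_match(payload):
    """True when the TCP payload contains the Confidential pattern."""
    return CONFIDENTIAL_RE.search(payload) is not None


class DynamicSummarizer:
    """Simplified model of Fire All with dynamic summarization (hypothetical).

    Thresholds follow the lab: a per-victim summary once more than 2 alerts
    fall inside a 60 s interval, a global summary once more than 4 do
    regardless of key.
    """

    def __init__(self, summary_threshold=2, interval=60.0, global_threshold=4):
        self.summary_threshold = summary_threshold
        self.interval = interval
        self.global_threshold = global_threshold
        self.per_key = defaultdict(deque)   # summary key (victim) -> alert times
        self.all_times = deque()            # all alert times, for the global count
        self.key_summary_at = {}            # victim -> time of last summary sent
        self.global_summary_at = None

    def _expire(self, now):
        for q in list(self.per_key.values()) + [self.all_times]:
            while q and now - q[0] > self.interval:
                q.popleft()

    def fire(self, now, victim):
        """Record one signature hit; return the event sent to the Event Store, or None."""
        self._expire(now)
        self.per_key[victim].append(now)
        self.all_times.append(now)
        key_count = len(self.per_key[victim])
        global_count = len(self.all_times)

        if global_count > self.global_threshold:
            if self.global_summary_at is None or now - self.global_summary_at >= self.interval:
                self.global_summary_at = now
                return ("global-summary", "*", global_count)
            return None   # counted, but suppressed until the interval rolls over
        if key_count > self.summary_threshold:
            last = self.key_summary_at.get(victim)
            if last is None or now - last >= self.interval:
                self.key_summary_at[victim] = now
                return ("summary", victim, key_count)
            return None
        return ("alert", victim, 1)


def run_sample():
    """Five Telnet logins typing 'confidential' 10 s apart (pod 1 substituted for P)."""
    summarizer = DynamicSummarizer()
    events = []
    for i in range(5):
        if string_match("Password: confidential\r\n"):    # constructed payload
            ev = summarizer.fire(now=10.0 * i, victim="172.16.1.1")
            if ev is not None:
                events.append(ev)
    return events


if __name__ == "__main__":
    for e in run_sample():
        print(e)
```

The replay yields two individual alerts, one per-victim summary on the third hit, nothing on the fourth (it is counted but suppressed inside the interval) and a global summary on the fifth, which is the pattern the Activity Verification describes.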


Lab 4-1: Tune a Cisco IPS Sensor Using the Cisco IDM
Complete this lab activity to practice what you learned in the related lesson.

Activity Objective
In this activity, you will use the Cisco IDM to tune a sensor to work optimally in the network.
After completing this activity, you will be able to meet these objectives:

Download and view IP logs

Use the Cisco IDM to configure TVRs, signature severity, and fidelity ratings in order to
formulate an event risk rating

Use the Cisco IDM to create an event action override that adds a deny action to an inbound
packet with a risk rating over 90

Create event variables for inside and DMZ networks

Use the Cisco IDM to remove the Deny Packet Inline action for a signature originating in
the DMZ

Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 4-1: Tune a Cisco IPS Sensor Using Cisco IDM. Lab topology diagram: the Web/FTP superserver (172.26.26.50) behind the backbone router RBB; the 172.30.P.0 and 172.30.Q.0 links to the perimeter routers prP and prQ on the 172.16.P.0 and 172.16.Q.0 networks; sensorP and sensorQ; routerP and routerQ; the inside networks 10.0.P.0 and 10.0.Q.0 with the student PCs at 10.0.P.12 and 10.0.Q.12.]


Task 1: Download and View IP Logs


This task involves using Ethereal to view IP logs generated by a signature configured with a
logging action.

Activity Procedure
Step 1

Complete the following substeps to configure IP logging for the Nmap UDP Port
Sweep signature:

1. Choose Configuration > Signature Definitions > Signature Configuration >
sig0. The Signature Configuration panel is displayed.
2. Choose Sig ID from the Select By drop-down menu.
3. Enter 4003 in the Enter Sig ID field.
4. Click Find. The 4003 Nmap UDP Port Sweep signature is displayed in the Signature Configuration panel.
5. Choose the 4003 signature.
6. Click Actions. The Assign Actions window opens.
7. Choose Log Attacker Packets.
8. Click OK. The Signature Configuration panel is displayed.
9. Click Apply.
Step 2
Complete the following substeps to generate additional alerts:
1. Open the IPSfiles folder on your desktop.
2. Double-click BluesPortScan.exe. The Blues Port Scanner window opens.
3. Enter 172.26.26.50, the IP address of the superserver, in the Start field.
4. Verify that TCP is selected from the protocol list.
5. Deselect Anti Flood and Ping Check if necessary.
6. Click Start Scan.
7. After 10 seconds, click Abort to stop the scan.
Step 3
Complete the following substeps to view the new alert for the 4003 signature:
1. Choose Monitoring > Events in the Cisco IDM window. The Events panel is
displayed.
2. Click View. The Event Viewer window opens.
3. Click Refresh.
4. Choose the latest Nmap UDP Port Sweep entry.
5. Click Details. The Details For window opens. You should see the following in the alert:
actions:
ipLoggingActivated: true
logAttackerPacketsActivated: true
ipLogIds:
ipLogId: 1
Step 4

Complete the following substeps to download the IP log generated by signature
4003:

1. Choose Monitoring > IP Logging. The IP Logging panel is displayed.
2. Click Refresh. The Log ID 1 and the IP address of your peer student PC are displayed.
3. When the Status column displays the word completed, click Download. The Save As window opens.
4. Save the IP log to the following destination as IPLog1:
C:\Program Files\Ethereal
Step 5

Complete the following substeps to view the IP log:

1. From your student PC, choose Start > Programs > Ethereal > Ethereal. The Ethereal Network Analyzer
window opens.
2. Choose File > Open. The Ethereal: Open Capture File window opens.
3. Choose C:\Program Files\Ethereal from the drop-down menu.
4. Choose IPLog1 from the files list.
5. Click OK. The IP log is displayed in the IPLog1 Ethereal window.
6. Remove the Log Attacker Packets action from signature 4003.

Activity Verification
You have completed this task when the IP log generated by the firing of signature 4003 is
displayed in the IPLog1 Ethereal window.

Task 2: Modifying the Risk Rating of an Event


This task involves creating TVRs and modifying a signature alert severity and fidelity rating to
formulate an event risk rating.

Activity Procedure
Step 1

Complete the following substeps to prepare signature 2004 to be used as the test
signature for this lab exercise:

1. Choose Configuration > Policies > Signature Definitions > sig0 > Signature
Configuration. The Signature Configuration panel is displayed.
2. Choose Sig ID from the Select By drop-down menu.
3. Enter 2004 in the Enter Sig ID field.
4. Click Find. The 2004 signature, ICMP Echo Reply, is displayed in the Signature Configuration panel.
5. Choose the signature.
6. Click Edit. The Edit Signature window opens.
7. If necessary, click the Alert Frequency field to expand the Alert Frequency parameters.
8. Click the Summary Mode field.
9. Choose Fire All from the Summary Mode drop-down menu.
10. If necessary, click the Status field to expand the Status parameters.
11. Click the Enabled field.
12. Choose Yes from the Enabled drop-down menu.
13. Click OK. The Signature Configuration panel is displayed.
14. Click Apply.
Step 2
Complete the following substeps to examine the risk ratings for alerts generated by
signature 2004:
1. Open a Windows command prompt and ping the superserver:
C:\>ping 172.26.26.50
Step 3
Now ping your perimeter router:
C:\>ping 172.16.P.1
Step 4
Choose Monitoring > Events to display the events.

What is the risk rating?______________


Step 5
Complete the following substeps to modify the risk ratings of the ping events by
tuning the signature severity level:
1. Choose Configuration > Policies > Signature Definitions > sig0 > Signature
Configuration. The Signature Configuration panel is displayed.
2. Verify that signature 2004 is selected in the Signature Configuration panel.
3. Click Edit. The Edit Signature window opens.
4. Choose Low from the Alert Severity drop-down menu.
5. Click OK. The Signature Configuration panel is displayed.
6. Click Apply.
Step 6
Open a Windows command prompt and ping the superserver:
C:\>ping 172.26.26.50
Step 7
Now ping your perimeter router:
C:\>ping 172.16.P.1
Step 8
Choose Monitoring > Events to display the events.

What is the risk rating now?______________

Step 9

Complete the following substeps to modify the risk rating of the ping events by
tuning the signature fidelity rating:

1. Choose Configuration > Policies > Signature Definitions > sig0 > Signature
Configuration. The Signature Configuration panel is displayed.
2. Verify that signature 2004 is selected in the Signature Configuration panel.
3. Click Edit. The Edit Signature window opens.
4. Click the Sig Fidelity Rating field.
5. Enter 90 in the Sig Fidelity Rating field.
6. Click OK. The Signature Configuration panel is displayed.
7. Click Apply.
Step 10
Open a Windows command prompt and ping the superserver:
C:\>ping 172.26.26.50
Step 11
Now ping your perimeter router:
C:\>ping 172.16.P.1
Step 12
Choose Monitoring > Events to display the events.

What is the risk rating now?______________

Step 13

Complete the following substeps to modify the risk ratings by creating target value
ratings:
1. Choose Configuration > Policies > Event Action Rules > rules0 > Event
Action Overrides. The Event Action Overrides panel is displayed.
2. Clear the Use Event Action Overrides check box.
3. Click Apply.
4. Now choose Target Value Rating. The Target Value Rating panel is displayed.
5. Click Add. The Add Target Value Rating window opens.
6. Choose Mission Critical from the Target Value Rating (TVR) drop-down
menu.
7. Highlight and then delete 0.0.0.0-255.255.255.255 from the Target IP
Address(es) field.
8. Enter 172.26.26.50, the IP address of the superserver, in the Target IP
Address(es) field.
9. Enter 10.0.P.12, the IP address of your student PC, in the Target IP Address(es)
field.
10. Click OK. The TVR for your student PC and superserver is displayed in the
Target Value Rating panel.
11. Click Apply.
12. Click Add again. The Add Target Value Rating window opens.
13. Choose Low from the Target Value Rating (TVR) drop-down menu.
14. Highlight and then delete 0.0.0.0-255.255.255.255 from the Target IP
Address(es) field.
15. Enter 172.16.P.1, the IP address of your perimeter router, in the Target IP
Address(es) field.
16. Click OK. The Target Value Rating panel is displayed.
17. Click Apply.

Step 14

Open a Windows command prompt and ping the superserver:
C:\>ping 172.26.26.50

Step 15

Now ping your perimeter router:
C:\>ping 172.16.P.1

Step 16

Choose Monitoring > Events to display the events.

What is the risk rating now for the superserver?______________
What is the risk rating now for the perimeter router?____________

Activity Verification
You have completed this task when you attain these results:

The risk rating for the event generated when you ping the superserver is 100.

The risk rating for the event generated when you ping your peer pod student PC is 43.
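The blanks in Steps 4, 8, 12 and 16 ask you to watch the risk rating move as each knob is turned. The following added Python (not Cisco code) computes it from the formula Cisco publishes for its IPS sensors, RR = ASR x TVR x SFR / 10000, using the numeric weights for each alert severity and target value rating; the page itself does not list those weights. The starting severity and fidelity in tuning_walkthrough() are constructed, the attack_relevance parameter is an assumption added to show the IPS 6.0 adjustment, and integer truncation is assumed, so the values illustrate the direction of each change rather than reproduce the answer key.

```python
"""Risk rating arithmetic for the tuning sequence in Task 2 (constructed example)."""

# Weights from Cisco's published risk rating formula: RR = ASR * TVR * SFR / 10000.
ALERT_SEVERITY_RATING = {"informational": 25, "low": 50, "medium": 75, "high": 100}
TARGET_VALUE_RATING = {"zero": 50, "low": 75, "medium": 100,
                       "high": 150, "mission critical": 200}


def risk_rating(severity, fidelity, tvr="medium", attack_relevance=0):
    """Return the integer risk rating, clamped to 0..100.

    tvr defaults to Medium, the sensor's default for addresses with no TVR
    entry. attack_relevance models the IPS 6.0 attack relevance adjustment
    (+10, 0 or -10) and is 0 by default so the base product alone shows.
    Integer truncation of the product is an assumption made here.
    """
    if not 0 <= fidelity <= 100:
        raise ValueError("signature fidelity rating must be 0..100")
    asr = ALERT_SEVERITY_RATING[severity.lower()]
    tvr_value = TARGET_VALUE_RATING[tvr.lower()]
    rr = asr * tvr_value * fidelity / 10000 + attack_relevance
    return max(0, min(100, int(rr)))


def tuning_walkthrough():
    """Replay the knobs the task turns from a constructed starting point.

    Returns a list of (label, rr_superserver, rr_perimeter_router).
    """
    steps = []
    # Constructed baseline: severity Medium, fidelity 75, both targets at the default TVR.
    steps.append(("baseline", risk_rating("medium", 75), risk_rating("medium", 75)))
    # Step 5: alert severity lowered to Low.
    steps.append(("severity Low", risk_rating("low", 75), risk_rating("low", 75)))
    # Step 9: signature fidelity raised to 90.
    steps.append(("fidelity 90", risk_rating("low", 90), risk_rating("low", 90)))
    # Step 13: superserver rated Mission Critical, perimeter router rated Low.
    steps.append(("TVRs applied",
                  risk_rating("low", 90, "mission critical"),
                  risk_rating("low", 90, "low")))
    return steps


if __name__ == "__main__":
    for label, rr_ss, rr_pr in tuning_walkthrough():
        print(f"{label:14s} superserver={rr_ss:3d} perimeter router={rr_pr:3d}")
```

Until Step 13 both targets carry the same rating because severity and fidelity are properties of the signature, not of the target; only the TVR pulls the two apart, which is why Task 3's override on risk rating can treat the superserver and the perimeter router differently for the same signature.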

Task 3: Configuring an Event Action Override


This task involves creating an event action override that adds the Deny Packet Inline action to
any event whose risk rating is 90 or above.

Activity Procedure
Step 1

Complete the following substeps to create the event action override:

1. Choose Configuration > Policies > Event Action Rules > rules0 > Event
Action Overrides. The Event Action Overrides panel is displayed.
2. Verify that the Use Event Action Overrides check box is checked.
3. Choose the Event Action labeled Deny Packet Inline.
4. Click Edit. The Add Event Action Override window opens.
5. Verify that the Enabled: Yes radio button is selected.
6. Enter 80 in the Risk Rating: Minimum field.
7. Verify that 100 is displayed in the Risk Rating: Maximum field.
8. Click OK. The event action override is displayed in the Event Action Overrides panel.
9. Click Add. The Add Event Action Override window opens.
10. Choose Produce Verbose Alert from the Event Action drop-down menu.
11. Verify that the Enabled: Yes radio button is selected.
12. Enter 80 in the Risk Rating: Minimum field.
13. Verify that 100 is displayed in the Risk Rating: Maximum field.
14. Click OK. The event action override is displayed in the Event Action Overrides panel.
15. Click Apply.
Step 2
Complete the following substeps to test the event action overrides:
1. Open a Windows command prompt and ping the superserver. The pings should
fail:
C:\>ping 172.26.26.50
Step 3
Now ping the perimeter router:
C:\>ping 172.16.P.1
Step 4
Choose Monitoring > Events to view the risk rating for the events.


Activity Verification
You have completed this task when you attain these results:

When you ping your peer PC, your sensor generates an alert.

When you ping the superserver, your sensor denies the packet and generates a verbose
alert.

Task 4: Creating Event Variables


This task involves creating event variables for your inside and DMZ networks.

Activity Procedure
Step 1

Maximize the Cisco IDM window.

Step 2

Choose Configuration > Policies > Event Action Rules > rules0 > Event
Variables. The Event Variables panel is displayed.

Step 3

Click Add. The Add Event Variable window opens.

Step 4

Enter DMZ in the Name field.

Step 5

Enter 172.16.P.0-172.16.P.255 in the Value field.

(where P = pod number)


Step 6
Click OK. The event variable is displayed in the Event Variables panel.
Step 7

Click Add again. The Add Event Variable window opens.

Step 8

Enter IN in the Name field.

Step 9

Enter 10.0.P.0-10.0.P.255 in the Value field.

(where P = pod number)


Step 10
Click OK. The event variable is displayed in the Event Variables panel.
Step 11

Click Apply.

Step 12

Complete the following substeps to generate additional alerts:

1. Open the IPSfiles folder on your desktop.
2. Double-click BluesPortScan.exe. The Blues Port Scanner window opens.
3. Enter 172.26.26.50, the IP address of the superserver, in the Start field.
4. Verify that TCP is selected from the protocol list.
5. Deselect Anti Flood and Ping Check if necessary.
6. Click Start Scan.
7. From your student PC, use Telnet to connect to your perimeter router:
C:\>telnet 172.16.P.1
(where P = pod number)
8. Log into the perimeter router with the username cisco and the password cisco.
9. Enter enable mode:
prP>en
Password:
(where P = pod number)
10. Log into enable mode with the password cisco.
Password: cisco
prP#
(where P = pod number)
11. From your perimeter router, ping your student PC. The ping should fail:
prP#ping 10.0.P.12
(where P = pod number)
12. Minimize the Windows Command Prompt window.
Step 13
Choose Monitoring > Events to verify that the alerts indicate IN, OUT, and
DMZ in the locality value as desired.

Activity Verification
You have completed this task when the event variables DMZ and IN are displayed in the Event
Variables panel.

Task 5: Configuring an Event Action Filter


This task involves creating an event action filter that removes the Deny Packet Inline action for
signature 2004 if the ping originates from your DMZ network. The event action filter will use
the event variable that you created in Task 4.

Activity Procedure
Step 1

Complete the following substeps to verify that your event action override adds the
Deny Packet Inline action to any event with a risk rating over 80:
1. Open a Windows command prompt and ping the superserver. The pings should
fail:
C:\>ping 172.26.26.50

2. From your student PC, use Telnet to connect to your perimeter router:
C:\>telnet 172.16.P.1

(where P = pod number)


3. Log into the perimeter router with the username cisco and the password cisco.
4. Enter enable mode:
prP>en
Password:

(where P = pod number)


5. Log into enable mode with the password cisco.
Password: cisco
prP#

(where P = pod number)


6. From your perimeter router, ping your student PC. The ping should fail:
prP#ping 10.0.P.12

(where P = pod number)


7. Choose Monitoring > Events. You should see multiple alerts from the pings
just completed.
Note

Notice that the event variables you created in Task 3 are now used in the alerts to describe
the locality of the attacker and target.


Step 2

Complete the following substeps to create an event action filter that removes the
Deny Packet Inline action if the ping originates from the 172.16.P.0 (DMZ)
network:

1. Choose Configuration > Policies > Event Action Rules > rules0 > Event
Action Filters. The Event Action Filters panel is displayed.
2. Verify that the Use Event Action Filters check box is checked.
3. Click Add. The Add Event Action Filter window opens.
4. Highlight and delete the Name field.
5. Enter PermitDMZ in the Name field.
6. Highlight and delete 900-65535 from the Signature ID text box.
7. Enter 2004 in the Signature ID field.
8. Highlight and delete 0.0.0.0-255.255.255.255 from the Attacker Address field.
9. Enter $DMZ in the Attacker Address field.
10. Choose Deny Packet Inline from the actions to subtract list.
11. Click OK. The filter is displayed in the Event Action Filters panel.
12. Click Apply.
Step 3
Complete the following substeps to test the event action filter:
1. Ping your student PC from your perimeter router again. The ping should
succeed:
prP#ping 10.0.P.12
(where P = pod number)
2. From your student PC, ping the SuperServer. The ping should fail:
C:\>ping 172.26.26.50
3. From your perimeter router, ping your student PC. The ping should succeed:
prP#ping 10.0.P.12
(where P = pod number)
4. Choose Monitoring > Events to verify that, when you executed a ping to your student PC from your
perimeter router, the event action override added the Produce Verbose Alert action to the signature but did
not add the Deny Packet Inline action.
5. Close all open windows.

Activity Verification
You have completed this task when you attain these results:

The sensor generates a verbose alert when it detects an ICMP echo request originating from
the 172.16.P.0 network and destined for a target with a risk rating over 79.

The sensor generates a verbose alert and denies the packet inline when it detects an ICMP
echo request originating from anywhere except the 172.16.P.0 network and destined for a
target with a risk rating over 79.

The sensor generates an alert when it detects an ICMP echo request originating anywhere
and destined for a target with a risk rating lower than 80.
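The following Python model is an added example and is not code from the Cisco lab guide or from the sensor itself. It reproduces the rule set built in this lab (the two overrides that apply for risk ratings 80-100, the $DMZ event variable, and the PermitDMZ filter that subtracts Deny Packet Inline for signature 2004) so that the three verification results above can be checked offline. The pod number (1), the base action produce-alert, and the order "overrides first, then filters" are assumptions.

```python
"""Model of Cisco IPS event action processing for signature 2004 (ICMP echo request).

Added example (not from the lab guide): overrides add actions by risk rating,
then event action filters subtract actions for matching signature/attacker.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

POD = 1  # assumed pod number; the lab writes it as P

# Event variables created in Task 3 of the lab (pod 1 assumed)
EVENT_VARIABLES = {
    "DMZ": ip_network(f"172.16.{POD}.0/24"),
    "IN": ip_network(f"10.0.{POD}.0/24"),
}


@dataclass(frozen=True)
class Override:
    """Adds an action when the event's risk rating falls inside [rr_min, rr_max]."""
    action: str
    rr_min: int
    rr_max: int


@dataclass(frozen=True)
class Filter:
    """Subtracts actions when signature ID and attacker address both match."""
    name: str
    signature_ids: frozenset
    attacker_range: str          # literal "a.b.c.d-w.x.y.z" or "$VARIABLE"
    actions_to_remove: frozenset


# Overrides as configured in this lab (risk rating 80-100)
OVERRIDES = (
    Override("deny-packet-inline", 80, 100),
    Override("produce-verbose-alert", 80, 100),
)
# The PermitDMZ filter built in Step 2 of this task
FILTERS = (
    Filter("PermitDMZ", frozenset({2004}), "$DMZ", frozenset({"deny-packet-inline"})),
)


def attacker_matches(spec, addr):
    """Return True if addr falls inside a literal range or a $VARIABLE network."""
    if spec.startswith("$"):
        return addr in EVENT_VARIABLES[spec[1:]]
    parts = spec.split("-")
    lo, hi = ip_address(parts[0]), ip_address(parts[-1])
    return lo <= addr <= hi


def event_actions(sig_id, attacker, risk_rating, base_actions=("produce-alert",)):
    """Compute the final action set for one event."""
    actions = set(base_actions)
    # 1. Event action overrides add actions when the risk rating is in range.
    for o in OVERRIDES:
        if o.rr_min <= risk_rating <= o.rr_max:
            actions.add(o.action)
    # 2. Event action filters subtract actions for matching signature and attacker.
    atk = ip_address(attacker)
    for f in FILTERS:
        if sig_id in f.signature_ids and attacker_matches(f.attacker_range, atk):
            actions -= f.actions_to_remove
    return frozenset(actions)


def verification_matrix():
    """The three outcomes listed under Activity Verification (risk ratings assumed)."""
    return {
        "dmz_high": event_actions(2004, f"172.16.{POD}.1", 85),    # perimeter router
        "other_high": event_actions(2004, f"10.0.{POD}.12", 85),   # student PC
        "any_low": event_actions(2004, f"10.0.{POD}.12", 50),
    }


if __name__ == "__main__":
    for case, acts in verification_matrix().items():
        print(case, sorted(acts))
```

Filter order matters on the real sensor (the configuration later in this guide moves PermitDMZ to the beginning of the filter list); this model applies every filter unconditionally and does not implement the stop-on-match flag.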


Lab 4-2: Monitor and Manage Alarms


Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will install, configure, and test Cisco IEV. After completing this activity,
you will be able to meet these objectives:

Install Cisco IEV on a Microsoft Windows 2000 Server

Log into Cisco IEV and add the sensor as an authorized device

Launch several different attacks against the superserver

Customize Cisco IEV for the viewing of events

Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 4-2: Monitor and Manage Alarms. Network diagram: superserver (Web/FTP) 172.26.26.50, RBB on 172.26.26.0, perimeter routers prP and prQ (172.30.P.0, 172.16.P.0, 172.30.Q.0, 172.16.Q.0), sensorP and sensorQ (.4), routerP and routerQ, RTS, student PCs 10.0.P.12 and 10.0.Q.12.]

Task 1: Installing Cisco IEV


This task involves installing Cisco IEV on the student PC.

Activity Procedure
To install Cisco IEV, follow these steps:


Step 1

Open the IPSfiles folder on the desktop.

Step 2

Locate and double-click the IEV-min-5.2-1.exe file to start the installation wizard.


Step 3

Click Next to proceed with installation.

Step 4

To accept the default location for the Cisco IEV files, click Next.

Step 5

Click Next.

Step 6

Click Next.

Step 7

Click Next.

Step 8

Click Finish to complete installation.

Step 9

You must reboot your student PC to complete the Cisco IEV installation. Click OK
to reboot the host.

Activity Verification
You have completed this task when Cisco IEV is installed and the student PC has been
rebooted.

Task 2: Configuring Cisco IEV


This task involves configuring Cisco IEV to work with the Cisco IPS 4200 Series Sensor.

Activity Procedure
Step 1

To add a sensor to Cisco IEV, follow these substeps:

1. Choose Start > Program Files > Cisco Systems > Cisco IPS Viewer > Cisco IPS Viewer to open Cisco IEV.
2. Choose File > New > Device.
3. In the Sensor IP Address field, enter the IP address of your sensor, 10.0.P.4 (where P = pod number).
4. In the Sensor Name field, enter sensorP (where P = pod number).
5. In the User Name field, enter cisco.
6. In the Password field, enter iattacku2.
7. Click OK to apply your changes and close the Device Properties dialog box.
8. Click Yes to accept the certificate.

The sensor now has a red dot next to it, signifying that it is connected.
Note

If Cisco IEV cannot connect to the sensor, a red X appears next to the device name to
indicate that no connection is present. Cisco IEV continues trying to connect to the sensor
every 20 seconds until a connection is established or until you delete the device from Cisco
IEV.

Activity Verification
You have completed this task when your Cisco IPS 4200 Series Sensor has been added to Cisco
IEV and has a red dot next to it.

Task 3: Attacking the Superserver


In this task, you will trigger a number of events.

Activity Procedure
Complete these steps:

Step 1

Choose Start > Program Files > Cisco Systems > Cisco IPS Viewer > Cisco IPS
Viewer to open Cisco IEV. Choose Tools > Realtime Dashboard > Launch
Dashboard.

Step 2

Create alarms by completing the following substeps:

1. Open the IPSfiles folder on your desktop.
2. Double-click BluesPortScan.exe. The Blues Port Scanner window opens.
3. Enter 172.26.26.50 in the Start field.
4. Verify that TCP is selected from the protocol list.

Step 3

Deselect Anti Flood and Ping Check if necessary.

Step 4

Click Start Scan.

Step 5

Return to the Realtime Dashboard and observe the results.

Activity Verification
You have completed this task when you attain these results:

You have scanned the superserver and peer pod student PC with Blues Port Scanner.

The generated alarms have been observed in the Realtime Dashboard.

Task 4: Viewing Events in Cisco IEV


This task will view the events created by the scan of the superserver.

Activity Procedure
Complete these steps:
Step 1

To add a filter to Cisco IEV, follow these substeps:

1. Choose Start > Program Files > Cisco Systems > Cisco IPS Viewer > Cisco IPS Viewer to open Cisco IEV.
2. Choose File > New > Filter.
3. Enter My High Filter in the Filter Name field.
4. Check the By Severity check box and exclude severity levels by checking the Informational, Low, and Medium check boxes.
5. Click OK to save the filter.

Step 2

To create a view in Cisco IEV, follow these substeps:

1. Choose File > New > View.
2. Enter My High View in the View Name field.
3. Click Use Filter and then choose My High Filter from the drop-down list.
4. Click the Group by Signature Name radio button.
5. In the Column Secondary Sort Order (Initially) field, choose Destination Address Count from the drop-down list.
6. Click Next to see what additional columns are available to be used in this view.
7. Click Finished.
Step 3

Create alarms by completing the following substeps:

1. Open the IPSfiles folder on your desktop.
2. Double-click BluesPortScan.exe. The Blues Port Scanner window opens.
3. Enter 172.26.26.50 in the Start field.
4. Verify that UDP is selected from the protocol list.
5. Deselect Anti Flood and Ping Check if necessary.
6. Click Start Scan.

Step 4

View recent high-level events by completing the following substeps:

1. Click the View tab in the lower left-hand corner.
2. Double-click My High View.

Step 5

Examine the details of several alarms.

Step 6

View the top alerts by clicking the Reports tab, and then clicking Top Alerts and
Generate Report.

Step 7

View the top attackers by double-clicking Top Attackers and Generate Report.

Step 8

View the top victims by double-clicking Top Victims and Generate Report.

Activity Verification
You have completed this task when you attain these results:

You have created a filter that only displays high-level events.

You have created a view to display the high-level events.

You have viewed high-level events.

You have generated Top Alerts, Top Attackers, and Top Victims reports.


Lab 4-3: Configure a Virtual Sensor (Optional)


Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will create, configure, and delete a virtual sensor. After completing this
activity, you will be able to meet these objectives:

Add a second virtual sensor to the configuration

Configure the virtual sensor, including being able to add an inline interface pair to the
virtual sensor

Delete the new virtual sensor

Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 4-3: Configure a Virtual Sensor (Optional). Network diagram: superserver (Web/FTP) 172.26.26.50, RBB on 172.26.26.0, perimeter routers prP and prQ (172.30.P.0, 172.16.P.0, 172.30.Q.0, 172.16.Q.0), sensorP and sensorQ (.4), routerP and routerQ, RTS, student PCs 10.0.P.12 and 10.0.Q.12.]

Task 1: Preparing to Create a Virtual Sensor


This task will involve the preparatory items that must be created before adding an additional
virtual sensor.

Activity Procedure
Complete these steps:
Step 1

To create an inline VLAN pair of interfaces, complete the following substeps:

1. Choose Configuration > Interface Configuration > Interfaces.
2. Choose G0/2.
3. Click Enable.
4. Click Apply.
5. Choose Configuration > Interface Configuration > VLAN Pairs.
6. Click Add to add inline VLAN pairs.
7. Choose G0/2 from the Interface Name list.
8. Enter subinterface 1 for the inline VLAN pair in the Subinterface Number field.
9. Enter 10 in the VLAN A field.
10. Enter 20 in the VLAN B field.
11. If you want, add a description of the inline VLAN pair in the Description field.
12. Click OK.
13. Click Apply.
Step 2

To create a signature policy, follow these substeps:

1. Log into the Cisco IDM using an account with administrator or operator privileges.
2. Choose Configuration > Policies > Signature Definitions.
3. To add a signature definition policy, click Add.
4. In the Policy Name field, enter Windows for the signature definition policy name.
5. Click OK.

Step 3

To edit the Windows signature definition, complete the following substeps:

1. Expand Signature Definitions so that you see sig0 and Windows.
2. Choose Windows.
3. In the Select By drop-down box, choose OS.
4. Confirm that AIX is the chosen OS.
5. Click Select All.
6. Click Disable.
7. Repeat Substep 4 through Substep 6 for all operating systems that are not some form of Windows. Leave the General OS signatures enabled.

Step 4

To add an event rule policy, follow these substeps:

1. Choose Configuration > Policies > Event Action Rules.
2. Click Add.
3. Enter Windows in the Policy Name field.
4. Click OK.

Step 5

To edit the Windows event rule policy, complete the following substeps:

1. Expand Event Action Rules so that you see rules0 and Windows.
2. Choose Windows.
3. Choose the General Settings tab.
4. Set the Deny Attacker Duration parameter to 7200 seconds.
5. Adjust the Maximum Denied Attackers field to 1000.
6. Click Apply.

Activity Verification
You have completed this task when you attain these results:

You have created an inline VLAN pair on interface G0/2.

You have created a new signature definition policy and disabled all non-Windows
signatures.

You have created a new event rule policy with a modified timeout for denied attackers and
maximum number of denied attackers.

Task 2: Configuring Virtual Sensor Settings


In this task, all of the preliminary steps will come together as a new virtual sensor is created.

Activity Procedure
Complete these steps:
Step 1

Choose Configuration > Analysis Engine > Virtual Sensors.

Step 2

Click Add.

Step 3

Enter WindowsSensor in the Virtual Sensor Name field.

Step 4

Choose Windows from the Signature Definition Policy drop-down list.

Step 5

Choose Windows from the Event Action Rules Policy drop-down list.

Step 6

Choose the inline VLAN pair from Available Interfaces window and click Assign.

Step 7

Click OK.

Step 8

Click Apply.

Activity Verification
You have completed this task when the virtual sensor WindowsSensor has been configured
with the inline VLAN pair, signature policy, and the event rule policy created in Task 1.

Task 3: Deleting a Virtual Sensor


In this task, you will remove the virtual sensor that you created in Task 2.

Activity Procedure
Complete these steps:
Step 1

Choose Configuration > Analysis Engine > Virtual Sensors.

Step 2

Choose WindowsSensor in the Virtual Sensors field.

Step 3

Click Delete.

Step 4

Click Apply.

Activity Verification
You have completed this task when the virtual sensor WindowsSensor has been removed from
your sensor.


Lab 4-4: Configure Anomaly Detection and POSFP

Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will install advanced features of a Cisco IPS sensor, including anomaly
detection, and POSFP. After completing this activity, you will be able to meet these objectives:

Configure global anomaly detection

Put a sensor into learning mode

Generate and view normal traffic

Simulate worm traffic

Configure POSFP

Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 4-4: Configure Anomaly Detection and POSFP. Network diagram: superserver (Web/FTP) 172.26.26.50, RBB on 172.26.26.0, perimeter routers prP and prQ (172.30.P.0, 172.16.P.0, 172.30.Q.0, 172.16.Q.0), sensorP and sensorQ (.4), routerP and routerQ, RTS, student PCs 10.0.P.12 and 10.0.Q.12.]

Task 1: Configuring Global Anomaly Detection Parameters


In this task, you will configure anomaly detection.

Activity Procedure
Complete these steps:


Step 1

Reset signature 2004 to the default.

Step 2

Complete the following substeps to configure anomaly detection zones:

1. Choose Configuration > Policies > Anomaly Detections > ad0.
2. Choose Internal Zone.
3. Under the General tab, confirm that the Internal Zone is enabled.
4. Delete 0.0.0.0 and replace it with your subnet 10.0.P.0-10.0.P.255, where P is your pod number.
5. Click Apply.
6. Choose the Illegal Zone.
7. Under the General tab, confirm that the Illegal Zone is enabled.
8. Delete 0.0.0.0 and replace it with 192.168.0.0-192.168.255.255.
9. Click Apply.
10. Choose the External Zone.
11. Click the Other Protocols tab.
12. Click Add.
13. Enter 1 in the Protocol Number field.
14. Check the Override Scanner Settings check box.
15. Enter 5 in the Scanner Threshold field.
16. Click Add.
17. Click OK and then click Apply.

Step 3

Configure the anomaly detection signatures by completing these substeps:

1. Choose Configuration > Policies > Signature Definitions > sig0.
2. Choose Viruses/Worms/Trojans in the Select By drop-down list.
3. Verify that signatures 13000-13008 are enabled.
4. Configure signatures 13000-13008 to take the action Deny Packet Inline in addition to Produce Alert.
5. Click Apply.

Activity Verification
You have completed this task when you attain these results:

The virtual sensor vs0 is not learning or detecting.

The anomaly detection zones are configured.

The anomaly signatures are set to Deny Packet Inline.

Task 2: Putting a Cisco Sensor into Learning Mode


In this task, you will put the virtual sensor vs0 into anomaly detection learning mode.

Activity Procedure
Complete these steps:


Step 1

Choose Configuration > Analysis Engine > Virtual Sensors.

Step 2

Choose virtual sensor vs0.

Step 3

Click Edit.

Step 4

Set the AD Operation Mode to Learn.

Step 5

Click OK.

Step 6

Click Apply.


Activity Verification
You have completed this task when virtual sensor vs0 is in learning mode.

Task 3: Generating and Observing Normal Network Traffic


In this task, you will generate normal traffic for the sensor to observe.

Activity Procedure
Complete these steps:
Step 1

Browse the superserver web site. Refresh the web page several times.

Step 2

Log into the superserver FTP site.

Step 3

At the command prompt, enter ls.

Step 4

At the command prompt, enter dir.

Step 5

At the command prompt, enter bye.

Step 6

Ping your perimeter router.

Step 7

Ping the superserver.

Step 8

Log into the perimeter router.

Step 9

Enter the show running-configuration command.

Step 10

Log out of the perimeter router.

Activity Verification
You have completed this task when you generate normal network traffic for the sensor to learn.

Task 4: Generating and Observing Anomalous Traffic


In this task, you will attempt to generate enough traffic to trigger anomaly detection.

Activity Procedure
Complete these steps:
Step 1

Choose virtual sensor vs0 and choose Detect for the AD Operation Mode.

Step 2

Prepare to detect worm activity by connecting to the CLI on your sensor, either through the SSH daemon or the console port. Enter the show statistics anomaly-detection vs0 command. Leave this window open, because you will use it to verify the simulated worm attack.


sensor218# show statistics anomaly-detection vs0


Statistics for Virtual Sensor vs0
No attack
Detection - ON
Learning - ON
Next KB rotation at 10:00:00 UTC Sat Mar 31 2007
Internal Zone
TCP Protocol
UDP Protocol
Other Protocol
External Zone
TCP Protocol
UDP Protocol
Other Protocol
Illegal Zone
TCP Protocol
UDP Protocol
Other Protocol
Step 3

Now complete the following substeps to simulate worm traffic:

1. Open a command window on your student PC.
2. Ping five different IP addresses on the 172.26.26.0/24 network:

C:\>ping 172.26.26.100
C:\>ping 172.26.26.101
C:\>ping 172.26.26.102
C:\>ping 172.26.26.103
C:\>ping 172.26.26.104

Note

It may be necessary to run these commands a few times to simulate worm activity.

Step 4

Verify that worm activity has been successfully simulated:

sensorP# show statistics anomaly-detection
Statistics for Virtual Sensor vs0
Attack in progress
Detection - ON
Learning - OFF
Next KB rotation at 10:00:00 UTC Sat Mar 31 2007
Internal Zone
TCP Protocol
UDP Protocol
Other Protocol
External Zone
TCP Protocol
UDP Protocol
Other Protocol
Service 1
Source IP: 10.0.218.12 Num Dest IP: 9
Illegal Zone
TCP Protocol
UDP Protocol
Other Protocol
Step 5

Choose Monitoring > Events and verify the firing of signature 13004.
evIdsAlert: eventId=1174885874866978348 severity=high
vendor=Cisco
originator:
hostId: sensor218
appName: sensorApp
appInstanceId: 358
time: 2007/03/29 10:13:31 2007/03/29 10:13:31 UTC
signature: description=AD - External UDP Scanner id=13004
version=S262
subsigId: 0
sigDetails: Single Scanner
marsCategory: Info/Misc/Scanner
marsCategory: Probe/FromScanner
interfaceGroup: vs0
vlan: 0
participants:
attacker:
addr: locality=OUT 10.0.218.12
target:
port: 503
actions:
denyPacketRequestedNotPerformed: true
alertDetails: .
adExtraData: numDestIps=5;
currentThreshold=5; destPort=503
;
riskRatingValue: targetValueRating=medium 100
threatRatingValue: 100
interface: sy0_0
protocol: udp

Activity Verification
You have completed this task when you attain these results:

The AD Operational Mode is set to Detect.

The show statistics anomaly-detection vs0 command verifies that an attack is in progress.

Signature 13004 has fired.
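The following Python model is an added example and is not code from the Cisco lab guide or the sensor's anomaly detection engine. It shows the mechanism this task exercises: destinations are classified into the Internal, Illegal and External zones configured in Task 1, the sensor counts the distinct destination IPs each source touches per zone and service, and a "single scanner" alert is raised when that count reaches the zone's scanner threshold while the AD operation mode is Detect (in Learn mode the counts are recorded but nothing fires). The pod number 218 (taken from the sample output's sensor218), the DEFAULT_THRESHOLD placeholder for zones and services the page does not set, and the five-ping traffic sample are constructed assumptions.

```python
"""Model of Cisco IPS anomaly detection "single scanner" logic.

Added example (not from the lab guide): per-zone, per-service counting of
distinct destination IPs per source, compared against a scanner threshold.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

POD = 218  # assumed; matches the sample output's sensor218

# Zones as configured in Task 1; anything not listed is the External zone.
ZONES = {
    "Internal": [ip_network(f"10.0.{POD}.0/24")],
    "Illegal": [ip_network("192.168.0.0/16")],
}

# The only threshold set in the lab: External zone, protocol 1 (ICMP), threshold 5.
# DEFAULT_THRESHOLD is an assumed placeholder for every other zone/service.
DEFAULT_THRESHOLD = 200
THRESHOLDS = {("External", "other:1"): 5}


def zone_of(dst):
    """Classify a destination address into Internal, Illegal or External."""
    addr = ip_address(dst)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "External"


def service_key(proto, port=None):
    """TCP and UDP are tracked per destination port; other protocols by IP protocol number."""
    if proto in ("tcp", "udp"):
        return f"{proto}:{port}"
    return f"other:{proto}"


class AnomalyDetector:
    """Tracks distinct destinations per (zone, service, source) like the AD knowledge base."""

    def __init__(self, mode="inactive"):
        self.mode = mode                  # AD operation mode: inactive, learn or detect
        self.seen = defaultdict(set)      # (zone, service, src) -> set of destination IPs
        self.alerts = []

    def observe(self, src, dst, proto, port=None):
        """Feed one packet; return an alert dict when a scanner is detected, else None."""
        if self.mode == "inactive":
            return None
        zone, svc = zone_of(dst), service_key(proto, port)
        dsts = self.seen[(zone, svc, src)]
        dsts.add(dst)
        threshold = THRESHOLDS.get((zone, svc), DEFAULT_THRESHOLD)
        # Only Detect mode raises alerts; Learn mode just populates the counts.
        if self.mode == "detect" and len(dsts) >= threshold:
            alert = {"zone": zone, "service": svc, "attacker": src,
                     "numDestIps": len(dsts), "currentThreshold": threshold}
            self.alerts.append(alert)
            return alert
        return None


def simulate_worm(mode="detect"):
    """Constructed traffic: the student PC pings five hosts on 172.26.26.0/24 (Step 3)."""
    ad = AnomalyDetector(mode)
    results = [ad.observe(f"10.0.{POD}.12", f"172.26.26.{100 + i}", 1) for i in range(5)]
    return ad, results


if __name__ == "__main__":
    ad, results = simulate_worm("detect")
    print(results[-1])   # alert for the fifth distinct destination
```

The fifth ping to a distinct host is the one that crosses the threshold of 5, which matches the numDestIps=5 and currentThreshold=5 values in the adExtraData of the alert shown above; the real engine additionally keys the External zone services by learned histograms, which this model omits.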

Task 5: Configuring Global POSFP Settings


This task will address configuring global POSFP settings.

Activity Procedure
Complete these steps:
Step 1

Choose Configuration > Policies > Event Action Rules > rules0.

Step 2

Click the OS Identifications tab.

Step 3

Check the Enable Passive OS Fingerprinting Analysis check box.


Step 4

In the Restrict OS Mapping and ARR to These IP Addresses field, add the address
range used by your pod (10.0.P.1-10.0.P.255, where P is your pod number).

Task 6: Configuring Manual Operating System Mapping


This task will address manually configuring an operating system mapping.

Activity Procedure
Complete these steps:
Step 1

Choose Configuration > Policies > Event Action Rules > rules0.

Step 2

Click the OS Identifications tab.

Step 3

Click Add.

Step 4

Enter SuperServer in the Name field.

Step 5

Confirm that Yes is selected in the Active field.

Step 6

Enter 172.26.26.50 in the IP Address field.

Step 7

Choose Windows NT/2K/XP in the OS Type field.

Step 8

Click OK.

Step 9

Click Apply.

Task 7: Verifying POSFP Configuration


This task will address verifying your POSFP configuration.

Activity Procedure
Complete these steps:
Step 1

Choose Configuration > Policies > Event Action Rules > rules0.

Step 2

Discover the operating system of your student PC automatically by following these substeps:

1. Use Telnet to connect to your perimeter router:

C:\>telnet 172.16.P.1

(where P = pod number)

2. From your perimeter router, back up your running configuration to your student PC:

prP# copy running-config ftp://10.0.P.12

(where P = pod number)

3. Press Enter twice.

Step 3

Verify that POSFP is working by completing the following substeps:

1. Choose Monitoring > OS Identifications > Learned OS.
2. Confirm that the student PC operating system has been learned.

Step 4

Create alarms by completing the following substeps:

1. Open the IPSfiles folder on your desktop.
2. Double-click BluesPortScan.exe. The Blues Port Scanner window opens.
3. Enter 172.26.26.50 in the Start field.
4. Verify that TCP is selected from the protocol list.
5. Deselect Anti Flood and Ping Check if necessary.
6. Click Start Scan.

Step 6

Choose Monitoring > Events to verify that the statically configured operating system of the superserver is noted in the TCP SYN Port Sweep alert.

Step 7

Close the Cisco IDM window.

Activity Verification
You have completed this task when you attain these results:

You have restricted POSFP to your internal IP range.

You have manually configured the superserver operating system.

You have confirmed that your student PC operating system is automatically discovered.

You have confirmed that your manual configurations are reflected in the Event Store.


Lab 6-1: Maintain Sensors and Verify System Configuration

Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will recover the sensor software image and install a sensor license and
signature update. After completing this activity, you will be able to meet these objectives:

Use the CLI to recover the sensor image

Boot to the recovery partition during bootup to recover the sensor image

Use ROM monitor to perform a complete sensor reimaging

Reinitialize the sensor

Use the Cisco IDM to install a sensor license

Use the Cisco IDM to install a signature update

Perform password recovery

Reset the sensor

Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective for Lab 6-1: Maintain Sensors and Verify System Configuration. Network diagram: superserver (Web/FTP) 172.26.26.50, RBB on 172.26.26.0, perimeter routers prP and prQ (172.30.P.0, 172.16.P.0, 172.30.Q.0, 172.16.Q.0), sensorP and sensorQ (.4), routerP and routerQ, RTS, student PCs 10.0.P.12 and 10.0.Q.12.]

Task 1: Recovering the Image Using the CLI


This task involves using the CLI recover command to recover the sensor image.

Activity Procedure
Step 1

Access the terminal server as directed by your instructor.

Step 2

Access the sensor via its console port as directed by your instructor:

Step 3

Log into the CLI:


sensor login: cisco
Password: iattacku2

Step 4

Display the current configuration:


sensorP# more current-config

! ------------------------------
! Current configuration last modified Mon Mar 05 13:20:11 2007
! ------------------------------
! Version 6.0(1)
! Host:
!   Realm Keys          key1.0
! Signature Definition:
!   Signature Update    S263.0   2006-12-18
!   Virus Update        V1.2     2007-11-24
! ------------------------------
service interface
physical interfaces FastEthernet0/1
admin-state enabled
exit
physical interfaces FastEthernet1/0
admin-state enabled
exit
inline-interfaces MyPair
no description
interface1 FastEthernet0/1
interface2 FastEthernet1/0
exit
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
variables DMZ address 172.16.P.1-172.16.P.255
variables IN address 10.0.P.1-10.0.P.255
overrides deny-packet-inline
override-item-status Enabled
risk-rating-range 80-100
exit
overrides produce-verbose-alert
override-item-status Enabled
risk-rating-range 80-100
exit

filters edit PermitDMZ
signature-id-range 2004
attacker-address-range $DMZ
actions-to-remove deny-packet-inline
os-relevance relevant|not-relevant|unknown
exit
filters move PermitDMZ begin
general
global-overrides-status Enabled
exit
target-value low target-address 10.0.Q.12
target-value mission-critical target-address 172.26.26.50,10.0.P.2
os-identification
calc-arr-for-ip-range 10.0.P.1-10.0.P.255
configured-os-map move Windows begin
ip 10.0.P.12,172.26.26.50
os windows-not-2k-xp
exit
configured-os-map move Windows begin
exit
exit
! ------------------------------
service host
network-settings
host-ip 10.0.P.4/24,10.0.P.2
host-name sensorP
telnet-option disabled
access-list 10.0.P.12/32
access-list 10.0.Q.12/32
access-list 10.0.P.12/32
login-banner-text AUTHORIZED ACCESS ONLY!
This system is the property of Cisco Systems.
Disconnect IMMEDIATELY if you are not an authorized user.
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
exit
! ------------------------------
service signature-definition sig0
application-policy
http-policy
http-enable true
exit
exit

signatures 4003 0
engine sweep
event-action produce-alert|log-attacker-packets
exit
exit
signatures 5081 0
engine service-http
no event-action
exit
exit
signatures 5114 0
engine service-http
no event-action
exit
exit
signatures 6250 0
alert-severity high
engine string-tcp
event-action produce-alert|deny-connection-inline
exit
alert-frequency
summary-mode fire-once
exit
exit
exit
signatures 12621 0
status
enabled True
exit
exit
signatures 13001 1
engine traffic-anomaly
event-action deny-packet-inline|produce-alert
exit
exit
signatures 13002 1
engine traffic-anomaly
event-action deny-packet-inline|produce-alert
exit
exit
signatures 13003 1
engine traffic-anomaly
event-action deny-packet-inline|produce-alert
exit
exit
signatures 13004 1
engine traffic-anomaly
event-action deny-packet-inline|produce-alert
exit
exit
signatures 13005 1
engine traffic-anomaly
event-action deny-packet-inline|produce-alert
exit
exit
signatures 13006 1
engine traffic-anomaly
event-action deny-packet-inline|produce-alert
exit
exit
signatures 13007 1
engine traffic-anomaly
event-action deny-packet-inline|produce-alert
exit
exit
signatures 13008 1
engine traffic-anomaly
event-action deny-packet-inline|produce-alert
exit
exit
.
.
.
.
(where P = pod number, Q = peer pod number, and S = secondary peer pod number)
Step 5
Back up this configuration:
sensorP#copy current-config ftp://10.0.P.12/backup.cfg
User:ftpuser
Password: ftppass

(where P = pod number)


Step 6

Enter global configuration mode:


sensorP#config t

(where P = pod number)


Step 7

Recover the sensor application partition:


sensorP(config)#recover application-partition
Warning: Executing this command will stop all applications and
reimage the node to version 6.0(1)E1. All configuration
changes except for network settings will be reset to default.
Continue with recovery? []:

(where P = pod number)


Step 8

Answer yes when asked if you want to continue:


Continue with recovery? []: yes

Caution: The recovery process takes several minutes. Do not log in the first time that the login prompt
is presented, which is very early in the recovery process.

Step 9

When the recovery is complete, log back into the sensor with the default username
cisco and the default password cisco.
sensorP login: cisco
Password: cisco

You are required to change your password immediately (password
aged)
Changing password for cisco
(current) UNIX password:
Step 10

Enter the current password again:


(current) UNIX password: cisco
New password:

Step 11

Enter iattacku2 as the new password:


New password: iattacku2
Retype new password:

Step 12

Enter the new password again:


Retype new password: iattacku2
***NOTICE***
This product contains cryptographic features and is subject to
United States and local country laws governing import, export,
transfer and use. Delivery of Cisco cryptographic products
does not imply third-party authority to import, export,
distribute or use encryption. Importers, exporters,
distributors and users are responsible for compliance with
U.S. and local country laws. By using this product you agree
to comply with applicable laws and regulations. If you are
unable to comply with U.S. and local laws, return this product
immediately.

A summary of U.S. laws governing Cisco cryptographic products
may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending
email to export@cisco.com.

***LICENSE NOTICE***
There is no license key installed on the system.
Please go to http://www.cisco.com/go/license
to obtain a new license or install a license.
sensor1#
Step 13

Display the current configuration, and compare it to the configuration prior to the
recovery:
sensorP# more current-config
! ------------------------------
! Current configuration last modified Fri Feb 23 13:20:11 2007
! ------------------------------
! Version 6.0(1)
! Host:
!     Realm Keys          key1.0
! Signature Definition:
!     Signature Update    S263.0   2006-12-18
!     Virus Update        V1.2     2007-11-24
! ------------------------------
service interface
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
network-settings
host-ip 10.0.P.4/24,10.0.P.2
host-name sensorP
telnet-option disabled
access-list 10.0.P.12/32
access-list 10.0.Q.0/32
access-list 10.0.S.12/32
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
exit
! ------------------------------
service signature-definition sig0
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
exit
! ------------------------------
service anomaly-detection ad0
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service analysis-engine
exit
Step 14

Restore your configuration from the FTP server:


sensorP#copy /erase ftp://10.0.P.12/backup.cfg current-config
User:ftpuser
Password: ftppass
Warning: Copying over the current configuration may leave the
box in an unstable state.
Would you like to copy current-config to backup-config before
proceeding? [yes]: no

(where P = pod number)


Step 15

Display the current configuration, and compare it to the configuration prior to the
recovery:
sensorP# more current-config

Activity Verification
You have completed this task when the recovery process completes successfully and retains
your network settings, and you have restored your backup.

Task 2: Recovering the Image by Selecting Recovery Image During Bootup
This task involves booting to the recovery partition during bootup to recover the sensor image.

Activity Procedure
Step 1

Complete the following substeps to configure settings to be used for testing the
recovery process:
1. Enter configuration mode:
sensorP#config t
sensorP(config)#

(where P = pod number)


2. Enter host configuration mode:
sensorP(config)#service host
sensorP(config-hos)#

(where P = pod number)


3. Enter network settings mode:
sensorP(config-hos)#network-settings
sensorP(config-hos-net)#

(where P = pod number)


4. Add a host to your allowed hosts list:
sensorP(config-hos-net)#access-list 172.26.26.50/32
sensorP(config-hos-net)#

(where P = pod number)


5. Exit network settings mode:
sensorP(config-hos-net)#exit
sensorP(config-hos)#

(where P = pod number)


6. Exit host configuration mode:
sensorP(config-hos)#exit
Apply Changes:?[yes]:

(where P = pod number)


7. Answer yes when prompted to apply the changes:
Apply Changes:?[yes]: yes
sensorP(config)#

(where P = pod number)


8. Enter signature configuration mode:
sensorP(config)# service signature-definition sig0
sensorP(config-sig)#

(where P = pod number)


9. Enter configuration mode for signature 2004, subsignature 0:
sensorP(config-sig)# signatures 2004 0
sensorP(config-sig-sig)#

(where P = pod number)


10. Enter signature status configuration mode:
sensorP(config-sig-sig)# status
sensorP(config-sig-sig-sta)#

(where P = pod number)


11. Enable the signature:
sensorP(config-sig-sig-sta)# enable true

(where P = pod number)


12. Exit all modes until prompted to apply changes:


sensorP(config-sig-sig-sta)# exit
sensorP(config-sig-sig)# exit
sensorP(config-sig)# exit
Apply Changes:?[yes]:

(where P = pod number)


13. Answer yes when prompted to apply changes:
Apply Changes:?[yes]: yes
sensorP(config)#

(where P = pod number)


14. Exit global configuration mode:
sensorP(config)#exit
sensorP#

(where P = pod number)


15. Display the new configuration:
sensorP# more current-config

(where P = pod number, Q = peer pod number, and S = secondary peer pod number)
Step 2
Complete the following substeps to recover the sensor image:
1. Enter reset at the privileged EXEC prompt to reboot the sensor:
sensorP# reset
Warning: Executing this command will stop all
applications and reboot the node. Continue with reset?
[]

(where P = pod number)


2. Answer yes when asked if you want to continue:
Warning: Executing this command will stop all
applications and reboot the node. Continue with reset?
[] yes

3. When the GRUB menu is displayed, press the Down Arrow key to choose
Cisco IPS Recovery:
GNU GRUB  version 0.94  (632K lower / 523264K upper memory)

-------------------------------------------------------------
0: Cisco IPS
1: Cisco IPS Recovery
2: Cisco IPS Clear Password (cisco)
-------------------------------------------------------------

Use the ^ and v keys to select which entry is highlighted.
Press enter to boot the selected OS, 'e' to edit the
commands before booting, or 'c' for a commandline.

4. Press the Down Arrow key. You should see the 0 replaced with 1.
5. Press Enter. The reimage process begins.
Highlighted entry is 1:
Booting 'Cisco IPS Recovery'
Caution: The recovery process takes several minutes. Do not log in the first time that the login prompt
is presented, which is very early in the recovery process.

Step 3

When the recovery is complete, log back into the sensor with the default username
cisco and the default password cisco.
sensorP login: cisco
Password: cisco
You are required to change your password immediately (password
aged)
Changing password for cisco
(current) UNIX password:

(where P = pod number)


Step 4

Enter the current password again:


(current) UNIX password: cisco
New password:

Step 5

Enter iattacku2 as the new password:


New password: iattacku2
Retype new password:

Step 6

Enter the new password again:


Retype new password: iattacku2
***NOTICE***
This product contains cryptographic features and is subject to
United States and local country laws governing import, export,
transfer and use. Delivery of Cisco cryptographic products
does not imply third-party authority to import, export,
distribute or use encryption. Importers, exporters,
distributors and users are responsible for compliance with
U.S. and local country laws. By using this product you agree
to comply with applicable laws and regulations. If you are
unable to comply with U.S. and local laws, return this product
immediately.

A summary of U.S. laws governing Cisco cryptographic products
may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending
email to export@cisco.com.

***LICENSE NOTICE***
There is no license key installed on the system.
Please go to http://www.cisco.com/go/license
to obtain a new license or install a license.
Step 7

Display the current configuration, and compare it to the configuration prior to the
recovery:
sensorP# more current-config
! ------------------------------
! Current configuration last modified Fri Feb 23 13:20:11 2007
! ------------------------------
! Version 6.0(1)
! Host:
!     Realm Keys          key1.0
! Signature Definition:
!     Signature Update    S263.0   2006-12-18
!     Virus Update        V1.2     2007-11-24
! ------------------------------
service interface
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
network-settings
host-ip 10.0.P.4/24,10.0.P.2
host-name sensorP
telnet-option disabled
access-list 10.0.P.12/32
access-list 10.0.Q.0/32
access-list 10.0.S.12/32
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
exit
! ------------------------------
service signature-definition sig0
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
exit
! ------------------------------
service anomaly-detection ad0
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service analysis-engine
exit

(where P = pod number, Q = peer pod number, and S = secondary peer pod number)

Activity Verification
You have completed this task when the recovery process completes successfully and retains
your network settings.

Task 3: Using ROM Monitor to Recover the Sensor Software Image
This task involves performing a complete system reimage.

Activity Procedure
Complete these steps:
Step 1

Verify that the following system image file is located in the IPSfiles directory on
your student PC desktop: IPS-4240-K9-sys-1.1-a-6.0-1-E1.img

Step 2

Double-click the tftpd32.exe shortcut on your desktop.

Step 3

Click Browse and choose C:\Documents and Settings\Administrator\Desktop\IPSfiles.

Step 4

Verify that C:\Documents and Settings\Administrator\Desktop\IPSfiles is
displayed in the Current Directory field of the Tftpd32 window.

Step 5

Minimize the Tftpd32 window.

Step 6

Return to the terminal window and reboot the sensor:


sensorP# reset

(where P = pod number)


Step 7

Press Ctrl-R within five seconds after the following message is displayed during
bootup:
Evaluating Run Options...

Step 8

Examine the console display information to verify that the sensor is running BIOS
version 5.1.7 or later and ROM monitor version 1.4 or later.

Step 9

Specify the IP address of the sensor:


rommon> address 10.0.P.4

address 10.0.P.4
(where P = pod number)
Step 10
Specify the IP address of the TFTP server on which the image is stored:
rommon> server 10.0.P.12
server 10.0.P.12
(where P = pod number)

Step 11

Specify the name of the system image file:


rommon> file IPS-4240-K9-sys-1.1-a-6.0-1-E1.img
file IPS-4215-K9-sys-1.1-a-6.0-1-E1.img

Step 12

Download and install the system image:


rommon> tftp
tftp IPS-4215-K9-sys-1.1-a-6.0-1-E1.img@10.0.P.12!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Step 13

When the recovery is complete, log back into the sensor with the default username
cisco and the default password cisco.
sensor login: cisco
Password: cisco
You are required to change your password immediately (password
aged)
Changing password for cisco
(current) UNIX password:

Step 14

Enter the current password again:


(current) UNIX password: cisco
New password:

Step 15

Enter iattacku2 as the new password:


New password: iattacku2
Retype new password:

Step 16

Enter the new password again:


Retype new password: iattacku2
***NOTICE***
This product contains cryptographic features and is subject to
United States and local country laws governing import, export,
transfer and use. Delivery of Cisco cryptographic products
does not imply third-party authority to import, export,
distribute or use encryption. Importers, exporters,
distributors and users are responsible for compliance with
U.S. and local country laws. By using this product you agree
to comply with applicable laws and regulations. If you are
unable to comply with U.S. and local laws, return this product
immediately.

A summary of U.S. laws governing Cisco cryptographic products
may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending
email to export@cisco.com.

***LICENSE NOTICE***
There is no license key installed on the system.
Please go to http://www.cisco.com/go/license
to obtain a new license or install a license.
sensor1#
Step 17

Display the current configuration and compare it to the configuration prior to the
recovery:
sensor# more current-config
! ------------------------------
! Current configuration last modified Fri Feb 23 13:20:11 2007
! ------------------------------
! Version 6.0(1)
! Host:
!     Realm Keys          key1.0
! Signature Definition:
!     Signature Update    S263.0   2006-12-18
!     Virus Update        V1.2     2007-11-24
! ------------------------------
service interface
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
exit
! ------------------------------
service signature-definition sig0
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
exit
! ------------------------------
service anomaly-detection ad0
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service analysis-engine
exit

Activity Verification
You have completed this task when the recovery process completes successfully and restores
the sensor default configuration.
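The "display the current configuration and compare it to the configuration prior to the recovery" steps in Tasks 1, 2 and 3 leave the comparison to the eye. The following Python script is an added example, not part of this lab or of Cisco's software: it parses the hierarchical more current-config listing into a nested dictionary and reports which service sections a recovery retained and which it reset to defaults, so the two verification criteria (network settings survive an application-partition recovery; a ROMMON reimage restores defaults) can be checked mechanically. The submode keyword set is an assumption drawn from the listings in this guide, the sample listings are constructed for pod 1, and multi-line login banners are not handled.

```python
"""Parse a Cisco IPS 6.0 `more current-config` listing and report which
sections a recovery kept and which it reset.  Added example for this lab;
not Cisco's code.  SUBMODES is an assumption drawn from this guide's listings."""

# Keywords that open a submode which a later "exit" closes.
SUBMODES = {"service", "network-settings", "time-zone-settings", "application-policy",
            "http-policy", "signatures", "engine", "status", "alert-frequency", "overrides"}
ABSENT = "<absent>"  # marks a setting present on only one side of a diff


def parse_config(text):
    """Nested dict of the listing: submodes become dicts, settings become
    values, repeated keys (access-list) collect into a list, and a
    'no <key>' line stores None for that key.  Multi-line banners are not handled."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):        # comments and separators
            continue
        if line == "exit":
            if len(stack) > 1:                      # tolerate a stray top-level exit
                stack.pop()
        elif line.split()[0] in SUBMODES:           # "service host", "signatures 6250 0", ...
            block = stack[-1][line] = {}
            stack.append(block)
        else:
            if line.startswith("no "):
                key, value = line[3:], None
            else:
                key, _, value = line.partition(" ")
            node = stack[-1]
            if key in node:                         # second access-list line etc.
                node[key] = (node[key] if isinstance(node[key], list) else [node[key]]) + [value]
            else:
                node[key] = value
    return root

def flatten(node, prefix=()):
    """Map every leaf setting to its path, e.g. ('service host', 'network-settings', 'host-ip')."""
    leaves = {}
    for key, value in node.items():
        if isinstance(value, dict):
            leaves.update(flatten(value, prefix + (key,)))
        else:
            leaves[prefix + (key,)] = value
    return leaves

def changed_settings(backup, recovered):
    """Leaves whose value differs between the two listings: path -> (before, after)."""
    before, after = flatten(parse_config(backup)), flatten(parse_config(recovered))
    return {p: (before.get(p, ABSENT), after.get(p, ABSENT))
            for p in sorted(set(before) | set(after))
            if before.get(p, ABSENT) != after.get(p, ABSENT)}

def recovery_report(backup, recovered):
    """Classify each non-default 'service ...' block of the backup as retained
    (identical after recovery) or reset (missing or back to defaults)."""
    before, after = parse_config(backup), parse_config(recovered)
    report = {"retained": [], "reset": []}
    for name, block in before.items():
        if block:                                   # empty block = defaults, nothing to lose
            report["retained" if after.get(name) == block else "reset"].append(name)
    return report

# Constructed sample listings for pod 1, cut down to the sections that matter here.
BACKUP = """\
service host
network-settings
host-ip 10.0.1.4/24,10.0.1.2
host-name sensor1
telnet-option disabled
access-list 10.0.1.12/32
access-list 10.0.2.0/24
exit
exit
service signature-definition sig0
signatures 6250 0
alert-severity high
engine string-tcp
event-action produce-alert|deny-connection-inline
exit
exit
signatures 5081 0
engine service-http
no event-action
exit
exit
exit
"""
# After "recover application-partition": network settings survive, signature tuning does not.
AFTER_APP_RECOVERY = BACKUP.split("service signature-definition")[0] + "service signature-definition sig0\nexit\n"
# After a full ROMMON reimage: every section is back to its factory default.
AFTER_FULL_REIMAGE = "service host\nexit\nservice signature-definition sig0\nexit\n"

if __name__ == "__main__":
    print("application partition:", recovery_report(BACKUP, AFTER_APP_RECOVERY))
    print("full reimage:", recovery_report(BACKUP, AFTER_FULL_REIMAGE))
```

Run stand-alone, the script reports "service host" as retained after the application-partition recovery and as reset after the full reimage; changed_settings lists each lost tuning line by path, including a tuning expressed as no event-action, which the ABSENT sentinel keeps distinct from a setting that was never there.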

Task 4: Reinitializing the Sensor


This task involves reinitializing the sensor.

Activity Procedure
Step 1

Enter the setup command and press the Spacebar. The System Configuration
Dialog is displayed:
sensor# setup
--- System Configuration Dialog ---
At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.

Current Configuration:
service host
network-settings
host-ip 10.1.9.201/24,10.1.9.1
host-name sensor
telnet-option disabled

ftp-timeout 300
no login-banner-text
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
service web-server
port 443
exit
service event-action-rules rules0
overrides
override-item-status Enabled
risk-rating-range 90-100
exit
exit

Current time: Thu Feb 22 09:39:39 2007

Setup Configuration last modified: Tue Mar 05 09:37:20 2007

Continue with configuration dialog?[yes]:


Step 2

Press Enter when prompted to continue with the configuration dialog:


Continue with configuration dialog? [yes]: <Enter>

Step 3

Assign a name to the sensor:


Enter host name[sensor]: sensorP

(where P = pod number)


Step 4
Specify an IP address, netmask, and default gateway for the sensor command and
control interface:
Enter IP interface[10.1.9.201/24,10.1.9.1]:10.0.P.4/24,10.0.P.2

(where P = pod number)


Step 5
Press Enter to accept the default setting for Telnet services:
Enter telnet-server status[disabled]: <Enter>
Step 6

Press Enter to accept the default web server port:


Enter web-server port[443]: <Enter>

Step 7

Enter yes when prompted to modify the current ACL:
Modify current access list? [no] yes


Current access list entries:
No entries
Permit:
Step 8

Enter the IP address of your student PC:


Permit: 10.0.P.12/32
Permit:

(where P = pod number)


Step 9
Enter your peer pod network address:
Permit: 10.0.Q.0/24
Permit:

(where Q = peer pod number)


Press Enter again:
Permit: <Enter>
Step 10

Press Enter to accept the default of no when prompted to modify system clock
settings:
Modify system clock settings?[no]: <Enter>

Step 11

Press Enter to accept the default of no when prompted to modify the virtual sensor
configuration:
Modify interface/virtual sensor configuration?[no]: <Enter>
Modify default threat prevention settings?[no]: <Enter>
The following configuration was entered.

service host
network-settings
host-ip 10.0.P.4/24,10.0.P.2
host-name sensorP
telnet-option disabled
access-list 10.0.P.12/32
access-list 10.0.Q.0/24

(where P = pod number and Q = peer pod number)


ftp-timeout 300
no login-banner-text
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
service web-server
port 443
exit
service event-action-rules rules0
overrides
override-item-status Enabled
risk-rating-range 90-100
exit
exit
[0] Go to the command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration and exit setup.

Enter your selection[2]:

Press Enter to select Save this configuration and exit setup.
Enter your selection[2]: <Enter>
Configuration Saved.
*10:08:43 UTC Tue Mar 05 2007
Modify system date and time?[no]: <Enter>
Step 12

Enter no to modify the system date and time:


Modify system date and time?[no]: no

Step 13

Enter reset to reboot the sensor:


sensor# reset
Warning: Executing this command will stop all applications and
reboot the node.
Continue with reset? []:

Step 14

Enter yes to continue rebooting the sensor:


Warning: Executing this command will stop all applications and
reboot the node.
Continue with reset? [] : yes

Activity Verification
You have completed this task when you have entered the specified values at each setup
interactive prompt.
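Steps 7 through 9 enter the hosts that may reach the sensor's command and control interface, and the listings in this guide show the peer pod written both as the network 10.0.Q.0/24 and, after a recovery, as 10.0.Q.0/32, which is a single-host entry on a network address. The following Python script is an added example, not part of this lab or of Cisco's software: it lints a list of Permit: entries before they are typed and flags entries that do not parse, host bits set under a network mask, masks wider than a chosen limit, and a /32 on a .0 address. The width limit and that last heuristic are the author's assumptions, and the sample entries are constructed.

```python
"""Sanity-check the allowed-host entries typed at the setup dialog's Permit:
prompts.  Added example for this lab, not Cisco code; the width limit and the
'single host on a .0 address' heuristic are the author's assumptions."""
import ipaddress

WIDEST_ALLOWED_PREFIX = 16   # assumption: a management ACL wider than /16 is a finding


def lint_access_list(entries):
    """Return {entry: [findings]}; an empty list means the entry looks sound."""
    report = {}
    for entry in entries:
        notes = []
        try:
            net = ipaddress.ip_network(entry, strict=False)   # accept host bits, flag them below
            addr = ipaddress.ip_address(entry.split("/")[0])
        except ValueError as exc:
            report[entry] = [f"unparseable: {exc}"]
            continue
        if net.prefixlen < WIDEST_ALLOWED_PREFIX:
            notes.append(f"too broad: /{net.prefixlen} admits {net.num_addresses} addresses")
        if addr != net.network_address:
            notes.append(f"host bits set: entry names {addr} but the mask covers {net}")
        if net.prefixlen == net.max_prefixlen and addr.version == 4 and int(addr) & 0xFF == 0:
            notes.append("single host on a .0 address: check whether a /24 network was intended")  # heuristic
        report[entry] = notes
    return report


def accepted(entries):
    """Entries with no findings, in the order they were typed."""
    return [e for e, notes in lint_access_list(entries).items() if not notes]


# Constructed input mirroring the Permit: prompts of this task (pod 1, peer pod 2).
SAMPLE_ENTRIES = ["10.0.1.12/32", "10.0.2.0/24", "10.0.2.0/32",
                  "10.0.3.12/24", "0.0.0.0/0", "10.0.1.300/32"]

if __name__ == "__main__":
    for entry, notes in lint_access_list(SAMPLE_ENTRIES).items():
        print(entry, "OK" if not notes else "; ".join(notes))
```

Only the student PC host and the peer pod /24 pass; the other four constructed entries each produce exactly one finding, so a typo in the mask is caught before the sensor's management interface is opened wider than intended.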

Task 5: Installing a Sensor License


This task involves using the Cisco IDM to install a sensor license.

Activity Procedure
Step 1

Launch your web browser and log into the Cisco IDM.

Step 2

Complete the following substeps to install the license:

1. Choose Configuration > Licensing. The Licensing panel is displayed.
2. Click the Update From: License File radio button.
3. Click Browse Local.
4. Browse to C:\Inetpub\ftproot and double-click the file IDSDEMO2007XXXXXXXXXXXXX.lic. The path
and file name are displayed in the Local File Path field.
(where X = license number specific to your sensor)
5. Click Update License. The Licensing window opens asking if you want to continue.
6. Click Yes. After the license is installed, the Information window opens, telling you that the license has been
successfully updated.
7. Click OK.

Task 6: Installing a Signature Update


This task involves applying signature update S274 to your sensor.

Activity Procedure
Complete these steps:
Step 1

Choose Monitoring > Support Information > System Information and examine
the System Information panel to check your sensor current signature version. You
should see the following:
Partition application
Build version 6.0(1)E1

Step 2

Complete the following substeps to apply the signature update:


1. Choose Configuration > Update Sensor. The Update Sensor panel is
displayed.
2. Choose Update Is Located on This Client.
3. Click Browse Local.
4. Browse to the IPSfiles directory on your desktop, and double-click the file IPSsig-S274-req-E1.pkg. The path and file name are displayed in the Local File
Path field.
5. Click Update Sensor. The Update Sensor window opens asking if you want to
continue.
6. Click OK. After a few minutes, the Information window opens and displays the
following message:
To recognize the upgraded sensor software, you must
re-log in to the sensor. Your connection to the sensor
has been closed. IDM will now exit.

7. Click OK.

Step 3

Complete the following substeps to verify that the update was successful:
1. Launch and log back into the Cisco IDM.
2. Choose Monitoring > Support Information > System Information. The
System Information panel is displayed. You should see the following:
Signature Definition
Signature Update    S274.0    2007-03-01
Activity Verification
You have completed this task when the Cisco IDM System Information panel displays the following:
Signature Definition
Signature Update    S274.0    2007-03-01

Task 7: Password Recovery


This task involves resetting the password for the cisco account.

Activity Procedure
Complete these steps:
Step 1

Access the terminal server as directed by your instructor.

Step 2

Access the sensor via its console port as directed by your instructor.

Step 3

Log into the CLI:


sensor login: cisco
Password: iattacku2

Step 4

Enter reset at the privileged EXEC prompt to reboot the sensor:


sensorP# reset
Warning: Executing this command will stop all applications and
reboot the node. Continue with reset? []

(where P = pod number)

Step 5

Answer yes when asked if you want to continue:
Warning: Executing this command will stop all applications and
reboot the node. Continue with reset? [] yes
Step 6

When the GRUB menu is displayed, press the Down Arrow key to choose Cisco
IPS Recovery:
GNU GRUB  version 0.94  (632K lower / 523264K upper memory)

-------------------------------------------------------------
0: Cisco IPS
1: Cisco IPS Recovery
2: Cisco IPS Clear Password (cisco)
-------------------------------------------------------------

Use the ^ and v keys to select which entry is highlighted.
Press enter to boot the selected OS, 'e' to edit the
commands before booting, or 'c' for a command-line.
Step 7

Press the Down Arrow key twice. You should see the 0 replaced first with a 1 and
then a 2.

Step 8

Press Enter. The password recovery process begins and the sensor continues
rebooting.

Step 9

Log into the CLI using the old password. You should fail:
sensor login: cisco
Password: iattacku2

Step 10

Now log into the CLI using the default password. You will now succeed:
sensor login: cisco
Password: cisco

Step 11

Reset the password to iattacku2.

Task 8: Lab Reset


This task involves resetting the sensor for the next class.

Activity Procedure
Complete these steps:
Step 1

Complete the following substeps to recover the sensor image:


1. Enter reset at the privileged EXEC prompt to reboot the sensor:
sensorP# reset
Warning: Executing this command will stop all
applications and reboot the node. Continue with reset?
[]

(where P = pod number)

2. Answer yes when asked if you want to continue:
Warning: Executing this command will stop all
applications and reboot the node. Continue with reset?
[] yes

3. When the GRUB menu is displayed, press the Down Arrow key to choose Cisco IPS Recovery:
GNU GRUB  version 0.94  (632K lower / 523264K upper memory)

-------------------------------------------------------------
0: Cisco IPS
1: Cisco IPS Recovery
2: Cisco IPS Clear Password (cisco)
-------------------------------------------------------------

Use the ^ and v keys to select which entry is highlighted.
Press enter to boot the selected OS, 'e' to edit the
commands before booting, or 'c' for a commandline.

4. Press Enter. The reimage process begins.
Highlighted entry is 1:
Booting 'Cisco IPS Recovery'

5. Close the CLI.

6. Log off of the student PC.

Answer Key
The correct answers and expected solutions for the activities that are described in this guide
appear here.

Lab 2-1 Answer Key: Install and Configure a Cisco IPS Sensor
from the CLI
When you complete this activity, your sensor configuration will be similar to the following,
with differences that are specific to your device or workgroup:
sensorP# more backup-config
! ------------------------------
! Current configuration last modified Fri Feb 23 13:20:11 2007
! ------------------------------
! Version 6.0(1)
! Host:
!     Realm Keys          key1.0
! Signature Definition:
!     Signature Update    S263.0   2006-12-18
!     Virus Update        V1.2     2007-11-24
! ------------------------------
service interface
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
network-settings
host-ip 10.0.P.4/24,10.0.P.2
host-name sensorP
telnet-option disabled
access-list 10.0.P.12/32
access-list 10.0.Q.0/24
login-banner-text AUTHORIZED ACCESS ONLY!
This system is the property of Cisco Systems.
Disconnect IMMEDIATELY if you are not an authorized user.
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
exit
! ------------------------------
service signature-definition sig0
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
exit
! ------------------------------
service anomaly-detection ad0
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service analysis-engine
exit
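
A small check of the service host network-settings in this configuration (telnet disabled, narrow access-list entries, a login banner present), written here as an added example and not part of the course or the sensor software. It assumes pod values P=1 and Q=2 for the constructed sample text and a /24 policy threshold for how wide an access-list entry may be.

```python
import ipaddress

# Constructed sample in the layout of the "more backup-config" output above (P=1, Q=2).
SAMPLE_CONFIG = """\
! ------------------------------
service host
network-settings
host-ip 10.0.1.4/24,10.0.1.2
telnet-option disabled
access-list 10.0.1.12/32
access-list 10.0.2.0/24
login-banner-text AUTHORIZED ACCESS ONLY!
This system is the property of Cisco Systems.
Disconnect IMMEDIATELY if you are not an authorized user.
exit
"""
KEYS = {"host-ip", "host-name", "telnet-option", "login-banner-text"}

def parse_network_settings(text):  # network-settings of 'service host' as a dict
    settings, in_host, last = {"access-list": []}, False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue                                   # blank or comment line
        if line.startswith("service "):
            in_host = line == "service host"           # other blocks are skipped
        elif in_host and line == "exit":
            break                                      # end of network-settings
        elif in_host:
            key, _, value = line.partition(" ")
            if key == "access-list":
                settings["access-list"].append(value)
            elif key in KEYS:
                settings[key] = value
            elif last == "login-banner-text":          # banner continuation line
                settings[last] += "\n" + line
                continue
            last = key
    return settings

def audit(settings, max_prefix=24):  # /max_prefix is an assumed policy threshold
    findings = []
    if settings.get("telnet-option") != "disabled":
        findings.append("telnet-option not disabled: clear-text management access")
    for entry in settings["access-list"]:
        if ipaddress.ip_network(entry, strict=False).prefixlen < max_prefix:
            findings.append(f"access-list {entry} is wider than /{max_prefix}")
    if "login-banner-text" not in settings:
        findings.append("no login-banner-text configured")
    return findings
```

Running audit(parse_network_settings(SAMPLE_CONFIG)) on the lab configuration returns no findings; enabling telnet or adding an access-list entry such as 0.0.0.0/0 produces one finding each.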


Lab 2-2 Answer Key: Use the Cisco IDM to Perform a Basic
Sensor Configuration
When you complete this activity, your sensor configuration will be similar to the following,
with differences that are specific to your device or workgroup.

Allowed Hosts


User Accounts

Interfaces


Inline Pair


Lab 3-1 Answer Key: Working with Signatures and Alerts


When you complete this activity, your sensor configuration will be similar to the following,
with differences that are specific to your device or workgroup.

Signature 4003

IP Logging


Lab 3-2 Answer Key: Customizing Signatures


When you complete this activity, your sensor configuration will be similar to the following,
with differences that are specific to your device or workgroup.

Signature 6250

HTTP Application Policy


Signature 12621/0

NIMDA Signature


Confidential Signature

Lab 4-1 Answer Key: Tune a Cisco IPS Sensor Using Cisco IDM
When you complete this activity, your sensor configuration will be similar to the following,
with differences that are specific to your device or workgroup.

Signature 2004


Target Value Rating

Event Action Override


Event Variables


Event Action Filters


Lab 4-2 Answer Key: Monitor and Manage Alarms


When you complete this activity, your sensor configuration will be similar to the following,
with differences that are specific to your device or workgroup.

Device Settings


Filter Settings


View Settings


Lab 4-3 Answer Key: Configure a Virtual Sensor (Optional)


When you complete this activity, your sensor configuration will be similar to the following,
with differences that are specific to your device or workgroup.

Inline VLAN Pair

Event Action Rules


Virtual Sensor


Lab 4-4 Answer Key: Configure Anomaly Detection and POSFP


When you complete this activity, your sensor configuration will be similar to the following,
with differences that are specific to your device or workgroup.

Anomaly Detection: Internal Zone

Anomaly Detection: Illegal Zone


Anomaly Detection: Scanner Settings


OS Identifications


Lab 6-1 Answer Key: Maintain Sensors and Verify System Configuration
When you complete this activity, your sensor configuration will be similar to the following,
with differences that are specific to your device or workgroup:
The sensor should be reset to factory defaults with a password of iattacku2.
