Implementing Cisco Intrusion Prevention Systems
Version 6.0
Lab Guide
EPWS: 06.08.07
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED AS IS. CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN
CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF
THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED
WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR
PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This learning product may contain early release
content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above.
Overview
This guide presents the instructions and other information concerning the lab activities for this
course. You can find the solutions in the activity Answer Key.
Outline
This guide includes these activities:
Lab 2-1: Install and Configure a Cisco IPS Sensor from the CLI
Lab 2-2: Use the Cisco IDM to Perform a Basic Sensor Configuration
Lab 4-1: Tune a Cisco IPS Sensor Using the Cisco IDM
Answer Key
Activity Objective
In this activity, you will initialize a sensor appliance. After completing this activity, you will be
able to meet these objectives:
Test the ability to use SSH to connect to the sensor from an authorized host
Visual Objective
The figure illustrates what you will accomplish in this activity.
Figure: Lab topology. Devices: RBB, prP, prQ, sensorP, sensorQ, routerP, routerQ, RTS, Student PCs. Networks: 172.26.26.0 (hosts .50 and .150), 172.30.P.0, 172.30.Q.0, 172.16.P.0, 172.16.Q.0, 10.0.P.0, 10.0.Q.0. Sensors are at .4 of their pod network, RTS at .100, the student PCs at 10.0.P.12 and 10.0.Q.12; router interfaces e0/0 and e0/1 use .1 and .2.
Activity Procedure
Complete these steps:
Step 1
Step 2
Access the sensor via its console port as directed by your instructor:
Step 3
Note
It is possible that the sensor password has not been reset. In that case, log into the sensor as cisco with a password of cisco. You will then be prompted to change the password. Change the password to iattacku2.
Step 4
Enter the setup command and press Enter. The System Configuration Dialog is displayed.
sensor# setup
--- System Configuration Dialog ---
At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
Current Configuration:
service host
network-settings
host-ip 10.1.9.201/24,10.1.9.1
host-name sensor
telnet-option disabled
ftp-timeout 300
no login-banner-text
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
service web-server
port 443
exit
service event-action-rules rules0
overrides
override-item-status Enabled
risk-rating-range 90-100
exit
exit
Current time: Thu Feb 22 09:39:39 2007
Setup Configuration last modified: Thu Feb 22 09:37:20 2007
Continue with configuration dialog?[yes]:
Step 5
Step 6
Specify an IP address, netmask, and default gateway for the sensor command and
control interface:
Enter IP interface[10.1.9.201/24,10.1.9.1]:10.0.P.4/24,10.0.P.2
Step 9
Step 10
Step 11
Step 14
Press Enter to answer no when prompted to modify the virtual sensor configuration:
Modify interface/virtual sensor configuration?[no]: <Enter>
Modify default threat prevention settings?[no]: <Enter>
The following configuration was entered.
service host
network-settings
host-ip 10.0.P.4/24,10.0.P.2
host-name sensorP
telnet-option disabled
access-list 10.0.P.12/32
access-list 10.0.Q.0/24
risk-rating-range 90-100
exit
exit
[0] Go to the command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration and exit setup.
Step 16
Step 17
Use 24-hour time to enter the current time in the following format: hh:mm:ss.
Local Time[]: <hh:mm:ss>
sensor#
Step 18
Step 19
Step 20
Activity Verification
You have completed this task when you attain these results:
You have entered the specified values at each setup interactive prompt.
The sensor reboots and presents you with the login prompt.
Activity Procedure
Complete these steps:
Step 1
Attempt to establish an SSH session to your peer pod sensor. Although your peer is
allowed access to your sensor, you should be unable to establish the connection at
this point. This is because the sensors are installed to run inline in your pod, and
inline mode is not yet configured.
Step 4
Activity Verification
You have completed this task when you can establish an SSH session to your peer sensor but
not to another pod sensor.
Activity Procedure
Complete these steps:
Step 1
Log back into the sensor using the username cisco and the password iattacku2.
Step 2
Display the Command options available in the first level of the CLI, the privileged
EXEC mode:
Note
Some of the more notable commands are bolded to assist you in familiarizing yourself with
the CLI.
sensorP# ?
anomaly-detection     Perform an action on the anomaly detection application.
clear
clock
configure
copy
erase
-----------Output Omitted--------------------
Step 3
Step 4
sensorP(config)# ?
banner
default
downgrade
end
exit
no                    Remove configuration.
password
-----------Output Omitted--------------------
Step 5
anomaly-detection
authentication
event-action-rules
-----------Output Omitted--------------------
Step 6
Step 8
default
exit
global-parameters
no
show
virtual-sensor
Step 10
Display the commands available from the event action rules configuration mode:
sensorP(config-eve)# ?
default
exit
filters
general
no
overrides
show
target-value
variables
Step 11
default
exit
network-settings
ntp-option
password-recovery
show
summertime-option
time-zone-settings
Step 14
Display the commands that are available from the interface configuration mode:
sensorP(config-int)# ?
bypass-mode
default
exit
inline-interfaces
interface-notifications
no
physical-interfaces
show
Step 17
Display the commands that are available from signature definition mode:
sensorP(config-sig)# ?
application-policy
default
exit
fragment-reassembly
ip-log                IP log configuration
no
show
signatures            Signature definitions
stream-reassembly
variables
Step 20
Display the configuration options and settings for a specific signature by completing
the following substeps:
1. Enter configuration mode for signature 12505, subsignature 3 (H225: SETUP
fixed signature 1):
sensorP(config-sig)# signatures 12505 3
sensorP(config-sig-sig)#
alert-severity
default
engine                Select an engine
event-counter
exit
promisc-delta
show
sig-description       Description of signature
sig-fidelity-rating
specify-mars-category
status
false <defaulted>
event-counter
-----------------------------------------------
   event-count: 1 <defaulted>
   event-count-key: Axxx <defaulted>
   specify-alert-interval
   -----------------------------------------------
      no
      -----------------------------------------------
   -----------------------------------------------
-----------------------------------------------
alert-frequency
-----------------------------------------------
   summary-mode
   -----------------------------------------------
      fire-once
      -----------------------------------------------
         summary-key: AaBb <defaulted>
         specify-global-summary-threshold
         -----------------------------------------------
            no
            -----------------------------------------------
         -----------------------------------------------
      -----------------------------------------------
   -----------------------------------------------
-----------------------------------------------
status
-----------------------------------------------
   enabled: true <defaulted>
   retired: false <defaulted>
   obsoletes (min: 0, max: 65535, current: 0)
   -----------------------------------------------
-----------------------------------------------
vulnerable-os: general-os <defaulted>
specify-mars-category
-----------------------------------------------
   yes
   -----------------------------------------------
      mars-category: Info/Misc <protected>
   -----------------------------------------------
-----------------------------------------------
event-action
exit
message-type
no
policy-type
show
specify-field-name
-----------Output Omitted--------------------
Step 21
Activity Verification
You have completed this task when you have accessed each specified mode and familiarized
yourself with the options available within the mode.
Activity Procedure
Complete these steps:
Step 1
Enter the banner login command to begin creating the login banner:
sensorP(config)# banner login
Banner[]:
Step 4
Press Enter.
Note
Step 5
The following characters are inserted at the end of the line of text each time you press Ctrl-V
and then press Enter: ^M
Step 6
Step 7
Press Enter.
Step 8
Step 9
Press Enter.
sensorP(config)#
Activity Verification
You have completed this task when your login banner is displayed before the sensor login
prompt.
Activity Procedure
Complete these steps:
Step 1
Display the backed-up configuration file and observe your allowed hosts:
sensorP# more backup-config
! ------------------------------
! Current configuration last modified Fri Feb 23 13:20:11 2007
! ------------------------------
! Version 6.0(1)
! Host:
!     Realm Keys          key1.0
! Signature Definition:
!     Signature Update    S263.0   2006-12-18
!     Virus Update        V1.2     2007-11-24
! ------------------------------
service interface
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
network-settings
host-ip 10.0.P.4/24,10.0.P.2
host-name sensorP
telnet-option disabled
access-list 10.0.P.12/32
access-list 10.0.Q.0/24
login-banner-text AUTHORIZED ACCESS ONLY!
This system is the property of Cisco Systems.
Disconnect IMMEDIATELY if you are not an authorized user.
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
exit
! ------------------------------
service signature-definition sig0
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
exit
! ------------------------------
service anomaly-detection ad0
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service analysis-engine
exit
Step 3
sensorP(config-hos)#
!     Realm Keys          key1.0
! Signature Definition:
!     Signature Update    S263.0   2006-12-18
!     Virus Update        V1.2     2007-11-24
! ------------------------------
service interface
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
network-settings
host-ip 10.0.P.4/24,10.0.P.2
host-name sensorP
telnet-option disabled
access-list 10.0.P.12/32
access-list 10.0.Q.0/24
access-list 10.10.10.10/32
login-banner-text AUTHORIZED ACCESS ONLY!
This system is the property of Cisco Systems.
Disconnect IMMEDIATELY if you are not an authorized user.
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
exit
! ------------------------------
service signature-definition sig0
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
exit
! ------------------------------
service anomaly-detection ad0
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service analysis-engine
exit
Step 13
Activity Verification
You have completed this task when you verify that the allowed host you added in this task is
removed when you restore the original configuration from backup.
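The allowed-host check in this task can also be audited from the configuration text itself rather than by eye. The following Python script is an added example, not part of the Cisco lab guide or of the sensor software: it extracts the access-list entries from the service host block of a backup and a running configuration, reports which entries were added or removed (the 10.10.10.10/32 host of this task), and tests whether a given management client falls inside an allowed entry. The two sample configurations are constructed from the output shown above, with the pod letters P and Q replaced by the assumed pod numbers 1 and 2.

```python
"""Added example (not from the Cisco lab guide): audit the allowed-host
access-list of a Cisco IPS 'service host' configuration block.
Sample configurations are constructed; pod numbers 1 and 2 are assumed."""
import ipaddress
import re
from typing import List, Set, Tuple

# Constructed sample: the 'service host' block of the backed-up configuration.
BACKUP_CONFIG = """\
! ------------------------------
service host
network-settings
host-ip 10.0.1.4/24,10.0.1.2
host-name sensorP
telnet-option disabled
access-list 10.0.1.12/32
access-list 10.0.2.0/24
login-banner-text AUTHORIZED ACCESS ONLY!
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
exit
! ------------------------------
service logger
exit
"""

# Constructed sample: the running configuration after the extra host was added.
RUNNING_CONFIG = BACKUP_CONFIG.replace(
    "access-list 10.0.2.0/24\n",
    "access-list 10.0.2.0/24\naccess-list 10.10.10.10/32\n",
)

ACL_RE = re.compile(r"^\s*access-list\s+(\S+)\s*$")


def allowed_hosts(config_text: str) -> Set[ipaddress.IPv4Network]:
    """Return the networks named by access-list lines inside 'service host'.
    Lines in other service blocks are ignored so an access-list keyword
    elsewhere in the file cannot pollute the result."""
    hosts: Set[ipaddress.IPv4Network] = set()
    in_host_block = False
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("service "):
            in_host_block = stripped == "service host"
            continue
        if in_host_block:
            m = ACL_RE.match(line)
            if m:
                hosts.add(ipaddress.ip_network(m.group(1), strict=False))
    return hosts


def acl_diff(old_text: str, new_text: str) -> Tuple[List, List]:
    """Entries present only in the new config (added) and only in the old (removed)."""
    old, new = allowed_hosts(old_text), allowed_hosts(new_text)
    return sorted(new - old), sorted(old - new)


def is_permitted(config_text: str, client_ip: str) -> bool:
    """True if client_ip lies within any allowed-host entry of the config."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in allowed_hosts(config_text))


if __name__ == "__main__":
    added, removed = acl_diff(BACKUP_CONFIG, RUNNING_CONFIG)
    print("added since backup:  ", [str(n) for n in added])
    print("removed since backup:", [str(n) for n in removed])
    print("peer PC permitted:   ", is_permitted(RUNNING_CONFIG, "10.0.2.12"))
```

Running acl_diff with the arguments reversed (running configuration first, backup second) lists 10.10.10.10/32 under removed, which is exactly the state this task asks you to verify after the restore.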
Activity Procedure
Complete these steps:
Step 1
Display only the status events that have occurred since 8:00 this morning.
Note
The following command and command output are an example. The command that you enter should contain the current date and produce output that is similar to the example. You can press Ctrl-C at any time to return to the CLI prompt.
Step 4
When asked if you want to continue with the clear events command, enter yes.
Warning: Executing this command will remove all events
currently stored in the Event Store.
Continue with clear? : yes
sensorP#
Verify that events have been cleared from the Event Store by again displaying all
events that have occurred since 8:00 a.m. this morning:
sensorP# show events 8:00 april 1 2007 (insert your date)
Step 6
The sensor might appear to be stalled at this point because there should be no events to
display.
Activity Verification
You have completed this task when you attain these results:
You have cleared all events from the Event Store and verified that there are no longer any
events in the Event Store.
Activity Objective
In this activity, you will launch and navigate the Cisco IDM and use it to perform basic
administrative and configuration tasks. After completing this activity, you will be able to meet
these objectives:
Configure the sensor in various bypass modes and test its functionality
Visual Objective
The figure illustrates what you will accomplish in this activity.
Figure: Lab topology. Devices: RBB, prP, prQ, sensorP, sensorQ, routerP, routerQ, RTS, Student PCs. Networks: 172.26.26.0 (hosts .50 and .150), 172.30.P.0, 172.30.Q.0, 172.16.P.0, 172.16.Q.0, 10.0.P.0, 10.0.Q.0. Sensors are at .4 of their pod network, RTS at .100, the student PCs at 10.0.P.12 and 10.0.Q.12; router interfaces e0/0 and e0/1 use .1 and .2.
Activity Procedure
Complete these steps:
Step 1
Launch your web browser and specify the sensor as the location. To do this, enter
the following URL in the address field of your web browser:
https://10.0.P.4
Step 4
Step 5
Click OK.
Step 6
The Warning Security window opens asking if you want to accept the certificate
from your sensor 10.0.P.4.
Step 7
Click Yes.
Step 8
Another Warning Security window opens asking if you want to trust the signed
applet distributed by Cisco Systems.
Step 9
Click Yes.
Step 10
Wait while the Cisco IDM loads the current configuration from the sensor.
Activity Verification
You have completed this task when you are logged into the Cisco IDM GUI.
Activity Procedure
Complete these steps:
Step 1
Step 2
Step 3
Choose Sensor Setup > Certificates > Server Certificate. The server certificate is
displayed in the Server Certificate panel.
Activity Verification
You have completed this task when you have verified the network settings of the sensor and
displayed its server certificate.
Activity Procedure
Step 1
1. Choose Configuration > Sensor Setup > SSH > Sensor Key. The Sensor Key panel displays the SSH sensor key.
2. Click Generate Key. The Warning window opens.
3. Click OK. The Information window opens, informing you that the key was successfully generated.
4. Click OK.
Step 2
Complete the following substeps to verify that the security warning is displayed
again when you attempt to connect to the sensor using SSH:
1. Double-click the Tera Term icon on your desktop. The Tera Term: New Connection window opens.
2. Enter the IP address of your sensor, 10.0.P.4, in the Host field (where P = pod number).
3. Click the SSH radio button.
4. Click OK. A new Security Warning window opens.
5. Click Yes.
6. Enter cisco in the Username field.
7. Enter iattacku2 in the Passphrase field.
8. Click OK. The sensor CLI is displayed in the Tera Term window.
9. Close the Tera Term window.
10. Click Disconnect. The Tera Term and Security Warning windows close.
Note
If you are unable to establish an SSH session after generating a new SSH sensor key, reboot the sensor or the computer or both. Then repeat Step 2.
Activity Verification
You have completed this task when you have successfully generated a new SSH sensor key and
successfully reconnected to the sensor via SSH.
Activity Procedure
Step 1
1. Choose Configuration > Sensor Setup > Allowed Hosts. The Allowed Hosts panel is displayed.
2. Choose your peer network, 10.0.Q.0, from the allowed hosts list (where Q = peer pod number).
3. Click Edit. The Edit Allowed Host window opens.
4. Change the IP address to 10.0.Q.12 (where Q = peer pod number).
5. Choose 255.255.255.255 from the Network Mask drop-down menu to change the network mask.
6. Click OK. The edited IP address is displayed in the allowed hosts list.
7. Click Apply.
Step 2
Complete the following substeps to configure the event display and view events
resulting from the configuration change:
1. Choose Monitoring > Events. The Events panel is displayed.
You may need to click Next several times to locate the editConfigDeltaHost entry.
Click Details. The Details For window opens. Notice that the following information about the configuration
change is displayed:
Name of user who made the change (cisco)
IP address of the host from which the change was initiated (10.0.P.12)
Step 3
Step 4
Activity Verification
You have completed this task when you have displayed a status event in the Cisco IDM Event
Viewer window.
Activity Procedure
Complete these steps:
Step 1
Choose Configuration > Sensor Setup > Allowed Hosts. The Allowed Hosts panel
is displayed.
Step 2
Step 3
Choose another peer to function as a secondary. Now enter your secondary peer IP
address, 10.0.S.12, in the IP Address field.
Step 4
Step 5
Step 6
Step 7
Step 9
Step 10
Activity Verification
You have completed this task when the new host address and network address are displayed in
the Allowed Hosts panel.
Activity Procedure
Step 1
1. Choose Configuration > Sensor Setup > Users. The Users panel is displayed.
2. Click Add. The Add User window opens.
3. Enter admin in the Username field.
4. Choose Administrator from the User Role drop-down menu.
5. Enter adminpass in the Password field.
6. Enter adminpass again in the Confirm Password field.
7. Click OK. The user admin is displayed in the Users panel.
8. Click Add. The Add User window opens.
9. Enter oper in the Username field.
10. Choose Operator from the User Role drop-down menu.
11. Enter operpass in the Password field.
12. Enter operpass again in the Confirm Password field.
13. Click OK. The user oper is displayed in the Users panel.
14. Click Add. The Add User window opens.
15. Enter serv in the Username field.
16. Choose Service from the User Role drop-down menu.
17. Enter servpass in the Password field.
18. Enter servpass again in the Confirm Password field.
19. Click OK. The user serv is displayed in the Users panel.
20. Click Apply.
Complete the following substeps to test the user accounts:
1. Access the terminal server as directed by your instructor.
2. Access the sensor via its console port as directed by your instructor:
3. Log into the CLI:
sensor login: cisco
Password: iattacku2
    CLI ID   User     Privilege
    2082     cisco    administrator
             admin    administrator
             oper     operator
             serv     service
sensorP#
sensorP# exit
sensorP login:
***LICENSE NOTICE***
There is no license key installed on the IDS-4215.
The system will continue to operate with the currently
installed signature set. A valid license must be
obtained in order to apply signature updates. Please
go to http://www.cisco.com/go/license to obtain a new
license or to install a license.
sensorP#
sensorP(config-hos)#
sensorP(config)#
Activity Verification
You have completed this task when you attain these results:
The show users all command output displays the following user accounts:
cisco    administrator
admin    administrator
oper     operator
serv     service
You verify that a user with operator privileges cannot modify the allowed host list of the
sensor or create user accounts.
Activity Procedure
Complete these steps:
Step 1
Step 2
Step 3
Click Enable.
Step 4
Step 5
Click Enable.
Step 6
Verify that Yes is displayed in the Enabled column for both interfaces.
Step 7
Activity Verification
You have completed this task when the Enabled column of the Interfaces panel displays Yes for
FastEthernet0/1 and FastEthernet1/0.
Activity Procedure
Complete these steps:
Step 1
Choose Configuration > Interface Configuration > Interface Pairs. The Interface
Pairs panel is displayed.
Step 2
Step 3
Step 4
Choose FastEthernet0/1 (or GigabitEthernet 0/0) from the Select Two Interfaces
list.
Step 5
Hold down the shift key and choose FastEthernet1/0 (GigabitEthernet 0/1) from the
Select Two Interfaces list.
Step 6
Click OK. The interface pair is displayed in the Interface Pairs panel.
Step 7
Activity Verification
You have completed this task when the interface pair MyPair is displayed in the Interface Pairs
panel.
Activity Procedure
Complete these steps:
Step 1
Choose Configuration > Analysis Engine > Virtual Sensor. The Virtual Sensor
panel is displayed.
Step 2
Step 3
Step 4
Click Assign. The interface pair now has Yes under the Assigned column.
Step 5
Click OK. The interface pair is displayed in the Assigned Interfaces (or Interface
Pairs) column of the Virtual Sensor panel.
Step 6
Activity Verification
You have completed this task when the interface pair MyPair is displayed in the Assigned
Interfaces (or Interface Pairs) column of the Virtual Sensor panel.
Activity Procedure
Step 1
Open a Windows command prompt and start a continuous ping from your student
PC to the superserver.
C:\>ping 172.26.26.50 -t
Open another Windows command prompt and establish an FTP session to the superserver.
C:\>ftp 172.26.26.50
Connected to 172.26.26.50.
220 2KQ Microsoft FTP Service (Version 5.0).
User (172.26.26.50:(none)):
Step 4
Enter an invalid password three times to trigger the FTP authorization failure
signature by completing the following substeps:
1. Attempt to log in with the username administrator and an invalid password:
User (172.26.26.50:(none)): administrator
331 Password required for user.
Password: badpass
530 User administrator cannot log in.
Login failed.
ftp>
ftp>
Verify that the alert for the FTP authorization failure signature is displayed in the
CLI.
Step 6
Step 7
Step 8
1. Choose Configuration > Interface Configuration > Bypass. The Bypass panel
is displayed.
2. Choose On (Never Inspect Inline Traffic) from the Bypass Mode drop-down
menu.
3. Click Apply. The Bypass window opens.
4. Click OK. The Warning window opens.
5. Click OK.
Verify that traffic is still flowing through the sensor by verifying that the continuous
ping is still working.
Establish an FTP session to the superserver.
C:\>ftp 172.26.26.50
Connected to 172.26.26.50.
220 2KQ Microsoft FTP Service (Version 5.0).
User (172.26.26.50:(none)):
View the CLI to verify that traffic was not inspected by the sensor, and therefore, the
FTP authorization failure signature did not fire to generate an alert.
Step 11
Complete the following substeps to set the bypass mode back to Auto:
1. Choose Configuration > Interface Configuration > Bypass. The Bypass panel is displayed.
2. Choose Auto (Bypass Inspection When Analysis Engine Is Stopped) from the
Bypass Mode drop-down menu.
3. Click Apply. The Bypass window opens.
4. Click OK.
Activity Verification
You have completed this task when you attain these results:
You verify that traffic is not inspected when bypass mode is set to On.
You verify that traffic is inspected when bypass mode is set to Auto.
Activity Procedure
Complete these steps:
Step 1
Choose Configuration > Reboot Sensor. The Reboot Sensor panel is displayed.
Step 2
Step 3
Q1)
Q2)
Why? ____________________________________________________
Step 4
Activity Verification
You have completed this task when you have rebooted the sensor via the Cisco IDM.
Activity Objective
In this activity, you will manipulate built-in signatures and test their implementation.
After completing this activity, you will be able to meet these objectives:
Deny and then remove an attacker from the denied hosts list
Visual Objective
The figure illustrates what you will accomplish in this activity.
[Figure: lab topology diagram (image not recoverable). Labels include the superserver (.50) and RBB (.150) on 172.26.26.0; networks 172.30.P.0, 172.30.Q.0, 172.16.P.0, 172.16.Q.0, 10.0.P.0 and 10.0.Q.0; devices prP, prQ, sensorP (.4), sensorQ (.4), routerP, routerQ and RTS; student PCs 10.0.P.12 and 10.0.Q.12.]
Activity Procedure
Complete these steps:
Step 1
https://10.0.P.4
(where P = pod number)
Step 2
2. When the Security Alert window opens, click Yes. The Enter Network Password
window opens.
3. Enter cisco in the Username text box.
4. Enter iattacku2 in the Password text box.
5. Click OK. The Warning Security window opens asking if you want to accept
the certificate from your sensor 10.0.P.4.
6. Click Yes. Another Warning Security window opens asking if you want to
trust the signed applet distributed by Cisco Systems.
7. Click OK. Wait while Cisco IDM loads the current configuration from the
sensor.
From your student PC, ping the superserver. The ping should succeed.
C:\>ping 172.26.26.50
Step 3
1. Choose Configuration > Policies > Signature Definitions > sig0 > Signature
Configuration. The Signature Configuration panel is displayed.
2. Choose Sig ID from the Select By drop-down menu.
3. Enter 2004 in the Enter Sig ID field.
4. Click Find. Signature 2004, ICMP echo request, is displayed.
5. Choose signature 2004.
6. Click Enable.
7. Click Actions. The Assign Actions window opens.
8. Check the Deny Packet Inline check box, and verify that the Produce Alert check box is also selected.
9. Click OK. The new configuration is displayed in the Signature Configuration panel.
10. Click Apply.
Step 4
Complete the following substeps to test your configuration:
1. From your student PC, ping the superserver. The ping should now fail.
C:\>ping 172.26.26.50
Step 5
Step 6
Click Close in the Event Viewer window. The Event Viewer closes.
Step 7
Complete the following substeps to modify the actions for signature 2004:
1. Choose Configuration > Policies > Signature Definitions > sig0 > Signature Configuration. The Signature
Configuration panel is displayed.
2. Choose the 2004 signature.
3. Click Actions. The Assign Actions window opens.
4. Uncheck the Deny Packet Inline check box.
5. Check the Deny Attacker Inline check box.
6. Click OK.
7. Click Apply.
Step 8
Complete the following substeps to test your configuration:
1. Use Telnet to connect to your perimeter router. Telnet should be successful.
C:\>telnet 172.16.P.1
From your perimeter router, ping your student PC. The ping should fail.
prP# ping 10.0.P.12
Click Close in the Event Viewer window. The Event Viewer closes.
Activity Verification
You have completed this task when signature 2004, ICMP Echo Request, produces an alert and
takes the specified actions.
Activity Procedure
Complete these steps:
Step 1
Choose Monitoring > Denied Attackers. The Denied Attackers panel displays the
IP address of your peer perimeter router.
Step 2
Step 3
Click Clear List. The Clear All Denied Attackers Entries window opens asking if
you are sure you want to remove all IP addresses from the denied attackers list.
Step 4
Click Yes. The IP address of the perimeter router of your peer is removed from the
Denied Attackers panel.
Step 5
Complete the following substeps to change the action for signature 2004 back to
Produce Alert only:
1. Choose Configuration > Policies > Signature Definitions > sig0 > Signature
Configuration. The Signature Configuration panel is displayed.
2. Choose the 2004 signature.
3. Click Actions. The Assign Actions window opens.
4. Uncheck the Deny Attacker Inline check box.
5. Click OK.
6. Click Apply.
Step 6
From your perimeter router, ping your student PC. The pings should now succeed.
prP# ping 10.0.P.12
Activity Verification
You have completed this task when you have removed the IP address of the perimeter router of
your peer from the denied attackers list.
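The difference this task demonstrates is between dropping only the offending packet and dropping everything from the offending source until the denied attackers list is cleared. The following added example (not part of the lab guide or of Cisco IPS code) models both actions for signature 2004 with a toy inline sensor; the packet format, the `InlineSensor` class and the pod-1 addresses used in `run_lab_scenario` are constructed for illustration.

```python
from dataclasses import dataclass

SIG_ICMP_ECHO = 2004   # signature ID from the lab: ICMP echo request


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "icmp" or "tcp"
    info: int    # ICMP type (8 = echo request) or TCP destination port


class InlineSensor:
    """Toy inline sensor with one signature (2004) and configurable actions."""

    def __init__(self, actions):
        # actions: e.g. {"produce-alert", "deny-packet-inline"}
        self.actions = set(actions)
        self.denied_attackers = set()   # what Monitoring > Denied Attackers lists
        self.alerts = []

    def match(self, pkt):
        if pkt.proto == "icmp" and pkt.info == 8:
            return SIG_ICMP_ECHO
        return None

    def inspect(self, pkt):
        """Return 'forward' or 'drop' for one packet, recording any alert."""
        # Deny Attacker Inline: every later packet from a denied source is
        # dropped, whatever it carries, until the list is cleared.
        if pkt.src in self.denied_attackers:
            return "drop"
        sig = self.match(pkt)
        if sig is None:
            return "forward"
        if "produce-alert" in self.actions:
            self.alerts.append((sig, pkt.src, pkt.dst))
        if "deny-attacker-inline" in self.actions:
            self.denied_attackers.add(pkt.src)
            return "drop"
        if "deny-packet-inline" in self.actions:
            return "drop"   # only the packet that matched is dropped
        return "forward"

    def clear_denied_attackers(self):
        """Equivalent of Clear List in the Denied Attackers panel."""
        self.denied_attackers.clear()


def run_lab_scenario(actions):
    """Replay the lab traffic: PC telnets to the router, the router pings the PC,
    the router sends other traffic, the list is cleared, the router tries again."""
    sensor = InlineSensor(actions)
    pc, router = "10.0.1.12", "172.16.1.1"   # constructed pod-1 addresses
    verdicts = [
        sensor.inspect(Packet(pc, router, "tcp", 23)),   # telnet PC -> router
        sensor.inspect(Packet(router, pc, "icmp", 8)),   # ping router -> PC
        sensor.inspect(Packet(router, pc, "tcp", 23)),   # non-matching traffic from router
    ]
    denied_before_clear = set(sensor.denied_attackers)
    sensor.clear_denied_attackers()
    verdicts.append(sensor.inspect(Packet(router, pc, "tcp", 23)))
    return verdicts, denied_before_clear, len(sensor.alerts)
```

With Deny Packet Inline only the echo request is dropped and the router's other traffic still passes; with Deny Attacker Inline the router's address lands in the denied attackers list and all of its traffic is dropped until Clear List is used.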
Activity Procedure
Step 1
Complete the following substeps to configure the Cisco IDM events display:
Step 2
Step 6
Choose each signature and examine its severity level and other parameters.
Activity Verification
You have completed this task when you attain these results:
The Cisco IDM Event Viewer window displays alerts generated by the following signatures:
You have examined the severity levels and risk ratings for the alerts generated by the following
signatures:
Activity Objective
In this activity, you will use the Cisco IDM to tune and create signatures to meet the
requirements of a given security policy. After completing this activity, you will be able to meet
these objectives:
Use the Cisco IDM to modify multiple settings on a signature and then verify the
modifications
Restore previously modified signature settings to their defaults and then verify the restoration
Use the Cisco IDM to modify multiple settings in the FTP authorization failure signature
and then verify the modifications
Enable the sensor application policy enforcement and test AIC HTTP signatures
Create a custom signature by using the Cisco IDM signature wizard while specifying the
signature engine
Use the Cisco IDM to delete the custom signature just created in one of the pods
Create a custom signature by using the Cisco IDM signature wizard without specifying the
signature engine
Visual Objective
The figure illustrates what you will accomplish in this activity.
[Figure: lab topology diagram (image not recoverable). Labels include the superserver (.50) and RBB (.150) on 172.26.26.0; networks 172.30.P.0, 172.30.Q.0, 172.16.P.0, 172.16.Q.0, 10.0.P.0 and 10.0.Q.0; devices prP, prQ, sensorP (.4), sensorQ (.4), routerP, routerQ and RTS; student PCs 10.0.P.12 and 10.0.Q.12.]
Activity Procedure
Step 1
1. Choose Configuration > Policies > Signature Definitions > sig0 > Signature Configuration. The Signature
Configuration panel is displayed.
2. Choose Sig ID from the Select By drop-down menu.
3. Enter 2004 in the Enter Sig ID field.
4. Click Find. Signature 2004 is displayed in the Signature Configuration panel.
5. Choose signature 2004.
6. Click Edit. The Edit Signature window opens.
7. Click on the Alert Severity field.
8. Choose Medium from the Alert Severity drop-down menu.
9. Scroll down to the Alert Frequency parameters.
10. If necessary, click the Alert Frequency icon to expand the Alert Frequency parameters.
11. Click on the Summary Mode field.
12. Choose Fire All from the Summary Mode drop-down menu.
13. Click OK. The Signature Configuration panel is displayed.
14. Click Apply.
Step 2
Complete the following substeps to test the tuned signature:
Open a Windows command prompt and ping your perimeter router:
C:\>ping 172.16.P.1
Step 4
Complete the following substeps to test the changes that you made to your tuned
signature:
Open a Windows command prompt and use Telnet to connect to your perimeter router:
C:\>telnet 172.16.P.1
Verify that two alerts were generated when you pinged your perimeter router this time.
Step 8
Complete the following substeps to configure an alert interval for signature 2004:
1. Verify that signature 2004 is selected in the Signature Configuration panel.
2. Click Edit. The Edit Signature window opens.
3. Click the Specify Alert Interval value and choose Yes from the drop-down menu.
4. Verify that 60 is displayed in the Alert Interval field.
5. Click OK. The Signature Configuration panel is displayed.
6. Click Apply.
Step 9
Complete the following substeps to test the alert interval:
1. From your student PC, ping your perimeter router, 172.16.P.1.
C:\>ping 172.16.P.1
Step 11
1. Verify that the 2004 signature is selected in the Signature Configuration panel.
2. Click Edit. The Edit Signature window opens.
3. Scroll down to the Alert Frequency parameters.
4. Choose Yes from the Specify Summary Threshold drop-down menu.
5. Click the Summary Threshold field.
6. Enter 6 in the Summary Threshold field.
7. Click the Summary Interval field.
8. Enter 60 in the Summary Interval field.
9. Click OK. The Signature Configuration panel is displayed.
10. Click Apply.
Complete the following substeps to test the alert frequency parameters:
1. Open a Windows command prompt and start a continuous ping to your
perimeter router:
C:\>ping 172.16.P.1 -t
Specify that you want to see the events of the past 5 minutes.
Click View. The Event Viewer window opens.
2. Verify that your sensor sends a summary alert to the Event Store by clicking
Details.
Q1)
Q2)
Why? _____________________________________________________________
Step 12
Step 13
Step 14
Q2)
Why? _____________________________________________________________
Step 15
Step 16
Activity Verification
You have completed this task when you attain these results:
Your sensor generates alerts for signature 2004 only when ICMP echo requests are from
your student PC.
Your sensor generates only one alert for the 2004 signature every 60 seconds.
After your sensor generates six alerts in 60 seconds for signature 2004, it automatically
begins summarizing the alerts for the specified address set.
After your sensor generates nine alerts in 60 seconds for signature 2004, it automatically
begins globally summarizing the alerts for that signature.
Activity Procedure
Step 1
Complete the following substeps to restore the default settings to signature 2004:
Why? ____________________________________________________________
Close the Windows command window.
Activity Verification
You have completed this task when your sensor no longer generates alerts for signature 2004.
Activity Procedure
Step 1
Complete the following substeps to tune the FTP authorization failure signature:
1. In the Cisco IDM window, choose Configuration > Policies > Signature
Definitions > sig0 > Signature Configuration. The Signature Configuration
panel is displayed.
2. Choose Other Services from the Select By drop-down menu.
3. Choose FTP from the Select Service drop-down menu. The Service FTP signatures are displayed.
4. Use the scroll bar to locate signature 6250, FTP authorization failure.
5. Choose the signature.
6. Click Edit. The Edit Signature window opens.
7. Click the Alert Severity field.
8. Choose High from the Alert Severity drop-down menu.
9. If necessary, click the Engine icon to expand the string TCP engine-specific parameters.
10. Click the Event Action field.
11. Choose Deny Connection Inline and Produce Alert from the Event Action list.
Note
Hold down the Ctrl key while choosing Produce Alert from the Event Action list. Holding
down the Ctrl key enables you to choose more than one action at a time.
Step 3
You may not see the Connection closed by remote host message immediately.
Complete the following substeps to verify the configuration of the FTP authorization
failure signature:
Activity Verification
You have completed this task when you attain these results:
Your sensor generates one high-severity alert each time that it detects three failed FTP
login attempts from a different student PC.
The sensor denies the FTP connection after any peer makes three unsuccessful attempts to
log into your FTP server.
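The detection behind this verification is a per-connection count of failed logins that, at the third failure, raises one high-severity alert and denies the connection. The following added example (not part of the lab guide or of the sensor's code) runs that logic over a constructed reply log; the log format (`<client ip>:<client port> < <ftp reply>`), the `detect_ftp_auth_failures` function and the sample addresses are assumptions made for the illustration, while the signature ID 6250, the threshold of three failures and the reply texts come from the lab.

```python
import re
from collections import defaultdict

SIG_FTP_AUTH_FAILURE = 6250   # signature ID from the lab
FAIL_THRESHOLD = 3            # failed logins per connection before the signature fires

# Constructed server-to-client reply log: "<client ip>:<client port> < <ftp reply>"
SAMPLE_REPLIES = [
    "10.0.1.12:1034 < 220 2KQ Microsoft FTP Service (Version 5.0).",
    "10.0.1.12:1034 < 331 Password required for user.",
    "10.0.1.12:1034 < 530 User administrator cannot log in.",
    "10.0.2.12:1051 < 220 2KQ Microsoft FTP Service (Version 5.0).",
    "10.0.2.12:1051 < 331 Password required for user.",
    "10.0.2.12:1051 < 530 User administrator cannot log in.",
    "10.0.1.12:1034 < 331 Password required for user.",
    "10.0.1.12:1034 < 530 User administrator cannot log in.",
    "10.0.1.12:1034 < 331 Password required for user.",
    "10.0.1.12:1034 < 530 User administrator cannot log in.",   # third failure
    "10.0.1.12:1034 < 230 User logged in.",                     # never delivered: connection denied
]

REPLY_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+<\s+(?P<code>\d{3})\s(?P<text>.*)$"
)


def detect_ftp_auth_failures(lines, threshold=FAIL_THRESHOLD):
    """Count 530 replies per client connection; fire once at `threshold` and
    deny the rest of that connection. Returns (alerts, denied connections)."""
    failures = defaultdict(int)
    denied = set()
    alerts = []
    for line in lines:
        m = REPLY_RE.match(line)
        if not m:
            continue   # not a reply line; ignore
        conn = (m["ip"], int(m["port"]))
        if conn in denied:
            continue   # Deny Connection Inline: nothing more passes on this connection
        if m["code"] != "530":
            continue
        failures[conn] += 1
        if failures[conn] == threshold:
            alerts.append({
                "sig_id": SIG_FTP_AUTH_FAILURE,
                "severity": "high",
                "attacker": conn[0],
                "failures": failures[conn],
                "actions": ["produce-alert", "deny-connection-inline"],
            })
            denied.add(conn)
    return alerts, denied
```

Only the client that fails three times on one connection produces an alert; the peer with a single failure stays below the threshold, which is why the verification speaks of one alert per three failed attempts rather than one alert per failure.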
Activity Procedure
Step 1
Step 2
Step 3
When the default web page for the superserver is displayed, verify that it displays
the following:
Step 4
Step 5
Complete the following substeps to enable the sensor application policy enforcement
feature:
1. In the Cisco IDM, choose Configuration > Policies > Signature Definitions > sig0 > Miscellaneous. The
Miscellaneous panel is displayed.
2. If necessary, click the Application Policy icon to expand the Application Policy options.
3. If necessary, click the HTTP Policy icon to expand the HTTP Policy options.
4. Click the Enable HTTP field.
5. Choose Yes from the Enable HTTP drop-down menu.
6. Click Apply.
Step 6
Complete the following substeps to enable an AIC HTTP signature:
1. Choose Configuration > Policies > Signature Definitions > sig0 > Signature
Configuration. The Signature Configuration panel is displayed.
2. Choose Engine from the Select By drop-down menu.
3. Choose AIC HTTP from the Select Engine drop-down menu. The AIC HTTP signatures are displayed.
4. Choose signature 12621, subsignature 0 (Content Type image/gif Header Check).
5. Click Edit. The Edit Signatures window opens.
6. If necessary, click the Engine icon to expand the engine-specific parameters for the AIC HTTP engine.
7. Examine the default settings for the signature. Do not change them. If you accidentally change a setting
while examining it, click the corresponding icon. When the icon turns green, the setting is returned to the
default.
8. Click Cancel. The Signature Configuration panel is displayed.
9. With the signature still selected, click Enable.
10. Click Apply.
Step 7
Complete the following substeps to test the signature:
1. Open a web browser.
2. Choose Tools > Internet Options. The Internet Options window opens.
3. Click Delete Cookies. The Delete Cookies window opens.
4. Click OK.
5. Click Delete Files. The Delete Files window opens.
6. Check the Delete All Offline Content check box.
7. Click OK.
8. Click Clear History. The Internet Options window opens.
9. Click Yes.
10. Click OK.
11. Close the browser window.
12. Reopen the browser window.
13. Access the default web page of the superserver by entering the following in the Address field:
http://172.26.26.50
14. When the default web page for the superserver is displayed, verify that it displays only the following. The
Cisco logo images, which are .gif files, should not be displayed:
The message Welcome to the SuperServer
Signature Type
Content Types
Pull a JPEG image from the superserver by entering the following in a browser
window. The image should be displayed in your browser window.
http://172.26.26.50/NETSENSOR.jpg
Step 11
Choose Monitoring > Events to verify that the attempt to retrieve the .bmp image
triggered signature 12673:
Activity Verification
You have completed this task when your sensor denies .bmp files and generates an alert when a
.bmp file is requested via HTTP.
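The application policy enforcement tested here is a check of the HTTP response's Content-Type against what the policy permits and against what the body actually carries. The following added example (not part of the lab guide or of the AIC HTTP engine) parses a raw HTTP response and applies both checks: a content type outside the allowed set is denied, and a body whose leading bytes do not match the declared type is denied as well. The signature IDs 12673 (the lab's .bmp case) and 12621 (Content Type image/gif Header Check) come from the lab; the allowed-type set, the magic-byte table, `inspect_http_response` and the `build_response` helper that constructs the sample responses are assumptions for the illustration.

```python
SIG_CONTENT_TYPE_DENIED = 12673   # fired in the lab by the .bmp request
SIG_GIF_HEADER_CHECK = 12621      # "Content Type image/gif Header Check", subsignature 0

# Assumed HTTP policy: what the sensor lets through. image/bmp is deliberately absent.
ALLOWED_CONTENT_TYPES = frozenset({"text/html", "image/gif", "image/jpeg"})

# Leading bytes a body must carry to be what its Content-Type header claims.
MAGIC = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/bmp": (b"BM",),
}


def parse_http_response(raw):
    """Split a raw HTTP/1.x response into (status line, header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.split(b"\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status_line.decode("latin-1"), headers, body


def inspect_http_response(raw, allowed=ALLOWED_CONTENT_TYPES):
    """Return the verdict the policy would give for one server response."""
    _, headers, body = parse_http_response(raw)
    # Drop parameters such as "; charset=..." before comparing the media type.
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in allowed:
        return {"verdict": "deny", "sig_id": SIG_CONTENT_TYPE_DENIED,
                "content_type": ctype, "reason": "Content-Type not permitted by the HTTP policy"}
    magic = MAGIC.get(ctype)
    if magic is not None and not body.startswith(magic):
        # Header check: the body is not the type the header declares. Only the
        # image/gif case is tied to a signature ID named in the lab.
        return {"verdict": "deny",
                "sig_id": SIG_GIF_HEADER_CHECK if ctype == "image/gif" else None,
                "content_type": ctype, "reason": "body does not match the declared Content-Type"}
    return {"verdict": "allow", "sig_id": None, "content_type": ctype, "reason": ""}


def build_response(content_type, body):
    """Constructed 200 OK response used as sample input."""
    head = (f"HTTP/1.1 200 OK\r\nServer: constructed-superserver\r\n"
            f"Content-Type: {content_type}\r\nContent-Length: {len(body)}\r\n\r\n")
    return head.encode("latin-1") + body
```

The header check matters because a client-side filter on the file extension alone says nothing about the bytes a server returns; matching the declared type against the body is what catches a disallowed type served under a permitted header.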
Activity Procedure
Complete these steps:
Step 1
Step 2
Choose Monitor > Events to verify that signatures 5081 and 5114 were generated.
Step 3
Complete the following substeps to create a custom meta signature that fires when
signatures 5081 and 5114 fire from the same attacker within 60 seconds:
1. Choose Configuration > Event Action Rules > rules0 > General Settings.
The General Settings panel is displayed.
2. Verify that the Use Meta Event Generator check box is checked.
3. Choose Configuration > Policies > Signature Definitions > sig0 > Signature Configuration. The Signature
Configuration panel is displayed.
4. Click Add. The Add Signature window opens.
5. Accept the default signature ID.
6. Accept the default subsignature ID.
7. Choose High from the Alert Severity drop-down menu.
8. Click the Sig Fidelity Rating field, and enter 95 in the Sig Fidelity Rating field.
9. If necessary, click the Sig Description icon to expand the Signature Description parameters.
10. Click the Signature Name field.
11. Enter NIMDA in the Signature Name field.
12. Choose Meta from the Engine drop-down menu.
13. Click the Event Action field.
14. Choose Deny Packet Inline and Produce Alert from the Event Action list.
Note
Hold down the Ctrl key while you choose the Deny Packet Inline and Produce Alert
actions from the Event Action list.
15. Click the Component List pencil field. The Component List window opens.
16. Click Add. The Add List Entry window opens.
17. Enter Sig1 in the Entry Key field.
18. Enter the signature ID for the first component signature, 5114, in the Component Sig ID field.
19. Click the Component SubSig ID field.
20. Enter 1, the subsignature ID for the first component signature, in the Component SubSig ID field.
21. Click OK. The entry key is displayed in the Inactive Entries list of the Component List window.
22. Choose Sig1 from the Inactive Entries list.
23. Click Active. The entry key moves to the selected entries list.
24. Click Add again. The Add List Entry window opens.
25. Enter Sig2 in the Entry Key field.
26. Enter the signature ID for the second component signature, 5081, in the Component Sig ID field.
27. Click OK. The entry key is displayed in the Inactive Entries list of the Component List window.
28. Choose Sig2 from the Inactive Entries list.
29. Click Active. The entry key moves to the selected entries list.
30. Click OK. The Add Signature window is displayed.
31. Click OK. The Signature Configuration panel is displayed.
32. Click Apply.
Step 4
Complete the following substeps to keep the sensor from generating alerts for the
component signatures:
1. Choose Sig ID from the Select By drop-down menu.
2. Enter 5114 in the Enter Sig ID field.
3. Click Find. The 5114 signatures are displayed in the Signature Configuration panel.
4. Choose signature 5114, sub-signature 1.
5. Click Actions. The Assign Actions window opens.
6. Deselect Produce Alert.
7. Click OK. The Signature Configuration panel is displayed.
8. Enter 5081 in the Enter Sig ID field.
9. Click Find. The 5081 signature is displayed in the Signature Configuration panel.
10. Choose the signature.
11. Click Actions. The Assign Actions window opens.
12. Uncheck the Produce Alert check box.
13. Click OK. The Signature Configuration panel is displayed.
14. Click Apply.
Step 5
Complete the following substeps to test your configuration:
Enter the following in your browser to attack the superserver:
http://172.26.26.50/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
Choose Monitoring > Events to verify that signatures 5081 and 5114 were not generated and that there was
an alert for the new NIMDA signature.
Activity Verification
You have completed this task when your sensor generates only one meta event when signature
5114, subsignature 1, and signature 5081 fire.
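What the meta event generator does in this task is correlate component alerts by attacker address inside a time window and report one event for the set. The following added example (not part of the lab guide or of the Meta engine) is a simplified model of that correlation: it replays a constructed alert feed, folds 5114/1 and 5081 from the same attacker within 60 seconds into a single NIMDA meta event, and, like the lab's Step 4, leaves the component alerts out of the event store. The component IDs, window and meta signature name come from the lab; the feed format, the `correlate` function and the sample addresses are assumptions for the illustration.

```python
from collections import defaultdict

META_NAME = "NIMDA"
META_WINDOW = 60                                        # seconds, from the lab
META_COMPONENTS = frozenset({(5114, 1), (5081, 0)})     # (sig id, subsig id) from the lab

# Constructed alert feed: (time in seconds, sig id, subsig id, attacker address)
SAMPLE_ALERTS = [
    (0.0, 5114, 1, "10.0.1.12"),
    (0.2, 5081, 0, "10.0.1.12"),    # same attacker, inside 60 s -> one meta event
    (5.0, 2004, 0, "10.0.1.12"),    # unrelated signature passes through unchanged
    (10.0, 5114, 1, "10.0.2.12"),
    (80.0, 5081, 0, "10.0.2.12"),   # 70 s after its partner: outside the window, no meta event
]


def correlate(alerts, components=META_COMPONENTS, window=META_WINDOW, suppress_components=True):
    """Replay alerts in time order and return what the event store would receive.

    Component alerts are folded into one ("meta", t, META_NAME, attacker) event
    once every component has been seen from that attacker within `window`
    seconds. With suppress_components=True the component alerts themselves are
    not emitted, which is the effect of removing Produce Alert from them.
    """
    seen = defaultdict(dict)   # attacker -> {component: time last seen}
    emitted = []
    for t, sig, sub, attacker in sorted(alerts):
        comp = (sig, sub)
        if comp not in components:
            emitted.append(("alert", t, sig, sub, attacker))
            continue
        if not suppress_components:
            emitted.append(("alert", t, sig, sub, attacker))
        # Forget sightings older than the window, then record this one.
        recent = {c: ts for c, ts in seen[attacker].items() if t - ts <= window}
        recent[comp] = t
        if set(recent) == set(components):
            emitted.append(("meta", t, META_NAME, attacker))
            recent = {}   # start over so each complete set yields exactly one meta event
        seen[attacker] = recent
    return emitted
```

Keying the state on the attacker address is what makes the meta event meaningful: the same two component signatures from two different sources are two unrelated observations, not one correlated event.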
Activity Procedure
Step 1
1. Choose Configuration > Policies > Signature Definitions > sig0 > Custom Signature Wizard. The Custom
Signature Wizard panel is displayed.
2. Click Start the Wizard. The Welcome panel is displayed.
3. Click the Yes radio button.
4. Choose Atomic IP from the Select Engine drop-down menu.
5. Click Next. The Signature Identification panel is displayed.
6. Accept the default signature ID.
7. Accept the default subsignature ID.
8. Enter the name SYN23 in the Signature Name field.
9. Click Next. The Engine Specific Parameters panel is displayed.
10. Click the Event Action field.
11. Choose Deny Packet Inline in addition to the Produce Alert from the Event Action list.
Note
Hold down the Ctrl key while you choose Produce Alert and Deny Packet Inline from the
Event Action list.
12. If necessary, click the Specify Layer 4 Protocol icon to expand the protocol parameters.
13. Choose Yes from the Specify Layer 4 Protocol drop-down menu.
14. Choose TCP Protocol from the Layer 4 Protocol drop-down menu.
15. Choose SYN from the TCP Flags list.
16. Choose Syn and Ack from the TCP mask list.
Note
Hold down the Ctrl key while you choose Syn and Ack from the TCP mask list.
17. Choose Yes from the Specify Destination Port Range drop-down menu.
18. Enter 23 in the Destination Port Range field.
19. Click Next. The Alert Response panel is displayed.
20. Enter 90 in the Signature Fidelity Rating field.
21. Choose High from the Severity of the Alert drop-down menu.
22. Click Next. The Alert Behavior panel is displayed.
23. Click Finish. The Create Custom Signature window opens.
24. Click Yes.
Step 2
Complete the following substeps to test the custom signature:
1. Open the Windows command line.
3. Choose Monitoring > Events output to verify that you triggered your custom
signature:
Activity Verification
You have completed this task when sending a SYN packet to port 23 triggers your custom
signature.
Activity Procedure
Step 1
Choose Configuration > Policies > Signature Definitions > sig0 > Signature
Configuration. The Signature Configuration panel is displayed.
Step 2
Step 3
Step 4
Click Find. The SYN23 signature is displayed in the Signature Configuration panel.
Step 5
Step 6
Step 7
Step 8
Click Apply.
Activity Verification
You have completed this task when the Apply button is grayed out, and the SYN23 signature is
no longer displayed in the Signature Configuration panel.
Sends one summary alert when the alert rate exceeds two alerts in 60 seconds for the same
victim address
Sends one global summary alert if the alert rate exceeds four alerts in a 60-second interval
Activity Procedure
Step 1
1. Choose Configuration > Policies > Signature Definitions > sig0 > Custom
Signature Wizard. The Custom Signature Wizard panel is displayed.
2. Click Start the Wizard. The Welcome panel is displayed.
3. Click the No radio button to create a custom signature without using a Signature Engine.
4. Click Next. The Protocol Type panel is displayed.
5. From the Protocol Type panel, choose TCP as the protocol to inspect.
6. Click Next. The TCP Traffic Type panel is displayed.
7. Click the Single TCP Connection radio button.
8. Click Next. The Service Type panel is displayed.
9. Click the Other radio button.
10. Click Next. The Signature Identification panel is displayed.
11. Accept the default signature ID.
12. Accept the default subsignature ID.
13. Enter the name Confidential in the Signature Name field.
14. Click Next. The Engine Specific Parameters panel is displayed.
15. Click the Event Action field.
16. Choose Deny Connection Inline and Produce Alert from the Event Action list.
Tip
Hold down the Ctrl key while you choose Deny Connection Inline and Produce Alert from
the Event Action list.
Choose Monitoring > Events output to verify that your custom signature triggered the alerts as desired.
Activity Verification
You have completed this task when you attain these results:
When you use Telnet to connect to IP address 172.16.P.1, your custom signature triggers an
alert and denies the connection. (where P = pod number)
After the alert rate exceeds two alerts in 60 seconds for the same victim address, the sensor
begins summarizing alerts.
When the alert rate exceeds four alerts in the 60-second interval, the sensor begins global
summarization.
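Both this activity verification and the earlier one for signature 2004 describe the same alert-frequency behaviour: Fire All until an address set exceeds the summary threshold within the summary interval, then one summary alert for that address set, and a single global summary once the signature as a whole exceeds the global summary threshold (6 and 9 alerts in 60 seconds for signature 2004; 2 and 4 for the Confidential signature). The following added example (not part of the lab guide or of the sensor's code) is a simplified model of that summarization that can be run with either pair of thresholds; the `Alert` and `Event` records, the `AlertSummarizer` class, the way an interval is anchored at its first alert and the sample addresses in `demo` are assumptions for the illustration. The Alert Interval setting from Step 8 is not modelled.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Alert:
    t: float        # seconds since the start of the capture
    sig_id: int
    attacker: str
    victim: str


@dataclass(frozen=True)
class Event:
    kind: str               # "alert", "summary" or "global-summary"
    t: float
    sig_id: int
    key: Optional[tuple]    # (attacker, victim) address set; None for a global summary
    count: int              # alerts represented by this event


class AlertSummarizer:
    """Model of Fire All with summary and global summary thresholds for one signature."""

    def __init__(self, sig_id, summary_threshold, global_threshold, interval=60):
        self.sig_id = sig_id
        self.summary_threshold = summary_threshold
        self.global_threshold = global_threshold
        self.interval = interval

    def process(self, alerts):
        """Replay alerts in time order; return the events sent to the event store."""
        events = []
        window_start = None
        total = 0
        counts = defaultdict(int)    # alerts per address set in this interval
        folded = defaultdict(int)    # alerts held back for a per-address-set summary
        global_mode = False
        global_folded = 0

        def flush(now):
            # End of interval: emit the summaries built up during it.
            if global_mode:
                if global_folded:
                    events.append(Event("global-summary", now, self.sig_id, None, global_folded))
            else:
                for key, n in folded.items():
                    if n:
                        events.append(Event("summary", now, self.sig_id, key, n))

        for a in sorted(alerts, key=lambda x: x.t):
            if a.sig_id != self.sig_id:
                continue
            if window_start is None or a.t >= window_start + self.interval:
                if window_start is not None:
                    flush(window_start + self.interval)
                window_start, total = a.t, 0
                counts.clear()
                folded.clear()
                global_mode, global_folded = False, 0
            key = (a.attacker, a.victim)
            total += 1
            counts[key] += 1
            if global_mode:
                global_folded += 1
                continue
            if total > self.global_threshold:
                # Switch to global summarization; pending per-address-set counts merge into it.
                global_mode = True
                global_folded = sum(folded.values()) + 1
                folded.clear()
                continue
            if counts[key] > self.summary_threshold:
                folded[key] += 1
                continue
            events.append(Event("alert", a.t, self.sig_id, key, 1))
        if window_start is not None:
            flush(window_start + self.interval)
        return events


def demo(summary_threshold, global_threshold, n_alerts, gap=1.0):
    """n_alerts echo-request alerts from one student PC to one router, `gap` seconds apart."""
    alerts = [Alert(i * gap, 2004, "10.0.1.12", "172.16.1.1") for i in range(n_alerts)]
    return AlertSummarizer(2004, summary_threshold, global_threshold).process(alerts)


def demo_new_interval():
    """Seven alerts in one interval, then one more after the interval has ended."""
    alerts = [Alert(float(i), 2004, "10.0.1.12", "172.16.1.1") for i in range(7)]
    alerts.append(Alert(70.0, 2004, "10.0.1.12", "172.16.1.1"))
    return AlertSummarizer(2004, 6, 9).process(alerts)
```

With thresholds 6 and 9, ten pings in one minute yield six individual alerts and one global summary covering the other four; with thresholds 2 and 4, five connections yield two alerts and a global summary of three. A new interval starts from Fire All again, which is why a summary is followed by individual alerts once the minute has passed.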
Activity Objective
In this activity, you will use the Cisco IDM to tune a sensor to work optimally in the network.
After completing this activity, you will be able to meet these objectives:
Use the Cisco IDM to configure TVRs, signature severity, and fidelity ratings in order to
formulate an event risk rating
Use the Cisco IDM to create an event action override that adds a deny action to an inbound
packet with a risk rating over 90
Use the Cisco IDM to remove the Deny Packet Inline action for a signature originating in
the DMZ
Visual Objective
The figure illustrates what you will accomplish in this activity.
[Figure: lab topology showing the superserver (172.26.26.50) and RBB on 172.26.26.0, perimeter routers prP/prQ on 172.30.P.0/172.30.Q.0 and 172.16.P.0/172.16.Q.0, sensorP/sensorQ (.4), routerP/routerQ, RTS, and student PCs 10.0.P.12 and 10.0.Q.12 on 10.0.P.0/10.0.Q.0 (IPS v6.0)]
Activity Procedure
Step 1
Complete the following substeps to configure IP logging for the Nmap UDP Port
Sweep signature:
From your student PC, choose Start > Programs > Ethereal > Ethereal. The Ethereal Network Analyzer
window opens.
Choose File > Open. The Ethereal: Open Capture File window opens.
Choose C:\Program Files\Ethereal from the drop-down menu.
Choose IPLog1 from the files list.
Click OK. The IP log is displayed in the IPLog1 Ethereal window.
Remove the Log Attacker Packets action from signature 4003.
Activity Verification
You have completed this task when the IP log generated by the firing of signature 4003 is
displayed in the IPLog1 Ethereal window.
Activity Procedure
Step 1
Complete the following substeps to prepare signature 2004 to be used as the test
signature for this lab exercise:
1. Choose Configuration > Policies > Signature Definitions > sig0 > Signature
Configuration. The Signature Configuration panel is displayed.
2. Choose Sig ID from the Select By drop-down menu.
3. Enter 2004 in the Enter Sig ID field.
4. Click Find. The 2004 signature, ICMP Echo Reply, is displayed in the Signature Configuration panel.
5. Choose the signature.
6. Click Edit. The Edit Signature window opens.
7. If necessary, click the Alert Frequency field to expand the Alert Frequency parameters.
8. Click the Summary Mode field.
9. Choose Fire All from the Summary Mode drop-down menu.
10. If necessary, click the Status field to expand the Status parameters.
11. Click the Enabled field.
12. Choose Yes from the Enabled drop-down menu.
13. Click OK. The Signature Configuration panel is displayed.
14. Click Apply.
Step 2
Complete the following substeps to examine the risk ratings for alerts generated by
signature 2004:
1. Open a Windows command prompt and ping the superserver:
C:\>ping 172.26.26.50
Step 3
Step 4
Click Apply.
Step 6
Step 7
Step 8
Step 9
Complete the following substeps to modify the risk rating of the ping events by
tuning the signature fidelity rating:
1. Choose Configuration > Policies > Signature Definitions > sig0 > Signature
Configuration. The Signature Configuration panel is displayed.
2. Verify that signature 2004 is selected in the Signature Configuration panel.
3. Click Edit. The Edit Signature window opens.
4. Click the Sig Fidelity Rating field.
5. Enter 90 in the Sig Fidelity Rating field.
6. Click OK. The Signature Configuration panel is displayed.
7. Click Apply.
Step 10
Open a Windows command prompt and ping the superserver:
C:\>ping 172.26.26.50
Step 11
Step 12
Step 13
Complete the following substeps to modify the risk ratings by creating target value
ratings:
1. Choose Configuration > Policies > Event Action Rules > rules0 > Event
Action Overrides. The Event Action Overrides panel is displayed.
2. Clear the Use Event Action Overrides check box.
3. Click Apply.
4. Now choose Target Value Rating. The Target Value Rating panel is displayed.
5. Click Add. The Add Target Value Rating window opens.
6. Choose Mission Critical from the Target Value Rating (TVR) drop-down
menu.
7. Highlight and then delete 0.0.0.0-255.255.255.255 from the Target IP
Address(es) field.
8. Enter 172.26.26.50, the IP address of the superserver, in the Target IP
Address(es) field.
9. Enter 10.0.P.12, the IP address of your student PC, in the Target IP Address(es)
field.
10. Click OK. The TVR for your student PC and superserver is displayed in the
Target Value Rating panel.
11. Click Apply.
12. Click Add again. The Add Target Value Rating window opens.
13. Choose Low from the Target Value Rating (TVR) drop-down menu.
14. Highlight and then delete 0.0.0.0-255.255.255.255 from the Target IP
Address(es) field.
15. Enter 172.16.P.1, the IP address of your perimeter router, in the Target IP
Address(es) field.
Step 14
Step 15
Step 16
Activity Verification
You have completed this task when you attain these results:
The risk rating for the event generated when you ping the superserver is 100.
The risk rating for the event generated when you ping your peer pod student PC is 43.
Activity Procedure
Step 1
1. Choose Configuration > Policies > Event Action Rules > rules0 > Event
Action Overrides. The Event Action Overrides panel is displayed.
2. Verify that the Use Event Action Overrides check box is checked.
3. Choose the Event Action labeled Deny Packet Inline.
4. Click Edit. The Add Event Action Override window opens.
5. Verify that the Enabled: Yes radio button is selected.
6. Enter 80 in the Risk Rating: Minimum field.
7. Verify that 100 is displayed in the Risk Rating: Maximum field.
8. Click OK. The event action override is displayed in the Event Action Overrides panel.
9. Click Add. The Add Event Action Override window opens.
10. Choose Produce Verbose Alert from the Event Action drop-down menu.
11. Verify that the Enabled: Yes radio button is selected.
12. Enter 80 in the Risk Rating: Minimum field.
13. Verify that 100 is displayed in the Risk Rating: Maximum field.
14. Click OK. The event action override is displayed in the Event Action Overrides panel.
15. Click Apply.
Step 2
Complete the following substeps to test the event action overrides:
1. Open a Windows command prompt and ping the superserver. The pings should
fail:
C:\>ping 172.26.26.50
Step 3
Step 4
Choose Monitoring > Events to view the risk rating for the events.
Activity Verification
You have completed this task when you attain these results:
When you ping your peer PC, your sensor generates an alert.
When you ping the superserver, your sensor denies the packet and generates a verbose
alert.
Activity Procedure
Step 1
Step 2
Choose Configuration > Policies > Event Action Rules > rules0 > Event
Variables. The Event Variables panel is displayed.
Step 3
Step 4
Step 5
Step 8
Step 9
Click Apply.
Step 12
prP#
Activity Verification
You have completed this task when the event variables DMZ and IN are displayed in the Event
Variables panel.
Activity Procedure
Step 1
Complete the following substeps to verify that your event action override adds the
Deny Packet Inline action to any event with a risk rating over 80:
1. Open a Windows command prompt and ping the superserver. The pings should
fail:
C:\>ping 172.26.26.50
2. From your student PC, use Telnet to connect to your perimeter router:
C:\>telnet 172.16.P.1
Notice that the event variables you created in Task 3 are now used in the alerts to describe
the locality of the attacker and target.
Step 2
Complete the following substeps to create an event action filter that removes the
Deny Packet Inline action if the ping originates from the 172.16.P.0 (DMZ)
network:
1. Choose Configuration > Policies > Event Action Rules > rules0 > Event
Action Filters. The Event Action Filters panel is displayed.
2. Verify that the Use Event Action Filters check box is checked.
3. Click Add. The Add Event Action Filter window opens.
4. Highlight and delete the Name field.
5. Enter PermitDMZ in the Name field.
6. Highlight and delete 900-65535 from the Signature ID text box.
7. Enter 2004 in the Signature ID field.
8. Highlight and delete 0.0.0.0-255.255.255.255 from the Attacker Address field.
9. Enter $DMZ in the Attacker Address field.
10. Choose Deny Packet Inline from the actions to subtract list.
11. Click OK. The filter is displayed in the Event Action Filters panel.
12. Click Apply.
Step 3
Complete the following substeps to test the event action filter:
1. Ping your student PC from your perimeter router again. The ping should
succeed:
prP#ping 10.0.P.12
From your perimeter router ping your student PC. The ping should succeed:
prP#ping 10.0.P.12
Activity Verification
You have completed this task when you attain these results:
The sensor generates a verbose alert when it detects an ICMP echo request originating from
the 172.16.P.0 network and destined for a target with a risk rating over 79.
The sensor generates a verbose alert and denies the packet inline when it detects an ICMP
echo request originating from anywhere except the 172.16.P.0 network and destined for a
target with a risk rating over 79.
The sensor generates an alert when it detects an ICMP echo request originating anywhere
and destined for a target with a risk rating lower than 80.
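The decision these three verification results describe (overrides add actions by risk rating, then the PermitDMZ filter subtracts Deny Packet Inline for DMZ attackers), as an added Python example that is not part of the lab guide. It assumes pod number 1, that the $DMZ event variable resolves to 172.16.1.0/24, that signature 2004 itself only produces an alert, and that overrides are evaluated before filters.

```python
import ipaddress
from dataclasses import dataclass

POD = 1  # assumed pod number: the guide writes addresses as 10.0.P.x and 172.16.P.x

# Assumed resolution of the $DMZ event variable created in Task 3 (its value is not shown here)
EVENT_VARIABLES = {"DMZ": ipaddress.ip_network(f"172.16.{POD}.0/24")}


@dataclass(frozen=True)
class Override:
    """Adds `action` to every event whose risk rating lies within [rr_min, rr_max]."""
    action: str
    rr_min: int
    rr_max: int
    enabled: bool = True


@dataclass(frozen=True)
class Filter:
    """Subtracts `subtract` from events that match the signature IDs and attacker address."""
    name: str
    sig_ids: frozenset
    attacker: str          # a network/address string or a $variable name
    subtract: frozenset


# The two overrides configured in Task 2 (risk rating 80 to 100)
OVERRIDES = (
    Override("deny-packet-inline", 80, 100),
    Override("produce-verbose-alert", 80, 100),
)
# The PermitDMZ filter from Step 2 above
FILTERS = (
    Filter("PermitDMZ", frozenset({2004}), "$DMZ", frozenset({"deny-packet-inline"})),
)


def resolve_address(spec):
    """Turn '$DMZ' or a CIDR/address string into an ip_network for membership tests."""
    if spec.startswith("$"):
        return EVENT_VARIABLES[spec[1:]]
    return ipaddress.ip_network(spec, strict=False)


def event_actions(sig_id, attacker_ip, risk_rating, base_actions=("produce-alert",)):
    """Final action set = signature actions + matching overrides - matching filters.

    Overrides run first, so a filter can remove an action an override added.
    """
    actions = set(base_actions)
    for override in OVERRIDES:
        if override.enabled and override.rr_min <= risk_rating <= override.rr_max:
            actions.add(override.action)
    attacker = ipaddress.ip_address(attacker_ip)
    for flt in FILTERS:
        if sig_id in flt.sig_ids and attacker in resolve_address(flt.attacker):
            actions -= flt.subtract
    return frozenset(actions)


if __name__ == "__main__":
    # Constructed events mirroring the three verification results above
    cases = (("perimeter router in the DMZ", f"172.16.{POD}.1", 100),
             ("student PC, mission-critical target", f"10.0.{POD}.12", 100),
             ("student PC, peer pod PC as target", f"10.0.{POD}.12", 43))
    for who, src, rr in cases:
        print(f"{who:<38} RR={rr:3d} -> {sorted(event_actions(2004, src, rr))}")
```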
Activity Objective
In this activity, you will install, configure, and test Cisco IEV. After completing this activity,
you will be able to meet these objectives:
Log into Cisco IEV and add the sensor as an authorized device
Visual Objective
The figure illustrates what you will accomplish in this activity.
[Figure: lab topology showing the superserver (172.26.26.50) and RBB on 172.26.26.0, perimeter routers prP/prQ on 172.30.P.0/172.30.Q.0 and 172.16.P.0/172.16.Q.0, sensorP/sensorQ (.4), routerP/routerQ, RTS, and student PCs 10.0.P.12 and 10.0.Q.12 on 10.0.P.0/10.0.Q.0 (IPS v6.0)]
Activity Procedure
To install Cisco IEV, follow these steps:
Step 1
Step 2
Locate and double-click the IEV-min-5.2-1.exe file to start the installation wizard.
Step 3
Step 4
To accept the default location for the Cisco IEV files, click Next.
Step 5
Click Next.
Step 6
Click Next.
Step 7
Click Next.
Step 8
Step 9
You must reboot your student PC to complete the Cisco IEV installation. Click OK
to reboot the host.
Activity Verification
You have completed this task when Cisco IEV is installed and the student PC has been
rebooted.
Activity Procedure
Step 1
1. Choose Start > Program Files > Cisco Systems > Cisco IPS Viewer > Cisco
IPS Viewer to open Cisco IEV.
2. Choose File > New > Device.
3. In the Sensor IP Address field, enter the IP address of your sensor, 10.0.P.4. (where P = pod number)
4. In the Sensor Name field, enter sensorP. (where P = pod number)
5. In the User Name field, enter cisco.
6. In the Password field, enter iattacku2.
7. Click OK to apply your changes and close the Device Properties dialog box.
8. Click Yes to accept the certificate.
The sensor now has a red dot next to it signifying that it is connected.
Note
If Cisco IEV cannot connect to the sensor, a red X appears next to the device name to
indicate that no connection is present. Cisco IEV continues trying to connect to the sensor
every 20 seconds until a connection is established or until you delete the device from Cisco
IEV.
Activity Verification
You have completed this task when your Cisco IPS 4200 Series Sensor has been added to Cisco
IEV and has a red dot next to it.
Activity Procedure
Complete these steps:
Step 1
Choose Start > Program Files > Cisco Systems > Cisco IPS Viewer > Cisco IPS
Viewer to open Cisco IEV. Choose Tools > Realtime Dashboard > Launch
Dashboard.
Step 2
Step 5
Activity Verification
You have completed this task when you attain these results:
You have scanned the superserver and peer pod student PC with Blues Port Scanner.
Activity Procedure
Complete these steps:
Step 1
1. Choose Start > Program Files > Cisco Systems > Cisco IPS Viewer > Cisco
IPS Viewer to open Cisco IEV.
2. Choose File > New > Filter.
3. Enter My High Filter in the Filter Name field.
4. Check the By Severity check box and exclude severity levels by checking the Informational, Low, and
Medium check boxes.
5. Click OK to save the filter.
Step 2
To create a view in Cisco IEV, follow these substeps:
1. Choose File > New > View.
2. Enter My High View in the View Name field.
3. Click Use Filter and then choose My High Filter from the drop-down list.
4. Click the Group by Signature Name radio button.
5. In the Column Secondary Sort Order (Initially) field, choose Destination Address Count from the drop-down list.
6. Click Next to see what additional columns are available to be used in this view.
7. Click Finished.
Step 3
Create alarms by completing the following substeps:
1. Open the IPSfiles folder on your desktop.
2. Double-click BluesPortScan.exe. The Blues Port Scanner window opens.
3. Enter 172.26.26.50 in the Start field.
4. Verify that UDP is selected from the protocol list.
5. Deselect Anti Flood and Ping Check if necessary.
Step 5
Step 6
View the top alerts by clicking the Reports tab, and then clicking Top Alerts and
Generate Report.
Step 7
View the top attackers by double-clicking Top Attackers and Generate Report.
Step 8
View the top victims by double-clicking Top Victims and Generate Report.
Activity Verification
You have completed this task when you attain these results:
You have generated Top Alerts, Top Attackers, and Top Victims reports.
Activity Objective
In this activity, you will create, configure, and delete a virtual sensor. After completing this
activity, you will be able to meet these objectives:
Configure the virtual sensor, including being able to add an inline interface pair to the
virtual sensor
Visual Objective
The figure illustrates what you will accomplish in this activity.
[Figure: lab topology showing the superserver (172.26.26.50) and RBB on 172.26.26.0, perimeter routers prP/prQ on 172.30.P.0/172.30.Q.0 and 172.16.P.0/172.16.Q.0, sensorP/sensorQ (.4), routerP/routerQ, RTS, and student PCs 10.0.P.12 and 10.0.Q.12 on 10.0.P.0/10.0.Q.0 (IPS v6.0)]
Activity Procedure
Complete these steps:
Step 1
3. Click Enable.
4. Click Apply.
5. Choose Configuration > Interface Configuration > VLAN Pairs.
6. Click Add to add inline VLAN pairs.
7. Choose G0/2 from the Interface Name list.
8. Enter subinterface 1 for the inline VLAN pair in the Subinterface Number field.
9. Enter 10 in the VLAN A field.
10. Enter 20 in the VLAN B field.
11. If you want, add a description of the inline VLAN pair in the Description field.
12. Click OK.
13. Click Apply.
Step 2
To create a signature policy, follow these substeps:
1. Log into the Cisco IDM using an account with administrator or operator privileges.
2. Choose Configuration > Policies > Signature Definitions.
3. To add a signature definition policy, click Add.
4. In the Policy Name field, enter Windows for the signature definition policy name.
5. Click OK.
Step 3
To edit the Windows signature definition, complete the following substeps:
1.
2.
3.
4.
5.
6.
7.
Step 4
Click Add.
Enter Windows in the Policy Name field.
Click OK.
Step 5
To edit the Windows event rule policy, complete the following substeps:
1. Expand Event Action Rules so that you see rules0 and Windows.
2. Choose Windows.
3. Choose the General Settings tab.
4. Set the Deny Attacker Duration parameter to 7200 seconds.
5. Adjust the Maximum Denied Attackers field to 1000.
6. Click Apply.
Activity Verification
You have completed this task when you attain these results:
You have created a new signature definition policy and disabled all non-Windows
signatures.
You have created a new event rule policy with a modified timeout for denied attackers and
maximum number of denied attackers.
Activity Procedure
Complete these steps:
Step 1
Step 2
Click Add.
Step 3
Step 4
Step 5
Choose Windows from the Event Action Rules Policy drop-down list.
Step 6
Choose the inline VLAN pair from the Available Interfaces window and click Assign.
Step 7
Click OK.
Step 8
Click Apply.
Activity Verification
You have completed this task when the virtual sensor WindowsSensor has been configured
with the inline VLAN pair, signature policy, and the event rule policy created in Task 1.
Activity Procedure
Complete these steps:
Step 1
Step 2
Step 3
Click Delete.
Step 4
Click Apply.
Activity Verification
You have completed this task when the virtual sensor WindowsSensor has been removed from
your sensor.
Activity Objective
In this activity, you will install advanced features of a Cisco IPS sensor, including anomaly
detection, and POSFP. After completing this activity, you will be able to meet these objectives:
Configure POSFP
Visual Objective
The figure illustrates what you will accomplish in this activity.
[Figure: lab topology showing the superserver (172.26.26.50) and RBB on 172.26.26.0, perimeter routers prP/prQ on 172.30.P.0/172.30.Q.0 and 172.16.P.0/172.16.Q.0, sensorP/sensorQ (.4), routerP/routerQ, RTS, and student PCs 10.0.P.12 and 10.0.Q.12 on 10.0.P.0/10.0.Q.0 (IPS v6.0)]
Activity Procedure
Complete these steps:
Step 1
Step 2
Activity Verification
You have completed this task when you attain these results:
Activity Procedure
Complete these steps:
Step 1
Step 2
Step 3
Click Edit.
Step 4
Step 5
Click OK.
Step 6
Click Apply.
Activity Verification
You have completed this task when virtual sensor vs0 is in learning mode.
Activity Procedure
Complete these steps:
Step 1
Browse the superserver web site. Refresh the web page several times.
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
Step 8
Step 9
Step 10
Activity Verification
You have completed this task when you generate normal network traffic for the sensor to learn.
Activity Procedure
Complete these steps:
Step 1
Choose virtual sensor vs0 and choose Detect for the AD Operation Mode.
Step 2
Prepare to detect worm activity by connecting to the CLI on your sensor either by
using the SSH daemon or the console port. Enter the show statistics anomaly-detection vs0 command. Leave this window open, because you will use it to verify
the simulated worm attack.
Step 4
172.26.26.100
172.26.26.101
172.26.26.102
172.26.26.103
172.26.26.104
It may be necessary to run these commands a few times to simulate worm activity.
TCP Protocol
UDP Protocol
Other Protocol
Step 5
Choose Monitoring > Events and verify the firing of signature 13004.
evIdsAlert: eventId=1174885874866978348 severity=high
vendor=Cisco
originator:
hostId: sensor218
appName: sensorApp
appInstanceId: 358
time: 2007/03/29 10:13:31 2007/03/29 10:13:31 UTC
signature: description=AD - External UDP Scanner id=13004
version=S262
subsigId: 0
sigDetails: Single Scanner
marsCategory: Info/Misc/Scanner
marsCategory: Probe/FromScanner
interfaceGroup: vs0
vlan: 0
participants:
attacker:
addr: locality=OUT 10.0.218.12
target:
port: 503
actions:
denyPacketRequestedNotPerformed: true
alertDetails: .
adExtraData: numDestIps=5;
currentThreshold=5; destPort=503
;
riskRatingValue: targetValueRating=medium 100
threatRatingValue: 100
interface: sy0_0
protocol: udp
Activity Verification
You have completed this task when you attain these results:
The show statistics anomaly-detection vs0 command verifies that an attack is in progress.
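A simplified model of the single-scanner check behind the signature 13004 alert shown above (one source contacting at least currentThreshold distinct destination IPs on one UDP port), as an added Python example that is not Cisco code. The internal zone of 172.26.26.0/24 and the packet trace are constructed assumptions, and the learned histograms the anomaly detection engine also uses are omitted.

```python
from collections import defaultdict
import ipaddress

SCANNER_THRESHOLD = 5  # matches currentThreshold=5 in the sample alert above

# Assumed internal zone: attackers outside it get locality=OUT, as in the sample alert
INTERNAL_ZONE = (ipaddress.ip_network("172.26.26.0/24"),)


class UdpScannerDetector:
    """Tracks distinct destination IPs per (attacker, destination port) and
    raises one alert per key the first time the scanner threshold is reached."""

    def __init__(self, threshold=SCANNER_THRESHOLD):
        self.threshold = threshold
        self.dest_ips = defaultdict(set)   # (attacker, dport) -> distinct destination IPs
        self.fired = set()                 # keys that have already produced an alert

    @staticmethod
    def locality(addr):
        ip = ipaddress.ip_address(addr)
        return "IN" if any(ip in net for net in INTERNAL_ZONE) else "OUT"

    def observe(self, src, dst, dport):
        """Record one UDP packet; return an alert-like dict when the threshold is first crossed."""
        key = (src, dport)
        self.dest_ips[key].add(dst)
        count = len(self.dest_ips[key])
        if count >= self.threshold and key not in self.fired:
            self.fired.add(key)
            return {
                "id": 13004,
                "description": "AD - External UDP Scanner",
                "attacker": f"locality={self.locality(src)} {src}",
                "adExtraData": f"numDestIps={count}; currentThreshold={self.threshold}; destPort={dport}",
            }
        return None


def replay(packets, threshold=SCANNER_THRESHOLD):
    """Feed (src, dst, dport) tuples through a fresh detector and return the alerts raised."""
    detector = UdpScannerDetector(threshold)
    return [alert for alert in (detector.observe(*pkt) for pkt in packets) if alert]


# Constructed sweep: one external host probes UDP/503 on the five addresses listed in
# Step 4, with two repeats (a repeated destination is not a new destination IP).
SAMPLE_PACKETS = [("10.0.218.12", f"172.26.26.{host}", 503)
                  for host in (100, 101, 100, 102, 103, 104, 104)]

if __name__ == "__main__":
    for alert in replay(SAMPLE_PACKETS):
        print(alert)
```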
Activity Procedure
Complete these steps:
Step 1
Choose Configuration > Policies > Event Action Rules > rules0.
Step 2
Step 3
Step 4
In the Restrict OS Mapping and ARR to These IP Addresses field, add the address
range used by your pod (10.0.P.1-10.0.P.255, where P is your pod number).
Activity Procedure
Complete these steps:
Step 1
Choose Configuration > Policies > Event Action Rules > rules0.
Step 2
Step 3
Click Add.
Step 4
Step 5
Step 6
Step 7
Step 8
Click OK.
Step 9
Click Apply.
Activity Procedure
Complete these steps:
Step 1
Choose Configuration > Policies > Event Action Rules > rules0.
Step 2
Step 4
Activity Verification
You have completed this task when you attain these results:
You have confirmed that your student PC operating system is automatically discovered.
You have confirmed that your manual configurations are reflected in the Event Store.
Activity Objective
In this activity, you will recover the sensor software image and install a sensor license and
signature update. After completing this activity, you will be able to meet these objectives:
Boot to the recovery partition during bootup to recover the sensor image
Visual Objective
The figure illustrates what you will accomplish in this activity.
[Figure: lab topology showing the superserver (172.26.26.50) and RBB on 172.26.26.0, perimeter routers prP/prQ on 172.30.P.0/172.30.Q.0 and 172.16.P.0/172.16.Q.0, sensorP/sensorQ (.4), routerP/routerQ, RTS, and student PCs 10.0.P.12 and 10.0.Q.12 on 10.0.P.0/10.0.Q.0 (IPS v6.0)]
Activity Procedure
Step 1
Step 2
Access the sensor via its console port as directed by your instructor:
Step 3
Step 4
signatures 4003 0
engine sweep
event-action produce-alert|log-attacker-packets
exit
exit
signatures 5081 0
engine service-http
no event-action
exit
exit
signatures 5114 0
engine service-http
no event-action
exit
exit
signatures 6250 0
alert-severity high
engine string-tcp
event-action produce-alert|deny-connection-inline
exit
alert-frequency
summary-mode fire-once
exit
exit
exit
signatures 12621 0
status
enabled True
exit
exit
signatures 13001 1
engine traffic-anomaly
event-action deny-packet-inline|produce-alert
exit
exit
signatures 13002 1
engine traffic-anomaly
event-action deny-packet-inline|produce-alert
exit
exit
signatures 13003 1
engine traffic-anomaly
event-action deny-packet-inline|produce-alert
exit
exit
signatures 13004 1
engine traffic-anomaly
event-action deny-packet-inline|produce-alert
exit
exit
signatures 13005 1
engine traffic-anomaly
event-action deny-packet-inline|produce-alert
exit
exit
signatures 13006 1
engine traffic-anomaly
event-action deny-packet-inline|produce-alert
exit
exit
signatures 13007 1
engine traffic-anomaly
event-action deny-packet-inline|produce-alert
exit
exit
signatures 13008 1
engine traffic-anomaly
event-action deny-packet-inline|produce-alert
exit
exit
.
.
.
.
(where P = pod number, Q = peer pod number, and S = secondary peer pod number)
Step 5
Back up this configuration:
sensorP#copy current-config ftp://10.0.P.12/backup.cfg
User:ftpuser
Password: ftppass
Caution
Step 9
The recovery process takes several minutes. Do not log in the first time that the login prompt
is presented, which is very early in the recovery process.
When the recovery is complete, log back into the sensor with the default username
cisco and the default password cisco.
sensorP login: cisco
Password: cisco
Step 11
Step 12
***LICENSE NOTICE***
There is no license key installed on the system.
Please go to http://www.cisco.com/go/license
to obtain a new license or install a license.
sensor1#
Step 13
Display the current configuration, and compare it to the configuration prior to the
recovery:
sensorP# more current-config
! ------------------------------
! Current configuration last modified Fri Feb 23 13:20:11 2007
! ------------------------------
! Version 6.0(1)
! Host:
!
Realm Keys
key1.0
! Signature Definition:
!
Signature Update
S263.0
2006-12-18
Virus Update
V1.2
2007-11-24
! ------------------------------
service interface
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
network-settings
host-ip 10.0.P.4/24,10.0.P.2
host-name sensorP
telnet-option disabled
access-list 10.0.P.12/32
access-list 10.0.Q.0/32
access-list 10.0.S.12/32
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
exit
! ------------------------------
service signature-definition sig0
84
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
exit
! -----------------------------service ssh-known-hosts
exit
! -----------------------------service trusted-certificates
exit
! -----------------------------service web-server
exit
! -----------------------------service anomaly-detection ad0
exit
! -----------------------------service external-product-interface
exit
! -----------------------------service analysis-engine
exit
Step 14
Display the current configuration, and compare it to the configuration prior to the
recovery:
sensorP# more current-config
Activity Verification
You have completed this task when the recovery process completes successfully and retains
your network settings, and you have restored your backup.
Activity Procedure
Step 1
Complete the following substeps to configure settings to be used for testing the
recovery process:
1. Enter configuration mode:
sensorP#config t
sensorP(config)#
(where P = pod number, Q = peer pod number, and S = secondary peer pod number)
Step 2
Complete the following substeps to recover the sensor image:
1. Enter reset at the privileged EXEC prompt to reboot the sensor:
sensorP# reset
Warning: Executing this command will stop all
applications and reboot the node. Continue with reset?
[]
3. When the GRUB menu is displayed, press the Down Arrow key to choose
Cisco IPS Recovery:
GNU GRUB version 0.94
4. Press the Down Arrow key. You should see the 0 replaced with 1.
5. Press Enter. The reimage process begins.
Highlighted entry is 1:
Booting 'Cisco IPS Recovery'
Caution
Step 3
The recovery process takes several minutes. Do not log in the first time that the login prompt
is presented, which is very early in the recovery process.
When the recovery is complete, log back into the sensor with the default username
cisco and the default password cisco.
sensorP login: cisco
Password: cisco
You are required to change your password immediately (password
aged)
Changing password for cisco
(current) UNIX password:
Step 5
Step 6
***LICENSE NOTICE***
Display the current configuration, and compare it to the configuration prior to the
recovery:
sensorP# more current-config
! ------------------------------
! Current configuration last modified Fri Feb 23 13:20:11 2007
! ------------------------------
! Version 6.0(1)
! Host:
!     Realm Keys          key1.0
! Signature Definition:
!     Signature Update    S263.0   2006-12-18
!     Virus Update        V1.2     2007-11-24
! ------------------------------
service interface
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
network-settings
host-ip 10.0.P.4/24,10.0.P.2
host-name sensorP
telnet-option disabled
access-list 10.0.P.12/32
access-list 10.0.Q.0/32
access-list 10.0.S.12/32
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
exit
! ------------------------------
service signature-definition sig0
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
exit
! ------------------------------
service anomaly-detection ad0
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service analysis-engine
exit
(where P = pod number, Q = peer pod number, and S = secondary peer pod number)
Activity Verification
You have completed this task when the recovery process completes successfully and retains
your network settings.
Activity Procedure
Complete these steps:
Step 1
Verify that the following system image file is located in the IPSfiles directory on
your student PC desktop: IPS-4240-K9-sys-1.1-a-6.0-1-E1.img
Step 2
Step 3
Step 4
Step 5
Step 6
Press Ctrl-R within five seconds after the following message is displayed during
bootup:
Evaluating Run Options...
Step 8
Examine the console display information to verify that the sensor is running BIOS
version 5.1.7 or later and ROM monitor version 1.4 or later.
Step 9
address 10.0.P.4
(where P = pod number)
Step 10
Specify the IP address of the TFTP server on which the image is stored:
rommon> server 10.0.P.12
server 10.0.P.12
(where P = pod number)
Step 11
Step 12
E1.img@10.0.P.12!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Step 13
When the recovery is complete, log back into the sensor with the default username
cisco and the default password cisco.
sensor login: cisco
Password: cisco
You are required to change your password immediately (password
aged)
Changing password for cisco
(current) UNIX password:
Step 14
Step 15
Step 16
***LICENSE NOTICE***
Display the current configuration and compare it to the configuration prior to the
recovery:
sensor# more current-config
! ------------------------------
! Current configuration last modified Fri Feb 23 13:20:11 2007
! ------------------------------
! Version 6.0(1)
! Host:
!     Realm Keys          key1.0
! Signature Definition:
!     Signature Update    S263.0   2006-12-18
!     Virus Update        V1.2     2007-11-24
! ------------------------------
service interface
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
exit
! ------------------------------
service signature-definition sig0
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
exit
! ------------------------------
service anomaly-detection ad0
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service analysis-engine
exit
Activity Verification
You have completed this task when the recovery process completes successfully and restores
the sensor default configuration.
Activity Procedure
Step 1
Enter the setup command and press the Spacebar. The System Configuration
Dialog is displayed:
sensor# setup
--- System Configuration Dialog ---
At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
Current Configuration:
service host
network-settings
host-ip 10.1.9.201/24,10.1.9.1
host-name sensor
telnet-option disabled
ftp-timeout 300
no login-banner-text
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
service web-server
port 443
exit
service event-action-rules rules0
overrides
override-item-status Enabled
risk-rating-range 90-100
exit
exit
Step 3
Step 7
Press Enter to accept the default of no when prompted to modify system clock
settings:
Modify system clock settings?[no]: <Enter>
Step 11
Press Enter to accept the default of no when prompted to modify the virtual sensor
configuration:
Modify interface/virtual sensor configuration?[no]: <Enter>
Modify default threat prevention settings?[no]: <Enter>
The following configuration was entered.
service host
network-settings
host-ip 10.0.P.4/24,10.0.P.2
host-name sensorP
telnet-option disabled
access-list 10.0.P.12/32
access-list 10.0.Q.0/24
exit
service web-server
port 443
exit
service event-action-rules rules0
overrides
override-item-status Enabled
risk-rating-range 90-100
exit
exit
[0] Go to the command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration and exit setup.
Step 13
Step 14
Activity Verification
You have completed this task when you have entered the specified values at each setup
interactive prompt.
Activity Procedure
Step 1
Launch your web browser and log into the Cisco IDM.
Step 2
Activity Procedure
Complete these steps:
Step 1
Choose Monitoring > Support Information > System Information and examine
the System Information panel to check your sensor current signature version. You
should see the following:
Partition application
Build version 6.0(1)E1
Step 2
Step 3
7. Click OK.
Complete the following substeps to verify that the update was successful:
1. Launch and log back into the Cisco IDM.
2. Choose Monitoring > Support Information > System Information. The
System Information panel is displayed. You should see the following:
Signature Definition
Signature Update
S274.0 2007-03-01
Activity Verification
You have completed this task when the Cisco IDM System Information panel displays the following:
Signature Definition
Signature Update
S274.0
2007-03-01
Activity Procedure
Complete these steps:
Step 1
Step 2
Access the sensor via its console port as directed by your instructor.
Step 3
Step 4
Step 5
When the GRUB menu is displayed, press the Down Arrow key to choose Cisco
IPS Recovery:
GNU GRUB
version 0.94
Press the Down Arrow key twice. You should see the 0 replaced first with a 1 and
then a 2.
Step 8
Press Enter. The password recovery process begins and the sensor continues
rebooting.
Step 9
Log into the CLI using the old password. You should fail:
sensor login: cisco
Password: iattacku2
Step 10
Now log into the CLI using the default password. You will now succeed:
sensor login: cisco
Password: cisco
Step 11
Activity Procedure
Complete these steps:
Step 1
When the GRUB menu is displayed, press the Down Arrow key to choose Cisco IPS Recovery:
GNU GRUB version 0.94
Answer Key
The correct answers and expected solutions for the activities that are described in this guide
appear here.
Lab 2-1 Answer Key: Install and Configure a Cisco IPS Sensor
from the CLI
When you complete this activity, your sensor configuration will be similar to the following,
with differences that are specific to your device or workgroup:
sensorP# more backup-config
! ------------------------------
! Current configuration last modified Fri Feb 23 13:20:11 2007
! ------------------------------
! Version 6.0(1)
! Host:
!     Realm Keys          key1.0
! Signature Definition:
!     Signature Update    S263.0   2006-12-18
!     Virus Update        V1.2     2007-11-24
! ------------------------------
service interface
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
network-settings
host-ip 10.0.P.4/24,10.0.P.2
host-name sensorP
telnet-option disabled
access-list 10.0.P.12/32
access-list 10.0.Q.0/24
login-banner-text AUTHORIZED ACCESS ONLY!
This system is the property of Cisco Systems.
Disconnect IMMEDIATELY if you are not an authorized user.
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
exit
! ------------------------------
service signature-definition sig0
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
exit
! ------------------------------
service anomaly-detection ad0
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service analysis-engine
exit
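The recovery labs end with "display the current configuration and compare it to the configuration prior to the recovery" and verify that the network settings were retained. As an added example that is not part of the Cisco lab guide, the following Python script parses the `more current-config` / `more backup-config` listing format shown above and reports which service host network settings survived. The two abridged configs are constructed from the guide's listings (the Lab 2-1 backup-config above and the post-recovery current-config), with the pod placeholders P, Q and S kept as literal text exactly as the guide prints them.

```python
"""Parse Cisco IPS 6.0 config listings and check what survived a recovery.
Added example, not from the Cisco lab guide; sample configs are constructed."""
import re
from collections import defaultdict

KEYWORD = re.compile(r"^[a-z][a-z0-9-]*$")  # CLI keywords: lowercase, hyphenated

# Constructed sample: backup-config from the Lab 2-1 answer key (abridged)
BACKUP_CONFIG = """\
! ------------------------------
! Version 6.0(1)
service host
network-settings
host-ip 10.0.P.4/24,10.0.P.2
host-name sensorP
telnet-option disabled
access-list 10.0.P.12/32
access-list 10.0.Q.0/24
login-banner-text AUTHORIZED ACCESS ONLY!
This system is the property of Cisco Systems.
Disconnect IMMEDIATELY if you are not an authorized user.
exit
exit
"""

# Constructed sample: current-config displayed after the recovery step (abridged)
CURRENT_CONFIG = """\
! ------------------------------
! Version 6.0(1)
service host
network-settings
host-ip 10.0.P.4/24,10.0.P.2
host-name sensorP
telnet-option disabled
access-list 10.0.P.12/32
access-list 10.0.Q.0/32
access-list 10.0.S.12/32
exit
exit
"""


def parse_config(text):
    """Return {section path: {keyword: [values]}}. `service X` or a lone lowercase
    token enters a mode, `exit` leaves it, `keyword value` records a setting, and
    any other line (the banner body) continues the previous value; `!` is comment."""
    sections = defaultdict(lambda: defaultdict(list))
    path, last_key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        head, _, rest = line.partition(" ")
        if line == "exit":
            if path:
                path.pop()
            last_key = None
        elif head == "service" or (not rest and KEYWORD.match(head)):
            path.append(line)  # e.g. "service host", then "network-settings"
            last_key = None
        elif KEYWORD.match(head):
            sections["/".join(path)][head].append(rest)
            last_key = head
        elif last_key:  # continuation line of a multi-line value
            sections["/".join(path)][last_key][-1] += "\n" + line
    return sections


def compare_network_settings(backup_text, current_text):
    """Diff service host/network-settings: (retained keys, lost keys, changed)."""
    key = "service host/network-settings"
    before = parse_config(backup_text)[key]
    after = parse_config(current_text)[key]
    retained = sorted(k for k in before if before[k] == after.get(k))
    lost = sorted(k for k in before if k not in after)
    changed = {k: (before[k], after[k]) for k in before
               if k in after and before[k] != after[k]}
    return retained, lost, changed


def recovery_kept_network_settings(backup_text, current_text):
    """The lab's verification criterion: host-ip and host-name survive recovery."""
    retained, _, _ = compare_network_settings(backup_text, current_text)
    return {"host-ip", "host-name"} <= set(retained)
```

On these samples the address and host name are retained, the login banner is lost, and the access-list entries differ, which is exactly what a comparison against the pre-recovery backup should surface before the sensor is returned to service.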
Lab 2-2 Answer Key: Use the Cisco IDM to Perform a Basic
Sensor Configuration
When you complete this activity, your sensor configuration will be similar to the following,
with differences that are specific to your device or workgroup.
Allowed Hosts
User Accounts
Interfaces
Inline Pair
Signature 4003
IP Logging
Signature 6250
Signature 12621/0
NIMDA Signature
Confidential Signature
Lab 4-1 Answer Key: Tune a Cisco IPS Sensor Using Cisco IDM
When you complete this activity, your sensor configuration will be similar to the following,
with differences that are specific to your device or workgroup.
Signature 2004
Event Variables
Device Settings
Filter Settings
View Settings
Virtual Sensor
OS Identifications