© 2005 Cisco Systems, Inc. All rights reserved. IDS v Lesson 3 Getting Started with the IPS Command-Line Interface

© 2005 Cisco Systems, Inc. All rights reserved. IDS v Command-Line Overview

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Accessing the CLI You can access the CLI of a sensor appliance running software version 5.0 via the following: SSH Serial interface connection Telnet (disabled by default)

© 2005 Cisco Systems, Inc. All rights reserved. IPS v CLI Features The IDS 5.0 CLI includes the following features: Help Tab completion Command abbreviation Command recall User interactive prompts

© 2005 Cisco Systems, Inc. All rights reserved. IPS v CLI Use The CLI can be used to perform the following: Sensor initialization tasks Configuration tasks Administrative tasks Troubleshooting

© 2005 Cisco Systems, Inc. All rights reserved. IPS v CLI Modes The IPS 5.0 CLI has the following command modes: Privileged EXEC mode Global configuration mode Service mode Multi-instance service mode

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Privileged EXEC Mode The following tasks are performed in privileged EXEC mode: Initialize the sensor Reboot the sensor Enter configuration mode Terminate current login session Display system settings Ping sensor#

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Global Configuration Mode The following tasks are performed in global configuration mode: Create user accounts Configure SSH and TLS settings Reimage the application partition Upgrade and downgrade system software and signatures Enter service configuration mode sensor# configure terminal sensor(config)#

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Service Mode Service mode is a generic command mode. It enables you to enter configuration mode for various services. sensor(config)# service ? alarm-channel-configuration Deprecated - Enter configuration mode for the alarm channel analysis-engine Enter configuration mode for global analysis engine options authentication Enter configuration mode for user authentication options event-action-rules Enter configuration mode for the event action rules host Enter configuration mode for node configuration interface Enter configuration mode for interface configuration logger Enter configuration mode for debug logger.

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Multi-Instance Service Mode: Service Signature Definition The following tasks are performed in service signature definition mode: Modify signatures Reset signature settings to the defaults sensor(config)# service signature-definition sig0 sensor(config-sig)# ? application-policyApplication Policy Enforcement Parameters defaultSet the value back to the system default settings.

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Multi-Instance Service Mode: Service Event Action Rules Within the service event action rules mode, you can perform such tasks as configuring rules to filter events. sensor(config)# service event-action-rules rules0 sensor(config-sig)# ? application-policyApplication Policy Enforcement Parameters defaultSet the value back to the system default settings.

© 2005 Cisco Systems, Inc. All rights reserved. IDS v Sensor Software Installation

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Software Installation Overview You can use the CLI upgrade command to upgrade your sensor from software version 4. x to 5.0. Using the upgrade command is characterized by the following: It retains your configuration. It requires that the sensor is running IDS 4.1 prior to upgrade.

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Major Update Files Example: IDS-K9-maj S149.rpm.pkg IDS-K9–maj–w.x-y-Sz.rpm.pkg Extension Signature Version Upgrade Type Major Version Level Service Pack Level Minor Version Level

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Supported File Servers To use the upgrade command to upgrade the sensor from software version 4. X to 5.0, the sensor must have network access to the file server containing the upgrade file. The following servers are supported: FTP SCP HTTP HTTPS

© 2005 Cisco Systems, Inc. All rights reserved. IPS v upgrade source-url Applies a service pack, signature update, or image upgrade from an FTP, SCP, HTTP, or HTTPS server upgrade Command sensor(config)#upgrade S149.rpm.pkg Upgrades the sensor to IPS software version 5.0 sensor(config)#

© 2005 Cisco Systems, Inc. All rights reserved. IDS v Sensor Initialization

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Management Access These methods are used to gain management access to a Cisco IPS sensor appliance: Console port (cable provided) Telnet SSH HTTPS

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Sensor Initialization Tasks Perform these tasks to initialize the sensor: Assign a name to the sensor. Assign an IP address and netmask to the sensor command and control interface. Assign a default gateway. Enable or disable the Telnet server. Specify the web server port. Create network ACLs. Configure the date and time. Configure the sensor interfaces.

© 2005 Cisco Systems, Inc. All rights reserved. IPS v setup Command

© 2005 Cisco Systems, Inc. All rights reserved. IPS v setup Command (Cont.)

© 2005 Cisco Systems, Inc. All rights reserved. IPS v setup Command (Cont.)

© 2005 Cisco Systems, Inc. All rights reserved. IPS v setup Command (Cont.)

© 2005 Cisco Systems, Inc. All rights reserved. IPS v setup Command (Cont.)

© 2005 Cisco Systems, Inc. All rights reserved. IDS v Administrative Tasks

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Diagnosing Network Connectivity Diagnoses basic network connectivity ping address [count] sensor# sensor# ping Diagnoses network connectivity to host by sending three echo requests to host

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Tracing a Route trace address [count] sensor# sensor1# trace traceroute to ( ), 4 hops max, 40 byte packets ( ) ms ms ms ( ) ms ms ms ( ) ms * ms sensor1# Displays the route an IP packet takes to a destination Displays the route an IP packet takes to host

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Creating a Login Banner banner login sensor(config)# sensor1(config)# banner login Banner[]:Authorized access only^MThis system is the property of Cisco Systems^MDisconnect IMMEDIATELY if you are not an authorized user Creates the following banner message: Authorized access only This system is the property of Cisco Systems Disconnect IMMEDIATELY if you are not an authorized user Enables you to create a banner message to display on the terminal screen

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Changing the FTP Timeout ftp-timeout timeout sensor(config-hos-net)# sensor1(config-hos-net)#ftp-timeout 600 Changes the FTP client timeout used when communicating with an FTP server Changes the FTP timeout to 600 seconds

© 2005 Cisco Systems, Inc. All rights reserved. IDS v Basic Troubleshooting Commands

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Displaying the Current Version show version sensor# Displays version information for all installed operating system packages and signature packages

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Displaying the Configuration Displays the sensor configuration more keyword |[ begin | exclude | include filter] sensor# sensor# more current-config | include access- list access-list /32 access-list /24 Displays only the access-list portions of the current configuration

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Displaying Settings show settings [terse] | [ begin | exclude | include filter] sensor(config-hos)# show settings terse | begin access-list sensor(config-ser)# Displays the contents of the configuration contained in the current mode Displays the contents of the configuration contained in the service host mode beginning with the regular expression access-list

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Displaying Events. show events [ { [alert [informational] [low] [medium] [high] [include-traits traits] [exclude-traits traits] | error [warning] [error] [fatal] | log | NAC | status} ] [hh:mm:ss month day [year] | past hh:mm:ss ] sensor# show events alert high 10:00 jan sensor# Displays the requested events Displays all high-severity alerts since 10:00 a.m., January 1, 2005

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Defaulting a Service default service { analysis-engine | authentication | event-action-rules | host | interface | logger | network-access | notification | signature-definition | ssh known- hosts | trusted-certificates | web server } sensor(config)# default service host sensor(config)# Restores the default settings to the specified service Restores the default settings to the host service

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Backing Up and Restoring Configurations copy [/erase] source-url destination-url sensor# sensor# copy current-config backup-config Copies configuration files Creates a backup configuration sensor# copy /erase backup-config current-config Overwrites the current configuration with the backup configuration

© 2005 Cisco Systems, Inc. All rights reserved. IDS v Summary

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Summary You can obtain management access to a sensor appliance by the following methods: –Attaching a console cable – Using Telnet or SSH via the network The sensor is bootstrapped using the setup command. IDS software versions 4.0 and higher include a full CLI. The CLI uses syntax similar to that of the Cisco IOS software. The CLI provides all the necessary functionality to configure and manage the sensor. The CLI provides several commands for verifying configuration and system information, backing up a configuration, and restoring a configuration.

© 2005 Cisco Systems, Inc. All rights reserved. IDS v Lab Exercise

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Q.0 Lab Visual Objective Q Web FTP RBB Q P.0.4 sensorQ Student PC 10.0.Q.12 RTS sensorP Student PC 10.0.P.12 RTS P.0 rP rQ prQ prP 10.0.P.0