© 2004, Cisco Systems, Inc. All rights reserved. CSIDS 4.15-1 Lesson 5 Getting Started with the IDS Command Line Interface.


Objectives

Upon completion of this lesson, you will be able to perform the following tasks:
– Install the Sensor software image.
– Install the Sensor appliance on the network.
– Obtain management access to the Sensor.
– Initialize the Sensor.
– Navigate the CLI.
– Create user accounts.
– Configure account lockout.
– Configure network access lists.
– Describe preventive maintenance practices.
– Use general troubleshooting commands.

Sensor Installation

Sensor Appliance Installation
Complete the following tasks to install the Sensor and to prepare for upgrading its software:
– Position the Sensor on the network.
– Attach a power cord to the Sensor and plug it into a power source.
– Do one of the following:
  – Attach a laptop to the console port of the Sensor.
  – Connect a keyboard and monitor to the Sensor.

Special Considerations
Consider the following before beginning an upgrade to IDS software version 4.x:
– Cable swap on the 4220 and 4230 Sensors
– Spare hard-disk drives in the 4235 and 4250 Sensors
– BIOS upgrade for the 4235 and 4250 Sensors
– Memory upgrade for the 4210 and 4220 Sensors

Software Installation Overview
The following tasks are required to upgrade the IDS appliance to version 4.0:
– Insert the Cisco IDS 4.0(1) Upgrade/Recovery CD into the CD-ROM drive.
– Boot the Sensor from the Recovery CD.
– At the boot prompt, enter k if installing from a keyboard, or s if installing from a serial connection.
– When prompted, press Enter to reboot the system.
– Log in using the default username and password.
– Change the default password.

Installation Options

Installation Complete

Change Password

Upgrade from Software Version 4.0 to 4.1
The upgrade from IDS software version 4.0 to 4.1 has the following characteristics:
– It can be applied only to 4200 Series Sensor appliances and IDSM-2s.
– The Sensor must report IDS Software Version 4.0(1)S37 or later before the upgrade.
– The 4210 and 4220 Sensor appliances must be upgraded to 512 MB of RAM before the upgrade.
– The upgrade is performed with the upgrade command.

Sensor Initialization

Management Access
The following methods are used to gain management access to a Sensor:
– Console port (cable provided)
– Monitor and keyboard
– Telnet
– SSH
– HTTPS
Telnet carries credentials and session traffic in cleartext. Use SSH or HTTPS for management over the network and leave the Telnet server disabled unless no console alternative is available.

Sensor Initialization Tasks
The following tasks initialize the Sensor:
– Assign a name to the Sensor.
– Assign an IP address and netmask to the Sensor command and control interface.
– Assign a default gateway.
– Enable or disable the Telnet server.
– Specify the web server port.
– Create network ACLs.
– Set the date and time.

setup Command

Configuration Dialog

Command Line Modes

CLI Overview
The IDS 4.x CLI has the following characteristics:
– Provides access to the Sensor via Telnet, SSH, serial interface connections, and keyboard/monitor connections
– Replaces 3.x operating system shell access
– Is similar to the Cisco IOS software CLI

CLI Features
The IDS 4.x CLI includes the following features:
– Help
– Tab completion
– Command abbreviation
– Command recall
– User interactive prompts

CLI Usage
The CLI can be used to perform the following tasks:
– Sensor initialization tasks
– Configuration tasks
– Administrative tasks
– Troubleshooting

CLI Modes
The IDS 4.x CLI has the following modes:
– Privileged EXEC
– Global configuration
– Interface command-control configuration
– Interface group configuration
– Interface sensing configuration
– Service
– Virtual sensor configuration
– Alarm channel configuration
– Tune micro engines
– Tune alarm channel

Privileged EXEC Mode
Privileged EXEC mode is the first level of the CLI. The following tasks are performed in privileged EXEC mode:
– Initialize the Sensor.
– Reboot the Sensor.
– Enter configuration mode.
– Terminate the current login session.
– Display system settings.
– Ping.
    sensor#

Global Configuration Mode
Global configuration mode is the second level of the CLI. The following tasks are performed in global configuration mode:
– Set the Sensor hostname.
– Create user accounts.
– Configure SSH, Telnet, and TLS settings.
– Reimage the application partition.
– Upgrade and downgrade system software and signatures.
– Enter interface configuration modes.
– Enter service configuration mode.
    sensor# configure terminal
    sensor(config)#

Interface Command-Control Configuration Mode
Interface command-control configuration mode is a third level of the CLI. It enables you to configure the IP information of the command and control interface.
    sensor# configure terminal
    sensor(config)# interface command-control
    sensor(config-if)#

Interface Group Configuration Mode
Interface group configuration mode is a third level of the CLI. The following tasks are performed in interface group configuration mode:
– Add a sensing interface to the interface group.
– Disable the interface group.
    sensor# configure terminal
    sensor(config)# interface group 0
    sensor(config-ifg)#

Interface Sensing Configuration Mode
Interface sensing configuration mode is a third level of the CLI. It allows you to enable or disable the sensing interface.
    sensor# configure terminal
    sensor(config)# interface sensing int0
    sensor(config-ifs)#

Service Mode
Service mode is a generic command mode. It enables you to enter configuration mode for the various services.
    sensor# configure terminal
    sensor(config)# service ?
      alarm-channel-configuration    Enter configuration mode for the alarm channel
      Authentication                 Enter configuration mode for user authentication options
      Host                           Enter configuration mode for node configuration
      Logger                         Enter configuration mode for the debug logger
      NetworkAccess                  Enter configuration mode for the network access controller
      SshKnownHosts                  Enter configuration mode for configuring SSH known hosts
      TrustedCertificates            Enter configuration mode for configuring trusted certificates
      virtual-sensor-configuration   Enter configuration mode for the virtual sensor
      WebServer                      Enter configuration mode for the web server application

Virtual Sensor Configuration Mode
Virtual sensor configuration mode is a third level of the CLI. The following tasks are performed in virtual sensor configuration mode:
– Reset signature settings to the default configuration.
– Enter tune micro engines mode.
    sensor# configure terminal
    sensor(config)# service virtual-sensor-configuration virtualSensor
    sensor(config-vsc)#

Alarm Channel Configuration Mode
Alarm channel configuration mode is a third level of the CLI. It enables you to enter configuration mode for the alarm channel.
    sensor# configure terminal
    sensor(config)# service alarm-channel-configuration virtualAlarm
    sensor(config-acc)#

Tune Micro Engines Mode
Tune micro engines mode is a fourth level of the CLI. It enables you to tune the micro-engines.
    sensor# configure terminal
    sensor(config)# service virtual-sensor-configuration virtualSensor
    sensor(config-vsc)# tune-micro-engines
    sensor(config-vsc-virtualSensor)#

Tune Alarm Channel Mode
Tune alarm channel mode is a fourth level of the CLI. It enables you to configure system variables for the alarm aggregation process.
    sensor# configure terminal
    sensor(config)# service alarm-channel-configuration virtualAlarm
    sensor(config-acc)# tune-alarm-channel
    sensor(config-acc-virtualAlarm)#

Completing the Initial Configuration

Initial Configuration Tasks
After completing the interactive dialog of the setup command, complete the initial configuration by doing the following:
– Create user accounts.
– Create a service account (optional).
– Add hosts to the network ACL.

Sensor Login Accounts
User accounts:
– Used to access the Sensor for management and monitoring
– Created on the Sensor
– Default user is cisco with password cisco
– Password change required at first login
– Have roles that determine the user's privileges
Service account:
– Special user account that provides root access
– Should be used only for troubleshooting and recovery under direction of TAC
– Does not exist by default
– Can be used by only one user
– Has the service role

Creating User Accounts
    sensor(config)# username name [password password] [privilege privilege]
Creates a user account.
    sensor(config)# username ADMIN password adminpass privilege administrator
Creates the user ADMIN with a privilege level of administrator and the password adminpass.

Creating the Service Account
    sensor(config)# username name [password password] [privilege privilege]
Creates a service account.
    sensor(config)# username MYSERVICEACCT password servpass privilege service
Creates a service account called MYSERVICEACCT with the password servpass.

Configuring Account Lockout
    sensor(config-Authentication-gen)# attemptLimit limit
Limits the number of authentication attempts before the account becomes disabled.
    sensor(config-Authentication-gen)# attemptLimit 3
Sets the maximum number of authentication attempts to three.
Keep a second administrator account available, so that a lockout of one account does not leave the Sensor unmanageable.

Changing Passwords
    sensor(config)# password [name [newPassword]]
Changes the password on a user account.
    sensor(config)# password
    Enter old login password: *********
    Enter new login password: ********
    Re-enter new login password: *********
    sensor(config)#
Modifies the password for the current user.
    sensor(config)# password OPER
    Enter new login password: ******
    Re-enter new login password: ******
    sensor(config)#
Modifies the password for the operator account, OPER.

Changing Privileges
    sensor(config)# privilege user name [administrator | operator | viewer]
Changes an account's role.
    sensor(config)# privilege user TESTUSER operator
    Warning: The privilege change does not apply to current CLI sessions. It will be applied to subsequent logins.
    sensor(config)#
Changes the role for user TESTUSER to operator.
Because the change applies only to subsequent logins, a session that is already open keeps its old privileges; when lowering a user's role, terminate that user's active sessions as well.

Configuring Network Access
    sensor(config-Host-net)# accessList ipAddress ip_address [netmask netmask]
Creates a network ACL entry.
    sensor# config t
    sensor(config)# service host
    sensor(config-Host)# networkParams
    sensor(config-Host-net)# accessList ipAddress ip_address
Adds a single host to the ACL.
    sensor# config t
    sensor(config)# service host
    sensor(config-Host)# networkParams
    sensor(config-Host-net)# accessList ipAddress ip_address netmask netmask
Adds an entire network to the ACL.
Only hosts covered by the ACL can reach the Sensor's management services over the network, so confirm that your own management station is included before applying the change; otherwise the remaining access path is the console.
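The initial-configuration tasks above (user accounts, the optional service account, account lockout, and the management ACL) as one script generator, added here as an example and not part of the Cisco course material. The CLI lines follow the lesson's syntax. Assumptions: the general submode between service Authentication and the (config-Authentication-gen) prompt is inferred from the prompt name; the OPER password, the networks and the management host address are constructed sample data. The generator refuses to emit a script that would lock the operator out or leave the default password in place.

```python
"""Build and sanity-check the post-setup CLI script for a Cisco IDS 4.x Sensor.

Added example, not from the Cisco course material. The CLI lines follow the
lesson: 'username ... privilege ...', 'attemptLimit' under service
Authentication, and 'accessList ipAddress ...' under service host /
networkParams. Assumption: the 'general' submode between 'service
Authentication' and the (config-Authentication-gen) prompt is inferred from
the prompt name. Names, passwords and addresses below are constructed.
"""
import ipaddress
from dataclasses import dataclass

VALID_ROLES = {"administrator", "operator", "viewer", "service"}
DEFAULT_PASSWORD = "cisco"  # factory default; must not remain on any account


@dataclass(frozen=True)
class User:
    name: str
    password: str
    role: str


def user_commands(users):
    """Return the global-config 'username' lines, refusing unsafe account sets."""
    roles = [u.role for u in users]
    for u in users:
        if u.role not in VALID_ROLES:
            raise ValueError(f"unknown privilege role {u.role!r} for {u.name}")
        if u.password == DEFAULT_PASSWORD:
            raise ValueError(f"{u.name} reuses the default password")
    if roles.count("service") > 1:
        raise ValueError("the Sensor allows only one service account")
    if "administrator" not in roles:
        raise ValueError("at least one administrator account is required")
    return [f"username {u.name} password {u.password} privilege {u.role}" for u in users]


def acl_commands(networks):
    """Return the 'service host' block that builds the management ACL.

    Entries are CIDR strings: a /32 becomes a single-host accessList line,
    anything shorter carries a netmask, matching the two slide examples.
    """
    lines = ["service host", "networkParams"]
    for net in networks:
        n = ipaddress.ip_network(net, strict=False)
        if n.prefixlen == 32:
            lines.append(f"accessList ipAddress {n.network_address}")
        else:
            lines.append(f"accessList ipAddress {n.network_address} netmask {n.netmask}")
    lines += ["exit", "exit"]  # back out of networkParams and service host
    return lines


def is_permitted(networks, host):
    """True if host falls inside at least one ACL entry."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def initial_config(users, networks, management_host, attempt_limit=3):
    """Assemble the whole script; refuse to produce one that locks the operator out."""
    if not is_permitted(networks, management_host):
        raise ValueError(f"management host {management_host} is not covered by the ACL")
    if attempt_limit < 1:
        raise ValueError("attemptLimit must be at least 1")
    script = ["configure terminal"]
    script += user_commands(users)
    script += ["service Authentication", "general", f"attemptLimit {attempt_limit}", "exit", "exit"]
    script += acl_commands(networks)
    return script


# Constructed sample data (ADMIN, OPER and MYSERVICEACCT are the slide's own names).
SAMPLE_USERS = [
    User("ADMIN", "adminpass", "administrator"),
    User("OPER", "operpass", "operator"),
    User("MYSERVICEACCT", "servpass", "service"),
]
SAMPLE_NETWORKS = ["10.0.1.0/24", "192.168.50.7/32"]
SAMPLE_MANAGEMENT_HOST = "10.0.1.12"

if __name__ == "__main__":
    print("\n".join(initial_config(SAMPLE_USERS, SAMPLE_NETWORKS, SAMPLE_MANAGEMENT_HOST)))
```

Paste the generated lines into a console or SSH session; if the Sensor asks whether to apply the changes when you leave a service submode, answer yes. Run the checks against the management host you are actually connecting from, not an address you intend to use later.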

Preventive Maintenance and Troubleshooting

Displaying the Current Version
    sensor# show version
Displays version information for all installed operating system packages, signature packages, and IDS processes running on the system.

Displaying the Configuration
    sensor# show configuration | [begin | exclude | include filter]
Displays the current configuration for the entire system.
    sensor# show configuration | include accessList
    accessList ipAddress ip_address netmask netmask
    accessList ipAddress ip_address netmask netmask
Displays only the accessList portions of the current configuration.

Displaying the Configuration (Cont.)
    sensor# more keyword | [begin | exclude | include filter]
Displays the current or backup configuration.
    sensor# more backup-config
Displays the backup configuration.

Displaying Settings
    sensor(config)# show settings [terse] [begin | exclude | include filter]
Displays the contents of the configuration contained in the current submode.

Displaying Events
    sensor# show events [alert [informational] [low] [medium] [high] [include-traits must-have-traits] [exclude-traits must-not-have-traits] | error [warning | error | fatal] | log | NAC | status] [[past] hh:mm:ss [month day [year]]] [| {begin filter | include filter | exclude filter}]
Displays the requested event types, beginning at the requested start time.
    sensor# show events alert high 10:00:00 June 1 2003
    sensor#
Displays all high-severity events since 10:00 a.m., June 1, 2003.

Displaying Statistics
    sensor# show statistics {Authentication | EventServer | EventStore | Host | Logger | NetworkAccess | TransactionServer | TransactionSource | WebServer} [clear]
Displays statistics for the specified service.
    sensor# show statistics EventStore
Displays statistics for the EventStore.

Displaying Interface Statistics
    sensor# show interfaces [clear]
Displays statistics for all system interfaces.
    sensor# show interfaces sensing name
Displays information about the sensing interfaces.
    sensor# show interfaces group [number]
Displays information about the logical interface group.
    sensor# show interfaces command-control
Displays information about the command and control interface.

Displaying Tech Support Information
    sensor# show tech-support [page] [password] [destination destination-url]
Displays the current system status.
    sensor# show tech-support destination destination-url
    password: *******
Places the tech-support output into the file ~csidsuser/reports/sensor1Report.html on the destination host.
Without the password keyword, passwords and other security-sensitive values are removed from the output; include it only when the report will be handled and stored securely.

Rebooting the Sensor
    sensor# reset [powerdown]
Shuts down the applications running on the Sensor and reboots it.
    sensor# reset
    Warning: Executing this command will stop all applications and reboot the node. Continue with reset?: yes
    Request Succeeded.

Backing Up and Restoring Configurations
    sensor# copy [/erase] source-url destination-url
Copies configuration files.
    sensor# copy current-config backup-config
Creates a backup configuration.
    sensor# copy /erase backup-config current-config
Overwrites the current configuration with the backup configuration.
The /erase keyword erases the destination before the copy; without it the source is merged into the existing destination configuration, so use /erase when the intent is to restore a known state rather than to add to it.

Recovering the Application Partition
    sensor(config)# recover application-partition
Reimages the application partition with the application image stored on the recovery partition.
    sensor(config)# recover application-partition
    Warning: Executing this command will stop all applications and re-image the node to version 4.0(1)S29. All configuration changes except for network settings will be reset to default. Continue with recovery?: yes
    Request Succeeded.
Because everything except the network settings is reset, copy the current configuration to a destination off the Sensor before recovering, and expect to reapply signature updates and software upgrades afterwards.

Summary

– Obtain management access to a Sensor by the following methods:
  – Connect a keyboard and a monitor.
  – Attach a console cable.
  – Use Telnet, SSH, or IDM via the network.
– The Sensor is bootstrapped using the setup command.
– IDS Software Versions 4.0 and higher include a full CLI.

Summary (Cont.)
– The CLI uses syntax similar to that of the Cisco IOS software.
– The CLI provides all the necessary functionality to configure and manage the Sensor.
– The CLI provides several troubleshooting features.

Lab Exercise

Lab Visual Objective
(Network diagram: sensorP and sensorQ, the Student PCs, Routers P and Q, and the RBB, RTS, Web, and FTP hosts.)