
Lesson 3

Getting Started with the IPS Command-Line Interface

© 2005 Cisco Systems, Inc. All rights reserved. IDS v5.0—3-1


Command-Line Overview



Accessing the CLI

You can access the CLI of a sensor appliance running software version 5.0 via the following:
• SSH
• Serial interface connection
• Telnet (disabled by default)



CLI Features

The IDS 5.0 CLI includes the following features:
• Help
• Tab completion
• Command abbreviation
• Command recall
• User interactive prompts



CLI Use

The CLI can be used to perform the following:


• Sensor initialization tasks
• Configuration tasks
• Administrative tasks
• Troubleshooting



CLI Modes

The IPS 5.0 CLI has the following command modes:
• Privileged EXEC mode
• Global configuration mode
• Service mode
• Multi-instance service mode



Privileged EXEC Mode

The following tasks are performed in privileged EXEC mode:
• Initialize the sensor
• Reboot the sensor
• Enter configuration mode
• Terminate current login session
• Display system settings
• Ping

sensor#



Global Configuration Mode

The following tasks are performed in global configuration mode:
• Create user accounts
• Configure SSH and TLS settings
• Reimage the application partition
• Upgrade and downgrade system software and signatures
• Enter service configuration mode

sensor# configure terminal
sensor(config)#



Service Mode
sensor(config)# service ?
alarm-channel-configuration   Deprecated - Enter configuration mode for the alarm channel
analysis-engine               Enter configuration mode for global analysis engine options
authentication                Enter configuration mode for user authentication options
event-action-rules            Enter configuration mode for the event action rules
host                          Enter configuration mode for node configuration
interface                     Enter configuration mode for interface configuration
logger                        Enter configuration mode for debug logger
.
.
.

• Service mode is a generic command mode.
• It enables you to enter configuration mode for various services.

Multi-Instance Service Mode: Service Signature Definition

The following tasks are performed in service signature definition mode:
• Modify signatures
• Reset signature settings to the defaults

sensor(config)# service signature-definition sig0
sensor(config-sig)# ?
application-policy   Application Policy Enforcement Parameters
default              Set the value back to the system default settings
.
.
.



Multi-Instance Service Mode: Service Event Action Rules

Within the service event action rules mode, you can perform such tasks as configuring rules to filter events.

sensor(config)# service event-action-rules rules0
sensor(config-sig)# ?
application-policy   Application Policy Enforcement Parameters
default              Set the value back to the system default settings
.
.
.



Sensor Software Installation



Software Installation Overview

You can use the CLI upgrade command to upgrade your sensor from software version 4.x to 5.0. Using the upgrade command is characterized by the following:
• It retains your configuration.
• It requires that the sensor is running IDS 4.1 prior to upgrade.



Major Update Files

IDS-K9-maj-w.x-y-Sz.rpm.pkg

• maj: upgrade type
• w: major version level
• x: minor version
• y: service pack level
• Sz: signature version level
• .rpm.pkg: extension

Example: IDS-K9-maj-5.0-1-S149.rpm.pkg

Supported File Servers

To use the upgrade command to upgrade the sensor from software version 4.X to 5.0, the sensor must have network access to the file server containing the upgrade file. The following servers are supported:
• FTP
• SCP
• HTTP
• HTTPS



upgrade Command

sensor(config)#
upgrade source-url
• Applies a service pack, signature update, or image upgrade from an FTP, SCP, HTTP, or HTTPS server

sensor(config)# upgrade ftp://administator@10.0.1.12/IDS-K9-maj-5.0-1-S149.rpm.pkg
• Upgrades the sensor to IPS software version 5.0
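
A pre-flight check for the upgrade source URL, covering the file naming convention and the supported file servers described above. This is an added example, not part of the Cisco course material: the function names, the findings wording and the running-version argument are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

SUPPORTED = {"ftp", "scp", "http", "https"}   # servers the slides list
CLEARTEXT = {"ftp", "http"}                   # no transport encryption

# IDS-K9-<type>-<w>.<x>-<y>-S<z>.rpm.pkg, the naming pattern shown above
PKG_RE = re.compile(
    r"IDS-K9-(?P<type>[a-z]+)-(?P<major>\d+)\.(?P<minor>\d+)"
    r"-(?P<service_pack>\d+)-S(?P<signature>\d+)\.rpm\.pkg"
)


def parse_package(filename):
    """Split an update file name into its version fields."""
    m = PKG_RE.fullmatch(filename)
    if m is None:
        raise ValueError(f"not an IDS-K9 update file name: {filename!r}")
    fields = m.groupdict()
    return {k: v if k == "type" else int(v) for k, v in fields.items()}


def preflight(source_url, running_version):
    """Return (package fields, findings) for an upgrade source URL."""
    url = urlsplit(source_url)
    scheme = url.scheme.lower()
    if scheme not in SUPPORTED:
        raise ValueError(f"unsupported file server type: {scheme!r}")
    pkg = parse_package(url.path.rsplit("/", 1)[-1])
    findings = []
    if scheme in CLEARTEXT:
        findings.append(f"{scheme} is unencrypted; scp or https protects "
                        "the login and the package in transit")
    if url.password is not None:
        findings.append("password embedded in the URL")
    # The slides require IDS 4.1 before the major upgrade to 5.0.
    to_5_0 = (pkg["type"], pkg["major"], pkg["minor"]) == ("maj", 5, 0)
    if to_5_0 and not re.match(r"4\.1(\D|$)", running_version):
        findings.append(f"sensor runs {running_version}; upgrade needs 4.1")
    return pkg, findings


if __name__ == "__main__":
    # URL taken from the slide; "4.1" is a constructed running version.
    print(preflight(
        "ftp://administator@10.0.1.12/IDS-K9-maj-5.0-1-S149.rpm.pkg", "4.1"))
```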



Sensor Initialization



Management Access

These methods are used to gain management access to a Cisco IPS sensor appliance:
• Console port (cable provided)
• Telnet
• SSH
• HTTPS



Sensor Initialization Tasks

Perform these tasks to initialize the sensor:
• Assign a name to the sensor.
• Assign an IP address and netmask to the sensor command and control interface.
• Assign a default gateway.
• Enable or disable the Telnet server.
• Specify the web server port.
• Create network ACLs.
• Configure the date and time.
• Configure the sensor interfaces.

setup Command



Administrative Tasks



Diagnosing Network Connectivity

sensor#
ping address [count]
• Diagnoses basic network connectivity

sensor# ping 172.26.26.50 3
• Diagnoses network connectivity to host 172.26.26.50 by sending three echo requests



Tracing a Route

sensor#
trace address [count]

• Displays the route an IP packet takes to a destination

sensor1# trace 172.26.26.150
traceroute to 172.26.26.150 (172.26.26.150), 4 hops max, 40 byte packets
1 10.0.1.2 (10.0.1.2) 21.693 ms 11.061 ms 9.659 ms
2 172.16.1.1 (172.16.1.1) 13.303 ms 11.943 ms 15.468 ms
3 172.30.1.1 (172.30.1.1) 32.837 ms * 14.304 ms
sensor1#

• Displays the route an IP packet takes to host 172.26.26.150

Creating a Login Banner
sensor(config)#
banner login
• Enables you to create a banner message to display
on the terminal screen

sensor1(config)# banner login
Banner[]:Authorized access only^MThis system is the property of Cisco Systems^MDisconnect IMMEDIATELY if you are not an authorized user

Creates the following banner message:
• Authorized access only
• This system is the property of Cisco Systems
• Disconnect IMMEDIATELY if you are not an authorized user

Changing the FTP Timeout

sensor(config-hos-net)#
ftp-timeout timeout
• Changes the FTP client timeout used when communicating with an FTP server

sensor1(config-hos-net)# ftp-timeout 600
• Changes the FTP timeout to 600 seconds



Basic Troubleshooting Commands



Displaying the Current Version

sensor#
show version
• Displays version information for all installed operating system packages and signature packages



Displaying the Configuration

sensor#
more keyword | [ begin | exclude | include filter]
• Displays the sensor configuration

sensor# more current-config | include access-list
access-list 10.0.1.12/32
access-list 10.0.2.0/24

• Displays only the access-list portions of the current configuration
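
In the sensor's host service, each access-list entry names a host or network allowed to reach the sensor for management, so the filtered output above is worth checking against the hosts that actually administer it. The audit below is an added example, not part of the Cisco course material; the function names, the management-host inventory and the size ceiling are assumptions.

```python
import ipaddress


def parse_acl(config_text):
    """Collect the networks from 'access-list <network>/<prefix>' lines."""
    nets = []
    for line in config_text.splitlines():
        words = line.split()
        if len(words) == 2 and words[0] == "access-list":
            # strict=True rejects entries with host bits set, e.g. 10.0.2.5/24
            nets.append(ipaddress.ip_network(words[1], strict=True))
    return nets


def audit(nets, mgmt_hosts, max_addresses=256):
    """Compare ACL entries against the hosts that should manage the sensor."""
    hosts = [ipaddress.ip_address(h) for h in mgmt_hosts]
    return {
        # entries larger than the agreed ceiling (max_addresses is assumed)
        "broad": [str(n) for n in nets if n.num_addresses > max_addresses],
        # entries that admit none of the known management hosts
        "unused": [str(n) for n in nets if not any(h in n for h in hosts)],
        # management hosts that no entry admits
        "locked_out": [str(h) for h in hosts
                       if not any(h in n for n in nets)],
    }


# First two lines are the slide's output; the third is constructed.
SAMPLE = """\
access-list 10.0.1.12/32
access-list 10.0.2.0/24
access-list 10.0.0.0/8
"""
# Constructed inventory of hosts expected to manage the sensor.
MGMT_HOSTS = ["10.0.1.12", "192.168.5.9"]

if __name__ == "__main__":
    for finding, items in audit(parse_acl(SAMPLE), MGMT_HOSTS).items():
        print(f"{finding}: {items}")
```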



Displaying Settings

sensor(config-ser)#
show settings [terse] | [ begin | exclude | include filter]
• Displays the contents of the configuration contained in the current mode

sensor(config-hos)# show settings terse | begin access-list
• Displays the contents of the configuration contained in the service host mode beginning with the regular expression “access-list”



Displaying Events

sensor#
show events [ { alert [informational] [low] [medium] [high]
    [include-traits traits] [exclude-traits traits]
    | error [warning] [error] [fatal] | log | NAC | status } ]
    [hh:mm:ss month day [year] | past hh:mm:ss]
• Displays the requested events

sensor# show events alert high 10:00 jan 1 2005
• Displays all high-severity alerts since 10:00 a.m., January 1, 2005



Defaulting a Service

sensor(config)#
default service { analysis-engine | authentication | event-action-rules | host |
    interface | logger | network-access | notification | signature-definition |
    ssh-known-hosts | trusted-certificates | web-server }
• Restores the default settings to the specified service

sensor(config)# default service host
• Restores the default settings to the host service



Backing Up and Restoring Configurations

sensor#
copy [/erase] source-url destination-url
• Copies configuration files

sensor# copy current-config backup-config
• Creates a backup configuration

sensor# copy /erase backup-config current-config
• Overwrites the current configuration with the backup configuration



Summary


• You can obtain management access to a sensor appliance by the following methods:
– Attaching a console cable
– Using Telnet or SSH via the network
• The sensor is bootstrapped using the setup command.
• IDS software versions 4.0 and higher include a full CLI.
• The CLI uses syntax similar to that of the Cisco IOS
software.
• The CLI provides all the necessary functionality to
configure and manage the sensor.
• The CLI provides several commands for verifying
configuration and system information, backing up a
configuration, and restoring a configuration.



Lab Exercise



Lab Visual Objective

[Figure: lab network topology. Labels recoverable from the diagram: Web and FTP server (.50) and host (.150) on 172.26.26.0; RBB; prP and prQ; networks 172.30.P.0 and 172.30.Q.0; networks 172.16.P.0 and 172.16.Q.0; sensorP and sensorQ; rP and rQ; networks 10.0.P.0 and 10.0.Q.0; RTS (.100); Student PCs 10.0.P.12 and 10.0.Q.12.]