Sensor Installation

When installing your appliance sensor, the necessary steps vary depending on whether you are upgrading an appliance from version 4.1 or configuring a brand new appliance. When configuring a brand new appliance, you need to initialize the sensor. If you are upgrading, however, your sensor has already been initialized. Therefore, you need to upgrade only the sensor software to Cisco IPS version 5.0. The two methods for upgrading the sensor software from version 4.1 to 5.0 are as follows:
Note: Installing a second hard-disk drive in a 4235 or 4250 sensor may render the sensor unable to recognize the recover command used for re-imaging the appliance. Spare hard-disk drives are meant to be replacements for the original hard-disk drives, not to be used along with the original hard-disk drive.

Installing 5.0 Software via the Network

Some appliance sensors have no CD-ROM drive. On these systems, you can't upgrade the software by using a CD. Instead, you must perform the software upgrade across the network. These systems also require you to connect to the sensor via the serial port to access the sensor CLI, since they have no keyboard or mouse ports. The following appliance sensors are diskless and do not have CD-ROM drives:
To upgrade a diskless appliance sensor, you use the upgrade command (from the sensor's CLI) to install the 5.0 software. The syntax for the upgrade command is as follows:

    upgrade source-url

You can retrieve the new software image through Secure Copy (SCP), FTP, HTTP, or Secure Hypertext Transfer Protocol (HTTPS). When specifying the source-url, you can specify either the complete location or simply scp:, ftp:, http:, or https:, in which case you will be prompted for the necessary fields. The prompts you see when using SCP are displayed in Example 2-1.

Example 2-1. Prompts When Using SCP

    Sensor(config)# upgrade scp:
    User: IDSuser
    Server's IP Address: 10.89.139.100
    Port[22]:
    File Name: IDS50/IPS-K9-maj-5.0-0.15b-S91-0.15-.rpm.pkg
    Password: ********
    Warning: Executing this command will apply a major version upgrade to the application partition. The system may be rebooted to complete the upgrade.
    Continue with upgrade? : yes

Note: To use SCP to upgrade the sensor software, you must first add the Secure Shell (SSH) server public key (for the host where the new software is located) to the list of sensor's authorized SSH hosts. Do this by using the ssh host-key global configuration command (see the "Adding a Known SSH Host" section later in the chapter).

Installing 5.0 Software from a CD

On sensors that have a CD-ROM drive, you can install the 5.0 software by using the recovery CD, instead of installing through the network.

Note: Installing the 5.0 software via the recovery CD is not an upgrade of the existing 4.1 software. Therefore, the installation will remove your existing software (including all of your configuration information). You should save your configuration before performing the installation.

After powering on the appliance, insert the Cisco IDS 5.0(1) Upgrade/Recovery CD into the CD-ROM drive located in the front of the appliance. Example 2-2 displays the boot menu text that explains the two options you can use to install the 5.0 software.

Example 2-2. Boot Menu

    Cisco IPS 5.0(1) Upgrade/Recovery CD!
    - To recover the Cisco IPS 5.0(1) Application using a local keyboard/monitor, Type: k <ENTER>. (WARNING: ALL DATA ON DISK 1 WILL BE LOST)
    - To recover the Cisco IPS 5.0(1) Application using a serial connection, Type: s <ENTER>, or just press <ENTER>. (WARNING: ALL DATA ON DISK 1 WILL BE LOST)
    boot:

Note: If you do not insert the CD into the drive quickly enough, the system may boot the normal image on the disk. If the system does not boot from the CD, then just leave the CD in the drive and reboot the system.

You can install either from a keyboard connected to the appliance or through a serial connection (via the console port). Your two options are as follows:
After the installation is complete, you can continue with the sensor configuration. At this point, the sensor needs to be initialized just like a brand new appliance sensor.

Sensor Initialization

When you install a brand new appliance, you need to perform the following initial configuration tasks:
Some other tasks you also may need to perform during initialization include the following:
Accessing the CLI

To begin sensor initialization, access the CLI by using either an attached keyboard or a serial connection to the console port. The default account is cisco, with a password of cisco. You will be immediately prompted to change this default password. Your new password must have the following properties:
Note: Selecting strong passwords helps ensure that an attacker cannot easily guess the passwords by using commonly available password cracking tools. The sensor performs some basic checks to strengthen the passwords you use, but you can also take your own precautions. Keep in mind the following when selecting a password:
Improve your password selection by observing the following practices:
Besides accessing the CLI from the serial port (or directly attached keyboard and monitor), you can also connect to the CLI by using either Telnet or SSH. By default, the access lists on the sensor allow access only from systems on the class C subnet 10.1.9.0 (with the sensor being 10.1.9.201 and a default gateway being 10.1.9.1). To enable CLI access to the sensor from other systems, you will need to update the sensor's access control lists (through the service host > network settings sensor global configuration command). By default, access to the sensor through Telnet (TCP port 23) is disabled. SSH access (TCP port 22), however, is enabled.

Running the setup Command

Once you access the CLI by using the default account, you will see the Sensor# prompt. To configure the basic sensor parameters, run the setup command. This command enables you to configure the following sensor parameters:
When using the setup command, you will see output similar to that in Example 2-3.

Example 2-3. setup Command Output

    Sensor# setup

    --- System Configuration Dialog ---

    At any point you may enter a question mark '?' for help.
    User ctrl-c to abort configuration dialog at any prompt.
    Default settings are in square brackets '[]'.

    Current Configuration:

    service host
    network-settings
    host-ip 10.1.9.201/24,10.1.9.1
    host-name Sensor
    telnet-option disabled
    access-list 10.1.9.0/24
    ftp-timeout 300
    login-banner-text
    exit
    time-zone-settings
    offset -360
    standard-time-zone-name GMT-06:00
    exit
    summertime-option disabled
    ntp-option disabled
    exit
    service web-server
    port 443
    exit
    service interface
    physical-interfaces GigabitEthernet0/3
    no description
    admin-state disabled
    duplex auto
    speed 1000
    alt-tcp-reset-interface none
    exit
    physical-interfaces GigabitEthernet0/2
    no description
    admin-state disabled
    duplex auto
    speed 1000
    alt-tcp-reset-interface none
    exit
    physical-interfaces GigabitEthernet0/1
    no description
    admin-state disabled
    duplex auto
    speed 1000
    alt-tcp-reset-interface none
    exit
    physical-interfaces GigabitEthernet0/0
    no description
    admin-state disabled
    duplex auto
    speed 1000
    alt-tcp-reset-interface none
    exit
    exit
    service analysis-engine
    virtual-sensor vs0
    description default virtual sensor
    exit
    exit

    Current time: Mon Jan 31 09:54:44 2005

    Setup Configuration last modified: Sun Jan 30 00:16:47 2005

    Continue with configuration dialog?[yes]:
    Enter host name[Sensor]: IDS4240
    Enter IP interface[10.1.9.201/24,10.1.9.1]:10.40.10.100/24,10.40.10.1
    Enter telnet-server status[disabled]:
    Enter web-server port[443]:
    Modify current access list?[no]: yes
    Current access list entries:
    [1] 10.1.9.0/24
    Delete:
    Permit: 10.40.0.0/16
    Permit:
    Modify system clock settings?[no]:
    Modify virtual sensor "vs0" configuration?[no]: yes
    Current interface configuration
    Command control: Management0/0
    Unused:
    GigabitEthernet0/3
    GigabitEthernet0/2
    GigabitEthernet0/0
    GigabitEthernet0/1
    Promiscuous:
    Inline:
    None
    Delete Promiscuous interfaces?[no]:
    Add Promiscuous interfaces?[no]:
    Add Inline pairs?[no]: yes
    Pair name: perimeter
    Description[Created via setup by user cisco]: Perimeter protection sensor
    Interface1[]: GigabiEthernet0/3
    Interface2[]: GigabiEthernet0/2
    Pair name:

    The following configuration was entered.

    service host
    network-settings
    host-ip 10.40.10.100/24,10.40.10.1
    host-name Ids4240
    telnet-option disabled
    access-list 10.9.1.0/24
    access-list 10.40.10.0/16
    ftp-timeout 300
    no login-banner-text
    exit
    time-zone-settings
    offset -360
    standard-time-zone-name GMT-06:00
    exit
    summertime-option disabled
    ntp-option disabled
    exit
    service web-server
    port 443
    exit
    service interface
    physical-interfaces GigabitEthernet0/3
    no description
    admin-state enabled
    duplex auto
    speed 1000
    alt-tcp-reset-interface none
    exit
    physical-interfaces GigabitEthernet0/2
    no description
    admin-state enabled
    duplex auto
    speed 1000
    alt-tcp-reset-interface none
    exit
    physical-interfaces GigabitEthernet0/1
    no description
    admin-state disabled
    duplex auto
    speed 1000
    alt-tcp-reset-interface none
    exit
    physical-interfaces GigabitEthernet0/0
    no description
    admin-state disabled
    duplex auto
    speed 1000
    alt-tcp-reset-interface none
    exit
    inline-interfaces perimeter
    description Perimeter protection sensor
    interface1 GigabitEthernet0/3
    interface2 GigabitEthernet0/2
    exit
    exit
    service analysis-engine
    virtual-sensor vs0
    description default virtual sensor
    logical-interface perimeter
    exit
    exit

    [0] Go to the command prompt without saving this config.
    [1] Return back to the setup without saving this config.
    [2] Save this configuration and exit setup.

    Enter your selection[2]:

Note: You manage your sensor through the command and control interface. To allow your management systems to access the sensor, you must configure the appropriate network access list entries for appropriate management of IP addresses.
In conjunction with using the setup command, these access list entries can be modified at any time by using the service host > network-settings CLI command.

After entering the information for the setup command, you receive the prompt shown at the end of Example 2-3. Enter 2 (or just press Enter) to save the configuration. After the configuration is saved, you will see the following prompt to change the system time (unless you configured the sensor to use a Network Time Protocol server):

    *06:33:33 UTC Thu Nov 18 2004
    Modify system date and time?[no]:

If the time is incorrect, enter yes to change it. You may also be prompted to reboot the sensor with the following prompt:

    Continue with reboot? [yes]:

Enter no to this prompt because you still need to configure a few more parameters. You can reboot the sensor later to make all of the changes take effect at the same time.

Note: To reboot the sensor later, you can use the reset command from the Privileged Exec mode.

Creating the Service Account

You should create a Service account for the Cisco Technical Assistance Center (TAC) to use when troubleshooting problems with your IPS appliance. Unlike other user roles in which the same role can be assigned to multiple user accounts, you can assign the Service role to only one account on your IPS appliance. To create a Service account, perform the following steps in an Administrator account:
When you log in to the IPS appliance by using the Service account, you will receive the warning in Example 2-4.

Example 2-4. Warning When You Use the Service Account to Log in to the IDS Appliance

    ************************ WARNING ************************
    UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
    This account is intended to be used for support and troubleshooting purposes only. Unauthorized modifications are not supported and will require this device to be re-imaged to guarantee proper operation.
    *********************************************************

This serves as a reminder that the Service account is designed solely for troubleshooting your sensor's operation and for other support purposes. Adding or enabling additional services or applications will make the IPS appliance configuration unsupported.

Manually Setting the System Clock

Many network environments use automatic clock functionality, such as Network Time Protocol (NTP). These configurations automatically adjust the time on your devices based on a known time source. If you do not have such a mechanism, you may need to manually set the time on your IPS appliance.

Note: The IDS module obtains its time configuration from the Catalyst 6500 switch in which it is housed, so you should not need to set the time by using the clock set command.

Besides running setup, you can also manually set the time on your IPS sensor by using the clock set Privileged Exec command. The syntax for this command is as follows:

    clock set hh:mm[:ss] month day year

The parameters for the clock set command are described in Table 2-2.
Suppose that you want to set the current time on your IPS appliance to one o'clock in the afternoon on January 1, 2005. To accomplish this, you would use the following command after logging in to your appliance:

    sensor# clock set 13:00 January 1 2005
    sensor#

Changing your Password

All users on your IPS appliance can change their password. You can change your password through the CLI by using the password Global Configuration mode command.

Note: You can also change your account password through graphical management applications (such as IPS Device Manager).

The password command requires no parameters. To change your password, enter your old password and then enter your new password twice (to verify that you entered it correctly, since it is not displayed on the screen).

Note: Since the Service account bypasses the sensor CLI, you can change its password either by using an account with administrative privileges or by using the passwd command at the bash shell prompt.

Adding and Removing Users

In the Global Configuration mode, you can add new users to and remove existing users from your sensor. The username Global Configuration mode command enables you to add new users. To remove an existing user, simply insert the keyword no in front of the regular username command. The syntax for the username command is as follows:

    username name [password password] [privilege administrator|operator|viewer|service]

The sequence of commands in Example 2-5 illustrates the process of adding to your sensor the user newuser with a privilege level of Operator.

Example 2-5. Adding to Your Sensor the User newuser with a Privilege Level of Operator

    sensor# configure terminal
    sensor(config)# username newuser privilege operator
    Enter new login password: ******
    Re-enter new login password: ******
    sensor(config)# exit
    sensor#

Note: From the Privileged Exec mode, you can confirm your user configuration changes by running the show users all command.
You will want to add accounts to support your network environment. At minimum, you need to create an account with Viewer privileges; you will need this to enable your monitoring application to access the sensor and retrieve alarm information.

Note: You can also add and remove accounts through the graphical management applications (such as IPS Device Manager).

Adding a Known SSH Host

Your sensor maintains a list of validated SSH known hosts so that the sensor can verify the identity of the servers with which it communicates when it is operating as an SSH client. Adding an entry to the known SSH hosts list also enables you to do the following:
The syntax for the ssh host-key command is as follows:

    ssh host-key ip-address [key-modulus-length] [public-exponent] [public-modulus]

The parameters for the ssh host-key command are described in Table 2-3.
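When the key-modulus-length, public-exponent, and public-modulus values are obtained from the server over a trusted channel, the fingerprint the sensor displays while adding a host key can be recomputed and compared before you answer yes. The following Python example is added here and is not from the book or from Cisco; it assumes the parameters are decimal protocol-1 RSA values and that the fingerprint follows the OpenSSH convention for such keys (MD5 over the modulus bytes followed by the exponent bytes). The key values are constructed and far too small to be a real key.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample: full-form command with a 64-bit modulus (not a real key).
TRUSTED_KEY = "ssh host-key 10.89.132.78 64 65537 9223372036854788153"
# Fingerprint shown in Example 2-6; it belongs to a different key than the sample.
PAGE_FP = "BE:70:50:15:2C:13:97:5C:72:53:06:9C:DC:4D:A3:20"


def parse_host_key(command):
    """Split the full form: ssh host-key ip-address length exponent modulus."""
    parts = command.split()
    if parts[:2] != ["ssh", "host-key"] or len(parts) != 6:
        raise ValueError("expected the full form of the ssh host-key command")
    return {
        "ip": ipaddress.ip_address(parts[2]),
        "bits": int(parts[3]),
        "exponent": int(parts[4]),
        "modulus": int(parts[5]),
    }


def _to_bytes(value):
    # Minimal big-endian encoding with no leading zero byte.
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


def md5_fingerprint(modulus, exponent):
    """Colon-separated MD5 over modulus bytes then exponent bytes (assumed convention)."""
    digest = hashlib.md5(_to_bytes(modulus) + _to_bytes(exponent)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def normalise(fingerprint):
    """Strip colons and case so two renderings of one fingerprint compare equal."""
    hexonly = fingerprint.strip().replace(":", "").upper()
    if len(hexonly) != 32 or any(c not in "0123456789ABCDEF" for c in hexonly):
        raise ValueError("not an MD5 fingerprint: %r" % fingerprint)
    return hexonly


def verify(command, displayed_fingerprint):
    """Compare trusted key parameters with the fingerprint the sensor displayed."""
    key = parse_host_key(command)
    actual_bits = key["modulus"].bit_length()
    if actual_bits != key["bits"]:
        return False, "key-modulus-length %d does not match the modulus (%d bits)" % (
            key["bits"], actual_bits)
    expected = normalise(md5_fingerprint(key["modulus"], key["exponent"]))
    if not hmac.compare_digest(expected, normalise(displayed_fingerprint)):
        return False, "fingerprint mismatch for %s: do not add this host key" % key["ip"]
    return True, "fingerprint matches the trusted key for %s" % key["ip"]


if __name__ == "__main__":
    good = md5_fingerprint(9223372036854788153, 65537)
    print(verify(TRUSTED_KEY, good))      # same key: accepted
    print(verify(TRUSTED_KEY, PAGE_FP))   # different key: rejected
```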
Note: You will normally specify an IP address only for the ssh host-key global configuration command. The sensor will contact the server and retrieve the other information. These keys are also used for SSH servers that the sensor needs to connect to. You do not have to define keys for the clients that connect to the sensor itself.

You can also view the currently configured SSH host keys by using the show ssh host-keys command. The command sequence in Example 2-6 adds the SSH host key for 10.89.132.78 to the list of known SSH host keys.

Example 2-6. Adding the SSH Host Key for 10.89.132.78 to the List of Known SSH Host Keys

    sensor# configure terminal
    sensor(config)# ssh host-key 10.89.132.78
    MD5 fingerprint is BE:70:50:15:2C:13:97:5C:72:53:06:9C:DC:4D:A3:20
    Bubble Babble is xepof-tudek-vycal-cynud-tolok-holek-zygaf-kuzak-syfot-tubec-paxox
    Would you like to add this to the known hosts table for this host?[yes]: yes
    sensor(config)# exit
    sensor#

Note: To increase security when adding a new SSH host key, you should manually verify the key value presented before you add the new SSH host-key entry. Not verifying the key can allow someone to impersonate the real server.

IPS CLI

Beginning with Cisco IDS version 4.0, the IDS appliance has an IOS-like CLI that you can use to configure your sensor. When initially configuring your IPS appliance, you will use the CLI to perform many of the configuration steps.

Note: Although you can change most of the appliance's properties via the CLI, you will probably use the graphical user interfaces provided by IDS Device Manager and IDS Security Monitor to make most of the configuration changes to your appliance.

Using the Sensor CLI

You can configure essentially every property of your appliance through the CLI. Understanding the following CLI characteristics enables you to use the CLI more effectively:
Each of these characteristics is described in the following sections.

Prompts

Prompts displayed by the CLI are not user changeable, but they do indicate the area of the CLI that you are currently operating in. For instance, the Global Configuration mode is indicated by the following prompt (with a sensor name of "Sensor"):

    Sensor(config)#

For certain CLI commands, the system requires user input. When this happens, a prompt displays an option enclosed in square brackets (such as "[yes]"). To accept this default value, all you need to do is press Enter. Or you can override the default value by typing in another value.

Sometimes the information displayed in CLI exceeds the number of lines available on the screen. When this occurs, the appliance presents you with the more interactive prompt (indicating that more information is available). To display more of the information, you have the following two options:
Sometimes you may want to abandon the current command line and start over with a blank one. You can abort the current command line by pressing either the Ctrl-C or Ctrl-Q keys. To return to a previous command level, use the exit command.

Help

To get help on a command, use the ? character. You can use the ? character to obtain help in the following situations:
When using the help character after a complete command, you enter the command, then a space, and then the help character (?), as in Example 2-7.

Example 2-7. Using the Help Character After a Complete Command

    Sensor# show ?
    clock            Display system clock.
    configuration    Display the current system configuration.
    events           Display local event log contents.
    history          Display commands entered in current menu.
    interfaces       Display statistics and information about system interfaces.
    inventory        Display PEP information.
    privilege        Display current user access role.
    ssh              Display Secure Shell information.
    statistics       Display application statistics.
    tech-support     Generate report of current system status.
    tls              Display tls certificate information.
    users            Show all users currently logged into the system.
    version          Display product version information.
    Sensor#

Help will display all of the keywords or options that can be used with the partial command that you have already entered. You can also enter an incomplete command or option and use the help character to display all of the commands or options that begin with the specified sequence of characters, as in Example 2-8.

Example 2-8. Using the Help Character with an Incomplete Command

    Sensor(config)# service a?
    alarm-channel-configuration authentication analysis-engine
    Sensor(config)# service a

Tab Completion

Sometimes you may be unsure of the complete command to enter. After you type the beginning of a command, you can press the Tab key to have the system complete the command for you. If multiple commands match the command segment you typed, the system can't fill in the command; instead, it displays the commands that match your partial entry and then redisplays your partial command, as in Example 2-9.

Example 2-9. Using the Tab Key

    IDS4240(config)# service a<tab>
    alarm-channel-configuration authentication analysis-engine
    IDS4240(config)# service a

Command Recall

To cycle through the commands you have entered during your CLI session, use the up and down arrow keys on your keyboard. When you reach the end of the list, you will see a blank prompt.

Note: Instead of the arrow keys, you can press Ctrl-P for the up arrow and Ctrl-N for the down arrow.

Command Case Sensitivity

The CLI is case insensitive. For example, Configure and CONFigure represent the same command. When the system echoes the commands that you enter, however, it reproduces the commands in the case you typed. Suppose that you type the following at the command line:

    Sensor# CONF

Now if you press the Tab key to invoke command completion, the system displays the following:

    Sensor# CONFigure

Keywords

When using the CLI, you will enter various commands to change the configuration of your appliance. You can also use the following two keywords when entering commands via CLI:
If you want to reverse the effect of a command, you simply precede the command with the no keyword. For example, the access-list command allows management access from a specific host or network; using the no access-list command removes the previously granted access.

Some commands (such as those associated with signature tuning) have a default value. To return a command to its default value, use the default keyword when entering the command. For instance, when you configure the analysis-engine parameters (accessed via the service analysis-engine global configuration command) as in Example 2-10, the default command option enables you to set either the global-parameters or the virtual-sensor to its default settings.

Example 2-10. Setting Default Values

    Ids4240(config-ana)# ?
    default              Set the value back to the system default setting.
    exit                 Exit service configuration mode.
    global-parameters    Platform-wide configuration parameters.
    no                   Remove an entry or selection setting.
    show                 Display system settings and/or history information.
    virtual-sensor       Map of virtual sensor definitions.
    Ids4240(config-ana)# default ?
    global-parameters    Platform-wide configuration parameters.
    virtual-sensor       Reset virtual-sensorcontents back to default.
    Ids4240(config-ana)# default

User Roles

Beginning with version 4.0, the IDS appliance incorporated multiple user roles. When you create an account, you must assign it a user role. This user role determines the privileges of the account, and consequently the operations that the user can perform. Your Cisco IPS version 5.0 appliances support the following four user roles:
Each of these is discussed in the following sections.

Administrator

When you assign the Administrator role to an account, you enable the user of that account to perform every operation on the appliance that is available through the CLI. Some of the capabilities available to accounts with Administrator access are as follows:
Operator

The second-highest user role is the Operator role. Any accounts assigned the Operator role have unrestricted viewing capability to sensor information, along with the following functions:
Viewer

The lowest-privileged user role is the Viewer role. When you assign the Viewer role to an account, you enable the user to view the configuration and event data on your appliance. The only appliance information that users with this role can change is their password.

Note: Applications (such as the IDS Security Monitor) that you use to monitor your IPS appliance can operate with only Viewer-level access to the sensor. You can create an account with Viewer access by using the CLI and then configure your monitoring applications to use this account when retrieving information from your IPS appliance.

Service

The Service role enables you to create a special account that can access the native operating system (OS) command shell rather than the sensor's normal CLI interface. The purpose of this account is not to support configuration of the sensor, but instead to provide an enhanced troubleshooting capability. By default, your sensor does not have a service account. You must create a service account to enable TAC to use this account during troubleshooting.

The sensor allows you to assign the Service role to only one account on the sensor. When the Service account's password is set (or reset), the Linux root account's password is automatically synchronized to this new password. This enables the Service account user to use the su command to access root privileges on the sensor.

Note: On UNIX systems, the most privileged account is named root. This account has virtually unlimited powers on the system. Gaining root access to a system enables an attacker to totally control the system. Similarly, the Service account has virtually unlimited powers on the sensor. Therefore, you need to protect access to the Service account.

Caution: Making modifications to your sensor by using the Service account can make your sensor unsupported by the Cisco TAC.
Cisco does not support adding any services or programs to your sensor, since doing so can impact the proper performance and functioning of the other IDS services. Furthermore, access to the Service account is recorded on the sensor.

CLI Command Modes

The CLI on your IPS appliance is organized into various modes. Each of these modes gives you access to a subset of the commands that are available on your IPS appliance. Numerous CLI modes such as the following are available on the IPS appliance:
Each of these is described in the following sections.

Privileged Exec

The Privileged Exec mode is the initial mode that you enter upon logging in to the IDS appliance. You can recognize this mode because it is composed of simply the sensor name followed by the # character, such as in the following example (assuming a sensor name of IDS4250):

    IPS4250#

Some of the tasks that you can perform in the Privileged Exec mode are as follows:
Global Configuration

You need to enter the Global Configuration mode, as you do in IOS, to change the configuration parameters on your IPS appliance. You access the Global Configuration mode by entering the configure terminal command from the Privileged Exec mode. When you enter this mode, the prompt changes to the following:

    IPS4250(config)#

Some of the tasks that you can perform in the Global Configuration mode are as follows:
Service

The Service mode is a generic third-level command mode. It enables you to enter the configuration mode for the following services:
Each of these is described in the following sections.

Service Analysis-Engine

The analysis-engine mode is a third-level service mode that enables you to perform various tasks such as the following:
You can recognize this mode because the prompt changes to the following:

    IDS4250(config-ana)#

Service Authentication

The authentication mode is a third-level service mode that enables you to configure the maximum failure attempts allowed before an account becomes disabled. You can recognize this mode because the prompt changes to the following:

    IPS4250(config-aut)#

This setting applies to all accounts on the system. By default, account lockout is not enabled. You need to be careful when enabling it, since you can potentially lock out your account that has administrative access.

Service Event-Action-Rules

The event-action-rules mode is a third-level service mode that enables you to perform various event-related tasks such as the following:
You can recognize this mode because the prompt changes to the following:

    IPS4240(config-rul)#

When entering this mode, you must specify the name of the instance configuration. Currently, the only instance allowed is rules0. In the future, however, you may be able to specify multiple configuration instances. Therefore, to access the event-action-rules mode, you use the following command:

    IPS4240(config)# service event-action-rules rules0
    IPS4240(config-rul)#

Note: The event-action-rules configuration replaces the alarm-channel-configuration that was available in Cisco IDS version 4.0.

Service Host

The host mode is a third-level service mode that enables you to perform various host-related tasks such as the following:
You can recognize this mode because the prompt changes to the following:

    IPS4250(config-hos)#

The following two fourth-level configuration modes are accessible via the host mode:
The network-settings mode enables you to configure numerous host-related items, such as the following:
You can recognize the network-settings mode by the following command prompt:

    IPS4250(config-hos-net)#

The time-zone-settings mode enables you to complete time-related tasks, such as the following:
You can recognize the time-zone-settings mode by the following command prompt:

    IPS4250(config-hos-tim)#

Service Interface

The interface mode is a third-level service mode that enables you to perform the following tasks:
You can recognize the interface mode by the following command prompt:

    IPS4250(config-int)#

Service Logger

The logger mode is a third-level service mode that enables you to configure the debug levels for the sensor. You can recognize this mode because the prompt changes to the following:

    IPS4250(config-log)#

Service Network-Access

The network-access mode is a third-level service mode that enables you to perform the following tasks:
You can recognize this mode because the prompt changes to the following:

    IPS4250(config-net)#

You can also enter a general fourth-level command mode that enables you to define many of the sensor's IP-blocking (shun) settings, such as the following:
You can recognize this fourth-level mode because the prompt changes to the following:

    IPS4250(config-net-gen)#

Service Notification

The notification mode is a third-level service mode that enables you to configure the Simple Network Management Protocol (SNMP) characteristics of the sensor, such as the following tasks:
You can recognize this fourth-level mode because the prompt changes to the following:

    IPS4250(config-not)#

Service Signature-Definition

The signature-definition mode is a third-level service mode that enables you to perform various signature-related tasks, such as the following:
You can recognize this fourth-level mode because the prompt changes to the following:

    IPS4250(config-sig)#

When entering this mode, you must specify the name of the instance configuration. Currently, the only instance allowed is sig0. In the future, however, you may be able to specify multiple configuration instances. To access the signature-definition mode, use the following command:

    IPS4240(config)# service signature-definition sig0
    IPS4240(config-sig)#

Service SSH-Known-Hosts

The ssh-known-hosts mode is a third-level service mode that enables you to perform various SSH-related tasks, such as the following:
You can recognize this third-level mode because the prompt changes to the following:

    IPS4250(config-ssh)#

Service Trusted-Certificates

The trusted-certificates mode is a third-level service mode that enables you to perform various TLS/SSL-related tasks, such as the following:
You can recognize this third-level mode because the prompt changes to the following:

    IPS4250(config-tru)#

Service Web-Server

The web-server mode is a third-level service mode that enables you to perform the following tasks:
You can recognize this third-level mode because the prompt changes to the following:

    IPS4250(config-web)#

Administrative Tasks

The sensor command line enables you to perform numerous administrative tasks, such as the following:
Some of these tasks will be covered in Chapter 12, "Verifying System Configuration." For detailed information on how to perform these administrative tasks, refer to the CLI documentation at Cisco.com (http://www.cisco.com/go/ids).

Configuration Tasks

The CLI provides you with a textual interface that enables you to configure essentially every facet of the sensor's configuration, such as the following:
Configuring these tasks through the CLI, however, is not a simple task. Most people prefer to use a graphical interface, such as Cisco IPS Device Manager, to configure these parameters. Numerous chapters in this book explain how to configure these characteristics of your sensor by using the Cisco IPS Device Manager. For complete documentation on Cisco IDS version 5.0 CLI, refer to the documentation at Cisco.com (http://www.cisco.com/go/ids).
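The network-settings block that setup echoes in Example 2-3 decides which systems can reach the sensor's command and control interface, so it is worth checking before you save it with option 2. The following Python example is added here and is not from the book or from Cisco; it audits a configuration excerpt for Telnet, factory-default addressing, and access-list entries that are malformed or fall outside an approved management range. The sample text is constructed from the values in Example 2-3, and the approved range 10.40.0.0/16 and the finding codes are assumptions of the example.

```python
import ipaddress

# Factory defaults stated in the text: sensor 10.1.9.201, access list 10.1.9.0/24.
FACTORY_HOST = ipaddress.ip_address("10.1.9.201")
FACTORY_ACL = ipaddress.ip_network("10.1.9.0/24")

# Constructed sample, laid out like the saved configuration in Example 2-3.
SAMPLE = """\
service host
network-settings
host-ip 10.40.10.100/24,10.40.10.1
host-name Ids4240
telnet-option disabled
access-list 10.9.1.0/24
access-list 10.40.10.0/16
ftp-timeout 300
no login-banner-text
exit
exit
service web-server
port 443
exit
"""


def parse_network_settings(text):
    """Return the settings found under 'service host' > 'network-settings'."""
    settings = {"access-list": []}
    in_host = in_net = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "service host":
            in_host = True
        elif line.startswith("service "):
            in_host = in_net = False
        elif in_host and line == "network-settings":
            in_net = True
        elif in_net and line == "exit":
            in_net = False
        elif in_net and line and not line.startswith("no "):
            key, _, value = line.partition(" ")
            if key == "access-list":
                settings["access-list"].append(value)
            else:
                settings[key] = value
    return settings


def audit(text, approved_mgmt):
    """Return (code, detail) findings for the sensor's management plane."""
    settings = parse_network_settings(text)
    approved = [ipaddress.ip_network(n) for n in approved_mgmt]
    findings = []

    # The text states Telnet is disabled by default and SSH is enabled.
    if settings.get("telnet-option", "disabled") != "disabled":
        findings.append(("TELNET_ENABLED", "telnet-option " + settings["telnet-option"]))

    # host-ip has the form address/prefix,gateway.
    iface = None
    addr, _, gateway = settings.get("host-ip", "").partition(",")
    if addr:
        iface = ipaddress.ip_interface(addr)
        if iface.ip == FACTORY_HOST:
            findings.append(("FACTORY_HOST_IP", addr))
        if gateway and ipaddress.ip_address(gateway) not in iface.network:
            findings.append(("GATEWAY_OFF_SUBNET", gateway))

    for entry in settings["access-list"]:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(("INVALID_ACL", entry))
            continue
        if str(net) != entry:
            # Address part is not the network address for that prefix length.
            findings.append(("HOST_BITS_SET", "%s names %s" % (entry, net)))
        if not any(net.subnet_of(a) for a in approved):
            findings.append(("OUTSIDE_MGMT_RANGE", entry))
        if net == FACTORY_ACL and iface is not None and iface.ip not in FACTORY_ACL:
            # Sensor was re-addressed but the default permit entry was left behind.
            findings.append(("STALE_FACTORY_ACL", entry))
    return findings


if __name__ == "__main__":
    for code, detail in audit(SAMPLE, ["10.40.0.0/16"]):
        print(code, detail)
```

Run against the sample, the audit reports the 10.9.1.0/24 entry as outside the approved range and the 10.40.10.0/16 entry as having host bits set.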