Show Commands

Show commands provide tremendously detailed information about the sensor, including software versions, interface statistics, and tech-support outputs. Make sure that you are familiar with the basic show commands outlined here when preparing for the test.

The show version Command

You use the show version command to display detailed information about the sensor. Some output items are

• Operating system

• Signature packages

• IDS processes running

• Upgrades installed

The following display demonstrates a sample of the detailed information the command outputs:

 sensor#  show version  Application Partition: Cisco Systems Intrusion Detection Sensor, Version 4.1(1)S47 OS Version 2.4.18-5smpbigphys-4215 Platform: IDS-4215 Sensor up-time is 4:06. Using 241983488 out of 459202560 bytes of available memory (52% usage) Using 540M out of 17G bytes of available disk space (4% usage) MainApp 2003_Jun_20_06.00 (Release) 2003-06-20T05:53:31-0500 Running AnalysisEngine 2003_Jun_20_06.00 (Release) 2003-06-20T05:53:31-0500 Running Authentication 2003_Jun_20_06.00 (Release) 2003-06-20T05:53:31-0500 Running Logger 2003_Jun_20_06.00 (Release) 2003-06-20T05:53:31-0500 Running NetworkAccess 2003_Jun_20_06.00 (Release) 2003-06-20T05:53:31-0500 Running TransactionSource 2003_Jun_20_06.00 (Release) 2003-06-20T05:53:31-0500 Running WebServer 2003_Jun_20_06.00 (Release) 2003-06-20T05:53:31-0500 Running CLI 2003_Jun_20_06.00 (Release) 2003-06-20T05:53:31-0500 Upgrade History: No upgrades installed Recovery Partition Version 4.1(1)S47 sensor# 

In this example, you can see several detailed points about the sensor. The version number is 4.1, the platform is IDS-4215, the used disk space is 4%, the services (daemons) are running, and the upgrade history displays no upgrade installed.

The show statistics Command

The show statistics command displays statistics about several of the different services and engines running on the sensor. Table 8.2 displays the available options the command supports.

Table 8.2. show statistics Command Options

The following code sample shows an example of the output when using the EventStore option:

 sensor#  show statistics eventstore  Event store statistics General information about the event store The current number of open subscriptions = 0 The number of events lost by subscriptions and queries = 1 The number of queries issued = 0 The number of times the event store circular buffer has wrapped = 0 Number of events of each type currently stored Debug events = 0 Status events = 5 Log transaction events = 31 Shun request events = 0 Error events, warning = 5 Error events, error = 0 Error events, fatal = 0 Alert events, informational = 0 Alert events, low = 0 Alert events, medium = 0 Alert events, high = 0 sensor# 

As you can see in the example, the show statistics eventstore command displays quite a bit of detail. The information has two parts : general information and the number of events of each type.

The show tech-support Command

The show tech-support command displays detailed information that you can use to help debug sensors. The command supports outputting the detailed information to the console screen or to an FTP server. Following is the command syntax:

 show tech-support [page] [password] [  destination-url destination-url  ] 

Table 8.3 describes the show tech-support options.

Table 8.3. show tech-support Command Options

The following example outputs all the details to an FTP server:

 sensor#  show tech-support destination-URL   ftp://dnewman@10.1.9.11/ reports /sensorReport.html  password:***** ** 

The show interfaces Command

You use the show interface command to display detailed information about IDS interfaces. The show interface command by itself displays general detailed information about all the IDS interfaces on the system. To display information about a specific interface, you can use one of the extra options in Table 8.4.

Table 8.4. show interface Command Options

Here are three different examples displaying a sampling of the first few lines of each command. First is example 1:

 sensor#  show int  command-control is up Internet address is 10.89.147.31, subnet mask is 255.255.255.128, telnet is disabled. Hardware is eth1, tx Network Statistics eth1 Link encap:Ethernet HWaddr 00:06:5B:0F:0E:53 inet addr:10.89.147.31 Bcast:10.89.147.127 Mask:255.255.255.128 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:49703 errors:5454 dropped:0 overruns:0 frame:5454 TX packets:22928 errors:0 dropped:0 overruns:0 carrier:0 collisions:1913 txqueuelen:100 

In example 1, the show int command displays only the first few lines of the output. The actual output displays more than 100 lines of detail as it shows each interface one at a time. As you can see, the first lines are for the command and control interface. Next is example 2:

 sensor#  show interfaces sensing  Sensing int0 is up Hardware is eth0, Tx Reset port Sensing int1 is up Hardware is eth1, TX Reset port Command control port MAC statistics from the IntelPro interface Link = up Speed = 100 Duplex = Half State = up Rx_Packets = 49703 

Example 2 added the sensing option to limit the details to those about sensing interfaces. And as you can see, the sensing int0 and int1 are both up.

Last is example 3:

 sensor#  show interface group 0  Group 0 is up Sensing ports int1 Logical virtual sensor configuration: virtualSensor Logical alarm channel configuration: virtualAlarm Statistics for Virtual Sensor (Interface Group 1) 

Example 3 shows that group 0 is up and contains int1 as a sensing interface. Also, group 0 uses virtualSensor and virtualAlarm .

The show events Command

The show events command displays the local event log contents. The command supports several parameters that help you narrow down the exact time and event you might be looking for. If you set no parameters, all events appear as a live feed. You cancel live feeds by pressing Ctrl+C. See the command reference for all the possible settings this command supports.