The entry-level Cisco IDS Sensor, designed for T1/T3 environments. It has one monitoring port and one command and control port built-in and can inspect traffic at 80Mbps. Like the 4215, it is expandable to four monitoring ports with a four-port Fast Ethernet (4FE) expansion card.
The mid-range Cisco IDS Sensor, designed for multiple T3 environments and capable of up to 250Mbps performance. Like the 4235, it has one monitoring port and one command and control port and is expandable to five monitoring ports with a 4FE expansion card. It is the lowest model to include a dual power supply.
The enterprise-class Cisco IDS Sensor, capable of monitoring up to 500Mbps of traffic. It can be expanded with the 1000BASE-SX card to monitor fiber lines or with the 4FE card to increase the number of 10/100BASE-TX ports. The 4250 sensor, like the 4235, is equipped with a dual power supply.
Attacks that occur when an unauthorized person manipulates data, accesses internal systems, or escalates his or her existing privileges.
A filter applied to an interface and direction that specifies what kind of traffic will be allowed to pass, based on source and destination IP addresses, ports, or protocols.
In an IOS virtual LAN (VLAN) ACL (VACL) configuration, the command that configures the VACL to capture traffic which matches the match clause from the previous statement.
The ACL that is applied when blocking is in effect; it consists of the pre-block ACL, the blocking access control entries (ACEs), and the post-block ACL.
A configuration mode in the sensor command-line interface (CLI) that allows you to create event filters.
Determines whether alarms are summarized according to a time interval, by IP address, or globally. Allowed values are FireOnce, FireAll, Summarize, and GlobalSummarize.
A signature group that consists of signatures which detect attacks that have predefined hosts or network targets.
One of the actions that you can configure a sensor to execute when a signature is triggered; the sensor can block either a host or a connection.
The sensor that sends blocking instructions to a managed device such as an IOS Router or PIX Firewall.
The set of signatures that are enabled by default.
Sets the number of times that an alarm must fire before moving up to the next level of alarm summarization, as determined by the AlarmThrottle parameter.
A shell process that is launched when the sensor is accessed via Telnet or Secure Shell (SSH), allowing a user to perform configuration, management, and monitoring tasks on the sensor.
The sensor's Web server, which allows Hypertext Transfer Protocol (HTTP) and Secure HTTP (HTTPS) communications between the sensor and clients. cidWebServer interfaces with these four Web servlets: IDS Device Manager (IDM), Event Server, IP Log Server, and Transaction Server.
The sensor interface that is configured with an IP address and allows management and control functions such as the IDS Management Center (MC) and Security Monitor to connect to a sensor.
Up to 256 characters of data in a Transmission Control Protocol (TCP) stream captured by a sensor. It can contain keystrokes, data, or both in the connection stream around the string of characters that triggered the signature. You can use the context data buffer to determine whether a signature was triggered accidentally or from a deliberate attack.
New signatures that you can create using one of the Cisco IDS signature engines.
The first option in the Admin tab sheet of Security Monitor. Database rules instruct Security Monitor to perform an action when the Security Monitor database reaches a specified size, a number of events occur, or on a daily basis.
The same as built-in signatures; the set of Cisco IDS signatures that are enabled by default.
An attack that blocks critical network services by flooding the network and consuming its resources such as bandwidth and processing power.
The port on a switch where all captured traffic is sent for transmission to the sensor's monitoring port.
An attack that occurs when the resources of multiple hosts are combined to perform a DoS attack on a system.
The command used on the sensor CLI to restore a sensor's configuration to a previous configuration prior to the installation of an update. If no update has been installed on a sensor, then the downgrade command is not available.
Refers to the traffic on a SPAN (mirroring) port that is traveling outbound relative to the switch.
One of the four Web servlets that interface with cidWebServer . It is responsible for providing Remote Data Exchange Protocol (RDEP) communications with external applications such as IDS Event Viewer (IEV) and Security Monitor.
A very flexible and powerful tool allowing you to analyze traffic and events from a variety of perspectives. On the grid plane, you can change the order of the columns, thereby changing the way they will be summarized when you expand and collapse columns.
One of the five major application components of the Cisco IDS Sensor. It is a 4GB shared memory-mapped file used to store all events and alerts. When the file fills up, old records are overwritten with new records.
Threats that originate from individuals outside the network perimeter boundaries.
A false positive is an alarm event where normal, benign traffic causes a signature to trigger; a false negative occurs when an attack event does not cause the signature to trigger.
Exceptions that allow you to configure a separate signature response for a specific host or server.
The parameter used when the traffic that fires the alarm is return traffic from the target system.
The sensor that sends a blocking request to a master blocking sensor to block the master blocking sensor's managed device.
Allows you to perform configuration tasks on the sensor through interface levels. You can modify global settings that affect the entire sensor from global configuration level. To navigate to global configuration from the privilege exec level, just type configure terminal or config t to display the sensor(config)# prompt.
Parameters that affect overall sensing characteristics rather than those for a specific signature. The two global sensing parameters that you can configure are Internal Networks and IP Packet Reassembly.
Protects hosts such as desktops, servers, and workstations rather than networks. The HIPS resides on the host itself to protect against buffer overflows and operating system (OS) vulnerabilities, for example. No additional hardware is required.
Used to change the command-line prompt and set the name of your sensor; it might not take effect until your next logon. This command is unusual because you can execute it from two completely different locations: the global config prompt, sensor(config)# , and the networkParams prompt, sensor(config-Host-net)# .
The Web-based interface used to perform management, administration, and configuration tasks for a single IDS Sensor.
A Java-based application used to monitor events for up to five IDS version 4 sensor devices. IEV includes advanced filtering, custom view, and database administration functions.
One of the IDS MC's four tab sheets; allows you to configure signature tuning, custom signatures, blocking, maintenance, and global sensing parameters.
Used to deploy configuration files from the Sybase database to sensors or sensor groups. Sensor configuration files are deployed according to the IDS MC workflow.
Allows you to add sensor devices and sensor groups; this step is necessary before they can be managed by the IDS MC.
Describes the process of sensor configuration file generation, approval, and deployment.
An IDS module for the Catalyst 6000 switch; it performs intrusion detection on traffic copied to it from the switching fabric, so monitoring imposes no forwarding-performance penalty on the switch. It can monitor traffic at up to 600Mbps using SPAN, Remote SPAN (RSPAN), or VACLs.
Refers to the traffic on a SPAN (mirroring) port that is traveling inbound relative to the switch.
A feature which will be available in future releases of Cisco IDS that will provide the ability to group sensing interfaces so they can be controlled as a single unit rather than as individuals.
A global sensing parameter that you can use to define a network or segment as trusted.
Threats that originate within the organization's boundaries, typically from people who already have access to network resources.
One of the four servlets that interface with cidWebServer ; uses RDEP to allow external applications such as Security Monitor and IEV to access IP logs generated by the sensor.
One of the global sensing parameters; determines how packets are reassembled. Allowed values are NT, Solaris, BSD, and Linux.
Signatures that operate at Layers 2, 3, and 4 and include Address Resolution Protocol (ARP), TCP, User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP) signature engines.
One of five Cisco IDS version 4 main application components; the very first application that starts, it is responsible for configuring the OS with settings such as IP addresses on interfaces. This application is also responsible for starting and stopping all other Cisco IDS applications and processes.
A device such as a Cisco IOS Router or PIX Firewall that receives instructions from a sensor to perform blocking when a signature is triggered.
The interface between a sensor and a managed device through which blocking instructions are sent via either Telnet or SSH.
Master signature engine parameters are the same for all signatures, whereas local signature engine parameters are specific to a given signature.
The sensor that receives instructions from a forwarding blocking sensor to perform blocking on the master blocking sensor's managed device. A managed device can only be managed by a single, master blocking sensor.
In an IOS VACL configuration, the command that applies a VACL to one or more VLANs by referencing the map created by the previous vlan access-map command.
Used to assign both source and destination ports for SPAN sessions on 2950 and 3550 switches so that traffic can be captured and sent to the sensor for IDS analysis.
Sends the blocking requests from the sensor to either a managed device or a master blocking sensor.
A sequence of activities by a malicious individual that results in unauthorized security threats to a target network.
Allows you to integrate a full 45Mbps of IDS functionality into a Cisco 2600, 3600, or 3700 series router. Its 10/100BASE-TX interface connects directly to the router's backplane and supports the full TCP reset, shunning, and blocking capabilities of its appliance counterparts.
A component of both the IDM and IEV; contains the latest signature advisories and vulnerability information. Its online counterpart is the Cisco Secure Encyclopedia (CSEC).
Involves the deployment of hardware sensor-monitoring devices throughout the network to capture and monitor network traffic as it traverses network media.
A service configuration mode that allows you to enter configuration settings for managed devices such as Catalyst switches, IOS IDS, PIX IDS, and sensor IDS devices.
Contains the ACEs for the hosts or subnets that should never be blocked. It consists of a permit statement for each host or subnet at the beginning of the active ACL.
Contains the signatures that target hosts with specific OSs.
Jobs that have been scheduled for later deployment but have not reached the deployment time.
Used to assign source ports for SPAN sessions on 2900XL and 3500XL switches; they are performed at the interface configuration level for the destination port.
Contains the ACEs that are added after the blocking entries on the active ACL.
The communications protocol used between sensors, IEV, and Security Monitor for Cisco IDS version 3.x. It has been replaced in Cisco IDS version 4 with RDEP.
Contains the ACEs that are above the blocking ACEs on the active ACL.
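The active ACL, never-block, post-block ACL and pre-block ACL entries describe how a blocking sensor assembles the ACL it writes to a managed IOS router. The following Python model is an added example (mine, not code from the sensor or from Cisco): it composes the ACL in the stated order and then evaluates it top-down the way IOS does, so you can confirm that a never-block entry really shields a host even when the sensor tries to block it. The exact ACE shapes used for host and connection blocks, the sample addresses and the ACL name are assumptions.

```python
"""Compose the active ACL a blocking sensor pushes to a managed IOS router.
Added example built from the glossary's definitions of the active ACL,
never-block, pre-block and post-block ACLs; it is not the sensor's own code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Union


@dataclass(frozen=True)
class HostBlock:
    attacker: str            # block every packet from this host


@dataclass(frozen=True)
class ConnectionBlock:
    attacker: str            # block one attacker -> victim service flow only
    victim: str
    protocol: str            # "tcp" or "udp"
    victim_port: int


def _ios_source(entry: str) -> str:
    """Render a host or CIDR network in IOS ACL syntax (wildcard mask)."""
    net = ipaddress.ip_network(entry, strict=False)
    if net.num_addresses == 1:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def never_block_aces(entries: List[str]) -> List[str]:
    """One permit per never-block host or subnet; these go first so a block
    can never cut off the sensor's own command-and-control path."""
    return [f"permit ip {_ios_source(e)} any" for e in entries]


def blocking_aces(blocks: List[Union[HostBlock, ConnectionBlock]]) -> List[str]:
    """ACE shapes for host and connection blocks (assumed shapes, not a
    transcript of what the sensor's Network Access Controller writes)."""
    aces = []
    for b in blocks:
        if isinstance(b, HostBlock):
            aces.append(f"deny ip host {b.attacker} any")
        else:
            aces.append(f"deny {b.protocol} host {b.attacker} "
                        f"host {b.victim} eq {b.victim_port}")
    return aces


def active_acl(name, never_block, pre_block, blocks, post_block) -> List[str]:
    """Active ACL = never-block permits, pre-block ACEs, blocking ACEs,
    post-block ACEs, in that order. Nothing is appended implicitly: if
    unmatched traffic must still flow, post_block has to end with
    'permit ip any any', otherwise IOS's implicit deny drops it."""
    body = (never_block_aces(never_block) + list(pre_block)
            + blocking_aces(blocks) + list(post_block))
    return [f"ip access-list extended {name}"] + [f" {ace}" for ace in body]


def _parse_addr(tok, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # ipaddress accepts an IOS wildcard (hostmask) after the slash
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def first_match(acl_lines, src, dst, proto, dport) -> str:
    """Evaluate the generated ACL top-down as IOS does for one flow.
    Returns 'permit', 'deny', or 'deny (implicit)' when no ACE matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl_lines[1:]:
        tok = line.split()
        action, ace_proto = tok[0], tok[1]
        src_net, i = _parse_addr(tok, 2)
        dst_net, i = _parse_addr(tok, i)
        port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        if ace_proto not in ("ip", proto):
            continue
        if s in src_net and d in dst_net and (port is None or port == dport):
            return action
    return "deny (implicit)"


if __name__ == "__main__":
    # Constructed sample: the sensor's C&C address and the management subnet
    # are never-block entries; two blocks are active; post-block restores flow.
    acl = active_acl("IDS_BLOCK", ["10.10.10.2", "10.10.20.0/24"],
                     ["permit tcp any host 192.168.1.10 eq 22"],
                     [HostBlock("172.16.5.5"),
                      ConnectionBlock("172.16.5.6", "192.168.1.10", "tcp", 80)],
                     ["permit ip any any"])
    print("\n".join(acl))
```

The evaluator deliberately understands only the ACE shapes this composer emits; it is there to show ordering consequences (never-block permits shadow later denies, and an empty post-block ACL leaves everything else to the implicit deny), not to be a general IOS ACL simulator.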
The CLI level you are placed in when you first log in to the sensor. This level gives you the ability to initialize and reboot the sensor, copy sensor configurations, display system settings, and enter another level to further configure the system. The prompt you see at the privileged exec mode is sensor# .
Detects activity that deviates from "normal" activity; as such, this detection method depends on the statistical definition of normal and can be prone to a large number of false positives.
Those parameters that cannot be changed for default signatures but can be changed for custom signatures.
Allows you to view a continuous stream of realtime events from IEV; can be paused or resumed to allow for more manageable monitoring and analysis of realtime events.
The graphical counterpart of the Realtime Dashboard; shows the average number of aggregate alarms by severity level on the Y axis, per unit time on the X axis. The display can be in either bar or area format.
Occur when network systems, services, and vulnerabilities are observed and mapped by an unauthorized person.
Used on a Cisco IDS version 4 sensor to replace the image on the application partition with the image that is on the recovery partition. This command is not available on the IDSM2 because it does not contain a recovery partition.
A flexible and powerful tool allowing you to describe complex patterns of text for detection and IDS analysis.
Uses HTTP and HTTPS to carry Extensible Markup Language (XML) documents for communications between Cisco IDS version 4 sensors and clients such as IEV and Security Monitor.
Allows you to capture VLAN traffic across switches to a destination port for IDS analysis.
Signature engine parameters that must be defined for all signatures, both default and custom.
Used to shut down or reboot the sensor. The powerdown option of the command prepares the sensor for proper shutdown; without the powerdown option, the sensor just reboots.
A component of VMS; complements IDS MC by providing a Web interface to monitor IDS statistics, connections, and events for sensor appliances, IDS modules, IOS Routers, and PIX Firewalls.
Also called the monitoring or sniffing interface; the sensor's interface that captures traffic from a SPAN or RSPAN destination port. The interface has no IP address and therefore cannot be detected using typical methods such as ping or Telnet.
An individual sensor that can be a member of a sensor group.
Similar to a folder in Windows Explorer; contains sensor devices that inherit the properties of the sensor group.
The application that actually inspects IP traffic and monitors for signature matches to generate alerts and events that are written to the EventStore. It is the only application that writes alerts to the EventStore.
The name for a release of improvements to intrusion detection and sensor functionality, as opposed to a signature update.
A group of signatures based on services that are OS-independent.
Used to configure traffic capture using VACLs on Catalyst 6500 switches running Catalyst OS. The three set security acl commands are set security acl ip , set security acl map , and set security acl capture-ports .
The single command to configure SPAN on the Catalyst 4000, 4500, and 6500 switches so that traffic can be captured for IDS analysis.
Allows you to configure several settings on the sensor through what is called a dialog. Dialogs provide an automated way to configure several basic sensor settings by prompting you for the values instead of having to execute the command manually.
The method of blocking a connection or host using a PIX Firewall when a signature triggers and is configured to perform a shun EventAction using a PIX Firewall as the managed device.
The mechanism through which you tune the IDS to your specific network environment: the engines define the parameters you adjust on the built-in signatures and the templates from which you create new, custom signatures. Cisco IDS signature engines include Atomic, Flood, Service, State.String, String, Sweep, Traffic, Trojan, and OTHER.
A name and value pair: both the name and the allowed values are determined by the signature engine, which consists of an inspector and a parser and has a specific set of parameters with allowable ranges or sets of values.
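The context data, regular expression, signature engine and signature parameter entries come together in the String engine: a regex, a set of service ports and a direction decide whether a signature fires, and the sensor keeps up to 256 bytes around the trigger so an analyst can judge whether it was a false positive. The following Python model is an added example, not Cisco's engine code; the parameter names (RegexString, ServicePorts, Direction, MinMatchLength) follow the String engine as recalled here and should be treated as assumptions, as should the signature ID and the constructed Telnet session.

```python
"""Model of a String-engine signature (STRING.TCP style) with context-data
capture. Added example; parameter names follow the Cisco String engine as
recalled here (RegexString, ServicePorts, Direction, MinMatchLength) and
are assumptions, not a copy of Cisco's engine."""
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional

CONTEXT_BYTES = 256   # glossary: up to 256 characters of context data


@dataclass(frozen=True)
class StringSignature:
    sig_id: int
    regex_string: str                # RegexString
    service_ports: FrozenSet[int]    # ServicePorts: the service's port(s)
    direction: str                   # Direction: "ToService" or "FromService"
    min_match_length: int = 0        # MinMatchLength


@dataclass(frozen=True)
class TcpStream:
    """One direction of a reassembled TCP connection (constructed input)."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def context_data(stream: bytes, start: int, end: int,
                 limit: int = CONTEXT_BYTES) -> bytes:
    """Up to `limit` bytes of the stream centred on the trigger so an analyst
    can see the keystrokes/data around it and judge false positives."""
    span = end - start
    if span >= limit:
        return stream[start:start + limit]
    before = (limit - span) // 2
    lo = max(0, start - before)
    hi = min(len(stream), lo + limit)
    lo = max(0, hi - limit)   # near the end of the stream, take more from the front
    return stream[lo:hi]


def inspect(sig: StringSignature, conn: TcpStream) -> Optional[dict]:
    """Return an alert dict if the signature fires on this stream, else None."""
    # ToService inspects client->server traffic (destination port is the
    # service); FromService inspects the server's replies (source port).
    port = conn.dport if sig.direction == "ToService" else conn.sport
    if port not in sig.service_ports:
        return None
    m = re.search(sig.regex_string.encode(), conn.payload)
    if m is None or (m.end() - m.start()) < sig.min_match_length:
        return None
    return {
        "sig_id": sig.sig_id,
        "attacker": f"{conn.src}:{conn.sport}",
        "victim": f"{conn.dst}:{conn.dport}",
        "match": m.group(0),
        "context": context_data(conn.payload, m.start(), m.end()),
    }


# Constructed Telnet session; the trigger is preceded by ordinary keystrokes.
SAMPLE_TELNET = (b"login: guest\r\nPassword: \r\n"
                 b"$ ls -la\r\n$ cat /etc/passwd\r\n$ exit\r\n")
# Hypothetical custom signature in the user-defined ID range.
PASSWD_SIG = StringSignature(20001, r"/etc/passwd", frozenset({23}),
                             "ToService", min_match_length=5)

if __name__ == "__main__":
    alert = inspect(PASSWD_SIG,
                    TcpStream("10.0.0.5", 40001, "192.168.1.20", 23, SAMPLE_TELNET))
    print(alert)
```

Run as written, the alert's context field is the whole 63-byte session, so the preceding "cat" is visible; on a stream longer than 256 bytes the same function returns a 256-byte window around the match, which is what makes the buffer useful for telling an accidental trigger from a deliberate one.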
Allows you to specify source and destination IP addresses for any given signature and whether the filter will include or exclude the matched conditions. Signature filtering, like alarm throttling, can reduce false positives and limit the number of security events reported.
Allow you to access a specific signature from the IDS MC so that you can either tune the signature or use it to create a custom signature. You find signature groups by navigating to Configuration, Settings, Signatures.
The name for a new IDS signature.
Detects a pattern which matches closely to activity that is typical of a network intrusion.
Provide the latest signature and intrusion detection improvements. Software updates include both signature updates and service packs; whereas new IDS signatures are released as signature updates, improvements to intrusion detection and sensor functionality are released as service packs.
When configuring SPAN to capture traffic, the ports designated to send their traffic to the switch's destination port, from which point the aggregate traffic is sent to the sensor's monitoring port for IDS analysis.
Provide the capability of searching for specific patterns at various states within the protocol. The state machine consists of a starting state and a list of valid transitions.
Based on a data source that you select, which could be the event_realtime_table or any imported or archived table. The events displayed in the Statistic Graph reflect the average number of alarms received by IEV, based on the filter that is applied to the data source. Therefore, depending on the filter, the Statistic Graph might not reflect the true average number of alarms.
Threats with defined network or host targets that are methodically executed using sophisticated tools, often designed specifically for an attack.
One of two subtypes of uri-iplog-requests; allows an RDEP client to collect a live event feed. The RDEP client sends subscription-get messages to the sensor to retrieve the latest events.
Allows you to count the number of occurrences of a signature firing on various address sets. The SummaryKey parameter specifies which address to view for post-alarm counters.
Allows you to configure a switch so that traffic from source ports is mirrored to a destination, or SPAN port. From the destination port, the traffic is sent to the sensor's monitoring port for IDS analysis.
The list of choices on the left-hand side of the tab sheet in the IDS MC, Security Monitor, and IDM interfaces. As you would expect, the TOC list depends on the tab and option that you navigate to; this path appears in the path bar.
A TCP packet with the reset (RST) bit set to 1. When a signature configured with the reset action is triggered, the sensor sends it from its monitoring interface through the switch's destination port to tear down the offending TCP connection. The reset terminates that connection only; it is a separate event action from blocking, which instead installs an ACL or shun on a managed device.
Used by the AlarmThrottle parameter when it is set to the value of FireOnce to determine how long to wait, in seconds, before firing an alarm.
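The AlarmThrottle, ChokeThreshold, SummaryKey and ThrottleInterval entries describe one mechanism from four angles. The following Python model is an added example, not taken from Cisco's sensor code: it runs a constructed burst of events for a single signature through each throttle mode so the effect of each parameter can be counted. The SummaryKey spellings used here (AxBx, Axxx, xxBx), the escalation rule (escalate one level when the alarms emitted in the current ThrottleInterval exceed ChokeThreshold) and the alarm tuple format are this model's assumptions.

```python
"""Model of Cisco IDS 4.x alarm throttling: AlarmThrottle, ThrottleInterval,
ChokeThreshold and SummaryKey. Added example; it models the glossary's
definitions, not sensorApp's actual implementation."""
from dataclasses import dataclass
from typing import List, Tuple

MODES = ("FireAll", "FireOnce", "Summarize", "GlobalSummarize")


@dataclass(frozen=True)
class Event:
    t: float      # seconds since start of capture
    src: str      # attacker address ("A" in SummaryKey notation)
    dst: str      # victim address ("B" in SummaryKey notation)


def summary_key(ev: Event, key: str) -> Tuple[str, ...]:
    """Reduce an event to the address set named by SummaryKey. Notation is
    modelled on Cisco's A/B letters (assumption): AxBx = attacker and victim
    addresses, Axxx = attacker only, xxBx = victim only."""
    if key == "AxBx":
        return (ev.src, ev.dst)
    if key == "Axxx":
        return (ev.src,)
    if key == "xxBx":
        return (ev.dst,)
    raise ValueError(f"unknown SummaryKey {key}")


def throttle(events, mode, interval, choke=None, key="AxBx") -> List[tuple]:
    """Run the alarm channel over time-ordered events for ONE signature.
    Returns alarms as (time, kind, key, count): kind 'alarm' is a per-event or
    first-event alarm, kind 'summary' is the post-interval summary alarm that
    carries the number of events suppressed during the interval."""
    if mode not in MODES:
        raise ValueError(f"unknown AlarmThrottle {mode}")
    alarms = []
    last_fire = {}        # FireOnce: key -> time of last alarm for that key
    windows = {}          # Summarize modes: key -> [window_start, suppressed]
    interval_start = None
    alarms_in_interval = 0

    def flush(k):
        start, suppressed = windows.pop(k)
        if suppressed:
            alarms.append((start + interval, "summary", k, suppressed))

    for ev in sorted(events, key=lambda e: e.t):
        # ChokeThreshold is judged per ThrottleInterval across the signature.
        if interval_start is None or ev.t >= interval_start + interval:
            interval_start, alarms_in_interval = ev.t, 0
        if mode == "FireAll":
            alarms.append((ev.t, "alarm", summary_key(ev, key), 1))
            alarms_in_interval += 1
        elif mode == "FireOnce":
            k = summary_key(ev, key)
            if k not in last_fire or ev.t >= last_fire[k] + interval:
                last_fire[k] = ev.t
                alarms.append((ev.t, "alarm", k, 1))
                alarms_in_interval += 1
        else:  # Summarize (per address set) or GlobalSummarize (one bucket)
            k = summary_key(ev, key) if mode == "Summarize" else ("*",)
            if k in windows and ev.t >= windows[k][0] + interval:
                flush(k)
            if k not in windows:
                windows[k] = [ev.t, 0]
                alarms.append((ev.t, "alarm", k, 1))
                alarms_in_interval += 1
            else:
                windows[k][1] += 1
        if choke is not None and alarms_in_interval > choke:
            # Auto-escalate one summarization level; FireOnce is left alone.
            if mode == "FireAll":
                mode = "Summarize"
            elif mode == "Summarize":
                mode = "GlobalSummarize"
            alarms_in_interval = 0
    for k in list(windows):
        flush(k)
    alarms.sort(key=lambda a: a[0])
    return alarms


def sample_events() -> List[Event]:
    """Constructed sample: one attacker probes 20 victims in 10 seconds, then
    a single unrelated event arrives 90 seconds later."""
    evs = [Event(0.5 * i, "10.0.0.5", f"192.168.1.{i + 1}") for i in range(20)]
    evs.append(Event(100.0, "10.0.0.9", "192.168.1.1"))
    return evs


if __name__ == "__main__":
    for mode in MODES:
        print(mode, len(throttle(sample_events(), mode, 30, key="Axxx")))
```

With a 30-second ThrottleInterval the sweep produces 21 alarms under FireAll, 2 under FireOnce keyed on the attacker address, and 3 under Summarize or GlobalSummarize (the first-event alarm, one summary carrying the 19 suppressed events, and the later unrelated alarm). Starting in FireAll with a ChokeThreshold of 5 makes the model escalate twice during the sweep, which is the behaviour the ChokeThreshold entry describes.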
One of the four servlets that interface with the cidWebServer service. It is responsible for providing an interface to management applications such as IDS MC and IDM to control and configure the sensor.
A true positive occurs when an attack event causes a signature to trigger; a true negative occurs when normal traffic does not cause an alarm to fire (that is, nothing happened and nothing was reported).
Threats with arbitrary target hosts or networks that are executed using prebuilt tools which are readily available on the Internet. Although the people who carry out unstructured threats are less skilled than those who perform structured threats, the amount of damage caused by an unstructured threat should not be underestimated.
The command to perform an upgrade from the CLI. You execute it from global configuration mode, and it requires administrator privileges.
The account on CiscoWorks 2000 that has all read, write, execute, and configuration privileges for both IDS MC and Security Monitor.
A privilege level on the sensor that allows you to view all settings and data on the sensor but with only limited configuration ability.
A privilege level on the sensor that has access to the operating system shell but not the CLI shell. You should use this account only under the supervision of a Cisco Technical Assistance Center (TAC) technician.
A privilege level on the sensor that allows you to view all settings and data on the sensor but provides no configuration ability.
Based on CiscoWorks 2000 and capable of monitoring IDS Sensors, PIX and IOS firewalls, VPNs, and security agents. The IDS MC and Security Monitor are both components of VMS and together provide a Web-based interface for configuring, managing, maintaining, and monitoring multiple IDS Sensors.
The level of the sensor's CLI that allows you to fine-tune signature settings, create custom signatures, and reset all signatures back to default settings. All settings configured at the virtual-sensor-configuration level apply to the single virtual sensor called virtualSensor.
The single alarm channel for event filters that is supported by the Cisco IDS. Future releases will provide more functionality for the virtualAlarm.
The single virtual sensor supported by Cisco IDS version 4. All signature tuning and custom signatures are linked to this single virtual sensor.
An ACL applied to a VLAN rather than a specific interface; in the context of IDS, VACLs are used to capture traffic from Catalyst 6500 switches running either Catalyst OS or IOS, for IDS analysis by the IDSM2.