[ LiB ]  
4215 sensor

The entry-level Cisco IDS Sensor, designed for T1/T3 environments. It has one monitoring port and one command and control port built-in and can inspect traffic at 80Mbps. Like the 4215, it is expandable to four monitoring ports with a four-port Fast Ethernet (4FE) expansion card.

4235 sensor

The mid-range Cisco IDS Sensor, designed for multiple T3 environments and capable of up to 250Mbps performance. Like the 4235, it has one monitoring port and one command and control port and is expandable to five monitoring ports with a 4FE expansion card. It is the lowest model to include a dual power supply.

4250 sensor

The enterprise-class Cisco IDS Sensor, capable of monitoring up to 500Mbps of traffic. It can be expanded with the 1000BASE-SX card to monitor fiber lines or with the 4FE card to increase the number of 10/100BASE-TX ports. The 4250 sensor, like the 4235, is equipped with a dual power supply.

access attacks

Attacks that occur when an unauthorized person manipulates data, accesses internal systems, or escalates his or her existing privileges.

access control list ( ACL )

A filter applied to an interface and direction that specifies what kind of traffic will be allowed to pass, based on source and destination IP addresses, ports, or protocols.

action clause

In an IOS virtual LAN (VLAN) ACL (VACL) configuration, the command that configures the VACL to capture traffic which matches the match clause from the previous statement.

active ACL

The ACL that is applied when blocking is in effect; it consists of the pre-block ACL, the blocking access control entries (ACEs), and the post-block ACL.


A configuration mode in the sensor command-line interface (CLI) that allows you to create event filters.

AlarmThrottle parameter

Determines whether alarms are summarized according to a time interval, by IP address, or globally. Allowed values are FireOnce , FireAll , Summarize , and Global Summarize .

attack signature groups

A signature group that consists of signatures which detect attacks that have predefined hosts or network targets.


One of the actions that you can configure a sensor to execute when a signature is triggered; the sensor can block either a host or a connection.

blocking sensor

The sensor that sends blocking instructions to a managed device such as an IOS Router or PIX Firewall.

built-in (default) signatures

The set of signatures that are enabled by default.

ChokeThreshold parameter

Sets the number of times that an alarm must fire before moving up to the next level of alarm summarization, as determined by the AlarmThrottle parameter.


A shell process that is launched when the sensor is accessed via Telnet or Secure Shell (SSH), allowing a user to perform configuration, management, and monitoring tasks on the sensor.


The sensor's Web server, which allows Hypertext Transfer Protocol (HTTP) and Secure HTTP (HTTPS) communications between the sensor and clients . cidWebServer interfaces with these four Web servlets: IDS Device Manager (IDM), Event Server, IP Log Server, and Transaction Server.

command and control interface

The sensor interface that is configured with an IP address and allows management and control functions such as the IDS Management Center (MC) and Security Monitor to connect to a sensor.

context data buffer

Up to 256 characters of data in a Transmission Control Protocol (TCP) stream captured by a sensor. It can contain keystrokes, data, or both in the connection stream around the string of characters that triggered the signature. You can use the context data buffer to determine whether a signature was triggered accidentally or from a deliberate attack.

custom signatures

New signatures that you can create using one of the Cisco IDS signature engines.

database rules

The first option in the Admin tab sheet of Security Monitor. Database rules instruct Security Monitor to perform an action when the Security Monitor database reaches a specified size, a number of events occur, or on a daily basis.

default signatures

The same as built-in signatures; the set of Cisco IDS signatures that are enabled by default.

denial of service ( DoS )

An attack that blocks critical network services by flooding the network and consuming its resources such as bandwidth and processing power.

destination port (mirroring port, capture port, Switched Port Analyzer [ SPAN ] port)

The port on a switch where all captured traffic is sent for transmission to the sensor's monitoring port.

distributed denial of service ( DDoS )

An attack that occurs when the resources of multiple hosts are combined to perform a DoS attack on a system.

downgrade command

The command used on the sensor CLI to restore a sensor's configuration to a previous configuration prior to the installation of an update. If no update has been installed on a sensor, then the downgrade command is not available.

egress SPAN

Refers to the traffic on a SPAN (mirroring) port that is traveling outbound relative to the switch.

Event Server

One of the four Web servlets that interface with cidWebServer . It is responsible for providing Remote Data Exchange Protocol (RDEP) communications with external applications such as IDS Event Viewer (IEV) and Security Monitor.

Event Viewer

A very flexible and powerful tool allowing you to analyze traffic and events from a variety of perspectives. On the grid plane, you can change the order of the columns, thereby changing the way they will be summarized when you expand and collapse columns .


One of the five major application components of the Cisco IDS Sensor. It is a 4GB shared memory-mapped file used to store all events and alerts. When the file fills up, old records are overwritten with new records.

external threats

Threats that originate from individuals outside the network perimeter boundaries.

false positives, false negatives

A false positive is an alarm event where normal, benign traffic causes a signature to trigger; a false negative occurs when an attack event does not cause the signature to trigger.

filter exceptions

Exceptions that allow you to configure a separate signature response for a specific host or server.

FlipAddr parameter

The parameter used when the traffic that fires the alarm is return traffic from the target system.

forwarding blocking sensor

The sensor that sends a blocking request to a master blocking sensor to block the master blocking sensor's managed device.

global configuration

Allows you to perform configuration tasks on the sensor through interface levels. You can modify global settings that affect the entire sensor from global configuration level. To navigate to global configuration from the privilege exec level, just type configure terminal or config t to display the sensor(config)# prompt.

global sensing parameters

Parameters that affect overall sensing characteristics rather than those for a specific signature. The two global sensing parameters that you can configure are Internal Networks and IP Packet Reassembly.

host-based intrusion protection system ( HIPS )

Protects hosts such as desktops, servers, and workstations rather than networks. The HIPS resides on the host itself to protect against buffer overflows and operating system (OS) vulnerabilities, for example. No additional hardware is required.

hostname command

Used to change the command-line prompt and set the name of your sensor; it might not take effect until your next logon. This command is unusual because you can execute it from two completely different locations: the global config prompt, sensor(config)# , and the networkParams prompt, sensor(config-Host-net)# .

IDS Device Manager ( IDM )

The Web-based interface used to perform management, administration, and configuration tasks for a single IDS Sensor.

IDS Event Viewer ( IEV )

A Java-based application used to monitor events for up to five IDS version 4 sensor devices. IEV includes advanced filtering, custom view, and database administration functions.

IDS MC Configuration tab sheet

One of the IDS MC's four tab sheets; allows you to configure signature tuning, custom signatures, blocking, maintenance, and global sensing parameters.

IDS MC Deployment tab sheet

Used to deploy configuration files from the Sybase database to sensors or sensor groups. Sensor configuration files are deployed according to the IDS MC workflow.

IDS MC Device tab sheet

Allows you to add sensor devices and sensor groups; this step is necessary before they can be managed by the IDS MC.

IDS MC workflow

Describes the process of sensor configuration file generation, approval, and deployment.


An IDS module for the Catalyst 6000 switch; it performs inline intrusion detection at the core of your switching fabric with no performance penalty. It can monitor traffic at up to 600Mbps using SPAN, Remote SPAN (RSPAN), or VACLs.

ingress SPAN

Refers to the traffic on a SPAN (mirroring) port that is traveling inbound relative to the switch.

interface group

A feature which will be available in future releases of Cisco IDS that will provide the ability to group sensing interfaces so they can be controlled as a single unit rather than as individuals.

Internal Network

A global sensing parameter that you can use to define a network or segment as trusted.

internal threats

Threats that originate within the organization's boundaries and that are directed toward people with access to network resources.

IP Log Server

One of the four servlets that interface with cidWebServer ; uses RDEP to allow external applications such as Security Monitor and IEV to access IP logs generated by the sensor.

IP Packet Reassembly

One of the global sensing parameters; determines how packets are reassembled. Allowed values are NT , Solaris , BSD , and Linux .

L2/L3/L4 signature groups

Signatures that operate at Layers 2, 3, and 4 and include Address Resolution Protocol (ARP), TCP, User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP) signature engines.


One of five Cisco IDS version 4 main application components; the very first application that starts, it is responsible for configuring the OSs with settings such as IP addresses on interfaces. This application is also responsible for starting and stopping all other Cisco IDS applications and processes.

managed device

A device such as a Cisco IOS Router or PIX Firewall that receives instructions from a sensor to perform blocking when a signature is triggered.

managed interface

The interface between a sensor and a managed device through which blocking instructions are sent via either Telnet or SSH.

master and local signature engine parameters

Master signature engine parameters are the same for all signatures, whereas local signature engine parameters are specific to a given signature.

master blocking sensor

The sensor that receives instructions from a forwarding blocking sensor to perform blocking on the master blocking sensor's managed device. A managed device can only be managed by a single, master blocking sensor.

match clause

In an IOS VACL configuration, the command that associates a VACL with the map created by the previous vlan access map command.

monitor session commands

Used to assign both source and destination ports for SPAN sessions on 2950 and 3550 switches so that traffic can be captured and sent to the sensor for IDS analysis.

Network Access Controller ( NAC )

Sends the blocking requests from the sensor to either a managed device or a master blocking sensor.

network intrusion

A sequence of activities by a malicious individual that results in unauthorized security threats to a target network.

Network Module Cisco IDS ( NM-CIDS )

Allows you to integrate a full 45Mbps of IDS functionality into a Cisco 2600, 3600, or 3700 series router. Its 10/100BASE-TX interface connects directly to the router's backplane and supports the full TCP reset, shunning, and blocking capabilities of its appliance counterparts.

Network Security Database ( NSDB )

A component of both the IDM and IEV; contains the latest signature advisories and vulnerability information. Its online counterpart is the Cisco Secure Encyclopedia (CSEC).

network-based IDS ( NIDS )

Involves the deployment of hardware sensor-monitoring devices throughout the network to capture and monitor network as it traverses network media.


A service configuration mode that allows you to enter configuration settings for managed devices such as Catalyst switches, IOS IDS, PIX IDS, and sensor IDS devices.

never-block ACL

Contains the ACEs for the hosts or subnets that should never be blocked. It consists of a permit statement for each host or subnet at the beginning of the active ACL.

OS signature groups

Contains the signatures that target hosts with specific OSs.

pending deployment jobs

Jobs that have been scheduled for later deployment but have not reached the deployment time.

port monitor commands

Used to assign source ports for SPAN sessions on 2900XL and 3500XL switches; they are performed at the interface configuration level for the destination port.

post-block ACL

Contains the ACEs that are added after the blocking entries on the active ACL.


The communications protocol used between sensors, IEV, and Security Monitor for Cisco IDS version 3.x. It has been replaced in Cisco IDS version 4 with RDEP.

pre-block ACL

Contains the ACEs that are above the blocking ACEs on the active ACL.

privileged exec

The first CLI level you will be in when you first log in to the sensor. This level gives you the ability to initialize and reboot the sensor, copy sensor configurations, display system settings, and enter another level to further configure the system. The prompt you see at the privileged exec mode is sensor# .

profile-based intrusion detection (anomaly detection)

Detects activity that deviates from "normal" activity; as such, this detection method depends on the statistical definition of normal and can be prone to a large number of false positives.

protected parameters

Those parameters that cannot be changed for default signatures but can be changed for custom signatures.

Realtime Dashboard

Allows you to view a continuous stream of realtime events from IEV; can be paused or resumed to allow for more manageable monitoring and analysis of realtime events.

Realtime Graph

The graphical counterpart of the Realtime Dashboard; shows the average number of aggregate alarms by severity level on the Y axis, per unit time on the X axis. The display can be in either bar or area format.

reconnaissance attacks

Occur when network systems, services, and vulnerabilities are observed and mapped by an unauthorized person.

recover application-partition command

Used on a Cisco IDS version 4 sensor to replace the image on the application partition with the image that is on the recovery partition. This command is not available on the IDSM2 because it does not contain a recovery partition.

Regular Expression ( Regex ) syntax

A flexible and powerful tool allowing you to describe complex patterns of text for detection and IDS analysis.

Remote Data Exchange Protocol ( RDEP )

Uses HTTP and HTTPS to create Extensible Markup Language (XML) documents for communications between Cisco IDS version 4 sensors and to IEV and Security Monitor.

Remote SPAN ( RSPAN )

Allows you to capture VLAN traffic across switches to a destination port for IDS analysis.

required parameters

Signature engine parameters that must be defined for all signatures, both default and custom.

reset command

Used to shut down or reboot the sensor. The powerdown option of the command prepares the sensor for proper shutdown; without the powerdown option, the sensor just reboots.

Security Monitor

A component of VMS; complements IDS MC by providing a Web interface to monitor IDS statistics, connections, and events for sensor appliances, IDS modules, IOS Routers, and PIX Firewalls.

sensing interface

Also called the monitoring or sniffing interface; the sensor's interface that captures traffic from a SPAN or RSPAN destination port. The interface has no IP address and therefore cannot be detected using typical methods such as ping or Telnet.

sensor device

An individual sensor that can be a member of a sensor group.

sensor group

Similar to a folder in Windows Explorer; contains sensor devices that inherit the properties of the sensor group.


The application that actually detects IP traffic and monitors for signatures matches to generate alerts and events that are written to the EventStore. It is the only application that writes alerts to the EventStore.

service pack

The name for a release of improvements to intrusion detection and sensor functionality, as opposed to a signature update.

service signature groups

A group of signatures based on services that are OS-independent.

set security acl commands

Used to configure traffic capture using VACLs on Catalyst 6500 switches running Catalyst OS. The three set security acl commands are set security acl ip , set security acl map , and set security acl capture-ports .

set span commands

The single command to configure SPAN on the Catalyst 4000, 4500, and 6500 switches so that traffic can be captured for IDS analysis.

setup command

Allows you to configure several settings on the sensor through what is called a dialog. Dialogs provide an automated way to configure several basic sensor settings by prompting you for the values instead of having to execute the command manually.


The method of blocking a connection or host using a PIX Firewall when a signature triggers and is configured to perform a shun EventAction using a PIX Firewall as the managed device.

signature engine

To tune your IDS to your specific network environment, what you use to adjust the built-in signatures and to create new, custom signatures. Cisco IDS signature engines include Atomic, Flood, Service, State.String, String, Sweep, Traffic, Trojan, and OTHER.

signature engine parameter

A name and value pair: both the name and the allowed values are determined by the signature engine, which consists of an inspector and a parser and has a specific set of parameters with allowable ranges or sets of values.

signature filters

Allows you to specify source and destination IP addresses for any given signature and whether the filter will include or exclude the matched conditions. Signature filtering, like alarm throttling, can reduce false positives and limit the number of security events reported .

signature groups

Allow you to access a specific signature from the IDS MC so that you can either tune the signature or use it to create a custom signature. You find signature groups by navigating to Configuration, Settings, Signatures.

signature update

The name for a new IDS signature.

signature-based intrusion detection (misuse detection)

Detects a pattern which matches closely to activity that is typical of a network intrusion.

software updates

Provide the latest signature and intrusion detection improvements. Software updates include both signature updates and service packs; whereas new IDS signatures are released as signature updates, improvements to intrusion detection and sensor functionality are released as service packs .

source ports

When configuring SPAN to capture traffic, what are used to designate which ports will send their traffic to the switch's destination port, from which point the aggregate traffic is sent to the sensor's monitoring port for IDS analysis.

state machines

Provide the capability of searching for specific patterns at various states within the protocol. The state machine consists of a starting state and a list of valid transitions.

Statistic Graph

Based on a data source that you select, which could be the event_realtime_table or any imported or archived table. The events displayed in the Statistic Graph reflect the average number of alarms received by IEV, based on the filter that is applied to the data source. Therefore, depending on the filter, the Statistic Graph might not reflect the true average number of alarms.

structured threats

Threats with defined network or host targets that are methodically executed using sophisticated tools, often designed specifically for an attack.


One of two subtypes of uri- iplog -request s; allow the collection of live event feeds to an RDEP client. The RDEP client sends subscription-get messages to the sensor to retrieve the latest events.

SummaryKey parameter

Allows you to count the number of occurrences of a signature firing on various address sets. The SummaryKey parameter specifies which address to view for post-alarm counters.

Switched Port Analyzer ( SPAN )

Allows you to configure a switch so that traffic from source ports is mirrored to a destination, or SPAN port. From the destination port, the traffic is sent to the sensor's monitoring port for IDS analysis.

table of contents ( TOC )

The list of choices on the left-hand side of the tab sheet in the IDS MC, Security Monitor, and IDM interfaces. As you would expect, the TOC list depends on the tab and option that you navigate to; this path appears in the path bar.

TCP reset packet

A TCP packet with the reset bit set to 1; it is sent from the sensor through the switch's destination port to the port of an attacking host to execute a block on a host or connection when a signature is triggered and configured to block.

ThrottleInterval parameter

Used by the AlarmThrottle parameter when it is set to the value of FireOnce to determine how long to wait, in seconds, before firing an alarm.

transaction server

One of the four servlets that interface with the cidWebServer service. It is responsible for providing an interface to management applications such as IDS MC and IDM to control and configure the sensor.

true positives, true negatives

A true positive occurs when an attack event causes a signature to trigger; a true negative occurs when normal traffic does not cause an alarm to fire (that is, nothing happened and nothing was reported).

unstructured threats

Threats with arbitrary target hosts or networks that are executed using prebuilt tools which are readily available on the Internet. Although the people who carry out unstructured threats are less skilled than those who perform structured threats, the amount of damage cause by an unstructured threat should not be underestimated.

upgrade command

The command to perform an upgrade from the CLI. You execute it from global configuration mode, and it requires administrator privileges.

user account administrator

The account on CiscoWorks 2000 that has all read, write, execute, and configuration privileges for both IDS MC and Security Monitor.

user account operator

A privilege level on the sensor that allows you to view all settings and data on the sensor but with only limited configuration ability.

user account service

A privilege level on the sensor that has access to the operating system shell but not the CLI shell. You should use this account only under the supervision of a Cisco Technical Assistance Center (TAC) technician.

user account viewer

A privilege level on the sensor that allows you to view all settings and data on the sensor but provides no configuration ability.

Virtual Private Network ( VPN )/Security Management (VMS)

Based on CiscoWorks 2000 and capable of monitoring IDS Sensors, PIX and IOS firewalls, VPNs, and security agents . The IDS MC and Security Monitor are both components of VMS and together provide a Web-based interface for configuring, managing, maintaining, and monitoring multiple IDS Sensors.


The level of the sensor's CLI that allows you to fine-tune signature settings, create custom signatures, and reset all signatures back to default settings. All settings configured at the virtual-sensor-configuration level apply to the single virtual sensor called virtualSensor.


The single alarm channel for event filters that is supported by the Cisco IDS. Future releases will provide more functionality for the virtualAlarm.


The single virtual sensor supported by Cisco IDS version 4. All signature tuning and custom signatures are linked to this single virtual sensor.

VLAN access control list ( VACL )

An ACL applied to a VLAN rather than a specific interface; in the context of IDS, VACLs are used to capture traffic from Catalyst 6500 switches running both Catalyst OS or IOS, for IDS analysis by the IDSM2.

[ LiB ]  

CSIDS Exam Cram 2 (Exam 642-531)
CSIDS Exam Cram 2 (Exam 642-531)
Year: 2004
Pages: 213 © 2008-2017.
If you may any questions please contact us: