AIP-SSM Maintenance

This section includes information on administrative maintenance tasks on the AIP-SSM. These tasks include the following:

• Adding trusted hosts to connect to the AIP-SSM
• Upgrading the CIPS software and signatures via the CLI
• Displaying software version and configuration information
• Backing up the AIP-SSM configuration
• Displaying and clearing events
• Displaying and clearing AIP-SSM statistics

Adding Trusted Hosts

In order for a device to be able to connect to the AIP-SSM for management and monitoring purposes, it needs to be added to the trusted host list. You can add trusted hosts that will be able to communicate with the AIP-SSM by following these steps:

SSH Known Host List

In order for any SSH client or any SSH server to communicate with the AIP-SSM, you must first add it into the SSH known host list. Use the ssh host-key command to add a host to the AIP-SSM SSH known host list. Example 14-10 shows how a host with IP address 192.168.10.33 is added to the Chicago SSM.

Example 14-10. Adding an Entry to the SSH Known Host List

ChicagoSSM# configure terminal ChicagoSSM(config)# ssh host-key 192.168.10.33 Would you like to add this to the known hosts table for this host?[yes] yes

The AIP-SSM asks the administrator to confirm the addition of the SSH host entry. Type yes or press Enter to confirm.

TLS Known Host List

The CIPS software allows you to restrict what systems are able to establish a TLS/SSL session to the AIP-SSM. To add a TLS trusted host to the AIP-SSM, use the tls trusted-host command. Example 14-11 demonstrates how to add a TLS host configured with IP address 192.168.10.34. The AIP-SSM does an SSL/TLS exchange with the specified host to obtain its SSL/TLS certificate.

Example 14-11. Adding a TLS Known Host

ChicagoSSM# configure terminal ChicagoSSM(config)# tls trusted-host ip-address 192.168.10.34

Upgrading the CIPS Software and Signatures via the CLI

You can apply the CIPS software service packs and signature updates by using the CLI. The following protocols are supported:

• File Transfer Protocol (FTP)
• Hypertext Transfer Protocol (HTTP)
• Hypertext Transfer Protocol Secure (HTTPS)
• Secure Copy Protocol (SCP)

Note

If HTTPS/SSL is used, a trusted TLS host entry must be added for the server from which you will retrieve the service pack or signature update file.

You can perform one-time upgrades or schedule recurring automatic upgrades.

One-Time Upgrades

The upgrade command is used to apply service packs and signature updates to the AIP-SSM. The following is the command syntax:

upgrade source-url

The source-url is the location where the AIP-SSM retrieves the upgrade file.

The following is the URL syntax if FTP is used:

ftp:[[//username:password@]location]/relativeDirectory/filename

or

ftp:[[//username@]location]//absoluteDirectory/filename

The syntax for HTTP is

http:[[//username@]location]/directory]/filename

The syntax for HTTPS is

https:[[//username@]location]/directory]/filename

The syntax for SCP is

scp:[[//username@]location]/relativeDirectory]/filename

or

scp:[[//username@]location]/absoluteDirectory]/filename

Tip

If you just enter the upgrade command followed by a protocol prefix (ftp:, http:, https:, or scp:), the CLI prompts you for all the required information.

In Example 14-12, a signature update is retrieved from the HTTP server that was previously entered into the TLS trusted list (192.168.10.34). A user called httpsuser is being used for authentication purposes. After invoking the command, the AIP-SSM prompts you to enter the password for the HTTPS server user.

Example 14-12. Applying Signature Updates

ChicagoSSM# configure terminal ChicagoSSM(config)# upgrade https://httpsuser@192.168.10.34/upgrade/sigupdate.pkg Enter password: ***** Re-enter password: *****

Scheduled Upgrades

As a best practice, you may want to configure automatic service pack upgrades or signature updates. This eases administration and provides a mechanism to make sure that your AIP-SSM is running updated signatures.

Note

Cisco offers a service where customers can subscribe to obtain IPS signatures shortly after security threats and vulnerabilities are announced. For more information, visit http://www.cisco.com/go/ipsalert/.

In the example illustrated in Figure 14-5, the goal is to configure the AIP-SSM module in the Chicago ASA appliance to automatically retrieve signature updates every Monday, Wednesday, and Friday at 1:00 a.m.

Figure 14-5. Scheduled Upgrades

The following steps are completed on each device to achieve this goal:

Displaying Software Version and Configuration Information

You can use the show version command to display the version of the CIPS software, signature packages, and IPS processes running on the AIP-SSM. Example 14-13 shows the output of the show version command at the ChicagoSSM.

Example 14-13. Output of AIP-SSM show version Command

ChicagoSSM# show version Application Partition: Cisco Intrusion Prevention System, Version 5.0(1)S149.0 OS Version 2.4.26-IDS-smp-bigphys Platform: ASA-SSM-20 Serial Number: 1234567890 Trial license, expires: 21-Feb-2005 UTC Sensor up-time is 12 days. Using 501858304 out of 1984704512 bytes of available memory (25% usage) system is using 17.3M out of 29.0M bytes of available disk space (59% usage) application-data is using 49.1M out of 166.6M bytes of available disk space (31% usage) boot is using 34.9M out of 68.5M bytes of available disk space (54% usage) MainApp 2005_Jan_05_11.54 (Release) 2005-01-05T12:06:57-0600 Running AnalysisEngine 2005_Jan_05_11.54 (Release) 2005-01-05T12:06:57-0600 Running CLI 2005_Jan_05_11.54 (Release) 2005-01-05T12:06:57-0600 Upgrade History: IDS-K9-maj-5.0.1.S141.pkg 11:00:00 UTC Sat Dec 18 2004 Recovery Partition Version 1.1 - 5.0(1)S149.0

The first shaded line in Example 14-13 shows the CIPS software version running on the AIP-SSM. The second shaded line shows that the AIP-SSM has been up for 12 days. The third shaded line shows information about previous upgrades and updates to this AIP-SSM. Other information such as disk and memory utilization is also displayed.

You can use the show configuration command to display the current configuration on the AIP-SSM, as shown in Example 14-14.

Example 14-14. Output of AIP-SSM show configuration Command

ChicagoSSM# show configuration ! ------------------------------ ! Version 5.0(1) ! Current configuration last modified Tue Feb 08 15:54:43 2005 ! ------------------------------ service analysis-engine exit ! ------------------------------ service authentication exit ! ------------------------------ service event-action-rules rules0 exit ! ------------------------------ service host network-settings host-ip 172.23.62.92/24,172.23.62.1 host-name ChicagoSSM telnet-option enabled access-list 192.168.10.123/32 exit time-zone-settings offset -420 standard-time-zone-name GMT-07:00 exit summertime-option recurring summertime-zone-name PDT exit auto-upgrade-option enabled schedule-option calendar-schedule times-of-day 01:00:00 days-of-week monday days-of-week wednesday days-of-week friday exit ip-address 192.168.10.188 directory/updates/sigupdatefile.pkg user-name scpuser password cisco file-copy-protocol scp exit exit ! ------------------------------ service interface exit ! ------------------------------ service logger exit ! ------------------------------ service network-access general never-block-hosts 10.0.0.1 exit user-profiles a exit exit ! ------------------------------ service notification snmp-agent-port 165 exit ! ------------------------------ service signature-definition sig0 exit ! ------------------------------ service ssh-known-hosts exit ! ------------------------------ service trusted-certificates exit ! ------------------------------ service web-server enable-tls true port 443 exit

Backing Up Your Configuration

It is recommended that you back up your configuration on a regular basis. You can back up your configuration to the local Flash on the AIP-SSM or to a remote server.

Use the copy current-config backup-config command to make a backup of the current configuration to a file (called backup-config) locally stored on the AIP-SSM. You can merge the backup configuration file with the current configuration file or overwrite the current configuration file with the backup configuration file. In Example 14-15, the AIP-SSM merges the backup configuration into the current configuration.

Example 14-15. Merging the Backup Configuration

ChicagoSSM# copy backup-config current-config

In Example 14-16, the AIP-SSM overwrites the backup configuration file into the current configuration file.

Example 14-16. Overwriting the Backup Configuration into Current AIP-SSM Configuration

ChicagoSSM# copy /erase backup-config current-config

As a best practice, you should back up your configuration file to an external server. In the example illustrated in Figure 14-6, SecureMe's Chicago AIP-SSM copies a backup of its configuration file to FTP server 192.168.10.159.

Figure 14-6. Configuration Backup

Example 14-17 shows the command entered on the AIP-SSM.

Example 14-17. Backing Up the Configuration to an FTP Server

ChicagoSSM# copy current-config ftp://192.168.10.159 User: ftpuser File name: ChicagoSSM_Config Password: ********

The configuration is successfully copied to a file named ChicagoSSM_Config on the FTP server 192.168.10.159. The AIP-SSM prompts the administrator to enter the FTP user, file name, and password.

Displaying and Clearing Events

The show events command enables you to view the events stored in the AIP-SSM's local event log. After invoking this command, all the events are displayed as a live feed (to exit, press Ctrl-C). Example 14-18 lists all the available options for the show events command.

Example 14-18. show events Command Options

ChicagoSSM# show events ? alert Display local system alerts. error Display error events. hh:mm[:ss] Display start time. log Display log events. nac Display NAC shun events. past Display events starting in the past specified time. status Display status events. | Output modifiers.

In Example 14-19, the AIP-SSM displays past events since 8:00 a.m.

Example 14-19. Displaying Past Events

ChicagoSSM# show events past 08:00:00 evStatus: eventId=1104988000052754141 vendor=Cisco originator: hostId: ChicagoSSM appName: cidwebserver appInstanceId: 276 time: 2005/02/09 18:54:56 2005/02/09 11:54:56 GMT-09:00 controlTransaction: command=getEventServerStatistics successful=true description: Control transaction response. requestor: user: cisco application: hostId: 127.0.1.1 appName: -cidcli appInstanceId: 13200 evStatus: eventId=1104988000052754142 vendor=Cisco originator: hostId: ChicagoSSM appName: mainApp appInstanceId: 276 time: 2005/02/09 18:55:06 2005/02/09 11:55:06 GMT-07:00 controlTransaction: command=getEventStoreStatistics successful=true description: Control transaction response. requestor: user: cisco application: hostId: 127.0.1.1 appName: -cidcli appInstanceId: 13200

You can clear events stored locally in the AIP-SSM by using the clear events command, as demonstrated in Example 14-20.

Example 14-20. Clearing Events

ChicagoSSM# clear events Warning: Executing this command will remove all events currently stored in the event store. Continue with clear? []: yes

The AIP-SSM displays a warning message asking you to confirm the removal of all the events stored on the system, because they will be lost if they have not been retrieved by a management or monitoring device.

Displaying and Clearing Statistics

The CLI enables you to collect statistics about different CIPS services, components, and applications. The show statistics command is used to display such information. Example 14-21 shows the show statistics command options.

Example 14-21. show statistics Command Options

ChicagoSSM# show statistics ? analysis-engine Display analysis engine statistics. authentication Display authentication statistics. denied-attackers Display denied attacker statistics. event-server Display event server statistics. event-store Display event store statistics. host Display host statistics. logger Display logger statistics. network-access Display network access controller statistics. notification Display notification statistics. sdee-server Display SDEE server statistics. transaction-server Display transaction server statistics. transaction-source Display transaction source statistics. virtual-sensor Display virtual sensor statistics. web-server Display web werver statistics.

The show statistics analysis-engine command displays traffic statistics and health information about the AIP-SSM analysis engine. Example 14-22 includes the output of this command.

Example 14-22. show statistics analysis-engine Command Output

ChicagoSSM# show statistics analysis-engine Analysis Engine Statistics Number of seconds since service started = 1665921 Measure of the level of current resource utilization = 0 Measure of the level of maximum resource utilization = 0 The rate of TCP connections tracked per second = 0 The rate of packets per second = 0 The rate of bytes per second = 0 Receiver Statistics Total number of packets processed since reset = 0 Total number of IP packets processed since reset = 0 Transmitter Statistics Total number of packets transmitted = 0 Total number of packets denied = 0 Total number of packets reset = 0 Fragment Reassembly Unit Statistics Number of fragments currently in FRU = 0 Number of datagrams currently in FRU = 0 TCP Stream Reassembly Unit Statistics TCP streams currently in the embryonic state = 0 TCP streams currently in the established state = 0 TCP streams currently in the closing state = 0 TCP streams currently in the system = 0 TCP Packets currently queued for reassembly = 0 The Signature Database Statistics. Total nodes active = 0 TCP nodes keyed on both IP addresses and both ports = 0 UDP nodes keyed on both IP addresses and both ports = 0 IP nodes keyed on both IP addresses = 0 Statistics for Signature Events Number of SigEvents since reset = 0 Statistics for Actions executed on a SigEvent Number of Alerts written to the IdsEventStore = 0

You can use the show statistics authentication command to display statistics on failed and total authentication attempts to the AIP-SSM module. Example 14-23 shows the output of this command.

Example 14-23. show statistics authentication Command Output

ChicagoSSM# show statistics authentication General totalAuthenticationAttempts = 144 failedAuthenticationAttempts = 9

In Example 14-23, there were 9 failed authentication attempts out of 144 total attempts.

Example 14-24 includes the output of the show statistics event-server command. This command is used to only display the number of open and blocked connections o the AIP-SSM from event management stations.

Example 14-24. show statistics event-server Command Output

ChicagoSSM# show statistics event-server General openSubscriptions = 10 blockedSubscriptions = 0 Subscriptions

The show statistics event-store command gives you more useful information. It displays detailed information about the event store. Example 14-25 includes the output of this command.

Example 14-25. show statistics event-store Command Output

ChicagoSSM# show statistics event-store Event store statistics General information about the event store The current number of open subscriptions = 10 The number of events lost by subscriptions and queries = 0 The number of queries issued = 0 The number of times the event store circular buffer has wrapped = 0 Number of events of each type currently stored Debug events = 0 Status events = 59 Log transaction events = 0 Shun request events = 0 Error events, warning = 1 Error events, error = 8 Error events, fatal = 0 Alert events, informational = 2 Alert events, low = 0 Alert events, medium = 0 Alert events, high = 0

Another command that is very useful for troubleshooting is the show statistics host command. It includes network and link statistics, health of the AIP-SSM module (i.e., CPU and memory utilization), and other administrative items such as NTP and auto-update statistics. Example 14-26 includes the output of this command.

Example 14-26. show statistics host Command Output

ChicagoSSM# show statistics host General Statistics Last Change To Host Config (UTC) = 03:00:39 Tue Feb 15 2005 Command Control Port Device = GigabitEthernet0/0 Network Statistics ge0_0 Link encap:Ethernet HWaddr 00:0B:FC:F8:01:2C inet addr:172.23.62.92 Bcast:172.23.62.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:3758776 errors:0 dropped:0 overruns:0 frame:0 TX packets:272436 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:471408183 (449.5 MiB) TX bytes:183240697 (174.7 MiB) Base address:0xbc00 Memory:f8200000-f8220000 NTP Statistics status = Not applicable Memory Usage usedBytes = 500649984 freeBytes = 1484054528 totalBytes = 1984704512 Swap Usage Used Bytes = 0 Free Bytes = 0 Total Bytes = 0 Summertime Statistics start = 03:00:00 PDT Sun Apr 03 2005 end = 01:00:00 GMT-08:00 Sun Oct 30 2005 CPU Statistics Usage over last 5 seconds = 0 Usage over last minute = 0 Usage over last 5 minutes = 0 Memory Statistics Memory usage (bytes) = 500559872 Memory free (bytes) = 1484144640 Auto Update Statistics lastDirectoryReadAttempt = 01:03:09 GMT-08:00 Mon Feb 14 2005 Read directory: scp://scpuser@192.168.10.188//updates/sigupdatefile.pkg/ Error: Failed attempt to get directory listing from remote auto update server: ssh: connect to host 192.168.10.188 port 22: Connection timed out lastDownloadAttempt = N/A lastInstallAttempt = N/A nextAttempt = 01:00:00 GMT-08:00 Wed Feb 16 2005

In the shaded lines in Example 14-26, you can see that the AIP-SSM attempted to connect to the server with IP address 192.168.10.188 over SSH (TCP port 22) without success. The connection timed out because of network connectivity problems.

To display IP logger statistics, use the show statistics logger command. The output of this command is included in Example 14-27.

Example 14-27. show statistics logger Command Output

ChicagoSSM# show statistics logger The number of Log interprocessor FIFO overruns = 0 The number of syslog messages received = 331 The number of events written to the event store by severity Fatal Severity = 0 Error Severity = 78 Warning Severity = 358 TOTAL = 436 The number of log messages written to the message log by severity Fatal Severity = 0 Error Severity = 78 Warning Severity = 27 Timing Severity = 0 Debug Severity = 0 Unknown Severity = 62 TOTAL = 167

IP logging is covered in detail in the following section.