AIP-SSM Maintenance
This section includes information on administrative maintenance tasks on the AIP-SSM. These tasks include the following:
- Adding trusted hosts to connect to the AIP-SSM
- Upgrading the CIPS software and signatures via the CLI
- Displaying software version and configuration information
- Backing up the AIP-SSM configuration
- Displaying and clearing events
- Displaying and clearing AIP-SSM statistics
Adding Trusted Hosts
In order for a device to be able to connect to the AIP-SSM for management and monitoring purposes, it needs to be added to the trusted host list. You can add trusted hosts that will be able to communicate with the AIP-SSM by following these steps:
Step 1. |
Enter configuration mode and invoke the service host command. You will be placed into host configuration mode.
ChicagoSSM# configure terminal ChicagoSSM (config)# service host ChicagoSSM (config-hos)# |
Step 2. |
Invoke the network-settings command to start adding entries to the ACL for hosts or networks allowed to connect to the AIP-SSM:
ChicagoSSM (config-hos)# network-settings ChicagoSSM (config-hos-net)# access-list 192.168.10.123/32 ChicagoSSM (config-hos-net)# exit ChicagoSSM (config-hos)# exit Apply Changes:?[yes]: yes ChicagoSSM (config)# In this example, a host with IP address 192.168.10.123 is added to the ACL.
Once you exit from both configuration modes, the AIP-SSM will prompt you to apply the changes to the configuration. Enter yes if the configuration parameters are correct.
|
SSH Known Host List
In order for any SSH client or any SSH server to communicate with the AIP-SSM, you must first add it into the SSH known host list. Use the ssh host-key command to add a host to the AIP-SSM SSH known host list. Example 14-10 shows how a host with IP address 192.168.10.33 is added to the Chicago SSM.
Example 14-10. Adding an Entry to the SSH Known Host List
ChicagoSSM# configure terminal ChicagoSSM(config)# ssh host-key 192.168.10.33 Would you like to add this to the known hosts table for this host?[yes] yes
The AIP-SSM asks the administrator to confirm the addition of the SSH host entry. Type yes or press Enter to confirm.
TLS Known Host List
The CIPS software allows you to restrict what systems are able to establish a TLS/SSL session to the AIP-SSM. To add a TLS trusted host to the AIP-SSM, use the tls trusted-host command. Example 14-11 demonstrates how to add a TLS host configured with IP address 192.168.10.34. The AIP-SSM does an SSL/TLS exchange with the specified host to obtain its SSL/TLS certificate.
Example 14-11. Adding a TLS Known Host
ChicagoSSM# configure terminal ChicagoSSM(config)# tls trusted-host ip-address 192.168.10.34
Upgrading the CIPS Software and Signatures via the CLI
You can apply the CIPS software service packs and signature updates by using the CLI. The following protocols are supported:
- File Transfer Protocol (FTP)
- Hypertext Transfer Protocol (HTTP)
- Hypertext Transfer Protocol Secure (HTTPS)
- Secure Copy Protocol (SCP)
Note
If HTTPS/SSL is used, a trusted TLS host entry must be added for the server from which you will retrieve the service pack or signature update file.
You can perform one-time upgrades or schedule recurring automatic upgrades.
One-Time Upgrades
The upgrade command is used to apply service packs and signature updates to the AIP-SSM. The following is the command syntax:
upgrade source-url
The source-url is the location where the AIP-SSM retrieves the upgrade file.
The following is the URL syntax if FTP is used:
ftp:[[//username:password@]location]/relativeDirectory/filename
or
ftp:[[//username@]location]//absoluteDirectory/filename
The syntax for HTTP is
http:[[//username@]location]/directory]/filename
The syntax for HTTPS is
https:[[//username@]location]/directory]/filename
The syntax for SCP is
scp:[[//username@]location]/relativeDirectory]/filename
or
scp:[[//username@]location]/absoluteDirectory]/filename
Tip
If you just enter the upgrade command followed by a protocol prefix (ftp:, http:, https:, or scp:), the CLI prompts you for all the required information.
In Example 14-12, a signature update is retrieved from the HTTP server that was previously entered into the TLS trusted list (192.168.10.34). A user called httpsuser is being used for authentication purposes. After invoking the command, the AIP-SSM prompts you to enter the password for the HTTPS server user.
Example 14-12. Applying Signature Updates
ChicagoSSM# configure terminal ChicagoSSM(config)# upgrade https://httpsuser@192.168.10.34/upgrade/sigupdate.pkg Enter password: ***** Re-enter password: *****
Scheduled Upgrades
As a best practice, you may want to configure automatic service pack upgrades or signature updates. This eases administration and provides a mechanism to make sure that your AIP-SSM is running updated signatures.
Note
Cisco offers a service where customers can subscribe to obtain IPS signatures shortly after security threats and vulnerabilities are announced. For more information, visit http://www.cisco.com/go/ipsalert/.
In the example illustrated in Figure 14-5, the goal is to configure the AIP-SSM module in the Chicago ASA appliance to automatically retrieve signature updates every Monday, Wednesday, and Friday at 1:00 a.m.
Figure 14-5. Scheduled Upgrades
The following steps are completed on each device to achieve this goal:
Step 1. |
The IPS signature update from Cisco.com is downloaded and saved on the management server. To enable automatic upgrades and configure auto-upgrade settings go into service host configuration mode and enable the auto-upgrade option as follows:
ChicagoSSM(config)# service host ChicagoSSM(config-hos)# auto-upgrade-option enabled |
Step 2. |
Specify the IP address of the server from which the AIP-SSM will retrieve the update file. In this case, the server is 192.168.1.188:
ChicagoSSM(config-hos-ena)# ip-address 192.168.10.188 |
Step 3. |
Specify the file copy protocol used to download files from the server. SCP is used in this example:
ChicagoSSM(config-hos-ena)# file-copy-protocol scp |
Step 4. |
Define the username for authentication on the 192.168.10.188 server. The user in this example is called scpuser:
ChicagoSSM(config-hos-ena)# user-name scpuser |
Step 5. |
Enter the user password for authentication on the 192.168.10.188 server with the password command. The AIP-SSM prompts you to enter and confirm the password:
ChicagoSSM(config-hos-ena)# password Enter password[]: ***** Re-enter password: ***** |
Step 6. |
Specify the directory where upgrade files are located on the server. A leading forward slash (/) indicates an absolute path. The directory in this example is called updates and the update file is called sigupdatefile.pkg:
ChicagoSSM(config-hos-ena)# directory/updates/ sigupdatefile.pkg |
Step 7. |
You can configure two types of scheduled updates:
- Calendar based Specify what days and times of the week the AIP-SSM will attempt the updates.
- Periodic Configure the time that the first automatic upgrade should occur, and how long the AIP-SSM will wait between automatic upgrades. In this example, the AIP-SSM will automatically retrieve signature updates every Monday, Wednesday, and Friday at 1:00 a.m.:
ChicagoSSM(config-hos-ena)# schedule-option calendar-schedule ChicagoSSM (config-hos-ena-cal)# times-of-day 01:00:00 ChicagoSSM (config-hos-ena-cal)# days-of-week Monday ChicagoSSM (config-hos-ena-cal)# days-of-week Wednesday ChicagoSSM (config-hos-ena-cal)# days-of-week Friday ChicagoSSM (config-hos-ena-cal)# exit |
Step 8. |
Use the show settings command to view and confirm all the settings entered:
ChicagoSSM(config-hos-ena)# show settings enabled ----------------------------------------------- schedule-option ----------------------------------------------- calendar-schedule ----------------------------------------------- times-of-day (min: 1, max: 24, current: 1) ----------------------------------------------- time: 01:00:00 ----------------------------------------------- ----------------------------------------------- days-of-week (min: 1, max: 7, current: 3) ----------------------------------------------- day: monday ----------------------------------------------- day: wednesday ----------------------------------------------- day: friday ----------------------------------------------- ----------------------------------------------- ----------------------------------------------- ----------------------------------------------- ip-address: 192.168.10.188 directory:/updates/sigupdatefile.pkg user-name: scpuser password: file-copy-protocol: scp default: scp ----------------------------------------------- |
Step 9. |
Exit configuration mode. You will be asked to apply the changes. Enter yes if the information is correct.
ChicagoSSM(config-hos-ena)# exit ChicagoSSM(config-hos)# exit Apply Changes:?[yes]: yes |
Displaying Software Version and Configuration Information
You can use the show version command to display the version of the CIPS software, signature packages, and IPS processes running on the AIP-SSM. Example 14-13 shows the output of the show version command at the ChicagoSSM.
Example 14-13. Output of AIP-SSM show version Command
ChicagoSSM# show version Application Partition: Cisco Intrusion Prevention System, Version 5.0(1)S149.0 OS Version 2.4.26-IDS-smp-bigphys Platform: ASA-SSM-20 Serial Number: 1234567890 Trial license, expires: 21-Feb-2005 UTC Sensor up-time is 12 days. Using 501858304 out of 1984704512 bytes of available memory (25% usage) system is using 17.3M out of 29.0M bytes of available disk space (59% usage) application-data is using 49.1M out of 166.6M bytes of available disk space (31% usage) boot is using 34.9M out of 68.5M bytes of available disk space (54% usage) MainApp 2005_Jan_05_11.54 (Release) 2005-01-05T12:06:57-0600 Running AnalysisEngine 2005_Jan_05_11.54 (Release) 2005-01-05T12:06:57-0600 Running CLI 2005_Jan_05_11.54 (Release) 2005-01-05T12:06:57-0600 Upgrade History: IDS-K9-maj-5.0.1.S141.pkg 11:00:00 UTC Sat Dec 18 2004 Recovery Partition Version 1.1 - 5.0(1)S149.0
The first shaded line in Example 14-13 shows the CIPS software version running on the AIP-SSM. The second shaded line shows that the AIP-SSM has been up for 12 days. The third shaded line shows information about previous upgrades and updates to this AIP-SSM. Other information such as disk and memory utilization is also displayed.
You can use the show configuration command to display the current configuration on the AIP-SSM, as shown in Example 14-14.
Example 14-14. Output of AIP-SSM show configuration Command
ChicagoSSM# show configuration ! ------------------------------ ! Version 5.0(1) ! Current configuration last modified Tue Feb 08 15:54:43 2005 ! ------------------------------ service analysis-engine exit ! ------------------------------ service authentication exit ! ------------------------------ service event-action-rules rules0 exit ! ------------------------------ service host network-settings host-ip 172.23.62.92/24,172.23.62.1 host-name ChicagoSSM telnet-option enabled access-list 192.168.10.123/32 exit time-zone-settings offset -420 standard-time-zone-name GMT-07:00 exit summertime-option recurring summertime-zone-name PDT exit auto-upgrade-option enabled schedule-option calendar-schedule times-of-day 01:00:00 days-of-week monday days-of-week wednesday days-of-week friday exit ip-address 192.168.10.188 directory/updates/sigupdatefile.pkg user-name scpuser password cisco file-copy-protocol scp exit exit ! ------------------------------ service interface exit ! ------------------------------ service logger exit ! ------------------------------ service network-access general never-block-hosts 10.0.0.1 exit user-profiles a exit exit ! ------------------------------ service notification snmp-agent-port 165 exit ! ------------------------------ service signature-definition sig0 exit ! ------------------------------ service ssh-known-hosts exit ! ------------------------------ service trusted-certificates exit ! ------------------------------ service web-server enable-tls true port 443 exit
Backing Up Your Configuration
It is recommended that you back up your configuration on a regular basis. You can back up your configuration to the local Flash on the AIP-SSM or to a remote server.
Use the copy current-config backup-config command to make a backup of the current configuration to a file (called backup-config) locally stored on the AIP-SSM. You can merge the backup configuration file with the current configuration file or overwrite the current configuration file with the backup configuration file. In Example 14-15, the AIP-SSM merges the backup configuration into the current configuration.
Example 14-15. Merging the Backup Configuration
ChicagoSSM# copy backup-config current-config
In Example 14-16, the AIP-SSM overwrites the backup configuration file into the current configuration file.
Example 14-16. Overwriting the Backup Configuration into Current AIP-SSM Configuration
ChicagoSSM# copy /erase backup-config current-config
As a best practice, you should back up your configuration file to an external server. In the example illustrated in Figure 14-6, SecureMe's Chicago AIP-SSM copies a backup of its configuration file to FTP server 192.168.10.159.
Figure 14-6. Configuration Backup
Example 14-17 shows the command entered on the AIP-SSM.
Example 14-17. Backing Up the Configuration to an FTP Server
ChicagoSSM# copy current-config ftp://192.168.10.159 User: ftpuser File name: ChicagoSSM_Config Password: ********
The configuration is successfully copied to a file named ChicagoSSM_Config on the FTP server 192.168.10.159. The AIP-SSM prompts the administrator to enter the FTP user, file name, and password.
Displaying and Clearing Events
The show events command enables you to view the events stored in the AIP-SSM's local event log. After invoking this command, all the events are displayed as a live feed (to exit, press Ctrl-C). Example 14-18 lists all the available options for the show events command.
Example 14-18. show events Command Options
ChicagoSSM# show events ? alert Display local system alerts. error Display error events. hh:mm[:ss] Display start time. log Display log events. nac Display NAC shun events. past Display events starting in the past specified time. status Display status events. | Output modifiers.
In Example 14-19, the AIP-SSM displays past events since 8:00 a.m.
Example 14-19. Displaying Past Events
ChicagoSSM# show events past 08:00:00 evStatus: eventId=1104988000052754141 vendor=Cisco originator: hostId: ChicagoSSM appName: cidwebserver appInstanceId: 276 time: 2005/02/09 18:54:56 2005/02/09 11:54:56 GMT-09:00 controlTransaction: command=getEventServerStatistics successful=true description: Control transaction response. requestor: user: cisco application: hostId: 127.0.1.1 appName: -cidcli appInstanceId: 13200 evStatus: eventId=1104988000052754142 vendor=Cisco originator: hostId: ChicagoSSM appName: mainApp appInstanceId: 276 time: 2005/02/09 18:55:06 2005/02/09 11:55:06 GMT-07:00 controlTransaction: command=getEventStoreStatistics successful=true description: Control transaction response. requestor: user: cisco application: hostId: 127.0.1.1 appName: -cidcli appInstanceId: 13200
You can clear events stored locally in the AIP-SSM by using the clear events command, as demonstrated in Example 14-20.
Example 14-20. Clearing Events
ChicagoSSM# clear events Warning: Executing this command will remove all events currently stored in the event store. Continue with clear? []: yes
The AIP-SSM displays a warning message asking you to confirm the removal of all the events stored on the system, because they will be lost if they have not been retrieved by a management or monitoring device.
Displaying and Clearing Statistics
The CLI enables you to collect statistics about different CIPS services, components, and applications. The show statistics command is used to display such information. Example 14-21 shows the show statistics command options.
Example 14-21. show statistics Command Options
ChicagoSSM# show statistics ? analysis-engine Display analysis engine statistics. authentication Display authentication statistics. denied-attackers Display denied attacker statistics. event-server Display event server statistics. event-store Display event store statistics. host Display host statistics. logger Display logger statistics. network-access Display network access controller statistics. notification Display notification statistics. sdee-server Display SDEE server statistics. transaction-server Display transaction server statistics. transaction-source Display transaction source statistics. virtual-sensor Display virtual sensor statistics. web-server Display web werver statistics.
The show statistics analysis-engine command displays traffic statistics and health information about the AIP-SSM analysis engine. Example 14-22 includes the output of this command.
Example 14-22. show statistics analysis-engine Command Output
ChicagoSSM# show statistics analysis-engine Analysis Engine Statistics Number of seconds since service started = 1665921 Measure of the level of current resource utilization = 0 Measure of the level of maximum resource utilization = 0 The rate of TCP connections tracked per second = 0 The rate of packets per second = 0 The rate of bytes per second = 0 Receiver Statistics Total number of packets processed since reset = 0 Total number of IP packets processed since reset = 0 Transmitter Statistics Total number of packets transmitted = 0 Total number of packets denied = 0 Total number of packets reset = 0 Fragment Reassembly Unit Statistics Number of fragments currently in FRU = 0 Number of datagrams currently in FRU = 0 TCP Stream Reassembly Unit Statistics TCP streams currently in the embryonic state = 0 TCP streams currently in the established state = 0 TCP streams currently in the closing state = 0 TCP streams currently in the system = 0 TCP Packets currently queued for reassembly = 0 The Signature Database Statistics. Total nodes active = 0 TCP nodes keyed on both IP addresses and both ports = 0 UDP nodes keyed on both IP addresses and both ports = 0 IP nodes keyed on both IP addresses = 0 Statistics for Signature Events Number of SigEvents since reset = 0 Statistics for Actions executed on a SigEvent Number of Alerts written to the IdsEventStore = 0
You can use the show statistics authentication command to display statistics on failed and total authentication attempts to the AIP-SSM module. Example 14-23 shows the output of this command.
Example 14-23. show statistics authentication Command Output
ChicagoSSM# show statistics authentication General totalAuthenticationAttempts = 144 failedAuthenticationAttempts = 9
In Example 14-23, there were 9 failed authentication attempts out of 144 total attempts.
Example 14-24 includes the output of the show statistics event-server command. This command is used to only display the number of open and blocked connections o the AIP-SSM from event management stations.
Example 14-24. show statistics event-server Command Output
ChicagoSSM# show statistics event-server General openSubscriptions = 10 blockedSubscriptions = 0 Subscriptions
The show statistics event-store command gives you more useful information. It displays detailed information about the event store. Example 14-25 includes the output of this command.
Example 14-25. show statistics event-store Command Output
ChicagoSSM# show statistics event-store Event store statistics General information about the event store The current number of open subscriptions = 10 The number of events lost by subscriptions and queries = 0 The number of queries issued = 0 The number of times the event store circular buffer has wrapped = 0 Number of events of each type currently stored Debug events = 0 Status events = 59 Log transaction events = 0 Shun request events = 0 Error events, warning = 1 Error events, error = 8 Error events, fatal = 0 Alert events, informational = 2 Alert events, low = 0 Alert events, medium = 0 Alert events, high = 0
Another command that is very useful for troubleshooting is the show statistics host command. It includes network and link statistics, health of the AIP-SSM module (i.e., CPU and memory utilization), and other administrative items such as NTP and auto-update statistics. Example 14-26 includes the output of this command.
Example 14-26. show statistics host Command Output
ChicagoSSM# show statistics host General Statistics Last Change To Host Config (UTC) = 03:00:39 Tue Feb 15 2005 Command Control Port Device = GigabitEthernet0/0 Network Statistics ge0_0 Link encap:Ethernet HWaddr 00:0B:FC:F8:01:2C inet addr:172.23.62.92 Bcast:172.23.62.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:3758776 errors:0 dropped:0 overruns:0 frame:0 TX packets:272436 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:471408183 (449.5 MiB) TX bytes:183240697 (174.7 MiB) Base address:0xbc00 Memory:f8200000-f8220000 NTP Statistics status = Not applicable Memory Usage usedBytes = 500649984 freeBytes = 1484054528 totalBytes = 1984704512 Swap Usage Used Bytes = 0 Free Bytes = 0 Total Bytes = 0 Summertime Statistics start = 03:00:00 PDT Sun Apr 03 2005 end = 01:00:00 GMT-08:00 Sun Oct 30 2005 CPU Statistics Usage over last 5 seconds = 0 Usage over last minute = 0 Usage over last 5 minutes = 0 Memory Statistics Memory usage (bytes) = 500559872 Memory free (bytes) = 1484144640 Auto Update Statistics lastDirectoryReadAttempt = 01:03:09 GMT-08:00 Mon Feb 14 2005 Read directory: scp://scpuser@192.168.10.188//updates/sigupdatefile.pkg/ Error: Failed attempt to get directory listing from remote auto update server: ssh: connect to host 192.168.10.188 port 22: Connection timed out lastDownloadAttempt = N/A lastInstallAttempt = N/A nextAttempt = 01:00:00 GMT-08:00 Wed Feb 16 2005
In the shaded lines in Example 14-26, you can see that the AIP-SSM attempted to connect to the server with IP address 192.168.10.188 over SSH (TCP port 22) without success. The connection timed out because of network connectivity problems.
To display IP logger statistics, use the show statistics logger command. The output of this command is included in Example 14-27.
Example 14-27. show statistics logger Command Output
ChicagoSSM# show statistics logger The number of Log interprocessor FIFO overruns = 0 The number of syslog messages received = 331 The number of events written to the event store by severity Fatal Severity = 0 Error Severity = 78 Warning Severity = 358 TOTAL = 436 The number of log messages written to the message log by severity Fatal Severity = 0 Error Severity = 78 Warning Severity = 27 Timing Severity = 0 Debug Severity = 0 Unknown Severity = 62 TOTAL = 167
IP logging is covered in detail in the following section.