© 2005 Cisco Systems, Inc. All rights reserved. IPS v
Lesson 12: Monitoring the Sensor

Using the CLI to Monitor the Sensor

Obtaining Information About Your Sensor
You can use the sensor CLI to obtain the following information about your sensor:
– PEP information
– Service statistics
– Interface statistics
– Details about traffic traversing an interface
– Tech support information

Displaying PEP Information
  show inventory
Displays PEP information for the sensor hardware.
  sensor# show inventory
  NAME: "Chassis", DESCR: "Chasis-4240"
  PID: E, VID: V04, SN:
Displays the product identifier, version identifier, and serial number of the local 4240 sensor.

Displaying Service Statistics
  show statistics {analysis-engine | authentication | denied-attackers | event-server | event-store | host | logger | network-access | notification | sdee-server | transaction-source | virtual-sensor [name] | web-server} [clear]
Displays statistics for the specified option; the optional clear keyword clears the counters after they are displayed.
  sensor# show statistics authentication
  General
     totalAuthenticationAttempts = 9
     failedAuthenticationAttempts = 0
Displays authentication statistics.

Displaying Interface Statistics
  show interfaces {fastethernet | gigabitethernet | management} [slot/port]
Displays statistics for system interfaces.
  sensor# show interfaces FastEthernet0/1
Displays statistics for the Fast Ethernet 0/1 interface.

Capturing Traffic from an Interface
  packet capture interface-name [snaplen length] [count count] [expression expression]
Captures traffic on an interface in real time.
  sensor1# packet capture FastEthernet0/1
  Warning: This command will cause significant performance degradation
  tcpdump: WARNING: fe0_1: no IPv4 address assigned
  tcpdump: listening on fe0_1, link-type EN10MB (Ethernet), capture size bytes
  15 packets captured
  15 packets received by filter
  0 packets dropped by kernel
Captures traffic on Fast Ethernet 0/1.
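Added example, not part of the course material: a small Python parser for the two kinds of output shown above, the "name = value" counters of show statistics and the tcpdump-style summary that packet capture prints, so a monitoring script can flag failed logins and lossy captures. The sample output strings are constructed to match the slide format, not taken from a real sensor.

```python
import re

# Constructed sample output modelled on the slides' "show statistics authentication"
# and "packet capture" output (values chosen to exercise the checks, not real data).
AUTH_STATS = """General
   totalAuthenticationAttempts = 9
   failedAuthenticationAttempts = 3
"""

CAPTURE_OUTPUT = """Warning: This command will cause significant performance degradation
tcpdump: WARNING: fe0_1: no IPv4 address assigned
tcpdump: listening on fe0_1, link-type EN10MB (Ethernet), capture size 65535 bytes
15 packets captured
15 packets received by filter
2 packets dropped by kernel
"""


def parse_kv_stats(text):
    """Turn the 'name = value' lines of show statistics output into a dict of ints.
    Section headers such as 'General' carry no '=' and are skipped."""
    stats = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*=\s*(\d+)\s*$", line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats


def auth_failure_ratio(text):
    """Fraction of authentication attempts that failed (0.0 when there were none)."""
    s = parse_kv_stats(text)
    total = s.get("totalAuthenticationAttempts", 0)
    failed = s.get("failedAuthenticationAttempts", 0)
    return failed / total if total else 0.0


def parse_capture_summary(text):
    """Extract the three tcpdump counters printed at the end of packet capture."""
    counts = {}
    for key in ("captured", "received by filter", "dropped by kernel"):
        m = re.search(r"(\d+) packets " + re.escape(key), text)
        counts[key] = int(m.group(1)) if m else None
    return counts


def capture_is_lossless(text):
    """True only if the kernel dropped nothing and every filtered packet was captured."""
    c = parse_capture_summary(text)
    return c["dropped by kernel"] == 0 and c["captured"] == c["received by filter"]
```

Feed the functions the text you paste from the sensor console; a nonzero failure ratio or a False from capture_is_lossless is the condition worth alerting on.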

Displaying Traffic Captured from an Interface
  packet display packet-file [verbose] [expression expression]
Displays a previously captured file.
  packet display file-info
Displays information about a previously captured file.
  packet display interface-name [snaplen length] [count count] [verbose] [expression expression]
Displays live traffic as it passes the specified interface.
  sensor# packet display FastEthernet0/1 expression host
Displays traffic passing through Fast Ethernet 0/1 only if its source or destination is the specified host.
  packet display iplog id [verbose] [expression expression]
Displays an existing IP log.

Displaying Tech Support Information
  show tech-support [page] [password] [destination-url destination-url]
Displays the current system status.
  sensor# show tech-support destination-url
Places the tech support output in the file ~ipsuser/reports/sensor1Report.html.

Running a Diagnostics Report
In IDM, choose Monitoring > Support Information > Diagnostics Report and click Generate Report.

Viewing Statistics
In IDM, choose Monitoring > Support Information > Statistics; click Refresh to update the display.

Viewing System Information
In IDM, choose Monitoring > Support Information > System Information; click Refresh to update the display.

Configuring SNMP Monitoring
In IDM, choose Configuration > SNMP > General Configuration. The following settings are available:
– Enable SNMP Gets/Sets
– Read-Only Community String
– Read-Write Community String
– Sensor Contact
– Sensor Location
– Sensor Agent Port
– Sensor Agent Protocol
Click Apply to save the settings or Reset to discard your changes. The read-write community string authorizes SNMP sets on the sensor, so protect it as you would a password.

Summary

Summary
The 4240 and 4255 sensors contain a UDI, which provides the following benefits:
– Gives you the ability to electronically inventory Cisco products accurately and reliably
– Simplifies product identification
– Provides consistent product identification across products
You can retrieve the UDI, a deliverable of the Cisco PEP, via the show inventory command.
The CLI contains the following useful troubleshooting commands:
– show statistics: Provides a snapshot of the current internal state of sensor services
– show interfaces: Provides statistics for sensor interfaces
– packet: Captures or displays live traffic on an interface
– show tech-support: Captures all status and configuration information on the sensor

Summary (Cont.)
The IDM enables you to monitor your sensor as follows:
– Run a diagnostics report
– View statistics for sensor services
– View TAC contact information and system information such as the following:
    Type of sensor
    Software version
    Upgrades installed
    PEP information
You can configure your sensor to be monitored by SNMP.

Lab Exercise

Lab Visual Objective (network diagram): pod routers rP and rQ, sensors sensorP and sensorQ, student PCs 10.0.P.12 and 10.0.Q.12 on networks 10.0.P.0 and 10.0.Q.0, with the Web and FTP servers reached through the RBB.