
Release Note for the Cisco Traffic Anomaly Detector Appliance (Software Version 5.1(x))



Release Note for the Cisco Traffic Anomaly Detector Appliance


April 16, 2006


Note The most current Cisco documentation for released products is available on www.cisco.com.


Contents

This release note applies to software versions 5.1(4), 5.1(5), and 5.1(6) of the Cisco Traffic Anomaly Detector appliance (Detector). This release note contains the following sections:

New Features in Software Version 5.1(4)

Operating Considerations

Prior To Upgrading from Software Version 3.x to 5.1(4)

Documentation Enhancements and Corrections

Software Version 5.1(6) Open Caveats and Resolved Caveats

Software Version 5.1(5) Open Caveats, Resolved Caveats, and Documentation Corrections

Software Version 5.1(4) Open Caveats, Resolved Caveats, and Command Changes

Related Documentation

Obtaining Documentation, Obtaining Support, and Security Guidelines

New Features in Software Version 5.1(4)

The following new features are available in software version 5.1(4):

Voice over IP (VoIP) antispoofing support

Activation of zone traffic diversion to a Cisco Guard by using BGP

Resource tracking enhancements, such as the ability to display CPU utilization and the number of active dynamic filters

Security enhancements:

Configurable login banner for the CLI and the WBM

Configurable session idle timeout for the CLI

Ability to move between user privilege levels in the WBM

TACACS+ security enhancements:

Ability to limit tab completion of zone names in the CLI

TACACS+ password expiration warning in the CLI and the WBM

Ability to change a TACACS+ password when the password expires if the TACACS+ server supports a password change

Configurable IP addresses to exclude from the zone IP address range

Ability to customize the WMB logo

Secure Copy protocol (SCP) support for importing and exporting files

Manual activation of Cisco Guards

Configurable file server name and attributes that can be used in the import and export commands

Support for clearing counters

Operating Considerations

The following operating considerations apply to the Cisco Traffic Anomaly Detector.

Caution when upgrading the software: do not press Ctrl-C during the upgrade process, or the upgrade may fail.

The copy ftp command supports active mode only.

You can configure the Cisco Traffic Anomaly Detector to export attack reports and packet-dump capture files in XML format. The XML schema is described in the Capture .xsd file and the Exported Reports .xsd file. You can download these .xsd files from the Software Center at: http://www.cisco.com/public/sw-center/. The following .xsd files are available:

Capture—describes the XML schema of the packet-dump capture files

ExportedReports—describes the XML schema of the attack reports

Port 3220 was added in software version 5.0(x).

Prior To Upgrading from Software Version 3.x to 5.1(4)

In software version 3.x, the Detector allowed you to configure illegal subnet masks. In software version 5.1(4), the Detector checks to ensure that subnet masks are legal. When you upgrade to software version 5.1(4), the Detector corrupts all zone configurations that contain an illegal subnet mask. To prevent the Detector from corrupting a zone configuration that contains an illegal subnet mask:


Step 1 Use the no ip address command to delete the subnet mask.

Step 2 Use the ip address command to configure the subnet mask with a legal subnet.

For details on configuring zone IP addresses, see the "Configuring the Zone IP Address Range" section in the "Configuring Zones" chapter.
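A pre-upgrade check for the illegal subnet masks described above, as an added Python example that is not part of the release note or the Detector software. The running-config line layout (a zone name followed by ip address lines) and the suggested-mask heuristic are assumptions of the example.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed sample of zone configuration lines in the style of the Detector's
# "ip address <address> <mask>" command. The exact running-config layout is an
# assumption of this example, not taken from the release note.
SAMPLE_ZONE_CONFIG = """\
zone web-farm
  ip address 192.168.10.0 255.255.255.0
  ip address 192.168.20.0 255.255.0.255
zone dns-servers
  ip address 10.1.5.0 255.255.254.0
  ip address 10.1.9.0 255.0.255.0
"""

ZONE_RE = re.compile(r"^\s*zone\s+(\S+)")
IP_RE = re.compile(r"^\s*ip address\s+(\S+)\s+(\S+)")


def mask_is_legal(mask: str) -> bool:
    """A legal IPv4 mask is a contiguous run of 1-bits followed only by 0-bits."""
    try:
        value = int(ipaddress.IPv4Address(mask))
    except ipaddress.AddressValueError:
        return False
    # Inverting a legal mask gives 2**k - 1 (all low bits set); for such a
    # number x the test x & (x + 1) == 0 holds, and any gap in the 1-bits
    # of the original mask breaks it.
    inverted = ~value & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0


def suggest_legal_mask(mask: str) -> str:
    """Heuristic (an assumption of this example): keep the same number of
    1-bits but make them contiguous, e.g. 255.255.0.255 -> 255.255.255.0."""
    ones = bin(int(ipaddress.IPv4Address(mask))).count("1")
    return str(ipaddress.IPv4Network(f"0.0.0.0/{ones}").netmask)


def find_illegal_masks(config_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (zone, address, illegal_mask, suggested_mask) per offending line."""
    findings = []
    zone = "<no zone>"
    for line in config_text.splitlines():
        m = ZONE_RE.match(line)
        if m:
            zone = m.group(1)
            continue
        m = IP_RE.match(line)
        if m and not mask_is_legal(m.group(2)):
            findings.append((zone, m.group(1), m.group(2),
                             suggest_legal_mask(m.group(2))))
    return findings


if __name__ == "__main__":
    # Print the two-step correction from the release note for each finding.
    for zone, addr, bad, good in find_illegal_masks(SAMPLE_ZONE_CONFIG):
        print(f"zone {zone}: 'ip address {addr} {bad}' is illegal; "
              f"run 'no ip address {addr} {bad}' then 'ip address {addr} {good}'")
```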


Software upgrade instructions are located in the "Upgrading the Detector Software Version" section in the "Performing Maintenance Tasks" chapter in the Cisco Traffic Anomaly Detector Configuration Guide.

Documentation Enhancements and Corrections

The following enhancements and corrections apply to the 5.1 documentation set.

CSCse18399—The Detector supports the following MIBs:

Riverhead private MIB

MIB2 (RFC1213-MIB)—All of the MIB groups except the EGP and transmission MIB groups

UCDAVIS (UCD-SNMP-MIB)—Only the following MIB groups: memory, laTable, systemStats, version, and snmperrs

Correction to the description of the Detector operation in the Cisco Traffic Anomaly Detector Configuration Guide. The "Understanding the Zone Policies" section in Chapter 1, "Product Overview", describes how the Detector configures a set of dynamic filters to apply the appropriate "detection level" to the traffic flow according to the severity of the attack.

When the Detector detects a traffic anomaly, it creates a set of dynamic filters and associates an action (not a detection level) with each filter. The Detector executes the action in response to the attack. The two possible action options are:

Issue a syslog message and an SNMP trap (if you have configured the Detector to send traps)

Activate a Cisco Guard to mitigate the attack

CSCsg09162—Sequential Authentication List. The Cisco Traffic Anomaly Detector Configuration Guide contains incomplete information for configuring the Detector to use the local and TACACS+ server methods to authenticate a user.

Issue—The following text in Chapter 3, "Configuring the Detector", section "Configuring Access Control Using AAA" does not clearly describe how the Detector performs user authentication when using a distributed authentication scheme.

"You can configure a distributed authentication scheme and define users in several authentication databases. The Detector uses the first TACACS+ server to authenticate users. If the authentication returns a rejection, the Detector scans the TACACS+ server list and the alternative authentication method (local), if one exists. Authentication fails only if all the authentication methods on the list fail. This option is valid only if you do not configure the first-hit option."

Correction—Refer to the revised text below for information on configuring the Detector to use local and TACACS+ server methods to authenticate a user.

You can configure the Detector to use one or both of the user authentication methods (local or TACACS+ server). When using the TACACS+ authentication method, you can define multiple TACACS+ servers. Defining more than one authentication method provides a backup in the event that the initial method fails due to a communication error.

The Detector authenticates a user by using each of the authentication methods that you define and in the order in which you define them on the Detector. The Detector attempts to authenticate the user using the first method on the list. If the first authentication method does not respond, the Detector sequentially selects the next authentication method on the list until it finds one that responds.

You can configure the action the Detector executes when it receives a response from the first TACACS+ server using the tacacs-server first-hit command. If you enable the first-hit option, the Detector accepts as the final decision the authentication response (reject or accept) of the first TACACS+ server to respond. If you disable the first-hit option using the no tacacs-server first-hit command and the first server rejects the authentication, the Detector sequentially scans the other TACACS+ servers in an attempt to find one that accepts the authentication. User authentication using the TACACS+ servers fails when none of the defined TACACS+ servers accept the authentication or the Detector cannot communicate with any of the servers. You can configure the Detector to use its local database for user authentication when the Detector cannot communicate with the TACACS+ servers. By default, the first-hit option is disabled.
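The sequential authentication behavior described in the correction, as an added Python simulation that is not part of the release note or the Detector software. The server, user and password values are constructed; the modelling of TACACS+ as one method that falls through to the local database only when no server responds follows the text above.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Each authentication source is modelled as a function (user, password) -> verdict,
# where the verdict is "accept", "reject", or None meaning "no response" (the
# Detector could not communicate with that server). Servers and users are constructed.
Verdict = Optional[str]
Source = Callable[[str, str], Verdict]


def make_tacacs_server(users: Dict[str, str], reachable: bool = True) -> Source:
    """Simulated TACACS+ server; an unreachable server never answers."""
    def answer(user: str, password: str) -> Verdict:
        if not reachable:
            return None
        return "accept" if users.get(user) == password else "reject"
    return answer


def tacacs_method(servers: List[Source], first_hit: bool) -> Source:
    """The TACACS+ method as the corrected text describes it.

    first_hit enabled : the first server that responds gives the final verdict.
    first_hit disabled: a rejection makes the Detector scan the remaining servers
                        for one that accepts; it fails only if none accept.
    Returns None when no server responded, so the next method is selected.
    """
    def answer(user: str, password: str) -> Verdict:
        saw_reject = False
        for server in servers:
            verdict = server(user, password)
            if verdict is None:
                continue             # communication error: try the next server
            if verdict == "accept" or first_hit:
                return verdict       # accept is final; with first-hit, so is reject
            saw_reject = True        # keep scanning for a server that accepts
        return "reject" if saw_reject else None
    return answer


def local_method(local_db: Dict[str, str]) -> Source:
    """The local user database always responds."""
    def answer(user: str, password: str) -> Verdict:
        return "accept" if local_db.get(user) == password else "reject"
    return answer


def authenticate(methods: List[Tuple[str, Source]], user: str,
                 password: str) -> Tuple[bool, Optional[str]]:
    """Walk the methods in configured order; fall through only on no response.

    Returns (accepted, name_of_method_that_decided); the name is None when no
    method responded at all.
    """
    for name, method in methods:
        verdict = method(user, password)
        if verdict is None:
            continue                 # method did not respond: select the next one
        return verdict == "accept", name
    return False, None


if __name__ == "__main__":
    rejecting = make_tacacs_server({"alice": "other-pw"})
    accepting = make_tacacs_server({"alice": "s3cret"})
    local = local_method({"alice": "local-pw"})
    for first_hit in (True, False):
        methods = [("tacacs+", tacacs_method([rejecting, accepting], first_hit)),
                   ("local", local)]
        print(f"first-hit={first_hit}:", authenticate(methods, "alice", "s3cret"))
```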

CSCsg70257—Add SCP/SFTP debug-core copy to user guide. The "Obtaining Debug Information" section in Chapter 11, "Using Detector Module Diagnostics Tools", of the Cisco Traffic Anomaly Detector Configuration Guide currently describes the syntax of the copy debug-core command, which copies debug information to a remote server, as shown below. This syntax description indicates that File Transfer Protocol (FTP) is the only transfer protocol that you can use to copy a debug-core file to a remote server. In addition to FTP, you can also use Secure Copy Protocol (SCP) and Secure File Transfer Protocol (SFTP). The current syntax is as follows:

copy debug-core time ftp server full-file-name [login [password]] 

The correct syntax for describing the transfer protocol options of the copy debug-core command is as follows:

copy debug-core time {ftp | scp | sftp} server full-file-name [login [password]] 

The Cisco Traffic Anomaly Detector Configuration Guide, Chapter 3, "Configuring the Detector Module", section "Configuring Authentication" incorrectly states that if you access the Detector from a console session, it uses the local user database for authentication regardless of the defined authentication method. The correct explanation is that a console session will use the authentication method that you define.

Software Version 5.1(6) Open Caveats and Resolved Caveats

The following sections contain the open and resolved caveats in software version 5.1(6):

Software Version 5.1(6) Open Caveats

Software Version 5.1(6) Resolved Caveats

Software Version 5.1(6) Open Caveats

The following caveats are open in software version 5.1(6):

CSCsc05116—The Anomaly Detection Engine may not function correctly after reaching 100% memory utilization.

CSCsb05557—Remote activation and synchronization processes from a Detector to a Guard do not function when the Detector is located behind a device that is performing Network Address Translation (NAT). Workaround: Reconfigure the network configuration to disable NAT.

CSCsb20206—The Web-Based Manager (WBM) remains unresponsive while the pop-up window waits for results from the signature generation process. Even if you close the pop-up window manually, the WBM remains unresponsive while signature generation is in progress. Workaround: Wait until the pop-up window receives a result, or issue the no service wbm command.

CSCsb29083—You cannot use the same name to create packet dumps in different zones. Workaround: Assign unique names to manual packet dumps.

CSCsc69508—After importing an HTML file to serve as the login banner, some SSH clients may not be able to connect to the product.

CSCsc49737—The accelerator card sometimes fails to load on the first try during the reload or bootup process. The Detector issues an error message and records it in the logs. The Detector attempts two additional loads.

CSCsc77155—After a Detector reloads 1,024 consecutive times, it cannot be accessed from the network. Workaround: Reboot the Detector.

CSCsd39569—After several hundred consecutive reloads, the appliance may reboot itself. Workaround: None.

CSCsd71002—The Detector does not create and activate all child zones under attack under certain conditions. This behavior occurs when the zone is defined on the Detector with the dst-ip-by-name activation method and an attack occurs on several IP addresses from the zone range. If only the global policies are active (not the dst_ip policies), only the first recognized IP address is protected successfully. Workaround: Make sure the dst_ip policies are active on the zone.

CSCse08139—When you press Ctrl-Z several times after issuing the more 0 command, the CLI session terminates.

CSCse27876—When you press Ctrl-C during the import of a new software version or configuration, the CLI session might be disconnected. Workaround: Avoid interrupting the import process with Ctrl-C.

CSCse31042—Zone configurations with ip_scan or port_scan policies cannot be imported into the Detector. Workaround: None.

Software Version 5.1(6) Resolved Caveats

The following caveat was resolved in software version 5.1(6):

CSCsb33259—The show counters history and show rates history CLI commands and the WBM traffic rates graphs only show the current rate; there are no logs for the zone. This condition occurs when you activate the zone and there is no zone traffic.

Software Version 5.1(5) Open Caveats, Resolved Caveats, and Documentation Corrections

The following sections contain the open caveats, resolved caveats, and documentation corrections in software version 5.1(5):

Software Version 5.1(5) Open Caveats

Software Version 5.1(5) Resolved Caveats

MultiDevice Manager Commands Omitted from the Configuration Guide

Software Version 5.1(5) Open Caveats

The following caveats are open in software version 5.1(5):

CSCsc05116—The Anomaly Detection Engine may not function correctly after reaching 100% memory utilization.

CSCsb05557—Remote activation and synchronization processes from a Detector to a Guard do not function when the Detector is located behind a device that is performing Network Address Translation (NAT). Workaround: Reconfigure the network configuration to disable NAT.

CSCsb20206—The Web-Based Manager (WBM) remains unresponsive while the pop-up window waits for results from the signature generation process. Even if you close the pop-up window manually, the WBM remains unresponsive while signature generation is in progress. Workaround: Wait until the pop-up window receives a result, or issue the no service wbm command.

CSCsb29083—You cannot use the same name to create packet dumps in different zones. Workaround: Assign unique names to manual packet dumps.

CSCsc69508—After importing an HTML file to serve as the login banner, some SSH clients may not be able to connect to the product.

CSCsc49737—The accelerator card sometimes fails to load on the first try during the reload or bootup process. The Detector issues an error message and records it in the logs. The Detector attempts two additional loads.

CSCsc77155—After a Detector reloads 1,024 consecutive times, it cannot be accessed from the network. Workaround: Reboot the Detector.

CSCsd39569—After several hundred consecutive reloads, the appliance may reboot itself. Workaround: None.

CSCsd71002—The Detector does not create and activate all child zones under attack under certain conditions. This behavior occurs when the zone is defined on the Detector with the dst-ip-by-name activation method and an attack occurs on several IP addresses from the zone range. If only the global policies are active (not the dst_ip policies), only the first recognized IP address is protected successfully. Workaround: Make sure the dst_ip policies are active on the zone.

CSCse08139—When you press Ctrl-Z several times after issuing the more 0 command, the CLI session terminates.

CSCse27876—When you press Ctrl-C during the import of a new software version or configuration, the CLI session might be disconnected. Workaround: Avoid interrupting the import process with Ctrl-C.

CSCse31042—Zone configurations with ip_scan or port_scan policies cannot be imported into the Detector. Workaround: None.

Software Version 5.1(5) Resolved Caveats

The following caveats were resolved in software version 5.1(5):

CSCsb50772—Sometimes during zone activation, an error in accessing the counters/current report in the WBM is reported.

CSCsb87316—You cannot change the protection-end-timer to never when using the WBM.

CSCsb91723—The Detector does not activate the Guard during a malformed-packets attack.

CSCsc79115—Configuration synchronization success/failure is not logged.

CSCsd22723—A user with show privileges is authorized to stop learning.

CSCsd22968—History settings are not saved in upgrade and are not cleared when clearing the configuration.

CSCsd23102—The TACACS+ host key is not imported to the Detector.

CSCsd27480—The comment parameter in SSH public key after removing key.

CSCsd28961—The default protect-ip-state method in the LINK_XXXX templates is not as recommended.

CSCsd31785—A large report may cause the reporting module to fail.

CSCsd34930—Exporting XML reports to a predefined server exports text instead of XML.

CSCsd34937—Changing file server definition does not change automatic export.

CSCsd39608, CSCsd46177—The Detector may stop responding after a reboot.

CSCsd44681—The Detector may stop functioning after the Detect and Learn zone activates two Guards.

CSCsd49132—The Detector displays the wrong error message when there are no host keys to display.

CSCsd54999—You cannot get policy statistics from the WBM during detection of GUARD_XXX zone.

CSCsd59895—SNMP traps are sent with wrong agent address in SNMP payload.

CSCsd71016—The show log command does not display all logs.

CSCsd73646—There is no GUARD_VOIP template on the Detector.

CSCsd82058—The watchdog does not check the reporting module.

CSCsd82191—The BGP daemon will not respond when you configure the advertisement-interval option to 0.

CSCsd82222—Automatic Export reports are missing the complete type of events.

CSCsd97276—SNMP enhancement: the interface index (ifIndex) must be persistent.

CSCsd97443—Learning auto-accept weeks are not displayed with the show running-config command.

CSCse03815—Configured interface speed and duplex are not displayed by the show running-config command.

CSCse21170—Events are not shown on the Detector when a zone is inactive.

CSCse28303—You cannot show more than 130 subnet-related entries per zone in SNMP.

CSCse30525—Excluded IP addresses are synchronized with sync.

CSCse30965—Clearing counters while two or more zones are active causes failure to operate.

CSCse30973—You cannot clear counters while one of the zones is in Policy Construction.

CSCse34917—Failure occurs after configuring a snapshot with an underscore in its name.

CSCse42543—The no reports * command fails to delete reports.

CSCuk52975—Some commands are not logged when AAA accounting is enabled.

MultiDevice Manager Commands Omitted from the Configuration Guide

Three commands related to the Cisco DDoS MultiDevice Manager (MDM) software functionality on the Detector were introduced in software version 5.1(5), but were omitted from the Cisco Traffic Anomaly Detector Configuration Guide. The following sections describe these commands:

mdm logging trap Command

mdm restore Command

show mdm Command

mdm logging trap Command

To configure traps for MDM logging, use the mdm logging trap command in global configuration mode. To disable logging functions, use the no form of this command.

The syntax for this command is as follows:

mdm logging trap {alerts | critical | debugging | emergencies | errors | informational | notifications | warnings}

The keywords for the mdm logging trap command are as follows:

alerts—Immediate action needed (severity=1).

critical—Critical conditions (severity=2).

debugging—Debugging messages (severity=7).

emergencies—System is unusable (severity=0). This is the default.

errors—Error conditions (severity=3).

informational—Informational messages (severity=6).

notifications—Normal but significant conditions (severity=5).

warnings—Warning conditions (severity=4).


For example, to capture and log informational messages, use the mdm logging trap informational command in global configuration mode.

user@DETECTOR# configure 
user@DETECTOR-conf# mdm logging trap informational

mdm restore Command

When you enable the MDM service on the Detector so that you can manage the device with the MDM, the MDM automatically upgrades the Remote Agent (RA) on the device when it initiates a communication link with the device. While the MDM is upgrading the device RA, the operating state displays on the MDM as Initializing. The state changes to Connected when the RA upgrade is complete.

When a device appears to be constantly in a state of initialization, it may indicate that the MDM is attempting to upgrade the device RA but cannot do so.

Use the mdm restore command to resolve issues with upgrading and connecting the device RA. To return the device RA to the stub and force the MDM to reinstall the latest RA version, use the mdm restore command in global configuration mode.

The syntax for this command is as follows:

mdm restore

For example:

user@DETECTOR# configure 
user@DETECTOR-conf# mdm restore

show mdm Command

To check the status of MDM connections and settings, use the show mdm command in EXEC mode.

The syntax for this command is as follows:

show mdm

For example:

user@DETECTOR# show mdm 

The fields in the show mdm display are as follows:

MDM service state—Operating state of the MDM service: enabled or disabled.

MDM servers—List of the MDM servers that you define on the device (permitting them to access the device) and the state of the key exchange process with each server: key exchange is complete or key exchange is required.

Connected managers—The MDM server currently connected to and managing the device.

MDM syslog level—Setting of the syslog server logging level: alerts, critical, debugging, emergencies, errors, informational, notifications, or warnings.


Software Version 5.1(4) Open Caveats, Resolved Caveats, and Command Changes

The following sections contain the open caveats, resolved caveats, and command changes in software version 5.1(4):

Software Version 5.1(4) Open Caveats

Software Version 5.1(4) Resolved Caveats

Software Version 5.1(4) Command Changes

Software Version 5.1(4) Open Caveats

The following caveats are open in software version 5.1(4):

CSCsc05116—The Anomaly Detection Engine may not function correctly after reaching 100% memory utilization.

CSCsb05557—Remote activation and sync processes from the Detector to the Guard do not function when the Detector is located behind a device that is performing Network Address Translation (NAT). Workaround: Reconfigure the network configuration to disable NAT.

CSCsb20206—The Web-Based Manager (WBM) remains unresponsive while the pop-up window waits for results from the signature generation process. Even if you close the pop-up window manually, the WBM remains unresponsive while signature generation is in progress. Workaround: Wait until the pop-up window receives a result, or issue the no service wbm command.

CSCsb29083—You cannot use the same name to create packet dumps in different zones. Workaround: Assign unique names to manual packet dumps.

CSCsc69508—After importing an HTML file to serve as the login banner, some SSH clients may not be able to connect to the product.

CSCuk52975—Some commands are not logged when AAA accounting is enabled.

Software Version 5.1(4) Resolved Caveats

The following caveats were resolved in software version 5.1(4):

CSCsb29077—The WBM does not properly add IP addresses to a threshold list. Using the WBM to add IP addresses to the threshold list of a policy results in wrong IP addresses in the list. Workaround: Only use the CLI to add IP addresses to a threshold list.

CSCsb85900—You cannot add a static route to the Detector.

Software Version 5.1(4) Command Changes

Table 1 lists the new commands in software version 5.1(4), Table 2 describes the commands that were changed in software version 5.1(4), and Table 3 describes the commands that were removed from software version 5.1(4).

Table 1 New Commands in Software Version 5.1(4) 

Mode
Command and Syntax
Description

Configuration

aaa authorization commands zone-completion tacacs+

no aaa authorization commands zone-completion tacacs+

Disables tab completion of zone names, which limits access to zone configuration to authorized users. This setting applies to all commands in which you specify the zone name.

Use the no form of the command to enable tab completion of zone names.

For more information on this command, see the "Configuring the Detector" chapter in the Cisco Traffic Anomaly Detector Configuration Guide.

Configuration

clear counters

Clears the Detector counters.

For more information on this command, see the "Using the Detector Diagnostics Tools" chapter in the Cisco Traffic Anomaly Detector Configuration Guide.

Interface Configuration

clear counters

Clears the interface counters.

For more information on this command, see the "Initializing the Detector" chapter in the Cisco Traffic Anomaly Detector Configuration Guide.

Zone Configuration

clear counters

Clears the zone counters.

For more information on this command, see the "Using the Detector Diagnostics Tools" chapter in the Cisco Traffic Anomaly Detector Configuration Guide.

Global

copy [zone zone-name] running-config file-server-name dest-file-name

Exports a configuration file (running-config) to a network server. The keywords and arguments are:

zone zone-name—(Optional) The zone name. If you specify the zone name, the Detector exports the zone configuration file. The default is to export the Detector configuration file.

running-config—Exports the complete Detector configuration, or the configuration of the specified zone.

file-server-name—The name of a network server to which you export the configuration file. Configure the file-server name by using the file-server command.

dest-file-name—The name of the configuration file on the network server. The Detector saves the configuration file on the network server using the destination filename, in the directory that you defined for the network server by using the file-server command.

For more information on this command, see the "Performing Maintenance Tasks" chapter in the Cisco Traffic Anomaly Detector Configuration Guide.

Configuration

copy ftp login-banner server full-file-name [login [password]]

copy {sftp | scp} login-banner server full-file-name login

Imports the login banner from a network server and replaces the current login banner. The keywords and arguments are:

ftp—Imports the login banner file from an FTP network server.

sftp—Imports the login banner file from an SFTP network server.

scp—Imports the login banner file from an SCP network server.

server—The IP address of the network server. Enter the IP address in dotted-decimal notation (for example, enter 192.168.10.2).

full-file-name—The complete name of the file. If you do not specify a path, the server copies the file from your home directory.

login—The server login name. The login argument is optional when you define an FTP server. If you do not insert a login name, the FTP server assumes an anonymous login and does not prompt you for a password.

password—(Optional) The password for the remote FTP server. If you do not insert the password, the Detector prompts you for it.

For more information on this command, see the "Configuring the Detector" chapter in the Cisco Traffic Anomaly Detector Configuration Guide.

Configuration

copy ftp wbm-logo server full-file-name [login [password]]

copy {sftp | scp} wbm-logo server full-file-name login

Customizes your end-user interface by adding a company logo or a customized logo to the WBM web pages. The keywords and arguments are:

ftp—Imports the WBM logo file from an FTP network server.

sftp—Imports the WBM logo file from an SFTP network server.

scp—Imports the WBM logo file from an SCP network server.

server—The IP address of the network server. Enter the IP address in dotted-decimal notation (for example, enter 192.168.10.2).

full-file-name—The complete name of the file including the GIF file extension. If you do not specify a path, the server copies the file from your home directory.

login—The server login name. The login argument is optional when you define an FTP server. If you do not insert a login name, the FTP server assumes an anonymous login and does not prompt you for a password.

password—(Optional) The password for the remote FTP server. If you do not insert the password, the Detector prompts you for it.

For more information on this command, see the "Configuring the Detector" chapter in the Cisco Traffic Anomaly Detector Configuration Guide.

Global

copy file-server-name running-config source-file-name

Imports the Detector configuration file or a zone configuration file (running-config) from a network server. The keywords and arguments are:

file-server-name—The name of a network server from which to import the configuration file. Configure the file-server name by using the file-server command.

running-config—Imports the complete Detector configuration, or the configuration of the specified zone.

source-file-name—The name of the configuration file on the network server. The Detector copies the configuration file from the directory that you defined on the network server by using the file-server command.

For more information on this command, see the "Performing Maintenance Tasks" chapter in the Cisco Traffic Anomaly Detector Configuration Guide.

Global

copy file-server-name zone zone-name packet-dump captures capture-name

Imports the packet-dump capture files from a network server. The keywords and arguments are:

file-server-name—The name of a network server. Configure the file-server name by using the file-server command.

zone zone-name—The name of an existing zone for which the packet-dump capture files are imported.

packet-dump captures—Imports packet-dump capture files.

capture-name—The name of the file to import. The Detector appends the name of the file to the path that you defined on the network server by using the file-server command.

For more information on this command, see the "Using the Detector Diagnostics Tools" chapter in the Cisco Traffic Anomaly Detector Configuration Guide.

Global

copy reports [details] [xml] file-server-name dest-file-name

Exports attack reports of all zones. The keywords and arguments are:

details—(Optional) Export details of flow and attacking source IP addresses.

xml—(Optional) Export the report in XML format. See the .xsd file released with the version for a description of the XML schema. By default, the Detector exports reports in text format.

Reports in XML format include all details. If you include the xml option, it is not necessary to include the details option.

file-server-name—The name of a network server. Configure the file-server name by using the file-server command.

dest-file-name—The name of the file. The Detector appends the name of the file to the path that you defined for the network server by using the file-server command.

For more information on this command, see the "Understanding Attack Reports" chapter in the Cisco Traffic Anomaly Detector Configuration Guide.

Global

copy zone zone-name guard-running-config *

Exports the portion of the zone configuration that is required to configure the zone on a Cisco Guard to the network servers. Define the network server in the zone file-server list and the default file-server list by using the file-server command.

The keywords and arguments are:

zone zone-name—The name of an existing zone. The Detector exports the portion of the specified zone configuration that applies to the Guard.

guard-running-config—Exports the portion of the zone configuration that is required to configure the zone on a Cisco Guard.

*—Exports a zone configuration to all the network servers that are defined in the zone remote server list and the default remote server list. The Detector exports only the portion of a zone configuration that is required to configure a zone on the Guard.

For more information on this command, see the "Configuring Zones" chapter in the Cisco Traffic Anomaly Detector Configuration Guide.

Global

copy zone zone-name reports [current | report-id] [xml] [details] file-server-name dest-file-name

Exports the zone attack reports to a network server. The keywords and arguments are:

zone zone-name—The name of an existing zone.

current—(Optional) Export an ongoing attack report (if applicable). The default is to export all zone reports.

report-id—(Optional) The ID of an existing report. The Detector exports the report with the specified ID number. To view the details of the zone attack reports, use the show zone reports command. The default is to export all zone reports.

details—(Optional) Export details of flow and attacking source IP addresses.

xml—(Optional) Export the report in XML format. See the .xsd file released with the version for a description of the XML schema. By default, the Detector exports the reports in text format.

Reports in XML format include all details. If you include the xml option, you do not need to include the details option.

file-server-name—The name of a network server. Configure the file-server name by using the file-server command.

dest-file-name—The name of the file. The Detector appends the name of the file to the path that you defined on the network server by using the file-server command.

For more information on this command, see the "Understanding Attack Reports" chapter in the Cisco Traffic Anomaly Detector Configuration Guide.

Zone Configuration

dynamic-filter remote-activate {exp-time | forever} [dst-ip]

Adds a dynamic filter that activates the remote Guards to protect a zone. The keywords and arguments are:

remote-activate—Activates the remote Guards to protect a zone. If you do not enter the dst-ip argument, the activation method that the Detector uses to activate protection on the remote Guard is entire-zone.

exp-time—An integer from 1 to 3,000,000 that specifies the time (in seconds) for the filter to be active.

forever—The filter is active for an unlimited time. The Detector deletes the filter when zone protection ends.

dst-ip—Activates zone protection on the remote Guards based on the specified IP address. Enter the IP address in dotted-decimal notation (for example, enter an IP address of 192.168.100.1).

The Detector uses the activation method of dst-ip-by-name to activate protection on the remote Guard.

For more information on this command, see the "Configuring Zone Filters" chapter in the Cisco Traffic Anomaly Detector Configuration Guide.

Configuration

export sync-config file-server-name

Adds a network server to the Detector default remote-server list. The Detector exports the zone configuration file each time it accepts the results of the threshold-tuning phase of the learning process.

The file-server-name argument specifies the name of a network server that you configure by using the file-server command.

For more information on this command, see the "Configuring Zones" chapter in the Cisco Traffic Anomaly Detector Configuration Guide.

Zone Configuration

export sync-config file-server-name

Adds a network server to the zone remote server list. The Detector exports the zone configuration file each time that it accepts the results of the threshold-tuning phase of the learning process.

The file-server-name argument specifies the name of a network server that you configure by using the file-server command.

For more information on this command, see the "Configuring Zones" chapter in the Cisco Traffic Anomaly Detector Configuration Guide.

Configuration

file-server file-server-name description [ftp | sftp | scp] server remote-path login [password]

no file-server [file-server-name | *]

Configures a network server to enable you to import or export files. Configuring a network server allows you to configure server attributes, such as the IP address and the login details, and then use the name of the network server in subsequent operations without specifying the server attributes.

The keywords and arguments are:

file-server-name—A name for the network server on which to save files. Enter an alphanumeric string from 1 to 63 characters. The string can contain underscores but cannot contain spaces.

description—A string to describe the network server. The maximum string length is 80 characters. If you use spaces in the description, enclose the description in quotation marks (" ").

ftp—Defines an FTP server.

sftp—Defines an SFTP server.

scp—Defines an SCP server.

server—The IP address of the network server. Enter the IP address in dotted-decimal notation (for example, enter 192.168.10.2).

remote-path—The complete path of the directory where you save files or from which you import files.

login—The login name for the network server.

password—The password for the network server.

This option is valid only for an FTP server. The Detector authenticates to SFTP and SCP servers by using a public key.

Use the no form of the command to delete a network server.

For more information on this command, see the "Performing Maintenance Tasks" chapter in the Cisco Traffic Anomaly Detector Configuration Guide.

Configuration

login-banner banner-str

Configures a single-line or multiline login banner. The banner-str argument specifies the banner text. The maximum string length is 255 characters. If you use spaces in the expression, enclose the expression in quotation marks (" ").

To delete the login banner, use the no login-banner command.

To display the login banner, use the show login-banner command.

For more information on this command, see the "Configuring the Detector" chapter in the Cisco Traffic Anomaly Detector Configuration Guide.

Configuration

no login-banner

Removes the login banner.

For more information on this command, see the "Configuring the Detector" chapter in the Cisco Traffic Anomaly Detector Configuration Guide.

Configuration

no wbm-logo

Removes the WBM logo.

For more information on this command, see the "Configuring the Detector" chapter in the Cisco Traffic Anomaly Detector Configuration Guide.

Router Configuration

redistribute detector

Redistributes the routes that the Detector defined. For more information on this command, see the "Detecting Zone Traffic Anomalies" chapter in the Cisco Traffic Anomaly Detector Configuration Guide.

Configuration

router

Enters router configuration mode. For more information on this command, see the "Detecting Zone Traffic Anomalies" chapter in the Cisco Traffic Anomaly Detector Configuration Guide.

Configuration

service router

no service router

Enables the routing service.

To disable the routing service, use the no service router command.

For more information on this command, see the "Detecting Zone Traffic Anomalies" chapter in the Cisco Traffic Anomaly Detector Configuration Guide.

Configuration

session-timeout timeout-val

no session-timeout

Configures the amount of time that a session remains active when there is no activity.

The timeout-val argument specifies the number of minutes until the Detector disconnects an idle session. Valid values are 1 to 1440 minutes (one day).

To delete the session timeout, use the no session-timeout command.

For more information on this command, see the "Configuring the Detector" chapter in the Cisco Traffic Anomaly Detector Configuration Guide.

Global

Configuration

Zone Configuration

show [zone zone-name] sync-config file-servers

Displays the list of network servers to which the Detector exports zone configuration.

The zone-name argument specifies the name of the zone. For more information on this command, see the "Configuring Zones" chapter in the Cisco Traffic Anomaly Detector Configuration Guide.

Global

Configuration

show file-servers

Displays the list of network servers to which the Detector exports files or from which the Detector imports files.

For more information on this command, see the "Performing Maintenance Tasks" chapter in the Cisco Traffic Anomaly Detector Configuration Guide.

Global

Configuration

Zone Configuration

show remote-guards

Displays a list of remote Guards.

For more information on this command, see the "Configuring Zones" chapter in the Cisco Traffic Anomaly Detector Configuration Guide.


Table 2 describes the commands that were changed in software version 5.1(4).

Table 2 Changed Commands in Software Version 5.1(4) 

Mode
Command and Syntax
Description

Configuration

export packet-dump file-server-name

You now configure the file server to which you export packet-dump capture files by using a file-server name. Configure the file-server-name argument by using the file-server command.

This command replaces the export packet-dump ftp command and the export packet-dump sftp command.

For more information on this command, see the "Using the Detector Diagnostics Tools" chapter in the Cisco Traffic Anomaly Detector Configuration Guide.

Configuration

export reports file-server-name

You now configure the file server to which you export attack reports by using a file-server name. Configure the file-server-name argument by using the file-server command.

This command replaces the export reports ftp command and the export reports sftp command.

For more information on this command, see the "Understanding Attack Reports" chapter in the Cisco Traffic Anomaly Detector Configuration Guide.

Zone Configuration

ip address [exclude] ip-addr [ip-mask]

The exclude keyword was added. The exclude keyword specifies the IP address to exclude from the zone IP address range.

For more information on this command, see the "Configuring Zones" chapter in the Cisco Traffic Anomaly Detector Configuration Guide.

Configuration

key generate

The key generate command was changed and no longer generates and publishes the SSH keys and the SSL certificates. The key generate command now only generates the SSH keys and the SSL certificates. Use the key publish command to publish the SSH keys and the SSL certificates. See Table 1 for more information on the key publish command.

For more information on this command, see the "Configuring the Detector" chapter in the Cisco Traffic Anomaly Detector Configuration Guide.
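The following sequence is added here as an illustration and is not taken from the release note or the configuration guide; it ties together the file-server, export sync-config, copy zone and show entries in Table 1 with the key generate change above. The server names, addresses, paths, login names, password and zone name are constructed placeholders; the configure, zone and exit mode-change commands, the "!" annotation lines, and the bare key publish form (its argument list is not reproduced in this section) are assumptions about the Detector CLI.

```text
! Constructed example, not from the release note. Lines starting with "!"
! are annotations for the reader, not CLI input. All names are placeholders.
configure
! FTP is the only server type that takes the password argument; that
! password is stored in the configuration and sent in cleartext on the wire.
file-server ftp-archive "legacy FTP archive" ftp 192.0.2.10 /detector/exports detectorftp ftppass123
! SFTP and SCP targets take no password: the Detector authenticates to them
! with its public key, so nothing secret is stored or transmitted.
file-server sftp-archive "SFTP report archive" sftp 192.0.2.20 /srv/detector/exports detector
! Since 5.1(4), key generate only creates the SSH keys and SSL certificates;
! they reach the remote side only after a separate key publish.
key generate
key publish
! Default remote-server list: the zone configuration is exported here each
! time the Detector accepts a threshold-tuning result.
export sync-config sftp-archive
! Zone remote-server list for one zone (zone configuration mode).
zone web-servers
export sync-config sftp-archive
exit
exit
! Global mode: one-off exports. The * sends the Guard-relevant part of the
! zone configuration to every server in the zone and default lists; xml
! already includes the flow and source-IP details, so details is omitted.
copy zone web-servers guard-running-config *
copy zone web-servers reports xml sftp-archive web-servers-reports.xml
! Verify the defined servers and the per-zone export list.
show file-servers
show zone web-servers sync-config file-servers
! Once the SFTP path is confirmed, remove the cleartext FTP definition.
configure
no file-server ftp-archive
```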


Table 3 describes the commands that were removed from software version 5.1(4).

Table 3 Removed Commands in Software Version 5.1(4) 

Command and Syntax
Description

[no] export log

The export log command was removed. Use the logging host command to configure the IP address of the remote syslog server to which online events are exported.

ftp-server

The ftp-server command was removed and replaced by the file-server command and the export sync-config command. Use the file-server command to define the network server to use to import or export files. Use the export sync-config command to define the default server to which you export zone configuration. See Table 1 for more information on the file-server command and the export sync-config command.


Related Documentation

The following Detector documents are available:

Cisco Guard and Traffic Anomaly Detector Hardware Installation and Configuration Note

Cisco Traffic Anomaly Detector Configuration Guide

Cisco Traffic Anomaly Detector Web-Based Manager Configuration Guide

Obtaining Documentation, Obtaining Support, and Security Guidelines

For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

© 2007 Cisco Systems, Inc. All rights reserved.