Cisco IPS 4255 Sensor Release Notes
Release Notes for Cisco Intrusion Prevention System 6.0(1)E1
OL-8827-01
You can access Cisco Security Intelligence Operations at this URL:
Cisco Security Intelligence Operations is also a repository of information for individual signatures, including signature ID, type, structure, and description.
You can search for security alerts and signatures at this URL:
New and Changed Information
Cisco IPS 6.0(1)E1 contains the following new features:
• Java Start—IDM now uses Java Start to launch rather than the Java Plug-in. This applies only to IPS 6.0(2) and later. The base version of IPS 6.0(1)E1 still uses the Java Plug-in.
• Anomaly Detection—The sensor component that creates a baseline of normal network traffic and then uses this baseline to detect worm-infected hosts.
• Passive OS Fingerprinting—The sensor determines host operating systems by inspecting characteristics of the packets exchanged on the network.
• CSA Collaboration—The sensor collaborates with CSA MC to receive information about host postures. CSA MC receives host posture information from the CSA agents it manages. It also maintains a watch list of IP addresses that it has determined should be quarantined from the network.
• Signature Policy Virtualization—Multiple virtual sensors running on the same appliance, each configured with different signature behavior and traffic feeds.
• TCP session tracking modes—Used to help inline sensors correctly track TCP sessions in complex network configurations.
• AIP SSM virtualization—ASA 8.0 supports an API for AIP SSM virtualization. The AIP SSM reports the virtual sensor names and IDs to the adaptive security appliance. The adaptive security appliance lets you associate classes of traffic to virtual sensor names. You can then configure the sensing mode as inline or promiscuous.
• Smaller signature updates—Signature updates are now smaller and quicker to process.
• MARS attack signature categories—Each signature now contains a new parameter, MARS Category, which contains the list of the MARS attack categories associated with the signature. This category is included in the signature alerts. You can modify the MARS category for custom signatures but not for built-in signatures.
• New Engines (SMB Advanced, TNS)—Service SMB Advanced processes Microsoft SMB and Microsoft RPC over SMB packets, and Service TNS inspects TNS traffic.
• Enhanced Password Recovery—For most IPS platforms, you can now recover the password on the sensor rather than using the service account or reimaging the sensor.
• IDM Home Page—Displays the most important information about a sensor, such as device information, interface status (up or down), events information, and system resources usage.
• Threat Rating (Adjusted Risk Rating)—Threat rating is the risk rating lowered by the event actions that have been taken. Every event action has a threat rating adjustment. The largest adjustment among all of the event actions taken (not their sum) is subtracted from the risk rating.
• Deny packets for high risk events by default—Added to the deny packet parameter.
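The threat rating rule above is easy to get wrong when building alert triage on top of IPS events: only the single largest adjustment of the actions actually taken is subtracted, not the sum. The following is an added example, not code from the release notes or from Cisco; the per-action adjustment values are constructed placeholders, not the sensor's real values, and the floor at 0 is an assumption made here.

```python
# Added illustration of the threat-rating (adjusted risk rating) rule:
#   threat rating = risk rating - max(adjustment of each event action taken)
# The adjustment table is hypothetical, constructed for this example only.

from typing import Iterable, Mapping

# Constructed per-action adjustments (placeholder values, not Cisco's).
EXAMPLE_ADJUSTMENTS: Mapping[str, int] = {
    "produce-alert": 0,
    "log-attacker-packets": 5,
    "request-block-host": 20,
    "deny-packet-inline": 35,
    "deny-attacker-inline": 45,
}


def threat_rating(risk_rating: int, actions_taken: Iterable[str],
                  adjustments: Mapping[str, int] = EXAMPLE_ADJUSTMENTS) -> int:
    """Return the threat rating for one event.

    Only actions that were actually taken count, and only the largest
    adjustment is subtracted: actions with adjustments 20 and 35 lower the
    risk rating by 35, not 55. With no action taken the threat rating equals
    the risk rating. Flooring at 0 is an assumption of this example.
    """
    if not 0 <= risk_rating <= 100:
        raise ValueError("risk rating must be in the range 0-100")
    taken = list(actions_taken)
    unknown = [a for a in taken if a not in adjustments]
    if unknown:
        raise KeyError(f"no adjustment defined for action(s): {unknown}")
    largest = max((adjustments[a] for a in taken), default=0)
    return max(0, risk_rating - largest)


def triage_order(events):
    """Sort (event_id, risk_rating, actions_taken) tuples by threat rating,
    highest first. An event the sensor already denied inline carries less
    residual threat than one that only produced an alert, even when the two
    raw risk ratings are identical, so threat rating is the better triage key.
    """
    return sorted(events, key=lambda e: threat_rating(e[1], e[2]), reverse=True)


if __name__ == "__main__":
    # Constructed sample events: same risk rating, different actions taken.
    sample = [
        ("evt-1", 90, ["deny-attacker-inline", "produce-alert"]),
        ("evt-2", 90, ["produce-alert"]),
        ("evt-3", 60, []),
    ]
    for event_id, rr, actions in triage_order(sample):
        print(event_id, "risk", rr, "threat", threat_rating(rr, actions))
```

Feeding real sensor alerts into `triage_order` requires mapping each alert's recorded actions onto the adjustment table your deployment actually uses; the constructed table here only demonstrates the max-not-sum behaviour.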