CIDS Commands

Feb 25,2010 by alperen


Two different types of commands are available with CIDS: system commands and configuration commands. System commands allow the administrators to view and manage the IDS environment, while configuration commands are used to view and configure the CIDS sensor and director platforms.

System Commands

Several system commands can be used to view system information and to start and stop the services running on the director or sensor platforms. Some of the more common commands are:

  • idsstart

  • idsstop

  • idsconns

  • idsstatus

  • idsvers


    STUDY TIP 

    Be aware of the common system commands and the functions they perform.

idsstart

You can use the idsstart command to start the CIDS services on your sensor. This command starts every service listed in the /usr/nr/etc/daemons configuration file.

idsstop

The idsstop script can be used to stop the CIDS services running on your sensor.

idsconn

The idsconn script is provided to assist with troubleshooting communication issues between the sensors and other IDS hosts. The idsconn script can be used to display the status of all connections between the local sensor and other IDS devices, such as a sensor or a director. When this command is issued on the sensor, the script returns a list of open Cisco Secure IDS communication routes.

The script returns the following information for each open connection:

. Connection 1:  45000 1 [Established] sto:5000

If a connection is down, the following is returned:

. Connection 1:  45000 1 [SynSent] sto:5000 syn NOT rcvd!

idsvers

The idsvers script can be used to verify the version of services the sensor is currently running. The idsvers script returns a list of currently running daemons and their version numbers.
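A small monitor for the idsconn output shown above, added here as an example and not part of the original article or of Cisco's tooling: it parses the two line forms the page shows, rejoins a line that was wrapped onto a second row, and lists every PostOffice route whose state is not Established. Reading the two numbers before the bracketed state as a port and a flag is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One idsconns line as shown on the page: ". Connection 1:  45000 1 [Established] sto:5000";
# reading the two numbers before the state as a port and a flag is an assumption.
_LINE_RE = re.compile(
    r"^\.\s*Connection\s+(?P<num>\d+):\s+(?P<port>\d+)\s+\d+\s+"
    r"\[(?P<state>[^\]]+)\]\s*(?P<rest>.*)$"
)
_STO_RE = re.compile(r"sto:(?P<sto>\d+)")

@dataclass
class Conn:
    number: int
    port: int
    state: str
    sto: Optional[int]
    note: str  # trailing text such as "syn NOT rcvd!"

def parse_idsconns(text: str) -> List[Conn]:
    """Parse idsconns output into Conn records."""
    records: List[str] = []  # logical lines; wrapped continuations are rejoined
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(".") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    conns = []
    for rec in records:
        m = _LINE_RE.match(rec)
        if not m:
            continue  # not a connection line; skip rather than guess
        sto = _STO_RE.search(m.group("rest"))
        conns.append(Conn(int(m.group("num")), int(m.group("port")), m.group("state"),
                          int(sto.group("sto")) if sto else None,
                          _STO_RE.sub("", m.group("rest")).strip()))
    return conns

def down_connections(conns: List[Conn]) -> List[Conn]:
    """Every PostOffice route that is not in the Established state."""
    return [c for c in conns if c.state != "Established"]

# Constructed sample built from the two output forms shown on the page.
SAMPLE = (". Connection 1:  45000 1 [Established]\nsto:5000\n"
          ". Connection 2:  45000 1 [SynSent] sto:5000 syn NOT rcvd!\n")
```

Running `down_connections(parse_idsconns(SAMPLE))` returns only connection 2, with its note "syn NOT rcvd!", which is the condition an operator would alert on.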

Configuration Commands

The sensors can be remotely configured and viewed via the director platforms. The following commands form the basis for remote configuration by the director platforms. Table 24-3 lists the sensor commands that allow for remote configuration from the director platform, and Table 24-4 lists the syntax parameters used in these commands.

Table 24-3: Configuration Commands with Syntax

| Command   | Description | Syntax |
|-----------|-------------|--------|
| nrget     | Used to retrieve a single piece of information from a token in a configuration file, such as the IP address of a managed router. | nrget <appid> <hostid> <orgid> <priority> <token> [<identifier>] |
| nrgetbulk | Used to retrieve multiple pieces of information from a token in a configuration file, such as a list of IP addresses currently being shunned. | nrgetbulk <appid> <hostid> <orgid> <priority> <token> [<identifier>] |
| nrset     | Used to set attributes within a configuration file. | nrset <appid> <hostid> <orgid> <priority> <token> [<identifier>] <value1> [<value2> ...] |
| nrunset   | Used to remove or unset an attribute within a configuration file. | nrunset <appid> <hostid> <orgid> <priority> <token> [<identifier>] |
| nrexec    | Used to execute commands. | nrexec <appid> <hostid> <orgid> <priority> <timeout> <token> [<identifier>] |

Table 24-4: Syntax Parameter Description

| Syntax Parameter | Description |
|------------------|-------------|
| <appid>       | The application ID, that is, the ID of the service or daemon. A complete list of application IDs can be found in /usr/nr/etc/services. |
| <hostid>      | The PostOffice protocol host identification number, as previously defined. |
| <identifier> (Optional) | An additional piece of information that can be used to identify a token. This piece of information is optional. |
| <orgid>       | The PostOffice protocol organizational identification number, as previously defined. |
| <priority>    | An integer representing the priority of the command. |
| <timeout>     | Used only for nrexec, this parameter specifies the amount of time (in seconds) to wait until the process is considered unreachable. |
| <token>       | The name of the token to set or from which to get information. |
| <value>       | The value to which the specified token should be set. |
