Using the Sensor Command-Line Interface
When using the command-line interface you need to be aware of all the pertinent commands that are used to initialize the sensor and which ultimately can be used to administer the IDS Sensor. Many of these commands will be used for troubleshooting purposes only. The daemons start automatically when the sensor is started. Many of the commands are used to verify the status of those daemons and/or services.
To execute commands specific to the administration of the sensor, make sure you are logged in as netrangr. For all commands, with the exception of cidServer, the /usr/nr/bin directory has an nr command that does the same as the ids commands.
cidServer
cidServer is the IDS Web server itself and enables the administrator to connect via IDM. The server automatically begins during system startup. You must be logged in as root to execute this command. cidServer has three parameters that can accompany the command:
-
version
-
stop
-
start
Figure 3.18 demonstrates the output.
| Note | If you are having trouble communicating with the sensor via Telnet, SSH, or IDM, use the command cidServer version to check the status of the sensor. |
idsstatus
idsstatus is used to check the status of the IDS sensor daemons and services. This can be accomplished with the unix ps command, but the idsstatus only shows IDS services. Figure 3.19 shows the expected output.
idsconns
The idsconns command assists in troubleshooting connections between the sensor and the management device. If the connection is up, you will see [established], as shown in Figure 3.20. The output shown in Figure 3.21 shows that a SYN packet has been sent [SynSent] but also says syn NOT rcvd! This means that communication between the management device and the sensor has not been established.
idsvers
idsvers is used to verify the version of Cisco IDS software that is currently running on the sensor. Figure 3.22 shows the expected output.
idsstop
Another command that you may encounter is idsstop. It is pretty self-explanatory. No switches or additional parameters are needed for this command. In most cases, you don't need to use this command because the IDS services are started when the sensor is booted. If you are troubleshooting a problem, however, you may need to use this command. The output on the screen is limited, as shown in Figure 3.23.
idsstart
Of course, if the services are stopped, you need a method to restart them. Use the command idsstart to do so. This command only starts the services listed in /usr/nr/etc/daemons. See Figure 3.24.
