You can trigger a safe shutdown and reboot of the Center.

Use Reboot to fix a minor bug, such as a system overload.

To access the Center shutdown/reboot page, choose Admin > System from the main menu.

Use the System interface to import and export the Cisco Cyber Vision database. To access the Import/Export page, choose Admin > System from the main menu.

Regularly export the database to back up the industrial network data on Cisco Cyber Vision or if you need to transfer the database to a different Center.

Exports database file limitation is up to 2 GB of data. This avoids side effects related to slow database exports. If the database is larger than 2 GB, you get an error message. In this case, connect to the Center using SSH and perform a data dump. Use the command: sbs-db dump.

Network data, events, and users are retained, as well as all customizations (e.g., groups, component names).

Only configurations created in Cisco Cyber Vision's GUI persist. If you change Center, perform a basic configuration of the Center and then configure Cisco Cyber Vision again. Refer to the corresponding Center Installation Guide.

Note	The Import process may take one hour for big databases. Refresh the page to check that the import remains active (i.e., no error message).

Use the certificate fingerprint to register a Global Center with its synchronized centers and vice versa. To access the Center Fingerprint, choose Admin > System from the main menu. Click the copy icon to copy the Fingerprint and enroll your center with a global center.

For more information, refer the Centers Installation Guides.

Only use Reset to Factory Defaults as a last resort, after all other troubleshooting attempts fail. Get help from product support.

To access the Reset, choose Admin > System from the main menu.

A Reset to Factory Defaults deletes the following:

• Some Center configuration data elements.

• The GUI configuration (such as user accounts, the setup of event severities, etc.).

• Data collected by the sensors.

• The configuration of all known sensors (such as IP addresses, capture modes, etc.).

Root password, certificates and configurations from the Basic Center configuration persist.

After a Reset to Factory Defaults occurs, the GUI refreshes with the installation wizard. See the corresponding Center Installation Guide.

Snort is a Network Intrusion Detection System (NIDS) software which detects malicious network behavior based on a rule matching engine and a set of rules characterizing malicious network activity. Cisco Cyber Vision can run the Snort engine on both the Center and some sensors. The Center stores the configuration rule files, pushes rules on compatible sensors, and intercepts Snort alerts to display them as events in the Cisco Cyber Vision Center's GUI.

To access the SNORT page, choose Admin > Snort from the main menu.

Snort is not activated by default on sensors, so you must first enable IDS in the Sensor Explorer page.

It is available on the following sensor devices:

• The Cisco IC3000 Industrial Compute Gateway

• The Cisco Catalyst 9300 Series Switches

• The Cisco IR8340 Integrated Services Router Rugged

It is also avaible on the Center DPI, and is enabled by default.

Snort Community Rules are set by default in the Cisco Cyber Vision Center. You can use the Use Subscriber Rules toggle button to enable snort subscriber rules. This option requires Advantage licensing and a specific IDS sensor license for each enabled sensor.

Community ruleset

• The community ruleset is a Talos certified ruleset that is distributed freely. It includes rules that have been submitted by the open-source community or by Snort integrators. This ruleset is a subset of the full ruleset available to the subscriber users. It does not contain the latest Snort rules and does not ensure coverage of the latest threats.

Subscriber ruleset

• The subscriber ruleset includes all the rules released by the Talos Security Intelligence and Research Team. The ruleset ensures fast access to the latest rules and early coverage of exploits. Compared to the Community ruleset, it contains more rules and remains in sync with the latest Talos research work on vulnerability detection.

On the SNORT Administration page, you can find Snort rules grouped into categories. Use the toggle buttons under the Status columns to enable or disable sets of rules.

Click the download buttons under the Download Rules column to download each category rule file.

Note that some rules are not enabled inside these categories. So, using the toggle button on a category won't necessarily have an effect on their rules. The ones that are considered the most useful are enabled by default, others have been disabled to avoid performance issues. Consequently, if you want to enable these rules you need to use the specific rule field.

It is also possible to enable/disable a specific rule from a custom rule file.

Snort rules categories:

• Browser:

  Rules for vulnerabilities present in several browsers including, but not restricted to, Chrome, Firefox, Internet Explorer and Webkit. This category also covers vulnerabilities related to browser plugins such as Active-x.

• Deleted:

  When a rule has been deprecated or replaced it is moved to this category.

• Experimental-DoS:

  Rules developed by the Cisco CyberVision team for various kinds of DoS activities (TCP SYN flooding, DNS/HTTP flooding, LOIC, etc.).

• Experimental-Scada:

  Rules developed by the Cisco CyberVision team for attacks against industrial control system assets.

• Exploit-Kit:

  Rules that are specifically tailored to detect exploit kit activity.

• File:

  Rules for vulnerabilities found in numerous types of files including, but not restricted to, executable files, Microsoft Office files, flash files, image files, Java files, multimedia files and pdf files.

• Malware-Backdoor:

  Rules for the detection of traffic destined to known listening backdoor command channels.

• Malware-CNC:

  Known malicious command and control activity for identified botnet traffic. This includes call home, downloading of dropped files, and ex-filtration of data.

• Malware-Other:

  Rules that deal with tools that can be considered malicious in nature as well as other malware-related rules.

• Misc:

  Rules that do not fit in any other categories such as indicator rules (compromise, scan, obfuscation, etc.), protocol-related rules, policy violation rules (spam, social media, etc.), and rules for the detection of potentially unwanted applications (p2p, toolbars, etc.).

• OS-Other:

  Rules that are looking for vulnerabilites in various operating systems such as Linux based OSes, Mobile based OSes, Solaris based OSes and others.

• OS-Windows

  Rules that are looking for vulnerabilities in Windows based OSes.

• Server-Other:

  Rules dealing with vulnerabilities found in numerous types of servers including, but not restricted to, web servers (Apache, IIS), SQL servers (Microsoft SQL server, MySQL server, Oracle DB server), mail servers (Exchange, Courier) and Samba servers.

• Server-Webapp:

  Rules pertaining to vulnerabilities in or attacks against web based applications on servers.

In case of mistake, or to revert to the default configuration, you can use the RESET TO DEFAULT button. Note that all categories status and specific rules status will be reset and any added custom rules file will be deleted.

In addition, this page allows you to import custom rules, to enable or disable rules, and reset Snort's parameters to default.