Sunday, July 3, 2011

Cisco IOS IPS (Intrusion Prevention System) - 2801 ISR

Below is the basic configuration needed to get the IPS feature up and running on an IOS router.

The first thing we need to do is create a directory on flash to store all of the IPS files. You can name it whatever you like, but a name that describes what's in there is usually best practice.

r1#mkdir flash:/oscar_ips
Create directory filename [oscar_ips]?
Created dir flash:/oscar_ips

We need to name the IPS:

r1(config)#ip ips name oscar

We need to tell the IPS where to store its signature files:

r1(config)#ip ips config location flash:/oscar_ips

Let's retire all of the signatures before we decide which ones we want to turn on; unless you have a lot of memory in your router, you won't be able to turn them all on.

r1(config-ips-category)#category ?
  adware/spyware         Adware/Spyware (more sub-categories)
  all                    All Categories
  attack                 Attack (more sub-categories)
  ddos                   DDoS (more sub-categories)
  dos                    DoS (more sub-categories)
  email                  Email (more sub-categories)
  instant_messaging      Instant Messaging (more sub-categories)
  ios_ips                IOS IPS (more sub-categories)
  l2/l3/l4_protocol      L2/L3/L4 Protocol (more sub-categories)
  network_services       Network Services (more sub-categories)
  os                     OS (more sub-categories)
  other_services         Other Services (more sub-categories)
  p2p                    P2P (more sub-categories)
  reconnaissance         Reconnaissance (more sub-categories)
  releases               Releases (more sub-categories)
  viruses/worms/trojans  Viruses/Worms/Trojans (more sub-categories)
  web_server             Web Server (more sub-categories)
r1(config)#ip ips signature-category
r1(config-ips-category)#category all
r1(config-ips-category-action)#retired true
r1(config-ips-category-action)#exit

Since I am using a 2801 with 256MB of RAM, let's just turn on the basics. (Note: I have tried turning them all on and this is what happens:

--------------------------------------------------------------------
   Possible software fault. Upon reccurence,  please collect
   crashinfo, "show tech" and contact Cisco Technical Support.
--------------------------------------------------------------------
Cause 00000014 (Code 0x5): Address Error (store) exception

*Jul  3 18:31:04.635: %REGISTRY-3-STUB_CHK_OVERWRITE: Attempt made to overwrite a set stub function in . -Process= "Init", ipl= 3, pid= 3,  -Traceback= 0x61667464 0x603774C4 0x630ECB68 0x6165BCE0 0x6165BFC0 0x630AF450 0x630AF434)
OK, that was fun!

r1(config-ips-category)#category ios_ips basic
r1(config-ips-category-action)#retired false 
r1(config-ips-category-action)#exit
r1(config-ips-category)#exit
Do you want to accept these changes? [confirm]

We need to apply the IPS rule we just created to an interface; I have chosen to apply it in and out on the same interface.

r1(config)#inter fa 0/1

r1(config-if)#ip ips oscar in

r1(config-if)#ip ips oscar out

Jul  3 18:55:57.107: %IPS-6-ENGINE_BUILDS_STARTED:  18:55:57 UTC Jul 3 2011
Jul  3 18:55:57.107: %IPS-6-ENGINE_BUILDING: atomic-ip - 3 signatures - 1 of 13 engines
Jul  3 18:55:57.119: %IPS-6-ENGINE_READY: atomic-ip - build time 12 ms - packets for this engine will be scanned
Jul  3 18:55:57.119: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 12 msut

Now we have to add Cisco's public key so the router can verify that the signature package is authentic. You can get the key shown below from Cisco.com, together with the file "IOS-S359-CLI.pkg", which contains the actual signatures.

r1(config)#crypto key pubkey-chain rsa 

r1(config-pubkey-chain)#named-key realm-cisco.pub
Translating "realm-cisco.pub"

r1(config-pubkey-key)#key-string
Enter a public key as a hexidecimal number ....
   30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
   00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
   17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
   B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
   5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
   FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
   50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
   006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
   2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
   F3020301 0001

r1(config-pubkey)#quit

Now that everything is in place, we just need to copy the signature package to "idconf".

r1#copy flash:IOS-S359-CLI.pkg idconf 
r1#
Jul  4 13:00:42.547: %IPS-6-ENGINE_BUILDS_STARTED:  13:00:42 UTC Jul 4 2011
Jul  4 13:00:42.547: %IPS-6-ENGINE_BUILDING: atomic-ip - 3 signatures - 1 of 13 engines
Jul  4 13:00:42.559: %IPS-6-ENGINE_READY: atomic-ip - build time 12 ms - packets for this engine will be scanned
Jul  4 13:00:42.559: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 12 ms
Jul  4 13:00:45.491: Applying Category configuration to signatures ...
Jul  4 13:01:25.047: %IPS-6-ENGINE_BUILDS_STARTED:  13:01:25 UTC Jul 4 2011
Jul  4 13:01:25.047: %IPS-6-ENGINE_BUILDING: multi-string - 11 signatures - 1 of 13 engines
Jul  4 13:01:25.067: %IPS-6-ENGINE_READY: multi-string - build time 20 ms - packets for this engine will be scanned
Jul  4 13:01:25.091: %IPS-6-ENGINE_BUILDING: service-http - 649 signatures - 2 of 13 engines
Jul  4 13:01:34.911: %IPS-6-ENGINE_READY: service-http - build time 9820 ms - packets for this engine will be scanned
Jul  4 13:01:34.947: %IPS-6-ENGINE_BUILDING: string-tcp - 1127 signatures - 3 of 13 engines
Jul  4 13:02:15.767: %IPS-6-ENGINE_READY: string-tcp - build time 40820 ms - packets for this engine will be scanned
Jul  4 13:02:15.771: %IPS-6-ENGINE_BUILDING: string-udp - 75 signatures - 4 of 13 engines
Jul  4 13:02:16.623: %IPS-6-ENGINE_READY: string-udp - build time 852 ms - packets for this engine will be scanned
Jul  4 13:02:16.627: %IPS-6-ENGINE_BUILDING: state - 31 signatures - 5 of 13 engines
Jul  4 13:02:16.711: %IPS-6-ENGINE_READY: state - build time 84 ms - packets for this engine will be scanned
Jul  4 13:02:16.775: %IPS-6-ENGINE_BUILDING: atomic-ip - 304 signatures - 6 of 13 engines
Jul  4 13:02:17.979: %IPS-6-ENGINE_READY: atomic-ip - build time 1204 ms - packets for this engine will be scanned
Jul  4 13:02:18.031: %IPS-6-ENGINE_BUILDING: string-icmp - 3 signatures - 7 of 13 engines
Jul  4 13:02:18.087: %IPS-6-ENGINE_READY: string-icmp - build time 56 ms - packets for this engine will be scanned
Jul  4 13:02:18.087: %IPS-6-ENGINE_BUILDING: service-ftp - 3 signatures - 8 of 13 engines
Jul  4 13:02:18.111: %IPS-6-ENGINE_READY: service-ftp - build time 24 ms - packets for this engine will be scanned
Jul  4 13:02:18.115: %IPS-6-ENGINE_BUILDING: service-rpc - 75 signatures - 9 of 13 engines
Jul  4 13:02:18.495: %IPS-6-ENGINE_READY: service-rpc - build time 376 ms - packets for this engine will be scanned
Jul  4 13:02:18.495: %IPS-6-ENGINE_BUILDING: service-dns - 38 signatures - 10 of 13 engines
Jul  4 13:02:18.563: %IPS-6-ENGINE_READY: service-dns - build time 68 ms - packets for this engine will be scanned
Jul  4 13:02:18.563: %IPS-6-ENGINE_BUILDING: normalizer - 9 signatures - 11 of 13 engines
Jul  4 13:02:56.947: %IPS-6-ENGINE_BUILDS_STARTED:  13:02:56 UTC Jul 4 2011
Jul  4 13:02:56.963: %IPS-6-ENGINE_BUILDING: multi-string - 11 signatures - 1 of 13 engines
Jul  4 13:02:56.975: %IPS-6-ENGINE_READY: multi-string - build time 12 ms - packets for this engine will be scanned
Jul  4 13:02:57.407: %IPS-6-ENGINE_BUILDING: service-http - 649 signatures - 2 of 13 engines
Jul  4 13:02:57.799: %IPS-6-ENGINE_READY: service-http - build time 392 ms - packets for this engine will be scanned
Jul  4 13:02:58.747: %IPS-6-ENGINE_BUILDING: string-tcp - 1127 signatures - 3 of 13 engines
Jul  4 13:02:59.359: %IPS-6-ENGINE_READY: string-tcp - build time 612 ms - packets for this engine will be scanned
Jul  4 13:02:59.911: %IPS-6-ENGINE_BUILDING: string-udp - 75 signatures - 4 of 13 engines
Jul  4 13:02:59.939: %IPS-6-ENGINE_READY: string-udp - build time 28 ms - packets for this engine will be scanned
Jul  4 13:02:59.991: %IPS-6-ENGINE_BUILDING: state - 31 signatures - 5 of 13 engines
Jul  4 13:03:00.003: %IPS-6-ENGINE_READY: state - build time 12 ms - packets for this engine will be scanned
Jul  4 13:03:00.367: %IPS-6-ENGINE_BUILDING: atomic-ip - 304 signatures - 6 of 13 engines
Jul  4 13:03:01.059: %IPS-6-ENGINE_READY: atomic-ip - build time 692 ms - packets for this engine will be scanned
Jul  4 13:03:01.319: %IPS-6-ENGINE_BUILDING: string-icmp - 3 signatures - 7 of 13 engines
Jul  4 13:03:01.375: %IPS-6-ENGINE_READY: string-icmp - build time 52 ms - packets for this engine will be scanned
Jul  4 13:03:01.379: %IPS-6-ENGINE_BUILDING: service-ftp - 3 signatures - 8 of 13 engines
Jul  4 13:03:01.383: %IPS-6-ENGINE_READY: service-ftp - build time 0 ms - packets for this engine will be scanned
Jul  4 13:03:01.435: %IPS-6-ENGINE_BUILDING: service-rpc - 75 signatures - 9 of 13 engines
Jul  4 13:03:01.467: %IPS-6-ENGINE_READY: service-rpc - build time 32 ms - packets for this engine will be scanned
Jul  4 13:03:01.535: %IPS-6-ENGINE_BUILDING: service-dns - 38 signatures - 10 of 13 engines
Jul  4 13:03:01.555: %IPS-6-ENGINE_READY: service-dns - build time 16 ms - packets for this engine will be scanned
Jul  4 13:03:01.583: %IPS-6-ENGINE_BUILDING: normalizer - 9 signatures - 11 of 13 engines
Jul  4 13:03:01.739: %IPS-6-ENGINE_READY: service-msrpc - build time 44 ms - packets for this engine will be scanned
Jul  4 13:03:01.755: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 4812 ms

Now you have an IPS running on your router!
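As an added example (not part of the original post), here is a small Python script that parses the %IPS engine-build syslog lines of the kind shown above and reports total compiled signatures, the slowest engine, and any engine that started building but never reported READY (as the normalizer engine does in the second build above); SAMPLE_LOG is a constructed excerpt in that same format.

```python
import re

# Constructed excerpt of %IPS syslog lines in the format the router printed above; it keeps
# an engine that starts building but never reports READY, and a READY with no BUILDING line.
SAMPLE_LOG = """\
Jul  4 13:02:56.947: %IPS-6-ENGINE_BUILDS_STARTED:  13:02:56 UTC Jul 4 2011
Jul  4 13:02:56.963: %IPS-6-ENGINE_BUILDING: multi-string - 11 signatures - 1 of 13 engines
Jul  4 13:02:56.975: %IPS-6-ENGINE_READY: multi-string - build time 12 ms - packets for this engine will be scanned
Jul  4 13:02:57.407: %IPS-6-ENGINE_BUILDING: service-http - 649 signatures - 2 of 13 engines
Jul  4 13:02:57.799: %IPS-6-ENGINE_READY: service-http - build time 392 ms - packets for this engine will be scanned
Jul  4 13:02:58.747: %IPS-6-ENGINE_BUILDING: string-tcp - 1127 signatures - 3 of 13 engines
Jul  4 13:02:59.359: %IPS-6-ENGINE_READY: string-tcp - build time 612 ms - packets for this engine will be scanned
Jul  4 13:03:01.583: %IPS-6-ENGINE_BUILDING: normalizer - 9 signatures - 11 of 13 engines
Jul  4 13:03:01.739: %IPS-6-ENGINE_READY: service-msrpc - build time 44 ms - packets for this engine will be scanned
Jul  4 13:03:01.755: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 4812 ms
"""

BUILDING = re.compile(r"%IPS-6-ENGINE_BUILDING: (\S+) - (\d+) signatures - \d+ of (\d+) engines")
READY = re.compile(r"%IPS-6-ENGINE_READY: (\S+) - build time (\d+) ms")
COMPLETE = re.compile(r"%IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time (\d+) ms")


def summarize_ips_build(log_text):
    """Parse the engine-build syslog lines and return a summary dict."""
    engines = {}  # name -> {"signatures": int or None, "build_ms": int or None}
    engines_expected = None
    elapsed_ms = None
    for line in log_text.splitlines():
        if m := BUILDING.search(line):
            name, sigs, expected = m.groups()
            engines[name] = {"signatures": int(sigs), "build_ms": None}
            engines_expected = int(expected)
        elif m := READY.search(line):
            name, ms = m.groups()
            # A READY with no preceding BUILDING is recorded so it can be flagged below.
            engines.setdefault(name, {"signatures": None, "build_ms": None})["build_ms"] = int(ms)
        elif m := COMPLETE.search(line):
            elapsed_ms = int(m.group(1))
    built = [n for n, e in engines.items() if e["build_ms"] is not None]
    return {
        "total_signatures": sum(e["signatures"] or 0 for e in engines.values()),
        "engines_expected": engines_expected,  # the "of 13 engines" figure
        "engines_built": len(built),
        "slowest_engine": max(built, key=lambda n: engines[n]["build_ms"]) if built else None,
        "build_complete": elapsed_ms is not None,
        "elapsed_ms": elapsed_ms,
        "started_but_not_ready": [n for n, e in engines.items() if e["build_ms"] is None],
        "ready_without_building": [n for n, e in engines.items() if e["signatures"] is None],
    }
```

Run it against the output of `show logging` after a `copy ... idconf` to confirm the compile finished and every engine you expect is actually scanning packets.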

More to come...

4 comments:

  1. What are the memory requirements? I have a Cisco 887 with 256MB of memory, I believe, and want to load a few categories. Is there any documentation on what the categories actually do and the suggested memory size?

  2. Hey Andrew,

    I did a little searching on cisco.com and couldn't find anything definitive, but from experience I would say that 256 RAM is the minimum needed. You won't be able to enable all the signatures at once; as you can see, I tried and crashed my router. On to which categories to "unretire": you will have to decide what you are looking to identify. I wish that I could be more specific, but if you take a second to look at the link below you will see what I mean. I wish I had a simple answer for you, but until you understand what the signatures are looking for and what works best for you in your environment, then and only then will the answer become clear.

    -Adrian
    http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_cfg_ips_ps6350_TSD_Products_Configuration_Guide_Chapter.html

  3. Good Post! Very informative, glad that you are going to continue writing things like this!

  4. Thanks and I am glad it helped you out a little!
