I posted yesterday about the IPS, in that it had a tendency to go to sleep on me, and not wake up. However, the IPS is a pretty big part of the CCIE Security lab, so it needs to be working! Through the power of the internet, it turns out that this is not an uncommon issue.
@802101stu Well i faced same issue, and some other minor things, but finally found that bug was with the image which i was using
— mzStanikzai (@mzStanikzai) 3 May 2016
This guy is also working towards his CCIE Security, so follow him on Twitter.
So I started again from scratch, new source, followed the IPS creation docs (see the cznetlab link from yesterday), and everything booted up.
So I ran the setup:
sensor# setup
--- Basic Setup ---
--- System Configuration Dialog ---
At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets ''.
Current time: Wed May 4 09:45:54 2016
Setup Configuration last modified: Wed May 04 09:45:35 2016
Enter host name[sensor]: IPS-4240
Enter IP interface[192.168.1.2/24,192.168.1.1]: 10.1.4.155/24,10.1.4.254
Modify current access list?[no]: yes
Current access list entries:
No entries
Permit: 10.1.4.0/24
Permit: 10.1.20.0/24
Permit:
Use DNS server for Global Correlation?[no]:
Use HTTP proxy server for Global Correlation?[no]:
Modify system clock settings?[no]:
Participation in the SensorBase Network allows Cisco to collect aggregated statistics about traffic sent to your IPS.
SensorBase Network Participation level?[off]:
The following configuration was entered.
service host
network-settings
host-ip 10.1.4.155/24,10.1.4.254
host-name IPS-4240
telnet-option disabled
access-list 10.1.4.0/24
access-list 10.1.20.0/24
ftp-timeout 300
no login-banner-text
dns-primary-server disabled
dns-secondary-server disabled
dns-tertiary-server disabled
http-proxy no-proxy
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
service global-correlation
network-participation off
exit
Go to the command prompt without saving this config.
Return to setup without saving this config.
Save this configuration and exit setup.
Continue to Advanced setup.
Enter your selection: 2
Warning: DNS or HTTP proxy is required for global correlation inspection and reputation filtering, but no DNS or proxy servers are defined.
--- Configuration Saved ---
Complete the advanced setup using CLI or IDM. To use IDM,point your web browser at https://.
sensor#
All looked good. I switched to non-TLS, and IDM started to load… then hung. Again the IPS won’t communicate with anything else.
So I get another IPS-4240 source, and the same thing happens again. This is really starting to piss me off now.
Oddly, it only seems to crap out once I start to use the GUI, so could this be the issue? Am I destined to know IPS purely via the CLI? That’s no bad thing. So let’s see how far I can go in the CLI, starting by creating some users. Thankfully the IPS supports context-sensitive help, and there is a username command:
IPS-4240(config)# username ipsadmin privilege administrator password Admin1234
IPS-4240(config)# username ipsoper privilege operator password Oper1234
IPS-4240(config)# username ipsview privilege viewer password View1234
IPS-4240(config)#
That was a nice, easy start. The rest of the cool stuff lives under the “service” command:
IPS-4240(config)# service ?
aaa                         Enter configuration mode for AAA options.
analysis-engine             Enter configuration mode for global analysis engine options.
anomaly-detection           Enter configuration mode for anomaly-detection.
authentication              Enter configuration mode for user authentication options.
event-action-rules          Enter configuration mode for the event action rules.
external-product-interface  Enter configuration mode for the interfaces to external products.
global-correlation          Enter configuration mode for global correlation configuration.
health-monitor              Enter configuration mode for health and security monitoring.
host                        Enter configuration mode for host configuration.
interface                   Enter configuration mode for interface configuration.
logger                      Enter configuration mode for debug logger.
network-access              Enter configuration mode for the network access controller.
notification                Enter configuration mode for the notification application.
signature-definition        Enter configuration mode for the signature definition.
ssh-known-hosts             Enter configuration mode for configuring SSH known hosts.
trusted-certificates        Enter configuration mode for configuring trusted certificates.
web-server                  Enter configuration mode for the web server application.
IPS-4240(config)# service
Let’s try and create a new signature. This will have some basic goals. It’ll produce a high-severity alert on matches to tcp port 93. I kind of stumbled my way through, so have cleaned it up a bit:
IPS-4240(config)# service signature-definition sig2
Editing new instance sig2.
IPS-4240(config-sig)#
IPS-4240(config-sig)# signatures ?
IPS-4240(config-sig)# signatures 65000 ?
IPS-4240(config-sig)# signatures 65000 0
IPS-4240(config-sig-sig)# alert-severity ?
high           Dangerous Alert.
medium         Medium level alert
low            Low level alert
informational  Informational alert.
IPS-4240(config-sig-sig)# alert-severity high
IPS-4240(config-sig-sig)# engine atomic-ip
IPS-4240(config-sig-sig-ato)# ?
default
event-action
exit
fragment-status
no
show
specify-ip-addr-options
specify-ip-header-length
specify-ip-id
specify-ip-option-inspection
specify-ip-payload-length
specify-ip-tos
specify-ip-total-length
specify-ip-ttl
specify-ip-version
specify-l4-protocol
swap-attacker-victim
IPS-4240(config-sig-sig-ato)# event-action produce-alert
IPS-4240(config-sig-sig-ato)# specify-l4-protocol yes
IPS-4240(config-sig-sig-ato-yes)# l4-protocol tcp
IPS-4240(config-sig-sig-ato-yes-tcp)# exit
Error: /tcp/tcp-flags/ -- the value is empty and has no default
/tcp/tcp-mask/ -- the value is empty and has no default
% Please answer 'yes' or 'no'. no]: no tcp-flags
Would you like to exit anyway?[no]: no
IPS-4240(config-sig-sig-ato-yes-tcp)# no tcp-flags
IPS-4240(config-sig-sig-ato-yes-tcp)# no tcp-mask
IPS-4240(config-sig-sig-ato-yes-tcp)# specify-dst-port yes
IPS-4240(config-sig-sig-ato-yes-tcp-yes)# dst-port 93
IPS-4240(config-sig-sig-ato-yes-tcp-yes)# exit
IPS-4240(config-sig-sig-ato-yes-tcp)# exit
IPS-4240(config-sig-sig-ato-yes)# exit
IPS-4240(config-sig-sig-ato)# exit
IPS-4240(config-sig-sig)# exit
Apply Changes?[yes]: yes
IPS-4240(config)#
So, that took a fair amount of time, so I thought I’d see if I could access it by the IDM, just in case I wasn’t waiting long enough after booting. But even without trying IDM, I had still lost contact with the network:
IPS-4240# ping 10.1.4.254
PING 10.1.4.254 (10.1.4.254): 56 data bytes
--- 10.1.4.254 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
IPS-4240#
This is going to make using the IPS as an IPS so much harder!
Broadening the Google search, I came across these posts:
Both have a similar issue (Connection Refused) – but that’s through Telnet, whereas I would not see this on the console. The proposed fix is this though:
Qemu Options: -smbios type=1,product=IPS-4240,version=1.0,serial=12345789012,uuid=E0A32395-8DFE-D511-8C31-001FC641BA6B,sku=011,family=IPS-4240
The existing UNL template can be amended to achieve this quite easily.
So let’s give this a go!
I edited the template, deleted and readded the IPS, fired it up, reconfigured it, and….
Yep. It all stops again.
So I rebooted. EVERYTHING. All nodes were stopped. I turned the oven on (not related, I’m just hungry), UNL got rebooted, I closed the lab and reopened it, and things were started again.
So, what do you reckon?
Did it work?
Actually, I think it might have done. IDM has loaded, and the ping seems solid:
So, for those having the same issue at home, just a little recap (some steps may not be needed, but this is what has worked for me tonight):
Turn off all nodes
Edit the template file: /opt/unetlab/html/templates/cips.php
Use this code:
<?php
# vim: syntax=php tabstop=4 softtabstop=0 noexpandtab laststatus=1 ruler

/**
 * html/templates/cips.php
 *
 * cips template for UNetLab.
 *
 * LICENSE:
 *
 * This file is part of UNetLab (Unified Networking Lab).
 *
 * UNetLab is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * UNetLab is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with UNetLab. If not, see .
 *
 * @author Andrea Dainese
 * @copyright 2014-2016 Andrea Dainese
 * @license http://www.gnu.org/licenses/gpl.html
 * @link http://www.unetlab.com/
 * @version 20151116
 */

$p['type'] = 'qemu';
$p['name'] = 'IPS';
$p['icon'] = 'Network Analyzer.png';
$p['cpu'] = 1;
$p['ram'] = 2048;
$p['ethernet'] = 5;
$p['console'] = 'telnet';
$p['qemu_arch'] = 'i386';
$p['qemu_version'] = '1.3.1';
$p['qemu_options'] = '-machine type=pc-1.0 -serial mon:stdio -nographic -nodefconfig -nodefaults -rtc base=utc -no-shutdown -boot order=c -smbios type=1,product=IPS-4240/4255,version=1.0,serial=12345789012,uuid=E0A32395-8DFE-D511-8C31-001FC641BA6B,sku=011,family=IPS-4240/4255';
?>
Reboot UNL (completely)
Start things up again.
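If you would rather not hand-edit the template, here is an added example (my own, not from the post or from UNetLab) that applies the cips.php step of the recap: it backs the file up, appends the same -smbios string to the qemu_options value, and does nothing if the string is already there. The function names and the template path argument are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the post or from UNetLab: apply the cips.php fix
# from the recap without hand-editing the file. has_smbios, patch_cips_template
# and the template path argument are names chosen here; the -smbios string is
# the one from the template above.

SMBIOS='-smbios type=1,product=IPS-4240/4255,version=1.0,serial=12345789012,uuid=E0A32395-8DFE-D511-8C31-001FC641BA6B,sku=011,family=IPS-4240/4255'

# Return 0 when the template already carries the -smbios hardware identity.
has_smbios() {
    grep -q 'smbios type=1,product=IPS-4240' "$1"
}

# Append the -smbios option to the single-quoted $p['qemu_options'] value,
# keeping a timestamped backup. Return 0 if the file now carries the option,
# 2 if the file is missing, 1 if no qemu_options line was found to patch.
patch_cips_template() {
    tpl="$1"
    [ -f "$tpl" ] || { echo "template not found: $tpl" >&2; return 2; }
    if has_smbios "$tpl"; then
        echo "already patched: $tpl"
        return 0
    fi
    cp "$tpl" "$tpl.bak.$(date +%Y%m%d%H%M%S)"
    # BRE: capture everything up to the closing quote of the value, then
    # re-emit it with the smbios string inserted before that quote.
    sed -i "s|^\([\$]p\['qemu_options'] = '.*\)';|\1 $SMBIOS';|" "$tpl"
    has_smbios "$tpl"
}

# Usage on the UNL host (all nodes stopped first, per the recap):
#   patch_cips_template /opt/unetlab/html/templates/cips.php
```

Running it a second time reports "already patched" and leaves the file untouched, so it is safe to include in a post-upgrade script.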
Hopefully it will work for you as well!
This is the only time I have been able to get into IDM, and so far (all 12 minutes), it has been stable!
EDIT: Make that 17 minutes! Wooo Hooo!
Is IPS stable after above changes?
It’s been up for one day, and I still have full access!
2 days and still stable