CCIE Security lab: IPS Part 2 – Oh, you motherf-IPS!

I posted yesterday about the IPS, in that it had a tendency to go to sleep on me, and not wake up. However, the IPS is a pretty big part of the CCIE Security lab, so it needs to be working! Through the power of the internet, it turns out that this is not an uncommon issue.

@802101stu Well I faced the same issue, and some other minor things, but finally found that the bug was with the image which I was using

— mzStanikzai (@mzStanikzai) 3 May 2016

This guy is also working towards his CCIE Security, so follow him on Twitter.

So I started again from scratch, new source, followed the IPS creation docs (see the cznetlab link from yesterday), and everything booted up.

So I ran the setup:

sensor# setup

    --- Basic Setup ---

    --- System Configuration Dialog ---

At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.

Current time: Wed May  4 09:45:54 2016

Setup Configuration last modified: Wed May 04 09:45:35 2016

Enter host name[sensor]: IPS-4240
Enter IP interface[,]:,
Modify current access list?[no]: yes
Current access list entries:
  No entries
Use DNS server for Global Correlation?[no]: 
Use HTTP proxy server for Global Correlation?[no]: 
Modify system clock settings?[no]: 
Participation in the SensorBase Network allows Cisco to
collect aggregated statistics about traffic sent to your IPS.
SensorBase Network Participation level?[off]: 

The following configuration was entered.

service host
host-name IPS-4240
telnet-option disabled
ftp-timeout 300
no login-banner-text
dns-primary-server disabled
dns-secondary-server disabled
dns-tertiary-server disabled
http-proxy no-proxy
offset 0
standard-time-zone-name UTC
summertime-option disabled
ntp-option disabled
service global-correlation
network-participation off

[0] Go to the command prompt without saving this config.
[1] Return to setup without saving this config.
[2] Save this configuration and exit setup.
[3] Continue to Advanced setup.

Enter your selection[3]: 2
Warning: DNS or HTTP proxy is required for global correlation inspection and reputation filtering, but no DNS or proxy servers are defined.

--- Configuration Saved ---

Complete the advanced setup using CLI or IDM.
To use IDM,point your web browser at https://.


All looked good. I switched to non-TLS, and IDM started to load… then hung. Again the IPS won’t communicate with anything else.

So I get another IPS-4240 source, and the same thing happens again. This is really starting to piss me off now.

Oddly, it only seems to crap out once I start to use the GUI, so could this be the issue? Am I destined to know the IPS purely by the CLI? That’s no bad thing. So let’s see how far I can go in the CLI, starting by creating some users. Thankfully the IPS supports context-sensitive help, and there is a username command:

IPS-4240(config)# username ipsadmin privilege administrator password Admin1234
IPS-4240(config)# username ipsoper privilege operator password Oper1234
IPS-4240(config)# username ipsview privilege viewer password View1234

That was a nice, easy start. The rest of the cool stuff lives under the “service” command:

IPS-4240(config)# service ?
aaa                            Enter configuration mode for AAA options.
analysis-engine                Enter configuration mode for global analysis engine options.
anomaly-detection              Enter configuration mode for anomaly-detection.
authentication                 Enter configuration mode for user authentication options.
event-action-rules             Enter configuration mode for the event action rules.
external-product-interface     Enter configuration mode for the interfaces to external products.
global-correlation             Enter configuration mode for global correlation configuration.
health-monitor                 Enter configuration mode for health and security monitoring.
host                           Enter configuration mode for host configuration.
interface                      Enter configuration mode for interface configuration.
logger                         Enter configuration mode for debug logger.
network-access                 Enter configuration mode for the network access controller.
notification                   Enter configuration mode for the notification application.
signature-definition           Enter configuration mode for the signature definition.
ssh-known-hosts                Enter configuration mode for configuring SSH known hosts.
trusted-certificates           Enter configuration mode for configuring trusted certificates.
web-server                     Enter configuration mode for the web server application.
IPS-4240(config)# service

Let’s try and create a new signature. This will have some basic goals. It’ll produce a high-severity alert on matches to TCP port 93. I kind of stumbled my way through, so have cleaned it up a bit:

IPS-4240(config)# service signature-definition sig2
Editing new instance sig2.

IPS-4240(config-sig)# signatures ?
IPS-4240(config-sig)# signatures 65000 ?
IPS-4240(config-sig)# signatures 65000 0
IPS-4240(config-sig-sig)# alert-severity ?
high              Dangerous Alert.
medium            Medium level alert
low               Low level alert
informational     Informational alert.
IPS-4240(config-sig-sig)# alert-severity high
IPS-4240(config-sig-sig)# engine atomic-ip
IPS-4240(config-sig-sig-ato)# ?
IPS-4240(config-sig-sig-ato)# event-action produce-alert 
IPS-4240(config-sig-sig-ato)# specify-l4-protocol yes
IPS-4240(config-sig-sig-ato-yes)# l4-protocol tcp
IPS-4240(config-sig-sig-ato-yes-tcp)# exit
Error: /tcp/tcp-flags/ -- the value is empty and has no default
/tcp/tcp-mask/ -- the value is empty and has no default

% Please answer 'yes' or 'no'. no]: no tcp-flags
Would you like to exit anyway?[no]: no 
IPS-4240(config-sig-sig-ato-yes-tcp)# no tcp-flags 
IPS-4240(config-sig-sig-ato-yes-tcp)# no tcp-mask
IPS-4240(config-sig-sig-ato-yes-tcp)# specify-dst-port yes 
IPS-4240(config-sig-sig-ato-yes-tcp-yes)# dst-port 93
IPS-4240(config-sig-sig-ato-yes-tcp-yes)# exit
IPS-4240(config-sig-sig-ato-yes-tcp)# exit
IPS-4240(config-sig-sig-ato-yes)# exit
IPS-4240(config-sig-sig-ato)# exit
IPS-4240(config-sig-sig)# exit
Apply Changes?[yes]: yes 
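To see what the signature above actually tests, here is an added Python model of that atomic-ip rule, written for this post rather than taken from the IPS or from Cisco. It parses raw IPv4/TCP bytes (a constructed packet builder is included), applies the l4-protocol tcp, dst-port 93 and tcp-flags/tcp-mask checks, and enforces the rule the sensor complained about at exit: once l4-protocol is tcp, tcp-flags and tcp-mask must be set together or cleared together. The assumption that a cleared tcp-mask means flags are not inspected at all is mine; so is the stricter SYN-only subsignature 65000/1, which is not in the post and is there only to show what the mask does.

```python
"""Model of the atomic-ip TCP signature configured above (sig 65000/0).

Added example, not Cisco IPS code. It applies the same checks the CLI
transcript configured: l4-protocol tcp, dst-port 93, produce-alert at
severity high, with tcp-flags/tcp-mask either both set or both cleared.
Assumption: a cleared tcp-mask means "do not inspect TCP flags at all".
"""
import struct
from dataclasses import dataclass
from typing import FrozenSet, Optional

IPPROTO_TCP = 6
TCP_FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
                 "psh": 0x08, "ack": 0x10, "urg": 0x20}


@dataclass(frozen=True)
class AtomicIpTcpSig:
    sig_id: int
    subsig_id: int
    alert_severity: str                            # high/medium/low/informational
    dst_port: int
    tcp_flags: Optional[FrozenSet[str]] = None     # flag values expected ...
    tcp_mask: Optional[FrozenSet[str]] = None      # ... among these flags only

    def validate(self) -> None:
        # Same rule the sensor enforced with "the value is empty and has no
        # default": with l4-protocol tcp, tcp-flags and tcp-mask are either
        # both given or both removed with "no tcp-flags" / "no tcp-mask".
        if (self.tcp_flags is None) != (self.tcp_mask is None):
            raise ValueError("tcp-flags and tcp-mask must be set together "
                             "or both cleared")
        for name in set(self.tcp_flags or ()) | set(self.tcp_mask or ()):
            if name not in TCP_FLAG_BITS:
                raise ValueError(f"unknown TCP flag {name!r}")


def is_valid(sig: AtomicIpTcpSig) -> bool:
    try:
        sig.validate()
        return True
    except ValueError:
        return False


def parse_ipv4_tcp(pkt: bytes):
    """Return (protocol, tcp_dst_port, tcp_flags); port and flags are None
    when the packet is not TCP or the TCP header is truncated."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None                      # not a complete IPv4 header
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    if proto != IPPROTO_TCP or len(pkt) < ihl + 20:
        return proto, None, None
    dst_port = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return proto, dst_port, pkt[ihl + 13]


def evaluate(sig: AtomicIpTcpSig, pkt: bytes) -> Optional[dict]:
    """Return the alert this signature would raise for pkt, else None."""
    sig.validate()
    parsed = parse_ipv4_tcp(pkt)
    if parsed is None:
        return None
    proto, dst_port, flags = parsed
    if proto != IPPROTO_TCP or dst_port != sig.dst_port:
        return None
    if sig.tcp_mask is not None:         # only compare the masked flag bits
        mask = sum(TCP_FLAG_BITS[f] for f in sig.tcp_mask)
        want = sum(TCP_FLAG_BITS[f] for f in sig.tcp_flags) & mask
        if flags & mask != want:
            return None
    return {"sig": f"{sig.sig_id}/{sig.subsig_id}",
            "severity": sig.alert_severity,
            "event_action": "produce-alert", "dst_port": dst_port}


def build_packet(dst_port: int, flags: int, proto: int = IPPROTO_TCP) -> bytes:
    """Constructed test packet: 20-byte IPv4 header + 20-byte TCP header,
    10.0.0.1 -> 10.0.0.2, checksums left at zero (not verified here)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 0, 5 << 4, flags,
                      65535, 0, 0)
    return ip + tcp


# The signature from the transcript: TCP to port 93, flags not inspected.
SIG_65000_0 = AtomicIpTcpSig(65000, 0, "high", 93)
# Stricter variant (assumption, not in the post): only the initial SYN.
SIG_65000_1 = AtomicIpTcpSig(65000, 1, "high", 93,
                             tcp_flags=frozenset({"syn"}),
                             tcp_mask=frozenset({"syn", "ack"}))


def demo() -> dict:
    syn = TCP_FLAG_BITS["syn"]
    synack = TCP_FLAG_BITS["syn"] | TCP_FLAG_BITS["ack"]
    return {
        "syn_to_93": evaluate(SIG_65000_0, build_packet(93, syn)),
        "synack_to_93": evaluate(SIG_65000_0, build_packet(93, synack)),
        "syn_to_80": evaluate(SIG_65000_0, build_packet(80, syn)),
        "udp_to_93": evaluate(SIG_65000_0, build_packet(93, 0, proto=17)),
        "strict_syn": evaluate(SIG_65000_1, build_packet(93, syn)),
        "strict_synack": evaluate(SIG_65000_1, build_packet(93, synack)),
    }


if __name__ == "__main__":
    for name, alert in demo().items():
        print(f"{name:14s} -> {alert}")
```

Running the block prints one line per constructed packet: the SYN/ACK to port 93 still alerts under 65000/0 because no mask was set, and is skipped by 65000/1, while port 80 and UDP traffic never match.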

So, that took a fair amount of time, so I thought I’d see if I could access it via IDM, just in case I wasn’t waiting long enough after booting. But even without trying IDM, I had still lost contact with the network:

IPS-4240# ping
PING ( 56 data bytes

--- ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss


This is going to make using the IPS as an IPS so much harder!

Broadening the Google search, I came across these posts:

Both have a similar issue (Connection Refused) – but that’s through Telnet, whereas I would not see this on the console. The proposed fix is this though:

Qemu Options: -smbios type=1,product=IPS-4240,version=1.0,serial=12345789012,uuid=E0A32395-8DFE-D511-8C31-001FC641BA6B,sku=011,family=IPS-4240

The existing UNL template can be amended to achieve this quite easily.

So let’s give this a go!

I edited the template, deleted and readded the IPS, fired it up, reconfigured it, and….

[Image: Cisco IPS on UNetLab not stable]

Yep. It all stops again.

So I rebooted. EVERYTHING. All nodes were stopped. I turned the oven on (not related, I’m just hungry), UNL got rebooted, I closed the lab and reopened it, and things were started again.

So, what do you reckon?

Did it work?

Actually, I think it might have done. IDM has loaded, and the ping seems solid:

[Image: Cisco IPS on UNetLab nice and stable]

So, for those having the same issue at home, just a little recap (some steps may not be needed, but this is what has worked for me tonight):

Turn off all nodes
Edit the template file: /opt/unetlab/html/templates/cips.php
Use this code:

<?php
# vim: syntax=php tabstop=4 softtabstop=0 noexpandtab laststatus=1 ruler

/**
 * html/templates/cips.php
 *
 * cips template for UNetLab.
 *
 * This file is part of UNetLab (Unified Networking Lab).
 * UNetLab is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 * UNetLab is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 * You should have received a copy of the GNU General Public License
 * along with UNetLab. If not, see .
 *
 * @author Andrea Dainese
 * @copyright 2014-2016 Andrea Dainese
 * @license
 * @link
 * @version 20151116
 */

$p['type'] = 'qemu';
$p['name'] = 'IPS';
$p['icon'] = 'Network Analyzer.png';
$p['cpu'] = 1;
$p['ram'] = 2048;
$p['ethernet'] = 5;
$p['console'] = 'telnet';
$p['qemu_arch'] = 'i386';
$p['qemu_version'] = '1.3.1';
$p['qemu_options'] = '-machine type=pc-1.0 -serial mon:stdio -nographic -nodefconfig -nodefaults -rtc base=utc -no-shutdown -boot order=c -smbios type=1,product=IPS-4240/4255,version=1.0,serial=12345789012,uuid=E0A32395-8DFE-D511-8C31-001FC641BA6B,sku=011,family=IPS-4240/4255';
?>

Save it
Reboot UNL (completely)
Start things up again.
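If you would rather patch the existing template than paste the whole file, here is an added Python helper (mine, not part of UNetLab) that appends the -smbios string from the QEMU options quoted above to $p['qemu_options'] only when it is missing, so running it twice does not duplicate the option, and has_smbios() is the check to run before going through another full reboot. The path is the one from the recap; SAMPLE_TEMPLATE is a constructed stand-in for the stock file with the smbios option absent, there so the functions can be exercised without a UNL box. It uses product=IPS-4240 from the quoted fix rather than the IPS-4240/4255 variant in the full template above.

```python
"""Idempotent patch for the UNetLab cips.php template's qemu_options line.

Added example, not part of UNetLab. Appends the -smbios settings from the
forum fix to $p['qemu_options'] when they are missing, leaves an already
patched file untouched, and writes a .bak copy before changing anything.
"""
import re
import sys

TEMPLATE_PATH = "/opt/unetlab/html/templates/cips.php"     # from the recap
SMBIOS = ("-smbios type=1,product=IPS-4240,version=1.0,serial=12345789012,"
          "uuid=E0A32395-8DFE-D511-8C31-001FC641BA6B,sku=011,family=IPS-4240")

# Matches the PHP assignment; groups: prefix, option string, closing quote+;
OPTS_RE = re.compile(r"^(\$p\['qemu_options'\]\s*=\s*')([^']*)('\s*;)", re.M)

# Constructed stand-in for the stock template (smbios option absent).
SAMPLE_TEMPLATE = """<?php
$p['type'] = 'qemu';
$p['name'] = 'IPS';
$p['qemu_arch'] = 'i386';
$p['qemu_options'] = '-machine type=pc-1.0 -serial mon:stdio -nographic -nodefconfig -nodefaults -rtc base=utc -no-shutdown -boot order=c';
?>
"""


def has_smbios(template: str) -> bool:
    """True when the qemu_options line already carries a type=1 SMBIOS table."""
    m = OPTS_RE.search(template)
    return m is not None and "-smbios type=1," in m.group(2)


def patch_qemu_options(template: str, smbios: str = SMBIOS) -> str:
    """Return the template text with smbios appended to qemu_options."""
    m = OPTS_RE.search(template)
    if m is None:
        raise ValueError("no $p['qemu_options'] assignment found")
    if "-smbios type=1," in m.group(2):
        return template                      # already patched; leave it alone
    patched = f"{m.group(1)}{m.group(2).rstrip()} {smbios}{m.group(3)}"
    return template[:m.start()] + patched + template[m.end():]


def main(path: str = TEMPLATE_PATH) -> int:
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    if has_smbios(original):
        print(f"{path}: -smbios already present, nothing to do")
        return 0
    patched = patch_qemu_options(original)
    with open(path + ".bak", "w", encoding="utf-8") as fh:
        fh.write(original)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(patched)
    print(f"{path}: patched (backup in {path}.bak); now reboot UNL completely")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else TEMPLATE_PATH))
```

Run it as root on the UNL host with the nodes stopped; it only touches the one assignment line, so the rest of the template (RAM, NIC count, console type) stays as Andrea shipped it.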

Hopefully it will work for you as well!

This is the only time I have been able to get into IDM, and so far (all 12 minutes), it has been stable!

EDIT: Make that 17 minutes! Wooo Hooo!

