CCIE Security lab: IPS Part 2 – Oh, you motherf-IPS!

I posted yesterday about the IPS, in that it had a tendency to go to sleep on me, and not wake up. However, the IPS is a pretty big part of the CCIE Security lab, so it needs to be working! Through the power of the internet, it turns out that this is not an uncommon issue.

@802101stu Well i faced same issue, and some other minor things, but finally found that bug was with the image which i was using

— mzStanikzai (@mzStanikzai) 3 May 2016

This guy is also working towards his CCIE Security, so follow him on Twitter.

So I started again from scratch, new source, followed the IPS creation docs (see the cznetlab link from yesterday), and everything booted up.

So I ran the setup:

sensor# setup


    --- Basic Setup ---

    --- System Configuration Dialog ---

At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.



Current time: Wed May  4 09:45:54 2016

Setup Configuration last modified: Wed May 04 09:45:35 2016

Enter host name[sensor]: IPS-4240
Enter IP interface[192.168.1.2/24,192.168.1.1]: 10.1.4.155/24,10.1.4.254
Modify current access list?[no]: yes
Current access list entries:
  No entries
Permit: 10.1.4.0/24
Permit: 10.1.20.0/24
Permit: 
Use DNS server for Global Correlation?[no]: 
Use HTTP proxy server for Global Correlation?[no]: 
Modify system clock settings?[no]: 
Participation in the SensorBase Network allows Cisco to
collect aggregated statistics about traffic sent to your IPS.
SensorBase Network Participation level?[off]: 

The following configuration was entered.

service host
network-settings
host-ip 10.1.4.155/24,10.1.4.254
host-name IPS-4240
telnet-option disabled
access-list 10.1.4.0/24 
access-list 10.1.20.0/24 
ftp-timeout 300
no login-banner-text
dns-primary-server disabled
dns-secondary-server disabled
dns-tertiary-server disabled
http-proxy no-proxy
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
service global-correlation
network-participation off
exit


[0] Go to the command prompt without saving this config.
[1] Return to setup without saving this config.
[2] Save this configuration and exit setup.
[3] Continue to Advanced setup.

Enter your selection[3]: 2
Warning: DNS or HTTP proxy is required for global correlation inspection and reputation filtering, but no DNS or proxy servers are defined.

--- Configuration Saved ---

Complete the advanced setup using CLI or IDM.
To use IDM,point your web browser at https://.

sensor#

All looked good. I switched to non-TLS, and IDM started to load… then hung. Again the IPS won’t communicate with anything else.

So I get another IPS-4240 source, and the same things happens again. This is really starting to piss me off now.

Oddly, it only seems to crap out once I start to use the GUI, so could this be the issue? Am I destined know IPS purely by the CLI? That’s no bad thing. So let’s see how far I can go in the CLI. Starting by creating some users. Thankfully the IPS supports context sensitive help, and there is a username command:

IPS-4240(config)# username ipsadmin privilege administrator password Admin1234
IPS-4240(config)# username ipsoper privilege operator password Oper1234
IPS-4240(config)# username ipsview privilege viewer password View1234
IPS-4240(config)#

That was a nice, easy start. The rest of the cool stuff lives under the “service command”:

IPS-4240(config)# service ?
aaa                            Enter configuration mode for AAA options.
analysis-engine                Enter configuration mode for global analysis engine options.
anomaly-detection              Enter configuration mode for anomaly-detection.
authentication                 Enter configuration mode for user authentication options.
event-action-rules             Enter configuration mode for the event action rules.
external-product-interface     Enter configuration mode for the interfaces to external products.
global-correlation             Enter configuration mode for global correlation configuration.
health-monitor                 Enter configuration mode for health and security monitoring.
host                           Enter configuration mode for host configuration.
interface                      Enter configuration mode for interface configuration.
logger                         Enter configuration mode for debug logger.
network-access                 Enter configuration mode for the network access controller.
notification                   Enter configuration mode for the notification application.
signature-definition           Enter configuration mode for the signature definition.
ssh-known-hosts                Enter configuration mode for configuring SSH known hosts.
trusted-certificates           Enter configuration mode for configuring trusted certificates.
web-server                     Enter configuration mode for the web server application.
IPS-4240(config)# service

Let’s try and create a new signature. This will have some basic goals. It’ll produce a high-severity alert on matches to tcp port 93. I kind of stumbled my way through, so have cleaned it up a bit:

IPS-4240(config)# service signature-definition sig2
Editing new instance sig2.

IPS-4240(config-sig)# 
IPS-4240(config-sig)# signatures ?
     
IPS-4240(config-sig)# signatures 65000 ?
     
IPS-4240(config-sig)# signatures 65000 0
IPS-4240(config-sig-sig)# alert-severity ?
high              Dangerous Alert.
medium            Medium level alert
low               Low level alert
informational     Informational alert.
IPS-4240(config-sig-sig)# alert-severity high
IPS-4240(config-sig-sig)# engine atomic-ip
IPS-4240(config-sig-sig-ato)# ?
default                          
event-action                     
exit                             
fragment-status                  
no                               
show                             
specify-ip-addr-options          
specify-ip-header-length         
specify-ip-id                    
specify-ip-option-inspection     
specify-ip-payload-length        
specify-ip-tos                   
specify-ip-total-length          
specify-ip-ttl                   
specify-ip-version               
specify-l4-protocol              
swap-attacker-victim             
IPS-4240(config-sig-sig-ato)# event-action produce-alert 
IPS-4240(config-sig-sig-ato)# specify-l4-protocol yes
IPS-4240(config-sig-sig-ato-yes)# l4-protocol tcp
IPS-4240(config-sig-sig-ato-yes-tcp)# exit
Error: /tcp/tcp-flags/ -- the value is empty and has no default
/tcp/tcp-mask/ -- the value is empty and has no default

% Please answer 'yes' or 'no'. no]: no tcp-flags
Would you like to exit anyway?[no]: no 
IPS-4240(config-sig-sig-ato-yes-tcp)# no tcp-flags 
IPS-4240(config-sig-sig-ato-yes-tcp)# no tcp-mask
IPS-4240(config-sig-sig-ato-yes-tcp)# specify-dst-port yes 
IPS-4240(config-sig-sig-ato-yes-tcp-yes)# dst-port 93
IPS-4240(config-sig-sig-ato-yes-tcp-yes)# exit
IPS-4240(config-sig-sig-ato-yes-tcp)# exit
IPS-4240(config-sig-sig-ato-yes)# exit
IPS-4240(config-sig-sig-ato)# exit
IPS-4240(config-sig-sig)# exit
Apply Changes?[yes]: yes 
IPS-4240(config)#

So, that took a fair amount of time, so I thought I’d see if I could access it by the IDM, just in case I wasn’t waiting long enough after booting. But even without trying IDM, I had still lost contact with the network:

IPS-4240# ping 10.1.4.254
PING 10.1.4.254 (10.1.4.254): 56 data bytes

--- 10.1.4.254 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
IPS-4240#

Arse.

This is going to make using the IPS as an IPS so much harder!

Broadening the Google search I can across these posts:

https://supportforums.cisco.com/discussion/12207411/ips-70-gns3
https://gns3.com/qa/ips-7-network-connection-refused

Both have a similar issue (Connection Refused) – but that’s through Telnet, whereas I would not see this on the console. The proposed fix is this though:

Qemu Options: -smbios type=1,product=IPS-4240,version=1.0,serial=12345789012,uuid=E0A32395-8DFE-D511-8C31-001FC641BA6B,sku=011,family=IPS-4240

The existing UNL template can be amended to achieve this quite easily.

So let’s give this a go!

I edited the template, deleted and readded the IPS, fired it up, reconfigured it, and….

Cisco IPS on UNetLab not stable

Yep. It all stops again.

So I rebooted. EVERYTHING. All nodes were stopped. I turned the oven on (not related, I’m just hungry), UNL got rebooted, I closed the lab and reopened it, and things were started again.

So, what do you reckon?

Did it work?

Actually, I think it might have done. IDM has loaded, and the ping seems solid:

Cisco IPS on UNetLab nice and stable

So, for those having the same issue at home, just a little recap (some steps may not be needed, but this is what has worked for me tonight):

Turn off all nodes
Edit the template file: /opt/unetlab/html/templates/cips.php
Use this code:

<?php
# vim: syntax=php tabstop=4 softtabstop=0 noexpandtab laststatus=1 ruler

/**
 * html/templates/cips.php
 *
 * cips template for UNetLab.
 *
 * LICENSE:
 *
 * This file is part of UNetLab (Unified Networking Lab).
 *
 * UNetLab is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * UNetLab is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with UNetLab.If not, see .
 *
 * @author Andrea Dainese 
 * @copyright 2014-2016 Andrea Dainese
 * @license http://www.gnu.org/licenses/gpl.html
 * @link http://www.unetlab.com/
 * @version 20151116
 */

$p['type'] = 'qemu';
$p['name'] = 'IPS'; 
$p['icon'] = 'Network Analyzer.png';
$p['cpu'] = 1;
$p['ram'] = 2048; 
$p['ethernet'] = 5; 
$p['console'] = 'telnet'; 
$p['qemu_arch'] = 'i386';
$p['qemu_version'] = '1.3.1';
$p['qemu_options'] = '-machine type=pc-1.0 -serial mon:stdio -nographic -nodefconfig -nodefaults -rtc base=utc -no-shutdown -boot order=c -smbios type=1,product=IPS-4240/4255,version=1.0,serial=12345789012,uuid=E0A32395-8DFE-D511-8C31-001FC641BA6B,sku=011,family=IPS-4240/4255';
?>

Save it
Reboot UNL (completely)
Start things up again.

Hopefully it will work for you as well!

This is the only time I have been able to get into IDM, and so far (all 12 minutes), it has been stable!

EDIT: Make that 17 minutes! Wooo Hooo!

3 Comments

  1. Anonymous May 7, 2016
  2. Stuart Fordham May 7, 2016
  3. Stuart Fordham May 8, 2016