Jan 14

IOS IPS is fair game for the CCIE Security and CCIE R/S labs. With IOS IPS now using v5 signatures (just like the sensor appliance), setting up IOS IPS is no longer as simple, but it is very important. The intention of this post is to provide a streamlined process to use as a jumpstart into IOS IPS. For full details, examples and explanations, please refer to our lab workbooks; both RS and Security cover the topic. Let's get started!

First, we need a place for the IPS configuration files to call home; IPS wants a folder. Let's make a directory on the router's flash. Optionally, if other writable IOS file systems were present, we could use those as well.

R6#mkdir ips
Create directory filename [ips]?
Created dir flash:/ips
R6#

IOS IPS uses a crypto key to verify the digital signature on the master signature file, which Cisco signs with a private key. To verify that signature, the router needs the corresponding public key, which is available as a text file on Cisco's site called realm-cisco.pub.key.txt. To inject the public key into the router config, we do the following:

R6(config)#crypto key pubkey-chain rsa
R6(config-pubkey-chain)#named-key realm-cisco.pub signature
Translating "realm-cisco.pub"
R6(config-pubkey-key)#key-string
Enter a public key as a hexidecimal number ....
!  Note:   The $ to the left of the hex characters indicates that the line holds more characters than fit on the screen.
R6(config-pubkey)#$2A864886 F70D0101 01050003 82010F00 3082010A 02820101
R6(config-pubkey)#$D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
R6(config-pubkey)#$912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
R6(config-pubkey)#$085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
R6(config-pubkey)#$0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
R6(config-pubkey)#$994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
R6(config-pubkey)#$5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
R6(config-pubkey)#$A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
R6(config-pubkey)#$80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
R6(config-pubkey)#   F3020301 0001
R6(config-pubkey)#  quit
R6(config-pubkey-key)#end
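The hex pasted into key-string above is a DER-encoded SubjectPublicKeyInfo, and the first visible groups already show its structure: the rsaEncryption OID, a NULL, and the length prefixes of a 2048-bit modulus. A quick way to sanity-check a key blob before pasting it into a router is to walk that DER. The following is an added example (not code from the post or from Cisco) that converts key-string lines to bytes, decodes the OID and modulus size, and, because the full key is not on the page, builds a synthetic key with the same structure to exercise the parser; the modulus used there is a made-up number, not a real key, and the helper names are my own.

```python
import re

RSA_ENCRYPTION_OID = "1.2.840.113549.1.1.1"

def keystring_to_bytes(lines):
    """Turn key-string lines as typed on IOS (8-hex-digit groups) into raw DER bytes.
    The leading '$' the console prints is a line-wrap marker, not part of the key."""
    digits = "".join(re.sub(r"[^0-9A-Fa-f]", "", ln) for ln in lines)
    return bytes.fromhex(digits)

def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(content):
    """Decode the content bytes of a DER OBJECT IDENTIFIER to dotted form."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                               # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def inspect_spki(der):
    """Walk a SubjectPublicKeyInfo and report the algorithm OID and RSA modulus size."""
    def expect(pos, want):
        tag, start, end = read_tlv(der, pos)
        if tag != want:
            raise ValueError(f"expected tag 0x{want:02x} at offset {pos}, got 0x{tag:02x}")
        return start, end
    start, _ = expect(0, 0x30)                         # SubjectPublicKeyInfo SEQUENCE
    alg_start, alg_end = expect(start, 0x30)           # AlgorithmIdentifier SEQUENCE
    oid_start, oid_end = expect(alg_start, 0x06)       # algorithm OID
    oid = decode_oid(der[oid_start:oid_end])
    bits_start, _ = expect(alg_end, 0x03)              # BIT STRING wrapping RSAPublicKey
    if der[bits_start] != 0:
        raise ValueError("unexpected unused-bits count in BIT STRING")
    key_start, _ = expect(bits_start + 1, 0x30)        # RSAPublicKey SEQUENCE
    n_start, n_end = expect(key_start, 0x02)           # modulus INTEGER
    e_start, e_end = expect(n_end, 0x02)               # publicExponent INTEGER
    modulus = int.from_bytes(der[n_start:n_end], "big")
    return {"oid": oid, "is_rsa": oid == RSA_ENCRYPTION_OID,
            "modulus_bits": modulus.bit_length(),
            "exponent": int.from_bytes(der[e_start:e_end], "big")}

# Minimal DER encoder, used only to build a synthetic key with the right structure.
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + content

def der_int(value):
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if raw[0] & 0x80:                                  # keep the INTEGER positive
        raw = b"\x00" + raw
    return der(0x02, raw)

def build_spki(modulus, exponent=65537):
    """Constructed RSA SubjectPublicKeyInfo; the modulus passed in is synthetic, not a real key."""
    rsa_key = der(0x30, der_int(modulus) + der_int(exponent))
    algorithm = der(0x30, der(0x06, bytes.fromhex("2A864886F70D010101")) + der(0x05, b""))
    return der(0x30, algorithm + der(0x03, b"\x00" + rsa_key))

# Two key-string lines as the console shows them in the post: the head carries the OID, NULL and
# the length prefixes of the BIT STRING, RSAPublicKey SEQUENCE and modulus; the tail ends with
# the public exponent 65537 (02 03 01 00 01).
PAGE_FRAGMENT_HEAD = "$2A864886 F70D0101 01050003 82010F00 3082010A 02820101"
PAGE_FRAGMENT_TAIL = "F3020301 0001"

if __name__ == "__main__":
    print(decode_oid(keystring_to_bytes([PAGE_FRAGMENT_HEAD])[:9]))
    print(inspect_spki(build_spki((1 << 2047) | 12345)))   # synthetic 2048-bit modulus
```

The length bytes on the page (03 82 01 0F, 30 82 01 0A, 02 82 01 01) are exactly what a 2048-bit RSA modulus with a leading zero byte produces, so a synthetic key of that size reproduces the same header bytes; that is the property the test below checks.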

We’ll save the configuration, just to be safe.

R6#wr
Building configuration...

Let’s check the ips folder we created on flash. It should still be empty.

R6#cd ips
R6#dir
Directory of flash:/ips/

No files in directory

255967232 bytes total (187428864 bytes free)
R6#cd ..

Once we complete the IPS configuration, the router can monitor all traffic on the interface and in the direction we specify. If we want to limit the traffic that goes through IPS processing, we can filter with an access-list: only traffic permitted by the ACL is subjected to IPS analysis. Let's create an ACL that matches only traffic destined to 6.6.6.6, the loopback of R6.

R6(config)#access-list 123 permit ip any host 6.6.6.6

Next we will create an IPS rule named “IOS-IPS” and associate the ACL we just created with it. In a later step, we will apply the IPS rule to an interface.

R6(config)#ip ips name IOS-IPS list 123

IPS needs to know where to keep its signature definitions and configuration. It just so happens that we created a folder on flash earlier named “ips”; we will use that directory.

R6(config)#ip ips config location flash:/ips

The router can send alerts using Security Device Event Exchange (SDEE) and/or syslog. We will configure both, and allow up to 2 simultaneous SDEE managers to set up requests for alerts, called subscriptions. To use SDEE, the HTTP server must be enabled on the router. Let's take care of these items next.

R6(config)#ip ips notify sdee
R6(config)#ip sdee subscriptions 2
R6(config)#ip ips notify log
R6(config)#ip http server

Before we apply the IPS rule to an interface, we are going to add some safety. We will retire all the signatures, and then un-retire just the signatures in the “advanced” default set. If we un-retired the “all” category, the router could run out of memory. (Your mileage may vary☺) As we exit configuration mode, we are prompted to accept the changes.

R6(config)#ip ips signature-category
R6(config-ips-category)#category all
R6(config-ips-category-action)#retired true
R6(config-ips-category-action)#exit
R6(config-ips-category)#
R6(config-ips-category)#category ios_ips advanced
R6(config-ips-category-action)#retired false
R6(config-ips-category-action)#end
Do you want to accept these changes? [confirm]
R6#
Applying Category configuration to signatures ...
R6#

Next we will apply the IPS rule we created to an interface. We also enable virtual-reassembly so that IPS can better analyze sessions and attacks that span multiple packets.

R6(config)#interface FastEthernet0/0
R6(config-if)#ip ips IOS-IPS in
R6(config-if)#ip virtual-reassembly

Notice that after we apply the IPS rule to an interface, the router begins to compile signatures. This won't take long at this point, because we haven't given the router a signature package (yet).

R6#
%IPS-6-ENGINE_BUILDS_STARTED:  Jan 14 2010
%IPS-6-ENGINE_BUILDING: atomic-ip - 3 signatures - 1 of 13 engines
%IPS-6-ENGINE_READY: atomic-ip - build time 8 ms - packets for this engine will be scanned
%IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 12 ms

Let's take a peek at the ips directory that was empty just a few minutes ago.

R6#cd ips
R6#dir
Directory of flash:/ips/

52  -rw-         719  Jan 14 2010 20:00:26 +00:00  R6-sigdef-default.xml
9  -rw-         271  Jan 14 2010 20:00:26 +00:00  R6-sigdef-delta.xml
59  -rw-        4365  Jan 14 2010 20:00:28 +00:00  R6-sigdef-typedef.xml
4  -rw-        1469  Jan 14 2010 20:00:28 +00:00  R6-sigdef-category.xml
7  -rw-         257  Jan 14 2010 20:00:28 +00:00  R6-seap-delta.xml
16  -rw-         491  Jan 14 2010 20:00:28 +00:00  R6-seap-typedef.xml

255967232 bytes total (187400192 bytes free)
R6#cd ..

Cool beans! Here is what those files contain:
R6-sigdef-default.xml: factory default signature definitions
R6-sigdef-delta.xml: signature definitions which were changed from the default
R6-sigdef-typedef.xml: signature parameter definitions
R6-sigdef-category.xml: signature category information, such as the categories ios_ips basic and advanced
R6-seap-delta.xml: changes made to the default SEAP parameters
R6-seap-typedef.xml: the default SEAP parameter definitions
SEAP = Signature Event Action Processor (event action overrides, filters, etc.)

Now let's give the router some signature information to crunch. We can download the latest signature package from cisco.com and put it on a local server. Here, R6 copies the .pkg file from a local TFTP server; the idconf destination tells IOS to load the package into the IPS configuration rather than just store a file.

R6#copy tftp://40.0.0.101/IOS-S456-CLI.pkg idconf
Loading IOS-S456-CLI.pkg from 40.0.0.101 (via FastEthernet0/0): !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 11085111 bytes]

Now check out the console while the router digests the file and compiles all the signatures in the “advanced” set. This takes a while, and on a production router it could cause a DoS: CPU skyrockets, and it takes about 1 – 5 minutes to complete.

R6#
%IPS-6-ENGINE_BUILDS_STARTED:  20:03:39 UTC Jan 14 2010
%IPS-6-ENGINE_BUILDING: multi-string - 40 signatures - 1 of 13 engines
%IPS-6-ENGINE_READY: multi-string - build time 164 ms - packets for this engine will be scanned
%IPS-6-ENGINE_BUILDING: service-http - 801 signatures - 2 of 13 engines
%IPS-6-ENGINE_READY: service-http - build time 17456 ms - packets for this engine will be scanned
%IPS-6-ENGINE_BUILDING: string-tcp - 2058 signatures - 3 of 13 engines
%IPS-6-ENGINE_READY: string-tcp - build time 59236 ms - packets for this engine will be scanned
%IPS-6-ENGINE_BUILDING: string-udp - 79 signatures - 4 of 13 engines
%IPS-6-ENGINE_READY: string-udp - build time 52 ms - packets for this engine will be scanned
%IPS-6-ENGINE_BUILDING: state - 37 signatures - 5 of 13 engines
%IPS-6-ENGINE_READY: state - build time 648 ms - packets for this engine will be scanned
%IPS-6-ENGINE_BUILDING: atomic-ip - 373 signatures - 6 of 13 engines
%IPS-6-ENGINE_READY: atomic-ip - build time 5548 ms - packets for this engine will be scanned
%IPS-6-ENGINE_BUILDING: string-icmp - 3 signatures - 7 of 13 engines
%IPS-6-ENGINE_READY: string-icmp - build time 0 ms - packets for this engine will be scanned
%IPS-6-ENGINE_BUILDING: service-ftp - 3 signatures - 8 of 13 engines
%IPS-6-ENGINE_READY: service-ftp - build time 20 ms - packets for this engine will be scanned
%IPS-6-ENGINE_BUILDING: service-rpc - 76 signatures - 9 of 13 engines
%IPS-6-ENGINE_READY: service-rpc - build time 204 ms - packets for this engine will be scanned
%IPS-6-ENGINE_BUILDING: service-dns - 39 signatures - 10 of 13 engines
%IPS-6-ENGINE_READY: service-dns - build time 60 ms - packets for this engine will be scanned
%IPS-6-ENGINE_BUILDING: normalizer - 9 signatures - 11 of 13 engines
%IPS-6-ENGINE_READY: normalizer - build time 4 ms - packets for this engine will be scanned
%IPS-6-ENGINE_READY: service-smb-advanced - build time 3024 ms - packets for this engine will be scanned
%IPS-6-ENGINE_BUILDING: service-msrpc - 35 signatures - 13 of 13 engines
%IPS-6-ENGINE_READY: service-msrpc - build time 2208 ms - packets for this engine will be scanned
%IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 88876 ms
R6#

Wow, only 88,876 ms to complete; about 1.5 minutes. Let's run some show commands to verify our install.

R6#show ip ips signature count 

Cisco SDF release version S456.0
Trend SDF release version V0.0

Signature Micro-Engine: multi-string: Total Signatures 40
      multi-string enabled signatures: 34
      multi-string retired signatures: 34
      multi-string compiled signatures: 6

Signature Micro-Engine: service-http: Total Signatures 801
      service-http enabled signatures: 133
      service-http retired signatures: 667
      service-http compiled signatures: 134
      service-http obsoleted signatures: 3

Signature Micro-Engine: string-tcp: Total Signatures 2058
      string-tcp enabled signatures: 675
      string-tcp retired signatures: 1810
      string-tcp compiled signatures: 248
      string-tcp obsoleted signatures: 22

Signature Micro-Engine: string-udp: Total Signatures 79
      string-udp enabled signatures: 0
      string-udp retired signatures: 78
      string-udp compiled signatures: 1
      string-udp obsoleted signatures: 2

Signature Micro-Engine: state: Total Signatures 37
      state enabled signatures: 16
      state retired signatures: 24
      state compiled signatures: 13

Signature Micro-Engine: atomic-ip: Total Signatures 373
      atomic-ip enabled signatures: 90
      atomic-ip retired signatures: 307
      atomic-ip compiled signatures: 66

Signature Micro-Engine: string-icmp: Total Signatures 3
      string-icmp enabled signatures: 0
      string-icmp retired signatures: 3

Signature Micro-Engine: service-ftp: Total Signatures 3
      service-ftp enabled signatures: 1
      service-ftp retired signatures: 2
      service-ftp compiled signatures: 1

Signature Micro-Engine: service-rpc: Total Signatures 76
      service-rpc enabled signatures: 44
      service-rpc retired signatures: 50
      service-rpc compiled signatures: 26

Signature Micro-Engine: service-dns: Total Signatures 39
      service-dns enabled signatures: 27
      service-dns retired signatures: 10
      service-dns compiled signatures: 29
      service-dns obsoleted signatures: 1

Signature Micro-Engine: normalizer: Total Signatures 9
      normalizer enabled signatures: 8
      normalizer retired signatures: 1
      normalizer compiled signatures: 8

Signature Micro-Engine: service-smb-advanced: Total Signatures 49
      service-smb-advanced enabled signatures: 40
      service-smb-advanced retired signatures: 30
      service-smb-advanced compiled signatures: 19

Signature Micro-Engine: service-msrpc: Total Signatures 35
      service-msrpc enabled signatures: 17
      service-msrpc retired signatures: 28
      service-msrpc compiled signatures: 7
      service-msrpc obsoleted signatures: 1

Total Signatures: 3602
   Total Enabled Signatures: 1085
   Total Retired Signatures: 3044
   Total Compiled Signatures: 558
   Total Obsoleted Signatures: 29

R6#show ip ips configuration  

IPS Signature File Configuration Status
    Configured Config Locations: flash:/ips/
    Last signature default load time: Jan 14 2010
    Last signature delta load time: Jan 14 2010
    Last event action (SEAP) load time: -none-

    General SEAP Config:
    Global Deny Timeout: 3600 seconds
    Global Overrides Status: Enabled
    Global Filters Status: Enabled

IPS Auto Update is not currently configured

IPS Syslog and SDEE Notification Status
    Event notification through syslog is enabled
    Event notification through SDEE is enabled

IPS Signature Status
    Total Active Signatures: 558
    Total Inactive Signatures: 3044

IPS Packet Scanning and Interface Status
    IPS Rule Configuration IPS name IOS-IPS acl list 123
    IPS fail closed is disabled
    IPS deny-action ips-interface is false
    Interface Configuration
      Interface FastEthernet0/0
        Inbound IPS rule is IOS-IPS acl list 123
        Outgoing IPS rule is not set

IPS Category CLI Configuration:
    Category all:
        Retire: True
    Category ios_ips advanced: Retire: False

R6#
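Two things in that output are easy to misread: "enabled" and "retired" overlap (multi-string shows 34 enabled and 34 retired out of 40), and only compiled signatures actually scan packets, which is why "Total Active Signatures: 558" in show ip ips configuration equals the compiled total, not the enabled one. The following is an added example, not code from the post, that parses show ip ips signature count output, cross-checks the per-engine numbers against the totals, and flags engines that compile nothing. The sample text is a constructed subset of the page's output with totals recomputed to match; the function names are mine.

```python
import re

ENGINE_RE = re.compile(r"^Signature Micro-Engine: (\S+): Total Signatures (\d+)")
FIELD_RE = re.compile(r"^\s+(\S+) (enabled|retired|compiled|obsoleted) signatures: (\d+)")
TOTAL_RE = re.compile(r"^\s*Total (?:(Enabled|Retired|Compiled|Obsoleted) )?Signatures: (\d+)")

def parse_signature_count(text):
    """Parse 'show ip ips signature count' into per-engine counts and the summary totals."""
    engines, totals, current = {}, {}, None
    for line in text.splitlines():
        m = ENGINE_RE.match(line)
        if m:
            current = m.group(1)
            engines[current] = {"total": int(m.group(2)), "enabled": 0,
                                "retired": 0, "compiled": 0, "obsoleted": 0}
            continue
        m = FIELD_RE.match(line)
        if m and m.group(1) == current:          # field lines repeat the engine name
            engines[current][m.group(2)] = int(m.group(3))
            continue
        m = TOTAL_RE.match(line)
        if m:
            totals[(m.group(1) or "total").lower()] = int(m.group(2))
    return engines, totals

def audit(engines, totals):
    """Return human-readable findings: inconsistent totals, idle engines, enabled-but-retired sigs."""
    findings = []
    for key in ("total", "enabled", "retired", "compiled", "obsoleted"):
        per_engine = sum(e[key] for e in engines.values())
        if totals.get(key) != per_engine:
            findings.append(f"{key}: per-engine sum {per_engine} != reported {totals.get(key)}")
    for name, e in engines.items():
        # enabled + retired > total means some signatures are counted in both sets;
        # the difference is a lower bound on how many are enabled yet not scanning
        overlap = e["enabled"] + e["retired"] - e["total"]
        if overlap > 0:
            findings.append(f"{name}: at least {overlap} signatures are enabled but retired "
                            f"(enabled is not the same as active)")
        if e["compiled"] == 0:
            findings.append(f"{name}: no compiled signatures, this engine scans nothing")
    return findings

def active_matches_compiled(totals, active_from_config):
    """'Total Active Signatures' in 'show ip ips configuration' should equal the compiled total."""
    return totals.get("compiled") == active_from_config

# Constructed sample: three engines taken from the post's output, with totals recomputed
# so the subset is self-consistent.
SAMPLE_OUTPUT = """\
Cisco SDF release version S456.0
Trend SDF release version V0.0

Signature Micro-Engine: multi-string: Total Signatures 40
      multi-string enabled signatures: 34
      multi-string retired signatures: 34
      multi-string compiled signatures: 6

Signature Micro-Engine: string-icmp: Total Signatures 3
      string-icmp enabled signatures: 0
      string-icmp retired signatures: 3

Signature Micro-Engine: service-dns: Total Signatures 39
      service-dns enabled signatures: 27
      service-dns retired signatures: 10
      service-dns compiled signatures: 29
      service-dns obsoleted signatures: 1

Total Signatures: 82
   Total Enabled Signatures: 61
   Total Retired Signatures: 47
   Total Compiled Signatures: 35
   Total Obsoleted Signatures: 1
"""

if __name__ == "__main__":
    engines, totals = parse_signature_count(SAMPLE_OUTPUT)
    for finding in audit(engines, totals):
        print(finding)
```

Run against the full output from the router (for example, pasted from a terminal log), the same audit tells you immediately which engines were left with nothing to scan after the category changes.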

OK, how do we modify signatures? Simple: use Security Device Manager (SDM), the GUI. Unfortunately, in the lab that option is not available, so let's take a look at how to do it from the CLI. We'll modify the signature for ICMP echo request. In a security lab, the IPS Sensor GUI (IDM) could be used on an appliance to discover which signature number is ICMP echo; in the R/S lab, the online documentation or the signature number given in a task would be helpful. Signature 2004, sub-signature 0 is the signature for ICMP echo.

Let's look at the default for this signature first:

R6#show ip ips signature sigid 2004 subid 0

En  - possible values are Y, Y*, N, or N*
      Y:  signature is enabled
      N:  enabled=false in the signature definition file
      *:  retired=true in the signature definition file
Cmp - possible values are Y, Ni, Nr, Nf, or No
      Y:  signature is compiled
      Ni: signature not compiled due to invalid or missing parameters
      Nr: signature not compiled because it is retired
      Nf: signature compile failed
      No: signature is obsoleted
Action=(A)lert, (D)eny, (R)eset, Deny-(H)ost, Deny-(F)low
Trait=alert-traits             EC=event-count          AI=alert-interval
GST=global-summary-threshold   SI=summary-interval     SM=summary-mode
SW=swap-attacker-victim        SFR=sig-fidelity-rating Rel=release

 SigID:SubID En  Cmp   Action Sev   Trait   EC   AI   GST   SI  SM SW SFR Rel
 ----------- --  ----  ------ ---   -----  ---- ---- -----  --- -- -- --- ---
  2004:0     N* Nr    A     INFO     0     1    0    200   30  FA  N 100 S1
      sig-name: ICMP Echo Request
      sig-string-info: My Sig Info
      sig-comment: Sig Comment
      Engine atomic-ip params:
           fragment-status :
           icmp-type : 8
           l4-protocol : icmp
R6#

Now we will tweak this signature. Take a look at the config, and it is apparent what we are configuring: true. (You may get the joke after looking at the config: true, or not: false :)

R6(config)#ip ips signature-definition
R6(config-sigdef)#signature 2004 0
R6(config-sigdef-sig)#engine
R6(config-sigdef-sig-engine)#event-action produce-alert
R6(config-sigdef-sig-engine)#exit
R6(config-sigdef-sig)#alert-severity high
R6(config-sigdef-sig)#status
R6(config-sigdef-sig-status)#enabled true
R6(config-sigdef-sig-status)#retired false
R6(config-sigdef-sig-status)#exit
R6(config-sigdef-sig)#exit
R6(config-sigdef)#exit
Do you want to accept these changes? [confirm]
R6(config)#
%IPS-6-ENGINE_BUILDS_STARTED: Jan 14 2010
%IPS-6-ENGINE_BUILDING: atomic-ip - 373 signatures - 1 of 13 engines
%IPS-6-ENGINE_READY: atomic-ip - build time 4764 ms - packets for this engine will be scanned
%IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 5596 ms
R6(config)#exit

Now let's look at the results of the changes.

R6#show ip ips signature sigid 2004 subid 0

En  - possible values are Y, Y*, N, or N*
      Y:  signature is enabled
      N:  enabled=false in the signature definition file
      *:  retired=true in the signature definition file
Cmp - possible values are Y, Ni, Nr, Nf, or No
      Y:  signature is compiled
      Ni: signature not compiled due to invalid or missing parameters
      Nr: signature not compiled because it is retired
      Nf: signature compile failed
      No: signature is obsoleted
Action=(A)lert, (D)eny, (R)eset, Deny-(H)ost, Deny-(F)low
Trait=alert-traits             EC=event-count          AI=alert-interval
GST=global-summary-threshold   SI=summary-interval     SM=summary-mode
SW=swap-attacker-victim        SFR=sig-fidelity-rating Rel=release

 SigID:SubID En  Cmp   Action Sev   Trait   EC   AI   GST   SI  SM SW SFR Rel
 ----------- --  ----  ------ ---   -----  ---- ---- -----  --- -- -- --- ---
  2004:0     Y Y     A     HIGH     0     1    0    200   30  FA  N 100 S1
      sig-name: ICMP Echo Request
      sig-string-info: My Sig Info
      sig-comment: Sig Comment
      Engine atomic-ip params:
           fragment-status :
           icmp-type : 8
           l4-protocol : icmp
R6#

We can do a simple test by issuing a ping to 6.6.6.6 from a neighbor, R4.

Neighbor-R4#ping 6.6.6.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
R4#

Now let's take a look at the console on R6. We did set IPS to send syslog messages for alerts.

R6#
%IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:100 ICMP Echo Request [40.0.0.4:8 -> 6.6.6.6:0] VRF:NONE RiskRating:100
%IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:100 ICMP Echo Request [40.0.0.4:8 -> 6.6.6.6:0] VRF:NONE RiskRating:100
%IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:100 ICMP Echo Request [40.0.0.4:8 -> 6.6.6.6:0] VRF:NONE RiskRating:100
%IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:100 ICMP Echo Request [40.0.0.4:8 -> 6.6.6.6:0] VRF:NONE RiskRating:100
%IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:100 ICMP Echo Request [40.0.0.4:8 -> 6.6.6.6:0] VRF:NONE RiskRating:100
R6#
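Once the router is sending these alerts to syslog, the next question is how to read them at scale. The following is an added example, not code from the post, that parses %IPS-4-SIGNATURE lines into structured fields and counts hits per signature and source/destination pair, so repeated hits from one host (like the five echo requests above) stand out. The sample log is constructed from the five lines R6 printed plus one extra alert from a made-up source and one unrelated syslog line; the regex and function names are mine. In the ICMP alerts the two "port" positions show 8 -> 0, which corresponds to ICMP type 8, code 0 (echo request).

```python
import re
from collections import Counter

IPS_ALERT_RE = re.compile(
    r"%IPS-4-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<name>.+?) \[(?P<src>[^:\]]+):(?P<sport>\d+) -> (?P<dst>[^:\]]+):(?P<dport>\d+)\] "
    r"VRF:(?P<vrf>\S+) RiskRating:(?P<rr>\d+)"
)

def parse_ips_alert(line):
    """Return the fields of one %IPS-4-SIGNATURE line, or None for any other syslog line."""
    m = IPS_ALERT_RE.search(line)
    if not m:
        return None
    event = m.groupdict()
    for key in ("sig", "subsig", "sev", "sport", "dport", "rr"):
        event[key] = int(event[key])
    return event

def summarize_alerts(lines, min_risk=0):
    """Count alerts per (sig, subsig, src, dst), dropping lines below min_risk RiskRating."""
    counts = Counter()
    for line in lines:
        ev = parse_ips_alert(line)
        if ev and ev["rr"] >= min_risk:
            counts[(ev["sig"], ev["subsig"], ev["src"], ev["dst"])] += 1
    return counts

def noisy_pairs(counts, threshold):
    """(key, count) entries at or above threshold, highest first: one host tripping the same signature repeatedly."""
    return sorted(((k, n) for k, n in counts.items() if n >= threshold), key=lambda kv: -kv[1])

# Constructed sample: the five alerts R6 logged in the post, one extra alert from a made-up
# source 10.0.0.9, and one unrelated IOS syslog line that the parser must ignore.
PAGE_ALERT = ("%IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:100 ICMP Echo Request "
              "[40.0.0.4:8 -> 6.6.6.6:0] VRF:NONE RiskRating:100")
SAMPLE_LOG = [PAGE_ALERT] * 5 + [
    "%IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:100 ICMP Echo Request "
    "[10.0.0.9:8 -> 6.6.6.6:0] VRF:NONE RiskRating:100",          # constructed
    "%SYS-5-CONFIG_I: Configured from console by console",         # not an IPS alert
]

if __name__ == "__main__":
    counts = summarize_alerts(SAMPLE_LOG)
    for (sig, subsig, src, dst), n in noisy_pairs(counts, threshold=5):
        print(f"sig {sig}:{subsig} {src} -> {dst}: {n} hits")
```

The same parser works on lines collected by a syslog server, where a threshold over a time window (rather than over the whole file, as here) is the usual next step.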

Enjoy your practice, and best wishes from all of us at INE!


13 Responses to “IOS IPS: CCIE RS, CCIE SC”

 
  1. IOS IPS on CCIE R&S? Could you please elaborate? I already have a long list to read and unfortunately, IOS IPS is NOT on my list.

    I haven’t read the CCIE RS WB vol1 Security. Should I expect to get a glimpse of it on this WB?

  2. Yup, it’s there. 11.44 IOS IPS…

    How far should I go? :-)

  3. RoutSec says:

    Funny, TacACK and I were just working on this. You must have read our minds. As always, thanks for the great information, it is very helpful.

  4. Tacack says:

    Thanks a lot!

    Great article. In fact it was just the other day that @routsec ( Ryan Schuett ) and I were discussing this in a WAVE.

    Cheers,
    TacACK

  5. Thanks! I’d better finish reading the new Odom’s book, then ask, so at least I know what I should know :-)

  6. irom says:

    To discover which signature number is ICMP echo I use ‘sh ip audit count’ on … ASA which is available on CCIE Sec;) It takes less time than doing it through IDM

  7. rchopra says:

    Where would be the best place to find this in the documentation that you are able to access in the lab?

  8. Anantha Subramanian Natarajan says:

    Hi,

    Step by step explanation on setting up IOS IPS, really great… Thank you very much… It would be great to have a post from you on SEAP, SEAH, SEAO, SEAF…

    Thanks

    Regards
    Anantha Subramanian Natarajan

  9. [...] had also improved his skills in MPLS, Multi-Protocol BGP, IOS IPS, EEM, and many other areas by using the sweet blog articles at INE.  (Shameless Plug [...]

  10. sanjay says:

    Really good information on IOS IPS…

  11. [...] is a link to INE’s Blog, the blog post has some great insight into what these files actually are (amongst more great [...]
