Thursday, September 22, 2011

Cisco IOS IPS (Filtering with IOS Part 10)


R2 will serve as the IPS preventing specific traffic between R1 and R3.


To begin with IOS IPS, I first download the IPS signature package from Cisco.com
http://tools.cisco.com/support/downloads/go/Model.x?mdfid=281442967&mdfLevel=Software%20Family&treeName=Security&modelName=Cisco%20IOS%20Intrusion%20Prevention%20System%20Feature%20Software&treeMdfId=268438162
and the public crypto key that IOS IPS uses to verify the signature package: http://download-sj.cisco.com/cisco/ciscosecure/ids/sigup/5.0/ios/realm-cisco.pub.key.txt

Next, I will create a directory on R2 to store the IPS signature files and configurations.

R2#mkdir IPS
Create directory filename [IPS]? 
Created dir flash:/IPS
R2#dir
Directory of flash:/


    1  -rw-    38765296  Jul 12 2010 18:57:38 +00:00  c2800nm-advsecurityk9-mz.124-24.T3.bin
   15  drw-           0  Sep 23 2011 03:10:14 +00:00  IPS


64016384 bytes total (25243648 bytes free)
R2#

Now I'll paste the contents of realm-cisco.pub.key.txt into R2's configuration to install the public key used by IOS IPS.

R2#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#crypto key pubkey-chain rsa
R2(config-pubkey-chain)# named-key realm-cisco.pub signature
Translating "realm-cisco.pub"


R2(config-pubkey-key)#  key-string
Enter a public key as a hexidecimal number ....


R2(config-pubkey)#   30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
R2(config-pubkey)#   00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
R2(config-pubkey)#   17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
R2(config-pubkey)#   B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
R2(config-pubkey)#   5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
R2(config-pubkey)#   FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
R2(config-pubkey)#   50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
R2(config-pubkey)#   006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
R2(config-pubkey)#   2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
R2(config-pubkey)#   F3020301 0001
R2(config-pubkey)# quit
R2(config-pubkey-key)# exit
R2(config-pubkey-chain)# exit 
R2(config)#
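Because the key is pasted by hand, a dropped or mistyped hex word is easy to miss and only shows up later when the signature package fails to load. The following script is an added example, not part of the original post or of Cisco's tooling: it takes the key-string hex exactly as entered above and walks the DER structure with a minimal parser (no external libraries) to confirm that it is a well-formed RSA SubjectPublicKeyInfo, reporting the modulus size and public exponent. The function names are my own.

```python
"""Sanity-check an IOS IPS `key-string` paste before loading signatures.

KEY_STRING_HEX is the realm-cisco.pub key exactly as typed into
`crypto key pubkey-chain rsa` above. The DER walker below is deliberately
tiny: it only understands the SEQUENCE / OID / NULL / BIT STRING / INTEGER
layout of an RSA SubjectPublicKeyInfo, which is all this check needs.
"""

KEY_STRING_HEX = """
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
F3020301 0001
"""

RSA_ENCRYPTION_OID = "1.2.840.113549.1.1.1"  # id-rsaEncryption (PKCS #1)


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("key-string ends in the middle of a DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element runs past the end of the key-string (truncated paste?)")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode base-128 OID arcs into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_rsa_public_key(hex_text):
    """Parse a key-string hex dump; return algorithm OID, modulus bits and exponent."""
    der = bytes.fromhex("".join(hex_text.split()))
    tag, spki, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("outer SEQUENCE does not span the whole key-string")
    tag, alg_id, pos = _read_tlv(spki, 0)           # AlgorithmIdentifier
    oid_tag, oid_raw, _ = _read_tlv(alg_id, 0)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("AlgorithmIdentifier is malformed")
    tag, bitstr, _ = _read_tlv(spki, pos)            # subjectPublicKey BIT STRING
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("subjectPublicKey is not a byte-aligned BIT STRING")
    _, rsa_key, _ = _read_tlv(bitstr[1:], 0)         # RSAPublicKey SEQUENCE
    tag_n, n_raw, pos = _read_tlv(rsa_key, 0)
    tag_e, e_raw, _ = _read_tlv(rsa_key, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("RSAPublicKey integers are malformed")
    n = int.from_bytes(n_raw, "big")
    e = int.from_bytes(e_raw, "big")
    return {"algorithm": _decode_oid(oid_raw), "modulus_bits": n.bit_length(), "exponent": e}


if __name__ == "__main__":
    info = parse_rsa_public_key(KEY_STRING_HEX)
    print(info)  # expect an RSA OID, a 2048-bit modulus and exponent 65537
```

Run it against any future key-string paste: a ValueError means the hex does not decode to a complete key and should be re-pasted before `copy ... idconf` is attempted.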

Now, I'll create a rule name that will be used on an interface, point IOS IPS to the directory that will contain the IPS signature files, and enable IPS SDEE and log notifications. Note that SDEE notifications will not work unless ip http server is enabled.

R2(config)#ip ips name IOSIPS
R2(config)#ip ips config location flash:IPS
R2(config)#ip ips notify sdee
R2(config)#ip ips notify log
R2(config)#ip http server

To avoid exhausting R2's memory, I'll configure IOS IPS to retire all signatures and then un-retire only the ios_ips basic category.

R2(config)#ip ips signature-category 
R2(config-ips-category)#category all 
R2(config-ips-category-action)#retired true
R2(config-ips-category-action)#category ios_ips basic
R2(config-ips-category-action)#retired false 
R2(config-ips-category-action)#exit
R2(config-ips-category)#exit
Do you want to accept these changes? [confirm]
R2(config)#

Now I'll apply the rule to the fa0/1 interface in both directions.

R2(config)#interface fa0/1
R2(config-if)#ip ips IOSIPS in 
R2(config-if)#ip ips IOSIPS out
*Sep 23 04:35:02.891: %IPS-6-ENGINE_BUILDS_STARTED:  04:35:02 UTC Sep 23 2011
*Sep 23 04:35:02.891: %IPS-6-ENGINE_BUILDING: atomic-ip - 3 signatures - 1 of 13 engines
*Sep 23 04:35:02.903: %IPS-6-ENGINE_READY: atomic-ip - build time 12 ms - packets for this engine will be scanned
*Sep 23 04:35:02.903: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 12 ms

To load the IOS IPS signature file I downloaded earlier, I created an FTP server at 192.168.1.1 and connected to it with R2's VLAN2 interface, 192.168.1.2. I'll use FTP to copy the file with the parameter "idconf". This parameter initiates the compiling process once the copy is complete.

R2#copy ftp://jason:cisco@192.168.1.71/IOS-S595-CLI.pkg idconf
Loading IOS-S595-CLI.pkg !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 13572723/4096 bytes]


*Sep 23 04:38:37.959: %IPS-6-ENGINE_BUILDS_STARTED:  04:38:37 UTC Sep 23 2011
*Sep 23 04:38:37.967: %IPS-6-ENGINE_BUILDING: multi-string - 228 signatures - 1 of 13 engines
*Sep 23 04:38:38.795: %IPS-6-ENGINE_READY: multi-string - build time 828 ms - packets for this engine will be scanned
*Sep 23 04:38:38.819: %IPS-6-ENGINE_BUILDING: service-http - 914 signatures - 2 of 13 engines
*Sep 23 04:38:41.855: %IPS-6-ENGINE_READY: service-http - build time 3036 ms - packets for this engine will be scanned
*Sep 23 04:38:41.915: %IPS-6-ENGINE_BUILDING: string-tcp - 2441 signatures - 3 of 13 engines
*Sep 23 04:38:53.723: %IPS-6-ENGINE_READY: string-tcp - build time 11808 ms - packets for this engine will be scanned
*Sep 23 04:38:53.731: %IPS-6-ENGINE_BUILDING: string-udp - 79 signatures - 4 of 13 engines
*Sep 23 04:38:53.883: %IPS-6-ENGINE_READY: string-udp - build time 152 ms - packets for this engine will be scanned
*Sep 23 04:38:53.883: %IPS-6-ENGINE_BUILDING: state - 39 signatures - 5 of 13 engines
*Sep 23 04:38:54.139: %IPS-6-ENGINE_READY: state - build time 256 ms - packets for this engine will be scanned
*Sep 23 04:38:54.235: %IPS-6-ENGINE_BUILDING: atomic-ip - 424 signatures - 6 of 13 engines
*Sep 23 04:38:55.963: %IPS-6-ENGINE_READY: atomic-ip - build time 1728 ms - packets for this engine will be scanned
*Sep 23 04:38:56.051: %IPS-6-ENGINE_BUILDING: string-icmp - 3 signatures - 7 of 13 engines
*Sep 23 04:38:56.051: %IPS-6-ENGINE_READY: string-icmp - build time 0 ms - packets for this engine will be scanned
*Sep 23 04:38:56.051: %IPS-6-ENGINE_BUILDING: service-ftp - 3 signatures - 8 of 13 engines
*Sep 23 04:38:56.071: %IPS-6-ENGINE_READY: service-ftp - build time 20 ms - packets for this engine will be scanned
*Sep 23 04:38:56.075: %IPS-6-ENGINE_BUILDING: service-rpc - 78 signatures - 9 of 13 engines
*Sep 23 04:38:56.275: %IPS-6-ENGINE_READY: service-rpc - build time 200 ms - packets for this engine will be scanned
*Sep 23 04:38:56.275: %IPS-6-ENGINE_BUILDING: service-dns - 39 signatures - 10 of 13 engines
*Sep 23 04:38:56.335: %IPS-6-ENGINE_READY: service-dns - build time 56 ms - packets for this engine will be scanned
*Sep 23 04:38:56.335: %IPS-6-ENGINE_BUILDING: normalizer - 9 signatures - 11 of 13 engines
*Sep 23 04:38:56.339: %IPS-6-ENGINE_READY: normalizer - build time 4 ms - packets for this engine will be scanned
*Sep 23 04:38:56.343: %IPS-6-ENGINE_BUILDING: service-smb-advanced - 63 signatures - 12 of 13 engines
*Sep 23 04:38:57.819: %IPS-6-ENGINE_READY: service-smb-advanced - build time 1476 ms - packets for this engine will be scanned
*Sep 23 04:38:57.819: %IPS-6-ENGINE_BUILDING: service-msrpc - 36 signatures - 13 of 13 engines
*Sep 23 04:38:58.151: %IPS-6-ENGINE_READY: service-msrpc - build time 332 ms - packets for this engine will be scanned
*Sep 23 04:38:58.151: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 20192 ms
R2#
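The engine-build syslog messages above are the only confirmation that the package compiled, and on a busy console it is easy to miss one engine that never reported READY. As an added example (not part of the original post or of any Cisco tool), the script below parses those %IPS-6 messages into a per-engine report, sums the signature counts, and flags any engine that started building but never became ready. The log text is copied from the console output above; the function names are my own.

```python
"""Summarise IOS IPS engine-build syslog messages after `copy ... idconf`."""
import re

# Console output copied from the build above (constructed sample for this script).
BUILD_LOG = """\
*Sep 23 04:38:37.959: %IPS-6-ENGINE_BUILDS_STARTED:  04:38:37 UTC Sep 23 2011
*Sep 23 04:38:37.967: %IPS-6-ENGINE_BUILDING: multi-string - 228 signatures - 1 of 13 engines
*Sep 23 04:38:38.795: %IPS-6-ENGINE_READY: multi-string - build time 828 ms - packets for this engine will be scanned
*Sep 23 04:38:38.819: %IPS-6-ENGINE_BUILDING: service-http - 914 signatures - 2 of 13 engines
*Sep 23 04:38:41.855: %IPS-6-ENGINE_READY: service-http - build time 3036 ms - packets for this engine will be scanned
*Sep 23 04:38:41.915: %IPS-6-ENGINE_BUILDING: string-tcp - 2441 signatures - 3 of 13 engines
*Sep 23 04:38:53.723: %IPS-6-ENGINE_READY: string-tcp - build time 11808 ms - packets for this engine will be scanned
*Sep 23 04:38:53.731: %IPS-6-ENGINE_BUILDING: string-udp - 79 signatures - 4 of 13 engines
*Sep 23 04:38:53.883: %IPS-6-ENGINE_READY: string-udp - build time 152 ms - packets for this engine will be scanned
*Sep 23 04:38:53.883: %IPS-6-ENGINE_BUILDING: state - 39 signatures - 5 of 13 engines
*Sep 23 04:38:54.139: %IPS-6-ENGINE_READY: state - build time 256 ms - packets for this engine will be scanned
*Sep 23 04:38:54.235: %IPS-6-ENGINE_BUILDING: atomic-ip - 424 signatures - 6 of 13 engines
*Sep 23 04:38:55.963: %IPS-6-ENGINE_READY: atomic-ip - build time 1728 ms - packets for this engine will be scanned
*Sep 23 04:38:56.051: %IPS-6-ENGINE_BUILDING: string-icmp - 3 signatures - 7 of 13 engines
*Sep 23 04:38:56.051: %IPS-6-ENGINE_READY: string-icmp - build time 0 ms - packets for this engine will be scanned
*Sep 23 04:38:56.051: %IPS-6-ENGINE_BUILDING: service-ftp - 3 signatures - 8 of 13 engines
*Sep 23 04:38:56.071: %IPS-6-ENGINE_READY: service-ftp - build time 20 ms - packets for this engine will be scanned
*Sep 23 04:38:56.075: %IPS-6-ENGINE_BUILDING: service-rpc - 78 signatures - 9 of 13 engines
*Sep 23 04:38:56.275: %IPS-6-ENGINE_READY: service-rpc - build time 200 ms - packets for this engine will be scanned
*Sep 23 04:38:56.275: %IPS-6-ENGINE_BUILDING: service-dns - 39 signatures - 10 of 13 engines
*Sep 23 04:38:56.335: %IPS-6-ENGINE_READY: service-dns - build time 56 ms - packets for this engine will be scanned
*Sep 23 04:38:56.335: %IPS-6-ENGINE_BUILDING: normalizer - 9 signatures - 11 of 13 engines
*Sep 23 04:38:56.339: %IPS-6-ENGINE_READY: normalizer - build time 4 ms - packets for this engine will be scanned
*Sep 23 04:38:56.343: %IPS-6-ENGINE_BUILDING: service-smb-advanced - 63 signatures - 12 of 13 engines
*Sep 23 04:38:57.819: %IPS-6-ENGINE_READY: service-smb-advanced - build time 1476 ms - packets for this engine will be scanned
*Sep 23 04:38:57.819: %IPS-6-ENGINE_BUILDING: service-msrpc - 36 signatures - 13 of 13 engines
*Sep 23 04:38:58.151: %IPS-6-ENGINE_READY: service-msrpc - build time 332 ms - packets for this engine will be scanned
*Sep 23 04:38:58.151: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 20192 ms
"""

BUILDING_RE = re.compile(r"%IPS-6-ENGINE_BUILDING: (\S+) - (\d+) signatures - (\d+) of (\d+) engines")
READY_RE = re.compile(r"%IPS-6-ENGINE_READY: (\S+) - build time (\d+) ms")
COMPLETE_RE = re.compile(r"%IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time (\d+) ms")


def parse_engine_builds(log):
    """Return a report of engines, signature totals and whether the build completed."""
    engines, expected, elapsed = {}, None, None
    for line in log.splitlines():
        m = BUILDING_RE.search(line)
        if m:
            name, sigs, _idx, total = m.groups()
            engines[name] = {"signatures": int(sigs), "build_ms": None}
            expected = int(total)
            continue
        m = READY_RE.search(line)
        if m:
            engines.setdefault(m.group(1), {"signatures": 0, "build_ms": None})
            engines[m.group(1)]["build_ms"] = int(m.group(2))
            continue
        m = COMPLETE_RE.search(line)
        if m:
            elapsed = int(m.group(1))
    not_ready = sorted(n for n, e in engines.items() if e["build_ms"] is None)
    return {
        "engines": engines,
        "expected_engines": expected,
        "not_ready": not_ready,
        "total_signatures": sum(e["signatures"] for e in engines.values()),
        "elapsed_ms": elapsed,
        # complete only if every announced engine reported READY and the summary line arrived
        "complete": elapsed is not None and expected == len(engines) and not not_ready,
    }


def slowest_engines(report, n=3):
    """Engines ordered by build time, longest first (useful when sizing the signature set)."""
    ready = [(name, e["build_ms"]) for name, e in report["engines"].items() if e["build_ms"] is not None]
    return sorted(ready, key=lambda pair: pair[1], reverse=True)[:n]


if __name__ == "__main__":
    r = parse_engine_builds(BUILD_LOG)
    print(r["complete"], r["total_signatures"], r["not_ready"], slowest_engines(r))
```

The signature total the script computes should equal the "Total Signatures" line of `show ip ips signature count`; if an engine appears in `not_ready`, the package did not fully compile and the build log (or `show ip ips statistics`) is the place to look next.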

I can verify the 6 signature files in the IPS directory:

R2#dir flash:IPS
Directory of flash:/IPS/


    4  -rw-      565829  Sep 23 2011 04:39:24 +00:00  R2-sigdef-default.xml
    5  -rw-         255  Sep 23 2011 04:35:02 +00:00  R2-sigdef-delta.xml
    6  -rw-        9482  Sep 23 2011 04:36:44 +00:00  R2-sigdef-typedef.xml
    7  -rw-       90856  Sep 23 2011 04:36:52 +00:00  R2-sigdef-category.xml
    8  -rw-         304  Sep 23 2011 04:35:04 +00:00  R2-seap-delta.xml
    9  -rw-         491  Sep 23 2011 04:35:04 +00:00  R2-seap-typedef.xml


64016384 bytes total (24551424 bytes free)

I can verify the compiled signature count with show ip ips signature count.

R2#show ip ips signature count


Cisco SDF release version S595.0
Trend SDF release version V0.0


Signature Micro-Engine: multi-string: Total Signatures 228
      multi-string enabled signatures: 154
      multi-string retired signatures: 224
      multi-string compiled signatures: 4
      multi-string obsoleted signatures: 1


Signature Micro-Engine: service-http: Total Signatures 914
      service-http enabled signatures: 178
      service-http retired signatures: 859
      service-http compiled signatures: 55
      service-http obsoleted signatures: 4


Signature Micro-Engine: string-tcp: Total Signatures 2441
      string-tcp enabled signatures: 645
      string-tcp retired signatures: 2315
      string-tcp compiled signatures: 126
      string-tcp obsoleted signatures: 35


Signature Micro-Engine: string-udp: Total Signatures 79
      string-udp enabled signatures: 0
      string-udp retired signatures: 73
      string-udp compiled signatures: 6
      string-udp obsoleted signatures: 2


Signature Micro-Engine: state: Total Signatures 39
      state enabled signatures: 1
      state retired signatures: 28
      state compiled signatures: 11


Signature Micro-Engine: atomic-ip: Total Signatures 424
      atomic-ip enabled signatures: 105
      atomic-ip retired signatures: 403
      atomic-ip compiled signatures: 21
      atomic-ip obsoleted signatures: 2


Signature Micro-Engine: string-icmp: Total Signatures 3
      string-icmp enabled signatures: 0
      string-icmp retired signatures: 3


Signature Micro-Engine: service-ftp: Total Signatures 3
      service-ftp enabled signatures: 1
      service-ftp retired signatures: 2
      service-ftp compiled signatures: 1


Signature Micro-Engine: service-rpc: Total Signatures 78
      service-rpc enabled signatures: 44
      service-rpc retired signatures: 54
      service-rpc compiled signatures: 24


Signature Micro-Engine: service-dns: Total Signatures 39
      service-dns enabled signatures: 26
      service-dns retired signatures: 16
      service-dns compiled signatures: 23
      service-dns obsoleted signatures: 1


Signature Micro-Engine: normalizer: Total Signatures 9
      normalizer enabled signatures: 8
      normalizer retired signatures: 1
      normalizer compiled signatures: 8


Signature Micro-Engine: service-smb-advanced: Total Signatures 63
      service-smb-advanced enabled signatures: 47
      service-smb-advanced retired signatures: 49
      service-smb-advanced compiled signatures: 14
      service-smb-advanced obsoleted signatures: 1


Signature Micro-Engine: service-msrpc: Total Signatures 36
      service-msrpc enabled signatures: 16
      service-msrpc retired signatures: 31
      service-msrpc compiled signatures: 5
      service-msrpc obsoleted signatures: 1


Total Signatures: 4356
   Total Enabled Signatures: 1225
   Total Retired Signatures: 4058
   Total Compiled Signatures: 298
   Total Obsoleted Signatures: 47


R2#

show ip ips signatures gives details on each signature; the legend at the top explains how the En and Cmp columns combine (for example, Y* means the signature is enabled in the definition file but retired, so it is not compiled).

R2#sh ip ips signatures        


Cisco SDF release version S595.0
Trend SDF release version V0.0


En  - possible values are Y, Y*, N, or N*
      Y:  signature is enabled
      N:  enabled=false in the signature definition file
      *:  retired=true in the signature definition file
Cmp - possible values are Y, Ni, Nr, Nf, or No
      Y:  signature is compiled
      Ni: signature not compiled due to invalid or missing parameters
      Nr: signature not compiled because it is retired
      Nf: signature compile failed
      No: signature is obsoleted
Action=(A)lert, (D)eny, (R)eset, Deny-(H)ost, Deny-(F)low
Trait=alert-traits             EC=event-count          AI=alert-interval
GST=global-summary-threshold   SI=summary-interval     SM=summary-mode
SW=swap-attacker-victim        SFR=sig-fidelity-rating Rel=release




Signature Micro-Engine: multi-string: Total Signatures 228
      multi-string enabled signatures: 154
      multi-string retired signatures: 224
      multi-string compiled signatures: 4
      multi-string obsoleted signatures: 1
 SigID:SubID En  Cmp   Action Sev   Trait   EC   AI   GST   SI  SM SW SFR Rel
 ----------- --  ----  ------ ---   -----  ---- ---- -----  --- -- -- --- ---
 50013:5     N*  Nr    ADR    MED     0     1    0      0    0  FA  N 100 S480   
 50013:4     N*  Nr    ADR    MED     0     1    0      0    0  FA  N 100 S480   
 50013:3     N*  Nr    ADR    MED     0     1    0      0    0  FA  N 100 S480   
 50013:2     N*  Nr    ADR    MED     0     1    0      0    0  FA  N 100 S480   
 50013:1     N*  Nr    ADR    MED     0     1    0      0    0  FA  N 100 S480   
 50013:0     N*  Nr    ADR    MED     0     1    0      0    0  FA  N 100 S480   
 50012:3     Y*  Nr    ADR    MED     0     1    0      0    0  FA  N 100 S480   
 50012:2     Y*  Nr    ADR    MED     0     1    0      0    0  FA  N 100 S480   
 50012:1     Y*  Nr    ADR    MED     0     1    0      0    0  FA  N 100 S480   
 50012:0     Y*  Nr    ADR    MED     0     1    0      0    0  FA  N 100 S480   
          
R2#
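The En/Cmp legend is easy to misread: a row marked Y* Nr is "enabled" in the definition file yet will never fire, because the retired flag keeps it out of the compiled set. As an added example (not part of the original post or of any Cisco tool), the script below parses the rows of the table above using that legend, decodes the action letters, and reports which signatures are enabled-but-inactive versus actually active. The table text is copied from the output above; the function names are my own.

```python
"""Decode `show ip ips signatures` rows using the En/Cmp legend printed above them."""
import re

# Constructed sample: the ten multi-string rows from the output above.
SIGNATURE_TABLE = """\
 SigID:SubID En  Cmp   Action Sev   Trait   EC   AI   GST   SI  SM SW SFR Rel
 ----------- --  ----  ------ ---   -----  ---- ---- -----  --- -- -- --- ---
 50013:5     N*  Nr    ADR    MED     0     1    0      0    0  FA  N 100 S480
 50013:4     N*  Nr    ADR    MED     0     1    0      0    0  FA  N 100 S480
 50013:3     N*  Nr    ADR    MED     0     1    0      0    0  FA  N 100 S480
 50013:2     N*  Nr    ADR    MED     0     1    0      0    0  FA  N 100 S480
 50013:1     N*  Nr    ADR    MED     0     1    0      0    0  FA  N 100 S480
 50013:0     N*  Nr    ADR    MED     0     1    0      0    0  FA  N 100 S480
 50012:3     Y*  Nr    ADR    MED     0     1    0      0    0  FA  N 100 S480
 50012:2     Y*  Nr    ADR    MED     0     1    0      0    0  FA  N 100 S480
 50012:1     Y*  Nr    ADR    MED     0     1    0      0    0  FA  N 100 S480
 50012:0     Y*  Nr    ADR    MED     0     1    0      0    0  FA  N 100 S480
"""

# Action letters as documented in the legend: (A)lert, (D)eny, (R)eset, Deny-(H)ost, Deny-(F)low
ACTIONS = {"A": "alert", "D": "deny", "R": "reset", "H": "deny-host", "F": "deny-flow"}
# Cmp values as documented in the legend
COMPILE_STATE = {
    "Y": "compiled",
    "Ni": "invalid or missing parameters",
    "Nr": "retired",
    "Nf": "compile failed",
    "No": "obsoleted",
}
ROW_RE = re.compile(r"^\s*(\d+):(\d+)\s+(Y\*?|N\*?)\s+(Y|Ni|Nr|Nf|No)\s+([ADRHF]+)\s+(\S+)")


def parse_signature_rows(text):
    """Parse table rows into dicts; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        sig_id, sub_id, en, cmp_, action, sev = m.groups()
        rows.append({
            "id": f"{sig_id}:{sub_id}",
            "enabled": en.startswith("Y"),      # Y / Y*: enabled=true in the definition file
            "retired": en.endswith("*"),        # trailing *: retired=true in the definition file
            "compiled": cmp_ == "Y",
            "compile_state": COMPILE_STATE[cmp_],
            "actions": [ACTIONS[c] for c in action],
            "severity": sev,
        })
    return rows


def enabled_but_inactive(rows):
    """Signatures the definition file enables but that are not in the compiled set."""
    return [r["id"] for r in rows if r["enabled"] and not r["compiled"]]


def active(rows):
    """Signatures that are both enabled and compiled, i.e. actually scanning traffic."""
    return [r["id"] for r in rows if r["enabled"] and r["compiled"]]


if __name__ == "__main__":
    rows = parse_signature_rows(SIGNATURE_TABLE)
    print("active:", active(rows))
    print("enabled but inactive:", enabled_but_inactive(rows))
```

Running it over the full `show ip ips signatures` output (paste it into SIGNATURE_TABLE) gives a quick audit of whether the category policy retired something the operator expected to be live; with only ios_ips basic un-retired, expect the list of enabled-but-inactive signatures to be long.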

