Cisco IPS

Ahmet YAKUPOGLU

How to emulate Cisco IPS

This tutorial is for learning purposes only to get familiar with IPS configurations and commands.

In this detailed tutorial, I will show you how you can emulate Cisco Intrusion Prevention System (IPS) 6 using Qemu & GNS3. I will be emulating IPS 4235 v 6.0.6(E3) in this tutorial.

To setup environment you need to download:

•GNS3 Version: v0.7.3 and newer recommended
•IPS Sensor Version: IPS 4235 v 6.0.6(E3)
•Qemu Version: 0.11.0

Note: I will NOT provide any images

1) Create two Disk Images (hda &hdb)

C:\Program Files\GNS3>qemu-img.exe create ipsdisk1.img 512M

C:\Program Files\GNS3>qemu-img.exe create ipsdisk2.img 4000M

 IPS_01

2) Load IPS CD Image using Qemu

C:\Program Files\GNS3>qemu.exe -hda ipsdisk1.img -hdb ipsdisk2.img -m 1024 -cdrom IPS-K9-cd-1.1-a-6.0-6-E3.iso -boot d

 IPS_02

2.1) when qemu boots, press ‘k’ to start the re-imaging process (image recovery).

 IPS_03 

2.3) after software reloads and qemu pauses in the BIOS screen complaining about boot issues. Exit the qemu process

 

3) Boot from the Re-Imaged Disks

Boot from the disk. When the system starts, you need to modify the grub boot entry to make sure the system starts at runlevel 1.

C:\Program Files\GNS3>qemu.exe -hda ipsdisk1.img -hdb ipsdisk2.img -m 1024

  IPS_04

3.1) at the grub menu, press “e” to edit the first boot entry.

IPS_05

3.2) Select the 2nd line (that starts with “kernel=”) and press “e” again.

IPS_06

3.3) Change the option init=loadrc to init=1, then Enter followed by “b” to boot.

IPS_07

IPS_08

3.4) The IPS software now boots into runlevel 1. When prompted, press Enter

IPS_09

3.5) And then type following commands:

/loadrc

cd /etc/init.d

./rc.init

IPS_10

3.6) ls –l

IPS_11

3.7) Type following commands to copy and then modify ids_functions

cp ids_functions ids_functions.orig

vi ids_functions

IPS_12 

In the resulting file, search for the string “845″ (with /845), it will jump to the section which looks like this:

elif [[ `isCPU 845` -eq $TRUE && $NUM_OF_PROCS -eq 1 ]]; then

MODEL=$IDS4215

HTLBLOW=8

MEM_PAGES=${HTLBLOW}

DEFAULT_MGT_OS=”fe0_0″

DEFAULT_MGT_CIDS=”FastEthernet0/0”

Replace the first line (the elif statement), MODEL, variables DEFAULT_MGT_OS and DEFAULT_MGT_CIDS to the following:

elif [[ 1 -eq 1 ]]; then

MODEL=$IDS4235

HTLBLOW=32

MEM_PAGES=${HTLBLOW}

DEFAULT_MGT_OS=”ma0_0

DEFAULT_MGT_CIDS=”Management0/0

Save and exit vi.

:wq<Return>

Note: i insert text before cursor, until <Esc> hit

x delete single character under cursor

:wq<Return> Write and Quit

:q<Return> Quit

 

4) Map the emulated NIC cards to IPS interface

To mapping the emulated NIC cards to the IPS interfaces. Type the following commands:

To copy and modify “interface.conf” file

cd /usr/cids/idsRoot/etc

cp interface.conf interface.conf.orig

vi interface.conf

 IPS_13

4.1) go to section that deals with the 4235 sensor. You only need to make modifications at the [models/IDS-4250/interfaces/X] sections.

Edit the section. The result should look like following:

[models/IDS-4250/interfaces/1]

name-template=Management0/0

port-number=0

pci-path=3.0

vendor-id=0x8086

device-id=0x100e

type=ge

mgmt-capable=yes

net-dev-only=yes

tcp-reset-capable=yes

[models/IDS-4250/interfaces/2]

name-template=GigabitEthernet0/0

port-number=1

pci-path=4.0

vendor-id=0x8086

device-id=0x100e

type=ge

sensing-capable=yes

tcp-reset-capable=yes

[models/IDS-4250/interfaces/3]

name-template=GigabitEthernet0/1

port-number=2

pci-path=5.0

vendor-id=0x8086

device-id=0x100e

type=ge

sensing-capable=yes

tcp-reset-capable=yes

[models/IDS-4250/interfaces/4]

name-template=GigabitEthernet0/2

port-number=3

pci-path=6.0

vendor-id=0x8086

device-id=0x100e

type=ge

sensing-capable=yes

tcp-reset-capable=yes

[models/IDS-4250/interfaces/5]

name-template=GigabitEthernet0/3

port-number=4

pci-path=7.0

vendor-id=0x8086

device-id=0x100e

type=ge

sensing-capable=yes

tcp-reset-capable=yes

 

Save and exit vi

:wq<Return>

4.1) reload the device

reboot

 IPS_14

Login:cisco

Password:cisco

5) GNS3 Configuration

Edit –>Preferences –>Qemu –>IDS

Choose binary image (hda and hdb)

RAM, number of NIC and Qemu Options

Note: add below to Qmu options

,serial=12345789012,uuid=E0A32395-8DFE-D511-8C31-001FC641BA6B,sku=011,family=IDS-4235/4250

IPS_15 

Create the Topology in GNS3 & boot the sensor. Access CLI & also access via IDM (IPS Device Manager) as shown.

– Create a New Project

– Insert a Cloud,

IPS_16 

 

Now setup IDS

At the prompt IPS#, enter the command setup and follow the instructions:

Continue with configuration dialog?[yes]: yes

Enter host name[IPS]: IPS4235

Enter IP interface[192.168.1.131/24,192.168.1.1]: 192.168.8.2/24,192.168.8.1

Enter telnet-server status[disabled]: enabled

Enter web-server port[443]:

Modify current access list?[no]: yes

Permit:

192.168.8.0/24

Modify system clock settings?[no]:

Modify interface/virtual sensor configuration?[no]:

Modify default threat prevention settings?[no]:

[2] Save configuration

 IPS_17

 IPS_18

 

Ahmet YAKUPOGLU

Leave a comment