Ahmet YAKUPOGLU
How to emulate Cisco IPS
This tutorial is for learning purposes only to get familiar with IPS configurations and commands.
In this detailed tutorial, I will show you how you can emulate Cisco Intrusion Prevention System (IPS) 6 using Qemu & GNS3. I will be emulating IPS 4235 v 6.0.6(E3) in this tutorial.
To set up the environment you need to download:
• GNS3 Version: v0.7.3 and newer recommended
• IPS Sensor Version: IPS 4235 v 6.0.6(E3)
• Qemu Version: 0.11.0
Note: I will NOT provide any images
1) Create two Disk Images (hda & hdb)
C:\Program Files\GNS3>qemu-img.exe create ipsdisk1.img 512M
C:\Program Files\GNS3>qemu-img.exe create ipsdisk2.img 4000M
2) Load IPS CD Image using Qemu
C:\Program Files\GNS3>qemu.exe -hda ipsdisk1.img -hdb ipsdisk2.img -m 1024 -cdrom IPS-K9-cd-1.1-a-6.0-6-E3.iso -boot d
2.1) When qemu boots, press 'k' to start the re-imaging process (image recovery).
2.2) After the software reloads, qemu pauses at the BIOS screen complaining about boot issues. Exit the qemu process.
3) Boot from the Re-Imaged Disks
Boot from the disk. When the system starts, you need to modify the grub boot entry to make sure the system starts at runlevel 1.
C:\Program Files\GNS3>qemu.exe -hda ipsdisk1.img -hdb ipsdisk2.img -m 1024
3.1) At the grub menu, press "e" to edit the first boot entry.
3.2) Select the 2nd line (the one that starts with "kernel=") and press "e" again.
3.3) Change the option init=loadrc to init=1, press Enter, then press "b" to boot.
3.4) The IPS software now boots into runlevel 1. When prompted, press Enter.
3.5) Then type the following commands:
/loadrc
cd /etc/init.d
./rc.init
3.6) ls -l
3.7) Type the following commands to copy and then modify ids_functions:
cp ids_functions ids_functions.orig
vi ids_functions
In the resulting file, search for the string "845" (type /845); vi jumps to the section that looks like this:
elif [[ `isCPU 845` -eq $TRUE && $NUM_OF_PROCS -eq 1 ]]; then
MODEL=$IDS4215
HTLBLOW=8
MEM_PAGES=${HTLBLOW}
DEFAULT_MGT_OS="fe0_0"
DEFAULT_MGT_CIDS="FastEthernet0/0"
Replace the first line (the elif statement), MODEL, HTLBLOW and the variables DEFAULT_MGT_OS and DEFAULT_MGT_CIDS so that the block reads as follows:
elif [[ 1 -eq 1 ]]; then
MODEL=$IDS4235
HTLBLOW=32
MEM_PAGES=${HTLBLOW}
DEFAULT_MGT_OS="ma0_0"
DEFAULT_MGT_CIDS="Management0/0"
Save and exit vi.
:wq<Return>
Note (vi keys):
i            insert text before the cursor, until <Esc> is hit
x            delete the single character under the cursor
:wq<Return>  write and quit
:q<Return>   quit
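The same ids_functions edit as in step 3.7, scripted with sed and checked afterwards, as an added example that is not part of the tutorial: the file path /etc/init.d/ids_functions is an assumption, and make_sample() writes a constructed copy of the block shown above so the script can be dry-run off the sensor.

```shell
#!/bin/sh
# Added example, not from the tutorial: apply the step 3.7 edit to
# ids_functions with sed instead of vi, keep the .orig backup, and verify.
# Assumption: on the sensor the file is /etc/init.d/ids_functions.

# Constructed sample of the "845" block as shown in the tutorial (for a dry run).
make_sample() {
  cat > "$1" <<'EOF'
elif [[ `isCPU 845` -eq $TRUE && $NUM_OF_PROCS -eq 1 ]]; then
    MODEL=$IDS4215
    HTLBLOW=8
    MEM_PAGES=${HTLBLOW}
    DEFAULT_MGT_OS="fe0_0"
    DEFAULT_MGT_CIDS="FastEthernet0/0"
EOF
}

# Patch only the 845 block (sed address range) so other MODEL= lines in the
# real file are untouched. Fails when the block is missing (e.g. on a second
# run) instead of silently leaving the sensor at the wrong model.
patch_ids_functions() {
  f="$1"
  grep -qF 'isCPU 845' "$f" || { echo "845 block not found in $f" >&2; return 1; }
  cp "$f" "$f.orig"
  sed -e '/isCPU 845/,/DEFAULT_MGT_CIDS=/{
s/elif \[\[ `isCPU 845` -eq \$TRUE && \$NUM_OF_PROCS -eq 1 ]]; then/elif [[ 1 -eq 1 ]]; then/
s/MODEL=\$IDS4215/MODEL=$IDS4235/
s/HTLBLOW=8[[:space:]]*$/HTLBLOW=32/
s/DEFAULT_MGT_OS="fe0_0"/DEFAULT_MGT_OS="ma0_0"/
s|DEFAULT_MGT_CIDS="FastEthernet0/0"|DEFAULT_MGT_CIDS="Management0/0"|
}' "$f" > "$f.new" && mv "$f.new" "$f"
}

# Confirm every line the tutorial expects is present and the old CPU test is gone.
verify_patch() {
  f="$1"
  grep -qF 'elif [[ 1 -eq 1 ]]; then' "$f" &&
  grep -qF 'MODEL=$IDS4235' "$f" &&
  grep -qF 'HTLBLOW=32' "$f" &&
  grep -qF 'DEFAULT_MGT_OS="ma0_0"' "$f" &&
  grep -qF 'DEFAULT_MGT_CIDS="Management0/0"' "$f" &&
  ! grep -qF 'isCPU 845' "$f"
}

# Dry run on the constructed sample; on the sensor run
# patch_ids_functions /etc/init.d/ids_functions && verify_patch /etc/init.d/ids_functions
if [ "${1:-}" = "--dry-run" ]; then
  t=$(mktemp) && make_sample "$t" && patch_ids_functions "$t" && verify_patch "$t" && echo "patch OK"
  rm -f "$t" "$t.orig"
fi
```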
4) Map the emulated NIC cards to the IPS interfaces
To map the emulated NIC cards to the IPS interfaces, type the following commands to copy and then modify the "interface.conf" file:
cd /usr/cids/idsRoot/etc
cp interface.conf interface.conf.orig
vi interface.conf
4.1) Go to the section that deals with the 4235 sensor. You only need to modify the [models/IDS-4250/interfaces/X] sections.
Edit the section. The result should look like the following:
[models/IDS-4250/interfaces/1]
name-template=Management0/0
port-number=0
pci-path=3.0
vendor-id=0x8086
device-id=0x100e
type=ge
mgmt-capable=yes
net-dev-only=yes
tcp-reset-capable=yes
[models/IDS-4250/interfaces/2]
name-template=GigabitEthernet0/0
port-number=1
pci-path=4.0
vendor-id=0x8086
device-id=0x100e
type=ge
sensing-capable=yes
tcp-reset-capable=yes
[models/IDS-4250/interfaces/3]
name-template=GigabitEthernet0/1
port-number=2
pci-path=5.0
vendor-id=0x8086
device-id=0x100e
type=ge
sensing-capable=yes
tcp-reset-capable=yes
[models/IDS-4250/interfaces/4]
name-template=GigabitEthernet0/2
port-number=3
pci-path=6.0
vendor-id=0x8086
device-id=0x100e
type=ge
sensing-capable=yes
tcp-reset-capable=yes
[models/IDS-4250/interfaces/5]
name-template=GigabitEthernet0/3
port-number=4
pci-path=7.0
vendor-id=0x8086
device-id=0x100e
type=ge
sensing-capable=yes
tcp-reset-capable=yes
Save and exit vi.
:wq<Return>
4.2) Reload the device:
reboot
Login:cisco
Password:cisco
5) GNS3 Configuration
Edit -> Preferences -> Qemu -> IDS
Choose the binary images (hda and hdb).
Set the RAM, the number of NICs and the Qemu Options.
Note: add the following to the Qemu options:
,serial=12345789012,uuid=E0A32395-8DFE-D511-8C31-001FC641BA6B,sku=011,family=IDS-4235/4250
Create the topology in GNS3 and boot the sensor. Access the CLI, and also IDM (IPS Device Manager), as shown.
- Create a New Project
- Insert a Cloud
Now set up the IDS.
At the prompt IPS#, enter the command setup and follow the instructions:
Continue with configuration dialog?[yes]: yes
Enter host name[IPS]: IPS4235
Enter IP interface[192.168.1.131/24,192.168.1.1]: 192.168.8.2/24,192.168.8.1
Enter telnet-server status[disabled]: enabled
Enter web-server port[443]:
Modify current access list?[no]: yes
Permit:
192.168.8.0/24
Modify system clock settings?[no]:
Modify interface/virtual sensor configuration?[no]:
Modify default threat prevention settings?[no]:
[2] Save configuration