Thread: Cisco IPS

  1. #1
    AO übergeek phishphreek
    Join Date
    Jan 2002
    Posts
    4,325

    Cisco IPS

    Just last week I updated to the latest 12.3T IOS (IOS 12.3(8)T).

    While reading some of the documentation and searching for new features within the CLI itself, I found

    ip ips

    Which is the Cisco Intrusion Prevention System.

    I configured it with the default rules but am unable to find any good documentation about the IPS itself and configuring additional rulesets. If the router had come with this IOS, then it would have an attack-drop.sdf file in the flash that I could merge with the default rules in the IOS. Since I upgraded mine... the file isn't there and I can't seem to find it anywhere.

    I just wanted to play and learn more about this IPS.

    So far it seems pretty cool. I'm seeing all kinds of stuff being dropped through the IPS.

    Before, you really only had ACLs to work with... and a basic IDS... but to include firewall/IDS/IPS in one... very cool! Especially because it's all in the router.

    I'm such a geek... I get excited when I find new features to play with...

    Anyway, anyone messing with this yet? Anyone know where I can find the sdf file?

    I'm going to continue reading docs but I figured I'd throw this out there and see if I catch anything.

    http://www.cisco.com/univercd/cc/td/...cr/sec_vcg.htm

    While searching for more info specifically on the IPS I've found some docs that it looks like Cisco took down... its in the cache, but not on the site. So, I can't find any specific documentation besides a pdf on how to configure it for an interface. I can't find any info on how to apply new rulesets or anything like that.

    Doh! I'm such a retard... if google has it cached... just use the cache! LoL

    Google Cisco IPS cache: www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a008021f875.html+Cisco+IOS+Intrusion+Prevention+System&hl=en

    I still can't find where to obtain the latest attack-drop.sdf file... probably because they took down that page? Man... they can make it really hard to find what you are looking for...
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  2. #2
    AO übergeek phishphreek
    Join Date
    Jan 2002
    Posts
    4,325
    Man... if it isn't one thing... its going to be another.

    Not enough freaking memory in my router!!!

    000021: *Mar 21 19:25:14.143 EST: %SYS-5-RESTART: System restarted --
    Cisco IOS Software, C806 Software (C806-K9O3SY6-M), Version 12.3(8)T, RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2004 by Cisco Systems, Inc.
    Compiled Fri 14-May-04 00:33 by eaarmas
    000022: *Mar 21 19:25:14.143 EST: %SNMP-5-COLDSTART: SNMP agent on host broadband is undergoing a cold start
    000023: *Mar 21 19:25:14.591 EST: %SSH-5-ENABLED: SSH 1.99 has been enabled
    000024: *Mar 21 19:25:19.579 EST: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
    000025: *Mar 21 19:25:34.351 EST: %IPS-6-ENGINE_READY: SERVICE.SMTP - 22780 ms - packets for this engine will be scanned
    000026: *Mar 21 19:25:34.355 EST: %IPS-6-ENGINE_BUILDING: SERVICE.RPC - 26 signatures - 6 of 13 engines
    000027: *Mar 21 19:25:34.507 EST: %IPS-6-ENGINE_READY: SERVICE.RPC - 152 ms - packets for this engine will be scanned
    000028: *Mar 21 19:25:34.507 EST: %IPS-6-ENGINE_BUILDING: SERVICE.DNS - 23 signatures - 7 of 13 engines
    000029: *Mar 21 19:25:34.879 EST: %IPS-6-ENGINE_READY: SERVICE.DNS - 368 ms - packets for this engine will be scanned
    000030: *Mar 21 19:25:34.879 EST: %IPS-6-ENGINE_BUILDING: SERVICE.HTTP - 24 signatures - 8 of 13 engines
    000031: *Mar 21 19:25:39.211 EST: %DIALER-6-BIND: Interface Vi1 bound to profile Di1
    000032: *Mar 21 19:25:39.275 EST: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
    000033: *Mar 21 19:25:41.127 EST: %IPS-6-ENGINE_READY: SERVICE.HTTP - 6248 ms - packets for this engine will be scanned
    000034: *Mar 21 19:25:41.127 EST: %IPS-6-ENGINE_BUILDING: ATOMIC.TCP - 6 signatures - 9 of 13 engines
    000035: *Mar 21 19:25:41.199 EST: %IPS-6-ENGINE_READY: ATOMIC.TCP - 68 ms - packets for this engine will be scanned
    000036: *Mar 21 19:25:41.203 EST: %IPS-6-ENGINE_BUILDING: ATOMIC.UDP - 7 signatures - 10 of 13 engines
    000037: *Mar 21 19:25:41.231 EST: %IPS-6-ENGINE_READY: ATOMIC.UDP - 28 ms - packets for this engine will be scanned
    000038: *Mar 21 19:25:41.235 EST: %IPS-6-ENGINE_BUILDING: ATOMIC.ICMP - 14 signatures - 11 of 13 engines
    000039: *Mar 21 19:25:41.263 EST: %IPS-6-ENGINE_READY: ATOMIC.ICMP - 28 ms - packets for this engine will be scanned
    000040: *Mar 21 19:25:41.267 EST: %IPS-6-ENGINE_BUILDING: ATOMIC.IPOPTIONS - 7 signatures - 12 of 13 engines
    000041: *Mar 21 19:25:41.283 EST: %IPS-6-ENGINE_READY: ATOMIC.IPOPTIONS - 16 ms - packets for this engine will be scanned
    000042: *Mar 21 19:25:41.283 EST: %IPS-6-ENGINE_BUILDING: ATOMIC.L3.IP - 6 signatures - 13 of 13 engines
    000043: *Mar 21 19:25:41.303 EST: %IPS-6-ENGINE_READY: ATOMIC.L3.IP - 16 ms - packets for this engine will be scanned
    000044: *Mar 21 19:25:41.443 EST: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed from 0x801A2108, alignment 0
    Pool: Processor Free: 37852 Cause: Not enough free memory
    Alternate Pool: None Free: 0 Cause: No Alternate pool

    -Process= "SSS Manager", ipl= 0, pid= 44
    -Traceback= 80079D64 8018F770 80192E0C 801A210C 806CF53C 806D1254 806D13D8 806D14D8 80183870 801887E4
    I know the date is wrong... but that's because I'm not syncing to an NTP server...

    Guess I won't be going on vacation after all! I'll have to get myself a new router that will have enough memory... Even if I do upgrade to the 831, that only gives me a maximum of 48MB... I have 32 now... and I can't upgrade mine.

    Maybe I'll just look into getting a PIX!

    Man... and I was really looking forward to playing with this IPS some more.
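
The boot log above can be triaged mechanically. The Python below is an added example, not code from the post or from Cisco: it parses the %IPS-6-ENGINE_BUILDING / %IPS-6-ENGINE_READY lines and the %SYS-2-MALLOCFAIL line together with its header-less "Pool:" continuation line, totals the signatures and build time per engine, flags any engine that started building but never reported ready, and records that a leading '*' on the timestamp means the router's clock is not authoritative (which is why the date looks wrong without NTP). The sample lines are copied from the log in the post with the earlier engines and the non-IPS lines dropped to keep it short; the function names and the layout of the summary dictionary are my own.

```python
"""Triage a Cisco IOS syslog excerpt for IPS engine build status and memory
exhaustion. Added example; it parses the log format shown in the post above."""
import re

# Lines copied from the router log in the post above; earlier engines and
# non-IPS lines are omitted to keep the sample short.
SAMPLE_LOG = """\
000025: *Mar 21 19:25:34.351 EST: %IPS-6-ENGINE_READY: SERVICE.SMTP - 22780 ms - packets for this engine will be scanned
000026: *Mar 21 19:25:34.355 EST: %IPS-6-ENGINE_BUILDING: SERVICE.RPC - 26 signatures - 6 of 13 engines
000027: *Mar 21 19:25:34.507 EST: %IPS-6-ENGINE_READY: SERVICE.RPC - 152 ms - packets for this engine will be scanned
000028: *Mar 21 19:25:34.507 EST: %IPS-6-ENGINE_BUILDING: SERVICE.DNS - 23 signatures - 7 of 13 engines
000029: *Mar 21 19:25:34.879 EST: %IPS-6-ENGINE_READY: SERVICE.DNS - 368 ms - packets for this engine will be scanned
000030: *Mar 21 19:25:34.879 EST: %IPS-6-ENGINE_BUILDING: SERVICE.HTTP - 24 signatures - 8 of 13 engines
000033: *Mar 21 19:25:41.127 EST: %IPS-6-ENGINE_READY: SERVICE.HTTP - 6248 ms - packets for this engine will be scanned
000042: *Mar 21 19:25:41.283 EST: %IPS-6-ENGINE_BUILDING: ATOMIC.L3.IP - 6 signatures - 13 of 13 engines
000043: *Mar 21 19:25:41.303 EST: %IPS-6-ENGINE_READY: ATOMIC.L3.IP - 16 ms - packets for this engine will be scanned
000044: *Mar 21 19:25:41.443 EST: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed from 0x801A2108, alignment 0
Pool: Processor Free: 37852 Cause: Not enough free memory
"""

# Generic IOS syslog line: optional sequence number, timestamp (a leading '*'
# means the clock is not authoritative), then %FACILITY-SEVERITY-MNEMONIC: msg.
SYSLOG_RE = re.compile(
    r"^(?:(?P<seq>\d+): )?(?P<unsynced>\*)?"
    r"(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d(?:\.\d+)?(?: [A-Z]+)?): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<msg>.*)$"
)
BUILDING_RE = re.compile(r"^(?P<engine>\S+) - (?P<sigs>\d+) signatures - (?P<idx>\d+) of (?P<total>\d+) engines$")
READY_RE = re.compile(r"^(?P<engine>\S+) - (?P<ms>\d+) ms - ")
MALLOC_RE = re.compile(r"Memory allocation of (?P<bytes>\d+) bytes failed")
# Continuation line IOS prints right after MALLOCFAIL; it carries no syslog header.
POOL_RE = re.compile(r"^Pool: (?P<pool>\w+) Free: (?P<free>\d+) Cause: (?P<cause>.+)$")


def summarize_ips_boot(log_text):
    """Return per-engine build stats, MALLOCFAIL events and clock status for one boot."""
    engines = {}           # engine name -> {"signatures", "build_ms", "index"}
    expected_engines = None
    malloc_failures = []
    clock_unsynced = False
    pending = None         # MALLOCFAIL entry still waiting for its "Pool:" line
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SYSLOG_RE.match(line)
        if m is None:
            p = POOL_RE.match(line)
            if p and pending is not None:
                pending.update(pool=p["pool"], free_bytes=int(p["free"]), cause=p["cause"])
                pending = None
            continue
        pending = None
        clock_unsynced = clock_unsynced or m["unsynced"] is not None
        key, msg = (m["facility"], m["mnemonic"]), m["msg"]
        if key == ("IPS", "ENGINE_BUILDING"):
            b = BUILDING_RE.match(msg)
            if b:
                e = engines.setdefault(b["engine"], {"signatures": None, "build_ms": None, "index": None})
                e["signatures"], e["index"] = int(b["sigs"]), int(b["idx"])
                expected_engines = int(b["total"])
        elif key == ("IPS", "ENGINE_READY"):
            r = READY_RE.match(msg)
            if r:
                e = engines.setdefault(r["engine"], {"signatures": None, "build_ms": None, "index": None})
                e["build_ms"] = int(r["ms"])
        elif key == ("SYS", "MALLOCFAIL"):
            f = MALLOC_RE.search(msg)
            pending = {"seq": m["seq"], "bytes": int(f["bytes"]) if f else None,
                       "pool": None, "free_bytes": None, "cause": None}
            malloc_failures.append(pending)
    return {"engines": engines, "expected_engines": expected_engines,
            "malloc_failures": malloc_failures, "clock_unsynced": clock_unsynced}


def totals(summary):
    """Signature count and build time summed over the engines seen in the log."""
    engines = summary["engines"].values()
    return (sum(e["signatures"] or 0 for e in engines), sum(e["build_ms"] or 0 for e in engines))


def assess(summary):
    """Turn the summary into findings an operator would act on."""
    findings = []
    engines = summary["engines"]
    for name in sorted(n for n, e in engines.items() if e["index"] is not None and e["build_ms"] is None):
        findings.append(f"engine {name} started building but never reported ready")
    built = max((e["index"] for e in engines.values() if e["index"] is not None), default=0)
    exp = summary["expected_engines"]
    if exp is not None and built < exp:
        findings.append(f"signature build stopped at engine {built} of {exp}")
    for f in summary["malloc_failures"]:
        findings.append(f"MALLOCFAIL: {f['bytes']} bytes requested, {f['free_bytes']} free in {f['pool']} pool ({f['cause']})")
    if summary["clock_unsynced"]:
        findings.append("timestamps are not authoritative (no NTP); correlate by sequence number, not time")
    return findings


if __name__ == "__main__":
    s = summarize_ips_boot(SAMPLE_LOG)
    sigs, ms = totals(s)
    print(f"{len(s['engines'])} engines seen, {sigs} signatures, {ms} ms build time")
    for finding in assess(s):
        print(" -", finding)
```

Two things worth checking on a real box before trusting the numbers: the 22780 ms for SERVICE.SMTP shows how long a single engine build can block, and a MALLOCFAIL that lands while an engine is still building (rather than after, as in this log) matters more than it looks, because by default IOS IPS forwards packets unscanned until the engine is ready unless `ip ips fail closed` is configured. The first lines in the post also show the 64 KB request failing with only 37852 bytes free in the Processor pool, which is the figure to compare against `show memory` after trimming the config.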

  3. #3
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    For what it's worth, just my 2 cents

    I don't like IPS (yet); same goes for active IDS. As you probably know these things still generate a lot of false positives (or even worse, false negatives). I don't want to block regular traffic just because some box thinks one of our users is trying to break in. Not to mention the fact you're susceptible to a DoS.

    An IDS is a great tool in identifying a potential threat but I still think you need a human to verify it and base the actions on what is found.

    If you set up your firewalls correctly, audited the (web)code, hardened the OS and you keep a sharp eye on all of it, then there's very little to be worried about.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  4. #4
    AO übergeek phishphreek
    Join Date
    Jan 2002
    Posts
    4,325
    SirDice:
    I understand what you're saying and I agree with you for the most part.
    I was just trying to take the opportunity to learn/play with something new since I had "found" it.

    Since there are only at maximum 5 users on my home network at any one time (I probably can account for 5 users myself...) playing a lot doesn't hurt any. I make sure to have appropriate firewall rules and have people I trust audit my setup. I make sure that I have working backup configs just in case that I fux0r something.

    I was worried about it dropping legitimate traffic or, like you said, having false negatives. I've taken further steps to protect the devices/hosts behind that border router just in case something like that were to happen. (2 routers and Norton Internet Security on each host, with iptables on the *nix boxes, plus all your usual securing basics.) The PCs on my home LAN are used for me playing/learning and for some gaming... not much else.

    Thanks for bringing up that point. It is a very important point!

  5. #5
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Agreed, it doesn't hurt to play around with new technology. This can be a lot of fun too. Sometimes I feel just like a little kid that got a shiny new toy for his birthday

  6. #6
    AO übergeek phishphreek
    Join Date
    Jan 2002
    Posts
    4,325
    I've been trying to think of ways to get this IPS to work.

    Because of the memory problem... the only choice is obvious...

    Use less memory.

    The only way you can really do that is to dumb down the config...

    I have some very detailed ACLs that are probably not needed. I just had them in there for peace of mind... but that requires more memory and processing power because each ACL has to be checked...

    Reduce/disable logging to local memory and send everything to the syslog like I was doing before...

    The services are already at a minimum.

    Can anyone think of any other things that might reduce the amount of memory being used?

    I have enough flash storage... its just the running RAM... NVRAM?

    Too bad I can't swap it out to the webflash that I rarely ever use... that's another 8MB right there... but flash is very slow and it'd probably create more problems...

  7. #7
    Master-Jedi-Pimps0r & Moderator thehorse13
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Heya Phissy, I gotz the answer to your question. The IOS you have with IPS support is part of the new self healing network product line that Cisco has been advertising the piss out of. When you purchase the suite, all of your existing devices will need the IOS you have installed in order to participate in the "healing". Think of this as an agent, not an independent feature set.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  8. #8
    AO übergeek phishphreek
    Join Date
    Jan 2002
    Posts
    4,325
    TH13: Thanks for the info. I've just been skimming the docs and reading what seems to be important. They can put a lot of fluff in there. So, without the rest of the suite... or more devices for it to interact with... I'm just wasting time? I'll have to check again... but I'm pretty sure it was the IPS that was dropping connections and not my ACLs?

    When I first enabled it on an interface, it worked. I must have changed the config too much after that and used up all the memory. I was messing with the ACLs and other new stuff that was introduced in the 12.3T series. I must have been playing with that thing for at least 5 hours last night... I'm going to revert to an old config until I find out what actually used up all my memory!

  9. #9
    Master-Jedi-Pimps0r & Moderator thehorse13
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Yeah man, the Cisco comedy road show (they roll through here all the time hawking their warez) told me specifically not to **** with the IPS feature set. It needs to be controlled from their super duper self healing management console. Now, I'm sure you can tune it on your own but, as you have discovered, there is no documentation available, so you are navigating uncharted waters.

    --TH13
