I started on the IPS a little while ago, in this post, and then in this post. Then I went and rebuilt the lab using Arista switches, and now the stability is much improved. In doing so I moved from the IPS and into ISE, but there is much left to do with the IPS.
Options with the IPS seem to be limited, for me at least. I can't get IDM to work over HTTPS, but HTTP works:
IPS(config)# service web
IPS(config-web)# enable-tls false
IPS(config-web)# port 80
IPS(config-web)# exit
Apply Changes?[yes]: yes
IPS(config)#

Temporarily.
Fucking Java.
So, let's do this from the CLI instead:
Gives me another excuse to post pictures of Rachel Riley.
So, what do we need to achieve?
I want an interface pair, and I'll take Gi0/1 and Gi0/2 for these, and a VLAN pair, using Gi0/3, then we'll set up some custom signatures.
Let's go!
IPS interface pairs
We start in the "service interface" section:
IPS(config)# service interface
IPS(config-int)# ?
bypass-mode
cdp-mode
default
exit
inline-interfaces
interface-notifications
no
physical-interfaces
show
IPS(config-int)#

I have removed the descriptions because they were long...

IPS(config-int)# inline-interfaces Inline-VS
IPS(config-int-inl)# interface1 ?
GigabitEthernet0/0    GigabitEthernet0/0 physical interface.
GigabitEthernet0/1    GigabitEthernet0/1 physical interface.
GigabitEthernet0/2    GigabitEthernet0/2 physical interface.
GigabitEthernet0/3    GigabitEthernet0/3 physical interface.
Management0/0         Management0/0 physical interface.
IPS(config-int-inl)# interface1 GigabitEthernet0/1
IPS(config-int-inl)# interface2 GigabitEthernet0/2
IPS(config-int-inl)# exit
IPS(config-int)# exit
Apply Changes?[yes]: yes
IPS(config)#

That's the first part of the interface pair; let's do the VLAN pair:

IPS(config)# service interface
IPS(config-int)# physical-interfaces GigabitEthernet0/3
IPS(config-int-phy)# subinterface-type inline-vlan-pair
IPS(config-int-phy-inl)# subinterface 1
IPS(config-int-phy-inl-sub)# vlan1 4
IPS(config-int-phy-inl-sub)# vlan2 90
IPS(config-int-phy-inl-sub)# exit
IPS(config-int-phy-inl)# exit
IPS(config-int-phy)# exit
IPS(config-int)# exit
Apply Changes?[yes]: yes
IPS(config)# exit
IPS#

I can't see where to name this, though, so hopefully the config will show us. Well, this is the relevant part of the config, but there is no name; maybe we don't need it:

service interface
   physical-interfaces GigabitEthernet0/3
      subinterface-type inline-vlan-pair
         subinterface 1
            vlan1 4
            vlan2 90
            exit
         exit
      exit
   inline-interfaces Inline-VS
      interface1 GigabitEthernet0/1
      interface2 GigabitEthernet0/2
      exit
   exit

The next step is to create the virtual sensors and assign the interfaces to them (or maybe it's the other way around).
It is important to make sure that all the interfaces are up:
IPS(config)# service interface
IPS(config-int)# physical-interfaces GigabitEthernet0/3
IPS(config-int-phy)# admin-state enabled
IPS(config-int)# exit
Apply Changes?[yes]: yes
IPS(config)# exit
IPS# show interfaces brief
CC   Interface            Sensing State   Link   Inline Mode                                Pair Status
     GigabitEthernet0/0   Disabled        Down   Unpaired                                   N/A
     GigabitEthernet0/1   Enabled         Up     Paired with interface GigabitEthernet0/2   Up
     GigabitEthernet0/2   Enabled         Up     Paired with interface GigabitEthernet0/1   Up
     GigabitEthernet0/3   Enabled         Up     Inline-vlan-pair                           N/A
 *   Management0/0        Disabled        Up
IPS#

Back to the virtual sensor (the anomaly-detection submode line, which the prompt shows was entered, was missing from my paste and is restored here):

IPS(config)# service analysis-engine
IPS(config-ana)# virtual-sensor VS-VS
IPS(config-ana-vir)# signature-definition sig0
IPS(config-ana-vir)# anomaly-detection
IPS(config-ana-vir-ano)# anomaly-detection-name ad0
IPS(config-ana-vir-ano)# exi
IPS(config-ana-vir)# event-action-rules rules0
IPS(config-ana-vir)#
IPS(config-ana-vir)# logical-interface Inline-VS
IPS(config-ana-vir)#
IPS(config-ana-vir)# show setting
   name: VS-VS
   -----------------------------------------------
      description:
      signature-definition: sig0 default: sig0
      event-action-rules: rules0 default: rules0
      anomaly-detection
      -----------------------------------------------
         anomaly-detection-name: ad0 default: ad0
         operational-mode: detect
      -----------------------------------------------
      physical-interface (min: 0, max: 999999999, current: 0)
      -----------------------------------------------
      -----------------------------------------------
      logical-interface (min: 0, max: 999999999, current: 1)
      -----------------------------------------------
         name: Inline-VS
         subinterface-number: 0
      -----------------------------------------------
      -----------------------------------------------
      inline-TCP-session-tracking-mode: virtual-sensor
      inline-TCP-evasion-protection-mode: strict
   -----------------------------------------------
IPS(config-ana-vir)# exit
IPS(config-ana)# exit
Apply Changes?[yes]: yes
IPS(config)#

Let's create the other one with the VLAN pair:

IPS(config)# service analysis-engine
IPS(config-ana)# virtual-sensor VS-VP
IPS(config-ana-vir)# signature-definition sig0
IPS(config-ana-vir)# event-action-rules rules0
IPS(config-ana-vir)#
IPS(config-ana-vir)# physical-interface GigabitEthernet0/3 subinterface-number 1
IPS(config-ana-vir)# exi
IPS(config-ana-vir)# anomaly-detection
IPS(config-ana-vir-ano)# anomaly-detection-name ad0
IPS(config-ana)# exit
IPS(config-ana-vir)# show settings
   name: VS-VP
   -----------------------------------------------
      description:
      signature-definition: sig0 default: sig0
      event-action-rules: rules0 default: rules0
      anomaly-detection
      -----------------------------------------------
         anomaly-detection-name: ad0 default: ad0
         operational-mode: detect
      -----------------------------------------------
      physical-interface (min: 0, max: 999999999, current: 1)
      -----------------------------------------------
         name: GigabitEthernet0/3
         subinterface-number: 1 default: 0
      -----------------------------------------------
      -----------------------------------------------
      logical-interface (min: 0, max: 999999999, current: 0)
      -----------------------------------------------
      -----------------------------------------------
      inline-TCP-session-tracking-mode: virtual-sensor
      inline-TCP-evasion-protection-mode: strict
   -----------------------------------------------
IPS(config-ana-vir)#
Apply Changes?[yes]: yes
IPS(config)#

Now let's create a custom signature, which is intended to produce a high-severity alert if it sees a telnet connection coming from the 192.168.90.0/24 subnet:
IPS(config)# service signature-definition sig0
IPS(config-sig)# signatures ?
IPS(config-sig)# signatures 60101 ?
IPS(config-sig)# signatures 60101 0
IPS(config-sig-sig)# alert-severity high
IPS(config-sig-sig)# engine atomic-ip
IPS(config-sig-sig-ato)# event-action produce-verbose-alert
IPS(config-sig-sig-ato)# specify-l4-protocol yes
IPS(config-sig-sig-ato-yes)# l4-protocol tcp
IPS(config-sig-sig-ato-yes-tcp)# no tcp-flags
IPS(config-sig-sig-ato-yes-tcp)# no tcp-mask
IPS(config-sig-sig-ato-yes-tcp)# specify-dst-port yes
IPS(config-sig-sig-ato-yes-tcp-yes)# dst-port 23
IPS(config-sig-sig-ato-yes-tcp-yes)# exi
IPS(config-sig-sig-ato-yes-tcp)# specify-src-port no
IPS(config-sig-sig-ato-yes-tcp)# exit
IPS(config-sig-sig-ato-yes)# exit
IPS(config-sig-sig-ato)# specify-ip-addr-options yes
IPS(config-sig-sig-ato-yes)# ip-addr-options ip-addr
IPS(config-sig-sig-ato-yes-ip)# specify-src-ip-addr yes
IPS(config-sig-sig-ato-yes-ip-yes)# src-ip-addr 192.168.90.1-192.168.90.254
IPS(config-sig-sig-ato-yes-ip-yes)#
IPS(config-sig-sig-ato-yes-ip-yes)# exit
IPS(config-sig-sig-ato-yes-ip)# exit
IPS(config-sig-sig-ato-yes)# exit
IPS(config-sig-sig-ato)# exit
IPS(config-sig-sig)# exit
IPS(config-sig)# exit
Apply Changes?[yes]: yes
IPS(config)#

This shows in the config as follows:

service signature-definition sig0
   signatures 60101 0
      alert-severity high
      engine atomic-ip
         event-action produce-verbose-alert
         specify-l4-protocol yes
            l4-protocol tcp
               no tcp-flags
               no tcp-mask
               specify-dst-port yes
                  dst-port 23
                  exit
               specify-src-port no
               exit
            exit
         specify-ip-addr-options yes
            ip-addr-options ip-addr
               specify-src-ip-addr yes
                  src-ip-addr 192.168.90.1-192.168.90.254

This is all well and good, but we need to turn it on for it to be effective:

IPS(config)# service signature-definition sig0
IPS(config-sig)# signatures 60101 0
IPS(config-sig-sig)# status
IPS(config-sig-sig-sta)# enabled true
IPS(config-sig-sig-sta)# exit
IPS(config-sig-sig)# exit
IPS(config-sig)# exit
Apply Changes?[yes]: yes
IPS(config)#

Looks good, but we need the IPS to actually receive the traffic. At the moment there is no reason why it should, which is partly a bad design choice on my part, and having moved my switches over to Arista I lose the remote-SPAN functionality. We are not totally out of luck, though:

SW2(config)#monitor session trunky source e10
SW2(config)#monitor session trunky destination e18
SW2(config)#exi
SW2#sh mon sess
Session trunky
------------------------
Source Ports:
  Both:        Et10
Destination Ports:
  Et18 :       active
SW2#sh int e18 sta
Port       Name    Status       Vlan         Duplex   Speed   Type
Et18       IPS     connected    monitoring   full     unconf  EbraTestPhyP
SW2#

With this in place, we do get the telnet traffic (from MGMT-PC to 10.1.4.101) mirrored towards the IPS:
Not getting anything on the IPS though:
IPS# sh events alert high

The lack of output isn't to say that it's not working. I look after a handful of IPS modules for work, and they are slow, not as slow as this one is, but still very slow. Thankfully, although IDM access is a little hit and miss, it does show that this works:
The console does seem to take an extraordinarily long time, though, so it looks like it's waiting for a response, but this does work, and, at nearly 10 pm, that's the goal. Thankfully I managed to pull the results out of IDM before Java shit the bed (for the ten billionth time).
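To make it clear what signature 60101 above will and won't fire on, here is an added example (my own Python, not Cisco's code) that replays the signature's match conditions over a few constructed flow records: TCP to destination port 23 from an inclusive source range of 192.168.90.1-192.168.90.254, ignoring source port and TCP flags, and producing nothing at all while the signature is still disabled. The flows, including the 10.1.4.101 telnet target from the test above, are constructed sample data.

```python
"""Offline emulation of the atomic-ip custom signature 60101 from this post."""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str      # "tcp", "udp", ...
    src_port: int
    dst_port: int


@dataclass
class AtomicIpSig:
    sig_id: int
    severity: str
    enabled: bool                 # 'status / enabled true' in the IPS config
    l4_protocol: str              # 'l4-protocol tcp'
    dst_port: int                 # 'dst-port 23'; src port is not specified
    src_range: tuple              # 'src-ip-addr A-B', inclusive on both ends

    def matches(self, f: Flow) -> bool:
        if not self.enabled:      # a disabled signature never alerts
            return False
        if f.proto != self.l4_protocol or f.dst_port != self.dst_port:
            return False
        lo, hi = (IPv4Address(a) for a in self.src_range)
        return lo <= IPv4Address(f.src_ip) <= hi


SIG_60101 = AtomicIpSig(60101, "high", True, "tcp", 23,
                        ("192.168.90.1", "192.168.90.254"))

# Constructed sample flows; the destination is the telnet target used in the post.
SAMPLE_FLOWS = [
    Flow("192.168.90.10", "10.1.4.101", "tcp", 51000, 23),  # telnet from the 90 subnet: alert
    Flow("192.168.90.0", "10.1.4.101", "tcp", 51001, 23),   # .0 is outside the 1-254 range
    Flow("192.168.90.10", "10.1.4.101", "udp", 51002, 23),  # wrong L4 protocol
    Flow("192.168.90.10", "10.1.4.101", "tcp", 23, 51003),  # 23 only as source port: no match
    Flow("10.1.4.50", "10.1.4.101", "tcp", 51004, 23),      # telnet from another subnet
]


def evaluate(sig: AtomicIpSig, flows) -> list:
    """One alert line per matching flow, roughly in the shape 'show events alert' reports."""
    return [f"sig {sig.sig_id} severity={sig.severity} "
            f"{f.src_ip}:{f.src_port} -> {f.dst_ip}:{f.dst_port}"
            for f in flows if sig.matches(f)]


if __name__ == "__main__":
    print("\n".join(evaluate(SIG_60101, SAMPLE_FLOWS)))
```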
I will be saving WLC integration for another day.