I started on the IPS a little while ago, in this post, and then in this post. Then I went and rebuilt the lab using Arista switches, and now the stability is much improved. In doing so I moved from the IPS on to ISE, but there is much left to do with the IPS.
Options with the IPS seem to be limited, for me at least. I can't get IDM to work over HTTPS, but HTTP works:
IPS(config)# service web
IPS(config-web)# enable-tls false
IPS(config-web)# port 80
IPS(config-web)# exit
Apply Changes?[yes]: yes
IPS(config)#
Temporarily.
Fucking Java.
So, let's do this from the CLI instead:
Gives me another excuse to post pictures of Rachel Riley.
So, what do we need to achieve?
I want an interface pair, and I'll take Gi0/1 and Gi0/2 for these, and a VLAN pair, using Gi0/3, then we'll set up some custom signatures.
Let's go!
IPS interface pairs
We start in the "service interface" section:
IPS(config)# service interface
IPS(config-int)# ?
bypass-mode
cdp-mode
default
exit
inline-interfaces
interface-notifications
no
physical-interfaces
show
IPS(config-int)#
I have removed the descriptions because they were long...
IPS(config-int)# inline-interfaces Inline-VS
IPS(config-int-inl)# interface1 ?
GigabitEthernet0/0    GigabitEthernet0/0 physical interface.
GigabitEthernet0/1    GigabitEthernet0/1 physical interface.
GigabitEthernet0/2    GigabitEthernet0/2 physical interface.
GigabitEthernet0/3    GigabitEthernet0/3 physical interface.
Management0/0         Management0/0 physical interface.
IPS(config-int-inl)# interface1 GigabitEthernet0/1
IPS(config-int-inl)# interface2 GigabitEthernet0/2
IPS(config-int-inl)# exit
IPS(config-int)# exit
Apply Changes?[yes]: yes
IPS(config)#
That's the first part of the interface pair; let's do the VLAN pair:
IPS(config)# service interface
IPS(config-int)# physical-interfaces GigabitEthernet0/3
IPS(config-int-phy)# subinterface-type inline-vlan-pair
IPS(config-int-phy-inl)# subinterface 1
IPS(config-int-phy-inl-sub)# vlan1 4
IPS(config-int-phy-inl-sub)# vlan2 90
IPS(config-int-phy-inl-sub)# exit
IPS(config-int-phy-inl)# exit
IPS(config-int-phy)# exit
IPS(config-int)# exit
Apply Changes?[yes]: yes
IPS(config)# exit
IPS#
I can't see where to name this, though, so hopefully the config will show us. Well, this is the relevant part of the config, but there is no name; maybe we don't need it:
service interface
  physical-interfaces GigabitEthernet0/3
    subinterface-type inline-vlan-pair
      subinterface 1
        vlan1 4
        vlan2 90
      exit
    exit
  exit
  inline-interfaces Inline-VS
    interface1 GigabitEthernet0/1
    interface2 GigabitEthernet0/2
  exit
exit
The next step is to create the virtual sensors and assign the interfaces to them (or maybe it's the other way around).
It is important to make sure that all the interfaces are up:
IPS(config)# service interface 
IPS(config-int)# physical-interfaces GigabitEthernet0/3
IPS(config-int-phy)# admin-state enabled
IPS(config-int)# exit
Apply Changes?[yes]: yes 
IPS(config)# exit
IPS# show interfaces brief
CC   Interface            Sensing State   Link   Inline Mode                                Pair Status   
     GigabitEthernet0/0   Disabled        Down   Unpaired                                   N/A           
     GigabitEthernet0/1   Enabled         Up     Paired with interface GigabitEthernet0/2   Up            
     GigabitEthernet0/2   Enabled         Up     Paired with interface GigabitEthernet0/1   Up            
     GigabitEthernet0/3   Enabled         Up     Inline-vlan-pair                           N/A           
*    Management0/0        Disabled        Up                                                              
IPS# 
Back to the virtual sensor:
IPS(config)# service analysis-engine
IPS(config-ana)# virtual-sensor VS-VS 
IPS(config-ana-vir)# signature-definition sig0
IPS(config-ana-vir-ano)# anomaly-detection-name ad0
IPS(config-ana-vir-ano)# exi
IPS(config-ana-vir)# event-action-rules rules0
IPS(config-ana-vir)# 
IPS(config-ana-vir)# logical-interface Inline-VS 
IPS(config-ana-vir)# 
IPS(config-ana-vir)# show setting
   name: VS-VS
   -----------------------------------------------
      description:  
      signature-definition: sig0 default: sig0
      event-action-rules: rules0 default: rules0
      anomaly-detection
      -----------------------------------------------
         anomaly-detection-name: ad0 default: ad0
         operational-mode: detect 
      -----------------------------------------------
      physical-interface (min: 0, max: 999999999, current: 0)
      -----------------------------------------------
      -----------------------------------------------
      logical-interface (min: 0, max: 999999999, current: 1)
      -----------------------------------------------
         name: Inline-VS
         subinterface-number: 0 
         -----------------------------------------------
      -----------------------------------------------
      inline-TCP-session-tracking-mode: virtual-sensor 
      inline-TCP-evasion-protection-mode: strict 
   -----------------------------------------------
IPS(config-ana-vir)# exit
IPS(config-ana)# exit
Apply Changes?[yes]: yes 
IPS(config)# 
Let's create the other one with the VLAN pair:
IPS(config)# service analysis-engine
IPS(config-ana)# virtual-sensor VS-VP
IPS(config-ana-vir)# signature-definition sig0
IPS(config-ana-vir)# event-action-rules rules0
                                             
IPS(config-ana-vir)# 
IPS(config-ana-vir)# physical-interface GigabitEthernet0/3 subinterface-number 1
IPS(config-ana-vir)# exi 
IPS(config-ana-vir)# anomaly-detection 
IPS(config-ana-vir-ano)# anomaly-detection-name ad0
IPS(config-ana)# exit
IPS(config-ana-vir)# show settings 
   name: VS-VP
   -----------------------------------------------
      description:  
      signature-definition: sig0 default: sig0
      event-action-rules: rules0 default: rules0
      anomaly-detection
      -----------------------------------------------
         anomaly-detection-name: ad0 default: ad0
         operational-mode: detect 
      -----------------------------------------------
      physical-interface (min: 0, max: 999999999, current: 1)
      -----------------------------------------------
         name: GigabitEthernet0/3
         subinterface-number: 1 default: 0
         -----------------------------------------------
      -----------------------------------------------
      logical-interface (min: 0, max: 999999999, current: 0)
      -----------------------------------------------
      -----------------------------------------------
      inline-TCP-session-tracking-mode: virtual-sensor 
      inline-TCP-evasion-protection-mode: strict 
   -----------------------------------------------
IPS(config-ana-vir)# 
Apply Changes?[yes]: yes 
IPS(config)# 
Now let's create a custom signature, which is intended to produce a high-severity alert if it sees a telnet connection coming from the 192.168.90.0/24 subnet:
IPS(config)# service signature-definition sig0
IPS(config-sig)# signatures ?
     
IPS(config-sig)# signatures 60101 ?
     
IPS(config-sig)# signatures 60101 0           
IPS(config-sig-sig)# alert-severity high                        
IPS(config-sig-sig)# engine atomic-ip              
IPS(config-sig-sig-ato)# event-action produce-verbose-alert  
IPS(config-sig-sig-ato)# specify-l4-protocol yes                
IPS(config-sig-sig-ato-yes)# l4-protocol tcp                 
IPS(config-sig-sig-ato-yes-tcp)# no tcp-flags
IPS(config-sig-sig-ato-yes-tcp)# no tcp-mask
IPS(config-sig-sig-ato-yes-tcp)# specify-dst-port yes   
IPS(config-sig-sig-ato-yes-tcp-yes)# dst-port 23 
IPS(config-sig-sig-ato-yes-tcp-yes)# exi
IPS(config-sig-sig-ato-yes-tcp)# specify-src-port no
IPS(config-sig-sig-ato-yes-tcp)# exit
IPS(config-sig-sig-ato-yes)# exit           
IPS(config-sig-sig-ato)# specify-ip-addr-options yes     
IPS(config-sig-sig-ato-yes)# ip-addr-options ip-addr   
IPS(config-sig-sig-ato-yes-ip)# specify-src-ip-addr yes   
IPS(config-sig-sig-ato-yes-ip-yes)# src-ip-addr 192.168.90.1-192.168.90.254
IPS(config-sig-sig-ato-yes-ip-yes)# 
IPS(config-sig-sig-ato-yes-ip-yes)# exit
IPS(config-sig-sig-ato-yes-ip)# exit
IPS(config-sig-sig-ato-yes)# exit
IPS(config-sig-sig-ato)# exit
IPS(config-sig-sig)# exit
IPS(config-sig)# exit
Apply Changes?[yes]: yes 
IPS(config)#   
This shows in the config as follows:
service signature-definition sig0
  signatures 60101 0
    alert-severity high
    engine atomic-ip
      event-action produce-verbose-alert
      specify-l4-protocol yes
        l4-protocol tcp
          no tcp-flags
          no tcp-mask
          specify-dst-port yes
            dst-port 23
          exit
          specify-src-port no
        exit
      exit
      specify-ip-addr-options yes
        ip-addr-options ip-addr
          specify-src-ip-addr yes
            src-ip-addr 192.168.90.1-192.168.90.254
This is all well and good, but we need to turn it on for it to be effective:
IPS(config)# service signature-definition sig0
IPS(config-sig)# signatures 60101 0
IPS(config-sig-sig)# status
IPS(config-sig-sig-sta)# enabled true
IPS(config-sig-sig-sta)# exit
IPS(config-sig-sig)# exit
IPS(config-sig)# exit
Apply Changes?[yes]: yes
IPS(config)#
Looks good, but we need the IPS to actually receive the traffic. At the moment there is no reason why it should: this is partly a bad design choice on my part, and having moved my switches over to Arista I have lost the remote-span functionality. We are not totally out of luck, though:
SW2(config)#monitor session trunky source e10
SW2(config)#monitor session trunky destination e18
SW2(config)#exi
SW2#sh mon sess
Session trunky
------------------------
Source Ports:
  Both:        Et10
Destination Ports:
    Et18 :  active
SW2#sh int e18 sta
Port       Name              Status       Vlan        Duplex  Speed Type        
Et18       IPS               connected    monitoring    full unconf EbraTestPhyP
SW2#
With this in place, we do get the telnet traffic (from MGMT-PC to 10.1.4.101) mirrored towards the IPS:
Not getting anything on the IPS, though:
IPS# sh events alert high
The lack of output isn't to say that it's not working. I look after a handful of IPS modules for work, and they are slow; not as slow as this one, but still very slow. Thankfully, although IDM access is a little hit and miss, it does show that this works:
The console does seem to take an extraordinarily long time, though, so it looks like it's waiting for a response, but this does work, and, at nearly 10 pm, that's the goal. Thankfully I managed to pull the results out of IDM before Java shit the bed (for the ten billionth time).
I will be saving WLC integration for another day.
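For reference, here is what signature 60101 as built above will and will not fire on, modelled in a few lines of Python. This is an added example, not anything from the post or from Cisco: the packet dicts are constructed test data, and the `enabled` field stands in for the status step the signature needed before it would do anything.

```python
# Added example (not from the original post): a small model of how the
# atomic-ip signature 60101 configured above decides whether to fire.
# Packet dicts are constructed test data; no real sensor is involved.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, List, Dict

@dataclass
class AtomicIpSig:
    sig_id: int
    severity: str                                # alert-severity high
    enabled: bool                                # status / enabled true
    l4_protocol: Optional[str] = None            # specify-l4-protocol yes -> tcp
    dst_port: Optional[int] = None               # specify-dst-port yes -> 23
    src_range: Optional[Tuple[str, str]] = None  # src-ip-addr a-b

    def matches(self, pkt: Dict) -> bool:
        # A signature that is not enabled never fires, whatever the packet
        # looks like; the post shows this being switched on as a separate step.
        if not self.enabled:
            return False
        if self.l4_protocol and pkt["proto"] != self.l4_protocol:
            return False
        if self.dst_port is not None and pkt.get("dport") != self.dst_port:
            return False
        if self.src_range:  # inclusive range, as src-ip-addr a-b is written
            lo, hi = (ipaddress.ip_address(a) for a in self.src_range)
            if not lo <= ipaddress.ip_address(pkt["src"]) <= hi:
                return False
        return True

# Signature 60101 exactly as built in the CLI above.
SIG_60101 = AtomicIpSig(60101, "high", True, "tcp", 23,
                        ("192.168.90.1", "192.168.90.254"))

def alerts(sig: AtomicIpSig, packets: List[Dict]) -> List[str]:
    # One alert line per packet the signature fires on.
    return [f"sig {sig.sig_id} sev {sig.severity} {p['src']} -> {p['dst']}:{p['dport']}"
            for p in packets if sig.matches(p)]

# Constructed sample traffic: only the first packet should alert.
SAMPLE = [
    {"proto": "tcp", "src": "192.168.90.10", "dst": "10.1.4.101", "dport": 23},  # telnet from VLAN 90
    {"proto": "tcp", "src": "192.168.4.10",  "dst": "10.1.4.101", "dport": 23},  # telnet, other source
    {"proto": "tcp", "src": "192.168.90.10", "dst": "10.1.4.101", "dport": 22},  # ssh, wrong port
    {"proto": "udp", "src": "192.168.90.10", "dst": "10.1.4.101", "dport": 23},  # not tcp
]

if __name__ == "__main__":
    print(*alerts(SIG_60101, SAMPLE), sep="\n")
```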