CCIE Security Lab: IPS - CLI to GUI and back again


I started on the IPS a little while ago, in this post, and then in this post. Then went and rebuilt the lab using Arista switches, and now the stability is much improved. In doing so I moved from the IPS and into ISE, but there is much left to do with the IPS.

Options with the IPS seems to be limited, for me at least. I can't get IDM to work over HTTPS, but HTTP works:
IPS(config)# service web
IPS(config-web)# enable-tls false
IPS(config-web)# port 80 
IPS(config-web)# exit
Apply Changes?[yes]: yes 
IPS(config)# 
Temporarily.

Java sucks ass.

Fucking Java.

So, let's do this from the CLI instead:

Rachel Riley says use the CLI

Gives me another excuse to post pictures of Rachel Riley.

So, what do we need to achieve?

I want an interface pair, and I'll take Gi0/1 and Gi0/2 for these, and a VLAN pair, using Gi0/3, then we'll set up some custom signatures.

Let's go!

IPS interface pairs

We start in the "service interface" section:
IPS(config)# service interface 
IPS(config-int)# ?
bypass-mode                 
cdp-mode                    
default                     
exit                        
inline-interfaces           
interface-notifications     
no                          
physical-interfaces         
show                        
IPS(config-int)# 
I have removed the descriptions because they were long...
IPS(config-int)# inline-interfaces Inline-VS 
IPS(config-int-inl)# interface1 ?
GigabitEthernet0/0     GigabitEthernet0/0 physical interface.
GigabitEthernet0/1     GigabitEthernet0/1 physical interface.
GigabitEthernet0/2     GigabitEthernet0/2 physical interface.
GigabitEthernet0/3     GigabitEthernet0/3 physical interface.
Management0/0          Management0/0 physical interface.
IPS(config-int-inl)# interface1 GigabitEthernet0/1
IPS(config-int-inl)# interface2 GigabitEthernet0/2
IPS(config-int-inl)# exit
IPS(config-int)# exit
Apply Changes?[yes]: yes 
IPS(config)# 
That's the first part of the interface pair, let's do the VLAN pair:
IPS(config)# service interface 
IPS(config-int)# physical-interfaces GigabitEthernet0/3  
IPS(config-int-phy)# subinterface-type inline-vlan-pair 
IPS(config-int-phy-inl)# subinterface 1 
IPS(config-int-phy-inl-sub)# vlan1 4
IPS(config-int-phy-inl-sub)# vlan2 90
IPS(config-int-phy-inl-sub)# exit
IPS(config-int-phy-inl)# exit
IPS(config-int-phy)# exit
IPS(config-int)# exit
Apply Changes?[yes]: yes 
IPS(config)# exit
IPS# 
I can't see where to name this, though, so hopefully the config should show us. Well, this is the relevant part of the config, but there is no name, maybe we don't need it:
service interface
physical-interfaces GigabitEthernet0/3 
subinterface-type inline-vlan-pair
subinterface 1 
vlan1 4
vlan2 90
exit
exit
exit
inline-interfaces Inline-VS 
interface1 GigabitEthernet0/1
interface2 GigabitEthernet0/2
exit
exit
The next step is to create the virtual sensors and assign the interfaces to them (or maybe it's the other way around).

It is important to make sure that all the interfaces are up:
IPS(config)# service interface 
IPS(config-int)# physical-interfaces GigabitEthernet0/3
IPS(config-int-phy)# admin-state enabled
IPS(config-int)# exit
Apply Changes?[yes]: yes 
IPS(config)# exit
IPS# show interfaces brief
CC   Interface            Sensing State   Link   Inline Mode                                Pair Status   
     GigabitEthernet0/0   Disabled        Down   Unpaired                                   N/A           
     GigabitEthernet0/1   Enabled         Up     Paired with interface GigabitEthernet0/2   Up            
     GigabitEthernet0/2   Enabled         Up     Paired with interface GigabitEthernet0/1   Up            
     GigabitEthernet0/3   Enabled         Up     Inline-vlan-pair                           N/A           
*    Management0/0        Disabled        Up                                                              
IPS# 
Back to the virtual sensor:
IPS(config)# service analysis-engine
IPS(config-ana)# virtual-sensor VS-VS 
IPS(config-ana-vir)# signature-definition sig0

IPS(config-ana-vir-ano)# anomaly-detection-name ad0
IPS(config-ana-vir-ano)# exi
IPS(config-ana-vir)# event-action-rules rules0

IPS(config-ana-vir)# 
IPS(config-ana-vir)# logical-interface Inline-VS 
IPS(config-ana-vir)# 
IPS(config-ana-vir)# show setting
   name: VS-VS
   -----------------------------------------------
      description:  
      signature-definition: sig0 default: sig0
      event-action-rules: rules0 default: rules0
      anomaly-detection
      -----------------------------------------------
         anomaly-detection-name: ad0 default: ad0
         operational-mode: detect 
      -----------------------------------------------
      physical-interface (min: 0, max: 999999999, current: 0)
      -----------------------------------------------
      -----------------------------------------------
      logical-interface (min: 0, max: 999999999, current: 1)
      -----------------------------------------------
         name: Inline-VS
         subinterface-number: 0 
         -----------------------------------------------
      -----------------------------------------------
      inline-TCP-session-tracking-mode: virtual-sensor 
      inline-TCP-evasion-protection-mode: strict 
   -----------------------------------------------
IPS(config-ana-vir)# exit
IPS(config-ana)# exit
Apply Changes?[yes]: yes 
IPS(config)# 
Let's create the other one with the VLAN pair:
IPS(config)# service analysis-engine 
IPS(config-ana)# virtual-sensor VS-VP
IPS(config-ana-vir)# signature-definition sig0

IPS(config-ana-vir)# event-action-rules rules0
                                             
IPS(config-ana-vir)# 
IPS(config-ana-vir)# physical-interface GigabitEthernet0/3 subinterface-number 1
IPS(config-ana-vir)# exi 
IPS(config-ana-vir)# anomaly-detection 
IPS(config-ana-vir-ano)# anomaly-detection-name ad0
IPS(config-ana)# exit
IPS(config-ana-vir)# show settings 
   name: VS-VP
   -----------------------------------------------
      description:  
      signature-definition: sig0 default: sig0
      event-action-rules: rules0 default: rules0
      anomaly-detection
      -----------------------------------------------
         anomaly-detection-name: ad0 default: ad0
         operational-mode: detect 
      -----------------------------------------------
      physical-interface (min: 0, max: 999999999, current: 1)
      -----------------------------------------------
         name: GigabitEthernet0/3
         subinterface-number: 1 default: 0
         -----------------------------------------------
      -----------------------------------------------
      logical-interface (min: 0, max: 999999999, current: 0)
      -----------------------------------------------
      -----------------------------------------------
      inline-TCP-session-tracking-mode: virtual-sensor 
      inline-TCP-evasion-protection-mode: strict 
   -----------------------------------------------
IPS(config-ana-vir)# 
Apply Changes?[yes]: yes 
IPS(config)# 
Now let's create a custom signature, which is intended to produce a high-severity alert if it sees a telnet connection coming from the 192.168.90.0/24 subnet:
IPS(config)# service signature-definition sig0

IPS(config-sig)# signatures ?
     
IPS(config-sig)# signatures 60101 ?
     
IPS(config-sig)# signatures 60101 0           
IPS(config-sig-sig)# alert-severity high                        
IPS(config-sig-sig)# engine atomic-ip              
IPS(config-sig-sig-ato)# event-action produce-verbose-alert  
IPS(config-sig-sig-ato)# specify-l4-protocol yes                
IPS(config-sig-sig-ato-yes)# l4-protocol tcp                 
IPS(config-sig-sig-ato-yes-tcp)# no tcp-flags
IPS(config-sig-sig-ato-yes-tcp)# no tcp-mask
IPS(config-sig-sig-ato-yes-tcp)# specify-dst-port yes   
IPS(config-sig-sig-ato-yes-tcp-yes)# dst-port 23 
IPS(config-sig-sig-ato-yes-tcp-yes)# exi
IPS(config-sig-sig-ato-yes-tcp)# specify-src-port no
IPS(config-sig-sig-ato-yes-tcp)# exit
IPS(config-sig-sig-ato-yes)# exit           
IPS(config-sig-sig-ato)# specify-ip-addr-options yes     
IPS(config-sig-sig-ato-yes)# ip-addr-options ip-addr   
IPS(config-sig-sig-ato-yes-ip)# specify-src-ip-addr yes   
IPS(config-sig-sig-ato-yes-ip-yes)# src-ip-addr 192.168.90.1-192.168.90.254
IPS(config-sig-sig-ato-yes-ip-yes)# 
IPS(config-sig-sig-ato-yes-ip-yes)# exit
IPS(config-sig-sig-ato-yes-ip)# exit
IPS(config-sig-sig-ato-yes)# exit
IPS(config-sig-sig-ato)# exit
IPS(config-sig-sig)# exit
IPS(config-sig)# exit
Apply Changes?[yes]: yes 
IPS(config)#   
This shows in the config as follows:
service signature-definition sig0
signatures 60101 0 
alert-severity high
engine atomic-ip
event-action produce-verbose-alert
specify-l4-protocol yes
l4-protocol tcp
no tcp-flags
no tcp-mask
specify-dst-port yes
dst-port 23
exit
specify-src-port no
exit
exit
specify-ip-addr-options yes
ip-addr-options ip-addr
specify-src-ip-addr yes
src-ip-addr 192.168.90.1-192.168.90.254
This is all well and good, but we need to turn it on for it to be effective:
IPS(config)# service signature-definition sig0
IPS(config-sig)# signatures 60101 0
IPS(config-sig-sig)# status
IPS(config-sig-sig-sta)# enabled true
IPS(config-sig-sig-sta)# exit
IPS(config-sig-sig)# exit
IPS(config-sig)# exit
Apply Changes?[yes]: yes 
IPS(config)#  
Looks good, but we need the IPS to get the traffic. At the moment there is no reason why it should get the traffic, and this is partly a bad design choice on my part, and having moved my switches over to Arista, I lose the remote-span functionality, but we are not totally out of luck:
SW2(config)#monitor session trunky source e10
SW2(config)#monitor session trunky destination e18
SW2(config)#exi
SW2#sh mon sess

Session trunky
------------------------

Source Ports:

  Both:        Et10

Destination Ports:

    Et18 :  active


SW2#sh int e18 sta
Port       Name              Status       Vlan        Duplex  Speed Type        
Et18       IPS               connected    monitoring    full unconf EbraTestPhyP

SW2#
With this in place, we do get the telnet traffic (from MGMT-PC to 10.1.4.101) mirrored towards the IPS:

Wireshark session mirroring

Not getting anything on the IPS though:
IPS# sh events alert high


The lack of output isn't to say that it's not working. I look after a handful of IPS modules for work, and they are slow, not as slow as this one is, but still very slow. Thankfully, although IDM access is a little hit and miss, it does show that this works:

IPS alert severity IDM

The console does seem to take an extraordinarily long time, though, so it looks like its waiting for a response, but this does work, and, at nearly 10 pm, that's the goal. Thankfully I managed to pull the results out of IDM before Java shit the bed (for the ten billionth time).

I will be saving WLC integration for another day.

CCIE #49337, author of CCNA and Beyond, BGP for Cisco Networks, MPLS for Cisco Networks, VPNs and NAT for Cisco Networks.

Related Posts

Previous
Next Post »