The dynamips .net file for router R1 is:
autostart = false
ghostios = true
sparsemem = true
[localhost]
console = 3000
workingdir = C:\Users\xxx\Desktop\IOSips\WD
[[3725]]
image = C:\Users\xxx\Desktop\IOSips\c3725-adventerprisek9-mz.124-15.T14.bin
ram = 160
[[ROUTER R1]]
model = 3725
disk0 = 64
FA0/0 = SW1 FA1/2
# Attached to physical network 10.0.0.x/24
FA0/1 = NIO_gen_eth:\Device\NPF_{7A4202C3-2058-40C4-9124-6BF616599DB9}
Start router R1, then erase and format the flash:
!When dynamips allocates space for the flash it cannot be recognised by the IOS. Formatting allows IOS to use this space.
Router#erase flash:
Erasing the flash filesystem will remove all files! Continue? [confirm]
Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erased
Erase of flash: complete
Router#format flash:
Format operation may take a while. Continue? [confirm]
Format operation will destroy all data in "flash:". Continue? [confirm]
Current Low End File System flash card in flash: will be formatted into DOS File System flash card! Continue? [confirm]
Primary Partition created...Size 64 MB
Drive communication & 1st Sector Write OK...
Writing Monlib sectors....
Monlib write complete
Format: All system sectors written. OK...
Format: Total sectors in formatted partition: 131040
Format: Total bytes in formatted partition: 67092480
Format: Operation completed successfully.
Format of flash: complete
!You need to format flash otherwise the next command fails!
Router#mkdir ips
Router#cd ips
!Copy the definition files onto the router.
Router#copy tftp://10.0.0.109/IOS-S465-CLI.pkg IOS-S465-CLI.pkg
Router#dir
Directory of flash:/ips/
2 -rw- 11236690 Mar 1 2002 00:24:40 +00:00 IOS-S465-CLI.pkg
66936832 bytes total (55693312 bytes free)
Copy the following Cisco IOS IPS public RSA crypto key into the running config. It is used to verify the digital signature on the signature package file; without it the package is rejected.
crypto key pubkey-chain rsa
named-key realm-cisco.pub signature
key-string
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
F3020301 0001
quit
!
Enable IPS, SDEE notifications (off by default) and log notifications (on by default). Note that SDEE notifications will not work unless ip http server is enabled, since SDEE is served over HTTP.
Router(config)#ip ips name myips
!Specify where the decrypted signatures will be stored
Router(config)#ip ips config location flash:ips
Router(config)#ip ips notify sdee
Router(config)#ip ips notify log
Router(config)#ip http server
To prevent running out of memory (in the simulated as well as the real world), configure IOS IPS to retire all signatures and then un-retire only the IOS IPS basic category.
Router(config)#ip ips signature-category
Router(config-ips-category)#category all
Router(config-ips-category-action)#retired true
Router(config-ips-category-action)#category ios_ips basic
Router(config-ips-category-action)#retired false
Router(config-ips-category-action)#exit
Router(config-ips-category)#exit
Do you want to accept these changes? [confirm]
Router(config)#
*Mar 1 02:32:14.331: Applying Category configuration to signatures ...
Now let's enable IPS inbound and outbound on interface FA0/1 (the interface bridged to the physical network):
Router(config)#int fa0/1
Router(config-if)#ip ips myips in
Router(config-if)#ip ips myips out
Router(config-if)#
*Mar 1 02:33:25.531: %IPS-6-ENGINE_BUILDS_STARTED: 02:33:25 UTC Mar 1 2002
*Mar 1 02:33:25.535: %IPS-6-ENGINE_BUILDING: atomic-ip - 3 signatures - 1 of 13 engines
*Mar 1 02:33:25.555: %IPS-6-ENGINE_READY: atomic-ip - build time 20 ms - packets for this engine will be scanned
*Mar 1 02:33:25.555: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 24 ms
Router(config-if)#
Now tell the IPS which definitions to use by copying the package to the idconf destination (note that the current directory is the configured location flash:/ips, so the relative filename resolves there):
Router#dir
Directory of flash:/ips/
2 -rw- 11236690 Mar 1 2002 00:24:40 +00:00 IOS-S465-CLI.pkg
8 -rw- 704 Mar 1 2002 02:33:24 +00:00 Router-sigdef-default.xml
7 -rw- 255 Mar 1 2002 02:33:26 +00:00 Router-sigdef-delta.xml
6 -rw- 4365 Mar 1 2002 02:33:26 +00:00 Router-sigdef-typedef.xml
5 -rw- 1557 Mar 1 2002 02:33:26 +00:00 Router-sigdef-category.xml
4 -rw- 257 Mar 1 2002 02:33:28 +00:00 Router-seap-delta.xml
3 -rw- 491 Mar 1 2002 02:33:28 +00:00 Router-seap-typedef.xml
66936832 bytes total (55664640 bytes free)
Router#copy IOS-S465-CLI.pkg idconf
The router then extracts all the signatures and builds its internal database.
*Mar 1 02:35:01.751: %IPS-3-IPS_FILE_OPEN_ERROR: flash:ips/Router-sigdef-typedef.xml - Directory doesn't exist
*Mar 1 02:35:04.463: %IPS-3-IPS_FILE_OPEN_ERROR: flash:ips/Router-sigdef-category.xml - Directory doesn't exist
*Mar 1 02:36:01.179: %IPS-6-ENGINE_BUILDS_STARTED: 02:36:01 UTC Mar 1 2002
*Mar 1 02:36:01.211: %IPS-6-ENGINE_BUILDING: multi-string - 44 signatures - 1 of 13 engines
*Mar 1 02:36:01.407: %IPS-6-ENGINE_READY: multi-string - build time 196 ms - packets for this engine will be scanned
*Mar 1 02:36:01.599: %IPS-6-ENGINE_BUILDING: service-http - 809 signatures - 2 of 13 engines
*Mar 1 02:36:04.599: %IPS-6-ENGINE_READY: service-http - build time 3000 ms - packets for this engine will be scanned
*Mar 1 02:36:05.203: %IPS-6-ENGINE_BUILDING: string-tcp - 2096 signatures - 3 of 13 engines
*Mar 1 02:36:15.647: %IPS-6-ENGINE_READY: string-tcp - build time 10444 ms - packets for this engine will be scanned
*Mar 1 02:36:16.003: %IPS-6-ENGINE_BUILDING: string-udp - 79 signatures - 4 of 13 engines
*Mar 1 02:36:16.179: %IPS-6-ENGINE_READY: string-udp - build time 176 ms - packets for this engine will be scanned
*Mar 1 02:36:16.211: %IPS-6-ENGINE_BUILDING: state - 37 signatures - 5 of 13 engines
*Mar 1 02:36:16.467: %IPS-6-ENGINE_READY: state - build time 256 ms - packets for this engine will be scanned
*Mar 1 02:36:16.559: %IPS-6-ENGINE_BUILDING: atomic-ip - 374 signatures - 6 of 13 engines
*Mar 1 02:36:18.311: %IPS-6-ENGINE_READY: atomic-ip - build time 1752 ms - packets for this engine will be scanned
*Mar 1 02:36:18.371: %IPS-6-ENGINE_BUILDING: string-icmp - 3 signatures - 7 of 13 engines
*Mar 1 02:36:18.375: %IPS-6-ENGINE_READY: string-icmp - build time 4 ms - packets for this engine will be scanned
*Mar 1 02:36:18.375: %IPS-6-ENGINE_BUILDING: service-ftp - 3 signatures - 8 of 13 engines
*Mar 1 02:36:18.399: %IPS-6-ENGINE_READY: service-ftp - build time 24 ms - packets for this engine will be scanned
*Mar 1 02:36:18.415: %IPS-6-ENGINE_BUILDING: service-rpc - 76 signatures - 9 of 13 engines
Router#
*Mar 1 02:36:18.675: %IPS-6-ENGINE_READY: service-rpc - build time 260 ms - packets for this engine will be scanned
*Mar 1 02:36:18.699: %IPS-6-ENGINE_BUILDING: service-dns - 39 signatures - 10 of 13 engines
*Mar 1 02:36:18.771: %IPS-6-ENGINE_READY: service-dns - build time 72 ms - packets for this engine will be scanned
*Mar 1 02:36:18.775: %IPS-6-ENGINE_BUILDING: normalizer - 9 signatures - 11 of 13 engines
*Mar 1 02:36:20.227: %IPS-6-ENGINE_READY: service-smb-advanced - build time 1436 ms - packets for this engine will be scanned
*Mar 1 02:36:20.247: %IPS-6-ENGINE_BUILDING: service-msrpc - 35 signatures - 13 of 13 engines
*Mar 1 02:36:20.539: %IPS-6-ENGINE_READY: service-msrpc - build time 292 ms - packets for this engine will be scanned
*Mar 1 02:36:20.543: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 19368 ms
*Mar 1 02:36:20.575: %IPS-3-IPS_FILE_OPEN_ERROR: flash:ips/Router-sigdef-default.xml - Directory doesn't exist
Router#
Router#dir
Directory of flash:/ips/
2 -rw- 11236690 Mar 1 2002 00:24:40 +00:00 IOS-S465-CLI.pkg
8 -rw- 704 Mar 1 2002 02:33:24 +00:00 Router-sigdef-default.xml
7 -rw- 255 Mar 1 2002 02:33:26 +00:00 Router-sigdef-delta.xml
6 -rw- 4365 Mar 1 2002 02:33:26 +00:00 Router-sigdef-typedef.xml
5 -rw- 1557 Mar 1 2002 02:33:26 +00:00 Router-sigdef-category.xml
4 -rw- 257 Mar 1 2002 02:33:28 +00:00 Router-seap-delta.xml
3 -rw- 491 Mar 1 2002 02:33:28 +00:00 Router-seap-typedef.xml
66936832 bytes total (55664640 bytes free)
Router#
Check that the IPS is enabled; notice the Cisco SDF release version matches the package we downloaded (S465).
Router#show ip ips signature
Cisco SDF release version S465.0
Trend SDF release version V0.0
En - possible values are Y, Y*, N, or N*
Y: signature is enabled
N: enabled=false in the signature definition file
*: retired=true in the signature definition file
Cmp - possible values are Y, Ni, Nr, Nf, or No
Y: signature is compiled
Ni: signature not compiled due to invalid or missing parameters
Nr: signature not compiled because it is retired
Nf: signature compile failed
No: signature is obsoleted
Action=(A)lert, (D)eny, (R)eset, Deny-(H)ost, Deny-(F)low
Trait=alert-traits EC=event-count AI=alert-interval
GST=global-summary-threshold SI=summary-interval SM=summary-mode
SW=swap-attacker-victim SFR=sig-fidelity-rating Rel=release
Signature Micro-Engine: multi-string: Total Signatures 44
multi-string enabled signatures: 37
multi-string retired signatures: 40
multi-string compiled signatures: 4
SigID:SubID En Cmp Action Sev Trait EC AI GST SI SM SW SFR Rel
----------- -- ---- ------ --- ----- ---- ---- ----- --- -- -- --- ---
23040:0 Y* Nr A HIGH 0 1 0 0 0 FA N 95 S456
22799:0 Y* Nr A HIGH 0 1 0 0 0 FA Y 95 S456
6744:0 N* Nr A HIGH 0 1 0 0 120 FA N 90 S464
23479:0 Y* Nr A HIGH 0 1 0 0 0 FA N 90 S461
22663:0 Y* Nr A HIGH 0 1 0 0 120 FA N 90 S456
<SNIP>
This is good; all unretired/enabled signatures can be shown as follows:
Router#show ip ips signature | i Y Y
7277:0 Y Y A HIGH 0 1 0 0 0 FA N 85 S357
5795:0 Y Y A HIGH 0 1 0 0 0 FA N 80 S239
5862:0 Y Y A HIGH 0 1 0 0 0 FA N 75 S284
5816:1 Y Y A LOW 0 1 0 0 0 FA Y 70 S300
5126:0 Y Y A HIGH 0 1 0 0 0 FA N 100 S358
5081:0 Y Y A HIGH 0 1 0 0 0 FA N 100 S109
5405:0 Y Y A HIGH 0 1 0 0 0 FA N 100 S84
The signature details can be checked by searching for the signature ID on this Cisco site:
http://tools.cisco.com/security/center/ipshome.x?i=62
Let's test signature 1102. Check whether it is enabled and compiled on the IPS (the include filter also matches 1102x, so look for the exact ID):
Router#show ip ips signature | i 1102
11028:0 N* Nr A LOW 0 1 0 0 0 FA N 85 S139
11026:0 Y* Nr A LOW 0 1 0 0 0 FA N 85 S118
11024:0 N* Nr A LOW 0 15 5 0 0 FA N 85 S71
11020:0 Y Y A LOW 0 1 0 0 0 FA N 100 S183
11023:0 N* Nr A LOW 0 1 0 0 0 FA N 85 S62
11029:0 Y* Nr A LOW 0 1 0 0 0 FA N 75 S139
11025:0 N* Nr A INFO 0 1 0 0 0 FA N 75 S117
11022:0 N* Nr A LOW 0 1 0 0 0 FA N 85 S62
11027:0 N* Nr A LOW 0 1 0 0 0 FA N 75 S182
1102:0 Y Y A HIGH 0 1 0 200 30 FA N 100 S2
11021:0 Y* Nr A LOW 0 10 0 200 30 FA N 75 S62
From the Cisco signature details website we find the details for 1102:
This triggers when an IP packet arrives with source equal to destination address. This signature will catch the so-called Land Attack.
We can use hping to test this (-a spoofs the source address, so source equals destination; no replies are expected, hence the 100% packet loss):
hping -a 192.168.10.1 192.168.10.1
HPING 192.168.10.1 (em0 192.168.10.1): NO FLAGS are set, 40 headers + 0 data bytes
^C
--- 192.168.10.1 hping statistic ---
3 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
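As an added example (not part of the original post, and not hping's code), the following Python builds the same 40-byte IPv4/TCP packet that hping -a sends (source address equal to destination, TCP with no flags, destination port 0, no payload) and applies the condition behind signature 1102 to it: a packet whose IPv4 source equals its destination cannot legitimately arrive on an interface. The addresses and source ports are the ones from the hping run above and are assumed test values; the packets are only constructed in memory, nothing is sent.

```python
import socket
import struct

IPPROTO_TCP = 6


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by the IPv4 and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int = 0, flags: int = 0) -> bytes:
    """IPv4 + TCP headers with no payload: 40 bytes, like hping's default probe.
    flags=0 mirrors hping's "NO FLAGS are set"; both checksums are filled in, so
    the packet is well-formed apart from the (intentionally) impossible addresses."""
    tcp_len = 20
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | 5, 0, 20 + tcp_len, 0x1234, 0,
                         64, IPPROTO_TCP, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 512, 0, 0)
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, IPPROTO_TCP, tcp_len))
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", inet_checksum(pseudo + tcp_hdr)) + tcp_hdr[18:]
    return ip_hdr + tcp_hdr


def parse_ipv4(packet: bytes) -> dict:
    """Decode the IPv4 fields the Land check needs, plus TCP/UDP ports when present."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    info = {
        "version": ver_ihl >> 4,
        "proto": proto,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        # A valid header, summed together with its own checksum field, gives zero.
        "checksum_ok": inet_checksum(packet[:ihl]) == 0,
        "sport": None,
        "dport": None,
    }
    if proto in (IPPROTO_TCP, 17) and len(packet) >= ihl + 4:
        info["sport"], info["dport"] = struct.unpack("!HH", packet[ihl:ihl + 4])
    return info


def tcp_checksum_ok(packet: bytes) -> bool:
    """Verify the TCP checksum over the pseudo-header plus segment."""
    h = parse_ipv4(packet)
    seg = packet[(packet[0] & 0x0F) * 4:]
    pseudo = (socket.inet_aton(h["src"]) + socket.inet_aton(h["dst"])
              + struct.pack("!BBH", 0, IPPROTO_TCP, len(seg)))
    return inet_checksum(pseudo + seg) == 0


def sig_1102_land(packet: bytes) -> bool:
    """The condition behind Cisco IOS IPS Sig 1102 "Impossible IP Packet": src == dst."""
    hdr = parse_ipv4(packet)
    return hdr["version"] == 4 and hdr["src"] == hdr["dst"]


def inspect(packets):
    """Run the check over a list of packets and render hits in the style of the
    %IPS-4-SIGNATURE lines the router logged."""
    alerts = []
    for pkt in packets:
        if sig_1102_land(pkt):
            h = parse_ipv4(pkt)
            alerts.append("Sig:1102 Subsig:0 Impossible IP Packet [%s:%s -> %s:%s]"
                          % (h["src"], h["sport"], h["dst"], h["dport"]))
    return alerts


if __name__ == "__main__":
    # Constructed input: the three probes hping sent above (source ports 1058-1060, dport 0).
    probes = [build_ipv4_tcp("192.168.10.1", "192.168.10.1", sport) for sport in (1058, 1059, 1060)]
    for line in inspect(probes):
        print(line)
    # A normal packet from the TFTP server to the same host is not flagged.
    print(inspect([build_ipv4_tcp("10.0.0.109", "192.168.10.1", 1058)]))
```

The check deliberately decodes the header itself rather than trusting the tool that sent the packet; the checksum helpers are there so that a packet the detector flags is also one a real stack would have accepted, which matters when validating an IPS with crafted traffic.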
On the router we see the following logs:
Router#
*Mar 1 01:28:53.919: %IPS-4-SIGNATURE: Sig:1102 Subsig:0 Sev:100 Impossible IP Packet [192.168.10.1:1058 -> 192.168.10.1:0] RiskRating:100
*Mar 1 01:28:54.931: %IPS-4-SIGNATURE: Sig:1102 Subsig:0 Sev:100 Impossible IP Packet [192.168.10.1:1059 -> 192.168.10.1:0] RiskRating:100
*Mar 1 01:28:55.943: %IPS-4-SIGNATURE: Sig:1102 Subsig:0 Sev:100 Impossible IP Packet [192.168.10.1:1060 -> 192.168.10.1:0] RiskRating:100
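The %IPS-4-SIGNATURE messages above are what a syslog collector receives from the router (the same events are also available over SDEE). As an added example that is not part of the original post, here is Python that parses these lines, counts alerts per signature and address pair, and pulls out the Land-attack hits by checking the parsed source and destination rather than trusting the signature name. The sample log is constructed: the three lines from the router above, plus a made-up non-IPS message and a made-up alert with differing addresses, to show what is and is not matched.

```python
import re
from collections import Counter

# Format of the IOS IPS syslog message seen on the router:
#   *Mar 1 01:28:53.919: %IPS-4-SIGNATURE: Sig:1102 Subsig:0 Sev:100 Impossible IP Packet
#       [192.168.10.1:1058 -> 192.168.10.1:0] RiskRating:100
IPS_ALERT_RE = re.compile(
    r"%IPS-4-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<name>.+?) \[(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\] "
    r"RiskRating:(?P<rr>\d+)"
)

# Constructed sample input: the router's three Sig:1102 lines from the test above,
# plus a made-up non-IPS message and a made-up alert with different addresses.
SAMPLE_LOG = [
    "*Mar 1 01:28:53.919: %IPS-4-SIGNATURE: Sig:1102 Subsig:0 Sev:100 Impossible IP Packet [192.168.10.1:1058 -> 192.168.10.1:0] RiskRating:100",
    "*Mar 1 01:28:54.931: %IPS-4-SIGNATURE: Sig:1102 Subsig:0 Sev:100 Impossible IP Packet [192.168.10.1:1059 -> 192.168.10.1:0] RiskRating:100",
    "*Mar 1 01:28:55.943: %IPS-4-SIGNATURE: Sig:1102 Subsig:0 Sev:100 Impossible IP Packet [192.168.10.1:1060 -> 192.168.10.1:0] RiskRating:100",
    "*Mar 1 01:29:10.003: %SYS-5-CONFIG_I: Configured from console by console",
    "*Mar 1 01:29:12.117: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [10.0.0.109:0 -> 192.168.10.1:0] RiskRating:25",
]


def parse_ips_alert(line: str):
    """Return a dict for an IOS IPS signature alert, or None for any other syslog line."""
    m = IPS_ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("sig", "subsig", "sev", "sport", "dport", "rr"):
        d[k] = int(d[k])
    return d


def parse_log(lines):
    """All IPS alerts in a batch of syslog lines, in order, other messages dropped."""
    return [a for a in map(parse_ips_alert, lines) if a is not None]


def summarize(alerts):
    """Count alerts per (signature, source, destination): repeated hits from one
    source are what you escalate on, single hits are what you tune."""
    return Counter((a["sig"], a["src"], a["dst"]) for a in alerts)


def land_alerts(alerts):
    """Land-attack hits, decided on the parsed addresses, not on the signature name."""
    return [a for a in alerts if a["src"] == a["dst"]]


def high_risk(alerts, threshold=90):
    """Alerts at or above a risk-rating threshold (IOS IPS rates 0-100)."""
    return [a for a in alerts if a["rr"] >= threshold]


if __name__ == "__main__":
    alerts = parse_log(SAMPLE_LOG)
    for key, n in summarize(alerts).items():
        print("Sig %d %s -> %s: %d alert(s)" % (key[0], key[1], key[2], n))
    print("Land packets from source ports:", [a["sport"] for a in land_alerts(alerts)])
    print("High-risk signatures:", [a["sig"] for a in high_risk(alerts)])
```

Keying the summary on the address pair as well as the signature ID is what lets the same parser distinguish one spoofed host hammering a target from a scan that touches many signatures once each.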
More info
Cisco's version of these instructions is here
Testing Exploits
http://exploitsdownload.com/search?q=exploit
http://www.hping.org/download.php
http://www.iv2-technologies.com/HowToTestAnIPS.pdf