Cisco Security Professional's Guide to Secure Intrusion Detection Systems, part 5 ppsx

246 Chapter 6 • Configuring the Cisco IDSM Sensor

    switch>(enable) set security acl map WEBTRAF 10
    switch>(enable) set security acl capture-ports 4/1

This sets up the capture for only Web traffic, permitting everything else to pass the IDSM. The permit any any is the magic key that lets the rest of the traffic go past the IDSM. We then commit the VACL called WEBTRAF. The security ACL map is set to WEBTRAF, and VLAN 10 is mapped to the ACL. Lastly, we set the ACL to use module 4, and employ port 1 as the capture port for the IDSM.

Configuring Trunks to Manage Traffic Flow

A method of managing the amount of traffic seen by the IDSM sensor is to manage the trunks and the VLANs on the trunks. An example of this would be having a single IDSM sensor and needing to monitor a single VLAN. This can be accomplished by clearing VLANs from the IDSM sensor monitoring port and then assigning the VLAN we are interested in back to the monitoring port. In the following example, we step through the process. We have three VLANs, VLAN 501, VLAN 502, and VLAN 503, on module 4, port 1. So we will first clear the VLANs from the port by using this command:

    switch>(enable) clear trunk 4/1 2-1005,1025-4094

Now we will reassign VLAN 502 back to the monitoring port:

    switch>(enable) set trunk 4/1 502
    switch>(enable) set vlan 502 4/1

We now assign module 4 and port 1 as the capture port using the following command:

    switch>(enable) set security acl capture-ports 4/1

Verifying the Configuration

To verify that the IDSM is configured correctly, we have several commands at our disposal. The most common command, as you might guess, is the show config command at the switch, just as on a router. This gives us the entire configuration of the switch. The next command of great use is show span, which displays the SPAN configuration on the switch. We can also use show security acl, which shows us the VACL settings.

www.syngress.com 267_cssp_ids_06.qxd 9/30/03 3:41 PM Page 246

On the IDSM itself, we can use the same show configuration command to get the config of the IDSM. The show eventfile current command allows us to look at the log files of the IDSM.

Updating the Cisco IDSM Sensor

Updating the IDSM sensor might result from a need to move to newer code, or because the current image has been corrupted. A different reason for updating (or, more appropriately, recovering the IDSM sensor) is that the password has been forgotten. In any case, the image of the IDSM sensor OS needs to be replaced.

The IDSM sensor has two partitions on the internal hard drive. The first is the application partition, hdd:1. The second is the maintenance partition, hdd:2. Both of these partitions contain a complete operating system, and therefore the IDSM sensor can be booted from either partition. The partition that the IDSM sensor booted from is called the active partition. Any update to the IDSM sensor operating system must be done to an offline partition, so the production partition needs to be taken offline by booting to the maintenance partition.

Be aware that when updating the IDSM sensor, the process must be done at the command line. Updating the IDSM requires administrative privileges on the maintenance partition. This is why we reboot to the maintenance partition and log in as ciscoids, using the password attack. If no upgrade has been done before, we need to set the network settings for the IDSM sensor so that it can communicate with the network, in particular with the FTP server that holds the new CAB files for the update. Setting the network parameters in maintenance mode is accomplished by using the ids-installer command. The update file that ids-installer will use must reside on an FTP server or the IDS Director.
In the following examples, we used an FTP server called "Cerberus FTP Server," which is free for personal and non-profit use and can be found at www.cerberusftp.com.

Booting the IDSM Sensor from Partition 2

In order to boot from a particular partition, we can set the default partition by using the command set boot device, as shown in the following example:

    switch> (enable) set boot device hdd:2 4
    Device BOOT variable = hdd:2
    Warning: Device list is not verified but still set in the boot string.
    switch> (enable)

Alternatively, we can have the IDSM boot from a given partition temporarily, as shown in the following example:

    Switch> (enable) reset 4 hdd:2

This command will reset module 4 and have it boot off boot device hdd number 2, which is the maintenance partition. We can see this in Figure 6.6.

Figure 6.6 Booting IDSM Module 4 off Partition 2

    switch> (enable) reset 4 hdd:2
    This command will reset module 4.
    Unsaved configuration on module 4 will be lost
    Do you want to continue (y/n) [n]? y
    Module 4 shut down in progress, please don't remove module until shutdown completed.
    2003 Jun 15 07:29:44 PDT -07:00 %PAGP-5-PORTFROMSTP:Port 4/1 left bridge port 4/1
    2003 Jun 15 07:29:44 PDT -07:00 %DTP-5-NONTRUNKPORTON:Port 4/1 has become non-trunk
    2003 Jun 15 07:32:01 PDT -07:00 %SYS-3-SUP_OSBOOTSTATUS:Starting IDSM Diagnostics
    2003 Jun 15 07:32:41 PDT -07:00 %SYS-3-SUP_OSBOOTSTATUS:IDSM diagnostics completed successfully.
    2003 Jun 15 07:32:50 PDT -07:00 %SYS-5-MOD_OK:Module 4 is online
    2003 Jun 15 07:32:51 PDT -07:00 %SYS-3-MOD_PORTINTFINSYNC:Port Interface in sync for Module 4
    2003 Jun 15 07:32:51 PDT -07:00 %DTP-5-TRUNKPORTON:Port 4/1 has become dot1q trunk
    2003 Jun 15 07:32:51 PDT -07:00 %PAGP-5-PORTTOSTP:Port 4/1 joined bridge port 4/1
    2003 Jun 15 07:32:51 PDT -07:00 %PAGP-5-PORTTOSTP:Port 4/2 joined bridge port 4/2
    2003 Jun 15 07:33:21 PDT -07:00 %CDP-4-NVLANMISMATCH:Native vlan mismatch detected on port 3/5
    switch2> (enable)

As we saw in Figure 6.6, there are several messages that tell us module 4 is being reset and that diagnostics are being run. We can see the bridge port messages of ports 1 and 2 leaving the switch and coming back into the switch. In Figure 6.7, we are logging into the IDSM after the reset to partition 2. We can see that the hostname of the IDSM is now shown as maintenance.

Figure 6.7 Logging in to the Maintenance Partition of the IDSM

    switch> (enable) session 4
    Trying IDS-4
    Connected to IDS-4.
    Escape character is '^]'
    login: ciscoids
    Password: attack
    maintenance# show
    configure     Enter configuration mode
    diagnostics   Enter diagnostic command menu
    exit          Exit from Telnet session
    show          Show system parameters
    shutdown      Shutdown the system
    maintenance#

We can also see that this version of the IDSM sensor operating system offers very few commands to work with. No IDS commands are available from the maintenance partition. To get back to our production IDSM operating system, all we need to do is log out of the IDSM sensor and use the reset module command, but leave the boot device off. Now that we have learned how to boot the IDSM sensor into maintenance mode using the second partition, we are ready to upgrade the OS of the IDSM.
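The reset messages in Figure 6.6 are also what a defender should be watching for on the switch: while port 4/1 is out of the bridge the IDSM captures nothing, and a module that comes back unconfigured reports "Network is unguarded!" (as in the post-install reboot later in this chapter). The following Python is an added example, not code from the book or from Cisco; it parses the CatOS message format shown above and reports the blind window. The sample log is constructed from the chapter's own lines (the unguarded message merged into the Figure 6.6 sequence), and the port and module numbers are the chapter's.

```python
"""Flag IDSM monitoring gaps from Catalyst 6500 CatOS syslog lines.

Added example; not code from the book or from Cisco. Parses the
message format in Figure 6.6 (timestamp, then
%FACILITY-SEVERITY-MNEMONIC:text), measures how long the capture
port was out of the bridge, and notes an unconfigured boot.
"""
import re
from datetime import datetime

# Constructed sample: Figure 6.6 lines plus the "unguarded" boot
# message from the post-install reboot, inserted at a made-up time.
SAMPLE_LOG = """\
2003 Jun 15 07:29:44 PDT -07:00 %PAGP-5-PORTFROMSTP:Port 4/1 left bridge port 4/1
2003 Jun 15 07:29:44 PDT -07:00 %DTP-5-NONTRUNKPORTON:Port 4/1 has become non-trunk
2003 Jun 15 07:32:01 PDT -07:00 %SYS-3-SUP_OSBOOTSTATUS:Starting IDSM Diagnostics
2003 Jun 15 07:32:41 PDT -07:00 %SYS-3-SUP_OSBOOTSTATUS:IDSM diagnostics completed successfully.
2003 Jun 15 07:32:49 PDT -07:00 %SYS-3-SUP_OSBOOTSTATUS:IDSM has not been configured. Network is unguarded!
2003 Jun 15 07:32:50 PDT -07:00 %SYS-5-MOD_OK:Module 4 is online
2003 Jun 15 07:32:51 PDT -07:00 %PAGP-5-PORTTOSTP:Port 4/1 joined bridge port 4/1
2003 Jun 15 07:32:51 PDT -07:00 %PAGP-5-PORTTOSTP:Port 4/2 joined bridge port 4/2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \S+ [+-]\d{2}:\d{2} "
    r"%(?P<facility>[A-Z]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+):(?P<text>.*)$"
)

def parse_line(line):
    """Return a dict for one CatOS syslog line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y %b %d %H:%M:%S")
    d["severity"] = int(d["severity"])
    return d

def idsm_gaps(log_text, capture_port="4/1"):
    """Seconds the capture port spent out of the bridge, plus whether
    the module announced it was unconfigured (monitoring is blind)."""
    findings = {"blind_seconds": None, "unguarded": False, "events": []}
    left_at = None
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        text = ev["text"]
        # Trailing space keeps "Port 4/1 " from matching "Port 4/10 ...".
        if ev["mnemonic"] == "PORTFROMSTP" and f"Port {capture_port} " in text:
            left_at = ev["ts"]
            findings["events"].append(("capture_port_down", ev["ts"]))
        elif ev["mnemonic"] == "PORTTOSTP" and f"Port {capture_port} " in text:
            if left_at is not None:
                findings["blind_seconds"] = int((ev["ts"] - left_at).total_seconds())
            findings["events"].append(("capture_port_up", ev["ts"]))
        elif ev["mnemonic"] == "SUP_OSBOOTSTATUS" and "unguarded" in text.lower():
            findings["unguarded"] = True
            findings["events"].append(("unguarded", ev["ts"]))
    return findings

if __name__ == "__main__":
    print(idsm_gaps(SAMPLE_LOG))
```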
In the following example, we will upgrade the IDSM V1 sensor from version 2.5 to 3.0 of the OS. The first step is to boot to the second partition, just as we did before, using the reset command, as shown in Figure 6.8.

Figure 6.8 Using the reset Command to Boot to the Maintenance Partition

    Switch>(enable) reset 4 hdd:2
    This command will reset module 4.
    Unsaved configuration on module 4 will be lost
    Do you want to continue (y/n) [n]? y
    Module 4 shut down in progress, please don't remove module until shutdown completed.
    Switch> (enable) 2003 Jun 15 07:29:44 PDT -07:00 %PAGP-5-PORTFROMSTP:Port 4/1 left bridge port 4/1
    2003 Jun 15 07:29:44 PDT -07:00 %DTP-5-NONTRUNKPORTON:Port 4/1 has become non-trunk
    2003 Jun 15 07:32:01 PDT -07:00 %SYS-3-SUP_OSBOOTSTATUS:Starting IDSM Diagnostics
    2003 Jun 15 07:32:41 PDT -07:00 %SYS-3-SUP_OSBOOTSTATUS:IDSM diagnostics completed successfully.
    2003 Jun 15 07:32:50 PDT -07:00 %SYS-5-MOD_OK:Module 4 is online
    ::text truncated for clarity::

Upgrading the IDSM Sensor

Remember that hdd:2 will boot the IDSM off the OS on the second partition. Once the IDSM has completely rebooted and run through its diagnostics, we are ready to configure the maintenance IDSM OS for a network connection. First, we will session into the IDSM and log in as we have done before. Then we will use the ids-installer command to verify any network configuration, or to add the network information, as shown in the following example:

    switch-2> (enable) session 4
    Trying IDS-4
    Connected to IDS-4.
    Escape character is '^]'.
    login: ciscoids
    Password: attack

We change to diagnostic mode by typing diag, and then we verify the existing network configuration, if there is one:

    maintenance#(diag) ids-installer netconfig /view
    IP Configuration for Control Port:
    IP Address         : 0.0.0.0
    Subnet Mask        : 0.0.0.0
    Default Gateway    : 0.0.0.0
    Domain Name Server : 77.1.1.1
    Domain Name        : cisco
    Host Name          : CISCO_IDS
    maintenance(diag)#

To either change or configure the network settings, we use the ids-installer command with the following command-line parameters:

    ids-installer netconfig /configure /ip=ip_address /subnet=subnet_mask /gw=default_gateway /dns=dns_server /domain=nw_domain /hostname=host_name

In the following example of the ids-installer command, we see how to change the network configuration in diag mode of the maintenance partition:

    maintenance(diag)# ids-installer netconfig /configure /ip=10.10.10.101 /subnet=255.255.0.0 /gw=10.10.10.1 /hostname=testids

Table 6.2 lists the ids-installer netconfig parameters and what they mean.

Table 6.2 ids-installer netconfig Parameters

Parameter         Notes
netconfig         This keyword specifies that a network configuration action will take place.
/configure        This keyword specifies the configuration of port parameters.
/ip               This keyword specifies an IP address as a parameter.
ip_address        This is the IP address of the IDSM command and control port (port 2).
/subnet           This keyword specifies the subnet mask address parameter.
subnet_mask       This is the subnet mask for the IDSM command and control port.
/gw               This keyword specifies the default gateway parameter.
default_gateway   This is the IP address of the default gateway for the IDSM.
/dns              This is an OPTIONAL keyword that specifies the DNS server.
ip_address        This is the IP address of the optional DNS server parameter.
/domain           This is an OPTIONAL keyword that specifies a network domain name.
nw_domain         This is the network domain name assigned to the command and control port.
/hostname         This OPTIONAL keyword specifies the hostname assigned to the IDSM.
host_name         This is the hostname assigned to the IDSM.

To install the image to the partition, we use the ids-installer command mentioned earlier. This command has several parameters that can be used to install the image. The command line is structured as shown in this example:

    ids-installer system /nw /install /server=ip_address /user=username /dir=directory /prefix=update_file /save=yes

Table 6.3 lists the command-line arguments that can be used.

Table 6.3 ids-installer Command-Line Parameters to Install an Image

Parameter     Notes
system        This keyword specifies that a system action will be performed.
/nw           This keyword specifies that the installation of the image will be done from the network.
/install      This keyword specifies that the system action will be to install.
/server       This keyword specifies that the image file will be on an FTP server.
ip_address    This is the IP address of the FTP server.
/user         This specifies that a username is required to log in to the FTP server.
username      This is the username required.
/dir          This specifies that the files are stored in a specific directory.
directory     This is the directory name where the files are stored.
/prefix       This specifies that the update filename prefix is required.
update_file   This is the update filename that will be installed, but without the extension.
/save         This keyword specifies that the image will be saved as a cached copy.
yes | no      If yes, then the image will be cached. If no, the image is installed but not cached.

In the following example, we will have the IDSM do a network install of the new code from an FTP server, using a specific user account:

    maintenance(diag)# ids-installer system /nw /install /server=10.1.2.11 /user=ciscoids /save=yes /dir='ftpupload' /prefix=IDSMk9-a-3.0-1-S4

The FTP server is 10.1.2.11, and the user ID is ciscoids. We are saving the image to cache, and the directory name on the FTP server is ftpupload. The filename is IDSMk9-a-3.0-1-S4, without the .bin extension. In Figure 6.9, we see the complete upgrade of an IDSM V1 in progress. Note that it has been shortened in some places for brevity.

Figure 6.9 Complete Upgrade of IDSM V1

    maintenance(diag)# ids-installer system /nw /install /server=10.1.2.11 /user=ciscoids /save=no /dir='ftpupload' /prefix=IDSMk9-a-3.0-1-S4
    Please enter login password: *****
    Downloading the image File 01 of 05
    Downloading the image File 02 of 05
    Downloading the image File 03 of 05
    Downloading the image File 04 of 05
    Downloading the image File 05 of 05
    FTP STATUS: Installation files have been downloaded successfully!
    Validating integrity of the image PASSED!
    Formatting drive C:\
    Verifying 4016M
    0 percent completed.1 percent completed.2 percent completed.3 percent completed.4 percent completed.5
    ::shortened for brevity::
    100 percent completed.Format completed successfully.
    4211310592 bytes total disk space.
    4206780416 bytes available on disk.
    Volume Serial Number is C49D-CFDA
    Extracting the image
    ::shortened for brevity::
    STATUS: Image has been successfully installed on drive C:\!
    maintenance(diag)# exit
    maintenance# exit
    switch>(enable) reset 4 hdd:2
    This command will reset module 4.
    Unsaved configuration on module 4 will be lost
    Do you want to continue (y/n) [n]? y
    Module 4 shut down in progress, please don't remove module until shutdown completed.
    switch>(enable) 2003 Jun 17 13:15:06 PDT -07:00 %SYS-3-SUP_OSBOOTSTATUS:Starting IDSM Diagnostics
    2003 Jun 17 13:15:49 PDT -07:00 %SYS-3-SUP_OSBOOTSTATUS:IDSM diagnostics completed successfully.
    2003 Jun 17 13:15:49 PDT -07:00 %SYS-3-SUP_OSBOOTSTATUS:IDSM has not been configured. Network is unguarded!
    2003 Jun 17 13:15:49 PDT -07:00 %SYS-3-SUP_OSBOOTSTATUS:Use session to login to IDSM and run setup.
    2003 Jun 17 13:15:58 PDT -07:00 %SYS-5-MOD_OK:Module 4 is online

Verifying the IDSM Sensor Upgrade

Once the IDSM sensor has rebooted and completed its self-diagnostics, we need to log back into the IDSM sensor and run the setup command, since the original configuration has been overwritten. We can see in Figure 6.10 that the new configuration is void of data except for the default IP address and mask. We also see that the version of the software is 3.0(1)S4.

Figure 6.10 Verifying the Successful Upgrade of the IDSM Sensor

    switch>(enable) session 4
    Trying IDS-4
    Connected to IDS-4.
    Escape character is '^]'.
    login: ciscoids
    Password:
    # show config
    Using 38240256 out of 267702272 bytes of available memory
    !
    Using 439668736 out of 4211310592 bytes of available disk space
    !
    Sensor version is : 3.0(1)S4
    ; Note that the preceding line shows our new version number of the OS.
    !
    Sensor application status:
    nr.postofficed not running
    nr.fileXferd not running
    nr.loggerd not running
    nr.packetd not running
    nr.sapd not running
    Configuration last modified Never
    Sensor:
    IP Address: 10.0.0.1
    Netmask: 255.0.0.0
    Default Gateway:
    Host Name: Not Set
    Host ID: Not Set
    Host Port: 45000
    Organization Name: Not Set
    Organization ID: Not Set
    Director:
    IP Address: Not Set
    Host Name: Not Set
    Host ID: Not Set
    Host Port: 45000
    Heart Beat Interval (secs): 5
    Organization Name: Not Set
    Organization ID: Not Set
    Direct Telnet access to IDSM: disabled
    #

Shutting Down the IDSM Sensor

In order to disable or to remove the IDSM sensor from a live switch, we need to shut down the IDSM sensor. If...

[...]

Figure 6.15 Service Pack Installation on an IDSM v1 Sensor

    Installing files from 3.0(6)S23
    Starting NetRanger Signatures Merging Utility
    Checking file: C:\Program Files\Cisco Systems\Netranger/etc/packetd.conf
    Adding signature: SigOfGeneral 993 to C:\Program Files\Cisco Systems\Netranger/etc/packetd.conf
    Adding signature: SigOfGeneral 1107 to C:\Program...

[...]

    4,47,2003/06/18,22:40:23,2003/06/18,14:40:23,10008,57,100,OUT,OUT,2,3030,0,TCP/IP,10.4.2.75,0.0.0.0,0,139,0.0.0.0,
    4,48,2003/06/18,23:21:50,2003/06/18,15:21:50,10008,57,100,OUT,OUT,2,3030,0,TCP/IP,10.8.3.24,0.0.0.0,0,139,0.0.0.0,7

To start with clear counters and to clear out the statistics, we use the diag resetcount command, as shown next:

    idsm(diag)# diag resetcount

To clear out a configuration, we can use...

[...]

...access to thousands of other FAQs at ITFAQnet.com.

Q: How do I get into the IDSM to configure it?

A: With a default configuration, there is only one way in, and that is to use the session command from the switch console. This can be changed to allow Telnet directly to the IDSM.

Q: How do I upgrade my IDSM?

A: To upgrade the IDSM sensor, boot to the maintenance partition using the reset command and go into the...

[...]

...the command line. In order to start using the IDSM sensor, you need to configure the monitoring port to capture the appropriate VLAN traffic. To do this on a Catalyst 6000/6500 switch, we use the set vlan command. Once we have the monitor port in the correct VLAN, we can either configure SPAN or use a VACL, depending on the need. SPAN is easier to configure but does not have...

[...]

...sensor. The first, port 1, is for monitoring the traffic. The second, port 2, is used to command and control the IDSM sensor. The IDSMv1 needs to have a director to manage the sensor, while IDSMv2 can be managed by web, Telnet, or a director.

Configuring the Cisco IDSM Sensor

The initial configuration is accomplished by using the setup command. There are two partitions on a Cisco IDSM: one for the operation and...

[...]

...order for the IDSM sensor to analyze traffic, we need to assign it to the correct VLAN(s) that we want to analyze by using the set vlan command. If we want to just filter traffic at the IP level, we can use the SPAN command. If we want to filter traffic at a port level or a MAC level, we use VACLs.

Updating the Cisco IDSM Sensor

Updating the operating system of the sensor requires you to boot the sensor from...

[...]

...the Windows-based operating system, you need to properly shut down the IDSM before hitting the power switch. The proper way to shut down the IDSM is to use the shutdown command from the Catalyst switch console. If the shutdown command fails to work, you can use the Shutdown button to force the IDSM to shut down.

NOTE The default for the IDSM configuration is to have the direct Telnet feature of the IDSM...
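Because the install in Figure 6.9 reformats drive C:\ and the sensor comes back with no configuration, a wrong gateway in the netconfig step or a /prefix that still carries its .bin extension is only discovered after the application partition is gone. The following Python is an added example, not code from the book or from Cisco: it assembles the two ids-installer command lines from Tables 6.2 and 6.3 and checks them before they are typed into the maintenance partition. Parameter names and their order follow the chapter; the checks and the helper names are assumptions.

```python
"""Pre-flight builder for the IDSM maintenance-partition ids-installer
command lines (Tables 6.2 and 6.3 of the chapter).

Added example, not the book's or Cisco's code. Switch names and order
come from the chapter; the validation rules are this example's own.
"""
import ipaddress

def build_netconfig(ip, subnet, gw, dns=None, domain=None, hostname=None):
    """Return 'ids-installer netconfig /configure ...' or raise ValueError."""
    iface = ipaddress.ip_interface(f"{ip}/{subnet}")   # validates ip and mask
    if iface.ip == ipaddress.ip_address("0.0.0.0"):     # the unset value /view shows
        raise ValueError("control port address is still 0.0.0.0")
    gateway = ipaddress.ip_address(gw)
    if gateway not in iface.network:
        raise ValueError(f"gateway {gw} is not inside {iface.network}")
    if gateway == iface.ip:
        raise ValueError("gateway must differ from the control port address")
    parts = [f"/ip={iface.ip}", f"/subnet={iface.netmask}", f"/gw={gateway}"]
    if dns:                                            # optional switches, Table 6.2
        parts.append(f"/dns={ipaddress.ip_address(dns)}")
    if domain:
        parts.append(f"/domain={domain}")
    if hostname:
        parts.append(f"/hostname={hostname}")
    return "ids-installer netconfig /configure " + " ".join(parts)

def build_install(server, user, directory, prefix, save="yes"):
    """Return 'ids-installer system /nw /install ...' or raise ValueError."""
    ipaddress.ip_address(server)                        # FTP server is given as an IP
    if save not in ("yes", "no"):
        raise ValueError("/save takes yes or no")
    if prefix.lower().endswith(".bin"):
        raise ValueError("/prefix is the update filename without its .bin extension")
    if not prefix or any(c.isspace() for c in prefix):
        raise ValueError("/prefix must be a single filename prefix")
    return (f"ids-installer system /nw /install /server={server} /user={user} "
            f"/dir='{directory}' /prefix={prefix} /save={save}")

def parse_switches(cmdline):
    """Split an ids-installer line into {switch: value or None}, so a line
    pasted from a session can be checked against what was intended."""
    out = {}
    for tok in cmdline.split()[1:]:
        if tok.startswith("/"):
            key, _, val = tok.partition("=")
            out[key] = val or None
    return out

if __name__ == "__main__":
    # Values are the chapter's own example (Table 6.2 / Figure 6.9).
    print(build_netconfig("10.10.10.101", "255.255.0.0", "10.10.10.1", hostname="testids"))
    print(build_install("10.1.2.11", "ciscoids", "ftpupload", "IDSMk9-a-3.0-1-S4"))
```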
272 Chapter 7 • Cisco IDS Alarms and Signatures

Introduction

Once the Cisco IDS sensor is racked and operational, and the IDS management device or director is configured and communicating properly, it is time to tune the IDS signatures to the traffic patterns that occur on your network. We need to run the sensor for a period of time, normally a week or so, to build a baseline of activity to look at. Without...

[...]

...enhancement to Packet Signature Detection, which does not consider any context. The most common implementations of Context-Based Signature Detection are designed to look for attack signatures in particular fields, or use a particular offset within a packet stream (based on the protocol).

www.syngress.com 267_cssp_ids_07.qxd 9/30/03 2:28 PM Page 275

You need to keep...

Posted: 13/08/2014, 15:20
