Cisco IPS emulated

Protection from Threats

Cisco Intrusion Prevention System (IPS) solutions provide protection against sophisticated threats such as:

  • Targeted attacks
  • Advanced Persistent Threats (APTs)
  • Botnets
  • SQL injection attacks
  • Malware targeting application and OS vulnerabilities

Tools:

  • Windows 7 64bit edition
  • GNS3 v0.8.3.1 (GNS3 0.8.4 RC2 has since been released)
  • qemuwrapper.exe
  • IPS-K9-cd-1.1-a-6.0-6-E3.iso (The version I used during my trials)

qemu-img.exe create ipsdisk1.img 512M

qemu-img.exe create ipsdisk2.img 4000M

C:\Program Files\GNS3>qemu.exe -hda ipsdisk1.img -hdb ipsdisk2.img -m 1024 -cdrom C:\Users\XXX\Desktop\Cisco\GNS3\IOS\IPS-K9-cd-1.1-a-6.0-6-E3.iso -boot d

At the installer boot prompt, type → k

Ctrl-C to break

Now boot from the installed disks (no CD-ROM):

qemu.exe -hda ipsdisk1.img -hdb ipsdisk2.img -m 1024

At the GRUB menu, press → e

  • Again press → e
  • Change init=/loadrc to init=1
  • Press → esc

Press → b

  • /loadrc
  • cd /etc/init.d
  • ./rc.init

ls -l

cp ids_functions ids_functions.orig

vi ids_functions

/845 (to search for the string)

Change the elif branch for the model: DEFAULT_MGT_OS, DEFAULT_MGT_CIDS and HTLBLOW

NOTE: my screenshot says 4215; I had to fix it, it is supposed to be 4235 (otherwise it fails the supported-hardware check on the last boot, sorry)

:wq!

cd /usr/cids/idsRoot/etc

cp interface.conf interface.conf.orig

vi interface.conf

  [models/IDS-4250/interfaces/1]
  name-template=Management0/0
  port-number=0
  pci-path=3.0
  vendor-id=0x8086
  device-id=0x100e
  type=ge
  mgmt-capable=yes
  net-dev-only=yes
  tcp-reset-capable=yes

  [models/IDS-4250/interfaces/2]
  name-template=GigabitEthernet0/0
  port-number=1
  pci-path=4.0
  vendor-id=0x8086
  device-id=0x100e
  type=ge
  sensing-capable=yes
  tcp-reset-capable=yes

  [models/IDS-4250/interfaces/3]
  name-template=GigabitEthernet0/1
  port-number=2
  pci-path=5.0
  vendor-id=0x8086
  device-id=0x100e
  type=ge
  sensing-capable=yes
  tcp-reset-capable=yes

  [models/IDS-4250/interfaces/4]
  name-template=GigabitEthernet0/2
  port-number=3
  pci-path=6.0
  vendor-id=0x8086
  device-id=0x100e
  type=ge
  sensing-capable=yes
  tcp-reset-capable=yes

  [models/IDS-4250/interfaces/5]
  name-template=GigabitEthernet0/3
  port-number=4
  pci-path=7.0
  vendor-id=0x8086
  device-id=0x100e
  type=ge
  sensing-capable=yes
  tcp-reset-capable=yes

:wq!
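The interface.conf edit is the step most likely to go subtly wrong by hand (a duplicated pci-path, a second mgmt-capable port, or a port-number gap), and a mistake only shows up after the next reboot. The script below is an added example, not code from the original post or from Cisco: it regenerates the five stanzas above from a short NIC table and checks the invariants before you paste the file onto the sensor. Assumptions: the NICs are QEMU "e1000" devices (Intel 82540EM, vendor 0x8086 / device 0x100e) enumerated at PCI slots 3.0 onward as in the config above, and the model name (IDS-4250 here) is a parameter you can change.

```python
"""Regenerate and sanity-check interface.conf stanzas for the emulated sensor.

Added example, not from the original post. Assumptions: QEMU e1000 NICs
(vendor 0x8086 / device 0x100e) at PCI slots 3.0, 4.0, ... in enumeration
order, and a model name of IDS-4250 matching the post's config.
"""
import configparser

E1000_VENDOR = "0x8086"   # Intel, as QEMU's e1000 presents itself
E1000_DEVICE = "0x100e"   # 82540EM

# (name-template, pci-path) in the order QEMU enumerates the NICs (assumed).
NICS = [
    ("Management0/0", "3.0"),
    ("GigabitEthernet0/0", "4.0"),
    ("GigabitEthernet0/1", "5.0"),
    ("GigabitEthernet0/2", "6.0"),
    ("GigabitEthernet0/3", "7.0"),
]


def build_interface_conf(model="IDS-4250", nics=NICS):
    """Return interface.conf text: one stanza per NIC, port-number counted from 0."""
    out = []
    for idx, (name, pci) in enumerate(nics, start=1):
        out.append(f"[models/{model}/interfaces/{idx}]")
        out.append(f"name-template={name}")
        out.append(f"port-number={idx - 1}")
        out.append(f"pci-path={pci}")
        out.append(f"vendor-id={E1000_VENDOR}")
        out.append(f"device-id={E1000_DEVICE}")
        out.append("type=ge")
        if name.startswith("Management"):
            # The management port carries CLI/IDM traffic and never sniffs.
            out.append("mgmt-capable=yes")
            out.append("net-dev-only=yes")
        else:
            out.append("sensing-capable=yes")
        out.append("tcp-reset-capable=yes")
        out.append("")
    return "\n".join(out)


def check_interface_conf(text, model="IDS-4250"):
    """Return a list of problems found in an interface.conf text (empty means OK)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    prefix = f"models/{model}/interfaces/"
    sections = [s for s in cp.sections() if s.startswith(prefix)]
    if not sections:
        return [f"no [{prefix}N] sections found"]
    problems, seen_pci, seen_port, mgmt = [], {}, {}, []
    for sec in sections:
        s = cp[sec]
        if (s.get("vendor-id"), s.get("device-id")) != (E1000_VENDOR, E1000_DEVICE):
            problems.append(f"{sec}: vendor/device id is not the QEMU e1000 NIC")
        pci = s.get("pci-path")
        if pci in seen_pci:
            problems.append(f"{sec}: pci-path {pci} already used by {seen_pci[pci]}")
        seen_pci[pci] = sec
        port = s.get("port-number")
        if port in seen_port:
            problems.append(f"{sec}: port-number {port} already used by {seen_port[port]}")
        seen_port[port] = sec
        if s.get("mgmt-capable") == "yes":
            mgmt.append(sec)
        elif s.get("sensing-capable") != "yes":
            problems.append(f"{sec}: neither mgmt-capable nor sensing-capable")
    if len(mgmt) != 1:
        problems.append(f"expected exactly one mgmt-capable interface, found {len(mgmt)}")
    if set(seen_port) != {str(i) for i in range(len(sections))}:
        problems.append("port-number values are not contiguous from 0")
    return problems


if __name__ == "__main__":
    conf = build_interface_conf()
    print(conf)
    print("problems:", check_interface_conf(conf) or "none")
```

Run it on your own interface.conf (read the file and pass it to check_interface_conf) before rebooting; if you add or remove a -net nic in the QEMU command line, change NICS to match, since the pci-path slots shift with the number of emulated NICs.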

reboot

It will reboot a couple of times. Log in and change the password (default: cisco / cisco).

Modify the GNS3 Qemu config:

-smbios type=1,product=IDS-4235,serial=12345789012,uuid=E0A32395-8DFE-D511-8C31-001FC641BA6B,sku=011,family=IDS-4235/4250

Configure → Cloud to local loopback

Start all devices. Follow the IPS console on QEMU until the "Sensor #" prompt appears.

Run setup.

Modify the ACL to allow network 192.168.X.0/XX and save (option 2).

Open https://192.168.100.2/idm/index.html

Log on and open IDM 🙂