My Account | View Cart | Wishlist | Checkout | About Us | Contact Us
CCNP Certification: Basic setup of an Intrusion Detection System

Introduction

In preparation of our CCNP exam, we want to make sure we cover the various concepts that we could see on our Cisco CCNP exam. So to assist you, below we will discuss the Basic setup of an Intrusion Detection System(IDS).

This document describes how to configure an Intrusion Detection System (IDS, formerly NetRanger) Director and Sensor to send TCP resets on an attempted Telnet to a range of addresses which include the managed router if the sent string is "testattack".


Requirements

When considering this configuration, please remember to:


  • Install the Sensor and verify that it works properly before you perform this configuration.
  • Ensure that the sniffing interface spans to the managed router's outside interface.
Components Used

The information in this document is based on these software and hardware versions:


  • Cisco IDS Director 2.2.3
  • Cisco IDS Sensor 3.0.5
  • Cisco IOS® Router running Software Release 12.2.6

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.



Configure

In this section, you are presented with the information to configure the features described in this document.

Note: To find additional information on the commands used in this document, use the Command Lookup Tool ( registered customers only).


Network Diagram

This document uses the network setup shown in this diagram.



Configurations

This document uses these configurations.


  • Router Light
  • Router House


Configure the Sensor

Complete these steps to configure the Sensor.


  1. Telnet to 10.64.10.49 (the IDS Sensor) with the username root and the password attack.
  2. Type sysconfig-sensor.
  3. When prompted, enter the configuration information, as shown in this example:

    1 - IP Address: 10.64.10.49
    2 - IP Netmask: 255.255.255.224
    3 - IP Host Name: sensor-2
    4 - Default Route: 10.64.10.33
    5 - Network Access Control
    64.
    10.
    6 - Communications Infrastructure
    Sensor Host ID: 49
    Sensor Organization ID: 900
    Sensor Host Name: sensor-2
    Sensor Organization Name: cisco
    Sensor IP Address: 10.64.10.49
    IDS Manager Host ID: 50
    IDS Manager Organization ID: 900
    IDS Manager Host Name: dir3
    IDS Manager Organization Name: cisco
    IDS Manager IP Address: 10.64.21.50
  4. When prompted, save the configuration and allow the Sensor to reboot.
Add the Sensor into the Director

Complete these steps to add the Sensor into the Director.


  1. Telnet to 10.64.21.50 (the IDS Director) with the username netrangr and the password attack.
  2. Type ovw& to launch HP OpenView.
  3. From the Main Menu, go to Security > Configure.
  4. In the Configuration File Management Utility, go to file > Add Host and click Next.
  5. Complete the Sensor host information, as shown in this example. Click Next.
  6. Accept the default settings for the type of machine, and click Next, as shown in this example.
  7. You may either change the log and shun minutes or you may accept the default values. However, you must change the Network Interface name to the name of your sniffing interface. In this example, it is "iprb0". It can be "spwr0" or anything else depending on the Sensor type and how you connect your Sensor.
  8. Continue to click Next and then click Finish to add the Sensor into the Director. From the main menu, you should now see sensor-2, as in this example.
Configure TCP Reset for the Cisco IOS Router

Complete these steps to configure TCP reset for the Cisco IOS router.


  1. In the Main Menu, go to Security > Configure.
  2. In the Configuration File Management Utility, highlight sensor-2 and double-click it.
  3. Open Device Management.
  4. Click Devices > Add. Enter the device information, as shown in the following example. Click OK to continue. Both the Telnet and enable passwords are Cisco.
  5. Open the Intrusion Detection window and click Protected Networks. Add the range of addresses from 10.64.10.1 to 10.64.10.254 into the protected network.
  6. Click Profile and select Manual Configuration. Next, click Modify Signatures. Choose Matched Strings with an ID of 8000. Click Expand > Add to add a new string called testattack. Enter the string information, as shown in this example, and click OK to continue.
  7. You have finished this part of the configuration. Click OK to close the Intrusion Detection window.
  8. Open the System Files folder, then the Daemons window. Make sure you have these daemons enabled:
  9. Click OK to continue.
  10. Choose the version you just modified, click Save and then Apply. Wait for the system to tell you that the Sensor has finished restarting services, then close all the windows for the Director Configuration.
Launch the Attack and TCP Reset

Telnet from Router Light to Router House and type testattack. As soon as you hit the Space or Enter key, your Telnet session resets. You will connect to Router House.

light#telnet 10.64.10.45
Trying 10.64.10.45 ... Open

User Access Verification
Password:
house>en
Password:
house#testattack
[Connection to 10.64.10.45 closed by foreign host]

!--- Telnet session has been reset because the
!--- signature testattack was triggered.


Verify

There is currently no verification procedure available for this configuration.

Troubleshoot

This section provides information you can use to troubleshoot your configuration.

Telnet to 10.64.10.49, the Sensor, using the username root and the password attack. Type cd /usr/nr/etc. Type cat packetd.conf. If you correctly set TCP reset for testattack, you should see a four (4) in the Action Codes field. This indicates TCP reset as shown in this example.

netrangr@sensor-2:/usr/nr/etc
>cat packetd.conf | grep "testattack"
RecordOfStringName 51304 23 3 1 "testattack"
SigOfStringMatch 51304 4 5 5 # "testattack"

If you accidentally set the action to "none" in the signature, you will see a zero (0) in the Action Codes field. This indicates no action as seen in this example.

netrangr@sensor-2:/usr/nr/etc
>cat packetd.conf | grep "testattack"
RecordOfStringName 51304 23 3 1 "testattack"
SigOfStringMatch 51304 0 5 5 # "testattack"

The TCP resets are sent from the sniffing interface of the Sensor. If there is a switch connecting the Sensor interface to the outside interface of the managed router, when you configure using the set span command in the switch, use this syntax:

set span < src_mod/src_port>< dest_mod/dest_port> both inpkts enable

banana (enable) set span 2/12 3/6 both inpkts enable
Overwrote Port 3/6 to monitor transmit/receive traffic of Port 2/12
Incoming Packets enabled. Learning enabled. Multicast enabled.
banana (enable)
banana (enable)
banana (enable) show span

Destination : Port 3/6

!--- Connect to sniffing interface of the Sensor.

Admin Source : Port 2/12

!--- Connect to FastEthernet0/0 of Router House.

Oper Source : Port 2/12
Direction : transmit/receive
Incoming Packets: enabled
Learning : enabled
Multicast : enabled

We hope you found this Cisco certification article helpful. We pride ourselves on not only providing top notch Cisco CCNP exam information, but also providing you with the real world Cisco CCNP skills to advance in your networking career.

Specials more
Cisco CCNA & Super Economy CCNP Kit
Cisco CCNA & Super Economy CCNP Kit
$1,499.99
$1,379.99
Specials more
Advanced CCNA/Starter CCNP Kit IV
Advanced CCNA/Starter CCNP Kit IV
$899.99
$714.99
Specials more
Cisco CCNA 3 Router & 3 Switch Lab Kit!
Cisco CCNA 3 Router & 3 Switch Lab Kit!
$559.99
$479.99
Specials more
Cisco Dual 2501 8/8 Router CCNA Kit
Cisco Dual 2501 8/8 Router CCNA Kit
$179.99
$149.99
Specials more
CCNA Study Value Pack
CCNA Study Value Pack
$84.99
$59.99
Shopping Cart more
0 items