All times are UTC




 Post subject: Re: Cisco IDS/IPS fully emulated anyone?
Posted: Thu Jan 06, 2011 6:10 pm
Thanks men!!!
Now it works and that annoying message complaining about an unsupported platform is gone :)) (You said that is just for cosmetics, but it wasn't ;)

I've just added those bytes "30 30 31 00 49 44 53 2D 34 32 33 35 2F 34 32 35 30 00" to "smbios_type_1.bin" ;))
And the result was something else, beautifully I can say...
It is working the same even if you are using just smbios types 0 and 1! (Weird for Cisco)

But there is still VERY BAD news: it is not working with Qemu 0.13.0, no message at all from "/usr/cids/idsRoot/bin/smbios_bios_info"
We will have to find a patch to Qemu or limit to v0.11.0!

Code:
sensor(config)# service analysis-engine
sensor(config-ana)# show settings
[...]
      name: vs0
[...]
         logical-interface (min: 0, max: 999999999, current: 1)
         -----------------------------------------------
            name: ips0
[...]
      name: vs1
[...]
         physical-interface (min: 0, max: 999999999, current: 1)
         -----------------------------------------------
            name: GigabitEthernet0/1
[...]
sensor(config)# service interface
sensor(config-int)# show settings
[...]
      name: ips0
      -----------------------------------------------
         description:  <defaulted>
         interface1: GigabitEthernet0/3
         interface2: GigabitEthernet0/4

Attachment: IDS_SMBIOS_Type_0_and_1.zip [382 Bytes]
Attachment: IDS.jpg [61.87 KiB]


[edit 5-10 minutes later]
After all that hard work I found the [email protected]&$^# solution ;)
Use double quotes only at the ends of the full string ...
Qemu 0.13.0 remains the same :((

Code:
-smbios "type=0,vendor=Phoenix Technologies Ltd.,version=1.10,date=09/30/2002,release=A04"
-smbios "type=1,product=IDS-4235,manufacturer=Cisco Systems,version=1.0,serial=12345789012,uuid=E0A32395-8DFE-D511-8C31-001FC641BA6B,sku=011,family=IDS-4235/4250"




 
 Post subject: Re: Cisco IDS/IPS fully emulated anyone?
Posted: Thu Jan 06, 2011 8:54 pm
Great work!!! I also lost almost the whole day trying to edit the smbios type 0 and type 1 files, and I was able to do it. I used the SMBIOS specification document:

http://www.dmtf.org/sites/default/files ... 5Final.pdf

But the solution with the quotes in the right place is much simpler. And it was so easy, wasn't it? :)

I also see the problem with qemu 0.13.0, but I don't mind. Do you see any advantages of using this new release?

Now, I have an image of one 4240 running 6.1. Do you think we can apply the same techniques and make it work?


  
 
 Post subject: Re: Cisco IDS/IPS fully emulated anyone?
Posted: Thu Jan 06, 2011 9:33 pm
I also saw that documentation today while tracking possible Qemu patches for that issue... (Long day :))
The binary smbios stuff was just a hunch after discovering that all strings are separated by a null "hex 00". After all I was lucky ;)

Of course it is easier, if you have it, but trust me that I would be happy enough to use the binary as well...

The latest Qemu seems to be stable and solved some issues of 0.11.0 (arrow keys in Linux x mode, emulated from windows), but without smbios it sucks!
What you still can do is to change the source code and replace the original strings, but this sucks too, because it will be hardcoded to that only...

About that 4240, well........ WHY NOT!!!

I'm happy now after all, because I have emulated PIX,ASA,IPS,MARS and I can really start to do some labs ;))


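The two points made in the posts above (the bytes appended to "smbios_type_1.bin", and strings being separated by hex 00), worked through as an added example that is not part of the thread. It assumes the SMBIOS 2.4+ Type 1 layout with a 27-byte formatted area; the function names and the sample structure are constructed here, and the thread does not show the actual contents of the poster's file.

```python
import struct

# Bytes quoted in the first post (appended to smbios_type_1.bin).
APPENDED = bytes.fromhex("30 30 31 00 49 44 53 2D 34 32 33 35 2F 34 32 35 30 00")

# Offsets of the string-index bytes in a Type 1 structure (SMBIOS 2.4+ layout).
STRING_FIELDS = {0x04: "manufacturer", 0x05: "product", 0x06: "version",
                 0x07: "serial", 0x19: "sku", 0x1A: "family"}
TYPE1_LEN = 0x1B  # formatted area length, header included

def split_string_set(blob):
    """Split NUL-terminated strings; an extra NUL (or end of data) ends the set."""
    strings, pos = [], 0
    while pos < len(blob) and blob[pos] != 0:
        end = blob.index(0, pos)  # ValueError if a string is not terminated
        strings.append(blob[pos:end].decode("ascii"))
        pos = end + 1
    return strings

def build_type1(values):
    """Build a constructed Type 1 structure (UUID and wake-up type left zero)."""
    area = bytearray(TYPE1_LEN)
    struct.pack_into("<BBH", area, 0, 1, TYPE1_LEN, 0x0100)  # type, length, handle
    string_set = b""
    for index, (offset, name) in enumerate(STRING_FIELDS.items(), start=1):
        area[offset] = index  # 1-based position in the string-set
        string_set += values[name].encode("ascii") + b"\x00"
    return bytes(area) + string_set + b"\x00"  # extra NUL closes the set

def parse_type1(raw):
    """Resolve each string-index byte against the trailing string-set."""
    if len(raw) < TYPE1_LEN or raw[0] != 1 or raw[1] < TYPE1_LEN:
        raise ValueError("not a complete SMBIOS 2.4+ Type 1 structure")
    strings = split_string_set(raw[raw[1]:])
    fields = {}
    for offset, name in STRING_FIELDS.items():
        index = raw[offset]  # 0 means "no string"
        if index > len(strings):
            raise ValueError(f"{name}: index {index} has no string")
        fields[name] = strings[index - 1] if index else None
    return fields

# Constructed sample using the values from the thread's -smbios type=1 line.
SAMPLE = {"manufacturer": "Cisco Systems", "product": "IDS-4235", "version": "1.0",
          "serial": "12345789012", "sku": "011", "family": "IDS-4235/4250"}

if __name__ == "__main__":
    print(split_string_set(APPENDED))
    print(parse_type1(build_type1(SAMPLE)))
```

The appended bytes decode to two NUL-terminated strings, which is why they line up with the last two string fields (SKU number and family) of a Type 1 structure.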
 
 Post subject: Re: Cisco IDS/IPS fully emulated anyone?
Posted: Sat Jan 08, 2011 11:25 am
According to this bug report GNS3 (Windows version)
Emulation from GNS3 will not work with smbios strings because of a "single quote/double quote" incompatibility war between Qemu and Qemuwrapper

Use the binary files to solve this issue (type 1, smbios_type_1.bin), until that bug is fixed.

------------EDIT------------

According to Tariq Ahmad - How to emulate Cisco IPS BrainBump
There is another possibility by removing all quotes from smbios string and this part {manufacturer=Cisco Systems,version=1.0}
which was the reason to use quotes in the first place (space character inside the string): [ topic2918.html#p9075 ]

tariqccie wrote:
-smbios type=1,product=IDS-4235,serial=12345789012,uuid=E0A32395-8DFE-D511-8C31-001FC641BA6B,sku=011,family=IDS-4235/4250

Thanks for sharing ;)


 
 Post subject: Re: Cisco IDS/IPS fully emulated anyone?
Posted: Thu Aug 30, 2012 11:03 pm
I am experiencing this same issue. Was there any resolution to get this version of the IPS to run legit on WIN 7?

Thank you.


 
 Post subject: Re: Cisco IDS/IPS fully emulated anyone?
Posted: Tue Feb 26, 2013 9:29 am
Hi guys, I'm having the same problem with my IPS :/ I'm using this right now:

-smbios type=1,product=IDS-4235,serial=12345789012,uuid=E0A32395-8DFE-D511-8C31-001FC641BA6B,sku=011,family=IDS-4235/4250

Can you please give step-by-step instructions? I'm currently preparing for my IPS 7.0, and I'd like to make a video tutorial and post it on how to emulate an IPS from scratch, thanks


 
 Post subject: Re: Cisco IDS/IPS fully emulated anyone?
Posted: Sat May 18, 2013 8:17 pm
I finally have IPS 6 booting in GNS but anytime I configure the IP address and try to ping a computer on the network the IPS reboots. If I ping the IPS interface from a computer it reboots. Anyone see this or know a fix?

Thanks


 
 Post subject: Re: Cisco IDS/IPS fully emulated anyone?
Posted: Wed Apr 16, 2014 6:30 am
Mine is working fine ... thanks tranzitwww.

Those qemu options without quotes work fine for me.




 