All times are UTC

 Post subject: Cisco IDS/IPS fully emulated anyone?
PostPosted: Mon Dec 06, 2010 11:15 pm 
Hi,
Do any of you fully emulate an IDS v6 in QEMU/VMWARE?
I've used this tutorial to create one and everything worked great during setup: boot OK, IDM works...
But I can't assign any interface to "virtual-sensor vs0" and this makes my IDS Labs=Dreams
I've tried from IDM but it hangs and loses the connection...

No luck from the CLI as well.
Code:
IDS1# configure terminal
IDS1(config)# service analysis-engine
IDS1(config-ana)# virtual-sensor vs0
IDS1(config-ana-vir)# physical-interface GigabitEthernet0/1
IDS1(config-ana-vir)# physical-interface GigabitEthernet0/2
IDS1(config-ana-vir)# exit
IDS1(config-ana)# exit
Apply Changes?[yes]:yes
#Hangs here forever

I think there is something wrong with the interface.conf patch...




 Post subject: Re: Cisco IDS/IPS fully emulated anyone?
PostPosted: Fri Dec 17, 2010 5:48 pm 
After a few attempts, this time I received an error message when exiting from "service analysis-engine" and trying to save the settings...

Code:
IDS1(config-ana)# exit
Apply Changes?[yes]:yes
Error: editConfigDeltaAnalysisEngine : Control transaction cannot be completed at this time
The configuration changes failed validation, no change were applied.
Would you like to return to edit mode and correct the errors? [yes]:


And "show events" says why! The question is how to skip over it....

Code:
IDS1# show events

evError: eventId=1292446218909076200 severity=error vendor=Cisco
  originator:
    hostId: IDS1
    appName: mainApp
    appInstanceId: 354
  time: 2010/12/15 21:17:28 2010/12/15 21:17:28 UTC
  errorMessage: name=errSystemError MainApplication::processExecValidatePlatformCtlTrans errNotAvailable Not a valid IDS-4235 Platform

evStatus: eventId=1292446218909076202 vendor=Cisco
  originator:
    hostId: IDS1
    appName: mainApp
    appInstanceId: 336
  time: 2010/12/15 21:17:29 2010/12/15 21:17:29 UTC
  controlTransaction: command=getPlatformValidationStatus successful=false
    description: Control transaction response.
    requestor:
      user: cids
      application:
        hostId:
        appName: sensorApp
        appInstanceId: 388
    responseData:
      error: schemaVersion=2.00 xmlns=http://www.cisco.com/cids/idiom
        errorMessage: name=errNotAvailable Not a valid IDS-4235 Platform
[...]
evError: eventId=1292446218909076241 severity=warning vendor=Cisco
  originator:
    hostId: IDS1
    appName: sensorApp
    appInstanceId: 443
  time: 2010/12/15 21:17:49 2010/12/15 21:17:49 UTC
  errorMessage: name=errUnclassified Platform validation failed after 100 retries. Not a valid IDS-4235 Platform

evError: eventId=1292446218909076242 severity=warning vendor=Cisco
  originator:
    hostId: IDS1
    appName: sensorApp
    appInstanceId: 443
  time: 2010/12/15 21:17:49 2010/12/15 21:17:49 UTC
  errorMessage: name=errWarning Invalid platform, ignoring packets from all interfaces


Even though Qemu was started with these smbios options, it seems they are not correctly read by the IDS:
Code:
-smbios type=0,vendor="Phoenix Technologies Ltd.",version="1.10",date="09/30/2002",release="A04"
-smbios type=1,product="IDS-4235",manufacturer="Cisco Systems",version="1.0",serial="12345789012",uuid="E0A32395-8DFE-D511-8C31-001FC641BA6B",sku="011",family="IDS-4235/4250"

Code:
bash-2.05b# /usr/cids/idsRoot/bin/smbios_bios_info

BIOS Information:
    Vendor: "Phoenix
    BIOS Version: QEMU
    BIOS Start Addr Seg: 0xe800
    BIOS Release Date: 01/01/2007
    BIOS ROM Size: 64K

System Info
    Manufacturer: "Cisco
    Product Name: "IDS-4235"
    Version:
    Serial Number:
    UUID: 00000000000000000000000000000000

System Enclosure Info
    Manufacturer:
    Version:
    Serial Number:
    Asset Tag:
bash-2.05b#


I replaced that binary "/usr/cids/idsRoot/bin/smbios_bios_info" with some echo statements to make it look nice, but no luck...


Attachment: Qemu-IDS-Boot.jpg (Boot OK)

 Post subject: Re: Cisco IDS/IPS fully emulated anyone?
PostPosted: Mon Jan 03, 2011 11:06 am 
I'm exactly in the same boat as you. It seems we are so close but something is missing. Do you know if the old version 5.0 emulation with VMWare was working fine?

http://7200emu.hacki.at/viewtopic.php?t=3095

Maybe the solution of the smbios problem is to find the source code and then rebuild it in order to fit our needs. I will spend some time investigating this possibility.


 Post subject: Re: Cisco IDS/IPS fully emulated anyone?
PostPosted: Mon Jan 03, 2011 10:29 pm 
Great news, happy training :))

Well, v5 was working with VMWare and that BIOS file "CISCO_IDS4215_440.BIOS.ROM" (I think I have about 4 versions of it, from all over the web :)
But there are many new features in v6, so I don't even want to test it again...

This problem is for sure from SMBIOS.
I've tried some options, like using that file as SMBIOS with Qemu, but it crashes;
replacing '/usr/cids/idsRoot/bin/smbios_bios_info' with a bash script with some echo messages, but no luck (in show version it has an effect, but I think that the analysis-engine rechecks again without that script);

What remains is to find out why Qemu is so dumb and stores only a part of the messages in SMBIOS (small buffer, wrong parsing, etc), or to "patch" the IDS main binary '/usr/cids/idsRoot/bin/cidcli' (analysis-engine) to get rid of this error
Code:
***  ERROR:  UNSUPPORTED HARDWARE DETECTED
This Cisco Systems IDS software version is not supported on this
hardware platform.  Some capabilities will not be available.
For assistance, contact Cisco Systems Technical Assistance Center.

Or create a smbios with this script from a working one...
Code:
dmidecode -t 1 -u | grep $'^\t\t[^"]' | xargs -n1 | \
   perl -lne 'printf "%c", hex($_)' > smbios_type_1.bin

I'll continue this week to see if this year I have better luck ;)


 Post subject: Re: Cisco IDS/IPS fully emulated anyone?
PostPosted: Tue Jan 04, 2011 12:42 am 
I'm playing with hexedit to see if I'm able to find anything. The error messages come from sensorApp. I was able to find those messages inside that binary. But it seems sensorApp calls a function called CidsEnetStub::validatePlatform. This seems to be the function that tells sensorApp that the platform is invalid. But how to find where that CidsEnetStub is implemented? We have work to do :)


 Post subject: Re: Cisco IDS/IPS fully emulated anyone?
PostPosted: Wed Jan 05, 2011 7:46 pm 
I have good news. It seems this is working fine under Linux. Here's what I have:

Attachment: ips4235.jpg


So the problem is related to Qemu under Windows. I was using WIN7 and my Qemu build is based on Qemu 0.11.0. I also tried the new build that is available here:

http://www.gns3.net/download

But the problem is the same. The smbios portion of the code must be broken. I will proceed with some tests under Ubuntu to see if the virtual sensor issue is resolved or not. But I would prefer to have a good Qemu build for Windows.


 Post subject: Re: Cisco IDS/IPS fully emulated anyone?
PostPosted: Wed Jan 05, 2011 11:04 pm 
Nice, but check this out ;)

I've used the "Phoenix" BIOS file "CISCO_IDS4215_440.BIOS.ROM" as the BIOS on a VMWare VM (CentOS 5.3), and after
booting I had the possibility to use "dmidecode -u" and extract all that data. Later, after a bit of hex makeup, it looks like the attached file.

I'm still surprised that qemu allows me to use this command, because it normally has only smbios type 0 and 1.
And yes, it is working the same in windows too...
Code:
-smbios file=smbios_type_0.bin -smbios file=smbios_type_1.bin -smbios file=smbios_type_2.bin -smbios file=smbios_type_3.bin

PS:
The IDS is still not working as expected!!!!!!
Error: "*** ERROR: UNSUPPORTED HARDWARE DETECTED" is still there



Attachments: smbios_0,1,2,3.zip (downloaded 634 times), IDS_smbios.jpg

 
 Post subject: Re: Cisco IDS/IPS fully emulated anyone?
PostPosted: Thu Jan 06, 2011 12:40 am 
Fantastic work you made! The message saying that it's an unsupported platform is normal, I think, because the platform is a "pcAppliance". This is in the ids_functions file.

Now I modified your smbios_type_0.bin and smbios_type_1.bin files in order to match the strings we had before, and after loading only these two it still doesn't work, but I think we are very very close.

I'm attaching the modified smbios files.

I don't see any reference to the "sku" and "family" options in the dmidecode output. Do you think this is what is missing?


Attachment: smbios.zip (downloaded 538 times)

 
 Post subject: Re: Cisco IDS/IPS fully emulated anyone?
PostPosted: Thu Jan 06, 2011 7:39 am 
Quote:
The message saying that it's an unsupported platform is normal i think. Because the platform is a "pcAppliance". This is in the ids_functions file.
I'll double check that, because in VMWare the message is not displayed for IDS v5. For v6 I forgot, because after the network issue I threw it away :)

Quote:
I don't see any reference to the "sku" and "family" options in the dmidecode output. Do you think this is what is missing ?
That is just a common field from the Qemu code, which is not made to emulate the Cisco IDS on purpose ;)
SKU seems to be a number, ex: 470065-200
Code:
http://wiki.qemu.org/download/qemu-doc.html
‘-smbios file=binary’
Load SMBIOS entry from binary file.

‘-smbios type=0[,vendor=str][,version=str][,date=str][,release=%d.%d]’
Specify SMBIOS type 0 fields

‘-smbios type=1[,manufacturer=str][,product=str][,version=str][,serial=str][,uuid=uuid][,sku=str][,family=str]’
Specify SMBIOS type 1 fields


 Post subject: Re: Cisco IDS/IPS fully emulated anyone?
PostPosted: Thu Jan 06, 2011 1:55 pm 
I just tested under Ubuntu without the "sku" and "family" options and it doesn't work, which means we need these two strings defined in the smbios_type_1 file. The question is how do we add these to that file. We need:

sku="011",family="IDS-4235/4250"

I think after this we will have our IPS running correctly.

Working on it.
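Editor's added example (not code from any poster in this thread) of building the smbios_type_1.bin that the last two posts are after, and also of what the dmidecode/perl one-liner earlier in the thread has to end up producing: a Python script that packs an SMBIOS Type 1 (System Information) structure with the SMBIOS 2.4 formatted-area length 0x1B, so that the SKU Number and Family string references at offsets 0x19 and 0x1A exist, appends the string set with its closing double NUL, and parses the result back to check it. The field values are the ones from the -smbios type=1 command line earlier in the thread. The structure handle 0x0100 and the wake-up type "Power Switch" are my assumptions, as is the UUID byte order: the 16 bytes are stored in the order the string is written (big-endian fields), which is how dmidecode reads tables whose entry point is older than SMBIOS 2.6; verify with dmidecode -t 1 on the guest before relying on it.

```python
#!/usr/bin/env python3
"""Build and verify an SMBIOS Type 1 (System Information) structure.

Editor's example, not code from this thread. The output is the raw
structure (formatted area, string set, double-NUL terminator), which is
the layout QEMU's `-smbios file=` option loads verbatim.
"""
import struct
import uuid as uuidlib

SMBIOS_TYPE_SYSTEM_INFO = 1
TYPE1_LENGTH = 0x1B          # SMBIOS 2.4+ formatted area: includes SKU and Family
WAKEUP_POWER_SWITCH = 0x06   # assumed Wake-up Type value; any spec enum value works


def _string_set(values):
    """Return (strings, refs): 1-based references into the string set, 0 = absent."""
    strings, refs = [], []
    for value in values:
        if value:
            strings.append(value)
            refs.append(len(strings))
        else:
            refs.append(0)
    return strings, refs


def build_smbios_type1(manufacturer, product, version, serial, system_uuid,
                       sku, family, handle=0x0100, wakeup=WAKEUP_POWER_SWITCH):
    """Pack a Type 1 structure; the `handle` and `wakeup` defaults are assumptions."""
    strings, refs = _string_set([manufacturer, product, version, serial, sku, family])
    ref_manuf, ref_prod, ref_ver, ref_serial, ref_sku, ref_family = refs
    # Formatted area (27 bytes): type, length, handle, four string refs,
    # 16-byte UUID stored in the order written (big-endian fields, the
    # pre-SMBIOS-2.6 encoding dmidecode assumes; assumption, see lead-in),
    # wake-up type, SKU ref, family ref.
    formatted = struct.pack(
        '<BBHBBBB16sBBB',
        SMBIOS_TYPE_SYSTEM_INFO, TYPE1_LENGTH, handle,
        ref_manuf, ref_prod, ref_ver, ref_serial,
        uuidlib.UUID(system_uuid).bytes,
        wakeup, ref_sku, ref_family)
    # String set: every string NUL-terminated, then one extra NUL closes the
    # set. A structure with no strings at all still carries two NULs.
    string_set = b''.join(s.encode('ascii') + b'\x00' for s in strings) or b'\x00'
    return formatted + string_set + b'\x00'


def parse_smbios_type1(blob):
    """Decode a raw Type 1 structure; raises ValueError on a malformed one."""
    if len(blob) < 4:
        raise ValueError('too short for an SMBIOS structure header')
    stype, length, handle = struct.unpack_from('<BBH', blob, 0)
    if stype != SMBIOS_TYPE_SYSTEM_INFO:
        raise ValueError('not a Type 1 structure (type %d)' % stype)
    if length < 0x19 or len(blob) < length + 2:
        raise ValueError('formatted area too short or structure truncated')
    ref_manuf, ref_prod, ref_ver, ref_serial = struct.unpack_from('<BBBB', blob, 4)
    raw_uuid = blob[8:24]
    wakeup = blob[0x18]
    # SKU and Family refs only exist when the formatted area has the 2.4+ size.
    ref_sku = blob[0x19] if length >= 0x1A else 0
    ref_family = blob[0x1A] if length >= 0x1B else 0
    # The string set starts right after the formatted area and ends at the
    # first double NUL; a hand-assembled file that lost it is rejected here.
    tail = blob[length:]
    end = tail.find(b'\x00\x00')
    if end < 0:
        raise ValueError('string set is not terminated by a double NUL')
    strings = tail[:end].split(b'\x00') if end else []

    def ref(i):
        if i > len(strings):
            raise ValueError('string reference %d out of range' % i)
        return strings[i - 1].decode('ascii') if i else ''

    return {
        'handle': handle, 'length': length,
        'manufacturer': ref(ref_manuf), 'product': ref(ref_prod),
        'version': ref(ref_ver), 'serial': ref(ref_serial),
        'uuid': str(uuidlib.UUID(bytes=raw_uuid)), 'wakeup': wakeup,
        'sku': ref(ref_sku), 'family': ref(ref_family),
    }


if __name__ == '__main__':
    # Values taken from the -smbios type=1 line earlier in the thread.
    blob = build_smbios_type1('Cisco Systems', 'IDS-4235', '1.0', '12345789012',
                              'E0A32395-8DFE-D511-8C31-001FC641BA6B',
                              '011', 'IDS-4235/4250')
    with open('smbios_type_1.bin', 'wb') as fh:
        fh.write(blob)
    print(blob.hex())
    print(parse_smbios_type1(blob))
```

Run it and pass the result to QEMU as -smbios file=smbios_type_1.bin. The parser is the useful half when a file was assembled by hand from a dmidecode -u dump: the Length byte must be 0x1B for the SKU and Family refs to be read at all, every string needs its own 00, and the set needs the extra closing 00; parse_smbios_type1 raises on a file missing that terminator instead of letting the guest read past the end of the table, which is the kind of half-read string ("Cisco without a closing quote) seen in the smbios_bios_info output earlier in the thread.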



