10-23-2006 10:55 AM - edited 03-10-2019 03:17 AM
The SVR is on VL60, the PC is on VL80.
So, PC(.25)--VL81--GE0/7--VL80--SVI80--SVI60--VL60--SVR(.10)
Sensor interface GigabitEthernet0/7 is assigned to trunk all Vlans 1-4094
CAT65K-PODX#sh ru | in intrusion
intrusion-detection module 6 management-port access-vlan 99
intrusion-detection module 6 data-port 1 trunk allowed-vlan 1-4094
CAT65K-PODX#
The interface is assigned to vs0.
All I am seeing is "unknown 802.1d" when I look at the interface instead of the continuous ping I have from the PC to the SVR. (80.25 to 60.10)
CAT65K-PODX#ses sl 6 pr 1
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.61 ... Open
login: cisco
Password:
Last login: Mon Oct 23 18:16:06 from 127.0.0.51
***NOTICE***
This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to export@cisco.com.
***LICENSE NOTICE***
There is no license key installed on the system.
The system will continue to operate with the currently installed signature set. A valid license must be obtained in order to apply signature updates. Please go to http://www.cisco.com/go/license to obtain a new license or install a license.
IDSM2-PODX# pack disp gi
gigabitEthernet0/2 gigabitEthernet0/7 gigabitEthernet0/8
IDSM2-PODX# pack disp gigabitEthernet0/7
Warning: This command will cause significant performance degradation
tcpdump: WARNING: ge0_7: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ge0_7, link-type EN10MB (Ethernet), capture size 65535 bytes
18:35:17.968178 802.1d unknown version
0x0000: 0180 c200 0000 0016 9dab 3346 8100 e001 ..........3F....
0x0010: 0079 4242 0300 0003 027c 1000 000f f863 .yBB.....|.....c
0x0020: 8400 0000 0000 1000 000f f863 8400 8287 ...........c....
0x0030: 0000 1400 0200 0f00 0000 5000 6369 7363 ..........P.cisc
0x0040: 6f00 0000 0000 0000 0000 0000 0000 0000 o...............
0x0050: 0000 0000 0000 0000 0000 0000 0001 46b6 ..............F.
0x0060: c0ce 9a01 9392 94e2 dcc9 ca1b 3291 0000 ............2...
0x0070: 0000 1000 000f f863 8400 147c 80 .......c...|.
18:35:19.968666 802.1d unknown version
0x0000: 0180 c200 0000 0016 9dab 3346 8100 e001 ..........3F....
0x0010: 0079 4242 0300 0003 027c 1000 000f f863 .yBB.....|.....c
0x0020: 8400 0000 0000 1000 000f f863 8400 8287 ...........c....
0x0030: 0000 1400 0200 0f00 0000 5000 6369 7363 ..........P.cisc
0x0040: 6f00 0000 0000 0000 0000 0000 0000 0000 o...............
0x0050: 0000 0000 0000 0000 0000 0000 0001 46b6 ..............F.
0x0060: c0ce 9a01 9392 94e2 dcc9 ca1b 3291 0000 ............2...
0x0070: 0000 1000 000f f863 8400 147c 80 .......c...|.
2 packets captured
2 packets received by filter
0 packets dropped by kernel
IDSM2-PODX#
10-23-2006 10:56 AM
<<<
CAT65K-PODX#sh intr mo 6 da 1 st
Intrusion-detection module 6 data-port 1:
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Vlans allowed on trunk: 1-4094
Vlans allowed and active in management domain: 1,60,70,80-81,99,901,3100
Vlans in spanning tree forwarding state and not pruned:
1,60,70,80-81,99,901,3100
Administrative Capture Mode: Disabled
Administrative Capture Allowed-vlans:
CAT65K-PODX#sh intr mo 6 da 1 tr
Intrusion-detection module 6 data-port 1:
Specified interface is up line protocol is up (connected)
Hardware is C6k 1000Mb 802.3, address is 0016.9dab.3346 (bia 0016.9dab.3346)
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 1000Mb/s
input flow-control is off, output flow-control is unsupported
Last input never, output 00:00:22, output hang never
Last clearing of "show interface" counters 00:23:50
Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
81 packets input, 6293 bytes, 0 no buffer
Received 80 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 input packets with dribble condition detected
780 packets output, 113107 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
CAT65K-PODX#
No events are being shown even though the sigs are defined and active.
Also, it is NOT an interface-pair, it is an inline VLAN pair configuration. I will post the sensor config next.
10-23-2006 10:58 AM
IDSM2-PODX# sh conf
! ------------------------------
! Version 5.1(1)
! Current configuration last modified Mon Oct 23 16:35:57 2006
! ------------------------------
service interface
physical-interfaces GigabitEthernet0/7
description Pod 1 Sensing Interface
subinterface-type inline-vlan-pair
subinterface 1
description test
vlan1 80
vlan2 81
exit
exit
exit
exit
! ------------------------------
service analysis-engine
virtual-sensor vs0
physical-interface GigabitEthernet0/7 subinterface-number 1
exit
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
general
global-block-timeout 5
exit
exit
! ------------------------------
service host
network-settings
host-ip 10.1.99.99/24,10.1.99.1
host-name IDSM2-PODX
telnet-option enabled
access-list 10.1.60.0/24
access-list 10.1.70.0/24
access-list 10.1.80.0/24
access-list 10.1.99.1/32
access-list 10.1.100.0/24
exit
time-zone-settings
offset -5
standard-time-zone-name EST
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
general
enable-acl-logging true
never-block-hosts 10.1.70.1
never-block-hosts 10.1.80.1
never-block-hosts 10.1.99.1
never-block-networks 10.1.60.0/24
exit
user-profiles MSFC
enable-password cisco
password test
username test
exit
user-profiles PIX
enable-password cisco
password cisco
username cisco
exit
router-devices 10.1.80.1
communication telnet
profile-name MSFC
block-interfaces VLAN80 in
post-acl-name 2020
exit
response-capabilities block
exit
firewall-devices 10.1.80.80
communication telnet
profile-name PIX
exit
firewall-devices 10.1.80.81
communication telnet
profile-name PIX
exit
exit
! ------------------------------
service notification
exit
! ------------------------------
service signature-definition sig0
variables Outside ip-addr-range 10.1.80.0
application-policy
http-policy
http-enable true
exit
exit
signatures 1305 0
status
enabled true
exit
exit
signatures 1306 1
status
enabled true
exit
exit
signatures 1306 2
status
enabled true
exit
exit
signatures 1306 3
status
enabled true
exit
exit
signatures 1306 4
status
enabled true
exit
exit
signatures 1306 5
status
enabled true
exit
exit
signatures 1307 0
status
enabled true
exit
10-23-2006 11:00 AM
exit
signatures 60000 0
alert-severity medium
sig-fidelity-rating 75
sig-description
sig-name BadICMP
sig-string-info BadICMP
sig-comment BadICMP
exit
engine atomic-ip
event-action produce-alert|log-attacker-packets
specify-l4-protocol yes
l4-protocol icmp
specify-icmp-code yes
icmp-code 8
exit
exit
exit
specify-ip-addr-options yes
ip-addr-options ip-addr
specify-src-ip-addr yes
src-ip-addr 10.1.80.25
exit
exit
exit
exit
exit
signatures 60001 0
alert-severity high
sig-fidelity-rating 75
sig-description
sig-name Block BadICMP
sig-string-info Block BadICMP
sig-comment Block BadICMP
exit
engine atomic-ip
event-action produce-alert|request-block-host
specify-l4-protocol yes
l4-protocol icmp
specify-icmp-seq no
specify-icmp-type no
specify-icmp-code yes
icmp-code 0
exit
specify-icmp-id no
specify-icmp-total-length no
exit
specify-payload-inspection no
exit
specify-ip-payload-length no
specify-ip-header-length no
specify-ip-tos no
specify-ip-ttl no
specify-ip-version no
specify-ip-id no
specify-ip-total-length no
specify-ip-option-inspection no
specify-ip-addr-options yes
ip-addr-options ip-addr
specify-src-ip-addr yes
src-ip-addr 10.1.80.25
exit
specify-dst-ip-addr no
exit
exit
exit
event-counter
specify-alert-interval no
exit
alert-frequency
summary-mode summarize
specify-global-summary-threshold no
exit
exit
status
enabled false
exit
exit
signatures 60002 0
alert-severity high
sig-fidelity-rating 75
sig-description
sig-name WatchHTTP
sig-string-info WatchHTTP
sig-comment WatchHTTP
exit
engine service-http
service-ports 80,443
exit
status
enabled false
exit
exit
signatures 60003 0
alert-severity high
sig-fidelity-rating 75
sig-description
sig-name LogICMP
sig-string-info BadICMP
sig-comment BadICMP
exit
engine atomic-ip
event-action produce-alert|log-pair-packets
specify-l4-protocol yes
l4-protocol icmp
specify-icmp-seq no
specify-icmp-type no
specify-icmp-code no
specify-icmp-id no
specify-icmp-total-length no
exit
specify-payload-inspection no
exit
specify-ip-payload-length no
specify-ip-header-length no
specify-ip-tos no
specify-ip-ttl no
specify-ip-version no
specify-ip-id no
specify-ip-total-length no
specify-ip-option-inspection no
specify-ip-addr-options yes
ip-addr-options ip-addr
specify-src-ip-addr yes
src-ip-addr 10.1.80.25
exit
specify-dst-ip-addr no
exit
exit
exit
event-counter
specify-alert-interval no
exit
alert-frequency
summary-mode summarize
specify-global-summary-threshold no
exit
exit
status
enabled false
exit
exit
exit
! ------------------------------
service ssh-known-hosts
rsa1-keys 10.1.80.1
length 512
exponent 65537
modulus 99185532719194806833608326202776763021153657064604804620747308600159428745731517042852081906588402062478059658578012089704942074191546123977278518597538 73
exit
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
port 443
exit
IDSM2-PODX#
10-23-2006 01:06 PM
Resolved the issue. Two problems:
1. Incorrect VLAN membership - the attacking PC was in VL80, not 81. The PC has to be in VL81 but still in the 10.1.80.0/24 subnet.
2. Signature misconfiguration - I had the custom sig looking for ICMP type 8 instead of type 0.
I hope this helps someone else at some point since the IDSM-2 docs are not going to...
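Added worked example, not code from the thread or from Cisco: it decodes the hex dump the sensor's "packet display" printed in the first post, and it models the two causes named in the resolution (a PC in the wrong VLAN of the inline pair, and an ICMP type/code mismatch in the atomic-ip signature). The frame parser, the constructed echo request/reply on VLAN 81, the made-up MAC addresses, and the functions crosses_inline_pair and atomic_icmp_match are my own assumptions; atomic_icmp_match is a simplified stand-in for the sensor's engine, keyed only on the l4-protocol, src-ip-addr, icmp-type and icmp-code fields that appear in the posted config. Echo request is ICMP type 8 code 0 and echo reply is type 0 code 0 (RFC 792), which is why a filter keyed on the code field never sees an 8.

```python
"""Added example (not from the thread): decode what the IDSM-2 sensing port sees."""
import socket
import struct

# tcpdump hex dump copied from the thread's "packet display gigabitEthernet0/7" output.
BPDU_DUMP = """
0x0000: 0180 c200 0000 0016 9dab 3346 8100 e001
0x0010: 0079 4242 0300 0003 027c 1000 000f f863
0x0020: 8400 0000 0000 1000 000f f863 8400 8287
0x0030: 0000 1400 0200 0f00 0000 5000 6369 7363
0x0040: 6f00 0000 0000 0000 0000 0000 0000 0000
0x0050: 0000 0000 0000 0000 0000 0000 0001 46b6
0x0060: c0ce 9a01 9392 94e2 dcc9 ca1b 3291 0000
0x0070: 0000 1000 000f f863 8400 147c 80
"""
INLINE_PAIR = (80, 81)  # vlan1 / vlan2 of subinterface 1 in the posted sensor config

def hexdump_to_bytes(dump):
    """Turn 'tcpdump -x' lines ('0xNNNN: hh hh ...') into raw frame bytes."""
    raw = bytearray()
    for line in dump.strip().splitlines():
        raw += bytes.fromhex(line.partition(":")[2].replace(" ", ""))
    return bytes(raw)

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_frame(raw):
    """Decode Ethernet + optional 802.1Q, then either an LLC STP BPDU or IPv4/ICMP."""
    info = {"dst": mac(raw[0:6]), "src": mac(raw[6:12]), "vlan": None, "proto": None}
    (ethertype,) = struct.unpack("!H", raw[12:14])
    off = 14
    if ethertype == 0x8100:  # 802.1Q: TCI (PCP/DEI/VID) then the real type/length
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        info["vlan"], off = tci & 0x0FFF, 18
    p = raw[off:]
    if ethertype <= 1500 and p[0] == p[1] == 0x42:  # 802.3 length + LLC SAP 0x42 = STP
        _, version, bpdu_type = struct.unpack("!HBB", p[3:7])
        info.update(proto="stp", stp_version=version, stp_type=bpdu_type,
                    root_priority=struct.unpack("!H", p[8:10])[0], root_mac=mac(p[10:16]))
    elif ethertype == 0x0800:
        ihl = (p[0] & 0x0F) * 4
        info.update(src_ip=socket.inet_ntoa(p[12:16]), dst_ip=socket.inet_ntoa(p[16:20]))
        if p[9] == 1:  # protocol 1 = ICMP; type and code are its first two bytes
            info.update(proto="icmp", icmp_type=p[ihl], icmp_code=p[ihl + 1])
    return info

def checksum(data):
    """RFC 1071 one's-complement sum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp_frame(vlan, icmp_type, icmp_code, src_ip, dst_ip):
    """Constructed 802.1Q-tagged IPv4/ICMP echo frame (MACs are made-up sample values)."""
    icmp = struct.pack("!BBHHH", icmp_type, icmp_code, 0, 0x1234, 1) + b"constructed-ping"
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = bytes.fromhex("020000000001" "020000000002") + struct.pack("!HHH", 0x8100, vlan, 0x0800)
    return eth + ip + icmp

def crosses_inline_pair(src_vlan, dst_vlan, pair=INLINE_PAIR):
    """An inline VLAN pair bridges, and therefore inspects, only frames that must move
    from one VLAN of the pair to the other. PC and SVI both in VLAN 80 are switched
    directly, so the sensor never sees that ping."""
    return {src_vlan, dst_vlan} == set(pair)

def atomic_icmp_match(info, src_ip, icmp_type=None, icmp_code=None):
    """Simplified model (an assumption, not the IDSM engine) of the posted atomic-ip
    fields: l4-protocol icmp, src-ip-addr, optional icmp-type / icmp-code."""
    if info.get("proto") != "icmp" or info.get("src_ip") != src_ip:
        return False
    if icmp_type is not None and info["icmp_type"] != icmp_type:
        return False
    return icmp_code is None or info["icmp_code"] == icmp_code

def demo():
    """Echo request 10.1.80.25 -> 10.1.60.10 and the reply, both constructed on VLAN 81."""
    request = parse_frame(build_icmp_frame(81, 8, 0, "10.1.80.25", "10.1.60.10"))
    reply = parse_frame(build_icmp_frame(81, 0, 0, "10.1.60.10", "10.1.80.25"))
    return {
        "bpdu": parse_frame(hexdump_to_bytes(BPDU_DUMP)),
        "pc_in_vlan80_inspected": crosses_inline_pair(80, 80),  # the original setup
        "pc_in_vlan81_inspected": crosses_inline_pair(81, 80),  # the fix
        "code8_hits_request": atomic_icmp_match(request, "10.1.80.25", icmp_code=8),
        "type8_hits_request": atomic_icmp_match(request, "10.1.80.25", icmp_type=8),
        "type0_hits_reply": atomic_icmp_match(reply, "10.1.60.10", icmp_type=0),
    }
```

Running demo() shows that the captured frame is an 802.1Q-tagged frame on VLAN 1, destination 01:80:c2:00:00:00 (the spanning-tree multicast), source 00:16:9d:ab:33:46 (the data-port address in the show interface output above), carrying an STP BPDU with protocol version 3 (MSTP) and type 2; a tcpdump that only decodes versions 0 and 2 prints exactly "802.1d unknown version" for it. In other words the sensing port saw only the switch's own spanning-tree traffic and nothing from VLAN 80 or 81, which is what crosses_inline_pair(80, 80) predicts for a PC sitting in the same VLAN as its gateway SVI. Against the constructed ping, a filter on icmp-code 8 matches neither direction, while icmp-type 8 matches the request from 10.1.80.25 and icmp-type 0 matches the reply.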