Snort IPS on ISR, ISRv and CSR - Step-By-Step Configuration


Benefits

  • Helps meet PCI compliance.
  • Threat protection built into ISR and ISRv branch routers and CSR
  • Complements ISR Integrated Security
  • Lightweight IPS solution with low TCO (Total Cost of Ownership) and automated signature updates
  • Supports VRF (16.6)

Documentation

This configuration example is meant to be interpreted with the aid of the official documentation from the configuration guide located here:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_utd/configuration/xe-16/sec-data-utd-xe-16-book/snort-ips.pdf

Prerequisite

If it is a physical ISR it must be running IOS-XE version 3.16.1 or above. If it is a CSR it must be running 16.3.1 or above and if it is an ISRv (ENCS) then it must be running 16.8.1 or above.

Image Download Links

ISR - https://software.cisco.com/download/home/284389362/type

CSR - https://software.cisco.com/download/home/284364978/type

ISRv - https://software.cisco.com/download/home/286308693/type

Limitations

  • Only TCP, UDP and ICMP packets are diverted to Snort for inspection
  • Only through-the-box (transit) traffic is diverted to Snort for inspection; traffic destined to or sourced from the router itself is not

Supported Platforms

ISR 4461, 4451, 4431, 4351, 4331, 4321, 4221X, 4221, CSR, ISRv and ISR 1K (X PIDs such as 1111X, 1121X, 1161X etc that support 8GB DRAM only, starting 17.2.1r release)

License Requirements

Security K9 license is required on the ISR 4K routers, CSRs and ISRv. In addition to that, signature subscription 1yr or 3yr is required.

 

Please refer to the data sheet here: http://www.cisco.com/c/en/us/products/collateral/security/router-security/datasheet-c78-736114.html

Topology

[Figure: topology.jpg]

Step-By-Step Configuration

Configure Virtual Service

Copy the UTD Snort IPS engine software (the OVA package) to the router's flash. The file name will look similar to iosxe-utd.16.08.01.1.0.3_SV2983_XE_16_8.ova. Once copied, install the virtual service:

virtual-service install name myips package flash:iosxe-utd.16.08.01.1.0.3_SV2983_XE_16_8.ova

Configure Port Groups

[Figure: Snort Container.jpg]

Configure two port groups. The first is for management traffic: this VPG (Virtual Port Group) is used to source logs to the log collector and to pull signature updates from Cisco.com.

The second port group is for data: this VPG carries the packets that arrive on the data plane and are marked for IPS inspection to and from the Snort container.

Make sure NAT and routing are in place so that VPG0 can reach the log server and cisco.com to fetch the signature update files.

interface VirtualPortGroup0
  description Management interface
  ip address 172.18.0.1 255.255.255.252
interface VirtualPortGroup1
  description Data interface
  ip address 192.168.0.1 255.255.255.252

Activate the virtual service and configure guest IPs

The next step is to activate the virtual service and configure matching guest IPs for the container side, on the same subnet as each VPG. Make sure to "activate" the service when done.

virtual-service myips
  vnic gateway VirtualPortGroup0
    guest ip address 172.18.0.2
  vnic gateway VirtualPortGroup1
    guest ip address 192.168.0.2
  activate

Configuring UTD (Service Plane)

This section configures whether Snort runs in IPS or IDS mode, where the Snort events are sent, and which policy and profile Snort uses.

utd engine standard
  logging host 10.12.5.55
  logging syslog
  threat-inspection
    threat protection (protection-ips, detection-ids)
    policy security (balanced, connectivity)
    signature update server cisco username user1 password #####
    signature update occur-at daily 0 0
    logging level warning
    whitelist

Configuring UTD (Data Plane)

This section configures the data plane settings: whether Snort is enabled on all interfaces or only on selected interfaces, and whether to use "fail close", meaning that when the Snort engine goes down for whatever reason, no traffic is allowed through.

utd
  all-interfaces
  engine standard
  fail close

Or, optionally, enable Snort only under selected interfaces:

interface G0/0/2.20
  utd enable
interface G0/0/2.30
  utd enable

Whitelisting (optional)

If you see any false positives, there is an option to whitelist signatures.

utd threat-inspection whitelist
  signature id 21599 comment Index
  signature id 20148 comment ActiveX

Verification

Check virtual service

Make sure the virtual service is installed and activated.

ISR4451#show virtual-service list
Virtual Service List:

Name                    Status            Package Name
------------------------------------------------------------------------------
myips                   Activated         iosxe-utd.16.07.01.1.0.1_SV2983_XE_

ISR4451#show virtual-service detail
Virtual service myips detail
  State                 : Activated
  Owner                 : IOSd
  Package information
    Name                : iosxe-utd.16.07.01.1.0.1_SV2983_XE_16_7.ova
    Path                : bootflash:/iosxe-utd.16.07.01.1.0.1_SV2983_XE_16_7.ova
    Application
      Name              : UTD-Snort-Feature
      Installed version : 1.0.1_SV2983_XE_16_7
      Description       : Unified Threat Defense
    Signing
      Key type          : Cisco release key
      Method            : SHA-1
    Licensing
      Name              : Not Available
      Version           : Not Available
  Detailed guest status   
----------------------------------------------------------------------
Process               Status            Uptime           # of restarts
----------------------------------------------------------------------
climgr                 UP         0Y 9W 1D  1:27: 0        0
logger                 UP         0Y 7W 2D  1: 4:55        0
snort_1                UP         0Y 7W 2D  1: 4:55        0
Network stats:
 eth0: RX  packets:14866913, TX  packets:14776386
 eth1: RX  packets:1079170, TX  packets:10479

Coredump file(s): lost+found
 
  Activated profile name: None
  Resource reservation
    Disk                : 710 MB
    Memory              : 1024 MB
    CPU                 : 25% system CPU
  Attached devices
    Type              Name        Alias            
    ---------------------------------------------
    NIC               ieobc_1     ieobc            
    NIC               dp_1_0      net2             
    NIC               dp_1_1      net3             
    NIC               mgmt_1      mgmt             
    Disk              _rootfs                      
    Disk              /opt/var                     
    Disk              /opt/var/c                   
    Serial/shell                  serial0          
    Serial/aux                    serial1          
    Serial/Syslog                 serial2          
    Serial/Trace                  serial3          
    Watchdog          watchdog-2                   

  Network interfaces
    MAC address             Attached to interface           
    ------------------------------------------------------
    54:0E:00:0B:0C:02       ieobc_1                         
    70:E4:22:9E:BB:3F       VirtualPortGroup0               
    70:E4:22:9E:BB:3E       VirtualPortGroup1               
    70:E4:22:9E:BB:3D       mgmt_1                          
  Guest interface
  ---
  Interface: eth2
  ip address: 192.168.0.2/30
  Interface: eth1
  ip address: 172.18.0.2/30
  ---     
  Guest routes
  ---
  Address/Mask                         Next Hop                          Intf.
-------------------------------------------------------------------------------
0.0.0.0/0                            192.168.0.1                       eth2    
0.0.0.0/0                            172.18.0.1                        eth1    
  ---
  Resource admission (without profile) : passed
    Disk space    : 710MB
    Memory        : 1024MB
    CPU           : 25% system CPU
    VCPUs         : Not specified

Check UTD (service plane)

ISR4451#show utd engine standard config                      
UTD Engine Standard Configuration:
  Operation Mode : Intrusion Prevention
  Policy         : Security

  Signature Update:
    Server    : cisco
    User Name : kusankar
    Password  : PPR[UiL]gdBh_UA][DLJY_MW
    Occurs-at : None

  Logging:
    Server    :  IOS Syslog;  10.1.10.253
    Level     : warning
  Whitelist : Enabled
  Whitelist Signature IDs:
    20148
    21599

Web-Filter      : Disabled
ISR4451#show utd engine standard status
Engine version       : 1.0.1_SV2983_XE_16_7

Profile              : Low
System memory        :
              Usage  : 73.90 %
              Status : Green
Number of engines    : 1

Engine        Running    CFT flows  Health     Reason    
=======================================================
Engine(#1):   Yes        2          Green      None
=======================================================

Overall system status: Green

Signature update status:
=========================
Current signature package version: 2983.44.s
Last update status: Successful
Last successful update time: Wed Feb 14 09:38:32 2018 PST
Last failed update time: Wed Feb 14 09:01:16 2018 PST
Last failed update reason: ('Connection aborted.', gaierror(-2, 'Name or service not known'))
Next update scheduled at: None
Current status: Idle

Check UTD (data plane)

Make sure the counts increment for encaps, decaps, redirect and reinject, and that the health shows "Green".

ISR4451#show platform hardware qfp active feature utd stats
Summary Statistics:
Active Connections                                                         2
TCP Connections Created                                                18282
UDP Connections Created                                                25056
ICMP Connections Created                                                   2
Pkts dropped                                        pkt                 3037
                                                    byt              1713151
Pkts entered policy feature                         pkt               742770
                                                    byt            290045328
Pkts entered divert feature                         pkt               358642
                                                    byt            182273982
Pkts slow path                                      pkt                43340
                                                    byt              3979312
Pkts Diverted                                       pkt               358641
                                                    byt            182272562
Pkts Re-injected                                    pkt               358142
                                                    byt            180660947

Would Drop Statistics (fail-open):

Service Node flagged flow for dropping                                  3037

General Statistics:
Inspection skipped - UTD policy not applicable                        641815
Policy already inspected                                             9247857
Pkts Skipped - New pkt from RP                                      13581686
Response Packet Seen                                                   42979
Feature memory allocations                                             43340
Feature memory free                                                    43345
Feature Object Delete                                                  43345

Diversion Statistics:
redirect                                                              358641
encaps                                                                358641
decaps                                                                363781
reinject                                                              358142
SN offloaded flow                                                      13384
Service Node requested flow bypass drop                                 3037
Flow inspection bypassed                                              768257
decaps: delete requests received total                                 10973
  decaps: delete - protocol decision                                   10973
  decaps: Processed ICMP error packet from SN                              1

Service Node Statistics:
SN Health: Green
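To automate the check above (divert counters incrementing between two readings, service node Green), here is an added Python example that is not from the document or from Cisco; it parses two snapshots of this show output and lists what is wrong. The snapshot text is a constructed excerpt in the router's layout with invented values.

```python
import re
from typing import Dict, List

# Constructed excerpt of "show platform hardware qfp active feature utd stats", in the
# router's layout (values invented); the second snapshot is the same output taken later.
SNAPSHOT_BEFORE = """\
Summary Statistics:
Pkts Diverted                                       pkt               358641
                                                    byt            182272562
Pkts Re-injected                                    pkt               358142
                                                    byt            180660947
Diversion Statistics:
redirect                                                              358641
encaps                                                                358641
decaps                                                                363781
reinject                                                              358142
Service Node Statistics:
SN Health: Green
"""
SNAPSHOT_AFTER = (SNAPSHOT_BEFORE.replace("358641", "358900").replace("358142", "358400")
                  .replace("363781", "364100").replace("182272562", "182400000"))

HEALTH_RE = re.compile(r"^SN Health:\s*(?P<health>\w+)")
# Continuation row of a pkt/byt counter (only a unit and a value after leading spaces),
# versus any other counter row: name, optional unit, value.
CONT_RE = re.compile(r"^\s+(?P<unit>pkt|byt)\s+(?P<value>\d+)\s*$")
COUNTER_RE = re.compile(r"^\s*(?P<name>\S.*?)\s+(?:(?P<unit>pkt|byt)\s+)?(?P<value>\d+)\s*$")
DIVERT_COUNTERS = ("redirect", "encaps", "decaps", "reinject")

def parse_utd_stats(text: str) -> Dict[str, object]:
    """Flatten the output into {"redirect": int, "Pkts Diverted.pkt": int, ..., "SN Health": str}."""
    stats: Dict[str, object] = {}
    last = None
    for line in text.splitlines():
        h = HEALTH_RE.match(line)
        if h:
            stats["SN Health"] = h.group("health")
            continue
        c = CONT_RE.match(line)
        if c and last:
            stats[f"{last}.{c.group('unit')}"] = int(c.group("value"))
            continue
        m = COUNTER_RE.match(line)
        if m:                      # headers such as "Summary Statistics:" end without a value
            last = m.group("name")
            key = f"{last}.{m.group('unit')}" if m.group("unit") else last
            stats[key] = int(m.group("value"))
    return stats

def check_utd_health(before: Dict[str, object], after: Dict[str, object]) -> List[str]:
    """The document's verification rule: redirect/encaps/decaps/reinject must increase between
    snapshots and the service node must be Green. Empty list means traffic flows through Snort."""
    findings = []
    for name in DIVERT_COUNTERS:
        if after.get(name, 0) <= before.get(name, 0):
            findings.append(f"{name} did not increment ({before.get(name)} -> {after.get(name)})")
    if after.get("SN Health") != "Green":
        findings.append(f"SN Health is {after.get('SN Health')}, expected Green")
    return findings
```

A stale reinject counter while redirect keeps growing is the signature of packets entering the container and not coming back, which is what the fail-close/fail-open behaviour then decides.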

How to test Snort IPS firing a signature

Using a user agent switcher in the browser

Make sure the subscription signature set is enabled and that the router is in IPS mode with the security policy before running the following test.

"show utd engine standard config" should show you what policy is configured and whether IPS is enabled.

"show utd engine standard signature update status" will show you what signature package is currently on the router.

From a client behind the router, use the Chrome browser and install User-Agent Switcher. If you are using Firefox, install the user agent switcher add-on for Firefox instead.

User-Agent Switcher for Chrome - Chrome Web Store

Install it and create a custom SAH agent under Google Chrome Group.

[Figure: SAH-agent.jpg]

Switch to the newly created SAH agent in the browser's user agent switcher and then try to load any website.

[Figure: sah-switcher.jpg]

Now try to browse. Pages will not load. Check the router logs and you will see a message like the following:

*Mar  1 01:24:16.068: %VMAN-5-VIRT_INST_NOTICE: R0/0: vman: VIRTUAL SERVICE myips LOG: 2018/02/28-17:24:15.324389 PST [**] [Instance_ID: 1] [**] Drop [**] [1:5808:10] MALWARE-CNC User-Agent known malicious user agent - SAH Agent [**] [Classification: Misc activity] [Priority: 3] [VRF: 2] {TCP} 10.20.30.30:51561 -> 50.19.248.141:80

Using curl on a Linux host

From a Linux client behind the router, you can also run curl -A "SAH Agent" http://url.com or curl -v -L -m 10 dfgvx.com to make Snort trigger a signature.
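The router log line above and the line a collector such as Splunk receives (discussed in the comments below) carry the same Snort event body; this added Python example, not part of the original document, parses that body for a SIEM or a quick triage script and handles ICMP events, which carry no ports. The sample lines are constructed, with the addresses and the ICMP rule invented.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample events (addresses invented): the first as the router console logs it
# (wrapped in %VMAN-5-VIRT_INST_NOTICE), the second as a syslog collector such as Splunk
# receives it, the third an ICMP event (constructed, local-rule SID), which carries no ports.
SAMPLE_LINES = [
    "*Mar  1 01:24:16.068: %VMAN-5-VIRT_INST_NOTICE: R0/0: vman: VIRTUAL SERVICE myips LOG: "
    "2018/02/28-17:24:15.324389 PST [**] [Instance_ID: 1] [**] Drop [**] [1:5808:10] "
    "MALWARE-CNC User-Agent known malicious user agent - SAH Agent [**] "
    "[Classification: Misc activity] [Priority: 3] [VRF: 2] {TCP} 10.20.30.30:51561 -> 50.19.248.141:80",
    "Jul 17 16:35:14 192.0.2.1 2018/07/17-18:35:14.513038 CEST [**] [Instance_ID: 1] [**] Alert [**] "
    "[1:27964:5] MALWARE-CNC Win.Trojan.Gh0st variant outbound connection [**] "
    "[Classification: A Network Trojan was Detected] [Priority: 1] [VRF: 3] {TCP} "
    "192.0.2.10:35648 -> 198.51.100.7:443",
    "Jul 17 16:40:02 192.0.2.1 2018/07/17-18:40:02.000001 CEST [**] [Instance_ID: 1] [**] Alert [**] "
    "[1:1000001:1] LOCAL constructed ICMP test rule [**] [Classification: Misc activity] "
    "[Priority: 3] [VRF: 3] {ICMP} 192.0.2.10 -> 198.51.100.7",
]

# The Snort/UTD event body is the same whichever syslog prefix precedes it, so search for it.
# Ports are optional so that ICMP events parse; VRF is optional for non-VRF deployments.
EVENT_RE = re.compile(
    r"\[\*\*\] \[Instance_ID: (?P<instance>\d+)\] \[\*\*\] (?P<action>Alert|Drop) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"\[Classification: (?P<classification>[^\]]*)\] \[Priority: (?P<priority>\d+)\] "
    r"(?:\[VRF: (?P<vrf>\d+)\] )?\{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)
INT_FIELDS = ("instance", "gid", "sid", "rev", "priority", "vrf", "sport", "dport")

def parse_event(line: str) -> Optional[Dict[str, object]]:
    """Parse one UTD Snort event line into a dict; None for lines that are not Snort events.

    "Drop" means the engine blocked the packet (IPS mode); "Alert" means it was logged only.
    Absent optional fields (vrf, ports on ICMP) come back as None.
    """
    m = EVENT_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    for key in INT_FIELDS:
        ev[key] = int(ev[key]) if ev[key] is not None else None
    return ev

def summarize(lines: List[str]) -> Tuple[Dict[str, int], List[Tuple[int, str, str]]]:
    """Count Drop vs Alert events and list (sid, src, dst) of priority-1 events for triage."""
    counts = {"Alert": 0, "Drop": 0}
    high = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:           # e.g. %UTD-5-UTD_HEALTH_CHANGE or unrelated syslog
            continue
        counts[ev["action"]] += 1
        if ev["priority"] == 1:
            high.append((ev["sid"], ev["src"], ev["dst"]))
    return counts, high
```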

Troubleshooting

https://supportforums.cisco.com/t5/security-documents/snort-ip-on-isr-isrv-and-csr-troubleshooting/ta-p/3369225

Comments
Rising star

I was hoping you could answer a question.

1. Is there a roadmap for how long this will be supported? Installing the extra memory and NVRAM is expensive so a roadmap is significant.

Cisco Employee

We will continue to support Snort IPS on ISR 4K.  It is not going anywhere.

-Kureli

Beginner

Hi,

I cannot find any info on how to check the following log, and we are flooded with it:

un 26 2018 08:21:14.448 UTC: %IOSXE-5-PLATFORM: SIP1: cpp_cp: QFP:0.0 Thread:000 TS:00008443534828036544 %UTD-5-UTD_HEALTH_CHANGE: Service node changed state Green => Yellow (2)
Jun 26 2018 08:21:19.051 UTC: %IOSXE-5-PLATFORM: SIP1: cpp_cp: QFP:0.0 Thread:000 TS:00008443539431303514 %UTD-5-UTD_HEALTH_CHANGE: Service node changed state Yellow => Green (3)

 

So it keeps changing between yellow and green.

Cisco Employee

Please open a TAC case and get this investigated.

Make sure you are running a matching Snort engine version to the IOS bin file.

- Kureli

Beginner

Currently it seems that Snort on ISR is only capable to forward to a syslog server. Is there a (easy) way to integrate/manage "snort on ISR" from FirePower management Center?

On a ASA that seems to be possible, but not with a ISR router.

Cisco Employee

That is correct.  Snort IPS on ISR cannot be managed with FMC. 

- Kureli

Beginner
Thanks,

So to get more info and nice stats out of the IPS/UTD function of an ISR4431 I need to buy a UCS-EN 140. Can I then manage the IPS/UTD features from Firepower Management Center?

Cisco Employee

What you have with Snort IPS is just the IPS piece from Firepower.  We do not have an option to create new signatures or tweak existing signatures.  We can however, whitelist signatures should you see false positives.

Firepower offers IPS/AVC, URL Filtering, AMP etc so FMC provides a lot of visibility into all these features that you can enable. Snort IPS on ISR is built into the OS and is the low TCO IPS solution. 

If you need Firepower on ISR then you need to install FTDv on UCS E-Series blade. Follow these links:

At a Glance: http://www.cisco.com/c/en/us/products/security/router-security/at-a-glance-listing.html
Q&A: http://www.cisco.com/c/en/us/products/security/router-security/q-and-a-listing.html
Configuration Guide: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_utd/configuration/xe-3s/sec-data-utd-xe-3s-book.html#concept_0AC4C1AE8D714F1C9533FD3B383EC8AF

https://supportforums.cisco.com/document/13016901/firepower-threat-defense-isr-ips-using-front-panel-port-ucs-e - FirePOWER Threat Defense for ISR 4K & G2 - IPS inline mode using UCS-E front panel port
https://supportforums.cisco.com/document/13050311/firepower-threat-defense-isr-4k-g2-ips-inline-mode-using-vrf-method - FirePOWER Threat Defense for ISR 4K & G2 - IPS inline mode using VRF method

White Paper: http://www.cisco.com/c/en/us/products/collateral/servers-unified-computing/ucs-e-series-servers/white-paper-c11-739289.html#_Toc486544446

- Kureli

Beginner

Sorry, but it is not clear how FireSight compares to Firepower Management Center (VM).
The Q&A URL also only mentions FirePower to manage the Firepower for ISR, and there is a reference to Firesight. Are they one and the same, the latter only being the "old" name?

In the https://www.cisco.com/c/en/us/products/collateral/security/router-security/datasheet-c78-735410.html url I cannot find the SKU for the ISR4431 (only the 4451 is mentioned).

To use only Snort on the ISR pushing logs to syslog is not very handy to read/followup. Is Splunk the only alternative to get the logs or can Firepower manage center also be configured to receive the snort logs?

Jan

Cisco Employee

FireSight and FMC (rebranded name) are one and the same.

Snort IPS can print logs to the syslog server configured on the router or to a 3rd party SIEM server. In our case we recommend Splunk because it has Snort for Splunk App that is capable of parsing through Snort generated logs and provide a nice UI on top talkers, top sigs fired etc.

Configuring UTD (service plane)

utd engine standard
 threat-inspection
  threat protection (protection-ips, detection-ids)
  policy security (balanced, connectivity)
  logging server 10.12.5.55 syslog level warning
  signature update server cisco username <blah>
  signature update occur-at daily 0 0
  whitelist

In the above service plane config section you specify the Splunk server's IP address 10.12.5.55 in addition to syslog.

- Kureli

Hi,

Is the logging to Splunk and the update server VRF "aware"?

Our Splunk server is reachable via the management interface of our ISR 443, but that interface is configured with a VRF. The "utd engine standard", "logging server X.X.X.X" command is not accepting a VRF option. The same holds true for the connection to the update server.

Cisco Employee

So long as you can source the packet from the mgmt interface (VPG0) and reach the update server and the splunk server, UTD is VRF aware.  You just need to make sure proper route leaking is in place.

Try a ping sourced from VPG0 interface and see if you can reach both the servers.

- Kureli

Ok, the Splunk server (7.1.1) is receiving the messages from the Snort UTD, like this in the event description:

Jul 17 16:35:14 10.135.0.24 2018/07/17-18:35:14.513038 CEST [**] [Instance_ID: 1] [**] Alert [**] [1:27964:5] MALWARE-CNC Win.Trojan.Gh0st variant outbound connection [**] [Classification: A Network Trojan was Detected] [Priority: 1] [VRF: 3] {TCP} X.X.X.X:35648 -> Y.Y.Y.Y:443

 

I've installed the app "Cisco Firepower Threat Defense FTD" and added the sourcetype cisco:ftd on the receiving UDP 514 port the ISR is sending the Snort logs to, but I don't get any results in the "Cisco Firepower Threat Defense FTD" dashboard.

Any help to get Splunk configured to properly show events from the Snort sensor would be appreciated.

Cisco Employee

I do not understand your question.  Snort IPS is sending events to Splunk. Correct?

Where did FTD come in the picture?

-Kureli

Cisco Employee

Are the ISR4221 really supported for Snort, since it doesn't meet the 8GB requirement for memory? I can't find any supporting docs that actually say the 4221 is supported. Any feedback would be greatly appreciated.