
Snort IPS on ISR, ISRv and CSR - Step-By-Step Configuration


Benefits

  • Helps meet PCI compliance.
  • Threat protection built into ISR and ISRv branch routers and CSR
  • Complements ISR Integrated Security
  • Lightweight IPS solution with low TCO (Total Cost of Ownership) and automated signature updates
  • Supports VRF (16.6)

Documentation

This configuration example is meant to be read alongside the official Snort IPS chapter of the configuration guide, located here:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_utd/configuration/xe-16/sec-data-utd-xe-16-book/snort-ips.pdf

Prerequisite

If it is a physical ISR, it must be running IOS-XE version 3.16.1 or above. If it is a CSR, it must be running 16.3.1 or above, and if it is an ISRv (ENCS), it must be running 16.8.1 or above.

Image Download Links

ISR - https://software.cisco.com/download/home/284389362/type

CSR - https://software.cisco.com/download/home/284364978/type

ISRv - https://software.cisco.com/download/home/286308693/type

Limitations

  • Only TCP, UDP and ICMP packets are diverted to Snort for inspection; other IP protocols are forwarded without inspection
  • Only through-the-box (transit) traffic is diverted to Snort for inspection; traffic sourced by or destined to the router itself is not inspected

Supported Platforms

ISR 4461, 4451, 4431, 4351, 4331, 4321, 4221X, 4221, CSR, ISRv and ISR 1K (X PIDs such as 1111X, 1121X, 1161X etc that support 8GB DRAM only, starting 17.2.1r release)

License Requirements

Security K9 license is required on the ISR 4K routers, CSRs and ISRv. In addition to that, signature subscription 1yr or 3yr is required.

 

Please refer to the data sheet here: http://www.cisco.com/c/en/us/products/collateral/security/router-security/datasheet-c78-736114.html

Topology

topology.jpg

Step-By-Step Configuration

Configure Virtual Service

Copy the UTD Snort IPS engine software (an OVA package) to the router's flash. The file name will be similar to iosxe-utd.16.08.01.1.0.3_SV2983_XE_16_8.ova; the XE version encoded in the file name must match the IOS-XE release running on the router. Once copied, install the virtual service:

virtual-service install name myips package flash:iosxe-utd.16.08.01.1.0.3_SV2983_XE_16_8.ova

Configure Port Groups

Snort Container.jpg

Configure two port groups. The first is for management traffic. This VPG (Virtual Port Group) is used by the container to send logs to the log collector and to pull signature updates from Cisco.com.

The second port group is for data. This VPG carries the packets marked for inspection between the data plane and the Snort container.

Make sure VPG0 has routing (and NAT, if it uses private addressing) to reach the log server and cisco.com, and that name resolution works along that path; the container depends on the router for all of its outbound connectivity, so a missing route or DNS failure here shows up later as a failed signature update.

interface VirtualPortGroup0
  description Management interface
  ip address 172.18.0.1 255.255.255.252
Interface VirtualPortGroup1
  description Data interface
  ip address 192.168.0.1 255.255.255.252 

Activate the virtual service and configure guest IPs

The next step is to configure the guest IP addresses on the container side, matching the subnets of the two port groups, and then activate the virtual service. Make sure to "activate" the service when done.

virtual-service myips
  vnic gateway VirtualPortGroup0
    guest ip address 172.18.0.2
  vnic gateway VirtualPortGroup1
    guest ip address 192.168.0.2
  activate

Configuring UTD (Service Plane)

The following section configures the service plane: whether Snort runs in IPS or IDS mode, where Snort events are sent, which policy and signature update settings to use, and so on.

utd engine standard
 logging host 10.12.5.55
 logging syslog
 threat-inspection
  threat protection        ! "threat protection" = IPS mode; use "threat detection" for IDS mode
  policy security          ! alternatives: "policy balanced" or "policy connectivity"
  signature update server cisco username user1 password #####
  signature update occur-at daily 0 0
  logging level warning
  whitelist

Configuring UTD (Data Plane)

This section configures the data plane settings: whether Snort is enabled on all interfaces or only on selected interfaces, and whether to use "fail close", meaning that when the Snort engine goes down for whatever reason, no traffic subject to inspection is allowed through. Without "fail close" the default behaviour is fail-open, so traffic keeps flowing uninspected while the engine is down.

utd
 all-interfaces
 engine standard
  fail close

Or optionally enable snort under selected interfaces

interface G0/0/2.20
  utd enable
interface G0/0/2.30
  utd enable

Whitelisting (optional)

If a signature produces false positives, it can be whitelisted by signature ID so that it no longer fires:

utd threat-inspection whitelist
  signature id 21599 comment Index
  signature id 20148 comment ActiveX

Verification

Check virtual service

Make sure the virtual service is installed and activated.

ISR4451#show virtual-service list
Virtual Service List:
Name      Status      Package Name
------------------------------------------------------------------------------
myips     Activated   iosxe-utd.16.07.01.1.0.1_SV2983_XE_

ISR4451#show virtual-service detail
Virtual service myips detail
  State                 : Activated
  Owner                 : IOSd
  Package information
    Name                : iosxe-utd.16.07.01.1.0.1_SV2983_XE_16_7.ova
    Path                : bootflash:/iosxe-utd.16.07.01.1.0.1_SV2983_XE_16_7.ova
    Application
      Name              : UTD-Snort-Feature
      Installed version : 1.0.1_SV2983_XE_16_7
      Description       : Unified Threat Defense
    Signing
      Key type          : Cisco release key
      Method            : SHA-1
    Licensing
      Name              : Not Available
      Version           : Not Available
  Detailed guest status   
----------------------------------------------------------------------
Process               Status            Uptime           # of restarts
----------------------------------------------------------------------
climgr                 UP         0Y 9W 1D  1:27: 0        0
logger                 UP         0Y 7W 2D  1: 4:55        0
snort_1                UP         0Y 7W 2D  1: 4:55        0
Network stats:
 eth0: RX  packets:14866913, TX  packets:14776386
 eth1: RX  packets:1079170, TX  packets:10479

Coredump file(s): lost+found
 
  Activated profile name: None
  Resource reservation
    Disk                : 710 MB
    Memory              : 1024 MB
    CPU                 : 25% system CPU
  Attached devices
    Type              Name        Alias            
    ---------------------------------------------
    NIC               ieobc_1     ieobc            
    NIC               dp_1_0      net2             
    NIC               dp_1_1      net3             
    NIC               mgmt_1      mgmt             
    Disk              _rootfs                      
    Disk              /opt/var                     
    Disk              /opt/var/c                   
    Serial/shell                  serial0          
    Serial/aux                    serial1          
    Serial/Syslog                 serial2          
    Serial/Trace                  serial3          
    Watchdog          watchdog-2                   

  Network interfaces
    MAC address             Attached to interface           
    ------------------------------------------------------
    54:0E:00:0B:0C:02       ieobc_1                         
    70:E4:22:9E:BB:3F       VirtualPortGroup0               
    70:E4:22:9E:BB:3E       VirtualPortGroup1               
    70:E4:22:9E:BB:3D       mgmt_1                          
  Guest interface
  ---
  Interface: eth2
  ip address: 192.168.0.2/30
  Interface: eth1
  ip address: 172.18.0.2/30
  ---
  Guest routes
  ---
  Address/Mask                         Next Hop                          Intf.
  -------------------------------------------------------------------------------
  0.0.0.0/0                            192.168.0.1                       eth2
  0.0.0.0/0                            172.18.0.1                        eth1
  ---
  Resource admission (without profile) : passed
    Disk space    : 710MB
    Memory        : 1024MB
    CPU           : 25% system CPU
    VCPUs         : Not specified

Check UTD (service plane)

ISR4451#show utd engine standard config                      
UTD Engine Standard Configuration:
  Operation Mode : Intrusion Prevention
  Policy         : Security

  Signature Update:
    Server    : cisco
    User Name : kusankar
    Password  : PPR[UiL]gdBh_UA][DLJY_MW
    Occurs-at : None

  Logging:
    Server    :  IOS Syslog;  10.1.10.253
    Level     : warning
  Whitelist : Enabled
  Whitelist Signature IDs:
    20148
    21599

  Web-Filter     : Disabled

ISR4451#show utd engine standard status
Engine version       : 1.0.1_SV2983_XE_16_7

Profile              : Low
System memory        :
              Usage  : 73.90 %
              Status : Green
Number of engines    : 1

Engine        Running    CFT flows  Health     Reason    
=======================================================
Engine(#1):   Yes        2          Green      None
=======================================================

Overall system status: Green

Signature update status:
=========================
Current signature package version: 2983.44.s
Last update status: Successful
Last successful update time: Wed Feb 14 09:38:32 2018 PST
Last failed update time: Wed Feb 14 09:01:16 2018 PST
Last failed update reason: ('Connection aborted.', gaierror(-2, 'Name or service not known'))
Next update scheduled at: None
Current status: Idle

Note the "Last failed update reason" in the output above: gaierror(-2, 'Name or service not known') is a DNS resolution failure, meaning the container could not resolve the signature server name. If you see this, verify name resolution and the route out of the management VPG before suspecting the Cisco.com credentials.

Check UTD(data plane)

Make sure the counts for encaps, decaps, redirect and reinject increment over time and that the SN Health shows "Green". Diverted and Re-injected should track each other; the difference is what Snort dropped (the "Service Node flagged flow for dropping" count) plus any packets still in flight.

ISR4451#show platform hardware qfp active feature utd stats
Summary Statistics:
Active Connections                                                         2
TCP Connections Created                                                18282
UDP Connections Created                                                25056
ICMP Connections Created                                                   2
Pkts dropped                                        pkt                 3037
                                                    byt              1713151
Pkts entered policy feature                         pkt               742770
                                                    byt            290045328
Pkts entered divert feature                         pkt               358642
                                                    byt            182273982
Pkts slow path                                      pkt                43340
                                                    byt              3979312
Pkts Diverted                                       pkt               358641
                                                    byt            182272562
Pkts Re-injected                                    pkt               358142
                                                    byt            180660947

Would Drop Statistics (fail-open):

Service Node flagged flow for dropping                                  3037

General Statistics:
Inspection skipped - UTD policy not applicable                        641815
Policy already inspected                                             9247857
Pkts Skipped - New pkt from RP                                      13581686
Response Packet Seen                                                   42979
Feature memory allocations                                             43340
Feature memory free                                                    43345
Feature Object Delete                                                  43345

Diversion Statistics:
redirect                                                              358641
encaps                                                                358641
decaps                                                                363781
reinject                                                              358142
SN offloaded flow                                                      13384
Service Node requested flow bypass drop                                 3037
Flow inspection bypassed                                              768257
decaps: delete requests received total                                 10973
  decaps: delete - protocol decision                                   10973
  decaps: Processed ICMP error packet from SN                              1

Service Node Statistics:
SN Health: Green
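The check described above (the diversion counters should move together between two captures and SN Health should be Green) can be scripted. The following Python is an added example, not code from the original page or from Cisco: it parses two captures of "show platform hardware qfp active feature utd stats" and reports anything that does not look right. Both snapshots embedded in it are constructed; the first copies the page's sample output and the second has its counters advanced by hand as if taken a minute later.

```python
"""Check UTD data-plane counters between two captures of
'show platform hardware qfp active feature utd stats'.

Added example, not from the original page or Cisco. The two snapshots are
constructed: the first copies the page's sample output, the second has its
counters advanced by hand as if taken a minute later.
"""
import re

SNAPSHOT_T0 = """\
Diversion Statistics:
redirect                                                              358641
encaps                                                                358641
decaps                                                                363781
reinject                                                              358142
SN offloaded flow                                                      13384
Service Node requested flow bypass drop                                 3037
Flow inspection bypassed                                              768257

Service Node Statistics:
SN Health: Green
"""

SNAPSHOT_T1 = """\
Diversion Statistics:
redirect                                                              360100
encaps                                                                360100
decaps                                                                365300
reinject                                                              359590
SN offloaded flow                                                      13390
Service Node requested flow bypass drop                                 3041
Flow inspection bypassed                                              769000

Service Node Statistics:
SN Health: Green
"""

DIVERSION_COUNTERS = ("redirect", "encaps", "decaps", "reinject")
SN_DROP = "Service Node requested flow bypass drop"


def parse_utd_stats(text):
    """Return ({counter_name: value}, sn_health) from the command output."""
    counters, health = {}, "Unknown"
    for line in text.splitlines():
        if line.startswith("SN Health:"):
            health = line.split(":", 1)[1].strip()
            continue
        # Counter lines are "<name>   <value>" (or "<name>  pkt  <value>").
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) >= 2 and parts[-1].isdigit():
            counters[parts[0]] = int(parts[-1])
    return counters, health


def check_divert_path(before, after):
    """Return a list of findings; an empty list means the divert path looks healthy."""
    c0, _ = parse_utd_stats(before)
    c1, health = parse_utd_stats(after)
    findings = []
    if health != "Green":
        findings.append(f"SN Health is {health}, expected Green")
    # Traffic must actually be reaching the container: every counter moves.
    for name in DIVERSION_COUNTERS:
        if c1.get(name, 0) <= c0.get(name, 0):
            findings.append(f"{name} did not increment ({c0.get(name)} -> {c1.get(name)})")
    # Everything redirected should have been encapsulated towards the container.
    if c1.get("redirect") != c1.get("encaps"):
        findings.append("redirect != encaps: packets lost before the container")
    # What Snort returned (reinject) plus what it told the router to drop should
    # not exceed what was diverted in the interval; any remainder is in flight.
    diverted = c1.get("redirect", 0) - c0.get("redirect", 0)
    accounted = (c1.get("reinject", 0) - c0.get("reinject", 0)) + (
        c1.get(SN_DROP, 0) - c0.get(SN_DROP, 0))
    if accounted > diverted:
        findings.append(f"reinject+drop ({accounted}) exceeds diverted ({diverted}) in this interval")
    return findings


if __name__ == "__main__":
    for finding in check_divert_path(SNAPSHOT_T0, SNAPSHOT_T1) or ["divert path healthy"]:
        print(finding)
```

Take the two captures some seconds apart while test traffic is flowing through an inspected interface; with no transit traffic the counters legitimately stay flat and the script will report it.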

How to test Snort IPS firing a signature

Using a user agent switcher in the browser

For the following test, make sure the subscription signature set is installed, Snort is in IPS mode and the security policy is configured.

"show utd engine standard config" shows which policy is configured and whether IPS mode is enabled.

"show utd engine standard signature update status" shows which signature package is currently on the router.

From a client behind the router, use the Chrome browser and install the User-Agent Switcher extension. If you are using Firefox, install the user agent switcher for Firefox instead.

User-Agent Switcher for Chrome - Chrome Web Store

Install it and create a custom user agent named "SAH Agent" under the Google Chrome group.

SAH-agent.jpg

Switch the browser to the newly created SAH Agent user agent and then try to load any website.

sah-switcher.jpg

Pages will not load, because the request is dropped in IPS mode. Now check the router logs and you will see the following message:

 

*Mar  1 01:24:16.068: %VMAN-5-VIRT_INST_NOTICE: R0/0: vman: VIRTUAL SERVICE myips LOG: 2018/02/28-17:24:15.324389 PST [**] [Instance_ID: 1] [**] Drop [**] [1:5808:10] MALWARE-CNC User-Agent known malicious user agent - SAH Agent [**] [Classification: Misc activity] [Priority: 3] [VRF: 2] {TCP} 10.20.30.30:51561 -> 50.19.248.141:80
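The syslog line above carries everything needed to triage a hit: the action, the rule (GID:SID:revision), the rule message, the classification, the VRF and the 5-tuple. The following Python is an added example, not code from the original page or from Cisco, that parses such %VMAN-5-VIRT_INST_NOTICE lines, counts hits per SID and reports any whitelisted SID that is still firing (after the whitelisting step above it should not). The embedded log lines are constructed: the first is the page's own alert; the others are variations whose addresses, timestamps, the rule message for SID 21599 and the "Alert" action string for non-dropping hits are assumptions.

```python
"""Parse Snort IPS alerts as IOS-XE relays them in syslog (%VMAN-5-VIRT_INST_NOTICE).

Added example, not from the original page or Cisco. SAMPLE_LOG is constructed:
line 1 is the page's own alert; the others are variations with assumed
addresses, timestamps, rule message text and an assumed "Alert" action string.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

SAMPLE_LOG = """\
*Mar  1 01:24:16.068: %VMAN-5-VIRT_INST_NOTICE: R0/0: vman: VIRTUAL SERVICE myips LOG: 2018/02/28-17:24:15.324389 PST [**] [Instance_ID: 1] [**] Drop [**] [1:5808:10] MALWARE-CNC User-Agent known malicious user agent - SAH Agent [**] [Classification: Misc activity] [Priority: 3] [VRF: 2] {TCP} 10.20.30.30:51561 -> 50.19.248.141:80
*Mar  1 01:25:02.113: %VMAN-5-VIRT_INST_NOTICE: R0/0: vman: VIRTUAL SERVICE myips LOG: 2018/02/28-17:25:01.000001 PST [**] [Instance_ID: 1] [**] Drop [**] [1:5808:10] MALWARE-CNC User-Agent known malicious user agent - SAH Agent [**] [Classification: Misc activity] [Priority: 3] [VRF: 2] {TCP} 10.20.30.31:40000 -> 50.19.248.141:80
*Mar  1 01:26:00.000: %VMAN-5-VIRT_INST_NOTICE: R0/0: vman: VIRTUAL SERVICE myips LOG: 2018/02/28-17:25:59.500000 PST [**] [Instance_ID: 1] [**] Alert [**] [1:21599:9] (assumed rule message for SID 21599) [**] [Classification: Misc activity] [Priority: 3] [VRF: 2] {TCP} 10.20.30.32:40001 -> 192.0.2.10:80
*Mar  1 01:26:30.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# Field layout as seen in the page's sample line; [VRF: n] is optional so
# the pattern also matches alerts from the global table.
ALERT_RE = re.compile(
    r"VIRTUAL SERVICE (?P<service>\S+) LOG: (?P<ts>\S+ \S+) \[\*\*\] "
    r"\[Instance_ID: (?P<instance>\d+)\] \[\*\*\] (?P<action>[\w-]+) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"\[Classification: (?P<classification>[^\]]*)\] \[Priority: (?P<priority>\d+)\] "
    r"(?:\[VRF: (?P<vrf>\d+)\] )?\{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


@dataclass(frozen=True)
class SnortAlert:
    service: str
    timestamp: str
    action: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    vrf: Optional[int]
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_alert(line):
    """Return a SnortAlert for a UTD alert line, or None for any other syslog line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return SnortAlert(
        service=m["service"], timestamp=m["ts"], action=m["action"],
        gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
        msg=m["msg"], classification=m["classification"],
        priority=int(m["priority"]),
        vrf=int(m["vrf"]) if m["vrf"] else None,
        proto=m["proto"], src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]),
    )


def parse_alerts(text):
    """Parse a whole syslog capture, silently skipping non-UTD lines."""
    return [a for a in (parse_alert(line) for line in text.splitlines()) if a]


def count_by_sid(alerts):
    """Hits per SID, the first thing to look at when tuning false positives."""
    return dict(Counter(a.sid for a in alerts))


def whitelisted_still_firing(alerts, whitelist):
    """SIDs that appear in the log despite being in the utd whitelist."""
    return {a.sid for a in alerts if a.sid in whitelist}


if __name__ == "__main__":
    hits = parse_alerts(SAMPLE_LOG)
    for a in hits:
        print(f"{a.action:5} sid={a.sid} vrf={a.vrf} {a.src}:{a.sport} -> {a.dst}:{a.dport} {a.msg}")
    print("per SID:", count_by_sid(hits))
    print("whitelisted but firing:", whitelisted_still_firing(hits, {20148, 21599}))
```

Feed it the output of the router's syslog (or the collector configured with "logging host") rather than the console; the per-SID counts are what you compare before and after adding a signature to the whitelist.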

Using 'curl' on a linux host

From a Linux client behind the router, you can run curl -A "SAH Agent" http://url.com or curl -v -L -m 10 dfgvx.com to trigger a signature as well.

Troubleshooting

https://supportforums.cisco.com/t5/security-documents/snort-ip-on-isr-isrv-and-csr-troubleshooting/ta-p/3369225

Comments
Cisco Employee

Yes, 4221 does support Snort IPS though it has fixed 4 GB DRAM that is not upgradable.  We did some internal magic to get this done. Check the NPI deck.

 

-Kureli

Beginner

@Kureli Sankar I am looking to run Snort on a CSR1000V.  We would be terminating Phase 1 DMVPN tunnels on the CSR1000V which would be the hub router.  Throughput requirement is pretty low so we would probably be OK with 100M or 250M throughput however does that mean I am locked in to a 1vCPU deployment where the CPU is split across the control plane, service plane, and data plane?  Is it possible to use 2vCPU but still stick with 100M or 250M throughput licensing?  Also, I assume we would need the 4GB memory upgrade since documentation indicates the CSR platform requires 8GB RAM when running snort.

 

Thanks...

Beginner

Hi @Kureli Sankar, I saw that Snort IPS is now supported on ISR 4461 and ISR 1K (8 GB DRAM versions).

Supported Platforms

ISR 4461, 4451, 4431, 4351, 4331, 4321, 4221X, 4221, CSR, ISRv and ISR 1K (X PIDs such as 1111X, 1121X, 1161X etc that support 8GB DRAM only, starting 17.2.1r release)

Does this work with a traditional IOS XE router, or must it be on IOS XE SD-WAN routers?

If it works with traditional IOS XE router, what would be the Snort subscriber SKU?

I cannot find L-SNT4461-S= or L-SNT11xx-S= SKU

Enthusiast

Hello, I am trying the same scenarios with the same config, but packets are never inspected.

Policy already inspected                                             0

I tried with a few versions but the result is the same.

Do you have any experience related to this issue?

Thanks
