- Benefits
- Documentation
- Prerequisite
- Image Download Links
- Limitations
- Supported Platforms
- License Requirements
- Topology
- Step-By-Step Configuration
- Configure Virtual Service using IOx
- Configure Port Groups
- Activate the virtual service and configure guest IPs
- Configuring UTD (Service Plane)
- Configuring UTD (Data Plane)
- Whitelisting (optional)
- Verification:
- Check virtual service
- Check UTD (service plane)
- Engine Status
- Check UTD(data plane)
- How to test Snort IPS firing signature:
- Using 'curl' on a linux host
- Troubleshooting
Benefits
- Helps meet PCI compliance.
- Threat protection built into ISR and ISRv branch routers and CSR
- Complements ISR Integrated Security
- Lightweight IPS solution with low TCO (Total Cost of Ownership) and automated signature updates
- Supports VRF (16.6)
Documentation
This configuration example is meant to be interpreted with the aid of the official documentation from the configuration guide located here:
Prerequisite
If it is a physical ISR it must be running IOS-XE version 3.16.1 or above. If it is a CSR it must be running 16.3.1 or above and if it is an ISRv (ENCS) then it must be running 16.8.1 or above. Catalyst 8300 (starting 17.3.2 and above), 8200 (starting 17.4.1 and above), 8000V (starting 17.4.1 and above).
Image Download Links
Catalyst 8500L - https://software.cisco.com/download/home/286324574/type
Catalyst 8300 - https://software.cisco.com/download/home/286324476/type
Catalyst 8200 - https://software.cisco.com/download/home/286324472/type
Catalyst 8000V - https://software.cisco.com/download/home/286327102/type
ISR - https://software.cisco.com/download/home/284389362/type
CSR - https://software.cisco.com/download/home/284364978/type
ISRv - https://software.cisco.com/download/home/286308693/type
Limitations
- Only tcp, udp and icmp packets will be diverted to snort for inspection
- Only through the box traffic will be diverted to snort for inspection
Supported Platforms
ISR 4461, 4451, 4431, 4351, 4331, 4321, 4221X, 4221, CSR, ISRv and ISR 1K (X PIDs such as 1111X, 1121X, 1161X etc that support 8GB DRAM only, starting 17.2.1r release)
Catalyst 8500L, 8300, 8200, 8000V.
License Requirements
Security K9 license is required on the ISR1K, ISR 4K routers, CSRs and ISRv. In addition to that, signature subscription 1yr or 3yr is required.
DNA-Essentials license is required on the Catalyst 8000 Edge routers mentioned in the Supported Platforms section in order to be able to use IPS/Snort.
Please refer the data sheet here: http://www.cisco.com/c/en/us/products/collateral/security/router-security/datasheet-c78-736114.html
Topology
Step-By-Step Configuration
Configure Virtual Service using IOx
Copy the UTD Snort IPS engine software to the routers flash. The file name should be similar to this
secapp-utd.17.07.01a.1.0.3_SV2.9.16.1_XE17.7.x86_64.tar. Once done, install the virtual service using the IOx commands.
app-hosting install appid UTD package bootflash:secapp-utd.17.07.01a.1.0.3_SV2.9.16.1_XE17.7.x86_64.tar
Configure Port Groups
Configure two port groups. VPG0 for management traffic. This VPG (Virtual Port Group) will be used to source logs to the log collector as well as pulling signature updates from Cisco.com.
The second port group is for data. This VPG1 will be used to send and receive packets that are marked for inspection that arrive on the data plane for IPS inspection.
Make sure to provide proper NAT and routing for VPG0 to be able to reach the log server as well as cisco.com to grab the signature update files.
interface VirtualPortGroup0 description Management interface ip address 192.168.103.1 255.255.255.252 Interface VirtualPortGroup1 description Data interface ip address 192.0.2.1 255.255.255.252
Activate the virtual service and configure guest IPs
Next step is to configure matching guest IPs on the same subnet for the container side. Make sure to "start" the service.
app-hosting appid UTD
app-vnic gateway0 virtualportgroup 0 guest-interface 0
guest-ipaddress 192.168.103.2 netmask 255.255.255.252
app-vnic gateway1 virtualportgroup 1 guest-interface 1
guest-ipaddress 192.0.2.2 netmask 255.255.255.252
app-resource package-profile low (medium, high) ===> this option is not available on ISR1K Routers
start
Configuring UTD (Service Plane)
This following section is to configure whether you want snort in IPS or IDS mode, where do you want to send the snort events sent to, what policy and profile to configure for snort etc.
utd engine standard logging host 10.12.5.55 logging syslog threat-inspection threat protection (protection-ips, detection-ids) policy security (balanced, connectivity) signature update server cisco username user1 password ##### signature update occur-at daily 0 0 logging level warning whitelist (optional)
Configuring UTD (Data Plane)
This section is to configure the data plane settings. Whether we need snort enabled on all the interfaces or on selected interfaces. Whether we need "fail-close" meaning when snort engine goes down for what ever reason, no traffic will be allowed to leave.
utd all-interfaces engine standard fail close =====> fail open is default Or optionally enable snort under selected interfaces interface vlan 101 utd enable interface G0/0/0 utd enable
Whitelisting (optional)
If you see any false positives, there is an option to whitelist signatures.
utd threat-inspection whitelist signature id 21599 comment Index signature id 20148 comment ActiveX
Verification:
Check virtual service
Make sure the virtual service is installed and activated.
kusankar-1121X#show app-hosting list
App id State
---------------------------------------------------------
UTD RUNNING
kusankar-1121X#show app-hosting detail App id : UTD Owner : ioxm State : RUNNING Application Type : LXC Name : UTD-Snort-Feature Version : 1.0.3_SV2.9.16.1_XE17.7 Description : Unified Threat Defense Author : Path : /bootflash/secapp-utd.17.07.01a.1.0.3_SV2.9.16.1_XE17.7.aarch64.tar URL Path : Activated profile name : Resource reservation Memory : 1024 MB Disk : 711 MB CPU : CPU-percent : 33 % VCPU : 0 Platform resource profiles Profile Name CPU(unit) Memory(MB) Disk(MB) -------------------------------------------------------------- Attached devices Type Name Alias --------------------------------------------- Disk /tmp/xml/UtdLogMappings-IOX Disk /tmp/xml/UtdIpsAlert-IOX Disk /tmp/xml/UtdDaqWcapi-IOX Disk /tmp/xml/UtdUrlf-IOX Disk /tmp/xml/UtdTls-IOX Disk /tmp/xml/UtdDaq-IOX Disk /tmp/xml/UtdAmp-IOX Watchdog watchdog-504.0 Disk /opt/var/core Disk /tmp/HTX-IOX Disk /opt/var NIC ieobc_1 ieobc Disk _rootfs NIC dp_1_1 net3 NIC dp_1_0 net2 Serial/Trace serial3 Network interfaces --------------------------------------- eth0: MAC address : 54:e:0:b:c:2 IPv6 address : :: Network name : ---------------------------------------------------------------------- Process Status Uptime # of restarts ---------------------------------------------------------------------- climgr UP 0Y 0W 0D 1:24:50 2 logger UP 0Y 0W 0D 1:19:25 0 snort_1 UP 0Y 0W 0D 1:19:25 0 Network stats: eth0: RX packets:27151, TX packets:27060 eth1: RX packets:4774, TX packets:4564 DNS server: domain kusankar.cisco.com nameserver 208.67.222.222 nameserver 208.67.220.220 nameserver 4.2.2.2 nameserver 192.168.128.1 Coredump file(s): lost+found Interface: eth2 ip address: 192.0.2.2/30 Interface: eth1 ip address: 192.168.103.2/30 Address/Mask Next Hop Intf. ------------------------------------------------------------------------------- 0.0.0.0/0 192.0.2.1 eth2 0.0.0.0/0 192.168.103.1 eth1
Check UTD (service plane)
kusankar-1121X#show utd engine standard config
UTD Engine Standard Configuration:
VirtualPortGroup Id: 1
IPS/IDS : Enabled
Operation Mode : Intrusion Prevention
Policy : Security
Signature Update:
Server : cisco
User Name : ******
Password : [b_TJUZiEbigI_RNM]VIdNAVLgcAQVUEI
Occurs-at : daily ; Hour: 0; Minute: 0
Logging:
Server : IOS Syslog;
Level : debug
Statistics : Disabled
Hostname : kusankar-1121x
Whitelist : Disabled
Port Scan : Disabled
Web-Filter : Disabled
Engine Status
kusankar-1121X#show utd engine standard status
Engine version : 1.0.3_SV2.9.16.1_XE17.7
Profile : Default
System memory :
Usage : 31.70 %
Status : Green
Number of engines : 1
Engine Running Health Reason
=======================================================
Engine(#1): Yes Green None
=======================================================
Overall system status: Green
Signature update status:
=========================
Current signature package version: 29161.245.s
Last update status: Successful
Last successful update time: Sat Jun 4 19:07:10 2022 EST
Last failed update time: None
Last failed update reason: None
Next update scheduled at: Sunday Jun 05 00:00 2022 EST
Current status: Idle
Check UTD(data plane)
Make sure the counts increment for encap, decap, redirect, reinject and the health shows "Green".
kusankar-1121X#show platform hardware qfp active feature utd stats
Summary Statistics:
Policy
Active Connections 32
TCP Connections Created 5964
UDP Connections Created 4521
ICMP Connections Created 2110
Channel Summary
Active Connections 32
decaps 95328
encaps 95668
Expired Connections 12563
Packet stats - Policy
Pkts entered policy feature pkt 452887
byt 240683116
Pkts slow path pkt 12595
byt 862149
Packet stats - Channel Summary
Bypass pkt 26454
byt 7451485
Divert pkt 95668
byt 34022809
Reinject pkt 94970
byt 33986080
Would Drop Statistics (fail-open):
Policy
Stats were all zero
Channel Summary
Stats were all zero
General Statistics:
Non Diverted Pkts to/from divert interface 4547
Inspection skipped - UTD policy not applicable 332209
Policy already inspected 241268
Pkts Skipped - New pkt from RP 2021
Response Packet Seen 9521
Feature memory allocations 12595
Feature memory free 12563
Feature Object Delete 12563
Skipped - First-in-flow RST packets of a TCP flow 1789
Diversion Statistics Summary:
SN offloaded flow 6426
Flows Bypassed as SN Unhealthy 26454
Service Node Statistics:
SN health green 2
SN health red 1
SN Health: Channel: Threat Defense : Green
AppNAV registration 1
SN Health: Channel: Service : Down
Stats were all zero
TLS Decryption policy not enabled
How to test Snort IPS firing signature:
Using 'curl' on a linux host
Make sure you have subscription signature set enabled, in IPS mode with the security policy to do the following test.
"show utd engine standard config" should show you what policy is configured and whether IPS is enabled.
"show utd engine standard signature update status" will show you what signature package is currently on the router.
From a linux client or a mac laptop that sits behind the router, you can send
“curl -A "SAH Agent" http://url.com”
[or]
“curl -v -L -m 10 dfgvx.com”
for snort to trigger a signature and print a message as shown below.
Jun 5 04:05:21.435: %VMAN-5-VIRT_INST_NOTICE: R0/0: vman: VIRTUAL SERVICE UTD LOG:
2022/06/04-23:05:20.719516 EST [**] [Hostname: kusankar-1121x] [**] [Instance_ID: 1]
[**] Drop [**] [1:27984:2] APP-DETECT DNS request for Dynamic Internet Technology
domain dfgvx.com [**] [Classification: Misc activity] [Priority: 3] [VRF: 0]
{UDP} 192.168.102.4:64350 -> 4.2.2.2:53
Troubleshooting
https://supportforums.cisco.com/t5/security-documents/snort-ip-on-isr-isrv-and-csr-troubleshooting/ta-p/3369225
