7200emu.hacki.at Forum Index 7200emu.hacki.at
Dynamips, Dynagen and all that stuff
 
running IPSv5 on VMWare
7200emu.hacki.at Forum Index -> PEMU News
einval
Joined: 16 Jul 2007
Posts: 33

Posted: Mon Jul 16, 2007 2:06 pm    Post subject: running IPSv5 on VMWare

Hi,

I don't know if this is the right place to put this in, but since there were requests for this emulation in the former PEMU section, I will post it here. Feel free to move this posting to a better place.

Ok, after doing some research I found a way to get IDS/IPS software release 5 to start and function in VMWare. There is an archive attached to the post; please use the README file as a starting point (which I paste hereinafter).

Notice that I cannot say anything about getting this to work in VMWare on Windows. When it loads the VMWare BIOS you should be fine. Also I will not respond to any requests for files provided by Cisco (downloadable from CCO). Go get yourself a support contract.

Thanks to defx and the guys from securityie.

The README:
Quote:

Running Cisco IDS/IPS v5 Software in VMWare
===========================================

This Howto describes how to get the Cisco IDS/IPS Software Release 5 running
inside VMWare. After successful installation, the VM will emulate an IDS-4215
platform with 3 GigabitEthernet interfaces.

I developed this Howto using VMWare Workstation for Linux; I didn't test
this with any VMWare version for Windows.

REQUIREMENTS
============
- VMWare Workstation, I use version 5.5, running on a debian etch host system
I never tested with a Windows host system

- Cisco IPS recovery CD image, I used IPS-K9-cd-1.1-a-5.1-4.iso
This file can be downloaded from CCO.
CCO download access requires a valid support contract.

- modified VMWare BIOS (CISCO_IDS4215_440.BIOS.ROM)
This file should be in the archive from where you extracted this Howto

- some basic UNIX skills for working with a shell and using vi

- knowledge of the English keyboard layout

TECHNICAL DESCRIPTION
=====================

It seems that with IDS/IPS software release 5, Cisco implemented stricter
hardware identification checks, making it impossible to load the code on 4.x
custom-built systems or in VMWare.

I'm not skilled enough to produce anything useful with the BIOS that can be
downloaded from CCO, so I investigated how to get VMWare to provide
anything the IPS software wants to hear. I would still prefer to have the native
BIOS running, but this is a start for all the desperate souls that need a
working IPS for study/LAB preparation.

I concentrated on the 4215 platform, because it seems that it does not
have any special ROM/PROM chips built in.

Basically, IPSv5 is based on Redhat Linux, so it is able to run inside VMWare.
The recovery CD boots and reimages fine, as long as the virtual harddisks are
large enough (256M for hda, 4GB for hdb).

hda is the flash in the appliance and holds the complete OS and the
configuration. hdb is a real harddisk and is for "var" storage (event store
etc.). The reimage fails when you have disks that are too small (fdisk will
complain about wrong boundaries/size).

With a fresh system, you can boot into runlevel 1, mount the remaining
filesystems and inspect what the system will do at regular startups.

The procedure collection file /etc/init.d/ids_functions determines the
platform type during bootup. Because the 4215 doesn't have a special chip, the
routine makes selections based on the CPU speed and processor count. You can
trick the routine by entering the CPU speed reported by Linux.

But this is not enough. At some point, a program called smbios_bios_info is
called, reading information from the BIOS. Also, the binary mainApp will do this
again later, so we have to find a way to tell the system what it wants to
hear. Luckily, on the 4215 only DMI strings are checked.

VMWare allows you to extract the required portion of the BIOS, and with a resource
editor you can modify the DMI strings to match the values the software checks.
By telling VMWare to load this modified BIOS, the IPS software is satisfied and
identifies the VM as a 4215 sensor.

I basically changed all the DMI strings to read as Vendor "Cisco Systems",
Platform "IDS-4215", Chassis/Asset Tag "12345678901".

Now that the sensor boots and the CLI is usable, network connectivity must
work. VMWare and the IPS Linux both support Intel e1000 cards, so this looks
promising.

The physical interface configuration layout of all the appliances is defined in
/usr/cids/idsRoot/etc/interface.conf. By replacing the PCI device-id values with
the ones provided by VMWare (see /proc/pci), the sensor recognized the VMWare
virtual Ethernet cards.

By modifying this file you are able to use interface types a platform normally
will not support (Gigabit cards in the 4215).

With this VM I was able to use IDM from a windoze system, create my own signatures
and put a sensing interface between two dynamips instances (alerting each
time it sees EIGRP packets). This should be proof enough!

Well, this is nearly all the information I collected during 8-12 hours of
experimenting, in a few sentences. However, there are still some quirks and areas
I don't understand well, for example, the problems caused by the absence of the
file /usr/share/zoneinfo/cidsZoneInfo.

I hope this Howto is a start and encourages people to modify and enhance it.

Have fun!


einval

INSTALLATION
============

1. VMWare

Extract the content of the archive to a place you remember; you'll need to
specify the location of the BIOS file soon.

Start VMWare and create a new Virtual Machine (VM). The wizard starts; please
use the following options:

- "Custom" configuration
- "Workstation 5" format
- Guest: "Linux" / Version: "Red Hat Linux"
- Name: whatever you like, maybe "Cisco:IPS"
make sure you remember the path listed in "Location"
- "One" processor
- 512 MB RAM
- "use bridged networking"
- SCSI Adapter: "BusLogic" (doesn't matter)
- "create a new virtual disk"
- Disk type "IDE"
- Size 0.3GB (yes, 300MB not GB)
- accept, then click "Finish"

Edit your VM Settings.

- Remove the sound adapter
- Remove the USB controller
- Remove the floppy disk

- Add two additional Ethernet adapters
The network connection type doesn't matter at the moment (leave
it as bridged, for example)

- Add one additional hard disk
- "create a new virtual disk"
- Disk type "IDE"
- Size 4 GB (yes, 4GB this time, values below 4 GB will not
work)
- accept, then click "Finish"

- modify CD-ROM settings
- "use ISO image"
point it to the IPS recovery CD iso file

Now, finish modifications and quit VMWare.

Go to the folder where your VM resides (for me, it is ~/vmware/<VM_name>), and
edit the VM configuration file (.vmx).

Put in the config option that tells VMWare to boot an alternative BIOS:

bios440.filename =
"<path_were_you_extracted_the_archive>/CISCO_IDS4215_440.BIOS.ROM"

Put in the device type for the Ethernet adapters (we want Intel GE cards):

ethernet0.virtualDev = "e1000"
ethernet1.virtualDev = "e1000"
ethernet2.virtualDev = "e1000"

Now save and close the configuration file.

2. Recovery Image installation

Start VMWare and fire up the newly created VM. The recovery CD iso file will
automatically be selected for loading; you have to enter "k" to start the CD boot
process.

The recovery CD loads and does a full re-imaging of the VM hard drives. Please
ignore any errors about failed platform identification and wait until the system
reboots.

When rebooting (VMWare BIOS message is presented), STOP the VM and continue to
read the next step.

3. First boot

Before we continue, we have to modify the GRUB boot parameters to get into
single user mode. When the system boots for the first time after re-imaging, and
the GRUB menu is displayed, press any key to stop the timer (up/down arrow, for
example). Without that, the system boots and gets stuck at hardware detection.

Now you know it is safe to turn on the VM again. Wait until the GRUB menu is
displayed and select "Cisco IPS".

Press "e" to enter edit mode.

Select the second line (the one starting with "kernel"), and press "e" again.

Scroll to the left until you see the entry "init=loadrc". Replace loadrc with 1
(it should read "init=1"); don't touch any other option.

Press Enter and then "b" to start the boot process. After booting Linux, the
system stops at init level 1.

4. Modifications

Press Enter to get a shell. Execute (English keymap!)

/loadrc
/etc/init.d/rc.init
touch /usr/share/zoneinfo/cidsZoneInfo

Now determine the speed of your CPU:

cat /proc/cpuinfo

by looking at the line named "cpu MHz". Write down the value (int only). Make a
copy of the file ids_functions and modify it:

cd /etc/init.d
cp ids_functions ids_functions.orig
vi ids_functions

Search for the string "4215" or go directly to the line #252 that reads

elif [[ 'isCPU 845' -eq $TRUE && ...
MODEL=$IDS4215
...
Modify the string "845" to the CPU speed you determined earlier - use only the
int value (for example, 2659). Of course you can copy the whole line, comment
the original one and keep it for further reference.

3 lines below there are variables named "DEFAULT_MGT_OS" and "DEFAULT_MGT_CIDS".
Modify their values to:

DEFAULT_MGT_OS="ma0_0"
DEFAULT_MGT_CIDS="Management0/0"

Save the file and close vi.

Now, modify the interface configuration file:

cd /usr/cids/idsRoot/etc
cp interface.conf interface.conf.orig
vi interface.conf

Scroll down until you find the section for the IDS-4215 (it's the second one).

Modify the pci-bus numbers in the slot definition subsection:

[models/IDS-4215/slots/1]
# lower slot
pci-bus=0 # change this to 1
pci-device=17

[models/IDS-4215/slots/2]
# upper slot
pci-bus=0 # change this to 2
pci-device=19

Now, modify the built-in Interfaces by going to [models/IDS-4215/interfaces/1]

[models/IDS-4215/interfaces/1]
# built-in 10/100 TX mgmt interface, Intel 82559ER
# was eth1 (int1) in 4.x
# rightmost connector on front panel
# labeled "Ethernet 1" on panel
name-template=FastEthernet0/0 # change this to Management0/0
pci-bus=0
pci-device= 14 # change this to 17
pci-function=0
vendor-id=0x8086
device-id=0x1209 # change this to 0x100f
type=fe # change this to ge
mgmt-capable=yes

Modify the second interface

[models/IDS-4215/interfaces/2]
# built-in 10/100 TX sensing interface, Intel 82559ER
# was eth0 (int0) in 4.x
# leftmost connector labeled "Ethernet 0"
name-template=FastEthernet0/1 # change this to GigabitEthernet0/1
pci-bus=0
pci-device= 13 # change to 18
pci-function=0
vendor-id=0x8086
device-id=0x1209 # change to 0x100f
type=fe # change to ge
sensing-capable=yes
tcp-reset-capable=yes

CREATE a third interface by copying the whole [models/IDS-4215/interfaces/2]
section

[models/IDS-4215/interfaces/2] # rename to /3
name-template=GigabitEthernet0/1 # rename to GigabitEthernet0/2
pci-bus=0
pci-device= 18 # change to 19
pci-function=0
vendor-id=0x8086
device-id=0x100f
type=ge
sensing-capable=yes
tcp-reset-capable=yes

Now increase the interface number by 1 for the remaining (dummy) interfaces
[models/IDS-4215/interfaces/3] to 6; the ones that have "1 x 4-FE card" in the
comment.

Save the file and quit vi.

Please note:

Under some circumstances, VMware uses a different PCI bus
identifier (2 instead of 0, for example), so if your system behaves
differently, it will not work with the pci-bus settings mentioned above.

You can do a cat /proc/pci to determine the PCI bus number and the
Device IDs for the VMware network cards. Another way is to boot a
small live linux distribution from (virtual) CD-ROM and use 'lspci', that
gives very verbose output about PCI resources.

Adjust the pci-bus number in the interface.conf if you detect that your
NICs are located at a different PCI bus.

Now move to the IPS bin directory and replace the file smbios_bios_info

cd /usr/cids/idsRoot/bin/
mv smbios_bios_info smbios_bios_info.orig
vi smbios_bios_info

Enter the following content into this file:

#!/bin/sh
echo
echo "Platform: IDS-4215"
exit 0

Save and quit. Now make the file executable and test it

chmod +x smbios_bios_info
./smbios_bios_info

The system should display "Platform: IDS-4215". And that's it for all the system
modifications.

Now reboot the VM by entering

reboot

5. second boot

After making all the modifications, the VM should start and present you with a login
prompt. If it gets stuck (no login), reload it again; this can happen when you
booted the system completely without going into runlevel 1 in step 4.

There is still a yellow warning about modifications since last reboot - this
message disappears after the next reboot.

Log on with the factory default account (cisco/cisco) and assign a new password.

Now assign the service account a password:

conf t
username service pass <yourpass> privi service
exit

Log out and login as user "service" - you will have a shell. Do a switch user to
root "su -", the password is the same as for the user "service".

Now look if the file "/usr/share/zoneinfo/cidsZoneInfo" is still there. If not,
"touch /usr/share/zoneinfo/cidsZoneInfo" it. Without that file, you are not able
to see any config in the CLI (for whatever reasons). Exit until you reach the
login prompt again.

Login as "cisco" and you should be able to do a "show conf". Backup the
configuration with "copy current-config backup-config" and reload by doing a
"reset".

After the next reboot, the system is fully useable.

USAGE/HINTS/ISSUES
==================

- initial setup

The first thing you should do is to get network access to the VM via
ssh/PDM/telnet. Make sure the VMWare "Ethernet 1" is connected as you need it
(bridged to the VMWare host NIC for example).

In the cli, enter

conf t
service host
network-settings
host-ip x.x.x.x/<mask>,<gateway> # for example, host-ip 192.168.1.2/24,192.168.1.1
access-list x.x.x.x/<mask> # for example, access-list 192.168.1.0/24
telnet-option enabled # if you want telnet access
exit
exit
exit

This allows anybody specified in access-list to access the sensor Management IP
address, specified by host-ip. IDM access works then out of the box.

- network access

After my VM starts, I'm not able to use any network interface unless I
disable/enable the corresponding VMWare NIC (right click in the network card
icon in VMWare status line).

- PDM

PDM does not show system information under Monitoring. Cosmetic issue, IMHO.

- IPS Updates

I didn't apply version 5 service packs, but I'm certain that with each update
that brings modifications to the underlying OS, you have to check your
modifications again.

I didn't try software release 6 either; it may force you not only to apply my
modifications again, but also introduce improved hardware checking, making the
modifications mentioned above incomplete/useless.
Last edited by einval on Sun Sep 02, 2007 8:33 am; edited 1 time in total
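The pci-bus mismatch that the README's "Please note" warns about can be caught before rebooting by comparing interface.conf against what the VM's PCI bus actually reports. The following is an added example, not code from einval's archive or from Cisco: it assumes the [models/.../interfaces/N] key=value layout quoted above, uses constructed `lspci -n` output (the post's alternative to /proc/pci; lspci prints bus and device numbers in hex, interface.conf in decimal), and the function names are mine.

```python
import re

# Constructed sample in the [models/.../interfaces/N] key=value layout the post describes.
SAMPLE_INTERFACE_CONF = """\
[models/IDS-4215/interfaces/1]
pci-bus=0
pci-device=17
pci-function=0
vendor-id=0x8086
device-id=0x100f
mgmt-capable=yes
[models/IDS-4215/interfaces/2]
pci-bus=0
pci-device=18
pci-function=0
vendor-id=0x8086
device-id=0x100f   # e1000 as presented by VMware
sensing-capable=yes
"""

# Constructed 'lspci -n' output for a VM whose NICs sit on bus 2, not bus 0
# (the case the post's "Please note" warns about). lspci prints bus/device in hex.
SAMPLE_LSPCI_N = """\
02:11.0 0200: 8086:100f (rev 01)
02:12.0 0200: 8086:100f (rev 01)
"""


def parse_interface_conf(text):
    """Return {section: {key: value}}, dropping '#' comments and blank lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def parse_lspci_n(text):
    """Return {(bus, device, function): (vendor_id, device_id)} from 'lspci -n' lines."""
    pattern = re.compile(r"^([0-9a-f]{2}):([0-9a-f]{2})\.(\d) \S+ ([0-9a-f]{4}):([0-9a-f]{4})")
    found = {}
    for line in text.splitlines():
        m = pattern.match(line.strip())
        if m:
            bus, dev, fn, vid, did = m.groups()
            found[(int(bus, 16), int(dev, 16), int(fn))] = (int(vid, 16), int(did, 16))
    return found


def check_interfaces(conf_text, lspci_text):
    """Per interfaces/N section: 'ok' if the declared PCI address carries the declared
    vendor/device id, the pci-bus to use if the same chip sits on another bus, else a miss."""
    devices = parse_lspci_n(lspci_text)
    report = {}
    for name, keys in parse_interface_conf(conf_text).items():
        if "/interfaces/" not in name:
            continue
        addr = (int(keys["pci-bus"]), int(keys["pci-device"]), int(keys.get("pci-function", 0)))
        want = (int(keys["vendor-id"], 16), int(keys["device-id"], 16))
        if devices.get(addr) == want:
            report[name] = "ok"
            continue
        other = [b for (b, d, f), ids in devices.items() if (d, f) == addr[1:] and ids == want]
        report[name] = ("use pci-bus=%d" % other[0]) if other else "no matching NIC"
    return report
```

Run it against the real /usr/cids/idsRoot/etc/interface.conf and the output of `lspci -n` from a live CD booted in the same VM; a "use pci-bus=N" entry is exactly the adjustment the README says to make by hand.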
greg
Site Admin
Joined: 17 Jul 2006
Posts: 697
Location: USA

Posted: Mon Jul 16, 2007 4:17 pm

Great work einval, looks very promising for folks studying for CCIE security or looking to learn about IPS 5 (and maybe 6).
cjasztrab
Joined: 16 Apr 2007
Posts: 21

Posted: Mon Jul 16, 2007 7:00 pm    Post subject: Re: running IPSv5 on VMWare

Unfortunately this image (IPS-K9-cd-1.1-a-5.1-4.iso) is no longer available for download from CCO. Anybody else know where to get it?
pgtedy
Joined: 20 May 2007
Posts: 10

Posted: Mon Jul 16, 2007 7:22 pm

Hi,
It's working with IPS-K9-cd-1.1-a-5.1-6-E1.iso following the steps above.
I tried also the 6.0.3 version....but it is getting stuck after bringing up the loopback.

Thanks a lot!
einval
Joined: 16 Jul 2007
Posts: 33

Posted: Mon Jul 16, 2007 7:31 pm

Well it is listed at http://www.cisco.com/cgi-bin/tablebuild.pl/ips5-system . Don't pay attention to the model name, it says 4235/4250 - the image still works as described.

I didn't look into the .img files for the 4215 platform; I suspected them as not bootable by VMWare via iso file loop mounting (may be a wrong conclusion, I will test tomorrow).


einval
arielik
Joined: 20 Jun 2007
Posts: 104
Location: BS. AS - Argentina

Posted: Tue Jul 17, 2007 12:38 am

WOW Many thanks!!!!! This is too interesting, I'm going to test it right now!!!!
_________________
Ariel M. Liguori
Huawei Certified Partner
einval
Joined: 16 Jul 2007
Posts: 33

Posted: Tue Jul 17, 2007 10:39 am

regarding IPSv6:

It seems that the Intel e1000-cids driver (Cisco custom build) is incompatible with the VMWare e1000 NIC emulation - it segfaults during modprobe, complaining about not being able to assign memory for the TX buffer. I played a little bit, but wasn't able to load the driver successfully (XLActive option etc.).

The native e1000, which is also available, loads but the system cannot make use of it, because it needs the e1000-cids module - it seems that cIdsinit will not rename any interfaces that are based on the native e1000, and mainApp refuses to load.

For the rest, the v6 system doesn't look much different from the v5 one; the interface.conf file has a slightly changed format, but that's not a major issue.
arielik
Joined: 20 Jun 2007
Posts: 104
Location: BS. AS - Argentina

Posted: Tue Jul 17, 2007 11:42 am

That's bad, well maybe someone can find the answer or the method to emulate, don't disappoint guys, this always happens, the sad thing is which takes time.
_________________
Ariel M. Liguori
Huawei Certified Partner
Sysreq
Joined: 30 Dec 2006
Posts: 88

Posted: Tue Jul 17, 2007 11:46 am

Nice, well done, that must have taken some time to unravel.
cjasztrab
Joined: 16 Apr 2007
Posts: 21

Posted: Tue Jul 17, 2007 1:14 pm    Post subject: Amazing

I am able to get to the command-line now. Works great there although every time the VM is reset touch /usr/share/zoneinfo/cidsZoneInfo. It also doesn't look as if any of my configuration is holding. Any ideas?
pgtedy
Joined: 20 May 2007
Posts: 10

Posted: Tue Jul 17, 2007 1:22 pm    Post subject: Re: Amazing

cjasztrab wrote:
I am able to get to the command-line now. Works great there although every time the VM is reset touch /usr/share/zoneinfo/cidsZoneInfo. It also doesn't look as if any of my configuration is holding. Any ideas?


I used the version that I mentioned before and I skipped all the steps that refer to cidsZoneInfo and it works fine.

Good luck!
einval
Joined: 16 Jul 2007
Posts: 33

Posted: Tue Jul 17, 2007 3:13 pm

Without that file, you won't be able to view/modify/save the configuration. I don't know why, but touching that file enables this functionality.

Maybe it is a bug in the release I used - perhaps you should try the 5.1.6 ISO image, as outlined by pgtedy.

If you continue with 5.1.4:
What you can try to get a "persistent" file is to include the "touch" command in one of the start scripts (on top of cids, for example) or try to force a clean reboot (with proper unmounting of all the fs):

1. log in the cli (user cisco) and create a service user/assign a password to it
2. exit the cli
3. logon with the service account
4. do a "su -" - use same password as the service account
5. touch the cidsZoneInfo file
6. logout until you are back at the cli
7. login as a normal user (cisco)
8. look if you can "show conf" or "copy current-config backup-config"
9. issue a reset

After the reload, the file should still exist.
shomar
Joined: 02 Apr 2007
Posts: 9

Posted: Tue Jul 17, 2007 5:18 pm

Hi einval,

Thank you very much for the post

I tried it and it seems to work fine; however, when I try to create the "service" account I end up with an error preventing me from going on. Any idea what that could be? Any help is appreciated.

The error I am getting is the following:

Error: editConfigDeltaUserAccount : Unknown control transaction name

Note: I am using the 5.1.6 E1 iso file

Thank you all.
einval
Joined: 16 Jul 2007
Posts: 33

Posted: Tue Jul 17, 2007 5:49 pm

Nope, never seen this error message.

Does this happen while you follow my procedure or also after you have a working system (cidsZoneInfo in place)?

You can try to remove the user service with "no username ..." first or default it with "default username service ...", and recreate it afterwards.
shomar
Joined: 02 Apr 2007
Posts: 9

Posted: Tue Jul 17, 2007 6:13 pm

Hi,

Thnx for the reply, this is happening during the second reboot in the procedure; I didn't get to the point where I could create the service user.

This is why I am also not able to default it or remove it.

I think I will try to go with the procedure from the beginning and see where that would lead.

thnx
All times are GMT