Security Internetworking Experts


Topic: Fraken IDS Guide
erauqssidlroweht (Jr Member, #16698) posted August 22, 2005 12:35 PM
I made this guide for educational use only.
------------------------------------------------------------------------------

Get the hardware
 -CPU:  Can work on a Pentium II, Recommend Pentium III 600MHz
    -1.7 Athlon works well for higher versions
 -MB:   The 440BX motherboard is best
    -Other also work
    -440BX, VIA686a
 -RAM:  Minimum of 256MB.
    -Recommend 512MB or more for higher versions
 -HDD:   10GB HDD
    -Note: Software will not ask. All data will be formatted
 -NICs:  Minimum of 2 Intel NICs with an 82557/82558/82559 chipset
    -These are 'a must have'
    -Or as many sensor interfaces as you would like.
     -The 3515 etc. can support multiple NICs
 -CDROM:  Bootable
 -ETC:  A Keyboard, Monitor and mouse. Or possibly a serial Connection.

Retrieve your copy of the Cisco IDS Recovery v4.1 CD.
If you have lost your disk, some backup methods include:
 -eBay
 -eMule
 -52Network.com
  -jgt-cids.bin
  -jgt-cids.cue
  -jgtiso.nfo
  -(2nd CD of SIGs for later jgt-idse.bin)

Burn the Backups
 -BIN files (shown above) are just like ISOs, but Nero can't burn them directly
 -All BIN files are mounted to a virtual CD-ROM on your system
  -For example you can copy the mounted image CD-ROM to a CD-ROM
 -My favorite program for mounting BIN files is Daemon Tools
 -www.daemon-tools.cc
  -Note: Some older versions didn't work with XP.
  -Requires restart. (It is going to install a '2nd' CD-ROM)
 -Mount the CUE file, or the BIN file directly.
 -With Nero, copy the virtual CD to a real CD-ROM (Copy disk to disk)

Install Cisco IDS
 -Boot from the Recovery CD
 -You will get a Cisco IDS boot prompt
 -'s' to use Serial Connection for install
 -'k' to use keyboard for install
  -I personally enjoy installing with Keyboard.
 -The CD will automatically partition and format your 10 GB hard drive
  and install a slimmed-down version of Red Hat Linux 7 and Cisco IDS.
 -It will congratulate you on your install and ask you to reboot. Press OK
 -The CD-ROM will eject; make sure to take it out before the restart.

Background information
 -The problem with installing Cisco IDS on hardware that is not really Cisco hardware
  is that it expects specific CPUs to be installed. The system will not know what version of IDS to load.

 -To resolve this problem we can edit a file called ids_functions and fool the system.
  Editing this file gives us the ability to tell Cisco IDS what hardware it can expect.

 MODEL    CPU (MHz)   # of CPUs
 4210     567         1
 4215     845         1
 4220     598         1
 4230     598         2
 4235     1260        1
 4250     1260        2
 4250XL   1260        2

  -http://www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/prodlit/ids4f_ds.htm

  -NOTE: Using 2 CPUs 'seemed' to work, but I found there was no easy way to test it.

  -NOTE: IDS 4235 and IDS 4250 may require BIOS upgrades if they hang during the boot process.

  -Let's say that you have a 900MHz Celeron: you can effectively load Cisco
   Model 4210, 4215, 4220, or 4230.
  -Just edit the ids_functions file to the version you would like to boot with

 -To edit the ids_functions You can either choose to
  OPTION 1) Reboot 4 or 5 times until the machine finally boots into Cisco Command Line
   or
  OPTION 2) Temporarily Edit the 'Grub' loader and boot directly as root.

Getting in as root
 As stated earlier you have two choices to edit the ids_functions file.
 The goal is to log into Linux and edit the ids_functions file from there.

 OPTION 1) By default, if you do not intervene and initiate OPTION 2, your system will
 automatically try to load and fail (reboot) 4 to 5 times before giving you a prompt.

 PROCEDURE for OPTION 1:
 After your IDS install let the IDS try and load. It will attempt to load 4 to 5 times.
 (1 reboot for every processor speed it can't find.)
 Eventually you'll receive a login Prompt.
 The default user name Cisco with a password of Cisco will allow you access to the Cisco IDS command line.
 This command line is NOT Linux, but this interface will allow us to add a service user that will load into Linux.
 
  Step 1 Log in to the CLI.

  Step 2 Enter configure terminal mode:
  sensor# configure terminal

  Step 3 Create the service account:
  sensor(config)# username bob privilege service

  Step 4 Enter the password when/if prompted.

  Step 5 Exit configure terminal mode:
  sensor(config)# exit
  sensor# exit (or "reset" to reboot)
 (http://www.Cisco.com/en/US/products/sw/cscowork/ps3990/products_installation_guide_chapter09186a008019b298.html)

 At the login prompt type in your newly created service username and password.
  Login: bob
  Password: test
 You are now in Linux.
  (su)

-OR-

 OPTION 2) Edit the Grub boot loader and edit the file as single user - root
 PROCEDURE for OPTION 2:
 -At the GRUB boot loader screen:
  [ Cisco IDS (2.4.18-5smpbigphys) ]
  [ Recovery... ]
 -Highlight and Press 'e' to edit the [ Cisco IDS (2.4.18-5smpbigphys) ] Entry
 -A submenu of options will appear
  [ ... ]
  [ kernel /boot/vmlinuz-2.4.18-5smpbigphys ro root=/dev/hda1 bigphysarea=32768 ]
  [ initd /etc....]
 -Push the down arrow to kernel /boot/vmlinuz-2.4.18-5smpbigphys ro root=/dev/hda1 bigphysarea=32768
 -Press 'e' for edit
  edit the item as follows:
  kernel /boot/vmlinuz-2.4.18-5smpbigphys ro root=/dev/hda1 bigphysarea=32768 single
   NOTE: You may see something like:
   " hdc=ide-scsi bigphysarea=32768"
    Just make the change to:
   " hdc=ide-scsi bigphysarea=32768 single"
  (You will see only the last little bit of the line, but it's all there if you press the left arrow key.)
 -Pressing ENTER after you are done typing 'single' will exit you to the menu
 -Pressing 'b' starts the boot process with your new changes.
  -This will allow you to boot as root in single-user mode; you can now edit the ids_functions file without creating a 'service user' with Cisco.
 -You will not need a password, but you should see a BASH prompt like this one
  sh-2.05a#
 Congratulations, you are now in Linux.

EDITING THE ids_functions file
 -Now that you have root access (either with OPTION 1 or OPTION 2) you can edit the ids_functions file.
 -The ids_functions file is in the /etc/init.d/ or /etc/rc.d/init.d/ folder
  -"cd /etc/init.d/" OR "cd /etc/rc.d/init.d/"
 -With your favorite text editor (pico or vi work well) open ids_functions
  -"vi ids_functions"
   -If you see a blank page you've done something wrong and need to try again. (Esc, :q)
  -Carefully scroll down until you find the default text below:
   "PROC=`awk '/^cpu MHz/ { print $4 } ' $cCpu_info_file | tail -1 | cut -f1 -d"
  -Comment out the old $1 = CPU SPEED, PROC, and MAX_DIFF commands by placing a # before each
  -Now that the PROC and MAX_DIFF commands are 'gone' we can control which model the IDS sensor
   loads, whichever we see fit. (That is, with a CPU we can support.)
   -MAX_DIFF=150
   -PROC=567
  -The PROC is based upon the CPU speed you want to fool the system into believing you have.
    -To load IDS 4210 for example enter PROC=567
    -To load IDS 4230 enter PROC=1260
    (TIP: Use the chart above)
  -Here is an example of my script
   # $1 = CPU speed
   # MAX_DIFF=4
   # PROC=`awk '/^cpu MHz/ { print $4 } ' $cCpu_info_file | tail -1 | cut -f1 -d "."
   #PROC Values: 4210=567, 4215=845, 4220=598, 4230=598, 4235/50=1260
   MAX_DIFF=150
   PROC=1260

  -Write your changes (Esc, :wq)

  -Restart the system (shutdown -r now)

That's it! You have a Franken IDS. Run 'setup' at the IDS command line to get started.
(You may want to upgrade the signatures now.)
Good Luck!

----------------------------------------
This guide is for educational use only and is not meant to encourage piracy in any form.
----------------------------------------

Posts: 6 | From: Idaho | Registered: Jul 2005
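As an added example that is not part of the original post, the script below reproduces the CPU-speed detection that the quoted ids_functions line performs and maps the result onto the model chart above, which shows why a box whose clock speed matches no chart row keeps rebooting. The MODEL_TABLE, the CPU-count check and the "within MAX_DIFF MHz" matching rule are assumptions about how the sensor picks a model; only the awk pipeline itself comes from the post.

```shell
#!/bin/sh
# Added example (not from the original post): mimics the CPU-speed detection
# in the guide's ids_functions excerpt and maps it onto the post's model chart.
# The "within MAX_DIFF MHz" rule is an ASSUMPTION about how the sensor uses
# MAX_DIFF; the real ids_functions logic is not shown in the thread.

# Constructed /proc/cpuinfo sample for a dual-CPU box (not a real capture).
SAMPLE_CPUINFO='processor       : 0
model name      : Pentium III (Coppermine)
cpu MHz         : 1263.552
processor       : 1
model name      : Pentium III (Coppermine)
cpu MHz         : 1263.552'

# MODEL  MHz  CPUs, copied from the chart in the guide.
MODEL_TABLE='4210 567 1
4215 845 1
4220 598 1
4230 598 2
4235 1260 1
4250 1260 2'

# Same pipeline as the commented-out PROC= line in the guide: take the last
# "cpu MHz" line and keep only its integer part. $1 is the cpuinfo text.
detect_proc() {
    printf '%s\n' "$1" | awk '/^cpu MHz/ { print $4 }' | tail -n 1 | cut -f1 -d "."
}

# Number of "processor" stanzas in the cpuinfo text.
count_cpus() {
    printf '%s\n' "$1" | grep -c '^processor'
}

# pick_model MHZ NCPUS MAX_DIFF: first chart row whose speed is within
# MAX_DIFF MHz of MHZ and whose CPU count matches, or "none" (assumed rule).
pick_model() {
    printf '%s\n' "$MODEL_TABLE" | awk -v mhz="$1" -v n="$2" -v diff="$3" '
        { d = $2 - mhz; if (d < 0) d = -d
          if (d <= diff && $3 == n) { print $1; found = 1; exit } }
        END { if (!found) print "none" }'
}

# Demonstration: with the tight tolerance the guide shows (MAX_DIFF=4) a
# 900 MHz single-CPU box matches no row, which is the "can't find processor
# speed" reboot loop; the guide's relaxed MAX_DIFF=150 accepts the 4215 row.
mhz=$(detect_proc "$SAMPLE_CPUINFO")
cpus=$(count_cpus "$SAMPLE_CPUINFO")
echo "sample box: ${mhz} MHz x ${cpus} CPU(s), MAX_DIFF=4 -> $(pick_model "$mhz" "$cpus" 4)"
echo "900 MHz x 1 CPU, MAX_DIFF=4   -> $(pick_model 900 1 4)"
echo "900 MHz x 1 CPU, MAX_DIFF=150 -> $(pick_model 900 1 150)"
```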
gunnels (Member, #3450) posted August 22, 2005 01:59 PM
Great info! We need a guide like this for building an IPS 5.0.
Posts: 41 | From: PA | Registered: Jun 2002
muttley (Jr Member, #16916) posted August 22, 2005 03:41 PM
Man - wish that had been easy to find BEFORE I spent my whole weekend converting my NetRanger. Of course, the educational experience I received trying to do it myself probably will count for something, although not on the exam....
Posts: 13 | From: Washington, DC | Registered: Aug 2005
marrum (Member, #5608) posted September 02, 2005 12:54 AM
many thanks
Posts: 17 | From: Muc | Registered: Oct 2002
gokiken (Guru, #8478) posted September 03, 2005 06:27 AM
Many Thankxxxx

Your invaluable experience truly helps a lot of people who are preparing for CCIE Security.

Posts: 135 | From: oversea | Registered: Jun 2003
erauqssidlroweht (Jr Member, #16698) posted September 03, 2005 08:53 AM
*Tips hat* Thank you everyone for your compliments. I'm more than happy to help.

I will work towards an IPS 5.0 guide, but I think I'll take that as it comes. I have a lot of studying to do right now.

I'm taking the new CIDS test this week! Wish me luck.

Posts: 6 | From: Idaho | Registered: Jul 2005
gokiken (Guru, #8478) posted September 04, 2005 04:28 AM
Based on erauqssidlroweht's great educational material, last night I managed to get all the required stuff and I got Franken IDS working today.

I've tried 2 platforms (PC, rack server) and ended up with the rack server.
I successfully installed recovery software V4.1.1S47 on the PC, but Linux detects only 256MB of memory (#cat /proc/meminfo) instead of 512MB, so I can't upgrade IDS since the utility expects 512MB of memory.

The working platform for me is the old INTEL Rack Mount Server Model SRMK2

- 2 x CPU PIII 1GHz
- RAM 2GB
- HD UltraWide160 SCSI Seagate 35GB using Adaptec AIC7899 Chipset
- 3 x NIC Intel Pro 10/100 ( 2 onboard, 1 pci)
- CD-ROM 24x
- VGA MachATI 64 onboard.

I use NERO Burning ROM to burn .bin file. Go to file menu and choose open then change "file of type" to Image File ( *.cue) . Select the .cue file and then burn it.

It takes quite a while for installation since the CD-ROM speed is only 24x. I thought it was hanging at first though.

After completing the installation, I did exactly as described in the guide and I got a working IDS-4250 platform.

Then, I downloaded the update pack (IDS-K9-sp-4.1-5-S189.rpm.pkg) from the Cisco web site and used

upgrade http://x.x.x.x/IDS-K9-sp-4.1-5-S189.rpm.pkg

This time I got it working since linux can detect 2GB of memory.

The IDS will reboot and you have to go to the Linux command prompt again to edit the ids_functions file, since the upgrade will replace the previous one and reboot.

Here is what I got based on erauqssidlroweht's great educational material.

sensor# sh ver
Application Partition:

Cisco Systems Intrusion Detection Sensor, Version 4.1(5)S189

OS Version 2.4.18-5smpbigphys
Platform: IDS-4250
Sensor up-time is 24 min.
Using 266104832 out of 1980358656 bytes of available memory (13% usage)
Using 568M out of 34G bytes of available disk space (2% usage)

MainApp 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running
AnalysisEngine 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running
Authentication 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running
Logger 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running
NetworkAccess 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running
TransactionSource 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running
WebServer 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running
CLI 2005_Aug_02_10.53 (Release) 2005-08-02T10:25:35-0500

Upgrade History:

* IDS-K9-min-4.1-1-S47 12:00:00 UTC Thu Jun 30 2005
IDS-K9-sp-4.1-5-S189.rpm.pkg 17:27:37 UTC Sun Sep 04 2005

Recovery Partition Version 1.2 - 4.1(1)S47

I can't thank you enough and Good LUCK on THE EXAM !!!

Posts: 135 | From: oversea | Registered: Jun 2003
abhor666 (Elite, #12925) posted September 05, 2005 11:05 PM
Hi erauqssidlroweht, this is the best piece of work I have seen on this forum. Thanks a lot buddy. It's really very helpful; now I am going to build an IDS on my own. In case I have problems building it I will surely bug you for this. Thank you once again.

abhor666

Posts: 474 | From: india | Registered: Jul 2004
abhor666 (Elite, #12925) posted September 15, 2005 01:24 AM
Hi there, I have got

Pentium III 800 MHz
2 Intel NICs 82559
512 MB SDRAM
40 GB hard disk
IDS recovery CD 4.1

Do I need a 10GB hard disk, or is it ok with 40GB?
After formatting the hard disk it starts copying modules, then it gets stuck saying "error installing kernel 2.4.18-3", indicating media failure, lack of disk space or some other hardware failure, and reboots. It doesn't go ahead from this. Is it the problem of the CD? Because when I do it again and again it gets stuck on different files at times. Could you please guide me, and are my hardware specs ok for the Franken IDS? Anyone, please guide me on this. All your help is greatly appreciated. Thank you in advance.

abhor666

Posts: 474 | From: india | Registered: Jul 2004
gokiken (Guru, #8478) posted September 15, 2005 10:41 PM
Have you tried to change CD-ROM drive ?
Posts: 135 | From: oversea | Registered: Jun 2003
abhor666 (Elite, #12925) posted September 17, 2005 06:23 AM
Hi there, I will surely try that today and let you know. Thanks for your advice. ok

abhor666

Posts: 474 | From: india | Registered: Jul 2004
billburns (Guru, #14145) posted October 13, 2005 05:51 AM
erauqssidlroweht,

Many Thanks. Excellent doc. Please share your observations on the V5 upgrade work.

Cheers,
Bill

Posts: 155 | From: Arcadia,CA | Registered: Nov 2004
jambrose (Member, #8728) posted December 17, 2005 02:50 PM
I cannot get the CD to boot. It does not catch the recovery CD; it just checks it real quick then goes to the hard drive. (I do have the CD reading first.)

By just copying the files over to a CD and then burning them, will that do the trick, or do you have to make the CD bootable or have a certain file load before all others?

thanks!

Posts: 16 | From: PDX | Registered: Jul 2003
erauqssidlroweht (Jr Member, #16698) posted December 18, 2005 03:16 PM
Jambrose there are countless factors as to why your boot has failed. I highly recommend http://www.911cd.net/forums/ for further inquiries. (But for the sake of getting you up and running, I'll add these steps to my original guide.)

Assuming you've already checked your CD-ROM and BIOS and that you have successfully booted from a burnt CD in the past (such as a burnt copy of Win98 or Knoppix), follow these basic steps:

----------
BURNING WITH NERO IN WINDOWS:
1) Download or acquire an image Recovery Image file: In this example I will be using jgt-cids.bin
(As depicted in the guide above)

2) Download or acquire the CUE file. (jgt-cids.cue)

3) Open Nero (I'm using version 6) Any version will do.

4) This is where you will have to experiment. I'm running Nero StartSmart so I do the following:
-A) I have a screen where I can "Copy and Backup". In this screen I can "Burn Image to Disc".
-B) After clicking on Burn Image to Disc I am asked where the image file I want to burn is
(Skip to step 6)

5) If you do not use StartSmart then you most likely see a "New Compilation" Screen.
-A) Cancel out of the "New Compilation Screen"
-B) Using the Tool bar at the top; select Recorder.
-C) In the recorder drop down, you will see the option to "Burn Image".

6) IMPORTANT: You will need to change the FILE TYPE option
From: "All Nero Compliant Images"
To: "Image Files (.nrg) (.iso) (.cue)"

7) I navigate to my CUE file. (C:\jgt-cids.cue & C:\jgt-cids.bin) and if both are in the same location then the image should burn as a bootable disc. TIP: Burning at slower speeds helps older CD-Roms read burnt CDs.

----------
BURNING WITH XYZ PROGRAM IN WINDOWS:
If you are not using Nero (Roxio EZ CD-Creator for example) I suggest the following:

1) Download the program "Daemon Tools" (as depicted above)

2) After installing "Daemon Tools" restart your PC.

3) After the restart RIGHT CLICK on the Daemon icon (It looks like a Lightning Bolt)

4) Select Virtual CD/DVD Rom ---> Device 0 ----> Mount Image

5) Select the CUE or BIN file you want to mount.

6) Use XYZ Burning Software to perform a DISC COPY from the Virtual CD to the Actual CD.
-A) This process will allow you to successfully clone the bootable features of the CD image.

----------
EXTRA GEEKY/NERDY STUFF:

DOWNLOAD VERIFICATION:
jgt-cids.cue = 74 bytes
Unofficial MD5: 4c9efa9fee03fd0502cee98d8207358a
jgt-cids.bin = 553 MB
Unofficial MD5: cfbb653cbdd758e2ad81e481c4e4891c

NERO 5.5:
http://www.bay-wolf.com/bootcd.htm

BURNING CUE/BIN FILES WITH LINUX:
http://wiki.linuxquestions.org/wiki/Burning_a_CDROM_from_a_bin/cue_file

Bart's way to create bootable CD-Roms (for Windows/Dos):
http://www.nu2.nu/bootcd/

CONVERTING BIN FILE TO ISO IMAGE:
http://www.weethet.nl/english/cdrw_bintoiso.php

MAKING CUE AND BIN FILES:
http://www.weethet.nl/english/cdrw_usingnero_bincue.php

SPECIAL THANKS:
Gokiken, for providing his work.
----------------------------------------
This additional guide is for educational use only and is not meant to encourage piracy in any form.
----------------------------------------

Posts: 6 | From: Idaho | Registered: Jul 2005
jambrose (Member, #8728) posted December 19, 2005 02:48 PM
Thank you very much for taking the time to post all these details! Wish every post would be this detailed.
tkx again!

Posts: 16 | From: PDX | Registered: Jul 2003
jimmy25 (Guru, #20962) posted April 21, 2007 07:06 PM
Hi guys,

Well, I have an IDS up and running following this guide. Thanks to all for making this guide.

IDS is working fine, but the problem is I cannot upgrade the service pack or signatures.

Can anyone tell me how to do that? I have the service pack and signatures for that.

regards
jimmy

Posts: 151 | From: new zealand | Registered: Dec 2006
jimmy25 (Guru, #20962) posted April 21, 2007 07:13 PM
One more thing:

On my server I have a 20 GB HD and 512 MB RAM.

What do I need to change to upgrade the signatures and service pack?

I am making it as a 4215 model

proc 845

regards

Posts: 151 | From: new zealand | Registered: Dec 2006
billburns (Guru, #14145) posted April 23, 2007 07:23 PM
Jimmy25

You need a CCO account to update the sigs, but you cannot upgrade it to 5.0 IPS.

Posts: 155 | From: Arcadia,CA | Registered: Nov 2004

