C-1. Intrusion Detection System Module

  • The IDSM can analyze a data stream and recognize intrusions or malicious activity based on a set of attack signatures.

  • The IDSM can monitor up to 100 Mbps of data. If the offered rate rises above that maximum, packets are dropped before they are analyzed, and an attack carried in the dropped packets goes unrecognized; keep the monitored rate under the limit (see Step 4).

  • You can subscribe to receive IDS bulletins describing new signature updates, service packs, or product news. Enter your email address and a password at www.cisco.com/warp/public/779/largeent/it/ids_news/subscribe.html.

  • The IDSM has two logical switch ports: a capture or "sniffing" port (port 1), and a control port (port 2).

  • Monitored traffic must be sent to the capture port. Only the VLANs of which that capture port is a member can be monitored. The capture port can be a trunk, allowing all VLANs on the trunk to be monitored.

  • The IDSM is controlled by an external application. If an attack is detected, the IDSM sends an alarm to the management application. This can be Cisco Secure Director, Cisco Secure Policy Manager, or HP OpenView.

  • Multiple IDSMs can be installed in a single Catalyst 6000 chassis. Each IDSM can be configured to monitor a different data stream, each up to 100 Mbps.

Configuration

1.

Access the IDSM.

a. Open a command-line interface (CLI) session with the IDSM:

COS

 session module 

IOS

 session slot module processor 1 


A CLI session is opened to the IDSM in chassis slot module. To close the session, type the escape sequence Ctrl-] or enter the exit command.

b. Log in as the administrator:

IDSM

 login: username 
 Password: password 


Use the administrator username (text string; default "ciscoids") and password (text string; default "attack").

c. (Optional) Change the administrator password:

IDSM

 (exec) configure terminal 
 (global) password 


Change the password from the default. The default username and password are published, so anyone who can open a session from the switch CLI can otherwise log in to the module. The password is a text string of up to 15 characters.

d. (Optional) Initially configure the IDSM:

IDSM

 (exec) setup 


After the setup mode begins, the IDSM prompts for all the necessary parameters. These values are needed for both the local IDS sensor and the remote IDS director:

- IP address, subnet mask, and default gateway.

- Host name (up to 256 characters), host ID (1 to 65,535), and Post Office Protocol UDP port (256 to 65,535; default 45,000). The host ID is a number that uniquely identifies the IDSM among other IDS sensors in an organization.

- Organization name (up to 256 characters) and ID (1 to 65,535). Within an IDS domain, the sensors and their managing directors must have a common organization ID and name.

e. (Optional) Test network connectivity to the IDSM.

- Ping a remote host:

IDSM

 (exec) diagnostics 
 (diag) ping ip-address 


- Trace the route to a remote host:

IDSM

 (exec) diagnostics 
 (diag) traceroute ip-address 


2.

(Optional) Shut down the IDSM.

CAUTION

Before you remove the IDSM from the switch chassis, you must shut it down properly. Use one of the shutdown methods in this step and wait for the shutdown to complete; the module is down when the status LED changes from green to amber or goes off. Only then is it safe to remove the module.

a. Module shutdown from the IDSM CLI:

IDSM

 (exec) shutdown 


b. (Optional) Module shutdown or reset from the switch CLI:

COS

 set module shutdown module 

-or-

 reset module 

IOS

 (exec) hw-module module module shutdown 

-or-

 (exec) hw-module module module reset 


You can shut down the IDSM in slot module with the shutdown keyword. If the switch is then rebooted or power cycled, the IDSM will reboot also. To restore the IDSM to service, use the reset keyword.

c. (Optional) Remove or restore power to the IDSM:

COS

 set module power down module 

-or-

 set module power up module 

IOS

 (global) no power enable module module 

-or-

 (global) power enable module module 


d. (Optional) Use the IDSM shutdown button as a last resort.

You can use a small pointed object such as the end of a paper clip to push the Shutdown button on the IDSM module front panel. The button is located to the right of the status LED.

3.

Instruct the IDSM to begin intrusion detection.

From an external management application, such as Cisco Secure Director, you can select the set of attack signatures that the IDSM uses. Refer to that application's documentation for more information.

4.

Specify the traffic source to monitor.

a. (Optional) Monitor specific traffic.

- Select interesting traffic with a VLAN access control list (VACL):

COS

 set security acl ip acl-name {permit | deny | redirect {adj-name | mod/port}}
   protocol src-ip-spec dest-ip-spec [precedence precedence] [tos tos] [fragment]
   capture [before editbuffer_index | modify editbuffer_index] [log] 

IOS

 (global) access-list acl-number {permit | deny} protocol src-ip-spec dest-ip-spec 
 -or-
 (global) ip access-list extended acl-name 
 (ext-nacl) {permit | deny} protocol src-ip-spec dest-ip-spec 
 (global) vlan access-map name [seq#] 
 (vlan-acc-map) match ip address {acl-number | acl-name} 


In a COS VACL, traffic to be copied to the IDSM needs both the permit and capture keywords; traffic to be forwarded but not captured gets permit only; traffic that must not be forwarded at all gets deny, which drops it in the switching hardware. Under IOS, the permit and deny entries of the matching access list only select traffic (permit means "this entry matches"); the disposition is set by the access-map action: forward capture, forward, or drop. A VACL ends with an implicit deny, so finish it with a permit ip any any entry; without it, every packet on the VLAN that no earlier entry matched is dropped.

The simplest case is to capture all traffic on a VLAN with a single permit ip any any capture entry.

Refer to section "11-5: VLAN ACLs" for complete information about configuring VACLs.

- Apply the VACL to hardware:

COS

 commit security acl {acl-name | all} 

IOS

N/A


A COS switch must first compile the VACL and download it into the switching hardware. You can compile and commit a single VACL as acl-name, or all configured VACLs.

- Copy the interesting traffic to the IDSM:

COS

 set security acl capture-ports mod/1 

IOS

 (vlan-acc-map) action forward capture 
 (global) interface type slot/1 
 (interface) switchport capture 


Traffic matched by the VACL is copied to the capture port, which is port 1 of the IDSM's slot. Under COS the capture port is named in the capture-ports list. Under IOS the access-map action forward capture marks matching traffic for capture, and switchport capture on the IDSM's port 1 designates that interface as the capture port.

- Apply the VACL to one or more VLANs:

COS

 set security acl map acl-name vlan 

IOS

 (global) vlan filter map-name vlan-list vlan-list 


The VLAN access list named acl-name (text string of up to 32 characters) is applied to examine traffic on VLAN number vlan (1 to 1005 or 1025 to 4094).

- Gauge the amount of monitored traffic.

Make sure the bandwidth of captured or monitored traffic stays below 100 Mbps, so that the IDSM can examine every packet of every flow. Traffic above that rate is dropped unanalyzed, and any surge, accidental or deliberate, widens that blind spot.

You can add an unused Gigabit Ethernet port as a second capture port. The data copied to the IDSM capture port is then also copied to the unused switch port, and you can use show mac mod/port (COS) or show interface (IOS) on that port to measure the amount of data being captured.

COS

 set security acl capture-ports mod/port 

IOS

 (global) interface type slot/number 
 (interface) switchport capture 


b. (Optional) Monitor a SPAN source.

TIP

See section "12-3: SPAN" for complete configuration information about Switched Port Analyzer (SPAN) or port monitoring.

- (Optional) Monitor a switch port:

COS

 set span src-mod/src-ports dest-mod/1 [rx | tx | both] [inpkts {enable | disable}]
   [learning {enable | disable}] [multicast {enable | disable}]
   [filter vlans...] [create] 

IOS

 (global) monitor session session source interface type number [rx | tx | both] 
 (global) monitor session session destination interface type 1 
 (global) monitor session session filter vlan vlans 


The traffic source is identified as a specific switch port. The destination is the IDSM port 1. Specific VLANs can be filtered for monitoring by using the filter keyword.

- (Optional) Monitor a VLAN:

COS

 set span src-vlans dest-mod/1 [rx | tx | both] [inpkts {enable | disable}]
   [learning {enable | disable}] [multicast {enable | disable}] [create] 

IOS

 (global) monitor session session source vlan vlans [rx | tx | both] 
 (global) monitor session session destination interface type 1 


One or more VLANs can be given as sources of traffic to be monitored. The destination is the IDSM port 1.

- Gauge the amount of monitored traffic.

Make sure the bandwidth of captured or monitored traffic selected in Step 4a or 4b doesn't rise above 100 Mbps. This ensures that the IDSM is able to examine all the packets involved in every traffic flow.

The easiest way to control the traffic rate to the IDSM is to choose a source switch port that has 100 Mbps bandwidth.

Otherwise, you can use the show top n command to display the highest utilized switch ports.
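The following configuration is an added worked example for Step 4; it is not taken from the book. It assumes the IDSM sits in slot 5, so its capture port is 5/1; the VLAN to monitor is 10; the servers of interest are in 10.1.10.0/24; Gigabit port 4/1 is an unused port borrowed only to gauge the capture volume; and, under native IOS, the IDSM's port 1 is addressed as interface GigabitEthernet5/1 and is designated as a capture port with switchport capture on that interface (confirm the interface name on your switch with show interfaces). The policy drops Telnet to the servers, copies only HTTP and DNS to the IDSM, forwards everything else without capturing it, and ends with the permit ip any any entry that keeps the VACL's implicit deny from dropping the rest of the VLAN. The SPAN alternative of Step 4b follows at the end. Lines beginning with # (COS) or ! (IOS) are comments.

```cisco
# --- COS (CatOS): VACL capture to the IDSM in slot 5 ---
# Entries are evaluated in order. deny drops in hardware; permit forwards;
# permit ... capture forwards AND copies the packet to the capture port(s).
set security acl ip IDS-VLAN10 deny tcp any 10.1.10.0 0.0.0.255 eq 23
set security acl ip IDS-VLAN10 permit tcp any 10.1.10.0 0.0.0.255 eq 80 capture
set security acl ip IDS-VLAN10 permit udp any 10.1.10.0 0.0.0.255 eq 53 capture
# Without this entry the implicit deny drops all other traffic on VLAN 10.
set security acl ip IDS-VLAN10 permit ip any any
# Compile into hardware, send captured copies to IDSM port 5/1 and to the
# assumed spare port 4/1 (so the capture rate can be read with show mac 4/1),
# then bind the VACL to VLAN 10.
commit security acl IDS-VLAN10
set security acl capture-ports 5/1,4/1
set security acl map IDS-VLAN10 10
# Verify the committed entries, the VLAN mapping, and the capture rate.
show security acl info IDS-VLAN10
show security acl map IDS-VLAN10
show mac 4/1

! --- Native IOS: the same policy ---
! In a VACL the matching ACL only selects packets (permit = "this matches");
! what happens to them is decided by the access-map action.
ip access-list extended IDS-DROP
 permit tcp any 10.1.10.0 0.0.0.255 eq 23
ip access-list extended IDS-CAPTURE
 permit tcp any 10.1.10.0 0.0.0.255 eq 80
 permit udp any 10.1.10.0 0.0.0.255 eq 53
ip access-list extended IDS-REST
 permit ip any any
!
vlan access-map IDS-VLAN10 10
 match ip address IDS-DROP
 action drop
vlan access-map IDS-VLAN10 20
 match ip address IDS-CAPTURE
 action forward capture
! Sequence 30 plays the role of the trailing permit ip any any.
vlan access-map IDS-VLAN10 30
 match ip address IDS-REST
 action forward
vlan filter IDS-VLAN10 vlan-list 10
!
! Designate the capture ports: IDSM port 1 (assumed to be GigabitEthernet5/1)
! plus the assumed spare 4/1 used only for rate measurement.
interface GigabitEthernet5/1
 switchport capture
interface GigabitEthernet4/1
 switchport capture
!
! Verify: map contents, VLAN binding, and the rate seen on the spare port.
show vlan access-map IDS-VLAN10
show vlan filter access-map IDS-VLAN10
show interfaces GigabitEthernet4/1

# --- Step 4b alternative: SPAN received traffic of VLAN 10 to IDSM port 1 ---
# Use this INSTEAD of the VACL capture above, not together with it.
# COS
set span 10 5/1 rx create
show span
! IOS
monitor session 1 source vlan 10 rx
monitor session 1 destination interface GigabitEthernet5/1
show monitor
```

Once the VACL is mapped, its deny entry is a live filter on VLAN 10, not just a capture selector: a typo in an entry can black-hole production traffic, so read back show security acl info or show vlan access-map before mapping the list to a busy VLAN. Compare the rate on the spare port against the 100 Mbps ceiling, then remove 4/1 from the capture configuration when you are done measuring.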

5.

(Optional) Upgrade the IDSM software.

a. Select the active hard drive partition:

COS

 set boot device hdd:partition mod 

IOS

N/A


The IDSM in slot number mod runs the software image in partition: 1 (application partition, the default) or 2 (maintenance partition). After the IDSM is running the image in the active partition, the other partition can be upgraded.

b. (Optional) Install a cached image from the inactive partition.

- Enter the diagnostics mode:

IDSM

 (exec) diag 


- Verify that the correct image is cached:

IDSM

 (diag) ids-installer system /cache /show 


- Install the cached image:

IDSM

 (diag) ids-installer system /cache /install 


- Reload the IDSM:

COS

 reset module hdd:1 

IOS

 (exec) hw-module module module reset hdd:1 


The IDSM reloads, running the image on the application partition (partition 1).

c. (Optional) Install an image from an FTP server.

- Enter the diagnostics mode:

IDSM

 (exec) diag 


- (Optional) Identify IP addresses for the upgrade process:

IDSM

 (diag) ids-installer netconfig /configure /ip=ip-addr /subnet=mask /gw=gw-ip-addr 


The IDSM uses the specified IP address ip-addr, subnet mask, and gateway address gw-ip-addr when upgrading the application partition from an FTP server.

- Download the image from an FTP server:

IDSM

 (diag) ids-installer system /nw /install /server=ip-addr /user=account
   /save={yes | no} /dir=ftp-path /prefix=file-prefix 


The IDSM contacts the FTP server at ip-addr with the account name account (text string) and downloads the image from the FTP directory ftp-path under the filename file-prefix (text string), given without the .dat extension. With the yes keyword, the installed image is also cached on the IDSM so that it can be reinstalled later as in Step 5b. Note that FTP carries the account name, password, and image in cleartext, so use a dedicated read-only account and a server reachable only from the IDSM's management network.

- Reload the IDSM:

COS

 reset module hdd:1 

IOS

 (exec) hw-module module module reset hdd:1 


The IDSM reloads, running the image on the application partition (partition 1).

6.

(Optional) Upgrade IDSM with service packs.

a. (Optional) Check the active version:

IDSM

 (exec) show config 


b. Download the service pack to an FTP server.

TIP

You can find the IDSM service packs at the Software Center on Cisco.com: www.cisco.com/kobayashi/sw-center/sw-ciscosecure.shtml. Look under "Cisco Intrusion Detection System (IDS)." The Catalyst 6000 IDS Module software is collected under the "Latest Software" link. (You need to have a registered user account on CCO, and a current maintenance contract, to access the Software Center link.)

c. Apply the service pack:

IDSM

 (exec) configure terminal 
 (config-term) apply servicepack site ftp-ip-addr user account dir path file filename 


The IDSM contacts the FTP server at IP address ftp-ip-addr using the username account (text string); as with any FTP transfer, the credentials cross the network in cleartext. The service pack is stored in the path directory under the name filename (text string, including the .exe extension).

You can remove the last applied service pack with the remove servicepack command.

7.

(Optional) Upgrade the IDS signature database.

a. (Optional) Check the active version:

IDSM

 (exec) show config 


b. Download the signature database to an FTP server.

TIP

You can find the IDSM signature databases or updates at the Software Center on Cisco.com: www.cisco.com/kobayashi/sw-center/sw-ciscosecure.shtml. Look under "Cisco Intrusion Detection System (IDS)." The Catalyst 6000 IDS Module software is collected under the "Latest Software" link. (You need to have a registered user account on CCO, and a current maintenance contract, to access the Software Center link.)

c. Apply the signature update:

IDSM

 (exec) configure terminal 
 (config-term) apply signatureupdate site ftp-ip-addr user account dir path file filename 


The IDSM contacts the FTP server at IP address ftp-ip-addr using the username account (text string). The signature update is found stored in the path directory under the name filename (text string, including the .exe extension).

You can remove the last applied signature update with the remove signatureupdate command.

Displaying Information About the IDSM

Table C-1 lists the IDSM and switch commands you can use to display information about the IDSM and its traffic sources.

Table C-1. Commands to Display IDSM Information

Display Function        CLI    Command
----------------------  -----  ------------------------------------------------------------
IDSM versions           IDSM   show version
IDSM configuration      IDSM   show configuration
VACLs for capturing     COS    show security acl info all
                        IOS    (exec) show vlan access-map [map-name]
VACLs mapped to VLANs   COS    show security acl map {acl-name | vlan | all}
                        IOS    (exec) show vlan filter [{access-map map-name} | {vlan vlan-id}]
Active SPAN sessions    COS    show span
                        IOS    (exec) show monitor




Cisco Field Manual: Catalyst Switch Configuration
ISBN: 1587050439
Year: 2001