This section examines two commonly seen issues with NM-CIDS operations.
Re-imaging the NM-CIDS Application Partition
You can use the helper image file to re-image the application partition on the NM-CIDS from a TFTP server. This section presents the steps to perform the re-image and then covers how to troubleshoot problems with the re-image process.
Performing the Re-image of Application Partition
Re-imaging the application partition involves booting the sensor into the boot-loader. You then load the helper image, which in turn downloads and writes the actual application image.
Work through the following steps to perform this task:
Obtain the helper image file from the following location: http://www.cisco.com/kobayashi/sw-center/ciscosecure/ids/crypto/
Install a Trivial File Transfer Protocol (TFTP) server in a machine on your network.
Put the IDS/IPS helper image file (example of helper image is NM-CIDS-K9-helper-1.0-1.bin) on the TFTP server root directory.
Session in to the NM-CIDS with the following command to verify that the NM-CIDS is working properly:
Router# service-module IDS-Sensor slot_number/0 session
Suspend the session by pressing Shift-Ctrl-6 x. You will see the Router# prompt. If you do not see this prompt, try Ctrl-6 x.
Reset the NM-CIDS with the following command:
Router# service-module IDS-Sensor slot_number/0 reset
When you are prompted to confirm the reset command, press Enter to confirm.
Immediately after that, resume the suspended session by pressing Enter.
After displaying its version, the bootloader displays the following prompt for 15 seconds:
Please enter '***' to change boot configuration:
If you type *** during the 15-second delay (or if no default boot device is configured), you enter the bootloader CLI.
After sessioning in to the NM-CIDS, you will see the bootloader CLI prompt as follows:
ServicesEngine boot-loader>
Set up the bootloader network parameters as shown in Example 16-16. You have to configure the bootloader only once.
Example 16-16. The Bootloader Configuration
ServicesEngine boot-loader> config
! Assign the IP address same as the Command and Control interface IP address.
! This is the same address that you have assigned to the Fast Ethernet interface
! which is visible from the front panel of the NM-CIDS
IP Address [10.1.1.60] >
! Assign the subnet mask for the IP address that you have assigned in the
! previous line
Subnet mask [255.255.255.0] >
! Specify the TFTP server IP address where the helper image is installed.
TFTP server [10.1.1.1] >
! Specify the default gateway IP address. This is very important if the TFTP
! server is more than one hop away.
Gateway [10.1.1.1] >
! Specify the helper image file name that you have installed on the TFTP server
Default Helper-file [mohawk_helper] >
! By default the interface that you have defined IP address for is external. So,
! select this default value. Just hit Return.
Ethernet interface [external] >
! The default boot device is disk. So, just hit Return
Default Boot [disk] >
ServicesEngine boot-loader>
Once all the parameters are defined, load the helper image on NM-CIDS with the boot helper command as shown in Example 16-17.
Example 16-17. Loading a Boot Helper Image
ServicesEngine boot-loader> boot helper
Probing...EEPRO100
Found Intel EtherExpressPro100 at 0x00000000 ROM address 0x00000000
Ethernet addr: 01:23:45:67:89:AB
Me: 10.1.2.3, Server: 10.1.2.5, Gateway: 10.1.2.254
Loading NM-CIDS-K9-helper-1.0-1.bin
To boot a helper image other than the one configured as your default helper, type boot helper followed by the file name (boot helper name).
After the helper image is loaded, the bootloader checks that it downloaded correctly. The bootloader will not run a helper if it was received incorrectly or is not signed by Cisco. The following message indicates the helper is valid:
Image signature verified successfully.
The Helper utility is launched as shown in Example 16-18.
Example 16-18. Helper Utility Screen
Cisco Systems, Inc.
Services engine helper utility for NM-CIDS
Version 1.0(1) - Main menu

1 - Download application image and write to HDD
2 - Download bootloader and write to flash
3 - Display software version on HDD
4 - Display total RAM size
5 - Change file transfer method (currently secure shell)
r - Exit and reset Services Engine
h - Exit and shutdown Services Engine

Selection [1234rh]:
Work through the following steps to complete the re-image:
From the selection menu, type 5 to set the transfer method. Type 1 to choose Secure Shell or 2 to choose TFTP. Type r to return to the Main Menu.
Type 1 from the Selection Menu to start re-imaging the hard disk of the NM-CIDS. If SSH was chosen, enter the username and the SSH server IP address. If TFTP was chosen, enter only the TFTP server IP address.
Type the full pathname of the recovery image: /path/NM-CIDS.
Type y to continue; you will see a message similar to that shown in Example 16-19.
Example 16-19. Message Shown After Clicking Yes
Ready to begin
Are you sure? y/n
You receive the following message:
The authenticity of host 10.1.2.10 (10.1.2.10) can't be established.
RSA key fingerprint is 7b:90:3b:16:5f:a1:34:92:ff:94:54:19:82:dc:73:ba.
Are you sure you want to continue connecting (yes/no)?
Type yes. Then, if SSH is used, specify the server password.
Reboot the NM-CIDS as shown in Example 16-20.
Example 16-20. Message Shown When Rebooting the NM-CIDS
Selection [1234rh]: r
About to exit and reset Services Engine.
Are you sure? [y/N]
After sessioning into it, initialize the NM-CIDS with the setup command.
There are primarily two problems you may encounter with the re-image process:
Unable to access the boot-loader
You must issue a service-module IDS-Sensor <slot>/0 reset command instead of a service-module IDS-Sensor <slot>/0 reload command. The reload argument sends a message to the NM-CIDS asking it to reboot itself; if the NM-CIDS is in an unresponsive state, reload may fail. The reset command forces a hardware reset of the NM-CIDS. Before trying to access the boot-loader, check whether the NM-CIDS is in a good state with service-module IDS-Sensor <slot>/0 status.
Unable to load the helper image
The bootloader brings up the external interface and locates the TFTP server host. This process may take some time. Press p to see a printout of the ARP table; you should see ARP entries for the NM-CIDS, the TFTP server, and the default gateway. If nothing changes for a long time, you most likely have a network configuration or connectivity problem. When the TFTP load actually begins, a spinning character is displayed to indicate that packets are arriving from the TFTP server.
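The bootloader configuration in Example 16-16 and the "Unable to load helper image" problem above both come down to the same few values: the sensor's address and mask, whether the TFTP server is on the sensor's subnet (if not, the gateway must be), and whether the helper file really is in the TFTP root. The following script, an added example that is neither Cisco code nor part of the bootloader or helper utility, checks those values on the TFTP host before you reset the module. The TFTP root path, the expected SHA-256 (a placeholder) and the sample parameter values are assumptions, not values from this chapter.

```python
"""Pre-flight check for an NM-CIDS TFTP re-image, run on the TFTP host.

Added example for this section; it is not Cisco code and not part of the
NM-CIDS bootloader or helper utility. It validates the values you are about
to type at the `ServicesEngine boot-loader> config` prompt and confirms the
helper image is actually in the TFTP root, so that a bootloader that sits on
"Loading ..." can be traced to a local configuration problem before you
reset the module. The TFTP root path, the expected SHA-256 (placeholder) and
the sample parameter values are assumptions, not values from the chapter.
"""
import hashlib
import ipaddress
import os
from dataclasses import dataclass


@dataclass
class BootloaderParams:
    """The values prompted for by `config` on the bootloader."""
    ip_address: str   # Command and Control (external Fast Ethernet) address
    subnet_mask: str
    tftp_server: str
    gateway: str
    helper_file: str  # bare file name in the TFTP root


def check_params(p: BootloaderParams) -> list:
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    try:
        ip = ipaddress.IPv4Address(p.ip_address)
        net = ipaddress.IPv4Network(f"{p.ip_address}/{p.subnet_mask}", strict=False)
        tftp = ipaddress.IPv4Address(p.tftp_server)
        gw = ipaddress.IPv4Address(p.gateway)
    except ValueError as exc:
        return [f"invalid address or mask: {exc}"]
    if ip in (net.network_address, net.broadcast_address):
        problems.append("IP address is the network or broadcast address")
    if gw not in net:
        problems.append("gateway is not on the sensor's subnet")
    elif gw == ip:
        problems.append("gateway is the sensor's own address")
    # The gateway only matters when the TFTP server is more than one hop away;
    # an on-subnet server is reached directly, which is what the ARP table
    # printout in the troubleshooting section lets you confirm.
    if tftp not in net and gw not in net:
        problems.append("TFTP server is off-subnet and no usable gateway is set")
    if not p.helper_file or "/" in p.helper_file:
        problems.append("helper file must be a bare file name in the TFTP root")
    return problems


def check_helper_file(tftp_root: str, helper_file: str, expected_sha256: str) -> dict:
    """Confirm the helper image exists in the TFTP root and matches the expected digest.

    The bootloader verifies Cisco's signature after the download; this check
    only catches a missing, truncated or wrong file before the download starts.
    """
    path = os.path.join(tftp_root, helper_file)
    result = {"present": os.path.isfile(path), "digest_ok": False, "sha256": None}
    if not result["present"]:
        return result
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    result["sha256"] = h.hexdigest()
    result["digest_ok"] = h.hexdigest() == expected_sha256.lower()
    return result


if __name__ == "__main__":
    # Sample values mirroring Example 16-16 (constructed, not real hosts).
    params = BootloaderParams("10.1.1.60", "255.255.255.0", "10.1.1.1",
                              "10.1.1.1", "NM-CIDS-K9-helper-1.0-1.bin")
    for line in check_params(params) or ["bootloader parameters look consistent"]:
        print(line)
    # /srv/tftp and the digest are placeholders: use your TFTP root and the
    # checksum published for the image you downloaded.
    print(check_helper_file("/srv/tftp", params.helper_file, "<expected-sha256>"))
```

Run it on the TFTP host before issuing the reset; an empty problem list plus present and digest_ok both true means a stalled "Loading ..." is a connectivity problem between the router and the TFTP host, not a typo at the config prompt.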
Configuring Time on the NM-CIDS
To correctly analyze the events after an attack, the NM-CIDS must have the correct time stamp on its events. The NM-CIDS gets its time from the Cisco router in which it is installed. As the routers do not have a battery, they cannot preserve a time setting when they are powered off, so you must set the router's clock each time you power up or reset the router. Therefore, the best solution is to configure the router to use a Network Time Protocol (NTP) server to provide time. NTP can be configured either on the NM-CIDS itself or on the router in which the NM-CIDS is installed.
Default Behavior for Time Setting on NM-CIDS
By default, the NM-CIDS automatically synchronizes its clock with the clock in the router chassis in which it is installed. Note that only the Greenwich Mean Time (GMT) is synchronized between the router and the NM-CIDS, not the time zone and summertime settings.
Be sure to set the time zone and summertime settings on both the router and the NM-CIDS; otherwise the local time for the NM-CIDS will be incorrect.
Using Network Time Protocol (NTP) Server
Instead of having the NM-CIDS get its time from the router, you can configure the NM-CIDS to get its time from an NTP time synchronization source, such as a Cisco router. Refer to the following link for configuring a Cisco router to be an NTP server: http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_installation_and_configuration_guide_chapter09186a008035809d.html#wp87016
You will need the NTP server IP address, the NTP key ID, and the NTP key value. You can configure the NM-CIDS to use an NTP server as its time source during initialization, or you can set up NTP later. Refer to the following link:
It is recommended to use an NTP time synchronization source.