I don't know if this is the right place to put this in, but since there were requests for this emulation in the former PEMU section, I will post it here. Feel free to move this posting to a better place.
Ok, after doing some research I found a way to get IDS/IPS software release 5 to start and function in VMWare. There is an archive attached to the post; please use the README file as a starting point (which I paste below).
Notice that I cannot say anything about getting this to work in VMWare on Windows. When it loads the VMWare BIOS you should be fine. Also I will not respond to any requests for files provided by Cisco (downloadable from CCO). Go get yourself a support contract.
Thanks to defx and the guys from securityie.
The README:
Running Cisco IDS/IPS v5 Software in VMWare
===========================================
This Howto describes how to get the Cisco IDS/IPS Software Release 5 running inside VMWare. After successful installation, the VM will emulate an IDS-4215 platform with 3 GigabitEthernet interfaces ;-)
I developed this Howto by using VMWare Workstation for Linux; I didn't test this with any VMWare version for Windows.
REQUIREMENTS
============
- VMWare Workstation. I use version 5.5, running on a Debian etch host system; I never tested with a Windows host system.
- Cisco IPS recovery CD image. I used IPS-K9-cd-1.1-a-5.1-4.iso. This file can be downloaded from CCO; CCO download access requires a valid support contract.
- modified VMWare BIOS (CISCO_IDS4215_440.BIOS.ROM). This file should be in the archive from which you extracted this Howto.
- some basic UNIX skills for working with a shell and using vi
- knowledge of the English keyboard layout ;-)
TECHNICAL DESCRIPTION
=====================
It seems that with IDS/IPS software release 5, Cisco implemented stricter hardware identification checks, making it impossible to load the code on 4.x custom-built systems or in VMWare.
I'm not skilled enough to produce anything useful with the BIOS that can be downloaded from CCO ;-), so I investigated how to get VMWare to provide whatever the IPS software wants to hear. I still would prefer to have the native BIOS running, but this is a start for all the desperate souls that need a working IPS for study/LAB preparation.
I concentrated on the 4215 platform, because it seems that it does not have any special ROM/PROM chips built in.
Basically, IPSv5 is based on Red Hat Linux, so it is able to run inside VMWare. The recovery CD boots and reimages fine, as long as the virtual hard disks are large enough (256M for hda, 4GB for hdb).
hda is the flash in the appliance and holds the complete OS and the configuration. hdb is a real hard disk and is for "var" storage (event store etc.). The reimage fails when you have disks that are too small (fdisk will complain about wrong boundaries/size).
With a fresh system, you can boot into runlevel 1, mount the remaining filesystems and inspect what the system will do at regular startups.
The procedure collection file /etc/init.d/ids_functions determines the platform type during bootup. Because the 4215 doesn't have a special chip, the routine makes its selection based on the CPU speed and processor count. You can trick the routine by entering the CPU speed reported by Linux.
But this is not enough. At some point, a program called smbios_bios_info is called, reading information from the BIOS. Also, the binary mainApp will do this again later, so we have to find a way to tell the system what it wants to hear. Luckily, on the 4215 only DMI strings are checked.
VMWare allows you to extract the required portion of the BIOS, and with a resource editor you can modify the DMI strings to match the values the software checks. By telling VMWare to load this modified BIOS, the IPS software is satisfied and identifies the VM as a 4215 sensor.
I basically changed all the DMI strings to read as Vendor "Cisco Systems", Platform "IDS-4215", Chassis/Asset Tag "12345678901".
Now that the sensor boots and the CLI is usable, network connectivity must work. VMWare and the IPS Linux both support Intel e1000 cards, so this looks promising.
The physical interface configuration layouts of all the appliances are defined in /usr/cids/idsRoot/etc/interface.conf. By replacing the PCI device-id values with the ones provided by VMWare (see /proc/pci), the sensor recognized the VMWare virtual Ethernet cards.
By modifying this file you are able to use interface types a platform normally will not support (Gigabit cards in the 4215).
With this VM I was able to use IDM from a windoze system, create my own signatures and put a sensing interface between two dynamips instances (alerting each time it sees EIGRP packets). This should be proof enough!
Well, this is nearly all the information I collected during 8-12 hours of experimenting, in a few sentences. However, there are still some quirks and areas I don't understand well, for example, the problems caused by the absence of the file /usr/share/zoneinfo/cidsZoneInfo.
I hope this Howto is a start and encourages people to modify and enhance it.
Have fun!
INSTALLATION
============
1. VMWare
Extract the content of the archive to a place you remember; you'll need to specify the location of the BIOS file soon.
Start VMWare and create a new Virtual Machine (VM). The wizard starts; please use the following options:
- "Custom" configuration
- "Workstation 5" format
- Guest: "Linux" / Version: "Red Hat Linux"
- Name: whatever you like, maybe "Cisco:IPS"; make sure you remember the path listed in "Location"
- "One" processor
- 512 MB RAM
- "use bridged networking"
- SCSI Adapter: "BusLogic" (doesn't matter)
- "create a new virtual disk"
- Disk type "IDE"
- Size 0.3GB (yes, 300MB not GB)
- accept, then click "Finish"
Edit your VM Settings.
- Remove the sound adapter
- Remove the USB controller
- Remove the floppy disk
- Add two additional Ethernet adapters. The network connection type doesn't matter at the moment (leave it as bridged, for example)
- Add one additional hard disk:
  - "create a new virtual disk"
  - Disk type "IDE"
  - Size 4 GB (yes, 4GB this time; values below 4 GB will not work)
  - accept, then click "Finish"
- Modify the CD-ROM settings: "use ISO image", and point it to the IPS recovery CD ISO file
Now, finish modifications and quit VMWare.
Go to the folder where your VM resides (for me, it is ~/vmware/<VM_name>), and edit the VM configuration file (.vmx).
Put in the config option that tells VMWare to boot an alternative BIOS:
    bios440.filename = "<path_where_you_extracted_the_archive>/CISCO_IDS4215_440.BIOS.ROM"
Put in the device type for the Ethernet adapters (we want Intel GE cards):
    ethernet0.virtualDev = "e1000"
    ethernet1.virtualDev = "e1000"
    ethernet2.virtualDev = "e1000"
Now save and close the configuration file.
2. Recovery Image installation
Start VMWare and fire up the newly created VM. The recovery CD ISO file is selected for loading automatically; you have to enter "k" to start the CD boot process.
The recovery CD loads and does a full re-imaging of the VM hard drives. Please ignore any errors about failed platform identification and wait until the system reboots.
When rebooting (VMWare BIOS message is presented), STOP the VM and continue to read the next step.
3. First boot
Before we continue, we have to modify the GRUB boot parameters to get into single user mode. When the system boots for the first time after re-imaging, and the GRUB menu is displayed, press any key to stop the timer (up/down arrow, for example). Without that, the system boots and gets stuck at hardware detection.
Now that you know this, it is safe to turn on the VM again. Wait until the GRUB menu is displayed and select "Cisco IPS".
Press "e" to enter edit mode.
Select the second line (the one starting with "kernel"), and press "e" again.
Scroll to the left until you see the entry "init=loadrc". Replace loadrc with 1 (it should read "init=1"); don't touch any other option.
Press Enter and then "b" to start the boot process. After booting Linux, the system stops at init level 1.
4. Modifications
Press Enter to get a shell. Execute (English keymap!):
    /loadrc /etc/init.d/rc.init
    touch /usr/share/zoneinfo/cidsZoneInfo
Now determine the speed of your CPU:
    cat /proc/cpuinfo
by looking at the line named "cpu MHz". Write down the value (integer part only). Make a copy of the file ids_functions and modify it:
    cd /etc/init.d
    cp ids_functions ids_functions.orig
    vi ids_functions
Search for the string "4215" or go directly to line #252, which reads
    elif [[ 'isCPU 845' -eq $TRUE && ... MODEL=$IDS4215 ...
Modify the string "845" to the CPU speed you determined earlier; use only the integer value (for example, 2659). Of course you can copy the whole line, comment out the original one and keep it for further reference.
Three lines below there are variables named "DEFAULT_MGT_OS" and "DEFAULT_MGT_CIDS". Modify their values to:
    DEFAULT_MGT_OS="ma0_0"
    DEFAULT_MGT_CIDS="Management0/0"
Save the file and close vi.
Now, modify the interface configuration file:
    cd /usr/cids/idsRoot/etc
    cp interface.conf interface.conf.orig
    vi interface.conf
Scroll down until you find the section for the IDS-4215 (it's the second one).
Modify the pci-bus numbers in the slot definition subsection:
    [models/IDS-4215/slots/1]
    # lower slot
    pci-bus=0          # change this to 1
    pci-device=17

    [models/IDS-4215/slots/2]
    # upper slot
    pci-bus=0          # change this to 2
    pci-device=19
Now, modify the built-in interfaces by going to [models/IDS-4215/interfaces/1]:
    [models/IDS-4215/interfaces/1]
    # built-in 10/100 TX mgmt interface, Intel 82559ER
    # was eth1 (int1) in 4.x
    # rightmost connector on front panel
    # labeled "Ethernet 1" on panel
    name-template=FastEthernet0/0   # change this to Management0/0
    pci-bus=0
    pci-device= 14                  # change this to 17
    pci-function=0
    vendor-id=0x8086
    device-id=0x1209                # change this to 0x100f
    type=ge                         # change this to ge
    mgmt-capable=yes
Modify the second interface:
    [models/IDS-4215/interfaces/2]
    # built-in 10/100 TX sensing interface, Intel 82559ER
    # was eth0 (int0) in 4.x
    # leftmost connector labeled "Ethernet 0"
    name-template=FastEthernet0/1   # change this to GigabitEthernet0/1
    pci-bus=0
    pci-device= 13                  # change to 18
    pci-function=0
    vendor-id=0x8086
    device-id=0x1209                # change to 0x100f
    type=fe                         # change to ge
    sensing-capable=yes
    tcp-reset-capable=yes
CREATE a third interface by copying the whole [models/IDS-4215/interfaces/2] section:
    [models/IDS-4215/interfaces/2]    # rename to /3
    name-template=GigabitEthernet0/1  # rename to GigabitEthernet0/2
    pci-bus=0
    pci-device= 18                    # change to 19
    pci-function=0
    vendor-id=0x8086
    device-id=0x100f
    type=ge
    sensing-capable=yes
    tcp-reset-capable=yes
Now increase the interface number by 1 for the remaining (dummy) interfaces, [models/IDS-4215/interfaces/3] to /6, the ones that have "1 x 4-FE card" in the comment.
Save the file and quit vi.
Now move to the IPS bin directory and replace the file smbios_bios_info:
    cd /usr/cids/idsRoot/bin/
    mv smbios_bios_info smbios_bios_info.orig
    vi smbios_bios_info
Enter the following content into this file:
    #!/bin/sh
    echo
    echo "Platform: IDS-4215"
    exit 0
Save and quit. Now make the file executable and test it:
    chmod +x smbios_bios_info
    ./smbios_bios_info
The system should display "Platform: IDS-4215". And that's it for all the system modifications.
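Before rebooting, it pays to sanity-check the hand-edited interface.conf, since a slip in vi (the copied section never renamed to /3, two entries claiming the same PCI device, an e1000 entry left as type=fe) only shows up as a failed boot. The checker below is an added example, not part of the howto or of Cisco's software; it parses the [models/<model>/...] key=value layout shown above and assumes you run it with Python on the host against a copy of the file (the constructed sample is the three IDS-4215 interfaces after the edits, not the real file).

```python
# Sanity check for an edited /usr/cids/idsRoot/etc/interface.conf. Added example,
# not part of the howto or of Cisco's software; run on the host against a copy.
import re

SECTION_RE = re.compile(r"^\[(.+?)\]$")
E1000 = ("0x8086", "0x100f")   # vendor-id/device-id the howto assigns to every NIC
REQUIRED = ("name-template", "pci-bus", "pci-device", "pci-function", "vendor-id", "device-id", "type")
# Constructed sample: the three IDS-4215 interfaces as they should read after step 4,
# with comments, the other models and keys this check ignores left out (not a real file).
SAMPLE_OK = """\
[models/IDS-4215/interfaces/1]
name-template=Management0/0   # was FastEthernet0/0
pci-bus=0
pci-device= 17
pci-function=0
vendor-id=0x8086
device-id=0x100f
type=ge
mgmt-capable=yes
[models/IDS-4215/interfaces/2]
name-template=GigabitEthernet0/1
pci-bus=0
pci-device= 18
pci-function=0
vendor-id=0x8086
device-id=0x100f
type=ge
[models/IDS-4215/interfaces/3]
name-template=GigabitEthernet0/2
pci-bus=0
pci-device= 19
pci-function=0
vendor-id=0x8086
device-id=0x100f
type=ge
"""

def parse_interface_conf(text):
    """Return (sections, problems). Inline '# ...' comments and blanks around
    '=' are dropped, so 'pci-device= 14  # change this to 17' parses as 14."""
    sections, problems, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            if current in sections:   # e.g. the copied /2 never renamed to /3
                problems.append("line %d: duplicate section [%s]" % (lineno, current))
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
    return sections, problems

def check_model(sections, model="IDS-4215"):
    """Return problems with one model's interface sections; [] means it looks sane."""
    prefix = "models/%s/interfaces/" % model
    ifaces = {n[len(prefix):]: kv for n, kv in sections.items() if n.startswith(prefix)}
    problems, seen, mgmt = [], {}, 0
    if sorted(int(n) for n in ifaces if n.isdigit()) != list(range(1, len(ifaces) + 1)):
        problems.append("interface sections are not numbered 1..N: %s" % sorted(ifaces))
    for num, kv in sorted(ifaces.items()):
        missing = [k for k in REQUIRED if k not in kv]
        if missing:
            problems.append("interfaces/%s: missing %s" % (num, ", ".join(missing)))
            continue
        addr = (kv["pci-bus"], kv["pci-device"], kv["pci-function"])
        if addr in seen:   # two entries claiming the same virtual NIC
            problems.append("interfaces/%s: PCI %s already used by interfaces/%s"
                            % (num, ":".join(addr), seen[addr]))
        seen[addr] = num
        if (kv["vendor-id"].lower(), kv["device-id"].lower()) == E1000 and kv["type"] != "ge":
            problems.append("interfaces/%s: e1000 card but type=%s" % (num, kv["type"]))
        mgmt += kv.get("mgmt-capable") == "yes"
    if mgmt != 1:
        problems.append("expected one mgmt-capable=yes interface, found %d" % mgmt)
    return problems
```

To check a real copy, read the file and pass its text through parse_interface_conf and then check_model; an empty list from both means the IDS-4215 block is consistent.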
Now reboot the VM by entering
5. Second boot
After making all the modifications, the VM should start and present you a login prompt. If it gets stuck (no login), reload it again; this can happen when you booted the system completely without going into runlevel 1 in step 4.
There is still a yellow warning about modifications since last reboot - this message disappears after the next reboot.
Log on with the factory default account (cisco/cisco) and assign a new password.
Now assign the service account a password:
    conf t
    username service pass <yourpass> privi service
    exit
Log out and log in as user "service"; you will have a shell. Switch user to root with "su -"; the password is the same as for the user "service".
Now check whether the file "/usr/share/zoneinfo/cidsZoneInfo" is still there. If not, "touch /usr/share/zoneinfo/cidsZoneInfo" it. Without that file, you are not able to see any config in the CLI (for whatever reason). Exit until you reach the login prompt again.
Log in as "cisco" and you should be able to do a "show conf". Back up the configuration with "copy current-config backup-config" and reload by doing a "reset".
After the next reboot, the system is fully usable.
USAGE/HINTS/ISSUES
==================
- initial setup
The first thing you should do is to get network access to the VM via ssh/PDM/telnet. Make sure the VMWare "Ethernet 1" is connected as you need it (bridged to the VMWare host NIC, for example).
In the CLI, enter:
    conf t
    service host
    network-settings
    host-ip x.x.x.x/<mask>,<gateway>   # for example, host-ip ...
    access-list x.x.x.x/<mask>         # for example, access-list ...
    telnet-option enabled              # if you want telnet access
    exit
    exit
    exit
This allows anybody specified in access-list to access the sensor Management IP address, specified by host-ip. IDM access works then out of the box.
- network access
After my VM starts, I'm not able to use any network interface unless I disable/enable the corresponding VMWare NIC (right-click on the network card icon in the VMWare status line).
PDM does not show system information under Monitoring. Cosmetic issue, IMHO.
- IPS Updates
I didn't apply version 5 service packs, but I'm certain that with each update that brings modifications to the underlying OS, you have to check your modifications again.
I didn't try software release 6 either; it may force you not only to apply my modifications again, but also introduce improved hardware checking, making the modifications mentioned above incomplete/useless.
Cisco_IPS_in_VMWare[1].tar.gz (212.84 KB)
2007-9-10 09:32, downloads: 47
Please see the README file.