Responses from the IOS-Based IDS

At this point we have seen how to configure the IOS-based IDS; in the next section we will see how to verify and monitor that configuration. What we haven't seen so far is the Cisco IOS-based IDS in action: what happens when the router sends an alarm, performs a TCP reset, or drops a packet? We will walk through a number of examples to see how the IOS-based IDS responds to intrusions.

Figure 11.4 shows how the LAN of Prince Partners Inc. is connected to the Internet via Router1.

Figure 11.4: The Prince Partners Inc. LAN

Router1 is configured for IDS and has all IDS signatures enabled. Alarm notifications are sent to a Syslog server; there is no Director or IDS sensor in play. The following shows the IDS configuration of Router1. We will use this setup in all examples. To get a good view of what the router does when it detects an intrusion, we will use debug commands where necessary. Because of the logging trap debugging and logging 172.16.20.2 commands, Router1 sends all messages, including debug messages, to the Syslog server at 172.16.20.2.

!
ip audit info action alarm
ip audit attack action alarm drop reset
ip audit notify log
ip audit po max-events 100
ip audit protected 172.16.20.1 to 172.16.20.254
ip audit name idstest info action alarm
ip audit name idstest attack action alarm drop reset
!
interface Serial 1/0
ip address 192.6.11.254 255.255.255.252
ip audit idstest in
!
interface Ethernet 0/0
ip address 172.16.20.1 255.255.255.0
!
logging trap debugging
logging 172.16.20.2
!

In Figure 11.4, a WWW server is connected to the Internet. When we execute a PING from Server1 to this WWW server, we expect to get a reply back. Router1 audits this reply as it arrives on the inbound interface and compares it against its signature base. An echo reply matches informational signature 2000 (ICMP Echo Reply). Since 2000 is an informational signature and the configured info action is alarm, Router1 only sends an alarm notification to the Syslog server and lets the packet through.

%IDS-4-ICMP_ECHO_REPLY_SIG: Sig:2000:ICMP Echo Reply - from 192.6.10.34 to
172.16.20.2

In Figure 11.4, we also see HackerA connected to the Internet. HackerA is trying to get more information on Server1 and is performing a UDP port scan. A hacker uses a UDP port scan to determine which UDP ports are open on a host. It works by sending a zero-length UDP datagram to each port on the target host. If an ICMP port unreachable message comes back, the port is closed. If nothing comes back, the hacker assumes the port is open (or that the response was filtered on the way).

To get more information from the router about the action it takes after detecting the attack, we enable the debug command debug ip audit detailed. Be careful with this command in a production environment: it produces output for every audited packet, which can load the router's CPU and, with logging trap debugging in effect, flood the Syslog server. While HackerA is running his UDP port scan, what we see in Syslog is the following:

May 31 13:45:43 75607: IDS UDP Signature - UDP IOS BOMB (Sig: 76)
May 31 13:45:43 75608: %IDS-4-UDP_IOS_BOMB_SIG: Sig:4600:UDP IOS Bomb -
from 192.6.10.241 to 172.16.20.2
May 31 13:45:43 75609: IDS* Interface Ethernet1/0 Pak 0x816295D0 audit
(on input) completed, dropping
May 31 13:45:43 75611: IDS UDP Signature - UDP IOS BOMB (Sig: 76)
May 31 13:45:43 75612: IDS* Interface Ethernet1/0 Pak 0x816295D0 audit
(on input) completed, dropping
May 31 13:45:43 75614: IDS UDP Signature - UDP IOS BOMB (Sig: 76)
May 31 13:45:43 75615: IDS* Interface Ethernet1/0 Pak 0x816295D0 audit
(on input) completed, dropping

Router1 has detected the port scan and reports it as signature 4600, UDP IOS Bomb (the debug line above it shows the UDP engine's internal number, 76, for the same match). Because 4600 is an attack signature and the configured attack action is alarm drop reset, the router sends an alarm to the Syslog server and drops each offending UDP packet; no reset is sent, since the reset action only applies to TCP connections. Note that in this capture a single %IDS-4 alarm is followed by a drop for every further matching packet, so the Syslog alarms alone undercount what the router is actually blocking; the individual drops are visible only in the debug output.
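The point above, that the alarm stream and the drop stream tell different stories, is easy to check on the Syslog server. The following Python script is an added example, not code from the page or from Cisco: it re-joins records that the book (or a terminal) wrapped across lines, parses the three kinds of line Router1 emits (the %IDS-4 alarm, the engine's "IDS UDP Signature" debug line, and the "audit ... completed, dropping" debug line), and counts alarms, engine matches and drops per signature. The sample input is the page's own Syslog lines, assembled here into one constructed feed; attributing each drop to the most recent alarm is an assumption that holds for this capture but is not something the router guarantees.

```python
import re
from collections import Counter

# Constructed feed, not a capture: the Syslog lines printed on the page, kept
# line-wrapped exactly as printed, with the echo-reply alarm placed first.
SAMPLE_SYSLOG = """\
%IDS-4-ICMP_ECHO_REPLY_SIG: Sig:2000:ICMP Echo Reply - from 192.6.10.34 to
172.16.20.2
May 31 13:45:43 75607: IDS UDP Signature - UDP IOS BOMB (Sig: 76)
May 31 13:45:43 75608: %IDS-4-UDP_IOS_BOMB_SIG: Sig:4600:UDP IOS Bomb -
from 192.6.10.241 to 172.16.20.2
May 31 13:45:43 75609: IDS* Interface Ethernet1/0 Pak 0x816295D0 audit
(on input) completed, dropping
May 31 13:45:43 75611: IDS UDP Signature - UDP IOS BOMB (Sig: 76)
May 31 13:45:43 75612: IDS* Interface Ethernet1/0 Pak 0x816295D0 audit
(on input) completed, dropping
May 31 13:45:43 75614: IDS UDP Signature - UDP IOS BOMB (Sig: 76)
May 31 13:45:43 75615: IDS* Interface Ethernet1/0 Pak 0x816295D0 audit
(on input) completed, dropping
"""

# A record starts with a "Mon dd hh:mm:ss seq: " Syslog header or a bare
# "%IDS-" mnemonic; any other line is a wrapped continuation of the previous one.
RECORD_START = re.compile(r"^(?:[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d+: |%IDS-)")
# %IDS-<sev>-<MNEMONIC>: Sig:<id>:<name> - from <src> to <dst>
# (the separator is accepted as a hyphen or an en dash, as some prints show it)
ALARM = re.compile(r"%IDS-(\d)-(\w+): Sig:(\d+):(.*?) [-\u2013] from (\S+) to (\S+)")
# "debug ip audit detailed" line naming the engine and its internal signature number
ENGINE = re.compile(r"IDS (\w+) Signature - (.+?) \(Sig: (\d+)\)")
# "debug ip audit detailed" line recording the drop action on an interface
DROP = re.compile(r"audit \(on (input|output)\) completed, dropping")


def join_wrapped(text):
    """Re-join records that were wrapped across several lines."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return records


def parse_events(text):
    """Turn the raw Syslog text into an ordered list of typed event dicts."""
    events = []
    for rec in join_wrapped(text):
        if m := ALARM.search(rec):
            events.append({"kind": "alarm", "severity": int(m.group(1)),
                           "mnemonic": m.group(2), "sig": int(m.group(3)),
                           "name": m.group(4).strip(),
                           "src": m.group(5), "dst": m.group(6)})
        elif m := ENGINE.search(rec):
            events.append({"kind": "engine", "engine": m.group(1),
                           "name": m.group(2), "internal_sig": int(m.group(3))})
        elif m := DROP.search(rec):
            events.append({"kind": "drop", "direction": m.group(1)})
    return events


def summarize(events):
    """Count alarms, engine matches and drops. Each drop is attributed to the
    most recent alarm; this assumes, as in the page's capture, that the router
    alarms once and then drops the following matching packets silently."""
    alarms, sources, engine_hits, drops_by_sig = Counter(), Counter(), Counter(), Counter()
    last_sig = None
    for ev in events:
        if ev["kind"] == "alarm":
            alarms[ev["sig"]] += 1
            sources[ev["src"]] += 1
            last_sig = ev["sig"]
        elif ev["kind"] == "engine":
            engine_hits[ev["internal_sig"]] += 1
        elif ev["kind"] == "drop":
            drops_by_sig[last_sig] += 1
    return {"alarms": dict(alarms), "sources": dict(sources),
            "engine_hits": dict(engine_hits), "drops_by_sig": dict(drops_by_sig),
            "drops": sum(drops_by_sig.values())}


if __name__ == "__main__":
    s = summarize(parse_events(SAMPLE_SYSLOG))
    for sig, n in s["alarms"].items():
        print(f"sig {sig}: {n} alarm(s), {s['drops_by_sig'].get(sig, 0)} drop(s)")
    print(f"engine matches {s['engine_hits']}, total drops {s['drops']}")
```

On the page's lines this reports one alarm but three drops for signature 4600, which is the discrepancy a detection engineer needs to know about before building alert thresholds on the %IDS-4 messages alone.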

While the scan is taking place, we use the show ip audit statistics command to get a better idea of what is going on and to see how many packets each signature has matched.

Router1#show ip audit statistics
Signature audit statistics [process switch:fast switch]
signature 1101 packets audited: [0:98]
signature 2004 packets audited: [0:11]
signature 4600 packets audited: [0:720]
Interfaces configured for audit 1
Session creations since subsystem startup or last reset 845
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:4:0]
Last session created 00:09:39
Last statistic reset never

Host ID:2, Organization ID:100, SYN pkts sent:218,
ACK pkts sent:3, Heartbeat pkts sent:14085, Heartbeat ACK pkts sent:7114,
Duplicate ACK pkts received:0, Retransmission:0, Queued pkts:0

The output of the show ip audit statistics command shows that the IOS IDS has so far audited 720 packets matching signature 4600, the UDP IOS Bomb signature, all of them in the fast-switching path; the [process switch:fast switch] pair on each signature line separates the two counters.
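A single run of show ip audit statistics only gives cumulative counters; to see whether a scan is still in progress you compare two runs. The following Python script is an added example, not code from the page or from Cisco: it parses the signature lines and session counter into per-signature process/fast-switched totals and reports the growth between two snapshots. The first snapshot is the page's own output; the second is constructed here to represent a later run and is not from the page.

```python
import re

# The show ip audit statistics output shown on the page, taken during the scan.
SNAPSHOT_BEFORE = """\
Signature audit statistics [process switch:fast switch]
signature 1101 packets audited: [0:98]
signature 2004 packets audited: [0:11]
signature 4600 packets audited: [0:720]
Interfaces configured for audit 1
Session creations since subsystem startup or last reset 845
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:4:0]
Last session created 00:09:39
Last statistic reset never
"""

# Constructed (not from the page): what a second run a little later might show
# if the scan is still going and a few echo replies have also been audited.
SNAPSHOT_AFTER = """\
Signature audit statistics [process switch:fast switch]
signature 1101 packets audited: [0:98]
signature 2000 packets audited: [0:3]
signature 2004 packets audited: [0:11]
signature 4600 packets audited: [0:1275]
Interfaces configured for audit 1
Session creations since subsystem startup or last reset 1402
Current session counts (estab/half-open/terminating) [0:1:0]
Maxever session counts (estab/half-open/terminating) [0:4:0]
Last session created 00:00:02
Last statistic reset never
"""

SIG_LINE = re.compile(r"^signature (\d+) packets audited: \[(\d+):(\d+)\]")
SESSIONS = re.compile(r"^Session creations since subsystem startup or last reset (\d+)")
RESET = re.compile(r"^Last statistic reset (.+)$")


def parse_statistics(text):
    """Return per-signature process/fast-switched counters plus session data."""
    stats = {"signatures": {}, "session_creations": None, "last_reset": None}
    for line in text.splitlines():
        if m := SIG_LINE.match(line):
            proc, fast = int(m.group(2)), int(m.group(3))
            stats["signatures"][int(m.group(1))] = {
                "process": proc, "fast": fast, "total": proc + fast}
        elif m := SESSIONS.match(line):
            stats["session_creations"] = int(m.group(1))
        elif m := RESET.match(line):
            stats["last_reset"] = m.group(1).strip()
    return stats


def delta(before, after):
    """Packets audited per signature between two snapshots. A signature that
    first appears in `after` counts from zero; a negative value means the
    counters were reset between the two runs."""
    out = {}
    for sig, a in after["signatures"].items():
        b = before["signatures"].get(sig, {"total": 0})
        out[sig] = a["total"] - b["total"]
    return out


def busiest(deltas, n=3):
    """Signatures ranked by packets audited since the previous snapshot."""
    return sorted(deltas.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    before = parse_statistics(SNAPSHOT_BEFORE)
    after = parse_statistics(SNAPSHOT_AFTER)
    for sig, n in busiest(delta(before, after)):
        print(f"sig {sig}: +{n} packets audited")
    print(f"sessions created: +{after['session_creations'] - before['session_creations']}")
```

If a counter goes down between two runs, the statistics were cleared in between; the Last statistic reset line in the output tells you when, so check it before trusting a delta.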