© 2016 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 20
Snort IPS
Deployment Guide
Contents
1. What Is an Intrusion Prevention System
2. Snort IPS for Cisco 4000 Series Integrated Services Routers
2.1 Architecture of Snort IPS on the 4000 Series ISR
2.2 Features at a Glance
3. Configuration and Activation Step by Step
3.1 Step 1: Install Snort IPS Virtual Service
3.2 Step 2: Configure Snort IPS Policies
3.3 Enabling Snort for Specific Interfaces
3.4 Changing Snort Engine
4. Signature Update
4.1 Updating from cisco.com
4.2 Updating from a Local Server
4.3 Manual Update Command
4.4 Check the Signature Update Status
5. Hardware, Software, and Licensing Requirements
5.1 Licensing
6. Performance
6.1 Co-Existing with Other Container-Based Services
7. Deployment Considerations
8. Management and Monitoring
8.1 Basic Monitoring and Troubleshooting
8.1.1 How to Verify Snort OVA Is Installed and Activated Correctly
8.1.2 How to Verify That the Service Node Is Alive
8.1.3 How to Check the Active Configuration
8.1.4 How to Check Snort Container Service Status
8.1.5 Show Snort Event Logs
8.2 Advanced Troubleshooting and Debugging
8.2.1 How to Check Snort Engine Status
8.2.2 Check Service Node Health
8.2.3 Check Packet Diversion Statistics from the Data Plane to the Service Plane
8.2.4 Troubleshooting Signature Update Issues
8.3 Debugging
8.4 Complete List of Show Commands
8.5 Complete List of Debug Commands
9. Snort IPS Deployment Using Cisco Prime CLI Templates
10. Download Locations
10.1 Snort IPS Engine OVA Files
10.2 Snort IPS Signature Package Files
10.3 Cisco Prime CLI Templates for Snort IPS Deployment
1. What Is an Intrusion Prevention System
An intrusion prevention system (IPS) detects and blocks known network attacks by matching traffic against a package of previously known attack signatures. These signatures can detect attacks originating from both external and internal sources. An IPS typically runs in a network gateway, such as a router, or as a standalone appliance. It can be deployed in inline mode or in promiscuous mode: inline mode supports both detection and prevention, while promiscuous mode only supports detection, because the IPS sees a copy of the traffic and is not in the forwarding path.
An IPS has two components: the detection and enforcement engine and the attack signature package. The engine is relatively static, whereas the signature package is updated frequently as new attacks are discovered. Optionally, the IPS solution can include a management and monitoring component. The two can be bundled together or operated as separate systems. Management and monitoring are typically centralized so that multiple IPS installations can be managed from one place. If an IPS installation is managed independently, these functions may be integrated with the IPS engine as an on-premises solution.
2. Snort IPS for Cisco 4000 Series Integrated Services Routers
Snort® IPS is an open-source IPS engine; more information can be found on snort.org. Snort IPS on the router uses the Snort engine for IPS functionality. The Snort engine runs as a Linux service container application within the 4000 Series Integrated Services Router (ISR), using the computing resources of the Cisco® 4000 Series ISR platform. This architecture allows the Snort engine to run independently of the data plane CPU load.
The router forwards the packets to be inspected to the Snort container over an internal virtual port group (VPG) interface, which is connected across the router backplane. After inspection, Snort drops the packets associated with bad flows (IPS mode); packets belonging to good flows are returned to the router for further processing.
2.1 Architecture of Snort IPS on the 4000 Series ISR
The Snort engine on the 4000 Series ISR runs as a container application. The 4000 Series ISR has a multi-core CPU, and the Cisco IOS-XE operating system can allocate these cores to control-plane or data-plane functions. Computing resources not used by control-plane functions can be used to run other services. A Linux container infrastructure hosts these applications, and applications running in this infrastructure can integrate tightly with Cisco IOS® Software.
The Snort process runs as a Linux container application with dedicated computing resources. This makes it easier to update the Snort engine independently of a Cisco IOS Software update, which helps keep the IPS engine up to date.
Cisco IOS Software forwards the packets to be inspected to the Snort IPS engine, which inspects the traffic and takes the necessary action. If traffic needs to be blocked, the associated packets of that flow are dropped; all other packets are forwarded back to Cisco IOS Software (the data plane) for further processing. Packet exchange between the container application and the IOS data plane uses VPG interfaces. These routed interfaces are connected through the router backplane, and the corresponding interfaces on the container side appear as virtual Ethernet ports. Snort IPS uses two VPG interfaces: one as the management interface and the other for exchanging data packets.
Figure 1. Snort Overview
2.2 Features at a Glance
Snort was created in 1998 and is the most widely downloaded open-source IPS software in the world.
Its primary function is to provide intrusion detection and blocking for a variety of network-based attacks and probes,
such as buffer overflows, stealth port scans, CGI attacks, server message block (SMB) probes, OS fingerprinting
attempts, and much more.
Snort IPS on the 4000 Series ISR provides the following functionalities:
● Intrusion detection system (IDS) and IPS modes: configure threat detection or prevention mode. In prevention mode, attack traffic is dropped.
● Three signature levels: security, balanced, and connectivity. The security level enables the largest number of signatures.
● An allowed list turns off selected signatures. This avoids false positives where legitimate traffic would otherwise trigger IPS action. Up to 1000 entries are supported in the allowed list.
● Snort health monitoring: Cisco IOS Software keeps track of the health of the Snort engine running in the service container.
● Fail open and fail close: in the event of an IPS engine failure, the router can be configured either to block the traffic flow or to bypass IPS checking until the Snort engine recovers.
● Signature update: automatic and manual updates are supported. Snort IPS can download the signature package directly from cisco.com or from a local resource location over HTTP or HTTPS. A manual download is triggered by an exec command at the router prompt.
● Event logging: IPS logs can be sent to an independent log collector or included in the router syslog stream. Sending IPS logs separately helps if the security event management tool is different from the regular syslog server used for the router's syslogs.
3. Configuration and Activation Step by Step
Following is a sample Cisco IOS configuration for Snort IPS. Refer to the user manual for the complete
configuration guide. All the configuration and activation commands are done on the router so there is no need to
access Snort engine for any purpose. Snort IPS configuration has two main steps:
1. Installing and configuring the Snort IPS virtual service
2. Configuring and applying the Snort IPS policies
3.1 Step 1: Install Snort IPS Virtual Service
In this step, the Snort image is copied to flash and installed in the service container. Then the internal communication between Snort and the router is established.
Step 1.1: Install Snort Virtual Container Service
The Snort engine, which runs in the service container, is distributed as an Open Virtualization Archive (OVA) file. If this file is not present in the router flash, download it from cisco.com and copy it into flash. Once the OVA file is in flash, issue the following command at the exec prompt to install it:
virtual-service install name myips package flash:utd.ova
Execute "show virtual-service list" at the command prompt to see the installation status.
Step 1.2: Configure VPG Interfaces
VPG interfaces are used to communicate between the Cisco IOS data plane and Snort IPS. Snort IPS needs two
VPG interfaces. The first VPG interface is used for management purposes, and the second VPG interface is used
for forwarding packets between the Cisco IOS data plane and Snort IPS.
The management VPG interface is primarily used for signature updates, logging, and monitoring. That means that
traffic from this interface needs to be routable. There is no need for direct inbound connection, therefore the IP
address on this interface can work behind a Network Address Translation (NAT), which is typically configured on
the router itself or elsewhere in the network.
The data VPG interface is used to forward data traffic between Cisco IOS Software and Snort IPS for detection and
enforcement. The IP subnet configured on this interface does not need external access. It can use a local, non-
routable, private subnet. It is a good practice to not include this subnet in route advertisements.
interface VirtualPortGroup0
ip address 10.0.0.1 255.255.255.252
interface VirtualPortGroup1
ip address 192.168.0.1 255.255.255.252
Step 1.3: Configure and Activate Snort IPS Virtual Service
Configure the Snort container service on the router using the configuration that follows. The IP address configured
here is used by the virtual Ethernet interfaces on the container side. Make sure to assign IP addresses from the
same subnet configured on the corresponding VPG interface on the router.
virtual-service myips
vnic gateway VirtualPortGroup0
guest ip address 10.0.0.2
vnic gateway VirtualPortGroup1
guest ip address 192.168.0.2
activate
Execute "show virtual-service list" at the command prompt to see the activation status.
3.2 Step 2: Configure Snort IPS policies
In this step, we define whether the IPS should work in detection mode or protection mode, signature policy level,
event logging method, etc.
Step 2.1: Configure the Main Snort Policy
● threat detection | protection: detection is IDS mode, protection is IPS mode
● policy security | balanced | connectivity: signature level; security loads the highest number of signatures
● logging: external log server; if not configured, the events are published as part of the router's syslog stream
● signature update server: optional; specifies the method of the signature update
utd engine standard
threat protection
policy security
logging server 172.25.220.128 syslog level warning
Step 2.2: Enable IPS on the Router
In this step, the Snort IPS is activated on the router. The configured policies will not take effect until this step is
completed. IPS can be enabled globally on all interfaces, or specifically enabled on a certain interface as an
interface configuration.
utd
all-interfaces
engine standard
Step 2.3: (Optional) Configure the Signature Allowed List
The allowed list is used to turn off certain signatures. This is mainly used if a certain signature is causing many
false alarms or causes good or custom application traffic to be blocked.
utd whitelist
signature id 12 comment testing1
signature id 15 comment testing2
3.3 Enabling Snort for Specific Interfaces
If only certain interface-specific traffic needs be subjected to IPS operation, then IPS can be enabled only on that
interface by configuring the "utd enable" command under the interface configuration. In this case, globally enabling
is not required.
interface GigabitEthernet0
utd enable
3.4 Changing Snort Engine
The Snort engine needs to be upgraded independently from the router firmware. Usually, each Cisco IOS-XE
release will have an associated Snort OVA version. But in some cases Snort OVA may need to be downloaded
and upgraded independently. To do this, the service needs to be de-activated before upgrading the OVA file.
Step 1: Deactivate Snort IPS
In config mode:
virtual-service myips
no activate
Step 2: Update the Snort Engine OVA File
In exec mode:
virtual-service upgrade name myips package flash:newutd.ova
Step 3: Activate Snort IPS
In config mode, activate the service:
virtual-service myips
activate
4. Signature Update
The signature update can be configured to happen automatically on a schedule, or it can be run manually. A manual update can be triggered at any time by issuing a router command. If no update schedule is configured, the router falls back to manual update mode, where updates can be done only from the router's command-line interface (CLI). Manual mode is useful if an administrator wants to control when signatures are updated, or if the signature update needs to be driven from a management tool.
Figure 2. Signature Update Overview
4.1 Updating from cisco.com
The following configuration attempts to update the signatures every day at 12:00 a.m. (midnight) from cisco.com. The cisco.com credentials become part of the router configuration and are displayed, in obfuscated form, by "show utd engine standard config", so protect configuration backups accordingly.
utd engine standard
signature update server cisco username <CCO username> password <foo>
signature update occur-at daily 0 0
!
4.2 Updating from a Local Server
Use a local server when the router does not have Internet access. It is also good practice for reducing network usage when a large number of routers need to be updated: instead of each router using Internet bandwidth, they can download from an intranet server. In this case, the administrator or a management tool downloads the signature package from cisco.com and hosts it on a local HTTP or HTTPS server. Once the new package is hosted, the router update can be triggered manually or left to the automatic update feature. Because the router installs whatever package the configured URL returns, host the package on a server you control, restrict who can write to it, and prefer an HTTPS URL.
The following configuration triggers a signature update on Monday, Wednesday, and Friday (days 1, 3, and 5) at 5:00 a.m.
utd engine standard
signature update server url http://10.133.144.155/sig-packages/sig-update.sig
signature update occur-at weekly 1,3,5 05 00
!
4.3 Manual Update Command
The signature update can be triggered any time by issuing the following command. This is useful if a signature
update schedule is not configured, or in the situation where a critical signature update needs to be installed
directly. This also can be used as an override mechanism to an existing signature update method. For example, if
a local server is configured as the signature source, in the manual update a different server or cisco.com can be
specified as the signature source. If no override options create issues, the router will use the same parameters
configured in the router configuration for signature update.
To simply trigger a signature update, execute the following command in the exec prompt of the router.
Router# utd signature update
Issue additional parameters to override the configured ones.
Router# utd signature update server cisco username myuserid password mypasswd
4.4 Check the Signature Update Status
Issue the following command at exec prompt to check the signature update status.
Router# show utd engine standard signature update status
Current Signature package version: 1.3
Current Signature package name: UTD-STD-SIGNATURE-stage-1-3.pkg
Previous Signature package version: 1.0
Last update status: Failed
Last failure Reason: System error-fail to process username & password combination.
Last successful update method: Manual
Last successful update server: cisco
Last successful update time: Mon Aug 24 21:27:06 2015 UTC
Last successful update speed: 4850875 bytes in 44 secs
Last failed update method: Manual
Last failed update server: cisco
Last failed update time: Tue Aug 25 18:23:44 2015 UTC
Last attempted update method: Manual
Last attempted update server: cisco
Last attempted update time: Tue Aug 25 18:23:44 2015 UTC
Total num of updates successful: 1
Num of attempts successful: 1
Num of attempts failed: 3
Total num of attempts: 4
Next update scheduled at: None
Current Status: Idle
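The status output above lends itself to automated checking, since a failed or stale signature feed silently weakens the IPS. The following Python script is an added example and not part of the Cisco guide: it parses the key/value lines the router prints (the sample text is constructed from the output shown above), flags a failed last update, a last successful update older than a chosen maximum age, and a missing schedule, and returns the findings. The seven-day threshold and the finding codes are assumptions; how the output is collected from the router (SSH, a management tool) is left out.

```python
"""Check 'show utd engine standard signature update status' output.

Added example, not part of the Cisco guide. Parses the router's key/value
lines and flags a failed last update, stale signatures, and a missing
schedule. SAMPLE_STATUS is constructed from the output shown in the guide;
MAX_AGE and the finding codes are assumptions.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample, modelled on the guide's output (one wrapped value).
SAMPLE_STATUS = """\
Current Signature package version: 1.3
Current Signature package name: UTD-STD-SIGNATURE-stage-1-3.pkg
Previous Signature package version: 1.0
Last update status: Failed
Last failure Reason: System error-fail to process username & password
combination.
Last successful update method: Manual
Last successful update server: cisco
Last successful update time: Mon Aug 24 21:27:06 2015 UTC
Last successful update speed: 4850875 bytes in 44 secs
Last failed update method: Manual
Last failed update server: cisco
Last failed update time: Tue Aug 25 18:23:44 2015 UTC
Last attempted update method: Manual
Last attempted update server: cisco
Last attempted update time: Tue Aug 25 18:23:44 2015 UTC
Total num of updates successful: 1
Num of attempts successful: 1
Num of attempts failed: 3
Total num of attempts: 4
Next update scheduled at: None
Current Status: Idle
"""

TIME_FMT = "%a %b %d %H:%M:%S %Y %Z"   # e.g. "Mon Aug 24 21:27:06 2015 UTC"
MAX_AGE = timedelta(days=7)            # assumed acceptable signature age


def parse_status(text):
    """Turn 'Key: value' lines into a dict.

    A line without a colon is a terminal-wrapped continuation of the
    previous value (the guide's 'Last failure Reason' wraps this way).
    Only the first colon splits, so timestamps keep their colons.
    """
    fields, last_key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" in line:
            key, value = line.split(":", 1)
            last_key = key.strip()
            fields[last_key] = value.strip()
        elif last_key:
            fields[last_key] += " " + line
    return fields


def evaluate(fields, now, max_age=MAX_AGE):
    """Return (code, detail) findings; an empty list means the feed looks healthy."""
    findings = []
    if fields.get("Last update status") == "Failed":
        findings.append(("last-update-failed",
                         fields.get("Last failure Reason", "reason not reported")))
    when = fields.get("Last successful update time", "None")
    if when == "None":
        findings.append(("never-updated", "no successful signature update recorded"))
    else:
        last_ok = datetime.strptime(when, TIME_FMT).replace(tzinfo=timezone.utc)
        age = now - last_ok
        if age > max_age:
            findings.append(("signatures-stale",
                             f"last successful update was {age.days} days ago"))
    if fields.get("Next update scheduled at", "None") == "None":
        findings.append(("no-schedule",
                         "no automatic update scheduled; router is in manual update mode"))
    return findings


def check_status(text, now_iso):
    """Wrapper taking the poll time as an ISO-8601 string with offset."""
    return evaluate(parse_status(text), datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    now = datetime.now(timezone.utc).isoformat()
    for code, detail in check_status(SAMPLE_STATUS, now):
        print(f"{code}: {detail}")
```

Run against the guide's sample, the script reports the failed credential check, a signature package older than the threshold, and the absence of a schedule; on a router whose feed is healthy it returns nothing, which is the condition a monitoring job should expect.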
5. Hardware, Software, and Licensing Requirements
The Snort IPS is supported on 4000 Series ISR platforms. The platform memory should be upgraded to 8 GB. An
SSD hard drive is needed if IPS logs need to be saved locally. Snort IPS can also work in a diskless mode with the
support of an external log server.
5.1 Licensing
A security K9 license is required to activate Snort IPS functionality. Customers also need to purchase a yearly
subscription for the signature package, which is distributed from cisco.com.
6. Performance
The performance of the Snort container depends upon the platform CPU capacity and number of virtual CPUs
available for Snort IPS. If more service container CPU cores are available, more instances of Snort can be
activated, which will increase the performance. If service container resources are being used by other services,
then Snort will get only a fraction of compute resources, thereby reducing the achievable performance.
Table 1. Snort Details by Platform
Platform | Service cores available | Snort IPS-only throughput | Snort IPS plus Wide Area Application Services (WAAS) throughput
4321 ISR (100 Mbps) | 1 | IMIX 65 Mbps; HTTP 50 Mbps | N/A
4331 ISR (300 Mbps) | 3 | IMIX 60 Mbps to 140 Mbps; HTTP 40 Mbps to 110 Mbps | 38 Mbps (WAAS profile: 750 connections)
4351 ISR (400 Mbps) | 3 | IMIX 75 Mbps to 175 Mbps; HTTP 50 Mbps to 135 Mbps | 50 Mbps (WAAS profile: 750 connections)
4431 ISR (1 Gbps) | 4 | IMIX 65 Mbps to 225 Mbps; HTTP 36 Mbps to 130 Mbps | 36 Mbps (WAAS profile: 750 connections)
4451-X ISR (2 Gbps) | 4 | IMIX 110 Mbps to 360 Mbps; HTTP 75 Mbps to 270 Mbps | N/A
6.1 Co-Existing with Other Container-Based Services
The IPS process involves deep packet inspection. This is a CPU-intensive process. So on Cisco 4321, which has
limited service-plane resources available, Snort IPS needs to use all the service plane resources in order to
provide adequate performance level. Therefore, if other services are already present in service container, then
activation of Snort may fail. This is not a supported configuration. On higher platforms, other services like Kernel-
based Virtual Machine Wide-Area Application Services (KWAAS) can be enabled if a lower performance is
acceptable for all activated services.
7. Deployment Considerations
Snort IPS can be deployed in a network where known network-based attacks need to be detected or blocked.
Following are some typical use cases:
● Protecting the branch network when direct Internet access is enabled. Deploy IPS on the WAN-facing interface so that traffic exchanged between the Internet and the branch network is inspected.
● Compliance requirements such as PCI, where the network edges need to be protected by an IPS solution.
● Guest network protection: the IPS can be enabled on the guest VLAN interface.
● Threat containment: this use case prevents network attacks from propagating from a branch to headquarters or to other branches. If there are multiple VLANs in the branch, inter-VLAN traffic also needs to be protected. The easiest deployment in this case is to enable Snort IPS globally, so that all traffic passing through the router is subject to inspection. Enabling it globally may have a performance impact; deploying IPS only on the necessary VLAN interfaces alleviates this concern.
8. Management and Monitoring
Snort IPS is designed so that the entire configuration and service activation can be done from the router CLI. This means that any management tool used to manage the router can also manage the Snort IPS CLI. The Cisco Application Policy Infrastructure Controller (Cisco APIC)-based Intelligent WAN (IWAN) app, the Cisco Prime™ management tool, and the on-box web UI will be enhanced to support Snort IPS natively.
Snort IPS can be configured to send event logs as part of the router syslog stream, to a dedicated security monitoring tool, or both. This gives the user the option of using a network monitoring tool or a dedicated monitoring tool for IPS event monitoring. Cisco has no recommendation on which Snort monitoring tool to use; any third-party monitoring tool that supports standard Snort logs (for instance, Splunk) can be used to monitor Snort IPS.
8.1 Basic Monitoring and Troubleshooting
Following are some of the commands that can be used to check the health and status of a Snort IPS installation.
8.1.1 How to Verify Snort OVA Is Installed and Activated Correctly
Router#show virtual-service list
Virtual Service List:
Name Status Package Name
------------------------------------------------------------------------------
utd Activated utdsnort.1_0_0.20150601_020127.ova
8.1.2 How to Verify That the Service Node Is Alive
Router#show service-insertion type utd service-node-group
Service Node Group name : utd_sng_1
Service Context : utd/1
Member Service Node count : 1
Service Node (SN) : 192.0.2.2
Auto discovered : No
SN belongs to SNG : utd_sng_1
Current status of SN : Alive
Time current status was reached : Sun Jul 26 02:55:22 2015
8.1.3 How to Check the Active Configuration
Router#show utd engine standard config
UTD Engine Standard Configutation:
Operation Mode : Intrusion Detection
Policy : Security
Signature Update:
Server : cisco
User Name : ciscouser
Password : HAd[RQMdWHHYJOFVEXRCcS[_ARh^NHVGf
Occurs-at : None
Logging:
Server : IOS Syslog; 172.25.220.128
Level : warning
Whitelist disabled/No config found
8.1.4 How to Check Snort Container Service Status
The Signing section of this output shows which key the OVA package was signed with, and the Detailed guest status section shows whether the climgr, logger, and snort processes are up and how often they have restarted. Check both after installing a new OVA; the sample below was signed with a Cisco development key, so verify that the key type matches what you expect for the package you downloaded.
Router#show virtual-service detail
Virtual service utd detail
State : Activated
Package information
Name : utdsnort.1_0_0_SV2970.20150722_164412.ova
Path : bootflash:/utdsnort.1_0_0_SV2970.20150722_164412.ova
Application
Name : UTD-Snort-Feature
Installed version : 1.0.0_SV2970
Description : Unified Threat Defense
Signing
Key type : Cisco development key
Method : SHA-1
Licensing
Name : Not Available
Version : Not Available
Detailed guest status
----------------------------------------------------------------------
Process Status Uptime # of restarts
----------------------------------------------------------------------
climgr UP 0Y 2W 2D 18:26: 4 0
logger UP 0Y 2W 2D 18:26: 0 0
snort UP 0Y 2W 2D 18:26: 0 0
Network stats:
eth0: RX packets:724027, TX packets:6
eth1: RX packets:110, TX packets:148
Coredump file(s): lost+found
Activated profile name: None
Resource reservation
Disk : 736 MB
Memory : 1024 MB
CPU : 50% system CPU
Attached devices
Type Name Alias
---------------------------------------------
NIC ieobc_2 ieobc
NIC dp_2_0 net2
NIC dp_2_1 net3
NIC mgmt_2 mgmt
Disk _rootfs
Disk /opt/var
Disk /opt/va...
Serial/shell serial0
Serial/aux serial1
Serial/Syslog serial2
Serial/Trace serial3
Watchdog watchdo...
Network interfaces
MAC address Attached to interface
------------------------------------------------------
54:0E:00:0B:0C:03 ieobc_2
F4:4E:05:8A:26:7F VirtualPortGroup0
F4:4E:05:8A:26:7E VirtualPortGroup1
F4:4E:05:8A:26:7C mgmt_2
Guest interface
---
Interface: eth2
ip address: 192.0.2.2/30
Interface: eth1
ip address: 45.0.0.2/30
---
Guest routes
---
Address/Mask Next Hop Intf.
--------------------------------------------------------------------------
0.0.0.0/0 192.0.2.1 eth2
0.0.0.0/0 45.0.0.1 eth1
Resource admission (without profile) : passed
Disk space : 710MB
Memory : 1024MB
CPU : 50% system CPU
VCPUs : Not specified
8.1.5 Show Snort Event Logs
This command displays the latest signature trigger events. A circular buffer is used to overwrite old events once the
buffer is full. Up to 100 events are saved. It recommended to use an external log server to save a larger history.
The "clear utd engine standard logging events" command will clear the log buffer.
Router#show utd engine standard logging events
2015/07/28-22:45:27.566272 [**] WDrop [**] [1:17155:6] SERVER-OTHER Multiple vendors OPIE off-by-one stack buffer overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 150.0.0.2:46298 -> 151.0.0.2:21
2015/07/28-22:45:27.566272 [**] WDrop [**] [125:3:1] ftp_pp: FTP parameter length overflow [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 150.0.0.2:46298 -> 151.0.0.2:21
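Because the on-box buffer keeps only 100 events, most deployments forward these lines to a collector; the parser below, an added example that is not part of the guide or of Snort, normalizes them into fields a SIEM can index and shows the kind of aggregation (per flow, per action, by priority) an analyst would run over them. Its sample input is constructed: the first two lines are the guide's two events rejoined onto single lines, and the third is an assumed prevention-mode event added to show the action field (Snort reports Drop for a packet it dropped and WDrop for one it would have dropped in detection mode).

```python
"""Parse the output of 'show utd engine standard logging events'.

Added example, not from the Cisco guide. The event lines follow Snort's
"fast" alert layout with the router's action token (Drop / WDrop) between
the first two [**] markers. SAMPLE_EVENTS is constructed: lines 1-2 are the
guide's events rejoined onto single lines, line 3 is an assumed
prevention-mode event using a local-rule SID.
"""
import re
from collections import Counter

SAMPLE_EVENTS = """\
2015/07/28-22:45:27.566272 [**] WDrop [**] [1:17155:6] SERVER-OTHER Multiple vendors OPIE off-by-one stack buffer overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 150.0.0.2:46298 -> 151.0.0.2:21
2015/07/28-22:45:27.566272 [**] WDrop [**] [125:3:1] ftp_pp: FTP parameter length overflow [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 150.0.0.2:46298 -> 151.0.0.2:21
2015/07/28-22:46:01.000100 [**] Drop [**] [1:1000001:1] TEST constructed event [**] [Classification: Misc activity] [Priority: 3] {UDP} 150.0.0.9:5353 -> 151.0.0.2:53
"""

# timestamp [**] action [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {proto} src -> dst
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] (?P<action>\w+) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)


def _endpoint(text):
    """Split 'addr:port' on the last colon (keeps an IPv6 literal intact)."""
    host, _, port = text.rpartition(":")
    return host, int(port)


def parse_event(line):
    """Return a dict of typed fields for one event line, or None if it does not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    src_ip, src_port = _endpoint(m["src"])
    dst_ip, dst_port = _endpoint(m["dst"])
    return {
        "timestamp": m["ts"],
        "action": m["action"],          # Drop, or WDrop ("would drop") in IDS mode
        "gid": int(m["gid"]), "sid": int(m["sid"]), "rev": int(m["rev"]),
        "message": m["msg"],
        "classification": m["cls"],
        "priority": int(m["prio"]),     # 1 is the most severe
        "protocol": m["proto"],
        "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port,
    }


def parse_events(text):
    """Parse every matching line; non-event lines (prompts, banners) are skipped."""
    return [ev for ev in (parse_event(l) for l in text.splitlines()) if ev]


def count_by_flow(events):
    """Events per (source IP, destination IP) pair: several rules firing on one flow."""
    return Counter((e["src_ip"], e["dst_ip"]) for e in events)


def count_by_action(events):
    """How many events were actually dropped versus only would-have-been dropped."""
    return Counter(e["action"] for e in events)


def high_priority(events, max_priority=1):
    """Events at or above the given severity (lower number is more severe)."""
    return [e for e in events if e["priority"] <= max_priority]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for ev in high_priority(evs):
        print(f'{ev["timestamp"]} {ev["action"]:<5} {ev["gid"]}:{ev["sid"]}:{ev["rev"]} '
              f'{ev["src_ip"]}:{ev["src_port"]} -> {ev["dst_ip"]}:{ev["dst_port"]} {ev["message"]}')
    print(dict(count_by_action(evs)), dict(count_by_flow(evs)))
```

The gid distinguishes rule-engine events (gid 1) from preprocessor events such as the ftp_pp alert (gid 125); both fire on the same FTP flow in the guide's sample, which the per-flow count makes visible. If the router's output is captured from a terminal that wraps long lines, as the guide's own listing is, rejoin the lines before feeding them to the parser.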
8.2 Advanced Troubleshooting and Debugging
Following are some of the commands you can use to debug and troubleshoot Snort IPS issues.
8.2.1 How to Check Snort Engine Status
Router#show platform hardware qfp active feature utd stats
Security Context: Id:0 Name: Base Security Ctx
Summary Statistics:
Active Connections 5
TCP Connections Created 68525
UDP Connections Created 153977
ICMP Connections Created 232184
Pkts entered policy feature pkt 22612632 byt 7361605825
Pkts entered divert feature pkt 4515455 byt 1692764231
Pkts slow path pkt 454686 byt 87269604
Pkts Diverted pkt 4514223 byt 1692393810
Pkts Re-injected pkt 4513988 byt 1692329067
Drop Statistics:
Service Node not healthy 1232
General Statistics:
Non Diverted Pkts to/from divert interface 125
Inspection skipped - UTD policy not applicable 18097177
Policy already inspected 4514223
Pkts Skipped - Unsupported Protocol 4304170
Pkts Skipped - New pkt from RP 12060037
Response Packet Seen 454686
Feature memory allocations 454686
Feature memory free 454681
Feature Object Delete 454681
Service Node Statistics:
SN Health: Green
SN down 13
SN health green 14
Diversion Statistics
redirect 4514223
encaps 4514223
decaps 4513988
reinject 4513988
SN offloaded flow 76
Redirect failed, SN unhealthy 1232
Flow inspection bypassed 698
decaps: delete requests received total 2524
decaps: delete - protocol decision 2524
8.2.2 Check Service Node Health
This displays the health of the service container. If the service node health status is not green, it is an indication
that something is wrong.
Reasons why the service node health status may not be not green:
● Rx ring is full. This occurs when the pps is greater than 32k. The RX ring is 64 MB and each packet
occupies 2 KB in the buffer
● DAQ CFT is full. More than 50k flow entries cause this issue. Check the DAQ CFT by using this command:
show utd engine standard statistics daq all | i active half flows
● Memory status changed to yellow. Snort memory utilization is greater than 95%
● Memory status changed to red. Snort memory utilization is greater than 98%
Router#show platform hardware qfp active feature utd config
Global configuration
NAT64: disabled
SN threads: 1
CFT inst_id 0 feat id 1 fo id 1 chunk id 12
Context Id: 0, Name: Base Security Ctx
(0x60000): IDS, Standard, Enabled, Fail-open, Divert, SN Health: Green
8.2.3 Check Packet Diversion Statistics from the Data Plane to the Service Plane
Router#show platform hardware qfp active feature utd stats divert
Diversion Statistics
redirect 4537772
encaps 4537772
decaps 4537537
reinject 4537537
SN offloaded flow 76
Redirect failed, SN unhealthy 1232
Flow inspection bypassed 698
decaps: delete requests received total 2533
decaps: delete - protocol decision 2533
If packet diversion is not working properly, check whether the UTD feature is active in the data plane and the
control plane. Use the following commands:
● show platform software utd global
● show platform hardware qfp active feature utd config
Check whether the Snort process is running in the LXC container:
● show virtual-service detail
Check whether the AppNav tunnel is up:
● show service-insertion type utd service-context | i Cluster operational state
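A small health check over the outputs shown in 8.2.1 to 8.2.3, added here as an example and not part of the Cisco guide: it parses the counter lines, flags a service node that is not green, a gap between encaps and decaps (packets handed to Snort and not returned), and redirects that failed while the node was unhealthy, reporting whether the fail-open setting from the utd config line passed that traffic uninspected. It assumes the two command outputs were captured as text; the sample values are copied from the page's own output.

```python
import re
# Constructed sample: the counters the check reads, copied from the page's own
# "show platform hardware qfp active feature utd stats" and "... utd config" output.
SAMPLE_STATS = """\
Service Node Statistics:
SN Health: Green
SN down 13
Diversion Statistics
redirect 4514223
encaps 4514223
decaps 4513988
reinject 4513988
Redirect failed, SN unhealthy 1232
"""
SAMPLE_CONFIG = "(0x60000): IDS, Standard, Enabled, Fail-open, Divert, SN Health: Green"
# "<counter name> <integer>"; section headers carry no number and are skipped
COUNTER_RE = re.compile(r"^(?P<name>[A-Za-z][^\d]*?)\s+(?P<value>\d+)$")

def parse_counters(text):
    """Map each counter name in the stats output to its integer value."""
    matches = (COUNTER_RE.match(line.strip()) for line in text.splitlines())
    return {m.group("name"): int(m.group("value")) for m in matches if m}

def sn_health(text):
    m = re.search(r"SN Health:\s*(\w+)", text)  # colour printed by the stats command
    return m.group(1) if m else "Unknown"

def fail_mode(config_line):
    return "fail-open" if "Fail-open" in config_line else "fail-close"

def assess(stats_text, config_line):
    """Return the findings an operator should act on; an empty list means healthy."""
    c = parse_counters(stats_text)
    findings = []
    health = sn_health(stats_text)
    if health != "Green":
        findings.append(f"service node health is {health}, not Green")
    # redirect/encaps count packets sent to Snort, decaps/reinject count packets
    # returned; the gap is traffic handed to the service node and not returned.
    gap = c.get("encaps", 0) - c.get("decaps", 0)
    if gap > 0:
        findings.append(f"{gap} diverted packets not returned by the service node")
    failed = c.get("Redirect failed, SN unhealthy", 0)
    if failed:
        mode = fail_mode(config_line)
        effect = "passed uninspected" if mode == "fail-open" else "dropped"
        findings.append(f"{failed} packets {effect} while the service node was unhealthy")
    if c.get("SN down", 0):
        findings.append(f"service node reported down {c['SN down']} times")
    return findings
```

A steadily growing encaps/decaps gap or a non-zero "Redirect failed" counter between two captures means inspection is being bypassed right now, which is the case to raise first when the node is configured fail-open.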
8.2.4 Troubleshooting Signature Update Issues
There are two types of signature updates: an update from cisco.com and an update from a local server. A router
can be configured to perform only one of them at a time.
If the signature update from cisco.com is not happening, check for the following causes:
● DNS is not configured or not working properly. Check with the command "show utd engine standard signature
update status"
● The cisco.com username and password provided may not be correct
● The cisco.com user may not have permission to download the signature package
● There is no connectivity between UTD Snort and the Cisco signature server
If the signature update from a local server is not happening:
● An incorrect method is configured in the URL for a signature update from the local server (only
HTTP/HTTPS are supported)
● An incorrect host name or IP address was provided in the URL for a signature update from the local server
● Credentials are required to download the signature package from the local server
● The signature package file configured in the URL is not found on the local server
● The signature package file downloaded from the local server is corrupted
● There is no connectivity between UTD Snort and the local signature server
In both cases, try issuing the update command manually from router exec mode. If the failure was due to a
temporary network issue, it may succeed in the next attempt.
8.3 Debugging
Conditional debugging commands:
debug platform condition feature utd controlplane
debug platform condition feature utd dataplane submode
debug platform condition feature utd dataplane submode divert level
debug platform condition interface g0/0/0 both
debug platform condition feature utd dataplane submode all level verbose
debug platform condition start
Packet tracing debug commands:
debug platform packet copy packet out size 2048
debug platform packet-trace enable
debug platform packet-trace packet 64 cir fia
Note: Conditional debugging must be enabled together with packet tracing:
debug platform condition interface g0/0/0 both
debug platform condition feature utd dataplane submode divert level info
debug platform condition start
8.4 Complete List of Show Commands
Control plane show commands:
show platform software utd rp active global
show platform software utd fp active global
show platform software utd global
show platform software utd interfaces
Service plane show commands:
show utd engine standard signature statistics
show utd engine standard signature active
show utd engine standard logging events
show utd engine standard statistics daq all
show utd engine standard statistics internal
show utd engine standard statistics whitelist
show utd engine standard config
show utd engine standard signature update status
Data plane show commands:
show platform hardware qfp active feature utd stats
show platform hardware qfp active feature utd stats all
show platform hardware qfp active feature utd stats divert <all/verbose>
show platform hardware qfp active feature utd stats drop <all/verbose>
show platform hardware qfp active feature utd stats general <all/verbose>
show platform hardware qfp active feature utd stats sn <all/verbose>
show platform hardware qfp active feature utd stats summary <all/verbose>
show platform hardware qfp active feature utd stats verbose
show platform hardware qfp active feature utd config
show platform hardware qfp active flow
8.5 Complete List of Debug Commands
Control plane:
debug platform software utd
debug platform condition feature utd controlplane level <error/info/verbose/warning>
Service plane:
debug utd engine standard internal <onep, climgr, logger, internal, daq, all>
To move the log files from the container to flash:
virtual-service move name <foo> log to flash:
Data plane:
debug platform condition feature utd dataplane submode <divert, drop, event, fia, packet, proxy>
9. Snort IPS Deployment Using Cisco Prime CLI Templates
To ease the provisioning of a Snort IPS deployment, Cisco Prime CLI templates are available. To use these
templates, download them and import them into Cisco Prime through the following steps:
● Download the Cisco Prime templates that correspond to the Cisco IOS-XE version running on your system
● Unzip the file if it is a zipped version
● From Cisco Prime web UI, navigate to Configuration >> Templates >> Features & Technologies and
click on "CLI Templates (User Defined)" and then click on "Import"
● Select the folder where you want to import the templates, click on "Select Templates", and choose the
template that was downloaded in the previous step
The following CLI templates are available:
● Snort IPS - Copy OVA to Device
◦ Purpose: Use this template to copy the Snort IPS OVA file to flash.
● Snort IPS - Delete OVA
◦ Purpose: Use this template to delete a previously copied Snort IPS OVA file from flash.
● Snort IPS - Dynamic NAT
◦ Purpose: Use this template if dynamic Network Address Translation (NAT) is configured in your
environment and an access list is used to select the NAT translation that needs to be modified for the
Snort IPS management interface IP.
● Snort IPS - Dynamic NAT Cleanup
◦ Purpose: Use this template to delete a previously configured NAT configuration for Snort IPS.
● Snort IPS - Dynamic PAT
◦ Purpose: Use this template if dynamic Port Address Translation (PAT) is configured in your environment
and an access list is used to select the PAT translation that needs to be modified for the Snort IPS
management interface IP.
● Snort IPS - Dynamic PAT Cleanup
◦ Purpose: Use this template to delete a previously configured PAT configuration for Snort IPS.
● Snort IPS - IP Unnumbered
◦ Purpose: Use this template to configure Snort IPS and the required virtual service for an IP unnumbered
deployment.
● Snort IPS - IP Unnumbered Cleanup
◦ Purpose: Use this template to delete a previously configured Snort IPS management interface with
"IP Unnumbered".
● Snort IPS - Management Interface
◦ Purpose: Use this template if you would like to use the system management interface (for instance,
GigabitEthernet0) to route Snort IPS management traffic.
● Snort IPS - Management Interface Cleanup
◦ Purpose: Use this template to delete a previously configured system management interface (for instance,
GigabitEthernet0) used to route the Snort IPS management traffic.
● Snort IPS - Static NAT
◦ Purpose: Use this template to configure Snort IPS and the required virtual service for existing static NAT
deployment.
● Snort IPS - Static NAT Cleanup
◦ Purpose: Use this template to delete a previously configured Snort IPS in a static NAT deployment.
● Snort IPS - Upgrade OVA
◦ Purpose: Use this template to upgrade the Snort IPS OVA file.
10. Download Locations
10.1 Snort IPS Engine OVA Files
4321 ISR
http://software.cisco.com/download/release.html?i=!y&mdfid=286006221&softwareid=286285284&release=3.16.1aS&os=
4331 ISR
http://software.cisco.com/download/release.html?i=!y&mdfid=285018115&softwareid=286285284&release=3.16.1aS&os=
4351 ISR
http://software.cisco.com/download/release.html?i=!y&mdfid=285018114&softwareid=286285284&release=3.16.1aS&os=
4431 ISR
http://software.cisco.com/download/release.html?i=!y&mdfid=284358776&softwareid=286285284&release=3.16.1aS&os=
4451-X ISR
http://software.cisco.com/download/release.html?i=!y&mdfid=284389362&softwareid=286285284&release=3.16.1aS&os=
10.2 Snort IPS Signature Package Files
4321 ISR
http://software.cisco.com/download/release.html?i=!y&mdfid=286006221&softwareid=286285292&release=2975.4&os=
4331 ISR
http://software.cisco.com/download/release.html?i=!y&mdfid=285018115&softwareid=286285292&release=2975.4&os=
4351 ISR
http://software.cisco.com/download/release.html?i=!y&mdfid=285018114&softwareid=286285292&release=2975.4&os=
4431 ISR
http://software.cisco.com/download/release.html?i=!y&mdfid=284358776&softwareid=286285292&release=2975.4&os=
4451-X ISR
http://software.cisco.com/download/release.html?i=!y&mdfid=284389362&softwareid=286285292&release=2975.4&os=
10.3 Cisco Prime CLI Templates for Snort IPS Deployment
4321 ISR
http://software.cisco.com/download/release.html?i=!y&mdfid=286006221&softwareid=286285284&release=3.16.1aS&os=
4331 ISR
http://software.cisco.com/download/release.html?i=!y&mdfid=285018115&softwareid=286285284&release=3.16.1aS&os=
4351 ISR
http://software.cisco.com/download/release.html?i=!y&mdfid=285018114&softwareid=286285284&release=3.16.1aS&os=
4431 ISR
http://software.cisco.com/download/release.html?i=!y&mdfid=284358776&softwareid=286285284&release=3.16.1aS&os=
4451-X ISR
http://software.cisco.com/download/release.html?i=!y&mdfid=284389362&softwareid=286285284&release=3.16.1aS&os=
Printed in USA C07-736629-00 02/16