
© 2016 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 20

Snort IPS Deployment Guide


Contents

1. What Is an Intrusion Prevention System ..... 3
2. Snort IPS for Cisco 4000 Series Integrated Services Routers ..... 3
   2.1 Architecture of Snort IPS on the 4000 Series ISR ..... 3
   2.2 Features at a Glance ..... 4
3. Configuration and Activation Step by Step ..... 5
   3.1 Step 1: Install Snort IPS Virtual Service ..... 5
   3.2 Step 2: Configure Snort IPS Policies ..... 6
   3.3 Enabling Snort for Specific Interfaces ..... 6
   3.4 Changing Snort Engine ..... 6
4. Signature Update ..... 7
   4.1 Updating from cisco.com ..... 7
   4.2 Updating from a Local Server ..... 8
   4.3 Manual Update Command ..... 8
   4.4 Check the Signature Update Status ..... 8
5. Hardware, Software, and Licensing Requirements ..... 9
   5.1 Licensing ..... 9
6. Performance ..... 9
   6.1 Co-Existing with Other Container-Based Services ..... 9
7. Deployment Considerations ..... 10
8. Management and Monitoring ..... 10
   8.1 Basic Monitoring and Troubleshooting ..... 10
      8.1.1 How to Verify Snort OVA Is Installed and Activated Correctly ..... 10
      8.1.2 How to Verify That the Service Node Is Alive ..... 10
      8.1.3 How to Check the Active Configuration ..... 11
      8.1.4 How to Check Snort Container Service Status ..... 11
      8.1.5 Show Snort Event Logs ..... 13
   8.2 Advanced Troubleshooting and Debugging ..... 13
      8.2.1 How to Check Snort Engine Status ..... 13
      8.2.2 Check Service Node Health ..... 14
      8.2.3 Check Packet Diversion Statistics from the Data Plane to the Service Plane ..... 15
      8.2.4 Troubleshooting Signature Update Issues ..... 15
   8.3 Debugging ..... 16
   8.4 Complete List of Show Commands ..... 16
   8.5 Complete List of Debug Commands ..... 17
9. Snort IPS Deployment Using Cisco Prime CLI Templates ..... 17
10. Download Locations ..... 18
   10.1 Snort IPS Engine OVA Files ..... 18
   10.2 Snort IPS Signature Package Files ..... 19
   10.3 Cisco Prime CLI Templates for Snort IPS Deployment ..... 19


1. What Is an Intrusion Prevention System

An intrusion prevention system (IPS) detects and blocks known network attacks. It uses previously known signatures to detect these attacks. These signatures can be used to detect attacks originating from both external and internal sources. An IPS typically runs in a network gateway, like a router, or as a standalone instance. An IPS can be deployed in inline mode or in promiscuous mode. Inline mode supports both detection and prevention. Promiscuous mode only supports detection.

An IPS has two components: the detection and enforcement engine and the attack signature package. The detection engine is relatively static, whereas the signature package is updated frequently as new attacks are discovered. Optionally, the IPS solution can have a management and monitoring solution. The two can be bundled together or operated as separate systems. Management and monitoring are typically centralized so that multiple IPS installations can be managed. If the IPS installation is independently managed, these functions may be integrated with the IPS engine as an on-premises solution.

2. Snort IPS for Cisco 4000 Series Integrated Services Routers

Snort® IPS is an open-source IPS engine. More information can be found on snort.org. Snort-based IPS takes advantage of the Snort engine for IPS functionality. The Snort engine runs as a Linux Service Container application within the 4000 Series Integrated Services Router (ISR), which takes advantage of the computing resources of Cisco® 4000 Series ISR platforms. This architecture allows the Snort engine to run independent of the data plane CPU load.

The router copies and forwards the packets to the Snort container using an internal virtual port group (VPG) interface. This VPG interface is connected over the router backplane. After inspection, Snort drops the packets associated with bad flows (IPS mode); packets belonging to good flows are returned to the router for further processing.

2.1 Architecture of Snort IPS on the 4000 Series ISR

The Snort engine on the 4000 Series ISR runs as a container application. The 4000 Series ISR uses a multi-core CPU, and the Cisco IOS-XE operating system has the ability to allocate these cores for control-plane or data-plane functions. Computing resources unused by control-plane functions can be used for running other services. A Linux container infrastructure hosts these applications. Applications running in this container infrastructure can have a tighter integration with Cisco IOS® Software.

The Snort process runs as a Linux container application with dedicated computing resources available to it. This makes it easier for the Snort engine to be updated independent of a Cisco IOS Software update, which helps to keep the IPS engine up to date.

Cisco IOS Software forwards the packets to be inspected to the Snort IPS engine. Snort IPS inspects the traffic and takes the necessary action. If traffic needs to be blocked, the associated packets of that flow are dropped and the remaining packets are forwarded back to Cisco IOS Software (data plane) for further processing. Packet exchange between the container applications and the IOS data plane is done using VPG interfaces. These routed interfaces are connected through the router backplane. The corresponding interfaces on the container side appear as virtual Ethernet ports. Snort IPS uses two VPG interfaces: one as the management interface, and the other for exchanging data packets.


Figure 1. Snort Overview

2.2 Features at a Glance

Snort was created in 1998 and is the most widely downloaded open-source IPS software in the world. Its primary function is to provide intrusion detection and blocking for a variety of network-based attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, server message block (SMB) probes, OS fingerprinting attempts, and much more.

Snort IPS on the 4000 Series ISR provides the following functionalities:

● Intrusion detection system (IDS) and IPS mode – Configure threat detection or prevention mode. In prevention mode, attack traffic will be dropped.

● Three signature levels: security, balanced, and connectivity. The security level enables the highest number of signatures to be verified.

● An allowed list provides the ability to turn off certain signatures. This helps to avoid false positives and the case of some legitimate traffic triggering IPS action. Up to 1000 entries are supported in the allowed list.

● Snort health monitoring – Cisco IOS Software keeps track of the health of the Snort engine running in the service container.

● Fail open and close – In the event of IPS engine failure, the router can be configured to block the traffic flow or bypass IPS checking until the Snort engine recovers.

● Signature update – Automatic and manual updates are supported. Snort IPS can download the signature package directly from cisco.com or from a local resource location over HTTP and HTTPS. A manual download is triggered by an exec command at the router prompt.

● Event logging – IPS logs can be sent to an independent log collector or included in the router syslog stream. Sending IPS logs separately helps if the security event management tool is different from the regular syslog server used for the router's syslogs.


3. Configuration and Activation Step by Step

Following is a sample Cisco IOS configuration for Snort IPS. Refer to the user manual for the complete configuration guide. All the configuration and activation commands are issued on the router, so there is no need to access the Snort engine for any purpose. Snort IPS configuration has two main steps:

1. Installing and configuring the Snort IPS virtual service

2. Configuring and applying the Snort IPS policies

3.1 Step 1: Install Snort IPS Virtual Service

In this step, the Snort image is copied to flash and installed in the service container. Then the internal communication between Snort and the router is established.

Step 1.1: Install Snort Virtual Container Service

The Snort engine, which runs in the service container, is distributed as an Open Virtualization Archive (OVA) file. If this file is not present in the router flash, it needs to be downloaded from cisco.com and copied into the flash. Once the OVA file is in the flash, issue the following command at the exec prompt to install the service.

virtual-service install name myips package flash:utd.ova

Execute "show virtual-service list" at the command prompt to see the installation status.

Step 1.2: Configure VPG Interfaces

VPG interfaces are used to communicate between the Cisco IOS data plane and Snort IPS. Snort IPS needs two VPG interfaces. The first VPG interface is used for management purposes, and the second VPG interface is used for forwarding packets between the Cisco IOS data plane and Snort IPS.

The management VPG interface is primarily used for signature updates, logging, and monitoring. That means that traffic from this interface needs to be routable. There is no need for a direct inbound connection; therefore the IP address on this interface can work behind Network Address Translation (NAT), which is typically configured on the router itself or elsewhere in the network.

The data VPG interface is used to forward data traffic between Cisco IOS Software and Snort IPS for detection and enforcement. The IP subnet configured on this interface does not need external access. It can use a local, non-routable, private subnet. It is good practice not to include this subnet in route advertisements.

interface VirtualPortGroup0
 ip address 10.0.0.1 255.255.255.252
interface VirtualPortGroup1
 ip address 192.168.0.1 255.255.255.252

Step 1.3: Configure and Activate Snort IPS Virtual Service

Configure the Snort container service on the router using the configuration that follows. The IP addresses configured here are used by the virtual Ethernet interfaces on the container side. Make sure to assign IP addresses from the same subnet configured on the corresponding VPG interface on the router.

virtual-service myips
 vnic gateway VirtualPortGroup0
  guest ip address 10.0.0.2
 vnic gateway VirtualPortGroup1
  guest ip address 192.168.0.2
 activate

Execute "show virtual-service list" at the command prompt to see the activation status.

3.2 Step 2: Configure Snort IPS policies

In this step, we define whether the IPS should work in detection mode or protection mode, the signature policy level, the event logging method, etc.

Step 2.1: Configure the Main Snort policy

Threat: detection | protection – detection is IDS mode; protection is IPS mode
Policy: security | balanced | connectivity – signature level; security loads the highest number of signatures
Logging: external log server – if not configured, the events are published as part of the router's syslog stream
Signature update server – use this optional configuration to specify the method of the signature update

utd engine standard
 threat protection
 policy security
 logging server 172.25.220.128 syslog level warning

Step 2.2: Enable IPS on the Router

In this step, Snort IPS is activated on the router. The configured policies will not take effect until this step is completed. IPS can be enabled globally on all interfaces, or specifically on a certain interface as an interface configuration.

utd
 all-interfaces
 engine standard

Step 2.3: (Optional) Configure the Signature Allowed List

The allowed list is used to turn off certain signatures. This is mainly used if a certain signature is causing many false alarms or causes good or custom application traffic to be blocked.

utd whitelist
 signature id 12 comment testing1
 signature id 15 comment testing2

3.3 Enabling Snort for Specific Interfaces

If only certain interface-specific traffic needs to be subjected to IPS operation, then IPS can be enabled only on that interface by configuring the "utd enable" command under the interface configuration. In this case, enabling globally is not required.

interface GigabitEthernet0
 utd enable

3.4 Changing Snort Engine

The Snort engine needs to be upgraded independently from the router firmware. Usually, each Cisco IOS-XE release has an associated Snort OVA version, but in some cases the Snort OVA may need to be downloaded and upgraded independently. To do this, the service needs to be deactivated before upgrading the OVA file.

Step 1: Deactivate Snort IPS

In config mode:

virtual-service myips
 no activate

Step 2: Update the Snort Engine OVA File

In exec mode:

virtual-service upgrade name myips package flash:newutd.ova

Step 3: Activate Snort IPS

In config mode, activate the service:

virtual-service myips
 activate

4. Signature Update

The signature update can be configured to happen automatically based on a schedule, or it can be done manually. The signature update can be manually triggered at any time by issuing a router command. If the update time schedule is not configured, the router falls back to manual update mode, where the update can be done only through the router's command-line interface (CLI). Manual mode is useful if an administrator wants to control when the signatures are updated, or when the signature update needs to be controlled from a management tool.

Figure 2. Signature Update Overview

4.1 Updating from cisco.com

The following configuration tries to update the signature every day, starting at 12:00 a.m., from Cisco.com.

utd engine standard
 signature update server cisco username <CCO username> password <foo>
 signature update occur-at daily 0 0
!


4.2 Updating from a Local Server

A local update is used when the router does not have access to the Internet. It is also good practice for reducing network usage when large numbers of routers need to be updated: instead of each router using Internet bandwidth, they can download from an intranet server. In this case, the administrator or management tool downloads the signature package from Cisco.com and hosts it on a local HTTP server. Once the new signature package is hosted, the router update can be triggered manually or left to the automatic update feature.

The following configuration triggers a signature update every alternate day, starting Monday at 5:00 a.m.

utd engine standard
 signature update server url http://10.133.144.155/sig-packages/sig-update.sig
 signature update occur-at weekly 1,3,5 05 00
!

4.3 Manual Update Command

The signature update can be triggered at any time by issuing the following command. This is useful if a signature update schedule is not configured, or in the situation where a critical signature update needs to be installed directly. This also can be used as an override mechanism to an existing signature update method. For example, if a local server is configured as the signature source, a different server or cisco.com can be specified as the signature source in the manual update. If no override options are specified, the router uses the same signature update parameters configured in the router configuration.

To simply trigger a signature update, execute the following command at the exec prompt of the router.

Router# utd signature update

Issue additional parameters to override the configured ones.

Router# utd signature update server cisco username myuserid password mypasswd

4.4 Check the Signature Update Status

Issue the following command at exec prompt to check the signature update status.

Router# show utd engine standard signature update status
Current Signature package version: 1.3
Current Signature package name: UTD-STD-SIGNATURE-stage-1-3.pkg
Previous Signature package version: 1.0
Last update status: Failed
Last failure Reason: System error-fail to process username & password combination.
Last successful update method: Manual
Last successful update server: cisco
Last successful update time: Mon Aug 24 21:27:06 2015 UTC
Last successful update speed: 4850875 bytes in 44 secs
Last failed update method: Manual
Last failed update server: cisco
Last failed update time: Tue Aug 25 18:23:44 2015 UTC
Last attempted update method: Manual
Last attempted update server: cisco
Last attempted update time: Tue Aug 25 18:23:44 2015 UTC
Total num of updates successful: 1
Num of attempts successful: 1
Num of attempts failed: 3
Total num of attempts: 4
Next update scheduled at: None
Current Status: Idle
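The failed last attempt and the "Next update scheduled at: None" line in this listing are the conditions worth alerting on, because in manual mode nothing will retry the update by itself. As an added example that is not part of the Cisco guide, the Python below parses the show command output into fields and returns a list of findings; the status text is the listing above, the clock value passed as "now" is constructed, and the 7-day staleness threshold is an assumed local policy.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Listing from the guide, as the CLI wrapped it ("combination." on its own line).
SAMPLE_STATUS = """\
Router# show utd engine standard signature update status
Current Signature package version: 1.3
Current Signature package name: UTD-STD-SIGNATURE-stage-1-3.pkg
Previous Signature package version: 1.0
Last update status: Failed
Last failure Reason: System error-fail to process username & password
combination.
Last successful update method: Manual
Last successful update server: cisco
Last successful update time: Mon Aug 24 21:27:06 2015 UTC
Last successful update speed: 4850875 bytes in 44 secs
Last failed update method: Manual
Last failed update server: cisco
Last failed update time: Tue Aug 25 18:23:44 2015 UTC
Last attempted update method: Manual
Last attempted update server: cisco
Last attempted update time: Tue Aug 25 18:23:44 2015 UTC
Total num of updates successful: 1
Num of attempts successful: 1
Num of attempts failed: 3
Total num of attempts: 4
Next update scheduled at: None
Current Status: Idle
"""

TIME_FMT = "%a %b %d %H:%M:%S %Y UTC"   # e.g. "Mon Aug 24 21:27:06 2015 UTC"


def parse_status(text: str) -> Dict[str, str]:
    """Turn the 'Key: value' lines into a dict.  The prompt line is skipped and a
    line without a colon is treated as the wrapped continuation of the previous
    value, which is how the CLI printed 'combination.' above."""
    fields: Dict[str, str] = {}
    last_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Router#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            last_key = key.strip()
            fields[last_key] = value.strip()
        elif last_key:
            fields[last_key] = f"{fields[last_key]} {line}"
    return fields


def parse_time(value: str) -> datetime:
    """Parse the router's UTC timestamp into an aware datetime."""
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def check_signature_health(text: str, now: datetime, max_age_days: int = 7) -> List[str]:
    """Return the findings an operator should act on; an empty list means healthy.
    max_age_days is an assumed local policy, not a value from the guide."""
    st = parse_status(text)
    findings: List[str] = []

    # 1. The most recent attempt failed (the listing shows a credential error).
    if st.get("Last update status", "").lower() == "failed":
        findings.append("last update failed: " + st.get("Last failure Reason", "reason not reported"))

    # 2. No occur-at schedule: the router is in manual-update mode, so the
    #    failure will not be retried automatically.
    if st.get("Next update scheduled at", "None") == "None":
        findings.append("no automatic update schedule configured; updates are manual only")

    # 3. Age of the signature package that is actually in use.
    last_ok = st.get("Last successful update time")
    if last_ok:
        age = now - parse_time(last_ok)
        if age > timedelta(days=max_age_days):
            findings.append(
                f"last successful update is {age.days} days old "
                f"(package version {st.get('Current Signature package version', '?')})"
            )
    else:
        findings.append("no successful signature update recorded")

    # 4. Repeated failures usually mean a credential or reachability problem.
    failed = int(st.get("Num of attempts failed", "0"))
    total = int(st.get("Total num of attempts", "0"))
    if failed:
        findings.append(f"{failed} of {total} update attempts failed")
    return findings


if __name__ == "__main__":
    # Constructed clock value, about a week after the last successful update.
    for finding in check_signature_health(SAMPLE_STATUS, parse_time("Tue Sep 01 00:00:00 2015 UTC")):
        print("WARNING:", finding)
```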

5. Hardware, Software, and Licensing Requirements

Snort IPS is supported on 4000 Series ISR platforms. The platform memory should be upgraded to 8 GB. An SSD hard drive is needed if IPS logs need to be saved locally. Snort IPS can also work in a diskless mode with the support of an external log server.

5.1 Licensing

A security K9 license is required to activate Snort IPS functionality. Customers also need to purchase a yearly subscription for the signature package, which is distributed from cisco.com.

6. Performance

The performance of the Snort container depends upon the platform CPU capacity and the number of virtual CPUs available for Snort IPS. If more service container CPU cores are available, more instances of Snort can be activated, which will increase the performance. If service container resources are being used by other services, then Snort will get only a fraction of the compute resources, thereby reducing the achievable performance.

Table 1. Snort Details by Platform

Platform              Service Cores   Snort IPS-Only Throughput      Snort IPS Plus Wide Area Application
                      Available                                      Services (WAAS) Throughput
4321 ISR (100 Mbps)   1               IMIX – 65 Mbps                 N/A
                                      HTTP – 50 Mbps
4331 ISR (300 Mbps)   3               IMIX – 60 Mbps to 140 Mbps     Throughput: 38 Mbps
                                      HTTP – 40 Mbps to 110 Mbps     WAAS profile: 750 connections
4351 ISR (400 Mbps)   3               IMIX – 75 Mbps to 175 Mbps     Throughput: 50 Mbps
                                      HTTP – 50 Mbps to 135 Mbps     WAAS profile: 750 connections
4431 ISR (1 Gbps)     4               IMIX – 65 Mbps to 225 Mbps     Throughput: 36 Mbps
                                      HTTP – 36 Mbps to 130 Mbps     WAAS profile: 750 connections
4451-X ISR (2 Gbps)   4               IMIX – 110 Mbps to 360 Mbps    N/A
                                      HTTP – 75 Mbps to 270 Mbps

6.1 Co-Existing with Other Container-Based Services

The IPS process involves deep packet inspection, which is CPU intensive. On the Cisco 4321, which has limited service-plane resources available, Snort IPS needs to use all the service-plane resources in order to provide an adequate performance level. Therefore, if other services are already present in the service container, activation of Snort may fail; this is not a supported configuration. On higher platforms, other services like Kernel-based Virtual Machine Wide-Area Application Services (KWAAS) can be enabled if lower performance is acceptable for all activated services.

7. Deployment Considerations

Snort IPS can be deployed in a network where known network-based attacks need to be detected or blocked. Following are some typical use cases:

● Protecting the branch network when direct Internet access is enabled. Deploy IPS on the WAN-facing interface. Traffic flows exchanged between the Internet and the branch network will be inspected.

● Compliance requirements like PCI, where the network edge needs to be protected by an IPS solution.

● Guest network protection – the IPS can be enabled on the guest VLAN interface.

● Threat containment – This use case prevents network attacks from propagating from a branch to headquarters or other branches. If there are multiple VLANs in the branch, inter-VLAN traffic also needs to be protected. The easiest deployment in this case is to configure Snort IPS globally. All traffic passing through the router will be subject to inspection. Enabling globally may create a performance impact. Deploying IPS on the necessary VLANs only can alleviate this concern.

8. Management and Monitoring

Snort IPS configurations are designed such that the entire configuration and service activation can be done from the router CLI. This means that any management tool that is used to manage the router can be configured to manage the Snort IPS CLIs also. The Cisco Application Policy Infrastructure Controller (Cisco APIC)-based Intelligent WAN (IWAN) app, the Cisco Prime™ management tool, and an on-box web UI will be enhanced to support Snort IPS natively.

Snort IPS can be configured to send the event logs as part of the router syslog stream, to a dedicated security monitoring tool, or both. This gives the user the option to use a network monitoring tool or a dedicated monitoring tool for IPS event monitoring. Cisco has no recommendations on which Snort monitoring tool to use. Any third-party monitoring tool that supports standard Snort logs can be used to monitor Snort IPS (for instance, Splunk).

8.1 Basic Monitoring and Troubleshooting

Following are some of the commands that can be used to check the health and status of a Snort IPS installation.

8.1.1 How to Verify Snort OVA Is Installed and Activated Correctly

Router#show virtual-service list

Virtual Service List:

Name                    Status            Package Name
------------------------------------------------------------------------------
utd                     Activated         utdsnort.1_0_0.20150601_020127.ova

8.1.2 How to Verify That the Service Node Is Alive

Router#show service-insertion type utd service-node-group
Service Node Group name : utd_sng_1
Service Context : utd/1
Member Service Node count : 1

Service Node (SN) : 192.0.2.2
Auto discovered : No
SN belongs to SNG : utd_sng_1
Current status of SN : Alive
Time current status was reached : Sun Jul 26 02:55:22 2015

8.1.3 How to Check the Active Configuration

Router#show utd engine standard config
UTD Engine Standard Configutation:
  Operation Mode : Intrusion Detection
  Policy         : Security
Signature Update:
  Server    : cisco
  User Name : ciscouser
  Password  : HAd[RQMdWHHYJOFVEXRCcS[_ARh^NHVGf
  Occurs-at : None
Logging:
  Server : IOS Syslog; 172.25.220.128
  Level  : warning
Whitelist disabled/No config found

8.1.4 How to Check Snort Container Service Status

Router#show virtual-service detail
Virtual service utd detail
  State                 : Activated
  Package information
    Name                : utdsnort.1_0_0_SV2970.20150722_164412.ova
    Path                : bootflash:/utdsnort.1_0_0_SV2970.20150722_164412.ova
    Application
      Name              : UTD-Snort-Feature
      Installed version : 1.0.0_SV2970
      Description       : Unified Threat Defense
    Signing
      Key type          : Cisco development key
      Method            : SHA-1
    Licensing
      Name              : Not Available
      Version           : Not Available

  Detailed guest status
  ----------------------------------------------------------------------
  Process               Status            Uptime           # of restarts
  ----------------------------------------------------------------------
  climgr                UP                0Y 2W 2D 18:26: 4      0
  logger                UP                0Y 2W 2D 18:26: 0      0
  snort                 UP                0Y 2W 2D 18:26: 0      0

  Network stats:
  eth0: RX packets:724027, TX packets:6
  eth1: RX packets:110, TX packets:148

  Coredump file(s): lost+found

  Activated profile name: None
  Resource reservation
    Disk                : 736 MB
    Memory              : 1024 MB
    CPU                 : 50% system CPU

  Attached devices
    Type              Name        Alias
    ---------------------------------------------
    NIC               ieobc_2     ieobc
    NIC               dp_2_0      net2
    NIC               dp_2_1      net3
    NIC               mgmt_2      mgmt
    Disk              _rootfs
    Disk              /opt/var
    Disk              /opt/va...
    Serial/shell      serial0
    Serial/aux        serial1
    Serial/Syslog     serial2
    Serial/Trace      serial3
    Watchdog          watchdo...

  Network interfaces
    MAC address         Attached to interface
    ------------------------------------------------------
    54:0E:00:0B:0C:03   ieobc_2
    F4:4E:05:8A:26:7F   VirtualPortGroup0
    F4:4E:05:8A:26:7E   VirtualPortGroup1
    F4:4E:05:8A:26:7C   mgmt_2

  Guest interface
  ---
  Interface: eth2
  ip address: 192.0.2.2/30
  Interface: eth1
  ip address: 45.0.0.2/30
  ---

  Guest routes
  ---
  Address/Mask       Next Hop        Intf.
  --------------------------------------------------------------------------
  0.0.0.0/0          192.0.2.1       eth2
  0.0.0.0/0          45.0.0.1        eth1

  Resource admission (without profile) : passed
    Disk space    : 710MB
    Memory        : 1024MB
    CPU           : 50% system CPU
    VCPUs         : Not specified

8.1.5 Show Snort Event Logs

This command displays the latest signature trigger events. A circular buffer is used, so the oldest events are overwritten once the buffer is full. Up to 100 events are saved; it is recommended to use an external log server to keep a larger history. The "clear utd engine standard logging events" command clears the log buffer.

Router#show utd engine standard logging events

2015/07/28-22:45:27.566272 [**] WDrop [**] [1:17155:6] SERVER-OTHER Multiple vendors OPIE off-by-one stack buffer overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 150.0.0.2:46298 -> 151.0.0.2:21

2015/07/28-22:45:27.566272 [**] WDrop [**] [125:3:1] ftp_pp: FTP parameter length overflow [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 150.0.0.2:46298 -> 151.0.0.2:21
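The event lines above have a fixed layout (timestamp, action, [gid:sid:rev], message, optional classification, priority, protocol and endpoints), which makes them easy to parse once they reach the external log server the guide recommends. The following Python is an added example, not code from the guide or from Cisco: the regular expression, the field names and the summarize() helper are my own, and the sample text is constructed from the two events shown above.

```python
"""Parse 'show utd engine standard logging events' output into structured records."""
import re
from collections import Counter
from datetime import datetime

# Field layout of one event line as printed by the router (classification is optional).
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+) \[\*\*\] "
    r"(?P<action>\S+) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] "
    r"(?:\[Classification: (?P<classification>[^\]]+)\] )?"
    r"\[Priority: (?P<priority>\d+)\] \{(?P<proto>[^}]+)\} "
    r"(?P<src>\S+) -> (?P<dst>\S+)$"
)

def _endpoint(text):
    """Split an IPv4 'ip:port' endpoint into (ip, port); port is None if absent."""
    host, sep, port = text.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return text, None

def parse_event(line):
    """Return one event as a dict, or None for lines that are not events (e.g. the prompt)."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    src_ip, src_port = _endpoint(d["src"])
    dst_ip, dst_port = _endpoint(d["dst"])
    return {
        "time": datetime.strptime(d["ts"], "%Y/%m/%d-%H:%M:%S.%f"),
        "action": d["action"],
        "gid": int(d["gid"]), "sid": int(d["sid"]), "rev": int(d["rev"]),
        "msg": d["msg"],
        "classification": d["classification"],
        "priority": int(d["priority"]),
        "proto": d["proto"],
        "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port,
    }

def summarize(text):
    """Parse every event line and count events per signature (gid, sid) and per action."""
    events = [e for e in (parse_event(ln) for ln in text.splitlines()) if e]
    by_signature = Counter((e["gid"], e["sid"]) for e in events)
    by_action = Counter(e["action"] for e in events)
    return {"events": events, "by_signature": by_signature, "by_action": by_action}

# Constructed sample: the two events shown in this guide, each on a single line.
SAMPLE = """\
2015/07/28-22:45:27.566272 [**] WDrop [**] [1:17155:6] SERVER-OTHER Multiple vendors OPIE off-by-one stack buffer overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 150.0.0.2:46298 -> 151.0.0.2:21
2015/07/28-22:45:27.566272 [**] WDrop [**] [125:3:1] ftp_pp: FTP parameter length overflow [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 150.0.0.2:46298 -> 151.0.0.2:21
"""
```

Because the router keeps only the last 100 events, the per-signature and per-action counters are the kind of aggregate worth exporting on a schedule rather than relying on the on-box buffer.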

8.2 Advanced Troubleshooting and Debugging

Following are some of the commands you can use to debug and troubleshoot Snort IPS issues.

8.2.1 How to Check Snort Engine Status

Router#show platform hardware qfp active feature utd stats

Security Context: Id:0 Name: Base Security Ctx

Summary Statistics:

Active Connections 5

TCP Connections Created 68525

UDP Connections Created 153977

ICMP Connections Created 232184

Pkts entered policy feature pkt 22612632 byt 7361605825

Pkts entered divert feature pkt 4515455 byt 1692764231

Pkts slow path pkt 454686 byt 87269604

Pkts Diverted pkt 4514223 byt 1692393810

Pkts Re-injected pkt 4513988 byt 1692329067

Drop Statistics:

Service Node not healthy 1232

General Statistics:

Non Diverted Pkts to/from divert interface 125

Inspection skipped - UTD policy not applicable 18097177

Policy already inspected 4514223

Pkts Skipped - Unsupported Protocol 4304170

Pkts Skipped - New pkt from RP 12060037

Response Packet Seen 454686

Feature memory allocations 454686

Feature memory free 454681

Feature Object Delete 454681

Service Node Statistics:

SN Health: Green

SN down 13

SN health green 14

Diversion Statistics

redirect 4514223

encaps 4514223

decaps 4513988

reinject 4513988

SN offloaded flow 76

Redirect failed, SN unhealthy 1232

Flow inspection bypassed 698

decaps: delete requests received total 2524

decaps: delete - protocol decision 2524

8.2.2 Check Service Node Health

This displays the health of the service container. If the service node health status is not green, something is wrong.

Reasons why the service node health status may not be green:

● Rx ring is full. This occurs when the packet rate is greater than 32k pps. The Rx ring is 64 MB and each packet occupies 2 KB in the buffer.

● DAQ CFT is full. More than 50k flow entries cause this issue. Check the DAQ CFT by using this command: show utd engine standard statistics daq all | i active half flows

● Memory status changed to yellow. Snort memory usage is greater than 95%.

● Memory status changed to red. Snort memory usage is greater than 98%.

Router#show platform hardware qfp active feature utd config

Global configuration

NAT64: disabled

SN threads: 1

CFT inst_id 0 feat id 1 fo id 1 chunk id 12

Context Id: 0, Name: Base Security Ctx

(0x60000): IDS, Standard, Enabled, Fail-open, Divert, SN Health: Green

8.2.3 Check Packet Diversion Statistics from the Data Plane to the Service Plane

Router#show platform hardware qfp active feature utd stats divert

Diversion Statistics

redirect 4537772

encaps 4537772

decaps 4537537

reinject 4537537

SN offloaded flow 76

Redirect failed, SN unhealthy 1232

Flow inspection bypassed 698

decaps: delete requests received total 2533

decaps: delete - protocol decision 2533

If packet diversion is not working properly, check whether the UTD feature is active in both the data plane and the control plane, using the following commands:

● show platform software UTD global

● show platform hardware qfp active feature UTD config

Check whether the Snort process is running in the LXC container:

● show virtual-service detail

Check whether the AppNav tunnel is up:

● show service-insertion type utd service-context | i Cluster operational state
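The counters in sections 8.2.1 through 8.2.3 are what an operator watches to see whether traffic is actually reaching Snort. The following Python turns that check into a script: it parses the stats output into a label-to-value map and flags a non-green service node, failed redirects, bypassed flows, drops while the node was unhealthy, and diversion counters that disagree. This is an added example, not code from the guide or from Cisco; the max_in_flight threshold and the severity labels are my own assumptions, and the sample is constructed from the counters shown in this guide.

```python
"""Health check over 'show platform hardware qfp active feature utd stats' output."""
import re

PKT_BYT_RE = re.compile(r"^(?P<name>.+?)\s+pkt\s+(?P<pkt>\d+)\s+byt\s+\d+$")
COUNTER_RE = re.compile(r"^(?P<name>.+?)\s+(?P<value>\d+)$")
HEALTH_RE = re.compile(r"^SN Health:\s*(?P<state>\w+)")

def parse_utd_stats(text):
    """Map each counter label to its value; 'pkt N byt M' lines keep the packet count N."""
    stats = {}
    for raw in text.splitlines():
        line = raw.strip()
        h = HEALTH_RE.match(line)
        if h:
            stats["sn_health"] = h.group("state")
            continue
        m = PKT_BYT_RE.match(line) or COUNTER_RE.match(line)
        if m:
            stats[m.group("name")] = int(m.group(2))  # group 2 is the count in both patterns
    return stats

def check_utd_health(stats, max_in_flight=1000):
    """Return (severity, message) findings; an empty list means nothing to flag."""
    findings = []
    health = stats.get("sn_health", "Unknown")
    if health != "Green":
        findings.append(("critical", f"service node health is {health}, not Green"))
    # Non-zero counters here mean the service node was unavailable for some traffic.
    for label, what in (("Redirect failed, SN unhealthy", "packets not diverted while the SN was unhealthy"),
                        ("Service Node not healthy", "packets dropped while the SN was unhealthy"),
                        ("Flow inspection bypassed", "flows bypassed inspection")):
        if stats.get(label, 0):
            findings.append(("high", f"{stats[label]} {what} ({label})"))
    redirect, encaps = stats.get("redirect", 0), stats.get("encaps", 0)
    if redirect != encaps:
        findings.append(("high", f"redirect ({redirect}) != encaps ({encaps}): diversion counters disagree"))
    gap = redirect - stats.get("reinject", 0)
    if gap > max_in_flight:  # threshold is an assumption; tune it for your traffic rate
        findings.append(("medium", f"{gap} diverted packets not re-injected"))
    return findings

# Constructed sample: a subset of the counters shown in this guide, one per line.
SAMPLE = """\
Pkts Diverted pkt 4514223 byt 1692393810
Drop Statistics:
Service Node not healthy 1232
SN Health: Green
redirect 4514223
encaps 4514223
decaps 4513988
reinject 4513988
Redirect failed, SN unhealthy 1232
Flow inspection bypassed 698
"""
```

Run it against the output of "show platform hardware qfp active feature utd stats" captured from the router; the same parser works on the "stats divert" subset from section 8.2.3.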

8.2.4 Troubleshooting Signature Update Issues

There are two types of signature updates: an update from cisco.com and an update from a local server. A router can be configured to perform only one of them at a time.

If the signature update from the Cisco server is not happening, check the following:

● DNS is not configured or not working properly. Use the command "show utd engine standard signature update status"

● The cisco.com username and password provided may not be correct

● The cisco.com user may not have permission to download the signature package

● There is no connectivity between UTD Snort and the Cisco signature server


If the signature update from a local server is not happening, check the following:

● An incorrect method is configured in the URL for the signature update from the local server (only HTTP/HTTPS are supported)

● An incorrect host name or IP address was provided in the URL for the signature update from the local server

● Credentials are required to download the signature package from the local server

● The signature package file configured in the URL is not found on the local server

● The signature package file downloaded from the local server is corrupted

● There is no connectivity between UTD Snort and the local signature server

In both cases, try issuing the update command manually from router exec mode. If the failure was due to a temporary network issue, the next attempt may succeed.

8.3 Debugging

Conditional debugging commands:

debug platform condition feature utd controlplane

debug platform condition feature utd dataplane submode

debug platform condition feature utd dataplane submode divert level

debug platform condition interface g0/0/0 both

debug platform condition feature utd dataplane submode all level verbose

debug platform condition start

Packet tracing debug commands:

debug platform packet copy packet out size 2048

debug platform packet-trace enable

debug platform packet-trace packet 64 cir fia

Note: Conditional debugging needs to be enabled along with packet tracing:

debug platform condition interface g0/0/0 both

debug platform condition feature utd dataplane submode divert level info

debug platform condition start

8.4 Complete List of Show Commands

Control plane show commands:

show platform software utd rp active global

show platform software utd fp active global

show platform software utd global

show platform software utd interfaces

Service plane show commands:

show utd engine standard signature statistics

show utd engine standard signature active

show utd engine standard logging events

show utd engine standard statistics daq all

show utd engine standard statistics internal


show utd engine standard statistics whitelist

show utd engine standard config

show utd engine standard signature update status

Data plane show commands:

show platform hardware qfp active feature utd stats

show platform hardware qfp active feature utd stats all

show platform hardware qfp active feature utd stats divert <all/verbose>

show platform hardware qfp active feature utd stats drop <all/verbose>

show platform hardware qfp active feature utd stats general <all/verbose>

show platform hardware qfp active feature utd stats sn <all/verbose>

show platform hardware qfp active feature utd stats summary <all/verbose>

show platform hardware qfp active feature utd stats verbose

show platform hardware qfp active feature utd config

show platform hardware qfp active flow

8.5 Complete List of Debug Commands

Control plane:

debug platform software utd

debug platform condition feature utd controlplane level <error/info/verbose/warning>

Service plane:

debug utd engine standard internal <onep, climgr, logger, internal, daq, all>

To move the log files from container to flash:

virtual-service move name <foo> log to flash:

Data plane:

debug platform condition feature utd dataplane submode <divert, drop, event, fia, packet, proxy>

9. Snort IPS Deployment Using Cisco Prime CLI Templates

To ease the provisioning of a Snort IPS deployment, Cisco Prime CLI templates are available. To use these templates, download them and import them into Cisco Prime using the following steps:

● Download the Cisco Prime templates that correspond to the Cisco IOS-XE version running on your system

● Unzip the file if it is a zipped version

● From the Cisco Prime web UI, navigate to Configuration >> Templates >> Features & Technologies, click on "CLI Templates (User Defined)", and then click on "Import"

● Select the folder where you want to import the templates, click on "Select Templates", and choose the template that was downloaded in the previous step

The following CLI templates are available:

● Snort IPS - Copy OVA to Device

◦ Purpose: Use this template to copy the Snort IPS OVA file to flash.

● Snort IPS - Delete OVA

◦ Purpose: Use this template to delete a previously copied Snort IPS OVA file from flash.

● Snort IPS - Dynamic NAT

◦ Purpose: Use this template if dynamic Network Address Translation (NAT) is configured in your environment and an access list is used to select the NAT translation that needs to be modified for the Snort IPS management interface IP.

● Snort IPS - Dynamic NAT Cleanup

◦ Purpose: Use this template to delete a previously configured NAT configuration for Snort IPS.

● Snort IPS - Dynamic PAT

◦ Purpose: Use this template if dynamic Port Address Translation (PAT) is configured in your environment and an access list is used to select the PAT translation that needs to be modified for the Snort IPS management interface IP.

● Snort IPS - Dynamic PAT Cleanup

◦ Purpose: Use this template to delete a previously configured PAT configuration for Snort IPS.

● Snort IPS - IP Unnumbered

◦ Purpose: Use this template to configure Snort IPS and the required virtual service for an IP unnumbered deployment.

● Snort IPS - IP Unnumbered Cleanup

◦ Purpose: Use this template to delete a previously configured Snort IPS management interface with "IP Unnumbered".

● Snort IPS - Management Interface

◦ Purpose: Use this template if you would like to use the system management interface (for instance, GigabitEthernet0) to route Snort IPS management traffic.

● Snort IPS - Management Interface Cleanup

◦ Purpose: Use this template to delete a previously configured system management interface (for instance, GigabitEthernet0) used to route the Snort IPS management traffic.

● Snort IPS - Static NAT

◦ Purpose: Use this template to configure Snort IPS and the required virtual service for an existing static NAT deployment.

● Snort IPS - Static NAT Cleanup

◦ Purpose: Use this template to delete a previously configured Snort IPS in a static NAT deployment.

● Snort IPS - Upgrade OVA

◦ Purpose: Use this template to upgrade the Snort IPS OVA file.

10. Download Locations

10.1 Snort IPS Engine OVA Files

4321 ISR

http://software.cisco.com/download/release.html?i=!y&mdfid=286006221&softwareid=286285284&release=3.16.1aS&os=

4331 ISR

http://software.cisco.com/download/release.html?i=!y&mdfid=285018115&softwareid=286285284&release=3.16.1aS&os=

4351 ISR

http://software.cisco.com/download/release.html?i=!y&mdfid=285018114&softwareid=286285284&release=3.16.1aS&os=

4431 ISR

http://software.cisco.com/download/release.html?i=!y&mdfid=284358776&softwareid=286285284&release=3.16.1aS&os=

4451-X ISR

http://software.cisco.com/download/release.html?i=!y&mdfid=284389362&softwareid=286285284&release=3.16.1aS&os=

10.2 Snort IPS Signature Package Files

4321 ISR

http://software.cisco.com/download/release.html?i=!y&mdfid=286006221&softwareid=286285292&release=2975.4&os=

4331 ISR

http://software.cisco.com/download/release.html?i=!y&mdfid=285018115&softwareid=286285292&release=2975.4&os=

4351 ISR

http://software.cisco.com/download/release.html?i=!y&mdfid=285018114&softwareid=286285292&release=2975.4&os=

4431 ISR

http://software.cisco.com/download/release.html?i=!y&mdfid=284358776&softwareid=286285292&release=2975.4&os=

4451-X ISR

http://software.cisco.com/download/release.html?i=!y&mdfid=284389362&softwareid=286285292&release=2975.4&os=

10.3 Cisco Prime CLI Templates for Snort IPS Deployment

4321 ISR

http://software.cisco.com/download/release.html?i=!y&mdfid=286006221&softwareid=286285284&release=3.16.1aS&os=

4331 ISR

http://software.cisco.com/download/release.html?i=!y&mdfid=285018115&softwareid=286285284&release=3.16.1aS&os=

4351 ISR

http://software.cisco.com/download/release.html?i=!y&mdfid=285018114&softwareid=286285284&release=3.16.1aS&os=

4431 ISR

http://software.cisco.com/download/release.html?i=!y&mdfid=284358776&softwareid=286285284&release=3.16.1aS&os=

4451-X ISR

http://software.cisco.com/download/release.html?i=!y&mdfid=284389362&softwareid=286285284&release=3.16.1aS&os=

Printed in USA C07-736629-00 02/16