secholic

Emulating IPS on UNL

Hi everyone,

 

Below are my steps to deploy IPS in UNL:

  1. Download "IPSforty-two-forty.ova"
    This link from daveguy:

    Hidden Content

      Give reaction to this post to see the hidden content.

     
     
  2. Open "IPSforty-two-forty.ova" with VMplayer to extract into "IPSforty-two-forty-disk1.vmdk" and "IPSforty-two-forty-disk2.vmdk"
     
  3. Run Unetlab
     
  4. Run "WinSCP" to log in to Unetlab (username=root, passw=root); it's a lot easier than the command line on Linux
    Download WinSCP:

    Hidden Content

      Give reaction to this post to see the hidden content.

     
  5. Via WinSCP, go to directory "/opt/unetlab/addons/qemu"
     
  6. Create new folder "cips-4240"
     
  7. Copy "IPSforty-two-forty-disk1.vmdk" and "IPSforty-two-forty-disk2.vmdk" from your computer into "/opt/unetlab/addons/qemu/cips-4240" on UnetLab
     
  8. Convert the vmdk files into qcow2 format; you must log in to the Unetlab console

    Hidden Content

      Give reaction to this post to see the hidden content.


     

  9. Via WinSCP, delete the 2 vmdk files
     
  10. Fix permissions

    Hidden Content

      Give reaction to this post to see the hidden content.


     

  11. Now try to create a new lab, add new nodes, and taraa, you should see "image:cips-4240"
     
  12. Open the lab and run the node, then console the IPS
     
  13. Now let's fix the interface problems
     
  14. Log in to the IPS using account 'service' and password 'ciscoips123'
     
  15. Type: vi /usr/cids/idsRoot/etc/interface.conf (you need to know how to use the text editor 'vi')
     
  16. Scroll down until you see the section [models/IPS-4240/interfaces]
     
  17. Edit the "pci-path" section for each interface to match the QEMU PCI bus address of each NIC. QEMU E1000 bus addresses are usually:
    3.0
    4.0
    5.0
    6.0
    7.0
     
  18. You need to change the device ID as well for each one
    Change every instance of:
    device-id=0x100f
    to
    device-id=0x100e
  19. Save the file and reboot the IPS sensor.
     
  20. Log in using account "cisco" pass "cisco" or "ciscoips123"

That's all

 

Thanks to daveguy, paulno1, Unholydarkness

Edited by secholic

Q. How do I resolve the error message "Cid/W Warning - DNS or HTTP proxy is required for global correlation inspection and reputation filtering but no DNS or proxy servers are defined. Add an HTTP proxy server or DNS server in the 'host' service configuration"?

 

A.
Complete these tasks in order to resolve this issue:

  • Disable global correlation.


  • Add the proxy/DNS configuration.


Hi paulno1,

 

Thanks for your reply.

Configuring DNS only removes the warning;

the problem still exists, error unable to continue (save).

 

Kindly see the screen output below:

 

Hidden Content

    Give reaction to this post to see the hidden content.

 

My steps to deploy IPS in UNL:

1. Download "IPSforty-two-forty.ova"

2. Open the ova with VMplayer to extract it into "IPSforty-two-forty-disk1.vmdk" and "IPSforty-two-forty-disk2.vmdk"

3. Copy them to the folder "cips-4240" in UNL, then convert the vmdk files into qcow2 format

Hidden Content

    Give reaction to this post to see the hidden content.

4. Fix permissions

 

Hidden Content

    Give reaction to this post to see the hidden content.

 

What step did I miss?

And one more thing: the error only happens in UNL; it didn't show up when I was emulating IPS using VMware Workstation.

Edited by secholic

The image you are running was created under VMware and the Intel Pro/1000 network interfaces were mapped specifically to the PCI bus addresses provided by the VMware virtual hardware.

 

Since you're running under a QEMU/KVM environment, the E1000 interfaces will not be discovered properly during bootup.

 

You will need to do the following (you need to know how to use the text editor 'vi'):

 

1. Log in to the IPS using account 'service' and password 'ciscoips123'

2. Type: vi /usr/cids/idsRoot/etc/interface.conf

3. Scroll down until you see the section [models/IPS-4240/interfaces]

4. Edit the "pci-path" section for each interface to match the QEMU PCI bus address of each NIC. QEMU E1000 bus addresses are usually:

 

3.0

4.0

5.0

6.0

7.0

 

5. Save the file and reboot the IPS sensor.

 

Good luck.

 

U:H


One more thing... you'll need to change the device ID as well for each one.

 

Change every instance of:

 

device-id=0x100f

 

to:

 

device-id=0x100e

 

U:H
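
The two edits described in the posts above (QEMU `pci-path` addresses and the `device-id` change), scripted as an added example that is not part of the original thread. It assumes `interface.conf` uses `[section]` headers followed by `key=value` lines; the sample file and the names `fix_ips_interfaces` and `make_sample` are constructed for illustration.

```shell
#!/bin/sh
# Added example: apply the two edits from this thread to a copy of interface.conf.
# ASSUMPTION: the file uses "[section]" headers with "key=value" lines; the
# real sensor file may be laid out differently, so review the output first.

SECTION='[models/IPS-4240/interfaces]'

# Print file $1 with the IPS-4240 section rewritten; the input is not modified.
fix_ips_interfaces() {
    awk -v want="$SECTION" '
        # QEMU E1000 bus addresses listed in the thread, assigned in file order.
        BEGIN { n = split("3.0 4.0 5.0 6.0 7.0", addr, " "); i = 0 }
        # Track whether the current line belongs to the target section.
        /^\[/ { in_sec = ($0 == want) }
        # NICs beyond the five known addresses are left unchanged.
        in_sec && /pci-path=/ && i < n { sub(/pci-path=.*/, "pci-path=" addr[++i]) }
        in_sec { gsub(/device-id=0x100f/, "device-id=0x100e") }
        { print }
    ' "$1"
}

# Constructed sample input (not copied from a real sensor).
make_sample() {
    cat <<'EOF'
[models/IPS-4240/interfaces]
pci-path=17.0
device-id=0x100f
pci-path=18.0
device-id=0x100f
[models/other/interfaces]
pci-path=17.0
device-id=0x100f
EOF
}

tmp=$(mktemp)
make_sample > "$tmp"
fix_ips_interfaces "$tmp"   # entries outside the IPS-4240 section stay as they were
rm -f "$tmp"
```

Run it against a backup copy of the file and compare the output with the original before replacing anything on the sensor.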

Hooray..

 

Finally, I succeeded in deploying IPS in UNL,

after being stuck for a couple of weeks..

 

Many thanks to UnHolyDarkness & paulno1 for the assistance..

I love u guys ... :H


Thanks guys, this is awesome. Exactly the type of collaboration we need

Hidden Content

    Give reaction to this post to see the hidden content.

 

IPS up and running on UNETLAB!


@ UnholyDarkness

 

Can you please share what the [models/IPS-4240/interfaces] section will look like? A screenshot of the code would be appreciated.


Hello!

 

Do you have an updated link? It seems the file was deleted from the existing link.
