Verifying the IOS-IDS Configuration

A working and well-tested IDS can be very important for the continuity of your business. It ensures all attacks IOS has a signature for are being detected and that alerts are sent to the right place. In this section, we discuss how you can verify and test an IOS-based IDS configuration. We will see examples of commands you can use to verify the working of your IDS. In addition, we look at how to troubleshoot an IDS configuration. The commands and items we will discuss include:

show ip audit interfaces
show ip audit configuration
show ip audit statistics
show ip audit session
show ip audit debug
clear ip audit statistics
clear ip audit configuration
debug commands

show ip audit interfaces

The show ip audit interfaces EXEC command is used to display the interface configuration. Figure 11.5 shows an example of the output of this command.

Router#show ip audit interfaces 
Interface Configuration
 Interface Ethernet1/0
  Inbound IDS audit rule is idstest
    info actions alarm
    attack actions alarm drop reset
  Outgoing IDS audit rule is not set

Figure 11.5: The show ip audit interfaces Command

In Figure 11.5, the audit rule idstest is applied to interface Ethernet1/0 on an inbound direction. When an informational signature is triggered by certain activity, the router sends an alarm to the configured Syslog or Director. When an attack signature is triggered, an alarm is sent, the packet is dropped, and in case of a TCP session, the session is reset. There is no audit rule applied in an outbound direction.

show ip audit configuration

The show ip audit configuration EXEC command is used to display an overview of configuration information. It includes information not shown using the show running-config command, like the default values of certain parameters. Figure 11.6 shows an example of the output of this command.

Router#show ip audit configuration
Event notification through syslog is enabled
Event notification through Net Director is disabled
Default action(s) for info signatures is alarm
Default action(s) for attack signatures is alarm drop reset
Default threshold of recipients for spam signature is 250
PostOffice:HostID:0 OrgID:0 Msg dropped:0
          :Curr Event Buf Size:0  Configured:100
Post Office is not enabled - No connections are active
Audit Rule Configuration
 Audit name idstest
    info actions alarm
    attack actions alarm drop reset

Figure 11.6: The show ip audit configuration Command

Figure 11.6 is an example of how the output of the show ip audit configuration command looks when only the log notification type is used and no PostOffice parameters are configured. As you can see, event notification through the Director is disabled, and PostOffice communications is not enabled.

Figure 11.7 shows the command output of another IOS-IDS sensor.

Router#show ip audit configuration 
Event notification through syslog is enabled
Event notification through Net Director is enabled
Default action(s) for info signatures is alarm
Default action(s) for attack signatures is alarm drop reset
Default threshold of recipients for spam signature is 300
Signature 1107 disable
PostOffice:HostID:1 OrgID:100 Msg dropped:0
          :Curr Event Buf Size:100  Configured:100
Host ID:2, Organization ID:100, SYN pkts sent:1,
ACK pkts sent:2, Heartbeat pkts sent:82, Heartbeat ACK pkts sent:49,
Duplicate ACK pkts received:0, Retransmission:0, Queued pkts:0
  ID:1 Dest:172.16.20.2:45000 Loc:172.16.20.1:45000 T:5 S:ESTAB * 
   
Audit Rule Configuration
 Audit name idstest
    info actions alarm
    attack actions alarm drop reset

Figure 11.7: The show ip audit configuration Command

The first thing we see when looking at Figure 11.7 is that event notification through Syslog and Director are both enabled. This means that each time a signature is triggered an alarm is sent to both locations. The default actions for informational and attack signatures are set and the threshold of recipients for the spam signature has been set to 300. We also see that signature 1107 has been disabled.

In the next section of output, we find PostOffice settings, the current configured notification queue size, and statistics on packets sent between the IOS-IDS sensor and the Director. Using this data, you can verify the communication between the IOS-IDS sensor and the Director. The line ending with the word ESTAB *tells you that a session between IOS-IDS sensor and Director has been established. If you find the word SYN SENT at the end of this line, it means the IOS-IDS sensor tried to set up a session but the Director is not answering, or that the set up of the session has not yet been completed. Figure 11.8 shows an example of the output of the show ip audit configuration command in this situation.

Router#show ip audit configuration 
Event notification through syslog is enabled
Event notification through Net Director is enabled
Default action(s) for info signatures is alarm
Default action(s) for attack signatures is alarm drop reset
Default threshold of recipients for spam signature is 300
Signature 1107 disable
PostOffice:HostID:1 OrgID:20 Msg dropped:0
          :Curr Event Buf Size:100  Configured:100
Host ID:2, Organization ID:100, SYN pkts sent:573,
ACK pkts sent:0, Heartbeat pkts sent:0, Heartbeat ACK pkts sent:0,
Duplicate ACK pkts received:0, Retransmission:0, Queued pkts:0
  ID:1 Dest:172.16.20.2:45000 Loc:172.16.20.1:45000 T:5 S:SYN SENT 
   
Audit Rule Configuration
 Audit name idstest
    info actions alarm
    attack actions alarm drop reset

Figure 11.8: The show ip audit configuration Command

The output of the show ip audit configuration command ends with the audit rule configuration on the router. In Figure 11.6 through 11.8, we see that an audit rule with the name idstest has been configured on this router, plus what actions have been configured for the information and attack signatures under that rule.

show ip audit statistics

The show ip audit statistics EXEC command displays the number of packets audited plus the number of alarms sent. Figure 11.9 shows an example of the output of this command.

Router#show ip audit statistics
Signature audit statistics [process switch:fast switch]
  signature 1101 packets audited: [0:98]
  signature 2004 packets audited: [0:11]
  signature 3050 packets audited: [145:0]
  signature 4050 packets audited: [0:720]
Interfaces configured for audit 1
Session creations since subsystem startup or last reset 2729
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:4:0]
Last session created 00:09:39
Last statistic reset never
   
Host ID:2, Organization ID:100, SYN pkts sent:218,
ACK pkts sent:3, Heartbeat pkts sent:14085, Heartbeat ACK pkts sent:7114,
Duplicate ACK pkts received:0, Retransmission:0, Queued pkts:0

Figure 11.9: The show ip audit statistics Command

Figure 11.9 shows a number of intrusions detected by IOS-IDS. For instance, signature 3050 has been triggered several times, meaning a half-open SYN attack has been detected. Further, there are some session counters and statistics on PostOffice communications.

show ip audit sessions

The show ip audit sessions EXEC command is used to display the current sessions on the IOS-IDS sensor. This command can be helpful when troubleshooting or verifying the working of the IDS. Figure 11.10 shows the output of the command at the moment a user is checking some POP3 e-mail accounts.

Router#show ip audit sessions
Established Sessions
 Session 813635E4 (172.16.20.2:4071)=>(192.6.6.40:110) tcp SIS_OPEN
   
Terminating Sessions
 Session 81363CC8 (172.16.20.2:4070)=>(192.6.196.44:110) tcp SIS_CLOSING
   
Router#show ip audit sessions
Terminating Sessions
 Session 81363CC8 (172.16.20.2:4070)=>( 192.6.196.44:110) tcp SIS_CLOSING
 Session 813635E4 (172.16.20.2:4071)=>(192.6.6.40:110) tcp SIS_CLOSING

Figure 11.10: The show ip audit sessions Command

show ip audit debug

The show ip audit debug EXEC command is used to display the debug commands that have been enabled on the router. An example of the output of this command is shown in Figure 11.11.

Router#show ip audit debug
IDS Detailed Debug debugging is on
IDS TCP Audit debugging is on

Figure 11.11: The show ip audit debug Command

The same result can be attained using the show debug command, but that will show all debug commands enabled on the router, while the show ip audit debug command displays only the ip audit debug commands enabled. An example of the show debug command output is shown in Figure 11.12.

Router#show debug
Generic IP:
  IP packet debugging is on for access list 101
IDS Audit:
  IDS Detailed Debug debugging is on
  IDS TCP Inspection debugging is on

Figure 11.12: The show debug Command

clear ip audit statistics

The clear ip audit statistics EXEC command is used to reset statistics on packets that have been audited and the number of alarms sent. To perform this action, type the command at the router prompt as follows:

Router#clear ip audit statistics

This command becomes useful when troubleshooting an IDS configuration and you want to start with fresh statistics.

clear ip audit configuration

The clear ip audit configuration EXEC command can be used to disable IOS-based IDS. The command removes all IDS configuration entries and releases dynamic resources IDS has in use. To clear the existing IP audit configuration, type the command at the router prompt as follows:

Router#clear ip audit configuration

Debug Commands

A number of debug commands are available to troubleshoot and test your IDS configuration. A combination of alarms sent by the sensor and certain debug commands is very helpful in testing the quality of your IDS configuration. We saw an example of this earlier in the section, "Responses from the IOS-Based IDS," where we combined alarms with the debug ip audit detailed command. The following list shows the available ip audit debug commands in Cisco IOS; the last two commands are new in IOS 12.2.

debug ip audit detailed The debug ip audit detailed command enables IDS detailed debugging. Using this command, we see how IDS handles a packet: Does it forward or drop the packet? In the previous section, we saw an example of this command in action. It can also be used in combination with other debug ip audit commands to get additional information.
debug ip audit ftp-cmd This command enables IDS FTP command and response debugging. The output of this command shows messages about IDS-audited FTP command and response events.
debug ip audit ftp-token This command enables IDS FTP tokens debugging and is best used in combination with the debug ip audit ftp-cmd command. It enables tracing of the ftp tokens parsed.
debug ip audit function-trace Using this command enables IDS function trace debugging, and creates a lot of output. The messages displayed relate to software functions called by IDS.
debug ip audit icmp The debug ip audit icmp command enables IDS ICMP packet debugging. The output of the command shows ICMP echo requests and replies.
debug ip audit ip This command enables IDS IP packet debugging
debug ip audit object-creation Using this command enables IDS Object Creations debugging. The command's output shows messages about software objects created by IDS. Object creation refers to the beginning of an IDS-audited session.
debug ip audit object-deletion The debug ip audit object-deletion command enables IDS Object Deletions debugging. The command's output shows messages about software objects deleted by IDS. Object deletion refers to the closing of IDS-audited sessions.
debug ip audit rpc This command enables IDS RPC Inspection debugging. The command's output shows messages about IDS-audited RPC events, including details about RPC packets.

debug ip audit smtp Using this command enables IDS SMTP Inspection debugging and the output shows messages about IDS-audited SMTP events. One of these events is the check for the spam signature, where IDS checks the number of recipients and thereupon permits or denies the message.

debug ip audit tcp The debug ip audit command enables IDS TCP Inspection debugging. The command's output displays messages about IDS-audited TCP events, including details about TCP packets. It shows every ACK and SYN that passes through.

debug ip audit tftp This command enables IDS TFTP Inspection debugging. The output of this command displays messages about IDS-audited TFTP events.

debug ip audit timers The debug ip audit timers event enables the debugging of IDS timer event.

debug ip audit udp This command enables IDS UDP Inspection debugging. The output of this command shows messages about IDS-audited UDP events, including details about UDP packets.

debug ip audit dns Using this command enables IDS DNS Inspection debugging. Output of this command displays messages about IDS-audited DNS events.

debug ip audit http The debug ip audit http command enables IDS HTTP Inspection debugging. The output of this command shows messages about IDS-audited HTTP events.

Warning

Use these debug commands with caution on a production system. Some of the commands generate a lot of output and consume available CPU cycles, possibly causing a router to hang.