TCPdump support on sensing interface for CSIDS v4.1

msmitha · ‎09-25-2003

When we deploy new IDS sensors in various locations, we need to verify that the sensor's sniffing interface has sufficient visibility into the protected nets. In order to do this, we (security group) rely on network admins to setup SPAN, RSPAN, VACLs, etc.

In v4.1, we are not able to run tcpdump on the sensing interface. I understand that Cisco has disabled tcpdump on the sensing intf due to performance reasons. However, tcpdump is very necessary to make sure that SPAN/RSPAN/etc as the case maybe is setup correctly. Sometimes, we do see traffic (show int sensing) but we are not sure if we are looking at bi-directional traffic.

I'd like to know if there is a workaround to get tcpdump working on the sensing interface temporarily. Do we stop sensorapp for that and run tcpdump?

Please let me know, Thanks.

jlively · ‎09-25-2003

You could always disable the sensor (log into service accountand su - root then enter: /etc/init.d/cids stop)

Next, bring up the interface you want to run tcpdump on (ifconfig up.

Now run the tcpdump command (tcpdump -i {other options}.

When you are done, it is safest to just reboot to get everything back in sync.

m-raft · ‎09-25-2003

I also heard that Cisco is planning to restore the tcpdump feature while the sensing app is still active. I heard possible version 5 release for this. Have you heard about this.

marcabal · ‎09-25-2003

I can confirm that engineering does know about the feature request nad has been discussed.

We can't comment on public forums (like the NetPro Forum) about what will or will not be in the next version of the product until that version has been officially announced.

So for information about 5.0 you would need to contact your Cisco Representative and sign Non-Disclosure agreements.

scothrel · ‎09-25-2003

Jim's suggestion is the recommended way to get tcpdump running. A caveate is that you must put the sensing interface in its "down" configuration before you can reenable the sensor (/etc/init.d/cids start), or the sensor application will not bind to the port and will recieve no traffic. As Jim said above, a reboot is a safe way to get back to where you need to be (the Microsoft approach). Also note, tcpdump will not work on the 4250-XL accelerator card, as it is not a proper NIC. We provide falcondump, which has a subset of tcpdump functionality, but enough to do what you need to.

wardwalk · ‎09-25-2003

Here are two additional notes to what has already been mentioned:

1. tcpdump cannot be run on the IDSM2 sensing ports as well as the 4250-XL sensing ports. If your sensor is either of these types, you can use the already mentioned falcondump utility or you can use the sensor's iplog feature. Follow these steps to use the iplog feature to log traffic related to a particular ip address, e.g. the address of your attacker or target whose traffic you're studying:

login to the CLI as user "cisco"

type "iplog 0 " followed by and/or and/or "

type "iplog-status" to find the iplog id

type "copy iplog "

now you can look at the iplog file with something like Ethereal. (http://www.ethereal.com/)

2. An alternative means of disabling sensing on a port so that you can run tcpdump on that port is to remove it from the interface group. To do this via the CLI, follow these steps:

login to the CLI as user "cisco"

type "configure terminal"

type "interface group 0"

type "no sensing-interface "

exit out of the CLI and login via the service acct

su to root

ifconfig down

ifconfig up

now run tcpdump on that interface

pbobby · ‎09-25-2003

I recall changing the password for 'cisco' and creating a maintenance account (to a shell). But haven't found anywhere what the default root account is, nor any instructions to change it if it differs from the default 'cisco' one.

marcabal · ‎09-25-2003

Login as cisco on your sensor and type "show users all".

If you see a username configured with the privelege level "service" then this is the account name that can access a Linux Bash Shell.

If you don't then simply create a new account with the privilege level "service".

NOTE: only one "service" account can be configured

If you remember the password for this username then great just login with that username and password.

If you don't remember the password don't panic, as user cisco just go to "configure terminal", and type "password " using the username for the "service" account. Then just give the account a new password.

Once you login as the service account on the box and have a Linux Bash Shell then you can use the "su -" command to switch to user "root". The password for root is automatically sync'd to the password for the "service" account. So just use the same password again to become root.

Any time the user cisco changes the "service" account's password through the IDS CLI command "password " the system will sync both the "service" account and root account passwords.

NOTE: Changing the passwords directly in the "service" account or root account with the standard Linux "passwd" command instead of the "password " command in the CLI will not sync the passwords.

msmitha · ‎09-26-2003

Can you please tell us more about using "falcondump" on the IDSM2 and the 4250-XL? Any examples?

I suppose we would first stop CIDS "/etc/init.d/cids stop" before using falcondump?