Deploy Snort IPS on Cisco Integrated Services Routers 4000 Series

Available Languages

Download Options

  • PDF     (167.7 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (202.1 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (110.2 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:July 10, 2023
Document ID:220565

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to deploy the Snort IPS and Snort IDS feature on Cisco Integrated Services Routers (ISR) 4000 series using the IOx method.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Cisco Integrated Services Routers 4000 series with at least 8GB DRAM.
    • Basic IOS-XE command experience.
    • Basic Snort knowledge.
    • A signature subscription for 1 year or 3 years is required
    • IOS-XE 16.10.1a and above.

    Components Used

    The information in this document is based on these software and hardware versions:

    • ISR4331/K9 running 17.9.3a release.
    • UTD Engine TAR for 17.9.3a release.
    • Securityk9 license for ISR4331/K9.

    The VMAN method is now deprecated.

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Background Information

    Snort IPS feature enables Intrusion Prevention System (IPS) or Intrusion Detection System (IDS) for branch offices on Cisco 4000 Series Integrated Services Routers and Cisco Cloud Services Router 1000v Series. This feature uses the open-source Snort to enable IPS and IDS capabilities.

    Snort is an open-source IPS that performs real-time traffic analysis and generates alerts when threats are detected on IP networks. It can also perform protocol analysis, content researching or marching, and detect a variety of attacks and probes, such as buffer overflows, stealth port scans, and so on. The Snort engine runs as a virtual container service on Cisco Integrated Services Routers 4000 series and Cloud Services Router 1000v Series.

    The Snort IPS feature works as network intrusion detection or prevention mode and provides IPS or IDS capabilities on Cisco Integrated Services Routers 4000 series and Cloud Services Router 1000v Series. 

    • Monitors network traffic and analyzes against a defined rule set.
    • Performs attach classification.
    • Invokes actions against matched rules.

    Based on network requirements. Snort IPS can be enabled as IPS or IDS. In IDS mode, Snort inspects the traffic and reports alerts, but does not take any action to prevent attacks. In IPS mode inspects the traffic and reports alerts as IDS does but actions are taken to prevent attacks.

    The Snort IPS runs as a service on ISR routers. Service containers use virtualization technology to provide a hosting environment on Cisco devices for applications. Snort traffic inspection is enabled either on a per-interface basis or globally on all supported interfaces. The Snort sensor requires two VirtualPortGroup interfaces. The first VirtualPortGroup is used for management traffic and the second for data traffic between the forwarding plane and the Snort virtual container service. Guess IP addresses must be configured for these VirtualPortGroup interfaces. The IP subnet assigned to the management VirtualPortGroup interface should be able to communicate with the Signature server and Alert/Reporting server.

    The Snort IPS monitors the traffic and reports events to an external log server or the IOS syslog. Enabling logging into the IOS syslog may impact performance due to the potential volume of log messages. External third-party monitoring tools, which support Snort logs, can be used for log collection and analysis.

    Snort IPS on Cisco 4000 Series Integrated Services Routers and Cisco Cloud Services Router 1000v Series is based on Signature package download. There are two types of subscriptions:

    • Community Signature Package.
    • Subscriber-based Signature Package.

    The community signature package rule set offers limited coverage against threats. The subscriber-based signature package rule set offers the best protection against threats.  It includes coverage in advance of exploits and also provides the fastest access to updated signatures in response to a security incident or the proactive discovery of a new threat. This subscription is fully supported by Cisco and the package will be updated on Cisco.com. The signature package can be downloaded from software.cisco.com. Snort signature information can be found on snort.org.

    Network Diagram

    ISR4K

    Configure

    Platform UTD configuration

    Step 1. Configure Virtual VirtualPortGroups interfaces.

    Router#configure terminal
    Router(config)#interface VirtualPortGroup0
    Router(config-if)#description Management Interface
    Router(config-if)#ip address 192.168.1.1 255.255.255.252
    Router(config-if)#no shutdown
    Router(config-if)#exit

    Router(config)#interface VirtualPortGroup1
    Router(config-if)#description Data Interface
    Router(config-if)#ip address 192.168.2.1 255.255.255.252
    Router(config-if)#no shutdown
    Router(config-if)#exit

    Step 2.  Enable the IOx environment in Global Configuration mode.

    Router(config)#iox

    Step 3. Configure app-hosting with vnic configuration.

    Router(config)#app-hosting appid UTD
    Router(config-app-hosting)#app-vnic gateway0 virtualportgroup 0 guest-interface 0
    Router(config-app-hosting-gateway0)#guest-ipaddress 192.168.1.2 netmask 255.255.255.252
    Router(config-app-hosting-gateway0)#exit

    Router(config-app-hosting)#app-vnic gateway1 virtualportgroup 1 guest-interface 1
    Router(config-app-hosting-gateway0)#guest-ipaddress 192.168.2.2 netmask 255.255.255.252
    Router(config-app-hosting-gateway0)#exit

    Step 4 (Optional). Configure Resource Profile.

    Router(config-app-hosting)#app-resource package-profile low [low,medium,high]
    Router(config-app-hosting)#end

    Note: If this is not defined, the system will use the default app-resource config (Low). Make sure to have enough available resources on ISR if the default profile config will be changed.

    Step 5. Install the app-hosting using the UTD.tar file.

    Router#app-hosting install appid UTD package bootflash:iox-iosxe-utd.16.12.08.1.0.24_SV2.9.16.1_XE16.12.x86_64.tar

    Note: Keep the correct UTD.tar file on bootflash: to proceed to install it. Snort version is specified on UTD file name.

    Next syslogs should be seen indicating UTD service was installed properly.

    Installing package 'bootflash:iox-iosxe-utd.16.12.08.1.0.24_SV2.9.16.1_XE16.12.x86_64.tar' for 'utd'. Use 'show app-hosting list' for progress.
    *Jun 26 19:25:35.975: %VMAN-5-PACKAGE_SIGNING_LEVEL_ON_INSTALL: R0/0: vman: Package 'iox-iosxe-utd.16.12.08.1.0.24_SV2.9.16.1_XE16.12.x86_64.tar' for service container 'utd' is 'Cisco signed', signing level cached on original install is 'Cisco signed'
    *Jun 26 19:25:50.746: %VIRT_SERVICE-5-INSTALL_STATE: Successfully installed virtual service utd
    *Jun 26 19:25:53.176: %IM-6-INSTALL_MSG: R0/0: ioxman: app-hosting: Install succeeded: utd installed successfully Current state is deployed

    Note: Using 'show app-hosting list' the status should be 'Deployed'

    Step 6. Start the app-hosting service.

    Router#configure terminal
    Router(config)#app-hosting appid UTD
    Router(config-app-hosting)#start
    Router(config-app-hosting)#end

    Note: After starting the app-hosting service, the app-hosting status should be 'Running'. Use 'show app-hosting list' or 'show app-hosting detail' to see more details.

    Next syslog messages should be seen indicating UTD service was installed properly.

    *Jun 26 19:55:05.362: %VIRT_SERVICE-5-ACTIVATION_STATE: Successfully activated virtual service UTD
    *Jun 26 19:55:07.412: %IM-6-START_MSG: R0/0: ioxman: app-hosting: Start succeeded: UTD started successfully Current state is running

    Service Plane and Data Plane Configuration.

    After successful installation, the service plane must be configured. Snort IPS can be configured as Intrusion Prevention System (IPS) or Intrusion Detection System (IDS) for inspection.

    Warning: Confirm the 'securityk9' license feature is enabled to proceed with UTD service plane configuration.

    Step 1. Configure the Unified Threat Defense (UTD) standard engine (Service Plane)

    Router#configure terminal
    Router(config)#utd engine standard

    Step 2. Enable the logging of emergency messages to a remote server.

    Router(config-utd-eng-std)#logging host 192.168.10.5

    Step 3. Enable Threat Inspection for Snort Engine.

    Router(config-utd-eng-std)#threat-inspection

    Step 4. Configure Threat Detection as Intrusion Prevention System (IPS) or Intrusion Detection System (IDS)

    Router(config-utd-engstd-insp)#threat [protection,detection]

    Note: 'Protection' is used for IPS and 'Detection' for IDS. 'Detection' is the default.

    Step 5. Configure Security Policy.

    Router(config-utd-engstd-insp)#policy [balanced, connectivity, security]
    Router(config-utd-engstd-insp)#exit
    Router(config-utd-eng-std)#exit

    Note: Default Policy is 'balanced'

    Step 6 (Optional). Create the UTD-allowed list (Whitelist)

    Router#configure terminal
    Router(config)#utd threat-inspection whitelist

    Step 7 (Optional). Configure Snort Signatures IDs to appear in the whitelist.

    Router(config-utd-whitelist)#generator id 40 signature id 54621 comment FILE-OFFICE traffic from network
    Router(config-utd-whitelist)#end

    Note: ID '40' is used as an example. In order to check Snort Signature information, check Official Snort documentation.

    Step 8 (Optional). Enable Allowed List on Threat Inspection config.

    Router#config terminal
    Router(config)#utd engine standard
    Router(config-utd-eng-std)#threat-inspection
    Router(config-utd-engstd-insp)#whitelist

    Step 9. Configure the Signature update interval to download Snort Signatures automatically.

    Router#config terminal
    Router(config)#utd engine standard
    Router(config-utd-eng-std)#threat-inspection
    Router(config-utd-engstd-insp)#signature update occur-at [daily, monthly, weekly] 0 0

    Note: The first number defines the hour in 24hr format, and the second number indicates minutes.

    Warning: UTD Signature updates generate a brief service interruption at the time of update.

    Step 10. Configure the signature update server parameters.

    Router(config-utd-engstd-insp)#signature update server [cisco, url] username cisco password cisco12

    Note: Use 'cisco' to use the Cisco server or 'url' to define a custom path for the update server. For the Cisco server, you must provide your own username and password.

    Step 11. Enable logging level.

    Router(config-utd-engstd-insp)#logging level [alert,crit,debug,emerg,info,notice,warning]
    Router(config-utd-engstd-insp)#exit
    Router(config-utd-eng-std)#exit

    Step 12. Enable utd service.

    Router#configure terminal
    Router(config)#utd

    Step 13 (Optional). Redirect data traffic from the VirtualPortGroup interface to the UTD service.

    Router#configure terminal
    Router(config)#utd
    Router(config-utd)#redirect interface virtualPortGroup

    Note: If the redirection is not configured, it is auto-detected.

    Step 14. Enable UTD to all Layer 3 interfaces on ISR.

    Router(config-utd)#all-interfaces

    Step 15. Enable the engine standard.

    Router(config-utd)#engine standard

    Next syslog messages should be seen indicating UTD was enabled properly.

    *Jun 27 23:41:03.062: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
    *Jun 27 23:41:13.039: %IOSXE-2-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000008501210250689 %SDVT-2-SDVT_HEALTH_CHANGE: Service node 192.168.2.2 changed state from Down => Red (3) for channel Threat Defense
    *Jun 27 23:41:22.457: %IOSXE-5-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000008510628353985 %SDVT-5-SDVT_HEALTH_UP: Service node 192.168.2.2 is up for channel Threat Defense. Current Health: Green, Previous Health: Red

    Step 16 (Optional). Define the action for UTD engine failure (UTD Data Plane)

    Router(config-engine-std)#fail close
    Router(config-engine-std)#end
    Router#copy running-config startup-config
    Destination filename [startup-config]?

    Note: 'Fail close' option drops all the IPS/IDS traffic when the UTD engine fails. 'Fail open' option allows all the IPS/IDS traffic on UTD failures. The default option is 'fail open'.

    Verify

    Verify VirtualPortGroups IP address and interface status.

    Router#show ip interface brief | i VirtualPortGroup
    VirtualPortGroup0 192.168.1.1 YES NVRAM up up
    VirtualPortGroup1 192.168.2.1 YES NVRAM up up

    Verify VirtualPortGroup configuration.

    Router#show running-config | b interface
    interface VirtualPortGroup0
    description Management Interface
    ip address 192.168.1.1 255.255.255.252
    !
    interface VirtualPortGroup1
    description Data Interface
    ip address 192.168.2.1 255.255.255.252
    !

    Verify app-hosting configuration.

    Router#show running-config | b app-hosting
    app-hosting appid UTD
    app-vnic gateway0 virtualportgroup 0 guest-interface 0
    guest-ipaddress 192.168.1.2 netmask 255.255.255.252
    app-vnic gateway1 virtualportgroup 1 guest-interface 1
    guest-ipaddress 192.168.2.2 netmask 255.255.255.252
    start
    end

    Verify iox activation.

    Router#show running-config | i iox
    iox

    Verify UTD service plane config.

    Router#show running-config | b engine
    utd engine standard
    logging host 192.168.10.5
    threat-inspection
    threat protection
    policy security
    signature update server cisco username cisco password KcEDIO[gYafNZheBHBD`CC\g`_cSeFAAB
    signature update occur-at daily 0 0
    logging level info
    whitelist
    utd threat-inspection whitelist
    generator id 40 signature id 54621 comment FILE-OFFICE traffic
    utd
    all-interfaces
    redirect interface VirtualPortGroup1
    engine standard
    fail close
    Router#show utd engine standard config
    UTD Engine Standard Configuration:

    IPS/IDS : Enabled

    Operation Mode : Intrusion Prevention
    Policy : Security

    Signature Update:
    Server : cisco
    User Name : cisco
    Password : KcEDIO[gYafNZheBHBD`CC\g`_cSeFAAB
    Occurs-at : daily ; Hour: 0; Minute: 0

    Logging:
    Server : 192.168.10.5
    Level : info
    Statistics : Disabled
    Hostname : router
    System IP : Not set

    Whitelist : Enabled
    Whitelist Signature IDs:
    54621, 40

     Port Scan : Disabled

    Web-Filter : Disabled

    Verify the app-hosting state.

    Router#show app-hosting list
    App id                                      State
    ---------------------------------------------------------
    UTD                                         RUNNING

    Verify app-hosting details.

    Router#show app-hosting detail
    App id : UTD
    Owner : ioxm
    State : RUNNING
    Application
    Type : LXC
    Name : UTD-Snort-Feature
    Version : 1.0.7_SV2.9.18.1_XE17.9
    Description : Unified Threat Defense
    Author :
    Path : /bootflash/secapp-utd.17.09.03a.1.0.7_SV2.9.18.1_XE17.9.x86_64.tar
    URL Path :
    Multicast : yes
    Activated profile name :

    Resource reservation
    Memory : 1024 MB
    Disk : 752 MB
    CPU :
    CPU-percent : 25 %
    VCPU : 0

    Platform resource profiles
    Profile Name CPU(unit) Memory(MB) Disk(MB)
    --------------------------------------------------------------

    Attached devices
    Type Name Alias
    ---------------------------------------------
    Disk /tmp/xml/UtdLogMappings-IOX
    Disk /tmp/xml/UtdIpsAlert-IOX
    Disk /tmp/xml/UtdDaqWcapi-IOX
    Disk /tmp/xml/UtdUrlf-IOX
    Disk /tmp/xml/UtdTls-IOX
    Disk /tmp/xml/UtdDaq-IOX
    Disk /tmp/xml/UtdAmp-IOX
    Watchdog watchdog-503.0
    Disk /tmp/binos-IOX
    Disk /opt/var/core
    Disk /tmp/HTX-IOX
    Disk /opt/var
    NIC ieobc_1 ieobc
    Disk _rootfs
    NIC mgmt_1 mgmt
    NIC dp_1_1 net3
    NIC dp_1_0 net2
    Serial/Trace serial3

    Network interfaces
    ---------------------------------------
    eth0:
    MAC address : 54:0e:00:0b:0c:02
    IPv6 address : ::
    Network name :
    eth:
    MAC address : 6c:41:0e:41:6b:08
    IPv6 address : ::
    Network name :
    eth2:
    MAC address : 6c:41:0e:41:6b:09
    IPv6 address : ::
    Network name :
    eth1:
    MAC address : 6c:41:0e:41:6b:0a
    IPv4 address : 192.168.2.2
    IPv6 address : ::
    Network name :

    ----------------------------------------------------------------------
    Process Status Uptime # of restarts
    ----------------------------------------------------------------------
    climgr UP 0Y 0W 0D 21:45:29 2
    logger UP 0Y 0W 0D 19:25:56 0
    snort_1 UP 0Y 0W 0D 19:25:56 0

    Network stats:
    eth0: RX packets:162886, TX packets:163855
    eth1: RX packets:46, TX packets:65

    DNS server:
    domain cisco.com
    nameserver 192.168.90.92

    Coredump file(s): core, lost+found

    Interface: eth2
    ip address: 192.168.2.2/30
    Interface: eth1
    ip address: 192.168.1.2/30

    Address/Mask Next Hop Intf.
    -------------------------------------------------------------------------------
    0.0.0.0/0 192.168.2.1 eth2
    0.0.0.0/0 192.168.1.1 eth1

    Troubleshooting

    1. Assure Cisco Integrated Services Router (ISR) runs XE 16.10.1a and above (For IOx method)

    2. Assure Cisco Integrated Services Router (ISR) is licensed with the Securityk9 feature enabled.

    3. Verify the ISR hardware model is in compliance with the minimum resource profile.

    4. Feature not compatible with Zone-Based Firewall SYN-cookie and Network Address Translation 64 (NAT64)

    5. Confirm UTD service is started after installation.

    6. During the manual Signature package download, ensure the package has the same version as the Snort engine version. The signature package update may fail if there is a version mismatch.

    7. In case of performance issues, use the 'show app-hosting resource' and 'show app-hosting utilization appid ''UTD-NAME' for learning about CPU/Memory/Storage consummation.

    Router#show app-hosting resource
    CPU:
    Quota: 75(Percentage)
    Available: 50(Percentage)
    VCPU:
    Count: 6
    Memory:
    Quota: 10240(MB)
    Available: 9216(MB)
    Storage device: bootflash
    Quota: 4000(MB)
    Available: 4000(MB)
    Storage device: harddisk
    Quota: 20000(MB)
    Available: 19029(MB)
    Storage device: volume-group
    Quota: 190768(MB)
    Available: 169536(MB)
    Storage device: CAF persist-disk
    Quota: 20159(MB)
    Available: 18078(MB)
    Router#show app-hosting utilization appid utd
    Application: utd
    CPU Utilization:
    CPU Allocation: 33 %
    CPU Used: 3 %
    Memory Utilization:
    Memory Allocation: 1024 MB
    Memory Used: 117632 KB
    Disk Utilization:
    Disk Allocation: 711 MB
    Disk Used: 451746 KB

    Warning: If you are able to see high CPU, Memory, or Disk usage, contact Cisco TAC.

    Debugging

    Use the debug commands listed below to gather Snort IPS information in case of a failure.

    debug virtual-service all
    debug virtual-service virtualPortGroup
    debug virtual-service messaging
    debug virtual-service timeout
    debug utd config level error [error, info, warning]
    debug utd engine standard all

    Related Information

    Additional documents related to Snort IPS deployment can be found here:

    Snort IPS Security Configuration Guide

    https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_utd/configuration/xe-17/sec-data-utd-xe-17-book/snort-ips.html

    Virtual Service Resource Profile

    https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_utd/configuration/xe-17/sec-data-utd-xe-17-book/snort-ips.html#id_31952

    Snort IPS on Routers - Step-by-Step configuration.

    https://community.cisco.com/t5/security-knowledge-base/router-security-snort-ips-on-routers-step-by-step-configuration/ta-p/3369186

    Troubleshooting Snort IPS

    https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_utd/configuration/xe-17/sec-data-utd-xe-17-book/snort-ips.html#concept_C3C869E633A6475890475931DF83EBCC

    ISR4K Snort IPS is not deployed since HW does not have enough platform resources

    https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwf57595

    Revision History

    Revision Publish Date Comments
    1.0
    11-Jul-2023
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Juan Carlos Carvente Juarez
      Security Technical Consulting Engineer
    • Fernando Alfredo Garcia Ortega
      Security Technical Consulting Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products