Cisco Secure IDS 4210
-------------------------------------------------

Hardware:
  Intel Celeron 566 MHz
  512 MB RAM
  AMIBIOS
  1 PS/2 mouse
  1 PS/2 keyboard
  2 USB - Intel Corp 82371AB/EB/MB PIIX4
  2 Ethernet - Intel Ethernet Pro/100
  2 serial ports
  1 HD15 - ATI RAGE XL
  1 1.44 floppy
  1 ATAPI CD-ROM
  1 IDE drive - 18 gig, whatever

Initial build: Red Hat

I hate Cisco IDS. I hate it, I hate it, I hate it. It is truly a pile.

Let me give you a bit of background. I am an open source advocate by nature, and have been running Debian since version 1.0/1.3. I can utilize lots of different types of UNIX and Linux, but Debian is my favorite. Naturally, I try to deploy as many Debian machines as possible inside a corporate environment, to prove not only that it is a very stable operating platform, but also that it is easy (read: cost efficient) to maintain. I have been blessed by the gods with a Cisco Secure IDS model 4210, on which I will install my favorite configuration, on the platform I hate the most.

As well as being a Debian fanatic, I am also into Snort IDS. Snort IDS is hands down one of the best network-based intrusion detection systems available, and it's free. Cisco Secure costs way too much money, and does not give a real network security analyst what they need to make problem determination.

So, to bring you up to speed: I have booted the sensor, and it boots its Red Hat image. Red Hat is such a pain, but it is better than Solaris x86, which is what these things used to ship with. I am going to cut some corners and log in to this sensor, and steal hardware information, as well as old network variables, so I can place my creation into production as soon as possible. Upon logging in, the root password is not what I was told. My boss, being the busy man he is, is on the phone, in a locked office. I guess I will do what I am known for doing: I will break the machine. This is no big deal, as I have physical access. I will deftly grab my Debian 3.0 ISO, and slap it into the laptop-like ATAPI CD-ROM.
I will power cycle the sensor, which sounds like a 747 on crack, and watch the POST. Still waiting for it to POST. Let me grab a Red Bull and get back to you... Still waiting for it to POST.

While I am waiting, I will reflect on my thoughts... I see absolutely no reason why what I am doing should not work. The sensor is an x86 architecture machine, with a Celery 566. It runs Red Hat already, so all we need to do is install Debian, Snort, and add our secret sauce (which is a trademark of me, and my skills in this particular niche of the computing world).

Ahhh, now the machine is booted, and the Red Bull tastes good. I am at the Debian install screen, so please let me do some magic... *cough* bf24 *cough* And the blue screen of life appears. What I will do now is mount the drive and edit /etc/shadow, removing the root password, and we will be on our way.

Okay, I have removed the root password from /target/etc/shadow and rebooted the system. Now we are POSTing... again. Please, if you are following along at home, feel free to get yourself a tasty Red Bull... Still POSTing... Okay, back to GRUB... I prefer LILO. It boots. Now we get the green ANSI OK checks, and soon we will be back to a prompt.

Congratulations, I have now owned a Cisco Secure IDS sensor from the console. Child's play.

Okay, the first thing I am going to look at here is lspci. It gives me a bunch of junk that says INTEL PIIX4, which means, yes, it's old, and very supported. The video adapter is an ATI Rage XL, and the host bridge is a 440BX/ZX/DX. This will be a cake walk. The kernel is a 2.4.18-5smpbigphys, which means that yes, it is very ownable. Very ownable. Almost tragic. I am tempted to own the machine from the command line just to say that I have. A check of the process list shows that this machine has everything that a normal Red Hat Linux box has, except that most of the ps output is listing processes owned by cids, the Cisco IDS software stuff... We really don't care about that.
What we DO care about is the network configuration, which is proprietary to you, the dear reader, and essential for me, as I have to have this thing back in the rack before anyone realizes that it's, err... missing. =)

So, I have just taken all the data that I need to complete my mission, so I will reboot this machine with my trusty Debian CD. Rebooting the sensor... I will note that I have seen this particular machine before, in my last job, where we deployed 1500 Linux machines... If this is that particular revision of the Intel 1U, it is prone to heat problems. POSTing... again. Take a smoke break or something.

So, back to the Debian screen. I will install a base system of Debian quickly... It's no big deal, as I always run SID, so this stuff will be upgraded via the network... Just to let you know, I am using the bf24 kernel option of the Debian 3.0 install ISO. I am, of course, doing the standard base install, but I am repartitioning, and I will be installing the ext3 filesystem. I have just written my partition table to disk... and now I am initializing. The drive initialization is complete... No problems whatsoever. The longest part of this process when it comes to drive init is the journal creation. I am very impatient at this point, as it's close to time to go home.

My first set of drivers is coming from the CD... I fully plan to deploy this machine into production with a 2.4.25 kernel that will have some trickery included. The main thing I am worried about grabbing is the eepro driver, which is very old and supported. I have selected that, and I will configure my network settings via my own personal DHCP server... I have a nice little test environment here in my cube, so this won't be a problem. DHCP of course works, and life is peachy. I am installing the base system now, and preparing to go home. I will leave this article off on a good note, one where we have successfully booted Debian off a Cisco Secure IDS sensor.
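The two console-side steps above (blanking the root hash in the old install's /etc/shadow from the rescue boot, then lifting the old network settings before the drive is wiped) are worth seeing as a script rather than as hand edits. This is an added example, not part of the original post: it assumes the old root is mounted the way the bf24 installer does it (a prefix such as /target) and that the Red Hat install keeps its settings in /etc/sysconfig/network and /etc/sysconfig/network-scripts/ifcfg-eth*. The sample tree it builds, the hash in it, and the 192.0.2.x addresses are all constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original post). Works on a mounted target root,
# e.g. /target after booting the Debian 3.0 bf24 rescue kernel.
set -eu

# Blank the root password hash in "$1/etc/shadow", keeping a .bak copy of the
# original. Prints the rewritten root line so the caller can check it.
blank_root_hash() {
    shadow="$1/etc/shadow"
    cp "$shadow" "$shadow.bak"
    # Field 2 of the root record is the hash; emptying it means "no password".
    # Every other field (last change, min/max age, etc.) is left alone.
    awk -F: 'BEGIN { OFS = ":" } $1 == "root" { $2 = "" } { print }' \
        "$shadow.bak" > "$shadow"
    grep '^root:' "$shadow"
}

# Print the Red Hat network variables worth carrying into the new install,
# one KEY=VALUE per line, plus the old resolver entries.
harvest_network() {
    root="$1"
    for f in "$root"/etc/sysconfig/network \
             "$root"/etc/sysconfig/network-scripts/ifcfg-eth*; do
        [ -f "$f" ] || continue
        grep -E '^(DEVICE|BOOTPROTO|IPADDR|NETMASK|GATEWAY|HOSTNAME)=' "$f" || true
    done
    grep -E '^nameserver' "$root/etc/resolv.conf" 2>/dev/null || true
}

# Build a constructed stand-in for the mounted sensor root so the functions
# above can be exercised without a real 4210. Nothing here is a real credential.
make_sample_target() {
    t="$(mktemp -d)"
    mkdir -p "$t/etc/sysconfig/network-scripts"
    printf '%s\n' \
        'root:$1$xyzzy$notarealhashAAAAAAAAAAAAA:12345:0:99999:7:::' \
        'cids:!!:12345:0:99999:7:::' > "$t/etc/shadow"
    printf '%s\n' 'NETWORKING=yes' 'HOSTNAME=sensor1' 'GATEWAY=192.0.2.1' \
        > "$t/etc/sysconfig/network"
    printf '%s\n' 'DEVICE=eth0' 'BOOTPROTO=static' 'IPADDR=192.0.2.10' \
        'NETMASK=255.255.255.0' > "$t/etc/sysconfig/network-scripts/ifcfg-eth0"
    printf 'nameserver 192.0.2.53\n' > "$t/etc/resolv.conf"
    printf '%s\n' "$t"
}

# Usage: on the real box you would pass /target instead of the sample tree.
TARGET="$(make_sample_target)"
blank_root_hash "$TARGET"
harvest_network "$TARGET"
```

The defensive point hiding in this exercise is the one the post states in passing: with physical access, a CD-bootable BIOS, and an unencrypted disk, the sensor's shadow file and its entire network configuration are available to whoever is standing at the console, and no amount of IDS software on the box changes that.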
There is absolutely NO TRICK to this, because like I said before, this is an x86 machine. I find it amusing, though, because I absolutely _HATE_ Cisco Secure IDS.

I have made the system bootable, installed my MBR on /dev/hda, and now I am rebooting. It is, of course, going to take another good while to POST. In this time I have packed up my very pimplike Gateway M675 laptop, and gathered up my odds and ends. POSTing... Wasn't there some kind of major flaw with the 440BXs? I don't know... It's POSTing. The LILO prompt has appeared and now it's booting the stock bf24 kernel.

Now I will configure the base system, and prepare it to take my specific package loadout, and of course, my "special sauce". Tomorrow, I will have a functioning Debian box running Snort, created from a Cisco Secure IDS model 4210. It will report back to a custom backend, and tell me everything I need to know about YOU!

It's been fun. Remember, when the man has you down, replace him with a small shell script. Peace.