Recurity Labs CIR Documentation


This page serves as the operational manual for CIR Professional.
This documentation currently covers CIR release version 1.0.

Please note that you can always comment on this Wiki or send email to if you got an idea of how to improve things. And no, you don't have to be a customer.

Edit

Installation, Prerequisites and Requirements

CIR Professional comes as installation package on a regular CD-ROM media. Insert the media and locate the program setup.exe in the media's root directory. Running setup.exe starts the installation.
CIR Professional installation

CIR Professional installation


You will have to specify the destination directory by clicking on the Destination link label, check the license agreement if you agree to the terms of the license and specify the default report directory.

When installing CIR for primary use as daemon, you should point the daemon working directory to the incoming directory for your core dump files and check the "Run CIR as daemon by default" checkbox.

Any of the default settings can be overridden by command line switches.

Once everything is in order, the Next button becomes available and you can install CIR. The following dialog will show the progress. You can close the following dialog using the Close button when the quick installation is done.
Edit

Running CIR

The CIR command line program allows you to run CIR either as standalone program, much like other command line tools. Alternatively, you can run CIR in daemon mode, so it can watch a directory and process any data that might be thrown at it.

Edit

Configuring CIR

CIR is configured by the circli.exe.config program dependent .NET configuration file.
The file is in XML format and can be edited in any text editor.

Edit

Directory Defaults

The following shows the engine configuration sub-section:

  <Cir.Engine outputfolder="K:\CIR\output" daemonWorkDir="K:\CIR\FTP_IN\" setDaemon="false">

    <plugins>

      <add assembly="*" path=".\Plugins\" />

    </plugins>

    <platforms>

      <add assembly="*" path=".\PlatformPlugins\" />

    </platforms>

  </Cir.Engine>

The setting outputfolder specifies the default destination for CIR to place the report, if no other information was given in the command line. This setting only applies to standalone processing.

The setting daemonWorkDir sets the directory monitored by CIR in daemon mode. The following Boolean variable setDaemon sets the default for CIR's behavior when started without additional command line options.

The sections plugins and platforms can be used to individually add plugins or platform plugins to CIR that are located in different directories.

Edit

Logging

The following sub-section shows the logging settings for CIR. CIR uses log4net.

  <log4net>

    <appender name="ConsoleAppender" type="log4net.Appender.ConsoleAppender">

      <layout type="log4net.Layout.PatternLayout">

        <conversionPattern value="%message %newline" />

      </layout>

    </appender>

    <appender name="FileAppender" type="log4net.Appender.FileAppender">

      <file value="cir-cli.log" />

      <appendToFile value="true" />

      <layout type="log4net.Layout.PatternLayout">

        <conversionPattern value="%date %thread %-5level %logger] - %message%newline" />

      </layout>

    </appender>

    <root>

      <level value="INFO" />

      <appender-ref ref="FileAppender" />

      <appender-ref ref="ConsoleAppender" />

    </root>

  </log4net>

As with all log4net applications, you can define appender, which channel the log information into different channels. As you can see in the above example, the conversionPattern setting allows you to configure the layout of the log messages depending on where they go.
It is recommended to have at least on appender into a file, allowing to produce debug log files for support cases.
The sub-section root finally simply references the appender specified before and activates logging.

Edit

Running Standalone

To run CIR standalone, you can just start the program in a command line window and obtain the following help screen:

CIR - Cisco Incident Response. Copyright (c) 2008, Recurity Labs GmbH. All rights reserved

Name



    circli.exe  [Version 1.0.0.0]



Synopsis



    circli.exe [options]



Description



    CIR -  Cisco Incident Response commandline interface





    Options



        -o, --output

            (Type: Value optional, Value Type:[String])

            The path to the CIR output directory. This option overrides the

                option configured in the application configuration.



        -d, --daemon

            (Type: Value required, Value Type:[String])

            Executes the CIR-CLI as a daemon if set to true. This option

                overrides the setDaemon option configured in the application

                configuration.



        -w, --workdir

            (Type: Value required, Value Type:[String])

            Sets the daemon working directory path if the CIR-CLI is executed

                in daemon daemon. This option overrides the daemon working

                directory configured in the application configuration.



        -e, --elf

            (Type: Value required, Value Type:[String])

            The path to the IOS image file.



        -c, --core

            (Type: Value required, Value Type:[String])

            The path to the IOS core file.



        -i, --iocore

            (Type: Value optional, Value Type:[String])

            The path to the IOS IOcore file.



        -h, --help

            (Type: Flag, Value Type:[Boolean])

            Prints this help message.

A typical CIR command line would look like this:
circli -o x:\path\to\output\ -e x:\path\to\image\cABCD-i-mz-XYZ.bin -c x:\path\to\core\core -i x:\path\to\coreiomem

You can also specify paths in UNC notation, such as \\servername\share\path.

CIR will output the plugins loaded and executed as well as their individual progress. Once processing is done, CIR will stop and request a key pressed to terminate. This allows the user to inspect the output before control is handed back to the calling process.

Edit

Running in Daemon Mode

When running in daemon mode (either by configuration default or by command line switch -d), CIR will monitor the specified daemon directory (-w option) for sub-directories.

Edit

Directory Structure

The daemon directory structure must contain sub-directories. The name of the directory may be arbitrary. This mode is used for FTP server installations that serve a large number of Cisco IOS devices writing core to them. Consider the following directory structure:
 

c:\ftp\

c:\ftp\router1\

c:\ftp\router2\

c:\ftp\router3\

The FTP server can be configured to change the virtual root directory to c:\ftp\router1 when Router1 connects, to c:\ftp\router2 when Router2 connects and so forth.

To prepare the daemon mode processing, the administrator only needs to place the known-to-be-good IOS images that correspond to the router's image into the respective directory with the file name image}, as seen below:
 

c:\ftp\

c:\ftp\router1\

c:\ftp\router1\image

c:\ftp\router2\

c:\ftp\router2\image

c:\ftp\router3\

c:\ftp\router3\image

Edit

Writing Core and Reporting

Once a router writes core to the FTP server, the core and coreiomem files will be created in it's respective directory:
 

c:\ftp\

c:\ftp\router1\

c:\ftp\router1\image

c:\ftp\router2\

c:\ftp\router2\image

c:\ftp\router2\core

c:\ftp\router2\coreiomem

c:\ftp\router3\

c:\ftp\router3\image

When CIR in daemon mode identifies a directory that contains files with the names image,core and coreiomem, it begins processing of the case. When processing is done, the report files (see below) will be placed in the same directory.

Edit

Restarting processing

In the case the administrator would like the processing of a core dump to be repeated, for example following a CIR upgrade, the primary report file report.xml must be deleted. Once this file is missing, the core will be reprocessed and the report recreated from the scratch.

Edit

CIR Reports

Edit

Report files

A CIR report always consists of the following files written to the output directory:
report.xml - the primary report database
report-summary.html - the report summary
report-detailed.html - the detailed report
cir.css - formating
CIRlogo.png - logo


Additionally, and depending on your plugin set, you will also get additional files:
PacketHeader.pcap - packet extraction dump, view with Wireshark.
{{HeapUseGraph.tgf - a Trivial Graph Format file, showing the relation between allocated heap blocks and processes. View with yEd.