This page serves as the operational manual for CIR Professional.
This documentation currently covers CIR release version 1.0.
Please note that you can always comment on this Wiki or send email to support@cir.recurity-labs.com if you have an idea of how to improve things. And no, you don't have to be a customer.
Installation, Prerequisites and Requirements
CIR Professional comes as an installation package on regular CD-ROM media. Insert the media and locate the program setup.exe in the media's root directory. Running setup.exe starts the installation.

CIR Professional installation
You will have to specify the destination directory by clicking on the Destination link label, check the license agreement if you agree to the terms of the license, and specify the default report directory.
When installing CIR for primary use as a daemon, you should point the daemon working directory to the incoming directory for your core dump files and check the "Run CIR as daemon by default" checkbox.
Any of the default settings can be overridden by command line switches.
Once everything is in order, the Next button becomes available and you can install CIR. The following dialog shows the progress. You can close this dialog using the Close button when the quick installation is done.
Running CIR
The CIR command line program allows you to run CIR either as a standalone program, much like other command line tools, or in daemon mode, where it watches a directory and processes any data placed in it.
Configuring CIR
CIR is configured by circli.exe.config, the program-specific .NET configuration file. The file is in XML format and can be edited in any text editor.
Directory Defaults
The following shows the engine configuration sub-section:
<Cir.Engine outputfolder="K:\CIR\output" daemonWorkDir="K:\CIR\FTP_IN\" setDaemon="false">
<plugins>
<add assembly="*" path=".\Plugins\" />
</plugins>
<platforms>
<add assembly="*" path=".\PlatformPlugins\" />
</platforms>
</Cir.Engine>
The setting outputfolder specifies the default destination for CIR to place the report if no other location was given on the command line. This setting only applies to standalone processing.
The setting daemonWorkDir sets the directory monitored by CIR in daemon mode. The Boolean setting setDaemon sets the default for CIR's behavior when started without additional command line options.
The sections plugins and platforms can be used to individually add plugins or platform plugins to CIR that are located in other directories.
Logging
The following sub-section shows the logging settings for CIR. CIR uses log4net.
<log4net>
<appender name="ConsoleAppender" type="log4net.Appender.ConsoleAppender">
<layout type="log4net.Layout.PatternLayout">
<conversionPattern value="%message %newline" />
</layout>
</appender>
<appender name="FileAppender" type="log4net.Appender.FileAppender">
<file value="cir-cli.log" />
<appendToFile value="true" />
<layout type="log4net.Layout.PatternLayout">
<conversionPattern value="%date %thread %-5level [%logger] - %message%newline" />
</layout>
</appender>
<root>
<level value="INFO" />
<appender-ref ref="FileAppender" />
<appender-ref ref="ConsoleAppender" />
</root>
</log4net>
As with all log4net applications, you can define appenders, which route the log information to different destinations. As you can see in the above example, the conversionPattern setting allows you to configure the layout of the log messages depending on where they go.
It is recommended to have at least one appender writing to a file, so that debug log files can be produced for support cases.
The sub-section root finally references the appenders specified before and activates logging.
Running Standalone
To run CIR standalone, you can simply start the program in a command line window, which shows the following help screen:
CIR - Cisco Incident Response. Copyright (c) 2008, Recurity Labs GmbH. All rights reserved
Name
circli.exe [Version 1.0.0.0]
Synopsis
circli.exe [options]
Description
CIR - Cisco Incident Response commandline interface
Options
-o, --output
(Type: Value optional, Value Type:[String])
The path to the CIR output directory. This option overrides the
option configured in the application configuration.
-d, --daemon
(Type: Value required, Value Type:[String])
Executes the CIR-CLI as a daemon if set to true. This option
overrides the setDaemon option configured in the application
configuration.
-w, --workdir
(Type: Value required, Value Type:[String])
Sets the daemon working directory path if the CIR-CLI is executed
in daemon daemon. This option overrides the daemon working
directory configured in the application configuration.
-e, --elf
(Type: Value required, Value Type:[String])
The path to the IOS image file.
-c, --core
(Type: Value required, Value Type:[String])
The path to the IOS core file.
-i, --iocore
(Type: Value optional, Value Type:[String])
The path to the IOS IOcore file.
-h, --help
(Type: Flag, Value Type:[Boolean])
Prints this help message.
A typical CIR command line would look like this:
circli -o x:\path\to\output\ -e x:\path\to\image\cABCD-i-mz-XYZ.bin -c x:\path\to\core\core -i x:\path\to\coreiomem
You can also specify paths in UNC notation, such as \\servername\share\path.
CIR will output the plugins loaded and executed as well as their individual progress. Once processing is done, CIR will stop and wait for a key press before terminating. This allows the user to inspect the output before control is handed back to the calling process.
Running in Daemon Mode
When running in daemon mode (either by configuration default or by the command line switch -d), CIR will monitor the specified daemon directory (-w option) for sub-directories.
Directory Structure
The daemon directory must contain sub-directories; their names may be arbitrary. This mode is intended for FTP server installations that serve a large number of Cisco IOS devices writing core dumps to them. Consider the following directory structure:
c:\ftp\
c:\ftp\router1\
c:\ftp\router2\
c:\ftp\router3\
The FTP server can be configured to change the virtual root directory to c:\ftp\router1 when Router1 connects, to c:\ftp\router2 when Router2 connects, and so forth.
To prepare for daemon mode processing, the administrator only needs to place the known-to-be-good IOS image that corresponds to each router's running image into the respective directory under the file name image, as seen below:
c:\ftp\
c:\ftp\router1\
c:\ftp\router1\image
c:\ftp\router2\
c:\ftp\router2\image
c:\ftp\router3\
c:\ftp\router3\image
Writing Core and Reporting
Once a router writes core to the FTP server, the core and coreiomem files are created in its respective directory:
c:\ftp\
c:\ftp\router1\
c:\ftp\router1\image
c:\ftp\router2\
c:\ftp\router2\image
c:\ftp\router2\core
c:\ftp\router2\coreiomem
c:\ftp\router3\
c:\ftp\router3\image
When CIR in daemon mode identifies a directory that contains files named image, core and coreiomem, it begins processing the case. When processing is done, the report files (see below) are placed in the same directory.
Restarting processing
If the administrator would like the processing of a core dump to be repeated, for example following a CIR upgrade, the primary report file report.xml must be deleted. Once this file is missing, the core is reprocessed and the report recreated from scratch.
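The daemon-mode rules above (a case directory needs image, core and coreiomem; an existing report.xml means the case is done and must be deleted to reprocess it) can be checked from the administrator's side with the following script. It is an added example, not part of CIR or this manual; the file names come from the page, the state names ("waiting", "ready", "done") and the sample tree are constructed for illustration.

```python
import os
import tempfile
REQUIRED = ("image", "core", "coreiomem")  # files the daemon waits for per case
PRIMARY_REPORT = "report.xml"              # while present, the case is not redone


def classify_case(case_dir):
    """Return 'waiting', 'ready' or 'done' for one router sub-directory."""
    present = {name for name in os.listdir(case_dir)
               if os.path.isfile(os.path.join(case_dir, name))}
    if not all(name in present for name in REQUIRED):
        return "waiting"   # image staged but no core yet, or no image at all
    if PRIMARY_REPORT in present:
        return "done"      # already processed; delete report.xml to redo it
    return "ready"         # image + core + coreiomem present, no report yet


def scan_daemon_dir(work_dir):
    """Map every sub-directory of the daemon work dir to its case state."""
    states = {}
    for entry in sorted(os.listdir(work_dir)):
        path = os.path.join(work_dir, entry)
        if os.path.isdir(path):            # only sub-directories are cases
            states[entry] = classify_case(path)
    return states


def request_reprocessing(work_dir, router):
    """Delete report.xml for one router; True if removed, False if none."""
    report = os.path.join(work_dir, router, PRIMARY_REPORT)
    if os.path.isfile(report):
        os.remove(report)
        return True
    return False


def build_sample_tree():
    """Constructed sample tree mirroring the router1/router2/router3 layout."""
    root = tempfile.mkdtemp(prefix="cir_ftp_")
    layout = {
        "router1": ["image"],                                     # waiting
        "router2": ["image", "core", "coreiomem"],                # ready
        "router3": ["image", "core", "coreiomem", "report.xml"],  # done
    }
    for router, files in layout.items():
        os.makedirs(os.path.join(root, router))
        for name in files:
            open(os.path.join(root, router, name), "wb").close()
    return root
```

Running scan_daemon_dir against the real daemonWorkDir shows which routers have delivered a core that has not yet been reported on.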
CIR Reports
Report files
A CIR report always consists of the following files written to the output directory:
report.xml - the primary report database
report-summary.html - the report summary
report-detailed.html - the detailed report
cir.css - formatting
CIRlogo.png - logo
Depending on your plugin set, you may also get additional files:
PacketHeader.pcap - packet extraction dump, view with Wireshark.
HeapUseGraph.tgf - a Trivial Graph Format file, showing the relation between allocated heap blocks and processes. View with yEd.