How to emulate Cisco IPS

If you are studying for CCIE Security or any Cisco-related certification, you need to work on IPS. In this detailed tutorial, I will show you how to emulate Cisco Intrusion Prevention System (IPS) 6 using Qemu & GNS3. I will be emulating IPS 4235 v 6.0.6(E3) in this tutorial. You can run up to 4 virtual sensors starting with IPS-4235u v 6.0. In a future blog post, I will also show you how to run virtual sensors, configure IPS for sensing interfaces using interface pair, inline VLAN pair etc. & connect to IPS6 using ASDM. In this guide, I will set up the sensor for 5 1000Mbps interfaces, with Management0/0 being used for Command & Control (C&C) & the remaining 4 interfaces (GigabitEthernet 0/0 – GigabitEthernet 0/3) as sensing interfaces.

First & foremost, install the latest version of GNS3, i.e. GNS3 v0.7.3, if you haven’t already done so. Next, the Cisco IPS Recovery CD will be required. You should be able to get one from your CCO account on

Disclaimer: This tutorial is for learning purposes only. You can download the Cisco IPS Recovery image from CCO directly. Otherwise, it shouldn’t be hard to get one from the internet using some googling skills :) I will NOT provide any images, so please refrain from asking me, as I won’t entertain any such requests/emails.

Now, let’s get started. I will be breaking it down into several steps.

Software Version Used in this tutorial:

  • -> Platform : Windows 7 64bit edition (Tutorial will work on any OS )
  • -> GNS3 Version : v0.7.3
  • -> IPS Sensor Version : IPS 4235 v 6.0.6(E3)
  • -> Qemu Version : 0.11.0
  • -> Reference :

NOTE: Screenshots might get cropped on the blog post, so click on a thumbnail to view the full image. If you want to download the tutorial, see the end of this tutorial for the GNS3 configuration file & PDF version of this tutorial.


Step 1 : Create 2 Disk Images (hda & hdb)

IPS disk creation

Step 2 : Load IPS CD image using qemu

IPS Image Recovery Process

When qemu boots, press ‘k’ to start the re-imaging process (image recovery). When re-imaging is done, the software reloads, and qemu pauses at the BIOS screen complaining about boot issues. Exit the qemu process (using Ctrl-C).

Step 3 :  Boot from the Re-Imaged Disks

The next step is to boot from the disk. When the system starts, you need to modify the grub boot entry to make sure the system starts at runlevel 1.

At the grub menu, press “e” to edit the first boot entry. In the following menu, select the 2nd line (that starts with “kernel=”) and press “e” again. Change the option init=/loadrc to init=1, then press Enter followed by “b” to boot.

The IPS software now boots into runlevel 1. When prompted, press Enter and issue the following commands:

 cd /etc/init.d
 cp ids_functions ids_functions.orig
 vi ids_functions

In the resulting file, search for the string “845” (with /845); it will jump to the section which looks like this:

 elif [[ `isCPU 845` -eq $TRUE && $NUM_OF_PROCS -eq 1 ]]; then

Replace the first line (the elif statement) and the variables DEFAULT_MGT_OS and DEFAULT_MGT_CIDS with the following:

 elif [[ 1 -eq 1 ]]; then

Save and exit vi.
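A way to check the elif replacement against the ids_functions.orig backup before rebooting, since commenters below trace boot failures to typos in the edited files. This is an added example, not part of the original tutorial: the function names, the temporary paths and every line of the sample file other than the two elif lines shown above are assumptions, and it is meant to be run on a copy of the file on any host with a POSIX shell and awk.

```shell
#!/bin/sh
# Added example: apply and verify the Step 3 edit on a copy of ids_functions.
# Only the two elif lines come from the tutorial; the rest of the sample file
# (other branch, MODEL and DEFAULT_* values) is constructed for illustration.

OLD_TEST='elif [[ `isCPU 845` -eq $TRUE && $NUM_OF_PROCS -eq 1 ]]; then'
NEW_TEST='elif [[ 1 -eq 1 ]]; then'

# Write a constructed stand-in for /etc/init.d/ids_functions to path $1.
make_sample() {
    cat > "$1" <<'EOF'
if [[ `isCPU 000` -eq $TRUE ]]; then
    MODEL="constructed-model-a"
elif [[ `isCPU 845` -eq $TRUE && $NUM_OF_PROCS -eq 1 ]]; then
    MODEL="constructed-model-b"
    DEFAULT_MGT_OS="constructed-os-name"
    DEFAULT_MGT_CIDS="constructed-cids-name"
fi
EOF
}

# Back up $1 to $1.orig (as the tutorial does with cp), then swap the platform
# test for the always-true one, keeping the line's indentation. The DEFAULT_*
# variables are left alone: their new values are not given on the page.
apply_edit() {
    cp "$1" "$1.orig" || return 1
    awk -v old="$OLD_TEST" -v new="$NEW_TEST" '
        {
            body = $0;   sub(/^[ \t]+/, "", body)       # line without indent
            indent = $0; sub(/[^ \t].*$/, "", indent)   # indent only
            if (body == old) print indent new; else print
        }
    ' "$1.orig" > "$1"
}

# Number of lines that differ between the backup and the edited file.
changed_line_count() {
    diff "$1.orig" "$1" | grep -c '^>' || true
}

# Succeeds only if the old platform test is gone, the new test appears exactly
# once, and no line was accidentally added or deleted while editing.
verify_edit() {
    old_hits=$(grep -cF -- "$OLD_TEST" "$1" || true)
    new_hits=$(grep -cF -- "$NEW_TEST" "$1" || true)
    orig_len=$(wc -l < "$1.orig" | tr -d ' ')
    new_len=$(wc -l < "$1" | tr -d ' ')
    [ "$old_hits" -eq 0 ] && [ "$new_hits" -eq 1 ] && [ "$orig_len" -eq "$new_len" ]
}

# Demonstration on a temporary copy of the constructed sample.
demo_dir=$(mktemp -d)
make_sample "$demo_dir/ids_functions"
apply_edit "$demo_dir/ids_functions"
if verify_edit "$demo_dir/ids_functions"; then
    echo "edit verified, $(changed_line_count "$demo_dir/ids_functions") line(s) differ from ids_functions.orig"
else
    echo "edit does not match the tutorial; restore ids_functions.orig and retry"
fi
rm -rf "$demo_dir"
```

After the real edit in vi, the same comparison against ids_functions.orig should additionally list the DEFAULT_MGT_OS and DEFAULT_MGT_CIDS lines as changed.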

Step 4: Map the emulated NIC cards to the IPS interface



Now, let’s adjust the process of mapping the emulated NIC cards to the IPS interfaces. Issue the following commands:

 cd /usr/cids/idsRoot/etc
 cp interface.conf interface.conf.orig
 vi interface.conf

Move forward to the section that deals with the 4235 sensor.  You only need to make modifications at the [models/IDS-4250/interfaces/X] sections.

Edit the section. The result should look like the following:






Follow the Screenshots :

Save the changes and exit vi. The system changes are done; now reload the device.

The device will reload a couple of times, then prompt you to change the password & that’s it!

GNS3 Specific Configuration :



Next, edit the Preferences menu in GNS3 & make the IPS Qemu settings as shown [under Qemu Options, modify the smbios settings to remove the Unsupported platform error]:

Create the topology in GNS3 & boot the sensor. Access the CLI & also access it via IDM (IPS Device Manager) as shown.

Now you have a FULL-BLOWN IPS Sensor at your disposal. ENJOY !!!

In the next tutorial, I will help you fine-tune the sensor, e.g. set up multiple virtual sensors, reduce CPU load to less than 5% (Qemu optimization), tune signatures, connect & configure sensing interfaces in GNS3 etc. Stay tuned!

NOTE: Refer to the original wiki document mentioned in Reference if you want to understand the nitty-gritty. Thanks to “tranzitwww” for his comments.

If you find this tutorial useful in your studies & want to download it for offline viewing, the link is provided below. The download package contains the GNS3 configuration file (.net), a PDF version of this tutorial, separate full-resolution screenshots etc.


108 Responses to “How to emulate Cisco IPS”

  1. ahmad says:


    Is there any ETA for the next tutorial, since all is working fine with this tutorial, and I’m waiting for the next one to complete the IPS?

  2. mohsaf says:

    I followed above step 1 and 2 at step 2 when i type C:\Program Files\GNS3> qemu.exe -hda ipsdisk1.img -hdb ipsdisk2.img -m 1024 –cdrom IPS-K9-cd-1.1-a-6.0-6-E3.iso -boot d

    it showed as below
    booting from cd-rom….
    cdrom boot failure code : 0003
    Boot failed could not read the boot disk
    FATAL no bootable device
    i tried without -boot d also same results
    can anybody help me to solve the issue
    Thanks in advance
    waiting for reply

  3. mohsaf says:

    i had IPS-K9-cd-1.1-a-6.0-6-E3.iso downloaded and written to a cd and the CD also loaded to cdrom

  4. Siva Vadakandra says:

    Hi There, It is simply great to have such tool to practice IPS stuff.

    i did follow the whole set of instructions given in this page and finally got the SENSOR prompt. But when i integrate with GNS3 and dragging the IDS to drawing space and did start the IPS, at some stage it is throwing “KERNAL PANIC: no killable processes.” and then it halts there.

    hence please let me know, how to get rid of this trouble to run the IPS successfully.

    Siva S Vadakandra
    510 468 2367

  5. mohsaf says:

    can anybody comment on my issue that is after step 2 it shows as
    booting from cd-rom….
    cdrom boot failure code : 0003
    Boot failed could not read the boot disk
    FATAL no bootable device
    i tried without -boot d also same results
    can anybody help me to solve the issue
    Thanks in advance
    waiting for reply

  6. secguy says:

    hi all,

    my sensor is up, ana engine is ok to start, but i cant pass traffic thru ips in inline mode, any idea pls share.


  7. sk says:

    Hello, I can emulate the IPS successfully
    but the cpu of ips usage all up the 100%
    i cannot do anything
    how can i do ??

  8. Robbi says:

    thank you!! This is perfect for CCIE security labs. My GNS3 setup is fully configured thanks to you! :D


  9. geoux says:

    To secguy:

    make sure two interfaces you’re using are up, enabled and assigned to some virtual sensor, say vs0.

    You may also use

    packet display gigabitEthernet0/0
    packet display gigabitEthernet0/1

    from CLI to see if traffic is reaching the sensor at all. If you use other pair of ints,
    change as appropriate. You should see traffic flow in both cases.

    Finally, try changing speed and/or duplex in interface configuration.


  10. geoux says:

    For sk:

    you may try BES software to limit the CPU usage for QEMU process under which IPS is running.

    You can find BES here:

    I wouldn’t expect much, but until Tariq show us how to optimize IPS resource utilization it is your best bet.

    You can of course switch to dual or quad core CPU. In that case QEMU will still eat up one whole core, but you will have another or three of them for other stuff.


  11. rnutter says:

    Thanks for the instructions. Having a little problem with getting the sensor to come up in GNS3 (latest version on Windows). If I follow step 2 where you load the IPS image directly in QEMU, it loads giving the messages about no license and unsupported hardware. I followed the setup instructions in your tutorial on the setup for GNS3. It comes most of the way up and then I get the following – EXT-fs: unable to read superblock,
    mount: Mounting /dev/data on /usr/cids/idsRoot/var failed: Invalid argument
    mount: Mounting none on /usr/cids/idsRoot/var/eventStore failed: No such file or directory

    Any suggestions ?

  12. karim says:

    I get this error ,

    Would you like to run cidDump?[no]:”

    I can ping my ips from a loopback interface. I can not run IDM .

    can you pls help

  13. bimdawg says:

    Anybody figure out how to update signatures yet? With no license-key, not sure if we can spoof a serial # or add in the new sigs during the qemu build. Ideas?

  14. Kong Rathanak says:

    Thanks for your value tutorial, but I have problem with login info, could you provide me the default? and one more thing regarding to license, it display a License Notice said that there is no license install.

  15. John says:

    Thanks great for this tutorial. It really helpful. But I am facing some issue here

    I followed the steps and It seems working when I run qemu from command line.

    qemu -hda ips-disk1.img -hdb ips-disk2.img -m 1024

    getting three boot option and when I select Cisco IPS and get a sensor prompt.

    But When I use the GNS3 and start IDS will getting a below error

    kernel panic : Out of memory and no killable processes

    any help is highly appreciated here.

  16. innocent says:

    May someone who got this working with Windows 7(64-bit)please tell us how you mounted the iso image? I get the “no bootable device error” like mohsaf

  17. innocent says:

    I used this line and it worked:
    qemu.exe -hda ips-disk1.img -hdb ips-disk2.img -m 1024 -cdrom C:\CCIE-SEC\GNS3\GNS3.0.7\IOS\IPS-K9-cd-1.1-a-6.0-6-E3.iso -boot d

    You will obviously need to put the correct path- whereever your image is

  18. psypher246 says:

    To anyone getting the following error after following all these procedures:

    mainapp has not started and do you want to do ciddump.

    This error means that something is wrong in your interfaces file. Adjust the file PRECISELY as written above. letter for letter. there is a line or two you need to delete, not just adjust. I spent 2 days trying to figure this out, no-one explains it. I have just gotten my IPS to boot for the 1st time in GNS3, so I cannot confirm if anything else is working. Also for a linux howto, go to:
    I followed that and also had the same errors, until my interfaces file was identical. I am running the 6.0.6 E3 image.

    Thanks for the great howto!

  19. markaulif says:

    I have followed steps properly. At “GNS3:Specific Configuration:” when IDS starts at the command prompt I found
    “Warning: MainApp has not started, please try again later.
    Would you like to run cidDump?[no]: ”
    I could not access “sensor# ”
    Please help me out this problem

  20. haraka says:

    I am missing something here. I am able to get this running on GNS3. But How can I link command & control interface to some other device (e.g to a switch). I tried with all available interfaces (e0,e1,e2), but no success. Any suggestions?

  21. Dawood Khan says:

    i did follow the whole set of instructions given in this page and finally got the SENSOR prompt. But when i integrate with GNS3 and dragging the IDS to drawing space and did start the IPS. qemu given an error “FATEL No bootable device”

  22. AgentPhunk says:

    I know you will think I’m crazy, but:

    I want to install Snort IPS on a -real- Cisco IPS sensor. I have a few dozen sensor modules in ASA’s and I’ve found the Emerging Threats ( signatures to be way better than what Cisco provides. My goal would be to turn off the Cisco IPS sensor processes and just run Snort. The benefit would be a rock-solid hardware platform that is already inline, with sigs that actually work.

    I think I just need pcap and pcre, and then a pre-compiled snort. There is no GCC on the box, but there is ./lib/

    I think I need to cross-compile gcc on another box and then bring it over, as is described here:

    I assume Cisco IPS is based on the 2.4.30 kernel:
    Linux CISCOSEN1 2.4.30-IDS-smp-bigphys #2 SMP Tue Aug 18 13:05:49 UTC 2009 i686 unknown

    Any help will be GREATLY appreciated!

  23. Phil says:

    I am running winxp and placed the IPS 4235 v 6.0.6(E3) file in the GNS3 folder.

    I first went through the tutorial and finally got to log into the cisco ips.
    And loaded up the GNS3 and made ids-switch-cloud setup,
    Configured the loopback etc then ran the IDS and got the following error
    ‘mainapp has not started and do you want to do ciddump.’
    I then followed the advice of psypher246 and started again.

    Now after I have followed
    Step 1 and 2 I get the following error.

    ‘booting from cd-rom…. cdrom boot failure code : 0003.’

    And it is not loading up the QEMU Cisco IPS screen.
    I have now followed what innocent says: and tried to point the file path to IPS-K9-cd.

    I have done this in the GNS3 folder and removed it and placed it on the desktop and pointed it to there. This now does nothing.
    As you can guess I am now stuck.

    Any help please would really be helpful.

    Many thanks

  24. tinkergeek says:


    After three long days of tinkering... no pun intended, it works. If you get the MainApp message or CidDump, one of three things is wrong.

    Your interfaces.conf file has a typo. Mine did.
    Your Qemu options line in GNS3 has a typo. Mine did.
    You’ve recreated ipsdisk1 and ipsdisk2 and have multiple copies in the directory that GNS3 is looking at to start IPS. Mine did.

    If you fix your syntax issues it will work. At least, you’ll get ids to start in GNS3 and you’ll be able to log into the CLI. Of course, I still am working on the https:// part via my laptop since the connection is refused, so the jury’s still out. :-)
    Good Luck!

  25. Babuu says:

    Hello guys

    Hey, I followed all the procedure on how to emulate IPS and it works fine up to the stage where I power down the IPS. How do I quit after it says power down? As for me, I use Ctrl+C to end it.

    But the next step is to set it up on GNS3. I changed the code as instructed, but when I start the IDS and press start, it changes from red to green and that’s the end, nothing else. How can I go about it after that? HELP ME PLZ

  26. jt says:

    I was able to get the IPS up and running using this tutorial. Thanks to the owner.

    i experience some errors:

    1. when i assigned interface to vs0 (virtual sensor) and/or when i updated the sig0, i get this error. i get this error either using CLI or IDM.

    does anyone experience this error? please share. thanks!
    i used gns3 v0.74 on XP SP3. i also get some error on Win7 64bit.

    SEN1(config-ana-vir)# exit
    SEN1(config-ana)# exit

    Apply Changes?[yes]:
    Error: editConfigDeltaAnalysisEngine : Analysis Engine is busy rebuilding regex tables. This may take a while.
    The configuration changes failed validation, no changes were applied.
    Would you like to return to edit mode to correct the errors? [yes]:

  27. Mohammed Imran Ali says:

    Hi Tariq and Everyone,

    I am able to configure the IPS through Qemu when I drag IPS in GNS3 and created a simple topology. Now the problem starts GNS3 IPS will start and display the following:
    ata0 master:QEMU Harddisk ATA-7 Hard-Disk(512 MB)
    ata0 slave:QEMU Harddisk ATA-7 Hard-Disk(4000 MB)
    ata1 master:QEMU dvd-rom atapi-4 cd-rom/dvd-rom

    Booting from Hard Disk…..

    And it never boots. I am in great pain as I am trying this from almost 1 week. Please anyone help me.

    I have followed this tutorial for configuring QEMu:

    FOR mohsaf:

    The error displayed, cdrom boot failure 003, is because your physical CD-ROM and virtual CD-ROM are enabled. Please disable the CD-ROMs in Device Manager, then copy the IPS ISO into the GNS3 folder and go to step 2, loading from CD; you will not get this error.

  28. Mohammed Imran Ali says:

    Please look at the below error:

    login: cisco
    Last login: Fri Oct 14 13:59:39 on ttyS0
    This product contains cryptographic features and is subject to United States
    and local country laws governing import, export, transfer and use. Delivery
    of Cisco cryptographic products does not imply third-party authority to import,
    export, distribute or use encryption. Importers, exporters, distributors and
    users are responsible for compliance with U.S. and local country laws. By using
    this product you agree to comply with applicable laws and regulations. If you
    are unable to comply with U.S. and local laws, return this product immediately.

    A summary of U.S. laws governing Cisco cryptographic products may be found at:

    If you require further assistance please contact us by sending email to

    This Cisco Systems IDS software version is not supported on this
    hardware platform. Some capabilities will not be available.
    For assistance, contact Cisco Systems Technical Assistance Center.
    Warning: MainApp has not started, please try again later.
    Would you like to run cidDump?[no]:

  29. ulstr says:

    TuT works perfect, I did use the reference site as well though to validate and help. Thanks for the time spent on putting this together!

    Couple of notes that might help people:

    1) If you’re having issues with the qemu command below, you can simply copy the .iso image into the program files\GNS3 folder.
    qemu -hda ips-disk1.img -hdb ips-disk2.img -m 1024 -cdrom cisco-files/IPS-K9-cd-1.1-a-6.0-5-E3.iso -boot d

    2) On the configuration for interface 4 and 5 I believe there might be an error, not sure. When I compare the config in the original tutorial, the port numbers for 4 and 5 are supposed to be 0 (zero).

    3) Make sure you double check the interface files and the ids_functions config twice, it is easy to make mistakes.

    4) CPU stats in the console seem to be incorrect.. it says 100% all the time for me, but in IDM it is 17% w/e :p

    Thanks again!

  30. bitu says:

    A zillion thanx

  31. fachroky says:

    anyone please help me

    i get the problem after entering the setup from the configuration

    the configuration that i was entered didn’t want to save..

    “Errors Ocurred, Host Configuration NOT Saved”

    “Would you like to return to setup to correct the errors?”

    Does anyone can solve my problem ? :(

  32. junq says:

    hi! anyone run asa on gns3 with asdm? i cant launch the id launcher it hang up when i try download from webpage. thanks

  33. Ayanda says:

    The files ipsdisk1.img and ipsdisk2.img, cannot find them in my directory c:\Program Files (x86)\GNS3\

    Anyone getting this error when changing Password
    – Authentication Token Manipulation Error

    Please Assist. What am I doing wrong? Followed all steps.

  34. osb says:

    Hi, I can run the IPS from qemu but when trying to run on gns3 it doesn’t do anything. No error no message. I’ve setup debug 3 on gns3 but nothing.Any idea?
    Thanks a lot.

  35. IS-IS says:


    I can get as far as the grub menu and editing the

    elif [[ 1 -eq 1 ]]; then

    It then says save and exit. How the bloody hell do you save and exit? Not used to the grub menu and don’t know what I’m doing.

  36. Prabakaran says:


    I think you aren’t familiar with Vi Editor. Here is my few shortcuts.
    Open a file using Vi Editor ==> vi{space}filename

    To modify the opened file == > Just press “i”. Now go to where you want to edit the letters in the file by using UP and DOWN Arrow keys. After Completing Your modification process, Just press the ESC button and then followed by press the “:wq”{without Quotes}. As soon as you hit the “:wq” your file will be saved by using the existing file name. For more you want to know about Vi Editor… do GOOGLE.

  37. Charles says:

    Running GNS 8.0.2 on Windows Vista 32-bit. I’ve got everything installed and working, but I cannot assign vs0 to my interface pair. I keep getting an analysis engine is busy error. Not very useful if you can’t inspect traffic.

    Anyone else have this issue and solve it? Thanks!

  38. Charles says:

    Ah! If you try and assign an interface to vs0 and get an error that the sensor is busy recalculating regEx expressions (or some nonsense like that)…

    Don’t do anything (I kept restarting it and playing with smbios settings). Just wait about 30 to 45 minutes (make sure your system does not go to sleep) and then try again.

    The virtualized IPS just doesn’t have the dedicated resources to do it as quickly as the real one and it takes a while.

  39. max says:

    @ Mohammed Imran & AliTariq & mohsaf

    also try like this if no bootable device found:
    first boot with: >qemu.exe | omitted | boot -d
    once load the files on hard disk
    boot with: >qemu.exe | omitted | boot -c

    still testing

  40. Chris says:


    I have double checked all my files but still get the error
    Would you like to run cidDump?[no]:
    When I boot the IPS via the win 7 command I can login in and configure but not via GNS3 when the IP’s is started.

    Please assist.

  41. SwampRabbit says:

    Has anyone been able to upgrade or build a version 7 image?

  42. Pratik says:

    i cant enable the management state to enable it shows protected and the admin state enable command does not work their. show config command also not working in global mode its generating config long time.

    please someone help me here !!!!!!!!!!!!!!!!!!!!!!!!!!!

  43. unkrr says:

    Tariq Ahmad

    Analysis Engine can take somewhere between 5 min – 30 min. It will take longer first time only. Subsequent power on’s should be less time-consuming. In my case, it takes little less than 5 minutes to build up regex entries & cpu returns back to normal.

    its taking about 1 hour in my case is it normal ??

  44. abhijit says:

    while emulating junos for GNS3, i am getting error message “cdrom boot failure code :0003″

  45. ntmyd8 says:

    Hi guys,

    Need help from your expertise. I got stuck after launching this command.

    C:\Program Files (x86)\GNS3>qemu.exe -hda ips-disk1.img -hdb ips-disk2.img -m 1024 -cdrom IPS-K9-cd-1.1-a-6.0-5-E3.iso -boot d

    Getting error after pressing “k” from the QEMU with below message:
    “Abort: fdisk /dev/hdb”

    I have below specs.
    GNS3 Version : v0.7.3
    IPS Sensor Version : IPS 4235 v 6.0.6(E3)
    Qemu Version : 0.11.0

    What could be wrong? Many thanks in advance.

  46. Abdul says:

    Please check your .iso file. If it’s OK, check whether you are on the right path. Are you using a 64-bit or 32-bit OS? Also check your GNS3 version. You may need to reinstall it again.


  47. RRR says:

    Is that good enough for IPS 7.0 cert?

  48. junq says:

    Hi pls help! i successfully run ips 4215 or 4235 but can login to it. i used default username:cisco passwd:ciscoips4215 why cant login? is there any issue? thanks in advance!

  49. Amit says:

    can anybody help me?????????????

    after emulating IPS in GNS3, i got following error…

    “MainApp has not started, please try again later”

    if i open IDS directly from qemu it works great but with GNS3, it won’t…


  50. Luuk says:

    I have the same problem as Amit.
    I can boot the IDS directly from qemu.
    But when i boot it from GNS3 i get the
    “MainApp has not started, please try again later”

    Did you solve it Amit?
    Or does any1 know a solution to it?
    Ill keep trying to look for an answer, if i find it, ill post it.
