Administrator Guide
Version 4.9.1
Intellectual Property Notices, Disclaimers, and Terms of Use Applicable to the User Documentation.
The legal notices, disclaimers, terms of use, and other information contained herein (the “terms”) apply
only to the Sourcefire, Inc. appliance discussed in the Documentation (“Documentation”) and your use of it.
The terms do not apply to or govern the use of Sourcefire's web site or Sourcefire's appliance discussed
in the Documentation. Sourcefire appliances are available for purchase and subject to a separate license
containing very different terms of use.
The copyright in the Documentation is owned by Sourcefire, Inc., and is protected by copyright pursuant
to US copyright law, international conventions, and other laws. You may use, print out, save on a retrieval
system, and otherwise copy and distribute the documentation solely for non-commercial use, provided
that (i) you do not modify the documentation in any way and (ii) you always include Sourcefire's copyright,
trademark, and other notices, as well as a link to, or print out of, the full contents of this page and its
terms. No part of the documentation may be used in a compilation or otherwise incorporated into another
work, or be used to create derivative works, without the express prior written permission of Sourcefire,
Inc. Sourcefire, Inc. reserves the right to change the Terms at any time, and your continued use of the
Documentation shall be deemed an acceptance of those terms.
Sourcefire, the Sourcefire logo, Snort, the Snort logo, 3D Sensor, Intrusion Sensor, Intrusion Agent, Real-
time Network Awareness, RNA Sensor, Defense Center, Master Defense Center, Success Pack, and 3D
System, are trademarks or registered trademarks of Sourcefire, Inc. All other trademarks are property of
their respective owners.
Liability Disclaimers
THE DOCUMENTATION AND ANY INFORMATION AVAILABLE FROM IT MAY INCLUDE INACCURACIES
OR TYPOGRAPHICAL ERRORS. SOURCEFIRE, INC. MAY CHANGE THE DOCUMENTATION FROM
TIME TO TIME. SOURCEFIRE, INC. MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE
ACCURACY OR SUITABILITY OF THE SOURCEFIRE, INC. WEB SITE, THE DOCUMENTATION, AND/OR
ANY APPLIANCE OR INFORMATION. SOURCEFIRE, INC. PROVIDES THE SOURCEFIRE, INC. WEB SITE,
THE DOCUMENTATION, AND ANY APPLIANCE OR INFORMATION “AS IS” AND SOURCEFIRE, INC.
DISCLAIMS ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING BUT NOT LIMITED TO
WARRANTIES OF TITLE OR THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL SOURCEFIRE, INC. BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, PUNITIVE, OR CONSEQUENTIAL DAMAGES
(INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, LOSS OF
DATA, LOSS OF PROFITS, AND/OR BUSINESS INTERRUPTIONS), ARISING OUT OF OR IN ANY WAY
RELATED TO THE SOURCEFIRE, INC. WEB SITE, THE DOCUMENTATION, AND/OR ANY SOFTWARE
OR INFORMATION, NO MATTER HOW CAUSED AND/OR WHETHER BASED ON CONTRACT, STRICT
LIABILITY, NEGLIGENCE OR OTHER TORTIOUS ACTIVITY, OR ANY OTHER THEORY OF LIABILITY,
EVEN IF SOURCEFIRE, INC. IS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. BECAUSE SOME
STATES/JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATIONS MAY NOT APPLY TO YOU.
The Documentation may contain “links” to sites on the Internet that are not created by, or under the
control of Sourcefire, Inc. Sourcefire, Inc. provides such links solely for your convenience, and assumes no
responsibility for the availability or content of such other sites.
2010-Jul-12 13:56
The Sourcefire 3D System™ provides you with real-time network intelligence for
real-time network defense. The Sourcefire 3D System has the tools you need to:
• discover the changing assets and vulnerabilities on your network
• determine the types of attacks against your network and the impact they
have to your business processes
• defend your network in real time
The topics that follow introduce you to the Sourcefire 3D System and describe
some of the key components that contribute to its value as a part of any security
strategy for your network.
• Components of the Sourcefire 3D System on page 15 provides descriptions
of each of the components that may be in your Sourcefire 3D System.
• Logging into the Appliance on page 21 explains how to access the web
interface on your appliance and log in using one of the user accounts.
• Logging into the Appliance to Set Up an Account on page 23 explains how
to set up an association between an external user account and a set of
credentials on the appliance.
• Logging Out of the Appliance on page 24 explains how to log out of the web
interface.
• Specifying Your User Preferences on page 25 explains how to configure the
preferences that are tied to a single user account, such as the home page,
account password, time zone, dashboard, and event viewing preferences.
• Using the Context Menu on page 36 explains how to display a
context-specific menu of shortcuts on certain pages in the web interface.
updates from the Defense Center to sensors as well. For more information, see
What Can Be Managed by a Defense Center? on page 101.
If your 3D Sensor is running IPS, you can also use a local web interface to create
intrusion policies and review the resulting intrusion events. Note that if you do
manage your 3D Sensors with a Defense Center, Sourcefire recommends that
you use only the Defense Center’s web interface to interact with the sensor and
its data.
If you deploy your 3D Sensor inline on your network and create what is called an
inline detection engine, you can configure your 3D Sensor to drop or replace
packets that you know to be harmful.
Defense Centers
The Defense Center provides a centralized management interface and database
repository for the Sourcefire 3D System. You can analyze and respond to events
from all your sensors consistently by doing the analysis through an interface
where you can see all the data collected by the managed sensors. You can also
push policies created on the Defense Center and software updates to managed
sensors. If you have software sensors or Intrusion Agents on your network, you
must use the Defense Center to manage them. Note that a 3D Sensor running
the IPS component includes its own local web interface, but if you want to use
RNA on the sensor, you must manage the sensor with a Defense Center.
If you use your Defense Center to manage 3D Sensors that run RNA and IPS
(either on the same sensor or different sensors that monitor the same network
segments), the Defense Center correlates intrusion events from IPS with host
vulnerabilities from RNA and assigns impact flags to the intrusion events. Impact
correlation lets you focus in on attacks most likely to damage high priority hosts.
If you deploy Real-time User-Awareness (RUA), the Defense Center correlates
threat, endpoint, and network intelligence with user identity information so that
you can identify the source of policy breaches, attacks, or network vulnerabilities.
DC500
You can use the DC500 model of the Defense Center in managed services
environments to collect data from up to three 3D Sensors. The DC500 receives
data at an aggregate rate of up to 100 intrusion events or 900 flow events per
second. DC500s also have an RNA host limit of 1000.
DC1000
You can use DC1000 Defense Centers in most environments. You can rack mount
a DC1000 and collect data from a large number of 3D Sensors. You can use either
DC1000s or DC3000s in high availability configurations.
Key DC1000 database quantities are:
• Intrusion Events - 1 million default and 10 million maximum
• RNA Flows - 1 million default and 10 million maximum
• RNA Flow Summaries - 2 million default and 10 million maximum
DC3000
You can use DC3000 Defense Centers in high-demand environments. A DC3000
allows you to use higher database quantities. You can configure a DC3000 as a
Master Defense Center during the initial setup.
Intrusion Agents
If you have an existing installation of Snort®, you can install an Intrusion Agent to
forward intrusion events to a Defense Center. You can then analyze the events
detected by Snort alongside your other data. Although you cannot manage
policies or rules for an Intrusion Agent from the Defense Center, you can do
analysis and reporting on those events. If the network map on the Defense
Center has entries for the target host in a given event, the Defense Center
assigns impact flags to the events. You can continue to manually tune Snort rules
and preprocessors with the Intrusion Agent in place.
IMPORTANT! Because the 3D Sensor Software for X-Series does not have a web
interface, you must use a Defense Center to manage it.
eStreamer
You can access event data within your own applications through the eStreamer
Application Programming Interface (API). eStreamer integration requires custom
programming, but allows you to request specific data from a Defense Center. If,
for example, you display network host data within one of your network
management applications, you could write a program to retrieve host criticality or
vulnerability data from the Defense Center and add that information to your
display. See the eStreamer Integration Guide for more information.
Browser Requirements
Browser: Microsoft Internet Explorer 7.0
Required settings: JavaScript, cookies, Secure Sockets Layer (SSL) v3, 128-bit
encryption, Active scripting security setting
Browser: Microsoft Internet Explorer 8.0
Required settings: JavaScript, cookies, Secure Sockets Layer (SSL) v3, 128-bit
encryption, Active scripting security setting, Compatibility View
TIP! Some processes that take a significant amount of time may cause your web
browser to display a message that a script has become unresponsive. If this
occurs, make sure you allow the script to continue until it finishes.
If you are the first user to log into the appliance after it is installed, you must log in
using the admin user account. The initial setup process is described in Setting Up
3D Sensors on page 44.
After you log into the appliance, the features that you can access are controlled by
the privileges granted to your user account. However, the procedures for logging
into and out of the appliance remain the same.
When the appliance was installed, the user who performed the installation
created a single administrative user account and password. The first time you log
into the appliance, you should use this account. After you create other user
accounts as described in Adding New User Accounts on page 300, you and other
users should use those accounts to log into the appliance.
If your organization uses SecurID® tokens when logging in, append the token to
your SecurID PIN and use that as your password to log in. For example, if your PIN
is 1111 and the SecurID token is 222222, type 1111222222.
IMPORTANT! Because the Defense Center and the 3D Sensor audit user activity
based on user accounts, you should make sure that users log into the system
with the correct account.
Your session automatically logs you out after 3.5 hours of inactivity, unless you
are viewing a page (such as an unpaused dashboard) that periodically
communicates with the web server on the appliance.
3. Click Login.
The default start page appears. If you selected a new home page for your
user account, then that page is displayed instead. See Specifying Your Home
Page on page 35 for more information.
The menus and menu options that are available to you at the top of the page
are based on the privileges for your user account. However, the links on the
default home page include options that span the range of user account
privileges. If you click a link that requires different privileges from those
granted to your account, the following warning message is displayed:
You are attempting to view an unauthorized page. This
activity has been logged.
You can either select a different option from the available menus or click Back
in your browser window.
IMPORTANT! The 3Dx800 sensor models do not have a web interface. Instead,
use the Defense Center’s web interface to manage policies and view events.
3. Click Login.
The page that appears depends on the default access role for external
authentication:
• If a default access role is selected in the authentication object or the
system policy, the default start page appears. If you selected a new
home page for your user account, then that page is displayed instead.
See Specifying Your Home Page on page 35 for more information.
The menus and menu options that are available to you at the top of the
page are based on the privileges for your user account. However, the
links on the default home page include options that span the range of
user account privileges. If you click a link that requires different
privileges from those granted to your account, the following warning
message is displayed:
You are attempting to view an unauthorized page. This
activity has been logged.
You can either select a different option from the available menus or click
Back in your browser window.
• If no default access role is selected, the Login page re-appears, with the
following error message:
Unable to authorize access. If you continue to have
difficulty accessing this device, please contact the system
administrator.
4. If you do not have access, contact your system administrator and ask them to
modify your account privileges, or log in as a user with Administrator access
and modify the privileges for the account. For more information, see
Modifying User Privileges and Options on page 306.
Note that your session automatically logs you out after 3.5 hours of inactivity,
unless you are viewing a page (such as an unpaused dashboard) that periodically
communicates with the web server on the appliance.
IMPORTANT! If you are an LDAP or a RADIUS user, you cannot change your
password through the web interface.
3. In the Current Password field, type your current password and click Change.
4. In the New Password and Confirm fields, type your new password.
5. Click Change.
A success message appears on the page when your new password is
accepted by the system.
Event Preferences
Use the Event Preferences section of the Event View Settings page to configure
basic characteristics of event views in the Sourcefire 3D System.
The Event Preferences table describes the settings you can configure.
Event Preferences

Confirm ‘All’ Actions (Requires: Any)
Controls whether the appliance forces you to confirm actions that affect all
events in an event view.
For example, if this setting is enabled and you click Delete All on an event
view, you must confirm that you want to delete all the events that meet the
current constraints (including events not displayed on the current page) before
the appliance will delete them from the database.

Expand Packet View (Requires: IPS or DC/MDC + IPS)
Allows you to configure how the packet view for intrusion events appears. By
default, the appliance displays a collapsed version of the packet view.
• None - collapse all subsections of the Packet Information section of the
packet view
• Packet Text - expand only the Packet Text subsection
• Packet Bytes - expand only the Packet Bytes subsection
• All - expand all sections
Regardless of the default setting, you can always manually expand the sections
in the packet view to view detailed information about a captured packet. For
more information on the packet view, see Using the Packet View in the Analyst
Guide.

Rows Per Page (Requires: Any)
Controls how many rows of events per page you want to appear in drill-down
pages and table views.

Refresh Interval (Requires: Any)
Sets the refresh interval for event views, in minutes. Entering zero disables
the refresh option. Note that this interval does not apply to dashboards.

Statistics Refresh Interval (Requires: IPS or DC/MDC)
Sets the refresh interval for event summary pages such as the Intrusion Event
Statistics and RNA Statistics pages. Entering zero disables the refresh option.
Note that this interval does not apply to dashboards.

Deactivate Rules (Requires: IPS or DC/MDC + IPS)
Controls which links appear on the packet view for intrusion events generated
by standard text rules.
• All Policies - a single link that deactivates the standard text rule in all
the locally defined custom intrusion policies
• Current Policy - a single link that deactivates the standard text rule in
only the currently applied intrusion policy. Note that you cannot deactivate
rules in the default policies.
• Ask - links for each of these options
To see these links on the packet view, your user account must have either
Administrator access or both Intrusion Event Analyst and Policy & Response
Administrator access.
Note that regardless of the default time window setting, you can always manually
change the time window for individual event views during your event analysis.
Also keep in mind that time window settings are valid for only the current
session. When you log out and then log back in, time windows are reset to the
defaults you configured on this page. For more information, see Setting Event
Time Constraints in the Analyst Guide.
There are three types of events for which you can set the default time window.
• Requires: IPS or DC/MDC The Events Time Window sets a single default time
window for (depending on the appliance) intrusion events, RNA events, flow
data, RUA events, compliance events, remediation status events, white list
events, the SEU import log, and event views for custom tables that can be
constrained by time.
• Requires: Any The Audit Log Time Window sets the default time window for the
audit log.
• Requires: DC/MDC The Health Monitoring Time Window sets the default time
window for health events.
You can only set time windows for event types your user account can access. All
user types can set event time windows. Administrators, maintenance users, RNA
event analysts, and IPS event analysts can set health monitoring time windows.
Administrators and maintenance users can set audit log time windows.
Note that because not all event views can be constrained by time, time window
settings have no effect on event views that display RNA hosts, host attributes,
services, client applications, vulnerabilities, RUA users, or white list violations.
You can either use Multiple time windows, one for each of these types of events,
or you can use a Single time window that applies to all events. If you use a single
time window, the settings for the three types of time window disappear and a
new Global Time Window setting appears.
The Time Window Settings table explains the kinds of default time windows you
can configure.
IMPORTANT! The maximum time range for all time windows is from midnight on
January 1, 1970 (UTC) to 3:14:07 AM on January 19, 2038 (UTC).
Setting: Show the Last - Sliding
This setting allows you to configure a sliding default time window of the length
you specify.
The appliance displays all the events generated from a specific start time (for
example, 1 hour ago) to the present. As you change event views, the time
window “slides” so that you always see events from the last hour.

Setting: Show the Last - Static/Expanding
This setting allows you to configure either a static or expanding default time
window of the length you specify.
For static time windows (enable the Use End Time check box), the appliance
displays all the events generated from a specific start time (for example, 1
hour ago) to the time when you first viewed the events. As you change event
views, the time window stays fixed so that you see only the events that
occurred during the static time window.
For expanding time windows (disable the Use End Time check box), the
appliance displays all the events generated from a specific start time (for
example, 1 hour ago) to the present. As you change event views, the time
window expands to the present time.

Setting: Current Day - Static/Expanding
This setting allows you to configure either a static or expanding default time
window for the current day. The current day begins at midnight, based on the
time zone setting for your current session.
For static time windows (enable the Use End Time check box), the appliance
displays all the events generated from midnight to the time when you first
viewed the events. As you change event views, the time window stays fixed
so that you see only the events that occurred during the static time window.
For expanding time windows (disable the Use End Time check box), the
appliance displays all the events generated from midnight to the present. As
you change event views, the time window expands to the present time. Note
that if your analysis continues for over 24 hours before you log out, this time
window can be more than 24 hours.

Setting: Current Week - Static/Expanding
This setting allows you to configure either a static or expanding default time
window for the current week. The current week begins at midnight on the
previous Sunday, based on the time zone setting for your current session.
For static time windows (enable the Use End Time check box), the appliance
displays all the events generated from midnight to the time when you first
viewed the events. As you change event views, the time window stays fixed
so that you see only the events that occurred during the static time window.
For expanding time windows (disable the Use End Time check box), the
appliance displays all the events generated from midnight Sunday to the
present. As you change event views, the time window expands to the present
time. Note that if your analysis continues for over 1 week before you log out,
this time window can be more than 1 week.
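To make the sliding, static and expanding behaviours in the table concrete, here is an added Python example (not part of the guide or the product) that computes the window bounds for each setting from the time of the first event view and the current time, and refuses windows outside the stated 1970 to 2038 limit. It assumes a constructed session at a fixed -04:00 offset in place of the session time zone setting, and that a Sunday counts as the start of its own week.

```python
# Added example, not Sourcefire's code: window bounds for the default time
# window settings. Inputs are timezone-aware datetimes; a constructed session
# at a fixed -04:00 offset stands in for the session time zone setting.
from datetime import datetime, timedelta, timezone, tzinfo

# Limits stated in the guide: midnight 1970-01-01 UTC to 03:14:07 2038-01-19 UTC.
WINDOW_MIN = datetime(1970, 1, 1, tzinfo=timezone.utc)
WINDOW_MAX = datetime(2038, 1, 19, 3, 14, 7, tzinfo=timezone.utc)


def _checked(start: datetime, end: datetime):
    """Reject windows that fall outside the supported range or run backwards."""
    if start < WINDOW_MIN or end > WINDOW_MAX or start > end:
        raise ValueError("time window outside the supported range")
    return start, end


def show_last(length: timedelta, first_viewed: datetime, now: datetime, mode: str):
    """'Show the Last' windows.

    sliding:   the last `length` ending now; moves with every view
    static:    `length` before the first view, end frozen at the first view
    expanding: `length` before the first view, end growing to now
    """
    if mode == "sliding":
        return _checked(now - length, now)
    if mode == "static":
        return _checked(first_viewed - length, first_viewed)
    if mode == "expanding":
        return _checked(first_viewed - length, now)
    raise ValueError(f"unknown mode: {mode}")


def _midnight(t: datetime, tz: tzinfo) -> datetime:
    """Midnight of t's calendar day in the session time zone."""
    return t.astimezone(tz).replace(hour=0, minute=0, second=0, microsecond=0)


def current_day(first_viewed: datetime, now: datetime, tz: tzinfo, use_end_time: bool):
    """'Current Day': from local midnight; end frozen (static) or growing (expanding)."""
    return _checked(_midnight(first_viewed, tz), first_viewed if use_end_time else now)


def current_week(first_viewed: datetime, now: datetime, tz: tzinfo, use_end_time: bool):
    """'Current Week': from midnight on the previous Sunday in the session time zone.

    Assumption: a Sunday counts as the start of its own week.
    datetime.weekday() is Monday=0 .. Sunday=6, so Sunday is (weekday+1) % 7 days back.
    """
    day_start = _midnight(first_viewed, tz)
    start = day_start - timedelta(days=(day_start.weekday() + 1) % 7)
    return _checked(start, first_viewed if use_end_time else now)


# Constructed sample session: first event view on Wednesday 2010-07-14 10:30
# local time (UTC-4), with the analyst still working three hours later.
SAMPLE_TZ = timezone(timedelta(hours=-4), "EDT")
SAMPLE_FIRST = datetime(2010, 7, 14, 10, 30, tzinfo=SAMPLE_TZ)
SAMPLE_NOW = SAMPLE_FIRST + timedelta(hours=3)


def demo() -> dict:
    """Window bounds (ISO strings) for the sample session, one entry per setting."""
    out = {}
    for mode in ("sliding", "static", "expanding"):
        s, e = show_last(timedelta(hours=1), SAMPLE_FIRST, SAMPLE_NOW, mode)
        out[f"last-hour-{mode}"] = (s.isoformat(), e.isoformat())
    s, e = current_day(SAMPLE_FIRST, SAMPLE_NOW, SAMPLE_TZ, use_end_time=False)
    out["day-expanding"] = (s.isoformat(), e.isoformat())
    s, e = current_week(SAMPLE_FIRST, SAMPLE_NOW, SAMPLE_TZ, use_end_time=True)
    out["week-static"] = (s.isoformat(), e.isoformat())
    # A window reaching past 2038-01-19 03:14:07 UTC is refused.
    late = SAMPLE_FIRST.replace(year=2039)
    try:
        show_last(timedelta(hours=1), late, late, "sliding")
        out["beyond-2038-rejected"] = False
    except ValueError:
        out["beyond-2038-rejected"] = True
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22} {value}")
```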
Default Workflows
Requires: Any A workflow is a series of pages displaying data that analysts use to evaluate
events. For each event type, the appliance ships with at least one predefined
workflow. For example, depending on the type of analysis you are performing,
you can choose between ten different intrusion event workflows, each of which
presents intrusion event data in a different way.
The appliance is configured with a default workflow for each event type. For
example, the Events by Priority and Classification workflow is the default for
intrusion events. This means whenever you view intrusion events (including
reviewed intrusion events), the appliance displays the Events by Priority and
Classification workflow.
You can, however, change the default workflow for each event type using the
Default Workflows sections of the Event View Settings page. The following
graphic shows the Defense Center version of the Default Workflows section.
Keep in mind that the default workflows you are able to configure depend not
only on the appliance you are using, but also on your user role. For example, on a
3D Sensor without an IPS license, you can only configure the default workflow for
the audit log. As another example, on the Defense Center, intrusion event
analysts cannot set default RNA workflows. For general information on
workflows, see Understanding and Using Workflows in the Analyst Guide.
WARNING! The Time Zone function assumes that the default system clock is set
to UTC time. If you have changed the system clock on the appliance to use a local
time zone, you must change it back to UTC time in order to view accurate local
time on the appliance. For more information about time synchronization between
the Defense Center and the sensors, see Synchronizing Time on page 354.
3. From the box on the left, select the continent or area that contains the time
zone you want to use.
For example, if you want to use a time zone that is standard in North America,
South America, or Canada, select America.
4. From the box on the right, select the zone (city name) that corresponds with
the time zone you want to use.
For example, if you want to use Eastern Standard Time, you would select
New York after selecting America in the first time zone box.
5. Click Save.
The time zone is set.
3. Select the page you want to use as your home page from the Opening Screen
drop-down list.
The options in the drop-down list are based on the access privileges for your
user account. That is, user accounts with Policy & Response Administrator
access have different options from accounts with Intrusion or RNA Event
Analyst full or read-only access, Restricted Event Analyst full or read-only
access, Maintenance access, or Administrator access.
4. Click Save.
Your home page preference is saved.
IMPORTANT! User accounts with Restricted Event Analyst access cannot use
the dashboard and therefore cannot specify a default dashboard.
3. Select the dashboard you want to use as your default from the Default
Dashboard drop-down list.
If you select None, when you select Analysis & Reporting > Event Summary >
Dashboards, the Dashboard List page appears. You can then select a
dashboard to view.
4. Click Save.
Your default dashboard preference is saved.
Documentation Resources
The Sourcefire 3D System documentation set includes online help and PDF files.
You can reach the online help in two ways:
• by clicking the context-sensitive help links on each page
• by selecting Operations > Help > Online.
The online help includes information about the tasks you can complete on the
web interface, including procedural and conceptual information about user
management, system management, and IPS and RNA analysis.
The Documentation CD contains a PDF version of the Sourcefire 3D System
Administrator Guide and the Sourcefire 3D System Analyst Guide, which together
include the same content as the online help, but in an easy-to-print format.
The Administrator Guide contains information specifically for administrators and
maintenance users. In this guide you will find information about managing Master
Defense Centers, Defense Centers, and 3D Sensors, configuring system settings
and system policies, managing user accounts, scheduling tasks, and monitoring
the health of your appliances.
The Analyst Guide contains information for Intrusion Event Analysts, RNA Event
Analysts, and Policy & Response Administrators. In this guide you will find
information about managing RNA and IPS policies; analyzing RNA, RUA, and
intrusion data; and using event reports.
The Documentation CD also contains copies of the Defense Center Installation
Guide and the 3D Sensor Installation Guide, which includes information about
installing the appliance as well as hardware specifications and safety information.
The CD also contains copies of various API guides and supplementary material.
You can access the most up-to-date versions of the documentation on the
Sourcefire Support web site (https://support.sourcefire.com/).
Documentation Conventions
This documentation includes information about which Sourcefire 3D System
components are required for each feature and which user roles have permission
to complete each procedure.
Refer to Platform Requirements Conventions on page 38 for the meaning of the
Requires statement at the beginning of each section.
Refer to Access Requirements Conventions on page 39 for the meaning of the
Access statement at the beginning of each procedure.
Any except Restricted: User can have any role except Restricted Analyst or
Restricted Analyst (Read Only)
Any Analyst except Restricted: User can have any analyst role except Restricted
Analyst or Restricted Analyst (Read Only)
Any IPS: User must have the Intrusion Event Analyst role or Intrusion Event
Analyst (Read Only) role or the Restricted Event Analyst role or Restricted
Event Analyst (Read Only) role with rights to that function
IPS-RO: User must have the Intrusion Event Analyst (Read Only) role or
Restricted Event Analyst (Read Only) role with rights to that function
P&R Admin: User must have the Policy & Response Administrator role
Any RNA: User must have the RNA Event Analyst or RNA Event Analyst (Read Only)
or Restricted Event Analyst or Restricted Event Analyst (Read Only) with rights
to that function
RNA: User must have the RNA Event Analyst role or Restricted Event Analyst role
with rights to that function
RNA-RO: User must have the RNA Event Analyst (Read Only) role or Restricted
Event Analyst (Read Only) role with rights to that function
A “/” conjunction indicates that the task or feature is available to users with one
or more of the indicated platforms. A “+” conjunction indicates that the platforms
are required in combination.
For example, to view the Hosts network map, a user must have the RNA Event
Analyst or RNA Event Analyst (Read Only) role or the Restricted Event Analyst or
Restricted Event Analyst (Read Only) role with RNA Hosts Data set to Show All Data
or to show a specific search. The Access setting for the procedure in the Working
with the Hosts Network Map topic is Any RNA/Admin.
Rule thresholding in the packet view provides an example of required combined
access roles. You must have the Administrator role or have the Policy & Response
Administrator role in combination with the Intrusion Event Analyst role or the
Restricted Event Analyst role with Intrusion Events Data set to Show All Data or to
show a specific search to access the packet view and set thresholding for a rule
from the packet view. As a result, the Access setting for the procedure in the
Setting Threshold Options within the Packet View topic is IPS + P&R
Admin/Admin.
IP Address Conventions
Requires: Any You can use Classless Inter-Domain Routing (CIDR) notation to define IP address
ranges in many places in the Sourcefire 3D System, including but not limited to
the following:
• RNA detection policies
• custom topologies
• auto-assigned networks for user-defined host attributes
• traffic profiles
• compliance rules and white lists
• active scan targets
• intrusion policies, variables, and standard text rules
• PEP
CIDR notation uses a network IP address combined with a bit mask to define the
IP addresses in the specified range. For example, the following table lists the
private IPv4 address spaces in CIDR notation.
When you use CIDR notation to specify a range of IP addresses, the Sourcefire
3D System uses only the masked portion of the network IP address you
specified, without changing your user input. For example, if you type 10.1.2.3/8,
the Sourcefire 3D System uses 10.0.0.0/8, but the web interface continues to
display 10.1.2.3/8.
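As an added illustration of the masking rule above (example code, not Sourcefire's), the following Python keeps the entered string for display but applies the prefix mask to obtain the network actually used for matching, shown on the guide's 10.1.2.3/8 case and on constructed entries for the RFC 1918 private spaces with host bits set.

```python
# Added example, not Sourcefire's code: how a CIDR entry such as 10.1.2.3/8 is
# kept as typed but matched as 10.0.0.0/8, with the prefix mask applied by hand
# and cross-checked against the standard library's non-strict parser.
import ipaddress
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class CidrEntry:
    as_entered: str                  # what the web interface keeps displaying
    network: ipaddress.IPv4Network   # what matching actually uses


def parse_cidr(text: str) -> CidrEntry:
    """Keep the user's input, but derive the network from the masked bits only."""
    addr_str, _, prefix_str = text.partition("/")
    prefix = int(prefix_str) if prefix_str else 32   # bare address = one host
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {text!r}")
    addr = int(ipaddress.IPv4Address(addr_str))      # raises on a malformed address
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    network = ipaddress.IPv4Network((addr & mask, prefix))
    # The standard library discards host bits the same way when strict=False.
    assert network == ipaddress.ip_network(text, strict=False)
    return CidrEntry(as_entered=text, network=network)


def describe(text: str) -> Tuple[str, str]:
    """(value the interface displays, network the system actually uses)."""
    entry = parse_cidr(text)
    return entry.as_entered, str(entry.network)


def contains(entry: CidrEntry, host: str) -> bool:
    """Membership is decided against the masked network, not the typed address."""
    return ipaddress.IPv4Address(host) in entry.network


# Constructed sample entries: the guide's 10.1.2.3/8 case plus the three
# RFC 1918 private spaces written with host bits set.
SAMPLE_ENTRIES = ["10.1.2.3/8", "172.31.255.255/12", "192.168.1.77/16"]

if __name__ == "__main__":
    for text in SAMPLE_ENTRIES:
        shown, used = describe(text)
        print(f"entered {shown:18} displayed as {shown:18} matched as {used}")
    ten = parse_cidr("10.1.2.3/8")
    print(contains(ten, "10.200.0.1"), contains(ten, "11.1.2.3"))
```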
Setting Up 3D Sensors
Requires: 3D Sensor Newer models of the 3D Sensor (that is, Series 2 sensors) provide a simple web
form to collect information about your network environment and how you intend
to deploy the sensor. These sensors include the following models:
• 3D500
• 3D1000
• 3D2000
• 3D2100
• 3D2500
• 3D3500
• 3D4500
• 3D6500
• 3D9900
You can view illustrations of each model in the 3D Sensor Installation Guide to
determine your sensor model. Defense Centers use the setup process in Setting
up Defense Centers on page 47.
After physically installing the 3D Sensor, setting up the IP address for the
management interface, and logging into the 3D Sensor’s web interface (as
described in the 3D Sensor Installation Guide), the Install page appears so that
you can continue the setup process.
WARNING! Prepare for the initial setup and complete it promptly after you begin.
If the initial setup is interrupted or if a second user logs in while it is underway,
the results can be unpredictable.
TIP! The initial change to the admin user password changes the root
password for the shell account. Use the command line interface on the
appliance for subsequent changes to the root password.
2. Under Network Settings, enter the settings that you want to use for the
management IP address.
Note that if you used the configure-network script before logging into the
web interface, the IP address, netmask, and gateway fields are pre-populated
with your settings.
3. Under Remote Management, indicate whether you want to manage the
3D Sensor with a Defense Center.
You can use the IP address of the Defense Center or, if you specify a DNS
server, its hostname. The registration key is a single-use, user-created string
that you will also use from within the Defense Center’s web interface when
you complete the sensor registration process.
If your sensor and Defense Center are separated by a network address
translation (NAT) device, defer Defense Center management until after you
complete the initial setup. Refer to Working in NAT Environments on page 112
and Adding Sensors to the Defense Center on page 117 for more information.
4. Optionally, if your Defense Center is running current software and your
sensors are running earlier software, under Time Settings, indicate how you
want to set the time for the 3D Sensor. You can set the time manually or via
network time protocol (NTP) from an NTP server. Note that if you use an NTP
server to set the time, you must also specify the primary and secondary DNS
servers.
Note that if you are managing the sensor with a Defense Center and the
Defense Center itself is set up as an NTP server, you can specify the Defense
Center as the sensor’s NTP server.
IMPORTANT! If both your Defense Center and your sensors are running
current software, this step is unnecessary as the current software will
synchronize automatically.
5. Under Detection Mode, specify how you want to deploy the 3D Sensor. You
have two options:
• If you deployed the sensor as an inline IPS using paired sensing
interfaces, select Inline with Failopen Mode.
• If you deployed the sensor as a passive IDS on your network, select
Passive Mode.
WARNING! If you select Inline with Failopen Mode when the sensor is
deployed passively, you may cause your network to be bridged, resulting in
unexpected network behavior.
6. Under Recurring SEU Imports, check the Enable Recurring SEU Imports check
box to configure automatic SEU imports and specify the update frequency. To
queue an immediate update from the Sourcefire support site, select Update
Now.
Select the state for adding new rules to intrusion policies as disabled or in the
predefined default state. For detailed information on adding new rules to
custom policies in the default state or in the disabled rule state, refer to Using
Recurring SEU Imports in the Analyst Guide. You can also instruct the system
to reapply intrusion policies after the SEU import completes.
7. Under License Settings, indicate whether you want to add a product license
to the 3D Sensor. You have two options:
• To use only the RNA or RUA functionality without IPS, you do not need
to add a product license. You will automatically create an RNA detection
engine without a policy. You control licensing for RNA or RUA through
the Defense Center managing the sensor.
Skip to step 8.
• To use IPS functionality (either by itself or with RNA or RUA
functionality), you must add a product license to the 3D Sensor.
To add a product license, enter the license key in the license key field,
and click Add/Verify.
To obtain a product license, click the link to navigate to https://
keyserver.sourcefire.com/. Follow the on-screen instructions to
generate an email containing the license file and paste it into the
License field. Note that you will be prompted for the license key and an
activation key. The activation key was previously emailed to the contact
person identified on your support contract.
If your current host cannot access the Internet, switch to a host that can
and navigate to the keyserver web page.
8. Under End User License Agreement, read the agreement carefully. If you
agree to abide by its provisions, select the check box and click Apply.
The 3D Sensor is configured according to your selections. The appliance logs
you out. A dashboard page appears after you log back in, which indicates the
appliance is now operational. See Using Dashboards on page 59 for more
information. See What’s Next? on page 52 for some suggestions about how
to proceed after you complete these initial startup pages.
TIP! If you used the option to connect through the management port to
perform the initial setup, remember to connect the cable to the protected
management network.
TIP! Applying a default policy to detection engines can take several minutes.
You will see no intrusion events until it completes. You can check the task
progress at Operations > Monitoring > Task Status.
WARNING! Prepare for the initial setup and complete it promptly after you begin.
If the initial setup is interrupted or if a second user logs in while it is underway,
the results can be unpredictable.
TIP! The initial change to the admin user password changes the root
password for the shell account. Use the command line interface on the
appliance for subsequent changes to the root password.
If you select the Master Defense Center mode, the Remote Management
section becomes unnecessary and is hidden from the form. Skip to step 5.
4. Under Remote Management, indicate whether you want to manage the
Defense Center with a Master Defense Center.
You can use the IP address of the Master Defense Center or, if you specify a
DNS server, its hostname. The registration key is a single-use, user-created
string that you will also need to use when you register the Defense Center
through the Master Defense Center’s web interface.
5. Under Time Settings, indicate how you want to set the time for the Defense
Center. You can set the time manually or via network time protocol (NTP)
from an NTP server. Note that if you use an NTP server to set the time, you
must also specify the primary and secondary DNS servers.
Note that if you are managing the Defense Center with a Master Defense
Center and the Master Defense Center itself is set up as an NTP server, you
can specify the Master Defense Center as the Defense Center’s NTP server.
6. If you are installing a DC3000 and your operational mode is Master Defense
Center, the Defense Center Registration portion of the form is visible. Use
these fields only to register Defense Centers where you have already
configured remote management by this Master Defense Center.
You can use the IP address of the Defense Center or, if you specify a DNS
server, its hostname. The registration key is the single-use, user-created
string you used in the Defense Center’s web interface when you configured
remote management.
Click Add to register each newly listed 3D Sensor with this Defense Center.
8. Under Recurring SEU Imports, check the Enable Recurring SEU Import check
box to configure automatic SEU imports and specify the update frequency. To
queue an immediate update from the Sourcefire support site, select Update
Now.
Select the state for adding new rules to intrusion policies as disabled or in the
predefined default state. For detailed information on adding new rules to
custom policies in the default state or in the disabled rule state see Using
Recurring SEU Imports in the Analyst Guide. You can also instruct the system
to reapply intrusion policies after the SEU import completes.
9. Under License Settings, add a product license and any required feature
licenses to the Defense Center.
To obtain a product license, click the link to navigate to https://
keyserver.sourcefire.com/. Follow the on-screen instructions to generate
an email containing the license file and paste it into the License field. Note
that you will be prompted for the license key and an activation key. The
activation key was previously emailed to the contact person identified on your
support contract.
If your current host cannot access the Internet, switch to a host that can and
navigate to the keyserver web page.
10. Under End User License Agreement, read the agreement carefully. If you
agree to abide by its provisions, select the check box and click Apply.
The Defense Center or Master Defense Center is configured according to
your selections. The appliance logs you out. A dashboard page appears after
you log back in, which indicates the appliance is operational. See Using
Dashboards on page 59 for more information. See What’s Next? on page 52
for some suggestions about how to proceed after you complete these initial
startup pages.
TIP! If you used the option to connect through the management port to
perform the initial setup, remember to connect the cable to the protected
management network.
Communication Ports
The Sourcefire 3D System requires the use of specific ports to communicate
internally and externally, between Defense Centers and sensors, and to enable
certain functionality within the network deployment. Refer to the Required Open
Ports table for more information on functions and their associated ports.
Required Open Ports

Port           Function                    Notes
20, 21         ftp
22             ssh
23             telnet
25             smtp
53             dns
67, 68         dhcp
80             http                        Open this port when you connect to a remote web server
                                           through the RSS widget.
162            snmp
443            https
514            syslog                      Open this port only if you are using a remote syslog
                                           server.
1241           Nessus
1660           Nmap
1812 and 1813  FreeRADIUS                  You must open both ports to ensure that FreeRADIUS
                                           functions correctly.
3306           RUA Agent                   Open this port for communications between the Defense
                                           Center and RUA Agents.
8301           Intrusion Agent             Open this port for communications between the Defense
                                           Center and Intrusion Agents.
8302           eStreamer
8305           Management Virtual Network  Open this port for communications between the Defense
                                           Center and v. 4.8.x 3D Sensors.
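Several entries in the table are conditional (syslog only with a remote syslog server, 80 only for the RSS widget, 1812 and 1813 always together), and several (ftp, telnet, http, syslog) carry credentials or data in cleartext, so a firewall rule set between the Defense Center and its sensors should open only what the deployment actually uses. The following Python, added here as an example and not Sourcefire code, encodes the table with its conditions so the port list can be derived from a set of enabled features and the cleartext entries surfaced for sign-off. The feature names (`remote_syslog`, `rss_widget`, `rua_agents`, `intrusion_agents`, `sensors_4_8_x`) and the cleartext annotations are my own; the port numbers, functions and conditions are those in the table.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

@dataclass(frozen=True)
class PortRule:
    ports: Tuple[int, ...]     # ports the table lists together; open all of them
    function: str
    feature: Optional[str]     # None: the table states no condition for this entry
    cleartext: bool = False    # protocol property added for review, not from the table

# Transcribed from the Required Open Ports table; feature labels are hypothetical.
PORT_RULES: Tuple[PortRule, ...] = (
    PortRule((20, 21), "ftp", None, cleartext=True),
    PortRule((22,), "ssh", None),
    PortRule((23,), "telnet", None, cleartext=True),
    PortRule((25,), "smtp", None),
    PortRule((53,), "dns", None),
    PortRule((67, 68), "dhcp", None),
    PortRule((80,), "http (RSS widget)", "rss_widget", cleartext=True),
    PortRule((162,), "snmp", None),
    PortRule((443,), "https", None),
    PortRule((514,), "syslog", "remote_syslog", cleartext=True),
    PortRule((1241,), "Nessus", None),
    PortRule((1660,), "Nmap", None),
    PortRule((1812, 1813), "FreeRADIUS", None),   # table: both ports or RADIUS fails
    PortRule((3306,), "RUA Agent", "rua_agents"),
    PortRule((8301,), "Intrusion Agent", "intrusion_agents"),
    PortRule((8302,), "eStreamer", None),
    PortRule((8305,), "Management Virtual Network", "sensors_4_8_x"),
)

def required_ports(enabled_features: Set[str]) -> List[int]:
    """Ports to open for a deployment using the given features.
    Unconditional entries are always included; conditional entries only when
    their feature is enabled. Paired ports (20/21, 67/68, 1812/1813) are
    never split, matching the FreeRADIUS note in the table."""
    ports: Set[int] = set()
    for rule in PORT_RULES:
        if rule.feature is None or rule.feature in enabled_features:
            ports.update(rule.ports)
    return sorted(ports)

def cleartext_review(enabled_features: Set[str]) -> List[Tuple[int, str]]:
    """Entries in the required set that move data or credentials in cleartext,
    listed so each one is consciously accepted before the rule set goes live."""
    out: List[Tuple[int, str]] = []
    for rule in PORT_RULES:
        if rule.cleartext and (rule.feature is None or rule.feature in enabled_features):
            out.extend((p, rule.function) for p in rule.ports)
    return sorted(out)

def unknown_features(enabled_features: Set[str]) -> Set[str]:
    """Feature names matching no rule. A misspelled feature silently opens
    nothing, so callers should reject a non-empty result."""
    known = {r.feature for r in PORT_RULES if r.feature is not None}
    return set(enabled_features) - known
```

Typical use: compute `required_ports({"remote_syslog", "rua_agents"})`, refuse to proceed if `unknown_features` returns anything, and attach the output of `cleartext_review` to the change ticket so the cleartext entries are explicitly approved rather than opened by default.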
What’s Next?
Requires: Any
After you complete the initial setup for the Sourcefire 3D System, your next steps
depend on the role assigned to your user account (Administrator user,
Maintenance user, Policy & Response Administrator user, Intrusion Event Analyst
user, or RNA Event Analyst user) and what appliance you are using. See
Managing Users on page 264 for more information about user roles.
For deployments that include a Defense Center, you can perform much of the
process on the Defense Center itself.
For standalone 3D Sensor deployments (that is, deployments that do not include
a Defense Center and do not use RNA), a user with Administrator access must
perform the first steps. Review the tasks in the following sections, which are
based on the user account privileges required for the task.
• Administrator User Tasks on page 53 describe the steps that you must
complete before Policy & Response Administrator users and analyst users
can begin their tasks.
• Maintenance User Tasks on page 54 explain some of the steps in the
process that Maintenance users can perform after Administrator users
finish their required tasks.
• Policy & Response Administrator User Tasks on page 55 describe some of
the policies and custom rules that Policy & Response Administrator users
can create and apply so that analyst users receive useful data for their
analyses.
• RNA Event Analyst User Tasks on page 56 describe the features that RNA
Event Analyst users can use to learn about the assets on your network.
• Intrusion Event Analyst User Tasks on page 57 describe the features that
Intrusion Event Analyst users can use to learn about the kinds of attacks
that are launched against assets on your network.
TIP! After you set up management, Sourcefire recommends that you use
the Defense Center’s web interface rather than the sensor’s web interface to
manage the sensor and view the events that it generates. You must complete
the steps outlined in Working with Sensors on page 113 on the Defense
Center and on the sensors to complete the process.
TIP! You can use high availability mode on Defense Centers which are
managed by a Master Defense Center, but you cannot use high availability
mode directly on the Master Defense Center itself.
4. If you did not already set up a system policy as part of the initial setup, you
should configure one that meets the needs of your network and security
environment. Note that, if you want to use external authentication, you need
to enable it in a system policy on the Defense Center and apply that policy to
any appliances where users will authenticate to the external server. See
Managing System Policies on page 320 for more information.
You can also create different policies on your Defense Center and apply them
to the managed sensors where it is appropriate.
5. Check for any available software patches, vulnerability database updates, and
Security Enhancement Updates (SEUs) and apply them to your Defense
Center where required. Apply any available software patches or vulnerability
database updates to managed sensors where required.
Patches and updates are available on the Sourcefire Support site. See
Importing SEUs and Rule Files in the Analyst Guide and Updating System
Software on page 398 for more information.
6. Create new user accounts that match the roles you want to assign to your
users.
The auditing feature records events based on the user account name, so it is
much better to have an account for each user rather than allowing multiple
users to access the appliance from one or two accounts. See Managing
Users on page 264 for more information.
7. By default, each 3D Sensor has a single detection engine that encompasses
all of the available sensing interfaces (or all of the available fast-packet-
enabled interfaces) on the sensor. To take advantage of the multiple detection
engine feature, you must modify the default detection engine.
See Using Detection Engines and Interface Sets on page 185 for more
information about examining traffic on multiple network segments with a
single sensor.
8. Requires: DC Set up health monitoring policies and apply them to your
managed sensors and to the Defense Center itself.
The health monitoring feature includes a range of modules that you can
enable or disable based on the needs of your network environment. See
Using Health Monitoring on page 482 for more information. Note that a
Maintenance user can also set up health policies.
The next section, Maintenance User Tasks, describes the steps that a user with
Maintenance access can perform.
To continue the initial setup, Policy & Response Administrator users can:
Access: P&R Admin/Admin
1. Requires: RNA Set up compliance policies to determine when prohibited
activity occurs on your network. Compliance policies can contain rules based
on nearly any kind of network activity that your 3D Sensor can detect,
including anomalous network traffic patterns. See Configuring Compliance
Policies and Rules in the Analyst Guide.
2. Requires: RNA If a compliance policy violation occurs, you can specify that the
Defense Center automatically respond to it in one of several ways, including
blocking a suspect host at the firewall or router, sending a notification by
email or SNMP, or simply generating a syslog alert. For more information on
responses, see Configuring Responses for Compliance Policies in the Analyst
Guide.
3. Requires: IPS Create and apply intrusion policies to the IPS-related detection
engines on your 3D Sensor. See Using Basic Settings in an Intrusion Policy in
the Analyst Guide for more information.
4. Requires: IPS Part of the process for creating an intrusion policy includes
enabling the appropriate intrusion rules and fine-tuning the preprocessors and
packet decoders to match your network traffic. See Managing Intrusion Rules
in the Analyst Guide and Using Advanced Settings in an Intrusion Policy in the
Analyst Guide for more in-depth information about configuring intrusion
policies.
5. Requires: IPS To ensure that your intrusion event analysts are informed as
soon as possible regarding attacks against your most valuable network
assets, consider setting up automated notifications (that can be sent to the
syslog, via email, or via SNMP) if a specific intrusion rule is triggered. If your
network environment includes an OPSEC-compliant firewall, you can also
send SAM-based responses to the firewall. See Configuring External
Responses to Intrusion Events in the Analyst Guide for more information.
6. Requires: IPS As you gain more experience with the intrusion rules provided by
Sourcefire, you may want to write your own rules to meet the unique needs
of your network. See Understanding and Writing Intrusion Rules in the
Analyst Guide and Rule-Writing Examples and Tips in the Analyst Guide to
learn more about using the rule editor to write your own intrusion rules.
The policies and rules that you create as a Policy & Response Administrator user
determine the kinds of events that are seen by the RNA Event Analyst and
Intrusion Event Analyst users on your appliance. The next sections, RNA Event
Analyst User Tasks and Intrusion Event Analyst User Tasks, describe the steps
that a user with Intrusion Event Analyst, Intrusion Event Analyst (Read-Only), RNA
Event Analyst, RNA Event Analyst (Read-Only), or Restricted Event Analyst
access can perform.
4. Requires: RNA Use the RNA event workflows to review the activity that has
occurred on your network over time. You can review information for network
hosts, services, vulnerabilities, client applications, and host attributes. You
can also use the extensive search capability to define and save your own
search criteria that you can use as part of your regular analysis. Note that the
kinds of RNA events that are logged to the database are determined by the
system policy on the managing Defense Center. See Working with RNA
Events in the Analyst Guide for more information.
5. Requires: RNA Use flow data and traffic profiles to gain a different kind of
insight into the activity on your network. For example, you can review the
information collected by RNA’s traffic monitoring features and identify high-
traffic hosts, then determine which might be behaving abnormally. Note that
flow data is collected by your sensors only if the flow data option is enabled
in the RNA detection policy. See Working with Flow Data and Traffic Profiles
in the Analyst Guide for more information.
6. Use the report designer to create CSV, HTML, or PDF-based event and
incident reports. You can automatically email a report when it is complete,
and you can create and save report profiles to use later. See Working with
Event Reports on page 232 for more information. You can use the scheduler
to automate reporting. See Scheduling Tasks on page 425.
7. Use any of the predefined workflows to view, investigate, and act on the
events generated by your sensors. As you grow more experienced with the
Sourcefire 3D System, you may want to create your own workflows. See
Understanding and Using Workflows in the Analyst Guide for more
information.
Using Dashboards
By default, the home page for your appliance displays the default dashboard,
although you can configure your appliance to display a different default home
page, including pages that are not dashboard pages.
TIP! If you change the home page, you can access dashboards by selecting
Analysis & Reporting > Event Summary > Dashboards. For more information, see
Viewing Dashboards on page 91.
In addition to the default dashboard, the Defense Center is delivered with two
other predefined dashboards:
• The Flow Summary dashboard uses flow data to create tables and charts of
the activity on your monitored network; for more information on flow
summary data, see Understanding Flow Data in the Analyst Guide.
Note that Restricted Event Analysts use the Flow Summary page instead of
the Flow Summary Dashboard; see Viewing the Flow Summary Page in the
Analyst Guide for more information.
• The Detailed Dashboard provides advanced users with detailed information
about your Sourcefire 3D System deployment, and includes multiple
widgets that summarize collected IPS, RNA, compliance, and system status
data.
You can use the predefined dashboards, modify the predefined dashboards, or
create a custom dashboard to suit your needs. You can share custom dashboards
among all users of an appliance, or you can create a custom dashboard solely for
your own use. You can also set a custom dashboard as your default dashboard.
For more information, see the following sections:
• Understanding Dashboard Widgets on page 60
• Understanding the Predefined Widgets on page 65
• Working with Dashboards on page 89
different aspect of the Sourcefire 3D System. Widgets are grouped into three
categories:
• Analysis & Reporting widgets display data about the events collected and
generated by the Sourcefire 3D System.
• Operations widgets display information about the status and overall health
of the Sourcefire 3D System.
• Miscellaneous widgets display neither event data nor operations data.
Currently the only widget in this category displays an RSS feed.
The dashboard widgets that you can view depend on the type of appliance you
are using and on your user role. In addition, each dashboard has a set of
preferences that determines its behavior. You can minimize and maximize
widgets, add and remove widgets from tabs, as well as rearrange the widgets on
a tab.
For more information, see:
• Understanding Widget Availability on page 61
• Understanding Widget Preferences on page 64
• Understanding the Predefined Widgets on page 65
• Working with Dashboards on page 89
Similarly, the content of a widget can differ depending on the type of appliance
you are using. For example, the Current Interface Status widget on a 3D Sensor
displays the status of its sensing interfaces, but on Defense Centers and Master
Defense Centers the widget displays only the status of the management
interface. Note that any content generated in table format can be sorted by
clicking on the table column header.
You can delete or minimize unauthorized and invalid widgets, as well as widgets
that display no data, keeping in mind that modifying a widget on a shared
dashboard modifies it for all users of the appliance. For more information, see
Minimizing and Maximizing Widgets on page 97 and Deleting Widgets on
page 97.
The Sourcefire Appliances and Dashboard Widget Availability table lists the valid
widgets for each appliance. An X indicates that the appliance can display the
widget.
Appliance Information X X X X
Appliance Status X X
Compliance Events X X
Current Interface X X X X
Status
Current Sessions X X X X
Custom Analysis X X X X
Disk Usage X X X X
Interface Traffic X X X X
Intrusion Events X X X X
Network Compliance X
Product Licensing X
Product Updates X X X X
RSS Feed X X X X
System Load X X X X
System Time X X X X
The User Roles and Dashboard Widget Availability table lists the user account
privileges required to view each widget. An X indicates the user can view the
widget.
IMPORTANT! User accounts with Restricted Event Analyst access cannot use
dashboards.
Appliance Information X X X X X
Appliance Status X X X X
Compliance Events X X X
Current Interface X X X X
Status
Current Sessions X
Custom Analysis X X X
Disk Usage X X X X X
Interface Traffic X X X X
Intrusion Events X X
Network Compliance X X X
Product Licensing X X
Product Updates X X X
RSS Feed X X X X X
System Load X X X X X
System Time X X X X X
Widget preferences can also be more complex. For example, the following
graphic shows the preferences for the Custom Analysis widget, which is a highly
customizable widget that allows you to display detailed information on the events
collected and generated by the Sourcefire 3D System.
IMPORTANT! The dashboard widgets you can view depend on the type of
appliance you are using and on your user role. For more information, see
Understanding Widget Availability on page 61.
You can configure the widget to display appliance status as a pie chart or in a table
by modifying the widget preferences.
The preferences also control how often the widget updates. For more
information, see Understanding Widget Preferences on page 64.
You can click a section on the pie chart or one of the numbers on the appliance
status table to go to the Health Monitor page and view the compiled health status
of the appliance and of any appliances it is managing. For more information, see
Using the Health Monitor on page 545.
You can configure the widget to display compliance events of different priorities
by modifying the widget preferences, as well as to select a linear (incremental) or
logarithmic (factor of ten) scale.
Select one or more Priorities check boxes to display separate graphs for events of
specific priorities, including events that do not have a priority. Select Show All to
display an additional graph for all compliance events, regardless of priority. The
preferences also control how often the widget updates. For more information,
see Understanding Widget Preferences on page 64.
You can click a graph to view compliance events of a specific priority, or click the
All graph to view all compliance events. In either case, the events are constrained
by the dashboard time range; accessing compliance events via the dashboard
changes the events (or global) time window for the appliance. For more
information on compliance events, see Viewing Compliance Events in the Analyst
Guide.
• click the host icon ( ) next to any IP address to view the host profile for
that computer; see Using Host Profiles in the Analyst Guide (Defense
Center with RNA only)
• click any IP address or access time to view the audit log constrained by that
IP address and by the time that the user associated with that IP address
logged on to the web interface; see Viewing Audit Records on page 567
The widget preferences control how often the widget updates. For more
information, see Understanding Widget Preferences on page 64.
For example, if you are using Sourcefire RNA as part of your deployment, you can
configure the Custom Analysis widget to display which operating systems are
running on the hosts in your organization by configuring the widget to display OS
data from the RNA Hosts table. Aggregating this data by Count tells you how many
hosts are running each operating system.
On the other hand, aggregating by Unique OS tells you how many unique versions
of each operating system are running on the same hosts (for example, how many
unique versions of Linux, Microsoft Windows, Mac OS X, and so on).
Optionally, you can further constrain the widget using a saved search, either one
of the predefined searches delivered with your appliance or a custom search that
you created. For example, constraining the first example (operating systems
aggregated by Count) using the Local Systems search tells you how many hosts
within one hop of your 3D Sensors are running each operating system.
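The difference between the two aggregations, and the effect of constraining by the Local Systems search, is easier to see on data. The following Python, added here as an example and not part of the Sourcefire product, runs both aggregations over a constructed sample of RNA host records (the records, the field names and the hop-count rule used to stand in for the Local Systems search are my own, not the appliance's schema):

```python
from collections import defaultdict
from typing import Dict, List

# Constructed sample of RNA host records: address, operating system, version
# string and hop count from the nearest 3D Sensor. Not real inventory data.
HOSTS: List[Dict] = [
    {"ip": "10.0.1.10", "os": "Microsoft Windows", "version": "XP SP3", "hops": 0},
    {"ip": "10.0.1.11", "os": "Microsoft Windows", "version": "XP SP3", "hops": 1},
    {"ip": "10.0.1.12", "os": "Microsoft Windows", "version": "2003",   "hops": 1},
    {"ip": "10.0.2.20", "os": "Linux",             "version": "2.6",    "hops": 2},
    {"ip": "10.0.2.21", "os": "Linux",             "version": "2.4",    "hops": 0},
    {"ip": "10.0.3.30", "os": "Mac OS X",          "version": "10.5",   "hops": 3},
]

def local_systems(hosts: List[Dict], max_hops: int = 1) -> List[Dict]:
    """Stand-in for the Local Systems search: hosts within one hop of a sensor."""
    return [h for h in hosts if h["hops"] <= max_hops]

def count_by_os(hosts: List[Dict]) -> Dict[str, int]:
    """Aggregate by Count: how many hosts run each operating system."""
    counts: Dict[str, int] = defaultdict(int)
    for h in hosts:
        counts[h["os"]] += 1
    return dict(counts)

def unique_versions_by_os(hosts: List[Dict]) -> Dict[str, int]:
    """Aggregate by Unique OS: how many distinct versions of each OS are present.
    Two hosts on the same version count once here but twice in count_by_os."""
    versions: Dict[str, set] = defaultdict(set)
    for h in hosts:
        versions[h["os"]].add(h["version"])
    return {os_name: len(v) for os_name, v in versions.items()}

def ranked(agg: Dict[str, int], descending: bool = True) -> List[tuple]:
    """Order results the way the widget does, most (or least) frequent first."""
    return sorted(agg.items(), key=lambda kv: (kv[1], kv[0]), reverse=descending)
```

On the sample, Count reports three Windows hosts while Unique OS reports two Windows versions, and applying the Local Systems constraint drops the Linux 2.6 host and the Mac OS X host because they sit more than one hop away.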
The colored bars in the widget background show the relative number of
occurrences of each event; you should read the bars from right to left. You can
change the color of the bars as well as the number of rows that the widget
displays. You can also configure the widget to display the most frequently
occurring events or the least frequently occurring events.
The direction icon ( ) indicates and controls the sort order of the display. A
downward-pointing icon indicates descending order; an upwards-pointing icon
indicates ascending order. To change the sort order, click the icon.
Next to each event, the widget can display one of three icons to indicate any
additions or movement from the most recent results:
• The new event icon ( ) signifies that the event is new to the results.
• The up-arrow icon ( ) indicates that the event has moved up in the
standings since the last time the widget updated. A number indicating how
many places the event has moved up appears next to the icon.
• The down-arrow icon ( ) indicates that the event has moved down in the
standings since the last time the widget updated. A number indicating how
many places the event has moved down appears next to the icon.
The widget displays the last time it updated, based on the local time of the
appliance. The widget updates with a frequency that depends on the dashboard
time range. For example, if you set the dashboard time range to an hour, the
widget updates every five minutes. On the other hand, if you set the dashboard
time range to a year, the widget updates once a week. To determine when the
dashboard will update next, hover your pointer over the Last updated notice in the
bottom left corner of the widget.
If you want information on events or other collected data over time, you can
configure the Custom Analysis widget to display a line graph, such as one that
displays the total number of intrusion events generated in your deployment over
time. For graphs over time, you can choose the time zone that the widget uses as
well as the color of the line.
To configure the widget to show a bar graph, select any value except Time from
the Field drop-down list, as shown in the following graphic.
To configure the widget to show a line graph, select Time from the Field
drop-down list, as shown in the following graphic.
The following table describes the various preferences you can set in the Custom
Analysis widget.

Table        The table of events which contains the event data the widget
             displays.
Field        The specific field of the event type you want to display.
             TIP! To display a graph over time, select Time.
Search       The saved search you want to use to further constrain the data
             that the widget displays. You do not have to specify a search,
             although some presets use predefined searches.
Show Movers  Whether you want to display the icons that indicate additions
             or movement from the most recent results.
Time Zone    Which time zone you want to use to display results. The time
             zone appears whenever you select a time-based field.
Color        The color of the bars in the widget background that show the
             relative number of occurrences of each result.
The following table describes the available presets for the Custom Analysis
widget. It also indicates which, if any, Defense Center predefined dashboard uses
each preset. (The predefined dashboards on the Master Defense Center and
3D Sensor do not include Custom Analysis widgets.)

All Intrusion Events
    Displays a graph of the total number of intrusion events on your monitored
    network over the dashboard time range.
    Dashboards: Default Dashboard, Detailed Dashboard
    Requires: IPS or DC/MDC + IPS

All Intrusion Events (Not Dropped)
    Displays the most frequently occurring types of intrusion events, by
    classification, where the packet was not dropped as part of the event.
    Dashboards: Detailed Dashboard
    Requires: IPS or DC/MDC + IPS

Client Applications
    Displays the most active client applications on your monitored network, by
    application type.
    Dashboards: Detailed Dashboard
    Requires: DC + RNA

Dropped Intrusion Events
    Displays counts for the most frequently occurring intrusion events, by
    classification, where the packet was dropped.
    Dashboards: Default Dashboard
    Requires: IPS or DC/MDC + IPS

Flows by Initiator IP
    Displays the most active hosts on your monitored network, based on the
    number of flows where the host initiated the session.
    Dashboards: Flow Summary
    Requires: DC + RNA

Flows by Port
    Displays the most active ports on your monitored network, based on the
    number of detected flows.
    Dashboards: Flow Summary
    Requires: DC + RNA

Flows by Responder IP
    Displays the most active hosts on your monitored network, based on the
    number of flows where the host was the responder in the session.
    Dashboards: Flow Summary
    Requires: DC + RNA

Flows over Time
    Displays a graph of the total number of flows on your monitored network,
    over the dashboard time range.
    Dashboards: Flow Summary
    Requires: DC + RNA

Intrusion Events to High Criticality Hosts
    Displays the most frequently occurring types of intrusion events, based on
    the number of intrusion events occurring on high criticality hosts.
    Dashboards: Detailed Dashboard
    Requires: DC/MDC + IPS + RNA

Top Attackers
    Displays the most active hosts on your monitored network, based on the
    number of intrusion events where the host was the attacking host in the
    flow that caused the event.
    Dashboards: Default Dashboard
    Requires: IPS or DC/MDC + IPS

Top Targets
    Displays the most active hosts on your monitored network, based on the
    number of intrusion events where the host was the targeted host in the
    flow that caused the event.
    Dashboards: Default Dashboard
    Requires: IPS or DC/MDC + IPS

Traffic by Initiator IP
    Displays the most active hosts on your monitored network, based on the
    number of kilobytes per second of data transmitted by the hosts.
    Dashboards: Detailed Dashboard, Flow Summary
    Requires: DC + RNA

Traffic by Initiator User
    Displays the most active RUA users on your monitored network, based on the
    total number of kilobytes of data received by the hosts where those users
    are logged in.
    Dashboards: Detailed Dashboard
    Requires: DC + RNA + RUA

Traffic by Responder IP
    Displays the most active hosts on your monitored network, based on the
    number of kilobytes per second of data received by the hosts.
    Dashboards: Detailed Dashboard, Flow Summary
    Requires: DC + RNA

Traffic over Time
    Displays a graph of the total kilobytes of data transmitted on your
    monitored network over the dashboard time range.
    Dashboards: Detailed Dashboard, Flow Summary
    Requires: DC + RNA

White List Violations
    Displays the hosts with the most white list violations, by violation
    count.
    Dashboards: Detailed Dashboard
    Requires: DC + RNA
example, the Master Defense Center does not store flow data. If your dashboard
includes a Custom Analysis widget that displays data that you cannot see, the
widget indicates that you are unauthorized to view the data. Note, however, that
you (and any other users who share the dashboard) can modify the preferences of
the widget to display data that you can see, or even delete the widget. If you
want to make sure that this does not happen, save the dashboard as private.
Remember that only you can access searches that you have saved as private. If
you configure the widget on a shared dashboard and constrain its events using a
private search, the widget resets to not using the search when another user logs
in. This affects your view of the widget as well. If you want to make sure that this
does not happen, save the dashboard as private.
You enable or disable the Custom Analysis widget from the Dashboard settings in
your system policy. For more information, see Configuring Dashboard Settings on
page 331.
You can configure the widget to display just the root (/) and /volume partition
usage, or you can show these plus the /boot partition usage by modifying the
widget preferences.
The widget preferences also control how often the widget updates, as well as
whether it displays the current disk usage or collected disk usage statistics over
the dashboard time range. For more information, see Understanding Widget
Preferences on page 64.
The widget preferences control how often the widget updates. On 3D Sensors,
the preferences also control whether the widget displays the traffic rate for
unused interfaces (by default, the widget only displays the traffic rate for
interfaces that belong to an interface set). For more information, see
Understanding Widget Preferences on page 64.
On the 3D Sensor, the widget can display statistics for dropped intrusion events,
all intrusion events, or both. Note that for managed 3D Sensors, you must enable
local event storage or the widget will not have any data to display.
On the Defense Center and Master Defense Center, you can configure the
widget to display intrusion events of different impacts by modifying the widget
preferences. On the 3D Sensor, you cannot configure the widget to display
intrusion events by impact. On either appliance, you can display dropped events.
The following graphic shows the Defense Center version of the widget
preferences.
number of hosts that are compliant, non-compliant, and that have not been
evaluated, for all compliance white lists that you have created.
You can configure the widget to display network compliance either for all white
lists, or for a specific white list, by modifying the widget preferences.
Note that if you choose to display network compliance for all white lists, the
widget counts a host as non-compliant if it violates any white list on the
Defense Center, including white lists that are no longer used by an active
compliance policy. A stale white list can therefore mark as non-compliant hosts
that every active policy accepts; to bring these hosts into compliance, delete
the unused white lists.
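The following is an added example, not Sourcefire code, that models the roll-up behaviour described above with a toy white list that checks only permitted server ports. The data model, the host addresses and the list names are constructed for illustration; the point it shows is that a white list left on the appliance after it drops out of every active policy still drives the non-compliant count, and that deleting it (or, here, excluding inactive lists) is what changes the numbers.

```python
# Added example, not Sourcefire code: a toy model of how a compliance
# roll-up can mislabel hosts when white lists that are no longer in any
# active compliance policy are still evaluated. The only attribute this
# toy white list checks is the set of permitted server ports.
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class WhiteList:
    name: str
    allowed_ports: Set[int]
    in_active_policy: bool = True   # False: list no longer used by an active policy


@dataclass
class Host:
    ip: str
    open_ports: Set[int]
    evaluated: bool = True          # False: RNA has not evaluated this host yet


def violated_lists(host: Host, white_lists: List[WhiteList]) -> List[str]:
    """Names of the white lists this host violates (a port the list does not permit)."""
    return [w.name for w in white_lists if host.open_ports - w.allowed_ports]


def host_status(host: Host, white_lists: List[WhiteList]) -> str:
    """'compliant', 'non-compliant' or 'not evaluated', as the widget counts hosts."""
    if not host.evaluated:
        return "not evaluated"
    return "non-compliant" if violated_lists(host, white_lists) else "compliant"


def compliance_summary(hosts: List[Host], white_lists: List[WhiteList],
                       include_inactive: bool = True) -> Dict[str, int]:
    """Roll-up over all white lists. include_inactive=True mirrors the widget,
    which evaluates every white list on the appliance; False shows what the
    counts become once the unused lists are deleted."""
    lists = [w for w in white_lists if include_inactive or w.in_active_policy]
    counts = {"compliant": 0, "non-compliant": 0, "not evaluated": 0}
    for h in hosts:
        counts[host_status(h, lists)] += 1
    return counts


def top_violators(hosts: List[Host], white_lists: List[WhiteList]) -> List[tuple]:
    """(ip, violation count) pairs, most violations first, like the White List
    Violations preset."""
    rows = [(h.ip, len(violated_lists(h, white_lists))) for h in hosts if h.evaluated]
    return sorted((r for r in rows if r[1]), key=lambda r: (-r[1], r[0]))


# Constructed sample data (hypothetical addresses and lists).
WHITE_LISTS = [
    WhiteList("web-servers", {443, 22}),
    WhiteList("old-web-servers", {443}, in_active_policy=False),  # stale list
]
HOSTS = [
    Host("192.0.2.10", {443}),
    Host("192.0.2.11", {443, 22}),          # allowed by the active list only
    Host("192.0.2.12", set(), evaluated=False),
]

if __name__ == "__main__":
    print(compliance_summary(HOSTS, WHITE_LISTS))                          # widget view
    print(compliance_summary(HOSTS, WHITE_LISTS, include_inactive=False))  # after cleanup
    print(top_violators(HOSTS, WHITE_LISTS))
```

With the stale list present, 192.0.2.11 is reported non-compliant even though the only active policy permits SSH on it; once the stale list is out of the picture the host counts as compliant and the not-evaluated host is unchanged either way.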
You can also use the widget preferences to specify which of three different styles
you want to use to display network compliance.
The Network Compliance style (the default) displays a pie chart that shows the
number of hosts that are compliant, non-compliant, and that have not been
evaluated. You can click the pie chart to view the host violation count, which lists
the hosts that violate at least one white list. For more information, see Viewing
White List Violations in the Analyst Guide.
The Network Compliance over Time (%) style displays a stacked area graph showing
the relative proportion of hosts that are compliant, non-compliant, and that have
not yet been evaluated, over the dashboard time range.
The Network Compliance over Time style displays a line graph that shows the
number of hosts that are compliant, non-compliant, and that have not yet been
evaluated, over the dashboard time range.
The preferences control how often the widget updates. The Show Not Evaluated
check box controls whether hosts that have not yet been evaluated appear in the
widget. For more information, see Understanding Widget Preferences on page 64.
The top section of the widget displays all of the feature licenses installed on the
Defense Center, including temporary licenses, while the Temporary Licenses
section displays only temporary and expired licenses. For example, if you have
two feature licenses for RNA Hosts, one of which is a permanent license and
allows 750 hosts, and another that is temporary and allows an additional 750
hosts, the top section of the widget displays an RNA Hosts feature license with
1500 licensed hosts, while the Temporary Licenses section displays an RNA
Hosts feature license with 750 hosts.
The bars in the widget background show the percentage of each type of license
that is being used; you should read the bars from right to left. Expired licenses are
marked with a strikethrough.
You can configure the widget to display either the features that are currently
licensed, or all the features that you can license, by modifying the widget
preferences. The preferences also control how often the widget updates. For
more information, see Understanding Widget Preferences on page 64.
You can click any of the license types to go to the License page of the System
Settings and add or delete feature licenses. For more information, see Managing
Your Feature Licenses on page 370.
You can configure the widget to hide the latest versions by modifying the widget
preferences. The preferences also control how often the widget updates. For
more information, see Understanding Widget Preferences on page 64.
You can also configure the widget to display a preconfigured feed of Sourcefire
security news, or you can create a custom connection to any other RSS feed by
specifying its URL in the widget preferences.
Feeds update every 24 hours (although you can manually update the feed), and
the widget displays the last time the feed was updated in the local time of the
appliance. Keep in mind that the appliance itself must be able to reach the
Sourcefire web site (for the preconfigured feeds) or any custom feed you
configure; a custom feed URL is therefore an outbound connection made by the
appliance. Because any user can modify a shared dashboard and change that URL,
keep a dashboard that carries a custom feed private if that matters to you.
When you configure the widget, you can also choose how many stories from the
feed you want to show in the widget, as well as whether you want to show
descriptions of the stories along with the headlines; keep in mind that not all RSS
feeds use descriptions.
You can configure the widget to show or hide the load average by modifying the
widget preferences. The preferences also control how often the widget updates.
For more information, see Understanding Widget Preferences on page 64.
You can configure the widget to hide the boot time by modifying the widget
preferences. The preferences also control how often the widget synchronizes
with the appliance’s clock. For more information, see Understanding Widget
Preferences on page 64.
You can configure the widget to display white list events of different priorities by
modifying the widget preferences.
For each dashboard, the page indicates the owner (that is, the user who created
it) and whether a dashboard is private. Note that, unless you have Admin access,
you can only see your own private dashboards; you cannot view or modify private
dashboards created by other users.
Finally, the page indicates which dashboard is the default. You specify the default
dashboard in your user preferences; for more information, see Specifying Your
Default Dashboard on page 35.
For more information on working with dashboards, see:
• Creating a Custom Dashboard on page 89
• Viewing Dashboards on page 91
• Modifying Dashboards on page 93
• Deleting a Dashboard on page 97
• Exporting a Dashboard on page 585
Finally, you can choose to associate the new dashboard with your user account by
saving it as a private dashboard. If you choose not to save the dashboard as
private, all other users of the appliance can view it.
Keep in mind that because not all user roles have access to all dashboard
widgets, users with fewer permissions viewing a dashboard created by a user
with more permissions may not be able to use all of the widgets on the
dashboard. Although the unauthorized widgets still appear on the dashboard, they
are disabled.
You should also keep in mind that any user, regardless of role, can modify shared
dashboards. If you want to make sure that only you can modify a particular
dashboard, save it as private.
TIP! Instead of creating a new dashboard, you can export a dashboard from
another appliance and then import it onto your appliance. You can then edit the
imported dashboard to suit your needs. Note that the dashboard widgets you can
view depend on the type of appliance you are using and on your user role; for
example, a dashboard created on the Defense Center and imported onto a
3D Sensor or Master Defense Center may display some invalid, disabled widgets.
For more information, see Importing and Exporting Objects on page 583.
3. Use the Copy Dashboard drop-down list to select the dashboard on which you
want to base the new dashboard.
You can select any predefined or user-defined dashboard. Optionally, select
None (the default) to create a blank dashboard.
4. Type a name and optional description for the dashboard.
5. In the Change Tabs Every field, specify (in minutes) how often the dashboard
should change tabs.
Unless you pause the dashboard or your dashboard has only one tab, this
setting advances your view to the next tab at the interval you specify. To
disable tab cycling, enter 0 in the Change Tabs Every field.
6. In the Refresh Page Every field, specify (in minutes) how often the current
dashboard tab should refresh with new data. This value must be greater than
the Change Tabs Every setting.
Unless you pause the dashboard, this setting will refresh the entire
dashboard at the interval you specify. To disable the periodic page refresh,
enter 0 in the Refresh Page Every field.
Note that this setting is separate from the update interval available on many
individual widgets; although refreshing the dashboard page resets the update
interval on individual widgets, widgets will update according to their individual
preferences even if you disable the Refresh Page Every setting.
7. Optionally, select the Save As Private check box to associate the dashboard
with your user account and to prevent other users from viewing and
modifying the dashboard.
8. Click Save.
Your dashboard is created and appears in the web interface. You can now
tailor it to suit your needs by adding tabs and widgets (and, if you based it on
a pre-existing dashboard, by rearranging and deleting widgets). For more
information, see Modifying Dashboards on page 93.
Viewing Dashboards
Requires: Any
By default, the home page for your appliance displays the default dashboard. If
you do not have a default dashboard defined, the home page shows the
Dashboard List page, where you can choose a dashboard to view. To view the
details of all available dashboards, click Dashboards from the Dashboard toolbar.
TIP! You can configure your appliance to display a different default home page,
including pages that are not dashboard pages. You can also change the default
dashboard. For more information, see Specifying Your Home Page on page 35
and Specifying Your Default Dashboard on page 35.
Each dashboard has a time range that constrains its widgets. You can change the
time range to reflect a period as short as the last hour (the default) or as long as
the last year. When you change the time range, the widgets that can be
constrained by time automatically update to reflect the new time range.
Note that not all widgets can be constrained by time. For example, the dashboard
time range has no effect on the Appliance Information widget, which provides
information that includes the appliance name, model, and current version of the
Sourcefire 3D System software.
Keep in mind that for enterprise deployments of the Sourcefire 3D System,
changing the time range to a long period may not be useful for widgets like the
Custom Analysis widget, depending on how often newer events replace older
events.
You can also pause a dashboard, which allows you to examine the data provided
by the widgets without the display changing and interrupting your analysis.
Pausing a dashboard has the following effects:
• Individual widgets stop updating, regardless of any Update Every widget
preference.
• Dashboard tabs stop cycling, regardless of the Change Tabs Every setting in
the dashboard properties.
• Dashboard pages stop refreshing, regardless of the Refresh Page Every
setting in the dashboard properties.
• Changing the time range has no effect.
When you are finished with your analysis, you can unpause the dashboard.
Unpausing the dashboard causes all the appropriate widgets on the page to
update to reflect the current time range. In addition, dashboard tabs resume
cycling and the dashboard page resumes refreshing according to the settings you
specified in the dashboard properties.
IMPORTANT! Your session normally logs you out after 3.5 hours of inactivity, but
this does not happen while you are viewing a dashboard, unless the dashboard is
paused: an unpaused dashboard keeps the session logged in for as long as it is
displayed. Pause the dashboard or log out before leaving the console unattended.
To view a dashboard:
Access: Any except Restricted
Select Analysis & Reporting > Event Summary > Dashboards. You have two
options, depending on whether you have a default dashboard defined:
• If you have a default dashboard defined, it appears. To view a different
dashboard, use the Dashboards menu on the toolbar.
• If you do not have a default dashboard defined, the Dashboard List page
appears. Click View next to the dashboard you want to view.
The dashboard you selected appears.
Modifying Dashboards
Requires: Any
Each dashboard has one or more tabs. You can add, delete, and rename tabs.
Note that you cannot change the order of dashboard tabs.
Each tab can display one or more widgets in a three-column layout. You can
minimize and maximize widgets, add and remove widgets from tabs, as well as
rearrange the widgets on a tab.
You can also change the basic dashboard properties, which include its name and
description, the tab cycle and page refresh intervals, and whether you want to
share the dashboard with other users.
IMPORTANT! Any user, regardless of role, can modify shared dashboards. If you
want to make sure that only you can modify a particular dashboard, make sure to
set it as a private dashboard in the dashboard properties.
Adding Tabs
Requires: Any
Use the following procedure to add a tab to a dashboard.
You can now add widgets to the new tab. For more information, see Adding
Widgets on page 95.
Deleting Tabs
Requires: Any
Use the following procedure to delete a dashboard tab and all its widgets. You
cannot delete the last tab from a dashboard; each dashboard must have at least
one tab.
Renaming Tabs
Requires: Any
Use the following procedure to rename a dashboard tab.
To rename a tab:
Access: Any except Restricted
1. View the dashboard where you want to rename a tab.
For more information, see Viewing Dashboards on page 91.
2. Click the tab you want to rename.
3. Click the tab title.
A pop-up window appears, prompting you to rename the tab.
4. Type a name for the tab and click OK.
The tab is renamed.
Adding Widgets
Requires: Any
To add a widget to a dashboard, you must first decide to which tab you want to
add the widget. When you add a widget to a tab, the appliance automatically adds
it to the column with the fewest widgets. If all columns have an equal number of
widgets, the new widget is added to the left-most column. You can add a
maximum of 15 widgets to a dashboard tab.
TIP! After you add widgets, you can move them to any location on the tab. You
cannot, however, move widgets from tab to tab. For more information, see
Rearranging Widgets on page 97.
The widgets that you can add depend on the type of appliance you are using
and on your user role. They are organized according to function: Analysis &
Reporting, Operations, and Miscellaneous. You can view the widgets in each
category by clicking on the category name, or you can view all widgets by
clicking All Categories.
4. Click Add next to the widgets you want to add.
TIP! To add multiple widgets of the same type (for example, you may want
to add multiple RSS Feed widgets, or multiple Custom Analysis widgets),
click Add again.
The widget is immediately added to the dashboard. The Add Widgets page
indicates how many widgets of each type are on the tab, including the widget
you just added.
5. Optionally, when you are finished adding widgets, click Done to return to the
dashboard.
The tab where you added the widgets appears again, reflecting the changes
you made.
Rearranging Widgets
Requires: Any
You can change the location of any widget on a tab. Note, however, that you
cannot move widgets from tab to tab. If you want a widget to appear on a
different tab, you must delete it from the existing tab and add it to the new tab.
To move a widget:
Access: Any except Restricted
Click the title bar of the widget you want to move, then drag it to its new
location.
To minimize a widget:
Access: Any except Restricted
Click the minimize icon in a widget’s title bar.
To maximize a widget:
Access: Any except Restricted
Click the maximize icon in a minimized widget’s title bar.
Deleting Widgets
Requires: Any
Delete a widget if you no longer want to view it on a tab.
To delete a widget:
Access: Any except Restricted
1. Click the close icon in the title bar of the widget.
2. Confirm that you want to delete the widget.
The widget is deleted from the tab.
Deleting a Dashboard
Requires: Any
Delete a dashboard if you no longer need to use it.
If you delete your default dashboard, you must define a new default or the
appliance will force you to select a dashboard to view every time you attempt to
view a dashboard. For more information, see Specifying Your Default Dashboard
on page 35.
To delete a dashboard:
Access: Any except Restricted
1. Select Analysis & Reporting > Event Summary > Dashboards.
If you have a default dashboard defined, it appears; continue with the next
step.
If you do not have a default dashboard defined, the Dashboard List page
appears; skip to step 3.
See the following sections for more information about using the Defense Center
to manage your sensors:
• Management Concepts on page 100 describes some of the features and
limitations involved with managing your sensors with a Defense Center.
• Working in NAT Environments on page 112 describes the principles of
setting up the management of your sensors in Network Address Translation
environments.
• Working with Sensors on page 113 describes how to establish and disable
connections between sensors and your Defense Center. It also explains
how to add, delete, and change the state of managed sensors and how to
reset management of a sensor.
• Managing Sensor Groups on page 131 describes how to create sensor
groups as well as how to add and remove sensors from groups.
• Editing a Managed Sensor’s System Settings on page 133 describes the
sensor attributes you can edit and explains how to edit them.
• Managing a Clustered Pair on page 140 describes how to create a clustered
pair of 3D9900s and how to remove 3D9900s from clusters.
• Configuring High Availability on page 145 describes how to set up two
Defense Centers as a high availability pair to help ensure continuity of
operations.
Management Concepts
Requires: DC
You can use a Defense Center to manage nearly every aspect of a sensor’s
behavior. You can only use a single Defense Center to manage your sensor unless
you are using a second Defense Center as a part of a high availability pair. The
sections that follow explain some of the concepts you need to know as you plan
your Sourcefire 3D System deployment.
• The Benefits of Managing Your Sensors on page 100
• What Can Be Managed by a Defense Center? on page 101
• Understanding Software Sensors on page 105
• Beyond Policies and Events on page 111
• Using Redundant Defense Centers on page 112
to replicate the intrusion policy on each sensor, which can be a laborious task
depending on how many of the thousands of intrusion rules you want to enable or
disable. There is a similar savings when you create and apply RNA appliance and
detection policies to managed 3D Sensors with RNA.
You can also create and apply system policies to your managed sensors. A
system policy controls several appliance-level settings such as the login banner
and the access control list. Because most of the sensors in your deployment are
likely to have similar settings in the system policy, you can create the policy on
the Defense Center and push it to the appropriate sensors instead of replicating it
locally.
Second, when you manage a sensor with a Defense Center, all the intrusion
events and RNA events are automatically sent to the Defense Center. You can
view the events from a single web interface instead of having to log into each
sensor’s interface to view the events there. You can also generate reports based
on events from multiple sensors.
Third, if your Defense Center manages sensors with IPS and RNA, and those
sensors view the same network traffic, then the Defense Center can correlate the
intrusion events it receives with the information about hosts that RNA provides.
The Defense Center can then assign impact flags to each intrusion event. The
impact flag indicates how likely it is that an intrusion attempt will affect its target.
Fourth, you can use your Defense Center to configure external authentication
through a Lightweight Directory Access Protocol (LDAP) or Remote
Authentication Dial In User Service (RADIUS) server, so that users on your
Sourcefire 3D System appliances are authenticated against the external
directory. Authentication objects are created on the Defense Center and reach a
sensor only when you push a system policy that references them; external
authentication cannot be configured on the sensor itself, so you must use the
Defense Center to manage it.
Finally, the Defense Center includes a feature called health monitoring that you
can use to check the status of critical functionality across your Sourcefire 3D
System deployment. You can take advantage of health monitoring by applying
health policies to each of your managed sensors and then reviewing the health
data that they send back to the Defense Center. You can also apply a health policy
to the Defense Center to monitor its health.
If you apply a policy on a sensor before you begin managing it with a Defense
Center, you can see a read-only version of the policy on the Defense Center’s
web interface.
Similarly, after you set up communications with a Defense Center and apply
policies from the Defense Center to your sensor, you can see a read-only version
of the running policies on the sensor’s web interface. The following graphics
illustrate this process. First, before you set up sensor management, each
appliance has its own policies:
Then, after communications are set up, read-only versions of running policies
(represented by the dotted lines) are available:
The appliance where you originally create a policy is the policy’s “owner” and is
identified that way if you view the policy on a different appliance. For example, the
following graphic shows the Detection Engine page on a 3D Sensor with IPS. The
Sample Intrusion Policy that is currently applied to the sensor’s two detection
engines was created on the Defense Center (pine.example.com).
If you want to edit a policy, you must do it on the appliance where the policy was
created.
The following user-created data and configurations are retained locally on the
sensor and are not shared with the Defense Center:
• user accounts
• user preferences
• bookmarks
• saved searches
• custom workflows
• report profiles
• audit events
• syslog messages
• reviewed status for intrusion events (IPS only)
• contents of the clipboard (IPS only)
• incidents (IPS only)
If you create custom fingerprints on the Defense Center, they are automatically
shared with managed 3D Sensors with RNA.
Also note that operations you perform on data on one appliance are not
transmitted to other appliances. For example, if you delete an intrusion event
from the Defense Center, the event remains on the sensor that discovered it.
Similarly, deleting an intrusion event from a sensor does not delete it from the
Defense Center.
Software-based sensors do not have a user interface on the sensor; they can only
be managed from a Defense Center. In addition, some of the functionality in the
Defense Center interface cannot be used with software-based sensors. For some
software-based sensors, certain aspects of functionality are managed through
the operating system or other features on the appliance.
See the Supported Features for Intrusion Agents table for more information.
(Supported Features for Intrusion Agents table, column headings only: Supported
through Defense Center; Supported through CLI and .conf files; Not Supported.)
certain features cannot be used with these sensors. See the Supported Features
for 3Dx800 Sensors table for more information.
the sensors, certain features cannot be used with this software. See the
Supported Features for IPS on Crossbeam table for more information.
Backing Up a Sensor
If you are storing event data on your sensor in addition to sending it to the
Defense Center, you can use the Defense Center’s web interface to back up
those events from the sensor. See Performing Sensor Backup with the Defense
Center on page 419 for more information.
and are not sent to the Defense Center, but you can design a report on the
Defense Center, select a managed sensor, and run the report. If you set up the
report so that it is automatically emailed to you, you do not even need a user
account on the sensor to read the resulting report. See Working with Event
Reports on page 232 for more information.
Updating Sensors
From time to time, Sourcefire releases updates to the Sourcefire 3D System,
including:
• Security Enhancement Updates (SEUs), which can contain new and
updated intrusion rules, as well as new and updated preprocessors and
protocol decoders
• vulnerability database updates
• software patches and updates
You can use the Defense Center to push an update to the sensors it manages and
then automatically install the update.
be unique. However, you must use a unique NAT ID when adding the New York
3D Sensor to the Defense Center, and then use a different unique NAT ID when
adding the Miami 3D Sensor. Each NAT ID has to be unique among all NAT IDs
used to register sensors on the Defense Center.
TIP! The process for setting up communications between the Defense Center
and other products such as the Crossbeam-based software sensors, RNA
Software for Red Hat Linux, and the Intrusion Agents are slightly different. Refer
to the configuration guides for those products for more information.
When you manage Virtual 3D Sensors from the Defense Center, the field for a
Virtual Sensor count appears above the sensor list on the Sensors page. For details
about Virtual 3D Sensors, see the Virtual Defense Center and 3D Sensor
Installation Guide.
Sensor List
The first column lists the hostname, sensor type, sensor model, and software
version for each sensor. You can click the folder icon next to the name of the
category to expand and contract the list of sensors. If you use clustered 3D9900
sensors, they are designated in the sensor list by a peer icon.
When you hover over the peer icon, you can see which sensors are paired and if
you configured the sensor as a master or a slave.
Health Policy
The next column lists the health policy for the sensor, if one has been applied. You
can click the name of the health policy to view a read-only version of the policy.
See Editing Health Policies on page 530 for information about modifying an
existing health policy.
System Policy
The next column lists the currently applied system policy. The policy name and
the icon for the system policy in the top row highlight a special feature of the
Sensors page. If a policy has a different icon and its name is in italics, that
indicates the policy was modified after it was applied to the sensor. The icon and
the name of the policy in the bottom row indicate that the version applied to the
sensor is up to date. Note that this is the case for any policy that you create and
apply from the Defense Center.
As with the health policy, you can click the name of the system policy to view a
read-only version. See Managing System Policies on page 320 for more
information.
Status Icons
The status icons indicate the state of a sensor. The green check mark icon
indicates that the sensor and the Defense Center are communicating properly.
The red exclamation point icon indicates that the Defense Center has not
received communications from the sensor in the last three minutes. If you hover
your cursor over the icon, a pop-up window indicates the amount of time (in
hours, minutes, and seconds) since the last contact. If the Defense Center has
not received a communication from a sensor within the last two minutes, it sends
a two-byte heartbeat packet to establish contact and ensure that the
communications channel is still running. If your network is constrained in
bandwidth, you can contact technical support to change the default time interval.
Click the Edit icon next to a sensor if you want to change the sensor’s current
system settings. The system settings include the storage settings for the sensor,
the time, the remote management configuration, and access to the processes for
stopping and restarting the sensor or its software. See Editing a Managed
Sensor’s System Settings on page 133 for more information.
If you sort your Sensors page by sensor group, you can click the Edit icon next to
the name of a sensor group to modify the list of sensors that belong to the group.
See Editing Sensor Groups on page 132 for more information.
Click the Delete icon next to a sensor if you no longer want to manage the sensor
with the Defense Center. See Deleting Sensors on page 121 for more
information.
If you sort your Sensors page by sensor group, you can click the Delete icon next
to the name of a sensor group to remove the sensor group from the Defense
Center. See Deleting Sensor Groups on page 133 for more information.
IMPORTANT! If you registered a Defense Center and 3D Sensor using IPv4 and
want to convert them to IPv6, you must delete and re-register the sensor.
You must begin the procedure for setting up the management relationship
between a Defense Center and a sensor on the sensor.
Three fields are provided for setting up communications between appliances:
• Management Host - for the hostname or IP address.
• Registration Key - for registration key.
• Unique NAT ID - for a unique alphanumeric ID. Refer to Working in NAT
Environments on page 112 for more information.
Valid combinations include:
• Management Host and Registration Key on both appliances
• Registration Key and Unique NAT ID on the 3D Sensor, with Host, Registration
Key, and Unique NAT ID on the Defense Center
• Management Host, Registration Key, and Unique NAT ID on the 3D Sensor, with
Registration Key and Unique NAT ID on the Defense Center
In every combination the same registration key is entered on both appliances. If
either side omits the other’s address, a Unique NAT ID must be entered on both
sides, and it must not already be in use on that Defense Center.
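The following is an added example, not Sourcefire code, that encodes the rules this section states: the registration key must be the same on both appliances and is one-time use, a NAT ID must appear on both sides whenever either side lacks the other’s address, and a NAT ID must be unique among all sensors registered on a Defense Center. The scenario reuses the New York and Miami sensors mentioned earlier, placed behind the same NAT device so the Defense Center cannot address them; the class names, field names, keys and NAT IDs are hypothetical.

```python
# Added example, not Sourcefire code: a model of the registration rules in
# this section (registration key on both sides, one-time use, NAT ID on both
# sides whenever either side lacks the other's address, NAT ID unique per
# Defense Center). Class and field names are hypothetical.
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class SensorSide:
    management_host: Optional[str]   # Management Host field on the sensor (may be empty)
    registration_key: str
    nat_id: Optional[str]            # Unique NAT ID field on the sensor


@dataclass
class DefenseCenterSide:
    host: Optional[str]              # Host field on the Add New Sensor page (may be empty)
    registration_key: str
    nat_id: Optional[str]            # Unique NAT ID (optional) field


class Registry:
    """Tracks what one Defense Center has already consumed."""

    def __init__(self) -> None:
        self.used_keys: Set[str] = set()      # registration keys are one-time use
        self.used_nat_ids: Set[str] = set()   # NAT IDs must be unique on this DC

    def check(self, s: SensorSide, dc: DefenseCenterSide) -> List[str]:
        problems: List[str] = []
        if not (s.registration_key and dc.registration_key):
            problems.append("registration key is required on both appliances")
        elif s.registration_key != dc.registration_key:
            problems.append("registration keys do not match")
        elif s.registration_key in self.used_keys:
            problems.append("registration key has already been used")

        if s.nat_id or dc.nat_id:
            if not (s.nat_id and dc.nat_id):
                problems.append("NAT ID must be entered on both appliances when it is used")
            elif s.nat_id != dc.nat_id:
                problems.append("NAT IDs do not match")
            elif s.nat_id in self.used_nat_ids:
                problems.append("NAT ID %r is already registered" % s.nat_id)
            if not (s.management_host or dc.host):
                problems.append("at least one appliance must know the other's address")
        elif not (s.management_host and dc.host):
            problems.append("without a NAT ID, Management Host and Host are both required")
        return problems

    def register(self, s: SensorSide, dc: DefenseCenterSide) -> bool:
        problems = self.check(s, dc)
        if problems:
            raise ValueError("; ".join(problems))
        self.used_keys.add(s.registration_key)
        if s.nat_id:
            self.used_nat_ids.add(s.nat_id)
        return True


# Constructed scenario: two sensors behind the same NAT device, so the DC
# cannot address them and the Host field is left empty on the DC side.
NY_SENSOR = SensorSide("dc.example.com", "k-7f3a", "nyc-01")
NY_DC = DefenseCenterSide(None, "k-7f3a", "nyc-01")
MIAMI_SENSOR_BAD = SensorSide("dc.example.com", "k-91c0", "nyc-01")   # reused NAT ID
MIAMI_DC_BAD = DefenseCenterSide(None, "k-91c0", "nyc-01")
MIAMI_SENSOR = SensorSide("dc.example.com", "k-91c0", "mia-01")
MIAMI_DC = DefenseCenterSide(None, "k-91c0", "mia-01")
REPLAY_SENSOR = SensorSide("dc.example.com", "k-7f3a", None)          # reused key
REPLAY_DC = DefenseCenterSide("198.51.100.9", "k-7f3a", None)


def demo() -> List[List[str]]:
    """Run the scenario; returns the problem list for each attempt in order."""
    reg = Registry()
    results = []
    for s, dc in [(NY_SENSOR, NY_DC), (MIAMI_SENSOR_BAD, MIAMI_DC_BAD),
                  (MIAMI_SENSOR, MIAMI_DC), (REPLAY_SENSOR, REPLAY_DC)]:
        problems = reg.check(s, dc)
        results.append(problems)
        if not problems:
            reg.register(s, dc)
    return results


if __name__ == "__main__":
    for r in demo():
        print(r or ["ok"])
```

The second attempt fails because Miami reuses New York’s NAT ID, and the last one fails because it replays a registration key that has already established a channel; both are the conditions the procedure below tells you to avoid.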
5. In the Management Host field, type the IP address or the host name of the
Defense Center that you want to use to manage the sensor.
WARNING! Make sure you use hostnames rather than IP addresses if your
network uses DHCP to assign IP addresses.
TIP! You can leave the Management Host field empty if the management host
does not have a routable address. In that case, use both the Registration Key
and the Unique NAT ID fields.
6. In the Registration Key field, type the one-time use registration key that you
want to use to set up a communications channel between the sensor and the
Defense Center.
7. Optionally, in the Unique NAT ID field, type a unique alphanumeric ID that you
want to use to identify the sensor.
8. Click Save.
After the sensor confirms communication with the Defense Center, the
Pending Registration status appears.
9. Log into the Defense Center’s web interface using a user account with Admin
access, and select Operations > Sensors.
The Sensors page appears.
10. Click New Sensor.
The Add New Sensor page appears.
11. Type the IP address or the hostname of the sensor you want to add in the
Host field.
WARNING! Make sure you use hostnames rather than IP addresses if your
network uses DHCP to assign IP addresses.
12. In the Registration Key field, enter the same registration key that you used in
step 6.
13. If you used a NAT ID in step 7, enter the same ID in the Unique NAT ID
(optional) field.
14. You can store data on both the Defense Center and the sensor by clearing the
Store Events and Packets Only on the Defense Center check box.
By default, data is stored only on the Defense Center and not on the sensor.
15. You can prevent packet data from leaving a sensor by enabling the Prohibit
Packet Transfer to the Defense Center check box.
IMPORTANT! If you elect to prohibit sending packets and you do not store
events on the 3D Sensor, packet data is not retained. Packet data is often
important for forensic analysis.
16. To add the sensor to a group, select the group from the Add to Group list.
For more information about groups, see Managing Sensor Groups on
page 131.
17. Click Add.
The sensor is added to the Defense Center. It can take up to two minutes for
the Defense Center to verify the sensor’s heartbeat and establish
communication. You can view the sensor’s status on the Sensors page
(Operations > Sensors).
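As an added illustration (not from this guide or from Sourcefire), a small Python pre-flight check that encodes the three valid field combinations listed above, the requirement from steps 12 and 13 that the registration key and NAT ID match on both appliances, and the DHCP hostname warning. The class and function names are my own, and treating the three listed combinations as the only valid ones is an assumption.

```python
"""Pre-flight check for Defense Center <-> 3D Sensor registration fields.

Encodes the rules stated in the Administrator Guide: the valid combinations of
Management Host / Registration Key / Unique NAT ID, the key and NAT ID having
to match on both appliances, and the advice to use hostnames under DHCP.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

HOST, KEY, NAT_ID = "host", "registration_key", "nat_id"

# (fields filled in on the 3D Sensor, fields filled in on the Defense Center).
# Assumption: the guide's list of valid combinations is treated as exhaustive.
VALID_COMBINATIONS = (
    (frozenset({HOST, KEY}), frozenset({HOST, KEY})),
    (frozenset({KEY, NAT_ID}), frozenset({HOST, KEY, NAT_ID})),
    (frozenset({HOST, KEY, NAT_ID}), frozenset({KEY, NAT_ID})),
)


@dataclass(frozen=True)
class RegistrationFields:
    """What was typed on the sensor's Add Manager form or the DC's Add New Sensor form."""
    host: Optional[str] = None              # Management Host (sensor) / Host (DC)
    registration_key: Optional[str] = None  # one-time use registration key
    nat_id: Optional[str] = None            # Unique NAT ID, optional

    def used(self) -> FrozenSet[str]:
        """Names of the fields that were actually filled in (empty strings count as unused)."""
        return frozenset(
            name for name, value in (
                (HOST, self.host), (KEY, self.registration_key), (NAT_ID, self.nat_id))
            if value)


def is_ip_literal(host: str) -> bool:
    """True for an IPv4/IPv6 address literal, False for a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_registration(sensor: RegistrationFields, dc: RegistrationFields,
                       dhcp_in_use: bool = False) -> List[str]:
    """Return a list of problems; an empty list means the two forms are consistent."""
    problems: List[str] = []

    # 1. The pair of forms must be one of the valid combinations.
    if (sensor.used(), dc.used()) not in VALID_COMBINATIONS:
        problems.append(
            "field combination is not one of the valid combinations: "
            f"sensor={sorted(sensor.used())} dc={sorted(dc.used())}")

    # 2. Step 12: the Defense Center must use the same registration key.
    if sensor.registration_key != dc.registration_key:
        problems.append("registration key differs between sensor and Defense Center")

    # 3. Step 13: if a NAT ID was used on the sensor, the same ID goes on the DC.
    if sensor.nat_id and dc.nat_id and sensor.nat_id != dc.nat_id:
        problems.append("Unique NAT ID differs between sensor and Defense Center")

    # 4. The guide's warning: prefer hostnames when addresses come from DHCP.
    if dhcp_in_use:
        for side, fields in (("sensor", sensor), ("Defense Center", dc)):
            if fields.host and is_ip_literal(fields.host):
                problems.append(
                    f"{side} form names an IP address ({fields.host}) but the "
                    "network uses DHCP; use a hostname instead")
    return problems


if __name__ == "__main__":
    # Constructed example: sensor behind NAT, so its Management Host is empty
    # and both sides rely on the Registration Key plus Unique NAT ID.
    sensor_form = RegistrationFields(registration_key="k7f2", nat_id="branch-sensor-1")
    dc_form = RegistrationFields(host="sensor1.example.com",
                                 registration_key="k7f2", nat_id="branch-sensor-1")
    print(check_registration(sensor_form, dc_form, dhcp_in_use=True) or "OK")
```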
Deleting Sensors
Requires: DC + 3D Sensor
If you no longer want to manage a sensor, you can delete it from the Defense
Center. Deleting a sensor severs all communication between the Defense Center
and the sensor. To manage the sensor again at a later date, you must re-add it to
the Defense Center. To keep the sensor from trying to reconnect to the Defense
Center, you should also delete the manager on the sensor.
3. Using a user account with Admin access, log into the web interface of the
sensor you want to delete.
4. Select Operations > System Settings.
The Information page appears.
5. Click Remote Management.
The Remote Management page appears.
6. Click Delete next to the Defense Center where you want to reset
management.
The manager is removed. If the sensor has a system policy that causes it to
receive time from the Defense Center via NTP, the sensor reverts to local
time management.
To reset management:
Access: Admin
1. Log into the web interface of the Defense Center where you want to reset
communications.
2. Select Operations > Sensors.
The Sensors page appears.
2. In the Management Host field, type the IP address or the host name of the
Defense Center that you want to use to manage the sensor.
WARNING! Make sure you use hostnames rather than IP addresses if your
network uses DHCP to assign IP addresses.
You can leave the Management Host field empty if the management host
does not have a routable address. In that case, use both the Registration Key
and the Unique NAT ID fields.
3. In the Registration Key field, type the one-time use registration key that you
want to use to set up a communications channel between the sensor and the
Defense Center.
4. Optionally, in the Unique NAT ID field, type a unique ID that you want to use to
identify the sensor.
5. Click Save.
After the sensor confirms communication with the Defense Center, the
Pending Registration status appears.
6. Log into the Defense Center’s web interface using a user account with Admin
access, and select Operations > Sensors.
The Sensors page appears.
7. Click New Sensor.
The Add New Sensor page appears.
8. Type the IP address or the hostname of the sensor you want to add in the
Host field.
WARNING! Make sure you use hostnames rather than IP addresses if your
network uses DHCP to assign IP addresses.
9. In the Registration Key field, type the same one-time use registration key that
you used in step 3.
10. If you used a unique NAT ID in step 4, type the same value in the Unique NAT
ID field.
11. You can store data on both the Defense Center and the sensor by clearing the
Store Events and Packets Only on the Defense Center check box.
By default, data is stored only on the Defense Center and not on the sensor.
12. You can prevent packet data from leaving a sensor by checking the Prohibit
Packet Transfer to the Defense Center check box.
If you elect to prohibit sending packets and you do not store events on the
3D Sensor, packet data is not retained. Packet data is often important for
forensic analysis.
13. To add the sensor to a group, select the group from the Add to Group list.
For more information about groups, see Managing Sensor Groups on
page 131.
14. Click Add.
The sensor is added to the Defense Center. It can take up to two minutes for
the Defense Center to verify the sensor’s heartbeat and establish
communication. You can view the sensor’s status on the Sensors page
(Operations > Sensors).
In some high availability deployments where network address translation is
used, you may need to use the Add Manager feature a second time to add
the secondary Defense Center. Contact technical support for more
information.
10. In the Host field, type the IP address or the hostname of the sensor you want
to add.
11. In the Registration Key field, type the same one-time use registration key that
you used on the sensor.
12. If you used a NAT ID in step 4, type the same value in the Unique NAT ID field.
IMPORTANT! Because 3Dx800 sensors do not have any local storage for
events, make sure the Store Events and Packets Only on the Defense Center check
box is selected.
13. You can prevent packet data from leaving a sensor by checking the Prohibit
Packet Transfer to the Defense Center check box.
If you prohibit sending packets to the Defense Center, packet data, which is
often important for forensic analysis, is not retained anywhere.
14. To add the sensor to a group, select the name of the group from the Add to
Group list.
For more information about groups, see Managing Sensor Groups on
page 131.
15. Click Add.
The 3Dx800 is added to the Defense Center.
It can take up to two minutes for the Defense Center to verify the sensor’s
heartbeat and establish communication.
3. In the Group Name field, type the name of the group you want to create.
4. Click Save.
The group is added.
5. To add sensors to the group, return to the Sensors page (Operations > Sensors)
and click Edit next to the name of the sensor group.
The Sensor Group Edit page appears.
6. Select the IP addresses or hostnames of the sensors you want to add from
the Available Sensors list and click the arrow to move them into the sensor group.
7. Click Save.
The sensors are added to the group.
Moving a sensor to a new group does not change its policy to the policy
previously applied to the group. To change the sensor’s policy, you must apply a
new policy to the sensor or sensor group. See Applying an Intrusion Policy in the
Analyst Guide for details.
3. Select the sensor you want to move and click the arrow to add or remove it
from the group.
• To add a sensor to the group, select it from the Available Sensors list and
click the arrow pointing toward the group you are editing.
• To remove a sensor from a group, select it from the list in the group you
are editing and click the arrow pointing to the Available Sensors list.
4. Click Done.
manage one or more sensors with a Defense Center, you can modify their
system settings through the Defense Center’s web interface.
IMPORTANT! You cannot edit the network settings or add a license file to a
sensor through the Defense Center’s web interface. You must perform those
tasks on the sensor’s web interface (generally before you begin to manage the
sensor with the Defense Center). See Configuring System Settings on page 360
for more information about system settings.
Sensor Information
Field - Description
Name - The assigned name for the managed sensor. Note that this is the name of
the sensor in the Defense Center web interface, not the hostname.
Store Events Only on Defense Center - Enable this check box to store event data
on the Defense Center, but not the managed sensor. Clear this check box to store
event data on both appliances.
Prohibit Packet Transfer to the Defense Center - Enable this check box to prevent
the managed sensor from sending packet data with the events. Clear this check
box to allow packet data to be stored on the DC with events.
Model Number - The model number for the sensor. This number can be important
for troubleshooting.
Current Group - The sensor group that the sensor belongs to, if any. See Creating
Sensor Groups on page 131 for more information.
2. Click Edit next to the name of the sensor whose system settings you want to
edit.
The Information page for that sensor appears. See the Sensor Information
table on page 135 for a description of each field.
4. Click Save.
The updated sensor attributes are saved.
WARNING! If you shut down the appliance, the process shuts down the
operating system on the appliance, but does not physically shut off power. To
shut off power, you must press the power button on the appliance.
2. Click Edit next to the name of the sensor that you want to manage.
The Information page for that sensor appears.
3. Click Remote Management in the list to the left of the page.
The Remote Management page appears.
4. Click Disable next to the name of the sensor.
After you establish the relationship between the two sensors, they act like two
separate sensors with a single, shared detection configuration. For information on
the detection engines, interface set, and data from a clustered pair, see:
• Using Detection Engines on Clustered 3D Sensors on page 228
• Understanding Interface Sets on Clustered 3D Sensors on page 229
• Managing Information from a Clustered 3D Sensor on page 230
The Defense Center manages the clustered pair, and local management is
blocked on the shared portion of the clustered pair. The following diagram shows
interfaces on the master and slave sensors.
For information about the connections between the master and slave 3D9900
sensors, see the Cluster Interconnect table.
Cluster Interconnect
Master Interface    Slave Interface
ethb2 RX            ethb0 TX
ethb2 TX            ethb0 RX
ethb3 RX            ethb1 TX
ethb3 TX            ethb1 RX
You connect the master to the network and the slave to the master. You
determine the master/slave designation by the way you cable the pair. After you
establish the relationship, you cannot change which sensor is the master or slave
unless you break and reestablish the relationship using the Defense Center.
For more information, see:
• Establishing a Clustered Pair on page 142
• Separating a Clustered Pair on page 144
IMPORTANT! You cannot connect the slave’s ethb2 and ethb3 pair when you
establish the clustered pairing.
For more information about cabling, see the Sourcefire 3D Sensor Installation
Guide.
After you establish the master/slave relationship, the detection engines and
interface set are combined on the two sensors.
IMPORTANT! If you apply an RNA detection policy to the RNA detection engines
on two different 3D9900 sensors and then establish clustering with those two
sensors, you must edit and reapply your detection policy after you establish
clustering.
There is one detection engine and interface set shared over the paired 3D9900
sensors. They are managed from the Defense Center, instead of the 3D9900
sensors.
If you attempt to manage the combined detection engines and interface set on
the paired 3D9900 sensors, the following message is displayed.
TIP! If you edit a 3D9900 that is not cabled as the master, you cannot
perform the next series of steps.
The System Settings page appears and there is a Clustering field at the
bottom.
3. In the Clustering field, under status, select the sensor you want to form a
cluster with. For example, if the other member of your pair is
birch.example.com, select Clustered with birch.example.com.
Clustering is established and a confirmation message appears.
4. Review the confirmation message and confirm the correct Master/Slave
pairing.
4. Click Save.
5. Review the confirmation message. Note the Master/Slave pairing and click OK
to confirm that you want to separate the clustered pair.
The 3D9900 sensors separate and the confirmation message disappears.
WARNING! Before you establish high availability, if you have any user
accounts with the same name on both Defense Centers, make sure you
remove duplicate user accounts from one of the Defense Centers. Also,
because both Defense Centers must have an admin account, you must
make sure that the admin account uses the same password on both
Defense Centers.
• custom dashboards
• authentication objects for Sourcefire 3D System user accounts
• custom workflows
• custom tables
• sensor attributes, such as the sensor’s host name, where events generated
by the sensor are stored, and the group in which the sensor resides
• intrusion, RNA, and RUA detection engines
• intrusion policies and their associated rule states
• local rules
• custom intrusion rule classifications
• variable values and user-defined variables
IMPORTANT! If your deployment includes intrusion agents and you are also
using a Master Defense Center to manage your linked Defense Centers,
make sure you register all intrusion agents to the primary Defense Center.
TIP! If you employ an HA paired Defense Center as an NTP server, the NTP
function does not automatically switch. However, you can synchronize time with
multiple alternative NTP servers. For 3D Sensors, you can point to one Defense
Center as your first NTP server and the other Defense Center as your second NTP
server. For more information, see Synchronizing Time on page 354.
Although system policies are shared by Defense Centers in a high availability pair,
they are not automatically applied. If you want identical system policies on both
Defense Centers, apply the policy after it synchronizes.
Defense Centers in an HA pair share the following system and health policy
information:
• system policies
• system policy configurations (what policy is applied where)
• health policies
• health monitoring configurations (what policy is applied where)
• which appliances are blacklisted from health monitoring
• which appliances have individual health monitoring policies blacklisted
Feature Licenses
Requires: DC
Defense Centers in an HA pair do not share RNA, RUA, and NetFlow licenses:
• Both Defense Centers must have RNA host licenses if you want to manage
3D Sensors with RNA with the high availability pair.
• While NetFlow data and devices are shared, the two Defense Centers must
have enough NetFlow licenses to merge the list of devices on each, if you
want to use NetFlow data to supplement the data gathered by your
3D Sensors with RNA.
• While RUA LDAP authentication objects are shared, both Defense Centers
must have RUA licenses if you want to manage 3D Sensors with RUA with
the high availability pair.
cycles.) However, during this ten-minute window, policies may appear incorrectly
on the other Defense Center.
For example, if you create a policy on your primary Defense Center and apply it to
a sensor that is also managed by your secondary Defense Center, the sensor
could contact the secondary Defense Center before the Defense Centers contact
each other. Because the sensor has a policy applied to it that the secondary
Defense Center does not recognize, the secondary Defense Center displays a
new policy with the name “unknown” until the Defense Centers synchronize.
Also, if you make conflicting policy or other changes to both Defense Centers
within the same window between Defense Centers syncs, the last change you
make takes precedence, regardless of the designations of the Defense Center as
primary and secondary.
Defense Centers configured as a high availability pair do not need to be on the
same trusted management network, nor do they have to be in the same
geographic location. For more information, see Guidelines for Implementing High
Availability on page 149.
TIP! To avoid confusion, start with the secondary Defense Center in its
original state. That is, you have not created or modified any policies, nor
created any new rules, nor have you previously managed any sensors with
it. To make sure the secondary Defense Center is in its original state, use
the Restore CD to remove changed settings. Note that this also deletes
event and configuration data from the Defense Center.
Before you configure high availability, make sure you synchronize time settings
between the Defense Centers you want to link. For details on setting time, see
Synchronizing Time on page 354.
WARNING! Make sure you use hostnames rather than IP addresses if your
network uses DHCP to assign IP addresses.
You can leave the Primary DC Host field empty if the management host does
not have a routable address. In that case, use both the Registration Key and
the Unique NAT ID fields.
5. Type a one-time-use registration key in the Registration Key text box.
6. Optionally, in the Unique NAT ID field, type a unique alphanumeric registration
ID that you want to use to identify the primary Defense Center. See Working
in NAT Environments on page 112 for more information.
7. Click Register.
A success message appears, and the Peer Manager page appears, showing
the current state of the secondary Defense Center.
8. Using an account with Admin access, log into the Defense Center that you
want to designate as the primary.
9. Select Operations > Configuration > High Availability.
The High Availability page appears.
10. Click the primary Defense Center option.
The Primary Defense Center Setup page appears.
11. Type the hostname or IP address of the secondary Defense Center in the
Secondary DC Host text box.
WARNING! Make sure you use hostnames rather than IP addresses if your
network uses DHCP to assign IP addresses.
12. Type the same one-time-use registration key in the Registration Key text box
you used in step 5.
13. If you used a unique NAT ID on the secondary Defense Center, type the
same registration ID that you used in step 6 in the Unique NAT ID text box.
14. Click Register.
A success message appears, and the Peer Manager page appears, showing
the current state of the primary Defense Center.
Depending upon the number of policies and custom standard text rules they
have, it may take up to 10 minutes before all the rules and policies appear on
both Defense Centers. You can view the High Availability page to check the
status of the link between the two Defense Centers. You can also monitor
the Task Status to see when the process completes. See Monitoring the High
Availability Status on page 152.
3. Under High Availability Status, you can view the following information about
the other Defense Center in the high availability pair:
• the IP address
• the model name
• the software version
• the operating system
• the length of time since the last contact between the two Defense
Centers
4. The two Defense Centers automatically synchronize within ten minutes (five
minutes for each Defense Center) after any action that affects a shared
feature. For example, if you create a new policy on one Defense Center, it is
automatically shared with the other Defense Center within 5 minutes.
However, if you want to synchronize the policy immediately, click Synchronize.
You can use the Master Defense Center to build and dispatch global detection
and intrusion policies. When you apply intrusion policies from a Master Defense
Center, the Sourcefire 3D System checks the SEU on the managing Defense
Center. If it finds an older SEU, it updates the managing Defense Center’s SEU.
The Master Defense Center can also aggregate events related to the health of
managed Defense Centers. In this way, you can view the current status of the
Defense Centers across your enterprise from a web interface.
IMPORTANT! The Product Compatibility section of the release notes for each
version describes which versions of the Defense Center you can manage with a
Master Defense Center.
The following sections explain more about using a Master Defense Center in your
Sourcefire 3D System deployment.
• Understanding Event Aggregation on page 157 explains which types of
events you can send from your Defense Centers to your Master Defense
Center.
• Understanding Global Policy Management on page 161 explains which
policies you can send from your Master Defense Center to 3D Sensors and
Defense Centers.
• Adding and Deleting Defense Centers on page 164 explains how to
configure a Defense Center to communicate with a Master Defense Center.
• Editing Settings for a Managed Defense Center on page 175 explains how
to change some of the settings for a Defense Center from the Master
Defense Center’s web interface.
• Managing Appliance Groups on page 179 explains how to use appliance
groups to aid in managing 3D Sensors and Defense Centers.
IMPORTANT! You must deploy both RNA and IPS on your network to generate
intrusion events with meaningful impact flags. If you do not deploy 3D Sensors
with RNA on your network, then intrusion events are limited to gray impact flags
to indicate unknown impact.
When you use the Filter Configuration page to specify which events are
forwarded to the Master Defense Center, you can choose to send or not send
compliance events. See the following sections for more information:
• Adding a Defense Center on page 168
• Editing the Event Filter Configuration on page 176
Analysis and reporting
Master Defense Center: search allows you to search for intrusion events,
compliance events, white list events, SEU import log, audit log, health events.
Defense Center: allows you to search for intrusion events, RNA events, hosts,
host attributes, services, client applications, flow data, vulnerabilities,
compliance events, white list events, white list violations, remediation status,
SEU import log, audit log, health events, scan results, users, and RUA events.
Network scans
Master Defense Center: does not provide for Nessus and Nmap scans.
Defense Center: provides Nessus and Nmap scans and results.
Event consolidation
Master Defense Center: allows for collection of events from up to ten Defense
Centers.
Defense Center: events are collected only from managed 3D Sensors.
Event Rate
The event rate limit for the Master Defense Center is the same as the rate limit
on Defense Centers. This means that if your Defense Centers are accepting events
from their 3D Sensors up to the rate limit, you must adjust the event filter on the
Master Defense Center so that only the most important events are forwarded
from the Defense Centers. For example, in cases where the intrusion event rate
is high, you might want to adjust the filter to send only intrusion events with red
impact flags. You can also limit the amount of data transferred between a
Defense Center and its Master Defense Center by sending only intrusion event
data, and not sending the packet data.
Intrusion Agents
Intrusion events generated by intrusion agents are not forwarded to the Master
Defense Center.
• Managing Intrusion Rules in the Analyst Guide explains how to enable and
disable intrusion rules within an intrusion policy. This section also explains
how to configure rules in inline intrusion policies so that they drop malicious
packets.
• Importing SEUs and Rule Files in the Analyst Guide explains how to
download and import Security Enhancement Updates (SEUs) that contain
new intrusion rules. Note that SEUs can also contain new and updated
decoders and preprocessors.
• database limits
• DNS cache settings
• the mail relay host and a notification address for database prune messages
• language selection (English or Japanese)
• login banner
• the kinds and amount of RNA data stored in the database (Defense Center
only)
• time synchronization settings
See Managing System Policies on page 320 for information about system policy
usage.
TIP! Before applying a filtered policy, you must apply a non-filtered policy to the
detection engine from the same Defense Center or Master Defense Center. You
cannot apply a non-filtered policy from a Defense Center then add filters to it from
a managing Master Defense Center.
deployment includes RNA, you can view host profiles from event views by
clicking the host profile icon next to an IP address.
Health Policies
The Master Defense Center monitors its health and the health of connected
Defense Centers. Master Defense Centers apply health policies only to Master
Defense Centers and Defense Centers. Default 3D Sensor, Default IPS, Default
IPS (3Dx800 only), and Default RNA Health Policies are not used on the Master
Defense Center.
Currently, only the generic Default Health Policy is available for editing and
application to appliances. For a listing of the health policy modules that apply to
Defense Centers, see the Enabled Defense Center Health Modules - Default
Health Policy table on page 493. For a listing of the health policy modules that
apply to Master Defense Centers, see the Enabled MDC Health Modules - Default
Health Policy table on page 494. Policies that are not applicable are implicitly
disabled when there is an attempt to apply them to a Defense Center or a
Master Defense Center. For details about editing appropriate health policies, see
Editing Health Policies on page 530.
System Policies
System policies are applied only to Master Defense Centers and Defense Centers
from a Master Defense Center.
TIP! Set up the managed appliance first. At a Defense Center, add the remote
management, then at the managing Master Defense Center, add the Defense
Center.
To add a Master Defense Center, you need to determine which events on the
Defense Center you want to forward to the Master Defense Center.
5. In the Management Host field, type the IP address or the host name of the
Master Defense Center that you want to use to manage the Defense Center.
WARNING! Make sure you use hostnames rather than IP addresses if your
network uses DHCP to assign IP addresses.
You can leave the Management Host field empty if the management host does
not have a routable address. In that case, use both the Registration Key and
the Unique NAT ID fields.
6. In the Registration Key field, type the one-time use registration key that you
want to use to set up a communications channel between the Master
Defense Center and the Defense Center.
7. Optionally, in the Unique NAT ID field, type a unique alphanumeric NAT ID that
you want to use to identify the Defense Center.
8. Click Save.
After the Defense Center confirms communication with the Master Defense
Center, the Pending Registration status appears.
9. Log into the Master Defense Center’s web interface using a user account
with Admin access, and select Operations > Appliances.
The Defense Centers page appears.
11. Type the IP address or the hostname of the Defense Center you want to add
in the Host field.
WARNING! Make sure you use hostnames rather than IP addresses if your
network uses DHCP to assign IP addresses.
You can leave the Host field empty if the host does not have a routable
address. In that case, use both the Registration Key and the Unique NAT ID
fields.
12. In the Registration Key field, type the same one-time use registration key that
you used in step 6.
13. If you used a unique NAT ID in step 6, type the same value in the Unique NAT
ID (optional) field.
14. Under Filter Configuration, identify the types of events you want to forward
from the Defense Center to the Master Defense Center.
Note that if you select intrusion events, you can send events or events and
packet data. You can also filter which intrusion events are forwarded based on
their impact flag. If you chose to send compliance events to the Master
Defense Center, white list events are also sent. See Editing the Event Filter
Configuration on page 176 for more information.
IMPORTANT! You must select at least one type of flag if you want to send
intrusion events.
TIP! Set up the managed appliance first. At a Defense Center, add the remote
management, then at the managing Master Defense Center add the Defense
Center.
To add a Defense Center, you need to predetermine which events on the Defense
Center you want to forward to the Master Defense Center.
5. In the Management Host field, type the IP address or the host name of the
Master Defense Center that you want to use to manage the Defense Center.
WARNING! Make sure you use hostnames rather than IP addresses if your
network uses DHCP to assign IP addresses.
TIP! You can leave the Management Host field empty if the management host
does not have a routable address. In that case, use both the Registration Key
and the Unique NAT ID fields.
6. In the Registration Key field, type the one-time use registration key that you
want to use to set up a communications channel between the Master
Defense Center and the Defense Center.
7. Optionally, in the Unique NAT ID field, type a unique alphanumeric NAT ID that
you want to use to identify the Defense Center.
8. Click Save.
After the Defense Center confirms communication with the Master Defense
Center, the Pending Registration status appears.
9. Log into the Master Defense Center’s web interface using a user account
with Admin access, and select Operations > Appliances.
The Defense Centers page appears.
10. Click New Defense Center.
The New Defense Center page appears.
11. Type the IP address or the hostname of the Defense Center you want to add
in the Host field.
WARNING! Make sure you use hostnames rather than IP addresses if your
network uses DHCP to assign IP addresses.
12. In the Registration Key field, type the same one-time use registration key that
you used in step 6.
13. If you used a NAT ID in step 7, type the same value in the Unique NAT ID
(optional) field.
14. Under Filter Configuration, identify the types of events you want to forward
from the Defense Center to the Master Defense Center.
Note that if you select intrusion events, you can send events or events and
packet data. You can also filter which intrusion events are forwarded based on
their impact flag. If you chose to send compliance events to the Master
Defense Center, white list events are also sent. See Editing the Event Filter
Configuration on page 176 for more information.
IMPORTANT! You must select at least one type of flag if you want to send
intrusion events.
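An added Python model (not Sourcefire's code) of the Filter Configuration rules described in step 14 above and in the Event Rate discussion: the at-least-one-flag constraint, events-only versus events-and-packets, white list events riding along with compliance events, and intrusion agent events never being forwarded. The impact flag names other than red and gray, the event fields, and the function names are assumptions, and the sample event stream is constructed.

```python
"""Model of which events a Defense Center forwards to its Master Defense Center."""
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, Iterable, List, Optional

# Assumption: impact flag colours beyond the red and gray named in the guide.
IMPACT_FLAGS = ("red", "orange", "yellow", "blue", "gray")


@dataclass(frozen=True)
class FilterConfig:
    send_intrusion_events: bool = False
    impact_flags: FrozenSet[str] = frozenset()  # which impact flags to forward
    send_packet_data: bool = False              # events only, or events and packets
    send_compliance_events: bool = False        # white list events are sent with these

    def validate(self) -> List[str]:
        """The guide's constraint: at least one flag if intrusion events are sent."""
        problems: List[str] = []
        if self.send_intrusion_events and not self.impact_flags:
            problems.append("select at least one impact flag to send intrusion events")
        unknown = self.impact_flags - set(IMPACT_FLAGS)
        if unknown:
            problems.append(f"unknown impact flags: {sorted(unknown)}")
        return problems


@dataclass(frozen=True)
class Event:
    kind: str                       # "intrusion", "compliance", "white_list", "rna", ...
    impact: Optional[str] = None    # impact flag, intrusion events only
    from_intrusion_agent: bool = False
    packet: Optional[bytes] = None  # captured packet data, if any


def forward(cfg: FilterConfig, event: Event) -> Optional[Event]:
    """Return the event as the Master Defense Center receives it, or None if dropped."""
    if event.kind == "intrusion":
        # Intrusion agent events are never forwarded to the Master Defense Center.
        if not cfg.send_intrusion_events or event.from_intrusion_agent:
            return None
        if event.impact not in cfg.impact_flags:
            return None
        # "Events only" strips the packet data before it crosses the link.
        return event if cfg.send_packet_data else replace(event, packet=None)
    if event.kind in ("compliance", "white_list"):
        # Choosing compliance events also sends white list events.
        return event if cfg.send_compliance_events else None
    return None  # RNA, flow and similar data stay on the Defense Center


def forwarded_summary(cfg: FilterConfig, events: Iterable[Event]) -> Dict[str, int]:
    """Count forwarded events and the packet bytes that crossed the link."""
    counts = {"events": 0, "packet_bytes": 0}
    for ev in events:
        out = forward(cfg, ev)
        if out is None:
            continue
        counts["events"] += 1
        counts["packet_bytes"] += len(out.packet or b"")
    return counts


# Constructed sample stream, as a Defense Center might see it from its sensors.
SAMPLE_EVENTS = [
    Event("intrusion", "red", packet=b"\x00" * 60),
    Event("intrusion", "orange", packet=b"\x00" * 1400),
    Event("intrusion", "gray", packet=b"\x00" * 100),
    Event("intrusion", "red", from_intrusion_agent=True),
    Event("compliance"),
    Event("white_list"),
    Event("rna"),
]

if __name__ == "__main__":
    everything = FilterConfig(True, frozenset(IMPACT_FLAGS), True, True)
    red_events_only = FilterConfig(True, frozenset({"red"}), False, False)
    print("all flags + packets:", forwarded_summary(everything, SAMPLE_EVENTS))
    print("red, events only:   ", forwarded_summary(red_events_only, SAMPLE_EVENTS))
```

Comparing the two summaries shows how the "red impact flags, no packet data" filter the Event Rate section suggests cuts both the event count and the bytes sent to the Master Defense Center.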
2. In the Management Host field, type the IP address or the host name of the
Master Defense Center that you want to use to manage the Defense Center.
WARNING! Make sure you use hostnames rather than IP addresses if your
network uses DHCP to assign IP addresses.
TIP! You can leave the Management Host field empty if the management host
does not have a routable address. In that case, use both the Registration Key
and the Unique NAT ID fields.
3. In the Registration Key field, type the one-time use registration key that you
want to use to set up a communications channel between the Defense
Center and the Master Defense Center.
4. Optionally, in the Unique NAT ID field, type a unique alphanumeric NAT ID that
you want to use to identify the Defense Center. See Working in NAT
Environments on page 112 for more information.
5. Click Save.
After the Defense Center confirms communication with the Master Defense
Center, the Pending Registration status appears.
6. Log into the Master Defense Center’s web interface and select Operations >
Appliances.
The Defense Centers page appears.
7. Click New Defense Center.
The Add New Defense Center page appears.
8. Type the IP address or the hostname of the Defense Center you want to add
in the Host field.
WARNING! Make sure you use hostnames rather than IP addresses if your
network uses DHCP to assign IP addresses.
9. In the Registration Key field, type the same one-time use registration key that
you used in step 3.
10. If you used an alphanumeric NAT ID in step 4, type the same value in the
Unique NAT ID (optional) field.
11. To add the Defense Center to a group, select the group from the Add to Group
list.
For more information about Defense Center groups, see Managing Appliance
Groups on page 179.
12. Click Add.
The Defense Center is added to the Master Defense Center. It can take up to
two minutes for the Master Defense Center to verify communication with the
Defense Center. You can view the Defense Center’s status on the Defense
Centers page (Operations > Appliances).
• Manager, which sorts by the Defense Center then the 3D Sensor connected
to it.
• Model, which sorts by appliance model number, that is, the Defense Center
1000 and the Defense Center 3000, 3D Sensor 2100, and so on.
Status Icons
The status icons indicate the state of a Defense Center. The green check mark
icon indicates that the Master Defense Center and the Defense Center are
communicating properly. The red exclamation point icon indicates that the Master
Defense Center has not received communications from the Defense Center in
the last three minutes. If you hover your cursor over the icon, a pop-up window
indicates the amount of time (in hours, minutes, and seconds) since the last
contact. If the Master Defense Center has not received a communication from a
Defense Center within the last two minutes, it sends a two-byte heartbeat packet
to establish contact and ensure that the communications channel is still running.
If your network is constrained in bandwidth, you can contact technical support to
change the default time interval.
Click the Edit icon next to a sensor if you want to change the Defense Center’s
current system settings. The system settings include the filter configuration for
the Defense Center, the remote management configuration, the health blacklist
settings, and the high availability settings. See Editing Settings for a Managed
Defense Center on page 175 for more information.
Click the Delete icon next to a Defense Center if you no longer want to manage
the Defense Center with the Master Defense Center. See Deleting a Defense
Center on page 171 for more information.
Field Description
Name: The assigned name for the Defense Center. Note that this is the name of the Defense Center in the Master Defense Center web interface, not the hostname.
Product Model: The model name for the managed Defense Center.
Model Number: The model number for the Defense Center. This number can be important for troubleshooting.
Current Group: The group that the Defense Center belongs to, if any.
2. Click Save.
The updated Defense Center attributes are saved.
flag means. Note that you must deploy both RNA and IPS as part of your
Sourcefire 3D System deployment to generate meaningful impact flags.
TIP! If you set up the 3D Sensor so it does not send packet data to the
intermediate Defense Center, then packet data is not forwarded to the Master
Defense Center.
3. In the Intrusion Events area, use the drop-down list to indicate whether you
want to forward intrusion events to the Master Defense Center. The options
are Do Not Send, Events Only, and Events and Packet Data.
4. If you indicated that you want to send intrusion events, then you must specify
which events you want to send based on their impact flag. The Flags options
are:
• All
• Black (or Drop)
• Red (or Vulnerable)
• Orange (or Potentially Vulnerable)
• Yellow (or Currently Not Vulnerable)
• Blue (or Unknown Target)
• Gray (or Unknown)
TIP! If you select All, then all the options are immediately selected. If you
want to send intrusion events to the Master Defense Center, then you must
select at least one impact flag option.
5. In the Compliance Events area, use the drop-down list to indicate whether
you want to forward compliance events to the Master Defense Center. The
options are Do Not Send and Send.
6. Click Save.
Your settings are saved and the Defense Center begins forwarding the events
you specified to the Master Defense Center that manages it.
To disable communications between the Defense Center and the Master Defense Center:
Access: Admin
Click Disable next to the name of the Defense Center. Communications
between the two appliances are interrupted.
To enable communications between the two appliances again, click Enable.
For more information about editing the Management Virtual Network, see Editing
the Management Virtual Network on page 385.
TIP! When using Intrusion Agents registered to Defense Centers configured for
high availability and managed by a Master Defense Center, register all Intrusion
Agents to the primary Defense Center.
TIP! A light bulb icon shows which of the high availability paired Defense
Centers is currently active.
TIP! You must remove an appliance from its current group before you can add it
to a new group.
Moving an appliance to a new group does not change any of its policies or
configurations.
2. Click Save.
The updated Master Defense Center attributes are saved.
TIP! Because Master Defense Centers do not currently use Management Virtual
Networks, their real IP network is used to serve time.
WARNING! If the appliance is rebooted and your DHCP server sets an NTP
server record different than the one you specify here, the DHCP-provided NTP
server will be used instead. To avoid this situation, you should configure your
DHCP server to set the same NTP server.
For more information about setting system time, see Synchronizing Time on
page 354.
TIP! You cannot use the RUA feature on Crossbeam-based software sensors. In
addition, you cannot use RUA or RNA on 3D9800 sensors. However, you can
combine the data from those sensors with RUA or RNA on a Defense Center.
The following sections describe the detection engines and interface set features
and how you can use them in your Sourcefire 3D System deployment:
• Understanding Detection Engines on page 186 explains detection engines
in more detail, including some of the limitations based on the sensor model.
This section also describes how default detection engines are configured.
• Managing Detection Engines on page 193 explains how to create, edit, and
delete detection engines.
• Using Detection Engine Groups on page 197 explains how to create and
use detection engine groups.
• Using Variables within Detection Engines on page 199 explains how to use
detection engine-specific variable values to tailor your detection capabilities
to more closely match your infrastructure.
• Using Interface Sets on page 207 describes how to create interface sets
and how to use them with detection engines.
• Using Interface Set Groups on page 223 describes how to create and use
interface sets groups.
• Inline Fail Open Interface Set Commands on page 225 explains how to force
an interface set in and out of bypass mode when using an inline fiber fail
open interface set.
• Using Clustered 3D Sensors on page 227 explains how to use detection
engines and interface sets in a clustered 3D9900 sensor pairing.
You can sort the available detection engines by group, sensor, policy,
detection engine type, or interface set type.
PEP Policy
Only 3D9900 sensors provide the PEP feature. For more information on the PEP
feature, see Using PEP to Manage Traffic in the Analyst Guide.
Set Type
An interface set refers to a grouping of one or more sensing interfaces on a
sensor, although a sensing interface can belong to only one interface set at a
time. The Sourcefire 3D System supports three types of interface sets, but the
interface options available to you depend on the type of sensor and the
capabilities of its sensing interfaces. The three interface types are described in
the Interface Set Types table.
Type Description
Passive: Use a passive interface set if you deployed the sensor out of band from the flow of network traffic.
Inline: Use an inline interface set if you deployed the sensor inline on your network and the sensing interfaces do not support automatic fail-open capabilities. Note that you can use any two of the non-fail-open interfaces on the sensor’s network interface cards as part of an inline interface set. (The exception is on 3D9900s, where pairs are pre-determined.)
Inline with Fail Open: Use an inline with fail open interface set if you deployed the sensor inline on your network and the sensing interfaces do support automatic fail-open capabilities. Note that you must use paired fail-open interfaces on the sensor’s network interface cards for an inline with fail open interface set.
You can use RNA or RUA to monitor the traffic that passes through any of the
three types of interface sets.
See Using Interface Sets on page 207 for more information about creating and
editing interface sets.
Policy
3D Sensors have different capabilities and limitations depending on whether you
licensed IPS, RUA, or RNA. You can determine the name and state of IPS and
RNA policies from the following information in the policy column:
• If you change an IPS or RNA policy and have not applied it to the detection
engine since the change, then the icon has an exclamation point and the
name is italicized.
TIP! After you upgrade your sensor to version 4.9, the following features are
available.
• You can click the name of an IPS policy to see details about the running
policy. For more information see Viewing an Intrusion Policy Report in the
Analyst Guide.
• If there is a network or VLAN filter applied to the IPS policy, you can click
More or the down icon and view the type of filter (Net for network or VLAN for
virtual LAN). If you hover above the name you can view the network or
VLAN range of the filter. If you want to remove the currently applied filter
from the IPS policy, click the delete icon next to the filter name.
• If you want to remove the currently applied IPS policy from the detection
engine, click the delete icon next to the intrusion policy name. The
delete icon only appears next to the base policy when there are no network
or VLAN filters applied.
Sensor
The sensor column provides the name of the sensor where the policy is applied.
It also provides the following capabilities:
• If you want to edit or delete a detection engine, click Edit or Delete next to its
sensor name. See Editing a Detection Engine on page 194 and Deleting a
Detection Engine on page 197 for more information.
• If you want to list, add, edit, reset, or delete variables associated with a
detection engine’s IPS or RNA policy, click Variables. See Using Variables
within Detection Engines on page 199 for more information.
• If you want to reapply all policies for the detection engine, click Reapply All,
then OK to confirm.
For more information, see Understanding Detection Resources and 3D Sensor
Models on page 189.
When you configure a new sensor, it has a predefined detection engine that you
can choose to modify to meet your needs. See Understanding Default Detection
Engines for more information.
3D2100 2 3 No restrictions
3D2500 2 4 No restrictions
3D3000 2 4 No restrictions
3D3500 2 6 No restrictions
3D3800 2 2 No restrictions
3D4500 4 8 No restrictions
3D5800 6 6 No restrictions
3D6500 8 12 No restrictions
3D9800 12 12 No restrictions
3D9900 7 12 No restrictions
Virtual 3D Sensor 3 3 No restrictions
IMPORTANT! For the 3D3000 on the IBM xSeries 346 appliance, note that the
default detection engine does not include the second on-board interface. If you
modify the default detection engine to include it, the detection engine may not
provide optimum performance.
If you want to change either the number of detection resources or the interfaces
assigned to the default detection engine, see Editing a Detection Engine on
page 194.
3. In the Name and Description fields, enter a name and description for the new
detection engine.
You can use alphanumeric characters, punctuation, and spaces.
4. Select the type of detection engine that you want to create from the Type
drop-down list: IPS, RNA, or RUA.
5. Optionally, add the detection engine to an existing detection engine group.
See Using Detection Engine Groups on page 197 for information on creating
and modifying detection engine groups.
6. Select the interface set that you want to assign to this detection engine.
See Using Interface Sets on page 207 for information about creating and
modifying interface sets.
7. Select the number of detection resources for this detection engine.
IMPORTANT! On the 3D500, you can only use one of the two detection
resources for IPS. The second detection resource is available only if you want
to create a second detection engine for RNA or RUA. See the Detection
Resources by Model table on page 190 for more information.
8. Optionally, if you are creating an IPS detection engine and if you are using a
3D Sensor other than a 3D500, 3D1000, or 3D3800, you can select Inspect
Traffic During Policy Apply.
TIP! This option may degrade performance when you apply a policy and may
result in longer policy-apply periods. However, if this option is employed, the
detection engine does not restart and interrupt traffic inspection when the
policy is applied.
9. Click Save.
The detection engine is created.
IMPORTANT! For most 3D Sensors with inline interface sets, a software bridge
is automatically set up to transport packets when the sensor restarts. Although
some packets are transmitted without inspection during this time, no packets are
lost.
The following sections describe some of the cases where a detection engine is
affected by changes to the detection engines and interface sets:
3Dx800 Sensors
• If you change the number of network interfaces, the interface set type, or
the setting for tap mode or transparent mode for an interface set, all the
detection engines using that interface set are restarted.
• If you change the number of detection resources, which interface set is
used, or the detection engine type, only that detection engine is restarted
(although other CPUs may be restarted to rebalance the processing load).
Other Sensors
• If you change which network interfaces are used by an interface set, all the
detection engines on the sensor are restarted.
• If you change an interface set’s transparent mode setting, or interface set
type, all detection engines assigned to that interface set are restarted.
• If you change a detection engine’s interface set, all detection engines on the
sensor are restarted.
• If you change the number of detection resources allocated to a detection
engine, all the detection engines on the sensor are restarted.
• If you change the detection engine type for a detection engine, that
detection engine is restarted.
• When you create a detection engine, all the detection engines on the
sensor are restarted because the total number of allocated resources has
changed.
• If you delete a detection engine or interface set, all detection engines on
the sensor are restarted.
• If you create an interface set, nothing is restarted. A restart occurs only
when you assign a detection engine to the interface set.
• If you change the name or description of an interface set or detection
engine, nothing is restarted.
Make sure you plan these actions for times when they will have the least impact
on your deployment.
TIP! On your 3D Sensor Software for Crossbeam Systems X-Series, you may
want to remove any affected VAPs from the load-balanced list until the associated
detection engines restart, then reinstate the VAPs. For more information, see the
Sourcefire 3D Sensor Software for X-Series Installation Guide.
You can modify the name, description, group, and number of detection
resources for the detection engine. You cannot modify the detection engine
type. If you need to change the detection engine type, you must delete the
detection engine and create a new one. In the case of an IPS detection
engine you can also select if traffic is inspected while a policy is being
applied.
TIP! The Inspect Traffic During Policy Apply option is not available on 3D500,
3D1000, or 3D3800 sensors.
3. Click Save.
Your changes are saved.
3. Type a name for the detection engine group in the Group Name field.
4. Click Save.
The Detection Engine page appears again. You can add detection engines to
this group by clicking Edit next to a detection engine name and, on the Edit
Detection Engine page, adding the detection engine to the group and clicking
Update.
variable value rather than creating another detection engine-specific value for
HOME_NET.
You can also create new variables for use only within the context of the detection
engine. You can create detection engine-specific variables and set detection
engine-specific values for system default variables within an intrusion policy or
from the detection engine Variable List page. Configuration details in this section
relate to the detection engine Variable List page. For configuration details related
to setting detection engine-specific variables within an intrusion policy, see
Creating New Variables in the Analyst Guide.
Creating a detection engine-specific variable from the detection engine Variable
List page also creates a corresponding system default variable with the value set
to any. You can view the explicit detection engine-specific value you configured in
the list of variables for the detection engine within each policy, or on the detection
engine Variable List page for the detection engine. You can view the
corresponding new system default variable in the list of system default variables
within each policy, and on the Variable list page for all other detection engines
where it is listed with the value set to Policy Defined, which means that the value
specified in the policy will be used when you apply the policy. Optionally, you can
modify the variable in the intrusion policies and detection engines where it is
added automatically to give it a specific definition. When they exist, a detection
engine-specific variable value takes precedence over a policy-specific or system
default value for the same variable. If you disable a variable defined on the
Variable List page by resetting the variable, the definition reverts to the definition
in the intrusion policy the next time you apply the policy.
Variables use the same syntax and must follow the same guidelines regardless of
whether you create or define them from within intrusion policies or from the
detection engine Variable List page. See Creating New Variables in the Analyst
Guide and Modifying Variables in the Analyst Guide for more information.
4. Enter a value for the variable and click Save. See Creating New Variables in the
Analyst Guide for information about variable syntax.
The Variable List page appears again and shows the new value for the
variable. The variable takes effect the next time you apply an intrusion policy
to the detection engine, as described in Applying an Intrusion Policy in the
Analyst Guide.
6. In the Value field, enter a value for the variable and click Save. See Creating
New Variables in the Analyst Guide for information about the syntax for
variables.
The Variable List page appears again and shows the new variable and its
value.
The variable is created and is accessible to all policies as a system default
variable. It is listed in the variable list for the detection engine in all intrusion
policies with the explicitly set value, and listed for all other detection engines
on the Variable List page with a value of Policy Defined. The variable takes
effect the next time you apply an intrusion policy to the detection engine, as
described in Applying an Intrusion Policy in the Analyst Guide.
2. Click Variables next to the detection engine where you want to delete or reset
a variable value.
The Variable List page appears.
4. Create and apply an intrusion policy for the multi-resource detection engine.
Make sure you match the type of intrusion policy to the type of interface set
that you created in step 1. Also, make sure you disable portscan detection in
this policy.
5. Create and apply an intrusion policy to the portscan-only detection engine.
The policy should inherit or be set to the following settings in the layer in your
intrusion policy where you enable portscan detection (See Creating an
Intrusion Policy in the Analyst Guide, Working with Layers, and Applying an
Intrusion Policy in the Analyst Guide for more information):
• Select the No Rules Active Base Policy and make sure the Protection
Mode is Passive. See Selecting the Base Policy in the Analyst Guide for
more information. Note that all rules are disabled on the Rules page.
• Ensure that the DCE/RPC Configuration preprocessor, the HTTP
Configuration preprocessor, the SMTP Configuration preprocessor (under
Application Layer Preprocessors), and Back Orifice Detection (under Specific
Threat Detection) are disabled. See Enabling and Disabling Advanced IPS
Features in the Analyst Guide for more information.
• Ensure that OPSEC Configuration (under External Responses) is disabled.
• Enable IP Defragmentation (under Transport/Network Layer Preprocessors)
and make sure it is configured for your environment (using the Hosts
option). See Enabling and Disabling Advanced IPS Features in the
Analyst Guide for more information.
• You should not change the default settings for Checksum Verification or
Packet Decoding (under Transport/Network Layer Preprocessors), items
listed under Performance Statistics, or Rule Processing Configuration.
• Enable Portscan Detection and configure it for your network environment.
See Detecting Portscans in the Analyst Guide for more information.
• Make sure portscan rules are enabled for the types of portscans you
configure.
See the following table for a list of 3D Sensors and each of their applicable
interface features.
Supported Features by 3D Sensor Model
3D Sensor Model | Transparent Inline Mode | Link State Propagation Mode | Tap Mode | Jumbo Frames | Automatic Application Bypass | Enable Fail-safe | PEP
• Inline
For most sensors, an inline interface set can include any two interfaces. The
interfaces do not have to be on the same network cards, but you should
avoid using an on-board interface.
However, an inline interface set on a 3D3800 or 3D5800 sensor can include
up to four interface pairs, and an inline interface set on a 3D9800 sensor can
include up to the total number of interface pairs on the sensor. Note that
interface pairs on the same fiber-based NIM will act as fail open interfaces
even if you assign them to an inline interface set. That is, if the power fails
or the Snort process halts, network traffic continues to flow through the
sensor as it would for an inline with fail open interface set.
• Inline with Fail Open
For most sensors, an inline with fail open interface set must include exactly
one interface pair. However, an inline with fail open interface set on a
3D3800 or 3D5800 sensor can include up to four interface pairs, and an
inline with fail open interface set on a 3D9800 sensor can include up to the
total number of interface pairs on the sensor.
You can set up multiple detection engines to use a single interface set, except on
the 3D9800 sensor, which only supports a single IPS detection engine. For
example, you could create a single passive interface set and create two detection
engines, one for an IPS and the other for RNA, then apply different policies to the
detection engines.
If you disable this option, a sensor acts as a bridge. Over time, the sensor learns
which hosts are on which side of the inline interface, and forwards packets
accordingly. For example, consider the following diagram.
If your sensor is deployed inline (or more precisely, if your sensor includes a
detection engine with an inline interface set) and the Transparent Inline Mode
option is selected, then if the sensor sees network traffic from Host A to Host B,
it allows the traffic to pass through the interface even though Host A and Host B
are on the same side of the sensor.
If the sensor is inline and you are not using transparent inline mode, when the
sensor sees traffic from Host A to Host B, it does not allow the traffic to pass
through the interface to the side of the network with Host C. Only traffic between
Host A and Host C or between Host B to Host C is allowed to pass.
Keep in mind that if you create an inline interface set but do not use transparent
inline mode, you must be especially careful not to create loops in your network
infrastructure.
3Dx800 sensors run in transparent inline mode, and you cannot disable it.
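The forwarding behaviour described above, modelled as an added example (not Sourcefire code): an inline interface pair in transparent inline mode passes every frame straight through, while a pair with the option disabled learns which side each host is on and refuses to forward same-side traffic. Host names A, B, C and the interface numbers are constructed for the illustration.

```python
"""Constructed model of an inline interface pair with and without
Transparent Inline Mode.  Interface 0 and interface 1 are the two
sensing interfaces of the pair; hosts are identified by a label that
stands in for a MAC address.  Not Sourcefire's implementation."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Frame:
    src: str       # sending host (constructed label, e.g. "A")
    dst: str       # destination host
    ingress: int   # interface of the pair the frame arrived on: 0 or 1


@dataclass
class InlinePair:
    transparent: bool
    # Bridge-learning table: host label -> interface it was last seen on.
    learned: Dict[str, int] = field(default_factory=dict)

    def handle(self, frame: Frame) -> Optional[int]:
        """Return the egress interface for the frame, or None if the pair
        does not forward it to the other side."""
        other = 1 - frame.ingress
        if self.transparent:
            # Transparent inline mode: whatever arrives on one interface
            # leaves on the other, regardless of where the hosts sit.
            return other
        # Bridge mode: remember which side the sender is on.
        self.learned[frame.src] = frame.ingress
        side = self.learned.get(frame.dst)
        if side is None:
            # Unknown destination: a bridge floods it to the other side.
            # This flooding is why the guide warns about loops when
            # transparent inline mode is disabled.
            return other
        if side == frame.ingress:
            # Destination already known to be on the same side: the traffic
            # does not need to cross the sensor, so it is not forwarded.
            return None
        return other


def scenario(transparent: bool) -> Dict[str, Optional[int]]:
    """Replay the guide's scenario: Hosts A and B on interface 0, Host C on
    interface 1.  Returns the egress decision for each labelled flow after
    enough traffic has passed for the bridge to learn every host's side."""
    pair = InlinePair(transparent=transparent)
    warm_up = (("A", "C", 0), ("C", "A", 1), ("B", "C", 0))
    for src, dst, ingress in warm_up:
        pair.handle(Frame(src, dst, ingress))
    return {
        "A->B": pair.handle(Frame("A", "B", 0)),  # same side as A
        "A->C": pair.handle(Frame("A", "C", 0)),  # crosses the sensor
        "B->C": pair.handle(Frame("B", "C", 0)),  # crosses the sensor
    }


if __name__ == "__main__":
    for mode in (True, False):
        label = "transparent" if mode else "bridge"
        print(label, scenario(mode))
```

With transparent inline mode the A->B flow is forwarded out interface 1; in bridge mode it is not, while A->C and B->C still cross the sensor.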
Tap Mode
Tap mode is available for the 3D3800, 3D5800, 3D9900, and later versions of
the 3D9800 3D Sensor when you create an inline or inline with fail open interface set.
TIP! 3D9800 sensors with earlier versions of firmware do not support tap mode.
The Sourcefire 3D System checks the 3D9800 firmware version and displays the
optional tap mode check box in the Create Interface Set page when appropriate.
With tap mode, the sensor is deployed inline, but instead of the packet flow
passing through the sensor, a copy of each packet is sent to the sensor and the
network traffic flow is undisturbed. Because you are working with copies of
packets rather than the packets themselves, rules that you set to Drop and rules
that use the replace keyword do not affect the packet stream. However, rules of
these types do generate intrusion events when they are triggered.
There are benefits to using tap mode with sensors that are deployed inline. For
example, you can set up the cabling between the sensor and the network as if
the sensor were inline and analyze the kinds of intrusion events the sensor
generates. Based on the results, you can modify your intrusion policy and add the
drop rules that best protect your network without impacting its efficiency. When
you are ready to deploy the sensor inline, you can disable tap mode and begin
dropping suspicious traffic without having to reconfigure the cabling between the
sensor and the network.
IMPORTANT! Fiber interface sets configured as inline fail-open, other than those
on 3D9900s, must be in hardware bypass mode for link state propagation to
function correctly. For more information about fiber interface sets and hardware
bypass, see Removing Bypass Mode on Inline Fail Open Fiber Interfaces on
page 225.
Link state propagation mode automatically brings down the second interface in
the interface pair when one of the interfaces in an inline interface set goes down.
When the downed interface comes back up, the second interface automatically
comes back up, too. In other words, if the link state of one interface changes, the
link state of the other interface is changed automatically to match it. Link state
propagation is available for both copper and fiber fail-open NIMs.
Jumbo Frames
Jumbo frames are Ethernet frames with a frame size greater than the standard
1518 bytes. Typical maximum sized jumbo frames are 9018 bytes. Most gigabit
Ethernet network interface cards support jumbo frames to increase efficiency. If
your 3D Sensor and interface supports jumbo frames, set the maximum frame
size for the interface using the Create Interface Set page.
3D Sensors that support jumbo frames include:
• 3D6500
• 3D9800 (9018-byte jumbo frames are always accepted)
• 3D9900
Note that since the 3D9800 is set to always accept the maximum size frame, you
do not need to set it in the Create Interface Set page.
Note also that frames larger than the configured maximum frame size are silently
dropped by the sensor.
To see a list of which 3D Sensors you can use Automatic Application Bypass
Monitoring on, see the Supported Features by 3D Sensor Model table on
page 208.
If a detection engine is bypassed, 3D Sensors generate a health monitoring alert.
For more information on the health monitoring alert, see Configuring Automatic
Application Bypass Monitoring on page 502.
Enabling Fail-Safe
The Create Interface Set page includes an additional option for 3D9900 sensors:
the Enable Fail-Safe option. The Enable Fail-Safe option is only available on inline
interface configurations. When you enable the Enable Fail-Safe option, traffic is
allowed to bypass detection and continue through the sensor. 3D9900 sensors
monitor internal traffic buffers and bypass detection engines if those buffers are
full.
IMPORTANT! The procedure for creating an inline interface set for 3Dx800
sensors is slightly different. For more information, see the next section, Creating
an Inline Interface Set.
3. Type a name and description for the new interface set in the Name and
Description fields.
You can use alphanumeric characters and spaces.
4. Select the type of interface you want to create, Passive, Inline, or Inline with
Fail Open, from the Interface Set Type drop-down list.
5. Optionally, select an existing interface set group or select Create New Group to
create a new interface set group. See Using Interface Set Groups on
page 223 for more information.
6. Optionally, if you selected the Inline or Inline with Fail Open option, clear the
Transparent Inline Mode check box to disable transparent mode.
7. If you selected either the Inline or Inline with Fail Open option and you are not
configuring a Crossbeam-based software sensor, then optionally, select Link
State Propagation Mode. This option is especially useful if the routers on your
network are able to re-route traffic around a network device that is down.
10. Optionally, if you are configuring an interface set on a 3D6500 or 3D9900,
type a maximum frame size for your IP traffic in the Maximum Frame Size field.
You can set any jumbo frame size between 1518 and 9018 bytes, inclusive.
On the Defense Center only, a list of sensor groups appears, including a list of
ungrouped sensors.
The following shows a 3D9900 interface set.
11. Defense Center Only Select the sensor group containing the sensors where you
want to create the interface set. You can also select the ungrouped sensors.
A list of sensors appears.
12. Defense Center Only Select one of the sensors from the list.
A list of network interfaces on the sensor appears.
13. Select the interfaces that you want to add from the Available Interfaces list
and click the arrow button to add the interface to the Selected Interfaces list.
You can use the Shift and Ctrl keys to select multiple interfaces at once.
Determining which interface name corresponds with a physical interface on
your sensor depends on the model:
• For most 3D Sensors, log into the console and disconnect the network
cable from the interface. A message appears on the console indicating
the name of the interface (eth1, eth2, and so on). Remember to
reconnect the network cable when you are finished.
• For 3Dx800 sensors, the names that appear in the Available Interfaces
list correspond to the slot number and interface location. For example,
s0.e0 corresponds to the leftmost interface on the network interface
module (NIM) in I/O Slot 0 on the back of your appliance.
• For 3D Sensor Software for Crossbeam Systems X-Series, the names
that appear in the Available Interfaces list correspond to the device
names you assigned to the circuits you created on the X-Series.
For more information, see the Installation Guide for your sensor or sensor
software.
Different types of interface sets have different requirements. For example,
you can include all of the available interfaces in a passive interface set, but
inline interface sets must contain exactly two interfaces (except on 3Dx800
sensors). Inline with fail open interface sets must contain one pair of
interfaces from the same fail-open network card.
TIP! After you create an interface set, make sure you reapply intrusion
policies to the IPS detection engines on the affected sensor.
3D Sensor deployment. Later, you can refine policies for specific connected
network segments and their requirements.
TIP! Although the default interface set on 3D Sensors includes all the available
inline interface pairs, in many cases you can improve performance by modifying
the interface set to include only the inline interface pairs your network requires.
You can also use multiple interface pairs when your network employs
asynchronous routing, as shown in the following graphic.
Your network may be set up to route traffic between a host on your network and
external hosts through different interface pairs depending on whether the traffic
is inbound or outbound. If you include only one interface pair in an interface set,
the sensor might not correctly analyze your network traffic because a detection
engine might see only half of the traffic.
For most 3D Sensors with inline interface sets, a software bridge is automatically
set up to transport packets when the sensor restarts. Although some packets are
transmitted without inspection during this time, no packets are lost.
3. Type a name and description for the new interface set in the Name and
Description fields.
You can use alphanumeric characters and spaces.
4. Select the type of inline interface you want to create.
• For a 3Dx800 sensor, choose either Inline or Inline with Fail Open, from
the Interface Set Type drop-down list.
• For Crossbeam-based software sensors, choose Inline from the
Interface Set Type drop-down list.
A list of sensor groups appears, including a list of ungrouped sensors.
5. Optionally, select an existing interface set group or select Create New Group to
create a new interface set group. See Using Interface Set Groups on
page 223 for more information.
7. Optionally, if you are configuring an interface set on a 3D9900, select the
Enable Fail-safe check box to enable traffic pass-through during application
bypass.
8. Optionally, if you are configuring an interface set on a 3D6500 or 3D9900,
type a maximum frame size for your IP traffic in the Maximum Frame Size field.
You can set any jumbo frame size between 1518 and 9018 bytes, inclusive.
On the Defense Center only, a list of sensor groups appears, including a list of
ungrouped sensors.
The following shows a 3D9900 interface set.
TIP! 3D9800 sensors with earlier versions of firmware do not support tap
mode. The Sourcefire 3D System checks the 3D9800 firmware version and
displays the optional tap mode check box in the Create Interface Set page
when appropriate.
12. Optionally, for a 3D3800 or 3D5800 sensor, select Link State Propagation Mode.
This option is especially useful if the routers on your network are able to
re-route traffic around a network device that is down.
TIP! The link lights on fiber fail-open NIMs remain lit even when the link
state is down on 3D3800 or 3D5800 sensors with link state propagation
enabled.
IMPORTANT! Note that link state propagation is not available for Crossbeam-
based software sensors or 3D9800 sensors.
The following sections describe some of the cases where a detection engine is
affected by changes to the detection engines and interface sets:
3Dx800 Sensors
• If you change the number of network interfaces, the interface set type, or
transparent mode for an interface set, all the detection engines using that
interface set are restarted.
• If you change an interface set’s tap mode setting, all detection engines
assigned to that interface set are restarted.
TIP! After you edit an interface set used by an IPS detection engine, make
sure you reapply your intrusion policy on the affected sensor.
Type a name for the interface set group in the Group Name field.
3. Click Save.
The Interface Set page appears again.
You can add interface sets to an interface set group by clicking Edit next to an
interface set group name and, on the Interface Group Edit page, adding
available interface sets to the group and clicking Save.
3. Select available interface sets and move them to the interface set group
with the arrow buttons.
You can also move interface sets out of the interface set group.
4. Click Save to add the selected interface sets to the interface set group.
The Available Interface Sets page appears.
TIP! This tool works on most 3D Sensors with inline with fail open fiber interface
pairs. It is not necessary to use this tool on inline with fail open copper interface
pairs or to use this tool with 3D9900 sensors.
IMPORTANT! Make sure you contact Technical Support if you are having issues
with the fail open interfaces on your sensor.
To force a fiber inline fail open interface set out of bypass mode:
Access: Admin
1. Open a terminal window on your 3D Sensor and enter the command su and
the root password to switch to the root user.
2. Enter the following at the command line:
/var/sf/bin/unbypass_cards.sh
3. When the interfaces switch out of bypass mode, a message in syslog
indicates the 3D Sensor is analyzing traffic. For example:
Fiber pair has been reset by un_bypass
TIP! Note that this tool works only with inline with fail open interface pairs. You
cannot use it with non-fail open inline interface sets.
To force an inline fail open interface set into bypass mode, you must know which
two interfaces are included in the interface set. You can determine this
information on the Interface Sets page.
IMPORTANT! Make sure you contact Technical Support if you are having issues
with the fail open interfaces on your sensor.
You can see if the sensor is a master or slave, and which sensor it is paired with,
when you hover over the peer icon.
By combining two 3D9900 sensors as a clustered pair, you can combine their
detection engines. In a clustered pair, the slave’s ethb0 and ethb1 connect to the
master and its ethb2 and ethb3 are not connected. Because the detection
engines and interface sets are combined, you can only manage them from a
Defense Center and not from one of the clustered sensors.
When you combine two 3D9900 sensors as a clustered pair, the Defense Center
displays the single interface set of the master sensor. You use the combined
detection engines as a single entity except when viewing information from the
clustered pair. For more information, see:
• Using Detection Engines on Clustered 3D Sensors on page 228
• Understanding Interface Sets on Clustered 3D Sensors on page 229
• Managing Information from a Clustered 3D Sensor on page 230
When you create or edit a detection engine formed by the clustered 3D Sensors,
the detection resources are listed as from both sensors.
IMPORTANT! You cannot use the Policy & Response menu on the local GUI of a
paired 3D Sensor; those pages are replaced with an informational page.
IMPORTANT! If you collect statistics from clustered 3D9900s, add the data from
both sensors of the detection engine to measure the total.
For example, the clustered 3D Sensors detection engine could be: Z inline DE
(birch.example.com, fir.example.com), where Z inline DE is the detection engine,
birch.example.com is the master sensor, and fir.example.com is the slave
sensor. When you examine information from the clustered pair, it is listed as
from both Z inline DE / birch.example.com and from Z inline DE / fir.example.com.
A Select Detection Engines list from the Intrusion Event Statistics page is shown
below.
• dashboards
• RNA statistics
• network map
• searches
IMPORTANT! If you use eStreamer to stream event data from a clustered pair of
3D9900s to an external client application, collect the data from both 3D9900s and
ensure that you configure each 3D9900 identically. The eStreamer settings are
not automatically synchronized over the pair.
The Sourcefire 3D System provides a flexible reporting system that you can use
to generate a variety of event reports. Event reports include the data that you see
on the event view pages for each type of event presented in a report format.
The Report Types table describes the reports you can create and the components
required for producing them. For example, the RNA Events report appears under
the RNA report category on the Report Designer page. You must have an RNA
host license on the Defense Center managing your 3D Sensor, and you must
configure the RNA component for that sensor to collect RNA events. Similarly,
the Intrusion Events report appears under the IPS report category and requires
the IPS component on a 3D Sensor. You can run the report on the 3D Sensor or
on the Defense Center that manages the sensor.
Report Types
You can use a predefined report profile to generate your report, or use it as a
template for an event report profile which can be customized by modifying field
settings as appropriate and saving the report with the new values. For information
on modifying a predefined or existing report profile, see Editing Report Profiles on
page 263.
You can create a new report profile through the use of the Report Designer. For
more information on how to create and save report profiles, see Understanding
Report Profiles on page 241.
You can include a summary report for intrusion events and RNA events by
selecting the appropriate radio button in your report profile. For more information
on each of the summary reports, see Using Summary Reports on page 255.
You can generate reports in PDF, HTML or comma-separated value (CSV) formats,
and include custom options such as a corporate logo or footers, and a short
description of the report. For information on how to incorporate these options into
your reports, see Working with Report Options on page 258.
TIP! If you need to go back to the drill-down page where you opened the
Report Designer, click Return to Calling Page at the bottom of the Report
Designer page.
6. Click OK to confirm that you want to save the current parameters as a report
profile.
The report profile is saved and the report generates in the output formats you
selected.
7. To view the report, click Reports in the toolbar, then click the report name on
the Reporting page that appears.
The report appears.
Each report is listed with the report name as defined in the report profile plus the
date and time the report was generated, who generated it, and whether it is
stored locally or remotely. The default location for report storage is listed at the
top of the page; for local, NFS, and SMB storage, the appliance provides the disk
usage of the storage device.
Each report has one of the following file extensions appended to the report name:
• .csv for comma-separated value reports
• .pdf for PDF reports
• .zip for HTML reports (HTML reports are zipped along with the necessary
graphics)
Finally, the appliance lists the status of each of the reports, which indicates
whether it has yet to be generated (for example, for scheduled tasks), it has
already been generated, or whether the generation failed (for example, due to
lack of disk space).
Note that only Series 2 Defense Centers support remote storage of reports. You
can enable or disable remote storage using the Enable Remote Storage for Reports
check box. If you disable remote storage, the Defense Center hides any
previously generated remotely stored reports. In addition, if you change the
remote storage location, the Defense Center hides reports not stored in the new
location. To configure remote storage, click Remote Storage on the toolbar. For
more information, see Managing Remote Storage on page 393.
TIP! You can also save reports locally. For more information, see the next
section, Downloading Generated Reports.
3. Enable the check boxes next to the reports you want to download, then click
Download.
TIP! Enable the check box at the top left of the page to download all reports
on the page. If you have multiple pages of reports, a second check box
appears that you can enable to download all reports on all pages.
TIP! Enable the check box at the top left of the page to delete all reports on
the page. If you have multiple pages of reports, a second check box appears
that you can enable to delete all reports on all pages.
3. Enable the check boxes next to the reports you want to move, then click
Move.
TIP! Enable the check box at the top left of the page to move all reports on
the page. If you have multiple pages of reports, a second check box appears
that you can enable to move all reports on all pages.
TIP! You can also use report profiles as the basis for remote reports by
creating a profile as described in Creating a Report Profile on page 246. When
you run the report, make sure you select the name of the sensor and click Run
Report Remotely.
Predefined reports are provided by the Sourcefire system: Blocked Events, High
Priority Events, and Host Audit. The following graphic shows the Blocked Events
report profile on the Defense Center version of the page.
The following tables provide the default settings for each of the predefined report
profiles. Note that if you modify the default settings, you have created a new
report profile; you must save the report profile with a new name to preserve your
new settings. The Report Options area is not included in these charts.
The High Priority Events report profile provides information on intrusion events as
well as the host criticality of hosts involved in the intrusion events for the past
twenty-four hours. This report profile is available only on a Defense Center that
manages 3D Sensors with RNA and IPS.
The Host Audit report profile provides operating system details for the past week
on systems less than two network hops away from 3D Sensors with RNA. This
report profile is available only on the Defense Center that manages 3D Sensors
with RNA.
The Working with Report Options on page 258 section explains how to set the
output format of the report (PDF, HTML, or comma-separated value (CSV)), how to
add a custom footer or logo, and how to use the option that emails the report.
TIP! You can also reach the Report Designer page from any event view by
clicking Report Designer on the toolbar.
The Report Name can be any name using 1-80 alphanumeric characters, periods,
dashes, parentheses, and spaces.
The Report Category defines which system feature is examined in the report.
Select from the Report Categories table.
Report Categories
Select...          If you...
IPS                have an IPS license and you want to report on intrusion events
                   with or without source or destination criticality, or the SEU
                   import log.
                   Use this option to select a workflow on one or more detection
                   engines to search for blocked events, high impact or high
                   priority events, common concerns, public or private addresses
                   only, or exploits that target client/server issues, or various
                   services. For example, you can create a report which searches
                   for IP-specific high impact intrusion events on a specified
                   detection engine. For information on IPS Report Type options,
                   see IPS Category Report Types on page 251.
RNA                are using a Defense Center with an RNA host license and you want
                   to report on host attributes, RNA client applications,
                   vulnerabilities, intrusion events with source criticality, hosts
                   with services, RNA hosts, RNA events, RNA services, or scan
                   results.
                   Use this option to search hosts for blocked or high priority
                   events. For example, you can create a report which searches
                   selected detection engines for RNA client applications. For more
                   information on RNA Report Type options, see RNA Category Report
                   Types on page 252.
RUA                are using a Defense Center with an RUA host license and you want
                   to search one or more detection engines to examine the RUA
                   Events and users, and generate a report which can include
                   sections with a Table View of Events and Users. For example, you
                   can create a report which searches selected detection engines
                   for RUA events.
Compliance         are using a Defense Center with an RNA host license and you want
                   to report on white list violations, remediation status,
                   compliance events, or white list events. For example, you can
                   create a report which searches a selected detection engine for
                   RNA compliance events.
Health Monitoring  are using a Defense Center and you want to report on the health
                   of your sensors.
The Report Type is a subset of the Report Category and provides a greater level of
detail to the report. Options vary depending upon Report Type. In many cases,
such as the Compliance or Audit Log report categories, report types are limited
and self-explanatory. However, IPS and RNA report type options are extensive
and provide detailed options for defining your report profile. See Using Report
Types on page 250 for more information.
The Detection Engine allows you to select which detection engines are to be
searched for the report. This option is available when searching for events, such as
intrusion, RNA, white list, or compliance events, or when searching the network
for RNA hosts, host attributes, client applications, and health monitoring.
The Search Query identifies the search criteria for the report. Options vary
depending upon Report Type, and can include a list of exploits (such as Sasser
Worm Search or non-standard service attempts) or areas of concern such as IRC
Events or Kerberos Client/Server issues.
The Workflow allows you to select which workflow to examine. Options vary
depending upon which options you selected for Report Type, Detection Engine,
and Search Query, and can include such options as Network Services by Count or
Host Violations, and IP-Specific or Impact and Priority.
The Time option allows you to define the period of time for which the report is
generated. Click in the current time field to open a pop-up window from which
you can select a static, expanding, or sliding time frame. For more information,
see Setting Event Time Constraints in the Analyst Guide.
See the following sections for more information:
• Using Report Types on page 250
• Defining Report Information on page 254
IPS Category Report Types
Select...                To...
Intrusion Events         search one or more detection engines using user-specified
                         search queries and workflows to generate a report which can
                         include sections with a drill down of the destination port
                         and events, a table view of events, and the packets.
                         Search queries include: Blocked Events, Bootstrap
                         Client/Server, Common Concerns, DNS Service, DirectX Service,
                         FTP Service, Finger Service, High Impact Events, High
                         Priority Events, IRC Events, Impact1/Not Dropped Events,
                         Kerberos Client/Server, LDAP Services, Mail Services, Oracle
                         Service, Private Addresses Only, Public Addresses Only, RPC
                         Services, and Reserved Port TCP Scan.
                         Workflows include: Destination Port, Event-Specific, Events
                         by Priority and Classification, Events to Destinations,
                         IP-Specific, Impact and Priority, Impact and Source, Impact
                         to Destination, Source Port, and Source and Destination.
Intrusion Events with    search using the Blocked Events or High Priority Events
Source Criticality       search queries to generate a report on the Intrusion Events
                         with Source Criticality default workflow, which can include
                         sections on Intrusion Events with Source Criticality, and
                         the packets.
Intrusion Events with    search using the Blocked Events or High Priority Events
Destination Criticality  search queries on your choice of three workflows:
                         • Events by Impact, Priority, and Host Criticality, which
                           can include sections on Impact to Criticality Summary,
                           Source Destination Drill Down, Intrusion Events with
                           Destination Criticality, and the packets.
                         • Events with Destination, Impact, and Host Criticality,
                           which can include sections on Current Events Monitor,
                           Intrusion Events with Destination Criticality, and the
                           packets.
                         • Intrusion Events with Destination Criticality default
                           workflow, which can include sections on Intrusion Events
                           with Destination Criticality, and the packets.
SEU Import Log           generate a report on the SEU Detail View workflow.
RNA Category Report Types
Select...                To...
Host Attributes          search one or more detection engines to examine the
                         Attributes workflow, and generate a report which can include
                         sections with a table view of host attributes and the
                         packets.
RNA Client Applications  search one or more detection engines to examine the Client
                         Application Summaries or RNA Client Applications workflows,
                         and generate a report which can include sections with a
                         table view of client applications and the packets.
Vulnerabilities          examine the Vulnerabilities workflow and generate a report
                         which can include sections with a table view of
                         vulnerabilities, vulnerabilities on the network, and the
                         packets.
Intrusion Events with    search using the Blocked Events or High Priority Events
Source Criticality       search queries on the Intrusion Events with Source
                         Criticality default workflow, and generate a report which
                         can include sections on Intrusion Events with Source
                         Criticality, and the packets.
Hosts with Services      examine the Hosts with Services Default Workflow or the
                         Service and Host Details, and generate a report which can
                         include sections on Hosts with Services and the hosts.
RNA Hosts                search one or more detection engines to examine the
                         operating system summary or RNA hosts for local, remote,
                         unidentified, or unknown systems, and generate a report
                         which can include sections with a Summary of Operating
                         System Names, Summary of Operating System Versions,
                         Operating System Details with IP, NetBIOS Criticality, Table
                         View of Hosts, and Hosts.
RNA Events               search one or more detection engines using the NetSky.S
                         Worm Search, New Events, Sasser Worm Search, Subseven
                         Trojan Search, Timeout Events, and Update Events, and
                         generate a report which can include sections with a Table
                         View of Events, and Hosts.
RNA Services             search one or more detection engines for non-standard
                         service events (such as non-standard HTML, non-standard
                         mail, non-standard SSH) in Network Services by Count,
                         Network Services by Hit, and RNA Services workflows, and
                         generate a report which can include sections with Active
                         Services, Service Application Activity, Service Version
                         Audit, Service by Host, and Hosts.
Intrusion Events with    search using the Blocked Events, Events to High Criticality
Destination Criticality  Hosts, or High Priority Events search queries, and generate
                         a report on your choice of three workflows:
                         • Events by Impact, Priority, and Host Criticality, which
                           can include sections on Impact to Criticality Summary,
                           Source Destination Drill Down, Intrusion Events with
                           Destination Criticality, and the packets.
                         • Events with Destination, Impact, and Host Criticality,
                           which can include sections on Current Events Monitor,
                           Intrusion Events with Destination Criticality, and the
                           packets.
                         • Intrusion Events with Destination Criticality default
                           workflow, which can include sections on Intrusion Events
                           with Destination Criticality, and the packets.
Flow Data                search one or more detection engines using user-specified
                         search queries and workflows, and generate a report which
                         can include sections with the Top Ten workflows, Table View
                         of Flow Summary Data, Table View of Flow Data, a drill down
                         of the destination port and events, a table view of events,
                         and the packets.
                         Search queries include: Possible Database Access, Standard
                         HTTP, Standard Mail, Standard SSL, and Unauthorized SMTP.
                         Workflows include: Flow Summaries, Flows by Detection
                         Engine, Flows by Initiator, Flows by Port, Flows by
                         Responder, Flows by Service, Flows Over Time, RNA Flows,
                         Traffic by Detection Engine, Traffic by Initiator, Traffic
                         by Port, Traffic by Responder, Traffic by Service, Traffic
                         Over Time, Unique Initiators by Responder, and Unique
                         Responders by Initiator.
IMPORTANT! For report profiles that you plan to use multiple times, such as
in scheduled tasks, Sourcefire strongly recommends that you use a sliding
time range. If you create a report profile with a static time range, the
appliance will generate a report using the same time range (and therefore the
same events) every time you use the report profile.
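To make that difference concrete, here is an added Python example (not from the Sourcefire documentation) that resolves a profile's Time setting into an absolute window and runs the same profile on two consecutive days against constructed sample events. The three setting shapes and the meaning of an expanding range (fixed start, end at run time) are assumptions; the page only names the three types.

```python
from datetime import datetime, timedelta, timezone

# A report profile's Time setting is modelled as one of three shapes (assumed):
#   {"type": "static",    "start": <datetime>, "end": <datetime>}  # fixed window
#   {"type": "expanding", "start": <datetime>}                    # fixed start, end = run time
#   {"type": "sliding",   "window": <timedelta>}                  # last N, ending at run time


def resolve_time_range(time_setting: dict, run_at: datetime):
    """Return (start, end) for a run of the profile at run_at."""
    kind = time_setting["type"]
    if kind == "static":
        return time_setting["start"], time_setting["end"]
    if kind == "expanding":
        return time_setting["start"], run_at
    if kind == "sliding":
        return run_at - time_setting["window"], run_at
    raise ValueError(f"unknown time range type {kind!r}")


def select_events(events, time_setting, run_at):
    """Return the ids of events whose timestamp falls inside the resolved range."""
    start, end = resolve_time_range(time_setting, run_at)
    return [e["id"] for e in events if start <= e["time"] < end]


# Constructed sample events: one per day over four days.
BASE = datetime(2010, 6, 1, tzinfo=timezone.utc)
EVENTS = [{"id": n, "time": BASE + timedelta(days=n)} for n in range(4)]

STATIC = {"type": "static", "start": BASE, "end": BASE + timedelta(days=1)}
SLIDING = {"type": "sliding", "window": timedelta(days=1)}
EXPANDING = {"type": "expanding", "start": BASE}


def runs_on_consecutive_days(time_setting):
    """Simulate a daily scheduled task: run the profile at day 1 and again at day 2."""
    first = select_events(EVENTS, time_setting, BASE + timedelta(days=1))
    second = select_events(EVENTS, time_setting, BASE + timedelta(days=2))
    return first, second


if __name__ == "__main__":
    for label, setting in (("static", STATIC), ("sliding", SLIDING), ("expanding", EXPANDING)):
        print(label, runs_on_consecutive_days(setting))
```

The static profile returns the same event set on both runs, which is exactly the behaviour the note above warns about for scheduled reports; the sliding profile moves with the run time, and the expanding one grows from a fixed start.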
The Comparison of Quick Summary and Detail Summary Reports table shows
which information is included in the reports.
Comparison of Quick Summary and Detail Summary Reports
Included in both the Quick Summary and the Detail Summary:
• Pie chart showing the percentage of events in each event type (which maps to
the rule category for the rule that generated the event)
• Pie charts showing the percentage of events by protocol (for example, TCP,
UDP, or ICMP) and event classification (which maps to the value for the
classtype keyword in the rule that generated the event)
• Tables listing the 25 most active source and destination hosts and host
combinations
Included in the Detail Summary only:
• Tables listing the 25 most active source and destination hosts as well as the
25 most active source and host combinations
• Tables listing the most active events for each of the 25 most active destination
hosts
• Tables listing the most active events for the 25 most active source and
destination host combinations
You can add the RNA Summary to RNA event, host, client application, service,
and flow data reports. The RNA Summary includes:
• RNA event statistics including total number of events, events in the last day
and hour, total services, total hosts, total routers, total bridges, and host
limit usage
• a list of events divided by event type with counts for the last hour and total
number within the report range
• pie charts showing the percentage of events by protocol (for example, TCP,
UDP, or ICMP), service, and operating system
TIP! Note that if you select a table view of events, the report is limited to
10,000 records as noted in step 6, regardless of the number of events.
You can include a logo on your report. In PDF formats, the logo is included on
every page. In HTML formats, the logo is included at the top of the report.
You can add a description which will be included on the front page summary of
the report.
Access: Any Analyst/Admin
To define the report options:
1. Select the check boxes next to one or more output options for your report:
PDF, HTML, or CSV.
2. Optionally, for PDF and HTML reports, select a logo from the list of image
files that were previously added to the system.
See Including an Image File on page 257 for information about how to make
more logos available to the report designer.
3. Optionally, for PDF and HTML reports, type a description in the Description
field. You can use alphanumeric characters and spaces. The description
appears in the report header.
4. Optionally, for PDF reports, type the text you want to include as the footer in
the Custom Footer field. You can use 1 - 80 alphanumeric characters and
spaces.
5. Optionally, you can specify that reports are automatically emailed after they
are generated. To email a report, type one or more email addresses in a
comma-separated list in the Email to field.
IMPORTANT! A mail relay host must be configured before reports can be emailed.
If none is configured, the Email to field shows the message Not available. You
must set up your mail relay host. Click that message; the System Policy page
appears. Click Edit in the row for the system policy you want to modify, click
Email Notification, type the name of your mail server in the Mail Relay Host field,
and click Save. Then click Apply in the row for the system policy you changed and
apply it to the appliance.
IMPORTANT! The PDF, HTML, and CSV selections for Output Options apply to
generated reports, not to report previews. When you click Preview Report, you
see a PDF version of the report.
3. If necessary, click the time range to change it to include the events you want
in your report.
For more information, see Setting Event Time Constraints in the Analyst
Guide.
4. Click Generate Report.
The system generates the report.
5. Click Reports in the toolbar to display the Reporting page.
The Reporting page appears, listing the report that you generated as well as
any other previously generated reports. For information on managing
generated reports, see Managing Generated Reports on page 237.
4. Click Save Report Profile. When prompted, follow the instructions for your
browser to save the report profile. The report profile is saved with the name
you specified in the Report Name field.
Managing Users
If your user account has Administrator access, you can manage the user accounts
that can access the web interface on your Defense Center or 3D Sensor. On the
Defense Center, you can also set up user authentication via an external
authentication server, rather than through the internal database.
For more information, see the following sections:
• Understanding Sourcefire User Authentication on page 264
• Managing Authentication Objects on page 269
• Managing User Accounts on page 299
For users with either internal or external authentication, you can control user
permissions. Users with external authentication receive the permissions either
for the group or access list they belong to, or based on the default user access
role you set in the server authentication object or in a system policy on the
managing Defense Center, unless you change the user permissions manually.
When you create a user, you can specify whether that user is internally or
externally authenticated.
TIP! You can use the Import/Export feature to export system policies. When you
export a policy with external authentication enabled, the authentication objects
are exported with the policy. You can then import the policy and object on another
Defense Center. Do not import policies with authentication objects onto
3D Sensors.
default access rights for the group that they belong to that has the highest level of
access. If they do not belong to any groups and you have configured group
access, they receive the default user access rights configured in the
authentication object for the LDAP server. If you configure group access, those
settings override the default access setting in the system policy.
Similarly, if you assign a user to specific user role lists in a RADIUS authentication
object, the user receives all assigned roles, unless one or more of those roles are
mutually incompatible. If a user is on the lists for two mutually incompatible roles,
the user receives the role that has the highest level of access. If the user does
not belong to any lists and you have configured a default access role in the
authentication object, the user receives that role. If you configure default access
in the authentication object, those settings override the default access setting in
the system policy.
The Sourcefire 3D System supports the following user roles, listed in order of
precedence, depending on the features you have licensed:
• Administrators can set up the appliance’s network configuration, manage
user accounts, configure system policies and system settings. Users with
the Administrator role also have Intrusion Event Analyst, RNA Event
Analyst, Policy & Response (P&R) Administrator, and Maintenance access
rights.
• Intrusion Event Analysts can view, analyze, review, and delete intrusion
events and compliance and RUA events. They can also create incidents,
generate reports, and view (but not delete or modify) health events.
• Intrusion Event Analysts (Read Only) have all the same rights as Intrusion
Event Analysts, except that they cannot delete events.
• RNA Event Analysts can view, analyze, and delete network change events,
hosts, host attributes, services, vulnerabilities, client applications,
compliance events, and RUA events. RNA analysts can also generate
reports and view (but not delete or modify) health events.
• RNA Event Analysts (Read Only) have all the same rights as RNA Event
Analysts, except that they cannot delete events.
• Restricted Event Analysts have the combined privileges of Intrusion Event
Analysts and RNA Event Analysts, but users are limited to subsets of that
data. Restricted analysts can also be assigned the Policy & Response
Administrator or Maintenance User roles, but cannot be assigned the
Intrusion Event Analyst or RNA Event Analyst roles.
Note that on the Defense Center you cannot select Restricted Event
Analyst as the default user role in the system policy, but you can modify a
user’s settings via the User Management page to grant this level of access.
• Policy & Response Administrators can manage intrusion rules, policies, and
responses, as well as compliance rules, policies, and responses.
• Maintenance Administrators can access monitoring functions (including
health monitoring, host statistics, performance data, and system logs) and
maintenance functions (including task scheduling and backing up the
system).
Note that maintenance administrators do not have access to the functions
in the Policy & Response menu and can only access the dashboard from the
Analysis & Reporting menu.
Note that to create an authentication object, you need TCP/IP access from your
local appliance to the authentication server where you want to connect.
2. Type a name and description for the authentication server in the Name and
Description fields.
3. Type the IP address or host name for the primary server where you want to
obtain authentication data in the Primary Server Host Name/IP Address field.
IMPORTANT! If you are using a certificate to connect via TLS or SSL, the
host name in the certificate must match the host name used in this field. In
addition, IPv6 addresses are not supported.
4. Optionally, modify the port used by the primary authentication server in the
Primary Server Port field.
5. Optionally, type the IP address or host name for the backup server where you
want to obtain authentication data in the Backup Server Host Name/IP Address
field.
6. Optionally, modify the port used by the backup authentication server in the
Backup Server Port field.
7. Continue with Configuring LDAP Authentication Settings.
To allow an appliance to connect to the LDAP server, you need to select the
encryption method for the connection. You can choose no encryption, Transport
Layer Security (TLS), or Secure Sockets Layer (SSL) encryption. Note that if you
are using a certificate to authenticate when connecting via TLS or SSL, the name
of the LDAP server in the certificate must match the name that you use to
connect. For example, if you enter 10.10.10.250 as the server and
computer1.example.com in the certificate, the connection fails. Changing the
name of the server in the authentication profile to computer1.example.com
causes the connection to succeed.
When the local appliance searches the LDAP directory server to retrieve user
information on the authentication server, it needs a starting point for that search.
You can specify the namespace, or directory tree, that the local appliance should
search by providing a base distinguished name, or base DN. If your LDAP Server
uses a Pluggable Authentication Module (PAM) login attribute of uid, the local
appliance checks the uid attribute value for each object in the directory tree
indicated by the base DN you set. If one of the objects has a matching username
and password, the user login request is authenticated. Typically, the base DN will
have a basic structure indicating the company domain and operational unit. For
example, the Security organization of the Example company might have a base
DN of ou=security,dc=example,dc=com.
You can also add a base filter that sets a specific value for a specific attribute. The
base filter focuses your search by only retrieving objects in the base DN that have
the attribute value set in the filter. Enclose the base filter in parentheses. For
example, to filter for only users with a common name starting with F, use the
filter (cn=F*). When you save the authentication object, the local appliance
queries using the base filter to test it and indicates whether or not the filter
appears to be correct. To test your base filter more specifically by entering a test
username and password, see Testing User Authentication on page 280.
LDAP usernames can include underscores (_), periods (.), and hyphens (-) but
otherwise only alphanumeric characters are supported.
To allow the local appliance to access the user objects, you must supply user
credentials for a user with appropriate rights to the authentication objects you
want to retrieve. Remember that the distinguished name for the user you specify
must be unique to the directory information tree for the directory server.
For the authentication method specific parameters, you can use the LDAP
naming standards and filter and attribute syntax defined in the RFCs listed in the
Lightweight Directory Access Protocol (v3): Technical Specification, RFC 3377.
Examples of syntax are provided throughout this procedure. Note that when you
set up an authentication object to connect to a Microsoft Active Directory Server,
you can use the address specification syntax documented in the Internet RFC
822 (Standard for the Format of ARPA Internet Text Messages) specification
when referencing a user name that contains a domain. For example, to refer to a
user object, you might type JoeSmith@security.example.com rather than the
equivalent user distinguished name of cn=JoeSmith,ou=security,
dc=example,dc=com when using Microsoft Active Directory Server.
Selecting a user name template lets you indicate how user names entered on
login should be formatted, by mapping the string conversion character (%s) to the
value of the shell access attribute for the user. The user name template is the
format for the distinguished name used for authentication. When a user enters a
user name into the login page, the name is substituted for the string conversion
character and the resulting distinguished name is used to search for the user
credentials. For example, to set a user name template for the Security
organization of the Example company, you would enter
%s@security.example.com.
IMPORTANT! Note that if you change the encryption method after specifying
a port, you reset the port to the default value for that method. For none or
TLS, the port uses the default value of 389. If you select SSL encryption, the
port uses the default of 636.
3. Optionally, if you selected TLS or SSL encryption and you want to use a
certificate to authenticate, click Browse to browse to the location of a valid
TLS or SSL certificate or type the path to the certificate in the SSL Certificate
Upload Path field.
A message appears, indicating a successful certificate upload.
4. Type the base distinguished name for the LDAP directory you want to access
in the Base DN field.
For example, to authenticate names in the Security organization at the
Example company, type ou=security,dc=example,dc=com.
5. To set a filter that retrieves only specific objects within the namespace you
specified as the Base DN, type the attribute type, a comparison operator, and
the attribute value you want to use as a filter, enclosed in parentheses, in the
Base Filter field.
For example, if the user objects in a directory tree have a
physicalDeliveryOfficeName attribute and users in the New York office have
an attribute value of NewYork for that attribute, to retrieve only users in the
New York office, type (physicalDeliveryOfficeName=NewYork).
6. Type the distinguished name and password for the user whose credentials
should be used to validate access to the LDAP directory in the User Name and
Password fields.
For example, if you are connecting to an OpenLDAP Server where user
objects have a uid attribute and the object for the administrator in the
Security division at our example company has a uid value of NetworkAdmin,
you would type uid=NetworkAdmin,ou=security,dc=example,dc=com.
7. Re-type the password in the Confirm Password field.
8. Type the user distinguished name, with the string conversion character (%s) in
place of the shell access attribute value, into the User Name Template field.
For example, to authenticate all users who work in the Security organization
of our example company by connecting to an OpenLDAP server where the
shell access attribute is uid, you would type
uid=%s,ou=security,dc=example,dc=com in the User Name Template field.
For a Microsoft Active Directory server, you could type
%s@security.example.com.
9. Continue with Configuring Attribute Mapping.
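The following Python helpers are an added example, not part of this guide or of the Sourcefire appliance, showing how a login name is combined with the User Name Template, the login attribute (uid or userPrincipalName) and the Base Filter settings described above. The AND form of the search filter and the RFC 4515 escaping of the login name are this example's assumptions about how such a query is built; the character rule for user names is the one stated in this section.

```python
# Added example (not Sourcefire code): how the User Name Template, login
# attribute and Base Filter settings shape the DN and search filter built
# from a login name. The "(&(base)(attr=name))" form and the escaping step
# are assumptions made for this example.
import re

# The guide's rule: alphanumerics plus underscore, period and hyphen only.
_USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]+")

# RFC 4515 escapes for characters that are special inside a search filter.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def is_valid_ldap_username(name):
    """True when the login name uses only the characters the guide allows."""
    return _USERNAME_RE.fullmatch(name) is not None


def escape_filter_value(value):
    """Escape a value so it cannot change the structure of an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_dn_from_template(template, username):
    """Substitute the login name for the %s conversion character.

    Works for the OpenLDAP style 'uid=%s,ou=security,dc=example,dc=com' and
    the Active Directory style '%s@security.example.com'. Names outside the
    documented character set are rejected rather than embedded in a DN."""
    if not is_valid_ldap_username(username):
        raise ValueError(f"unsupported characters in user name: {username!r}")
    if template.count("%s") != 1:
        raise ValueError("user name template must contain exactly one %s")
    return template.replace("%s", username)


def _require_parens(flt):
    """Filters must be enclosed in parentheses, as the guide requires."""
    flt = flt.strip()
    if not (flt.startswith("(") and flt.endswith(")")):
        raise ValueError(f"filter must be enclosed in parentheses: {flt!r}")
    return flt


def login_search_filter(base_filter, access_attribute, username):
    """Filter that selects the user's object under the Base DN.

    The base filter (for example '(cn=F*)') narrows the candidates and the
    login attribute must equal the login name. The name is escaped, so a
    value such as '*)(uid=*' is matched literally instead of widening the
    search (assumed defensive step, not a statement about the appliance)."""
    term = f"({access_attribute}={escape_filter_value(username)})"
    if not base_filter:
        return term
    return f"(&{_require_parens(base_filter)}{term})"
```

user_dn_from_template enforces the character rule because a DN has its own escaping scheme; login_search_filter instead escapes whatever was typed, which is the safer choice when the value ends up inside a filter.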
The access rights granted when a user logs into the Sourcefire 3D System
depends on the LDAP configuration:
• If no group access settings are configured for your LDAP server, when a
new user logs in, the Sourcefire 3D System authenticates the user against
the LDAP server and then grants user rights based on the default minimum
access role set in the system policy.
• If you configure any group settings, new users belonging to specified
groups inherit the minimum access setting for the groups where they are
members.
• If a new user does not belong to any specified groups, the user is assigned
the default minimum access role specified in the Group Controlled Access
Roles section of the authentication object.
• If a user belongs to more than one configured group, the user receives the
access role for the group with the highest access as a minimum access
role.
You cannot remove the minimum access rights for users assigned an access role
because of LDAP group membership through the Sourcefire 3D System user
management page. You can, however, assign additional rights. When you modify
the access rights for an externally authenticated user, the Authentication Method
column on the User Management page provides a status of External - Locally
Modified.
IMPORTANT! If you use a dynamic group, the LDAP query is used exactly as it is
configured on the LDAP server. For this reason, the Sourcefire 3D System limits
the number of recursions of a search to four to prevent search syntax errors from
causing infinite loops. If a user’s group membership is not established in those
recursions, the default access role defined in the Group Controlled Access Roles
section is granted to the user.
2. Type the distinguished name for the LDAP group containing users who
should at minimum have access to monitoring and maintenance features in
the Maintenance Group DN field.
For example, to authenticate names in the information technology
organization at the Example company, type cn=itgroup,ou=groups,
dc=example,dc=com.
3. Type the distinguished name for the LDAP group containing users who
should at minimum have access to rules and policy configuration in the Policy
& Response Administrator Group DN field.
For example, to authenticate names in the Security organization at the
Example company, type cn=securitygroup,ou=groups,dc=example,
dc=com.
4. Type the distinguished name for the LDAP group containing users who
should at minimum have access to IPS analysis features in the Intrusion Event
Analyst Group DN field.
For example, to authenticate names in the Intrusion Event Analyst group at
the Example company, type cn=ipsanalystgroup,ou=groups,dc=example,
dc=com.
5. Type the distinguished name for the LDAP group containing users who
should at minimum have access to IPS analysis features in the Intrusion Event
Analyst Group DN (Read Only) field.
6. Type the distinguished name for the LDAP group containing users who
should at minimum have access to RNA analysis features in the RNA Event
Analyst Group DN field.
7. Type the distinguished name for the LDAP group containing users who
should at minimum have access to RNA analysis features in the RNA Event
Analyst Group DN (Read Only) field.
8. Select the default minimum access role for users that do not belong to any of
the specified groups from the Default User Role list.
TIP! Press the Ctrl key while clicking role names to select multiple roles in
the list.
For more information on user access roles, see Adding New User Accounts
on page 300.
9. Type the LDAP attribute that designates membership in a static group in the
Group Member Attribute field.
For example, if the member attribute is used to indicate membership in the
static group you reference for default Policy & Response Administrator
access, type member.
10. Optionally, type the LDAP attribute that contains the LDAP search string used
to determine membership in a dynamic group in the Group Member URL
Attribute field.
For example, if the memberURL attribute contains the LDAP search that
retrieves members for the dynamic group you specified for default Admin
access, type memberURL.
11. Continue with Configuring Administrative Shell Access on page 278.
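The following Python example is added here and is not Sourcefire code; it models how the Group Controlled Access Roles settings resolve to a single role for a user, using a small constructed in-memory directory. Static groups are read through the member attribute and dynamic groups through a memberURL (only single "(attribute=value)" filters are handled), nested and self-referencing groups are followed to at most four levels, the highest role among matching groups wins, and the default role applies when no group matches. The group DNs cn=itgroup and cn=ipsanalystgroup come from the steps above; the people, the netops and loopgroup entries, and the department attribute are constructed for the example.

```python
# Added example (not Sourcefire code): resolves the role a user receives from
# the Group Controlled Access Roles settings against a constructed directory.
# Role precedence follows the guide's list (highest first).
ROLE_PRECEDENCE = [
    "Administrator",
    "Intrusion Event Analyst",
    "Intrusion Event Analyst (Read Only)",
    "RNA Event Analyst",
    "RNA Event Analyst (Read Only)",
    "Restricted Event Analyst",
    "Policy & Response Administrator",
    "Maintenance",
]
MAX_RECURSION = 4  # the appliance limits group search recursion to four levels

# Constructed sample directory: DN -> attributes (every value is a list).
PEOPLE = "ou=people,dc=example,dc=com"
GROUPS = "ou=groups,dc=example,dc=com"
ALICE, BOB, CAROL = (f"uid={u},{PEOPLE}" for u in ("alice", "bob", "carol"))
ITGROUP = f"cn=itgroup,{GROUPS}"
NETOPS = f"cn=netops,{GROUPS}"
IPSANALYSTS = f"cn=ipsanalystgroup,{GROUPS}"
LOOPGROUP = f"cn=loopgroup,{GROUPS}"

DIRECTORY = {
    ALICE: {"objectClass": ["inetOrgPerson"], "department": ["soc"]},
    BOB: {"objectClass": ["inetOrgPerson"], "department": ["netops"]},
    CAROL: {"objectClass": ["inetOrgPerson"], "department": ["hr"]},
    # static group whose members include a nested static group
    ITGROUP: {"objectClass": ["groupOfNames"], "member": [ALICE, NETOPS]},
    NETOPS: {"objectClass": ["groupOfNames"], "member": [BOB]},
    # dynamic group: everyone in the SOC department
    IPSANALYSTS: {"objectClass": ["groupOfURLs"],
                  "memberURL": [f"ldap:///{PEOPLE}??sub?(department=soc)"]},
    # misconfigured dynamic group whose search returns itself
    LOOPGROUP: {"objectClass": ["groupOfURLs"],
                "memberURL": [f"ldap:///{GROUPS}??sub?(objectClass=groupOfURLs)"]},
}

# Group DN -> role, as entered in the Group Controlled Access Roles section.
GROUP_ROLES = {ITGROUP: "Maintenance", IPSANALYSTS: "Intrusion Event Analyst"}


def highest_role(roles):
    """The role with the highest access among those given, or None."""
    known = [r for r in roles if r in ROLE_PRECEDENCE]
    return min(known, key=ROLE_PRECEDENCE.index) if known else None


def _dynamic_members(directory, member_url):
    """Evaluate a memberURL of the form ldap:///<base>?<attrs>?<scope>?(attr=value)."""
    base, _attrs, _scope, flt = member_url[len("ldap:///"):].split("?", 3)
    attr, _, value = flt.strip("()").partition("=")
    return [dn for dn, entry in directory.items()
            if dn.endswith("," + base) and value in entry.get(attr, [])]


def _is_group(entry):
    return "member" in entry or "memberURL" in entry


def is_member(directory, group_dn, user_dn, depth=0):
    """True if user_dn is reached within MAX_RECURSION levels of group_dn."""
    if depth >= MAX_RECURSION:
        return False  # membership not established within the recursion limit
    group = directory.get(group_dn, {})
    candidates = list(group.get("member", []))
    for url in group.get("memberURL", []):
        candidates.extend(_dynamic_members(directory, url))
    if user_dn in candidates:
        return True
    return any(is_member(directory, dn, user_dn, depth + 1)
               for dn in candidates if _is_group(directory.get(dn, {})))


def resolve_role(directory, user_dn, group_roles, default_role):
    """Highest role among the user's matching groups, else the default role."""
    matched = [role for gdn, role in group_roles.items()
               if is_member(directory, gdn, user_dn)]
    return highest_role(matched) or default_role
```

The loopgroup entry shows why the recursion cap matters: its memberURL search returns the group itself, so without the cap the membership walk would never finish, and with it the user simply falls back to the default role.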
With the exception of the root account, shell access is controlled entirely through
the shell access attribute you set. Shell users are not configured as local users on
the appliance, even after they log in. Addition and deletion of shell access users
occurs only on the LDAP server, and the filter you set here determines which set
of users on the LDAP server can log into the shell.
Note that a home directory for each shell user is created on login, and when an
LDAP shell access user account is disabled (by disabling the LDAP connection),
the directory remains, but the user shell is set to /bin/false in /etc/passwd
to disable the shell. If the user then is re-enabled, the shell is reset, using the
same home directory.
The Same as Base Filter check box allows you to search more efficiently if all users
qualified in the base DN are also qualified for shell access privileges. Normally,
the LDAP query to retrieve users combines the base filter with the shell access
filter. If the shell access filter was the same as the base filter, the same query
would be run twice, which is unnecessarily time-consuming. You can use the
Same as Base Filter option to run the query only once for both purposes.
Shell users should log in using usernames with all lowercase letters.
WARNING! All shell users have sudoers privileges. Make sure that you restrict
the list of users with shell access appropriately.
For example, if all network administrators have a manager attribute which has
an attribute value of shell, you can set a base filter of (manager=shell).
TIP! If you mistype the name or password of the test user, the test fails even if
the server configuration is correct. Test the server configuration without the
additional test parameters first. If that succeeds, supply a user name and
password to test with the specific user.
2. Click Test.
A message appears, either indicating success of the test or detailing what
settings are missing or need to be corrected.
3. To view details of test output, select Show Details.
4. If the test succeeds, click Save.
The Login Authentication page appears, with the new object listed.
To enable LDAP authentication using the object on an appliance, you must
apply a system policy with that object enabled to the appliance. For more
information, see Configuring Authentication Profiles on page 329 and
Applying a System Policy on page 324.
OpenLDAP Example
Requires: DC
The following figures illustrate parts of a sample LDAP login authentication object
for an OpenLDAP directory server with an IP address of 10.10.3.4, with a backup
server that has an IP address of 10.10.3.5. Note that the connection uses port 389
for access and that connections to the server time out after 30 seconds of disuse.
• To support shell access, the CN attribute is set as the shell access attribute.
• A shell access filter has been applied to this configuration, allowing only
those users who have a common name attribute value of jsmith to log into
the appliance using a shell account.
• Like the OpenLDAP server, this example shows a connection using a base
distinguished name of OU=security,DC=it,DC=example,DC=com for the
security organization in the information technology domain of the Example
company. Again, because no base filter is applied to this server, the
Sourcefire 3D System checks attributes for all objects in the directory
indicated by the base distinguished name.
• Because this is a Microsoft Active Directory Server, the user name template
for the connection uses address specification syntax documented in RFC
822 rather than the typical LDAP naming syntax.
• However, because this server is a Microsoft Active Directory server, it uses
the userPrincipalName attribute to store user names rather than the uid
attribute. Note that the configuration includes a UI Access Attribute of
userPrincipalName. As a result, the Sourcefire 3D System checks the
userPrincipalName attribute for each object for matching user names
when a user attempts to log into the Sourcefire 3D System.
• This example also has group settings in place. The maintenance role is
automatically assigned to all members of the group with a member group
attribute and the base domain name of
CN=maintenance,DC=it,DC=example,DC=com.
• As in the OpenLDAP server, a shell access filter has been specified for this
server, allowing only those users who have a common name attribute value
of jsmith to log into the appliance using a shell account. However, as noted
above, a shell access attribute value of sAMAccountName must be set for
shell access to work on a Microsoft Active Directory server.
• To allow shell access on the server, the uid attribute is named as the Shell
Access Attribute and the Same as Base Filter option for the shell access filter
is set, allowing all users with a common name ending in smith to log in
using a shell account as well. Using Same as Base Filter allows a more
efficient search query if and only if all users qualified in the base DN are also
qualified for shell access privileges.
Requires: DC
You can edit an existing authentication object. If the object is in use in a system
policy, the settings in place at the time the policy was applied stay in effect until
you re-apply the policy.
4. Click Save.
Your changes are saved and the Login Authentication page re-appears.
Remember that you have to apply a system policy with the object enabled to
an appliance before the authentication changes take place on that appliance.
For more information, see Configuring Authentication Profiles on page 329
and Applying a System Policy on page 324.
3. Identify the primary and backup authentication servers where you want to
retrieve user data for external authentication and set timeout and retry values.
For more information, see Configuring RADIUS Connection Settings on
page 288.
4. Set the default user role. Optionally, specify the users or user attribute values
for users that you want to receive specific Sourcefire 3D System access
roles. For more information, see Configuring RADIUS User Roles on
page 290.
5. Optionally, configure administrative shell access. For more information, see
Configuring Administrative Shell Access on page 292.
6. If the profiles for any of the users to authenticate return custom RADIUS
attributes, define those attributes. For more information, see Defining
Custom RADIUS Attributes on page 293.
7. Test your configuration by entering the name and password for a user who
should successfully authenticate. For more information, see Testing User
Authentication on page 294.
Your changes are saved. Remember that you have to apply a system policy
with the object enabled to an appliance before the authentication changes
take place on that appliance. For more information, see Configuring
Authentication Profiles on page 329 and Applying a System Policy on
page 324.
IMPORTANT! For FreeRADIUS to function correctly, you need to open both ports
1812 and 1813 on your firewall and on the FreeRADIUS server.
If you specify a backup authentication server, you can set a timeout for the
connection attempt to the primary server. If the number of seconds indicated in
the Timeout field (or the timeout on the directory server) elapses without a
response from the primary authentication server, the appliance then re-queries
the primary server.
After the appliance re-queries the primary authentication server the number of
times indicated by the Retries field and the number of seconds indicated in the
Timeout field again elapses without a response from the primary authentication
server, the appliance then rolls over to the backup server.
If, for example, the primary server has RADIUS disabled, the appliance would
query the backup server. If RADIUS is running on the port of the primary RADIUS
server and for some reason refuses to service the request (due to
misconfiguration or other issues), however, the failover to the backup server does
not occur.
2. Type a name and description for the authentication server in the Name and
Description fields.
3. Type the IP address or host name for the primary RADIUS server where you
want to obtain authentication data in the Primary Server Host Name/IP Address
field.
4. Optionally, modify the port used by the primary RADIUS authentication server
in the Primary Server Port field.
5. Type the secret key for the primary RADIUS authentication server in the
RADIUS Secret Key field.
6. Type the IP address or host name for the backup RADIUS authentication
server where you want to obtain authentication data in the Backup Server Host
Name/IP Address field.
7. Optionally, modify the port used by the backup RADIUS authentication server
in the Backup Server Port field.
8. Type the secret key for the backup RADIUS authentication server in the
RADIUS Secret Key field.
9. Type the number of seconds that should elapse before retrying the
connection in the Timeout field.
10. Type the number of times the primary server connection should be tried
before rolling over to the backup connection in the Retries field.
11. Continue with Configuring RADIUS User Roles.
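The Python model below is an added example, not Sourcefire code, of the fail-over behaviour the Timeout and Retries settings produce: a primary server that gives no response is retried, then the backup server is queried, whereas a primary server that answers with a rejection is final and the backup is never consulted. Servers are represented by scripted callables constructed for the example; the assumption that the primary is queried once plus Retries further times before roll-over is this example's reading of the text above.

```python
# Added example (not Sourcefire code): a model of RADIUS fail-over driven by
# the Timeout and Retries settings. Servers are callables that return a reply
# code or raise NoResponse when the timeout elapses without an answer.
ACCESS_ACCEPT = "Access-Accept"
ACCESS_REJECT = "Access-Reject"


class NoResponse(Exception):
    """Raised when a request times out without any reply."""


class ScriptedServer:
    """Constructed stand-in for a RADIUS server with a scripted reply sequence.

    Each entry is a reply code or the NoResponse class; the last entry
    repeats once the script is exhausted."""

    def __init__(self, replies):
        self.replies = list(replies)
        self.requests = 0  # how many times the appliance queried this server

    def __call__(self):
        outcome = self.replies[min(self.requests, len(self.replies) - 1)]
        self.requests += 1
        if outcome is NoResponse:
            raise NoResponse
        return outcome


def authenticate(primary, backup, retries):
    """Return (reply, server_used) following the guide's fail-over rules.

    Only a missing response triggers retries and fail-over; an Access-Reject
    from a reachable primary is returned as-is and the backup is not used.
    Assumption: the primary is queried 1 + retries times before roll-over."""
    for _attempt in range(1 + retries):
        try:
            return primary(), "primary"
        except NoResponse:
            continue  # timeout elapsed, re-query the primary
    if backup is None:
        raise NoResponse("primary unreachable and no backup configured")
    return backup(), "backup"


def worst_case_seconds_before_backup(timeout, retries):
    """How long a login can stall before the backup server is even tried."""
    return (1 + retries) * timeout
```

worst_case_seconds_before_backup is the figure to keep in mind when choosing Timeout and Retries: with a 30 second timeout and 2 retries a user whose primary server is down waits 90 seconds before the backup answers.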
WARNING! If you want to change the minimum access setting for a user, you
must not only move the user from one list to another in the RADIUS Specific
Parameters section or change the user’s attribute on the RADIUS server, you
must reapply the system policy, and you must remove the assigned user right on
the user management page.
2. Type the name of each user or each identifying attribute-value pair, separated
by commas, who should at minimum receive access to monitoring and
maintenance features in the Maintenance List field.
For example, to grant the Maintenance role to all users with a
User-Category value of Maintenance, type User-Category=Maintenance
in the Maintenance List field.
3. Type the name of each user or each identifying attribute-value pair, separated
by commas, who should at minimum receive access to rules and policy
configuration in the Policy & Response Administrator List field.
4. Type the name of each user or each identifying attribute-value pair, separated
by commas, who should at minimum receive access to IPS analysis features
in the Intrusion Event Analyst List field.
5. Type the name of each user or each identifying attribute-value pair, separated
by commas, who should at minimum receive access to IPS analysis features
in the Intrusion Event Analyst (Read Only) List field.
6. Type the name of each user or each identifying attribute-value pair, separated
by commas, who should at minimum receive access to RNA analysis features
in the RNA Event Analyst List field.
7. Type the name of each user or each identifying attribute-value pair, separated
by commas, who should at minimum receive access to RNA analysis features
in the RNA Event Analyst (Read Only) List field.
8. Select the default minimum access role for users that do not belong to any of
the specified groups from the Default User Role list.
TIP! Press the Ctrl key while clicking role names to select multiple roles in
the list.
For more information on user access roles, see Configuring User Roles on
page 304.
9. Continue with Configuring Administrative Shell Access.
WARNING! All shell users have sudoers privileges. Make sure that you restrict
the list of users with shell access appropriately.
TIP! If you mistype the name or password of the test user, the test fails even if
the server configuration is correct. To verify that the server configuration is
correct, click Test without entering user information in the Additional Test
Parameters first. If that succeeds, supply a user name and password to test with
the specific user.
The following figure illustrates the role configuration and custom attribute
definition in a sample RADIUS login authentication object for the same freeRadius
server as in the previous example.
In this example, however, the MS-RAS-Version custom attribute is returned for
one or more of the users because a Microsoft remote access server is in use.
Note the MS-RAS-Version custom attribute is a string. In this example, all users
logging in to RADIUS through a Microsoft v. 5.00 remote access server should
receive the Intrusion Event Analyst (Read Only) role, so you type the
attribute-value pair of MS-RAS-Version=MSRASV5.00 in the Intrusion Event Analyst
(Read Only) field.
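The following Python example is added here and is not Sourcefire code. It shows how the entries typed into the RADIUS role list fields (user names and attribute-value pairs separated by commas, as in the steps above) select the roles a user receives, using the attributes returned in that user's RADIUS profile, and how the default role applies when no list matches. The guide does not list which roles are mutually incompatible; this example assumes each Read Only role is incompatible with its full counterpart and keeps the higher one. The list contents below are constructed, reusing the User-Category=Maintenance and MS-RAS-Version=MSRASV5.00 pairs from this section.

```python
# Added example (not Sourcefire code): mapping RADIUS role list entries and a
# user's returned attributes to Sourcefire 3D System roles.

# Read Only role -> the role that supersedes it when both match (assumption).
READ_ONLY_OF = {
    "Intrusion Event Analyst (Read Only)": "Intrusion Event Analyst",
    "RNA Event Analyst (Read Only)": "RNA Event Analyst",
}


def parse_role_list(field):
    """Split a list field into (user names, {(attribute, value), ...}).

    Entries containing '=' are attribute-value pairs; anything else is a
    user name. Surrounding whitespace and empty entries are ignored."""
    users, pairs = set(), set()
    for item in (part.strip() for part in field.split(",")):
        if not item:
            continue
        if "=" in item:
            attr, _, value = item.partition("=")
            pairs.add((attr.strip(), value.strip()))
        else:
            users.add(item)
    return users, pairs


def roles_for_user(username, reply_attributes, role_lists, default_role):
    """Roles granted to a user who authenticated successfully.

    reply_attributes maps attribute name -> list of values from the user's
    RADIUS profile, for example {"MS-RAS-Version": ["MSRASV5.00"]}.
    role_lists maps role name -> the text typed into that role's list field."""
    granted = set()
    for role, field in role_lists.items():
        users, pairs = parse_role_list(field)
        matched_pair = any(value in reply_attributes.get(attr, [])
                           for attr, value in pairs)
        if username in users or matched_pair:
            granted.add(role)
    # Mutually incompatible roles: keep the one with the higher access.
    for read_only, full in READ_ONLY_OF.items():
        if read_only in granted and full in granted:
            granted.discard(read_only)
    return granted if granted else {default_role}


# Constructed list field contents for the example.
ROLE_LISTS = {
    "Maintenance": "User-Category=Maintenance",
    "Policy & Response Administrator": "jsmith, pjones",
    "Intrusion Event Analyst": "User-Category=SOC",
    "Intrusion Event Analyst (Read Only)": "MS-RAS-Version=MSRASV5.00",
}
```

A user listed by name in one field and matched by an attribute in another receives both roles, which is the "all assigned roles" behaviour described earlier for RADIUS objects; only the assumed Read Only conflict collapses to a single role.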
See the following sections for information about the actions you can perform on
the User Management page:
• Adding New User Accounts on page 300
• Modifying User Privileges and Options on page 306
• Modifying Restricted Event Analyst Access Properties on page 307
• Modifying User Passwords on page 311
• Deleting User Accounts on page 312
3. In the User Name field, type a name for the new user.
New user names must contain alphanumeric or hyphen characters with no
spaces, and must be no more than 32 characters.
4. (Requires: DC/MDC) If you want this user to authenticate to an external directory
server on login, select Use External Authentication Method.
The Password Options table describes some of the options you can use to regulate
passwords and account access.
Use External Authentication Method: Select this option if you want this user's
credentials to be externally authenticated.
IMPORTANT! If you select this option for the user and the external
authentication server is unavailable, that user can log into the web interface
but cannot access any functionality.
Days Until Password Expiration: Enter the number of days after which the user’s
password will expire. The default setting is 0, which indicates that the
password never expires.
Days Until Expiration Warning: Enter the number of warning days users have to
change their password before their password actually expires. The default
setting is 0 days.
WARNING! The number of warning days must be less than the number of days
before the password expires.
Force Password Reset on Login: Select this option to force the user to change his
password the first time the user logs in.
Note that you cannot change the authentication type for a user after you create
the user account. In addition, externally authenticated users cannot authenticate
unless the external authentication server is available.
Note that you can restrict an event analyst user’s deletion rights to only allow
deletion of report profiles, searches, bookmarks, custom tables, and custom
workflows created by that user. Select Restrict Deletion Rights - User Cannot Delete
Items Created by Other Users to restrict the user’s deletion rights.
You cannot remove minimum access rights through the Sourcefire 3D System
user management page for users assigned an access role because of LDAP
group or RADIUS list membership or attribute values. You can, however, assign
additional rights.
WARNING! If you want to change the minimum access setting for a user, you
must not only move the user from one list to another in the authentication object
or change the user's attribute value or group membership on the external
authentication server, you must reapply the system policy, and you must remove
the assigned user right on the user management page.
User Roles
Policy & Response Administrator Access: Provides access to rules and policy
configuration. Policy & Response Administrators have access to the main toolbar
and rule and policy-related options on the Policy & Response and Operations
menus.
Restricted event analyst users have access to only a few sections of the web
interface. The Restricted Event Analyst Settings table shows the correlation
between platform and access requirements for the restricted event analyst.
To allow the restricted event analyst to... | When these platforms are present... | Set this data set or data sets to Show All or to a specific search
generate (but not view) reports | IPS | All data sets for which the user will generate reports
create (but not modify) incident reports | IPS | All data sets for which the user will create incident reports
create custom workflows and, on the Defense Center, custom tables | DC/MDC or 3D Sensor | All data sets for which the user will create custom workflows
create and manage bookmarks | DC/MDC or 3D Sensor | All data sets for which the user will need to create or access bookmarks
view events from a custom table | Platforms required to view custom table | All data sets for the applicable custom tables
If you want to ensure that a user only sees data for a specific subnet, create
multiple private saved searches, one for each of the event types, and then apply
each saved search to the account as described in the following procedure.
IMPORTANT! You must have saved private searches available before you can add
restricted event analyst values to a user account. Searches must be private. If
they are saved as public, restricted event analyst users could delete the searches
and enhance their access privileges. See Searching for Events in the Analyst
Guide for more information.
3. If the user you want to modify does not already have the Restricted Event
Analyst option enabled, select Restricted Event Analyst.
The Restrictions section of the page appears. The Defense Center version of
the page is shown below.
IMPORTANT! If you created any custom tables on the Defense Center, they
appear on this page.
TIP! If you want to force a user to change the password on the next log-in, click
Reset Password next to the user account on the User Management page.
5. Make any other changes you want to make to the user configuration:
• For more information on password options, see Managing User
Password Settings on page 303.
• For more information on user roles, see Configuring User Roles on
page 304.
6. Click Save.
The password is changed and any other changes saved.
Analysis & Reporting and Policy & Response menu options (each X marks one user role that can access the option; the role column headers of this table were not preserved)
Event Summary  X X X X
  Event Graphs  X X
  Dashboards  X X X X
  RNA Statistics  X X X
  Flow Summary  X X X
IPS  X X X X
  Events  X X X X
  Reviewed Events  X X X X
  Clipboard  X X X X
  Incidents  X X
RNA  X X X
  RNA Events  X X X
  Hosts  X X X
  Host Attributes  X X X
  Services  X X X
  Client Applications  X X X
  Flow Data  X X X
  Vulnerabilities  X X X
RUA  X X X X
  Users  X X X X
  RUA Events  X X X X
Compliance  X X X X
  Compliance Events  X X X X
Custom Tables  X X X
Searches  X X X X X
  Audit Log  X
  Client Applications  X X X
  Compliance Events  X X X X
  Flow Data  X X X
  Health Events  X X X
  Host Attributes  X X X
  Hosts  X X X
  Intrusion Events  X X X X
  Remediation Status  X
  RNA Events  X X X X
  RUA Events  X X X X
  Scan Results  X
  Services  X X X
  Users  X X X X
  Vulnerabilities  X X X
Custom Workflows  X X X X
Bookmarks  X X X X
Report Profiles  X X X
IPS  X X
  Intrusion Policy  X X
  SEU  X X
  Rule Editor  X X
  Email  X X
  OPSEC  X X
RNA  X X
  Detection Policy  X X
  Host Attributes  X X
  RNA Detectors  X X
  Custom Fingerprinting  X X
Compliance  X X
  Policy Management  X X
  Rule Management  X X
  White List  X X
  Traffic Profiles  X X
Responses  X X
  Alerts  X X
  Remediations  X X
  Groups  X X
Operations Menu
Requires: DC/MDC or 3D Sensor
The Operations Menu table lists the user account privileges required to access
each option on the Operations menu. An X indicates that the user can access the
option. All users can access at least some options on the Operations menu.
Operations Menu (each X marks one user role that can access the option; the role column headers of this table were not preserved)
Configuration  X
  Detection Engines  X
  High Availability  X
  eStreamer  X
  Login Authentication  X
  RUA  X
  Sensors  X
  User Management  X
  System Settings  X
  System Policy  X
  Update  X
Monitoring  X X X
  Statistics  X X
  Performance | IPS  X X
  Performance | RNA  X X
  Audit  X
  Task Status  X X X
  Syslog  X X
  Health  X X X
Tools  X X X X X X
  Scheduling  X X
  Backup/Restore  X
  Import/Export  X
  Whois  X X X X X X
  Scan Results  X X X
  Scanners  X X
Help  X X X X X X
  About  X X X X X X
  Online  X X X X X X
  Email Support  X X X X X X
  Support Site  X X X X X X
Toolbar Options
Requires: DC/MDC or 3D Sensor
The Toolbar Options table lists the user account privileges required to access
each option on the toolbar and its sub-menus. An X indicates that the user can
access the option. All users can access at least some of the options on the
toolbar.
Toolbar Options
Health X X X X
Preferences X X X X X X
Help X X X X X X
Logout X X X X X X
A system policy allows you to manage the following on your Defense Center or
3D Sensor:
• access control lists
• audit log settings
• authentication profiles
• dashboard settings
• database event limits
• detection policy preferences
• DNS cache properties
• the mail relay host and notification address
• tracking intrusion policy changes
• specifying a different language
• custom login banners
• RNA settings, including multiple fingerprint and subnet detection
settings
• RUA settings
• synchronizing time
• serving time from the Defense Center
• mapping vulnerabilities for services
You can use a system policy to control the aspects of your Defense Center that
are likely to be similar for other Sourcefire 3D System appliances in your
deployment. For example, your organization’s security policies may require that
your appliances have a “No Unauthorized Use” message when a user logs in.
With system policies, you can set the login banner once in a system policy on a
Defense Center and then apply the policy to all the sensors that it manages.
You can also benefit from having multiple policies on a 3D Sensor. For example, if
you have different mail relay hosts that you use under different circumstances, or
if you want to test different database limits, you can create several system
policies and switch between them rather than editing a single policy.
Contrast a system policy, which controls aspects of an appliance that are likely to
be similar across a deployment, with system settings, which are likely to be
specific to a single appliance. See Configuring System Settings on page 360 for
more information.
The Policy Name column also shows each policy's description. The Applied To
column indicates the number of appliances where the policy is applied and a count
of out-of-date appliances, that is, appliances where the previously applied policy
has since changed and should be reapplied.
2. Click Create Policy.
The Create page appears.
3. From the drop-down list, select an existing policy to use as a template for
your new system policy.
4. Type a name and description (up to 40 alphanumeric characters and spaces
each) for your new policy.
5. Click Save.
Your system policy is saved and the Access List page appears. For
information about configuring each aspect of the system policy, see one of
the following sections:
• Configuring the Access List for Your Appliance on page 325
• Configuring Audit Log Settings on page 327
• Configuring Authentication Profiles on page 329
• Configuring Dashboard Settings on page 331
• Configuring Database Event Limits on page 332
• Configuring Detection Policy Preferences on page 336
• Configuring DNS Cache Properties on page 337
• Configuring a Mail Relay Host and Notification Address on page 338
• Configuring Intrusion Policy Preferences on page 339
• Specifying a Different Language on page 340
• Adding a Custom Login Banner on page 341
• Configuring RNA Settings on page 342
IMPORTANT! If you are editing the current system policy, make sure you
apply the updated policy when you are finished. See Applying a System Policy
on page 324.
2. Click Apply next to the system policy that you want to apply.
On the 3D Sensor, the system policy is applied.
On the Defense Center, the Apply page appears. If a policy has been updated
since it was applied, the name of the policy appears in italics.
3. On the Defense Center, select the sensors, and, if required, the Defense
Center itself, where you want to apply the system policy.
TIP! You can sort the sensors by sensor group, model, type of sensor, or
previously applied policy. You can also select an entire group.
4. Click Apply.
A message appears indicating that the task is added to the task queue.
Secure, or HTTPS), which is used to access the web interface and port 22 (Secure
Shell, or SSH), which is used to access the command line, are enabled for any IP
address.
The access list is part of the system policy. You can specify the access list either
by creating a new system policy or by editing an existing policy. In either case, the
access list does not take effect until you apply the system policy.
WARNING! If you delete access for the IP address that you are currently
using to connect to the appliance interface (and if there is no entry for
“IP=any port=443”), you will lose access to the system when you apply the
policy.
TIP! You can click Add to add access for additional IP addresses or click
Delete to remove access from other IP addresses.
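The lockout condition in the warning above can be checked mechanically before the policy is applied. The following Python is an added example and is not part of this guide or of the appliance software; the access list representation (one entry per IP address or network and port, with "any" standing for every address) and the function names are assumptions.

```python
import ipaddress

# Constructed example of an access list as the system policy presents it:
# each entry grants one IP address or network access to one port
# (443 = HTTPS web interface, 22 = SSH command line). "any" means every
# IP address. This representation is an assumption, not the appliance's format.
ACCESS_LIST = [
    {"ip": "any", "port": 22},
    {"ip": "10.1.1.0/24", "port": 443},
]


def entry_allows(entry, client_ip, port):
    """Return True if a single access list entry admits client_ip on port."""
    if entry["port"] != port:
        return False
    if entry["ip"] == "any":
        return True
    network = ipaddress.ip_network(entry["ip"], strict=False)
    return ipaddress.ip_address(client_ip) in network


def would_lock_out(access_list, client_ip, port=443):
    """True if applying access_list would cut off the session from client_ip.

    Mirrors the guide's warning: you lose access unless your own address
    (or IP=any) is still granted on the port you are using to manage the
    appliance.
    """
    return not any(entry_allows(e, client_ip, port) for e in access_list)


def check_before_apply(access_list, client_ip, port=443):
    """Short verdict for an administrator reviewing a policy before Apply."""
    if would_lock_out(access_list, client_ip, port):
        return f"BLOCKED: {client_ip} has no entry on port {port}; add it first"
    return f"OK: {client_ip} retains access on port {port}"


if __name__ == "__main__":
    print(check_before_apply(ACCESS_LIST, "10.1.1.2"))
    # Simulate deleting the 10.1.1.0/24 entry while connected from 10.1.1.2.
    trimmed = [e for e in ACCESS_LIST if e["ip"] != "10.1.1.0/24"]
    print(check_before_apply(trimmed, "10.1.1.2"))
```

Run the check against the address shown in your own browser session (or the audit log) before clicking Apply; an entry for port 22 does not protect the web interface on port 443.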
IMPORTANT! You must ensure that the external host is functional and accessible
from the appliance sending the audit log.
The name of the sending host is part of the sent information and you can further
identify the audit log stream with a facility, a severity, and an optional tag. The
appliance does not send the audit log until you apply the system policy.
WARNING! The computer you configure to receive an audit log must be set
up to accept remote messages. Otherwise, the appliance may send the audit
log to the host, but it will not be accepted.
6. Label the audit data that you are sending with a facility and severity.
The default for Facility is USER. The default for Severity is INFO. However, you
can select any of the standard syslog facility and severity settings.
7. Optionally, insert a reference tag in the TAG field.
8. Click Save Policy and Exit.
The system policy is updated. Your changes do not take effect until you apply
the system policy to the Defense Center and its managed sensors. See
Applying a System Policy on page 324 for more information.
After you apply a policy with this feature enabled and your destination host is
configured to accept the audit log, the syslog messages are sent. The following is
an example of the output structure:
Date Time Host [Tag] Sender: [User_Name]@[User_IP], [Subsystem], [Action]
where the local date, time, and hostname precede the bracketed optional tag,
and the sending device name precedes the audit log message.
For example:
Mar 01 14:45:24 localhost [TAG] Dev-DC3000: admin@10.1.1.2,
Operations > Monitoring, Page View
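The facility and severity chosen in step 6 determine the syslog PRI value the receiving daemon uses to route the message, and the line structure shown above is regular enough to parse on the collector. The following Python is an added example, not code from this guide or the appliance: it computes the PRI from the standard syslog codes and parses audit lines of the documented shape. The sample lines are constructed (the first is the guide's own example); field names on the AuditRecord are assumptions.

```python
import re
from dataclasses import dataclass

# Standard syslog facility and severity codes (RFC 3164 numbering).
FACILITIES = {"KERN": 0, "USER": 1, "MAIL": 2, "DAEMON": 3, "AUTH": 4,
              "SYSLOG": 5, "LPR": 6, "NEWS": 7, "UUCP": 8, "CRON": 9,
              "AUTHPRIV": 10, "FTP": 11, "LOCAL0": 16, "LOCAL1": 17,
              "LOCAL2": 18, "LOCAL3": 19, "LOCAL4": 20, "LOCAL5": 21,
              "LOCAL6": 22, "LOCAL7": 23}
SEVERITIES = {"EMERG": 0, "ALERT": 1, "CRIT": 2, "ERR": 3, "WARNING": 4,
              "NOTICE": 5, "INFO": 6, "DEBUG": 7}


def syslog_pri(facility="USER", severity="INFO"):
    """PRI = facility * 8 + severity; defaults match the guide (USER, INFO)."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


@dataclass
class AuditRecord:
    timestamp: str
    host: str
    tag: str
    sender: str
    user: str
    user_ip: str
    subsystem: str
    action: str


# Pattern for the documented structure:
#   Date Time Host [Tag] Sender: [User_Name]@[User_IP], [Subsystem], [Action]
# The bracketed tag is optional; Subsystem may contain " > " path separators.
AUDIT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?:\[(?P<tag>[^\]]*)\] )?(?P<sender>[^:]+): "
    r"(?P<user>[^@,]+)@(?P<ip>[^,]+), (?P<subsystem>[^,]+), (?P<action>.+)$"
)


def parse_audit_line(line):
    """Return an AuditRecord, or None if the line is not an audit message."""
    m = AUDIT_RE.match(line.strip())
    if not m:
        return None
    return AuditRecord(m["ts"], m["host"], m["tag"] or "", m["sender"].strip(),
                       m["user"].strip(), m["ip"].strip(),
                       m["subsystem"].strip(), m["action"].strip())


def actions_by_user(lines):
    """Count audit actions per (user, source IP): a quick who-did-what review."""
    counts = {}
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None:
            continue
        key = (rec.user, rec.user_ip)
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample: the guide's example line plus two more of the same shape.
SAMPLE_LINES = [
    "Mar 01 14:45:24 localhost [TAG] Dev-DC3000: admin@10.1.1.2, "
    "Operations > Monitoring, Page View",
    "Mar 01 14:46:02 localhost [TAG] Dev-DC3000: admin@10.1.1.2, "
    "Operations > System Policy, Apply",
    "Mar 01 14:47:10 localhost Dev-DC3000: analyst@10.1.1.7, "
    "Analysis > IPS, Page View",
]

if __name__ == "__main__":
    print("PRI for USER/INFO:", syslog_pri())
    for line in SAMPLE_LINES:
        print(parse_audit_line(line))
    print(actions_by_user(SAMPLE_LINES))
```

On the collector, the per-user and per-IP counts are a convenient baseline; a management action arriving from an address that is not in your access list is worth a closer look.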
sensor, eligible externally authenticated users can log into the sensor. However,
the system policy on the sensor does not display authentication profile settings,
so you cannot manage them on the sensor itself. To make changes to the
authentication profile settings, you have to modify the policy on the Defense
Center and then push it to the sensor again. To disable authentication on a
managed sensor, you can either disable it in a system policy on the Defense
Center and push that to the sensor or apply a local system policy (which cannot
contain authentication profile settings) on the sensor.
Note that you can only enable external authentication on Defense Centers and
3D Sensors. Enabling external authentication by applying a system policy is not
supported on the following sensor types:
• 3Dx800 sensors
• Crossbeam-based software sensors
• Intrusion Agents
• RNA Software for Red Hat Linux
If a user with internal authentication attempts to log in, the appliance first checks
if that user is in the local user database. If the user exists, the appliance then
checks the username and password against the local database. If a match is
found, the user logs in successfully. If the login fails, however, and external
authentication is enabled, the appliance checks the user against each external
authentication server in the authentication order shown in the system policy. If
the username and password match results from an external server, the appliance
changes the user to an external user with the default privileges for that
authentication object.
If an external user attempts to log in, the appliance checks the username and
password against the external database. If a match is found, the user logs in
successfully. If the login fails, the user login attempt is rejected. External users
cannot authenticate against the user list in the local database. If the user is a new
external user, an external user account is created in the local database with the
default privileges for the external authentication object.
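The two login paths described above (internal user, then external user) form a decision procedure that is easier to reason about in code. The following Python is an added example, not the appliance's implementation: the local user store, the authentication objects with their default roles, and the credential directories standing in for the external servers are all constructed, and the function names are assumptions.

```python
import copy

# Constructed local user database: username -> record. "auth" is "internal"
# (password kept locally) or "external" (no local password).
_LOCAL_USERS = {
    "admin": {"password": "local-secret", "auth": "internal",
              "roles": ["Administrator"]},
    "jdoe": {"password": None, "auth": "external",
             "roles": ["Event Analyst"]},
}

# Constructed authentication objects in profile order. "users" is a stand-in
# for the LDAP/RADIUS directory each object points at.
_AUTH_OBJECTS = [
    {"name": "corp-ldap", "default_roles": ["Event Analyst"],
     "users": {"jdoe": "ldap-pass", "admin": "ldap-admin-pass"}},
    {"name": "backup-radius", "default_roles": ["Read Only Event Analyst"],
     "users": {"newhire": "radius-pass"}},
]


def make_state():
    """Fresh copies so each scenario starts from the same data."""
    return copy.deepcopy(_LOCAL_USERS), copy.deepcopy(_AUTH_OBJECTS)


def check_external(username, password, auth_objects):
    """Try each server in profile order; return the first matching object."""
    for obj in auth_objects:
        if obj["users"].get(username) == password:
            return obj
    return None


def login(username, password, local_users, auth_objects, external_enabled=True):
    """Return (success, reason); updates local_users as the guide describes."""
    user = local_users.get(username)
    if user is not None and user["auth"] == "internal":
        # Internal user: the local database is checked first.
        if user["password"] == password:
            return True, "internal"
        if not external_enabled:
            return False, "rejected"
        obj = check_external(username, password, auth_objects)
        if obj is None:
            return False, "rejected"
        # An external match converts the account to an external user with
        # the default privileges of the matching authentication object.
        user["auth"] = "external"
        user["password"] = None
        user["roles"] = list(obj["default_roles"])
        return True, f"converted to external ({obj['name']})"
    if not external_enabled:
        return False, "rejected"
    # External (or previously unknown) user: never checked against the
    # local user list, only against the external servers.
    obj = check_external(username, password, auth_objects)
    if obj is None:
        return False, "rejected"
    if user is None:
        # First successful login of a new external user creates the local
        # account with the object's default privileges.
        local_users[username] = {"password": None, "auth": "external",
                                 "roles": list(obj["default_roles"])}
        return True, f"new external user ({obj['name']})"
    return True, f"external ({obj['name']})"


if __name__ == "__main__":
    users, objects = make_state()
    print(login("admin", "ldap-admin-pass", users, objects))
    print(users["admin"])
```

Note the consequence of the conversion branch: once an internal account has been matched by an external server, its privileges are whatever that authentication object's defaults are, which is why the default role assignment in step 5 deserves review on a server that also holds administrator names.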
TIP! Press Ctrl before selecting roles to select multiple default user roles.
Note that although you can select both an event analyst role and the
corresponding read-only event analyst role, only the analyst role is applied.
6. If you want to use the external server to authenticate shell access accounts
as well, select Enabled from the Shell Authentication drop-down list.
7. To enable use of an authentication object, click Enable next to the object.
8. Optionally, use the up and down arrows to change the order in which
authentication servers are accessed when an authentication request occurs.
Remember that shell access users can only authenticate against the server
whose authentication object is highest in the profile order.
9. Click Save Policy and Exit.
The system policy is updated. Your changes do not take effect until you apply
the system policy to the Defense Center and its managed sensors. See
Applying a System Policy on page 324 for more information.
system status through the use of widgets: small, self-contained components that
provide insight into different aspects of the Sourcefire 3D System.
The Custom Analysis widget allows you to create a visual representation of
events based on a flexible, user-configurable query of the events in your
appliance's database. See Understanding the Custom Analysis Widget on
page 69 for more information on how to use custom widgets.
4. Select the Enable Custom Analysis Widgets check box to allow users to add
Custom Analysis widgets to dashboards; clear the check box to prohibit users
from using those widgets.
By default, Custom Analysis widget use is enabled.
5. Click Save Policy and Exit.
The system policy is updated. Your changes do not take effect until you apply
the system policy. See Deleting System Policies on page 325 for more
information.
These databases include those that store RNA and RUA events, as well as flow
events, flow summaries, and health events.
The Database Event Limits table on page 333 describes the maximum number
of records you can store in the databases on your appliance. Note that if you apply
a system policy to an appliance that does not support the maximum limit you
specify (for example, if you specify 100 million intrusion events and apply that
policy to a 3D Sensor), the maximum limit for the appliance is silently enforced.
In addition, database limits that do not apply to a particular appliance are silently
ignored. For example, if you use the Defense Center to apply the same system
policy to itself and the 3D Sensors it manages, any health alert limits you set in
the policy have no effect on the sensors.
Database Event Limits
Intrusion Event Database (Defense Center or Master Defense Center)
Stores: intrusion events on a Defense Center or on a Master Defense Center
(which is always a DC3000)
Limit: 2.5 million events on the DC500; 10 million events on the Virtual Defense
Center or the DC1000; 100 million events on the DC3000
RNA Flow Database
Stores: RNA flows on a Defense Center
Limit: 10 million events on the DC500, Virtual Defense Center, or DC1000;
100 million events on the DC3000
RNA Flow Summary Database
Stores: RNA flow summaries (aggregated RNA flows) on a Defense Center
Limit: 10 million events on the DC500, Virtual Defense Center, or DC1000;
100 million events on the DC3000
Compliance & White List Event Database
Stores: compliance events and white list events on a Defense Center or
Master Defense Center
Limit: 1 million events
White List Violation History Database
Stores: the white list violation history of the hosts on your network, on a
Defense Center
Limit: 30-day history of violations
RUA History Database
Stores: RUA storage of user logins on a Defense Center
Limit: 10 million user login records
Note that if the number of events in the intrusion event database exceeds the
maximum, the oldest events and packet files are pruned until the database is back
within limits. In addition, if the /volume disk partition reaches 85% of its capacity,
unified files are deleted from the system, beginning with the oldest files. See
Configuring a Mail Relay Host and Notification Address on page 338 for
information about generating automated email notifications when events are
automatically pruned.
For information on manually pruning the RNA and RUA databases, see Purging
the RNA and RUA Databases on page 598.
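The two rules above (a policy value silently capped at the appliance's maximum, and oldest-first pruning once a database or the /volume partition is over its threshold) are easy to misjudge when sizing a deployment. The following Python is an added model of that behaviour, not the appliance's code: the model limits are taken from the Database Event Limits table in this guide, the event store and file list are constructed, and pruning unified files "until the partition is back under 85%" is an assumption about how far the deletion proceeds.

```python
from collections import deque

# Maximum intrusion event database size by Defense Center model, from the
# Database Event Limits table in this guide.
INTRUSION_EVENT_MAX = {
    "DC500": 2_500_000,
    "Virtual Defense Center": 10_000_000,
    "DC1000": 10_000_000,
    "DC3000": 100_000_000,
}

# /volume fill level at which unified files start being deleted (from the guide).
DISK_PRUNE_THRESHOLD = 0.85


def enforced_limit(model, requested):
    """The limit actually applied: the policy value, silently capped per model."""
    return min(requested, INTRUSION_EVENT_MAX[model])


class IntrusionEventStore:
    """Toy store that drops the oldest events once the enforced limit is exceeded."""

    def __init__(self, model, requested_limit):
        self.limit = enforced_limit(model, requested_limit)
        self.events = deque()   # oldest event at the left
        self.pruned = 0         # running count of events (and packet files) dropped

    def add(self, event):
        self.events.append(event)
        while len(self.events) > self.limit:
            self.events.popleft()
            self.pruned += 1
        return self.pruned


def prune_unified_files(files, used_fraction, capacity_bytes):
    """Delete the oldest unified files while /volume is at or above 85%.

    files: list of (mtime, size_bytes) tuples. Returns the files that remain.
    Stopping once usage drops below the threshold is an assumption.
    """
    remaining = sorted(files)                     # oldest first
    used = used_fraction * capacity_bytes
    while remaining and used / capacity_bytes >= DISK_PRUNE_THRESHOLD:
        _, size = remaining.pop(0)
        used -= size
    return remaining


if __name__ == "__main__":
    # A 100 million event setting applied to a DC500 is silently cut to 2.5 million.
    print(enforced_limit("DC500", 100_000_000))
    store = IntrusionEventStore("DC500", 3)      # constructed tiny limit
    for event_id in range(1, 6):
        store.add(event_id)
    print(list(store.events), store.pruned)
```

The practical point for an analyst: an intrusion event that has been pruned is gone from the appliance, so retention that must outlast the cap has to be exported (eStreamer, syslog, or reports) before the database wraps.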
3. Click Database.
The Database page appears. The following graphic shows the Database page
on a DC1000 Defense Center.
4. For each of the databases, enter the number of records you want to store.
For information on how many records each database can maintain, see
Database Event Limits on page 333.
4. Do you want to confirm your action when you apply RNA detection policies
and intrusion policies?
• If yes, select Yes from the drop-down list.
• If no, select No from the drop-down list.
5. Click Save Policy and Exit.
The system policy is updated. Your changes do not take effect until you apply
the system policy. See Applying a System Policy on page 324 for more
information.
5. In the DNS Cache Timeout field, enter the number of minutes a DNS entry
remains cached in memory before it is removed for inactivity.
The default setting is 300 minutes (five hours).
4. In the Mail Relay Host field, type the hostname or IP address of the mail server
you want to use.
IMPORTANT! The mail host you enter must allow access from the appliance.
5. Optionally, in the Data Pruning Notification Address field, enter the email
address you want to receive notifications when intrusion events and audit
logs are pruned from the appliance’s database.
6. Click Save Policy and Exit.
The system policy is updated. Your changes do not take effect until you apply
the system policy. See Applying a System Policy on page 324 for more
information.
WARNING! The language you select here is used for the web interface for every
user who logs into the appliance.
4. In the Custom Login Banner field, enter the login banner that you want to use
with this system policy.
Field Description
Host Timeout
The amount of time that passes, in minutes, before RNA drops a host from
the network map due to inactivity. The default setting is 10080 minutes (7
days).
IMPORTANT! To avoid premature timeout of hosts, make sure that the host
timeout value is longer than the update interval in the RNA detection policy.
For more information, see Creating RNA Detection Policies in the Analyst
Guide.
Service Timeout
The amount of time that passes, in minutes, before RNA drops a service from
the network map due to inactivity. The default setting is 10080 minutes (7
days).
IMPORTANT! To avoid premature timeout of services, make sure that the
service timeout value is longer than the update interval in the RNA detection
policy. For more information, see Creating RNA Detection Policies in the
Analyst Guide.
Client Application Timeout
The amount of time that passes, in minutes, before RNA drops a client
application from the network map due to inactivity. The default setting is
10080 minutes (7 days).
IMPORTANT! Make sure that the client application timeout value is longer than
the update interval in the RNA detection policy. For more information, see
Creating RNA Detection Policies in the Analyst Guide.
Drop New Hosts When Host Limit Reached
Select this check box if you want new hosts rather than old hosts dropped
when the Defense Center reaches its host limit and the network map is full.
This option is especially valuable if you want to prevent spoofed hosts from
taking the place of valid hosts in the network map.
Combine Flows for Out-Of-Network Responders
Select this check box if you want to combine flow summaries involving
external hosts.
Enabling this option treats flow summary data from IP addresses that are not
in your list of monitored networks (as defined by your RNA detection policy) as
coming from a single host. Event views, graphs, and reports use external to
indicate the hosts outside your monitored network, instead of an individual IP
address.
The Defense Center will combine flow summaries involving a host on your
monitored network and one or more external hosts if the flows use the same
port, protocol, service, and if they were detected by the same detection
engine (for flows detected by 3D Sensor) or were exported by the same
NetFlow-enabled device and were processed by the same detection engine.
This can reduce the space required to store flow data and can also speed up
the rendering of flow data graphs. However, if you enable this option and you
attempt to drill down to the table view of flow data (that is, access data on
individual flows) for a flow summary that involves an external responder, the
table view contains no information.
Note that you can also use the RNA detection policy to force your 3D Sensors
to combine flow summaries involving external hosts before they transmit the
data to the Defense Center, which can reduce the number of events sent to
the Defense Center. However, keep in mind that setting this option in the RNA
detection policy requires that you set your flow data mode to Summary, which
prevents your 3D Sensors from transmitting individual flows to the Defense
Center and therefore prevents you from taking advantage of any feature that
requires data from individual flows. For more information, see Combining Flow
Summaries from External Responders in the Analyst Guide as well as
Configuring RNA Detection Policy Settings in the Analyst Guide.
Drop Duplicate RNA Flow Events
Select this check box if you want the Defense Center to drop duplicate flow
events generated by 3D Sensors with RNA.
Duplicate flow events can be created if you use two RNA detection policies,
each of which is monitoring a separate network segment using separate
detection engines. In that scenario, each detection engine generates a flow
event when RNA detects that a connection is terminated between a
monitored host on one of the networks and a monitored host on the other
network. On the other hand, if you use one policy to monitor both networks,
only the reporting detection engine for the flow initiator generates a flow
event.
Duplicate flow events can also be created if you overlap network segment
coverage with your RNA detection engines in your RNA detection policy.
Note that best practices are to use only one detection policy and to not overlap
network segment coverage; not following best practices can degrade
performance as the Defense Center attempts to resolve the conflicts, and can
also use excessive bandwidth.
Drop Duplicate NetFlow Events
Select this check box if you want the Defense Center to drop duplicate flow
events that are based on NetFlow data. Duplicate NetFlow events can be
created, for example, if two NetFlow-enabled devices export information
about the same session.
Just as with RNA flow events, best practices are to avoid creating duplicate
NetFlow events. For more information, see Drop Duplicate RNA Flow Events.
Vulnerabilities to use for Impact Assessment (Requires: IPS)
Select the check boxes in this section to configure how the Sourcefire 3D
System performs impact flag correlation with intrusion events.
• Select the Use RNA Vulnerability Mappings check box if you want to use RNA
vulnerability information to perform impact flag correlation.
• Select the Use Third Party Scanner Vulnerability Mappings check box if you are
using an integrated scan capability or the AddScanResult host input API
function and you want to use vulnerability lookups from the scanner to
perform impact flag correlation. For example, if you scan using Nessus,
select this option to use the Nessus vulnerability mappings. For more
information, see Understanding Nessus Scans in the Analyst Guide or the
Sourcefire 3D System Host Input API Guide.
• Select the Third Party Vulnerability Mappings check box if you want to use
third-party vulnerability references to perform impact flag correlation. For
more information, see Mapping Third-Party Vulnerabilities in the Analyst
Guide.
You can select any or all of the check boxes in this section; if IPS generates an
intrusion event and the Sourcefire 3D System is able to use any of the
methods you specified to determine that the host involved in the event is
vulnerable to the attack or exploit, the intrusion event will be marked with the
red (Vulnerable) impact flag. Note that if you clear all the check boxes, intrusion
events will never be marked with the red impact flag. For more information,
see Using Impact Flags to Evaluate Events in the Analyst Guide.
RNA Event Logging
Expand this section and use the check boxes to specify the types of RNA
network discovery events that you want to log in the database. See
Understanding RNA Network Discovery Event Types in the Analyst Guide for
information about each event type.
Host Input Event Logging
Expand this section and use the check boxes to specify the types of RNA host
input events that you want to log in the database. See Understanding RNA
Host Input Event Types in the Analyst Guide for information about each event
type.
RNA uses all passive data to derive operating system identities and assign a
confidence value. For more information on current identities and how RNA
selects the current identity, see Enhancing Your Network Map in the Analyst
Guide.
By default, unless there is an identity conflict, identity data added by a scanner or
application overrides identity data detected by RNA. You can use the Multiple
Fingerprinting page to rank scanner and application fingerprint sources by priority.
RNA retains one identity for each source, but only data from the highest priority
application or scanner source is used as the current identity. Note, however, that
user input data overrides scanner and application data regardless of priority.
An identity conflict occurs when RNA detects an identity that conflicts with an
existing identity that came from the active scanner or application sources listed
on the Multiple Fingerprinting page or from a user. By default, identity conflicts
are not automatically resolved and you must resolve them through the host
profile or by rescanning the host or re-adding new identity data to override the
RNA identity. However, you can set your system to always automatically resolve
the conflict by keeping the passive identity or to always resolve it by keeping the
active identity, as indicated in the Multiple Fingerprint Settings table.
You can add new active sources through this page, or change the priority or
timeout settings for existing sources. Note that adding a scanner to this page
does not add the full integration capabilities that exist for the Nmap and Nessus
scanners, but does allow integration of imported application or scan results. If you
import data from a third-party application or scanner, remember to make sure that
you map vulnerabilities from the source to the RNA vulnerabilities in the network
map. For more information, see Mapping Third-Party Vulnerabilities in the Analyst
Guide.
Option Description
Generate Identity Conflict Event
Enable this option to generate an event when an identity conflict
occurs on a host in the network map.
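The selection rules described above (user input first, then the highest-priority active scanner or application source, then RNA's passive identity; a conflict only when a new passive identity disagrees with an active or user identity) are small enough to model directly. The following Python is an added example and not the Defense Center's code: the source names, their priority numbers, the policy labels and the identity records are all constructed, and treating "keep passive" as discarding the conflicting active identities is an assumption.

```python
# Constructed priorities from a hypothetical Multiple Fingerprinting page;
# a lower number means a higher priority.
SOURCE_PRIORITY = {"nessus": 1, "nmap": 2, "asset-app": 3}


def current_identity(identities):
    """Pick the identity shown as current for a host.

    identities: list of {"source": str, "kind": "user"|"active"|"passive",
    "os": str}. User input wins regardless of priority; otherwise the
    highest-priority active source; RNA's passive identity only if nothing
    else exists. Returns None for an empty list.
    """
    users = [i for i in identities if i["kind"] == "user"]
    if users:
        return users[0]
    active = [i for i in identities if i["kind"] == "active"]
    if active:
        return min(active, key=lambda i: SOURCE_PRIORITY.get(i["source"], 99))
    passive = [i for i in identities if i["kind"] == "passive"]
    return passive[0] if passive else None


def resolve_conflict(identities, passive_detected, policy="manual"):
    """Apply the conflict policy when RNA passively detects a new identity.

    policy: "manual" (keep everything and flag the conflict for the host
    profile), "keep_passive" (assumed: drop the conflicting active/user
    identities) or "keep_active" (discard the passive detection).
    Returns (updated identities, conflict_flag). The flag is what the
    Generate Identity Conflict Event option would turn into an event.
    """
    chosen = current_identity(identities)
    # No active/user identity, or the same OS: just record the passive data.
    if (chosen is None or chosen["kind"] == "passive"
            or chosen["os"] == passive_detected["os"]):
        others = [i for i in identities if i["kind"] != "passive"]
        return others + [passive_detected], False
    if policy == "keep_active":
        return list(identities), False
    if policy == "keep_passive":
        return [passive_detected], False
    # "manual": retain every source so an analyst can resolve it in the host
    # profile, and flag the conflict.
    others = [i for i in identities if i["kind"] != "passive"]
    return others + [passive_detected], True


if __name__ == "__main__":
    host = [
        {"source": "rna", "kind": "passive", "os": "Linux 2.6"},
        {"source": "nmap", "kind": "active", "os": "Linux 2.6"},
        {"source": "nessus", "kind": "active", "os": "FreeBSD"},
    ]
    print(current_identity(host))
    print(resolve_conflict(host, {"source": "rna", "kind": "passive", "os": "Solaris"}))
```

Worth noticing in the model: a scanner result that is stale but still highest in priority keeps winning over fresh passive evidence until someone resolves the conflict or the scanner source's timeout expires, so the priority order should reflect which source you trust to be current, not just which one is most detailed.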
4. Specify the RNA data storage settings that you want for your Defense Center.
See the RNA Data Storage Settings table on page 342 for more information.
5. Optionally, specify the RNA network discovery events that you want to log by
clicking the arrow next to RNA Event Logging. All the event types are enabled
by default.
See the RNA Network Discovery Event Types table in the Analyst Guide for
more information.
6. Optionally, specify the RNA host input events that you want to log by clicking
the arrow next to Host Input Event Logging. All the event types are enabled
by default.
See the RNA Host Input Event Types table in the Analyst Guide for more
information.
7. Optionally, configure multiple fingerprint settings to manage operating
system and service source priorities and identity conflict resolution settings.
See the Multiple Fingerprint Settings table on page 347 for more information.
8. Click Save Policy and Exit.
The system policy is updated. Your changes do not take effect until you apply
the system policy. See Applying a System Policy on page 324 for more
information.
(hops and MAC address data) about hosts in subnets that are set to autodetect.
To get detailed information about the hosts in a subnet, including operating
system and service identity data, flow data, and so on, you must explicitly assign
an RNA detection engine to monitor that subnet.
The following diagram illustrates the automated subnet detection process. Note
that you can configure the Defense Center to notify you of subnet
recommendations via email so that you can make the changes manually, or, if you
configured the Defense Center to automatically apply recommendations, to notify
you of any changes made.
4. Optionally, in the Mail Notifications To field, enter the email address where you
want to receive notifications of new subnet recommendations.
TIP! To receive email notifications, you must configure a valid mail relay host;
see Configuring a Mail Relay Host and Notification Address on page 338.
5. From the Generate Recommendations Daily At drop-down list, select the time
when you want RNA to automatically generate daily subnet
recommendations for all applied RNA detection policies.
To disable daily generation of subnet recommendations, select Disabled.
nor are they associated with any of the information contained in the other types
of login that your 3D Sensors detect.
4. Select the check boxes that correspond to the types of logins that will create
RUA users.
By default, all login types cause RUA to add users to the database.
5. Click Save Policy and Exit.
The system policy is updated. Your changes do not take effect until you apply
the system policy. See Applying a System Policy on page 324 for more
information.
Synchronizing Time
Requires: Any
You can manage time synchronization on the appliance using the Time
Synchronization page. You can choose to synchronize the time:
• manually
• using one or more NTP servers (one of which can be a Defense Center)
Time settings are part of the system policy. You can specify the time settings
either by creating a new system policy or by editing an existing policy. In either
case, the time setting is not used until you apply the system policy.
Note that time settings are displayed on most pages on the appliance in local time
using the time zone you set on the Time Zone page (America/New York by
default), but are stored on the appliance itself using UTC time. In addition, the
current time appears in UTC at the top of the Time Synchronization page (local
time is displayed in the Manual clock setting option, if enabled).
You must use native applications, such as command line interfaces or the
operating system interface, to manage time settings for software sensors:
• For more information on configuring settings for Crossbeam Systems
Switches, see the Sourcefire 3D Sensor Software for X-Series Installation
Guide.
• For more information on configuring settings for RNA Software for Red Hat
Linux, see the Sourcefire RNA Software for Red Hat Linux Configuration
Guide.
• You manage time settings on an Intrusion Agent through the operating
system.
You can synchronize the appliance’s time with an external time server. If you
specify a remote NTP server, your appliance must have network access to it.
Connections to NTP servers do not use configured proxy settings. To use the
Defense Center as an NTP server, see Serving Time from the Defense Center on
page 357.
Sourcefire recommends that you synchronize your virtual appliances to a physical
NTP server. Do not synchronize your 3D Sensors (virtual or physical) to a Virtual
Defense Center.
The procedure for synchronizing time differs slightly depending on whether you
are using the web interface on a Defense Center or a 3D Sensor. Each procedure
is explained separately below.
4. If you want to serve time from the Defense Center to your managed sensors,
in the Serve time via NTP drop-down list, select Enabled.
Note that if you set this option to Enabled and then apply the system policy to
a sensor rather than a Defense Center, this value is ignored. Only Defense
Centers can act as NTP servers.
5. You have two options for specifying how the time is synchronized on the
appliance:
• To set the time manually, select Manually in the System Settings. See
Setting the Time Manually on page 389 for information about setting
the time after you apply the system policy.
• To receive time through NTP from a different server, select Via NTP
Server from and, in the text box, type a comma-separated list of IP
addresses for the NTP servers you want to use or, if DNS is enabled,
type the fully qualified host and domain names.
WARNING! If the appliance is rebooted and your DHCP server sets an NTP
server record different than the one you specify here, the DHCP-provided
NTP server will be used instead. To avoid this situation, you should configure
your DHCP server to set the same NTP server.
4. You have two options for specifying how time is synchronized on the
3D Sensor:
• To set the time manually, select Manually in the System Settings. See
Setting the Time Manually on page 389 for information about setting
the time after you apply the system policy.
• To receive time through NTP from different servers, select Via NTP
Server from and, in the text box, type a comma-separated list of IP
addresses of the NTP servers or, if DNS is enabled, type the fully
qualified host and domain names.
5. Click Save Policy and Exit.
The system policy is updated. Your changes do not take effect until you apply
the system policy. See Applying a System Policy on page 324 for more
information.
TIP! You cannot set the time manually after configuring the Defense Center to
serve time using NTP. If you need to manually change the time, you should do so
before configuring the Defense Center to serve time using NTP. If you need to
change the time manually after configuring the Defense Center as an NTP server,
disable the Via NTP option and click Save, change the time manually and click Save,
and then enable Via NTP and click Save.
IMPORTANT! If you configure the Defense Center to serve time using NTP, and
then later disable it, the NTP service on managed sensors will still attempt to
synchronize time with the Defense Center. You must disable NTP from the
managed sensors’ web interfaces to stop the synchronization attempts.
TIP! You can select or clear all check boxes at once using the check box next
to Enable.
The system settings include a series of linked pages that you can use to view and
modify settings on your appliance. Contrast the system settings, which are likely
to be specific to a single appliance, with a system policy, which controls aspects
of an appliance that are likely to be similar across a deployment. See Managing
System Policies on page 320 for more information.
The System Settings Options table describes the options you can configure in the
system settings.
Option Description
Network Interface
Allows you to view and modify the settings for the network
interfaces on your appliance. See Editing Network Interface
Configurations on page 380 for more information.
Appliance Information
Field Description
Name: A name you assign to the appliance. Note that this name is only used within
the context of the Sourcefire 3D System. Although you can use the hostname as the
name of the appliance, entering a different name in this field does not change the
hostname.
Store Events Only on Defense Center: Enable this check box to store event data on
the Defense Center, but not the managed sensor. Clear this check box to store
event data on both appliances.
Prohibit Packet Transfer to the Defense Center: Enable this check box to prevent
the managed sensor from sending packet data with the events. Clear this check box
to allow packet data to be stored on the DC with events.
Model Number: The model number for the appliance. This number can be important
for troubleshooting.
2. To change the appliance name, type a new name in the Name field.
Understanding Licenses
Requires: Any
You can license a variety of products and features to create your optimal
deployment. For Defense Centers, the Sourcefire 3D System requires that you
enable IPS by applying a product license file to each appliance as part of the
installation process. You can also add feature licenses such as RNA host licenses
and Intrusion Agent licenses.
TIP! You can view your licenses by using the Product Licensing widget in the
dashboard. See Understanding the Product Licensing Widget on page 84 for
more information.
identify the source of policy breaches, attacks, or network vulnerabilities
RUA Users and either RNA Hosts or the product license (or both).
IPS for use with Crossbeam Systems X-Series IPS Software Sensors.
NetFlow
NetFlow is an embedded instrumentation within Cisco IOS Software that
characterizes network operation. Standardized through the RFC process, NetFlow
is available not only on Cisco networking devices, but can also be embedded in
Juniper, FreeBSD, and OpenBSD devices.
NetFlow-enabled devices are widely used to capture and export data about the
traffic that passes through those devices. The NetFlow cache stores a record of
every flow (a sequence of packets that represents a connection between a
source and destination host) that passes through the devices. You can deploy
NetFlow-enabled devices on networks that your sensors cannot monitor, and use
NetFlow data to monitor those networks.
You must use a Defense Center to configure NetFlow data collection and to view
the collected data, and your deployment must include at least one 3D Sensor
with RNA that can communicate with your NetFlow-enabled devices. Although
you can use NetFlow-enabled devices exclusively to monitor your network, the
Sourcefire 3D System uses RNA detection engines on 3D Sensors to analyze
NetFlow data. For more information, see Introduction to NetFlow in the
Sourcefire 3D System Analyst Guide.
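The flow record described above (a sequence of packets between a source and destination host) is what a NetFlow-enabled device actually exports. As an added example that is not part of this guide or of the Sourcefire product, the parser below decodes a NetFlow export datagram into per-flow records and aggregates bytes per host pair. It assumes the NetFlow version 5 wire format (24-byte header, 48-byte records), which the guide does not name; the sample datagram is constructed inline, not captured from a real device, and the record count in the header is validated against the datagram length before any record is read, so a truncated export fails cleanly rather than producing garbage flows.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed wire format: NetFlow version 5 (the guide does not name a version).
# Header is 24 bytes, each flow record is 48 bytes, all fields big-endian.
HEADER_FMT = "!HHIIIIBBH"
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48


@dataclass
class FlowRecord:
    """One exported flow: a sequence of packets between a source and destination host."""
    src: str
    dst: str
    src_port: int
    dst_port: int
    protocol: int
    packets: int
    octets: int
    tcp_flags: int


def parse_netflow_v5(datagram: bytes) -> Tuple[Dict[str, int], List[FlowRecord]]:
    """Parse one NetFlow v5 export datagram into a header dict and flow records.

    The record count comes from the untrusted header, so the datagram length is
    checked before any record is read; a truncated export raises ValueError
    instead of yielding partial or garbage records.
    """
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs,
     flow_sequence, engine_type, engine_id, sampling) = struct.unpack(
        HEADER_FMT, datagram[:HEADER_LEN])
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError(f"header announces {count} records but datagram is truncated")
    header = {
        "version": version, "count": count, "sys_uptime": sys_uptime,
        "unix_secs": unix_secs, "unix_nsecs": unix_nsecs,
        "flow_sequence": flow_sequence, "engine_type": engine_type,
        "engine_id": engine_id, "sampling_interval": sampling,
    }
    records: List[FlowRecord] = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        f = struct.unpack(RECORD_FMT, datagram[off:off + RECORD_LEN])
        records.append(FlowRecord(
            src=socket.inet_ntoa(f[0]), dst=socket.inet_ntoa(f[1]),
            src_port=f[9], dst_port=f[10], protocol=f[13],
            packets=f[5], octets=f[6], tcp_flags=f[12]))
    return header, records


def bytes_per_host_pair(records: List[FlowRecord]) -> Dict[Tuple[str, str], int]:
    """Aggregate octets per (source host, destination host), the connection unit the guide describes."""
    totals: Dict[Tuple[str, str], int] = {}
    for r in records:
        key = (r.src, r.dst)
        totals[key] = totals.get(key, 0) + r.octets
    return totals


def build_sample_datagram() -> bytes:
    """Constructed sample export with two flows; not captured from a real device."""
    flows = [
        # src, dst, sport, dport, proto, packets, octets, tcp flags
        ("10.1.1.5", "10.2.2.80", 51000, 80, 6, 12, 9000, 0x1B),
        ("10.1.1.5", "10.2.2.53", 51001, 53, 17, 1, 64, 0),
    ]
    header = struct.pack(HEADER_FMT, 5, len(flows), 123456, 1700000000, 0, 42, 0, 0, 0)
    body = b""
    for src, dst, sport, dport, proto, pkts, octets, flags in flows:
        body += struct.pack(
            RECORD_FMT, socket.inet_aton(src), socket.inet_aton(dst),
            socket.inet_aton("0.0.0.0"), 1, 2, pkts, octets, 1000, 2000,
            sport, dport, 0, flags, proto, 0, 0, 0, 24, 24, 0)
    return header + body


if __name__ == "__main__":
    hdr, recs = parse_netflow_v5(build_sample_datagram())
    print(hdr["count"], "records from engine", hdr["engine_id"])
    for r in recs:
        print(f"{r.src}:{r.src_port} -> {r.dst}:{r.dst_port} proto={r.protocol} bytes={r.octets}")
```

Flow exports carry no packet payload, only the addresses, ports, protocol and counters shown in the record, which is why the guide positions NetFlow as a way to see networks your sensors cannot monitor rather than as a replacement for sensor inspection.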
RNA Host
Sourcefire RNA allows your organization to confidently monitor and protect your
network using a combination of forensic analysis, behavioral profiling, and built-in
alerting and remediation. 3D Sensors with RNA passively observe your
organization’s network traffic and analyze it to provide you with a complete, up-to-
the-minute profile of your network.
By default, RNA is installed on most 3D Sensors. (The 3D9800 does not support
RNA.) Sourcefire also makes key components of RNA available in installation
packages for Red Hat Linux servers and Crossbeam Systems security switches.
However, to control how network intelligence is gathered and to view the
resulting information, you must manage 3D Sensors with RNA with a Defense
Center. In addition, to enable RNA functionality, that Defense Center must have
an RNA host license installed and the 3D Sensor must have a product license
installed. For more information, see Introduction to Sourcefire RNA in the
Sourcefire 3D System Analyst Guide.
RUA Host
Sourcefire Real-time User Awareness, also called RUA, allows your organization
to correlate threat, endpoint, and network intelligence with user identity
information. By linking network behavior, traffic, and events directly to individual
users, RUA can help you to identify the source of policy breaches, attacks, or
network vulnerabilities, as well as mitigate risk, block users or user activity, and
take action to protect others from disruption. These capabilities also significantly
improve audit controls and enhance regulatory compliance.
All RUA deployments require a Defense Center that has an RUA feature license
installed. If your organization uses LDAP, you can use the user information on your
LDAP server to augment the Defense Center’s database of user identity
information with available metadata. For more information, see Using Sourcefire
RUA in the Sourcefire 3D System Analyst Guide.
Intrusion Agent
If you have an existing installation of Snort®, you can install an Intrusion Agent to
forward intrusion events to a Defense Center. You can then analyze the events
detected by Snort alongside your other data.
Although you cannot manage policies or rules for an Intrusion Agent from the
Defense Center, you can do analysis and reporting on those events. If the
network map on the Defense Center has entries for the target host in a given
event, the Defense Center assigns impact flags to the events. You can continue
to manually tune Snort rules and preprocessors with the Intrusion Agent in place.
For more information, see Sourcefire 3D System Intrusion Agent Configuration
Guide.
2. Click License.
The License page appears.
IMPORTANT! If your web browser cannot access the Internet, you must
switch to a host that can access it. Copy the license key at the bottom of the
page and browse to https://keyserver.sourcefire.com/.
IMPORTANT! If you purchased a feature license, click Add New License and add it
using the Add Feature License page. For more information about feature licenses,
see Managing Your Feature Licenses on page 370.
To add a license:
Access: Admin
1. Select Operations > System Settings.
The Information page appears.
2. Click License.
The License page appears.
IMPORTANT! If your web browser cannot access the Internet, you must
switch to a host that can access it. Copy the license key at the bottom of the
page and browse to https://keyserver.sourcefire.com/.
5. Follow the on-screen instructions for a feature license to obtain your license
file, which will be sent to you in an email.
6. After you receive an email with the feature license file, copy the license file
from the email, paste it into the License field, and click Submit License.
If the license file is correct, the license is added to the appliance, and the
licensed feature is available. You can repeat this process for each feature
license you need to add.
TIP! Your Defense Center can have multiple feature licenses (for example,
one or more licenses for RNA Hosts in addition to one or more licenses for
Intrusion Agents, RUA, and so on). Note that there is only one product
license.
TIP! You can also view licenses by using the Product Licensing widget on the
dashboard. See Understanding the Product Licensing Widget on page 84 for
more information.
The NetFlow License Columns table describes each column that appears in a
NetFlow license.
Column Description
Expires: Displays the date and time that the feature license expires.
The RNA Host License Columns table describes each column that appears in an
RNA host license.
Column Description
Expires: Displays the date and time that the feature license expires.
The RUA License Columns table describes each column that appears in an RUA
host license.
Column Description
Expires: Displays the date and time that the feature license expires.
The Intrusion Agent License Columns table describes each column that appears
in an intrusion agent license.
Column Description
Expires: Displays the date and time that the feature license expires.
The Virtual 3D Sensor License Columns table describes each column that appears
in a Virtual 3D Sensor license.
Column Description
Expires: Displays the date and time that the feature license expires.
The IPS Software License Columns table describes each column that appears in
an IPS Software license.
Column Description
Expires: Displays the date and time that the feature license expires.
2. Click License.
The License page appears, showing the product license and any feature
licenses you have added.
3. For the feature that you want to delete, click Delete in the Action column.
local DHCP server. If, in the case of IPv6, you specify Router assigned, the
appliance retrieves its network settings from a local router.
Setting Description
Primary DNS Server: The IP address of the DNS server for the network where the
appliance resides.
If the appliance is not directly connected to the Internet, you can configure a
proxy server to be used when downloading updates and SEUs. By default, the
appliance is configured to directly connect to the Internet.
2. Click Network.
The Network page appears.
3. Specify which IP version (v4, v6, or both) you want to use by selecting the
Configuration from the IPv4 and IPv6 settings:
• Select Disabled to use only the alternative IP version (for example, if
your network uses only IPv6, in the IPv4 section select Disabled).
• Select DHCP to allow DHCP server network setting resolution.
• Select Router assigned (an IPv6-only configuration) to allow router
assigned network setting resolution.
• Select Manual to manually specify network settings.
4. If you selected Manual, specify the network settings.
See the Manual Network Configuration Settings table on page 378 for a full
description of each field you can configure. You can change the Shared
Settings (hostname, domain, and domain servers) if you use manual or router
assigned configurations.
5. If your appliance is not directly connected to the Internet, you can identify a
proxy server to be used when downloading updates and rules. By default,
appliances are configured to connect directly to the Internet. To configure a
proxy server, you have two options:
• If you have a direct connection from the appliance to the Internet, select
Direct connection.
• If your network uses a proxy, select Manual proxy configuration and enter
the IP address or fully qualified domain name of your proxy server in the
HTTP Proxy field and the port in the Port field.
6. Click Save.
The network settings are changed.
WARNING! Do not modify the settings for the management interface unless you
have physical access to the appliance. It is possible to select a setting that makes
it difficult to access the web interface.
If you change the link mode for a sensing interface, the sensor drops traffic while
the network interface card renegotiates its network connection.
IMPORTANT! If you shut down the appliance, the process shuts down the
operating system on the appliance, but does not physically shut off power. To
shut off power to the appliance, you must press the power button on the
appliance, or, for an appliance without a power button, unplug it.
both using the current software. However, if your Defense Center is running the
current version of the software and the sensors it manages are running an older
version of the software, you will need to use a management virtual network and
ensure that it does not conflict with other communications on your network.
WARNING! The IP address range you specify for the Management Virtual
Network must not conflict with any other local network, including your
management network. The user interface prevents you from entering the address
range for the management network, but make sure you do not enter a range
that overlaps other local networks. Doing so may break communications between
hosts on the local network.
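The web interface only rejects a range that collides with the management network itself; overlap with every other local network is the administrator's responsibility. As an added example that is not part of this guide or of the Sourcefire product, the check below takes a proposed Management Virtual Network range, the management network, and a list of the other local networks you know about, and reports which of them the proposal overlaps. The network values in the usage section are a constructed sample topology, not taken from any real deployment.

```python
import ipaddress
from typing import Iterable, List, Tuple


def find_overlaps(candidate: str, existing: Iterable[str]) -> List[str]:
    """Return every network in `existing` whose address space overlaps `candidate`.

    strict=False lets an operator paste a host-style address such as
    10.5.1.0/16 without the check failing on the host bits.
    """
    cand = ipaddress.ip_network(candidate, strict=False)
    hits: List[str] = []
    for net_str in existing:
        net = ipaddress.ip_network(net_str, strict=False)
        # Mixed address families can never overlap; compare only like with like.
        if net.version == cand.version and cand.overlaps(net):
            hits.append(net_str)
    return hits


def validate_management_virtual_network(
        candidate: str, management_network: str,
        other_local_networks: Iterable[str]) -> Tuple[bool, List[str]]:
    """Apply the guide's rule: the range must not overlap the management network
    or any other local network. Returns (ok, list of conflicting networks)."""
    conflicts = find_overlaps(candidate, [management_network, *other_local_networks])
    return (not conflicts, conflicts)


def address_capacity(candidate: str) -> int:
    """Number of addresses the range provides (a /16 gives 65536)."""
    return ipaddress.ip_network(candidate, strict=False).num_addresses


if __name__ == "__main__":
    # Constructed sample topology, not taken from any real deployment.
    mgmt = "192.168.10.0/24"
    local = ["10.0.0.0/8", "192.168.20.0/24"]
    for proposed in ("172.20.0.0/16", "10.5.0.0/16", "192.168.10.128/25"):
        ok, conflicts = validate_management_virtual_network(proposed, mgmt, local)
        print(proposed, "OK" if ok else f"CONFLICTS with {conflicts}",
              f"({address_capacity(proposed)} addresses)")
```

Run the check against the complete inventory of routed prefixes on the management side, not just the ones attached to the Defense Center, since the traffic that breaks is between hosts that never touch the appliance.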
You must use native applications, such as command line interfaces, third-party
user interfaces, or the operating system interface, to manage the communication
channel sensor settings for Crossbeam-based software sensors, 3Dx800
sensors, and Intrusion Agents. For more information on configuring settings for
Crossbeam-based software sensor, see the Sourcefire 3D Sensor Software for
X-Series Installation Guide. For more information on configuring settings for
3Dx800 sensors, see the Sourcefire 3D Sensor Installation Guide. For more
information on configuring settings for RNA Software for Red Hat Linux, see the
Sourcefire RNA Software for Red Hat Linux Configuration Guide. For more
information on configuring settings for Intrusion Agents, see the Intrusion Agent
Configuration Guide.
3. In the Management Port field, enter the port number that you want to use.
4. In the Management Virtual Network field, enter the IP address range that you
want to use.
5. Click Save to save your changes for both the IP address range and the port
number.
The new values are saved.
version uses a default /16 (sixteen bit) CIDR address space, which provides for a
much greater number of appliances.
3. Click Edit next to the host whose Management Virtual Network you want to
change.
The Edit Remote Management page appears.
TIP! The regenerate VIP option is useful after you reconfigure your network
or change the Sourcefire 3D System to take advantage of a larger address
space.
6. After appropriate management virtual network edits are made, click Save.
TIP! If you register a sensor to a Defense Center using a Registration Key and
Unique NAT ID, but without a hostname or IP address, the Remote Management
page displays the Unique NAT ID in the Host field.
Sourcefire strongly recommends that you read Using the Defense Center on
page 99 before you add sensors to the Defense Center.
WARNING! Leave the Management Port field at the top of the Remote
Management page in the default setting in nearly all cases. If you must
change the Management Port, see Setting Up the Management Virtual
Network on page 384.
4. In the Management Host field, type the IP address or the hostname of the
Defense Center that you want to use to manage the sensor.
WARNING! Make sure you use hostnames rather than IP addresses if your
network uses DHCP to assign IP addresses.
Note that you can leave the Management Host field empty if the management host
does not have a routable address. In that case, use both the Registration Key and
the Unique NAT ID fields.
5. In the Registration Key field, type the one-time use registration key that you
want to use to set up a communications channel between the sensor and the
Defense Center.
6. Optionally, in the Unique NAT ID field, type a unique alphanumeric NAT ID that
you want to use to identify the sensor.
7. Click Save.
After the sensor confirms communication with the Defense Center, the
Pending Registration status appears.
8. Access the Defense Center web interface and select Operations > Sensors.
The Sensors page appears.
9. Click New Sensor.
The Add New Sensor page appears.
10. Type the IP address or the hostname of the sensor you want to add in the
Host field.
WARNING! Make sure you use hostnames rather than IP addresses if your
network uses DHCP to assign IP addresses.
11. In the Registration Key field, type the same one-time use registration key that
you used in step 5.
12. If you used a unique ID in step 6, type the same value in the Unique NAT ID
field.
13. You can store IPS data on both the Defense Center and the sensor by clearing
the Store Events and Packets Only on the Defense Center check box.
By default, IPS data is stored only on the Defense Center and not on the
sensor. Note that RNA data is never stored on the sensor.
14. You can prevent packet data from leaving a sensor by checking the Prohibit
Packet Transfer to the Defense Center check box.
IMPORTANT! If you elect to prohibit sending packets and you do not store
events on the 3D Sensor, packet data is not retained. Packet data is often
important for forensic analysis.
15. To add the sensor to a group, select the group from the Add to Group list.
For more information about groups, see Managing Sensor Groups on
page 131.
16. Click Add.
The sensor is added to the Defense Center. It can take up to two minutes for
the Defense Center to verify the sensor’s heartbeat and establish
communication.
If the appliance is synchronizing its time based on NTP, you cannot change the
time manually. Instead, the NTP Status section on the Time page provides the
following information:
NTP Status
Column Description
Last Update: The number of seconds that have elapsed since the time was last
synchronized with the NTP server. The NTP daemon automatically adjusts the
synchronization times based on a number of conditions. For example, if you see
larger update times such as 300 seconds, that indicates that the time is
relatively stable and the NTP daemon has determined that it does not need to use
a lower update increment.
See Synchronizing Time on page 354 for more information about the time
settings in the system policy.
2. Click Time.
The Time page appears.
TIP! To remove a NetFlow-enabled device, click Delete next to the device you
want to remove. Keep in mind that if you remove a NetFlow-enabled device
from the system policy, you should also remove it from your RNA detection
policy. For more information, see Editing an RNA Detection Policy in the
Analyst Guide.
6. Click Save.
The list of NetFlow-enabled devices is saved.
TIP! After configuring and selecting remote storage, you can switch back to local
storage only if you have not increased the RNA flow database limit.
You must ensure that your external remote storage system is functional and
accessible from the Defense Center.
Select one of the backup and report storage options:
• To disable external remote storage and use the local Defense Center for
backup and report storage, see Using Local Storage on page 393.
• To use NFS for backup and report storage, see Using NFS for Remote
Storage on page 394.
• To use SSH for backup and report storage, see Using SSH for Remote
Storage on page 395.
• To use SMB for backup and report storage, see Using SMB for Remote
Storage on page 396.
IMPORTANT! You cannot use remote backup and restore to manage data on
Crossbeam-based software sensors, RNA Software for Red Hat Linux, 3Dx800
sensors, or Intrusion Agents.
TIP! You do not use the Test button with local storage.
5. If there are any required command line options, select Use Advanced Options.
A Command Line Options field appears where you can enter the commands.
6. Under System Usage, select either or both of the following:
• Select Enable Remote Storage for Backups to store backups on the
designated host.
• Select Enable Remote Storage for Reports to store reports on the
designated host.
7. Optionally, click Test.
The test ensures that the Defense Center can access the designated host
and directory.
8. Click Save.
Your remote storage configuration is saved.
IMPORTANT! You cannot use the Update feature to update the SEU or Intrusion
Agents. For information on updating your SEU, see Importing SEUs and Rule Files
in the Analyst Guide. For information on Intrusion Agents, see the Intrusion Agent
Configuration Guide.
You can obtain updates from the Sourcefire Support and then manually install
them using the Patch Update Management page. The following graphic shows the
Defense Center version of the page.
When you upload updates to your appliance, they appear on the page. Uploaded
VDB updates also appear on the page, as do uninstaller updates, which are
created when you install a patch to a Sourcefire appliance. The list of updates
shows the type of each update, the version number, and the date and time it was
generated. It also indicates whether a reboot is required as part of the update.
TIP! For patches, feature updates, and VDB updates, you can take advantage of
the automated update feature; see Scheduling Tasks on page 425.
If your deployment includes a Defense Center, you can use it to install updates on
its managed 3D Sensors, including software sensors. However, for major updates
to software sensors, you may need to uninstall the previous version and install
the new version.
You can uninstall patches to the Sourcefire software using an appliance’s local
web interface. Uninstalling from the web interface is not supported for major
version upgrades, nor is it supported for appliances that do not have local web
interfaces.
TIP! This section explains how to plan for and perform manual software updates
on your Sourcefire appliances. For patches and feature updates, you can take
advantage of the automated update feature; see Automating Software Updates
on page 430.
5. Delete any backups that reside on the appliance, then back up current event and
configuration data to an external location.
Sourcefire strongly recommends that you delete or move any backup files that
reside on your appliance, then back up current event and configuration data to
an external location. Event data is not backed up as part of the update
process.
For more information on the backup and restore feature, including the types
of backups that are supported for your appliance, see Using Backup and
Restore on page 413.
6. Make sure you have enough free disk space and allow enough time for the update.
When you update a managed sensor, the update requires additional disk
space on the Defense Center. The release notes for the update indicate
space and time requirements.
7. Update your Master Defense Centers.
Always update Master Defense Centers first; see Updating a Defense Center
or Master Defense Center on page 402.
8. Update your Defense Centers.
After you update any Master Defense Centers in your deployment, you can
update the Defense Centers they manage; see Updating a Defense Center or
Master Defense Center on page 402.
Note that when you begin to update one Defense Center in a high availability
pair, the other Defense Center in the pair becomes the primary, if it is not
already. In addition, the paired Defense Centers stop sharing configuration
information; paired Defense Centers do not receive software updates as part
of the regular synchronization process. To ensure continuity of operations, do
not update paired Defense Centers at the same time. First, complete the
update procedure for one of the Defense Centers, then update the second
Defense Center.
9. Update your managed 3D Sensors.
After you update the Master Defense Centers and Defense Centers in your
deployment, you can update your managed sensors (including software
sensors). Sourcefire strongly recommends that you use your Defense Centers
to update the sensors they manage; see Updating Managed Sensors on
page 404.
Note that you must use the Defense Center to update sensors that do not
have a web interface, including Crossbeam-based software sensors, RNA for
Red Hat Linux, and 3Dx800 sensors. However, for major updates to software
sensors, you may need to uninstall the previous version and install the new
version; see the release notes for more information.
10. Update your unmanaged 3D Sensors.
See Updating Unmanaged 3D Sensors on page 406.
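Steps 7 through 10 above fix the order in which appliances are updated (Master Defense Centers, then Defense Centers, then managed sensors, then unmanaged sensors) and add the constraint that the two members of a high availability pair are never updated together. As an added example that is not part of this guide or of the Sourcefire product, the planner below turns an inventory of appliances into sequential update waves that respect both rules; the role names, the `ha_pair` label and the sample deployment are constructed for the example.

```python
from typing import Dict, List, Optional, Set

# Order the guide prescribes: Master Defense Centers, then Defense Centers,
# then managed 3D Sensors, then unmanaged 3D Sensors. Role names are assumed.
ROLE_ORDER = ("master_dc", "dc", "managed_sensor", "unmanaged_sensor")


def plan_update_waves(appliances: List[Dict[str, Optional[str]]]) -> List[List[str]]:
    """Group appliances into sequential update waves.

    Each appliance is a dict with "name", "role" (one of ROLE_ORDER) and an
    optional "ha_pair" label shared by the two members of a high availability
    pair. Waves come out in ROLE_ORDER; within a role, the two members of an
    HA pair are always placed in different waves so that one Defense Center
    stays primary while the other updates.
    """
    by_role: Dict[str, List[Dict[str, Optional[str]]]] = {r: [] for r in ROLE_ORDER}
    for a in appliances:
        if a["role"] not in by_role:
            raise ValueError(f"unknown role {a['role']!r} for {a['name']}")
        by_role[a["role"]].append(a)

    waves: List[List[str]] = []
    for role in ROLE_ORDER:
        first_wave: List[str] = []
        second_wave: List[str] = []
        pairs_seen: Set[str] = set()
        for a in by_role[role]:
            pair = a.get("ha_pair")
            if pair is not None and pair in pairs_seen:
                second_wave.append(a["name"])   # partner is already in the earlier wave
            else:
                if pair is not None:
                    pairs_seen.add(pair)
                first_wave.append(a["name"])
        if first_wave:
            waves.append(first_wave)
        if second_wave:
            waves.append(second_wave)
    return waves


if __name__ == "__main__":
    # Constructed sample deployment; names and pairing are illustrative only.
    deployment = [
        {"name": "mdc1", "role": "master_dc"},
        {"name": "dc-a", "role": "dc", "ha_pair": "pair1"},
        {"name": "dc-b", "role": "dc", "ha_pair": "pair1"},
        {"name": "dc-c", "role": "dc"},
        {"name": "sensor1", "role": "managed_sensor"},
        {"name": "sensor2", "role": "managed_sensor"},
        {"name": "lab-sensor", "role": "unmanaged_sensor"},
    ]
    for n, wave in enumerate(plan_update_waves(deployment), 1):
        print(f"wave {n}: {', '.join(wave)}")
```

Each wave should finish, including the post-update verification steps listed later in this chapter, before the next wave starts; the planner only decides the order, not when a wave is done.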
Note that when you begin to update one Defense Center in a high availability pair,
the other Defense Center in the pair becomes the primary, if it is not already. In
addition, the paired Defense Centers stop sharing configuration information;
paired Defense Centers do not receive software updates as part of the regular
synchronization process. To ensure continuity of operations, do not update paired
Defense Centers at the same time. First, complete the update procedure for one
of the Defense Centers, then update the second Defense Center.
IMPORTANT! For major updates, updating the Defense Center removes any
existing updates and patches, as well as their uninstall scripts, from the
appliance.
2. Upload the update to the Defense Center. You have two options, depending
on the type of update and whether your Defense Center has access to the
internet.
• For all except major releases, and if your Defense Center has access to
the Internet, select Operations > Update to display the Patch Update
Management page, then click Download Updates to check for the latest
updates on the Support Site.
• For major releases, or if your Defense Center does not have access to
the Internet, first manually download the update from the Sourcefire
Support Site. Select Operations > Update to display the Patch Update
Management page, then click Upload Update. Browse to the update and
click Upload.
IMPORTANT! Download the update directly from the Support Site, either
manually or by clicking Update on the Patch Update Management page. If you
transfer an update file by email, it may become corrupted.
7. Under Selected Update, select the Defense Center and click Install. If
prompted, confirm that you want to install the update and reboot the Defense
Center.
The update process begins. You can monitor the update's progress in the
task queue (Operations > Monitoring > Task Status).
WARNING! Do not use the web interface to perform any other tasks until the
update has completed and (if necessary) the Defense Center reboots. Before
the update completes, the web interface may become unavailable, or the
Defense Center may log you out. This is expected behavior. If this occurs, log
in again to view the task queue. If the update is still running, continue to
refrain from using the web interface until the update has completed. If you
encounter issues with the update (for example, if the task queue indicates
that the update has failed or if a manual refresh of the task queue shows no
progress), do not restart the update. Instead, contact Support.
8. After the update finishes, if necessary, log into the Defense Center.
9. Clear your browser cache and force a reload of the browser. Otherwise, the
user interface may exhibit unexpected behavior.
10. Select Operations > Help > About and confirm that the software version is listed
correctly.
11. Verify that all managed sensors are successfully communicating with the
Defense Center.
12. Re-apply intrusion policies to the IPS detection engines on your managed
3D Sensors.
Unless you enabled the Inspect Traffic During Policy Apply option when you
created your IPS detection engines (this option is supported on many sensor
models; see Creating a Detection Engine on page 193), applying an intrusion
policy causes IPS detection engines to restart. This can cause a short pause
in processing and, for most detection engines with inline interface sets, may
cause a few packets to pass through the sensor uninspected.
13. Update the VDB on your Defense Centers and the 3D Sensors with RNA that
they manage; see Updating the Vulnerability Database on page 410.
14. Continue with the next section, Updating Managed Sensors, to update the
Sourcefire software on the sensors that the Defense Center manages.
multiple 3D Sensors at once, but only if they use the same update. For
information on updating the 3D Sensors in your deployment, see the release
notes.
IMPORTANT! You must use the Defense Center to update sensors that do not
have a web interface, including Crossbeam-based software sensors, RNA for Red
Hat Linux, and 3Dx800 sensors. However, for major updates to software sensors,
you may need to uninstall the previous version and install the new version; see
the release notes for more information.
IMPORTANT! Download the update directly from the Support Site. If you
transfer an update file by email, it may become corrupted.
8. Under Selected Update, select the sensors you want to update, then click
Push.
Depending on the size of the file, it may take some time to push the update
to all sensors. You can monitor the progress of the push in the task queue
(Operations > Monitoring > Task Status). When the push is complete, continue
with the next step.
9. Click Install next to the update you are installing.
The Install Update page appears.
10. Select the sensors where you pushed the update and click Install. If
prompted, confirm that you want to install the update and reboot the
3D Sensors.
The update process begins. You can monitor the update's progress in the
Defense Center’s task queue (Operations > Monitoring > Task Status).
If the update requires a reboot, your 3D Sensors use IPS detection engines
with inline interface sets, and the sensors do not have fail-open network
cards, traffic is interrupted while the sensors reboot. If your sensors have
fail-open network cards, some traffic may pass through the sensors
uninspected while they reboot.
WARNING! If you encounter issues with the update (for example, if the task
queue indicates that the update has failed or if a manual refresh of the task
queue shows no progress), do not restart the update. Instead, contact
Support.
11. Select Operations > Sensors and confirm that the sensors you updated have
the correct version listed.
12. Verify that the sensors you updated are successfully communicating with the
Defense Center.
13. Re-apply intrusion policies to the IPS detection engines on your managed
3D Sensors.
Unless you enabled the Inspect Traffic During Policy Apply option when you
created your IPS detection engines (this option is supported on many sensor
models; see Creating a Detection Engine on page 193), applying an intrusion
policy causes IPS detection engines to restart. This can cause a short pause
in processing and, for most detection engines with inline interface sets, may
cause a few packets to pass through the sensor uninspected.
You update the 3D Sensor in one of two ways, depending on the type of update
and whether your 3D Sensor has access to the internet:
• You can use the 3D Sensor to obtain the update directly from the Support
Site. Choose this option if your 3D Sensor has access to the internet and
you are not performing a major update. This option is not supported for
major updates.
• You can manually download the update from the Sourcefire Support Site
and then upload it to the 3D Sensor. Choose this option if your 3D Sensor
does not have access to the internet or if you are performing a major
update.
IMPORTANT! For major updates, updating the 3D Sensor removes any existing
updates and patches, as well as their uninstall scripts, from the sensor.
IMPORTANT! Download the update directly from the Support Site, either
manually or by clicking Update on the Patch Update Management page. If you
transfer an update file by email, it may become corrupted.
3. Select Operations > Monitoring > Task Status to view the task queue and make
sure that there are no jobs in process.
Tasks that are running when the update begins are stopped and cannot be
resumed; you must manually delete them from the task queue after the
update completes. The task queue automatically refreshes every 10 seconds.
You must wait until any long-running tasks are complete before you begin the
update.
4. Select Operations > Update.
The Patch Update Management page appears.
5. Click Install next to the update you just uploaded. If prompted, confirm that
you want to install the update and reboot the 3D Sensor.
The update process begins. You can monitor the update's progress in the
task queue (Operations > Monitoring > Task Status).
If the update requires a reboot, your 3D Sensor uses IPS detection engines
with inline interface sets, and the sensor does not have a fail-open network
card, traffic is interrupted while the sensor reboots. If the sensor has a
fail-open network card, some traffic may pass through the sensor
uninspected while it reboots.
WARNING! Do not use the web interface to perform any other tasks until the
update has completed and (if necessary) the 3D Sensor reboots. Before the
update completes, the web interface may become unavailable, or the
3D Sensor may log you out. This is expected behavior. If this occurs, log in
again to view the task queue. If the update is still running, continue to refrain
from using the web interface until the update has completed. If you
encounter issues with the update (for example, if the task queue indicates
that the update has failed or if a manual refresh of the task queue shows no
progress), do not restart the update. Instead, contact Support.
IMPORTANT! Uninstalling from the web interface is not supported for major
version upgrades. If you upgraded to a new version of the appliance and need to
revert to an older version, contact Support.
You must use the local web interface to uninstall patches, as described by the
procedure in this section; you cannot use the Defense Center to uninstall patches
from managed sensors. For information on uninstalling patches from appliances
that do not have local web interfaces (Crossbeam-based software sensors, RNA
for Red Hat Linux, and 3Dx800 sensors), see the release notes.
In addition, you must uninstall a patch from the appliances in your deployment in
the reverse order of how you installed it. That is, first uninstall the patch from your
managed 3D Sensors, then your Defense Centers, and finally your Master
Defense Centers.
When you uninstall a patch, the resulting Sourcefire software version depends on
the update path for your appliance. For example, consider a scenario where you
updated an appliance directly from Version 4.9.0 to Version 4.9.0.2. Uninstalling
the Version 4.9.0.2 patch might result in an appliance running Version 4.9.0.1,
even though you never installed the Version 4.9.0.1 update. For information on
the resulting Sourcefire software version when you uninstall an update, see the
release notes.
2. Click Install next to the uninstaller for the update you want to remove.
• On the Defense Center, the Install Update page appears. Under
Selected Update, select the Defense Center and click Install.
• On the 3D Sensor, there is no intervening page.
In either case, if prompted, confirm that you want to uninstall the update and
reboot the appliance.
The uninstall process begins. You can monitor its progress in the task queue
(Operations > Monitoring > Task Status).
If the uninstall for a 3D Sensor requires a reboot, the sensor uses IPS
detection engines with inline interface sets, and the sensor does not have a
fail-open network card, traffic is interrupted while the sensor reboots. If the
sensor has a fail-open network card, some traffic may pass through the
sensor uninspected while it reboots.
WARNING! Do not use the web interface to perform any other tasks until the
uninstall has completed and (if necessary) the appliance reboots. Before the
uninstall completes, the web interface may become unavailable, or the
appliance may log you out. This is expected behavior. If this occurs, log in
again and view the task queue. If the uninstall is still running, continue to
refrain from using the web interface until the uninstall has completed. If you
encounter issues with the uninstall, for example, if the task queue indicates
that the uninstall has failed or if a manual refresh of the task queue shows no
progress, do not restart the uninstall. Instead, contact Support.
You should install the same version of the VDB on all the appliances in your
deployment. To ensure you install the same VDB version, use your Defense
Centers to push and install the VDB on all managed 3D Sensors with RNA,
including software sensors. Because you cannot view RNA data on Master
Defense Centers or on unmanaged 3D Sensors, you do not need to update the
VDB on these appliances.
The time it takes to update vulnerability mappings depends on the number of
hosts in your network map. You may want to schedule the update during low
system usage times to minimize the impact of any system downtime. As a rule of
thumb, divide the number of hosts on your network by 1000 to determine the
approximate number of minutes to perform the update.
TIP! This section explains how to plan for and perform manual VDB updates on
your Sourcefire 3D System appliances. You can take advantage of the automated
update feature to schedule VDB updates; see Automating Vulnerability Database
Updates on page 437.
IMPORTANT! Download the update directly from the Support Site, either
manually or by clicking Update. If you transfer an update file by email, it may
become corrupted.
The VDB update is saved on the Defense Center and appears in the Updates
section.
4. Click Push next to the VDB update.
The Push Update page appears.
5. Under Selected Update, select the managed 3D Sensors you want to update,
then click Push.
Depending on the size of the file, it may take some time to push the VDB
update to all sensors. You can monitor the progress of the push in the
Defense Center’s task queue (Operations > Monitoring > Task Status). When the
push is complete, continue with the next step.
6. Click Install next to the VDB update.
The Install Update page appears.
7. Select the Defense Center, as well as the sensors where you pushed the
VDB update, then click Install.
The update process begins. Depending on the number of hosts in your
network map, the update may take some time. You can monitor the update's
progress in the task queue (Operations > Monitoring > Task Status).
WARNING! Do not use the web interface to perform tasks related to mapped
vulnerabilities until the update has completed. If you encounter issues with
the update, for example, if the task queue indicates that the update has failed
or if a manual refresh of the task queue shows no progress, do not restart the
update. Instead, contact Support.
8. After the update finishes, confirm that the VDB build number matches the
update you installed.
• To check the VDB build number on the Defense Center, select
Operations > Help > About.
• To check the VDB build number on your managed sensors, select
Operations > Sensors on the Defense Center, then click Edit next to each
sensor you updated.
WARNING! Do not use the backup and restore process to copy the configuration
files between sensors. The configuration files include information that uniquely
identifies a sensor and cannot be shared.
By default, system configuration files are saved in the backup file. You can also
choose to back up the following, if applicable for the range of appliances in your
deployment:
• the entire intrusion event database
• the entire RNA event database
• additional files that reside on the appliance
WARNING! If you applied any SEU updates, those updates are not backed up.
You need to apply the latest SEU update after you restore.
You can save backup files to the appliance or to your local computer. Additionally,
if you are using a Series 2 Defense Center, you can use remote storage as
detailed in Managing Remote Storage on page 393.
See the following sections for more information.
• See Creating Backup Files on page 414 for information about backing up
files from the appliance.
• See Creating Backup Profiles on page 418 for information about creating
backup profiles that you can use later as templates for creating backups.
• See Performing Sensor Backup with the Defense Center on page 419 for
information about backing up managed sensors with the Defense Center.
• See Uploading Backups from a Local Host on page 420 for information
about uploading backup files from a local host.
• See Restoring the Appliance from a Backup File on page 421 for information
about how to restore a backup file to the appliance.
The Defense Center and Master Defense Center version of the page is shown
below.
7. Requires: IPS Ensure that the value of the compressed backup file in the
Selected Sum field is less than the value in the Available Space field.
TIP! The compressed value that appears in the Selected Sum field is a
conservative estimate of the size of the compressed file. Often, the file will
be smaller.
8. If you want to include an additional file in the backup, type the full path and
file name in the Additional Files field and click the plus sign (+).
9. Optionally, to be notified when the backup is complete, select the Email when
complete check box and type your email address in the accompanying text
box.
You must make sure that your mail relay host is configured as described in
Configuring a Mail Relay Host and Notification Address on page 338.
10. Optionally, to use secure copy (scp) to copy the backup archive to a different
machine, select the Copy when complete check box and then type the following
information in the accompanying text boxes:
• the hostname or IP address of the machine where you want to copy the
backup
• the path to the directory where you want to copy the backup
• the user name that you want to use to log into the remote machine
• the password for that user name
TIP! When you create a backup file as described in Creating Backup Files on
page 414, a backup profile is automatically created.
TIP! You can click Edit to modify an existing profile or click Delete to delete a
profile from the list.
TIP! If you use a backup file name containing spaces or punctuation characters,
they change to underscores.
You cannot use remote backup and restore to manage data on Crossbeam-based
software sensors, RNA Software for Red Hat Linux, 3Dx800 sensors, or Intrusion
Agents.
3. In the Sensors field, select the managed sensors that you want to back up.
4. To include event data in addition to configuration data, select the Include All
Unified Files check box. Note that the unified files are the binary files that the
Sourcefire 3D System uses to log event data.
5. To save the backup file on the Defense Center, select the Retrieve to DC check
box.
TIP! To save each sensor’s backup file on the sensor itself, leave this check
box unselected.
TIP! It can take several minutes to complete the backup. Check the task
status for progress.
A success message appears and the backup task is set up. When the
backup is complete, you can view the backup file on the Restoration
Database page.
TIP! Uploading a backup larger than 4GB from your local host does not work
because web browsers do not support uploading files that large. As an
alternative, copy the backup via SCP to a remote host and retrieve it from there.
On Series 2 Defense Centers, the backup file can be saved to and retrieved from
a remote location; see Managing Remote Storage on page 393.
TIP! After the Defense Center verifies the file integrity, refresh the System
Backup Management page to reveal detailed file system information.
Backup Management
Column              Description
System Information  The originating appliance name, type, and version. Note that
                    you can only restore a backup to an identical appliance type
                    and version.
Date Created        The date and time that the backup file was created.
View                Click with the backup file selected to view a list of the files
                    included in the compressed backup file.
Download            Click with the backup file selected to save it to your local
                    computer.
2. To view the contents of a backup file, select the file and click View.
The manifest appears listing the name of each file, its owner and
permissions, and its file size and date. The Defense Center version of the
page is truncated to show a sample of the files that are backed up.
WARNING! This procedure will overwrite all configuration files and, on the
3D Sensor, all event data.
6. Requires: IPS If you want to restore intrusion event data, select the files that
you want to include from the Unified File List box.
Click Restore to begin the restoration.
Scheduling Tasks
You can schedule many different types of administrative tasks to run at scheduled
times, including:
• running backups
• Requires: IPS applying intrusion policies
• generating reports
• Requires: DC + RNA running Nessus scans
• Requires: DC + RNA synchronizing Nessus plugins
• Requires: DC + RNA running Nmap scans
• Requires: DC + RNA + IPS using RNA rule recommendations
• Requires: IPS importing Security Enhancement Updates (SEUs)
• downloading and installing software updates
• Requires: DC + RNA downloading and installing vulnerability database updates
• Requires: DC pushing downloaded updates to managed sensors
You can schedule tasks to run once or on a recurring schedule.
IMPORTANT! Some tasks (such as those involving automated software and SEU
updates and those that require pushing updates or intrusion policies to managed
sensors) can place a significant load on networks with low bandwidths. You
should always schedule tasks like these to run during periods of low network use.
Note that the time displayed on most pages on the web interface is the local
time, which is determined by using the time zone you specify in your system
settings. Further, the Defense Center or 3D Sensor with IPS automatically adjusts
its local time display for daylight saving time (DST), where appropriate. However,
recurring tasks that span the transition dates from DST to standard time and back
do not adjust for the transition. That is, if you create a task scheduled for 2am
during standard time, it will run at 3am during DST. Similarly, if you create a task
scheduled for 2am during DST, it will run at 1am during standard time.
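As an added illustration of the daylight saving drift described above (example code written for this section, not code from the Sourcefire guide or product), the following Python models a recurring task whose run time is pinned to the UTC offset in effect on the day it was created and is never re-adjusted. It assumes an appliance in the US Eastern time zone under the post-2007 US DST rules; the guide does not state a time zone, so both are assumptions.

```python
from datetime import date, datetime, time, timedelta, timezone

# Assumption (not from the guide): US Eastern time, with DST running from the
# second Sunday in March to the first Sunday in November (post-2007 US rules).
STANDARD_OFFSET = timedelta(hours=-5)   # EST
DST_OFFSET = timedelta(hours=-4)        # EDT


def _nth_sunday(year: int, month: int, n: int) -> date:
    """Return the n-th Sunday of the given month (n = 1 is the first Sunday)."""
    first = date(year, month, 1)
    # date.weekday(): Monday == 0 ... Sunday == 6
    first_sunday = first + timedelta(days=(6 - first.weekday()) % 7)
    return first_sunday + timedelta(weeks=n - 1)


def is_dst(day: date) -> bool:
    """True if DST is in effect on the given calendar day (assumed US rules)."""
    dst_start = _nth_sunday(day.year, 3, 2)   # second Sunday in March
    dst_end = _nth_sunday(day.year, 11, 1)    # first Sunday in November
    return dst_start <= day < dst_end


def utc_offset(day: date) -> timedelta:
    """UTC offset of the (assumed) appliance time zone on the given day."""
    return DST_OFFSET if is_dst(day) else STANDARD_OFFSET


def pinned_utc_time(created_on: date, run_at: time) -> time:
    """Model the scheduler: the wall-clock time typed into Run At is converted
    to UTC using the offset valid on the creation date and stored as-is."""
    local = datetime.combine(created_on, run_at,
                             tzinfo=timezone(utc_offset(created_on)))
    return local.astimezone(timezone.utc).time()


def actual_local_run_time(created_on: date, run_at: time, run_on: date) -> time:
    """Local wall-clock time at which the task actually fires on run_on,
    given that the stored UTC time does not move with the DST transition."""
    fired_utc = datetime.combine(run_on, pinned_utc_time(created_on, run_at),
                                 tzinfo=timezone.utc)
    return fired_utc.astimezone(timezone(utc_offset(run_on))).time()


def run_time_iso(created_on: str, run_at: str, run_on: str) -> str:
    """String wrapper: ISO dates and HH:MM in, HH:MM local fire time out."""
    fired = actual_local_run_time(date.fromisoformat(created_on),
                                  time.fromisoformat(run_at),
                                  date.fromisoformat(run_on))
    return fired.strftime("%H:%M")


if __name__ == "__main__":
    # The two cases the guide describes: a 2am task created in standard time
    # fires at 3am once DST starts; a 2am task created in DST fires at 1am
    # once standard time returns.
    print(run_time_iso("2023-01-15", "02:00", "2023-07-15"))   # 03:00
    print(run_time_iso("2023-07-15", "02:00", "2023-12-15"))   # 01:00
```

The practical use is auditing a maintenance window: feed in the creation date and Run At value of each recurring task and the dates you care about, and confirm that the shifted fire time still falls in the low-usage period the task was meant for.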
5. In the Start On field, specify the date when you want to start your recurring
task. You can use the drop-down list to select the month, day, and year.
6. In the Repeat Every field, specify how often you want the task to recur. You can
specify a number of hours, days, weeks, or months.
TIP! You can either type a number or use the arrow buttons to specify the
interval. For example, type 2 and select Day(s) to run the task every two days.
7. In the Run At field, specify the time when you want to start your recurring
task.
8. If you selected Week(s) in the Repeat Every field, a Repeat On field appears.
Select the check boxes next to the days of the week when you want to run
the task.
9. If you selected Month(s) in the Repeat Every field, a Repeat On field appears.
Use the drop-down list to select the day of the month when you want to run
the task.
The remaining options on the Add Task page are determined by the task you
are creating. See the following sections for more information:
• Automating Backup Jobs on page 428
• Automating Software Updates on page 430
• Automating Vulnerability Database Updates on page 437
• Automating SEU Imports on page 444
• Automating Intrusion Policy Applications on page 446
• Automating Reports on page 448
• Automating Nessus Scans on page 450
• Synchronizing Nessus Plugins on page 452
• Automating Nmap Scans on page 454
• Automating Recommended Rule State Generation on page 456
TIP! You must design a backup profile before you can configure it as a scheduled
task. For information on backup profiles, see Creating Backup Profiles on
page 418.
TIP! The Current Time field indicates the current time on the appliance.
• For recurring tasks, you have several options for setting the interval
between instances of the task. See Configuring a Recurring Task on
page 426 for details.
5. In the Job Name field, type a name using up to 255 alphanumeric characters,
spaces, or dashes.
6. From the Backup Profile list, select the appropriate backup profile.
For more information on creating new backup profiles, see Creating Backup
Profiles on page 418.
7. Optionally, in the Comment field, type a comment using up to 255
alphanumeric characters, spaces, or periods.
TIP! The comment field appears in the View Tasks section of the page, so
you should try to keep it relatively short.
8. Optionally, in the Email Status To: field, type the email address (or multiple
email addresses separated by commas) where you want status messages
sent.
IMPORTANT! You must have a valid email relay server configured to send
status messages. See Configuring a Mail Relay Host and Notification Address
on page 338 for more information about configuring a relay host.
9. Click Save.
The backup task is created.
Support site to ensure that you have the latest version of the update. If your
appliance cannot access the Support site, the task does not complete. This
behavior also has implications for appliances that cannot access the Support site
at all. Specifically, if you manually download an update to an appliance that cannot
access the Support site, you cannot schedule either pushes to managed sensors
(on the Defense Center) or installs (on any appliance). Instead you must manually
push or install the updates as described in Updating System Software on
page 398.
If you want to have more control over this process, you can use the Once option
to download and install updates during off-peak hours after you learn that an
update has been released.
TIP! The automated update process allows you to download and install software
patches and feature releases (generally when the last two digits in the four-digit
version number change, such as 4.8.1 or 4.8.2.1). For larger, more comprehensive
updates (such as 4.8 or 4.9), you must manually upload, push, and install the
upgrade files.
TIP! The Current Time field indicates the current time on the appliance.
• For recurring tasks, you have several options for setting the interval
between instances of the task. See Configuring a Recurring Task on
page 426 for details.
5. In the Job Name field, type a name using up to 255 alphanumeric characters,
spaces, or dashes.
6. In the Update Items section, specify which updates you want to download.
• Select Software to download the most recent software patch.
• Requires: DC Select Vulnerability Database to download the most recent
vulnerability database update.
Both options are selected by default.
TIP! The comment field appears in the View Tasks section of the page, so
you should try to keep it relatively short.
8. Optionally, in the Email Status To: field, type the email address (or multiple
email addresses separated by commas) where you want status messages
sent.
IMPORTANT! You must have a valid email relay server configured to send
status messages. See Configuring a Mail Relay Host and Notification Address
on page 338 for more information about configuring a relay host.
9. Click Save.
The task is created.
TIP! The Current Time field indicates the current time on the appliance.
• For recurring tasks, you have several options for setting the interval
between instances of the task. See Configuring a Recurring Task on
page 426 for details.
5. In the Job Name field, type a name using up to 255 alphanumeric characters,
spaces, or dashes.
6. From the Sensor list, select the sensor that you want to receive updates.
7. In the Update Items section, specify which updates you want to push to your
managed sensors.
• Select Software to push the software update.
• Requires: DC + RNA Select Vulnerability Database to push the VDB update.
Both options are selected by default.
8. Optionally, in the Comment field, type a comment using up to 255
alphanumeric characters, spaces, or periods.
TIP! The comment field appears in the View Tasks section of the page, so
you should try to keep it relatively short.
9. Optionally, in the Email Status To: field, type the email address (or multiple
email addresses separated by commas) where you want status messages
sent.
IMPORTANT! You must have a valid email relay server configured to send
status messages. See Configuring a Mail Relay Host and Notification Address
on page 338 for more information about configuring a relay host.
WARNING! Depending on the update being installed, the appliance may reboot
after the software is installed.
TIP! The Current Time field indicates the current time on the appliance.
• For recurring tasks, you have several options for setting the interval
between instances of the task. See Configuring a Recurring Task on
page 426 for details.
5. In the Job Name field, type a name using up to 255 alphanumeric characters,
spaces, or dashes.
6. If you are using a Defense Center, from the Sensor list, you have the following
options:
• Select the sensor where you want to install the update.
• Select the name of the Defense Center to install the update there.
7. In the Update Items section, select Software to install the software update.
8. Optionally, in the Comment field, type a comment using up to 255
alphanumeric characters, spaces, or periods.
TIP! The comment field appears in the View Tasks section of the page, so
you should try to keep it relatively short.
9. Optionally, in the Email Status To: field, type the email address (or multiple
email addresses separated by commas) where you want status messages
sent.
IMPORTANT! You must have a valid email relay server configured to send
status messages. See Configuring a Mail Relay Host and Notification Address
on page 338 for more information about configuring a relay host.
TIP! If your Sourcefire 3D System deployment includes IPS and RNA monitoring
the same network segments, make sure that you download and install VDB
updates and SEUs on a regular basis. This ensures that your Defense Center is
correctly setting the impact flag on the intrusion events generated by the traffic
on your network.
When automating VDB updates for your Defense Center, you must automate two
separate steps:
1. Downloading the VDB update.
2. Installing the VDB update.
When automating VDB updates for managed sensors with RNA, you must
schedule three tasks in this order:
1. Download the VDB update on your Defense Center.
2. Push the VDB update to your managed 3D Sensors that are using the RNA
component.
3. Install the VDB update on the Defense Center and on those managed
sensors.
Always allow enough time between tasks for the process to complete. For
example, if you schedule a task to install an update and the update has not fully
downloaded, the installation task will not succeed. However, if the scheduled
installation task repeats daily, it will install the downloaded VDB update when it
runs the next day.
Note that if you manually download an update to an appliance that cannot access
the Support site, you cannot schedule either pushes to managed sensors (on the
Defense Center) or installs (on any appliance). Instead you must manually push or
install the updates as described in Updating System Software on page 398.
If you want to have more control over this process, you can use the Once option
to download and install VDB updates during off-peak hours after you learn that an
update has been released.
See the following sections for more information:
• Automating VDB Update Downloads on page 438
• Automating VDB Update Pushes on page 440
• Automating VDB Update Installs on page 442
IMPORTANT! You cannot download the VDB using a scheduled task on a sensor.
You must download the VDB on the Defense Center and push it to the sensor.
TIP! The Current Time field indicates the current time on the appliance.
• For recurring tasks, you have several options for setting the interval
between instances of the task. See Configuring a Recurring Task on
page 426 for details.
5. In the Job Name field, type a name using up to 255 alphanumeric characters,
spaces, or dashes.
TIP! The comment field appears in the View Tasks section of the page, so
you should try to keep it relatively short.
8. Optionally, in the Email Status To: field, type the email address (or multiple
email addresses separated by commas) where you want status messages
sent.
IMPORTANT! You must have a valid email relay server configured to send
status messages. See Configuring a Mail Relay Host and Notification Address
on page 338 for more information about configuring a relay host.
9. Click Save.
The task is created.
WARNING! You must download vulnerability database updates before you can
push them to managed sensors.
TIP! The Current Time field indicates the current time on the appliance.
• For recurring tasks, you have several options for setting the interval
between instances of the task. See Configuring a Recurring Task on
page 426 for details.
5. In the Job Name field, type a name using up to 255 alphanumeric characters,
spaces, or dashes.
6. From the Sensor list, select the sensor that you want to receive updates.
7. In the Update Items section, make sure Vulnerability Database is selected.
Both the Software and Vulnerability Database options are selected by default.
8. Optionally, in the Comment field, type a comment using up to 255
alphanumeric characters, spaces, or periods.
TIP! The comment field appears in the View Tasks section of the page, so
you should try to keep it relatively short.
9. Optionally, in the Email Status To: field, type the email address (or multiple
email addresses separated by commas) where you want status messages
sent.
IMPORTANT! You must have a valid email relay server configured to send
status messages. See Configuring a Mail Relay Host and Notification Address
on page 338 for more information about configuring a relay host.
TIP! The Current Time field indicates the current time on the appliance.
• For recurring tasks, you have several options for setting the interval
between instances of the task. See Configuring a Recurring Task on
page 426 for details.
5. In the Job Name field, type a name using up to 255 alphanumeric characters,
spaces, or dashes.
6. From the Sensor list, you have the following options:
• If you want to install the update on a managed sensor, select the name
of the sensor from the drop-down list.
• If you want to install the update on the Defense Center, select the
name of the Defense Center from the drop-down list.
7. In the Update Items section, select Vulnerability Database to install the VDB
update.
8. Optionally, in the Comment field, type a comment using up to 255
alphanumeric characters, spaces, or periods.
TIP! The comment field appears in the View Tasks section of the page, so
you should try to keep it relatively short.
9. Optionally, in the Email Status To: field, type the email address (or multiple
email addresses separated by commas) where you want status messages
sent.
IMPORTANT! You must have a valid email relay server configured to send
status messages. See Configuring a Mail Relay Host and Notification Address
on page 338 for more information about configuring a relay host.
SEU to change the default state of a rule in your policy when the default state
changes in the default policy you used to create your policy (or in the default
policy it is based on). Note, however, that if you have changed the rule state, the
SEU will not override your change.
In addition to configuring SEU imports on the Scheduling page, you can also use
the recurring SEU import feature on the Import SEU page. For more information
on the recurring SEU import feature and a comparison of the two methods of
setting up recurring imports, see Importing SEUs and Rule Files in the Analyst
Guide. Note that you must be using Snort 2.8.2 or higher to import recurring
SEUs on the Import SEU page.
IMPORTANT! SEUs may contain new binaries. Make sure your process for
downloading and importing SEUs complies with your security policies. In
addition, SEUs can be quite large, so make sure you schedule downloads during
periods of low network use.
TIP! The Current Time field indicates the current time on the appliance.
• For recurring tasks, you have several options for setting the interval
between instances of the task. See Configuring a Recurring Task on
page 426 for details.
5. In the Job Name field, type a name using up to 255 alphanumeric characters,
spaces, or dashes.
6. To use this task to download the latest SEU, select Download the latest SEU
from the support site.
7. To use this task to install the latest downloaded SEU, select Install the latest
downloaded SEU.
8. To re-apply intrusion policies after installing an SEU, select Reapply intrusion
policies after the SEU import completes.
9. Optionally, in the Comment field, type a comment using up to 255
alphanumeric characters, spaces, or periods.
TIP! The comment field appears in the View Tasks section of the page, so
you should try to keep it relatively short.
10. Optionally, in the Email Status To: field, type the email address (or multiple
email addresses separated by commas) where you want status messages
sent.
IMPORTANT! You must have a valid email relay server configured to send
status messages. See Configuring a Mail Relay Host and Notification Address
on page 338 for more information about configuring a relay host.
TIP! The Current Time field indicates the current time on the appliance.
• For recurring tasks, you have several options for setting the interval
between instances of the task. See Configuring a Recurring Task on
page 426 for details.
5. In the Job Name field, type a name using up to 255 alphanumeric characters,
spaces, or dashes.
6. In the Policy Name field, select the intrusion policy you want to apply from the
drop-down list or select Policy Default to apply the policy to each detection
engine targeted in the policy.
7. In the Detection Engine field, select the detection engine where you want to
apply the policy.
TIP! The comment field appears in the View Tasks section of the page, so
you should try to keep it relatively short.
9. Optionally, in the Email Status To: field, type the email address (or multiple
email addresses separated by commas) where you want status messages
sent.
IMPORTANT! You must have a valid email relay server configured to send
status messages. See Configuring a Mail Relay Host and Notification Address
on page 338 for more information about configuring a relay host.
Automating Reports
Requires: IPS or DC/MDC
You can automate reports so that they run at regular intervals. However, you must
design a profile for your report before you can configure it as a scheduled task.
See Creating a Report Profile on page 246 for more information about using the
report designer to create a report profile.
To automate a report:
Access: Maint/Admin
1. Select Operations > Tools > Scheduling.
The Scheduling page appears.
2. Click Add Task.
The Add Task page appears.
TIP! The Current Time field indicates the current time on the appliance.
• For recurring tasks, you have several options for setting the interval
between instances of the task. See Configuring a Recurring Task on
page 426 for details.
5. In the Job Name field, type a name using up to 255 alphanumeric characters,
spaces, or dashes.
6. In the Report Profile field, select the report profile that you want to use from
the drop-down list.
7. Requires: DC If you want to run the report on a managed sensor, in the Remote
Run field, select the name of the sensor from the drop-down list.
8. Optionally, in the Comment field, type a comment using up to 255
alphanumeric characters, spaces, or periods.
TIP! The comment field appears in the View Tasks section of the page, so
you should try to keep it relatively short.
9. Optionally, in the Email Status To: field, type the email address (or multiple
email addresses separated by commas) where you want status messages
sent.
IMPORTANT! You must have a valid email relay server configured to send
status messages. See Configuring a Mail Relay Host and Notification Address
on page 338 for more information about configuring a relay host.
IMPORTANT! Make note of the name of the scan instance you create. You
need to select this name when prompted for the Nessus Remediation name
when setting up the scheduled scan.
3. Create a scan target to define the target hosts and host ports to scan.
For more information on setting up a scan target, see Creating a Nessus Scan
Target on page 645.
4. Create a remediation definition to define what plugins and Nessus scan
settings should be used when the scheduled scan runs.
For more information on setting up a remediation definition, see Creating a
Nessus Remediation on page 646.
5. Continue with Scheduling a Nessus Scan.
TIP! The Current Time field indicates the current time on the appliance.
• For recurring tasks, you have several options for setting the interval
between instances of the task. See Configuring a Recurring Task on
page 426 for details.
5. In the Job Name field, type a name using up to 255 alphanumeric characters,
spaces, or dashes.
6. In the Nessus Remediation field, select the Nessus remediation for the Nessus
server where you want to run the scan.
7. In the Nessus Target field, select the scan target that defines the target hosts
you want to scan.
8. Optionally, in the Comment field, type a comment using up to 255
alphanumeric characters, spaces, or periods.
TIP! The comment field appears in the View Tasks section of the page, so
you should try to keep it relatively short.
9. Optionally, in the Email Status To: field, type the email address (or multiple
email addresses separated by commas) where you want status messages
sent.
IMPORTANT! You must have a valid email relay server configured to send
status messages. See Configuring a Mail Relay Host and Notification Address
on page 338 for more information about configuring a relay host.
TIP! The comment field appears in the View Tasks section of the page, so
you should try to keep it relatively short.
8. Optionally, in the Email Status To: field, type the email address (or multiple
email addresses separated by commas) where you want status messages
sent.
IMPORTANT! You must have a valid email relay server configured to send
status messages. See Configuring a Mail Relay Host and Notification Address
on page 338 for more information about configuring a relay host.
9. Click Save.
The task is created.
IMPORTANT! Make note of the name of the scan instance you create. You
need to select this name when prompted for the Nmap Configuration name
when setting up the scheduled scan.
2. Create a scan target to define the target hosts and host ports to scan.
For more information on setting up a scan target, see Creating an Nmap Scan
Target in the Analyst Guide.
TIP! The Current Time field indicates the current time on the appliance.
• For recurring tasks, you have several options for setting the interval
between instances of the task. See Configuring a Recurring Task on
page 426 for details.
5. In the Job Name field, type a name using up to 255 alphanumeric characters,
spaces, or dashes.
6. In the Nmap Remediation field, select the Nmap remediation to use when
running the scan.
7. In the Nmap Target field, select the scan target that defines the target hosts
you want to scan.
8. Optionally, in the Comment field, type a comment using up to 255
alphanumeric characters, spaces, or periods.
TIP! The comment field appears in the View Tasks section of the page, so
you should try to keep it relatively short.
9. Optionally, in the Email Status To: field, type the email address (or multiple
email addresses separated by commas) where you want status messages
sent.
IMPORTANT! You must have a valid email relay server configured to send
status messages. See Configuring a Mail Relay Host and Notification Address
on page 338 for more information about configuring a relay host.
You can automatically generate rule state recommendations based on RNA data
for your network using the most recently saved configuration settings in your
custom intrusion policy.
When the task runs, the system automatically generates recommended rule
states. Optionally, depending on the configuration of your policy, it also modifies
the states of intrusion rules based on the criteria described in Managing RNA
Rule State Recommendations in the Analyst Guide. Modified rule states take
effect the next time you apply your intrusion policy. See Using RNA
Recommendations in the Analyst Guide for more information.
To generate recommendations:
Access: Maint/Admin 1. Select Operations > Tools > Scheduling.
The Scheduling page appears.
2. Click Add Task.
The Add Task page appears.
3. From the Job Type list, select RNA Recommended Rules.
The page reloads to show the options for generating RNA-recommended rule
states.
4. Optionally, click the policies link in the Job Type field to display the Detection &
Prevention page, where you can configure RNA Recommended Rules in a
policy. See Managing RNA Rule State Recommendations in the Analyst
Guide for more information.
TIP! The Current Time field indicates the current time on the appliance.
• For recurring tasks, you have several options for setting the interval
between instances of the task. See Configuring a Recurring Task on
page 426 for details.
6. In the Job Name field, type a name using up to 255 alphanumeric characters,
spaces, or dashes.
7. Next to Policies, select one or more policies where you want to generate
recommendations. You have the following options:
• In the Policies field, select one or more policies. Use the Shift and Ctrl
keys to select multiple policies.
• Click the All Policies check box to select all policies.
8. Optionally, in the Comment field, type a comment using up to 255
alphanumeric characters, spaces, or periods.
TIP! The comment field appears in the View Tasks section of the page, so
you should try to keep it relatively short.
9. Optionally, in the Email Status To: field, type the email address (or multiple
email addresses separated by commas) where you want status messages
sent.
IMPORTANT! You must have a valid email relay server configured to send
status messages. See Configuring a Mail Relay Host and Notification Address
on page 338 for more information about configuring a relay host.
Viewing Tasks
After adding scheduled tasks, you can view them and evaluate their status. The
View Options section of the page allows you to view scheduled tasks using a
calendar and a list of scheduled tasks.
2. You can perform the following tasks using the calendar view:
• Click << to move back one year.
• Click < to move back one month.
IMPORTANT! For more information about using the task list, see Using the
Task List on page 460.
Column Description
Creator Displays the name of the user that created the scheduled task.
To delete a single task or, if it has already run, delete a task record:
Access: Maint/Admin 1. Select Operations > Tools > Scheduling.
The Scheduling page appears.
2. Click the task that you want to delete or the day on which the task appears.
A table containing the selected task or tasks appears.
3. Locate the task you want to delete in the table and click Delete.
The instance of the task you selected is deleted.
The Sourcefire 3D System provides many useful monitoring features to assist you
in the daily administration of your system, all on a single page. For example, on
the Host Statistics page you can monitor basic host statistics, intrusion event
information, and statistics for the Data Correlator and RNA processes for the
current day. You can also monitor both summary and detailed information on all
processes that are currently running on the Defense Center or 3D Sensor. The
following sections provide more information about the monitoring features that
the system provides:
• Viewing Host Statistics on page 464 describes how to view host
information such as:
• system uptime
• disk and memory usage
• RNA process statistics
• Data Correlator statistics
• system processes
• intrusion event information
On the Defense Center, you can also use the health monitor to monitor disk
usage and alert on low disk space conditions. For more information, see
Understanding Health Monitoring on page 483.
• Monitoring System Status and Disk Space Usage on page 468 describes
how to view basic event and disk partition information.
• Viewing System Process Status on page 468 describes how to view basic
process status.
• Understanding Running Processes on page 471 describes the basic system
processes that run on the appliance.
• Viewing IPS Performance Statistics on page 476 describes how to view IPS
performance statistics and how to generate graphs based on these
statistics.
• Viewing RNA Performance Statistics on page 478 describes how to view
RNA performance statistics and how to generate graphs based on these
statistics.
Host Statistics
Category Description
Load Average The average number of processes in the CPU queue for
the past 1 minute, 5 minutes, and 15 minutes.
Disk Usage The percentage of the disk that is being used. Click the
arrow to view more detailed host statistics. See
Monitoring System Status and Disk Space Usage on
page 468 for more information.
Category Description
CPU Usage - User (%) Average percentage of CPU time spent on user
processes for the current day
The RNA Process Statistics table describes the statistics displayed for the RNA
process.
Category Description
CPU Usage - User (%) Average percentage of CPU time spent by user
processes for the current day
On 3D Sensors with IPS and on Defense Centers that manage sensors with IPS,
you can also view the time and date of the last intrusion event, the total number
of events that have occurred in the past hour and the past day, and the total
number in the database.
The information in the Intrusion Event Information section of the Statistics page is
based on intrusion events stored on the sensor rather than those sent to the
Defense Center. If you manage your sensor so that intrusion events are not
stored locally, no intrusion event information is listed on this page. This is also the
case for 3D Sensors that cannot store events locally.
The Intrusion Event Information table describes the statistics displayed in the
Intrusion Event Information section of the Statistics page.
Statistic Description
Last Alert Was The date and time that the last event occurred
Total Events Last Hour The total number of events that occurred in the
past hour
Total Events Last Day The total number of events that occurred in the
past twenty-four hours
2. On the Defense Center, you can also list statistics for managed sensors.
Select one or more sensors from the Select Device(s) box and click Select
Devices. You can use the Shift and Ctrl keys to select multiple devices at once.
The Statistics page is updated with statistics for the devices that you
selected.
TIP! On the Defense Center you can also use the health monitor to monitor disk
usage and alert on low disk space conditions. For more information, see
Understanding Health Monitoring on page 483.
On the Defense Center, to view disk usage information for a specific sensor:
Access: Maint/Admin 1. Select the sensor name from the Select Device(s) box, and click Select Devices.
The page reloads, listing host statistics for each sensor you selected.
2. Click the down arrow next to Disk Usage to expand it.
The Disk Usage section expands.
The Process Status table describes each column that appears in the process list.
Process Status
Column Description
Nice The nice value, which is a value that indicates the scheduling
priority of a process. Values range between -20 (highest priority)
and 19 (lowest priority)
Size The memory size used by the process (in kilobytes, unless the
value is followed by m, which indicates megabytes)
2. On the Defense Center, select the device or devices you want to view
process statistics for and click Select Devices.
3. Click the down arrow next to Processes.
The process list expands, listing general process status that includes the
number and types of running tasks, the current time, the current system
uptime, the system load average, CPU, memory, and swap information, and
specific information about each running process.
IMPORTANT! For more information about the types of processes that run on
the appliance, see Understanding Running Processes on page 471.
System Daemons
Daemon Description
httpsd Manages the HTTPS (Apache web server with SSL) service, and checks for
working SSL and valid certificate authentication; runs in the background to
provide secure web access to the appliance
kupdated Manages the Linux kernel update process, which performs disk
synchronization
safe_mysqld Manages safe mode operation of the database; restarts the database daemon
if an error occurs and logs runtime information to a file
sfestreamer (Defense Center only) Manages connections to third-party client
applications that use the Event Streamer
sfmgr Provides the RPC service for remotely managing and configuring an appliance
using an sftunnel connection to the appliance
sfreactd Manages Check Point OPSEC integration; only seen if Checkpoint SAM
support is enabled
sfmbservice (requires IPS) Provides access to the sfmb message broker process
running on a remote appliance, using an sftunnel connection to the appliance.
Currently used only by health monitoring to send health events and alerts from
a 3D Sensor to a Defense Center or, in a high availability environment, between
Defense Centers
sftroughd Listens for connections on incoming sockets and then invokes the correct
executable (typically the Sourcefire message broker, sfmb) to handle the
request
sftunnel Provides the secure communication channel for all processes requiring
communication with a remote appliance
sshd Manages the Secure Shell (SSH) process; runs in the background to provide
SSH access to the appliance
Executable Description
egrep Utility that searches files and folders for specified input;
supports extended set of regular expressions not
supported in standard grep
grep Utility that searches files and directories for specified input
killall Utility that can be used to end all sessions and processes
md5sum Utility that prints checksums and block counts for specified
files
IPS performance statistics refer only to the data stored locally on the 3D Sensor.
New data is accumulated for statistics graphs every five minutes. Therefore, if
you reload a graph quickly, the data may not change until the next five-minute
increment occurs.
The IPS Performance Statistics Graph Types table lists the available graph types.
2. From the Select Device list, select the detection engines whose data you want
to view.
3. From the Select Graph(s) list, select the type of graph you want to create.
4. From the Select Time Range list, select the time range you would like to use for
the graph.
You can choose from last hour, last day, last week, or last month.
5. Click Graph.
The graph appears, displaying the information you specified.
2. From the Select Target list, select the Defense Center, the managed
3D Sensors, or the detection engines that you want to include.
Depending on whether you select a detection engine or a sensor, the Select
Graph(s) list adjusts to display the available graphs.
3. From the Select Graph(s) list, select the type of graph you want to create.
TIP! You can select multiple graphs by holding down the Ctrl or Shift keys
while clicking on the graph type.
4. From the Select Time Range list, select the time range you would like to use for
the graph.
You can choose from last hour, last day, last week, or last month.
5. Click Graph.
The graph appears, displaying the information you specified. If you selected
multiple graphs, each graph appears on the page.
The health monitor provides numerous tests for determining the health of an
appliance from the Defense Center. You can use the health monitor to create a
collection of tests, referred to as a health policy, and apply the health policy to one
or more appliances. You can create one health policy for every appliance in your
system, customize a health policy for the specific appliance where you plan to
apply it, or use one of the default health policies. You can also import a health
policy exported from another Defense Center.
The tests, referred to as health modules, are scripts that test for criteria you
specify. You can modify a health policy by enabling or disabling tests or by
changing test settings, and you can delete health policies that you no longer need.
You can also suppress messages from selected appliances by blacklisting them.
The tests in a health policy run automatically at the interval you configure. You can
also run all tests or a specific test on demand. The health monitor collects health
events based on the test conditions configured. Optionally, you can also configure
email, SNMP, or syslog alerting in response to health events.
At the Defense Center, you can view health status information for the entire
system or for a particular appliance. Fully customizable event views allow you to
quickly and easily analyze the health status events gathered by the health
monitor. These event views allow you to search and view event data and to
access other information that may be related to the events you are investigating.
You can also generate troubleshooting files for an appliance if you are asked to do
so by Support.
See the following sections for more information:
• Understanding Health Monitoring on page 483
• Configuring Health Policies on page 489
You can use the health monitor to access health status information for the entire
system or for a particular appliance. The Health Monitor page provides a visual
summary of the status of all appliances on your system. Individual appliance
health monitors let you drill down into health details for a specific appliance.
You can also view health events in the standard Sourcefire 3D System table view.
From an individual appliance’s health monitor, you can open a table view of
occurrences of a specific event, or you can retrieve all the health events for that
appliance. You can also search for specific health events. For example, if you want
to see all the occurrences of CPU usage with a certain percentage, you can
search for the CPU usage module and enter the percentage value.
You can also configure email, SNMP, or syslog alerting in response to health
events. A health alert is an association between a standard alert and a health
status level. For example, if you need to make sure an appliance never fails due to
hardware overload, you can set up an email alert. You can then create a health
alert that triggers that email alert whenever CPU, disk, or memory usage reaches
the Warning level you configure in the health policy applied to that appliance. You
can set alerting thresholds to minimize the number of repeating alerts you
receive.
For more information on health policies and the health modules you can run to
test system health, see the following topics:
• Understanding Health Policies on page 484
• Understanding Health Modules on page 485
• Understanding Health Monitoring Configuration on page 489
Health Modules
Module Description
Appliance Heartbeat This module determines if an appliance heartbeat is being heard from the
sensor and alerts based on the sensor heartbeat status.
Automatic Application Bypass Status This module determines if a detection
engine has been bypassed because it did not respond within the number of
seconds set in the bypass threshold, and alerts when a bypass occurs.
CPU Temperature This module determines if the CPU on the sensor is overheated and alerts
when the temperature exceeds temperatures configured for the module. This
module only runs on 3Dx800 sensors.
CPU Usage This module checks that the CPU on the appliance is not overloaded and alerts
when CPU usage exceeds the percentages configured for the module.
Card Reset This module checks for network cards which have restarted due to hardware
failure and alerts when a reset occurs.
Data Correlator Process This module determines if the Data Correlator process
(SFDataCorrelator) is restarting too often, which may indicate a problem with
the process, and alerts when the number of restarts exceeds limits configured
for the module.
The restart counter does not count actual restarts. The module checks if any
restarts occurred during the period between tests. Even if multiple restarts
occur between tests, the module only increments the restart counter by one
each time it checks. If any restarts occur, the module adds one to the restart
count. The first time the module checks and no restarts have occurred since
the last test, the module resets the counter to zero. The alert level also lowers
by one level (for example, Critical is reduced to Warning or Warning is reduced
to Normal). The second time the module checks and no restarts have occurred
since the last test, the alert level resets to Normal.
If the module finds that the process is not running at all, it increments the
restart counter by one, but sets the module status to Critical for that test,
regardless of the limits set for the module. The status remains Critical until the
module finds that the process is running. At that point, the module sets status
according to the restart counter value and the configured limits for the
module.
For more information on system daemons such as SFDataCorrelator, see
Understanding System Daemons on page 471.
Defense Center Status This module ensures that there are heartbeats from
connected Defense Centers and alerts based on the Defense Center status.
This module only runs on Master Defense Centers.
Disk Usage This module compares disk usage on the appliance to the limits configured for
the module and alerts when usage exceeds the percentages configured for
the module.
eStreamer Process This module determines if the eStreamer process is restarting too often,
which may indicate a problem with the process, and alerts when the number
of restarts exceeds limits configured for the module.
The restart counter does not count actual restarts. The module checks if any
restarts occurred during the period between tests. Even if multiple restarts
occur between tests, the module only increments the restart counter by one
each time it checks. If any restarts occur, the module adds one to the restart
count. The first time the module checks and no restarts have occurred since
the last test, the module resets the counter to zero. The alert level also lowers
by one level (for example, Critical is reduced to Warning or Warning is reduced
to Normal). The second time the module checks and no restarts have occurred
since the last test, the alert level resets to Normal.
If the module finds that the process is not running at all, it increments the
restart counter by one, but sets the module status to Critical for that test,
regardless of the limits set for the module. The status remains Critical until the
module finds that the process is running. At that point, the module sets status
according to the restart counter value and the configured limits for the
module.
This module only runs on Defense Centers.
Event Stream Status This module compares the number of events per second to the limits
configured for this module and alerts if the limits are exceeded. If the Event
Stream is zero, the eStreamer process may be down or the Defense Center
may not be sending events.
This module only runs on Master Defense Centers.
Fan Alarm This module determines if fans need to be replaced on the sensor and alerts
based on the fan status. This module only runs on 3Dx800 sensors.
Health Monitor Process This module monitors the status of the health monitor
itself and alerts if the number of minutes since the last health event received
by the Defense Center exceeds the Warning or Critical limits.
This module only runs on Defense Centers.
IPS Event Rate This module compares the number of intrusion events per second to the limits
configured for this module and alerts if the limits are exceeded. If the IPS
Event Rate is zero, the IPS process may be down or the 3D Sensor may not be
sending events. Select Analysis & Reporting > Event Summary > Intrusion Event
Statistics to check if events are being received from the sensor.
IPS Process This module determines if the IPS process (snort) has been restarting too
often, which may indicate a problem with the process, and alerts when the
number of restarts exceeds the limits configured for the module. The IPS
process (also known as snort) is the packet decoder on a 3D Sensor that is
licensed for the IPS component. If the IPS process is down or has been
restarting, the IPS Event Rate results may be inaccurate.
The restart counter does not indicate the number of restarts. Instead, the
module checks if any restarts occurred during the period between tests. Even
if multiple restarts occur between tests, the module only increments the
restart counter by one each time it checks. If any restarts occur, the module
adds one to the restart count. The first time the module checks and no restarts
have occurred since the last test, the module resets the counter to zero. The
alert level also lowers by one level (for example, Critical is reduced to Warning
or Warning is reduced to Normal). The second time the module checks and no
restarts have occurred since the last test, the alert level resets to Normal.
If the module finds that the process is not running at all, it increments the
restart counter by one, but sets the module status to Critical for that test,
regardless of the limits set for the module. The status remains Critical until the
module finds that the process is running. At that point, the module sets status
according to the restart counter value and the configured limits for the
module.
Link State Propagation This module determines when a link in a paired inline
interface set fails and triggers the link state propagation mode.
MDC Event Service This module monitors the health of the internal eStreamer process used to
transmit events to the Master Defense Center from the Defense Center.
Memory Usage This module compares memory usage on the appliance to the limits
configured for the module and alerts when usage exceeds the levels
configured for the module.
PEP Status This module monitors the application of PEP rules to interface sets
on a 3D9900. If PEP rules cannot be applied to interfaces in an interface set,
the module generates an alert.
Power Supply This module determines if power supplies on the sensor require replacement
and alerts based on the power supply status. This module only runs on the
Series 2 DC3000, MDC3000, 3Dx800, 3D9900, 3D3500, 3D4500, and
3D6500 appliances.
RNA Event Status This module indicates whether a specified period of time has passed since any
RNA events have been detected by a sensor.
RNA Host License Limit This module determines if sufficient RNA host licenses
remain and alerts based on the warning level configured for the module.
RNA Process This module determines if the RNA process (rna) is restarting too often, which
may indicate a problem with the process, and alerts based on the number of
restarts configured for the module.
The restart counter does not count actual restarts. The module checks if any
restarts occurred during the period between tests. Even if multiple restarts
occur between tests, the module only increments the restart counter by one
each time it checks. If any restarts occur, the module adds one to the restart
count. The first time the module checks and no restarts have occurred since
the last test, the module resets the counter to zero. The alert level also lowers
by one level (for example, Critical is reduced to Warning or Warning is reduced
to Normal). The second time the module checks and no restarts have occurred
since the last test, the alert level resets to Normal.
If the module finds that the process is not running at all, it increments the
restart counter by one, but sets the module status to Critical for that test,
regardless of the limits set for the module. The status remains Critical until the
module finds that the process is running. At that point, the module sets status
according to the restart counter value and the configured limits for the
module.
Time Synchronization Status This module tracks the synchronization of a sensor
clock that obtains time using NTP with the clock on the NTP server and alerts
if the difference in the clocks is more than ten seconds.
Traffic Status This module determines if the sensor currently collects traffic and alerts based
on the traffic status.
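The restart-counter and alert-level behaviour described for the Data Correlator, eStreamer, IPS Process and RNA Process modules is the same state machine in each row. The following added example (not Sourcefire code) simulates that behaviour so an administrator can see why a module's status steps Critical, Warning, Normal after restarts stop; the Warning and Critical limits and the `SFDataCorrelator` scenario are assumed values, and treating the restart that brings a stopped process back as one counted restart is an interpretation of the text.

```python
"""Simulation of the process health module restart counter (added example,
not Sourcefire code). Limits are assumed; the guide leaves them to the policy."""

NORMAL, WARNING, CRITICAL = "Normal", "Warning", "Critical"
LEVELS = [NORMAL, WARNING, CRITICAL]


class ProcessHealthModule:
    """One process health module as described in the Health Modules table."""

    def __init__(self, process, warning_limit, critical_limit):
        self.process = process
        self.warning_limit = warning_limit    # assumed policy setting
        self.critical_limit = critical_limit  # assumed policy setting
        self.restart_count = 0
        self.status = NORMAL
        self.quiet_checks = 0   # consecutive tests with no restart observed
        self.down = False       # last test found the process not running

    def _status_from_counter(self):
        """Map the restart counter onto the configured limits."""
        if self.restart_count >= self.critical_limit:
            return CRITICAL
        if self.restart_count >= self.warning_limit:
            return WARNING
        return NORMAL

    def check(self, running, restarted_since_last_test):
        """Run one test interval and return the status reported for it."""
        if not running:
            # Process not running: the counter goes up by one and the status
            # is Critical regardless of the limits until it is seen running.
            self.restart_count += 1
            self.quiet_checks = 0
            self.down = True
            self.status = CRITICAL
            return self.status

        if self.down:
            # Running again: status now comes from the counter and limits.
            # Interpretation: the restart that brought it back counts once.
            self.down = False
            if restarted_since_last_test:
                self.restart_count += 1
            self.quiet_checks = 0
            self.status = self._status_from_counter()
            return self.status

        if restarted_since_last_test:
            # Any number of restarts between tests adds exactly one.
            self.restart_count += 1
            self.quiet_checks = 0
            self.status = self._status_from_counter()
            return self.status

        # No restarts since the last test.
        self.quiet_checks += 1
        if self.quiet_checks == 1:
            # First quiet test: counter resets, alert level drops one step.
            self.restart_count = 0
            self.status = LEVELS[max(0, LEVELS.index(self.status) - 1)]
        else:
            # Second consecutive quiet test: back to Normal.
            self.status = NORMAL
        return self.status


def simulate(module, observations):
    """Feed (running, restarted) observations in order; return the statuses."""
    return [module.check(running, restarted) for running, restarted in observations]


if __name__ == "__main__":
    # Constructed scenario: three restarts, two quiet intervals, a crash, recovery.
    sfdc = ProcessHealthModule("SFDataCorrelator", warning_limit=2, critical_limit=3)
    scenario = [(True, True), (True, True), (True, True),
                (True, False), (True, False), (False, False), (True, True)]
    for (running, restarted), status in zip(scenario, simulate(sfdc, scenario)):
        print(f"running={running!s:5} restarted={restarted!s:5} -> {status}")
```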
TIP! If you want to quickly enable health monitoring without customizing the
monitoring behavior, you can apply one of the default policies provided for
that purpose.
When you configure a health policy, you decide whether to enable each health
module for that policy. You also select the criteria that control which health status
each enabled module reports each time it assesses the health of a process.
For more information on the default health policy, which is applied to the Defense
Center and Master Defense Center automatically, see Default Health Policy on
page 493.
For more information, see the following topics:
• Predefined Health Policies on page 490
• Creating Health Policies on page 497
• Applying Health Policies on page 528
• Editing Health Policies on page 530
• Deleting Health Policies on page 533
IMPORTANT! You cannot apply a health policy to RNA Software for Red Hat
Linux or Crossbeam-based software sensors.
IPS Event Rate Configuring IPS Event Rate Monitoring on page 515
be used instead of the Power Supply module to monitor power supply health on
the 3Dx800 sensor models.
sensor models. CPU usage for a 3D9900 may reach 100% during normal sensor
operation, so the data provided by the module would generate misleading events.
RNA Host License Limit Configuring RNA Host Usage Monitoring on page 524
Use the Default Health Policy to monitor health on a Master Defense Center.
Enabled health modules for this policy are listed in the Enabled MDC Health
Modules - Default Health Policy table.
Alarm module should be used instead of the Power Supply module to monitor
power supply health on the 3Dx800 sensor models.
this policy are listed in the Enabled Health Modules: Default RNA Sensor Health
Policy table.
TIP! Instead of creating a new policy, you can export a health policy from another
Defense Center and then import it onto your Defense Center. You can then edit
the imported policy to suit your needs before you apply it. For more information,
see Importing and Exporting Objects on page 583.
4. Select the existing policy that you want to use as the basis for the new policy
from the Copy Policy drop-down list.
5. Enter a name for the policy.
6. Enter a description for the policy.
8. Configure settings on each module you want to use to test the health status
of your appliances, as described in the following sections:
• Configuring Policy Run Time Intervals on page 500
• Configuring Appliance Heartbeat Monitoring on page 501
• Configuring Automatic Application Bypass Monitoring on page 502
• Configuring CPU Temperature Monitoring on page 503
• Configuring CPU Usage Monitoring on page 504
• Configuring Card Reset Monitoring on page 505
• Configuring Data Correlator Process Monitoring on page 506
• Configuring Defense Center Status on page 507
• Configuring Disk Usage Monitoring on page 508
• Configuring eStreamer Process Monitoring on page 509
• Configuring Event Stream Monitoring on page 511
• Configuring Fan Monitoring on page 512
IMPORTANT! Make sure you enable each module that you want to run to
test the health status on each Health Policy Configuration page as you
configure the settings. Disabled modules do not produce health status
feedback, even if the policy that contains the module has been applied to an
appliance.
2. In the Run Interval (mins) field, enter the time in minutes that you want to
elapse between automatic repetitions of the test.
3. You have three options:
• To save your changes to this module and return to the Health Policy
page, click Save Policy and Exit.
• To return to the Health Policy page without saving any of your settings
for this module, click Cancel.
• To temporarily save your changes to this module and switch to another
module’s settings to modify, select the other module from the list at the
left of the page. If you click Save Policy and Exit when you are done, all
changes you made will be saved; if you click Cancel, you discard all
changes.
You must apply the health policy to the appropriate appliances if you want
your settings to take effect. See Applying Health Policies on page 528 for
more information.
2. Select On for the Enabled option to enable use of the module for health status
testing.
WARNING! Sourcefire recommends that you do not set the Critical limit higher
than 65 degrees Celsius and that you do not set the Warning limit higher than 55
degrees Celsius.
2. Select On for the Enabled option to enable use of the module for health status
testing.
3. In the Critical Threshold Celsius field, enter the number of degrees, in Celsius,
that should trigger a critical health status.
4. In the Warning Threshold Celsius field, enter the number of degrees, in Celsius,
that should trigger a warning health status.
5. You have three options:
• To save your changes to this module and return to the Health Policy
page, click Save Policy and Exit.
• To return to the Health Policy page without saving any of your settings
for this module, click Cancel.
• To temporarily save your changes to this module and switch to another
module’s settings to modify, select the other module from the list at the
left of the page. If you click Save Policy and Exit when you are done, all
changes you made will be saved; if you click Cancel, you discard all
changes.
You must apply the health policy to the appropriate sensors if you want your
settings to take effect. See Applying Health Policies on page 528 for more
information.
2. Select On for the Enabled option to enable use of the module for health status
testing.
3. In the Critical Threshold % field, enter the percentage of CPU usage that
should trigger a critical health status.
4. In the Warning Threshold % field, enter the percentage of CPU usage that
should trigger a warning health status.
5. You have three options:
• To save your changes to this module and return to the Health Policy
page, click Save Policy and Exit.
• To return to the Health Policy page without saving any of your settings
for this module, click Cancel.
• To temporarily save your changes to this module and switch to another
module’s settings to modify, select the other module from the list at the
left of the page. If you click Save Policy and Exit when you are done, all
changes you made will be saved; if you click Cancel, you discard all
changes.
You must apply the health policy to the appropriate appliances if you want
your settings to take effect. See Applying Health Policies on page 528 for
more information.
2. Select On for the Enabled option to enable use of the module for health status
testing.
3. You have three options:
• To save your changes to this module and return to the Health Policy
page, click Save Policy and Exit.
• To return to the Health Policy page without saving any of your settings
for this module, click Cancel.
• To temporarily save your changes to this module and switch to another
module’s settings to modify, select the other module from the list at the
left of the page. If you click Save Policy and Exit when you are done, all
changes you made will be saved; if you click Cancel, you discard all
changes.
You must apply the health policy to the appropriate Defense Center if you
want your settings to take effect. See Applying Health Policies on page 528
for more information.
The maximum number of restarts you can set for either limit is 100, and the
Critical limit must be higher than the Warning limit.
2. Select On for the Enabled option to enable use of the module for health status
testing.
3. In the Critical Number of restarts field, enter the number of process restarts
that should trigger a critical health status.
4. In the Warning Number of restarts field, enter the number of process restarts
that should trigger a warning health status.
5. You have three options:
• To save your changes to this module and return to the Health Policy
page, click Save Policy and Exit.
• To return to the Health Policy page without saving any of your settings
for this module, click Cancel.
• To temporarily save your changes to this module and switch to another
module’s settings to modify, select the other module from the list at the
left of the page. If you click Save Policy and Exit when you are done, all
changes you made will be saved; if you click Cancel, you discard all
changes.
You must apply the health policy to the appropriate appliances if you want
your settings to take effect. See Applying Health Policies on page 528 for
more information.
2. Select On for the Enabled option to enable use of the module for health status
testing.
3. You have three options:
• To save your changes to this module and return to the Health Policy
page, click Save Policy and Exit.
• To return to the Health Policy page without saving any of your settings
for this module, click Cancel.
• To temporarily save your changes to this module and switch to another
module’s settings to modify, select the other module from the list at the
left of the page. If you click Save Policy and Exit when you are done, all
changes you made will be saved; if you click Cancel, you discard all
changes.
You must apply the health policy to the appropriate Defense Center if you
want your settings to take effect. See Applying Health Policies on page 528
for more information.
IMPORTANT! Although the disk usage module lists the /boot partition as a
monitored partition, the size of the partition is static so the module does not alert
on the boot partition.
If the disk usage on the monitored appliance exceeds the Warning limit, the
status classification for that module changes to Warning. If the disk usage on the
monitored appliance exceeds the Critical limit, the status classification for that
module changes to Critical. That status data feeds into the health monitor.
The maximum percentage you can set for either limit is 100 percent, and the
Critical limit must be higher than the Warning limit.
2. Select On for the Enabled option to enable use of the module for health status
testing.
3. In the Critical Threshold % field, enter the percentage of disk usage that should
trigger a critical health status.
4. In the Warning Threshold % field, enter the percentage of disk usage that
should trigger a warning health status.
5. You have three options:
• To save your changes to this module and return to the Health Policy
page, click Save Policy and Exit.
• To return to the Health Policy page without saving any of your settings
for this module, click Cancel.
• To temporarily save your changes to this module and switch to another
module’s settings to modify, select the other module from the list at the
left of the page. If you click Save Policy and Exit when you are done, all
changes you made will be saved; if you click Cancel, you discard all
changes.
You must apply the health policy to the appropriate appliances if you want
your settings to take effect. See Applying Health Policies on page 528 for
more information.
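The disk usage module described above compares each monitored partition against the Warning and Critical percentages, never alerts on /boot, and requires both limits to be at most 100 with Critical above Warning. The following Python is an added illustration of that evaluation, not code from the Sourcefire 3D System; the `df -P` style sample, the function names and the choice to report the worst partition as the module status are assumptions made for the example.

```python
# Added example: evaluate disk usage the way the guide describes the
# Disk Usage health module. This is illustrative code, not Sourcefire's.

# Constructed sample in the shape of `df -P` output (not from a real appliance).
SAMPLE_DF = """\
Filesystem     1024-blocks      Used Available Capacity Mounted on
/dev/sda1           253871    210122     30645      88% /boot
/dev/sda2         41284928  37982116   1205640      97% /
/dev/sda3        412849280 298123456  93735104     77% /var/sf
"""

SEVERITY_ORDER = {"Normal": 0, "Warning": 1, "Critical": 2}


def validate_limits(warning, critical):
    """Enforce the constraints stated in the guide: both limits are
    percentages (maximum 100) and the Critical limit must be higher
    than the Warning limit."""
    for name, value in (("Warning", warning), ("Critical", critical)):
        if not 0 <= value <= 100:
            raise ValueError("%s limit must be between 0 and 100 percent" % name)
    if critical <= warning:
        raise ValueError("Critical limit must be higher than the Warning limit")


def parse_df(text):
    """Return {mount_point: used_percent} from df -P style output."""
    usage = {}
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 6:
            continue
        usage[fields[5]] = int(fields[4].rstrip("%"))
    return usage


def classify(used_pct, warning, critical):
    """'Exceeds' in the guide is read as strictly greater than the limit."""
    if used_pct > critical:
        return "Critical"
    if used_pct > warning:
        return "Warning"
    return "Normal"


def evaluate_disk_usage(df_text, warning, critical):
    """Return (module_status, per_partition_status).

    /boot is listed but not evaluated because its size is static, so it
    never contributes to the module status. The module status is the worst
    status among the evaluated partitions (an assumption of this example).
    """
    validate_limits(warning, critical)
    per_partition = {}
    for mount, pct in parse_df(df_text).items():
        if mount == "/boot":
            per_partition[mount] = "Not evaluated"
            continue
        per_partition[mount] = classify(pct, warning, critical)
    evaluated = [s for s in per_partition.values() if s in SEVERITY_ORDER]
    module_status = max(evaluated, key=SEVERITY_ORDER.__getitem__) if evaluated else "Normal"
    return module_status, per_partition


if __name__ == "__main__":
    status, detail = evaluate_disk_usage(SAMPLE_DF, warning=80, critical=90)
    print(status, detail)
```

With the sample above and limits of 80/90, the root partition at 97 percent drives the module to Critical while /boot at 88 percent is ignored; raising the Critical limit to 98 turns the same data into a Warning.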
The first time the module checks and no restarts have occurred since the last
test, the module resets the counter to zero. The alert level also lowers by one
level (for example, Critical is reduced to Warning or Warning is reduced to
Normal). The second time the module checks and no restarts have occurred since
the last test, the alert level resets to Normal.
If the module finds that the process is not running at all, it increments the restart
counter by one, but sets the module status to Critical for that test, regardless of
the limits set for the module. The status remains Critical until the module finds
that the process is running. At that point, the module sets status according to the
restart counter value and the configured limits for the module.
If the module checks the eStreamer process as many times as configured in the
Warning Number of restarts limit, and each time one or more restarts have
occurred, the status classification for that module changes to Warning. If the
module checks the eStreamer process as many times as configured in the Critical
Number of restarts limit, and each time one or more restarts have occurred, the
status classification for that module changes to Critical. That status data feeds
into the health monitor.
The maximum number of restarts you can set for either limit is 100, and the
Critical limit must be higher than the Warning limit.
2. Select On for the Enabled option to enable use of the module for health status
testing.
3. In the Critical Number of restarts field, enter the number of process restarts
that should trigger a critical health status.
4. In the Warning Number of restarts field, enter the number of process restarts
that should trigger a warning health status.
2. Select On for the Enabled option to enable use of the module for health status
testing.
3. In the Critical Seconds since last event field, enter the maximum number of
seconds to wait between events, before triggering a critical health status.
4. In the Warning Seconds since last event field, enter the maximum number of
seconds to wait between events, before triggering a warning health status.
5. You have three options:
• To save your changes to this module and return to the Health Policy
page, click Save Policy and Exit.
• To return to the Health Policy page without saving any of your settings
for this module, click Cancel.
• To temporarily save your changes to this module and switch to another
module’s settings to modify, select the other module from the list at the
left of the page. If you click Save Policy and Exit when you are done, all
changes you made will be saved; if you click Cancel, you discard all
changes.
You must apply the health policy to the Master Defense Center for your
settings to take effect. See Applying Health Policies on page 528 for more
information.
2. Select On for the Enabled option to enable use of the module for health status
testing.
3. In the Critical Minutes since last event field, enter the maximum number of
minutes to wait between events, before triggering a critical health status.
4. In the Warning Minutes since last event field, enter the maximum number of
minutes to wait between events, before triggering a warning health status.
2. Select On for the Enabled option to enable use of the module for health status
testing.
3. In the Events per second (Critical) field, enter the number of events per second
that should trigger a critical health status.
4. In the Events per second (Warning) field, enter the number of events per
second that should trigger a warning health status.
5. You have three options:
• To save your changes to this module and return to the Health Policy
page, click Save Policy and Exit.
• To return to the Health Policy page without saving any of your settings
for this module, click Cancel.
• To temporarily save your changes to this module and switch to another
module’s settings to modify, select the other module from the list at the
left of the page. If you click Save Policy and Exit when you are done, all
changes you made will be saved; if you click Cancel, you discard all
changes.
You must apply the health policy to the appropriate sensors if you want your
settings to take effect. See Applying Health Policies on page 528 for more
information.
2. Select On for the Enabled option to enable use of the module for health status
testing.
3. In the Critical Number of restarts field, enter the number of process restarts
that should trigger a critical health status.
4. In the Warning Number of restarts field, enter the number of process restarts
that should trigger a warning health status.
2. Select On for the Enabled option to enable use of the module for health status
testing.
3. In the Critical Number of restarts field, enter the number of process restarts
that should trigger a critical health status.
4. In the Warning Number of restarts field, enter the number of process restarts
that should trigger a warning health status.
5. You have three options:
• To save your changes to this module and return to the Health Policy
page, click Save Policy and Exit.
• To return to the Health Policy page without saving any of your settings
for this module, click Cancel.
• To temporarily save your changes to this module and switch to another
module’s settings to modify, select the other module from the list at the
left of the page. If you click Save Policy and Exit when you are done, all
changes you made will be saved; if you click Cancel, you discard all
changes.
You must apply the health policy to the appropriate appliances if you want
your settings to take effect. See Applying Health Policies on page 528 for
more information.
2. Select On for the Enabled option to enable use of the module for health status
testing.
3. In the Critical Threshold % field, enter the percentage of memory usage that
should trigger a critical health status.
4. In the Warning Threshold % field, enter the percentage of memory usage that
should trigger a warning health status.
5. You have three options:
• To save your changes to this module and return to the Health Policy
page, click Save Policy and Exit.
• To return to the Health Policy page without saving any of your settings
for this module, click Cancel.
• To temporarily save your changes to this module and switch to another
module’s settings to modify, select the other module from the list at the
left of the page. If you click Save Policy and Exit when you are done, all
changes you made will be saved; if you click Cancel, you discard all
changes.
You must apply the health policy to the appropriate appliances if you want
your settings to take effect. See Applying Health Policies on page 528 for
more information.
2. Select On for the Enabled option to enable use of the module for health status
testing.
3. You have three options:
• To save your changes to this module and return to the Health Policy
page, click Save Policy and Exit.
• To return to the Health Policy page without saving any of your settings
for this module, click Cancel.
• To temporarily save your changes to this module and switch to another
module’s settings to modify, select the other module from the list at the
left of the page. If you click Save Policy and Exit when you are done, all
changes you made will be saved; if you click Cancel, you discard all
changes.
You must apply the health policy to the appropriate sensors if you want your
settings to take effect. See Applying Health Policies on page 528 for more
information.
2. Select On for the Enabled option to enable use of the module for health status
testing.
3. You have three options:
• To save your changes to this module and return to the Health Policy
page, click Save Policy and Exit.
• To return to the Health Policy page without saving any of your settings
for this module, click Cancel.
• To temporarily save your changes to this module and switch to another
module’s settings to modify, select the other module from the list at the
left of the page. If you click Save Policy and Exit when you are done, all
changes you made will be saved; if you click Cancel, you discard all
changes.
You must apply the health policy to the appropriate sensors if you want your
settings to take effect. See Applying Health Policies on page 528 for more
information.
2. Select On for the Enabled option to enable use of the module for health status
testing.
3. In the Critical Seconds since last event field, enter the maximum number of
seconds to wait between events, before triggering a critical health status.
4. In the Warning Seconds since last event field, enter the maximum number of
seconds to wait between events, before triggering a warning health status.
5. You have three options:
• To save your changes to this module and return to the Health Policy
page, click Save Policy and Exit.
• To return to the Health Policy page without saving any of your settings
for this module, click Cancel.
• To temporarily save your changes to this module and switch to another
module’s settings to modify, select the other module from the list at the
left of the page. If you click Save Policy and Exit when you are done, all
changes you made will be saved; if you click Cancel, you discard all
changes.
You must apply the health policy to the Defense Center for your settings to
take effect. See Applying Health Policies on page 528 for more information.
2. Select On for the Enabled option to enable use of the module for health status
testing.
3. In the Critical number Hosts field, enter the remaining number of available
hosts that should trigger a critical health status.
4. In the Warning number Hosts field, enter the remaining number of available
hosts that should trigger a warning health status.
5. You have three options:
• To save your changes to this module and return to the Health Policy
page, click Save Policy and Exit.
• To return to the Health Policy page without saving any of your settings
for this module, click Cancel.
• To temporarily save your changes to this module and switch to another
module’s settings to modify, select the other module from the list at the
left of the page. If you click Save Policy and Exit when you are done, all
changes you made will be saved; if you click Cancel, you discard all
changes.
You must apply the health policy to the appropriate sensors if you want your
settings to take effect. See Applying Health Policies on page 528 for more
information.
The maximum number of restarts you can set for either limit is 100, and the
Critical limit must be higher than the Warning limit.
2. Select On for the Enabled option to enable use of the module for health status
testing.
3. In the Critical Number of restarts field, enter the number of process restarts
that should trigger a critical health status.
4. In the Warning Number of restarts field, enter the number of process restarts
that should trigger a warning health status.
5. You have three options:
• To save your changes to this module and return to the Health Policy
page, click Save Policy and Exit.
• To return to the Health Policy page without saving any of your settings
for this module, click Cancel.
• To temporarily save your changes to this module and switch to another
module’s settings to modify, select the other module from the list at the
left of the page. If you click Save Policy and Exit when you are done, all
changes you made will be saved; if you click Cancel, you discard all
changes.
You must apply the health policy to the appropriate sensors if you want your
settings to take effect. See Applying Health Policies on page 528 for more
information.
2. Select On for the Enabled option to enable use of the module for health status
testing.
3. You have three options:
• To save your changes to this module and return to the Health Policy
page, click Save Policy and Exit.
• To return to the Health Policy page without saving any of your settings
for this module, click Cancel.
• To temporarily save your changes to this module and switch to another
module’s settings to modify, select the other module from the list at the
left of the page. If you click Save Policy and Exit when you are done, all
changes you made will be saved; if you click Cancel, you discard all
changes.
You must apply the health policy to the appropriate sensors if you want your
settings to take effect. See Applying Health Policies on page 528 for more
information.
WARNING! If you enable the Traffic Status module on a sensor where there are
unused interfaces that are included in an interface set associated with a detection
engine, the module interprets the idleness of the port as a traffic failure and alerts
on traffic status. To prevent alerting on idle interfaces, remove those interfaces
from all interface sets associated with detection engines. For more information
on managing interface sets, see Editing an Interface Set on page 221.
2. Select On for the Enabled option to enable use of the module for health status
testing.
3. You have three options:
• To save your changes to this module and return to the Health Policy
page, click Save Policy and Exit.
• To return to the Health Policy page without saving any of your settings
for this module, click Cancel.
• To temporarily save your changes to this module and switch to another
module’s settings to modify, select the other module from the list at the
left of the page. If you click Save Policy and Exit when you are done, all
changes you made will be saved; if you click Cancel, you discard all
changes.
You must apply the health policy to the appropriate sensors if you want your
settings to take effect. See Applying Health Policies on page 528 for more
information.
You cannot apply a health policy to RNA Software for Red Hat Linux.
TIP! The status icon next to the Health Policy column ( ) indicates the
current health status for the appliance. The status icon next to the System
Policy column ( ) indicates the communication status between the Defense
Center and the sensor. Note that you can remove the currently applied policy
by clicking the remove icon ( ).
4. Check the appliances where you want to apply the health policy.
5. Click Apply to apply the policy to the selected appliances.
The Health Policy page appears, with a message indicating if the application
of the policy was successful. Monitoring of the appliance starts as soon as
the policy is successfully applied.
Applicable health modules for various appliances are listed in the Health Modules
Applicable to Appliances table.
TIP! To stop health monitoring for an appliance, create a health policy with all
modules disabled and apply it to the appliance. For more information on creating
health policies, see Creating Health Policies on page 497. For more information
on applying health policies, see Applying Health Policies on page 528.
RNA host licenses on an appliance, you can blacklist the RNA Host License Limit
status messages until you install a new license with more hosts.
Make sure to remove all unused sensing interfaces from any interface sets in use
by a detection engine so health monitoring alerts do not generate for those
interfaces.
Note that on the main Health Monitor page you can distinguish between
appliances that are blacklisted if you expand to view the list of appliances with a
particular status by clicking the arrow in that status row. For more information on
expanding that view, see Using the Health Monitor on page 545.
A blacklist icon ( ) and a notation are visible once you expand the view for a
blacklisted or partially blacklisted appliance.
TIP! You can blacklist 3D Sensors only from a Defense Center, not a Master
Defense Center. You cannot blacklist intrusion agents.
3. Use the drop-down list on the right to sort the list by group, policy, or model.
(On a Master Defense Center, sort the list by group, manager, policy or
model. Groups on a Defense Center are 3D Sensors. Groups on a Master
Defense Center are appliances.)
TIP! The status icon next to the Health Policy column ( ) indicates the
current health status for the appliance. The status icon next to the System
Policy column ( ) indicates the communication status between the Defense
Center and the sensor. Note that you can remove the currently applied policy
by clicking the remove icon ( ).
Blacklisting an Appliance
If you need to set the events and health status for an individual appliance to
disabled, you can blacklist the appliance. Once the blacklist settings take effect,
the appliance shows as disabled in the Health Monitor Appliance Module
Summary and health events for the appliance have a status of disabled.
The page refreshes then indicates the blacklisted state of the appliances.
Click Edit and see Blacklisting a Health Policy Module on page 537 to blacklist
individual health policy modules.
• Power Supply
• RNA Host License Limit
TIP! Once the blacklist settings take effect, the appliance shows as Part
Blacklisted or All Modules Blacklisted in the Blacklist page and in the
Appliance Health Monitor Module Status Summary but only in expanded views
on the main Appliance Status Summary page. Make sure that you keep track of
individually blacklisted modules so you can reactivate them when you need them.
You may miss necessary warning or critical messages if you accidentally leave a
module disabled.
3. Sort by Group, Policy, or Model, then click Edit to display the list of health
policy modules.
The health policy modules appear.
For example, if you are concerned that your appliances may run out of hard disk
space, you can automatically send an email to a system administrator when the
remaining disk space reaches the warning level. If the hard drive continues to fill,
you can send a second email when the hard drive reaches the critical level.
For more information, see the following topics:
• Preparing to Create a Health Alert on page 540
• Creating Health Monitor Alerts on page 540
• Interpreting Health Monitor Alerts on page 542
• Editing Health Monitor Alerts on page 543
• Deleting Health Monitor Alerts on page 544
on creating the alert, see Preparing to Create a Health Alert on page 540. When
the severity level occurs for the selected module, the associated alert triggers.
Note that if you create or update a threshold in a way that duplicates an existing
threshold, you are notified of the conflict. When duplicate thresholds exist, the
health monitor uses the threshold that generates the fewest alerts and ignores
the others. The timeout value for the threshold must be between 5 and
4,294,967,295 minutes.
3. Type a name for the health alert in the Health Alert Name field.
4. From the Severity list, select the severity level you want to use to trigger the
alert.
5. From the Module list, select the modules for which you want the alert to apply.
TIP! To select multiple modules, press Shift + Ctrl and click the module
names.
6. From the Alert list, select the alert which you want to trigger when the
selected severity level is reached.
TIP! Click Alerts in the toolbar to open the Alerts page. For more information
on creating alerts, see Creating Alerts in the Analyst Guide.
7. In the Threshold Timeout field, type the number of minutes that should elapse
before each threshold period ends and the threshold count resets.
8. Click Save to save the health alert.
A message appears, indicating if the alert configuration was successfully
saved. The Active Health Alerts list now includes the alert you created.
Alert Severities
Severity    Description
Critical    The health test results met the criteria to trigger a Critical alert status.
Warning     The health test results met the criteria to trigger a Warning alert status.
Normal      The health test results met the criteria to trigger a Normal alert status.
Recovered   The health test results met the criteria to return to a normal alert status, following a Critical or Warning alert status.
4. Click Load to load the configured settings for the selected alert.
5. Modify settings as needed. For more information, see Creating Health
Monitor Alerts on page 540.
6. Click Save to save the modified health alert.
A message appears, indicating if the alert configuration was successfully
saved.
IMPORTANT! Deleting a health monitor alert does not delete the associated
alert. You must deactivate or delete the underlying alert to ensure that alerting
does not continue. For more information on deactivating alerts, see Activating and
Deactivating Alerts in the Analyst Guide. For more information on deleting alerts,
see Deleting Alerts in the Analyst Guide.
You can obtain information about the health of your Sourcefire 3D System
through the Health Monitor. Administrators can create and apply a health policy to
an appliance. The Health Monitor then generates health events to indicate the
current status of any aspects of appliance health that you chose to monitor. For
more information on viewing the health status of your appliance, see the
following topics:
• Using the Health Monitor on page 545
• Using Appliance Health Monitors on page 547
• Working with Health Events on page 555
2. Select the appropriate status in the Status column of the table or the
appropriate portion of the pie chart to list the appliances with that status.
TIP! If the arrow in the row for a status level points down, the appliance list
for that status shows in the lower table. If the arrow points right, the
appliance list is hidden.
The following topics provide details on the tasks you can perform from the Health
Monitor page:
• Interpreting Health Monitor Status on page 547
• Using Appliance Health Monitors on page 547
• Configuring Health Policies on page 489
• Configuring Health Monitor Alerts on page 539
Status      Color    Description
Error       White    Indicates that at least one health monitoring module has failed on the appliance and has not been successfully re-run since the failure occurred. Contact your technical support representative to obtain an update to the health monitoring module.
Critical    Red      Indicates that the critical limits have been exceeded for at least one health module on the appliance and the problem has not been corrected.
Warning     Yellow   Indicates that warning limits have been exceeded for at least one health module on the appliance and the problem has not been corrected.
Normal      Green    Indicates that all health modules on the appliance are running within the limits configured in the health policy applied to the appliance.
Recovered   Green    Indicates that all health modules on the appliance are running within the limits configured in the health policy applied to the appliance, including modules that were in a Critical or Warning state.
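The status table above defines the appliance-level status in terms of its modules: any failed module that has not been re-run gives Error, any exceeded critical limit gives Critical, any exceeded warning limit gives Warning, and an appliance whose modules are all back within limits is Recovered rather than Normal when some of them were previously in Warning or Critical. The Python below is an added illustration of those rules, not Sourcefire code; the per-module transition function, the precedence Error over Critical over Warning, and the module names used as sample input are assumptions of this example.

```python
# Added example: derive per-module and appliance-level health status from the
# status definitions in the guide. Illustrative only, not Sourcefire's code.

# Colors as listed in the status table.
STATUS_COLOR = {
    "Error": "White",
    "Critical": "Red",
    "Warning": "Yellow",
    "Normal": "Green",
    "Recovered": "Green",
}

# Assumed precedence when several modules report different statuses.
PRECEDENCE = ["Error", "Critical", "Warning"]


def module_status(previous, test_result):
    """Compute a module's new status from its previous status and the result
    of the latest test run.

    test_result is one of: "failed" (the module itself could not run),
    "critical", "warning", or "ok" (within configured limits).
    An Error persists until a test run succeeds; "ok" after Warning or
    Critical yields Recovered, otherwise Normal.
    """
    if test_result == "failed":
        return "Error"
    if test_result == "critical":
        return "Critical"
    if test_result == "warning":
        return "Warning"
    if test_result == "ok":
        return "Recovered" if previous in ("Warning", "Critical") else "Normal"
    raise ValueError("unknown test result: %r" % (test_result,))


def appliance_status(module_statuses):
    """Aggregate {module_name: status} into (appliance_status, color)."""
    values = set(module_statuses.values())
    for status in PRECEDENCE:
        if status in values:
            return status, STATUS_COLOR[status]
    # Everything is within limits; Recovered if any module just recovered.
    status = "Recovered" if "Recovered" in values else "Normal"
    return status, STATUS_COLOR[status]


# Constructed sample: previous statuses and the latest test results per module.
SAMPLE_PREVIOUS = {"Disk Usage": "Warning", "CPU Usage": "Normal", "Fan": "Normal"}
SAMPLE_RESULTS = {"Disk Usage": "ok", "CPU Usage": "ok", "Fan": "ok"}


def run_cycle(previous, results):
    """Apply one round of test results and return the new module map."""
    return {name: module_status(previous.get(name, "Normal"), results[name])
            for name in results}


if __name__ == "__main__":
    current = run_cycle(SAMPLE_PREVIOUS, SAMPLE_RESULTS)
    print(current, appliance_status(current))
```

In the sample cycle the disk usage module returns within limits after a Warning, so the appliance shows Recovered (green) rather than Normal; a single module stuck in Error would override every other status.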
IMPORTANT! Your browser session will not be automatically timed out while you
are viewing the Health Monitor page.
TIP! If the arrow in the row for a status level points down, the appliance list
for that status shows in the lower table. If the arrow points right, the
appliance list is hidden.
3. In the Appliance column of the appliance list, click the name of the appliance
for which you want to view details in the health monitor toolbar.
The Health Monitor Appliance page appears.
4. Optionally, in the Module Status Summary graph, click the color for the event
status category you want to view. The Alert Detail list toggles the display to
show or hide events.
For more information, see the following sections:
• Interpreting Appliance Health Monitor Status on page 549
• Viewing Alerts by Status on page 549
• Running All Modules for an Appliance on page 550
Status      Color    Description
Error       White    Indicates that the health monitoring module has failed and has not been successfully re-run since the failure occurred. Contact your technical support representative to obtain an update to the health monitoring module.
Critical    Red      Indicates that the critical limits have been exceeded for the health module on the appliance and the problem has not been corrected.
Warning     Yellow   Indicates that warning limits have been exceeded for the health module on the appliance and the problem has not been corrected.
Normal      Green    Indicates that the monitored item is running within the limits configured in the health policy applied to the appliance.
Recovered   Green    Indicates that the health for the monitored item is back within the limits configured in the health policy applied to the appliance.
TIP! If the arrow in the row for a status level points down, the appliance list
for that status shows in the lower table. If the arrow points right, the
appliance list is hidden.
3. In the Appliance column of the appliance list, click the name of the appliance
for which you want to view details in the health monitor toolbar.
The Health Monitor Appliance page appears.
IMPORTANT! When you manually run health modules, the first refresh that
automatically occurs may not reflect the data from the manually-run tests. If
the value has not changed for a module that you just ran manually, wait a few
seconds, then refresh the page by clicking the sensor name. You can also
wait for the page to refresh again automatically.
3. In the Appliance column of the appliance list, click the name of the appliance
whose health details you want to view.
The Health Monitor Appliance page appears.
4. In the Module Status Summary graph of the Health Monitor Appliance page,
click the color for the health alert status category you want to view.
The Alert Detail list expands to list the health alerts for the selected appliance
for that status category.
5. In the Alert Detail row for the health module you want to run, click Run.
The status bar indicates the progress of the test, then the Health Monitor
Appliance page refreshes.
IMPORTANT! When you manually run health modules, the first refresh that
automatically occurs may not reflect the data from the manually-run tests. If
the value has not changed for a module that you just manually ran, wait a few
seconds, then refresh the page by clicking the sensor name. You can also
wait for the page to refresh automatically again.
3. In the Appliance column of the appliance list, click the name of the appliance
whose health details you want to view.
The Health Monitor Appliance page appears.
4. In the Module Status Summary graph of the Health Monitor Appliance page,
click the color for the health alert status category you want to view.
The Alert Detail list expands to list the health alerts for the selected appliance
for that status category.
5. In the Alert Detail row for the alert whose history you want to graph, click
Graph.
A graph appears, showing the status of the event over time. The Alert Detail
section below the graph lists all health alerts for the selected appliance.
TIP! If no events appear, you may need to adjust the time range. See Setting
Event Time Constraints in the Analyst Guide for more information.
3. In the Appliance column of the appliance list, click the name of the appliance
whose health details you want to view.
The Health Monitor Appliance page appears.
4. Click Generate Troubleshooting Files and confirm that you want to generate the
files.
The file generation task is added to the task status queue.
5. Select Operations > Monitoring > Task Status.
The Task Status page appears.
6. Click the folder for the file generation job entry to expand the entry.
See the following sections for more information about viewing events:
• Understanding Health Event Views on page 556 describes the types of
health events that the system generates.
• Viewing Health Events on page 556 describes how to access and use the
Event View page.
• Searching for Health Events on page 563 describes how to search for
specific events using the Event Search page.
If no events appear, you may need to adjust the time range. See Setting
Event Time Constraints in the Analyst Guide for more information.
TIP! You can bookmark this view to allow you to return to the page in the
health events workflow containing the Health Events table of events. The
bookmarked view retrieves events within the time range you are currently
viewing, but you can then modify the time range to update the table with
more recent information if needed. For more information, see Setting Event
Time Constraints in the Analyst Guide.
3. In the Appliance column of the appliance list, click the name of the appliance
whose health details you want to view.
The Health Monitor Appliance page appears.
4. In the Module Status Summary graph of the Health Monitor Appliance page,
click the color for the health alert status category you want to view.
The Alert Detail list expands to list the health alerts for the selected appliance
for that status category.
5. In the Alert Detail row for the alert for which you want to view a list of events,
click Events.
The Health Events page appears, containing query results for a query with
the name of the appliance and the name of the selected health alert module
as constraints.
If no events appear, you may need to adjust the time range. See Setting
Event Time Constraints in the Analyst Guide for more information.
6. If you want to view all health events for the selected appliance, expand
Search Constraints and click the Module Name constraint to remove it.
On the Health Events page, you can do the following:
• To learn more about the contents of the columns that appear in the health event view, see Understanding the Health Events Table on page 561.
• To modify the time and date range for events listed in the health table view, see Setting Event Time Constraints in the Analyst Guide. Note that events that were generated outside the appliance's configured time window (whether global or event-specific) may appear in an event view if you constrain the event view by time. This can occur even if you configured a sliding time window for the appliance.
• To sort the events that appear, change what columns display in the table of events, or constrain the events that appear, see Sorting Drill-down Workflow Pages in the Analyst Guide.
• To delete health events, select the check box next to the events you want to delete and click Delete. To delete all the events in the current constrained view, click Delete All, then confirm that you want to delete all the events.
• To navigate through event view pages, see Navigating to Other Pages in the Workflow in the Analyst Guide.
• To navigate to other event tables to view associated events, see Navigating between Workflows in the Analyst Guide.
• To bookmark the current page so that you can quickly return to it, click Bookmark This Page, provide a name for the bookmark, and click Save. See Using Bookmarks in the Analyst Guide for more information.
• To navigate to the bookmark management page, select Analysis & Reporting > Bookmarks or, from any event view, click View Bookmarks. See Using Bookmarks in the Analyst Guide for more information.
• To generate a report based on data in the table view, click Report Designer. See Generating Reports from Event Views on page 235 for more information.
• To select another health events workflow, click Workflows or select from the Workflows drop-down list in the toolbar. See Selecting Workflows in the Analyst Guide for more information.
• To view the details associated with a single health event, click the down arrow link on the left side of the event.
• To view event details for multiple health events, select the check box next to the rows that correspond with the events you want to view details for, and then click View.
• To view event details for all events in the view, click View All.
• To view all events of a particular status, click the status icon in the Status column for an event with that status.
Condition: Effect on the Hardware Alarms module
NFE card presence: If NFE hardware is detected that is not valid for the appliance, health status for the Hardware Alarms module changes to red and the message details include a reference to the NFE card presence.
NFE Platform daemon: If the NFE Platform daemon goes down, health status for the Hardware Alarms module changes to red and the message details include a reference to the daemon.
NFE Message daemon: If the NFE Message daemon goes down, health status for the Hardware Alarms module changes to red and the message details include a reference to the daemon.
NFE TCAM daemon: If the NFE TCAM daemon goes down, health status for the Hardware Alarms module changes to red and the message details include a reference to the daemon.
Scmd daemon: If the Scmd daemon goes down, health status for the Hardware Alarms module changes to red and the message details include a reference to the daemon.
Psls daemon: If the Psls daemon goes down, health status for the Hardware Alarms module changes to red and the message details include a reference to the daemon.
Ftwo daemon: If the Ftwo daemon goes down, health status for the Hardware Alarms module changes to red and the message details include a reference to the daemon.
Rulesd (host rules) daemon: If the Rulesd daemon goes down, health status for the Hardware Alarms module changes to yellow and the message details include a reference to the daemon.
in your health policy run various tests to determine appliance health status. When
the health status meets criteria that you specify, a health event is generated. For
more information on health monitoring, see Monitoring the System on page 463.
The fields in the health events table are described in the Health Event Fields
table.
Module Name: The name of the health module that generated the event. For a list of health modules, see the Health Modules table on page 485.
Test Name: The name of the test. This is typically the same as the module name.
Units: The units descriptor for the result. You can use the asterisk (*) to create wildcard searches. For example, if the Defense Center generates a health event when a sensor it is monitoring is using 80 percent or more of its CPU resources, the units value is a percentage sign (%).
TIP! If you are using a custom workflow that does not include the table view
of health events, click Workflows. On the Select Workflow page, click Health
Events.
Module Name: Specify the name of the module that generated the health events you want to view. For example, to view events that measure CPU performance, type CPU. The search should retrieve applicable CPU Usage and CPU temperature events.
Value: Specify the value (number of units) of the result obtained by the health test for the events you want to view. For example, if you specify a value of 15 and type CPU in the Module Name field, you retrieve events where the appliance CPU was running at 15% utilization at the time the test ran.
Description: Specify the description of the events you want to view. For example, you could enter Unable to Execute to view any health events where a process was unable to execute. You can use an asterisk (*) in this field to create wildcard searches.
Units: Specify the units descriptor for the result obtained by the health test for the events you want to view. You can use an asterisk (*) in this field to create wildcard searches. For example, if you type % in the Units field, you retrieve all events for the Disk Usage modules, because the Disk Usage module has a “%” label in the Units field (and no additional text). However, if you type *% in the Units field, you retrieve all events for any module whose Units field contains text followed by a “%” sign.
Status: Specify the status for the health events that you want to view. Valid status levels are Critical, Warning, Normal, Error, and Disabled. For example, type Critical to retrieve all health events that indicate a critical status.
2. Optionally, if you want to save the search, enter a name for the search in the
Name field.
If you do not enter a name, one is created automatically when you save the
search.
3. Enter your search criteria.
See Health Event Search Criteria on page 563 for more information about the
values you can enter for search criteria.
4. Optionally, if you want to save the search so that other users can access it,
clear the Save As Private check box. Otherwise, leave the check box selected
to save the search as private.
TIP! If you want to save a search as a restriction for restricted data users,
you must save it as a private search.
You can audit activity on your system in two ways. The appliances that are a part
of the Sourcefire 3D System generate an audit record for each user interaction
with the web interface, and also record system status messages in the system
log.
The following sections provide more information about the monitoring features
that the system provides:
• Managing Audit Records on page 566 describes how to view and manage
system audit information.
• Viewing the System Log on page 578 describes how to view the system
log, which contains system status messages.
TIP! Defense Centers and 3D Sensors with IPS also provide full-featured
reporting features that allow you to generate reports for almost any type of data
accessible in an event view, including auditing data. For more information, see
Working with Event Reports on page 232.
The audit log stores a maximum of 100,000 entries. When the number of audit
log entries exceeds 100,000, the appliance prunes the oldest records from the
database to reduce the number to 100,000. Pruned records are no longer
available on the appliance, so if you must retain audit records for longer,
generate reports from the audit log event view before the limit is reached (see
Working with Event Reports on page 232).
For more information, see the following sections:
• Viewing Audit Records on page 567
• Suppressing Audit Records on page 570
• Understanding the Audit Log Table on page 574
• Searching Audit Records on page 575
On the audit log pages, you can do the following:
• To modify the time range used when viewing audit records, see Setting Event Time Constraints in the Analyst Guide. Note that events that were generated outside the appliance's configured time window (whether global or event-specific) may appear in an event view if you constrain the event view by time. This can occur even if you configured a sliding time window for the appliance.
• To sort and constrain events on the current workflow page, see Sorting Table View Pages and Changing Their Layout in the Analyst Guide.
• To navigate between pages in the current workflow, keeping the current constraints, click the appropriate page link at the top left of the workflow page. For more information, see Using Workflow Pages in the Analyst Guide.
• To drill down to the next page in the workflow, use one of the following methods:
  • To drill down to the next workflow page constraining on a specific value, click a value within a row. Note that this only works on drill-down pages. Clicking a value within a row in a table view constrains the table view and does not drill down to the next page.
  • To drill down to the next workflow page constraining on some events, select the check boxes next to the events you want to view on the next workflow page, then click View.
  • To drill down to the next workflow page keeping the current constraints, click View All.
  TIP! Table views always include “Table View” in the page name. For more information, see Constraining Events in the Analyst Guide.
• To bookmark the current page so that you can quickly return to it, click Bookmark This Page. For more information, see Using Bookmarks in the Analyst Guide.
TIP! If you are using a custom workflow that does not include the table view
of audit events, from the Workflows menu on the toolbar, select Audit Log.
When disabling columns, after you click the close icon in the column heading
that you want to hide, in the pop-up window that appears, click Apply. When you
disable a column, it is disabled for the duration of your session (unless you add it
back later). Note that when you disable the first column, the count column is
added.
To hide or show other columns, select or clear the appropriate check boxes before
you click Apply. To add a disabled column back to the view, use the Expand arrow
to expand the search constraints, then click the column name under Disabled
Columns.
WARNING! Make sure that only authorized personnel have access to the
appliance and to its root account.
To suppress audit records you must create one or more files in the /etc/sf
directory in the following form:
AuditBlock.type
where type is address, message, subsystem, or user.
If you create an AuditBlock.type file for a specific type of audit message, but
later decide that you no longer want to suppress them, you must delete the
contents of the AuditBlock.type file but leave the file itself on the Sourcefire 3D
System.
The contents for each audit block type must be in a specific format as described
in the Audit Block Types table. Make sure you use the correct capitalization for the
file names. Note also that the contents of the files are case sensitive.
When you add an AuditBlock file, an audit record with a subsystem of Audit
and a message of Audit Filter type Changed (where type is the audit block type)
is added to the audit events. For security reasons, this audit record cannot be
suppressed, so searching the audit log for that message shows when audit
filtering was changed on the appliance, including changes made by someone who
should not have had access to the root account.
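The following shell script is an added example for this section; it is not part of the Sourcefire guide or of the appliance software. It reports which AuditBlock files exist in an /etc/sf-style directory and whether each one is active (non-empty), disabled (empty, which is how the guide says to stop suppressing), or absent, and it flags files that would be silently ignored because their name has the wrong capitalization or an unrecognized type. It does not interpret the file contents, whose format is given in the Audit Block Types table. The directory argument, the function names and the output wording are the example's own.

```shell
#!/bin/sh
# Added example; not from the Sourcefire guide or appliance.
# Reports the state of audit suppression files in an /etc/sf-style directory:
#   ACTIVE    AuditBlock.<type> exists and is non-empty (suppression in force)
#   disabled  the file exists but is empty (the guide's way to stop suppressing)
#   absent    no file for that type
# Files matching "auditblock" case-insensitively that are not one of the four
# exact names are reported as ignored, because the file names are case sensitive.
# File contents are not parsed; their format is in the Audit Block Types table.
# Usage: audit_block_report [directory]   (directory defaults to /etc/sf)

AUDIT_BLOCK_TYPES="address message subsystem user"

audit_block_report() {
    dir=${1:-/etc/sf}
    for type in $AUDIT_BLOCK_TYPES; do
        f="$dir/AuditBlock.$type"
        if [ ! -e "$f" ]; then
            printf '%s: absent\n' "$type"
        elif [ -s "$f" ]; then
            printf '%s: ACTIVE (%s, %s line(s))\n' "$type" "$f" "$(wc -l < "$f" | tr -d ' ')"
        else
            printf '%s: configured but empty (disabled)\n' "$type"
        fi
    done
    # Misnamed candidates: wrong capitalization or an unknown type string.
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        case "$name" in
            AuditBlock.address|AuditBlock.message|AuditBlock.subsystem|AuditBlock.user)
                ;;
            *)
                case "$(printf '%s' "$name" | tr 'A-Z' 'a-z')" in
                    auditblock.*)
                        printf 'WARNING: %s is ignored by the appliance (expected AuditBlock.<address|message|subsystem|user>)\n' "$name"
                        ;;
                esac
                ;;
        esac
    done
    return 0
}

# Number of suppression types currently in force; suitable for a periodic check
# that alerts when the value differs from what you expect.
audit_block_active_count() {
    dir=${1:-/etc/sf}
    n=0
    for type in $AUDIT_BLOCK_TYPES; do
        if [ -s "$dir/AuditBlock.$type" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
    return 0
}
```

Run it as root on the appliance (the /etc/sf directory is not readable by ordinary users on most installations, so a non-zero active count or an unexpected WARNING line is worth investigating alongside the Audit Filter Changed records in the audit log).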
Subsystem Names
Preferences: User preferences such as the time zone for a user account and individual event preferences.
Rules: Intrusion rules, including the rule editor and the rule importation process.
action generated the event, a source IP, and text describing the event. The fields
in the audit log table are described in the Audit Log Fields table.
Time: Time and date that the appliance generated the audit record.
User: User name of the user that triggered the audit event.
Subsystem: Menu path the user followed to generate the audit record. For example, Operations > Monitoring > Audit is the menu path to view the audit log.
Count: The number of events that match the information that appears in each row. Note that the Count field appears only after you apply a constraint that creates two or more identical rows.
sensitive. For example, searching for Analyst01 or analyst01 yields the same
results.
User: Enter the user name of the user who triggered the audit events you want to see. You can use an asterisk (*) as a wildcard character in this field. Example: jsmith returns all audit records involving the user jsmith.
Subsystem: Enter the full menu path a user would follow to generate the audit records you want to see. You can use an asterisk (*) as a wildcard character in this field. Examples: Operations > Monitoring > Audit and *Audit both return audit records that involve using the audit log. *Audit* returns all of the above records, plus records that involve searching for audit records.
Message: The action the user performed or the button the user clicked on the page. You can use an asterisk (*) as a wildcard character in this field. Examples: Apply returns audit records where the user applied an intrusion policy. Save Rule returns audit records where the user saved a compliance rule. Page View returns audit records where the user viewed the page.
Time: Specify the date and time the audit record was generated. See Specifying Time Constraints in Searches in the Analyst Guide for the syntax for entering time. Example: > 2006-01-15 13:30:00 returns all audit records generated after January 15, 2006 at 1:30pm.
Source IP: Enter the IP address of the host that you want to view audit records for. IMPORTANT! You must type a specific IP address. You cannot use IP ranges when searching audit logs. Example: 172.16.1.37 returns all audit records generated by a user from the 172.16.1.37 IP address.
For more information on searching, including how to load and delete saved
searches, see Searching for Events in the Analyst Guide.
TIP! To search the database for a different kind of event, select it from the
Table list.
2. Optionally, if you want to save the search, enter a name for the search in the
Name field.
If you do not enter a name, the web interface automatically creates one when
you save it.
3. Enter your search criteria in the appropriate fields, as described in the Audit
Record Search Criteria table. If you enter multiple criteria, the appliance
returns only the records that match all the criteria.
4. If you want to save the search so that other users can access it, clear the Save
As Private check box. Otherwise, leave the check box selected to save the
search as private.
TIP! If you want to save a search as a restriction for restricted data users,
you must save it as a private search.
• Click Save if you are modifying an existing search and want to save your
changes.
• Click Save as New Search to save the search criteria. The search is saved
(and associated with your user account if you selected Save As Private),
so that you can run it at a later time.
IMPORTANT! System log information is local. For example, you cannot use the
Defense Center to view system status messages in the system logs on your
managed sensors.
You can view system log messages for specific components by using the filter
feature. For more information, see Filtering System Log Messages on page 579.
If you want to use a 3D3800 sensor in compliance with ICSA requirements, you
can also configure system logging using a four-digit year format. For more
information, see Using Four-Digit Year Formats on the 3D3800 on page 581.
TIP! On the 3D9900, the Load Balancing Interface Module (LBIM) forwards
messages to the sensor's syslog. You can find these messages by filtering on
lbim.
WARNING! The System Log page does not allow the use of pipe characters for
OR expressions. For example, if you use [word_1|word_2], you will receive an
invalid filter error.
The System Log Filter Syntax table shows the regular expression syntax you can
use in System Log filters:
. : Matches any single character, including white space. Admi. matches Admin, AdmiN, Admi1, and Admi&.
[[:space:]] : Matches any white space character, including tabs. Feb[[:space:]]29 matches logs from February 29th.
* : Matches zero or more instances of the pattern it follows. ab* matches a, ab, abb, abbb, and so on. [ab]* matches any run of a and b characters (including an empty run), such as ab, abab, aabb, and so on.
The System Log Filter Examples table shows some example filters you can use
on the System Log page.
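As an added example that is not from the guide, the following shell snippet runs the three constructs from the syntax table against a constructed syslog sample using grep's basic regular expressions, which share that syntax. The sample lines, the process names and the function names are made up for the example. It also shows why * means zero or more: ab* matches the line containing a bare a, while abb* requires at least one b. The appliance's System Log page rejects some constructs grep accepts (the pipe character, as the warning above notes), so only the three listed constructs are exercised.

```shell
#!/bin/sh
# Added example; not from the Sourcefire guide. Exercises the three System Log
# filter constructs (., [[:space:]], *) against a constructed syslog sample
# with grep's POSIX basic regular expressions, which share that syntax.
# Every line below is made up; "lbim" is only the filter target the guide names.
SAMPLE_LOG='Feb 29 10:15:01 sensor ui[1201]: Admin logged in from 172.16.1.37
Feb 29 10:15:09 sensor ui[1201]: AdmiN session token refreshed
Feb 28 23:59:58 sensor lbim[877]: Admi1 link state change port 3
Mar  1 00:00:02 sensor kernel: ab written to ring buffer
Mar  1 00:00:03 sensor kernel: a written to ring buffer
Mar  1 00:00:04 sensor kernel: abbb written to ring buffer'

# syslog_filter PATTERN -> prints the matching sample lines (exit 1 if none)
syslog_filter() {
    printf '%s\n' "$SAMPLE_LOG" | grep -e "$1"
}

# syslog_filter_count PATTERN -> number of matching sample lines
syslog_filter_count() {
    printf '%s\n' "$SAMPLE_LOG" | grep -c -e "$1" || true
}

# Expected on the sample above:
#   Admi.             3  (Admin, AdmiN, Admi1)
#   Feb[[:space:]]29  2  (the two February 29 lines)
#   ab*               4  (any line with an a: zero b's still match)
#   abb*              2  (ab and abbb only; at least one b required)
```

Replace SAMPLE_LOG with a real capture (for example a copy of the appliance's syslog) to test a filter before typing it into the System Log page.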
You can use the Import/Export feature to copy several types of objects, including
policies, from one appliance to another appliance of the same type. Object import
and export is not intended as a backup tool, but can be used to simplify the
process of adding new appliances to your Sourcefire 3D System.
You can import and export the objects listed in the following table.
Object Requires
Dashboards Any
Note that to import an exported object, both appliances must be running the
same version of the Sourcefire 3D System. To import an exported intrusion policy,
the SEU versions on both appliances must also match.
For more information, see the following sections:
• Exporting Objects on page 584
• Importing Objects on page 593
Exporting Objects
Requires: IPS or DC/MDC
You can export a single object, or you can export several objects at once.
When you export an object, the appliance also exports revision information for
that object. The Sourcefire 3D System uses that information to determine
whether you can import that object onto another appliance; you cannot import an
object revision that already exists on an appliance.
In addition, when you export an object, the appliance also exports system objects
that the object depends on, such as authentication objects. For example, if you
set up authentication to an LDAP server on your Defense Center, and then export
a Defense Center system policy with authentication enabled, the authentication
object is exported as well.
Note that depending on the number of objects being exported and the number of
objects those objects reference, the export process may take several minutes.
For more information, see the following sections:
• Exporting a Custom Table on page 584
• Exporting a Custom Workflow on page 585
• Exporting a Dashboard on page 585
• Exporting a Health Policy on page 586
• Exporting an Intrusion Policy on page 586
• Exporting a PEP Policy on page 588
• Exporting an RNA Detection Policy on page 588
• Exporting a System Policy on page 588
• Exporting a User-Defined RNA Detector on page 589
• Exporting Multiple Objects on page 590
Exporting a Dashboard
Requires: Any
A dashboard is a customizable tabbed view that provides you with an at-a-glance
display of your current system status. Dashboards use various widgets to present
data about the events collected and generated by the Sourcefire 3D System, as
well as information about the status and overall health of the appliances in your
deployment.
Note that the dashboard widgets that you can view depend on the type of
appliance you are using and on your user role. For example, a dashboard created
on the Defense Center and imported onto a 3D Sensor or Master Defense Center
may display some invalid, disabled widgets. For more information, see
Understanding Widget Availability on page 61.
To export a dashboard:
Access: Any
1. Select Analysis & Reporting > Event Summary > Dashboards.
If you have a default dashboard defined, it appears; continue with the next
step.
If you do not have a default dashboard defined, the Dashboard List page
appears; skip to step 3.
2. On the toolbar, click Dashboards.
The Dashboard List page appears.
3. Click Export next to the dashboard you want to export.
4. Follow your web browser’s prompts to save the exported package to your
computer.
Exporting an intrusion policy exports all settings for the policy. For example, if you
choose to set a rule to generate events, or if you set SNMP alerting for a rule, or if
you turn on the SMTP preprocessor in a policy, those settings remain in place in
the exported policy. Custom rules, custom rule classifications, and user-defined
variables are also exported with the policy.
Note that if you export an intrusion policy that uses a layer that is shared by a
second intrusion policy, that shared layer is copied into the policy you are
exporting and the sharing relationship is broken. When you import the intrusion
policy on another appliance, you can edit the imported policy to suit your needs,
including deleting, adding, and sharing layers.
Also note the following if you export an intrusion policy from a Defense Center,
and then import the policy onto a 3D Sensor:
• The Adaptive Profiles feature is ignored if it is enabled in the policy; you
cannot configure or use adaptive profiles in an intrusion policy that you
apply from a sensor. For more information, see Using Adaptive Profiles in
the Analyst Guide.
• Any RNA-recommended rule states in the policy are used on the sensor by
importing the built-in RNA Recommended Rules layer as a user layer
located immediately above the base layer. Although you cannot configure
RNA Recommended Rules on a sensor, you can use the imported RNA
Recommended Rules layer as you would any other user layer. For more
information, see Managing RNA Rule State Recommendations in the
Analyst Guide and Working With Layers in the Analyst Guide.
IMPORTANT! You cannot use the Import/Export feature to update rules created
by Sourcefire’s Vulnerability Research Team (VRT). To update rules, download and
apply the latest SEU version; see Importing SEUs and Rule Files in the Analyst
Guide.
authentication objects on which the system policy depends. That is, if you set up
authentication to an LDAP server on your Defense Center, and then export a
Defense Center system policy with authentication enabled, the authentication
object is exported as well.
Also note that system policies on Defense Centers contain database settings that
do not apply to 3D Sensors. If you export a system policy from a 3D Sensor and
then import it onto a Defense Center, the database limits that you could not
configure on the sensor are set to the default values on the Defense Center.
3. Select the check box next to the detector you want to export and click Export.
Depending on how many detectors you have, the detector you want to export
may not be on the first page. You can find it by paging through the detector
list, or applying one or more filters. For more information, see Working with
RNA Detectors in the Analyst Guide.
TIP! To export multiple detectors at once, select the check boxes next to the
appropriate detectors, then click Export. You can also select all detectors in the
current filtered view by selecting the check box at the top of the page.
4. Follow your web browser’s prompts to save the exported package to your
computer.
Object Requires
Dashboards Any
Depending on the type of object you are exporting, you should keep the following
points in mind:
• You must make sure that the appliance you are using to export an object is
running the same version of the Sourcefire 3D System as the appliance you
plan to use to import the exported object. For intrusion policies, the SEU
versions on both appliances must also match. If the versions do not match,
the import will fail.
• If you cannot view the table on which a custom workflow is based on your
appliance, you can import the workflow but will not be able to view it.
• The dashboard widgets that you can view depend on the type of appliance
you are using and on your user role. For example, a dashboard created on
the Defense Center and imported onto a 3D Sensor or Master Defense
Center may display some invalid, disabled widgets.
• If you export an intrusion policy that uses a layer that is shared by a second
intrusion policy, that shared layer is copied into the policy you are exporting
and the sharing relationship is broken.
In addition, because RNA Recommended Rules and Adaptive Profiles are
not supported on 3D Sensors, there are additional consequences if you
export an intrusion policy from a Defense Center and then import the policy
onto a 3D Sensor. For more information, see Exporting an Intrusion Policy
on page 586.
• When you export a system policy from a Defense Center where external
authentication is enabled, the Defense Center also exports the
authentication objects on which the system policy depends.
Also note that if you export a system policy from a 3D Sensor and then
import it onto a Defense Center, the database limits that you could not
configure on the sensor are set to the default values on the Defense
Center.
• You can export user-defined RNA detectors and Sourcefire-provided
detectors that you added to the Sourcefire 3D System using the
Import/Export feature. However, you cannot export internal detectors or
Sourcefire-provided detectors added via VDB update.
For detailed information on exporting specific objects, see the following sections:
• Exporting a Custom Table on page 584
• Exporting a Custom Workflow on page 585
TIP! You can click the collapse icon next to an object type to collapse the list
of objects. Click the expand folder icon next to an object type to reveal
objects.
The Defense Center version of the page is shown below with some object
types collapsed.
3. Select the check boxes next to the objects you want to export and click Export.
4. Follow your web browser’s prompts to save the exported package to your
computer.
Importing Objects
Requires: Any After you export an object from another appliance, you can import it onto a
different appliance as long as that appliance supports it. Note, however, that
some imported objects may not be useful depending on the type of appliance you
are using and on your user role. The following table lists the objects that you can
import on the various Sourcefire appliance types.
Object Requires
Dashboards Any
Depending on the type of object you are importing, you should keep the following
points in mind:
• You must make sure that the appliance where you are importing an object is
running the same version of the Sourcefire 3D System as the appliance you
used to export the object. For intrusion policies, the SEU versions on both
appliances must also match. If the versions do not match, the import will
fail.
• If your appliance does not allow you to view the table on which a custom
workflow is based, you can import the workflow but will not be able to view
it.
• The dashboard widgets that you can view depend on the type of appliance
you are using and on your user role. For example, a dashboard created on
the Defense Center and imported onto a 3D Sensor or Master Defense
Center may display some invalid, disabled widgets.
• If you import an intrusion policy that used a shared layer from a second
intrusion policy, the export process breaks the sharing relationship and the
previously shared layer is copied into the package. In other words, imported
intrusion policies do not contain shared layers.
In addition, because RNA Recommended Rules and Adaptive Profiles are
not supported on 3D Sensors, there are additional consequences if you
export an intrusion policy from a Defense Center and then import the policy
onto a 3D Sensor. For more information, see Exporting an Intrusion Policy
on page 586.
• When you import a system policy that was exported from a Defense Center
where external authentication is enabled, you also import the authentication
objects on which the system policy depends.
Also note that for a system policy exported from a 3D Sensor and then
imported onto a Defense Center, the database limits that you could not
configure on the sensor are set to the default values on the Defense
Center.
Because you can export several different objects in a single package, when you
import the package you must choose which objects in the package to import. You
can only import objects that are supported on the destination appliance.
When you attempt to import an object, your appliance determines whether that
object already exists on the appliance. If a conflict exists, you can keep the
existing object, replace the existing object with a new object, keep the newest
object, or import the object as a new object. If you import an object and then later
make a modification to the object on the destination system, and then re-import
the object, you must choose which version of the object to keep.
Depending on the number of objects being imported and the number of objects
those objects reference, the import process may take several minutes.
3. On the appliance where you want to import the objects, select Operations >
Tools > Import/Export.
The Import/Export page appears.
TIP! You can click the collapse icon ( ) next to an object type to collapse
the list of objects. Click the expand folder icon ( ) next to an object type to
reveal objects.
The Defense Center version of the page is shown below with some object
types collapsed.
6. Click Upload.
The result of the upload depends on the contents of the package:
• If the object and rule versions in the package exactly match versions
that already exist on your appliance, a message displays indicating that
the versions already exist. The appliance has the most recent objects so
you do not need to import them.
• If there is a Sourcefire 3D System or SEU version mismatch between
your appliance and the appliance where the package was exported, a
message appears, indicating that you cannot import the package.
Update the Sourcefire 3D System or the SEU version and attempt the
process again.
• If the package contains any object or rule versions that do not exist on
your appliance, the Package Import page appears. Continue with the
next step.
7. Select the objects you want to import and click Import.
The import process occurs, with the following results:
• If the objects you import do not have previous revisions on your
appliance, the import completes automatically and a success message
appears. Skip the rest of the procedure.
• If the objects you import do have previous revisions on your appliance,
the Import Resolution page appears. Continue with step 8.
Requires: DC + RNA or DC + RUA
You can use the RNA/RUA Event Purge page to purge files from the RNA and
RUA databases. Note that if you purge database items from the RNA or RUA
database, the RNA or RUA process is restarted.
WARNING! Purging a database removes the data you specify from the Defense
Center. After the data is deleted, it cannot be recovered.
When you perform long-running tasks, such as applying a policy, pushing updates,
installing software, and so on, the status of these tasks is reported in the task
queue. The task queue provides information about complex tasks and reports
when they are complete.
For more information, see the following sections:
• Viewing the Task Queue on page 600
• Managing the Task Queue on page 602
You view the task queue on the Task Status page, which automatically refreshes
every 10 seconds. You can always see the status of tasks that you initiated; if your
account has Administrator access, you can also see the status of every task
regardless of who initiated it.
The Job Summary section displays the state of the tasks listed on the page, as
described in the following table.
Retrying The number of tasks that are automatically retrying. Note that
not all tasks are permitted to try again.
The Jobs section provides information about each task, including a brief
description, when the task was launched, the current status of the task, and
when the status last changed. Tasks of the same type appear together.
• To remove a single task from the task queue, click Delete next to the task
you want to delete.
Note that you cannot delete a running task. If you need to delete a running
task (for example, if a task repeatedly fails) contact Sourcefire Support.
• To collapse the view of tasks of the same type, click the collapse icon ( )
next to the task type for the tasks you want to hide.
• To expand the view of tasks of the same type, click the expand folder
icon ( ) next to the task type for which you want to view individual tasks.
3D Sensor An appliance-based sensor that, as part of the Sourcefire 3D System, can run the
IPS component, the RNA component, the RUA component, or combinations of
the components.
active detection The addition, to the network map, of data collected by active sources, such as
host operating system and service information.
adaptive profile An intrusion policy profile that uses information from RNA host profiles to
determine the operating system for the target host of a packet. Profiles within an
intrusion policy then automatically adapt to cause the preprocessors to
defragment IP packets and reassemble streams in the same way as the operating
system on the target host and to cause Snort to analyze the data in the same
format as that used by the destination host.
Administrator A type of user role that conveys rights to all Sourcefire 3D System functionality.
Administrators can set up an appliance’s network configuration, manage user
accounts, and configure system policies and system settings. Users with the
Administrator role also have the access rights provided to the Intrusion Event
Analyst, RNA Event Analyst, Policy & Response Administrator, and Maintenance
User roles.
advanced feature setting An IPS component feature such as a layer, preprocessor, global rule
thresholding, VLAN or subnetwork policy configuration, and so on that you
enable, disable, or configure on web interface pages accessed by some means
other than directly from the Policy Information page where basic feature settings
are accessed.
advanced intrusion policy An intrusion policy with custom user layers, modified advanced feature
settings, or both.
alert A message that notifies you when an intrusion event, health event, host input
event, RNA event, RUA event, white list event, or compliance event is generated.
You can send alerts to an external syslog server, a specific email address, or an
SNMP trap server. See email alerting, SNMP alerting, and syslog alerting.
alert rule An intrusion rule that, when triggered, generates an intrusion event and logs the
details of the packet that triggered the rule. Compare with pass rule and drop rule.
anomaly detection The detection of anomalous conditions in traffic rate or traffic content that
indicates an attack.
audit log A record of user interactions with the web interface. The audit log comprises
audit events.
audit event An event that describes a specific user interaction with the web interface. Each
audit event contains a time stamp, the user name of the user whose action
generated the event, a source IP address, and text describing the event. You can
view audit events in the audit log.
banner The first 256 bytes of the first packet detected by a service. A banner is collected
only once, the first time a service is detected by RNA. Banners provide additional
context to the information gathered by RNA.
base policy A selectable set of configurations that can be any one of the default intrusion
policies provided by Sourcefire or a custom user layer.
base policy layer A built-in layer in an intrusion policy comprised of all of the default basic feature
settings and advanced feature settings for the IPS component. The default
settings in the base policy layer are determined by the base policy selected for
the intrusion policy.
basic feature setting An IPS component feature in a basic intrusion policy that you can access directly
from the Intrusion Policy information page. Basic features include the policy
name, description and protection mode, and management of detection engines,
variables, rules, and RNA recommended rules.
basic intrusion policy An intrusion policy with no custom user layers and no modified advanced feature
settings. Although layers are transparent to the user in a basic intrusion policy, a
basic intrusion policy includes the read-only base policy layer, a modifiable
system-defined user layer that is initially named My Changes and, optionally, a
read-only RNA Recommendations layer immediately above the base policy. In
addition to default basic feature settings, a basic intrusion policy also includes
default advanced feature settings.
bit mask The notation used to identify which bits in an IP address correspond to the
network address and subnet portions of the address.
bookmark A saved link to a specific location and time in an event analysis. Bookmarks retain
information about the workflow you are using, the part of the workflow you are
viewing, the page number within the workflow you are viewing, the time range
you selected, and any columns you disabled as well as any constraints you
imposed. The bookmarks you create are available to all users with unrestricted
analyst access.
bridge A network device that forwards traffic between network segments. RNA
identifies bridges as network devices that communicate using Cisco Discovery
Protocol (CDP) or Spanning Tree Protocol (STP). RNA may identify switches as
bridges.
built-in layer A read-only layer in an intrusion policy. An intrusion policy always includes a
built-in base policy layer and, optionally, can include a built-in RNA
Recommendations layer.
Classless Inter-Domain Routing (CIDR) notation A notation that defines IP address ranges by
combining an IP address with a bit mask that signifies the subnet mask used to
define the number of IP addresses in the specified range. For example, if you
want to define the network described by 192.168.1.x with a subnet mask of
255.255.255.0, use 192.168.1.1/24, where 24 signifies the number of bits in the
subnet mask.
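The bit mask and CIDR definitions above, worked through in code. This is an added example, not part of the Sourcefire documentation: it converts a dotted-decimal subnet mask to the /N prefix length (rejecting masks whose one bits are not contiguous), normalizes the address-plus-mask pair into CIDR form, and tests whether an address falls inside the resulting range.

```python
import ipaddress


def mask_to_prefix_length(mask: str) -> int:
    """Return the number of leading one bits in a dotted-decimal subnet mask.

    255.255.255.0 -> 24.  A mask whose ones are not contiguous (for example
    255.0.255.0) is not a valid subnet mask and raises ValueError.
    """
    mask_int = int(ipaddress.IPv4Address(mask))
    prefix = 0
    seen_zero = False
    for bit in range(31, -1, -1):          # walk from the most significant bit
        if (mask_int >> bit) & 1:
            if seen_zero:                  # a one after a zero: not contiguous
                raise ValueError(f"non-contiguous subnet mask: {mask}")
            prefix += 1
        else:
            seen_zero = True
    return prefix


def addresses_in_range(prefix: int) -> int:
    """Number of addresses covered by a /prefix range (host bits = 32 - prefix)."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    return 2 ** (32 - prefix)


def to_cidr(address: str, mask: str) -> str:
    """Express 'address with subnet mask' in CIDR notation.

    strict=False clears the host bits, so 192.168.1.1 with 255.255.255.0
    (the guide's 192.168.1.1/24 example) is reported as 192.168.1.0/24.
    """
    prefix = mask_to_prefix_length(mask)
    return str(ipaddress.IPv4Network(f"{address}/{prefix}", strict=False))


def in_range(address: str, cidr: str) -> bool:
    """True if address is inside the range written in CIDR notation."""
    network = ipaddress.IPv4Network(cidr, strict=False)
    return ipaddress.IPv4Address(address) in network


if __name__ == "__main__":
    # Constructed sample values, matching the example in the glossary entry.
    print(to_cidr("192.168.1.1", "255.255.255.0"))          # 192.168.1.0/24
    print(addresses_in_range(24))                            # 256
    print(in_range("192.168.1.200", "192.168.1.1/24"))       # True
```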
client application An application that runs on one host and relies on another host (a server) to
perform some operation. For example, email clients are client applications that
allow you to send and receive email. When RNA detects that a user on a host is
using a specific client application to access another host, it reports that
information in the host profile and network map, including the name and version
(if available) of the client application.
client application event Information that describes client application activity on monitored hosts.
For each detected client application, RNA logs the IP address that used the
application and when the application was last used, as well as the application
name, version, and the number of times its use was detected.
clipboard A holding area where you can copy up to 25,000 intrusion events that you can
later add to incidents. The contents of the clipboard are sorted by the date and
time that the events were generated.
clustering A feature that allows you to increase the amount of traffic inspected on a network
segment by connecting two fiber-based 3D9900 sensors in a clustered pair.
When you establish a clustered pair configuration, you combine the 3D9900
sensors' resources into a single, shared configuration.
complex condition A complex way of qualifying compliance rules, flow trackers, host profile
qualifications, and traffic profiles. A complex condition comprises at least two
simple conditions, linked to each other with an AND or an OR operator.
complex constraint A constraint set in an event view or event search that constrains an event query
using all the criteria from a specific event.
compliance event An event generated by the Defense Center when a compliance rule triggers. You
can search, view, and delete compliance events and can configure the number of
compliance events saved in the database. Note that white list events, generated
by white list violations, are a special kind of compliance event.
compliance policy Describes the network activity that constitutes a security policy violation, using
compliance rules and compliance white lists. You can specify responses to each
rule or white list within a policy.
compliance rule Along with compliance white lists, one of the ways you can specify criteria that
network traffic must meet in order to violate a compliance policy. You can use the
Defense Center to configure compliance rules to trigger (and generate a
compliance event) when a specific intrusion event, RNA event, or flow event
occurs, or when your network traffic deviates from your normal network traffic
pattern as characterized in a traffic profile. You can constrain compliance rules
with host profile qualifications, flow trackers, snooze periods, and inactive
periods. You can also configure the Defense Center to launch a response, such as
an alert or remediation, when a compliance rule triggers.
compliance white list Along with compliance rules, one of the ways you can specify criteria that
network traffic must meet in order to violate a compliance policy. You can use the
Defense Center to configure compliance white lists to specify which operating
systems, services, client applications, and protocols are allowed to run on the
hosts in a specific subnet. You can also configure the Defense Center to launch a
response, such as an alert or remediation, when a white list is violated. Note that
a compliance white list is not associated with the white list of IP addresses that
you can configure in certain remediations.
current identity The operating system or service identity that RNA finds most likely to be correct,
which is used to assign host vulnerability, to assess impact of an attack, to
evaluate compliance rules written against operating system identifications, host
profile qualifications, and compliance white lists, to display in the Hosts and
Services table views in workflows and in the host profile, and to calculate the
operating system and service statistics on the RNA Statistics page.
custom table A table you can construct that combines fields from two or more of the
predefined tables delivered with the Sourcefire 3D System. For example, you
could combine the host criticality information from the host attributes table with
information from the flow data table to examine flow data in a new context.
Custom tables include Sourcefire-defined custom tables, which are custom
tables delivered with the Defense Center.
custom workflow A workflow that you create to meet the unique needs of your organization.
Compare with predefined workflow and, on the Defense Center, saved custom
workflow.
dashboard A display that provides tabs of at-a-glance information about many aspects of the
performance on your Sourcefire 3D System. You can configure as many
dashboards as you need and decide which dashboard widgets appear on each tab
to fit your system monitoring needs. The dashboard appears as the default home
page for all user roles except the restricted event analyst roles.
dashboard widget A dashboard widget provides status or performance information about a specific
aspect of your Sourcefire 3D System. You can select which widgets to add to your
dashboard.
data correlator A program that generates events and creates the network map on the Defense
Center, using the data collected by RNA.
decoder A component of IPS that places sniffed packets into a format that can be
understood by a preprocessor.
Defense Center A central management point that allows you to manage sensors and
automatically aggregate the events they generate. You can also push policies
created on the Defense Center and software updates to managed sensors. If you
manage 3D Sensors with IPS and RNA with a Defense Center, the Defense
Center correlates intrusion events with host vulnerabilities and assigns impact
flags to the intrusion events. Impact correlation lets you focus on attacks most
likely to affect high-priority hosts. The Defense Center also correlates intrusion
information with user identity data from the RUA database.
derived fingerprint An operating system fingerprint created by RNA from all passively collected
fingerprints for a host by applying a formula which calculates the most likely
identity using the confidence value of each collected fingerprint and the amount
of corroborating fingerprint data between identities.
detection engine The mechanism that is responsible for analyzing the traffic on the network
segment where a sensor is connected. A detection engine has two main
components: an interface set and a detection resource. RNA uses RNA detection
engines, IPS uses IPS detection engines, and RUA uses RUA detection engines.
detection resource A portion of a sensor's computing resources used as part of a detection engine.
DNS cache Temporary storage of previously resolved IP addresses. Configuring DNS caching
allows you to resolve those IP addresses without performing additional lookups.
This can reduce the amount of traffic on your network and speed the display of
event pages.
drill-down page An intermediate workflow page used to constrain event views. Generally, a
drill-down page presents constraints that you can select to advance to a more
narrowly constrained page or a table view.
drop event An intrusion event generated when a drop rule triggers. Drop events are marked
with black inline result flags on RNA compliance event views and IPS intrusion
event views.
drop rule An intrusion rule whose rule state is set to Drop and Generate Events. When a
malicious packet triggers the rule, IPS drops the packet and generates an
intrusion event (specifically, a drop event). You can only use a drop rule within an
inline intrusion policy that is applied to detection engines that are deployed inline.
Compare with alert rule and pass rule.
dynamic rule state A rule state that is set for a specified period of time in response to a detected rate
anomaly in traffic matching the rule.
event Information that is stored as an event. An event contains multiple fields that
describe the activity that caused the event to be generated. IPS generates
intrusion events, which also include drop events and preprocessor events. RNA
generates network discovery events and flow events, as well as events that
provide general information about your network topology: client application
events, host events, host attributes, and service events. A vulnerability is also
considered an RNA event. You can use the policy and response feature to
configure your Defense Center to generate compliance events and white list
events, as well as remediation status events. RUA generates RUA events when it
detects user logins or user additions or deletions. In addition, every appliance
generates records of user activity called audit events. The health monitor on the
Defense Center also generates health events.
event analyst An event analyst examines event data collected by the Sourcefire 3D System. The
Intrusion Event Analyst, RNA Event Analyst, and Restricted Event Analyst roles,
or their read-only counterparts, can be assigned to a user to provide access to
event analysis functionality.
Event Streamer Also known as eStreamer, a component of the Sourcefire 3D System that allows
you to stream event data from a Defense Center or 3D Sensor to external client
applications.
event suppression A feature that allows you to suppress intrusion events when a specific IP
address or range of IP addresses triggers a rule. Event suppression is useful for
eliminating false positives. For example, if you have a mail server that transmits
packets that look like a specific exploit, you can suppress events for the rules that
are triggered by your mail server, so that you only see the events for legitimate
attacks.
event thresholding A feature that allows you to limit the number of times the system logs and
displays an intrusion event, based on how many times the event is generated
within a specified time period. Use event thresholding if you are overwhelmed
with a large number of identical events.
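The event suppression and event thresholding entries above, simulated over constructed intrusion events. This is an added example, not code from the Sourcefire 3D System: suppression drops events for a rule when the tracked IP falls in a listed range (the mail-server case), and a limit-style threshold logs at most `count` events per rule and tracked IP within a `seconds` window. The event, suppression and threshold record layouts and the sample values are assumptions made for the illustration.

```python
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class IntrusionEvent:
    ts: float   # seconds (constructed timestamps)
    sid: int    # rule ID that fired
    src: str    # source IP address
    dst: str    # destination IP address


@dataclass(frozen=True)
class Suppression:
    sid: int
    track: str      # "by_src" or "by_dst": which address to match
    network: str    # single IP or CIDR range


@dataclass(frozen=True)
class Threshold:
    sid: int
    track: str      # "by_src" or "by_dst": which address to count per
    count: int      # log at most this many events ...
    seconds: int    # ... per tracked address within this window


def tracked_ip(ev: IntrusionEvent, track: str) -> str:
    return ev.src if track == "by_src" else ev.dst


def is_suppressed(ev: IntrusionEvent, suppressions: list[Suppression]) -> bool:
    """True if a suppression for this rule covers the tracked address."""
    for s in suppressions:
        if s.sid != ev.sid:
            continue
        net = ipaddress.ip_network(s.network, strict=False)
        if ipaddress.ip_address(tracked_ip(ev, s.track)) in net:
            return True
    return False


def apply_policy(events, suppressions, thresholds) -> list[IntrusionEvent]:
    """Return the events that would actually be logged and displayed."""
    threshold_by_sid = {t.sid: t for t in thresholds}
    windows = {}  # (sid, tracked ip) -> (window start, events seen in window)
    logged = []
    for ev in sorted(events, key=lambda e: e.ts):
        if is_suppressed(ev, suppressions):
            continue                       # false positive source: never logged
        t = threshold_by_sid.get(ev.sid)
        if t is None:
            logged.append(ev)              # no threshold: log every occurrence
            continue
        key = (ev.sid, tracked_ip(ev, t.track))
        start, seen = windows.get(key, (ev.ts, 0))
        if ev.ts - start >= t.seconds:     # window expired: start a new one
            start, seen = ev.ts, 0
        if seen < t.count:                 # within the limit for this window
            logged.append(ev)
        windows[key] = (start, seen + 1)
    return logged


def run_sample() -> list[IntrusionEvent]:
    """Constructed scenario: a mail server (10.0.0.5) trips rule 1000 three
    times and is suppressed; 198.51.100.7 trips rule 2000 five times in a few
    seconds, then again after the window expires."""
    events = [
        IntrusionEvent(0.0, 1000, "10.0.0.5", "10.0.0.20"),
        IntrusionEvent(1.0, 1000, "10.0.0.5", "10.0.0.21"),
        IntrusionEvent(2.0, 1000, "10.0.0.5", "10.0.0.22"),
        IntrusionEvent(3.0, 1000, "10.0.0.9", "10.0.0.20"),      # not the mail server
        IntrusionEvent(10.0, 2000, "198.51.100.7", "10.0.0.30"),
        IntrusionEvent(11.0, 2000, "198.51.100.7", "10.0.0.30"),
        IntrusionEvent(12.0, 2000, "198.51.100.7", "10.0.0.30"),
        IntrusionEvent(12.5, 2000, "203.0.113.4", "10.0.0.30"),  # separate source
        IntrusionEvent(13.0, 2000, "198.51.100.7", "10.0.0.30"),
        IntrusionEvent(14.0, 2000, "198.51.100.7", "10.0.0.30"),
        IntrusionEvent(75.0, 2000, "198.51.100.7", "10.0.0.30"),  # new window
    ]
    suppressions = [Suppression(1000, "by_src", "10.0.0.5/32")]
    thresholds = [Threshold(2000, "by_src", count=2, seconds=60)]
    return apply_policy(events, suppressions, thresholds)


if __name__ == "__main__":
    for ev in run_sample():
        print(ev)                         # 5 events are logged out of 11
```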
event view A workflow view containing a set of events. You can constrain the events
included in an event view using an event search or using simple constraints or
complex constraints.
export A method that you can use to transfer various configurations from appliance to
appliance. You can export intrusion policies, RNA detection policies, system
policies, health policies, dashboards, custom workflows and tables, and some
RNA detectors. After you export a configuration from one appliance, you can
import it onto another appliance of the same type.
fail-open card A network interface card that allows network traffic to pass through a 3D Sensor
that uses IPS detection engines that are deployed inline, even if the appliance
itself fails or loses power.
feature license A license you can add to an appliance that enables additional features, including
NetFlow, Intrusion Agents, Sourcefire 3D Sensor Software for X-Series,
Sourcefire Virtual 3D Sensors, and the ability to monitor a number of hosts with
RNA or users with RUA.
fingerprint An established definition that RNA compares against specific packet header
values and other unique data from network traffic to identify a host's operating
flow event An event generated when RNA detects that a connection between a monitored
host and any other host is terminated. Flow events include information about the
collected traffic, including the first packet of the transaction, the last packet of the
transaction, the source IP address and port, the destination IP address and port,
the number of packets and bytes sent and received by the monitored host, and
the client application and URL involved in the transaction, if applicable.
flow summary Flow data aggregated over a five-minute interval. You can choose to store flow
data only as flow summaries to save disk space.
flow tracker One or more conditions that constrain a compliance rule so that after the rule’s
initial criteria are met, RNA begins tracking certain flows. The rule then triggers
only if the tracked flows meet additional criteria.
gateway A device that acts as an entrance to and controls traffic within your organization’s
network. When you set up your 3D Sensor or Defense Center, you must specify
the IP address of the gateway device for your network.
GID (generator ID) A number that indicates which component of the Sourcefire 3D System
generated an intrusion event. GIDs help you analyze events more effectively by
categorizing the type of event in the same way a rule’s SID offers context for the
packets that trigger rules.
health alert An alert generated by the Defense Center or Master Defense Center when a
specific health event occurs.
health event An event that is generated when one of the appliances in your deployment meets
(or fails to meet) performance criteria specified in a health module. Health events
indicate which module triggered the event and when the event was triggered.
health monitor A feature that continuously monitors the performance of the appliances in your
deployment. The health monitor uses health modules to test various performance
aspects of the appliances. You configure the health monitor using a health policy.
health monitor blacklist A blacklist that temporarily disables aspects of health monitoring to
prevent the Defense Center from generating unnecessary health events. You can
disable monitoring for a group of appliances, a single appliance, or a specific
health module.
health module A test of a particular performance aspect of one of the appliances in your
deployment. For example, you can monitor CPU usage or available disk space.
You can configure health modules to generate health events and health alerts
when the performance aspects they monitor reach a certain level.
health policy The criteria used when checking the health of an appliance in your deployment.
Health policies use health modules to indicate whether your Sourcefire 3D
System hardware and software are working correctly. The Defense Center and
Master Defense Center are delivered with default health policies; you can modify
them or create your own.
high availability A feature that allows you to designate redundant Defense Centers to manage
groups of sensors. Event data streams from managed sensors to both Defense
Centers and certain configuration elements are maintained on both Defense
Centers. If your primary Defense Center fails, you can monitor your network
without interruption using the secondary Defense Center.
hop The trip a packet takes from one router or intermediate point to another in the
network. RNA detects the number of network hops that exist between the
sensors and the hosts they monitor, which provides you with information about
the physical location of the hosts on your network.
host A device that is connected to a network and has a unique IP address. To RNA, a
host is any identified host that is not categorized as a bridge, router, NAT device,
or load balancer.
host attribute A tool you can use to provide information about hosts detected by RNA and to
classify them in ways that are important to your network environment. For
example, you could create a host attribute that designates the physical location of
each host on your network. You can use and configure the two predefined host
attributes, host criticality and notes, as well as create your own host attributes. In
addition, when you create a compliance white list, RNA automatically creates a
host attribute that indicates the compliance of the host. You can use host
attributes in compliance rules and compliance white lists, and you can search for
hosts with specific host attribute values. You also can generate reports based on
host attributes.
host criticality A host attribute that indicates the business criticality (importance) of any given
host detected by RNA. You can use host criticality values when searching for
hosts or when creating compliance rules and compliance white lists.
host event An event indicating that RNA has detected a host. RNA collects information about
the hosts on monitored network segments. The information that RNA collects
comprises that host’s host profile.
host import input data Host input data imported using a command line utility or the host input API.
host input A feature that allows you to import host data from third-party applications to
augment the information in the RNA network map using scripts or command-line
files. You can also use the host input feature through the web interface to modify
operating system or service identities or to delete services, protocols, host
attributes, or client applications.
host input event An event that is created when a change is made to your network map using the
host input feature.
host profile Collected information about a specific host detected by RNA. This includes
general host information, such as its name and operating system, as well as its
user history, host attributes, the protocols it uses, the services it is running, VLAN
information, client applications running on the host, applicable white list
violations, detected vulnerabilities, and any scan results for that host.
host profile qualification A constraint placed on a traffic profile or compliance rule. A host
profile qualification within a compliance rule specifies that the Defense Center
should generate a compliance event only if the host involved meets certain
criteria. A host profile qualification within a traffic profile limits the hosts that are
profiled.
host statistics Information you can obtain about an appliance, including uptime, system memory
usage, load average, disk usage, a summary of system processes, and, on the
Defense Center, information about data correlator processes.
host view The final page in workflows based on RNA events (with the exception of
workflows based on vulnerabilities, which use the vulnerability detail page). The
host view displays the host profiles of the hosts involved in the events you are
viewing.
HTTP Inspection A preprocessor that decodes and normalizes URI data sent to and received from
web servers on your network, detects and generates events against possible
URI-encoding attacks, and makes the normalized data available for additional rule
processing. This is important because HTTP traffic can be encoded in a variety of
formats, making it difficult for IPS to inspect packets accurately.
identity conflict A conflict event that occurs when RNA reports a new passive identity that
conflicts with the current active identity and previously-reported passive
identities.
impact The qualification of each intrusion event on a Defense Center based on whether
RNA deployed on the same segment detected a vulnerable service or open port
on the target of the attack. If the targeted host is not vulnerable, the impact of the
attack is low. However, if the targeted host is vulnerable, then the impact is high
and you should act to mitigate the effects of the attack.
impact flag For intrusion events, an indicator of the correlation between intrusion data, RNA
network discovery events, and vulnerability information. A red impact flag means
that the host is vulnerable to the attack represented by the intrusion event,
orange means it is potentially vulnerable, and so on. Intrusion events detected on
network segments not monitored by RNA have gray impact flags; this indicates
that the Defense Center cannot determine the events’ impact.
import A method that you can use to transfer various configurations from appliance to
appliance. You can import intrusion policies, RNA detection policies, system
policies, health policies, dashboards, custom workflows and tables, and RNA
detectors that you previously exported from another appliance of the same type.
inactive period An interval during which a compliance rule does not trigger. You can configure an
inactive period to occur daily, weekly, or monthly and to begin at a specified time
and last a specified number of minutes. For example, you might perform a nightly
Nessus scan on your internal network to look for vulnerabilities. In that case, you
could set a daily inactive period on the affected compliance rules for the time and
duration of your scan so those rules do not trigger erroneously. See also snooze
period.
incident One or more intrusion events that you suspect are involved in a possible violation
of your security policy. The Sourcefire 3D System provides incident-handling
features that you can use to collect and process information that is relevant to
your investigation of the incident.
inline A type of interface set that allows you to deploy a 3D Sensor inline on a network.
In this configuration, the IPS component can affect the traffic flow on the
monitored network, including dropping malicious packets.
inline intrusion policy An intrusion policy that you apply to an IPS detection engine configured with an
inline or inline with fail open interface set. Inline intrusion policies can contain
intrusion rules that not only generate intrusion events based on network traffic
content, but that also can drop malicious packets and replace their content with
benign alternatives. You designate an intrusion policy as inline by setting the
protection mode to inline. Compare with passive intrusion policy.
inline with fail open A type of interface set that allows you to use a compatible fail-open card that
allows network traffic to continue flowing if the appliance fails for any reason.
interface set One or more sensing interfaces on a 3D Sensor that you can use to monitor
network segments for one or more detection engines. You can use passive,
inline, or inline with fail open interface sets.
internal authentication An authentication method that stores user credentials in a local database. When a
user logs into the appliance, the user name and password are checked against the
information in the database. Compare with external authentication.
Intrusion Agent Software that can be installed on certain Red Hat Linux, FreeBSD or Sun Solaris
servers to transmit intrusion events generated by Snort to the Defense Center.
You can use the Defense Center to aggregate event information from Intrusion
Agents with data from 3D Sensors with IPS.
intrusion event A record of the network traffic that violated an intrusion policy. Intrusion event
data includes the date, time, and the type of exploit, as well as other contextual
information about the source of the attack and its target.
intrusion policy Either a passive intrusion policy or an inline intrusion policy. Intrusion policies
include a variety of components that you can configure to inspect your network
traffic for intrusions and policy violations. These components include
preprocessors; intrusion rules that inspect the protocol header values, payload
content, and certain packet size characteristics; adaptive profile configuration;
RNA recommended rules configuration; and tools that allow you to control how
often events are logged and displayed.
intrusion rule A set of keywords and arguments that, when applied to captured network traffic,
identify potential intrusions, policy violations, and security breaches. IPS
compares packets against the conditions specified in each rule and, if the packet
data matches all the conditions specified in the rule, the rule triggers and
generates an intrusion event. Intrusion rules include alert rules, drop rules, and
pass rules.
IP address A 32-bit (IPv4) or 128-bit (IPv6) number, usually represented in dot notation (for
example, 192.168.34.166), that identifies the host that sends or receives packets
on the Internet or on the local network.
Intrusion Event Analyst A user role that provides access to IPS analysis features, including intrusion event
views, incidents, and reports. Intrusion Event Analysts see the main toolbar and
IPS analysis-related options on the Analysis & Reporting and Operations menus.
The Intrusion Event Analyst (Read Only) role provides read-only access to the
same set of functions.
layer A complete set of option settings for all IPS features. In a basic intrusion policy, all
layer interactions are transparent to the user. You can add custom user layers to
the built-in layer or layers in your policy to create a more advanced intrusion policy.
In either a basic intrusion policy or an advanced intrusion policy, the setting in a
higher layer for an intrusion policy feature or feature option overrides a setting for
the same feature or option in a lower layer.
LDAP authentication A form of external authentication that verifies user credentials by comparing them
to a Lightweight Directory Access Protocol (LDAP) directory stored on an LDAP
directory server.
link state propagation mode An option you can enable for an inline interface set. With this option enabled,
when one of the interfaces goes down the other interface in the set is
automatically brought down within a few seconds. For copper fail-open NIMs,
when the first interface comes back up the second interface comes up
automatically. Link state propagation mode is also available for fiber interface
cards, but that recovery is not automatic. To restore fiber interfaces you must
reset the NIM. Crossbeam-based software sensors and 3D9800 sensors do not
support this feature.
load balancer A network device that distributes network traffic to optimize performance and
resource use. RNA identifies network devices as load balancers if the TTL value
changes from the client side, or if the TTL value changes more frequently than a
typical boot time. RNA distinguishes between load balancers and NAT devices
depending on what side the analyzed traffic is coming from: server (load balancer)
or client (NAT device).
MAC address Media Access Control address. A MAC address is a NIC’s (network interface
card’s) unique hardware address. RNA detects the MAC addresses and hardware
vendors of the NICs for the hosts and network devices on your network.
managed sensor A 3D Sensor, Intrusion Agent, or software sensor configured and managed by a
Defense Center.
management interface The network interface that you use to administer the Defense Center or
3D Sensor. In most installations, the management interface is connected to an
internal, protected network. Compare with sensing interface.
Maintenance User A user role that provides access to monitoring and maintenance features.
Maintenance users see the main toolbar and maintenance-related options on the
Operations top-level menu.
Master Defense Center A special-purpose appliance that is capable of aggregating intrusion events and
compliance events from up to ten other Defense Centers. A Master Defense
Center is also able to collect health status from its managed Defense Centers.
NAT device A network device that performs network address translation (NAT), most
commonly to share a single internet connection among multiple hosts on a
private network. RNA identifies network devices as NAT devices if the TTL value
changes from the client side, or if the TTL value changes more frequently than a
typical boot time. RNA distinguishes between load balancers and NAT devices
depending on what side the analyzed traffic is coming from: server (load balancer)
or client (NAT device).
Nessus An open source vulnerability scanner developed through the Nessus Project
(http://www.nessus.org/) that uses Nessus plugins to test for vulnerabilities on
the hosts that it scans.
Nessus plugin A Nessus script written in the Nessus Attack Scripting Language (NASL) that
tests for a specific vulnerability on your system. Over 9000 Nessus plugins exist.
Nessus plugin family A group of Nessus plugins of a particular type. The Sourcefire 3D System
integration with Nessus allows you to select the plugins used to scan by enabling
or disabling plugin families.
Nessus scan A network scan for vulnerabilities that emulates the actions of an attacker.
Nessus scans use plugin families (see Nessus plugin family) to test for specific
vulnerabilities on your network. You can manually run Nessus scans, or you can
schedule periodic scans. Within a compliance policy, you can configure a Nessus
scan as a response (or remediation) to a compliance event or white list event.
NetFlow An open but proprietary network protocol for collecting IP traffic information,
developed by Cisco Systems to run on Cisco IOS-enabled equipment. You can
use the information collected by NetFlow-enabled devices to supplement the
data collected by RNA and to monitor networks not covered by 3D Sensors with
RNA.
network device In the Sourcefire 3D System, a bridge, router, NAT device, or load balancer.
network discovery event A kind of RNA event that communicates the details of changes to the hosts on
your monitored network. New events are generated for newly discovered
network features, and change events are generated for any change in previously
identified network assets. Settings in the system policy determine the types of
network discovery events that are stored in the RNA database.
network map A detailed representation of your network generated by RNA. The network map
allows you to view your network topology in terms of the hosts and network
devices running on your network as well as their associated host attributes,
services, and vulnerabilities.
Nmap An open source active scanner that you can use to detect operating systems and
services running on a host. Running an Nmap scan adds the information detected
to your network map.
Nmap scan A scan of a designated host or hosts to detect operating systems and services.
NTP Network Time Protocol. NTP uses Coordinated Universal Time (UTC time) to
synchronize the computer clocks in a network. You can synchronize the Defense
Center’s time with an NTP server. You can also configure a Defense Center as an
NTP server so that managed sensors can synchronize time with it.
object, for import or export A policy or rule that is created on an appliance and can be exported from that
appliance and imported by another appliance. Depending on the type of appliance
and the components you are licensed to use, you can import and export some
RNA detectors, custom table views, custom workflows, dashboards, system
policies, intrusion policies, custom intrusion rules and rule classifications, RNA
detection policies, and health policies.
operating system identity The operating system vendor and version details for an operating system on a
host.
packet A unit of data routed between a source and a destination on a network. When
data travels from one place to another on a network, the file is divided into chunks
of an efficient size, called packets, for routing. The packets that comprise a single
file may travel different routes through the network, but can be reassembled into
the original file at the receiving end. If you are licensed for the IPS component,
you can view the portion of a packet that was captured as part of an intrusion
event.
packet decoder rule A rule associated with a detection option of the packet decoder included in the
IPS component of the Sourcefire 3D System. You must enable packet decoder
rules if you want them to generate events. Packet decoder rules have a GID
(generator ID) of 116.
packet view A type of workflow page that provides detailed information about the packet that
triggered an intrusion rule or the preprocessor that generated an intrusion event.
The packet view is the final page in workflows based on intrusion events.
pass rule An intrusion rule that, when triggered, does not generate an intrusion event and
does not log the details of the packet that triggered the rule. Pass rules allow you
to prevent packets that meet specific criteria from generating an event in specific
situations, as an alternative to disabling the intrusion rule. Compare with alert rule
and drop rule.
passive A type of interface set that allows you to deploy a 3D Sensor passively on a
network. In this configuration, the IPS component cannot affect the traffic flow,
and should be used with a passive intrusion policy.
passive detection The detection of host operating system and service information through analysis
of traffic passively collected by RNA.
passive intrusion policy An intrusion policy applied to an IPS detection engine configured with a passive
interface set. You can also apply a passive intrusion policy to an IPS detection
engine that uses an inline or inline with fail open interface set. You designate an
intrusion policy as passive by setting the protection mode to passive. Compare
with inline intrusion policy.
payload In an event, the content of HTTP traffic detected by RNA, if available. Payload
information is comprised of a payload type, which represents the general content
type (for example, audio or video) as well as a payload, which represents the
specific type of content (for example, WMV or QuickTime).
PCRE Perl-compatible regular expression. You can search packet payloads for content
using PCREs. This is useful if you want to search for content that could be
displayed in a variety of ways; the content may have different attributes that you
want to account for in your attempt to locate it within a packet’s payload.
PEP A technology based on the hardware capabilities of 3D9900 interface sets that
allows you to use a PEP policy for advanced traffic management.
PEP policy The criteria used when determining if a PEP-capable interface set should block,
analyze, or send traffic directly through the sensor with no further inspection.
policy and response A feature you can use to build a compliance policy that responds in real-time to
threats on your network. In addition, the remediation component of policy and
response provides a flexible API that allows you to create and upload your own
custom remediation modules to respond to policy violations.
Policy & Response Administrator A user role that provides access to rules and policy configuration. Policy &
Response Administrators have access to the main toolbar and rule and
policy-related options on the Policy & Response and Operations menus.
policy violation A security breach, attack, exploit, or other misuse of your network as detected by
a compliance policy.
port The endpoint of a logical connection on a TCP or UDP network. Each port on a
host has a number, which identifies the type of port. Many services have default
ports; for example, HTTP traffic typically uses port 80. TCP and UDP use port
numbers to separate data transmissions on the same network interface on the
same host. With IPS, when you tune your intrusion policy, you can define, in both
variables and rules, specific port numbers, such as ports susceptible to shell code
exploits, HTTP (or web server) ports, and database server ports. This lets you
specify the level of granularity of inspection so that rules execute against ports
appropriate to your network needs.
predefined table A database table delivered with the Sourcefire 3D System. You can use the web
interface to view the event information in the predefined tables. Predefined tables
cannot be modified. Compare with custom table.
predefined workflow A workflow delivered with the Sourcefire 3D System. You cannot modify
predefined workflows. Compare with custom workflow and saved custom
workflow.
preprocessor A feature of IPS that normalizes traffic and helps identify network layer and
transport layer protocol anomalies by identifying inappropriate header options,
defragmenting IP datagrams, providing TCP stateful inspection and stream
reassembly, and validating checksums. Preprocessors can also render specific
types of packet data in a format that the detection engine can analyze; these
preprocessors are called data normalization preprocessors, or application-layer
protocol preprocessors. Normalizing application-layer protocol encoding allows
the detection engine to effectively apply the same content-related rules to
packets whose data is represented differently and obtain meaningful results.
Preprocessors generate preprocessor events whenever packets trigger
preprocessor options that you configure.
preprocessor event A type of intrusion event that is generated when a packet triggers specified
preprocessor options. Preprocessor events can help you detect anomalous
protocol exploits.
preprocessor rule A rule associated with a detection option of one of the preprocessors or with the
portscan flow detector included in the IPS component of the Sourcefire 3D
System. You must enable preprocessor rules if you want them to generate
events. Preprocessor rules have a preprocessor-specific GID (generator ID).
private search A named set of search terms that is tied to your user account. Only you and users
with Administrator access can use your private searches.
protection mode An intrusion policy setting that determines how IPS handles rule states set to
Drop and Generate Events in an inline deployment. When you apply an inline
intrusion policy to a detection engine on a 3D Sensor with an inline interface set,
IPS drops packets that trigger enabled preprocessor rules, packet decoder rules,
or intrusion rules that are set to Drop and Generate Events and generates events
for the triggered rules.
protected network Your organization’s internal network that is protected from users of other
networks by a device such as a firewall. Many of the intrusion rules delivered with
the Sourcefire 3D System use variables to define the protected network and the
unprotected (or outside) network.
rate filtering A form of anomaly detection that sets a new rule state for a rule based on the rate
of matching traffic.
remediation An action that mitigates potential attacks on your system. You can configure
remediations and, within a compliance policy, associate them with compliance
rules and compliance white lists so that when they trigger, the Defense Center
launches the remediation. This not only can automatically mitigate attacks when
you are not immediately available to address them, but also can ensure that your
system remains compliant with your organization’s security policy. The Defense
Center ships with predefined remediation modules: three that are designed for
particular firewalls and routers, one that lets you perform Nessus scans, one that
lets you perform Nmap scans, and one that lets you set host attributes. You also
can use a flexible API to create custom remediations.
replace rule When using an inline IPS detection engine, you use the replace keyword in a
custom standard text rule to replace a specific string with exactly the same
number of characters. This allows you to replace the content of malicious packets
with benign alternatives. Only the first instance of the content found by the rule is
replaced. The sensor automatically updates the packet checksum so that the
destination host can receive the packet without error.
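As an added illustration of the mechanics described above (example code written for this entry, not the sensor's own implementation): a same-length replacement applied to the first match in a TCP payload, followed by the TCP checksum recomputation that keeps the packet deliverable. The packet builder, the addresses and the content strings are constructed for the example.

```python
# Added example (not from the Sourcefire guide): what a replace rule does to an
# inline packet, with the TCP checksum recomputed afterwards. Packet builder,
# addresses and content strings are constructed for the example.
import struct


def ones_complement_sum(data):
    """Internet checksum (RFC 1071) over data, padded to an even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _tcp_with_checksum(src, dst, tcp):
    """Fill in the TCP checksum, which covers a pseudo-header plus the segment."""
    tcp = tcp[:16] + b"\x00\x00" + tcp[18:]
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, 6, len(tcp))
    csum = ones_complement_sum(pseudo + tcp)
    return tcp[:16] + struct.pack("!H", csum) + tcp[18:]


def build_ipv4_tcp(src, dst, sport, dport, payload):
    """Minimal IPv4 + TCP (PSH/ACK) packet with valid checksums, for the demo."""
    src_b = bytes(map(int, src.split(".")))
    dst_b = bytes(map(int, dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    tcp = _tcp_with_checksum(src_b, dst_b, tcp + payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return ip + tcp


def tcp_checksum_ok(pkt):
    """A valid segment sums to zero when the stored checksum is included."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    pseudo = struct.pack("!4s4sBBH", pkt[12:16], pkt[16:20], 0, 6, len(tcp))
    return ones_complement_sum(pseudo + tcp) == 0


def tcp_payload(pkt):
    """Return the TCP payload of an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    doff = (pkt[ihl + 12] >> 4) * 4
    return pkt[ihl + doff:]


def apply_replace(pkt, content, replacement):
    """Replace the first occurrence of content with a same-length replacement.

    Returns (packet, changed). The replacement must be exactly as long as the
    content so that no length field elsewhere in the packet has to change;
    only the TCP checksum is recomputed.
    """
    if len(content) != len(replacement):
        raise ValueError("replacement must have the same length as content")
    ihl = (pkt[0] & 0x0F) * 4
    doff = (pkt[ihl + 12] >> 4) * 4
    payload = pkt[ihl + doff:]
    idx = payload.find(content)
    if idx < 0:
        return pkt, False
    payload = payload[:idx] + replacement + payload[idx + len(content):]
    tcp = _tcp_with_checksum(pkt[12:16], pkt[16:20], pkt[ihl:ihl + doff] + payload)
    return pkt[:ihl] + tcp, True


# Constructed sample: the content appears twice; only the first occurrence is replaced.
SAMPLE = build_ipv4_tcp("203.0.113.9", "192.168.34.166", 40000, 80,
                        b"GET /cgi-bin/ATTACK?x=ATTACK HTTP/1.0\r\n")

if __name__ == "__main__":
    rewritten, changed = apply_replace(SAMPLE, b"ATTACK", b"BENIGN")
    print(changed, tcp_checksum_ok(rewritten), tcp_payload(rewritten))
```

Verifying the rewritten packet with tcp_checksum_ok shows why the checksum step matters: a byte-for-byte substitution without it leaves a segment the destination host discards.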
report profile A template for an event report. You can create and save custom report profiles.
You can then manually run reports based on the profiles, or schedule the
Sourcefire 3D System to generate reports automatically. You can use report
profiles to add your company logo to reports, define the set of events that appear,
specify the amount of detail, and specify the report’s output file format.
Restricted Event Analyst A user role that can provide access to the same features as Intrusion Event
Analyst or RNA Event Analyst access. You can restrict access by only allowing
access to those events that match specified search criteria or you can turn off
access for an entire category of events. Restricted event analyst users see only
the main toolbar and analysis-related options on the Analysis & Reporting and
Operations menus. The Restricted Event Analyst (Read Only) role provides
read-only access to the same set of functions.
RNA detection policy A policy that you apply to RNA detection engines that specifies the kinds of data
RNA collects, as well as the network segments each RNA detection engine or
NetFlow-enabled device monitors.
RNA detector An RNA detector provides RNA with the information needed to identify
non-standard services, including the port used by service traffic, a pattern within
the traffic, or both the port and the pattern. The Sourcefire 3D System is delivered
with many internal RNA detectors, or you can create your own. In addition,
Sourcefire may deliver additional RNA detectors that you can add to the
Sourcefire 3D System via vulnerability database updates or via the Import/Export
feature.
RNA event An event generated by RNA. RNA events include network discovery events,
which communicate the details of changes to the hosts on your monitored
network, and flow events, which are records of sessions involving monitored
hosts. RNA events also include client application events, host events, host
attributes, and service events, which provide general information about your
network topology. A vulnerability is also considered an RNA event.
RNA Event Analyst A user role that provides access to RNA analysis features, including event views,
network maps, host profiles, services, vulnerabilities, client applications, and
reports. RNA Event Analysts see the main toolbar and RNA analysis-related
options on the Analysis & Reporting and Operations menus. The RNA Analyst
(Read Only) role provides read-only access to the same set of functions.
RNA Recommendations layer A built-in layer in an intrusion policy that exists when you choose to allow IPS to
modify the rule states of shared object rules and standard text rules to the states
recommended by the RNA recommended rules feature. You cannot manually
modify or remove this layer. IPS removes or restores the layer when you decide
to not use or use, respectively, recommendations for a policy.
RNA recommended rules A feature that recommends which rules should be enabled or disabled in your
intrusion policy, based on information from your RNA network map. You can
choose to allow the system to modify rule states based on recommendations, in
which case the system adds a read-only RNA Recommendations layer.
RUA Real-time User Awareness, also called RUA, allows your organization to correlate
threat, endpoint, and network intelligence with user identity information.
RUA Agent An RUA Agent is an agent you install on a Microsoft Active Directory server to
monitor users as they log into the network or when they authenticate against
Active Directory credentials for any other reason.
RUA event An event generated by RUA in response to a detected user login or the addition or
deletion of a user from the RUA database. RUA events are stored in the RUA
database.
RUA user A user detected by RUA whose user identity data is stored in the RUA database.
rule A construct that provides criteria against which network traffic is examined. Rules
can detect a variety of intrusions, attacks, exploits, and suspicious traffic. See
compliance rule, intrusion rule, alert rule, pass rule, and drop rule.
rule state Whether an intrusion rule is enabled, disabled, or set to Drop within an intrusion
policy. If you enable a rule, it is used to evaluate your network traffic; if you
disable a rule, it is not used. A drop rule drops any packets that trigger the rule;
note that you can set the Drop rule state only in an inline intrusion policy.
saved custom workflow A custom workflow that is based on a custom table and delivered with the
Defense Center. Unlike predefined workflows, you can modify saved custom
workflows.
scheduled task An administrative task that you can schedule to run once or at recurring intervals.
Depending on the appliance where you are creating the task, you can schedule
tasks to run backups, apply an intrusion policy, generate reports, download and
install SEUs, manage RNA recommended rules, run Nmap scans, run Nessus
scans and synchronize Nessus plugins, download and install software and
vulnerability database updates, and push downloaded updates to managed
sensors.
security policy An organization's guidelines for protecting its network. For example, your security
policy might forbid the use of wireless access points. A security policy may also
include an acceptable use policy (AUP), which provides employees with
guidelines of how they may use their organization’s systems. For example, your
AUP might forbid the use of instant messaging client applications.
sensing interface A network interface on a sensor that you use to monitor a network segment. You
can connect sensing interfaces to your network in various ways. How you plan to
deploy your detection engines (passively or inline) affects how you connect them
to your network. Compare with management interface.
sensitive data A preprocessor that detects sensitive data such as credit card numbers and Social
Security numbers in ASCII text. This can be particularly useful for detecting
accidental data leaks that can occur, for example, when an employee emails
themselves a list of credit card numbers to work with at home.
sensor group On the Defense Center, a logical group that can contain one or more managed
sensors so you can more readily manage them. For example, you can easily apply
a system policy to, or install updates on, multiple sensors at once.
Series 1 appliance The first series of Sourcefire appliance models, including the following models:
3D500 PW, 3D1000 NH, 3D2000 NH, 3D2100 NH, 3D3000 JR, DC1000 JR,
DC3000 JR, and the 3Dx800 sensor models.
Series 2 appliance The second series of Sourcefire appliance models, including the following
models: 3D500 PB, 3D1000 PB, 3D2000 PB, 3D2100 FR, 3D2500 FR, 3D3500
FR, 3D4500 FR, DC1000 AL, DC3000 AL, and MDC3000 AL. All appliances
currently shipping from Sourcefire, with the exception of the 3Dx800 models, are
Series 2 appliances.
service Work performed by a server. NTP, SSH, HTTP, and AIM are examples of services.
service event An event indicating that RNA has detected a service running on a specific host.
RNA collects information about all services run by hosts on monitored network
segments. The information that RNA collects includes the name of the service,
the protocol used by the service, the IP address of the host running a service, and
the port on which the service is running.
service identity The service type, vendor, and version details for a service on a host.
SEU (Security Enhancement Update) An as-needed product update that contains new and updated standard text rules
and shared object rules. In addition, SEUs can provide your Defense Centers and
3D Sensors with an updated version of Snort, as well as features such as new
preprocessors and decoders.
shared object rule An intrusion rule delivered as a binary module compiled from C source code. You
can use shared object rules to detect attacks in ways that standard text rules
cannot. You cannot modify the rule keywords and arguments in a shared object
rule; you are limited to either modifying variables used in the rule, or modifying
aspects such as the source and destination ports and IP addresses and saving a
new instance of the rule as a custom shared object rule. Shared object rules have
a GID (generator ID) of 3.
SID A unique identifying number assigned to each intrusion rule. When you create a
new rule or modify an existing standard text rule, it is given a SID (Signature ID,
also called Snort ID) of 1,000,000 or greater. The SIDs for shared object rules and
standard text rules delivered with the Sourcefire 3D System are lower than
1,000,000. Also, preprocessors and decoders use SIDs to identify the different
types of packets they detect.
simple condition A single constraint placed on a compliance rule, flow tracker, host profile
qualification, or traffic profile. You can link simple conditions with other simple or
complex conditions using AND or OR operators.
simple constraint A simple constraint sets a single constraint on the events retrieved in an event
view or event search.
SNMP alerting The transmission of an alert as an SNMP trap. Each event SNMP trap contains
information identifying the server's name, the sensor’s IP address, and the event
data.
SNMP trap A message sent by a network device on UDP port 162 using the Simple Network
Management Protocol (SNMP) when errors or specific events occur on the
network. See also SNMP alerting.
snooze period An interval specified in seconds, minutes, or hours after a compliance rule
triggers during which the Defense Center stops firing that rule, even if the rule is
violated again during the interval. When the snooze period has elapsed, the rule
can trigger again (and start a new snooze period). See also inactive period.
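The interaction between a snooze period and an inactive period (see inactive period) can be modelled in a few lines. The following is an added example, not Defense Center code: it models only a daily inactive period (the guide also allows weekly and monthly ones), and the rule, the window lengths and the event times are constructed for the example.

```python
# Added example (not from the Sourcefire guide): how a snooze period and a
# daily inactive period gate a compliance rule. Windows, times and the event
# sequence are constructed; the real Defense Center scheduler is not shown.
from datetime import datetime, time, timedelta


class ComplianceRuleGate:
    """Decides whether a compliance rule that matched an event actually fires."""

    def __init__(self, snooze, inactive_start=None, inactive_minutes=0):
        self.snooze = snooze                  # quiet time after a firing (timedelta)
        self.inactive_start = inactive_start  # time of day the daily inactive period begins, or None
        self.inactive_minutes = inactive_minutes
        self.snoozed_until = None
        self.fired_at = []

    def in_inactive_period(self, now):
        """True while inside today's inactive window (or yesterday's, if it spans midnight)."""
        if self.inactive_start is None:
            return False
        start = datetime.combine(now.date(), self.inactive_start)
        if now < start:
            # The window that matters may be the one that began yesterday.
            start -= timedelta(days=1)
        end = start + timedelta(minutes=self.inactive_minutes)
        return start <= now < end

    def is_snoozed(self, now):
        return self.snoozed_until is not None and now < self.snoozed_until

    def evaluate(self, now, matched):
        """Return 'fired', 'inactive', 'snoozed' or 'no-match' for one event."""
        if not matched:
            return "no-match"
        if self.in_inactive_period(now):
            return "inactive"
        if self.is_snoozed(now):
            return "snoozed"
        self.snoozed_until = now + self.snooze   # a firing starts a new snooze period
        self.fired_at.append(now)
        return "fired"


def run_scenario():
    """Constructed sequence: 10-minute snooze, nightly scan window at 02:00 for 60 minutes."""
    gate = ComplianceRuleGate(snooze=timedelta(minutes=10),
                              inactive_start=time(2, 0), inactive_minutes=60)
    day = datetime(2010, 5, 1)
    events = [
        (day.replace(hour=1, minute=0), True),    # fires, snoozed until 01:10
        (day.replace(hour=1, minute=5), True),    # inside the snooze period
        (day.replace(hour=1, minute=11), True),   # snooze elapsed, fires again
        (day.replace(hour=2, minute=30), True),   # inside the inactive period
        (day.replace(hour=3, minute=0), False),   # rule did not match
        (day.replace(hour=3, minute=0), True),    # fires
    ]
    return [gate.evaluate(t, m) for t, m in events]


if __name__ == "__main__":
    print(run_scenario())
```

The inactive-period check deliberately looks back one day so that a window such as 23:30 for 60 minutes still suppresses the rule at 00:10; a naive same-day comparison would not.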
Snort An open-source intrusion detection system that performs real-time traffic analysis
and packet logging on IP networks. Snort can perform protocol analysis, content
searching and matching, and can detect a variety of attacks and probes. Snort
uses a flexible rules language to describe network traffic that it should collect or
pass. The IPS detection engines use Snort to test packets against decoders,
preprocessors, and intrusion rules.
Sourcefire-defined custom table A table that is delivered with the Defense Center that contains fields from two or
more predefined tables.
standard text rule An intrusion rule created based on the identifiers, keywords and arguments
available in the rule editor. You can create your own custom standard text rules
and modify existing standard text rules provided by Sourcefire. A standard text
rule has a GID (generator ID) of 1.
stateful inspection A preprocessor that makes sure that only packets that are part of a TCP session
established with a legitimate three-way handshake between a client and server
can generate intrusion events. This allows analysts to focus on these events
rather than the volume of events caused by denial of service (DoS) attacks like
stick or snot.
stream reassembly A preprocessor that IPS uses to collect and reassemble all of the packets that are
part of a TCP session’s server-to-client or client-to-server communication stream.
Stream reassembly allows the detection engine to inspect the stream as a single
entity rather than only the individual packets, which allows the detection engine
to identify stream-based attacks.
subnet detection A feature that allows RNA to automatically determine the closest subnets to each
RNA detection engine and then make recommendations about which detection
engines should be the reporting detection engines for specific subnets.
subnet mask A bit mask used to identify which bits in an IP address correspond to the network
address, and which correspond to the subnet portion of the address.
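An added example (not from the guide) of the bit arithmetic a subnet mask expresses, extended to the protected-network membership test that intrusion rule variables perform (see protected network). The HOME_NET block list is an assumed, constructed definition in Snort's variable style, not the guide's configuration.

```python
# Added example (not from the Sourcefire guide): subnet mask arithmetic and a
# protected-network membership check. HOME_NET below is a constructed list of
# CIDR blocks (assumed, in Snort's variable style), not the guide's own values.

def ip_to_int(ip):
    """Convert dotted-quad IPv4 text to a 32-bit integer."""
    parts = ip.split(".")
    if len(parts) != 4:
        raise ValueError(f"not an IPv4 address: {ip}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"bad octet in {ip}")
        value = (value << 8) | octet
    return value


def int_to_ip(value):
    """Convert a 32-bit integer back to dotted-quad text."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix):
    """/24 -> 0xFFFFFF00: the top `prefix` bits select the network portion."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def mask_to_prefix(mask):
    """Accept only contiguous masks (all ones followed by all zeros)."""
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    if prefix_to_mask(prefix) != m:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return prefix


def network_address(ip, mask):
    """Bits of the address selected by the mask: the network portion."""
    return int_to_ip(ip_to_int(ip) & ip_to_int(mask))


def host_portion(ip, mask):
    """Bits of the address not selected by the mask: the host portion."""
    return ip_to_int(ip) & ~ip_to_int(mask) & 0xFFFFFFFF


def in_cidr(ip, cidr):
    """True when ip lies in the block written as network/prefix."""
    net, prefix = cidr.split("/")
    mask = prefix_to_mask(int(prefix))
    return (ip_to_int(ip) & mask) == (ip_to_int(net) & mask)


# Constructed protected-network definition (assumed; Snort-style HOME_NET).
HOME_NET = ["10.0.0.0/8", "192.168.34.0/24"]


def is_protected(ip, home_net=HOME_NET):
    """True when ip falls inside any block of the protected network."""
    return any(in_cidr(ip, block) for block in home_net)


if __name__ == "__main__":
    print(network_address("192.168.34.166", "255.255.255.0"), is_protected("192.168.34.166"))
```

The contiguity check in mask_to_prefix matters in practice: a mask such as 255.0.255.0 is accepted by many parsers yet does not describe a single network, and a rule variable built from it would match traffic the analyst did not intend.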
syslog A logging system, also called the system log, used by many operating systems.
You can configure the Defense Center or 3D Sensor to perform syslog alerting.
syslog alerting The transmission of an alert as a message to an external syslog. All syslog
messages include both a facility and a priority level. The facility indicates the
subsystem (for example, FTP, NTP, or MAIL) that created the message and the
priority defines the importance of the message.
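An added example, not part of the guide, showing how the facility and priority level are packed into the PRI field that opens each syslog message and how a receiver decodes them to select the alerts worth escalating. Facility and severity codes are the standard syslog values; the sample messages are constructed.

```python
# Added example (not from the Sourcefire guide): decode the PRI prefix of a
# syslog message into facility and priority level, then pick out the messages
# that warrant attention. Codes are the standard syslog values (RFC 3164);
# the sample lines are constructed for the example.
import re

# Facility codes 0-23 with their conventional short names.
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    12: "ntp", 13: "audit", 14: "alert", 15: "clock",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
# Severity (priority level) codes 0-7; lower numbers are more urgent.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(pri):
    """Split a PRI value into (facility_code, severity_code).

    PRI = facility * 8 + severity, so the facility is the value shifted right
    by three bits and the severity is the low three bits.
    """
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return pri >> 3, pri & 0x7


def parse_syslog(line):
    """Parse one syslog line into a dict with named facility and severity."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError(f"no PRI field in: {line!r}")
    fac, sev = decode_pri(int(m.group(1)))
    return {
        "facility": FACILITIES[fac],
        "severity": SEVERITIES[sev],
        "message": m.group(2),
    }


def urgent_messages(lines, threshold="warning"):
    """Return parsed messages whose severity is at least as urgent as threshold."""
    limit = SEVERITIES.index(threshold)
    out = []
    for line in lines:
        rec = parse_syslog(line)
        if SEVERITIES.index(rec["severity"]) <= limit:
            out.append(rec)
    return out


# Constructed sample lines: <34> = auth.crit, <165> = local4.notice, <13> = user.notice.
SAMPLE = [
    "<34>Oct 11 22:14:15 sensor1 su: 'su root' failed for lonvick on /dev/pts/8",
    "<165>Oct 11 22:14:16 dc1 snort: [1:1000001:1] custom rule hit",
    "<13>Oct 11 22:14:17 dc1 health: disk usage normal",
]

if __name__ == "__main__":
    for rec in urgent_messages(SAMPLE, "err"):
        print(rec["facility"], rec["severity"], rec["message"])
```

Because the facility occupies the high bits and the severity the low three, a receiver that filters on the raw PRI number rather than on the decoded severity will mix up, for instance, local4.notice (165) with messages of much higher urgency.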
system policy Settings that are likely to be similar for multiple appliances in a deployment, such
as access configuration, authentication profiles, database limits, DNS cache
settings, the mail relay host, a notification address for database prune messages,
language selection (English or Japanese), login banner, RNA settings, and time
synchronization settings. You can configure a system policy on a Defense Center
and then apply the policy to the Defense Center and its managed sensors.
system settings Settings that are specific to a single appliance, such as appliance name, IP
address, time settings, licensing, and remote management settings. You can also
use the system settings pages to shut down or reboot an appliance and to restart
its software.
table view A type of workflow page that displays event information. Table views include a
column for each of the fields in the database. For example, the table view of
intrusion events includes columns such as Time, Priority, Impact Flag, Source IP,
Destination IP. As another example, the table view of RNA network discovery
events includes such columns as Time, Event, IP Address, MAC Address, and so
on. Generally, you use drill-down pages to constrain the events you want to
investigate before moving to the table view that shows you the details about the
events you are interested in. The table view is the next to last page in predefined
workflows; advancing from the table view leads to the packet view (for workflows
based on intrusion events), the host view (for workflows based on RNA events),
the vulnerability detail page (for workflows based on vulnerabilities), or the user
identity view (for workflows based on RUA events).
tap mode A setting for an inline interface set on a 3D3800, 3D5800, 3D9800, or 3D9900
sensor where a copy of each packet is sent to the sensor and the network traffic
flow is undisturbed instead of the packet flow passing through the sensor.
Because you are working with copies of packets rather than the packets
themselves, you cannot use drop rules or replace rules as you can with a sensor
that is deployed in the packet stream.
task queue A queue of jobs that the Defense Center or 3D Sensor needs to perform. When
you apply a policy, push updates, install software, and perform other long-running
jobs, the jobs are queued and their status reported on the Task Status page. The
Task Status page provides a detailed list of jobs and refreshes every ten seconds
to update their status.
three-way handshake The process two hosts use to establish a TCP/IP connection. A three-way
handshake occurs when the originating host sends a SYN (synchronization)
packet to the destination host. The destination then sends its own SYN packet
and an ACK (acknowledgement) packet. The originator then returns an ACK which
acknowledges the SYN/ACK packets the destination sent. With IPS, you can
configure intrusion rules to evaluate the data in established TCP sessions only.
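To show why an "established sessions only" rule matters, here is an added example (not code from the Sourcefire guide) of a minimal TCP session tracker in Python: it follows the SYN, SYN/ACK, ACK exchange described above and hands payload to a content check only once the handshake has completed, so a payload packet with no handshake behind it is ignored rather than alerted on. Host addresses, flag constants and the sample packets are constructed for illustration.

```python
# Added example: minimal TCP handshake tracker that inspects payload only in
# established sessions. Not part of the Sourcefire 3D System.
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10  # TCP flag bits (constructed constants)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: int
    payload: bytes = b""


def flow_key(pkt):
    # One key for both directions of a connection
    return tuple(sorted((pkt.src, pkt.dst)))


def track_sessions(packets, pattern):
    """Return (alerts, skipped): alerts are payload packets matching pattern
    inside an established session; skipped are payload packets seen without
    a completed three-way handshake (for example spoofed or stateless probes)."""
    state = {}  # flow key -> "SYN_SENT", "SYN_RECEIVED" or "ESTABLISHED"
    alerts, skipped = [], []
    for pkt in packets:
        key = flow_key(pkt)
        s = state.get(key)
        if pkt.flags & SYN and not pkt.flags & ACK:
            state[key] = "SYN_SENT"          # originator sends SYN
        elif pkt.flags & SYN and pkt.flags & ACK and s == "SYN_SENT":
            state[key] = "SYN_RECEIVED"      # destination answers SYN/ACK
        elif pkt.flags & ACK and s == "SYN_RECEIVED":
            state[key] = "ESTABLISHED"       # originator's ACK completes handshake
        if pkt.payload:
            if state.get(key) == "ESTABLISHED" and pattern in pkt.payload:
                alerts.append(pkt)
            elif state.get(key) != "ESTABLISHED":
                skipped.append(pkt)
    return alerts, skipped


# Constructed sample traffic: a full handshake followed by a request, then one
# stray payload packet from a host that never completed a handshake.
C, S, STRAY = "10.0.0.5", "10.0.0.9", "192.0.2.7"
SAMPLE = [
    Packet(C, S, SYN),
    Packet(S, C, SYN | ACK),
    Packet(C, S, ACK),
    Packet(C, S, ACK, b"GET /admin HTTP/1.1"),
    Packet(STRAY, S, ACK, b"GET /admin HTTP/1.1"),
]

if __name__ == "__main__":
    alerts, skipped = track_sessions(SAMPLE, b"/admin")
    print(len(alerts), "alert(s);", len(skipped), "packet(s) ignored without a handshake")
```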
traffic profile A profile of the traffic on your network, based on flow data collected by RNA over
a time span that you specify. You can create profiles using all the traffic on a
monitored network segment, or you can create more targeted profiles using
criteria based on the data in flow events. Then, you can use the policy and
response feature to detect abnormal network traffic by evaluating new traffic
against an existing profile.
transparent inline mode A setting that allows 3D Sensors configured with inline interface sets to
forward packets regardless of whether they contain MAC addresses that are valid
for the monitored network.
unidentified host A host whose operating system cannot be identified because RNA has not yet
gathered enough information about the host. Compare with unknown host.
unknown host A host whose traffic has been analyzed by RNA, but whose operating system
does not match any known fingerprints. Compare with unidentified host.
Unified file A binary file format that the Sourcefire 3D System uses to log event data.
user identity view The user identity view provides details on RUA users and a host history with a
graphic representation of the last twenty-four hours of the user’s activity.
user input data Host input data added through the Sourcefire 3D System user interface by setting
or modifying an identity.
user layer A layer in an intrusion policy where you can modify the basic feature settings and
advanced feature settings in the policy.
UTC time Coordinated Universal Time. Also known as Greenwich Mean Time (GMT), UTC is
the standard time common to every place in the world. The Sourcefire 3D System
uses UTC, although you can set the local time using the Time Zone feature.
VLAN A virtual local area network. VLANs map hosts not by geographic location, but by
some other criterion (such as by department or primary use). This is useful if you
want to separate hosts into small, logical network segments. A host’s host profile
shows any VLAN information associated with the host. VLAN information is
included in intrusion events (as the innermost VLAN tag in the packet that
triggered the event). You can filter intrusion policies by VLAN, or target
compliance white lists by VLAN.
vulnerability database A database of known vulnerabilities to which hosts may be susceptible. The
database includes such technical details as vulnerability title and identification
number, technical details, whether any exploits are known to take advantage of
the vulnerability, known solutions, and so on. RNA correlates the operating
system and services detected on each host with the vulnerability database to
help you determine whether a particular host increases your risk of network
compromise.
vulnerability detail page A page in a workflow that provides information about a specific vulnerability,
including technical details and known solutions. The vulnerability detail page is
the final page in workflows based on vulnerabilities.
white list Either a compliance white list or a list of IP addresses that you can configure
within a remediation to exempt the IP addresses from some kind of action. For
example, you could configure a firewall-based remediation to block all hosts that
trigger a specific compliance rule, with the exception of hosts specified in a white
list.
white list event An event generated when RNA detects that a valid target host has become
non-compliant with a compliance white list. For example, you can configure the
Defense Center to generate a white list event when RNA detects a new
non-compliant service running on a target host. Note that a white list event is a
special kind of compliance event.
white list violation An event that RNA generates when it detects that a host is out of compliance
with a compliance white list. The Sourcefire 3D System includes workflows that
allow you to view each of the individual white list violations, as well as the
number of violations per host.
whois A mechanism for finding contact and registration information for IP addresses. If
your Defense Center or 3D Sensor is connected to the Internet, you can use the
web interface to look up information about an IP address using the whois feature,
which uses ARIN's (American Registry for Internet Numbers) WHOIS service.
workflow A series of pages you can use to view and evaluate events by moving from a
broad view of event data to a more focused view that contains only the events of
interest to you. Workflows can include three types of pages, each of which
performs a unique function: drill-down pages, table views, and a final page (which
could be, depending upon the type of analysis you are performing, a packet view,
host view, vulnerability detail page, or user identity view). IPS provides two
categories of workflows: predefined workflows and custom workflows. The
Defense Center provides three categories of workflows: predefined workflows,
custom workflows, and saved custom workflows.
Numerics
3D Sensors 15, 16
  adding to a Defense Center 117
  deleting 121
  deleting 3Dx800s 127
  disabling communications 138
  health policy 491
  host name 137, 146
  management concepts 100
  managing 99, 113
  managing 3Dx800s 125
  resetting communications 128
  resetting management 122
  restarting 137
  sensor attributes 133
  sensor information 135
  Sensors page 115
  stopping 137
  time sync 139
  unregistering 153
  updating 405, 406
3D9900s
  clustering 227
  hardware alert details 560
3Dx800s
  health policy 491, 495
  managing 107, 125, 127
  resetting communications 128
A
access list 325
access requirements conventions 39
accessing the appliance 21, 23
Active Directory 282
adding sensors to a Defense Center 117
Admin access 305
appliance groups 179
  creating 180
  deleting 181
  editing 180
appliance heartbeat monitoring 485, 501
appliance information 135, 362
appliance status widget 67
Application 212
asynchronous routing and interface sets 216
audit log
  time window 29
audit log settings 327
auditing
  audit records 566
  field descriptions 575
  introduction 566
  searching 575
  understanding 574
  viewing 567
authentication objects 269
  creating 269
B
backup and restore 413
  remote backups 419
  scheduling backups 428
backup files
  creating 414
  location 418
  restoring 421
backup profiles 418
blacklists
  health monitoring 534, 537
  Master Defense Center 184
  system settings 362, 391
browser requirements 21
bypass mode for fail open fiber interfaces 225, 226
D
dashboards 59, 89
  adding widgets 95
  custom dashboards 89
  default dashboard 35, 59
  deleting 97
  home page 60
  modifying 93
  properties 93
  settings 331
  tabs 94, 95
  viewing 91
  widgets 60, 64
data correlator process monitoring 485, 506
database
  limits 332
  purging 598
DC500 limitations 18
E
email notification 338
email relay host 338
Enabling Fail-Safe 213
eStreamer 20
  process monitoring 486, 509
event aggregation 157
  compliance events 158
  intrusion events 158
  limitations 159
event database limits 332
event logging (RNA settings) 345
event preferences 27
event stream monitoring 511
G
global policy management 161
graphs
  health monitoring 553
  performance statistics 476
groups
  appliance groups 179
  Defense Center groups 179
  detection engines 197
  sensor groups 131
J
jumbo frames 212
M
mail relay host 338
Maintenance access 305
management interface 378
management virtual network 383
managing
  3D Sensors 99
  3Dx800s 107, 125, 127
  Defense Centers 156
V
variables
  and detection engines 199
  assigning values for detection engines 200
  creating in detection engines 202
VDB updates 410
  scheduling downloads 438
  scheduling installs 442
  scheduling pushes 440
  scheduling updates 437
vulnerability database
  updating 398
vulnerability lookup (RNA settings) 345
vulnerability mapping for services 358