Sourcefire 3D System Administrator Guide v4.9.1

Sourcefire 3D System
Administrator Guide
Version 4.9.1
Intellectual Property Notices, Disclaimers, and Terms of Use Applicable to the User Documentation.
The legal notices, disclaimers, terms of use, and other information contained herein (the “terms”) apply
only to Sourcefire, Inc. appliance discussed in the Documentation (“Documentation”) and your use of it.
The terms do not apply to or govern the use of Sourcefire's web site or Sourcefire's appliance discussed
in the Documentation. Sourcefire appliances are available for purchase and subject to a separate license
containing very different terms of use.
Terms Of Use and Copyright and Trademark Notices
The copyright in the Documentation is owned by Sourcefire, Inc., and is protected by copyright pursuant
to US copyright law, international conventions, and other laws. You may use, print out, save on a retrieval
system, and otherwise copy and distribute the documentation solely for non-commercial use, provided
that (i) you do not modify the documentation in any way and (ii) you always include Sourcefire's copyright,
trademark, and other notices, as well as a link to, or print out of, the full contents of this page and its
terms. No part of the documentation may be used in a compilation or otherwise incorporated into another
work, or be used to create derivative works, without the express prior written permission of Sourcefire,
Inc. Sourcefire, Inc. reserves the right to change the Terms at any time, and your continued use of the
Documentation shall be deemed an acceptance of those terms.
Sourcefire, the Sourcefire logo, Snort, the Snort logo, 3D Sensor, Intrusion Sensor, Intrusion Agent, Real-
time Network Awareness, RNA Sensor, Defense Center, Master Defense Center, Success Pack, and 3D
System, are trademarks or registered trademarks of Sourcefire, Inc. All other trademarks are property of
their respective owners.
© 2004 - 2010 Sourcefire, Inc. All rights reserved.
Liability Disclaimers
THE DOCUMENTATION AND ANY INFORMATION AVAILABLE FROM IT MAY INCLUDE INACCURACIES
OR TYPOGRAPHICAL ERRORS. SOURCEFIRE, INC. MAY CHANGE THE DOCUMENTATION FROM THE
TIME TO TIME. SOURCEFIRE, INC. MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE
ACCURACY OR SUITABILITY OF THE SOURCEFIRE, INC. WEB SITE, THE DOCUMENTATION, AND/OR
ANY APPLIANCE OR INFORMATION. SOURCEFIRE, INC. PROVIDES THE SOURCEFIRE, INC. WEB SITE,
THE DOCUMENTATION, AND ANY APPLIANCE OR INFORMATION “AS IS” AND SOURCEFIRE, INC.
DISCLAIMS ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING BUT NOT LIMITED TO
WARRANTIES OF TITLE OR THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL SOURCEFIRE, INC. BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, PUNITIVE, OR CONSEQUENTIAL DAMAGES
(INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, LOSS OF
DATA, LOSS OF PROFITS, AND/OR BUSINESS INTERRUPTIONS), ARISING OUT OF OR IN ANY WAY
RELATED TO THE SOURCEFIRE, INC. WEB SITE, THE DOCUMENTATION, AND/OR ANY SOFTWARE
OR INFORMATION, NO MATTER HOW CAUSED AND/OR WHETHER BASED ON CONTRACT, STRICT
LIABILITY, NEGLIGENCE OR OTHER TORTUOUS ACTIVITY, OR ANY OTHER THEORY OF LIABILITY,
EVEN IF SOURCEFIRE, INC. IS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. BECAUSE SOME
STATES/JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATIONS MAY NOT APPLY TO YOU.
The Documentation may contain “links” to sites on the Internet that are not created by, or under the
control of Sourcefire, Inc. Sourcefire, Inc. provides such links solely for your convenience, and assumes no
responsibility for the availability or content of such other sites.
2010-Jul-12 13:56
Table of Contents
Chapter 1: Introduction to the Sourcefire 3D System............................. 14

Components of the Sourcefire 3D System......................................................... 15
Real-time Network Awareness (RNA).................................................... 15
Intrusion Prevention System (IPS) ......................................................... 16
Real-time User Awareness (RUA) .......................................................... 17
PEP Traffic Management ....................................................................... 17
Defense Centers.................................................................................... 17
Master Defense Centers ....................................................................... 19
Intrusion Agents..................................................................................... 19
RNA for Red Hat Linux........................................................................... 20
RNA and IPS for Crossbeam Systems................................................... 20
eStreamer .............................................................................................. 20
Logging into the Appliance ................................................................................. 21
Logging into the Appliance to Set Up an Account .............................................. 23
Logging Out of the Appliance ............................................................................. 24
Last Successful Login......................................................................................... 25
Specifying Your User Preferences ...................................................................... 25
Changing Your Password ....................................................................... 25
Configuring Event View Settings ........................................................... 27
Setting Your Default Time Zone ............................................................. 34
Specifying Your Home Page................................................................... 35
Specifying Your Default Dashboard........................................................ 35
Using the Context Menu .................................................................................... 36
Documentation Resources ................................................................................. 37
Version 4.9.1 Sourcefire 3D System Administrator Guide 3

Table of Contents
Documentation Conventions .............................................................................. 38

Platform Requirements Conventions ..................................................... 38
Access Requirements Conventions ....................................................... 39
IP Address Conventions...................................................................................... 41
Chapter 2: Performing the Initial Setup .................................................... 43

Setting Up 3D Sensors ....................................................................................... 44
Setting up Defense Centers ............................................................................... 47
Communication Ports ......................................................................................... 50
What’s Next? ...................................................................................................... 52
Administrator User Tasks....................................................................... 53
Maintenance User Tasks........................................................................ 54
Policy & Response Administrator User Tasks ........................................ 55
RNA Event Analyst User Tasks .............................................................. 56
Intrusion Event Analyst User Tasks........................................................ 57
Chapter 3: Using Dashboards..................................................................... 59

Understanding Dashboard Widgets.................................................................... 60
Understanding Widget Availability ......................................................... 61
Understanding Widget Preferences ...................................................... 64
Understanding the Predefined Widgets ............................................................. 65
Understanding the Appliance Information Widget................................. 66
Understanding the Appliance Status Widget......................................... 67
Understanding the Compliance Events Widget..................................... 67
Understanding the Current Interface Status Widget ............................. 68
Understanding the Current Sessions Widget ........................................ 69
Understanding the Custom Analysis Widget......................................... 69
Understanding the Disk Usage Widget ................................................. 80
Understanding the Interface Traffic Widget ........................................... 81
Understanding the Intrusion Events Widget.......................................... 81
Understanding the Network Compliance Widget .................................. 82
Understanding the Product Licensing Widget ....................................... 84
Understanding the Product Updates Widget......................................... 85
Understanding the RSS Feed Widget .................................................... 86
Understanding the System Load Widget............................................... 87
Understanding the System Time Widget .............................................. 87
Understanding the White List Events Widget ....................................... 88
Working with Dashboards .................................................................................. 89
Creating a Custom Dashboard............................................................... 89
Viewing Dashboards .............................................................................. 91
Modifying Dashboards........................................................................... 93
Deleting a Dashboard ............................................................................ 97

Table of Contents
Chapter 4: Using the Defense Center........................................................ 99

Management Concepts .................................................................................... 100
The Benefits of Managing Your Sensors.............................................. 100
What Can Be Managed by a Defense Center? .................................... 101
Understanding Software Sensors ........................................................ 105
Beyond Policies and Events .................................................................. 111
Using Redundant Defense Centers ..................................................... 112
Working in NAT Environments.......................................................................... 112
Working with Sensors ...................................................................................... 113
Understanding the Sensors Page ........................................................ 115
Adding Sensors to the Defense Center ................................................ 117
Deleting Sensors ................................................................................. 121
Resetting Management of a Sensor .................................................... 122
Managing a 3Dx800 Sensor................................................................. 125
Adding Intrusion Agents ...................................................................... 130
Sensor Attributes - Intrusion Agent Page............................................. 130
Managing Sensor Groups ................................................................................. 131
Creating Sensor Groups....................................................................... 131
Editing Sensor Groups ......................................................................... 132
Deleting Sensor Groups....................................................................... 133
Editing a Managed Sensor’s System Settings .................................................. 133
Viewing a Sensor’s Information Page .................................................. 135
Stopping and Restarting a Managed Sensor ....................................... 137
Managing Communication on a Managed Sensor............................... 138
Setting the Time on a Managed Sensor .............................................. 139
Managing a Clustered Pair ................................................................................ 140
Establishing a Clustered Pair ............................................................... 142
Separating a Clustered Pair.................................................................. 144
Configuring High Availability ............................................................................. 145
Using High Availability.......................................................................... 145
Guidelines for Implementing High Availability ..................................... 149
Setting Up High Availability .................................................................. 150
Monitoring the High Availability Status ................................................ 152
Disabling High Availability and Unregistering Sensors......................... 153
Pausing Communication between Paired Defense Centers ................ 154
Restarting Communication between Paired Defense Centers ............ 154
Chapter 5: Using the Master Defense Center........................................ 156

Understanding Event Aggregation.................................................................... 157
Aggregating Intrusion Events............................................................... 158
Aggregating Compliance Events.......................................................... 158
Limitations on Event Aggregation........................................................ 159

Table of Contents
Understanding Global Policy Management....................................................... 161

Managing Global Intrusion Policies ...................................................... 161
Using RNA Detection Policies on a Master Defense Center ............... 162
Using Health Policies on a Master Defense Center............................. 162
Using System Policies on a Master Defense Center ........................... 162
Master Defense Center Policy Management Limitations .................... 163
Adding and Deleting Defense Centers ............................................................. 164
Adding a Master Defense Center ........................................................ 165
Adding a Defense Center..................................................................... 168
Deleting a Defense Center .................................................................. 171
Resetting Management of a Defense Center ...................................... 171
Using the Appliances Page ............................................................................... 173
Editing Settings for a Managed Defense Center .............................................. 175
Viewing the Defense Center Information Page ................................... 175
Editing the Event Filter Configuration .................................................. 176
Editing or Disabling Remote Management Communications .............. 178
Managing the Health Blacklist ............................................................. 178
Managing High Availability Defense Centers ....................................... 178
Managing Appliance Groups............................................................................. 179
Creating Appliance Groups .................................................................. 180
Editing Appliance Groups..................................................................... 180
Deleting Appliance Groups .................................................................. 181
Editing Master Defense Center System Settings ............................................. 181
Listing Master Defense Center Information ........................................ 182
Viewing a Master Defense Center License ......................................... 182
Configuring Network Settings.............................................................. 182
Shutting Down and Restarting the System.......................................... 182
Configuring Remote Management Networking................................... 183
Setting System Time............................................................................ 183
Blacklisting Health Policies................................................................... 184
Chapter 6: Using Detection Engines and Interface Sets...................... 185

Understanding Detection Engines .................................................................... 186
Understanding Detection Resources and 3D Sensor Models ............. 189
Understanding Default Detection Engines .......................................... 191
Managing Detection Engines............................................................................ 193
Creating a Detection Engine ................................................................ 193
Editing a Detection Engine .................................................................. 194
Deleting a Detection Engine ................................................................ 197
Using Detection Engine Groups ....................................................................... 197
Creating Detection Engine Groups ...................................................... 197
Editing Detection Engine Groups......................................................... 198
Deleting Detection Engine Groups ...................................................... 199

Table of Contents
Using Variables within Detection Engines ........................................................ 199

Assigning Values to System Default Variables in Detection Engines... 200
Creating New Variables for Detection Engines .................................... 202
Deleting and Resetting Variables ......................................................... 203
Configuring Custom Variables in Detection Engines ........................... 204
Using Portscan-Only Detection Engines .............................................. 205
Using Interface Sets ......................................................................................... 207
Understanding Interface Set Configuration Options............................ 207
Creating an Interface Set ..................................................................... 213
Creating an Inline Interface Set ........................................................... 216
Editing an Interface Set ....................................................................... 221
Deleting an Interface Set ..................................................................... 223
Using Interface Set Groups .............................................................................. 223
Creating Interface Set Groups ............................................................. 224
Editing Interface Set Groups................................................................ 224
Deleting Interface Set Groups ............................................................. 225
Inline Fail Open Interface Set Commands ........................................................ 225
Removing Bypass Mode on Inline Fail Open Fiber Interfaces ............. 225
Forcing an Inline Fail Open Interface Set into Bypass Mode ............... 226
Using Clustered 3D Sensors............................................................................. 227
Using Detection Engines on Clustered 3D Sensors ............................ 228
Understanding Interface Sets on Clustered 3D Sensors ..................... 229
Managing Information from a Clustered 3D Sensor ............................ 230
Chapter 7: Working with Event Reports.................................................. 232

Working with Event Reports............................................................................. 234
Working with Report Profiles............................................................................ 234
Generating Reports from Event Views ............................................................. 235
Managing Generated Reports........................................................................... 237
Viewing Generated Reports................................................................. 238
Downloading Generated Reports......................................................... 238
Deleting Generated Reports ................................................................ 239
Moving Reports to a Remote Storage Location................................... 239
Running Remote Reports .................................................................... 240
Understanding Report Profiles.......................................................................... 241
Understanding the Predefined Report Profiles .................................... 242
Modifying a Predefined Report Profile................................................. 246
Creating a Report Profile...................................................................... 246
Working with Report Information ..................................................................... 248
Using Report Types.............................................................................. 250
Defining Report Information ................................................................ 254

Table of Contents
Working with Report Sections .......................................................................... 255

Using Summary Reports...................................................................... 255
Including an Image File ........................................................................ 257
Defining the Report Sections............................................................... 258
Working with Report Options ........................................................................... 258
Using a Report Profile ....................................................................................... 260
Generating a Report using a Report Profile ......................................... 261
Editing Report Profiles ......................................................................... 263
Deleting Report Profiles....................................................................... 263
Chapter 8: Managing Users ...................................................................... 264

Understanding Sourcefire User Authentication ................................................ 264
Understanding Internal Authentication ................................................ 266
Understanding External Authentication ............................................... 266
Understanding User Privileges ............................................................ 267
Managing Authentication Objects .................................................................... 269
Understanding LDAP Authentication ................................................... 269
Creating LDAP Authentication Objects ................................................ 269
LDAP Authentication Object Examples ............................................... 281
Editing LDAP Authentication Objects .................................................. 286
Understanding RADIUS Authentication ............................................... 287
Creating RADIUS Authentication Objects............................................ 287
RADIUS Authentication Object Examples ........................................... 295
Editing RADIUS Authentication Objects .............................................. 298
Deleting Authentication Objects .......................................................... 298
Managing User Accounts ................................................................................. 299
Viewing User Accounts........................................................................ 299
Adding New User Accounts................................................................. 300
Managing Externally Authenticated User Accounts............................. 302
Managing User Password Settings...................................................... 303
Configuring User Roles........................................................................ 304
Modifying User Privileges and Options ............................................... 306
Modifying Restricted Event Analyst Access Properties....................... 307
Modifying User Passwords.................................................................. 311
Deleting User Accounts ....................................................................... 312
User Account Privileges....................................................................... 312
Chapter 9: Managing System Policies .................................................... 320

Creating a System Policy .................................................................................. 321
Editing a System Policy..................................................................................... 323
Applying a System Policy .................................................................................. 324
Deleting System Policies .................................................................................. 325

Table of Contents
Configuring the Parts of Your System Policy..................................................... 325

Configuring the Access List for Your Appliance ................................... 325
Configuring Audit Log Settings ............................................................ 327
Configuring Authentication Profiles ..................................................... 329
Configuring Dashboard Settings .......................................................... 331
Configuring Database Event Limits ..................................................... 332
Configuring Detection Policy Preferences ........................................... 336
Configuring DNS Cache Properties...................................................... 337
Configuring a Mail Relay Host and Notification Address ..................... 338
Configuring Intrusion Policy Preferences ............................................. 339
Specifying a Different Language .......................................................... 340
Adding a Custom Login Banner ........................................................... 341
Configuring RNA Settings .................................................................... 342
Configuring RNA Subnet Detection Settings ....................................... 349
Configuring RUA Settings .................................................................... 352
Synchronizing Time .............................................................................. 354
Mapping Vulnerabilities for Services.................................................... 358
Chapter 10: Configuring System Settings ................................................. 360

Viewing and Modifying the Appliance Information ........................................... 362
Understanding Licenses ................................................................................... 364
Understanding Feature Licenses ......................................................... 366
Verifying Your Product License ............................................................ 368
Managing Your Feature Licenses ......................................................... 370
Configuring Network Settings........................................................................... 377
Editing Network Interface Configurations......................................................... 380
Shutting Down and Restarting the System....................................................... 382
Configuring the Communication Channel ......................................................... 383
Setting Up the Management Virtual Network...................................... 384
Editing the Management Virtual Network............................................ 385
Configuring Remote Access to the Defense Center ........................................ 386
Setting the Time Manually ................................................................................ 389
Blacklisting Health Modules.............................................................................. 391
Specifying NetFlow-Enabled Devices ............................................................... 392
Managing Remote Storage............................................................................... 393
Using Local Storage ............................................................................. 393
Using NFS for Remote Storage ........................................................... 394
Using SSH for Remote Storage ........................................................... 395
Using SMB for Remote Storage .......................................................... 396

Table of Contents
Chapter 11: Updating System Software.................................................... 398

Installing Software Updates.............................................................................. 400
Updating a Defense Center or Master Defense Center ...................... 402
Updating Managed Sensors ................................................................ 404
Updating Unmanaged 3D Sensors ...................................................... 406
Uninstalling Software Updates ......................................................................... 409
Updating the Vulnerability Database................................................................. 410
Chapter 12: Using Backup and Restore .................................................... 413

Creating Backup Files ....................................................................................... 414
Creating Backup Profiles ................................................................................... 418
Performing Sensor Backup with the Defense Center ....................................... 419
Uploading Backups from a Local Host .............................................................. 420
Restoring the Appliance from a Backup File ..................................................... 421
Chapter 13: Scheduling Tasks .................................................................... 425

Configuring a Recurring Task ............................................................................ 426
Automating Backup Jobs .................................................................................. 428
Automating Software Updates ......................................................................... 430
Automating Software Downloads ........................................................ 431
Automating Software Pushes .............................................................. 433
Automating Software Installs............................................................... 435
Automating Vulnerability Database Updates .................................................... 437
Automating VDB Update Downloads................................................... 438
Automating VDB Update Pushes......................................................... 440
Automating VDB Update Installs ......................................................... 442
Automating SEU Imports.................................................................................. 444
Automating Intrusion Policy Applications.......................................................... 446
Automating Reports.......................................................................................... 448
Automating Nessus Scans................................................................................ 450
Preparing Your System to Run a Nessus Scan..................................... 450
Scheduling a Nessus Scan................................................................... 451
Synchronizing Nessus Plugins .......................................................................... 452
Automating Nmap Scans .................................................................................. 454
Preparing Your System for an Nmap Scan ........................................... 454
Scheduling an Nmap Scan ................................................................... 455
Automating Recommended Rule State Generation.......................................... 456

Table of Contents
Viewing Tasks ................................................................................................... 458

Using the Calendar .............................................................................. 459
Using the Task List............................................................................... 460
Editing Scheduled Tasks ................................................................................... 461
Deleting Scheduled Tasks ................................................................................. 461
Deleting a Recurring Task .................................................................... 462
Deleting a One-Time Task.................................................................... 462
Chapter 14: Monitoring the System ........................................................... 463

Viewing Host Statistics..................................................................................... 464
Monitoring System Status and Disk Space Usage ........................................... 468
Viewing System Process Status ....................................................................... 468
Understanding Running Processes................................................................... 471
Understanding System Daemons ........................................................ 471
Understanding Executables and System Utilities ................................ 473
Viewing IPS Performance Statistics.................................................................. 476
Generating IPS Performance Statistics Graphs ................................... 476
Saving IPS Performance Statistics Graphs .......................................... 478
Viewing RNA Performance Statistics................................................................ 478
Generating RNA Performance Statistics Graphs ................................. 479
Saving RNA Performance Statistics Graphs ........................................ 481
Chapter 15: Using Health Monitoring ........................................................ 482

Understanding Health Monitoring .................................................................... 483
Understanding Health Policies ............................................................. 484
Understanding Health Modules ........................................................... 485
Understanding Health Monitoring Configuration ................................. 489
Configuring Health Policies ............................................................................... 489
Predefined Health Policies ................................................................... 490
Creating Health Policies ....................................................................... 497
Applying Health Policies....................................................................... 528
Editing Health Policies ......................................................................... 530
Deleting Health Policies ....................................................................... 533
Using the Health Monitor Blacklist ................................................................... 534
Blacklisting Health Policies or Appliances ............................................ 535
Blacklisting a Health Policy Module ..................................................... 537

Table of Contents
Configuring Health Monitor Alerts .................................................................... 539

Preparing to Create a Health Alert ....................................................... 540
Creating Health Monitor Alerts ............................................................ 540
Interpreting Health Monitor Alerts....................................................... 542
Editing Health Monitor Alerts .............................................................. 543
Deleting Health Monitor Alerts ............................................................ 544
Chapter 16: Reviewing Health Status........................................................ 545

Using the Health Monitor ................................................................................. 545
Interpreting Health Monitor Status ...................................................... 547
Using Appliance Health Monitors ..................................................................... 547
Interpreting Appliance Health Monitor Status ..................................... 549
Viewing Alerts by Status...................................................................... 549
Running All Modules for an Appliance ................................................. 550
Running a Specific Health Module....................................................... 551
Generating Health Module Alert Graphs.............................................. 553
Generating Appliance Troubleshooting Files........................................ 554
Working with Health Events ............................................................................. 555
Understanding Health Event Views ..................................................... 556
Viewing Health Events......................................................................... 556
Understanding the Health Events Table............................................... 561
Searching for Health Events................................................................. 563
Chapter 17: Auditing the System................................................................ 566

Managing Audit Records .................................................................................. 566
Viewing Audit Records......................................................................... 567
Suppressing Audit Records.................................................................. 570
Understanding the Audit Log Table...................................................... 574
Searching Audit Records...................................................................... 575
Viewing the System Log ................................................................................... 578
Filtering System Log Messages .......................................................... 579
Using Four-Digit Year Formats on the 3D3800 ..................................... 581

Table of Contents
Appendix A: Importing and Exporting Objects .......................................... 583

Exporting Objects ............................................................................................. 584
Exporting a Custom Table .................................................................... 584
Exporting a Custom Workflow............................................................. 585
Exporting a Dashboard......................................................................... 585
Exporting a Health Policy ..................................................................... 586
Exporting an Intrusion Policy................................................................ 586
Exporting a PEP Policy ......................................................................... 588
Exporting an RNA Detection Policy...................................................... 588
Exporting a System Policy.................................................................... 588
Exporting a User-Defined RNA Detector.............................................. 589
Exporting Multiple Objects .................................................................. 590
Importing Objects ............................................................................................. 593
Appendix B: Purging the RNA and RUA Databases................................. 598
Appendix C: Viewing the Status of Long-Running Tasks ........................ 600

Viewing the Task Queue ................................................................................... 600
Managing the Task Queue ................................................................................ 602
Glossary .................................................................................................................... 603
Index .......................................................................................................................... 629

Chapter 1
Administrator Guide
tn
Introduction to the Sourcefire 3D

System
The Sourcefire 3D System™ provides you with real-time network intelligence for
real-time network defense. Sourcefire 3D System has the tools you need to:
• discover the changing assets and vulnerabilities on your network
• determine the types of attacks against your network and the impact they
have to your business processes
• defend your network in real time
The topics that follow introduce you to the Sourcefire 3D System and describe
some of the key components that contribute to its value as a part of any security
strategy for your network.
• Components of the Sourcefire 3D System on page 15 provides descriptions
of each of the components that may be in your Sourcefire 3D System.
• Logging into the Appliance on page 21 explains how to access the web
interface on your appliance and log in using one of the user accounts.
• Logging into the Appliance to Set Up an Account on page 23 explains how
to set up an association between a external user account and a set of
credentials on the appliance.
• Logging Out of the Appliance on page 24 explains how to log out of the web
interface.
• Specifying Your User Preferences on page 25 explains how to configure the
preferences that are tied to a single user account, such as the home page,
account password, time zone, dashboard, and event viewing preferences.
• Using the Context Menu on page 36 explains how to display a
context-specific menu of shortcuts on certain pages in the web interface.

Introduction to the Sourcefire 3D System
Components of the Sourcefire 3D System Chapter 1
• Documentation Resources on page 37 explains where to locate specific

information about using the Defense Center.
• Documentation Conventions on page 38 explains typeface conventions
used throughout the guide to convey specific types of information visually.
• IP Address Conventions on page 41 explains how the Sourcefire 3D System
treats IP address ranges specified using Classless Inter-Domain Routing
(CIDR) notation.
Components of the Sourcefire 3D System

The topics that follow introduce you to the Sourcefire 3D System and describe
some of the key components that contribute to its value as a part of any security
strategy for your network.
• Real-time Network Awareness (RNA) on page 15
• Intrusion Prevention System (IPS) on page 16
• Real-time User Awareness (RUA) on page 17
• Defense Centers on page 17
• Master Defense Centers on page 19
• Intrusion Agents on page 19
• RNA for Red Hat Linux on page 20
• RNA and IPS for Crossbeam Systems on page 20
• eStreamer on page 20
Real-time Network Awareness (RNA)

Sourcefire Real-time Network Awareness (also called RNA) is one of the
components of the Sourcefire 3D System that you can use on your 3D Sensor.
RNA monitors traffic on your network, using information from detected packets to
build a comprehensive map of the devices on the network. You can set up
compliance policies, compliance white lists, and traffic profiles to protect your
company’s infrastructure by monitoring network traffic for unusual patterns or
behavior and automatically responding as needed. You must use a Defense
Center to manage a 3D Sensor if it is running RNA.
As RNA passively observes traffic, listening to the network segments you specify,
it compiles the following information:
• the number and types of network devices running on your network
• the operating systems running on monitored network devices
• the active services and open ports on monitored network devices

• the vulnerabilities and exploits to which monitored network devices may be

susceptible
• flow data, which are records of active sessions involving monitored network
devices including the frequency and size of the session, as well as the
service and protocol used and, if applicable, the client application and URL
involved in the session
You can access event views and graphs to analyze this collected data. RNA builds
a host profile for each host it detects, containing host details such as detected
operating system, services, and protocols, and assigned host attributes. RNA
assigns vulnerabilities to the host based on the operating system vendor and
version detected for the host. You can access host profiles by browsing the
network map or through one of the workflows Sourcefire provides to aid your
analysis.
3D Sensors running RNA transmit the network map, event and flow data, and
sensor statistics to the Defense Center so you can see a consolidated view of
events. The Defense Center can also push health, system, and RNA detection
policies to your sensors. You can push vulnerability database (VDB) and software
updates from the Defense Center as well. For more information, see What Can
Be Managed by a Defense Center? on page 101.
Intrusion Prevention System (IPS)

The Sourcefire Intrusion Prevention System (also called IPS) is one of the
components of the Sourcefire 3D System that you can run on the 3D Sensor. IPS
allows you to monitor your network for attacks that might affect the availability,
integrity, or confidentiality of hosts on the network. By placing 3D Sensors on key
network segments, you can examine the packets that traverse your network for
malicious activity. Each 3D Sensor uses rules, decoders, and preprocessors to
look for the broad range of exploits that attackers have developed.
3D Sensors that are licensed to use IPS include a set of intrusion rules developed
by the Sourcefire Vulnerability Research Team (VRT). You can choose to enable
rules that would detect the attacks you think most likely to occur on your network.
You can also create custom intrusion rules tuned to your environment. In addition,
3D Sensors with IPS run preprocessors against detected network traffic to
normalize traffic and detect malicious packets.
When a 3D Sensor identifies a possible intrusion, it generates an intrusion event,
which is a record of the date, time, the type of exploit, and contextual information
about the source of the attack and its target. For packet-based events, a copy of
the packet or packets that triggered the event is also recorded.
In a Sourcefire 3D System deployment that includes 3D Sensors with IPS and a
Defense Center, the sensors transmit events and sensor statistics to the Defense
Center where you can view the aggregated data and gain a greater understanding
of the attacks against your network assets.The Defense Center can also push
health, system, and intrusion policies to your sensors. You can push software

updates from the Defense Center to sensors as well. For more information, see
What Can Be Managed by a Defense Center? on page 101.
If your 3D Sensor is running IPS, you can also use a local web interface to create
intrusion policies and review the resulting intrusion events. Note that if you do
manage your 3D Sensors with a Defense Center, Sourcefire recommends that
you use only the Defense Center’s web interface to interact with the sensor and
its data.
IMPORTANT! The Sourcefire 3D Sensor 3800, 3D Sensor 6800, and 3D Sensor

9800 models (usually referred to a the 3Dc800 sensors) do not have a web
interface. You must manage these models with a Defense Center.
If you deploy your 3D Sensor inline on your network and create what is called an
inline detection engine, you can configure your 3D Sensor to drop or replace
packets that you know to be harmful.
Real-time User Awareness (RUA)

The Real-time User-Awareness component (also called RUA) allows you to create
policies and response rules that are user-based. You can apply these policies and
rules across the Sourcefire 3D System. As a result, RUA enables you to
implement and enforce policies specific to individuals, departments, or other user
characteristics.
The network protocol used by your organization to provide user authentication
largely determines the amount of data and efficiency of RUA. See Using
Sourcefire RUA in the Analyst Guide for more information about RUA.
PEP Traffic Management

PEP is a technology based on the hardware capabilities of the 3D9900 Sensors.
PEP allows you to create rules to block, analyze, or send traffic directly through
the 3D9900 with no further inspection. PEP traffic management enhances the
sensor’s efficiency by allowing you to pre-select traffic to cut through or to drop
instead of analyzing.
Defense Centers
The Defense Center provides a centralized management interface and database
repository for the Sourcefire 3D System. You can analyze and respond to events
from all your sensors consistently by doing the analysis through an interface
where you can see all the data collected by the managed sensors. You can also
push policies created on the Defense Center and software updates to managed
sensors. If you have software sensors or Intrusion Agents on your network, you
must use the Defense Center to manage them. Note that a 3D Sensor running

the IPS component includes its own local web interface, but if you want to use
RNA on the sensor, you must manage the sensor with a Defense Center.
If you use your Defense Center to manage 3D Sensors that run RNA and IPS
(either on the same sensor or different sensors that monitor the same network
segments), the Defense Center correlates intrusion events from IPS with host
vulnerabilities from RNA and assigns impact flags to the intrusion events. Impact
correlation lets you focus in on attacks most likely to damage high priority hosts.
If you deploy Real-time User-Awareness (RUA), the Defense Center correlates
threat, endpoint, and network intelligence with user identity information so that
you can identify the source of policy breaches, attacks, or network vulnerabilities.
DC500
You can use the DC500 model of the Defense Center in managed services
environments to collect data from up to three 3D Sensors. The DC500 receives
data at an aggregate rate of up to 100 intrusion events or 900 flow events per
second. DC500s also have an RNA host limit of 1000.
IMPORTANT! You cannot use DC500s in high availability configurations.
Key DC500 database limits are:

• Intrusion Events - 500 thousand default and 2.5 million maximum
• RNA Flows - 1 million default and 10 million maximum
• RNA Flow Summaries - 2 million default and 10 million maximum
DC1000
You can use DC1000 Defense Centers in most environments. You can rack mount
a DC1000 and collect data from a large number of 3D Sensors. You can use either
DC1000s or DC3000s in high availability configurations.
Key DC1000 database quantities are:
• Intrusion Events - 1 million default and 10 million maximum
DC3000
You can use DC3000 Defense Centers in high-demand environments. A DC3000
allows you to use higher database quantities. You can configure a DC3000 as a
Master Defense Center during the initial setup.

Key DC3000 database quantities are:

Virtual Defense Center

Virtual Defense Centers are hosted on VMware’s ESX/ESXi or Xen virtual
machines. For more information, see the Sourcefire 3D System Virtual Defense
Center and 3D Sensor Installation Guide. You can manage up to 25 physical and
Virtual 3D Sensors with a Virtual Defense Center. You cannot use a Virtual
Defense Center in high availability configurations or as a Master Defense Center.
Key Virtual Defense Center database quantities are:
Master Defense Centers

The Sourcefire Master Defense Center is a key component in the Sourcefire 3D
System. You can use the Master Defense Center to aggregate and analyze
intrusion events, compliance events, and white list events from up to ten Defense
Centers within your Sourcefire 3D System deployment. The Master Defense
Center can also aggregate events related to the health of the Defense Centers it
is managing. In this way, you can view the current status of the Defense Centers
across your enterprise from a single web interface.
See Using the Master Defense Center on page 156 for more information about
managing your Defense Centers with a Master Defense Center.
Intrusion Agents
If you have an existing installation of Snort®, you can install an Intrusion Agent to
forward intrusion events to a Defense Center. You can then analyze the events
detected by Snort alongside your other data. Although you cannot manage
policies or rules for an Intrusion Agent from the Defense Center, you can do
analysis and reporting on those events. If the network map on the Defense
Center has entries for the target host in a given event, the Defense Center

assigns impact flags to the events. You can continue to manually tune Snort rules
and preprocessors with the Intrusion Agent in place.
IMPORTANT! When using Intrusion Agents registered to Defense Centers

configured for high availability and managed by a Master Defense Center, register
all Intrusion Agents to the primary Defense Center.
RNA for Red Hat Linux

The Sourcefire 3D System currently supports a software-only version of the RNA
component on your server hardware running Red Hat Enterprise Linux 5 (RHEL5)
or CentOS 5. RNA data received by a Defense Center from the server is treated in
a similar way to RNA data received from a 3D Sensor that is running RNA. See
the Sourcefire RNA Software on Red Hat Linux Configuration Guide for more
information.
IMPORTANT! You must have a Defense Center in your Sourcefire 3D System

deployment to use RNA for Red Hat Linux.
RNA and IPS for Crossbeam Systems

The Sourcefire 3D System currently supports software-only versions of RNA and
IPS for Crossbeam Systems X-Series security switches. RNA and IPS data
received by a Defense Center from a Crossbeam-based software sensors is
treated in a similar way to data received from a 3D Sensor. Separate installation
and configuration guides are available for the 3D Sensor Software for X-Series.
IMPORTANT! Because the 3D Sensor Software for X-Series does not have a web
interface, you must use a Defense Center to manage it.
eStreamer
You can access event data within your own applications through the eStreamer
Application Programming Interface (API). eStreamer integration requires custom
programming, but allows you to request specific data from a Defense Center. If,
for example, you display network host data within one of your network
management applications, you could write a program to retrieve host criticality or
vulnerability data from the Defense Center and add that information to your
display. See the eStreamer Integration Guide for more information.

Logging into the Appliance Chapter 1
Logging into the Appliance

Requires: Any The Defense Center and many 3D Sensor models have a web-based interface
that you can use to perform administrative, management, and analysis tasks.
If your 3D Sensor is not licensed for IPS, there is a limited web interface that you
can use to perform the initial appliance setup and to register the sensor with a
Defense Center. If your 3D Sensor is licensed for IPS, you are presented with a
more complete web interface that you can use to perform additional configuration
and event analysis.
Note that 3Dx800 and software sensors (Crossbeam-based software sensors,
RNA for Red Hat Linux, Intrusion Agents, and Virtual 3D Sensors) do not have a
web interface. You must use the Defense Center’s web interface to manage
these sensors.
You can access the web interface by logging into the appliance using a web
browser. The current version of the web interface supports the browsers listed in
the following table.
Browser Requirements
Browser Required Enabled Options and Settings
Firefox 3.5.x JavaScript

cookies
Secure Sockets Layer (SSL) v3
Microsoft JavaScript
Internet Explorer cookies
7.0 Secure Sockets Layer (SSL) v3
128-bit encryption
Active scripting security setting
Microsoft JavaScript
Internet Explorer cookies
8.0 Secure Sockets Layer (SSL) v3
128-bit encryption
Active scripting security setting
Compatibility View
TIP! Some processes that take a significant amount of time may cause your web
browser to display a message that a script has become unresponsive. If this
occurs, make sure you allow the script to continue until it finishes.
If you are the first user to log into the appliance after it is installed, you must log in
using the admin user account. The initial setup process is described in Setting Up
3D Sensors on page 44.

Logging into the Appliance Chapter 1
After you log into the appliance, the features that you can access are controlled by
the privileges granted to your user account. However, the procedures for logging
into and out of the appliance remain the same.
When the appliance was installed, the user who performed the installation
created a single administrative user account and password. The first time you log
into the appliance, you should use this account. After you create other user
accounts as described in Adding New User Accounts on page 300, you and other
users should use those accounts to log into the appliance.
If your organization uses SecurID® tokens when logging in, append the token to
your SecurID pin and use that as your password to log in. For example, if your pin
is 1111 and the SecurID token is 222222, type 1111222222.
IMPORTANT! Because the Defense Center and the 3D Sensor audit user activity
based on user accounts, you should make sure that users log into the system
with the correct account.
Your session automatically logs you out after 3.5 hours of inactivity, unless you
are viewing a page (such as an unpaused dashboard) that periodically
communicates with the web server on the appliance.
To log into the appliance:

Access: Any 1. Direct your browser to https://hostname/, where hostname corresponds to
the host name of the appliance.
The Login page appears.
2. In the Username and Password fields, type your user name and password.
IMPORTANT! If your company uses SecurID, append the SecurID token to

the end of your SecurID pin and use that as your password when you log in.
You must have already generated your SecurID pin before you can log into the
Sourcefire 3D System.

Logging into the Appliance to Set Up an Account Chapter 1
3. Click Login.
The default start page appears. If you selected a new home page for your
user account, then that page is displayed instead. See Specifying Your Home
Page on page 35 for more information.
The menus and menu options that are available to you at the top of the page
are based on the privileges for your user account. However, the links on the
default home page include options that span the range of user account
privileges. If you click a link that requires different privileges from those
granted to your account, the following warning message is displayed:
You are attempting to view an unauthorized page. This
activity has been logged.
You can either select a different option from the available menus or click Back
in your browser window.
Logging into the Appliance to Set Up an Account

Requires: Any Some user accounts may be authenticated through an external authentication
server. If this is the case, the first time you log into the Defense Center or
3D Sensor using your external user credentials, the appliance associates those
credentials with a set of permissions by creating a local user record. The
permissions for that local user record can then be modified, unless they are
granted through group or list membership.
If the default role for external user accounts is set to a specific access role,
externally authenticated users can log into the appliance using their external
account credentials without any additional configuration by the system
administrator. If an account is externally authenticated and by default receives no
access privileges, you can log in but cannot access any functionality. You (or your
system administrator) can then change the permissions to grant the appropriate
access to user functionality.
LDAP usernames can include underscores (_), periods (.), and hyphens (-) but
otherwise only alphanumeric characters are supported.
Note that when a shell access user logs into the appliance, it does not create a
local user account. Shell access is controlled entirely through the shell access
filter or PAM login attribute set for an LDAP server or the shell access list on a
RADIUS server. Shell users should log in using usernames with all lowercase
letters.
If your organization uses SecurID tokens when logging in, append the token to
your SecurID pin and use that as your password to log in. For example, if your pin
is 1111 and the SecurID token is 222222, type 1111222222.
IMPORTANT! The 3Dx800 sensor models do not have a web interface. Instead,
use the Defense Center’s web interface to manage policies and view events.

Logging Out of the Appliance Chapter 1
To create an externally authenticated account on the appliance:

Access: Any 1. Direct your browser to https://hostname, where hostname corresponds to the
host name of the appliance.
The Login page appears.
2. In the Username and Password fields, type your user name and password.
IMPORTANT! If your company uses SecurID, append the SecurID token to

your SecurID pin and use that as your password when you log in.
3. Click Login.
The page that appears depends on the default access role for external
authentication:
• If a default access role is selected in the authentication object or the
system policy, the default start page appears. If you selected a new
home page for your user account, then that page is displayed instead.
See Specifying Your Home Page on page 35 for more information.
The menus and menu options that are available to you at the top of the
page are based on the privileges for your user account. However, the
links on the default home page include options that span the range of
user account privileges. If you click a link that requires different
privileges from those granted to your account, the following warning
message is displayed:
You are attempting to view an unauthorized page. This
activity has been logged.
You can either select a different option from the available menus or click
Back in your browser window.
• If no default access role is selected, the Login page re-appears, with the
following error message:
Unable to authorize access. If you continue to have
difficulty accessing this device, please contact the system
administrator.
4. If you do not have access, contact your system administrator and ask them to
modify your account privileges or login as a user with Administrator access
and modify the privileges for the account. For more information, see
Modifying User Privileges and Options on page 306.
Logging Out of the Appliance

Requires: Any Make sure you log out of the appliance, even if you are only stepping away from
your web browser for a short period of time. Logging out ends your web session
and ensures that no one can use the appliance with your credentials.

Last Successful Login Chapter 1
Note that your session automatically logs you out after 3.5 hours of inactivity,
unless you are viewing a page (such as an unpaused dashboard) that periodically
communicates with the web server on the appliance.
To log out of the appliance:

Access: Any X Click Logout on the toolbar.
Last Successful Login

Requires: Any The first time you visit the appliance home page during a web session, you can
view information about the last login session for the appliance. You can see the
following information about that user account last login:
• day of the week, month, date and year of your last login
• the appliance-local time of your last login in 24-hour notation
• host and domain name last used to access the appliance.
Specifying Your User Preferences

Requires: Any Users can specify certain preferences for their user account, including
passwords, event viewing preferences, time zone settings, and home page
preferences. See the following sections for more information:
• Changing Your Password on page 25 explains how to change the password
for your user account.
• Configuring Event View Settings on page 27 describes how the event
preferences affect what you see as you view events.
• Setting Your Default Time Zone on page 34 explains how to set the time
zone for your user account and describes how that affects the time stamp
on the events that you view.
• Specifying Your Home Page on page 35 explains how to use one of the
existing pages as your default home page. After setting this value, this is the
first page you see upon logging into the appliance.
• Specifying Your Default Dashboard on page 35 explains how to choose
which of the dashboards you want to use as your default dashboard.
Changing Your Password

Requires: Any All user accounts are protected with a password. You can change your password
at any time, and depending on the settings for your user account, you may have to
change your password periodically; see Changing an Expired Password on
page 26.

Specifying Your User Preferences Chapter 1
Note that if password strength-checking is enabled, passwords must be at least

eight alphanumeric characters of mixed case and must include at least one
numeric character. Passwords cannot be a word that appears in a dictionary or
include consecutive repeating characters.
IMPORTANT! If you are an LDAP or a RADIUS user, you cannot change your
password through the web interface.
To change your password:

Access: Any 1. In the toolbar, click Preferences.
The User Preferences page appears.
2. Click Change Password.
The Change Password page appears.
3. In the Current Password field, type your current password and click Change.
4. In the New Password and Confirm fields, type your new password.
5. Click Change.
A success message appears on the page when your new password is
accepted by the system.
Changing an Expired Password

Requires: DC/MDC or Depending on the settings for your user account, your password can expire. Note
3D Sensor that the password expiration time period is set when your account is created and
cannot be changed. If your password has exired, the Password Expiration
Warning page appears.
To respond to the password expiration warning:

Access: Any X You have two choices:
• Click Change Password to change your password now.
If you have zero warning days left, you must change your password.
Also, if password strength-checking is enabled, passwords must be at
least eight alphanumeric characters of mixed case and must include at
least one numeric character. Passwords cannot be a word that appears
in a dictionary or include consecutive repeating characters
• Click Skip to change your password later.

Configuring Event View Settings

Requires: Any Use the Event View Settings page to configure characteristics of event views in
the Sourcefire 3D System.
To configure event preferences:

2. Click Event View Settings.
The Event View Settings page appears.
3. Configure the basic characteristics of event views.
For more information, see Event Preferences on page 27.
4. Configure the default time window or windows.
For more information, see Default Time Windows on page 29.
5. Configure default workflows.
For more information, see Default Workflows on page 32.
6. Click Save.
Your changes are implemented.
Event Preferences
Use the Event Preferences section of the Event View Settings page to configure
basic characteristics of event views in the Sourcefire 3D System.

The Event Preferences table describes the settings you can configure.
Event Preferences
Setting Description Requires
Confirm ‘All’ Actions Controls whether the appliance forces you to confirm Any
actions that affect all events in an event view.
For example, if this setting is enabled and you click Delete All
on an event view, you must confirm that you want to delete
all the events that meet the current constraints (including
events not displayed on the current page) before the
appliance will delete them from the database.
Resolve IP Whenever possible, allows the appliance to display host IPS or

Addresses names instead of IP addresses in event views. DC/MDC
Note that an event view can be slow to display if it contains
a large number of IP addresses and you have enabled this
option. Note also that for this setting to take effect, you
must have a DNS server configured in the system settings;
see Configuring Network Settings on page 377.
Expand Packet View Allows you to configure how the packet view for intrusion IPS or
events appears. By default, the appliance displays a DC/MDC + IPS
collapsed version of the packet view.
• None - collapse all subsections of the Packet Information
section of the packet view
• Packet Text - expand only the Packet Text subsection
• Packet Bytes - expand only the Packet Bytes subsection
• All - expand all sections
Regardless of the default setting, you can always manually
expand the sections in the packet view to view detailed
information about a captured packet. For more information
on the packet view, see Using the Packet View in the
Analyst Guide.
Rows Per Page Controls how many rows of events per page you want to Any
appear in drill-down pages and table views.

Event Preferences (Continued)
Setting Description Requires
Refresh Interval Sets the refresh interval for event views, in minutes. Any
Entering zero disables the refresh option. Note that this
interval does not apply to dashboards.
Statistics Refresh Sets the refresh interval for event summary pages such as IPS or
Interval the Intrusion Event Statistics and RNA Statistics pages. DC/MDC
Entering zero disables the refresh option. Note that this
interval does not apply to dashboards.
Deactivate Rules Controls which links appear on the packet view for intrusion IPS or
events generated by standard text rules. DC/MDC + IPS
• All Policies - a single link that deactivates the standard
text rule in all the locally defined custom intrusion
policies
• Current Policy - a single link that deactivates the standard
text rule in only the currently applied intrusion policy.
Note that you cannot deactivate rules in the default
policies.
• Ask - links for each of these options
To see these links on the packet view, your user account
must have either Administrator access or both Intrusion
Event Analyst and Policy & Response Administrator access.
Default Time Windows

Requires: Any The time window, sometimes called the time range, imposes a time constraint on
the events in any event view. Use the Default Time Windows section of the Event
View Settings page to control the default behavior of the time window. The
following graphic shows the Defense Center version of the page.
Note that regardless of the default time window setting, you can always manually
change the time window for individual event views during your event analysis.
Also keep in mind that time window settings are valid for only the current
session. When you log out and then log back in, time windows are reset to the

defaults you configured on this page. For more information, see Setting Event
Time Constraints in the Analyst Guide.
There are three types of events for which you can set the default time window.
• Requires: IPS or DC/MDC The Events Time Window sets a single default time
window for (depending on the appliance) intrusion events, RNA events, flow
data, RUA events, compliance events, remediation status events, white list
events, the SEU import log, and event views for custom tables that can be
constrained by time.
• Requires: Any The Audit Log Time Window sets the default time window for the
audit log.
• Requires: DC/MDC The Health Monitoring Time Window sets the default time
window for health events.
You can only set time windows for event types your user account can access. All
user types can set event time windows. Administrators, maintenance users, RNA
event analysts, and IPS event analysts can set health monitoring time windows.
Administrators and maintenance users can set audit log time windows.
Note that because not all event views can be constrained by time, time window
settings have no effect on event views that display RNA hosts, host attributes,
services, client applications, vulnerabilities, RUA users, or white list violations.
You can either use Multiple time windows, one for each of these types of events,
or you can use a Single time window that applies to all events. If you use a single
time window, the settings for the three types of time window disappear and a
new Global Time Window setting appears.
There are three types of time window:

• static, which displays all the events generated from a specific start time to a
specific end time
• expanding, which displays all the events generated from a specific start
time to the present; as time moves forward, the time window expands and
new events are added to the event view
• sliding, which displays all the events generated from a specific start time
(for example, one day ago) to the present; as time moves forward, the time
window “slides” so that you see only the events for the range you
configured (in this example, for the last day)

The Time Window Settings table explains the kinds of default time windows you
can configure.
IMPORTANT! The maximum time range for all time windows is from midnight on
January 1, 1970 (UTC) to 3:14:07 AM on January 19, 2038 (UTC).
Time Window Settings
Setting Description
Show the Last - This setting allows you to configure a sliding default time window of the length
Sliding you specify.
The appliance displays all the events generated from a specific start time (for
example, 1 hour ago) to the present. As you change event views, the time
window “slides” so that you always see events from the last hour.
Show the Last - This setting allows you to configure either a static or expanding default time
Static/Expanding window of the length you specify.
For static time windows (enable the Use End Time check box), the appliance
displays all the events generated from a specific start time (for example, 1
hour ago), to the time when you first viewed the events. As you change event
views, the time window stays fixed so that you see only the events that
occured during the static time window.
For expanding time windows (disable the Use End Time check box), the
appliance displays all the events generated from a specific start time (for
example, 1 hour ago), to the present. As you change event views, the time
window expands to the present time.

Time Window Settings (Continued)
Setting Description
Current Day - This setting allows you to configure either a static or expanding default time
Static/Expanding window for the current day. The current day begins at midnight, based on the
time zone setting for your current session.
displays all the events generated from midnight to the time when you first
viewed the events. As you change event views, the time window stays fixed
so that you see only the events that occured during the static time window.
appliance displays all the events generated from midnight to the present. As
you change event views, the time window expands to the present time. Note
that if your analysis continues for over 24 hours before you log out, this time
window can be more than 24 hours.
Current Week - This setting allows you to configure either a static or expanding default time
Static/Expanding window for the current week. The current week begins at midnight on the
previous Sunday, based on the time zone setting for your current session.
displays all the events generated from midnight to the time when you first
viewed the events. As you change event views, the time window stays fixed
so that you see only the events that occured during the static time window.
appliance displays all the events generated from midnight Sunday to the
present. As you change event views, the time window expands to the present
time. Note that if your analysis continues for over 1 week before you log out,
this time window can be more than 1 week.
Default Workflows
Requires: Any A workflow is a series of pages displaying data that analysts use to evaluate
events. For each event type, the appliance ships with at least one predefined
workflow. For example, depending on the type of analysis you are performing,
you can choose between ten different intrusion event workflows, each of which
presents intrusion event data in a different way.
The appliance is configured with a default workflow for each event type. For
example, the Events by Priority and Classification workflow is the default for
intrusion events. This means whenever you view intrusion events (including
reviewed intrusion events), the appliance displays the Events by Priority and
Classification workflow.

You can, however, change the default workflow for each event type using the
Default Workflows sections of the Event View Settings page. The following
graphic shows the Defense Center version of the Default Workflows section.
Keep in mind that the default workflows you are able to configure depend not
only on the appliance you are using, but also on your user role. For example, on a
3D Sensor without an IPS license, you can only configure the default workflow for
the audit log. As another example, on the Defense Center, intrusion event
analysts cannot set default RNA workflows. For general information on
workflows, see Understanding and Using Workflows in the Analyst Guide.

Setting Your Default Time Zone

Requires: Any You can change the time zone used to display events from the standard UTC time
that the appliance uses. When you configure a time zone, it applies only to your
user account and is in effect until you make further changes to the time zone.
WARNING! The Time Zone function assumes that the default system clock is set
to UTC time. If you have changed the system clock on the appliance to use a local
time zone, you must change it back to UTC time in order to view accurate local
time on the appliance. For more information about time synchronization between
the Defense Center and the sensors, see Synchronizing Time on page 354.
To change your time zone:

2. Click Time Zone Settings.
The Time Zone Preference page appears.
3. From the box on the left, select the continent or area that contains the time
zone you want to use.
For example, if you want to use a time zone standard to North America, South
America, or Canada, select America.
4. From the box on the right, select the zone (city name) that corresponds with
the time zone you want to use.
For example, if you want to use Eastern Standard Time, you would select
New York after selecting America in the first time zone box.
5. Click Save.
The time zone is set.

Specifying Your Home Page

Requires: Any You can specify a page within the web interface as your home page for the
appliance. The default home page is the dashboard (Analysis & Reporting > Event
Summary > Dashboards), except for user accounts with Restricted Event Analyst
access, who use the Welcome page.
To specify your home page:

2. Click Home Page.
The Home Page page appears.
3. Select the page you want to use as your home page from the Opening Screen
drop-down list.
The options in the drop-down list are based on the access privileges for your
user account. That is, user accounts with Policy & Response Administrator
access have different options from accounts with Intrusion or RNA Event
Analyst full or read-only access, Restricted Event Analyst full or read-only
access, Maintenance access, or Administrator access.
4. Click Save.
Your home page preference is saved.
Specifying Your Default Dashboard

Requires: Any You can specify one of the dashboards on the appliance as the default dashboard.
The default dashboard appears when you select Analysis & Reporting > Event
Summary > Dashboards. If you do not have a default dashboard defined, the
Dashboard List page appears. For general information on dashboards, see Using
Dashboards on page 59.
IMPORTANT! User accounts with Restricted Event Analyst access cannot use
the dashboard and therefore cannot specify a default dashboard.
To specify your default dashboard:


Using the Context Menu Chapter 1
2. Click Dashboard Settings.

The Dashboard Settings page appears.
3. Select the dashboard you want to use as your default from the Default
Dashboard drop-down list.
If you select None, when you select Analysis & Reporting > Event Summary >
Dashboards, the Dashboard List page appears. You can then select a
dashboard to view.
4. Click Save.
Your default dashboard preference is saved.
Using the Context Menu

Requires: Any For your convenience, certain pages in the web interface support a pop-up
context menu that you can use as a shortcut for accessing other features in the
Sourcefire 3D System. As the name implies, the contents of the menu depend on
the context where you access it. For example, if you access the menu while
viewing an RNA event, the context menu provides you with the option to view
the event in a separate browser window. However, if you access the context
menu while viewing an intrusion event that was triggered by an intrusion rule, you
have a range of options that includes enabling, disabling, suppressing, and
thresholding the rule. You can also view the rule documentation and edit the rule.
You can access the context menu on the following pages.
• Event pages (drill-down pages and table views) contain hotspots over each
event.
• The Rule Editor page for intrusion rules contains a hotspot over each
intrusion rule.
Note that if you try to access the context menu for a web page or location that
doesn’t support the Sourcefire-specific menu, the normal context menu for your
browser appears.
To access the context menu:

Access: Any 1. On one of the hotspot-enabled pages in the web interface, hover your pointer
over one of the hotspots.
A “Right-click for menu” message appears.

Documentation Resources Chapter 1
2. Right-click your pointing device.

A pop-up context menu appears with options that are appropriate for the
hotspot. For example, the following menu appears if you right-click over an
intrusion event.
3. Select one of the options by left-clicking the name of the option.

A new browser window opens based on the option you selected.
Documentation Resources
The Sourcefire 3D System documentation set includes online help and PDF files.
You can reach the online help in two ways:
• by clicking the context-sensitive help links on each page
• by selecting Operations > Help > Online.
The online help includes information about the tasks you can complete on the
web interface, including procedural and conceptual information about user
management, system management, and IPS and RNA analysis.
The Documentation CD contains a PDF version of the Sourcefire 3D System
Administrator Guide and the Sourcefire 3D System Analyst Guide, which together
include the same content as the online help, but in an easy-to-print format.
The Administrator Guide contains information specifically for administrators and
maintenance users. In this guide you will find information about managing Master
Defense Centers, Defense Centers, and 3D Sensors, configuring system settings
and system policies, managing user accounts, scheduling tasks, and monitoring
the health of your appliances.
The Analyst Guide contains information for Intrusion Event Analysts, RNA Event
Analysts, and Policy & Response Administrators. In this guide you will find
information about managing RNA and IPS policies; analyzing RNA, RUA, and
intrusion data; and using event reports.
The Documentation CD also contains copies of the Defense Center Installation
Guide and the 3D Sensor Installation Guide, which includes information about
installing the appliance as well as hardware specifications and safety information.
The CD also contains copies of various API guides and supplementary material.
You can access the most up-to-date versions of the documentation on the
Sourcefire Support web site (https://support.sourcefire.com/).

Documentation Conventions Chapter 1
Documentation Conventions
This documentation includes information about which Sourcefire 3D System
components are required for each feature and which user roles have permission
to complete each procedure.
Refer to Platform Requirements Conventions on page 38 for the meaning of the
Requires statement at the beginning of each section.
Refer to Access Requirements Conventions on page 39 for the meaning of the
Access statement at the beginning of each procedure.
Platform Requirements Conventions

The Requires statement at the beginning of each section in this documentation
indicates the combination of appliance platform and licenses you need to use the
feature described in the section. Platform requirement information for specific
aspects of a feature is provided where needed.
All platform information is formatted with an orange typeface.
The following table defines the abbreviations used to indicate each different
platform requirement:
Platform and Licensing Requirement Abbreviations
Requires Acronym Indicates
3D Sensor One of the following Series 1 or Series 2 sensors:

• 3D500
• 3D1000
• 3D2000
• 3D2100
• 3D2500
• 3D3500
• 3D4500
• 3D6500
• 3D9900
This acronym on its own indicates that the task in
question can be performed on any of these sensors even
if an IPS license is not applied on the sensor and the
sensor is not managed.
Any Any appliance with any combination of licenses
DC A DC500, DC1000, Virtual Defense Center, or DC3000

appliance used as a Defense Center

Platform and Licensing Requirement Abbreviations (Continued)
DC/MDC A DC3000 appliance used as a Defense Center or a

Master Defense Center
IPS A 3D Sensor licensed with the IPS technology
RNA An RNA license
RUA An RUA license
An or conjunction indicates that the task or feature is available on either of the

indicated platforms. A “+” conjunction indicates that the platforms are required in
combination.
For example, you can change an expired password on a Defense Center or
Master Defense Center or on a 3D Sensor, so the Changing an Expired Password
topic has a Requires statement of DC/MDC or 3D Sensor.
In contrast, to manage a Defense Center with a Master Defense Center, you
need both a Defense Center and a Master Defense Center, so the Adding a
Master Defense Center topic has a Requires statement of MDC + DC.
Access Requirements Conventions

The Access statement at the beginning of each procedure in this documentation
indicates the access role required to use the feature described in the section.
All access information is formatted with a green typeface.
The following table defines the abbreviations used to indicate each different
platform requirement:
Access Requirement Abbreviations
Admin User must have the Administrator role
Any User can have any role
Any Analyst User can have any analyst role
Any except User can have any role except Restricted Analyst or
Restricted Restricted Analyst (Read Only)

Access Requirement Abbreviations (Continued)
Any Analyst User can have any analyst role except Restricted Analyst
except or Restricted Analyst (Read Only)
Restricted
Any IPS User must have the Intrusion Event Analyst role or
Intrusion Event Analyst (Read Only) role or the Restricted
Event Analyst role or Restricted Event Analyst (Read Only)
role with rights to that function
IPS User must have the Intrusion Event Analyst role or

Restricted Event Analyst role with rights to that function
IPS-RO User must have the Intrusion Event Analyst (Read Only)
role or Restricted Event Analyst (Read Only) role with
rights to that function
Maint User must have the Maintenance role
P&R Admin User must have the Policy & Response Administrator role
Any RNA User must have the RNA Event Analyst or RNA Event
Analyst (Read Only) or Restricted Event Analyst or
Restricted Event Analyst (Read Only) with rights to that
function
RNA User must have the RNA Event Analyst role or Restricted
Event Analyst role with rights to that function
RNA-RO User must have the RNA Event Analyst (Read Only) role
or Restricted Event Analyst (Read Only) role with rights to
that function
A “/” conjunction indicates that the task or feature is available to users with one
or more of the indicated platforms. A “+” conjunction indicates that the platforms
are required in combination.
For example, to view the Hosts network map, a user must have the RNA Event
Analyst or RNA Event Analyst (Read Only) role or the Restricted Event Analyst or
Restricted Event Analyst (Read Only) role with RNA Hosts Data set to Show All Data
or to show a specific search. The Access setting for the procedure in the Working
with the Hosts Network Map topic is Any RNA/Admin.
Rule thresholding in the packet view provides an example of required combined
access roles. You must have the Administrator role or have the Policy & Response
Administrator role in combination with the Intrusion Event Analyst role or the
Restricted Event Analyst role with Intrusion Events Data set to Show All Data or to
show a specific search to access the packet view and set thresholding for a rule

IP Address Conventions Chapter 1
from the packet view. As a result, the Access setting for the procedure in the
Setting Threshold Options within the Packet View topic is IPS + P&R
Admin/Admin.
IP Address Conventions
Requires: Any You can use Classless Inter-Domain Routing (CIDR) notation to define IP address
ranges in many places in the Sourcefire 3D System, including but not limited to
the following:
• RNA detection policies
• custom topologies
• auto-assigned networks for user-defined host attributes
• traffic profiles
• compliance rules and white lists
• active scan targets
• intrusion policies, variables, and standard text rules
• PEP
CIDR notation uses a network IP address combined with a bit mask to define the
IP addresses in the specified range. For example, the following table lists the
private IPv4 address spaces in CIDR notation.
CIDR Notation Syntax Examples
CIDR Block IP Addresses in Subnet Mask Number of

CIDR Block IP Addresses
10.0.0.0/8 10.0.0.0 - 255.0.0.0 16,777,216

10.255.255.255
172.16.0.0/12 172.16.0.0 - 255.240.0.0 1,048,576

172.31.255.255
192.168.0.0/16 192.168.0.0 - 255.255.0.0 65,536

192.168.255.255
When you use CIDR notation to specify a range of IP addresses, the Sourcefire
3D System uses only the masked portion of the network IP address you
specified, without changing your user input. For example, if you type 10.1.2.3/8,
the Sourcefire 3D System uses 10.0.0.0/8, but the web interface continues to
display 10.1.2.3/8.

IP Address Conventions Chapter 1
In other words, although Sourcefire recommends the standard method of using a

network IP address on the bit boundary when using CIDR notation, the Sourcefire
3D System does not require it.

Chapter 2
Administrator Guide
Performing the Initial Setup
After installing your Defense Center or 3D Sensor as described in the Installation

Guide and logging into the web interface for the first time, you are presented with
a series of start-up pages.
Newer models of the 3D Sensor, called Series 2 sensors, provide a rapid set up
feature and a status page. Note that if you purchased your sensor prior to 2008,
you may have a Series 1 3D Sensor. Consult your original documentation or
contact Sourcefire Support for information about performing the initial setup on
those sensor models.
To perform the initial setup of a Virtual 3D Sensor, see the Sourcefire 3D System
Virtual Defense Center and 3D Sensor Installation Guide.
See the following sections for more information:
• Setting Up 3D Sensors on page 44 explains how to complete the setup
process for Series 2 3D Sensors.
• Setting up Defense Centers on page 47 explains how to complete the setup
process for Defense Centers.
• What’s Next? on page 52 provides detailed lists of the next tasks to be
performed by each type of user.

Setting Up 3D Sensors Chapter 2
Setting Up 3D Sensors
Requires: 3D Sensor Newer models of the 3D Sensor (that is, Series 2 sensors) provide a simple web
form to collect information about your network environment and how you intend
to deploy the sensor. These sensors include the following models:
• 3D500
• 3D1000
• 3D2000
• 3D2100
• 3D2500
• 3D3500
• 3D4500
• 3D6500
• 3D9900
You can view illustrations of each model in the 3D Sensor Installation Guide to
determine your sensor model. Defense Centers use the setup process in Setting
up Defense Centers on page 47.
After physically installing the 3D Sensor, setting up the IP address for the
management interface, and logging into the 3D Sensor’s web interface (as
described in the 3D Sensor Installation Guide), the Install page appears so that
you can continue the setup process.
WARNING! Prepare for the initial setup and complete it promptly after you begin.
If the initial setup is interrupted or if a second user logs in while it is underway,
the results can be unpredictable.
To complete the initial setup:

Access: Admin 1. Under Change Password, in the New Password and Confirm fields, enter a new
password for the admin user account and for the root password for the shell
account. The same password is used for both accounts.
TIP! The initial change to the admin user password changes the root
password for the shell account. Use the command line interface on the
appliance for subsequent changes to the root password.
Sourcefire strongly recommends that your password is at least eight

alphanumeric characters of mixed case and includes at least one numeric
character. Avoid using words that appear in a dictionary.

2. Under Network Settings, enter the settings that you want to use for the
management IP address.
Note that if you used the configure-network script before logging into the
web interface, the IP address, netmask, and gateway fields are pre-populated
with your settings.
3. Under Remote Management, indicate whether you want to manage the
3D Sensor with a Defense Center.
You can use the IP address of the Defense Center or, if you specify a DNS
server, its hostname. The registration key is a single-use, user-created string
that you will also use from within the Defense Center’s web interface when
you complete the sensor registration process.
If your sensor and Defense Center are separated by a network address
translation (NAT) device, defer Defense Center management until after you
complete the initial setup. Refer to Working in NAT Environments on page 112
and Adding Sensors to the Defense Center on page 117 for more information.
4. Optionally, if your Defense Center is running current software and your
sensors are running earlier software, under Time Settings, indicate how you
want to set the time for the 3D Sensor. You can set the time manually or via
network time protocol (NTP) from an NTP server. Note that if you use an NTP
server to set the time, you must also specify the primary and secondary DNS
servers.
Note that if you are managing the sensor with a Defense Center and the
Defense Center itself is set up as an NTP server, you can specify the Defense
Center as the sensor’s NTP server.
IMPORTANT! If both your Defense Center and your sensors are running
current software, this step is unnecessary as the current software will
synchronize automatically.
5. Under Detection Mode, specify how you want to deploy the 3D Sensor. You
have two options:
• If you deployed the sensor as an inline IPS using paired sensing
interfaces, select Inline with Failopen Mode.
• If you deployed the sensor as a passive IDS on your network, select
Passive Mode.
WARNING! If you select Inline with Failopen Mode when the sensor is
deployed passively, you may cause your network to be bridged, resulting in
unexpected network behavior.

6. Under Recurring SEU Imports, check the Enable Recurring SEU Imports check
box to configure automatic SEU imports and specify the update frequency. To
queue an immediate update from the Sourcefire support site, select Update
Now.
Select the state for adding new rules to intrusion policies as disabled or in the
predefined default state. For detailed information on adding new rules to
custom policies in the default state or in the disabled rule state, refer to Using
Recurring SEU Imports in the Analyst Guide. You can also instruct the system
to reapply intrusion policies after the SEU import completes.
7. Under License Settings, indicate whether you want to add a product license
to the 3D Sensor. You have two options:
• To use only the RNA or RUA functionality without IPS, you do not need
to add a product license. You will automatically create an RNA detection
engine without a policy. You control licensing for RNA or RUA through
the Defense Center managing the sensor.
Skip to step 8.
• To use IPS functionality (either by itself or with RNA or RUA
functionality), you must add a product license to the 3D Sensor.
To add a product license, enter the license key in the license key field,
and click Add/Verify.
To obtain a product license, click the link to navigate to https://
keyserver.sourcefire.com/. Follow the on-screen instructions to
generate an email containing the license file and paste it into the
License field. Note that you will be prompted for the license key and an
activation key. The activation key was previously emailed to the contact
person identified on your support contract.
If your current host cannot access the Internet, switch to a host that can
and navigate to the keyserver web page.

Setting up Defense Centers Chapter 2
8. Under End User License Agreement, read the agreement carefully. If you
agree to abide by its provisions, select the check box and click Apply.
The 3D Sensor is configured according to your selections. The appliance logs
you out. A dashboard page appears after you log back in, which indicates the
appliance is now operational. See Using Dashboards on page 59 for more
information. See What’s Next? on page 52 for some suggestions about how
to proceed after you complete these initial startup pages.
TIP! If you used the option to connect through the management port to
perform the initial setup, remember to connect the cable to the protected
management network.
TIP! Applying a default policy to detection engines can take several minutes.
You will see no intrusion events until it completes. You can check the task
progress at Operations > Monitoring > Task Status.
Setting up Defense Centers

Requires: DC/MDC The first time you log in to the web interface, Defense Centers and Master
Defense Centers provide a simple web form to collect information about your
network environment and how you intend to deploy the appliance.
After physically installing the Defense Center, setting up the IP address for the
management interface, and logging into the Defense Center’s web interface (as
described in the Defense Center Installation Guide), the Install page appears so
that you can continue the setup process.
WARNING! Prepare for the initial setup and complete it promptly after you begin.
If the initial setup is interrupted or if a second user logs in while it is underway,
the results can be unpredictable.

To complete the initial setup:

Access: Admin 1. Under Change Password, in the New Password and Confirm fields, enter a new
password for the admin user account and the root password shell account.
The same password is used for both accounts.
TIP! The initial change to the admin user password changes the root
password for the shell account. Use the command line interface on the
appliance for subsequent changes to the root password.
Sourcefire strongly recommends that your password is at least eight

alphanumeric characters of mixed case and includes at least one numeric
character. Avoid using words that appear in a dictionary.
2. Under Network Settings, enter the settings that you want to use for the
management IP address.
Note that if you used the configure-network script before logging into the
web interface, the IP address, netmask, and gateway fields are pre-populated
with your settings.
3. If you are installing a DC3000, under Operational Mode, you can set the
appliance to operate as a Defense Center or a Master Defense Center.
IMPORTANT! A Master Defense Center can manage only Defense Centers,

and not 3D Sensors. Defense Center capabilities are not a subset of a Master
Defense Center. For more information on the differences between the
features provided by a Master Defense Center and a Defense Center, see
Master Defense Center and Defense Center Functional Comparison on
page 159.
If you select the Master Defense Center mode, the Remote Management
section becomes unnecessary and is hidden from the form. Skip to step 5.
4. Under Remote Management, indicate whether you want to manage the
Defense Center with a Master Defense Center.
You can use the IP address of the Master Defense Center or, if you specify a
DNS server, its hostname. The registration key is a single-use, user-created
string that you will also need to use when you register the Defense Center
through the Master Defense Center’s web interface.
IMPORTANT! If your Defense Center and Master Defense Center are

separated by a network address translation (NAT) device, defer remote
management until after you complete the initial setup. See Working in NAT
Environments on page 112 and Adding a Master Defense Center on page 165
for more information.

5. Under Time Settings, indicate how you want to set the time for the Defense
Center. You can set the time manually or via network time protocol (NTP)
from an NTP server. Note that if you use an NTP server to set the time, you
must also specify the primary and secondary DNS servers.
Note that if you are managing the Defense Center with a Master Defense
Center and the Master Defense Center itself is set up as an NTP server, you
can specify the Master Defense Center as the Defense Center’s NTP server.
IMPORTANT! If your Defense Center, Master Defense Center and all

sensors are running current software, this step is unnecessary as the current
software will synchronize automatically.
6. If you are installing a DC3000 and your operational mode is Master Defense
Center, the Defense Center Registration portion of the form is visible. Use
these fields only to register Defense Centers where you have already
configured remote management by this Master Defense Center.
You can use the IP address of the Defense Center or, if you specify a DNS
server, its hostname. The registration key is the single-use, user-created
string you used in the Defense Center’s web interface when you configured
remote management.
IMPORTANT! If your Defense Center and Master Defense Center are

separated by a network address translation (NAT) device, defer remote
management until after you complete the initial setup. See Working in NAT
Environments on page 112 and Adding a Defense Center on page 168 for
more information.
7. On Defense Centers, under Sensor Registration, indicate whether you want

to apply default policies.
You can use the IP address of the 3D Sensor or, if you specify a DNS server,
its hostname. The registration key is the single-use, user-created string used
in the 3D Sensor’s web interface when you configured remote management
for the sensor.
If your 3D Sensor and Defense Center are separated by a network address
translation (NAT) device, you should defer remote management until after you
complete the initial setup. Refer to Working in NAT Environments on page 112
and Adding Sensors to the Defense Center on page 117 for more information.
IMPORTANT! Use this function only if you have previously installed

3D Sensors that are pending registration with this Defense Center.
Click Add to register each newly listed 3D Sensors with this Defense Center.

Communication Ports Chapter 2
8. Under Recurring SEU Imports, check the Enable Recurring SEU Import check
box to configure automatic SEU imports and specify the update frequency. To
queue an immediate update from the Sourcefire support site, select Update
Now.
Select the state for adding new rules to intrusion policies as disabled or in the
predefined default state. For detailed information on adding new rules to
custom policies in the default state or in the disabled rule state see Using
Recurring SEU Imports in the Analyst Guide. You can also instruct the system
to reapply intrusion policies after the SEU import completes.
9. Under License Settings, add a product license and any required feature
licenses to the Defense Center.
To obtain a product license, click the link to navigate to https://
keyserver.sourcefire.com/. Follow the on-screen instructions to generate
an email containing the license file and paste it into the License field. Note
that you will be prompted for the license key and an activation key. The
activation key was previously emailed to the contact person identified on your
support contract.
If your current host cannot access the Internet, switch to a host that can and
navigate to the keyserver web page.
10. Under End User License Agreement, read the agreement carefully.If you
agree to abide by its provisions, select the check box and click Apply.
The Defense Center or Master Defense Center is configured according to
your selections.The appliance logs you out. A dashboard page appears after
you log back in, which indicates the appliance is operational. See Using
Dashboards on page 59 for more information. See What’s Next? on page 52
for some suggestions about how to proceed after you complete these initial
startup pages.
TIP! If you used the option to connect through the management port to
perform the initial setup, remember to connect the cable to the protected
management network.
Communication Ports
The Sourcefire 3D System requires the use of specific ports to communicate
internally and externally, between Defense Centers and sensors, and to enable

Communication Ports Chapter 2
certain functionality within the network deployment. Refer to the Required Open
Ports table for more information on functions and their associated ports.
Required Open Ports
Ports Description Notes
20, 21 ftp
22 ssh/ssl
23 telnet
25 smtp
53 dns
67, 68 dhcp
80 http Open this port when you connect to a remote web server
through the RSS widget.
162 snmp
389, 636 ldap
443 https
514 syslog Open this port only if you are using a remote syslog
server.
1241 Nessus
1660 Nmap
1812 and 1813 FreeRADIUS Note that you must open both ports to ensure that
FreeRADIUS functions correctly.
3306 RUA Agent Open this port for communicatiosn between the Defense
Center and RUA Agents.
8301 Intrustion Agent Open this port for communications between the Defense
Center and Intrusion Agents.

What’s Next? Chapter 2
Required Open Ports (Continued)
Ports Description Notes
8302 eStreamer
8305 Management Open this port for communications between the Defense
Virtual Network Center and v. 4.8.x 3D Sensors.
18183 OPSEC SAM
What’s Next?
Requires: Any After you complete the initial setup for the Sourcefire 3D System, your next steps
depend on the role assigned to your user account (Administrator user,
Maintenance user, Policy & Response Administrator user, Intrusion Event Analyst
user, or RNA Event Analyst user) and what appliance you are using. See
Managing Users on page 264 for more information about user roles.
For deployments that include a Defense Center, you can perform much of the
process on the Defense Center itself.
IMPORTANT! Tasks that must be completed on specific hardware or software

platforms are indicated by special text: For example, tasks that require a Defense
Center are preceded with Requires: DC. Similarly, if your Defense Center or
3D Sensor must be licensed for IPS, RNA, or RUA, the task is preceded with
Requires: IPS, Requires: RNA, or Requires: RUA.
For standalone 3D Sensor deployments (that is, deployments that do not include
a Defense Center and do not use RNA), a user with Administrator access must
perform the first steps. Review the tasks in the following sections, which are
based on the user account privileges required for the task.
• Administrator User Tasks on page 53 describe the steps that you must
complete before Policy & Response Administrator users and analyst users
can begin their tasks.
• Maintenance User Tasks on page 54 explain some of the steps in the
process that Maintenance users can perform after Administrator users
finish their required tasks.
• Policy & Response Administrator User Tasks on page 55 describe some of
the policies and custom rules that Policy & Response Administrator users
can create and apply so that analyst users receive useful data for their
analyses.

• RNA Event Analyst User Tasks on page 56 describe the features that RNA
Event Analyst users can use to learn about the assets on your network.
• Intrusion Event Analyst User Tasks on page 57 describe the features that
Intrusion Event Analyst users can use to learn about the kinds of attacks
that are launched against assets on your network.
Administrator User Tasks

Requires: Any Administrator users have a superset of tasks. Tasks essential to initial setup are
listed below.
The first steps for the Administrator user are as follows:

Access: Admin 1. If you want to manage your 3D Sensors with a Defense Center but did not
enable remote management as part of the initial setup on the sensor, you
should set it up now. See Configuring Remote Access to the Defense Center
on page 386 for information about setting up management links between
your sensors and the Defense Center.
TIP! After you set up management, Sourcefire recommends that you use
the Defense Center’s web interface rather than the sensor’s web interface to
manage the sensor and view the events that it generates. You must complete
the steps outlined in Working with Sensors on page 113 on the Defense
Center and on the sensors to complete the process.
2. Requires: DC If you are deploying two Defense Centers in high availability

mode, set up high availability as explained in Configuring High Availability on
page 145.
In most network environments, the sensors you add to the primary Defense
Center are automatically added to the secondary Defense Center.
TIP! You can use high availabilty mode on Defense Centers which are
managed by a Master Defense Center, but you cannot use high availability
mode directly on the Master Defense Center itself.
3. Requires: DC If you want to authenticate users using an external authentication

server, you must create an authentication object for that server as described
in Creating LDAP Authentication Objects on page 269.

4. If you did not already set up a system policy as part of the initial setup, you
should configure one that meets the needs of your network and security
environment. Note that, if you want to use external authentication, you need
to enable it in a system policy on the Defense Center and apply that policy to
any appliances where users will authenticate to the external server. See
Managing System Policies on page 320 for more information.
You can also create different policies on your Defense Center and apply them
to the managed sensors where it is appropriate.
5. Check for any available software patches, vulnerability database updates, and
Security Enhancement Updates (SEUs) and apply them to your Defense
Center where required. Apply any available software patches or vulnerability
database updates to managed sensors where required.
Patches and updates are available on the Sourcefire Support site. See
Importing SEUs and Rule Files in the Analyst Guide and Updating System
Software on page 398 for more information.
6. Create new user accounts that match the roles you want to assign to your
users.
The auditing feature records events based on the user account name, so it is
much better to have an account for each user rather than allowing multiple
users to access the appliance from one or two accounts. See Managing
Users on page 264 for more information.
7. By default, each 3D Sensor has a single detection engine that encompasses
all of the available sensing interfaces (or all of the available fast-packet-
enabled interfaces) on the sensor. To take advantage of the multiple detection
engine feature, you must modify the default detection engine.
See Using Detection Engines and Interface Sets on page 185 for more
information about examining traffic on multiple network segments with a
single sensor.
8. Requires: DC Set up health monitoring policies and apply them to your
managed sensors and to the Defense Center itself.
The health monitoring feature includes a range of modules that you can
enable or disable based on the needs of your network environment. See
Using Health Monitoring on page 482 for more information. Note that a
Maintenance user can also set up health policies.
The next section, Maintenance User Tasks, describes the steps that a user with
Maintenance access can perform.
Maintenance User Tasks

Requires: Any After a user with Administrator privileges performs the initial configuration as
described in Setting Up 3D Sensors on page 44, a Maintenance user or an
Administrator user can perform the following tasks:

To continue the initial setup, Maintenance users can:

Access: Maint/Admin 1. Requires: DC If a user with Administrator privileges has not configured health
monitoring, you can set up and apply health policies on your managed
sensors and the Defense Center.
See Using Health Monitoring on page 482 for more information.
2. Set up scheduled tasks for any jobs that you want to perform on a regular
basis. See Scheduling Tasks on page 425 for more information.
3. Develop a backup and restore plan. See Using Backup and Restore on
page 413 for details about backing up configurations as well as event data.
Note that you can also schedule regular backups of your appliance.
The next section, Policy & Response Administrator User Tasks, describes the
steps that a user with Policy & Response Administrator access can perform.
Policy & Response Administrator User Tasks

described in Setting Up 3D Sensors on page 44, a Policy & Response
Administrator user or an Administrator user can perform the following tasks:
To continue the initial setup, Policy & Response Administrator users can:
Access: P&R Admin/ 1. Requires: RNA Set up compliance policies to determine when prohibited
Admin activity occurs on your network. Compliance policies can contain rules based
on nearly any kind of network activity that your 3D Sensor can detect,
including anomalous network traffic patterns. See Configuring Compliance
Policies and Rules in the Analyst Guide.
2. Requires: RNA If a compliance policy violation occurs, you can specify that the
Defense Center automatically respond to it in one of several ways, including
blocking a suspect host at the firewall or router, sending a notification by
email or SNMP, or simply generating a syslog alert. For more information on
responses, see Configuring Responses for Compliance Policies in the Analyst
Guide.
3. Requires: IPS Create and apply intrusion policies to the IPS-related detection
engines on your 3D Sensor. See Using Basic Settings in an Intrusion Policy in
the Analyst Guide for more information.
4. Requires: IPS Part of the process for creating an intrusion policy includes
enabling the appropriate intrusion rules and fine-tuning the preprocessors and
packet decoders to match your network traffic. See Managing Intrusion Rules
in the Analyst Guide and Using Advanced Settings in an Intrusion Policy in the
Analyst Guide for more in-depth information about configuring intrusion
policies.

5. Requires: IPS To ensure that your intrusion event analysts are informed as
soon as possible regarding attacks against your most valuable network
assets, consider setting up automated notifications (that can be sent to the
syslog, via email, or via SNMP) if a specific intrusion rule is triggered. If your
network environment includes an OPSEC-compliant firewall, you can also
send SAM-based responses to the firewall. See Configuring External
Responses to Intrusion Events in the Analyst Guide for more information.
6. Requires: IPS As you gain more experience with the intrusion rules provided by
Sourcefire, you may want to write your own rules to meet the unique needs
of your network. See Understanding and Writing Intrusion Rules in the
Analyst Guide and Rule-Writing Examples and Tips in the Analyst Guide to
learn more about using the rule editor to write your own intrusion rules.
The policies and rules that you create as a Policy & Response Administrator user
determine the kinds of events that are seen by the RNA Event Analyst and
Intrusion Event Analyst users on your appliance. The next sections, RNA Event
Analyst User Tasks and Intrusion Event Analyst User Tasks, describe the steps
that a user with Intrusion Event Analyst, Intrusion Event Analyst (Read-Only), RNA
Event Analyst, RNA Event Analyst (Read-Only), or Restricted Event Analyst
access can perform.
RNA Event Analyst User Tasks

described in Setting Up 3D Sensors on page 44, an RNA Event Analyst user or an
Administrator user can perform the tasks listed below. RNA Event Analyst (Read
Only) users can perform any of these tasks. Similarly, Restricted Event Analyst
users can perform most of these tasks, but their event views are limited to
specific IP address ranges.
To continue the initial setup, RNA Event Analyst users can:

Access: Any RNA/ 1. Begin by reviewing the summary statistics, which can provide you with a
Admin high-level view of the activity and events taking place on your network. See
Viewing RNA Event Statistics in the Analyst Guide for more information.
2. Requires: RNA Review the information in the network map, which is an
expandable tree view of all the hosts and services reported by RNA. The
network map provides you with an overview of your network and is a good
tool for locating rogue access points, unknown hosts, and services that are
prohibited by your security policies. See Using the Network Map in the
Analyst Guide for more information.
3. Requires: RNA If you locate unknown hosts on the network map, use the host
profile feature to learn more about them. You can also use the host profile to
set host criticality and to learn about the vulnerabilities reported for the
operating system and services running on each host. See Using Host Profiles
in the nAnalyst Guide for more information.

4. Requires: RNA Use the RNA event workflows to review the activity that has
occurred on your network over time. You can review information for network
hosts, services, vulnerabilities, client applications, and host attributes. You
can also use the extensive search capability to define and save your own
search criteria that you can use as part of your regular analysis. Note that the
kinds of RNA events that are logged to the database are determined by the
system policy on the managing Defense Center. See Working with RNA
Events in the Analyst Guide for more information.
5. Requires: RNA Use flow data and traffic profiles to gain a different kind of
insight into the activity on your network. For example, you can review the
information collected by RNA’s traffic monitoring features and identify high-
traffic hosts, then determine which might be behaving abnormally. Note that
flow data is collected by your sensors only if the flow data option is enabled
in the RNA detection policy. See Working with Flow Data and Traffic Profiles
in the Analyst Guide for more information.
6. Use the report designer to create CSV, HTML, or PDF-based event and
incident reports. You can automatically email a report when it is complete,
and you can create and save report profiles to use later. See Working with
Event Reports on page 232 for more information. You can use the scheduler
to automate reporting. See Scheduling Tasks on page 425.
7. Use any of the predefined workflows to view, investigate, and act on the
events generated by your sensors. As you grow more experienced with the
Sourcefire 3D System, you may want to create your own workflows. See
Understanding and Using Workflows in the Analyst Guide for more
information.
Intrusion Event Analyst User Tasks

described in Setting Up 3D Sensors on page 44, an Intrusion Event Analyst user
or an Administrator user can perform the tasks listed below. Most of these can be
performed by Restricted Event Analyst users also, but their event views are
limited to specific IP address ranges.

To continue the initial setup, Intrusion Event Analyst users can:

Access: Any IPS/ 1. Begin by reviewing the summary statistics, which can provide you with a
Admin high-level view of the activity and events taking place on your network. See
Viewing Intrusion Event Statistics in the Analyst Guide for more information.
2. Requires: IPS Use the intrusion event views to determine which hosts on your
network are the targets of attacks and the types of attacks that are attempted
against them. Note that the events that you see are limited by the options
that are enabled in the intrusion policy that is applied to your sensors. See
Working with Intrusion Events in the Analyst Guide for more information.
Requires: RNA Note that on the Defense Center, intrusion events are
correlated with any available RNA data to generate an impact flag. Events
with high impact are more likely to indicate that an attack is targeted against a
vulnerable host on your network. See Using Impact Flags to Evaluate Events
3. Requires: IPS Use the incident handling feature to collect information about
your investigation of possible intrusions on your network. You can use an
incident to record details about your investigation, and the appliance
automatically records the amount of time you have the incident open. You can
also add intrusion event data that you believe might be important to your
investigation of the incident. See Handling Incidents in the Analyst Guide for
more information.
4. Use the report designer to create CSV, HTML, or PDF-based event and
incident reports. You can automatically email a report when it is complete,
and you can create and save report profiles to use later. See Working with
Event Reports on page 232 for more information. You can use the scheduler
to automate reporting. See Scheduling Tasks on page 425.
5. Use any of the predefined workflows to view, investigate, and act on the
events generated by your sensors. As you grow more experienced with the
Sourcefire 3D System, you may want to create your own workflows. See
Understanding and Using Workflows in the Analyst Guide for more
information.

Chapter 3
;Administrator Guide
Using Dashboards
Sourcefire 3D System dashboards provide you with at-a-glance views of current

system status, including data about the events collected and generated by the
Sourcefire 3D System, as well as information about the status and overall health
of the appliances in your deployment.
Each dashboard has one or more tabs, each of which can display one or more
widgets in a three-column layout. Widgets are small, self-contained components
that provide insight into different aspects of the Sourcefire 3D System. The
Sourcefire 3D System is delivered with several predefined widgets. For example,
the Appliance Information widget tells you the appliance name, model, current
version of the Sourcefire 3D System software running on the appliance, and its
remote manager.
Each dashboard has a time range that constrains its widgets. You can change the
time range to reflect a period as short as the last hour or as long as the last year.
Each type of appliance is delivered with a default dashboard, named Default
Dashboard. This dashboard provides the casual user with basic event and system
status information for your Sourcefire 3D System deployment. Note that because
not all widgets are useful for all types of appliances, the default dashboard differs
depending on whether you are using a Master Defense Center, Defense Center,
or 3D Sensor.

Using Dashboards
Understanding Dashboard Widgets Chapter 3
By default, the home page for your appliance displays the default dashboard,
although you can configure your appliance to display a different default home
page, including pages that are not dashboard pages.
TIP! If you change the home page, you can access dashboards by selecting
Analysis & Reporting > Event Summary > Dashboards. For more information, see
Viewing Dashboards on page 91.
In addition to the default dashboard, the Defense Center is delivered with two
other predefined dashboards:
• The Flow Summary dashboard uses flow data to create tables and charts of
the activity on your monitored network; for more information on flow
summary data, see Understanding Flow Data in the Analyst Guide.
Note that Restricted Event Analysts use the Flow Summary page instead of
the Flow Summary Dashboard; see Viewing the Flow Summary Page in the
• The Detailed Dashboard provides advanced users with detailed information
about your Sourcefire 3D System deployment, and includes multiple
widgets that summarize collected IPS, RNA, compliance, and system status
data.
You can use the predefined dashboards, modify the predefined dashboards, or
create a custom dashboard to suit your needs. You can share custom dashboards
among all users of an appliance, or you can create a custom dashboard solely for
your own use. You can also set a custom dashboard as your default dashboard.
For more information, see the following sections:
• Understanding Dashboard Widgets on page 60
• Understanding the Predefined Widgets on page 65
• Working with Dashboards on page 89
Understanding Dashboard Widgets

Requires: Any Each dashboard has one or more tabs, each of which can display one or more
widgets in a three-column layout. The Sourcefire 3D System is delivered with
several predefined dashboard widgets, each of which provides insight into a

Using Dashboards
different aspect of the Sourcefire 3D System. Widgets are grouped into three
categories:
• Analysis & Reporting widgets display data about the events collected and
generated by the Sourcefire 3D System.
• Operations widgets display information about the status and overall health
of the Sourcefire 3D System.
• Miscellaneous widgets display neither event data nor operations data.
Currently the only widget in this category displays an RSS feed.
The dashboard widgets that you can view depend on the type of appliance you
are using and on your user role. In addition, each dashboard has a set of
preferences that determines its behavior. You can minimize and maximize
widgets, add and remove widgets from tabs, as well as rearrange the widgets on
a tab.
For more information, see:
• Understanding Widget Availability on page 61
• Understanding Widget Preferences on page 64
• Understanding the Predefined Widgets on page 65
Understanding Widget Availability

Requires: Any The Sourcefire 3D System is delivered with several predefined dashboard
widgets. The dashboard widgets that you can view depend on the type of
appliance you are using and on your user role:
• An invalid widget is one that you cannot view because you are using the
wrong type of appliance.
• An unauthorized widget is one that you cannot view because you do not
have the necessary account privileges.
For example, the Appliance Information widget is available on all appliances for all
user roles, while the Compliance Events widget is available only on the Defense
Center for users with Administrator, Intrusion Event Analyst, or RNA Event
Analyst account privileges.
Although you cannot add an unauthorized or invalid widget to a dashboard, if you
import a dashboard created either on a different kind of appliance or by a user
with different access privileges, that dashboard may contain unauthorized or
invalid widgets. These widgets are disabled and display error messages that
indicate the reason why you cannot view them.
Also note that widgets cannot display data to which an appliance has no access.
For example, the Master Defense Center cannot access flow data, RUA events,
RNA events, and so on. If you import a dashboard onto a Master Defense Center
that contains a Custom Analysis widget configured to display one of those data
types, the widget displays an error message.

Using Dashboards
Similarly, the content of a widget can differ depending on the type of appliance
you are using. For example, the Current Interface Status widget on a 3D Sensor
displays the status of its sensing interfaces, but on Defense Centers and Master
Defense Centers the widget displays only the status of the management
interface. Note than any content generated in table format can be sorted by
clicking on the table column header.
You can delete or minimize unauthorized and invalid widgets, as well as widgets
that display no data, keeping in mind that modifying a widget on a shared
dashboard modifies it for all users of the appliance. For more information, see
Minimizing and Maximizing Widgets on page 97 and Deleting Widgets on
page 97.
The Sourcefire Appliances and Dashboard Widget Availability table lists the valid
widgets for each appliance. An X indicates that the appliance can display the
widget.
Sourcefire Appliances and Dashboard Widget Availability
Widget Master Defense Defense Center 3D Sensor with 3D Sensor with

Center IPS (and RNA) RNA (only)
Appliance Information X X X X
Appliance Status X X
Compliance Events X X
Current Interface X X X X
Status
Current Sessions X X X X
Custom Analysis X X X X
Disk Usage X X X X
Interface Traffic X X X X
Intrusion Events X X X X
Network Compliance X
Product Licensing X
Product Updates X X X X
RSS Feed X X X X

Using Dashboards
Sourcefire Appliances and Dashboard Widget Availability (Continued)
Widget Master Defense Defense Center 3D Sensor with 3D Sensor with

Center IPS (and RNA) RNA (only)
System Load X X X X
System Time X X X X
White List Events X X
The User Roles and Dashboard Widget Availability table lists the user account
privileges required to view each widget. An X indicates the user can view the
widget.
IMPORTANT! User accounts with Restricted Event Analyst access cannot use
dashboards.
User Roles and Dashboard Widget Availability
Widget Administrator Maintenance P&R Admin IPS Analyst RNA Analyst
Appliance Information X X X X X
Appliance Status X X X X
Compliance Events X X X
Current Interface X X X X
Status
Current Sessions X
Custom Analysis X X X
Disk Usage X X X X X
Interface Traffic X X X X
Intrusion Events X X
Network Compliance X X X
Product Licensing X X

Using Dashboards
User Roles and Dashboard Widget Availability (Continued)
Widget Administrator Maintenance P&R Admin IPS Analyst RNA Analyst
Product Updates X X X
RSS Feed X X X X X
System Load X X X X X
System Time X X X X X
White List Events X X X
Understanding Widget Preferences

Requires: Any Each widget has a set of preferences that determines its behavior.
Widget preferences can be simple. For example, the following graphic shows the
preferences for the Current Interface Status widget, which displays the current
status of the network interfaces for the appliance. You can only configure the
update frequency for this widget.
Widget preferences can also be more complex. For example, the following
graphic shows the preferences for the Custom Analysis widget, which is a highly
customizable widget that allows you to display detailed information on the events
collected and generated by the Sourcefire 3D System.
To modify a widget’s preferences:

Access: Any except 1. On the title bar of the widget whose preferences you want to change, click
Restricted the show preferences icon ( ).
The preferences section for that widget appears.

Using Dashboards
Understanding the Predefined Widgets Chapter 3
2. Make changes as needed.

Your changes take effect immediately. For information on the preferences you
can specify for individual widgets, see Understanding the Predefined
Widgets on page 65.
3. On the widget title bar, click the hide preferences icon ( ) to hide the
preferences section.
Understanding the Predefined Widgets

Requires: Any The Sourcefire 3D System is delivered with several predefined widgets that,
when used on dashboards, can provide you with at-a-glance views of current
system status, including data about the events collected and generated by the
Sourcefire 3D System, as well as information about the status and overall health
of the appliances in your deployment.
For detailed information on the widgets delivered with the Sourcefire 3D System,
see the following sections:
• Understanding the Appliance Information Widget on page 66
• Understanding the Appliance Status Widget on page 67
• Understanding the Compliance Events Widget on page 67
• Understanding the Current Interface Status Widget on page 68
• Understanding the Current Sessions Widget on page 69
• Understanding the Custom Analysis Widget on page 69
• Understanding the Disk Usage Widget on page 80
• Understanding the Interface Traffic Widget on page 81
• Understanding the Intrusion Events Widget on page 81
• Understanding the Network Compliance Widget on page 82
• Understanding the Product Licensing Widget on page 84
• Understanding the Product Updates Widget on page 85
• Understanding the RSS Feed Widget on page 86
• Understanding the System Load Widget on page 87
• Understanding the System Time Widget on page 87
• Understanding the White List Events Widget on page 88
IMPORTANT! The dashboard widgets you can view depend on the type of
appliance you are using and on your user role. For more information, see
Understanding Widget Availability on page 61.

Using Dashboards
Understanding the Appliance Information Widget

Requires: Any The Appliance Information widget provides a snapshot of the appliance.
The widget provides:

• the name, management interface IP address, and model of the appliance
• the versions of the Sourcefire 3D System software, operating system,
Snort, SEU, rule pack, module pack, and vulnerability database (VDB)
installed on the appliance
• for managed appliances, the name and status of the communications link
with the managing appliance
• for Defense Centers in a high availability pair, the name, model, and
Sourcefire 3D System software and operating system versions of the peer
Defense Center, as well as how recently the Defense Centers made
contact
You can configure the widget to display more or less information by modifying the
widget preferences to display a simple or an advanced view; the preferences also
control how often the widget updates. For more information, see Understanding
Widget Preferences on page 64.

Using Dashboards
Understanding the Appliance Status Widget

Requires: DC/MDC The Appliance Status widget indicates the health of the appliance and of any
appliances it is managing. Note that because the Defense Center does not
automatically apply a health policy to managed sensors, you must manually apply
a health policy or their status appears as Disabled.
You can configure the widget to display appliance status as a pie chart or in a table
by modifying the widget preferences.
The preferences also control how often the widget updates. For more
information, see Understanding Widget Preferences on page 64.
You can click a section on the pie chart or one of the numbers on the appliance
status table to go to the Health Monitor page and view the compiled health status
of the appliance and of any appliances it is managing. For more information, see
Using the Health Monitor on page 545.
Understanding the Compliance Events Widget

Requires: DC/MDC The Compliance Events widget shows the average events per second by priority,
over the dashboard time range.

Using Dashboards
You can configure the widget to display compliance events of different priorities
by modifying the widget preferences, as well as to select a linear (incremental) or
logarithmic (factor of ten) scale.
Select one or more Priorities check boxes to display separate graphs for events of
specific priorities, including events that do not have a priority. Select Show All to
display an additional graph for all compliance events, regardless of priority. The
preferences also control how often the widget updates. For more information,
see Understanding Widget Preferences on page 64.
You can click a graph to view compliance events of a specific priority, or click the
All graph to view all compliance events. In either case, the events are constrained
by the dashboard time range; accessing compliance events via the dashboard
changes the events (or global) time window for the appliance. For more
information on compliance events, see Viewing Compliance Events in the Analyst
Guide.
Understanding the Current Interface Status Widget

Requires: Any The Current Interface Status widget shows the status of the network interfaces
for the appliance, grouped by type: management, inline, passive, and unused.
Note that only 3D Sensors have interface types other than the management
interface.
For each interface, the widget provides:

• the name of the interface
• the link state of the interface, represented by a green ball (up) or a gray ball
(down)
• the link mode (for example, 100Mb full duplex, or 10Mb half duplex) of the
interface

Using Dashboards
• the type of interface, that is, copper or fiber

• the amount of data received (Rx) and transmitted (Tx) by the interface
The widget preferences control how often the widget updates. For more
Understanding the Current Sessions Widget

Requires: Any The Current Sessions widget shows which users are logged into the appliance,
the IP address of the machine where the session originated, and the last time
each user accessed a page on the appliance (based on the local time for the
appliance). The user that represents you, that is, the user currently viewing the
widget, is marked with a user icon and is rendered in bold type.
On the Current Sessions widget, you can:

• click any user name to manage user accounts on the User Management
page; see Managing User Accounts on page 299
• click the host icon ( ) next to any IP address to view the host profile for
that computer; see Using Host Profiles in the nAnalyst Guide (Defense
Center with RNA only)
• click any IP address or access time to view the audit log constrained by that
IP address and by the time that the user associated with that IP address
logged on to the web interface; see Viewing Audit Records on page 567
The widget preferences control how often the widget updates. For more
Understanding the Custom Analysis Widget

Requires: Any The Custom Analysis widget is a highly customizable widget that allows you to
display detailed information on the events collected and generated by the
Sourcefire 3D System.
The Custom Analysis widget is delivered with several presets, which are groups
of configurations that are predefined by Sourcefire. The presets serve as
examples and can provide quick access to information about your deployment.
You can use these presets or you can create a custom configuration.
When you configure the widget preferences, you must select which table and
individual field you want to display, as well as the aggregation method that
configures how the widget groups the data it displays.

Using Dashboards
For example, if you are using Sourcefire RNA as part of your deployment, you can
configure the Custom Analysis widget to display which operating systems are
running on the hosts in your organization by configuring the widget to display OS
data from the RNA Hosts table. Aggregating this data by Count tells you how many
hosts are running each operating system.
On the other hand, aggregating by Unique OS tells you how many unique versions
of each operating system are running on the same hosts (for example, how many
unique versions of Linux, Microsoft Windows, Mac OS X, and so on).
Optionally, you can further constrain the widget using a saved search, either one
of the predefined searches delivered with your appliance or a custom search that
you created. For example, constraining the first example (operating systems

Using Dashboards
aggregated by Count) using the Local Systems search tells you how many hosts
within one hop of your 3D Sensors are running each operating system.
The colored bars in the widget background show the relative number of
occurrences of each event; you should read the bars from right to left. You can
change the color of the bars as well as the number of rows that the widget
displays. You can also configure the widget to display the most frequently
occurring events or the least frequently occurring events.
The direction icon ( ) indicates and controls the sort order of the display. A
downward-pointing icon indicates descending order; an upwards-pointing icon
indicates ascending order. To change the sort order, click the icon.
Next to each event, the widget can display one of three icons to indicate any
additions or movement from the most recent results:
• The new event icon ( ) signifies that the event is new to the results.
• The up-arrow icon ( ) indicates that the event has moved up in the
standings since the last time the widget updated. A number indicating how
many places the event has moved up appears next to the icon.
• The down-arrow icon ( ) indicates that the event has moved down in the
standings since the last time the widget updated. A number indicating how
many places the event has moved down appears next to the icon.
The widget displays the last time it updated, based on the local time of the
appliance. The widget updates with a frequency that depends on the dashboard
time range. For example, if you set the dashboard time range to an hour, the
widget updates every five minutes. On the other hand, if you set the dashboard
time range to a year, the widget updates once a week. To determine when the
dashboard will update next, hover your pointer over the Last updated notice in the
bottom left corner of the widget.
If you want information on events or other collected data over time, you can
configure the Custom Analysis widget to display a line graph, such as one that
displays the total number of intrusion events generated in your deployment over

Using Dashboards
time. For graphs over time, you can choose the time zone that the widget uses as
well as the color of the line.
Finally, you can choose a custom title for the widget.

From Custom Analysis widgets, you can invoke event views (that is, workflows)
that provide detailed information about the events displayed in the widget.
IMPORTANT! Depending on how they are configured, Custom Analysis widgets

can place a drain on an appliance’s resources; a red-shaded Custom Analysis
widget indicates that its use is harming system performance. If the widget
continues to stay red over time, you should remove the widget.

• Configuring the Custom Analysis Widget on page 72
• Viewing Associated Events from the Custom Analysis Widget on page 78
• Custom Analysis Widget Limitations on page 79
Configuring the Custom Analysis Widget

Requires: Any As with all widgets, the Custom Analysis widget has preferences that determines
its behavior. To configure a Custom Analysis widget, show the preferences as
described in Understanding Widget Preferences on page 64.
A different set of preferences appears depending on whether you configure the
widget to show relative occurrences of events (that is, a bar graph), or you
configure the widget to show a graph over time (that is, a line graph).

Using Dashboards
To configure the widget to show a bar graph, select any value except Time from
the Field drop-down list, as shown in the following graphic.
To configure the widget to show a line graph, select Time from the Field
drop-down list, as shown in the following graphic.
The following table describes the various preferences you can set in the Custom
Analysis widget.
Custom Analysis Widget Preferences
Use this To control...

preference...
Title the title of the widget.

If you do not specify a title, the appliance uses the configured
event type as the widget title.
Preset the preset for the widget.

The Custom Analysis widget is delivered with several presets,
which are groups of configurations that are predefined by
Sourcefire. The presets serve as examples and can provide
quick access to information about your deployment. You can
use these presets or you can create a custom configuration.
For a detailed list of presets, see the Custom Analysis Widget
Presets table on page 75.

Using Dashboards
Custom Analysis Widget Preferences (Continued)
Use this To control...

preference...
Table the table of events which contains the event data the widget
displays.
Field the specific field of the event type you want to display.
TIP! To display a graph over time, select Time.
Aggregate the aggregation method for the widget.

The aggregation method configures how the widget groups
the data it displays. For most event types, the default
aggregation criterion is Count.
Search the saved search you want to use to further constrain the data
that the widget displays.
You do not have to specify a search, although some presets
use predefined searches.
Show whether you want to display the most frequently occurring

events (Top) or the least frequently occurring events (Bottom).
Results the number of results rows you want to display.

You can display from 10 to 25 result rows, in increments of
five.
Show Movers whether you want to display the icons that indicate additions
or movement from the most recent results.
Time Zone which time zone you want to use to display results.
The time zone appears whenever you select a time-based
field.
Color the color of the bars in the widget background that show the
relative number of occurrences of each result.
The following table describes the available presets for the Custom Analysis
widget. It also indicates which, if any, Defense Center predefined dashboard uses

Using Dashboards
each preset. (The predefined dashboards on the Master Defense Center and
3D Sensor do not include Custom Analysis widgets.)
.
Custom Analysis Widget Presets
Preset Description Predefined Requires

Dashboards
All Intrusion Events Displays a graph of the total Default Dashboard IPS or
number of intrusion events on DC/MDC + IPS
your monitored network over the Detailed Dashboard
dashboard time range.
All Intrusion Events Displays the most frequently Detailed Dashboard IPS or
(Not Dropped) occurring types of intrusion DC/MDC + IPS
events, by classification, where
the packet was not dropped as
part of the event.
Client Applications Displays the most active client Detailed Dashboard DC + RNA
applications on your monitored
network, by application type.
Dropped Intrusion Displays counts for the most Default Dashboard IPS or
Events frequently occurring intrusion DC/MDC + IPS
events, by classification, where
the packet was dropped.
Flows by Initiator IP Displays the most active hosts Flow Summary DC + RNA
on your monitored network,
based on the number of flows
where the host initiated the
session.
Flows by Port Displays the most active ports Flow Summary DC + RNA
based on the number of
detected flows.
Flows by Responder Displays the most active hosts Flow Summary DC + RNA
IP on your monitored network,
based on the number of flows
where the host was the
responder in the session.
Flows by Service Displays the most active Flow Summary DC + RNA

services on your monitored
network, based on the number
of detected flows.

Using Dashboards
Custom Analysis Widget Presets (Continued)

Dashboards
Flows over Time Displays a graph of the total Flow Summary DC + RNA
number of flows on your
monitored network, over the
Intrusion Events Displays a count of intrusion Detailed Dashboard DC/MDC + IPS +

Requiring Analysis event requiring analysis, based RNA
on event classification.
Intrusion Events by Displays the most active hours none IPS or

Hour of the day, based on frequency DC/MDC + IPS
of intrusion events.
Intrusion Events to Displays the most frequently Detailed Dashboard DC/MDC + IPS +
High Criticality Hosts occurring types of intrusion RNA
events, based on the number of
intrusion events occurring on
high criticality hosts.
Operating Systems Displays the most common Detailed Dashboard DC + RNA

operating system, based on the
number of hosts running each
operating system within your
network.
Services Displays the most common RNA Detailed Dashboard DC + RNA

service vendors, based on the
number of hosts on the network
running services made by that
vendor.
Top Attackers Displays the most active hosts Default Dashboard IPS or
on your monitored network, DC/MDC + IPS
intrusion events where the host
was the attacking host in the
flow that caused the event.
Top Targets Displays the most active hosts Default Dashboard IPS or
on your monitored network, DC/MDC + IPS
intrusion events where the host
was the targeted host in the
flow that caused the event.

Using Dashboards

Dashboards
Traffic by Initiator IP Displays the most active hosts Detailed Dashboard DC + RNA
based on the number of Flow Summary
kilobytes per second of data
transmitted by the hosts.
Traffic by Initiator Displays the most active RUA Detailed Dashboard DC + RNA + RUA
User users on your monitored
network, based on the total
number of kilobytes of data
received by the hosts where
those users are logged in.
Traffic by Port Displays the most active Flow Summary DC + RNA

responder ports on your
monitored network, based on
the number of kilobytes per
second of data transmitted via
the port.
Traffic by Responder Displays the most active hosts Detailed Dashboard DC + RNA
IP on your monitored network,
based on the number of Flow Summary
kilobytes per second of data
received by the hosts.
Traffic by Service Displays the most active Detailed Dashboard DC + RNA

services on your monitored
network, based on the number Flow Summary
of kilobytes per second of data
transmitted by the service.
Traffic over Time Displays a graph of the total Detailed Dashboard DC + RNA
kilobytes of data transmitted on
your monitored network over the Flow Summary

Using Dashboards

Dashboards
Unique Intrusion Displays the most active none IPS or

Events by targeted hosts, based on the DC/MDC + IPS
Destination IP number of unique intrusion
events per targeted host.
Unique Intrusion Displays the number of unique none DC/MDC + IPS +

Events by Impact intrusion event types associated RNA
with each impact flag level.
White List Violations Displays the hosts with the most Detailed Dashboard DC + RNA
white list violations, by violation
count?
Viewing Associated Events from the Custom Analysis Widget

Requires: Any Depending on the kind of data that a Custom Analysis widget is configured to
display, you can invoke an event view (that is, a workflow) that provides detailed
information about the events displayed in the widget.
When you invoke an event view from the dashbaord, the events appear in the
default workflow for that event type, constrained by the dashboard time range.
This also changes the appropriate time window for the appliance, depending on
how many time windows you have configured and on what type of event you are
trying to view.
For example, if you configure multiple time windows on your Defense Center and
then access health events from a Custom Analysis widget, the events appear in
the default health events workflow, and the health monitoring time window
changes to the dashboard time range.
As another example, if you configure a single time window and then access any
type of event from the Custom Analysis widget, the events appear in the default
workflow for that event type, and the global time window changes to the
For more information on time windows, see Default Time Windows on page 29
and Specifying Time Constraints in Searches in the Analyst Guide.

Using Dashboards
To view associated events from the Custom Analysis Widget:

Access: Any except X You have two options, depending on how you configured the widget:
Restricted • On widgets configured to show relative occurrences of events (that is,
bar graphs), click any event to view associated events constrained by
the widget preferences, as well as by that event. You can also click the
View All icon in the lower right corner of the widget to view all
associated events, constrained by the widget preferences.
• On widgets configured to show flow data over time, click the View All
icon in the lower right corner of the widget to view all associated
events, constrained by the widget preferences.
For information on working with specific event types, see the following
sections:
• Viewing Audit Records on page 567
• Viewing Intrusion Events in the Analyst Guide
• Viewing RNA Network Discovery and Host Input Events in the Analyst
Guide
• Viewing Hosts in the Analyst Guide
• Viewing Host Attributes in the Analyst Guide
• Viewing Services in the Analyst Guide
• Viewing Client Applications in the Analyst Guide
• Viewing Vulnerabilities in the Analyst Guide
• Viewing Flow Data in the Analyst Guide
• Viewing RUA Users in the Analyst Guide
• Viewing RUA Events in the Analyst Guide
• Viewing Compliance Events in the Analyst Guide
• Viewing White List Events in the Analyst Guide
• Viewing White List Violations in the Analyst Guide
• Viewing the SEU Import Log in the Analyst Guide
• Working with Active Scan Results in the Analyst Guide
• Understanding Custom Tables in the Analyst Guide
Custom Analysis Widget Limitations

Requires: Any There are some important points to keep in mind when using the Custom
Analysis widget.
If you are configuring the widget on a shared dashboard, remember that not all
users can view data of all event types, depending on the user’s account
privileges. For example, Intrusion Event Analysts cannot view RNA events.
Similarly, if you are using a dashboard imported from another appliance,
remember that not all appliances have access to data of all event types. For

Using Dashboards
example, the Master Defense Center does not store flow data. If your dashboard
includes a Custom Analysis widget that displays data that you cannot see, the
widget indicates that you are unauthorized to view the data. Note, however, that
you (and any other users who share the dashboard) can modify the preferences of
the widget to display data that you can see, or even delete the widget. If you
want to make sure that this does not happen, save the dashboard as private.
Remember that only you can access searches that you have saved as private. If
you configure the widget on a shared dashboard and constrain its events using a
private search, the widget resets to not using the search when another user logs
in. This affects your view of the widget as well. If you want to make sure that this
does not happen, save the dashboard as private.
You enable or disable the Custom Analysis widget from the Dashboard settings in
your system policy. For more information, see Configuring Dashboard Settings on
page 331.
Understanding the Disk Usage Widget

Requires: Any The Disk Usage widget indicates the percentage of space used on each partition
of the appliance’s hard drive. It also shows the capacity of each partition.
You can configure the widget to display just the root (/) and /volume partition
usage, or you can show these plus the /boot partition usage by modifying the
widget preferences.
The widget preferences also control how often the widget updates, as well as
whether it displays the current disk usage or collected disk usage statistics over
the dashboard time range. For more information, see Understanding Widget
Preferences on page 64.

Using Dashboards
Understanding the Interface Traffic Widget

Requires: Any The Interface Traffic widget shows the rate of traffic received (Rx) and transmitted
(Tx) on the appliance’s interfaces over the dashboard time range. Note that only
3D Sensors have interfaces other than the management interface.
The widget preferences control how often the widget updates. On 3D Sensors,
the preferences also control whether the widget displays the traffic rate for
unused interfaces (by default, the widget only displays the traffic rate for
interfaces that belong to an interface set). For more information, see
Understanding Widget Preferences on page 64.
Understanding the Intrusion Events Widget

Requires: IPS or DC/ The Intrusion Events widget shows the rate of intrusion events that occurred over
MDC + IPS the dashboard time range. On the Defense Center and Master Defense Center,
this includes statistics on intrusion events of different impacts.
On the 3D Sensor, the widget can display statistics for dropped intrusion events,
all intrusion events, or both. Note that for managed 3D Sensors, you must enable
local event storage or the widget will not have any data to display.
On the Defense Center and Master Defense Center, you can configure the
widget to display intrusion events of different impacts by modifying the widget
preferences. On the 3D Sensor, you cannot configure the widget to display

Using Dashboards
intrusion events by impact. On either appliance, you can display dropped events.
The following graphic shows the Defense Center version of the widget
preferences.
In the widget preferences, you can:

• Requires: DC/MDC select one or more Event Flags check boxes to display
separate graphs for events of specific impacts; select All to display an
additional graph for all intrusion events, regardless of impact or rule state;
see Using Impact Flags to Evaluate Events in the Analyst Guide
• select Show to choose Events per second or Total events
• select Vertical Scale to choose Linear (incremental) or Logarithmic (factor of
ten) scale
On the Intrusion Events widget, you can:
• Requires: DC/MDC click a graph corresponding to a specific impact to view
intrusion events of that impact
• click the graph corresponding to dropped events to view dropped events
• click the All graph to view all intrusion events
Note that the resulting event view is constrained by the dashboard time range;
accessing intrusion events via the dashboard changes the events (or global) time
window for the appliance. For more information on intrusion events, see Viewing
Intrusion Events in the Analyst Guide.
Understanding the Network Compliance Widget

Requires: DC The Network Compliance widget summarizes your hosts’ compliance with the
compliance white lists you configured (see Using RNA as a Compliance Tool in
the Analyst Guide). By default, the widget displays a pie chart that shows the

Using Dashboards
number of hosts that are compliant, non-compliant, and that have not been
evaluated, for all compliance white lists that you have created.
You can configure the widget to display network compliance either for all white
lists, or for a specific white list, by modifying the widget preferences.
Note that if you choose to display network compliance for all white lists, the
widget considers a host to be non-compliant if it is not compliant with any of the
white lists on the Defense Center, including white lists that are no longer in active
compliance policies. To bring these hosts into compliance, delete the unused
white lists.
You can also use the widget preferences to specify which of three different styles
you want to use to display network compliance.
The Network Compliance style (the default) displays a pie chart that shows the
number of hosts that are compliant, non-compliant, and that have not been
evaluated. You can click the pie chart to view the host violation count, which lists
the hosts that violate at least one white list. For more information, see Viewing
White List Violations in the Analyst Guide.

Using Dashboards
The Network Compliance over Time (%) style displays a stacked area graph showing
the relative proportion of hosts that are compliant, non-compliant, and that have
not yet been evaluated, over the dashboard time range.
The Network Compliance over Time style displays a line graph that shows the
number of hosts that are compliant, non-compliant, and that have not yet been
evaluated, over the dashboard time range.
The preferences control how often the widget updates. You can check the Show
Not Evaluated box to hide events which have not been evaluated. For more
Understanding the Product Licensing Widget

Requires: DC The Product Licensing widget shows the feature licenses currently installed on
the Defense Center. It also indicates the number of items (such as hosts or users)
licensed and the number of remaining licensed items allowed.
The top section of the widget displays all of the feature licenses installed on the
Defense Center, including temporary licenses, while the Temporary Licenses
section displays only temporary and expired licenses. For example, if you have
two feature licenses for RNA Hosts, one of which is a permanent license and

Using Dashboards
allows 750 hosts, and another that is temporary and allows an additional 750
hosts, the top section of the widget displays an RNA Hosts feature license with
1500 licensed hosts, while the Temporary Licenses section displays an RNA
Hosts feature license with 750 hosts.
The bars in the widget background show the percentage of each type of license
that is being used; you should read the bars from right to left. Expired licenses are
marked with a strikethrough.
You can configure the widget to display either the features that are currently
licensed, or all the features that you can license, by modifying the widget
preferences. The preferences also control how often the widget updates. For
more information, see Understanding Widget Preferences on page 64.
You can click any of the license types to go to the License page of the System
Settings and add or delete feature licenses. For more information, see Managing
Your Feature Licenses on page 370.
Understanding the Product Updates Widget

Requires: Any The Product Updates widget provides you with a summary of the software
(Sourcefire 3D System software, SEU, and VDB) currently installed on the
appliance as well as information on available updates that you have downloaded,
but not yet installed, for that software.
Note that the widget displays Unknown as the latest version of the software
unless you have configured a scheduled task to download, push, or install
software updates; the widget uses scheduled tasks to determine the latest
version. For more information, see Scheduling Tasks on page 425.
The widget also provides you with links to pages where you can update the
software; the Defense Center version of the widget provides you with similar
links so you can update the software on your managed sensors. Note that you
cannot update the VDB on a sensor or a Master Defense Center.
You can configure the widget to hide the latest versions by modifying the widget
preferences. The preferences also control how often the widget updates. For
more information, see Understanding Widget Preferences on page 64.

Using Dashboards
On the Product Updates widget, you can:

• manually update an appliance by clicking the current version of the
Sourcefire 3D System software, SEU, or VDB; see Updating System
Software on page 398 and Importing SEUs and Rule Files in the Analyst
Guide
• create a scheduled task to download the latest version of the Sourcefire 3D
System software, SEU, or VDB by clicking either the latest version or the
Unknown link in the Latest column; see Scheduling Tasks on page 425
Understanding the RSS Feed Widget

Requires: Any The RSS Feed widget adds an RSS feed to a dashboard. By default, the widget
shows a feed of Sourcefire company news.
You can also configure the widget to display a preconfigured feed of Sourcefire
security news, or you can create a custom connection to any other RSS feed by
specifying its URL in the widget preferences.
Feeds update every 24 hours (although you can manually update the feed) and
the widget displays the last time the feed was updated based on the local time of
the appliance. Keep in mind that the appliance must have access to the
Sourcefire web site (for the two preconfigured feeds) or to any custom feed you
configure.
When you configure the widget, you can also choose how many stories from the
feed you want to show in the widget, as well as whether you want to show
descriptions of the stories along with the headlines; keep in mind that not all RSS
feeds use descriptions.

Using Dashboards
On the RSS Feed widget, you can:

• click one of the stories in the feed to view the story
• click the more link to go to the feed’s web site
• click the update icon ( ) to manually update the feed
Understanding the System Load Widget

Requires: Any The System Load widget shows the CPU usage (for each CPU), memory (RAM)
usage, and system load (also called the load average, measured by the number of
processes waiting to execute) on the appliance, both currently and over the
You can configure the widget to show or hide the load average by modifying the
widget preferences. The preferences also control how often the widget updates.
For more information, see Understanding Widget Preferences on page 64.
Understanding the System Time Widget

Requires: Any The System Time widget shows the local system time, uptime, and boot time for
the appliance.
You can configure the widget to hide the boot time by modifying the widget
preferences. The preferences also control how often the widget synchronizes
with the appliance’s clock. For more information, see Understanding Widget
Preferences on page 64.

Using Dashboards
Understanding the White List Events Widget

Requires: DC/MDC The White List Events widget shows the average events per second by priority,
over the dashboard time range.
You can configure the widget to display white list events of different priorities by
modifying the widget preferences.
In the widget preferences, you can:

• select one or more Priorities check boxes to display separate graphs for
events of specific priorities, including events that do not have a priority
• select Show All to display an additional graph for all white list events,
regardless of priority
• select Vertical Scale to choose Linear (incremental) or Logarithmic (factor of
ten) scale
You can click a graph to view white list events of a specific priority, or click the All
graph to view all white list events. In either case, the events are constrained by
the dashboard time range; accessing white list events via the dashboard changes
the events (or global) time window for the Defense Center. For more information
on white list events, see Viewing White List Events in the Analyst Guide.

Using Dashboards
Working with Dashboards Chapter 3
Working with Dashboards

Requires: Any You manage dashboards on the Dashboard List page (see Viewing Dashboards on
page 91). You can create, view, modify, export, and delete dashboards.
For each dashboard, the page indicates the owner (that is, the user who created
it) and whether a dashboard is private. Note that, unless you have Admin access,
you can only see your own private dashboards; you cannot view or modify private
dashboards created by other users.
Finally, the page indicates which dashboard is the default. You specify the default
dashboard in your user preferences; for more information, see Specifying Your
Default Dashboard on page 35.
For more information on working with dashboards, see:
• Creating a Custom Dashboard on page 89
• Viewing Dashboards on page 91
• Modifying Dashboards on page 93
• Deleting a Dashboard on page 97
• Exporting a Dashboard on page 585
Creating a Custom Dashboard

Requires: Any When you create a new dashboard, you can choose to base it on any pre-existing
dashboard, including the Sourcefire default dashboard, or on any user-defined
dashboard. This makes a copy of the pre-existing dashboard; you can modify this
copy to suit your needs. Optionally, you can create a blank new dashboard by
choosing not to base your dashboard on any pre-existing dashboards.
You must also specify (or disable) the tab change and page refresh intervals.
These settings determine how often the dashboard cycles through its tabs and
how often the entire dashboard page refreshes.
Refreshing the entire dashboard allows you to see any preference or layout
changes that were made to a shared dashboard by another user, or that you made
to a private dashboard on another computer, since the last time the dashboard
refreshed. This can be useful, for example, in a network operations center (NOC)
where a dashboard is displayed at all times. If you want to make changes to the
dashboard, you can make the changes at a local computer. Then, the dashboard in
the NOC automatically refreshes at the interval you specify and displays your
changes without you having to manually refresh the dashboard in the NOC. Note
that you do not need to refresh the entire dashboard to see data updates;
individual widgets update according to their preferences.

Using Dashboards
Finally, you can choose to associate the new dashboard with your user account by
saving it as a private dashboard. If you choose not to save the dashboard as
private, all other users of the appliance can view it.
Keep in mind that because not all user roles have access to all dashboard
widgets, users with fewer permissions viewing a dashboard created by a user
with more permissions may not be able to use all of the widgets on the
dashboard. Although the unauthorized widgets still appear on the dashboard, they
are disabled.
You should also keep in mind that any user, regardless of role, can modify shared
dashboards. If you want to make sure that only you can modify a particular
dashboard, save it as private.
TIP! Instead of creating a new dashboard, you can export a dashboard from
another appliance and then import it onto your appliance. You can then edit the
imported dashboard to suit your needs. Note that the dashboard widgets you can
view depend on the type of appliance you are using and on your user role; for
example, a dashboard created on the Defense Center and imported onto a
3D Sensor or Master Defense Center may display some invalid, disabled widgets.
For more information, see Importing and Exporting Objects on page 583.
To create a new dashboard:

Access: Any except 1. Select Analysis & Reporting > Event Summary > Dashboards.
Restricted If you have a default dashboard defined, it appears. If you do not have a
default dashboard defined, the Dashboard List page appears.
2. In either case, click New Dashboard.
The New Dashboard page appears.
3. Use the Copy Dashboard drop-down list to select the dashboard on which you
want to base the new dashboard.
You can select any predefined or user-defined dashboard. Optionally, select
None (the default) to create a blank dashboard.
4. Type a name and optional description for the dashboard.

Using Dashboards
5. In the Change Tabs Every field, specify (in minutes) how often the dashboard
should change tabs.
Unless you pause the dashboard or your dashboard has only one tab, this
setting advances your view to the next tab at the interval you specify. To
disable tab cycling, enter 0 in the Change Tabs Every field.
6. In the Refresh Page Every field, specify (in minutes) how often the current
dashboard tab should refresh with new data. This value must be greater than
the Change Tabs Every setting.
Unless you pause the dashboard, this setting will refresh the entire
dashboard at the interval you specify. To disable the periodic page refresh,
enter 0 in the Refresh Page Every field.
Note that this setting is separate from the update interval available on many
individual widgets; although refreshing the dashboard page resets the update
interval on individual widgets, widgets will update according to their individual
preferences even if you disable the Refresh Page Every setting.
7. Optionally, select the Save As Private check box to associate the dashboard
with your user account and to prevent other users from viewing and
modifying the dashboard.
8. Click Save.
Your dashboard is created and appears in the web interface. You can now
tailor it to suit your needs by adding tabs and widgets (and, if you based it on
a pre-existing dashboard, by rearranging and deleting widgets). For more
information, see Modifying Dashboards on page 93.
Viewing Dashboards
Requires: Any By default, the home page for your appliance displays the default dashboard. If
you do not have a default dashboard defined, the home page shows the
Dashboard List page, where you can choose a dashboard to view. To view the
details of all available dashboards, click Dashboards from the Dashboard toolbar.
TIP! You can configure your appliance to display a different default home page,
including pages that are not dashboard pages. You can also change the default
dashboard. For more information, see Specifying Your Home Page on page 35
and Specifying Your Default Dashboard on page 35.
Each dashboard has a time range that constrains its widgets. You can change the
time range to reflect a period as short as the last hour (the default) or as long as
the last year. When you change the time range, the widgets that can be
constrained by time automatically update to reflect the new time range.
Note that not all widgets can be constrained by time. For example, the dashboard
time range has no effect on the Appliance Information widget, which provides

Using Dashboards
information the includes the appliance name, model, and current version of the
Sourcefire 3D System software.
Keep in mind that for enterprise deployments of the Sourcefire 3D System,
changing the time range to a long period may not be useful for widgets like the
Custom Analysis widget, depending on how often newer events replace older
events.
You can also pause a dashboard, which allows you to examine the data provided
by the widgets without the display changing and interrupting your analysis.
Pausing a dashboard has the following effects:
• Individual widgets stop updating, regardless of any Update Every widget
preference.
• Dashboard tabs stop cycling, regardless of the Cycle Tabs Every setting in the
dashboard properties.
• Dashboard pages stop refreshing, regardless of the Refresh Page Every
setting in the dashboard properties.
• Changing the time range has no effect.
When you are finished with your analysis, you can unpause the dashboard.
Unpausing the dashboard causes all the appropriate widgets on the page to
update to reflect the current time range. In addition, dashboard tabs resume
cycling and the dashboard page resumes refreshing according to the settings you
specified in the dashboard properties.
IMPORTANT! Although your session normally logs you out after 3.5 hours of
inactivity, this will not happen while you are viewing a dashboard, unless the
dashboard is paused.
To view a dashboard:
Access: Any except X Select Analysis & Reporting > Event Summary > Dashboards. You have two
Restricted options, depending on whether you have a default dashboard defined:
• If you have a default dashboard defined, it appears. To view a different
dashboard, use the Dashboards menu on the toolbar.
• If you do not have a default dashboard defined, the Dashboard List page
appears. Click View next to the dashboard you want to view.
The dashboard you selected appears.
To change the dashboard time range:

Access: Any except X From the Show the Last drop-down list, choose a dashboard time range.
Restricted Unless the dashboard is paused, all appropriate widgets on the page update
to reflect the new time range.

Using Dashboards
To pause the dashboard:

Access: Any except X On the time range control, click the pause icon ( ).
Restricted The dashboard is paused until you unpause it.
To unpause the dashboard:

Access: Any except X On the time range control of a paused dashboard, click the play icon ( ).
Restricted The dashboard is unpaused.
Modifying Dashboards
Requires: Any Each dashboard has one or more tabs. You can add, delete, and rename tabs.
Note that you cannot change the order of dashboard tabs.
Each tab can display one or more widgets in a three-column layout. You can
minimize and maximize widgets, add and remove widgets from tabs, as well as
rearrange the widgets on a tab.
You can also change the basic dashboard properties, which include its name and
description, the tab cycle and page refresh intervals, and whether you want to
share the dashboard with other users.
IMPORTANT! Any user, regardless of role, can modify shared dashboards. If you
want to make sure that only you can modify a particular dashboard, make sure to
set it as a private dashboard in the dashboard properties.
For more information, see the following sections

• Changing Dashboard Properties on page 93
• Adding Tabs on page 94
• Deleting Tabs on page 95
• Renaming Tabs on page 95
• Adding Widgets on page 95
• Rearranging Widgets on page 97
• Minimizing and Maximizing Widgets on page 97
• Deleting Widgets on page 97
Changing Dashboard Properties

Requires: Any Use the following procedure to change the basic dashboard properties, which
include its name and description, the tab cycle and page refresh intervals, and
whether you want to share the dashboard with other users.

Using Dashboards
To change a dashboard’s properties:

Restricted If you have a default dashboard defined, it appears; continue with the next
step.
If you do not have a default dashboard defined, the Dashboard List page
appears; skip to step 3.
2. On the toolbar, click Dashboards.
The Dashboard List page appears.
3. Click Edit next to the dashboard whose properties you want to change.
The Edit Dashboard page appears. See Creating a Custom Dashboard on
page 89 for information on the various configurations you can change.
4. Make changes as needed and click Save.

The dashboard is changed.
Adding Tabs
Requires: Any Use the following procedure to add a tab to a dashboard.
To add a tab to a dashboard:

Access: Any except 1. View the dashboard where you want to add a tab.
Restricted For more information, see Viewing Dashboards on page 91.
2. To the right of the existing tabs, click the add tab icon ( ).
A pop-up window appears, prompting you to name the tab.
3. Type a name for the tab and click OK, or simply click OK to accept the default
name. Note that you can rename the tab at any time; see Renaming Tabs on
page 95.
The new tab is added.
You can now add widgets to the new tab. For more information, see Adding
Widgets on page 95.

Using Dashboards
Deleting Tabs
Requires: Any Use the following procedure to delete a dashboard tab and all its widgets. You
cannot delete the last tab from a dashboard; each dashboard must have at least
one tab.
To delete a tab from a dashboard:

Access: Any except 1. View the dashboard where you want to delete a tab.
2. On the tab you want to delete, click the delete icon ( ).
3. Confirm that you want to delete the tab.
The tab is deleted.
Renaming Tabs
Requires: Any Use the following procedure to rename a dashboard tab.
To rename a tab:
Access: Any except 1. View the dashboard where you want to rename a tab.
2. Click the tab you want to rename.
3. Click the tab title.
A pop-up window appears, prompting you to rename the tab.
4. Type a name for the tab and click OK.
The tab is renamed.
Adding Widgets
Requires: Any To add a widget to a dashboard, you must first decide to which tab you want to
add the widget. When you add a widget to a tab, the appliance automatically adds
it to the column with the fewest widgets. If all columns have an equal number of
widgets, the new widget is added to the left-most column. You can add a
maximum of 15 widgets to a dashboard tab.
TIP! After you add widgets, you can move them to any location on the tab. You
cannot, however, move widgets from tab to tab. For more information, see
Rearranging Widgets on page 97.
To add a widget to a dashboard:

Access: Any except 1. View the dashboard where you want to add a widget.

Using Dashboards
2. Select the tab where you want to add the widget.

3. Click Add Widgets.
The Add Widgets page appears.
The widgets that you can add depend on the type of appliance you are using
and on your user role. They are organized according to function: Analysis &
Reporting, Operations, and Miscellaneous. You can view the widgets in each
category by clicking on the category name, or you can view all widgets by
clicking All Categories.
4. Click Add next to the widgets you want to add.
TIP! To add multiple widgets of the same type (for example, you may want
to add multiple RSS Feed widgets, or multiple Custom Analysis widgets),
click Add again.
The widget is immediately added to the dashboard. The Add Widgets page
indicates how many widgets of each type are on the tab, including the widget
you just added.
5. Optionally, when you are finished adding widgets, click Done to return to the
dashboard.
The tab where you added the widgets appears again, reflecting the changes
you made.

Using Dashboards
Rearranging Widgets
Requires: Any You can change the location of any widget on a tab. Note, however, that you
cannot move widgets from tab to tab. If you want a widget to appear on a
different tab, you must delete it from the existing tab and add it to the new tab.
To move a widget:
Access: Any except X Click the title bar of the widget you want to move, then drag it to its new
Restricted location.
Minimizing and Maximizing Widgets

Requires: Any You can minimize widgets to simplify your view, then maximize them when you
want to see them again.
To minimize a widget:
Access: Any except X Click the minimize icon ( ) in a widget’s title bar.
Restricted
To maximize a widget:
Access: Any except X Click the maximize icon ( ) in a minimized widget’s title bar.
Restricted
Deleting Widgets
Requires: Any Delete a widget if you no longer want to view it on a tab.
To delete a widget:
Access: Any except 1. Click the close icon ( ) in the title bar of the widget.
Restricted
2. Confirm that you want to delete the widget.
The widget is deleted from the tab.
Deleting a Dashboard
Requires: Any Delete a dashboard if you no longer need to use it.
If you delete your default dashboard, you must define a new default or the
appliance will force you to select a dashboard to view every time you attempt to
view a dashboard. For more information, see Specifying Your Default Dashboard
on page 35.
To delete a dashboard:
Restricted If you have a default dashboard defined, it appears; continue with the next
step.

Using Dashboards

3. Click Delete next to the dashboard you want to delete.
4. Confirm that you want to delete the dashboard.
The dashboard is deleted.

Chapter 4
Administrator Guide
Using the Defense Center
The Sourcefire Defense Center is a key component in the Sourcefire 3D System.

You can use the Defense Center to manage the full range of sensors that are a
part of the Sourcefire 3D System, and to aggregate, analyze, and respond to the
threats they detect on your network.
By using the Defense Center to manage sensors, you can configure policies for all
your sensors from a single location, making it easier to change configurations. In
addition, you can push various types of software updates to sensors. You can also
push health policies to your managed sensors and monitor their health status
from the Defense Center.
The Defense Center aggregates and correlates intrusion events, network
discovery information, and sensor performance data, allowing you to monitor the
information that your sensors are reporting in relation to one another and to
assess the overall activity occurring on your network.
IMPORTANT! Some of the components in the Sourcefire 3D System (such as the

Virtual 3D Sensors, 3Dx800 sensors, Intrusion Agents, RNA Software for Red Hat
Linux, and Crossbeam-based software sensors) do not provide a web interface
that you can use to view events or manage policies. You must use a Defense
Center if your deployment includes any of these products.

Management Concepts Chapter 4
See the following sections for more information about using the Defense Center
to manage your sensors:
• Management Concepts on page 100 describes some of the features and
limitations involved with managing your sensors with a Defense Center.
• Working in NAT Environments on page 112 describes the principles of
setting up the management of your sensors in Network Address Translation
environments.
• Working with Sensors on page 113 describes how to establish and disable
connections between sensors and your Defense Center. It also explains
how to add, delete, and change the state of managed sensors and how to
reset management of a sensor.
• Managing Sensor Groups on page 131 describes how to create sensor
groups as well as how to add and remove sensors from groups.
• Editing a Managed Sensor’s System Settings on page 133 describes the
sensor attributes you can edit and explains how to edit them.
• Managing a Clustered Pair on page 140 describes how to create a clustered
pair of 3D9900s and how to remove 3D9900s from clusters.
• Configuring High Availability on page 145 describes how to set up two
Defense Centers as a high availability pair to help ensure continuity of
operations.
Management Concepts
Requires: DC You can use a Defense Center to manage nearly every aspect of a sensor’s
behavior. You can only use a single Defense Center to manage your sensor unless
you are using a second Defense Center as a part of a high availability pair. The
sections that follow explain some of the concepts you need to know as you plan
your Sourcefire 3D System deployment.
• The Benefits of Managing Your Sensors on page 100
• What Can Be Managed by a Defense Center? on page 101
• Understanding Software Sensors on page 105
• Beyond Policies and Events on page 111
• Using Redundant Defense Centers on page 112
The Benefits of Managing Your Sensors

Requires: DC There are several benefits to using a Defense Center to manage your sensors.
First, you can use the Defense Center as a central point of management. Instead
of managing each sensor using its own local web interface, you can use the
Defense Center’s web interface to accomplish nearly any task on any sensor it
manages. For example, you can create an intrusion policy on the Defense Center
and apply it to all your managed 3D Sensors with IPS. This saves you from having

to replicate the intrusion policy on each sensor, which can be a laborious task
depending on how many of the thousands of intrusion rules you want to enable or
disable. There is a similar savings when you create and apply RNA appliance and
detection policies to managed 3D Sensors with RNA.
You can also create and apply system policies to your managed sensors. A
system policy controls several appliance-level settings such as the login banner
and the access control list. Because most of the sensors in your deployment are
likely to have similar settings in the system policy, you can create the policy on
the Defense Center and push it to the appropriate sensors instead of replicating it
locally.
Second, when you manage a sensor with a Defense Center, all the intrusion
events and RNA events are automatically sent to the Defense Center. You can
view the events from a single web interface instead of having to log into each
sensor’s interface to view the events there. You can also generate reports based
on events from multiple sensors.
Third, if your Defense Center manages sensors with IPS and RNA, and those
sensors view the same network traffic, then the Defense Center can correlate the
intrusion events it receives with the information about hosts that RNA provides.
The Defense Center can then assign impact flags to each intrusion event. The
impact flag indicates how likely it is that an intrusion attempt will affect its target.
Fourth, you can use your Defense Center to configure external authentication
through an Lightweight Directory Access Protocol (LDAP) or Remote
Authentication Dial In User Service (RADIUS) server. You can use user
information from an external server to authenticate users on your Sourcefire 3D
System appliances. By pushing a system policy with configured authentication
objects to your sensor, you push the external authentication object to the sensor.
External authentication cannot be managed on the sensor, so you must use the
Defense Center to manage it.
Finally, the Defense Center includes a feature called health monitoring that you
can use to check the status of critical functionality across your Sourcefire 3D
System deployment. You can take advantage of health monitoring by applying
health policies to each of your managed sensors and then reviewing the health
data that they send back to the Defense Center. You can also apply a health policy
to the Defense Center to monitor its health.
What Can Be Managed by a Defense Center?

Requires: DC You can use your Defense Center as a central management point in a Sourcefire
3D System deployment to manage the following devices:
• Sourcefire 3D Sensors
• RNA Software for Red Hat Linux

• 3D Sensor Software for Crossbeam Systems X-Series

• Intrusion Agents on various platforms
IMPORTANT! Sourcefire recommends that you manage no more than three

3D Sensors with the DC500 model Defense Center. You can also use a DC500 to
manage Sourcefire 3D Sensor software on approved platforms, as well as
intrusion agents and RNA software on approved platforms. For details on DC500
database limitations see Database Event Limits on page 333.
When you manage a sensor (or a software sensor), information is transmitted

between the Defense Center and the sensor over a secure, SSL-encrypted TCP
tunnel.
The following illustration lists what is transmitted between a Sourcefire Defense
Center and its managed sensors. Note that the types of events and policies that
are sent between the appliances are based on the sensor type.
If you apply a policy on a sensor before you begin managing it with a Defense
Center, you can see a read-only version of the policy on the Defense Center’s
web interface.

Similarly, after you set up communications with a Defense Center and apply
policies from the Defense Center to your sensor, you can see a read-only version
of the running policies on the sensor’s web interface. The following graphics
illustrate this process. First, before you set up sensor management, each
appliance has its own policies:

Then, after communications are set up, read-only versions of running policies
(represented by the dotted lines) are available:
The appliance where you originally create a policy is the policy’s “owner” and is
identified that way if you view the policy on a different appliance. For example, the
following graphic shows the Detection Engine page on a 3D Sensor with IPS. The
Sample Intrusion Policy that is currently applied to the sensor’s two detection
engines was created on the Defense Center (pine.example.com).
If you want to edit a policy, you must do it on the appliance where the policy was
created.
TIP! After you set up management with a Defense Center, Sourcefire

recommends that you use only the Defense Center’s web interface to view
events and manage policies for your managed sensors.

The following user-created data and configurations are retained locally on the
sensor and are not shared with the Defense Center:
• user accounts
• user preferences
• bookmarks
• saved searches
• custom workflows
• report profiles
• audit events
• syslog messages
• reviewed status for intrusion events (IPS only)
• contents of the clipboard (IPS only)
• incidents (IPS only)
If you create custom fingerprints on the Defense Center, they are automatically
shared with managed 3D Sensors with RNA.
Also note that operations you perform on data on one appliance are not
transmitted to other appliances. For example, if you delete an intrusion event
from the Defense Center, the event remains on the sensor that discovered it.
Similarly, deleting an intrusion event from a sensor does not delete it from the
Defense Center.
Understanding Software Sensors

Requires: DC Several of the sensors you can manage with a Defense Center are software-
based sensors. A software-based sensor is a software-only installation of
Sourcefire 3D System sensor software. The following Sourcefire 3D System
sensors are software-based:
• Intrusion Agents for various platforms - for more information, see Managing
Intrusion Agents on page 106
• 3D5800, 3D3800, and 3D9800 sensors - for more information, see
Managing 3Dx800 Sensors on page 107.
• RNA Software for Red Hat Linux - for more information, see Managing RNA
Software for Red Hat Linux on page 109
• 3D Sensor Software with RNA for Crossbeam X-Series - for more
information, see Managing 3D Sensor Software with RNA for Crossbeam
on page 110
• 3D Sensor Software with IPS for Crossbeam X-Series - for more
information, see Managing 3D Sensor Software with IPS for Crossbeam on
page 110

Software-based sensors do not have a user interface on the sensor; they can only
be managed from a Defense Center. In addition, some of the functionality in the
Defense Center interface cannot be used with software-based sensors. For some
software-based sensors, certain aspects of functionality are managed through
the operating system or other features on the appliance.
Managing Intrusion Agents

Requires: DC The Sourcefire Intrusion Agent transmits events generated by open source Snort
sensor installations to the Sourcefire Defense Center. These events can then be
viewed along with data from 3D Sensors with IPS so you can easily analyze all the
intrusion information gathered on your network.
The Defense Center cannot apply intrusion policies to the Intrusion Agent. You
must tune your Snort rules and options manually on the computer where the
Intrusion Agent resides. Also, high availability is not supported on Intrusion
Agents.


See the Supported Features for Intrusion Agents table for more information.
Supported Features for Intrusion Agents
Supported through Defense Center Supported through CLI and .conf Not Supported
files
• Intrusion event collection and • Process management • Detection engine

management • Registration of remote management
• Licensing manager • Event storage on sensor
• Reports generated on the • Rules tuning • Health policy apply
Defense Center • High availability
synchronization
• Host Statistics
• Interface set
management
• Intrusion policy apply
• Network interface
management
• Network settings
• Performance Statistics
• Remote backup and
restore
• Remote reports
• Sensor information
management (System
Settings)
• SEU updates
• Software updates
• System policy apply
• Time settings
Managing 3Dx800 Sensors

Requires: DC + Sourcefire 3D Sensor 3800, 3D Sensor 5800, and 3D Sensor 9800 models
3D Sensor (usually referred to as the 3Dx800 sensors) provide many of the features found on
other 3D Sensors. However, because these models do not have a web interface
and because configuration and event data cannot be stored on the sensors,

certain features cannot be used with these sensors. See the Supported Features
for 3Dx800 Sensors table for more information.
Supported Features for 3Dx800 Sensors
Supported through Defense Center Supported through CLI Not Supported
All 3Dx800 models: • Network interface • Custom fingerprinting

• Detection engine management management • Event storage on sensor
• Health policy apply • Network settings • Remote backup and
• High availability synchronization • Registration of remote restore
manager • Remote reports
• Host Statistics
• Interface set management
• Intrusion policy apply (no OPSEC
support)
• Intrusion event collection and
management
• Licensing
• Performance Statistics (may be
underreported because of
multiple detection resources)
• Process management
• Reports generated on the
Defense Center
• Sensor information management
(System Settings)
• SEU updates
• System policy apply
• Time settings
3D3800 and 3D5800 only:
• Compliance policy apply
• RNA and compliance event
collection and management
• RNA detection policy apply
• VDB updates

Managing RNA Software for Red Hat Linux

Requires: DC RNA Software for Red Hat Linux provides many of the features found on
3D Sensors with RNA. However, not all of the features function in the same
manner. See the Supported Features for RNA Software for Red Hat Linux table for
more information.
Supported Features for RNA Software for Red Hat Linux
Supported through Defense Center Supported through CLI Not Supported
• Compliance policy apply • Network interface • Custom fingerprinting

• Detection engine management management • Event storage on sensor
• High availability synchronization • Network settings • Health policy apply
• Host Statistics • Process management • Remote backup and
• Interface set management • Registration of remote restore
manager • Remote reports
• Licensing
• Time settings • System policy apply
• Performance Statistics
• Reports generated on the
Defense Center
• RNA detection policy apply
• Sensor information management
(System Settings)
• VDB updates

Managing 3D Sensor Software with RNA for Crossbeam

Requires: DC 3D Sensor Software with RNA for Crossbeam provides many of the features
found on 3D Sensors with RNA. However, not all of the features function in the
same manner. See the Supported Features for RNA on Crossbeam table for more
information.
Supported Features for RNA on Crossbeam
Supported through Defense Center Supported through Not Supported

Crossbeam X-Series
CLI
• Compliance policy apply • Backup and • Custom

• Detection engine restore fingerprinting
management • Network • Event storage
• High availability interface on sensor
synchronization management • Health policy
• Host Statistics • Network apply
settings • Remote
• Interface set management
• Process backup and
• Licensing management restore
• Performance Statistics • Registration of • Remote
• Reports generated on the remote reports
Defense Center manager • System policy
• RNA detection policy apply • Time settings apply
management (in System
Settings)
• VDB updates
Managing 3D Sensor Software with IPS for Crossbeam

Requires: DC 3D Sensor Software with IPS for Crossbeam provides many of the features found
on 3D Sensors with IPS. However, because the Crossbeam sensors do not have
a user interface and because configuration and event data cannot be stored on

the sensors, certain features cannot be used with this software. See the
Supported Features for IPS on Crossbeam table for more information.
Supported Features for IPS on Crossbeam
Supported through Defense Center Supported through Not Supported

Crossbeam X-Series
CLI
• Detection engine • Backup and • Custom

management restore fingerprinting
• High availability • Network • Event storage
synchronization interface on sensor
• Host Statistics management • Health policy
• Interface set management • Network apply
settings • Remote
• Intrusion policy apply
• Process backup and
• Intrusion event collection and management restore
management
• Registration of • Remote
• Licensing remote reports
• Performance Statistics manager • System policy
• Reports generated on the • Time settings apply
Defense Center
• SEU updates
management (in System
Settings)
Beyond Policies and Events

Requires: DC In addition to applying policies to sensors and receiving events from them, you
can also perform other sensor-related tasks on the Defense Center.
Backing Up a Sensor
If you are storing event data on your sensor in addition to sending it to the
Defense Center, you can use the Defense Center’s web interface to back up
those events from the sensor. See Performing Sensor Backup with the Defense
Center on page 419 for more information.
Running Remote Reports

You can create a report profile on the Defense Center and run it remotely using
the data on a managed sensor. This is particularly useful if you want to generate a
report for the audit events on a managed sensor. Audit events are stored locally

Working in NAT Environments Chapter 4
and are not sent to the Defense Center, but you can design a report on the
Defense Center, select a managed sensor, and run the report. If you set up the
report so that it is automatically emailed to you, you do not even need a user
account on the sensor to read the resulting report. See Working with Event
Reports on page 232 for more information.
Updating Sensors
From time to time, Sourcefire releases updates to the Sourcefire 3D System,
including:
• Security Enhancement Updates (SEUs), which can contain new and
updated intrusion rules, as well as new and updated preprocessors and
protocol decoders
• vulnerability database updates
• software patches and updates
You can use the Defense Center to push an update to the sensors it manages and
then automatically install the update.
Using Redundant Defense Centers

Requires: DC You can set up two Defense Centers as a high availability pair. This ensures
redundant functionality in case one of the Defense Centers fails. Policies, user
accounts, and more are shared between the two Defense Centers. Events are
automatically sent to both Defense Centers. See Configuring High Availability on
page 145 or more information.
Working in NAT Environments

Requires: Any Network address translation (NAT) is a method of transmitting and receiving
network traffic through a router that involves reassigning the source or
destination IP address as the traffic passes through the router. Typical
applications using NAT enable multiple hosts on a private network to use a single
public IP address to access the public network.
When you add an appliance, you establish connections between appliances and
register the appliances with one another. If you establish that communication in
an environment without NAT, the two required pieces of common information
during registration are the registration key and the unique IP address or the fully
qualified domain name of the host. If you establish that communication in an
environment with NAT, the two required pieces of common information during
registration are the registration key and the unique NAT ID.
In the example diagram, when you set up the remote office 3D Sensors
connections to the home office, use the Defense Center’s fully qualified domain
name maple.company.com as its host name. For the registration key, you can use
snort when adding either sensor, because the registration key does not have to

Working with Sensors Chapter 4
be unique. However, you must use a unique NAT ID when adding the New York
3D Sensor to the Defense Center, and then use a different unique NAT ID when
adding the Miami 3D Sensor. Each NAT ID has to be unique among all NAT IDs
used to register sensors on the Defense Center.
Working with Sensors

Requires: DC + When you manage a sensor, you set up a two-way, SSL-encrypted
3D Sensor communication channel between the Defense Center and the sensor. The
Defense Center uses this channel to send information (in the form of policies) to
the sensor about how you want to analyze your network traffic. As the sensor
evaluates the traffic, it generates events and sends them to the Defense Center
using the same channel. You can create the following policies on your Defense
Center and apply them to managed sensors:
• health policies
• system policies
• RUA policies


• intrusion policies
There are several steps to managing a sensor with a Defense Center:
The procedure for managing a 3Dx800 sensor differs from the procedure for
managing other sensors. See Managing a 3Dx800 Sensor on page 125 for more
information.
TIP! The process for setting up communications between the Defense Center
and other products such as the Crossbeam-based software sensors, RNA
Software for Red Hat Linux, and the Intrusion Agents are slightly different. Refer
to the configuration guides for those products for more information.
1. Begin by setting up a communications channel between the two appliances.

This is a two-step process, with procedures that you need to perform on each
side of the communications channel. See Adding Sensors to the Defense
Center on page 117 for more information. (Deleting Sensors on page 121
explains how to remove a sensor from the Defense Center.)
2. Create the appropriate policies on the Defense Center and apply them to the
sensor or to the appropriate detection engines on the sensor.
• IPS detection engines require an intrusion policy that determines which
types of attacks 3D Sensor with IPS detect. See Using Intrusion Policies
• RNA detection engines require an RNA detection policy, which controls
the networks that 3D Sensors with RNA monitor. See What is an RNA
Detection Policy? in the Analyst Guide for more information.
• You can also create and apply system policies, which control certain
appliance-level features on your sensors. Note that the system policy
applied to the Defense Center controls the types of RNA events that
are logged to the database. See Managing System Policies on page 320
• You can create and apply health policies that allow you to monitor the
processes and status of your sensors. See Configuring Health Policies
on page 489 for more information.
3. Confirm that you are receiving the events generated by your sensors. See
Viewing Intrusion Event Statistics in the Analyst Guide and Viewing RNA
Event Statistics in the Analyst Guide for more information.
Many sensor management tasks are performed on the Sensors page and are
described in Understanding the Sensors Page on page 115.

Understanding the Sensors Page

Requires: DC + The Sensors page (Operations > Sensors) provides you with a range of information
3D Sensor and options that you can use to manage your sensors (including software-based
sensors), intrusion agents, and sensor groups.
The following sections describe some of the features on the Sensors page.
Virtual Sensor Count
When you manage Virtual 3D Sensors from the Defense Center, the field for a
Virtual Sensor count appears above the sensor list on the Sensors page. For details
about Virtual 3D Sensors, see the Virtual Defense Center and 3D Sensor
Installation Guide.
Sort-by Drop-Down List

Use this drop-down list to sort the Sensors page according to your needs. You can
sort by:
• Group (that is, sensor group; see Managing Sensor Groups on page 131)
• Model (that is, the sensor model)
Sensor List
The first column lists the hostname, sensor type, sensor model, and software
version for each sensor. You can click the folder icon next to the name of the
category to expand and contract the list of sensors. If you use clustered 3D9900
sensors, they are designated in the sensor list by a peer icon.
When you hover over the peer icon, you can see which sensors are paired and if
you configured the sensor as a master or a slave.
Health Policy
The next column lists the health policy for the sensor, if one has been applied. You
can click the name of the health policy to view a read-only version of the policy.
See Editing Health Policies on page 530 for information about modifying an
existing health policy.

System Policy
The next column lists the currently applied system policy. The policy name and
the icon for the system policy in the top row highlight a special feature of the
Sensors page. If a policy has a different icon and its name is in italics, that
indicates the policy was modified after it was applied to the sensor. The icon and
the name of the policy in the bottom row indicate that the version applied to the
sensor is up to date. Note that this is the case for any policy that you create and
apply from the Defense Center.
As with the health policy, you can click the name of the system policy to view a
read-only version. See Managing System Policies on page 320 for more
information.
Status Icons
The status icons indicate the state of a sensor. The green check mark icon
indicates that the sensor and the Defense Center are communicating properly.
The red exclamation point icon indicates that the Defense Center has not
received communications from the sensor in the last three minutes. If you hover
your cursor over the icon, a pop-up window indicates the amount of time (in
hours, minutes, and seconds) since the last contact. If the Defense Center has
not received a communication from a sensor within the last two minutes, it sends
a two-byte heartbeat packet to establish contact and ensure that the
communications channel is still running. If your network is constrained in
bandwidth, you can contact technical support to change the default time interval.
Edit and Delete Icons
Click the Edit icon next to a sensor if you want to change the sensor’s current
system settings. The system settings include the storage settings for the sensor,
the time, the remote management configuration, and access to the processes for
stopping and restarting the sensor or its software. See Editing a Managed
Sensor’s System Settings on page 133 for more information.
If you sort your Sensors page by sensor group, you can click the Edit icon next to
the name of a sensor group to modify the list of sensors that belong to the group.
See Editing Sensor Groups on page 132 for more information.

Click the Delete icon next to a sensor if you no longer want to manage the sensor
with the Defense Center. See Deleting Sensors on page 121 for more
information.
If you sort your Sensors page by sensor group, you can click the Delete icon next
to the name of a sensor group to remove the sensor group from the Defense
Center. See Deleting Sensor Groups on page 133 for more information.
Adding Sensors to the Defense Center

Requires: DC + When you manage a sensor, you set up a two-way, SSL-encrypted
3D Sensor communication channel between the Defense Center and the sensor. The
Defense Center uses this channel to send information about how you want to
analyze your network traffic (in the form of policies) to the sensor. As the sensor
evaluates the traffic, it generates events and sends them to the Defense Center
using the same channel. You can create the following policies on your Defense
Center and apply them to managed sensors:
• system policies, which control appliance-level configurations such as
database limits, DNS cache settings, and custom login banners
• RNA detection policies, which control RNA data-gathering behavior and
determine which networks are monitored which detection engines
• intrusion policies, which control how protocol decoders and preprocessors
are configured and which intrusion rules are enabled
• health policies, which monitor the health of your managed sensors
Note that before you add sensors to a Defense Center, you must make sure that
the network settings are configured correctly on the sensor. This is usually
completed as part of the installation process, but you can refer to Configuring
Network Settings on page 377 for details.
You can also add Intrusion Agents to the Defense Center. For more information,
see Adding Intrusion Agents on page 130 and the Sourcefire Intrusion Agent
Configuration Guide.
IMPORTANT! If you registered a Defense Center and 3D Sensor using IPv4 and
want to convert them to IPv6, you must delete and re-register the sensor.

To add a sensor, you need:

• the sensor’s IP address or hostname (in the connection context
“hostname” is the fully qualified domain name or the name that resolves
through the local DNS to a valid IP address)
• the Defense Center’s IP address or hostname
• to decide if you want to store the events generated by the sensor only on
the Defense Center, or on both the Defense Center and the sensor
TIP! Set up the managed appliance first.
You must begin the procedure for setting up the management relationship
between a Defense Center and a sensor on the sensor.
Three fields are provided for setting up communications between appliances:
• Management Host - for the hostname or IP address.
• Registration Key - for registration key.
• Unique NAT ID - for a unique alphanumeric ID. Refer to Working in NAT
Environments on page 112 for more information.
Valid combinations include:
• Management Host and Registration Key used on both appliances
• Registration Key and Unique NAT ID used on the 3D Sensor with Host,
Registration Key, and Unique NAT ID used on the Defense Center.
• Management Host, Registration Key, and Unique NAT ID used on the 3D Sensor
with Registration Key and Unique NAT ID used on the Defense Center.
IMPORTANT! The Management Host or Host field (hostname or IP address) must

be used on at least one of the appliances.
To add a sensor to a Defense Center:

Access: Admin 1. Log into the web interface of the sensor you want to add.
2. Select Operations > System Settings.
The Information page appears.

3. Click Remote Management.

The Remote Management page appears.
4. Click Add Manager.

The Add Remote Management page appears.
5. In the Management Host field, type the IP address or the host name of the
Defense Center that you want to use to manage the sensor.
WARNING! Make sure you use hostnames rather than IP addresses if your
network uses DHCP to assign IP addresses.
TIP! You can leave the Management Host field empty if the management host
does not have a routable address. In that case, use both the Registration Key
and the Unique NAT ID fields.
6. In the Registration Key field, type the one-time use registration key that you
want to use to set up a communications channel between the sensor and the
Defense Center.
7. Optionally, in the Unique NAT ID field, type a unique alphanumeric ID that you
want to use to identify the sensor.
8. Click Save.
After the sensor confirms communication with the Defense Center, the
Pending Registration status appears.

9. Log into the Defense Center’s web interface using a user account with Admin
access, and select Operations > Sensors.
The Sensors page appears.
10. Click New Sensor.
The Add New Sensor page appears.
11. Type the IP address or the hostname of the sensor you want to add in the
Host field.
12. In the Registration Key field, enter the same registration key that you used in
step 6.
13. If you used a NAT ID in step 7, enter the same ID in the Unique NAT ID
(optional) field.
14. You can store data on both the Defense Center and the sensor by clearing the
Store Events and Packets Only on the Defense Center check box.
By default, data is stored only on the Defense Center and not on the sensor.
IMPORTANT! Software-based sensors such as the 3D Sensor Software for

Crossbeam cannot store data locally. You must store events on the Defense
Center. For more information on supported functionality for software-based
sensors, see Understanding Software Sensors on page 105.
15. You can prevent packet data from leaving a sensor by enabling the Prohibit
Packet Transfer to the Defense Center check box.
IMPORTANT! If you elect to prohibit sending packets and you do not store
events on the 3D Sensor, packet data is not retained. Packet data is often
important for forensic analysis.

16. To add the sensor to a group, select the group from the Add to Group list.
For more information about groups, see Managing Sensor Groups on
page 131.
17. Click Add.
The sensor is added to the Defense Center. It can take up to two minutes for
the Defense Center to verify the sensor’s heartbeat and establish
communication. You can view the sensor’s status on the Sensors page
(Operations > Sensors).
IMPORTANT! In some high availability deployments where network address

translation is used, you may need to use the Add Manager feature a second
time to add the secondary Defense Center. Contact technical support for
more information.
Deleting Sensors
Requires: DC + If you no longer want to manage a sensor, you can delete it from the Defense
3D Sensor Center. Deleting a sensor severs all communication between the Defense Center
and the sensor. To manage the sensor again at a later date, you must re-add it to
the Defense Center. To keep the sensor from trying to reconnect to the Defense
Center, you should also delete the manager on the sensor.
TIP! If you can no longer communicate with a detection engine on a managed

sensor (for example, if the sensor is down or the network interface card is
damaged), you should delete the managed sensor from the Defense Center and
then re-add it rather than try to delete the non-communicative detection engine.
IMPORTANT! If you delete a sensor from a Defense Center configured in a high

availability pair and intend to re-add it, Sourcefire recommends that you wait at
least five minutes before re-adding it. This interval ensures that the high
availability pair re-synchronizes so that both Defense Centers recognize the
deletion. If you do not wait five minutes, it may take more than one
synchronization cycle to add the sensor to both Defense Centers.
To delete a sensor from the Defense Center:

Access: Admin 1. Log into the Defense Center web interface and select Operations > Sensors.
2. Click Delete next to the sensor you want to delete.
Communication between the sensor and the Defense Center is discontinued
and the sensor is deleted from the Sensors page.

3. Using a user account with Admin access, log into the web interface of the
sensor you want to delete.
6. Click Delete next to the Defense Center where you want to reset
management.
The manager is removed. If the sensor has a system policy that causes it to
receive time from the Defense Center via NTP, the sensor reverts to local
time management.
Resetting Management of a Sensor

Requires: DC + If communications fail between the Defense Center and one of your sensors, you
3D Sensor can reset management of the sensor. If you want to manage a sensor with a
different Defense Center, you must also reset management before adding the
sensor to another Defense Center. You must first delete the manager on the
sensor and delete the sensor on the Defense Center. You can then re-add the
manager on the sensor and then add the sensor to a Defense Center.
TIP! To temporarily disable communications between appliances without having

to reset management, you can disable the manager on the sensor. For more
information, see Managing Communication on a Managed Sensor on page 138.
The procedures for resetting management on the 3Dx800 sensors and on

Crossbeam-based software sensors differ from the procedure for other sensors.
For more information on resetting management on a 3Dx800 sensor, see
Resetting Communications on the 3Dx800 on page 128. For more information on
resetting management on a Crossbeam-based software sensor, see the
Sourcefire 3D Sensor Software for X-Series Installation Guide.
To reset management:
Access: Admin 1. Log into the web interface of the Defense Center where you want to reset
communications.
2. Select Operations > Sensors.


Communication between the sensor and the Defense Center is discontinued
and the sensor is deleted from the Sensors page.
If your sensor is no longer communicating with the Defense Center, you can
delete the management on the sensor. If you attempt to delete management
on the sensor while it is communicating with the Defense Center you will
receive an error similar to:
Delete failed. You must delete the appliance from its manager,
maple.example.com.
To delete management on the sensor:

Access: Admin 1. Log into the web interface of the sensor where you want to reset
communications.
4. Click Delete next to the Defense Center where you want to reset
management.
The manager is removed.
To re-add the sensor to the Defense Center:

Access: Admin 1. Log into the web interface of the sensor where you want to reset
communications and click Add Manager.
You can leave the Management Host field empty if the management host
Defense Center.

4. Optionally, in the Unique NAT ID field, type a unique ID that you want to use to
identify the sensor.
5. Click Save.
6. Log into the Defense Center’s web interface using a user account with Admin
access, and select Operations > Sensors.
Host field.
9. In the Registration Key field, type the same one-time use registration key that
you used in step 3.
10. If you used a unique NAT ID in step 4, type the same value in the Unique NAT
ID field.
11. You can store data on both the Defense Center and the sensor by clearing the
Store Events and Packets Only on the Defense Center check box.
By default, data is stored only on the Defense Center and not on the sensor.
12. You can prevent packet data from leaving a sensor by checking the Prohibit
If you elect to prohibit sending packets and you do not store events on the
3D Sensor, packet data is not retained. Packet data is often important for
forensic analysis.

page 131.
14. Click Add.
communication. You can view the sensor’s status on the Sensors page
(Operations > Sensors).
In some high availability deployments where network address translation is
used, you may need to use the Add Manager feature a second time to add
the secondary Defense Center. Contact technical support for more
information.
Managing a 3Dx800 Sensor

Requires: DC + Because the Sourcefire 3D Sensor 3800, 3D Sensor 5800, and 3D Sensor 9800
3D Sensor (usually called the 3Dx800 sensors) do not have their own web interfaces, you
must add them to a Defense Center as managed sensors so that you can perform
procedures such as:
• creating and applying intrusion and RNA detection policies
• viewing events
• generating reports
• uploading and installing software updates
The following sections explain how to manage 3Dx800 sensors with a Defense
Center:
• Managing 3Dx800 Sensors with a Defense Center on page 125
• Deleting a 3Dx800 Sensor from the Defense Center on page 127
• Resetting Communications on the 3Dx800 on page 128
Managing 3Dx800 Sensors with a Defense Center

Requires: DC + Setting up communications between a 3Dx800 sensor and a Defense Center is a
3D Sensor two-step process that involves setting up the sensor and then adding the sensor
to the Defense Center.
This procedure assumes that you have completed the setup steps described in
the sensor’s Installation Guide.
To manage a 3Dx800 sensor with a Defense Center:

Access: Admin 1. Log into the 3D Sensor using the admin account.
The CLI prompt appears.
sensor.domain [admin]

2. Enter the following at the CLI prompt:

[admin] configure sensor
3. Use the following command to determine whether remote management is
already enabled:
[admin:sensor] show management
If management is already enabled, the sensor may be managed by another
Defense Center. See Resetting Communications on the 3Dx800 on page 128
for information about deleting the sensor from the other Defense Center and
preparing it for new management.
4. Use one of the following commands to enable management on the
3D Sensor:
• If you are deploying your sensor in a network that does not use network
address translation, enter the following command:
[admin:sensor] set management enable ip_address reg_key
where ip_address is the IP address of the Defense Center and
reg_key is a unique single-use alphanumeric registration key. The IP
address and registration key pair must uniquely identify the
communications channel between the sensor and the Defense Center.
• If you are deploying your sensor in a network that does use network
address translation, enter the following command:
[admin:sensor] set management enable NONE reg_key nat_id
where NONE is a placeholder for the unresolvable IP address of the
Defense Center, reg_key is a unique single-use alphanumeric
registration key, and nat_id is a unique alphanumeric string. The NAT
ID together with the registration key must uniquely identify the
In either case, a message appears indicating that remote management is
enabled.
5. If you changed the management port on the Defense Center, you must
change it on the 3Dx800 also:
[admin:sensor] set management port port_number
where port_number is the same port number you used on the Defense
Center.
6. Use the following command to exit the CLI and return to the login prompt:
[admin:sensor] exit
7. Using a user account with Admin access, log into the web interface of the
Defense Center where you want to add the sensor.


10. In the Host field, type the IP address or the hostname of the sensor you want
to add.
you used on the sensor.
12. If you used a NAT ID in step 4, type the same value in the Unique NAT ID field.
IMPORTANT! Because 3Dx800 sensors do not have any local storage for
events, make sure the Store Events and Packets Only on the Defense Center check
box is selected.
If you prohibit sending packets to the Defense Center, packet data, which is
often important for forensic analysis, is not retained anywhere.
14. To add the sensor to a group, select the name of the group from the Add to
Group list.
page 131.
15. Click Add.
The 3Dx800 is added to the Defense Center.
It can take up to two minutes for the Defense Center to verify the sensor’s
heartbeat and establish communication.
Deleting a 3Dx800 Sensor from the Defense Center

Requires: DC + If you want to delete a 3Dx800 sensor from a Defense Center (for example, to
3D Sensor manage it with a different Defense Center), you must complete a two-step
process to disable remote management and then delete it from the Defense
Center.

To delete a 3Dx800 sensor from a Defense Center:

Access: Admin 1. Log into the web interface of the Defense Center where you want to delete
the sensor.
The sensor is deleted.
4. On the sensor, access the command prompt and use the admin account to
log in.
6. Enter the following command to disable remote management:
[admin:sensor] set management disable
A message appears indicating that remote management is disabled.
7. Enter the following command to exit the CLI and return to the login prompt:
[admin:sensor] exit
To add the sensor to either the same or a different Defense Center, you must
re-enable remote management and then add the sensor to the Defense
Center. For more information, see the next section, Resetting
Communications on the 3Dx800.
Resetting Communications on the 3Dx800

Requires: DC + If communication fails between a 3Dx800 sensor and the Defense Center that
3D Sensor manages it, you can manually reset communications on the sensor.
To reset communications between the sensor and the Defense Center:

Access: Admin 1. Log into the web interface of the Defense Center that manages the sensor.
3. Click Delete next to the sensor that is no longer communicating with the
Defense Center.
The sensor is deleted.
4. On the sensor, access the command prompt and use the admin account to
log in.


6. Enter the following command to disable remote management:
[admin:sensor] set management disable
Remote management is disabled.
7. Use one of the following commands to enable remote management.
• If your sensor is in a network that does not use network address
translation, enter the following command:
[admin:sensor] set management enable ip_address reg_key
where ip_address is the IP address of the Defense Center and
reg_key is a unique single-use alphanumeric registration key. The IP
address and registration key pair must uniquely identify the
• If your sensor is in a network that does use network address translation,
enter the following command:
[admin:sensor] set management enable NONE reg_key nat_id
where NONE is a placeholder for the unresolvable IP address of the
Defense Center, reg_key is a unique single-use alphanumeric
registration key, and nat_id is a unique alphanumeric string. The NAT
ID together with the registration key must uniquely identify the
In either case, remote management is enabled again.
8. Enter the following command to exit the CLI and return to the login prompt:
[admin:sensor] exit
9. On the Defense Center’s Sensors page, re-add the sensor by clicking New
Sensor.
10. In the Host field, type the IP address or hostname of the sensor and make
sure the Store Events and Packets Only on the Defense Center check box is
selected.
11. Click Add.
Communications are restarted and the sensor is re-added to the Defense
Center.

Adding Intrusion Agents

Requires: DC + The Add Agent page allows you to add an Intrusion Agent.
Intrusion Agent
To add an Intrusion Agent:

Access: Admin 1. Access the Defense Center web interface and select Operations > Sensors.
The Managed Sensors page appears.
2. Click New Agent.
The Agent Administration page appears.
3. In the Name Of Agent field, type an identifying name for the agent.
This is the name that the Defense Center uses to identify the Intrusion Agent.
It will appear on the event summary, event view pages, and reports.
4. In the Hostname or IP Address field, type the Intrusion Agent’s host name (if
DNS resolution is enabled on the Defense Center) or IP address.
WARNING! If your Intrusion Agent sensor resides behind a NAT device,

enter the IP address granted by the NAT device; that is, you should the IP
address that the Defense Center will “see” when the Intrusion Agent
attempts to communicate with it.
5. Click Add Agent.

The Intrusion Agent is added and the page reloads, displaying a link that
allows you to download authentication credentials.
6. Click Download Auth Credentials and save them for later use on the Intrusion
Agent.
To download authentication credentials, see Sensor Attributes - Intrusion
Agent Page on page 130.
For information on the requirements for the intrusion agent side of the
connection, see the Sourcefire Intrusion Agent Configuration Guide.
Sensor Attributes - Intrusion Agent Page

Requires: DC + The Sensor Attributes page for Intrusion Agents allows you to view basic
Intrusion Agent information about the Intrusion Agent and allows you to download authentication
credentials. During configuration, you copy this file to the Intrusion Agent
appliance to allow the Intrusion Agent to authenticate with the Defense Center.

Managing Sensor Groups Chapter 4
Authentication credentials are unique to each Intrusion Agent appliance and

Defense Center and cannot be copied from one appliance to another.
To download authentication credentials from the Sensor Attributes page:

Access: Admin 1. Access the Defense Center web interface and select Operations > Sensors.
The Managed Sensors page appears.
2. Click Edit next to the Intrusion Agent.
The System Settings page for the Intrusion Agent appears.
3. Click Download Credential File.
You are prompted to download the credentials to your local computer.
For more information about copying the credentials, see the Sourcefire Intrusion
Agent Configuration Guide.
Managing Sensor Groups

Requires: DC + The Defense Center allows you to group sensors so that you can easily apply
3D Sensor policies and install updates on multiple sensors.
• Creating Sensor Groups on page 131 explains how to create a sensor group
on the Defense Center.
• Editing Sensor Groups on page 132 explains how to modify the list of
sensors in a sensor group.
• Deleting Sensor Groups on page 133 explains how to delete a sensor
group.
Creating Sensor Groups

Requires: DC + Grouping managed sensors allows you to configure multiple sensors with a single
3D Sensor system or health policy, and update multiple sensors with new software updates
at the same time.
For information about Defense Center groups, see Managing Appliance Groups
on page 179.
To create a sensor group and add sensors to it:

Access: Admin 1. On the Defense Center, select Operations > Sensors.

Managing Sensor Groups Chapter 4
2. Click Create New Sensor Group.

The Create Sensor Group page appears.
3. In the Group Name field, type the name of the group you want to create.
4. Click Save.
The group is added.
5. To add sensors to the group, return to the Sensors page (Operations > Sensors)
and click Edit next to the name of the sensor group.
The Sensor Group Edit page appears.
6. Select the IP addresses or hostnames of the sensors you want to add from
the Available Sensors list and click the arrow to move them into sensor group.
7. Click Save.
The sensors are added to the group.
Editing Sensor Groups

Requires: DC + You can change the set of sensors that reside in any sensor group.
3D Sensor
TIP! You must remove a sensor from its current group before you can add it to a
new group.
Moving a sensor to a new group does not change its policy to the policy
previously applied to the group. To change the sensor’s policy, you must apply a
new policy to the sensor or sensor group. See Applying an Intrusion Policy in the
Analyst Guide for details.
To edit a sensor group:


Editing a Managed Sensor’s System Settings Chapter 4
2. Click Edit next to the sensor group you want to edit.

The Sensor Group Edit page appears.
3. Select the sensor you want to move and click the arrow to add or remove it
from the group.
• To add a sensor to the group, select it from the Available Sensors list and
click the arrow pointing toward the group you are editing.
• To remove a sensor from a group, select it from the list in the group you
are editing and click the arrow pointing to the Available Sensors list.
4. Click Done.
Deleting Sensor Groups

Requires: DC + If you delete a group that contains sensors, the sensors are moved to Ungrouped
3D Sensor on the Sensors page. They are not deleted from the Defense Center.
To delete a sensor group:

Access: Admin 1. Select Operations > Sensors.
2. Click Delete next to the group you want to delete.
Editing a Managed Sensor’s System Settings

Requires: DC or Each sensor has a number of system settings. On an unmanaged sensor you can
3D Sensor use the sensor’s web interface to modify the settings as needed. When you

manage one or more sensors with a Defense Center, you can modify their
system settings through the Defense Center’s web interface.
IMPORTANT! You cannot edit the network settings or add a license file to a
sensor through the Defense Center’s web interface. You must perform those
tasks on the sensor’s web interface (generally before you begin to manage the
sensor with the Defense Center). See Configuring System Settings on page 360
for more information about system settings.
To edit the system settings for a managed sensor:

2. Click Edit next to the name of the sensor where you want to edit the system
settings.
The Appliance page appears and includes a list of links on the left side of the
page that you can use to navigate between pages.
3. From the System Settings page, you can:

• view detailed information about the sensor. For more information, see
Viewing a Sensor’s Information Page on page 135.
• modify the default settings for each network interface on the managed
sensor. For more information, see Editing Network Interface
Configurations on page 380.
WARNING! Do not modify the settings for the management interface

unless you have physical access to the appliance. It is possible to select a
setting that makes it difficult to access the web interface.
• reboot or restart the processes on the managed sensor. For more

information, see Stopping and Restarting a Managed Sensor on
page 137.

• manage communications between the sensor and the Defense Center.

For more information, see Managing Communication on a Managed
Sensor on page 138.
• manage time settings on the managed sensor. For more information,
see Setting the Time on a Managed Sensor on page 139.
• blacklist individual health policy modules on the managed sensor. For
more information, see Blacklisting a Health Policy Module on page 537.
Viewing a Sensor’s Information Page

Requires: DC or The Information page for a managed sensor includes the fields described in the
3D Sensor Sensor Information table.
When you view the Information page for a managed Defense Center from the
Master Defense Center’s web interface, the fields are slightly different. See
Editing Settings for a Managed Defense Center on page 175.
Sensor Information
Field Description
Name The assigned name for the managed sensor. Note that is
the name of the sensor in the Defense Center web
interface, not the hostname.
Product Model The model name for the managed sensor.
Software Version The version of the software currently installed on the

managed sensor.
Store Events Enable this check box to store event data on the Defense
Only on Defense Center, but not the managed sensor. Clear this check box
Center to store event data on both appliances.
Prohibit Packet Enable this check box to prevent the managed sensor
Transfer to the from sending packet data with the events. Clear this
Defense Center check box to allow packet data to be stored on the DC
with events.
Operating The operating system currently running on the managed

System sensor.
Operating The version of the operating system currently running on

System Version the managed sensor.
VDB Version The version level of the vulnerability database currently

loaded on the managed sensor.
IPv4 Address The IPv4 address of the managed sensor.

Sensor Information (Continued)
Field Description
IPv6 Address The IPv6 address of the managed sensor.
Current Policies The appliance-level policies currently applied to the

managed sensor. If a policy has been updated since it was
last applied, the name of the policy appears in italics.
• The name of the current system policy is listed under
System.
• The name of the current health policy is listed under
Health, if you applied one from the Defense Center
that manages the sensor.
Status An icon showing the current status of the managed

sensor. If you hover your cursor over the icon, a pop-up
message indicates how long it has been (in hours,
minutes, and seconds) since the sensor communicated
with the Defense Center.
You can click Refresh to update the Status icon and its
accompanying pop-up message.
Model Number The model number for the sensor. This number can be
important for troubleshooting.
Current Group The sensor group that the sensor belongs to, if any. See
Creating Sensor Groups on page 131 for more
information.
To edit a managed sensor’s settings:


2. Click Edit next to the name of the sensor whose system settings you want to
edit.
The Information page for that sensor appears. See the Sensor Information
table on page 135 for a description of each field.
3. Change the sensor’s attributes as needed.

You can edit the following:
• the sensor’s hostname
• where events generated by the sensor are stored
• the group in which the sensor resides
WARNING! Sensor host names must be made up of a combination of

alphanumeric characters and should not be made up of numeric characters
only.
4. Click Save.
The updated sensor attributes are saved.
Stopping and Restarting a Managed Sensor

Requires: DC For 3D Sensors, you can reboot or restart the processes on a managed sensor
using the Defense Center’s web interface.
You must use the command line interface (CLI) to manage processes on
Crossbeam-based software sensors, RNA Software for Red Hat Linux, and
Intrusion Agents.

To shut down or restart a managed sensor:

2. Click Edit next to the name of the sensor that you want to restart.
The Information page for that sensor appears.
3. Click Process in the list to the left of the page.
The Process page appears for your managed sensor.
4. Specify what command you want to perform:

• If you want to shut down the sensor, click Run Command next to
Shutdown Appliance.
• If you want to reboot the sensor, click Run Command next to Reboot
Appliance.
• If you want to restart the software processes on the sensor, click Run
Command next to Restart Appliance Console.
• If you want to restart the Snort and RNA processes, click Run Command
next to Restart Detection Engines.
WARNING! If you shut down the appliance, the process shuts down the
operating system on the appliance, but does not physically shut off power. To
shut off power, you must press the power button on the appliance.
Managing Communication on a Managed Sensor

Requires: DC + For most 3D Sensors, you can manage communications between a managed
3D Sensor sensor and the Defense Center managing it using the Defense Center’s web
interface.
You must use the command line interface (CLI) to manage communication on
3Dx800 sensors, Crossbeam-based software sensors, RNA Software for Red Hat
Linux, and Intrusion Agents.
To disable communications between the Defense Center and the sensor:


2. Click Edit next to the name of the sensor that you want to manage.
3. Click Remote Management in the list to the left of the page.
4. Click Disable next to the name of the sensor.
Communications between the two appliances are interrupted.
TIP! To enable communications between the two appliances again, click

Enable.
For information about editing the remote management communications from a

sensor see Configuring Remote Access to the Defense Center on page 386.
Setting the Time on a Managed Sensor

Requires: DC or If your managed sensor is receiving its time from an NTP server, which is the
3D Sensor recommended setting for a managed sensor and its Defense Center, then you
cannot change the time manually. See the NTP Status table on page 390 for a
description of the values you are likely to see for a sensor that is synchronized
with an NTP server. However, if the system policy applied to the managed sensor
allows you to set the time manually, then you can change it as part of the system
settings.
For 3D Sensors, you can manage time settings on a managed sensor using the
Defense Center’s web interface.
You must use the command line interface (CLI) to manage time settings on
Crossbeam-based software sensors and RNA Software for Red Hat Linux. You
cannot manage time settings on Intrusion Agents.
To set the time for a managed sensor:

2. Click Edit next to the name of the sensor where you want to set the time.

Managing a Clustered Pair Chapter 4
3. Click Time in the list to the left of the page.

The Time page appears showing the current time.
4. From the Set Time drop-down lists, select the following:

• year
• month
• day
• hour
• minute
5. Click Apply.
The time is updated.
6. If you want to change the time zone, click the time zone link located next to
the date and time.
A pop-up window appears.
7. Select your time zone and click Save and, after the time zone setting is saved,
click Close to close the pop-up window.
Changing the time zone with this option is equivalent to changing the time
zone using the Time Zone Settings option in the user preferences. In other
words, this time zone option changes the time setting your user account uses
on the Defense Center web interface. This setting does not affect the time
zone setting on the managed sensor.
Managing a Clustered Pair

Requires: DC + 3D9900 You can increase the amount of traffic inspected on a network segment by
connecting two fiber-based 3D9900 sensors in a clustered pair. When you
establish a clustered pair configuration, you combine the 3D9900 sensors
resources into a single, shared configuration.
When you connect the two 3D9900 sensors you determine which is the master.
You connect the master to the network segment you wish to analyze. After you
do the cabling, use a Defense Center to establish the clustered pair relationship
between the two sensors and manage their joint resources.

After you establish the relationship between the two sensors, they act like two
separate sensors with a single, shared detection configuration. For information on
the detection engines, interface set, and data from a clustered pair, see:
• Using Detection Engines on Clustered 3D Sensors on page 228
• Understanding Interface Sets on Clustered 3D Sensors on page 229
• Managing Information from a Clustered 3D Sensor on page 230
The Defense Center manages the clustered pair, and local management is
blocked on the shared portion of the clustered pair. The following diagram shows
interfaces on the master and slave sensors.
For information about the connections between the master and slave 3D9900
sensors, see the Cluster Interconnect table.
Cluster Interconnect
Master Slave
Interface Interface
ethb2 RX ethb0 TX
ethb2 TX ethb0 RX

Cluster Interconnect
Master Slave
Interface Interface
ethb3 RX ethb1 TX
ethb3 TX ethb1 RX
You connect the master to the network and the slave to the master. You
determine the master/slave designation by the way you cable the pair. After you
establish the relationship, you cannot change which sensor is the master or slave
unless you break and reestablish the relationship using the Defense Center.
For more information, see:
• Establishing a Clustered Pair on page 142
• Separating a Clustered Pair on page 144
Establishing a Clustered Pair

Requires: DC + 3D9900 You can group two fiber-based 3D9900 sensors in a clustered pair to increase
throughput. Before you begin, you must:
• decide which unit will be the master
• have SEU 2.8.6 or later loaded on your 3D9900 and Defense Center
• cable the units properly prior to designating the master/slave relationship
Connect the master’s ethb0 and ethb1 pair to the network. Connect the master’s
ethb2 and ethb3 pair to the slave’s ethb0 and ethb1 pair as shown in the Cluster
Interconnect table.
IMPORTANT! You cannot connect the slave’s ethb2 and ethb3 pair when you
establish the clustered pairing.
For more information about cabling, see the Sourcefire 3D Sensor Installation
Guide.
After you establish the master/slave relationship, the detection engines and
interface set are combined on the two sensors.
IMPORTANT! If you apply an RNA detection policy to the RNA detection engines
on two different 3D9900 sensors and then establish clustering with those two
sensors, you must edit and reapply your detection policy after you establish
clustering.

There is one detection engine and interface set shared over the paired 3D9900
sensors. They are managed from the Defense Center, instead of the 3D9900
sensors.
If you attempt to manage the combined detection engines and interface set on
the paired 3D9900 sensors, the following message is displayed.
To establish 3D9900 clustered pairing:

Access: Admin 1. Select Operations > Sensors on your Defense Center.
The Sensor page appears.
2. The Click Edit next to the 3D9900 sensor that you cabled for master operation.
TIP! If you edit a 3D9900 that is not cabled as the master, you cannot
perform the next series of steps.
The System Settings page appears and there is a Clustering field at the
bottom.
3. In the Clustering field, under status, select the sensor you want to form a
cluster with. For example, if the other member of your pair is
birch.example.com, select Clustered with birch.example.com.
Clustering is established and a confirmation message appears.

4. Review the confirmation message and confirm the correct the Master/Slave
pairing.
IMPORTANT! While system verifies the cabling configuration, the sensing

traffic is interrupted. If the system determines that the cabling is correct, it
removes detection configurations (interface sets, detection engines) from the
slave.
5. Click OK to confirm the Master/Slave pairing.

6. After clustering is established, verify that the Clustering field changes to
indicate the correct state.
• On the master, the field reads: Status Clustered sensor_name, where
sensor_name is the name of the sensor you designated as the slave in
step 3 and Role Master.
• On the slave, the field reads: Status Clustered and Role Slave
3D9900 clustering is established. Use the managing Defense Center to
establish the cluster’s detection configurations for the interface set and
detection engines.
Separating a Clustered Pair

Requires: DC + 3D9900 If you no longer need to use the two 3D9900 sensors as a clustered pair, you can
use the Defense Center to break the cluster.
To separate a 3D9900 clustered pair:

Access: Admin 1. Select Operations > Sensors on your Defense Center.
The Sensor page appears.
2. Click Edit next to the 3D9900 sensor that you designated as the maser sensor
when you connected the pair’s cables.
The System Settings page appears with the Clustering field at the bottom.
3. Select Break Cluster in the Clustering field.
For example:
4. Click Save.
5. Review the confirmation message. Note the Master/Slave pairing and click OK
to confirm the Master/Slave that you want to separate the clustered pair.
The 3D9900 sensors separate and the confirmation message disappears.

Configuring High Availability Chapter 4
Configuring High Availability

Requires: DC To ensure the continuity of operations, the high availability feature allows you to
designate redundant Defense Centers to manage 3D Sensors. Event data
streams from managed sensors to both Defense Centers and certain
configuration elements are maintained on both Defense Centers. If one Defense
Center fails, you can monitor your network for intrusion events, RNA events, RUA
events, and compliance events without interruption using the second Defense
Center.
See the following sections for more information about setting up high availability.
• Using High Availability on page 145 list the items that are and are not
duplicated when you implement high availability.
• Guidelines for Implementing High Availability on page 149 outlines some
guidelines you must follow if you want to implement high availability.
• Setting Up High Availability on page 150 explains how to specify primary
and secondary Defense Centers.
• Monitoring the High Availability Status on page 152 explains how to check
the status of your linked Defense Centers.
• Disabling High Availability and Unregistering Sensors on page 153 explains
how to permanently remove the link between linked Defense Centers.
• Pausing Communication between Paired Defense Centers on page 154
explains how to pause communications between linked Defense Centers.
• Restarting Communication between Paired Defense Centers on page 154
explains how to restart communications between linked Defense Centers.
Using High Availability

Requires: DC The DC1000 and DC3000 models of the Defense Center support high availability
configurations. The DC500 model of the Defense Center and the Virtual Defense
Center do not support high availability.
Sourcefire strongly recommends that both Defense Centers in an HA pair be the
same model. That is, do not attempt to set up high availability between a Defense
Center 1000 and a Defense Center 3000.
WARNING! Sourcefire recommends that you change configurations only on the

primary Defense Center and that you keep your secondary Defense Center as a
backup.

For more information on:

• sensor attributes and user information shared in a high availability pair, see
Sensor Configurations and User Information on page 146
• health and system policies shared in a high availability pair, see Health and
System Policies on page 147
• feature license operation in a high availability pair, see Feature Licenses on
page 148
• details of high availability pair operation, see Understanding High Availability
on page 148
Sensor Configurations and User Information

Requires: DC Defense Centers in a high availability pair (also called an HA pair) share the
following sensor attributes and user information:
• user account attributes and authentication configurations
WARNING! Before you establish a high availability, if you have any user
accounts with the same name on both Defense Centers, make sure you
remove duplicate user accounts from one of the Defense Centers. Also,
because both Defense Centers must have an admin account, you must
make sure that the admin account uses the same password on both
Defense Centers.
• custom dashboards
• authentication objects for Sourcefire 3D System user accounts
• custom workflows
• custom tables
• sensor attributes, such as the sensor’s host name, where events generated
by the sensor are stored, and the group in which the sensor resides
• intrusion, RNA, and RUA detection engines
• intrusion policies and their associated rule states
• local rules
• custom intrusion rule classifications
• variable values and user-defined variables
IMPORTANT! If your deployment includes intrusion agents and you are also
using a Master Defense Center to manage your linked Defense Centers,
make sure you register all intrusion agents to the primary Defense Center.

• RNA custom service detectors

• activated custom fingerprints

• host attributes
• traffic profiles
• RNA user feedback, including notes and host criticality; the deletion of
hosts, services, and networks from the network map; and the deactivation
or modification of vulnerabilities
• compliance policies and their associated rules
• compliance white lists
To avoid launching duplicate responses and remediations when compliance
policies are violated, Defense Centers do not share the associations between the
policies and their responses and remediations.You must upload and install any
custom remediation modules and configure remediation instances on your
secondary Defense Center before remediations are available to associate with
compliance policies. If the primary Defense Center fails, you should quickly
associate your compliance policies with the appropriate responses and
remediations on the secondary Defense Center to maintain continuity of
operations. For more information, see Creating Compliance Policies in the Analyst
Guide and Configuring Remediations in the Analyst Guide.
When you restore your primary Defense Center after a failure, if you created
associations between rules or white lists and their responses and remediations
on the secondary Defense Center, make sure you remove the associations so
responses and remediations will only be generated by the primary Defense
Center.
Health and System Policies

Requires: DC Health and system policies for Defense Centers and 3D Sensors are shared in
high availability pairs. Allow enough time to ensure that 3D Sensor information
about health policies, modules, blacklists, is synchronized on a newly activated
Defense Center.
TIP! If you employ an HA paired Defense Center as a NTP server, the NTP
function does not automatically switch. However, you can synchronize time with
multiple alternative NTP servers. For 3D Sensors, you can point to one Defense
Center as your first NTP server and the other Defense Center as your second NTP
server. For more information, see Synchronizing Time on page 354.
Although system policies are shared by Defense Centers in a high availability pair,
they are not automatically applied. If you want identical system policies on both
Defense Centers, apply the policy after it synchronizes.

Defense Centers in an HA pair share the following system and health policy
information:
• system policies
• system policy configurations (what policy is applied where)
• health policies
• health monitoring configurations (what policy is applied where)
• which appliances are blacklisted from health monitoring
• which appliances have individual health monitoring policies blacklisted
Feature Licenses
Requires: DC Defense Centers in an HA pair do not share RNA, RUA, and NetFlow licenses:
• Both Defense Centers must have RNA host licenses if you want to manage
3D Sensors with RNA with the high availability pair.
• While NetFlow data and devices are shared, the two Defense Centers must
have enough NetFlow licenses to merge the list of devices on each, if you
want to use NetFlow data to supplement the data gathered by your
3D Sensors with RNA.
TIP! Both Defense Centers in a high-availability pair must have NetFlow

licenses for at least the number of NetFlow-enabled devices you are using.
If one Defense Center does not have a NetFlow license, it will not receive
data from your NetFlow-enabled devices.
• While RUA LDAP authentication objects are shared, both Defense Centers
must have RUA licenses if you want to manage 3D Sensors with RUA with
the high availability pair.
IMPORTANT! An RUA Agent can only connect to one Defense Center at a

time. In an high-availability environment, if the primary Defense Center fails,
you must make sure that your RUA Agents can communicate with the
secondary Defense Center. For more information, see Configuring an RUA
Agent on an Active Directory Server in the Analyst Guide.
Understanding High Availability

Requires: DC Although Defense Centers in high availability mode are named “primary” and
“secondary,” you can make policy or other changes to either Defense Center.
Defense Centers periodically update each other on changes to their
configurations, and any change you make to one Defense Center should be
applied on the other Defense Center within ten minutes. (Each Defense Center
has a five-minute synchronization cycle, but the cycles themselves could be out
of sync by as much as five minutes, so changes appear within two five-minute

cycles.) However, during this ten-minute window, policies may appear incorrectly
on the other Defense Center.
For example, if you create a policy on your primary Defense Center and apply it to
a sensor that is also managed by your secondary Defense Center, the sensor
could contact the secondary Defense Center before the Defense Centers contact
each other. Because the sensor has a policy applied to it that the secondary
Defense Center does not recognize, the secondary Defense Center displays a
new policy with the name “unknown” until the Defense Centers synchronize.
Also, if you make conflicting policy or other changes to both Defense Centers
within the same window between Defense Centers syncs, the last change you
make takes precedence, regardless of the designations of the Defense Center as
primary and secondary.
Defense Centers configured as a high availability pair do not need to be on the
same trusted management network, nor do they have to be in the same
geographic location. For more information, see Guidelines for Implementing High
Availability on page 149.
Guidelines for Implementing High Availability

Requires: DC To take advantage of high availability, you must follow these guidelines.
• You must designate one Defense Center as the primary Defense Center
and one as the secondary.
Regardless of their designations as primary and secondary, both Defense
Centers can be configured with policies, rules, managed sensors, and so on
before you set up high availability.
TIP! To avoid confusion, start with the secondary Defense Center in its
original state. That is, you have not created or modified any policies, nor
created any new rules, nor have you previously managed any sensors with
it. To make sure the secondary Defense Center is in its original state, use
the Restore CD to remove changed settings. Note that this also deletes
event and configuration data from the Defense Center.
You cannot configure a recurring task schedule on the inactive Defense

Center. You must recreate the recurring task schedule on a newly activated
Defense Center when it changes from inactive to active.
• By default, the Defense Centers use port 8305/tcp for communications. You
can change the port as described in Configuring the Communication
Channel on page 383.
• Both Defense Centers must be running the same software version.
• Both Defense Centers must be running the same SEU version.
• The Defense Center software version must be the same or newer than the
software version of managed 3D Sensors.

• All RNA software sensors managed by Defense Centers in high availability

mode must be the same software version.
• If you use a Master Defense Center to manage a high-availability pair of
Defense Centers, use this sequence to establish communications between
the three of them: First, set up remote management between each
Defense Center and the Master Defense Center as detailed in Adding and
Deleting Defense Centers on page 164, then set up high availability as
detailed in Setting Up High Availability on page 150.
• The two Defense Centers do not need to be on the same network
segment, but each of the Defense Centers must be able to communicate
with the other and with the sensors they share. That is, the primary
Defense Center must be able to contact the secondary Defense Center at
the IP address on the secondary Defense Center’s own management
interface, and vice versa. In addition, either each Defense Center must be
able to contact the sensors it manages or the sensors must be able to
contact the Defense Center.
Setting Up High Availability

Requires: DC To use high availability, you must designate one Defense Center as the primary
and another Defense Center of the same model as the secondary. For information
about editing the remote management communications between the two
appliances, see Editing the Management Virtual Network on page 385.
WARNING! Sourcefire recommends that you change configurations only on the

primary Defense Center and that you use your secondary Defense Center as a
backup.
Before you configure high availability, make sure you synchronize time settings
between the Defense Centers you want to link. For details on setting time, see
Synchronizing Time on page 354.
TIP! To add an existing high availability pair of Defense Centers to a Master

Defense Center, add the primary Defense Center and the secondary Defense
Center is automatically added. For information about adding a Defense Center to
a Master Defense Center, see Adding a Master Defense Center on page 165.
To set up high availability for two Defense Centers:

Access: Admin 1. Log into the Defense Center that you want to designate as the secondary
Defense Center.
2. Select Operations > Configuration > High Availability.
The High Availability page appears.

3. Click the secondary Defense Center option.

The Secondary Defense Center Setup page appears.
4. Type the hostname or IP address of the primary Defense Center in the

Primary DC Host text box.
You can leave the Primary DC Host field empty if the management host does
not have a routable address. In that case, use both the Registration Key and
the Unique NAT ID fields.
5. Type a one-time-use registration key in the Registration Key text box
6. Optionally, in the Unique NAT ID field, type a unique alphanumeric registration
ID that you want to use to identify the primary Defense Center. See Working
in NAT Environments on page 112 for more information.
7. Click Register.
A success message appears, and the Peer Manager page appears, showing
the current state of the secondary Defense Center.
8. Using an account with Admin access, log into the Defense Center that you
want to designate as the primary.
10. Click the primary Defense Center option.
The Primary Defense Center Setup page appears.
11. Type the hostname or IP address of the secondary Defense Center in the
Secondary DC Host text box.

12. Type the same one-time-use registration key in the Registration Key text box
you used in step 5.
13. If you used a unique NAT ID on the secondary Defense Center, type the
same registration ID that you used in step 6 in the Unique NAT ID text box.
14. Click Register.
A success message appears, and the Peer Manager page appears, showing
the current state of the primary Defense Center.
Depending upon the number of policies and custom standard text rules they
have, it may take up to 10 minutes before all the rules and policies appear on
both Defense Centers. You can view the High Availability page to check the
status of the link between the two Defense Centers. You can also monitor
the Task Status to see when the process completes. See Monitoring the High
Availability Status on page 152.
Monitoring the High Availability Status

Requires: DC Once you have identified your primary and secondary Defense Centers, you can
use one of them to view status information about the other, including:
• IP address
• product model
• operating system
• operation system version
• time the Defense Centers last synchronized
To check high availability status:

Access: Admin 1. Log into one of the Defense Centers that you linked using high availability.

3. Under High Availability Status, you can view the following information about
the other Defense Center in the high availability pair:
• the IP address
• the model name
• the software version
• the operating system
• the length of time since the last contact between the two Defense
Centers
4. The two Defense Centers automatically synchronize within ten minutes (five
minutes for each Defense Center) after any action that affects a shared
feature. For example, if you create a new policy on one Defense Center, it is
automatically shared with the other Defense Center within 5 minutes.
However, if you want to synchronize the policy immediately, click Synchronize.
IMPORTANT! If you delete a sensor from a Defense Center configured in a

high availability pair and intend to re-add it, Sourcefire recommends that you
wait at least five minutes before adding the sensor back. This interval ensures
that the high availability pair re-synchronizes first. If you do not wait five
minutes, it may take more than one synchronization cycle to add the sensor
to both Defense Centers.
5. Click Peer Manager in the toolbar.

The Peer Manager page appears.
You can view the following information:

• the IP address of the other Defense Center in the HA pair
• the status, registered or unregistered, of the communications link
• the state, enabled or disabled, of the HA pair
For information about editing the remote management communications
between the two appliances, see Editing the Management Virtual Network
on page 385.
Disabling High Availability and Unregistering Sensors

Requires: DC If you want to remove one of the Defense Centers from a high availability pair,
you must first disable the high availability link between them.

To disable a high availability pair:

Access: Admin 1. Log into one of the Defense Centers in the HA pair.
3. Select one of the following options from the Handle Registered Sensors drop-
down list:
• To control all the managed sensors with the Defense Center where you
are accessing this page, select Unregister sensors on the other peer.
• To control all the managed sensors with the other Defense Center,
select Unregister sensors on this peer.
• To stop managing the sensors altogether, select Unregister sensors on
both peers.
4. Click Disable HA.
After you answer the prompt Do you really want to Disable High Availability? by
selecting OK, high availability is disabled and any managed sensors are
deleted from the Defense Centers according to your selection.
You can enable high availability with a different Defense Center as described
in Setting Up High Availability on page 150.
Pausing Communication between Paired Defense Centers

Requires: DC If you want to temporarily disable high availability, you can disable the
communications channel between the Defense Centers.
To disable the communications channel for a high availability pair:

Access: Admin 1. Click Peer Manager.
2. Click Disable to disable the communications channel between the two

Defense Centers.
on page 385.
Restarting Communication between Paired Defense Centers

Requires: DC If you temporarily disabled high availability, you can enable the communications
channel between the Defense Centers to restart high availability.

To enable the communications channel for a high availability pair:

Access: Admin 1. Click Peer Manager.
2. Click Enable to disable the communications channel between the two

Defense Centers.
on page 385.

Chapter 5
Administrator Guide
Using the Master Defense Center
The Sourcefire Master Defense Center is a key component in the Sourcefire 3D

System. You can use the Master Defense Center to aggregate and analyze
intrusion events, compliance events, and white list events from up to ten Defense
Centers within your Sourcefire 3D System deployment.

Understanding Event Aggregation Chapter 5
You can use the Master Defense Center to build and dispatch global detection
and intrusion policies. When you apply intrusion policies from a Master Defense
Center, the Sourcefire 3D System checks the SEU on the managing Defense
Center. If it finds an older SEU, it updates the managing Defense Center’s SEU.
The Master Defense Center can also aggregate events related to the health of
managed Defense Centers. In this way, you can view the current status of the
Defense Centers across your enterprise from a web interface.
IMPORTANT! The Product Compatibility section of the release notes for each
version describes which versions of the Defense Center you can manage with a
Master Defense Center.
The following sections explain more about using a Master Defense Center in your
Sourcefire 3D System deployment.
• Understanding Event Aggregation on page 157 explains which types of
events you can send from your Master Defense Centers to your Master
Defense Center.
• Understanding Global Policy Management on page 161 explains which
policies you can send from your Master Defense Center to 3D Sensors and
Defense Centers.
• Adding and Deleting Defense Centers on page 164 explains how to
configure a Defense Center to communicate with a Master Defense Center.
• Editing Settings for a Managed Defense Center on page 175 explains how
to change some of the settings for a Defense Center from the Master
Defense Center’s web interface.
• Managing Appliance Groups on page 179 explains how to use appliance
groups to aid in managing 3D Sensors and Defense Centers.
Understanding Event Aggregation

Requires: MDC A Master Defense Center can aggregate intrusion events and compliance events
(including white list events) from up to ten Defense Centers. You can configure a
Defense Center to send intrusion events based on their flag. You can also choose
whether to include the packet data collected with the intrusion events.
The settings on the Filter Configuration page determine which events are
forwarded from the Defense Center to the Master Defense Center. You can set
up a different configuration for each Defense Center, although most deployments
will use the same configuration across the enterprise.
• Aggregating Intrusion Events on page 158
• Aggregating Compliance Events on page 158
• Limitations on Event Aggregation on page 159

Aggregating Intrusion Events

Requires: MDC An intrusion event is generated by IPS when it analyzes network traffic and finds
one or more packets that violate the currently applied intrusion policy. Packet
decoders, preprocessors, and intrusion rules are all able to generate intrusion
events.
When you use the Filter Configuration page to specify which events are
forwarded to the Master Defense Center, you can choose one of the following
options:
• Do Not Send - Intrusion events are not forwarded to the Master Defense
Center.
• Events Only - The intrusion events specified in the Flags section are
forwarded to the Master Defense Center; however, any packets captured
for the event are not sent.
• Events and Packet Data - The intrusion events specified in the Flags section,
along with any related packets, are forwarded to the Master Defense
Center.
You can use the Flags section of the Filter Configuration page to forward only the
intrusion events that are important to your analysis. For example, you may want to
limit the intrusion events on the Master Defense Center to only those with the
greatest impact, that is, the red impact flag. If your 3D Sensors are deployed
inline and you are using intrusion rules set to Drop and Generate Events, you may
also want to send intrusion events with the black inline result flag.
You can also use flag settings to reduce the number of intrusion events that are
sent to the Master Defense Center in deployments where large numbers of
intrusion events are being generated from your 3D Sensors. For example, you can
greatly reduce the number of events sent from a Defense Center by excluding
events with the blue or gray impact flags.
IMPORTANT! You must deploy both RNA and IPS on your network to generate
intrusion events with meaningful impact flags. If you do not deploy 3D Sensors
with RNA on your network, then intrusion events are limited to gray impact flags
to indicate unknown impact.
Aggregating Compliance Events

Requires: MDC A compliance event is generated by a Defense Center when the conditions for a
compliance rule in an active compliance policy are met. The conditions that can
trigger a compliance rule include intrusion events, RNA events, flow data, and
anomalous network traffic.

When you use the Filter Configuration page to specify which events are
forwarded to the Master Defense Center, you can choose to send or not send
compliance events. See the following sections for more information:
• Adding a Defense Center on page 168
• Editing the Event Filter Configuration on page 176
Limitations on Event Aggregation

Requires: MDC The Master Defense Center is a powerful tool for analyzing the potential
malicious activity across your enterprise’s network. However, there are certain
limitations that you should take into consideration when you design your Master
Defense Center deployment. The Master Defense Center and Defense Center
Functional Comparison table compares and contrasts Defense Center and Master
Defense Center functional areas.
Master Defense Center and Defense Center Functional Comparison
Function Master Defense Center Defense Center
License provisions provides product license provides product license, and

NetFlow, RNA and RUA feature
licenses
3D Sensor configuration allows you to configure allows you to configure

detection engines detection engines, interface
sets, network interfaces.
Analysis and reporting search allows you to search for allows you search for intrusion
intrusion events, compliance events, RNA events, hosts, host
events, white list events, SEU attributes, services, client
import log, audit log, health applications, flow data,
events. vulnerabilities, compliance
events, white list events, white
list violations, remediation
status, SEU import log, audit
log, health events, scan results,
users, and RUA events.

Master Defense Center and Defense Center Functional Comparison (Continued)
Function Master Defense Center Defense Center
Network scans does not provide for Nessus provides Nessus and Nmap
and Nmap scans. scans and results.
Global policies allows you to build intrusion policies are normally

policies and to distribute them downloaded only to their
through connected Defense managed 3D Sensors
Centers to their managed
3D Sensors throughout the
enterprise
Event consolidation allows for collection of events events are collected only from
from up to ten Defense Centers managed 3D Sensors
Data Generated by RNA

The Master Defense Center cannot aggregate RNA events or flow data generated
by RNA and forwarded to a Defense Center. In addition, the Master Defense
Center does not build a network map or host data for the hosts on your network.
However, because you can forward compliance events and white list events from
your managed Defense Centers to your Master Defense Center, you can gain
insight into RNA-detected activity across your enterprise. To take advantage of
this, on your Defense Centers you need to build compliance rules and policies
that are triggered by the RNA events that interest you and forward the resulting
compliance events to the Master Defense Center.
Event Rate
The event rate limit for the Master Defense Center is the same rate limit on
Defense Centers. This means that if your Defense Centers are accepting events
from their 3D Sensors up to the rate limit, you must adjust the event filter on the
Master Defense Center so that only the most important events are forwarded
from the Defense Centers. For example, in cases where the intrusion event rate
is high, you might want to adjust the filter to send only intrusion events with red
impact flags. You can also limit the amount of data transferred between a
Defense Center and its Master Defense Center by sending only intrusion event
data, and not sending the packet data.
Intrusion Agents
Intrusion events generated by intrusion agents are not forwarded to the Master
Defense Center.

Understanding Global Policy Management Chapter 5
Understanding Global Policy Management

Requires: MDC You can use the Master Defense Center to generate global intrusion policies and
coordinate them with potential vulnerabilities detected by RNA policies. Global
intrusion policies are beneficial in rapid response scenarios and during
enterprise-wide intrusion policy updates. The Master Defense Center sends the
policy through a Defense Center to a 3D Sensor’s detection engine. Master
Defense Center generated policies are not accessible on an intermediate
Defense Center, however if a newer SEU resides on the Master Defense Center
than on a Defense Center in the path, then the downstream SEU is updated. This
ensures that a global intrusion policies utilize the latest SEU.
RNA compares the data it collects and analyzes with its vulnerability database to
determine the potential vulnerabilities on the detected host. You can build, apply
edit, delete and export RNA on a Master Defense Center. Existing RNA policies
are available for viewing so that you can determine:
• RNA policy name and description
• Detection policy settings such as update interval, if banners and HTTP URLs
are captured, if client application are being detected, and so on.
• Which networks and ports are monitored by the RNA policy
• If NetFlow is used to generate host information, which networks and
NetFlow-enabled devices are monitored by NetFlow.
For information on creating and applying as well as deleting RNA policies, see
What is an RNA Detection Policy? in the Analyst Guide.
You can also import and export compliance policies and rules, custom service
decoders, as well as intrusion, system, and health policies. For information on
import and export functions, see Importing and Exporting Objects on page 583.
Managing Global Intrusion Policies

Requires: MDC Refer to the following sections for information about managing intrusion policies:
• Creating an Intrusion Policy in the Analyst Guide explains how to create an
intrusion policy.
• Editing an Intrusion Policy in the Analyst Guide explains how to modify
existing intrusion policies.
• Applying an Intrusion Policy in the Analyst Guide explains how to apply a
new or updated intrusion policy to the appropriate IPS detection engines.
• Defining IP Addresses and Ports for Your Network in the Analyst Guide
provides the syntax used to specify IP addresses and port numbers within
the variables and rules in your policy.
• Managing Variables in the Analyst Guide explains how to create and
manage variables that you can use within intrusion policies.

• Managing Intrusion Rules in the Analyst Guide explains how to enable and
disable intrusion rules within an intrusion policy. This section also explains
how to configure rules in inline intrusion policies so that they drop malicious
packets.
• Importing SEUs and Rule Files in the Analyst Guide explains how to
download and import Security Enhancement Updates (SEUs) that contain
new intrusion rules. Note that SEUs can also contain new and updated
decoders and preprocessors.
Using RNA Detection Policies on a Master Defense Center

Requires: MDC You can create, edit, delete, export, and apply RNA detection policies from a
Master Defense Center. Refer to the following, for information on the following
RNA detection policy functions:
• Creating RNA Detection Policies in the Analyst Guide
• Applying an RNA Detection Policy in the Analyst Guide
• Editing an RNA Detection Policy in the Analyst Guide
• Deleting an RNA Detection Policy in the Analyst Guide
Using Health Policies on a Master Defense Center

Requires: MDC You can edit, delete, and apply default health policies to the Master Defense
Center and to connected Defense Centers. For information about health policies
see the following:
• Understanding Health Monitoring on page 483
• Configuring Health Policies on page 489
• Using the Health Monitor Blacklist on page 534
• Configuring Health Monitor Alerts on page 539
• Using the Health Monitor on page 545
• Using Appliance Health Monitors on page 547
• Working with Health Events on page 555
See Health Policies on page 164 to distinguish the health policy modules that are
useful on a Master Defense Center or Defense Center from those that are not,
and for brief descriptions of those modules that are used.
Using System Policies on a Master Defense Center

Requires: MDC System policies allow you to manage the following functions on your Defense
Centers or Master Defense Center:
• access configuration
• authentication profiles (Defense Center only)

• database limits
• DNS cache settings
• the mail relay host and a notification address for database prune messages
• language selection (English or Japanese)
• login banner
• the kinds and amount of RNA data stored in the database (Defense Center
only)
• time synchronization settings
See Managing System Policies on page 320 for information about system policy
usage.
Master Defense Center Policy Management Limitations

Requires: MDC There are several types of policies including detection and prevention, RNA
detection, RUA detection, and health policies. The Defense Center and Master
Defense Center do not handle these policies in the same manner.
Detection and Prevention Policies

You can create, edit, delete, export, and apply intrusion detection and prevention
policies from a Master Defense Center. The Sourcefire 3D System bases
intrusion policies on SEUs residing on the appliance where the policy is built.
When you apply an intrusion policy to a 3D Sensor’s detection engines from a
Master Defense Center, the Sourcefire 3D System checks for any older SEUs on
Defense Center(s) managing those detection engines. If it finds SEUs older than
those on the Master Defense Center, they are updated. Therefore, a warning
message with a check box appears. After you acknowledge the message by
clicking its check box, the Apply button activates.
You can apply one or more custom intrusion policies filtered to monitor VLAN or
subnetwork traffic on the network monitored by the detection engine where you
apply the policy.
TIP! Before applying a filtered policy, you must apply a non-filtered policy to the
detection engine from the same Defense Center or Master Defense Center. You
cannot apply a non-filtered policy from a Defense Center then add filters to it from
a managing Master Defense Center.
RNA Detection Policies

RNA analysis and reporting functions such as using the network map, listing RNA
hosts and events, and listing client applications and vulnerabilities are performed
on Defense Centers and not on Master Defense Centers. However, if your

Adding and Deleting Defense Centers Chapter 5
deployment includes RNA, you can view host profiles from event views by
clicking the host profile icon ( ) next to an IP address.
RUA Detection Policies

There are currently no Real-Time User Awareness functions on a Master Defense
Center. RUA functions are available only on properly licensed Defense Centers.
Health Policies
The Master Defense Center monitors its health and the health of connected
Defense Centers. Master Defense Centers apply health policies only to Master
Defense Centers and Defense Centers. Default 3D Sensor, Default IPS, Default
IPS (3Dx800 only), and Default RNA Health Policies are not used on the Master
Defense Center.
Currently, only the generic Default Health Policy is available for editing and
application to appliances. For a listing of the health policy modules that apply to
Defense Centers, see the Enabled Defense Center Health Modules - Default
Health Policy table on page 493. For a listing of the health policy modules that
apply to Master Defense Centers, see the Enabled MDC Health Modules - Default
Health Policy table on page 494. Policies that are not applicable are implicitly
disabled when there is an attempt to apply them to a Defense Center or an
Master Defense Center. For details about editing appropriate health policies, see
Editing Health Policies on page 530.
System Policies
System policies are applied only to Master Defense Centers and Defense Centers
from a Master Defense Center.
Adding and Deleting Defense Centers

Requires: MDC + DC When you manage a Defense Center with your Master Defense Center, you set
up a two-way, SSL-encrypted communication channel between the appliances.
The Defense Center uses this channel to send events to the Master Defense
Center. As the Defense Center receives events from its sensors, it evaluates
which events, based on filter configuration, it should send to the Master Defense
Center using the same channel.
• Adding a Defense Center on page 168
• Deleting a Defense Center on page 171
• Resetting Management of a Defense Center on page 171

Adding a Master Defense Center

Requires: MDC + DC You can add a Master Defense Center connection to your Defense Center,
however before you do, you must make sure that the network settings are
configured correctly on both appliances. This is usually completed as part of the
installation process, but you can see Configuring Network Settings on page 377
for details.
TIP! To add an existing high availability pair of Defense Centers to a Master

Defense Center, add the primary Defense Center and the secondary Defense
Center is automatically added.

• Management Host or Host- for the hostname or IP address.
• Registration Key - registration key
• Unique NAT ID (optional) - for a unique alphanumeric ID. See Working in NAT
TIP! Set up the managed appliance first. At a Defense Center, add the remote
management then at the managing Master Defense Center, add the Defense
Center.

• Management Host or Host and Registration Key used on both appliances
• Registration Key and Unique NAT ID used on the Defense Center with Host,
Registration Key, and Unique NAT ID used on the Master Defense Center
• Management Host, Registration Key, and Unique NAT ID used on the Defense
Center with Registration Key and Unique NAT ID used on the Master Defense
Center

be used on at least one of the appliance.
To add a Master Defense Center, you need to determine which events on the
Defense Center you want to forward to the Master Defense Center.
To add a Master Defense Center to a Defense Center:

Access: Admin 1. Log into the web interface of the Defense Center you want to add.


Master Defense Center that you want to use to manage the Defense Center.
You can leave the Management Host field empty if the management host does
not have a routable address. In that case, use both the Registration Key and
the Unique NAT ID fields
want to use to set up a communications channel between the Master
Defense Center and the Defense Center.
7. Optionally, in the Unique NAT ID field, type a unique alphanumeric NAT ID that
you want to use to identify the Defense Center.
8. Click Save.
After the Defense Center confirms communication with the Master Defense
Center, the Pending Registration status appears.
9. Log into the Master Defense Center’s web interface using a user account
with Admin access, and select Operations > Appliances.
The Defense Centers page appears.

10. Click New Defense Center.

The New Defense Center page appears.
11. Type the IP address or the hostname of the Defense Center you want to add
in the Host field.
You can leave the Host field empty if the host does not have a routable
address. In that case, use both the Registration Key and the Unique NAT ID
fields
you used in step 6.
13. If you used an unique NAT ID in step 6, type the same value in the Unique NAT
ID (optional) field.
14. Under Filter Configuration, identify the types of events you want to forward
from the Defense Center to the Master Defense Center.
Note that if you select intrusion events, you can send events or events and
packet data. You can also filter which intrusion events are forwarded based on
their impact flag. If you chose to send compliance events to the Master
Defense Center, white list events are also sent. See Editing the Event Filter
Configuration on page 176 for more information.
IMPORTANT! You must select at least one type of flag if you want to send
intrusion events.

15. Click Add.

The Defense Center is added to the Master Defense Center. It can take up to
two minutes for the Defense Center to establish communication with the
Master Defense Center. You can view the status on the Defense Centers
page (Operations > Appliances).
16. After communications between the two appliances are established, continue
with the procedure in Adding a Defense Center.
Adding a Defense Center

Requires: MDC + DC Before you add a Defense Center to a Master Defense Center, you must make
sure that the network settings are configured correctly on both appliances. This is
usually completed as part of the installation process. For more information see
Configuring Network Settings on page 377.
IMPORTANT! If you registered a Master Defense Center and Defense Center

using IPv4 and want to convert them to IPv6, you must delete and re-register the
Defense Center.

• Management Host or Host- for the hostname or IP address.
• Registration Key - one-time use registration key
• Unique NAT ID (optional) - for a unique alphanumeric ID. See Working in NAT
TIP! Set up the managed appliance first. At a Defense Center, add the remote
management, then at the managing Master Defense Center add the Defense
Center.

• Management Host or Host and Registration Key used on both appliances
• Registration Key and Unique NAT ID used on the Defense Center with Host,
Registration Key, and Unique NAT ID used on the Master Defense Center
• Management Host, Registration Key, and Unique NAT ID used on the Defense
Center with Registration Key and Unique NAT ID used on the Master Defense
Center

be used on at least one of the appliance.

To add a Defense Center, you need to predetermine which events on the Defense
Center you want to forward to the Master Defense Center.
To add a Defense Center to a Master Defense Center:

Access: Admin 1. Using a user account with Admin access, log into the web interface of the
Defense Center you want to add.
want to use to set up a communications channel between the Master
Defense Center and the Defense Center.
you want to use to identify the Defense Center.
8. Click Save.

9. Log into the Master Defense Center’s web interface using a user account
with Admin access, and select Operations > Appliances.
The New Defense Center page appears.
in the Host field.
you used in step 6.
13. If you used a NAT ID in step 7, type the same value in the Unique NAT ID
(optional) field.
14. Under Filter Configuration, identify the types of events you want to forward
from the Defense Center to the Master Defense Center.
Note that if you select intrusion events, you can send events or events and
packet data. You can also filter which intrusion events are forwarded based on
their impact flag. If you chose to send compliance events to the Master
Defense Center, white list events are also sent. See Editing the Event Filter
Configuration on page 176 for more information.
IMPORTANT! You must select at least one type of flag if you want to send
intrusion events.

15. Click Add.

two minutes for the Defense Center to establish communication with the
Master Defense Center. You can view the status on the Defense Centers
page (Operations > Appliances).
Deleting a Defense Center

Requires: MDC + DC If you no longer want to manage a Defense Center, you can delete it from the
Master Defense Center. Deleting a Defense Center severs all communication
between the Defense Center and the Master Defense Center. To manage the
Defense Center again at a later date, you must re-add it to the Master Defense
Center. To keep the Defense Center from trying to reconnect to the Master
Defense Center, you should also delete the manager on the Defense Center.
To delete a Defense Center from the Master Defense Center:

Access: Admin 1. Log into the Master Defense Center web interface, and select Operations >
Appliances.
2. Click Delete next to the Defense Center you want to delete.
Communication between the Master Defense Center and the Defense
Center is discontinued and the Defense Center is deleted from the Defense
Centers page.
3. Log into the web interface of the Defense Center you want to delete.
6. Click Delete next to the Master Defense Center that was managing the
Defense Center.
Resetting Management of a Defense Center

Requires: MDC + DC If communications fail between the Master Defense Center and one of your
Defense Centers, you can reset management of the Defense Center. If you want
to manage a Defense Center with a different Master Defense Center, you must
also reset management before adding the Defense Center to the another Master
Defense Center. To do this, you must first delete the manager on the Defense
Center and delete the Defense Center on the Master Defense Center. You can
then re-add the Master Defense Center on the Defense Center and then add the
Defense Center to a Master Defense Center.

To reset management from a Master Defense Center:

Access: Admin 1. Log into the web interface of the Master Defense Center where you want to
reset communications.
2. Select Operations > Appliances.
3. Click Delete next to the Defense Center you want to delete.
Communication between the Defense Center and the Master Defense
Center is discontinued and the Defense Center is deleted from the Defense
Centers page.
To delete management on the Defense Center:

communications.
4. Click Delete next to the Master Defense Center where you want to reset
management.
To re-add the Defense Center to the Master Defense Center:

communications and click Add Manager.
and the Unique NAT ID fields

Using the Appliances Page Chapter 5
want to use to set up a communications channel between the Defense
Center and the Master Defense Center.
you want to use to identify the Defense Center. See Working in NAT
5. Click Save.
6. Log into the Master Defense Center’s web interface and select Operations >
Appliances.
The Add New Defense Center page appears.
in the Host field.
you used in step 3.
10. If you used an alphanumeric NAT ID in step 4, type the same value in the
Unique NAT ID (optional) field.
11. To add the Defense Center to a group, select the group from the Add to Group
list.
For more information about Defense Center groups, see Managing Appliance
Groups on page 179.
12. Click Add.
two minutes for the Master Defense Center to verify communication with the
Defense Center. You can view the Defense Center’s status on the Defense
Centers page (Operations > Appliances).
Using the Appliances Page

Requires: MDC + DC The Appliances page (Operations > Appliances) provides you with a range of
information and options that you can use to manage your Defense Centers. The
following sections describe the features on the Appliances page.

Using the Appliances Page Chapter 5
Sort-by Drop-Down List

Use this drop-down list to sort the Appliances page according to your needs. You
can sort by:
• Group, which sorts by Appliance group (see Managing Appliance Groups on
page 179)
TIP! High availability Defense Center pairs are automatically listed as an

appliance group. An HA pair is listed as a group named with the name of the
active Defense Center.
• Manager, which sorts by the Defense Center then the 3D Sensor connected
to it.
• Model, which sorts by appliance model number, that is, the Defense Center
1000 and the Defense Center 3000, 3D Sensor 2100, and so on.
Status Icons
The status icons indicate the state of a Defense Center. The green check mark
icon indicates that the Master Defense Center and the Defense Center are
communicating properly. The red exclamation point icon indicates that the Master
Defense Center has not received communications from the Defense Center in
the last three minutes. If you hover your cursor over the icon, a pop-up window
indicates the amount of time (in hours, minutes, and seconds) since the last
contact. If the Master Defense Center has not received a communication from a
Defense Center within the last two minutes, it sends a two-byte heartbeat packet
to establish contact and ensure that the communications channel is still running.
If your network is constrained in bandwidth, you can contact technical support to
change the default time interval.
Edit and Delete Icons
Click the Edit icon next to a sensor if you want to change the Defense Center’s
current system settings. The system settings include the filter configuration for
the Defense Center, the remote management configuration, the health blacklist
settings, and the high availability settings. See Editing Settings for a Managed
Defense Center on page 175 for more information.
Click the Delete icon next to a Defense Center if you no longer want to manage
the Defense Center with the Master Defense Center. See Deleting a Defense
Center on page 171 for more information.

Editing Settings for a Managed Defense Center Chapter 5
Editing Settings for a Managed Defense Center

Requires: MDC + DC After you configure management of a Defense Center by a Master Defense
Center, you can use the Master Defense Center web interface to view and edit
the configuration of the Defense Center. See the following sections for more
information.
• Viewing the Defense Center Information Page on page 175
• Editing the Event Filter Configuration on page 176
• Editing or Disabling Remote Management Communications on page 178
• Managing the Health Blacklist on page 178
• Managing High Availability Defense Centers on page 178
Viewing the Defense Center Information Page

Requires: MDC + DC To access the system settings information page for a managed Defense Center,
select Appliances from the Operations menu, then click Edit next to the Defense
Center. The Information page for a managed Defense Center includes the fields
described in the Defense Center Information table.
Defense Center Information
Field Description
Name The assigned name for the Defense Center. Note that this
is the name of the Defense Center in the Master Defense
Center web interface, not the hostname.
Product Model The model name for the managed Defense Center.
Software Version The version of the software currently installed on the

managed Defense Center.
Operating The operating system currently running on the managed

System Defense Center.

System Version the managed Defense Center.
VDB Version The Vulnerability Database version on the managed

Defense Center.
IP Address The IP address of the managed Defense Center.

Defense Center Information (Continued)
Field Description
Status An icon showing the current status of the managed

Defense Center. If you hover your cursor over the icon, a
pop-up message indicates how long it has been (in hours,
minutes, and seconds) since the Defense Center
communicated with the Master Defense Center.
You can click Refresh to update the Status icon and its
accompanying pop-up message.
Model Number The model number for the Defense Center. This number
can be important for troubleshooting.
Current Group The group that the Defense Center belongs to, if any.
To edit a managed Defense Center’s settings:

Access: Admin 1. Change the Defense Center’s attributes as needed.
You can edit the following:
• the name of the Defense Center
• the group in which the Defense Center resides
WARNING! The name must be made up of a combination of alphanumeric

characters and should not be made up of numeric characters only.
2. Click Save.
The updated Defense Center attributes are saved.
Editing the Event Filter Configuration

Requires: MDC The settings on the Filter Configuration page control which events are sent from
the Defense Center to the Master Defense Center that manages it. Your options
are to send intrusion events, intrusion events and related packet data, and
compliance events.
If you want to send intrusion events (with or without packet data), you can also
specify which intrusion events are sent based on their impact flag. See the
Impact Flags table in the Analyst Guide for an explanation of what each impact

flag means. Note that you must deploy both RNA and IPS as part of your
Sourcefire 3D System deployment to generate meaningful impact flags.
TIP! If you set up the 3D Sensor so it does not send packet data to the
intermediate Defense Center, then packet data is not forwarded to the Master
Defense Center.
To modify the event filter configuration:

Access: Admin 1. On the Master Defense Center’s web interface, select Operations > Appliances.
The Appliances page appears.
2. Next to the Defense Center whose filter configuration you want to change,
click Edit.
The Filter Configuration page appears.
3. In the Intrusion Events area, use the drop-down list to indicate whether you
want to forward intrusion events to the Master Defense Center. The options
are Do Not Send, Events Only, and Events and Packet Data.
4. If you indicated that you want to send intrusion events, then you must specify
which events you want to send based on their impact flag. The Flags options
are:
• All
• Black (or Drop)
• Red (or Vulnerable)
• Orange (or Potentially Vulnerable)
• Yellow (or Currently Not Vulnerable)
• Blue (or Unknown Target)
• Gray (or Unknown)
TIP! If you select All, then all the options are immediately selected. If you
want to send intrusion events to the Master Defense Center, then you must
select at least one impact flag option.

5. In the Compliance Events area, use the drop-down list to indicate whether
you want to forward compliance events to the Master Defense Center. The
options are Do Not Send and Send.
6. Click Save.
Your settings are saved and the Defense Center begins forwarding the events
you specified to the Master Defense Center that manages it.
Editing or Disabling Remote Management Communications

Requires: MDC + DC You can manage communications between a managed Defense Center and its
Master Defense Center using the Master Defense Center’s web interface. For
example, if a Defense Center is no longer responding, you can temporarily disable
communications between the Defense Center and its Master Defense Center.
IMPORTANT! Master Defense Centers do not currently use a Management

Virtual Network. You cannot edit the Management Virtual Network field of a Master
Defense Center. The field is filled with 0.0.0.0/24 to indicate that the
Management Virtual Network is disabled on a Master Defense Center.
To disable communications between the Defense Center and the Master Defense Center:
Access: Admin X Click Disable next to the name of the Defense Center. Communications
between the two appliances are interrupted.
To enable communications between the two appliances again, click Enable.
For more information about editing the Management Virtual Network, see Editing
the Management Virtual Network on page 385.
Managing the Health Blacklist

Requires: MDC + DC You can blacklist individual health policy modules on Defense Centers. You may
want to do this to prevent events from the module from changing the status for
the appliance to warning or critical.
For information on using the blacklisting function, see Using the Health Monitor
Blacklist on page 534.
Managing High Availability Defense Centers

Requires: MDC + DC You can configure, monitor, disable, pause and restart Defense Center High
Availability from a Defense Center. See the following sections for more
information:
• Using Redundant Defense Centers on page 112
• Setting Up High Availability on page 150

Managing Appliance Groups Chapter 5
• Monitoring the High Availability Status on page 152

• Disabling High Availability and Unregistering Sensors on page 153
• Pausing Communication between Paired Defense Centers on page 154
• Restarting Communication between Paired Defense Centers on page 154
If High Availability is configured, you can activate Defense Center High Availability
from a Master Defense Center.
TIP! When using Intrusion Agents registered to Defense Centers configured for
high availability and managed by a Master Defense Center, register all Intrusion
Agents to the primary Defense Center.
To activate a redundant Defense Center:

Access: Admin 1. Select Operations > Appliances.
2. Click Edit next to the appropriate Defense Center.
The System Settings page for that Defense Center appears.
3. Click High Availability.
The high availability page appears with the paired Defense Centers.
TIP! A light bulb icon shows which of the high availability paired Defense
Centers is currently active.
4. Click Activate to activate the redundant Defense Center.

The redundant Defense Center is activated.
Managing Appliance Groups

Requires: MDC The Master Defense Center allows you to group appliances so that you can easily
search for events based on whether they were forwarded by one of a specific
group of appliances.
TIP! High availability Defense Center pairs are automatically listed as an

appliance group. An HA pair is listed as a group with the name of the active
Defense Center.

Managing Appliance Groups Chapter 5

• Creating Appliance Groups on page 180 explains how to create a Defense
Center group on the Master Defense Center.
• Editing Appliance Groups on page 180 explains how to modify the list of
Defense Centers in a Defense Center group.
• Deleting Appliance Groups on page 181 explains how to delete a Defense
Center group.
Creating Appliance Groups

Requires: MDC Grouping managed appliances allows you to use the group name as a search
criterion when you search for specific compliance or intrusion events.
To create an appliance group and add appliances to it:

Access: Admin 1. On the Master Defense Center, select Operations > Appliances.
2. Click Create New Appliance Group.
The Create Appliance Group page appears.
3. In the Group Name field, type the name of the group you want to create.
4. Click Save.
The group is added.
5. To add appliances to the group, return to the Appliances page (Operations >
Appliances) and click Edit next to the name of the group.
The Appliance Group Edit page appears.
6. Select the IP addresses or hostnames of the appliances you want to add from
the Available Appliances list and click the arrow to move them into the group.
7. Click Save.
The appliances are added to the group and the Appliances page appears
again.
Editing Appliance Groups

Requires: MDC You can change the set of appliances that reside in any appliance group.
TIP! You must remove an appliance from its current group before you can add it
to a new group.
Moving an appliance to a new group does not change any of its policies or
configurations.

Editing Master Defense Center System Settings Chapter 5
To edit an appliance group:

Access: Admin 1. On the Master Defense Center, select Operations > Appliances.
2. Click Edit next to the Appliance group you want to edit.
The Appliance Group Edit page appears.
3. Select the appliance you want to move and click the arrow to add or remove it
from the group.
• To add an appliance to the group, select it from the Available Appliances
list and click the arrow pointing toward the group you are editing.
• To remove an appliance from a group, select it from the list in the group
you are editing and click the arrow pointing to the Available Appliances
list.
4. Click Save.
Deleting Appliance Groups

Requires: MDC If you delete a group that contains appliances, the appliances are moved to
Ungrouped on the Appliances page. They are not deleted from the Master
Defense Center.
To delete an appliance group:

Access: Admin 1. Select Operations > Appliances.
2. Click Delete next to the group you want to delete.
The appliances group is removed from the Master Defense Center.
Editing Master Defense Center System Settings

Requires: MDC With a few exceptions, the Master Defense Center system settings are the same
as those of a Defense Center. See the following sections for information on each
of the listed system settings:
IMPORTANT! NetFlow-enabled devices cannot currently be added to a Master

Defense Center.
• Listing Master Defense Center Information on page 182

• Viewing a Master Defense Center License on page 182
• Configuring Network Settings on page 377
• Shutting Down and Restarting the System on page 182

• Setting System Time on page 183

• Blacklisting Health Policies on page 184
Listing Master Defense Center Information

Requires: MDC For details on information listed under the Master Defense Center system
settings, see Defense Center Information on page 175.
To edit a Master Defense Center’s settings:

Access: Admin 1. Change the name of the Master Defense Center attributes as needed.
WARNING! The name must be made up of a combination of alphanumeric

characters and should not be made up of numeric characters only.
2. Click Save.
The updated Master Defense Center attributes are saved.
Viewing a Master Defense Center License

Requires: MDC Unlike a Defense Center, a Master Defense Center cannot manage the licenses
of Defense Centers or 3D Sensors.
To view information about the Master Defense Center license:

Access: Admin 1. Select Operations > System Settings.
2. Click License.
The License page appears.
Configuring Network Settings

Requires: MDC The network settings are identical to those of the Defense Center. For
information on configuring the Master Defense Center network settings, see
Configuring Network Settings on page 377.
Shutting Down and Restarting the System

Requires: MDC You have several options for controlling the processes on your Master Defense
Center. You can:
• shut down the appliance
• reboot the appliance
• restart the appliance

To shut down or restart your appliance:

2. Click Process.
The Appliance Process page appears.
3. Specify the command you want to perform:

• If you want to shut down the Master Defense Center, click Run
Command next to Shutdown Master Defense Center.
• If you want to reboot the system, click Run Command next to Reboot
• If you want to restart the Defense Center, click Run Command next to
Restart Master Defense Center Console. Note that restarting the Defense
Center may cause deleted hosts to reappear.
Configuring Remote Management Networking

Requires: MDC A Master Defense Center’s Management Virtual Network is disabled.

Virtual Network. You cannot edit the Management Virtual Network field if the
Defense Center is in the Master Defense Center operational mode. The field is
filled with the address range 0.0.0.0/24 to disable the Management Virtual
Network.
Setting System Time

Requires: MDC The system time is set and synchronized in accordance with the system policy.
On the Time Synchronization page you can choose to serve time from the Master
Defense Center by selecting Enabled in the Serve Time via NTP field.
TIP! Because Master Defense Centers do not currently use Management Virtual
Networks, their real IP network is used to serve time.

To specify how the Master Defense Center clock is set:

Access: Admin X You have two options:
• To set the time manually, select Manually in the System Settings.
• To receive time through NTP from a different server, select Via NTP
Server from and, in the text box, type the IP address of the NTP server
or, if DNS is enabled, type the fully qualified host and domain name.
WARNING! If the appliance is rebooted and your DHCP server sets an NTP
server record different than the one you specify here, the DHCP-provided NTP
server will be used instead. To avoid this situation, you should configure your
DHCP server to set the same NTP server.
For more information about setting system time, see Synchronizing Time on
page 354.
Blacklisting Health Policies

Requires: MDC You can blacklist health policy modules when required. The Master Defense
Center supports the following health policy modules:
• Appliance Heartbeat
• CPU Usage
• Data Correlator Process
• Defense Center Status
• Disk Usage
• eStreamer Process
• Event Stream Status
• Memory Usage
For more information on blacklisting a health policy, see Blacklisting a Health
Policy Module on page 537.

Chapter 6
Administrator Guide
Using Detection Engines and

Interface Sets
To give you increased flexibility in your deployment choices, the Sourcefire 3D

System provides a feature called the detection engine. You can think of a
detection engine as a collection of one or more sensing interfaces (called an
interface set) on a 3D Sensor plus a portion of the sensor’s computing resources
(called a detection resource).
3D Sensors support three types of detection engines:
• IPS
• RNA
• RUA
TIP! You cannot use the RUA feature on Crossbeam-based software sensors. In
addition, you cannot use RUA or RNA on 3D9800 sensors. However, you can
combine the data from those sensors with RUA or RNA on a Defense Center.
The number of detection engines per sensor is limited by the number of

detection resources that are available. Most 3D Sensor models have at least
three detection resources available and can support at least three detection
engines: one for IPS, one for RNA, and the third for RUA. See the Detection
Resources by Model table on page 190 for more information.

Using Detection Engines and Interface Sets
Understanding Detection Engines Chapter 6
The following sections describe the detection engines and interface set features
and how you can use them in your Sourcefire 3D System deployment:
• Understanding Detection Engines on page 186 explains detection engines
in more detail, including some of the limitations based on the sensor model.
This section also describes how default detection engines are configured.
• Managing Detection Engines on page 193 explains how to create, edit, and
delete detection engines.
• Using Detection Engine Groups on page 197 explains how to create and
use detection engine groups.
• Using Variables within Detection Engines on page 199 explains how to use
detection engine-specific variable values to tailor your detection capabilities
to more closely match your infrastructure.
• Using Interface Sets on page 207 describes how to create interface sets
and how to use them with detection engines.
• Using Interface Set Groups on page 223 describes how to create and use
interface sets groups.
• Inline Fail Open Interface Set Commands on page 225 explains how to force
an interface set in and out of bypass mode when using an inline fiber fail
open interface set.
• Using Clustered 3D Sensors on page 227 explains how to use detection
engines and interface sets in a clustered 3D9900 sensor pairing.
Understanding Detection Engines

Requires: DC or A detection engine is the mechanism on a 3D Sensor that is responsible for
3D Sensor analyzing the traffic on the network segment where the sensor is connected.
To list the available detection engines:

Access: Admin X Select Operations > Configuration > Detection Engines > Detection Engines.
The Available Detection Engines page appears. The figure below shows the
Defense Center version of the page.
You can sort the available detection engines by group, sensor, policy,
detection engine type, or interface set type.

Detection Engine Type, Resources, and Interface Set

Depending on which components are licensed on the sensor, 3D Sensors can
support three types of detection engines: IPS, RNA, and RUA.
A detection engine has two main components:
• an interface set, which can include one or more sensing interfaces
• a detection resource, which is a portion of the sensor’s computing
resources
For information about detection engines and detection resources, see
Understanding Detection Resources and 3D Sensor Models on page 189
PEP Policy
Only 3D9900 sensors provide the PEP feature. For more information on the PEP
feature, see Using PEP to Manage Traffic in the Analyst Guide.
Set Type
An interface set refers to a grouping of one or more sensing interfaces on a
sensor, although a sensing interface can belong to only one interface set at a
time. The Sourcefire 3D System supports three types of interface sets, but the
interface options available to you depend on the type of sensor and the
capabilities of its sensing interfaces. The three interface types are described in
the Interface Set Types table.
Interface Set Types
Type Description
Passive Use a passive interface set if you deployed the sensor out
of band from the flow of network traffic.
Inline Use an inline interface set if you deployed the sensor inline
on your network and the sensing interfaces do not support
automatic fail-open capabilities. Note that you can use any
two of the non-fail-open interfaces on the sensor’s network
interface cards as part of an inline interface set. (The
exception is on 3D9900s, where pairs are pre-determined).
Inline with Fail Use an inline with fail open interface set if you deployed the
Open sensor inline on your network and the sensing interfaces do
support automatic fail-open capabilities. Note that you must
use paired fail-open interfaces on the sensor’s network
interface cards for an inline with fail open interface set.

You can use RNA or RUA to monitor the traffic that passes through any of the
three types of interface sets.
IMPORTANT! On a 3D3800 or 3D5800 sensor, if you plan to use RNA to monitor

either an inline or inline with fail open interface set, you must either configure an
IPS detection engine that uses that interface set, as well as apply an intrusion
policy to that detection engine, or configure the interface set in tap mode.
Otherwise, the RNA detection engine monitoring that interface set will not see
any traffic. If you are monitoring the same inline interface set with both IPS and
RNA or RUA, and the IPS detection engine fails for any reason, the RNA or RUA
detection engine monitoring that interface set will not see any traffic until the IPS
detection engine restarts. Neither RNA nor RUA are supported on the 3D9800
sensor.
See Using Interface Sets on page 207 for more information about creating and
editing interface sets.
Policy
3D Sensors have different capabilities and limitations depending on whether you
licensed IPS, RUA, or RNA. You can determine what the name and state of IPS
and RNA policies from the following information in the policy column:
• If you change an IPS and RNA policy and have not applied it to the detection
engine since the change, then the icon has an exclamation point and the
name is italicized.
TIP! After you upgrade your sensor to version 4.9 you have the advantage
of the following listed features.
• You can click the name of an IPS policy to see details about the running
policy. For more information see Viewing an Intrusion Policy Report in the
Analyst Guide.

• If there is a network or VLAN filter applied to the IPS policy, you can click
More or the down icon ( ) and view the type (Net for network or VLAN for
virtual LAN) filter. If you hover above the name you can view the network or
VLAN range of the filter. If you want to remove the currently applied filter
from the IPS policy, click the delete icon ( ) next to the filter name.
• If you want to remove the currently applied IPS policy from the detection
engine, click the delete icon ( ) next to the intrusion policy name. The
delete icon only appears next to the base policy when there are no network
or VLAN filters applied.
IMPORTANT! Initially, the Available Detection Engines page does not

indicate that the filtered or base intrusion policy is deleted. Select Monitor >
Task Status to track the progress of the deletion process, which takes
approximately 30 seconds.
Sensor
The sensor column provides the name of the sensor where the policy is applied.
It also provides the following capabilities:
• If you want to edit or delete a detection engine, click Edit or Delete next to its
sensor name. See Editing a Detection Engine on page 194 and Deleting a
Detection Engine on page 197 for more information.
• If you want to list, add, edit, reset, or delete variables associated with a
detection engine’s IPS or RNA policy, click Variables. See Using Variables
within Detection Engines on page 199 for more information.
• If you want to reapply all policies for the detection engine, click Reapply All,
then OK to confirm.
For more information see Understanding Detection Resources and 3D Sensor
Models on page 189
When you configure a new sensor, it has a predefined detection engine that you
can choose to modify to meet your needs. See Understanding Default Detection
Engines for more information.
Understanding Detection Resources and 3D Sensor Models

Requires: DC or 3D Sensors with IPS can use multiple detection resources per detection engine,
3D Sensor which allows you to use more computing resources when network traffic is high.
For example, if you plan to use the 3D3500 sensor in inline mode, you could
assign two detection resources to your detection engine to allow processing of
more events per second. As a best practice, use one detection resource per
application per core on your appliance. Different sensor models have different

numbers of detection resources available as shown in the Detection Resources

by Model table.
• The Optimal column indicates the per-sensor total number of detection
resources you should use if you want to maximize the performance of the
sensor. It also indicates the maximum number of detection resources you
can assign a single detection engine.
• The Maximum column indicates the total number of detection resources
available on the sensor.
• The Combination Restrictions column indicates the permitted combinations of
detection resources that you can allocate to detection engines on the same
sensor; 3D Sensors can run combinations of IPS, RNA and RUA.
Detection Resources by Model
Model Optimal Maximum Combination Restrictions

per Sensor per Sensor
3D500 1 2 Maximum of one IPS and either

one RNA or one RUA
3D1000 1 2 Maximum of two; can be any type
3D2000 1 2 Maximum of two; can be any type
3D2100 2 3 No restrictions

Detection Resources by Model (Continued)
Model Optimal Maximum Combination Restrictions

per Sensor per Sensor
Virtual 3 3 No restrictions
3D Sensor
Crossbeam- Refer to Crossbeam-based Software Sensor Considerations

based on page 191
software
sensors
General Recommendations with Two or More Detection Resources

For improved 3D Sensor performance on sensors with optimal detection
resources of two or greater, you can reduce latency by distributing your network
traffic across all available interfaces on the sensor, then distribute the detection
engines and detection resources across all operative interfaces on the sensor.
Crossbeam-based Software Sensor Considerations

Depending upon the capabilities of your X-Series and the products you are
licensed to use, you have several deployment options for 3D Sensor Software.
Consider how your network is configured and how you want to deploy the
Sourcefire 3D System within it. As with other 3D Sensors, the maximum number
of detection engines that you can create is equal to the number of available
detection resources. The number of detection resource depends on the
Crossbeam System hardware.
Refer to the Sourcefire 3D Sensor Software for X-Series Installation Guide for
information on deployment scenarios, current Crossbeam System hardware and
software support, and detection resources available on Crossbeam System
hardware.
Understanding Default Detection Engines

Requires: DC or When you install a new 3D Sensor, you can use initial interface sets and default
3D Sensor detection engines to quickly begin evaluating network traffic. After initial
installation can modify interface sets and detection engines.

Initial Interface Sets

The initial interface sets for 3D Sensors are:
• Inline with Fail-Open, the default that builds paired fail-open interface sets on
all 3D Sensor interfaces, less the management interface.
• Passive that builds a single passive interface set for all 3D Sensor interfaces,
less the management interface.
Choose from these initial interface sets based on how you deployed the sensor.
Select Inline with Fail-Open Mode if you cabled the sensing interfaces inline on
your network as an IPS. Depending on the 3D Sensor, typically you pair adjacent
interfaces; for example, a 3D2000 Sensor uses eth1 and eth2 as one inline
fail-open interface set and it uses eth3 and eth4 as another inline fail-open
interface set.
Select Passive Mode if the sensing interfaces are not cabled inline.
Default Detection Engines

Default detection engines are configured with the optimal (rather than maximum)
number of detection resources as described in the Detection Resources by
Model table on page 190. With this configuration, you can connect any of the
non-management interfaces to your network and apply the appropriate policy to
the detection engine and begin analyzing your network.
Second On-Board Interface

Some Sourcefire sensors have a second on-board interface, usually near the
management interface, that is automatically included in the default detection
engine. However, on some of the older models, the second on-board interface
cannot support the same high-performance standards as the interfaces on the
network interface cards. If your appliance has one of these extra interfaces, and
you have deployed it in a high-bandwidth environment where the traffic load is
likely to reach the design limits of the appliance, Sourcefire recommends that you
remove the second on-board interface from the detection engine for improved
performance.
IMPORTANT! For the 3D3000 on the IBM xSeries 346 appliance, note that the
default detection engine does not include the second on-board interface. If you
modify the default detection engine to include it, the detection engine may not
provide optimum performance.
If you want to change either the number of detection resources or the interfaces
assigned to the default detection engine, see Editing a Detection Engine on
page 194.

Managing Detection Engines Chapter 6
Managing Detection Engines

Requires: DC/MDC or See Understanding Detection Engines on page 186 and Using Interface Sets on
3D Sensor page 207 for more information about the capabilities of detection engines and the
interface sets they depend on. The following sections explain how to create, edit,
and delete detection engines.
• Creating a Detection Engine on page 193
• Editing a Detection Engine on page 194
• Deleting a Detection Engine on page 197
Creating a Detection Engine

Requires: DC or You can create a detection engine if you have an available interface set and at
3D Sensor least one available detection resource. You can use interface sets that include
multiple inline interface pairs, when they are available on your 3D Sensor.
To create a detection engine:

Access: Admin 1. Select Operations > Configuration > Detection Engines > Detection Engines.
The Detection Engines page appears. The figure below shows the Defense
Center version of the page.
2. Click Create Detection Engine.

The Create Detection Engine page appears.
3. In the Name and Description fields, enter a name and description for the new
detection engine.
You can use alphanumeric characters, punctuation, and spaces.

4. Select the type of detection engine that you want to create from the Type
drop-down list, IPS, RNA, or RUA.
5. Optionally, add the detection engine to an existing detection engine group.
See Using Detection Engine Groups on page 197 for information on creating
and modifying detection engine groups.
6. Select the interface set that you want to assign to this detection engine.
See Using Interface Sets on page 207 for information about creating and
modifying interface sets.
7. Select the number of detection resources for this detection engine.
IMPORTANT! On the 3D500, you can only use one of the two detection
resources for IPS. The second detection resource is available only if you want
to create a second detection engine for RNA or RUA. See the Detection
Resources by Model table on page 190 for more information.
8. Optionally, if you are creating an IPS detection engine and if you are using a
3D Sensor other than a 3D500, 3D1000, or 3D3800, you can select Inspect
Traffic During Policy Apply.
TIP! This option may degrade performance when you apply a policy and may
result in longer policy-apply periods. However, if this option is employed, the
detection engine does not restart and interrupt traffic inspection when the
policy is applied.
9. Click Save.
The detection engine is created.
Editing a Detection Engine

Requires: DC or In some circumstances, editing an interface set or detection engine can cause
3D Sensor the detection engines on the sensor to restart, which can cause a short pause in
processing.
IMPORTANT! For most 3D Sensors with inline interface sets, a software bridge
is automatically set up to transport packets when the sensor restarts. Although
some packets are transmitted without inspection during this time, no packets are
lost.
The following sections describe some of the cases where a detection engines is
affected by changes to the detection engines and interface sets:

3Dx800 Sensors
• If you change the number of network interfaces, the interface set type, or
the setting for tap mode or transparent mode for an interface set, all the
detection engines using that interface set are restarted.
• If you change the number of detection resources, which interface set is
used, or the detection engine type, only that detection engine is restarted
(although other CPUs may be restarted to rebalance the processing load).
IMPORTANT! If you have an 3Dx800 health policy applied to a 3D9800

sensor when you change the number of detection resources, it will
generate hardware alarms. Contact Sourcefire Support for information
about how to clear those hardware alarms.
• If you create a detection engine, only that detection engine is started

• If you delete a detection engine or interface set, all detection engines on
the sensor are restarted.
• If you create an interface set, nothing is restarted.
• If you change the name or description of an interface set or detection
engine, nothing is restarted.
Other Sensors
• If you change which network interfaces are used by an interface set, all the
detection engines on the sensor are restarted.
• If you change an interface set’s transparent mode setting, or interface set
type, all detection engines assigned to that interface set are restarted.
• If you change a detection engine’s interface set, all detection engines on the
sensor are restarted.
• If you change the number of detection resources allocated to a detection
engine, all the detection engines on the sensor are restarted.
• If you change the detection engine type for a detection engine, that
detection engine is restarted.
• When you create a detection engine, all the detection engines on the
sensor are restarted because the total number of allocated resources has
changed.
• If you create an interface set, nothing is restarted. A restart occurs only
when you assign a detection engine to the interface set.

Make sure you plan these actions for times when they will have the least impact
on your deployment.
TIP! On your 3D Sensor Software for Crossbeam Systems X-Series, you may
want to remove any affected VAPs from the load-balanced list until the associated
detection engines restart, then reinstate the VAPs. For more information, see the
Sourcefire 3D Sensor Software for X-Series Installation Guide.
To edit an existing detection engine:

The Detection Engines page appears.
2. Click Edit next to the detection engine you want to modify.
The Edit Detection Engine page appears.
You can modify the name, description, group, and number of detection
resources for the detection engine. You cannot modify the detection engine
type. If you need to change the detection engine type, you must delete the
detection engine and create a new one. In the case of an IPS detection
engine you can also select if traffic is inspected while a policy is being
applied.
TIP! The Inspect Traffic During Policy Apply option is not available on 3D500,
3D1000, or 3D3800 sensors.
3. Click Save.
Your changes are saved.

Using Detection Engine Groups Chapter 6
Deleting a Detection Engine

Requires: DC or Use the following procedure to delete a detection engine.
3D Sensor
WARNING! Do not delete a detection engine that is in use. Also, you should not
delete a detection engine that is used as a constraint in one or more compliance
rules; you should first delete (or modify) the constraint in all rules in which it is
used. For information on modifying compliance rules, see Modifying a Rule in the
Analyst Guide.
To delete a detection engine:

2. Click Delete next to the detection engine you want to delete.
3. At the prompt, confirm that you want to delete the detection engine.
The detection engine is deleted; however, a record of the detection engine is
retained so that events generated by that detection engine are viewable.
Using Detection Engine Groups

Requires: DC/MDC or You can use detection engine groups to combine similar detection engines. These
3D Sensor groups make it easier to apply policies to detection engines that have similar
purposes.
• Creating Detection Engine Groups on page 197
• Editing Detection Engine Groups on page 198
• Deleting Detection Engine Groups on page 199
Creating Detection Engine Groups

Requires: DC/MDC or The following procedure explains how to create a detection engine group.
3D Sensor
To create a detection engine group:

Using Detection Engine Groups Chapter 6
2. Click Create Detection Engine Group.

The Create Detection Engine Group page appears.
3. Type a name for the detection engine group in the Group Name field.
4. Click Save.
The Detection Engine page appears again. You can add detection engines to
this group by clicking Edit next to a detection engine name and, on the Edit
Detection Engine page, adding the detection engine to the group and clicking
Update.
Editing Detection Engine Groups

Requires: DC/MDC or The following procedure explains how to edit a detection engine group. You must
3D Sensor create a detection engine group before you can edit it. See Creating Detection
Engine Groups on page 197.
To edit a detection engine group:

2. Click Edit for the detection engine group.
The Detection Engine Group Edit page appears.
3. Select available detections engines and to move them to the detection

engine group with the arrow buttons.
You can also move detection engines out of the detection engine group.
4. Click Save to add the selected detection engines to the detection engine
group.
The Available Detection Engines page appears.

Using Variables within Detection Engines Chapter 6
Deleting Detection Engine Groups

Requires: DC/MDC or When you delete a detection engine group, any detection engines in the group
3D Sensor are automatically ungrouped; they are not deleted.
To delete a detection engine group:

2. Click Delete next to the name of the detection engine group.
The detection engine group is deleted.
Using Variables within Detection Engines

Requires: IPS or A system default variable sets a variable value on your Sourcefire 3D Sensor or
DC/MDC + IPS Defense Center that IPS uses by default unless it is overridden by a policy-specific
or detection engine-specific value for the same variable. You can associate a
system default variable with a specific detection engine and give the resulting
detection engine-specific variable an explicit value for that detection engine.
When you apply an intrusion policy to that detection engine, IPS can use the value
of the detection engine-specific variable in rules you enable in your policy to
monitor network traffic and generate events. For information on policy-specific
variables, which are specific to the policy in which they are created, see Creating
New Policy-Specific Variables in the Analyst Guide.
For example, the intrusion rules in an intrusion policy take advantage of certain
system default variables such as HOME_NET and EXTERNAL_NET to look for exploits
that originate outside your network and are targeted against hosts within your
network. You can define HOME_NET in your system default variable to encompass
your internal address range (for example, 10.10.0.0/16).
However, if you have created your detection engines so that one detection engine
monitors one class of hosts (in this example, hosts in your network’s DMZ in the
range 10.10.30.0/24) and another monitors a different class (for example, hosts in
your accounting department in the address range 10.10.90.0/24), you can use
detection engine-specific variable values to tailor your detection capabilities to
more closely match your infrastructure.
In the system default variable used in the intrusion policy:
HOME_NET = 10.10.0.0/16
In the detection engine named DE_DMZ:
HOME_NET = 10.10.30.0/24
In the detection engine named DE_ACCT:
HOME_NET = 10.10.90.0/24
If you later create another detection engine that monitors the rest of your
network, which includes a mixed address space, you can use the system default

variable value rather than creating another detection engine-specific value for
HOME_NET.
You can also create new variables for use only within the context of the detection
engine. You can create detection engine-specific variables and set detection
engine-specific values for system default variables within an intrusion policy or
from the detection engine Variable List page. Configuration details in this section
relate to the detection engine Variable List page. For configuration details related
to setting detection engine-specific variables within an intrusion policy, see
Creating New Variables in the Analyst Guide.
Creating a detection engine-specific variable from the detection engine Variable
List page also creates a corresponding system default variable with the value set
to any. You can view the explicit detection engine-specific value you configured in
the list of variables for the detection engine within each policy, or on the detection
engine Variable List page for the detection engine. You can view the
corresponding new system default variable in the list of system default variables
within each policy, and on the Variable list page for all other detection engines
where it is listed with the value set to Policy Defined, which means that the value
specified in the policy will be used when you apply the policy. Optionally, you can
modify the variable in the intrusion policies and detection engines where it is
added automatically to give it a specific definition. When they exist, a detection
engine-specific variable value takes precedence over a policy-specific or system
default value for the same variable. If you disable a variable defined on the
Variable List page by resetting the variable, the definition reverts to the definition
in the intrusion policy the next time you apply the policy.
Variables use the same syntax and must follow the same guidelines regardless of
whether you create or define them from within intrusion policies or from the
detection engine Variable List page. See Creating New Variables in the Analyst
Guide and Modifying Variables in the Analyst Guide for more information.
IMPORTANT! You cannot use variables with RNA detection engines.

• Assigning Values to System Default Variables in Detection Engines on
page 200
• Creating New Variables for Detection Engines on page 202
• Deleting and Resetting Variables on page 203
• Configuring Custom Variables in Detection Engines on page 204
• Using Portscan-Only Detection Engines on page 205
Assigning Values to System Default Variables in Detection Engines

Requires: IPS or You can assign detection engine-specific values to system default variables. For
DC/MDC + IPS an explanation see Using Variables within Detection Engines on page 199.

To assign a detection engine-specific value to a system default variable:

2. Click Variables next to the detection engine where you want to define a
variable value.
The Variable List page appears. The value for each of the variables defaults to
the value within the intrusion policy that is applied to the detection engine.
3. Click Edit next to the variable you want to define.

The Variable Binding page appears.
4. Enter a value for the variable and click Save. See Creating New Variables in the
Analyst Guide for information about variable syntax.
The Variable List page appears again and shows the new value for the
variable. The variable takes effect the next time you apply an intrusion policy
to the detection engine, as described in Applying an Intrusion Policy in the
Analyst Guide.

Creating New Variables for Detection Engines

Requires: IPS or When you create an intrusion policy, you can associate detection engine-specific
DC/MDC + IPS variable definitions with the policy. For an explanation see Using Variables within
Detection Engines on page 199.
To create a new variable for a detection engine:

2. Click Variables next to the detection engine where you want to define a
variable value.
The Variable List page appears.
3. Click Add Variable.
The Variable page appears.
4. In the Variable Name field, enter a name for the variable.

5. From the Variable Type drop-down list, select IP, Port, or Custom.
• See Defining IP Addresses in Variables and Rules in the Analyst Guide
for more information if you are defining a IP address-based variable.
• See Defining Ports in Variables and Rules in the Analyst Guide for more
information if you are defining a port-based variable.
• See Understanding Custom Variables in the Analyst Guide if you are
defining a special-purpose custom variable with one of the reserved
variable names described in the Custom Variables table in the Analyst
Guide.

6. In the Value field, enter a value for the variable and click Save. See Creating
New Variables in the Analyst Guide for information about the syntax for
variables.
The Variable List page appears again and shows the new variable and its
value.
The variable is created and is accessible to all policies as a system default
variable. It is listed in the variable list for the detection engine in all intrusion
policies with the explicitly set value, and listed for all other detection engines
on the Variable List page with a value of Policy Defined. The variable takes
effect the next time you apply an intrusion policy to the detection engine, as
described in Applying an Intrusion Policy in the Analyst Guide.
IMPORTANT! Each new detection engine variable adds a system variable

with a value of any that is accessible in all your intrusion policies. Creating the
new detection engine variable also lists the description Policy Defined for all
other IPS detection engines on the Variable List page, meaning that the value
specified in the policy will be used when you apply the policy. In any intrusion
policy that you apply to a different detection engine and do not explicitly set a
policy-defined or detection engine-specific variable to override the value of
the system variable, the value any will be used.
Deleting and Resetting Variables

Requires: IPS or You can reset the value of a variable on the Variable List page and the variable
DC/MDC + IPS reverts to the value defined in the intrusion policy the next time you apply the
intrusion policy to the detection engine. You can also delete variables that you
created within the context of the detection engine. You cannot delete predefined
system variables within an intrusion policy. You can delete predefined system
variables on the detection engine Variable List page, but only if they are not used
in any active or inactive rule within the system.
To delete or reset variables on a detection engine:


2. Click Variables next to the detection engine where you want to delete or reset
a variable value.
The Variable List page appears.
3. You have two options:

• To disable the variable value defined in the IPS detection engine and
revert to the variable value defined in the policy, click Reset next to the
name of the variable.
The variable is reset and Policy Defined appears in the Value column.
• To delete a locally created variable, click Delete next to the name of the
variable.
The variable is deleted from the detection engine the next time you
apply an intrusion policy to the detection engine.
Configuring Custom Variables in Detection Engines

Requires: IPS or Custom variables allow you to configure special IPS features that you cannot
DC/MDC + IPS otherwise configure via the web interface. You create a detection engine-specific
custom variable by setting an explicit value for a reserved predefined system
variable, or by creating a variable using a specific reserved name. You then define
the variable value with a set of instructions appropriate to the function the variable
provides. For more information, see Understanding Custom Variables in the
Analyst Guide.
You can set an explicit detection engine value for the predefined SNORT_BPF
custom system variable.
You can add a new USER_CONF detection engine variable using the reserved
name USER_CONF.

To configure the SNORT_BPF custom variable for a detection engine:

Access: P&R X To set an explicit detection engine-specific value for SNORT_BPF using the
Admin/Admin existing system default variable, see Assigning Values to System Default
Variables in Detection Engines on page 200.
To configure the USER_CONF custom variable for a detection engine:

Access: P&R X To create USER_CONF as a new detection engine-specific variable using the
Admin/Admin reserved name USER_CONF, see Creating New Variables for Detection
Engines on page 202.
Using Portscan-Only Detection Engines

Requires: IPS or If you configure a sensor to use multiple detection resources within a single IPS
DC/MDC + IPS detection engine, a portion of the traffic that the 3D Sensor sees is directed to
each detection resource for processing. Internal logic on the sensor ensures that
packets belonging to the same session are directed to the same resource for
analysis. In this way, the sensor can process more packets with greater efficiency.
One downside to using multiple detection resources is that no single resource
sees all the traffic on a network segment, which is a requirement for the portscan
preprocessor. To overcome this issue, you can create a portscan-only intrusion
policy and apply it to a portscan-only detection engine on the sensor. The
following steps outline the process you can use to configure your sensor to
detect portscans in addition to other exploits against your network assets.
1. Using the Defense Center’s web interface, create an interface set that
includes the network interfaces you want to use on the sensor. Multiple
detection engines will use this interface set.
The interface set can be passive, inline, or inline with fail open depending on
how your sensor is deployed.
2. Create an IPS portscan-only detection engine and assign one detection
resource to it. Make sure you use the interface set that you created in step 1.
3. Create another IPS detection engine that uses up to the remaining number of
detection resources and the interface set that you created in step 1.
IMPORTANT! A portscan-only intrusion policy is able to process up to three

times more traffic than a more complex intrusion policy because it uses fewer
CPU resources. However, Sourcefire recommends that you monitor the
performance of your sensor to make sure that the portscan-only detection
engine is able to keep up with the multi-resource detection engine.
Depending on the traffic mix on your network, you may need to adjust the
number of resources in the multi-resource detection engine. Remember that
the portscan-only detection engine can use only one detection resource.

4. Create and apply an intrusion policy for the multi-resource detection engine.
Make sure you match the type of intrusion policy to the type of interface set
that you created in step 1. Also, make sure you disable portscan detection in
this policy.
5. Create and apply an intrusion policy to the portscan-only detection engine.
The policy should inherit or be set to the following settings in the layer in your
intrusion policy where you enable portscan detection (See Creating an
Intrusion Policy in the Analyst Guide, Working with Layers, and Applying an
Intrusion Policy in the Analyst Guide for more information):
• Select the No Rules Active Base Policy and make sure the Protection
Mode is Passive. See Selecting the Base Policy in the Analyst Guide for
more information. Note that all rules are disabled on the Rules page.
• Ensure that the DCE/RPC Configuration preprocessor, the HTTP
Configuration preprocessor, the SMTP Configuration preprocessor (under
Application Layer Preprocessors), and Back Orifice Detection (under Specific
Threat Detection) are disabled. See Enabling and Disabling Advanced IPS
Features in the Analyst Guide for more information.
• Ensure that OPSEC Configuration (under External Responses) is disabled.
• Enable IP Defragmentation (under Transport/Network Layer Preprocessors)
and make sure it is configured for your environment (using the Hosts
option) See Enabling and Disabling Advanced IPS Features in the
• You should not change the default settings for Checksum Verification or
Packet Decoding (under Transport/Network Layer Preprocessors), items
listed under Performance Statistics, or Rule Processing Configuration.
• Enable Portscan Detection and configure it for your network environment.
See Detecting Portscans in the Analyst Guide for more information.
• Make sure portscan rules are enabled for the types of portscans you
configure.
IMPORTANT! Note that when portscan detection is enabled, you must

enable rules on the Rules page with generator ID (GID) 122 for enabled
portscan types for the portscan detector to generate portscan events. See
the Portscan Detection SIDs (GID:122) table in the Analyst Guide for more
information.
You do not need to set up variables for this policy.

6. Review the resulting intrusion events to ensure that you are receiving the
events you expect.

Using Interface Sets Chapter 6
Using Interface Sets

Requires: DC or An interface set is a collection of one or more sensing interfaces on your
3D Sensor appliance.
To list the available interface sets:

Access: Admin X Select Operations > Configuration > Detection Engines > Interface Sets.
You can sort the available interface sets by group, set type, sensor, or PEP
policy.
See the following sections for more information about interface sets:
• Understanding Interface Set Configuration Options on page 207
• Creating an Interface Set on page 213
• Creating an Inline Interface Set on page 216
• Editing an Interface Set on page 221
• Deleting an Interface Set on page 223
• Inline Fail Open Interface Set Commands on page 225
• Using Clustered 3D Sensors on page 227
Understanding Interface Set Configuration Options

Requires: DC or There are a number of configuration variables to consider when you configure
3D Sensor interface sets.
• With the exception of the Virtual 3D Sensor, you can set up any of your
3D Sensor interfaces in passive, inline, or inline with fail-open mode. The
Virtual 3D Sensor supports only passive mode operation.
• You can also set interfaces on most sensors in transparent inline mode.
• On selected sensors you can set interfaces to tap mode.
• Some installations require that the link state be propagated and most
sensor interfaces provide that option.
• Sensors with Gigabit Ethernet interfaces can employ jumbo frames.
• 3D Sensors deployed in networks that are highly sensitive to latency can
use the automatic application bypass option.
• Only 3D9900 sensors provide a fail-safe option that works with inline
interface sets.
• Only 3D9900 sensors provide the PEP feature. For more information on the
PEP feature, see Using PEP to Manage Traffic in the Analyst Guide.

See the following table for a list of 3D Sensors and each of their applicable
interfaces features.
Supported Features by 3D Sensor Model
3D Sensor Transparent Link State Tap Mode Jumbo Automatic Enable PEP
Model Inline Mode Propagation Frames Application Fail-safe
Mode Bypass
Virtual Yes Yes

3D Sensor
3D500 Yes Yes
3D1000 Yes Yes Yes
3D2000 Yes Yes Yes
3D2100 Yes Yes Yes
3D2500 Yes Yes Yes
3D3000 Yes Yes Yes
3D3500 Yes Yes Yes
3D3800 Yes Yes Yes Yes
3D4500 Yes Yes Yes
3D9900 Yes Yes Yes Yes Yes Yes Yes

• Types of Interface Sets on page 209
• Transparent Inline Mode on page 209
• Tap Mode on page 210
• Link State Propagation Mode on page 211
• Jumbo Frames on page 212
• Automatic Application Bypass on page 212
• Enabling Fail-Safe on page 213

Types of Interface Sets

When you create an interface set, you can choose one of three types:
• Passive
A passive interface set can encompass any number of the available sensing
interfaces on a sensor.
IMPORTANT! If you include an on-board sensing interface (instead of, or in

addition to, interfaces on the network cards), the appliance’s performance
could be degraded.
• Inline
For most sensors, an inline interface set can include any two interfaces. The
interfaces do not have to be on the same network cards, but you should
avoid using an on-board interface.
However, an inline interface set on a 3D3800 or 3D5800 sensor can include
up to four interface pairs, and an inline interface set on a 3D9800 sensor can
include up to the total number of interface pairs on the sensor. Note that
interface pairs on the same fiber-based NIM will act as fail open interfaces
even if you assign them to an inline interface set. That is, if the power fails
or the Snort process halts, network traffic continues to flow through the
sensor as it would for an inline with fail open interface set.
• Inline with Fail Open
For most sensors, an inline with fail open interface set must include exactly
one interface pair. However, an inline with fail open interface set on a
3D3800 or 3D5800 sensor can include up to four interface pairs, and an
inline with fail open interface set on a 3D9800 sensor can include up to the
total number of interface pairs on the sensor.
You can set up multiple detection engines to use a single interface set, except on
the 3D9800 sensor, which only supports a single IPS detection engine. For
example, you could create a single passive interface set and create two detection
engines, one for an IPS and the other for RNA, then apply different policies to the
detection engines.
Transparent Inline Mode

Transparent inline mode is a feature for inline interface sets and is not available for
Passive interface sets.
If you choose the Inline or Inline with Fail Open option, the Transparent Inline
Mode option is enabled by default, except for the 3D500 and the Virtual
3D Sensor. It is not available on the 3D500 and available but not a default
configuration on the Virtual 3D Sensor. This allows the sensor to act as a “bump
in the wire” and means that the sensor forwards all the network traffic it sees
regardless of its source and destination.

If you disable this option, a sensor acts as a bridge. Over time, the sensor learns
which hosts are on which side of the inline interface, and forwards packets
accordingly. For example, consider the following diagram.
If your sensor is deployed inline (or more precisely, if your sensor includes a
detection engine with an inline interface set) and the Transparent Inline Mode
option is selected, then if the sensor sees network traffic from Host A to Host B,
it allows the traffic to pass through the interface even though Host A and Host B
are on the same side of the sensor.
If the sensor is inline and you are not using transparent inline mode, when the
sensor sees traffic from Host A to Host B, it does not allow the traffic to pass
through the interface to the side of the network with Host C. Only traffic between
Host A and Host C or between Host B to Host C is allowed to pass.
Keep in mind that if you create an inline interface set but do not use transparent
inline mode, you must be especially careful not to create loops in your network
infrastructure.
3Dx800 sensors run in transparent inline mode, and you cannot disable it.
Tap Mode
Tap mode is available for the 3D3800, 3D5800, 3D9900, and on later versions of
3D9800 3D Sensor when you create an inline or inline with fail open interface set.
TIP! 3D9800 sensors with earlier versions of firmware do not support tap mode.
The Sourcefire 3D System checks the 3D9800 firmware version and displays the
optional tap mode check box in the Create Interface Set page when appropriate.
With tap mode, the sensor is deployed inline, but instead of the packet flow
passing through the sensor, a copy of each packet is sent to the sensor and the
network traffic flow is undisturbed. Because you are working with copies of
packets rather than the packets themselves, rules that you set to Drop and rules
that use the replace keyword do not affect the packet stream. However, rules of
these types do generate intrusion events when they are triggered.

There are benefits to using tap mode with sensors that are deployed inline. For
example, you can set up the cabling between the sensor and the network as if
the sensor were inline and analyze the kinds of intrusion events the sensor
generates. Based on the results, you can modify your intrusion policy and add the
drop rules that best protect your network without impacting its efficiency. When
you are ready to deploy the sensor inline, you can disable tap mode and begin
dropping suspicious traffic without having to reconfigure the cabling between the
sensor and the network.

sensor.
Link State Propagation Mode

Link state propagation mode is a feature for interface sets in the inline fail-open
mode so both pairs of an inline pair track state. It is also available on 3D9900s in
both the inline and inline fail-open mode. It is not available for passive interface
sets.
IMPORTANT! Fiber interface sets configured as inline fail-open, other than those
on 3D9900s must be in hardware bypass mode for link state propagation to
function correctly. For more information about fiber interface sets and hardware
bypass, see Removing Bypass Mode on Inline Fail Open Fiber Interfaces on
page 225.
Link state propagation mode automatically brings down the second interface in
the interface pair when one of the interfaces in an inline interface set goes down.
When the downed interface comes back up, the second interface automatically
comes back up, too. In other words, if the link state of one interface changes, the
link state of the other interface is changed automatically to match it. Link state
propagation is available for both copper and fiber fail-open NIMs.
IMPORTANT! Crossbeam-based software sensors and 3D9800 sensors do not

support link state propagation.

Link state propagation is especially useful in resilient network environments

where routers are configured to reroute traffic automatically around network
devices that are in a failure state.
Jumbo Frames
Jumbo frames are Ethernet frames with a frame size greater than the standard
1518 bytes. Typical maximum sized jumbo frames are 9018 bytes. Most gigabit
Ethernet network interface cards support jumbo frames to increase efficiency. If
your 3D Sensor and interface supports jumbo frames, set the maximum frame
size for the interface using the Create Interface Set page.
3D Sensor that support jumbo frames include:
• 3D6500
• 3D9800 (9018-byte jumbo frames are always accepted)
• 3D9900
Note that since the 3D9800 is set to always accept the maximum size frame, you
do not need to set it in the Create Interface Set page.
Note also that frames larger than the configured maximum frame size are silently
dropped by the sensor.
Automatic Application Bypass

The automatic application bypass feature allows you to balance packet processing
delays with your network’s tolerance for packet latency. You can apply automatic
application bypass on an interface set basis. The feature functions with both
passive and inline interface sets; however, it is most valuable in inline
deployments.
Automatic application bypass limits the time allowed to process packets through
an IPS, RNA, or RUA detection engine and allows packets to bypass the detection
engine if the time is exceeded. The automatic application bypass option is off by
default. You can change the bypass threshold if the option is selected. The default
setting is 750 milliseconds (ms). The valid range is from 250 ms to 60,000 ms.
WARNING! If a detection engine is bypassed, a core file is automatically

generated for potential troubleshooting by Sourcefire Support. If the application
bypass triggers repeatedly, excessive numbers of core files can result in disk
usage health alerts.
To see a list of which 3D Sensors you can use Automatic Application Bypass
Monitoring on, see the Supported Features by 3D Sensor Model table on
page 208.
If a detection engine is bypassed, 3D Sensors generate a health monitoring alert.
For more information on the health monitoring alert, see Configuring Automatic
Application Bypass Monitoring on page 502.

Enabling Fail-Safe
The Create Interface Set page includes an additional option for 3D9900 sensors:
the Enable Fail-Safe option. The Enable Fail-Safe option is only available on inline
interface configurations. When you enable the Enable Fail-Safe option, traffic is
allowed to bypass detection and continue through the sensor. 3D9900 sensors
monitor internal traffic buffers and bypass detection engines if those buffers are
full.
Creating an Interface Set

Requires: DC or An interface set is a collection of one or more sensing interfaces on your
3D Sensor appliance. For information about their use, see Using Interface Sets on page 207.
IMPORTANT! The procedure for creating an inline interface set for 3Dx800
sensors is slightly different. For more information, see the next section, Creating
an Inline Interface Set.
To create an interface set:

Access: Admin 1. Select Operations > Configuration > Detection Engines > Interface Sets.
The Interface Sets page appears.
2. Click Create Interface Set.
The Create Interface Set page appears.
3. Type a name and description for the new interface set in the Name and
Description fields.
You can use alphanumeric characters and spaces.
4. Select the type of interface you want to create, Passive, Inline, or Inline with
Fail Open, from the Interface Set Type drop-down list.
TIP! Some sensors do not support every interface set type.

5. Optionally, select an existing interface set group or select Create New Group to
create a new interface set group. See Using Interface Set Groups on
page 223 for more information.
6. Optionally, if you selected the Inline or Inline with Fail Open option, clear the
Transparent Inline Mode check box to disable transparent mode.
7. If you selected either the Inline or Inline with Fail Open option and you are not
configuring a Crossbeam-based software sensor, then optionally, select Link
State Propagation Mode. This option is especially useful if the routers on your
network are able to re-route traffic around a network device that is down.
IMPORTANT! Link state propagation and automatic application bypass are

not supported on Sourcefire 3D Sensor Software for X-Series platforms. You
can, however, set jumbo frame options on the Crossbeam CLI.
8. Optionally, select Automatic Application Bypass if your network is sensitive to

latency. When the option selected, you can select a Bypass Threshold in
milliseconds (ms). The default setting is 750 ms and the valid range is from
250 ms to 60,000 ms. Automatic Application Bypass is most useful in inline
applications.
9. Optionally, and if you are configuring an inline interface set on a 3D9900, you
can select the Enable Fail-safe check box to enable traffic pass-though during
application bypass.

10. Optionally, and if you are configuring an interface set on a 3D6500 or 3D9900
type a maximum frame size for your IP traffic in the Maximum Frame Size field.
You can set any jumbo frame size between 1518 and 9018 bytes, inclusive.
On the Defense Center only, a list of sensor groups appears, including a list of
ungrouped sensors.
The following shows a 3D9900 interface set.
11. Defense Center Only Select the sensor group containing the sensors where you
want to create the interface set. You can also select the ungrouped sensors.
A list of sensors appears.
12. Defense Center Only Select one of the sensors from the list.
A list of network interfaces on the sensor appears.

13. Select the interfaces that you want to add from the Available Interfaces list
and click the arrow button to add the interface to the Selected Interfaces list.
You can use the Shift and Ctrl keys to select multiple interfaces at once.
Determining which interface name corresponds with a physical interface on
your sensor depends on the model:
• For most 3D Sensors, log into the console and disconnect the network
cable from the interface. A message appears on the console indicating
the name of the interface (eth1, eth2, and so on). Remember to
reconnect the network cable when you are finished.
• For 3Dx800 sensors, the names that appear in the Available Interfaces
list correspond to the slot number and interface location. For example,
s0.e0 corresponds to the leftmost interface on the network interface
module (NIM) in I/O Slot 0 on the back of your appliance.
• For 3D Sensor Software for Crossbeam Systems X-Series, the names
that appear in the Available Interfaces list correspond to the device
names you assigned to the circuits you created on the X-Series.
For more information, see the Installation Guide for your sensor or sensor
software.
Different types of interface sets have different requirements. For example,
you can include all of the available interfaces in a passive interface set, but
inline interface sets must contain exactly two interfaces (except on 3Dx800
sensors). Inline with fail open interface sets must contain one pair of
interfaces from the same fail-open network card.
IMPORTANT! If you select an on-board interface rather than an interface on a

network card, your sensor may not provide optimum performance.
14. Click Save.

The interface set is created.
TIP! After you create an interface set, make sure you reapply intrusion
policies to the IPS detection engines on the affected sensor.
Creating an Inline Interface Set

Requires: DC or You can add multiple interface pairs to an inline interface set on 3D Sensors and
3D Sensor Crossbeam-based software sensors. This is the default behavior during
3D Sensor installations. Using one interface set that includes all available inline
interface pairs, you can apply a single policy and rapidly complete your initial

3D Sensor deployment. Later, you can refine policies for specific connected
network segments and their requirements.
TIP! Although the default interface set on 3D Sensors includes all the available
inline interface pairs, in many cases you can improve performance by modifying
the interface set to include only the inline interface pairs your network requires.
You can also use multiple interface pairs when your network employs
asynchronous routing, as shown in the following graphic.
Your network may be set up to route traffic between a host on your network and
external hosts through different interface pairs depending on whether the traffic
is inbound or outbound. If you include only one interface pair in an interface set,
the sensor might not correctly analyze your network traffic because a detection
engine might see only half of the traffic.

For most 3D Sensors with inline interface sets, a software bridge is automatically
set up to transport packets when the sensor restarts. Although some packets are
transmitted without inspection during this time, no packets are lost.

sensor.
To create an inline interface set:

2. Click Create Interface Set.
3. Type a name and description for the new interface set in the Name and
Description fields.
You can use alphanumeric characters and spaces.
4. Select the type of inline interface you want to create.
• For an 3Dx800 sensor, choose either Inline or Inline with Fail Open, from
the Interface Set Type drop-down list.
• For Crossbeam-based software sensors, choose Inline from the
Interface Set Type drop-down list.
A list of sensor groups appears, including a list of ungrouped sensors.
5. Optionally, select an existing interface set group or select Create New Group to
create a new interface set group. See Using Interface Set Groups on

6. Optionally, select Automatic Application Bypass if your network is sensitive to

latency. When the option selected, you can select a Bypass Threshold in
milliseconds (ms). The default setting is 750 ms and the valid range is from
250 ms to 60,000 ms.
IMPORTANT! Link state propagation and automatic application bypass are

not supported on Sourcefire 3D Sensor Software for X-Series platforms. You
can, however, set jumbo frame options on the Crossbeam CLI.
7. Optionally, and if you are configuring an interface set on a 3D9900, you can
select the Enable Fail-safe check box to enable traffic pass-though during
application bypass.
8. Optionally, and if you are configuring an interface set on a 3D6500 or 3D9900
type a maximum frame size for your IP traffic in the Maximum Frame Size field.
You can set any jumbo frame size between 1518 and 9018 bytes, inclusive.
On the Defense Center only, a list of sensor groups appears, including a list of
ungrouped sensors.
The following shows a 3D9900 interface set.
9. Select one of the sensors from the list.

If you are creating an inline interface set, a list of network interfaces on the
sensor appears.
If you are creating an inline with fail open interface set, a list of paired
network interfaces on the sensor’s fail-open cards appears.

10. Add the interfaces to your interface set.

• If you are creating an inline interface set, select two interfaces that you
want to designate as an inline pair from the Available Interfaces list and
click the arrow button to add the interface to the Selected Interfaces
list. Repeat to add additional interface pairs.
• If you are creating an inline with fail open interface set, select at least
one interface pair from the Available Interfaces list and click the arrow
button to add the interface to the Selected Interfaces list.
Use the Shift and Ctrl keys to select multiple interfaces or interface pairs at
once.
Determining which interface name corresponds with a physical interface on
your sensor depends on the model:
• For 3Dx800 sensors, the names that appear in the Available Interfaces
list correspond to the slot number and interface location. For example,
s0.e0 corresponds to the leftmost interface on the network interface
module (NIM) in I/O Slot 0 on the back of your appliance.
• For 3D Sensor Software for Crossbeam Systems X-Series, the paired
interface names that appear in the Available Interfaces list correspond to
the device names you assigned to the transparent bridge-mode bridge
circuits you created on the X-Series. Note that 3D Sensor Software for
Crossbeam Systems X-Series does not support inline with fail open
interface sets.
For more information, see the Installation Guide for your sensor or sensor
software.
You can configure inline interface sets on 3D3800 and 3D5800 sensors to
contain up to four pairs of interfaces. Inline with fail open interface sets on
3D3800 and 3D5800 sensors can also contain up to four pairs of interfaces,
but each pair must reside on a single fail-open network card. On the 3D9800
sensor, inline and inline with fail open interface sets can include up to the
total number of interface pairs on the sensor.
11. Optionally, for a 3DX800 or 3DX900 sensor, select the Enable Tap Mode check
box to use tap mode.
TIP! 3D9800 sensors with earlier versions of firmware do not support tap
mode. The Sourcefire 3D System checks the 3D9800 firmware version and
displays the optional tap mode check box in the Create Interface Set page
when appropriate.

12. Optionally, for a 3D3800 or 3D5800 sensor, select Link State Propagation Mode.
This option is especially useful if the routers on your network are able to
re-route traffic around a network device that is down.
TIP! The link lights on fiber fail-open NIMs remain lighted even when the link
state is down on 3D3800 or 3D5800 sensors with link state propagation
enabled.
IMPORTANT! Note that link state propagation is not available for Crossbeam-
based software sensors or 3D9800 sensors.
13. Click Save.

The interface set is created.
TIP! After you create an interface set, make sure you reapply intrusion
policies to the IPS detection engines on the affected sensor.
Editing an Interface Set

Requires: DC or In some circumstances, editing an interface set or detection engine can cause
3D Sensor the detection engines on the sensor to restart, which can cause a short pause in
processing.
IMPORTANT! For most 3D Sensors with inline interface sets, a software bridge
is automatically set up to transport packets when the sensor restarts. Although
some packets are transmitted without inspection during this time, no packets are
lost.
The following sections describe some of the cases where a detection engine is
affected by changes to the detection engines and interface sets:

3Dx800 Sensors
• If you change the number of network interfaces, the interface set type, or
transparent mode for an interface set, all the detection engines using that
interface set are restarted.
• If you change an interface set’s tap mode setting, all detection engines
assigned to that interface set are restarted.
TIP! 3D9800 sensors with earlier versions of firmware do not support tap
mode. The Sourcefire 3D System checks the 3D9800 firmware version and
displays the optional tap mode check box in the Create Interface Set page
when appropriate.
• If you change the number of detection resources, which interface set is

used, or the detection engine type, only that detection engine is restarted
• If you create a detection engine, only that detection engine is started
• If you create an interface set, nothing is restarted.
Other Sensors
• If you change which network interfaces are used by the interface set, all the
detection engines on the sensor are restarted.
• If you change an interface set’s transparent mode setting or interface set
type, all detection engines assigned to that interface set are restarted.
• If you change a detection engine’s interface set, all detection engines on
• If you change the number of detection resources allocated to a detection
engine, all the detection engines on the sensor are restarted.
• If you change the detection engine type for a detection engine, that
detection engine is restarted.
• When you create a detection engine, all the detection engines on the
sensor are restarted because the total number of allocated resources has
changed.

Using Interface Set Groups Chapter 6
• If you create an interface set, nothing is restarted. A restart occurs only

when you assign a detection engine to the interface set.
Make sure you plan these actions for times when they will have the least impact
on your deployment.
To edit an interface set:

2. Click Edit next to the interface set that you want to modify.
3. Make any changes to the interface set and click Update.
Your changes are saved.
TIP! After you edit an interface set used by an IPS detection engine, make
sure you reapply your intrusion policy on the affected sensor.
Deleting an Interface Set

Requires: DC You cannot delete an interface set that is being used by a detection engine. You
must delete the detection engine before you can delete the interface set.
To delete an interface set:

2. Click Delete next to the interface set that you want to delete, and, at the
prompt, confirm that you want to delete the interface set.
The interface set is deleted.
Using Interface Set Groups

Requires: DC You can use interface set groups to combine similar interface sets. These groups
make it easier to apply PEP policies to interface sets that have similar purposes.
For more information on PEP policies, see Understanding PEP Traffic
Management in the Analyst Guide.
• Creating Interface Set Groups on page 224
• Deleting Interface Set Groups on page 225

Using Interface Set Groups Chapter 6
Creating Interface Set Groups

Requires: DC The following procedure explains how to create an interface set group.
To create a interface set group:

2. Click Create Interface Set Group or click Create Interface Set then click Create New
Group in the Group field.
The Create Interface Set Group page appears.
Type a name for the interface set group in the Group Name field.
3. Click Save.
The Interface Set page appears again.
You can add interface sets to an interface set group by clicking Edit next to a
interface set group name and, on the Interface Group Edit page, adding
available interfaces to the group and clicking Save.
Editing Interface Set Groups

Requires: DC/MDC or The following procedure explains how to edit an interface set group. You must
3D Sensor create an interface set group before you can edit it. See Creating Interface Set
Groups on page 224.
To edit an interface set group:

The Available Interface Sets page appears.
2. Click Edit for the interface set group.
The Interface Group Edit page appears.

Inline Fail Open Interface Set Commands Chapter 6
3. Select available interface sets and to move them to the interface set group
with the arrow buttons.
You can also move interface sets out of the interface set group.
4. Click Save to add the selected interfaces to the interface set group.
The Available Interface Sets page appears.
Deleting Interface Set Groups

Requires: DC When you delete an interface set group, any interface sets in the group are
automatically ungrouped; they are not deleted.
To delete a interface set group:

2. Click Delete next to the name of the interface set group.
The interface set group is deleted.
Inline Fail Open Interface Set Commands

Requires: 3D Sensor When you use fiber inline fail open interfaces sets and the interface set goes into
bypass, you can force the interface out of bypass mode. See Removing Bypass
Mode on Inline Fail Open Fiber Interfaces. You can force a copper or fiber inline
fail open interface in or out of bypass. See Forcing an Inline Fail Open Interface
Set into Bypass Mode on page 226.
Removing Bypass Mode on Inline Fail Open Fiber Interfaces

Requires: 3D Sensor When link state propagation is enabled on a sensor with an inline fail open
interface set and the sensor goes into bypass mode, all network traffic passes
through the interface pair without being analyzed. When the links restore, most
fiber inline fail open interface sets do not return from bypass automatically. You
can use a command line tool to force the interface set out of bypass mode.
TIP! This tool works on most 3D Sensors with inline with fail open fiber interface
pairs. It is not necessary to use this tool on inline with fail open copper interface
pairs or to use this tool with 3D9900 sensors.
IMPORTANT! Make sure you contact Technical Support if you are having issues
with the fail open interfaces on your sensor.

Inline Fail Open Interface Set Commands Chapter 6
To force a fiber inline fail open interface set out of bypass mode:
Access: Admin 1. Open a terminal window on your 3D Sensor and enter the command su and
the root password to switch to the root user.
2. Enter the following at the command line:
/var/sf/bin/unbypass_cards.sh
3. When the interfaces switch out of bypass mode, a message in syslog
indicates the 3D Sensor is analyzing traffic. For example:
Fiber pair has been reset by un_bypass
Forcing an Inline Fail Open Interface Set into Bypass Mode

Requires: 3D Sensor When the sensor with an inline fail open interface set fails, it goes into bypass
mode, a state where all network traffic passes through the interface pair without
being analyzed. If you are troubleshooting an interface set, or if the interface card
does not fail open on its own, you can use a command line tool to force the
interface set into bypass mode.
TIP! Note that this tool works only with inline with fail open interface pairs. You
cannot use it with non-fail open inline interface sets.
To force an inline fail open interface set into bypass mode, you must know which
two interfaces are included in the interface set. You can determine this
information on the Interface Sets page.
IMPORTANT! Make sure you contact Technical Support if you are having issues
with the fail open interfaces on your sensor.
To force an inline fail open interface set into bypass mode:

Access: Admin 1. On the appliance’s web interface, select Operations > Configuration > Detection
Engines > Interface Sets.
2. Under Available Interface Sets, click Edit next to the inline with fail open
interface set you are investigating.
The Create Interface Set page appears. The Selected Interfaces column
displays the names of the interfaces in the interface set.
3. Log in as root onto the sensor and, at the prompt, enter the correct
password.

Using Clustered 3D Sensors Chapter 6

failopen_pair.pl open eth#:eth#
For example, if the interfaces in the interface set are eth2 and eth3, enter the
following:
failopen_pair.pl open eth2:eth3
The following message appears:
NOTE: You must already have a failopen interface set
and detection engine configured on the pair
you are forcing open or closed for this utility
to work.
Then, if you specified the correct interfaces, the following message appears:
Mode changed for interfaces eth2:eth3
The interfaces switch to bypass mode and the traffic is no longer analyzed.
If you did not specify the correct interfaces, the following message appears:
No failopen interface set configured for interfaces
eth2:eth3...
To return an inline fail open interface set to normal mode:

Access: Admin 1. Log in as root onto the sensor and, at the prompt, enter the correct
password.
failopen_pair.pl close eth#:eth#
For example, if the interfaces in the interface set are eth2 and eth3, enter the
following:
failopen_pair.pl close eth2:eth3
The following message appears:
Mode changed for interfaces eth2:eth3
The interfaces return to normal mode and the traffic flowing through the
detection engines on the interface set is analyzed as you would expect.
Using Clustered 3D Sensors

Requires: DC + 3D9900 You can increase the amount of traffic inspected on a network segment by
connecting two fiber-based 3D9900 sensors in a clustered pair. When you
establish a clustered pair configuration, you combine the 3D9900 sensors
resources into a single, shared configuration. For information on establishing and
separating clustered pairs, see Managing a Clustered Pair on page 140. After the
cluster is established, you can identify them on the Sensor list page. Select
Operation > Sensors and note that clustered sensors have a peer icon.

You can see if the sensor is a master or slave, and which sensor it is paired with,
when you hover over the peer icon.
By combining two 3D9900 sensors as a clustered pair, you can combine their
detection engines. In a clustered pair, the slave’s ethb0 and ethb1 connect to the
master and the its ethb2 and ethb3 are not connected. Because the detection
engines and interface sets are combined, you can only manage them from a
Defense Center and not from one of the clustered sensors.
When you combine two 3D9900 sensors as a clustered pair, the Defense Center
displays the single interface set of the master sensor. You use the combined
detection engines as a single entity except when viewing information from the
clustered pair. For more information, see:
• Using Detection Engines on Clustered 3D Sensors on page 228
• Understanding Interface Sets on Clustered 3D Sensors on page 229
Using Detection Engines on Clustered 3D Sensors

Requires: DC + 3D9900 For information about using detection engines with clustered 3D9900s, see:
• Managing Clustered 3D Sensor Detection Engines on page 228
• Using Clustered 3D Sensor Detection Engines in Policies on page 229
For information about how to manage detection engines, see:
• Creating a Detection Engine on page 193
• Editing a Detection Engine on page 194
• Deleting a Detection Engine on page 197
Managing Clustered 3D Sensor Detection Engines

Requires: DC + 3D9900 Use the managing Defense Center to create, edit, and list the detection engines
of paired 3D Sensors. You cannot manage detection engines on the local GUI of a
paired 3D Sensor; the Edit page is replaced with an informational page.
Both 3D9900 sensors are listed as a part of the detection engine formed by the
clustered 3D Sensors. When you create a detection for a clustered pair, both
sensors are listed in the interface set. The format is DetectionEngineName
(MasterSensorName, SlaveSensorName). For example, a clustered 3D Sensors
detection engine could be: Z inline DE (birch.example.com, fir.example.com);
where Z inline DE is the name of the detection engine, birch.example.com is the
name of the master in the pair, and fir.example.com is the name of the slave in
the pair of 3D9900 sensors.

When you create or edit a detection engine formed by the clustered 3D Sensors,
the detection resources are listed as from both sensors.
Using Clustered 3D Sensor Detection Engines in Policies

Requires: DC + 3D9900 Use the managing Defense Center to manage policies and responses of paired
3D Sensors.
IMPORTANT! You cannot use the Policy & Response menu on the local GUI of a
paired 3D Sensor; those pages are replaced with an informational page.
Clustered 3D Sensors detection engines present their names in the form

DetectionEngineName (MasterSensorName, SlaveSensorName) when you use
them in:
• IPS policies
• PEP policies
• compliance rules
For example, a clustered 3D Sensors detection engine could be: Z inline DE
(birch.example.com, fir.example.com); where Z inline DE is the name of the
detection engine, birch.example.com is the name of the master in the pair, and
fir.example.com is the name of the slave in the pair of 3D9900 sensors.
Understanding Interface Sets on Clustered 3D Sensors

Requires: DC + 3D9900 After you set up the clustered pair, a master/slave relationship is established
between the two 3D9900 sensors. The master’s ethb0 and ethb1 pair are used
for sensing connections. The master’s ethb2 and ethb3 pair connect to the
slave’s ethb0 and ethb1 pair. The slave’s ethb2 and ethb3 pair are not functional
and must not be connected when you establish the clustered pairing.

To view the clustered pair interface sets:

Access: Admin X Select Operations > Configuration > Detection Engines > Interface Sets.
The Interface Sets page appears. A clustered pair interface set displays both
the master and the slave in the Sensor column.
Do not attempt to change the interface settings while a clustered sensor is

paired.
For information about using interface sets in the detection engines of
clustered 3D9900s, see Using Detection Engines on Clustered 3D Sensors
on page 228.
Managing Information from a Clustered 3D Sensor

Requires: DC + 3D9900 Clustered sensors report information from each of the sensors. Analysis &
Reporting tools display the information from each half of the detection engine
independently, in the form DetectionEngineName/MasterSensorName and
DetectionEngineName/SlaveSensorName.
IMPORTANT! If you collect statistics from clustered 3D9900s, add data from
both sensor of the detection engine to measure the total.
For example, the clustered 3D Sensors detection engine could be: Z inline DE
(birch.example.com, fir.example.com), where Z inline DE is the detection engine,
birch.example.com is the master sensor, and fir.example.com is the slave
sensors. When you examine information from the clustered pair, it is listed as
from both Z inline DE / birch.example.com and from Z inline DE / fir.example.com.
A Select Detection Engines list from the Intrusion Event Statistics page is show
below.
These reports include:

• intrusion event statistics
• intrusion events
• event graphs

• dashboards
• RNA statistics
• network map
• searches
IMPORTANT! If you use eStreamer to stream event data from a clustered pair of
3D9900s to an external client application, collect the data from both 3D9900s and
ensure that you configure each 3D9900 identically. The eStreamer settings are
not automatically synchronized over the pair.

Chapter 7
Sourcefire 3D System Administrator Guide
Working with Event Reports
The Sourcefire 3D System provides a flexible reporting system that you can use
to generate a variety of event reports. Event reports include the data that you see
on the event view pages for each type of event presented in a report format.
The Report Types table describes the reports you can create and the components
required for producing them. For example, the RNA Events report appears under
the RNA report category on the Report Designer page. You must have an RNA
host license on the Defense Center managing your 3D Sensor, and you must
configure the RNA component for that sensor to collect RNA events. Similarly,
the Intrusion Events report appears under the IPS report category and requires
the IPS component on a 3D Sensor. You can run the report on the 3D Sensor or
on the Defense Center that manages the sensor.
Report Types
Report Report Category Requires
Intrusion Events with Destination IPS or RNA DC + RNA + IPS

Criticality
Intrusion Events with Source IPS or RNA DC + RNA + IPS

Criticality
Intrusion Events IPS DC + IPS
SEU Import Log IPS DC + IPS
Host Attributes RNA DC + RNA

Chapter 7
Report Types (Continued)
Report Report Category Requires
RNA Hosts RNA DC + RNA
Scan Results RNA DC + RNA
RNA Client Applications RNA DC + RNA
RNA Events RNA DC + RNA
RNA Services RNA DC + RNA
Vulnerabilities RNA DC + RNA
Hosts with Services RNA DC + RNA
Flow Data RNA DC + RNA
RUA Events RUA DC + RUA
Users RUA DC + RUA
White List Violations Compliance DC + RNA
Compliance Events Compliance DC + RNA
White List Events Compliance DC + RNA
Remediation Status Compliance DC + RNA
Health Events Health Monitoring DC
Audit Log Events Audit Log Any
You can use a predefined report profile to generate your report, or use it as a
template for an event report profile which can be customized by modifying field
settings as appropriate and saving the report with the new values. For information
on modifying a predefined or existing report profile, see Editing Report Profiles on
page 263.
You can create a new report profile through the use of the Report Designer. For
more information on how to create and save report profiles, see Understanding
Report Profiles on page 241.

Working with Event Reports Chapter 7

• Working with Event Reports on page 234
• Working with Report Profiles on page 234
• Managing Generated Reports on page 237
• Understanding Report Profiles on page 241
• Working with Report Information on page 248
• Working with Report Sections on page 255
• Working with Report Options on page 258
• Using a Report Profile on page 260

Requires: IPS or DC/ You can generate reports manually or automatically on any subset of events in an
MDC event view. You can also specify which detection engine to use when generating
the report. For information on how to generate a report for the data that appears
in an event view, see Generating Reports from Event Views on page 235.
You can view, download, or delete previously generated reports, as well as move
reports to a remote storage location. For more information on how to manage
your reports, see Managing Generated Reports on page 237.
You can run reports remotely from the Defense Center using the data on the
sensors for the report, if you use a Defense Center to manage your sensors. For
more information on how to how to generate reports on managed sensors and
view the results on the Defense Center, see Running Remote Reports on
page 240.
You can store reports locally or remotely. For more information on how to
configure a Defense Center to store reports in a remote location using SSH, NFS,
or SMB, see Managing Remote Storage on page 393.
Working with Report Profiles

Requires: IPS or DC/ You can use a predefined report profile to generate your report. For information on
MDC how to generate a report from a report profile view, see Using a Report Profile on
page 260.
You can use a predefined report profile as a template for an event report which
can be customized by modifying field settings as appropriate and saving the
report with the new values. For information on how to modify a report profile, see
Editing Report Profiles on page 263.
You can create a new report profile through the use of the Report Designer. For
more information on how to create and save report profiles, see Creating a Report
Profile on page 246.

Generating Reports from Event Views Chapter 7
You can include a summary report for intrusion events and RNA events by
selecting the appropriate radio button in your report profile. For more information
on each of the summary reports, see Using Summary Reports on page 255.
You can generate reports in PDF, HTML or comma-separated value (CSV) formats,
and include custom options such as a corporate logo or footers, and a short
description of the report. For information on how to incorporate these options into
your reports, see Working with Report Options on page 258.
Generating Reports from Event Views

Requires: IPS or DC/ You can generate reports on any subset of events in an event view. You can also
MDC specify how you want the report formatted: PDF, HTML, or as comma-separated
values (CSV).
To generate a report for a specific set of events:

Access: Any Analyst/ 1. Populate an event view with the events you want to include in the report. You
Admin can do this several ways:
• Use an event search to define the type of events you want to view. For
details on using the event search, see Searching for Events in the
Analyst Guide.
• Drill down through a workflow until you have the proper events in your
event view. For details on using workflows and constraining events
within a workflow, see Understanding and Using Workflows in the
Analyst Guide.
TIP! In addition to generating reports in an event view, as described in this

section, you can also create a report profile and then either use it to generate
a report or save it to use later. For more information, see Understanding
Report Profiles on page 241.

Generating Reports from Event Views Chapter 7
2. Click Report Designer in the toolbar.

The Report Designer page appears. The settings on the page reflect the
parameters that you selected for the search or through the drill-down pages.
The following graphic shows the Defense Center version of the page.
TIP! If you need to go back to the drill-down page where you opened the
Report Designer, click Return to Calling Page at the bottom of the Report
Designer page.
3. Change any of the parameters as necessary to meet your needs.

For details on the parameters for a report, see Creating a Report Profile on
page 246.
4. Select the check boxes next to the output options you want in the report: PDF,
HTML, or CSV. Note that you may select more than one format.
5. Click Generate Report.

Managing Generated Reports Chapter 7
6. Click OK to confirm that you want to save the current parameters as a report
profile.
The report profile is saved and the report generates in the output formats you
selected.
7. To view the report, click Reports in the toolbar, then click the report name on
the Reporting page that appears.
The report appears.
Managing Generated Reports

Requires: IPS or DC/ Manage previously generated reports on the Reporting page. You can view,
MDC download, or delete reports. If you are using a Series 2 Defense Center, you can
move reports to a remote storage location.
Each report is listed with the report name as defined in the report profile plus the
date and time the report was generated, who generated it, and whether it is
stored locally or remotely. The default location for report storage is listed at the
top of the page; for local, NFS, and SMB storage, the appliance provides the disk
usage of the storage device.
Each report has one of the following file extensions appended to the report name:
• .csv for comma-separated value reports
• .pdf for PDF reports
• .zip for HTML reports (HTML reports are zipped along with the necessary
graphics)
Finally, the appliance lists the status of each of the reports, which indicates
whether it has yet to be generated (for example, for scheduled tasks), it has
already been generated, or whether the generation failed (for example, due to
lack of disk space).
Note that only Series 2 Defense Centers support remote storage of reports. You
can enable or disable remote storage using the Enable Remote Storage for Reports
check box. If you disable remote storage, the Defense Center hides any
previously generated remotely stored reports. In addition, if you change the
remote storage location, the Defense Center hides reports not stored in the new
location. To configure remote storage, click Remote Storage on the toolbar. For
more information, see Managing Remote Storage on page 393.

For information on managing reports, see the following topics:

• Viewing Generated Reports on page 238
• Downloading Generated Reports on page 238
• Deleting Generated Reports on page 239
• Moving Reports to a Remote Storage Location on page 239
• Running Remote Reports on page 240
Viewing Generated Reports

Requires: IPS or DC/ Use the following procedure to view generated reports. You can view one report
MDC at a time. Note that users with Admin access can view all reports generated on
the appliance; other users can only view reports that they generated themselves.
TIP! You can also save reports locally. For more information, see the next
section, Downloading Generated Reports.
To view a generated report:

Access: Any Analyst/ 1. Select Analysis & Reporting > Report Profiles.
Admin The Report Profiles page appears.
2. On the toolbar, click Reports.
The Reporting page appears.
• Enable the check box next to the report you want to view, then click
View.
• Click the name of the report.
In either case, the report opens.
Downloading Generated Reports

Requires: IPS or DC/ Use the following procedure to download generated reports.
MDC
To download generated reports:

3. Enable the check boxes next to the reports you want to download, then click
Download.
TIP! Enable the check box at the top left of the page to download all reports
on the page. If you have multiple pages of reports, a second check box
appears that you can enable to download all reports on all pages.
4. Follow your browser’s prompts to download the reports.

The reports are downloaded in a single .zip file.
Deleting Generated Reports

Requires: IPS or DC/ Use the following procedure to delete generated reports.
MDC
To delete generated reports:
3. Enable the check boxes next to the reports you want to delete, then click
Delete.
TIP! Enable the check box at the top left of the page to delete all reports on
the page. If you have multiple pages of reports, a second check box appears
that you can enable to delete all reports on all pages.
4. Confirm that you want to delete the reports.

The reports are deleted.
Moving Reports to a Remote Storage Location

Requires: DC/MDC On Series 2 Defense Centers, you can move locally stored reports to a remote
storage location. Note that after you move a report to a remote location, you
cannot move it back. For information on configuring a remote storage location and
enabling remote storage of reports, see Managing Remote Storage on page 393.
To move generated reports:


3. Enable the check boxes next to the reports you want to move, then click
Move.
TIP! Enable the check box at the top left of the page to move all reports on
the page. If you have multiple pages of reports, a second check box appears
that you can enable to move all reports on all pages.
4. Confirm that you want to move the reports.

The reports are moved.
Running Remote Reports

Requires: DC + If you use a Defense Center to manage your sensors, you have the option of
3D Sensor running reports remotely from the Defense Center using the data on the sensors.
For example, if you use your Defense Center to manage a 3D Sensor with IPS,
and you store IPS data on the sensor in addition to sending it automatically to the
Defense Center, you can run the report on the data that is resident on the sensor.
There are several limitations that you need to keep in mind:
• If you do not store data on the sensor, then the remote report will be empty.
• If your report uses a logo or image file, the logo or image file must exist on
both the Defense Center and the managed sensor where you run the
report.
• You cannot run incident reports remotely on managed 3D Sensors with IPS.
• You cannot run remote reports on 3Dx800 or Crossbeam-based software
sensors.
To run a remote report:

2. Click Create Report Profile.
The Report Designer page appears.
3. Create the report that you want to run on the managed sensor.
See Generating Reports from Event Views on page 235 for details.
4. From the drop-down list at the bottom of the page, select the sensor where
you want to run the report and click Run Remote Report.
A prompt appears asking you to confirm that you want to run the report
remotely.
5. Click OK.
The report is run on the sensor that you selected.

Understanding Report Profiles Chapter 7
6. In the toolbar, click Reports.

The Reporting page appears, listing the report you just generated on the
managed sensor. Note that remote- is prepended to the name of the report.
7. You can view or download the remote report as you would with any other
locally generated report.
TIP! You can also use report profiles as the basis for remote reports by
creating a profile as described in Creating a Report Profile on page 246. When
you run the report, make sure you select the name of the sensor and click Run
Report Remotely.
Understanding Report Profiles

Requires: IPS or DC/ Report profiles provide the structure for the generated report. You can use a
MDC predefined report profile to either generate your report, or use as a template for a
new report profile by modifying field settings as appropriate and saving the report
with the new values. Additionally, a new report profile can be created through the
use of the Report Designer. You can then manually run these reports or schedule
them to run automatically (for information about scheduling tasks, see Scheduling
Tasks on page 425).
Whether you use a predefined report profile or create your own, all report profiles
contain the same three configurable areas: Report Information, Reports Sections,
and Report Options. Note that not all options are available for all categories or
types.
Report Information defines the basic nature of the report profile by first giving the
report profile a name, and then selecting the report category and type. Depending
upon your choices, you will have other options to define, such as detection
engine, search query, and workflow. For more information, see Working with
Report Information on page 248.
Report Sections identifies which sections to include in the report, such as a drill
down of events, table view of events, or the inclusion of an image file. For more
information, see Working with Report Sections on page 255.
Report Options specifies the outputs of the report format (PDF, HTML, or
comma-separated (CSV format), inserts a logo, adds a custom footer, and
provides an option to email the report. For more information, see Working with
Report Options on page 258.
• Understanding the Predefined Report Profiles on page 242
• Modifying a Predefined Report Profile on page 246
• Creating a Report Profile on page 246


• Using a Report Profile on page 260
• Generating a Report using a Report Profile on page 261
• Deleting Report Profiles on page 263
Understanding the Predefined Report Profiles

Requires: IPS or DC/ A predefined report profile provides you with predefined setting for event reports.
MDC As with custom report profiles that you create (see Creating a Report Profile on
page 246), you can use a predefined report profile as a template for an event
report. You can modify field settings as appropriate, save the report with the new
values, and run the report manually or automatically.

Predefined reports are provided by the Sourcefire system: Blocked Events, High
Priority Events, and Host Audit. The following graphic shows the Blocked Events
report profile on the Defense Center version of the page.
The following tables provide the default settings for each of the predefined report
profiles. Note that if you modify the default settings, you have created a new
report profile; you must save the report profile with a new name to preserve your
new settings. The Report Options area is not included in these charts.

The Blocked Events report profile provides information on blocked intrusion

events for all detection engines for the past twenty-four hours. This report profile
is available on the Defense Center or on a 3D Sensor with IPS.
Default Settings for the Blocked Events Report Profile
Field Setting
Report Category IPS
Report Type Intrusion Events
Detection Engine All
Search Query Blocked Events
Workflow Impact and Priority (on the Defense Center)

Destination Port (on the 3D Sensor)
Time Last day, sliding time window
Add Summary Report Quick
Impact Based Event Summary Enabled

(on the Defense Center)
Drill Down of Source and Enabled

Destination IPS
(on the Defense Center)
Drill Down of Destination Port Enabled

(on the 3D Sensor)
Drill Down of Events Enabled

(on the 3D Sensor)
Table View of Events Disabled
Packets (limit 50 pages) Disabled
The High Priority Events report profile provides information on intrusion events as
well as the host criticality of hosts involved in the intrusion events for the past

twenty-four hours. This report profile is available only on a Defense Center that
manages 3D Sensors with RNA and IPS.
Default Settings for the High Priority Events Report Profile
Field Setting
Report Category IPS
Report Type Intrusion Events with Destination Criticality
Search Query High Priority Events
Workflow Events by Impact, Priority, and Host

Criticality
Time Last day, sliding time window
Add Summary Report Quick
Impact to Criticality Summary Enabled
Source Destination Drill Down Enabled
Intrusion Events with Enabled

Destination Criticality
The Host Audit report profile provides operating system details for the past week
on systems less than two network hops away from 3D Sensors with RNA. This
report profile is available only on the Defense Center that manages 3D Sensors
with RNA.
Default Settings for the Host Audit Report Profile
Field Setting
Report Category RNA
Report Type RNA Hosts
Search Query Local Systems

Default Settings for the Host Audit Report Profile (Continued)
Field Setting
Workflow Operating System Summary
Time Last week, sliding time window
Add Summary Report summary
Summary of OS Names Enabled
Summary of OS Versions Enabled
OS Details with IP, NetBIOS, Enabled

Criticality
Table View of Events Disabled
Modifying a Predefined Report Profile

Requires: IPS or DC/ You can use a predefined report profile as a template to create a new report
MDC profile by modifying the field settings as appropriate, and saving the report with
the new values. For more information on how to modify a predefined report
profile, see Editing Report Profiles on page 263.
Creating a Report Profile

Requires: IPS or DC/ You can create the report profile by defining category and type, and then
MDC specifying which detection engines to search, the criteria for the search, and
which workflows to examine. Not all options are available for all reports. For
example, in the IPS report category, selecting the Intrusion Events report type
gives you the option to select which detection engines to search; selecting the
Intrusion Events with Source Criticality report type does not provide that option.
You perform three steps to create the a report profile: first, create the report
profile in the system; second, configure the options in each of three report areas
(Report Information, Report Sections, and Report Options); and, finally, save the
report profile.
Working with Report Information on page 248 explains how to set the type of
report and how to specify which detection engines, queries, and workflows to
apply. Working with Report Sections on page 255 explains how to specify which
the sections to be included in the report, such as a drill down of events, table
view of events, or an image file. Note that all reports contain the option for a
summary report and an image file, but not all options are available for all reports.

Working with Report Options on page 258 section explains how to set the output
of the report (PDF, HTML or comma-separated value (CSV) format), adds a custom
footer or logo, and how to use the option which emails the report.
To create a report profile:

2. Click Create Report Profile.
The Report Designer page appears. The following graphic shows the Defense
Center version of the page.
TIP! You can also reach the Report Designer page from any event view by
clicking Report Designer on the toolbar.
3. Continue with Defining Report Information on page 254.

Working with Report Information Chapter 7
Working with Report Information

Requires: IPS or DC/ You define the basic nature of the report profile by first giving the report profile a
MDC name, and then selecting the report category and type. Depending upon your
choices, you will have other options to define, such as detection engine, search
query, and workflow. Note that not all options are available for all categories or
types. The following graphic is an example of the Report Information section.
The Report Name can be any name using 1-80 alphanumeric characters, periods,
dashes, parentheses, and spaces.

The Report Category defines which system feature is examined in the report.
Select from the Report Categories table
.
Report Categories
Select... If you...
IPS have an IPS license and you want to report on intrusion events with or without
source or destination criticality, or the SEU import log.
Use this option to select a workflow on one or more detection engines to
search for blocked events, high impact or high priority events, common
concerns, public or private addresses only, or exploits that target client/server
issues, or various services. For example, you can create a report which
searches for IP-specific high impact intrusion events on a specified detection
engine. For information on IPS Report Type options, see IPS Category Report
Types on page 251.
RNA are using a Defense Center with an RNA host license and you want to report
on host attributes, RNA client applications, vulnerabilities, intrusion events
with source criticality, hosts with services, RNA hosts, RNA events, RNA
services, or scan results.
Use this option to search hosts for blocked or high priority events.For example,
you can create a report which searches selected detection engines for RNA
client applications. For more information on RNA Report Type options, see
RNA Category Report Types on page 252.
RUA are using a Defense Center with an RUA host license and you want to search
one or more detection engines to examine the RUA Events and users, and
generate a report which can include sections with a Table View of Events and
Users. For example, you can create a report which searches selected
detection engines for RUA events.
Compliance are using a Defense Center with an RNA host license and you want to report
on white list violations, remediation status, compliance events, or white list
events. For example, you can create a report which searches a selected
detection engine for RNA compliance events.
Health Monitoring are using a Defense Center and you want to report on the health of your
sensors.
Audit Log want to report on audit log events.
The Report Type is a subset of the Report Category and provides a greater level of
detail to the report. Options vary depending upon Report Type. In many cases,
such as the Compliance or Audit Log report categories, report types are limited
and self-explanatory. However IPS and RNA report types options are extensive
and provide detailed options for defining your report profile. See Using Report
Types on page 250 for more information.

The Detection Engine allows you to select which detection engines are to be
searched for the report. This option is available when searching for events, such a
intrusion, RNA, white list, or compliance events, or when searching the network
for RNA hosts, host attributes, client applications, and health monitoring.
The Search Query identifies the search criteria for the report. Options vary
depending upon Report Type, and can include a list of exploits (such as Sasser
Worm Search or non-standard service attempts) or areas of concern such as IRC
Events or Kerberos Client/Server issues.
The Workflow allows you to select which workflow to examine. Options vary
depending upon which options you selected for Report Type, Detection Engine,
and Search Query, and can include such options as Network Services by Count or
Host Violations, and IP-Specific or Impact and Priority.
The Time option allows you to define the period of time for which the report is
generated. Click in the current time field to open a pop-up window from which
you can select a static, expanding, or sliding time frame. For more information,
see Setting Event Time Constraints in the Analyst Guide.
• Using Report Types on page 250
• Defining Report Information on page 254
Using Report Types

Requires: IPS or DC/ The Report Type is a subset of the Report Category and provides a greater level of
MDC detail to the report. Options for the report type vary depending upon which
Report Category is selected. Some report categories, such as the Compliance or
Audit Log report categories, have limited report types and are self-explanatory.
However, the report types available to the IPS and RNA report categories are
extensive and provide detailed options for defining your report profile.
• IPS Category Report Types on page 251
• RNA Category Report Types on page 252

IPS Category Report Types

You can choose from the following IPS Category Report Types
:
IPS Category Report Types
Select... To...
Intrusion Events search one or more detection engines using user-specified search queries and
workflows to generate a report which can include sections with a drill down of
the destination port and events, a table view of events, and the packets.
Search queries include: Blocked Events, Bootstrap Client/Server, Common
Concerns, DNS Service, DirectX Service, FTP Service, Finger Service, High
Impact Events, High Priority Events, IRC Events, Impact1/Not Dropped
Events, Kerberos Client/Server, LDAP Services, Mail Services, Oracle Service,
Private Addresses Only, Public Addresses Only, RPC Services, and Reserved
Port TCP Scan.
Workflows include: Destination Port, Event-Specific, Events by Priority and
Classification, Events to Destinations, IP-Specific, Impact and Priority, Impact
and Source, Impact to Destination, Source Port, and Source and Destination.
Intrusion Events with search using the Blocked Events or High Priority events search queries to
Source Criticality generate a report on the Intrusion Events with Source Criticality default
workflow which can include sections on Intrusion Events with Source
Criticality, and the packets.
Intrusion Events with search using the Blocked Events or High Priority Events search queries on your
Destination Criticality choice of three workflows:
Events by Impact, Priority, and Host Criticality, which can include sections on
Impact to Criticality Summary, Source Destination Drill Down, Intrusion Events
with Destination Criticality, and the packets.
Events with Destination, Impact, and Host Criticality, which can include
sections on Current Events Monitor, Intrusion Events with Destination
Intrusion Events with Destination Criticality default workflow, which can
include sections on Intrusion Events with Destination Criticality, and the
packets.
SEU Import Log generate a report on the SEU Detail View workflow.

RNA Category Report Types

You can choose from the following RNA Category Report Types:
RNA Category Report Types
Select... To...
Host Attributes search one or more detection engines to examine the Attributes workflow, and
generate a report which can include sections with a table view of host
attributes and the packets.
RNA Client search one or more detection engines to examine the Client Application
Applications Summaries or RNA Client Applications workflows, and generate a report
which can include sections with a table view of client applications and the
packets.
Vulnerabilities examine the Vulnerabilities workflow and generate a report which can include
sections with a table view of vulnerabilities, vulnerabilities on the network, and
the packets.
Intrusion Events with search using the Blocked Events or High Priority events search queries on the
Source Criticality Intrusion Events with Source Criticality default workflow, and generate a
report which can include sections on Intrusion Events with Source Criticality,
and the packets.
Host with Services examine the Hosts with Services Default Workflow or the Service and Host
Details, and generate a report which can include sections on Hosts with
Services and the hosts.
RNA Hosts search one or more detection engines to examine the operating system
summary or RNA hosts for local, remote, unidentified, or unknown systems,
and generate a report which can include sections with a Summary of
Operating System Names, Summary of Operating System Versions, Operating
System Details with IP, NetBIOS Criticality, Table View of Hosts, and Hosts.
Scan Results generate a report on the Scan Results workflow.
RNA Events search one or more detection engines using the NetSky.S Worm Search, New
Events, Sasser Worm Search, Subseven Trojan Search, Timeout Events, and
Update Events, and generate a report which can include sections with a Table
View of Events, and Hosts.

RNA Category Report Types (Continued)
Select... To...
RNA Services search one or more detection engines for non-standard service events (such
as non-standard HTML, non-standard mail, non-standard SSH) in Network
Services by Count, Network Services by Hit, and RNA Services workflows,
and to generate a report which can include sections with Active Services,
Service Application Activity, Service Version Audit, Service by Host, and Hosts.
Intrusion Events with search using the Blocked Events, Events to High Criticality Hosts, or High
Destination Criticality Priority Events search queries, and generate a report on your choice of three
workflows:
Events by Impact, Priority, and Host Criticality, which can include sections on
Impact to Criticality Summary, Source Destination Drill Down, Intrusion Events
with Destination Criticality, and the packets.
Events with Destination, Impact, and Host Criticality, which can include
sections on Current Events Monitor, Intrusion Events with Destination
Intrusion Events with Destination Criticality default workflow, which can
include sections on Intrusion Events with Destination Criticality, and the
packets.
Flow Data search one or more detection engines using user-specified search queries and
workflows, and generate a report which can include sections with the Top Ten
workflows, Table View of Flow Summary Data, Table View of Flow Data drill
down of the destination port and events, a table view of events, and the
packets.
Search queries include: Possible Database Access, Standard HTTP, Standard
Mail, Standard SSL, and Unauthorized SMTP.
Workflows include: Flow Summaries, Flows by Detection Engine, Flows by
Initiator, Flows by Port, Flows by Responder, Flows by Service, Flows Over
Time, RNA Flows, Traffic by Detection Engine, Traffic by Initiator, Traffic by
Port, Traffic by Responder, Traffic by Service, Traffic Over Time, Unique
Initiators by Responder, and Unique Responders by Initiator.

Defining Report Information

Requires: IPS or DC/ After you have determined which options you need for your report, use the
MDC following procedure to define the report information options.
Access: Any Analyst/ To define the Report Information:
Admin
1. From the Report Category drop-down list, select the report category for which
you want to create a report.
You can choose from:

• IPS (with an IPS license)
• RNA (on a Defense Center with an RNA host license)
• RUA (on a Defense Center with an RUA host license)
• Compliance (on a Defense Center with an RNA host license)
• Health Monitoring (on a Defense Center)
• Audit Log
2. From the Report Type drop-down list, select the type of report you want to
create.
3. Optionally, if the report type you selected includes the Detection Engine option,
select a specific Detection Engine on which to report.
4. Requires: DC Optionally, if you are reporting on health events, select a specific
sensor or sensor group from the Sensor drop-down list.
5. From the Search Query drop-down list, either use the Use Current Query option
(which retains any query parameters you specified on the search page or
event page) or select one of the existing search queries.
Note that if you did not previously specify a search query, the Use Current
Query option places no constraints on the events.
6. From the Workflows list, select the workflow you want to use to build the
report.
For information on workflows, see Understanding and Using Workflows in
the Analyst Guide.

Working with Report Sections Chapter 7
7. Specify the time range for the report.

Depending on your default time window, the time range matches either the
time window for the event view you are using to building the report profile, or
the global time window. You can change time range by clicking it and using
the Date/Time pop-up window to select a new time range. For more
information, see Setting Event Time Constraints in the Analyst Guide.
8. Continue with Defining the Report Sections on page 258.
IMPORTANT! For report profiles that you plan to use multiple times, such as
in scheduled tasks, Sourcefire strongly recommends that you use a sliding
time range. If you create a report profile with a static time range, the
appliance will generate a report using the same time range (and therefore the
same events) every time you use the report profile.
Working with Report Sections

Requires: IPS or DC/ The Report Sections area is populated based on the workflow you selected.
MDC Select the check box for each report section you want to include in the report.
Reports can include up to 10,000 records for each report section you select.
• Using Summary Reports on page 255
• Including an Image File on page 257
• Defining the Report Sections on page 258
Using Summary Reports

Requires: IPS or DC/ Depending on the components you are licensed to use in your Sourcefire 3D
MDC System deployment, you can include summary reports for intrusion events and
RNA events. You can append these summary reports to the beginning of any
report by selecting the appropriate radio button in the report profile.
Intrusion event reports require the IPS component. If your deployment includes
IPS, you can include either a Quick Summary or a Detail Summary report in your
report profile definition.

The Comparison of Quick Summary and Detail Summary Reports table shows
which information is included in the reports
.
Comparison of Quick Summary and Detail Summary Reports
Report Information Quick Detail

Summary Summary
Pie chart showing the percentage of events in each event type (which maps to X X
the rule category for the rule that generated the event)
List of the 10 most active and 10 least active events X X
Graph showing the number of events over time X X
Pie charts showing the percentage of events by protocol (for example, TCP, X X
UDP, or ICMP) and event classification (which maps to the value for the
classtype keyword in the rule that generated the event)
Tables listing the 50 most active and least active events X X
Tables listing the 50 most active source and destination ports X X
Tables listing the 25 most active source and destination hosts and host X X
combinations.
Tables listing the 25 most active source and destination hosts as well as the X
25 most active source and host combinations
Tables listing the most active events for each of the 25 most active destination X
hosts
Tables listing the most active events for the 25 most active source and X
destination host combinations
IMPORTANT! On the Defense Center, the report includes summary information

for all the managed 3D Sensors with IPS that you include in the report.
RNA-related event reports require the RNA component. If your deployment

includes 3D Sensors with RNA and a Defense Center that manages the sensors,

you can add the RNA Summary to RNA event, host, client application, service,
and flow data reports. The RNA Summary includes:
• RNA event statistics including total number of events, events in the last day
and hour, total services, total hosts, total routers, total bridges, and host
limit usage
• a list of events divided by event type with counts for the last hour and total
number within the report range
• pie charts showing the percentage of events by protocol (for example, TCP,
UDP, or ICMP), service, and operating system
Including an Image File

Requires: IPS or DC/ You can add an image to your report which will be displayed after the summary
MDC report and before the drill down or table views. This can be useful for providing
information best displayed in a visual, non-graphical format, or simply as a break
between sections.
You can use JPEG, PNG, and TIFF files as image files, but only JPEG and PNG
graphics are supported in most browsers.

Working with Report Options Chapter 7
Defining the Report Sections

Requires: IPS or DC/ After you have determined which options you need for your report, use the
MDC following procedure to define the report section options.
Access: Any Analyst/ To define the Report Sections:
Admin
1. If a summary is available for the report type you selected, specify whether
you want to include it as part of your report.
• To include a summary with intrusion event-based reports, select quick

or detailed. For a full description of the information provided in Quick and
Detailed summaries, see Using Summary Reports on page 255.
• On a Defense Center with an RNA host license, to include a summary
with an RNA-based report, select summary. For a full description of the
information provided in the RNA summary, see Using Summary
Reports on page 255.
• To exclude the summary, select none, which is the default.
2. If you want to include an image in the report, type the path to the image in
the Include Image File text box, or navigate to a JPEG, PNG, or TIFF file.
3. Select the check boxes next to the sections of the workflow you want to
include in the report. The options in this section depend on the workflow you
selected in step 6.
4. Continue with Working with Report Options on page 258.
TIP! Note that if you select a table view of events, the report is limited to
10,000 records as noted in step 6, regardless of the number of events.
Working with Report Options

Requires: IPS or DC/ Report Options define the look of the report, and provide the option to email the
MDC report
You can generate a report in PDF, HTML or comma-separated value (CSV) format.
You can also generate the same report in multiple formats. Note that graphics are
not available in the CSV format.

Working with Report Options Chapter 7
You can include a logo on your report. In PDF formats, the logo is included on
every page. In HTML formats, the logo is included at the top of the report.
You can add a description which will be included on the front page summary of
the report.
Access: Any Analyst/ To define the report options:
Admin
1. Select the check boxes next to one or more output options for your report:
PDF, HTML, or CSV.
2. Optionally, for PDF and HTML reports, select a logo from the list of image
files that were previously added to the system.
See Including an Image File on page 257 for information about how to make
more logos available to the report designer.
3. Optionally, for PDF and HTML reports, type a description in the Description
field. You can use alphanumeric characters and spaces. The description
appears in the report header.
4. Optionally, for PDF reports, type the text you want to include as the footer in
the Custom Footer field. You can use 1 - 80 alphanumeric characters and
spaces.
5. Optionally, you can specify that reports are automatically emailed after they
are generated. To email a report, type one or more email addresses in a
comma-separated list in the Email to field.
IMPORTANT! You must make sure that the mail host is identified: Click Not
available. You must set up your mail relay host. The System Policy page appears.
Click Edit in the row for the system policy you want to modify. Click Email
Notification. Type the name of your mail server in the Mail Relay Host field and
click Save. Click Apply in the row for the system policy you changed and apply
it to the appliance.
The report is emailed from host_name@domain_name, where host_name is

the host name of the appliance and domain_name is the name of the domain
where you deployed the appliance.

Using a Report Profile Chapter 7
6. You have the following options:

• To save the report profile, click Save Report Profile.
When prompted, follow the instructions for your browser to save the
report profile.
The report profile is saved with the name you specified in the Report
Name field.
• To generate the report and save the report profile, click Generate Report.
When prompted, follow the instructions for your browser to generate
the report and save the report profile.
• To see a PDF preview of your report, click Preview Report.
When prompted, follow the instructions for your browser to display a
PDF version of the report in the browser window.
• On a Defense Center, to generate the report remotely, select the
sensor where you want to run the report and click Run Remote Report.
When prompted, follow the instructions for your browser to generate
the report and save the report profile.
IMPORTANT! The PDF, HTML, and CSV selections for Output Options apply to
generated reports, not to report previews. When you click Preview Report, you
see a PDF version of the report.
Using a Report Profile

Requires: IPS or DC/ You can use report profiles to generate reports that contain the information that is
MDC important to you and your evaluation of the events generated for your network.
You can use an predefined or existing report profile as a template for a new report
profile. For information on editing a report profile, see Editing Report Profiles on
page 263.
If you want to generate a report for a specific set of events or a specific time
period, populate the event view with the events you want to see in your report
before opening the report designer. For details on using the event view, see the
following sections:
• Viewing RNA Network Discovery and Host Input Events in the Analyst
Guide
• Viewing Hosts in the Analyst Guide
• Viewing Services in the Analyst Guide
• Viewing Client Applications in the Analyst Guide
• Working with Flow Data and Traffic Profiles in the Analyst Guide
• Working with Intrusion Events in the Analyst Guide


• Generating a Report using a Report Profile on page 261
• Editing Report Profiles on page 263
• Deleting Report Profiles on page 263
Generating a Report using a Report Profile

Requires: IPS or DC/ You can use report profiles to generate reports that contain the information that is
MDC important to you and your evaluation of the events generated for your network.
Access: Any Analyst/ To generate a report using a report profile:
Admin
1. Select Analysis & Reporting > Report Profiles.
The Report Profiles page appears.

2. Click the name of the report profile you want to use.

The Report Designer page loads the parameters defined for that selected
report.
3. If necessary, click the time range to change it to include the events you want
in your report.
For more information, see Setting Event Time Constraints in the Analyst
Guide.
4. Click Generate Report.
The system generates the report.
5. Click Reports in the toolbar to display the Reporting page.
The Reporting page appears, listing the report that you generated as well as
any other previously generated reports. For information on managing
generated reports, see Managing Generated Reports on page 237.

Editing Report Profiles

Requires: IPS or DC/ You can create a new report profile by using a predefined or existing report profile
MDC as a template for a new report profile, modifying the field settings as appropriate,
and saving the report with the new values. You can also edit a report profile to
make changes to the resulting report.
Use the following procedure to edit a report profile.
Access: Any Analyst/ To edit a report profile:
Admin
1. Select Analysis & Reporting > Report Profiles.
The Report Profiles page appears.
2. Click Edit next to the profile that you want to delete.
The Report Designer page appears and contains the current settings for the
report profile.
3. Make changes to the report areas as needed.
See the following sections for information:
IMPORTANT! If you are creating a new report profile from a predefined or

existing report profile, remember to change the name of the report profile in
the Report Name field.
4. Click Save Report Profile. When prompted, follow the instructions for your
browser to save the report profile. The report profile is saved with the name
you specified in the Report Name field.
Deleting Report Profiles

Requires: IPS or DC/ Use the following procedure to delete a report profile.
MDC
To delete a report profile:
2. Click Delete next to the profile that you want to delete.
The report profile is deleted.

Chapter 8
Administrator Guide
Managing Users
If your user account has Administrator access, you can manage the user accounts
that can access the web interface on your Defense Center or 3D Sensor. On the
Defense Center, you can also set up user authentication via an external
authentication server, rather than through the internal database.
• Understanding Sourcefire User Authentication on page 264
• Managing Authentication Objects on page 269
• Managing User Accounts on page 299
Understanding Sourcefire User Authentication

Requires: DC/MDC or When a user logs into the web interface, the appliance looks for a match for the
3D Sensor user name and password in the local list of users. This process is called
authentication. There are two kinds of authentication: internal and external. If the
user’s account uses internal authentication, the authentication process checks
the local database for this list. If the account uses external authentication, the
process checks the local database to see if the user exists there and, if the user is
not found locally, it queries an external server, such as a Lightweight Directory

Managing Users
Understanding Sourcefire User Authentication Chapter 8
Access Protocol (LDAP) directory server or a Remote Authentication Dial In User

Service (RADIUS) authentication server, for a list of users.
For users with either internal or external authentication, you can control user
permissions. Users with external authentication receive the permissions either
for the group or access list they belong to, or based on the default user access
role you set in the server authentication object or in a system policy on the
managing Defense Center, unless you change the user permissions manually.

Managing Users

• Understanding Internal Authentication on page 266
• Understanding External Authentication on page 266
• Understanding User Privileges on page 267
Understanding Internal Authentication

Requires: DC/MDC or By default, the Sourcefire 3D System uses internal authentication to check user
3D Sensor credentials when a user logs in. Internal authentication occurs when the
username and password are verified against records in the internal Sourcefire 3D
System database. If you do not enable external authentication when you create a
user, the user credentials are managed in the internal database.
Because you manually create each internally authenticated user, you set the
access settings when you create the user and you do not need to set default
settings.
IMPORTANT! Note that an internally authenticated user is converted to external

authentication if you enable external authentication, the same username exists
for the user on the external server, and the user logs in using the password
stored for that user on the external server. Once an internally authenticated user
converts to an externally authenticated user, you cannot revert to internal
authentication for that user.
Understanding External Authentication

Requires: DC External authentication occurs when the Defense Center or managed sensor
retrieves user credentials from an external repository, such as an LDAP directory
server or RADIUS authentication server. LDAP authentication and RADIUS
authentication are types of external authentication.Note that you can only use one
form of external authentication for an appliance.
If you want to use external authentication, you must configure an authentication
object for each external authentication server where you want to request user
information. The authentication object contains your settings for connecting to
and retrieving user data from that server. You can then enable that object in a
system policy on the managing Defense Center and apply the policy to an
appliance to enable authentication. When any externally authenticated user logs
in, the web interface checks each authentication server to see if that user is
listed, in the order the servers are listed in the system policy.

Managing Users
When you create a user, you can specify whether that user is internally or
externally authenticated.
TIP! You can use the Import/Export feature to export system policies. When you
export a policy with external authentication enabled, the authentication objects
are exported with the policy. You can then import the policy and object on another
Defense Center. Do not import policies with authentication objects onto
3D Sensors.
You can push a system policy to a managed 3D Sensor to enable external

authentication on that sensor, but you cannot control the authentication object
from the sensor’s web interface. The only configuration of external authentication
on the sensor occurs when you select the type of authentication for a new user. If
you want to disable external authentication on a managed 3D Sensor, disable it in
the system policy on the managing Defense Center and re-apply the policy to the
sensor. If you apply a local system policy (created on the sensor) to the sensor
itself, external authentication is also disabled.
IMPORTANT! Sourcefire does not support external authentication for RNA

Software for Red Hat Linux, Intrusion Agents, 3Dx800 sensors, or Crossbeam-
based software sensors.
For more information on specific types of external authentication, see the

following sections:
• Understanding LDAP Authentication on page 269
• Understanding RADIUS Authentication on page 287
Understanding User Privileges

The Sourcefire 3D System lets you allocate user privileges based on the user’s
role. For example, an analyst typically needs access to event data to analyze the
security of monitored networks, but might never require access to administrative
functions for the Sourcefire 3D System itself. You can grant Intrusion Event
Analyst and RNA Event Analyst access privileges for analysts and reserve the
Administrator role for the network administrator managing the Sourcefire 3D
System.
In the system policy on the Defense Center, you set a default access role for all
users who are externally authenticated. After an externally authenticated user
logs in for the first time, you can add or remove access rights for that user on the
User Management page. If you do not modify the user’s rights, the user has only
the rights granted by default. Because you create internally authenticated users
manually, you set the access rights when you create them.
If you configured management of access rights through LDAP groups, the access
rights for users are based on their membership in LDAP groups. They receive the

Managing Users
default access rights for the group that they belong to that has the highest level of
access. If they do not belong to any groups and you have configured group
access, they receive the default user access rights configured in the
authentication object for the LDAP server. If you configure group access, those
settings override the default access setting in the system policy.
Similarly, if you assign a user to specific user role lists in a RADIUS authentication
object, the user receives all assigned roles, unless one or more of those roles are
mutually incompatible. If a user is on the lists for two mutually incompatible roles,
the user receives the role that has the highest level of access. If the user does
not belong to any lists and you have configured a default access role in the
authentication object, the user receives that role. If you configure default access
in the authentication object, those settings override the default access setting in
the system policy.
The Sourcefire 3D System supports the following user roles, listed in order of
precedence, depending on the features you have licensed:
• Administrators can set up the appliance’s network configuration, manage
user accounts, configure system policies and system settings. Users with
the Administrator role also have Intrusion Event Analyst, RNA Event
Analyst, Policy & Response (P&R) Administrator, and Maintenance access
rights.
• Intrusion Event Analysts can view, analyze, review, and delete intrusion
events and compliance and RUA events. They can also create incidents,
generate reports, and view (but not delete or modify) health events.
• Intrusion Event Analysts (Read Only) have all the same rights as Intrusion
Event Analysts, except that they cannot delete events.
• RNA Event Analysts can view, analyze, and delete network change events,
hosts, host attributes, services, vulnerabilities, client applications,
compliance events, and RUA events. RNA analysts can also generate
reports and view (but not delete or modify) health events.
• RNA Event Analysts (Read Only) have all the same rights as RNA Event
Analysts, except that they cannot delete events.
• Restricted Event Analysts have the combined privileges of Intrusion Event
Analysts and RNA Event Analysts, but users are limited to subsets of that
data. Restricted analysts can also be assigned the Policy & Response
Administrator or Maintenance User roles, but cannot be assigned the
Intrusion Event Analyst or RNA Event Analyst roles.
Note that on the Defense Center you cannot select Restricted Event
Analyst as the default user role in the system policy, but you can modify a
user’s settings via the User Management page to grant this level of access.

Managing Users
Managing Authentication Objects Chapter 8
• Policy & Response Administrators can manage intrusion rules, policies, and
responses, as well as compliance rules, policies, and responses.
• Maintenance Administrators can access monitoring functions (including
health monitoring, host statistics, performance data, and system logs) and
maintenance functions (including task scheduling and backing up the
system).
Note that maintenance administrators do not have access to the functions
in the Policy & Response menu and can only access the dashboard from the
Analysis & Reporting menu.
Managing Authentication Objects

Requires: DC Authentication objects are server profiles for external authentication servers,
containing connection settings and authentication filter settings for those servers.
You can create, manage, and delete authentication objects on the Defense
Center. See the following sections for details on these tasks:
• Understanding LDAP Authentication on page 269
• Creating LDAP Authentication Objects on page 269
• LDAP Authentication Object Examples on page 281
• Editing LDAP Authentication Objects on page 286
• Creating RADIUS Authentication Objects on page 287
• RADIUS Authentication Object Examples on page 295
• Editing RADIUS Authentication Objects on page 298
• Deleting Authentication Objects on page 298
Understanding LDAP Authentication

LDAP, or the Lightweight Directory Access Protocol, allows you to set up a
directory on your network that organizes objects, such as user credentials, in a
centralized location. Multiple applications can then access those credentials and
the information used to describe them. If you ever need to change a user's
credentials, you can change them in one place, rather than having to change them
on the local appliances as well as on any other application that uses them.
Creating LDAP Authentication Objects

Requires: DC You can create LDAP authentication objects to provide user authentication
services for an appliance.
When you create an authentication object, you define settings that let you
connect to an authentication server. You also select the directory context and
search criteria you want to use to retrieve user data from the server. Optionally,
you can configure shell access authentication.

Managing Users
Note that to create an authentication object, you need TCP/IP access from your
local appliance to the authentication server where you want to connect.
To create an authentication object:

Access: Admin 1. Select Operations > Configuration > Login Authentication.
The Login Authentication page appears.
2. Click Create Authentication Object.
The Create Authentication Object page appears.
3. Identify the authentication server where you want to retrieve user data for
external authentication. For more information, see Identifying the LDAP
Authentication Server on page 270.
4. Configure authentication settings to build a search request that retrieves the
users you want to authenticate. Specify a user name template to format the
usernames that users enter on login. For more information, see Configuring
LDAP Authentication Settings on page 271.
5. If you are using a Microsoft Active Directory server or if your LDAP server
uses a UI access attribute or a shell access attribute other than uid, specify
the appropriate attributes for your server. For more information, see
Configuring Attribute Mapping on page 274.
6. Optionally, configure LDAP groups to use as the basis for default access role
assignments. For more information, see Configuring Access Settings by
Group on page 275.
7. Optionally, configure authentication settings for shell access. For more
information, see Configuring Administrative Shell Access on page 278.
8. Test your configuration by entering the name and password for a user who
can successfully authenticate. For more information, see Testing User
Authentication on page 280.
Your changes are saved. Remember that you have to apply a system policy
with the object enabled to an appliance before the authentication changes
take place on that appliance. For more information, see Configuring
Authentication Profiles on page 329 and Applying a System Policy on
page 324.
Identifying the LDAP Authentication Server

Requires: DC When you create an authentication object, you first specify the primary and
backup server and server port where you want the local appliance (3D Sensor or
Defense Center) to connect for authentication. Note that if you change the
encryption method after specifying the port, the port resets to the default value.
For none or TLS, the port uses the default value of 389. If you select SSL
encryption, the port uses the default of 636.

Managing Users
To identify an LDAP authentication server:

Access: Admin 1. Select LDAP from the Authentication Method drop-down list.
2. Type a name and description for the authentication server in the Name and
Description fields.
3. Type the IP address or host name for the primary server where you want to
obtain authentication data in the Primary Server Host Name/IP Address field.
IMPORTANT! If you are using a certificate to connect via TLS or SSL, the
host name in the certificate must match the host name used in this field. In
addition, IPv6 addresses are not supported.
4. Optionally, modify the port used by the primary authentication server in the
Primary Server Port field.
5. Optionally, type the IP address or host name for the backup server where you
want to obtain authentication data in the Backup Server Host Name/IP Address
field.
6. Optionally, modify the port used by the primary authentication server in the
Backup Server Port field.
7. Continue with Configuring LDAP Authentication Settings.
Configuring LDAP Authentication Settings

Requires: DC If you specify a backup authentication server, you can set a timeout for the
connection attempt to the primary server. If the number of seconds indicated in
the Timeout field (or the timeout on the directory server) elapses without a
response from the primary authentication server, the appliance then queries the
backup server. If, for example, the primary server has LDAP disabled, the
appliance would query the backup server. If LDAP is running on the port of the
primary LDAP server and for some reason refuses to service the request (due to
misconfiguration or other issues), however, the failover to the backup server does
not occur.

Managing Users
To allow an appliance to connect to the LDAP server, you need to select the
encryption method for the connection. You can choose no encryption, Transport
Layer Security (TLS), or Secure Sockets Layer (SSL) encryption. Note that if you
are using a certificate to authenticate when connecting via TLS or SSL, the name
of the LDAP server in the certificate must match the name that you use to
connect. For example, if you enter 10.10.10.250 as the server and
computer1.example.com in the certificate, the connection fails. Changing the
name of the server in the authentication profile to computer1.example.com
causes the connection to succeed.
When the local appliance searches the LDAP directory server to retrieve user
information on the authentication server, it needs a starting point for that search.
You can specify the namespace, or directory tree, that the local appliance should
search by providing a base distinguished name, or base DN. If your LDAP Server
uses a Pluggable Authentication Module (PAM) login attribute of uid, the local
appliance checks the uid attribute value for each object in the directory tree
indicated by the base DN you set. If one of the objects has a matching username
and password, the user login request is authenticated. Typically, the base DN will
have a basic structure indicating the company domain and operational unit. For
example, the Security organization of the Example company might have a base
DN of ou=security,dc=example,dc=com.
You can also add a base filter that sets a specific value for a specific attribute. The
base filter focuses your search by only retrieving objects in the base DN that have
the attribute value set in the filter. Enclose the base filter in parentheses. For
example, to filter for only users with a common name starting with F, use the
filter (cn=F*). When you save the authentication object, the local appliance
queries using the base filter to test it and indicates whether or not the filter
appears to be correct. To test your base filter more specifically by entering a test
username and password, see Testing User Authentication on page 280.
LDAP usernames can include underscores (_), periods (.), and hyphens (-) but
otherwise only alphanumeric characters are supported.
To allow the local appliance to access the user objects, you must supply user
credentials for a user with appropriate rights to the authentication objects you
want to retrieve. Remember that the distinguished name for the user you specify
must be unique to the directory information tree for the directory server.
For the authentication method specific parameters, you can use the LDAP
naming standards and filter and attribute syntax defined in the RFCs listed in the
Lightweight Directory Access Protocol (v3): Technical Specification, RFC 3377.
Examples of syntax are provided throughout this procedure. Note that when you
set up an authentication object to connect to a Microsoft Active Directory Server,
you can use the address specification syntax documented in the Internet RFC
822 (Standard for the Format of ARPA Internet Text Messages) specification
when referencing a user name that contains a domain. For example, to refer to a
user object, you might type JoeSmith@security.example.com rather than the
equivalent user distinguished name of cn=JoeSmith,ou=security,
dc=example,dc=com when using Microsoft Active Directory Server.

Managing Users
Selecting a user name template lets you indicate how user names entered on
login should be formatted, by mapping the string conversion character (%s) to the
value of the shell access attribute for the user. The user name template is the
format for the distinguished name used for authentication. When a user enters a
user name into the login page, the name is substituted for the string conversion
character and the resulting distinguished name is used to search for the user
credentials. For example, to set a user name template for the Security
organization of the Example company, you would enter
%s@security.example.com.
To configure the authentication method for a server:

Access: Admin 1. Type the number of seconds that should elapse before rolling over to the
backup connection in the Timeout field.
2. Select one of the following encryption modes:

• To connect using Secure Sockets Layer (SSL), select SSL.
• To connect using Transport Layer Security (TLS), select TLS.
• To connect without encryption, select None.
IMPORTANT! Note that if you change the encryption method after specifying
a port, you reset the port to the default value for that method. For none or
TLS, the port uses the default value of 389. If you select SSL encryption, the
port uses the default of 636.
3. Optionally, if you selected TLS or SSL encryption and you want to use a
certificate to authenticate, click Browse to browse to the location of a valid
TLS or SSL certificate or type the path to the certificate in the SSL Certificate
Upload Path field.
A message appears, indicating a successful certificate upload.
4. Type the base distinguished name for the LDAP directory you want to access
in the Base DN field.
For example, to authenticate names in the Security organization at the
Example company, type ou=security,dc=example,dc=com.

Managing Users
5. To set a filter that retrieves only specific objects within the namespace you
specified as the Base DN, type the attribute type, a comparison operator, and
the attribute value you want to use as a filter, enclosed in parentheses, in the
Base Filter field.
For example, if the user objects in a directory tree have a
physicalDeliveryOfficeName attribute and users in the New York office have
an attribute value of NewYork for that attribute, to retrieve only users in the
New York office, type (physicalDeliveryOfficeName=NewYork).
6. Type the distinguished name and password for the user whose credentials
should be used to validate access to the LDAP directory in the User Name and
Password fields.
For example, if you are connecting to an OpenLDAP Server where user
objects have a uid attribute and the object for the administrator in the
Security division at our example company has a uid value of NetworkAdmin,
you would type uid=NetworkAdmin,ou=security,dc=example,dc=com.
7. Re-type the password in the Confirm Password field.
8. Type the user distinguished name, with the string conversion character (%s) in
place of the shell access attribute value, into the User Name Template field.
For example, to authenticate all users who work in the Security organization
of our example company by connecting to an OpenLDAP server where the
shell access attribute is uid, you would type
uid=%s,ou=security,dc=example,dc=com in the User Name Template field.
For a Microsoft Active Directory server, you could type
%s@security.example.com.
9. Continue with Configuring Attribute Mapping.
Configuring Attribute Mapping

Requires: DC If your LDAP Server uses a default UI access attribute of uid, when a user logs in,
the local appliance (3D Sensor or Defense Center) checks the value of the uid
attribute for each user record on the LDAP Server to see if it matches the user
name. If you want to filter on uid, you do not need to specify a UI access
attribute. However, you can map a different attribute for the local appliance to
search. Setting a UI access attribute tells the local appliance to match the value of
that attribute rather than the value of the uid attribute. You can use any attribute,
if the value of the attribute is a valid user name for either the Sourcefire 3D
System web interface or for shell access. Valid user names are unique, have no
spaces and no periods in them, and do not begin with a numeral.
The Pluggable Authentication Module (PAM) login attribute of your LDAP Server
acts as a shell access attribute. If your LDAP server uses uid, the local appliance
checks the user name entered on login against the attribute value of uid. If the
shell access attribute for a server is something other than uid, you must explicitly
set the Shell Access Attribute to match the attribute value.

Managing Users
To configure attribute mapping for a server:

Access: Admin 1. To retrieve users based on an attribute instead of the Base DN and Base
Filter, type the attribute type in the UI Access Attribute field.
For example, on a Microsoft Active Directory Server, you may want to use the
UI Access Attribute to retrieve users, because there may not be a uid
attribute on Active Directory Server user objects. Instead, you can search the
userPrincipalName attribute by typing userPrincipalName in the UI Access
Attribute field.
2. To retrieve users for shell access, type the attribute type you want to filter on
in the Shell Access Attribute field.
For example, on a Microsoft Active Directory Server, use the
sAMAccountName shell access attribute to retrieve shell access users by
typing sAMAccountName in the Shell Access Attribute field.
3. For the next step, you have two choices:
• If you want to configure user default roles based on LDAP group
membership, continue with Configuring Access Settings by Group.
• If you are not using LDAP groups for authentication, continue with
Configuring Administrative Shell Access on page 278.
Configuring Access Settings by Group

Requires: DC If you prefer to base default access settings on a user’s membership in an LDAP
group, you can specify distinguished names for existing groups on your LDAP
server for each of the access roles used by your Sourcefire 3D System. When you
do so, you can configure a default access setting for those users detected by
LDAP that do not belong to any specified groups. When a user logs in, the
Sourcefire 3D System dynamically checks the LDAP directory and assigns default
access rights according to the user’s current group membership.
Any group you reference must exist on the LDAP server. You can reference static
LDAP groups or dynamic LDAP groups. Static LDAP groups are groups where
membership is determined by group object attributes that point to specific users,
and dynamic LDAP groups are groups where membership is determined by
creating an LDAP search that retrieves group users based on user object
attributes. Group access settings for a role only affect users who are members of
the group.

Managing Users
The access rights granted when a user logs into the Sourcefire 3D System
depends on the LDAP configuration:
• If no group access settings are configured for your LDAP server, when a
new user logs in, the Sourcefire 3D System authenticates the user against
the LDAP server and then grants user rights based on the default minimum
access role set in the system policy.
• If you configure any group settings, new users belonging to specified
groups inherit the minimum access setting for the groups where they are
members.
• If a new user does not belong to any specified groups, the user is assigned
the default minimum access role specified in the Group Controlled Access
Roles section of the authentication object.
• If a user belongs to more than one configured group, the user receives the
access role for the group with the highest access as a minimum access
role.
You cannot remove the minimum access rights for users assigned an access role
because of LDAP group membership through the Sourcefire 3D System user
management page. You can, however, assign additional rights. When you modify
the access rights for an externally authenticated user, the Authentication Method
column on the User Management page provides a status of External - Locally
Modified.
IMPORTANT! If you use a dynamic group, the LDAP query is used exactly as it is
configured on the LDAP server. For this reason, the Sourcefire 3D System limits
the number of recursions of a search to four to prevent search syntax errors from
causing infinite loops. If a user’s group membership is not established in those
recursions, the default access role defined in the Group Controlled Access Roles
section is granted to the user.

Managing Users
To base access defaults on LDAP group membership:

Access: Admin 1. Type the distinguished name for the LDAP group containing users who
should at minimum have access to analysis and reporting features, rule and
policy configuration, system management, and all maintenance features in
the Administrator Group DN field.
For example, to authenticate names in the information technology
organization at the Example company, type cn=itgroup,ou=groups,
dc=example,dc=com.
2. Type the distinguished name for the LDAP group containing users who
should at minimum have access to monitoring and maintenance features in
the Maintenance Group DN field.
For example, to authenticate names in the information technology
organization at the Example company, type cn=itgroup,ou=groups,
dc=example,dc=com.
should at minimum have access to rules and policy configuration in the Policy
& Response Administrator Group DN field.
For example, to authenticate names in the Security organization at the
Example company, type cn=securitygroup,ou=groups,dc=example,
dc=com.
should at minimum have access to IPS analysis features in the Intrusion Event
Analyst Group DN field.
For example, to authenticate names in the Intrusion Event Analyst group at
the Example company, type cn=ipsanalystgroup,ou=groups,dc=example,
dc=com.

Managing Users
should at minimum have access to IPS analysis features in the Intrusion Event
Analyst Group DN (Read Only) field.
should at minimum have access to RNA analysis features in the RNA Event
Analyst Group DN field.
should at minimum have access to RNA analysis features in the RNA Event
Analyst Group DN (Read Only) field.
8. Select the default minimum access role for users that do not belong to any of
the specified groups from the Default User Role list.
TIP! Press the Ctrl key while clicking role names to select multiple roles in
the list.
For more information on user access roles, see Adding New User Accounts
on page 300.
9. Type the LDAP attribute that designates membership in a static group in the
Group Member Attribute field.
For example, if the member attribute is used to indicate membership in the
static group you reference for default Policy & Response Administrator
access, type member.
10. Optionally, type the LDAP attribute that contains the LDAP search string used
to determine membership in a dynamic group in the Group Member URL
Attribute field.
For example, if the memberURL attribute contains the LDAP search that
retrieves members for the dynamic group you specified for default Admin
access, type memberURL.
11. Continue with Configuring Administrative Shell Access on page 278.
Configuring Administrative Shell Access

Requires: DC You can also use the LDAP directory server to authenticate accounts for shell
access on your local appliance (3D Sensor or Defense Center). Specify a search
filter that will retrieve entries for users you want to grant shell access. Note that
you can only configure shell access for the first authentication object in your
system policy. For more information on managing authentication object order, see
Configuring Authentication Profiles on page 329.
IMPORTANT! Sourcefire does not support external authentication for RNA

Software for Red Hat Linux, Intrusion Agents, 3Dx800 sensors, or
Crossbeam-based software sensors.

Managing Users
With the exception of the root account, shell access is controlled entirely though
the shell access attribute you set. Shell users are not configured as local users on
the appliance, even after they log in. Addition and deletion of shell access users
occurs only on the LDAP server, and the filter you set here determines which set
of users on the LDAP server can log into the shell.
Note that a home directory for each shell user is created on login, and when an
LDAP shell access user account is disabled (by disabling the LDAP connection),
the directory remains, but the user shell is set to /bin/false in /etc/password
to disable the shell. If the user then is re-enabled, the shell is reset, using the
same home directory.
The Same as Base Filter check box allows you to search more efficiently if all users
qualified in the base DN are also qualified for shell access privileges. Normally,
the LDAP query to retrieve users combines the base filter with the shell access
filter. If the shell access filter was the same as the base filter, the same query
would be run twice, which is unnecessarily time-consuming. You can use the
Same as Base Filter option to run the query only once for both purposes.
Shell users should log in using usernames with all lowercase letters.
WARNING! All shell users have sudoers privileges. Make sure that you restrict
the list of users with shell access appropriately.
To configure shell account authentication:

Access: Admin 1. To set a filter to retrieve administrative user entries based on attribute value,
type the attribute type, a comparison operator, and the attribute value you
want to use as a filter, enclosed in parentheses, in the Shell Access Filter field,
or select Same as Base Filter to use the same filter you specified when
configuring authentication settings.
For example, if all network administrators have a manager attribute which has
an attribute value of shell, you can set a base filter of (manager=shell).
IMPORTANT! If you choose not to specify a shell access filter, a warning

displays when you save the authentication object to confirm that you meant
to leave the filter blank.
2. Continue with Testing User Authentication.

Managing Users
Testing User Authentication

Requires: DC After you configure LDAP server and authentication settings, you can specify user
credentials for a user who should be able to authenticate to test those settings.
For the user name, you can enter the value for the uid attribute for the user you
want to test with. If you are connecting to a Microsoft Active Directory Server and
supplied a shell access attribute in place of uid in Configuring Attribute Mapping
on page 274, use the value for that attribute as the user name. You can also
specify a fully-qualified distinguished name for the user.
Note that testing the connection to servers with more than 1000 users only
returns 1000 users because of UI page size limitations.
TIP! If you mistype the name or password of the test user, the test fails even if
the server configuration is correct. Test the server configuration without the
additional test parameters first. If that succeeds supply a user name and
password to test with the specific user.
To test user authentication:

Access: Admin 1. In the User Name and Password fields, type the uid value or shell access
attribute value and password for the user whose credentials should be used
to validate access to the LDAP directory.
For example, to test to see you can retrieve the JSmith user credentials at
our example company, type JSmith.
2. Click Test.
A message appears, either indicating success of the test or detailing what
settings are missing or need to be corrected.
3. To view details of test output, select Show Details.
4. If the test succeeds, click Save.
The Login Authentication page appears, with the new object listed.
To enable LDAP authentication using the object on an appliance, you must
apply a system policy with that object enabled to the appliance. For more
information, see Configuring Authentication Profiles on page 329 and
Applying a System Policy on page 324.

Managing Users
LDAP Authentication Object Examples

Requires: DC For sample configurations showing how different configuration options might be
used for connections to specific directory server types, see the following
sections:
• OpenLDAP Example on page 281
• Microsoft Active Directory Server Example on page 282
• Sun Directory Server Example on page 284
OpenLDAP Example
Requires: DC The following figures illustrate parts of a sample LDAP login authentication object
for an OpenLDAP directory server with an IP address of 10.10.3.4, with a backup
server that has an IP address of 10.10.3.5. Note that the connection uses port 389
for access and that connections to the server time out after 30 seconds of disuse.
This example illustrates important aspects of LDAP configuration.

• This example shows a connection using a base distinguished name of
OU=security,DC=it,DC=example,DC=com for the security organization in
the information technology domain of the Example company.

Managing Users
• Because this is an OpenLDAP server that uses CN as a part of each user’s

name, the user name template for the connection uses CN=%s, followed by
the base distinguished name for the server directory, to indicate the
template used to format user names retrieved from the server.
• Because the user names to be retrieved are contained in the default uid
attribute, no UI access attribute is specified. The Sourcefire 3D System
checks the uid attribute of each object in the directory indicated by the
distinguished name against the username for each user who logs into the
system. Note that all objects in the directory are checked because no base
filter is set.
• To support shell access, the CN attribute is set as the shell access attribute.
• A shell access filter has been applied to this configuration, allowing only
those users who have a common name attribute value of jsmith to log into
the appliance using a shell account.
Microsoft Active Directory Server Example

Requires: DC The following figure illustrates a sample LDAP login authentication object for a
Microsoft Active Directory Server with an IP address of 10.11.3.4, with a backup
server that has an IP address of 10.11.3.5. Like the OpenLDAP server, the
connection uses port 389 for access and connections to the server time out after
30 seconds of disuse (or the timeout period set on the LDAP server).
Aspects of this example illustrate important differences in this LDAP configuration

from the configuration discussed in the OpenLDAP Example on page 281.

Managing Users
• Like the OpenLDAP server, this example shows a connection using a base
distinguished name of OU=security,DC=it,DC=example,DC=com for the
security organization in the information technology domain of the Example
company. Again, because no base filter is applied to this server, the
Sourcefire 3D System checks attributes for all objects in the directory
indicated by the base distinguished name.
• Because this is a Microsoft Active Directory Server, the user name template
for the connection uses address specification syntax documented in RFC
822 rather than the typical LDAP naming syntax.
• However, because this server is a Microsoft Active Directory server, it uses
the userPrincipalName attribute to store user names rather than the uid
attribute. Note that the configuration includes a UI Access Attribute of
userPrincipalName. As a result, the Sourcefire 3D System checks the
userPrincipalName attribute for each object for matching user names
when a user attempts to log into the Sourcefire 3D System.
• In addition, a Shell Access Attribute of sAMAccountName causes each

sAMAccountName attribute to be checked for all objects in the directory for
matches when a user logs into a shell account on the appliance.

Managing Users
• This example also has group settings in place. The maintenance role is
automatically assigned to all members of the group with a member group
attribute and the base domain name of
CN=maintenance,DC=it,DC=example,DC=com.
• As in the OpenLDAP server, a shell access filter has been specified for this
server, allowing only those users who have a common name attribute value
of jsmith to log into the appliance using a shell account. However, as noted
above, a shell access attribute value of sAMAccountName must be set for
shell access to work on a Microsoft Active Directory server.
Sun Directory Server Example

Requires: DC The following figure illustrates a sample LDAP login authentication object for a
Sun Directory Server with an IP address of 10.12.3.4, with a backup server that
has an IP address of 10.12.3.5.

Managing Users
Settings in the example illustrate important differences in this LDAP configuration

from the configuration discussed in Microsoft Active Directory Server Example on
page 282:
• Because the Encryption for the connection is set to SSL, the Server Port is set
to 636.
A certificate has been uploaded to allow the SSL connection.
• This example shows a connection using a base distinguished name of

OU=security,DC=it,DC=example,DC=com for the security organization in
the information technology domain of the Example company.
However, note that this server does have a base filter of (cn=*smith). The
filter restricts the users retrieved from the server to those with a common
name ending in smith.
• The user name template shown uses the uid attribute value as the user
name.
• Because user names can be retrieved from the uid attribute on this server,
no UI access attribute is specified. The Sourcefire 3D System checks the
uid attribute of each object in the directory indicated by the distinguished
name against the user name for each user who logs into the system. Note
that all objects in the directory are checked because no base filter is set.
• To allow shell access on the server, the uid attribute is named as the Shell
Access Attribute and the Same as Base Filter option for the shell access filter
is set, allowing all users with a common name ending in smith to log in
using a shell account as well. Using Same as Base Filter allows a more
efficient search query if and only if all users qualified in the base DN are also
qualified for shell access privileges.

Managing Users
Editing LDAP Authentication Objects
Requires: DC You can edit an existing authentication object. If the object is in use in a system
policy, the settings in place at the time the policy was applied stay in effect until
you re-apply the policy.
To edit an authentication object:

2. Click Edit next to the object you want to edit.
3. Modify the object settings as needed.
For more information, see the following topics:
• Creating LDAP Authentication Objects on page 269
• Configuring LDAP Authentication Settings on page 271
• Configuring Attribute Mapping on page 274
• Configuring Administrative Shell Access on page 278
• Testing User Authentication on page 280
IMPORTANT! If you previously uploaded a certificate and want to replace it,

upload the new certificate and re-apply the system policy to your appliances
to copy over the new certificate.

Managing Users
4. Click Save.
Your changes are saved and the Login Authentication page re-appears.
Remember that you have to apply a system policy with the object enabled to
an appliance before the authentication changes take place on that appliance.
For more information, see Configuring Authentication Profiles on page 329
and Applying a System Policy on page 324.
Understanding RADIUS Authentication

Requires: DC The Remote Authentication Dial In User Service (RADIUS) is an authentication
protocol used to authenticate, authorize, and account for user access to network
resources. You can create an authentication object for any RADIUS server that
conforms to RFC 2865.
When a user authenticated on a RADIUS server logs in for the first time, the user
receives the roles specified for that user in the authentication object, or if the
user is not listed for any of the user roles, the default access role you selected in
the authentication object, or failing that, the system policy. You can modify a
user’s roles, if needed, unless the settings are granted through the user lists in
the authentication object.
The Sourcefire 3D System implementation of RADIUS supports the use of
SecurID® tokens. When you configure authentication by a server using SecurID,
users authenticated against that server append the SecurID token to the end of
their SecurID pin and use that as their password when they log into a Sourcefire
appliance. As long as SecurID is configured correctly to authenticate users
outside the Sourcefire 3D System, those users can log into a Sourcefire 3D
System appliance using their pin plus the SecurID token without any additional
configuration on the appliance.
Creating RADIUS Authentication Objects

Requires: DC When you create a RADIUS authentication object, you define settings that let you
connect to an authentication server. You also grant user roles to specific and
default users. If your RADIUS server returns custom attributes for any users you
plan to authenticate, you need to define those custom attributes. Optionally, you
can also configure shell access authentication.
Note that to create an authentication object, you need TCP/IP access from your
local appliance to the authentication server where you want to connect.
To create an authentication object:

2. Click Create Authentication Object.

Managing Users
3. Identify the primary and backup authentication servers where you want to
retrieve user data for external authentication and set timeout and retry values.
For more information, see Configuring RADIUS Connection Settings on
page 288.
4. Set the default user role. Optionally, specify the users or user attribute values
for users that you want to receive specific Sourcefire 3D System access
roles. For more information, see Configuring RADIUS User Roles on
page 290.
5. Optionally, configure administrative shell access. For more information, see
Configuring Administrative Shell Access on page 292.
6. If the profiles for any of the users to authenticate return custom RADIUS
attributes, define those attributes. For more information, see Defining
Custom RADIUS Attributes on page 293.
7. Test your configuration by entering the name and password for a user who
should successfully authenticate. For more information, see Testing User
Authentication on page 294.
Your changes are saved. Remember that you have to apply a system policy
with the object enabled to an appliance before the authentication changes
take place on that appliance. For more information, see Configuring
Authentication Profiles on page 329 and Applying a System Policy on
page 324.
Configuring RADIUS Connection Settings

Requires: DC When you create a RADIUS authentication object, you first specify the primary
and backup server and server port where you want the local appliance (3D Sensor
or Defense Center) to connect for authentication.
IMPORTANT! For FreeRADIUS to function correctly, you need to open both ports
1812 and 1813 on your firewall and on the FreeRADIUS server.
If you specify a backup authentication server, you can set a timeout for the
connection attempt to the primary server. If the number of seconds indicated in
the Timeout field (or the timeout on the directory server) elapses without a
response from the primary authentication server, the appliance then re-queries
the primary server.
After the appliance re-queries the primary authentication server the number of
times indicated by the Retries field and the number of seconds indicated in the
Timeout field again elapses without a response from the primary authentication
server, the appliance then rolls over to the backup server.
If, for example, the primary server has RADIUS disabled, the appliance would
query the backup server. If RADIUS is running on the port of the primary RADIUS
server and for some reason refuses to service the request (due to

Managing Users
misconfiguration or other issues), however, the failover to the backup server does
not occur.
To identify a RADIUS authentication server:

Access: Admin 1. Select RADIUS from the Authentication Method drop-down list.
2. Type a name and description for the authentication server in the Name and
Description fields.
3. Type the IP address or host name for the primary RADIUS server where you
want to obtain authentication data in the Primary Server Host Name/IP Address
field.
IMPORTANT! IPv6 addresses are not supported.
4. Optionally, modify the port used by the primary RADIUS authentication server
in the Primary Server Port field.
5. Type the secret key for the primary RADIUS authentication server in the
RADIUS Secret Key field.
6. Type the IP address or host name for the backup RADIUS authentication
server where you want to obtain authentication data in the Backup Server Host
Name/IP Address field.
7. Optionally, modify the port used by the backup RADIUS authentication server
in the Backup Server Port field.
8. Type the secret key for the backup RADIUS authentication server in the
RADIUS Secret Key field.
9. Type the number of seconds that should elapse before retrying the
connection in the Timeout field.

Managing Users
10. Type the number of times the primary server connection should be tried
before rolling over to the backup connection in the Retries field.
11. Continue with Configuring RADIUS User Roles.
Configuring RADIUS User Roles

Requires: DC You can specify the access roles for existing users on your RADIUS server by
listing the user names for each of the access roles used by your Sourcefire 3D
System. When you do so, you can also configure a default access setting for
those users detected by RADIUS that are not specified for a particular role.
When a user logs in, the Sourcefire 3D System checks the RADIUS server and
grants access rights depending on the RADIUS configuration:
• If specific access settings are not configured for a user and a default access
role is not selected, when a new user logs in, the Sourcefire 3D System
authenticates the user against the RADIUS server and then grants user
rights based on the default access role (or roles) set in the system policy.
• If a new user is not specified on any lists and default access roles are
selected in the Default User Role list of the authentication object, the user is
assigned those access roles.
• If you add a user to the list for one or more specific role, that user receives
all assigned access roles.
You can also use attribute-value pairs, rather than usernames, to identify users
who should receive a particular user role. For example, if you know all users who
should be RNA Analysts have the value Analyst for their User-Category
attribute, you can type User-Category=Analyst in the RNA Analyst List field to
grant that role to those users. Note that you need to define any custom attributes
before you use them to set user role membership. For more information, see
Defining Custom RADIUS Attributes on page 293.
You can assign a default user role (or roles) to be assigned to any users that are
authenticated externally but not listed for a specific role. You can select multiple
roles on the Default User Role list.
For more information on the user roles supported by the Sourcefire 3D System,
see Configuring User Roles on page 304.
You cannot remove the minimum access rights for users assigned an access role
because of RADIUS user list membership through the Sourcefire 3D System user
management page. You can, however, assign additional rights.
WARNING! If you want to change the minimum access setting for a user, you
must not only move the user from one list to another in the RADIUS Specific
Parameters section or change the user’s attribute on the RADIUS server, you
must reapply the system policy, and you must remove the assigned user right on
the user management page.

Managing Users
To base access on user lists:

Access: Admin 1. Type the name of each user or each identifying attribute-value pair, separated
by commas, who should at minimum receive access to analysis and reporting
features, rule and policy configuration, system management, and all
maintenance features in the Administrator List field.
For example, to grant the Administrator role to the users jsmith and jdoe,
type jsmith, jdoe in the Administrator List field.
2. Type the name of each user or each identifying attribute-value pair, separated
by commas, who should at minimum receive access to monitoring and
maintenance features in the Maintenance List field.
For example, to grant the Maintenance role to all users with a
User-Category value of Maintenance, type User-Category=Maintenance
in the Maintenance List field.
by commas,who should at minimum receive access to rules and policy
configuration in the Policy & Response Administrator List field.
by commas, who should at minimum receive access to IPS analysis features
in the Intrusion Event Analyst List field.
by commas, who should at minimum receive access to IPS analysis features
in the Intrusion Event Analyst (Read Only) List field.

Managing Users
by commas, who should at minimum receive access to RNA analysis features
in the RNA Event Analyst List field.
by commas, who should at minimum receive access to RNA analysis features
in the RNA Event Analyst (Read Only) List field.
8. Select the default minimum access role for users that do not belong to any of
the specified groups from the Default User Role list.
TIP! Press the Ctrl key while clicking role names to select multiple roles in
the list.
For more information on user access roles, see Configuring User Roles on
page 304.
9. Continue with Configuring Administrative Shell Access.
Configuring Administrative Shell Access

Requires: DC You can also use the RADIUS server to authenticate accounts for shell access on
your local appliance (3D Sensor or Defense Center). Specify user names for users
you want to grant shell access. Note that you can only configure shell access for
the first authentication object in your system policy. For more information on
managing authentication object order, see Configuring Authentication Profiles on
page 329.
With the exception of the root account, the shell access list you set on the
RADIUS authentication object entirely controls shell access on the appliance.
Shell users are configured as local users on the appliance when the system policy
is applied.
Note that a home directory for each shell user is created on login, and when an
RADIUS shell access user account is disabled (by disabling the RADIUS
connection), the directory remains, but the user shell is set to /bin/false in /
etc/password to disable the shell. If the user then is re-enabled, the shell is
reset, using the same home directory.
Shell users should log in using usernames with all lowercase letters.
WARNING! All shell users have sudoers privileges. Make sure that you restrict
the list of users with shell access appropriately.

Managing Users
To configure shell account authentication:

Access: Admin 1. Type the usernames, separated by commas, in the Administrator Shell Access
User List field.
IMPORTANT! If you choose not to specify a shell access filter, a warning

displays when you save the authentication object to confirm that you meant
to leave the filter blank.
2. Continue with Defining Custom RADIUS Attributes on page 293.
Defining Custom RADIUS Attributes

Requires: DC If your RADIUS server returns values for attributes not included in the
dictionary file in /etc/radiusclient/ and you plan to use those attributes to
set user roles for users with those attributes, you need to define those attributes
in the login authentication object.
You can locate the attributes returned for a user by looking at the user’s profile on
your RADIUS server.
When you define an attribute, you provide the name of the attribute, which
consists of alphanumeric characters. Note that words in an attribute name should
be separated by dashes rather than spaces. You also provide the attribute ID,
which should be an integer and should not conflict with any existing attribute IDs
in the etc/radiusclient/dictionary file. You also specify the type of attribute:
string, IP address, integer, or date.
As an example, if a RADIUS server is used on a network with a Cisco router, you
might want to use the Ascend-Assign-IP-Pool attribute to grant a specific role
to all users logging in from a specific IP address pool. Ascend-Assign-IP-Pool is
an integer attribute that defines the address pool where the user is allowed to log
in, with the integer indicating the number of the assigned IP address pool. To
declare that custom attribute, you create a custom attribute with an attribute
name of Ascend-IP-Pool-Definition, an attribute ID of 218, and an attribute
type of integer. You could then type Ascend-Assign-IP-Pool=2 in the Intrusion
Event Analyst (Read Only) field to grant read-only intrusion event analyst rights to all
users with an Ascend-IP-Pool-Definition attribute value of 2.
When you create a RADIUS authentication object, a new dictionary file for that
object is created on the Sourcefire 3D System appliance in the /var/sf/
userauth directory. Any custom attributes you add to the authentication object
are added to the dictionary file.

Managing Users
To define a custom attribute:

Access: Admin 1. Click the arrow to expand the Define Custom RADIUS Attributes section.
The attribute fields appear.
2. Type an attribute name consisting of alphanumeric characters and dashes,

with no spaces, in the Attribute Name field.
3. Type the attribute ID, in integer form, in the Attribute ID field.
4. Select the type of attribute from the Attribute Type drop-down list.
5. Click Add to add the custom attribute to the authentication object.
TIP! You can remove a custom attribute from an authentication object by

clicking Delete next to the attribute.
6. Continue with Testing User Authentication on page 294.
Testing User Authentication

Requires: DC After you configure RADIUS connection, user role, and custom attribute settings,
you can specify user credentials for a user who should be able to authenticate to
test those settings.
For the user name, you can enter the user name for the user you want to test
with.
Note that testing the connection to servers with more than 1000 users only
returns 1000 users because of UI page size limitations.
TIP! If you mistype the name or password of the test user, the test fails even if
the server configuration is correct. To verify that the server configuration is
correct, click Test without entering user information in the Additional Test
Parameters first. If that succeeds supply a user name and password to test with
the specific user.

Managing Users
To test user authentication:

Access: Admin 1. In the User Name and Password fields, type the user name and password for
the user whose credentials should be used to validate access to the RADIUS
server.
For example, to test to see you can retrieve the jsmith user credentials at
our example company, type jsmith.
2. Select Show Details and click Test.

A message appears, either indicating success of the test or detailing what
settings are missing or need to be corrected.
3. If the test succeeds, click Save.
The Login Authentication page appears, with the new object listed.
To enable RADIUS authentication using the object on an appliance, you must
apply a system policy with that object enabled to the appliance. For more
information, see Configuring Authentication Profiles on page 329 and
Applying a System Policy on page 324.
RADIUS Authentication Object Examples

Requires: DC This section provides examples of RADIUS server authentication objects to show
how Sourcefire 3D System RADIUS authentication features can be used. See the
following sections for more information:
• Authenticating a User using RADIUS on page 295
• Authenticating a User with Custom Attributes on page 296
Authenticating a User using RADIUS

Requires: DC The following figure illustrates a sample RADIUS login authentication object for a
server running freeRadius with an IP address of 10.10.10.98. Note that the
connection uses port 1812 for access and that connections to the server time out
after 30 seconds of disuse and will retry three times before attempting to connect
to a backup authentication server.

Managing Users
This example illustrates important aspects of RADIUS user role configuration:

• Users ewharton and gsands are granted administrative access to
Sourcefire 3D System appliances where this authentication object is
enabled.
• The user jaustin is granted Intrusion Event Analyst access to Sourcefire
3D System appliances where this authentication object is enabled.
• The user cbronte is granted RNA Event Analyst access to Sourcefire 3D
System appliances where this authentication object is enabled.
• The user ewharton can log into the appliance using a shell account.
The following graphic depicts the role configuration for the example:
Authenticating a User with Custom Attributes

Requires: DC You can use an attribute-value pair to identify users who should receive a
particular user role. If the attribute you use is a custom attribute, you must define
the custom attribute.

Managing Users
The following figure illustrates the role configuration and custom attribute
definition in a sample RADIUS login authentication object for the same freeRadius
server as in the previous example.
In this example, however, the MS-RAS-Version custom attribute is returned for
one or more of the users because a Microsoft remote access server is in use.
Note the MS-RAS-Version custom attribute is a string. In this example, all users
logging in to RADIUS through a Microsoft v. 5.00 remote access server should
receive the Intrusion Event Analyst (Read Only role), so you type the
attribute-value pair of MS-RAS-Version=MSRASV5.00 in the Intrusion Event Analyst
(Read Only) field.

Managing Users
Editing RADIUS Authentication Objects

Requires: DC You can edit an existing authentication object. If the object is in use in a system
policy, the settings in place at the time the policy was applied stay in effect until
you re-apply the policy.
To edit an authentication object:

2. Click Edit next to the object you want to edit.
3. Modify the object settings as needed.
• Creating RADIUS Authentication Objects on page 287
• Configuring RADIUS Connection Settings on page 288
• Configuring RADIUS User Roles on page 290
• Configuring Administrative Shell Access on page 292
• Testing User Authentication on page 294
4. Click Save.
Your changes are saved and the Login Authentication page re-appears.
Remember that you have to apply a system policy with the object enabled to
an appliance before the authentication changes take place on that appliance.
For more information, see Configuring Authentication Profiles on page 329
and Applying a System Policy on page 324.
Deleting Authentication Objects

Requires: DC You can delete an authentication object if it is not currently enabled in a system
policy.
To delete an authentication object:

2. Click Delete next to the object you want to delete.
The object is deleted and the Login Authentication page appears.

Managing Users
Managing User Accounts Chapter 8
Managing User Accounts

If you have Admin access, you can use the web interface to view and manage
user accounts on a Defense Center or a 3D Sensor, including adding, modifying,
and deleting accounts. User accounts without Admin access are restricted from
accessing management features. The navigation menu differs in appearance for
each type of user.
See the following sections for more information about managing user accounts:
• Viewing User Accounts on page 299 explains how to access the User
Management page, where you can add, activate, deactivate, edit, and
delete user accounts.
• Adding New User Accounts on page 300 describes the different options you
can use when you add a new user account.
• Managing Externally Authenticated User Accounts on page 302 explains
how externally authenticated users are added and what aspects of the user
configuration you can manage within the Sourcefire 3D System.
• Modifying User Privileges and Options on page 306 explains how to access
and modify an existing user account.
• Modifying Restricted Event Analyst Access Properties on page 307 explains
how to restrict the data available to a user account with restricted data
access.
• Deleting User Accounts on page 312 explains how to delete user accounts.
• User Account Privileges on page 312 contains tables that list the menus and
options each type of user account can access.
Viewing User Accounts

Requires: DC/MDC or From the User Management page, you can view, edit, and delete existing
3D Sensor accounts. You can determine the type of authentication for a user from the
Authentication Method column. The Password Lifetime column indicates the
days remaining on each user’s password. The Action column allows you to set
users active or inactive. Note that for externally authenticated users, if the
authentication object for the server is disabled, the Authentication Method
column displays External (Disabled).
To access the User Management page:

Access: Admin X Select Operations > User Management.
The User Management page appears, showing each user, with options to
activate, deactivate, edit, or delete the user account.

Managing Users
See the following sections for information about the actions you can perform on
the User Management page:
• Adding New User Accounts on page 300
• Modifying User Privileges and Options on page 306
• Modifying Restricted Event Analyst Access Properties on page 307
• Modifying User Passwords on page 311
• Deleting User Accounts on page 312
Adding New User Accounts

Requires: DC/MDC or When you set up a new user account, you can control which parts of the system
3D Sensor the account can access.
To add a new user:

Access: Admin 1. Select Operations > User Management.
The User Management page appears.

Managing Users
2. Click Create User.

The Create User page appears.
3. In the User Name field, type a name for the new user.
New user names must contain alphanumeric or hyphen characters with no
spaces, and must be no more than 32 characters.
4. Requires: DC/MDC If you want this user to authenticate to an external directory
server on login, select Use External Authentication Method.
IMPORTANT! If you select this option, the password management options

below disappear. Configure access settings and click Add User to complete
configuration of the externally authenticated user. You must also create an
authentication object for the external authentication server you want to use
for authentication on your Defense Center, and apply a system policy with
authentication enabled to your appliance before users can log in using
credentials from an external server. For more information, see Managing
Authentication Objects on page 269 and Configuring Authentication Profiles
on page 329.

Managing Users
5. In the Password field, type a password (up to 32 alphanumeric characters).

If you enable password strength checking, the password must be at least
eight alphanumeric characters of mixed case and must include at least one
numeric character. It cannot be a word that appears in a dictionary or include
consecutive repeating characters.
6. In the Confirm Password field, type the password again.
7. Configure the remaining password user account options.
For more information, see the User Account Password Options table on
page 304.
8. Select user roles to grant to the user.
For more information, see the User Roles table on page 305.
9. Optionally, for users with event analyst roles, click Restrict Deletion Rights - User
Cannot Delete Bookmarks, Searches, Reports, Report Profiles, Custom Workflows or
Custom Tables Created by Other Users to restrict the user to deletion of reports,
report profiles, searches, bookmarks, custom tables, and custom workflows
created by the user.
10. Click Add User.
A message appears, indicating that the user was added. The username
appears on the User Management page.
IMPORTANT! Click Deactivate next to the name of an internally authenticated

user on the User Management page to disable that user login without
deleting it. To reactivate a user, click Activate next to the username.
Managing Externally Authenticated User Accounts

Requires: DC/MDC or When an externally authenticated user logs into an appliance that has external
3D Sensor authentication enabled, the appliance grants the user the default access role you
set by specifying group membership in the authentication object. If you did not
configure access group settings, the appliance grants the default user role you
set in the system policy. However, if you add users locally before they log into the
appliance, the user privileges you configure on the User Management page
override the default settings.
An internally authenticated user is converted to external authentication when all
of the following conditions exist:
• You enable LDAP or RADIUS authentication.
• The same username exists for the user on the LDAP or RADIUS server.
• The user logs in using the password stored for that user on the LDAP or
RADIUS server.

Managing Users
Once an internally authenticated user converts to an externally authenticated

user, you cannot revert to internal authentication for that user.
For more information on selecting a default user role, see Configuring
Authentication Profiles on page 329 and Understanding User Privileges on
page 267.
Note that you can only enable external authentication in a system policy on a
Defense Center. You must use the Defense Center to apply the policy to
managed sensors if you want to use external authentication on them.
For more information on associating an external user with a set of permissions on
your appliance, see Logging into the Appliance to Set Up an Account on page 23.
For more information on modifying user access, see Modifying User Privileges
and Options on page 306. Note that you cannot manage passwords for externally
authenticated users or deactivate externally authenticated users through the
Sourcefire 3D System interface. For externally authenticated users, you cannot
remove the minimum access rights through the Sourcefire 3D System user
management page for users assigned an access role because of LDAP group or
RADIUS list membership or attribute values. On the Edit User page for an
externally authenticated user, rights granted because of settings on an external
authentication server are marked with a status of Externally Modified.
You can, however, assign additional rights. When you modify the access rights for
an externally authenticated user, the Authentication Method column on the User
Management page provides a status of External - Locally Modified.
Managing User Password Settings

You can also control how and when the password for each user account is
changed, as well as when user accounts are disabled. The User Account

Managing Users
Password Options table describes some of the options you can use to regulate
passwords and account access.
IMPORTANT! After you enable Use External Authentication Method, password

options no longer appear. Use the external authentication server to manage
password settings.
User Account Password Options
Option Description
Use External Select this option if you want this user's credentials to be
Authentication externally authenticated.
Method
IMPORTANT! If you select this option for the user and
the external authentication server is unavailable, that user
can log into the web interface but cannot access any
functionality.
Maximum Enter an integer, without spaces, that determines the

Number of Failed maximum number of times each user can try to log in
Logins after a failed login attempt before the account is locked.
The default setting is five tries; use 0 to allow an unlimited
number of failed logins.
Days Until Enter the number of days after which the user’s password
Password will expire. The default setting is 0, which indicates that
Expiration the password never expires.
Days Until Enter the number of warning days users have to change
Expiration their password before their password actually expires.
Warning The default setting is 0 days.
WARNING! The number of warning days must be less
than the number of days before the password expires
Force Password Select this option to force the user to change his
Reset on Login password the first time the user logs in.
Check Password Select this option to require strong passwords. A strong

Strength password must be at least eight alphanumeric characters
of mixed case and must include at least one numeric
character. It cannot be a word that appears in a dictionary
or include consecutive repeating characters.
Configuring User Roles

The User Roles table contains a synopsis of each access type. For a full list of the
menus available to each access type, see User Account Privileges on page 312.

Managing Users
Note that you cannot change the authentication type for a user after you create
the user account. In addition, externally authenticated users cannot authenticate
unless the external authentication server is available.
Note that you can restrict an event analyst user’s deletion rights to only allow
deletion of report profiles, searches, bookmarks, custom tables, and custom
workflows created by that user. Select Restrict Deletion Rights - User Cannot Delete
Items Created by Other Users to restrict the user’s deletion rights.
You cannot remove minimum access rights through the Sourcefire 3D System
user management page for users assigned an access role because of LDAP
group or RADIUS list membership or attribute values . You can, however, assign
additional rights.
WARNING! If you want to change the minimum access setting for a user, you
must not only move the user from one list to another in the authentication object
or change the user's attribute value or group membership on the external
authentication server, you must reapply the system policy, and you must remove
the assigned user right on the user management page.
User Roles
User Role Privileges
Administrator Provides access to analysis and reporting features, rule and

Access policy configuration, system management, and all
maintenance features. Administrator users see the main
toolbar as well as all the menu options.
Note that you should limit use of the Administrator role for
security reasons.
Maintenance Provides access to monitoring and maintenance features.

User Access Maintenance users see the main toolbar and maintenance-
related options on the Operations top-level menu.
RNA Event Provides access to RNA analysis features, including event

Analyst views, network maps, host profiles, services,
Access vulnerabilities, client applications, and reports. RNA Event
Analysts see the main toolbar and RNA analysis-related
options on the Analysis & Reporting and Operations menus.
RNA Event Provides read-only access to analysis features, including

Analyst (Read event views, network maps, host profiles, services,
Only) Access vulnerabilities, client applications, incidents, and reports.
RNA Event Analysts see the main toolbar and analysis-
related options on the Analysis & Reporting and Operations
menus.

Managing Users
User Roles (Continued)
User Role Privileges
Intrusion Event Provides access to IPS analysis features, including intrusion

Analyst event views, incidents, and reports. Intrusion Event
Access Analysts see the main toolbar and IPS analysis-related
Intrusion Event Provides read-only access to IPS analysis features, including

Analyst (Read intrusion event views, incidents, and reports. Intrusion
Only) Access Event Analysts see the main toolbar and IPS analysis-related
Restricted Provides access to the same features as Intrusion Event

Event Analyst Analyst or RNA Event Analyst access. You can restrict
Access access by allowing access to only for those events that
match specified search criteria or you can turn off access for
an entire category of events. See Modifying Restricted
Event Analyst Access Properties on page 307 for more
information. Restricted event analyst users see only the
main toolbar and analysis-related options on the Analysis &
Reporting and Operations menus.
Policy & Provides access to rules and policy configuration. Policy &
Response Response Administrators have access to the main toolbar
Administrator and rule and policy-related options on the Policy & Response
Access and Operations menus.
Modifying User Privileges and Options

Requires: DC/MDC or After adding user accounts to the system, you can modify access privileges,
3D Sensor account options, or passwords at any time. Note that password management
options do not apply to users who authenticate to an external directory server.
You manage those settings on the external server. However, you must configure
access rights for all accounts, including those that are externally authenticated.
For externally authenticated users, you cannot remove the minimum access
rights through the Sourcefire 3D System user management page for users
assigned an access role because of LDAP group or RADIUS list membership or
attribute values. You can, however, assign additional rights. When you modify the
access rights for an externally authenticated user, the Authentication Method
column on the User Management page provides a status of External - Locally
Modified.
Note that if you change the authentication for a user from externally authenticated
to internally authenticated, you must supply a new password for the user.

Managing Users
To modify user account privileges:

2. Click Edit next to the user you want to modify.
The Edit User page appears.
3. Modify the account or accounts as needed:
• See Managing Externally Authenticated User Accounts on page 302 for
a description of how users can be authenticated through external
servers.
• See Managing User Password Settings on page 303 for information on
changing password settings for internally authenticated users.
• See Configuring User Roles on page 304 for more information on
configuring roles to grant access for Sourcefire 3D System functions.
• Optionally, for users with event analyst roles, select or clear the Only
delete items created by user option to manage the user’s ability to delete
of items not created by that user.
Modifying Restricted Event Analyst Access Properties

Requires: DC/MDC or User accounts with Restricted Event Analyst access use saved searches to
3D Sensor specify which events a user can view. You can specify this information only after
the user is added. See Adding New User Accounts on page 300 for information
about adding new user accounts.

Managing Users
Restricted event analyst users have access to only a few sections of the web
interface. The Restricted Event Analyst Settings table shows the correlation
between platform and access requirements for the restricted event analyst.
Restricted Event Analyst Settings
To allow the restricted When these Set this data set or data sets to
event analyst to... platforms are Show All or to a specific search
present...
view the network map DC + RNA One or more of the following:

• Host Attributes Data
• RNA Client Applications
Data
• RNA Hosts Data
• RNA Services Data
• Vulnerabilities Data
view network discovery DC + RNA RNA Events Data

events
view hosts DC + RNA RNA Hosts Data
view host attributes DC + RNA Host Attributes Data
view services DC + RNA RNA Services Data
view vulnerabilities DC + RNA Vulnerabilities Data
view client applications DC + RNA RNA Client Applications Data
view flow data DC + RNA Flow Data
view compliance events DC + RNA Compliance Events Data
view white list events DC + RNA White List Events Data
view white list violations DC + RNA White List Violations Data
view users or user DC + RUA Users Data

events
view intrusion events IPS Intrusion Events Data
use the clipboard IPS N/A - included in the base set of

rights for the restricted analyst
role

Managing Users
Restricted Event Analyst Settings (Continued)
To allow the restricted When these Set this data set or data sets to
event analyst to... platforms are Show All or to a specific search
present...
generate (but not view) IPS All data sets for which the user
reports will generate reports
create (but not modify) IPS All data sets for which the user
incident reports will create incident reports
change user-specific DC/MDC or N/A - included in the base set of

preferences such as the 3D Sensor rights for the restricted analyst
account password, time role
zone, and event view
settings
create custom DC/MDC or All data sets for which the user
workflows and, on the 3D Sensor will create custom workflows
Defense Center, custom
tables
create and manage DC/MDC or All data sets for which the user
bookmarks 3D Sensor will need to create or access
bookmarks
view events from a Platforms All data sets for the applicable
custom table required to custom tables
view custom
table
If you want to ensure that a user only sees data for a specific subnet, create
multiple private saved searches, one for each of the event types, and then apply
each saved search to the account as described in the following procedure.
IMPORTANT! You must have saved private searches available before you can add
restricted event analyst values to a user account. Searches must be private. If
they are saved as public, restricted event analyst users could delete the searches
and enhance their access privileges. See Searching for Events in the Analyst
Guide for more information.
To restrict event analyst access to events:

2. Click Edit next to the user to whom you want to grant restricted event analyst
rights.

Managing Users
3. If the user you want to modify does not already have the Restricted Event
Analyst option enabled, select Restricted Event Analyst.
IMPORTANT! You cannot select Restricted Event Analyst if Administrator,

Intrusion Event Analyst, Intrusion Event Analyst (Read Only), RNA Event Analyst, or
RNA Event Analyst (Read Only) access is enabled.
The Restrictions section of the page appears. The Defense Center version of
the page is shown below.
IMPORTANT! If you created any custom tables on the Defense Center, they
appear on this page.
4. For each row, you have three choices:

• To grant access to all events for a category, select Show All Data.
• To grant access to events that match a specific saved search, select the
search that you want to use to restrict the user account.
• To deny access to all events in a category, select Hide Data.
5. Click Save to save your changes and return to the User Management page.

Managing Users
Modifying User Passwords

Requires: DC/MDC or You can modify user passwords from the User Management page for internally
3D Sensor authenticated users. Note that you must manage externally authenticated user
passwords on the LDAP or RADIUS server.
TIP! If you want to force a user to change the password on the next log-in, click
Reset Password next to the user account on the User Management page.
To change a user’s password:

2. Next to the user name, click Edit.
The Edit User page appears.
3. In the Password field, type the new password (up to 32 alphanumeric

characters).

Managing Users
4. In the Confirm Password field, re-type the new password.
IMPORTANT! If password strength checking is enabled for the user account,

the password must have at least eight alphanumeric characters of mixed
case, with at least one number. It cannot be a word that appears in a
dictionary or contain consecutive repeating characters.
5. Make any other changes you want to make to the user configuration:
• For more information on password options, see Managing User
Password Settings on page 303.
• For more information on user roles, see Configuring User Roles on
page 304.
6. Click Save.
The password is changed and any other changes saved.
Deleting User Accounts

Requires: DC/MDC or You can delete user accounts from the system at any time, with the exception of
3D Sensor the admin account, which cannot be deleted.
To delete a user account:

2. Next to the user whose account you want delete, click Delete.
The account is deleted.
User Account Privileges

Requires: DC/MDC or The following sections provide a list of the menus and toolbar options in
3D Sensor Sourcefire 3D System and the user account privileges required to access them.
For more information on the access notations used in the tables that follow and
throughout this documentation, see Access Requirements Conventions on
page 39.
• Analysis & Reporting Menu on page 313
• Policy & Response Menu on page 316
• Operations Menu on page 317
• Toolbar Options on page 319

Managing Users
Analysis & Reporting Menu

Requires: IPS or DC/ The Analysis & Reporting Menu table lists the user account privileges required to
MDC access each option on the Analysis & Reporting menu. An X indicates that the
user can access the option. Users with only Rules or Maintenance access cannot
see the Analysis & Reporting menu at all.
Analysis & Reporting Menu
Menu Admin Maint RNA/ IPS/ Restricted P&R

RNA-RO IPS-RO Event Admin
Event Event Analyst
Analyst Analyst
Event Summary X X X X
Intrusion Event Statistics X X
Event Graphs X X
Dashboards X X X X
RNA Statistics X X X
Flow Summary X X X
IPS X X X X
Events X X X X
Reviewed Events X X X X
Clipboard X X X X
Incidents X X
RNA X X X
Network Map | Hosts X X X
Network Map | Network Devices X X X
Network Map | Services X X X
Network Map | Vulnerabilities X X X
Network Map | Host Attributes X X X

Managing Users
Analysis & Reporting Menu (Continued)

Event Event Analyst
Analyst Analyst
RNA Events X X X
Hosts X X X
Host Attributes X X X
Services X X X
Client Applications X X X
Flow Data X X X
Vulnerabilities X X X
RUA X X X X
Users X X X X
RUA Events X X X X
Compliance X X X X
Compliance Events X X X X
White List Events X X X X
White List Violations X X X X
Custom Tables X X X
Searches X X X X X
Audit Log X
Client Applications X X X
Compliance Events X X X X
Flow Data X X X
Health Events X X X

Managing Users
Analysis & Reporting Menu (Continued)

Event Event Analyst
Analyst Analyst
Host Attributes X X X
Hosts X X X
Intrusion Events X X X X
Remediation Status X
RNA Events X X X X
RUA Events X X X X
Scan Results X
Services X X X
SEU Import Log X X
Users X X X X
Vulnerabilities X X X
White List Events X X X X
White List Violations X X X X
Custom Workflows X X X X
Bookmarks X X X X
Report Profiles X X X

Managing Users
Policy & Response Menu

Requires: IPS or DC/ The Policy & Response Menu table lists the user account privileges required to
MDC access each option on the Policy & Response menu. An X indicates that the user
can access the option. Users with Intrusion Event Analyst, RNA Event Analyst, or
Maintenance access can not see the Policy & Response menu at all.
Policy & Response Menu
Menu Admin Maint RNA/ IPS/ Res. P&R

Event Event Analyst
Analyst Analyst
IPS X X
Intrusion Policy X X
SEU X X
Rule Editor X X
Email X X
OPSEC X X
RNA X X
Detection Policy X X
Host Attributes X X
RNA Detectors X X
Custom Fingerprinting X X
Custom Product Mappings X
User 3rd Party Mappings X
Network Map | Custom Topology X
Compliance X X
Policy Management X X
Rule Management X X

Managing Users
Policy & Response Menu (Continued)

Event Event Analyst
Analyst Analyst
White List X X
Traffic Profiles X X
Responses X X
Alerts X X
Impact Flag Alerts X X
RNA Event Alerts X X
Remediations X X
Groups X X
Operations Menu
Requires: DC/MDC or The Operations Menu table lists the user account privileges required to access
3D Sensor each option on the Operations menu. An X indicates that the user can access the
option. All users can access at least some options on the Operations menu.
Operations Menu

Event Event Analyst
Analyst Analyst
Configuration X
RNA/RUA Event Purge X X
Detection Engines X
High Availability X
eStreamer X
Login Authentication X

Managing Users
Operations Menu (Continued)

Event Event Analyst
Analyst Analyst
RUA X
Sensors X
User Management X
System Settings X
System Policy X
Update X
Monitoring X X X
Statistics X X
Performance | IPS X X
Performance | RNA X X
Audit X
Task Status X X X
Syslog X X
Health X X X
Tools X X X X X X
Scheduling X X
Backup/Restore X
Import/Export X
Whois X X X X X X
Scan Results X X X
Scanners X X

Managing Users
Operations Menu (Continued)

Event Event Analyst
Analyst Analyst
Help X X X X X X
About X X X X X X
Online X X X X X X
Email Support X X X X X X
Support Site X X X X X X
Toolbar Options
Requires: DC/MDC or The Toolbar Options table lists the user account privileges required to access
3D Sensor each option on the toolbar and its sub-menus. An X indicates that the user can
access the option. All users can access at least some of the options on the
toolbar.
Toolbar Options

Event Event Analyst
Analyst Analyst
Health X X X X
Preferences X X X X X X
Preferences | Home Page X X X X X X
Preferences | Event View Settings X X X X
Preferences | Change Password X X X X X X
Preferences | Time Zone Settings X X X X X X
Help X X X X X X
Logout X X X X X X

Chapter 9
Administrator Guide
Managing System Policies
A system policy allows you to manage the following on your Defense Center or
3D Sensor:
• access control lists
• audit log settings
• authentication profiles
• dashboard settings
• database event limits
• detection policy preferences
• DNS cache properties
• the mail relay host and notification address
• tracking intrusion policy changes
• specifying a different language
• custom login banners
• RNA settings, including multiple fingerprint and subnet detection
settings
• RUA settings
• synchronizing time
• serving time from the Defense Center
• mapping vulnerabilities for services
You can use a system policy to control the aspects of your Defense Center that
are likely to be similar for other Sourcefire 3D System appliances in your
deployment. For example, your organization’s security policies may require that

Creating a System Policy Chapter 9
your appliances have a “No Unauthorized Use” message when a user logs in.
With system policies, you can set the login banner once in a system policy on a
Defense Center and then apply the policy to all the sensors that it manages.
You can also benefit from having multiple policies on a 3D Sensor. For example, if
you have different mail relay hosts that you use under different circumstances, or
if you want to test different database limits, you can create several system
policies and switch between them rather than editing a single policy.
Contrast a system policy, which controls aspects of an appliance that are likely to
be similar across a deployment, with system settings, which are likely to be
specific to a single appliance. See Configuring System Settings on page 360 for
more information.
IMPORTANT! You cannot apply system policies to Crossbeam-based software

sensors or Intrusion Agents.

• Creating a System Policy on page 321
• Editing a System Policy on page 323
• Applying a System Policy on page 324
• Deleting System Policies on page 325
Creating a System Policy

Requires: Any When you create a system policy, you assign it a name and a description. Next,
you configure the various aspects of the policy, each of which is described in its
own section.
Instead of creating a new policy, you can export a system policy from another
appliance and then import it onto your appliance. You can then edit the imported
policy to suit your needs before you apply it. For more information, see Importing
and Exporting Objects on page 583.

Creating a System Policy Chapter 9
To create a system policy:

Access: Admin 1. Select Operations > System Policy.
The System Policy page appears.
The Policy Name column includes its description. The Applied To column
indicates the number of appliances where the policy is applied and a count of
out-of-date appliances where the previously applied policy has changed and
should be reapplied.
2. Click Create Policy.
The Create page appears.
3. From the drop-down list, select an existing policy to use as a template for
your new system policy.
4. Type a name and description (up to 40 alphanumeric characters and spaces
each) for your new policy.
5. Click Save.
Your system policy is saved and the Access List page appears. For
information about configuring each aspect of the system policy, see one of
the following sections:
• Configuring the Access List for Your Appliance on page 325
• Configuring Audit Log Settings on page 327
• Configuring Authentication Profiles on page 329
• Configuring Dashboard Settings on page 331
• Configuring Database Event Limits on page 332
• Configuring Detection Policy Preferences on page 336
• Configuring DNS Cache Properties on page 337
• Configuring a Mail Relay Host and Notification Address on page 338
• Configuring Intrusion Policy Preferences on page 339
• Specifying a Different Language on page 340
• Adding a Custom Login Banner on page 341
• Configuring RNA Settings on page 342

Editing a System Policy Chapter 9
• Configuring RNA Subnet Detection Settings on page 349

• Configuring RUA Settings on page 352
• Synchronizing Time on page 354
• Serving Time from the Defense Center on page 357
• Mapping Vulnerabilities for Services on page 358
Editing a System Policy

Requires: Any You can edit a system policy that is currently in use, but remember to re-apply the
policy as explained in Applying a System Policy on page 324.
To edit an existing system policy:

The System Policy page appears, including a list of the existing system
policies.
2. Click Edit next to the system policy that you want to edit.
With the Policy Name and Policy Description fields at the top, Access List, the
first section of the system policy, appears. You can change the policy name
and description. For information about configuring each aspect of the system
policy, see one of the following sections:

Applying a System Policy Chapter 9

IMPORTANT! If you are editing the current system policy, make sure you
apply the updated policy when you are finished. See Applying a System Policy
on page 324.
Applying a System Policy

Requires: Any After you create or edit a system policy, your settings do not take effect until you
apply it.

To apply a system policy:

policies.
2. Click Apply next to the system policy that you want to apply.
On the 3D Sensor, the system policy is applied.
On the Defense Center, the Apply page appears. If a policy has been updated
since it was applied, the name of the policy appears in italics.
3. On the Defense Center, select the sensors, and, if required, the Defense
Center itself, where you want to apply the system policy.
TIP! You can sort the sensors by sensor group, model, type of sensor, or
previously applied policy. You can also select an entire group.
4. Click Apply.
A message appears indicating that the task is added to the task queue.

Deleting System Policies Chapter 9
Deleting System Policies

Requires: Any You can delete a system policy even if it is in use. If the policy is still in use, it is
used until a new policy is applied. Default system policies cannot be deleted.
To delete a system policy:

policies.
2. Click Delete next to the system policy that you want to delete.
The policy is deleted.
Configuring the Parts of Your System Policy

Requires: Any You can change various parts of your system policy. For information about
configuring each aspect of the system policy, see one of the following
sections:
Configuring the Access List for Your Appliance

Requires: Any The Access List page allows you to control which computers can access your
appliance on specific ports. By default, port 443 (Hypertext Transfer Protocol

Configuring the Parts of Your System Policy Chapter 9
Secure, or HTTPS), which is used to access the web interface and port 22 (Secure
Shell, or SSH), which is used to access the command line, are enabled for any IP
address.
WARNING! By default, access to the appliance is not restricted. To operate the

appliance in a more secure environment, consider adding access to the appliance
for specific IP addresses and then deleting the default any option.
The access list is part of the system policy. You can specify the access list either
by creating a new system policy or by editing an existing policy. In either case, the
access list does not take effect until you apply the system policy.
To configure the access list:

• To modify the access list in an existing system policy, click Edit next to
the system policy.
• To configure the access list as part of a new system policy, click Create
Policy.
Provide a name and description for the system policy as described in
Creating a System Policy on page 321, and click Save.
In either case, the Access List page appears.
3. To delete one of the current settings, click Delete.
WARNING! If you delete access for the IP address that you are currently
using to connect to the appliance interface (and if there is no entry for
“IP=any port=443”), you will lose access to the system when you apply the
policy.
The setting is removed.

4. To add access for one or more IP addresses, click Add.

The Add IP Address page appears.
5. In the IP Address field, use the following syntax depending on the IP

addresses you want to add:
• an exact IP address (for example, 192.168.1.101)
• an IP address range using CIDR notation (for example, 192.168.1.1/24)
For information on using CIDR in the Sourcefire 3D System, see IP
Address Conventions on page 41.
• any, to designate any IP address
6. Select SSH, HTTPS, or both to specify which ports you want to enable for
these IP addresses, then click Add.
The Access List page appears again, reflecting the changes you made.
TIP! You can click Add to add access for additional IP addresses or click
Delete to remove access from other IP addresses.
7. Click Save Policy and Exit.

The system policy is updated. Your changes do not take effect until you apply
the system policy. See Applying a System Policy on page 324 for more
information.
Configuring Audit Log Settings

Requires: Any You can configure the system policy so that the appliance streams an audit log to
an external host.
IMPORTANT! You must ensure that the external host is functional and accessible
from the appliance sending the audit log.
The name of the sending host is part of the sent information and you can further
identify the audit log stream with a facility, a severity, and an optional tag. The
appliance does not send the audit log until you apply the system policy.

To configure the audit log settings:

The System Policy Page appears.
• To modify the audit log settings in an existing system policy, click Edit
next to the system policy.
• To configure the audit log settings as part of a new system policy, click
Create Policy.
3. Click Audit Log Settings.
4. Select Enabled next to Send Audit Log to Syslog.
The default setting is Disabled.
5. Designate the destination host for the audit information by using the IP
address or the fully qualified name of the host in the Host field. The default
port (514) is used.
WARNING! The computer you configure to receive an audit log must be set
up to accept remote messages. Otherwise, the appliance may the send audit
log to the host, but it will not be accepted.
6. Label the audit data that you are sending with a facility and severity.
The default for Facility is USER. The default for Severity is INFO. However, you
can select any of the standard syslog facility and severity settings.
7. Optionally, insert a reference tag in the TAG field.
the system policy to the Defense Center and its managed sensors. See
Applying a System Policy on page 324 for more information.
After you apply a policy with this feature enabled and your destination host is
configured to accept the audit log, the syslog messages are sent. The following is
an example of the output structure:
Date Time Host [Tag] Sender: [User_Name]@[User_IP], [Subsystem], [Action]
where the local date, time, and hostname precede the bracketed optional tag,
and the sending device name precedes the audit log message.
For example:
Mar 01 14:45:24 localhost [TAG] Dev-DC3000: admin@10.1.1.2,
Operations > Monitoring, Page View

Configuring Authentication Profiles

Requires: DC/MDC Normally, when a user logs into a Sourcefire 3D System Defense Center or
managed sensor, the appliance verifies the user credentials by comparing them
to a user account stored in the Defense Center or managed sensor’s local
database. However, if you create an authentication object referencing an external
authentication server, you can apply the system policy to let users logging into
the Defense Center or managed sensor authenticate to that server rather than
using the local database.
When you apply a policy with authentication enabled to an appliance, the
appliance verifies the user credentials against users on an LDAP or RADIUS
server. In addition, if a user has internal authentication enabled and the user
credentials are not found in the internal database, the appliance then checks the
external server for a set of matching credentials. If a user has the same username
on multiple systems, all passwords across all servers work. Note, however, that if
authentication fails on the available external authentication servers, the appliance
does not revert to checking the local database.
When you enable authentication, you can set the default user role for any user
whose account is externally authenticated. You can select multiple roles, as long
as those roles can be combined. For example, if you set up an authentication
profile that retrieves only users in the Network Security group in your company,
you may set the default user role to include both the Intrusion Event Analyst role
and the RNA Event Analyst so users can access collected event data without any
additional user configuration on your part. However, if your authentication profile
retrieves records for other personnel in addition to the security group, you would
probably want to leave the default role unselected. For more information on
available user roles, see Understanding User Privileges on page 267.
Note that when you create an LDAP authentication object on your Defense
Center, you can set a filter search attribute to specify the set of users who can
successfully authenticate against the LDAP server. See Configuring Attribute
Mapping on page 274 for more information.
If no access role is selected, users can log in but cannot access any functionality.
After a user attempts to log in, their account is listed on the User Management
page, where you can edit the account settings to grant additional permissions. For
more information on modifying a user account, see Modifying User Privileges and
Options on page 306. For a complete procedure for logging in initially as an
externally authenticated user, see Logging into the Appliance to Set Up an
Account on page 23.
If you configure the system policy to use one user role and apply the policy, then
later modify the policy to use different default user roles and re-apply, any user
accounts created before the modification retain the first user role until you modify
or delete and recreate them.
The Authentication Profiles page only displays in the system policy on a Defense
Center. You can enable authentication in a system policy on your Defense Center
and then push that policy to managed sensors. Once you apply the policy to a

sensor, eligible externally authenticated users can log into the sensor. However,
the system policy on the sensor does not display authentication profile settings,
so you cannot manage them on the sensor itself. To make changes to the
authentication profile settings, you have to modify the policy on the Defense
Center and then push it to the sensor again. To disable authentication on a
managed sensor, you can either disable it in a system policy on the Defense
Center and push that to the sensor or apply a local system policy (which cannot
contain authentication profile settings) on the sensor.
Note that you can only enable external authentication on Defense Centers and
3D Sensors. Enabling external authentication by applying a system policy is not
supported on the following sensor types:
• 3Dx800 sensors
• Crossbeam-based software sensors
• Intrusion Agents
• RNA Software for Red Hat Linux
If a user with internal authentication attempts to log in, the appliance first checks
if that user is in the local user database. If the user exists, the appliance then
checks the username and password against the local database. If a match is
found, the user logs in successfully. If the login fails, however, and external
authentication is enabled, the appliance checks the user against each external
authentication server in the authentication order shown in the system policy. If
the username and password match results from an external server, the appliance
changes the user to an external user with the default privileges for that
authentication object.
If an external user attempts to log in, the appliance checks the username and
password against the external database. If a match is found, the user logs in
successfully. If the login fails, the user login attempt is rejected. External users
cannot authenticate against the user list in the local database. If the user is a new
external user, an external user account is created in the local database with the
default privileges for the external authentication object.
To enable authentication of users on external servers:

Access: Admin 1. On the Defense Center, select Operations > System Policy.
• To modify the authentication profile settings in an existing system
policy, click Edit next to the system policy.
• To configure the authentication profile settings as part of a new system
policy, click Create Policy.

3. Click Authentication Profiles.

The Authentication Profiles page appears.
4. From the Status drop-down list, select Enabled.

5. From the Default User Role drop-down list, select a user role to define the
default permissions you want to grant to users authenticated externally.
TIP! Press Ctrl before selecting roles to select multiple default user roles.
Note that although you can select both an event analyst role and the
corresponding read-only event analyst role, only the analyst role is applied.
6. If you want to use the external server to authenticate shell access accounts
as well, select Enabled from the Shell Authentication drop-down list.
7. To enable use of an authentication object, click Enable next to the object.
IMPORTANT! You must enable at least one authentication object to enable

external authentication.
8. Optionally, use the up and down arrows to change the order in which
authentication servers are accessed when an authentication request occurs.
Remember that shell access users can only authenticate against the server
whose authentication object is highest in the profile order.
Configuring Dashboard Settings

Requires: Any You can configure the system policy so that Custom Analysis widgets are enabled
on the dashboard. Dashboards provide you with at-a-glance views of current

system status through the use of widgets: small, self-contained components that
provide insight into different aspects of the Sourcefire 3D System.
The Custom Analysis widget allows you to create a visual representation of
events based on a flexible, user-configurable query of the events in your
appliance's database. See Understanding the Custom Analysis Widget on
page 69 for more information on how to use custom widgets.
To enable Custom Analysis widgets:

• To modify the dashboard settings in an existing system policy, click Edit
• To configure the dashboard settings as part of a new system policy, click
Create Policy. Provide a name and description for the system policy as
described in Creating a System Policy on page 321, and click Save.
3. Click Dashboard.
The Dashboard Settings page appears.
4. Select the Enable Custom Analysis Widgets check box to allow users to add
Custom Analysis widgets to dashboards; clear the check box to prohibit users
from using those widgets.
By default, Custom Analysis widget use is enabled
the system policy. See Deleting System Policies on page 325for more
information.
Configuring Database Event Limits

Requires: Any You can use the Database page to specify the maximum number of events you
want to store on an appliance. To improve performance, you should try to tailor
the database event limit to the number of events you regularly work with.
In most cases, the minimum number of records you can store in any database is
one record (or, in the case of the compliance violation history database, one day’s
history). However, for some databases, you can choose not to store any events.

These databases include those that store RNA and RUA events, as well as flow
events, flow summaries, and health events.
The Database Event Limits on page 333 below describes the maximum number
of records you can store in the databases on your appliance. Note that if you apply
a system policy to an appliance that does not support the maximum limit you
specify (for example, if you specify 100 million intrusion events and apply that
policy to a 3D Sensor), the maximum limit for the appliance is silently enforced.
In addition, database limits that do not apply to a particular appliance are silently
ignored. For example, if you use the Defense Center to apply the same system
policy to itself and the 3D Sensors it manages, any health alert limits you set in
the policy have no effect on the sensors.

Database Event Limits
The... Is the database that stores... And can store up to...
Intrusion Event intrusion events on a Defense 2.5 million events on the DC500
Database (Defense Center or on a Master Defense 10 million events on the Virtual Defense
Center or Master Center (which is always a DC3000) Center or the DC1000
Defense Center) 100 million events on the DC3000
Intrusion Event intrusion events on a 3D Sensor 2 million events

Database
(3D Sensor)
RNA Event Database RNA network discovery events on 10 million events

a Defense Center
RNA Flow Database RNA flows on a Defense Center 10 million events on the DC500, Virtual
Defense Center, or DC1000
100 million events on the DC3000
RNA Flow Summary RNA flow summaries (aggregated 10 million events on the DC500, Virtual
Database RNA flows) on a Defense Center Defense Center, or DC1000
100 million events on the DC3000
Compliance & White compliance events and white list 1 million events
List Event Database events on a Defense Center or
Master Defense Center
Health Event health events on a Defense Center 1 million events

Database or Master Defense Center

Database Event Limits (Continued)
The... Is the database that stores... And can store up to...
Audit Event audit records 100,000 records

Database
Remediation Status remediation status events on a 10 million events

Event Database Defense Center
White List Violation the white list violation history of a 30-day history of violations
History Database the hosts on your network, on a
Defense Center
RUA Event Database RUA events on a Defense Center 10 million events
RUA History RUA storage of user logins on a 10 million user login records
Database Defense Center
SEU Import Log SEU import log records 1 million records

Database
Note that if the number of events in the intrusion event database exceeds the
maximum, the oldest events and packet files are pruned until the database is back
within limits. In addition, if the /volume disk partition reaches 85% of its capacity,
unified files are deleted from the system, beginning with the oldest files. See
Configuring a Mail Relay Host and Notification Address on page 338 for
information about generating automated email notifications when events are
automatically pruned.
For information on manually pruning the RNA and RUA databases, see Purging
the RNA and RUA Databases on page 598.
To configure the maximum number of records in the database:

• To modify the database settings in an existing system policy, click Edit
• To configure the database settings as part of a new system policy, click
Create Policy.

3. Click Database.
The Database page appears. The following graphic shows the Database page
on a DC1000 Defense Center.
4. For each of the databases, enter the number of records you want to store.
For information on how many records each database can maintain, see
Database Event Limits on page 333.


information.
Configuring Detection Policy Preferences

Requires: Any The Detection Policy Preferences page allows you to configure whether you must
confirm your action when you apply RNA detection policies and intrusion policies.
If you enable this setting, whenever you apply an RNA detection policy or an
intrusion policy to one or more detection engines, the appliance prompts you to
confirm that you want to apply the policy. The appliance also warns you if the
detection engine has a different policy applied to it than the one you are
attempting to apply.
To configure detection policy preferences:

• To modify the detection policy preferences in an existing system policy,
click Edit next to the system policy.
• To configure the detection policy preferences as part of a new system
policy, click Create Policy. Provide a name and description for the system
policy as described in Creating a System Policy on page 321, and click
Save.
3. Click Detection Policy Preferences.
The Detection Policy Preferences page appears.
4. Do you want to confirm your action when you apply RNA detection policies
and intrusion policies?
• If yes, select Yes from the drop-down list.
• If no, select No from the drop-down list.
information.

Configuring DNS Cache Properties

Requires: Any If you have a DNS server configured on the Network page, you can configure the
appliance to resolve IP addresses automatically on the event view pages. As an
administrator, you can also configure basic properties for DNS caching performed
by the appliance. Configuring DNS caching allows you to identify IP addresses
you previously resolved without performing additional lookups. This can reduce
the amount of traffic on your network and speed the display of event pages when
IP address resolution is enabled.
To configure the DNS cache properties:

• To modify the DNS cache settings in an existing system policy, click Edit
• To configure the DNS cache settings as part of a new system policy,
click Create Policy.
3. Click DNS Cache.
The DNS Cache page appears.
4. Next to DNS Resolution Caching, select Enabled to enable caching or Disabled to

disable it.
IMPORTANT! DNS resolution caching is a system-wide setting that allows

the caching of previously resolved DNS lookups. To configure IP address
resolution on a per-user-account basis, users must also select Event View
Settings from the User Preferences menu, enable Resolve IP Addresses, and
then click Save. For information about configuring DNS servers, see
Configuring Network Settings on page 377. For information about configuring
event preferences, see Configuring Event View Settings on page 27.
5. In the DNS Cache Timeout field, enter the number of minutes a DNS entry
remains cached in memory before it is removed for inactivity.
The default setting is 300 minutes (five hours).


information.
WARNING! Although DNS caching is enabled for the appliance, IP address

resolution is not enabled on a per-user basis unless it is configured on the
Events page accessed from the User Preferences menu.
Configuring a Mail Relay Host and Notification Address

Requires: Any If you plan to:
• email event-based reports
• email status reports for scheduled tasks
• use email for RNA event, impact flag, and compliance event alerting
(Defense Center only - requires RNA)
• use email for intrusion event alerting (Defense Center only - requires IPS)
• use email for health event alerting (Defense Center only)
you must configure a mail host. In addition, you can configure an email address
that will receive notifications when intrusion events and audit logs are pruned
from the database.
To configure a mail relay host:

• To modify the email settings in an existing system policy, click Edit next
to the system policy.
• To configure the email settings as part of a new system policy, click
Create Policy.

3. Click Email Notification.

The Configure Email Notification page appears.
4. In the Mail Relay Host field, type the hostname or IP address of the mail server
you want to use.
IMPORTANT! The mail host you enter must allow access from the appliance.
5. Optionally, in the Data Pruning Notification Address field, enter the email
address you want to receive notifications when intrusion events and audit
logs are pruned from the appliance’s database.
information.
Configuring Intrusion Policy Preferences

Requires: Any You can allow or require comments to be added to the audit log when an intrusion
policy changes. You can also track all changes to intrusion policies in the audit log.
To configure intrusion policy change tracking:

• To modify the intrusion policy preferences in an existing system policy,
• To configure the intrusion policy preferences as part of a new system
3. Click Intrusion Policy Preferences.
The Intrusion Policy Preferences page appears.

4. Select Disabled, Optional, or Required from the Comments on policy change

drop-down list.
If you select Optional or Required, a Description of Changes text box appears
when you commit your intrusion policy changes.
5. Optionally, if you want to track changes to intrusion policies, select Write
changes in Intrusion Policy to audit log.
information.
Specifying a Different Language

Requires: Any You can use the Language page to specify a different language for the web
interface.
WARNING! The language you select here is used for the web interface for every
user who logs into the appliance.
To select a different language for the user interface:

• To modify the language settings in an existing system policy, click Edit
• To configure the language settings as part of a new system policy, click
Create Policy.
3. Click Language.
The Language page appears.
4. Select the language you want to use.


information.
Adding a Custom Login Banner

Requires: Any You can create a custom login banner that appears when users log into the
appliance using SSH and on the login page of the web interface. Banners can
contain any printable characters except the less-than symbol (<) and the greater-
than symbol (>).
Custom login banners are part of the system policy. You can specify the login
banner either by creating a new system policy or by editing an existing policy. In
either case, the login banner is not used until you apply the system policy.
To add a custom banner:

• To modify the login banner in an existing system policy, click Edit next to
the system policy.
• To configure the login banner as part of a new system policy, click Create
Policy.
3. Click Login Banner.
The Login Banner page appears.
4. In the Custom Login Banner field, enter the login banner that you want to use
with this system policy.


information.
Configuring RNA Settings

Requires: DC/ MDC + You can configure several aspects of RNA behavior through the system policy,
RNA including how RNA stores data, what RNA and host input events are logged,
which vulnerability types to use for impact assessment, whether identity conflict
events are logged, whether operating system and service identity conflicts are
automatically resolved, and the priority of active sources of identity data.
• Understanding RNA Data Storage Settings on page 342
• Understanding Vulnerability Impact Assessment Settings on page 345
• Understanding Multiple Fingerprint Settings on page 345
• Configuring Settings for RNA on page 347
Understanding RNA Data Storage Settings

Requires: DC/ MDC + RNA data storage settings, as described in the following table, control the kinds
RNA of RNA data stored in the database, and therefore determine the data that other
parts of the Sourcefire 3D System can use. These settings also control how long
data is retained in the network map.
RNA Data Storage Settings
Field Description
Host Timeout The amount of time that passes, in minutes, before RNA drops a host from
the network map due to inactivity. The default setting is 10080 minutes (7
days).
IMPORTANT! To avoid premature timeout of hosts, make sure that the host
timeout value is longer than the update interval in the RNA detection policy.
For more information, see Creating RNA Detection Policies in the Analyst
Guide.
Service Timeout The amount of time that passes, in minutes, before RNA drops a service from
the network map due to inactivity. The default setting is 10080 minutes (7
days).
IMPORTANT! To avoid premature timeout of services, make sure that the
service timeout value is longer than the update interval in the RNA detection
policy. For more information, see Creating RNA Detection Policies in the
Analyst Guide.

RNA Data Storage Settings (Continued)
Field Description
Client Application The amount of time that passes, in minutes, before RNA drops a client
Timeout application from the network map due to inactivity. The default setting is
10080 minutes(7 days).
IMPORTANT! Make sure that the client application timeout value is longer than
the update interval in the RNA detection policy. For more information, see
Creating RNA Detection Policies in the Analyst Guide.
Drop New Hosts Select this check box if you want new hosts rather than old hosts dropped
When Host Limit when the Defense Center reaches its host limit and the network map is full.
Reached This option is especially valuable if you want to prevent spoofed hosts from
taking the place of valid hosts in the network map.
Combine Flows for Select this check box if you want you want to combine flow summaries
Out-Of-Network involving external hosts.
Responders
Enabling this option treats flow summary data from IP addresses that are not
in your list of monitored networks (as defined by your RNA detection policy) as
coming from a single host. Event views, graphs, and reports use external to
indicate the hosts outside your monitored network, instead of an individual IP
address.
The Defense Center will combine flow summaries involving a host on your
monitored network and one or more external hosts if the flows use the same
port, protocol, service, and if they were detected by the same detection
engine (for flows detected by 3D Sensor) or were exported by the same
NetFlow-enabled device and were processed by the same detection engine.
This can reduce the space required to store flow data and can also speed up
the rendering of flow data graphs. However, if you enable this option and you
attempt to drill down to the table view of flow data (that is, access data on
individual flows) for a flow summary that involves an external responder, the
table view contains no information.
Note that you can also use the RNA detection policy to force your 3D Sensors
to combine flow summaries involving external hosts before they transmit the
data to the Defense Center, which can reduce the number of events sent to
the Defense Center. However, keep in mind that setting this option in the RNA
detection policy requires that you set your flow data mode to Summary, which
prevents your 3D Sensors from transmitting individual flows to the Defense
Center and therefore prevents you from taking advantage of any feature that
requires data from individual flows. For more information, see Combining Flow
Summaries from External Responders in the Analyst Guide as well as
Configuring RNA Detection Policy Settings in the Analyst Guide.

RNA Data Storage Settings (Continued)
Field Description
Drop Duplicate RNA Select this check box if you want the Defense Center to drop duplicate flow
Flow Events events generated by 3D Sensors with RNA.
Duplicate flow events can be created if you use two RNA detection policies,
each of which is monitoring a separate network segment using separate
detection engines. In that scenario, each detection engine generates a flow
event when RNA detects that a connection is terminated between a
monitored host on one of the networks and a monitored host on the other
network. On the other hand, if you use one policy to monitor both networks,
only the reporting detection engine for the flow initiator generates a flow
event.
Duplicate flow events can also be created if you overlap network segment
coverage with your RNA detection engines in your RNA detection policy.
Note that best practices are to use only one detection policy and to not overlap
network segment coverage; not following best practices can degrade
performance as the Defense Center attempts to resolve the conflicts, and can
also use excessive bandwidth.
Drop Duplicate Select this check box if you want the Defense Center to drop duplicate flow
NetFlow Events events that are based on NetFlow data. Duplicate NetFlow events can be
created, for example, if two NetFlow-enabled devices export information
about the same session.
Just as with RNA flow events, best practices are to avoid creating duplicate
NetFlow events, For more information, see Drop Duplicate RNA Flow Events.

Understanding Vulnerability Impact Assessment Settings

Requires: DC/ MDC + The RNA vulnerability impact assessment settings, as described in the following
RNA table, control which vulnerability types to use for impact assessment.
Vulnerability Impact Assessment Settings
Field Description
Vulnerabilities to use Select the check boxes in this section to configure how the Sourcefire 3D
for Impact System performs impact flag correlation with intrusion events.
Assessment • Select the Use RNA Vulnerability Mappings check box if you want to use RNA
Requires: IPS vulnerability information to perform impact flag correlation.
• Select the Use Third Party Scanner Vulnerability Mappings check box if you are
using an integrated scan capability or the AddScanResult host input API
function and you want to use vulnerability lookups from the scanner to
perform impact flag correlation. For example, if you scan using Nessus,
select this option to use the Nessus vulnerability mappings. For more
information, see Understanding Nessus Scans in the Analyst Guide or the
Sourcefire 3D System Host Input API Guide.
• Select the Third Party Vulnerability Mappings check box if you want to use
third-party vulnerability references to perform impact flag correlation. For
more information, see Mapping Third-Party Vulnerabilities in the Analyst
Guide.
You can select any or all of the check boxes in this section; if IPS generates an
intrusion event and the Sourcefire 3D System is able to use any of the
methods you specified to determine that the host involved in the event is
vulnerable to the attack or exploit, the intrusion event will be marked with the
red (Vulnerable) impact flag. Note that if you clear all the check boxes, intrusion
events will never be marked with the red impact flag. For more information,
see Using Impact Flags to Evaluate Events in the Analyst Guide.
RNA Event Logging Expand this section and use the check boxes to specify the types of RNA
network discovery events that you want to log in the database. See
Understanding RNA Network Discovery Event Types in the Analyst Guide for
information about each event type
Host Input Event Expand this section and use the check boxes to specify the types of RNA host
Logging input events that you want to log in the database. See Understanding RNA
Host Input Event Types in the Analyst Guide for information about each event
type.
Understanding Multiple Fingerprint Settings

Requires: DC + RNA RNA matches fingerprints for operating systems and services against patterns in
traffic to determine what operating system and which services are running on a
particular host. To provide the most reliable operating system and service identity
information, RNA collates fingerprint information from several sources.

RNA uses all passive data to derive operating system identities and assign a
confidence value. For more information on current identities and how RNA
selects the current identity, see Enhancing Your Network Map in the Analyst
Guide.
By default, unless there is an identity conflict, identity data added by a scanner or
application overrides identity data detected by RNA. You can use the Multiple
Fingerprinting page to rank scanner and application fingerprint sources by priority.
RNA retains one identity for each source, but only data from the highest priority
application or scanner source is used as the current identity. Note, however, that
user input data overrides scanner and application data regardless of priority.
An identity conflict occurs when RNA detects an identity that conflicts with an
existing identity that came from the active scanner or application sources listed
on the Multiple Fingerprinting page or from a user. By default, identity conflicts
are not automatically resolved and you must resolve them through the host
profile or by rescanning the host or re-adding new identity data to override the
RNA identity. However, you can set your system to always automatically resolve
the conflict by keeping the passive identity or to always resolve it by keeping the
active identity, as indicated in the Multiple Fingerprint Settings table.
You can add new active sources through this page, or change the priority or
timeout settings for existing sources. Note that adding a scanner to this page
does not add the full integration capabilities that exist for the Nmap and Nessus
scanners, but does allow integration of imported application or scan results. If you
import data from a third-party application or scanner, remember to make sure that
you map vulnerabilities from the source to the RNA vulnerabilities in the network

map. For more information, see Mapping Third-Party Vulnerabilities in the Analyst
Guide.
Multiple Fingerprint Settings
Option Description
Generate Identity Conflict Event Enable this option to generate an event when an identity conflict
occurs on a host in the network map.
Automatically Resolve Conflicts You have the following options:

• To force manual conflict resolution of identity conflicts, select
Disabled from the Automatically Resolve Conflicts drop-down list.
• To use the RNA fingerprint when an identity conflict occurs,
select Passive from the Automatically Resolve Conflicts drop-down
list.
• To use the current identity from the highest priority active
source when an identity conflict occurs, select Active from the
Automatically Resolve Conflicts drop-down list.
Scanner/ Application List You have several options:

• To add a new source, click Add in the Multiple Fingerprints page
of the system policy. Type a name for the source.
• To change the type of source, select Scanner or Application,
from the Type drop-down list.
• To indicate the duration of time that should elapse between the
addition of an identity to the network map by this source and
the deletion of that identity, select Hours, Days, or Weeks from
the Timeout drop-down list and type the appropriate duration.
• To promote a source and cause the operating system and
service identities to be used in favor of sources below it in the
list, click the up arrow next to the source name.
• To demote a source and cause the operating system and
service identities to be used only if there are no identities
provided by sources above it in the list, click the down arrow
next to the source name.
Configuring Settings for RNA

Requires: DC + RNA Use the following procedure to configure RNA settings in the system policy.
To specify RNA settings:



• To modify the RNA settings in an existing system policy, click Edit next
• To configure the RNA settings as part of a new system policy, click
Create Policy.
3. Click RNA Settings.
The RNA Settings page appears.
4. Specify the RNA data storage settings that you want for your Defense Center.
See the RNA Data Storage Settings table on page 342 for more information.

5. Optionally, specify the RNA network discovery events that you want to log by
clicking the arrow next to RNA Event Logging. All the event types are enabled
by default.
See the RNA Network Discovery Event Types table in the Analyst Guide for
more information.
6. Optionally, specify the RNA host input events that you want to log by clicking
the arrow next to Host Input Event Logging. All the event types are enabled
by default.
See the RNA Host Input Event Types table in the Analyst Guide for more
information.
7. Optionally, configure multiple fingerprint settings to manage operating
system and service source priorities and identity conflict resolution settings.
See the Multiple Fingerprint Settings table on page 347 for more information.
information.
Configuring RNA Subnet Detection Settings

Requires: DC + RNA Optimally, your RNA detection policy specifies that each RNA detection engine is
configured as the reporting detection engine for the hosts that are closest to it
from a network hop standpoint.
Unfortunately, you may not always be kept abreast of network configuration
changes. A network administrator may modify a network configuration through
routing or host changes without informing you, which can make it challenging to
stay on top of proper RNA policy configurations. Subnet detection allows RNA to
make recommendations about which are the best detection engines to analyze
the traffic on the various network segments in your organization.
As RNA continuously monitors your network traffic, it may be able to refine any
subnet recommendations it has made for your RNA detection policies, especially
if your network configuration has been altered through routing or host changes.
Choosing which subnets to monitor with which detection engines is an iterative
process that you should revisit from time to time.
Alternately, as a time-saving and performance-maximizing measure, you can use
the system policy to configure RNA to automatically generate subnet
recommendations for your currently applied RNA detection policies on a daily
basis. Optionally, you can configure the Defense Center to automatically update
those policies and apply the updated policies to your RNA detection engines.
If you do not configure the Defense Center to automatically apply subnet
recommendations, you must revisit the detection policy after you apply it for the
first time so that you can manually evaluate and apply any subnet
recommendations. This is because RNA only gathers secondary information

(hops and MAC address data) about hosts in subnets that are set to autodetect.
To get detailed information about the hosts in a subnet, including operating
system and service identity data, flow data, and so on, you must explicitly assign
an RNA detection engine to monitor that subnet.
The following diagram illustrates the automated subnet detection process. Note
that you can configure the Defense Center to notify you of subnet
recommendations via email so that you can make the changes manually, or, if you
configured the Defense Center to automatically apply recommendations, to notify
you of any changes made.

For more information on subnet detection, see Introduction to Sourcefire RNA in

the Analyst Guide.
IMPORTANT! For performance reasons, RNA only automatically generates

recommendations for RNA deployments running on Version 4.9 and later
3D Sensors. If your RNA deployment includes even one legacy (pre-Version 4.9)
3D Sensor, you must manually generate and apply recommendations for your
RNA detection policies. For more information, see Manually Generating Subnet
Recommendations in the Analyst Guide.
To configure RNA subnet detection settings:

• To modify the RNA subnet detection settings in an existing system
policy, click Edit next to the system policy.
• To configure the RNA subnet detection settings as part of a new system
3. Click RNA Subnet Detection Settings.
The RNA Subnet Detection Settings page appears.
4. Optionally, in the Mail Notifications To field, enter the email address where you
want to receive notifications of new subnet recommendations.
TIP! To receive email notifications, you must configure a valid mail relay host;
see Configuring a Mail Relay Host and Notification Address on page 338.
5. From the Generate Recommendations Daily At drop-down list, select the time
when you want RNA to automatically generate daily subnet
recommendations for all applied RNA detection policies.
To disable daily generation of subnet recommendations, select Disabled.

6. Enable the Automatically Apply Daily Recommendations check box to

automatically update and apply your RNA detection policies after RNA
generates subnet recommendations.
Note that this option has no effect unless you enable daily recommendations.
information.
Configuring RUA Settings

Requires: DC + RUA You can use the RUA settings in the system policy to filter which types of
network activity cause RUA to add users to the database.
Sourcefire RUA (see Using Sourcefire RUA in the Analyst Guide) is an optional
component of the Sourcefire 3D System that allows you to correlate network
activity with user identity information. When RUA detects a user login for a user
who is not already in the database, an RUA user is added to the Defense Center
user database. RUA can add users to the database using the following types of
detected protocols:
• LDAP
• AIM
• POP3
• IMAP
• Oracle
• SIP (VoIP)
Note that although RUA detects SMTP logins, the Defense Center does not
record them unless there is already a user with a matching email address in the
database; RUA users are not added to the database based on SMTP logins.
The RUA feature license on the Defense Center (see Licensing RUA in the
Analyst Guide) specifies the number of users you can monitor with RUA. After
you reach your licensed limit, RUA stops adding new users to the Defense Center
database.
Restricting RUA helps minimize username clutter and preserve RUA licenses. For
example, obtaining usernames through protocols such as AIM, POP3, and IMAP
can introduce usernames not relevant to your organization due to network access
from contractors, visitors, and other guests. In addition, AIM, Oracle, and SIP
logins always create duplicate user records. This is because these logins are not
associated with any of the user metadata that RUA obtains from an LDAP server,

nor are they associated with any of the information contained in the other types
of login that your 3D Sensors detect.
IMPORTANT! Sourcefire RUA Agents installed on Microsoft Active Directory

LDAP servers collect only LDAP user login information. Therefore, unless your
RUA implementation includes 3D Sensors with RUA, filtering non-LDAP logins
has no effect. For more information on RUA Agents and 3D Sensors with RUA,
see How Do I Choose an RUA Implementation? in the Analyst Guide.
To filter RUA users based on network activity type:

• To modify the RUA settings in an existing system policy, click Edit next
• To configure the RUA settings as part of a new system policy, click
Create Policy.
3. Click RUA Settings.
The RUA Detection Settings page appears.
4. Select the check boxes that correspond to the types of logins that will create
RUA users.
By default, all login types cause RUA to add users to the database.
information.

Synchronizing Time
Requires: Any You can manage time synchronization on the appliance using the Time
Synchronization page. You can choose to synchronize the time:
• manually
• using one or more NTP servers (one of which can be a Defense Center)
Time settings are part of the system policy. You can specify the time settings
either by creating a new system policy or by editing an existing policy. In either
case, the time setting is not used until you apply the system policy.
Note that time settings are displayed on most pages on the appliance in local time
using the time zone you set on the Time Zone page (America/New York by
default), but are stored on the appliance itself using UTC time. In addition, the
current time appears in UTC at the top of the Time Synchronization page (local
time is displayed in the Manual clock setting option, if enabled).
You must use native applications, such as command line interfaces or the
operating system interface, to manage time settings for software sensors:
• For more information on configuring settings for Crossbeam Systems
Switches, see the Sourcefire 3D Sensor Software for X-Series Installation
Guide.
• For more information on configuring settings for RNA Software for Red Hat
Linux, see the Sourcefire RNA Software for Red Hat Linux Configuration
Guide.
• You manage time settings on an Intrusion Agent through the operating
system.
You can synchronize the appliance’s time with an external time server. If you
specify a remote NTP server, your appliance must have network access to it.
Connections to NTP servers do not use configured proxy settings. To use the
Defense Center as an NTP server, see Serving Time from the Defense Center on
page 357.
Sourcefire recommends that you synchronize your virtual appliances to a physical
NTP server. Do not synchronize your 3D Sensors (virtual or physical) to a Virtual
Defense Center.
The procedure for synchronizing time differs slightly depending on whether you
are using the web interface on a Defense Center or a 3D Sensor. Each procedure
is explained separately below.
To synchronize time on the Defense Center:



• To modify the time settings in an existing system policy, click Edit next
• To configure the time settings as part of a new system policy, click
Create Policy.
3. Click Time Synchronization.
The Time Synchronization page appears.
4. If you want to serve time from the Defense Center to your managed sensors,
in the Serve time via NTP drop-down list, select Enabled.
Note that if you set this option to Enabled and then apply the system policy to
a sensor rather than a Defense Center, this value is ignored. Only Defense
Centers can act as NTP servers.
5. You have two options for specifying how the time is synchronized on the
appliance:
• To set the time manually, select Manually in the System Settings. See
Setting the Time Manually on page 389 for information about setting
the time after you apply the system policy.
• To receive time through NTP from a different server, select Via NTP
Server from and, in the text box, type a comma-separated list of IP
addresses for the NTP servers you want to use or, if DNS is enabled,
type the fully qualified host and domain names.
WARNING! If the appliance is rebooted and your DHCP server sets an NTP
server record different than the one you specify here, the DHCP-provided
NTP server will be used instead. To avoid this situation, you should configure
your DHCP server to set the same NTP server.


information.
IMPORTANT! It may take a few minutes for the appliance to synchronize

with the configured NTP servers.
To synchronize time on a 3D Sensor:

• To modify the time settings in an existing system policy, click Edit next
• To configure the time settings as part of a new system policy, click
Create Policy.
4. You have two options for specifying how time is synchronized on the
3D Sensor:

• To set the time manually, select Manually in the System Settings. See
Setting the Time Manually on page 389 for information about setting
the time after you apply the system policy.
• To receive time through NTP from different servers, select Via NTP
Server from and, in the text box, type a comma-separated list of IP
addresses of the NTP servers or, if DNS is enabled, type the fully
qualified host and domain names.
information.
IMPORTANT! It may take a few minutes for the 3D Sensor to synchronize

with the configured NTP servers. In addition, if you are synchronizing the
3D Sensor to a Defense Center that is configured as an NTP server, and the
Defense Center itself is configured to use an NTP server, it may take some
time for the time to synchronize. This is because the Defense Center must
first synchronize with its configured NTP server before it can serve time to
the 3D Sensor.
Serving Time from the Defense Center

Requires: DC/MDC You can configure the Defense Center as a time server using NTP and then use it
to synchronize time between the Defense Center and managed 3D Sensors.
TIP! You cannot set the time manually after configuring the Defense Center to
serve time using NTP. If you need to manually change the time, you should do so
before configuring the Defense Center to serve time using NTP. If you need to
change the time manually after configuring the Defense Center as an NTP server,
disable the Via NTP option and click Save, change the time manually and click Save,
and then enable Via NTP and click Save.
IMPORTANT! If you configure the Defense Center to serve time using NTP, and
then later disable it, the NTP service on managed sensors will still attempt to
synchronize time with the Defense Center. You must disable NTP from the
managed sensors’ web interfaces to stop the synchronization attempts.
To configure the Defense Center as an NTP server:

Access: Admin 1. On the Defense Center, select Operations > System Policy.


• To modify the NTP server settings in an existing system policy, click Edit
• To configure the NTP server settings as part of a new system policy,
click Create Policy.
4. From the Serve Time via NTP drop-down list, select Enabled.
5. In the Set My Clock option for the sensors, select Via NTP from Defense Center.
IMPORTANT! It may take a few minutes for the Defense Center to

synchronize with its managed sensors.
Mapping Vulnerabilities for Services

Requires: DC/MDC RNA automatically maps vulnerabilities to a host for any service traffic received or
sent by the host, when the service has a service ID in the RNA database and the
packet header for the traffic includes a vendor and version.
However, many services do not include vendor and version information. For the
services listed in the system policy, you can configure whether RNA associates
vulnerabilities with service traffic for vendor and versionless services.
For example, a host receives SMTP traffic that does not have a vendor or version
in the header. If you enable the SMTP service on the Vulnerability Mapping page
of a system policy, then apply that policy to the Defense Center managing the
sensor that detects the traffic, all vulnerabilities associated with SMTP
applications are added to the host profile for the host.
Note that although RNA detectors collect service information and add it to host
profiles, the service information will not be used for vulnerability mapping
because you cannot specify a vendor or version for a custom service and cannot
select the service for vulnerability mapping in the system policy.

To configure vulnerability mapping for services:

• To modify active fingerprint source settings in an existing system policy,
• To configure active fingerprint source settings as part of a new system
3. Click Vulnerability Mapping.
The Vulnerability Mapping page appears.

• To prevent vulnerabilities for a service from being mapped to hosts that
receive service traffic without vendor or version information, clear the
check box for that service.
• To cause vulnerabilities for a service to be mapped to hosts that receive
service traffic without vendor or version information, select the check
box for that service.
TIP! You can select or clear all check boxes at once using the check box next
to Enable.


Chapter 10
Administrator Guide
Configuring System Settings
The system settings include a series of linked pages that you can use to view and
modify settings on your appliance. Contrast the system settings, which are likely
to be specific to a single appliance, with a system policy, which controls aspects
of an appliance that are likely to be similar across a deployment. See Managing
System Policies on page 320 for more information.

Chapter 10
The System Settings Options table describes the options you can configure in the
system settings.
System Settings Options
Option Description
Information Allows you to view current information about the appliance.

You can also change the appliance name. See Viewing and
Modifying the Appliance Information on page 362 for more
information.
License Provides you with options for managing your current

licenses and for adding additional feature licenses on the
platforms that support them. See Understanding Licenses
on page 364 for more information.
Network Enables you to change options such as the IP address,

hostname, and proxy settings of the appliance that were
initially set up as part of the installation. See Configuring
Network Settings on page 377 for more information.
Network Allows you to view and modify the settings for the network
Interface interfaces on your appliance. See Editing Network Interface
Configurations on page 380 for more information.
Process Provides options that you can use to:

• restart the Sourcefire 3D System-related processes
See Shutting Down and Restarting the System on page 382
Remote On the 3D Sensor, enables you to establish

Management communications with a Defense Center from the sensor.
See Configuring Remote Access to the Defense Center on
On the Defense Center, enables you to specify values for
the internal network and management port that the
Defense Center uses to communicate with its managed
sensors and high availability peer. See Configuring the
Communication Channel on page 383 for more information.
Time Displays the current time. If the time synchronization

settings in the current system policy for the appliance is set
to Manual, then you can use this page to change the time.
See Setting the Time Manually on page 389 for more
information.

Viewing and Modifying the Appliance Information Chapter 10
System Settings Options (Continued)
Option Description
Health On the Defense Center, allows you to temporarily disable

Blacklist health monitoring for a 3D Sensor to prevent the Defense
Center from generating unnecessary health events. See
Blacklisting Health Modules on page 391 for more
information.
NetFlow On the Defense Center, allows you to specify the

Devices NetFlow-enabled devices you want to use to collect flow
data. See Specifying NetFlow-Enabled Devices on page 392
Remote On Series 2 DC1000 and DC3000 Defense Centers, allows

Storage you to configure remote storage for backups and reports.
See Managing Remote Storage on page 393 for more
information.
To configure the system settings:

Access: Admin X Select Operations > System Settings.
The Information page appears, with a list on the left side of the page that you
can use to access other system settings. The Series 2 DC1000 or DC3000
Defense Center version of this the page is shown below.
Viewing and Modifying the Appliance Information

Requires: Any The Information page provides you with information about the Defense Center or
3D Sensor. The information includes view-only information such as the product
name and model number, the operating system and version, and the current
appliance-level policies. The page also provides you with an option to change the
name of the appliance.
IMPORTANT! You cannot view sensor information for Intrusion Agents.

Viewing and Modifying the Appliance Information Chapter 10
The Appliance Information table describes each field.
Appliance Information
Field Description
Name A name you assign to the appliance. Note that this name
is only used within the context of the Sourcefire 3D
System. Although you can use the hostname as the name
of the appliance, entering a different name in this field
does not change the hostname.
Product Model The model name for the appliance.
Software Version The version of the software currently installed.
Store Events Enable this check box to store event data on the Defense
Only on Defense Center, but not the managed sensor. Clear this check box
Center to store event data on both appliances.
Prohibit Packet Enable this check box to prevent the managed sensor
Transfer to the from sending packet data with the events. Clear this
Defense Center check box to allow packet data to be stored on the DC
with events.
Operating The operating system currently running on the appliance.

System

System Version the appliance.
IP Address The IP address of the appliance.
Current Policies The appliance-level policies currently applied to the

appliance. If a policy has been updated since it was last
applied, the name of the policy appears in italics.
Model Number The model number for the appliance. This number can be
important for troubleshooting.

Understanding Licenses Chapter 10
To modify the appliance information:

The Information page appears. The Defense Center version of the page is
shown below.
For comparison, the 3D Sensor version of the page is shown below.
2. To change the appliance name, type a new name in the Name field.
WARNING! The name must be alphanumeric characters and should not be

composed of numeric characters only.
3. To save your changes, click Save.

The page refreshes and your changes are saved.
Understanding Licenses
Requires: Any You can license a variety of products and features to create your optimal
deployment. For Defense Centers, the Sourcefire 3D System requires that you
enable IPS by applying a product license file to each appliance as part of the
installation process. You can also add feature licenses such as RNA host licenses
and Intrusion Agent licenses.

See the following for more information:

• Understanding Feature Licenses on page 366
• Verifying Your Product License on page 368
• Managing Your Feature Licenses on page 370
You can use a variety of appliances and optional features in your deployment. To
understand why and when to use these licenses, see the Sourcefire Licenses
table on page 365.
Sourcefire Licenses
You apply a.. to... so that you can...
Product License a 3D Sensor or a use IPS on that appliance.

Defense Center
during installation For information on adding a
product license, see Sourcefire
3D Sensor Installation Guide,
and Sourcefire Defense Center
Installation Guide.
For information on IPS, see
Introduction to Sourcefire IPS in
Sourcefire 3D System Analyst
Guide
Feature License a Defense Center use additional features such as

at any time RNA, RUA, and so on.
For information on how the
various features function, see
Understanding Feature Licenses
on page 366.
For information on how to add a
feature license, see Adding
Feature Licenses on page 370.
Virtual License a Defense Center use virtual machines.

at any time
For information on how to use
virtual appliances, see Sourcefire
Virtual Defense Center and
3D Sensor Installation Guide.
TIP! You can view your licenses by using the Product Licensing widget in the
dashboard. See Understanding the Product Licensing Widget on page 84 for
more information.

Understanding Feature Licenses

The Feature Licenses table describes how to determine which features to license
for your deployment.
Feature Licenses
If you want to... you need a license for...
capture and export data about the traffic that NetFlows.

passes through NetFlow-enabled devices
monitor hosts on your network (including hosts RNA Hosts.

discovered by NetFlow-enabled devices) to
observe your network traffic to analyze a
complete, up-to-the-minute profile of your
network
correlate threat, endpoint, and network RUA Users.

intelligence with user identity information
identify the source of policy breaches, attacks, or RUA Users and either
network vulnerabilities RNA Hosts or the
product license (or both).
transmit events generated by open source Snort Intrusion Agents.

installations to the Defense Center
IPS for use with Crossbeam Systems X-Series IPS Software Sensors.
NetFlow
NetFlow is an embedded instrumentation within Cisco IOS Software that
characterizes network operation. Standardized through the RFC process, NetFlow
is available not only on Cisco networking devices, but can also be embedded in
Juniper, FreeBSD, and OpenBSD devices.
NetFlow-enabled devices are widely used to capture and export data about the
traffic that passes through those devices. The NetFlow cache stores a record of
every flow (a sequence of packets that represents a connection between a
source and destination host) that passes through the devices. You can deploy
NetFlow-enabled devices on networks that your sensors cannot monitor, and use
NetFlow data to monitor those networks.
You must use a Defense Center to configure NetFlow data collection and to view
the collected data, and your deployment must include at least one 3D Sensor
with RNA that can communicate with your NetFlow-enabled devices. Although
you can use NetFlow-enabled devices exclusively to monitor your network, the
Sourcefire 3D System uses RNA detection engines on 3D Sensors to analyze
NetFlow data. For more information, see Introduction to NetFlow in the
Sourcefire 3D System Analyst Guide.

RNA Host
Sourcefire RNA allows your organization to confidently monitor and protect your
network using a combination of forensic analysis, behavioral profiling, and built-in
alerting and remediation. 3D Sensors with RNA passively observe your
organization’s network traffic and analyze it to provide you with a complete, up-to-
the-minute profile of your network.
By default, RNA is installed on most 3D Sensors. (The 3D9800 does not support
RNA.) Sourcefire also makes key components of RNA available in installation
packages for Red Hat Linux servers and Crossbeam Systems security switches.
However, to control how network intelligence is gathered and to view the
resulting information, you must manage 3D Sensors with RNA with a Defense
Center. In addition, to enable RNA functionality, that Defense Center must have
an RNA host license installed and the 3D Sensor must have a product license
installed. For more information, see Introduction to Sourcefire RNA in the
Sourcefire 3D System Analyst Guide.
RUA Host
Sourcefire Real-time User Awareness, also called RUA, allows your organization
to correlate threat, endpoint, and network intelligence with user identity
information. By linking network behavior, traffic, and events directly to individual
users, RUA can help you to identify the source of policy breaches, attacks, or
network vulnerabilities, as well as mitigate risk, block users or user activity, and
take action to protect others from disruption. These capabilities also significantly
improve audit controls and enhance regulatory compliance.
All RUA deployments require a Defense Center that has an RUA feature license
installed. If your organization uses LDAP, you can use the user information on your
LDAP server to augment the Defense Center’s database of user identity
information with available metadata. For more information, see Using Sourcefire
RUA in the Sourcefire 3D System Analyst Guide.
Intrusion Agent
If you have an existing installation of Snort®, you can install an Intrusion Agent to
forward intrusion events to a Defense Center. You can then analyze the events
detected by Snort alongside your other data.
Although you cannot manage policies or rules for an Intrusion Agent from the
Defense Center, you can do analysis and reporting on those events. If the
network map on the Defense Center has entries for the target host in a given
event, the Defense Center assigns impact flags to the events. You can continue
to manually tune Snort rules and preprocessors with the Intrusion Agent in place.
For more information, see Sourcefire 3D System Intrusion Agent Configuration
Guide.

IPS Software Sensor

An IPS Software Sensor allows you to use 3D Sensor Software for X-Series on a
Crossbeam® Next Generation Security Platform to gather network intelligence
and intrusion information. For more information, see Sourcefire Crossbeam
Installation Guide XOS.
For information on adding, viewing, and deleting feature licenses, see Managing
Your Feature Licenses on page 370.
Verifying Your Product License

Requires: Any During installation, the user who sets up the appliance adds the software license
as part of the process. In most cases, you do not need to re-install the license.
To verify the product license file:

2. Click License.

3. Under Product Licenses, click Edit.

The Manage License page appears.
4. Click Verify License.

• If the license file is valid, a message appears under the License field. Do
not proceed to step 5.
• If the license file is invalid, you will receive an error message. Continue
with step 5 to obtain a license and install it.
5. Click Get License.
The Licensing Center web site appears.
IMPORTANT! If your web browser cannot access the Internet, you must
switch to a host that can access it. Copy the license key at the bottom of the
page and browse to https://keyserver.sourcefire.com/.
6. Follow the on-screen instructions for an appliance license to obtain your

license file, which will be sent to you in an email.
7. Copy the license file from the email, paste it into the License field (as shown
in Step 3), and click Submit License.
If the license file is correct, the license is added to the appliance, and the
features for the appliance are available in the web interface.
IMPORTANT! If you purchased a feature license, click Add New License and add it
using the Add Feature License page. For more information about feature licenses,
see Managing Your Feature Licenses on page 370.

Managing Your Feature Licenses

Requires: DC The Defense Center uses feature licenses to allow for additional features. Feature
licenses include:
• NetFlow licenses, which specify the number of NetFlow-enabled devices
you can use to gather flow data
• RNA host licenses, which specify the number of hosts that you can monitor
with RNA
• RUA licenses, which allow you to use the RUA feature
• Intrusion Agent licenses, which allow you to use intrusion agents
• 3D Virtual Sensors, which allow you use virtual sensors in your deployment
• IPS licenses for Crossbeam, which allow you to use 3D Sensor Software
with IPS on Crossbeam Systems security switches
When you purchase license packs for any licensable feature, you must add them
to the Defense Center from the web interface.
• Adding Feature Licenses on page 370
• Viewing Feature Licenses on page 372
• Configuring Network Settings on page 377
Adding Feature Licenses

Requires: DC If you need to obtain a feature license for a feature you purchased, you can
request it from the web interface. Before beginning, you should have the 12-digit
feature license serial number provided by Sourcefire when you purchased the
licensable feature. If you do not have the serial number, you can find it by logging
into the Sourcefire Support Site (https://support.sourcefire.com/), clicking
Account, then clicking Products & Contracts. The serial number appears in the
Sourcefire Software & Licenses section.
IMPORTANT! Both Defense Centers in a high-availability pair must have NetFlow

licenses for at least the number of NetFlow-enabled devices you are using. If one
Defense Center does not have a NetFlow license, it will not receive data from
your NetFlow-enabled devices.

To add a license:
2. Click License.
3. Click Add New License.

The Add Feature License page appears.

4. Click Get License.

The Licensing Center web site appears.
IMPORTANT! If your web browser cannot access the Internet, you must
switch to a host that can access it. Copy the license key at the bottom of the
page and browse to https://keyserver.sourcefire.com/.
5. Follow the on-screen instructions for a feature license to obtain your license
file, which will be sent to you in an email.
6. After you receive an email with the feature license file, copy the license file
from the email, paste it into the License field, and click Submit License.
If the license file is correct, the license is added to the appliance, and the
licensed feature is available. You can repeat this process for each feature
license you need to add.
TIP! Your Defense Center can have multiple feature licenses (for example,
one or more licenses for RNA Hosts in addition to one or more licenses for
Intrusion Agents, RUA, and so on). Note that there is only one product
license.
Viewing Feature Licenses

Requires: DC The licenses page displays the product and feature licenses that you have added
to the Defense Center.
The first license that appears shows the Defense Center’s product license which
shows the license status, model code, node (MAC address), and expiration date,
and provides a link that allows you to view or edit the license. For more
information about viewing and modifying product licenses, see Verifying Your
Product License on page 368.
If you have feature or host licenses installed, they appear itemized below the
product license. A summary of your licenses appears below the itemized list, and
shows the total number of hosts, connections, exporters, virtual appliances, or
users allowed by the sum of your feature or host licenses.
TIP! You can also view licenses by using the Product Licensing widget on the
dashboard. See Understanding the Product Licensing Widget on page 84 for
more information.

The NetFlow License Columns table describes each column that appears in a
NetFlow license.
NetFlow License Columns
Column Description
Feature ID Displays the ID number that corresponds with the feature

being licensed.
Serial Number Displays the feature serial number.
Status Indicates if the license is valid, invalid, or if a temporary

license has expired.
Model Displays the appliance model number.
Allowed NetFlow Lists the number of NetFlow-enabled devices that the

Exporters license allows you to use.
Node Displays the appliance’s MAC address.
Expires Displays the date and time that the feature license
expires.
Action Allows you to delete the feature license by clicking Delete.
The RNA Host License Columns table describes each column that appears in an
RNA host license.
RNA Host License Columns
Column Description

being licensed.

Number of Lists the number of monitored hosts added by the

Hosts license.

RNA Host License Columns (Continued)
Column Description
expires.
Action Allows you to delete the host license by clicking Delete.
The RUA License Columns table describes each column that appears in an RUA
host license.
RUA License Columns
Column Description

being licensed.

Number of Lists the number of monitored users added by the

Users license.
expires.
The Intrusion Agent License Columns table describes each column that appears
in an intrusion agent license.
Intrusion Agent License Columns
Column Description

being licensed.

Intrusion Agent License Columns (Continued)
Column Description

Swagent Max Lists the maximum number of software agent

Connections connections allowed by the license.
expires.
The Virtual 3D Sensor License Columns table describes each column that appears
in an intrusion agent license.
Virtual 3D Sensor License Columns
Column Description

being licensed.

Allowed Virtual Lists the maximum number of Virtual 3D Sensors allowed

Sensors by the license.
Throughput Limit Displays the maximum capacity licensed for processing

by the Virtual 3D Sensor (20, 45, 100, or 250MB).
IMPORTANT! These speeds are not a guaranteed
throughput for the Virtual 3D Sensor you license.
Maximum throughput is limited by other factors such as
number of Virtual Machines on your VMware server, its
connections, and other physical hardware constraints.

Virtual 3D Sensor License Columns (Continued)
Column Description
expires.
The IPS Software License Columns table describes each column that appears in
an IPS Software license.
IPS Software License Columns
Column Description

being licensed.

expires.
To view or delete your feature licenses:


Configuring Network Settings Chapter 10
2. Click License.
The License page appears, showing the product license and any feature
licenses you have added.
3. For the feature that you want to delete, click Delete in the Action column.
Configuring Network Settings

Requires: Any With some exceptions, your Sourcefire 3D System provides a dual stack
implementation so that you can choose IPv4, IPv6, or both IPv4 and IPv6 network
settings in System Settings. The exceptions include software sensors or 3Dx800
sensors. You must use native applications, such as command line interfaces,
third-party user interfaces, or the operating system interface, to manage network
settings for software sensors or 3Dx800 sensors:
• For more information on configuring settings for Crossbeam-based software
sensors, see the Sourcefire 3D Sensor Software for X-Series Installation
Guide.
• For more information on configuring settings for Virtual 3D Sensors, see the
Virtual Defense Center and 3D Sensor Installation Guide.
• For more information on configuring settings for 3Dx800 appliances, see
the 3D Sensor Installation Guide.
• For more information on configuring settings for RNA Software for Red Hat
Linux, see the Sourcefire RNA Software for Red Hat Linux Configuration
Guide.
• For more information on configuring settings for Intrusion Agents, see the
Intrusion Agent Configuration Guide.
You have the following configuration options:
• Disabled (IPv4 or IPv6)
• Manual (IPv4 and IPv6)
• DHCP (IPv4 and IPv6)
• Router assigned (IPv6 only)
If you specify manual, you must manually configure all network properties. If you
specify DHCP, the appliance automatically retrieves its network settings from a

local DHCP server. If, in the case of IPv6, you specify Router assigned, the
appliance retrieves its network settings from a local router.
Manual Network Configuration Settings
Setting Description
Management Interface The IP address for the management interface.

Address and either • For IPv4, you must set the address and
IPv4 Netmask or IPv6
Prefix Length netmask in dotted decimal form (for example:
a netmask of 255.255.0.0).
• For IPv6, you must set the address in
colon-separated hexadecimal form and the
number of bits in the prefix (for example: a
prefix length of 112).
In most installations, the management interface is

connected to an internal, protected network. This is
the network through which Defense Centers and
sensors communicate.
Default Network The IP address of the gateway device for your

Gateway network
Hostname The DNS-resolvable name for the appliance

IMPORTANT! If you change the hostname, the new
name is not reflected in the syslog until after you
reboot the appliance.
Domain The fully-qualified domain name where the

appliance resides
Primary DNS Server The IP address of the DNS server for the network
where the appliance resides
Secondary DNS Server A secondary DNS server’s IP address
Tertiary DNS Server A tertiary DNS server’s IP address
If the appliance is not directly connected to the Internet, you can configure a
proxy server to be used when downloading updates and SEUs. By default, the
appliance is configured to directly connect to the Internet.
To configure network settings:


2. Click Network.
The Network page appears.
3. Specify which IP version (v4, v6, or both) you want to use by selecting the
Configuration from the IPv4 and IPv6 settings:
• Select Disabled to use only the alternative IP version (for example, if
your network uses only IPv6, in the IPv4 section select Disabled).
• Select DHCP to allow DHCP server network setting resolution.
• Select Router assigned (an IPv6-only configuration) to allow router
assigned network setting resolution.
• Select Manual to manually specify network settings.
4. If you selected Manual, specify the network settings.
See the Manual Network Configuration Settings table on page 378 for a full
description of each field you can configure. You can change the Shared
Settings (hostname, domain, and domain servers) if you use manual or router
assigned configurations.

Editing Network Interface Configurations Chapter 10
5. If your appliance is not directly connected to the Internet, you can identify a
proxy server to be used when downloading updates and rules. By default,
appliances are configured to connect directly to the Internet. To configure a
proxy server, you have two options:
• If you have a direct connection from the appliance to the Internet, select
Direct connection.
• If your network uses a proxy, select Manual proxy configuration and enter
the IP address or fully qualified domain name of your proxy server in the
HTTP Proxy field and the port in the Port field.
6. Click Save.
The network settings are changed.
Editing Network Interface Configurations

Requires: DC or You can use the Network Interface page to modify the default settings for each
3D Sensor network interface on your appliance. Any changes you make to the Auto
Negotiate value are ignored for Gigabit interfaces. You must configure 3Dx800
interfaces on the 3Dx800 CLI.
WARNING! Do not modify the settings for the management interface unless you
have physical access to the appliance. It is possible to select a setting that makes
it difficult to access the web interface.
If you change the link mode for a sensing interface, the sensor drops traffic while
the network interface card renegotiates its network connection.
To edit a network interface:

Access: Admin 1. You have two choices:
• To configure network interfaces from a 3D Sensor, select Operations >
System Settings.
• To configure network interfaces from a Defense Center, select
Operations > Sensor, then click Edit next to the 3D Sensor.
The System Settings page appears.

Editing Network Interface Configurations Chapter 10
2. Click Network Interface.

The Network Interface page appears, listing the current settings for each
interface on your appliance.
3. Click Edit next to the interface that you want to modify.

The current settings for the interface appear:
These setting include:

• interface name
• sensor name
• interface type, either Sensing or Management
• interface description
• whether the interface is configured to auto-negotiate speed and duplex
settings

Shutting Down and Restarting the System Chapter 10
• whether the interface is configured for MDI (medium dependent

interface), MDIX (medium dependent interface crossover), or Auto
mode (Series 2 3D Sensors only); N/A in this column indicates that the
interface does not support MDI/MDIX
• the current link mode, including the bandwidth and duplex setting (Full
or Half); N/A indicates that there is no link for the interface
You can modify the interface name and description, MDI/MDIX settings, and
the link mode as needed. However, keep the following in mind:
• In the Auto Negotiate field, select Off only if you require a specific link
mode setting. You cannot change the Auto Negotiate setting for 10Gb
interfaces.
If you need to specify a link mode, select it in the Link Mode field.
Any changes you make to the Auto Negotiate value are ignored for
Gigabit interfaces. You must configure 3Dx800 interfaces on the
3Dx800 CLI.
• Series 2 3D Sensors only If you disable auto negotiation and specify a link
mode, you must also set the MDI/MDIX field to the required MDI or
MDIX mode.
Normally, MDI/MDIX is set to Auto, which automatically handles
switching between MDI and MDIX to attain link. However, when you
set a specific link mode, automatic MDI/MDIX handling is disabled,
making it impossible for the endpoints to attain link unless you manually
set the required MDI/MDIX mode.
4. Click Save.
The Network Interface page appears again.
Shutting Down and Restarting the System

Requires: Any You have several options for controlling the processes on your appliance. You can:
• restart communications, database, and http server processes on the
appliance (this is typically used during troubleshooting)
• restart the RNA and Snort processes (Snort runs on the 3D Sensor only if
you are licensed to use IPS)
IMPORTANT! If you shut down the appliance, the process shuts down the
operating system on the appliance, but does not physically shut off power. To
shut off power to the appliance, you must press the power button on the
appliance, or, for an appliance without a power button, unplug it.

Configuring the Communication Channel Chapter 10
To shut down or restart your appliance:

2. Click Process.
The Appliance Process page appears. The Defense Center version of the
page is shown below.
3. Specify the command you want to perform:

For DC/MDC
• To shut down the Defense Center, click Run Command next to Shutdown
Defense Center.
• To reboot the system, click Run Command next to Reboot Defense Center.
Note that this logs you out of the Defense Center.
• To restart the Defense Center, click Run Command next to Restart Defense
Center Console. Note that restarting the Defense Center may cause
deleted hosts to reappear in the network map.
For 3D Sensor
• To shut down the 3D Sensor, click Run Command next to Shutdown
Appliance.
• To reboot the system, click Run Command next to Reboot Appliance. Note
that this logs you out of the 3D Sensor.
• To restart the 3D Sensor, click Run Command next to Restart Appliance
Console.
• To restart the Snort and RNA processes, click Run Command next to
Restart Detection Engines.
Configuring the Communication Channel

Requires: DC + Version 4.8 and earlier Defense Centers and sensors use a range of internal
3D Sensor network IP addresses called the management virtual network to transmit third-
party communications such as NTP to managed sensors and, in high availability
deployments, to its Defense Center peer. The default address range is 172.16.0.0/
16. The default port for communications between the Defense Center, its
managed sensors, and if high availability is enabled, its high availability peer is
8305/tcp. The communication on port 8305 is bi-directional.
Enhancements in the current software eliminate the need for the management
virtual network provided both the Defense Center and the sensors it manages are

both using the current software. However, if your Defense Center is running the
current version of the software and the sensors it manages are running an older
version of the software, you will need to use a management virtual network and
ensure that it does not conflict with other communications on your network.
IMPORTANT! The management virtual network is required only when the

Defense Center must communicate with sensors running an older version. If both
the Defense Center and all sensors have been upgraded to the current version,
the management virtual network is unnecessary.
For more information, refer to:

• Setting Up the Management Virtual Network on page 384
• Editing the Management Virtual Network on page 385
Setting Up the Management Virtual Network

Requires: DC + If the IP address range or the port conflicts with other communications on your
3D Sensor network, you can specify different values. This is usually configured as part of the
installation process, but you can change it later.
WARNING! The IP address range you specify for the Management Virtual
Network must not conflict with any other local network, including your
management network. The user interface prevents you from entering the address
range for the management network, but make sure you do not to enter a range
that overlaps other local networks. Doing so may break communications between
hosts on the local network.
You must use native applications, such as command line interfaces, third-party
user interfaces, or the operating system interface, to manage the communication
channel sensor settings for Crossbeam-based software sensors, 3Dx800
sensors, and Intrusion Agents. For more information on configuring settings for
Crossbeam-based software sensor, see the Sourcefire 3D Sensor Software for
X-Series Installation Guide. For more information on configuring settings for
3Dx800 sensors, see the Sourcefire 3D Sensor Installation Guide. For more
information on configuring settings for RNA Software for Red Hat Linux, see the
Sourcefire RNA Software for Red Hat Linux Configuration Guide. For more
information on configuring settings for Intrusion Agents, see the Intrusion Agent

Virtual Network. You can not edit the Management Virtual Network field of a Master
Defense Center. The field is filled with 0.0.0.0/24 to indicate that the
Management Virtual Network is disabled on a Master Defense Center.

To configure the communications channel:

3. In the Management Port field, enter the port number that you want to use.
WARNING! Changing the management port on the Defense Center requires

that you also manually change the management port on every managed
sensor.
4. In the Management Virtual Network field, enter the IP address range that you
want to use.
TIP! The subnet mask is fixed at /16 (sixteen bits).
5. Click Save to save your changes for both the IP address range and the port
number.
The new values are saved.
Editing the Management Virtual Network

Requires: DC + You can change the host IP or host name of the connected appliance. You can
3D Sensor also regenerate the Virtual IP address, a feature that is especially useful after
network reconfigurations or appliance updates.
WARNING! If the Management Virtual Network is functioning properly, it should

not be edited. Typically, this function is used only under the direction of Sourcefire
Support.
Master Defense Centers do not currently use a Management Virtual Network.

You can not edit the Management Virtual Network field of a Master Defense Center.
The field is filled with 0.0.0.0/24 to indicate that the Management Virtual Network
is disabled on a Master Defense Center.
Past versions of Sourcefire 3D Systems used a default /24 (twenty-four bit) CIDR
address space, which provided enough addresses for 127 appliances. The current

Configuring Remote Access to the Defense Center Chapter 10
version uses a default /16 (sixteen bit) CIDR address space, which provides for a
much greater number of appliances.
To edit the remote management virtual network:

3. Click Edit next to the host whose Management Virtual Network you want to
change.
The Edit Remote Management page appears.
4. Edit the name or host ID in the Name or Host fields as required.

5. Optionally, click Regenerate VIP to regenerate the IP address used by the
virtual network.
TIP! The regenerate VIP option is useful after you reconfigure your network
or change the Sourcefire 3D System to take advantage of a larger address
space.
6. After appropriate management virtual network edits are made, click Save.
Configuring Remote Access to the Defense Center

Requires: DC + You must begin the procedure for setting up the management relationship
3D Sensor between a Defense Center and a sensor on the sensor.
• Management Host - the hostname of IP address.
• Registration Key - registration key
• Unique NAT ID - a unique alphanumeric ID for use when registering sensors
in NAT environments. See Working in NAT Environments on page 112 for
more information.


• Management Host and Registration Key used on both appliances
• Registration Key and Unique NAT ID used on the 3D Sensor with Host,
Registration Key, and Unique NAT ID used on the Defense Center.
• Management Host, Registration Key, and Unique NAT ID used on the 3D Sensor
with Registration Key and Unique NAT ID used on the Defense Center.
The Management Host or Host field (hostname or IP address) must be used on at
least one of the appliances.
TIP! If you register a sensor to a Defense Center using a Registration Key and
Unique NAT ID, but without a hostname or IP address, the Remote Management
page displays the Unique NAT ID in the Host field.
Sourcefire strongly recommends that you read Using the Defense Center on
page 99 before you add sensors to the Defense Center.
To set up sensor management from the sensor:

Access: Admin 1. On the sensor’s web interface, select Operations > System Settings.
WARNING! Leave the Management Port field at the top of the Remote
Management page in the default setting in nearly all cases. If you must
change the Management Port, see Setting Up the Management Virtual
Network on page 384.

4. In the Management Host field, type the IP address or the hostname of the

Note that you can leave the Management Host field empty if the management host
does not have a routable address. In that case, use both the Registration Key and
the Unique NAT ID fields.
Defense Center.
you want to use to identify the sensor.
7. Click Save.
8. Access the Defense Center web interface and select Operations > Sensors.
Host field.
you used in step 5.
12. If you used a unique ID in step 6, type the same value in the Unique NAT ID
field.

Setting the Time Manually Chapter 10
13. You can store IPS data on both the Defense Center and the sensor by clearing
the Store Events and Packets Only on the Defense Center check box.
By default, IPS data is stored only on the Defense Center and not on the
sensor. Note that RNA data is never stored on the sensor.
IMPORTANT! 3Dx800 sensors and Crossbeam-based software sensors

cannot store IPS data locally. You must store events on the Defense Center.
IMPORTANT! If you elect to prohibit sending packets and you do not store
events on the 3D Sensor, packet data is not retained. Packet data is often
important for forensic analysis.
page 131.
16. Click Add.
communication.
IMPORTANT! In some high availability deployments where network address

translation is used, you may need to use the Add Manager feature to add the
secondary Defense Center. Contact Sourcefire Support for more information.
Setting the Time Manually

Requires: Any If the Time Synchronization setting in the currently applied system policy is set to
Manual, then you can manually set the time for the appliance using the Time page
in the system settings.

Setting the Time Manually Chapter 10
If the appliance is synchronizing its time based on NTP, you cannot change the
time manually. Instead, the NTP Status section on the Time page provides the
following information:
NTP Status
Column Description
NTP The IP address and name of the configured NTP server.

Server
Status The status of the NTP server time synchronization. The

following states may appear:
• Being Used indicates that the appliance is synchronized with
the NTP server.
• Available indicates that the NTP server is available for use
but time is not yet synchronized.
• Not Available indicates that the NTP server is in your
configuration but the NTP daemon is unable to use it.
• Pending indicates that the NTP server is new or the NTP
daemon was recently restarted. Over time, its value should
change to Being Used, Available, or Not Available.
• Unknown indicates that the status of the NTP server is
unknown.
Offset The number of milliseconds of difference between the time on

the appliance and the configured NTP server. Negative values
indicate that the appliance is behind the NTP server, and
positive values indicate that it is ahead.
Last The number of seconds that have elapsed since the time was
Update last synchronized with the NTP server. The NTP daemon
automatically adjusts the synchronization times based on a
number of conditions. For example, if you see larger update
times such as 300 seconds, that indicates that the time is
relatively stable and the NTP daemon has determined that it
does not need to use a lower update increment.
See Synchronizing Time on page 354 for more information about the time
settings in the system policy.
To manually configure the time:


Blacklisting Health Modules Chapter 10
2. Click Time.
The Time page appears.
3. From list boxes that appear, select the following:

• year
• month
• day
• hour
• minute
4. Click Apply.
The time is updated.
5. If you want to change the time zone, click the time zone link located next to
the date and time.
A pop-up window appears.
6. Select your time zone and click Save and, after the time zone setting is saved,
click Close to close the pop-up window.
For more information about using the time zone page, see Setting Your
Default Time Zone on page 34.
Blacklisting Health Modules

Requires: DC/MDC If you want to disable health events for all appliances with a particular health
policy, you can blacklist the policy. If you need to disable the results of a group of
appliances’ health monitoring, you can blacklist the group of appliances. Once the
blacklist settings take effect, the appliances report a disabled status in the Health
Monitor Summary. For information on blacklisting individual or groups of
appliances see Blacklisting Health Policies or Appliances on page 535.
You can also blacklist individual health policy modules on appliances. You may
want to do this to prevent events from the module from changing the status for
the appliance to warning or critical. For example, if an appliance is temporarily
disconnected from the management network, you can blacklist the Appliance
Heartbeat module during that maintenance window. For information on
blacklisting an individual policy modules, see Blacklisting a Health Policy Module
on page 537

Specifying NetFlow-Enabled Devices Chapter 10
Specifying NetFlow-Enabled Devices

Requires: DC + RNA If you have enabled the NetFlow feature on your NetFlow-enabled devices), you
can use the flow data that these devices collect to supplement the flow data
collected by 3D Sensors with RNA by specifying the devices and the networks
they monitor in your RNA detection policy.
One of the prerequisites for using NetFlow data is to use the system settings to
specify the NetFlow-enabled devices you are going to use to collect the data. You
must configure these NetFlow-enabled devices to export NetFlow version 5 data.
For more information on using NetFlow data with the Sourcefire 3D System,
including information on additional prerequisites, see Introduction to NetFlow in
the Analyst Guide.
To add NetFlow-enabled devices for flow data collection:

2. Click NetFlow Devices.
The NetFlow Devices page appears.
3. Click Add Device to add a NetFlow-enabled device.
4. In the IP Address field, enter the IP address of the NetFlow-enabled device

you want to use to collect flow data.
5. To add additional NetFlow-enabled devices, repeat steps 3 and 4.
TIP! To remove a NetFlow-enabled device, click Delete next to the device you
want to remove. Keep in mind that if you remove a NetFlow-enabled device
from the system policy, you should also remove it from your RNA detection
policy. For more information, see Editing an RNA Detection Policy in the
Analyst Guide.
6. Click Save.
The list of NetFlow-enabled devices is saved.

Managing Remote Storage Chapter 10
Managing Remote Storage

Requires: Series 2 DC On Series 2 Defense Centers you can use local or remote storage for backups
and reports. You can use Network File System (NFS), Secure Shell (SSH), or
Server Message Block (SMB)/Common Internet File System (CIFS) for backup
and report remote storage. You cannot send backups to one remote system and
reports to a another, but you can choose to send either to a remote system and
store the other on the local Defense Center. For information on backup and
restore, see Using Backup and Restore on page 413.
Keep in mind that only Series 2 Defense Centers and not Master Defense Centers
provide backup and report remote storage.
TIP! After configuring and selecting remote storage, you can switch back to local
storage only if you have not increased the RNA flow database limit.
You must ensure that your external remote storage system is functional and
accessible from the Defense Center.
Select one of the backup and report storage options:
• To disable external remote storage and use the local Defense Center for
backup and report storage, see Using Local Storage on page 393.
• To use NFS for backup and report storage, see Using NFS for Remote
Storage on page 394.
• To use SSH for backup and report storage, see Using SSH for Remote
• To use SMB for backup and report storage, see Using SMB for Remote
IMPORTANT! You cannot use remote backup and restore to manage data on
Crossbeam-based software sensors, RNA Software for Red Hat Linux, 3Dx800
sensors, or Intrusion Agents.
Using Local Storage

Requires: Series 2 DC You can store backups and reports on the local Defense Center.
To store backups and reports locally:


2. Click Remote Storage Device.

The Remote Storage Device page appears.
3. At Storage Type, select Local (No Remote Storage).

4. Click Save.
Your storage location choice is saved.
TIP! You do not use the Test button with local storage.
Using NFS for Remote Storage

Requires: Series 2 DC You can select Network File System (NFS) protocol to store your reports and
backups.
To store backups and reports using NFS:

3. At Storage Type, select NFS.
The page refreshes to display the NFS storage configuration options.
4. Add the connection information:

• Enter the IP or hostname of the storage system in the Host field.
• Enter the path to your storage area in the Directory field.

5. If there are any required command line options, select Use Advanced Options.
A Command Line Options field appears where you can enter the commands.
6. Under System Usage, select either or both of the following:
• Select Enable Remote Storage for Backups to store backups on the
designated host.
• Select Enable Remote Storage for Reports to store reports on the
designated host.
7. Optionally, click Test.
The test ensures that the Defense Center can access the designated host
and directory.
8. Click Save.
Your remote storage configuration is saved.
Using SSH for Remote Storage

Requires: Series 2 DC You can select Secure Shell (SSH) protocol to store your reports and backups.
To store backups and reports using SSH:

3. At Storage Type, select SSH.
The page refreshes to display the SSH storage configuration options.


• Enter the path to your storage area in the Directory field.
• Enter the storage system’s user name in the Username field and the
password for that user in the Password field.
• To use SSH keys, copy the content of the SSH Public Key field and place
it in your authorized_keys file.
designated host.
designated host.
and directory.
8. Click Save.
Using SMB for Remote Storage

Requires: Series 2 DC You can select Server Message Block (SMB) protocol to store your reports and
backups.
To store backups and reports using SMB:


3. At Storage Type, select SMB.

The page refreshes to display the SMB storage configuration options.

• Enter the share of your storage area in the Share field.
• Optionally, enter the domain name for the remote storage system in the
Domain field.
• Enter the user name for the storage system in the Username field and
the password for that user in the Password field.
designated host.
designated host.
and directory.
8. Click Save.

Chapter 11
Administrator Guide
Updating System Software
Use the Update feature to update the Sourcefire 3D System. Sourcefire

electronically distributes several different types of updates:
• Patches include a limited range of fixes (and usually change the fourth digit
in the version number; for example, 4.9.0.1).
• Feature updates are more comprehensive than patches and generally include
new features (and usually change the third digit in the version number; for
example, 4.9.1).
• Major and minor version releases include new features and functionality and
may entail large-scale changes to the product (and usually change the first
or second digit in version number; for example, 4.9 or 5.0).
• Vulnerability database (VDB) updates affect the vulnerabilities reported by RNA
as well as the operating systems, client applications, and services that RNA
detects.
IMPORTANT! You cannot use the Update feature to update the SEU or Intrusion
Agents. For information on updating your SEU, see Importing SEUs and Rule Files
in the Analyst Guide. For information on Intrusion Agents, see the Intrusion Agent

Chapter 11
You can obtain updates from the Sourcefire Support and then manually install
them using the Patch Update Management page.The following graphic shows the
Defense Center version of the page.
When you upload updates to your appliance, they appear on the page. Uploaded
VDB updates also appear on the page, as do uninstaller updates, which are
created when you install a patch to a Sourcefire appliance. The list of updates
shows the type of each update, the version number, and the date and time it was
generated. It also indicates whether a reboot is required as part of the update.
TIP! For patches, feature updates, and VDB updates, you can take advantage of
the automated update feature; see Scheduling Tasks on page 425.
If your deployment includes a Defense Center, you can use it to install updates on
its managed 3D Sensors, including software sensors. However, for major updates
to software sensors, you may need to uninstall the previous version and install
the new version.
You can uninstall patches to the Sourcefire software using an appliance’s local
web interface. Uninstalling from the web interface is not supported for major
version upgrades, nor is it supported for appliances that do not have local web
interfaces.
WARNING! This chapter contains general information on updating the Sourcefire

3D System. Before you update Sourcefire software, you must read the release
notes that accompany the update. The release notes describe supported
platforms, new features and functionality, known and resolved issues, and
product compatibility. They also contain information on any prerequisites,
warnings, and specific installation and uninstallation instructions.

• Installing Software Updates on page 400
• Uninstalling Software Updates on page 409
• Updating the Vulnerability Database on page 410

Installing Software Updates Chapter 11
Installing Software Updates

Requires: Any Sourcefire periodically issues updates to the Sourcefire 3D System software.
Updating an appliance does not modify its configuration; the policies and network
settings on the appliance remain intact.
Note that for major updates to software sensors (Crossbeam-based software
sensors and RNA for Red Hat Linux), you may need to uninstall the previous
version and install the new version; see the release notes for more information.
TIP! This section explains how to plan for and perform manual software updates
on your Sourcefire appliances. For patches and feature updates, you can take
advantage of the automated update feature; see Automating Software Updates
on page 430.
To update your Sourcefire 3D System appliances:

Access: Admin 1. Read the release notes for the update.
Available on the Sourcefire Support Site, the release notes describe
supported platforms, new features and functionality, known and resolved
issues, and product compatibility; they also contain information on any
prerequisites, warnings, and specific installation and uninstallation
instructions.
2. Make sure your appliances (including software sensors) are running the correct
version of the Sourcefire 3D System.
The release notes for the update indicate the required version. If you are
running an earlier version, you can obtain updates from the Sourcefire
Support Site.
3. Install the latest SEU on your appliances.
You must install the latest SEU (see Importing SEUs and Rule Files in the
Analyst Guide) on your appliances before you begin the update. You can
obtain the SEU from the Sourcefire Support Site.
4. Make sure the computers or appliances where you installed software sensors are
running the correct versions of their operating systems.
Make sure that any Crossbeam Systems or Red Hat Linux platforms you are
using to host Sourcefire software sensors are running the correct version of
the operating system, as described in the release notes.

5. Delete any backups that reside on the appliance, then back up current event and
configuration data to an external location.
Sourcefire strongly recommends that you delete or move any backup files that
reside on your appliance, then back up current event and configuration data to
an external location. Event data is not backed up as part of the update
process.
For more information on the backup and restore feature, including the types
of backups that are supported for your appliance, see Using Backup and
Restore on page 413.
6. Make sure you have enough free disk space and allow enough time for the update.
When you update a managed sensor, the update requires additional disk
space on the Defense Center. The release notes for the update indicate
space and time requirements.
7. Update your Master Defense Centers.
Always update Master Defense Centers first; see Updating a Defense Center
or Master Defense Center on page 402.
8. Update your Defense Centers.
After you update any Master Defense Centers in your deployment, you can
update the Defense Centers they manage; see Updating a Defense Center or
Master Defense Center on page 402.
Note that when you begin to update one Defense Center in a high availability
pair, the other Defense Center in the pair becomes the primary, if it is not
already. In addition, the paired Defense Centers stop sharing configuration
information; paired Defense Centers do not receive software updates as part
of the regular synchronization process. To ensure continuity of operations, do
not update paired Defense Center at the same time. First, complete the
update procedure for one of the Defense Centers, then update the second
Defense Center.
9. Update your managed 3D Sensors.
After you update the Master Defense Centers and Defense Centers in your
deployment, you can update your managed sensors (including software
sensors). Sourcefire strongly recommends that you use your Defense Centers
to update the sensors they manage; see Updating Managed Sensors on
page 404.
Note that you must use the Defense Center to update sensors that do not
have a web interface, including Crossbeam-based software sensors, RNA for
Red Hat Linux, and 3Dx800 sensors. However, for major updates to software
sensors, you may need to uninstall the previous version and install the new
version; see the release notes for more information.
10. Update your unmanaged 3D Sensors.
See Updating Unmanaged 3D Sensors on page 406.

Updating a Defense Center or Master Defense Center

Requires: DC/MDC Use the procedure in this section to update your Defense Centers and Master
Defense Centers. If your deployment includes Master Defense Centers, you must
update them before you update the Defense Centers that they manage.
You update the Defense Center in one of two ways, depending on the type of
update and whether your Defense Center has access to the internet:
• You can use the Defense Center to obtain the update directly from the
Support Site. Choose this option if your Defense Center has access to the
internet and you are not performing a major update. This option is not
supported for major updates.
• You can manually download the update from the Sourcefire Support Site
and then upload it to the Defense Center. Choose this option if your
Defense Center does not have access to the internet or if you are
performing a major update.
Note that when you begin to update one Defense Center in a high availability pair,
the other Defense Center in the pair becomes the primary, if it is not already. In
addition, the paired Defense Centers stop sharing configuration information;
paired Defense Centers do not receive software updates as part of the regular
synchronization process. To ensure continuity of operations, do not update paired
Defense Center at the same time. First, complete the update procedure for one
of the Defense Centers, then update the second Defense Center.
IMPORTANT! For major updates, updating the Defense Center removes any
existing updates and patches, as well as their uninstall scripts, from the
appliance.
To update the Defense Center or Master Defense Center:

Access: Admin 1. Read the release notes for the update and complete any required pre-update
tasks.
Pre-update tasks can include making sure that the Defense Center is running
the correct version of the Sourcefire software, making sure you have enough
free disk space to perform the update, making sure you have set aside
adequate time to perform the update, backing up event and configuration
data, and so on.

2. Upload the update to the Defense Center. You have two options, depending
on the type of update and whether your Defense Center has access to the
internet.
• For all except major releases, and if your Defense Center has access to
the Internet, select Operations > Update to display the Patch Update
Management page, then click Download Updates to check for the latest
updates on the Support Site.
• For major releases, or if your Defense Center does not have access to
the Internet, first manually download the update from the Sourcefire
Support Site. Select Operations > Update to display the Patch Update
Management page, then click Upload Update. Browse to the update and
click Upload.
IMPORTANT! Download the update directly from the Support Site, either
manually or by clicking Update on the Patch Update Management page. If you
transfer an update file by email, it may become corrupted.
The update is uploaded to the Defense Center. The Patch Update

Management page shows the type of update you just uploaded, its version
number, and the date and time it was generated. The page also indicates
whether a reboot is required as part of the update.
3. Make sure that the appliances in your deployment are successfully
communicating and that there are no issues being reported by the health
monitor.
4. Select Operations > Monitoring > Task Status to view the task queue and make
sure that there are no jobs in process.
Tasks that are running when the update begins are stopped and cannot be
resumed; you must manually delete them from the task queue after the
update completes. The task queue automatically refreshes every 10 seconds.
You must wait until any long-running tasks are complete before you begin the
update.
5. Select Operations > Update.
The Patch Update Management page appears.
6. Click Install next to the update you uploaded.
The Install Update page appears.

7. Under Selected Update, select the Defense Center and click Install. If
prompted, confirm that you want to install the update and reboot the Defense
Center.
The update process begins. You can monitor the update's progress in the
task queue (Operations > Monitoring > Task Status).
WARNING! Do not use the web interface to perform any other tasks until the
update has completed and (if necessary) the Defense Center reboots. Before
the update completes, the web interface may become unavailable, or the
Defense Center may log you out. This is expected behavior. If this occurs, log
in again to view the task queue. If the update is still running, continue to
refrain from using the web interface until the update has completed. If you
encounter issues with the update (for example, if the task queue indicates
that the update has failed or if a manual refresh of the task queue shows no
progress), do not restart the update. Instead, contact Support.
8. After the update finishes, if necessary, log into the Defense Center.
9. Clear your browser cache and force a reload of the browser. Otherwise, the
user interface may exhibit unexpected behavior.
10. Select Operations > Help > About and confirm that the software version is listed
correctly.
11. Verify that all managed sensors are successfully communicating with the
Defense Center.
12. Re-apply intrusion policies to the IPS detection engines on your managed
3D Sensors.
Unless you enabled the Inspect Traffic During Policy Apply option when you
created your IPS detection engines (this option is supported on many sensor
models; see Creating a Detection Engine on page 193), applying an intrusion
policy causes IPS detection engines to restart. This can cause a short pause
in processing and, for most detection engines with inline interface sets, may
cause a few packets to pass through the sensor uninspected.
13. Update the VDB on your Defense Centers and the 3D Sensors with RNA that
they manage; see Updating the Vulnerability Database on page 410.
14. Continue with the next section, Updating Managed Sensors, to update the
Sourcefire software on the sensors that the Defense Center manages.
Updating Managed Sensors

Requires: DC + After you update your Defense Centers, Sourcefire strongly recommends that you
3D Sensor use them to update the sensors they manage. Updating managed sensors is a
multi-step process. First, download the update from the Support Site and upload
it to the managing Defense Center. Next, push the update to the sensors from
the Defense Center. Finally, install the software. Note that you can update

multiple 3D Sensors at once, but only if they use the same update. For
information on updating the 3D Sensors in your deployment, see the release
notes.
IMPORTANT! You must use the Defense Center to update sensors that do not
have a web interface, including Crossbeam-based software sensors, RNA for Red
Hat Linux, and 3Dx800 sensors. However, for major updates to software sensors,
you may need to uninstall the previous version and install the new version; see
the release notes for more information.
To update managed 3D Sensors:

tasks.
Pre-update tasks can include updating your managing Defense Center,
making sure that the 3D Sensors are running the correct version of the
Sourcefire software, making sure software sensors are running the correct
version of their operating systems, making sure you have enough free disk
space to perform the update, you have set aside adequate time to perform
the update, backing up event and configuration data, and so on.
2. Update the Sourcefire software on the sensors’ managing Defense Center;
see Updating a Defense Center or Master Defense Center on page 402.
3. Download the update from the Sourcefire Support Site.
Different 3D Sensor models use different updates. For information on the
updates you can download, see the release notes.
IMPORTANT! Download the update directly from the Support Site. If you
4. Make sure that the appliances in your deployment are successfully

communicating and that there are no issues being reported by the health
monitor.
5. On the managing Defense Center, select Operations > Update.
6. Click Upload Update to browse to the update you downloaded, then click
Upload.
The update is uploaded to the Defense Center. The Patch Update
Management page shows the type of update you just uploaded, its version
number, and date and time it was generated. The page also indicates
whether a reboot is required as part of the update.
7. Click Push next to the update.
The Push Update page appears.

8. Under Selected Update, select the sensors you want to update, then click
Push.
Depending on the size of the file, it may take some time to push the update
to all sensors. You can monitor the progress of the push in the task queue
(Operations > Monitoring > Task Status). When the push is complete, continue
with the next step.
9. Click Install next to the update you are installing.
10. Select the sensors where you pushed the update and click Install. If
prompted, confirm that you want to install the update and reboot the
3D Sensors.
Defense Center’s task queue (Operations > Monitoring > Task Status).
If the update requires a reboot, your 3D Sensors use IPS detection engines
with inline interface sets, and the sensors do not have fail-open network
cards, traffic is interrupted while the sensors reboot. If your sensors have
fail-open network cards, some traffic may pass through the sensors
uninspected while they reboot.
WARNING! If you encounter issues with the update (for example, if the task
queue indicates that the update has failed or if a manual refresh of the task
queue shows no progress), do not restart the update. Instead, contact
Support.
11. Select Operations > Sensors and confirm that the sensors you updated have
the correct version listed.
12. Verify that the sensors you updated are successfully communicating with the
Defense Center.
13. Re-apply intrusion policies to the IPS detection engines on your managed
3D Sensors.
Updating Unmanaged 3D Sensors

Requires: 3D Sensor Use the procedure in this section to update unmanaged 3D Sensors only;
Sourcefire strongly recommends that you update managed 3D Sensors using their
managing Defense Centers. For more information, see Updating Managed
Sensors on page 404.

You update the 3D Sensor in one of two ways, depending on the type of update
and whether your 3D Sensor has access to the internet:
• You can use the 3D Sensor to obtain the update directly from the Support
Site. Choose this option if your 3D Sensor has access to the internet and
you are not performing a major update. This option is not supported for
major updates.
• You can manually download the update from the Sourcefire Support Site
and then upload it to the 3D Sensor. Choose this option if your 3D Sensor
does not have access to the internet or if you are performing a major
update.
IMPORTANT! For major updates, updating the 3D Sensor removes any existing
updates and patches, as well as their uninstall scripts, from the sensor.
To update an unmanaged 3D Sensor:

tasks.
Pre-update tasks can include making sure that the 3D Sensor is running the
correct version of the Sourcefire software, making sure you have enough free
disk space to perform the update, making sure you have set aside adequate
time to perform the update, backing up event and configuration data, and so
on.
2. Upload the update to the 3D Sensor. You have two options, depending on the
type of update and whether your 3D Sensor has access to the internet.
• For all except major releases, and if your 3D Sensor has access to the
Internet, select Operations > Update to display the Patch Update
Management page, then click Download Updates to check for the latest
updates on the Support Site.
• For major releases, or if your 3D Sensor does not have access to the
Internet, first manually download the update from the Sourcefire
Support Site. Select Operations > Update to display the Patch Update
Management page, then click Upload Update. Browse to the update and
click Upload.
manually or by clicking Update on the Patch Update Management page. If you
The update is uploaded to the 3D Sensor. The Patch Update Management

page shows the type of update you just uploaded, its version number, and the
date and time it was generated. The page also indicates whether a reboot is
required as part of the update.

3. Select Operations > Monitoring > Task Status to view the task queue and make
sure that there are no jobs in process.
Tasks that are running when the update begins are stopped and cannot be
resumed; you must manually delete them from the task queue after the
update completes. The task queue automatically refreshes every 10 seconds.
You must wait until any long-running tasks are complete before you begin the
update.
5. Click Install next to the update you just uploaded. If prompted, confirm that
you want to install the update and reboot the 3D Sensor.
task queue (Operations > Monitoring > Task Status).
If the update requires a reboot, your 3D Sensor uses IPS detection engines
with inline interface sets, and the sensor does not have a fail-open network
card, traffic is interrupted while the sensor reboots. If the sensor has a
fail-open network card, some traffic may pass through the sensor
uninspected while it reboots.
update has completed and (if necessary) the 3D Sensor reboots. Before the
update completes, the web interface may become unavailable, or the
3D Sensor may log you out. This is expected behavior. If this occurs, log in
again to view the task queue. If the update is still running, continue to refrain
from using the web interface until the update has completed. If you
encounter issues with the update (for example, if the task queue indicates
that the update has failed or if a manual refresh of the task queue shows no
progress), do not restart the update. Instead, contact Support.
6. After the update finishes, if necessary, log into the 3D Sensor.

correctly.
9. Re-apply intrusion policies to your IPS detection engines.

Uninstalling Software Updates Chapter 11
Uninstalling Software Updates

Requires: Any When you install a patch to a Sourcefire appliance, the update process creates an
uninstaller update that allows you to uninstall the patch from that appliances’s
web interface.
IMPORTANT! Uninstalling from the web interface is not supported for major
version upgrades. If you upgraded to a new version of the appliance and need to
revert to an older version, contact Support.
You must use the local web interface to uninstall patches, as described by the
procedure in this section; you cannot use the Defense Center to uninstall patches
from managed sensors. For information on uninstalling patches from appliances
that do not have local web interfaces (Crossbeam-based software sensors, RNA
for Red Hat Linux, and 3Dx800 sensors), see the release notes.
In addition, you must uninstall a patch from the appliances in your deployment in
the reverse order of how you installed it. That is, first uninstall the patch from your
managed 3D Sensors, then your Defense Centers, and finally your Master
Defense Centers.
When you uninstall a patch, the resulting Sourcefire software version depends on
the update path for your appliance. For example, consider a scenario where you
updated an appliance directly from Version 4.9.0 to Version 4.9.0.2. Uninstalling
the Version 4.9.0.2 patch might result in an appliance running Version 4.9.0.1,
even though you never installed the Version 4.9.0.1 update. For information on
the resulting Sourcefire software version when you uninstall an update, see the
release notes.
To uninstall a patch using the local web interface:

Access: Admin 1. Select Operations > Update.

Updating the Vulnerability Database Chapter 11
2. Click Install next to the uninstaller for the update you want to remove.
• On the Defense Center, the Install Update page appears. Under
Selected Update, select the Defense Center and click Install.
• On the 3D Sensor, there is no intervening page.
In either case, if prompted, confirm that you want to uninstall the update and
reboot the appliance.
The uninstall process begins. You can monitor its progress in the task queue
(Operations > Monitoring > Task Status).
If the uninstall for a 3D Sensor requires a reboot, the sensor uses IPS
detection engines with inline interface sets, and the sensor does not have a
fail-open network card, traffic is interrupted while the sensor reboots. If the
sensor has a fail-open network card, some traffic may pass through the
sensor uninspected while it reboots.
uninstall has completed and (if necessary) the appliance reboots. Before the
uninstall completes, the web interface may become unavailable, or the
appliance may log you out. This is expected behavior. If this occurs, log in
again and view the task queue. If the uninstall is still running, continue to
refrain from using the web interface until the uninstall has completed. If you
encounter issues with the uninstall, for example, if the task queue indicates
that the uninstall has failed or if a manual refresh of the task queue shows no
progress, do not restart the uninstall. Instead, contact Support.
3. After the uninstall finishes, if necessary, log into the appliance.

correctly.
6. Verify that the appliance where you uninstalled the patch is successfully
communicating with its managed sensors (for the Defense Center) or its
managing Defense Center (for 3D Sensors).
Updating the Vulnerability Database

Requires: DC + RNA The Sourcefire Vulnerability Database (VDB) is a database of known vulnerabilities
to which hosts may be susceptible, as well as fingerprints for RNA-detection
operating systems, client applications, and services. RNA correlates the operating
system and services detected on each host with the vulnerability database to
help you determine whether a particular host increases your risk of network
compromise. The Sourcefire Vulnerability Research Team (VRT) issues periodic
updates to the VDB.

You should install the same version of the VDB on all the appliances in your
deployment. To ensure you install the same VDB version, use your Defense
Centers to push and install the VDB on all managed 3D Sensors with RNA,
including software sensors. Because you cannot view RNA data on Master
Defense Centers or on unmanaged 3D Sensors, you do not need to update the
VDB on these appliances.
The time it takes to update vulnerability mappings depends on the number of
hosts in your network map. You may want to schedule the update during low
system usage times to minimize the impact of any system downtime. As a rule of
thumb, divide the number of hosts on your network by 1000 to determine the
approximate number of minutes to perform the update.
TIP! This section explains how to plan for and perform manual VDB updates on
your Sourcefire 3D System appliances. You can take advantage of the automated
update feature to schedule VDB updates; see Automating Vulnerability Database
Updates on page 437.
To update the vulnerability database:

Access: Admin 1. Read the VDB Update Advisory Text for the update.
The VDB Update Advisory Text includes information about the changes to the
VDB made in the update, as well as product compatibility information.
3. Upload the update to the Defense Center.
• If your Defense Center has access to the Internet, click Download
Updates to check for the latest updates on the Support site.
• If your Defense Center does not have access to the Internet, manually
download the update from the Sourcefire Support Site, then click Upload
Update. Browse to the update and click Upload.
manually or by clicking Update. If you transfer an update file by email, it may
become corrupted.
The VDB update is saved on the Defense Center and appears in the Updates
section.
4. Click Push next to the VDB update.
The Push Update page appears.

5. Under Selected Update, select the managed 3D Sensors you want to update,
then click Push.
Depending on the size of the file, it may take some time to push the VDB
update to all sensors. You can monitor the progress of the push in the
Defense Center’s task queue (Operations > Monitoring > Task Status). When the
push is complete, continue with the next step.
6. Click Install next to the VDB update.
7. Select the Defense Center, as well as the sensors where you pushed the
VDB update, then click Install.
The update process begins. Depending on the number of hosts in your
network map, the update may take some time. You can monitor the update's
progress in the task queue (Operations > Monitoring > Task Status).
WARNING! Do not use the web interface to perform tasks related to mapped
vulnerabilities until the update has completed. If you encounter issues with
the update, for example, if the task queue indicates that the update has failed
or if a manual refresh of the task queue shows no progress, do not restart the
update. Instead, contact Support.
8. After the update finishes, confirm that the VDB build number matches the
update you installed.
• To check the VDB build number on the Defense Center, select
Operations > Help > About.
• To check the VDB build number on your managed sensors, select
Operations > Sensors on the Defense Center, then click Edit next to each
sensor you updated.

Chapter 12
Administrator Guide
Using Backup and Restore
Backup and restoration is an essential part of any system maintenance plan.

While each organization’s backup plan is highly individualized, Sourcefire 3D
System provides a mechanism for archiving data so that the Defense Center or
3D Sensor can be restored in case of disaster.
You can restore a backup onto a replacement appliance if the two appliances are
the same model and are running the same version of the Sourcefire 3D System
software.
WARNING! Do not use the backup and restore process to copy the configuration
files between sensors. The configuration files include information that uniquely
identifies a sensor and cannot be shared.
By default, system configuration files are saved in the backup file. You can also
choose to back up the following, if applicable for the range of appliances in your
deployment:
• the entire intrusion event database
• the entire RNA event database
• additional files that reside on the appliance
WARNING! If you applied any SEU updates, those updates are not backed up.
You need to apply the latest SEU update after you restore.

Creating Backup Files Chapter 12
You can save backup files to the appliance or to your local computer. Additionally,
if you are using a Series 2 Defense Center, you can use remote storage as
detailed in Managing Remote Storage on page 393.
See the following sections for more information.
• See Creating Backup Files on page 414 for information about backing up
files from the appliance.
• See Creating Backup Profiles on page 418 for information about creating
backup profiles that you can use later as templates for creating backups.
• See Performing Sensor Backup with the Defense Center on page 419 for
information about backing up managed sensors with the Defense Center.
• See Uploading Backups from a Local Host on page 420 for information
about uploading backup files from a local host.
• See Restoring the Appliance from a Backup File on page 421 for information
about how to restore a backup file to the appliance.
Creating Backup Files

Requires: IPS or DC/ To view and use existing system backups go to the System Backup Management
MDC page. You should periodically save a backup file that contains all of the
configuration files required to restore the appliance, in addition to event and
packet data. You may also want to back up the system when testing configuration
changes so that you can revert to the saved configuration, if needed. You can
choose to save the backup file on the appliance or on your local computer.
As an alternative or if your backup file is larger than 4GB, copy it via SCP to a
remote host. Uploading a backup from your local computer does not work on
backup files larger than 4GB since web browsers do not support uploading files
that large. On Series 2 Defense Centers, the backup file can be saved to a remote
location; see Managing Remote Storage on page 393.
When your backup task is collecting RNA events, data correlation is temporarily
suspended.

The Defense Center and Master Defense Center version of the page is shown
below.

For comparison, the 3D Sensor version of the page is shown below.
To create a backup file:

Access: Maint/Admin 1. Select Operations > Tools > Backup/Restore.
The System Backup Management page appears.
2. Click Sensor Backup on a 3D Sensor toolbar or Defense Center Backup on a
Defense Center toolbar.
The Backup page appears.
3. In the Name field, type a name for the backup file.
4. Requires: IPS or DC/MDC To archive the configuration, select Backup
Configuration.
5. Requires: IPS or DC/MDC To archive the entire event database, select Backup
Events.
6. Requires: IPS To archive individual intrusion event data files, select the files
that you want to include from the Unified File List.

7. Requires: IPS Ensure that the value of the compressed backup file in the
Selected Sum field is less than the value in the Available Space field.
TIP! The compressed value that appears in the Selected Sum field is a
conservative estimate of the size of the compressed file. Often, the file will
be smaller.
8. If you want to include an additional file in the backup, type the full path and
file name in the Additional Files field and click the plus sign (+).
TIP! You can repeat this step to add additional files.
9. Optionally, to be notified when the backup is complete, select the Email when
complete check box and type your email address in the accompanying text
box.
You must make sure that your mail relay host is configured as described in
Configuring a Mail Relay Host and Notification Address on page 338.
10. Optionally, to use secure copy (scp) to copy the backup archive to a different
machine, select the Copy when complete check box and then type the following
information in the accompanying text boxes:
• the hostname or IP address of the machine where you want to copy the
backup
• the path to the directory where you want to copy the backup
• the user name that you want to use to log into the remote machine
• the password for that user name
TIP! Sourcefire recommends that you periodically save backups to a remote

location so that the appliance can be restored in case of system failure.

Creating Backup Profiles Chapter 12

• To save the backup file to the appliance, click Start Backup. The backup
file is saved in the /var/sf/backup directory. On Series 2 Defense
Centers, you can direct the backup file to a remote location; see
Managing Remote Storage on page 393.
When the backup process is complete, you can view the file on the
Restoration Database page. For information about restoring a backup
file, see Restoring the Appliance from a Backup File on page 421.
• To save this configuration as a backup profile that you can use later, click
Save As New.
You can modify or delete the backup profile by selecting Operations >
Tools > Backup & Restore and then clicking Backup Profiles. See Creating
Backup Profiles on page 418 for more information.
Creating Backup Profiles

Requires: IPS or DC/ You can use the Backup Profiles page to create backup profiles that contain the
MDC settings that you want to use for different types of backups. You can later select
one of these profiles when you are backing up the files on your appliance.
TIP! When you create a backup file as described in Creating Backup Files on
page 414, a backup profile is automatically created.
To create a backup profile:

2. Click Backup Profiles on the toolbar.
The Backup Profiles page appears with a list of existing backup profiles.
TIP! You can click Edit to modify an existing profile or click Delete to delete a
profile from the list.
3. Click Create Profile.

The System Backup page appears.

Performing Sensor Backup with the Defense Center Chapter 12
4. Type a name for the backup profile.

5. Configure the backup profile according to your needs.
See Creating Backup Files on page 414 for more information about the
options on this page.
6. Click Save As New to save the backup profile.
The Backup Profiles page appears and includes your new profile in the list.
Performing Sensor Backup with the Defense Center

Requires: DC You can use the Defense Center to back up data on managed 3D Sensors. The
default name for the backup file uses the name of the managed 3D Sensor.
TIP! If you use a backup file name containing spaces or punctuation characters,
they change to underscores.
You cannot use remote backup and restore to manage data on Crossbeam-based
software sensors, RNA Software for Red Hat Linux, 3Dx800 sensors, or Intrusion
Agents.
To back up a managed sensor:

2. Click Sensor Backup on the toolbar.
The Remote Backup page appears.
3. In the Sensors field, select the managed sensors that you want to back up.
4. To include event data in addition to configuration data, select the Include All
Unified Files check box. Note that the unified files are binary file that the
Sourcefire 3D System uses to log event data.

Uploading Backups from a Local Host Chapter 12
5. To save the backup file on the Defense Center, select the Retrieve to DC check
box.
TIP! To save each sensor’s backup file on the sensor itself, leave this check
box unselected.
6. Click Start Backup.
TIP! It can take several minutes to complete the backup. Check the task
status for progress.
A success messages appears and the backup task is set up. When the
backup is complete, you can view the backup file on the Restoration
Database page.
Uploading Backups from a Local Host

Requires: DC If you download a backup file to your local host using the download function
described in the Backup Management table on page 421, you can upload it to a
Defense Center.
TIP! Uploading a backup larger than 4GB from your local host does not work
because web browsers do not support uploading files that large. As an
alternative, copy the backup via SCP to a remote host and retrieve it from there.
On Series 2 Defense Centers, the backup file can be saved to and retrieved from
a remote location; see Managing Remote Storage on page 393.
To upload a backup from your local host:

2. Click Upload Backup.
The Upload Backup page appears.
3. Click Browse, and navigate to the backup file.
After you select the file to upload, click Upload Backup.

Restoring the Appliance from a Backup File Chapter 12
4. Click Backup Management on the toolbar to return to the System Backup

Management page.
The backup file is uploaded and appears in the backup list.
TIP! After the Defense Center verifies the file integrity, refresh the System
Backup Management page to reveal detailed file system information.
Restoring the Appliance from a Backup File

Requires: IPS or DC/ You can restore the appliance from backup files using the System Backup
MDC Management page. After you complete the restoration process, you must apply
the latest SEU.
If you use local storage, backup files are saved to /var/sf/backup which is listed
with the amount of disk space used in the /var partition at the top of the System
Backup Management page. On Series 2 Defense Centers, select Enable Remote
Storage for Backups to enable or disable remote storage at the top of the System
Backup Management page. If you use remote storage, the protocol, backup
system, and backup directory are listed at the top of the page. The Backup
Management table describes each column and icon on the System Backup
Management page.
Backup Management
Column Description
System The originating appliance name, type, and version. Note that
Information you can only restore a backup to an identical appliance type
and version.
Date The date and time that the backup file was created
Created
File Name The full name of the backup file
Location The location of the backup file
Size (MB) The size of the backup file, in megabytes
Events? “Yes” indicates the backup includes event data.
View Click with the backup file selected to view a list of the files
included in the compressed backup file.
Restore Click with the backup file selected to restore it on the

appliance.

Backup Management (Continued)
Column Description
Download Click with the backup file selected to save it to your local
computer.
Delete Click with the backup file selected to delete it.
Move On a Series 2 Defense Center when you have a previously-

created local backup selected, click to send the backup to the
designated remote backup location.
To restore the appliance from a backup file:

Access: Admin 1. Select Operations > Tools > Backup/Restore.
The System Backup Management page appears. A Series 2 Defense Center
version of the page is shown.

2. To view the contents of a backup file, select the file and click View.
The manifest appears listing the name of each file, its owner and
permissions, and its file size and date. The Defense Center version of the
page is truncated to show a sample of the files that are backed up.
3. On the toolbar, click Backup Management to return to the System Backup

Management page.
4. Select the backup file that you want to restore and click Restore.
The Restore Screen page appears.
WARNING! This procedure will overwrite all configuration files and, on the
3D Sensor, all event data.
5. Requires: DC/MDC To restore files, select either or both:

• Replace Configuration Data
• Restore Event Data
Then click Restore to begin the restoration.

6. Requires: IPS If you want to restore intrusion event data, select the files that
you want to include from the Unified File List box.
Click Restore to begin the restoration.
TIP! To cancel the restoration, click Cancel.
The appliance is restored using the backup file you specified.

7. Reboot the appliance.
8. Apply the latest SEU to re-apply SEU rule and software updates.
9. Re-apply any intrusion, RNA detection, health, and system policies to the
restored system.

Chapter 13
Administrator Guide
Scheduling Tasks
You can schedule many different types of administrative tasks to run at scheduled
times, including:
• running backups
• Requires: IPS applying intrusion policies
• generating reports
• Requires: DC + RNA running Nessus scans
• Requires: DC + RNA synchronizing Nessus plugins
• Requires: DC + RNA running Nmap scans
• Requires: DC + RNA + IPS using RNA rule recommendations
• Requires: IPS importing Security Enhancement Updates (SEUs)
• downloading and installing software updates
• Requires: DC + RNA downloading and installing vulnerability database updates
• Requires: DC pushing downloaded updates to managed sensors
You can schedule tasks to run once or on a recurring schedule.
IMPORTANT! Some tasks (such as those involving automated software and SEU
updates and those that require pushing updates or intrusion policies to managed
sensors) can place a significant load on networks with low bandwidths. You
should always schedule tasks like these to run during periods of low network use.

Scheduling Tasks
Configuring a Recurring Task Chapter 13

• Configuring a Recurring Task on page 426 explains how to set up a
scheduled task so that it runs at regular intervals.
• Automating Backup Jobs on page 428 provides procedures for scheduling
backup jobs.
• Automating Software Updates on page 430 provides procedures for
scheduling the download, push, and installation of software updates.
• Automating Vulnerability Database Updates on page 437 provides
procedures for scheduling the download, push, and installation of software
updates.
• Automating SEU Imports on page 444 provides procedures for scheduling
rule updates.
• Automating Intrusion Policy Applications on page 446 provides procedures
for scheduling intrusion policy applications.
• Automating Reports on page 448 provides procedures for scheduling
reports.
• Automating Nessus Scans on page 450 provides procedures for scheduling
Nessus scans.
• Synchronizing Nessus Plugins on page 452 provides procedures for
synchronizing your sensor with the Nessus server.
• Automating Nmap Scans on page 454 provides procedures for scheduling
Nessus scans.
• Automating Recommended Rule State Generation on page 456 provides
procedures for scheduling automatic update of intrusion rule state
recommendations based on RNA data.
• Viewing Tasks on page 458 describes how to view and manage tasks after
they are scheduled.
• Editing Scheduled Tasks on page 461 describes how to edit an existing task.
• Deleting Scheduled Tasks on page 461 describes how to delete one-time
tasks and all instances of recurring tasks.
Configuring a Recurring Task

Requires: IPS or DC/ You set the frequency for a recurring task using the same process for all types of
MDC tasks.
IMPORTANT! You cannot configure a recurring task schedule on the inactive

Defense Center in a high availability pair of Defense Centers. You must recreate
the recurring task schedule on a newly activated Defense Center when it changes
from inactive to active.

Scheduling Tasks
Configuring a Recurring Task Chapter 13
Note that the time displayed on most pages on the web interface is the local
time, which is determined by using the time zone you specify in your system
settings. Further, the Defense Center or 3D Sensor with IPS automatically adjusts
its local time display for daylight saving time (DST), where appropriate. However,
recurring tasks that span the transition dates from DST to standard time and back
do not adjust for the transition. That is, if you create a task scheduled for 2am
during standard time, it will run at 3am during DST. Similarly, if you create a task
scheduled for 2am during DST, it will run at 1am during standard time.
To configure a recurring task:

Access: Maint/Admin 1. Select Operations > Tools > Scheduling.
The Scheduling page appears.
2. Click Add Task.
The Add Task page appears.
3. From the Job Type list, select the type of task that you want to schedule.
Each of the types of tasks you can schedule is explained in its own section.
4. For the Schedule task to run option, select Recurring.
The page reloads with the recurring task options.
5. In the Start On field, specify the date when you want to start your recurring
task. You can use the drop-down list to select the month, day, and year.
6. In the Repeat Every field, specify how often you want the task to recur. You can
specify a number of hours, days, weeks, or months.
TIP! You can either type a number or use the arrow buttons to specify the
interval. For example, type 2 and select Day(s) to run the task every two days.
7. In the Run At field, specify the time when you want to start your recurring
task.

Scheduling Tasks
Automating Backup Jobs Chapter 13
8. If you selected Week(s) in the Repeat Every field, a Repeat On field appears.
Select the check boxes next to the days of the week when you want to run
the task.
9. If you selected Month(s) in the Repeat Every field, a Repeat On field appears.
Use the drop-down list to select the day of the month when you want to run
the task.
The remaining options on the Add Task page are determined by the task you
are creating. See the following sections for more information:
• Automating Backup Jobs on page 428
• Automating Software Updates on page 430
• Automating Vulnerability Database Updates on page 437
• Automating SEU Imports on page 444
• Automating Intrusion Policy Applications on page 446
• Automating Reports on page 448
• Automating Nessus Scans on page 450
• Synchronizing Nessus Plugins on page 452
• Automating Nmap Scans on page 454
• Automating Recommended Rule State Generation on page 456
Automating Backup Jobs

Requires: IPS or DC/ You can use the scheduler to automate system backups of a Defense Center or a
MDC 3D Sensor with IPS.
TIP! You must design a backup profile before you can configure it as a scheduled
task. For information on backup profiles, see Creating Backup Profiles on
page 418.
To automate backup tasks:

2. Click Add Task.

Scheduling Tasks
Automating Backup Jobs Chapter 13
3. From the Job Type list, select Backup.

The page reloads to show the backup options.
4. Specify how you want to schedule the backup, Once or Recurring.

• For one-time tasks, use the drop-down lists to specify the start date and
time.
TIP! The Current Time field indicates the current time on the appliance.
• For recurring tasks, you have several options for setting the interval
between instances of the task. See Configuring a Recurring Task on
page 426 for details.
5. In the Job Name field, type a name using up to 255 alphanumeric characters,
spaces, or dashes.
6. From the Backup Profile list, select the appropriate backup profile.
For more information on creating new backup profiles, see Creating Backup
Profiles on page 418.
7. Optionally, in the Comment field, type a comment using up to 255
alphanumeric characters, spaces, or periods.
TIP! The comment field appears in the View Tasks section of the page, so
you should try to keep it relatively short.

Scheduling Tasks
Automating Software Updates Chapter 13
8. Optionally, in the Email Status To: field, type the email address (or multiple
email addresses separated by commas) where you want status messages
sent.
IMPORTANT! You must have a valid email relay server configured to send
status messages. See Configuring a Mail Relay Host and Notification Address
on page 338 for more information about configuring a relay host.
9. Click Save.
The backup task is created.
Automating Software Updates

The tasks you schedule to automate download, push, and installation of software
updates vary depending on whether you are updating an appliance directly or are
using a Defense Center to perform the updates.
When automating direct software updates for an appliance, you can schedule
automatic software installation and, as long as the appliance has access to the
Internet, the appliance automatically downloads the latest update when the
installation task runs. So, for example, if you want to update your 3D Sensor
directly and it is connected to the internet, you can just schedule the Install Latest
Update task. Similarly, if you want to update the software for your Defense
Center, you can schedule Install Latest Update to download and install the latest
Defense Center update.
If you use your Defense Center to automate software updates for managed
3D Sensors, you must schedule two tasks:
1. Push the update to managed sensors.
2. Install the update on managed sensors.
Note that when the Defense Center runs either the Push Latest Update or the
Install Latest Update task, it queries the Sourcefire support site for the latest
updates, as long as it has access to the Internet.
You should schedule the push and install tasks to happen in succession. For
example, if you want to automate software updates on your managed sensors,
you must always push the update to the sensor first, then install it on the sensor.
Always allow enough time between tasks for the process to complete. Tasks
should be scheduled at least 30 minutes apart. For example, if you schedule a
task to install an update and the update has not finished copying from the
Defense Center to the sensor, the installation task will not succeed. However, if
the scheduled installation task repeats daily, it will install the pushed update when
it runs the next day.
Note that the tasks for pushing the update to managed sensors (on the Defense
Center) and installing the update (on any appliance) automatically check the

Scheduling Tasks
Support site to ensure that you have the latest version of the update. If your
appliance cannot access the Support site, the task does not complete. This
behavior also has implications for appliances that cannot access the Support site
at all. Specifically, if you manually download an update to an appliance that cannot
access the Support site, you cannot schedule either pushes to managed sensors
(on the Defense Center) or installs (on any appliance). Instead you must manually
push or install the updates as described in Updating System Software on
page 398.
If you want to have more control over this process, you can use the Once option
to download and install updates during off-peak hours after you learn that an
update has been released.
TIP! The automated update process allows you to download and install software
patches and feature releases (generally when the last two digits in the four-digit
version number change, such as 4.8.1 or 4.8.2.1). For larger, more comprehensive
updates (such as 4.8 or 4.9), you must manually upload, push, and install the
upgrade files.

• Automating Software Downloads on page 431
• Automating Software Pushes on page 433
• Automating Software Installs on page 435
Automating Software Downloads

Requires: IPS or DC/ You can create a scheduled task that automatically downloads the latest software
MDC updates from Sourcefire. On the Defense Center, you can also automate
vulnerability database (VDB) updates. You can use this task to schedule download
of updates you plan to push or install manually.
To automate software updates:

2. Click Add Task.

Scheduling Tasks
3. From the Job Type list, select Download Latest Update.

The Add Task page reloads to show the update options. The Defense Center
version of the page is shown below.
4. Specify how you want to schedule the task, Once or Recurring.

time.
spaces, or dashes.
IMPORTANT! If your appliance is not directly connected to the Internet, you

should set up a proxy as described in Configuring Network Settings on
page 377 to allow it to download updates from the Sourcefire Support site
(https://support.sourcefire.com/).
6. In the Update Items section, specify which updates you want to download.
• Select Software to download the most recent software patch.
• Requires: DC Select Vulnerability Database to download the most recent
vulnerability database update.
Both options are selected by default.

Scheduling Tasks

sent.
9. Click Save.
The task is created.
Automating Software Pushes

Requires: DC/MDC If you are installing software or vulnerability database updates on managed
3D Sensors, you must push the software to the managed sensors before
installing. When you push software updates to managed sensors, information
about the push process status is reported on the Tasks page. See Viewing the
Status of Long-Running Tasks on page 600 for more information.
Note that if you manually download an update to an appliance that cannot access
the Support site, you cannot schedule pushes to managed sensors. Instead you
must manually push the update as described in Updating System Software on
page 398.
When you create the task to push software updates to managed sensors, make
sure you allow enough time between the push task and a scheduled install task
for the updates to be copied to the sensor.
To push software updates to managed sensors:

2. Click Add Task.

Scheduling Tasks
3. From the Job Type list, select Push Latest Update.

The page reloads to show the options for pushing updates.

time.
spaces, or dashes.
6. From the Sensor list, select the sensor that you want to receive updates.
7. In the Update Items section, specify which updates you want to push to your
managed sensors.
• Select Software to push the software update.
• Requires: DC + RNA Select Vulnerability Database to push the VDB update.
Both options are selected by default.

Scheduling Tasks
sent.
10. Click Save.

The task is added. You can check the status of a running task on the Task
Status page. See Viewing the Status of Long-Running Tasks on page 600 for
more information.
Automating Software Installs

Requires: IPS or DC/ If you are using a Defense Center to create a task to install a software update on
MDC a managed sensor, make sure you allow enough time between the task that
pushes the update to the sensor and the task that installs the update. See
Automating Software Pushes on page 433 for information about pushing updates
to managed sensors.
the Support site, you cannot schedule installation of that update. Instead you
must manually install the update as described in Updating System Software on
page 398.
WARNING! Depending on the update being installed, the appliance may reboot
after the software is installed.
To schedule a software installation task:

2. Click Add Task.

Scheduling Tasks
3. From the Job Type list, select Install Latest Update.

The page reloads to show the options for installing updates. The Defense
Center version of the page is shown below.

time.
spaces, or dashes.
6. If you are using a Defense Center, from the Sensor list, you have the following
options:
• Select the sensor where you want to install the update.
• Select the name of the Defense Center to install the update there.
7. In the Update Items section, select Software to install the software update.

Scheduling Tasks
Automating Vulnerability Database Updates Chapter 13
sent.
10. Click Save.

The scheduled software installation task is added.
You can check the status of a running task on the Task Status page. See
Viewing the Status of Long-Running Tasks on page 600 for more information.
Automating Vulnerability Database Updates

Sourcefire uses vulnerability database (VDB) updates to distribute new operating
system fingerprints as we expand the list of operating systems that RNA
recognizes. VDB updates also include new vulnerabilities discovered by the
Sourcefire Vulnerability Research Team (VRT). You can use the scheduling feature
to download and install the latest VDB updates, thereby ensuring that RNA is
using the most up-to-date information to evaluate the hosts on your network.
TIP! If your Sourcefire 3D System deployment includes IPS and RNA monitoring
the same network segments, make sure that you download and install VDB
updates and SEUs on a regular basis. This ensures that your Defense Center is
correctly setting the impact flag on the intrusion events generated by the traffic
on your network.
When automating VDB updates for your Defense Center, you must automate two
separate steps:
1. Downloading the VDB update.
2. Installing the VDB update.
When automating VDB updates for managed sensors with RNA, you must
schedule three tasks in this order:
1. Download the VDB update on your Defense Center.
2. Push the VDB update to your managed 3D Sensors that are using the RNA
component.
3. Install the VDB update on the Defense Center and on those managed
sensors.
Always allow enough time between tasks for the process to complete. For
example, if you schedule a task to install an update and the update has not fully

Scheduling Tasks
downloaded, the installation task will not succeed. However, if the scheduled
installation task repeats daily, it will install the downloaded VDB update when it
runs the next day.
the Support site, you cannot schedule either pushes to managed sensors (on the
Defense Center) or installs (on any appliance). Instead you must manually push or
install the updates as described in Updating System Software on page 398.
If you want to have more control over this process, you can use the Once option
to download and install VDB updates during off-peak hours after you learn that an
update has been released.
• Automating VDB Update Downloads on page 438
• Automating VDB Update Pushes on page 440
• Automating VDB Update Installs on page 442
Automating VDB Update Downloads

Requires: DC/MDC + You can create a scheduled task that automatically downloads the latest
RNA vulnerability database updates from Sourcefire.
IMPORTANT! You cannot download the VDB using a scheduled task on a sensor.
You must download the VDB on the Defense Center and push it to the sensor.
To automate VDB updates:

2. Click Add Task.

Scheduling Tasks
3. From the Job Type list, select Download Latest Update.

The Add Task page reloads to show the update options.

time.
spaces, or dashes.
IMPORTANT! If your appliance is not directly connected to the Internet, you

should set up a proxy as described in Configuring Network Settings on
page 377 to allow it to download updates from the Sourcefire Support site
(https://support.sourcefire.com/).
6. In the Update Items section, make sure Vulnerability Database is selected.

Both the Software and Vulnerability Database options are selected by default.

Scheduling Tasks
sent.
9. Click Save.
Automating VDB Update Pushes

Requires: DC/MDC + If you are installing vulnerability database updates on managed 3D Sensors with
3D Sensor + RNA RNA, you must push the update to the managed sensors before installing. When
you push VDB updates to managed sensors, information about the process
status is reported on the Tasks page. See Viewing the Status of Long-Running
Tasks on page 600 for more information.
the Support site, you cannot schedule pushes to managed sensors. Instead you
must manually push the update as described in Updating System Software on
page 398.
WARNING! You must download vulnerability database updates before you can
push them to managed sensors.
To push VDB updates to managed 3D Sensors with RNA:

2. Click Add Task.

Scheduling Tasks
3. From the Job Type list, select Push Latest Update.

The page reloads to show the options for pushing updates.

time.
spaces, or dashes.
6. From the Sensor list, select the sensor that you want to receive updates.
7. In the Update Items section, make sure Vulnerability Database is selected.
Both the Software and Vulnerability Database options are selected by default.

Scheduling Tasks
sent.
10. Click Save.

The task is added. You can check the status of a running task on the Task
Status page. See Viewing the Status of Long-Running Tasks on page 600 for
more information.
Automating VDB Update Installs

Requires: DC/MDC + After you have downloaded a VDB update, you can schedule the installation
RNA process.
You should allow enough time for a scheduled VDB update to download when you
set up a scheduled task to install it. If you are creating a task to install a VDB
update on a managed sensor, you must allow enough time between the task that
pushes the update to the sensor and the task that installs the update. See
Automating VDB Update Pushes on page 440 for information about pushing
updates to managed sensors.
the Support site, you cannot schedule installation of that update. Instead you
must manually install the updates as described in Updating System Software on
page 398.
To schedule a software installation task:

2. Click Add Task.

Scheduling Tasks
3. From the Job Type list, select Install Latest Update.

The page reloads to show the options for installing updates.

time.
spaces, or dashes.
6. From the Sensor list, you have the following options:
• If you want to install the update on a managed sensor, select the name
of the sensor from the drop-down list.
• If you want to install the update on the Defense Center, select the
name of the Defense Center from the drop-down list.
7. In the Update Items section, select Vulnerability Database to install the VDB
update.

Scheduling Tasks
Automating SEU Imports Chapter 13
sent.
10. Click Save.

The scheduled VDB installation task is added.
Automating SEU Imports

Requires: IPS or DC/ As new vulnerabilities are identified, the Sourcefire Vulnerability Research Team
MDC + IPS (VRT) releases Security Enhancement Updates (SEUs). An SEU contains new and
updated standard text rules and shared object rules and may contain updated
versions of Snort® and features such as preprocessors and decoders. You can
automatically download and install SEUs.
The Import SEU task allows you to schedule the following subtasks separately or
to combine them into one scheduled task:
1. Download the latest SEU.
2. Import the SEU.
3. Re-apply your intrusion policy so that the new SEU takes effect.
Note that on the Defense Center, you also must re-apply your intrusion policies
on your managed 3D Sensors with IPS. Applying an intrusion policy from a
Defense Center to a managed sensor after you import an SEU does not apply the
SEU to the sensor. However, any new rules or features provided by the SEU that
are enabled in the policy you apply to the sensor are also enabled on the sensor
by that policy.
The selected subtasks present in the Import SEU task occur in the following
order: download, install, rule state update, and policy re-apply. Once one subtask
completes, the next configured subtask begins. Note that you can only re-apply
policies applied from the appliance where the scheduled task is configured.
If you enable Update when a new SEU is installed for the base policy of an existing
policy and the SEU contains changes to the default rule states for existing rules in
that base policy, those changes are also imported. Note, however, that if you
changed a rule state, the SEU does not override your change.
VRT sometimes uses an SEU to change the default state of one or more rules in a
default policy. If you allow SEUs to update your base policy, you also allow the

Scheduling Tasks
Automating SEU Imports Chapter 13
SEU to change the default state of a rule in your policy when the default state
changes in the default policy you used to create your policy (or in the default
policy it is based on). Note, however, that if you have changed the rule state, the
SEU will not override your change.
In addition to configuring SEU imports on the Scheduling page, you can also use
the recurring SEU import feature on the Import SEU page. For more information
on the recurring SEU import feature and a comparison of the two methods of
setting up recurring imports, see Importing SEUs and Rule Files in the Analyst
Guide. Note that you must be using Snort 2.8.2 or higher to import recurring
SEUs on the Import SEU page.
IMPORTANT! SEUs may contain new binaries. Make sure your process for
downloading and importing SEUs complies with your security policies. In
addition, SEUs can be quite large, so make sure you schedule downloads during
periods of low network use.
To schedule an Import SEU task:

2. Click Add Task.
3. From the Job Type list, select Import SEU.
The page reloads to show the options for importing SEUs.

Scheduling Tasks
Automating Intrusion Policy Applications Chapter 13

time.
spaces, or dashes.
6. To use this task to download the latest SEU, select Download the latest SEU
from the support site.
7. To use this task to install the latest downloaded SEU, select Install the latest
downloaded SEU.
8. To re-apply intrusion policies after installing an SEU, select Reapply intrusion
policies after the SEU import completes.
sent.
11. Click Save.

Automating Intrusion Policy Applications

Requires: IPS or DC/ You can automatically apply intrusion policies at scheduled intervals. This feature
MDC + IPS is useful if you need to use different policies during different times of the day.

Scheduling Tasks
Automating Intrusion Policy Applications Chapter 13
To automate intrusion policy application:

2. Click Add Task.
3. From the Job Type list, select Apply Policy.
The page reloads to show the options for applying an intrusion policy.

time.
spaces, or dashes.
6. In the Policy Name field, select the intrusion policy you want to apply from the
drop-down list or select Policy Default to apply the policy to each detection
engine targeted in the policy.
7. In the Detection Engine field, select the detection engine where you want to
apply the policy.

Scheduling Tasks
Automating Reports Chapter 13

sent.
10. Click Save.

Automating Reports
Requires: IPS or DC/ You can automate reports so that they run at regular intervals. However, you must
MDC design a profile for your report before you can configure it as a scheduled task.
See Creating a Report Profile on page 246 for more information about using the
report designer to create a report profile.
To automate a report:
2. Click Add Task.

Scheduling Tasks
Automating Reports Chapter 13
3. From the Job Type list, select Reports.

The page reloads to show the options for setting up a report to run
automatically. The Defense Center version of the page is displayed below.

time.
spaces, or dashes.
6. In the Report Profile field, select the report profile that you want to use from
the drop-down list.
IMPORTANT! You cannot run remote reports on Crossbeam-based software

sensors.
7. Requires: DC If you want to run the report on a managed sensor, in the Remote
Run field, select the name of the sensor from the drop-down list.

Scheduling Tasks
Automating Nessus Scans Chapter 13
sent.
10. Click Save.

Automating Nessus Scans

You can schedule regular Nessus scans of targets on your network. Automated
scans allow you to test periodically to make sure that operating system updates
or other changes do not introduce vulnerabilities on your enterprise-critical
systems. You can also schedule scans to test for recurrent vulnerabilities to
attacks that have happened in the past. See the following sections for more
information:
• Preparing Your System to Run a Nessus Scan on page 450
• Scheduling a Nessus Scan on page 451
Note that a Policy & Response Administrator can also use a Nessus scan as a
remediation. For more information, see Nessus Scan Remediations in the Analyst
Guide.
Preparing Your System to Run a Nessus Scan

If you have not used the Nessus scanning capability before, you need to complete
several Nessus configuration steps prior to defining a scheduled scan.
1. If you do not have an existing external Nessus server, set up the Nessus
server on your Defense Center.
For more information on starting the server and configuring and activating a
Nessus user, see Configuring a Local Nessus Server on page 641.
2. Create a scan instance to define the Nessus server to be used by your scan.
For more information on setting up a Nessus server connection profile, see
Creating a Nessus Scan Instance on page 643.
IMPORTANT! Make note of the name of the scan instance you create. You
need to select this name when prompted for the Nessus Remediation name
when setting up the scheduled scan.

Scheduling Tasks
Automating Nessus Scans Chapter 13
3. Create a scan target to define the target hosts and host ports to scan.
For more information on setting up a scan target, see Creating a Nessus Scan
Target on page 645.
4. Create a remediation definition to define what plugins and Nessus scan
settings should be used when the scheduled scan runs.
For more information on setting up a remediation definition, see Creating a
Nessus Remediation on page 646.
5. Continue with Scheduling a Nessus Scan.
Scheduling a Nessus Scan

Requires: DC + RNA You can automate Nessus scanning using a specific scan remediation by
scheduling the scan.
To schedule Nessus scanning:

2. Click Add Task.
3. From the Job Type list, select Nessus Scan.
The page reloads to show the options for automating Nessus scans.

Scheduling Tasks
Synchronizing Nessus Plugins Chapter 13

time.
spaces, or dashes.
6. In the Nessus Remediation field, select the Nessus remediation for the Nessus
server where you want to run the scan.
7. In the Nessus Target field, select the scan target that defines the target hosts
you want to scan.
sent.
10. Click Save.

Synchronizing Nessus Plugins

Requires: DC + RNA You can automate synchronization with the Nessus server to obtain an up-to-date
list of plugins before you scan. You may want to schedule your plugin
synchronization to occur shortly before your scheduled Nessus scans to make
sure that you scan with the latest list of plugins.

Scheduling Tasks
Synchronizing Nessus Plugins Chapter 13
To schedule Nessus plugin synchronization:

2. Click Add Task.
3. From the Job Type list, select Synchronize Nessus Plugins.
The page reloads to show the Nessus plugin synchronization options.

time.
The Current Time field indicates the current time on the appliance.
spaces, or dashes.
6. In the Nessus Instance field, select the instances with the Nessus plugins that
you want to synchronize.

Scheduling Tasks
Automating Nmap Scans Chapter 13
sent.
9. Click Save.
Automating Nmap Scans

You can schedule regular Nmap scans of targets on your network. Automated
scans allow you to refresh operating system and service information previously
supplied by an Nmap scan. Because RNA cannot update Nmap-supplied data, you
need to rescan periodically to keep that data up to date. You can also schedule
scans to automatically test for unidentified services on hosts in your network.
• Preparing Your System for an Nmap Scan
• Scheduling an Nmap Scan
Note that a Policy & Response Administrator can also use an Nmap scan as a
remediation. For example, when an operating system conflict occurs on a host,
that conflict can trigger an Nmap scan. Running the scan obtains updated
operating system information for the host, which resolves the conflict. For more
information, see Nmap Scan Remediations in the Analyst Guide.
Preparing Your System for an Nmap Scan

If you have not used the Nmap scanning capability before, you must complete
several Nmap configuration steps prior to defining a scheduled scan.
1. Create a scan instance to define the Nmap server to be used by your scan.
For more information on setting up a Nmap server connection profile, see
Creating an Nmap Scan Instance in the Analyst Guide.
IMPORTANT! Make note of the name of the scan instance you create. You
need to select this name when prompted for the Nmap Configuration name
when setting up the scheduled scan.
2. Create a scan target to define the target hosts and host ports to scan.
For more information on setting up a scan target, see Creating an Nmap Scan
Target in the Analyst Guide.

Scheduling Tasks
Automating Nmap Scans Chapter 13
3. Create a remediation definition to define what plugins and Nmap scan

settings should be used when the scheduled scan runs.
For more information on setting up a remediation definition, see Creating an
Nmap Remediation in the Analyst Guide.
4. Continue with Scheduling an Nmap Scan.
Scheduling an Nmap Scan

Requires: DC + RNA You can schedule a scan of a host or hosts on your network using the Nmap
utility.
Once Nmap replaces a host’s operating system or services detected by RNA with
the results from an Nmap scan, RNA no longer updates the information replaced
by Nmap for the host. Nmap-supplied service and operating system data remains
static until you run another Nmap scan. If you plan to scan a host using Nmap,
you may want to set up regularly scheduled scans to keep Nmap-supplied
operating system and services up to date. If the host is deleted from the network
map and re-added, any Nmap scan results are discarded and RNA resumes
monitoring of all operating system and service data for the host.
To schedule Nmap scanning:

2. Click Add Task.
3. From the Job Type list, select Nmap Scan.
The page reloads to show the options for automating Nmap scans.

Scheduling Tasks
Automating Recommended Rule State Generation Chapter 13

time.
spaces, or dashes.
6. In the Nmap Remediation field, select the Nmap remediation to use when
running the scan.
7. In the Nmap Target field, select the scan target that defines the target hosts
you want to scan.
sent.
10. Click Save.

Automating Recommended Rule State Generation

Requires: DC + RNA + IMPORTANT! If the system automatically generates scheduled
IPS recommendations for an intrusion policy with unsaved changes, you must discard
your changes in that policy and commit the policy if you want the policy to reflect
the automatically generated recommendations. See Committing Intrusion Policy
Changes in the Analyst Guide for more information.

Scheduling Tasks
Automating Recommended Rule State Generation Chapter 13
You can automatically generate rule state recommendations based on RNA data
for your network using the most recently saved configuration settings in your
custom intrusion policy.
When the task runs, the system automatically generates recommended rule
states. Optionally, depending on the configuration of your policy, it also modifies
the states of intrusion rules based on the criteria described in Managing RNA
Rule State Recommendations in the Analyst Guide. Modified rule states take
effect the next time you apply your intrusion policy. See Using RNA
Recommendations in the Analyst Guide for more information.
To generate recommendations:
2. Click Add Task.
3. From the Job Type list, select RNA Recommended Rules.
The page reloads to show the options for generating RNA-recommended rule
states.
4. Optionally, click the policies link in the Job Type field to display the Detection &
Prevention page, where you can configure RNA Recommended Rules in a
policy. See Managing RNA Rule State Recommendations in the Analyst
Guide for more information.

Scheduling Tasks
Viewing Tasks Chapter 13

time.
spaces, or dashes.
7. Next to Policies, select one or more policies where you want to generate
recommendations. You have the following options:
• In the Policies field, select one or more policies. Use the Shift and Ctrl
keys to select multiple policies.
• Click the All Policies check box to select all policies.
sent.
10. Click Save.

Viewing Tasks
After adding scheduled tasks, you can view them and evaluate their status. The
View Options section of the page allows you to view scheduled tasks using a
calendar and a list of scheduled tasks.

Scheduling Tasks

• Using the Calendar on page 459
• Using the Task List on page 460
Using the Calendar

Requires: DC/MDC or The Calendar view option allows you to view which scheduled tasks occur on
3D Sensor which day.
To view scheduled tasks using the calendar:

2. You can perform the following tasks using the calendar view:
• Click << to move back one year.
• Click < to move back one month.

Scheduling Tasks
• Click > to move forward one month.

• Click >> to move forward one year.
• Click Today to return to the current month and year.
• Click Add Task to schedule a new task.
• Click a date to view all scheduled tasks for the specific date in a task list
table below the calendar.
• Click a specific task on a date to view the task in a task list table below
the calendar.
IMPORTANT! For more information about using the task list, see Using the
Task List on page 460.
Using the Task List

Requires: DC/MDC or The Task List shows a list of tasks along with their status. The task list appears at
3D Sensor below the calendar when you open the calendar. In addition, you can access it by
selecting a date or task from the calendar. (See Using the Calendar on page 459
for more information.)
Task List Columns
Column Description
Name Displays the name of the scheduled task.
Type Displays the type of scheduled task.
Start Time Displays the scheduled start date and time.
Frequency Displays how often the task is run.
Comment Displays the comment that accompanies the scheduled task.
Status Describes the current status for a scheduled task.

• A check mark icon indicates that the task ran successfully.
• A question mark icon indicates that the task is in an
unknown state.
• A red ! indicates that the task failed.
Creator Displays the name of the user that created the scheduled task.
Delete Deletes the scheduled task.

Scheduling Tasks
Editing Scheduled Tasks Chapter 13
Editing Scheduled Tasks

Requires: DC/MDC or You can edit a scheduled task that you previously created. This feature is
3D Sensor especially useful if you want to test a scheduled task once to make sure that the
parameters are correct. Later, after the task completes successfully, you can
change it to a recurring task.
To edit an existing scheduled task:

2. Click either the task that you want to edit or the day on which the task
appears.
The Task Details table containing the selected task or tasks appears.
3. Locate the task you want to edit in the table and click Edit.
The Edit Task page appears showing the details of the task you selected.
4. Edit the task to meet your needs, including the start time, the job name, and
how often the task runs, once or recurring. You cannot change the type of job.
The remaining options are determined by the task you are editing. See the
following sections for more information:
• Automating Backup Jobs on page 428
• Automating Software Updates on page 430
• Automating Vulnerability Database Updates on page 437
• Automating SEU Imports on page 444
• Automating Intrusion Policy Applications on page 446
• Automating Reports on page 448
• Automating Nessus Scans on page 450
• Synchronizing Nessus Plugins on page 452
• Automating Nmap Scans on page 454
• Automating Recommended Rule State Generation on page 456
5. Click Save to save your edits.
Your change are saved and the Scheduling page appears again.
Deleting Scheduled Tasks

There are two types of deletions you can perform from the Schedule View page.
You can delete a specific one-time task that has not yet run or you can delete
every instance of a recurring task. If you delete an instance of a recurring task, all
instances of the task are deleted. If you delete a task that is scheduled to run
once, only that task is deleted.

Scheduling Tasks
Deleting Scheduled Tasks Chapter 13
The following sections describe how to delete tasks:

• To delete all instances of a task, see Deleting a Recurring Task on page 462.
• To delete a single instance of a task, see Deleting a One-Time Task on
page 462.
Deleting a Recurring Task

Requires: DC/MDC or When you delete one instance of a recurring task, you automatically delete all
3D Sensor instances of that task.
To delete a recurring task:

2. On the calendar, select an instance of the recurring task you want to delete.
The page reloads to display a table of tasks below the calendar.
3. Locate an instance of the recurring task you want to delete in the table and
click Delete.
All instances of the recurring task are deleted.
Deleting a One-Time Task

Requires: DC/MDC or You can delete a one-time scheduled task or delete the record of a previously-run
3D Sensor scheduled task using the task list.
To delete a single task or, if it has already run, delete a task record:
2. Click the task that you want to delete or the day on which the task appears.
A table containing the selected task or tasks appears.
3. Locate the task you want to delete in the table and click Delete.
The instance of the task you selected is deleted.

Chapter 14
Administrator Guide
Monitoring the System
The Sourcefire 3D System provides many useful monitoring features to assist you
in the daily administration of your system, all on a single page. For example, on
the Host Statistics page you can monitor basic host statistics, intrusion event
information, and statistics for the Data Correlator and RNA processes for the
current day. You can also monitor both summary and detailed information on all
processes that are currently running on the Defense Center or 3D Sensor. The
following sections provide more information about the monitoring features that
the system provides:
• Viewing Host Statistics on page 464 describes how to view host
information such as:
• system uptime
• disk and memory usage
• RNA process statistics
• Data Correlator statistics
• system processes
• intrusion event information
On the Defense Center, you can also use the health monitor to monitor disk
usage and alert on low disk space conditions. For more information, see
Understanding Health Monitoring on page 483.

Viewing Host Statistics Chapter 14
• Monitoring System Status and Disk Space Usage on page 468 describes
how to view basic event and disk partition information.
• Viewing System Process Status on page 468 describes how to view basic
process status.
• Understanding Running Processes on page 471 describes the basic system
processes that run on the appliance.
• Viewing IPS Performance Statistics on page 476 describes how to view IPS
performance statistics and how to generate graphs based on these
statistics.
• Viewing RNA Performance Statistics on page 478 describes how to view
RNA performance statistics and how to generate graphs based on these
statistics.
Viewing Host Statistics

Requires: Any The Statistics page lists the current status of following:
• general host statistics; see the Host Statistics table on page 464 for details
• Data Correlator statistics (Defense Center only - requires RNA); see the
Data Correlator Process Statistics table on page 465 for details
• RNA process statistics (Defense Center only - requires RNA); see the RNA
Process Statistics table on page 466 for details
• intrusion event information (requires IPS); see the Intrusion Event
Information table on page 467 for details
The Host Statistics table describes the host statistics listed on the Statistics
page.
Host Statistics
Category Description
Time The current time on the system.
Uptime The number of days (if applicable), hours, and minutes

since the system was last started.
Memory Usage The percentage of system memory that is being used.
Load Average The average number of processes in the CPU queue for
the past 1 minute, 5 minutes, and 15 minutes.

Host Statistics (Continued)
Disk Usage The percentage of the disk that is being used. Click the
arrow to view more detailed host statistics. See
Monitoring System Status and Disk Space Usage on
Processes A summary of the processes running on the system. See

Viewing System Process Status on page 468 for more
information.
If your Sourcefire 3D System deployment includes a Defense Center managing

3D Sensors with RNA, you can also view statistics about the Data Correlator and
RNA processes for the current day. As the 3D Sensors perform data acquisition,
decoding, and analysis, the RNA process correlates the data with the fingerprint
and vulnerability databases, and then produces binary files that are processed by
the Data Correlator running on the Defense Center. The Data Correlator analyzes
the information from the binary files, generates events, and creates the RNA
network map.
The statistics that appear for RNA and the Data Correlator are averages for the
current day, using statistics gathered between 12:00AM and 11:59PM for each
detection engine.
The Data Correlator Process Statistics table describes the statistics displayed for
the Data Correlator process.
Data Correlator Process Statistics
Events/Sec Number of RNA events that the Data Correlator

receives and processes per second
Flows/Sec Number of flows that the Data Correlator receives

and processes per second
CPU Usage - User (%) Average percentage of CPU time spent on user
processes for the current day
CPU Usage - System (%) Average percentage of CPU time spent on

system processes for the current day
VmSize (KB) Average size of memory allocated to the Data

Correlator for the current day, in kilobytes
VmRSS (KB) Average amount of memory used by the Data

Correlator for the current day, in kilobytes

The RNA Process Statistics table describes the statistics displayed for the RNA
process.
RNA Process Statistics
Packets Dropped (%) Average percentage of packets dropped by the

RNA process for the current day
Mbits/Second Average number of megabits per second

processed by the RNA process for the current day
Packets/Second Average number of packets per second

processed by the RNA process for the current day
CPU Usage - User (%) Average percentage of CPU time spent by user
processes for the current day
CPU Usage - System (%) Average percentage of CPU time spent by

system processes for the current day
VmSize (KB) Average size of memory allocated to the RNA

process for the current day, in kilobytes
VmRSS (KB) Average amount of memory used by the RNA

process for the current day, in kilobytes
On 3D Sensors with IPS and on Defense Centers that manage sensors with IPS,
you can also view the time and date of the last intrusion event, the total number
of events that have occurred in the past hour and the past day, and the total
number in the database.
The information in the Intrusion Event Information section of the Statistics page is
based on intrusion events stored on the sensor rather than those sent to the
Defense Center. If you manage your sensor so that intrusion events are not
stored locally, no intrusion event information is listed on this page. This is also the
case for 3D Sensors that cannot store events locally.

The Intrusion Event Information table describes the statistics displayed in the
Intrusion Event Information section of the Statistics page.
Intrusion Event Information
Statistic Description
Last Alert Was The date and time that the last event occurred
Total Events Last Hour The total number of events that occurred in the
past hour
Total Events Last Day The total number of events that occurred in the
past twenty-four hours
Total Events in Database The total number of events in the events

database
To view the Statistics page:

Access: Maint/Admin 1. Select Operations > Monitoring > Statistics.
The Statistics page appears. The Defense Center version of the page is
shown below.

Monitoring System Status and Disk Space Usage Chapter 14
2. On the Defense Center, you can also list statistics for managed sensors.
From the Select Device(s) box and click Select Devices. You can use the Shift
and Ctrl keys to select multiple devices at once.
The Statistics page is updated with statistics for the devices that you
selected.
Monitoring System Status and Disk Space Usage

Requires: Any The Disk Usage section of the Statistics page provides a quick synopsis of
partition status. You can monitor this page from time to time to ensure that
enough disk space is available for system processes and the database.
TIP! On the Defense Center you can also use the health monitor to monitor disk
usage and alert on low disk space conditions. For more information, see
To access disk usage information:

The Statistics page appears.
2. Click the down arrow next to Disk Usage to expand it.
The Disk Usage section expands.
On the Defense Center, to view disk usage information for a specific sensor:
Access: Maint/Admin 1. Select the sensor name from the Select Device(s) box, and click Select Devices.
The page reloads, listing host statistics for each sensor you selected.
2. Click the down arrow next to Disk Usage to expand it.
The Disk Usage section expands.
Viewing System Process Status

Requires: Any The Processes section of the Host Statistics page allows you to see the
processes that are currently running on an appliance. It provides general process
information and specific information for each running process. If you are
managing sensors with a Defense Center, you can use the Defense Center’s web
interface to view the process status for any managed sensor.

Viewing System Process Status Chapter 14
The Process Status table describes each column that appears in the process list.
Process Status
Column Description
Pid The process ID number
Username The name of the user or group running the process
Pri The process priority
Nice The nice value, which is a value that indicates the scheduling
priority of a process. Values range between -20 (highest priority)
and 19 (lowest priority)
Size The memory size used by the process (in kilobytes, unless the
value is followed by m, which indicates megabytes)
Res The amount of resident paging files in memory (in kilobytes,

unless the value is followed by m, which indicates megabytes)
State The process state:

• D - process is in uninterruptible sleep (usually Input/Output)
• N - process has a positive nice value
• R - process is runnable (on queue to run)
• S - process is in sleep mode
• T - process is being traced or stopped
• W - process is paging
• X - process is dead
• Z - process is defunct
• < - process has a negative nice value
Time The amount of time (in hours:minutes:seconds) that the

process has been running
Cpu The percentage of CPU that the process is using
Command The executable name of the process
To expand the process list:

The Statistics page appears.

Viewing System Process Status Chapter 14
2. On the Defense Center, select the device or devices you want to view
process statistics for and click Select Devices.
3. Click the down arrow next to Processes.
The process list expands, listing general process status that includes the
number and types of running tasks, the current time, the current system
uptime, the system load average, CPU, memory, and swap information, and
specific information about each running process.
Cpu(s) lists the following CPU usage information:

• user process usage percentage
• system process usage percentage
• nice usage percentage (CPU usage of processes that have a negative
nice value, indicating a higher priority)
Nice values indicate the scheduled priority for system processes and
can range between -20 (highest priority) and 19 (lowest priority).
• idle usage percentage
Mem lists the following memory usage information:
• total number of kilobytes in memory
• total number of used kilobytes in memory
• total number of free kilobytes in memory
• total number of buffered kilobytes in memory
Swap lists the following swap usage information:
• total number of kilobytes in swap
• total number of used kilobytes in swap
• total number of free kilobytes in swap
• total number of cached kilobytes in swap
IMPORTANT! For more information about the types of processes that run on
the appliance, see Understanding Running Processes on page 471.

Understanding Running Processes Chapter 14
To collapse the process list:

Access: Maint/Admin X Click the up arrow next to Processes.
The process list collapses.
Understanding Running Processes

There are two different types of processes that run on an appliance: daemons and
executable files. Daemons always run, and executable files are run when
required.
• Understanding System Daemons on page 471
• Understanding Executables and System Utilities on page 473
Understanding System Daemons

Daemons continually run on an appliance. They ensure that services are available
and spawn processes when required. The System Daemons table lists daemons
that you may see on the Process Status page and provides a brief description of
their functionality. This table is not an exhaustive list of all processes that may run
on an appliance.
System Daemons
Daemon Description
crond Manages the execution of scheduled commands (cron jobs)
dhclient Manages dynamic host IP addressing
fpcollect Manages the collection of client and server fingerprints
httpd Manages the HTTP (Apache web server) process
httpsd Manages the HTTPS (Apache web server with SSL) service, and checks for
working SSL and valid certificate authentication; runs in the background to
provide secure web access to the appliance
keventd Manages Linux kernel event notification messages
klogd Manages the interception and logging of Linux kernel messages
kswapd Manages Linux kernel swap memory

System Daemons (Continued)
Daemon Description
kupdated Manages the Linux kernel update process, which performs disk
synchronization
mysqld Manages Sourcefire 3D System database processes
ntpd Manages the Network Time Protocol (NTP) process
pm Manages all Sourcefire processes, starts required processes, restarts any

process that fails unexpectedly
reportd Manages reports
rnareportd Manages RNA reports
safe_mysqld Manages safe mode operation of the database; restarts the database daemon
if an error occurs and logs runtime information to a file
SFDataCorrelator Manages data transmission
sfestreamer Manages connections to third-party client applications that use the Event
(Defense Center Streamer
only)
sfmgr Provides the RPC service for remotely managing and configuring an appliance
using an sftunnel connection to the appliance
sfreactd Manages Check Point OPSEC integration; only seen if Checkpoint SAM
support is enabled
SFRemediateD Manages remediation responses

(Defense Center only
- requires RNA)
sftimeserviced Forwards time synchronization messages to managed sensors

(Defense Center
only)
sfmbservice Provides access to the sfmb message broker process running on a remote
(requires IPS) appliance, using an sftunnel connection to the appliance. Currently used only
by health monitoring to send health events and alerts from a 3D Sensor to a
Defense Center or, in a high availability environment, between Defense
Centers
sftroughd Listens for connections on incoming sockets and then invokes the correct
executable (typically the Sourcefire message broker, sfmb) to handle the
request

System Daemons (Continued)
Daemon Description
sftunnel Provides the secure communication channel for all processes requiring
communication with a remote appliance
sshd Manages the Secure Shell (SSH) process; runs in the background to provide
SSH access to the appliance
syslogd Manages the system logging (syslog) process
Understanding Executables and System Utilities

There are a number of executables on the system that run when executed by
other processes or through user action. The System Executables and Utilities
table describes the executables that you may see on the Process Status page.
System Executables and Utilities
Executable Description
awk Utility that executes programs written in the awk

programming language
bash GNU Bourne-Again SHell
cat Utility that reads files and writes content to standard

output
chown Utility that changes user and group file permissions
chsh Utility that changes the default login shell
correlator Analyzes binary files created by RNA to generate events,

(Defense flow data, and the network map
Center only -
requires RNA)
cp Utility that copies files
df Utility that lists the amount of free space on the appliance
echo Utility that writes content to standard output
egrep Utility that searches files and folders for specified input;
supports extended set of regular expressions not
supported in standard grep

System Executables and Utilities (Continued)
find Utility that recursively searches directories for specified

input
grep Utility that searches files and directories for specified input
halt Utility that stops the server
httpsdctl Handles secure Apache Web processes
hwclock Utility that allows access to the hardware clock
ifconfig Indicates the network configuration executable. Ensures

that the MAC address stays constant
iptables Handles access restriction based on changes made to the

Access Configuration page. See Configuring the Access
List for Your Appliance on page 325 for more information
about access configuration.
iptables-restore Handles iptables file restoration
iptables-save Handles saved changes to the iptables
kill Utility that can be used to end a session and process
killall Utility that can be used to end all sessions and processes
ksh Public domain version of the Korn shell
logger Utility that provides a way to access the syslog daemon

from the command line
md5sum Utility that prints checksums and block counts for specified
files
mv Utility that moves (renames) files
myisamchk Indicates database table checking and repairing
mysql Indicates a database process; multiple instances may

appear
openssl Indicates authentication certificate creation
perl Indicates a perl process

ps Utility that writes process information to standard output
RNA Captures packets, decodes and performs session

(requires RNA) reassembly, correlating acquired data with the RNA
fingerprint database, then generates binary files that the
Data Correlator processes to generate the network map
and to populate the database with events and flow data
sed Utility used to edit one or more text files
sfheartbeat Identifies a heartbeat broadcast, indicating that the

appliance is active; heartbeat used to maintain contact
between a sensor and Defense Center
sfmb Indicates a message broker process; handles

communication between Defense Centers and sensor.
sfsnort Indicates that Snort is running

(requires IPS)
sh Public domain version of the Korn shell
shutdown Utility that shuts down the appliance
sleep Utility that suspends a process for a specified number of

seconds
smtpclient Mail client that handles email transmission when email

event notification functionality is enabled
snmptrap Forwards SNMP trap data to the SNMP trap server

specified when SNMP notification functionality is enabled
ssh Indicates a Secure Shell (SSH) connection to the appliance
sudo Indicates a sudo process, which allows users other than

root to run executables
top Utility that displays information about the top CPU

processes
touch Utility that can be used to change the access and

modification times of specified files

Viewing IPS Performance Statistics Chapter 14
vim Utility used to edit text files
wc Utility that performs line, word, and byte counts on

specified files
Viewing IPS Performance Statistics

Requires: IPS or The IPS performance statistics page allows you to generate graphs that depict
DC/MDC + IPS performance statistics for IPS over a specific period of time. Graphs can be
generated to reflect number of intrusion events per second, number of megabits
per second, average number of bytes per packet, and the percent of packets
uninspected by Snort. These graphs can show statistics for the last hour, last day,
last week, or last month of operation.
IMPORTANT! Because of the way traffic is processed on 3Dx800 sensors,

performance statistics for those sensors are under reported.
IPS performance statistics refer only to the data stored locally on the 3D Sensor.
To view the IPS performance statistics:

Access: Maint/Admin X Select Operations > Monitoring > Performance > IPS.
The IPS page appears. The Defense Center version of the page is shown
below.

• Generating IPS Performance Statistics Graphs on page 476
• Saving IPS Performance Statistics Graphs on page 478
Generating IPS Performance Statistics Graphs

Requires: IPS or You can generate graphs that depict performance statistics for a Defense Center
DC/MDC + IPS or a 3D Sensor with IPS based on the number of events per second, megabits
per second, or average bytes per packet.

Viewing IPS Performance Statistics Chapter 14
New data is accumulated for statistics graphs every five minutes. Therefore, if
you reload a graph quickly, the data may not change until the next five-minute
increment occurs.
The IPS Performance Statistics Graph Types table lists the available graph types.
IPS Performance Statistics Graph Types
Graph Type Output
Events/Sec Displays a graph that represents the number of events that

are generated on the sensor per second
Mbits/Sec Displays a graph that represents the number of megabits

of traffic that pass through the sensor per second
Avg Displays a graph that represents the average number of

Bytes/Packet bytes included in each packet
This graph depicts the average percentage of uninspected
Percent Packets
Dropped packets across all detection resources (instances of Snort)
assigned to the selected detection engine. If you assign
two detection resources to a detection engine that has two
interface sets and each interface set is connected to a
different network segment, then an average of 50% may
indicate that one segment has a 90% drop rate and the
other has a 10% drop rate. It may also indicate that both
segments have a drop rate of 50%. The graph only
represents the total % drop when there is a single
detection resource assigned to a selected detection engine.
To generate IPS performance statistics graphs:

Access: Maint/Admin 1. Select Operations > Monitoring > Performance > IPS.
The IPS page appears. The Defense Center version of the page is shown
below.
2. From the Select Device list, select the detection engines whose data you want
to view.
3. From the Select Graph(s) list, select the type of graph you want to create.

Viewing RNA Performance Statistics Chapter 14
4. From the Select Time Range list, select the time range you would like to use for
the graph.
You can choose from last hour, last day, last week, or last month.
5. Click Graph.
The graph appears, displaying the information you specified.
Saving IPS Performance Statistics Graphs

Requires: IPS or After you have generated an IPS performance statistics graph, you can save the
DC/MDC + IPS graph as a graphic file for later use.
To save the graph:

Access: Maint/Admin X Right-click on the graph and follow the instructions for your browser to save
the image.
Viewing RNA Performance Statistics

Requires: DC + RNA The RNA Performance page allows you to generate graphs that display
RNA-related performance statistics over a specific period of time. Graphs can be
generated to display:
• the number of events generated by the Data Correlator per second
• the number of megabits analyzed by the RNA process per second
• average number of bytes included in each packet analyzed by the RNA
process
• the percentage of packets dropped by RNA

• the number of packets, in thousands, analyzed by the RNA process per

second
• the number of established connections analyzed by the RNA process per
second
These graphs can show statistics for the last hour, last day, last week, or last
month of operation.
To access the RNA Performance page:

Access: Maint/Admin X Select Operations > Monitoring > Performance > RNA.
The RNA page appears.

• Generating RNA Performance Statistics Graphs on page 479
• Saving RNA Performance Statistics Graphs on page 481
Generating RNA Performance Statistics Graphs

Requires: DC + RNA You can generate graphs that display performance statistics for managed
3D Sensors with RNA.
New data is accumulated for statistics graphs every five minutes. Therefore, if
you reload a graph quickly, the data may not change until the next five-minute
increment occurs.
The RNA Performance Statistics Graph Types table lists the available graph types.
RNA Performance Statistics Graph Types
Graph Type Output
Processed Events/Sec Displays a graph that represents the number

of events that the Data Correlator processes
per second
Processed Flows/Sec Displays a graph that represents the number

of flows that the Data Correlator processes
per second
Generated Events/Sec Displays a graph that represents the number

of events that RNA generates per second

RNA Performance Statistics Graph Types (Continued)
Graph Type Output
Mbits/Sec Displays a graph that represents the number

of megabits of traffic that are analyzed by the
RNA process per second
Avg Bytes/Packet Displays a graph that represents the average

number of bytes included in each packet
analyzed by the RNA process
Percent Packets Displays a graph that represents the

Dropped percentage of packets dropped by RNA
K Packets/Sec Displays a graph that represents the number

of packets analyzed by the RNA process per
second, in thousands
Syn/Ack/Sec Displays a graph that represents the number

of established connections observed by the
RNA process per second
To generate RNA performance statistics graphs:

Access: Maint/Admin 1. Select Operations > Monitoring > Performance > RNA.
The RNA page appears.
2. From the Select Target list, select the Defense Center, the managed
3D Sensors, or the detection engines that you want to include.
Depending on whether you select a detection engine or a sensor, the Select
Graph(s) list adjusts to display the available graphs.
3. From the Select Graph(s) list, select the type of graph you want to create.
TIP! You can select multiple graphs by holding down the Ctrl or Shift keys
while clicking on the graph type.
4. From the Select Time Range list, select the time range you would like to use for
the graph.
You can choose from last hour, last day, last week, or last month.

5. Click Graph.
The graph appears, displaying the information you specified. If you selected
multiple graphs, each graph appears on the page.
Saving RNA Performance Statistics Graphs

Requires: DC + RNA After you have generated an RNA performance statistics graph, you can save the
graph as a graphic file for later use.
To save the graph:

Access: Maint/Admin 1. Create an RNA performance statistic graph as described in Generating RNA
Performance Statistics Graphs on page 479.
2. Right-click on the graph and follow the instructions for your browser to save
the image.

Chapter 15
Administrator Guide
Using Health Monitoring
The health monitor provides numerous tests for determining the health of an
appliance from the Defense Center. You can use the health monitor to create a
collection of tests, referred to as a health policy, and apply the health policy to one
or more appliances. You can create one health policy for every appliance in your
system, customize a health policy for the specific appliance where you plan to
apply it, or use one of the default health policies. You can also import a health
policy exported from another Defense Center.
The tests, referred to as health modules, are scripts that test for criteria you
specify. You can modify a health policy by enabling or disabling tests or by
changing test settings, and you can delete health policies that you no longer need.
You can also suppress messages from selected appliances by blacklisting them.
The tests in a health policy run automatically at the interval you configure. You can
also run all tests or a specific test on demand. The health monitor collects health
events based on the test conditions configured. Optionally, you can also configure
email, SNMP, or syslog alerting in response to health events.
At the Defense Center, you can view health status information for the entire
system or for a particular appliance. Fully customizable event views allow you to
quickly and easily analyze the health status events gathered by the health
monitor. These event views allow you to search and view event data and to
access other information that may be related to the events you are investigating.
You can also generate troubleshooting files for an appliance if you are asked to do
so by Support.
• Understanding Health Monitoring on page 483

Understanding Health Monitoring Chapter 15
• Using the Health Monitor Blacklist on page 534

Understanding Health Monitoring

You can use the health monitor to check the status of critical functionality across
your Sourcefire 3D System deployment. Monitor the health of your entire
Sourcefire 3D System through the Defense Center by applying health policies to
each of the managed appliances and collecting the resulting health data at the
Defense Center. Pie charts and status tables on the Health Monitor page visually
represent the health status for monitored appliances, so you can check status at a
glance, then drill down into status details if needed.
You can use the health monitor to access health status information for the entire
system or for a particular appliance. The Health Monitor page provides a visual
summary of the status of all appliances on your system. Individual appliance
health monitors let you drill down into health details for a specific appliance.
You can also view health events in the standard Sourcefire 3D System table view.
From an individual appliance’s health monitor, you can open a table view of
occurrences of a specific event, or you can retrieve all the health events for that
appliance. You can also search for specific health events. For example, if you want
to see all the occurrences of CPU usage with a certain percentage, you can
search for the CPU usage module and enter the percentage value.
You can also configure email, SNMP, or syslog alerting in response to health
events. A health alert is an association between a standard alert and a health
status level. For example, if you need to make sure an appliance never fails due to
hardware overload, you can set up an email alert. You can then create a health
alert that triggers that email alert whenever CPU, disk, or memory usage reaches
the Warning level you configure in the health policy applied to that appliance. You
can set alerting thresholds to minimize the number of repeating alerts you
receive.

Because health monitoring is an administrative activity, only users with Admin

access privileges can access system health data. For more information on
assigning user privileges, see Modifying User Privileges and Options on
page 306.
IMPORTANT! Except for the Defense Center, Sourcefire 3D System appliances

do not have health monitoring policies applied to them by default. If you want to
monitor the health of a managed appliance, you have to apply a health policy to
that appliance. For more information on available default health policies you can
apply to an appliance, see Predefined Health Policies on page 490. For more
information on creating customized health policies, see Creating Health Policies
on page 497. For details on applying policies, see Applying Health Policies on
page 528.
For more information on health policies and the health modules you can run to
test system health, see the following topics:
• Understanding Health Policies on page 484
• Understanding Health Modules on page 485
• Understanding Health Monitoring Configuration on page 489
Understanding Health Policies

A health policy is a collection of health module settings you apply to an appliance
to define the criteria that the Defense Center uses when checking the health of
the appliance. The health monitor tracks a variety of health indicators to ensure
that your Sourcefire 3D System hardware and software are working correctly.
When you create health policies, you choose which tests to run to determine
appliance health. You can also apply one of the five default health policies to each
appliance. For example, to monitor the health of a 3D Sensor with IPS, you can
create a policy that monitors just the intrusion event rate and the IPS process, or
you can apply the default policy, which also monitors CPU, disk, and memory
usage, the Data Correlator process, and traffic status.

Understanding Health Modules

Health modules, also sometimes referred to as health tests, are scripts that test
for the criteria you specify in a health policy. The available health modules are
described in the Health Modules table.
Health Modules
Module Description
Appliance Heartbeat This module determines if an appliance heartbeat is being heard from the
sensor and alerts based on the sensor heartbeat status.
Automatic This module determines if a detection engine has been bypassed because it
Application Bypass did not respond within the number of seconds set in the bypass threshold,
Status and alerts when a bypass occurs.
CPU Temperature This module determines if the CPU on the sensor is overheated and alerts
when the temperature exceeds temperatures configured for the module. This
module only runs on 3Dx800 sensors.
CPU Usage This module checks that the CPU on the appliance is not overloaded and alerts
when CPU usage exceeds the percentages configured for the module.
Card Reset This module checks for network cards which have restarted due to hardware
failure and alerts when a reset occurs.
Data Correlator This module determines if the Data Correlator process (SFDataCorrelator) is
Process restarting too often, which may indicate a problem with the process, and alerts
when the number of restarts exceeds limits configured for the module.
The restart counter does not count actual restarts. The module checks if any
restarts occurred during the period between tests. Even if multiple restarts
occur between tests, the module only increments the restart counter by one
each time it checks. If any restarts occur, the module adds one to the restart
count. The first time the module checks and no restarts have occurred since
the last test, the module resets the counter to zero. The alert level also lowers
by one level (for example, Critical is reduced to Warning or Warning is reduced
to Normal). The second time the module checks and no restarts have occurred
since the last test, the alert level resets to Normal.
If the module finds that the process is not running at all, it increments the
restart counter by one, but sets the module status to Critical for that test,
regardless of the limits set for the module. The status remains Critical until the
module finds that the process is running. At that point, the module sets status
according to the restart counter value and the configured limits for the
module.
For more information on system daemons such as SFDataCorrelator, see
Understanding System Daemons on page 471.

Health Modules (Continued)
Module Description
Defense Center This module ensures that there are heartbeats from connected Defense
Status Centers and alerts based on the Defense Center status.
This module only runs on Master Defense Centers.
Disk Usage This module compares disk usage on the appliance to the limits configured for
the module and alerts when usage exceeds the percentages configured for
the module.
eStreamer Process This module determines if the eStreamer process is restarting too often,
which may indicate a problem with the process, and alerts when the number
of restarts exceeds limits configured for the module.
module.
This module only runs on Defense Centers.
Event Stream Status This module compares the number of events per second to the limits
configured for this module and alerts if the limits are exceeded. If the Event
Stream is zero, the eStreamer process may be down or the Defense Center
may not be sending events.
This module only runs on Master Defense Centers.
Fan Alarm This module determines if fans need to be replaced on the sensor and alerts
based on the fan status. This module only runs on 3Dx800 sensors.
Hardware Alarms This module determines if hardware needs to be replaced on a 3Dx800 or

3D9900 sensor and alerts based on the hardware status. On the 3D9900, the
module also reports on the status of hardware-related daemons. This module
only runs on 3Dx800 sensors and 3D9900 sensors.
For more information on the details reported for 3D9900 sensors, see
Interpreting Hardware Alert Details for 3D9900 Sensors on page 560.

Module Description
Health Monitor This module monitors the status of the health monitor itself and alerts if the
Process number of minutes since the last health event received by the Defense Center
exceeds the Warning or Critical limits.
This module only runs on Defense Centers.
IPS Event Rate This module compares the number of intrusion events per second to the limits
configured for this module and alerts if the limits are exceeded. If the IPS
Event Rate is zero, the IPS process may be down or the 3D Sensor may not be
sending events. Select Analysis & Reporting > Event Summary > Intrusion Event
Statistics to check if events are being received from the sensor.
IPS Process This module determines if the IPS process (snort) has been restarting too
often, which may indicate a problem with the process, and alerts when the
number of restarts exceeds the limits configured for the module. The IPS
process (also known as snort) is the packet decoder on a 3D Sensor with that
is licensed for IPS component. If the IPS process is down or has been
restarting, the IPS Event Rate results may be inaccurate.
The restart counter does not indicate the number of restarts. Instead, the
module checks if any restarts occurred during the period between tests. Even
if multiple restarts occur between tests, the module only increments the
restart counter by one each time it checks. If any restarts occur, the module
adds one to the restart count. The first time the module checks and no restarts
have occurred since the last test, the module resets the counter to zero. The
alert level also lowers by one level (for example, Critical is reduced to Warning
or Warning is reduced to Normal). The second time the module checks and no
restarts have occurred since the last test, the alert level resets to Normal.
module.
Link State This module determines when a link in a paired inline interface set fails and
Propagation triggers the link state propagation mode.
MDC Event Service This module monitors the health of the internal eStreamer process used to
transmit events to the Master Defense Center from the Defense Center.
Memory Usage This module compares memory usage on the appliance to the limits
configured for the module and alerts when usage exceeds the levels
configured for the module.
This module monitors the application of PEP rules to interface sets on a
PEP Status
3D9900. If PEP rules cannot be applied to interfaces in an interface set, the
module generates an alert.

Module Description
Power Supply This module determines if power supplies on the sensor require replacement
and alerts based on the power supply status. This module only runs on the
Series 2 DC3000, MDC3000, 3Dx800, 3D9900, 3D3500, 3D4500, and
3D6500 appliances.
RNA Event Status This module indicates whether a specified period of time has passed since any
RNA events have been detected by a sensor.
RNA Host License This module determines if sufficient RNA host licenses remain and alerts
Limit based on the warning level configured for the module.
RNA Process This module determines if the RNA process (rna) is restarting too often, which
may indicate a problem with the process, and alerts based on the number of
restarts configured for the module.
module.
Time Synchronization This module tracks the synchronization of a sensor clock that obtains time
Status using NTP with the clock on the NTP server and alerts if the difference in the
clocks is more than ten seconds.
Traffic Status This module determines if the sensor currently collects traffic and alerts based
on the traffic status.

Configuring Health Policies Chapter 15
Understanding Health Monitoring Configuration

There are several steps to setting up health monitoring on your Sourcefire 3D
System, as indicated in the following procedure:
1. Create health policies for your appliances.
You can set up specific policies for each kind of appliance you have in your
Sourcefire 3D System, enabling only the appropriate tests for that appliance.
TIP! If you want to quickly enable health monitoring without customizing the
monitoring behavior, you can apply one of the default policies provided for
that purpose.
For more information on setting up health policies, see Configuring Health

Policies on page 489.
2. Apply a health policy to each appliance where you want to track health status.
For information on the default health policies available for immediate
application, see Predefined Health Policies on page 490.
3. Optionally, configure health monitor alerts.
You can set up email, syslog, or SNMP alerts that trigger when the health
status level reaches a particular severity level for specific health modules.
For more information on setting up health monitor alerts, see Configuring
Health Monitor Alerts on page 539.
After you set up health monitoring on your system, you can view the health status
at any time on the Health Monitor page or the Health Table Events View. For more
information about viewing system health data, see the following topics:
Configuring Health Policies

A health policy contains configured health test criteria for several modules. You
can control which health modules run against each of your appliances and
configure the specific limits used in the tests run by each module. For more
information on the health modules you can configure in a health policy, see
You can create one health policy that can be applied to every appliance in your
system, customize each health policy to the specific appliance where you plan to
apply it, or use the default health policies provided for you. You can also import a
health policy exported from another Defense Center.

When you configure a health policy, you decide whether to enable each health
module for that policy. You also select the criteria that control which health status
each enabled module reports each time it assesses the health of a process.
For more information on the default health policy, which is applied to the Defense
Center and Master Defense Center automatically, see Default Health Policy on
page 493.
• Predefined Health Policies on page 490
• Creating Health Policies on page 497
• Applying Health Policies on page 528
• Editing Health Policies on page 530
• Deleting Health Policies on page 533
Predefined Health Policies

The Defense Center health monitor includes several default health policies to
make it easier for you to quickly implement health monitoring for your appliances.
The Default Health Policy is automatically applied to the Defense Center. To also
monitor sensor health, you can push health policies to 3D Sensors.
IMPORTANT! You cannot apply a health policy to RNA Software for Red Hat
Linux or Crossbeam-based software sensors.

• Default 3D Sensor Health Policy on page 491
• Default 3Dx800 Health Policy on page 491
• Suggested 3D9900 Health Policy on page 492
• Default Health Policy on page 493
• Default Intrusion Sensor Health Policy on page 495
• Default IPS (3Dx800 only) Health Policy on page 495
• Default RNA Sensor Health Policy on page 496

Default 3D Sensor Health Policy

Use the Default 3D Sensor Health Policy to monitor health on any 3D Sensor.
Enabled health modules for this policy are listed in the Enabled Health Modules:
3D Sensor Health Policy table.
Enabled Health Modules: 3D Sensor Health Policy
Module For more information, see...
Automatic Configuring Automatic Application Bypass Monitoring on

Application page 502
Bypass Status
Data Correlator Configuring Data Correlator Process Monitoring on

Process page 506
Disk Usage Configuring Disk Usage Monitoring on page 508
IPS Event Rate Configuring IPS Event Rate Monitoring on page 515
IPS Process Configuring IPS Process Monitoring on page 516
Link State Configuring Link State Propagation Monitoring on

Propagation page 518
Memory Usage Configuring Memory Usage Monitoring on page 520
Power Supply Configuring Power Supply Monitoring on page 522
RNA Process Configuring RNA Process Monitoring on page 525
Traffic Status Configuring Traffic Status Monitoring on page 527
Default 3Dx800 Health Policy

Use the Default 3Dx800 Health Policy to monitor health on 3Dx800 sensors.
Enabled health modules for this policy are listed in the Enabled Health Modules:
Default 3Dx800 Health Policy table. Note that the Hardware Alarm module should

be used instead of the Power Supply module to monitor power supply health on
the 3Dx800 sensor models.
Enabled Health Modules: Default 3Dx800 Health Policy

Bypass Status
CPU Configuring CPU Temperature Monitoring on page 503

Temperature
Fan Alarm Configuring Fan Monitoring on page 512
Hardware Configuring Hardware Monitoring on page 513

Alarms
Suggested 3D9900 Health Policy

The Defense Center interface does not include a default health policy specifically
for 3D9900 sensors. Sourcefire recommends that you start with the default
3D Sensor policy and enable the Hardware Alarms module. If the sensor will be
running RNA, enable the RNA Process module as well.
Health modules that should be enabled when creating a policy for this type of
sensor are listed in the Suggested Health Modules: 3D9900 Health Policy table.
Note that the CPU Usage module cannot be enabled when monitoring 3D9900

sensor models. CPU usage for a 3D9900 may reach 100% during normal sensor
operation, so the data provided by the module would generate misleading events.
Suggested Health Modules: 3D9900 Health Policy

Process page 506

Alarms

PEP Status Configuring PEP Status Monitoring on page 521
Default Health Policy

Use the Default Health Policy to monitor health on a Defense Center. Enabled
health modules for this policy are listed in the Enabled Defense Center Health
Modules - Default Health Policy table.
Enabled Defense Center Health Modules - Default Health Policy
Automatic Configuring Automatic Application Bypass Monitoring

Application Bypass on page 502
Status
Appliance Heartbeat Configuring Appliance Heartbeat Monitoring on

page 501

Enabled Defense Center Health Modules - Default Health Policy (Continued)

Process page 506

Time Synchronization Configuring Time Synchronization Monitoring on

Status page 526
RNA Host License Configuring RNA Host Usage Monitoring on page 524
Limit
Use the Default Health Policy to monitor health on a Master Defense Center.
Enabled health modules for this policy are listed in the Enabled MDC Health
Modules - Default Health Policy table.
Enabled MDC Health Modules - Default Health Policy

Process page 506
Defense Center Configuring Defense Center Status on page 507

Status
eStreamer Configuring eStreamer Process Monitoring on page 509

Process
Event Stream Configuring Event Stream Monitoring on page 511
RNA Host Configuring RNA Host Usage Monitoring on page 524

License Limit

Default Intrusion Sensor Health Policy

Use the Default IPS Health Policy to monitor health on legacy Intrusion Sensors
that you have not upgraded to Version 4.9.1. Enabled health modules for this
policy are listed in the Enabled Health Modules: Default Intrusion Sensor Health
Policy table.
Enabled Health Modules: Default Intrusion Sensor Health Policy

Bypass Status

Process page 506
Health Monitor Configuring Health Status Monitoring on page 514

Process

Default IPS (3Dx800 only) Health Policy

Use the Default IPS (3Dx800 only) Health Policy to monitor IPS health on 3Dx800
sensors. Enabled health modules for this policy are listed in the Enabled Health
Modules: Default IPS (3Dx800 only) Health Policy table. Note that the Hardware

Alarm module should be used instead of the Power Supply module to monitor
power supply health on the 3Dx800 sensor models.
Enabled Health Modules: Default IPS (3Dx800 only) Health Policy

Bypass Status
CPU Configuring CPU Temperature Monitoring on page 503

Temperature

Process page 506
Fan Alarm Configuring Fan Monitoring on page 512

Alarms
Default RNA Sensor Health Policy

Use the Default RNA Sensor Health Policy to monitor health on legacy RNA
Sensors that you have not upgraded to Version 4.9.1. Enabled health modules for

this policy are listed in the Enabled Health Modules: Default RNA Sensor Health
Policy table.
Enabled Health Modules: Default RNA Sensor Health Policy

Bypass Status

Process page 506

RNA Host Configuring RNA Host Usage Monitoring on page 524

License Limit
Creating Health Policies

Requires: DC/MDC If you want to customize a health policy to use with your appliances, you can
create a new policy. The settings in the policy initially populate with the settings
from the health policy you select as a basis for the new policy. You can enable or
disable modules within the policy and change the alerting criteria for each module
as needed.
TIP! Instead of creating a new policy, you can export a health policy from another
Defense Center and then import it onto your Defense Center. You can then edit
the imported policy to suit your needs before you apply it. For more information,
see Importing and Exporting Objects on page 583.
To create a health policy:

Access: Maint/Admin 1. Select Operations > Monitoring > Health.
The Health Monitor page appears.

2. On the toolbar, click Health Policy.

The Health Policy page appears.
3. Click Create Policy to create a new policy.

The Create Health Policy page appears.
4. Select the existing policy that you want to use as the basis for the new policy
from the Copy Policy drop-down list.
5. Enter a name for the policy.
6. Enter a description for the policy.

7. Select Save to save the policy information.

The Health Policy Configuration page appears, including a list of the modules.
8. Configure settings on each module you want to use to test the health status
of your appliances, as described in the following sections:
• Configuring Policy Run Time Intervals on page 500
• Configuring Appliance Heartbeat Monitoring on page 501
• Configuring Automatic Application Bypass Monitoring on page 502
• Configuring CPU Temperature Monitoring on page 503
• Configuring CPU Usage Monitoring on page 504
• Configuring Card Reset Monitoring on page 505
• Configuring Data Correlator Process Monitoring on page 506
• Configuring Defense Center Status on page 507
• Configuring Disk Usage Monitoring on page 508
• Configuring eStreamer Process Monitoring on page 509
• Configuring Event Stream Monitoring on page 511
• Configuring Fan Monitoring on page 512

• Configuring Hardware Monitoring on page 513

• Configuring Health Status Monitoring on page 514
• Configuring IPS Event Rate Monitoring on page 515
• Configuring IPS Process Monitoring on page 516
• Configuring Link State Propagation Monitoring on page 518
• Configuring MDC Event Service Monitoring on page 519
• Configuring Memory Usage Monitoring on page 520
• Configuring PEP Status Monitoring on page 521
• Configuring Power Supply Monitoring on page 522
• Configuring RNA Event Status Monitoring on page 523
• Configuring RNA Host Usage Monitoring on page 524
• Configuring RNA Process Monitoring on page 525
• Configuring Time Synchronization Monitoring on page 526
• Configuring Traffic Status Monitoring on page 527
IMPORTANT! Make sure you enable each module that you want to run to
test the health status on each Health Policy Configuration page as you
configure the settings. Disabled modules do not produce health status
feedback, even if the policy that contains the module has been applied to an
appliance.
9. Click Save to save the policy.

You must apply the policy to each appliance for it to take effect. For more
information on applying health policies, see Applying Health Policies on
page 528.
Configuring Policy Run Time Intervals

Requires: DC/MDC You can control how often health tests run by modifying the Policy Run Time
Interval for the health policy. The maximum run time interval you can set is 99999
minutes.
WARNING! Do not set a run interval of less than five minutes.
To configure a policy run time interval:

Access: Maint/Admin 1. On the Health Policy Configuration page, select Policy Run Time Interval.
The Health Policy Configuration - Policy Run Time Interval page appears.

2. In the Run Interval (mins) field, enter the time in minutes that you want to
elapse between automatic repetitions of the test.
3. You have three options:
• To save your changes to this module and return to the Health Policy
page, click Save Policy and Exit.
• To return to the Health Policy page without saving any of your settings
for this module, click Cancel.
• To temporarily save your changes to this module and switch to another
module’s settings to modify, select the other module from the list at the
left of the page. If you click Save Policy and Exit when you are done, all
changes you made will be saved; if you click Cancel, you discard all
changes.
You must apply the health policy to the appropriate appliances if you want
your settings to take effect. See Applying Health Policies on page 528 for
more information.
Configuring Appliance Heartbeat Monitoring

Requires: DC Supported Platforms: Defense Center
The Defense Center receives heartbeats from its managed appliances once every
two minutes or every 200 events, whichever comes first, as an indicator that the
appliance is running and communicating properly with the Defense Center. Use
the Appliance Heartbeat health status module to track whether the Defense
Center receives heartbeats from managed appliances. If the Defense Center
does not detect a heartbeat from a appliance, the status classification for this
module changes to Critical. That status data feeds into the health monitor.
To configure Appliance Heartbeat health module settings:

Access: Maint/Admin 1. In the Health Policy Configuration page, select Appliance Heartbeat.
The Health Policy Configuration - Appliance Heartbeat page appears.
2. Select On for the Enabled option to enable use of the module for health status
testing.


changes.
more information.
Configuring Automatic Application Bypass Monitoring

Requires: DC/MDC Supported Platforms: 3D Sensors except 3D9900
Use this module to detect when a detection engine is bypassed because it did
not respond within the number of seconds configured as the bypass threshold. If
a bypass occurs, this module generates an alert. That status data feeds into the
health monitor.
For more information on automatic application bypass, see Automatic Application
Bypass on page 212.
To configure automatic application bypass monitoring status:

Access: Maint/Admin 1. In the Health Policy Configuration page, select Automatic Application Bypass
Status.
The Automatic Application Bypass Status page appears.
testing.


changes.
You must apply the health policy to the appropriate 3D Sensor if you want
more information.
Configuring CPU Temperature Monitoring

Requires: DC/MDC Supported Platforms: 3Dx800
The temperature of the central processing unit (CPU) on your 3Dx800 sensor
provides an important barometer for the health of your sensor. Overheating a
CPU can damage the processing unit. Use the CPU Temperature health status
module to set CPU temperature limits.
If the CPU temperature on the monitored sensor exceeds the Warning limit, the
status classification for that module changes to Warning. If the CPU temperature
on the monitored sensor exceeds the Critical limit, the status classification for
that module changes to Critical. That status data feeds into the health monitor.
By default, the Critical limit is set to 52 degrees Celsius and the Warning limit is
set to 50 degrees Celsius. The maximum temperature you can set for either limit
is 100 degrees Celsius, and the Critical limit must be greater than the Warning
limit.
WARNING! Sourcefire recommends that you do not set the Critical limit higher
than 65 degrees Celsius and that you do not set the Warning limit higher than 55
degrees Celsius.
To configure CPU temperature health module settings:

Access: Maint/Admin 1. In the Health Policy Configuration page, select CPU Temperature.
The Health Policy Configuration - CPU Temperature page appears.

testing.
3. In the Critical Threshold Celsius field, enter the number of degrees, in Celsius,
that should trigger a critical health status.
4. In the Warning Threshold Celsius field, enter the number of degrees, in Celsius,
that should trigger a warning health status.
changes.
You must apply the health policy to the appropriate sensors if you want your
settings to take effect. See Applying Health Policies on page 528 for more
information.
Configuring CPU Usage Monitoring

Requires: DC/MDC Supported Platforms: All except 3D9900
Excessive CPU usage can indicate that you need to upgrade your hardware or
that there are processes that are not functioning correctly. Use the CPU Usage
health status module to set CPU usage limits.
If the CPU usage on the monitored appliance exceeds the Warning limit, the
status classification for that module changes to Warning. If the CPU usage on the
monitored appliance exceeds the Critical limit, the status classification for that
The maximum percentage you can set for either limit is 100 percent, and the
Critical limit must be higher than the Warning limit.
Note that this module is not available for health policies applied to 3D9900
sensors.

To configure CPU Usage health module settings:

Access: Maint/Admin 1. On the Health Policy Configuration page, select CPU Usage.
The Health Policy Configuration - CPU Usage page appears.
testing.
3. In the Critical Threshold % field, enter the percentage of CPU usage that
should trigger a critical health status.
4. In the Warning Threshold % field, enter the percentage of CPU usage that
should trigger a warning health status.
changes.
more information.
Configuring Card Reset Monitoring

Requires: DC/MDC Supported Platforms: 3D500 - 3D6500 except 3Dx800
Use the card reset monitoring health status module to track when the network
card restarts because of hardware failure. If a reset occurs, this module
generates an alert. That status data feeds into the health monitor.
To configure card reset monitoring:

Access: Maint/Admin 1. In the Health Policy Configuration page, select Card Reset.
The Card Reset Monitoring page appears.

testing.
changes.
You must apply the health policy to the appropriate Defense Center if you
want your settings to take effect. See Applying Health Policies on page 528
Configuring Data Correlator Process Monitoring

Requires: DC/MDC Supported Platforms: All
The Data Correlator, short for the system daemon SFDataCorrelator, manages
data transmission. Use the Data Correlator Process health status module to set
limits for the number of restarts that trigger a change in the health status.
restarts occurred during the period between tests. Even if multiple restarts occur
between tests, the module only increments the restart counter by one each time
it checks. If any restarts occur, the module adds one to the restart count. The first
time the module checks and no restarts have occurred since the last test, the
module resets the counter to zero. The alert level also lowers by one level (for
example, Critical is reduced to Warning or Warning is reduced to Normal). The
second time the module checks and no restarts have occurred since the last test,
the alert level resets to Normal.
If the module finds that the process is not running at all, it increments the restart
counter by one, but sets the module status to Critical for that test, regardless of
the limits set for the module. The status remains Critical until the module finds
that the process is running. At that point, the module sets status according to the
restart counter value and the configured limits for the module.
If the module checks the Data Correlator process as many times as configured in
the Warning Number of restarts limit, and each time one or more restarts have
occurred, the status classification for that module changes to Warning. If the
module checks the Data Correlator process as many times as configured in the
Critical Number of restarts limit, and each time one or more restarts have
occurred, the status classification for that module changes to Critical. That status
data feeds into the health monitor.

The maximum number of restarts you can set for either limit is 100, and the
To configure Data Correlator Process health module settings:

Access: Maint/Admin 1. On the Health Policy Configuration page, select Data Correlator Process.
The Health Policy Configuration - Data Correlator Process page appears.
testing.
3. In the Critical Number of restarts field, enter the number of process restarts
4. In the Warning Number of restarts field, enter the number of process restarts
changes.
more information.
Configuring Defense Center Status

Requires: MDC Supported Platforms: Master Defense Center
Use the Defense Center Status health status module to monitor the status of a
Defense Center or Defense Centers managed by the Master Defense Center
where the health policy is applied. If a heartbeat is not obtained from the
managed Defense Center or Defense Centers, this module generates an alert.
That status data feeds into the health monitor.

To configure Defense Center Status:

Access: Maint/Admin 1. In the Health Policy Configuration page, select Defense Center Status.
The Defense Center Status page appears.
testing.
changes.
You must apply the health policy to the appropriate Defense Center if you
want your settings to take effect. See Applying Health Policies on page 528
Configuring Disk Usage Monitoring

Without sufficient disk space, an appliance cannot run. The health monitor can
identify low disk space conditions on your appliances before the space runs out.
Use the Disk Usage health status module to set disk usage limits for the / and /
volume partitions on the appliance.
IMPORTANT! Although the disk usage module lists the /boot partition as a
monitored partition, the size of the partition is static so the module does not alert
on the boot partition.
If the disk usage on the monitored appliance exceeds the Warning limit, the
status classification for that module changes to Warning. If the disk usage on the
monitored appliance exceeds the Critical limit, the status classification for that

To configure Disk Usage health module settings:

Access: Maint/Admin 1. On the Health Policy Configuration page, select Disk Usage.
The Health Policy Configuration - Disk Usage page appears.
testing.
3. In the Critical Threshold % field, enter the percentage of disk usage that should
trigger a critical health status.
4. In the Warning Threshold % field, enter the percentage of disk usage that
changes.
more information.
Configuring eStreamer Process Monitoring

Requires: DC/MDC Supported Platforms: Defense Center
Use the eStreamer Process health status module to monitor the health of the
eStreamer process on the Defense Center. eStreamer, short for the Sourcefire
Event Streamer, allows you to stream Sourcefire 3D System intrusion and
network discovery data from the Sourcefire Defense Center to an eStreamer
client.
You can set limits for the number of restarts that trigger a change in the health
status. The restart counter does not count actual restarts. The module checks if
any restarts occurred during the period between tests. Even if multiple restarts
occur between tests, the module only increments the restart counter by one each
time it checks. If any restarts occur, the module adds one to the restart count.

The first time the module checks and no restarts have occurred since the last
test, the module resets the counter to zero. The alert level also lowers by one
level (for example, Critical is reduced to Warning or Warning is reduced to
Normal). The second time the module checks and no restarts have occurred since
the last test, the alert level resets to Normal.
If the module checks the eStreamer process as many times as configured in the
Warning Number of restarts limit, and each time one or more restarts have
module checks the eStreamer process as many times as configured in the Critical
Number of restarts limit, and each time one or more restarts have occurred, the
status classification for that module changes to Critical. That status data feeds
into the health monitor.
To configure eStreamer Process health module settings:

Access: Maint/Admin 1. On the Health Policy Configuration page, select eStreamer Process.
The Health Policy Configuration - eStreamer Process page appears.
testing.


changes.
more information.
Configuring Event Stream Monitoring

Requires: DC/MDC Supported Platforms: Master Defense Center
Use the Event Stream Status module to monitor the health of the event stream
process on a Defense Center by generating alerts when too many seconds
elapse between events received by the Master Defense Center.
You can configure the elapsed duration between events, in seconds, that causes
an alert to be generated. If the wait exceeds the number of seconds configured in
the Warning Seconds since last event limit, the status classification for that
module changes to Warning. If the wait exceeds the Critical Seconds since last
event limit, the status classification for that module changes to Critical. That
status data feeds into the health monitor.
The maximum number of seconds you can set for either limit is 600, and the
Critical limit must be higher than the Warning limit. The minimum number of
seconds is 300.
To configure Event Stream Status health module settings:

Access: Maint/Admin 1. In the Health Policy Configuration page, select Event Stream Status.
The Health Policy Configuration - Event Stream Status page appears.
testing.
3. In the Critical Seconds since last event field, enter the maximum number of
seconds to wait between events, before triggering a critical health status.

4. In the Warning Seconds since last event field, enter the maximum number of
seconds to wait between events, before triggering a warning health status.
changes.
You must apply the health policy to the Master Defense Center for your
information.
Configuring Fan Monitoring

Requires: DC/MDC Supported Platforms: 3Dx800
Use the Fan Alarm health status module to warn of fan failure on a 3Dx800
sensor. If the Fan Alarm module finds a fan that has failed, the status
classification for that module changes to Critical. That status data feeds into the
health monitor.
To configure Fan Alarm health module settings:

Access: Maint/Admin 1. In the Health Policy Configuration page, select Fan Alarm.
The Health Policy Configuration - Fan Alarm monitor page appears.
testing.


changes.
information.
Configuring Hardware Monitoring

Requires: DC/MDC Supported Platforms: 3Dx800, 3D9900
Use the Hardware Alarm health status module to detect hardware failure on a
3Dx800 or 3D9900 sensor. If the Hardware Alarm module finds a hardware
component that has failed, the status classification for that module changes to
Critical. That status data feeds into the health monitor.
Note that the Hardware Alarm module can be used in addition to the Power
Supply module to monitor power supply health on the 3Dx800 sensor models.
For more information on the hardware status conditions that can cause hardware
alerts on 3D9900 sensors, see Interpreting Hardware Alert Details for 3D9900
Sensors on page 560.
To configure Hardware Alarm health module settings:

Access: Maint/Admin 1. In the Health Policy Configuration page, select Hardware Alarms.
The Health Policy Configuration - Hardware Alarm monitor page appears.
testing.


changes.
information.
Configuring Health Status Monitoring

Use the Health Monitor Process module to monitor the health of the health
monitor on a Defense Center by generating alerts when too many minutes elapse
between health events received from monitored appliances.
For example, if a Defense Center (myrtle.example.com) monitors a sensor
(dogwood.example.com), you apply a health policy with the Health Monitor
Process module enabled to myrtle.example.com. The Health Monitor Process
module then reports events that indicate how many minutes have elapsed since
the last event was received from dogwood.example.com.
You can configure the elapsed duration between events, in minutes, that causes
an alert to be generated. If the wait exceeds the number of minutes configured in
the Warning Minutes since last event limit, the status classification for that
module changes to Warning. If the wait exceeds the Critical Minutes since last
event limit, the status classification for that module changes to Critical. That
status data feeds into the health monitor.
The maximum number of minutes you can set for either limit is 144, and the
minutes is 5.
To configure Health Monitor Process module settings:

Access: Maint/Admin 1. In the Health Policy Configuration page, select Health Monitor Process.
The Health Policy Configuration - Health Monitor Process page appears.
testing.
3. In the Critical Minutes since last event field, enter the maximum number of
minutes to wait between events, before triggering a critical health status.

4. In the Warning Minutes since last event field, enter the maximum number of
minutes to wait between events, before triggering a warning health status.

changes.
You must apply the health policy to the Defense Center for your settings to
take effect. See Applying Health Policies on page 528 for more information.
Configuring IPS Event Rate Monitoring

Requires: DC/MDC Supported Platforms: IPS
Use the IPS Event Rate health status module to set limits for the number of
packets per second that trigger a change in the health status. If the event rate for
the IPS process on the monitored sensor exceeds the number of events per
second configured in the Events per second (Warning) limit, the status
classification for that module changes to Warning. If the event rate exceeds the
number of events per second configured in the Events per second (Critical) limit,
the status classification for that module changes to Critical. That status data feeds
Typically, the event rate for a network segment averages 20 events per second.
For a network segment with this average rate, Events per second (Critical) should
be set to 50 and Events per second (Warning) should be set to 30. To determine
limits for your system, find the Events/Sec value on the Statistics page for your
sensor (Operations > Monitoring > Statistics), then calculate the limits using these
formulas:
• Events per second (Critical) = Events/Sec * 2.5
• Events per second (Warning) = Events/Sec *1.5
The maximum number of events you can set for either limit is 999, and the

To configure IPS Event Rate Monitor health module settings:

Access: Maint/Admin 1. In the Health Policy Configuration page, select IPS Event Rate.
The Health Policy Configuration - IPS Event Rate page appears.
testing.
3. In the Events per second (Critical) field, enter the number of events per second
4. In the Events per second (Warning) field, enter the number of events per
second that should trigger a warning health status.
changes.
information.
Configuring IPS Process Monitoring

The IPS process (also known as Snort) is the packet decoder on a 3D Sensor with
the IPS component. Use the IPS Process health status module to monitor the
health of the IPS process on a sensor. You can configure how many restarts
trigger a change in the health status for the process.


If the module checks the IPS process as many times as configured in the Warning
status classification for that module changes to Warning. If the module checks
the IPS process as many times as configured in the Critical Number of restarts
limit, and each time one or more restarts have occurred, the status classification
for that module changes to Critical. That status data feeds into the health monitor.
To configure IPS Process Monitor health module settings:

Access: Maint/Admin 1. In the Health Policy Configuration page, select IPS Process.
The Health Policy Configuration - IPS Process page appears.
testing.


changes.
information.
Configuring Link State Propagation Monitoring

Use the Link State Propagation health status module to detect the interface link
state propagation status on an inline interface pair. If a link state propagates to the
paired interface, the status classification for that module changes to Critical and
the state reads:
Module Link State Propagation: ethx_ethy is Triggered
where x and y are the paired interface numbers.
To configure Link State Propagation health module settings:

Access: Maint/Admin 1. On the Health Policy Configuration page, select Link State Propagation.
The Health Policy Configuration - Link State Propagation monitor page
appears.
testing.


changes.
information.
Configuring MDC Event Service Monitoring

Use the MDC health status module to monitor the health of the internal
eStreamer process on the Defense Center that is used to transmit events to the
You can set limits for the number of restarts that trigger a change in the health
status. The restart counter does not count actual restarts. The module checks if
any restarts occurred during the period between tests. Even if multiple restarts
occur between tests, the module only increments the restart counter by one each
time it checks. If any restarts occur, the module adds one to the restart count.
The first time the module checks and no restarts have occurred since the last
test, the module resets the counter to zero. The alert level also lowers by one
level (for example, Critical is reduced to Warning or Warning is reduced to
Normal). The second time the module checks and no restarts have occurred since
the last test, the alert level resets to Normal.
If the module checks the MDC event service as many times as configured in the
module checks the MDC event service as many times as configured in the Critical

To configure MDC Event Service health module settings:

Access: Maint/Admin 1. On the Health Policy Configuration page, select MDC Event Service.
The Health Policy Configuration - MDC Event Service Process page appears.
testing.
changes.
more information.
Configuring Memory Usage Monitoring

Use the Memory Usage health status module to set memory usage limits. The
module calculates free memory by adding free memory and cached memory. If
the memory usage on the monitored appliance exceeds the Warning limit, the
status classification for that module changes to Warning. If the memory usage on
the monitored appliance exceeds the Critical limit, the status classification for that

To configure Memory Usage health module settings:

Access: Maint/Admin 1. On the Health Policy Configuration page, select Memory Usage.
The Health Policy Configuration - Memory Usage page appears.
testing.
3. In the Critical Threshold % field, enter the percentage of memory usage that
should trigger a critical health status.
4. In the Warning Threshold % field, enter the percentage of memory usage that
changes.
more information.
Configuring PEP Status Monitoring

Requires: DC/MDC Supported Platforms: 3D9900
Use the PEP Status health status module to monitor the application of PEP rules
to interface sets on a 3D9900. If PEP rules cannot be applied to interfaces in an
interface set, this module generates an alert. That status data feeds into the
health monitor.

To configure PEP Status health module settings:

Access: Maint/Admin 1. In the Health Policy Configuration page, select PEP Status.
The Health Policy Configuration - PEP Status monitor page appears.
testing.
changes.
information.
Configuring Power Supply Monitoring

Requires: DC/MDC Supported Platforms: Series 2 DC3000, MDC3000, 3D9900, 3Dx800, 3D3500, 3D4500, 3D6500
Use the Power Supply health status module to detect a power supply failure on a
Series 2 DC3000, MDC3000, 3Dx800, 3D9900, 3D3500, 3D4500, or 3D6500
sensor. If the Power Supply module finds a power supply that has no power, the
status classification for that module changes to No Power. If the module cannot
detect the presence of the power supply, the status changes to Critical Error. That
status data feeds into the health monitor. You can expand the Power Supply item
on the Alert Detail list in the health monitor to see specific status items for each
power supply.
Note that the Hardware Alarm module can be used in addition to the Power
Supply module to monitor power supply health on the 3Dx800 sensor models.
To configure Power Supply health module settings:

Access: Maint/Admin 1. In the Health Policy Configuration page, select Power Supply.
The Health Policy Configuration - Power Supply monitor page appears.

testing.
changes.
information.
Configuring RNA Event Status Monitoring

Requires: DC/MDC Supported Platforms: DC
Use the RNA Event Status module to monitor the health of the RNA process on a
sensor from the Defense Center by generating alerts when too many seconds
elapse between RNA events received by the Defense Center. You can configure
the elapsed duration between events, in seconds, that causes an alert to be
generated. If the wait exceeds the number of seconds configured in the Warning
Seconds since last event limit, the status classification for that module changes to
Warning. If the wait exceeds the Critical Seconds since last event limit, the status
classification for that module changes to Critical. That status data feeds into the
health monitor.
The maximum number of seconds you can set for either limit is 7200, and the
seconds is 3600.
Note that the RNA Health module was renamed to the RNA Event Status module
in 4.9.1 and that the supported platforms changed from 3D Sensor to Defense
Center in 4.9.1.
To configure RNA Event Status module settings:

Access: Maint/Admin 1. In the Health Policy Configuration page, select RNA Event Status.
The Health Policy Configuration - RNA Event Status page appears.

testing.
3. In the Critical Seconds since last event field, enter the maximum number of
seconds to wait between events, before triggering a critical health status.
4. In the Warning Seconds since last event field, enter the maximum number of
seconds to wait between events, before triggering a warning health status.
changes.
You must apply the health policy to the Defense Center for your settings to
take effect. See Applying Health Policies on page 528 for more information.
Configuring RNA Host Usage Monitoring

Requires: DC/MDC Supported Platforms: RNA
Use the RNA Host License Limit health status module to set RNA Host shortage
limits. If the number of remaining RNA Hosts on the monitored sensor falls below
the Warning Hosts limit, the status classification for that module changes to
Warning. If the number of remaining RNA Hosts on the monitored sensor falls
below the Critical Hosts limit, the status classification for that module changes to
Critical. That status data feeds into the health monitor.
The maximum number of hosts you can set for either limit is 999, and the Critical
limit must be higher than the Warning limit.
To configure RNA Host License Limit health module settings:

Access: Maint/Admin 1. In the Health Policy Configuration page, select RNA Host License Limit.
The Health Policy Configuration - RNA Host License Limit page appears.
testing.

3. In the Critical number Hosts field, enter the remaining number of available
hosts that should trigger a critical health status.
4. In the Warning number Hosts field, enter the remaining number of available
hosts that should trigger a warning health status.
changes.
information.
Configuring RNA Process Monitoring

Requires: DC/MDC Supported Platforms: RNA
Use the RNA Process health status module to set limits for the number of
restarts that trigger a change in the health status.
If the module checks the RNA process as many times as configured in the
module checks the RNA process as many times as configured in the Critical

To configure RNA Process health module settings:

Access: Maint/Admin 1. In the Health Policy Configuration page, select RNA Process.
The Health Policy Configuration - RNA Process page appears.
testing.
changes.
information.
Configuring Time Synchronization Monitoring

Use the Time Synchronization Status module to detect when the time on a
managed sensor that uses NTP to obtain time from an NTP server differs by 10
seconds or more from the time on the server.

To configure time synchronization monitoring settings:

Access: Maint/Admin 1. In the Health Policy Configuration page, select Time Synchronization Status.
The Health Policy Configuration - Time Synchronization Status monitor page
appears.
testing.
changes.
information.
Configuring Traffic Status Monitoring

Requires: DC/MDC Supported Platforms: IPS, RNA
Use the Traffic Status health status module to detect whether a sensor receives
traffic. If the Traffic Status module determines that a sensor does not receive
traffic, the status classification for that module changes to Critical. That status
data feeds into the health monitor.
WARNING! If you enable the Traffic Status module on a sensor where there are
unused interfaces that are included in an interface set associated with a detection
engine, the module interprets the idleness of the port as a traffic failure and alerts
on traffic status. To prevent alerting on idle interfaces, remove those interfaces
from all interface sets associated with detection engines. For more information
on managing interface sets, see Editing an Interface Set on page 221.

To configure Traffic Status health module settings:

Access: Maint/Admin 1. In the Health Policy Configuration page, select Traffic Status.
The Health Policy Configuration - Traffic Status monitor page appears.
testing.
changes.
information.
Applying Health Policies

Requires: DC/MDC When you apply a health policy to an appliance, the health tests for all the
modules you enabled in the policy automatically monitor the health of the
processes and hardware on the appliance. Health tests then continue to run at
the intervals you configured in the policy, collecting health data for the appliance
and forwarding that data to the Defense Center.
If you enable a module in a health policy and then apply the policy to an appliance
that does not require that health test, the health monitor reports the status for
that health module as disabled.
If you apply a policy with all modules disabled to an appliance, it removes all
applied health policies from the appliance so no health policy is applied.
When you apply a different policy to an appliance that already has a policy applied,
expect some latency in the display of new data based on the newly applied tests.
IMPORTANT! Default health policies are not replicated between Defense

Centers in a high availability pair. Each appliance uses the local default health
policy configured for that appliance.

You cannot apply a health policy to RNA Software for Red Hat Linux.
To apply a health policy:

2. Click Health Policy in the health monitor toolbar.
3. Click Apply next to the policy you want to apply.

The Health Policy Apply page appears.
TIP! The status icon next to the Health Policy column ( ) indicates the
current health status for the appliance. The status icon next to the System
Policy column ( ) indicates the communication status between the Defense
Center and the sensor. Note that you can remove the currently applied policy
by clicking the remove icon ( ).
4. Check the appliances where you want to apply the health policy.
5. Click Apply to apply the policy to the selected appliances.
The Health Policy page appears, with a message indicating if the application
of the policy was successful. Monitoring of the appliance starts as soon as
the policy is successfully applied.

To unapply a health policy:

3. Click Apply next to the policy you want to apply.

The Health Policy Apply page appears.

• Apply a health policy with all modules disabled.
• Click the x next to the health policy.
Under Health Policy the status of None appears.
Editing Health Policies

Requires: DC/MDC You can modify a health policy by enabling or disabling modules or by changing
module settings. If you modify a policy that is already applied to an appliance, the
changes do not take effect until you reapply the policy.

Applicable health modules for various appliances are listed in the Health Modules
Applicable to Appliances table.
Health Modules Applicable to Appliances
Module Applicable Appliance
Appliance Heartbeat Defense Center
Automatic Application Bypass Status 3D Sensors, except 3D9900
CPU Temperature 3Dx800 Only
CPU Usage All except 3D9900
Card Reset All
Data Correlator Process All
Defense Center Status Master Defense Center
Disk Usage All
eStreamer Process Defense Center
Event Stream Status Master Defense Center
Fan Alarm 3Dx800
Hardware Alarms 3Dx800 and 3D9900
Health Monitor Process Defense Center
IPS Event Rate 3D Sensors with IPS
IPS Process 3D Sensors with IPS
Link State Propagation 3D Sensors with IPS
MDC Event Service Master Defense Center
Memory Usage All
PEP Status 3D9900
Power Supply Series 2 DC3000, MDC3000,

3Dx800, 3D3500, 3D4500, and
3D6500

Health Modules Applicable to Appliances (Continued)
Module Applicable Appliance
RNA Health Defense Center
RNA Host License Limit Defense Center
RNA Process 3D Sensors with RNA
Time Synchronization Status Defense Center
Traffic Status 3D Sensors with IPS, 3D Sensors

with RNA
To edit a health policy:

3. Click Edit next to the policy you want to modify.

The Health Policy Configuration page appears, with the Policy Run Time
Interval settings selected.
4. Modify settings as needed, as described in the following sections:
• Configuring Policy Run Time Intervals on page 500
• Configuring Appliance Heartbeat Monitoring on page 501
• Configuring Automatic Application Bypass Monitoring on page 502
• Configuring CPU Temperature Monitoring on page 503
• Configuring CPU Usage Monitoring on page 504
• Configuring Card Reset Monitoring on page 505
• Configuring Data Correlator Process Monitoring on page 506
• Configuring Defense Center Status on page 507

• Configuring Disk Usage Monitoring on page 508

• Configuring eStreamer Process Monitoring on page 509
• Configuring Event Stream Monitoring on page 511
• Configuring Fan Monitoring on page 512
• Configuring Hardware Monitoring on page 513
• Configuring Health Status Monitoring
• Configuring IPS Event Rate Monitoring on page 515
• Configuring IPS Process Monitoring on page 516
• Configuring Link State Propagation Monitoring on page 518
• Configuring MDC Event Service Monitoring on page 519
• Configuring Memory Usage Monitoring on page 520
• Configuring PEP Status Monitoring on page 521
• Configuring Power Supply Monitoring on page 522
• Configuring RNA Event Status Monitoring on page 523
• Configuring RNA Host Usage Monitoring on page 524
• Configuring RNA Process Monitoring on page 525
• Configuring Time Synchronization Monitoring on page 526
• Configuring Traffic Status Monitoring on page 527
changes.
6. Reapply the policy to the appropriate appliances as described in Applying
Health Policies on page 528.
Deleting Health Policies

Requires: DC/MDC You can delete health policies that you no longer need. If you delete a policy that
is still applied to an appliance, the policy settings remain in effect until you apply a
different policy. In addition, if you delete a health policy that is applied to a sensor,
any health monitoring alerts in effect for the sensor remain active until you

Using the Health Monitor Blacklist Chapter 15
deactivate the underlying associated alert. For more information on deactivating

alerts, see Activating and Deactivating Alerts in the Analyst Guide.
TIP! To stop health monitoring for an appliance, create a health policy with all
modules disabled and apply it to the appliance. For more information on creating
health policies, see Creating Health Policies on page 497. For more information
on applying health policies, see Applying Health Policies on page 528.
To delete a health policy:

3. Click Delete next to the policy you want to delete.
A message appears, indicating if the deletion was successful.
Using the Health Monitor Blacklist

In the course of normal network maintenance, you disable appliances or make
them temporarily unavailable. Because those outages are deliberate, you do not
want the health status from those appliances to affect the summary health status
on your Defense Center or Master Defense Center.
You can use the health monitor blacklist feature to disable health monitoring
status reporting on an appliance, module, or detection engine. For example, if you
know that a segment of your network will be unavailable, you can temporarily
disable health monitoring for a 3D Sensor on that segment to prevent the health
status on the Defense Center from displaying a warning or critical state because
of the lapsed connection to the 3D Sensor.
When you disable health monitoring status, health events are still generated, but
they have a disabled status and do not affect the health status for the health
monitor. If you remove the appliance, module, or detection engine from the
blacklist, the events that were generated during the blacklisting continue to show
a status of disabled.
To temporarily disable health events from an appliance, go to the Blacklist
configuration page, and add an appliance to the blacklist. After the setting takes
effect the appliance no longer includes the appliance when calculating the overall
health status. The Health Monitor Appliance Status Summary lists the appliance
as disabled.
At times it may be more practical to just blacklist an individual health monitoring
module on an appliance or detection engine. For example, when you run out of

RNA host licenses on an appliance, you can blacklist the RNA Host License Limit
status messages until you install a new license with more hosts.
Make sure to remove all unused sensing interfaces from any interface sets in use
by a detection engine so health monitoring alerts do not generate for those
interfaces.
Note that on the main Health Monitor page you can distinguish between
appliances that are blacklisted if you expand to view the list of appliances with a
particular status by clicking the arrow in that status row. For more information on
expanding that view, see Using the Health Monitor on page 545.
A blacklist icon ( ) and a notation are visible once you expand the view for a
blacklisted or partially blacklisted appliance.
IMPORTANT! On a Defense Center, Health Monitor blacklist settings are system

settings. Therefore if you blacklist a sensor, then delete it and later re-register it
with the Defense Center, the blacklist settings remain persistent. The newly
re-registered sensor remains blacklisted.
Blacklisting Health Policies or Appliances

Requires: DC/MDC If you want to set health events to disabled for all appliances with a particular
health policy, you can blacklist the policy. If you need to disable the results of a
group of appliances’ health monitoring, you can blacklist the group of appliances.
Once the blacklist settings take effect, the appliances report a disabled status in
the Appliance Status Summary.
Note that if your Defense Center is in a high availability configuration, you can
blacklist a managed sensor on one HA peer and not the other. You can also
blacklist the HA peer to cause it to mark events generated by it and the sensors
from which it receives health events as disabled.
TIP! You can blacklist 3D Sensors only from a Defense Center, not a Master
Defense Center. You cannot blacklist intrusion agents.
To blacklist an entire health policy or group of appliances:

2. On the toolbar, click Blacklist.
The Blacklist page appears.

3. Use the drop-down list on the right to sort the list by group, policy, or model.
(On a Master Defense Center, sort the list by group, manager, policy or
model. Groups on a Defense Center are 3D Sensors. Groups on a Master
Defense Center are appliances.)
TIP! The status icon next to the Health Policy column ( ) indicates the
current health status for the appliance. The status icon next to the System
Policy column ( ) indicates the communication status between the Defense
Center and the sensor. Note that you can remove the currently applied policy
by clicking the remove icon ( ).
4. To blacklist all appliances in a group, model, or policy category, select the

category then click Apply. (On a Master Defense Center, to blacklist all
appliances associated with a manager, select the manager then click Apply.)
The page refreshes, now indicating the blacklisted state of the appliances.
Blacklisting an Appliance
If you need to set the events and health status for an individual appliance to
disabled, you can blacklist the appliance. Once the blacklist settings take effect,
the appliance shows as disabled in the Health Monitor Appliance Module
Summary and health events for the appliance have a status of disabled.
To blacklist an individual appliance:

3. Use the drop-down list on the right to sort the list by appliance group, model,
or by policy. (On a Master Defense Center, sort the list by group, manager,
policy or model.)

4. To blacklist an individual appliance, select and expand a category folder, select

the box next to the appropriate appliance, then click Apply.
The page refreshes then indicates the blacklisted state of the appliances.
Click Edit and see Blacklisting a Health Policy Module on page 537 to blacklist
individual health policy modules.
Blacklisting a Health Policy Module

Requires: DC/MDC You can blacklist individual health policy modules on appliances. You may want to
do this to prevent events from the module from changing the status for the
appliance to warning or critical.
For some modules, you can blacklist that module for a specific detection engine.
For example, if you know you are going to disable the RNA detection engine on a
sensor and do not want traffic status alerts to change the status for the sensor,
you can blacklist the Traffic Status module for that detection engine.
Note that modules that allow you to select a specific detection engine have an
arrow next to the module. When any part of a module is blacklisted, the line for
that module appears in boldface type in the Defense Center web interface. In
addition, the interface indicates the following information in parentheses after
each module with detection engines: number of blacklisted detection
engines/maximum number of detection engines.
Defense Center Only

Specific health policy modules operate for a Defense Center. When blacklisting
modules for Defense Centers, only include the following modules:
• Appliance Heartbeat
• CPU Usage
• Disk Usage
• eStreamer Process
• Health Monitor Process
• MDC Event Service
• Memory Usage
• Time Synchronization Status

• Power Supply
• RNA Host License Limit
Master Defense Center Only

Specific health policy modules operate for a Master Defense Center. When
blacklisting modules for Master Defense Centers, only include the following
modules:
• CPU Usage
• Defense Center Status
• Disk Usage
• Event Stream Status
• Memory Usage
• Power Supply
For details about applicable modules on all appliances, see the Health Modules
Applicable to Appliances table on page 531.
TIP! Once the blacklist settings take effect, the appliance shows as Part
Blacklisted or All Modules Blacklisted in the Blacklist page and in the
Appliance Health Monitor Module Status Summary but only in expanded views
on the main Appliance Status Summary page. Make sure that you keep track of
individually blacklisted modules so you can reactivate them when you need them.
You may miss necessary warning or critical messages if you accidentally leave a
module disabled.
To blacklist an individual health policy module:


Configuring Health Monitor Alerts Chapter 15
3. Sort by Group, Policy, or Model, then click Edit to display the list of health
policy modules.
The health policy modules appear.

• Select each module that you want to blacklist.
• Expand the detection engine list by clicking on the arrow next to
modules with detection engine lists, then select each detection engine
for which you want to blacklist the module.
5. Click Save.
Configuring Health Monitor Alerts

You can set up alerts to notify you through email, through SNMP, or through the
system log when the status changes for the modules in a health policy. You can
associate an existing alert with health event levels to cause that alert to trigger
when health events of a particular level occur.

For example, if you are concerned that your appliances may run out of hard disk
space, you can automatically send an email to a system administrator when the
remaining disk space reaches the warning level. If the hard drive continues to fill,
you can send a second email when the hard drive reaches the critical level.
• Preparing to Create a Health Alert on page 540
• Creating Health Monitor Alerts on page 540
• Interpreting Health Monitor Alerts on page 542
• Editing Health Monitor Alerts on page 543
• Deleting Health Monitor Alerts on page 544
Preparing to Create a Health Alert

Requires: DC/MDC If you want to create a health alert, you first need to create the underlying alert
that you associate to the health alert. If you want to use email alerting, you also
need to set up your email relay host in your system policy and re-apply that policy.
To prepare your system for alerting:

Access: Admin 1. If you plan to use email alerting:
• Select Operations > System Policy.
• Create a new policy or click Edit next to an existing one.
• In the policy, click Email Notification.
• Enter the name of the Mail Relay Host.
• Click Save Policy and Exit.
• Click Apply and apply the policy to the Defense Center where you plan
to create the health alert.
2. Create email, SNMP, or syslog alerts you want to associate with health alerts:
• For more information on creating syslog alerts, see Creating Syslog
Alerts in the Analyst Guide.
• For more information on creating email alerts, see Creating Email Alerts
in the Analyst Guide.
• For more information on creating SNMP alerts, see Creating SNMP
Alerts in the Analyst Guide.
Continue with Creating Health Monitor Alerts on page 540.
Creating Health Monitor Alerts

Requires: DC/MDC When you create a health monitor alert, you create an association between a
severity level, a health module, and an alert. You can use an existing alert or
configure a new one specifically to report on system health. For more information

on creating the alert, see Preparing to Create a Health Alert on page 540. When
the severity level occurs for the selected module, the associated alert triggers.
Note that if you create or update a threshold in a way that duplicates an existing
threshold, you are notified of the conflict. When duplicate thresholds exist, the
health monitor uses the threshold that generates the fewest alerts and ignores
the others. The timeout value for the threshold must be between 5 and
4,294,967,295 minutes.
To create health monitor alerts:

Access: Admin 1. Select Operations > Monitoring > Health.
2. Click Health Monitor Alerts in the health monitor toolbar.
The Health Monitor Alerts page appears.
3. Type a name for the health alert in the Health Alert Name field.
4. From the Severity list, select the severity level you want to use to trigger the
alert.
5. From the Module list, select the modules for which you want the alert to apply.
TIP! To select multiple modules, press Shift + Ctrl and click the module
names.

6. From the Alert list, select the alert which you want to trigger when the
selected severity level is reached.
TIP! Click Alerts in the toolbar to open the Alerts page. For more information
on creating alerts, see Creating Alerts in the Analyst Guide.
7. In the Threshold Timeout field, type the number of minutes that should elapse
before each threshold period ends and the threshold count resets.
8. Click Save to save the health alert.
A message appears, indicating if the alert configuration was successfully
saved. The Active Health Alerts list now includes the alert you created.
Interpreting Health Monitor Alerts

The alerts generated by the health monitor contain the following information:
• Severity, which indicates the severity level of the alert.
• Module, which specifies the health module whose test results triggered the
alert.
• Description, which includes the health test results that triggered the alert.
For more information on health alert severity levels, see the Alert Severities table.
Alert Severities
Severity Description
Critical The health test results met the criteria to trigger a Critical alert
status.
Warning The health test results met the criteria to trigger a Warning alert
status.
Normal The health test results met the criteria to trigger a Normal alert
status.
Error The health test did not run.
Recovered The health test results met the criteria to return to a normal
alert status, following a Critical or Warning alert status.
For more information on health modules, see Understanding Health Modules on

page 485.

Editing Health Monitor Alerts

Requires: DC/MDC You can edit existing health monitor alerts to change the severity level, health
module, or alert associated with the health monitor alert.
To edit health monitor alerts:

3. Select the alert you want to modify in the Active Health Alerts list.
4. Click Load to load the configured settings for the selected alert.
5. Modify settings as needed. For more information, see Creating Health
Monitor Alerts on page 540.
6. Click Save to save the modified health alert.
saved.

Deleting Health Monitor Alerts

Requires: DC/MDC You can delete existing health monitor alerts.
IMPORTANT! Deleting a health monitor alert does not delete the associated
alert. You must deactivate or delete the underlying alert to ensure that alerting
does not continue. For more information on deactivating alerts, see Activating and
Deactivating Alerts in the Analyst Guide. For more information on deleting alerts,
see Deleting Alerts in the Analyst Guide.
To delete health monitor alerts:

3. Select the alert you want to delete in the Active Health Alerts list.
4. Click Delete.
deleted.

Chapter 16
Administrator Guide
Reviewing Health Status
You can obtain information about the health of your Sourcefire 3D System
through the Health Monitor. Administrators can create and apply a health policy to
an appliance. The Health Monitor then generates health events to indicate the
current status of any aspects of appliance health that you chose to monitor. For
more information on viewing the health status of your appliance, see the
following topics:
Using the Health Monitor

Requires: DC/MDC The Health Monitor page provides the compiled health status for all sensors
managed by the Defense Center, plus the Defense Center. The Status table
provides a count of the managed appliances for this Defense Center by overall
health status. The pie chart supplies another view of the health status breakdown,
indicating the percentage of appliances currently in each health status category.

Using the Health Monitor Chapter 16
To use the health monitor:

Access: Maint/Admin/ 1. Click Health Monitor on the toolbar.
Any Analyst except The Health Monitor page appears.
Restricted
2. Select the appropriate status in the Status column of the table or the
appropriate portion of the pie chart to the list appliances with that status.
TIP! If the arrow in the row for a status level points down, the appliance list
for that status shows in the lower table. If the arrow points right, the
appliance list is hidden.
The following topics provide details on the tasks you can perform from the Health
Monitor page:
• Interpreting Health Monitor Status on page 547

Using Appliance Health Monitors Chapter 16
Interpreting Health Monitor Status

Available status categories, by severity, include Error, Critical, Warning, Normal,
and Disabled, as described in the Health Status Indicator table.
Health Status Indicator
Status Status Status Description

Level Icon Color
Error White Indicates that at least one health monitoring module has failed on
the appliance and has not been successfully re-run since the failure
occurred. Contact your technical support representative to obtain
an update to the health monitoring module.
Critical Red Indicates that the critical limits have been exceeded for at least
one health module on the appliance and the problem has not been
corrected.
Warning Yellow Indicates that warning limits have been exceeded for at least one
health module on the appliance and the problem has not been
corrected.
Normal Green Indicates that all health modules on the appliance are running
within the limits configured in the health policy applied to the
appliance.
Recovered Green Indicates that all health modules on the appliance are running
within the limits configured in the health policy applied to the
appliance, including modules that were in a Critical or Warning
state.
Disabled Blue Indicates that an appliance is disabled or blacklisted, that the

appliance does not have a health policy applied to it, or that the
appliance is currently unreachable.
Using Appliance Health Monitors

Requires: DC/MDC The Appliance health monitor provides a detailed view of the health status of an
appliance.
IMPORTANT! Your browser session will not be automatically timed out while you
are viewing the Health Monitor page.

To view the status summary for a specific appliance:

Access: Maint/Admin/ 1. Select Operations > Monitoring > Health.
Restricted
2. To show the list of appliances with a particular status, click the arrow in that
status row.
3. In the Appliance column of the appliance list, click the name of the appliance
for which you want to view details in the health monitor toolbar.
The Health Monitor Appliance page appears.
4. Optionally, in the Module Status Summary graph, click the color for the event
status category you want to view. The Alert Detail list toggles the display to
show or hide events.
• Interpreting Appliance Health Monitor Status on page 549
• Viewing Alerts by Status on page 549
• Running All Modules for an Appliance on page 550

• Running a Specific Health Module on page 551

• Generating Health Module Alert Graphs on page 553
• Generating Appliance Troubleshooting Files on page 554
Interpreting Appliance Health Monitor Status

Available status categories, by severity, include Error, Critical, Warning, Normal,
and Disabled, as described in the Appliance Health Status Indicator table that
follows.
Appliance Health Status Indicator
Status Status Status Description

Level Icon Color
Error White Indicates that the health monitoring module has failed and has not
been successfully re-run since the failure occurred. Contact your
technical support representative to obtain an update to the health
monitoring module.
Critical Red Indicates that the critical limits have been exceeded for the health
module on the appliance and the problem has not been corrected.
Warning Yellow Indicates that warning limits have been exceeded for the health
module on the appliance and the problem has not been corrected.
Normal Green Indicates that the monitored item is running within the limits
configured in the health policy applied to the appliance.
Recovered Green Indicates that the health for the monitored item is back within the
limits configured in the health policy applied to the appliance.
Disabled Blue Indicates that a module is disabled or blacklisted, that the

appliance does not have a health policy applied to it, or that the
appliance is currently unreachable.
Viewing Alerts by Status

Requires: DC/MDC You can show or hide categories of alerts by status.

To show alerts by status:

Access: Maint/Admin/ X Click the status icon or the color segment in the pie chart that corresponds to
Any Analyst except the health status of the alerts you want to view. The alerts for that category
Restricted appear in the Alert Detail list.
To hide alerts by status:

Access: Maint/Admin/ X Click the status icon or the color segment in the pie chart that corresponds to
Any Analyst except the health status of the alerts you want to view. The alerts in the Alert Detail
Restricted list for that category disappear.
Running All Modules for an Appliance

Requires: DC/MDC Health module tests run automatically at the policy run time interval you configure
when you create a health policy. However, you can also run all health module
tests on demand to collect up-to-date health information for the appliance.
To run all health modules for the appliance:

Restricted
2. To expand the appliance list to show appliances with a particular status, click
the arrow in that status row.

4. Click Run All Modules.

The status bar indicates the progress of the tests, then the Health Monitor
Appliance page refreshes.
IMPORTANT! When you manually run health modules, the first refresh that
automatically occurs may not reflect the data from the manually-run tests. If
the value has not changed for a module that you just ran manually, wait a few
seconds, then refresh the page by clicking the sensor name. You can also
wait for the page to refresh again automatically.
Running a Specific Health Module

Requires: DC/MDC Health module tests run automatically at the policy run time interval you configure
when you create a health policy. However, you can also run a health module test
on demand to collect up-to-date health information for that module.

To run a specific health module:

Restricted
4. In the Module Status Summary graph of the Health Monitor Appliance page,
click the color for the health alert status category you want to view.
The Alert Detail list expands to list the health alerts for the selected appliance
for that status category.
5. In the Alert Detail row for the alert for which you want to view a list of events,
click Run.
The status bar indicates the progress of the test, then the Health Monitor
Appliance page refreshes.
IMPORTANT! When you manually run health modules, the first refresh that
automatically occurs may not reflect the data from the manually-run tests. If
the value has not changed for a module that you just manually ran, wait a few
seconds, then refresh the page by clicking the sensor name. You can also
wait for the page to refresh automatically again.

Generating Health Module Alert Graphs

Requires: DC/MDC You can graph the results over a period of time of a particular health test for a
specific appliance.
To generate a health module alert graph:

Restricted

click Graph.
A graph appears, showing the status of the event over time. The Alert Detail
section below the graph lists all health alerts for the selected appliance.
TIP! If no events appear, you may need to adjust the time range. See Setting
Event Time Constraints in the Analyst Guide for more information.
Generating Appliance Troubleshooting Files

Requires: DC/MDC In some cases, if you have a problem with your appliance, Sourcefire Support
may ask you to generate troubleshooting files to help them diagnose the
problem.
To generate appliance troubleshooting files:

Restricted

Working with Health Events Chapter 16
4. Click Generate Troubleshooting Files and confirm that you want to generate the
files.
The file generation task is added to the task status queue.
5. Select Operations > Monitoring > Task Status.
The Task Status page appears.
6. Click the folder for the file generation job entry to expand the entry.
7. Select Click to retrieve generated files.

A File Download dialog box appears.
8. Save the files to a location on your computer.
9. Send the generated files to technical support to assist in troubleshooting your
system.
Working with Health Events

The Defense Center provides fully customizable event views that allow you to
quickly and easily analyze the health status events gathered by the health
monitor. These event views allow you to search and view event data and to easily
access other information that may be related to the events you are investigating.
Many functions that you can perform on the health event view pages are constant
across all event view pages. See Understanding Health Event Views on page 556
for more information about these common procedures.
From the Operations > Monitoring > Health menu, you can view health events, and
can search for specific events.

See the following sections for more information about viewing events:
• Understanding Health Event Views on page 556 describes the types of
events that RNA generates.
• Viewing Health Events on page 556 describes how to access and use the
Event View page.
• Searching for Health Events on page 563 describes how to search for
specific events using the Event Search page.
Understanding Health Event Views

The Defense Center health monitor logs health events, which you can see on the
Health Event View page. If you understand what conditions each health module
tests for, you can more effectively configure alerting for health events. For more
information on the different types of health modules that generate health events,
see Understanding Health Modules on page 485.
For more information about viewing and searching for health events, see the
following sections:
• Viewing Health Events on page 556
• Understanding the Health Events Table on page 561
• Searching for Health Events on page 563
Viewing Health Events

You can view the appliance health data collected by your health monitor in several
ways.
• Viewing All Health Events on page 556
• Viewing Health Events by Module and Appliance on page 557
• Working with the Health Events Table View on page 559
• Searching for Health Events on page 563
Viewing All Health Events

Requires: DC/MDC The Table View of Health Events page provides a list of all health events on the
selected appliance. For a description of the health modules that generated the
events that you may see on this page, see Understanding Health Modules on
page 485.
When you access health events from the Health Monitor page on your Defense
Center, you retrieve all health events for all managed appliances.

To view all health events on all managed appliances:

Restricted
2. In the toolbar, click Health Events.
The Events page appears, containing all health events.
If no events appear, you may need to adjust the time range. See Setting
TIP! You can bookmark this view to allow you to return to the page in the
health events workflow containing the Health Events table of events. The
bookmarked view retrieves events within the time range you are currently
viewing, but you can then modify the time range to update the table with
more recent information if needed. For more information, see Setting Event
Time Constraints in the Analyst Guide.
Viewing Health Events by Module and Appliance

Requires: DC/MDC You can query for events generated by a specific health module on a specific
appliance.
To view the health events for a specific module:

Restricted

click Events.
The Health Events page appears, containing query results for a query with
the name of the appliance and the name of the selected health alert module
as constraints.
If no events appear, you may need to adjust the time range. See Setting
6. If you want to view all health events for the selected appliance, expand
Search Constraints and click the Module Name constraint to remove it.

Working with the Health Events Table View

Requires: DC/MDC The Health Event View Functions table describes each action you can perform
from the Event View page.
Health Event View Functions
To... You can...
learn more about the contents of the columns find more information in Understanding the
that appear in the Health event view Health Events Table on page 561.
modify the time and date range for events listed find more information in Setting Event Time
in the Health table view Constraints in the Analyst Guide.
Note that events that were generated outside the
appliance's configured time window (whether
global or event-specific) may appear in an event
view if you constrain the event view by time. This
can occur even if you configured a sliding time
window for the appliance.
sort the events that appear, change what columns find more information in Sorting Drill-down
display in the table of events, or constrain the Workflow Pages in the Analyst Guide.
events that appear
delete health events select the check box next to the events you want
to delete and click Delete. To delete all the events
in the current constrained view, click Delete All,
then confirm you want to delete all the events.
navigate through event view pages find more information in Navigating to Other
Pages in the Workflow in the Analyst Guide.
navigate to other event tables to view associated find more information in Navigating between
events Workflows in the Analyst Guide.
bookmark the current page so that you can click Bookmark This Page, provide a name for the
quickly return to it bookmark and click Save. See Using Bookmarks in
the Analyst Guide for more information.
navigate to the bookmark management page select Analysis & Reporting > Bookmarks or, from
any event view, click View Bookmarks. See Using
Bookmarks in the Analyst Guide for more
information.
generate a report based on data in the table view click Report Designer. See Generating Reports
from Event Views on page 235 for more
information.

Health Event View Functions (Continued)
To... You can...
select another health events workflow click Workflows or select from the Workflows drop-
down list in the toolbar. See Selecting Workflows
view the details associated with a single health click the down arrow link on the left side of the
event event.
view event details for multiple health events select the check box next to the rows that
correspond with the events you want to view
details for and then click View.
view event details for all events in the view click View All.
view all events of a particular status click the status icon in the Status column for an
event with that status.
Interpreting Hardware Alert Details for 3D9900 Sensors

For 3D9900 sensor models, hardware alarms generate in response to the events
described in the Conditions Monitored for 3D9900 Sensors table. The triggering
condition can be found in the message detail for the alert.
Conditions Monitored for 3D9900 Sensors
Condition Monitored Causes of Yellow or Red Error Conditions
NFE card presence If NFE hardware is detected that is not valid for the
appliance, health status for the Hardware Alarms
module changes to red and the message details
include a reference to the NFE card presence.
NFE temperature • If NFE temperature exceeds 89 degrees

Fahrenheit, health status for the Hardware
Alarms module changes to yellow and the
message details include a reference to the NFE
temperature.
• If NFE temperature exceeds 99 degrees
Fahrenheit, health status for the Hardware
Alarms module changes to red and the
message details include a reference to the NFE
temperature.
NFE Platform daemon If the NFE Platform daemon goes down, health
status for the Hardware Alarms module changes to
red and the message details include a reference to
the daemon.

Conditions Monitored for 3D9900 Sensors (Continued)
Condition Monitored Causes of Yellow or Red Error Conditions
NFE Message daemon If the NFE Message daemon goes down, health
status for the Hardware Alarms module changes to
the daemon.
NFE TCAM daemon If the NFE TCAM daemon goes down, health status
for the Hardware Alarms module changes to red
and the message details include a reference to the
daemon.
LBIM presence If the Load-Balancing Interface Module (LBIM)

switch assembly is not present or not
communicating, health status for the Hardware
Alarms module changes to red and the message
details include a reference to the LBIM presence.
Scmd daemon If the Scmd daemon goes down, health status for
the Hardware Alarms module changes to red and
the message details include a reference to the
daemon.
Psls daemon If the Psls daemon goes down, health status for
daemon.
Ftwo daemon If the Ftwo daemon goes down, health status for
daemon.
Rulesd (host rules) If the Rulesd daemon goes down, health status for
daemon the Hardware Alarms module changes to yellow
and the message details include a reference to the
daemon.
nfm_ipfragd (host If the nfm_ipfragd daemon goes down, health

frag) daemon status for the Hardware Alarms module changes to
the daemon.
Understanding the Health Events Table

You can use the Defense Center’s health monitor to determine the status of
critical functionality within the Sourcefire 3D System. You create and apply health
policies to your appliances, which monitor a variety of aspects, including
hardware and software status. The Health Monitor modules you choose to enable

in your health policy run various tests to determine appliance health status. When
the health status meets criteria that you specify, a health event is generated. For
more information on health monitoring, see Monitoring the System on page 463.
The fields in the health events table are described in the Health Event Fields
table.
Health Event Fields
Field Description
Module Name The name of the health module that generated the event.
For a list of health modules, see the Health Modules table
on page 485.
Test Name The name of the test. This is typically the same as the
module name.
Time The timestamp for the health event.
Description The description of the health module that generated the

event. For example, health events generated when a
process was unable to execute are labeled Unable to
Execute.
Value The value (number of units) of the result obtained by the

health test that generated the event.
For example, if the Defense Center generates a health
event whenever a sensor it is monitoring is using 80
percent or more of its CPU resources, the value could be a
number from 80 to 100.
Units The units descriptor for the result. You can use the asterisk
(*) to create wildcard searches.
For example, if the Defense Center generates a health
event when a sensor it is monitoring is using 80 percent or
more of its CPU resources, the units is a percentage sign
(%).
Status The status (Critical, Yellow, Green, or Disabled) reported for

the appliance.
Sensor The appliance where the health event was reported.
To display the table view of health events:

Restricted

2. On the toolbar, click Health Events.

The table view appears. For information on working with health events, see
Working with Health Events on page 555.
TIP! If you are using a custom workflow that does not include the table view
of health events, click Workflows. On the Select Workflow page, click Health
Events.
Searching for Health Events

Requires: DC/MDC You can use Event Search to search for specific network discovery events. You
can create, save, and re-use event searches. When creating new searches or
modifying default searches, there are a number of options you can configure. The
Health Event Search Criteria table describes each search criterion you can specify.
Health Event Search Criteria
Search Field Description
Module Name Specify the name of the module which generated the health events you want
to view. For example, to view events that measure CPU performance, type
CPU. The search should retrieve applicable CPU Usage and CPU temperature
events.
Value Specify the value (number of units) of the result obtained by the health test for
the events you want to view.
For example, if you specify a value of 15 and type CPU in the Units field, you
retrieve events where the appliance CPU was running at 15% utilization at the
time the test ran.
Description Specify the description of the events you want to view. For example, you could
enter Unable to Execute to view any health events where a process was
unable to execute. You can use an asterisk (*) in this field to create wildcard
searches.

Health Event Search Criteria (Continued)
Search Field Description
Units Specify the units descriptor for the result obtained by the health test for the
events you want to view. You can use an asterisk (*) in this field to create
wildcard searches.
For example, if you type % in the Units field, you retrieve all events for the Disk
Usage modules, because the Disk Usage module has a “%” label in the Units
field (and no additional text). However, if you type *% in the Units field, you
retrieve all events for any modules that contain text followed by a “%” sign in
the Units field.
Status Specify the status for the health events that you want to view. Valid status
levels are Critical, Warning, Normal, Error, and Disabled.
For example, type Critical to retrieve all health events that indicate a critical
status.
Appliance Specify the name of appliance.
To run and save health event searches:

Access: Any Analyst 1. Select Analysis & Reporting > Searches > Health Events.
except Restricted/ The Search page appears.
Admin
2. Optionally, if you want to save the search, enter a name for the search in the
Name field.
If you do not enter a name, one is created automatically when you save the
search.
3. Enter your search criteria.
See Health Event Search Criteria on page 563 for more information about the
values you can enter for search criteria.

4. Optionally, if you want to save the search so that other users can access it,
disable the Save As Private check box. Otherwise, leave the check box
selected to save the search as private.
TIP! If you want to save a search as a restriction for restricted data users,
you must save it as a private search.

• Click Search to execute the search.
Your search results appear in the default health events workflow,
constrained by the current time range. To use a different workflow,
including a custom workflow, use the Workflows menu on the toolbar.
For information on specifying a different default workflow, see
Configuring Event View Settings on page 27.
• Click Save if you are modifying an existing search and want to save your
changes.
• Click Save as New Search to save the search criteria. The search is saved
and associated with your user account (if you selected Save As Private),
so that you can run it at a later time.
For more information about searching, see the following sections:
• Loading a Saved Search in the Analyst Guide
• Deleting a Saved Search in the Analyst Guide

Chapter 17
Administrator Guide
Auditing the System
You can audit activity on your system in two ways. The appliances that are a part
of the Sourcefire 3D System generate an audit record for each user interaction
with the web interface, and also record system status messages in the system
log.
The following sections provide more information about the monitoring features
that the system provides:
• Managing Audit Records on page 566 describes how to view and manage
system audit information.
• Viewing the System Log on page 578 describes how to view the system
log, which contains system status messages.
TIP! Defense Centers and 3D Sensors with IPS also provide full-featured
reporting features that allow you to generate reports for almost any type of data
accessible in an event view, including auditing data. For more information, see
Working with Event Reports on page 232.
Managing Audit Records

Requires: DC/MDC or Defense Centers and 3D Sensors log read-only auditing information for user
3D Sensor activity. Audit logs are presented in a standard event view that allows you to view,
sort, and filter audit log messages based on any item in the audit view. You can
easily delete and report on audit information.

Auditing the System
Managing Audit Records Chapter 17
The audit log stores a maximum of 100,000 entries. When the number of audit
log entries exceeds 100,000, the appliance prunes the oldest records from the
database to reduce the number to 100,000.
• Viewing Audit Records on page 567
• Suppressing Audit Records on page 570
• Understanding the Audit Log Table on page 574
• Searching Audit Records on page 575
Viewing Audit Records

Requires: DC/MDC or You can use the appliance to view a table of audit records. Then, you can
3D Sensor manipulate the view depending on the information you are looking for. The
predefined workflow includes a single table view of events. You can also create a
custom workflow that displays only the information that matches your specific
needs. For information on creating a custom workflow, see Creating Custom
Workflows in the Analyst Guide.
The Audit Log Actions table below describes some of the specific actions you can
perform on an audit log workflow page.
Audit Log Actions
To... You can...
learn more about the find more information in Understanding the

contents of the columns in Audit Log Table on page 574.
the table
modify the time range used find more information at Setting Event Time
when viewing audit records Constraints in the Analyst Guide.
Note that events that were generated outside
the appliance's configured time window
(whether global or event-specific) may appear
in an event view if you constrain the event
view by time. This can occur even if you
configured a sliding time window for the
appliance.
sort and constrain events on find more information in Sorting Table View
the current workflow page Pages and Changing Their Layout in the
Analyst Guide.
navigate within the current find more information in Navigating to Other

workflow page Pages in the Workflow in the Analyst Guide.

Auditing the System
Audit Log Actions (Continued)
To... You can...
navigate between pages in click the appropriate page link at the top left
the current workflow, of the workflow page. For more information,
keeping the current see Using Workflow Pages in the Analyst
constraints Guide.
drill down to the next page in use one of the following methods:
the workflow • To drill down to the next workflow page
constraining on a specific value, click a
value within a row. Note that this only
works on drill-down pages. Clicking a
value within a row in a table view
constrains the table view and does not
drill down to the next page.
• To drill down to the next workflow page
constraining on some events, select the
checkboxes next to the events you want
to view on the next workflow page, then
click View.
• To drill down to the next workflow page
keeping the current constraints, click View
All.
TIP! Table views always include “Table View”
in the page name.
For more information, see Constraining
Events in the Analyst Guide.
constraining on a specific Click a value within a row.

value
If you click a value on a drilldown page, you
move to the next page and constrain on the
value.
Note that clicking a value within a row in a
table view constrains the table view and does
not drill down to the next page.
TIP! Table views always include “Table View“
in the page name.
For more information, see Constraining
Events in the Analyst Guide.

Auditing the System
Audit Log Actions (Continued)
To... You can...
delete audit records use one of the following methods:

• To delete some items, select the check
boxes next to events you want to delete,
then click Delete.
• To delete all items in the current
constrained view, click Delete All, then
confirm you want to delete all the events.
temporarily use a different click Workflows. For more information, see

workflow Selecting Workflows in the Analyst Guide.
bookmark the current page click Bookmark This Page. For more
so that you can quickly return information, see Using Bookmarks in the
to it Analyst Guide.
navigate to the bookmark click View Bookmarks. For more information,

management page see Using Bookmarks in the Analyst Guide.
generate a report based on click Report Designer. For more information,

the data in the current view see Generating Reports from Event Views on
page 235.
To view audit records:

Access: Admin X Select Operations > Monitoring > Audit.
The first page of the default audit log workflow appears. To use a different
workflow, including a custom workflow, use the Workflows menu on the
toolbar. For information on specifying a different default workflow, see
Configuring Event View Settings on page 27. If no events appear, you may
need to adjust the time range. For more information, see Setting Event Time
Constraints in the Analyst Guide.
TIP! If you are using a custom workflow that does not include the table view
of audit events, from the Workflows menu on the toolbar, select Audit Log.
Working with Audit Events

Requires: Any You can change the layout of the event view or constrain the events in the view by
a field value.
When disabling columns, after you click the close icon ( ) in the column heading
that you want to hide, in the pop-up window that appears, click Apply. When you
disable a column, it is disabled for the duration of your session (unless you add it

Auditing the System
back later). Note that when you disable the first column, the count column is
added.
To hide or show other columns, select or clear the appropriate check boxes before
you click Apply. To add a disabled column back to the view, use the Expand arrow
( ) to expand the search constraints, then click the column name under
Disabled Columns.
Clicking a value within a row in a table view constrains the table view and does
not drill down to the next page.
TIP! Table views always include “Table View” in the page name.

• Constraining Events in the Analyst Guide.
• Using Compound Constraints in the Analyst Guide
• Sorting Drill-down Workflow Pages in the Analyst Guide
• Understanding the Audit Log Table on page 574
Suppressing Audit Records

Requires: Any If your auditing policy does not require that you audit specific types of user
interactions with the Sourcefire 3D System, you can prevent those interactions
from generating audit records. For example, by default, each time a user views
the online help, the Sourcefire 3D System generates an audit record. If you do not

Auditing the System
need to keep a record of these interactions, you can automatically suppress

them.
To set up the suppression mechanism, you must have access to an appliance’s
root user account, and you must be able to either access the appliance’s console
or open a secure shell.
WARNING! Make sure that only authorized personnel have access to the
appliance and to its root account.
To suppress audit records you must create one or more files in the /etc/sf
directory in the following form:
AuditBlock.type
where type is address, message, subsystem, or user.
If you create an AuditBlock.type file for a specific type of audit message, but
later decide that you no longer want to suppress them, you must delete the
contents of the AuditBlock.type file but leave the file itself on the Sourcefire 3D
System.
The contents for each audit block type must be in a specific format as described
in the Audit Block Types table. Make sure you use the correct capitalization for the
file names. Note also that the contents of the files are case sensitive.
Audit Block Types
Type Description
Address Create a file named AuditBlock.address and include, one per

line, each IP address that you want to suppress from the audit
log. You can use partial IP addresses provided that they map
from the beginning of the address. For example, the partial
address 10.1.1 matches addresses from 10.1.1.0 through
10.1.1.255.
Message Create a file named AuditBlock.message and include, one per

line, the message substrings that you want to suppress.
Note that substrings are matched so that if you include backup
in your file, all messages that include the word backup are
suppressed.

Auditing the System
Audit Block Types (Continued)
Type Description
Subsystem Create a file named AuditBlock.subsystem and include, one

per line, each subsystem that you want to suppress.
Note that substrings are not matched. You must use exact
strings. See the Subsystem Names table for a list of
subsystems that are audited.
User Create a file named AuditBlock.user and include, one per

line, each user account that you want to suppress. You can use
partial string matching provided that they map from the
beginning of the username. For example, the partial username
IPSAnalyst matches the usernames IPSAnalyst1 and
IPSAnalyst2.
When you add an AuditBlock file, an audit record with a subsystem of Audit
and a message of Audit Filter type Changed is added to the audit events. For
security reasons, this audit record cannot be suppressed.
Subsystem Names
Name Includes user interactions with...
Admin Administrative features such as system and access configuration, time

synchronization, back up and restore, sensor management, user account
management, and scheduling
Alerting Alerting functions such as email, SNMP, and syslog alerting
Audit Log Audit event views
Audit Log Search Audit event searches
Configuration Email alerting
COOP Continuity of operations feature
Date Date and time range for event views
Default Subsystem Options that do not have assigned subsystems
Detection & Prevention Menu options for intrusion policies

Policy
Error System-level errors

Auditing the System
Subsystem Names (Continued)
eStreamer eStreamer configuration
EULA Reviewing the end user license agreement
Events RNA and intrusion event views
Events Clipboard Intrusion event clipboard
Events Reviewed Reviewed intrusion events
Events Search Any event search
Failed to install SEU Installing SEUs

seu_id
Header Initial presentation of the user interface after a user logs in
Health Health monitoring
Health Events Health monitoring event views
Help Online help
High Availability High availability feature
IDS Impact Flag Impact flag configuration
IDS Policy Intrusion policies
IDSPolicy > Applying intrusion policies

policy_name >
Appliance >
det_engine_name
IDSRule sid:sig_id Intrusion rules by SID

rev:rev_num
Incidents Intrusion incidents
Insert Policy Apply Job Applying policies
Install Installing updates
Intrusion Events Intrusion events

Auditing the System
Subsystem Names (Continued)
Login Web interface login and logout functions
Menu Any menu option
Object export > Importing objects of a specific type and name

obj_type > obj_name
Preferences User preferences such as the time zone for a user account and individual
event preferences
Policy Any policy, including intrusion and OPSEC policies
Register Registering sensors on a Defense Center
RemoteStorageDevice Configuring remote storage devices
Reports Report listing and report designer features
Rules Intrusion rules including the rule editor and the rule importation process
SEU Import Log Viewing the SEU import log
SEU Install Installing SEUs
Status Syslog, as well as host and performance statistics
System Various system-wide settings
System Policy > Applying system policies

policy_nameAppliance
> appliance_name
Task Queue Viewing the task queue
Users Creating and modifying user accounts
Understanding the Audit Log Table

Requires: DC/MDC or Each appliance generates an audit event for each user interaction with the web
3D Sensor interface. Each event includes a time stamp, the user name of the user whose

Auditing the System
action generated the event, a source IP, and text describing the event. The fields
in the audit log table are described in the Audit Log Fields table.
Audit Log Fields
Field Description
Time Time and date that the appliance generated the audit record
User User name of the user that triggered the audit event
Subsystem Menu path the user followed to generate the audit record
For example, Operations > Monitoring > Audit is the menu path
to view the audit log.
Message Action the user performed

For example, “Page View” signifies that the user simply
viewed the page indicated in the Subsystem, while “Save”
means that the user clicked the Save button on the page.
Source IP IP address of the host used by the user
Count The number of events that match the information that appears
in each row. Note that the Count field appears only after you
apply a constraint that creates two or more identical rows.
Searching Audit Records

Requires: DC/MDC or You can search audit records to find information specific to a user, a specific
3D Sensor subsystem, or an audit record message.
You may want to create searches customized for your network environment, then
save them to re-use later. The search criteria you can use are described in the
Audit Record Search Criteria table. Note that audit searches are not case-

Auditing the System
sensitive. For example, searching for Analyst01 or analyst01 yields the same
results.
Audit Record Search Criteria
Search Field Description Example
User Enter the user name of the user who jsmith returns all audit records involving
triggered the audit events you want to the user jsmith.
see. You can use an asterisk (*) as a
wildcard character in this field.
Subsystem Enter the full menu path a user would Operations > Monitoring > Audit
follow to generate the audit records you and *Audit both return audit records
want to see. You can use an asterisk (*) that involve using the audit log.
as a wildcard character in this field.
*Audit* returns all of the above records,
plus records that involve searching for
audit records.
Message The action the user performed or the Apply returns audit records where the
button the user clicked on the page. You user applied an intrusion policy.
can use an asterisk (*) as a wildcard
character in this field. Save Rule returns audit records where
the user saved a compliance rule.
Page View returns audit records where
the user viewed the page.
Time Specify the date and time the audit > 2006-01-15 13:30:00 returns all audit
record was generated. See Specifying records generated after January 15, 2006
Time Constraints in Searches in the at 1:30pm.
Analyst Guide for the syntax for entering
time.
Source IP Enter the IP address of the host that you 172.16.1.37 returns all audit records
want to view audit records for. generated by a user from the 172.16.1.37
IP address.
IMPORTANT! You must type a specific IP
address. You cannot use IP ranges when
searching audit logs.
For more information on searching, including how to load and delete saved
searches, see Searching for Events in the Analyst Guide.

Auditing the System
To search for audit records:

Access: Admin 1. Select Analysis & Reporting > Searches > Audit Log.
The Audit Log search page appears.
TIP! To search the database for a different kind of event, select it from the
Table list.
2. Optionally, if you want to save the search, enter a name for the search in the
Name field.
If you do not enter a name, the web interface automatically creates one when
you save it.
3. Enter your search criteria in the appropriate fields, as described in the Audit
Record Search Criteria table. If you enter multiple criteria, the appliance
returns only the records that match all the criteria.
4. If you want to save the search so that other users can access it, clear the Save
As Private check box. Otherwise, leave the check box selected to save the
search as private.
TIP! If you want to save a search as a restriction for restricted data users,
you must save it as a private search.

• Click Search to start the search.
Your search results appear in the default audit log workflow, constrained
by the current time range. To use a different workflow, including a
custom workflow, use the Workflows menu on the toolbar. For
information on specifying a different default workflow, see Configuring
Event View Settings on page 27.

Auditing the System
Viewing the System Log Chapter 17
• Click Save if you are modifying an existing search and want to save your
changes.
• Click Save as New Search to save the search criteria. The search is saved
(and associated with your user account if you selected Save As Private),
so that you can run it at a later time.
Viewing the System Log

Requires: DC/MDC or The System Log (syslog) page provides you with system log information for the
3D Sensor appliance. The system log displays each message generated by the system. The
following items are listed in order:
• the date that the message was generated
• the time that the message was generated
• the host that generated the message
• the message itself
IMPORTANT! System log information is local. For example, you cannot use the
Defense Center to view system status messages in the system logs on your
managed sensors.
You can view system log messages for specific components by using the filter
feature. For more information, see Filtering System Log Messages on page 579.
If you want to use a 3D3800 sensor in compliance with ICSA requirements, you
can also configure system logging using a four-digit year format. For more
information, see Using Four-Digit Year Formats on the 3D3800 on page 581.

Auditing the System
To view the syslog:

Access: Maint/Admin X Select Operations > Monitoring > Syslog.
The System Log page appears. The Defense Center version of the page is
shown below.
TIP! On the 3D9900, the Load Balancing Interface Module (LBIM) forwards
messages to the sensor's syslog. You can find these messages by filtering on
lbim.
Filtering System Log Messages

Requires: DC/MDC or You can view system log messages for specific components by using the filter
3D Sensor feature. Filtering allows you to search for specific messages based on content.
The filter functionality uses the UNIX file search utility Grep, and as such, you can
use most syntax accepted by Grep. This includes using Grep-compatible regular
expressions for pattern matching. You can use a single word as a filter, or you can
use Grep-supported regular expressions to search for content.
WARNING! The System Log page does not allow the use of pipe characters for
OR expressions. For example, if you use [word_1|word_2], you will receive an
invalid filter error.

Auditing the System
The System Log Filter Syntax table shows the regular expression syntax you can
use in System Log filters:
System Log Filter Syntax
Syntax Description Example

Component
. Matches any character or white Admi. matches Admin, AdmiN, Admi1, and
space Admi&
[[:alpha:]] Matches any alphabetic character [[:alpha:]]dmin matches Admin, bdmin,

Cdmin, and so on.
[[:upper:]] Matches any uppercase alphabetic [[:upper:]]dmin matches Admin, Bdmin,

character Cdmin, and so on.
[[:lower:]] Matches any lowercase alphabetic [[:lower:]]dmin matches admin, bdmin,

character cdmin, and so on.
[[:digit:]] Matches any numeric character [[:digit:]]dmin matches 0dmin, 1dmin,

2dmin, and so on.
[[:alnum:]] Matches any alphanumeric character [[:alnum:]]dmin matches 1dmin, admin,

2dmin, bdmin, and so on.
[[:space:]] Matches any white space, including Feb[[:space:]]29 matches logs from
tabs February 29th.
* Matches one or more instances of ab* matches ab, abb, abbb, abbbb, and so
the pattern it follows on. [ab]* matches ab, abab, ababab, and
so on.
? Matches zero or one instances ab? matches a or ab.
\ Allows you to search for a character alert\? matches alert?.

typically interpreted as regular
expression syntax

Auditing the System
The System Log Filter Examples table shows some example filters you can use
on the System Log page.
System Log Filter Examples
To search for all log entries that... Use...
Are generated on November 5 Nov[[:space:]]*5
Contain the user name “Admin” Admin
Contain authorization debugging Nov[[:space:]]*5.*AUTH.*DEBUG

information on November 5
To search for specific message content in the system log:

Access: Maint/Admin 1. On the System Log page, enter a word or query in the Filter field.
See the System Log Filter Syntax table on page 580 and the System Log
Filter Examples table on page 581 for more information about the filter syntax
you can use.
Only Grep-compatible search syntax is supported. For example, you could
search for all NTP-related system log messages by using ntp as a filter, or
search for all messages generated in November by using Nov as a filter. You
could view messages from November 27th by using Nov[[:space:]]*27 or
Nov.*27, but you could not, however, use Nov 27 or Nov*27 to view these
messages.
2. Optionally, to make your search case-sensitive, check Case-sensitive. (By
default, filters are not case-sensitive.)
3. Optionally, check Exclusion to search for all system log messages that do not
meet the criteria you entered.
4. Click Go.
The messages that match the filter appear.
Using Four-Digit Year Formats on the 3D3800

Requires: 3D3800 If needed, you can update the syslog configuration on a 3D3800 to use a
four-digit year format for syslog events. The ICSA-certificated security
implementation for the appliance requires the four-digit year format.
To update the logging method to use the four-digit year format:

Access: root 1. Open the rc.config file in a file editor.
2. Change the value for the SYSLOGD_REPLACE_TIMESTAMPS option to yes.
3. Save changes to the file and exit the editor.

Auditing the System
4. Run SuSEconfig. For example, type:

# ./sbin/SuSEconfig
5. Restart the syslogd process. For example, type:
#/sbin/syslogd restart

Appendix A
Administrator Guide
Importing and Exporting Objects
You can use the Import/Export feature to copy several types of objects, including
policies, from one appliance to another appliance of the same type. Object import
and export is not intended as a backup tool, but can be used to simplify the
process of adding new appliances to your Sourcefire 3D System.
You can import and export the objects listed in the following table.
Objects with Import and Export Capability
Object Requires
Custom Tables DC/MDC
Custom Workflows Any
Dashboards Any
Health Policies DC/MDC
Intrusion Policies IPS or DC/MDC + IPS
PEP Policies DC/MDC + IPS
RNA Detection Policies DC
System Policies Any
User-Defined RNA Detectors DC

Exporting Objects Appendix A
Note that to import an exported object, both appliances must be running the
same version of the Sourcefire 3D System. To import an exported intrusion policy,
the SEU versions on both appliances must also match.
• Exporting Objects on page 584
• Importing Objects on page 593
Exporting Objects
Requires: IPS or You can export a single object, or you can export several objects at once.
DC/MDC
When you export an object, the appliance also exports revision information for
that object. The Sourcefire 3D System uses that information to determine
whether you can import that object onto another appliance; you cannot import an
object revision that already exists on an appliance.
In addition, when you export an object, the appliance also exports system objects
that the object depends on, such as authentication objects. For example, if you
set up authentication to an LDAP server on your Defense Center, and then export
a Defense Center system policy with authentication enabled, the authentication
object is exported as well.
Note that depending on the number of objects being exported and the number of
objects those objects reference, the export process may take several minutes.
• Exporting a Custom Table on page 584
• Exporting a Custom Workflow on page 585
• Exporting a Health Policy on page 586
• Exporting an Intrusion Policy on page 586
• Exporting a PEP Policy on page 588
• Exporting an RNA Detection Policy on page 588
• Exporting a System Policy on page 588
• Exporting a User-Defined RNA Detector on page 589
• Exporting Multiple Objects on page 590
Exporting a Custom Table

Requires: DC + RNA A custom table is table you can construct that combines fields from two or more
of the predefined tables delivered with the Sourcefire 3D System.

To export a custom table:

Access: Any 1. Make sure that the Defense Center where you are exporting the custom
RNA/Admin table and the Defense Center where you plan to import the custom table are
running the same version of the Sourcefire 3D System.
If the versions of the Sourcefire 3D System do not match, the import will fail.
2. Select Analysis & Reporting > Custom Tables.
The Custom Tables page appears.
3. Click Export next to the custom table you want to export.
4. Follow your web browser’s prompts to save the exported package to your
computer.
Exporting a Custom Workflow

Requires: IPS or A custom workflow is a workflow that you create to meet the unique needs of
DC/MDC your organization. On the Defense Center, you can export custom workflows that
you create as well as the predefined custom workflows delivered with the
appliance.
Note that if an appliance does not allow you to view the table on which an
exported custom workflow is based, you can import the workflow but will not be
able to view it. For example, you cannot access a custom workflow based on
RNA hosts that you created on the Defense Center and then imported onto a
3D Sensor or Master Defense Center.
To export a custom workflow:

Access: Any 1. Make sure that the appliance where you are exporting the custom workflow
Analyst/Admin and the appliance where you plan to import the custom workflow are running
the same version of the Sourcefire 3D System.
2. Select Analysis & Reporting > Custom Workflows.
The Custom Workflows page appears.
3. Click Export next to the custom workflow you want to export.
computer.
Exporting a Dashboard
Requires: Any A dashboard is a customizable tabbed view that provides you with an at-a-glance
display of your current system status. Dashboards use various widgets to present
data about the events collected and generated by the Sourcefire 3D System, as
well as information about the status and overall health of the appliances in your
deployment.

Note that the dashboard widgets that you can view depend on the type of
appliance you are using and on your user role. For example, a dashboard created
on the Defense Center and imported onto a 3D Sensor or Master Defense Center
may display some invalid, disabled widgets. For more information, see
Understanding Widget Availability on page 61.
To export a dashboard:
Access: Any 1. Select Analysis & Reporting > Event Summary > Dashboards.
If you have a default dashboard defined, it appears; continue with the next
step.
3. Click Export next to the dashboard you want to export.
computer.
Exporting a Health Policy

Requires: DC/ MDC A health policy comprises the criteria used when checking the health of
appliances in your deployment, that is, whether your Sourcefire hardware and
software are working correctly.
To export a health policy:

2. On the toolbar, click Health Policy.
3. Click Export next to the policy you want to export.
computer.
Exporting an Intrusion Policy

Requires: IPS or Intrusion policies include a variety of components that you can configure to
DC/MDC inspect your network traffic for intrusions and policy violations. These
components include preprocessors; intrusion rules that inspect the protocol
header values, payload content, and certain packet size characteristics; adaptive
profile configurations; RNA recommended rules configurations; and tools that
allow you to control how often events are logged and displayed.

Exporting an intrusion policy exports all settings for the policy. For example, if you
choose to set a rule to generate events, or if you set SNMP alerting for a rule, or if
you turn on the SMTP preprocessor in a policy, those settings remain in place in
the exported policy. Custom rules, custom rule classifications, and user-defined
variables are also exported with the policy.
Note that if you export an intrusion policy that uses a layer that is shared by a
second intrusion policy, that shared layer is copied into the policy you are
exporting and the sharing relationship is broken. When you import the intrusion
policy on another appliance, you can edit the imported policy to suit your needs,
including deleting, adding, and sharing layers.
Also note the following if you export an intrusion policy from a Defense Center,
and then import the policy onto a 3D Sensor:
• The Adaptive Profiles feature is ignored if it is enabled in the policy; you
cannot configure or use adaptive profiles in an intrusion policy that you
apply from a sensor. For more information, see Using Adaptive Profiles in
the Analyst Guide.
• Any RNA-recommended rule states in the policy are used on the sensor by
importing the built-in RNA Recommended Rules layer as a user layer
located immediately above the base layer. Although you cannot configure
RNA Recommended Rules on a sensor, you can use the imported RNA
Recommended Rules layer as you would any other user layer. For more
information, see Managing RNA Rule State Recommendations in the
Analyst Guide and Working With Layers in the Analyst Guide.
IMPORTANT! You cannot use the Import/Export feature to update rules created
by Sourcefire’s Vulnerability Research Team (VRT). To update rules, download and
apply the latest SEU version; see Importing SEUs and Rule Files in the Analyst
Guide.
To export an intrusion policy:

Access: P&R 1. Make sure that the appliance where you are exporting the intrusion policy and
Admin/Admin the appliance where you plan to import the policy are running the same
version of the Sourcefire 3D System, as well as the same version of the SEU.
If the versions of the Sourcefire 3D System and the SEU do not match, the
import will fail.
2. Select Policy & Response > IPS > Intrusion Policy.
The Intrusion Policy page appears.
3. Click Export next to the intrusion policy you want to export.
Depending on the number of rules referenced by the policy you are exporting,
the export process may take several minutes.
computer.

Exporting a PEP Policy

Requires: DC/MDC + PEP policies allow you to configure 3D9900 sensors to block, analyze, or pass
IPS traffic directly through the sensor with no further inspection by taking advantage
of the hardware capabilities on those sensors.
To export a PEP Policy:

Access: P&R 1. Make sure that the appliance where you are exporting the PEP policy and the
Admin/Admin appliance where you plan to import the PEP policy are running the same
version of the Sourcefire 3D System.
2. Select Policy & Response > PEP > Policy Management.
The PEP Policy Management page appears.
computer.
Exporting an RNA Detection Policy

Requires: DC + RNA RNA detection policies control how RNA events and flow data are collected,
which network segments are monitored by 3D Sensor with RNA and which are
monitored with NetFlow-enabled devices, and whether traffic that travels from or
to specific ports is excluded from monitoring.
To export an RNA detection policy:

Access: P&R 1. Make sure that the Defense Center where you are exporting the detection
Admin/Admin policy and the Defense Center where you plan to import the detection policy
are running the same version of the Sourcefire 3D System.
2. Select Policy & Response > RNA > Detection Policy.
The Detection Policy page appears.
computer.
Exporting a System Policy

Requires: Any A system policy controls the aspects of an appliance that are likely to be similar
for other Sourcefire 3D System appliances in your deployment, including
database event limits, time settings, login banners, and so on.
Note that when you export a system policy from a Defense Center where
external authentication is enabled, the Defense Center also exports the

authentication objects on which the system policy depends. That is, if you set up
authentication to an LDAP server on your Defense Center, and then export a
Defense Center system policy with authentication enabled, the authentication
object is exported as well.
Also note that system policies on Defense Centers contain database settings that
do not apply to 3D Sensors. If you export a system policy from a 3D Sensor and
then import it onto a Defense Center, the database limits that you could not
configure on the sensor are set to the default values on the Defense Center.
To export a system policy:

Access: Admin 1. Make sure that the appliance where you are exporting the system policy and
the appliance where you plan to import the system policy are running the
same version of the Sourcefire 3D System.
2. Select Operations > System Policy.
3. Click Export next to the system policy you want to export.
computer.
Exporting a User-Defined RNA Detector

Requires: DC + RNA User-defined RNA detectors provide RNA with the information needed to identify
non-standard services, including the port used by service traffic, a pattern within
the traffic, or both the port and the pattern.
You can export user-defined RNA detectors and Sourcefire-provided detectors
that you added to the Sourcefire 3D System using the Import/Export feature.
However, you cannot export internal detectors or Sourcefire-provided detectors
added via VDB update.
To export a user-defined RNA detector:

Access: P&R 1. Make sure that the Defense Center where you are exporting the detector and
Admin/Admin the Defense Center where you plan to import the detector are running the
same version of the Sourcefire 3D System.
2. Select Policy & Response > RNA > RNA Detectors.
The RNA Detectors page appears.

3. Select the check box next to the detector you want to export and click Export.
Depending on how many detectors you have, the detector you want to export
may not be on the first page. You can find it by paging through the detector
list, or applying one or more filters. For more information, see Working with
RNA Detectors in the Analyst Guide.
TIP! To export multiple detectors at once, select the check boxes next to the
appropriate detectors, then click Export. You can also select all detectors in the
current filtered view by selecting the check box at the top of the page.
computer.
Exporting Multiple Objects

Requires: IPS or You can export several different objects at once (in a single package) using the
DC/MDC Import/Export feature. When you later import the package onto another appliance,
you choose which objects in the package to import.
The following table lists the objects that you can export from the various
Sourcefire appliance types.
Object Requires
Dashboards Any
System Policies Any

Depending on the type of object you are exporting, you should keep the following
points in mind:
• You must make sure that the appliance you are using to export an object is
running the same version of the Sourcefire 3D System as the appliance you
plan to use to import the exported object. For intrusion policies, the SEU
versions on both appliances must also match. If the versions do not match,
the import will fail.
• If you cannot view the table on which a custom workflow is based on your
appliance, you can import the workflow but will not be able to view it.
• The dashboard widgets that you can view depend on the type of appliance
you are using and on your user role. For example, a dashboard created on
the Defense Center and imported onto a 3D Sensor or Master Defense
Center may display some invalid, disabled widgets.
• If you export an intrusion policy that uses a layer that is shared by a second
intrusion policy, that shared layer is copied into the policy you are exporting
and the sharing relationship is broken.
In addition, because RNA Recommended Rules and Adaptive Profiles are
not supported on 3D Sensors, there are additional consequences if you
export an intrusion policy from a Defense Center and then import the policy
onto a 3D Sensor. For more information, see Exporting an Intrusion Policy
on page 586.
IMPORTANT! You cannot use the Import/Export feature to update rules

created by Sourcefire’s Vulnerability Research Team (VRT). To update rules,
download and apply the latest SEU version; see Importing SEUs and Rule
Files in the Analyst Guide.
• When you export a system policy from a Defense Center where external
authentication is enabled, the Defense Center also exports the
authentication objects on which the system policy depends.
Also note that if you export a system policy from a 3D Sensor and then
import it onto a Defense Center, the database limits that you could not
configure on the sensor are set to the default values on the Defense
Center.
• You can export user-defined RNA detectors and Sourcefire-provided
detectors that you added to the Sourcefire 3D System using the
Import/Export feature. However, you cannot export internal detectors or
Sourcefire-provided detectors added via VDB update.
For detailed information on exporting specific objects, see the following sections:
• Exporting a Custom Table on page 584
• Exporting a Custom Workflow on page 585


• Exporting a Health Policy on page 586
• Exporting an Intrusion Policy on page 586
• Exporting a PEP Policy on page 588
• Exporting an RNA Detection Policy on page 588
• Exporting a System Policy on page 588
• Exporting a User-Defined RNA Detector on page 589
Depending on the number of objects being exported and the number of objects
those objects reference, the export process may take several minutes.
To export multiple objects:

Access: Admin 1. Make sure that the appliance where you are exporting the objects and the
appliance where you plan to import the objects are running the same version
of the Sourcefire 3D System. For intrusion policies, you must also make sure
that the SEU version matches.
If the versions of the Sourcefire 3D System (and, for intrusion policies, the
SEU version) do not match, the import will fail.
2. Select Operations > Tools > Import/Export.
The Import/Export page appears, including a list of the objects on the
appliance.
TIP! You can click the collapse icon ( ) next to an object type to collapse
the list of objects. Click the expand folder icon ( ) next to an object type to
reveal objects.
The Defense Center version of the page is shown below with some object
types collapsed.
3. Select the check boxes next to the objects you want to export and click Export.

Importing Objects Appendix A
computer.
Importing Objects
Requires: Any After you export an object from another appliance, you can import it onto a
different appliance as long as that appliance supports it. Note, however, that
some imported objects may not be useful depending on the type of appliance you
are using and on your user role. The following table lists the objects that you can
import on the various Sourcefire appliance types.
Object Requires
Dashboards Any
System Policies Any
Depending on the type of object you are importing, you should keep the following
points in mind:
• You must make sure that the appliance where you are importing an object is
running the same version of the Sourcefire 3D System as the appliance you
used to export the object. For intrusion policies, the SEU versions on both
appliances must also match. If the versions do not match, the import will
fail.
• If your appliance does not allow you to view the table on which an custom
workflow is based, you can import the workflow but will not be able to view
it.

• The dashboard widgets that you can view depend on the type of appliance
you are using and on your user role. For example, a dashboard created on
the Defense Center and imported onto a 3D Sensor or Master Defense
Center may display some invalid, disabled widgets.
• If you import an intrusion policy that used a shared layer from a second
intrusion policy, the export process breaks the sharing relationship and the
previously shared layer is copied into the package. In other words, imported
intrusion policies do not contain shared layers.
In addition, because RNA Recommended Rules and Adaptive Profiles are
not supported on 3D Sensors, there are additional consequences if you
export an intrusion policy from a Defense Center and then import the policy
onto a 3D Sensor. For more information, see Exporting an Intrusion Policy
on page 586.
IMPORTANT! You cannot use the Import/Export feature to update rules

created by Sourcefire’s Vulnerability Research Team (VRT). To update rules,
download and apply the latest SEU version; see Importing SEUs and Rule
Files in the Analyst Guide.
• When you import a system policy that was exported from a Defense Center
where external authentication is enabled, you also import the authentication
objects on which the system policy depends.
Also note that for a system policy exported from a 3D Sensor and then
imported onto a Defense Center, the database limits that you could not
configure on the sensor are set to the default values on the Defense
Center.
Because can export several different objects in a single package, when you import
the package you must choose which objects in the package to import. You can
only import objects that are supported on the destination appliance.
When you attempt to import an object, your appliance determines whether that
object already exists on the appliance. If a conflict exists, you can keep the
existing object, replace the existing object with a new object, keep the newest
object, or import the object as a new object. If you import an object and then later
make a modification to the object on the destination system, and then re-import
the object, you must choose which version of the object to keep.
WARNING! If you import default policies or rules to an appliance, you cannot

delete them.
Depending on the number of objects being imported and the number of objects
those objects reference, the import process may take several minutes.

For information on using imported objects, see the following sections:

• Using Custom Tables in the Analyst Guide
• Using Custom Workflows in the Analyst Guide
• Applying Health Policies on page 528
• Applying an Intrusion Policy in the Analyst Guide
• Applying PEP Policies in the Analyst Guide
• Applying an RNA Detection Policy in the Analyst Guide
• Applying a System Policy on page 324
• Activating and Deactivating RNA Detectors in the Analyst Guide
• Activating and Deactivating RNA Detectors in the Analyst Guide
To import one or more objects:

Access: Admin 1. Make sure that the appliance where you are exporting the objects and the
appliance where you plan to import the objects are running the same version
of the Sourcefire 3D System. For intrusion policies, you must also make sure
that the SEU version matches.
If the version of the Sourcefire 3D System (and, for intrusion policies, the SEU
version) do not match, the import will fail.
2. Export the objects you want to import; see Exporting Objects on page 584.

3. On the appliance where you want to import the objects, select Operations >
Tools > Import/Export.
The Import/Export page appears.
TIP! You can click the collapse icon ( ) next to an object type to collapse
the list of objects. Click the expand folder icon ( ) next to an object type to
reveal objects.
The Defense Center version of the page is shown below with some object
types collapsed.
4. Click Upload Package.

The Upload Package page appears.

• Type the path to the package you want to upload.
• Click Browse to browse to locate the package.

6. Click Upload.
The result of the upload depends on the contents of the package:
• If the object and rule versions in the package exactly match versions
that already exist on your appliance, a message displays indicating that
the versions already exist. The appliance has the most recent objects so
you do not need to import them.
• If there is a Sourcefire 3D System or SEU version mismatch between
your appliance and the appliance where the package was exported, a
message appears, indicating that you cannot import the package.
Update the Sourcefire 3D System or the SEU version and attempt the
process again.
• If the package contains any object or rule versions that do not exist on
your appliance, the Package Import page appears. Continue with the
next step.
7. Select the objects you want to import and click Import.
The import process occurs, with the following results:
• If the objects you import do not have previous revisions on your
appliance, the import completes automatically and a success message
appears. Skip the rest of the procedure.
• If the objects you import do have previous revisions on your appliance,
the Import Resolution page appears. Continue with step 8.
8. Expand each object and select the appropriate option:

• To keep the object on your appliance, select Keep existing.
• To replace the object on your appliance with the imported object, select
Replace existing.
• To keep the newest object, select Keep existing if newer.
• To save the imported object as a new object, select Import as new, and,
optionally, edit the object name.
9. Click Import.
The objects are imported.

Appendix B
Administrator Guide
Purging the RNA and RUA

Databases
Requires: DC + RNA or You can use the RNA/RUA Event Purge page to purge files from the RNA and
DC + RUA RUA databases. Note that if you purge database items from the RNA or RUA
database, the RNA or RUA process is restarted.
WARNING! Purging a database removes the data you specify from the Defense
Center. After the data is deleted, it cannot be recovered.
To purge the RNA database:

Access: RNA/Admin 1. Select Operations > Configuration > RNA/RUA Event Purge.
The RNA/RUA Event Purge page appears.
2. Under RNA Database, perform any or all of the following:

• Select RNA Events to remove all network discovery events from the RNA
database.
• Select Hosts to remove all hosts from the RNA database.
• Select Flow Stats to remove all flow data from the RNA database.
• Select Flow Summary to remove all flow summary data from the RNA
database.
3. Click Save & Restart RNA.
The items are purged and RNA is restarted.

Purging the RNA and RUA Databases
Appendix B
To purge the RUA database:

Access: RNA/Admin 1. Select Operations > Configuration > RNA/RUA Event Purge.
The RNA/RUA Event Purge page appears.
2. Under RUA database, perform any or all of the following:

• Select RUA Events to remove all RUA events from the RUA events
database.
• Select Users to remove all users from the RUA history database.
3. Click Save & Restart RUA.
The items are purged and RUA is restarted.

Appendix C
Administrator Guide
Viewing the Status of Long-Running

Tasks
When you perform long-running tasks, such as applying a policy, pushing updates,
installing software, and so on, the status of these tasks is reported in the task
queue. The task queue provides information about complex tasks and reports
when they are complete.
• Viewing the Task Queue on page 600
• Managing the Task Queue on page 602
Viewing the Task Queue

Requires: Any When you perform long-running tasks, such as applying a policy, pushing updates,
installing software, and so on, the status of these tasks is reported in the task
queue. The task queue provides information about complex tasks and reports
when they are complete.

Viewing the Status of Long-Running Tasks
Viewing the Task Queue Appendix C
You view the task queue on the Task Status page, which automatically refreshes
every 10 seconds. You can always see the status of tasks that you initiated; if your
account has Administrator access, you can also see the status of every task
regardless of who initiated it.
The Job Summary section displays the state of the tasks listed on the page, as
described in the following table.
Task Queue Task Types
Task Type Description
Running The number of tasks currently in progress.
Waiting The number of tasks waiting for a in-progress task to complete

before running.
Completed The number of tasks that completed, regardless of whether

they succeeded,
Retrying The number of tasks that are automatically retrying. Note that
not all tasks are permitted to try again.
Failed The number of tasks that did not complete successfully.
The Jobs section provides information about each task, including a brief
description, when the task was launched, the current status of the task, and
when the status last changed. Tasks of the same type appear together.

Viewing the Status of Long-Running Tasks
Managing the Task Queue Appendix C
To view the task queue:

Access: Maint/P&R X You have two options:
Admin/Admin • If you manually launched the task, click the Task Status link in the
notification box that appeared when you launched the task.
The Task Status page appears in a pop-up window.
• If you scheduled a task, or if a task was launched from a page you are
not viewing, select Operations > Monitoring > Task Status.
The Task Status page appears.
For information on the actions you can perform on the Task Status page, see
the next section, Managing the Task Queue.
Managing the Task Queue

Requires: Any If you have Administrator, Maintenance, or Policy & Response Administrator
access, there are several actions you can perform while viewing the task queue
(see Viewing the Task Queue on page 600).
Task Queue Actions
To... You can...
remove all completed click Remove Complete Jobs.

tasks from the task
queue
remove all failed task click Remove Failed Jobs.

from the task queue
remove a single task click Delete next to the task you want to delete.
from the task queue
Note that you cannot delete a running task. If you
need to delete a running task (for example, if a task
repeatedly fails) contact Sourcefire Support.
collapse the view of click the collapse icon ( ) next to the task type for
tasks of the same type the tasks you want to hide.
expand the view of click the expand folder icon ( ) next to the task
tasks of the same type type for which you want to view individual tasks.

Glossary
3D Sensor An appliance-based sensor that, as part of the Sourcefire 3D System, can run the
IPS component, the RNA component, the RUA component, or combinations of
the components.
active detection The addition, to the network map, of data collected by active sources, such as
host operating system and service information.
adaptive profile An intrusion policy profile that uses information from RNA host profiles to
determine the operating system for the target host of a packet. Profiles within an
intrusion policy then automatically adapt to cause the preprocessors to
defragment IP packets and reassemble streams in the same way as the operating
system on the target host and to cause Snort to analyze the data in the same
format as that used by the destination host.
Administrator A type of user role that conveys rights to all Sourcefire 3D System functionality.
Administrators can set up an appliance’s network configuration, manage user
accounts, and configure system policies and system settings. Users with the
Administrator role also have the access rights provided to the Intrusion Event
Analyst, RNA Event Analyst, Policy & Response Administrator, and Maintenance
User roles.
advanced feature An IPS component feature such as a layer, preprocessor, global rule thresholding,
setting VLAN or subnetwork policy configuration, and so on that you enable, disable, or
configure on web interface pages accessed by some means other than directly
from the Policy Information page where basic feature settings are accessed.

advanced intrusion policy
to
basic intrusion policy Glossary
advanced intrusion An intrusion policy with custom user layers, modified advanced feature settings,
policy or both.
alert A message that notifies you when an intrusion event, health event, host input
event, RNA event, RUA event, white list event, or compliance event is generated.
You can send alerts to an external syslog server, a specific email address, or an
SNMP trap server. See email alerting, SNMP alerting, and syslog alerting.
alert rule An intrusion rule that, when triggered, generates an intrusion event and logs the
details of the packet that triggered the rule. Compare with pass rule and drop rule.
anomaly detection The detection of anomalous conditions in traffic rate or traffic content that
indicates an attack.
audit log A record of user interactions with the web interface. The audit log comprises
audit events.
audit event An event that describes a specific user interaction with the web interface. Each
audit event contains a time stamp, the user name of the user whose action
generated the event, a source IP address, and text describing the event. You can
view audit events in the audit log.
banner The first 256 bytes of the first packet detected by a service. A banner is collected
only once, the first time a service is detected by RNA. Banners provide additional
context to the information gathered by RNA.
base policy A selectable set of configurations that can be any one of the default intrusion
policies provided by Sourcefire or a custom user layer.
base policy layer A built-in layer in an intrusion policy comprised of all of the default basic feature
settings and advanced feature settings for the IPS component. The default
settings in the base policy layer are determined by the base policy selected for
the intrusion policy.
basic feature setting An IPS component feature in a basic intrusion policy that you can access directly
from the Intrusion Policy information page. Basic features include the policy
name, description and protection mode, and management of detection engines,
variables, rules, and RNA recommended rules.
basic intrusion policy An intrusion policy with no custom user layers and no modified advanced feature
settings. Although layers are transparent to the user in a basic intrusion policy, a
basic intrusion policy includes the read-only base policy layer, a modifiable
system-defined user layer that is initially named My Changes and, optionally, a
read-only RNA Recommendations layer immediately above the base policy. In
addition to default basic feature settings, a basic intrusion policy also includes
default advanced feature settings.

bit mask
to
clustering Glossary
bit mask The notation used to identify which bits in an IP address correspond to the
network address and subnet portions of the address.
bookmark A saved link to a specific location and time in an event analysis. Bookmarks retain
information about the workflow you are using, the part of the workflow you are
viewing, the page number within the workflow you are viewing, the time range
you selected, and any columns you disabled as well as any constraints you
imposed. The bookmarks you create are available to all users with unrestricted
analyst access.
bridge A network device that forwards traffic between network segments. RNA
identifies bridges as network devices that communicate using Cisco Discovery
Protocol (CDP) or Spanning Tree Protocol (STP). RNA may identify switches as
bridges.
built-in layer A read-only layer in an intrusion policy. An intrusion policy always includes a
built-in base policy layer and, optionally, can include a built-in RNA
Recommendations layer.
Classless Inter- A notation that defines IP address ranges by combining an IP address with a bit
Domain Routing mask that signifies the subnet mask used to define the number of IP addresses in
(CIDR) notation the specified range. For example, if you want to define the network described by
192.168.1.x with a subnet mask of 255.255.255.0, use 192.168.1.1/24, where 24
signifies the number of bits in the subnet mask.
client application An application that runs on one host and relies on another host (a server) to
perform some operation. For example, email clients are client applications that
allow you to send and receive email. When RNA detects that a user on a host is
using a specific client application to access another host, it reports that
information in the host profile and network map, including the name and version
(if available) of the client application.
client application Information that describes client application activity on monitored hosts. For each
event detected client application, RNA logs the IP address that used the application and
when the application was last used, as well as the application name, version, and
the number of times its use was detected.
clipboard A holding area where you can copy up to 25,000 intrusion events that you can
later add to incidents. The contents of the clipboard are sorted by the date and
time that the events were generated.
clustering A feature that allows you to increase the amount of traffic inspected on a network
segment by connecting two fiber-based 3D9900 sensors in a clustered pair.
When you establish a clustered pair configuration, you combine the 3D9900
sensors resources into a single, shared configuration.

complex condition
to
current identity Glossary
complex condition A complex way of qualifying compliance rules, flow trackers, host profile
qualifications, and traffic profiles. A complex condition comprises at least two
simple conditions, linked to each other with an AND or an OR operator.
complex constraint A constraint set in an event view or event search that constrains an event query
using all the criteria from a specific event.
compliance event An event generated by the Defense Center when a compliance rule triggers. You
can search, view, and delete compliance events and can configure the number of
compliance events saved in the database. Note that white list events, generated
by white list violations, are a special kind of compliance event.
compliance policy Describes the network activity that constitutes a security policy violation, using
compliance rules and compliance white lists. You can specify responses to each
rule or white list within a policy.
compliance rule Along with compliance white lists, one of the ways you can specify criteria that
network traffic must meet in order to violate a compliance policy. You can use the
Defense Center to configure compliance rules to trigger (and generate a
compliance event) when a specific intrusion event, RNA event, or flow event
occurs, or when your network traffic deviates from your normal network traffic
pattern as characterized in a traffic profile. You can constrain compliance rules
with host profile qualifications, flow trackers, snooze periods, and inactive
periods. You can also configure the Defense Center to launch a response, such as
an alert or remediation, when a compliance rule triggers.
compliance white list Along with compliance rules, one of the ways you can specify criteria that
network traffic must meet in order to violate a compliance policy. You can use the
Defense Center to configure compliance white lists to specify which operating
systems, services, client applications, and protocols are allowed to run on the
hosts in a specific subnet. You can also configure the Defense Center to launch a
response, such as an alert or remediation, when a white list is violated. Note that
a compliance white list is not associated with the white list of IP addresses that
you can configure in certain remediations.
compliance white list See white list event.

event
compliance white list See white list violation.

violation
current identity The operating system or service identity that RNA finds most likely to be correct,
which is used to assign host vulnerability, to assess impact of an attack, to
evaluate compliance rules written against operating system identifications, host
profile qualifications, and compliance white lists, to display in the Hosts and
Services table views in workflows and in the host profile, and to calculate the
operating system and service statistics on the RNA Statistics page.

custom fingerprint
to
derived fingerprint Glossary
custom fingerprint See fingerprint.
custom table A table you can construct that combines fields from two or more of the
predefined tables delivered with the Sourcefire 3D System. For example, you
could combine the host criticality information from the host attributes table with
information from the flow data table to examine flow data in a new context.
Custom tables include Sourcefire-defined custom tables, which are custom
tables delivered with the Defense Center.
custom workflow A workflow that you create to meet the unique needs of your organization.
Compare with predefined workflow and, on the Defense Center, saved custom
workflow.
dashboard A display that provides tabs of at-a-glance information about many aspects of the
performance on your Sourcefire 3D System. You can configure as many
dashboards as you need and decide which dashboard widgets appear on each tab
to fit your system monitoring needs. The dashboard appears as the default home
page for all user roles except the restricted event analyst roles.
dashboard widget A dashboard widget provides status or performance information about a specific
aspect of your Sourcefire 3D System. You can select which widgets to add to your
dashboard.
data correlator A program that generates events and creates the network map on the Defense
Center, using the data collected by RNA.
decoder A component of IPS that places sniffed packets into a format that can be
understood by a preprocessor.
Defense Center A central management point that allows you to manage sensors and
automatically aggregate the events they generate. You can also push policies
created on the Defense Center and software updates to managed sensors. If you
manage 3D Sensors with IPS and RNA with a Defense Center, the Defense
Center correlates intrusion events with host vulnerabilities and assigns impact
flags to the intrusion events. Impact correlation lets you focus on attacks most
likely to affect high-priority hosts. The Defense Center also correlates intrusion
information with user identity data from the RUA database.
defragmentation Describes how the IP defragmentation preprocessor (a component of IPS) should

policy reassemble fragmented IP packets, based on the target host’s operating system.
Note that adaptive profiles use adaptive defragmentation policies.
derived fingerprint An operating system fingerprint created by RNA from all passively collected
fingerprints for a host by applying a formula which calculates the most likely
identity using the confidence value of each collected fingerprint and the amount
of corroborating fingerprint data between identities.

detection engine
to
event Glossary
detection engine The mechanism that is responsible for analyzing the traffic on the network
segment where a sensor is connected. A detection engine has two main
components: an interface set and a detection resource. RNA uses RNA detection
engines, IPS uses IPS detection engines, and RUA uses RUA detection engines.
detection policy See RNA detection policy.
detection resource A portion of a sensor's computing resources used as part of a detection engine.
DNS cache Temporary storage of previously resolved IP addresses. Configuring DNS caching
allows you to resolve those IP addresses without performing additional lookups.
This can reduce the amount of traffic on your network and speed the display of
event pages.
drill-down page An intermediate workflow page used to constrain event views. Generally, a
drill-down page presents constraints that you can select to advance to a more
narrowly constrained page or a table view.
drop event An intrusion event generated when a drop rule triggers. Drop events are marked
with black inline result flags on RNA compliance event views and IPS intrusion
event views.
drop rule An intrusion rule whose rule state is set to Drop and Generate Events. When a
malicious packet triggers the rule, IPS drops the packet and generates an
intrusion event (specifically, a drop event). You can only use a drop rule within an
inline intrusion policy that is applied to detection engines that are deployed inline.
Compare with alert rule and pass rule.
dynamic rule state A rule state that is set for a specified period of time in response to a detected rate
anomaly in traffic matching the rule.
email alerting The transmission of an alert as an email message.
eStreamer See Event Streamer.
event Information that is stored as an event. An event contains multiple fields that
describe the activity that caused the event to be generated. IPS generates
intrusion events, which also include drop events and preprocessor events. RNA
generates network discovery events and flow events, as well as events that
provide general information about your network topology: client application
events, host events, host attributes, and service events. A vulnerability is also
considered an RNA event. You can use the policy and response feature to
configure your Defense Center to generate compliance events and white list
events, as well as remediation status events. RUA generates RUA events when it
detects user logins or user additions or deletions. In addition, every appliance
generates records of user activity called audit events. The health monitor on the
Defense Center also generates health events.

event analyst
to
fingerprint Glossary
event analyst An event analyst examines event data collected by the Sourcefire 3D System. The
Intrusion Event Analyst, RNA Event Analyst, and Restricted Event Analyst roles,
or their read-only counterparts, can be assigned to a user to provide access to
event analysis functionality.
Event Streamer Also known as eStreamer, a component of the Sourcefire 3D System that allows
you to stream event data from a Defense Center or 3D Sensor to external client
applications.
event suppression A feature that allows you to use suppress intrusion events when a specific IP
address or range of IP addresses triggers a rule. Event suppression is useful for
eliminating false positives. For example, if you have a mail server that transmits
packets that look like a specific exploit, you can suppress events for the rules that
are triggered by your mail server, so that you only see the events for legitimate
attacks.
event thresholding A feature that allows you to limit the number of times the system logs and
displays an intrusion event, based on how many times the event is generated
within a specified time period. Use event thresholding if you are overwhelmed
with a large number of identical events.
event view A workflow view containing a set of events. You can constrain the events
included in an event view using an event search or using simple constraints or
complex constraints.
export A method that you can use to transfer various configurations from appliance to
appliance. You can export intrusion policies, RNA detection policies, system
policies, health policies, dashboards, custom workflows and tables, and some
RNA detectors. After you export a configuration from one appliance, you can
import it onto another appliance of the same type.
external A method (such as LDAP authentication or RADIUS authentication) that uses

authentication externally stored user credentials to authenticate user names and passwords
when users log into Sourcefire 3D System appliances. Compare with internal
authentication.
fail-open card A network interface card that allows network traffic to pass through a 3D Sensor
that uses IPS detection engines that are deployed inline, even if the appliance
itself fails or loses power.
feature license A license you can add to an appliance that enables additional features, including
NetFlow, Intrusion Agents, Sourcefire 3D Sensor Software for X-Series,
Sourcefire Virtual 3D Sensors, and the ability to monitor a number of hosts with
RNA or users with RUA.
fingerprint An established definition that RNA compares against specific packet header
values and other unique data from network traffic to identify a host's operating

flow data
to
health module Glossary
system. If RNA misidentifies or cannot identify a host's operating system, you

can create a custom fingerprint that identifies the host.
flow data See flow event.
flow event An event generated when RNA detects that a connection between a monitored
host and any other host is terminated. Flow events include information about the
collected traffic, including the first packet of the transaction, the last packet of the
transaction, the source IP address and port, the destination IP address and port,
the number of packets and bytes sent and received by the monitored host, and
the client application and URL involved in the transaction, if applicable.
flow summary Flow data aggregated over a five-minute interval. You can choose to store flow
data only as flow summaries to save disk space.
flow tracker One or more conditions that constrain a compliance rule so that after the rule’s
initial criteria are met, RNA begins tracking certain flows. The rule then triggers
only if the tracked flows meet additional criteria.
gateway A device that acts as an entrance to and controls traffic within your organization’s
network. When you set up your 3D Sensor or Defense Center, you must specify
the IP address of the gateway device for your network.
GID (generator ID) A number that indicates which component of the Sourcefire 3D System
generated an intrusion event. GIDs help you analyze events more effectively by
categorizing the type of event in the same way a rule’s SID offers context for the
packets that trigger rules.
health alert An alert generated by the Defense Center or Master Defense Center when a
specific health event occurs.
health event An event that is generated when one of the appliances in your deployment meets
(or fails to meet) performance criteria specified in a health module. Health events
indicate which module triggered the event and when the event was triggered.
health monitor A feature that continuously monitors the performance of the appliances in your
deployment. The health monitor uses health modules to test various performance
aspects of the appliances. You configure the health monitor using a health policy.
health monitor A blacklist that temporarily disables aspects of health monitoring to prevent the
blacklist Defense Center from generating unnecessary health events. You can disable
monitoring for a group of appliances, a single appliance, or a specific health
module.
health module A test of a particular performance aspect of one of the appliances in your
deployment. For example, you can monitor CPU usage or available disk space.
You can configure health modules to generate health events and health alerts
when the performance aspects they monitor reach a certain level.

health policy
to
host input Glossary
health policy The criteria used when checking the health of an appliance in your deployment.
Health policies use health modules to indicate whether your Sourcefire 3D
System hardware and software are working correctly. The Defense Center and
Master Defense Center are delivered with default health policies; you can modify
them or create your own.
high availability A feature that allows you to designate redundant Defense Centers to manage
groups of sensors. Event data streams from managed sensors to both Defense
Centers and certain configuration elements are maintained on both Defense
Centers. If your primary Defense Center fails, you can monitor your network
without interruption using the secondary Defense Center.
hop The trip a packet takes from one router or intermediate point to another in the
network. RNA detects the number of network hops that exist between the
sensors and the hosts they monitor, which provides you with information about
the physical location the hosts on your network.
host A device that is connected to a network and has a unique IP address. To RNA, a
host is any identified host that is not categorized as a bridge, router, NAT device,
or load balancer.
host attribute A tool you can use to provide information about hosts detected by RNA and to
classify them in ways that are important to your network environment. For
example, you could create a host attribute that designates the physical location of
each host on your network. You can use and configure the two predefined host
attributes, host criticality and notes, as well as create your own host attributes. In
addition, when you create a compliance white list, RNA automatically creates a
host attribute that indicates the compliance of the host. You can use host
attributes in compliance rules and compliance white lists, and you can search for
hosts with specific host attribute values. You also can generate reports based on
host attributes.
host criticality A host attribute that indicates the business criticality (importance) of any given
host detected by RNA. You can use host criticality values when searching for
hosts or when creating compliance rules and compliance white lists.
host event An event indicating that RNA has detected a host. RNA collects information about
the hosts on monitored network segments. The information that RNA collects
comprises that host’s host profile.
host import input data Host input data imported using a command line utility or the host input API.
host input A feature that allows you to import host data from third-party applications to
augment the information in the RNA network map using scripts or command-line
files. You can also use the host input feature through the web interface to modify
operating system or service identities or deleting services, protocols, host
attributes, or client applications.

host input event
to
import Glossary
host input event An event that is created when a change is made to your network map using the
host input feature.
host profile Collected information about a specific host detected by RNA. This includes
general host information, such as its name and operating system, as well as its
user history, host attributes, the protocols it uses, the services it is running, VLAN
information, client applications running on the host, applicable white list
violations, detected vulnerabilities, and any scan results for that host.
host profile A constraint placed on a traffic profile or compliance rule. A host profile
qualification qualification within a compliance rule specifies that the Defense Center should
generate a compliance event only if the host involved meets certain criteria. A
host profile qualification within a traffic profile limits the hosts that are profiled.
host statistics Information you can obtain about an appliance, including uptime, system memory
usage, load average, disk usage, a summary of system processes, and, on the
Defense Center, information about data correlator processes.
host view The final page in workflows based on RNA events (with the exception of
workflows based on vulnerabilities, which use the vulnerability detail page). The
host view displays the host profiles of the hosts involved in the events you are
viewing.
HTTP Inspection A preprocessor that decodes and normalizes URI data sent to and received from
web servers on your network, detects and generates events against possible
URI-encoding attacks, and makes the normalized data available for additional rule
processing. This is important because HTTP traffic can be encoded in a variety of
formats, making it difficult for IPS to inspect packets accurately.
identity conflict A conflict event that occurs when RNA reports a new passive identity that
conflicts with the current active identity and previously-reported passive
identities.
impact The qualification of each intrusion event on a Defense Center based on whether
RNA deployed on the same segment detected a vulnerable service or open port
on the target of the attack. If the targeted host is not vulnerable, the impact of the
attack is low. However, if the targeted host is vulnerable, then the impact is high
and you should act to mitigate the effects of the attack.
impact flag For intrusion events, an indicator of the correlation between intrusion data, RNA
network discovery events, and vulnerability information. A red impact flag means
that the host is vulnerable to the attack represented by the intrusion event,
orange means it is potentially vulnerable, and so on. Intrusion events detected on
network segments not monitored by RNA have gray impact flags; this indicates
that the Defense Center cannot determine the events’ impact.
import A method that you can use to transfer various configurations from appliance to
appliance. You can import intrusion policies, RNA detection policies, system

inactive period
to
intrusion event Glossary
policies, health policies, dashboards, custom workflows and tables, and RNA
detectors that you previously exported from another appliance of the same type.
inactive period An interval during which a compliance rule does not trigger. You can configure an
inactive period to occur daily, weekly, or monthly and to begin at a specified time
and last a specified number of minutes. For example, you might perform a nightly
Nessus scan on your internal network to look for vulnerabilities. In that case, you
could set a daily inactive period on the affected compliance rules for the time and
duration of your scan so those rules do not trigger erroneously. See also snooze
period.
incident One or more intrusion events that you suspect are involved in a possible violation
of your security policy. The Sourcefire 3D System provides incident-handling
features that you can use to collect and process information that is relevant to
your investigation of the incident.
inline A type of interface set that allows you to deploy a 3D Sensor inline on a network.
In this configuration, the IPS component can affect the traffic flow on the
monitored network, including dropping malicious packets.
inline intrusion policy An intrusion policy that you apply to an IPS detection engine configured with an
inline or inline with fail open interface set. Inline intrusion policies can contain
intrusion rules that not only generate intrusion events based on network traffic
content, but that also can drop malicious packets and replace their content with
benign alternatives. You designate an intrusion policy as inline by setting the
protection mode to inline. Compare with passive intrusion policy.
inline with fail open A type of interface set that allows you to use a compatible fail-open card that
allows network traffic to continue flowing if the appliance fails for any reason.
interface set One or more sensing interfaces on a 3D Sensor that you can use to monitor
network segments for one or more detection engines. You can use passive,
inline, or inline with fail open interface sets.
internal An authentication method that stores user credentials in a local database. When a
authentication user logs into the appliance, the user name and password are checked against the
information in the database. Compare with external authentication.
intrusion A security breach, attack, or exploit that occurs on your network.
Intrusion Agent Software that can be installed on certain Red Hat Linux, FreeBSD or Sun Solaris
servers to transmit intrusion events generated by Snort to the Defense Center.
You can use the Defense Center to aggregate event information from Intrusion
Agents with data from 3D Sensors with IPS.
intrusion event A record of the network traffic that violated an intrusion policy. Intrusion event
data includes the date, time, and the type of exploit, as well as other contextual
information about the source of the attack and its target.

intrusion policy
to
link state propagation mode Glossary
intrusion policy Either an passive intrusion policy or an inline intrusion policy. Intrusion policies
include a variety of components that you can configure to inspect your network
traffic for intrusions and policy violations. These components include
preprocessors; intrusion rules that inspect the protocol header values, payload
content, and certain packet size characteristics; adaptive profile configuration;
RNA recommended rules configuration; and tools that allow you to control how
often events are logged and displayed.
intrusion rule A set of keywords and arguments that, when applied to captured network traffic,
identify potential intrusions, policy violations, and security breaches. IPS
compares packets against the conditions specified in each rule and, if the packet
data matches all the conditions specified in the rule, the rule triggers and
generates an intrusion event. Intrusion rules include alert rules, drop rules, and
pass rules.
IP address A 32-bit (IPv4) or 128-bit (IPv6) number, usually represented in dot notation (for
example, 192.168.34.166), that identifies the host that sends or receives packets
on the Internet or on the local network.
IPS A component of the Sourcefire 3D System, separately licensable on 3D Sensors,

that provides intrusion detection and prevention capabilities. If you configure a
3D Sensor with IPS with an inline or inline with fail open interface set and use an
inline intrusion policy, you can alert on and drop malicious traffic. If instead you
use the IPS component with a passive interface set and a passive intrusion policy,
then the IPS component can only alert on malicious traffic and cannot affect the
network traffic flow.
Intrusion Event A user role that provides access to IPS analysis features, including intrusion event
Analyst views, incidents, and reports. Intrusion Event Analysts see the main toolbar and
IPS analysis-related options on the Analysis & Reporting and Operations menus.
The Intrusion Event Analyst (Read Only) role provides read-only access to the
same set of functions.
layer A complete set of option settings for all IPS features. In a basic intrusion policy, all
layer interactions are transparent to the user. You can add custom user layers to
the built-in layer or layers in your policy to create a more advanced intrusion policy.
In either a basic intrusion policy or an advanced intrusion policy, the setting in a
higher layer for an intrusion policy feature or feature option overrides a setting for
the same feature or option in a lower layer
LDAP authentication A form of external authentication that verifies user credentials by comparing them
to a Lightweight Directory Access Protocol (LDAP) directory stored on an LDAP
directory server.
link state propagation An option you can enable for an inline interface set. With this option enabled,
mode when one of the interfaces goes down the other interface in the set is
automatically brought down within a few seconds. For copper fail-open NIMs,
when the first interface comes back up the second interface comes up

load balancer
to
Nessus plugin Glossary
automatically. Link state propagation mode is also available for fiber interface
cards, but that recovery is not automatic. To restore fiber interfaces you must
reset the NIM. Crossbeam-based software sensors and 3D9800 sensors do not
support this feature.
load balancer A network device that distributes network traffic to optimize performance and
resource use. RNA identifies network devices as load balancers if the TTL value
changes from the client side, or if the TTL value changes more frequently than a
typical boot time. RNA distinguishes between load balancers and NAT devices
depending on what side the analyzed traffic is coming from: server (load balancer)
or client (NAT device).
MAC address Media Access Control address. A MAC address is a NIC’s (network interface
card’s) unique hardware address. RNA detects the MAC addresses and hardware
vendors of the NICs for the hosts and network devices on your network.
managed sensor A 3D Sensor, Intrusion Agent, or software sensor configured and managed by a
Defense Center.
management The network interface that you use to administer the Defense Center or
interface 3D Sensor. In most installations, the management interface is connected to an
internal, protected network. Compare with sensing interface.
Maintenance User A user role that provides access to monitoring and maintenance features.
Maintenance users see the main toolbar and maintenance-related options on the
Operations top-level menu.
Master Defense A special-purpose appliance that is capable of aggregating intrusion events and
Center compliance events from up to ten other Defense Centers. A Master Defense
Center is also able to collect health status from its managed Defense Centers.
NAT device A network device that performs network address translation (NAT), most
commonly to share a single internet connection among multiple hosts on a
private network. RNA identifies network devices as NAT devices if the TTL value
changes from the client side, or if the TTL value changes more frequently than a
typical boot time. RNA distinguishes between load balancers and NAT devices
depending on what side the analyzed traffic is coming from: server (load balancer)
or client (NAT device).
Nessus An open source vulnerability scanner developed through the Nessus Project
(http://www.nessus.org/) that uses Nessus plugins to test for vulnerabilities on
the hosts that it scans.
Nessus plugin A Nessus script written in the Nessus Attack Scripting Language (NASL) that
tests for a specific vulnerability on your system. Over 9000 Nessus plugins exist.

Nessus plugin family
to
object, for import or export Glossary
Nessus plugin family A group of Nessus plugins of a particular type. The Sourcefire 3D System
integration with Nessus allows you to select the plugins used to scan by enabling
or disabling plugin families.
Nessus scan A network scan for vulnerabilities that emulates the actions of an attacker.
Nessus scans use plugin families (see Nessus plugin family) to test for specific
vulnerabilities on your network. You can manually run Nessus scans, or you can
schedule periodic scans. Within a compliance policy, you can configure a Nessus
scan as a response (or remediation) to a compliance event or white list event.
NetFlow An open but proprietary network protocol for collecting IP traffic information,
developed by Cisco Systems to run on Cisco IOS-enabled equipment. You can
use the information collected by NetFlow-enabled devices to supplement the
data collected by RNA and to monitor networks not covered by 3D Sensors with
RNA.
network device In the Sourcefire 3D System, a bridge, router, NAT device, or load balancer.
network discovery A kind of RNA event that communicates the details of changes to the hosts on
event your monitored network. New events are generated for newly discovered
network features, and change events are generated for any change in previously
identified network assets. Settings in the system policy determine the types of
network discovery events that are stored in the RNA database.
network map A detailed representation of your network generated by RNA. The network map
allows you to view your network topology in terms of the hosts and network
devices running on your network as well as their associated host attributes,
services, and vulnerabilities.
Nmap An open source active scanner that you can use to detect operating systems and
services running on a host. Running an Nmap scan adds the information detected
to your network map.
Nmap scan A scan of a designated host or hosts to detect operating systems and services.
NTP Network Time Protocol. NTP uses Coordinated Universal Time (UTC time) to
synchronize the computer clocks in a network. You can synchronize the Defense
Center’s time with an NTP server. You can also configure a Defense Center as an
NTP server so that managed sensors can synchronize time with it.
object, for import or A policy or rule that is created on an appliance and can be exported from that
export appliance and imported by another appliance. Depending on the type of appliance
and the components you are licensed to use, you can import and export some
RNA detectors, custom table views, custom workflows, dashboards, system
policies, intrusion policies, custom intrusion rules and rule classifications, RNA
detection policies, and health policies.

operating system identity
to
PCRE Glossary
operating system The operating system vendor and version details for an operating system on a
identity host.
packet A unit of data routed between a source and a destination on a network. When
data travels from one place to another on a network, the file is divided into chunks
of an efficient size, called packets, for routing. The packets that comprise a single
file may travel different routes through the network, but can be reassembled into
the original file at the receiving end. If you are licensed for the IPS component,
you can view the portion of a packet that was captured as part of an intrusion
event.
packet decoder rule A rule associated with a detection option of the packet decoder included in the
IPS component of the Sourcefire 3D System. You must enable packet decoder
rules if you want them to generate events. Packet decoder rules have a GID
(generator ID) of 116.
packet view A type of workflow page that provides detailed information about the packet that
triggered an intrusion rule or the preprocessor that generated an intrusion event.
The packet view is the final page in workflows based on intrusion events.
pass rule An intrusion rule that, when triggered, does not generates an intrusion event and
does not log the details of the packet that triggered the rule. Pass rules allow you
to prevent packets that meet specific criteria from generating an event in specific
situations, as an alternative to disabling the intrusion rule. Compare with alert rule
and drop rule.
passive A type of interface set that allows you to deploy a 3D Sensor passively on a
network. In this configuration, the IPS component cannot affect the traffic flow,
and should be used with a passive intrusion policy.
passive detection The detection of host operating system and service information through analysis
of traffic passively collected by RNA.
passive intrusion An intrusion policy applied to an IPS detection engine configured with a passive
policy interface set. You can also apply a passive intrusion policy to an IPS detection
engine that uses an inline or inline with fail open interface set. You designate an
intrusion policy as passive by setting the protection mode to passive. Compare
with inline intrusion policy.
payload In an event, the content of http traffic detected by RNA, if available. Payload
information is comprised of a payload type, which represents the general content
type (for example, audio or video) as well as a payload, which represents the
specific type of content (for example, WMV or QuickTime).
PCRE Perl-compatible regular expression. You can search packet payloads for content
using PCREs. This is useful if you want to search for content that could be
displayed in a variety of ways; the content may have different attributes that you
want to account for in your attempt to locate it within a packet’s payload.

PEP
to
predefined workflow Glossary
PEP A technology based on the hardware capabilities of 3D9900 interface sets that
allows you to use a PEP policy for advanced traffic management.
PEP policy The criteria used when determining if a PEP-capable interface set should block,
analyze, or send traffic directly through the sensor with no further inspection.
policy A mechanism for applying settings to an appliance or detection engine. See

intrusion policy, passive intrusion policy, inline intrusion policy, defragmentation
policy, compliance policy, RNA detection policy, health policy, PEP policy, system
policy, and security policy.
policy and response A feature you can use to build a compliance policy that responds in real-time to
threats on your network. In addition, the remediation component of policy and
response provides a flexible API that allows you to create and upload your own
custom remediation modules to respond to policy violations.
Policy & Response A user role that provides access to rules and policy configuration. Policy &
Administrator Response Administrators have access to the main toolbar and rule and
policy-related options on the Policy & Response and Operations menus.
policy violation A security breach, attack, exploit, or other misuse of your network as detected by
a compliance policy.
port The endpoint of a logical connection on a TCP or UDP network. Each port on a
host has a number, which identifies the type of port. Many services have default
ports; for example, HTTP traffic typically uses port 80. TCP and UDP use port
numbers to separate data transmissions on the same network interface on the
same host. With IPS, when you tune your intrusion policy, you can define, in both
variables and rules, specific port numbers, such as ports susceptible to shell code
exploits, HTTP (or web server) ports, and database server ports. This lets you
specify the level of granularity of inspection so that rules execute against ports
appropriate to your network needs.
portscan A form of network reconnaissance that is often used by attackers as a prelude to

an attack. In a portscan, an attacker sends specially crafted packets to a targeted
host. By examining the packets that the host responds with, the attacker can
often determine which ports are open on the host and, either directly or by
inference, which services are running on these ports.
predefined table A database table delivered with the Sourcefire 3D System. You can use the web
interface to view the event information in the predefined tables. Predefined tables
cannot be modified. Compare with custom table.
predefined workflow A workflow delivered with the Sourcefire 3D System. You cannot modify
predefined workflows. Compare with custom workflow and saved custom
workflow.

preprocessor
to
remediation Glossary
preprocessor A feature of IPS that normalizes traffic and helps identify network layer and
transport layer protocol anomalies by identifying inappropriate header options,
defragmenting IP datagrams, providing TCP stateful inspection and stream
reassembly, and validating checksums. Preprocessors can also render specific
types of packet data in a format that the detection engine can analyze; these
preprocessors are called data normalization preprocessors, or application-layer
protocol preprocessors. Normalizing application-layer protocol encoding allows
the detection engine to effectively apply the same content-related rules to
packets whose data is represented differently and obtain meaningful results.
Preprocessors generate preprocessor events whenever packets trigger
preprocessor options that you configure.
preprocessor event A type of intrusion event that is generated when a packet triggers specified
preprocessor options. Preprocessor events can help you detect anomalous
protocol exploits.
preprocessor rule A rule associated with a detection option of one of the preprocessors or with the
portscan flow detector included in the IPS component of the Sourcefire 3D
System. You must enable preprocessor rules if you want them to generate
events. Preprocessor rules have a preprocessor-specific GID (generator ID).
private search A named set of search terms that is tied to your user account. Only you and users
with Administrator access can use your private searches.
protection mode An intrusion policy setting that determines how IPS handles rule states set to
Drop and Generate Events in an inline deployment. When you apply an inline
intrusion policy to a detection engine on a 3D Sensor with an inline interface set,
IPS drops packets that trigger enabled preprocessor rules, packet decoder rules,
or intrusion rules that are set to Drop and Generate Events and generates events
for the triggered rules.
protected network Your organization’s internal network that is protected from users of other
networks by a device such as a firewall. Many of the intrusion rules delivered with
the Sourcefire 3D System use variables to define the protected network and the
unprotected (or outside) network.
RADIUS Remote Authentication Dial In User Service. RADIUS is an authentication protocol

authentication used to authenticate, authorize, and account for user access to network
resources. You can create an external authentication object to allow Sourcefire 3D
Systemusers to authenticate through a RADIUS server.
rate filtering A form of anomaly detection that sets a new rule state for a rule based on the rate
of matching traffic.
remediation An action that mitigates potential attacks on your system. You can configure
remediations and, within a compliance policy, associate them with compliance
rules and compliance white lists so that when they trigger, the Defense Center
launches the remediation. This not only can automatically mitigate attacks when

remediation status event
to
RNA detector Glossary
you are not immediately available to address them, but also can ensure that your
system remains compliant with your organization’s security policy. The Defense
Center ships with predefined remediation modules: three that are designed for a
particular firewalls and routers, one that lets you perform Nessus scans, one that
lets you perform Nmap scans, and one that lets you set host attributes. You also
can use a flexible API to create custom remediations.
remediation status An event generated when a remediation is launched.

event
replace rule When using an inline IPS detection engine, you use the replace keyword in a
custom standard text rule to replace a specific string with exactly the same
number of characters. This allows you to replace the content of malicious packets
with benign alternatives. Only the first instance of the content found by the rule is
replaced. The sensor automatically updates the packet checksum so that the
destination host can receive the packet without error.
report profile A template for an event report. You can create and save custom report profiles.
You can then manually run reports based on the profiles, or schedule the
Sourcefire 3D System to generate reports automatically. You can use report
profiles to add your company logo to reports, define the set of events that appear,
specify the amount of detail, and specify the report’s output file format.
response A reaction to a compliance policy violation—either an alert or a remediation.
Restricted Event A user role that can provide access to the same features as Intrusion Event
Analyst Analyst or RNA Event Analyst access. You can restrict access by only allowing
access to those events that match specified search criteria or you can turn off
access for an entire category of events. Restricted event analyst users see only
the main toolbar and analysis-related options on the Analysis & Reporting and
Operations menus. The Restricted Event Analyst (Read Only) role provides read-
only access to the same set of functions.
RNA A component of the Sourcefire 3D System that is installed by default on the

3D Sensor and that passively analyzes your network traffic to provide you with a
complete, persistent view of your network. RNA identifies new and changed
hosts on your network as well as tracks the sessions involving monitored hosts.
For each detected host, RNA discovers the services and client applications that
they use as well as vulnerabilities to which the host is susceptible. Note that you
must add a feature license in the form of an RNA host license on the Defense
Center that manages the sensor before you can view RNA data.
RNA detection policy A policy that you apply to RNA detection engines that specifies the kinds of data
RNA collects, as well as the network segments each RNA detection engine or
NetFlow-enabled device monitors.
RNA detector An RNA detector provides RNA with the information needed to identify
non-standard services, including the port used by service traffic, a pattern within

RNA event
to
RUA user Glossary
the traffic, or both the port and the pattern. The Sourcefire 3D System is delivered
with many internal RNA detectors, or you can create your own. In addition,
Sourcefire may deliver additional RNA detectors that you can add to the
Sourcefire 3D System via vulnerability database updates or via the Import/Export
feature.
RNA event An event generated by RNA. RNA events include network discovery events,
which communicate the details of changes to the hosts on your monitored
network, and flow events, which are records of sessions involving monitored
hosts. RNA events also include client application events, host events, host
attributes, and service events, which provide general information about your
network topology. A vulnerability is also considered an RNA event.
RNA Event Analyst A user role that provides access to RNA analysis features, including event views,
network maps, host profiles, services, vulnerabilities, client applications, and
reports. RNA Event Analysts see the main toolbar and RNA analysis-related
options on the Analysis & Reporting and Operations menus. The RNA Analyst
(Read Only) role provides read-only access to the same set of functions.
RNA A built-in layer in an intrusion policy that exists when you choose to allow IPS to
Recommendations modify the rule states of shared object rules and standard text rules to the states
layer recommended by the RNA recommended rules features. You cannot manually
modify or remove this layer. IPS removes or restores the layer when you decide
to not use or use, respectively, recommendations for a policy.
RNA recommended A feature that recommends which rules should be enabled or disabled in your
rules intrusion policy, based on information from your RNA network map. You can
choose to allow the system to modify rule states based on recommendations, in
which case the system adds a read-only RNA Recommendations layer.
router A network device, located at a gateway, that forwards packets between

networks. RNA identifies network devices as routers if they are detected
communicating using CDP or if they meet other qualifying criteria. For example, if
multiple hosts appear to be using the same MAC address, that MAC address is
often identified as the router to which the multiple hosts are connected.
RUA Real-time User Awareness, also called RUA, allows your organization to correlate
threat, endpoint, and network intelligence with user identity information.
RUA Agent An RUA Agent is an agent you install on a Microsoft Active Directory server to
monitor users as they log into the network or when they authenticate against
Active Directory credentials for any other reason.
RUA event An event generated by RUA in response to a detected user login or the addition or
deletion of a user from the RUA database. RUA events are stored in the RUA
database.
RUA user A user detected by RUA whose user identity data is stored in the RUA database.

rule
to
Series 2 appliance Glossary
rule A construct that provides criteria against which network traffic is examined. Rules
can detect a variety of intrusions, attacks, exploits, and suspicious traffic. See
compliance rule, intrusion rule, alert rule, pass rule, and drop rule.
rule state Whether an intrusion rule is enabled, disabled, or set to Drop within an intrusion
policy. If you enable a rule, it is used to evaluate your network traffic; if you
disable a rule, it is not used. A drop rule drops any packets that trigger the rule;
note that you can set the Drop rule state only in an inline intrusion policy.
saved custom A custom workflow that is based on a custom table and delivered with the
workflow Defense Center. Unlike predefined workflows, you can modify saved custom
workflows.
scheduled task An administrative task that you can schedule to run once or at recurring intervals.
Depending on the appliance where you are creating the task, you can schedule
tasks to run backups, apply an intrusion policy, generate reports, download and
install SEUs, manage RNA recommended rules, run Nmap scans, run Nessus
scans and synchronize Nessus plugins, download and install software and
vulnerability database updates, and push downloaded updates to managed
sensors.
security policy An organization's guidelines for protecting its network. For example, your security
policy might forbid the use of wireless access points. A security policy may also
include an acceptable use policy (AUP), which provides employees with
guidelines of how they may use their organization’s systems. For example, your
AUP might forbid the use of instant messaging client applications.
sensing interface A network interface on a sensor that you use to monitor a network segment. You
can connect sensing interfaces to your network in various ways. How you plan to
deploy your detection engines (passively or inline) affects how you connect them
to your network. Compare with management interface.
sensitive data A preprocessor that detects sensitive data such as credit card numbers and Social
Security numbers in ASCII text. This can be particularly useful for detecting
accidental data leaks that can occur, for example, when an employee emails
themselves a list of credit card numbers to work with at home.
sensor group On the Defense Center, a logical group that can contain or more managed
sensors so you can more readily manage them. For example, you can easily apply
a system policy to, or install updates on, multiple sensors at once.
Series 1 appliance The first series of Sourcefire appliance models, including the following models:
3D500 PW, 3D1000 NH, 3D2000 NH, 3D2100 NH, 3D3000 JR, DC1000 JR,
DC3000 JR, and the 3Dx800 sensor models.
Series 2 appliance The second series of Sourcefire appliance models, including the following
models: 3D500 PB, 3D1000 PB, 3D2000 PB, 3D2100 FR, 3D2500 FR, 3D3500
FR, 3D4500 FR, DC1000 AL, DC3000 AL, and MDC3000 AL. All appliances

service
to
SNMP trap Glossary
currently shipping from Sourcefire, with the exception of the 3Dx800 models, are
Series 2 appliances.
service Work performed by a server. NTP, SSH, HTTP, and AIM are examples of services.
service event An event indicating that RNA has detected a service running on a specific host.
RNA collects information about all services run by hosts on monitored network
segments. The information that RNA collects includes the name of the service,
the protocol used by the service, the IP address of the host running a service, and
the port on which the service is running.
service identity The service type, vendor, and version details for a service on a host.
SEU (Security An as-needed product update that contains new and updated standard text rules
Enhancement Update) and shared object rules. In addition, SEUs can provide your Defense Centers and
3D Sensors with an updated version of Snort, as well as features such as new
preprocessors and decoders.
shared object rule An intrusion rule delivered as a binary module compiled from C source code. You
can use shared object rules to detect attacks in ways that standard text rules
cannot. You cannot modify the rule keywords and arguments in a shared object
rule; you are limited to either modifying variables used in the rule, or modifying
aspects such as the source and destination ports and IP addresses and saving a
new instance of the rule as a custom shared object rule. Shared object rules have
a GID (generator ID) of 3.
SID A unique identifying number assigned to each intrusion rule. When you create a
new rule or modify an existing standard text rule, it is given a SID (Signature ID,
also called Snort ID) of 1,000,000 or greater. The SIDs for shared object rules and
standard text rules delivered with the Sourcefire 3D System are lower than
1,000,000. Also, preprocessors and decoders use SIDs to identify the different
types of packets they detect.
simple condition A single constraint placed on a compliance rule, flow tracker, host profile
qualification, or traffic profile. You can link simple conditions with other simple or
complex conditions using AND or OR operators.
simple constraint A simple constraint sets a single constraint on the events retrieved in an event
view or event search.
SNMP alerting The transmission of an alert as an SNMP trap. Each event SNMP trap contains
information identifying the server's name, the sensor’s IP address, and the event
data.
SNMP trap A message sent by a network device on UDP port 162 using the simple network
management protocol (SNMP) when errors or specific events occur on the
network. See also SNMP alerting.

snooze period
to
syslog alerting Glossary
snooze period An interval specified in seconds, minutes, or hours after a compliance rule
triggers during which the Defense Center stops firing that rule, even if the rule is
violated again during the interval. When the snooze period has elapsed, the rule
can trigger again (and start a new snooze period). See also inactive period.
Snort An open-source intrusion detection system that performs real-time traffic analysis
and packet logging on IP networks. Snort can perform protocol analysis, content
searching and matching, and can detect a variety of attacks and probes. Snort
uses a flexible rules language to describe network traffic that it should collect or
pass. The IPS detection engines use Snort to test packets against decoders,
preprocessors, and intrusion rules.
Sourcefire-defined A table that is delivered with the Defense Center that contains fields from two or
custom table more predefined tables.
standard text rule An intrusion rule created based on the identifiers, keywords and arguments
available in the rule editor. You can create your own custom standard text rules
and modify existing standard text rules provided by Sourcefire. A standard text
rule has a GID (generator ID) of 1.
stateful inspection A preprocessor that makes sure that only packets that are part of a TCP session
established with a legitimate three-way handshake between a client and server
can generate intrusion events. This allows analysts to focus on these events
rather than the volume of events caused by denial of service (DoS) attacks like
stick or snot.
stream reassembly A preprocessor that IPS uses to collect and reassemble all of the packets that are
part of a TCP session’s server-to-client or client-to-server communication stream.
Stream reassembly allows the detection engine to inspect the stream as a single
entity rather than only the individual packets, which allows the detection engine
to identify stream-based attacks.
subnet detection A feature that allows RNA to automatically determine the closest subnets to each
RNA detection engine and then make recommendations about which detection
engines should be the reporting detection engines for specific subnets.
subnet mask A bit mask used to identify which bits in an IP address correspond to the network
address, and which correspond to the subnet portion of the address.
suppression See event suppression.
switch A multiport bridge.
syslog A logging system, also called the system log, used by many operating systems.
You can configure the Defense Center or 3D Sensor to perform syslog alerting.
syslog alerting The transmission of an alert as a message to an external syslog. All syslog
messages include both a facility and a priority level. The facility indicates the

system policy
to
three-way handshake Glossary
subsystem (for example, FTP, NTP, or MAIL) that created the message and the
priority defines the importance of the message.
system policy Settings that are likely to be similar for multiple appliances in a deployment, such
as access configuration, authentication profiles, database limits, DNS cache
settings, the mail relay host, a notification address for database prune messages,
language selection (English or Japanese), login banner, RNA settings, and time
synchronization settings. You can configure a system policy on a Defense Center
and then apply the policy to the Defense Center and its managed sensors.
system settings Settings that are specific to a single appliance, such as appliance name, IP
address, time settings, licensing, and remote management settings. You can also
use the system settings pages to shut down or reboot an appliance and to restart
its software.
table view A type of workflow page that displays event information. Table views include a
column for each of the fields in the database. For example, the table view of
intrusion events includes columns such as Time, Priority, Impact Flag, Source IP,
Destination IP. As another example, the table view of RNA network discovery
events includes such columns as Time, Event, IP Address, MAC Address, and so
on. Generally, you use drill-down pages to constrain the events you want to
investigate before moving to the table view that shows you the details about the
events you are interested in. The table view is the next to last page in predefined
workflows; advancing from the table view leads to the packet view (for workflows
based on intrusion events), the host view (for workflows based on RNA events),
the vulnerability detail page (for workflows based on vulnerabilities), or the user
identity view (for workflows based on RUA events).
tap mode A setting for an inline interface set on a 3D3800, 3D5800, 3D9800, or 3D9900
sensor where a copy of each packet is sent to the sensor and the network traffic
flow is undisturbed instead of the packet flow passing through the sensor.
Because you are working with copies of packets rather than the packets
themselves, you cannot use drop rules or replace rules as you can with a sensor
that is deployed in the packet stream.
task queue A queue of jobs that the Defense Center or 3D Sensor needs to perform. When
you apply a policy, push updates, install software, and perform other long-running
jobs, the jobs are queued and their status reported on the Task Status page. The
Task Status page provides a detailed list of jobs and refreshes every ten seconds
to update their status.
three-way handshake The process two hosts use to establish a TCP/IP connection. A three-way
handshake occurs when the originating host sends a SYN (synchronization)
packet to the destination host. The destination then sends its own SYN packet
and an ACK (acknowledgement) packet. The originator then returns an ACK which
acknowledges the SYN/ACK packets the destination sent. With IPS, you can
configure intrusion rules evaluate the data in established TCP sessions only

thresholding
to
VLAN Glossary
(where a three-way handshake has occurred) or on all traffic, including orphaned

packets.
thresholding See event thresholding.
traffic profile A profile of the traffic on your network, based on flow data collected by RNA over
a time span that you specify. You can create profiles using all the traffic on a
monitored network segment, or you can create more targeted profiles using
criteria based on the data in flow events. Then, you can use the policy and
response feature to detect abnormal network traffic by evaluating new traffic
against an existing profile.
transparent inline A setting that allows 3D Sensors configured with inline interface sets that
mode forward packets regardless of whether they contain MAC addresses that are valid
for the monitored network.
unidentified host A host whose operating system cannot be identified because RNA has not yet
gathered enough information about the host. Compare with unknown host.
unknown host A host whose traffic has been analyzed by RNA, but whose operating system
does not match any known fingerprints. Compare with unidentified host.
Unified file A binary file format that the Sourcefire 3D System uses to log event data.
user identity view The user identity view provides details on RUA users and a host history with a
graphic representation of the last twenty-four hours of the user’s activity.
user input data Host input data added through the Sourcefire 3D System user interface by setting
or modifying an identity.
user layer A layer in an intrusion policy where you can modify the basic feature settings and
advanced feature settings in the policy.
UTC time Coordinated Universal Time. Also known as Greenwich Mean Time (GMT), UTC is
the standard time common to every place in the world. The Sourcefire 3D System
uses UTC, although you can set the local time using the Time Zone feature.
variable A representation of a value that is commonly used in intrusion rules. The

Sourcefire 3D System uses pre-configured variables to define networks and port
numbers. Rather than hard-coding these values in multiple rules, to tailor a rule to
accurately reflect your network environment, you can change the variable value.
You can use a variable within an intrusion policy or a specific IPS detection engine.
VLAN A virtual local area network. VLANs map hosts not by geographic location, but by
some other criterion (such as by department or primary use). This is useful if you
want to separate hosts into small, logical network segments. A host’s host profile
shows any VLAN information associated with the host. VLAN information is
included in intrusion events (as the innermost VLAN tag in the packet that

vulnerability
to
widget Glossary
triggered the event). You can filter intrusion policies by VLAN, or target
compliance white lists by VLAN.
vulnerability A description of a specific compromise to which a host is susceptible. The

Defense Center provides information on the vulnerabilities to which each of your
hosts is vulnerable in the hosts’ host profiles. In addition, you can use the
vulnerabilities network map to obtain an overall view of the vulnerabilities that
RNA has detected on your entire monitored network. If you deem that a host or
hosts is no longer vulnerable to a specific compromise, you can deactivate, or
mark as invalid, a specific vulnerability.
vulnerability database A database of known vulnerabilities to which hosts may be susceptible. The
database includes such technical details as vulnerability title and identification
number, technical details, whether any exploits are known to take advantage of
the vulnerability, known solutions, and so on. RNA correlates the operating
system and services detected on each host with the vulnerability database to
help you determine whether a particular host increases your risk of network
compromise.
vulnerability detail A page in a workflow that provides information about a specific vulnerability,
page including technical details and known solutions. The vulnerability detail page is
the final page in workflows based on vulnerabilities.
white list Either a compliance white list or a list of IP addresses that you can configure
within a remediation to exempt the IP addresses from some kind of action. For
example, you could configure a firewall-based remediation to block all hosts that
trigger a specific compliance rule, with the exception of hosts specified in a white
list.
white list event An event generated when RNA detects that a valid target host has become
non-compliant with a compliance white list. For example, you can configure the
Defense Center to generate a white list event when RNA detects a new
non-compliant service running on a target host. Note that a white list event is a
special kind of compliance event.
white list violation A white list violation is an event that occurs when RNA generates an event that
indicates that a host is out of compliance. The Sourcefire 3D System includes
workflows that allow you to view each of the individual white list violations, as
well as the number of violations per host.
whois A mechanism for finding contact and registration information for IP addresses. If
your Defense Center or 3D Sensor is connected to the Internet, you can use the
web interface to look up information about an IP address using the whois feature,
which uses ARIN's (American Registry for Internet Numbers) WHOIS service.
widget See dashboard widget.

workflow
to
workflow Glossary
workflow A series of pages you can use to view and evaluate events by moving from a
broad view of event data to a more focused view that contains only the events of
interest to you. Workflows can include three types of pages, each of which
performs a unique function: drill-down pages, table views, and a final page (which
could be, depending upon the type of analysis you are performing, a packet view,
host view, vulnerability detail page, or user identity view). IPS provides two
categories of workflows: predefined workflows and custom workflows. The
Defense Center provides three categories of workflows: predefined workflows,
custom workflows, and saved custom workflows.

Index
Numerics A
3D Sensors 15, 16 access list 325
adding to a Defense Center 117 access requirements conventions 39
deleting 121 accessing the appliance 21, 23
deleting 3Dx800s 127 Active Directory 282
disabling communications 138 adding sensors to a Defense Center 117
health policy 491 Admin access 305
host name 137, 146 appliance groups 179
management concepts 100 creating 180
managing 99, 113 deleting 181
managing 3Dx800s 125 editing 180
resetting communications 128 appliance heartbeat monitoring 485, 501
resetting management 122 appliance information 135, 362
restarting 137 appliance status widget 67
sensor attributes 133 Application 212
sensor information 135 asynchronous routing and interface sets 216
Sensors page 115 audit log
stopping 137 time window 29
time sync 139 audit log settings 327
unregistering 153 auditing
updating 405, 406 audit records 566
3D9900s field descriptions 575
clustering 227 introduction 566
hardware alert details 560 searching 575
3Dx800s understanding 574
health policy 491, 495 viewing 567
managing 107, 125, 127 authentication objects 269
resetting communications 128 creating 269

Index
deleting 298 current sessions widget 69
editing 286 current time 87
LDAP 269, 270 custom
RADIUS 287 login banner 341
authentication profiles 329 report footers 259
Auto MDI/MDIX 382 custom analysis widget
Automatic Application Bypass 212 configuring 72
automatic application bypass monitoring 502 enabling 331
understanding 69
B
backup and restore 413
D
remote backups 419 dashboards 59, 89
scheduling backups 428 adding widgets 95
backup files custom dashboards 89
creating 414 default dashboard 35, 59
location 418 deleting 97
restoring 421 home page 60
backup profiles 418 modifying 93
blacklists properties 93
health monitoring 534, 537 settings 331
Master Defense Center 184 tabs 94, 95
system settings 362, 391 viewing 91
browser requirements 21 widgets 60, 64
bypass mode for fail open fiber interfaces 225, 226 data correlator process monitoring 485, 506
database
limits 332
purging 598
DC500 limitations 18
C default detection engines 191

Defense Center 99
card reset monitoring 505 adding sensors 117
CIDR notation 41 deleting sensors 121
client application timeout (RNA settings) 343 disabling communications 138
client requirements 21 health status 486, 507
clustering 3D9900s 227 managing 3D Sensors 113
communications channel 113, 383 managing with a Master Defense Center 156
compliance events resetting management 122
aggregating 158 restarting managed sensors 137
dashboard widgets 67 time sync 139
context menus 36 updating 402
conventions Defense Center groups 179
access requirements 39 creating 180
platform requirements 38 deleting 181
correlator process 473 editing 180
CPU temperature monitoring 485, 503 managing 179
CPU usage monitoring 485, 504 Defense Center, introduction 17
Crossbeam-based sensors 20, 110 detection engine groups 197
CSV reports 259 creating 197
deleting 199

Index
detection engines event stream process monitoring 486
and IPS 189 events
assign variable values 200 reports 235
creating 193 restoring events from backup files 424
creating variables 202 time window 29
default 191 expanding time window 29
definition 186 exporting
deleting 197 custom tables 584
deleting variables 203 custom workflows 585
detection engine groups 197 dashboards 585
detection engine types 194 health policies 586
editing 194 introduction 583
interface set types 187 intrusion policies 586
introduction 185 multiple objects 590
managing 193 policies 584
resetting variables 203 RNA detection policies 588
understanding 186 RNA detectors 589
variables 199 system policies 588
DHCP 378 external authentication 269, 287
disabling
communications between appliances 138
high availability 153
disk usage monitoring 486, 508
disk usage widget 80
DNS F
configuring the cache 337 failed logins 304
primary server 378 fan monitoring 486, 512
secondary server 378 feature licenses
tertiary server 378 adding 370
documentation viewing 372
conventions 38 filter configuration 176
resources 37 first boot instructions 44
domain name 378 Frames 212
drop new hosts (RNA settings) 343
E G
global policy management 161
email notification 338 graphs
email relay host 338 health monitoring 553
Enabling Fail-Safe 213 performance statistics 476
eStreamer 20 groups
process monitoring 486, 509 appliance groups 179
event aggregation 157 Defense Center groups 179
compliance events 158 detection engines 197
intrusion events 158 sensor groups 131
limitations 159
event database limits 332
event logging (RNA settings) 345
event preferences 27
event stream monitoring 511

Index
H exporting 586
health status monitoring 514
hardware alerts for 3Dx900s 560 high availability 112, 145, 146, 148
hardware monitoring 486, 513 configuration guidelines 149
health alerts 539, 540 disabling 153
creating 540 health monitoring blacklist 535
deleting 544 monitoring 152
editing 543 pausing communications 154
understanding 542 restarting communications 154
health events 555 setting up 150
field descriptions 562 shared configurations 146
searching 563 shared policies 147
table view 561 understanding 148
understanding 556 home page 35
viewing 556 dashboards 60
health modules 485 host statistics 464
blacklisting 537 host timeout, RNA settings 342
running all modules 550 hostname 378
running specific modules 551 HTML reports 259
health monitor
blacklist 362, 534, 537
health monitor process monitoring 487
health monitoring
alerts 539
appliance monitoring 547 I
blacklists 391 ICSA-compliant syslog formats 581
configuring 489 importing
creating alerts 540 introduction 583
default health policy 493 policies 593
deleting alerts 544 initial setup 43
editing alerts 543 admin user tasks 53
events 555 Defense Centers 47
graphs 553 IPS analyst user tasks 57
health modules 485 maintenance user tasks 54
health monitor 545 Policy and Response Admin user tasks 55
health policies 484 RNA analyst user tasks 56
introduction 482 interface sets 207
link state propagation 518 asynchronous routing 216
power supplies 522 creating 213
running health modules 550, 551 definition 187
status icons 549 deleting 223
status indicators 547 editing 221
time window 29 forcing into bypass mode 226
troubleshooting 554 interface status widget 68
understanding 483 interface traffic widget 81
understanding alerts 542 introduction 185
health policies 484 link state propagation mode 211
applying 528 multiple inline interface sets 216
configuring 489 tap mode 210
creating 497 transparent inline mode 209
defaults 490 types 187, 209
deleting 533 interface status widget 68
editing 530 interface traffic widget 81

Index
introduction 14 RUA users 374, 375
intrusion agents 19, 106 verifying 368
licenses 370 viewing 372
intrusion events link mode, editing 380
aggregating 158 link state propagation 211
widget 81 monitoring 518
intrusion policies link state propagation monitoring 487
exporting 586 local time 87
preferences 339 local vs. remote policies 102
scheduling policy applications 446 logging into the appliance 21
system policy preferences 336 using LDAP 23
IPS logging out of the appliance 24
introduction 16 login banner 341
IPS analyst access 306
IPS event rate monitoring 487, 511, 515
IPS process monitoring 487, 516
M
mail relay host 338
J Maintenance access 305
management interface 378
jumbo frames 212 management virtual network 383
managing
3D Sensors 99
3Dx800s 107, 125, 127
Defense Centers 156
L managed sensor system settings 133

sensors 100, 113
language 340 time settings 139
last successful login 25 Master Defense Center 156
LDAP 266, 269, 280 adding a Defense Center 165, 168
Active Directory server 282 appliance groups 179
attribute mapping 274 deleting a Defense Center 171
authentication profiles 329 editing settings for the Defense Center 175
authentication server 270 event aggregation 157
examples 281 filter configuration 176
group access settings 275 global policy management 161
logging in 23 health policies 162
managing user accounts 302 intrusion policies 161
OpenLDAP directory server 281 managing Defense Centers 156
settings 271 policy limitations 163
shell access 278 RNA detection policies 162
Sun directory server 284 system policies 162
licenses system settings 181
adding 370 updating 402
feature licenses 370 MDC event service monitoring 487, 519
managing 364 memory usage monitoring 487, 520
NetFlow 373, 376 multiple inline interface sets 216
product licensing widget 84
requesting 370
RNA hosts 373, 374

Index
N intrusion policies 339
time zone 34
NAT, working in NAT environments 112 widgets 64
Nessus scans primary Defense Center 148, 149, 150
scheduling plugin synchronization 452 product licensing widget 84
scheduling scans 450 product updates widget 85
NetFlow prohibit packet transfer to the Defense Center 135
adding devices 392 purging the RNA/RUA databases 598
licenses 370, 373, 376
system settings options 362
network address translation, see NAT
network compliance widget 82
network gateway 378
network interfaces 380 R
network settings RADIUS 287
configuring 377 connection settings 288
using DHCP 378 creating authentication objects 287
using static 379 custom attributes 293
Nmap scans, scheduling 454 editing authentication objects 298
examples 295
shell access 292
testing authentication 294
user roles 290
O read only access 305, 306
refresh interval 29
OpenLDAP 274, 281 registration ID 151
registration key 112, 151, 166, 169
remote backups 419
remote management 383, 386
remote reports 240
P remote storage 393

local storage 393
password settings 303 NFS 394
passwords SMG 396
changing 311 SSH 395
failed logins 304 system settings options 362
force reset 304 remote storage, reports 239
password options 304 remote vs. local policies 102
strength check options 304 report designer 246
passwords, changing 25 report profiles
PDF reports 259 creating 246
peer manager 151 deleting 263
PEP status monitoring 487 introduction 241
performance statistics 476, 478 predefined 242
platform requirements conventions 38 using 260
plugins, scheduling plugin synchronization 452 viewing generated reports 238
Policy & Response Admin access 306 reports
power supply monitoring 488, 522 creating report profiles 246
preferences 25 deleting 239
changing passwords 25 deleting report profiles 263
event preferences 27 downloading 238
home page 35 footers 259
from event views 235

Index
introduction 232 deleting 461
predefined profiles 242 editing 461
remote reports 240 introduction 425
remote storage 239 intrusion policy applications 446
report profiles 241 Nessus scans 450
scheduling reports 448 Nmap scans 454
using a report profile 260 recurring tasks 426
viewing generated reports 238 reports 448
requesting feature licenses 370 RNA recommended rules 456
Requires conventions 38 SEU imports 444
resetting management 122 software downloads 431
restarting the appliance 382 software installs 435
restoring from backup files 421 software pushes 433
Restricted event analyst access 306, 307 software updates 430
right-click menus 36 synchronizing Nessus plugins 452
RNA 15 using the calendar 459
introduction 15 using the task list 460
performance statistics 478, 479, 481 VDB downloads 438
purging the database 598 VDB installs 442
RNA settings in system policies 342 VDB pushes 440
subnet detection (system policy) 349 VDB updates 437
summary reports 257 viewing 458
rna (executable name) 475 searching
RNA analyst access 305 audit records 575
RNA detection policies CIDR notation 41
exporting 588 health events 563
system policy preferences 336 secondary Defense Center 148, 149, 150
RNA detectors SecurID 22, 23, 24
exporting 589 sensor groups
RNA events, purging the database 598 creating 131
RNA for Red Hat Linux 20, 109 deleting 133
RNA health monitoring 488, 523 editing 132
RNA host usage monitoring 488, 524 managing 131
RNA process monitoring 488, 525 sensor list 115
RNA recommended rules service timeout (RNA settings) 342
scheduling 456 serving time to managed sensors 357
RNA settings 347 session logouts 22
RNA subnet detection settings 349 sessions, current sessions widget 69
RSS feed widget 86 setup instructions 43, 44
RUA SEUs, scheduling imports 444
licenses 370, 374, 375 shell access 278, 292
purging RUA events 598 shutting down the appliance 382
system policy settings 352 sliding time window 29
rule classifications software sensors 105
exporting 587 software updates 398
installing 400
scheduling downloads 431
scheduling installs 435
scheduling pushes 433
S scheduling updates 430

static time window 29
scheduling tasks statistics
backups 428 performance 476, 478

Index
statistics refresh interval 29 understanding 471
status, tasks 600 viewing 468
store events only on Defense Center 135 system settings 360
subnet detection, system policy settings 349 appliance information 362
Sun directory server 284 introduction 360
syslog licenses 364
filer examples 581 managing with a Defense Center 133
filter syntax 579 Master Defense Center 181
four-digit years 581 NetFlow-enabled devices 392
viewing 578 network settings 377
system daemons 471 remote management 383, 386
system load widget 87 remote storage 393
system management restarting the appliance 382
backup and restore 413 shutting down the appliance 382
IPS performance statistics 476 time sync 389
RNA performance statistics 478 system time widget 87
software updates 398 system utilities and executables 473
system policies 320
system settings 360
uninstalling software updates 409
VDB updates 398
system monitoring
disk usage 468 T
host statistics 464 tap mode 210
introduction 463 task queue 600
system processes 468 managing 602
system status 468 viewing 600
system monitoring, system load widget 87 testing authentication 280
system policies 320 time sync 354, 357
access list 325 Master Defense Center 183
applying 324 serving time 357
audit log 327 setting manually 389
authentication profiles 329 setting time on a managed sensor 139
creating 321 time sync, system time widget 87
custom login banner 341 time synchronization monitoring 488, 526
dashboard settings 331 time window 29
database limits 332 default setting 29
deleting 325 time zone 34
detection policy preferences 336 timeout
DNS cache 337 DNS cache option 337
editing 323 session logout 24
exporting 588 session logouts 22
language 340 traffic status monitoring 488, 527
mail relay host 338 transparent inline mode 209
multiple fingerprint settings 345 troubleshooting files 554
RNA data storage 342
RNA settings 342, 347
RUA settings 352
service vulnerability mapping 358
subnet detection settings 349
time sync 354 U
vulnerability impact assessment settings 345
unauthorized activity 23
system processes

Index
uninstalling software updates 409
unique NAT ID 112, 386 W
updating web browser requirements 21
managed 3D Sensors 405 what’s next? 52
unmanaged 3D Sensors 406 white lists
updating the software 400 network compliance widget 82
product updates widget 85 white list events widget 88
user accounts widgets 60
access types 304 adding to a dashboard 95
account management 264 appliance status 67
creating 300 availability 61
deleting 312 compliance events 67
editing 306 current sessions 69
externally authenticated user accounts 302 custom analysis 69
LDAP users 302 deleting 97
managing 299 disk usage 80
menu access per access type 312 interface status 68
password options 304 interface traffic widget 81
password settings 303 intrusion events 81
privileges 267 minimizing and maximizing 97
shell access 278, 292 moving 97
user authentication 264 network compliance 82
viewing 299 predefined 61, 65
user authentication 264 preferences 64
external authentication 266 product licensing 84
internal authentication 266 product updates 85
user preferences 25 RSS feeds 86
changing event preferences 27 system load 87
changing passwords 25 system time 87
home page 35 white list events 88
time zone 34 workflows, default workflows 32
user roles 304
V
variables
and detection engines 199
assigning values for detection engines 200
creating in detection engines 202
VDB updates 410
scheduling downloads 438
scheduling installs 442
scheduling pushes 440
scheduling updates 437
vulnerability database
updating 398
vulnerability lookup (RNA settings) 345
vulnerability mapping for services 358

Sourcefire 3D System Administrator Guide v4.9.1

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Sourcefire 3D System Administrator Guide v4.9.1

Uploaded by

Copyright:

Available Formats

Sourcefire 3D System

Terms Of Use and Copyright and Trademark Notices

© 2004 - 2010 Sourcefire, Inc. All rights reserved.

Chapter 1: Introduction to the Sourcefire 3D System............................. 14

Version 4.9.1 Sourcefire 3D System Administrator Guide 3

Documentation Conventions .............................................................................. 38

Chapter 2: Performing the Initial Setup .................................................... 43

Chapter 3: Using Dashboards..................................................................... 59

Version 4.9.1 Sourcefire 3D System Administrator Guide 4

Chapter 4: Using the Defense Center........................................................ 99

Chapter 5: Using the Master Defense Center........................................ 156

Version 4.9.1 Sourcefire 3D System Administrator Guide 5

Understanding Global Policy Management....................................................... 161

Chapter 6: Using Detection Engines and Interface Sets...................... 185

Version 4.9.1 Sourcefire 3D System Administrator Guide 6

Using Variables within Detection Engines ........................................................ 199

Chapter 7: Working with Event Reports.................................................. 232

Version 4.9.1 Sourcefire 3D System Administrator Guide 7

Working with Report Sections .......................................................................... 255

Chapter 8: Managing Users ...................................................................... 264

Chapter 9: Managing System Policies .................................................... 320

Version 4.9.1 Sourcefire 3D System Administrator Guide 8

Configuring the Parts of Your System Policy..................................................... 325

Chapter 10: Configuring System Settings ................................................. 360

Version 4.9.1 Sourcefire 3D System Administrator Guide 9

Chapter 11: Updating System Software.................................................... 398

Chapter 12: Using Backup and Restore .................................................... 413

Chapter 13: Scheduling Tasks .................................................................... 425

Version 4.9.1 Sourcefire 3D System Administrator Guide 10

Viewing Tasks ................................................................................................... 458

Chapter 14: Monitoring the System ........................................................... 463

Chapter 15: Using Health Monitoring ........................................................ 482

Version 4.9.1 Sourcefire 3D System Administrator Guide 11

Configuring Health Monitor Alerts .................................................................... 539

Chapter 16: Reviewing Health Status........................................................ 545

Chapter 17: Auditing the System................................................................ 566

Version 4.9.1 Sourcefire 3D System Administrator Guide 12

Appendix A: Importing and Exporting Objects .......................................... 583

Appendix B: Purging the RNA and RUA Databases................................. 598

Appendix C: Viewing the Status of Long-Running Tasks ........................ 600

Glossary .................................................................................................................... 603

Index .......................................................................................................................... 629

Version 4.9.1 Sourcefire 3D System Administrator Guide 13

Introduction to the Sourcefire 3D

Version 4.9.1 Sourcefire 3D System Administrator Guide 14

• Documentation Resources on page 37 explains where to locate specific

Components of the Sourcefire 3D System

Real-time Network Awareness (RNA)

Version 4.9.1 Sourcefire 3D System Administrator Guide 15

• the vulnerabilities and exploits to which monitored network devices may be

Intrusion Prevention System (IPS)

Version 4.9.1 Sourcefire 3D System Administrator Guide 16

IMPORTANT! The Sourcefire 3D Sensor 3800, 3D Sensor 6800, and 3D Sensor

Real-time User Awareness (RUA)

PEP Traffic Management

Version 4.9.1 Sourcefire 3D System Administrator Guide 17

IMPORTANT! You cannot use DC500s in high availability configurations.

Key DC500 database limits are:

Version 4.9.1 Sourcefire 3D System Administrator Guide 18

Key DC3000 database quantities are:

Virtual Defense Center

Master Defense Centers