Published by: dominic_murphy19791242 on Feb 15, 2011
Copyright:Attribution Non-commercial








  • Components of the Sourcefire 3D System
  • Real-time Network Awareness (RNA)
  • Intrusion Prevention System (IPS)
  • Real-time User Awareness (RUA)
  • PEP Traffic Management
  • Defense Centers
  • Master Defense Centers
  • Intrusion Agents
  • RNA for Red Hat Linux
  • RNA and IPS for Crossbeam Systems
  • eStreamer
  • Logging into the Appliance
  • Logging into the Appliance to Set Up an Account
  • Logging Out of the Appliance
  • Last Successful Login
  • Specifying Your User Preferences
  • Changing Your Password
  • Changing an Expired Password
  • Configuring Event View Settings
  • Setting Your Default Time Zone
  • Specifying Your Home Page
  • To specify your home page:
  • Specifying Your Default Dashboard
  • To specify your default dashboard:
  • Using the Context Menu
  • Documentation Resources
  • Documentation Conventions
  • Platform Requirements Conventions
  • Access Requirements Conventions
  • IP Address Conventions
  • Setting Up 3D Sensors
  • Setting Up Defense Centers
  • Communication Ports
  • What’s Next?
  • Administrator User Tasks
  • Maintenance User Tasks
  • Policy & Response Administrator User Tasks
  • RNA Event Analyst User Tasks
  • Intrusion Event Analyst User Tasks
  • Understanding Dashboard Widgets
  • Understanding Widget Availability
  • Sourcefire Appliances and Dashboard Widget Availability
  • Understanding Widget Preferences
  • Understanding the Predefined Widgets
  • Understanding the Appliance Information Widget
  • Understanding the Appliance Status Widget
  • Understanding the Compliance Events Widget
  • Understanding the Current Interface Status Widget
  • Understanding the Current Sessions Widget
  • Understanding the Custom Analysis Widget
  • Configuring the Custom Analysis Widget
  • Viewing Associated Events from the Custom Analysis Widget
  • Understanding the Disk Usage Widget
  • Understanding the Interface Traffic Widget
  • Understanding the Intrusion Events Widget
  • Understanding the Network Compliance Widget
  • Understanding the Product Licensing Widget
  • Understanding the Product Updates Widget
  • Understanding the RSS Feed Widget
  • Understanding the System Load Widget
  • Understanding the System Time Widget
  • Understanding the White List Events Widget
  • Working with Dashboards
  • Creating a Custom Dashboard
  • Viewing Dashboards
  • Modifying Dashboards
  • Changing Dashboard Properties
  • Deleting a Dashboard
  • Using the Defense Center
  • Management Concepts
  • The Benefits of Managing Your Sensors
  • What Can Be Managed by a Defense Center?
  • Understanding Software Sensors
  • Managing 3D Sensor Software with RNA for Crossbeam
  • Managing 3D Sensor Software with IPS for Crossbeam
  • Beyond Policies and Events
  • Using Redundant Defense Centers
  • Working in NAT Environments
  • Working with Sensors
  • Understanding the Sensors Page
  • Adding Sensors to the Defense Center
  • Deleting Sensors
  • Resetting Management of a Sensor
  • Managing a 3Dx800 Sensor
  • Managing 3Dx800 Sensors with a Defense Center
  • Deleting a 3Dx800 Sensor from the Defense Center
  • Resetting Communications on the 3Dx800
  • Adding Intrusion Agents
  • Sensor Attributes - Intrusion Agent Page
  • Managing Sensor Groups
  • Creating Sensor Groups
  • Editing Sensor Groups
  • Deleting Sensor Groups
  • Editing a Managed Sensor’s System Settings
  • Viewing a Sensor’s Information Page
  • Stopping and Restarting a Managed Sensor
  • Managing Communication on a Managed Sensor
  • Setting the Time on a Managed Sensor
  • Managing a Clustered Pair
  • Establishing a Clustered Pair
  • Separating a Clustered Pair
  • Configuring High Availability
  • Using High Availability
  • Sensor Configurations and User Information
  • Understanding High Availability
  • Guidelines for Implementing High Availability
  • Setting Up High Availability
  • Monitoring the High Availability Status
  • Disabling High Availability and Unregistering Sensors
  • Pausing Communication between Paired Defense Centers
  • Restarting Communication between Paired Defense Centers
  • Understanding Event Aggregation
  • Aggregating Intrusion Events
  • Aggregating Compliance Events
  • Limitations on Event Aggregation
  • Master Defense Center and Defense Center Functional Comparison
  • Understanding Global Policy Management
  • Managing Global Intrusion Policies
  • Using RNA Detection Policies on a Master Defense Center
  • Using Health Policies on a Master Defense Center
  • Using System Policies on a Master Defense Center
  • Master Defense Center Policy Management Limitations
  • Adding and Deleting Defense Centers
  • Adding a Master Defense Center
  • Adding a Defense Center
  • Deleting a Defense Center
  • Resetting Management of a Defense Center
  • Using the Appliances Page
  • Editing Settings for a Managed Defense Center
  • Viewing the Defense Center Information Page
  • Defense Center Information
  • Editing the Event Filter Configuration
  • Editing or Disabling Remote Management Communications
  • Managing the Health Blacklist
  • Managing High Availability Defense Centers
  • Managing Appliance Groups
  • Creating Appliance Groups
  • Editing Appliance Groups
  • Deleting Appliance Groups
  • Editing Master Defense Center System Settings
  • Listing Master Defense Center Information
  • Viewing a Master Defense Center License
  • Configuring Remote Management Networking
  • Setting System Time
  • Blacklisting Health Policies
  • Understanding Detection Engines
  • Understanding Detection Resources and 3D Sensor Models
  • Understanding Default Detection Engines
  • Managing Detection Engines
  • Creating a Detection Engine
  • To create a detection engine:
  • Editing a Detection Engine
  • Deleting a Detection Engine
  • To delete a detection engine:
  • Using Detection Engine Groups
  • Creating Detection Engine Groups
  • Editing Detection Engine Groups
  • To edit a detection engine group:
  • Deleting Detection Engine Groups
  • To delete a detection engine group:
  • Using Variables within Detection Engines
  • Assigning Values to System Default Variables in Detection Engines
  • Creating New Variables for Detection Engines
  • Deleting and Resetting Variables
  • Configuring Custom Variables in Detection Engines
  • Using Portscan-Only Detection Engines
  • Using Interface Sets
  • Understanding Interface Set Configuration Options
  • Creating an Interface Set
  • Creating an Inline Interface Set
  • Editing an Interface Set
  • Deleting an Interface Set
  • Using Interface Set Groups
  • Creating Interface Set Groups
  • Editing Interface Set Groups
  • Deleting Interface Set Groups
  • Inline Fail Open Interface Set Commands
  • Removing Bypass Mode on Inline Fail Open Fiber Interfaces
  • Forcing an Inline Fail Open Interface Set into Bypass Mode
  • To force an inline fail open interface set into bypass mode:
  • Using Clustered 3D Sensors
  • Using Detection Engines on Clustered 3D Sensors
  • Managing Clustered 3D Sensor Detection Engines
  • Using Clustered 3D Sensor Detection Engines in Policies
  • Understanding Interface Sets on Clustered 3D Sensors
  • Managing Information from a Clustered 3D Sensor
  • Working with Event Reports
  • Working with Report Profiles
  • Generating Reports from Event Views
  • Managing Generated Reports
  • Viewing Generated Reports
  • Downloading Generated Reports
  • To download generated reports:
  • Deleting Generated Reports
  • Moving Reports to a Remote Storage Location
  • Running Remote Reports
  • Understanding Report Profiles
  • Understanding the Predefined Report Profiles
  • Modifying a Predefined Report Profile
  • Creating a Report Profile
  • Working with Report Information
  • Report Categories
  • Using Report Types
  • IPS Category Report Types
  • RNA Category Report Types
  • Defining Report Information
  • Working with Report Sections
  • Using Summary Reports
  • Comparison of Quick Summary and Detail Summary Reports
  • Including an Image File
  • Defining the Report Sections
  • To define the Report Sections:
  • Working with Report Options
  • Using a Report Profile
  • Generating a Report using a Report Profile
  • Editing Report Profiles
  • Deleting Report Profiles
  • Understanding Sourcefire User Authentication
  • Understanding Internal Authentication
  • Understanding External Authentication
  • Understanding User Privileges
  • Managing Authentication Objects
  • Understanding LDAP Authentication
  • Creating LDAP Authentication Objects
  • Configuring LDAP Authentication Settings
  • Configuring Attribute Mapping
  • Configuring Access Settings by Group
  • Testing User Authentication
  • To test user authentication:
  • LDAP Authentication Object Examples
  • OpenLDAP Example
  • Microsoft Active Directory Server Example
  • Editing LDAP Authentication Objects
  • Understanding RADIUS Authentication
  • Creating RADIUS Authentication Objects
  • Configuring RADIUS Connection Settings
  • Configuring RADIUS User Roles
  • Configuring Administrative Shell Access
  • RADIUS Authentication Object Examples
  • Authenticating a User using RADIUS
  • Editing RADIUS Authentication Objects
  • Deleting Authentication Objects
  • Managing User Accounts
  • Viewing User Accounts
  • Adding New User Accounts
  • Managing Externally Authenticated User Accounts
  • Managing User Password Settings
  • Configuring User Roles
  • Modifying User Privileges and Options
  • Modifying Restricted Event Analyst Access Properties
  • Modifying User Passwords
  • Deleting User Accounts
  • User Account Privileges
  • Creating a System Policy
  • Editing a System Policy
  • Applying a System Policy
  • To apply a system policy:
  • Deleting System Policies
  • Configuring the Parts of Your System Policy
  • Configuring the Access List for Your Appliance
  • Configuring Audit Log Settings
  • Configuring Authentication Profiles
  • Configuring Dashboard Settings
  • Configuring Database Event Limits
  • Configuring Detection Policy Preferences
  • To configure detection policy preferences:
  • Configuring DNS Cache Properties
  • Configuring a Mail Relay Host and Notification Address
  • Configuring Intrusion Policy Preferences
  • Specifying a Different Language
  • Adding a Custom Login Banner
  • Configuring RNA Settings
  • Understanding RNA Data Storage Settings
  • Understanding Vulnerability Impact Assessment Settings
  • Configuring RNA Subnet Detection Settings
  • Configuring RUA Settings
  • Synchronizing Time
  • Serving Time from the Defense Center
  • Mapping Vulnerabilities for Services
  • System Settings Options
  • Viewing and Modifying the Appliance Information
  • Understanding Licenses
  • Understanding Feature Licenses
  • Verifying Your Product License
  • Managing Your Feature Licenses
  • Adding Feature Licenses
  • Viewing Feature Licenses
  • NetFlow License Columns
  • RNA Host License Columns
  • Intrusion Agent License Columns
  • Virtual 3D Sensor License Columns
  • Configuring Network Settings
  • Editing Network Interface Configurations
  • Shutting Down and Restarting the System
  • Configuring the Communication Channel
  • Setting Up the Management Virtual Network
  • Editing the Management Virtual Network
  • Configuring Remote Access to the Defense Center
  • Setting the Time Manually
  • Blacklisting Health Modules
  • Specifying NetFlow-Enabled Devices
  • Managing Remote Storage
  • Using Local Storage
  • Using NFS for Remote Storage
  • Using SSH for Remote Storage
  • Using SMB for Remote Storage
  • Updating System Software
  • Installing Software Updates
  • Updating a Defense Center or Master Defense Center
  • Updating Managed Sensors
  • Updating Unmanaged 3D Sensors
  • Uninstalling Software Updates
  • Updating the Vulnerability Database
  • Using Backup and Restore
  • Creating Backup Files
  • Creating Backup Profiles
  • Performing Sensor Backup with the Defense Center
  • Uploading Backups from a Local Host
  • Restoring the Appliance from a Backup File
  • Configuring a Recurring Task
  • Automating Backup Jobs
  • Automating Software Updates
  • Automating Software Downloads
  • Automating Software Pushes
  • Automating Software Installs
  • Automating Vulnerability Database Updates
  • Automating VDB Update Downloads
  • Automating VDB Update Pushes
  • Automating VDB Update Installs
  • Automating SEU Imports
  • Automating Intrusion Policy Applications
  • Automating Reports
  • Automating Nessus Scans
  • Preparing Your System to Run a Nessus Scan
  • Scheduling a Nessus Scan
  • Synchronizing Nessus Plugins
  • Automating Nmap Scans
  • Preparing Your System for an Nmap Scan
  • Scheduling an Nmap Scan
  • Automating Recommended Rule State Generation
  • Viewing Tasks
  • Using the Calendar
  • Using the Task List
  • Editing Scheduled Tasks
  • Deleting Scheduled Tasks
  • Deleting a Recurring Task
  • Deleting a One-Time Task
  • Viewing Host Statistics
  • Data Correlator Process Statistics
  • Intrusion Event Information
  • Monitoring System Status and Disk Space Usage
  • Viewing System Process Status
  • Understanding Running Processes
  • Understanding System Daemons
  • Understanding Executables and System Utilities
  • System Executables and Utilities
  • Viewing IPS Performance Statistics
  • Generating IPS Performance Statistics Graphs
  • IPS Performance Statistics Graph Types
  • Saving IPS Performance Statistics Graphs
  • Viewing RNA Performance Statistics
  • Generating RNA Performance Statistics Graphs
  • RNA Performance Statistics Graph Types
  • Saving RNA Performance Statistics Graphs
  • Understanding Health Monitoring
  • Understanding Health Policies
  • Understanding Health Modules
  • Understanding Health Monitoring Configuration
  • Configuring Health Policies
  • Predefined Health Policies
  • Default Health Policy
  • Enabled Defense Center Health Modules - Default Health Policy
  • Enabled MDC Health Modules - Default Health Policy
  • Default Intrusion Sensor Health Policy
  • Default IPS (3Dx800 only) Health Policy
  • Enabled Health Modules: Default Intrusion Sensor Health Policy
  • Creating Health Policies
  • Enabled Health Modules: Default RNA Sensor Health Policy
  • Configuring Appliance Heartbeat Monitoring
  • Configuring Automatic Application Bypass Monitoring
  • Configuring Data Correlator Process Monitoring
  • Configuring Health Status Monitoring
  • Configuring Link State Propagation Monitoring
  • Configuring Time Synchronization Monitoring
  • Applying Health Policies
  • Editing Health Policies
  • Deleting Health Policies
  • Using the Health Monitor Blacklist
  • Blacklisting Health Policies or Appliances
  • Blacklisting a Health Policy Module
  • Configuring Health Monitor Alerts
  • Preparing to Create a Health Alert
  • Creating Health Monitor Alerts
  • Interpreting Health Monitor Alerts
  • Editing Health Monitor Alerts
  • To edit health monitor alerts:
  • Deleting Health Monitor Alerts
  • To delete health monitor alerts:
  • Using the Health Monitor
  • Interpreting Health Monitor Status
  • Using Appliance Health Monitors
  • Health Status Indicator
  • Interpreting Appliance Health Monitor Status
  • Viewing Alerts by Status
  • Running All Modules for an Appliance
  • Running a Specific Health Module
  • Generating Health Module Alert Graphs
  • To generate a health module alert graph:
  • Generating Appliance Troubleshooting Files
  • To generate appliance troubleshooting files:
  • Working with Health Events
  • Understanding Health Event Views
  • Viewing Health Events
  • Viewing All Health Events
  • Viewing Health Events by Module and Appliance
  • Interpreting Hardware Alert Details for 3D9900 Sensors
  • Understanding the Health Events Table
  • Health Event Fields
  • Searching for Health Events
  • Health Event Search Criteria
  • Managing Audit Records
  • Viewing Audit Records
  • Suppressing Audit Records
  • Understanding the Audit Log Table
  • Searching Audit Records
  • Audit Record Search Criteria
  • Viewing the System Log
  • Filtering System Log Messages
  • System Log Filter Syntax
  • Using Four-Digit Year Formats on the 3D3800
  • System Log Filter Examples
  • Exporting Objects
  • Exporting a Custom Table
  • Exporting a Custom Workflow
  • To export a custom workflow:
  • Exporting a Dashboard
  • Exporting a Health Policy
  • To export a health policy:
  • Exporting an Intrusion Policy
  • Exporting a PEP Policy
  • Exporting an RNA Detection Policy
  • To export an RNA detection policy:
  • Exporting a System Policy
  • Exporting a User-Defined RNA Detector
  • To export a user-defined RNA detector:
  • Exporting Multiple Objects
  • Importing Objects
  • Viewing the Status of Long-Running Tasks
  • Viewing the Task Queue
  • Managing the Task Queue
  • Glossary
  • Policy & Response Administrator
  • RADIUS authentication
  • Restricted Event Analyst
  • RNA recommended rules
  • Index


In addition to applying policies to sensors and receiving events from them, you
can also perform other sensor-related tasks on the Defense Center.

Backing Up a Sensor

If you are storing event data on your sensor in addition to sending it to the
Defense Center, you can use the Defense Center’s web interface to back up
those events from the sensor. See Performing Sensor Backup with the Defense
Center on page 419 for more information.

Running Remote Reports

You can create a report profile on the Defense Center and run it remotely using
the data on a managed sensor. This is particularly useful if you want to generate a
report for the audit events on a managed sensor. Audit events are stored locally
and are not sent to the Defense Center, but you can design a report on the
Defense Center, select a managed sensor, and run the report. If you set up the
report so that it is automatically emailed to you, you do not even need a user
account on the sensor to read the resulting report. See Working with Event
Reports on page 232 for more information.

Supported Features for IPS on Crossbeam

Supported through Defense Center:

•Detection engine
•High availability
•Host Statistics
•Interface set management
•Intrusion policy apply
•Intrusion event collection and
•Performance Statistics
•Reports generated on the Defense Center
•SEU updates
•Sensor information management (in System
•Software updates

Supported through Crossbeam X-Series:

•Backup and
•Registration of
•Time settings

Not Supported:

•Event storage on sensor
•Health policy
backup and
•System policy

Sourcefire 3D System Administrator Guide, Version 4.9.1. Chapter 4, Using the Defense Center: Working in NAT Environments.

Updating Sensors

From time to time, Sourcefire releases updates to the Sourcefire 3D System, including:

•Security Enhancement Updates (SEUs), which can contain new and
updated intrusion rules, as well as new and updated preprocessors and
protocol decoders

•vulnerability database updates

•software patches and updates

You can use the Defense Center to push an update to the sensors it manages and
then automatically install the update.
